FortiGate Firewall Security Policy Audit
Policy-audit-driven analysis of FortiGate/FortiOS firewall policies. Unlike
generic firewall checklists that check for open ports and default-deny, this
skill evaluates the FortiOS-specific security architecture: Virtual Domain
(VDOM) segmentation, UTM profile binding on every allow policy, FortiGuard
signature freshness, and SD-WAN SLA-based traffic steering security
implications.
Covers FortiOS 7.x+ on FortiGate hardware appliances and FortiGate-VM virtual
instances. For FortiManager-managed deployments, the audit addresses ADOM
hierarchy and policy package consistency. Reference references/policy-model.md
for the full VDOM/UTM inspection chain and references/cli-reference.md for
read-only CLI commands.
When to Use
- - Post-change policy review after rule additions or VDOM topology changes
- VDOM segmentation audit verifying inter-VDOM link isolation and per-VDOM policy independence
- UTM profile coverage assessment — finding allow policies without antivirus, IPS, or web-filter inspection
- SD-WAN security evaluation — confirming SLA violations do not steer traffic around security controls
- FortiGuard license and connectivity validation — ensuring signature databases are current
- HA cluster security posture check — verifying firmware parity, config sync, and session-sync settings
- Quarterly or annual compliance audit requiring per-policy justification
- Pre-upgrade baseline before FortiOS major version changes
Prerequisites
- - Read-only administrative access to FortiOS CLI (or
diagnose-level privilege for runtime state) - Understanding of the VDOM topology — which VDOMs exist, their function (management, traffic, DMZ), and expected inter-VDOM links
- Knowledge of expected UTM profile assignments per policy category (internet-bound, inter-zone, intrazone)
- For FortiManager-managed environments: access to the ADOM with visibility into policy packages
- Awareness of SD-WAN configuration — SLA targets, member interfaces, and health-check definitions
- Running configuration committed — audit evaluates the active configuration, not pending changes
Procedure
Follow this audit flow sequentially. Each step builds on prior findings.
The procedure moves from VDOM architecture inventory through per-VDOM
rule-level analysis to UTM coverage, FortiGuard health, SD-WAN security,
and HA posture.
Step 1: VDOM Architecture Inventory
Collect all VDOMs and their roles.
CODEBLOCK0
On a multi-VDOM system, list all VDOMs:
CODEBLOCK1
For each VDOM, record: name, type (traffic/management/admin), assigned
interfaces (physical and virtual), inter-VDOM link pairs, and VDOM resource
limits (session count, CPU quota). Identify the management VDOM — this
is where FortiGuard updates, logging, and administrative access are
configured.
Check inter-VDOM links:
CODEBLOCK2
Inter-VDOM links function as virtual interfaces connecting two VDOMs.
Traffic crossing a VDOM link is subject to the receiving VDOM's firewall
policies — verify that inter-VDOM traffic is not bypassing inspection.
Verify VDOM resource limits to detect unbounded VDOMs that could starve
other VDOMs during volumetric events:
CODEBLOCK3
Flag any VDOM without explicit resource limits in a multi-VDOM deployment.
Step 2: Firewall Policy Rule-by-Rule Analysis
For each VDOM, retrieve the full policy table:
CODEBLOCK4
FortiOS evaluates firewall policies top-down by sequence number within each
VDOM. The first matching policy is applied. Evaluate each policy against
these criteria:
- - Overly permissive policies: Policies with
srcaddr "all",
dstaddr "all",
service "ALL", and
action accept are Critical
findings — they accept all traffic on all ports with no restriction.
- - Missing UTM profiles: Allow policies without antivirus, web-filter,
application-control, or IPS profile binding pass traffic uninspected.
Check
utm-status,
av-profile,
webfilter-profile,
application-list, and
ips-sensor on each allow policy.
- - Disabled policies: Policies with
status disable still occupy
sequence numbers and create audit confusion. Flag for cleanup.
- - Schedule-based policies: Policies with
schedule other than �INLINECODE14
may create time-window security gaps. Verify schedules align with
intended access windows.
- - Implicit deny: FortiOS has an implicit deny (policy ID 0) at the
bottom of each VDOM's policy table. Verify it is logging traffic for
visibility into denied connections.
Check for unused policies using hit count data:
CODEBLOCK5
Policies with zero hits over 90+ days are cleanup candidates.
Step 3: UTM Profile Binding Audit
For each allow policy in every VDOM, verify that UTM inspection profiles
are bound. The goal is zero allow policies without threat inspection.
Check each allow policy for these profile bindings:
- - Antivirus (
av-profile): File-based malware scanning. Required on
all internet-bound and inter-zone policies.
- - Web Filter (
webfilter-profile): URL categorization and blocking.
Required on all policies permitting HTTP/HTTPS.
- - Application Control (
application-list): Application identification
and enforcement. FortiOS equivalent of App-ID.
- - IPS (
ips-sensor): Intrusion prevention signatures. Required on
all allow policies carrying untrusted traffic.
- - Email Filter (
emailfilter-profile): Anti-spam for SMTP/IMAP/POP3.
Required on email-carrying policies.
- - DLP Sensor (
dlp-sensor): Data loss prevention pattern matching.
Required where sensitive data egress risk exists.
- - SSL Inspection (
ssl-ssh-profile): Determines whether encrypted
traffic is decrypted for UTM inspection. Without SSL inspection set to
deep-inspection, AV and IPS see only connection metadata on HTTPS.
Summarize coverage: count allow policies with full UTM binding versus allow
policies with partial or no UTM profiles. Calculate the UTM coverage ratio.
Check the inspection mode per VDOM:
CODEBLOCK6
Flow-based mode applies all UTM in a single pass (faster, less thorough).
Proxy-based mode buffers and inspects fully (more thorough, more resource
intensive). The mode affects which UTM features are available and their
efficacy.
Step 4: FortiGuard Service Validation
FortiGuard provides the signature databases that UTM profiles depend on.
Stale signatures reduce detection efficacy.
CODEBLOCK7
Verify the following signature databases are current:
| Database | Maximum Acceptable Age | Check Command |
|---|
| Antivirus definitions | 24 hours | INLINECODE23 |
| IPS signatures |
7 days |
diagnose autoupdate versions | grep -A2 'IPS' |
| Web filter database | 7 days |
get webfilter status |
| Application control DB | 7 days |
diagnose autoupdate versions | grep -A2 'App' |
| Anti-spam database | 7 days |
diagnose autoupdate versions | grep -A2 'Spam' |
Check FortiGuard connectivity:
CODEBLOCK8
If FortiGuard is unreachable, all cloud-dependent features (web filter
rating queries, FortiSandbox cloud, outbreak prevention) operate in
degraded mode using cached data only.
Verify the update schedule:
CODEBLOCK9
Best practice is scheduled updates every 1–4 hours for AV and daily for
IPS/App-Control. Manual-only updates are a finding.
Step 5: SD-WAN SLA and Rule Security
If SD-WAN is configured, evaluate security implications of traffic steering.
CODEBLOCK10
Review SD-WAN components:
- - SLA targets and health checks: Examine each health check definition
(protocol, server, threshold). Verify health-check servers are reachable
and meaningful for the SLA metric (latency, jitter, packet loss).
CODEBLOCK11
- - SD-WAN rules: Each rule maps traffic to preferred WAN members based
on SLA status. Review rule priorities and the
tie-break method.
CODEBLOCK12
- - Fail-open behavior: When all SLA members fail, SD-WAN rules may fall
through to standard routing. Determine whether this fallback path still
traverses security inspection. A fail-open that routes around a security
VDOM or UTM-inspecting policy is a Critical finding.
- - SD-WAN + firewall policy interaction: SD-WAN selects the egress
interface, but firewall policies still control access. Verify that
firewall policies cover all SD-WAN member interfaces. A policy that
references a specific interface may not match when SD-WAN steers traffic
to an alternate member.
Step 6: HA and Session Sync Audit
Evaluate HA cluster security posture.
CODEBLOCK13
Check the following:
- - HA mode: Active-passive (recommended for stateful firewalls) vs
active-active (requires careful session-sync configuration). Record
the mode and verify it matches design intent.
- - Firmware parity: Both cluster members must run the same FortiOS
version. Version mismatch can cause session-sync failures and policy
inconsistencies.
CODEBLOCK14
Compare configuration checksums between members. Mismatched checksums
indicate configuration drift — a security risk when policies differ
between HA members.
- - Session sync configuration: Verify which session types are
synchronized (TCP, UDP, ICMP, expectation sessions). Unsynchronized
sessions drop during failover.
CODEBLOCK15
Check session-pickup and session-pickup-connectionless settings.
- - HA heartbeat security: Verify heartbeat interfaces use encryption
and authentication. Unencrypted heartbeats on shared network segments
are vulnerable to spoofing.
- - HA management interface: Verify dedicated management access is
configured for each cluster member (ha-mgmt-interfaces) to ensure
both nodes remain independently accessible.
Threshold Tables
Policy Rule Severity Classification
| Finding | Severity | Rationale |
|---|
INLINECODE31� + dstaddr "all" + service "ALL" + �INLINECODE34 | Critical | Fully open policy — no restriction on source, destination, or service |
| Allow policy without any UTM profile (no AV, IPS, web-filter) |
Critical | Traffic passes without threat inspection |
| FortiGuard unreachable — all signatures stale | Critical | UTM profiles active but signatures outdated; detection efficacy severely degraded |
| SD-WAN fail-open bypasses security inspection path | Critical | SLA failure routes traffic around UTM inspection |
| Allow policy with
service "ALL" (specific src/dst) | High | Permits all services — evaluate whether specific services can be defined |
| FortiGuard signatures >7 days old | High | Detection gap for new threats discovered in the past week |
| VDOM without resource limits in multi-VDOM deployment | High | Unbounded VDOM can starve other VDOMs during volumetric events |
| HA configuration checksum mismatch between members | High | Policy or configuration drift — active and standby may enforce different rules |
| HA firmware version mismatch | High | Session sync and feature parity issues during failover |
| Allow policy with partial UTM (missing IPS or AV) | Medium | Some inspection, but exploit or malware detection gap |
| Disabled policies in production VDOM | Medium | Audit confusion; stale configuration; cleanup recommended |
| SSL inspection not set to deep-inspection on internet-bound policy | Medium | UTM sees only metadata on encrypted traffic — AV/IPS efficacy reduced |
| Schedule-based policy creates off-hours security gap | Medium | Access permitted during window only, but gap during that window is intentional risk |
| Inter-VDOM link without receiving-side policy | Medium | Traffic may traverse VDOM boundary without inspection |
| Policies with zero hits >90 days | Low | Unused rules — cleanup candidates |
UTM Coverage Maturity
| UTM Coverage Ratio | Maturity | Guidance |
|---|
| >90% allow policies with full UTM | Mature | Maintain; review remaining gaps quarterly |
| 60–90% allow policies with UTM |
Developing | Prioritize internet-bound and inter-zone policies for UTM binding |
| <60% allow policies with UTM | Immature | Systematic UTM profile binding campaign needed |
Decision Trees
UTM Gap Remediation
CODEBLOCK16
VDOM Consolidation Assessment
CODEBLOCK17
SD-WAN Fail-Open Risk Evaluation
CODEBLOCK18
Report Template
CODEBLOCK19
Troubleshooting
Large Multi-VDOM Deployments
Auditing more than 10 VDOMs manually is impractical. Export per-VDOM policy
tables via the FortiOS REST API (/api/v2/cmdb/firewall/policy?vdom=<name>)
for programmatic analysis. Prioritize VDOMs carrying internet-bound or
inter-zone traffic — management VDOMs are lower risk.
FortiManager Policy Packages
In FortiManager-managed deployments, audit the installed policy on the
FortiGate (via show firewall policy), not just the FortiManager package —
local policies and installation state may differ. Use
diagnose fortimanager policy-check to identify discrepancies.
UTM Performance Impact
Before binding UTM profiles on high-throughput policies, assess headroom:
CODEBLOCK20
FortiGate models have rated throughput for NGFW and Threat Protection
profiles. Ensure traffic volume is within rated capacity. If constrained,
prioritize UTM on internet-bound policies and use flow-based inspection.
Firmware Upgrade Impact on Policies
FortiOS major upgrades may change UTM profile schema or deprecate features.
Export the policy baseline before upgrading, then post-upgrade verify:
UTM profile bindings preserved, policy sequence intact, SD-WAN rules
migrated, and HA cluster upgraded in sequence (secondary first).
Split-VDOM Mode vs Multi-VDOM Mode
Split-VDOM provides two VDOMs (root + FG-traffic); full multi-VDOM allows
custom count. Audit whether split-VDOM segmentation is sufficient for
compliance requirements. Changing VDOM mode requires a reboot.
FortiGate 防火墙安全策略审计
基于策略审计驱动的 FortiGate/FortiOS 防火墙策略分析。与检查开放端口和默认拒绝的通用防火墙检查清单不同,本技能评估 FortiOS 特定的安全架构:虚拟域(VDOM)分段、每条允许策略上的 UTM 配置文件绑定、FortiGuard 签名新鲜度以及基于 SD-WAN SLA 的流量引导安全影响。
涵盖 FortiGate 硬件设备和 FortiGate-VM 虚拟实例上的 FortiOS 7.x+ 版本。对于 FortiManager 管理的部署,审计涉及 ADOM 层级结构和策略包一致性。参考 references/policy-model.md 了解完整的 VDOM/UTM 检查链,参考 references/cli-reference.md 了解只读 CLI 命令。
使用时机
- - 规则添加或 VDOM 拓扑变更后的策略变更审查
- VDOM 分段审计,验证 VDOM 间链路隔离和每个 VDOM 的策略独立性
- UTM 配置文件覆盖范围评估——查找未配置防病毒、IPS 或网页过滤检查的允许策略
- SD-WAN 安全评估——确认 SLA 违规不会使流量绕过安全控制
- FortiGuard 许可证和连接验证——确保签名数据库是最新的
- HA 集群安全态势检查——验证固件一致性、配置同步和会话同步设置
- 需要逐策略说明的季度或年度合规审计
- FortiOS 主版本升级前的基线检查
前提条件
- - FortiOS CLI 的只读管理访问权限(或运行时状态的 diagnose 级别权限)
- 了解 VDOM 拓扑——存在哪些 VDOM、它们的功能(管理、流量、DMZ)以及预期的 VDOM 间链路
- 了解每个策略类别(互联网出站、区域间、区域内)预期的 UTM 配置文件分配
- 对于 FortiManager 管理的环境:能够访问 ADOM 并查看策略包
- 了解 SD-WAN 配置——SLA 目标、成员接口和健康检查定义
- 运行配置已提交——审计评估的是活动配置,而非待定更改
流程
按顺序执行此审计流程。每个步骤都基于之前的发现结果。流程从 VDOM 架构清单开始,经过每个 VDOM 的规则级分析,再到 UTM 覆盖范围、FortiGuard 健康状态、SD-WAN 安全和 HA 态势。
步骤 1:VDOM 架构清单
收集所有 VDOM 及其角色。
config vdom
edit root
end
get system status
在多 VDOM 系统上,列出所有 VDOM:
diagnose sys vd list
对于每个 VDOM,记录:名称、类型(流量/管理/管理)、分配的接口(物理和虚拟)、VDOM 间链路对以及 VDOM 资源限制(会话数、CPU 配额)。识别管理 VDOM——这是配置 FortiGuard 更新、日志记录和管理访问的地方。
检查 VDOM 间链路:
show system vdom-link
VDOM 间链路作为连接两个 VDOM 的虚拟接口。跨越 VDOM 链路的流量受接收 VDOM 的防火墙策略约束——验证 VDOM 间流量没有绕过检查。
验证 VDOM 资源限制,以检测在大流量事件期间可能耗尽其他 VDOM 资源的无限制 VDOM:
config global
get system vdom-property
在多 VDOM 部署中标记任何没有明确资源限制的 VDOM。
步骤 2:防火墙策略逐规则分析
对于每个 VDOM,检索完整的策略表:
config vdom
edit
show firewall policy
FortiOS 在每个 VDOM 内按序列号从上到下评估防火墙策略。应用第一个匹配的策略。根据以下标准评估每条策略:
- - 过于宽松的策略: 具有 srcaddr all、dstaddr all、service ALL 和 action accept 的策略是关键发现——它们接受所有端口上的所有流量,没有任何限制。
- 缺少 UTM 配置文件: 没有防病毒、网页过滤、应用控制或 IPS 配置文件绑定的允许策略会让流量未经检查通过。检查每条允许策略上的 utm-status、av-profile、webfilter-profile、application-list 和 ips-sensor。
- 禁用的策略: 具有 status disable 的策略仍占用序列号并造成审计混淆。标记以进行清理。
- 基于时间表的策略: 具有非 always 的 schedule 的策略可能会造成时间窗口安全漏洞。验证时间表与预期的访问窗口一致。
- 隐式拒绝: FortiOS 在每个 VDOM 的策略表底部有一个隐式拒绝(策略 ID 0)。验证它是否记录流量以了解被拒绝的连接。
使用命中计数数据检查未使用的策略:
diagnose firewall iprope show 100004
超过 90 天命中次数为零的策略是清理候选对象。
步骤 3:UTM 配置文件绑定审计
对于每个 VDOM 中的每条允许策略,验证 UTM 检查配置文件是否已绑定。目标是零条允许策略没有威胁检查。
检查每条允许策略的以下配置文件绑定:
- - 防病毒(av-profile): 基于文件的恶意软件扫描。所有互联网出站和区域间策略都需要。
- 网页过滤(webfilter-profile): URL 分类和阻止。所有允许 HTTP/HTTPS 的策略都需要。
- 应用控制(application-list): 应用识别和执行。FortiOS 相当于 App-ID。
- IPS(ips-sensor): 入侵防御签名。所有承载不可信流量的允许策略都需要。
- 电子邮件过滤(emailfilter-profile): 针对 SMTP/IMAP/POP3 的反垃圾邮件。承载电子邮件的策略需要。
- DLP 传感器(dlp-sensor): 数据丢失预防模式匹配。存在敏感数据外泄风险的地方需要。
- SSL 检查(ssl-ssh-profile): 确定是否解密加密流量以进行 UTM 检查。如果没有将 SSL 检查设置为 deep-inspection,防病毒和 IPS 在 HTTPS 上只能看到连接元数据。
总结覆盖范围:统计具有完整 UTM 绑定的允许策略与具有部分或没有 UTM 配置文件的允许策略。计算 UTM 覆盖率。
检查每个 VDOM 的检查模式:
config vdom
edit
get system settings | grep inspection-mode
基于流的模式一次性应用所有 UTM(更快,但不够彻底)。基于代理的模式缓冲并完全检查(更彻底,但资源消耗更大)。该模式影响哪些 UTM 功能可用及其有效性。
步骤 4:FortiGuard 服务验证
FortiGuard 提供 UTM 配置文件所依赖的签名数据库。过时的签名会降低检测有效性。
get system fortiguard-service status
diagnose autoupdate versions
验证以下签名数据库是最新的:
| 数据库 | 最大可接受期限 | 检查命令 |
|---|
| 防病毒定义 | 24 小时 | diagnose autoupdate versions | grep -A2 Virus |
| IPS 签名 |
7 天 | diagnose autoupdate versions | grep -A2 IPS |
| 网页过滤数据库 | 7 天 | get webfilter status |
| 应用控制数据库 | 7 天 | diagnose autoupdate versions | grep -A2 App |
| 反垃圾邮件数据库 | 7 天 | diagnose autoupdate versions | grep -A2 Spam |
检查 FortiGuard 连接:
diagnose debug rating
execute ping service.fortiguard.net
如果 FortiGuard 不可达,所有依赖云的功能(网页过滤评级查询、FortiSandbox 云、爆发预防)将仅使用缓存数据以降级模式运行。
验证更新计划:
show system autoupdate schedule
最佳实践是防病毒每 1-4 小时计划更新一次,IPS/应用控制每天更新一次。仅手动更新是一个发现项。
步骤 5:SD-WAN SLA 和规则安全
如果配置了 SD-WAN,评估流量引导的安全影响。
config vdom
edit
show system sdwan
审查 SD-WAN 组件:
- - SLA 目标和健康检查: 检查每个健康检查定义(协议、服务器、阈值)。验证健康检查服务器是否可达且对 SLA 指标(延迟、抖动、丢包)有意义。
diagnose sys sdwan health-check
- - SD-WAN 规则: 每条规则根据 SLA 状态将流量映射到首选 WAN 成员。审查规则优先级和 tie-break 方法。
diagnose sys sdwan service
- - 故障开放行为: 当所有 SLA 成员都失败时,SD-WAN 规则可能会回退到标准路由。确定此回退路径是否仍然经过安全检查。绕过安全 VDOM 或 UTM 检查策略的故障开放是关键发现。
