Fortinet Security Best Practices: A Complete Hardening Guide
Comprehensive guide to securing Fortinet devices including FortiGate, FortiOS, and FortiWeb. Learn hardening techniques, authentication security, patch management, and monitoring strategies from an IT security professional.
Fortinet devices—particularly FortiGate firewalls—protect millions of networks worldwide. They're powerful, feature-rich, and when properly configured, provide excellent security. The problem? "Properly configured" is doing a lot of heavy lifting in that sentence.
Out of the box, Fortinet devices prioritize ease of deployment over maximum security. Default settings get you running quickly but leave gaps that attackers actively exploit. We've seen this repeatedly: the December 2025 FortiCloud SSO authentication bypass flaws (CVE-2025-59718 and CVE-2025-59719), the FortiWeb zero-days exploited throughout 2025, and the infamous Volt Typhoon campaign where Chinese state hackers used FortiOS vulnerabilities to compromise a Dutch military network.
This guide covers the essential hardening steps every Fortinet administrator should implement—whether you're managing a single FortiGate for a small business or deploying enterprise FortiManager infrastructure. These aren't theoretical recommendations; they're practical configurations based on real-world attack patterns and 23+ years of IT security experience.
1. Firmware and Patch Management
Why It Matters
Fortinet vulnerabilities are consistently among the most exploited in the wild. Ransomware groups and nation-state APTs actively scan for unpatched Fortinet devices because compromising a perimeter firewall often means compromising the entire network.
1.1 Establish a Patch Schedule
Don't wait for emergencies. Establish a regular firmware review cycle: check for new firmware releases monthly (at minimum), subscribe to Fortinet PSIRT (Product Security Incident Response Team) advisories, and monitor CISA's Known Exploited Vulnerabilities (KEV) catalog for Fortinet entries.
1.2 Maintain a Staging Environment
Never apply firmware updates directly to production without testing. Keep a lab FortiGate (even a VM) for testing updates, verify VPN connectivity, routing, and critical policies after updates, and document any configuration changes required by new firmware.
1.3 Know Your Current Versions
Maintain an inventory of all Fortinet devices and their firmware versions. You can check firmware version via CLI with: get system status. Track this in your asset management system and compare against Fortinet's security advisories.
1.4 Emergency Patch Protocol
For critical zero-days (CVSS 9.0+), have a pre-approved emergency process: authority to patch within 24-48 hours without standard change control, pre-tested rollback procedures, and a communication plan for affected users.
1.5 End-of-Life Planning
Fortinet eventually stops releasing security patches for older firmware branches. Know your EOL dates and budget for upgrades before support ends.
2. Administrative Access Hardening
The December 2025 FortiCloud SSO bypass vulnerabilities highlight why administrative access security is critical. If attackers can authenticate as administrators, your firewall becomes their firewall.
2.1 Disable Unnecessary Management Interfaces
By default, FortiGate enables management access on multiple interfaces. Lock this down—only enable HTTPS, SSH, or other management protocols on dedicated management interfaces, never on WAN-facing ports. Use the CLI to restrict allowaccess on each interface.
2.2 Restrict Management Access by Source IP
Limit who can even attempt to log in. Use trusted hosts to restrict administrative access to known management networks or jump hosts. Configure trusthost settings for each admin account to specify allowed source IP ranges.
2.3 Implement Multi-Factor Authentication
Single-factor authentication for firewall admins is unacceptable in 2025. Integrate with FortiAuthenticator or FortiToken, use RADIUS/TACACS+ with MFA-enabled identity providers, and at minimum, enable FortiToken Mobile for all admin accounts.
2.4 Disable FortiCloud SSO (If Not Needed)
Given the recent CVE-2025-59718 and CVE-2025-59719 vulnerabilities, disable FortiCloud SSO if you don't actively use it. Use the command: config system global then set admin-forticloud-sso-login disable. Only enable it if you actively use it—and ensure you're on patched firmware.
2.5 Use Role-Based Access Control
Don't give every admin full super_admin privileges. Create custom admin profiles with least-privilege access, separate read-only monitoring accounts from configuration accounts, and audit who has what access quarterly.
2.6 Change Default Credentials Immediately
This seems obvious, but compromised devices with default credentials are still discovered regularly. Change the default "admin" password on first login, consider renaming the default admin account, and disable the "maintainer" account if not needed for hardware recovery.
2.7 Configure Session Timeouts
Idle admin sessions are a risk. Set reasonable timeouts (10-30 minutes) for administrative sessions using: config system global then set admintimeout 15.
3. Network Segmentation and Access Control
A firewall that allows everything isn't a firewall—it's an expensive router. Proper segmentation limits blast radius when (not if) something gets compromised.
3.1 Default-Deny Policies
Start with implicit deny and explicitly allow only required traffic. Remove or disable default "allow all" policies, document business justification for every permit rule, and review and prune unused rules quarterly.
3.2 Segment by Security Zone
Create logical zones based on trust levels: Untrusted (Internet, guest WiFi), DMZ (public-facing servers), Internal (standard corporate network), Restricted (sensitive systems like finance, HR, executive), and Management (network infrastructure devices).
3.3 Inspect Internal Traffic
Don't assume internal traffic is safe. Enable inspection between internal VLANs, apply IPS policies to east-west traffic, and consider zero-trust microsegmentation for critical assets.
3.4 Use Address Objects and Groups
Don't hardcode IPs in policies. Use named objects and groups for maintainability and audit clarity. This makes policy review easier and reduces errors during changes.
3.5 Implement Application Control
Layer 7 visibility matters. Enable application control to identify traffic beyond port/protocol, block high-risk applications (Tor, anonymous proxies, unauthorized remote access tools), and monitor for shadow IT applications.
4. VPN Security
VPN gateways are prime targets—they're internet-facing by design and provide network access when compromised. The Volt Typhoon campaign specifically exploited FortiOS SSL VPN vulnerabilities.
4.1 Prefer IPsec Over SSL VPN (When Possible)
SSL VPN has a larger attack surface due to its web-based nature. For site-to-site connections and users who can install a client, IPsec is generally more secure.
4.2 Enforce Strong Authentication
For SSL VPN and IPsec with XAUTH: require MFA for all VPN users—no exceptions, integrate with enterprise identity providers (Azure AD, Okta, etc.), and implement certificate-based authentication where feasible.
4.3 Enable SSL VPN Security Features
If using SSL VPN, require TLS 1.2 or higher, disable weak ciphers (SHA1, MD5), and consider client certificate requirements. Configure via config vpn ssl settings.
4.4 Implement Host Checking
Verify endpoint security before granting access. Check for running antivirus/EDR, verify OS patch levels, and require corporate-managed devices for full access.
4.5 Limit VPN Access Scope
VPN users shouldn't get full network access. Apply firewall policies to VPN traffic, segment VPN users into restricted zones, and provide access only to required resources.
4.6 Monitor VPN Logs Actively
VPN authentication logs often show early signs of attack. Alert on failed authentication spikes, monitor for impossible travel (logins from geographically distant locations), and track unusual connection patterns.
5. Logging and Monitoring
You can't defend what you can't see. Fortinet devices generate extensive logs—but only if configured properly, and only if someone's watching.
5.1 Configure Remote Logging
Local logs can be wiped by attackers. Send logs off-device using FortiAnalyzer, a SIEM, or at minimum a syslog server. Configure syslog via config log syslogd setting.
5.2 Enable Comprehensive Logging
Don't just log denies—log allows too. Enable traffic logs (both allowed and denied sessions), event logs (system events, admin logins, configuration changes), security logs (IPS, antivirus, web filtering events), and VPN logs (tunnel status, user authentication).
5.3 Log Administrative Actions
Every configuration change should be logged. Enable CLI audit logging via config system global then set cli-audit-log enable. This creates an audit trail for compliance and incident investigation.
5.4 Implement Alerting
Logs are useless if no one reads them. Create alerts for: admin login failures (threshold: 5 in 10 minutes), admin logins from unexpected sources, configuration changes outside maintenance windows, IPS critical severity events, and VPN brute-force attempts.
5.5 Retain Logs Appropriately
Balance storage costs with investigation needs. Minimum 90 days for security logs, 1 year+ for compliance-regulated industries, and consider cold storage for long-term retention.
5.6 Regular Log Review
Automated alerting catches obvious attacks. Manual review catches subtle ones. Weekly review of admin activity logs, monthly review of policy hit counts (find unused rules), and quarterly review of top blocked threats.
6. Security Feature Configuration
FortiGate includes multiple security engines. Enable and tune them appropriately.
6.1 Intrusion Prevention System (IPS)
Enable IPS on policies where it matters. Apply to inbound traffic from untrusted zones, use appropriate profiles (don't apply heavy inspection to trusted internal traffic), tune signatures to reduce false positives, and update IPS signatures automatically via FortiGuard subscription.
6.2 Antivirus/Anti-Malware
Enable AV scanning on HTTP/HTTPS traffic (requires SSL inspection), SMTP traffic, and file downloads. Consider proxy-based inspection for higher catch rates.
6.3 Web Filtering
Block access to known-malicious categories: malware sites, phishing sites, and newly registered domains (frequently malicious). Consider blocking uncategorized sites.
6.4 DNS Filtering
Layer DNS-based protection. Enable FortiGuard DNS filtering, block DNS over HTTPS (DoH) to prevent bypass, and consider DNS sinkholing for malware domains.
6.5 SSL/TLS Inspection
You can't inspect what you can't see. Encrypted traffic hides threats. Implement SSL deep inspection for outbound web traffic, use certificate inspection (less invasive) where deep inspection isn't feasible, maintain an exception list for sensitive sites (banking, healthcare), and deploy your inspection CA certificate to endpoints.
6.6 Botnet Detection
FortiGuard includes botnet C2 detection. Enable botnet detection on outbound policies, alert on botnet traffic (indicates compromised internal host), and block known botnet C2 addresses.
7. High Availability and Disaster Recovery
Security includes resilience. A firewall that's down provides zero protection.
7.1 Deploy in HA Pairs
For production environments, single firewalls are single points of failure. Use active-passive HA for simplicity or active-active for performance (more complex). Ensure HA heartbeat links are on dedicated interfaces.
7.2 Regular Configuration Backups
Automate configuration backups with daily automated backups to secure storage, backup before any configuration changes, and test restore procedures quarterly. Use execute backup config tftp or similar methods.
7.3 Document Your Configuration
In a disaster, you need to know what you had. Maintain network diagrams, document firewall policies and their business purpose, and keep runbooks for common procedures.
7.4 Test Failover Regularly
HA that's never tested might not work when needed. Schedule quarterly HA failover tests, verify stateful session continuity, and document failover times.
8. Common Mistakes to Avoid
After years of auditing Fortinet deployments, these are the most frequent security gaps:
8.1 "Any Any Accept" Policies
Legacy rules that allow all traffic destroy the firewall's purpose. Find them and fix them using diagnose firewall policy list to review for overly permissive rules.
8.2 Management on WAN Interface
Never expose HTTPS/SSH management to the internet. Use VPN for remote administration.
8.3 Ignoring Certificate Warnings
Self-signed certificates for management are fine internally, but certificate validation for external services (FortiGuard, etc.) should be strict.
8.4 Not Reviewing FortiGuard Subscription Status
Security features require active subscriptions. Expired FortiGuard means no IPS signature updates, no AV definition updates, no web filtering updates, and no botnet detection updates. Check status regularly with diagnose autoupdate status.
8.5 Disabling Security Features for "Performance"
Modern FortiGate hardware handles security inspection at line rate. If you're disabling features for performance, you probably need bigger hardware—not less security.
8.6 Set-and-Forget Mentality
Firewalls require ongoing maintenance. Rules accumulate and become outdated, new vulnerabilities emerge, business requirements change, and threats evolve.
9. Security Checklist
Use this checklist for initial deployment and quarterly audits:
Administrative Security
Firmware and Updates
Network Policies
Security Features
Logging and Monitoring
VPN Security
Resilience
Conclusion
Fortinet devices are powerful security tools—but only when properly configured and maintained. The default settings get you running quickly; the hardening steps in this guide keep you running securely.
Key takeaways:
The recent FortiCloud SSO bypass flaws remind us that even security vendors have vulnerabilities. Defense in depth—multiple layers of security, each covering for the others' potential failures—remains the only reliable strategy.
Your firewall is your network's front door. Make sure it's locked.
