| 1.1 Ensure DNS server is configured | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.2 Ensure intra-zone traffic is not always allowed | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.3 Disable all management related services on WAN port | CONFIGURATION MANAGEMENT |
| 2.1.1 Ensure 'Pre-Login Banner' is set | ACCESS CONTROL |
| 2.1.2 Ensure 'Post-Login-Banner' is set | ACCESS CONTROL |
| 2.1.3 Ensure timezone is properly configured | AUDIT AND ACCOUNTABILITY |
| 2.1.4 Ensure correct system time is configured through NTP | AUDIT AND ACCOUNTABILITY |
| 2.1.5 Ensure hostname is set | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.1.10 Ensure management GUI listens on secure TLS version | ACCESS CONTROL |
| 2.1.12 Ensure single CPU core overloaded event is logged | AUDIT AND ACCOUNTABILITY |
| 2.2.1 Ensure 'Password Policy' is enabled | IDENTIFICATION AND AUTHENTICATION |
| 2.2.2 Ensure administrator password retries and lockout time are configured | ACCESS CONTROL |
| 2.3.1 Ensure only SNMPv3 is enabled | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.3.4 Enabling SNMP trap for memory usage | AUDIT AND ACCOUNTABILITY |
| 2.4.1 Remove default admin user and create one with other name | IDENTIFICATION AND AUTHENTICATION |
| 2.4.2 Ensure all the login accounts having specific trusted hosts enabled | ACCESS CONTROL, SYSTEM AND INFORMATION INTEGRITY |
| 2.4.3 Ensure admin accounts with different privileges have their correct profiles assigned | ACCESS CONTROL |
| 2.4.4 Ensure Admin idle timeout time is configured | ACCESS CONTROL |
| 2.4.5 Ensure only encrypted access channels are enabled | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.4.6 Apply Local-in Policies | ACCESS CONTROL, CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, MEDIA PROTECTION, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.4.7 Ensure default Admin ports are changed | ACCESS CONTROL, CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, MEDIA PROTECTION, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.4.8 Virtual patching on the local-in management interface | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 2.5.2 Ensure "Monitor Interfaces" for High Availability devices is enabled | SYSTEM AND INFORMATION INTEGRITY |
| 2.5.3 Ensure HA Reserved Management Interface is configured | SYSTEM AND INFORMATION INTEGRITY |
| 3.2 Ensure that policies do not use "ALL" as Service | ACCESS CONTROL, MEDIA PROTECTION |
| 3.3 Ensure firewall policy denying all traffic to/from Tor, malicious server, or scanner IP addresses using ISDB | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.4 Ensure logging is enabled on all firewall policies | AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY |
| 4.1.2 Apply IPS Security Profile to Policies | RISK ASSESSMENT |
| 4.2.6 Ensure inline scanning with FortiGuard AI-Based Sandbox Service is enabled | SYSTEM AND INFORMATION INTEGRITY |
| 4.3.2 Ensure DNS Filter logs all DNS queries and responses | AUDIT AND ACCOUNTABILITY |
| 4.3.3 Apply DNS Filter Security Profile to Policies | SYSTEM AND INFORMATION INTEGRITY |
| 4.4.1 Create a Web Filtering Profile | ACCESS CONTROL |
| 4.5.1 Block high risk categories on Application Control | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.5.3 Ensure all Application Control related traffic is logged | SYSTEM AND INFORMATION INTEGRITY |
| 4.5.4 Apply Application Control Security Profile to Policies | ACCESS CONTROL, MEDIA PROTECTION |
| 5.1.1 Enable Compromised Host Quarantine | ACCESS CONTROL, CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 7.3.1 Encrypt Log Transmission to FortiAnalyzer / FortiManager | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.3.2 Encrypt Log Transmission to Syslog | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.3.3 Encrypt Log Transmission to Syslog | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
