TNS Fortigate FortiOS Best Practices v2.0.0

Audit Details

Name: TNS Fortigate FortiOS Best Practices v2.0.0

Updated: 4/25/2022

Authority: TNS

Plugin: FortiGate

Revision: 1.3

Estimated Item Count: 90

File Details

Filename: TNS_Fortigate_Best_Practices_v2.0.0.audit

Size: 102 kB

MD5: 2f4b74c21b091689d16389b20100c237
SHA256: 916cd79584b4dfd052632f8bc1fbd44259b36d622bbfcee66d5292f5add9587a

Audit Items

DescriptionCategories
Alertmail server not configured or this feature is not available on the device

SYSTEM AND INFORMATION INTEGRITY

Auto Backup via central management is not available or not configured.

CONTINGENCY PLANNING

Event Logging is not available or enabled - Event Logging category checks not performed

AUDIT AND ACCOUNTABILITY

Fortigate - AAA - LDAP server is trusted

IDENTIFICATION AND AUTHENTICATION

Fortigate - AAA - RADIUS server is trusted

IDENTIFICATION AND AUTHENTICATION

Fortigate - AAA - TACACS+ server is trusted

IDENTIFICATION AND AUTHENTICATION

Fortigate - Admin access - trusted hosts

ACCESS CONTROL

Fortigate - Admin password lockout >= 300 seconds

ACCESS CONTROL

Fortigate - Admin password lockout threshold - '1-3'

ACCESS CONTROL

Fortigate - Admin SCP - 'disabled'

ACCESS CONTROL

Fortigate - Alert Emails - 'admin address'

SYSTEM AND INFORMATION INTEGRITY

Fortigate - Antispam License - Not Expired

CONFIGURATION MANAGEMENT

Fortigate - Auto backup is configured - 'FortiManager'

CONTINGENCY PLANNING

Fortigate - AV Grayware

SYSTEM AND INFORMATION INTEGRITY

Fortigate - AV Heuristic - 'block'

SYSTEM AND INFORMATION INTEGRITY

Fortigate - AV License - Not Expired

CONFIGURATION MANAGEMENT

Fortigate - Close port TCP 113 on external interface

CONFIGURATION MANAGEMENT

Fortigate - Disable auto USB installation - 'config'

CONFIGURATION MANAGEMENT

Fortigate - Disable auto USB installation - 'image'

CONFIGURATION MANAGEMENT

Fortigate - Disable insecure services - HTTP

CONFIGURATION MANAGEMENT

Fortigate - Disable insecure services - TELNET

CONFIGURATION MANAGEMENT

Fortigate - Disable SSHv1 admin access

CONFIGURATION MANAGEMENT

Fortigate - DNS - primary server

SYSTEM AND COMMUNICATIONS PROTECTION

Fortigate - DNS - secondary server

SYSTEM AND COMMUNICATIONS PROTECTION

Fortigate - Does not use self-signed certificate - 'admin'

IDENTIFICATION AND AUTHENTICATION

Fortigate - Does not use self-signed certificate - 'user'

IDENTIFICATION AND AUTHENTICATION

Fortigate - Enable logs of failed connection attempts

AUDIT AND ACCOUNTABILITY

Fortigate - Encrypt logs sent to FortiAnalyzer/FortiManager

SYSTEM AND COMMUNICATIONS PROTECTION

Fortigate - Ensure default admin usernames are not used

ACCESS CONTROL

Fortigate - External Logging - 'fortianalyzer'

AUDIT AND ACCOUNTABILITY

Fortigate - External Logging - 'fortianalyzer2'

AUDIT AND ACCOUNTABILITY

Fortigate - External Logging - 'fortianalyzer3'

AUDIT AND ACCOUNTABILITY

Fortigate - External Logging - 'syslog2'

AUDIT AND ACCOUNTABILITY

Fortigate - External Logging - 'syslog3'

AUDIT AND ACCOUNTABILITY

Fortigate - External Logging - 'syslogd'

AUDIT AND ACCOUNTABILITY

Fortigate - Fortianalyzer Logs - severity 'information'

AUDIT AND ACCOUNTABILITY

Fortigate - Fortianalyzer2 Logs - severity 'information'

AUDIT AND ACCOUNTABILITY

Fortigate - Fortianalyzer3 Logs - severity 'information'

AUDIT AND ACCOUNTABILITY

Fortigate - full-final-warning-threshold <= 95%

AUDIT AND ACCOUNTABILITY

Fortigate - full-first-warning-threshold <= 75%

AUDIT AND ACCOUNTABILITY

Fortigate - full-second-warning-threshold <= 90%

AUDIT AND ACCOUNTABILITY

Fortigate - HTTPS/SSH admin access strong ciphers

ACCESS CONTROL

Fortigate - Inactivity timeout - 'console' <= 5

ACCESS CONTROL

Fortigate - Inactivity timeout - 'console' <= 300

ACCESS CONTROL

Fortigate - Inactivity timeout - 'global' <= 5

ACCESS CONTROL

Fortigate - IPS database - extended

SYSTEM AND INFORMATION INTEGRITY

Fortigate - Local Logging - severity 'information'

AUDIT AND ACCOUNTABILITY

Fortigate - Local Logging is enabled

AUDIT AND ACCOUNTABILITY

Fortigate - Log user authentication messages

AUDIT AND ACCOUNTABILITY

Fortigate - Log WAN optimization messages

AUDIT AND ACCOUNTABILITY