| Alertmail server not configured or this feature is not available on the device | SYSTEM AND INFORMATION INTEGRITY |
| Auto Backup via central management is not available or not configured. | CONTINGENCY PLANNING |
| Event Logging is not available or enabled - Event Logging category checks not performed | AUDIT AND ACCOUNTABILITY |
| Fortigate - AAA - LDAP server is trusted | IDENTIFICATION AND AUTHENTICATION |
| Fortigate - AAA - RADIUS server is trusted | IDENTIFICATION AND AUTHENTICATION |
| Fortigate - AAA - TACACS+ server is trusted | IDENTIFICATION AND AUTHENTICATION |
| Fortigate - Admin access - trusted hosts | ACCESS CONTROL |
| Fortigate - Admin password lockout >= 300 seconds | ACCESS CONTROL |
| Fortigate - Admin password lockout threshold - '1-3' | ACCESS CONTROL |
| Fortigate - Admin SCP - 'disabled' | ACCESS CONTROL |
| Fortigate - Alert Emails - 'admin address' | SYSTEM AND INFORMATION INTEGRITY |
| Fortigate - Antispam License - Not Expired | CONFIGURATION MANAGEMENT |
| Fortigate - Auto backup is configured - 'FortiManager' | CONTINGENCY PLANNING |
| Fortigate - AV Grayware | SYSTEM AND INFORMATION INTEGRITY |
| Fortigate - AV License - Not Expired | CONFIGURATION MANAGEMENT |
| Fortigate - Close port TCP 113 on external interface | CONFIGURATION MANAGEMENT |
| Fortigate - Disable auto USB installation - 'config' | CONFIGURATION MANAGEMENT |
| Fortigate - Disable auto USB installation - 'image' | CONFIGURATION MANAGEMENT |
| Fortigate - Disable insecure services - HTTP | CONFIGURATION MANAGEMENT |
| Fortigate - Disable insecure services - TELNET | CONFIGURATION MANAGEMENT |
| Fortigate - Disable SSHv1 admin access | CONFIGURATION MANAGEMENT |
| Fortigate - DNS - primary server | SYSTEM AND COMMUNICATIONS PROTECTION |
| Fortigate - DNS - secondary server | SYSTEM AND COMMUNICATIONS PROTECTION |
| Fortigate - Does not use self-signed certificate - 'admin' | IDENTIFICATION AND AUTHENTICATION |
| Fortigate - Does not use self-signed certificate - 'user' | IDENTIFICATION AND AUTHENTICATION |
| Fortigate - Enable logs of failed connection attempts | AUDIT AND ACCOUNTABILITY |
| Fortigate - Encrypt logs sent to FortiAnalyzer/FortiManager | SYSTEM AND COMMUNICATIONS PROTECTION |
| Fortigate - Ensure default admin usernames are not used | ACCESS CONTROL |
| Fortigate - External Logging - 'fortianalyzer' | AUDIT AND ACCOUNTABILITY |
| Fortigate - External Logging - 'fortianalyzer2' | AUDIT AND ACCOUNTABILITY |
| Fortigate - External Logging - 'fortianalyzer3' | AUDIT AND ACCOUNTABILITY |
| Fortigate - External Logging - 'syslog2' | AUDIT AND ACCOUNTABILITY |
| Fortigate - External Logging - 'syslog3' | AUDIT AND ACCOUNTABILITY |
| Fortigate - External Logging - 'syslogd' | AUDIT AND ACCOUNTABILITY |
| Fortigate - Fortianalyzer Logs - severity 'information' | AUDIT AND ACCOUNTABILITY |
| Fortigate - Fortianalyzer2 Logs - severity 'information' | AUDIT AND ACCOUNTABILITY |
| Fortigate - Fortianalyzer3 Logs - severity 'information' | AUDIT AND ACCOUNTABILITY |
| Fortigate - full-final-warning-threshold <= 95% | AUDIT AND ACCOUNTABILITY |
| Fortigate - full-first-warning-threshold <= 75% | AUDIT AND ACCOUNTABILITY |
| Fortigate - full-second-warning-threshold <= 90% | AUDIT AND ACCOUNTABILITY |
| Fortigate - HTTPS/SSH admin access strong ciphers | ACCESS CONTROL |
| Fortigate - Inactivity timeout - 'console' <= 5 | ACCESS CONTROL |
| Fortigate - Inactivity timeout - 'console' <= 300 | ACCESS CONTROL |
| Fortigate - Inactivity timeout - 'global' <= 5 | ACCESS CONTROL |
| Fortigate - IPS database - extended | SYSTEM AND INFORMATION INTEGRITY |
| Fortigate - Local Logging - severity 'information' | AUDIT AND ACCOUNTABILITY |
| Fortigate - Local Logging is enabled | AUDIT AND ACCOUNTABILITY |
| Fortigate - Log user authentication messages | AUDIT AND ACCOUNTABILITY |
| Fortigate - Log WAN optimization messages | AUDIT AND ACCOUNTABILITY |
| Fortigate - Login Banner - post-login-banner | ACCESS CONTROL |
