Security Rating FortiOS 6.0

| FSBP | Name | Status Update | Description | Products |
|---|---|---|---|---|
| SH05.1 | Admin Password Policy | New | A password policy should be set up for system administrators. | FortiGate |
| SH05.2 | Admin Password Security | New | The password policy should enforce secure passwords. | FortiGate |
| FS01.1 | Compatible Firmware | New | All FortiGates in the Security Fabric should run the same firmware version. | FortiGate, FortiAnalyzer |
| SH01.8 | Default Port HTTPS | New | HTTPS administrative access should not use the default port. | FortiGate |
| SH01.10 | Default Port SSH | New | SSH administrative access should not use the default port. | FortiGate |
| ND09.1 | Detect Botnet Connections | New | Interfaces classified as "WAN" should block or monitor outgoing connections to botnet sites. | FortiGate |
| ND07.1 | Device Discovery | New | Interfaces classified as "LAN" or "DMZ" should have device detection enabled. | FortiGate |
| EM01.1 | Endpoint Registration | New | Interfaces classified as "LAN" should have FortiTelemetry enabled. | FortiGate |
| ND01.2 | Unauthorized FortiAPs | New | All discovered FortiAPs should be either authorized or disabled. | FortiGate |
| FS01.2 | FortiAP Firmware Versions | New | All FortiAPs should be running the latest firmware. | FortiGate |
| AL02.2 | FortiAnalyzer | New | All FortiGates in the Security Fabric should be able to connect to and authenticate with their configured FortiAnalyzer. | FortiGate |
| FS02.1 | FortiCare Support | New | The FortiGate should be registered with FortiCare and have valid support coverage. | FortiGate |
| EM02.1 | FortiClient Compliance | New | All registered FortiClient devices should be compliant with the FortiClient compliance profile. | FortiGate |
| EM02.2 | FortiClient Protected | New | All supported devices should be registered via FortiClient. | FortiGate |
| EM01.2 | FortiClient Vulnerabilities | New | All registered FortiClient devices should have no critical vulnerabilities. | FortiGate |
| SH14.1 | FortiGate Identification | New | All FortiGates should have a unique hostname set. | FortiGate |
| FS02.6 | Anti-Spam | New | The Anti-Spam subscription should be valid. | FortiGate |
| FS02.3 | AntiVirus | New | The AntiVirus subscription should be valid. | FortiGate |
| FS02.10 | Firmware & General Updates | New | The Firmware & General Updates subscription should be valid. | FortiGate |
| FS02.7 | FortiClient | New | The FortiClient subscription should be valid. | FortiGate |
| FS02.2 | IPS | New | The IPS subscription should be valid. | FortiGate |
| FS02.8 | Industrial DB | New | The Industrial DB subscription should be valid. | FortiGate |
| FS02.9 | Outbreak Prevention | New | The Outbreak Prevention subscription should be valid. | FortiGate |
| FS03.1 | Security Rating | New | The Security Rating subscription should be valid. | FortiGate |
| FS02.5 | Web Filtering | New | The Web Filtering subscription should be valid. | FortiGate |
| TV01.1 | Advanced Threat Protection | New | Suspicious files should be submitted to a FortiSandbox Appliance or FortiSandbox Cloud for inspection. | FortiGate |
| TV01.2 | FortiSandbox Appliance | New | All FortiGates in the Security Fabric should be able to connect to their configured FortiSandbox Appliance. | FortiGate |
| ND01.1 | Unauthorized FortiSwitches | New | All discovered FortiSwitches should be either authorized or disabled. | FortiGate |
| FS01.3 | FortiSwitch Firmware Versions | New | All FortiSwitches should be running the latest firmware. | FortiGate |
| SH09.1 | Admin Idle Timeout | New | The timeout for idle administrators should be at most 10 minutes. | FortiGate, FortiAnalyzer |
| ND08.1 | Interface Classification | New | All interfaces should be classified as "LAN", "WAN", or "DMZ". | FortiGate |
| ND04.1 | LAN Segment Servers | New | Servers should be placed behind interfaces classified as "DMZ". | FortiGate |
| AL02.1 | Centralized Logging & Reporting | New | Logging and reporting should be done in a centralized place throughout the Security Fabric. | FortiGate |
| SH09.2 | Failed Login Attempts | New | The administrator lockout threshold should be at most 3 attempts, and the lockout duration at least 15 minutes. | FortiGate |
| SH01.5 | NTP | New | FortiGuard NTP servers, or multiple custom NTP servers, should be used for system time synchronization. | FortiGate |
| ND10.1 | Explicit Interface Policies | New | Policies that allow traffic should not use the "any" interface. | FortiGate |
| ND03.2 | Uniquely Named Policies | New | All policies should be uniquely named. | FortiGate |
| SH01.4 | SNMP Polling | New | Only SNMP v3 should be used for polling. | FortiGate |
| ND06.1 | Third Party Router & NAT Devices | New | No third-party router or NAT devices should be detected in the network. | FortiGate |
| SH01.3 | Trusted Hosts | New | For each administrator, login access should be restricted to trusted hosts. | FortiGate |
| SH09.5 | Two Factor Authentication | New | Every administrator should have two-factor authentication enabled. | FortiGate |
| SH15.1 | USB Auto Configuration | New | Automatic USB firmware and configuration provisioning should be disabled during normal operation. | FortiGate |
| SH01.2 | Unsecure Protocol - HTTP | New | Interfaces should not allow HTTP administrative access. | FortiGate |
| SH01.1 | Unsecure Protocol - Telnet | New | Interfaces classified as "WAN" should not allow Telnet administrative access. | FortiGate |
| ND03.1 | Unused Policies | New | All IPv4 policies should be in use. | FortiGate |
| ND05.2 | VLAN Management | New | Non-FortiLink interfaces should not have multiple VLANs configured on them. | FortiGate |
| SH03.1 | Valid HTTPS Certificate - Administrative GUI | New | The administrative GUI should use a valid and secure certificate. | FortiGate |
| SH04.2 | Valid Certificate - IPsec Tunnels | New | IPsec tunnels should use valid and secure certificates. | FortiGate |
| SH04.1 | Valid HTTPS Certificate - SSL-VPN | New | SSL-VPN should use a valid and secure certificate. | FortiGate |
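Most of the system-hardening rows above (SH01.x, SH05.1, SH09.x) and the interface rows ND07.1 and ND08.1 can be evaluated offline from a FortiOS CLI configuration backup, which is useful when you want to fail a change review before the device itself recalculates its rating. The script below is an added example, not Fortinet code or the rating engine's own logic: it parses the `config` / `edit` / `set` / `next` / `end` block syntax into nested dictionaries and applies the table's thresholds to it. The sample configuration is constructed, and the defaults the checker assumes for settings a `show`-style backup omits (admin-sport 443, admin-ssh-port 22, admintimeout 5, lockout threshold 3, lockout duration 60 seconds, trusted hosts unrestricted, two-factor disabled, role undefined, device identification disabled) are stated as assumptions in the code; if you feed it `show full-configuration` output, those defaults are simply overridden by the explicit values.

```python
"""Audit a FortiOS CLI config backup against part of the Security Rating table
(SH01.x, SH05.1, SH09.x, ND07.1, ND08.1). Added example, not Fortinet code;
the sample config is constructed and the FortiOS defaults are assumed."""
import shlex

# Constructed sample of a FortiOS config backup with several weak settings.
# FortiOS omits values at their defaults, so the audit must supply them.
SAMPLE_CONFIG = """
config system global
    set admin-sport 443
    set admintimeout 30
    set admin-lockout-threshold 5
end
config system password-policy
    set status disable
end
config system admin
    edit "admin"
    next
end
config system interface
    edit "wan1"
        set allowaccess ping https ssh telnet
        set role wan
    next
    edit "internal"
        set allowaccess ping http https
        set role lan
    next
    edit "port5"
        set allowaccess ping
    next
end
"""

def parse_fortios(text):
    """config/edit/set/next/end -> nested dicts; 'set k v1 v2' -> node['k'] == ['v1', 'v2']."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        kw, args = parts[0], parts[1:]
        if kw == "config":          # "config system global" -> key "system global"
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "edit":          # table entry keyed by its name
            stack.append(stack[-1].setdefault(args[0], {}))
        elif kw == "set":
            stack[-1][args[0]] = args[1:]
        elif kw in ("next", "end"):
            stack.pop()
    return root

def _first(node, key, default):
    """First value of a 'set' line, or the assumed FortiOS default if the line is absent."""
    vals = node.get(key)
    return vals[0] if vals else default

def audit(cfg):
    """Return [(check id, detail), ...] for every failed check."""
    findings = []
    g = cfg.get("system global", {})
    if _first(g, "admin-sport", "443") == "443":
        findings.append(("SH01.8", "HTTPS admin access on default port 443"))
    if _first(g, "admin-ssh-port", "22") == "22":
        findings.append(("SH01.10", "SSH admin access on default port 22"))
    if int(_first(g, "admintimeout", "5")) > 10:
        findings.append(("SH09.1", "admin idle timeout exceeds 10 minutes"))
    if (int(_first(g, "admin-lockout-threshold", "3")) > 3
            or int(_first(g, "admin-lockout-duration", "60")) < 900):   # duration is in seconds
        findings.append(("SH09.2", "lockout threshold > 3 attempts or duration < 15 minutes"))
    if _first(cfg.get("system password-policy", {}), "status", "disable") != "enable":
        findings.append(("SH05.1", "admin password policy not enabled"))
    for name, adm in cfg.get("system admin", {}).items():
        # trusthostN 0.0.0.0 0.0.0.0 is the default and means "any host"
        hosts = [v for k, v in adm.items()
                 if k.startswith("trusthost") and v[:2] != ["0.0.0.0", "0.0.0.0"]]
        if not hosts:
            findings.append(("SH01.3", f"admin {name!r} has no trusted hosts"))
        if _first(adm, "two-factor", "disable") == "disable":
            findings.append(("SH09.5", f"admin {name!r} has no two-factor authentication"))
    for name, itf in cfg.get("system interface", {}).items():
        access = set(itf.get("allowaccess", []))
        role = _first(itf, "role", "undefined")
        if "http" in access:
            findings.append(("SH01.2", f"{name} allows HTTP admin access"))
        if role == "wan" and "telnet" in access:
            findings.append(("SH01.1", f"{name} allows Telnet on a WAN interface"))
        if role not in ("lan", "wan", "dmz"):
            findings.append(("ND08.1", f"{name} is not classified as LAN, WAN or DMZ"))
        if role in ("lan", "dmz") and _first(itf, "device-identification", "disable") != "enable":
            findings.append(("ND07.1", f"{name} does not have device detection enabled"))
    return findings

if __name__ == "__main__":
    for check, detail in audit(parse_fortios(SAMPLE_CONFIG)):
        print(f"FAIL {check}: {detail}")
```

Run against the constructed sample it reports eleven failures, one per weak setting, including the three that come only from omitted defaults (SSH on port 22, a 60-second lockout, and the `admin` account with no trusted hosts and no two-factor authentication). The rows that depend on live state rather than configuration (subscription validity, FortiAnalyzer and FortiSandbox reachability, firmware currency, discovered FortiAPs and FortiSwitches) cannot be judged from a backup and are deliberately left to the device's own rating run.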