Security Rating FortiOS 6.0

| FBSP | Name | Status update | Description | Products |
|---|---|---|---|---|
| AL02.1 | Centralized Logging & Reporting | Add | Logging and reporting should be done in a centralized place throughout the Security Fabric. | FortiGate |
| AL02.2 | FortiAnalyzer | Add | All FortiGates in the Security Fabric can connect to and authenticate with their configured FortiAnalyzer. | FortiGate |
| EM01.1 | Endpoint Registration | Add | Interfaces which are classified as "LAN" should have FortiTelemetry enabled. | FortiGate |
| EM01.2 | FortiClient Vulnerabilities | Add | All registered FortiClient devices should have no critical vulnerabilities. | FortiGate |
| FS01.1 | Compatible Firmware | Add | All FortiGates in the Security Fabric should run the same firmware version. | FortiGate |
| FS01.2 | FortiAP Firmware Versions | Add | All FortiAPs should be running the latest firmware. | FortiAP |
| FS01.3 | FortiSwitch Firmware Versions | Add | All FortiSwitches should be running the latest firmware. | FortiSwitch |
| FS02.1 | FortiCare Support | Add | FortiGate should be registered with FortiCare and have valid support coverage. | FortiGate, FortiAnalyzer |
| FS02.2 | IPS | Add | IPS subscription should be valid. | FortiGate |
| FS02.3 | AntiVirus | Add | AntiVirus subscription should be valid. | FortiGate |
| FS02.5 | Web Filtering | Add | Web Filtering subscription should be valid. | FortiGate |
| FS02.6 | Anti-Spam | Add | Anti-Spam subscription should be valid. | FortiGate |
| FS02.8 | Industrial DB | Add | Industrial DB subscription should be valid. | FortiGate |
| FS02.9 | Outbreak Prevention | Add | Outbreak Prevention subscription should be valid. | FortiGate |
| FS02.10 | Firmware & General Updates | Add | Firmware & General Updates subscription should be valid. | FortiGate |
| FS03.1 | Security Rating | Add | Security Rating subscription should be valid. | FortiGate |
| ND01.1 | Unauthorized FortiSwitches | Add | All discovered FortiSwitches should be authorized or disabled. | FortiSwitch |
| ND01.2 | Unauthorized FortiAPs | Add | All discovered FortiAPs should be authorized or disabled. | FortiAP |
| ND03.1 | Unused Policies | Add | All IPv4 policies should be used. | FortiGate |
| ND03.2 | Uniquely Named Policies | Add | Verify that all policies are uniquely named. | FortiGate |
| ND04.1 | LAN Segment Servers | Add | Servers should be placed behind interfaces classified as "DMZ". | FortiGate |
| ND05.2 | VLAN Management | Add | Non-FortiLink interfaces should not have multiple VLANs configured on them. | FortiGate |
| ND06.1 | Third Party Router & NAT Devices | Add | No third party router or NAT devices should be detected in the network. | FortiGate |
| ND07.1 | Device Discovery | Add | Interfaces which are classified as "LAN" or "DMZ" should have device detection enabled. | FortiGate |
| ND08.1 | Interface Classification | Add | All interfaces should be classified as either "LAN", "WAN", or "DMZ". | FortiGate |
| ND09.1 | Detect Botnet Connections | Add | Interfaces which are classified as "WAN" should block or monitor outgoing connections to botnet sites. | FortiGate |
| ND10.1 | Explicit Interface Policies | Add | Policies that allow traffic should not be using the "any" interface. | FortiGate |
| SH01.1 | Unsecure Protocol - Telnet | Add | Interfaces which are classified as "WAN" should not allow Telnet administrative access. | FortiGate, FortiAnalyzer |
| SH01.2 | Unsecure Protocol - HTTP | Add | Interfaces should not allow HTTP administrative access. | FortiGate, FortiManager, FortiAnalyzer |
| SH01.3 | Trusted Hosts | Add | For each administrator, login access should be restricted to trusted hosts. | FortiGate |
| SH01.4 | SNMP Polling | Add | Only SNMP v3 should be used for polling. | FortiGate |
| SH01.5 | NTP | Add | FortiGuard NTP servers, or multiple custom NTP servers, should be used for system time synchronization. | FortiGate |
| SH01.8 | Default Port HTTPS | Add | HTTPS should not use the default port. | FortiGate, FortiAnalyzer |
| SH01.10 | Default Port SSH | Add | SSH should not use the default port. | FortiGate |
| SH03.1 | Valid HTTPS Certificate - Administrative GUI | Add | The administrative GUI should be using a valid and secure certificate. | FortiGate |
| SH04.1 | Valid HTTPS Certificate - SSL-VPN | Add | SSL-VPN should be using a valid and secure certificate. | FortiGate |
| SH04.2 | Valid Certificate - IPsec Tunnels | Add | IPsec tunnels should be using valid and secure certificates. | FortiGate |
| SH05.1 | Admin Password Policy | Add | A password policy should be set up for system administrators. | FortiGate, FortiAnalyzer |
| SH05.2 | Admin Password Security | Add | The password policy should enforce secure passwords. | FortiGate, FortiAnalyzer |
| SH09.1 | Admin Idle Timeout | Add | The timeout for idle administrators should be at most 10 minutes. | FortiGate, FortiAnalyzer, FortiManager |
| SH09.2 | Failed Login Attempts | Add | The administrator lockout threshold should be at most 3 attempts, and the lockout duration at least 15 minutes. | FortiGate, FortiAnalyzer |
| SH09.5 | Two Factor Authentication | Add | Every administrator should have two factor authentication enabled. | FortiGate |
| SH14.1 | FortiGate Identification | Add | All FortiGates should have a unique hostname set. | FortiGate |
| SH15.1 | USB Auto Configuration | Add | Automatic USB firmware and configuration provisioning features should be disabled during normal operation. | FortiGate |
| TV01.1 | Advanced Threat Protection | Add | Suspicious files should be submitted to FortiSandbox Appliance/FortiSandbox Cloud for inspection. | FortiGate |
| TV01.2 | FortiSandbox Appliance | Add | All FortiGates in the Security Fabric can connect to their configured FortiSandbox Appliance. | FortiGate |
| N/A | FortiClient | Add | FortiClient subscription should be valid. | |
| N/A | FortiClient Compliance | Add | All registered FortiClient devices should be compliant with FortiClient compliance profile. | |
| N/A | FortiClient Protected | Add | All supported devices should be registered via FortiClient. | |
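Many of the SH, ND and a few other checks above are pure configuration state, which means they can also be verified offline against a FortiOS CLI backup before the unit is ever put on the Fabric. The script below is an added example, not Fortinet's rating engine or any Fortinet code: it parses the `config` / `edit` / `set` / `next` / `end` backup format and evaluates ten of the table's checks (SH01.1, SH01.2, SH01.3, SH01.4, SH09.1, SH09.2, SH09.5, SH15.1, ND07.1, ND09.1). Two assumptions matter. First, a FortiOS backup does not print settings that sit at their default, so every check carries the FortiOS 6.0 default it assumes (`admintimeout` 5 minutes, `admin-lockout-threshold` 3, `admin-lockout-duration` 60 seconds, SNMP community `status` enable, `auto-install-config` / `auto-install-image` enable, `device-identification` and `scan-botnet-connections` disable, `two-factor` disable); confirm them with `show full-configuration` on the firmware you run. Second, `SAMPLE_BACKUP` is a constructed config, not a capture from a real device. Checks that depend on live state (subscriptions, FortiAnalyzer or FortiSandbox reachability, firmware parity, discovered devices) cannot be reproduced this way and are left out.

```python
"""Offline audit of a FortiOS CLI configuration backup against a subset of the Security
Rating checks above.  Added example, not Fortinet's rating engine; SAMPLE_BACKUP is a
constructed config, not a real device's.  A backup omits settings left at their default,
so each check states the FortiOS 6.0 default it assumes (verify against your firmware)."""
import shlex


def parse_fortios_config(text):
    """Parse config/edit/set/next/end text into {section: {entry: {setting: [values]}}}.
    Settings directly under 'config' (no 'edit') go under entry ''; a block nested
    inside an edit gets the path 'outer/entry/inner'."""
    sections, stack = {}, []                  # stack of (section_path, current_entry)
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):  # skip blanks and the #config-version= header
            continue
        cmd, *args = shlex.split(line)        # shlex also strips the quotes around names
        if cmd == "config":
            path = "/".join(p for p in (*(stack[-1] if stack else ()), " ".join(args)) if p)
            sections.setdefault(path, {})
            stack.append((path, ""))
        elif cmd == "edit":
            stack[-1] = (stack[-1][0], args[0])
            sections[stack[-1][0]].setdefault(args[0], {})
        elif cmd == "next":
            stack[-1] = (stack[-1][0], "")
        elif cmd == "end":
            stack.pop()
        elif cmd == "set":
            path, entry = stack[-1]
            sections[path].setdefault(entry, {})[args[0]] = args[1:]
    return sections


def setting(entry, key, default):
    return entry.get(key, default.split())   # default = what a backup leaves unprinted


def audit(cfg):
    """Return [(check_id, finding), ...]; an empty list means every check here passed."""
    f = []
    for name, i in cfg.get("system interface", {}).items():
        role, access = setting(i, "role", "undefined")[0], setting(i, "allowaccess", "")
        if role == "wan" and "telnet" in access:
            f.append(("SH01.1", f"WAN interface {name} allows Telnet"))
        if "http" in access:
            f.append(("SH01.2", f"interface {name} allows HTTP administrative access"))
        if role in ("lan", "dmz") and setting(i, "device-identification", "disable")[0] != "enable":
            f.append(("ND07.1", f"{role.upper()} interface {name} has device detection disabled"))
        if role == "wan" and setting(i, "scan-botnet-connections", "disable")[0] == "disable":
            f.append(("ND09.1", f"WAN interface {name} neither blocks nor monitors botnet connections"))
    for name, a in cfg.get("system admin", {}).items():
        if not any(k.startswith("trusthost") for k in a):   # no trusthostN line means 0.0.0.0/0
            f.append(("SH01.3", f"administrator {name} is not restricted to trusted hosts"))
        if setting(a, "two-factor", "disable")[0] == "disable":
            f.append(("SH09.5", f"administrator {name} has no two-factor authentication"))
    for cid, c in cfg.get("system snmp community", {}).items():  # v1/v2c; v3 lives in 'snmp user'
        if setting(c, "status", "enable")[0] == "enable":
            f.append(("SH01.4", f"SNMP v1/v2c community {cid} is enabled"))
    g = cfg.get("system global", {}).get("", {})
    if int(setting(g, "admintimeout", "5")[0]) > 10:                          # minutes
        f.append(("SH09.1", "admin idle timeout exceeds 10 minutes"))
    if int(setting(g, "admin-lockout-threshold", "3")[0]) > 3 or int(setting(g, "admin-lockout-duration", "60")[0]) < 900:
        f.append(("SH09.2", "lockout threshold above 3 attempts or lockout shorter than 15 minutes (900 s)"))
    for key in ("auto-install-config", "auto-install-image"):                 # both default to enable
        if setting(cfg.get("system auto-install", {}).get("", {}), key, "enable")[0] == "enable":
            f.append(("SH15.1", f"{key} is enabled"))
    return f


SAMPLE_BACKUP = """\
config system global
    set admintimeout 30
end
config system interface
    edit "wan1"
        set allowaccess ping https ssh telnet
        set role wan
    next
    edit "internal"
        set allowaccess ping https http
        set role lan
    next
end
config system admin
    edit "admin"
        set trusthost1 10.0.10.0 255.255.255.0
    next
end
config system snmp community
    edit 1
        set name "public"
    next
end
"""

if __name__ == "__main__":
    for check_id, text in audit(parse_fortios_config(SAMPLE_BACKUP)):
        print(f"{check_id:<8}{text}")
```

Run as-is, the sample produces ten findings; note that SH09.2 and both SH15.1 findings come from settings the sample never mentions, which is exactly the trap when reading a backup by eye: an absent line is the default, and for `auto-install` and the lockout duration the default is the failing value. To clear the sample you would remove `telnet` and `http` from `allowaccess`, add `set scan-botnet-connections block` on `wan1` and `set device-identification enable` on `internal`, set `two-factor` on the admin, set `admin-lockout-duration 900` and `admintimeout 10` (or lower), disable or remove the v2c community, and add a `config system auto-install` block with both keys set to `disable`. Feeding the script the `show full-configuration` output instead of a plain backup removes the dependence on the assumed defaults.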