Security Fabric Audit and Fabric Score

This chapter contains information about the Security Fabric Audit and Fabric Score, which together provide a method to continually monitor and improve your Security Fabric’s configuration.

What is the Security Fabric Audit?

The Security Fabric Audit is a feature on your FortiGate that allows you to analyze your Security Fabric deployment to identify potential vulnerabilities and highlight best practices that could be used to improve your network’s overall security and performance.

Why should you run a Security Fabric Audit?

Using the Security Fabric Audit helps you to tune your network’s configuration, deploy new hardware and/or software, and gain more visibility and control of your network. Also, by checking your Security Fabric Score, which is determined based on how many checks your network passes/fails during the Audit, you can have confidence that your network is getting more secure over time.

Running a Security Fabric Audit

The Security Fabric Audit can be found by going to Security Fabric > Audit. In the first step, all detected FortiGates are shown.

In the second step, the audit is performed and a list of recommendations is shown. Two views are available: Failed or All Results. These views can be further segmented so that you view results from all FortiGates or just a specific unit.

In each view, a chart appears showing the results of individual checks. The following information is shown: the name and a description of the check, which FortiGate the check occurred on, how the check's result affects your overall security score, and any necessary recommendations.

If you hover the mouse over the Result for a check, you can get a breakdown of how this score was determined.

For more information about this, see “Security Fabric Score”.

In Step Three of the Audit, Easy Apply recommendations are displayed and can be applied. By using Easy Apply, you can change the configuration of any FortiGate in the fabric.

For other recommendations, further action is required if you wish to follow the recommendation.

You can also view Audit recommendations for specific devices using the FortiView Topology consoles. If a recommendation is available for a device, a circle containing a number appears. The number shows how many recommendations are available, while the color of the circle shows the severity of the highest check that failed (red is critical, orange is high, yellow is medium, and blue is low).

Logging for the Security Fabric Audit

An event filter subtype is available for the Security Audit. Every time an audit is run, event logs are created on the root FortiGate that summarize the results of the audit, as well as details of the individual tests.

Syntax

    config log eventfilter
        set security-audit {enable | disable}
    end

The security-audit setting is enabled by default.

Security Fabric Audit Checks

The Security Fabric Audit performs a variety of checks when analyzing your network. All checks are based on your current network configuration, using real-time monitoring. The Audit runs these checks across all FortiGates in the Security Fabric.

Firmware & Subscriptions

| Goal | Severity | Check | Recommendation | Easy Apply? |
| --- | --- | --- | --- | --- |
| Compatible Firmware | Critical | All FortiGates in the Security Fabric should run the same firmware version. | Run same version as root. | No |
| FortiCare Support | Critical | FortiGate should be registered with FortiCare. | Register with FortiCare. | No |
| FortiGuard License Subscriptions | High | All registered FortiGuard license subscriptions should be valid. | Renew subscriptions. | No |
| FortiAP Firmware Versions | Low | All FortiAPs should be running the latest firmware. | Upgrade FortiAP to recommended version. | No |
| FortiSwitch Firmware Versions | Low | All FortiSwitches should be running the latest firmware. | Update all FortiSwitches to use the latest firmware. | No |

Internal Segmentation Firewall (ISFW)

| Goal | Severity | Check | Recommendation | Easy Apply? |
| --- | --- | --- | --- | --- |
| Interface Classification | High | All interfaces should be classified as either “LAN”, “WAN”, or “DMZ”. | Configure the interface role. | Yes |
| Device Discovery | High | Interfaces which are classified as “LAN” or “DMZ” should have device detection enabled. | Enable device detection. | Yes |
| Third Party Router & NAT Devices | Medium | No third party router or NAT devices should be detected in the network. | Replace the device with a FortiGate. | No |
| VLAN Management | Medium | Non-FortiLink interfaces should not have multiple VLANs configured on them. | Use FortiSwitch and FortiLink. | No |
| Centralized Logging & Reporting | High | Logging and reporting should be done in a centralized place throughout the Security Fabric. | Install FortiAnalyzer for logging & reporting. | No |
| LAN Segment | Medium | Servers should be placed behind interfaces classified as “DMZ”. | All servers should be moved to interfaces with role “DMZ”. | No |
| Unused Policies | Medium | All IPv4 policies should be used. | Review all IPv4 policies that haven’t been used in the last 90 days. | No |
| Advanced Threat Protection | High | Suspicious files should be submitted to FortiSandbox or FortiSandbox Cloud for inspection. | Configure AntiVirus profiles to send files to FortiSandbox or FortiSandbox Cloud for inspection. | No |
| Unauthorized FortiAPs | Medium | All discovered FortiAPs should be authorized or disabled. | Authorize or disable unauthorized FortiAPs. | Yes |
| Unauthorized FortiSwitches | Medium | All discovered FortiSwitches should be authorized or disabled. | Authorize or disable unauthorized FortiSwitches. | Yes |

Endpoint Compliance

| Goal | Severity | Check | Recommendation | Easy Apply? |
| --- | --- | --- | --- | --- |
| Endpoint Registration | High | Interfaces which are classified as “LAN” should have FortiTelemetry enabled. | Enable FortiTelemetry on “LAN” interfaces. | No |
| FortiClient Protected | Medium | All supported devices should be registered via FortiClient. | Register all devices via FortiClient. | Yes |
| FortiClient Compliance | Medium | All registered FortiClient devices should be compliant with FortiClient profile. | Investigate non-compliant reason(s) for FortiClient endpoints. | No |
| FortiClient Vulnerabilities | Critical | All registered FortiClient devices should have no critical vulnerabilities. | Have FortiClient fix the detected critical vulnerabilities. | No |

Security Best Practices

| Goal | Severity | Check | Recommendation | Easy Apply? |
| --- | --- | --- | --- | --- |
| Unsecure Protocol – HTTP | High | Interfaces which are classified as “WAN” should not allow HTTP administrative access. | Enable HTTPS redirection globally. | Yes |
| Unsecure Protocol – Telnet | High | Interfaces which are classified as “WAN” should not allow Telnet administrative access. | Disable Telnet. | Yes |
| Valid HTTPS Certificate – Administrative GUI | Medium | The administrative GUI should not be using a default built-in certificate. | Acquire a certificate for your domain, upload it, and configure the administrative GUI to use it. | No |
| Valid HTTPS Certificate – SSL VPN | Medium | SSL VPN should not be using a default built-in certificate. | Acquire a certificate for your domain, upload it, and configure SSL VPN to use it. | No |
| Explicit Interface Policies | Low | Policies that allow traffic should not be using the “any” interface. | Change the policy to use a specific interface. | No |
| Admin Password Policy | Medium | A password policy should be set up for system administrators. | Enable a simple password policy for system administrators. | Yes |
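An offline version of three of the checks listed above (Interface Classification and the two Unsecure Protocol checks), run against a configuration backup using the FortiOS interface settings role and allowaccess. This is an added example, not Fortinet's audit code; the sample configuration is constructed, and treating an interface with no role line as unclassified is an assumption.

```python
# Constructed sample in FortiOS CLI backup syntax (not taken from a real device).
SAMPLE_CONFIG = """
config system interface
    edit "wan1"
        set role wan
        set allowaccess ping https http telnet
        config ipv6
            set ip6-allowaccess ping
        end
    next
    edit "port2"
        set role lan
        set allowaccess ping https telnet
    next
    edit "port3"
        set allowaccess ping
    next
end
"""
HTTP, TELNET = "Unsecure Protocol – HTTP", "Unsecure Protocol – Telnet"
ROLE = "Interface Classification"

def parse_interfaces(text):
    """Return {interface: {setting: [values]}} from 'config system interface'."""
    interfaces, current, depth = {}, None, 0     # depth 1 = inside the section
    for line in map(str.strip, text.splitlines()):
        if depth == 0:
            depth = 1 if line == "config system interface" else 0
        elif line.startswith("config "):
            depth += 1                           # nested block such as 'config ipv6'
        elif line == "end":
            depth -= 1                           # closes a nested block or the section
        elif depth == 1 and line.startswith("edit "):
            current = interfaces.setdefault(line[5:].strip('"'), {})
        elif depth == 1 and current is not None and line.startswith("set "):
            key, *values = line[4:].split()
            current[key] = values
    return interfaces

def audit_interfaces(text):
    """Return sorted (interface, failed check) pairs for the three checks."""
    findings = []
    for name, cfg in parse_interfaces(text).items():
        role = cfg.get("role", ["undefined"])[0]  # assumption: no role line = unclassified
        if role not in ("lan", "wan", "dmz"):
            findings.append((name, ROLE))
        for proto, check in (("http", HTTP), ("telnet", TELNET)):
            if role == "wan" and proto in cfg.get("allowaccess", []):
                findings.append((name, check))
    return sorted(findings)
```

In the sample, port2 allows Telnet but is not flagged, because the check in the table applies only to interfaces classified as “WAN”.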

Security Fabric Score

The Security Fabric Score widget has been added to the FortiGate Dashboard to give visibility into auditing trends. This widget uses information from the Security Fabric Audit to determine your score. The score can be positive or negative, with a higher score representing a more secure network.

The score is based on the number of checks failed and the severity of these checks. The weight for each severity level is as follows:

- Critical: 50 points
- High: 25 points
- Medium: 10 points
- Low: 5 points

You get points for passing a test only when it passes for all FortiGates in your fabric. If this occurs, the score is calculated using this formula:

+Severity Weight x Secure FortiGate Multiplier

The Severity Weight is calculated as Severity divided by the number of FortiGates in the Fabric. The Secure FortiGate Multiplier is determined using logarithms and the number of FortiGates in the fabric. For example, if you have four FortiGates in your fabric that all pass the Compatible Firmware check, your score for each individual FortiGate is:

(50/4) x 1.292 = 16.2 points

If a test fails on any FortiGate in your Fabric, all other FortiGates that passed the check are awarded 0 points. For the FortiGate the test failed on, the score is calculated using this formula:

-Severity Weight x Count

Count is the number of times the check failed during the audit. For example, if two critical FortiClient vulnerabilities are discovered during the Audit, your score for that check is:

-50 x 2 = -100 points

 

For checks that do not apply, your score does not change. For example, if you have no FortiAPs in the fabric, you will receive no points for the FortiAP Firmware Versions check.
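The scoring rules above applied to a whole fabric, as an added example that is not Fortinet's code. It follows the two worked calculations on this page; using the undivided severity points for a failure (as in -50 x 2), passing the multiplier in as a parameter because the page gives only its value for four FortiGates (1.292), and the FortiGate names are assumptions.

```python
SEVERITY_POINTS = {"critical": 50, "high": 25, "medium": 10, "low": 5}

def score_check(severity, failures, multiplier):
    """Score one check for every FortiGate in the fabric.

    failures maps FortiGate name -> times the check failed there (0 = passed);
    an empty dict means the check does not apply. Returns {name: points}.
    """
    points = SEVERITY_POINTS[severity]
    if not failures:
        return {}                                  # not applicable: score unchanged
    if all(count == 0 for count in failures.values()):
        # Passed everywhere: +(severity / number of FortiGates) x multiplier.
        award = points / len(failures) * multiplier
        return {name: award for name in failures}
    # Failed somewhere: passing units get 0, failing units -severity x count
    # (assumption: undivided severity points, as in the page's -50 x 2 example).
    return {name: -points * count for name, count in failures.items()}

def fabric_scores(audit, multiplier):
    """Sum score_check() over all (severity, failures) audit results."""
    totals = {}
    for severity, failures in audit:
        for name, pts in score_check(severity, failures, multiplier).items():
            totals[name] = totals.get(name, 0) + pts
    return totals

# Constructed audit of a four-FortiGate fabric (names are hypothetical).
FABRIC = ["fgt-root", "fgt-a", "fgt-b", "fgt-c"]
SAMPLE_AUDIT = [
    ("critical", dict.fromkeys(FABRIC, 0)),                  # Compatible Firmware: all pass
    ("critical", {**dict.fromkeys(FABRIC, 0), "fgt-b": 2}),  # FortiClient Vulnerabilities
    ("low", {}),                                             # FortiAP Firmware Versions: n/a
]
MULTIPLIER_FOR_FOUR = 1.292   # the value this page gives for four FortiGates

if __name__ == "__main__":
    for name, total in fabric_scores(SAMPLE_AUDIT, MULTIPLIER_FOR_FOUR).items():
        print(f"{name}: {total:+.2f}")
```

The second sample check shows the asymmetry in the rules: two failures on one FortiGate cost that unit 100 points, and the three units that passed earn nothing for the check.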

This entry was posted in FortiOS 5.6.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
