Security Fabric Audit and Fabric Score
This chapter contains information about the Security Fabric Audit and Fabric Score, which together provide a method to continually monitor and improve your Security Fabric’s configuration.
What is the Security Fabric Audit?
The Security Fabric Audit is a feature on your FortiGate that allows you to analyze your Security Fabric deployment to identify potential vulnerabilities and highlight best practices that could be used to improve your network’s overall security and performance.
Why should you run a Security Fabric Audit?
Using the Security Fabric Audit helps you to tune your network’s configuration, deploy new hardware and/or software, and gain more visibility and control of your network. Also, by checking your Security Fabric Score, which is determined based on how many checks your network passes/fails during the Audit, you can have confidence that your network is getting more secure over time.
Running a Security Fabric Audit
The Security Fabric Audit can be found by going to Security Fabric > Audit. In the first step, all detected FortiGates are shown.
In the second step, the audit is performed and a list of recommendations is shown. Two views are available: Failed or All Results. These views can be further segmented so that you view results from all FortiGates or just a specific unit.
In each view, a chart appears showing the results of the individual checks. The following information is shown: the name and a description of the check, which FortiGate the check was run on, the check's effect on your overall Security Fabric Score, and any necessary recommendations.
If you hover the mouse over the Result for a check, you can get a breakdown on how this score was determined.
For more information about this, see “Security Fabric Score” below.
In Step Three of the Audit, Easy Apply recommendations are displayed and can be applied. By using Easy Apply, you can change the configuration of any FortiGate in the fabric.
For other recommendations, further action is required if you wish to follow the recommendation.
You can also view Audit recommendations for specific devices using the FortiView Topology consoles. If a recommendation is available for a device, a circle containing a number appears. The number shows how many recommendations are available, while the color of the circle shows the severity of the highest check that failed (red is critical, orange is high, yellow is medium, and blue is low).
Logging for the Security Fabric Audit
An event log filter subtype is available for the Security Fabric Audit. Every time an audit is run, event logs are created on the root FortiGate that summarize the results of the audit as well as the details of the individual checks.
Syntax
config log eventfilter
    set security-audit {enable | disable}
end
The security-audit subtype is enabled by default.
Security Fabric Audit Checks
The Security Fabric Audit performs a variety of checks when analyzing your network. All checks are based on your current network configuration, using real-time monitoring. The Audit runs these checks across all FortiGates in the Security Fabric.
Firmware & Subscriptions
Goal | Severity | Check | Recommendation | Easy Apply?
Compatible Firmware | Critical | All FortiGates in the Security Fabric should run the same firmware version. | Run same version as root. | No
FortiCare Support | Critical | FortiGate should be registered with FortiCare. | Register with FortiCare. | No
FortiGuard License Subscriptions | High | All registered FortiGuard license subscriptions should be valid. | Renew subscriptions. | No
FortiAP Firmware Versions | Low | All FortiAPs should be running the latest firmware. | Upgrade FortiAP to recommended version. | No
FortiSwitch Firmware Versions | Low | All FortiSwitches should be running the latest firmware. | Update all FortiSwitches to use the latest firmware. | No
Internal Segmentation Firewall (ISFW)
Goal | Severity | Check | Recommendation | Easy Apply?
Interface Classification | High | All interfaces should be classified as either “LAN”, “WAN”, or “DMZ”. | Configure the interface role. | Yes
Device Discovery | High | Interfaces which are classified as “LAN” or “DMZ” should have device detection enabled. | Enable device detection. | Yes
Third Party Router & NAT Devices | Medium | No third party router or NAT devices should be detected in the network. | Replace the device with a FortiGate. | No
VLAN Management | Medium | Non-FortiLink interfaces should not have multiple VLANs configured on them. | Use FortiSwitch and FortiLink. | No
Centralized Logging & Reporting | High | Logging and reporting should be done in a centralized place throughout the Security Fabric. | Install FortiAnalyzer for logging & reporting. | No
LAN Segment | Medium | Servers should be placed behind interfaces classified as “DMZ”. | All servers should be moved to interfaces with role “DMZ”. | No
Unused Policies | Medium | All IPv4 policies should be used. | Review all IPv4 policies that haven’t been used in the last 90 days. | No
Advanced Threat Protection
Goal | Severity | Check | Recommendation | Easy Apply?
Advanced Threat Protection | High | Suspicious files should be submitted to FortiSandbox or FortiSandbox Cloud for inspection. | Configure AntiVirus profiles to send files to FortiSandbox or FortiSandbox Cloud for inspection. | No
Unauthorized FortiAPs | Medium | All discovered FortiAPs should be authorized or disabled. | Authorize or disable unauthorized FortiAPs. | Yes
Endpoint Compliance
Goal | Severity | Check | Recommendation | Easy Apply?
Endpoint Registration | High | Interfaces which are classified as “LAN” should have FortiTelemetry enabled. | Enable FortiTelemetry on “LAN” interfaces. | No
FortiClient Protected | Medium | All supported devices should be registered via FortiClient. | Register all devices via FortiClient. | Yes
FortiClient Compliance | Medium | All registered FortiClient devices should be compliant with the FortiClient profile. | Investigate the reason(s) for non-compliant FortiClient endpoints. | No
Security Best Practices
Goal | Severity | Check | Recommendation | Easy Apply?
Unsecure Protocol – HTTP | High | Interfaces which are classified as “WAN” should not allow HTTP administrative access. | Enable HTTPS redirection globally. | Yes
Unsecure Protocol – Telnet | High | Interfaces which are classified as “WAN” should not allow Telnet administrative access. | Disable Telnet. | Yes
Valid HTTPS Certificate – Administrative GUI | Medium | The administrative GUI should not be using a default built-in certificate. | Acquire a certificate for your domain, upload it, and configure the administrative GUI to use it. | No
Valid HTTPS Certificate – SSL VPN | Medium | SSL VPN should not be using a default built-in certificate. | Acquire a certificate for your domain, upload it, and configure SSL VPN to use it. | No
Admin Password Policy | Medium | A password policy should be set up for system administrators. | Enable a simple password policy for system administrators. | Yes
Security Fabric Score
The Security Fabric Score widget has been added to the FortiGate Dashboard to give visibility into auditing trends. This widget uses information from the Security Fabric Audit to determine your score. The score can be positive or negative; a higher score represents a more secure network.
The score is based on the number of checks that failed and the severity of those checks. The weight for each severity level is as follows:
- Critical: 50 points
- High: 25 points
- Medium: 10 points
- Low: 5 points
You earn points for passing a check only when it passes on all FortiGates in your fabric. In that case, the score for each FortiGate is calculated using this formula:
+Severity Weight x Secure FortiGate Multiplier
Here the Severity Weight is the severity's point value divided by the number of FortiGates in the fabric. The Secure FortiGate Multiplier is determined using logarithms and the number of FortiGates in the fabric. For example, if you have four FortiGates in your fabric that all pass the Compatible Firmware check, the score for each individual FortiGate is:
(50/4) x 1.292 = 16.2 points
If a check fails on any FortiGate in your fabric, the FortiGates that passed the check earn 0 points. For each FortiGate the check failed on, the score is calculated using this formula:
-Severity Weight x Count
Count is the number of times the check failed during the audit. In this formula the Severity Weight is the full point value for the severity, not divided by the number of FortiGates, as the example shows. For example, if two critical FortiClient vulnerabilities are discovered on a FortiGate during the Audit, that FortiGate's score for the check is:
-50 x 2 = -100 points
For checks that do not apply, your score does not change. For example, if you have no FortiAPs in the fabric, you receive no points, positive or negative, for the FortiAP Firmware Versions check.
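The following added example (not Fortinet's code) works the scoring rules above through in code: the severity weights, the rule that a check only earns points when every FortiGate passes it, the per-failure penalty, and the unchanged score for checks that do not apply. The page does not give the formula behind the Secure FortiGate Multiplier, so the caller supplies it; 1.292 is the four-FortiGate value from the page's example, and its value for other fabric sizes is left as an assumption. The device names and the FortiClient Vulnerabilities check in the sample results are constructed to reproduce the two examples on the page.

```python
# Added worked example of the Fabric Score arithmetic described above; this is
# not Fortinet's code. The Secure FortiGate Multiplier formula is not given on
# the page, so the caller supplies it; 1.292 is the four-FortiGate value from
# the page's example (assumption: its value for other fabric sizes is unknown).

SEVERITY_WEIGHT = {"Critical": 50, "High": 25, "Medium": 10, "Low": 5}


def score_check(severity, fail_counts, multiplier):
    """Score one audit check across the fabric.

    fail_counts maps each FortiGate in the fabric to the number of times the
    check failed on it (0 = passed), or None if the check does not apply there.
    Returns {fortigate: points} for this check.
    """
    weight = SEVERITY_WEIGHT[severity]
    n_fabric = len(fail_counts)  # number of FortiGates in the fabric
    applicable = {fg: c for fg, c in fail_counts.items() if c is not None}
    points = {fg: 0.0 for fg in fail_counts}  # not applicable -> unchanged
    if not applicable:
        return points
    if any(c > 0 for c in applicable.values()):
        # A failure anywhere: FortiGates that passed earn 0; each failing
        # FortiGate loses the full severity weight times its failure count.
        for fg, count in applicable.items():
            if count > 0:
                points[fg] = -float(weight * count)
        return points
    # Passed on every FortiGate: each earns
    # (severity weight / FortiGates in fabric) x Secure FortiGate Multiplier.
    for fg in applicable:
        points[fg] = (weight / n_fabric) * multiplier
    return points


def fabric_score(audit_results, multiplier):
    """audit_results: list of (goal, severity, fail_counts) tuples.

    Returns (total score rounded to one decimal, per-FortiGate totals).
    """
    per_fg = {}
    for _goal, severity, fail_counts in audit_results:
        for fg, p in score_check(severity, fail_counts, multiplier).items():
            per_fg[fg] = per_fg.get(fg, 0.0) + p
    return round(sum(per_fg.values()), 1), per_fg


# Constructed four-FortiGate fabric reproducing the page's two examples plus a
# check that does not apply (no FortiAPs). Device names are made up.
FOUR_FG_MULTIPLIER = 1.292
SAMPLE_RESULTS = [
    ("Compatible Firmware", "Critical",
     {"root": 0, "fg2": 0, "fg3": 0, "fg4": 0}),
    ("FortiClient Vulnerabilities", "Critical",
     {"root": 2, "fg2": 0, "fg3": 0, "fg4": 0}),
    ("FortiAP Firmware Versions", "Low",
     {"root": None, "fg2": None, "fg3": None, "fg4": None}),
]

if __name__ == "__main__":
    total, per_fg = fabric_score(SAMPLE_RESULTS, FOUR_FG_MULTIPLIER)
    for fg, p in per_fg.items():
        print(f"{fg}: {p:+.1f}")
    print(f"fabric total: {total:+.1f}")  # 4 x 16.15 - 100 = -35.4
```

Running it shows why a single failing unit dominates the widget: the four passing FortiGates earn about 16.2 points each for Compatible Firmware (64.6 in total), but the two critical failures on the root unit cost 100, so the fabric nets -35.4 even though every other check passed or did not apply.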