Fortigate Firewall Audit
by @vahagn-madatyan
FortiOS VDOM segmentation audit with UTM profile binding validation, FortiGuard service health assessment, SD-WAN security evaluation, and HA cluster posture...
clawhub install fortigate-firewall-auditπ About This Skill
name: fortigate-firewall-audit description: >- FortiOS VDOM segmentation audit with UTM profile binding validation, FortiGuard service health assessment, SD-WAN security evaluation, and HA cluster posture check. Systematic per-VDOM policy analysis for FortiGate appliances and FortiGate-VM instances. license: Apache-2.0 metadata: safety: read-only author: network-security-skills-suite version: "1.0.0" openclaw: '{"emoji":"π‘οΈ","safetyTier":"read-only","requires":{"bins":["ssh"],"env":[]},"tags":["fortinet","fortigate","firewall"],"mcpDependencies":[],"egressEndpoints":[]}'
FortiGate Firewall Security Policy Audit
Policy-audit-driven analysis of FortiGate/FortiOS firewall policies. Unlike generic firewall checklists that check for open ports and default-deny, this skill evaluates the FortiOS-specific security architecture: Virtual Domain (VDOM) segmentation, UTM profile binding on every allow policy, FortiGuard signature freshness, and SD-WAN SLA-based traffic steering security implications.
Covers FortiOS 7.x+ on FortiGate hardware appliances and FortiGate-VM virtual
instances. For FortiManager-managed deployments, the audit addresses ADOM
hierarchy and policy package consistency. Reference references/policy-model.md
for the full VDOM/UTM inspection chain and references/cli-reference.md for
read-only CLI commands.
When to Use
Prerequisites
diagnose-level privilege for runtime state)Procedure
Follow this audit flow sequentially. Each step builds on prior findings. The procedure moves from VDOM architecture inventory through per-VDOM rule-level analysis to UTM coverage, FortiGuard health, SD-WAN security, and HA posture.
Step 1: VDOM Architecture Inventory
Collect all VDOMs and their roles.
config vdom
edit root
end
get system status
On a multi-VDOM system, list all VDOMs:
diagnose sys vd list
For each VDOM, record: name, type (traffic/management/admin), assigned interfaces (physical and virtual), inter-VDOM link pairs, and VDOM resource limits (session count, CPU quota). Identify the management VDOM β this is where FortiGuard updates, logging, and administrative access are configured.
Check inter-VDOM links:
show system vdom-link
Inter-VDOM links function as virtual interfaces connecting two VDOMs. Traffic crossing a VDOM link is subject to the receiving VDOM's firewall policies β verify that inter-VDOM traffic is not bypassing inspection.
Verify VDOM resource limits to detect unbounded VDOMs that could starve other VDOMs during volumetric events:
config global
get system vdom-property
Flag any VDOM without explicit resource limits in a multi-VDOM deployment.
Step 2: Firewall Policy Rule-by-Rule Analysis
For each VDOM, retrieve the full policy table:
config vdom
edit
show firewall policy
FortiOS evaluates firewall policies top-down by sequence number within each VDOM. The first matching policy is applied. Evaluate each policy against these criteria:
srcaddr "all",dstaddr "all", service "ALL", and action accept are Critical
findings β they accept all traffic on all ports with no restriction.
utm-status, av-profile, webfilter-profile,
application-list, and ips-sensor on each allow policy.
status disable still occupyschedule other than alwaysCheck for unused policies using hit count data:
diagnose firewall iprope show 100004
Policies with zero hits over 90+ days are cleanup candidates.
Step 3: UTM Profile Binding Audit
For each allow policy in every VDOM, verify that UTM inspection profiles are bound. The goal is zero allow policies without threat inspection.
Check each allow policy for these profile bindings:
av-profile): File-based malware scanning. Required onwebfilter-profile): URL categorization and blocking.application-list): Application identificationips-sensor): Intrusion prevention signatures. Required onemailfilter-profile): Anti-spam for SMTP/IMAP/POP3.dlp-sensor): Data loss prevention pattern matching.ssl-ssh-profile): Determines whether encrypteddeep-inspection, AV and IPS see only connection metadata on HTTPS.Summarize coverage: count allow policies with full UTM binding versus allow policies with partial or no UTM profiles. Calculate the UTM coverage ratio.
Check the inspection mode per VDOM:
config vdom
edit
get system settings | grep inspection-mode
Flow-based mode applies all UTM in a single pass (faster, less thorough). Proxy-based mode buffers and inspects fully (more thorough, more resource intensive). The mode affects which UTM features are available and their efficacy.
Step 4: FortiGuard Service Validation
FortiGuard provides the signature databases that UTM profiles depend on. Stale signatures reduce detection efficacy.
get system fortiguard-service status
diagnose autoupdate versions
Verify the following signature databases are current:
| Database | Maximum Acceptable Age | Check Command |
|----------|----------------------|---------------|
| Antivirus definitions | 24 hours | diagnose autoupdate versions | grep -A2 'Virus' |
| IPS signatures | 7 days | diagnose autoupdate versions | grep -A2 'IPS' |
| Web filter database | 7 days | get webfilter status |
| Application control DB | 7 days | diagnose autoupdate versions | grep -A2 'App' |
| Anti-spam database | 7 days | diagnose autoupdate versions | grep -A2 'Spam' |
Check FortiGuard connectivity:
diagnose debug rating
execute ping service.fortiguard.net
If FortiGuard is unreachable, all cloud-dependent features (web filter rating queries, FortiSandbox cloud, outbreak prevention) operate in degraded mode using cached data only.
Verify the update schedule:
show system autoupdate schedule
Best practice is scheduled updates every 1β4 hours for AV and daily for IPS/App-Control. Manual-only updates are a finding.
Step 5: SD-WAN SLA and Rule Security
If SD-WAN is configured, evaluate security implications of traffic steering.
config vdom
edit
show system sdwan
Review SD-WAN components:
diagnose sys sdwan health-check
tie-break method.diagnose sys sdwan service
Step 6: HA and Session Sync Audit
Evaluate HA cluster security posture.
get system ha status
diagnose sys ha checksum cluster
Check the following:
diagnose sys ha checksum cluster
Compare configuration checksums between members. Mismatched checksums indicate configuration drift β a security risk when policies differ between HA members.
show system ha
Check session-pickup and session-pickup-connectionless settings.
Threshold Tables
Policy Rule Severity Classification
| Finding | Severity | Rationale |
|---------|----------|-----------|
| srcaddr "all" + dstaddr "all" + service "ALL" + action accept | Critical | Fully open policy β no restriction on source, destination, or service |
| Allow policy without any UTM profile (no AV, IPS, web-filter) | Critical | Traffic passes without threat inspection |
| FortiGuard unreachable β all signatures stale | Critical | UTM profiles active but signatures outdated; detection efficacy severely degraded |
| SD-WAN fail-open bypasses security inspection path | Critical | SLA failure routes traffic around UTM inspection |
| Allow policy with service "ALL" (specific src/dst) | High | Permits all services β evaluate whether specific services can be defined |
| FortiGuard signatures >7 days old | High | Detection gap for new threats discovered in the past week |
| VDOM without resource limits in multi-VDOM deployment | High | Unbounded VDOM can starve other VDOMs during volumetric events |
| HA configuration checksum mismatch between members | High | Policy or configuration drift β active and standby may enforce different rules |
| HA firmware version mismatch | High | Session sync and feature parity issues during failover |
| Allow policy with partial UTM (missing IPS or AV) | Medium | Some inspection, but exploit or malware detection gap |
| Disabled policies in production VDOM | Medium | Audit confusion; stale configuration; cleanup recommended |
| SSL inspection not set to deep-inspection on internet-bound policy | Medium | UTM sees only metadata on encrypted traffic β AV/IPS efficacy reduced |
| Schedule-based policy creates off-hours security gap | Medium | Access permitted during window only, but gap during that window is intentional risk |
| Inter-VDOM link without receiving-side policy | Medium | Traffic may traverse VDOM boundary without inspection |
| Policies with zero hits >90 days | Low | Unused rules β cleanup candidates |
UTM Coverage Maturity
| UTM Coverage Ratio | Maturity | Guidance | |---------------------|----------|----------| | >90% allow policies with full UTM | Mature | Maintain; review remaining gaps quarterly | | 60β90% allow policies with UTM | Developing | Prioritize internet-bound and inter-zone policies for UTM binding | | <60% allow policies with UTM | Immature | Systematic UTM profile binding campaign needed |
Decision Trees
UTM Gap Remediation
Allow policy without UTM profiles
βββ What traffic does this policy carry?
β βββ Internet-bound β CRITICAL: Bind full UTM (AV+IPS+WebFilter+AppCtrl+SSL deep-inspection)
β βββ Inter-VDOM or inter-zone β HIGH: Bind AV+IPS+AppCtrl minimum
β βββ Intra-zone management β MEDIUM: Bind IPS+AppCtrl; AV optional
β βββ Monitoring/logging only β LOW: Evaluate if allow is needed
β
βββ SSL inspection mode?
β βββ certificate-inspection β UTM limited to metadata on HTTPS
β β βββ Evaluate switching to deep-inspection for this policy
β βββ deep-inspection β Full UTM efficacy on encrypted traffic
β βββ none β Only unencrypted traffic inspected
β βββ Add ssl-ssh-profile before UTM profiles
β
βββ Inspection mode (VDOM-level)?
βββ flow-based β Single-pass; good performance, some UTM features limited
βββ proxy-based β Full buffered inspection; verify resource impact
βββ Check CPU/memory: diagnose sys top
VDOM Consolidation Assessment
Multi-VDOM deployment evaluation
βββ How many VDOMs are configured?
β βββ >10 VDOMs β Evaluate consolidation; management complexity increases risk
β βββ 3β10 VDOMs β Typical; verify each serves a distinct security function
β βββ 1β2 VDOMs β Minimal; verify VDOM is needed vs single-VDOM mode
β
βββ Do all VDOMs have active policies?
β βββ Empty or minimal policy VDOMs β Candidates for consolidation or removal
β βββ Active policy VDOMs β Verify traffic segmentation justification
β
βββ Are inter-VDOM links necessary?
β βββ Inter-VDOM traffic inspected by receiving VDOM β Correct architecture
β βββ Inter-VDOM traffic not inspected β Finding: add policies on VDOM links
β
βββ Resource contention?
βββ VDOM resource limits configured β Check utilization vs limits
βββ No limits β Set limits per VDOM to prevent starvation
SD-WAN Fail-Open Risk Evaluation
SD-WAN SLA failure scenario
βββ All SLA members for a rule fail
β βββ Rule has dst = security VDOM or UTM-inspecting path?
β β βββ Yes β Traffic falls to routing table
β β β βββ Routing table path includes UTM inspection? β Acceptable
β β β βββ Routing table path bypasses UTM? β CRITICAL: fail-open gap
β β βββ No β Standard egress; verify firewall policy still matches
β β
β βββ SLA health-check server unreachable (false positive)?
β βββ Single health-check server β HIGH: Add redundant check servers
β βββ Multiple servers, all down β Likely real outage; verify failover
β
βββ Partial SLA failure (some members down)
βββ Traffic steers to remaining members β Verify capacity
βββ Remaining member is a lower-security path β Evaluate risk
Report Template
FORTIGATE SECURITY POLICY AUDIT REPORT
========================================
Device: [hostname]
FortiOS Version: [version]
Platform: [FortiGate model / FortiGate-VM]
VDOM Mode: [multi-vdom / split-vdom / disabled]
Management: [standalone / FortiManager ADOM name]
Audit Date: [timestamp]
Performed By: [operator/agent]VDOM ARCHITECTURE:
VDOMs configured: [count]
Management VDOM: [name]
Inter-VDOM links: [count] ([list pairs])
VDOMs with resource limits: [n] / [total] PER-VDOM POLICY SUMMARY:
VDOM: [name]
- Total firewall policies: [count]
- Accept policies: [n] | Deny policies: [n]
- Policies with full UTM profiles: [n] / [accept count]
- Inspection mode: [flow-based / proxy-based]
- SSL inspection (deep): [n] policies
[Repeat for each VDOM]
FORTIGUARD STATUS:
Connectivity: [connected / unreachable]
AV signatures: [version] ([age])
IPS signatures: [version] ([age])
Web filter DB: [version] ([age])
Application control DB: [version] ([age])
Update schedule: [interval] SD-WAN STATUS:
SD-WAN enabled: [yes/no]
SLA health checks: [count] ([all passing / N failing])
Fail-open risk: [none identified / risk details] HA STATUS:
HA mode: [active-passive / active-active / standalone]
Firmware parity: [matched / mismatched β versions]
Config checksum: [matched / mismatched]
Session sync: [enabled / disabled] FINDINGS:
1. [Severity] [Category] β [Description]
VDOM: [vdom-name]
Policy ID: [id] (Seq: [sequence])
Interfaces: [srcintf] β [dstintf]
Issue: [specific problem]
Current Config: [relevant policy fields]
Recommendation: [specific remediation]
UTM COVERAGE:
Per-VDOM coverage ratios: [list each VDOM: n/total (%)]
Policies missing AV: [count]
Policies missing IPS: [count]
Policies missing web-filter: [count]
Policies missing application-control: [count] RECOMMENDATIONS:
[Prioritized action list by severity] NEXT AUDIT: [CRITICAL findings: 30d, HIGH: 90d, clean: 180d]
Troubleshooting
Large Multi-VDOM Deployments
Auditing more than 10 VDOMs manually is impractical. Export per-VDOM policy
tables via the FortiOS REST API (/api/v2/cmdb/firewall/policy?vdom=)
for programmatic analysis. Prioritize VDOMs carrying internet-bound or
inter-zone traffic β management VDOMs are lower risk.
FortiManager Policy Packages
In FortiManager-managed deployments, audit the installed policy on the
FortiGate (via show firewall policy), not just the FortiManager package β
local policies and installation state may differ. Use
diagnose fortimanager policy-check to identify discrepancies.
UTM Performance Impact
Before binding UTM profiles on high-throughput policies, assess headroom:
get system performance status
diagnose sys top 2 20
FortiGate models have rated throughput for NGFW and Threat Protection profiles. Ensure traffic volume is within rated capacity. If constrained, prioritize UTM on internet-bound policies and use flow-based inspection.
Firmware Upgrade Impact on Policies
FortiOS major upgrades may change UTM profile schema or deprecate features. Export the policy baseline before upgrading, then post-upgrade verify: UTM profile bindings preserved, policy sequence intact, SD-WAN rules migrated, and HA cluster upgraded in sequence (secondary first).
Split-VDOM Mode vs Multi-VDOM Mode
Split-VDOM provides two VDOMs (root + FG-traffic); full multi-VDOM allows custom count. Audit whether split-VDOM segmentation is sufficient for compliance requirements. Changing VDOM mode requires a reboot.
β‘ When to Use
βοΈ Configuration
diagnose-level privilege for runtime state)π Tips & Best Practices
Large Multi-VDOM Deployments
Auditing more than 10 VDOMs manually is impractical. Export per-VDOM policy
tables via the FortiOS REST API (/api/v2/cmdb/firewall/policy?vdom=)
for programmatic analysis. Prioritize VDOMs carrying internet-bound or
inter-zone traffic β management VDOMs are lower risk.
FortiManager Policy Packages
In FortiManager-managed deployments, audit the installed policy on the
FortiGate (via show firewall policy), not just the FortiManager package β
local policies and installation state may differ. Use
diagnose fortimanager policy-check to identify discrepancies.
UTM Performance Impact
Before binding UTM profiles on high-throughput policies, assess headroom:
get system performance status
diagnose sys top 2 20
FortiGate models have rated throughput for NGFW and Threat Protection profiles. Ensure traffic volume is within rated capacity. If constrained, prioritize UTM on internet-bound policies and use flow-based inspection.
Firmware Upgrade Impact on Policies
FortiOS major upgrades may change UTM profile schema or deprecate features. Export the policy baseline before upgrading, then post-upgrade verify: UTM profile bindings preserved, policy sequence intact, SD-WAN rules migrated, and HA cluster upgraded in sequence (secondary first).
Split-VDOM Mode vs Multi-VDOM Mode
Split-VDOM provides two VDOMs (root + FG-traffic); full multi-VDOM allows custom count. Audit whether split-VDOM segmentation is sufficient for compliance requirements. Changing VDOM mode requires a reboot.