# Fortinet: Auditing Configs

## Overview

This skill guides systematic security and consistency auditing of FortiGate `.conf` snapshots. Use it when the user asks to "audit", "review for issues", "check security", or "validate" one or more firewall configs.

See `fortinet:read-configs` for how to locate and parse config sections, the fleet inventory, and file paths.
## Audit Workflow

- Determine scope: a single site or all 10 sites
- For each config section below, extract the relevant block using the read-configs approach
- Check each item in the checklist. A `.conf` snapshot omits any setting still at its factory default, so a missing `set` line means "default", not "off"; evaluate the check against the default when the line is absent (for example, a phase1 with no `set ike-version` line is IKEv1, and a policy with no `set utm-status` line has UTM disabled)
- Collect all findings into a report grouped by severity
- Present the report (Critical first, then Warning, then Info)
## Severity Definitions
| Severity | Meaning |
|---|---|
| Critical | Active security risk — should be remediated immediately |
| Warning | Suboptimal or inconsistent — should be reviewed |
| Info | Informational, best-practice gap — low urgency |
## Checklist

### System Global (`config system global`)
| Check | Field | Bad value | Severity | Note |
|---|---|---|---|---|
| Telnet enabled | admin-telnet | enable | Critical | Plaintext admin protocol |
| TLS minimum too low | ssl-min-proto-version | anything < TLSv1-2 (SSLv3, TLSv1, TLSv1-1) | Critical | Admin GUI/API will accept deprecated TLS versions |
| Lockout threshold too high | admin-lockout-threshold | > 3 | Warning | Default is 3 |
| Lockout duration too short | admin-lockout-duration | < 60 | Warning | |
| CLI audit log off | cli-audit-log | disable | Info | Useful for change tracking |
| Auto-save off | cfg-save | manual | Info | Risk of losing unsaved changes |
### System Interface (`config system interface`)

For each interface in the block:
| Check | Field | Bad value | Severity | Note |
|---|---|---|---|---|
| Telnet in allowaccess | allowaccess | contains telnet | Critical | |
| HTTP in allowaccess | allowaccess | contains http | Warning | Unencrypted management |
| No description | description | '' (empty) | Info | Undocumented interface |
| Interface down, no description | status | down with empty description | Info | Decommissioned? |
### Firewall Policies (`config firewall policy`)

For each policy (`edit N ... next`):
| Check | Condition | Severity | Note |
|---|---|---|---|
| Accept with no UTM | action accept AND utm-status disable (or no utm-status line, since disable is the default) | Warning | No inspection |
| Accept any-to-any | action accept AND srcaddr "all" AND dstaddr "all" | Critical | Overly permissive |
| Logging off | logtraffic disable | Warning | No visibility |
| Disabled policy | status disable | Info | Flag for review/cleanup |
| No policy name | name '' | Info | Hard to manage unnamed policies |
### Router Static (`config router static`)
| Check | Condition | Severity | Note |
|---|---|---|---|
| Multiple default routes | More than one entry with dst 0.0.0.0 0.0.0.0 (the default, so a default route usually shows no dst line at all) | Warning | Check distance/priority for intent |
| Blackhole route | blackhole enable | Info | Intentional? Document it |
### VPN IPsec Phase1 (`config vpn ipsec phase1-interface`)

For each tunnel:
| Check | Field | Bad value | Severity | Note |
|---|---|---|---|---|
| Weak encryption | proposal | contains 3des or des | Critical | Broken ciphers |
| Weak hash | proposal | contains -md5 | Critical | Broken hash |
| SHA1 only | proposal | contains -sha1 (no sha256/sha384) | Warning | SHA1 deprecated |
| IKEv1 | ike-version | 1 (or no ike-version line, since 1 is the default) | Warning | Prefer IKEv2 |
| Weak DH group | dhgrp | 1, 2, or 5 | Critical | 768/1024-bit MODP (groups 1 and 2) is practically breakable; 1536-bit group 5 is deprecated. Use 14 or higher, or an ECP group such as 19 |
### VPN IPsec Phase2 (`config vpn ipsec phase2-interface`)
| Check | Field | Bad value | Severity | Note |
|---|---|---|---|---|
| PFS disabled | pfs | disable | Warning | Forward secrecy lost |
| Weak proposal | proposal | contains 3des, des, or -md5 | Critical | Broken cipher or hash |

Known fleet issues to flag:

- CDW (`cdwfw01`) has `proposal aes128-sha1` and `dhgrp 2` on existing tunnels; these are already-known Critical findings (`dhgrp 2`; the SHA1-only proposal is additionally a Warning) and must still be reported
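The checklist above can be applied mechanically once the snapshot is parsed. The following is an added example, not the skill's own code or any Fortinet tooling: a parser for the `config / edit / set / next / end` structure of a single-VDOM `.conf` snapshot, and an `audit` function that applies a subset of the checks. The sample snapshot, the site name `site-a`, and the defaults substituted for absent fields (deny, disable, IKEv1, DH group 14) are assumptions; confirm the defaults for your FortiOS version with `show full-configuration`.

```python
"""Added example (not part of the skill): parse a FortiGate .conf snapshot and apply a
subset of the checklist. The snapshot below is constructed for a hypothetical site."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity check site location detail")

def parse_fortigate(text):
    """Map 'config / edit / set / next / end' text to {section: {entry: {field: [values]}}}.
    Sections without 'edit' keep fields under entry ''; nested sub-tables are skipped."""
    sections, path, entry = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        toks = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
        kw, args = toks[0], toks[1:]
        if kw == "config":
            path.append(" ".join(args))
            if len(path) == 1:
                sections.setdefault(path[0], {})
                entry = ""
        elif kw == "end":
            path.pop()
            if not path:
                entry = None
        elif len(path) != 1:
            continue                                   # inside a nested sub-table
        elif kw == "edit":
            entry = " ".join(args)
            sections[path[0]].setdefault(entry, {})
        elif kw == "next":
            entry = ""
        elif kw in ("set", "unset"):
            sections[path[0]].setdefault(entry, {})[args[0]] = args[1:]
    return sections

def audit(site, cfg):
    """Checklist over parsed sections. Snapshots omit fields at their default, so the
    default is substituted for an absent field; those defaults are assumptions."""
    out = []
    add = lambda sev, check, loc, detail: out.append(Finding(sev, check, site, loc, detail))
    g = cfg.get("system global", {}).get("", {})
    if g.get("admin-telnet", ["disable"]) == ["enable"]:
        add("Critical", "Telnet enabled", "system global", "admin-telnet enable")

    for name, i in cfg.get("system interface", {}).items():
        if "telnet" in i.get("allowaccess", []):
            add("Critical", "Telnet in allowaccess", f"system interface / edit {name}", "allowaccess has telnet")

    for pid, p in cfg.get("firewall policy", {}).items():
        loc = f"firewall policy / edit {pid}"
        accept = p.get("action", ["deny"]) == ["accept"]           # default action is deny
        if accept and p.get("srcaddr") == ["all"] and p.get("dstaddr") == ["all"]:
            add("Critical", "Accept any-to-any", loc, "srcaddr all -> dstaddr all")
        if accept and p.get("utm-status", ["disable"]) == ["disable"]:   # absent line = no UTM
            add("Warning", "Accept with no UTM", loc, "utm-status disable")

    for tun, p1 in cfg.get("vpn ipsec phase1-interface", {}).items():
        loc = f"vpn ipsec phase1-interface / edit {tun}"
        props = p1.get("proposal", [])
        if any(p.startswith(("des-", "3des-")) or p.endswith("-md5") for p in props):
            add("Critical", "Weak proposal", loc, "proposal " + " ".join(props))
        if p1.get("ike-version", ["1"]) == ["1"]:                  # absent line = IKEv1
            add("Warning", "IKEv1", loc, "ike-version 1")
        weak_dh = sorted(set(p1.get("dhgrp", ["14"])) & {"1", "2", "5"})   # assumed default 14
        if weak_dh:
            add("Critical", "Weak DH group", loc, "dhgrp " + " ".join(weak_dh))
    return out

# Constructed sample snapshot (hypothetical "site-a", not a real device): note the
# absent utm-status and ike-version lines and the nested ipv6 sub-table.
SAMPLE_A = """\
config system global
    set admin-telnet enable
end
config system interface
    edit "wan1"
        set allowaccess ping https ssh telnet
        config ipv6
            set ip6-allowaccess ping
        end
    next
end
config firewall policy
    edit 1
        set srcaddr "all"
        set dstaddr "all"
        set action accept
    next
end
config vpn ipsec phase1-interface
    edit "EV-AWS-00"
        set proposal aes128-sha1
        set dhgrp 2
    next
end
"""
```

`audit("site-a", parse_fortigate(SAMPLE_A))` returns six findings: the global and interface Telnet hits, the any-to-any policy and its missing UTM, and IKEv1 plus DH group 2 on the tunnel. The `aes128-sha1` proposal is not flagged here because the SHA1-only check is not in this subset; the point of the absent-line handling is that `utm-status` and `ike-version` are reported even though neither appears in the snapshot.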
## Report Format

```markdown
## Audit Report — {site(s)} — {date}

### Critical (N)
- **[SITE] [DOMAIN]** `config vpn ipsec phase1-interface / edit "EV-AWS-00"`
  Finding: `dhgrp 2` — DH group 2 (1024-bit) is cryptographically broken
  Remediation: `set dhgrp 14` (minimum) or `set dhgrp 19` for ECDH

### Warning (N)
- ...

### Info (N)
- ...

### Clean
- System lockout settings: all sites ✓
- ...
```
Always list what was checked and found clean, not just problems.
## Multi-Site Audit
When auditing all 10 sites, consolidate:
- Group by finding type, list affected sites
- Example: "Telnet enabled — affects: cdw (1/10 sites)"
- Produce a summary matrix: rows = finding types, columns = sites, cells = ✓/✗
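To show how the report format and the multi-site consolidation fit together, here is an added example that is not the skill's own code: `render_report` emits the severity-grouped report with the Clean section, and `consolidate` builds the per-finding "affects" lines and the ✓/✗ matrix. The findings, the three site names, the check list and the date are constructed for illustration.

```python
"""Added example (not part of the skill): render the report format above and the
multi-site consolidation from a list of findings. All findings below are constructed."""
from collections import namedtuple

Finding = namedtuple("Finding", "severity check site location detail")
SEVERITIES = ("Critical", "Warning", "Info")
SITES = ["site-a", "site-b", "site-c"]          # hypothetical fleet
ALL_CHECKS = ["Telnet enabled", "Weak DH group", "IKEv1", "CLI audit log off", "PFS disabled"]

# Constructed findings, shaped as the checklist would produce them.
FINDINGS = [
    Finding("Critical", "Telnet enabled", "site-a", "system global", "admin-telnet enable"),
    Finding("Critical", "Weak DH group", "site-a", 'vpn ipsec phase1-interface / edit "EV-AWS-00"', "dhgrp 2"),
    Finding("Warning", "IKEv1", "site-a", 'vpn ipsec phase1-interface / edit "EV-AWS-00"', "ike-version 1"),
    Finding("Warning", "IKEv1", "site-b", 'vpn ipsec phase1-interface / edit "HQ-DC"', "ike-version 1"),
    Finding("Info", "CLI audit log off", "site-c", "system global", "cli-audit-log disable"),
]


def render_report(scope, date, findings, checks=ALL_CHECKS):
    """Severity-grouped report: Critical, Warning, Info, then the Clean list of
    checks that produced no finding (clean results are listed, not omitted)."""
    lines = [f"## Audit Report - {scope} - {date}"]
    for sev in SEVERITIES:
        hits = [f for f in findings if f.severity == sev]
        lines.append(f"### {sev} ({len(hits)})")
        for f in hits:
            lines.append(f"- **[{f.site}]** `{f.location}`")
            lines.append(f"  Finding: `{f.detail}` ({f.check})")
    lines.append("### Clean")
    found = {f.check for f in findings}
    lines += [f"- {c}: clean ✓" for c in checks if c not in found]
    return "\n".join(lines)


def consolidate(findings, sites=SITES):
    """Multi-site view: per check the affected sites, the
    '<check> - affects: a, b (n/N sites)' summary lines and a ✓/✗ matrix."""
    affected = {}
    for f in findings:
        affected.setdefault(f.check, set()).add(f.site)
    summary = [f"{c} - affects: {', '.join(sorted(s))} ({len(s)}/{len(sites)} sites)"
               for c, s in sorted(affected.items())]
    rows = ["| Finding | " + " | ".join(sites) + " |", "|---|" + "---|" * len(sites)]
    for c, s in sorted(affected.items()):
        rows.append(f"| {c} | " + " | ".join("✗" if site in s else "✓" for site in sites) + " |")
    return affected, summary, "\n".join(rows)
```

`render_report("site-a", "2025-01-01", [f for f in FINDINGS if f.site == "site-a"])` lists the two Critical and one Warning finding, an empty Info section, and a Clean section naming the checks that produced nothing; `consolidate(FINDINGS)` yields lines such as `IKEv1 - affects: site-a, site-b (2/3 sites)` and a matrix with one row per finding type and one column per site.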