10 Essential FortiGate Audit Checks for Compliance Success

Whether you’re heading into a PCI-DSS QSA assessment, an ISO 27001 surveillance audit, or an internal security review, your FortiGate firewall policy table is always in scope. Auditors look for overly permissive rules, missing logging, and stale objects that create unaccountable network paths. A structured pre-audit checklist is the difference between a clean pass and a flurry of findings.

This guide walks through ten concrete checks every network engineer should perform before a compliance review. Each check includes the exact CLI command or GUI path so you can work through the list systematically.

Why FortiGate Policy Audits Are Complex

FortiGate deployments grow organically. A policy added for a project three years ago may never have been reviewed since. Unlike code, firewall rules don’t throw errors when they become obsolete — they simply sit there, consuming processing resources and widening the attack surface. Over time, the policy table becomes a mix of active rules, dead rules, and rules whose original intent is unknown.

Compliance frameworks require you to demonstrate that every allow rule has a documented business justification and that access is restricted to the minimum necessary. That is impossible if you can’t explain what half your rules do.

The 10-Point Pre-Compliance Checklist

Work through each item below. The checklist is interactive — check items off as you complete them.

✅ Pre-Compliance FortiGate Audit Checklist

1. Identify zero-hit policies — run diagnose firewall iprope show 100004 0 and flag any rule with 0 packets since last reboot.

2. Check for unnamed policies — Policy & Objects > Firewall Policy: sort by Name column and look for blank entries.

3. Verify no “any/any” rules exist — show firewall policy | grep -i "set srcaddr all" combined with set dstaddr all.

4. Confirm logging is enabled on all allow rules — show firewall policy | grep -A 20 "edit" | grep "set logtraffic".

5. Review disabled (inactive) policies — disabled rules accumulate silently; document each one’s business justification.

6. Validate address object accuracy — cross-reference IPAM or CMDB; stale address objects produce shadow rules.

7. Check service objects for “ALL” overuse — show firewall policy | grep "set service ALL" flags overly broad service definitions.

8. Confirm UTM profiles are attached to internet-facing rules — AV, IPS, and Web Filter profiles should be present on all WAN-sourced allow policies.

9. Review admin accounts and authentication settings — System > Administrators: no default admin account with blank password, MFA enabled.

10. Export and version-control the full configuration — execute backup config ftp <server> or via GUI: System > Config > Backup.

Using Automation to Speed Up the Process

Running these checks manually across hundreds of policies is time-consuming and error-prone. The APO Tool was built specifically to automate the most labour-intensive parts: identifying zero-hit policies, flagging unnamed rules, and detecting any/any configurations across your entire policy table in seconds.

For the CLI-based checks, the following one-liner exports a filtered policy summary useful for offline review:

show full-configuration firewall policy | grep -E "(edit|set name|set srcaddr|set dstaddr|set service|set logtraffic|set status)" > policy_summary.txt

Documenting Results

Auditors expect evidence, not just assertions. For each check, save the output of the relevant command with a timestamp. Store it in version control alongside your configuration backup. This creates an auditable history that demonstrates ongoing compliance rather than a point-in-time snapshot.

What Auditors Actually Look For

In practice, most audit findings on FortiGate deployments fall into four categories:

Overly permissive source or destination — any/any rules or rules scoped to entire subnets when specific hosts would suffice.
Missing UTM inspection — allow rules that bypass AV, IPS, or application control on internet-facing traffic.
No log evidence — rules with set logtraffic disable that produce no forensic trail.
Stale configuration — address objects pointing to decommissioned systems, or rules for services that were retired months ago.

The checklist above targets all four categories. Run it at least 30 days before an audit to give yourself time to remediate findings and generate fresh traffic logs that prove the changes are working.

Scheduling Regular Policy Reviews

Compliance is a continuous process, not a pre-audit sprint. Configure a calendar reminder to repeat this checklist quarterly. Pair it with the APO Tool for automated hit-count analysis, and you’ll spend less than an hour per quarter keeping your policy table audit-ready.

For a deeper look at one of the most common issues this checklist surfaces, see our previous post: FortiGate Hit Count Zero Policies: How to Find and Clean Them Up.