FortiGate Policy Optimization: A Complete Guide for Network Engineers

FortiGate policy optimisation is not a one-time project you complete and close. It is an ongoing operational discipline that, when practised consistently, keeps your firewall performing efficiently, your audit findings minimal, and your security posture defensible. This guide is the complete reference — covering every stage from initial assessment through continuous maintenance.

FortiGate Policy Optimisation Framework

Phase 1: Discover
Baseline assessment
▸ Export policy table
▸ Run hit-count analysis
▸ Identify unnamed rules
▸ Find any-any rules
▸ Check logging gaps
▸ Detect shadow rules
▸ Audit admin accounts

Tools: AI-Policy Optimizer (APO) Tool / CLI

Phase 2: Remediate
Risk-ordered cleanup
▸ Enable logtraffic all
▸ Name all rules
▸ Disable zero-hit rules
▸ Tighten any-any scope
▸ Add UTM profiles
▸ Remove shadow rules
▸ Clean stale objects

30-day verify window

Phase 3: Maintain
Continuous hygiene
▸ Weekly auto-scan
▸ Quarterly full review
▸ Rule expiry schedules
▸ Change-ticket naming
▸ VDOM per-tenant audit
▸ Annual full rebuild
▸ Audit-ready docs

Automated pipeline

Cycle repeats — optimisation is a process, not a project


Phase 1: Discovery — Know Your Current State

Optimisation starts with an honest assessment of what you have. The discovery phase produces a baseline that quantifies the problem and prioritises remediation efforts.

Hit Count Analysis

The primary signal for policy health. Policies with zero bytes since the last reboot are unused by definition:

diagnose firewall iprope show 100004 0

For a persistent view that survives reboots, FortiAnalyzer stores per-policy traffic statistics over time. Query it for policies with no traffic in the past 90 days to exclude rules that match infrequent but legitimate periodic jobs.

Shadow Rule Detection

A shadow rule is one that a broader rule earlier in the policy table will always intercept, meaning the shadow rule can never match traffic regardless of hit count. Shadow rules are dangerous because they create the illusion of security controls that are never enforced.

Automated Baseline Report

The APO Tool consolidates discovery into a single report: zero-hit rate, unnamed rule rate, any-to-any count, logging gaps, and shadow rule count. Run it as the first step of every optimisation cycle to quantify the current state before making changes.
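The shadow-rule definition above and the baseline metrics in this step can be computed directly from an exported policy table. The following is an added example, not code from the guide or the APO Tool; it works on a constructed policy list whose keys mirror FortiGate CLI keywords and assumes every rule is enabled with an always-on schedule.

```python
# Added example, not code from the guide or the APO Tool: compute the Phase 1
# baseline metrics over a constructed policy table. Keys mirror FortiGate CLI
# keywords; rules are assumed enabled with an always-on schedule.
ANY = {"all", "ALL", "any"}  # objects that match every address/service/interface
SHADOW_FIELDS = ("srcintf", "dstintf", "srcaddr", "dstaddr", "service")

def covers(a, b, field):
    """True if rule a's objects for `field` include everything rule b lists."""
    va, vb = set(a.get(field, [])), set(b.get(field, []))
    return bool(va & ANY) or vb <= va

def shadowed_by(policies, idx):
    """Id of the first earlier rule that intercepts all traffic rule `idx`
    could match (action is irrelevant: the earlier rule decides), else None."""
    for earlier in policies[:idx]:
        if all(covers(earlier, policies[idx], f) for f in SHADOW_FIELDS):
            return earlier["id"]
    return None

def baseline_report(policies):
    """Discovery metrics: unnamed rules, any-to-any rules, allow rules that
    do not log all traffic, and shadowed rules mapped to the rule hiding them."""
    report = {"total": len(policies), "unnamed": [], "any_any": [],
              "logging_gaps": [], "shadowed": {}}
    for i, p in enumerate(policies):
        if not p.get("name"):
            report["unnamed"].append(p["id"])
        if all(set(p.get(f, [])) & ANY for f in ("srcaddr", "dstaddr", "service")):
            report["any_any"].append(p["id"])
        if p.get("action") == "accept" and p.get("logtraffic") != "all":
            report["logging_gaps"].append(p["id"])
        if (hider := shadowed_by(policies, i)) is not None:
            report["shadowed"][p["id"]] = hider
    return report

# Constructed sample table in evaluation order (top to bottom); not from a real device.
SAMPLE = [
    {"id": 1, "name": "ALLOW-LAN-TO-WAN-WEB-CHG1001", "srcintf": ["port1"],
     "dstintf": ["port2"], "srcaddr": ["LAN-NET"], "dstaddr": ["all"],
     "service": ["HTTP", "HTTPS"], "action": "accept", "logtraffic": "all"},
    {"id": 2, "srcintf": ["port1"], "dstintf": ["port2"], "srcaddr": ["all"],  # unnamed, any-any, logs utm only
     "dstaddr": ["all"], "service": ["ALL"], "action": "accept", "logtraffic": "utm"},
    {"id": 3, "name": "DENY-LAN-TO-DMZ-TELNET-CHG1002", "srcintf": ["port1"],  # never enforced: rule 2 matches first
     "dstintf": ["port2"], "srcaddr": ["LAN-NET"], "dstaddr": ["DMZ-NET"],
     "service": ["TELNET"], "action": "deny", "logtraffic": "all"},
    {"id": 4, "name": "DENY-GUEST-TO-LAN-CHG1003", "srcintf": ["port3"], "dstintf": ["port1"],
     "srcaddr": ["GUEST-NET"], "dstaddr": ["LAN-NET"], "service": ["ALL"],
     "action": "deny", "logtraffic": "all"},
]

if __name__ == "__main__":
    print(baseline_report(SAMPLE))  # {'total': 4, 'unnamed': [2], 'any_any': [2], 'logging_gaps': [2], 'shadowed': {3: 2}}
```

Rule 3 is the dangerous case the text describes: a deny control that looks present in the table but can never fire because the any-to-any allow above it matches every packet first.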

Phase 2: Remediation — Risk-Ordered Cleanup

Priority 1 — Logging Gaps (Highest Risk)

Enable logging on all allow policies before any other change. This creates an evidence trail for subsequent modifications and is required by all major compliance frameworks. Repeat the following for each allow policy ID; note that edit 0 creates a new policy rather than modifying an existing one:

config firewall policy
    edit <policy-id>
        set logtraffic all
    next
end

Priority 2 — Unnamed Rules

Apply your naming convention to all unnamed rules. A consistent format like ALLOW-{SRC}-TO-{DST}-{APP}-{TICKET} makes every subsequent review faster and creates traceability back to the change that created each rule.

Priority 3 — Disable Zero-Hit Rules (30-Day Verify)

Follow the disable-verify-delete workflow: disable the rule, monitor logs for 30 days, then delete. Never delete without the observation window — quarterly batch jobs and DR procedures will catch you off guard if you do.

Priority 4 — Tighten Overly Permissive Rules

Replace any-to-any rules with the specific traffic flows they were intended to permit. Use the traffic logs from the logging gap remediation step to identify exactly what the rule has been matching before tightening scope.

Phase 3: Maintain — Continuous Hygiene

Automated Weekly Scan

Configure the FortiGate automation framework or an external cron job to run policy analysis weekly. Alert only on threshold breaches — a 15% zero-hit rate or more than 10 new unnamed rules since the last scan — to avoid alert fatigue.

Rule Expiry Schedules

Attach schedule objects to all rules created for temporary needs. When the schedule expires, the rule stops matching traffic and automatically appears in your zero-hit list for review and deletion:

config firewall schedule onetime
    edit "EXPIRE-90D"
        set end 00:00 2026/07/28
    next
end
config firewall policy
    edit <policy-id>
        set schedule "EXPIRE-90D"
    next
end

Naming Convention Enforcement

Use a pre-change review checklist that requires a policy name and change ticket reference before any new rule is approved. This prevents unnamed rule accumulation at the source rather than requiring periodic cleanup.

VDOM-Per-Tenant Quarterly Review

For multi-VDOM environments, treat each VDOM as an independent policy domain with its own quarterly review cycle. The same optimisation framework applies in each VDOM context.

The Optimisation Mindset

The most important shift is treating policy optimisation as infrastructure maintenance — like patching or certificate renewal — rather than a special project that happens when auditors arrive. A 30-minute weekly scan and a quarterly full review are all it takes to keep a 500-policy table audit-ready year-round.

For the foundational technique that underlies every phase of this framework, see our original post on FortiGate zero-hit policy identification and cleanup — the starting point for every optimisation cycle.

FortiGate Policy Optimization: A Repeatable Operating Model

FortiGate policy optimization works best as a repeatable operating model: weekly lightweight scans, monthly exception review, quarterly cleanup, and annual architecture validation. This rhythm prevents policy debt from becoming a crisis before audits or migrations. It also gives management a measurable security hygiene trend.

Related FortiGate Cleanup Guide

Related baseline: FortiGate zero-hit policy cleanup guide.

When the same checks need to be repeated across multiple firewalls, APO Tool helps reduce manual review time while keeping the final change decision with the network security team.

Frequently Asked Questions

Q: What is FortiGate policy optimization?

A: It is the continuous process of removing unused rules, tightening broad access, improving naming, and maintaining audit evidence.

Q: How often should policy optimization run?

A: Use weekly scans, quarterly cleanup, and annual architecture review for a sustainable operating model.

References & Further Reading

Source: Fortinet Community Knowledge Base — community.fortinet.com
