FortiGate policy optimization in detail — a critical topic for network security engineers managing enterprise FortiGate environments.
FortiGate policy optimisation is not a one-time project you complete and close. It is an ongoing operational discipline that, when practised consistently, keeps your firewall performing efficiently, your audit findings minimal, and your security posture defensible. This guide is the complete reference — covering every stage from initial assessment through continuous maintenance.
FortiGate Policy Optimisation Framework
Phase 1: Discover
Baseline assessment
▸ Export policy table
▸ Run hit-count analysis
▸ Identify unnamed rules
▸ Find any-any rules
▸ Check logging gaps
▸ Detect shadow rules
▸ Audit admin accounts
Tools: AI-Policy Optimizer (APO) Tool / CLI
Phase 2: Remediate
Risk-ordered cleanup
▸ Enable logtraffic all
▸ Name all rules
▸ Disable zero-hit rules
▸ Tighten any-any scope
▸ Add UTM profiles
▸ Remove shadow rules
▸ Clean stale objects
30-day verify window
Phase 3: Maintain
Continuous hygiene
▸ Weekly auto-scan
▸ Quarterly full review
▸ Rule expiry schedules
▸ Change-ticket naming
▸ VDOM per-tenant audit
▸ Annual full rebuild
▸ Audit-ready docs
Automated pipeline
Cycle repeats — optimisation is a process, not a project
Phase 1: Discovery — Know Your Current State
Optimisation starts with an honest assessment of what you have. The discovery phase produces a baseline that quantifies the problem and prioritises remediation efforts.
Hit Count Analysis
The primary signal for policy health. A policy whose counters show zero bytes since the last reboot has matched no traffic in that window:
diagnose firewall iprope show 100004 0
For a persistent view that survives reboots, FortiAnalyzer stores per-policy traffic statistics over time. Query it for policies with no traffic in the past 90 days to exclude rules that match infrequent but legitimate periodic jobs.
Shadow Rule Detection
A shadow rule is one that a broader rule earlier in the policy table will always intercept, meaning the shadow rule can never match traffic regardless of hit count. Shadow rules are dangerous because they create the illusion of security controls that are never enforced.
Automated Baseline Report
The APO Tool consolidates discovery into a single report: zero-hit rate, unnamed rule rate, any-to-any count, logging gaps, and shadow rule count. Run it as the first step of every optimisation cycle to quantify the current state before making changes.
Phase 2: Remediation — Risk-Ordered Cleanup
Priority 1 — Logging Gaps (Highest Risk)
Enable logging on all allow policies before any other change. This creates an evidence trail for subsequent modifications and is required by all major compliance frameworks:
# Repeat for each allow-policy ID (edit 0 would create a new policy rather than change an existing one)
config firewall policy
edit <policy-id>
set logtraffic all
next
end
Priority 2 — Unnamed Rules
Apply your naming convention to all unnamed rules. A consistent format like ALLOW-{SRC}-TO-{DST}-{APP}-{TICKET} makes every subsequent review faster and creates traceability back to the change that created each rule.
Priority 3 — Disable Zero-Hit Rules (30-Day Verify)
Follow the disable-verify-delete workflow: disable the rule, monitor logs for 30 days, then delete. Never delete without the observation window — quarterly batch jobs and DR procedures will catch you off guard if you do.
Priority 4 — Tighten Overly Permissive Rules
Replace any-to-any rules with the specific traffic flows they were intended to permit. Use the traffic logs from the logging gap remediation step to identify exactly what the rule has been matching before tightening scope.
Phase 3: Maintain — Continuous Hygiene
Automated Weekly Scan
Configure the FortiGate automation framework or an external cron job to run policy analysis weekly. Alert only on threshold breaches — a 15% zero-hit rate or more than 10 new unnamed rules since the last scan — to avoid alert fatigue.
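A minimal version of the Phase 1 baseline report and the weekly threshold check, as an added Python example (my own code, not the APO Tool): it parses a constructed excerpt written in the layout of `show firewall policy` output, takes constructed byte counters standing in for the hit-count query, and raises the two alerts described above. Policy names, IDs and counters are made up.

```python
import shlex
# Constructed excerpt in the layout of `show firewall policy` output; not from a real device.
SHOW_OUTPUT = """config firewall policy
    edit 1
        set name "ALLOW-LAN-TO-DMZ-WEB"
        set action accept
        set srcaddr "LAN"
        set dstaddr "DMZ-WEB"
        set logtraffic all
    next
    edit 2
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
    next
    edit 3
        set name "DENY-GUEST-TO-CORP"
        set action deny
    next
end"""
HIT_BYTES = {1: 8_200_000, 2: 0, 3: 0}  # constructed per-policy byte counters (what the hit-count query supplies)

def parse_policies(text):
    """Turn each `edit <id> ... next` stanza into a dict of key -> list of values."""
    policies, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            cur = {"id": int(line.split()[1])}
        elif line == "next" and cur is not None:
            policies.append(cur)
            cur = None
        elif line.startswith("set ") and cur is not None:
            key, _, rest = line[4:].partition(" ")
            cur[key] = shlex.split(rest)
    return policies

def baseline(policies, hits, unnamed_last_scan=0):
    """Phase 1 metrics plus the weekly-scan alerts (15% zero-hit, >10 new unnamed rules)."""
    n = len(policies)
    zero_hit = [p["id"] for p in policies if hits.get(p["id"], 0) == 0]
    unnamed = [p["id"] for p in policies if "name" not in p]
    any_any = [p["id"] for p in policies if [p.get(k) for k in ("srcaddr", "dstaddr", "service")] == [["all"], ["all"], ["ALL"]]]
    # Only accept policies count; an absent logtraffic key means the device default, not "all".
    log_gaps = [p["id"] for p in policies if p.get("action") == ["accept"] and p.get("logtraffic") != ["all"]]
    alerts = [msg for breached, msg in ((len(zero_hit) / n >= 0.15, "zero-hit rate at or above 15%"),
              (len(unnamed) - unnamed_last_scan > 10, "more than 10 new unnamed rules")) if breached]
    return {"zero_hit": zero_hit, "unnamed": unnamed, "any_any": any_any, "log_gaps": log_gaps, "alerts": alerts}
```

Feed it the real `show firewall policy` output and the per-policy counters from your hit-count source, and persist the unnamed count between runs so the second threshold measures growth rather than the total.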
Rule Expiry Schedules
Attach schedule objects to all rules created for temporary needs. When the schedule expires, the rule stops matching traffic and automatically appears in your zero-hit list for review and deletion:
# Set both start and end explicitly; the example dates are 90 days apart
config firewall schedule onetime
edit "EXPIRE-90D"
set start 00:00 2026/04/29
set end 00:00 2026/07/28
next
end
Naming Convention Enforcement
Use a pre-change review checklist that requires a policy name and change ticket reference before any new rule is approved. This prevents unnamed rule accumulation at the source rather than requiring periodic cleanup.
VDOM-Per-Tenant Quarterly Review
For multi-VDOM environments, treat each VDOM as an independent policy domain with its own quarterly review cycle. The same optimisation framework applies in each VDOM context.
The Optimisation Mindset
The most important shift is treating policy optimisation as infrastructure maintenance — like patching or certificate renewal — rather than a special project that happens when auditors arrive. A 30-minute weekly scan and a quarterly full review are all it takes to keep a 500-policy table audit-ready year-round.
For the foundational technique that underlies every phase of this framework, see our original post on FortiGate zero-hit policy identification and cleanup — the starting point for every optimisation cycle.
FortiGate Policy Optimization: A Repeatable Operating Model
FortiGate policy optimization works best as a repeatable operating model: weekly lightweight scans, monthly exception review, quarterly cleanup, and annual architecture validation. This rhythm prevents policy debt from becoming a crisis before audits or migrations. It also gives management a measurable security hygiene trend.
Related FortiGate Cleanup Guide
Related baseline: FortiGate zero-hit policy cleanup guide.
When the same checks need to be repeated across multiple firewalls, APO Tool helps reduce manual review time while keeping the final change decision with the network security team.
Frequently Asked Questions
Q: What is FortiGate policy optimization?
A: It is the continuous process of removing unused rules, tightening broad access, improving naming, and maintaining audit evidence.
Q: How often should policy optimization run?
A: Use weekly scans, quarterly cleanup, and annual architecture review for a sustainable operating model.
References & Further Reading
Technical Tip: How policy order works on FortiGate — Fortinet Community
Technical Tip: How to check which firewall policy was last used on a FortiGate — Fortinet Community
Technical Tip: Security Rating shows Configuration has too many entries to check — Fortinet Community
Source: Fortinet Community Knowledge Base — community.fortinet.com
Advanced Policy Ordering: Performance and Security Trade-offs
FortiGate evaluates firewall policies from the top of the policy table down and applies the first match; new policies are appended at the bottom by default, so a table that has never been reordered is effectively in policy-ID order. This means policy placement directly affects both security enforcement and throughput performance. In a 400-policy environment, a packet destined for a high-traffic service that matches policy 380 will be evaluated against 379 policies before finding a match — adding measurable latency during session establishment.
The practical recommendation is to position high-traffic policies near the top of the policy table, while keeping restrictive or rarely-matched deny policies lower. However, this must be balanced carefully: a broad accept rule placed too high can shadow legitimate deny rules below it.
# Check policy hit counts to identify high-traffic policies
diagnose firewall iprope show 100004
# Move a high-traffic policy to a better position
config firewall policy
move 45 before 5
end
# Verify the reorder took effect
show firewall policy 45
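Shadow-rule detection from Phase 1 and the "is it safe to move this policy up?" caveat above come down to the same coverage test, so this added Python example (my own code, not the APO Tool's or Fortinet's) does both: `find_shadowed` flags rules that an earlier rule fully covers, and `move_creates_shadow` previews a `move X before Y` and lists what it would newly shadow. The policy table is constructed; addresses are assumed already resolved to CIDR prefixes, and interfaces and schedules are assumed identical across rules.

```python
from ipaddress import ip_network

# Constructed policy table in evaluation order (top to bottom); not taken from a real device.
# "all"/"ALL" stand in for FortiGate's wildcard address and service objects. All rules are
# assumed to share interfaces and schedule, which the real matcher also compares.
POLICIES = [
    {"id": 10, "srcaddr": ["10.1.0.0/16"], "dstaddr": ["192.0.2.0/24"], "service": ["HTTP", "HTTPS"], "action": "accept"},
    {"id": 20, "srcaddr": ["10.1.0.0/16"], "dstaddr": ["192.0.2.50/32"], "service": ["MYSQL"], "action": "deny"},
    {"id": 30, "srcaddr": ["10.9.0.0/24"], "dstaddr": ["203.0.113.0/24"], "service": ["SSH"], "action": "accept"},
    {"id": 40, "srcaddr": ["10.0.0.0/8"], "dstaddr": ["all"], "service": ["ALL"], "action": "accept"},
    {"id": 50, "srcaddr": ["10.1.50.0/24"], "dstaddr": ["192.0.2.0/24"], "service": ["HTTP"], "action": "accept"},
]

def addrs_cover(outer, inner):
    """True if every prefix in `inner` sits inside some prefix in `outer`."""
    if "all" in outer:
        return True
    if "all" in inner:
        return False
    outer_nets = [ip_network(p) for p in outer]
    return all(any(ip_network(i).subnet_of(o) for o in outer_nets) for i in inner)

def rule_covers(outer, inner):
    """True if `outer` matches every packet that `inner` would match."""
    return (addrs_cover(outer["srcaddr"], inner["srcaddr"])
            and addrs_cover(outer["dstaddr"], inner["dstaddr"])
            and ("ALL" in outer["service"] or set(inner["service"]) <= set(outer["service"])))

def find_shadowed(policies):
    """(shadowed_id, shadowing_id, action_conflict) for each rule an earlier rule fully covers."""
    findings = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if rule_covers(earlier, later):
                findings.append((later["id"], earlier["id"], earlier["action"] != later["action"]))
                break  # the first covering rule is the one that actually intercepts
    return findings

def move_creates_shadow(policies, moved_id, before_id):
    """Preview `config firewall policy / move <moved_id> before <before_id>`: rules it would newly shadow."""
    already = {f[0] for f in find_shadowed(policies)}
    order = [p for p in policies if p["id"] != moved_id]
    moved = next(p for p in policies if p["id"] == moved_id)
    order.insert([p["id"] for p in order].index(before_id), moved)
    return [f for f in find_shadowed(order) if f[0] not in already]
```

An `action_conflict` of True is the dangerous case the text warns about: a deny rule that a broad accept rule placed above it would silently neutralise.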
Object Reuse: Reducing Policy Table Complexity
One of the most effective long-term optimization strategies is rigorous address and service object reuse. Every unique object reference in a policy requires memory allocation and lookup time. Environments that create a new address object for each policy — rather than reusing existing objects — accumulate thousands of redundant objects over time.
# Find duplicate subnets across address objects. Save the output of "show firewall address"
# to a file first: the FortiOS CLI supports "| grep" but not sort/uniq (file name is an example)
grep "set subnet" firewall-address.txt | sort | uniq -d
# Check where an address object is referenced; no references listed means it is unused
diagnose sys checkused firewall.address.name "Web-01"
# Consolidate redundant objects
config firewall addrgrp
edit "Web-Infrastructure"
set member "Web-01" "Web-02" "Web-03" "Web-LB"
next
end
# Replace multiple individual references with the group
config firewall policy
edit 25
set dstaddr "Web-Infrastructure"
next
end
Long-Term Governance: Preventing Policy Drift
Policy optimization is not a one-time project — it is an ongoing governance discipline. Without process controls, a cleaned-up policy table will return to a bloated state within 12 to 18 months as new rules are added without corresponding cleanup of superseded ones.
The three controls with the highest impact on long-term policy hygiene are mandatory change tickets for every policy addition, a quarterly hit-count review that flags zero-hit policies for owner review, and an automatic expiry mechanism for temporary access rules using FortiGate’s schedule feature.
# Create a recurring schedule that limits a temporary rule to business hours (use a onetime schedule for a hard expiry date)
config firewall schedule recurring
edit "Business-Hours-Only"
set day monday tuesday wednesday thursday friday
set start 08:00
set end 18:00
next
end
# Apply schedule to temporary policies
config firewall policy
edit 99
set schedule "Business-Hours-Only"
set comments "Temporary access - ticket INC-2024-0892 - review Q2"
next
end