How to Prepare Your FortiGate for an External Security Audit

This post covers preparing a FortiGate for an external security audit in detail, a critical topic for network security engineers managing enterprise FortiGate environments.

An external security audit on your FortiGate environment typically falls into one of two categories: a planned compliance review (PCI DSS, ISO 27001, SOC 2) or a post-incident forensic audit. The preparation requirements differ significantly between these two scenarios. This post focuses on the planned compliance review, specifically what you need to have ready three to four weeks before the auditors arrive — and what happens if you don’t.

The single biggest mistake I’ve seen in audit preparation is treating it as a documentation exercise. Auditors don’t just want to see policy screenshots. They test whether the controls actually work. In a 2023 PCI DSS audit for a retail client, a firewall policy that was documented as “deny all inbound to cardholder data environment” was actually shadowed by a broader any/any accept rule higher in the table. The auditor discovered this in 15 minutes using a simple packet capture test. The organization failed the audit and needed four weeks of remediation plus a re-audit, at a cost of approximately $180,000.

Four Weeks Before: Environment Assessment

Start with an honest assessment of where you are, not where you want to be.


# Generate a complete policy inventory
# The FortiOS CLI has no output redirection (">"); capture output over SSH from an admin workstation
ssh admin@[fortigate_ip] "show firewall policy" > /tmp/policy_inventory.txt

# Check policy hit counts: identifies potentially unused policies
ssh admin@[fortigate_ip] "diagnose firewall iprope show 100004" > /tmp/hit_counts.txt

# Review admin accounts
show system admin

# Check current firmware version against known vulnerabilities
get system status | grep Version
# Cross-reference with Fortinet PSIRT advisories

# Review logging configuration
show log setting
show log fortianalyzer setting
show log syslogd setting

# Verify NTP synchronization (timestamp integrity for logs)
diagnose sys ntp status

Critical Pre-Audit Findings Checklist

| Check | Command | Pass Criteria |
|---|---|---|
| No any/any accept rules | `show firewall policy \| grep "srcaddr.*all"` | No results, or every hit has a documented justification |
| All accept rules have logging | `show firewall policy \| grep "logtraffic disable"` | No accept policies with logging disabled |
| UTM profiles applied | `show full-configuration firewall policy \| grep "utm-status disable"` | All internet-facing policies have UTM (`show` alone omits the default `disable`) |
| No default admin accounts | `show system admin \| grep edit` | No account named "admin": default account renamed or disabled |
| MFA on admin access | `show system admin \| grep two-factor` | Two-factor enabled for all admins |
| Firmware current | `get system status` | Within two patch releases of latest stable |
| Log integrity | `diagnose sys ntp status` | NTP synchronized, max offset < 1 second |
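The first two table checks, plus the shadowing scenario from the PCI story above, can be run offline against captured `show firewall policy` output. The Python below is an added example and not part of the original post; the policy excerpt, interface and address names are constructed, and the shadow check treats the FortiOS catch-all names `any`, `all` and `ALL` as matching everything.

```python
import re
# Constructed excerpt of "show firewall policy" output (not from a real device):
# policy 1 is a broad any/any accept, policy 2 the documented deny that it shadows.
SAMPLE = """\
    edit 1
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set logtraffic disable
    next
    edit 2
        set srcintf "wan1"
        set dstintf "cde"
        set dstaddr "CDE-Servers"
        set action deny
    next
"""
MATCH_KEYS = ("srcintf", "dstintf", "srcaddr", "dstaddr", "service")
def parse_policies(text):
    """Return policies in table order as {option: [values]} dicts, quotes stripped."""
    policies, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("edit "):
            cur = {"id": [line[5:]]}
            policies.append(cur)
        elif cur is not None and line.startswith("set "):
            key, _, rest = line[4:].partition(" ")
            cur[key] = [v.strip('"') for v in re.findall(r'"[^"]*"|\S+', rest)]
    return policies

def covers(broad, narrow):
    """True if an earlier rule's values match all of a later rule's (any/all/ALL are FortiOS catch-alls)."""
    return bool({"any", "all", "ALL"} & set(broad)) or set(narrow) <= set(broad)

def audit_policies(policies):
    """Flag any/any accepts, unlogged accepts, and denies shadowed by an earlier broader accept."""
    findings = []
    for i, p in enumerate(policies):
        if p.get("action") == ["accept"]:
            if set(p.get("srcaddr", [])) == {"all"} and set(p.get("dstaddr", [])) == {"all"}:
                findings.append(f"policy {p['id'][0]}: any/any accept rule")
            if p.get("logtraffic") == ["disable"]:
                findings.append(f"policy {p['id'][0]}: accept rule with logging disabled")
        else:  # action defaults to deny when not shown
            for e in policies[:i]:
                if e.get("action") == ["accept"] and all(covers(e.get(k, []), p.get(k, [])) for k in MATCH_KEYS):
                    findings.append(f"policy {p['id'][0]}: deny shadowed by accept policy {e['id'][0]}")
    return findings
```

Feed it the full inventory captured in the previous step; a shadowed deny is exactly the finding an auditor's packet-capture test will surface.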

Three Weeks Before: Documentation Assembly

Auditors request documentation in advance. Being unprepared for documentation requests signals poor change management and often triggers deeper technical testing.

Required Documentation Package


# Run on the FortiGate CLI. FortiOS has no output redirection (">"), so capture
# output with your terminal's session logging or by running each command over SSH
# from an admin workstation.

# 1. Network topology diagram
# Export from FortiGate (partial: interfaces and zones)
show system zone
show system interface | grep -E "alias|ip|vdom|status"

# 2. Current configuration backup
# Use a literal date in the filename; the FortiOS CLI does not expand $(date)
execute backup config tftp audit_baseline_YYYYMMDD.conf 192.168.100.10

# 3. Change management log
# Export from your ITSM system; FortiGate itself stores limited change history.
# Configuration changes are event logs with subtype "system". The CLI filter has
# no time-range keyword: pull the full quarter from FortiAnalyzer/SIEM and spot-check days on-box
execute log filter reset
execute log filter category event
execute log filter field subtype system
execute log filter field date 2024-03-31
execute log display

# 4. Vulnerability scan results
# Run from external tool, but verify FortiGate's own vulnerability assessment
diagnose autoupdate versions
execute update-av
execute update-ips

# 5. Admin access log
execute log filter reset
execute log filter category event
execute log filter field subtype system
execute log filter field action login
execute log display

# 6. Failed login attempts (narrows the filter above)
execute log filter field status failed
execute log display

Policy Justification Matrix

For every accept policy in your rule set, auditors expect a business justification. Build this spreadsheet before the audit:


# Export policy details for the justification matrix (run from an admin workstation:
# the FortiOS CLI has no output redirection, so grep runs locally)
ssh admin@[fortigate_ip] "show firewall policy" | grep -E "edit [0-9]+|set name|set srcintf|set dstintf|set srcaddr|set dstaddr|set service|set action|set comments|next" > /tmp/policy_details.txt

# For each accept policy, you need:
# - Business justification (which application/service)
# - Owner (team or system)
# - Last review date
# - Risk acceptance (if any overly permissive element remains)
# - Compensating controls (if policy is broad but other controls mitigate)

Two Weeks Before: Control Testing

Test every control you’ll claim is in place. This is the step that most organizations skip, and it’s the most valuable.


# Test 1: Verify segmentation controls are enforced
# From a source host in the test environment
# This should be BLOCKED per your policy documentation
ping -c 3 [protected_server_ip] -I [source_interface]

# Verify the block appears in logs (on the FortiGate)
execute log filter reset
execute log filter category traffic
execute log filter field srcip [source_ip]
execute log filter field action deny
execute log display

# Test 2: Verify UTM is actually inspecting traffic
diagnose debug flow filter addr [test_client_ip]
diagnose debug enable
diagnose debug flow trace start 20
# Browse to a test malware sample site
# Verify UTM block appears in flow trace output
diagnose debug flow trace stop
diagnose debug disable
diagnose debug reset

# Test 3: Verify logging is reaching SIEM
# Generate a test deny event
# Verify the event appears in your SIEM within 5 minutes

# Test 4: Admin authentication test
# Attempt login with wrong password 5 times
# Verify account lockout activates; the threshold and duration live in system global
get system global | grep admin-lockout

# Test 5: Verify admin access is logged
execute log filter reset
execute log filter category event
execute log filter field action login
execute log filter view-lines 20
execute log display
# Confirm your test login attempts appear

# Test 6: NTP drift test
diagnose sys ntp status
# Verify "offset" is within acceptable range (< 1 second for PCI)
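Tests 4 and 5 can be verified from the exported event log instead of by eye. The Python below is an added example, not code from the original post: it parses FortiOS-style key=value event lines (a constructed sample; the user name, source IP and the `logdesc`/`action`/`status` field values are assumptions modelled on admin login events) and flags a successful login that lands inside the lockout window the preceding failures should have opened. The defaults of 3 attempts and 60 seconds mirror the FortiOS `admin-lockout-threshold` and `admin-lockout-duration` defaults.

```python
import re
from datetime import datetime, timedelta

# Constructed FortiOS-style admin login events (key=value format); not taken from a real device.
SAMPLE_LOG = """\
date=2024-01-15 time=10:22:01 type="event" subtype="system" logdesc="Admin login failed" user="fg-admin-jdoe" srcip=10.0.0.5 action="login" status="failed"
date=2024-01-15 time=10:22:05 type="event" subtype="system" logdesc="Admin login failed" user="fg-admin-jdoe" srcip=10.0.0.5 action="login" status="failed"
date=2024-01-15 time=10:22:09 type="event" subtype="system" logdesc="Admin login failed" user="fg-admin-jdoe" srcip=10.0.0.5 action="login" status="failed"
date=2024-01-15 time=10:22:20 type="event" subtype="system" logdesc="Admin login successful" user="fg-admin-jdoe" srcip=10.0.0.5 action="login" status="success"
"""
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally double-quoted

def parse_log(text):
    """Parse each log line into a dict; quoted values are unquoted and a datetime 'ts' is attached."""
    events = []
    for line in text.splitlines():
        ev = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        ev["ts"] = datetime.strptime(f'{ev["date"]} {ev["time"]}', "%Y-%m-%d %H:%M:%S")
        events.append(ev)
    return events

def check_lockout(events, threshold=3, duration_s=60):
    """Per (user, srcip): count logged failures, and when they reach `threshold`,
    record the lockout window; any success logged inside that window means the
    lockout did not hold (or the test login was not blocked as documented)."""
    results = {}
    for e in sorted((e for e in events if e.get("action") == "login"), key=lambda e: e["ts"]):
        key = (e["user"], e["srcip"])
        r = results.setdefault(key, {"failures": 0, "locked_until": None, "lockout_bypassed": False})
        if e["status"] == "failed":
            r["failures"] += 1
            if r["failures"] >= threshold:
                r["locked_until"] = e["ts"] + timedelta(seconds=duration_s)
        elif r["locked_until"] and e["ts"] < r["locked_until"]:
            r["lockout_bypassed"] = True  # a success while the account should still be locked
    return results
```

Run it over the `execute log display` output from Test 5 with your device's configured threshold and duration from `get system global`.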

Penetration Testing Coordination


# If a pen test is part of the audit, coordinate access window
# Enable enhanced logging during pen test window: let this VDOM override the global
# FortiAnalyzer setting, then point it at the audit collector in real time
config log setting
    set faz-override enable
end
config log fortianalyzer override-setting
    set status enable
    set server "192.168.100.200"
    set upload-option realtime
end

# After pen test, review for unexpected successes
execute log filter reset
execute log filter category traffic
execute log filter field srcip [pentest_source_ip]
execute log filter field action accept
execute log display

# Verify all pen test traffic was logged
diagnose sys session list | grep [pentest_source_ip]

One Week Before: Final Remediation Window

Any issues found in control testing must be remediated in this window. Emergency changes during the audit itself are a major red flag.


# Priority 1: Fix any/any rules
# First, analyze what traffic is actually using the rule
diagnose firewall iprope show 100004 [policy_id]
# If hit count is zero, safe to disable first
config firewall policy
    edit [policy_id]
        set status disable
        set comments "Disabled pre-audit - review traffic impact - 2024-01-15"
    next
end

# Priority 2: Enable logging on all accept policies
# List accept policies with their full config context (-f), then set logtraffic on each
show firewall policy | grep -f "action accept"
config firewall policy
    edit [policy_id]
        set logtraffic all
    next
end

# Priority 3: Update admin accounts
# Table entries are renamed with "rename"; there is no "set name" for admin accounts
config system admin
    rename "admin" to "fg-admin-jdoe"
    edit "fg-admin-jdoe"
        set password [strong_password]
        set two-factor fortitoken
        set fortitoken "FT[token_serial]"
    next
end

# Priority 4: Verify firmware
get system status | grep Version
# Update if needed — but ONLY if you have a tested rollback plan
# Never apply untested firmware in the week before an audit

Audit Day: What to Expect

External auditors typically follow a structured methodology. Understanding what they’re checking helps you prepare the right person with the right access in the room.

Common Auditor Tests on FortiGate


# Auditors will likely run or request these themselves:

# 1. Policy review — looking for broad/risky rules
show firewall policy

# 2. Admin account review
show system admin
show system admin | grep -E "two-factor|trusthost"

# 3. Log verification
# The CLI filter has no time-range keyword: sample individual days on-box and take
# the 30-day volume from FortiAnalyzer/SIEM
execute log filter reset
execute log filter category traffic
execute log filter field date [date_to_sample]
execute log display    # the header line reports "N logs found" for a volume check

# 4. Firmware and software version
get system status
diagnose autoupdate versions

# 5. Network segmentation test
# They may run this themselves with a laptop on the test network
# Or ask you to run specific ping/traceroute tests

# 6. Encryption standards
config vpn ssl settings
    show | grep ssl-min-proto
end

get system global | grep admin-https-ssl    # "get" includes defaults that "show" omits

# 7. Session timeout configuration
get system global | grep admintimeout
# PCI DSS requires ≤ 15 minutes
config system global
    set admintimeout 10    # 10 minutes maximum
end

Post-Audit: Hardening the Baseline

Whether you pass or fail, treat the audit findings as a permanent improvement baseline rather than a one-time compliance exercise.


# Create a post-audit snapshot for comparison (literal date; the FortiOS CLI does not expand $(date))
execute backup config tftp post_audit_YYYYMMDD.conf 192.168.100.10

# Document the audit baseline in comments
config system global
    set hostname "FG-PROD-01"
    set alias "FortiGate Production - Audit Baseline 2024-Q1"
end

# Schedule recurring automated checks. "monthly-trigger" (a scheduled automation-trigger)
# and "run-audit-script" (a cli-script automation-action) must be defined first;
# FortiOS 7.x attaches actions through a "config actions" subtable instead of "set action"
config system automation-stitch
    edit "monthly-audit-check"
        set trigger "monthly-trigger"
        set action "run-audit-script"
    next
end

# Tag policies with last-review date
config firewall policy
    edit 1
        set comments "Last reviewed: 2024-03-15 by jdoe | Next review: 2024-06-15"
    next
end

Organizations that treat the audit process as a continuous security practice rather than a periodic compliance event consistently outperform peers in both audit outcomes and actual security posture. The automated compliance checking framework for NIST 800-53 provides a repeatable process for maintaining this posture between audit cycles.

Timeline Summary

| Timeframe | Key Activities | Owner |
|---|---|---|
| T-4 weeks | Environment assessment, identify gaps | Firewall admin |
| T-3 weeks | Documentation assembly, policy justification matrix | Firewall admin + security manager |
| T-2 weeks | Control testing, remediation of test failures | Firewall admin |
| T-1 week | Final remediation, configuration freeze | Change advisory board |
| Audit day | Active cooperation, evidence provision | Firewall admin + manager |
| Post-audit | Findings remediation, process improvement | Security team |
