← Back to Blog

FortiGate Firewall Hardening Best Practices (2026)

A firewall is the first line of defense for any organization's network. However, deploying a FortiGate firewall with default settings is not enough to protect against today's sophisticated cyber threats. This guide covers practical FortiGate hardening techniques recommended for enterprise deployments.

1. Keep FortiOS Updated

Always run a supported FortiOS version. Avoid running End-of-Support firmware.

2. Change Default Administrator Account

Never use the default "admin" account. Disable or rename the default administrator account whenever possible.

3. Enable Multi-Factor Authentication (MFA)

Enable MFA for administrators, SSL VPN users, and remote users to reduce the risk of unauthorized access.

4. Restrict Administrative Access

Only allow management from trusted IP addresses such as the management VLAN, jump server, or VPN network.

5. Use Strong Password Policies

Strong passwords remain one of the most important security controls.

6. Disable Unused Services

Reduce the attack surface by disabling services that are not required.

7. Configure Security Profiles

Apply security profiles to every Internet policy to inspect and control traffic.

8. Enable IPS

IPS should operate in Protect Mode with automatic signature updates enabled, using the Recommended Protection profile.

9. Enable Web Filtering

Block malicious and non-business categories to reduce risk.

10. Enable Application Control

Block risky applications such as BitTorrent, Tor, UltraSurf, Psiphon, and unapproved remote administration tools.

11. Configure SSL Inspection

Modern malware hides in encrypted traffic. Use Deep Inspection and import the Fortinet CA certificate into managed endpoints.

12. Enable DNS Filtering

Block newly registered domains, malware domains, botnets, and phishing domains.

13. Harden SSL VPN

If SSL VPN is used, apply the following controls:

14. Configure IPSec VPN Securely

Use AES-256, SHA-256, DH Group 14+, IKEv2, and Perfect Forward Secrecy. Avoid DES, 3DES, and MD5.

15. Enable Logging

Forward logs to FortiAnalyzer, Syslog Server, or a SIEM (e.g., Wazuh, Microsoft Sentinel, Splunk).

16. Backup Configuration

Automate backups and store encrypted configuration, offline copies, and version history.

17. Enable HA Monitoring

For High Availability clusters, monitor interfaces, power supplies, CPU, memory, and session synchronization.

18. Monitor Resource Usage

Monitor CPU, memory, session count, IPS load, and disk usage. Configure alerts for abnormal utilization.

19. Enable Geo-IP Filtering

Block traffic from countries where your organization has no business operations, including high-risk regions, sanctioned countries, and known attack sources.

20. Use Least Privilege Policies

Avoid ANY → ANY → ALLOW rules. Use specific users, services, and destinations, and regularly review and remove unused rules.

21. Secure Management Interfaces

Use a dedicated management network and restrict HTTPS, SSH, and SNMP. Never expose management interfaces directly to the Internet.

22. Enable DoS Policies

Protect against SYN Flood, UDP Flood, ICMP Flood, and Port Scanning. Configure thresholds based on normal traffic patterns.

23. Integrate with FortiGuard Services

Enable Antivirus Updates, IPS Updates, Web Filter Ratings, DNS Security, and Outbreak Protection.

24. Audit Firewall Policies

Review policies monthly and remove shadow rules, unused objects, duplicate rules, and expired temporary access.

25. Regular Security Assessment

Perform Vulnerability Assessment, Penetration Testing, Firewall Rule Review, Configuration Audit, and Compliance Review at least quarterly.

Security Hardening Checklist

ItemStatus
Latest FortiOS Installed
MFA Enabled
Default Admin Disabled
HTTPS Only Management
IPS Enabled
Antivirus Enabled
Application Control Enabled
Web Filter Enabled
SSL Inspection Enabled
DNS Filter Enabled
Logging Configured
Geo-IP Blocking Enabled
Configuration Backups Scheduled
VPN Hardened
DoS Policies Enabled

Common Mistakes

Conclusion

A FortiGate firewall provides robust security capabilities, but its effectiveness depends on proper configuration and ongoing maintenance. By applying the hardening practices outlined in this guide, organizations can significantly reduce their attack surface, improve visibility into network activity, and strengthen their overall security posture.