A firewall is the first line of defense for any organization's network. However, deploying a FortiGate firewall with default settings is not enough to protect against today's sophisticated cyber threats. This guide covers practical FortiGate hardening techniques recommended for enterprise deployments.
Always run a supported FortiOS version. Avoid running End-of-Support firmware.
Never use the default "admin" account. Disable or rename the default administrator account whenever possible.
Enable MFA for administrators, SSL VPN users, and remote users to reduce the risk of unauthorized access.
Only allow management from trusted IP addresses such as the management VLAN, jump server, or VPN network.
Strong passwords remain one of the most important security controls.
Reduce the attack surface by disabling services that are not required.
Apply security profiles to every Internet policy to inspect and control traffic.
IPS should operate in Protect Mode with automatic signature updates enabled, using the Recommended Protection profile.
Block malicious and non-business categories to reduce risk.
Block risky applications such as BitTorrent, Tor, UltraSurf, Psiphon, and unapproved remote administration tools.
Modern malware hides in encrypted traffic. Use Deep Inspection and import the Fortinet CA certificate into managed endpoints.
Block newly registered domains, malware domains, botnets, and phishing domains.
If SSL VPN is used, apply the following controls:
Use AES-256, SHA-256, DH Group 14+, IKEv2, and Perfect Forward Secrecy. Avoid DES, 3DES, and MD5.
Forward logs to FortiAnalyzer, Syslog Server, or a SIEM (e.g., Wazuh, Microsoft Sentinel, Splunk).
Automate backups and store encrypted configuration, offline copies, and version history.
For High Availability clusters, monitor interfaces, power supplies, CPU, memory, and session synchronization.
Monitor CPU, memory, session count, IPS load, and disk usage. Configure alerts for abnormal utilization.
Block traffic from countries where your organization has no business operations, including high-risk regions, sanctioned countries, and known attack sources.
Avoid ANY → ANY → ALLOW rules. Use specific users, services, and destinations, and regularly review and remove unused rules.
Use a dedicated management network and restrict HTTPS, SSH, and SNMP. Never expose management interfaces directly to the Internet.
Protect against SYN Flood, UDP Flood, ICMP Flood, and Port Scanning. Configure thresholds based on normal traffic patterns.
Enable Antivirus Updates, IPS Updates, Web Filter Ratings, DNS Security, and Outbreak Protection.
Review policies monthly and remove shadow rules, unused objects, duplicate rules, and expired temporary access.
Perform Vulnerability Assessment, Penetration Testing, Firewall Rule Review, Configuration Audit, and Compliance Review at least quarterly.
| Item | Status |
|---|---|
| Latest FortiOS Installed | ☐ |
| MFA Enabled | ☐ |
| Default Admin Disabled | ☐ |
| HTTPS Only Management | ☐ |
| IPS Enabled | ☐ |
| Antivirus Enabled | ☐ |
| Application Control Enabled | ☐ |
| Web Filter Enabled | ☐ |
| SSL Inspection Enabled | ☐ |
| DNS Filter Enabled | ☐ |
| Logging Configured | ☐ |
| Geo-IP Blocking Enabled | ☐ |
| Configuration Backups Scheduled | ☐ |
| VPN Hardened | ☐ |
| DoS Policies Enabled | ☐ |
A FortiGate firewall provides robust security capabilities, but its effectiveness depends on proper configuration and ongoing maintenance. By applying the hardening practices outlined in this guide, organizations can significantly reduce their attack surface, improve visibility into network activity, and strengthen their overall security posture.