Tutorial · 2026-04-01 · 6 min read

How to Audit a FortiGate Firewall: Export, Analyze, and Fix Common Issues

A hands-on guide for auditing FortiGate firewall policies. Covers config export, the most common FortiOS misconfigurations, and how to fix them.

FortiGate firewalls are the most deployed enterprise firewalls globally. They're also the most commonly misconfigured — not because FortiOS is bad, but because it's flexible enough to let you do almost anything, including things you shouldn't.

This guide walks through the process of exporting, analyzing, and fixing the most common FortiGate policy issues.

Step 1: Export the Configuration

From the FortiGate GUI:

  1. Go to System → Configuration → Backups
  2. Select Full Configuration
  3. Click Backup and save the .conf file

From the CLI:

execute backup full-config tftp <filename> <server-ip>

Or simply:

show full-configuration

Copy the output to a text file. This is your audit input.

Step 2: What to Look For

Allow-All Policies

The most dangerous pattern in FortiOS:

config firewall policy
    edit 16
        set name "ALLOW-ALL-OUTBOUND"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

This rule allows any internal host to reach any external destination on any port. It should be replaced with specific rules for known services (HTTPS, DNS, email).

Missing UTM Profiles

FortiGate's value is in its UTM features — antivirus, IPS, web filtering, application control. A permit rule without UTM profiles attached is a missed opportunity:

# Bad: no inspection
set action accept

# Good: full inspection
set action accept
set utm-status enable
set av-profile "default"
set ips-sensor "default"
set webfilter-profile "default"

Disabled Logging

By default a FortiGate policy logs only UTM (security) events, not the sessions it allows. Make sure every policy has:

set logtraffic all

Not just set logtraffic utm: that records only security events, whereas all captures both allowed and denied sessions, which is what you need for forensics.

Stale VIP Mappings

Virtual IPs (VIPs) that map external addresses to internal servers are common in FortiGate. Check for VIPs that point to internal addresses that no longer exist, or VIPs with mappedport ranges wider than necessary.

Weak Admin Access

Check the admin configuration:

config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 0.0.0.0 0.0.0.0  # BAD: accessible from anywhere
    next
end

Admin access should be restricted to specific management networks via trusthost settings.

Step 3: Automate It

Manually reading through a FortiGate config with 200+ policies is painful. Every rule needs to be checked against every best practice, then cross-referenced for duplicates, shadows, and compliance gaps.
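As an added illustration (not code from the page or from ShieldIQ), the following Python script parses the config/edit/set/next/end structure that show full-configuration emits and applies the Step 2 checks mechanically: accept policies that are allow-all, accept policies without utm-status enable, policies whose logtraffic is not all, and admin accounts with no restrictive trusthost. The embedded sample configuration is constructed for the example; the section names and attribute keys are the FortiOS ones used above. Point it at an exported .conf file to audit a real configuration.

```python
import shlex
import sys

# Constructed sample: one allow-all policy, one well-scoped policy,
# one admin open to any address and one restricted to a management subnet.
SAMPLE_CONFIG = """\
config firewall policy
    edit 16
        set name "ALLOW-ALL-OUTBOUND"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic utm
    next
    edit 17
        set name "WEB-OUT"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "LAN"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTPS" "DNS"
        set utm-status enable
        set av-profile "default"
        set ips-sensor "default"
        set webfilter-profile "default"
        set logtraffic all
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 0.0.0.0 0.0.0.0
    next
    edit "netops"
        set accprofile "super_admin"
        set trusthost1 10.0.100.0 255.255.255.0
    next
end
"""


def parse_fortios(text):
    """Return {path_tuple: {attribute: [values]}} for a FortiOS config dump.

    path_tuple interleaves section and entry names, e.g. ('firewall policy', '16').
    """
    tree, path = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)
        except ValueError:            # unbalanced quote in a free-text field
            tokens = line.split()
        kw, args = tokens[0], tokens[1:]
        if kw == "config":
            path.append(" ".join(args))
        elif kw == "edit":
            path.append(args[0] if args else "")
        elif kw in ("next", "end"):   # 'next' closes an edit, 'end' a config block
            if path:
                path.pop()
        elif kw in ("set", "unset") and args and path:
            tree.setdefault(tuple(path), {})[args[0]] = args[1:] if kw == "set" else []
    return tree


def entries(tree, section):
    """Yield (name, attrs) for each edit block directly under a top-level section."""
    for path, attrs in tree.items():
        if len(path) == 2 and path[0] == section:
            yield path[1], attrs


def audit_policies(tree):
    """Apply the Step 2 policy checks; return [(policy_id, message)]."""
    findings = []
    for pid, p in entries(tree, "firewall policy"):
        if (p.get("action") or ["deny"])[0] != "accept":   # unset action means deny
            continue
        if p.get("srcaddr") == ["all"] and p.get("dstaddr") == ["all"] and p.get("service") == ["ALL"]:
            findings.append((pid, "allow-all: any source, any destination, any service"))
        if (p.get("utm-status") or ["disable"])[0] != "enable":
            findings.append((pid, "accept without UTM inspection (utm-status not enabled)"))
        if (p.get("logtraffic") or ["utm"])[0] != "all":
            findings.append((pid, "logtraffic is not 'all'; allowed sessions are not logged"))
    return findings


def audit_admins(tree):
    """Flag admins with no restrictive IPv4 trusthost; return [(name, message)]."""
    findings = []
    for name, a in entries(tree, "system admin"):
        hosts = [v for k, v in a.items() if k.startswith("trusthost") and len(v) >= 2]
        # An all-zero trusthost means 'any'; once a specific one is set the remaining
        # all-zero entries are unused, so the account is exposed only when none is restrictive.
        if not any(v[:2] != ["0.0.0.0", "0.0.0.0"] for v in hosts):
            findings.append((name, "admin reachable from any address (no restrictive trusthost)"))
    return findings


def audit(text):
    """Run every check over a config dump and group findings by section."""
    tree = parse_fortios(text)
    return {"firewall policy": audit_policies(tree), "system admin": audit_admins(tree)}


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for section, items in audit(source).items():
        for name, msg in items:
            print(f"[{section}] {name}: {msg}")
```

The parser keeps a path stack rather than a fixed two-level model, so it also survives nested config blocks inside an edit (interface sub-tables, for instance) without misattributing their attributes to the parent entry. Adding a check is a matter of reading another attribute out of the per-entry dictionary; the VIP mappedport review from Step 2 would follow the same pattern over the "firewall vip" section.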

ShieldIQ parses FortiGate configs natively — it understands FortiOS syntax including VIPs, address groups, service groups, and interface zones. Upload the .conf file and get a risk score, compliance mapping, and vendor-specific remediation commands (actual FortiOS CLI commands to fix each finding) in 60 seconds.
