audit-configs

SKILL.md

Fortinet: Auditing Configs

Overview

This skill guides systematic security and consistency auditing of FortiGate .conf snapshots. Use it when the user asks to "audit", "review for issues", "check security", or "validate" one or more firewall configs.

See fortinet:read-configs for how to locate and parse config sections, the fleet inventory, and file paths.

Audit Workflow

  1. Determine scope: single site or all 10 sites
  2. For each config section below, extract the relevant block using the read-configs approach
  3. Check each item in the checklist
  4. Collect all findings into a report grouped by severity
  5. Present report (Critical first, then Warning, then Info)

Severity Definitions

| Severity | Meaning |
|---|---|
| Critical | Active security risk — should be remediated immediately |
| Warning | Suboptimal or inconsistent — should be reviewed |
| Info | Informational, best-practice gap — low urgency |

Checklist

System Global (config system global)

| Check | Field | Bad value | Severity | Note |
|---|---|---|---|---|
| Telnet enabled | admin-telnet | enable | Critical | Plaintext admin protocol |
| TLS minimum too low | ssl-min-proto-version | anything < TLSv1-2 | Critical | |
| Lockout threshold too high | admin-lockout-threshold | > 3 | Warning | Default is 3 |
| Lockout duration too short | admin-lockout-duration | < 60 | Warning | |
| CLI audit log off | cli-audit-log | disable | Info | Useful for change tracking |
| Auto-save off | cfg-save | manual | Info | Risk of losing unsaved changes |

System Interface (config system interface)

For each interface in the block:

| Check | Field | Bad value | Severity | Note |
|---|---|---|---|---|
| Telnet in allowaccess | allowaccess | contains telnet | Critical | |
| HTTP in allowaccess | allowaccess | contains http | Warning | Unencrypted management |
| No description | description | '' (empty) | Info | |
| Interface down, no comment | status | down with empty comment | Info | Decommissioned? |

Firewall Policies (config firewall policy)

For each policy (edit N ... next):

| Check | Condition | Severity | Note |
|---|---|---|---|
| Accept with no UTM | action accept AND utm-status disable | Warning | No inspection |
| Accept any-to-any | action accept AND srcaddr "all" AND dstaddr "all" | Critical | Overly permissive |
| Logging off | logtraffic disable | Warning | No visibility |
| Disabled policy | status disable | Info | Flag for review/cleanup |
| No policy name | name '' | Info | Hard to manage unnamed policies |

Router Static (config router static)

| Check | Condition | Severity | Note |
|---|---|---|---|
| Multiple default routes | More than one dst 0.0.0.0 0.0.0.0 entry | Warning | Check distance/priority for intent |
| Blackhole route | blackhole enable | Info | Intentional? Document it |

VPN IPsec Phase1 (config vpn ipsec phase1-interface)

For each tunnel:

| Check | Field | Bad value | Severity | Note |
|---|---|---|---|---|
| Weak encryption | proposal | contains 3des or des | Critical | Broken ciphers |
| Weak hash | proposal | contains -md5 | Critical | Broken hash |
| SHA1 only | proposal | contains -sha1 (no sha256/sha384) | Warning | SHA1 deprecated |
| IKEv1 | ike-version | 1 | Warning | Prefer IKEv2 |
| Weak DH group | dhgrp | 1, 2, or 5 | Critical | DH1/2/5 are broken |

VPN IPsec Phase2 (config vpn ipsec phase2-interface)

| Check | Field | Bad value | Severity | Note |
|---|---|---|---|---|
| PFS disabled | pfs | disable | Warning | Forward secrecy lost |
| Weak proposal | proposal | contains 3des, des, -md5 | Critical | |

Known fleet issues to flag:

  • CDW (cdwfw01) has proposal aes128-sha1 and dhgrp 2 on existing tunnels — these are existing Critical findings

Report Format

## Audit Report — {site(s)} — {date}

### Critical (N)
- **[SITE] [DOMAIN]** `config vpn ipsec phase1-interface / edit "EV-AWS-00"`
  Finding: `dhgrp 2` — DH group 2 (1024-bit) is cryptographically broken
  Remediation: `set dhgrp 14` (minimum) or `set dhgrp 19` for ECDH

### Warning (N)
- ...

### Info (N)
- ...

### Clean
- System lockout settings: all sites ✓
- ...

Always list what was checked and found clean, not just problems.

Multi-Site Audit

When auditing all 10 sites, consolidate:

  • Group by finding type, list affected sites
  • Example: "Telnet enabled — affects: cdw (1/10 sites)"
  • Produce a summary matrix: rows = finding types, columns = sites, cells = ✓/✗
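The consolidation step as an added example (not part of this skill): it takes per-site findings in a constructed three-site fleet, groups them by finding type with the affected-site count, and renders the summary matrix described above. The site names other than `cdw` and the findings themselves are made up, and the three-site fleet stands in for the real ten.

```python
# Added example, not part of this skill: consolidate per-site findings into the multi-site summary.
SEVERITY_RANK = {"Critical": 0, "Warning": 1, "Info": 2}
SITES = ["cdw", "site2", "site3"]  # constructed fleet; the real fleet has 10 sites
FINDINGS = [  # constructed per-site findings: (site, severity, finding type)
    ("cdw", "Critical", "Telnet enabled"),
    ("cdw", "Critical", "Weak DH group"),
    ("site2", "Critical", "Weak DH group"),
    ("site3", "Warning", "Accept with no UTM"),
]

def consolidate(findings):
    """Group by finding type -> [(type, severity, sorted affected sites)], Critical first, then by name."""
    groups = {}
    for site, severity, ftype in findings:
        groups.setdefault(ftype, (severity, set()))[1].add(site)
    rows = ((ftype, sev, sorted(affected)) for ftype, (sev, affected) in groups.items())
    return sorted(rows, key=lambda r: (SEVERITY_RANK[r[1]], r[0]))

def summary_lines(rows, sites):
    """One line per finding type, e.g. '[Critical] Telnet enabled: affects cdw (1/3 sites)'."""
    return [f"[{sev}] {ftype}: affects {', '.join(aff)} ({len(aff)}/{len(sites)} sites)" for ftype, sev, aff in rows]

def matrix(rows, sites):
    """Markdown matrix: rows = finding types, columns = sites, cells = ✓ (clean) or ✗ (affected)."""
    header = "| Finding | " + " | ".join(sites) + " |"
    sep = "|" + "---|" * (len(sites) + 1)
    body = [f"| {ftype} | " + " | ".join("✗" if s in aff else "✓" for s in sites) + " |" for ftype, _, aff in rows]
    return "\n".join([header, sep] + body)

if __name__ == "__main__":
    rows = consolidate(FINDINGS)
    print("\n".join(summary_lines(rows, SITES)))
    print(matrix(rows, SITES))
```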