TickYouOff
Sign in
Back
🔒

Fortinet FortiGate Firewall STIG

Hard 18 items · 2 hours
testuser's avatar
testuser Published 1 month ago
Security

This checklist helps administrators harden Fortinet FortiGate firewalls to meet DISA STIG Y26M01 security requirements. It’s intended for network and security engineers or system administrators responsible for FortiGate devices in DoD or enterprise environments.

Source: https://ncp.nist.gov/checklist/1007

Progress
0 / 18
  1. Backup current configuration — Save running config to a secure location before changes.
  2. Export running configuration to external storage — Use SCP, TFTP to secure server, or FortiManager export.
  3. Verify backup integrity and timestamp — Confirm file integrity and record date/time of export.
  4. Verify device firmware is supported and up to date — Check Fortinet advisories and apply vendor security patches.
  5. Review STIG documentation version and applicability — Confirm Y26M01 applies to your model and enabled features.
  6. Set and enforce an administrative password policy — Require complex passwords, rotation, and account lockouts.
  7. Configure role-based administrative accounts — Create least-privilege admin roles and unique user accounts.
  8. Enable two-factor authentication for admin access — Use FortiToken or other supported MFA for GUI/SSH logins.
  9. Restrict management access to trusted networks only — Limit management interfaces and allowed source IPs.
  10. Disable unused services and ports — Turn off Telnet, HTTP, SNMP v1/v2 and other unneeded services.
  11. Configure secure management protocols — Use HTTPS, SSH, and SNMPv3 for remote management only.
  12. Harden SSH and SSL/TLS settings — Disable weak ciphers; enforce TLS 1.2+ and secure SSH algorithms.
  13. Implement logging and forward logs to a central system — Send logs to SIEM, FortiAnalyzer, and retain per policy.
  14. Enable audit logging for administrative actions — Record config changes, admin logins, and privilege escalations.
  15. Review and implement least-privilege firewall rules — Remove unused rules and restrict source/destination/service fields.
  16. Enable intrusion prevention and web filtering profiles — Activate IPS/AV and URL filtering where traffic requires protection.
  17. Configure SSL/TLS inspection where required — Manage inspection policies and trusted certificates carefully.
  18. Perform vulnerability scan and remediate findings — Scan device and connected networks; prioritize and remediate risks.
Sign in to save
📝 My Notes