Running a Security Fabric Rating
You can run a Security Fabric Rating to analyze your organization's Security Fabric deployment, identify potential vulnerabilities, and highlight best practices that you can use to improve the overall security and performance of your organization's network.
The Security Fabric Rating performs a variety of checks when it analyzes your network. All checks are based on your current network configuration, using real-time monitoring. The check runs across all FortiGate devices in the Security Fabric.
When the check is complete, a list of recommendations is shown. Two views are available: Failed or All Results. You can filter these views further in order to view results from a specific FortiGate or all FortiGate devices. Each view has a chart that shows the results of individual checks, and includes the name and a description of the check, which FortiGate the check was performed on, the impact of the check on the overall security score, and recommendations. If you hover over the result for a check, you can see a breakdown of how the score was determined.
You can choose to automatically apply the recommendations that include the Easy Apply option. By using Easy Apply, you can change the configuration of any FortiGate in the Security Fabric. Further action is required if you want to follow other recommendations.
You can also view recommendations for specific devices in the Physical and Logical Topology views in the Security Fabric menu. If a recommendation is available for a device, a circle containing a number appears. The number shows how many recommendations are available. The color of the circle shows the severity of the highest check that failed. The following table shows the severity that each color represents:
For more information about the Security Fabric Rating, and details about each of the checks that are performed, see the Fortinet Recommended Security Best Practices document.
Run a Security Fabric check
You must run the Security Fabric Rating check on the root FortiGate in the Security Fabric.
The following image shows the GUI:
- In the root FortiGate GUI, select Security Fabric > Security Rating. Click Show Topology to view all FortiGate devices in the Security Fabric.
- To run the check, select Run Now.
The check will run. When it completes, it shows the following information:
- The Security Rating Score field shows the score for your Security Fabric
- The page shows the overall count of how many checks passed or failed, with the failed checks divided by severity
- Information about each failed check, including which FortiGate failed the check, the effect of the check failure on the security score, and recommendations to fix the issue
- The Easy Apply option appears with recommendations that can be automatically applied by the wizard
- To move to the Easy Apply option page, select Next.
- Select all recommendations that you want to implement in the Security Fabric.
- Select Apply Recommendations.
Not all FortiGate models can run the FortiGuard Security Rating Service if they are the root FortiGate in a Security Fabric. For more information, see the FortiOS 6.0 Release Notes.
The Security Rating license is a FortiGuard service, and you must purchase a license to access all the latest features. Security audit checks from FortiOS 5.6 will continue to run, but the following new upgrades are available only when you purchase a Security Rating license:
- Receive FortiGuard updates.
- Run Security Rating checks across each licensed device or all FortiGates in the Security Fabric from the Root FortiGate.
- New 6.0 Rating checks
- Submit rating scores to FortiGuard and receive Security Rating scores from FortiGuard for ranking customers by percentile.
For more information, see the Fortinet Recommended Security Best Practices document.
Opt out of customer ranking service
You can opt out of submitting Security Rating scores to FortiGuard.
If you opt out of submitting your network's Security Rating scores, you won't be able to see how your organization's scores compare with the scores of other organizations. Instead, an absolute score is shown.
To disable FortiGuard Security Rating result submission - CLI:
config system global
set fortiguard-audit-result-submission disable
end
Logging for Security Fabric Rating
To view the results of past Security Fabric Rating checks, go to Log & Report > Security Rating Events.
You can also configure an event filter subtype for the Security Fabric Rating. When you run a check, event logs are created on the root FortiGate that summarize the results of the audit and show detailed information for the individual tests.
To configure logging for the Security Fabric Rating, use the following CLI commands:
config log eventfilter
set security-audit enable
end
Understanding the Security Fabric Score
When you run a Security Fabric Rating, your organization's Security Fabric receives a Security Fabric Score. The score will be positive or negative, and a higher score represents a more secure network.
The score is based on how many checks your network passes and fails, as well as the severity level of these checks. The following table shows the weight for each severity level:
Points are awarded when a check passes, using the following formula:
+ <Severity Weight> x <Secure FortiGate Multiplier>
- Severity Weight is <Severity level> / <number of FortiGate devices in the Security Fabric>
- Secure FortiGate Multiplier is determined using logarithms and the number of FortiGate devices in the Security Fabric
For example, if you have four FortiGate devices in the Security Fabric, and all of them pass the Compatible Firmware check, the score for each FortiGate is calculated as: (50/4) x 1.292 = 16.2 points.
All FortiGate devices in the Security Fabric must pass the check in order to receive points. If any of the FortiGate devices in the Security Fabric fail a check, any FortiGate devices in the Security Fabric that passed the check are not awarded points. For the FortiGate that failed the test, the score is calculated using the following formula:
- <Severity Weight> x <Count>
- Severity Weight is <Severity level>
- Count is the number of failures the check found on that FortiGate
For example, if the check finds two critical FortiClient vulnerabilities, the score for that check is calculated as: -50 x 2 = -100 points.
The score is not affected by checks that do not apply to your network. For example, if you do not have any FortiAP devices in the Security Fabric, you will not receive any points for the FortiAP Firmware Versions check.
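The scoring rules above, as an added Python example that is not part of the Fortinet document: the critical weight of 50 and the 1.292 multiplier for four devices are the page's own figures, while the other severity weights are assumed placeholders because the weight table is not reproduced here, and the multiplier is passed in rather than derived because the page does not give its logarithmic formula.

```python
from dataclasses import dataclass, field

# Severity weights. 50 for Critical is taken from the document's own
# examples ((50/4) x 1.292 and -50 x 2); the other three values are ASSUMED
# placeholders because the weight table is not reproduced on this page.
SEVERITY_WEIGHT = {"critical": 50, "high": 20, "medium": 10, "low": 5}


@dataclass
class CheckResult:
    """Outcome of one Security Fabric check across the whole fabric.

    fail_counts maps each FortiGate to the number of failures the check
    found on it (0 means that FortiGate passed). applicable=False models a
    check that does not apply to the network, such as the FortiAP Firmware
    Versions check in a fabric with no FortiAP devices.
    """
    name: str
    severity: str
    fail_counts: dict = field(default_factory=dict)
    applicable: bool = True


def score_check(result: CheckResult, secure_multiplier: float) -> dict:
    """Return the points each FortiGate earns (or loses) for one check.

    secure_multiplier is the Secure FortiGate Multiplier for the fabric
    size (1.292 for four devices per the document); it is supplied by the
    caller because the page does not state how it is computed.
    """
    if not result.applicable or not result.fail_counts:
        return {}  # a check that does not apply contributes nothing
    weight = SEVERITY_WEIGHT[result.severity]
    n_devices = len(result.fail_counts)
    if all(count == 0 for count in result.fail_counts.values()):
        # Every FortiGate passed: each earns (weight / N) x multiplier.
        per_device = (weight / n_devices) * secure_multiplier
        return {fgt: per_device for fgt in result.fail_counts}
    # At least one FortiGate failed: no pass points for anyone, and each
    # failing FortiGate loses weight x count (passing ones score 0).
    return {fgt: -weight * count for fgt, count in result.fail_counts.items()}


def fabric_score(results: list, secure_multiplier: float) -> float:
    """Sum per-check, per-device points into the Security Fabric Score."""
    return sum(
        points
        for result in results
        for points in score_check(result, secure_multiplier).values()
    )
```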