Fortinet white logo
Fortinet white logo

Cookbook

Security rating

Security rating

The security rating analyzes your Security Fabric deployment, identifies potential vulnerabilities, highlights best practices that can be used to improve the security and performance of your network, and calculates Security Fabric scores.

To view the security rating and run a security rating check, go to Security Fabric > Security Rating on the root FortiGate. Click Run Now to run a security rating check. Checks can also be run automatically every four hours.

The security rating check uses real-time monitoring to analyze the network based on the current network configuration. When the check is complete, the results table shows a list of the checks that where performed, including:

  • The name and a description of the check.
  • The device or devices that the check was performed on.
  • The impact of the check on the overall security score.
  • The check results - whether it passed or failed.

The list can be searched, filtered to show all results or only failed checks, and exported to a CSV or JSON file. Clicking on a color or legend name in the donut charts will also filter the results.

Hovering the cursor over a check result score will show the breakdown of how that score was calculated.

Selecting a specific check from the list shows details about that check in the Security Control Details pane, including recommendations and compliance information. For failed checks, this includes a description of what remediation actions could be taken. For recommendations that support Easy Apply, the device will have an EZ symbol next to its name, and the remediation action can be taken automatically by clicking Apply under the recommendations.

For more information about security ratings, and details about each of the checks that are performed, go to Security Best Practices & Security Rating Feature.

Note

Security Rating licenses are required to run security rating checks across all the devices in the Security Fabric. It also allows ratings scores to be submitted to and received from FortiGuard for ranking networks by percentile.

See https://www.fortinet.com/support/support-services/fortiguard-security-subscriptions/security-rating.html for information.

Automatic security rating checks

Security rating checks can be scheduled to run automatically every four hours.

To enable automatic security checks using the CLI:
config system global
    security-rating-run-on-schedule {enable | disable}
end

Opt out of ranking

Security rating scores can be submitted to FortiGuard for comparison with other organizations' scores, allowing a percentile score to be calculated. If you opt out of submitting your score, only an absolute score will be available.

To opt out of submitting the score using the CLI:
config system global
    set security-rating-result-submission {enable | disable}
end

Logging the security rating

The results of past security checks is available in Log & Report > Security Rating Events.

An event filter subtype can be created for the Security Fabric rating so that event logs are created on the root FortiGate that summarize the results of a check, and show detailed information for the individual tests.

To configure Security Rating logging using the CLI:
config log eventfilter
    set security-rating enable
end

Security Fabric score

The Security Fabric score is calculated when a security rating check is run, based on the severity level of the checks that are passed or failed. A higher scores represents a more secure network. Points are added for passed checks, and removed for failed checks.

Severity level

Weight (points)

Critical

50

High

25

Medium

10

Low

5

To calculate the number of points awarded to a device for a passed check, the following equation is used:

score =

<severity level weight>

x <secure FortiGate multiplier>

<# of FortiGates>

The secure FortiGate multiplier is determined using logarithms and the number of FortiGate devices in the Security Fabric.

For example, if there are four FortiGate devices in the Security Fabric that all pass the Compatible Firmware check, the score for each FortiGate device is calculated with the following equation:

50

x 1.292

= 16.15 points

4

All of the FortiGate devices in the Security Fabric must pass the check in order to receive the points. If any one of the FortiGate devices fails a check, the devices that passed are not awarded any points. For the device that failed the check, the following equation is used to calculated the number of points that are lost:

score =

<severity level weight>

x <secure FortiGate multiplier>

For example, if the check finds two critical FortiClient vulnerabilities, the score is calculated with the following equation:

-50

x 2

= -100 points

Scores are not affect by checks that do not apply to your network. For example, if there are no FortiAP devices in the Security Fabric, no points will be added or subtracted for the FortiAP firmware version check.

Security rating

Security rating

The security rating analyzes your Security Fabric deployment, identifies potential vulnerabilities, highlights best practices that can be used to improve the security and performance of your network, and calculates Security Fabric scores.

To view the security rating and run a security rating check, go to Security Fabric > Security Rating on the root FortiGate. Click Run Now to run a security rating check. Checks can also be run automatically every four hours.

The security rating check uses real-time monitoring to analyze the network based on the current network configuration. When the check is complete, the results table shows a list of the checks that where performed, including:

  • The name and a description of the check.
  • The device or devices that the check was performed on.
  • The impact of the check on the overall security score.
  • The check results - whether it passed or failed.

The list can be searched, filtered to show all results or only failed checks, and exported to a CSV or JSON file. Clicking on a color or legend name in the donut charts will also filter the results.

Hovering the cursor over a check result score will show the breakdown of how that score was calculated.

Selecting a specific check from the list shows details about that check in the Security Control Details pane, including recommendations and compliance information. For failed checks, this includes a description of what remediation actions could be taken. For recommendations that support Easy Apply, the device will have an EZ symbol next to its name, and the remediation action can be taken automatically by clicking Apply under the recommendations.

For more information about security ratings, and details about each of the checks that are performed, go to Security Best Practices & Security Rating Feature.

Note

Security Rating licenses are required to run security rating checks across all the devices in the Security Fabric. It also allows ratings scores to be submitted to and received from FortiGuard for ranking networks by percentile.

See https://www.fortinet.com/support/support-services/fortiguard-security-subscriptions/security-rating.html for information.

Automatic security rating checks

Security rating checks can be scheduled to run automatically every four hours.

To enable automatic security checks using the CLI:
config system global
    security-rating-run-on-schedule {enable | disable}
end

Opt out of ranking

Security rating scores can be submitted to FortiGuard for comparison with other organizations' scores, allowing a percentile score to be calculated. If you opt out of submitting your score, only an absolute score will be available.

To opt out of submitting the score using the CLI:
config system global
    set security-rating-result-submission {enable | disable}
end

Logging the security rating

The results of past security checks is available in Log & Report > Security Rating Events.

An event filter subtype can be created for the Security Fabric rating so that event logs are created on the root FortiGate that summarize the results of a check, and show detailed information for the individual tests.

To configure Security Rating logging using the CLI:
config log eventfilter
    set security-rating enable
end

Security Fabric score

The Security Fabric score is calculated when a security rating check is run, based on the severity level of the checks that are passed or failed. A higher scores represents a more secure network. Points are added for passed checks, and removed for failed checks.

Severity level

Weight (points)

Critical

50

High

25

Medium

10

Low

5

To calculate the number of points awarded to a device for a passed check, the following equation is used:

score =

<severity level weight>

x <secure FortiGate multiplier>

<# of FortiGates>

The secure FortiGate multiplier is determined using logarithms and the number of FortiGate devices in the Security Fabric.

For example, if there are four FortiGate devices in the Security Fabric that all pass the Compatible Firmware check, the score for each FortiGate device is calculated with the following equation:

50

x 1.292

= 16.15 points

4

All of the FortiGate devices in the Security Fabric must pass the check in order to receive the points. If any one of the FortiGate devices fails a check, the devices that passed are not awarded any points. For the device that failed the check, the following equation is used to calculated the number of points that are lost:

score =

<severity level weight>

x <secure FortiGate multiplier>

For example, if the check finds two critical FortiClient vulnerabilities, the score is calculated with the following equation:

-50

x 2

= -100 points

Scores are not affect by checks that do not apply to your network. For example, if there are no FortiAP devices in the Security Fabric, no points will be added or subtracted for the FortiAP firmware version check.