Security rating
The security rating uses real-time monitoring to analyze your Security Fabric deployment, identify potential vulnerabilities, highlight best practices that can be used to improve the security and performance of your network, and calculate Security Fabric scores.
To view the security rating, go to Security Fabric > Security Rating on the root FortiGate.
The Security Rating page is separated into three major scorecards: Security Posture, Fabric Coverage, and Optimization, which provide an executive summary of the three largest areas of security focus in the Security Fabric.
The scorecards show an overall letter grade and breakdown of the performance in sub-categories. Clicking a scorecard drills down to a detailed report of itemized results and compliance recommendations. The point score represents the net score for all passed and failed items in that area. In the drill down report, hover the cursor over a score to view the calculation breakdown.
The report includes the security controls that were tested against, linking to specific FSBP or PCI compliance policies. Click the FSBP and PCI buttons to reference the corresponding standard. Users can search or filter the report results.
Certain remediations marked with an EZ symbol represent configuration recommendations that support Easy Apply. In the panel on the right, in the Recommendations section, click Apply to apply the changes to resolve the failed security control.
The report table can be customized by adding more columns, such as Category, to view, filter, or sort the results based on scorecard categories. Click the gear icon to customize the table.
Users can also export the reports as CSV or JSON files by clicking the Export dropdown.
To exit the current view, click the icon beside the scorecard title to return to the summary view. |
For more information about security ratings, and details about each of the checks that are performed, go to Security Best Practices & Security Rating Feature.
The following licensing options are available for security rating checks:
The base set can be run locally on any FortiGate and on all other devices in the Security Fabric. On licensed FortiGates, ratings scores can be submitted to and received from FortiGuard for ranking networks by percentile. For a list of base and licensed security rating checks, see FortiGuard Security Rating Service. |
Security rating check scheduling
Security rating checks by default are scheduled to run automatically every four hours.
To disable automatic security checks using the CLI:
config system global security-rating-run-on-schedule disable end
To manually run a report using the CLI:
# diagnose report-runner trigger
Opt out of ranking
Security rating scores can be submitted to FortiGuard for comparison with other organizations' scores, allowing a percentile score to be calculated. If you opt out of submitting your score, only an absolute score will be available.
To opt out of submitting the score using the CLI:
config system global set security-rating-result-submission {enable | disable} end
Logging the security rating
The results of past security checks is available in Log & Report > Events by selecting Security Rating Events from the event type dropdown list.
An event filter subtype can be created for the Security Fabric rating so that event logs are created on the root FortiGate that summarize the results of a check, and show detailed information for the individual tests.
To configure security rating logging using the CLI:
config log eventfilter set security-rating enable end
Multi VDOM mode
In multi VDOM mode, security rating reports can be generated in the Global VDOM for all of the VDOMs on the device. Administrators with read/write access can run the security rating report in the Global VDOM. Administrators with read-only access can only view the report.
On the report scorecards, the Scope column shows the VDOM or VDOMs that the check was run on. On checks that support Easy Apply, the remediation can be run on all of the associated VDOMs.
The security rating event log is available on the root VDOM.