FortiGate STIG Hardening – Firewall STIG V1R3
Introduction
Firewall security is a cornerstone of any robust network defense strategy. To ensure compliance with Department of Defense (DoD) standards, organizations must implement configurations that meet the Firewall Security Technical Implementation Guide (STIG) Version 1, Release 3 (V1R3) requirements.
This post focuses on applying these STIG controls to Fortinet FortiGate firewalls, providing guidance on hardening configurations, enforcing access controls, and aligning with best practices for secure firewall deployment. By following these recommendations, you can reduce vulnerabilities and maintain a security posture that meets stringent DoD and industry standards.
Download the Excel sheet with all STIG controls for FortiGate –> HERE
STIG
Most of V1R3 can be enforced with FortiGate config.
A subset of requirements also depend on things outside the box: central audit server/SIEM, org-defined lists (CAL/VAs), roles (ISSM/ISSO/SCA), incident processes, etc.
Below I list only the V1R3 requirements where part of the requirement cannot be solved by FortiGate config alone.
V1R3 Requirements That Go Beyond FortiGate Configuration
Not every STIG control can be satisfied by device settings alone. Some require supporting infrastructure, policies, and operational processes. Here are the key examples:
1. FNFG-FW-000045 – Queue logs locally when the audit server is unreachable
Configuration: Enable local logging with disk overwrite and set up remote logging to FortiAnalyzer or syslog in reliable mode.
Operational: A central audit or log server must exist and be reachable. The organization also needs a retention policy and a process for exporting logs off the firewall.
2. FNFG-FW-000050 – Protect logs in transit to the audit server
Configuration: Use encrypted and reliable syslog or FortiAnalyzer with TLS or IPsec, strong encryption algorithms, and certificates.
Operational: The audit server must support secure syslog and be configured correctly. Certificate lifecycle management—issuing, rotating, and revoking—is handled by PKI and change management, not the firewall.
3. FNFG-FW-000055 and FNFG-FW-000060 – Prevent unauthorized modification or deletion of logs
Configuration: Restrict log access through admin profiles and forward logs to a tamper-resistant system.
Operational: Harden the log destination systems and enforce access controls. Policies should define who can access logs, and procedures must cover backup, retention, and integrity checks.
4. FNFG-FW-000070, 000075, 000110, 000150 – DoS detection and response
Configuration: Apply DoS policies, enable IPS/AV fail-closed, and generate alerts for suspected DoS conditions. Configure automation for email or SNMP traps.
Operational: Large-scale DDoS mitigation often happens upstream with ISPs or cloud services. Incident response processes must define who monitors alerts, escalation paths, and actions such as contacting ISPs or blocking prefixes.
5. FNFG-FW-000085 – Filter traffic based on CAL and vulnerability assessments
Configuration: Implement firewall policies that enforce DMZ and enclave segmentation.
Operational: Maintain an up-to-date Connection Approval List and run vulnerability assessments. Translate findings into firewall policy requirements.
6. FNFG-FW-000100 – Send logs to a central audit server
Configuration: Configure logging to FortiAnalyzer or syslog with the correct format and facility.
Operational: The audit server must be properly sized, deployed, and backed up. Monitoring and analysis happen outside the firewall.
7. FNFG-FW-000105 – Real-time alert when audit server communication fails
Configuration: Set up automation stitches to trigger alerts when log transmission errors occur. Configure email or SNMP actions.
Operational: Ensure mail and alerting infrastructure exists and that alerts reach the right roles. Procedures must define what happens when alerts are received.
8. FNFG-FW-000125 – Block all outbound management traffic when acting as a premise firewall
Configuration: Create explicit deny policies for outbound management protocols.
Operational: The architecture must clearly define the firewall’s role and what constitutes management traffic.
9. FNFG-FW-000130 – Restrict traffic entering the management network
Configuration: Use firewall and local-in policies to allow only authorized management sources.
Operational: Define which networks are authorized and ensure segmentation exists upstream.
10. FNFG-FW-000135 – Inspect all traffic at the application layer
Configuration: Apply NGFW features such as application control, IPS, AV, SSL inspection, and web filtering.
Operational: Decide what SSL traffic can be inspected, manage signature sets, and tune performance.
11. FNFG-FW-000145 – Reverse path and anti-spoofing
Configuration: Enable anti-spoofing settings and configure uRPF or equivalent.
Operational: Maintain accurate routing documentation and coordinate with upstream networks to avoid breaking legitimate traffic.
12. FNFG-FW-000150 – Alert ISSM on DoS incidents
Configuration: Tie automation and alerting to DoS and IPS events.
Operational: Define who the ISSM is, how to reach them, and what steps they take when alerts occur.
13. FNFG-FW-000155 – Allow authorized users to perform packet capture
Configuration: Use admin profiles to control access to packet capture features.
Operational: Define which roles are authorized, how captures are stored and deleted, and audit their use.
14. FNFG-FW-000020, 000025, 000030, 000035, 000040, 000160, 000165 – Log content and coverage
Configuration: Ensure logs include all required fields and enable logging on both accepted and denied traffic.
Operational: Review and correlate logs, enforce retention policies, and maintain audit processes.
Bottom line: FortiGate configuration provides enforcement, logging, and technical controls. V1R3 still expects supporting infrastructure, defined roles, documented processes, and architectural decisions. These cannot be solved by configuration alone.
CLI Examples
TRAFFIC LOGGING – CONTENT & COVERAGE FNFG-FW-000020 / 000025 / 000030 / 000035 / 000040 / 000160 / 000165
# Global traffic log behaviour
config log setting
    set fwpolicy-implicit-log enable    # Log implicit deny
    set log-invalid-packet enable       # Log invalid packets
    set local-in-allow enable           # Log local-in traffic (allowed and denied)
    set local-in-deny-unicast enable
    set resolve-ip enable               # Make logs human-readable
    set resolve-port enable
end
# Local log to disk (used also for FNFG-FW-000045)
config log disk setting
    set status enable
    set diskfull overwrite              # Continue logging when disk full
end
# Example: forward traffic logs to a central syslog server (also see 000045/000050/000100)
config log syslogd setting
    set status enable
    set server "10.20.30.40"            # Central audit / SIEM
    set mode reliable                   # TCP transport, so delivery failures are detectable (000105)
    set enc-algorithm high              # Encrypted / integrity-protected (000050)
    # set certificate "Syslog-TLS-Cert" # If using mutual auth with TLS
    set facility local7
    set format default
end
# Example: also log to FortiAnalyzer (central audit server)
config log fortianalyzer setting
    set status enable
    set server "faz01.site.example"
    set reliable enable
    set enc-algorithm high
end
FIREWALL OBJECTS FOR POLICY FILTERING FNFG-FW-000005 / 000015 / 000085 / 000115 / 000120 / 000125 / 000130
config firewall address
    edit "MGMT_NET"
        set subnet 10.10.10.0 255.255.255.0
    next
    edit "REMOTE_MGMT_HOSTS"
        set subnet 192.0.2.0 255.255.255.0      # Example remote VPN admin net
    next
    edit "INTERNAL_ENCLAVE"
        set subnet 10.20.0.0 255.255.0.0        # Internal protected network
    next
    edit "UNTRUSTED_NETS"
        set subnet 0.0.0.0 0.0.0.0              # Catch-all for untrusted
    next
end
config firewall service group
    edit "MGMT_SERVICES"
        set member "HTTPS" "SSH" "PING"         # Adjust to allowed mgmt services
    next
end
FILTERING POLICIES – INGRESS, EGRESS & MANAGEMENT FNFG-FW-000005 / 000015 / 000085 / 000115 / 000120 / 000125 / 000130
config firewall policy
    edit 10
        set name "INTERNET_to_INTERNAL_ALLOWED"
        set srcintf "wan1"
        set dstintf "lan"
        set srcaddr "UNTRUSTED_NETS"
        set dstaddr "INTERNAL_ENCLAVE"
        set action accept
        set schedule "always"
        set service "HTTPS" "HTTP" "DNS"        # Example allowed apps
        set logtraffic all                      # Log sessions (start+end)
        set logtraffic-start enable
    next
    # Default deny for all other inbound to INTERNAL_ENCLAVE
    edit 11
        set name "INTERNET_to_INTERNAL_DENY"
        set srcintf "wan1"
        set dstintf "lan"
        set srcaddr "UNTRUSTED_NETS"
        set dstaddr "INTERNAL_ENCLAVE"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set logtraffic-start enable
    next
end
# 3.2 Egress filters – traffic leaving INTERNAL_ENCLAVE (FNFG-FW-000120)
config firewall policy
    edit 20
        set name "INTERNAL_to_INTERNET_ALLOWED"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "INTERNAL_ENCLAVE"
        set dstaddr "UNTRUSTED_NETS"
        set action accept
        set schedule "always"
        set service "HTTPS" "HTTP" "DNS" "NTP"
        set logtraffic all
        set logtraffic-start enable
    next
end
# 3.3 Block outbound management traffic from MGMT_NET (FNFG-FW-000125)
config firewall policy
    edit 30
        set name "MGMT_NET_to_INTERNET_DENY"
        set srcintf "mgmt"
        set dstintf "wan1"
        set srcaddr "MGMT_NET"
        set dstaddr "UNTRUSTED_NETS"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set logtraffic-start enable
    next
end
# 3.4 VPN access to management network – limit to authorized mgmt hosts (FNFG-FW-000015 / 000130)
config firewall policy
    edit 40
        set name "VPN_MGMT_ACCESS"
        set srcintf "vpn-mgmt"                  # Your IPsec/SSL VPN interface
        set dstintf "mgmt"                      # Mgmt interface / network
        set srcaddr "REMOTE_MGMT_HOSTS"
        set dstaddr "MGMT_NET"
        set action accept
        set schedule "always"
        set service "MGMT_SERVICES"
        set logtraffic all
        set logtraffic-start enable
    next
end
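An added example, not code from the original post or from Fortinet: a small Python auditor that parses a FortiOS configuration dump (the text format of the blocks above) and flags deviations from the settings this post configures, namely syslog transport and encryption (FNFG-FW-000050) and per-policy logtraffic / logtraffic-start (the FNFG-FW-000020 family). The sample config is constructed and, like a real dump, omits attributes left at their default, so a missing key is reported as a finding.

```python
import shlex
# Constructed sample FortiOS config (not a real dump): syslog is plain UDP and policy 11 omits logtraffic-start.
SAMPLE_CONFIG = """
config log syslogd setting
    set mode udp
    set enc-algorithm disable
end
config firewall policy
    edit 10
        set logtraffic all
        set logtraffic-start enable
    next
    edit 11
        set logtraffic all
    next
end
"""

def parse_fortios(text):
    """Parse FortiOS CLI text into nested dicts: config path -> edit id -> {attribute: values}."""
    root, stack = {}, []
    current = root
    for raw in text.splitlines():
        tok = shlex.split(raw, comments=True)   # honours quotes, drops '#' comments
        if not tok:
            continue
        if tok[0] == "config":                    # open a table, keyed by its full path
            stack.append(current)
            current = current.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "edit":                    # open an entry inside the table
            stack.append(current)
            current = current.setdefault(tok[1], {})
        elif tok[0] == "set":                     # attribute with one or more values
            current[tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):           # close the entry / table
            current = stack.pop()
    return root

def audit(cfg):
    """Return STIG findings for the settings this post configures; [] means compliant."""
    findings, syslog = [], cfg.get("log syslogd setting", {})
    for key, want in (("mode", "reliable"), ("enc-algorithm", "high")):
        if syslog.get(key) != [want]:
            findings.append(f"FNFG-FW-000050: syslog {key} is not {want}")
    # A dump omits attributes left at default, so a missing key counts as a finding.
    for pid, pol in cfg.get("firewall policy", {}).items():
        for key, want in (("logtraffic", "all"), ("logtraffic-start", "enable")):
            if pol.get(key) != [want]:
                findings.append(f"FNFG-FW-000020: policy {pid} {key} is not {want}")
    return findings
```

Feed it the output of `show full-configuration` from the device to check every policy, not just the ones shown here.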
DISABLE UNNECESSARY INTERFACE SERVICES FNFG-FW-000065
config system interface
    edit "wan1"
        set allowaccess ping                    # No HTTPS/SSH/etc from Internet
        # set allowaccess ping https ssh        # (Only if explicitly needed)
    next
    edit "lan"
        set allowaccess ping                    # No extra services unless required
    next
    edit "mgmt"
        set allowaccess https ssh ping          # OOB mgmt only, from trusted nets
    next
end
DOS PROTECTION & BANDWIDTH MANAGEMENT FNFG-FW-000070 / 000075 / 000110 / 000150
config firewall DoS-policy
    edit 1
        set name "WAN1_DOS_PROTECT"
        set interface "wan1"
        set srcaddr "UNTRUSTED_NETS"
        set dstaddr "INTERNAL_ENCLAVE"
        set service "ALL"
        set status enable
        config anomaly
            edit "icmp_flood"
                set status enable
                set log enable                  # Log the anomaly so alerting can trigger on it (000150)
                set action block
                set threshold 1000              # Example thresholds; tune to the measured baseline
            next
            edit "tcp_syn_flood"                # FortiOS anomaly name is tcp_syn_flood, not syn_flood
                set status enable
                set log enable
                set action block
                set threshold 2000
            next
            edit "udp_flood"
                set status enable
                set log enable
                set action block
                set threshold 2000
            next
        end
    next
end
# IPS / AV fail-closed behaviour (FNFG-FW-000090 / 000110)
config ips global
    set fail-open disable                       # Drop traffic rather than bypass IPS on engine failure
end
config system global
    set av-failopen off                         # Do not pass traffic when AV proxy resources are exhausted
    set av-failopen-session disable
end
ANTI-SPOOFING / REVERSE PATH FNFG-FW-000145
config system settings
    set asymroute disable                       # Keep reverse-path checking active (asymmetric routing off)
    set asymroute-icmp disable
    set asymroute6 disable
    set asymroute6-icmp disable
end
LOG PROTECTION – WHO CAN MODIFY OR DELETE LOGS FNFG-FW-000050 / 000055 / 000060
# Create an admin profile with NO access to logs
config system accprofile
    edit "NO-LOG-ACCESS"
        set secfabgrp read
        set netgrp read
        set fwgrp read
        set loggrp none                         # No access to log / report
    next
end
# Assign to admins that must not be able to view/modify logs
config system admin
    edit "operator-no-logs"
        set accprofile "NO-LOG-ACCESS"
        set remote-auth enable
        # set remote-group "OPS-NO-LOGS"        # Group name returned by the remote auth server
    next
end
CENTRAL AUDIT SERVER & ALERTS FNFG-FW-000045 / 000100 / 000105 / 000150
Already configured above:
- Local disk logging enabled and set to overwrite (000045)
- Syslog / FortiAnalyzer logging with reliable transport and encryption (000050 / 000100)
Example Automation Stitch to alert when FAZ / syslog goes down
(Values are placeholders – adjust for real log IDs and email settings.)
config system automation-action
    edit "EMAIL-ISSM"
        set action-type email
        set email-to "<ISSM_EMAIL>"             # Placeholder; the ISSM's mailbox
        set email-subject "FortiGate Alert: Logging or DoS Event"
        set email-body "Check FortiGate logs: logging path or DoS event triggered."
        set smtp-server "10.30.40.10"
        set smtp-port 25
    next
end
config system automation-trigger
    # Trigger on FortiAnalyzer / syslog issues
    edit "FAZ_or_SYSLOG_DOWN"
        set event-type event-log
        # set logid-list <LOGID_FA_DOWN> <LOGID_SYSLOG_ERROR>   # Fill in actual log IDs
    next
    # Trigger on DoS events
    edit "DOS_EVENT"
        set event-type event-log
        # set logid-list <LOGID_DOS_ATTACK_DETECTED>
    next
end
config system automation-stitch
    edit "ALERT_ON_LOGGING_OR_DOS"
        set trigger "FAZ_or_SYSLOG_DOWN" "DOS_EVENT"
        set action "EMAIL-ISSM"
        set status enable
    next
end
APPLICATION-LAYER INSPECTION / SESSION HELPERS FNFG-FW-000135
# Example: ensure session helpers exist for application protocols
# (Only needed if defaults were changed or removed.)
config system session-helper
    edit 1
        set name "ftp"
        set protocol 6                          # TCP
        set port 21
    next
    # Add additional helpers if required by your environment
    # edit <n>
    #     set name "<protocol-name>"
    #     set protocol <6|17>
    #     set port <port>
    # next
end
PACKET CAPTURE CAPABILITY FNFG-FW-000155
This control is mostly procedural – you typically use:
diagnose sniffer packet any "" 4 0 a
(interface "any", no filter, verbosity 4, unlimited packet count, absolute timestamps)
or GUI "Network → Packet Capture".
No long-lived config block is strictly required, so no static config here.
