
Assess Fortinet FortiOS Security with cnspec

Secure and enforce policy for Fortinet FortiGate firewalls running FortiOS

Rely on cnspec to ensure your Fortinet FortiGate firewalls running FortiOS follow recommended security and operational best practices, such as verifying firmware versions, checking for available updates, and assessing device configuration.

Prerequisites

To test a FortiOS device with cnspec, you must have:

Give cnspec access to your FortiGate device

To scan a FortiGate device, cnspec connects through the FortiOS REST API. You need to create an API token for authentication.

Create a REST API token

To create a REST API token in FortiOS:

  1. Log in to the FortiGate web interface.
  2. Navigate to System > Administrators.
  3. Click Create New > REST API Admin.
  4. Configure the administrator profile with appropriate permissions.
  5. Copy the generated API token.

For detailed instructions, see the FortiOS REST API documentation.

Test your connection

Before running a full scan, verify that cnspec can connect by opening a cnspec shell:

cnspec shell fortios --hostname DEVICE_IP --token 'API_TOKEN'

If cnspec connects successfully and shows a prompt, you're ready to scan.

Scan FortiOS devices

To scan a FortiGate device, use the cnspec scan command. For DEVICE_IP, substitute the hostname or IP address of the device. For API_TOKEN, substitute your REST API token:

cnspec scan fortios --hostname DEVICE_IP --token 'API_TOKEN'

To skip TLS certificate verification (for self-signed certificates), add --insecure. Use this only when the scanning host cannot be given a trusted certificate for the device: with verification disabled, cnspec sends the API token to whatever endpoint answers at DEVICE_IP.

cnspec scan fortios --hostname DEVICE_IP --token 'API_TOKEN' --insecure

Understand scan output

When a scan completes, cnspec prints a summary of all the checks it ran, grouped by policy. Each check shows a pass or fail result.

At the end of the output, cnspec shows a risk score from 0 (no risk) to 100 (highest risk). Failed checks include remediation guidance to help you fix issues.

To assess your FortiGate devices against Mondoo's security recommendations, enable the Mondoo FortiOS Security policy. It covers firmware version checks, system configuration, and more. To learn how to enable policies, read Policy Hub. You can also create your own policies or specify a particular policy bundle with --policy-bundle.

Example checks

You can interactively explore and test checks using the cnspec shell. To open a shell connected to your FortiGate device:

cnspec shell fortios --hostname DEVICE_IP --token 'API_TOKEN'

Below are some example checks you can run from the shell.

Check the firmware version

cnspec> fortios.system.firmware.current { version major minor patch build }
fortios.system.firmware.current: {
  version: "7.2.4"
  major: 7
  minor: 2
  patch: 4
  build: 1396
}

Ensure the firmware is at a specific version

cnspec> fortios.system.firmware.current.version == "7.2.5"
[failed] fortios.system.firmware.current.version == "7.2.5"
  expected: == "7.2.5"
  actual:   "7.2.4"

List available firmware updates

cnspec> fortios.system.firmware.available { version releaseType maturity }
fortios.system.firmware.available: [
  0: {
    version: "7.2.5"
    releaseType: "GA"
    maturity: "Mature"
  }
]
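The shell checks above can be turned into a policy and enforced with --policy-bundle, as mentioned under "Understand scan output". The bundle below is an added example written for this page; it is not from the Mondoo documentation or the cnspec project. It uses only the fortios.system.firmware fields shown on this page. The file name, the policy and query uids, the platform filter value and the pinned version numbers are assumptions chosen for illustration.

```yaml
# Added example (not Mondoo's own policy): a custom cnspec policy bundle
# that encodes the firmware checks run interactively above.
# Assumed values: uids, author, the platform filter and the 7.2.x baseline.
policies:
  - uid: example-fortios-firmware
    name: FortiOS firmware baseline (example)
    version: 1.0.0
    authors:
      - name: Example author
        email: security@example.com
    groups:
      - title: Firmware
        # Assumed platform identifier; confirm the value by running
        # `asset.platform` in the cnspec shell before relying on it.
        filters: asset.platform == "fortios"
        checks:
          - uid: example-fortios-firmware-train
          - uid: example-fortios-no-pending-ga
queries:
  - uid: example-fortios-firmware-train
    title: Device runs the approved 7.2 firmware train at patch 4 or later
    impact: 80
    # Compare the numeric major/minor/patch fields instead of the version
    # string, so a later patch such as 7.2.10 is accepted rather than
    # rejected by an exact string match like version == "7.2.5".
    mql: fortios.system.firmware.current.major == 7 && fortios.system.firmware.current.minor == 2 && fortios.system.firmware.current.patch >= 4
    docs:
      desc: Firewalls must run the organization's approved firmware train.
      remediation: Upgrade the device to the approved FortiOS release.
  - uid: example-fortios-no-pending-ga
    title: No mature GA firmware update is pending for the device
    impact: 60
    # Fails when FortiOS reports a mature GA release that is not installed.
    mql: fortios.system.firmware.available.where(releaseType == "GA" && maturity == "Mature").length == 0
    docs:
      desc: A pending mature GA release usually carries security fixes.
      remediation: Review the release notes and schedule the upgrade.
```

Save it as, for example, fortios-firmware.mql.yaml and run cnspec scan fortios --hostname DEVICE_IP --token 'API_TOKEN' --policy-bundle fortios-firmware.mql.yaml; against the device shown in the output above (firmware 7.2.4 with 7.2.5 GA available), the first check passes and the second fails, pointing at the pending upgrade.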

Learn more

