Assess Fortinet FortiOS Security with cnspec

Secure and enforce policy for Fortinet FortiGate firewalls running FortiOS

Rely on cnspec to ensure your Fortinet FortiGate firewalls running FortiOS follow recommended security and operational best practices, such as verifying firmware versions, checking for available updates, and assessing device configuration.

Prerequisites

To test a FortiOS device with cnspec, you must have:

Give cnspec access to your FortiGate device

To scan a FortiGate device, cnspec connects through the FortiOS REST API. You need to create an API token for authentication.

API setup instructions

Create a REST API token

To create a REST API token in FortiOS:

  1. Log in to the FortiGate web interface.
  2. Navigate to System > Administrators.
  3. Click Create New > REST API Admin.
  4. Configure the administrator profile with appropriate permissions.
  5. Copy the generated API token.

For detailed instructions, see the FortiOS REST API documentation.

Test your connection

Before running a full scan, verify that cnspec can connect by opening a cnspec shell:

cnspec shell fortios --hostname DEVICE_IP --token 'API_TOKEN'

If cnspec connects successfully and shows a prompt, you're ready to scan.

Connection options

Option          Description
--hostname      Hostname or IP address of the FortiOS device
--token, -t     REST API Bearer token for authentication
--insecure, -k  Skip TLS certificate verification

Scan FortiOS devices

To scan a FortiGate device, use the cnspec scan command. For DEVICE_IP, substitute the hostname or IP address of the device. For API_TOKEN, substitute your REST API token:

cnspec scan fortios --hostname DEVICE_IP --token 'API_TOKEN'

To skip TLS certificate verification (for self-signed certificates):

cnspec scan fortios --hostname DEVICE_IP --token 'API_TOKEN' --insecure

Scan with Mondoo FortiOS policies

Mondoo Platform users: In the Mondoo Console, go to Findings > Policies, search for "FortiOS", and add the policy. It covers firmware version checks, system configuration, and more. All future scans of your FortiGate devices automatically evaluate against it. To learn more, read Manage Policies.

You can also create your own policies to meet your specific requirements.

Example checks

You can interactively explore and test checks using the cnspec shell. To open a shell connected to your FortiGate device:

cnspec shell fortios --hostname DEVICE_IP --token 'API_TOKEN'

Below are some example queries and checks you can run from the shell.

Retrieve firmware information

cnspec> fortios.system.firmware
fortios.system.firmware: {
  current: fortios.system.firmware.versionInfo
  available: [...]
}

Check the firmware version

cnspec> fortios.system.firmware.current { version major minor patch build }
fortios.system.firmware.current: {
  version: "7.2.4"
  major: 7
  minor: 2
  patch: 4
  build: 1396
}

Ensure the firmware is at a specific version

cnspec> fortios.system.firmware.current.version == "7.2.5"
[failed] fortios.system.firmware.current.version == "7.2.5"
  expected: == "7.2.5"
  actual:   "7.2.4"

List available firmware updates

cnspec> fortios.system.firmware.available { version releaseType maturity }
fortios.system.firmware.available: [
  0: {
    version: "7.2.5"
    releaseType: "GA"
    maturity: "Mature"
  }
]
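The shell queries above can be turned into a reusable custom policy. The following cnspec policy bundle is an added example, not part of the Mondoo docs or the Mondoo-maintained FortiOS policy; it builds two checks from the firmware fields shown above. The bundle and query uids are illustrative, the asset platform filter value is an assumption, and the second check assumes that `fortios.system.firmware.available` lists only releases newer than the running one.

```yaml
# Added example policy bundle (not from the Mondoo docs). Save as
# fortios-firmware.mql.yaml and pass it with --policy-bundle.
# Assumptions: uids are illustrative; the platform filter value "fortios"
# may differ on your asset; `available` is treated as pending updates only.
policies:
  - uid: example-fortios-firmware-baseline
    name: Example FortiOS firmware baseline
    version: 1.0.0
    groups:
      - title: Firmware
        # Assumed platform name; adjust if your asset reports another value.
        filters: asset.platform == "fortios"
        checks:
          - uid: example-fortios-firmware-min-version
          - uid: example-fortios-no-pending-ga-update
queries:
  - uid: example-fortios-firmware-min-version
    title: Running FortiOS firmware is 7.2.5 or newer within the 7.x train
    impact: 80
    # Compare the numeric major/minor/patch fields instead of the version
    # string, so "7.2.10" is correctly treated as newer than "7.2.5".
    mql: |
      fortios.system.firmware.current.major == 7 &&
      (fortios.system.firmware.current.minor > 2 ||
       (fortios.system.firmware.current.minor == 2 &&
        fortios.system.firmware.current.patch >= 5))
  - uid: example-fortios-no-pending-ga-update
    title: No mature GA firmware release is pending installation
    impact: 60
    # Fails whenever the device reports a Mature GA release it has not
    # yet been upgraded to; pre-GA or Feature releases are ignored.
    mql: |
      fortios.system.firmware.available
        .where(releaseType == "GA" && maturity == "Mature")
        .length == 0
```

Run it with `cnspec scan fortios --hostname DEVICE_IP --token 'API_TOKEN' --policy-bundle fortios-firmware.mql.yaml`; against the device shown above (running 7.2.4 with 7.2.5 GA/Mature available) both checks fail, which is the intended signal that an upgrade is due.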
