Secure Fortinet FortiOS with cnspec
Scan Fortinet FortiGate firewalls running FortiOS against security and compliance best practices with cnspec.
Scan your Fortinet FortiGate firewalls running FortiOS to find security risks before they become incidents. cnspec evaluates firmware versions, available updates, system configuration, and dozens of other FortiOS controls.
Prerequisites
To test a FortiOS device with cnspec, you must have:
- cnspec installed on your workstation
- Network access to the FortiGate management interface
- A REST API token for authentication
Give cnspec access to your FortiGate device
To scan a FortiGate device, cnspec connects through the FortiOS REST API. You need to create an API token for authentication.
API setup instructions
Create a REST API token
To create a REST API token in FortiOS:
- Log in to the FortiGate web interface.
- Navigate to System > Administrators.
- Click Create New > REST API Admin.
- Configure the administrator profile with appropriate permissions.
- Copy the generated API token.
For detailed instructions, see the FortiOS REST API documentation.
Test your connection
Before running a full scan, verify that cnspec can connect by opening a cnspec shell:
cnspec shell fortios --hostname DEVICE_IP --token 'API_TOKEN'
If cnspec connects successfully and shows a prompt, you're ready to scan.
Connection options
| Option | Description |
|---|---|
| --hostname | Hostname or IP address of the FortiOS device |
| --token, -t | REST API Bearer token for authentication |
| --insecure, -k | Skip TLS certificate verification |
Scan FortiOS devices
To scan a FortiGate device, use the cnspec scan command. For DEVICE_IP, substitute the hostname or IP address of the device. For API_TOKEN, substitute your REST API token:
cnspec scan fortios --hostname DEVICE_IP --token 'API_TOKEN'
To skip TLS certificate verification (for self-signed certificates):
cnspec scan fortios --hostname DEVICE_IP --token 'API_TOKEN' --insecure
Scan with the Mondoo FortiOS Security policy
Mondoo maintains an out-of-the-box Fortinet FortiOS Security policy that checks firmware versions, available updates, system configuration, and more.
Mondoo Platform users: Enable the policy in your space. In the Mondoo App, go to Findings > Policies, search for "FortiOS", and add the policy. All future scans of your FortiGate devices automatically evaluate against it. To learn more, read Manage Policies.
Open source users: Pass the policy bundle URL directly to cnspec:
cnspec scan fortios --hostname DEVICE_IP --token 'API_TOKEN' \
  --policy-bundle https://raw.githubusercontent.com/mondoohq/cnspec/refs/heads/main/content/mondoo-fortios-security.mql.yaml
You can also create your own policies to meet your specific requirements.
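As an added example (not a bundle shipped by Mondoo or the cnspec project), here is a minimal custom policy bundle built on the `fortios.system.firmware` resource shown in the example checks below. It assumes the FortiOS provider reports `asset.platform` as `fortios` and that `fortios.system.firmware.available` lists only firmware newer than the running version; the policy and query uids are made up for this example.

```yaml
# Added example: a minimal custom cnspec policy bundle for FortiOS firmware.
# Save as fortios-firmware.mql.yaml and run:
#   cnspec scan fortios --hostname DEVICE_IP --token 'API_TOKEN' \
#     --policy-bundle ./fortios-firmware.mql.yaml
policies:
  - uid: example-fortios-firmware
    name: Example FortiOS firmware baseline
    version: 1.0.0
    groups:
      - title: Firmware
        # Assumption: the FortiOS provider reports the platform as "fortios".
        filters: asset.platform == "fortios"
        checks:
          - uid: example-fortios-firmware-minimum
          - uid: example-fortios-firmware-no-pending-ga
queries:
  - uid: example-fortios-firmware-minimum
    title: Firmware is at least 7.2.5
    impact: 80
    # Compare major/minor/patch numerically instead of the version string,
    # so 7.2.10 is not judged older than 7.2.5 and 7.4.x passes as well.
    mql: >-
      fortios.system.firmware.current.major > 7 ||
      (fortios.system.firmware.current.major == 7 && fortios.system.firmware.current.minor > 2) ||
      (fortios.system.firmware.current.major == 7 && fortios.system.firmware.current.minor == 2 && fortios.system.firmware.current.patch >= 5)
  - uid: example-fortios-firmware-no-pending-ga
    title: No GA firmware update is pending
    impact: 60
    # Assumption: `available` lists only versions newer than the running one,
    # as the shell output on this page suggests; a device on 7.2.4 with
    # 7.2.5 GA available fails this check.
    mql: fortios.system.firmware.available.where(releaseType == "GA").length == 0
```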
Example checks
You can interactively explore and test checks using the cnspec shell. To open a shell connected to your FortiGate device:
cnspec shell fortios --hostname DEVICE_IP --token 'API_TOKEN'
Below are some example queries and checks you can run from the shell.
Retrieve firmware information
cnspec> fortios.system.firmware
fortios.system.firmware: {
current: fortios.system.firmware.versionInfo
available: [...]
}
Check the firmware version
cnspec> fortios.system.firmware.current { version major minor patch build }
fortios.system.firmware.current: {
version: "7.2.4"
major: 7
minor: 2
patch: 4
build: 1396
}
Ensure the firmware is at a specific version
cnspec> fortios.system.firmware.current.version == "7.2.5"
[failed] fortios.system.firmware.current.version == "7.2.5"
expected: == "7.2.5"
actual: "7.2.4"
List available firmware updates
cnspec> fortios.system.firmware.available { version releaseType maturity }
fortios.system.firmware.available: [
0: {
version: "7.2.5"
releaseType: "GA"
maturity: "Mature"
}
]
Learn more
- To learn about all the FortiOS resources and properties you can query, read the FortiOS Resource Pack Reference.
- To learn more about how the MQL query language works, read Write Effective MQL.
- For more information about FortiOS, see the Fortinet documentation.