Synced from Priyam Patel's repository.
Focused on:
- Enhancing the python implementation
- Exanded CIS Controls checks
- Additional Best Practices checks
- Including Hostname and Firmware levels in report
- Store output in a dedicated folder
- Scanning multiple config files at same time
- Split out check definitions into own file for easier maintenance
- Enhanced logging, auditing, and validation
This tool automates the process of checking FortiGate firewall configurations against CIS (Center for Internet Security) benchmarks. It helps security professionals and network administrators to:
- Audit FortiGate configurations for security best practices
- Identify potential security misconfigurations
- Generate detailed reports in both CSV and HTML formats
- Track compliance with CIS security standards
This tool is available in two implementations:
- Bash script (
fortigate_cis_checker.sh) - Python script (
fortigate_cis_checker.py)
Choose the implementation that best suits your environment and requirements.
- Automated checking of 50+ CIS benchmark controls
- Detailed pass/fail status for each control
- Current configuration status
- Specific recommendations for failed checks
- HTML report with color-coded results
- CSV output for further analysis
- Summary statistics of overall compliance
- Configuration location guidance for failed checks
- Bash shell environment (version 4.0 or higher)
- Access to FortiGate configuration file
- Read permissions for the configuration file
- Minimum 100MB free disk space for reports
- Internet connectivity (optional, for updates)
- Python 3.6 or higher
- Required Python packages:
pip install argparse logging typing pip install tqdm - Access to FortiGate configuration file
- Read permissions for the configuration file
- Download the script:
The script generates two output files in the current directory:
- CSV Report:
AUDIT_YYYYMMDD_HHMMSS.csv - HTML Report:
AUDIT_YYYYMMDD_HHMMSS.html
The script checks various security aspects including:
- DNS Configuration
- Intra-zone Traffic Settings
- Management Services Configuration
- Banner Settings
- System Time and NTP
- Firmware Status
- USB Port Security
- TLS Configuration
- Password Policies
- SNMP Settings
- Admin Access Controls
- High Availability Settings
- Firewall Policies
- Security Profiles
- Logging Configuration
- And many more...
The HTML report includes:
- Summary statistics
- Detailed results table
- Color-coded pass/fail indicators
- Current configuration values
- Specific recommendations for failed checks
- Configuration location guidance for failed checks
For failed checks, the report shows:
- Status: FAIL
- Current: Location: [configuration path]
- Recommendation: [specific fix details]
For passed checks, the report shows:
- Status: PASS
- Current: [actual configured value]
- Recommendation: N/A
This project is licensed under the MIT License - see the LICENSE file for details.
1.0.0
- This tool is designed for FortiGate version 7.0.x configurations
- Results may vary for other versions
- Always review results and recommendations before implementing changes
- Backup your configuration before making any changes
Common issues and solutions:
- Permission denied
chmod +x fortigate-csi-check.sh- Invalid configuration file
- Ensure the configuration file is in plain text format
- Verify file permissions
- Check for file corruption