Fortinet Security Audits: How PJ Networks Performs Security Audits for Fortinet Rugged Firewalls
I’ve worked in this industry for decades (network admin since ’93, wired networks with coax cables when cables were still a thing). I was there to see the Slammer worm tear through networks. Today, I have my own cybersecurity firm, and trust me, threats aren’t slowing down. If anything, they’re nastier, shrewder and more relentless.
One thing I’ve learned? Your security is only as strong as your weakest mistake.
And when companies contact us (particularly banks, which, fun fact, we’ve been working with plenty recently) to audit their Fortinet rugged firewalls, we don’t mess about. We are not simply ticking boxes for compliance purposes. We are proactively searching for genuine, exploitable vulnerabilities ahead of attackers.
Let’s discuss auditing Fortinet rugged firewalls and the difference between a proper security audit and a watered-down “scan and forget” audit.
Quick Take
So if you’re a bit time-poor, here’s how we do Fortinet firewall security audits at PJ Networks.
- Baseline Check – We check firewall rule sets and security policies for misconfigurations.
- Firmware & Patching – No patches on firmware = unlimited zero-day buffet for hackers. We make sure that patches are applied on time.
- Zero-Trust Hardening – Trust by default is rotten. We enforce the principle of least privilege.
- Exploitation Simulation – We perform real-world attacks, not a generic vulnerability scan.
- Logging & Monitoring Review – If you don’t log it, you can’t detect it. We make sure the logging is set up properly.
Alright. Now, let’s get into details.
Audit Framework
We first lay out an outline for our audit before we touch any firewall setting.
While there are many tools associated with cybersecurity, cybersecurity is about processes, not just tools. We don’t simply run scans and throw reports at you. We take a proactive approach to detection, that is, we try to think like an attacker:
- Reconnaissance & Discovery:
  - Which open ports and services expose data?
  - Do default credentials still exist unchanged? (Yes, this still happens.)
- Configuration Assessment:
  - Firewall rules: are they whitelist-based?
  - Traffic segmentation: are the rules enforced correctly?
  - Are high-risk services exposed without any reason?
- Patch & Firmware Compliance:
  - Any old versions of FortiOS?
  - Are any known CVEs hanging around in your deployment?
- Checks for Zero-Trust & Least Privilege:
  - Who has access to what?
  - Are you over-provisioned with administrative roles?
Why we do this: PJ Networks doesn’t do checkbox compliance audits — we do security. Attackers don’t worry about compliance, they worry about exploitable misconfigurations.
Our Process
Every company we audit is different, but our methodology remains the same.
- Firewall Rule Analysis (The Messy Middle)
One of the most common mistakes I see? Bloated firewall rulesets. Over time, admins add temporary exceptions and “just in case” rules that are never removed.
- Implicit allow rules hiding in the wrong places.
- Overly permissive access controls (e.g. ALLOW ANY/ANY rules — yuck).
- Dormant firewall policies — rules that haven’t been touched for years.
And, yes, we do occasionally see rules that allow all inbound traffic from the internet to admin interfaces. If your FortiGate web management console is exposed online, we have to talk.
- Firmware & Patch Audit (Outdated = Vulnerable)
I really cannot say this enough—you really should update your firmware. Fortinet firewalls that are out of date are especially attractive to attackers.
- FortiOS versions are checked against known exploits.
- We check that your firmware updates were applied correctly (incomplete updates = very bad).
- Auto-updates must be monitored, not assumed.
- Exploitation Simulation (Attacker Testing)
We don’t passively audit configurations—we engage your firewalls as a real adversary would.
- Port scanning & service enumeration — what is out there?
- Brute forcing weak credentials – YES this still works on some networks.
- Man-in-the-middle attacks — sniffing traffic to see if messages are encrypted.
- Exploiting known Fortinet vulnerabilities (in a controlled way, of course).
There’s nothing like putting your defenses to the test to find gaps.
- Logging, Monitoring, & Alerting (If You Don’t Log It, It Didn’t Happen)
You don’t put a firewall in place just to ward off direct attacks. It should also tell you who is poking around.
- We verify that logging is correctly enabled (it is often disabled because of storage issues).
- We initiate intrusion attempts and monitor for alerts.
- We make sure that logs are actively being monitored, not just collected and archived.
A firewall that does not tell you who is attacking you, and when, leaves you flying blind.
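The rule-analysis and logging checks described above can be partly automated against a configuration backup. The following Python is an added example, not PJ Networks’ tooling: the config excerpt is constructed, the function names `parse` and `audit` are hypothetical, and it assumes the standard FortiOS `config` / `edit` / `set` / `next` / `end` layout with the `allowaccess`, `role` and `logtraffic` settings.

```python
import re
# Constructed FortiOS-style excerpt (sample data, not from a real device).
SAMPLE = '''config system interface
    edit "wan1"
        set role wan
        set allowaccess ping https ssh
    next
end
config firewall policy
    edit 1
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set action accept
        set logtraffic disable
    next
end'''

def parse(text):
    """Return {section: {entry: {key: [values]}}}; nested config blocks are skipped."""
    out, section, entry, depth = {}, None, None, 0
    for line in text.splitlines():
        w = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)] or [""]
        if w[0] == "config":
            depth += 1
            if depth == 1:  # a new top-level block starts with no open entry
                section, entry = " ".join(w[1:]), None
        elif w[0] == "end":
            depth -= 1
        elif depth == 1 and w[0] == "edit":
            entry = out.setdefault(section, {}).setdefault(w[1], {})
        elif depth == 1 and w[0] == "set" and entry is not None:
            entry[w[1]] = w[2:]
    return out

def audit(text):
    """Flag any/any/ALL accepts, unlogged accepts and management access on WAN."""
    cfg, findings = parse(text), []
    for pid, p in cfg.get("firewall policy", {}).items():
        accept = p.get("action") == ["accept"]
        if accept and all(p.get(k) in (["all"], ["ALL"]) for k in ("srcaddr", "dstaddr", "service")):
            findings.append(("policy", pid, "any/any/ALL accept"))
        if accept and p.get("logtraffic") == ["disable"]:
            findings.append(("policy", pid, "traffic logging disabled"))
    for name, i in cfg.get("system interface", {}).items():
        mgmt = sorted({"http", "https", "ssh", "telnet"} & set(i.get("allowaccess", [])))
        if i.get("role") == ["wan"] and mgmt:
            findings.append(("interface", name, "management on WAN: " + ",".join(mgmt)))
    return findings
```

Running `audit(SAMPLE)` reports the permissive policy, its disabled logging and the management protocols allowed on the WAN-role interface; a policy with a specific source and service and an interface without management access produce no findings.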
Conclusion
A good security audit is not a one-time activity — it’s a continuous process.
Here’s what we know here at PJ Networks:
- Firewalls are not “set it and forget it” solutions. They require frequent audits to remain effective.
- Attackers don’t read the compliance checklists. This is why we pursue actual security, not only compliance.
- It’s always better to be proactive in security. If you’re responding to an attack, you’re already in response mode.
I’ve been in this industry long enough to watch the same mistakes get made over and over—misconfigurations, unpatched firmware, weak access controls. And attackers? They thrive on these lapses.
If you work with Fortinet rugged firewalls: When did you last perform a proper security audit?
And if the answer just isn’t recent enough, let’s do something about it.
