The best practices could fill an entire page. Most important is to truly know what the rule set is doing, and then to minimize access.
Firewall rulesets are evaluated top-down and will, if no rules match, drop the traffic.
"Traffic" here means srcIP:srcport<>dstIP:dstport (and FSSO group, if any). That set will always be evaluated anew if not already known to the firewall in that combination.
You need to know the network that the firewall is protecting. Expected traffic from outside to inside may be allowed; explain why it is expected.
Sometimes I see rule sets that seem to use only one source interface to one destination interface (wan), which I personally think is a no-go design unless there is another firewall segregating traffic before this firewall. There should be physically different interfaces for different networks.
On FortiGate you can have security profiles that will be executed after the firewall policy match; these can help to increase security, but only if you have deep inspection running and working.
The valuable information will also only be valuable if you know exactly what to explain.
For the authentication part, "diag firewall auth list" gives some output on which users are authenticated to the firewall (if any). Other commands depend very much on what is to be displayed.
If I were an auditor and would ask random questions, I would ask for example:
- If the printer here is disconnected and I attach my laptop, would I have access to company resources?
- Are your network switches or the firewalls physically accessible to anyone? Is there any level of access enforcement?
- If an employee infects his or her system with malware, how can you contain it quickly and effectively? How will you see this in the firewall logs? Will you receive any report? FortiAnalyzer can help here if available and properly set up with the FortiGate.
Hope that gives a little guide. This is by no means complete, but has some things listed that I'd expect.
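The top-down, first-match, implicit-deny evaluation described in the post above, as an added example in Python (this is not code from the original post and not a FortiOS feature; the rule set, interface names and addresses are constructed for illustration). It evaluates a flow the same way the post describes and adds a small "shadowed rule" check, which is one concrete way to "truly know what the rule set is doing": a deny placed below a broader accept can never match.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple, Union

# A flow is (src_intf, dst_intf, src_ip, dst_ip, dst_port); src port is
# omitted for brevity since it is rarely used in policy matching.
Flow = Tuple[str, str, str, str, int]


@dataclass(frozen=True)
class Rule:
    name: str
    src_intf: str          # interface name or "any"
    dst_intf: str
    src_net: str           # CIDR
    dst_net: str
    dst_port: Union[int, str]  # port number or "any"
    action: str            # "accept" or "deny"

    def matches(self, flow: Flow) -> bool:
        src_intf, dst_intf, src_ip, dst_ip, dst_port = flow
        return (self.src_intf in (src_intf, "any")
                and self.dst_intf in (dst_intf, "any")
                and ip_address(src_ip) in ip_network(self.src_net)
                and ip_address(dst_ip) in ip_network(self.dst_net)
                and self.dst_port in (dst_port, "any"))

    def covers(self, other: "Rule") -> bool:
        """True if every flow matching `other` also matches this rule."""
        return (self.src_intf in (other.src_intf, "any")
                and self.dst_intf in (other.dst_intf, "any")
                and ip_network(other.src_net).subnet_of(ip_network(self.src_net))
                and ip_network(other.dst_net).subnet_of(ip_network(self.dst_net))
                and self.dst_port in (other.dst_port, "any"))


def evaluate(ruleset: List[Rule], flow: Flow) -> Tuple[str, str]:
    """First matching rule wins; no match falls through to the implicit deny."""
    for rule in ruleset:
        if rule.matches(flow):
            return rule.name, rule.action
    return "implicit-deny", "deny"


def shadowed_rules(ruleset: List[Rule]) -> List[str]:
    """Names of rules that can never fire because an earlier rule covers them."""
    dead = []
    for j, later in enumerate(ruleset):
        if any(earlier.covers(later) for earlier in ruleset[:j]):
            dead.append(later.name)
    return dead


# Constructed sample rule set: the printer VLAN accept is broader than the
# file-server deny placed below it, so the deny is dead.
RULESET = [
    Rule("lan-to-wan-web", "lan", "wan", "10.0.0.0/24", "0.0.0.0/0", 443, "accept"),
    Rule("printer-vlan-any", "printers", "lan", "10.0.5.0/24", "10.0.0.0/8", "any", "accept"),
    Rule("block-printers-fileserver", "printers", "lan", "10.0.5.0/24", "10.0.0.10/32", 445, "deny"),
]

# Same rules with the specific deny moved above the broad accept.
FIXED_RULESET = [RULESET[0], RULESET[2], RULESET[1]]

if __name__ == "__main__":
    for flow in [("lan", "wan", "10.0.0.7", "203.0.113.10", 443),
                 ("lan", "wan", "10.0.0.7", "203.0.113.10", 22),
                 ("printers", "lan", "10.0.5.3", "10.0.0.10", 445)]:
        print(flow, "->", evaluate(RULESET, flow), "| fixed:", evaluate(FIXED_RULESET, flow))
    print("shadowed:", shadowed_rules(RULESET), "| fixed:", shadowed_rules(FIXED_RULESET))
```

The SSH flow from the LAN hits no rule and lands on the implicit deny, while the printer-to-file-server flow is accepted by the broad rule even though a deny for exactly that traffic sits right below it; reordering restores the intended deny and the shadow check comes back empty.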