indicators in fortigate

Good morning friends, a question.

I know many here are Fortigate administrators. Do you manage security indicators when you perform daily, weekly, or monthly firewall reviews? Or what methodology do you use?

When I carry out reviews on clients' perimeter equipment, I write up a report of improvements to their configurations, but I would also like to apply indicators.


I appreciate your comments


Hello @unknown1020 ,


Managing security indicators is an excellent practice for maintaining a robust security posture, especially when you're responsible for firewall administration. These indicators can help you quantify the effectiveness of your security measures and identify areas for improvement. 


Traffic Volume: Monitor the amount of inbound and outbound traffic. Anomalies could indicate a security incident.

Blocked Connections: Track the number of connections that the firewall has blocked, categorized by reason for blocking.

Allowed Connections: Monitor the number and types of connections that are allowed, especially from outside the network.

Threat Detection: Number of detected threats like malware, intrusions, or data exfiltration attempts.

Configuration Changes: Track any changes made to the firewall configuration, who made them, and why.

System Health: CPU usage, memory usage, and other performance metrics can also be important indicators.

Incident Response Time: Measure how long it takes to respond to and mitigate security incidents detected by the firewall.

False Positives/Negatives: Track these as they can indicate the effectiveness of your security policies.


Focus on real-time indicators like traffic volume, blocked connections, and system health. Investigate any immediate anomalies. Look at trends in the data. Are the number of blocked connections going up? Are you seeing new types of threats? Review any configuration changes made during the week. By regularly reviewing these indicators and adjusting your security policies accordingly, you can greatly improve the effectiveness of your firewall and your overall security posture.
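Added example, not part of the reply above: the indicators it lists (blocked connections by reason, allowed connections from outside, detected threats, configuration changes, failed admin logins) computed from syslog lines in FortiGate's key=value style. The log lines are constructed for the example, not real device output; the field names (type, subtype, action, policyid, srcip, dstport, logdesc, user, ui, cfgpath, cfgobj, cfgattr) follow the FortiGate log format as far as I know it and should be checked against your firmware's log reference. The internal address range and the device name are assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample logs in FortiGate key=value style (assumed field names, hypothetical site).
SAMPLE_LOGS = """\
date=2024-05-06 time=08:01:10 devname="FGT-EDGE" type="traffic" subtype="forward" srcip=203.0.113.7 srcport=44120 dstip=192.0.2.10 dstport=443 proto=6 action="accept" policyid=12
date=2024-05-06 time=08:01:12 devname="FGT-EDGE" type="traffic" subtype="forward" srcip=198.51.100.23 srcport=51000 dstip=192.0.2.10 dstport=3389 proto=6 action="deny" policyid=0
date=2024-05-06 time=08:01:15 devname="FGT-EDGE" type="traffic" subtype="forward" srcip=10.10.1.5 srcport=50231 dstip=8.8.8.8 dstport=53 proto=17 action="accept" policyid=3
date=2024-05-06 time=08:02:01 devname="FGT-EDGE" type="traffic" subtype="forward" srcip=10.10.1.9 srcport=50400 dstip=192.0.2.200 dstport=445 proto=6 action="deny" policyid=7
date=2024-05-06 time=08:02:30 devname="FGT-EDGE" type="utm" subtype="ips" srcip=198.51.100.23 dstip=192.0.2.10 action="dropped" attack="Constructed.Test.Signature" severity="high"
date=2024-05-06 time=08:03:00 devname="FGT-EDGE" type="event" subtype="system" logdesc="Admin login failed" user="admin" ui="https(198.51.100.77)" action="login" status="failed"
date=2024-05-06 time=08:03:05 devname="FGT-EDGE" type="event" subtype="system" logdesc="Admin login failed" user="admin" ui="https(198.51.100.77)" action="login" status="failed"
date=2024-05-06 time=09:15:00 devname="FGT-EDGE" type="event" subtype="system" logdesc="Object attribute configured" user="jdoe" ui="ssh(10.10.1.50)" action="Edit" cfgpath="firewall.policy" cfgobj="12" cfgattr="logtraffic[all->disable]"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed internal ranges for the hypothetical site; anything else is treated as external.
INTERNAL_NETS = [ip_network("10.10.0.0/16")]

# FortiGate attributes denies that no explicit policy matched to the implicit deny policy, id 0.
IMPLICIT_DENY_ID = "0"


def parse_line(line):
    """Turn one key=value log line into a dict, stripping the quotes around string values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def is_external(ip):
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def compute_indicators(log_text):
    """Aggregate the review indicators from raw log text."""
    ind = {
        "blocked_by_policy": Counter(),  # deny events keyed by the policy id that denied them
        "allowed_external": Counter(),   # accepted flows from outside, keyed by destination port
        "threats": Counter(),            # UTM verdicts that stopped something, keyed by subtype
        "config_changes": [],            # who changed what, from where
        "failed_logins": Counter(),      # (user, source UI) pairs with failed admin logins
    }
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        kind, sub = rec.get("type"), rec.get("subtype")
        if kind == "traffic":
            if rec.get("action") == "deny":
                ind["blocked_by_policy"][rec.get("policyid", "?")] += 1
            elif rec.get("action") == "accept" and is_external(rec["srcip"]):
                ind["allowed_external"][rec.get("dstport", "?")] += 1
        elif kind == "utm" and rec.get("action") in ("dropped", "blocked"):
            ind["threats"][sub] += 1
        elif kind == "event" and sub == "system":
            if "cfgpath" in rec:
                keys = ("date", "time", "user", "ui", "cfgpath", "cfgobj", "cfgattr")
                ind["config_changes"].append({k: rec.get(k) for k in keys})
            elif rec.get("logdesc") == "Admin login failed":
                ind["failed_logins"][(rec.get("user"), rec.get("ui"))] += 1
    return ind


def summarize(ind):
    """Render the indicators as the lines you would paste into a weekly review."""
    lines = []
    implicit = ind["blocked_by_policy"].get(IMPLICIT_DENY_ID, 0)
    explicit = sum(ind["blocked_by_policy"].values()) - implicit
    lines.append(f"Blocked: {implicit} by implicit deny, {explicit} by explicit deny policies")
    for port, n in sorted(ind["allowed_external"].items()):
        lines.append(f"Allowed from external to port {port}: {n}")
    for sub, n in ind["threats"].items():
        lines.append(f"Threats stopped by {sub}: {n}")
    for c in ind["config_changes"]:
        lines.append(f"Config change: {c['user']} via {c['ui']} edited {c['cfgpath']} {c['cfgobj']} ({c['cfgattr']})")
    for (user, ui), n in ind["failed_logins"].items():
        lines.append(f"Failed admin logins for {user} from {ui}: {n}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(compute_indicators(SAMPLE_LOGS))))
```

Run it against an export of the week's logs instead of SAMPLE_LOGS and keep the per-week numbers; the trend (implicit denies climbing, a new external port being accepted, a policy's logging switched off) is what the review should comment on, not the raw count.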




Security Indicators for Firewall Reviews:

  1. Blocked Traffic: Count of blocked malicious connections and threats.
  2. Allowed Traffic: Data volume and connections, especially from new sources.
  3. Rule Base: Check for wildcard rules, unused rules, and rules without logging.
  4. Configuration Changes: Track any changes, especially unauthorized ones.
  5. VPN Metrics: Monitor active VPN connections and failed attempts.
  6. Incident Metrics: Count incidents due to firewall issues and response times.
  7. Software/Patch Levels: Monitor firmware version and patch delays.
  8. System Performance: Track CPU/memory usage and system downtimes.
  9. Backup Metrics: Date of the last successful backup and failover events.
  10. Access Metrics: Monitor admin users and failed login attempts.

Methodology Tip: Consider frameworks like NIST or ISO/IEC 27001 for structured approaches.

Presentation: Use visuals, provide context, and recommend specific actions based on the metrics. Tailor to each organization's unique needs.
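Added example for item 3 (rule base review) in the list above; it is not part of the reply. It parses a constructed `config firewall policy` block in FortiGate CLI syntax and flags wildcard accept rules, rules with logging disabled or limited to UTM events, and rules that never appeared in traffic logs. The policy names, address objects and the set of used policy IDs are hypothetical; in practice `used_ids` comes from the `policyid` field of the period's traffic logs. Note the caveat the code implements: a policy with `set logtraffic disable` never shows up in the logs, so its absence is not evidence that it is unused.

```python
import shlex

# Constructed FortiGate CLI fragment (hypothetical policies and object names).
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set name "LAN-to-Internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "LAN_NET"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set logtraffic all
        set nat enable
    next
    edit 2
        set name "Any-Any-Legacy"
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic disable
    next
    edit 3
        set name "Vendor-to-ERP"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "VENDOR_NET"
        set dstaddr "ERP_SERVER"
        set action accept
        set schedule "always"
        set service "RDP"
        set logtraffic utm
    next
    edit 4
        set name "Block-Guest-to-LAN"
        set srcintf "guest"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "LAN_NET"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
"""


def parse_policies(config_text):
    """Return {policy_id: {attribute: [values]}} for the 'config firewall policy' block."""
    policies, current, in_block = {}, None, False
    for raw in config_text.splitlines():
        tokens = shlex.split(raw.strip())  # honours the double quotes around object names
        if not tokens:
            continue
        if tokens[:3] == ["config", "firewall", "policy"]:
            in_block = True
        elif not in_block:
            continue
        elif tokens[0] == "edit":
            current = {"id": int(tokens[1])}
        elif tokens[0] == "set" and current is not None:
            current[tokens[1]] = tokens[2:]
        elif tokens[0] == "next" and current is not None:
            policies[current["id"]] = current
            current = None
        elif tokens[0] == "end":
            in_block = False
    return policies


def first(policy, key, default=""):
    return policy.get(key, [default])[0]


def review_policies(policies, used_ids):
    """Map policy id -> list of finding codes; policies with no findings are omitted."""
    findings = {}
    for pid, p in policies.items():
        f = []
        action = first(p, "action", "deny")   # FortiGate policies default to deny
        log = first(p, "logtraffic")
        if action == "accept":
            if p.get("srcaddr") == ["all"] and p.get("dstaddr") == ["all"]:
                f.append("WILDCARD_ACCEPT")      # any source to any destination allowed
            if p.get("service") == ["ALL"]:
                f.append("SERVICE_ALL_ACCEPT")   # every port/protocol allowed
        if log == "disable":
            f.append("NO_LOGGING")
        elif log == "utm" and action == "accept":
            f.append("PARTIAL_LOGGING")          # only sessions with a UTM verdict are logged
        if pid not in used_ids:
            # No hits in the logs: a real finding only if the rule could have logged a hit.
            f.append("USAGE_UNKNOWN" if log == "disable" else "UNUSED")
        if f:
            findings[pid] = f
    return findings


if __name__ == "__main__":
    pols = parse_policies(SAMPLE_CONFIG)
    for pid, codes in sorted(review_policies(pols, used_ids={1, 3}).items()):
        print(pid, first(pols[pid], "name"), ", ".join(codes))
```

Feed it the output of `show firewall policy` from the device and a set of policy IDs collected from the period's traffic logs; the finding codes map directly onto the indicators in the list (wildcard rules, rules without logging, unused rules), so the counts per code can be tracked from one review to the next.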

