FortiGate Configuration Audit

Audit your FortiGate config in 60 seconds.

Upload your FortiOS .conf export. Get a posture score, prioritized risks, PSIRT-matched firmware CVEs, and ready-to-paste CLI fixes — without installing an agent or handing anyone API access.

No agent, no API key, no deployment. Raw config parsed in memory and discarded.

One file, one minute

System → Configuration → Backup → Local PC. Drag the .conf file in. Full posture report in under 60 seconds. No VDOM or admin API plumbing.

Zero false positives on VIPs

The engine is VIP-aware and interface-reachability-aware. Port-forward VIPs and disconnected wan2/dmz interfaces never create phantom findings.

PSIRT CVEs tied to your config

Firmware is matched against Fortinet PSIRT, CISA KEV and NVD. Vulnerabilities are only surfaced if the affected feature (SSL-VPN, web filter, IPS) is actually enabled.

What CRWLR finds in a FortiGate config

Policies from ANY→ANY, wide-open zone pairs, overly permissive service groups, and bidirectional policies that shouldn't be
SSL/TLS inspection gaps — internet-facing policies without deep-inspection, certificate-inspection-only blind spots, bypass lists that swallow traffic
Security profile depth — AV off, IPS in monitor-only, web filter with default-allow categories, DNS filter disabled, app-control bypassed
NAT and VIP hygiene — overlapping VIPs, central-NAT misconfigurations, hairpin exposure, risky services exposed through VIPs (RDP, SSH, SMB, Telnet)
Zone segmentation — flat networks, DMZ→Trust violations, guest isolation gaps, inter-VLAN sprawl, east-west coverage analysis
IPsec and SSL-VPN crypto — weak DH groups (1, 2, 5), IKEv1 aggressive mode, PSK strength, disabled tunnels left in config, SSL-VPN without MFA
Admin plane — trusted-hosts missing, 2FA off, idle-timeout too long, admin-scp/admin-https reachable from wan, weak password policy
Logging completeness — syslog off, disk logging full, missing event categories, no SNMP v3, NTP not set or pointing to public pool
Firmware CVE exposure — FortiOS version cross-referenced with PSIRT; safe upgrade targets recommended deterministically from vendor data, not guessed
Multi-hop attack paths — compound risk chains (external → DMZ → trust via weak east-west policy) with pivot awareness and service scoring
Sample finding — what you get per issue
HIGH

SSL-VPN reachable from ANY without MFA

Policy allows SSL-VPN ingress from 0.0.0.0/0 and the authentication scheme does not require a second factor. Fortinet PSIRT: FG-IR-24-046 applies at your current firmware.

config user fortitoken
  # register tokens for all admin/ssl-vpn users
end
config authentication scheme
  edit "sslvpn-mfa"
    set method form
    set fsso disable
    set require-two-factor enable
  next
end
config vpn ssl settings
  set auth-scheme "sslvpn-mfa"
end

Every finding ships with the exact CLI block above, the line of config that triggered it, the CVE reference, and a plain-English explanation of why it matters.
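As an added illustration (not CRWLR's code) of how a check like the one above can be run over a raw export: a small parser for the FortiOS config/edit/set/next/end block syntax, plus the "SSL-VPN reachable from ANY without MFA" check applied to two constructed snippets, one weak and one carrying the fix shown above. The keys auth-scheme and require-two-factor are taken from the sample fix; treating an absent source-address as "all" is an assumption about the FortiOS default.

```python
import shlex
# Added example (not CRWLR's code): keys auth-scheme/require-two-factor mirror the page's sample fix.
def parse_fortios(text):
    """Nest 'config X' as dict under 'config X', 'edit N' under N, 'set k v...' as a list."""
    root = {}
    stack = [root]                                   # current nesting path
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):         # exports start with '#config-version=' comments
            continue
        words = shlex.split(line)
        cmd, args = words[0], words[1:]
        if cmd == "config":
            stack.append(stack[-1].setdefault("config " + " ".join(args), {}))
        elif cmd == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif cmd == "set":
            stack[-1][args[0]] = args[1:]
        elif cmd in ("next", "end"):
            stack.pop()
    return root

def check_sslvpn_mfa(cfg):
    """Finding when SSL-VPN accepts any source and its auth scheme needs no second factor."""
    ssl = cfg.get("config vpn ssl settings")
    if ssl is None:
        return None                                  # SSL-VPN not configured: nothing to flag
    src = ssl.get("source-address", ["all"])         # absent key treated as the 'all' default (assumption)
    if "all" not in src:
        return None
    scheme = cfg.get("config authentication scheme", {}).get(ssl.get("auth-scheme", [""])[0], {})
    if scheme.get("require-two-factor", ["disable"])[0] == "enable":
        return None
    return {"severity": "HIGH", "title": "SSL-VPN reachable from ANY without MFA",
            "trigger": "config vpn ssl settings: set source-address " + " ".join(src)}

WEAK = """# constructed sample, not a real export
config vpn ssl settings
    set source-address "all"
end
"""
FIXED = WEAK + """config authentication scheme
    edit "sslvpn-mfa"
        set require-two-factor enable
    next
end
config vpn ssl settings
    set auth-scheme "sslvpn-mfa"
end
"""
```

Running check_sslvpn_mfa over parse_fortios(WEAK) returns the HIGH finding with the triggering line; over parse_fortios(FIXED) it returns None, since the later block merges into the same settings dict and references a scheme that requires a second factor.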

Frequently asked

Which FortiGate versions and models are supported?

Any FortiGate device that exports a text configuration (.conf) from FortiOS. Tested against configs from FortiOS 6.x through 7.6 on 60F, 100F, 200F, 400F, 600F, 1100E and 3000-series platforms. VDOM and non-VDOM configs are both handled.

How do I export my FortiGate configuration?

From the GUI: System → Configuration → Backup → Local PC (unencrypted). From the CLI: execute backup config flash <path>. Unencrypted config only — CRWLR cannot analyse encrypted backups.

What does CRWLR actually check in a FortiGate config?

140 checks spanning policy hygiene, zone segmentation, NAT and VIP hygiene, SSL/TLS inspection coverage, security profile depth (AV, IPS, web filter, DNS), IPsec and SSL-VPN crypto, admin access hardening (trusted-hosts, 2FA, timeout), logging completeness, and firmware CVE exposure. Full list at /security.

Is my FortiGate configuration stored anywhere?

No. The raw config is parsed in memory and discarded at the end of the scan. Only the normalized findings, scores, and per-policy analysis are persisted to your tenant. This is an architectural guarantee, not a policy.

Does CRWLR check FortiOS CVEs?

Yes. Firmware is matched against CISA KEV, NVD, and the Fortinet PSIRT advisory feed, deduplicated across sources. CVEs are filtered to only those that affect features actually enabled in your config — a vulnerability in SSL-VPN is only flagged if SSL-VPN is configured.

Will CRWLR produce false positives on VIPs or port-forwards?

No. The engine is VIP-aware: findings that would be false alarms on a destination-NAT VIP are suppressed, and risky-service-via-VIP is flagged with per-service remediation guidance. Disconnected interfaces are excluded from reachability checks so unused wan2/dmz ports never create phantom findings.

Can I use this across dozens of FortiGates for MSP work?

Yes. CRWLR supports bulk import, scheduled re-scans, per-firewall finding acknowledgements, and a fleet dashboard that rolls firmware/config/exposure risk into a composite score across your whole estate.

Do I get CLI fixes or just findings?

CLI fixes. Every finding includes the exact FortiOS CLI commands to remediate it — paste-ready, with the relevant config-block context (config firewall policy / edit / set / next / end).

Upload your FortiGate config. See the gaps in 60 seconds.

No credit card. No agent to install. The raw config never touches our storage.
