Firewall Best Practices Basic Firewall Configurations   DNS Filter  Daily Operations  Remote Access  User and Authentication  Security Profiles Ease Fortinet FortiGate Management with Tufin  FAQs Conclusion

Firewall Best Practices

Fortinet FortiGate firewalls are powerful next-generation firewalls (NGFWs) that strengthen network security, improve routing efficiency, and scale with enterprise needs. With advanced Zero Trust capabilities, including ZTNA, VPN tunnels, and application control, a well-implemented FortiGate firewall policy protects your subnets, routers, and network devices from cyber threats.

But with so many firewall rules, security profiles, and configuration options, administrators can struggle to optimize performance. This guide provides a step-by-step checklist of FortiGate firewall policies and best practices to secure your environment, simplify policy configuration, and streamline troubleshooting.

Basic Firewall Configurations  

When deploying your FortiGate firewall, ensure your config covers essential protections:

  • NAT mode to hide internal IP addresses in LAN, DMZ, and VLAN resources.
  • Load the latest FortiOS firmware.
  • Configure system basics: hostname, SNMP system name, device name in HA.
  • Synchronize system time with NTP or PTP servers.
  • Create strong authentication credentials and enable SSH/CLI or GUI management securely.
  • Assign proper incoming interface, outgoing interface, and subnet settings.

DNS Filter 

FortiGate firewall DNS filtering allows granular policy configuration for web filtering, blocking malicious domains, and managing internet access.

Options include:

  • FortiGuard filtering and botnet detection.
  • Safe search and external category/domain lists.
  • IP/URL block lists and DNS translation.

Applied within a firewall policy, DNS filters override web filters to ensure only authorized traffic passes.

Daily Operations 

Day-to-day firewall management requires visibility into network traffic and constant policy validation.

Change Management

Implement a formal change management process:

  • Document the purpose of each firewall policy.
  • Track policy changes, affected services, and address objects.
  • Define risks, mitigation, and contingency plans.
  • Backup the config and maintain version control.

Performance monitoring 

Leverage SNMP, NetFlow, or sFlow to detect:

  • Abnormal traffic flows.
  • High CPU, bandwidth spikes, or SD-WAN anomalies.
  • Potential cybersecurity threats like malware or unauthorized access attempts.

Remote Access 

FortiGate supports secure VPN deployment for remote access users.

SSL VPN 

You can deploy the SSL VPN in:

  • Tunnel mode: full encryption of client traffic.
  • Web mode: browser-based wi-fi access with SSL encryption.

IPsec VPN 

  • Use policy- or route-based IPsec VPN for vpn tunnels.
  • Define destination address, NAT, and policy configuration.
  • Apply security profiles to enforce implicit deny for all untrusted traffic.

User and Authentication 

Reduce unauthorized access with Fortinet authentication options:

  • FortiOS local accounts with usernames/passwords.
  • LDAP/Active Directory integration for user groups.
  • RADIUS for centralized access control and accounting.
  • SAML SSO for federated identity and cloud apps.

Apply the principle of least privilege with specific policies per user or group.

Security Profiles

A FortiGate firewall policy is only as strong as its applied security profiles. Tune these for stronger cyber defense:

  • Web filtering and content control.
  • Antivirus/UTM for malware detection.
  • Application control for business applications.
  • IPS/IDS to prevent exploits.

These profiles, combined with implicit deny rules, strengthen your security posture and block cyberattacks in real time.

Ease Fortinet FortiGate Management with Tufin 

Tufin integrates with FortiManager and FortiGate firewalls, providing centralized policy management across multi-vendor networks (including Cisco, Palo Alto, and Check Point).

  • Automate firewall policy optimization.
  • Enforce consistent security policies across vDOMs, AWS, IPv4/IPv6, and hybrid cloud.
  • Improve compliance with PCI DSS and other frameworks.

FAQs

What is a FortiGate firewall policy?

A firewall policy defines how traffic flows between interfaces (LAN, DMZ, VLAN, or WAN). Using policy rules, administrators allow or deny traffic based on IP addresses, ports, apps, and users.

How do you optimize FortiGate firewall rules?

Best practices include removing redundant rules, segmenting long policies, automating audits, and using FortiManager or Tufin for centralized policy management and rule cleanup.

What are common FortiGate troubleshooting steps?

Check firewall rule sets, run packet captures, verify NAT/SNAT/DNAT, and ensure address objects and permissions are configured correctly. Use CLI commands for deep inspection.

How does Fortinet improve remote access security?

By combining SSL VPN, IPsec VPN, authentication, and security profiles, FortiGate firewall policies secure distributed users across cloud, SD-WAN, and on-premises networks.

Why integrate FortiGate with Tufin?

Integration automates firewall management, validates compliance, and reduces manual errors by enforcing consistent policy configurations across multi-vendor, hybrid environments.

Conclusion

Optimizing your FortiGate firewall policy requires careful planning, detailed policy configurations, and automation. From DNS filtering to VPN tunnels and application control, Fortinet provides a robust framework to enforce network security and prevent malware, data breaches, and unauthorized access.

With Tufin, you can automate firewall rule optimization, simplify policy management, and ensure compliance—so your security teams focus on strategy, not endless troubleshooting. Request a demo today.

Ready to Learn More

Get a Demo