
I just pushed a major update to one of my open-source tools — and this one comes from real pain felt on real audits.
If you've ever stared at a 10,000-line FortiGate config backup trying to manually check whether every accept policy has an IPS sensor, whether your IKEv1 tunnel is using aggressive mode, whether your SSL-VPN has brute-force protection, or whether someone left the SNMP community string set to 'public' with no host restriction — this tool does all of that automatically, in seconds, against any FortiGate backup file.
📌 Repo: https://github.com/jafartavana01/fortigate-utm-analyzer
━━━━━━━━━━━━━━━━━━━━━━
What is this project?
━━━━━━━━━━━━━━━━━━━━━━
FortiGate UTM Security Analyzer is a zero-dependency Python CLI tool that reads a plain-text FortiGate configuration backup — the output of 'show full-configuration' — and produces severity-tagged security reports across every layer of the firewall.
No pip installs. No API keys. No cloud. You point it at a .conf file and it generates structured .txt reports and a scored executive summary with JSON export.
python3 utm.py -c firewall.conf --all
That one command runs 200+ security checks across 25 audit domains and tells you exactly what's misconfigured, at what severity, and why it matters.
━━━━━━━━━━━━━━━━━━━━━━
What's new in v3.0
━━━━━━━━━━━━━━━━━━━━━━
The big change in v3.0 is full FortiOS 8.0 support. Fortinet made a breaking change in the SSL/SSH profile structure starting in 7.x — they moved from a flat config to per-protocol sub-blocks. So instead of one global 'inspection-method' field, you now have 'https.status', 'ftps.min-allowed-ssl-version', 'imaps.untrusted-server-cert', 'ssh.inspect-all' and so on. The old parser missed all of this silently. v3.0 auto-detects the config format and applies the right check set regardless of whether you're running 6.x, 7.x, or 8.0.
Same story for the AV profile — FortiOS 8.0 moved to per-protocol sub-blocks for antivirus settings, outbreak prevention, FortiSandbox submission, quarantine, and the Content Disarm & Reconstruction (CDR) engine settings. All of that is now parsed and audited correctly.
Beyond the parser fixes, v3.0 adds 13 completely new audit domains that weren't in any previous version:
→ WAF profile — checks for OWASP Top 10 signature coverage, HTTP method restrictions, URL access rules, and request size constraints. Most engineers attach a WAF profile and never check whether signatures are actually configured.
→ IKE Global — this is one that catches people off guard. You can lock down individual VPN tunnels perfectly, but if 'config system ike' still allows IKEv1 aggressive mode globally, any new tunnel someone creates inherits that weakness. One global setting, one check.
→ SNMP audit — full community string audit including default name detection (public/private/admin), host restriction checks, and SNMPv3 auth-proto/priv-proto/security-level. SNMPv3 with no-auth-no-priv is literally the same as SNMPv1 — flagged CRITICAL.
→ LLM Profile (FortiOS 8.0) — brand new in FortiOS 8.0. Checks whether policies handling AI/LLM API traffic have DLP enabled, PII detection, prompt injection blocking, and jailbreak detection. As AI traffic becomes standard in enterprise environments this is going to matter a lot.
→ System DNS — DNSSEC validation status, DNS-over-TLS for the FortiGate's own resolver, primary/secondary redundancy.
→ SSH hardening — scans 'config system ssh-config' for weak cipher algorithms (arcfour, 3DES, blowfish), weak MACs (MD5, SHA-1), and weak key exchange groups (DH group1, group14).
→ Password Policy block — the dedicated 'config system password-policy' block that most people don't know exists, separate from system global. Checks min-length, must-contain complexity, expiry, and reuse prevention.
→ Security Fabric — CSF group password (missing = any device can join), certificate-based authorization, device detection.
→ DoS Policy — checks whether flood protection rules are even configured. No DoS policies at all = flagged MEDIUM automatically.
→ IPv6 — 'firewall policy6' and 'firewall local-in-policy6' are now both audited with the same checks as their IPv4 equivalents. IPv6 local-in policies are where most people have the widest open management plane.
→ FortiGuard fail-open modes — if your FortiGuard cloud service goes unreachable and your AV/IPS/webfilter fail-open is set to 'pass', traffic flows without inspection. Flagged MEDIUM.
→ Logging expanded — now checks FA1/FA2/FA3, syslogd1 through syslogd4, per-category event filter (admin config changes, system events, VPN tunnel events, endpoint events), disk logging behavior, and disk-full action.
→ Email Filter, Video Filter, File Filter, Virtual Patch — all new, each with dedicated weakness checks.
━━━━━━━━━━━━━━━━━━━━━━
The scoring model
━━━━━━━━━━━━━━━━━━━━━━
Every finding is tagged CRITICAL / HIGH / MEDIUM / INFO. The executive summary computes a risk score:
Score = (CRITICAL × 10) + (HIGH × 5) + (MEDIUM × 2) + (INFO × 0.5)
And maps to a risk tier: CRITICAL / HIGH / MEDIUM / LOW.
Running it against the sample config (intentionally misconfigured to demonstrate everything):
Risk Rating : CRITICAL
Risk Score : 545.0
CRITICAL: 5 HIGH: 58 MEDIUM: 82 INFO: 82
The --summary flag also writes a _SUMMARY.json file — machine-readable, so you can pipe it into Splunk, a Python script, or a CI/CD pipeline if you want to automate this across a fleet of devices.
━━━━━━━━━━━━━━━━━━━━━━
How to run it
━━━━━━━━━━━━━━━━━━━━━━
git clone https://github.com/jafartavana01/fortigate-utm-analyzer.git
cd fortigate-utm-analyzer
python3 utm.py -c your_fortigate_backup.conf --all
The tool works on any FortiGate config from 6.x through 8.0. No version detection needed — the parsers handle format differences automatically.
Common targeted workflows:
VPN hardening review
python3 utm.py -c fw.conf -vpn -sslvpn -s --summary
Management plane security
python3 utm.py -c fw.conf -s -log -ha --summary
Data plane / UTM coverage
python3 utm.py -c fw.conf -f -i -av -utm --summary
━━━━━━━━━━━━━━━━━━━━━━
Why I built this
━━━━━━━━━━━━━━━━━━━━━━
Manual FortiGate config reviews are slow, inconsistent, and easy to get wrong under time pressure. The same misconfigurations show up on audit after audit — UTM disabled on accept policies, IKEv1 aggressive mode still running, SSL-VPN with no login lockout, admin accounts with no trusted host restrictions and no 2FA, SNMP community strings nobody changed from the default.
This tool doesn't replace a proper security assessment. But it eliminates the mechanical part — you get a prioritized finding list in seconds, and can spend your time on the things that actually need human judgment.
Star the repo if it's useful, and feel free to open issues or PRs if you want to add checks for your own environment.
🔗 https://github.com/jafartavana01/fortigate-utm-analyzer
Top comments (0)