



Fortinet’s FortiGate Next-Generation Firewalls are the backbone of security for thousands of Indian enterprises — from mid-size manufacturers in Pune to banks in Mumbai and IT parks in Bengaluru. Yet a persistent, uncomfortable truth sits in almost every managed security engagement PJ Networks undertakes: the firewall is there, but it is rarely configured correctly.
Misconfigured firewalls are not a new story. But in 2024–2025, threat actors have become surgically precise at exploiting the gap between “firewall deployed” and “firewall hardened.” This article breaks down the most common FortiGate misconfiguration patterns we encounter, the real-world consequences, and a concrete hardening checklist your team can act on today.
Several factors converge to make this an urgent issue for Indian enterprises specifically:
The FortiGate GUI (HTTPS, port 443 or 8443) and SSH management should never be reachable from the public internet. Yet we regularly find organisations where the WAN interface has a firewall policy permitting TCP/443 inbound directly to the device itself — often because someone needed “quick access” from home during the pandemic and the rule was never removed.
The fix is straightforward: restrict management access to a dedicated out-of-band management VLAN or a jump host, and explicitly block all administrative ports on the WAN interface. Use trusted-host settings in FortiOS to whitelist only specific administrator source IPs.
FortiGate SSL-VPN is one of the most targeted attack surfaces in the threat landscape today. Attackers actively scan for exposed FortiGate SSL-VPN portals and attempt credential stuffing, or exploit known vulnerabilities in unpatched firmware. We have observed Indian enterprises still running FortiOS versions from 2021–2022 with known critical vulnerabilities fully unpatched.
Key actions:
Perimeter security is rightly focused on inbound threats, but attackers who establish an initial foothold need outbound connectivity to call home (C2), exfiltrate data, or download payloads. When outbound policies are configured as “permit any any,” the firewall provides zero friction to an attacker who is already inside.
Best practice: implement a default-deny outbound policy and explicitly allow only necessary application signatures. FortiGate’s Application Control and Web Filter features make this practical without breaking legitimate business traffic — but they must be turned on and actively managed.
A firewall that logs nothing — or logs to local disk only — is security theatre. Local logs fill up and rotate. When an incident occurs, the forensic evidence is gone.
Under CERT-In’s 2022 directive, organisations are required to maintain logs for 180 days and make them available to CERT-In on demand. This is impossible if logging is not centralised. Every FortiGate deployment should forward logs to a FortiAnalyzer instance or a SIEM in near-real-time.
FortiGate ships with powerful Intrusion Prevention System (IPS) capabilities and the ability to perform SSL/TLS deep inspection. Both are frequently left disabled because “they might break something.” The result: encrypted malware traffic flows through the firewall unchecked, and known exploit patterns are never detected.
A phased approach works well here: enable SSL inspection in certificate-inspection mode first (less disruptive), move to deep inspection for high-risk categories (cloud storage, file sharing), and build out exceptions for banking and government portals that pin certificates.
Fortinet releases security advisories regularly. In the past two years, several Critical (CVSS 9.x) vulnerabilities have been disclosed in FortiOS — including authentication bypass and remote code execution vulnerabilities. Organisations that do not have a patch management process tied to Fortinet’s PSIRT feed are flying blind.
Recommended practice: subscribe to Fortinet’s PSIRT RSS feed, treat any Critical or High advisory as a P1 change request, and target patching within 72 hours for internet-facing devices.
Use this checklist as a starting point for a quarterly firewall review. Each item maps to a specific FortiOS configuration change.
admin account should be renamed. Create named admin accounts for accountability.For Indian enterprises handling personal data — which is nearly every B2B organisation today — the Digital Personal Data Protection (DPDP) Act 2023 and CERT-In’s 2022 directive create a dual compliance obligation around data breaches.
A misconfigured firewall that enables a breach triggers both:
“We see this pattern repeatedly: the firewall was there. The budget was spent. But without active management — patching, log review, policy hygiene — it becomes a false sense of security rather than actual security.” — PJ Networks SOC Team
The hardening checklist above is not a one-time exercise. Firewall security is a continuous operational discipline — new CVEs emerge, business requirements change (new applications, new offices, new remote workers), and threat actor tactics evolve. Maintaining this discipline in-house requires dedicated security engineering resources that most Indian enterprises simply do not have.
This is the gap that managed security services fill. A Managed Security Service Provider (MSSP) with 24/7 NOC and SOC capabilities provides:
A FortiGate firewall is one of the most capable security platforms available to Indian enterprises. But capability unrealised is not security — it is a placebo. The organisations that are successfully defending against today’s threat actors are not those with the most expensive hardware; they are the ones that treat security as an ongoing operational commitment, not a capital expenditure checkbox.
If your organisation deployed a FortiGate in the last three years and has not done a structured configuration review since, now is the time. The threat actors scanning for exposed management interfaces and unpatched SSL-VPN portals are not waiting.
PJ Networks provides 24/7 managed security operations for Indian enterprises, including FortiGate management and hardening, ZTNA implementation, and full NOC/SOC monitoring. Our team works directly within your FortiGate environment to implement the hardening checklist above, set up centralised logging to meet CERT-In requirements, and monitor for threats around the clock. Contact us for a no-obligation FortiGate configuration review.