How to reduce the odds your clients with Fortigate firewalls get ransomware
- Lean Cybersecurity
- May 15
- 3 min read
If you read cyber news forums, you know that every now and then a new FortiGate zero-day vulnerability is discovered.
This article goes over what buttons you need to click to dramatically reduce the odds your clients that have FortiGate firewalls get ransomware.
TLDR
Turn on automatic updates and disable admin access (SSH, HTTP, HTTPS, etc.) on your customers' WAN interfaces (after making sure you can access admin settings from the LAN or a VPN). Do this on all your customers' FortiGates.
Turn on Automatic Updates
Disclaimer: if you upgrade to 7.6.3 or higher, the SSL VPN goes away. Make sure your customer does not use the SSL VPN before upgrading firmware to this version.
If you have automatic updates on, your firewalls patch themselves, so you don't have to work late manually patching them when a new vulnerability comes out.
Firmware version must be at least 7.2.1 for automatic updates.
I recommend upgrading it to the current recommended firmware version for the model of your FortiGate: https://community.fortinet.com/fortigate-3/technical-tip-recommended-release-for-fortios-116639.
Use the upgrade path tool so you don't brick your FortiGate:
Make sure to download the config file and store it somewhere not on your customer's network, in case things go sideways during the upgrade.
Turn on Automatic Updates
You can turn on automatic updates under System > Firmware & Registration.
Click the Automatic patch upgrades enabled or Automatic patch upgrades disabled button to open the Automatic Patch Upgrades pane.

From here you can set up automatic patch upgrades.

Disable Public Admin Access
Disclaimer: before turning off WAN admin access, be 100% sure you can reach your FortiGate's admin interface another way (VPN, or the customer's LAN via RMM).
Disabling public admin access is a no-brainer, but unfortunately a real problem: at least 5000 FortiGates have admin interfaces exposed as of 2025.
If you have FortiGate admin interfaces exposed to the web, I bet you a Crumbl Cookie that Russian IPs are brute forcing that interface all day.
To turn off public admin access, go to Network > Interfaces, edit your WAN interface, and look under "Administrative Access". Most important is that SSH, HTTP, and HTTPS are unchecked.
Unless you use FMG, FTM or Security Fabric, uncheck those as well. If you don't know what these are, you probably do not use them; still, confirm they are not needed before turning them off.
The admin interface settings on your WAN should look like below when you are done:

Check all of your FortiGates and confirm that administrative access is not allowed on the WAN interface, or on any other interface, except the ones you are 100% sure you need.
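Doing that check by hand across every customer gets tedious, so here is an added example (my own, not the author's or Fortinet's code) that reads the config backup you downloaded earlier and flags WAN-role interfaces whose allowaccess still lists admin protocols. It assumes the backup uses the standard "config system interface" / "set allowaccess" / "set role" syntax; the sample config is constructed.

```python
# Constructed FortiOS config backup excerpt (not a real customer config).
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set allowaccess ping https ssh http fgfm
        set role wan
    next
    edit "internal"
        set allowaccess ping https ssh http fgfm
        set role lan
    next
end
"""
MUST_BE_OFF = {"ssh", "http", "https"}       # always off on WAN
OFF_UNLESS_USED = {"fgfm", "ftm", "fabric"}  # FMG, FortiToken Mobile, Security Fabric

def parse_interfaces(config_text):
    """Map interface name -> {'allowaccess': set, 'role': str} from 'config system interface'."""
    interfaces, current, in_section, depth = {}, None, False, 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_section:
            in_section = line == "config system interface"
        elif line.startswith("config "):  # nested block inside an edit (e.g. ipv6)
            depth += 1
        elif line == "end":
            if depth == 0:
                break
            depth -= 1
        elif depth:                       # ignore everything inside nested blocks
            continue
        elif line.startswith("edit "):
            current = line[5:].strip('"')
            interfaces[current] = {"allowaccess": set(), "role": "undefined"}
        elif current and line.startswith("set allowaccess "):
            interfaces[current]["allowaccess"] = set(line.split()[2:])
        elif current and line.startswith("set role "):
            interfaces[current]["role"] = line.split()[2]
    return interfaces

def wan_findings(config_text):
    """Return [(interface, must_remove, confirm_unused)] for WAN-role interfaces exposing admin protocols."""
    findings = []
    for name, iface in parse_interfaces(config_text).items():
        if iface["role"] != "wan":
            continue
        must_remove = sorted(iface["allowaccess"] & MUST_BE_OFF)
        confirm = sorted(iface["allowaccess"] & OFF_UNLESS_USED)
        if must_remove or confirm:
            findings.append((name, must_remove, confirm))
    return findings
```

Run it over each customer's backup; an empty list means every WAN-role interface is already clean.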
Bonus - SSL VPNs
SSL VPNs that authenticate to Active Directory are a common setup for FortiGates.
Unfortunately this allows anyone to brute force your client's Active Directory 24/7.
Active Directory is usually pretty easy to get domain admin rights on if you have user access. In other words, if one of these brute force attempts succeeds, the chances of ransomware are high.
I recommend moving to IPsec VPNs that authenticate to Entra ID; P4cketSniff3r on YouTube has a good tutorial on this: https://www.youtube.com/watch?v=ByF3Ttni8Os.
With this setup, monitor your customers' M365 sign-ins, whether through an ITDR or through risky sign-in alerting.
About Me
I founded Lean Cybersecurity to help MSPs fix security gaps that would have led to real incidents.
From my experience, most MSPs are so busy they don't have time to security harden and fix security debt like a firewall admin interface being exposed.
Currently offering a pilot program, 20 hours of free security reviews for 5 MSPs.
If you have any questions about these tips or us, reach out at contact@leancybersec.com.