Misconfigured, Not Hacked: Why Your Firewall Settings Are a Bigger Risk Than You Think

May 4, 2026

Reading Time: 4 minutes

When people think about how businesses get compromised, they tend to picture sophisticated attacks — zero-day exploits, advanced persistent threats, nation-state actors working through novel vulnerabilities. For large enterprises, that picture is sometimes accurate. For SMEs, it almost never is.

The most common route into a small or medium-sized business network is a misconfigured firewall. Not a breakthrough in offensive security. Not an undiscovered vulnerability. A setting that was wrong from the start, or that drifted over time, or that nobody revisited after a troubleshooting session two years ago. Attackers do not need sophisticated tools when the door is already ajar.

Why SMEs Are Particularly Exposed to Firewall Misconfiguration Risk

The problem is not that SMEs use worse technology. A FortiGate firewall in a 50-person business is the same appliance used in enterprise environments. The problem is validation. Large organisations have dedicated security teams whose job includes verifying that configurations are correct and remain correct over time. SMEs typically do not, and neither do many of their IT providers. The result is that misconfigurations can persist undetected for months or years, invisible until they are exploited.

The gaps we see most consistently are not obscure edge cases. Management access left open on a WAN interface (meaning anyone on the internet can attempt to connect to the firewall’s administration portal). Trusted hosts not configured, so admin accounts are not restricted to known management addresses. FortiGuard not connected or failing to update, which is the equivalent of running antivirus with definitions from last quarter. Insecure protocol versions still enabled on VPN and admin portals. Logging disabled on specific policies. Each of these is a straightforward misconfiguration. Each creates a real opportunity for an attacker.

[Image: CIS benchmark FortiGate configuration report, showing pass/fail security assessment output for SME IT management]

The CIS Benchmark Standard for FortiGate Security

The Center for Internet Security publishes benchmarks for specific security appliances — documented sets of configuration requirements representing industry consensus on what a hardened, properly configured device should look like. The FortiGate CIS benchmark covers the settings that matter most: account management, trusted access controls, update and subscription status, logging and audit configuration, and protocol security.

We have built a tool that takes a FortiGate configuration, runs it against the CIS benchmark, and produces a structured output showing what passes, what fails, and, for anything that fails, how severe the gap is. Where a finding is not applicable to a specific client’s environment, it can be marked as mitigated or excluded with a reason, so the output reflects the actual risk picture rather than a generic checklist. Critical vulnerabilities are flagged separately, including any relevant CVEs, with the same option to annotate where a workaround is in place.
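To make the two preceding sections concrete, here is a small, self-contained checker of the same shape, written as an added illustration for this article. It is not the Si Futures tool and not a CIS artefact: the check identifiers and severities are invented labels rather than CIS control numbers, the configuration backup is constructed, and the keyword names it looks for (allowaccess, trusthostN, logtraffic, admin-https-ssl-versions) are assumed to match the FortiOS CLI. It parses the FortiOS config text, evaluates four of the gaps listed earlier (management access on a WAN interface, admin accounts without trusted hosts, a weak TLS version on the admin portal, policies with logging disabled), and supports marking a finding as mitigated or excluded with a reason so the summary reflects the annotated risk picture. FortiGuard connectivity is deliberately absent: it is a live-status property of the device, not something a configuration backup can establish.

```python
import shlex
from dataclasses import dataclass

# Constructed sample backup (not from a real device): exposed WAN admin access,
# an admin account without trusted hosts, TLS 1.1 enabled on the admin portal,
# and one accept policy with logging disabled. Keyword names are assumed to
# match the FortiOS CLI.
SAMPLE_CONFIG = """
config system global
    set admin-https-ssl-versions tlsv1-1 tlsv1-2 tlsv1-3
end
config system admin
    edit "admin"
        set trusthost1 10.10.0.0 255.255.255.0
    next
    edit "helpdesk"
        set accprofile "prof_admin"
    next
end
config system interface
    edit "wan1"
        set allowaccess ping https ssh
        set role wan
    next
    edit "internal"
        set allowaccess ping https ssh
        set role lan
    next
end
config firewall policy
    edit 1
        set action accept
        set logtraffic all
    next
    edit 2
        set action accept
        set logtraffic disable
    next
end
"""


def parse_fortios(text):
    """Parse FortiOS 'config / edit / set / next / end' text into
    {section: {entry: {key: [values]}}}. Settings with no 'edit' use entry None."""
    sections, stack = {}, []
    for raw in text.splitlines():
        toks = shlex.split(raw)  # honours the double-quoted names FortiOS emits
        if not toks:
            continue
        cmd, args = toks[0], toks[1:]
        if cmd == "config":
            stack.append([" ".join(args), None])
            sections.setdefault(stack[-1][0], {})
        elif cmd == "edit":
            stack[-1][1] = args[0]
        elif cmd == "set":
            path, entry = stack[-1]
            sections[path].setdefault(entry, {})[args[0]] = args[1:]
        elif cmd == "next":
            stack[-1][1] = None
        elif cmd == "end":
            stack.pop()
    return sections


@dataclass
class Finding:
    check_id: str   # constructed label, not a CIS control number
    severity: str
    target: str
    detail: str
    status: str = "FAIL"
    note: str = ""


MGMT = {"http", "https", "ssh", "telnet"}   # admin services that should never face the WAN
WEAK_TLS = {"tlsv1-0", "tlsv1-1"}


def run_checks(cfg):
    out = []
    for name, i in cfg.get("system interface", {}).items():
        exposed = set(i.get("allowaccess", [])) & MGMT
        if i.get("role") == ["wan"] and exposed:
            out.append(Finding("ADMIN-WAN", "critical", name, f"admin services {sorted(exposed)} open on WAN"))
    for name, a in cfg.get("system admin", {}).items():
        if not any(k.startswith("trusthost") for k in a):
            out.append(Finding("ADMIN-TRUSTHOST", "high", name, "no trusthost: login accepted from any address"))
    weak = set(cfg.get("system global", {}).get(None, {}).get("admin-https-ssl-versions", [])) & WEAK_TLS
    if weak:
        out.append(Finding("ADMIN-TLS", "high", "system global", f"admin HTTPS accepts {sorted(weak)}"))
    for pid, p in cfg.get("firewall policy", {}).items():
        # Only an explicit 'disable' is flagged; an absent key means the firmware default applies.
        if p.get("action") == ["accept"] and p.get("logtraffic") == ["disable"]:
            out.append(Finding("POLICY-LOG", "medium", f"policy {pid}", "traffic logging disabled on accept policy"))
    return out


def annotate(findings, annotations):
    """annotations: {(check_id, target): (status, reason)} with status 'mitigated' or 'excluded'."""
    for f in findings:
        if (f.check_id, f.target) in annotations:
            f.status, f.note = annotations[(f.check_id, f.target)]
    return findings


def summary(findings):
    return {s: sum(f.status == s for f in findings) for s in ("FAIL", "mitigated", "excluded")}


if __name__ == "__main__":
    findings = annotate(run_checks(parse_fortios(SAMPLE_CONFIG)),
                        {("POLICY-LOG", "policy 2"): ("excluded", "guest Wi-Fi; logged on upstream proxy")})
    for f in findings:
        print(f"{f.status:9} {f.severity:8} {f.check_id:16} {f.target}: {f.detail} {f.note}")
    print(summary(findings))
```

Run as-is it reports three FAIL findings and one excluded one with its reason attached. In a scheduled setup the text fed to parse_fortios would be the backup already held for each device, which is the point the article makes about Unimus: the audit needs no access the backup process does not already have. Keeping the annotations as data keyed by (check, target) also means an exclusion is revisited automatically if the target disappears or a new instance of the same gap appears elsewhere.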

The tool runs through our existing Unimus integration, which already captures FortiGate configuration backups across our managed network security estate. That means the benchmarking process does not require additional credentials or access beyond what is already in place for backup purposes, and it can be run on a regular schedule without manual intervention. A full audit can also be triggered on demand when a configuration change has been made and needs to be validated immediately.

Why We Built the CIS Benchmark Tool

The honest answer is that a client audit prompted the question: how do we know, with confidence, that every FortiGate we manage is correctly configured at any given point? Configuration drift is real. Changes get made during troubleshooting. New policies get added. Firmware updates occasionally reset settings. Without a systematic way to check against a defined standard, the answer to that question is essentially “we think so.”

That is not a good enough answer. The benchmark tool gives us a defined standard to measure against and a continuous process for verifying that we are meeting it. It is a mechanism to hold ourselves accountable to the standard of work that we deliver. When a client asks whether their FortiGate is securely configured, we can show them the output rather than offer reassurance. When a configuration change is made, we can validate it against the standard before it becomes a gap that goes unnoticed.

What FortiGate Benchmarking Looks Like for Clients

The benchmark output becomes part of the regular reporting conversation. It is reviewed monthly as a standard part of managed FortiGate service delivery, and it is available on demand between reviews. For IT managers, the technical detail shows exactly what is being checked and why each item matters. For business decision-makers, the summary is simpler: your firewall configurations are benchmarked against an international security standard, and here is where you stand.

This is part of a broader principle that runs through how Si Futures builds its monitoring and reporting environment. The goal is to make the service visible, not just to report on good news. If something is wrong, or drifting, or worth a conversation, it should surface in the reporting before it surfaces as an incident. Benchmarking FortiGate configurations against CIS standards is one part of that picture — it sits alongside the wider threat detection and response capability we build around every managed environment. It is continuous, it is structured, and it removes the assumption from a question that should have a definitive answer.

The difference between “we think the firewall is correctly configured” and “here is the benchmark output that shows it” is not just a technical distinction — it is the difference between assumption and accountability. For SMEs without a dedicated security team, that accountability has to come from their provider.

Si Futures manages FortiGate environments across South Africa and the United Kingdom. If you would like to understand how your current configuration compares against CIS benchmark standards, speak to our team.
Nicholas Broderick