A security policy from scratch for SMBs with FortiGate

FortiGate is one of the next-generation firewalls most preferred by small and medium-sized businesses. With hardware acceleration, a broad feature set and reasonable licensing cost, it builds a strong line of defense for SMBs. But a powerful device can quickly become an "open door" if poorly configured.

In this article we summarize the steps to take when setting up a new FortiGate from scratch, the most common mistakes and the small disciplines that keep it manageable over the long term.

1. Don't skip sizing

When choosing a FortiGate, the device merely "looking sufficient" isn't enough. Active user count, internet bandwidth and the security services to enable (IPS, antivirus, web filtering, SSL inspection) directly affect performance. Throughput can drop significantly especially with SSL inspection on; pick the wrong model and your network slows down.

2. Change the default password in the first minute

Be sure to change the device's default admin password and, if you use it, the default management port (HTTP/HTTPS). Avoid exposing the management interface over the WAN; where possible, grant access via VPN.

3. Invest in zones and VLANs

Putting all devices on the same flat network is the source of most future problems. Separate server, user, IoT and guest traffic into different VLANs; manage access between them with a default-deny policy, not default-allow.

4. Avoid the "Allow All" policy

"Any-any allow" rules written "temporarily" under the pressure of a quick setup often become permanent. Write user/group- and application-based rules from the start. Fewer rules, clearer rules: a comprehensible rule set makes future troubleshooting easier.

5. Enable UTM services at the right level

• IPS: active at least on server and external-facing edges
• Antivirus: on for HTTP/HTTPS and email traffic
• Web filtering: category-based, without harming the employee experience
• Application control: blocked for risky categories (P2P, anonymous proxy)

6. Plan logging from the start

Local device logs are limited; in a serious incident you may not be able to look back a week. Set up a syslog/SIEM or at least a FortiAnalyzer target. If you have Law 5651-compliant logging needs, a separate log architecture is required.

7. Harden VPN and remote access

If you've enabled SSL or IPSec VPN, be sure to add multi-factor authentication (MFA). Protect management access with a separate admin profile and IP restriction where possible.

8. Make backups a habit

Take a configuration backup after every major change and use version naming (e.g. FG60F-2026-06-03-after-vpn.conf). In a disaster, your recovery time drops to minutes.

9. Track firmware, but don't rush

The vendor releases versions quickly; don't jump to every one. Wait for patch releases (e.g. .4-.5 instead of .1, .2), verify in a test environment first, then move to production.

10. Keep a "change log"

Record every change in a single notebook (Excel, Notion, wiki — it doesn't matter) with date, reason and owner. Six months later the question "why was this rule open?" will definitely come up; have your answer ready.

If you're planning a more comprehensive Fortinet solution or Firewall & VPN project, our team is with you through the whole process, from assessment to managed service.