# FortiGate Firewall Configuration Security Analyzer
A production-grade Python tool that automatically parses FortiGate configuration files (.conf and YAML export format), performs comprehensive security analysis on all firewall policies, zones, and services, and generates professional HTML, PDF, and JSON security reports.
## Author

- Name: Cuma KURT
- Email: cumakurt@gmail.com
- LinkedIn: linkedin.com/in/cuma-kurt-34414917
- GitHub: github.com/cumakurt/forti_rule_police
## Features

- Dual Format Parser — Supports both `.conf` (config/edit/set) and YAML export format; auto-detects format
- FortiOS Parser — Full support for FortiOS 6.x and 7.x config syntax (including multi-line values: certificates, HTML)
- Risk Scoring Engine — Weighted scoring with multiplier methodology
- Zone Isolation Analysis — Zone-to-zone traffic matrix and violation detection
- Internet Exposure — Identifies all Internet-accessible services and VIP/DNAT mappings
- Target IP Analysis — Bidirectional access analysis for specified IPs (`target.txt`)
- `--only-target` Mode — Filter reports to only rules matching target IPs/subnets (PCI scope, audit focus)
- MITRE ATT&CK Mapping — Findings mapped to ATT&CK techniques
- HTML Report — Dark-themed, interactive SOC-style report with Plotly charts and DataTables
- PDF Report — Professional, printable A4 report with executive summary and findings
- Traffic Flow Graphs — NetworkX-based zone connectivity analysis
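To illustrate the config/edit/set block structure the parser feature above refers to, here is a stand-alone minimal parser. It is example code written for this README, not the project's `parser/config_parser.py`; the sample configuration is constructed, `shlex` does the quote handling, and a whitespace-split fallback is assumed for lines whose quoting `shlex` rejects. Nested `config` sections are stored under the `edit` entry that contains them.

```python
"""Minimal FortiOS .conf block parser (added example; not the project's parser module)."""
import re
import shlex

# Constructed sample: two policies and a global section, with a quoted value spanning two lines.
SAMPLE_CONF = """\
# constructed header comment
config firewall policy
    edit 1
        set name "Web-Out"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set action accept
        set logtraffic disable
    next
    edit 2
        set name "Partner-In"
        set srcintf "port1"
        set dstintf "port3"
        set srcaddr "Partner-A" "Partner-B"
        set dstaddr "Web-1"
        set service "HTTPS"
        set action accept
        set comments "Approved by
change CHG-0001"
    next
end
config system global
    set hostname "fw-lab"
    set admin-sport 8443
end
"""

_UNESCAPED_QUOTE = re.compile(r'(?<!\\)"')


def _join_multiline(lines, i):
    """Return (logical_line, last_index): pull in following lines while a double quote is open."""
    buf = lines[i]
    while len(_UNESCAPED_QUOTE.findall(buf)) % 2 == 1 and i + 1 < len(lines):
        i += 1
        buf += "\n" + lines[i]
    return buf, i


def _tokens(line):
    """shlex handles quoting; on malformed quoting fall back to a plain split instead of failing."""
    try:
        return shlex.split(line)
    except ValueError:
        return line.split()


def parse_fortios(text):
    """Parse config/edit/set/next/end blocks into nested dicts.

    Result shape: {"firewall policy": {"1": {"srcaddr": "all", ...}}, "system global": {...}}.
    Multi-value 'set' lines become lists; nested sections sit under their parent entry.
    """
    lines = text.splitlines()
    tree = {}
    scope = [tree]  # innermost dict receives 'set' keys; config/edit push, next/end pop
    i = 0
    while i < len(lines):
        logical, i = _join_multiline(lines, i)
        i += 1
        line = logical.strip()
        if not line or line.startswith("#"):
            continue
        tokens = _tokens(line)
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        if kw == "config" and args:
            scope.append(scope[-1].setdefault(" ".join(args), {}))
        elif kw == "edit" and args:
            scope.append(scope[-1].setdefault(args[0], {}))
        elif kw == "set" and len(args) >= 2:
            scope[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif kw in ("next", "end") and len(scope) > 1:
            scope.pop()
    return tree


def policies(tree):
    """Firewall policies keyed by policy ID (empty dict if the section is absent)."""
    return tree.get("firewall policy", {})


if __name__ == "__main__":
    for pid, rule in policies(parse_fortios(SAMPLE_CONF)).items():
        print(pid, rule["srcintf"], "->", rule["dstintf"], rule["srcaddr"], rule["dstaddr"], rule["service"])
```

The quote-parity join is what keeps a certificate or HTML banner stored as one value: the physical lines are concatenated until the opening quote is closed, and only then is the logical line tokenised.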
## Screenshots

Screenshots in `img/` cover: CLI Analysis, HTML Report, Risk Findings, Zone Matrix, PDF Report, Target Analysis, Duplicate Rules, and Executive Summary.
## Project Structure

```text
forti_rule_police/
├── forti_rule_police.py              # CLI entry point (Click + Rich)
├── requirements.txt                  # Dependencies
├── target.txt                        # Target IPs for bidirectional analysis
├── img/                              # Screenshots for documentation
│
├── config/
│   └── settings.py                   # Application constants and configuration
│
├── models/                           # Data models (dataclasses)
│   ├── policy.py                     # FirewallPolicy
│   ├── zone.py                       # Interface, Zone
│   ├── address.py                    # Address, AddressGroup
│   ├── service.py                    # Service, ServiceGroup, VirtualIP
│   └── risk.py                       # RiskFinding, RiskLevel
│
├── utils/                            # Shared utilities
│   ├── logger.py                     # Structured JSON logger (SIEM-compatible)
│   ├── ip_utils.py                   # IP/CIDR helpers
│   └── port_utils.py                 # Port/service reference database
│
├── parser/                           # FortiOS config parsers
│   ├── config_parser.py              # Core FortiOS block parser
│   ├── policy_parser.py              # Firewall policy extractor
│   ├── zone_parser.py                # Interface/zone extractor
│   ├── address_parser.py             # Address object extractor
│   ├── service_parser.py             # Service object extractor
│   └── nat_parser.py                 # VIP/NAT rule extractor
│
├── analyzer/                         # Analysis engines
│   ├── risk_analyzer.py              # Risk scoring engine
│   ├── zone_analyzer.py              # Zone isolation analysis
│   ├── traffic_flow_analyzer.py      # NetworkX traffic flow graphs
│   ├── internet_exposure_analyzer.py # Internet exposure analysis
│   └── target_analyzer.py            # Target IP bidirectional analysis
│
├── reporter/                         # Report generators
│   ├── html_reporter.py              # Jinja2 + Plotly HTML report
│   ├── pdf_reporter.py               # ReportLab PDF report
│   └── templates/
│       └── report_base.html          # Dark SOC-theme HTML template
│
└── output/                           # Generated reports
    └── *.html / *.pdf
```
## Installation

```bash
git clone https://github.com/cumakurt/forti_rule_police.git
cd forti_rule_police
python3 -m venv venv
source venv/bin/activate   # Linux/macOS
# venv\Scripts\activate    # Windows
pip install -r requirements.txt
```

## Usage

```bash
# Basic analysis — both HTML and PDF
python forti_rule_police.py --config firewall.conf

# With target IP analysis
python forti_rule_police.py --config firewall.conf --targets target.txt

# Report only for rules matching target IPs/subnets (requires --targets)
python forti_rule_police.py --config firewall.conf --targets target.txt --only-target

# Custom output directory
python forti_rule_police.py --config firewall.conf --targets target.txt --output ./reports/

# HTML only
python forti_rule_police.py --config firewall.conf --format html

# PDF only
python forti_rule_police.py --config firewall.conf --format pdf

# JSON only (machine-readable, SIEM/API)
python forti_rule_police.py --config firewall.conf --format json

# All formats (default: html + pdf + json)
python forti_rule_police.py --config firewall.conf --format all

# Specific VDOM (multi-VDOM environments)
python forti_rule_police.py --config firewall.conf --vdom production

# Verbose logging
python forti_rule_police.py --config firewall.conf --verbose

# Full help
python forti_rule_police.py --help
```

## Target IP Analysis

Copy `target.txt.example` to `target.txt` and add IP addresses or CIDR subnets — one per line. Comments start with `#`.
```text
# Web Servers
192.168.10.10
192.168.10.11
# Database Subnet
10.20.30.0/24
# Management Host
172.16.1.100
```

The analyzer will determine for each target:
- Inbound traffic — which rules allow access to this IP, from where, on which ports
- Outbound traffic — which rules allow this IP to reach other destinations
- Internet accessibility — whether the host is reachable from WAN
- Lateral movement risk — whether DMZ or other untrusted zones can reach this host
### `--only-target` Mode

When `--only-target` is used together with `--targets`, the tool produces a filtered report that includes only firewall rules whose source or destination overlaps with the IPs/subnets in the target file. All findings, zone violations, exposed services, duplicates, and traffic flows are restricted to these rules.

```bash
python forti_rule_police.py --config firewall.conf --targets target.txt --only-target
```

Use this when you need a focused security assessment for specific hosts or subnets (e.g., critical servers, PCI scope, or audit targets).
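The target-file parsing, the four per-target questions listed above, and the `--only-target` overlap filter, as an added example written for this README (not the project's `analyzer/target_analyzer.py`). The target file content and the policies are constructed; it assumes address objects have already been resolved to CIDR strings, that the WAN interface is named `wan`, and that `dmz` is the zone counted for lateral-movement risk.

```python
"""Target-IP bidirectional analysis and --only-target filtering (added example, constructed data)."""
import ipaddress

# Constructed target.txt content in the format described above.
TARGET_FILE = """\
# Web Servers
192.168.10.10
192.168.10.11
# Database Subnet
10.20.30.0/24
# Management Host
172.16.1.100
"""

# Constructed policies. srcaddr/dstaddr are assumed already resolved to CIDRs by an
# address-object lookup (not shown); wildcards are kept as the literal "all".
POLICIES = [
    {"id": 10, "srcintf": "wan", "dstintf": "dmz", "srcaddr": ["all"],
     "dstaddr": ["192.168.10.10/32"], "service": ["HTTPS"], "action": "accept"},
    {"id": 20, "srcintf": "lan", "dstintf": "dmz", "srcaddr": ["10.0.0.0/8"],
     "dstaddr": ["all"], "service": ["HTTPS"], "action": "accept"},
    {"id": 30, "srcintf": "lan", "dstintf": "wan", "srcaddr": ["all"],
     "dstaddr": ["all"], "service": ["ALL"], "action": "accept"},
    {"id": 40, "srcintf": "dmz", "dstintf": "lan", "srcaddr": ["192.168.10.0/24"],
     "dstaddr": ["10.20.30.5/32"], "service": ["MYSQL"], "action": "accept"},
]

WILDCARDS = {"all", "any"}
WAN_INTERFACES = {"wan"}   # assumption; the tool derives WAN from the interface 'role' field
UNTRUSTED_ZONES = {"dmz"}  # assumption: zones whose inbound rules count as lateral-movement risk


def load_targets(text):
    """Parse target file text: one IP or CIDR per line; '#' comments and blank lines ignored."""
    targets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            targets.append(ipaddress.ip_network(line, strict=False))
    return targets


def _overlaps(addrs, target):
    """True if any non-wildcard address overlaps the target network."""
    for addr in addrs:
        if addr.lower() in WILDCARDS:
            continue  # 'all'/'any' never count as a match (the --only-target semantics)
        if ipaddress.ip_network(addr, strict=False).overlaps(target):
            return True
    return False


def analyze_target(target, policies):
    """Inbound/outbound accept rules for one target, Internet reachability, lateral-movement sources."""
    accept = [p for p in policies if p["action"] == "accept"]
    inbound = [p for p in accept if _overlaps(p["dstaddr"], target)]
    outbound = [p for p in accept if _overlaps(p["srcaddr"], target)]
    return {
        "target": str(target),
        "inbound": [p["id"] for p in inbound],
        "outbound": [p["id"] for p in outbound],
        "internet_reachable": any(p["srcintf"] in WAN_INTERFACES for p in inbound),
        "lateral_from": sorted({p["srcintf"] for p in inbound if p["srcintf"] in UNTRUSTED_ZONES}),
    }


def filter_only_target(policies, targets):
    """Keep rules whose source or destination overlaps any target; wildcard-only rules drop out."""
    return [p for p in policies
            if any(_overlaps(p["srcaddr"], t) or _overlaps(p["dstaddr"], t) for t in targets)]


if __name__ == "__main__":
    targets = load_targets(TARGET_FILE)
    for t in targets:
        print(analyze_target(t, POLICIES))
    print("only-target rule ids:", [p["id"] for p in filter_only_target(POLICIES, targets)])
```

Note that rule 30 (all/all) is excluded from the filtered set even though it technically covers every target: a wildcard-only rule tells you nothing specific about the target and would otherwise drag the whole policy base into every scoped report.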
## Risk Scoring Methodology

```text
Risk_Score = base_weight × Σ(multipliers)

Base Weights:
  ANY-ANY Accept:               9.0
  Management Internet Exposure: 9.5
  Internet → Internal (no UTM): 7.0
  DMZ → LAN:                    7.5
  DMZ → Management:             9.0
  No Logging:                   5.0
  Insecure Protocol:            4.0

Multipliers:
  srcaddr = all:      ×2.0
  dstaddr = all:      ×1.5
  service = ALL:      ×1.8
  logtraffic = off:   ×1.4
  No UTM (Internet):  ×1.2

Score → Level:
  0.0 – 2.9 → INFO
  3.0 – 4.9 → LOW
  5.0 – 6.9 → MEDIUM
  7.0 – 8.9 → HIGH
  9.0+      → CRITICAL
```
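The scoring formula above carried through on sample policies, as an added example written for this README (not the project's `analyzer/risk_analyzer.py`). It applies the formula literally: the multipliers that apply to a rule are summed and the sum scales the base weight. The following are assumptions of this example, not statements about the tool: the interface-to-zone map is constructed; when several checks trip, the highest base weight is used; when no multiplier applies the factor is 1.0; a rule that trips no check scores 0.0 (INFO); the `No UTM (Internet)` multiplier applies to rules entering from the WAN zone without `utm-status enable`; and the insecure-service names are constructed.

```python
"""Risk scoring for FortiGate policies (added example, not the project's scoring engine)."""

# Constructed interface-to-zone map; the tool derives zones from the configuration.
ZONE_OF = {"port1": "wan", "port2": "lan", "port3": "dmz", "port4": "mgmt"}
INSECURE_SERVICES = {"TELNET", "FTP", "HTTP", "SNMP"}  # constructed service-object names
LEVELS = [(3.0, "INFO"), (5.0, "LOW"), (7.0, "MEDIUM"), (9.0, "HIGH")]  # upper bounds, else CRITICAL

# Constructed policies using FortiOS-style keys (single values as str, multi-values as list).
POLICIES = {
    "any-any": {"srcintf": "port2", "dstintf": "port1", "srcaddr": "all", "dstaddr": "all",
                "service": "ALL", "action": "accept", "logtraffic": "all"},
    "no-log": {"srcintf": "port2", "dstintf": "port3", "srcaddr": "LAN-Net", "dstaddr": "Web-1",
               "service": "HTTPS", "action": "accept", "logtraffic": "disable"},
    "telnet": {"srcintf": "port2", "dstintf": "port3", "srcaddr": "LAN-Net", "dstaddr": "all",
               "service": "TELNET", "action": "accept", "logtraffic": "all"},
    "dmz-to-mgmt": {"srcintf": "port3", "dstintf": "port4", "srcaddr": "Web-1", "dstaddr": "Mgmt-Host",
                    "service": "SSH", "action": "accept", "logtraffic": "all"},
    "wan-to-lan": {"srcintf": "port1", "dstintf": "port2", "srcaddr": "all", "dstaddr": "Web-1",
                   "service": "HTTPS", "action": "accept", "logtraffic": "all"},
    "clean": {"srcintf": "port2", "dstintf": "port1", "srcaddr": "LAN-Net", "dstaddr": "all",
              "service": "HTTPS", "action": "accept", "logtraffic": "all", "utm-status": "enable"},
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def base_weight(p):
    """Return (check name, base weight) for the highest-weighted check the policy trips."""
    src, dst = ZONE_OF.get(p["srcintf"]), ZONE_OF.get(p["dstintf"])
    any_src = "all" in _as_list(p["srcaddr"])
    any_dst = "all" in _as_list(p["dstaddr"])
    any_svc = "ALL" in _as_list(p["service"])
    no_utm = p.get("utm-status") != "enable"
    hits = []
    if p["action"] == "accept" and any_src and any_dst and any_svc:
        hits.append(("ANY-ANY Accept", 9.0))
    if src == "wan" and dst == "mgmt":
        hits.append(("Management Internet Exposure", 9.5))
    if src == "wan" and dst == "lan" and no_utm:
        hits.append(("Internet -> Internal (no UTM)", 7.0))
    if src == "dmz" and dst == "lan":
        hits.append(("DMZ -> LAN", 7.5))
    if src == "dmz" and dst == "mgmt":
        hits.append(("DMZ -> Management", 9.0))
    if p.get("logtraffic", "all") == "disable":
        hits.append(("No Logging", 5.0))
    if any(s.upper() in INSECURE_SERVICES for s in _as_list(p["service"])):
        hits.append(("Insecure Protocol", 4.0))
    return max(hits, key=lambda h: h[1]) if hits else ("none", 0.0)  # assumption: no check -> 0.0


def multipliers(p):
    """Return the (name, weight) multipliers that apply to the policy."""
    found = []
    if "all" in _as_list(p["srcaddr"]):
        found.append(("srcaddr = all", 2.0))
    if "all" in _as_list(p["dstaddr"]):
        found.append(("dstaddr = all", 1.5))
    if "ALL" in _as_list(p["service"]):
        found.append(("service = ALL", 1.8))
    if p.get("logtraffic", "all") == "disable":
        found.append(("logtraffic = off", 1.4))
    if ZONE_OF.get(p["srcintf"]) == "wan" and p.get("utm-status") != "enable":
        found.append(("No UTM (Internet)", 1.2))  # assumption: applies to WAN-ingress rules
    return found


def score_policy(p):
    """Risk_Score = base_weight × Σ(multipliers); factor 1.0 when no multiplier applies (assumption)."""
    check, base = base_weight(p)
    mults = multipliers(p)
    factor = sum(w for _, w in mults) if mults else 1.0
    score = round(base * factor, 1)
    level = next((name for limit, name in LEVELS if score < limit), "CRITICAL")
    return {"check": check, "score": score, "level": level, "multipliers": [n for n, _ in mults]}


if __name__ == "__main__":
    for name, rule in POLICIES.items():
        r = score_policy(rule)
        print(f"{name:12} {r['check']:32} score={r['score']:<6} {r['level']}")
```

Because the multipliers are summed rather than multiplied, a rule that trips several of them climbs past 9.0 quickly (an ANY-ANY accept with logging enabled already lands at 9.0 × 5.3); the level table absorbs that, since everything from 9.0 upward is CRITICAL.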
## Security Checks

| Check | Description |
|---|---|
| ANY-ANY rule detection | Catches unrestricted bypass rules |
| Internet → Management | Management interface exposure |
| Internet → Internal | Direct WAN to LAN access |
| DMZ → LAN isolation | Zone isolation violations |
| No logging | Visibility gaps |
| No UTM/IPS | Unprotected Internet traffic |
| Insecure protocols | Telnet, FTP, HTTP, SNMPv1/v2 |
| VIP/DNAT resolution | Real internal IP exposure mapping |
| Disabled rules | Residual attack surface |
## MITRE ATT&CK Mapping

| Finding | Technique |
|---|---|
| Internet RDP access | T1021.001, T1133 |
| Internet SSH access | T1021.004, T1133 |
| DMZ → LAN | T1021, T1210 |
| ANY-ANY rule | T1190 |
| Logging disabled | T1562.004 |
| Telnet/FTP use | T1040 |
| HTTP management | T1040, T1557 |
## Compatibility

- FortiOS 6.x
- FortiOS 7.x (including 7.4)
- Multi-VDOM configurations supported
## Changelog

### 1.1.0

- `--only-target` — Filter reports to only rules matching target file IPs/subnets; excludes `all`/`any` wildcards
- WAN detection fix — Removed hardcoded `port1` as WAN; now uses config `role` field only
- `.conf` multi-line parsing — Correctly parses certificates, HTML buffers, and other multi-line quoted values
- Parser robustness — Resolved shlex fallback warnings when parsing `.conf` files

### Initial release

- Risk scoring, zone isolation, internet exposure, target analysis, HTML/PDF/JSON reports
## Contributing

Contributions are welcome. Please open an Issue or submit a Pull Request. See CONTRIBUTING.md for guidelines.
## References

- FortiGate CLI Reference — FortiOS 7.4
- NIST SP 800-41: Firewall Guidelines
- CIS Benchmark for FortiGate
- MITRE ATT&CK Framework
- SANS Firewall Checklist
## License

This project is licensed under the GNU Affero General Public License v3.0 (AGPL-3.0). See the LICENSE file for details.
- You may use, modify, and distribute this software
- You must disclose source code of modified versions when providing network services
- You must preserve license and copyright notices
Version: 1.1.0 | March 2026