Your FortiGate Is Deployed. It's Probably Not Tuned. Here's What That Costs You.

A FortiGate at the edge of your network is not a security control. A correctly configured, continuously tuned FortiGate is a security control. Across the Saudi mid-market, the gap between those two states is the single most common — and most expensive — finding in our network and security assessments.

The pattern is consistent. A capable system integrator delivers the firewall, runs through a deployment checklist, validates basic connectivity, hands over credentials, and moves on. Six months later, the appliance is online, traffic is flowing, the dashboard is green, and nobody has touched the policy table since go-live. Threat protection licences are paid for in full. Half of them are not enabled. The other half are running on default profiles that block almost nothing of consequence.

This article is the diagnostic. If your organisation operates FortiGate firewalls in Riyadh, Jeddah, the Eastern Province, or anywhere across the Kingdom, the seven issues below are statistically likely to be present in your environment right now. Each one is fixable in days, not months. Together, they are the difference between owning a firewall and being protected by one.

1. Deep SSL inspection is not enabled — so your NGFW is inspecting nothing

More than 90% of enterprise web traffic is encrypted. A FortiGate without deep SSL/TLS inspection enabled cannot see inside that traffic. Application control, web filtering, intrusion prevention, antivirus, and DLP all become decorative. They scan the unencrypted 10% and miss the rest.

Deep inspection is non-trivial to deploy correctly — it requires a properly distributed CA certificate, exception lists for banking, government, and healthcare destinations, and capacity sized for the actual decryption load. It is not a tick-box exercise. But running an NGFW without it is paying enterprise licensing for a stateful packet filter.

2. Security profiles are configured but not applied

This is the most common single finding we see. The administrator has configured an antivirus profile, a web filter profile, an IPS profile, an application control profile — and then left them sitting in the profile library, never bound to a firewall policy. Traffic flows. Profiles do nothing.

A FortiGate's security inspection only happens when a profile is explicitly applied to the policy that the traffic matches. "Configured" is not the same as "active." Every internet-bound policy should be carrying, at minimum, an antivirus profile, an IPS profile, an application control profile, a web filter profile, and a DNS filter profile. Anything less is intentional, documented exposure.

3. IPS signatures are stale or running in monitor-only mode

Two failure modes here, both common. The first: FortiGuard IPS signature updates are not being received because the licence has lapsed, the device cannot reach the FortiGuard cloud, or proxy settings are blocking the update path. The second: the IPS profile exists, signatures are current, but every action is set to "monitor" rather than "block." The firewall sees the attack, logs the attack, and lets the attack through.

A weekly check that signatures are updating, that critical and high-severity signatures are set to block (not monitor), and that exception lists are documented and reviewed — none of this is sophisticated. All of it is rare in environments without an active managed services relationship.

4. Default credentials, shared admin accounts, and no two-factor

The FortiGate web interface and SSH console are management surfaces that need to be treated like the crown jewels they are. We routinely find shared administrator accounts, no MFA on management access, weak password policies, no IP allowlisting on the management interface, and HTTPS administrative access exposed to the public internet. Each is its own finding. In combination, they are the path most attackers take to disable the firewall before launching the rest of the attack.

The control set is well documented: per-administrator accounts with role-based privileges, MFA enforced via FortiToken or third-party TOTP, HTTPS administrative access restricted to internal management VLANs only, SSH disabled on external interfaces, and trusted host lists configured per administrator.
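Findings 2, 3 and 4 above, together with the SSL inspection gap in finding 1, can be verified from a configuration backup rather than by clicking through the GUI. The script below is an added example written for this article, not ITBuilders' or Fortinet's code. It parses the text of a FortiOS `show full-configuration` dump (here a constructed sample, assuming a single external interface named wan1) and reports internet-bound accept policies with `utm-status` off or profiles unbound, IPS sensor entries whose high/critical signatures are set to `pass` (the CLI form of the GUI's "Monitor" action), administrators without trusted hosts or two-factor, and management protocols enabled on the external interface. The built-in profile names `certificate-inspection` and `no-inspection` are treated as non-decrypting, which is how FortiOS ships them.

```python
import shlex

# Constructed sample in FortiOS CLI syntax; not a real customer configuration.
SAMPLE_CONFIG = """
config system interface
    edit "wan1"
        set allowaccess ping https ssh
    next
end
config system admin
    edit "admin"
        set two-factor fortitoken
        set trusthost1 10.10.0.0 255.255.255.0
    next
    edit "netops"
        set accprofile "super_admin"
    next
end
config ips sensor
    edit "default"
        config entries
            edit 1
                set severity high critical
                set action pass
            next
        end
    next
end
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set action accept
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set ips-sensor "default"
    next
    edit 2
        set srcintf "servers"
        set dstintf "wan1"
        set action accept
    next
end
"""

# Profiles every internet-bound accept policy should carry (finding 2).
REQUIRED_PROFILES = ("av-profile", "ips-sensor", "application-list", "webfilter-profile", "dnsfilter-profile")
# Built-in ssl-ssh-profile names that never decrypt payloads (finding 1).
NO_DECRYPT = {"no-inspection", "certificate-inspection"}
MGMT_PROTOCOLS = {"http", "https", "ssh", "telnet"}  # should not face the internet (finding 4)


def parse_fortios(text):
    """Parse FortiOS CLI output into nested dicts: table -> edit name -> settings/tables."""
    stack = [{}]
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        kw = tokens[0]
        if kw == "config":  # open (or reopen) a table under the current node
            stack.append(stack[-1].setdefault(" ".join(tokens[1:]), {}))
        elif kw == "edit":  # open an entry inside the current table
            stack.append(stack[-1].setdefault(tokens[1], {}))
        elif kw == "set":  # store the value tokens, e.g. ["ping", "https", "ssh"]
            stack[-1][tokens[1]] = tokens[2:]
        elif kw in ("next", "end"):
            stack.pop()
    return stack[0]


def audit(text, wan_interfaces):
    """Parse a config dump and return human-readable findings for policies, IPS, admins and interfaces."""
    cfg, findings = parse_fortios(text), []
    for pid, pol in cfg.get("firewall policy", {}).items():
        if pol.get("action", ["deny"])[0] != "accept" or not set(pol.get("dstintf", [])) & wan_interfaces:
            continue  # only internet-bound accept policies are in scope here
        if pol.get("utm-status", ["disable"])[0] != "enable":
            findings.append(f"policy {pid}: utm-status disabled, no security profile can apply")
            continue
        missing = [p for p in REQUIRED_PROFILES if p not in pol]
        if missing:
            findings.append(f"policy {pid}: missing profiles {', '.join(missing)}")
        if pol.get("ssl-ssh-profile", ["no-inspection"])[0] in NO_DECRYPT:
            findings.append(f"policy {pid}: no deep SSL inspection, encrypted traffic is not scanned")
    for sname, sensor in cfg.get("ips sensor", {}).items():
        for eid, entry in sensor.get("entries", {}).items():
            # The GUI's "Monitor" action is "set action pass" in the CLI: the attack is logged and let through.
            if entry.get("action", ["default"])[0] == "pass" and {"high", "critical"} & set(entry.get("severity", [])):
                findings.append(f"ips sensor {sname} entry {eid}: high/critical signatures set to pass (monitor-only)")
    for name, adm in cfg.get("system admin", {}).items():
        if not any(k.startswith("trusthost") for k in adm):
            findings.append(f"admin {name}: no trusted hosts, logon accepted from any source address")
        if adm.get("two-factor", ["disable"])[0] == "disable":
            findings.append(f"admin {name}: two-factor authentication disabled")
    for name, intf in cfg.get("system interface", {}).items():
        exposed = MGMT_PROTOCOLS & set(intf.get("allowaccess", []))
        if name in wan_interfaces and exposed:
            findings.append(f"interface {name}: management exposed via {', '.join(sorted(exposed))}")
    return findings
```

Run it as `audit(open("backup.conf").read(), {"wan1", "wan2"})` against a real dump, substituting your own external interface names; on the constructed sample it returns seven findings: two for policy 1, one for policy 2, one for the IPS sensor, two for the `netops` administrator and one for `wan1`. The checks are deliberately conservative (a policy that only lacks a DNS filter is still reported), so treat the output as a review worklist, not a compliance verdict.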

5. No segmentation between user, server, IoT, and OT zones

A FortiGate is, among other things, a segmentation engine. The vast majority of mid-market deployments we audit are configured as a perimeter device only — one inside zone, one outside zone, and a flat internal network behind it. Lateral movement between user endpoints, servers, printers, IP cameras, and (in industrial environments) OT systems is unrestricted because there are no internal policies to restrict it.

A modern FortiGate deployment uses VLAN-aware policies to segment user traffic from server traffic, server traffic from data centre traffic, IT from OT, and IoT/CCTV onto isolated zones with explicitly defined east-west policies. This is the control that contains a phishing-driven endpoint compromise to one user instead of letting it reach the domain controller.

6. The Fortinet Security Fabric is half-deployed

FortiGate is one component of a much larger architecture. The platform is designed to integrate with FortiAnalyzer for centralised logging and reporting, FortiManager for multi-device policy management, FortiSIEM or FortiSOAR for correlation and automated response, FortiClient for endpoint integration, FortiAuthenticator for identity, FortiSandbox for unknown-threat detonation, and FortiEDR for advanced endpoint protection. Each integration multiplies the value of the others.

What we see in practice: standalone FortiGates with no FortiAnalyzer (so logs are kept on-box and rotated out within days), no FortiManager (so policy drift across multiple sites is unmanaged), and no integration with the customer's SIEM. The licences are paid; the architecture isn't built. Security Fabric integration is where the platform earns its premium.

7. No documented change management, no configuration backup discipline, no review cadence

The final finding is operational rather than technical. Policy tables grow over time. New rules are added on top of old ones. Temporary exceptions become permanent. Service accounts get added, services get retired, the rules to permit them stay. Within two years, a firewall policy table is an archaeological dig — nobody fully understands which rules are still required, which are dormant, and which are actively dangerous.

The discipline that prevents this: documented change management with a justification for every rule, automated configuration backups (FortiManager handles this natively), a quarterly policy review cycle, and unused-rule reporting to identify candidates for retirement. None of these are exotic. All of them are absent in the average mid-market deployment.

What this costs you

The financial cost of these gaps is rarely the licence price. It is the cost of an incident that the firewall was supposed to prevent — ransomware reaching production servers because lateral movement was unrestricted, business email compromise succeeding because deep inspection wasn't enabled to catch the malicious attachment, an OT environment compromised because IT and OT shared a flat network.

The compliance cost is also tangible. NCA ECC, the SAMA Cybersecurity Framework, and PDPL all require effective network segmentation, monitoring, and threat prevention. An auditor who asks for evidence of policy review, IPS efficacy reports, and segmentation documentation will not accept "we have a FortiGate" as the answer.

Where ITBuilders fits

ITBuilders is a Fortinet partner in Saudi Arabia with certified engineers who design, deploy, and operationally manage FortiGate environments end-to-end — not as a one-off project, but as a continuous capability. Recent engagements include a 130-branch FortiGate SD-WAN rollout, a multi-site FortiGate refresh covering 300+ switches and core security architecture, and FortiGate optimisation programmes for clients across financial services, manufacturing, and government.

What we deliver beyond the box:

Book a free FortiGate health check

We will run a structured assessment of your existing FortiGate deployment, identify which of the seven findings apply to your environment, and give you a prioritised remediation plan you can act on with us — or without us. No commitment.

Book your FortiGate health check → call 920-020-750, email [email protected], or visit itbuilders.com.sa.
