Your FortiGate Is Running at 40%: The Hidden ROI Leak in Enterprise Firewalls

By Soc Team  ·  Published 10 Apr 2026  ·  Cybersecurity  ·  13 min read

After 12+ years of deploying and managing FortiGate firewalls across Indian enterprises — banks, manufacturers, IT companies, government agencies — our engineering team can tell you with certainty that the vast majority of organisations are using their FortiGate at roughly 40% of its actual capability. They are paying for a full-featured next-generation firewall and using it as a basic packet filter with VPN.

This is not an exaggeration. At Ogma, we have completed over 350 FortiGate deployments and conduct free configuration reviews every week. The pattern is remarkably consistent: enterprises invest lakhs in FortiGate hardware and FortiGuard subscription bundles, then leave most of the licensed security features either disabled or misconfigured. The result is a massive hidden leak in security ROI — and a firewall that provides a fraction of the protection it was designed to deliver.

This article walks through exactly which features are being wasted, why it happens, what it costs, and how to fix it.

The 7 FortiOS Features Most Enterprises Leave Disabled

These are not theoretical gaps. These are the findings we see repeatedly in real-world FortiGate configuration reviews across Indian enterprise networks.

1. SSL/TLS Deep Inspection

This is the single most impactful feature that enterprises leave disabled — and the one that undermines almost every other security control on the firewall.

Modern internet traffic is overwhelmingly encrypted. Over 95% of web traffic uses HTTPS. When SSL deep inspection is disabled, your FortiGate cannot see inside encrypted traffic. This means your IPS engine, antivirus scanner, web filter, and application control are all operating blind on the majority of traffic passing through your firewall. A malware payload delivered over HTTPS will sail through your FortiGate completely undetected.

What we typically find: most enterprises have SSL inspection set to certificate-inspection mode — which only checks the certificate validity but does not decrypt and inspect the actual content. This gives a false sense of security. The FortiGate logs show "SSL inspected" traffic, but no actual content inspection has occurred.

Full SSL deep inspection requires deploying the FortiGate's CA certificate to endpoint devices and handling certificate pinning exceptions for specific applications (banking apps, government portals). This is a one-time configuration effort that most IT teams avoid because they fear it will break applications. In our experience, with proper exception handling, deep inspection works seamlessly — and the security improvement is dramatic.
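The profile-plus-exemption structure described above, written out as an added FortiOS CLI example (this is not configuration from the original article or from Ogma). It assumes FortiOS 7.x syntax, the built-in Fortinet_CA_SSL certificate as the re-signing CA, a hypothetical internet-bound policy with ID 10 on interfaces internal and wan1, and a constructed FQDN for a certificate-pinned application. FortiGuard category 31 is used on the assumption that it is the Finance and Banking category; confirm the ID with "set fortiguard-category ?" before relying on it.

```fortios
# Address object for applications known to use certificate pinning.
# "app.pinned.example" is a constructed placeholder, not a real host.
config firewall address
    edit "pinned-app-hosts"
        set type fqdn
        set fqdn "app.pinned.example"
        set comment "Certificate-pinned client apps; exempt from re-signing"
    next
end

# Custom deep-inspection profile. Creating a new profile rather than
# editing the built-in "deep-inspection" one keeps factory defaults intact.
config firewall ssl-ssh-profile
    edit "deep-inspection-custom"
        set comment "Decrypt and inspect HTTPS with scoped exemptions"
        # Re-sign server certificates with the FortiGate CA. The CA cert
        # must be pushed to endpoints (GPO, MDM) or users see warnings.
        set server-cert-mode re-sign
        set caname "Fortinet_CA_SSL"
        set untrusted-caname "Fortinet_CA_Untrusted"
        config https
            set ports 443
            set status deep-inspection
        end
        config ssl-exempt
            # Category exemption: assumed ID 31 = Finance and Banking.
            edit 1
                set type fortiguard-category
                set fortiguard-category 31
            next
            # Address-object exemption for the pinned applications above.
            edit 2
                set type address
                set address "pinned-app-hosts"
            next
        end
    next
end

# Apply the profile to an internet-bound policy (policy ID 10 and the
# interface names are assumptions). utm-status must be enabled, otherwise
# the ssl-ssh-profile setting has no effect.
config firewall policy
    edit 10
        set name "LAN-to-Internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection-custom"
        set logtraffic all
        set nat enable
    next
end
```

The # lines are explanatory and should be dropped when pasting into an interactive CLI session. Export the Fortinet_CA_SSL certificate from System > Certificates and distribute it before switching the policy, and keep the exemption list deliberately short: every entry is traffic the IPS, antivirus and web filter will never see.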

2. Intrusion Prevention System (IPS)

The IPS engine is included in every FortiGuard subscription bundle — Enterprise, UTP, and ATP. It maintains a database of thousands of attack signatures that gets updated multiple times daily by Fortinet's FortiGuard Labs. When properly configured, it detects and blocks exploits, buffer overflows, SQL injections, and protocol-level attacks in real time.

What we typically find: IPS is either completely disabled, set to monitor-only mode (detects but does not block), or using an outdated signature database because automatic updates were never configured. In monitor-only mode, the FortiGate dutifully logs every attack it detects — and then allows it through. This is the firewall equivalent of having a security camera that records intruders but never locks the door.

The fix is straightforward: enable IPS in block mode on all internet-facing policies, configure automatic signature updates, and tune the sensitivity to eliminate false positives over a 2-week observation period. The IPS engine in modern FortiOS is highly accurate — false positive rates are far lower than they were 5 years ago.
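The three steps above (block mode, automatic updates, a tuning period) as an added FortiOS CLI example; it is not configuration from the article or from Ogma. It assumes FortiOS 7.x, a sensor name of my choosing, and the same hypothetical policy ID 10 used throughout. The split into two filter entries is a design choice for the observation period: medium-and-above signatures block immediately, low and informational ones are logged only, so noisy signatures show up in logs before they are ever enforced.

```fortios
# IPS sensor that blocks rather than only logs. Name is an assumption.
config ips sensor
    edit "protect-internet-edge"
        set comment "Block medium and above; log everything"
        set block-malicious-url enable
        # Botnet C&C blocking is a sensor-level setting in FortiOS 6.2+.
        set scan-botnet-connections block
        config entries
            # Every signature of medium severity and up: block and log.
            edit 1
                set severity medium high critical
                set status enable
                set log enable
                set log-packet disable
                set action block
            next
            # Low/info signatures: visibility without enforcement, so the
            # tuning period surfaces false positives at no operational cost.
            edit 2
                set severity info low
                set status enable
                set log enable
                set action pass
            next
        end
    next
end

# Scheduled FortiGuard updates: every hour at a random minute (01:60).
config system autoupdate schedule
    set status enable
    set frequency every
    set time 01:60
end

# Attach the sensor to the internet-bound policy (policy 10 assumed).
config firewall policy
    edit 10
        set utm-status enable
        set ips-sensor "protect-internet-edge"
    next
end

# Pull signatures now and confirm the database version and date.
execute update-now
diagnose autoupdate versions
```

After the two-week window, signatures that fired only on legitimate traffic can be pinned to pass in their own entry, and entry 2 can be switched to block if the log volume warrants it. Without SSL deep inspection on the same policy the sensor still sees only cleartext traffic, which is why the two features should be enabled together.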

3. Application Control

Application Control identifies and controls over 4,000 applications by inspecting traffic at the application layer — regardless of port or protocol. It can distinguish between Zoom, Teams, Slack, WhatsApp, BitTorrent, and thousands of other applications, allowing you to create policies like "allow Microsoft 365 but block personal cloud storage" or "limit YouTube bandwidth to 10 Mbps during business hours."

What we typically find: Application Control is either not configured at all, or it is set to a default profile that allows everything. Organisations that purchased FortiGate specifically for application visibility are running it with a configuration that provides no application-level control whatsoever. The default "allow all" profile exists as a starting template — it was never meant to be the production configuration.
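An application control list that replaces the allow-all default, as an added FortiOS CLI example rather than configuration from the article or from Ogma. It assumes FortiOS 7.x and policy ID 10. Category IDs 2 (P2P) and 6 (Proxy) are the ones the built-in "block-high-risk" list uses; they are assumptions here and should be confirmed with "set category ?" inside the entries table before deployment.

```fortios
# Application control list with explicit decisions for high-risk categories.
config application list
    edit "corp-app-control"
        set comment "Block P2P and anonymising proxies, log the rest"
        # Unknown and uncategorised traffic is allowed but logged, so the
        # review period shows what a stricter policy would affect.
        set other-application-action pass
        set other-application-log enable
        set unknown-application-action pass
        set unknown-application-log enable
        config entries
            # Assumed category IDs: 2 = P2P, 6 = Proxy.
            edit 1
                set category 2 6
                set action block
                set log enable
            next
        end
    next
end

# Apply to the internet-bound policy (policy 10 assumed); utm-status is required.
config firewall policy
    edit 10
        set utm-status enable
        set application-list "corp-app-control"
    next
end
```

Department-specific control, as in the "allow Microsoft 365 but block personal cloud storage" example, is the same list structure applied per policy: one list per user group, each policy matching that group as its source. Application control still depends on SSL deep inspection for anything that hides behind TLS on port 443, which is most cloud storage.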

4. SD-WAN SLA Probes and Traffic Steering

Many Indian enterprises have upgraded to FortiGate models with SD-WAN capability and are paying for SD-WAN licensing. SD-WAN is designed to intelligently route traffic across multiple ISP links based on real-time performance metrics — latency, jitter, packet loss. It can automatically failover critical applications to the best-performing link and route bulk traffic to the cheapest link.

What we typically find: SD-WAN is licensed and the multiple ISP links are connected, but zero SLA probes are configured. Without SLA probes, the FortiGate has no way to measure link quality in real time. Traffic is being routed using static routes or simple ECMP load balancing — exactly the same as a basic router. The entire SD-WAN investment is wasted.

Configuring SLA probes takes 15 minutes. You define health-check servers (Google DNS, Fortinet servers, or your own endpoints), set thresholds for latency and packet loss, and create SD-WAN rules that steer specific applications to the best-performing link. The improvement in application performance — especially for VoIP, video conferencing, and cloud applications — is immediate and measurable.
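The probe, threshold and steering-rule sequence above, as an added FortiOS CLI example (not configuration from the article or from Ogma). It assumes FortiOS 7.x, two ISP interfaces named wan1 and wan2, gateway addresses taken from the RFC 5737 documentation ranges, and Google DNS (8.8.8.8) as the health-check target; the SLA thresholds are illustrative values, not Fortinet recommendations.

```fortios
# SD-WAN with two ISP members, one health check, one SLA target and one
# steering rule. Interface names and gateways are assumptions.
config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
    end
    config members
        edit 1
            set interface "wan1"
            set zone "virtual-wan-link"
            set gateway 203.0.113.1
        next
        edit 2
            set interface "wan2"
            set zone "virtual-wan-link"
            set gateway 198.51.100.1
        next
    end
    # Health check: ping 8.8.8.8 through both members every 500 ms.
    # Five consecutive failures mark a link down; five successes restore it.
    config health-check
        edit "Google_DNS"
            set server "8.8.8.8"
            set protocol ping
            set interval 500
            set failtime 5
            set recoverytime 5
            set members 1 2
            # SLA 1: a member meets SLA only while all three metrics stay
            # under threshold (150 ms latency, 30 ms jitter, 2% loss).
            config sla
                edit 1
                    set link-cost-factor latency jitter packet-loss
                    set latency-threshold 150
                    set jitter-threshold 30
                    set packetloss-threshold 2
                next
            end
        next
    end
    # Steering rule: SIP signalling (UDP 5060-5061) prefers wan1 while it
    # meets SLA 1, otherwise wan2. Bulk traffic would get a second rule
    # with "set mode load-balance".
    config service
        edit 1
            set name "VoIP-signalling-best-link"
            set mode sla
            set protocol 17
            set start-port 5060
            set end-port 5061
            set src "all"
            set dst "all"
            config sla
                edit "Google_DNS"
                    set id 1
                next
            end
            set priority-members 1 2
        next
    end
end

# Verify: per-member latency/jitter/loss, and which member each rule chose.
diagnose sys sdwan health-check
diagnose sys sdwan service
```

Two more pieces are needed for traffic to actually follow the rule: a static default route bound to the zone ("set sdwan-zone "virtual-wan-link"" under config router static) and firewall policies whose dstintf is the zone rather than wan1 or wan2 individually. Until both are in place the rule table is evaluated but the old static routing still decides the egress link.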

5. DNS Filtering and Botnet C&C Protection

DNS filtering is included in the FortiGuard Web Filtering license. It blocks access to malicious domains at the DNS level — before a connection is even established. Botnet C&C (Command and Control) protection identifies and blocks traffic to known botnet infrastructure, preventing compromised endpoints from communicating with their controllers.

What we typically find: DNS filtering is not enabled. Botnet C&C protection is not enabled. These are checkbox-level configurations in the security profile — they take 2 minutes to enable — but they are consistently left off. The result is that if an employee clicks a phishing link or malware establishes a foothold, the FortiGate has no mechanism to block the DNS resolution to the malicious domain or the subsequent C&C communication.
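Both checkboxes from the paragraph above, expressed as an added FortiOS CLI example that is not configuration from the article or from Ogma. It assumes FortiOS 7.x and policy ID 10. FortiGuard DNS category IDs 26 (Malicious Websites) and 61 (Phishing) are assumptions to confirm with "set category ?" inside the filters table. Botnet C&C blocking on the IPS side is a sensor setting ("set scan-botnet-connections block" in config ips sensor); this block covers the DNS side.

```fortios
# DNS filter profile: block resolution of malicious and phishing domains
# and of any domain on the FortiGuard botnet C&C list.
config dnsfilter profile
    edit "dns-block-malicious"
        set comment "Block at resolution time, before any connection is made"
        set block-botnet enable
        set log-all-domain disable
        config ftgd-dns
            config filters
                # Assumed category IDs: 26 = Malicious Websites, 61 = Phishing.
                edit 1
                    set category 26
                    set action block
                    set log enable
                next
                edit 2
                    set category 61
                    set action block
                    set log enable
                next
            end
        end
    next
end

# Apply to the policy that carries client DNS queries (policy 10 assumed).
config firewall policy
    edit 10
        set utm-status enable
        set dnsfilter-profile "dns-block-malicious"
    next
end
```

The profile only inspects DNS queries that traverse the policy it is attached to. Where clients resolve through an internal DNS server that forwards upstream, attach the profile to that server's egress policy instead, otherwise every query reaches the FortiGate with the server's source address and the block still works, but the logs no longer identify the client that asked.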

6. Security Fabric and Automation Stitches

FortiOS Security Fabric allows the FortiGate to integrate with other Fortinet products (FortiSwitch, FortiAP, FortiClient, FortiAnalyzer, FortiSandbox) for coordinated threat response. Automation Stitches allow you to create automated actions triggered by security events — for example, automatically quarantining an endpoint when malware is detected, or sending an alert to a Slack channel when a critical IPS event fires.

What we typically find: Security Fabric is not configured. Automation Stitches are nonexistent. Even organisations that have FortiSwitch, FortiAP, and FortiClient deployed alongside their FortiGate are running each product as a standalone island with no integration. The FortiGate detects a threat, logs it, and does nothing. The switch continues forwarding traffic from the compromised endpoint. The access point continues providing connectivity. There is zero automated response.

7. Admin Multi-Factor Authentication and Trusted Hosts

FortiOS supports multi-factor authentication for administrative access using FortiToken (hardware or mobile), email-based OTP, or integration with external authentication servers. Trusted Hosts restricts admin login to specific IP addresses or subnets.

What we typically find: admin accounts use single-factor password authentication with no Trusted Host restrictions. This means anyone who obtains (or guesses) the admin password can log into the FortiGate management interface from anywhere on the internet — if HTTPS management is exposed on the WAN interface, which it frequently is. This is not a theoretical risk. FortiGate admin interface compromises are a documented attack vector that threat actors actively exploit.

Enabling FortiToken MFA for admin accounts takes 10 minutes. Configuring Trusted Hosts to restrict admin access to your management VLAN takes 5 minutes. Together, they eliminate the most common administrative attack vector on FortiGate appliances.
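The two changes above (FortiToken MFA and Trusted Hosts), plus removal of management services from the WAN interface, as an added FortiOS CLI example rather than configuration from the article or from Ogma. It assumes FortiOS 7.x, 10.10.0.0/24 as the management VLAN, an interface named mgmt, and a FortiToken Mobile token that has already been imported and activated; the serial shown is a placeholder.

```fortios
# Restrict where admin logins may originate and require a second factor.
# The /24 is the assumed management VLAN; the /32 is a single jump host.
config system admin
    edit "admin"
        set trusthost1 10.10.0.0 255.255.255.0
        set trusthost2 10.10.1.50 255.255.255.255
        set two-factor fortitoken
        set fortitoken "FTKMOB<placeholder-serial>"
    next
end

# WAN interface answers ping only; management stays on the mgmt interface.
config system interface
    edit "wan1"
        set allowaccess ping
    next
    edit "mgmt"
        set allowaccess ping https ssh
    next
end

# Session and lockout hygiene for the admin surface.
config system global
    set admintimeout 10
    set admin-lockout-threshold 3
    set admin-lockout-duration 300
    set admin-https-redirect enable
end

# Confirm: no http/https/ssh in wan1 allowaccess; trusted hosts present.
show system interface wan1
show system admin admin
```

Apply the trusthost lines from a session that originates inside the trusted range, and keep a console or out-of-band path open until a fresh login has been verified: a trusthost typo on the only admin account locks everyone out. Trusted Hosts and MFA are per-account settings, so repeat them for every administrator, including any API or read-only accounts.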

The Dollar Math: What This Actually Costs You

Let us do the arithmetic on a typical mid-enterprise deployment.

Consider an organisation running a FortiGate with a UTP (Unified Threat Protection) bundle. This bundle includes: IPS, Application Control, Web Filtering, Antivirus, Anti-Spam, and SSL Inspection support. The annual subscription cost varies by model — for a FortiGate 100F/200F class appliance common in Indian mid-enterprise, the UTP bundle runs approximately $3,000 to $8,000 per year per appliance.

If the organisation is using only basic web filtering and the firewall function (which requires no subscription at all), they are utilising roughly 15-20% of their subscription value. The IPS engine — not used. Application Control — not configured. Antivirus scanning — ineffective without SSL deep inspection. Anti-Spam — not relevant if email does not traverse the firewall.

For an organisation running 3-5 FortiGate appliances across multiple sites with UTP or ATP bundles, the wasted subscription value easily reaches $10,000 to $30,000 per year — every year, for the entire duration of the subscription. Over a typical 3-year hardware lifecycle, that is $30,000 to $90,000 in security capability that was purchased, paid for, and never activated.

And this does not account for the security cost — the breaches, data loss, and compliance failures that could have been prevented by the features that were already licensed and sitting dormant in the configuration.

Why This Happens

After hundreds of deployments, we have identified five root causes:

1. Deploy-and-forget culture. The FortiGate is installed by a reseller or integrator during the initial deployment. The focus is on getting the network running — internet access, VPN tunnels, basic routing. Advanced security features are left for "Phase 2" which never happens. Two years later, the configuration has not been touched.

2. Staff turnover. The engineer who deployed the FortiGate leaves the organisation. The replacement inherits a running configuration they did not build and do not fully understand. They are reluctant to change anything because the network is working. Institutional knowledge about the deployment intent, the licensed features, and the planned security hardening walks out the door with the original engineer.

3. Fear of breaking things. SSL deep inspection is the classic example. IT teams know they should enable it, but they fear it will break banking websites, government portals, or internal applications that use certificate pinning. Rather than investing the effort to configure proper exceptions, they leave SSL inspection in certificate-only mode indefinitely. The same fear applies to IPS — "what if it blocks legitimate traffic?" — leading to perpetual monitor-only mode.

4. FortiOS complexity. FortiOS is a powerful operating system that grows more capable with every release. A FortiGate 200F running FortiOS 7.4 has hundreds of configurable parameters across dozens of feature areas. Without dedicated Fortinet training (NSE 4-7 certifications), most network engineers use only the features they are comfortable with — which typically means firewall policies and VPN.

5. No baseline audit. Organisations have no mechanism to compare their running configuration against a security baseline. They do not know what they are missing because they have never measured it. The FortiGate dashboard shows green health indicators because the appliance is functioning — but functioning is not the same as fully utilised.

The Ogma FortiGate Config Analyzer

This is exactly the problem we built our configuration analyzer to solve.

Ogma's FortiGate Config Analyzer is an AI-powered audit tool that evaluates your running FortiGate configuration against a 40-point checklist derived from the CIS Benchmark for FortiGate and Fortinet's own best-practice guidelines. It examines every critical configuration area:

  • Security policies: Are policies following least-privilege? Are there default "allow all" rules? Are policies ordered correctly for optimal processing?
  • SSL/TLS inspection: Is deep inspection enabled? Which traffic is exempted and why? Are certificate exceptions properly scoped?
  • IPS configuration: Is IPS in block mode? Are signatures current? Is the IPS profile applied to all relevant policies?
  • Antivirus and web filtering: Are profiles active? Is flow-based or proxy-based inspection configured appropriately?
  • VPN hardening: Are deprecated ciphers disabled? Is DPD (Dead Peer Detection) configured? Are IKE versions current?
  • Admin security: Is MFA enabled? Are Trusted Hosts configured? Is the management interface exposed on WAN?
  • Logging and SIEM integration: Are logs being sent to FortiAnalyzer or a SIEM? Is logging enabled on all policies? Are traffic logs capturing sufficient detail?
  • Firmware currency: Is the FortiOS version current? Are there known CVEs in the running version?
  • SD-WAN optimization: Are SLA probes configured? Are traffic steering rules defined? Is link quality being measured?
  • FortiGuard subscription status: Are all licensed services active and receiving updates?

The analyzer produces a prioritised report showing exactly which features are underutilised, what the security impact is, and step-by-step remediation instructions specific to your FortiOS version and deployment.

How It Works

The process is straightforward:

  1. Export your configuration: Run execute backup config on your FortiGate (or download from the GUI) — this produces a text file with your complete running configuration.
  2. We analyze it: Our AI-powered analyzer parses the configuration, evaluates every parameter against the 40-point benchmark, and identifies gaps.
  3. Live review session: In a 1-hour live session with one of our NSE-certified engineers, we walk through every finding, explain the security impact, and provide specific remediation commands.
  4. Remediation support: If needed, our engineers can implement the recommended changes during a scheduled maintenance window — or guide your team through the process.

We offer this as a free 1-hour configuration review — limited to 5 slots per week — because we know from experience that once organisations see the gap between their current configuration and what their FortiGate is capable of, they want to fix it.

What a Fully Optimized FortiGate Looks Like

To illustrate the difference, consider a BFSI organisation running four FortiGate 200F appliances with ATP (Advanced Threat Protection) bundles across their headquarters and three branch offices.

Before the config review:

  • SSL inspection: certificate-only mode (no content inspection)
  • IPS: monitor-only (logging attacks but not blocking)
  • Application Control: default profile (allow all)
  • SD-WAN: dual ISP connected, static routes only, no SLA probes
  • DNS filtering: disabled
  • Botnet C&C protection: disabled
  • Admin access: single password, no MFA, no Trusted Hosts
  • Logging: local disk only, no SIEM integration
  • Automation Stitches: none configured

After Ogma's config review and a 2-day optimization engagement:

  • SSL deep inspection enabled on all internet-bound policies with targeted exceptions for 12 certificate-pinned applications
  • IPS switched to block mode with auto-updating signatures
  • Application Control configured with department-specific policies
  • SD-WAN SLA probes active on all ISP links with application-aware traffic steering
  • DNS filtering and Botnet C&C protection enabled
  • FortiToken MFA enabled for all admin accounts, Trusted Hosts restricted to management VLAN
  • Log forwarding configured to FortiAnalyzer with real-time alerting
  • Automation Stitches: compromised endpoint quarantine, critical event alerting

The result: the organisation activated every feature they were already paying for. Their security posture improved dramatically — with zero additional licensing cost. The only investment was the engineering time to configure what was already there.

Take the First Step

If you are running FortiGate appliances and have never had your configuration audited against CIS Benchmarks and Fortinet best practices, you are almost certainly leaving significant security capability — and significant subscription investment — on the table.

Ogma's free FortiGate configuration review takes 1 hour of your time and gives you a complete picture of where you stand. We have been Fortinet partners for over 12 years, our engineers hold NSE 4 through NSE 7 certifications, and we have deployed and managed FortiGate across 350+ enterprise environments in India.

Book your free FortiGate config review here — or contact our team to discuss a comprehensive firewall optimization engagement.
