Fortinet Firewalls: Best Practices for Securing Servers
I’ve been in this business a long time — since before networking meant laying coaxial cables and praying the BNC connectors didn’t vibrate themselves loose from the jack. Server security back then? Mostly just making sure nobody stepped on the wires. Now, it’s a battlefield.
If you’re not securing your servers properly, you’re basically propping your front door open with a neon sign that says, “Hack me.”
My favorite tool for locking it down: Fortinet firewalls. I’ve rolled these into everything from massive enterprise networks to small IT shops over the years. Securely set up, they’re rock solid — misconfigured, though, well… I’ve seen a few disasters.
Let’s walk through protecting your servers with Fortinet firewalls: not just plugged in, but tuned to create bulletproof security.
Why Server Security Matters
I still remember cleaning up after the Slammer worm. It swept through SQL servers like a wildfire, and there was no mercy in how it exploited open ports and unpatched systems. That was 2003. You’d think we’d know better, but — nope.
I still see open RDP ports, weak firewall rules, and default accounts in corporate networks today. If you ignore server security, you are playing with fire.
Here’s why locking down your servers is non-negotiable:
- Financial damage. A breach can cost a company millions – if you think that’s an exaggeration, find any CFO that has experienced one.
- Reputation loss. Your clients had faith in you to protect their data! Lose it, and they’re gone.
- Regulatory nightmares. Compliance fines (GDPR, HIPAA, PCI-DSS) are not only irritating—they sting.
- Zero-day exploits. Attackers are not waiting for you to patch—they are scanning now.
Let’s be real—AI-powered threats are overrated, but automation has made attacks faster and more efficient than ever. It’s not just script kiddies anymore — it’s business.
Time to fight back.
Fortinet Firewall Setup Best Practices
How to Optimize Your Fortinet Firewall
Getting the most out of your Fortinet firewall isn’t just about powering it on and walking away. This is what I do to configure server protection on the FortiGate devices every time I set them up:
1. Block Unused Ports (Deny by Default)
Treat every open port as a security risk. Because it is. Allow only the inbound (and, where possible, outbound) traffic you actually need, be it SSH, RDP, database traffic, or whatever the server requires. Block everything else. Period.
2. Next-Generation Features (Intrusion Prevention, AV, Web Filtering)
- IPS (Intrusion Prevention System): Blocks known attack patterns. Just enable it, trust me.
- Antivirus & File Scanning: Detects malware that may be hidden in that traffic.
- Web Filtering: Even in a well-behaved organization, people will try to download garbage, so block access to risky sites from within your network.
3. Set Up Proper Segmentation (Don’t Put Everything in One Network!)
- Set up a dedicated VLAN for servers, which is separate from the workstation VLANs.
- Get your role-based access controls in place – your finance team should not be touching your dev servers.
- Filter east-west traffic (because unicorns exist within an enterprise).
4. Feverishly Implement Two-Factor Authentication (Even for Admins!)
- Admin credentials are getting stolen all the time. 2FA stops most takeover attempts in their tracks.
- FortiToken is awesome — but I’ll accept anything above just a password.
5. Monitor Logs Like a Hawk
- Configure FortiAnalyzer (or at minimum Syslog forwarding).
- Look for anomalies: logins at unusual times, authentication failures, connections to strange IPs.
- Use automated alerts — otherwise you will miss something.
6. Restrict Remote Management (And NEVER Over the Internet!)
Admin access should be internal-only. Period. If you have to manage remotely, use a VPN with MFA on it.
7. Frequent Firmware Updates (Not a Once-a-Year Thing)
Every firmware release comes out to fix something, typically security vulnerabilities. Avoid “set and forget”: define maintenance windows and keep your firewalls up to date.
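Several of the steps above (deny by default, IPS on allow rules, logging, no admin access from the Internet) can be checked offline against a configuration backup. The script below is an added example, not Fortinet or PJ Networks tooling; the function names `parse` and `audit` are hypothetical, the sample config is constructed, and it assumes a flat config/edit/set layout with no nested config blocks.

```python
import shlex
# Constructed FortiOS-style excerpt for illustration; not from a real device.
SAMPLE = '''
config system interface
    edit "wan1"
        set role wan
        set allowaccess ping https ssh
    next
end
config firewall policy
    edit 1
        set action accept
        set service "ALL"
        set logtraffic disable
    next
    edit 2
        set action accept
        set service "SSH"
        set ips-sensor "default"
    next
end
'''
MGMT = {"http", "https", "ssh", "telnet"}  # admin protocols in allowaccess

def parse(text):
    """Flat config/edit/set blocks -> {section: {entry: {key: [values]}}}."""
    out, entry = {}, None
    for tok in map(shlex.split, text.splitlines()):
        if tok[:1] == ["config"]:
            section = entry = out.setdefault(" ".join(tok[1:]), {})
        elif tok[:1] == ["edit"]:
            entry = section.setdefault(tok[1], {})
        elif tok[:1] == ["set"]:
            entry[tok[1]] = tok[2:]
    return out

def audit(text):  # flags settings that contradict steps 1, 2, 5 and 6 above
    cfg, findings = parse(text), []
    for name, i in cfg.get("system interface", {}).items():
        exposed = MGMT & set(i.get("allowaccess", []))
        if i.get("role") == ["wan"] and exposed:
            findings.append(f"interface {name}: admin access on WAN {sorted(exposed)}")
    for pid, p in cfg.get("firewall policy", {}).items():
        if p.get("action") == ["accept"]:  # only allow rules widen exposure
            checks = [("service ALL", "ALL" in p.get("service", [])),
                      ("no IPS sensor", "ips-sensor" not in p),
                      ("logging disabled", p.get("logtraffic") == ["disable"])]
            findings += [f"policy {pid}: {msg}" for msg, bad in checks if bad]
    return findings
```

Calling `audit(SAMPLE)` returns four findings, all for the WAN interface and policy 1; policy 2 passes.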
Real-World Use Cases
Three major banks just migrated to a zero-trust model with FortiGate firewalls.
- Excessive access to branch servers: solved with microsegmentation.
- Old firewall configs with holes: tightened rules with FortiGate’s Security Fabric.
- Legacy systems exposed on the Internet (seriously, why do people do this?!): moved to VPN-only access.
End result? A tremendous reduction in attack surface.
Another example: a manufacturing firm suffering from recurring ransomware attacks.
- They had open RDP ports all over the place.
- Personal devices were actually plugged into the network, circumventing security.
- Closed all external ports, enforced security policies, and hardened Fortinet firewall rules.
No more ransomware since.
Fortinet Deployment Services with PJ Networks
I’ve done countless Fortinet deployments over the years, but if there’s one consistent thing I can tell you, it’s that improperly configured setups lead to more breaches than flawed firewalls.
At PJ Networks, we:
- Assess your current setup. Where are the risks? What’s unnecessary?
- Optimize firewall rules. Less clutter, more security.
- Implement zero-trust architectures. Less trust by default: more rules.
- Provide ongoing monitoring. Because security is not a one-off thing.
If your firewall is just a mountain of cables and is not tailored to your needs, you are wasting its potential and putting your servers at risk.
Quick Take
- Shut down any port that isn’t needed.
- Use FortiGate IPS, AV & web filtering to prevent threats before they hit servers.
- Don’t keep it flat: segment all the things!
- Require MFA for admins and remote access.
- Review logs to identify anomalous behavior.
- Never expose admin services (RDP, SSH) directly to the Internet.
- Always keep your firmware updated.
Conclusion
Your servers are the backbone of your business, and the backbone has always been an attacker’s favorite target. Don’t make their job easy. It’s not plug-and-play, but a properly configured Fortinet firewall makes a night-and-day difference.
You have to tweak it, track it, and upgrade it regularly. I’ve been here since our modems used to go beep, beep, beep—believe me, the threats have gotten much smarter. You must get smart with security.
Join us as we take you through configuring and securing your Fortinet firewalls with PJ Networks. Let’s get things locked down — before someone else does it for you.