Detecting & Preventing Lateral Movement Attacks With Fortinet Firewalls

Was there back when a solid perimeter high-five was the pick to click. Then came Slammer. That was when I realized we were doing network security all wrong. We weren’t protecting inside the network — just keeping the bad things out. Zoom forward to today, and attackers are no longer just trying to break in. They are getting in one way or another (phishing, unpatched vulnerabilities, bad credentials — take your pick) and then moving laterally.

With appropriate configuration, Fortinet firewalls can block this type of attack in its track. But you have to configure them correctly. Let’s break this down.

What is Lateral Movement?

Lateral movement is what occurs once an attacker infiltrates your network. They don’t simply stop at the first machine — they explore, escalate privileges, and get to the valuable systems. It’s what makes ransomware, data leaks and internal threats so deadly.

Here is a sparse outline of the attacker’s playbook:

• Compromise an endpoint – Perhaps it’s malware, perhaps it’s a stolen credential. Either way, they’re in.
• Escalate privileges – Because user access is for chumps, get admin access.
• Lateral Movement — Tunneling their way to more essential systems—database servers, financial records, up-slops (yes, attackers breach storage systems before executing ransomware).
• Exfiltrate or encrypt – Exfiltrate and your data is theirs, encrypt and your data is useless to you.

Now—Fortinet can stop this. Let’s talk about how.

How Fortinet Firewalls Detect Internal Threats

If you are like the vast majority, you think of firewalls as a “keep bad guys out” tool. Cool, but that’s a 1990s mindset, bro. (And I should know—I was running voice/data over PSTN in those days.) Firewalls are present in the network today as well. If you’re only hardening the perimeter, you’re already late.

Fortinet firewalls assist in three major ways:

• Internal Segmentation — This is the big one. So rather than having this single flat network where everything can talk to everything, Fortinet lets you segment traffic internally. A compromised endpoint shall never connect to the database servers. Period.
• Threat Intelligence & AI-powered Detection – Fortinet has good threat intelligence. Their firewalls recognize suspicious lateral movements—such as a workstation suddenly attempting to RDP into a domain controller—by turning real-world attack data into signs of attack.
• Zero Trust Network Access (ZTNA) – Authentication and authorization on each connection, not just at logon. Want to SSH into a server? Your identity had better check out first.

Random thing: I recently worked on zero-trust architecture changes for three banks with FortiGate firewalls and the biggest problem? Their internal systems were fully exposed. After all the movement of MFA security awareness training, they still had gaps because once trusted every device on the inside could talk. Not anymore.

Best Practices to Prevent Lateral Movement

Let’s get specific. Now if you want to truly use Fortinet firewalls to avoid lateral movement here are the things that need to happen:

1. ISFW Configuration (Internal Segmentation)

• Do segmentation between network zones (Create multiple VLANs)
• Firewall policy to prevent unwanted internal traffic
• Egress default-deny — only allowed traffic is established.

No more “flat” networks. A breached marketing laptop should not be able to access HR’s file shares.

2. Watch All East-West Traffic (Attackers Love It)

• Most network monitoring is North-South traffic (Internet to last internal)
• Lateral movement occurs within—to the East and West.
• Use FortiAnalyzer and FortiSIEM to log internal firewall activity and detect strange behavior.

Or if a workstation that never hits the ERP server suddenly SPOMPS it? That’s worth investigating.

3. FortiGate + FortiClient ZTNA

• Enable per-session authentication
• Microsegment high-value assets (your financial servers should mistrust everything by default—even on the inside).
• Two-factor everything that is important.

If your database server has no MFA and is segmented—you are playing with fire.

4. Bait & Honeypots (Let The Adversary Do Their Own Work)

• FortiDeceptor (Create decoy systems that lure attackers for lateral movement).
• If an “employee laptop” attempts to RDP into a bogus finance server, boom — you have an alert as it happens.

It’s similar to setting a mousetrap: if anything attempts to “move laterally” toward a false target, you know it was not supposed to be there.

5. Automate Threat Response (Because You’re Never Going to Be Fast Enough)

• Automate threat response with FortiSOAR™.
• Leverage automatic quarantine rules so that if a device is behaving strangely, it gets quarantined.
• Integrate endpoint security with FortiGate – disconnect infected machines in real time.

Attackers don’t wait around. Neither should your firewall.

Security Solutions for PJ Networks

This is why we set up Fortinet firewalls for our clients—real security isn’t only about stopping threats at the edge. It’s about stopping them before they go further.

At PJ Networks, we:

• Use Fortinet firewalls to design and implement segmented network architectures.
• Deploy zero-trust configurations so access isn’t presumed — even internally.
• Anomaly detection to alert managed security for lateral movement movement in real time.

We recently locked down a financial institution that had an antiquated, absolutely flat network (and I do mean everything could speak to everything). Once they adopted microsegmentation using Fortinet, their risk was significantly reduced. Even if malware gets in now? It’s stuck.

Quick Take

• Lateral movement is what turns small breaches into massive disasters.
• Fortinet firewalls can’t stop at the edge because they stop inside the network.
• Best defenses: segmentation, East-West traffic monitoring, zero-trust access.
• Automate response where feasible — threats are faster than humans.

Conclusion

Here’s the thing — the majority of businesses are still focused on “keeping attackers out.” That’s outdated. They’re already in. Phishing, zero-days and misconfiguration are just a few ways breaches occur.

What matters now is how quickly you identify and contain the threat.

When configured correctly, Fortinet’s firewall solutions make lateral movement almost impossible. But mere dumping in a FortiGate box will not be sufficient. These are the policies, segmentation, the detection tools, like a FortiAnalyzer and FortiDeceptor, that truly defend internal networks.

Think your network isn’t susceptible? Every single one of the breached companies who got breached.

Schedule a time to make a real security plan with Fortinet firewalls. Let’s talk.