After managing a small number of FortiGates for a handful of years, I have come up with two rules that I wish I had known when I started. There are numerous best practices, but these two have caused me the most pain recently.
- Never install a .0 release of FortiGate firmware; more specifically, wait until .4 or .5 or later before upgrading. For example, if you are on 6.2.7 and would like to upgrade to the latest branch, which at the time of writing is 6.4.x, wait until 6.4.5. Each main release branch includes a large number of new features, and each of the dot releases includes fixes. I made the mistake twice when starting out, and the firewalls became unstable and difficult to maintain and upgrade.
- Always build policies against zones. An interface added to a zone inherits every policy associated with that zone, and can be removed from it just as easily. If you build policies directly against interfaces, then every time you add an interface that belongs with an existing group you have to rebuild all of those policies for the new interface, instead of simply adding the interface to the zone and being done. Zones really shine when upgrading from one hardware platform to the next, where interface names and counts differ: you can remove all interfaces from the zone, transfer the config, and add the new interfaces to the correct zone.
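As an added example (not from the original post), this is what the zone approach looks like in the FortiOS CLI: the policy names the zone, so adding a port or swapping hardware never touches the policy. The zone name, interface names and policy ID are assumptions.

```fortios
# Define a zone and place the initial LAN interfaces in it.
# (zone name "LAN", port names and policy ID 10 are assumptions)
config system zone
    edit "LAN"
        set intrazone deny
        set interface "port1" "port2"
    next
end

# The policy references the zone, never the individual ports.
config firewall policy
    edit 10
        set name "LAN-to-WAN"
        set srcintf "LAN"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end

# Later: a third LAN interface arrives. One append and it inherits
# policy 10 (and every other policy that names "LAN") untouched.
config system zone
    edit "LAN"
        append interface "port3"
    next
end

# Hardware migration: empty the zone before exporting the config,
# then re-populate it with the new platform's interface names.
config system zone
    edit "LAN"
        unset interface
    next
end
# ... transfer the config to the new unit, then:
config system zone
    edit "LAN"
        set interface "port5" "port6" "port7"
    next
end
```

A zone that is referenced by a policy cannot be deleted, but its member list can be emptied and refilled, which is exactly what the migration step relies on.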
Those are two simple rules that would have saved me a lot of time.