Friday, October 1, 2021

Introduction to FortiGate Next-Generation Firewall (NGFW)

FortiGate Next-Generation Firewalls (NGFWs) are network firewalls powered by purpose-built security processing units (SPUs), including the latest NP7 (Network Processor 7). They enable security-driven networking and are well suited to hybrid and hyperscale data centers.

Fortinet NGFWs reduce cost and complexity by eliminating point products and consolidating industry-leading security capabilities such as secure sockets layer (SSL) inspection, including the latest TLS 1.3, web filtering and intrusion prevention system (IPS), to provide full visibility and protect any edge. Fortinet NGFWs meet the performance needs of hyperscale and hybrid IT architectures, enabling organizations to deliver an optimal user experience and manage security risks for better business continuity.

Below are some of the basic CLI commands and initial configuration tasks on a FortiGate NGFW. Type get system status to view the FortiGate serial number, operation mode, license status, system uptime, etc.

 

FortiGate-VM64 # get system status
Version: FortiGate-VM64 v6.4.4,build1803,201209 (GA)
Virus-DB: 1.00000(2018-04-09 18:07)
Extended DB: 1.00000(2018-04-09 18:07)
Extreme DB: 1.00000(2018-04-09 18:07)
IPS-DB: 6.00741(2015-12-01 02:30)
IPS-ETDB: 6.00741(2015-12-01 02:30)
APP-DB: 6.00741(2015-12-01 02:30)
INDUSTRIAL-DB: 6.00741(2015-12-01 02:30)
Serial-Number: FGVMEVLBM63ZQG09
IPS Malicious URL Database: 1.00001(2015-01-01 01:01)
License Status: Valid
Evaluation License Expires: Tue May  4 02:20:49 2021
VM Resources: 1 CPU/1 allowed, 2010 MB RAM/2048 MB allowed
Log hard disk: Available
Hostname: FortiGate-VM64
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 1
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Branch point: 1803
Release Version Information: GA
FortiOS x86-64: Yes
System time: Sat Apr 24 17:21:22 2021
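The status output above is worth checking automatically when you manage more than one unit. The script below is an added example for this post (not FortiOS code or a Fortinet tool): it parses the "Key: value" lines of get system status, works out how many days remain on the evaluation license using the device's own clock, and flags signature databases that have not been updated. The sample text is a shortened copy of the transcript above; the 14-day license warning and 30-day database age thresholds are assumptions, not Fortinet recommendations.

```python
"""Parse `get system status` output and flag licence and signature-database issues.

Added example for this post; it is not FortiOS code. The sample below is
a shortened copy of the post's own `get system status` transcript, embedded
so the script runs offline. The 14-day warning and 30-day staleness
thresholds are assumptions, not Fortinet recommendations.
"""
import re
from datetime import datetime

SAMPLE_STATUS = """\
Version: FortiGate-VM64 v6.4.4,build1803,201209 (GA)
Virus-DB: 1.00000(2018-04-09 18:07)
IPS-DB: 6.00741(2015-12-01 02:30)
Serial-Number: FGVMEVLBM63ZQG09
License Status: Valid
Evaluation License Expires: Tue May  4 02:20:49 2021
VM Resources: 1 CPU/1 allowed, 2010 MB RAM/2048 MB allowed
Hostname: FortiGate-VM64
Operation Mode: NAT
Current HA mode: standalone
System time: Sat Apr 24 17:21:22 2021
"""

# FortiOS prints timestamps in ctime() form, e.g. "Sat Apr 24 17:21:22 2021".
CTIME_FMT = "%a %b %d %H:%M:%S %Y"
# Signature-database lines carry their build date in parentheses.
DB_DATE_RE = re.compile(r"\((\d{4}-\d{2}-\d{2}) \d{2}:\d{2}\)")


def parse_status(text):
    """Turn the 'Key: value' lines into a dict; lines without a colon are skipped."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def days_until_license_expiry(fields):
    """Days from the device's own clock to licence expiry (negative when expired).

    The device clock is used rather than the host's so the check is reproducible
    and is not skewed by a FortiGate whose NTP is wrong.
    """
    expires = datetime.strptime(fields["Evaluation License Expires"], CTIME_FMT)
    now = datetime.strptime(fields["System time"], CTIME_FMT)
    return (expires - now).total_seconds() / 86400.0


def stale_databases(fields, max_age_days=30):
    """Map each signature database to its age in days when older than max_age_days."""
    now = datetime.strptime(fields["System time"], CTIME_FMT)
    stale = {}
    for key, value in fields.items():
        if not key.endswith(("DB", "Database")):
            continue
        match = DB_DATE_RE.search(value)
        if match is None:
            continue
        age = (now - datetime.strptime(match.group(1), "%Y-%m-%d")).days
        if age > max_age_days:
            stale[key] = age
    return stale


def audit_status(fields, warn_days=14, max_db_age_days=30):
    """Return human-readable findings; an empty list means nothing to report."""
    findings = []
    if fields.get("License Status") != "Valid":
        findings.append("license status is %r" % fields.get("License Status"))
    if "Evaluation License Expires" in fields:
        remaining = days_until_license_expiry(fields)
        if remaining < 0:
            findings.append("evaluation license expired %.1f days ago" % -remaining)
        elif remaining < warn_days:
            findings.append("evaluation license expires in %.1f days" % remaining)
    for name, age in sorted(stale_databases(fields, max_db_age_days).items()):
        findings.append("%s is %d days old; check FortiGuard updates" % (name, age))
    return findings


if __name__ == "__main__":
    status = parse_status(SAMPLE_STATUS)
    print("%s (%s)" % (status["Hostname"], status["Serial-Number"]))
    for finding in audit_status(status):
        print(" -", finding)
```

Run against the sample, it reports the evaluation license expiring in about nine days and both signature databases as years old, which is exactly the state of the lab VM in the transcript (the "Evaluation license has expired" error discussed later in the post is what follows when the first finding is ignored).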

 

 

Type ? to list all CLI options.

 

FortiGate-VM64 # show system ?

accprofile                        Configure access profiles for system administrators.

admin                             Configure admin users.

affinity-interrupt                Configure interrupt affinity.

affinity-packet-redistribution    Configure packet redistribution.

alias                             Configure alias command.

api-user                          Configure API users.

arp-table                         Configure ARP table.

auto-install                      Configure USB auto installation.

auto-script                       Configure auto script.

automation-action                 Action for automation stitches.

automation-destination            Automation destinations.

automation-stitch                 Automation stitches.

automation-trigger                Trigger for automation stitches.

autoupdate                        Configure automatic updates.

central-management                Configure central management.

cluster-sync                      Configure FortiGate Session Life Support Protocol (FGSP) session synchronization.

console                           Configure console.

csf                               Add this FortiGate to a Security Fabric or set up a new Security Fabric on this FortiGate.

custom-language                   Configure custom languages.

ddns                              Configure DDNS.

dhcp                              Configure DHCP.

dhcp6                             Configure DHCPv6.

dns                               Configure DNS.

dns-database                      Configure DNS databases.

dns-server                        Configure DNS servers.

dscp-based-priority               Configure DSCP based priority table.

email-server                      Configure the email server used by the FortiGate various things. For example, for sending email messages to users to support user authentication features.

external-resource                 Configure external resource.

fips-cc                           Configure FIPS-CC mode.

fortiguard                        Configure FortiGuard services.

fortisandbox                      Configure FortiSandbox.

fsso-polling                      Configure Fortinet Single Sign On (FSSO) server.

ftm-push                          Configure FortiToken Mobile push services.

geneve                            Configure GENEVE devices.

geoip-override                    Configure geographical location mapping for IP address(es) to override mappings from FortiGuard.

global                            Configure global attributes.

gre-tunnel                        Configure GRE tunnel.

ha                                Configure HA.

ha-monitor                        Configure HA monitor.

interface                         Configure interfaces.

ipip-tunnel                       Configure IP in IP Tunneling.

ips                               Configure IPS system settings.

ips-urlfilter-dns                 Configure IPS URL filter DNS servers.

ips-urlfilter-dns6                Configure IPS URL filter IPv6 DNS servers.

ipsec-aggregate                   Configure an aggregate of IPsec tunnels.

ipv6-neighbor-cache               Configure IPv6 neighbor cache table.

ipv6-tunnel                       Configure IPv6/IPv4 in IPv6 tunnel.

link-monitor                      Configure Link Health Monitor.

lldp                              Configure LLDP.

mobile-tunnel                     Configure Mobile tunnels, an implementation of Network Mobility (NEMO) extensions for Mobile IPv4 RFC5177.

nat64                             Configure NAT64.

nd-proxy                          Configure IPv6 neighbor discovery proxy (RFC4389).

netflow                           Configure NetFlow.

network-visibility                Configure network visibility settings.

ntp                               Configure system NTP information.

object-tagging                    Configure object tagging.

password-policy                   Configure password policy for locally defined administrator passwords and IPsec VPN pre-shared keys.

password-policy-guest-admin       Configure the password policy for guest administrators.

pppoe-interface                   Configure the PPPoE interfaces.

probe-response                    Configure system probe response.

proxy-arp                         Configure proxy-ARP.

replacemsg                        Configure replacement message.

replacemsg-group                  Configure replacement message groups.

replacemsg-image                  Configure replacement message images.

saml                              Global settings for SAML authentication.

sdn-connector                     Configure connection to SDN Connector.

sdwan                             Configure redundant Internet connections with multiple outbound links and health-check profiles.

session-helper                    Configure session helper.

session-ttl                       Configure global session TTL timers for this FortiGate.

settings                          Configure VDOM settings.

sflow                             Configure sFlow.

sit-tunnel                        Configure IPv6 tunnel over IPv4.

sms-server                        Configure SMS server for sending SMS messages to support user authentication.

snmp                              Configure SNMP.

speed-test-server                 Configure speed test server list.

sso-admin                         Configure SSO admin users.

standalone-cluster                Configure FortiGate Session Life Support Protocol (FGSP) cluster attributes.

storage                           Configure logical storage.

switch-interface                  Configure software switch interfaces by grouping physical and WiFi interfaces.

tos-based-priority                Configure Type of Service (ToS) based priority table to set network traffic priorities.

vdom-exception                    Global configuration objects that can be configured independently across different ha peers for all VDOMs or for the defined VDOM scope.

vdom-link                         Configure VDOM links.

virtual-wire-pair                 Configure virtual wire pairs.

vne-tunnel                        Configure virtual network enabler tunnel.

vxlan                             Configure VXLAN devices.

wccp                              Configure WCCP.

zone                              Configure zones to group two or more interfaces. When a zone is created you can configure policies for the zone instead of individual interfaces in the zone.

 

FortiGate-VM64 # show system interface ?
name    Name.
fortilink   static   0.0.0.0 0.0.0.0  169.254.1.1 255.255.255.0  up   disable   aggregate  enable
port1   static   0.0.0.0 0.0.0.0  192.168.1.160 255.255.255.0  up   disable   physical  enable
port2   static   0.0.0.0 0.0.0.0  0.0.0.0 0.0.0.0  up   disable   physical  enable
port3   static   0.0.0.0 0.0.0.0  0.0.0.0 0.0.0.0  up   disable   physical  enable
ssl.root   static   0.0.0.0 0.0.0.0  0.0.0.0 0.0.0.0  up   disable   tunnel  enable

 

FortiGate-VM64 # show system interface port1
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.1.160 255.255.255.0
        set allowaccess ping ssh http
        set type physical
        set snmp-index 1
    next
end

 

 

The show full-configuration command displays all the configuration settings, including the default values that plain show omits.

 

FortiGate-VM64 # show full-configuration system

accprofile                        Configure access profiles for system administrators.

admin                             Configure admin users.

affinity-interrupt                Configure interrupt affinity.

affinity-packet-redistribution    Configure packet redistribution.

alias                             Configure alias command.

api-user                          Configure API users.

arp-table                         Configure ARP table.

auto-install                      Configure USB auto installation.

auto-script                       Configure auto script.

automation-action                 Action for automation stitches.

automation-destination            Automation destinations.

automation-stitch                 Automation stitches.

automation-trigger                Trigger for automation stitches.

autoupdate                        Configure automatic updates.

central-management                Configure central management.

cluster-sync                      Configure FortiGate Session Life Support Protocol (FGSP) session synchronization.

console                           Configure console.

csf                               Add this FortiGate to a Security Fabric or set up a new Security Fabric on this FortiGate.

custom-language                   Configure custom languages.

 

FortiGate-VM64 # show full-configuration

alertemail             Alert email configuration.

antivirus              AntiVirus configuration.

application            Application control configuration.

authentication         authentication

credential-store       credential-store

dlp                    DLP configuration.

dnsfilter              DNS filter configuration.

dpdk                   FortiOS DPDK Helper configuration.

emailfilter            AntiSpam configuration.

endpoint-control       Endpoint control configuration.

extender-controller    FortiExtender controller configuration.

file-filter            file-filter

firewall               Firewall configuration.

ftp-proxy              FTP proxy configuration.

icap                   ICAP client configuration.

ips                    IPS configuration.

log                    Log configuration.

nsxt                   NSX-T configuration.

report                 Report configuration.

router                 Router configuration.

ssh-filter             SSH filter configuration.

switch-controller      External FortiSwitch configuration.

system                 System operation configuration.

user                   Authentication configuration.

voip                   VoIP configuration.

vpn                    VPN configuration.

waf                    Web Application Firewall configuration.

wanopt                 WAN optimization configuration.

web-proxy              Web proxy configuration.

webfilter              Web filter configuration.

wireless-controller    Wireless access point configuration.

 

FortiGate-VM64 # show full-configuration system

accprofile                        Configure access profiles for system administrators.

admin                             Configure admin users.

affinity-interrupt                Configure interrupt affinity.

affinity-packet-redistribution    Configure packet redistribution.

alias                             Configure alias command.

api-user                          Configure API users.

arp-table                         Configure ARP table.

auto-install                      Configure USB auto installation.

auto-script                       Configure auto script.

automation-action                 Action for automation stitches.

automation-destination            Automation destinations.

automation-stitch                 Automation stitches.

automation-trigger                Trigger for automation stitches.

autoupdate                        Configure automatic updates.

central-management                Configure central management.

cluster-sync                      Configure FortiGate Session Life Support Protocol (FGSP) session synchronization.

console                           Configure console.

csf                               Add this FortiGate to a Security Fabric or set up a new Security Fabric on this FortiGate.

custom-language                   Configure custom languages.

ddns                              Configure DDNS.

dhcp                              Configure DHCP.

dhcp6                             Configure DHCPv6.

dns                               Configure DNS.

dns-database                      Configure DNS databases.

dns-server                        Configure DNS servers.

dscp-based-priority               Configure DSCP based priority table.

email-server                      Configure the email server used by the FortiGate various things. For example, for sending email messages to users to support user authentication features.

external-resource                 Configure external resource.

fips-cc                           Configure FIPS-CC mode.

fortiguard                        Configure FortiGuard services.

fortisandbox                      Configure FortiSandbox.

fsso-polling                      Configure Fortinet Single Sign On (FSSO) server.

ftm-push                          Configure FortiToken Mobile push services.

geneve                            Configure GENEVE devices.

geoip-override                    Configure geographical location mapping for IP address(es) to override mappings from FortiGuard.

global                            Configure global attributes.

gre-tunnel                        Configure GRE tunnel.

ha                                Configure HA.

ha-monitor                        Configure HA monitor.

interface                         Configure interfaces.

ipip-tunnel                       Configure IP in IP Tunneling.

ips                               Configure IPS system settings.

ips-urlfilter-dns                 Configure IPS URL filter DNS servers.

ips-urlfilter-dns6                Configure IPS URL filter IPv6 DNS servers.

ipsec-aggregate                   Configure an aggregate of IPsec tunnels.

ipv6-neighbor-cache               Configure IPv6 neighbor cache table.

ipv6-tunnel                       Configure IPv6/IPv4 in IPv6 tunnel.

link-monitor                      Configure Link Health Monitor.

lldp                              Configure LLDP.

mobile-tunnel                     Configure Mobile tunnels, an implementation of Network Mobility (NEMO) extensions for Mobile IPv4 RFC5177.

nat64                             Configure NAT64.

nd-proxy                          Configure IPv6 neighbor discovery proxy (RFC4389).

netflow                           Configure NetFlow.

network-visibility                Configure network visibility settings.

ntp                               Configure system NTP information.

object-tagging                    Configure object tagging.

password-policy                   Configure password policy for locally defined administrator passwords and IPsec VPN pre-shared keys.

password-policy-guest-admin       Configure the password policy for guest administrators.

pppoe-interface                   Configure the PPPoE interfaces.

probe-response                    Configure system probe response.

proxy-arp                         Configure proxy-ARP.

replacemsg                        Configure replacement message.

replacemsg-group                  Configure replacement message groups.

replacemsg-image                  Configure replacement message images.

saml                              Global settings for SAML authentication.

sdn-connector                     Configure connection to SDN Connector.

sdwan                             Configure redundant Internet connections with multiple outbound links and health-check profiles.

session-helper                    Configure session helper.

session-ttl                       Configure global session TTL timers for this FortiGate.

settings                          Configure VDOM settings.

sflow                             Configure sFlow.

sit-tunnel                        Configure IPv6 tunnel over IPv4.

sms-server                        Configure SMS server for sending SMS messages to support user authentication.

snmp                              Configure SNMP.

speed-test-server                 Configure speed test server list.

sso-admin                         Configure SSO admin users.

standalone-cluster                Configure FortiGate Session Life Support Protocol (FGSP) cluster attributes.

storage                           Configure logical storage.

switch-interface                  Configure software switch interfaces by grouping physical and WiFi interfaces.

tos-based-priority                Configure Type of Service (ToS) based priority table to set network traffic priorities.

vdom-exception                    Global configuration objects that can be configured independently across different ha peers for all VDOMs or for the defined VDOM scope.

vdom-link                         Configure VDOM links.

virtual-wire-pair                 Configure virtual wire pairs.

vne-tunnel                        Configure virtual network enabler tunnel.

vxlan                             Configure VXLAN devices.

wccp                              Configure WCCP.

zone                              Configure zones to group two or more interfaces. When a zone is created you can configure policies for the zone instead of individual interfaces in the zone.

 

FortiGate-VM64 # show full-configuration system interface port1
config system interface
    edit "port1"
        set vdom "root"
        set vrf 0
        set fortilink disable
        set mode static
        set dhcp-relay-service disable
        set ip 192.168.1.160 255.255.255.0
        set allowaccess ping ssh http
        set fail-detect disable
        set pptp-client disable
        set arpforward enable
        set broadcast-forward disable
        set bfd global
        set l2forward disable
        set icmp-send-redirect enable
        set icmp-accept-redirect enable
        set vlanforward disable
        set stpforward disable
        set ips-sniffer-mode disable
        set ident-accept disable
        set ipmac disable
        set subst disable
        set substitute-dst-mac 00:00:00:00:00:00
        set status up
        set netbios-forward disable
        set wins-ip 0.0.0.0
        set type physical
        set dedicated-to none
        set ring-rx 0
        set ring-tx 0
        set netflow-sampler disable
        set sflow-sampler disable
        set src-check enable
        set sample-rate 2000
        set polling-interval 20
        set sample-direction both
        set explicit-web-proxy disable
        set explicit-ftp-proxy disable
        set proxy-captive-portal disable
        set tcp-mss 0
        set inbandwidth 0
        set outbandwidth 0
        set egress-shaping-profile ''
        set ingress-shaping-profile ''
        set disconnect-threshold 0
        set spillover-threshold 0
        set ingress-spillover-threshold 0
        set weight 0
        set external disable
        set description ''
        set alias ''
        set security-mode none
        set device-identification disable
        set lldp-reception vdom
        set lldp-transmission vdom
        set estimated-upstream-bandwidth 0
        set estimated-downstream-bandwidth 0
        set measured-upstream-bandwidth 0
        set measured-downstream-bandwidth 0
        set bandwidth-measure-time 0
        set monitor-bandwidth disable
        set vrrp-virtual-mac disable
        set role undefined
        set snmp-index 1
        set secondary-IP disable
        set preserve-session-route disable
        set auto-auth-extension-device disable
        set ap-discover enable
        set ip-managed-by-fortiipam disable
        set switch-controller-mgmt-vlan 4094
        set switch-controller-igmp-snooping-proxy disable
        set switch-controller-igmp-snooping-fast-leave disable
        set swc-first-create 0
        config ipv6
            set ip6-mode static
            set nd-mode basic
            set ip6-address ::/0
            unset ip6-allowaccess
            set icmp6-send-redirect enable
            set ip6-reachable-time 0
            set ip6-retrans-time 0
            set ip6-hop-limit 0
            set dhcp6-prefix-delegation disable
            set dhcp6-information-request disable
            set vrrp-virtual-mac6 disable
            set vrip6_link_local ::
            set ip6-send-adv disable
            set autoconf disable
            set dhcp6-relay-service disable
        end
        set speed auto
        set mtu-override disable
        set wccp disable
        set drop-overlapped-fragment disable
        set drop-fragment disable
    next
end

 

Configuration Backups

I've changed the FortiGate hostname to FG-1 to perform a configuration backup and restore.

 

FortiGate-VM64 # config sys global
FortiGate-VM64 (global) # set hostname FG-1
FortiGate-VM64 (global) # end
FG-1 #

 

 

To backup the FortiGate configuration in the GUI, go to admin > Configuration > Backup.

 

Select Backup to: Local PC > leave Encryption deselected (gray toggle) > Save File > click OK.

It's good practice to perform routine backups of the FortiGate configuration. An encrypted backup file hampers Fortinet support in their troubleshooting since they won't be able to read it (and neither can you if you forget the password). Consider saving backup files in plain text and storing them on a secure server instead, since an unencrypted backup contains the full device configuration.

I changed the hostname again, to FORTIGATE-1.

 

FG-1 # config sys global
FG-1 (global) # set hostname FORTIGATE-1
FG-1 (global) # end
FORTIGATE-1 #

 

 

To restore the configuration from backup, go to admin > Configuration > Restore.

 

Select Restore from: Local PC > search/select the config file (.conf) > Upload > OK.

A confirmation message will be presented. Click OK to continue.

The FortiGate will auto reboot.

The web page will time out. Refresh the web GUI and re-login.


Notice the hostname FG-1 has been restored and is displayed in the web page tab and under Dashboard > Status > System Information.

 

Configuring Administrator Accounts

To configure a new user administrator profile with read-only access, go to System > Admin Profiles > Create New.

 

Notice there are two Admin Profiles created by default: prof_admin and super_admin.

 

Below are the Access Permissions in the prof_admin profile.

Below are the Access Permissions in the super_admin profile.

 

Notice none of the Access Control Permissions are configurable (grayed out).

 

For the new Admin Profile, type a Name: Sec_Admin_Prof > optionally type a Comment > set all Access Control Permissions to: Read except for Security Profile: Read/Write > click OK.

To create a new administrator account and assign it to the Admin Profile just created, go to System > Administrators > Create New > Administrator.

 

Notice that the admin account with Admin Profile super_admin is created by default.

 


Type the username: sec-admin > select Type: Local User > type Password: fortinet (type twice to confirm and click the eye icon to view the clear-text password) > select Administrator Profile: Sec_Admin_Prof > leave the other settings at their defaults (deselected) > click OK.

Log out of the current admin account (upper right corner) and log in using the new sec-admin account.


I explored the web GUI options and noticed the account can only view (read-only) some of the FortiGate options, e.g. Interfaces and System Settings, while some options are configurable (read-write), e.g. Hostname, Time zone and Security Profiles.





You can restrict management of the FortiGate to certain trusted hosts or subnets. I was initially able to SSH from 192.168.1.140 (Cisco CSRv router).

 

CSRv#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet1       192.168.1.140   YES NVRAM  up                    up
GigabitEthernet2       unassigned      YES TFTP   administratively down down

CSRv#ssh -l admin 192.168.1.160
Password:
FG-1 #

 

 

Login using the admin account, go to System > Administrators > select admin > click Edit (with pencil icon).

 

 

Enable/toggle: Restrict login to trusted hosts > type Trusted Host 1: 192.168.1.100/32 (Windows 10) > click OK.

 

You can add more host IPs or subnets by clicking the plus (+) icon.

 

 

I wasn't able to SSH from the CSRv router afterwards.

CSRv#ssh -l admin 192.168.1.160
[Connection to 192.168.1.160 aborted: error status 0]

 

 

I added the CSRv IP address 192.168.1.140 via the FortiGate CLI.

 

FG-1 # config system admin
FG-1 (admin) # edit admin
FG-1 (admin) # set trusthost2 192.168.1.140/32
FG-1 (admin) # end
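Both settings shown in this post (the allowaccess list on port1, which includes cleartext http, and the trusthost entries on the admin account) are easy to audit offline from a plain-text backup, which is one practical reason to keep backups unencrypted as suggested earlier. The script below is an added example for this post, not FortiOS code or a Fortinet tool: it parses the config/edit/set/next/end syntax of show and show full-configuration output into nested dicts, then reports interfaces that allow cleartext management protocols and administrator accounts that have no restricting trusted host. The configuration text is constructed: port1 and its allowaccess list are taken from the post, while port2, the sec-admin trusthost value and the admin account's dotted-mask trusthost lines are assumptions.

```python
"""Parse FortiOS `show` / `show full-configuration` output and audit admin exposure.

Added example for this post; it is not FortiOS code or a Fortinet tool. The
configuration text below is constructed for the example: port1 and its
allowaccess list are taken from the post, the remaining interface, the admin
accounts and their trusthost values are assumptions.
"""
import shlex

SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.1.160 255.255.255.0
        set allowaccess ping ssh http
        set type physical
        config ipv6
            set ip6-mode static
            unset ip6-allowaccess
        end
        set snmp-index 1
    next
    edit "port2"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping https ssh
        set type physical
    next
end
config system admin
    edit "admin"
        set trusthost1 192.168.1.100 255.255.255.255
        set trusthost2 192.168.1.140 255.255.255.255
        set accprofile "super_admin"
    next
    edit "sec-admin"
        set trusthost1 0.0.0.0 0.0.0.0
        set accprofile "Sec_Admin_Prof"
    next
end
"""

# Management protocols that carry credentials in cleartext.
CLEARTEXT_ACCESS = {"http", "telnet"}


def parse_fortios_config(text):
    """Build nested dicts from the config/edit/set/unset/next/end syntax.

    A `config` or `edit` opens a child dict; `set` stores the value tokens as a
    list; `next` and `end` close the current block. Quotes are handled by shlex.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        if keyword == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif keyword == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif keyword == "set":
            stack[-1][args[0]] = args[1:]
        elif keyword == "unset":
            stack[-1].pop(args[0], None)
        elif keyword in ("next", "end"):
            if len(stack) > 1:
                stack.pop()
    return root


def interfaces_with_cleartext_admin_access(cfg):
    """Map interface name -> cleartext protocols enabled in its allowaccess list."""
    exposed = {}
    for name, iface in cfg.get("system interface", {}).items():
        bad = CLEARTEXT_ACCESS.intersection(iface.get("allowaccess", []))
        if bad:
            exposed[name] = sorted(bad)
    return exposed


def _restricts(value):
    """True unless the trusthost is the any-address (0.0.0.0 0.0.0.0 or 0.0.0.0/0)."""
    return " ".join(value) not in ("0.0.0.0 0.0.0.0", "0.0.0.0/0")


def admins_without_trusted_hosts(cfg):
    """Admin accounts with no restricting trusthostN entry, i.e. reachable from any source."""
    open_admins = []
    for name, admin in cfg.get("system admin", {}).items():
        restricted = any(key.startswith("trusthost") and _restricts(value)
                         for key, value in admin.items())
        if not restricted:
            open_admins.append(name)
    return open_admins


if __name__ == "__main__":
    config = parse_fortios_config(SAMPLE_CONFIG)
    print("cleartext admin access:", interfaces_with_cleartext_admin_access(config))
    print("admins without trusted hosts:", admins_without_trusted_hosts(config))
```

On the sample it reports port1 for http and sec-admin for having no trusted host, which mirrors the two changes worth making after following this post: drop http from allowaccess in favour of https, and give every administrator account, not just admin, a trusthost list.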

 

 

To view the currently logged-in administrators, issue the get system info admin status command.

 

FG-1 # get system info
admin    admin

FG-1 # get system info admin
ssh       Show SSH status.
status    Show logged in administrators.

FG-1 # get system info admin status
Index  User name   Login type  From
Logged in users: 3
USERNAME        TYPE    FROM             TIME
admin           http    192.168.1.100    Mon May  3 19:29:15 2021
admin           ssh     192.168.1.100    Mon May  3 19:40:26 2021
admin           ssh     192.168.1.140    Mon May  3 19:41:49 2021
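The logged-in administrator list is also a useful thing to review against the trusted-host list, since a session from an address you never added to trusthostN deserves a second look. The script below is an added example for this post, not FortiOS code: it parses the table printed by get system info admin status, checks each session's source address against the trusted hosts configured in this post (192.168.1.100/32 and 192.168.1.140/32) and flags logins over cleartext protocols. The first three session lines are copied from the transcript above; the fourth line (10.0.0.7 over https) is constructed so that the outside-trusted-hosts case is exercised.

```python
"""Review `get system info admin status` output against the trusted-host list.

Added example for this post; not FortiOS code. The first three admin sessions
below are copied from the post's transcript; the fourth line (10.0.0.7 over
https) is constructed to show a login from outside the trusted hosts.
"""
import ipaddress

SAMPLE_SESSIONS = """\
Index  User name   Login type  From
Logged in users: 4
USERNAME        TYPE    FROM             TIME
admin           http    192.168.1.100    Mon May  3 19:29:15 2021
admin           ssh     192.168.1.100    Mon May  3 19:40:26 2021
admin           ssh     192.168.1.140    Mon May  3 19:41:49 2021
admin           https   10.0.0.7         Mon May  3 19:45:02 2021
"""

# Trusted hosts as configured in the post (trusthost1 and trusthost2 on "admin").
TRUSTED_HOSTS = ["192.168.1.100/32", "192.168.1.140/32"]
# Login types that carry credentials in cleartext.
CLEARTEXT_LOGIN_TYPES = {"http", "telnet"}


def parse_admin_sessions(text):
    """Return one dict per logged-in session; header lines are skipped.

    A data line is recognised by its third column parsing as an IP address,
    which is more robust than counting header lines.
    """
    sessions = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        user, login_type, source, when = parts
        try:
            address = ipaddress.ip_address(source)
        except ValueError:
            continue  # "Index User name ..." and "USERNAME TYPE FROM TIME" headers
        sessions.append({"user": user, "type": login_type,
                         "from": address, "time": when.strip()})
    return sessions


def review_sessions(sessions, trusted_hosts=TRUSTED_HOSTS):
    """Flag sessions from outside the trusted hosts and sessions over cleartext protocols."""
    networks = [ipaddress.ip_network(h, strict=False) for h in trusted_hosts]
    findings = []
    for s in sessions:
        if not any(s["from"] in net for net in networks):
            findings.append("%s via %s from %s at %s: source is outside the trusted hosts"
                            % (s["user"], s["type"], s["from"], s["time"]))
        if s["type"] in CLEARTEXT_LOGIN_TYPES:
            findings.append("%s from %s at %s: cleartext %s login"
                            % (s["user"], s["from"], s["time"], s["type"]))
    return findings


if __name__ == "__main__":
    for finding in review_sessions(parse_admin_sessions(SAMPLE_SESSIONS)):
        print(finding)
```

Note that the GUI session in the transcript shows up as type http, not https, because port1's allowaccess list enables http; that is the kind of detail this review surfaces that a glance at the table does not.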

 

If you get an "Evaluation license has expired" error, perform a factory reset and reconfigure the FortiGate VM.

FG-1 # exec factoryreset    // NO SPACE IN factoryreset
This operation will reset the system to factory default!
Do you want to continue? (y/n)y


Once the initial management interface and HTTPS access are configured, perform a configuration restore. Go to admin (upper right corner) > Configuration > Restore.

 

Select Restore from: Local PC > click Upload > select .conf file > click OK.


The FortiGate will reboot automatically and the browser session will be disconnected. Refresh the web browser after 5 minutes.