🔥 FortiGate Tutorial for System Admins

A comprehensive guide for navigating, configuring, and troubleshooting Fortinet FortiGate firewalls. Perfect for system administrators and FortiGate engineers.


1. Core Concepts & Modes

Operational vs Configuration

  • Operational (run-time) commands – monitoring, troubleshooting
  • Example: get system performance status, diagnose debug application httpsd -1
  • Configuration commands – change device config
  • Example: config firewall policy

VDOMs (Virtual Domains)

  • Single VDOM: smaller deployments
  • Multi-VDOM: MSSP / multi-tenant / large enterprise
  • Enter VDOM: config vdom → edit <vdom_name>

Check VDOM mode:

get system status | grep -i vdom

CLI Access Methods

  • Console: direct serial / USB
  • SSH: ssh admin@<ip>
  • HTTPS GUI: https://<ip>:443

CLI Modes

Global config:

config global

Within a VDOM:

config vdom
edit root   # or other VDOM name

Command help:

?           # list commands at current level
show ?      # show options

Tip: Auto-complete with Tab or ? after part of a command.


3. High-Level GUI Map

(Labels can move slightly between FortiOS versions, but structure is similar.)

  • Dashboard – System info, interfaces, resource usage, widgets
  • Network – Interfaces, static routes, SD-WAN, DNS, DHCP, Policy Routes, Routing Monitor
  • System – Administrators, Settings, HA, SNMP, NTP, Certificates, Firmware, Config
  • Policy & Objects – Firewall policies, Addresses, Services, Schedules, Virtual IPs (DNAT), IP Pools (SNAT), Internet Service DB
  • Security Profiles – AV, Web Filter, Application Control, IPS, SSL Inspection, DNS Filter, Email Filter
  • VPN – IPsec, SSL-VPN, interfaces, portals, users/groups
  • Log & Report – Local logs, FortiAnalyzer/Cloud, traffic logs, event logs
  • User & Authentication – Users & User Groups, FSSO, RADIUS/LDAP, 2FA
  • WiFi & Switch Controller – FortiAPs, managed switches, SSIDs, VLANs (if supported model)

4. Interface & Routing Basics

Show Interfaces (CLI)

get system interface                         # summary of all interfaces (IP, status)
show system interface                        # configured (non-default) settings of all interfaces
show system interface <name>                 # single interface config

Typical interface config. allowaccess is the management surface of the interface: enable only what the interface actually needs, leave http and telnet off (cleartext logins), and keep https/ssh off WAN-facing interfaces or pair them with admin trusthosts (section 15):

config system interface
    edit "port1"
        set mode static
        set ip 192.168.1.1 255.255.255.0
        set allowaccess ping https ssh fgfm    # http (cleartext GUI) deliberately omitted
    next
end

Show Routes

get router info routing-table all
get router info routing-table details
get router info routing-table details 8.8.8.8    # lookup specific destination

DNS / NTP / Hostname

config system global
    set hostname "FGT-Branch01"
    set timezone 04          # numeric index on older FortiOS; 7.4+ takes zone names, check with: set timezone ?
end

config system dns
    set primary 1.1.1.1
    set secondary 8.8.8.8
end

config system ntp
    set ntpsync enable
    set type custom          # without this FortiGuard servers are used and the ntpserver entries are ignored
    set server-mode disable
    config ntpserver
        edit 1
            set server "pool.ntp.org"
        next
    end
end

5. Static Routes

Basic Default Route

config router static
    edit 0
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "wan1"
        set distance 10
    next
end

Static Route to Internal Network

config router static
    edit 0
        set dst 10.10.0.0 255.255.255.0
        set device "lan"
    next
end

A subnet configured on an interface already has a connected route, so this form is not needed for the interface's own subnet. A device-only static route (no gateway) is used for point-to-point interfaces such as IPsec tunnels, or to treat a prefix as on-link on an Ethernet interface, in which case the FortiGate ARPs for hosts in that prefix directly.

Static Route to a Remote Network Behind Next Hop

config router static
    edit 0
        set dst 172.16.20.0 255.255.255.0
        set gateway 10.0.0.2
        set device "lan"
        set distance 10
    next
end

6. Hairpin / U-Turn Routing

On FortiGate, hairpin/NAT reflection is usually handled with VIP + policy, not just routing.

Scenario

  • Internal clients: 10.0.0.0/24 on port1 (lan)
  • Internal web server: 10.0.0.10
  • Public IP/VIP: 203.0.113.10 on wan1
  • Clients use the public FQDN/IP even from inside (hairpin).

VIP (DNAT) – Reachable from Any Interface

A VIP that only has to work from the internet can keep extintf "wan1". For hairpin the same VIP must also translate traffic arriving on lan, so set extintf to "any" (or create a second VIP with extintf "lan").

config firewall vip
    edit "web-vip"
        set extip 203.0.113.10
        set mappedip "10.0.0.10"
        set extintf "any"          # "wan1" would ignore hairpin traffic arriving on lan
        set portforward enable
        set extport 443
        set mappedport 443
    next
end

Hairpin Policy – LAN to LAN via the VIP

Destination NAT happens before the policy lookup, so the egress interface is the one that routes to the mapped IP (10.0.0.10 on lan), not wan1. The policy is therefore lan to lan with the VIP as destination, and source NAT must stay enabled so the server answers to the FortiGate instead of directly to the client, which would break the return path.

config firewall policy
    edit 0
        set name "LAN-to-Web-Hairpin"
        set srcintf "lan"
        set dstintf "lan"          # interface toward the mapped IP, not wan1
        set srcaddr "all"
        set dstaddr "web-vip"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat enable             # SNAT so the server's reply returns through the FortiGate
    next
end
Note: No extra static route is needed; traffic enters on lan, is DNAT'd to 10.0.0.10, and is forwarded back out on lan.

Hairpin with Policy Route (Optional Advanced Style)

A policy route changes only the forwarding decision; it does not translate the destination address, so on its own it does not make the server reachable on its public IP. FortiGate also applies DNAT before the routing lookup, which means that once the VIP is in place the hairpinned packets already carry 10.0.0.10 as destination, and a policy route matching 203.0.113.10 is not what carries them. Treat VIP + policy as the method that makes hairpin work; the policy route below is only for cases where you must override the routing table for traffic to that address.

config router policy
    edit 1
        set input-device "lan"
        set src 10.0.0.0 255.255.255.0
        set dst 203.0.113.10 255.255.255.255
        set output-device "lan"
        set gateway 10.0.0.10
    next
end

7. OSPF Routing

Enable OSPF Process (Global)

config router ospf
    set router-id 1.1.1.1
end

Advertise Connected Networks via OSPF

OSPF runs on an interface only when a network statement (Option B) covers that interface's address. The ospf-interface entries (Option A) set per-interface parameters such as network type, cost and authentication and do not advertise anything by themselves, so the two are normally used together. Where a neighbor sits on a segment you do not fully control, add set authentication (md5, or message-digest on newer FortiOS) with a key to the ospf-interface entry so that only authenticated neighbors form adjacencies.

Option A – Per-interface parameters:

config router ospf
    config ospf-interface
        edit "lan-ospf"
            set interface "lan"
            set network-type broadcast
        next
        edit "wan1-ospf"
            set interface "wan1"
            set network-type broadcast
        next
    end
end

Option B – Network statements (required to enable OSPF on the matching interfaces):

config router ospf
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set prefix 10.0.0.0 255.255.255.0
            set area 0.0.0.0
        next
        edit 2
            set prefix 192.0.2.0 255.255.255.0
            set area 0.0.0.0
        next
    end
end

Check OSPF Status

get router info ospf status
get router info ospf neighbor
get router info ospf route

8. BGP Routing

Basic BGP Setup

Scenario:

  • Local ASN: 65001
  • Peer ASN: 65002
  • Local IP on wan1: 203.0.113.2
  • Peer IP: 203.0.113.1
  • We want to announce 10.0.0.0/24.

config router bgp
    set as 65001
    set router-id 203.0.113.2

    config neighbor
        edit "203.0.113.1"
            set remote-as 65002
            set update-source "wan1"
        next
    end

    config network
        edit 1
            set prefix 10.0.0.0 255.255.255.0   # must exist in the routing table (network-import-check is enabled by default)
        next
    end
end

Route Maps / Filtering (Simple Example)

Create the prefix-list first: the route-map rule references it by name and the CLI rejects a reference to an object that does not exist yet. A route-map ends in an implicit deny, so with this map only prefixes that LOCAL-NETS permits are sent to the peer; everything else, including anything learned from other peers, is filtered. ge 24 / le 24 together with a /24 prefix means an exact match.

config router prefix-list
    edit "LOCAL-NETS"
        config rule
            edit 1
                set prefix 10.0.0.0 255.255.255.0
                set ge 24
                set le 24
            next
        end
    next
end

config router route-map
    edit "OUT-TO-PEER"
        config rule
            edit 1
                set match-ip-address "LOCAL-NETS"
                set set-metric 10
            next
        end
    next
end

config router bgp
    config neighbor
        edit "203.0.113.1"
            set remote-as 65002
            set route-map-out "OUT-TO-PEER"
        next
    end
end
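To see what this route-map actually lets through, here is a small Python model of the prefix-list and route-map evaluation above (an added example, not FortiOS code or Fortinet's implementation). The ge/le handling and the implicit deny follow the CLI semantics described on this page; the rule dictionaries and the candidate routes are constructed for the example.

```python
import ipaddress

# Added example (not FortiOS code): a Python model of how the prefix-list and
# route-map above decide what is announced to the peer. The candidate routes
# are constructed; on a real unit they would come from the routing table.
PREFIX_LISTS = {
    # mirrors: config router prefix-list / edit "LOCAL-NETS"
    "LOCAL-NETS": [
        {"action": "permit", "prefix": "10.0.0.0/24", "ge": 24, "le": 24},
    ],
}

ROUTE_MAPS = {
    # mirrors: config router route-map / edit "OUT-TO-PEER"
    "OUT-TO-PEER": [
        {"action": "permit", "match-ip-address": "LOCAL-NETS", "set-metric": 10},
    ],
}


def prefix_list_permits(name, route):
    """First rule whose prefix contains the route and whose ge/le window covers
    the route's length decides; a route matching no rule is denied (implicit
    deny). Without ge/le a rule is an exact match; ge alone means ge..32."""
    net = ipaddress.ip_network(route)
    for rule in PREFIX_LISTS[name]:
        base = ipaddress.ip_network(rule["prefix"])
        lo = rule.get("ge", base.prefixlen)
        hi = rule.get("le", net.max_prefixlen if "ge" in rule else base.prefixlen)
        if net.subnet_of(base) and lo <= net.prefixlen <= hi:
            return rule["action"] == "permit"
    return False


def apply_route_map(name, route):
    """Return the attributes a route leaves with, or None if the map filters it.
    Rules are tried in order; a route matching no permit rule is dropped, which
    is what turns route-map-out into an outbound filter."""
    for rule in ROUTE_MAPS[name]:
        pl = rule.get("match-ip-address")
        if pl and not prefix_list_permits(pl, route):
            continue
        if rule["action"] != "permit":
            return None
        return {"prefix": route, "metric": rule.get("set-metric")}
    return None


def announce(name, candidate_routes):
    """Map every local route to what the peer would receive (None = filtered)."""
    return {r: apply_route_map(name, r) for r in candidate_routes}


if __name__ == "__main__":
    # constructed local table: the advertised /24, a more-specific leak,
    # and an unrelated internal prefix that must not reach the peer
    results = announce("OUT-TO-PEER", ["10.0.0.0/24", "10.0.0.0/25", "192.168.10.0/24"])
    for route, result in results.items():
        print(route, "->", result if result else "filtered")
```

Run it and only 10.0.0.0/24 survives with metric 10; the /25 fails the ge/le window and 192.168.10.0/24 hits the implicit deny, which is the behaviour you want to confirm before enabling a new peer.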

Check BGP Status

get router info bgp summary
get router info bgp neighbors
get router info bgp network
get router info routing-table bgp

9. Firewall Policies & NAT

Listing Policies

GUI: Policy & Objects → Firewall Policy

CLI:

show firewall policy
get firewall policy
get firewall policy | grep -f <pattern>

Creating a Basic Policy (CLI)

config firewall policy
    edit 0
        set name "LAN-to-WAN"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end

Key flags:

  • set nat enable – source NAT (typically to WAN IP / IP pool)
  • set logtraffic all or utm – enable logging (all logs every session; utm, the default, only logs sessions with a security event)
  • srcaddr/dstaddr all with service ALL is fully permissive; narrow it or attach security profiles (section 11) before using it in production

10. VIP (DNAT) & NAT

VIP for DNAT

Example: map external 203.0.113.10:443 to internal 10.0.0.10:443

config firewall vip
    edit "web-vip"
        set extip 203.0.113.10
        set mappedip "10.0.0.10"
        set extintf "wan1"
        set portforward enable
        set extport 443
        set mappedport 443
    next
end

config firewall policy
    edit 0
        set name "WAN-to-Web"
        set srcintf "wan1"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "web-vip"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat disable
    next
end

11. Security Profiles (UTM)

Typical profile attach points: Firewall Policy set av-profile, set webfilter-profile, etc.

Attach Profiles to Policy (CLI)

config firewall policy
    edit 10
        set name "LAN-to-Internet Secure"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set av-profile "default"
        set webfilter-profile "default"
        set application-list "default"
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
    next
end
Note: Actual profile names vary by device/config. certificate-inspection only examines the server certificate and SNI, so with it AV and application control cannot look inside HTTPS payloads; content inspection of TLS traffic needs a deep-inspection ssl-ssh-profile with the FortiGate's CA trusted on the clients. Flow-based inspection is the default and cheaper; proxy mode buffers the session, is required for some features and costs throughput.

12. VPN Essentials

IPsec Site-to-Site – Quick CLI Skeleton (IKEv1 with a pre-shared key, as the defaults give; prefer set ike-version 2 when both ends support it)

Phase1:

config vpn ipsec phase1-interface
    edit "HQ-Branch"
        set interface "wan1"
        set peertype any
        set remote-gw 198.51.100.10
        set psksecret "StrongSharedKey123"   # placeholder: use a long random secret (or certificate auth); stored encrypted in the config
        set proposal aes256-sha256
        set dhgrp 14
    next
end

Phase2:

config vpn ipsec phase2-interface
    edit "HQ-Branch-p2"
        set phase1name "HQ-Branch"
        set src-subnet 10.0.0.0 255.255.255.0
        set dst-subnet 10.10.0.0 255.255.255.0
        set proposal aes256-sha256
    next
end

Policy (this direction only; sessions initiated from the branch need a mirror policy with srcintf "HQ-Branch" and dstintf "lan". Tighten srcaddr/dstaddr to the two subnets instead of all once the tunnel works):

config firewall policy
    edit 0
        set name "LAN-to-Branch"
        set srcintf "lan"
        set dstintf "HQ-Branch"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

Route (required for interface-mode IPsec unless the remote prefix is learned via dynamic routing or add-route):

config router static
    edit 0
        set dst 10.10.0.0 255.255.255.0
        set device "HQ-Branch"
    next
end

Pair it with a blackhole route for the same prefix (set blackhole enable, set distance 254) so that while the tunnel interface is down the traffic is dropped instead of following the default route to the internet unencrypted.

SSL-VPN Key Bits

  • Portal: what users see (web/rdp bookmarks, tunnel mode)
  • Realm / Listening interface
  • User groups assigned to portals/policies
  • Exposure: the SSL-VPN listener is internet-facing, so require MFA, restrict source addresses or geography where possible, and keep firmware current. Fortinet has begun removing SSL-VPN from FortiOS 7.6 in favor of IPsec and ZTNA; check the release notes for your model and version before planning on it.

Check SSL-VPN sessions:

get vpn ssl monitor
execute vpn sslvpn list

13. Monitoring & Troubleshooting

System Health

get system performance status
get system status
diagnose hardware deviceinfo nic <port>
diagnose sys top-summary
diagnose sys top         # 'q' to quit

Check Interfaces / Links

get system interface
diagnose netlink interface list
execute ping 8.8.8.8
execute traceroute 8.8.8.8

Policy Lookup (Which rule is hit?)

diagnose firewall iprope lookup <src-ip> <src-port> <dst-ip> <dst-port> <proto> <src-intf>
# proto: 6 = TCP, 17 = UDP, 1 = ICMP

Example (DNS from 10.0.0.10 arriving on lan):

diagnose firewall iprope lookup 10.0.0.10 51000 8.8.8.8 53 17 lan

Session Table

diagnose sys session list
diagnose sys session list | grep -f <ip>
diagnose sys session filter src 10.0.0.10
diagnose sys session filter dst 8.8.8.8
diagnose sys session filter clear
diagnose sys session list

Debug Flow (Core for Traffic Troubleshooting)

1. Clear / prepare:

diagnose debug reset
diagnose debug disable
diagnose debug flow filter clear
diagnose debug flow filter addr 10.0.0.10        # or saddr/daddr, port, proto
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
diagnose debug console timestamp enable
diagnose debug enable
diagnose debug flow trace start 100               # number of packets to trace

2. Generate test traffic from the client.

3. Stop debug:

diagnose debug flow trace stop
diagnose debug disable
diagnose debug reset

Look for:

  • Policy IDs hit
  • NAT translation
  • Drop reasons (e.g., iprope_in_check(), Denied by forward policy, reverse path check fail)
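Reading raw debug flow output by eye gets slow once dozens of packets are traced. The following Python script is an added example (not FortiOS output or a Fortinet tool) that groups the lines by trace_id and extracts exactly the three items above: policy hit, NAT translation, drop reason. SAMPLE_FLOW is a constructed transcript in the id=/trace_id=/func=/msg= format the command emits; on a real unit you would paste the captured console output instead.

```python
import re
from collections import defaultdict

# Added example (not FortiOS output): parse `diagnose debug flow` text and pull out
# what the checklist says to look for. SAMPLE_FLOW is a constructed transcript,
# not captured from a device: one allowed DNS flow, one denied inbound SSH
# attempt, one packet failing the reverse path check.
SAMPLE_FLOW = """\
id=20085 trace_id=1 func=print_pkt_detail line=5862 msg="vd-root:0 received a packet(proto=17, 10.0.0.10:51000->8.8.8.8:53) tun_id=0.0.0.0 from lan. "
id=20085 trace_id=1 func=init_ip_session_common line=6045 msg="allocate a new session-0000a1b2"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-203.0.113.1 via wan1"
id=20085 trace_id=1 func=fw_forward_handler line=912 msg="Allowed by Policy-1: SNAT"
id=20085 trace_id=1 func=__ip_session_run_tuple line=3507 msg="SNAT 10.0.0.10->203.0.113.2:51000"
id=20085 trace_id=2 func=print_pkt_detail line=5862 msg="vd-root:0 received a packet(proto=6, 198.51.100.77:40000->203.0.113.10:22) tun_id=0.0.0.0 from wan1. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=2 func=init_ip_session_common line=6045 msg="allocate a new session-0000a1b3"
id=20085 trace_id=2 func=fw_forward_handler line=912 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=3 func=print_pkt_detail line=5862 msg="vd-root:0 received a packet(proto=1, 192.168.50.9:1->10.0.0.1:2048) tun_id=0.0.0.0 from wan1. type=8, code=0, id=1, seq=1."
id=20085 trace_id=3 func=ip_route_input_slow line=2283 msg="reverse path check fail, drop"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # FortiOS key=value, values may be quoted


def parse_line(line):
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def summarize_flow(text):
    """Group lines by trace_id (one traced packet) and reduce each trace to the
    5-tuple seen, ingress interface, policy ID hit, SNAT applied, verdict and
    drop reason. Unrecognised lines are ignored, so partial traces still yield a row."""
    traces = defaultdict(lambda: {"packet": None, "ingress": None, "policy": None,
                                  "snat": None, "verdict": None, "reason": None})
    for line in text.splitlines():
        kv = parse_line(line)
        if "trace_id" not in kv:
            continue
        t, msg = traces[kv["trace_id"]], kv.get("msg", "")
        if m := re.search(r"received a packet\((proto=\d+, [^)]*)\)", msg):
            t["packet"] = m.group(1)
            if i := re.search(r" from (\S+)\.", msg):
                t["ingress"] = i.group(1)
        if m := re.search(r"Allowed by Policy-(\d+)", msg):
            t["policy"], t["verdict"] = int(m.group(1)), "allow"
        if m := re.search(r"Denied by forward policy check \(policy (\d+)\)", msg):
            t["policy"], t["verdict"] = int(m.group(1)), "drop"
            t["reason"] = "no matching forward policy"
        if m := re.match(r"SNAT (\S+)->(\S+)", msg):
            t["snat"] = f"{m.group(1)} -> {m.group(2)}"
        if "reverse path check fail" in msg:
            t["verdict"], t["reason"] = "drop", "reverse path check fail (asymmetric route or spoofed source)"
        if "iprope_in_check() check failed" in msg:
            t["verdict"], t["reason"] = "drop", "implicit deny (iprope_in_check)"
    return dict(traces)


def drops(text):
    """Only the dropped traces, keyed by trace_id: what you scan for first."""
    return {tid: t for tid, t in summarize_flow(text).items() if t["verdict"] == "drop"}


if __name__ == "__main__":
    for tid, t in summarize_flow(SAMPLE_FLOW).items():
        print(f"trace {tid}: {t['packet']} in {t['ingress']} -> {t['verdict']} "
              f"policy={t['policy']} snat={t['snat']} reason={t['reason']}")
```

Feed it a real capture and the drops() view gives you the trace IDs to go back to in the full output; matching on the message text rather than on func names keeps it working across FortiOS builds where line numbers and function names shift.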

14. Logs

Configure Remote Logging (Syslog / FortiAnalyzer / Cloud)

Example – Syslog. UDP 514 as shown is unauthenticated and unencrypted, so anything on the path can read or forge log lines; where the collector supports it use set mode reliable (TCP) with set enc-algorithm high for TLS, and pin set source-ip to the management address the collector expects.

config log syslogd setting
    set status enable
    set server "192.0.2.10"
    set port 514
    set facility local7
    set format default
end

Enable logging in policies (set logtraffic all).

Viewing Logs (GUI)

  • Log & Report → Forward Traffic
  • Log & Report β†’ Event, VPN, Security, etc.
  • Use filters: src/dst IP, interface, policy ID, action.

15. Admin & RBAC

Local Admin Accounts

config system admin
    edit "netops"
        set password <secure_password>
        set accprofile "super_admin_readonly"   # built-in read-only profile on FortiOS 7.x; otherwise "prof_admin", "super_admin", or a custom profile
        set vdom "root"
        set trusthost1 10.0.0.0 255.255.255.0  # restrict where logins may come from; treat as mandatory on any interface reachable from untrusted networks
    next
end

Change Admin HTTPS / SSH Ports

admin-port is the plain HTTP GUI port and admin-sport the HTTPS port; SSH is admin-ssh-port. Moving ports reduces scanner noise but is not access control; trusthosts and allowaccess do that.

config system global
    set admin-sport 8443        # HTTPS GUI
    set admin-ssh-port 2222     # SSH
end

Remember to update firewall rules and management docs.
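The checks spread over sections 4, 9, 11 and 15 (no cleartext protocols in allowaccess, no any/any/ALL accept policies without security profiles, full traffic logging, trusthosts and two-factor on admins) can be run against a configuration backup instead of clicked through. The following Python script is an added example, not part of this page's original content or a Fortinet tool: it parses the config/edit/set/next/end text that `show` and the backup file produce and lists findings. SAMPLE_CONFIG is constructed from the page's own fragments plus a hardened counterpart; the audit rules are this example's assumptions about what this page calls weak, not Fortinet's.

```python
import shlex

# Added example (not FortiOS code): parse a FortiGate config backup (the same
# config / edit / set / next / end text shown throughout this page) and flag weak
# settings. SAMPLE_CONFIG is constructed from the page's fragments plus a
# hardened counterpart; the audit rules are this example's assumptions.
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set allowaccess ping https ssh http fgfm
    next
    edit "lan"
        set allowaccess ping https ssh
    next
end
config system admin
    edit "netops"
        set accprofile "super_admin"
    next
    edit "auditor"
        set accprofile "super_admin_readonly"
        set trusthost1 10.0.0.0 255.255.255.0
        set two-factor fortitoken
    next
end
config firewall policy
    edit 1
        set name "LAN-to-WAN"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL"
        set nat enable
    next
    edit 10
        set name "LAN-to-Internet Secure"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL"
        set utm-status enable
        set av-profile "default"
        set logtraffic all
    next
end
"""


def parse_fortios_config(text):
    """Build nested dicts: {"firewall policy": {"1": {"srcaddr": ["all"], ...}}}.
    Every set value is kept as a token list because multi-value attributes
    (allowaccess, srcaddr, ...) are space separated."""
    root, stack, cur = {}, [], {}
    cur = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)
        if tok[0] == "config":
            stack.append(cur)
            cur = cur.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "edit":
            stack.append(cur)
            cur = cur.setdefault(tok[1], {})
        elif tok[0] in ("next", "end"):
            cur = stack.pop()
        elif tok[0] == "set":
            cur[tok[1]] = tok[2:]
        elif tok[0] == "unset":
            cur.pop(tok[1], None)
    return root


def audit(cfg):
    """Return human-readable findings; an empty list means nothing flagged."""
    findings = []
    for pid, p in cfg.get("firewall policy", {}).items():
        if p.get("action") != ["accept"]:
            continue  # default action is deny; deny policies are not an exposure
        name = p.get("name", ["?"])[0]
        wide_open = (p.get("srcaddr"), p.get("dstaddr"), p.get("service")) == (["all"], ["all"], ["ALL"])
        if wide_open and p.get("utm-status") != ["enable"]:
            findings.append(f"policy {pid} ({name}): any/any/ALL accept without security profiles")
        if p.get("logtraffic") != ["all"]:
            findings.append(f"policy {pid} ({name}): logtraffic is not 'all' (default 'utm' logs only UTM events)")
    for name, itf in cfg.get("system interface", {}).items():
        weak = set(itf.get("allowaccess", [])) & {"http", "telnet"}
        if weak:
            findings.append(f"interface {name}: cleartext management enabled ({', '.join(sorted(weak))})")
    for name, adm in cfg.get("system admin", {}).items():
        if not any(k.startswith("trusthost") for k in adm):
            findings.append(f"admin {name}: no trusthost restriction")
        if adm.get("accprofile") == ["super_admin"] and adm.get("two-factor", ["disable"]) == ["disable"]:
            findings.append(f"admin {name}: super_admin without two-factor")
    return findings


def audit_text(text):
    return audit(parse_fortios_config(text))


if __name__ == "__main__":
    for finding in audit_text(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the sample it reports five findings, all on the weak half (policy 1, wan1, netops) and none on the hardened half; point it at the output of `show` or a backup file to run the same review on a real unit.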


16. HA Clustering (Short Overview)

  • Modes: Active-Passive, Active-Active (less common now)
  • Key Settings: group-name, group-id, password, hbdev (heartbeat interfaces), priority, override (enable/disable)
  • override enable lets the higher-priority unit reclaim the primary role when it comes back (failback), which means a second failover; leave it disabled unless a deterministic primary matters more than the extra interruption. Set password so that only units sharing the secret can join the cluster, and use dedicated links for the heartbeat interfaces.

Skeleton:

config system ha
    set mode a-p
    set group-name "FGT-HA"
    set group-id 1
    set hbdev "port3" 50 "port4" 50
    set priority 200
    set override enable
end

Check HA status:

get system ha status
diagnose sys ha status

17. Backup, Restore & Firmware

Backup Config

  • GUI: System → Configuration → Backup
  • CLI (TFTP is cleartext and the backup contains credentials and hashed secrets; append a password so the file is encrypted, and prefer an SFTP/SCP target or a GUI download over HTTPS where your version supports it):
execute backup config tftp fgt-config-20260117.conf 192.0.2.10 <backup_password>
execute backup config usb fgt-config-20260117.conf <backup_password>

Restore Config

execute restore config tftp fgt-config-20260117.conf 192.0.2.10 <backup_password>   # password only if the backup was encrypted

Upgrade Firmware (CLI – simplified)

execute backup config flash backup-before-upgrade.conf
execute restore image tftp <firmware-file.out> 192.0.2.10

Follow Fortinet's official upgrade path per FortiOS Release Notes.


18. Common "Gotchas" Checklist

No internet:

  • Check interface link (get system interface, LEDs)
  • Default route present? (get router info routing-table all)
  • Policy LAN→WAN exists, action accept, nat enable?
  • DNS reachable?

Service not reachable from internet:

  • VIP defined correctly (ext/dst IPs, ports, interface)?
  • Matching WAN→LAN policy with VIP as destination?
  • Upstream router/ISP pointing traffic to FortiGate?
  • Server's local firewall (Windows firewall, etc.)?

VPN:

  • Phase1 and Phase2 up? (diagnose vpn tunnel list)
  • Quick mode selectors (phase2 src/dst subnets) match on both sides?
  • Routes present for remote networks?
  • Policies for traffic over VPN interfaces?

19. Quick "Which Route Is Used?" Commands

  • Full routing table: get router info routing-table all
  • Static routes only: get router info routing-table static
  • BGP routes: get router info routing-table bgp
  • OSPF routes: get router info routing-table ospf
  • Lookup for a specific destination: get router info routing-table details 8.8.8.8
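Which of several overlapping routes wins is decided by prefix length first, then administrative distance, then priority. The Python model below is an added example (not FortiOS code) that reproduces that order for this page's own static routes plus a blackhole backup route for the IPsec prefix, a common FortiGate practice; TABLE and the interface-down flag are constructed so the failure case can be shown offline. It demonstrates why the blackhole route matters: with the tunnel interface down, the /24 falls back to the blackhole rather than to the default route.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

# Added example (not FortiOS code): a Python model of the route selection that
# `get router info routing-table details <ip>` displays. TABLE is constructed
# from this page's static routes plus a blackhole backup for the VPN prefix.
@dataclass(frozen=True)
class Route:
    dst: str                       # destination prefix, CIDR
    device: str                    # egress interface ("blackhole" models set blackhole enable)
    gateway: Optional[str] = None  # None = point-to-point / on-link, no next hop
    distance: int = 10             # administrative distance (static default 10, connected 0)
    priority: int = 1              # tie-break among equal-distance static routes, lower preferred
    up: bool = True                # False models an interface (e.g. an IPsec tunnel) that is down


TABLE = [
    Route("0.0.0.0/0", "wan1", "203.0.113.1"),
    Route("10.0.0.0/24", "lan", distance=0),            # connected
    Route("172.16.20.0/24", "lan", "10.0.0.2"),
    Route("10.10.0.0/24", "HQ-Branch"),                 # via the IPsec tunnel interface
    Route("10.10.0.0/24", "blackhole", distance=254),   # drop if the tunnel route disappears
]


def installed_routes(table):
    """RIB -> FIB: for each prefix only the candidate(s) with the lowest distance
    are active; routes whose interface is down never enter the table."""
    best = {}
    for r in table:
        if not r.up:
            continue
        net = ipaddress.ip_network(r.dst)
        if net not in best or r.distance < best[net][0].distance:
            best[net] = [r]
        elif r.distance == best[net][0].distance:
            best[net].append(r)
    return best


def lookup(table, ip):
    """Longest-prefix match over the active table, then priority order.
    Returns [] when no route (not even a default) covers the address."""
    addr = ipaddress.ip_address(ip)
    active = installed_routes(table)
    covering = [n for n in active if addr in n]
    if not covering:
        return []
    longest = max(covering, key=lambda n: n.prefixlen)
    return sorted(active[longest], key=lambda r: r.priority)


def with_interface_down(table, device):
    """Same table with every route on `device` marked down."""
    return [replace(r, up=False) if r.device == device else r for r in table]


if __name__ == "__main__":
    for ip in ("8.8.8.8", "172.16.20.5", "10.10.0.5"):
        r = lookup(TABLE, ip)[0]
        print(f"{ip:>12} -> {r.device} gw={r.gateway} dist={r.distance}")
    # tunnel down: the /24 falls back to the blackhole instead of leaking to wan1
    print("10.10.0.5 with tunnel down ->",
          lookup(with_interface_down(TABLE, "HQ-Branch"), "10.10.0.5")[0].device)
    no_blackhole = [r for r in TABLE if r.device != "blackhole"]
    print("... and without the blackhole route ->",
          lookup(with_interface_down(no_blackhole, "HQ-Branch"), "10.10.0.5")[0].device)
```

The last two lines of output are the point: without the distance-254 blackhole, a down tunnel silently sends the branch traffic out wan1 in cleartext, which `get router info routing-table details 10.10.0.5` would show as the default route.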

🎓 Pro Tip: Bookmark this page and keep it handy during FortiGate deployments, troubleshooting sessions, and when studying for Fortinet certifications (NSE4+).