FortiGate Deployment Modes
- NAT/Route Mode
- Default mode. FortiGate acts as a Layer 3 router and firewall. Interfaces have IP addresses. Performs routing and NAT between zones. Required for VPN, SD-WAN, and most features.
- Transparent Mode
- Layer 2 bridge mode. Interfaces have no IP addresses (except management). No NAT, no routing. Insert inline without re-addressing the network. Firewall policies still enforce on bridged traffic.
- get system status | grep 'Operation Mode'
- Show whether FortiGate is operating in NAT/Route mode or Transparent mode. Output: 'Operation Mode: NAT' or 'Operation Mode: Transparent'.
- VDOM Mode
- Virtual Domain — divide one FortiGate into multiple logical firewalls. Each VDOM has independent interfaces, routing, and policies. Used for multi-tenant or segmented environments.
- Interface types
- Physical, VLAN (802.1Q sub-interface), Aggregate (LACP bonding), Redundant (active-standby bonding), Loopback (always-up virtual), Software Switch (L2 bridge of physical ports)
System Administration
- config system admin
- Configure administrator accounts. Set password, profile, trusted hosts, and access method (GUI/CLI/API).
- Trusted hosts
- config system admin → edit admin → set trusthost1 10.10.10.0/24. Restricts logins to specified source IPs only. Lock-out risk: always include your current management subnet.
- config system interface
- Configure interface IP, admin access, role, and aliases. set allowaccess https ssh ping sets permitted management protocols.
- Firmware backup before upgrade
- execute backup config ftp <filename> <FTP_IP> [user] [pass] — OR — GUI: System > Firmware > Backup. Always back up config before firmware upgrade.
- execute restore image ftp
- execute restore image ftp <filename> <FTP_IP> — download firmware image and schedule upgrade. Requires reboot to apply.
- Factory reset
- execute factoryreset — resets all config. Default management IP: 192.168.1.99. Default credentials: admin / (no password).
- HA configuration
- config system ha → set mode a-p (active-passive) or a-a (active-active) → set group-name → set password → set monitor (monitored interfaces) → set hbdev (heartbeat interfaces)
- diagnose sys ha status
- Show HA cluster status: primary/secondary role, serial numbers, heartbeat interface status, and sync state.
Firewall Policies
- Policy matching order
- Top-to-bottom. First matching policy wins. Implicit deny-all at the bottom. A policy placed below a broader one that fully covers its interfaces, addresses and services can never match (it is shadowed, i.e. dead): reorder or delete it.
- config firewall policy
- config firewall policy → edit <id> → set name → set srcintf → set dstintf → set srcaddr → set dstaddr → set service → set action accept|deny → set schedule → next
- Enable NAT on policy
- set nat enable — enables SNAT (overload with interface IP by default). set ippool enable + set poolname <pool> — uses a named IP pool instead of interface IP.
- Apply security profiles to policy
- set utm-status enable → set av-profile <name> → set webfilter-profile <name> → set ips-sensor <name> → set application-list <name> → set ssl-ssh-profile <name>
- set inspection-mode proxy|flow
- Per-policy inspection mode. proxy: full content buffering, all UTM features including DLP with full file analysis. flow: stream inspection, lower latency. In FortiOS 7.6, DLP supports both modes (set feature-set {flow|proxy} in dlp profile) — proxy mode provides deeper analysis.
- diagnose debug flow trace
- Step-by-step packet trace showing policy lookup, NAT, and routing. ALWAYS use a filter: diagnose debug flow filter addr <IP> — then diagnose debug flow show function-name enable — then diagnose debug enable
- diagnose sniffer packet <intf> 'host <IP>' 4
- Tcpdump-style packet capture. Run before debug flow to confirm traffic is arriving on the expected interface. Verbose level 4 shows headers.
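Two of the pitfalls in this sheet (the trusted-host lock-out under System Administration and shadowed policies under Policy matching order) can be checked offline against a saved `show` config before it is committed. The following is an added example written for this page, not FortiOS code or a Fortinet tool: it parses the config/edit/set/next/end structure into nested dicts, then tests whether the operator's source IP is still covered by the admin's trusthost entries and which policies are fully covered by an earlier one. The config text, names and addresses are constructed; the generic parser goes beyond the two `config` trees used here and handles any depth of nesting.

```python
import ipaddress
import shlex

def parse_fortios_config(text):
    """'config a b' -> key 'a b'; 'edit X' -> key X beneath it; 'set k v1 v2' ->
    {'k': ['v1', 'v2']}. Nested config blocks hang off the enclosing edit."""
    stack = [{}]
    for raw in text.splitlines():
        tokens = shlex.split(raw)              # honours FortiOS double-quoted values
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        if kw == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif kw in ("next", "end"):
            stack.pop()
        elif kw == "set":
            stack[-1][args[0]] = args[1:]
        elif kw == "unset":
            stack[-1].pop(args[0], None)
    return stack[0]

def trusthost_networks(admin):
    """trusthostN entries as ip_network: saved configs use 'addr mask', the CLI 'addr/len'."""
    nets = []
    for key, vals in admin.items():
        if key.startswith(("trusthost", "ip6-trusthost")):
            spec = f"{vals[0]}/{vals[1]}" if len(vals) == 2 else vals[0]
            nets.append(ipaddress.ip_network(spec, strict=False))
    return nets

def lockout_risk(config, admin_name, mgmt_ip):
    """True if the operator at mgmt_ip could no longer log in as admin_name.
    No trusthost lines means the FortiOS default (any source), hence no risk."""
    nets = trusthost_networks(config["system admin"][admin_name])
    return bool(nets) and not any(ipaddress.ip_address(mgmt_ip) in n for n in nets)

# Wildcard object per match field; other names are opaque, so coverage is judged
# by set inclusion (conservative: no false positives, may miss overlapping objects).
WILDCARD = {"srcintf": "any", "dstintf": "any", "srcaddr": "all",
            "dstaddr": "all", "service": "ALL"}

def covers(earlier, later, field):
    a, b = set(earlier.get(field, [])), set(later.get(field, []))
    return WILDCARD[field] in a or (bool(b) and b <= a)

def shadowed_policies(config):
    """(shadowed_id, shadowing_id) pairs. Table order is evaluation order, so the
    first full cover wins whatever its action. Disabled, schedule-limited or
    user-group policies are not counted as covers, to stay conservative."""
    policies = list(config["firewall policy"].items())
    found = []
    for i, (pid, pol) in enumerate(policies):
        for earlier_id, earlier in policies[:i]:
            if earlier.get("status", ["enable"])[0] != "enable":
                continue
            if earlier.get("schedule", [""])[0] != "always" or "groups" in earlier:
                continue
            if all(covers(earlier, pol, f) for f in WILDCARD):
                found.append((pid, earlier_id))
                break
    return found

# Constructed sample (hypothetical names and RFC 1918 addresses, not from the page).
SAMPLE_CONFIG = """
config system admin
    edit "admin"
        set trusthost1 10.10.10.0 255.255.255.0
        set trusthost2 172.16.0.5/32
    next
end
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
    next
end
"""

if __name__ == "__main__":
    cfg = parse_fortios_config(SAMPLE_CONFIG)
    print("admin locked out from 192.168.50.7:", lockout_risk(cfg, "admin", "192.168.50.7"))
    print("shadowed (policy, hidden by):", shadowed_policies(cfg))
```

Feed it the output of `show system admin` and `show firewall policy` saved to a file. Policy 2 in the sample is reported as hidden by policy 1 because both match the same interfaces and addresses and policy 1 already allows the service "ALL"; the check deliberately ignores named address objects it cannot resolve, so it reports only certain shadowing.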
NAT Configuration
- IP Pool types (SNAT)
- Overload: many-to-one PAT (most common). One-to-one: each internal IP gets a dedicated external IP. Fixed Port Range: allocates port ranges per source IP. Port Block Allocation: assigns each source IP a block of ports, allocating further blocks as that block fills.
- config firewall ippool
- config firewall ippool → edit <name> → set type overload|one-to-one|fixed-port-range|port-block-allocation → set startip <IP> → set endip <IP>
- Virtual IP (VIP) for DNAT
- Maps external IP/port to internal server IP/port. VIP must be referenced as the DESTINATION address in a firewall policy. Creating a VIP alone does not open access.
- config firewall vip
- config firewall vip → edit <name> → set type static-nat → set extip <external_IP> → set mappedip <internal_IP> → set extintf <WAN_interface> → set portforward enable → set extport 80 → set mappedport 8080
- Central NAT mode
- Separate SNAT and DNAT tables (config firewall central-snat-map). Mutually exclusive with per-policy NAT per VDOM. More scalable for large deployments with many NAT rules.
- NAT46 / NAT64
- NAT46: translate IPv4 clients to IPv6 servers. NAT64: translate IPv6 clients to IPv4 servers. Configured under config firewall vip46 and vip64.
Authentication and FSSO
- Local user accounts
- config user local → edit <username> → set type password → set passwd <password>. Add user to a user group for use in firewall policies.
- LDAP server configuration
- config user ldap → edit <name> → set server <IP> → set dn 'dc=example,dc=com' → set bind-type regular → set username 'cn=svc_fortigate,ou=service' → set password <pwd>
- RADIUS server configuration
- config user radius → edit <name> → set server <IP> → set secret <shared_secret>. RADIUS authentication for VPN users, admin login, and captive portal.
- User groups
- config user group → edit <name> → set member <local_user1> <local_user2> → config match → edit 1 → set server-name <LDAP_server> → set group-name 'CN=VPN_Users,OU=Groups,DC=...'
- FSSO Collector Agent mode
- Windows agent installed on a server, reads Security Event Log from DCs via WMI. FortiGate connects to Collector Agent (TCP 8000). More reliable for large AD environments.
- FSSO Agentless mode
- FortiGate directly polls DCs via WMI (no agent). Simpler but generates more DC traffic. config user fsso-polling → edit <DC_name> → set server <DC_IP> → set user <domain\user> → set password <pwd>
- diagnose debug fsso
- diagnose debug application authd -1 — shows FSSO authentication events and login/logoff messages. Use to verify FSSO is receiving user logins from AD.
- diagnose firewall auth list
- Lists all active authenticated users: IP address, username, authentication method, and timeout timer.
Security Profiles
- Antivirus profile (proxy mode)
- config antivirus profile → edit <name> → set inspection-mode proxy → config http → set options scan → set archive-block encrypted → end. Buffers full file for scanning.
- Antivirus profile (flow mode)
- config antivirus profile → edit <name> → set inspection-mode flow-based. Streams packets through AV engine. Faster but cannot scan encrypted archives.
- Web filter profile
- config webfilter profile → edit <name> → config ftgd-wf → config filters → edit 1 → set category <cat_id> → set action block. FortiGuard cloud lookup for URL categories.
- Web filter static URL filter
- config webfilter urlfilter → edit <name> → config entries → edit 1 → set url 'www.example.com' → set type simple|wildcard|regex → set action block|allow|monitor
- Application control profile
- config application list → edit <name> → config entries → edit 1 → set category <cat_id> → set action block|allow|monitor|shape. Blocks by Layer 7 DPI signature, not URL.
- IPS sensor
- config ips sensor → edit <name> → config entries → edit 1 → set severity high critical → set action block → set status enable. Override specific signatures with custom entries.
- DNS filter profile
- config dnsfilter profile → edit <name> → set ftgd-dns enable → config ftgd-dns-filters → edit 1 → set category <cat_id> → set action block. Blocks DNS resolution for malicious/unwanted domains.
- DLP profile (flow or proxy feature-set)
- config dlp profile → edit <name> → set feature-set {flow|proxy} → config rule → edit 1 → set sensor <dlp_sensor_name> → set action block|allow|log → end. FortiOS 7.6 supports both flow and proxy feature-sets. Proxy mode provides full content buffering for deeper analysis; flow mode uses stream-based scanning. DLP archiving requires proxy mode.
SSL/SSH Inspection
- SSL inspection modes
- Certificate Inspection: validates cert only, no decrypt. No CA cert needed on endpoints. Cannot inspect content. Deep Inspection: decrypt + inspect + re-encrypt. CA cert MUST be trusted by endpoints.
- config firewall ssl-ssh-profile
- config firewall ssl-ssh-profile → edit 'deep-inspection' → set ssl-invalid-server-cert-action block|allow|ignore → config https → set ports 443 → set status deep-inspection
- SSL inspection CA cert
- The FortiGate uses its local CA certificate to re-sign decrypted content. Download the CA cert from System > Certificates and push to all endpoints via GPO or MDM to prevent browser warnings.
- SSL exemptions
- Exempt specific domains or IP ranges from deep inspection (banking apps, certificate-pinned apps). config firewall ssl-ssh-profile → edit <name> → config ssl-exempt → edit 1 → set type domain → set domain 'bank.com'
- SSH inspection
- Inspects SSH sessions. Can block specific SSH algorithms or port forwarding. set ssh-policy-check enable enables command logging and policy application to SSH sessions.
- Apply SSL profile to policy
- In the firewall policy: set ssl-ssh-profile 'deep-inspection'. Must be explicitly set — policies do NOT inherit SSL inspection by default.
Routing and SD-WAN
- config router static
- config router static → edit 1 → set dst 0.0.0.0/0 → set gateway 203.0.113.1 → set device wan1 → set distance 10 → set priority 0. Lower distance is preferred; among routes with equal distance, lower priority is preferred.
- Policy route (PBR)
- config router policy → edit 1 → set input-device internal → set src 10.1.1.0/24 → set dst 0.0.0.0/0 → set output-device wan2. Evaluated BEFORE routing table.
- get router info routing-table all
- Display full routing table including all installed routes with source, distance, metric, and next-hop.
- SD-WAN members
- config system sdwan → config members → edit 1 → set interface wan1 → set gateway 203.0.113.1 → edit 2 → set interface wan2 → set gateway 198.51.100.1
- SD-WAN Performance SLA
- config system sdwan → config health-check → edit 'ISP_Health' → set server '8.8.8.8' → set protocol ping → set update-static-route enable → set members 1 2 → set latency-threshold 100 → set packet-loss-threshold 5
- SD-WAN rules (traffic steering)
- config system sdwan → config service → edit 1 → set name 'Best_Quality' → set mode best-quality (or load-balance|manual|priority) → set health-check 'ISP_Health' → set member 1 2
- OSPF configuration
- config router ospf → set router-id 10.0.0.1 → config area → edit 0.0.0.0 → config network → edit 1 → set prefix 192.168.1.0/24 → set area 0.0.0.0
- BGP configuration
- config router bgp → set as 65001 → set router-id 10.0.0.1 → config neighbor → edit 203.0.113.1 → set remote-as 65002 → set update-source wan1
IPsec VPN
- IPsec Phase 1 (IKEv1)
- config vpn ipsec phase1-interface → edit <name> → set interface wan1 → set ike-version 1 → set keylife 86400 → set peertype any|one → set psksecret <PSK> → set proposal aes256-sha256 → set dhgrp 14
- IPsec Phase 2 (route-based)
- config vpn ipsec phase2-interface → edit <name> → set phase1name <p1_name> → set proposal aes256-sha256 → set pfs enable → set dhgrp 14 → set keylifeseconds 3600. No proxy IDs needed for route-based.
- IPsec Phase 2 (policy-based)
- config vpn ipsec phase2-interface → edit <name> → set phase1name <p1_name> → set src-subnet 10.0.1.0/24 → set dst-subnet 10.0.2.0/24. Proxy IDs must match on both peers.
- Route-based VPN static route
- config router static → edit 1 → set dst 10.0.2.0/24 → set device <tunnel_interface_name>. Traffic to 10.0.2.0/24 is routed into the IPsec tunnel interface.
- diagnose vpn ike gateway list
- Show IKE Phase 1 SA status: peer IP, auth method, IKE version, established time, and SA status (established/connecting/failed).
- diagnose vpn tunnel list
- Show IPsec Phase 2 SA status: tunnel name, remote IP, encryption/integrity algorithms, bytes in/out, and lifetime remaining.
- diagnose debug application ike -1
- Enable real-time IKE debug output. Use with diagnose debug enable. Verbose — use only for active troubleshooting. Disable with diagnose debug application ike 0 after troubleshooting.
- IKEv2 Phase 1 config
- config vpn ipsec phase1-interface → edit <name> → set ike-version 2 → set proposal aes256-sha256 → set dhgrp 14 19 → set psksecret <PSK>. IKEv2 combines Phase 1 and initial Phase 2 in fewer messages.
SSL VPN
- SSL VPN settings
- config vpn ssl settings → set servercert 'self-sign' → set tunnel-ip-pools <ip_pool_name> → set dns-server1 8.8.8.8 → set port 443 → set idle-timeout 300
- SSL VPN portal (tunnel mode)
- config vpn ssl web portal → edit 'full-access' → set tunnel-mode enable → set web-mode disable → set split-tunneling enable → config split-tunneling-routing-address → edit 1 → set addr 192.168.0.0/16
- SSL VPN portal (web mode)
- config vpn ssl web portal → edit 'web-only' → set web-mode enable → set tunnel-mode disable → config bookmark-group → (add internal web app bookmarks). No FortiClient required.
- SSL VPN firewall policy (required)
- config firewall policy → edit <id> → set srcintf ssl.root → set dstintf internal → set srcaddr all → set dstaddr 192.168.1.0/24 → set action accept → set groups <vpn_user_group>. Required for users to reach internal resources.
- get vpn ssl monitor
- Show active SSL VPN sessions: username, IP address, assigned tunnel IP, connection duration, and bytes transferred.
- Split tunneling
- set split-tunneling enable in portal config — only subnets in split-tunneling-routing-address go through VPN. All other internet traffic uses local connection. set split-tunneling disable sends ALL traffic through VPN.
- SSL VPN IP pool
- config firewall ippool → edit 'SSLVPN_Pool' → set type overload → set startip 10.10.10.1 → set endip 10.10.10.254. This pool is referenced in SSL VPN settings as tunnel-ip-pools.
Troubleshooting Commands
- diagnose debug flow filter addr
- diagnose debug flow filter addr 192.168.1.100 — set filter to trace only packets from/to this IP. Always filter before enabling debug flow on production systems.
- Debug flow trace sequence
- 1) diagnose debug flow filter addr <IP> 2) diagnose debug flow show function-name enable 3) diagnose debug flow show iprope enable 4) diagnose debug enable 5) Generate traffic 6) diagnose debug disable
- Debug flow output: policy lookup
- iprope_in_check() shows which policy matched: 'find policy … id=<policy_id> (deny/accept)'. id=0 means implicit deny. Look for 'drop' reason in output.
- diagnose sniffer packet
- diagnose sniffer packet wan1 'host 8.8.8.8 and icmp' 4 10 — capture 10 packets on wan1 matching ICMP to 8.8.8.8. Levels 1-6: 6 = full hex dump.
- get system session list
- Show active session table entries. Filter: get system session list | grep 192.168.1.100. Confirms that traffic is being processed and shows the NAT translation applied to each session.
- diagnose ip route list
- Show kernel routing table including SD-WAN route cache entries. Complements get router info routing-table all.
- FortiGate support log
- execute log filter device disk → execute log display — view local disk logs. diagnose log test — generate test log entries to verify logging is working.
- diagnose debug reset
- Reset all active debug filters. Run after troubleshooting to stop debug output and remove filters. diagnose debug disable also stops output.
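A filtered debug flow trace (see the trace sequence above and the debug flow item under Firewall Policies) still produces many lines per packet, and the verdict is spread over several of them. The following is an added example for this page, not a Fortinet tool: it groups `diagnose debug flow` output by trace_id and extracts the ingress interface, the route chosen, the matched policy and action (with policy 0 flagged as the implicit deny), and any SNAT applied. The sample output is constructed to look like FortiOS output using RFC 5737 addresses; the regular expressions match the message formats quoted on this page and in common trace output, and should be treated as assumptions to adjust if your firmware phrases them differently.

```python
"""Summarise 'diagnose debug flow' output per trace_id: matched policy, action,
egress route and SNAT. Added example; the sample lines are constructed."""
import re

LINE_RE = re.compile(r'trace_id=(\d+)\s+func=(\w+)\s+line=\d+\s+msg="(.*)"')
PKT_RE = re.compile(r'received a packet\(proto=(\d+), (\S+)->(\S+)\) from (\S+)\.')
ROUTE_RE = re.compile(r'find a route: flag=\S+ gw-(\S+) via (\S+)')
ALLOW_RE = re.compile(r'Allowed by Policy-(\d+)')
DENY_RE = re.compile(r'Denied by forward policy check \(policy (\d+)\)')
SNAT_RE = re.compile(r'SNAT (\S+)->(\S+)')


def new_trace():
    return {"proto": None, "src": None, "dst": None, "ingress": None,
            "egress": None, "gateway": None, "policy": None, "action": None,
            "implicit_deny": False, "snat": None}


def parse_debug_flow(text):
    """Group lines by trace_id and pull out the decisions a troubleshooter needs."""
    traces = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                      # prompt, blank or other non-trace line
        tid, _func, msg = m.groups()
        t = traces.setdefault(int(tid), new_trace())
        if (p := PKT_RE.search(msg)):
            t["proto"], t["src"], t["dst"], t["ingress"] = int(p[1]), p[2], p[3], p[4]
        elif (r := ROUTE_RE.search(msg)):
            t["gateway"], t["egress"] = r[1], r[2]
        elif (a := ALLOW_RE.search(msg)):
            t["policy"], t["action"] = int(a[1]), "accept"
        elif (d := DENY_RE.search(msg)):
            t["policy"], t["action"] = int(d[1]), "deny"
            t["implicit_deny"] = t["policy"] == 0   # policy 0 is the implicit deny-all
        elif (s := SNAT_RE.search(msg)):
            t["snat"] = s[2]
    return traces


def summarise(traces):
    """One human-readable line per trace, in trace_id order."""
    out = []
    for tid, t in sorted(traces.items()):
        verdict = f"{t['action']} by policy {t['policy']}"
        if t["implicit_deny"]:
            verdict += " (implicit deny: no policy matched)"
        line = (f"trace {tid}: proto {t['proto']} {t['src']} -> {t['dst']} "
                f"in {t['ingress']} out {t['egress']} via {t['gateway']}: {verdict}")
        if t["snat"]:
            line += f", SNAT to {t['snat']}"
        out.append(line)
    return out


# Constructed sample shaped like FortiOS debug-flow output (RFC 5737 addresses).
SAMPLE_OUTPUT = """
FGT # diagnose debug enable
id=20085 trace_id=7 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=6, 192.168.1.100:51514->203.0.113.80:443) from internal. flag [S], seq 3145, ack 0, win 64240"
id=20085 trace_id=7 func=init_ip_session_common line=5519 msg="allocate a new session-0000a12c"
id=20085 trace_id=7 func=vf_ip_route_input_common line=2583 msg="find a route: flag=04000000 gw-203.0.113.1 via wan1"
id=20085 trace_id=7 func=fw_forward_handler line=737 msg="Allowed by Policy-1: SNAT"
id=20085 trace_id=7 func=__ip_session_run_tuple line=2893 msg="SNAT 192.168.1.100->203.0.113.2:51514"
id=20085 trace_id=8 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=6, 192.168.1.100:51520->198.51.100.25:23) from internal. flag [S], seq 9001, ack 0, win 64240"
id=20085 trace_id=8 func=init_ip_session_common line=5519 msg="allocate a new session-0000a12d"
id=20085 trace_id=8 func=vf_ip_route_input_common line=2583 msg="find a route: flag=04000000 gw-203.0.113.1 via wan1"
id=20085 trace_id=8 func=fw_forward_handler line=737 msg="Denied by forward policy check (policy 0)"
"""

if __name__ == "__main__":
    for line in summarise(parse_debug_flow(SAMPLE_OUTPUT)):
        print(line)
```

Capture the console output of the filtered trace to a file and pass its contents to parse_debug_flow; trace 8 in the sample shows the shape of a packet that reached the implicit deny, which is exactly the case where checking the routing step (it did leave via wan1) before blaming the policy saves time.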