By | 03/02/2016

Out of the box setup


Port 1 / Internal interface – DHCP is often enabled on port 1 / the internal interface

Change admin password

Default username: admin / <blank>

config system admin
 edit admin
  set password PASSWORD
 next
end

Switch modes

Two available modes – need to be setup as a first step

Interface – Each internal interface acts as an L3 interface with its own IP

Switch – All internal interfaces work as an L2 switch

config system global
 set internal-switch-mode [interface|switch]
end


Fortiguard provides updates and access to the different security services.

  • Package updates for Antivirus, IPS, etc – downloaded over HTTPS
  • Queries to FortiGuard servers for Web Filter and Antispam – use UDP port 53 or UDP port 8888

Force a registration / update attempt:

exec update-now

Debug problems with the registration:

diag debug app update -1
diag debug en

Configuration basics


config system interface
 edit portX
  set ip X.X.X.X/M
  set allowaccess SERVICES
 next
end


Check status:

get system status
config log disk setting

If the log disk status is "needs format":

execute formatlogdisk



Firewall Admin Operation

Reset admin password

  1. Physically restart the FortiGate device
  2. Through the console, log in with the following information within 14 seconds of boot
    • user: maintainer
    • pass: bcpbSERIALNUMBER


Reset to factory defaults

execute factoryreset

Export – Import configuration

The configuration is specific to each model, although the configuration file can be edited (its first text line) so that it is accepted by other models.

Sequence keys

CTRL+L – clear screen

CTRL+C – Abort command and exit


execute ping-options source IP
execute ping IP
execute traceroute IP

Ping-options also apply to the execute traceroute command

Basic troubleshooting

show system interface
show system interface portX
show route static
show full-configuration
show full-configuration system interface portX

get system status 
get system performance status
diagnose system session filter clear
diagnose system session filter dport PORT
diagnose system session filter dst IP
diagnose system session ?
diagnose system session list
diagnose system session clear

diagnose ip arp list
get router info routing-table all
get router info routing-table database
get router info kernel
diagnose ip address list

diagnose system session stat

diagnose debug crashlog read
diagnose debug rating

diagnose firewall statistics show
diagnose system top [refresh in s]
diagnose system top-summary
diagnose hardware deviceinfo nic portX

Add additional monitors to the GUI:

config system global
 set gui-utm-monitors enable
 set gui-?

Other commands

execute reboot


Logging and Monitoring

Types of Logs

  • Traffic Log – Traffic forward, local, invalid and multicast
  • Event Log – System, User, Network (Router, VPN, Wifi)
  • Security Log – Antivirus, Web Filter, IPS, etc

Display logs on the cli

exe log display
exe log filter

Alert emails send an email when matching log events occur

SMTP configuration needs to be done on the cli:

config system email-server
 set type custom
 set reply-to (email)
 set server (IP or FQDN)
 set port (connection port)
 set source-ip (interface ip)
 set authenticate [enable|disable]
 set security [none|starttls|smtps]
end

Alert email setup is done in the GUI

Packet Capture (CLI)

diag sniff packet <interface> '<filter>' <level>
diag sniff packet any 'dst host' 4
diag sniff packet any 'host and icmp' 4
diag sniff packet any 'tcp[13]&2==2' 4
diag sniff packet any 'host and (port 21 or port ??)' 4

Level  – 1 to 6
Interface – physical or logical name

Export to a Wireshark CAP file – requires an external Perl script:
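As an added example (not part of the original notes and not the Perl script they refer to), the following Python script does what that export step does: it parses the verbose level 3 output of diag sniff packet (a header line followed by a hex dump of each frame) and writes a standard pcap file that Wireshark can open. It also decodes the TCP flag byte so you can verify offline what the 'tcp[13]&2==2' filter above selects (SYN set). The sniffer output embedded in the script is constructed: the MAC and IP addresses, timestamp and port numbers are made up, the IP/TCP checksums are zeroed, and the dump layout ("0xNNNN<TAB> hex words<TAB>ascii") and the treatment of the device timestamp as UTC are assumptions.

```python
import re
import struct
from datetime import datetime, timezone

# Constructed sample of "diag sniff packet any 'tcp[13]&2==2' 3" output.
# One Ethernet/IPv4/TCP SYN frame (54 bytes). Addresses are made up and the
# IP/TCP checksums are zeroed; the "0xNNNN<TAB> hex<TAB>ascii" layout is assumed.
SAMPLE_SNIFFER_OUTPUT = """\
interfaces=[any]
filters=[tcp[13]&2==2]
2016-03-02 10:00:00.123456 port1 in 10.0.0.1.12345 -> 10.0.0.2.80: syn 1
0x0000\t 0011 2233 4455 6677 8899 aabb 0800 4500\t.."3DUfw......E.
0x0010\t 0028 0001 0000 4006 0000 0a00 0001 0a00\t.(....@.........
0x0020\t 0002 3039 0050 0000 0001 0000 0000 5002\t..09.P........P.
0x0030\t 2000 0000 0000\t ......
"""

# "<date> <time> <interface> <in|out> <summary>" introduces each frame.
HEADER_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) (\S+) (in|out) (.*)$")
# "0xNNNN<whitespace><hex words>" lines carry the frame bytes; the ASCII
# column after the tab is ignored because the character class stops at it.
HEXLINE_RE = re.compile(r"^0x[0-9a-fA-F]{4}\s+([0-9a-fA-F ]+)")


def parse_sniffer_output(text):
    """Return a list of (sec, usec, interface, direction, frame_bytes)."""
    packets = []
    current = None  # header fields of the frame whose hex dump is being read
    hex_words = []

    def finish():
        if current is not None and hex_words:
            sec, usec, iface, direction = current
            packets.append((sec, usec, iface, direction,
                            bytes.fromhex("".join(hex_words))))

    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            finish()
            # Assumption: the device clock is treated as UTC.
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
            ts = ts.replace(tzinfo=timezone.utc)
            current = (int(ts.timestamp()), ts.microsecond, m.group(2), m.group(3))
            hex_words = []
            continue
        m = HEXLINE_RE.match(line)
        if m and current is not None:
            hex_words.append(m.group(1).replace(" ", ""))
    finish()
    return packets


def to_pcap(packets):
    """Serialise parsed frames as a classic pcap (link type 1 = Ethernet)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for sec, usec, _iface, _direction, frame in packets:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame))
        out += frame
    return bytes(out)


def tcp_flags(frame):
    """Return the TCP flag byte (what the sniffer filter calls tcp[13]) of an
    Ethernet/IPv4/TCP frame, or None if the frame is not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType IPv4
        return None
    if frame[23] != 6:                                     # IP protocol TCP
        return None
    ihl = (frame[14] & 0x0F) * 4                           # IPv4 header length
    tcp = frame[14 + ihl:]
    return tcp[13] if len(tcp) >= 14 else None


def is_syn(frame):
    """Offline equivalent of the sniffer filter 'tcp[13]&2==2'."""
    flags = tcp_flags(frame)
    return flags is not None and (flags & 0x02) == 0x02


if __name__ == "__main__":
    pkts = parse_sniffer_output(SAMPLE_SNIFFER_OUTPUT)
    with open("fgt_capture.pcap", "wb") as f:
        f.write(to_pcap(pkts))
    for sec, usec, iface, direction, frame in pkts:
        print(f"{iface} {direction} {len(frame)} bytes "
              f"flags=0x{tcp_flags(frame):02x} syn={is_syn(frame)}")
```

Run it with the sniffer output pasted into a file (or piped in) instead of the constructed sample; level 3 must be used on the FortiGate, since levels 1 and 2 do not include the full hex dump.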


Packet flow debug

diag debug flow show function enable
diag debug flow show console enable
diag debug flow filter addr IP
diag debug flow filter port PORTNUM
diag debug enable
diag debug flow trace start 20

It’s possible to combine packet flow and sniffer outputs

Session information

diag sys session filter dst IP
diag sys session list




Packet Handling

Phase 1 – Ingress

  • Denial of service sensor
  • Packet integrity check
  • IPSec tunnel match
  • Destination NAT
  • Routing

Phase 2 – Stateful Inspection

  • Management Traffic
  • Policy lookup
    • Session tracking
    • Session helpers
    • SSL VPN
    • User Authentication
    • Traffic Shaping

Phase 3 – UTM Scanning

  • Flow-based inspection
    • IPS
    • Application Control
    • Email Filtering
    • Web Filtering
    • Antivirus
  • Proxy-based inspection
    • VoIP Inspection
    • Data Leak Prevention
    • Email Filtering
    • Web Filtering
    • Antivirus
    • ICAP

Phase 4 – Egress

  • IPSec
  • Source NAT
  • Routing


Inspection modes

  • Proxy based
  • Flow based




SSL VPN Access modes

  • Web-only – limited to a few protocols
  • Port Forward – based on proxy setup
  • Tunnel – Forti SSL client


diag debug reset
diag vpn ike log-filter ?
diag debug application ike 255
diag debug enable
diag vpn tunnel list


Electing the Master

HA Override disable

  • Monitored Ports
  • Greater Uptime
  • Greater Priority
  • Greater Serial #

Force failover:

Master> diagnose sys ha reset-uptime


HA Override enable

  • Monitored Ports
  • Greater Priority
  • Greater Uptime
  • Greater Serial #

Failback to the master happens automatically when it is online again.
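The two election orders above, as an added example that is not part of the original notes: a small Python model that ranks cluster members by the page's criteria (monitored ports, then uptime/priority in the order that depends on the override setting, then serial number) and shows the effect of diagnose sys ha reset-uptime and of the automatic failback. The unit names, serial numbers and figures are constructed, and comparing serial numbers as strings is an assumption.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class HaUnit:
    name: str
    monitored_ports_up: int  # monitored interfaces currently up (more wins)
    uptime: int              # HA uptime in seconds (reset by "reset-uptime")
    priority: int            # configured HA priority
    serial: str              # compared as a string (assumption)


# Criteria in order of precedence, taken from the two lists above.
ORDER_OVERRIDE_DISABLED = ("monitored_ports_up", "uptime", "priority", "serial")
ORDER_OVERRIDE_ENABLED = ("monitored_ports_up", "priority", "uptime", "serial")


def elect_master(units, override=False):
    """Return the unit the cluster picks as master under the given override setting."""
    order = ORDER_OVERRIDE_ENABLED if override else ORDER_OVERRIDE_DISABLED
    return max(units, key=lambda u: tuple(getattr(u, field) for field in order))


def reset_uptime(unit):
    """Model of 'diagnose sys ha reset-uptime' run on this unit."""
    return replace(unit, uptime=0)


# Constructed cluster: A has the higher priority, B has been up far longer.
UNIT_A = HaUnit("FGT-A", monitored_ports_up=2, uptime=600, priority=200,
                serial="FGT-SERIAL-A-PLACEHOLDER")
UNIT_B = HaUnit("FGT-B", monitored_ports_up=2, uptime=50000, priority=100,
                serial="FGT-SERIAL-B-PLACEHOLDER")


def scenario_override_disabled():
    """Uptime beats priority: B is master; resetting its uptime forces failover to A."""
    before = elect_master([UNIT_A, UNIT_B], override=False)
    after = elect_master([UNIT_A, reset_uptime(UNIT_B)], override=False)
    return before.name, after.name


def scenario_override_enabled():
    """Priority beats uptime: A is master even with far less uptime, and when A
    returns after an outage (uptime 0) it takes the master role back."""
    normal = elect_master([UNIT_A, UNIT_B], override=True)
    a_down = elect_master([UNIT_B], override=True)
    a_back = elect_master([reset_uptime(UNIT_A), UNIT_B], override=True)
    return normal.name, a_down.name, a_back.name


def scenario_monitored_port_down():
    """A failed monitored port loses regardless of priority or uptime."""
    b_port_failed = replace(UNIT_B, monitored_ports_up=1)
    return elect_master([UNIT_A, b_port_failed], override=False).name


if __name__ == "__main__":
    print("override disabled (before, after reset-uptime):", scenario_override_disabled())
    print("override enabled (normal, A down, A back):", scenario_override_enabled())
    print("B monitored port down:", scenario_monitored_port_down())
```

The model deliberately reproduces the strict ordering written in the notes; it is meant to make the difference between the two lists visible, not to replace reading the cluster state with diagnose sys ha status.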



!check HA status
diagnose sys ha status
diagnose sys ha showcsum

!access to slave member from the master
execute ha manage ?
execute ha manage <HA_unit_index>

!check configuration synchronization
diagnose sys ha showcsum



diag test app ipsm <number>

SSL Inspection

In order to do full SSL inspection of servers you own, the server certificate together with its private key must be installed on the FortiGate, so it can present the right certificate to the user accessing the system.

For clients accessing public SSL systems, an SSL proxy certificate needs to be created and signed internally (no public CA will sign it). The local CA also needs to be installed on the clients (via an AD GPO, for example); the HTTPS pages will then not show a warning, but they won't be signed by the right public CA: the certificates will be issued by the internal CA.

Network Acceleration


Fortimanager  / Fortianalyzer

Required ports:

Debug device discovery:

diagnose debug application depmanager 255
diagnose debug enable




Quick Start Guide