FortiGate initial configuration using CLI

This post outlines the essential minimum configuration steps for a FortiGate firewall using the CLI to enable internet access. The configuration covers:

  • Setting the hostname
  • Configuring interfaces
  • Creating a static default route
  • Defining firewall address objects
  • Setting up firewall policies
  • Configuring Central Source NAT (SNAT)

Configuration

  • Boot the FortiGate device and connect using the console port.
  • When prompted to log in, the username is admin and there is no password.

The FortiGate will prompt you to change the password; set a strong password.

Configure hostname

The command config system global sets the hostname for the FortiGate.

config system global
 set hostname FGT6
end

Make sure you enter the command end to apply the configuration change.

Configure interfaces

Configure the LAN and WAN interfaces with the basic ip, description, role and allowaccess settings.

The interface roles define the logical function of a network interface, especially in the context of Security Fabric, SD-WAN, and GUI-based configurations. While not always required for CLI-based setups, they are very important for Security Fabric, ZTNA, FortiAnalyzer integration, and central management scenarios.

The allowaccess setting controls which management protocols are allowed to connect to an interface. SSH and HTTPS should generally be restricted on WAN-facing interfaces and allowed only on the LAN or management interfaces.

To configure the interfaces, run the command config system interface and then edit <interface name>.

config system interface
 edit "port2"
  set vdom "root"
  set ip 192.168.3.1 255.255.255.0
  set allowaccess ping https ssh
  set type physical
  set description "LAN"
  set role lan
 next

Enter the command next to apply the configuration while staying in config system interface mode, which allows the next interface to be configured.

 edit "port3"
  set vdom "root"
  set ip 192.168.20.16 255.255.255.0
  set allowaccess ping
  set type physical
  set description "INET"
  set role wan
end

Enter the command end to apply the configuration and exit config system interface mode.

Configure the static routing

At a minimum, a default route must be configured on the FortiGate to enable network reachability. The command config router static specifies the destination as 0.0.0.0/0, along with the next-hop gateway IP address and the outgoing interface.

config router static
 edit 1
  set dst 0.0.0.0/0.0.0.0
  set gateway 192.168.20.1
  set device "port3"
  next
end

Configure firewall address objects

The command config firewall address in FortiGate is used to define address objects, which represent IP addresses, subnets, FQDNs, ranges, or geographic locations. These address objects are then used in firewall policies, NAT rules etc.

Configure a firewall address object to represent the internal LAN.

config firewall address
 edit "LAN"
  set associated-interface "port2"
  set color 1
  set subnet 192.168.3.0 255.255.255.0
 next
end

Firewall Mode

FortiGate firewalls support two operating modes, profile-based and policy-based. By default, the FortiGate uses the traditional profile-based mode.

  • In Profile-based mode, security features like antivirus, web filtering, and application control are configured as separate profiles and then linked to firewall policies as needed. This mode provides granular control over security profiles and is ideal for environments requiring advanced customization and flexibility in inspection modes. It also supports complex NAT configurations and is often preferred for its detailed control options.
  • Policy-based mode simplifies the configuration by allowing applications and web filtering categories to be directly added to security policies without the need to first create and configure Application Control or Web Filtering profiles. This mode is particularly suited for organizations with simpler networks or for teams migrating from other firewall systems where policy-based approaches are common.

Profile-based mode is often preferred for its granular control and flexibility, while Policy-based mode is favored for its simplicity and ease of use.

This configuration uses the default profile-based mode.

The config firewall policy command in FortiGate is used to create, edit, and manage firewall policies, which define how traffic is allowed or denied between interfaces, zones, or VDOMs.

config firewall policy
 edit 1
  set name "Internet"
  set uuid 426bb2da-573f-51f0-616d-385678c01ade
  set srcintf "port2"
  set dstintf "port3"
  set action accept
  set srcaddr "LAN"
  set dstaddr "all"
  set schedule "always"
  set service "HTTP" "HTTPS" "DNS"
  set logtraffic all
 next
 edit 2
  set name "Ping"
  set srcintf "port2"
  set dstintf "port3"
  set action accept
  set srcaddr "LAN"
  set dstaddr "all"
  set schedule "always"
  set service "PING"
  set logtraffic all
 next
end

For reference, the firewall mode can be changed using the following command.

config system settings
 set ngfw-mode profile-based|policy-based
end

FGT6 (settings) # set ngfw-mode
profile-based    Application and web-filtering are configured using profiles applied to policy entries.
policy-based     Application and web-filtering are configured as policy match conditions.

Configure central source NAT

When private IP addresses are used on the internal LAN, Network Address Translation (NAT) is necessary to convert them into public IP addresses for external communication. The FortiGate can perform this translation using either its outgoing interface IP (egress IP) or a defined pool of public IP addresses.

Central NAT is an alternative to the traditional “per-policy” NAT. It provides a centralised and consistent way to manage source NAT (SNAT) and destination NAT (DNAT) separately from firewall policies.

Enable Central NAT

config system settings
 set central-nat enable
end

Configure SNAT for the Internal LAN network.

config firewall central-snat-map
 edit 1
  set srcintf "port2"
  set dstintf "port3"
  set orig-addr "LAN"
  set dst-addr "all"
 next
end
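The two configuration points that most often go wrong in a minimal build like this are management protocols left in allowaccess on the WAN-role interface (see the interface section above) and central NAT not actually being enabled before the central-snat-map entry is created. The following added example (not from the original post or from Fortinet) parses the flat config/edit/set/next/end format used throughout this post and checks both conditions; the sample configuration embedded in it is constructed and deliberately leaves https and ssh on port3 so the check has something to report.

```python
import shlex

# Constructed sample in the post's config/edit/set/next/end format, not the page's own
# text: port3 deliberately allows https and ssh on the WAN-role interface to be flagged.
SAMPLE = """\
config system interface
 edit "port2"
  set allowaccess ping https ssh
  set role lan
 next
 edit "port3"
  set allowaccess ping https ssh
  set role wan
 next
end
config system settings
 set central-nat enable
end
"""

def parse_fortios(text):
    """Flat blocks -> {table: {entry: {key: [values]}}}; table-level sets go under None.
    Assumption: no 'config' nested inside an 'edit' (true for the snippets in this post)."""
    tables, table, entry = {}, None, None
    for line in text.splitlines():
        tok = shlex.split(line)          # strips the quotes around names like "port2"
        if not tok:
            continue
        if tok[0] == "config":
            table, entry = " ".join(tok[1:]), None
            tables.setdefault(table, {})
        elif tok[0] == "edit":
            entry = tok[1]
        elif tok[0] == "set":
            tables[table].setdefault(entry, {})[tok[1]] = tok[2:]
        elif tok[0] == "next":
            entry = None
        elif tok[0] == "end":
            table, entry = None, None
    return tables

MGMT_PROTOCOLS = {"http", "https", "ssh", "telnet", "snmp"}

def check_config(text):
    """Return findings: management protocols on WAN-role interfaces, and central NAT off."""
    cfg, findings = parse_fortios(text), []
    for name, attrs in cfg.get("system interface", {}).items():
        exposed = MGMT_PROTOCOLS & set(attrs.get("allowaccess", []))
        if attrs.get("role") == ["wan"] and exposed:
            findings.append(f"{name}: {' '.join(sorted(exposed))} allowed on WAN-role interface")
    if cfg.get("system settings", {}).get(None, {}).get("central-nat") != ["enable"]:
        findings.append("central-nat not enabled: central-snat-map entries are ignored")
    return findings
```

Run check_config on a `show full-configuration` export (or the snippets from this post) to get the list of findings; an empty list means both checks passed.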

Verification

Verification is easiest from the GUI, where logs and reports can be viewed directly.

  • From the GUI navigate to Log & Report > Forward Traffic

From this page we can confirm whether traffic is flowing through the firewall and being allowed or denied. The Policy ID column confirms which firewall rule the traffic matched.

  • From the GUI navigate to Policy & Objects > Firewall Policy

From this page we can confirm the configuration of the firewall rules configured via the CLI and on the far right of the page, a hit count is displayed.

  • From the GUI navigate to Policy & Objects > Central SNAT

From this page we can confirm the configuration of the SNAT rule configured via the CLI.

  • From the GUI navigate to Network > Static Routes

From this page we can confirm the configured default static route and edit if required.


  • To view the routing table from the CLI, run the command get router info routing-table all

FGT6 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
V - BGP VPNv4
* - candidate default

Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 192.168.20.1, port3, [1/0]
C       192.168.3.0/24 is directly connected, port2
C       192.168.20.0/24 is directly connected, port3