FortiOS 5.6 Getting Started

3
2
1
FortiOS™ Handbook - Getting Started

VERSION 5.6.6
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com
FORTINET VIDEO GUIDE
https://video.fortinet.com
FORTINET KNOWLEDGE BASE
http://kb.fortinet.com
FORTINET BLOG
https://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com
FORTINET NSE INSTITUTE (TRAINING)

https://training.fortinet.com/
FORTIGUARD CENTER
https://fortiguard.com
FORTICAST
http://forticast.fortinet.com
END USER LICENSE AGREEMENT AND PRIVACY POLICY

https://www.fortinet.com/doc/legal/EULA.pdf
https://www.fortinet.com/corporate/about-us/privacy.html
FEEDBACK
Email: techdoc@fortinet.com
November 19, 2018
FortiOS™ Handbook - Getting Started
01-566-142188-20180913
TABLE OF CONTENTS
Change log 7
Getting started 8
Differences between Models 8
What's New in FortiOS 5.6 9
FortiOS 5.6.3 9
Administrator password changes (414927) 9
Support FortiOS to allow user to select domain when logging a FG into FortiCloud
(452350) 9
FortiOS 5.6.1 9
VM License visibility improvement (423347) 9
FortiView Dashboard Widget (434179) 10
Controls added to GUI CLI console (422623) 11
FortiExplorer icon enhancement (423838) 11
FortiOS 5.6 11
Licenses 14
FortiCloud 14
Fortinet Security Fabric 15
Administrators 15
CPU 16
Memory 16
Sessions 17
Bandwidth 17
Virtual Machine 18
Changing inspection modes (flow-based or proxy-based) 18
Transparent Web proxy mode 19
NGFW profile-based and NGFW policy-based modes 19
Change to CLI console (396225) 20
System Information Dashboard widget WAN IP Information enhancement (401464) 20
CLI and GUI changes to display FortiCare registration information (395254) 20
Improved GUI for Mobile Screen Size & Touch Interface (355558) 21
Setup Wizard removed 21
Installation 22
Quick installation using DHCP 23
Installing a FortiGate in NAT mode 24
NAT mode vs. Transparent mode 24
Standard installation in NAT mode 24
Redundant Internet installation 25
Using a Virtual Wire Pair 26
Using the GUI 28
Connecting to the GUI using a web browser 28
Menus 29
Dashboard 31
Feature Visibility 34
Enabling/disabling features 34
Security Features Presets 34
Tables 35
Navigation 35
Filters 35
Column settings 35
Copying objects 35
Editing objects 36
Text Strings 37
Entering text strings (names) 37
Entering numeric values 38
Using the CLI 39
Connecting to the CLI 39
Connecting to the CLI using a local console 39
Enabling access to the CLI through the network (SSH or Telnet) 40
Connecting to the CLI using SSH 41
Connecting to the CLI using Telnet 42
CLI-only features 43
Command syntax 44
Terminology 44
Indentation 45
Notation 45
Sub-commands 47
Example of table commands 49
Permissions 52
Increasing the security of administrator accounts 52
Tips 53
FortiExplorer for iOS 61
Getting started with FortiExplorer 61
Connecting FortiExplorer to a FortiGate via USB 61
Connecting FortiExplorer to a FortiGate via WiFi 65
Upgrading to FortiExplorer Pro 66
LED Specifications 67
Sample FortiGate faceplates 67
LED status codes 68
About alarm levels 69
LED status codes for ports 70
Inspection Mode 71
Changing inspection and policy modes 71
NGFW policy mode 71
Proxy mode and flow mode antivirus and web filter profile options 73
Basic Administration 75
Registration 75
System Settings 75
Default administrator password 75
Settings 76
Administrator password retries and lockout time 78
Passwords 79
Password policy 80
Firmware 81
Backing up the current configuration 81
Downloading firmware 81
Testing new firmware 82
Upgrading the firmware 83
Reverting to a previous firmware version 85
Installing firmware from a system reboot - CLI 86
Restoring firmware from a USB key - CLI 87
Configuration revision 88
Controlled upgrade 88
Configuration Backups 88
Backing up the configuration using the GUI 89
Backing up the configuration using the CLI 89
Backup and restore the local certificates 90
Restore a configuration 90
Configuration revision 91
Restore factory defaults 92
FortiGuard 92
Support Contract and FortiGuard Subscription Services 93
Verifying your connection to FortiGuard 93
Configuring AntiVirus and IPS Options 95
Manual updates 96
Automatic updates 96
Sending malware statistics to FortiGuard 98
Configuring Web Filtering and Email Filtering Options 98
Email filtering 98
Online Security Tools 99
FortiCloud 99
Registration and Activation 100
Enabling logging to FortiCloud 100
Logging into the FortiCloud portal 101
Cloud Sandboxing 101
Troubleshooting your FortiGate Installation 102
Resources 104
Best Practices 104
The Fortinet Video Library 104
The FortiOS Handbook 104
Change log
Date Change description
November 19, 2018 Removed details about using SCP and included links to the KB article How to
download/upload a FortiGate configuration file using secure file copy (SCP).
October 26, 2018 Corrected an error in Configuration Backups on page 88.
September 13, 2018 Initial FortiOS 5.6.6 release.
September 10, 2018 Correction to "Restoring firmware from a USB key - CLI" on page 87.
June 21, 2018 Initial FortiOS 5.6.5 release.
April 26, 2018 Initial FortiOS 5.6.4 release.
March 23, 2018 Update to Inspection Mode re: SSH inspection support.
February 13, 2018 Updated FortiExplorer for iOS content to be iOS-specific.
December 7, 2017 Made change to table in Inspection Mode section (Mantis 462280)
December 5, 2017 FortiOS 5.6.3 release. See "FortiOS 5.6.3" on page 9
October 17, 2017 Updates and edits throughout the chapter.
October 11, 2017 Added detail to Dashboard in Using the GUI section.
September 28, 2017 Added information to Registration.
September 7, 2017 Edited Administrator password retries and lockout time in System Settings.
August 18, 2017 Added new information for features first appearing FortiOS 5.6.1 and added link
to Fortinet Cookbook Hardware page to the Getting Started Introduction.
August 17, 2017 Initial FortiOS 5.6.2 release.
July 27, 2017 FortiOS 5.6.1 document release. See "FortiOS 5.6.1" on page 9
April 26, 2017 Removed some extra text from page 15.
April 20, 2017 FortiOS 5.6 document release. See "FortiOS 5.6" on page 11
Getting Started 7
Fortinet Technologies Inc.
Getting started
This guide explains how to get started with a FortiGate, and examines basic configuration tasks and best
practices in these sections:
l Installation discusses installing a FortiGate in your network.

l Using the GUI highlights features of the graphical user interface (GUI).
l Using the CLI provides a high level overview of the command line interface (CLI) for FortiOS.
l FortiExplorer for iOS provides instructions for connecting to a FortiGate using the FortiExplorer for iOS app.
l FortiGate Inspection Mode summarizes proxy-based and flow-based inspection modes.
l FortiGate LED Specifications presents a short guide to LED status indicators.
l Basic Administration explains basic tasks for setting up a new FortiGate and for updating firmware.
l Resources provides a list of documents to help you with more advanced FortiGate configurations.
Differences between Models
Before you get started, note that not all FortiGate models have the same features. This is especially true of the
desktop or entry-level models: FortiGate / FortiWiFi models 30 to 90. If you are using one of these FortiGate
models, you may have some difficulties accessing certain features.
Preliminary information on entry-level models is available below:
The entry-level, or desktop, models can connect to the internet in two simple steps. They also have a number of
features that are only available using the CLI, rather than appearing in the GUI.
l Quick installation using DHCP

l CLI-only features
Consult your model's Quick Start Guide, hardware manual, or the Feature / Platform
Matrix for further information about features that vary by model.
FortiGate models differ principally by the names used and the features available:
l Naming conventions may vary between FortiGate models. For example, on some models the hardware switch
interface used for the local area network is called lan, while on other units it is called internal.
l Certain features are not available on all models. Additionally, a particular feature may be available only through the
CLI on some models, while that same feature may be viewed in the GUI on other models.
If you believe your FortiGate model supports a feature that does not appear in the GUI, go to System
> Feature Visibility and confirm that the feature is enabled. For more information, see Feature Visibility on
page 34.
8 Getting Started
What's New in FortiOS 5.6
This chapter describes new features added to FortiOS 5.6.0, 5.6.1, and 5.6.3.
FortiOS 5.6.3
These features first appeared in FortiOS 5.6.3.
Administrator password changes (414927)

The existing Change Password dialog that appears in the GUI is updated to reflect the new look of the password
change prompt at login.
l Added inline validation for checking password policy and password reuse
l Changed style to match new login prompt password change
l Fixed issue where fDialog would close slide out on submission failure
Support FortiOS to allow user to select domain when logging a FG into FortiCloud
(452350)
Support has been added to show a list of all possible FortiCloud domains that the FortiGate can be served by.
Syntax
execute fortiguard-log domain
This command is typically used for testing purposes, and so it will not appear when entering execute
fortiguard-log ?.
FortiOS 5.6.1
These features first appeared in FortiOS 5.6.1.
VM License visibility improvement (423347)

VM License GUI items have changed as follows:
l Added VM widget to Global > Dashboard. Includes the following:

l License status and type.
l CPU allocation usage.
l License RAM usage.
l VMX license information (if the VM supports VMX).
l If the VM license specifies 'unlimited' the progress bar is blank.
Getting Started 9
FortiOS 5.6.1 What's New in FortiOS 5.6
l If the VM is in evaluation mode, it is yellow (warning style) and the dashboard show evaluation days used.
l Widget is shown by default in the dashboard of a FortiOS VM device.
l Removed VM information from License widget at Global > Dashboard.
l License info and Upload License button provided on page Global > System > FortiGuard.
l Updated 'Upload VM License' page:
l Added license RAM usage and VMX instance usage.
l Replaced file input component.
CLI Syntax
config sys admin
edit <name>
config gui-dashboard
edit <1>
set name <name>
config widget
edit <2>
set type {vminfo | ...} <- new option
set x-pos <2>
set y-pos <1>
set width <1>
set height <1>
next
end
next
end
next
end
FortiView Dashboard Widget (434179)

Added a new widget type to the dashboard for top level FortiView. FortiView widgets have report-by, sort-by,
visualization, timeframe properties, and filters subtable in the CLI.
Supported FortiViews include Source, Destination, Application, Country, Interfaces, Policy, Wifi Client, Traffic
Shaper, Endpoint Vulnerability, Cloud User, Threats, VPN, Websites, and Admin and System Events.
Bubble, table, chord chart, and country visualizations are supported in the widget.
Widgets can be saved from a filtered FortiView page on to a dashboard.
Syntax
config system admin
config gui-dashboard
config widget
set type fortiview
set report-by {source | destination | country | intfpair | srcintf | dstintf |
policy | wificlient | shaper | endpoint | application | cloud | web | threat
| system | unauth | admin | vpn}
set timeframe {realtime | 5min | hour | day | week}
set sort-by <string>
set visualization {table | bubble | country | chord}
config filters
set key <filter_key>
10 Getting Started
What's New in FortiOS 5.6 FortiOS 5.6
set value <filter_value>

end
end
end
end
end
Where:
l report-by = Field to aggregate the data by.

l timeframe = Timeframe period of reported data.
l sort-by = Field to sort the data by.
l visualization = Visualization to use.
Controls added to GUI CLI console (422623)

FortiOS 5.6.1 introduces new options in the browser CLI console to export the console history. Options are now
available to Clear console, Download, and Copy to clipboard.
FortiExplorer icon enhancement (423838)

FortiOS icons and colors are now exportable in the GUI shared project and FortiExplorer now uses these icons
and colors. This change improves the icon colors only for the FortiExplorer GUI theme (seen only when accessing
a web GUI page from within the FortiExplorer iOS app).
The following locations were affected: Policy List, Policy Dialogue, Address List, Address Dialogue, Virtual IP list,
Virtual IP Dialogue.
FortiOS 5.6
These features first appeared in FortiOS 5.6.
The FortiOS 5.6 Dashboard has a new layout with a Network Operations Center (NOC) view with a focus on
alerts. Widgets are interactive; by clicking or hovering over most widgets, the user can get additional information
or follow links to other pages.
Enhancements to the GUI dashboard and its widgets are:
l Multiple dashboard support.

l VDOM and global dashboards.
l Updated resize control for widgets.
l Notifications moved to the top header bar (moved existing dashboard notifications to the header and added
additional ones).
l Reorganization of Add Widget dialog.
l New Host Scan Summary widget.
l New Vulnerabilities Summary widget that displays endpoint vulnerability information much like the FortiClient
Getting Started 11
FortiOS 5.6 What's New in FortiOS 5.6
Enterprise Management Server (EMS) summary.

l Multiple bug fixes.
Features that were only visible through old dashboard widgets have been placed elsewhere in the GUI:
l Restore configuration.
l Configuration revisions.
l Firmware management.
l Enabling / disabling VDOMs.
l Changing inspection mode.
l Changing operation mode.
l Shutdown / restart device.
l Changing hostname.
l Changing system time.
The following widgets are displayed by default:
l System Information
l Licenses
l FortiCloud
l Security Fabric
l Administrators
l CPU
l Memory
l Sessions
l Bandwidth
l Virtual Machine (on VMs and new to FortiOS 5.6.1)
The following optional widgets are available:
12 Getting Started
l Interface Bandwidth
l Disk Usage
l Security Fabric Risk
l Advanced Threat Protection Statistics
l Log Rate
l Session Rate
l Sensor Information
l HA Status
l Host Scan Summary
l Vulnerabilities Summary
l FortiView (new to FortiOS 5.6.1)
The following widgets have been removed:
l CLI Console
l Unit Operation
l Alert Message Console
System Information
FortiGuard WAN IP blacklist service is now online

The Fortiguard WAN IP blacklist service was not online in FortiOS 5.6.0. In FortiOS 5.6.1, a notification appears
on the Dashboard when WAN IP is blacklisted. Clicking on the notification (bell icon) brings up the blacklist
details.
Getting Started 13
Licenses
Hovering over the Licenses widget will cause status information (and, where applicable, database information)
on the licenses to be displayed for FortiCare Support, IPS & Application Control, AntiVirus, Web
Filtering, Mobile Malware, and FortiClient. The image below shows FortiCare Support information along
with the registrant's company name and industry.
Clicking in the Licenses widget will provide you with links to other pages, such as System > FortiGuard or
contract renewal pages.
FortiCloud
This widget displays FortiCloud status and provides a link to activate FortiCloud.
14 Getting Started
Fortinet Security Fabric

The Security Fabric widget is documented in the Security Fabric section of the What's New document.
Administrators
This widget allows you to view which administrators are logged in and how many sessions are active. The link
directs you to a page displaying active administrator sessions.
Getting Started 15
CPU
The real-time CPU usage is displayed for different timeframes.
Memory
Real-time memory usage is displayed for different time frames. Hovering over any point on the graph displays
percentage of memory used along with a timestamp.
16 Getting Started
Sessions
Bandwidth
Getting Started 17
Changing inspection modes (flow-based or proxy-based) What's New in FortiOS 5.6
Virtual Machine
FortiOS 5.6.1 introduces a VM widget with these features:
l License status and type.

l CPU allocation usage.
l License RAM usage.
l VMX license information (if the VM supports VMX).
l If the VM license specifies 'unlimited' the progress bar is blank.
l If the VM is in evaluation mode, it is yellow (warning style) and the dashboard show evaluation days used.
l Widget is shown by default in the dashboard of a FortiOS VM device.
l Removed VM information from License widget at Global > Dashboard.
l License info and Upload License button provided on page Global > System > FortiGuard.
l Updated 'Upload VM License' page:
l Added license RAM usage and VMX instance usage.
l Replaced file input component.
Changing inspection modes (flow-based or proxy-based)
To change inspection modes, go to System > Settings and scroll down to Inspection Mode. You can select
Flow-based to operate in Flow mode or Proxy to operate in Proxy mode. Flow-based inspection is the default
inspection mode for FortiOS 5.6.
18 Getting Started
What's New in FortiOS 5.6 Transparent Web proxy mode
Transparent Web proxy mode
In proxy mode, FortiOS 5.6 functions just like FortiOS 5.4 with the addition of the new Transparent Web Proxy
mode. See New Operating mode for Transparent web proxy (386474) on page 1.
NGFW profile-based and NGFW policy-based modes
When you use Flow-based as the Inspection Mode, you have the option in FortiOS 5.6 to select an NGFW
Mode. Profile-based mode works the same as flow-based mode did in FortiOS 5.4
Flow-based inspection with profile-based NGFW mode is the default in FortiOS 5.6.
In the new NGFW Policy-based mode, you add applications and web filtering profiles directly to a policy without
having to first create and configure Application Control or Web Filtering profiles. When selecting NGFW policy-
based mode you can also select the SSL/SSH Inspection mode that is applied to all policies. See NGFW Policy
Mode (371602) on page 1.
When you use flow-based inspection, all proxy mode profiles are converted to flow mode, removing any proxy
settings. And proxy-mode only features (for example, Web Application Profile) are removed from the GUI.
If your FortiGate has multiple VDOMs, you can set the inspection mode independently for each VDOM. Go to
System > VDOM. Click Edit for the VDOM you wish to change and select the Inspection Mode.
CLI syntax
The following CLI commands can be used to configure inspection and policy modes:
config system settings
set inspection-mode {proxy | flow}
set policy-mode {standard | ngfw}
end
Getting Started 19
NGFW profile-based and NGFW policy-based modes What's New in FortiOS 5.6
Change to CLI console (396225)

The CLI Console widget has been removed from FortiOS 5.6.0. It is accessed from the upper-right hand corner of
the screen and is no longer a pop-out window but a sliding window.
System Information Dashboard widget WAN IP Information enhancement (401464)

WAN IP and location data are now available in the System Information widget. Additionally, If the WAN IP is
blacklisted in the FortiGuard server, there will be a notification in the notification area, located in the upper right-
hand corner of the Dashboard. Clicking on the notification will open the WAN IP Blacklisted slider with the
relevant blacklist information.
CLI and GUI changes to display FortiCare registration information (395254)

The changes pertain to industry and organization size of the FortiGate's registered owner.
GUI Changes
l Add industry and organization size to FortiCare registration page
l Add company and industry to license widget tooltip for FortiCare
When you hover over the Licenses widget in the FortiOS 5.6 dashboard, you can see the company and industry
data, provided it has been entered in the FortiCare profile.
20 Getting Started
What's New in FortiOS 5.6 NGFW profile-based and NGFW policy-based modes
CLI Changes
Commands are added to diagnose forticare
dia forticare direct-registration product-registration -h
Options: a:A:y:C:c:T:eF:f:hI:i:l:O:o:p:P:z:R:r:S:s:t:v:
--<long> -<short>
account_id a:
address A:
city y:
company C:
contract_number c:
country_code T:
existing_account e
fax F:
first_name f:
help h
industry I:
industry_id i:
last_name l:
orgsize O:
orgsize_id o:
password p:
phone P:
postal_code z:
reseller R:
reseller_id r:
state S:
state_code s:
title t:
version v:
Improved GUI for Mobile Screen Size & Touch Interface (355558)
The FortiOS web GUI on mobile screens and include functionality for touch interfaces like tap to hold are
improved.
Setup Wizard removed
Previously, the Setup Wizard could be launched from the web GUI by selecting the button, located in the top
right corner. This button and the wizard in question has been removed.
Getting Started 21
Installation
This section discusses how to install your FortiGate and use it in your network, after completion of the initial setup
outlined in the FortiGate model’s Quick Start Guide.
The following topics are included in this section:
l Quick installation using DHCP

l Installing a FortiGate in NAT mode
l Using a Virtual Wire Pair
22 Getting Started
Installation Quick installation using DHCP
Quick installation using DHCP
Most of the FortiGate desktop models have a default configuration that includes a DHCP server on the lan (or
internal) interface and a security policy that securely allows all sessions from the internal network to reach the
Internet. Because of this, you can connect your desktop FortiGate to the Internet in two simple steps:
Note that, in order to use this installation method, your ISP must provide connectivity
with DHCP and accept DHCP requests without authentication. You must also use IPv4
to connect your FortiGate to the Internet.
1. Connect the FortiGate's wan interface to your ISP-supplied equipment, and connect the internal network to the
FortiGate’s default lan interface. Turn on the ISP’s equipment, the FortiGate, and the computers on the internal
network.
2. For computers on the internal network:
a. Windows Vista/7/8/10 users:
i. Go to Network and Sharing Center and select Change adapter settings.
ii. Open the Local Area Connection (Ethernet or Wi-Fi, whichever applies) and select Properties.
iii. Select Internet Protocol Version 4 (TCP/IPv4) and then select Properties.
iv. Select Obtain an IP address automatically and Obtain DNS server address automatically.
v. Click OK.
b. Mac OS X users:
i. Go to System Preferences > Network and select your Ethernet connection.
ii. Set Configure IPv4 to Using DHCP.
Results
From any computer on the internal network, open a web browser and browse to any website to confirm successful
Internet connectivity.
Getting Started 23
Installing a FortiGate in NAT mode Installation
Installing a FortiGate in NAT mode
There are two main ways to install a FortiGate using network address translation (NAT)/Route mode: Standard
installation in NAT mode, where Internet access is provided by a single Internet service provider (ISP), and
Redundant Internet installation, where two ISPs are used.
NAT mode vs. Transparent mode

A FortiGate can operate in one of two modes: NAT or Transparent.
The most common of the two operating modes is NAT mode, where a FortiGate is installed as a gateway or
router between two networks. In most cases, it is used between a private network and the Internet. This allows
the FortiGate to hide the IP addresses of the private network using NAT. NAT mode is also used when two or
more ISPs provide the FortiGate with redundant Internet connections.
A FortiGate in Transparent mode is installed between the internal network and the router. In this mode, the
FortiGate does not make any changes to IP addresses and only applies security scanning to traffic. When a
FortiGate is added to a network in Transparent mode, no network changes are required, except to provide the
FortiGate with a management IP address. Transparent mode is used primarily when there is a need to increase
network protection but changing the configuration of the network itself is impractical.
For more information about Transparent Mode, see the Transparent Mode handbook.
Standard installation in NAT mode

In this configuration, a FortiGate is installed as a gateway or router between a private network and the Internet.
By using NAT, the FortiGate is able to hide the IP addresses of the private network.
24 Getting Started
Installation Installing a FortiGate in NAT mode
Redundant Internet installation

In this configuration, a WAN link interface is created that provides the FortiGate with redundant Internet
connections from two ISPs. The WAN link interface combines these two connections, allowing the FortiGate to
treat them as a single interface.
Installing a FortiGate with Redundant Internet
If you have previously configured your FortiGate using the standard installation, you
will have to delete all routes and policies referring to an interface that will be used to
provide redundant Internet. This includes the default Internet access policy that is
included on many FortiGate models.
1. Connect your ISP devices to your FortiGate’s Internet-facing interfaces (typically WAN1 and WAN2).
2. Go to Network > SD-WAN to create a WAN link interface, which is used to group multiple Internet connections
together so that the FortiGate can treat them as a single interface.
3. Set the interface's Status to Enable.
4. Under Interface, select Create New. Add WAN1 and enter the Gateway IP provided by your primary ISP. Do the
same for WAN2, but use the Gateway IP provided by your secondary ISP.
5. Select an appropriate method for the SD-WAN Usage from the following options, and Apply your changes when
finished:
l Bandwidth - A bandwidth cap is defined for active members of the SD WAN link.
l Volume - A volume ratio is set for each active member.
l Sessions - A sessions ratio is set for each active member.
6. Go to Network > Static Routes and create a new default route. Set Interface to the SD-WAN link.
7. Go to Policy & Objects > IPv4 Policy and select Create New to add a security policy that allows users on the
private network to access the Internet.
Getting Started 25
Using a Virtual Wire Pair Installation
Using a Virtual Wire Pair
A virtual wire pair consists of two interfaces that do not have IP addressing and are treated similar to a
transparent mode VDOM. All traffic received by one interface in the virtual wire pair can only be forwarded out the
other interface, provided that a virtual wire pair firewall policy allows this traffic. Traffic from other interfaces
cannot be routed to the interfaces in a virtual wire pair.
Virtual wire pairs are useful for atypical topologies where MAC addresses do not behave normally. For example,
port pairing can be used in a Direct Server Return (DSR) topology where the response MAC address pair may not
match the request’s MAC address pair.
Virtual wire pairing replaces the port pairing feature available in earlier firmware versions. Unlike port pairing,
virtual wire pairing can be used for FortiGates in both NAT and Transparent modes.
In the example configuration below, a virtual wire pair (consisting of port3 and port4) makes it easier to protect a
web server that is behind a FortiGate operating as an Internal Segmentation Firewall (ISFW). Users on the
internal network will access the web server through the ISFW over the virtual wire pair.
Adding a virtual wire pair and virtual wire pair policy
Interfaces used in a virtual wire pair cannot be used to access the ISFW FortiGate.
Before creating a virtual wire pair, make sure you have a different port configured to
allow admin access using your preferred protocol.
1. Go to Network > Interfaces and select Create New > Virtual Wire Pair.
2. Select the interfaces to add to the virtual wire pair. These interfaces cannot be part of a switch, such as the default
lan/internal interface.
3. (Optional) If desired, enable Wildcard VLAN .
4. Select OK.
5. Go to Policy & Objects > IPv4 Virtual Wire Pair Policy, select the virtual wire pair, and select Create New.
6. Select the direction that traffic is allowed to flow.
7. Configure the other firewall options as desired.
8. Select OK.
9. If necessary, create a second virtual wire pair policy to allow traffic to flow in the opposite direction.
26 Getting Started
Installation Using a Virtual Wire Pair
If you have a USB-wan interface, it will not be included in the interface list when
building a wired-pair.
Results
Traffic can now flow through the FortiGate using the virtual wire pair.
Getting Started 27
Using the GUI
This section presents an introduction to the FortiGate's graphical user interface (GUI), also called the web-based
manager.
The following topics are included in this section:
l Connecting to the GUI using a web browser

l Menus
l Dashboard
l Feature Visibility
l Tables
l Text Strings
Connecting to the GUI using a web browser
The graphical user interface is best displayed using a 1280 x 1024 resolution. Check
the FortiOS Release Notes for information about browser compatibility.
In order to connect to the GUI using a web browser, an interface must be configured to allow administrative
access over HTTPS or over both HTTPS and HTTP. By default, an interface has already been set up that allows
HTTPS access, with the IP address 192.168.1.99.
Browse to https://192.168.1.99 and enter your username and password. If you have not changed the admin
account’s password, use the default user name, admin, and leave the password field blank.
The GUI will now be displayed in your browser.
If you wish to use a different interface to access the GUI, do the following:
1. Go to Network > Interfaces and edit the interface you wish to use for access. Take note of its assigned IP
address.
2. Beside Administrative Access, select HTTPS, and any other protocol you require. You can also select HTTP,
although this is not recommended as the connection will be less secure.
3. Select OK.
4. Browse to the IP address using your chosen protocol.
Results
The GUI will now be displayed in your browser.
28 Getting Started
Using the GUI Menus
Menus
If you believe your FortiGate model supports a menu that does not appear in the GUI
as expected, go to System > Feature Visibility and ensure the feature is enabled.
For more information, see "Feature Visibility" on page 34.
The GUI contains the following main menus, which provide access to configuration options for most FortiOS
features:
Dashboard The dashboard displays various widgets that display important system
information and allow you to configure some system options.
For more information, see "Dashboard" on page 31.
Security Fabric Access the physical topology, logical topology, audit, and settings features
of the Fortinet Security Fabric.
For more information, see the Fortinet Security Fabric guide.
FortiView A collection of dashboards and logs that give insight into network traffic,
showing which users are creating the most traffic, what sort of traffic it is,
when the traffic occurs, and what kind of threat the traffic may pose to the
network.
For more information, see the FortiView handbook.
Network Options for networking, including configuring system interfaces and

routing options.
For more information, see the Networking handbook.
System Configure system settings, such as administrators, FortiGuard, and

certificates.
For more information, see the System Administration handbook.
Policy & Objects Configure firewall policies, protocol options, and supporting content for
policies, including schedules, firewall addresses, and traffic shapers.
For more information, see the Networking handbook.
Security Profiles Configure your FortiGate's security features, including AntiVirus, Web
Filtering, and Application Control.
For more information, see the Security Profiles handbook.
Getting Started 29
Menus Using the GUI
VPN Configure options for IPsec and SSL virtual private networks (VPNs).
For more information, see the IPsec VPN and SSL VPN handbooks.
User & Device Configure user accounts, groups, and authentication methods, including
external authentication and single sign-on (SSO).
WiFi & Switch Controller Configure the unit to act as a wireless network controller, managing the
wireless Access Point (AP) functionality of FortiWiFi and FortiAP units.
On certain FortiGate models, this menu has additional features allowing

for FortiSwitch units to be managed by the FortiGate.
For more information, see the FortiWiFi and FortiAP Configuration Guide
handbook.
Log & Report Configure logging and alert email as well as reports.
For more information, see the Logging and Reporting handbook.
Monitor View a variety of monitors, including the Routing Monitor, VPN monitors for
both IPsec and SSL, monitors relating to wireless networking, and more.
30 Getting Started
Using the GUI Dashboard
Dashboard
The FortiOS Dashboard consists of a network operations center (NOC) view with a focus on alerts. Widgets are
interactive; by clicking or hovering over most widgets, the user can get additional information or follow links to
other pages.
The dashboard and its widgets include:
l Multiple dashboard support.

l VDOM and global dashboards.
l Widget resize control.
l Notifications on the top header bar.
The following widgets are displayed by default:
Widget Description
System Information The System Information widget lists information relevant to the FortiGate
system, including Hostname, Serial Number, and Firmware.
Security Fabric The Security Fabric widget is documented in the Fortinet Security Fabric guide.
CPU The real-time CPU usage is displayed for different time frames.
Getting Started 31
Dashboard Using the GUI
Widget Description
License Status Hovering over the Licenses widget will display status information (and, where
applicable, database information) on the licenses for FortiCare Support, IPS &
Application Control, AntiVirus, Web Filtering, Mobile Malware, and
FortiClient.
Clicking in the Licenses widget will provide you with links to other pages, such as
System > FortiGuard or contract renewal pages.
FortiCloud This widget displays FortiCloud status and provides a link to activate FortiCloud.
Administrators This widget allows you to view which administrators are logged in and how many
sessions are active. The link directs you to a page displaying active administrator
sessions.
Memory Real-time memory usage is displayed for different time frames. Hovering over any
point on the graph displays percentage of memory used along with a timestamp.
Sessions Hovering over the Sessions widget allows you to view memory usage data over
time. Click on the down-arrow to change the timeframe displayed.
SPU (Security Processing Unit) percentage is displayed if your FortiGate includes

an SPU. Likewise, nTurbo percentage is displayed if supported by your
FortiGate. See the Hardware Acceleration chapter for details.
Bandwidth Hover over the Bandwidth widget to display bandwidth usage data over time.
Click on the down-arrow to change the timeframe displayed.
Bandwidth is displayed for both incoming and outgoing traffic.
Virtual Machine The VM widget (shown by default in the dashboard of a FortiOS VM device)
includes:
l License status and type

l CPU allocation usage
l License RAM usage
l VMX license information (if the VM supports VMX)
If the VM license specifies 'unlimited' the progress bar is blank. If the VM is in
evaluation mode, it is yellow (warning style) and the dashboard show evaluation
days used.
The following optional widgets are also available:
l FortiView
l Host Scan Summary
l Vulnerabilities Summary
l Botnet Activity
l HA Status
l Log Rate
32 Getting Started
Using the GUI Dashboard
l Session Rate
l Security Fabric Score
l Advanced Threat Protection Statistics
l Interface Bandwidth
Getting Started 33
Feature Visibility Using the GUI
Feature Visibility
Feature Visibility is used to control which features are visible in the GUI. This allows you to hide features that are
not being used. Some features are also disabled by default and must be enabled in order to configure them
through the GUI.
Feature Visibility only alters the visibility of these features, rather than their functionality. For example, disabling
web filtering on the Feature Visibility page does not remove web filtering from the FortiGate, but removes the
option of configuring web filtering from the GUI. Configuration options will still be available using the CLI.
Enabling/disabling features
Feature Visibility can be found at System > Feature Visibility. Ensure that all features you wish to configure in
the GUI are turned on, and that features you wish to hide are turned off. When you have finished, select Apply.
Security Features Presets

The main Security Features can be toggled individually, however six system presets (or Feature Sets) are
available:
l NGFW should be chosen for networks that require application control and protection from external attacks.
l ATP should be chosen for networks that require protection from viruses and other external threats.
l WF should be chosen for networks that require web filtering.
l NGFW + ATP should be chosen for networks that require protection from external threats and attacks.
l UTM should be chosen for networks that require protection from external threats and wish to use security features
that control network usage. This is the default setting.
l Custom should be chosen for networks that require customization of available features (including the ability to
select all features).
34 Getting Started
Using the GUI Tables
Tables
Many of the GUI pages contain tables of information that you can filter to display specific information.
Administrators with read and write access can define the filters.
Navigation
Some tables contain information and lists that span multiple pages. Navigation controls appear at the bottom of
the page.
Filters
Filters are used to locate a specific set of information or content within multiple pages. These are especially
useful in locating specific log entries. The specific filtering options vary, depending on the type of information in
the log.
To create a filter, select Add Filter at the top of the page. A list of the available fields for filtering will be shown.
Column settings
Column settings are used to select the types of information displayed on a certain page. Some pages have large
amounts of information available and not all content can be displayed on a single screen. Some pages may even
contain content that is irrelevant to you. Using column settings, you can choose to display only relevant content.
To view configure column settings, right-click the header of a column and select the columns you wish to view and
de-select any you wish to hide. After you have finished making your selections, click Apply (you may need to
scroll down the list to do so).
Any changes that you make to the column settings are stored in the unit’s configuration. To return columns to the
default state for any given page, right-click any header and select Reset Table.
Copying objects
In tables containing configuration objects, such as the policy table found at Policy & Objects > IPv4 Policy,
you have the option to copy an object. This allows you to create a copy of that object, which you can then
configure as needed. You can also reverse copy a policy to change the direction of the traffic impacted by that
policy.
To copy an object:
1. Select that object, then right-click to make a menu appear and select the Copy option.
2. Right-click the row in the table that is either above or below where you want the copied object to be placed, select
the Paste option and indicate Above or Below.
Reverse cloning works much the same way. Instead of selecting Copy, you will select Clone Reverse.
Once the policy is copied, you must give it a name, configure as needed, and enable it.
Getting Started 35
Tables Using the GUI
Editing objects
Some tables allow you to edit parts of the configuration directly on the table itself. For example, security features
can be added to an existing firewall policy from the policy list by clicking on the plus sign in the Security Profiles
column and selecting the desired profiles.
If this option is not immediately available, check to see that the column is not hidden (see Column settings).
Otherwise, you must select the object and open the policy by selecting the Edit option found at the top of the
page.
36 Getting Started
Using the GUI Text Strings
Text Strings
The configuration of a FortiGate is stored in the FortiOS configuration database. To change the configuration,
you can use the GUI or CLI to add, delete, or change configuration settings. These changes are stored in the
database as you make them. Individual settings in the configuration database can be text strings, numeric
values, selections from a list of allowed options, or on/off (enable/disable) settings.
Entering text strings (names)

Text strings are used to name entities in the configuration. For example, the name of a firewall address, the
name of an administrative user, and so on. You can enter any character in a FortiGate configuration text string,
except the following characters that present Cross-Site Scripting (XSS) vulnerabilities:
l “ (double quote)
l & (ampersand)
l ' (single quote)
l < (less than)
l > (greater than)
Most GUI text string fields make it easy to add an acceptable number of characters and prevent you from adding
the XSS vulnerability characters.
There is a different character limitation for VDOM names and hostnames. The only
valid characters are numbers (0-9), letters (a-z, A-Z), and special characters - (dash)
and _ (underscore).
From the CLI, you can also use the tree command to view the number of characters that are allowed in a name
field. For example, firewall address names can contain up to 64 characters. When you add a firewall address to
the GUI, you are limited to entering 64 characters in the firewall address name field. From the CLI you can enter
the following tree command to confirm that the firewall address name field allows 64 characters.
config firewall address
tree
-- [address] --*name (64)
|- uuid
|- subnet
|- type
|- start-ip
|- end-ip
|- fqdn (256)
|- country (3)
|- cache-ttl (0,86400)
|- wildcard
|- comment
|- visibility
|- associated-interface (36)
|- color (0,32)
|- [tags] --*name (65)
+- allow-routing
Getting Started 37
Text Strings Using the GUI
The tree command output also shows the number of characters allowed for other firewall address name
settings. For example, the fully qualified domain name (fqdn) field can contain up to 256 characters.
Entering numeric values

Numeric values set various sizes, rates, addresses, and other numeric values (e.g. a static routing priority of 10, a
port number of 8080, an IP address of 10.10.10.1). Numeric values can be entered as a series of digits without
spaces or commas (for example, 10 or 64400), in dotted decimal format (for example the IP address 10.10.10.1)
or, as in the case of MAC or IPv6 addresses, separated by colons (e.g. the MAC address 00:09:0F:B7:37:00).
Most numeric values are standard base-10 numbers, but some fields - again, such as MAC addresses - require
hexadecimal numbers.
Most GUI numeric value fields make it easy to add the acceptable number of digits within the allowed range. CLI
help text includes information about allowed numeric value ranges. Both the GUI and the CLI prevent you from
entering invalid numbers.
38 Getting Started
Using the CLI
The command line interface (CLI) is an alternative configuration tool to the GUI or web-based manager. While
the configuration of the GUI uses a point-and-click method, the CLI requires typing commands or uploading
batches of commands from a text file, like a configuration script.
This section explains common CLI tasks that an administrator does on a regular basis and includes the topics:
l Connecting to the CLI

l Command syntax
l Sub-commands
l Permissions
l Tips
Connecting to the CLI
You can access the CLI in three ways:
l Locally with a console cable — Connect your computer directly to the FortiGate unit’s console port. Local access is
required in some cases:
l If you are installing your FortiGate unit for the first time and it is not yet configured to connect to your network,
you may only be able to connect to the CLI using a local serial console connection, unless you reconfigure your
computer’s network settings for a peer connection.
l Restoring the firmware utilizes a boot interrupt. Network access to the CLI is not available until after the boot
process has completed, making local CLI access the only viable option.
l Through the network — Connect your computer through any network attached to one of the FortiGate unit’s
network ports. The network interface must have enabled Telnet or SSH administrative access if you connect using
an SSH/Telnet client, or HTTP/HTTPS administrative access if you connect by accessing the CLI Console in the
GUI. The CLI console can be accessed from the upper-right hand corner of the screen and appears as a slide-out
window.
l Locally with FortiExplorer for iOS — Use the FortiExplorer app on your iOS device to configure, manage, and
monitor your FortiGate.
Connecting to the CLI using a local console

Local console connections to the CLI are formed by directly connecting your management computer or console to
the FortiGate unit, using its DB-9 or RJ-45 console port. To connect to the local console you need:
l A computer with an available serial communications (COM) port.

l The RJ-45-to-DB-9 or null modem cable included in your FortiGate package.
l Terminal emulation software such as HyperTerminal for Microsoft Windows.
The following procedure describes the connection using Microsoft HyperTerminal software; steps may vary with
other terminal emulators.
Getting Started 39
Connecting to the CLI Using the CLI
To connect to the CLI using a local serial console connection
1. Using the null modem or RJ-45-to-DB-9 cable, connect the FortiGate unit’s console port to the serial
communications (COM) port on your management computer.
2. On your management computer, start HyperTerminal.
3. For the Connection Description, enter a Name for the connection, and select OK.
4. On the Connect using drop-down, select the communications (COM) port on your management computer you
are using to connect to the FortiGate unit.
5. Select OK.
6. Select the following Port settings and select OK.
Bits per second 9600
Data bits 8
Parity None
Stop bits 1
Flow control None
7. Press Enter or Return on your keyboard to connect to the CLI.

8. Type a valid administrator account name (such as admin) and press Enter.
9. Type the password for that administrator account and press Enter. (In its default state, there is no password for
the admin account.)
The CLI displays the following text:
Welcome!
Type ? to list available commands.
You can now enter CLI commands, including configuring access to the CLI through SSH or Telnet.
Enabling access to the CLI through the network (SSH or Telnet)

SSH or Telnet access to the CLI is accomplished by connecting your computer to the FortiGate unit using one of
its RJ-45 network ports. You can either connect directly, using a peer connection between the two, or through any
intermediary network.
If you do not want to use an SSH/Telnet client and you have access to the web-based
manager, you can alternatively access the CLI through the network using the CLI
Console widget in the web-based manager.
You must enable SSH and/or Telnet on the network interface associated with that physical network port. If your
computer is not connected directly or through a switch, you must also configure the FortiGate unit with a static
route to a router that can forward packets from the FortiGate unit to your computer. You can do this using either a
local console connection or the web-based manager.
Requirements
l A computer with an available serial communications (COM) port and RJ-45 port
l Terminal emulation software such as HyperTerminal for Microsoft Windows
40 Getting Started
Using the CLI Connecting to the CLI
l The RJ-45-to-DB-9 or null modem cable included in your FortiGate package

l A network cable
l Prior configuration of the operating mode, network interface, and static route.
To enable SSH or Telnet access to the CLI using a local console connection
1. Using the network cable, connect the FortiGate unit’s network port either directly to your computer’s network port,
or to a network through which your computer can reach the FortiGate unit.
2. Note the number of the physical network port.
3. Using a local console connection, connect and log into the CLI.
4. Enter the following command:
config system interface
edit <interface_str>
set allowaccess <protocols_list>
end
where:
l <interface_str> is the name of the network interface associated with the physical network port and
containing its number, such as port1.
l <protocols_list> is the complete, space-delimited list of permitted administrative access protocols, such
as https ssh telnet.
For example, to exclude HTTP, HTTPS, SNMP, and PING, and allow only SSH and Telnet administrative
access on port1, enter the following:
edit port1
set allowaccess ssh telnet
end
5. To confirm the configuration, enter the command to display the network interface’s settings.
show system interface <interface_str>
The CLI displays the settings, including the allowed administrative access protocols, for the network
interfaces.
Connecting to the CLI using SSH

Once the FortiGate unit is configured to accept SSH connections, you can use an SSH client on your
management computer to connect to the CLI.
Secure Shell (SSH) provides both secure authentication and secure communications to the CLI. FortiGate units
support 3DES and Blowfish encryption algorithms for SSH.
Before you can connect to the CLI using SSH, you must first configure a network interface to accept SSH
connections. The following procedure uses PuTTY. Steps may vary with other SSH clients.
To connect to the CLI using SSH
1. On your management computer, start an SSH client.

2. In Host Name (or IP address), enter the IP address of a network interface on which you have enabled SSH
administrative access.
3. Set a Port of 22.
Getting Started 41
Connecting to the CLI Using the CLI
4. For the Connection type, select SSH .

5. Select Open.
The SSH client connects to the FortiGate unit.
The SSH client may display a warning if this is the first time you are connecting to the FortiGate unit
and its SSH key is not yet recognized by your SSH client, or if you have previously connected to the
FortiGate unit but used a different IP address or SSH key. This is normal if your management
computer is directly connected to the FortiGate unit with no network hosts between them.
6. Click Yes to verify the fingerprint and accept the FortiGate unit’s SSH key. You will not be able to log in until you
have accepted the key.
7. The CLI displays a login prompt.
9. Type the password for this administrator account and press Enter.
The FortiGate unit displays a command prompt (its hostname followed by a #). You can now enter
CLI commands.
If three incorrect login or password attempts occur in a row, you will be disconnected.
If this occurs, wait one minute, then reconnect to attempt the login again.
Connecting to the CLI using Telnet

Once the FortiGate unit is configured to accept Telnet connections, you can use a Telnet client on your
management computer to connect to the CLI.
Telnet is not a secure access method. SSH should be used to access the CLI from the
Internet or any other untrusted network.
Before you can connect to the CLI using Telnet, you must first configure a network interface to accept Telnet
connections.
To connect to the CLI using Telnet
1. On your management computer, start a Telnet client.

2. Connect to a FortiGate network interface on which you have enabled Telnet.
4. Type the password for this administrator account and press Enter.
The FortiGate unit displays a command prompt (its hostname followed by a #). You can now enter
CLI commands.
If three incorrect login or password attempts occur in a row, you will be disconnected.
If this occurs, wait one minute, then reconnect to attempt the login again.
42 Getting Started
CLI-only features
As you can see in the Feature / Platform Matrix, the entry level models have a number of features that are only
available using the CLI, rather than appearing in the GUI.
You can open the CLI console so that it automatically opens to the object you wish to configure. For example, to
edit a firewall policy, right-click on the policy in the policy list (Policy & Objects > IPv4 Policy) and select Edit
in CLI. The CLI console will appear, with the commands to access this part of the configuration added
automatically.
Once you have access to the CLI, you can enter instructions for specific tasks that can be found throughout the
FortiOS Handbook. Options are also available at the top of the CLI Console to Clear console, Download, and
Copy to clipboard.
Refer to the CLI Reference for a list of the available commands.
Getting Started 43
Command syntax Using the CLI
Command syntax
When entering a command, the CLI console requires that you use valid syntax and conform to expected input
constraints. It will reject invalid commands.
Fortinet documentation uses the conventions below to describe valid command syntax.
Terminology
Each command line consists of a command word that is usually followed by configuration data or other specific
item that the command uses or affects.
To describe the function of each word in the command line, especially if that nature has changed between
firmware versions, Fortinet uses terms with the following definitions.
Command syntax terminology
l Command — A word that begins the command line and indicates an action that the FortiGate unit should perform
on a part of the configuration or host on the network, such as config or execute. Together with other words,
such as fields or values, that end when you press the Enter key, it forms a command line. Exceptions include multi-
line command lines, which can be entered using an escape sequence.
Valid command lines must be unambiguous if abbreviated. Optional words or other command line permutations are
indicated by syntax notation.
l Sub-command — A kind of command that is available only when nested within the scope of another command.
After entering a command, its applicable sub-commands are available to you until you exit the scope of the
command, or until you descend an additional level into another sub-command. Indentation is used to indicate levels
of nested commands.
Not all top-level commands have sub-commands. Available sub-commands vary by their containing scope.
l Object — A part of the configuration that contains tables and /or fields. Valid command lines must be specific
enough to indicate an individual object.
l Table — A set of fields that is one of possibly multiple similar sets which each have a name or number, such as an
administrator account, policy, or network interface. These named or numbered sets are sometimes referenced by
other parts of the configuration that use them.
44 Getting Started
Using the CLI Command syntax
l Field — The name of a setting, such as ip or hostname. Fields in some tables must be configured with values.
Failure to configure a required field will result in an invalid object configuration error message, and the FortiGate
unit will discard the invalid table.
l Value — A number, letter, IP address, or other type of input that is usually your configuration setting held by a field.
Some commands, however, require multiple input values which may not be named but are simply entered in
sequential order in the same command line. Valid input types are indicated by constraint notation.
l Option — A kind of value that must be one or more words from of a fixed set of options.
Indentation
Indentation indicates levels of nested commands, which indicate what other sub-commands are available from
within the scope. For example, the edit sub-command is available only within a command that affects tables,
and the next sub-command is available only from within the edit sub-command:
edit port1
set status up
next
end
Notation
Brackets, braces, and pipes are used to denote valid permutations of the syntax. Constraint notations, such as
<address_ipv4>, indicate which data types or string patterns are acceptable value input.
Command syntax notation
Convention Description
Square brackets [ ] An optional word or series of words. For example:
[verbose {1 | 2 | 3}]
indicates that you may either omit or type both the verbose word and its
accompanying option, such as verbose 3.
Curly braces { } A word or series of words that is constrained to a set of options delimited by
either vertical bars or spaces. You must enter at least one of the options,
unless the set of options is surrounded by square brackets [ ].
Options delimited by Mutually exclusive options. For example:

vertical bars |
{enable | disable}
indicates that you must enter either enable or disable, but must not
enter both.
Getting Started 45
Command syntax Using the CLI
Convention Description
Angle brackets < > A word constrained by data type. The angled brackets contain a
descriptive name followed by an underscore ( _ ) and suffix that indicates
the valid data type. For example, <retries_int>, indicates that you
should enter a number of retries as an integer.
Data types include:
l <xxx_name>: A name referring to another part of the configuration,

such as policy_A.
l <xxx_index>: An index number referring to another part of the
configuration, such as 0 for the first static route.
l <xxx_pattern>: A regular expression or word with wild cards that
matches possible variations, such as *@example.com to match all
email addresses ending in @example.com.
l <xxx_fqdn>: A fully qualified domain name (FQDN), such as
mail.example.com.
l <xxx_email>: An email address, such as admin@example.com.
l <xxx_ipv4>: An IPv4 address, such as 192.168.1.99.
l <xxx_v4mask>: A dotted decimal IPv4 netmask, such as
255.255.255.0.
l <xxx_ipv4mask>: A dotted decimal IPv4 address and netmask
separated by a space, such as 192.168.1.99 255.255.255.0.
l <xxx_ipv4/mask>: A dotted decimal IPv4 address and CIDR-notation
netmask separated by a slash, such as 192.168.1.1/24
l <xxx_ipv4range> : A hyphen ( - )-delimited inclusive range of IPv4
addresses, such as 192.168.1.1-192.168.1.255.
l <xxx_ipv6>: A colon( : )-delimited hexadecimal IPv6 address, such as
3f2e:6a8b:78a3:0d82:1725:6a2f:0370:6234.
l <xxx_v6mask>: An IPv6 netmask, such as /96.
l <xxx_ipv6mask>: A dotted decimal IPv6 address and netmask
separated by a space.
l <xxx_str>: A string of characters that is not another data type, such as
P@ssw0rd. Strings containing spaces or special characters must be
surrounded in quotes or use escape sequences.
l <xxx_int>: An integer number that is not another data type, such as
15 for the number of minutes.
Options delimited by Non-mutually exclusive options. For example:

spaces
{http https ping snmp ssh telnet}
indicates that you may enter all or a subset of those options, in any order,
in a space-delimited list, such as:
ping https ssh
46 Getting Started
Using the CLI Sub-commands
Sub-commands
Each command line consists of a command word that is usually followed by configuration data or other specific
item that the command uses or affects:
get system admin
Sub-commands are available from within the scope of some commands. When you enter a sub-command level,
the command prompt changes to indicate the name of the current command scope. For example, after entering:
config system admin
the command prompt becomes:

(admin)#
Applicable sub-commands are available to you until you exit the scope of the command, or until you descend an
additional level into another sub-command.
For example, the edit sub-command is available only within a command that affects tables; the next sub-
command is available only from within the edit sub-command:
edit port1
set status up
next
end
Sub-command scope is indicated by indentation.
Available sub-commands vary by command. From a command prompt within config, two types of sub-
commands might become available:
l commands affecting fields

l commands affecting tables
Getting Started 47
Sub-commands Using the CLI
Commands for tables
clone <table> Clone (or make a copy of) a table from the current object.
For example, in config firewall policy, you could enter the

following command to clone security policy 27 to create security policy 30:
clone 27 to 30
In config antivirus profile, you could enter the following

command to clone an antivirus profile named av_pro_1 to create a new
antivirus profile named av_pro_2:
clone av_pro_1 to av_pro_2
clone may not be available for all tables.
delete <table> Remove a table from the current object.
For example, in config system admin, you could delete an

administrator account named newadmin by typing delete newadmin
and pressing Enter. This deletes newadmin and all its fields, such as
newadmin’s first-name and email-address.
delete is only available within objects containing tables.
edit <table> Create or edit a table in the current object.
For example, in config system admin:
• edit the settings for the default admin administrator account by typing
edit admin.
• add a new administrator account with the name newadmin and edit
newadmin‘s settings by typing edit newadmin.
edit is an interactive sub-command: further sub-commands are available

from within edit.
edit changes the prompt to reflect the table you are currently editing.
edit is only available within objects containing tables.
In objects such as security policies, <table> is a sequence number. To

create a new entry without the risk of overwriting an existing one, enter
edit 0. The CLI initially confirms the creation of entry 0, but assigns the
next unused number after you finish editing and enter end.
Save the changes to the current object and exit the config command.
end
This returns you to the top-level command prompt.
48 Getting Started
get List the configuration of the current object or table.
• In objects, get lists the table names (if present), or fields and their
values.
• In a table, get lists the fields and their values.
Remove all tables in the current object.
For example, in config user local, you could type get to see the list
of user names, then type purge and then y to confirm that you want to
delete all users.
purge is only available for objects containing tables.

purge
Caution: Back up the FortiGate before performing a purge. purge
cannot be undone. To restore purged tables, the configuration must be
restored from a backup.
Caution: Do not purge system interface or system admin tables.

purge does not provide default tables. This can result in being unable to
connect or log in, requiring the FortiGate unit to be formatted and restored.
rename <table> to <table> Rename a table.
For example, in config system admin, you could rename admin3 to

fwadmin by typing rename admin3 to fwadmin.
rename is only available within objects containing tables.
Display changes to the default configuration. Changes are listed in the

show
form of configuration commands.
Example of table commands

From within the system admin object, you might enter:
edit admin_1
The CLI acknowledges the new table, and changes the command prompt to show that you are now within the
admin_1 table:
new entry 'admin_1' added
(admin_1)#
Commands for fields
abort Exit both the edit and/or config commands without saving the fields.
append Add an option to an existing list.
Getting Started 49
Sub-commands Using the CLI
end Save the changes made to the current table or object fields, and exit the config
command (to exit without saving, use abort instead).
List the configuration of the current object or table.

get
• In objects, get lists the table names (if present), or fields and their values.
• In a table, get lists the fields and their values.
move Move an object within a list, when list order is important. For example, rearranging
security policies within the policy list.
Save the changes you have made in the current table’s fields, and exit the edit
command to the object prompt (to save and exit completely to the root prompt, use
end instead).
next
next is useful when you want to create or edit several tables in the same object,
without leaving and re-entering the config command each time.
next is only available from a table prompt; it is not available from an object prompt.
select Clear all options except for those specified.
For example, if a group contains members A, B, C, and D and you remove all users
except for B, use the command select member B.
Set a field’s value.
For example, in config system admin, after typing edit admin, you could
type set password newpass to change the password of the admin administrator
set <field>
to newpass.
<value>
Note: When using set to change a field containing a space-delimited list, type the
whole new list. For example, set <field> <new-value> will replace the list with
the <new-value> rather than appending <new-value> to the list.
show Display changes to the default configuration. Changes are listed in the form of
configuration commands.
unselect Remove an option from an existing list.
unset <field> Reset the table or object’s fields to default values.
For example, in config system admin, after typing edit admin, typing unset
password resets the password of the admin administrator account to the default (in
this case, no password).
Example of field commands

From within the admin_1 table, you might enter:
set password my1stExamplePassword
50 Getting Started
to assign the value my1stExamplePassword to the password field. You might then enter the next
command to save the changes and edit the next administrator’s table.
Getting Started 51
Permissions Using the CLI
Permissions
Access profiles control which CLI commands an administrator account can access. Access profiles assign either
read, write, or no access to each area of FortiOS. To view configurations, you must have read access. To make
changes, you must have write access. So, depending on the account used to log in to the FortiGate, you may not
have complete access to all CLI commands. For complete access to all commands, you must log in with an
administrator account that has the super_admin access profile. By default the admin administrator account
has the super_admin access profile.
Administrator accounts, with the super_admin access profile are similar to a root administrator account that
always has full permission to view and change all FortiGate configuration options, including viewing and changing
all other administrator accounts and including changing other administrator account passwords.
Increasing the security of administrator accounts

Set strong passwords for all administrator accounts (including the admin account) and change passwords
regularly.
For more information about increasing the security of administrator accounts, see:
l Hardening your FortiGate
52 Getting Started
Using the CLI Tips
Tips
Basic features and characteristics of the CLI environment provide support and ease of use for many CLI tasks.
Help
To display brief help during command entry, press the question mark (?) key.
l Press the question mark (?) key at the command prompt to display a list of the commands available and a
description of each command.
l Type a word or part of a word, then press the question mark (?) key to display a list of valid word completions or
subsequent words, and to display a description of each.
Shortcuts and key commands
Keys Action
? List valid word completions or subsequent words.
If multiple words could complete your entry, display all possible completions with
helpful descriptions of each.
Tab Complete the word with the next available match.
Press the Tab key multiple times to cycle through available matches.
Up arrow, or Recall the previous command.

Ctrl + P
Command memory is limited to the current session.
Down arrow, or Recall the next command.

Ctrl + N
Left or Right Move the cursor left or right within the command line.
arrow
Ctrl + A Move the cursor to the beginning of the command line.
Ctrl + E Move the cursor to the end of the command line.
Ctrl + B Move the cursor backwards one word.
Ctrl + F Move the cursor forwards one word.
Ctrl + D Delete the current character.
Getting Started 53
Tips Using the CLI
Keys Action
Ctrl + C Abort current interactive commands, such as when entering multiple lines.
If you are not currently within an interactive command such as config or edit, this
closes the CLI connection.
\ then Enter Continue typing a command on the next line for a multi-line command.
For each line that you want to continue, terminate it with a backslash ( \ ). To complete
the command line, terminate it by pressing the spacebar and then the Enter key,
without an immediately preceding backslash.
Command abbreviation
You can abbreviate words in the command line to their smallest number of non-ambiguous characters.
For example, the command get system status could be abbreviated to g sy stat.
Adding and removing options from lists

When adding options to a list, such as a user group, using the set command will remove the previous
configuration. For example, if you wish to add user D to a user group that already contains members A, B, and C,
the command would need to be set member A B C D. If only set member D was used, then all former
members would be removed from the group.
However, there are additional commands which can be used instead of set for changing options in a list.
Additional commands for lists
append Add an option to an existing list.
For example, append member would add user D to a user group while all previous
group members are retained
select Clear all options except for those specified.
For example, if a group contains members A, B, C, and D and you remove all users
except for B, use the command select member B.
unselect Remove an option from an existing list.
For example, unselect member A would remove member A from a group will all
previous group members are retained.
Environment variables
The CLI supports the following environment variables. Variable names are case-sensitive.
54 Getting Started
Using the CLI Tips
Environment variables
$USERFROM The management access type (ssh, telnet, jsconsole for the CLI Console
widget in the web-based manager, and so on) and the IP address of the administrator
that configured the item.
$USERNAME The account name of the administrator that configured the item.
$SerialNum The serial number of the FortiGate unit.
For example, the FortiGate unit’s host name can be set to its serial number:
config system global
set hostname $SerialNum
end
Special characters
The following special characters, also known as reserved characters, are not permitted in most CLI fields:
< > ( ) # ' “
You may be able to enter special characters as part of a string’s value by using a special command, enclosing it in
quotes, or preceding it with an escape sequence — in this case, a backslash ( \ ) character.
In other cases, different keystrokes are required to input a special character. If you need to enter ? as part of
config, you first need to input CTRL-V. If you enter ? without first using CTRL-V, the question mark has a
different meaning in the CLI; it will show available command options in that section.
For example, if you enter ? without CTRL-V:

edit "*.xe
token line: Unmatched double quote.
If you enter ? with CTRL-V:

edit "*.xe?"
new entry '*.xe?' added
Entering special characters
Character Keys
? Ctrl + V then ?
Tab Ctrl + V then Tab
Getting Started 55
Tips Using the CLI
Character Keys
Space Enclose the string in quotation marks: "Security

Administrator”.
(to be interpreted as part of a string value,
not to end the string) Enclose the string in single quotes: 'Security
Administrator'.
Precede the space with a backslash: Security\

Administrator.
' \'

not to end the string)
" \"

not to end the string)
\ \\
Using grep to filter get and show command output

In many cases, the get and show (and diagnose) commands may produce a large amount of output. If you
are looking for specific information in a large get or show command output, you can use the grep command to
filter the output to only display what you are looking for. The grep command is based on the standard UNIX
grep, used for searching text output based on regular expressions.
Use the following command to display the MAC address of the FortiGate unit internal interface:
get hardware nic internal | grep Current_HWaddr
Current_HWaddr 00:09:0f:cb:c2:75
Use the following command to display all TCP sessions in the session list and include the session list line number
in the output:
get system session list | grep -n tcp
Use the following command to display all lines in HTTP replacement message commands that contain URL
(upper or lower case):
show system replacemsg http | grep -i url
There are three additional options that can be applied to grep:

-A <num> After
-B <num> Before
-C <num> Context
The option -f is also available to support contextual output, in order to show the complete configuration. The
following example shows the difference in output when -f option is used versus when it is not.
56 Getting Started
Using the CLI Tips
Using -f:
show | grep -f ldap-group1
config user group
edit "ldap-group1"
set member "pc40-LDAP"
next
end
config firewall policy
edit 2
set srcintf "port31"
set dstintf "port32"
set srcaddr "all"
set action accept
set identity-based enable
set nat enable
config identity-based-policy
edit 1
set schedule "always"
set groups "ldap-group1"
set dstaddr "all"
set service "ALL"
next
end
next
end
Without using -f:

show | grep ldap-group1
edit "ldap-group1"
set groups "ldap-group1"
Language support and regular expressions

Characters such as ñ, é, symbols, and ideographs are sometimes acceptable input. Support varies by the nature
of the item being configured. CLI commands, objects, field names, and options must use their exact ASCII
characters, but some items with arbitrary names or values may be input using your language of choice. To use
other languages in those cases, you must use the correct encoding.
Input is stored using Unicode UTF-8 encoding but is not normalized from other encodings into UTF-8 before it is
stored. If your input method encodes some characters differently than in UTF-8, your configured items may not
display or operate as expected.
Regular expressions are especially impacted. Matching uses the UTF-8 character values. If you enter a regular
expression using another encoding, or if an HTTP client sends a request in an encoding other than UTF-8,
matches may not be what you expect.
For example, with Shift-JIS, backslashes ( \ ) could be inadvertently interpreted as the symbol for the Japanese
yen ( ¥ ) and vice versa. A regular expression intended to match HTTP requests containing money values with a
yen symbol therefore may not work it if the symbol is entered using the wrong encoding.
For best results, you should:
Getting Started 57
Tips Using the CLI
l use UTF-8 encoding, or

l use only the characters whose numerically encoded values are the same in UTF-8, such as the US-ASCII characters
that are also encoded using the same values in ISO 8859-1, Windows code page 1252, Shift-JIS and other
encodings, or
l for regular expressions that must match HTTP requests, use the same encoding as your HTTP clients.
HTTP clients may send requests in encodings other than UTF-8. Encodings usually
vary by the client’s operating system or input language. If you cannot predict the
client’s encoding, you may only be able to match any parts of the request that are in
English, because regardless of the encoding, the values for English characters tend to
be encoded identically. For example, English words may be legible regardless of
interpreting a web page as either ISO 8859-1 or as GB2312, whereas simplified
Chinese characters might only be legible if the page is interpreted as GB2312.
If you configure your FortiGate unit using other encodings, you may need to switch language settings on your
management computer, including for your web browser or Telnet/SSH client. For instructions on how to configure
your management computer’s operating system language, locale, or input method, see its documentation.
If you choose to configure parts of the FortiGate unit using non-ASCII characters, verify that all systems
interacting with the FortiGate unit also support the same encodings. You should also use the same encoding
throughout the configuration if possible in order to avoid needing to switch the language settings of the web-
based manager and your web browser or Telnet/SSH client while you work.
Similarly to input, your web browser or CLI client should normally interpret display output as encoded using UTF-
8. If it does not, your configured items may not display correctly in the GUI or CLI. Exceptions include items such
as regular expressions that you may have configured using other encodings in order to match the encoding of
HTTP requests that the FortiGate unit receives.
To enter non-ASCII characters in the CLI Console:
1. On your management computer, start your web browser and go to the URL for the FortiGate unit’s GUI.
2. Configure your web browser to interpret the page as UTF-8 encoded.
3. Log in to the FortiGate unit.
4. Open the CLI Console from the upper right-hand corner.
5. In the title bar of the CLI Console widget, click Edit (the pencil icon).
6. Enable Use external command input box and select OK.
7. The Command field appears below the usual input and display area of the CLI Console .
8. Type a command in this field and press Enter.
In the display area, the CLI Console widget displays your previous command interpreted into its character
code equivalent, such as:
edit \743\601\613\743\601\652
and the command’s output.
To enter non-ASCII characters in a Telnet/SSH client
1. On your management computer, start your Telnet or SSH client.

2. Configure your Telnet or SSH client to send and receive characters using UTF-8 encoding.
Support for sending and receiving international characters varies by each Telnet/SSH client. Consult the
documentation for your Telnet/SSH client.
58 Getting Started
Using the CLI Tips
3. Log in to the FortiGate unit.

4. At the command prompt, type your command and press Enter.
You may need to surround words that use encoded characters with single quotes ( ' ).
Depending on your Telnet/SSH client’s support for your language’s input methods and for sending
international characters, you may need to interpret them into character codes before pressing Enter.
For example, you might need to enter:

edit '\743\601\613\743\601\652'
5. The CLI displays your previous command and its output.
Screen paging
You can configure the CLI to pause after displaying each page’s worth of text when displaying multiple pages of
output. When the display pauses, the last line displays --More--. You can then either:
l press the spacebar to display the next page.

l type Q to truncate the output and return to the command prompt.
This may be useful when displaying lengthy output, such as the list of possible matching commands for
command completion, or a long list of settings. Rather than scrolling through or possibly exceeding the buffer of
your terminal emulator, you can simply display one page at a time.
To configure the CLI Console to pause display when the screen is full:
config system console
set output more
end
Baud rate
You can change the default baud rate of the local console connection.
To change the baud rate enter the following commands:

config system console
set baudrate {9600 | 19200 | 38400 | 57600 | 115200}
end
Editing the configuration file on an external host

You can edit the FortiGate configuration on an external host by first backing up the configuration file to a TFTP
server. Then edit the configuration file and restore it to the FortiGate unit.
Editing the configuration on an external host can be timesaving if you have many changes to make, especially if
your plain text editor provides advanced features such as batch changes.
To edit the configuration on your computer:
1. Use execute backup to download the configuration file to a TFTP server, such as your management
computer.
2. Edit the configuration file using a plain text editor that supports Unix-style line endings.
Getting Started 59
Tips Using the CLI
Do not edit the first line. The first line(s) of the configuration file (preceded by a #
character) contains information about the firmware version and FortiGate model. If
you change the model number, the FortiGate unit will reject the configuration file
when you attempt to restore it.
3. Use execute restore to upload the modified configuration file back to the FortiGate unit.
The FortiGate unit downloads the configuration file and checks that the model information is correct. If it is
correct, the FortiGate unit loads the configuration file and checks each command for errors. If a command is
invalid, the FortiGate unit ignores the command. If the configuration file is valid, the FortiGate unit restarts
and loads the new configuration.
60 Getting Started
FortiExplorer for iOS
FortiExplorer for iOS is a user-friendly application that helps you to quickly and easily configure, manage, and
monitor FortiGate appliances using an iOS device. FortiExplorer lets you rapidly provision, deploy, and monitor
Security Fabric components including FortiGate, FortiWiFi, and FortiAP devices.
FortiExplorer for iOS requires iOS 9.3 or later and is compatible with iPhone, iPad, and iPod Touch. It is
supported by FortiOS 5.6+ and is only available on the App Store for iOS devices.
Advanced features are available with the purchase of FortiExplorer Pro. Paid features include the ability to add
more than two devices and the ability to download firmware images from FortiCare.
Up to six members can use this app with 'Family Sharing' enabled in the App Store.
Firmware upload requires a valid firmware license. Users can download firmware for
models with a valid support contract.
Getting started with FortiExplorer
If your FortiGate is accessible on the wireless network, you can connect to it using FortiExplorer provided that
your iOS device is on the same network (see Connecting FortiExplorer to a FortiGate via WiFi). Otherwise, you
will need to physically connect your iOS device to the FortiGate using a USB cable (see below).
Connecting FortiExplorer to a FortiGate via USB

For the purpose of this document, we assume that you are just getting started; you do not have access to the
FortiGate over the wireless network, and the FortiGate is in its factory configuration.
1. Connect your iOS device to your FortiGate’s USB management port.

If prompted on your iOS device, Trust this 'computer'.
Getting Started 61
Getting started with FortiExplorer FortiExplorer for iOS
2. Open the FortiExplorer app and select your FortiGate from the list under USB Attached Device.
3. On the Login screen, select USB .
4. Enter the default Username (admin) and leave the Password field blank.
5. You can opt to Remember Password. Tap Done when you are ready.
FortiExplorer opens the FortiGate management interface to the Device Status page:
6. Go to Network > Interfaces and configure the WAN interface(s).

In the example, the wan1 interface Address mode is set to DHCP by default. Set it to Manual and enter its
Address, Netmask, and Default Gateway, and then Apply your changes.
62 Getting Started
FortiExplorer for iOS Getting started with FortiExplorer
7. (Optional) Configure Administrative Access to allow HTTP and HTTPS access.

This will allow administrators to access the FortiGate web-based manager using a web browser.
8. Go to Network > Interfaces and configure the local network (internal) interface.

Set the Address mode as before and configure Administrative Access if desired.
9. Configure a DHCP Server for the internal network subnet.
Return to the internal interface using the < button at the top of the screen.
10. Go to Network > Static Routes and configure the static route to the gateway.
Getting Started 63
11. Go to Policy & Objects > Policy and edit the Internet access policy. As a best practice, provide a Name for the
policy, enable the desired Security Profiles, and configure Logging Options. Select OK to finalize.
Running a Security Fabric Audit

The FortiGate is now configured in a very basic state. Once you've configured the other potential elements of
your network, such as other Interfaces, Schedules, or Managed FortiAPs, it is recommended that you run a
Security Fabric Audit to identify potential vulnerabilities and highlight best practices that could be used to
improve your network’s overall security and performance.
64 Getting Started
FortiExplorer for iOS Getting started with FortiExplorer
Follow the steps of the Security Fabric Audit (under Security Fabric > Audit) to determine a Security Score
for the selected device(s). The results should identify issues ranging from Medium to Critical importance, and
may provide recommended actions where possible.
Connecting FortiExplorer to a FortiGate via WiFi

If your FortiGate is accessible on the wireless network, you can connect to it using FortiExplorer provided that
your iOS device is on the same network. Assuming this is the case:
1. Open the FortiExplorer app and select Add from the Devices page.
2. Enter the Host information and appropriate Username and Password credentials. If necessary, change the
default Port number, and opt to Remember Password.
3. If the FortiGate device identity cannot be verified, click Connect at the prompt.
FortiExplorer opens the FortiGate management interface to the Device Status page.
Getting Started 65
Upgrading to FortiExplorer Pro

Paid features provided with the purchase of FortiExplorer Pro include the ability to add more than two devices and
the ability to download firmware images from FortiCare.
l To upgrade to FortiExplorer Pro, open the FortiExplorer app, go to Settings and select Upgrade to FortiExplorer
Pro. Follow the on-screen prompts.
66 Getting Started
LED Specifications
The following section includes information regarding FortiGate LED status indicators.
l Sample FortiGate faceplates

l LED status codes
l About alarm levels
l LED status codes for ports
Sample FortiGate faceplates
The faceplates indicate where the LEDs are typically found on desktop and mid-range FortiGate models.
FortiGate 60C
FortiGate 100D
Getting Started 67
LED status codes LED Specifications
FortiGate 30E
LED status codes
LABEL STATE MEANING
PWR Green Power is On.
Off Power is Off.
STA Green Normal status.
Flashing Green Booting Up. If the FortiGate has a reset button, Flashing Green also
means that the reset button was used.
Red The FortiGate has a critical alarm (see About Alarm Levels).
ALARM Off No alarms or the FortiGate has a minor alarm.
Amber The FortiGate has a major alarm.
Red The FortiGate has a critical alarm.

The status LED will also be red.
More information at About Alarm Levels.
68 Getting Started
LED Specifications About alarm levels
LABEL STATE MEANING
HA Green The FortiGate is operating in an FGCP HA cluster.
Red A failover has occurred. This usually means that one of the FotiGates
in an HA cluster has failed or that HA heartbeat communication
between the FortiGates in the HA cluster has failed or been
interrupted.
Off HA not configured.
Failover operation feature not available in all units.
WIFI Green Wireless port is active.
Flashing Green Wireless interface is transmitting and receiving data.
Off Wireless interface is down.
About alarm levels
Minor, major, and critical alarms are defined based on IPMI, ATCA, and Telco standards for naming alarms.
l A minor alarm (also called an IPMI non-critical (NC) alarm) indicates a temperature or a power level outside of the
normal operating range that is not considered a problem. In the case of a minor temperature alarm, the system
could respond by increasing fan speed. A non-critical threshold can be an upper non-critical (UNC) threshold (for
example, a high temperature or a high power level) or a lower non-critical (LNC) threshold (for example, a low power
level). The LEDs do not indicate minor alarms since user intervention is not required.
l A major alarm (also called an IPMI critical or critical recoverable (CR) alarm) indicates that the system itself cannot
correct the cause for the alarm and that intervention is required. For example, the cooling system cannot provide
enough cooling to reduce the temperature. It could also mean that conditions (e.g. temperature) are approaching
the outside limit of the allowed operating range. A critical threshold can also be an upper critical (UC) threshold (e.g.
a high temperature or a high power level) or a lower critical (LC) threshold (e.g. a low power level).
l A critical alarm (also called an IPMI non-recoverable (NR) alarm) indicates detection of a temperature or power level
that is outside of the allowed operating range and could potentially cause physical damage.
Getting Started 69
LED status codes for ports LED Specifications
LED status codes for ports
TYPE OF PORT STATE MEANING
Ethernet Ports Green Connected.

Link / Activity
Flashing Green Transmitting and receiving data.
Off No link established.
On FortiGate models with front-facing ports, this LED is to the

left of the port. On FortiGate models with ports at the back of
the device, this LED is in the upper row.
SFP Ports Green Connected.
Flashing Green Transmitting and receiving data.
Off No link established.
Ethernet Ports Green Connected at 1Gbps.

Speed
Amber Connected at 100Mbps.
Off Not connected or connected at 10Mbps.
On FortiGate models with front-facing ports, this LED is to the

right of the port. On FortiGate models with ports at the back of
the device, this LED is in the lower row.
70 Getting Started
Inspection Mode
To control your FortiGate's security profile inspection mode in FortiOS 5.6, you can select Flow-based or Proxy
inspection modes from System > Settings. Having control over flow and proxy mode is helpful if you want to
ensure that only flow inspection mode is used.
In most cases proxy mode is preferred because more security profile features are available along with more
configuration options for these individual features. Some implementations, however, may require all security
profile scanning to only use flow mode. In this case, you can set your FortiGate to flow mode knowing that proxy
mode inspection will not be used.
Setting up the FortiGate to operate in these new modes (or to operate in the other available operating
modes) involves going to System > Settings and changing the Inspection Mode and NGFW Mode.
NGFW mode simplifies applying application control and web filtering to traffic by allowing you to add applications
and web filtering profiles directly to policies.
Transparent proxy allows you to apply web authentication to HTTP traffic without using the explicit proxy.
Changing inspection and policy modes

To change inspection modes, go to System > Settings. You can select Flow-based to operate in flow mode or
Proxy to operate in proxy mode.
NGFW policy mode
When you select Flow-based as the Inspection Mode, you have the option to select an NGFW Mode. Profile-
based mode works the same as flow-based mode did in FortiOS 5.4.
In Policy-based mode, you add applications and web filtering profiles directly to a policy without having to first
create and configure Application Control or Web Filtering profiles.
When you change to Flow-based inspection, all proxy mode profiles are converted to flow mode, removing any
proxy settings. In addition, proxy-mode only features (for example, Web Application Profile) are removed from the
GUI.
If your FortiGate has multiple VDOMs, you can set the inspection mode independently for each VDOM. Go to
System > VDOM. Click Edit for the VDOM you wish to change and select the Inspection Mode.
CLI syntax
The following CLI command can be used to configure inspection and policy modes:
config system settings
set inspection-mode {proxy | flow}
set policy-mode {standard | ngfw}
end
Getting Started 71
Inspection Mode
Security profile features mapped to inspection mode

The table below lists FortiOS security profile features and shows whether they are available in flow-based or
proxy-based inspection modes.
Security Profile Feature Flow-based inspection Proxy-based inspection
AntiVirus x x
Web Filter x x
DNS Filter x x
Application Control x x
Intrusion Protection x x
Anti-Spam x
Data Leak Protection x
VoIP x
ICAP x
Web Application Firewall x
FortiClient Profiles x x
Proxy Options x x
SSL Inspection x x
SSH Inspection x
Web Rating Overrides x x
Web Profile Overrides x
From the GUI, you can only configure antivirus and web filter security profiles in proxy mode. From the CLI, you
can configure flow-based antivirus profiles, web filter profiles, and DLP profiles and they will appear on the GUI
and include their inspection mode setting. Flow-based profiles created when in flow mode are still available when
you switch to proxy mode.
In flow mode, antivirus and web filter profiles only include flow-mode features. Web filtering and virus scanning is
still done with the same engines and to the same accuracy, but some inspection options are limited or not
available in flow mode. Application control, intrusion protection, and FortiClient profiles are not affected when
switching between flow and proxy mode.
Even though VoIP profiles are not available from the GUI in flow mode, the FortiGate can process VoIP traffic. In
this case the appropriate session helper is used (for example, the SIP session helper).
72 Getting Started
Inspection Mode
Setting flow or proxy mode doesn't change the settings available from the CLI. However, when in flow mode you
can't save security profiles that are set to proxy mode.
You can also add proxy-only security profiles to firewall policies from the CLI. So, for example, you can add a
VoIP profile to a security policy that accepts VoIP traffic. This practice isn't recommended because the setting will
not be visible from the GUI.
Proxy mode and flow mode antivirus and web filter profile options
The following tables list the antivirus and web filter profile options available in proxy and flow modes.
Antivirus features in proxy and flow mode
Feature Proxy Flow
Scan Mode (Quick or Full) x
Detect viruses (Block or Monitor) x x
Inspected protocols x (all relevant protocols are inspected)
Inspection Options x x
(not available for quick scan mode)
Treat Windows Executables in Email Attachments as x x

Viruses
Send Files to FortiSandbox Appliance for Inspection x x
Use FortiSandbox Database x x
Include Mobile Malware Protection x x
Web Filter features in proxy and flow mode
Feature Proxy Flow
FortiGuard category based filter x x

(show, allow, monitor,
block)
Category Usage Quota x
Allow users to override blocked categories (on some models) x
Search Engines x
Getting Started 73
Inspection Mode
Feature Proxy Flow
Enforce 'Safe Search' on Google, Yahoo!, x

Bing, Yandex
Restrict YouTube Access x
Log all search keywords x
Static URL Filter x x
Block invalid URLs x
URL Filter x x
Block malicious URLs discovered by x x

FortiSandbox
Web Content Filter x x
Rating Options x x
Allow websites when a rating error occurs x x
Rate URLs by domain and IP Address x x
Block HTTP redirects by rating x
Rate images by URL x
Proxy Options x
Restrict Google account usage to specific x

domains
Provide details for blocked HTTP 4xx and 5xx

x
errors
HTTP POST Action x
Remove Java Applets x
Remove ActiveX x
Remove Cookies x
Filter Per-User Black/White List x
74 Getting Started
Basic Administration
This section contains information about basic FortiGate administration that can be done after you have installed
the unit in your network.
While this section mainly focuses on accomplishing tasks with the GUI, some tasks include instructions to use the
CLI. You can access the CLI using the GUI or FortiExplorer, or via SSH or Telnet connection. For more
information about the CLI, see Using the CLI.
Registration
In order to have full access to Fortinet Support and FortiGuard Services, you must register your FortiGate.
Registering your FortiGate:
1. Go to the Dashboard and locate the Licenses widget.

2. Click on FortiCare Support to display a pop-up window and Register.
3. In the pop-up window, either use an existing Fortinet Support account or create a new one. Select your Country
and Reseller.
4. Select OK.
FortiGate platforms do not impose any limitations on the number or type of customers, users, devices, IP
addresses, or number of VPN clients being served by the platform. Such factors are limited solely by the hardware
capacity of each given model.
System Settings
There are several system settings that should be configured once your FortiGate is installed:
l Default administrator password

l Settings
l Changing the host name
l Central Management
l System Time
l Administration Settings
l Password Policy
l View Settings
l Administrator password retries and lockout time
Default administrator password

By default, your FortiGate has an administrator account set up with the username admin and no password. In
order to prevent unauthorized access to the FortiGate, it is highly recommended that you add a password to this
account.
Getting Started 75
System Settings Basic Administration
To change the default password:
1. Go to System > Administrators.

2. Edit the admin account.
3. Select Change Password.
4. Enter the New Password and re-enter the password for confirmation.
5. Select OK.
For details on selecting a password and password best practices, see the section on Passwords.
It is also recommended to change the user name of this account; however, since you cannot change the user
name of an account that is currently in use, a second administrator account will need to be created in order to do
this. For more information about creating and using administrator accounts, see the Administrators section of the
System Administration chapter.
Settings
Settings can be accessed by going to System > Settings. On this page, you can change the Host name,
designate the centralized security management for your FortiGate in Central Management, set the system time
and identify time zone in System Time, configure HTTP, HTTPS, SSH, and Telnet ports as well as idle timeout
in Administration Settings, designate the Password Policy, and manage display options and designate
inspection mode in View Settings.
Changing the host name

The host name of your FortiGate appears in the Hostname row in the System Information widget on the
Dashboard. The host name also appears at the CLI prompt when you are logged in to the CLI, and as the SNMP
system name.
To change the host name on the FortiGate
Go to System > Settings and type in the new name in the Host name row. The only administrators that can
change a FortiGate’s host name are administrators whose admin profiles permit system configuration write
access. If the FortiGate is part of an HA cluster, you should use a unique host name to distinguish the FortiGate
from others in the cluster.
Central Management
You can manage any size Fortinet security infrastructure, from a few devices to thousands of appliances, by using
FortiManager or FortiCloud. You can configure your FortiGate for either of these centralized security
management services through Central Management. Be sure that you have registered your device with the
FortiManager appliance or FortiCloud host. For more information on configuring your FortiGate for Central
Management, see Adding a FortiGate to FortiManager or FortiCloud.
System Time
For effective scheduling and logging, the FortiGate system time and date should be accurate. You can either
manually set the system time and date or configure the FortiGate to automatically synchronize with a Network
Time Protocol (NTP) server.
76 Getting Started
Basic Administration System Settings
NTP enables you to keep the FortiGate time synchronized with other network systems. By enabling NTP on the
FortiGate, FortiOS will check with the NTP server you select at the configured intervals. This will also ensure that
logs and other time-sensitive settings on the FortiGate are correct.
The FortiGate maintains its internal clock using a built-in battery. At start up, the time reported by the FortiGate
will indicate the hardware clock time, which may not be accurate. When using NTP, the system time might
change after the FortiGate has successfully obtained the time from a configured NTP server.
By default, FortiOS has the daylight savings time configuration enabled. The system
time must be manually adjusted after daylight saving time ends. To disable DST,
enter the following commands in the CLI:
set dst disable
end
To set the date and time
1. Go to the System > Settings.

2. Under System Time, select your Time Zone by using the drop-down menu.
3. Set Time by either selecting Synchronize with NTP Server or Manual settings. If you select synchronization,
you can either use the default FortiGuard servers or specify a custom server. You can also set the Sync interval.
4. If you use an NTP server, you can identify a specific interface for this self-originating traffic by enabling Setup
device as local NTP server.
5. Select Apply.
Administration Settings
In order to improve security, you can change the default port configurations for administrative connections to the
FortiGate. When connecting to the FortiGate when the port has changed, the port must be included, such as
https://<ip_address>:<port>. For example, if you are connecting to the FortiGate using port 99, the
URL would be https://192.168.1.99:99.
To configure the port settings:
1. Go to System > Settings.
2. Under Administration Settings, change the port numbers for HTTP, HTTPS, SSH, and/or Telnet as needed.
You can also select Redirect to HTTPS in order to avoid HTTP being used for the administrators.
3. Select Apply.
When you change the default port number for HTTP, HTTPS, SSH, or Telnet, ensure that the port number is
unique. If a conflict exists with a particular port, a warning message will appear.
By default, the GUI disconnects administrative sessions if no activity occurs for five minutes. This prevents
someone from using the GUI if the management PC is left unattended.
To change the idle timeout
2. In the Administration Settings section, enter the time in minutes in the Idle timeout field.
3. Select Apply.
Getting Started 77
System Settings Basic Administration
Password Policy
The FortiGate includes the ability to create a password policy for administrators and IPsec pre-shared keys. With
this policy, you can enforce regular changes and specific criteria for a password including:
l minimum length between 8 and 64 characters.

l if the password must contain uppercase (A, B, C) and/or lowercase (a, b, c) characters.
l if the password must contain numbers (1, 2, 3).
l if the password must contain special or non-alphanumeric characters (!, @, #, $, %, ^, &, *, (, and )).
l where the password applies (admin or IPsec or both).
l the duration of the password before a new one must be specified.
To create a password policy - GUI
2. Configure Password Policy settings as required.
3. Click Apply.
If you add a password policy or change the requirements on an existing policy, the next time that administrator
logs into the FortiGate, they are prompted to update their password to meet the new requirements before
proceeding to log in.
For information about recovering a lost password and enhancements to the process, see: Resetting a lost Admin
password.
View Settings
Three settings can change the presentation of information in the GUI: Language, Lines per page, and Theme.
To change the language, go to System > Settings. Select the language you want from the Language drop-
down list: English (the default), French, Spanish, Portuguese, Japanese, Traditional Chinese, Simplified
Chinese, or Korean. For best results, you should select the language that is used by the management computer.
To change the number of lines per page displayed in the GUI tables, set Lines per page to a value between 20
and 1,000. The default is 50 lines per page.
Five color themes are currently available: Green (the default), Red, Blue, Melongene, and Mariner. To change
your theme, select the color from the Theme drop-down list.
This is also where you select either Flow-based or Proxy Inspection Mode . If you select Flow-based mode,
then you need to specify if it is NGFW Profile-based or NGFW Policy-based inspection.
Administrator password retries and lockout time

By default, the FortiGate sets the number of password retries at three, allowing the administrator a maximum of
three attempts to log into their account before locking the account for a set amount of time.
Both the number of attempts (admin-lockout-threshold) and the wait time before the administrator can
try to enter a password again (admin-lockout-duration) can be configured within the CLI.
To configure the lockout options:

set admin-lockout-threshold <failed_attempts>
78 Getting Started
Basic Administration Passwords
set admin-lockout-duration <seconds>

end
The default value of admin-lockout-threshold is 3 and the range of values is between 1 and 10. The
admin-lockout-duration is set to 60 seconds by default and the range of values is between 1 and
4294967295 seconds.
Keep in mind that the higher the lockout threshold, the higher the risk that someone may be able to break into the
FortiGate unit.
Example:
To set the admin-lockout-threshold to one attempt and the admin-lockout-duration to a five

minute duration before the administrator can try to log in again, enter the commands:
set admin-lockout-threshold 1
set admin-lockout-duration 300
end
If the time span between the first failed login attempt and the admin-lockout-
threshold failed login attempt is less than admin-lockout-duration, the
lockout will be triggered.
Passwords
Using secure passwords are vital for preventing unauthorized access to your FortiGate. When changing the
password, consider the following to ensure better security:
l Do not make passwords that are obvious, such as the company name, administrator names, or other obvious words
or phrases.
l Use numbers in place of letters, for example, passw0rd.
l Administrator passwords can be up to 64 characters.
l Include a mixture of letters, numbers, and upper and lower case.
l Use multiple words together, or possibly even a sentence, for example keytothehighway.
l Use a password generator.
l Change the password regularly and always make the new password unique and not a variation of the existing
password, such as changing from password to password1.
l Make note of the password and store it in a safe place away from the management computer, in case you forget it
or ensure that at least two people know the password in the event that one person becomes ill, is away on vacation,
or leaves the company. Alternatively, have two different admin logins.
Downgrades will typically maintain the administrator password. If you need to downgrade to FortiOS 4.3, remove
the password before the downgrade, then log in after the downgrade and re-configure the password.
Getting Started 79
Passwords Basic Administration
Password policy
The FortiGate includes the ability to create a password policy for administrators and IPsec pre-shared keys. With
this policy, you can enforce regular changes and specific criteria for a password including:
l minimum length between 8 and 64 characters.

l if the password must contain uppercase (A, B, C) and/or lowercase (a, b, c) characters.
l if the password must contain numbers (1, 2, 3).
l if the password must contain special or non-alphanumeric characters (!, @, #, $, %, ^, &, *, (, and )).
l where the password applies (admin or IPsec or both).
l the duration of the password before a new one must be specified.
To create a password policy - GUI
2. Configure Password Policy settings as required.
3. Click Apply.
If you add a password policy or change the requirements on an existing policy, the next time that administrator
logs into the FortiGate, they are prompted to update their password to meet the new requirements before
proceeding to log in.
For information about recovering a lost password and enhancements to the process, see: Resetting a lost Admin
password.
80 Getting Started
Basic Administration Firmware
Firmware
Fortinet periodically updates the FortiGate firmware to include new features and resolve important issues. After
you have registered your FortiGate unit, you can download firmware updates from the support web site,
https://support.fortinet.com.
Before you install any new firmware, be sure to follow the steps below:
l Review the Release Notes for a new firmware release.

l Review the Upgrade Paths Tool to make sure the upgrade from your current image to the desired new image is
supported.
l Backup the current configuration, including local certificates.
l Test the new firmware until you are satisfied that it applies to your configuration.
Installing new firmware without reviewing release notes or testing the firmware may result in changes to settings
or unexpected issues.
Only FortiGate admin users and administrators whose access profiles contain system
read and write privileges can change the FortiGate firmware.
Backing up the current configuration

You should always back up the configuration before installing new firmware, in case you need to restore your
FortiGate configuration.
To create a local backup:
1. Open to the administrator's dropdown menu in the top-right corner of the GUI and select Configuration
> Backup.
2. Choose either Local PC or USB Disk to save the configuration file. The USB option will not be available if there
is no USB drive in the USB port.
3. If desired, select Encryption.
4. Select OK.
For more information, see Configuration Backups.
Downloading firmware
Firmware images for all FortiGate units are available on the Fortinet Customer Support website,
https://support.fortinet.com.
To download firmware:
1. Log into the site using your user name and password.
2. Go to Download > Firmware Images.
3. A list of Release Notes is shown. If you have not already done so, download and review the Release Notes for the
firmware you wish to upgrade your FortiGate unit to.
4. Select Download.
Getting Started 81
Firmware Basic Administration
Firmware can also be downloaded using FTP; however, as FTP is not an encrypted file
transferring protocol, HTTPS downloading is recommended.
5. Navigate to the folder for the firmware version you wish to use.
6. Select your FortiGate model from the list. If your unit is a FortiWiFi, the firmware will have a filename starting with
'FWF'.
7. Save the firmware image to your computer.
Testing new firmware

The integrity of firmware images downloaded from Fortinet's support portal can be verified using a file checksum.
A file checksum that does not match the expected value indicates a corrupt file. The corruption could be caused
by errors in transfer or by file modification. A list of expected checksum values for each build of released code is
available on Fortinet’s support portal.
Image integrity is also verified when the FortiGate is booting up. This integrity check is done through a cyclic
redundancy check (CRC). If the CRC fails, the FortiGate unit will encounter an error during the boot process.
Lastly, firmware images are signed and the signature is attached to the code as it is built. When upgrading an
image, the running OS will generate a signature and compare it with the signature attached to the image. If the
signatures do not match, the new OS will not load.
Testing before installation

FortiOS lets you test a new firmware image by installing the firmware image from a system reboot and saving it to
system memory. After completing this procedure, the FortiGate unit operates using the new firmware image with
the current configuration. This new firmware image is not permanently installed. The next time the FortiGate unit
restarts, it operates with the originally installed firmware image using the current configuration. If the new
firmware image operates successfully, you can install it permanently using the procedure explained in Testing
new firmware on page 82.
To use this procedure, you must connect to the CLI using the FortiGate console port and an RJ-45 to DB-9 or null
modem cable. This procedure temporarily installs a new firmware image using your current configuration.
For this procedure, you must install a TFTP server that you can connect to from the FortiGate internal interface.
The TFTP server should be on the same subnet as the internal interface.
To test the new firmware image:
1. Connect to the CLI using an RJ-45 to DB-9 or null modem cable.

2. Make sure the TFTP server is running.
3. Copy the new firmware image file to the root directory of the TFTP server.
4. Make sure the FortiGate unit can connect to the TFTP server using the execute ping command.
5. Enter the following command to restart the FortiGate unit:
execute reboot
6. As the FortiGate unit reboots, press any key to interrupt the system startup. As the FortiGate unit starts, a series
of system startup messages appears:
Press any key to display configuration menu....
82 Getting Started
7. Immediately press any key to interrupt the system startup.
You have only three (3) seconds to press any key. If you do not press a key quickly
enough, the FortiGate unit reboots and you must log in and repeat the execute
reboot command.
If you successfully interrupt the startup process, the following messages appears:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default
[C]: Configuration and information
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
Enter G, F, Q, or H:
8. Type G to get the new firmware image from the TFTP server. The following message appears:
Enter TFTP server address [192.168.1.168]:
9. Type the address of the TFTP server and press Enter. The following message appears:
Enter Local Address [192.168.1.188]:
10. Type an IP address of the FortiGate unit to connect to the TFTP server. The IP address must be on the same
network as the TFTP server.
Make sure you do not enter the IP address of another device on this network.
The following message appears:

Enter File Name [image.out]:
11. Enter the firmware image file name and press Enter. The TFTP server uploads the firmware image file to the
FortiGate unit and the following appears.
Save as Default firmware/Backup firmware/Run image without saving: [D/B/R]
12. Type R. The FortiGate image is installed to system memory and the FortiGate unit starts running the new
firmware image, but with its current configuration.
You can test the new firmware image as required. When done testing, you can reboot the FortiGate unit, and the
FortiGate unit will resume using the firmware that was running before you installed the test firmware.
Upgrading the firmware

Installing firmware replaces your current antivirus and attack definitions, along with the definitions included with
the firmware release you are installing. After you install new firmware, make sure that antivirus and attack
definitions are up to date. You can also use the CLI command execute update-now to update the antivirus
and attack definitions.
Always remember to back up your configuration before making any changes to the
firmware.
Be sure to read the topics on downloading and testing firmware before upgrading.
Getting Started 83
To upgrade the firmware - GUI:
1. Log into the GUI as the admin administrative user.

2. Go to System > Firmware.
3. Under Upload Firmware, select Browse and locate the firmware image file.
4. Select OK.
The FortiGate unit uploads the firmware image file, upgrades to the new firmware version, restarts, and displays
the FortiGate login. This process takes a few minutes.
You can also upgrade firmware using Secure File Copy (SCP). See How to
download/upload a FortiGate configuration file using secure file copy (SCP).
You enable SCP support using the following command:

set admin-scp enable
end
For more information about this command and about SCP support, see config system
global.
To upgrade the firmware - CLI:
Before you begin, ensure you have a TFTP server running and accessible to the FortiGate unit.

3. Log into the CLI.
4. Make sure the FortiGate unit can connect to the TFTP server. You can use the following command to ping the
computer running the TFTP server. For example, if the IP address of the TFTP server is 192.168.1.168:
execute ping 192.168.1.168
5. Enter the following command to copy the firmware image from the TFTP server to the FortiGate unit:
execute restore image tftp <filename> <tftp_ipv4>
Where <name_str> is the name of the firmware image file and <tftp_ipv4> is the IP address of
the TFTP server. For example, if the firmware image file name is image.out and the IP address of
the TFTP server is 192.168.1.168, enter:
execute restore image tftp image.out 192.168.1.168
The FortiGate unit responds with the message:

This operation will replace the current firmware version!
Do you want to continue? (y/n)
6. Type y. The FortiGate unit uploads the firmware image file, upgrades to the new firmware version, and restarts.
This process takes a few minutes.
7. Reconnect to the CLI.
8. Update antivirus and attack definitions, by entering:
execute update-now
84 Getting Started
Reverting to a previous firmware version

The following procedure reverts the FortiGate unit to its factory default configuration and deletes any
configuration settings. If you are reverting to a previous FortiOS version, you might not be able to restore the
previous configuration from the backup configuration file.
Always remember to back up your configuration before making any changes to the
firmware.
To revert to a previous firmware version - GUI:
1. Log into the GUI as the admin user.

2. Go to System > Firmware.
3. Under Upload Firmware, select Browse and locate the firmware image file.
4. Select OK.
The FortiGate unit uploads the firmware image file, reverts to the old firmware version, resets the configuration,
restarts, and displays the FortiGate login. This process takes a few minutes.
To revert to a previous firmware version - CLI:
Before beginning this procedure, it is recommended that you:
l Backup the FortiGate unit system configuration using the command

execute backup config.
l Backup the IPS custom signatures using the command execute
backup ipsuserdefsig.
l Backup web content and email filtering lists.
To use the following procedure, you must have a TFTP server the FortiGate unit can connect to.

2. Copy the firmware image file to the root directory of the TFTP server.
3. Log into the FortiGate CLI.
4. Make sure the FortiGate unit can connect to the TFTP server by using the execute ping command.
5. Enter the following command to copy the firmware image from the TFTP server to the FortiGate unit:
execute restore image tftp <name_str> <tftp_ipv4>
Where <name_str> is the name of the firmware image file and <tftp_ipv4> is the IP address of
the TFTP server. For example, if the firmware image file name is imagev28.out and the IP
address of the TFTP server is 192.168.1.168, enter:
execute restore image tftp image28.out 192.168.1.168
The FortiGate unit responds with this message:

6. Type y. The FortiGate unit uploads the firmware image file. After the file uploads, a message similar to the
following appears:
Get image from tftp server OK.
Getting Started 85
Check image OK.

This operation will downgrade the current firmware version!
7. Type y. The FortiGate unit reverts to the old firmware version, resets the configuration to factory defaults, and
restarts. This process takes a few minutes.
8. Reconnect to the CLI.
9. To restore your previous configuration, if needed, use the command:
execute restore config <name_str> <tftp_ipv4>
10. Update antivirus and attack definitions using the command:
execute update-now
Installing firmware from a system reboot - CLI

In the event that the firmware upgrade does not load properly and the FortiGate unit will not boot, or continuously
reboots, it is best to perform a fresh install of the firmware from a reboot using the CLI.
This procedure installs a firmware image and resets the FortiGate unit to default settings. You can use this
procedure to upgrade to a new firmware version, revert to an older firmware version, or re-install the current
firmware.
To use this procedure, you must connect to the CLI using the FortiGate console port and a RJ-45 to DB-9, or null
modem cable. This procedure reverts the FortiGate unit to its factory default configuration.
For this procedure you install a TFTP server that you can connect to from the FortiGate internal interface. The
TFTP server should be on the same subnet as the internal interface.
Before beginning this procedure, ensure you backup the FortiGate unit configuration.
If you are reverting to a previous FortiOS version, you might not be able to restore the previous configuration from
the backup configuration file.
Installing firmware replaces your current antivirus and attack definitions, along with the definitions included with
the firmware release you are installing. After you install new firmware, make sure that antivirus and attack
definitions are up to date.
To install firmware from a system reboot:
1. Connect to the CLI using the RJ-45 to DB-9 or null modem cable.
4. Make sure the internal interface is connected to the same network as the TFTP server.
5. To confirm the FortiGate unit can connect to the TFTP server, use the following command to ping the computer
running the TFTP server. For example, if the IP address of the TFTP server is 192.168.1.168:
execute ping 192.168.1.168
6. Enter the following command to restart the FortiGate unit.
execute reboot
The FortiGate unit responds with the following message:

This operation will reboot the system!
86 Getting Started
7. Type y. As the FortiGate unit starts, a series of system startup messages appears. When the following messages
appears:
Press any key to display configuration menu..........
Immediately press any key to interrupt the system startup.
You have only three (3) seconds to press any key. If you do not press a key quickly
enough, the FortiGate unit reboots and you must log in and repeat the execute
reboot command.
If you successfully interrupt the startup process, the following messages appears:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default
[C]: Configuration and information
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
Enter G, F, Q, or H:
8. Type G to get to the new firmware image form the TFTP server. The following message appears:
Enter TFTP server address [192.168.1.168]:
9. Type the address of the TFTP server and press Enter. The following message appears:
Enter Local Address [192.168.1.188]:
10. Type an IP address the FortiGate unit can use to connect to the TFTP server. The IP address can be any IP
address that is valid for the network to which the interface is connected.
Make sure you do not enter the IP address of another device on this network.
The following message appears:

Enter File Name [image.out]:
11. Enter the firmware image filename and press Enter.
The TFTP server uploads the firmware image file to the FortiGate unit and a message similar to the following
appears:
Save as Default firmware/Backup firmware/Run image without saving: [D/B/R]
12. Type D. The FortiGate unit installs the new firmware image and restarts. The installation might take a few
minutes to complete.
Restoring firmware from a USB key - CLI

1. Log into the CLI.
2. Enter the following command to restore an unencrypted configuration file:
execute restore image usb Restore image from USB disk.
{string} Image file name on the USB disk.
The FortiGate unit responds with the following message:
Getting Started 87
Configuration Backups Basic Administration

3. Type y.
Configuration revision
You can manage multiple versions of configuration files on models that have a 512MB flash memory and higher.
Revision control requires either a configured central management server or the local hard drive, if your FortiGate
has this feature. Typically, configuration backup to local drive is not available on lower-end models.
The central management server can either be a FortiManager unit or FortiCloud.
If central management is not configured on your FortiGate unit, a message appears instructing you to either:
l Enable central management, or

l obtain a valid license.
When revision control is enabled on your FortiGate unit, and configuration backups have been made, a list of
saved revisions of those backed-up configurations appears.
Configuration revisions are viewed by clicking on admin in the upper right-hand corner of the screen and
selecting Configuration > Revisions.
Controlled upgrade
Using a controlled upgrade, you can upload a new version of the FortiOS firmware to a separate partition in the
FortiGate memory for later upgrade. The FortiGate unit can also be configured so that when it is rebooted, it will
automatically load the new firmware (CLI only). Using this option, you can stage a number of FortiGate units to
do an upgrade simultaneously to all devices using FortiManager or script.
To load the firmware for later installation - CLI:

execute restore secondary-image {ftp | tftp | usb} <filename_str>
To set the FortiGate unit so that when it reboots, the new firmware is loaded, use the CLI command . . .
execute set-next-reboot {primary | secondary}
where {primary | secondary} is the partition with the preloaded firmware.
Configuration Backups
Once you successfully configure the FortiGate, it is extremely important that you backup the configuration. In
some cases, you may need to reset the FortiGate to factory defaults or perform a TFTP upload of the firmware,
which will erase the existing configuration. In these instances, the configuration on the device will have to be
recreated, unless a backup can be used to restore it. You should also backup the local certificates, as the unique
SSL inspection CA and server certificates that are generated by your FortiGate by default are not saved in a
system backup.
It is also recommended that you backup the configuration after any future changes are made, to ensure you have
the most current configuration available. Also, backup the configuration before any upgrades of the FortiGate’s
firmware. Should anything happen to the configuration during the upgrade, you can easily restore the saved
configuration.
88 Getting Started
Basic Administration Configuration Backups
Always backup the configuration and store it on the management computer or off-site. You have the option to
save the configuration file to various locations including the local PC, USB key, FTP, and TFTP server. The last
two are configurable through the CLI only.
If you have VDOMs, you can back up the configuration of the entire FortiGate or only a specific VDOM. Note that
if you are using FortiManager or FortiCloud, full backups are performed and the option to backup individual
VDOMs will not appear.
You can also backup and restore your configuration using Secure File Copy (SCP).
See How to download/upload a FortiGate configuration file using secure file copy
(SCP).
You enable SCP support using the following command:

set admin-scp enable
end
For more information about this command and about SCP support, see config system
global.
Backing up the configuration using the GUI

1. Click on admin in the upper right-hand corner of the screen and select Configuration > Backup.
2. Direct the backup to your Local PC or to a USB Disk.
The USB Disk option will be grayed out if no USB drive is inserted in the USB port. You can also backup to
the FortiManager using the CLI.
3. If VDOMs are enabled, indicate whether the scope of the backup is for the entire FortiGate configuration (Global)
or only a specific VDOM configuration (VDOM).
4. If backing up a VDOM configuration, select the VDOM name from the list.
5. Select Encryption.
Encryption must be enabled on the backup file to back up VPN certificates.
6. Enter a password and enter it again to confirm it. You will need this password to restore the file.
7. Select OK.
8. The web browser will prompt you for a location to save the configuration file. The configuration file will have a
.conf extension.
Backing up the configuration using the CLI

Use one of the following commands:
execute backup config management-station <comment>
or:
execute backup config usb <backup_filename> [<backup_password>]
or for FTP, note that port number, username are optional depending on the FTP site:
execute backup config ftp <backup_filename> <ftp_server> [<port>] [<user_name>]
[<password>]
or for TFTP:
execute backup config tftp <backup_filename> <tftp_servers> <password>
Getting Started 89
Configuration Backups Basic Administration
Use the same commands to backup a VDOM configuration by first entering the commands:
config vdom
edit <vdom_name>
Backup and restore the local certificates

This procedure exports a server (local) certificate and private key together as a password protected PKCS12 file.
The export file is created through a customer-supplied TFTP server. Ensure that your TFTP server is running and
accessible to the FortiGate before you enter the command.
To back up the local certificates:
Connect to the CLI and use the following command:

execute vpn certificate local export tftp <cert_name> <filename> <tftp_ip>
where:
l <cert_name> is the name of the server certificate.

l <filename> is a name for the output file.
l <tftp_ip> is the IP address assigned to the TFTP server host interface.
To restore the local certificates - GUI:
1. Move the output file from the TFTP server location to the management computer.
2. Go to System > Certificates and select Import.
3. Select the appropriate type of certificate from the dropdown menu and fill in any required fields.
4. Select Upload. Browse to the location on the management computer where the exported file has been saved,
select the file and select Open.
5. If required, enter the Password needed to upload the exported file.
6. Select OK.
To restore the local certificates - CLI:
Connect to the CLI and use the following command:

execute vpn certificate local import tftp <filename> <tftp_ip>
Restore a configuration
Should you need to restore a configuration file, use the following steps:
To restore the FortiGate configuration - GUI:
1. Click on admin in the upper right-hand corner of the screen and select Configuration > Restore.
2. Identify the source of the configuration file to be restored : your Local PC or a USB Disk.
The USB Disk option will be grayed out if no USB drive is inserted in the USB port. You can restore from the
FortiManager using the CLI.
3. Enter the path and file name of the configuration file, or select Browse to locate the file.
4. Enter a password if required.
90 Getting Started
Basic Administration Configuration Backups
5. Select Restore.
To restore the FortiGate configuration - CLI:

execute restore config management-station normal 0
or:
execute restore config usb <filename> [<password>]
or for FTP, note that port number, username are optional depending on the FTP site:
execute restore config ftp <backup_filename> <ftp_server> [<port>] [<user_name>]
[<password>]
or for TFTP:
execute restore config tftp <backup_filename> <tftp_server> <password>
The FortiGate will load the configuration file and restart. Once the restart has completed, verify that the
configuration has been restored.
Troubleshooting
During the installation, some possible errors may occur, but the solutions are usually straightforward.
Error message Reason and Solution
Configuration file error This error occurs when attempting to upload a configuration file that is
incompatible with the device. This may be due to the configuration file being for a
different model or being saved from a different version of firmware.
Solution: Upload a configuration file that is for the correct model of FortiGate
device and the correct version of the firmware.
Invalid password When the configuration file is saved, it can be protected by a password. The
password entered during the upload process is not matching the one associated
with the configuration file.
Solution: Use the correct password if the file is password protected.
Configuration revision
You can manage multiple versions of configuration files on models that have a 512MB flash memory and higher.
Revision control requires either a configured central management server or the local hard drive, if your FortiGate
has this feature. Typically, configuration backup to local drive is not available on lower-end models.
The central management server can either be a FortiManager unit or FortiCloud.
If central management is not configured on your FortiGate unit, a message appears instructing you to either:
l Enable central management, or

l obtain a valid license.
When revision control is enabled on your FortiGate unit, and configuration backups have been made, a list of
saved revisions of those backed-up configurations appears.
Getting Started 91
FortiGuard Basic Administration
Configuration revisions are viewed by clicking on admin in the upper right-hand corner of the screen and
selecting Configuration > Revisions.
Restore factory defaults

There may be a need to reset the FortiGate to its original defaults; for example, to begin with a fresh
configuration. There are two options when restoring factory defaults. The first resets the entire device to the
original out-of-the-box configuration.
You can reset using the CLI by entering the command:

execute factoryreset
When prompted, type y to confirm the reset.
Alternatively, in the CLI you can reset the factory defaults but retain the interface and VDOM configuration. Use
the following command:
execute factoryreset2
FortiGuard
The FortiGuard Distribution Network (FDN) of servers provides updates to antivirus, antispam, and IPS
definitions to your FortiGate. FortiGuard Subscription Services provides comprehensive Unified Threat
Management (UTM) security solutions to enable protection against content and network level threats.
The FortiGuard team can be found around the globe, monitoring virus, spyware and vulnerability activities. As
vulnerabilities are found, signatures are created and pushed to the subscribed FortiGates. The Global Threat
Research Team enables Fortinet to deliver a combination of multi-layered security intelligence and provide true
zero-day protection from new and emerging threats. The FortiGuard Network has data centers around the world
located in secure, high availability locations that automatically deliver updates to the Fortinet security platforms
to protect the network with the latest information.
FortiGuard provides a number of services to monitor world-wide activity and provide the best possible security,
including:
l Intrusion Prevention System (IPS) - IPS uses a customizable database of more than 4000 known threats to stop
attacks that evade conventional firewall defenses. It also provides behavior-based heuristics, enabling the system
to recognize threats when no signature has yet been developed. It also provides more than 1000 application identity
signatures for complete application control.
l Application Control - Application Control allows you to identify and control applications on networks and
endpoints regardless of port, protocol, and IP address used. It gives you unmatched visibility and control over
application traffic, even traffic from unknown applications and sources. Application Control is a free FortiGuard
service and the database for Application Control signatures is separate from the IPS database (Botnet Application
signatures are still part of the IPS signature database since these are more closely related with security issues and
less about application detection). Application Control signature database information is displayed under the
System > FortiGuard page in the FortiCare section.
Please note that while the Application Control profile can be used for free, signature
database updates require a valid FortiGuard subscription.
92 Getting Started
Basic Administration FortiGuard
l AntiVirus -The FortiGuard AntiVirus Service provides fully automated updates to ensure protection against the
latest content level threats. It employs advanced virus, spyware, and heuristic detection engines to prevent both
new and evolving threats from gaining access to your network and protects against vulnerabilities.
l Web Filtering - Web Filtering provides Web URL filtering to block access to harmful, inappropriate, and dangerous
web sites that may contain phishing/pharming attacks, malware such as spyware, or objectionable content that can
expose your organization to legal liability. Based on automatic research tools and targeted research analysis, real-
time updates enable you to apply highly-granular policies that filter web access based on six major categories and
nearly 80 micro-categories, over 45 million rated web sites, and more than two billion web pages - all continuously
updated.
l Vulnerability Scanning - FortiGuard Services provide comprehensive and continuous updates for vulnerabilities,
remediation, patch scan, and configuration benchmarks.
l Email Filtering - The FortiGuard Antispam Service uses both a sender IP reputation database and a spam
signature database, along with sophisticated spam filtering tools on Fortinet appliances and agents, to detect and
block a wide range of spam messages. Updates to the IP reputation and spam signature databases are provided
continuously via the FDN.
l Messaging Services - Messaging Services allow a secure email server to be automatically enabled on your
FortiGate to send alert email or send email authentication tokens. With the SMS gateway, you can enter phone
numbers where the FortiGate will send the SMS messages. Note that depending on your carrier, there may be a
slight time delay on receiving messages.
l DNS and DDNS - The FortiGuard DNS and DDNS services provide an efficient method of DNS lookups once
subscribed to the FortiGuard network. This is the default option. The FortiGate connects automatically to the
FortiGuard DNS server. If you do not register, you need to configure an alternate DNS server.
Configure the DDNS server settings using the CLI command:
config system fortiguard
set ddns-server-ip
set ddns-server-port
end
Support Contract and FortiGuard Subscription Services

The FDN support Contract is available under System > FortiGuard.
The License Information area displays the status of your FortiGate’s support contract.
You can also manually update the AntiVirus and IPS engines.
Verifying your connection to FortiGuard

If you are not getting FortiGuard web filtering or antispam services, there are a few things to verify that
communication to the FDN is working. Before any troubleshooting, ensure that the FortiGate has been registered
and subscribed to the FortiGuard services.
Verification - GUI:
The simplest method to check that the FortiGate is communicating with the FDN, is to check the License
Information dashboard widget. Any subscribed services should have a green check mark beside them indicating
that connections are successful. Any other icon indicates a problem with the connection, or you are not
subscribed to the FortiGuard services.
You can also view the FortiGuard connection status by going to System > FortiGuard.
Getting Started 93
Verification - CLI:
You can also use the CLI to see what FortiGuard servers are available to your FortiGate. Use the following CLI
command to ping the FDN for a connection:
execute ping guard.fortinet.net
You can also use the following diagnose command to find out what FortiGuard servers are available:
diagnose debug rating
From this command, you will see output similar to the following:
Locale : english
License : Contract
Expiration : Sun Jul 24 20:00:00 2011
Hostname : service.fortiguard.net
-=- Server List (Tue Nov 2 11:12:28 2010) -=-
IP Weight RTT Flags TZ Packets Curr Lost Total Lost

69.20.236.180 0 10 -5 77200 0 42
69.20.236.179 0 12 -5 52514 0 34
66.117.56.42 0 32 -5 34390 0 62
80.85.69.38 50 164 0 34430 0 11763
208.91.112.194 81 223 D -8 42530 0 8129
216.156.209.26 286 241 DI -8 55602 0 21555
An extensive list of servers are available. Should you see a list of three to five available servers, the FortiGuard
servers are responding to DNS replies to service FortiGuard.net, but the INIT requests are not reaching FDS
services on the servers.
The rating flags indicate the server status:
D Indicates the server was found via the DNS lookup of the hostname. If the hostname returns
more than one IP address, all of them will be flagged with 'D' and will be used first for INIT
requests before falling back to the other servers.
I Indicates the server to which the last INIT request was sent.
F The server has not responded to requests and is considered to have failed.
T The server is currently being timed.
The server list is sorted first by weight and then the server with the smallest RTT is put at the top of the list,
regardless of weight. When a packet is lost, it will be resent to the next server in the list.
The weight for each server increases with failed packets and decreases with successful packets. To lower the
possibility of using a distant server, the weight is not allowed to dip below a base weight, which is calculated as
the difference in hours between the FortiGate and the server, multiplied by 10. The further away the server, the
higher its base weight and the lower in the list it will appear.
Port assignment
The FortiGate contacts FDN for the latest list of FDN servers by sending UDP packets with typical source ports of
1027 or 1031, and destination port 8888. The FDN reply packets have a destination port of 1027 or 1031.
94 Getting Started
If your ISP blocks UDP packets in this port range, the FortiGate cannot receive the FDN reply packets. As a result,
the FortiGate will not receive the complete FDN server list.
If your ISP blocks the lower range of UDP ports (around 1024), you can configure your FortiGate to use higher-
numbered ports, using the CLI command:
set ip-src-port-range <start port>-<end port>
end
where the <start port> and <end port> are numbers ranging of 1024 to 25000.
For example, you could configure the FortiGate to not use ports lower than 2048 or ports higher than the
following range:
set ip-src-port-range 2048-20000
end
Trial and error may be required to select the best source port range. You can also contact your ISP to determine
the best range to use. Push updates might be unavailable if:
l there is a NAT device installed between the unit and the FDN, and/or
l your unit connects to the Internet using a proxy server.
Configuring AntiVirus and IPS Options

Go to System > FortiGuard, and scroll down to the AntiVirus & IPS Updates section to configure the
antivirus and IPS options for connecting and downloading definition files.
Accept push Select to allow updates to be sent automatically to your FortiGate. New definitions will
updates be added as soon as they are released by FortiGuard.
Use override Appears only if Accept push updates is enabled.

push
Enable to configure an override server if you cannot connect to the FDN or if your
organization provides updates using their own FortiGuard server. Once enabled,
enter the following:
l Enter the IP address and port of the NAT device in front of your FortiGate. FDS will
connect to this device when attempting to reach the FortiGate.
l The NAT device must be configured to forward the FDS traffic to the FortiGate on
UDP port 9443.
Scheduled Enable for updates to be sent to your FortiGate at a specific time. For example, to
Updates minimize traffic lag times, you can schedule the update to occur on weekends or after
work hours.
Note that a schedule of once a week means any urgent updates will not be pushed
until the scheduled time. However, if there is an urgent update required, select the
Update Now button.
Getting Started 95
Improve IPS Enable to help Fortinet maintain and improve IPS signatures. The information sent to
quality the FortiGuard servers when an attack occurs can be used to keep the database
current as variants of attacks evolve.
Use extended IPS Regular IPS database protects against the latest common and in-the-wild attacks.
signature Extended IPS database includes protection from legacy attacks.
package
Update AV & IPS Select to manually initiate an FDN update.

Definitions
Manual updates
To manually update the signature definitions file, you need to first go to the Support web site at
https://support.fortinet.com. Once logged in, select Download > FortiGuard Service Updates. The browser
will present you the most current IPS and AntiVirus signature definitions which you can download.
Once downloaded to your computer, log into the FortiGate to load the definition file.
To load the definition file onto the FortiGate:
1. Go to System > FortiGuard.
2. In the License Information table, select the Upgrade Database link in either the Application Control
Signature, IPS, or AntiVirus row.
3. In the pop-up window, select Upload and locate the downloaded file and select Open.
The upload may take a few minutes to complete.
Automatic updates
The FortiGate can be configured to request updates from FDN on a scheduled basis, or via push notification.
Scheduling updates
Scheduling updates ensures that the virus and IPS definitions are downloaded to your FortiGate on a regular
basis, ensuring that you do not forget to check for the definition files yourself.
Updating definitions can cause a very short disruption in traffic currently being scanned while the FortiGate unit
applies the new signature database, Ideally, schedule updates during off-peak hours, such as evenings or
weekends, when network usage is minimal, to ensure that the network activity will not suffer from the added
traffic of downloading the definition files.
To enable scheduled updates - GUI:
1. Go to System > FortiGuard and scroll down to AntiVirus & IPS Updates.

2. Enable Scheduled Updates.
3. Select the frequency of updates.
4. Select Apply.
96 Getting Started
To enable scheduled updates - CLI:

config system autoupdate schedule
set status enable
set frequency {every | daily | weekly}
set time <hh:mm>
set day <day_of_week>
end
Push updates
Push updates enable you to get immediate updates when new viruses or intrusions have been discovered and
new signatures created. This ensures that the latest signature will be sent to the FortiGate as soon as possible.
When a push notification occurs, the FortiGuard server sends a notice to the FortiGate that there is a new
signature definition file available. The FortiGate then initiates a download of the definition file, similar to the
scheduled update.
To ensure maximum security for your network, you should have a scheduled update as well as enable the push
update, in case an urgent signature is created, and your cycle of the updates only occurs weekly.
To enable push updates - GUI:

2. Enable Accept push updates.
3. Select Apply.
To enable push updates - CLI:

config system autoupdate push-update
set status enable
end
Push IP override
If the FortiGate is behind another NAT device (or another FortiGate), to ensure it receives the push update
notifications, you need to use an override IP address for the notifications. To do this, you create a virtual IP to
map to the external port of the NAT device.
Generally speaking, if there are two FortiGate devices, the following steps need to be completed on the
FortiGate NAT device to ensure the FortiGate on the internal network receives the updates:
l Add a port forwarding virtual IP to the FortiGate NAT device that connects to the Internet by going to Policy
& Objects > Virtual IPs.
l Add a security policy to the FortiGate NAT device that connects to the Internet that includes the port forwarding
virtual IP.
l Configure the FortiGate on the internal network with an override push IP and port.
On the FortiGate internal device, the virtual IP is entered as the Use push override IP address.
To enable push update override- GUI:

2. Enable Accept push updates.
3. Enable Use override push.
Getting Started 97
4. Enter the virtual IP address configured on the NAT device.

5. Select Apply.
To enable push updates - CLI:

config system autoupdate push-update
set status enable
set override enable
set address <vip_address>
end
Sending malware statistics to FortiGuard

To support following malware trends and making zero-day discoveries, FortiGate units send encrypted statistics
to FortiGuard about IPS, Application Control, and AntiVirus events detected by the FortiGuard services running
on your FortiGate. FortiGuard uses the statistics collected to achieve a balance between performance and
security effectiveness by moving inactive signatures to an extended signature database.
The statistics include some non-personal information that identifies your FortiGate and its country. The
information is never shared with external parties. You can choose to disable the sharing of this information by
entering the following CLI command:
set fds-statistics disable
end
Configuring Web Filtering and Email Filtering Options

Go to System > FortiGuard, and scroll down to Filtering to set the size of the caches and ports.
Web Filter Cache Set the Time To Live (TTL) value. This is the number of seconds the
FortiGate will store a blocked IP or URL locally, saving time and network
access traffic, checking the FortiGuard server. Once the TTL has expired,
the FortiGate will contact an FDN server to verify a web address. The TTL
must be between 300 and 86400 seconds.
Anti-Spam Cache Set the TTL value (see above).
FortiGuard Filtering Port Select the port assignments for contacting the FortiGuard servers.
Filtering Service Indicates the status of the filtering service. Select Check Again if the
Availability filtering service is not available.
Request re-evaluation of a Select to re-evaluate a URL’s category rating on the FortiGuard Web Filter
URL's category service.
Email filtering
The FortiGuard data centers monitor and update email databases of known spam sources. With FortiGuard Anti-
Spam filtering enabled, the FortiGate verifies incoming email sender addresses and IPs against the database,
and takes the necessary actions as defined within the antivirus profiles.
98 Getting Started
Basic Administration FortiCloud
Spam source IP addresses can also be cached locally on the FortiGate, providing a quicker response time, while
easing load on the FortiGuard servers, aiding in a quicker response time for less common email address
requests.
By default, the anti-spam cache is enabled. The cache includes a TTL value, which is the amount of time an
email address will stay in the cache before expiring. You can change this value to shorten or extend the time
between 5 and 1,440 minutes.
To modify the antispam cache TTL - GUI:
1. Go to System > FortiGuard.
2. Under Filtering, enable Anti-Spam Cache.
3. Enter the TTL value in minutes.
4. Select Apply.
To modify the Anti-Spam filter TTL - CLI:

config system fortiguard
set antispam-cache-ttl <integer>
end
Further antispam filtering options can be configured to block, allow, or quarantine specific email addresses.
These configurations are available through the Security Profiles > Anti-Spam menu.
Online Security Tools

The FortiGuard online center provides a number of online security tools, including but not limited to:
l URL lookup — By entering a website address, you can see if it has been rated and what category and
classification it is filed as. If you find your website or a site you commonly go to has been wrongly categorized, you
can use this page to request that the site be re-evaluated.
https://fortiguard.com/webfilter
l Threat Encyclopedia — Browse the Fortiguard Labs extensive encyclopedia of threats. Search for viruses, botnet
C&C, IPS, endpoint vulnerabilities, and mobile malware.
https://www.fortiguard.com/encyclopedia
l Application Control — Browse the Fortiguard Labs extensive encyclopedia of applications.
https://fortiguard.com/appcontrol
FortiCloud
FortiCloud is a hosted security management and log retention service for FortiGate devices. It gives you
centralized reporting, traffic analysis, configuration management, and log retention without the need for
additional hardware or software.
FortiCloud offers a wide range of features:
l Simplified central management — FortiCloud provides a central web-based management console to manage
individual or aggregated FortiGate and FortiWiFi devices. Adding a device to the FortiCloud management
subscription is straightforward. FortiCloud has detailed traffic and application visibility across the whole network.
Getting Started 99
FortiCloud Basic Administration
l Hosted log retention with large default storage allocated — Log retention is an integral part of any security
and compliance program but administering a separate storage system is burdensome. FortiCloud takes care of this
automatically and stores the valuable log information in the cloud. Each device is allowed up to 200GB of log
retention storage. Different types of logs can be stored including Traffic, System Events, Web, Applications, and
Security Events.
l Monitoring and alerting in real time — Network availability is critical to a good end-user experience. FortiCloud
enables you to monitor your FortiGate network in real time with different alerting mechanisms to pinpoint potential
issues. Alerting mechanisms can be delivered via email.
l Customized or pre-configured reporting and analysis tools — Reporting and analysis are your eyes and
ears into your network’s health and security. Pre-configured reports are available, as well as custom reports that can
be tailored to your specific reporting and compliance requirements. For example, you may want to look closely at
application usage or website violations. The reports can be emailed as PDFs and can cover different time periods.
l Maintain important configuration information uniformly — The correct configuration of the devices within
your network is essential to maintaining an optimum performance and security posture. In addition, maintaining the
correct firmware (operating system) level allows you to take advantage of the latest features.
l Service security — All communication (including log information) between the devices and the clouds is
encrypted. Redundant data centers are always used to give the service high availability. Operational security
measures have been put in place to make sure your data is secure — only you can view or retrieve it.
Registration and Activation
Before you can activate a FortiCloud account, you must first register your device.
FortiCloud accounts can be registered manually through the FortiCloud website, https://www.forticloud.com, but
you can easily register and activate your account directly from your FortiGate.
Activating your FortiCloud Account
1. On your device’s dashboard, in the FortiCloud widget, select the Activate button in the status field.
2. A dialogue asking you to register your FortiCloud account appears. Select Create Account, enter your
information, view and accept the terms and conditions, and select OK.
3. A second dialogue window appears, asking you to enter your information to confirm your account. This sends a
confirmation email to your registered email. The dashboard widget then updates to show that confirmation is
required.
4. Open your email, and follow the confirmation link it contains.
Results
A FortiCloud page will open, stating that your account has been confirmed. The Activation Pending message on
the dashboard will change to state the type of account you have (‘1GB Free’ or ‘200GB Subscription’), and will
provide a link to the FortiCloud portal.
Enabling logging to FortiCloud

1. Go to Log & Report > Log Settings.
2. Enable Send Logs to FortiCloud.
100 Getting Started

Basic Administration FortiCloud
3. Select Test Connectivity to ensure that your FortiGate can connect to the registered FortiCloud account.
4. Scroll down to GUI Preferences, set Display Logs/FortiView From, to see FortiCloud logs within the
FortiGate's GUI.
Logging into the FortiCloud portal

Once logging has been configured and you have registered your account, you can log into the FortiCloud portal
and begin viewing your logging results. There are two methods to reach the FortiCloud portal:
l If you have direct networked access to the FortiGate, you can simply open your Dashboard and check the License
Information widget. Next to the current FortiCloud connection status will be a link to reach the FortiCloud Portal.
l If you do not currently have access to the FortiGate’s interface, you can visit the FortiCloud website
(https://forticloud.com) and log in remotely, using your email and password. It will ask you to confirm the FortiCloud
account you are connecting to and then you will be granted access. Connected devices can be remotely configured
using the Scripts page in the Management Tab, useful if an administrator may be away from the unit for a long
period of time.
Cloud Sandboxing
FortiCloud can be used for automated sample tracking, or sandboxing, for files from a FortiGate. This allows
suspicious files to be sent to be inspected without risking network security. If the file exhibits risky behavior, or is
found to contain a virus, a new virus signature is created and added to the FortiGuard antivirus signature
database.
Cloud sandboxing is configured by going to Security Fabric > Settings. After enabling Sandbox Inspection,
select the FortiSandbox type.
Sandboxing results are shown in a new tab called AV Submissions in the FortiCloud portal. This tab only
appears after a file has been sent for sandboxing.
For more information about FortiCloud, see the FortiCloud documentation.
Getting Started 101

Troubleshooting your FortiGate Installation
If your FortiGate does not function as desired after installation, try the following troubleshooting tips:
1. Use FortiExplorer if you can’t connect to the FortiGate over Ethernet

If you can’t connect to the FortiGate GUI or CLI, you may be able to connect using FortiExplorer. Refer to the
QuickStart Guide or see the section on the FortiExplorer for more details.
2. Check for equipment issues
Verify that all network equipment is powered on and operating as expected. Refer to the QuickStart Guide for
information about connecting your FortiGate to the network. You will also find detailed information about the
FortiGate LED indicators.
3. Check the physical network connections
Check the cables used for all physical connections to ensure that they are fully connected and do not appear
damaged, and make sure that each cable connects to the correct device and the correct Ethernet port on that
device.
4. Verify that you can connect to the internal IP address of the FortiGate
Connect to the GUI from the FortiGate’s internal interface by browsing to its IP address. From the PC, try to ping
the internal interface IP address; for example, ping 192.168.1.99.
If you cannot connect to the internal interface, verify the IP configuration of the PC. If you can ping the interface
but can't connect to the GUI, check the settings for administrative access on that interface.
5. Check the FortiGate interface configurations
Check the configuration of the FortiGate interface connected to the internal network by going to Network
> Interfaces and make sure Addressing mode is set to the correct mode.
6. Verify the security policy configuration
Go to Policy & Objects > IPv4 Policy and verify that the internal interface to Internet-facing interface security
policy has been added and is located near the top of the policy list. Check the Active Sessions column to ensure
that traffic has been processed (if this column does not appear, right-click on the title row, select Active
Sessions).
If you are using NAT mode, check the configuration of the policy to make sure that NAT is enabled and that Use
Outgoing Interface Address is selected.
7. Verify that you can connect to the Internet-facing interface’s IP address
Ping the IP address of the FortiGate’s Internet-facing interface. If you cannot connect to the interface, the
FortiGate is not allowing sessions from the internal interface to Internet-facing interface.
8. Verify the static routing configuration
Go to Network > Static Routes and verify that the default route is correct. Go to Monitor > Routing Monitor
and verify that the default route appears in the list as a static route. Along with the default route, you should see
two routes shown as Connected, one for each connected FortiGate interface.
9. Verify that you can connect to the gateway provided by your ISP
Ping the default gateway IP address from a PC on the internal network. If you cannot reach the gateway, contact
your ISP to verify that you are using the correct gateway.
10. Verify that you can communicate from the FortiGate to the Internet
Access the FortiGate CLI and use the command execute ping 8.8.8.8. You can also use the execute
traceroute 8.8.8.8 command to troubleshoot connectivity to the Internet.
11. Verify the DNS configurations of the FortiGate and the PCs
Check for DNS errors by pinging or using traceroute to connect to a domain name; for example: ping
www.fortinet.com.
102 Getting Started

Troubleshooting your FortiGate Installation
If the name cannot be resolved, the FortiGate or PC cannot connect to a DNS server and you should confirm that
the DNS server IP addresses are present and correct.
12. Confirm that the FortiGate can connect to the FortiGuard network
Once registered, the FortiGate obtains AntiVirus and Application Control and other updates from the FortiGuard
network. Once the FortiGate is on your network, you should confirm that it can reach the FortiGuard network.
First, check the License Information widget to make sure that the status of all FortiGuard services matches the
services that you have purchased.
Go to System > FortiGuard. Scroll down to Filtering Services Availability and select Check Again. After a
minute, the GUI should indicate a successful connection.
13. Consider changing the MAC address of your external interface
Some ISPs do not want the MAC address of the device connecting to their network cable to change. If you have
added a FortiGate to your network, you may have to change the MAC address of the Internet-facing interface
using the following CLI command:
edit <interface>
set macaddr <xx:xx:xx:xx:xx:xx>
end
end
14. Either reset the FortiGate to factory defaults or contact Fortinet Support for assistance. See the note below before
contacting support.
To reset the FortiGate to factory defaults, use the CLI command execute factoryreset. When prompted,
type y to confirm the reset.
Getting Started 103

Resources
Here's a list of some resources you can check out next to help you get the most out of your newly installed and
configured FortiGate.
Best Practices
The Best Practices document is a collection of guidelines to ensure the most secure and reliable operation of
FortiGates in a customer environment. It is updated periodically as new issues are identified.
This document can be found at http://docs.fortinet.com/.
The Fortinet Video Library
The Fortinet Video Library contains video tutorials showing how to configure various Fortinet products, including
FortiGates.
The Fortinet Video Library can be found at http://video.fortinet.com. You can also subscribe to Fortinet's
YouTube channel.
The FortiOS Handbook
The FortiOS Handbook is the complete guide to FortiOS, covering a variety of FortiGate configurations. The
Handbook is available as a single complete document online. Handbook chapters are also available as
standalone documents.
The FortiOS Handbook can be found at http://docs.fortinet.com/.
104 Getting Started

Copyright© 2021 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and
actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written
contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,
transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

FortiOS 5.6 Getting Started

Uploaded by

Copyright:

Available Formats

FortiOS 5.6 Getting Started

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

FortiOS 5.6 Getting Started

Uploaded by

Copyright:

Available Formats

3

FortiOS™ Handbook - Getting Started

FORTINET NSE INSTITUTE (TRAINING)

END USER LICENSE AGREEMENT AND PRIVACY POLICY

November 19, 2018

FortiOS™ Handbook - Getting Started

Date Change description

October 26, 2018 Corrected an error in Configuration Backups on page 88.

September 13, 2018 Initial FortiOS 5.6.6 release.

June 21, 2018 Initial FortiOS 5.6.5 release.

April 26, 2018 Initial FortiOS 5.6.4 release.

March 23, 2018 Update to Inspection Mode re: SSH inspection support.

February 13, 2018 Updated FortiExplorer for iOS content to be iOS-specific.

December 5, 2017 FortiOS 5.6.3 release. See "FortiOS 5.6.3" on page 9

October 17, 2017 Updates and edits throughout the chapter.

September 28, 2017 Added information to Registration.

August 17, 2017 Initial FortiOS 5.6.2 release.

l Installation discusses installing a FortiGate in your network.

Differences between Models

Preliminary information on entry-level models is available below:

l Quick installation using DHCP

These features first appeared in FortiOS 5.6.3.

Administrator password changes (414927)

These features first appeared in FortiOS 5.6.1.

VM License visibility improvement (423347)

l Added VM widget to Global > Dashboard. Includes the following:

FortiView Dashboard Widget (434179)

Widgets can be saved from a filtered FortiView page on to a dashboard.

set value <filter_value>

l report-by = Field to aggregate the data by.

Controls added to GUI CLI console (422623)

FortiExplorer icon enhancement (423838)

These features first appeared in FortiOS 5.6.

Enhancements to the GUI dashboard and its widgets are:

l Multiple dashboard support.

Enterprise Management Server (EMS) summary.

FortiGuard WAN IP blacklist service is now online

Fortinet Security Fabric

FortiOS 5.6.1 introduces a VM widget with these features:

l License status and type.

Changing inspection modes (flow-based or proxy-based)

Transparent Web proxy mode

NGFW profile-based and NGFW policy-based modes

Change to CLI console (396225)

System Information Dashboard widget WAN IP Information enhancement (401464)

CLI and GUI changes to display FortiCare registration information (395254)

Setup Wizard removed

The following topics are included in this section:

l Quick installation using DHCP

Quick installation using DHCP

Installing a FortiGate in NAT mode

NAT mode vs. Transparent mode

Standard installation in NAT mode

Redundant Internet installation

Installing a FortiGate with Redundant Internet

Using a Virtual Wire Pair

Adding a virtual wire pair and virtual wire pair policy

The following topics are included in this section:

l Connecting to the GUI using a web browser

Connecting to the GUI using a web browser