Listen to this Post
Introduction:
FortiGate firewalls are the backbone of enterprise network security, offering next-generation firewall (NGFW) capabilities that combine stateful inspection with application control, intrusion prevention, and advanced threat protection. For security professionals and network engineers, mastering the initial setup and hardening of these appliances is not just about connectivity—it’s about establishing a secure foundation that prevents lateral movement and unauthorized access from the moment the device goes live.
Learning Objectives:
- Configure basic FortiGate interfaces (WAN/LAN) and establish initial administrative access via HTTPS.
- Execute essential system hardening commands and security baseline configurations through the CLI.
- Verify operational status, interface connectivity, and implement basic firewall policies to control traffic flow.
You Should Know:
- Initial Access and Interface Configuration (GUI & CLI)
This section covers the core of the initial setup: connecting to the FortiGate, assigning IP addresses, and establishing administrative access. The process involves both the graphical interface for ease of use and the command-line interface (CLI) for precision and automation.
Step‑by‑step guide:
- Physical Connection: Connect your management PC to the FortiGate’s port1 (typically the internal interface) using an Ethernet cable. Configure your PC’s network adapter with a static IP in the default subnet (e.g., 192.168.1.2/24).
- Access GUI: Open a web browser and navigate to `https://192.168.1.99` (default IP). Accept the security warning regarding the self-signed certificate.
- Default Login: Use the default credentials: `admin` with no password (or a blank password). You will be prompted to change the password immediately.
- CLI Access (SSH): For command-line control, use an SSH client (like PuTTY on Windows or the terminal on Linux) to connect to the same IP. Authenticate with the admin credentials.
- Interface Configuration (CLI Equivalent): To configure the internal interface (LAN) via CLI:
config system interface edit port1 set ip 192.168.1.99 255.255.255.0 set allowaccess ping https ssh http next edit wan1 set mode static set ip [bash] [bash] set allowaccess ping set gateway [bash] next end
Note: For DHCP on WAN, set `mode dhcp` instead of static.
6. Linux/Windows Network Configuration (Client Side):
- Linux: `sudo ip addr add 192.168.1.2/24 dev eth0 && sudo ip link set eth0 up`
– Windows (PowerShell): `New-NetIPAddress -InterfaceAlias “Ethernet0” -IPAddress 192.168.1.2 -PrefixLength 24 -DefaultGateway 192.168.1.99`
2. System Hardening and Administrative Security
A default configuration is insecure. This step focuses on securing the management plane to prevent brute-force attacks, unauthorized access, and information leakage.
Step‑by‑step guide:
1. Change Admin Password (CLI):
config system admin edit admin set password "YourSecurePassword!" next end
2. Create a Limited Admin Account: Avoid using the `admin` account for daily tasks.
config system admin edit "sec_admin" set accprofile "read_only" Or "super_admin" for full access set password "AnotherStrongPassword!" next end
3. Restrict Administrative Access: Limit which IPs can manage the firewall.
config system admin edit admin set trusthost1 192.168.1.0 255.255.255.0 set trusthost2 [specific IP] 255.255.255.255 next end
4. Disable Unused Services: If you don’t use Telnet or SNMP, disable them to reduce the attack surface.
config system global set admin-telnet disable set admin-ssh-port 22 set admin-https-port 443 end
5. Enable HTTPS Strict-Transport-Security (HSTS): In the GUI under System > Settings, enable HSTS to force browsers to communicate only over HTTPS.
- Configuring Static Routes and DNS for Outbound Connectivity
For the FortiGate to route traffic to the internet (or other networks), a default route must be configured. Without this, internal clients cannot access external resources.
Step‑by‑step guide:
- Configure Default Route (CLI): Replace `wan1` with your external interface and the gateway with your ISP’s next-hop IP.
config router static edit 1 set device "wan1" set gateway [bash] set dst 0.0.0.0 0.0.0.0 next end
- Set DNS Servers: Configure DNS to enable the firewall to resolve domain names for updates and web filtering.
config system dns set primary 8.8.8.8 set secondary 1.1.1.1 set dns-over-tls enable end
- Verification: Test the configuration by pinging an external IP from the FortiGate CLI.
execute ping 8.8.8.8
If this fails, verify the WAN interface status (
get system interface physical) and the default gateway.
4. Implementing Basic Firewall Policies
Firewall policies are the rules that dictate which traffic is allowed or denied. A standard “LAN to WAN” policy permits internal users to access the internet, while a “WAN to LAN” policy (if any) should be strictly controlled.
Step‑by‑step guide:
- Create an Address Object (LAN Subnet): Define the source network.
config firewall address edit "LAN_Network" set subnet 192.168.1.0 255.255.255.0 next end
- Create the LAN-to-WAN Policy (CLI): This policy allows all traffic from the LAN to the internet, performing NAT (Network Address Translation).
config firewall policy edit 0 set name "LAN_to_WAN" set srcintf "port1" Internal interface set dstintf "wan1" External interface set srcaddr "LAN_Network" set dstaddr "all" set action accept set schedule "always" set service "ALL" set nat enable next end
- Enable Logging for Security Visibility: In the GUI, under the policy, enable Log Violation Traffic and Log Allowed Traffic to monitor activity. From CLI, add:
set logtraffic all
- Windows/Linux Verification: From a client PC (192.168.1.2), attempt to ping an external IP. If it fails, check the policy order (first match wins) and ensure NAT is enabled.
5. Verification and System Health Checks
After configuration, verifying the operational status ensures that the firewall is functioning as intended and that no configuration errors exist.
Step‑by‑step guide:
1. Check Interface Status:
get system interface physical
Look for `up` next to the physical links and ensure `ip` and `status` are correct.
2. View Active Firewall Sessions: Monitor current traffic flowing through the device.
diagnose sys session list
This output can be verbose; use filters: `diagnose sys session filter src 192.168.1.2` then diagnose sys session list.
3. Verify Policy Execution:
diagnose firewall policy list
This shows the policy IDs and their order. Ensure your LAN-to-WAN policy is at the top if you have strict rules above it.
4. Check the System Log for Errors:
execute log display
Look for configuration errors, authentication failures, or hardware issues.
5. Perform a System Backup: Always back up your configuration before major changes.
execute backup config tftp [bash] [bash]
Alternatively, download the configuration from the GUI under System > Maintenance > Backup.
What Undercode Say:
- Initial setup is only the first step. While the GUI provides a quick start, mastering the FortiGate CLI is essential for automation, troubleshooting, and implementing advanced security features like IPS and application control. The commands provided form the bedrock of any secure deployment.
- Hardening is non-negotiable. The most common breach vector is misconfigured administrative access. Changing default credentials, restricting trusthosts, and disabling unused services are simple actions that drastically reduce the risk of compromise before the firewall even sees production traffic.
Prediction:
As organizations adopt hybrid work models, the role of the firewall is shifting from a perimeter device to a distributed security enforcement point. FortiGate’s integration with SD-WAN and cloud-based security services (SASE) will become standard. Professionals who can seamlessly blend initial FortiGate configurations with automated security policies—using tools like Ansible or the Fortinet API—will be the architects of resilient, next-generation networks, moving beyond static rules to dynamic, context-aware security.
▶️ Related Video (86% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Sayed Hamza – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
