This glossary covers the essential terms you’ll encounter when working with FortiGate firewalls and their security policies:

• FortiGate: A security appliance developed by Fortinet that provides firewalling, VPN, antivirus, web filtering, intrusion prevention, and application control in a single platform.
• Firewall: A network security device that monitors and controls incoming and outgoing traffic based on predetermined security rules, acting as a barrier between trusted and untrusted networks.
• Firewall Policy: A rule or set of rules that determines what network traffic is allowed or denied between different network segments.
• NAT (Network Address Translation): A method that modifies network address information in packet headers, often used for IP address conservation and to hide internal network structures.
• UTM (Unified Threat Management): An approach that integrates multiple security features—such as antivirus, anti-spam, intrusion prevention, and web filtering—into a single device.
• Security Profile: A collection of security settings (e.g., antivirus, web filter, application control) that can be applied to firewall policies for enhanced threat protection.
• Zone: A logical grouping of interfaces on the firewall, used to simplify policy management by organizing interfaces with similar security requirements.
• Session: A communication exchange between two network endpoints, tracked by the firewall to enable stateful inspection of traffic.
• VDOM (Virtual Domain): A feature that allows a single FortiGate device to be split into multiple virtual firewalls, each with its own policies and configurations.
• Implicit Deny: The default security posture where any traffic not explicitly allowed by a policy is automatically denied.
• IPS (Intrusion Prevention System): A security feature that monitors network traffic for malicious activity and can block or alert on detected threats.
• VPN (Virtual Private Network): A secure, encrypted connection over a less secure network, such as the internet, often used to connect remote users or sites securely.

Below are typical firewall policy examples you might configure on a FortiGate firewall. These examples illustrate how to control different types of network traffic using source, destination, service, action, and security profiles:

• Allow Web Browsing: Permits users on the LAN to access web resources, with security scanning for threats.
• Block Social Media: Denies access to social media applications from the internal network.
• Allow VPN Access: Enables remote users to securely access internal resources via VPN, with added threat protection.
• Deny All: A default rule to block any traffic not explicitly allowed by previous policies.

Use this checklist to systematically troubleshoot issues with FortiGate firewalls and security policies:

• 1. Verify Physical and Network Connectivity:
  • Check interface status and cabling (Network → Interfaces or get system interface physical in CLI).
  • Ensure correct IP addressing, subnet mask, and gateway are configured.
• 2. Confirm Routing and NAT:
  • Check the routing table for correct routes to destination networks (get router info routing-table all).
  • Verify NAT settings on outbound policies if internet access is required.
• 3. Review Firewall Policies:
  • Ensure the relevant policy is enabled and ordered correctly (top-down evaluation).
  • Check source, destination, service, and action settings.
  • Make sure appropriate security profiles are applied as needed.
• 4. Analyze Logs and Sessions:
  • Enable and review logs for the affected policy (Policy & Objects → Firewall Policy → Logging Options).
  • Check Forward Traffic logs for denies or errors.
  • Use diagnose sys session list to inspect active sessions.
• 5. Use Diagnostic Tools:
  • Run diagnose debug flow to trace packet flow and identify where traffic is dropped.
  • Perform packet captures via GUI (Network → Packet Capture) or CLI (diagnose sniffer packet).
• 6. Check System Resources:
  • Monitor CPU, memory, and session count (get system performance status).
  • Address resource exhaustion if present.
• 7. Verify Firmware and Updates:
  • Ensure FortiOS firmware and security definitions (AV, IPS, Application Control) are up to date.
• 8. Confirm DNS and Time Settings:
  • Check DNS configuration and test resolution (execute ping google.com).
  • Verify system date and time are correct.
• 9. Test VPN and Remote Access (if applicable):
  • Check VPN tunnel status and logs for errors.
  • Debug VPN processes as needed (diagnose debug application ike -1 for IPsec, diagnose debug application sslvpn -1 for SSL-VPN).
• 10. Document and Escalate:
  • Record troubleshooting steps and findings.
  • Contact Fortinet support with detailed information if the issue persists.

Below is a collection of essential CLI commands that every FortiGate administrator should know for configuration, management, and troubleshooting of firewall and security policies. These commands provide quick access to system status, policy inspection, debugging, and more.

1. System Information and Status

• get system status - Displays general system information including firmware version, serial number, and uptime.
• get system performance top - Shows real-time CPU and memory usage statistics.
• get system interface physical - Lists physical interfaces and their status.
• get system arp - Displays the ARP table entries.

2. Firewall Policy Management

• show firewall policy - Lists all configured firewall policies.
• show firewall policy <policy_id> - Displays details of a specific firewall policy by ID.
• config firewall policy - Enters configuration mode for firewall policies to add, edit, or delete policies.
• edit <policy_id> - Selects a specific policy for editing within configuration mode.
• move <policy_id> before|after <policy_id> - Changes the order of firewall policies.

3. Session and Traffic Monitoring

• diagnose sys session list - Lists active sessions currently handled by the firewall.
• diagnose sys session clear - Clears all active sessions.
• diagnose debug flow - Enables packet flow debugging to trace how traffic is processed through policies.
• diagnose sniffer packet <interface> <filter> 4 - Captures packets on a specified interface with optional filter.

4. Debugging and Logs

• diagnose debug enable - Enables debugging output.
• diagnose debug disable - Disables debugging output.
• execute log filter category <category_id> - Filters logs by category.
• execute log display - Shows logs based on current filter settings.

5. Network and Routing

• get router info routing-table all - Displays the routing table entries.
• execute ping <ip_address> - Sends ICMP echo requests to test connectivity.
• execute traceroute <ip_address> - Traces the route packets take to a destination.

6. Configuration and Backup

• show full-configuration - Displays the entire device configuration.
• execute backup config flash <filename> - Backs up the current configuration to flash storage.
• execute restore config flash <filename> - Restores configuration from a backup file.

These commands are powerful tools for managing FortiGate firewalls efficiently and troubleshooting network issues effectively. Use them with care, especially commands that modify configurations or clear sessions.

Follow these best practices to strengthen your FortiGate firewall configuration, enhance security, and ensure reliable network protection:

• Change Default Settings: Always modify default usernames, passwords, and management ports. Use unique, complex passwords and restrict management access to trusted IPs only.
• Operate in NAT Mode: Use NAT mode to mask internal IP addresses and control cross-zone access, making it harder for attackers to map your network.
• Apply the Principle of Least Privilege: Only allow necessary traffic and services. Limit administrator privileges and regularly audit user access.
• Order Firewall Policies Carefully: Place specific deny rules above general allow rules. Policies are evaluated top-down; incorrect order can lead to unintended access[6].
• Enable Security Profiles: Attach antivirus, web filtering, application control, and intrusion prevention profiles to policies for comprehensive threat protection[5].
• Keep Firmware and Definitions Updated: Regularly update FortiOS firmware and FortiGuard security databases (AV, IPS, Application Control) to patch vulnerabilities and stay protected against new threats[5][10].
• Use Encrypted Management Access: Only allow management via secure protocols like HTTPS and SSH. Disable unencrypted protocols such as HTTP and Telnet[8].
• Enable Multi-Factor Authentication (MFA): Require MFA for all administrator and remote user logins to reduce the risk of unauthorized access[5][10].
• Regularly Back Up Configurations: Schedule automatic backups of your firewall configuration to secure storage for disaster recovery and troubleshooting[5][10].
• Monitor and Log All Traffic: Enable logging on all policies, especially denies. Regularly review logs for unusual activity or policy violations[10].
• Review and Clean Up Policies: Periodically review firewall rules and remove unused or redundant policies to minimize attack surfaces[8].
• Test and Validate Security Controls: Conduct regular penetration testing and vulnerability assessments to identify and remediate weaknesses[5].
• Enable SSL/TLS Deep Inspection: Inspect encrypted traffic to detect hidden threats, ensuring proper certificates are deployed to endpoints[5][8].
• Implement DoS Protection: Enable Denial of Service (DoS) policies to detect and block abnormal traffic patterns and mitigate attacks[5][9].
• Secure Physical Access: Place firewalls in secure locations to prevent tampering or unauthorized physical access[5].

Adhering to these best practices will help you maximize the security, performance, and reliability of your FortiGate firewall deployment.