FortiGate Firewall - Hack The Forum

Remove Administrative Access from any interface that absolutely is NOT necessary in FortiGate

Rinki Singh — Mon, 09 Feb 2026 17:21:44 +0000

Use the CLI to disable all unnecessary admin protocols.

Example: Remove HTTPS, SSH, and Telnet from port2

config system interface
edit "port2"
set allowaccess ping
next
end

set allowaccess ping keeps basic connectivity (optional).

How do you view all interfaces and their IPs in FortiGate Firewall

Rinki Singh — Mon, 09 Feb 2026 17:15:33 +0000

View all interfaces with configuration

show system interface

Displays all interface configurations, including:

Interface name
IP address / subnet
VLAN information (if applicable)
Administrative and operational status

Get a quick list of interfaces with IPs

get system interface physical

Show interface status and IPs

get system interface

How do you view all firewall policies in CLI in fortigate firewall

Rinki Singh — Mon, 09 Feb 2026 17:12:37 +0000

Show all policies with configuration

show firewall policy

Get summary of all policies

get firewall policy

To perform a graceful shutdown and restart of a Palo Alto firewall in HA mode

paul0000 — Fri, 29 Nov 2024 13:02:21 +0000

In a Palo Alto Networks firewall deployed in High Availability (HA) mode, performing a graceful shutdown and restart involves properly handling both the active and passive firewalls to minimize service disruption. The process ensures that the failover between the firewalls happens smoothly, and the HA pair maintains high availability during the maintenance operation.

Steps to Gracefully Shutdown and Restart a Palo Alto Firewall in HA Mode:

1. Identify the Active and Passive Units

In an HA setup, one firewall is active, handling all traffic, while the other is passive, standing by to take over in case the active unit fails.

To check the HA status and identify the active and passive units:

Log in to the Web Interface of the firewall.
- Navigate to Dashboard > High Availability to see the status of both units.
- The unit in the active state is the one currently processing traffic, and the unit in the passive state is idle.
Alternatively, you can use the CLI to verify HA status:
```
> show high-availability state
```
This will show which unit is active and which is passive.

2. Failover to the Passive Unit (Manual Failover)

Before shutting down or restarting the active firewall, you need to ensure that the passive unit becomes active to maintain service continuity.

To manually force a failover, follow these steps:

Via Web Interface:
1. Navigate to Device > High Availability > Operation.
2. Click Suspend Local Device. This will force the local device to become passive and allow the other unit to take over as the active device.
Via CLI: You can also manually suspend the local device using the following command:
```
> request high-availability state suspend
```

This will cause the passive firewall to become active. Ensure that traffic is now passing through the passive firewall.

3. Gracefully Shut Down the Active Firewall (Now the Passive Unit)

Once failover is successful and the passive unit has taken over as active, you can proceed to shut down the firewall that was previously active.

Via Web Interface:
1. Navigate to Device > Restart or Device > Shutdown.
2. Choose the Shutdown option if you want to completely power off the firewall, or select Restart if you just want to reboot it.
Via CLI: To shut down the firewall gracefully, use the following command:
```
> request shutdown
```
If you only want to reboot the device, use:
```
> request restart system
```

4. Wait for the Unit to Shutdown or Restart

Once the shutdown or restart command is issued, wait for the firewall to power down or reboot.
Note: The failover process should ensure that traffic continues to flow through the passive unit, which is now active.

5. Check HA Status

After the active firewall has been shut down or restarted, check that the passive unit (now active) is functioning correctly. Once the original active firewall comes back online, it will rejoin the HA pair as the passive unit.

Via CLI, you can check the HA state again to ensure everything is operating as expected:
```
> show high-availability state
```

This command will show you the current HA status, indicating which unit is active and which is passive.

6. Bring the Restarted Firewall Back into HA (if it was shut down)

After the firewall that was shut down or restarted comes back online, it will automatically rejoin the HA cluster as the passive unit. You can verify this by checking the HA state.

Via Web Interface: Go to Device > High Availability > General and ensure that the HA pair shows both units as synchronized.
Via CLI: You can use the following command to verify the synchronization:
```
> show high-availability sync-to-group
```

If the firewall does not automatically rejoin, you may need to manually commit the configuration or restart the HA process using the following CLI command:

This will synchronize the configurations between the two units.

RAVPN in Fortinet

kajal — Fri, 30 Aug 2024 19:17:42 +0000

RAVPN (Remote Access VPN) in Fortinet is a feature provided by Fortinet’s FortiGate firewalls that allows users to securely connect to a corporate network from a remote location. RAVPN facilitates secure access to internal resources, such as applications, files, and network services, for remote users by creating a virtual private network tunnel.

Here’s an overview of RAVPN in Fortinet:

Key Features of Fortinet RAVPN

Secure Remote Access:
- Encryption: Ensures secure communication between remote users and the corporate network using strong encryption methods.
- Authentication: Supports various authentication mechanisms, including username/password, two-factor authentication (2FA), and integration with external authentication servers.
Flexible VPN Protocols:
- IPsec VPN: Provides robust security using IPsec (Internet Protocol Security) for encrypting data and ensuring secure transmission over the internet.
- SSL VPN: Allows secure remote access through SSL (Secure Sockets Layer) encryption, often used for web-based applications and services.
Client and Device Support:
- FortiClient: A Fortinet-provided VPN client software that users can install on their devices for connecting to the RAVPN. It supports both Windows and macOS operating systems.
- Third-Party Clients: Support for various third-party VPN clients, ensuring compatibility with a wide range of devices and operating systems.
Granular Access Control:
- Policy-Based Access: Allows administrators to define granular access policies, specifying which resources or network segments remote users can access.
- Group Policies: Enables grouping of users and applying specific policies based on user roles or departments.
Integration with Fortinet Ecosystem:
- FortiAuthenticator: Integrates with FortiAuthenticator for enhanced user authentication and identity management.
- FortiGate: Works seamlessly with other Fortinet security solutions like FortiGate firewalls, FortiSandbox, and FortiAnalyzer for comprehensive network security.
Scalability and Performance:
- High Availability: Supports high availability configurations to ensure uninterrupted remote access.
- Load Balancing: Distributes VPN connections across multiple FortiGate devices to optimize performance and prevent bottlenecks.

How to Configure RAVPN in Fortinet

Prerequisites:
- Ensure you have a FortiGate device with the necessary firmware version that supports RAVPN.
- Install FortiClient on remote user devices, if required.
Setting Up IPsec VPN:
- Create a VPN Tunnel:
  - Go to the FortiGate GUI, navigate to VPN > IPsec Tunnels, and create a new tunnel.
  - Configure the tunnel settings, including IPsec protocol settings, local and remote gateways, and authentication details.
- Configure Firewall Policies:
  - Set up firewall policies to allow traffic from the VPN to internal resources.
  - Define rules to control access based on source/destination addresses and services.
Setting Up SSL VPN:
- Configure SSL VPN Settings:
  - Go to VPN > SSL-VPN Settings and configure the SSL VPN settings, including the port number, SSL certificate, and virtual IP settings.
- Create SSL VPN Portal:
  - Set up the SSL VPN portal to define the resources and applications accessible through the SSL VPN.
- Configure User Access:
  - Define user groups and access permissions for SSL VPN connections.
User Authentication:
- Set Up Authentication Mechanisms:
  - Configure authentication methods, including local authentication, LDAP, RADIUS, or integration with FortiAuthenticator for two-factor authentication.
Testing and Monitoring:
- Test VPN Connections:
  - Verify remote access by connecting through the VPN client and testing access to internal resources.
- Monitor VPN Activity:
  - Use the FortiGate monitoring tools to track VPN connections, view logs, and troubleshoot any issues.

Example Configuration for SSL VPN

Here’s a simplified example of setting up an SSL VPN on a FortiGate device:

Create SSL VPN Settings:

config vpn ssl settings set servercert "your_ssl_certificate" set tunnel-ip-pools "sslvpn_tunnel_ip_pool" set port 443 end

Configure SSL VPN Portal:

config vpn ssl web portal edit "your_portal_name" set split-tunneling enable set bookmark enable next end

Define SSL VPN User Group:

config user group 
           edit "ssl_vpn_users" 
                    set member "user1" "user2" 
           next 
end

Configure Firewall Policy:

config firewall policy

edit 1 set srcintf "ssl.root" set dstintf "internal" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" next end

Benefits of Using Fortinet RAVPN

Enhanced Security:
- Provides secure access to corporate resources using encryption and authentication, protecting data from unauthorized access.
User Convenience:
- Allows remote users to access resources easily from anywhere, improving productivity and flexibility.
Comprehensive Control:
- Offers granular access control and integration with Fortinet’s security ecosystem, ensuring a unified approach to network security.
Scalability and Reliability:
- Supports high availability and load balancing, ensuring that remote access remains reliable and scalable as user demands grow.

In summary, Fortinet RAVPN offers a robust and secure solution for remote access to corporate networks. By leveraging IPsec and SSL VPN technologies, it provides flexible and reliable remote connectivity while integrating seamlessly with the Fortinet security ecosystem. Proper configuration and management of RAVPN can enhance security, user productivity, and network efficiency.

What is npu offload in Fortinet firewall?

FRTGT — Thu, 16 May 2024 01:07:47 +0000

NPU (Network Processing Unit) offload is a feature of Fortinet firewalls that allows certain network processing tasks to be handled by specialized hardware rather than the main CPU. This can improve the performance and efficiency of the firewall by allowing it to handle more traffic and perform complex tasks more quickly. Examples of tasks that can be offloaded to an NPU include packet filtering, VPN encryption/decryption, and network address translation (NAT).

In Fortinet firewalls, NPU (Network Processing Unit) offload refers to the capability of offloading certain network processing tasks to specialized hardware accelerators, namely NPUs. These NPUs are designed to handle specific types of network traffic efficiently, such as packet forwarding, security processing (like encryption/decryption, IPS/IDS, etc.), and other network-related operations.

By offloading these tasks to dedicated hardware, the firewall can achieve higher performance and throughput while maintaining security effectiveness. It helps in optimizing the utilization of the firewall's general-purpose CPU resources, allowing them to focus on more complex tasks and ensuring that the firewall can handle high volumes of traffic without becoming a bottleneck.

Overall, NPU offload enhances the performance and scalability of Fortinet firewalls, making them capable of handling demanding network environments more effectively.

NPU Processing in Fortigate

FRTGT — Wed, 15 May 2024 17:14:36 +0000

The NPU process is responsible for offloading certain networking tasks from the main CPU to dedicated hardware, such as packet forwarding, VPN encryption/decryption, and traffic shaping. This offloading helps improve performance and reduce the load on the main CPU.

To check the status of the VPN tunnels on the Fortigate device

paul0000 — Wed, 15 May 2024 12:04:42 +0000

To check the status of VPN tunnels on a FortiGate device, you can use the following command in the CLI (Command Line Interface):

get vpn ipsec tunnel summary

This command provides a summary of all IPsec VPN tunnels configured on the FortiGate device, including information such as tunnel name, local and remote gateway addresses, phase 1 and phase 2 status, uptime, and data transfer statistics.

Additionally, you can use the following command to list all VPN tunnels along with their detailed information:

diagnose vpn tunnel list

This command displays detailed information about all VPN tunnels, including tunnel ID, local and remote gateway addresses, phase 1 and phase 2 status, encryption algorithms, NAT traversal (NAT-T) status, and data transfer statistics.

These commands should help you check the status of VPN tunnels on your FortiGate device and troubleshoot any connectivity issues.

How to display the high availability (HA) status of the FortiGate unit

paul0000 — Wed, 15 May 2024 11:56:22 +0000

The "diagnose sys ha status" command in FortiGate is used to display the high availability (HA) status of the FortiGate unit in a high availability cluster. Here's what this command does and the information it provides:

HA Status: It provides an overview of the HA status of the FortiGate unit, indicating whether it is the primary unit or the secondary unit in the HA cluster.
HA Mode: It displays the HA mode configured for the cluster, such as active-passive or active-active.
HA Heartbeat: This section shows the heartbeat status between the primary and secondary units. A healthy heartbeat indicates proper communication between the cluster members.
HA Synchronization: It indicates the synchronization status of configuration and session information between the primary and secondary units. Synchronization ensures that both units have consistent configurations and session tables.
Failover Events: This section provides information about any failover events that have occurred, such as when the secondary unit takes over as the primary unit due to a failure or maintenance activity.
Cluster Configuration: It displays details about the HA cluster configuration, including cluster ID, cluster group ID, and virtual MAC address.

Here's an example output of the "diagnose sys ha status" command:

# diagnose sys ha status
Cluster ID: 1234567890
Cluster Group ID: 1
Virtual MAC: 00:09:0f:09:00:00
Mode: Active-Passive
Current virtual cluster members:
  1: hostname1 (primary) - 10.0.0.1
  2: hostname2 (secondary) - 10.0.0.2
Heartbeat Information:
  Status: Normal
  Last heartbeat sent: 10 seconds ago
  Last heartbeat received: 10 seconds ago
  Heartbeat errors: 0
Synchronization Information:
  Status: In Sync
  Last synchronization: 5 seconds ago
  Synchronization errors: 0
Failover Counters:
  Last failover: 2 days, 4 hours, 30 minutes ago
  Total failovers: 5

This output provides a comprehensive view of the HA status, including cluster configuration, heartbeat status, synchronization status, and failover events.

Deployment mode of Fortigate Firewall

paul0000 — Wed, 15 May 2024 11:51:44 +0000

The common deployment modes:

Transparent Mode: In this mode, the FortiGate unit operates as a transparent bridge, allowing it to seamlessly integrate into an existing network without requiring changes to IP addresses or network configurations. It can intercept and inspect traffic passing through it without modifying the network topology.
Gateway Mode: This is the default mode for FortiGate units. In gateway mode, the FortiGate device functions as a firewall and router, performing network address translation (NAT) and routing functions. It separates different network segments and controls traffic flow between them based on security policies.
Layer 2 Transparent Mode: Similar to transparent mode, but operates at Layer 2 of the OSI model. This mode maintains the original MAC addresses of packets passing through the FortiGate unit, allowing it to function seamlessly in Layer 2 networks.
VDOM (Virtual Domain) Mode: VDOMs enable the partitioning of a single FortiGate unit into multiple virtual firewalls, each with its own configuration settings, security policies, and interfaces. This is useful for service providers or organizations that need to provide firewall services to multiple customers or departments within a single device.
HA (High Availability) Mode: FortiGate devices can be deployed in a high availability configuration to provide redundancy and failover capabilities. In this mode, two FortiGate units operate in an active-passive configuration, with one unit serving as the primary firewall and the other as the standby. If the primary unit fails, the standby unit takes over seamlessly to ensure continuous network availability.
Cluster Mode: In cluster mode, multiple FortiGate units are interconnected to form a cluster, providing scalability, high availability, and load balancing. Traffic is distributed across the cluster members, and if one unit fails, the remaining units continue to handle traffic without interruption.
VDOMs in NAT/route mode: This mode allows you to configure VDOMs to operate in NAT/route mode, where each VDOM functions as an independent router with its own NAT and routing tables.