Foundational CLI Commands for Fortinet FortiGate Firewall Administration
System Identity and Localization
Establish the device hostname and the administrative interface language to standardize management operations. These settings define the administrative identity and localization of the appliance; the hostname is also carried in every log record the unit emits, so keep it unique per device.
config system global
set hostname "Perimeter-GW-01"
# language accepts: english simch trach japanese korean spanish french portuguese
set language simch
end
Interface Addressing and Assignment
Configure logical interfaces with static addressing parameters. Each interface needs a VDOM assignment, an addressing mode, an IP allocation, and an allowaccess list; together these define network segmentation and where the appliance can be managed from. Treat allowaccess as an exposure decision: every protocol listed on WAN_UPLINK below (https and ssh included) is reachable from the internet. Either omit management protocols on external interfaces or restrict administrator accounts to known source addresses with the trusthost settings under config system admin.
config system interface
edit "WAN_UPLINK"
set vdom "root"
set mode static
set ip 203.0.113.5 255.255.255.0
set allowaccess ping https ssh
set description "External ISP Connection"
next
edit "LAN_INTERNAL"
set vdom "root"
set mode static
set ip 172.16.10.1 255.255.255.0
set allowaccess ping https
set description "Corporate LAN Segment"
next
end
Static Routing Table Management
Define explicit routing entries to direct traffic flows. Static routes specify the destination network, subnet mask, next-hop gateway, and egress interface.
config router static
edit 10
set dst 0.0.0.0 0.0.0.0
set gateway 203.0.113.1
set device "WAN_UPLINK"
set comment "Default Gateway"
next
edit 20
set dst 10.20.0.0 255.255.0.0
set gateway 172.16.10.254
set device "LAN_INTERNAL"
set comment "Route to DMZ Zone"
next
end
Network Address Translation Policies
FortiOS performs NAT inside firewall policies rather than in a separate NAT table. Source NAT is switched on per policy with set nat enable (using the egress interface address, or an IP pool if one is assigned). Destination NAT is expressed as a virtual IP (VIP) object under config firewall vip, which maps a public address and optionally a port to an internal server; the policy then references that VIP as its destination address. This integrates translation with security filtering, so source, destination, service, and inspection are decided in a single rule.
Source NAT Configuration
Implement source address translation so that internal hosts reach external resources from a translated address. With set nat enable and no IP pool, the FortiGate substitutes the address of the egress interface (WAN_UPLINK) as the source.
config firewall policy
edit 100
set name "Outbound_Masquerade"
set srcintf "LAN_INTERNAL"
set dstintf "WAN_UPLINK"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat enable
set comments "SNAT for internal user traffic"
next
end
Destination NAT Configuration
Configure destination translation to publish an internal service: the VIP object holds the public-to-private address mapping, and the policy permits traffic to the VIP. Leave source NAT disabled on inbound policies; enabling it would rewrite every client address to the FortiGate's LAN address, so the published server's logs would no longer show who connected. A policy also needs an explicit action and schedule, otherwise it is not accepted or defaults to deny.
# VIP object: public address on WAN_UPLINK mapped 1:1 to the real server
# (172.16.10.50 is an assumed address inside the LAN_INTERNAL segment)
config firewall vip
edit "Public_VIP_Object"
set extintf "WAN_UPLINK"
set extip 203.0.113.5
set mappedip "172.16.10.50"
next
end
config firewall policy
edit 101
set name "Server_Publishing_HTTP"
set srcintf "WAN_UPLINK"
set dstintf "LAN_INTERNAL"
set srcaddr "all"
set dstaddr "Public_VIP_Object"
set action accept
set schedule "always"
set service "HTTP"
# no "set nat enable": the server must see the real client source address
set comments "DNAT for web server publication"
next
end
Port-Based Translation
Port forwarding is a property of the VIP object, not of the policy: enable portforward on the VIP, give it an external port and a mapped port, and reference that VIP from the policy. This lets several services share one public address, each external port mapped to a different internal host or port.
# Port-forwarding VIP: TCP/80 on the public address to TCP/8080 on the server
# (172.16.10.50 is an assumed address inside the LAN_INTERNAL segment)
config firewall vip
edit "Public_VIP_Object_8080"
set extintf "WAN_UPLINK"
set extip 203.0.113.5
set mappedip "172.16.10.50"
set portforward enable
set protocol tcp
set extport 80
set mappedport 8080
next
end
config firewall policy
edit 102
set name "Web_App_Port_Redirect"
set srcintf "WAN_UPLINK"
set dstintf "LAN_INTERNAL"
set srcaddr "all"
set dstaddr "Public_VIP_Object_8080"
set action accept
set schedule "always"
set service "HTTP"
set comments "Redirect external port 80 to internal port 8080"
next
end
Consolidated Deployment Script
The following script combines system initialization, interface setup, routing, the address and VIP objects, and the NAT policies into one deployable unit. The inbound policy publishes an internal management server on TCP/443 to a single trusted source address and carries no source NAT; the outbound policy masquerades the internal segment. Because the VIP claims TCP/443 on the EXT_PORT address, administrative HTTPS is left off that interface and the appliance itself is managed only from INT_PORT. Lines beginning with # are comments and are ignored when the script is loaded.
# System Initialization
config system global
set hostname "HQ-Gateway"
end
# Interface Definitions
config system interface
edit "EXT_PORT"
set mode static
set ip 198.51.100.10 255.255.255.248
# no management protocols on the internet-facing interface
set allowaccess ping
next
edit "INT_PORT"
set mode static
set ip 10.10.10.1 255.255.255.0
set allowaccess ping https
next
end
# Routing Configuration
config router static
edit 1
set dst 0.0.0.0 0.0.0.0
set gateway 198.51.100.9
set device "EXT_PORT"
next
end
# Address and VIP Objects
# (192.0.2.25 and 10.10.10.20 are assumed values; substitute the real hosts)
config firewall address
edit "Admin_Workstation"
set subnet 192.0.2.25 255.255.255.255
next
end
config firewall vip
edit "Internal_Mgmt_Server"
set extintf "EXT_PORT"
set extip 198.51.100.10
set mappedip "10.10.10.20"
set portforward enable
set protocol tcp
set extport 443
set mappedport 443
next
end
# NAT and Policy Enforcement
config firewall policy
edit 10
set name "Admin_DNAT"
set srcintf "EXT_PORT"
set dstintf "INT_PORT"
set srcaddr "Admin_Workstation"
set dstaddr "Internal_Mgmt_Server"
set action accept
set schedule "always"
set service "HTTPS"
# no source NAT: the management server must log the administrator's real address
set comments "Publish management server to one trusted source"
next
edit 20
set name "Standard_SNAT"
set srcintf "INT_PORT"
set dstintf "EXT_PORT"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat enable
set comments "Masquerade internal segment behind EXT_PORT"
next
end
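The interface and NAT sections above describe four mistakes that survive a copy-and-paste deployment: management protocols on the default-route interface, VIP attributes typed into a firewall policy, a policy with no explicit accept or schedule, and source NAT on a policy that publishes a VIP. The script below is an added example, not code from this page or from Fortinet: it parses the config/edit/set/next/end format and runs those checks over a constructed sample. The sample text, the object names, the 172.16.10.50 mapped address and the finding wording are assumptions made for the example.

```python
"""Lint a FortiOS CLI script for the pitfalls discussed on this page."""
import shlex

MGMT_SERVICES = {"http", "https", "ssh", "telnet", "snmp"}  # FortiGate's own admin plane
# Keys that belong in 'config firewall vip', never in 'config firewall policy'.
VIP_ONLY_KEYS = {"dst-addr", "extip", "mappedip", "portforward", "extport", "mappedport"}


def parse_fortios(text):
    """Parse config/edit/set/next/end text into {table: {entry: {key: [values]}}}.

    Tables without 'edit' entries (e.g. 'system global') keep their settings
    under the entry name ''; lines starting with '#' are comments.
    """
    tables, stack = {}, []  # stack holds (table path, current entry name or None)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cmd, *args = shlex.split(line)
        if cmd == "config":
            path = " ".join(args)
            tables.setdefault(path, {})
            stack.append((path, None))
        elif cmd == "edit":
            table, _ = stack[-1]
            tables[table].setdefault(args[0], {})
            stack[-1] = (table, args[0])
        elif cmd == "set":
            table, entry = stack[-1]
            tables[table].setdefault(entry or "", {})[args[0]] = args[1:]
        elif cmd == "next":
            stack[-1] = (stack[-1][0], None)
        elif cmd == "end":
            stack.pop()
    return tables


def default_route_interface(tables):
    """Return the egress device of the 0.0.0.0/0 static route, or None."""
    for route in tables.get("router static", {}).values():
        if route.get("dst") == ["0.0.0.0", "0.0.0.0"]:
            return route.get("device", [None])[0]
    return None


def lint(text):
    """Return sorted (object, finding) tuples."""
    tables = parse_fortios(text)
    findings, wan = [], default_route_interface(tables)
    vips = set(tables.get("firewall vip", {}))
    # 1. Management services reachable on the internet-facing interface.
    for name, iface in tables.get("system interface", {}).items():
        exposed = MGMT_SERVICES & set(iface.get("allowaccess", []))
        if name == wan and exposed:
            findings.append((name, f"management services {','.join(sorted(exposed))} "
                                   "enabled on default-route interface"))
    for pid, pol in tables.get("firewall policy", {}).items():
        # 2. NAT attributes typed into the policy instead of the VIP object.
        if bad := VIP_ONLY_KEYS & set(pol):
            findings.append((pid, f"attributes {','.join(sorted(bad))} belong in "
                                  "'config firewall vip', not the policy"))
        # 3. Without an explicit accept the policy is a deny; a schedule is required.
        if pol.get("action") != ["accept"]:
            findings.append((pid, "no 'set action accept': policy defaults to deny"))
        if "schedule" not in pol:
            findings.append((pid, "missing 'set schedule'"))
        # 4. SNAT on an inbound VIP policy hides the real client address from the server.
        if vips & set(pol.get("dstaddr", [])) and pol.get("nat") == ["enable"]:
            findings.append((pid, "source NAT on VIP policy hides client addresses"))
    return sorted(findings)


# Constructed sample, not a real device: policy 101 repeats the mistakes, 102 is correct.
SAMPLE_CONFIG = """
config system interface
    edit "WAN_UPLINK"
        set allowaccess ping https ssh
    next
end
config router static
    edit 10
        set dst 0.0.0.0 0.0.0.0
        set device "WAN_UPLINK"
    next
end
config firewall vip
    edit "Public_VIP_Object"
        set extip 203.0.113.5
        set mappedip "172.16.10.50"
    next
end
config firewall policy
    edit 101
        set dstaddr "Public_VIP_Object"
        set dst-addr "Internal_Server_Real_IP"
        set nat enable
    next
    edit 102
        set dstaddr "Public_VIP_Object"
        set action accept
        set schedule "always"
    next
end
"""
```

Run lint(SAMPLE_CONFIG) and policy 101 yields four findings while 102 yields none; feeding it the text of a real backup (show full-configuration) works the same way, since the parser only needs the config/edit/set nesting. The default-route lookup is what decides which interface counts as internet-facing, so a device with several uplinks needs that check extended to every static route with a public next hop.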