Home

Mastering FortiGate CLI: A Complete Guide to Configuration with PuTTY

.

In an era of sophisticated cyber threats, network security demands precision and control. While graphical interfaces offer convenience, the command-line interface (CLI) of a FortiGate firewall provides unparalleled power, speed, and flexibility for network professionals. Whether performing initial device setup, implementing complex security policies, or troubleshooting critical network issues, CLI proficiency is an essential skill for security administrators. This guide explores the practical methods for accessing and configuring your FortiGate firewall using the widely-adopted PuTTY terminal emulator, offering a bridge between foundational access and advanced configuration.

For network engineers, the ability to execute precise commands and automate configurations through the CLI is not just a technical advantage—it's often a necessity during outages when GUI access is unavailable or when deploying standardized configurations across multiple devices. The journey to CLI mastery begins with establishing a reliable connection, which can be accomplished through two primary methods: a direct console connection or a network-based SSH session.

Establishing Your Connection: Console vs. SSH

The Direct Console Connection: Your Lifeline for Initial Setup

A direct console connection is the fundamental access method, especially crucial during initial deployment or recovery scenarios. This hardware-level connection requires a physical cable (typically a USB-to-RJ-45 or DB-9-to-RJ-45 cable) linking your computer's serial port to the FortiGate's console port.

To establish this connection using PuTTY:

  1. Connect the console cable between your computer and the FortiGate.
  2. Open PuTTY and select "Serial" as the connection type.
  3. Configure the serial line with the correct COM port (check your Device Manager) and the following parameters, which are standard for most Fortinet devices:
    • Speed (baud): 9600
    • Data bits: 8
    • Parity: None
    • Stop bits: 1
    • Flow control: None

Once connected, press Enter to activate the CLI prompt. The default login is admin with a blank password, but you should immediately change this in a production environment.

Network-Based SSH Access: The Go-To for Remote Management

Once the FortiGate has basic network connectivity, Secure Shell (SSH) becomes the preferred method for remote CLI management. It offers the convenience of access from anywhere on your network. However, SSH access must first be enabled on at least one interface.

Enabling SSH via Console: From a console session, you must configure a network interface to allow SSH administrative access.

config system interface     edit "port1"         set mode static         set ip 192.168.1.99 255.255.255.0         append allowaccess ssh     next end

The command append allowaccess ssh adds the SSH protocol to the list of allowed administrative access methods on that interface. You can verify the settings with show system interface port1.

Connecting with PuTTY via SSH:

  1. In PuTTY, select "SSH" as the connection type.
  2. Enter the IP address of the enabled interface (e.g., 192.168.1.99) and ensure the port is set to 22.
  3. Click "Open." Upon the first connection, you'll see a security alert about the device's host key—this is expected. Accept it to proceed.
  4. Log in with your administrator credentials.

Table: Comparison of FortiGate CLI Access Methods

 
Access Method Use Case Required Prep Pros
Direct Console First-time setup, firmware recovery, network failure Console cable, correct COM port settings Always available, does not require network config
SSH over Network Daily management, remote configuration Interface with IP and SSH enabled in allowaccess Convenient, secure, remote access

Foundational CLI Configuration and Operations

Configuring a Basic Network Interface

A common first task is assigning an IP address to an interface. A frequent error, as noted in community discussions, is attempting to assign a network address (like 192.168.176.0) instead of a usable host address. Here is the correct procedure:

config system interface     edit "port1"         set mode static         set ip 192.168.176.1 255.255.255.0         set allowaccess ping https ssh     next end

This command sequence sets port1 to a static IP of 192.168.176.1/24 and allows Ping, HTTPS, and SSH access for management. Remember, the IP address must be a valid host address within the subnet.

Essential Commands for Navigation and Discovery

Navigating the CLI efficiently is key. The interface offers helpful features like command abbreviation (exe for execute) and tab completion. Here are vital commands for getting system information:

  • System Status: get system status displays firmware version, serial number, and operational mode.
  • Interface Overview: get system interface physical shows the link status (Up/Down) of all physical ports.
  • View Configuration: show system interface port1 displays the configuration for a specific interface. Use show full-configuration | grep -f port1 for a more detailed, tree-structured view.
  • Routing Table: get router info routing-table detail is essential for troubleshooting network connectivity.
  • Real-time Performance: get system performance status provides a snapshot of CPU and memory usage.

Securing Administrative Access

After basic connectivity is established, securing administrative access is critical. This involves creating custom administrator profiles with least-privilege permissions and restricting login sources.

config system admin     edit "admin"         set trusthost1 192.168.10.100 255.255.255.255     next end

This CLI command restricts the 'admin' account to logins only from the IP address 192.168.10.100. Similar restrictions can be configured in the GUI under System > Administrators.

Best Practices and Pro Tips

  • Always Backup Before Changes: There is no undo button in the CLI. Use execute backup config to create a backup before making significant changes.
  • Use Descriptive Comments: When writing scripts or making complex changes, use the set comments "Description" command within configuration nodes to document your work.
  • Test in a Lab First: If possible, test new CLI scripts and configurations in a non-production environment.
  • Master the diagnose Commands: Beyond get and show, the diagnose command suite is a powerful tool for real-time debugging and in-depth system analysis.

Frequently Asked Questions (FAQ)

Q: I'm connected via PuTTY, but the terminal is blank or unresponsive. What should I do? A: This is a common issue. First, check your physical cable and COM port settings for console connections. For SSH connections, verify the interface IP, that SSH is listed in the allowaccess setting, and that no firewall policy is blocking your management traffic. Ensure you are pressing Enter after connecting via console.

Q: Can I use both the CLI and the Web GUI simultaneously? A: Yes, you can. Changes made in one are immediately reflected in the other. However, if the same object is being edited in both places, the last change saved will overwrite the previous one.

Q: How do I assign an IP address to an interface via the CLI? A: Use the config system interface command sequence shown in the article. The most common mistake is using a network address (ending in .0) for the set ip command. Always use a valid host address (e.g., .1, .254) within the intended subnet.

Q: What is the difference between get, show, and diagnose commands? A: get commands are used to retrieve system status and operational information. show commands display the current configuration. diagnose commands are powerful tools for testing, debugging, and gathering deep diagnostic data about the system's state.

Q: How can I restrict which IP addresses administrators can log in from? A: This is done by configuring trusted hosts on the administrator account. You can do this in the GUI under System > Administrators or via the CLI using the set trusthost command within the config system admin section, as demonstrated above.