Back to FortiGate: Features, Deployment, and Best Practices

Network Security | By

In today’s world, cybersecurity threats are more sophisticated than ever. Simply relying on a traditional stateful firewall is no longer enough. That’s where FortiGate Next-Generation Firewalls (NGFW) come in, offering advanced inspection and modern threat protection to keep our network secure.

 

FortiGate combines traditional firewall capabilities with advanced security features such as deep packet inspection, intrusion prevention, SSL/TLS decryption, malware protection, and application control. Whether deployed on a physical appliance, virtual machine, or cloud environment, FortiGate provides flexible, scalable, and high-performance protection for modern networks.

 

This guide is designed to refresh my knowledge in FortiGate, covering:

  • Key security features and NGFW capabilities

  • Deployment options: physical, virtual, and cloud

  • Performance and sizing considerations for small – large businesses

  • Best practices for configuration and CLI usage

What Makes FortiGate a Next-Generation Firewall?

FortiGate goes beyond basic stateful inspection. Its core strength lies in combining traditional firewall functions with modern security features:

  • Deep Layer 7 Inspection: Differentiates applications and application types for precise control.

  • Malware Detection & Prevention: Includes NGFW threat protection and IPS, which uses preconfigured attack signatures updated in real-time via the cloud.

  • User and Device Authentication: Enhances policy enforcement and traffic classification.

  • SSL/TLS Inspection: Decrypts HTTPS traffic to monitor content securely.

  • URL Filtering: Controls web access based on categories or groups of websites.

  • Secure VPN Access: Supports IPSec and SSL VPN for connecting different network segments securely.

  • Management & Reporting: Provides secure administration and detailed analytics.

In short, FortiGate combines performance, visibility, and protection into a single solution for modern networks.

 

FortiGate Deployment Options – FortiGate can run on physical appliances, virtual machines, or cloud platforms, giving flexibility for different environments.

1. Physical Appliances

FortiGate physical appliances are organized into generations:

SeriesGenerationYearNotes
D1st Gen2014Old, already EOL
E2nd Gen2017NGFW capabilities
F3rd Gen2020NGFW
G4th Gen2024Latest NGFW

Key points:

  • Model numbers indicate performance. Higher numbers usually mean higher throughput (e.g., F40 vs F1000).

  • Entry-level models (30–90 series) may lack some advanced features. Models 100+ generally offer full NGFW capabilities.

  • Feature availability may vary slightly between GUI and CLI for configuration.

  • Performance is the ultimate factor when selecting a model.

You can compare models here.

 

2. Virtual Appliances

  • FortiGate VMs (VM00 through VMUL) run on your own hypervisor or cloud environment.

  • Performance depends on allocated CPU and memory. More resources = better inspection capabilities.

  • Ideal for cloud-first or software-defined networks.

3. Cloud Deployments

FortiGate can also be deployed on major cloud providers like AWS, GCP, OCI, and Alibaba Cloud, giving the same NGFW features in a scalable, virtual form.

Choosing the Right FortiGate Model

When selecting a FortiGate firewall, consider:

  1. Internet Bandwidth: The firewall must handle your traffic without becoming a bottleneck.

  2. Users & VPN Connections: Estimate how many devices and remote users will access your network.

  3. Security Features: Enabling IPS, antivirus, SSL inspection, and other services affects performance.

  4. Hardware Requirements: Check the number and speed of ports, form factor, and physical deployment needs.

  5. Future Growth: Plan for 3–5 years ahead to ensure scalability.

FortiGate Command-Line Interface (CLI)

While the GUI is user-friendly, some features are only fully accessible via the CLI. Understanding the CLI structure helps with advanced configuration and troubleshooting.

CLI Basics:

  • Navigation: Case-sensitive; use ? for help and Tab to auto-complete.

  • Config Commands: edit, append, unselect, unset, clear manage elements in lists.

  • Monitoring & Maintenance: exec for ping/traceroute, diag for troubleshooting.

  • Viewing Configs: show for configured elements, get for defaults and hidden values.

  • Filtering: grep can filter output like in Cisco devices.

Connectivity Options:

  • Console port

  • SSH (ensure enabled on the right interface)

  • GUI widget

  • FortiExplorer

You can review the full CLI reference here.

FortiGate provides flexible deployment options, modern threat protection, and scalable performance for small – large businesses. Selecting the right model requires understanding your bandwidth, users, security needs, hardware requirements, and growth plans. Combining these factors ensures your network stays secure today and in the years to come.

FortiGate Management Best Practices (Quick Guide)

Proper management access is critical to securing and maintaining your FortiGate. Below are the key options and best practices every administrator should follow.

Management Options

FortiGate supports three primary administration methods:

  • Web Interface (GUI)

    • Local access

    • Centralized management via FortiManager

  • Command Line Interface (CLI)

  • REST API

    • Useful for automation and scripting (API preview helps generate calls)

Secure Access Fundamentals

  • Management access is enabled per interface, so always restrict it to trusted networks only.

  • Change default credentials immediately (admin/admin).

  • Apply trusted host restrictions to limit which IPs can access the device.

Dedicated Management Interface

For better security, use a dedicated management port when available:

  • Management interfaces (e.g., mgmt, mgmt1, mgmt2):

    • Do NOT carry user traffic

    • Do NOT appear in the routing table

    • Are strictly for administrative access

    • Other interfaces:

    • Can be used for routing, firewall policies, and VDOM assignments

To dedicate a management interface:

 
config system interface
edit mgmt2
set dedicated-to management
 

Key Notes:

  • Only supported on specific models with dedicated mgmt ports

  • Prevents the interface from being used in firewall policies

  • Allows separate trusted host configuration for tighter control

Backup and Restore Best Practices

Always maintain regular configuration backups:

Backup options:

  • Local PC

  • USB disk

  • FTP/TFTP server

Important:

  • Standard backups do NOT include certificates (IPsec, SSL/TLS, user certs)

  • Export certificates separately if needed

Reset Options

  • Full Reset:

    • execute factoryreset

    • Wipes everything

  • Partial Reset:

    • execute factoryreset2

    • Retains interface and VDOM configuration

Recommendations

  • Use a dedicated management interface whenever possible

  • Restrict access using trusted hosts + non-standard ports

  • Prefer HTTPS/SSH only (disable HTTP/Telnet)

  • Automate backups and test restore procedures regularly

  • Use FortiManager or API for large-scale deployments

 

Related Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Subscribe
Subscribe