DO NOT REPRINT

© FORTINET
Lab 1: Introduction to FortiGate

In this lab, you will learn about the FortiGate administration through the CLI and GUI. You will also back up and
restore a configuration file, as well as create a new administrator account and modify administrator access
permissions.

Objectives
l Access the FortiGate CLI.
l Back up and restore configuration files.
l Locate the FortiGate model and FortiOS firmware build in a configuration file.
l Create a new administrator user.
l Restrict administrator access.

Time to Complete
Estimated: 25 minutes

FortiGate Security 6.0 Lab Guide 19

Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Exercise 1: Working With the Command Line Interface

In this exercise, you will access a FortiGate device using the command line interface (CLI).

Explore the CLI

The next steps will help you get familiar with the FortiGate CLI.

To explore the CLI

1. In the VM List, from the box of the Local-FortiGate, click View VM to open the FortiGate console.
2. At the login prompt, enter admin.
3. In the Password field, type password, and then press enter.
4. Enter the following command:

get system status

This command displays basic status information about FortiGate. The output includes FortiGate's serial
number, operation mode, and so on. When the More prompt appears on the CLI, do one of the following:

To continue scrolling Space bar

To scroll one line at a time Enter

To exit Q

5. Enter the following command:

get ?

The ? character is not displayed on the screen.

This command shows all of the options that the CLI will accept after the # get command. Depending on the
command, you may need to enter additional words to completely specify a configuration option.

6. Press the up arrow key twice.

This displays the previous get system status command.

7. Try some of the control key sequences shown in the following table:

20 FortiGate Security 6.0 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT1: Working
REPRINT
With the Command Line Interface Explore the CLI

© FORTINET
Action Command

Previous command Up Arrow

Next command Down Arrow

Beginning of line CTRL+A

End of line CTRL+E

Back one word CTRL+B

Forward one word CTRL+F

Delete current character CTRL+D

Clear screen CTRL+L

Abort command and exit CTRL+C

Auto repeat history CTRL+P

8. Enter the following command:

execute ?

This command lists all options that the CLI will accept after the execute command.

9. Type exe, and then press the Tab key.

Notice that the CLI completes the current word.

10. Press the space bar and then press the Tab key three times.
Each time you press the Tab key, the CLI replaces the second word with the next possible option for the
execute command, in alphabetical order.

You can abbreviate most commands. In presentations and labs, many of the
commands that you see will be in abbreviated form. For example, instead of typing
execute, you can type exe.

Use this technique to reduce the number of keystrokes that are required to enter a
command. Often, experts can configure FortiGate faster using the CLI than the GUI.

If there are other commands that start with the same characters, your abbreviation
must be long enough to be specific, so that FortiGate can distinguish them.
Otherwise, the CLI displays an error message about ambiguous commands.

11. On a fresh line, enter the following command to view the port3 interface configuration (hint: try using the shortcuts
you just learned about):

show system interface port3

12. Enter the following command:

show full-configuration system interface port3

FortiGate Security 6.0 Lab Guide 21

Fortinet Technologies Inc.
DO Explore
NOTthe REPRINT
CLI Exercise 1: Working With the Command Line Interface

© FORTINET
Stop and think!
Compare both outputs. How are they different?

The show full-configuration command displays all the configuration settings for the interface.
The show command displays only those values that are different from the default values.

22 FortiGate Security 6.0 Lab Guide

Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Exercise 2: Configuration Backups

In this exercise, you will learn how to generate and restore clear-text and encrypted configuration backups. The
configuration files produced by backups, allow you to restore to an earlier FortiGate configuration.

Restore Configuration From a Backup

Now, you will restore a configuration from a backup.

To restore a configuration from a backup

1. In the VM List, from the box of the Local-Windows, click View VM.
2. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user
name admin and password password.

You can also access the Local-FortiGate GUI from the Firefox browser bookmarks
bar.

All the lab exercises were tested running Mozilla Firefox on the Local-Windows and
Remote-Windows VMs. To get consistent results, you should use Firefox to access
both the Internet and the FortiGate GUIs in this virtual environment.

FortiGate Security 6.0 Lab Guide 23

Fortinet Technologies Inc.
DO Restore
NOTConfiguration
REPRINT From a Backup Exercise 2: Configuration Backups

© FORTINET
3. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.

4. Click Upload to select the backup configuration file from your local PC.

5. Click Desktop > Resources > FortiGate-Security > Introduction > local-initial.conf, and then click
Open.
6. Click OK.
7. Click OK to reboot.
After your browser uploads the configuration, FortiGate reboots automatically. This takes approximately 30
to 45 seconds.

8. When the Local-FortiGate GUI login page reappears after reboot, log in with the user name admin and password
password.
9. Click Network > Interfaces and verify that the network interface settings were restored.

10. Click Network > Static Routes and verify that the default route was restored.

24 FortiGate Security 6.0 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT2: Configuration
REPRINT Backups Back Up and Encrypt a Configuration File

© FORTINET

Back Up and Encrypt a Configuration File

Always back up the configuration file before making changes to FortiGate (even if the change seems minor or
unimportant). There is no undo. You should carefully consider the pros and cons of an encrypted backup before
you begin encrypting backups. While your configuration, including things like private keys, remains private, an
encrypted file hampers troubleshooting because Fortinet support cannot read the file. Consider saving backups in
plain-text and storing them in a secure place instead.

Now, you will create an encrypted file with the backup of the FortiGate's current configuration.

To save an encrypted configuration backup

1. Continuing on the Local-FortiGate GUI, in the upper-right corner, click admin, and then click Configuration >
Backup.
2. On the Backup System Configuration page, enable Encryption.
3. In the Password field, enter fortinet and repeat in the Confirm password field.

4. Click OK.
5. Select Save File and click OK.
The Firefox browser saves the encrypted configuration file in the Downloads folder, by default.

You can access downloaded files by clicking the blue down arrow in the top right of
the browser.

FortiGate Security 6.0 Lab Guide 25

Fortinet Technologies Inc.
DO Restore
NOTan Encrypted
REPRINT Configuration Backup Exercise 2: Configuration Backups

© FORTINET
Restore an Encrypted Configuration Backup

Restoring from backup allows you to return to a previous configuration. As a word of caution, if you cannot recall
the password required to decrypt the backup, you will not be able to restore to this backup! Ensure that you record
the password and store it in a secure place.

Now, you will restore the configuration backup that you created in the previous procedure.

Take the Expert Challenge!

Restore the configuration from the encrypted backup.

If you require assistance, or to verify your work, use the step-by-step instructions that follow.

After you complete the challenge, see Compare the Headers of Two Configuration Files on page 26.

To restore an encrypted configuration backup

1. Continuing on the Local-FortiGate GUI, in the upper-right corner, click admin, and then click Configuration >
Restore.
2. On the Restore System Configuration page, click Upload.
3. Browse to your Downloads folder and select the configuration file that you created in the previous procedure.
4. In the Password field, type fortinet, and then click OK.
5. Click OK to confirm that you want to restore the configuration.
FortiGate reboots.

Compare the Headers of Two Configuration Files

When troubleshooting issues, or when having to restore FortiGate to an earlier OS version or build, it is useful to
know where to find this information in a configuration file. This exercise will show you where to find the version
and build number in a configuration file.

Now, you will open and compare two configuration files using Notepad++.

To compare the headers of two configuration files

1. On Local-Windows, in the Windows task bar, click the Notepad++ icon.

2. Click File > Open and browse to the Downloads folder to open the encrypted configuration file.
3. Click File > Open and browse to the initial configuration file:
Desktop\Resources\FortiGate-Security\Introduction\local-initial.conf

The configuration file opens in a second tab in Notepad++.

26 FortiGate Security 6.0 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT2: Configuration
REPRINT Backups Compare the Headers of Two Configuration Files

© FORTINET
4. Compare the headers in the two files.

In both the clear-text and encrypted configuration files, the top line acts as a header,
listing the firmware and model that this configuration belongs to.

5. Close the two tabs in Notepad++ and close the application.

FortiGate Security 6.0 Lab Guide 27

Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Exercise 3: Configuring Administrator Accounts

FortiGate offers many options for configuring administrator privileges. For example, you can specify the IP
addresses that administrators are allowed to connect from.

In this exercise, you will work with administrator profiles and administrator user accounts. An administrator profile
is a role that is assigned to an administrator user that defines what the user is permitted to do on the FortiGate
GUI and CLI.

Configure a User Administrator Profile

Now, you will create a new user administrator profile that has read-only access for most of the configuration
settings.

To configure a user administrator profile

1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user
name admin and password password.
2. Click System > Admin Profiles.
3. Click Create New.
4. In the Name field, type Security_Admin_Profile.
5. In the permissions table, set Security Profile to Read-Write, but set all other permissions to Read.
6. Click OK to save the changes.

Create an Administrator Account

Now, you will create a new administrator account. You will assign the account to the administrator profile you
created previously. The administrator will have read-only access to most of the configuration settings.

To create an administrator account

1. Continuing on the Local-FortiGate GUI, click System > Administrators.
2. Click Create New and then click Administrator to add a new administrator account.
3. On the New Administrator page, configure the following settings:

Field Value

User Name Security

Type Local User

Password fortinet

28 FortiGate Security 6.0 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT3: Configuring
REPRINT Administrator Accounts Test the New Administrator Account

© FORTINET
Field Value

Confirm Password fortinet

Administrator Profile Security_Admin_Profile

Administrator names and passwords are case sensitive. You can't include characters
such as < > ( ) # " in an administrator account name.

3. Click OK to save the changes.

Test the New Administrator Account

In this procedure, you will confirm that the new administrator account has read-write access to only the security
profiles configuration.

To test the new administrator account

1. Continuing on the Local-FortiGate GUI, click admin and then Logout to log out of the admin account's GUI
session.

2. Log back in to the Local-FortiGate GUI with the user name Security and password fortinet.
3. Explore the permissions that you have in the GUI.
You should see that this account can configure only security profiles.

4. Log out of the GUI once done.

FortiGate Security 6.0 Lab Guide 29

Fortinet Technologies Inc.
DO Restrict
NOTAdministrator
REPRINT Access Exercise 3: Configuring Administrator Accounts

© FORTINET
Restrict Administrator Access

Now, you will restrict access for FortiGate administrators. Only administrators connecting from a trusted subnet
will be allowed access. This is useful if you need to restrict the access points from which administrators connect to
FortiGate.

To restrict administrator access

1. Log back in to the Local-FortiGate GUI with the user name admin and password password.
2. Click System > Administrators.
3. Edit the admin account.
4. Enable Restrict login to trusted hosts, and set Trusted Host 1 to the address 10.0.2.0/24.
5. Click OK to save the changes.

Test the Restricted Access

Now, you will verify that administrators outside the subnet 10.0.2.0/24 can't access FortiGate.

To test the restricted access

1. Continuing on Local-Windows, log out of the Local-FortiGate GUI session as the admin user.
2. Try to log in to the admin account again with password password. 
What is the result this time?

Stop and think!

Why do you receive an authentication failure message?

Because you are trying to connect from the 10.0.1.10 address, you shouldn't be able to connect. This is
because you restricted logins to only the source IP addresses in the list of trusted hosts.

3. In the VM List, from the box of the Local-FortiGate, click View VM to open the FortiGate console.
4. Log in as admin with password password.
5. Enter the following CLI commands to add 10.0.1.0/24 as the second trusted IP subnet (Trusted Host 2) to
the admin account:

config system admin

edit admin
set trusthost2 10.0.1.0/24
end

6. Return to the Local-Windows VM.

7. Open a browser and try to log in to the Local-FortiGate GUI at 10.0.1.254 with the user name admin and
password password.
You should be able to log in.

30 FortiGate Security 6.0 Lab Guide

Fortinet Technologies Inc.