GUI & CLI – What You May Not Know

Example

If you wanted these columns, in this order: Policy ID, Source Addresses, Destination Addresses, Security Profiles, Policy Comment, you would enter:

config system settings
set gui-default-policy-columns policyid srcaddr dstaddr profile comments
end

Naming Rules and Restrictions

The following naming rules are enforced by the FortiGate.

Duplicate names:

  • A VLAN cannot have the same name as a physical interface.
  • An Address must not have the same name as an Address Group.
  • An Address or Address Group must not have the same name as a Virtual IP Address.
  • A Service cannot have the same name as a Service Group.
  • A VLAN must not have the same name as a VDOM.
  • A VLAN or VDOM must not have the same name as a Zone.

Make each firewall object name as unique as possible so that it cannot be confused with another object.

Character Restrictions

A name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), spaces, and the special characters - (dash) and _ (underscore). Other characters are not allowed.

The special characters < > ( ) $ # " ' are allowed only in the following fields:

  • Passwords
  • Replacement message
  • Firewall policy description
  • IPS customized signature
  • Antivirus blocked file pattern
  • Web Filter banned word
  • Spam filter banned word
  • Interface PPPoE client user name
  • Modem dialup account user name
  • Modem dialup telephone number

FortiOS allows spaces in almost all object name fields, but caution is good practice: when a configuration file is parsed, spaces or other special characters in places where the system does not expect them can cause side effects.

A proven practice that helps prevent such issues: when naming objects, use only alphanumeric characters (a-z, A-Z, 0-9), and where there is a temptation to put a space in a name, use '-' (dash) or '_' (underscore) instead.
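The rules above are easy to apply by hand for one object and easy to get wrong when names are generated in bulk by a script or a ticketing workflow. As an added example (not from the original page and not Fortinet code), the following Python pre-flight check applies the character restrictions and the cross-class duplicate-name rules to a proposed name before it is pushed to a FortiGate. The inventory of existing objects is constructed for illustration, and the split into hard errors and a warning for spaces is a choice made here, not FortiOS behaviour.

```python
import re

# Characters FortiOS accepts in ordinary object names, per the rules above:
# digits, ASCII letters, space, dash and underscore.
ALLOWED_CHAR = re.compile(r"[0-9A-Za-z _-]")

# Object classes whose names must not collide, from the duplicate-name rules
# above. Each pair is checked in both directions.
COLLISION_RULES = [
    ("vlan", "physical-interface"),
    ("address", "address-group"),
    ("address", "vip"),
    ("address-group", "vip"),
    ("service", "service-group"),
    ("vlan", "vdom"),
    ("vlan", "zone"),
    ("vdom", "zone"),
]

# Constructed inventory of objects already on the unit (not a real export).
EXISTING = {
    "physical-interface": {"port1", "port2", "wan1"},
    "vlan": {"vlan100"},
    "vdom": {"root", "Guest"},
    "zone": {"Internal"},
    "address": {"Web-Server", "Branch LAN"},
    "address-group": {"DMZ-Hosts"},
    "vip": {"VIP_WebSrv"},
    "service": {"TCP_8443"},
    "service-group": {"Web-Services"},
}


def conflicting_kinds(kind):
    """Object kinds whose existing names an object of class `kind` may not reuse."""
    return [b if a == kind else a for a, b in COLLISION_RULES if kind in (a, b)]


def check_name(name, kind, existing):
    """Pre-flight check for naming a new object of class `kind` as `name`.

    `existing` maps object kind -> set of names already configured.
    Returns a list of (level, message) tuples: "error" for rules FortiOS
    rejects outright, "warn" for the spaces-in-names caution. An empty list
    means the name is clean.
    """
    findings = []
    if not name:
        return [("error", "name is empty")]
    bad = sorted({c for c in name if not ALLOWED_CHAR.fullmatch(c)})
    if bad:
        findings.append(("error", f"illegal characters {bad}; use a-z, A-Z, 0-9, '-' or '_'"))
    if " " in name:
        findings.append(("warn", "contains spaces; prefer '-' or '_' to avoid config-parsing side effects"))
    if name in existing.get(kind, set()):
        findings.append(("error", f"a {kind} named {name!r} already exists"))
    for other in conflicting_kinds(kind):
        if name in existing.get(other, set()):
            findings.append(("error", f"a {other} named {name!r} exists; {kind} and {other} names must differ"))
    return findings


def is_valid(name, kind, existing):
    """True when the name has no hard errors (warnings are allowed)."""
    return not any(level == "error" for level, _ in check_name(name, kind, existing))


if __name__ == "__main__":
    candidates = [("port1", "vlan"), ("DMZ-Hosts", "address"), ("Web$rv", "address"),
                  ("Internal", "vdom"), ("Branch LAN2", "address"), ("Branch_LAN", "address")]
    for name, kind in candidates:
        findings = check_name(name, kind, EXISTING) or [("ok", "clean")]
        for level, msg in findings:
            print(f"{kind:18} {name!r:16} {level:5} {msg}")
```

Run it with an inventory pulled from your own configuration (for example, one parsed out of a backup) and wire `is_valid` into whatever generates your `config firewall address` blocks; the collision table is the page's list and is easy to extend if a later release adds a rule.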

 

Numeric Values

Numeric values are used to configure various sizes, rates, numeric addresses, or other numeric values. For example, a static routing priority of 10, a port number of 8080, or an IP address of 10.10.10.1. Numeric values can be entered as a series of digits without spaces or commas (for example, 10 or 64400), in dotted decimal format (for example the IP address 10.10.10.1) or as in the case of MAC or IPv6 addresses separated by colons (for example, the MAC address 00:09:0F:B7:37:00). Most numeric values are standard base-10 numbers, but some fields (again such as MAC addresses) require hexadecimal numbers.

Most numeric fields in the web-based manager accept only the number of digits and the range that the setting allows, and CLI help shows the allowed range for each numeric value. Both the web-based manager and the CLI reject invalid numbers.

Selecting options from a list

If a configuration field can contain only one of a fixed set of options, the web-based manager and the CLI present a list of acceptable options and you select one from it; no other input is allowed. From the CLI you must spell the option name exactly.

Enabling or disabling options

If a configuration field can only be on or off (enabled or disabled) the web-based manager presents a check box or other control that can only be enabled or disabled. From the CLI you can set the option to enable or disable.


To Enable or Disable Optionally Displayed Features

There are a number of features in the web-based manager that can be set to be displayed if you are likely to use them, or hidden if you have no need to see them. The ones that may be relevant to the function of the firewall are:

  • Central NAT Table
  • Dynamic Profile
  • Explicit Proxy
  • Implicit Firewall Policies
  • IPv6
  • Load Balance
  • Local In Policy

 

You can enable or disable these features by going to System > Admin > Settings or by using the following CLI options:

config system global
set gui-ap-profile {enable | disable}
set gui-central-nat-table {enable | disable}
set gui-dns-database {enable | disable}
set gui-dynamic-profile-display {enable | disable}
set gui-icap {enable | disable}
set gui-implicit-id-based-policy {enable | disable}
set gui-implicit-policy {enable | disable}
set gui-ipsec-manual-key {enable | disable}
set gui-ipv6 {enable | disable}
set gui-lines-per-page <gui_lines>
set gui-load-balance {enable | disable}
set gui-object-tags {enable | disable}
set gui-policy-interface-pairs-view {enable | disable}
set gui-voip-profile {enable | disable}
end
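Both CLI fragments on this page (the `config system settings` column list and the `config system global` GUI switches) follow the same `config ... set ... end` shape, which makes an audit of GUI visibility settings across several units straightforward. The following Python is an added example, not code from the original page or from Fortinet: it parses the `show` output of those blocks, compares the gui-* keys against a desired baseline, and renders the CLI that would correct any drift. The sample output and the baseline values are constructed for illustration, and only keys that appear on this page are used. Note that `show` omits settings that are at their default value, so a key the audit cannot find is reported as unset rather than guessed; `show full-configuration` prints every key.

```python
import shlex

# Constructed sample of `show` output from a FortiGate; not captured from a real unit.
SAMPLE_SHOW_OUTPUT = """\
config system settings
    set gui-default-policy-columns policyid srcaddr dstaddr profile comments
end
config system global
    set admintimeout 5
    set gui-central-nat-table disable
    set gui-implicit-policy enable
    set gui-ipv6 disable
    set gui-load-balance disable
    set gui-lines-per-page 50
    set hostname "FGT-Branch-01"
end
"""

# Assumed baseline for a firewall-focused admin team, using only the
# `config system global` keys listed above. The values are a policy choice.
BASELINE = {
    "gui-central-nat-table": "disable",
    "gui-implicit-policy": "enable",
    "gui-ipv6": "enable",
    "gui-load-balance": "disable",
    "gui-object-tags": "disable",
}


def parse_block(text, name):
    """Return the `set` key/values directly inside `config <name> ... end`.

    Nested sub-tables are skipped. Quoted values are handled with shlex;
    a multi-word value (such as the column list) comes back as a list.
    """
    settings = {}
    depth = 0  # 0 = outside the block we want
    for raw in text.splitlines():
        line = raw.strip()
        if depth == 0:
            if line == f"config {name}":
                depth = 1
            continue
        if line.startswith("config "):
            depth += 1  # nested table: ignore its contents
        elif line == "end":
            depth -= 1
            if depth == 0:
                break
        elif depth == 1:
            tokens = shlex.split(line)
            if len(tokens) >= 3 and tokens[0] == "set":
                key, values = tokens[1], tokens[2:]
                settings[key] = values[0] if len(values) == 1 else values
    return settings


def audit_gui_features(settings, baseline):
    """List (key, expected, actual) for baseline keys whose value differs.

    A key absent from `show` output is at its default; it is reported as
    None rather than guessed, since defaults vary by model and release.
    """
    return [(key, want, settings.get(key))
            for key, want in baseline.items() if settings.get(key) != want]


def render_fix(mismatches):
    """Emit the CLI block that brings every mismatched key to the baseline."""
    if not mismatches:
        return ""
    lines = ["config system global"]
    lines += [f"    set {key} {want}" for key, want, _ in mismatches]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    sys_global = parse_block(SAMPLE_SHOW_OUTPUT, "system global")
    columns = parse_block(SAMPLE_SHOW_OUTPUT, "system settings")["gui-default-policy-columns"]
    print("policy columns:", " ".join(columns))
    drift = audit_gui_features(sys_global, BASELINE)
    for key, want, got in drift:
        print(f"{key}: expected {want}, found {got if got is not None else 'unset (default)'}")
    print(render_fix(drift))
```

Feed `parse_block` the text of `show system global` collected over SSH or from a configuration backup; the rendered fix is a paste-ready block, but review it against `show full-configuration` first, because an unset key may already be at the value you want by default.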




One thought on "GUI & CLI – What You May Not Know"

  1. Yorkshire-Matt

    Helpful article, just a pity that the software as usual does not live up to the theory.
    Versions 5.6.13, 6.2.7 and 6.4.5 using set gui-default-policy-columns policyid srcintf srcaddr dstintf dstaddr service hit_count bytes active_sessions does not result in the srcintf srcaddr dstintf dstaddr being displayed in either Interface Pair or Sequence view.

    Fortinet TAC suggested I raise a request ticket for a new feature

