GUI & CLI – What You May Not Know

Example

If you wanted these columns in this order: Policy ID, Source Addresses, Destination Addresses, Security Profiles, Policy Comment, you would enter the commands:

config system settings
    set gui-default-policy-columns policyid srcaddr dstaddr profile comments
end

Naming Rules and Restrictions

The FortiGate enforces the following specific rules. Duplicate name issues:

  • A VLAN cannot have the same name as a physical interface.
  • An Address must not have the same name as an Address Group.
  • An Address or Address Group must not have the same name as a Virtual IP Address.
  • A Service cannot have the same name as a Service Group.
  • A VLAN must not have the same name as a VDOM.
  • A VLAN or VDOM must not have the same name as a Zone.

Try to make each firewall object name as unique as possible so that it cannot be confused with another object.

Character Restrictions

A name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), spaces, and the special characters - (dash) and _ (underscore). Other characters are not allowed.

The special characters < > ( ) $ # " ' are allowed only in the following fields:

  • Passwords
  • Replacement message
  • Firewall policy description
  • IPS customized signature
  • Antivirus blocked file pattern
  • Web Filter banned word
  • Spam filter banned word
  • Interface PPPoE client user name
  • Modem dialup account user name
  • Modem dialup telephone number

FortiOS allows spaces in just about all object name fields, but caution is good practice. The parsing of a configuration file can cause side effects if spaces or other special characters are used where the system is not expecting them.

A proven standard practice is recommended to help prevent potential issues: when naming objects, use only alphanumeric characters (a-z, A-Z, 0-9), and where there is the temptation to use spaces in a name, use '-' (dash) or '_' (underscore) instead.
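As an added illustration (not from the original page or from Fortinet), the following Python script checks a FortiOS CLI dump against the duplicate-name rules and the character restrictions above, and flags spaces in names as advisories. The CLI table paths in KINDS and the sample excerpt are assumptions constructed for this example.

```python
import re
from collections import defaultdict
NAME_RE = re.compile(r"^[A-Za-z0-9 _-]+$")  # allowed: 0-9, A-Z, a-z, space, - and _
# Object kinds that must not share a name (the duplicate-name rules above).
CONFLICTS = [("vlan", "interface"), ("address", "addrgrp"), ("address", "vip"),
             ("addrgrp", "vip"), ("service", "servicegrp"), ("vlan", "vdom"),
             ("vlan", "zone"), ("vdom", "zone")]
# CLI table -> object kind; these table paths are assumed for this example.
KINDS = {"system interface": "interface", "system zone": "zone", "vdom": "vdom",
         "firewall address": "address", "firewall addrgrp": "addrgrp", "firewall vip": "vip",
         "firewall service custom": "service", "firewall service group": "servicegrp"}

def parse_objects(text):
    """Return [(kind, name)] for every 'edit' entry in a FortiOS CLI dump;
    'set type vlan' inside a system interface entry marks it as a VLAN."""
    objects, stack, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[7:])
        elif line.startswith("edit ") and stack:
            current = [KINDS.get(stack[-1]), line[5:].strip().strip('"')]
            objects.append(current)
        elif line == "set type vlan" and current and current[0] == "interface":
            current[0] = "vlan"
        elif line == "end" and stack:
            stack.pop()
    return [(kind, name) for kind, name in objects if kind]

def lint(text):
    """Return character-rule violations, space advisories and cross-type duplicates."""
    problems, by_name = [], defaultdict(set)
    for kind, name in parse_objects(text):
        if not NAME_RE.match(name):
            problems.append(f"bad characters in {kind} name {name!r}")
        elif " " in name:
            problems.append(f"space in {kind} name {name!r}; prefer - or _")
        by_name[name].add(kind)
    for name, kinds in sorted(by_name.items()):
        for a, b in CONFLICTS:
            if a in kinds and b in kinds:
                problems.append(f"{name!r} is shared by {a} and {b} objects")
    return problems
# Constructed config excerpt (not a real device dump) that trips each check.
SAMPLE_CONFIG = (
    'config system interface\n edit "dmz-vlan"\n  set type vlan\n next\nend\n'
    'config system zone\n edit "dmz-vlan"\n next\nend\n'
    'config firewall address\n edit "web server"\n next\n edit "bad<name>"\n next\nend\n'
    'config firewall addrgrp\n edit "web server"\n next\nend\n'
)
```

Run `lint(SAMPLE_CONFIG)` to see one finding per rule; feed it the output of `show full-configuration` to check a real device.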

Numeric Values

Numeric values are used to configure various sizes, rates, numeric addresses, or other numeric settings. For example, a static routing priority of 10, a port number of 8080, or an IP address of 10.10.10.1. Numeric values can be entered as a series of digits without spaces or commas (for example, 10 or 64400), in dotted decimal format (for example, the IP address 10.10.10.1) or, as in the case of MAC or IPv6 addresses, separated by colons (for example, the MAC address 00:09:0F:B7:37:00). Most numeric values are standard base-10 numbers, but some fields (again, such as MAC addresses) require hexadecimal numbers.

Most web-based manager numeric value fields make it easy to add the acceptable number of digits within the allowed range. CLI help includes information about allowed numeric value ranges. Both the web-based manager and the CLI prevent you from entering invalid numbers.


Selecting options from a list

If a configuration field can only contain one of a number of selected options, the web-based manager and CLI present you with a list of acceptable options and you can select one from the list. No other input is allowed. From the CLI you must spell the selection name correctly.

Enabling or disabling options

If a configuration field can only be on or off (enabled or disabled) the web-based manager presents a check box or other control that can only be enabled or disabled. From the CLI you can set the option to enable or disable.


To Enable or Disable Optionally Displayed Features

There are a number of features in the web-based manager that can be configured to either be displayed if you are likely to use them or disabled if you have no need to see them. The ones that may be relevant to the function of the firewall are:

  • Central NAT Table
  • Dynamic Profile
  • Explicit Proxy
  • Implicit Firewall Policies
  • IPv6
  • Load Balance
  • Local In Policy

You can enable or disable these features by going to System > Admin > Settings or by using the following CLI options:

config system global
    set gui-ap-profile {disable | enable}
    set gui-central-nat-table {disable | enable}
    set gui-dns-database {disable | enable}
    set gui-dynamic-profile-display {disable | enable}
    set gui-icap {disable | enable}
    set gui-implicit-id-based-policy {disable | enable}
    set gui-implicit-policy {disable | enable}
    set gui-ipsec-manual-key {enable | disable}
    set gui-ipv6 {enable | disable}
    set gui-lines-per-page <gui_lines>
    set gui-load-balance {disable | enable}
    set gui-object-tags {disable | enable}
    set gui-policy-interface-pairs-view {enable | disable}
    set gui-voip-profile {disable | enable}
end
