Category Archives: Fortigate

Clearing DNS cache on a FortiGate

Open terminal and run this code. diag test app dnsproxy 1

Other options.

  • 1. Clear DNS cache
  • 2. Show stats
  • 3. Dump DNS setting
  • 4. Reload FQDN
  • 5. Requery FQDN
  • 6. Dump FQDN
  • 7. Dump DNS cache
  • 8. Dump DNS DB
  • 9. Reload DNS DB
  • 10. Dump secure DNS policy/profile
  • 11. Dump Botnet domain
  • 12. Reload Secure DNS setting
  • 13. Show Hostname cache
  • 14. Clear Hostname cache
  • 15. Show SDNS rating cache
  • 16. Clear SDNS rating cache
  • 17. DNS debug bit mask
  • 18. DNS debug obj mem
  • 99. Restart dnsproxy worker
Leave a comment

Posted by on July 17, 2022 in Fortigate


Tags: , , , ,

Fortigate 40C Format and upgrade firmware via CLI

To format and upgrade a firmware on Fortigate 40C, We will need 3 types of cables.


1. Connect console cable to console port of the Fortigate.
Use a serial to USB converter and connect to a USB on your laptop.
2. Connect USB cable (same cable we use with printers) to mng port of the fortigate.
3. Connect ethernet cable to port 5 (This port is special i think).
connect other end to your laptop.

Now all connections are in place.

Give your laptop an IP (manually): – – no need for Gateway
( you can use any IP, but i suggest to use this.)

Install 3 softwares,
1. Putty (link)
2. tftpd32 (link)
3. fortiexplorer (link)

if you have a Config backup, open it with a text editor.

You will see the build number and version of the firmware for that specific config file.
Download the firmware from FortiNet website.

For ease of use we can put all these files in a folder:
(in my case C:\Users\MyName\Desktop\Fortigate_40c_Format)

make a copy of the firmware file,
Rename the firmware file to image.out

Open TFTPD32.
Set the interface to the one to which we gave the IP
Set the root directory by clicking “Browse” on the tftp server window, and select
the folder with our files.
(in my case C:\Users\MyName\Desktop\Fortigate_40c_Format)


Open putty.
Set connection type to serial. and enter the COM port.
serial connection properties:
8 bits
no parity
1 stop bit
9600 baud (For a FortiGate-300, use 115,000 baud.)

You can find the COM port number from:
Right-click-Computer > Manage > Devices >
This will list all COM ports. Note the number for USB-Serial-connection. in my case it was COM4.

Now click connect on Putty.
Turn the power off and then on at the FortiGate unit.

Stuff will start to pop up on the console screen.
When the console displays

“Press any key to display configuration menu.”
Press any key.

[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.

Enter G,F,B,Q,or H:

these opetions will come.
Select F for now to format the boot device.

[note: Some console prompts in this procedure include a default value in square brackets, e.g., [image.out]. To use this default value, just press Enter.]

When format is finished, device will restart.
Do the same. When you reach this options. This time select G.
“Get firmware image from TFTP server.”

it will ask for IP of TFTP server. if you gave the same IP as above just click enter.
"Enter TFTP server address []: "
(if you gave another IP to your laptop, type the ip at the prompt
example: "Enter TFTP server address []:")

now the console will ask for IP of the fortigate. enter to proceed with default value.
"Enter local address []: "

Now give the name of the firmware file.
Enter firmware image file name [image.out]:
(since we renamed our file to image.out we can just press enter)

The Fortigate downloads the firmware from the TFTP server and displays a message similar to the following:

MAC:001122B15D94 (MAC of your laptop)
########################### (transfer progress)
Total 28385179 bytes data downloaded.(firmware file size)
Verifying the integrity of the firmware image.. (verification stage)

Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]?
type D to make load the firmware as the default firmware.

(if the download fails after the integrity check with the error message:
invalid compressed format (err=1) )

The fortigate downloads the firmware from the TFTP server.
Then installs the firmware and restarts.
The time required varies by the size of the file and the speed of your network connection.

Now we have installed the firmware.

Open the FortiExplorer software. this will detect the connected device (through mng USB cable)

Select web GUI from the given options.
Login with default password.
Username: admin
Password: (blank)

if you can login and the window is loading fine. You can restore your config file through the GUI.
this app gives you non IP dependend connection to the device. (Console acces otherwise called out of bound access).

In my experience I found that the app is slow for real stuff. So this is what I did.
There is an option to do basic configuration through a wizard. select this and set IP, username, and password etc. Basic stuff no need to care much, we will replace this config in coming steps.

when finished. make sure the IP of your laptop and fortigate are on the same subnet.

Open a browser window and type in the IP address of the device.
Login with your username and password. (the one we set above)

In the main window (dashboard) you will see option to restore a configuration.
selct ‘restore’, then choose the Backup config file. then click restore.
Fortigate will apply the configuration and restart.

You can see these happening on your console window. (just watch don’t type anything)
then it will say firewall is initialising…

you can do another thing. ping to to the fortigate IP with the -t operator.

Ping -t
wait until you start getting results for the ping.

Open the web browser window.
if the IP you gave when setting basic config through the wizard and the IP in your config files are different,
after the upgrade you need to use the IP in your config file.

login with your old username and password (from the backup config).
The username and password are the ones you used while you had the old configuration.

thats it.
Now you have formated the device.
installed a firmware.
loaded a backup configuration.

Now register your device through the portal to activare your forticare licences.

Leave a comment

Posted by on January 12, 2021 in Fortigate


Create VLAN in fortigate 30D

By default all ports are members of a hardware switch. remove one of the port from the switch. for example port 4. Now we will create our VLANs under this port.

fgt#config system interface
fgt(interface)#edit <vlan-name>#if vlan-name not exist, vlan will be created.
fgt(<vlan-name>)#set interface lan4 #assign this vlan to the lan4 port.
fgt(<vlan-name>)#set ip <give an ip in vlan range/24>#set ip for the vlan port
fgt(<vlan-name>)#set vlanid <id># set VLAN ID
#Vlan ID and Name are not same,eg. Vlan-Name = Wireless, VlanID= 70
Leave a comment

Posted by on January 5, 2021 in Fortigate


DMZ – with vlan 100D + 30D

DMZ – with vlan 100D + 30D

This post discuss how we managed to isolate each of our servers to its own network (vlan).

In this scenario, We have 2 firewalls in place for some reason.
Fortigate 30D and Fortigate 100D. All wan-side incoming traffic will be received by 30D. 30D will then send them to the servers based on the Virtual IP configuration (port forwarding).
The reply packets from servers will go out through the 100D fortigate (100D is the gateway).

  1. Create and assign vlan in switch port.
    create a vlan for each server. Then assign them to the port to which the physical servers are connected.
    on cisco:
    #Switchport mode access
    #switchport access vlan
  2. create vlan in esxi:
    open esxi server,
    select physical server and goto configurations tab,
    selct networing on left panel then click on properties
    click add, select virual machine, give a network lable and vlan ID. (network label: name for the vlan)
  3. assign the vlan to VM:
    select VM
    right clik – edit server
    select netowrk adapter
    change network label.(select the vlan label created in step 2)
  4. Open the server and make necessory changes
    Change RDP port in server.
    give ip address in the vlan range.
    set default gateway 100D
  5. open 30D and Add vlan.
    basically we need to create a vlan port and assign an ip in vlan range.
  6. OPEN 30D- create virtual IPs and group
    Policy and object
    virtual IP
    create virtual ip ( rdp,http,https )
    create virtual ip group, for example:server-vlan-group. #Change RDP port in server.
  7. create wan-incoming policy on 30D
    incoming:WAN port
    Outgoing interface: VlanInterface
    destination: server-vlan-group( virtual ip group )
    schedule: always
    action: accept
    security profile: select default.
  8. Open 100D and create vlan.
    open vdom
    network – interfaces – create new – interface
    name: vlanname
    interface: new vlan will come under this interface.
    Vlan ID: give vlan number
    vitual domain: select your vdom
    role: LAN
    IP/Network: IP address/Subnet mask for the vlan port
    administrationve access: give none.
  9. create address for vlan subnet in 100D. example: DMZ01
    or create a device-address for the server.
  10. create lan-wan policy on 100D:
    Name: give a name
    incoming int: vlan interface
    outgoing int: WAN port
    source:name of address group we created in step 9
    select security profiles.
Leave a comment

Posted by on January 5, 2021 in Fortigate


VDOM with load-balancing FortiGate 100D

2 WAN connection combines to provide internet for a VDOM in fortigate. How to configure this is explained below.

Created VDOM for Wifi

Global > System > VDOM > Create New
Virtual Domain: Wifi
Inspection Mode: Proxy


Assigned ports to VDOM wifi

Before moving ports to vdom, Make sure there are no reference to those ports from policies, routes, etc. Also make sure the ports have no IP assigned.

Global > Network > Interfaces >
Select and interface and Edit> change virtual domain of the interface.

In our case there is two WAN ports and and a LAN port for our Wifi topology.
(Port9 = LAN, Port 11 & Port 12 = WAN )

Now we need to create load balancing to combine the speed of both WAN connections. We can do this through FortiGate SD-WAN option.

Go to VDOM Wifi > Networ > SD-WAN > Enable SD-WAN
Click create New.
Seq1: Port 11 – Gateway IP is the IP of the 1st modem.
Seq2: Port 12 – Gateway IP is the IP of the 2nd Modem.

Select load balancing algorithm as “Volume”
Set the volume weight to 1 on both WAN connections.

Apply the changes.

Now create a SD-WAN status check.
It will check wan connection health against an external server.

Goto VDOM Wifi > Network > SD-WAN Status check> Create new
Name: Give a name
Protocol: Ping

Leave other stuff default. Then click ok. This will ocationally ping the google server through
the ports in SD-WAN to check the health of the connection.

Goto VDOM Wifi > Network > Static Routes
Device: sd-wan
Admin distance:10
status: enabled

then press OK.

Assign a policy to allow traffic.
Goto VDOM Wifi > Policy and Objects> IPv4 policy > Create New
Name: Wireless devices
Incoming int: LAN port of the VDOM (port 9)
OutGoing int: SD-WAN
Select appropriate for Source, Destination, Schedule,Service, and Action.
Nat: on
Apply security profiles.
Log allowed traffic: log all sessions.

Now when we assign a new device to this policy the user will be able to access internet through the SD-WAN interface.

Leave a comment

Posted by on October 15, 2020 in Fortigate


FortiGate: Upgrading the firmware via CLI

To use the following procedure, you must have a TFTP or FTP server that FortiDB can connect to. You must also log in using the “admin” administrator account.

  1. Start the FTP or TFTP server.
  2. Copy the new firmware image file to the FTP or TFTP server.
  3. Log into the CLI.
  4. Verify that FortiDB can connect to the FTP or TFTP server. For example, if the IP address of the TFTP server is, enter the CLI command:
    execute ping
  5. Enter the following command to copy the firmware image from the TFTP server to FortiDB:
    execute restore image ftp  
    execute restore image tftp  

    Where is the name and location of the firmware image file and or is the IP address of the FTP or TFTP server. For example, if the firmware image file name is image.out and the IP address of the FTP or TFTP server is, enter:

    execute restore image tftp image.out

    FortiDB responds with the message:

    This operation will replace the current firmware version!
    Do you want to continue? (y/n)
  6. Type y. FortiDB downloads the firmware image file, upgrades to the new firmware version, and restarts. This process takes a few minutes.
  7. Reconnect to the CLI.
  8. To confirm the new firmware image is successfully installed, enter:
    get system status
Leave a comment

Posted by on January 17, 2018 in Fortigate


Tags: , ,