Adding Fortinet Firewall Device

Prerequisites

General prerequisites:
- Ensure communication between AppViewX and the firewall is enabled.
- Valid firewall account details, including API tokens/keys and user credentials, are necessary.
IP Address/FQDN: IP address or FQDN
User Privilege: Username/Password
Services and Port for AppViewX Communication: Port number 22 (SSH)
Note: For Visual Workflow action items, you will require credentials with write privilege.

Configuring FortiGate Firewall Device

To add a FortiGate device:

Go to (Menu) > CERT+ > Device Management.
By default, the ADC tab opens.
Select the Firewall tab.
Click the + (Add) icon located on the top right corner.
The Add page appears.
Select the Fortinet vendor from the left side bar.

Enter the field information in the General Information section.

Table 1. Field and Description Table
Field	Description
CI name	Name of the CI.
Platform	Select Fortigate.
*Device name	Unique custom identifier of your device.
Onboarding Group	Select the onboarding group to assign the device. Note: Devices without an assigned group are automatically mapped to the Default group during migration, onboarding, and when edited without existing group mappings.
Communication	The communication mode that firewall devices can be added to AppViewX. The possible communication modes are: IP Address - The IP Address can be IPV4 and it can be either management IP or Self IP of the Firewall device. By default, the IP address has been selected. FQDN - On adding the device with FQDN, it will be resolved to an IP address and communication to the device will be made through it. If the FQDN is resolved to more than one device IP, AppViewX will choose a random IP for communication.
*IP address/FQDN	Enter the IP address or FQDN based on the selected communication mode.
Data center	The data center on which the device has been hosted. Select a datacenter from the dropdown list or enter a data center name.
Cert sync	Provision to discover and manage the SSL certificates from the firewall devices. The possible cert syncs are: Managed - All SSL certificates will be discovered and added to AppViewX certificate inventory and used for certificate lifecycle management like renew, revoke, etc. Monitored - All SSL certificates will be discovered and will not have any CA-related communication. Ignored - No SSL certificates will be discovered from the firewall device. Note: The certification sync is based on the license applied.
*SSH Port	By default, it is 22.
*: Mandatory fields

Enter the field information in the Credentials section:

Table 2. Field and Description Table
Field	Description
*Credential type	Credentials can be manually provided or stored as a one-time entry onto the credential library and referred at the time of device addition. Select one of the following credential types from the drop-down list: Manual Entry - The user name and password of the device need to be entered with device details. By default, the Manual Entry option is selected. AppViewX Credential List - The user name and password can be added to the List and that entry can be referred to during device addition. The credential lists are integrated within AppViewX application for the secured authentication. If external credential types such as Thycotic, BeyondTrust, CloudAccount, or AppViewX Vault are configured, then this credential type will be listed in the device addition screen. Choose the appropriate Credential Type from the dropdown list. If authentication relies on an external credential, ensure that the hostname, FQDN, or IP address used for device communication is configured in the corresponding external credential vault. To create a credential list, see Creating Credential List in the Platform User Guide.
*Username	Username for the firewall device when you select the Manual Entry credential type.
*Password	Valid password for the firewall device when you select the Manual Entry credential type. Note: Use strong passwords for secure device communication. Your password can be of any length with a combination of alpha-numerical, symbols, and special characters.
Api token	Enter the API token.
*: Mandatory fields

Enter the field information in the Certificate specific details section.

Table 3. Field and Description Table
Field	Description
Discover Private Keys	Select the check box to discover certificates along with private keys. If the device has many certificates, this may take a bit longer.
Private Key Default Password	Enter the default password.

Enter the field information in the Secondary device information section as follows:
- Auto-Detect - This option will automatically detect the corresponding secondary devices and add it as a new entry into AppViewX inventory using the Primary device’s credential.
- Manual Entry - This selection will enable you to manually add Secondary devices with a Sync-group name entered for reference. This name will be used to identify the pairs in the inventory. Follow similar steps.
- Ignore - This option can be enabled if you need to ignore the detection of the secondary device associated with the current device.
Note:
- By clicking the Add button, multiple devices can be added as secondary devices and all the devices will be available in the grid.
- By managing the Primary and Secondary devices in AppViewX during the device flips, traffic routing and management can be seamlessly handled in AppViewX.
Click the Save button to add a Firewall device.

Note: To discard the changes, click the Cancel button.

A pop-up message is displayed as Device added successfully.

CLI Commands

Minimum required permissions

Version of device: 6.x or above
License type: Cert+ Only 16
Device management
Network > Configuration > Read Only (Communication and version check)
Certificate discovery
- System > Configuration > Read/Write (System Local Certificates, System Setting)
- VPN > Read (VPN Profiles)
- Firewall > Others > Read (SSL/SSH Inspection Profile)
- User & Device > Read (User Authentication Setting Profile)
Certificate Push and Bind
- System > Configuration > Read/Write (Push to System Local Certificates, Bind System Server Certificate)
- VPN > Read/Write (Bind to VPN Setting Profile, VPN Ipsec profile)
- Firewall > Others > Read/Write (Bind to SSL/SSH Inspection Profile)
- User & Device > Read/Write (Bind to User Authentication Setting Profile)


Operation	Command	Description
System Status	`get system status`	Displays system information such as firmware version, VDOM status, and system mode.
Configure VDOM	`config vdom`	Enters VDOM configuration mode to manage Virtual Domains.
Edit configurations	`edit ?`	Enters edit mode for a specific configuration object (e.g., VDOM, interface, etc.).
End	`end`	Ends the current configuration mode and applies changes.
Switch to global	`config global`	Switches to the global configuration context.
Configure System’s console	`config system console`	Used to configure console settings; often used with set output standard for terminal output.
Set output to standard	`set output standard`	Sets the console output format to standard (non-JSON or non-table).
Show full CA certs (VPN)	`show full-configuration vpn certificate ca`	Displays full configuration of CA certificates used in VPN.
Show full CA certs	`show full-configuration certificate ca`	Displays full configuration of CA certificates in the system.
Show full local certs (VPN)	`show full-configuration vpn certificate local`	Displays full configuration of local VPN certificates.
Show full local certs	`show full-configuration certificate local`	Displays full configuration of local certificates in the system.
Show IPSec VPN config	`show vpn ipsec {CONFIGURATIONS}`	Displays IPsec VPN configurations.
Show SSL VPN settings	`show vpn ssl settings`	Displays current SSL VPN settings.
Show user settings	`show user setting`	Displays user authentication settings.
Show SSL/SSH profiles	`show firewall ssl-ssh-profile`	Displays SSL/SSH inspection profiles used in firewall policies.
List CA cert names (VPN)	`show full-configuration vpn certificate ca ?`	Lists available CA certificate names in VPN configuration.
List CA cert names	`show full-configuration certificate ca ?`	Lists available CA certificate names in the system configuration.
List local cert names (VPN)	`show full-configuration vpn certificate local ?`	Lists available local certificate names for VPN.
List local cert names	`show full-configuration certificate local ?`	Lists available local certificate names configured on the device (non-VPN).
Set CA certificate	`set ca \"{CERT_CONETNT}\"`	Sets the CA certificate content during certificate configuration.
Set private key	`set private-key \"{PVT_KEY_CONETNT}\"`	Sets the private key content for a certificate.
Set certificate content	`set certificate \"{CERT_CONETNT}\"`	Sets the actual certificate content.
Set password	`set password`	Sets a password (often used when importing password-protected keys/certs).
Unset password	`unset password`	Removes a previously set password from the configuration.
Configure SSL VPN settings	`config vpn ssl settings`	Enters configuration mode for SSL VPN settings.
Unset SSL VPN cert	`unset servercert`	Removes the currently configured SSL VPN server certificate.
Set SSL VPN cert	`set servercert {CERT_NAME}`	Sets the server certificate for SSL VPN.
Configure SSL/SSH profile	`config firewall ssl-ssh-profile`	Enters configuration mode for SSL/SSH inspection profiles.
Unset SSL/SSH cert	`unset server-cert`	Removes the configured certificate from the SSL/SSH profile.
Set SSL/SSH cert	`set server-cert {CERT_NAME}`	Sets the server certificate for SSL/SSH inspection.
Configure global settings	`config system global`	Enters system-wide global configuration mode.
Set admin portal cert	`set admin-server-cert {CERT_NAME}`	Sets the certificate used for the FortiGate admin GUI (HTTPS portal).
Configure user settings	`config user setting`	Enters configuration mode for user authentication settings.
Set user auth cert	`set auth-cert {CERT_NAME}`	Sets the certificate used for user authentication.
Configure IPsec VPN	`config vpn ipsec`	Enters IPsec VPN configuration mode.
Append cert to IPsec VPN	`append certificate {CERT_NAME}`	Appends a certificate to the IPsec VPN configuration.
Generate certificate	`execute vpn certificate local generate`	Generate a local certificate on the device.

Pushing Server Certificates to the Device

The certificate can be pushed to the device in only PEM format.

Note: Starting from FortiOS version 5.4 and above, when pushing a certificate to FortiGate, if a certificate with the intended name is already present, a timestamp is automatically appended to the certificate name. This ensures the new certificate is successfully imported without conflict, while retaining the original.

Warning:

FortiGate does not allow importing a certificate that has already been imported earlier—even if you attempt to import it again under a different name or context. FortiOS maintains a checksum or fingerprint of certificates.

If a certificate with the same cryptographic material already exists in the system (for example, with the same subject, serial number, and public key), it will reject duplicates to prevent redundancy or configuration conflicts.

Profiles will be discovered irrespective of the cert sync option selected during device addition or during an on-demand discovery. The following profiles will be discovered currently in AppViewX:

Shared location: Denotes a push-only operation which pushes a certificate to the end device.
Profile convention : {DeviceName}::System/Vdom name
SSL VPN Settings: SSL VPN allows remote users to securely connect to the corporate network using an encrypted SSL tunnel via a web portal or FortiClient. Apushed certificate can be associated to SSL-VPN setting if it is enabled.
Profile convention : {DeviceName}::System/Vdom name::SSL VPN Setting:SSL VPN Setting
SSL/SSH Inspection Profile: SSL/SSH inspection profiles inspect encrypted traffic (HTTPS/SSH) for threats or policy enforcement. Apushed certificate can be associated to any inspection profile if it is configured with Protecting SSL Server option.
Profile convention : {DeviceName}::System/Vdom name::SSL/SSH Inspection Profile:{Inspection profile name}
System Setting Https Server Certificate: This controls which certificate is used to secure access to the FortiGate administrative web interface. Apushed certificate can be associated to the System administration setting server certificate.
Profile convention : {DeviceName}::System::System Setting Https Server Certificate
User Authentication settings: Defines how users authenticate to FortiGate (e.g., captive portal, VPN, web portal). Ensures only clients with valid certificates can authenticate, enhancing security. Apushed certificate can be associated to the User authentication setting server certificate.
Profile convention : {DeviceName}::System:User Authentication settings:User Authentication settings
IPSec VPN Profile: IPSec VPN allows site-to-site or remote client VPN connections using the IPSec protocol suite. Apushed certificate can be associated to the IpSec tunnel configured in the device.
Profile convention : {DeviceName}::System:IPSec VPN Profile:{TUNNEL_NAME}

Backing Up Certificates

Before a bind operation, a backup will be taken for the currently associated certificate so that a rollback can be performed once the new certificate is associated.

Binding Certificates

Certificates can be bound for profile connectors. These connectors include all the connectors other than the shared location connector.

The selected selected certificate will be pushed to the shared location first and then the certificate will be associated to the selected profile.

Rolling Back Certificates

In the event of a rollback, the system restores the previous state by unbinding the current certificate, pushing and binding the backed-up certificates to the selected profile.

CSR Generation

Note: Generation of CSR can be performed for a FortiGate device during certificate enrollment. The Partition name, CSR File Name, and Key File Name have to be provided.

Minimum Privileges required in FortiManager

JSON API Access

Required for JSON API operations, it enables AppViewX to communicate with FortiManager through REST API calls. (System Settings -> Administrator -> Edit Administrator).

Required access: Read/Write

System Settings Access

Required to manage system certificates and configurations. (System Settings > Admin Profiles > Edit Administrator)

Required access: Read/Write

Configuring FortiManager Firewall Device

To add a FortiManager device:

Go to (Menu) > CERT+ > Device Management.
By default, the ADC tab opens.
Select the Firewall tab.
Click the + (Add) icon located on the top right corner.
The Add page appears.
Select the Fortinet vendor from the left side bar.

Enter the field information in the General Information section.

Table 4. Field and Description Table
Field	Description
CI name	Name of the CI.
Platform	Select FortiManager.
*Device name	Unique custom identifier of your device.
Communication	The communication mode that firewall devices can be added to AppViewX. The possible communication modes are: IP Address - The IP Address can be IPV4 and it can be either management IP or Self IP of the Firewall device. By default, the IP address has been selected. FQDN - On adding the device with FQDN, it will be resolved to an IP address and communication to the device will be made through it. If the FQDN is resolved to more than one device IP, AppViewX will choose a random IP for communication.
*IP address/FQDN	Enter the IP address or FQDN based on the selected communication mode.
Data center	The data center on which the device has been hosted. Select a datacenter from the dropdown list or enter a data center name.
Cert sync	Provision to discover and manage the SSL certificates from the firewall devices. The possible cert syncs are: Managed - All SSL certificates will be discovered and added to AppViewX certificate inventory and used for certificate lifecycle management like renew, revoke, etc. Monitored - All SSL certificates will be discovered and will not have any CA-related communication. Ignored - No SSL certificates will be discovered from the firewall device. Note: The certification sync is based on the license applied.
*SSH Port	By default, it is 22.
*HTTPS Port	By default, it is 443. Note: Any change in port configuration is captured in audit logs.
*: Mandatory fields

Enter the field information in the Credentials section:

Table 5. Field and Description Table
Field	Description
*Credential type	Credentials can be manually provided or stored as a one-time entry onto the credential library and referred at the time of device addition. Select one of the following credential types from the drop-down list: Manual Entry - The user name and password of the device need to be entered with device details. By default, the Manual Entry option is selected. Credential List - AppViewX - The user name and password can be added to the List and that entry can be referred to during device addition. The credential lists are integrated within AppViewX application for the secured authentication. If external credential types such as Thycotic, BeyondTrust, CloudAccount, or AppViewX Vault are configured, then this credential type will be listed in the device addition screen. Choose the appropriate Credential Type from the dropdown list. If authentication relies on an external credential, ensure that the hostname, FQDN, or IP address used for device communication is configured in the corresponding external credential vault. To create a credential list, see Creating Credential List in the Platform User Guide.
*Username	Username for the firewall device when you select the Manual Entry credential type.
*Password	Valid password for the firewall device when you select the Manual Entry credential type. Note: Use strong passwords for secure device communication. Your password can be of any length with a combination of alpha-numerical, symbols, and special characters.
*: Mandatory fields

Enter the field information in the Secondary device information section as follows:
- Auto-Detect - This option will automatically detect the corresponding secondary devices and add it as a new entry into AppViewX inventory using the Primary device’s credential.
- Manual Entry - This selection will enable you to manually add Secondary devices with a Sync-group name entered for reference. This name will be used to identify the pairs in the inventory. Follow similar steps.
- Ignore - This option can be enabled if you need to ignore the detection of the secondary device associated with the current device.
Note:
- By clicking the Add button, multiple devices can be added as secondary devices and all the devices will be available in the grid.
- By managing the Primary and Secondary devices in AppViewX during the device flips, traffic routing, and management can be seamlessly handled in AppViewX.
Click the Save button to add a Firewall device.

Note: To discard the changes, click the Cancel button.

A pop-up message is displayed as Device added successfully.

Discovering Certificates

Discovery (on-demand and scheduled) of certificates from the FortiManager certificate repository including:
- Local certificates
- Local CA certificates

The system creates the following certificate profiles with correct naming conventions:


Certificate Profile	Naming Convention
System Local	`deviceName::FortiManager::System`
HTTPS & Web Service	`deviceName::FortiManager::System::AdminServerCertificate`
SAML SSO IdP (when enabled)	`deviceName::FortiManager::System::SamlIdp`
HA Cluster	`deviceName::FortiManager::System::HA`

When config sync is triggered and cert sync is enabled, the system automatically:
- Initiates certificate discovery
- Creates/updates corresponding profiles
- Maintains the association between certificates and profiles
Note: Certificates from FortiGate devices managed by FortiManager are currently not supported in this integration.
Frame application connectors for the server certificates based on the profile it was discovered from. (Default connector is overridden by Profile connectors.)

Pushing Server Certificates to the Device

Note: The certificates can be pushed to the FortiManager device only in PEM format.

Parameters

Certificate File Name: Mandatory parameter specifying the name for the certificate file on the device

Push Root and Intermediate Certificates

Functionality: Root and intermediate certificates can be included with the server certificate during push operation
Import Behaviour:
- Server certificate imported to local cert store
- Trust certificates (root/intermediate) imported to local ca cert store

File Naming Requirements

File name is mandatory for all certificates in the chain.
Each certificate in the chain requires a unique file name.
If any of the specified names already exists on the device, the push operation will fail
Overwrite Option: Can be resolved by checking the overwrite option to replace existing certificates
Private Key In Device option: Used to map certificate to a CSR file in FortiManager. When selected, the CSR file in the device will be updated with the certificate content.

Trust Certificate Push

All trust certificates will be imported to the local ca certificate store on the FortiManager device.

Naming and Override Behavior

Same file naming requirements apply as server certificate push.
Mandatory file names for all trust certificates being pushed.
Push operation fails if certificate names already exist on device.
Overwrite Option: Available to replace existing trust certificates with the same names.

Binding Certificates

Certificates can be bound to profile connectors in FortiManager. Certificate binding is supported for the following profiles:

Admin Server Certificate
SAML Identity Provider
High Availability (HA)

After the push operation, the certificate will be referenced using the pushed certificate name in the FortiManager configuration. This ensures proper association between the certificate and the specific profile functionality.

Backing Up and Rolling Back Certificates

Backup and rollback operations are not supported because FortiManager does not expose the private key content of the server certificates. Therefore, it is not possible to backup or restore the previous state of the certificates in case of a rollback.

CSR Generation

The FortiManager CSR generation feature allows users to create Certificate Signing Requests (CSR) directly on FortiManager devices through SSH connectivity.

Note: Command Format: execute certificate local generate [filename] [bitlength] [commonname] [country] [state] [locality] [organization] [organizationunit] [email]

Parameters

CSR File Name: Mandatory parameter specifying the name for the CSR file on the device.

Once CSR generation is successful and signed certificate is received from CA, the certificate has to be pushed back to the device with the same CSR file name with PrivateKeyInDevice option selected to map the certificate correctly.

Note:

Implementation supports only RSA key generation; no support for EC/DSA or any other key type.
Supported bit lengths for RSA key type: 512, 1024, 1536, 2048, 3072, 4096

CLI Commands

CSR generation

Generate CSR in the device:

execute certificate local generate <name> <key_size> <CN> <C> <ST> <L> <O> <OU>
        <email>

Get CSR file content : show system certificate local <csr_file_name>

APIs

POST https://$HOST:$HTTPS_PORT/jsonrpc: This is the standard format of the API URLs triggered in FortiManager for all the use cases.

Standard payload format:

{
  "id": <id>,
  "method": "<method, could be exec, add, update>",
  "params": [
      {
          "url": "URL for the request",
          "data": {
              <Data required for the request>
          }
      }
  ],
  "session": <session_id>
}


Operation	Method	URL	Data	Description
Login using json rpc	exec	/sys/login/user	`{ "user": {USER_NAME}, "passwd": {PASSWORD} }`	A login operation is required in order to get a session ID.
System Status	get	/cli/global/system/status	`{ }`	Displays system information such as firmware version and system mode.
Show local certs	get	/cli/global/system/certificate/local	`{ }`	Displays full configuration of local server certificates. (Private key of the certificates are masked in the response).
Show local CA certs	get	/cli/global/system/certificate/ca	`{ }`	Displays full configuration of local CA certificates in the system.
Show system admin settings	get	/cli/global/system/admin/setting	`{ }`	Displays the system admin setting details.
Show HA settings	get	/cli/global/system/ha	`{ }`	Displays the HA setting details.
Show SAML Idp settings	get	/cli/global/system/saml	`{ }`	Displays the SAML Idp setting details.
Add/Update local server certificate	add/update	/cli/global/system/certificate/local	`{ "certificate": "{CERTIFICATE_CONTENT}", "name": "{CERTIFICATE_FILE_NAME}", "private-key": "{PRIVATE_KEY_CONTENT}" }`	To import a server certificate with a private key to local store.
Add/Update local CA certificate	add/set	/cli/global/system/certificate/local/ca	`{ "certificate": "{CERTIFICATE_CONTENT}", "name": "{CERTIFICATE_FILE_NAME}" }`	To import a trusted CA certificate to local ca store.
Modify system admin server certificate	update	/cli/global/system/admin/setting	`{ "admin_server_cert": "{CERTIFICATE_FILE_NAME}" }`	To modify the admin server certificate mapped to the FortiManager UI portal.
Modify HA certificate	update	/cli/global/system/ha	`{ "local-cert": "{CERTIFICATE_FILE_NAME}" }`	To modify certificate mapped to the HA setting.
Modify SAML Idp certificate	update	/cli/global/system/saml	`{ "cert": "{CERTIFICATE_FILE_NAME}" }`	To modify certificate mapped to the SAML Idp setting.

Troubleshooting

Device goes to unresolved state after onboarding

The device might enter an unresolved state due to connectivity issues from the AppViewX installed node or CC node. In such cases, follow these steps:

Attempt to establish an SSH connection from the AppViewX installed node or CC node to the FortiManager server.
Verify if there is proper connectivity between the nodes and the FortiManager server. Check for the JSON API access provided for the user onboarded in AppViewX.

Device addition with FQDN fails when using external vault

When adding a firewall device with FQDN in AppViewX, the credentials are fetched from the external vaults via device FQDN. A dot (.) is automatically added at the end of the FQDN for firewalls in AppViewX during the credential lookup process.

Note:

The credentials configured in the external vault must have a dot (.) at the end of the FQDN to match the lookup pattern used by AppViewX.
If the FQDN of the device is test.avx.com, then the credential entry in external vault should be configured as: test.avx.com.

Validating the Device

After adding the device, you can validate the device by searching device in the device inventory.

Go to Menu > CERT+ > Device Management.
By default, the ADC tab opens.
Click the Firewall tab.
Search the device name and validate whether the device is added successfully.