Adding a Fortinet Firewall Device

Prerequisites

  • General prerequisites:
    • Ensure communication between AppViewX and the firewall is enabled.
    • Valid firewall account details, including API tokens/keys and user credentials, are necessary.
  • IP Address/FQDN: IP address or FQDN
  • User Privilege: Username/Password
  • Services and Port for AppViewX Communication: Port number 22 (SSH)
    Note: For Visual Workflow action items, you will require credentials with write privilege.

Configuring Fortinet Firewall Device

To add a Fortinet device:

  1. Go to Menu > FIREWALL+ > DEVICE MANAGEMENT > Inventory > Firewall.
    By default, the Firewall tab opens.
  2. In the Firewall tab, click the Add icon located in the upper-right corner.
    The Add page appears.
  3. Select the Fortinet vendor from the left side bar.
  4. Enter the field information in the General Information section.
    Table 1. Field and Description Table
    • CI name - Name of the CI.
    • Platform - Select one of the following options:
      • Fortigate
      • FortiManager
    • *Device name - Unique custom identifier of your device.
    • Data center - The data center on which the device is hosted. Select a data center from the dropdown list or enter a new data center name.
    • Communication - The communication mode by which the firewall device is added to AppViewX. The possible communication modes are:
      • IP Address - The IP address can be IPv4 and can be either the management IP or the Self IP of the firewall device. IP Address is selected by default.
      • FQDN - When the device is added with an FQDN, the FQDN is resolved to an IP address and communication with the device goes through that address. If the FQDN resolves to more than one IP address, AppViewX chooses one of them at random for communication.
    • *IP address/FQDN - Enter the IP address or FQDN based on the selected communication mode.
    • Cert sync - Provision to discover and manage the SSL certificates on the firewall device. The possible Cert sync options are:
      • Managed - All SSL certificates are discovered, added to the AppViewX certificate inventory, and used for certificate lifecycle management (renew, revoke, and so on).
      • Monitored - All SSL certificates are discovered, but no CA-related communication takes place.
      • Ignored - No SSL certificates are discovered from the firewall device.
      Note: Certificate sync depends on the license applied.
    • *SSH Port - By default, 22.
    *: Mandatory fields
  5. Enter the field information in the Credentials section:
    Table 2. Field and Description Table
    • *Credential type - Credentials can be entered manually or stored once in the credential library and referenced at the time of device addition. Select one of the following credential types from the drop-down list:
      • Manual Entry - The user name and password of the device are entered together with the device details. Manual Entry is selected by default.
      • AppViewX Credential List - The user name and password are added to the list, and that entry is referenced during device addition. The credential lists are integrated within the AppViewX application for secure authentication.
      • External credential types - If external credential types such as Thycotic, BeyondTrust, CloudAccount, or AppViewX Vault are configured, they are listed in the device addition screen. Choose the appropriate credential type from the dropdown list.

      If authentication relies on an external credential, ensure that the hostname, FQDN, or IP address used for device communication is configured in the corresponding external credential vault.

      To create a credential list, see Creating Credential List in the Platform User Guide.

    • *Username - Username for the firewall device when the Manual Entry credential type is selected.
    • *Password - Valid password for the firewall device when the Manual Entry credential type is selected.
      Note: Use strong passwords for secure device communication. Passwords can be of any length and combine alphanumeric characters, symbols, and special characters.
    • Api token - Enter the API token.
    *: Mandatory fields
  6. Enter the field information in the Certificate specific details section:
    Table 3. Field and Description Table
    • Discover Private Keys - Select the check box.
    • Private Key Default Password - Enter the default password.
  7. Enter the field information in the Secondary device information section as follows:
    • Auto-Detect - This option automatically detects the corresponding secondary devices and adds them as new entries in the AppViewX inventory using the primary device's credentials.
    • Manual Entry - This option lets you add secondary devices manually, with a Sync-group name entered for reference. This name is used to identify the pairs in the inventory. Follow similar steps.
    • Ignore - Enable this option if the detection of the secondary device associated with the current device should be skipped.
    Note:
    • By clicking the Add button, multiple devices can be added as secondary devices and all the devices will be available in the grid.
    • By managing the Primary and Secondary devices in AppViewX during the device flips, traffic routing and management can be seamlessly handled in AppViewX.
  8. Click the Save button to add the firewall device.
    Note:
    • To discard the changes, click the Cancel button.
    A pop-up message is displayed as Device added successfully.

Validating the Device

After adding the device, you can validate it by searching for it in the device inventory.

  1. Go to Menu > FIREWALL+ > DEVICE MANAGEMENT > Inventory > Firewall.
    By default, the Firewall tab opens.
  2. Search for the device name and confirm that the device was added successfully.

CLI Commands

Minimum required permissions

  • Version of device: 6.x or above
  • License type: Cert+ Only
  • Device management
    • Network > Configuration > Read Only (Communication and version check)
  • Certificate discovery
    • System > Configuration > Read/Write (System Local Certificates, System Setting)
    • VPN > Read (VPN Profiles)
    • Firewall > Others > Read (SSL/SSH Inspection Profile)
    • User & Device > Read (User Authentication Setting Profile)
  • Certificate Push and Bind
    • System > Configuration > Read/Write (Push to System Local Certificates, Bind System Server Certificate)
    • VPN > Read/Write (Bind to VPN Setting Profile, VPN IPsec profile)
    • Firewall > Others > Read/Write (Bind to SSL/SSH Inspection Profile)
    • User & Device > Read/Write (Bind to User Authentication Setting Profile)

Commands used on the device (Operation: Command - Description)

  • System Status: get system status - Displays system information such as firmware version, VDOM status, and system mode.
  • Configure VDOM: config vdom - Enters VDOM configuration mode to manage Virtual Domains.
  • Edit configurations: edit ? - Enters edit mode for a specific configuration object (e.g., VDOM, interface).
  • End: end - Ends the current configuration mode and applies changes.
  • Switch to global: config global - Switches to the global configuration context.
  • Configure system console: config system console - Configures console settings; often used with set output standard for terminal output.
  • Set output to standard: set output standard - Sets the console output format to standard (non-JSON, non-table).
  • Show full CA certs (VPN): show full-configuration vpn certificate ca - Displays the full configuration of CA certificates used in VPN.
  • Show full CA certs: show full-configuration certificate ca - Displays the full configuration of CA certificates in the system.
  • Show full local certs (VPN): show full-configuration vpn certificate local - Displays the full configuration of local VPN certificates.
  • Show full local certs: show full-configuration certificate local - Displays the full configuration of local certificates in the system.
  • Show IPsec VPN config: show vpn ipsec {CONFIGURATIONS} - Displays IPsec VPN configurations.
  • Show SSL VPN settings: show vpn ssl settings - Displays the current SSL VPN settings.
  • Show user settings: show user setting - Displays user authentication settings.
  • Show SSL/SSH profiles: show firewall ssl-ssh-profile - Displays SSL/SSH inspection profiles used in firewall policies.
  • List CA cert names (VPN): show full-configuration vpn certificate ca ? - Lists available CA certificate names in the VPN configuration.
  • List CA cert names: show full-configuration certificate ca ? - Lists available CA certificate names in the system configuration.
  • List local cert names (VPN): show full-configuration vpn certificate local ? - Lists available local certificate names for VPN.
  • List local cert names: show full-configuration certificate local ? - Lists available local certificate names configured on the device (non-VPN).
  • Set CA certificate: set ca "{CERT_CONTENT}" - Sets the CA certificate content during certificate configuration.
  • Set private key: set private-key "{PVT_KEY_CONTENT}" - Sets the private key content for a certificate.
  • Set certificate content: set certificate "{CERT_CONTENT}" - Sets the actual certificate content.
  • Set password: set password - Sets a password (often used when importing password-protected keys/certs).
  • Unset password: unset password - Removes a previously set password from the configuration.
  • Configure SSL VPN settings: config vpn ssl settings - Enters configuration mode for SSL VPN settings.
  • Unset SSL VPN cert: unset servercert - Removes the currently configured SSL VPN server certificate.
  • Set SSL VPN cert: set servercert {CERT_NAME} - Sets the server certificate for SSL VPN.
  • Configure SSL/SSH profile: config firewall ssl-ssh-profile - Enters configuration mode for SSL/SSH inspection profiles.
  • Unset SSL/SSH cert: unset server-cert - Removes the configured certificate from the SSL/SSH profile.
  • Set SSL/SSH cert: set server-cert {CERT_NAME} - Sets the server certificate for SSL/SSH inspection.
  • Configure global settings: config system global - Enters system-wide global configuration mode.
  • Set admin portal cert: set admin-server-cert {CERT_NAME} - Sets the certificate used for the FortiGate admin GUI (HTTPS portal).
  • Configure user settings: config user setting - Enters configuration mode for user authentication settings.
  • Set user auth cert: set auth-cert {CERT_NAME} - Sets the certificate used for user authentication.
  • Configure IPsec VPN: config vpn ipsec - Enters IPsec VPN configuration mode.
  • Append cert to IPsec VPN: append certificate {CERT_NAME} - Appends a certificate to the IPsec VPN configuration.
  • Generate certificate: execute vpn certificate local generate - Generates a local certificate on the device.

Pushing Server Certificates to the Device

Certificates can be pushed to the device in PEM format only.
Note: Starting from FortiOS version 5.4, when a certificate is pushed to FortiGate and a certificate with the intended name is already present, a timestamp is automatically appended to the new certificate's name. This ensures that the new certificate is imported without conflict while the original is retained.
Warning:

FortiGate does not allow importing a certificate that has already been imported, even if you attempt to import it again under a different name or context. FortiOS maintains a checksum or fingerprint of each certificate.

If a certificate with the same cryptographic material already exists in the system (for example, the same subject, serial number, and public key), the duplicate is rejected to prevent redundancy or configuration conflicts.
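The two rules above (PEM only; duplicate material is rejected; a name clash gets a timestamp suffix) can be checked before anything is sent to the device. The following is an added example, not AppViewX or Fortinet code: it identifies certificate material by the SHA-256 of the DER bytes (FortiOS's own checksum method is not documented here, so that is an assumption) and compares it with a constructed inventory of names and fingerprints taken from an earlier discovery.

```python
import base64
import binascii
import hashlib
import re

# One PEM certificate block; the device accepts pushes in PEM format only.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of a PEM certificate; raise ValueError for anything else."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("not a PEM certificate: only PEM can be pushed")
    try:
        return base64.b64decode("".join(m.group(1).split()), validate=True)
    except binascii.Error as exc:
        raise ValueError("PEM body is not valid base64") from exc

def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding identifies the cryptographic material (assumed method)."""
    return hashlib.sha256(der).hexdigest()

def precheck_push(name: str, pem: str, inventory: dict) -> tuple:
    """Predict how FortiOS will treat the push. inventory maps the names of
    certificates already on the device to their fingerprints (from a prior
    discovery). Returns ('reject' | 'rename' | 'ok', reason)."""
    fp = fingerprint(pem_to_der(pem))
    for existing_name, existing_fp in inventory.items():
        if existing_fp == fp:
            return "reject", f"same material is already imported as {existing_name!r}"
    if name in inventory:
        return "rename", f"{name!r} exists; FortiOS appends a timestamp to the new name"
    return "ok", f"{name!r} is imported as-is"

def make_pem(der: bytes) -> str:
    """Wrap bytes as a PEM block (used here only to build the constructed samples)."""
    body = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Constructed sample data: placeholder bytes, not real X.509 certificates.
CURRENT_DER = b"constructed placeholder: certificate currently on the FortiGate"
RENEWED_DER = b"constructed placeholder: renewed certificate to be pushed"
INVENTORY = {"web-portal-2024": fingerprint(CURRENT_DER)}

if __name__ == "__main__":
    print(precheck_push("web-portal-2024", make_pem(CURRENT_DER), INVENTORY))  # reject
    print(precheck_push("web-portal-2024", make_pem(RENEWED_DER), INVENTORY))  # rename
    print(precheck_push("web-portal-2025", make_pem(RENEWED_DER), INVENTORY))  # ok
```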

Profiles are discovered irrespective of the Cert sync option selected during device addition or during an on-demand discovery. AppViewX currently discovers the following profiles:
  • Shared location: Denotes a push-only operation which pushes a certificate to the end device.

    Profile convention: {DeviceName}::System/Vdom name

  • SSL VPN Settings: SSL VPN allows remote users to securely connect to the corporate network through an encrypted SSL tunnel via a web portal or FortiClient. A pushed certificate can be associated to the SSL VPN setting if it is enabled.

    Profile convention: {DeviceName}::System/Vdom name::SSL VPN Setting:SSL VPN Setting

  • SSL/SSH Inspection Profile: SSL/SSH inspection profiles inspect encrypted traffic (HTTPS/SSH) for threats or policy enforcement. A pushed certificate can be associated to any inspection profile that is configured with the Protecting SSL Server option.

    Profile convention: {DeviceName}::System/Vdom name::SSL/SSH Inspection Profile:{Inspection profile name}

  • System Setting Https Server Certificate: Controls which certificate secures access to the FortiGate administrative web interface. A pushed certificate can be associated to the system administration setting server certificate.

    Profile convention: {DeviceName}::System::System Setting Https Server Certificate

  • User Authentication settings: Defines how users authenticate to FortiGate (e.g., captive portal, VPN, web portal) and ensures that only clients with valid certificates can authenticate. A pushed certificate can be associated to the user authentication setting server certificate.

    Profile convention: {DeviceName}::System:User Authentication settings:User Authentication settings

  • IPSec VPN Profile: IPsec VPN allows site-to-site or remote-client VPN connections using the IPsec protocol suite. A pushed certificate can be associated to the IPsec tunnel configured on the device.

    Profile convention: {DeviceName}::System:IPSec VPN Profile:{TUNNEL_NAME}

Backing Up Certificates

Before a bind operation, a backup of the currently associated certificate is taken so that a rollback can be performed after the new certificate is associated.

Binding Certificates

Certificates can be bound to profile connectors, that is, all connectors other than the shared location connector.

The selected certificate is pushed to the shared location first, and then associated to the selected profile.

Rolling Back Certificates

In the event of a rollback, the system restores the previous state by unbinding the current certificate, pushing and binding the backed-up certificates to the selected profile.
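The bind and rollback steps map onto the CLI commands listed above. The following is an added example, not AppViewX's implementation: it parses a profile name written in this page's convention and emits the FortiOS command sequence for a bind, and the rollback is the same sequence with the backed-up certificate name. It assumes a multi-VDOM unit ("System" scope entered with config global, a VDOM scope with config vdom / edit), uses the standard FortiOS next keyword to save an edited object, and leaves out the IPsec connector; device and certificate names are constructed.

```python
# Each profile connector named on this page, with the FortiOS commands the page
# lists for it: (context command, needs 'edit <name>', unset command, set command).
BIND_STEPS = {
    "SSL VPN Setting": ("config vpn ssl settings", False, "unset servercert", "set servercert"),
    "SSL/SSH Inspection Profile": ("config firewall ssl-ssh-profile", True, "unset server-cert", "set server-cert"),
    "System Setting Https Server Certificate": ("config system global", False, None, "set admin-server-cert"),
    "User Authentication settings": ("config user setting", False, None, "set auth-cert"),
}

def parse_profile(profile: str) -> tuple:
    """Split a profile name in this page's convention into
    (device, scope, profile_type, profile_name). The convention mixes '::' and
    ':' as separators, so both are treated the same; a two-part name is the
    shared location (push-only, nothing to bind)."""
    parts = profile.replace("::", ":").split(":")
    device, scope = parts[0], parts[1]
    ptype = parts[2] if len(parts) > 2 else "Shared location"
    pname = parts[3] if len(parts) > 3 else ptype
    return device, scope, ptype, pname

def bind_commands(scope: str, ptype: str, pname: str, cert_name: str) -> list:
    """FortiOS CLI lines that bind cert_name to one profile. scope is 'System'
    (global context, assumed to be entered with 'config global') or a VDOM name."""
    ctx, per_object, unset, setter = BIND_STEPS[ptype]
    lines = ["config global"] if scope == "System" else ["config vdom", f"edit {scope}"]
    lines.append(ctx)
    if per_object:
        lines.append(f'edit "{pname}"')
    if unset:
        lines.append(unset)            # unbind the current certificate first
    lines.append(f'{setter} "{cert_name}"')
    if per_object:
        lines.append("next")           # save the edited object (standard FortiOS keyword)
    lines += ["end", "end"]            # leave the profile context, then the VDOM/global context
    return lines

def bind_for_profile(profile: str, cert_name: str) -> list:
    _device, scope, ptype, pname = parse_profile(profile)
    return bind_commands(scope, ptype, pname, cert_name)

def rollback_for_profile(profile: str, backup_cert: str) -> list:
    """Rollback rebinds the certificate backed up before the bind; that backup
    must already have been pushed back to the shared location."""
    return bind_for_profile(profile, backup_cert)

if __name__ == "__main__":
    # Constructed names: device fw01, VDOM root, certificate web-portal-2025.
    print("\n".join(bind_for_profile("fw01::root::SSL VPN Setting:SSL VPN Setting", "web-portal-2025")))
```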

CSR Generation

Note: A CSR can be generated for a FortiGate device during certificate enrollment. The Partition name, CSR File Name, and Key File Name have to be provided.