How to Configure a Fortinet FortiGate Firewall as an Internet Gateway from Scratch
Most FortiGate guides show you one or two config pieces and assume the rest is obvious. This one doesn’t. Starting from a factory-fresh appliance, you’ll build a fully functional internet gateway with WAN, LAN, NAT, DHCP, DNS, firewall policy, and baseline security profiles — step by step, with the exact CLI commands and GUI paths. By the end, hosts on your LAN can reach the internet, traffic is inspected, and the configuration is hardened enough for a small-to-mid-size production environment.
May 2026 | ⏱ 25 min read | FortiOS 7.4.x / 7.6.x • NAT Mode • Firewall Policy • Security Profiles | ⚙ Network Engineers / IT Administrators
What You’ll Build
|
• WAN interface (static, DHCP, or PPPoE) |
• Outbound firewall policy with security profiles |
⚠ Before You Start
• A supported FortiGate appliance (60F, 80F, 100F, 200F, or any current model) running FortiOS 7.4.x or 7.6.x
• Console cable or initial web GUI access over the default management IP (192.168.1.99)
• ISP WAN details: static IP/gateway/DNS, or DHCP, or PPPoE credentials
• Active Fortinet license (UTP or Enterprise bundle) for security services to update signatures
• Network diagram showing your WAN subnet, LAN subnet(s), and any VLAN requirements
Steps in This Guide
|
Step 1. First Login & Admin Password Step 2. Hostname, DNS & NTP Step 3. WAN Interface Configuration Step 4. LAN Interface Configuration Step 5. VLAN Sub-interfaces (optional) Step 6. DHCP Server on LAN Step 7. Default Route |
Step 8. Outbound Firewall Policy with NAT Step 9. Security Profiles (IPS, AV, Web, App) Step 10. SSL/TLS Inspection Step 11. DNS Filter Step 12. Admin Hardening & SSH Step 13. Verification & Testing FAQ |
|
Step 1 of 13 First Login & Admin Password |
|
Connect a PC to port1 (or the dedicated management port on larger models). Set the PC’s IP address to 192.168.1.100/24 with gateway 192.168.1.99. Open a browser and navigate to https://192.168.1.99. Accept the self-signed certificate warning.
Default credentials: Username: admin, Password: (blank). FortiOS will force you to set a password immediately on first login. Set a strong password — minimum 12 characters, mixed case, numbers, special characters.
If you prefer CLI from day one (recommended for repeatability), connect a console cable to the Console port (RJ-45, 9600 baud, 8-N-1) and use PuTTY or similar terminal emulator.
# First login via console or web GUI — set admin password
FGT-60F login: admin Password: [press Enter — blank] You are forced to change your password. Please enter a new password. New Password: ************ Confirm Password: ************
|
Step 2 of 13 Hostname, System DNS & NTP |
⚙️ |
Set a meaningful hostname so log messages and management sessions identify which device you’re connected to. Configure system DNS (used by the FortiGate itself for FQDN resolution in policies and for FortiGuard updates). Set NTP — accurate time is critical for log correlation, certificate validity, and security event timestamps.
GUI Path: System › Settings
Set Hostname, then scroll to DNS and NTP sections. Configure as needed.
CLI:
# Set hostname
config system global set hostname FGT-HQ-GW set timezone 04 # 04 = US/Eastern; run 'diagnose sys timezone list' for all options end
# Configure system DNS (FortiGate's own DNS for management traffic and FQDN resolution)
config system dns set primary 8.8.8.8 set secondary 8.8.4.4 set dns-over-tls disable # enable if your DNS resolver supports DoT end
# Configure NTP
config system ntp set ntpsync enable set type custom config ntpserver edit 1 set server "pool.ntp.org" next edit 2 set server "time.cloudflare.com" next end set syncinterval 60 end
Verify NTP sync: diagnose sys ntp status — look for “synchronized: yes” and stratum ≤ 3. Without accurate time, log timestamps are unreliable and FortiGuard licensing checks can fail.
|
Step 3 of 13 WAN Interface Configuration |
|
Connect your ISP modem or router to port1 (the WAN interface on most FortiGate models). The WAN interface configuration depends on how your ISP delivers connectivity. Three common scenarios are covered below.
GUI Path: Network › Interfaces › Edit port1
Set Role to WAN, configure addressing mode, and set allowed management services (limit to ping only on WAN in production).
Scenario A — Static IP from ISP
config system interface edit "port1" set mode static set ip 203.0.113.10 255.255.255.252 # your ISP-assigned IP and mask set allowaccess ping set role wan set description "WAN - ISP Static" next end
Scenario B — DHCP from ISP (Cable/Fiber with DHCP)
config system interface edit "port1" set mode dhcp set allowaccess ping set role wan set description "WAN - DHCP" next end # Verify DHCP lease received diagnose ip address list
Scenario C — PPPoE (DSL, some Fiber ISPs)
config system interface edit "port1" set mode pppoe set pppoe-username "yourISPusername@isp.com" set pppoe-password "yourISPpassword" set allowaccess ping set role wan set description "WAN - PPPoE" next end # Check PPPoE session status diagnose ip address list get system interface port1
Dual WAN / SD-WAN note: If you have a second ISP connection on port2, this guide covers a single WAN setup. For SD-WAN with dual ISP links, add both interfaces to the SD-WAN zone (Network › SD-WAN) and configure performance SLAs and rules separately.
|
Step 4 of 13 LAN Interface Configuration |
|
Most FortiGate models have a hardware switch zone (internal/lan) grouping ports 2–5 (or similar). You can use this as a flat LAN or break individual ports out for routing/VLANs. For this guide, we’ll configure the internal zone as a single flat LAN network — 192.168.10.0/24.
GUI Path: Network › Interfaces › Edit internal (or lan)
# Configure the LAN interface (hardware switch / internal)
config system interface edit "internal" set ip 192.168.10.1 255.255.255.0 set allowaccess ping https ssh set role lan set description "LAN - Corporate Network" next end
On models where port1–portN are all individual routed interfaces (larger models like 100F, 200F, 400F), configure a specific LAN port directly:
config system interface edit "port2" set mode static set ip 192.168.10.1 255.255.255.0 set allowaccess ping https ssh set role lan set description "LAN - Corporate" next end
Allowaccess on LAN: Enable https ssh on the LAN interface for initial management access. Once you have a dedicated management interface or out-of-band access, remove ssh from the main LAN interface. Never enable https or ssh on the WAN interface in production.
|
Step 5 of 13 — Optional VLAN Sub-interfaces (Segmented LAN) |
|
If you need separate network segments (corporate, guest, IoT, servers), create VLAN sub-interfaces on the LAN port. Each VLAN gets its own IP address (which becomes the default gateway for that VLAN) and its own firewall policy rules.
# Create VLAN sub-interfaces on port2 (or internal)
config system interface edit "VLAN10-Corporate" set vdom "root" set ip 192.168.10.1 255.255.255.0 set allowaccess ping https ssh set type vlan set vlanid 10 set interface "port2" set role lan set description "Corporate Users" next edit "VLAN20-Guest" set vdom "root" set ip 192.168.20.1 255.255.255.0 set allowaccess ping set type vlan set vlanid 20 set interface "port2" set role lan set description "Guest WiFi" next edit "VLAN30-IoT" set vdom "root" set ip 192.168.30.1 255.255.255.0 set allowaccess ping set type vlan set vlanid 30 set interface "port2" set role lan set description "IoT Devices" next end
Connect port2 to a managed switch configured with 802.1Q trunking for VLAN 10, 20, and 30. Access ports on the switch connect to end devices in their respective VLANs. If skipping VLANs, ignore this step and proceed to Step 6 using the single internal interface.
|
Step 6 of 13 DHCP Server on LAN Interface |
|
Configure the FortiGate to serve DHCP leases to LAN clients. Exclude the gateway IP and any other static assignments from the DHCP range. Set a short enough lease time that you’ll get the IP back promptly when a device leaves, but not so short that devices are constantly renewing (3600–86400 seconds is typical).
GUI Path: Network › DHCP Servers › Create New
# DHCP server for the corporate LAN (internal or VLAN10)
config system dhcp server edit 1 set dns-service default # use FortiGate itself as DNS relay set default-gateway 192.168.10.1 set netmask 255.255.255.0 set interface "internal" # or "VLAN10-Corporate" set lease-time 86400 # 24 hours in seconds config ip-range edit 1 set start-ip 192.168.10.100 set end-ip 192.168.10.200 next end set domain "corp.local" config dns-server set dns-server1 192.168.10.1 # FortiGate as DNS for filtering end next end
If you created VLAN sub-interfaces, add a separate DHCP server for each VLAN (edit 2 for VLAN20, edit 3 for VLAN30) with the appropriate interface name, gateway, and IP range.
Verify DHCP leases: show system dhcp server — Active leases appear in Network › DHCP Servers › View Leases. Connect a test workstation to the LAN and verify it gets an IP in the 192.168.10.100–200 range.
|
Step 7 of 13 Default Route |
|
Without a default route, the FortiGate has no path for traffic destined for unknown destinations (i.e., the internet). If your WAN is DHCP, FortiOS typically installs a default route automatically when it gets a lease. For static IP, you must create it manually. For PPPoE, the route is added after the PPPoE session comes up.
GUI Path: Network › Static Routes › Create New
# Static WAN: manual default route pointing to ISP gateway
config router static edit 1 set dst 0.0.0.0 0.0.0.0 set gateway 203.0.113.9 # your ISP gateway IP set device "port1" set distance 10 set comment "Default route to ISP" next end
# DHCP WAN: the default route is usually auto-installed, but verify:
get router info routing-table all # Look for: S* 0.0.0.0/0 [10/0] via <ISP-gateway>, port1
Test connectivity from the FortiGate: execute ping 8.8.8.8. If this succeeds, the FortiGate itself can reach the internet. If it fails, check the WAN interface IP assignment and the default route. LAN clients can’t reach the internet yet — that requires the firewall policy and NAT in Step 8.
|
Step 8 of 13 — Critical Outbound Firewall Policy with NAT |
|
This is the policy that permits LAN clients to reach the internet and applies PAT (NAT overload) to translate private IP addresses to the FortiGate’s public WAN IP. Without this policy, all LAN traffic is silently dropped. There is no default allow rule — FortiGate denies everything by default.
GUI Path: Policy & Objects › Firewall Policy › Create New
| Field | Value |
| Name | LAN-to-WAN-Internet |
| Incoming Interface | internal (or VLAN10-Corporate) |
| Outgoing Interface | port1 (WAN) |
| Source | all (or a specific address object for your LAN subnet) |
| Destination | all |
| Service | ALL (or specific services: HTTP, HTTPS, DNS) |
| Action | ACCEPT |
| NAT | Enable — Use Outgoing Interface Address |
CLI Equivalent:
config firewall policy edit 1 set name "LAN-to-WAN-Internet" set srcintf "internal" # or "VLAN10-Corporate" set dstintf "port1" # WAN interface set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" set nat enable # PAT using WAN interface IP set logtraffic all # log all traffic (can change to utm for less volume) set comments "LAN users outbound internet access" next end
If you created VLANs, create a separate policy for each VLAN’s internet access. You can also create inter-VLAN policies to control which VLANs can reach each other — by default, VLANs cannot reach each other without an explicit policy.
Test after this step: LAN clients should now be able to ping 8.8.8.8 and browse the web. Verify: diagnose sniffer packet port1 "host 8.8.8.8" 4 from the FortiGate CLI to see if traffic is flowing through the WAN interface. Also check the policy hit count in Policy & Objects › Firewall Policy — the counter should increment when clients browse.
|
Step 9 of 13 Security Profiles — IPS, Antivirus, Web Filter & Application Control |
|
The firewall policy from Step 8 permits traffic but doesn’t inspect it. Security profiles attach inspection capabilities to policies. FortiOS ships with default profiles that are a reasonable starting point. You’ll attach these profiles to the LAN-to-WAN policy.
9a. IPS Profile
Use the built-in default IPS profile for initial deployment. It blocks high-severity signatures and monitors medium. Start in this mode, check logs for false positives, then tune specific signatures. GUI Path: Security Profiles › Intrusion Prevention
# The "default" IPS sensor is pre-configured — just attach it to the policy
# To view it:
show ips sensor default
9b. Antivirus Profile
The default AV profile scans HTTP, HTTPS (with SSL inspection), FTP, and email protocols for malware. Start with flow-based inspection for performance. Switch to proxy-based only if you need deeper file buffering. GUI Path: Security Profiles › AntiVirus
9c. Web Filter Profile
Create or modify a web filter profile that blocks high-risk categories. GUI Path: Security Profiles › Web Filter
config webfilter profile edit "corporate-webfilter" set comment "Block malware and adult content, monitor social" config ftgd-wf unset exempt-quota config filters edit 1 set category 26 # Malware set action block next edit 2 set category 61 # Phishing set action block next edit 3 set category 4 # Adult/Explicit set action block next edit 4 set category 7 # Gambling set action block next edit 5 set category 55 # Hacking set action block next end end set https-replacemsg enable next end
9d. Application Control Profile
GUI Path: Security Profiles › Application Control
config application list edit "corporate-appcontrol" set comment "Block P2P and high-risk apps" config entries edit 1 set category 21 # P2P set action block next edit 2 set category 6 # Proxy — anonymizers set action block next edit 3 set category 25 # Remote Access (monitor) set action monitor next end next end
9e. Attach All Profiles to the Firewall Policy
GUI Path: Policy & Objects › Firewall Policy › Edit policy 1 › Security Profiles section
config firewall policy edit 1 set ips-sensor "default" set av-profile "default" set webfilter-profile "corporate-webfilter" set application-list "corporate-appcontrol" set ssl-ssh-profile "certificate-inspection" # updated in Step 10 set utm-status enable set logtraffic utm next end
Performance note: Each security profile adds CPU processing overhead. On small models (40F, 60F), enable all profiles but monitor CPU and memory under load. If CPU consistently hits 80%+ with full traffic, consider disabling proxy-based AV scanning and use flow-based instead, or move to a larger model. Use get system performance status to monitor.
|
Step 10 of 13 SSL/TLS Inspection |
|
Most web traffic is HTTPS. Without SSL inspection, IPS, AV, web filter, and app control work with limited visibility inside encrypted connections. Two modes: Certificate Inspection (lighter — reads the SNI and certificate for categorization without decrypting content) and Full SSL Inspection (deep packet inspection — decrypts, inspects, re-encrypts; requires distributing the FortiGate’s CA certificate to clients).
Option A — Certificate Inspection (Recommended Starting Point)
No client configuration needed. FortiGate reads the TLS handshake (SNI, certificate CN) for categorization but doesn’t decrypt content. Use the built-in certificate-inspection profile. This is what you set in Step 9e above.
Option B — Full SSL Deep Inspection (Maximum Visibility)
The FortiGate decrypts HTTPS, inspects content, and re-encrypts. Clients must trust the FortiGate CA certificate or they’ll see browser warnings. GUI Path: Security Profiles › SSL/SSH Inspection
config firewall ssl-ssh-profile edit "deep-inspection-corporate" set comment "Full SSL inspection for corporate users" set ssl-exemptions-log enable config https set status deep-inspection set ports 443 end config ssl-exempt edit 1 set type wildcard-fqdn set wildcard-fqdn "*.google.com" # exempt banking/SSO domains next edit 2 set type wildcard-fqdn set wildcard-fqdn "*.microsoft.com" next end next end
Distribute the FortiGate CA Certificate to Clients (Full Inspection Only)
GUI Path: System › Certificates › Local › Fortinet_CA_SSL › Download
# On a Windows domain controller, deploy via Group Policy:
Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities > Import # Then update the policy in Step 9e to use deep inspection profile: config firewall policy edit 1 set ssl-ssh-profile "deep-inspection-corporate" next end
|
Step 11 of 13 DNS Filter |
|
DNS filtering intercepts DNS queries and blocks malicious domains before any TCP connection is established. It’s lightweight, works without SSL inspection, and is particularly effective against malware C2 (command-and-control) domains. Configure the FortiGate as the DNS proxy for LAN clients (which the DHCP server already points to 192.168.10.1 as DNS).
GUI Path: Security Profiles › DNS Filter › Create New
config dnsfilter profile edit "dns-security" set comment "Block malware/botnet/phishing at DNS layer" set block-botnet enable config ftgd-dns config filters edit 1 set category 26 # Malware set action block next edit 2 set category 61 # Phishing set action block next edit 3 set category 71 # Botnet C&C set action block next end end next end
Enable DNS proxy on the LAN interface and attach the DNS filter profile to the firewall policy:
# Enable DNS service on FortiGate (it acts as DNS proxy for LAN clients) config system dns-database # empty is fine — FortiGate forwards external queries to system DNS servers end # Attach DNS filter to firewall policy config firewall policy edit 1 set dnsfilter-profile "dns-security" next end # Enable FortiGate DNS proxy on LAN interface config system interface edit "internal" set allowaccess ping https ssh dns # add dns to allowaccess next end
|
Step 12 of 13 Admin Account Hardening & SSH |
|
A firewall with weak admin credentials or open management access defeats everything else you’ve configured. Harden the admin account, restrict which interfaces allow management access, set session timeouts, and create a dedicated read-only monitoring account.
# Set admin account security settings
config system global set admintimeout 30 # auto-logout after 30 minutes idle set admin-ssh-port 22 # consider changing to non-standard port set admin-https-redirect enable # redirect HTTP to HTTPS set admin-server-cert "self-sign" # use your signed cert if available end
# Create a trusted host list for the admin account (only allow management from these IPs)
config system admin edit "admin" set password "YourStrongPassword123!" set trusthost1 192.168.10.10 255.255.255.255 # admin workstation IP set trusthost2 192.168.10.0 255.255.255.0 # or the whole management subnet next end
# Create a read-only monitoring account
config system admin edit "monitor" set password "MonitorPassword456!" set accprofile "prof_admin" # use read-only profile or create one set vdom "root" set trusthost1 192.168.10.0 255.255.255.0 next end
# Disable management access on the WAN interface (should already be off, confirm)
config system interface edit "port1" set allowaccess ping # ONLY ping on WAN — no https, ssh, snmp next end
SSH Key-Based Authentication
For better SSH security, disable password authentication and use SSH public key pairs. Generate a key pair on your workstation, then import the public key to the FortiGate admin account.
# On your workstation (Linux/macOS):
ssh-keygen -t ed25519 -C "admin@fortigate" # Copy the content of ~/.ssh/id_ed25519.pub
# On FortiGate — import the public key to admin account:
config system admin edit "admin" set ssh-public-key1 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5... admin@workstation" next end
Run the Security Fabric Security Rating
GUI Path: Security Fabric › Security Rating. This runs an automated audit of your configuration against security best practices and scores it. Any findings in the Critical or High categories should be addressed before production deployment. The rating also flags expired licenses, weak passwords, and common misconfigurations.
|
Step 13 of 13 Verification & Testing |
|
Work through this checklist to confirm all configuration components are functioning correctly before handing the device over to production use.
| Test | Command / Action | Expected Result |
| WAN interface has IP | get system interface port1 | IP address shown, status up |
| Default route present | get router info routing-table all | S* 0.0.0.0/0 via port1 |
| FortiGate can ping internet | execute ping 8.8.8.8 | 5/5 packets received |
| FortiGate resolves DNS | execute nslookup google.com | Returns IP addresses |
| LAN client gets DHCP | Connect PC to LAN port | IP in 192.168.10.100-200 range |
| LAN client reaches internet | Browse to http://www.google.com | Page loads successfully |
| NAT is working | diagnose ip nat status | Active NAT sessions visible |
| Web filter blocks malware | Browse to testmyids.com or a blocked category | FortiGate block page shown |
| FortiGuard licenses active | diagnose autoupdate versions | All services: contract=valid |
| NTP synchronized | diagnose sys ntp status | synchronized: yes, stratum ≤ 3 |
Essential Diagnostic Commands
# Live packet capture on WAN interface (Ctrl+C to stop) diagnose sniffer packet port1 "host 8.8.8.8" 4 # Check active firewall sessions diagnose sys session list | grep 8.8.8.8 # View policy hit counters diagnose firewall policy 0 list # Check IPS engine status diagnose ips status | head # Check CPU and memory usage get system performance status # View FortiGuard license status get system fortiguard-service # Real-time traffic dashboard (GUI only): # Dashboard > FortiView > Traffic # Monitor > Traffic > Interfaces (per-interface bandwidth graph)
Common Issues & Fixes
| Symptom | Likely Cause | Fix |
| LAN client has no internet but FortiGate can ping internet | Firewall policy missing or NAT disabled | Check Policy & Objects › Firewall Policy; verify NAT is enabled on the LAN-to-WAN policy |
| Client can ping 8.8.8.8 but DNS fails (can’t browse) | DNS port 53 blocked, or DHCP assigned wrong DNS server | Verify DHCP hands out 192.168.10.1 as DNS; check allowaccess on internal includes dns; verify UDP 53 is permitted in the policy service |
| Browser shows certificate warning on HTTPS sites | Full SSL inspection enabled but CA cert not distributed to clients | Either switch to certificate-inspection mode, or distribute Fortinet_CA_SSL certificate to all clients via Group Policy |
| FortiGuard license shows “unreachable” | WAN interface not up, or outbound to *.fortiguard.net blocked | Verify WAN is up and can reach the internet; check for egress ACLs blocking 443/8888 UDP to Fortinet servers |
| PPPoE session keeps dropping | LCP keepalives not responding, or ISP PPPoE timeout | Set set pppoe-unnumbered-negotiate enable or check ISP PPPoE keepalive settings; set interface disc-retry-count |
| High CPU on small FortiGate under load | Proxy-based AV or IPS processing all traffic in software | Switch AV to flow-based mode; reduce IPS signature count by creating a custom sensor for your environment; verify NP ASIC offloading is enabled (show firewall policy | grep np-acce) |
Frequently Asked Questions
Do I need a FortiGuard license for basic internet gateway functionality?
No. The firewall, NAT, routing, and DHCP work without any license. What requires an active license: IPS signature updates, AV database updates, web filter category lookups, application signature updates, FortiSandbox cloud, and DNS filter category lookups. Without licenses, these features use the last-downloaded signatures, which become stale over time. For production deployment, a UTP (Unified Threat Protection) or Enterprise bundle is strongly recommended.
How do I allow inbound access to an internal server (web server, mail server)?
Create a Virtual IP (VIP) object mapping the external IP/port to the internal server IP/port: Policy & Objects › Virtual IPs › Create New. Then create a firewall policy with the source interface as port1 (WAN), destination as the VIP object, and the required service. The VIP handles destination NAT (DNAT); the policy controls access. Example: map external port 443 to internal 192.168.10.50:443 for a web server.
What is the difference between flow-based and proxy-based inspection mode?
Flow-based (NGFW mode) inspects packets as they flow through without buffering entire files. Faster, lower latency, lower memory usage. Uses NP ASIC acceleration on supported models. Proxy-based buffers and reassembles entire files or sessions before inspecting. More thorough detection (catches split-content attacks) but adds latency and consumes more CPU/memory. For most deployments, flow-based is the right default. Use proxy-based only where compliance requires the deeper inspection and your hardware can support it.
How do I back up the configuration after completing setup?
GUI: Dashboard › System Information widget › Backup. Download as a .conf file. CLI: execute backup config tftp fortigate-config.conf 192.168.10.10 (requires TFTP server). Automate backups using FortiManager or a scheduled script using the FortiGate REST API. Keep backups encrypted — the config file contains password hashes and shared secrets. Store at least three backup generations off-device.
Can I manage multiple FortiGates from a single interface?
Yes. Cisco’s equivalent of vManage for Fortinet is FortiManager. It provides centralized policy management, configuration deployment, firmware upgrades, and compliance reporting across dozens to thousands of FortiGate devices. For smaller environments (up to 3 FortiGates), Fortinet Cloud Management (FortiCloud) provides basic centralized management free. For distributed SD-WAN deployments, FortiManager includes the SD-WAN Orchestrator for managing overlay VPN and SD-WAN policies at scale.
What’s the fastest way to verify what a specific traffic flow does on the FortiGate?
The Policy Lookup tool: Policy & Objects › Firewall Policy › Policy Lookup. Enter source IP, destination IP, port, and protocol to see which policy matches and what action it takes. In CLI: diagnose firewall iprope lookup <src-ip> <dst-ip> <dport> <proto> <src-intf>. For live traffic: diagnose debug flow traces packets through the entire processing pipeline.
How do I view blocked traffic logs?
GUI: Log & Report › Traffic Log › Forward Traffic. Filter by Action = “Deny” or “Block.” For UTM events (IPS blocks, web filter blocks): Log & Report › Security Events. For real-time monitoring: FortiView › Threats shows active detected threats. Send logs to FortiAnalyzer for long-term retention and correlation. The FortiGate’s internal disk logging has limited capacity — rely on FortiAnalyzer or syslog for production logging that meets retention requirements.
What You’ve Configured
| WAN + LAN | Interfaces configured for your ISP connectivity type (static, DHCP, PPPoE) and a LAN segment with DHCP server serving 192.168.10.0/24 |
| Routing + NAT | Default route via WAN, PAT overload translating all LAN traffic to the WAN IP for internet access |
| Firewall Policy | Outbound policy permitting LAN-to-internet traffic with full logging; implicit deny for all other directions |
| Security Profiles | IPS, Antivirus, Web Filter (blocks malware/phishing/adult), Application Control (blocks P2P/anonymizers), DNS Filter (blocks C2/botnet), SSL inspection |
| Hardening | Admin trusted host restriction, SSH key auth, NTP sync, management access limited to LAN only, Security Rating review |
