FortiMate.

Fill out the build details. Generate the config.

Appliance & naming

Set the FortiOS compatibility range, firewall model, hostname, and HTTPS management port.

Virtual-switch-vlan

On FortiGate models that include a built-in hardware switch (this tool treats sub‑100F desktop models that way), FortiOS exposes a global knob, set virtual-switch-vlan enable under config system global. When it applies, it allows VLAN interfaces to be layered on that hardware switch in the way FortiOS documents for those platforms, which is useful when you want per‑VLAN L3 interfaces while keeping ports in the integrated switch fabric.

This generator only emits that line when the option is checked, the selected model is modeled with a built-in switch, and the FortiOS target is 5.4 or newer. If you leave it off, the device keeps the factory default for that setting (often disabled). Turn it off if your runbook forbids it or you are standardizing on a different VLAN design (for example dedicated software switches only).

LAN & WAN

Define the LAN switch, member ports, WAN count, DHCP/static/PPPoE modes, and SD-WAN gateway details.

WiFi & guest networks

Add staff AP uplinks and a guest VLAN without hand-writing switch and interface objects.

Separate WiFi interface

When this box is checked, the template provisions a second software switch (default name “WiFi”) on physical member ports you choose, gives it its own IPv4 subnet, and—when DHCP generation is enabled—can build a DHCP scope on that switch. Staff APs or uplinks plug into those member ports instead of the main LAN switch, so WiFi traffic hits its own FortiOS interface object.

That separation lets you apply different policies, DHCP options, and SD‑WAN membership from those of the corporate LAN. The tool enforces that WiFi members cannot overlap LAN or WAN ports. Leave the box off if all internal access (including APs) should remain on the primary LAN switch only.

Management & security

Control local management, admin bootstrap, default-account handling, baseline hardening, DHCP, and DNS. NTP sync (FortiGuard) is always included in the generated config.

Baseline hardening

“Baseline hardening” is the master switch in this generator for a bundle of conservative management defaults. When it is on, the script emits the related config system global lines for admin Telnet (if “Disable admin Telnet” is checked), HTTPS and console idle timeouts, and TLS 1.2/1.3 restriction (when that sub‑option is checked and FortiOS is new enough).

Other checkboxes in this section—maintainer handling, GUI IPv6 off, LLDP off, and SNMP off—still have their own toggles, but in the generated CLI their matching blocks are only emitted when baseline hardening is enabled. If you turn baseline hardening off, those SNMP/LLDP snippets are skipped even if their boxes stay checked, so review both controls together.

Disable admin Telnet

FortiOS can expose a Telnet listener for remote CLI administration. Telnet is unencrypted, so credentials and configuration details traverse the network in plaintext if it is ever enabled.

This generator emits set admin-telnet disable under config system global when Apply baseline hardening is on and this box is checked. If baseline hardening is off, the Telnet line is not written even if this remains checked.

TLS 1.2 and 1.3 only

This maps to set admin-https-ssl-versions tlsv1-2 tlsv1-3 in config system global, which stops the device from negotiating legacy SSL/TLS versions for the HTTPS management interface.

The line is emitted only when Apply baseline hardening is enabled, this checkbox is on, and the selected FortiOS target is 6.4 or newer (the generator does not write this attribute for older trains). Pair this with updated management clients; very old browsers or scripts that insist on TLS 1.0/1.1 will fail to load the GUI.

Disable SNMP

Simple Network Management Protocol lets operators poll the FortiGate for metrics, interface tables, and system information. Disabling it shrinks the attack surface on management LANs where no SNMP collector is used.

This generator writes config system snmp sysinfo with set status disable when both Apply baseline hardening and this checkbox are enabled. If baseline hardening is turned off, no SNMP block is written at all, regardless of this box, so the device keeps whatever SNMP agent state it already has.

Disable GUI IPv6

When combined with Apply baseline hardening, this adds config system settings with set gui-ipv6 disable, which hides IPv6-oriented controls in the FortiGate GUI to reduce accidental dual-stack policy mistakes on networks that are IPv4-only operationally.

On FortiOS 6.0 and later in this template, the same stanza also sets set inspection-mode flow where applicable. FortiOS 6.2 moved inspection mode from the VDOM (config system settings) to individual firewall policies, so if that line is rejected on your target release, drop it from this stanza and rely on the per-policy setting. This option is not a substitute for a full IPv6 rollout plan; it only affects the management experience and the related global settings emitted here. If baseline hardening is off, this block is skipped.

Disable LLDP

Link Layer Discovery Protocol advertises identity, port description, and management capabilities to directly connected neighbors. That is convenient for automated documentation, but it also leaks hostname, firmware and topology details to anything on the wire that listens for LLDP frames.

When enabled together with Apply baseline hardening, this option adds config system lldp with set status disable for FortiOS 5.4 and newer. If baseline hardening is off, no LLDP block is written even if this stays checked. FortiOS also controls LLDP through set lldp-transmission under config system global and per interface under config system interface; if the generated block is rejected on your release, use those knobs instead.
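The gating rule that the Baseline hardening, Disable admin Telnet, TLS 1.2 and 1.3 only, Disable SNMP, Disable GUI IPv6 and Disable LLDP sections all describe is easy to get wrong during review, so here is an added example (not FortiMate's own code) that models it: the sub-option blocks are written only while the master switch is on, and the TLS and LLDP lines are additionally version-gated. The option names, the 10-minute idle timeout and the use of the global lldp-transmission knob are this example's assumptions, not the generator's.

```python
"""Gating logic for the 'Baseline hardening' bundle (added example, not FortiMate's code)."""
from dataclasses import dataclass


@dataclass
class HardeningOptions:
    baseline: bool = False          # "Apply baseline hardening" (master switch)
    disable_telnet: bool = True     # "Disable admin Telnet"
    tls12_13_only: bool = True      # "TLS 1.2 and 1.3 only"
    disable_snmp: bool = False      # "Disable SNMP"
    disable_gui_ipv6: bool = False  # "Disable GUI IPv6"
    disable_lldp: bool = False      # "Disable LLDP"
    admin_timeout_min: int = 10     # assumed idle timeout in minutes (FortiOS admintimeout)


def version_at_least(fortios: str, minimum: str) -> bool:
    """Compare dotted FortiOS trains numerically, so '7.0' >= '6.4' and '6.2' < '6.4'."""
    def parse(v: str) -> tuple:
        return tuple(int(p) for p in v.split("."))
    return parse(fortios) >= parse(minimum)


def render_hardening(opts: HardeningOptions, fortios: str) -> list:
    """Return the CLI blocks the bundle would emit, one string per block."""
    if not opts.baseline:
        # Master switch off: nothing from this bundle is written, whatever the sub-boxes say.
        return []

    glob = ["config system global", f"    set admintimeout {opts.admin_timeout_min}"]
    if opts.disable_telnet:
        glob.append("    set admin-telnet disable")
    if opts.tls12_13_only and version_at_least(fortios, "6.4"):
        glob.append("    set admin-https-ssl-versions tlsv1-2 tlsv1-3")
    if opts.disable_lldp and version_at_least(fortios, "5.4"):
        # Assumption: this example uses the config system global lldp-transmission knob;
        # the generator described above writes a separate LLDP block instead.
        glob.append("    set lldp-transmission disable")
    glob.append("end")

    blocks = ["\n".join(glob)]
    if opts.disable_snmp:
        blocks.append("config system snmp sysinfo\n    set status disable\nend")
    if opts.disable_gui_ipv6:
        blocks.append("config system settings\n    set gui-ipv6 disable\nend")
    return blocks


def emitted_lines(opts: HardeningOptions, fortios: str) -> set:
    """Flatten the blocks into the set of 'set ...' lines, for review and tests."""
    return {
        line.strip()
        for block in render_hardening(opts, fortios)
        for line in block.splitlines()
        if line.strip().startswith("set ")
    }


if __name__ == "__main__":
    # The pitfall from the text: SNMP box checked, master switch off, nothing emitted.
    print(render_hardening(HardeningOptions(baseline=False, disable_snmp=True), "7.0"))
    for block in render_hardening(HardeningOptions(baseline=True, disable_snmp=True), "6.2"):
        print(block)
```

Running it with baseline=False and disable_snmp=True returns an empty list, which is the case the text warns about; with baseline=True on a 6.2 target you get the global block and the SNMP block but no TLS line, because the TLS attribute is gated on 6.4.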

Generate DHCP servers

When enabled, the script builds one config system dhcp server entry per active internal interface that has a usable IPv4 scope: the LAN switch, the optional WiFi switch (if configured), and the optional guest VLAN interface (if configured).

Each server uses the interface's address as the default gateway, derives the subnet mask from your CIDR, allocates a single contiguous ip-range between the network and broadcast addresses (skipping the gateway when it would collide), sets dns-service default, and omits DHCP entirely for /31 and /32 interfaces, where no client address remains once the gateway is taken. Turn this off if you will point clients to an external DHCP appliance or want to author DHCP by hand.
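The scope derivation above is worth seeing on concrete addresses, including the gateway-at-the-edge and /31 cases. The following is an added example, not FortiMate's own code: it applies the stated rules (gateway = interface address, mask from the CIDR, one contiguous ip-range inside the subnet that avoids the gateway, no server for /31 or /32) and renders the resulting config system dhcp server entry. Interface names and addresses are constructed inputs; when the gateway sits in the middle of the subnet this example keeps the larger free side, an assumption the generator may handle differently.

```python
"""DHCP scope derivation for 'Generate DHCP servers' (added example, not FortiMate's code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class DhcpScope:
    gateway: str
    netmask: str
    start_ip: str
    end_ip: str

    def render(self, server_id: int, interface: str) -> str:
        """FortiOS CLI for one DHCP server entry bound to `interface`."""
        return "\n".join([
            "config system dhcp server",
            f"    edit {server_id}",
            "        set dns-service default",
            f"        set default-gateway {self.gateway}",
            f"        set netmask {self.netmask}",
            f'        set interface "{interface}"',
            "        config ip-range",
            "            edit 1",
            f"                set start-ip {self.start_ip}",
            f"                set end-ip {self.end_ip}",
            "            next",
            "        end",
            "    next",
            "end",
        ])


def dhcp_scope(cidr: str) -> Optional[DhcpScope]:
    """Derive a scope from an interface address in CIDR form, e.g. '192.168.1.1/24'.

    Returns None when no client range can be formed: /31 and /32 leave no
    address other than the gateway itself.
    """
    iface = ipaddress.ip_interface(cidr)
    if iface.version != 4 or iface.network.prefixlen >= 31:
        return None
    net, gw = iface.network, iface.ip
    first, last = net.network_address + 1, net.broadcast_address - 1
    # Contiguous ranges on either side of the gateway; keep the larger one (assumption).
    candidates = []
    if gw > first:
        candidates.append((first, min(last, gw - 1)))
    if gw < last:
        candidates.append((max(first, gw + 1), last))
    candidates = [(a, b) for a, b in candidates if a <= b]
    if not candidates:
        return None
    start, end = max(candidates, key=lambda r: int(r[1]) - int(r[0]))
    return DhcpScope(str(gw), str(net.netmask), str(start), str(end))


def dhcp_section(interfaces: dict) -> str:
    """Build entries for every interface that yields a scope; the rest are skipped."""
    out, server_id = [], 1
    for name, cidr in interfaces.items():
        scope = dhcp_scope(cidr)
        if scope is None:
            continue
        out.append(scope.render(server_id, name))
        server_id += 1
    return "\n".join(out)


if __name__ == "__main__":
    # Constructed inputs: LAN, WiFi switch, guest VLAN, and a /31 transit that gets no server.
    print(dhcp_section({"lan": "192.168.1.1/24", "WiFi": "192.168.20.254/24",
                        "guest": "172.16.0.1/30", "transit": "10.0.0.1/31"}))
```

For 192.168.1.1/24 the range is 192.168.1.2 to 192.168.1.254; for 192.168.20.254/24 it shifts to 192.168.20.1 to 192.168.20.253 so the gateway is never handed out; a /30 yields a single-address range; the /31 produces no entry at all, which is what you should expect to see missing from the output.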

Configure system DNS

This writes config system dns with the primary and secondary resolvers taken from the Day-one internet fields (defaults 8.8.8.8 / 8.8.4.4 unless you change them). The FortiGate itself uses these servers for features that rely on system DNS resolution.

The same DNS stanza is also emitted when Minimal LAN to SD-WAN policy with NAT and DNS is checked—even if this box is off—because that workflow expects working resolver settings for health checks and client traffic. If both are off, no system DNS block is generated.

Day-one internet

Optionally generate the minimal LAN, WiFi, and guest policies needed for outbound SD-WAN access.

Minimal LAN to SD-WAN policy (NAT)

When enabled, this generator appends a compact config firewall policy section that allows traffic from your LAN switch (and the optional WiFi / guest interfaces, if configured) toward the SD-WAN zone used in this template. Each rule accepts all addresses and services, enables set nat enable so sessions can egress via SD-WAN, enables flow inspection mode on FortiOS 6+, and logs all traffic for visibility. Note that per-policy inspection mode was introduced in FortiOS 6.2 (6.0 set it at VDOM level), so on a 6.0 target confirm that the emitted policy lines load before relying on them.

If a guest VLAN is configured, a higher-priority deny rule is inserted first so guests cannot reach the corporate LAN subnet object. Because outbound access depends on working DNS for health probes and clients, turning this on also forces a config system dns block using the primary/secondary fields in the Day-one section—even if “Configure system DNS” is unchecked. Review policy order and object names before merging into an existing policy package.
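Two behaviours in this section and in Configure system DNS above are easy to miss in review: the guest deny rule must precede the allow rules, and the DNS block is forced whenever the minimal policy is on. This added example (not FortiMate's own code) renders both so the ordering and the forcing can be checked. The interface names, the SD-WAN zone name "virtual-wan-link", the address object "LAN_subnet", the policy names and the 6.2 gate for the per-policy inspection-mode line are this example's assumptions, not the generator's.

```python
"""Day-one policy and DNS emission (added example, not FortiMate's code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class DayOneOptions:
    minimal_policy: bool = False            # "Minimal LAN to SD-WAN policy (NAT)"
    configure_dns: bool = False             # "Configure system DNS"
    primary_dns: str = "8.8.8.8"
    secondary_dns: str = "8.8.4.4"
    lan: str = "lan"
    wifi: Optional[str] = None              # separate WiFi switch, if configured
    guest: Optional[str] = None             # guest VLAN interface, if configured
    sdwan_zone: str = "virtual-wan-link"    # assumed SD-WAN zone name
    lan_subnet_obj: str = "LAN_subnet"      # assumed address object for the corporate LAN


def version_at_least(fortios: str, minimum: str) -> bool:
    def parse(v: str) -> tuple:
        return tuple(int(p) for p in v.split("."))
    return parse(fortios) >= parse(minimum)


def policy_entry(pid, name, srcintf, dstintf, dstaddr, action, *, nat=False, flow=False):
    """Lines for one firewall policy entry; srcaddr is always 'all' in this template."""
    lines = [f"    edit {pid}", f'        set name "{name}"', f'        set srcintf "{srcintf}"',
             f'        set dstintf "{dstintf}"', '        set srcaddr "all"',
             f'        set dstaddr "{dstaddr}"', f"        set action {action}",
             '        set schedule "always"', '        set service "ALL"',
             "        set logtraffic all"]
    if flow:
        lines.append("        set inspection-mode flow")
    if nat:
        lines.append("        set nat enable")
    lines.append("    next")
    return lines


def render_day_one(opts: DayOneOptions, fortios: str) -> list:
    """Return the policy block (if any) followed by the DNS block (if any)."""
    blocks = []
    if opts.minimal_policy:
        # Assumption: per-policy inspection mode exists from 6.2; the page gates it on 6+.
        flow = version_at_least(fortios, "6.2")
        pol, pid = ["config firewall policy"], 1
        if opts.guest:
            # Deny first: CLI edit order is table order, so this lands above the allow rules.
            pol += policy_entry(pid, "guest-deny-lan", opts.guest, opts.lan,
                                opts.lan_subnet_obj, "deny")
            pid += 1
        for src in (opts.lan, opts.wifi, opts.guest):
            if src:
                pol += policy_entry(pid, f"{src}-to-sdwan", src, opts.sdwan_zone, "all",
                                    "accept", nat=True, flow=flow)
                pid += 1
        pol.append("end")
        blocks.append("\n".join(pol))
    if opts.configure_dns or opts.minimal_policy:
        # Forced DNS: the minimal policy needs resolvers even when the DNS box is off.
        blocks.append(f"config system dns\n    set primary {opts.primary_dns}\n"
                      f"    set secondary {opts.secondary_dns}\nend")
    return blocks


def policy_names(opts: DayOneOptions, fortios: str) -> list:
    """Policy names in emitted (table) order, for review and tests."""
    for block in render_day_one(opts, fortios):
        if block.startswith("config firewall policy"):
            return [l.split('"')[1] for l in block.splitlines() if "set name" in l]
    return []


if __name__ == "__main__":
    for block in render_day_one(DayOneOptions(minimal_policy=True, guest="guest"), "7.0"):
        print(block)
```

When you paste a generated section into an existing policy package, remember that the CLI appends each edit entry to the bottom of the table; the deny rule is only ahead of the allow rules because it is written first, and it still sits below every rule you already had. Merge it at the right position (or use the GUI to move it) before treating the guest isolation as enforced.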