FortiGate Field Guide
A working FortiGate practice spends most of its time in four lanes: getting back into a box you’ve been locked out of, building configuration that survives a reboot, planning the SSL VPN exit Fortinet has now committed to, and running tunnel diagnostics from the CLI when the GUI gives you a green icon and nothing else. This page is the ordered path through those lanes — the posts here are written from production deployments on FortiOS 7.4 and 7.6, with specific commands and the failure modes that actually happen.
If you’re new to the site, this is a more useful starting point than the chronological post archive — it groups the FortiGate work by where you are in the lifecycle of the device, not when the post was published.
Recovery & access
The first thing that goes wrong on a FortiGate that’s been in production for two years is that nobody remembers the admin password. SSH stops being an option, the GUI bounces you, and you need physical access to the device. The recovery path on FortiOS 7.6 — console cable into the USB-C port, maintainer account login within a 60-second window, password reset from CLI — is short but unforgiving. Get the timing wrong and the maintainer account locks until the next reboot.
→ FortiGate Admin Password Reset on FortiOS 7.6 (60F Console Method) — full step-by-step including the case-sensitive bcpb<SERIAL_NUMBER> format and the five most common ways the recovery fails.
Configuration
Two configuration tasks come up on every FortiGate engagement: segmenting the box into VDOMs so guest, IoT, and corporate traffic don’t share a routing table, and building IPsec site-to-site tunnels to other vendors’ firewalls. Both are well-documented in the vendor PDFs, but the parts that actually decide whether the change goes well — interface allocation before you flip multi-VDOM mode, traffic-selector alignment between FortiGate Phase 2 and ASA crypto-map ACL — are the parts the docs gloss over.
→ How to Configure FortiGate VDOM (FortiOS 7.4): Complete Guide with Inter-VDOM Routing — full walkthrough of enabling multi-VDOM mode, creating a Guest VDOM for guest/IoT, the inter-VDOM link, and the routing and policy work on both sides. Includes the “Object is in use” error you’ll hit if you try to reassign an interface without cleaning up its references first.
→ FortiGate IPsec Site-to-Site VPN to Cisco ASA on FortiOS 7.4 — IKEv2 tunnel with AES-256/SHA-256 and DH group 14, both sides of the config, and the no SA proposal chosen / TS_UNACCEPTABLE failure modes that catch most builds in Phase 2.
Migration planning
Fortinet is removing SSL VPN. Not deprecating it — actively removing the binaries from specific model and firmware combinations, with the 7.4.x line and FortiOS 7.6.3 as the headline cutoffs. Behind the removal is a documented string of high-severity CVEs (FG-IR-22-398, FG-IR-23-097, FG-IR-24-015, and others) that made the SSL VPN portal Fortinet’s most-exploited surface. The replacement is IPsec dialup with IKEv2 for tunnel-mode users, or ZTNA for web-mode portals — and the licensing and endpoint implications for each path are different.
The migration itself is a configuration job. The hard part is the audit before the configuration: which model on what firmware, who’s actually connected (versus provisioned), what auth chain breaks silently when the protocol changes, what the upstream UDP filtering looks like from the networks your users actually connect from.
→ FortiGate SSL VPN Migration Checklist: What to Audit Before You Touch Anything (FortiOS 7.6) — five pre-migration audit buckets (license/firmware/model, endpoints, auth chain, network, change planning), the rollback decision thresholds you should write into the change ticket before the window opens, and the silent failures that show up the morning after cutover.
Troubleshooting
When a tunnel won’t come up or drops at random, the FortiGate GUI gives you a red icon and nothing actionable. The CLI flow is always the same: Phase 1 first (diagnose vpn ike gateway list), then Phase 2 (diagnose vpn tunnel list), then debug IKE only if you need to see the negotiation packet-by-packet — and always disable debug afterward.
→ How to verify an IPsec tunnel on FortiGate from the CLI (FortiOS 7.4.4) (original title: Cómo verificar un túnel IPsec en FortiGate por CLI) — written in Spanish — diagnostic flow for FortiGate ↔ Cisco ASA tunnels, ordered from quickest to most invasive: diagnose vpn ike gateway list → diagnose vpn tunnel list → IKE debug → ESP/IKE sniffer → routing-table check → iprope lookup for policy matching. Maps directly onto the configuration covered in the IPsec site-to-site post above.
Beyond this guide
The four posts above are the curated path. For the full set of FortiGate-tagged writing as it grows — including new posts as they’re published — the auto-generated archive lives at /posts/tag/fortigate/.