Fortinet Feature Requests

I really like the FortiGate firewalls. They are easy to manage and have lots of functionality. However, I am also aware of some other firewall products and therefore have some feature requests to Fortinet that are not currently implemented in their firewalls. I am sometimes forwarding these FRs to the Fortinet support or to an SE, but they are not really interested in that. ;( So here is a list of my ideas that could improve the firewall. Hopefully/maybe some of them will be implemented one day…

This is a living list. I’ll update it every time I discover something new.

  • [IPv6] One single policy rule set for both protocols (IPv4 and IPv6), not different policies. (Really a major design flaw!)
  • [MGMT] I want to be able to ping the wan interface from any without presenting the ssh/https login prompt to anyone, too. Currently, if I am allowing an administrator to come from ::0/0 (or, both ping and ssh/https (etc.) are reachable. Though the login can be limited, I don’t want that anybody knows that there is a FortiGate in place.
  • [MGMT] Configuration Revisions: It would be great to have a list of the last x full-configurations or configuration steps that were done on the firewall. Even better, a compare feature between two configurations, e.g., the one from yesterday compared to the one from last week.
  • [VPN] There is no way to find out the actual used Diffie-Hellman groups for either phase 1 of IKE or phase 2 (PFS) of IPsec. The only way to find out which proposal is chosen, the tunnel must be set “down” while capturing the IKE/IPsec packets on the CLI. There should be a “get …” command that shows not only the used symmetric ciphers and algorithms, but also the used DH groups.
  • [USER] The great two-factor authentication, e.g., via SMS, is only working for users with their phone number configured locally on the FortiGate. This feature is not available for users within LDAP groups, even though their numbers are present at the AD. That is, if the 2FA features must be used, every (!) user must be created locally on the FortiGate, too.
  • [DNS] The FortiGate can be used as a DNS proxy. It forwards DNS queries to its recursive DNS server. It would be great if it could also do iterative DNS queries with DNSSEC validation. This would increase some kind of security (authentication) for all users behind a FortiGate.
  • [GUI] IPv6 settings through the GUI, e.g., router advertisements, DHCPv6, OSPFv6. Currently, only the mere IPv6 address can be entered.
  • [GUI] Fields for more than one Syslog server.
  • [GUI] The Log Config -> Alert E-mail page is only visible if an SMTP server is specified under System -> Config -> Advanced. This is really confusing when searching after the alert email settings.
  • [GUI] The Security Log should be visible anytime, not only after security events. It is confusing that it is hidden by default.
  • [GUI] It is great to “select columns to display” within the policies. However, after each logout the columns are set to its default values. Why?
  • [GUI] Missing option within the user definition to “Enable Two-factor Authentication” for SMS. This must be done via the CLI. You can configure a SMS number but not enable it for two-factor authentication. Where is the sense?


One of my main problems with FortiGate is the GUI. There are so many features that are not accessible through the GUI. (Even though everything is enabled within System -> Config -> Features.) Some really good technical persons might be able to configure everything through the CLI, but I am selling firewalls to “normal” IT guys that also manage Windows AD, AV, APT, MDM, routers, mail, DNS, end users, etc. Everything that’s not included in the GUI is simply not present.

Fortinet, why aren’t you improving your GUI?

3 thoughts on “Fortinet Feature Requests

  1. Hello Johannes,

    We solves your feature request
    “I want to be able to ping the wan interface from any without allowing ssh access from any, too.”
    with this configuration:
    – access-profice “no-access” with NO permission
    – access-profile “admin” (default) with all permission
    – user “ping_only” with accessprofile “no-access” and no ip restriction
    – user “admin” with accessprofile “admin” with ip restriction
    – wan1 interface allowed SSH and ping

    CLI example:
    config system accprofile
    edit “no_access”
    set comments “to have a profile for ping and suspended admin-users”
    config system admin
    edit “ping_only”
    set accprofile “no_access”
    set password ENC ***I=do=not=want=to=publish=the=password=here***
    edit “admin”
    set trusthost1
    set ip6-trusthost1 2001:db8:cafe::/48
    set accprofile “super_admin”
    set password ENC ***I=do=not=want=to=publish=the=password=here***


    1. Hi Ulrich,

      thanks for your effort. Unluckily this is not exaclty what I need. I have updated my description above. That is: I want to be able to ping from any while not presenting the login page to any, too. With your example anyone can ping (good), but the login prompt is showing up, too, that is, anyone know that there is a FortiGate in place. I want that the ssh daemon is NOT listening on the wan1 interface at all…


      1. Hi Johannes,
        if you set only “PING” as allowed management protocol on external interface, this works as expected.
        And yes, an administrator from a know ip-range is not able to login with SSH or HTTPS now…


Leave a Reply

Your email address will not be published. Required fields are marked *