weave
module · Networking

Fortinet

Comprehensive Fortinet FortiGate control plane — firewall (policy, address, address-group, service, service-group, VIP, IP pool, traffic shaper, proxy policy), system (interface, zone, admin, DNS / NTP / settings / global), routing (static, policy, BGP, OSPF), VPN (IPsec phase-1, SSL-VPN portals), security profiles (antivirus, web filter, IPS, application control, DNS filter), users (local, group, LDAP, RADIUS, SAML), sessions, logs, live route table.

Namespace: weave fortinet Env: FORTIOS_HOSTNAME
54
Commands
32
State kinds
Networking
Category
1
API docs

Setup

Configure credentials via environment variables. We recommend sourcing them through 1Password or your secrets manager rather than committing them to the shell rc.

Official API reference

weave commands for this module are checked against the vendor's published API.

Variable Description Status
FORTIOS_HOSTNAMERequired for authentication.required
FORTIOS_ACCESS_TOKENRequired for authentication.required
FORTINET_VDOMDefault virtual domain (overridable per command with --vdom). Defaults to 'root'.optional
WEAVE_INSECURE_TLSSet to 1 to skip TLS verification on FortiGates with self-signed certs.optional

Sanity-check the wiring:

weave secrets check
weave fortinet --help
weave doctor   # reports FORTIOS_HOSTNAME status

Capabilities

What this module can do, by entity and verb. means a working CLI surface; · means not (yet) wired.

Entity findlistshowdosnapshotdiffapply
address·····
address-group··
addresses····
admin···
antivirus-profile··
application-list···
auth-rule······
bgp····
bgp-config······
config······
dns-settings···
dnsfilter-profile···
global-settings···
interface··
interface-stats·······
ip-pool···
ips-sensor···
ipsec-tunnel···
ldap-server···
local-user··
log······
ntp-settings···
ospf····
ospf-config······
policies····
policy···
policy-route···
proxy-policies····
proxy-policy······
radius-server···
route······
saml-provider···
service··
service-group···
session······
ssl-vpn-portal···
ssl-vpn-settings······
static-route···
system······
system-settings···
traffic-shaper···
user·····
user-group···
vip··
webfilter-profile···
zone···

Commands

Every registered CLI command, grouped by verb. Each example uses placeholder arguments — substitute real values for your environment.

find (8)

find address

read

Find an address object by name.

weave fortinet find address <name>

find address-group

read

Find an address group by name.

weave fortinet find address-group <name>

find antivirus-profile

read

Find an antivirus profile by name.

weave fortinet find antivirus-profile <name>

find interface

read

Find a system interface by name.

weave fortinet find interface <name>

find local-user

read

Find a local firewall user by name.

weave fortinet find local-user <name>

find policy

read

Find a firewall policy by id or name.

weave fortinet find policy <identifier>

find service

read

Find a custom service by name.

weave fortinet find service <name>

find vip

read

Find a virtual IP (NAT) by name.

weave fortinet find vip <name>

list (31)

list address-groups

read

List address groups.

weave fortinet list address-groups <arg>

list addresses

read

List address objects.

weave fortinet list addresses <arg>

list admins

read

List system administrators.

weave fortinet list admins <arg>

list antivirus-profiles

read

List antivirus security profiles.

weave fortinet list antivirus-profiles <arg>

list application-lists

read

List application control lists.

weave fortinet list application-lists <arg>

list auth-rules

read

List firewall authentication rules.

weave fortinet list auth-rules <arg>

list dnsfilter-profiles

read

List DNS filter profiles.

weave fortinet list dnsfilter-profiles <arg>

list interfaces

read

List system interfaces.

weave fortinet list interfaces <arg>

list ip-pools

read

List IP pools (SNAT).

weave fortinet list ip-pools <arg>

list ips-sensors

read

List IPS sensors.

weave fortinet list ips-sensors <arg>

list ipsec-tunnels

read

List IPsec phase-1 tunnels.

weave fortinet list ipsec-tunnels <arg>

list ldap-servers

read

List LDAP servers (bind passwords excluded from output).

weave fortinet list ldap-servers <arg>

list local-users

read

List local users in the user database.

weave fortinet list local-users <arg>

list logs

read

Pull recent log entries from the FortiGate logdisk.

weave fortinet list logs <arg>

list policies

read

List firewall policies.

weave fortinet list policies <arg>

list policy-routes

read

List policy routes.

weave fortinet list policy-routes <arg>

list proxy-policies

read

List explicit proxy policies.

weave fortinet list proxy-policies <arg>

list radius-servers

read

List RADIUS servers (secrets excluded).

weave fortinet list radius-servers <arg>

list routes

read

List the active IPv4 route table (live state).

weave fortinet list routes <arg>

list saml-providers

read

List SAML identity providers.

weave fortinet list saml-providers <arg>

list service-groups

read

List service groups.

weave fortinet list service-groups <arg>

list services

read

List custom firewall services.

weave fortinet list services <arg>

list sessions

read

List active sessions (firewall session table).

weave fortinet list sessions <arg>

list ssl-vpn-portals

read

List SSL-VPN web portals.

weave fortinet list ssl-vpn-portals <arg>

list static-routes

read

List static routes (cmdb).

weave fortinet list static-routes <arg>

list traffic-shapers

read

List traffic shapers.

weave fortinet list traffic-shapers <arg>

list user-groups

read

List user groups.

weave fortinet list user-groups <arg>

list users

read

List authenticated firewall users (live state).

weave fortinet list users <arg>

list vips

read

List virtual IPs (NAT entries).

weave fortinet list vips <arg>

list webfilter-profiles

read

List webfilter security profiles.

weave fortinet list webfilter-profiles <arg>

list zones

read

List system zones.

weave fortinet list zones <arg>

show (8)

show bgp-config

read

Show BGP routing config.

weave fortinet show bgp-config <arg>

show dns-settings

read

Show system DNS configuration.

weave fortinet show dns-settings <arg>

show global-settings

read

Show global system settings.

weave fortinet show global-settings <arg>

show ntp-settings

read

Show system NTP configuration.

weave fortinet show ntp-settings <arg>

show ospf-config

read

Show OSPF routing config.

weave fortinet show ospf-config <arg>

show policy

read

Show full detail for one firewall policy.

weave fortinet show policy <policy-id>

show ssl-vpn-settings

read

Show SSL-VPN server settings.

weave fortinet show ssl-vpn-settings <arg>

show system-settings

read

Show per-VDOM system settings.

weave fortinet show system-settings <arg>

do (6)

do backup-config

write

Download a full FortiGate config backup.

weave fortinet do backup-config <output>

do disable-policy

write

Disable a firewall policy by id.

weave fortinet do disable-policy <policy-id>

do enable-policy

write

Enable a firewall policy by id.

weave fortinet do enable-policy <policy-id>

do flush-sessions

write

Flush sessions matching a policy id.

weave fortinet do flush-sessions <arg>

do kick-user

write

Kick an authenticated firewall user by username.

weave fortinet do kick-user <username>

do reboot

write

Reboot the FortiGate (graceful).

weave fortinet do reboot <arg>

watch (1)

watch interface-stats

write

Poll one interface's RX/TX counters.

weave fortinet watch interface-stats <arg>
snapshot / diff / apply are generated automatically from the State Kinds declared on this module — see the State kinds section below for per-kind details. Workflow: snapshot → edit YAML → diffapply --yes (or confirm interactively; apply --dry-run previews the same diff).

State kinds

Resources this module can snapshot and diff; apply where the kind supports live writes (see Round-trip per kind). Always run diff before apply; use --yes in automation after review. Files live under .weave-state/fortinet/.

policies

snapshot diff apply

IPv4 firewall policies (full apply).

Scope
Round-trip
Full round-trip — snapshot, diff, apply.

State file skeleton

module: fortinet
kind: policies
items:
  - # <fields specific to this kind — see snapshot output>

addresses

snapshot diff apply

Address objects (full apply).

Scope
Round-trip
Full round-trip — snapshot, diff, apply.

State file skeleton

module: fortinet
kind: addresses
items:
  - # <fields specific to this kind — see snapshot output>

address-groups

snapshot diff apply

Address groups (full apply).

Scope
Round-trip
Full round-trip — snapshot, diff, apply.

State file skeleton

module: fortinet
kind: address-groups
items:
  - # <fields specific to this kind — see snapshot output>

services

snapshot diff apply

Custom firewall services (full apply).

Scope
Round-trip
Full round-trip — snapshot, diff, apply.

State file skeleton

module: fortinet
kind: services
items:
  - # <fields specific to this kind — see snapshot output>

service-groups

snapshot diff apply

Service groups (full apply).

Scope
Round-trip
Full round-trip — snapshot, diff, apply.

State file skeleton

module: fortinet
kind: service-groups
items:
  - # <fields specific to this kind — see snapshot output>

vips

snapshot diff apply

Virtual IPs (NAT entries) — full apply.

Scope
Round-trip
Full round-trip — snapshot, diff, apply.

State file skeleton

module: fortinet
kind: vips
items:
  - # <fields specific to this kind — see snapshot output>

ip-pools

snapshot diff apply

SNAT IP pools (full apply).

Scope
Round-trip
Full round-trip — snapshot, diff, apply.

State file skeleton

module: fortinet
kind: ip-pools
items:
  - # <fields specific to this kind — see snapshot output>

traffic-shapers

snapshot diff apply

Traffic shapers (full apply).

Scope
Round-trip
Full round-trip — snapshot, diff, apply.

State file skeleton

module: fortinet
kind: traffic-shapers
items:
  - # <fields specific to this kind — see snapshot output>

proxy-policies

snapshot diff apply

Explicit-proxy policies (full apply).

Scope
Round-trip
Full round-trip — snapshot, diff, apply.

State file skeleton

module: fortinet
kind: proxy-policies
items:
  - # <fields specific to this kind — see snapshot output>

interfaces

snapshot diff apply

System interfaces (per-interface apply; create/delete disabled — hardware-bound).

Scope
Round-trip
Full round-trip — snapshot, diff, apply.

State file skeleton

module: fortinet
kind: interfaces
items:
  - # <fields specific to this kind — see snapshot output>

zones

snapshot diff apply

System zones (full apply).

Scope
Round-trip
Full round-trip — snapshot, diff, apply.

State file skeleton

module: fortinet
kind: zones
items:
  - # <fields specific to this kind — see snapshot output>

admins

snapshot diff apply

System administrators (full apply; passwords stripped).

Scope
Round-trip
Full round-trip — snapshot, diff, apply.

State file skeleton

module: fortinet
kind: admins
items:
  - # <fields specific to this kind — see snapshot output>

dns-settings

snapshot diff apply

System DNS singleton.

Scope
Round-trip
Full round-trip — snapshot, diff, apply.

State file skeleton

module: fortinet
kind: dns-settings
items:
  - # <fields specific to this kind — see snapshot output>

ntp-settings

snapshot diff apply

System NTP singleton.

Scope
Round-trip
Full round-trip — snapshot, diff, apply.

State file skeleton

module: fortinet
kind: ntp-settings
items:
  - # <fields specific to this kind — see snapshot output>

system-settings

snapshot diff apply

Per-VDOM system settings singleton.

Scope
Round-trip
Full round-trip — snapshot, diff, apply.

State file skeleton

module: fortinet
kind: system-settings
items:
  - # <fields specific to this kind — see snapshot output>

global-settings

snapshot diff apply

Global system settings (snapshot + diff only — apply intentionally disabled).

Scope
Round-trip
Full round-trip — snapshot, diff, apply.

State file skeleton

module: fortinet
kind: global-settings
items:
  - # <fields specific to this kind — see snapshot output>

ssl-vpn-portals

snapshot diff apply

SSL-VPN web portals (full apply).

Scope
Round-trip
Full round-trip — snapshot, diff, apply.

State file skeleton

module: fortinet
kind: ssl-vpn-portals
items:
  - # <fields specific to this kind — see snapshot output>

ipsec-tunnels

snapshot diff apply

IPsec phase-1 tunnels (full apply; PSKs stripped).

Scope
Round-trip
Full round-trip — snapshot, diff, apply.

State file skeleton

module: fortinet
kind: ipsec-tunnels
items:
  - # <fields specific to this kind — see snapshot output>

static-routes

snapshot diff apply

Static routes (full apply).

Scope
Round-trip
Full round-trip — snapshot, diff, apply.

State file skeleton

module: fortinet
kind: static-routes
items:
  - # <fields specific to this kind — see snapshot output>

policy-routes

snapshot diff apply

Policy routes (full apply).

Scope
Round-trip
Full round-trip — snapshot, diff, apply.

State file skeleton

module: fortinet
kind: policy-routes
items:
  - # <fields specific to this kind — see snapshot output>

bgp

snapshot diff apply

BGP routing config (snapshot + diff only — apply too complex for a generic helper).

Scope
Round-trip
Full round-trip — snapshot, diff, apply.

State file skeleton

module: fortinet
kind: bgp
items:
  - # <fields specific to this kind — see snapshot output>

ospf

snapshot diff apply

OSPF routing config (snapshot + diff only).

Scope
Round-trip
Full round-trip — snapshot, diff, apply.

State file skeleton

module: fortinet
kind: ospf
items:
  - # <fields specific to this kind — see snapshot output>

antivirus-profiles

snapshot diff apply

Antivirus profiles (full apply).

Scope
Round-trip
Full round-trip — snapshot, diff, apply.

State file skeleton

module: fortinet
kind: antivirus-profiles
items:
  - # <fields specific to this kind — see snapshot output>

webfilter-profiles

snapshot diff apply

Webfilter profiles (full apply).

Scope
Round-trip
Full round-trip — snapshot, diff, apply.

State file skeleton

module: fortinet
kind: webfilter-profiles
items:
  - # <fields specific to this kind — see snapshot output>

ips-sensors

snapshot diff apply

IPS sensors (full apply).

Scope
Round-trip
Full round-trip — snapshot, diff, apply.

State file skeleton

module: fortinet
kind: ips-sensors
items:
  - # <fields specific to this kind — see snapshot output>

application-lists

snapshot diff apply

Application control lists (full apply).

Scope
Round-trip
Full round-trip — snapshot, diff, apply.

State file skeleton

module: fortinet
kind: application-lists
items:
  - # <fields specific to this kind — see snapshot output>

dnsfilter-profiles

snapshot diff apply

DNS filter profiles (full apply).

Scope
Round-trip
Full round-trip — snapshot, diff, apply.

State file skeleton

module: fortinet
kind: dnsfilter-profiles
items:
  - # <fields specific to this kind — see snapshot output>

local-users

snapshot diff apply

Local users (full apply; passwords stripped — set via FortiGate CLI).

Scope
Round-trip
Full round-trip — snapshot, diff, apply.

State file skeleton

module: fortinet
kind: local-users
items:
  - # <fields specific to this kind — see snapshot output>

user-groups

snapshot diff apply

User groups (full apply).

Scope
Round-trip
Full round-trip — snapshot, diff, apply.

State file skeleton

module: fortinet
kind: user-groups
items:
  - # <fields specific to this kind — see snapshot output>

ldap-servers

snapshot diff apply

LDAP servers (full apply; bind passwords stripped).

Scope
Round-trip
Full round-trip — snapshot, diff, apply.

State file skeleton

module: fortinet
kind: ldap-servers
items:
  - # <fields specific to this kind — see snapshot output>

radius-servers

snapshot diff apply

RADIUS servers (full apply; shared secrets stripped).

Scope
Round-trip
Full round-trip — snapshot, diff, apply.

State file skeleton

module: fortinet
kind: radius-servers
items:
  - # <fields specific to this kind — see snapshot output>

saml-providers

snapshot diff apply

SAML identity providers (full apply).

Scope
Round-trip
Full round-trip — snapshot, diff, apply.

State file skeleton

module: fortinet
kind: saml-providers
items:
  - # <fields specific to this kind — see snapshot output>

Workflows

End-to-end recipes from operators who already run this module in production. Copy, adapt, and put under change-control.

Quarterly policy + address audit

Snapshot the policy + address objects, commit to git, diff next quarter.

weave fortinet snapshot policies
weave fortinet snapshot addresses
weave fortinet snapshot address-groups
git add .weave-state/fortinet && git commit -m 'firewall audit Q1'
# … next quarter …
weave fortinet diff policies   # any drift?

Migrate a service from VLAN A to VLAN B

Edit one address object, push it, verify sessions match the new path.

weave fortinet snapshot addresses
$EDITOR .weave-state/fortinet/address/items.yaml   # change subnet
weave fortinet diff addresses
weave fortinet apply addresses --yes
weave fortinet list sessions --limit=200   # confirm new src/dst pairs

Disable a noisy policy and flush its sessions

Pause policy + drop existing sessions in one breath.

weave fortinet do disable-policy 17 --yes
weave fortinet do flush-sessions --policy-id=17 --yes

Pre-upgrade config snapshot

Back up the running config + capture all state kinds before a firmware bump.

weave fortinet do backup-config ./fw01-pre-upgrade.conf --scope=global --yes
weave fortinet snapshot policies
weave fortinet snapshot static-routes
weave fortinet snapshot ipsec-tunnels   # PSKs stripped — safe to commit
git commit -am 'pre-upgrade snapshot fw01'

Multi-VDOM rollout

Apply the same address-group change across two VDOMs.

$env:FORTINET_VDOM='root'; weave fortinet snapshot address-groups
$env:FORTINET_VDOM='dmz';  weave fortinet snapshot address-groups
$EDITOR .weave-state/fortinet/address-group/items.yaml
$env:FORTINET_VDOM='root'; weave fortinet apply address-groups --yes
$env:FORTINET_VDOM='dmz';  weave fortinet apply address-groups --yes

Terraform parity

For each Terraform resource in the canonical provider, here's the equivalent live-API verb in weave. Use this as a migration cheat-sheet, not a 1:1 contract — weave deliberately stays in the live-state lane, not the desired-state lane.

Terraform resource weave equivalent
fortios_firewall_policyweave fortinet list/find/show policy / snapshot policies / do enable/disable-policy
fortios_firewall_addressweave fortinet list/find addresses / snapshot addresses
fortios_firewall_addrgrpweave fortinet list/find address-group / snapshot address-groups
fortios_firewall_service_customweave fortinet list/find services / snapshot services
fortios_firewall_service_groupweave fortinet list service-groups / snapshot service-groups
fortios_firewall_vipweave fortinet list/find vips / snapshot vips
fortios_firewall_ippoolweave fortinet list ip-pools / snapshot ip-pools
fortios_firewall_shaper_traffic_shaperweave fortinet list traffic-shapers / snapshot traffic-shapers
fortios_firewall_proxy_policy / fortios_firewall_proxy_addressweave fortinet list proxy-policies / snapshot proxy-policies
fortios_system_interfaceweave fortinet list/find interfaces / snapshot interfaces
Apply update-only; create/delete disabled (hardware-bound).
fortios_system_zoneweave fortinet list zones / snapshot zones
fortios_system_adminweave fortinet list admins / snapshot admins
Passwords stripped; rotate via FortiGate CLI.
fortios_system_dnsweave fortinet show dns-settings / snapshot dns-settings
fortios_system_ntpweave fortinet show ntp-settings / snapshot ntp-settings
fortios_system_settingsweave fortinet show system-settings / snapshot system-settings
fortios_system_globalweave fortinet show global-settings / snapshot global-settings
Snapshot + diff only — apply intentionally disabled (too risky).
fortios_vpn_ipsec_phase1interface / phase2interfaceweave fortinet list ipsec-tunnels / snapshot ipsec-tunnels
PSKs stripped on snapshot.
fortios_vpn_ssl_settingsweave fortinet show ssl-vpn-settings
fortios_vpn_ssl_web_portalweave fortinet list ssl-vpn-portals / snapshot ssl-vpn-portals
fortios_router_staticweave fortinet list static-routes / snapshot static-routes / list routes (live)
fortios_router_policyweave fortinet list policy-routes / snapshot policy-routes
fortios_router_bgpweave fortinet show bgp-config / snapshot bgp
Snapshot + diff only — apply too complex for a generic helper.
fortios_router_ospfweave fortinet show ospf-config / snapshot ospf
Snapshot + diff only.
fortios_antivirus_profileweave fortinet list/find antivirus-profiles / snapshot antivirus-profiles
fortios_webfilter_profileweave fortinet list webfilter-profiles / snapshot webfilter-profiles
fortios_ips_sensorweave fortinet list ips-sensors / snapshot ips-sensors
fortios_application_listweave fortinet list application-lists / snapshot application-lists
fortios_dnsfilter_profileweave fortinet list dnsfilter-profiles / snapshot dnsfilter-profiles
fortios_user_localweave fortinet list/find local-users / snapshot local-users
Passwords stripped from snapshots.
fortios_user_groupweave fortinet list user-groups / snapshot user-groups
fortios_user_ldapweave fortinet list ldap-servers / snapshot ldap-servers
Bind passwords stripped.
fortios_user_radiusweave fortinet list radius-servers / snapshot radius-servers
Shared secrets stripped.
fortios_user_saml / fortios_user_tacacsweave fortinet list saml-providers / snapshot saml-providers
fortios_firewall_authentication_ruleweave fortinet list auth-rules
fortios_system_ha(skipped)
HA configuration is physical-pair-bound, not state-friendly.
fortios_system_sdwan / fortios_wan*(skipped)
SD-WAN link load balancing is too complex for a generic round-trip.
fortios_wireless_controller_*(skipped)
Wireless controller (FortiAP) is not used in most deployments.
fortios_log_* settings / fortios_fortianalyzer*(skipped)
Log forwarding / vendor integrations — low operator traffic.
(sessions / live logs / interface stats / config backup / reboot / kick-user)weave fortinet list sessions / list logs / watch interface-stats / do backup-config / do reboot / do kick-user
Operational verbs unique to weave — no Terraform equivalent.

Troubleshooting & source

Missing credentials

Run weave doctor — it reports which env vars (including FORTIOS_HOSTNAME) are set and which are blank.

Unexpected behaviour from a state apply

Re-run weave fortinet diff <kind> to confirm the controller's current state, then re-snapshot before the next apply. The driver always re-snapshots before diffing.

Open the source

The module lives at https://github.com/andy-broyles/weavewhatever/tree/main/src/weave/modules/fortinet. File a bug or feature request at https://github.com/andy-broyles/weavewhatever/issues.