read-configs

SKILL.md

Fortinet: Reading Configs

Overview

This skill guides working with FortiGate .conf snapshot files on disk. Use it to find settings, explain what config means, compare a setting across sites, or produce a cross-site diff table.

Config snapshots live at: infra/docs/network/firewalls/
Filename pattern: {site}fw01_{YYYYMMDD}.conf

Fleet Inventory

| Site | Config file prefix | Hostname                      |
|------|--------------------|-------------------------------|
| cdw  | cdwfw01            | cdwfw01.cdw.net.elotouch.com  |
| dal  | dalfw01            | dalfw01.dal.net.elotouch.com  |
| kno  | knofw01            | knofw01.kno.net.elotouch.com  |
| itl  | itlfw01            | itlfw01.itl.net.elotouch.com  |
| mil  | milfw01            | milfw01.mil.net.elotouch.com  |
| jp   | jpfw01             | jpfw01.jp.net.elotouch.com    |
| tw   | twfw01             | twfw01.tw.net.elotouch.com    |
| suz  | suzfw01            | suzfw01.suz.net.elotouch.com  |
| sha  | shafw01            | shafw01.sha.net.elotouch.com  |
| bel  | belfw01            | belfw01.bel.net.elotouch.com  |

Always use the most recent file per site (highest YYYYMMDD).

FortiOS Config Format

FortiOS configs are hierarchical text. The structure:

```
config <section-name>          # opens a config block
    edit "<object-name>"       # opens a named object (string) — OR —
    edit <integer>             # opens an indexed object (e.g., policies use integers)
        set <key> <value>      # sets a field
        config <nested>        # nested block (e.g., config ipv6 inside an interface)
            ...
        end
    next                       # closes this edit entry
end                            # closes the config block
```

Key rules:

  • Named objects (interfaces, VPN tunnels, address objects) use edit "quoted-name"
  • Indexed objects (firewall policies, static routes) use edit <integer>
  • unset <key> means the key is cleared back to its default: treat it as absent
  • ENC <base64> values are stored secrets (admin passwords, IPsec psksecret, LDAP/RADIUS bind passwords): never log, quote or surface them. Treat the whole snapshot as sensitive, since not every secret carries the ENC prefix (certificate private keys under config vpn certificate local appear as PEM strings)
  • Line 1 #config-version=... records model, FortiOS version, build and opmode; the format is #config-version=FG100F-7.0.12-FW-build0523-230516:opmode=0:vdom=0:user=admin (values illustrative)

Finding Config Sections

Use these grep patterns to locate sections by line number, then Read with offset:

| What you want        | Grep pattern                                          |
|----------------------|-------------------------------------------------------|
| System global        | ^config system global                                 |
| All interfaces       | ^config system interface                              |
| A specific interface | edit "PORT-NAME" (within system interface block)      |
| Firewall policies    | ^config firewall policy                               |
| Address objects      | ^config firewall address                              |
| Address groups       | ^config firewall addrgrp                              |
| Static routes        | ^config router static                                 |
| BGP config           | ^config router bgp                                    |
| VPN phase1 tunnels   | ^config vpn ipsec phase1-interface                    |
| VPN phase2 tunnels   | ^config vpn ipsec phase2-interface                    |
| DNS settings         | ^config system dns                                    |
| NTP settings         | ^config system ntp                                    |
| Admin accounts       | ^config system admin                                  |

Workflow:

  1. Grep for the section pattern to get the starting line number
  2. Read the file from that offset — use a limit of 200-500 lines for a section
  3. Look for the matching end (at the same indentation level) to know where the section ends

Extracting a Named Object

To find a specific named object (e.g., interface "external", VPN tunnel "EV-AWS-00"):

  1. Find the section start line (e.g., ^config system interface)
  2. Within that section, Grep for edit "OBJECT-NAME"
  3. Read from that edit line through the next line consisting only of next at the same indentation (the keyword that closes the object)
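As an added example (not part of this skill's own tooling), the following Python parser applies the format and key rules above and implements the named-object lookup described in this section: sections and edit names become nested dict keys, unset removes a key, and ENC values are redacted at parse time so nothing downstream can print them. SAMPLE_CONF, its hostnames, addresses, tunnel name and the ENC blob are constructed for illustration; the header parser assumes the model token carries no hyphen.

```python
"""Parse a FortiOS .conf snapshot into nested dicts.

Added example, not the skill's own tooling. SAMPLE_CONF is constructed for
illustration: hostnames, addresses and the ENC blob are not real."""
import re
import shlex

REDACTED = "<ENC secret redacted>"

SAMPLE_CONF = """\
#config-version=FG100F-7.0.12-FW-build0523-230516:opmode=0:vdom=0:user=admin
config system global
    set hostname "cdwfw01"
end
config system interface
    edit "external"
        set ip 203.0.113.10 255.255.255.248
        set allowaccess ping https
        config ipv6
            set ip6-allowaccess ping
        end
    next
    edit "internal"
        set ip 10.43.10.1 255.255.255.0
        set allowaccess ping https ssh
        unset description
    next
end
config vpn ipsec phase1-interface
    edit "EV-AWS-00"
        set ike-version 2
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret ENC bm90LWEtcmVhbC1zZWNyZXQ=
    next
end
config firewall policy
    edit 1
        set srcintf "internal"
        set action accept
    next
end
"""


def parse_header(first_line):
    """Model, FortiOS version, build and opmode from the '#config-version=' line.
    Assumption: the model token has no hyphen in it."""
    m = re.match(r"#config-version=([^:]+)(.*)", first_line)
    if not m:
        raise ValueError(f"not a FortiOS config header: {first_line!r}")
    stamp, rest = m.groups()
    model, version, _fw, build, _date = stamp.split("-", 4)
    info = {"model": model, "version": version, "build": build.replace("build", "", 1)}
    for kv in rest.split(":"):
        if "=" in kv:
            k, v = kv.split("=", 1)
            info[k] = v
    return info


def parse_config(text):
    """Nested dicts: {section: {edit-name: {key: value, nested-section: {...}}}}.

    Section names are the words after `config` ("system interface"); edit names
    stay strings even when numeric ("1"); multi-token values are space-joined
    ("10.43.10.1 255.255.255.0"); `unset` drops the key; ENC values are replaced
    by REDACTED so no later step can surface them."""
    root, stack = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # header and comment lines
            continue
        kw, *args = shlex.split(line)          # honours "quoted names"
        cur = stack[-1] if stack else root
        if kw == "config":
            stack.append(cur.setdefault(" ".join(args), {}))
        elif kw == "edit":
            stack.append(cur.setdefault(args[0], {}))
        elif kw == "set":
            cur[args[0]] = REDACTED if args[1:2] == ["ENC"] else " ".join(args[1:])
        elif kw == "unset":
            cur.pop(args[0], None)
        elif kw in ("next", "end"):
            if not stack:
                raise ValueError(f"line {lineno}: {kw} without an open block")
            stack.pop()
        else:
            raise ValueError(f"line {lineno}: unknown keyword {kw!r}")
    if stack:
        raise ValueError("file ends inside an open block")
    return root


def get_object(cfg, section, name):
    """Named-object lookup, e.g. get_object(cfg, "system interface", "external")."""
    return cfg.get(section, {}).get(name)


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONF)
    print(parse_header(SAMPLE_CONF.splitlines()[0]))
    print(get_object(cfg, "system interface", "external"))
    print(get_object(cfg, "vpn ipsec phase1-interface", "EV-AWS-00"))
```

Redacting inside the parser rather than at output time is deliberate: the psksecret never exists in memory as anything but the placeholder, so a later diff table or debug print cannot leak it by accident.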

Cross-Site Diff Workflow

To compare a config section across all 10 sites:

  1. Glob all .conf files: infra/docs/network/firewalls/*.conf
  2. For each site, keep only the latest file (max YYYYMMDD per prefix)
  3. Grep each file for the section of interest to get its start line
  4. Read each file at that offset to extract the section
  5. Build a comparison table: rows = sites, columns = key fields being compared
  6. Highlight differences — identical values across all sites can be collapsed to a note

What to skip in diffs (FortiOS defaults/boilerplate):

  • set uuid ... (auto-generated, always different)
  • set snmp-index <N> (auto-assigned)
  • IPv6 blocks (config ipv6 ... end) unless explicitly asked
  • Default-valued keys, but only while every site still has the default: set vrf 0, set arpforward enable, set broadcast-forward disable, set estimated-upstream-bandwidth 0, set measured-upstream-bandwidth 0, set eap-supplicant disable, set switch-controller-igmp-snooping-*. A site with, say, set vrf 2 is a real difference and must stay in the table.

Focus diff on meaningful fields:

  • IPs, masks, gateways
  • allowaccess values (the management protocols exposed on that interface; http, telnet or ssh on an external-facing interface is a finding, not just a difference)
  • action, srcaddr, dstaddr, service (policies)
  • proposal, dhgrp, ike-version (VPN); flag weak choices such as des/3des/md5 proposals or dhgrp 1, 2 or 5 wherever they appear, even if every site agrees on them
  • distance, priority, device (routes)
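The remaining steps of the cross-site workflow as an added Python example (not the skill's own code): pick the newest snapshot per site from filenames, drop the boilerplate keys listed above, flag values that differ from the fleet majority, and render the markdown table. SNAPSHOTS is a constructed directory listing and PER_SITE is constructed data standing in for the "internal" interface already parsed from each site's latest file. It goes one step beyond the skip list: default-valued keys such as vrf are hidden only while every site has the default, so a site with a non-default VRF still appears.

```python
"""Cross-site diff of one FortiOS object.

Added example, not the skill's own code. SNAPSHOTS and PER_SITE are constructed
inputs; PER_SITE holds {key: value} for edit "internal" on three sites."""
import re
from collections import Counter

FILENAME_RE = re.compile(r"^(?P<prefix>[a-z]+fw\d{2})_(?P<date>\d{8})\.conf$")

ALWAYS_SKIP = {"uuid", "snmp-index"}              # never meaningful in a diff
SKIP_PREFIXES = ("switch-controller-igmp-snooping",)
# Hidden only while every site has the FortiOS default (absent counts as default).
DEFAULTS = {
    "vrf": "0", "arpforward": "enable", "broadcast-forward": "disable",
    "estimated-upstream-bandwidth": "0", "measured-upstream-bandwidth": "0",
    "eap-supplicant": "disable",
}

SNAPSHOTS = [  # constructed directory listing
    "cdwfw01_20240105.conf", "cdwfw01_20240312.conf",
    "dalfw01_20240312.conf", "dalfw01_20231120.conf",
    "knofw01_20240301.conf", "README.md",
]

PER_SITE = {  # constructed: values of edit "internal" per site
    "cdw": {"ip": "10.43.10.1 255.255.255.0", "allowaccess": "ping https",
            "status": "up", "vrf": "0", "uuid": "1111", "snmp-index": "3"},
    "dal": {"ip": "10.44.10.1 255.255.255.0", "allowaccess": "ping https",
            "status": "down", "vrf": "0", "uuid": "2222", "snmp-index": "5"},
    "kno": {"ip": "10.45.10.1 255.255.255.0", "allowaccess": "ping https",
            "status": "up", "vrf": "2", "uuid": "3333", "snmp-index": "3",
            "ipv6": {"ip6-allowaccess": "ping"}},
}


def latest_per_site(filenames):
    """Newest snapshot per config prefix (highest YYYYMMDD); other names ignored."""
    best = {}
    for name in filenames:
        m = FILENAME_RE.match(name)
        if m and (m["prefix"] not in best or m["date"] > best[m["prefix"]][0]):
            best[m["prefix"]] = (m["date"], name)   # YYYYMMDD sorts as a string
    return {prefix: name for prefix, (_, name) in best.items()}


def is_boilerplate(key, values):
    """True when the row carries no information for this fleet."""
    if key in ALWAYS_SKIP or key.startswith(SKIP_PREFIXES):
        return True
    default = DEFAULTS.get(key)
    return default is not None and all(v in (None, default) for v in values)


def diff_rows(per_site, sites):
    """Rows of (field, {site: value}, outlier sites). A site is an outlier when
    its value differs from a value at least two sites share; with no majority
    (e.g. per-site IPs) nothing is flagged. Nested blocks (ipv6, ...) are left
    out unless explicitly requested."""
    keys = sorted({k for obj in per_site.values() for k in obj})
    rows = []
    for key in keys:
        values = [per_site[s].get(key) for s in sites]
        if any(isinstance(v, dict) for v in values) or is_boilerplate(key, values):
            continue
        majority, count = Counter(values).most_common(1)[0]
        outliers = {s for s, v in zip(sites, values) if v != majority} if count > 1 else set()
        rows.append((key, dict(zip(sites, values)), outliers))
    return rows


def render_markdown(rows, sites):
    """Markdown table; outliers bold; rows identical on every site become a note."""
    out = ["| Field | " + " | ".join(sites) + " |", "|---|" + "---|" * len(sites)]
    identical = []
    for key, vals, outliers in rows:
        if len(set(vals.values())) == 1:
            identical.append(f"{key}={vals[sites[0]]}")
            continue
        cells = []
        for s in sites:
            text = "(unset)" if vals[s] is None else vals[s]
            cells.append(f"**{text}**" if s in outliers else text)
        out.append(f"| {key} | " + " | ".join(cells) + " |")
    if identical:
        out.append("Identical on all sites: " + ", ".join(identical))
    return "\n".join(out)


if __name__ == "__main__":
    sites = ["cdw", "dal", "kno"]
    print(latest_per_site(SNAPSHOTS))
    print(render_markdown(diff_rows(PER_SITE, sites), sites))
```

With the constructed data the table shows ip (no majority, nothing bold), status with dal's down in bold and vrf with kno's 2 in bold, while allowaccess collapses into the "Identical on all sites" note; uuid, snmp-index and the ipv6 block never reach the table.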

Output Format

Single object lookup: Present the relevant fields in a small table or quoted config block. Explain what each field means in plain English.

Cross-site diff: Use a markdown table:

| Field         | cdw        | dal        | kno        | ... |
|---------------|------------|------------|------------|-----|
| ip            | 10.43.10.1 | 10.44.10.1 | 10.45.10.1 | ... |
| allowaccess   | ping https | ping https | ping https | ... |
| status        | up         | **down**   | up         | ... |

Bold or flag values that differ from the majority.
