Managing FortiGate with Claude Code: AI-Powered Firewall Administration

Why AI + FortiGate?

Managing FortiGates at scale means dealing with hundreds of policies, VPN tunnels, address objects, and compliance requirements. The FortiGate REST API is powerful but verbose — a single firewall policy creation requires a carefully crafted JSON payload with nested objects for source interfaces, destination addresses, services, and UTM profiles.

This is exactly where Claude Code shines. As an AI coding assistant running in your terminal, it can generate, validate, and execute API calls against your FortiGate infrastructure — turning natural language intent into precise configuration changes.

In this article, I will walk through practical workflows for using Claude Code to manage FortiGate environments, from read-only auditing to automated policy management.

Setting Up Secure API Access

Before letting any automation tool anywhere near your firewall, security comes first. Create a dedicated API user with the minimum required permissions:

config system accprofile
    edit "api_readonly"
        set secfabgrp read
        set ftviewgrp read
        set authgrp read
        set sysgrp read
        set netgrp read
        set loggrp read
        set fwgrp read
        set vpngrp read
        set utmgrp read
    next
end

config system api-user
    edit "claude-audit"
        set accprofile "api_readonly"
        set vdom "root"
        config trusthost
            edit 1
                set ipv4-trusthost 10.0.0.100/32
            next
        end
    next
end

Key principles: always use trusthost restrictions to limit which IPs can use the token, use the Authorization header (never URL parameters — they leak into logs), and start with read-only access until you have confidence in your workflows.

The FortiGate API Landscape

FortiGate exposes two API namespaces that map to different use cases:

CMDB API (/api/v2/cmdb/) handles configuration — firewall policies, address objects, VPN settings, routing, security profiles. It mirrors the CLI hierarchy directly: config firewall policy becomes /api/v2/cmdb/firewall/policy.

Monitor API (/api/v2/monitor/) provides runtime data — system status, active sessions, VPN tunnel states, routing tables, config backups. Mostly read-only with some operational actions like bouncing VPN tunnels.

Claude Code can navigate both fluently. Ask it to "check which VPN tunnels are down" and it will query the monitor API. Ask it to "create a policy allowing HTTPS from the internal network to the DMZ" and it will craft the correct CMDB API call.

Practical Use Case: Policy Auditing

One of the highest-value, lowest-risk workflows is policy auditing. With a read-only API token, Claude Code can pull your entire ruleset and analyze it for common issues:

# Replace with your details
FGT_IP="192.168.1.99"
API_TOKEN="your_api_token_here"

curl -sk -H "Authorization: Bearer $API_TOKEN" "https://$FGT_IP/api/v2/cmdb/firewall/policy?vdom=root" | python3 -c "
import json, sys

try:
    # Load the JSON response
    data = json.load(sys.stdin)
    
    # Check if the API call was actually successful
    if data.get('http_status') != 200:
        print(f'API Error: {data.get(\'http_status\')} - {data.get(\'error\', \'Unknown Error\')}')
        sys.exit(1)

    policies = data['results']
    print(f'Scanning {len(policies)} policies...')
    print('-' * 40)

    for p in policies:
        issues = []
        
        # Security Checks
        if p.get('logtraffic') == 'disable':
            issues.append('NO_LOGGING')
        if any(a.get('name') == 'all' for a in p.get('srcaddr', [])):
            issues.append('SRC_ANY')
        if any(a.get('name') == 'all' for a in p.get('dstaddr', [])):
            issues.append('DST_ANY')
        if any(s.get('name') == 'ALL' for s in p.get('service', [])):
            issues.append('SVC_ALL')
        if p.get('status') == 'disable':
            issues.append('DISABLED')

        # Print only if issues found
        if issues:
            pid = p.get('policyid', 'N/A')
            pname = p.get('name', 'Unnamed')
            print(f'Policy {pid} ({pname}): \t{' '.join(issues)}')

except json.JSONDecodeError:
    print('Failed to decode JSON. Check your API Token and URL.')
"

In practice, you would simply tell Claude Code: "Audit my FortiGate policies for overly permissive rules, missing logging, and disabled policies" — and it will generate and execute this kind of analysis, presenting the results in plain language with specific remediation recommendations.

Config Backup and Diff Analysis

Claude Code excels at interpreting configuration changes. Download a backup via the API:

# Replace with your details
FGT_IP="192.168.1.99"
API_TOKEN="your_api_token_here"
OUT_FILE="backup-20260217.conf"

# 1. Perform the backup
curl -k -H "Authorization: Bearer $API_TOKEN" \
"https://$FGT_IP/api/v2/monitor/system/config/backup?scope=global" \
-o "$OUT_FILE"

# 2. Verify the backup is valid
# FortiGate configs usually start with "#config-version"
if head -n 1 "$OUT_FILE" | grep -q "#config-version"; then
    echo "Backup Successful: $OUT_FILE"
else
    echo "Backup Failed. File contains API error:"
    cat "$OUT_FILE"
    rm "$OUT_FILE" # Delete the corrupt file
fi

Then ask Claude Code to diff two backups and explain the changes. Unlike a raw diff output, it can tell you: "A new admin account was created, two firewall policies were modified to allow additional services, and the SSL VPN idle timeout was reduced from 300 to 30 seconds." It flags security-relevant changes and identifies potentially risky modifications.

VPN Tunnel Management

Managing IPsec VPN tunnels across multiple sites is a common pain point. Claude Code can query tunnel status, identify which tunnels are down, and even bring them back up:

# Replace with your details
FGT_IP="192.168.1.99"
API_TOKEN="your_api_token_here"

# Check all tunnel statuses
curl -sk -H "Authorization: Bearer $API_TOKEN"   "https://$FGT_IP/v2/monitor/vpn/ipsec"

# Bring up a specific tunnel
curl -sk -X POST -H "Authorization: Bearer $API_TOKEN"   "https://$FGT_IP/v2/monitor/vpn/ipsec/tunnel_up"   -d '{"p1name": "DC-to-Branch01"}'

A typical workflow: "Check all VPN tunnels and bring up any that are down, then verify the routing table has the expected routes." Claude Code chains the monitor API calls, correlates tunnel status with routing entries, and reports the results.

Compliance Checking

CIS publishes specific benchmarks for FortiGate. Combined with open-source tools like fortigate-security-auditor, Claude Code can run compliance checks against your configuration and interpret the results:

• Admin password policies and idle timeouts

• Strong crypto settings for management access (TLS 1.2+)

• VPN encryption standards (AES-256, SHA-256, DH group 14+)

• Logging to external syslog/SIEM

• NTP synchronization

• USB firmware installation disabled

Rather than reading through a raw CSV audit report, Claude Code translates findings into actionable items prioritized by risk.

Leveraging the Ecosystem

Claude Code is not limited to raw API calls. It can generate and work with the entire Fortinet automation ecosystem:

• Ansible playbooks using the fortinet.fortios collection for repeatable configuration management

• Terraform configurations with the fortinetdev/fortios provider for infrastructure-as-code

• Python scripts using pyfortiapi or the official fortiosapi for custom workflows

• FortiManager MCP server for direct AI-to-API integration managing multiple devices

The FortiManager MCP (Model Context Protocol) server is particularly interesting — it exposes 590 API operations as tools that Claude Code can invoke directly, covering device management, policy deployment, ADOM operations, and security profiles across your entire Fortinet fabric.

Security Guardrails

Using AI to manage firewalls demands careful guardrails:

1. Start read-only. Use a read-only API profile for all auditing and monitoring tasks. Only create write-capable tokens when you have established trust in the workflow.

2. Review before apply. Have Claude Code generate the API calls or CLI commands, review them, then execute as a separate step.

3. Backup before changes. Always download a config backup via API before any modification.

4. Limit blast radius. Use VDOMs to create staging environments. Test changes there before applying to production.

5. Audit everything. FortiGate logs all API access — ensure log forwarding to your SIEM is enabled and monitored.

6. Network segmentation. API access should only be available from a dedicated management network, never from general user VLANs.

Getting Started

The lowest-friction way to start is with a read-only API token and a simple health check: "Show me the system status, check for any down VPN tunnels, and list any firewall policies with logging disabled."

From there, build confidence by automating backup routines, running compliance checks, and gradually expanding to configuration management — always with review gates and rollback plans in place.

The combination of Claude Code's ability to understand intent and FortiGate's comprehensive API creates a workflow that is both more efficient and more auditable than manual CLI management. Security should be an enabler — and AI-powered automation, done right, makes that a reality.