amalsky (Staff)
Article Id 372785
Description This article describes automating the initial configuration of FortiGate VM on KVM using Ollama as a local LLM.
Scope FortiGate
Solution

This article explains how to quickly build and apply a default configuration on a FortiGate-VM (deployed on-premises) using a locally hosted open-source Large Language Model (LLM). In this example, phi4:latest is used as the LLM.

This guide applies only to FortiGate-VM instances running on private, on-premises hypervisors such as KVM. It does not apply to FortiGate-VM instances hosted in public cloud environments.

 

Prerequisites:

  • FortiGate-VM on KVM: the FortiGate-VM image must be properly installed and running on KVM.
  • Open-source LLM (phi4:latest).
  • Download and pre-deploy phi4:latest locally.
  • Ensure the environment needed to run the model (GPU/CPU resources, Python dependencies, etc.) is available.

 

Basic Networking Requirements:

  • Confirm the IP address range to assign to the FortiGate-VM.
  • Know the default gateway IP (for example, 192.168.0.1).
  • Identify the DNS server IP addresses if they differ from the example below.

 

Why Use phi4:latest:
• Open-Source: phi4:latest is an open-source model, ensuring better control over data and configuration generation.
• Local Deployment: Ideal for on-premises environments where data privacy or air-gapped networks are crucial.
• Quick Configuration: Speeds up the initial setup process, reducing manual CLI input.

 

  1. Launch the local LLM interface or script in the environment that has already been set up. In this example, Ollama is used with Open-WebUI as the front end:

[Screenshot: Ollama with Open-WebUI]

 

 
  2. Provide the model phi4:latest with a prompt to generate a default FortiGate-VM configuration. See the example prompt below.
  3. Include the desired IP address, subnet mask, default gateway, and DNS servers in the prompt.
  4. Review the output for accuracy.

 

Example Prompt:
Generate the initial configuration for a FortiGate-VM on KVM with static IP 192.168.0.100/24 on port1, gateway 192.168.0.1, and primary DNS 208.91.112.53, secondary DNS 208.91.112.52. Enable access for ping, HTTPS, SSH, SNMP, HTTP, and FortiManager (fgfm).

 

Initial Configuration for FortiGate-VM Deployed on KVM.

 

Step 1: Configure Interface 'port1':

 

config system interface
    edit "port1"
        set mode static
        set ip 192.168.0.100/24
        set allowaccess ping https ssh snmp http fgfm
    next
end

 

Step 2: Configure the default gateway (Replace <class_ip> with the actual gateway IP):

 

config router static
    edit 1
        set device "port1"
        set gateway <class_ip>
    next
end

 

Step 3: Configure DNS Servers:

 

config system dns
    set primary 208.91.112.53
    set secondary 208.91.112.52
end

 

Post-Configuration Tasks:

 

Save the configuration. Each configuration block above is committed when its closing 'end' is entered, so no separate save command is required.

 

  1. Copy and paste the relevant commands into the CLI.
  2. Replace <class_ip> or any placeholder tokens with the gateway IP address.
  3. Save the configuration.
  4. Verify the Configuration:
  • Web GUI Access: Open a browser and navigate to https://192.168.0.100 (or the configured IP) to access the FortiGate GUI.
  • License Check: Ensure a valid license is uploaded or the device can validate against a FortiManager if the environment is closed.
  • Connectivity Test: Ping an external IP or domain to confirm network access.
  • Traffic Handling: Verify that traffic flows appropriately through the FortiGate.
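The steps above (prompt the model, review the output for accuracy, replace placeholder tokens, then apply) can be scripted so that nothing reaches the FortiGate CLI unchecked. The following is an added example, not code from this article or from Fortinet: it sends the article's prompt to a local Ollama server through its /api/generate endpoint and then checks the returned FortiOS CLI against the values that were requested, flagging unresolved placeholders such as <class_ip>, non-lowercase command keywords, an interface address or gateway that differs from the request, and, most importantly, any management service enabled on port1 that the prompt never asked for. OLLAMA_URL, MODEL, REQUEST and the constructed sample output are assumptions made for illustration.

```python
"""Added example, not from the Fortinet article: generate a FortiGate-VM initial
configuration with a local Ollama model and review it before it is pasted into the
FortiGate CLI. OLLAMA_URL, MODEL, REQUEST and SAMPLE_RAW are assumed/constructed."""
import ipaddress
import json
import re
import urllib.request

OLLAMA_URL = "http://localhost:11434/api/generate"  # default local Ollama API (assumed reachable)
MODEL = "phi4:latest"

# The values the operator placed in the prompt; the generated CLI is checked against these.
REQUEST = {
    "ip": "192.168.0.100/24",
    "gateway": "192.168.0.1",
    "dns": ("208.91.112.53", "208.91.112.52"),
    "allowaccess": {"ping", "https", "ssh", "snmp", "http", "fgfm"},
}


def build_prompt(req):
    """Reproduce the article's example prompt from the request values."""
    return (
        "Generate the initial configuration for a FortiGate-VM on KVM with static IP "
        f"{req['ip']} on port1, gateway {req['gateway']}, and primary DNS {req['dns'][0]}, "
        f"secondary DNS {req['dns'][1]}. Enable access for "
        f"{', '.join(sorted(req['allowaccess']))} only. Output FortiOS CLI only."
    )


def generate_config(prompt, url=OLLAMA_URL, model=MODEL):
    """Call Ollama's /api/generate endpoint (non-streaming) and return the model's text."""
    body = json.dumps({"model": model, "prompt": prompt, "stream": False}).encode()
    http = urllib.request.Request(url, data=body, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(http, timeout=300) as resp:
        return json.loads(resp.read())["response"]


def _first(pattern, text):
    """First capture group of a multiline regex match, or None."""
    m = re.search(pattern, text, re.MULTILINE)
    return m.group(1).strip() if m else None


def validate_config(text, req):
    """Return a list of problems in LLM-generated FortiOS CLI; empty means it matches the request."""
    problems = []
    # Unresolved placeholders such as <class_ip> must never reach the firewall.
    problems += [f"unresolved placeholder {p}" for p in re.findall(r"<[A-Za-z_]\w*>", text)]
    # FortiOS CLI keywords are lowercase: 'config system DNS' is rejected by the CLI.
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("config ") and s != s.lower():
            problems.append(f"non-lowercase CLI keyword: {s}")
    # Interface address (first 'set ip' line, assumed to be port1): accept CIDR or 'ip mask' form.
    ip = _first(r"^\s*set ip (.+)$", text)
    got_ip = ipaddress.ip_interface(ip.replace(" ", "/")) if ip else None
    if got_ip != ipaddress.ip_interface(req["ip"]):
        problems.append(f"interface ip {ip!r} != {req['ip']}")
    # Management services: a service the prompt never asked for is the dangerous case.
    access = _first(r"^\s*set allowaccess (.+)$", text)
    got = set(access.split()) if access else set()
    if got - req["allowaccess"]:
        problems.append(f"unrequested allowaccess services: {sorted(got - req['allowaccess'])}")
    if req["allowaccess"] - got:
        problems.append(f"missing allowaccess services: {sorted(req['allowaccess'] - got)}")
    # Default route and DNS servers.
    if _first(r"^\s*set gateway (\S+)", text) != req["gateway"]:
        problems.append("gateway does not match request")
    if (_first(r"^\s*set primary (\S+)", text), _first(r"^\s*set secondary (\S+)", text)) != req["dns"]:
        problems.append("dns servers do not match request")
    return problems


def fix_placeholders(text, req):
    """Substitute a gateway placeholder the model left behind; anything else needs a human review."""
    return re.sub(r"<[^>]*(?:gateway|class_ip)[^>]*>", req["gateway"], text)


# Constructed sample modelled on the article's output: placeholder left in, 'DNS' uppercased,
# and one service (telnet) that the prompt never requested.
SAMPLE_RAW = """config system interface
    edit "port1"
        set mode static
        set ip 192.168.0.100 255.255.255.0
        set allowaccess ping https ssh snmp http fgfm telnet
    next
end
config router static
    edit 1
        set device "port1"
        set gateway <class_ip>
    next
end
config system DNS
    set primary 208.91.112.53
    set secondary 208.91.112.52
end
"""

if __name__ == "__main__":
    # Requires Ollama with phi4:latest running locally; otherwise review SAMPLE_RAW instead.
    for problem in validate_config(generate_config(build_prompt(REQUEST)), REQUEST):
        print("REVIEW:", problem)
```

Run against the constructed sample, validate_config reports four findings (the <class_ip> placeholder, the uppercase DNS keyword, the unrequested telnet service, and the gateway mismatch caused by the placeholder); once those are corrected it returns an empty list, which is the point at which the blocks can be pasted into the CLI. Masks in 'ip mask' form are normalised with ipaddress so either output style from the model is accepted.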

 

Troubleshooting
If it is not possible to connect to the GUI, re-check:

  • IP/Subnet Mask: Ensure the PC is on the same subnet.
  • Access Permissions: Confirm the necessary services are enabled (ping, ssh, https, etc.).

 

If DNS resolution fails, ensure the DNS servers are reachable.

 

Verification:

  • After saving, access the FortiGate GUI via a web browser using the IP address configured on port1.
  • Navigate to: https://192.168.0.100
  • Confirm that the license is uploaded or validated against a FortiManager if in a closed environment.
  • Test network connectivity.
  • Ensure the FortiGate-VM can reach external networks and handle traffic as expected.

 

Conclusion:
A locally deployed, open-source LLM like phi4:latest can significantly expedite the initial configuration process for a FortiGate-VM in on-premises deployments. By providing the LLM with the correct prompt and then verifying the output, it is possible to quickly apply a working baseline configuration, saving time and reducing manual errors.