<h2>Summary</h2><p>FortiOS 8.0 deeply embeds <strong>FortiAI-Assist</strong> intelligent assistant into the FortiGate operating system for the first time, providing network security administrators with generative AI-powered operational assistance capabilities. This article provides a systematic deep analysis of FortiAI's technical architecture, deployment methods, business workflows, and licensing models based on FortiOS 8.0 official documentation, helping technical teams fully understand this new feature.</p><p><strong>Key Finding</strong>: FortiOS 8.0's FortiAI is not a standalone web application interaction assistant, but a <strong>RAG (Retrieval-Augmented Generation) system</strong> deeply integrated with FortiGate, supporting documentation Q&A, troubleshooting diagnostics, and CLI command generation and execution. The system supports both FortiAI and OpenAI as AI providers, and uses a subscription-based Token billing model.</p><h2>1. Product Positioning and Functional Overview</h2><h3>1.1 FortiAI-Assist Positioning in FortiOS 8.0</h3><p>According to FortiOS 8.0 official documentation:</p><blockquote><p>FortiAI-Assist is now embedded in FortiOS, and FortiOS includes the FortiAI assistant and CLI Code Lab tool to provide RAG-enhanced documentation support, automated diagnostic analysis, and CLI script execution.</p></blockquote><p>FortiAI-Assist is an AI assistance tool launched by Fortinet in FortiOS 8.0, with core positioning including three aspects:</p><figure class="table">
| Functional Dimension | Specific Description |
|---|---|
| RAG-Enhanced Documentation Support | Retrieval-augmented generation based on FortiOS technical documentation, answering administrators' product operation questions |
| Automated Diagnostic Analysis | Directly reads FortiGate logs or analyzes debug output provided by administrators for troubleshooting |
| CLI Script Execution | Generates FortiGate CLI commands through natural language, and edits and executes them in CLI Code Lab |
| Product | FortiAI Form | Main Functions |
|---|---|---|
| FortiOS 8.0 | Embedded AI Assistant + CLI Code Lab | Documentation Q&A, troubleshooting diagnostics, CLI generation and execution |
| FortiWeb | Standalone AI Assistant Panel | Log analysis, configuration guidance, IP reputation queries |
| FortiADC | Standalone AI Assistant Panel | Configuration guidance, log analysis, Text-to-Script |
| FortiManager | Standalone AI Assistant Panel | Configuration assistance, VPN script generation, IoT device management |
| FortiGate Type | Memory Requirement | Subscription Requirement |
|---|---|---|
| FortiGate Hardware Devices | More than 2GB RAM | FortiCare Premium Support |
| FortiGate-VM S-series | More than 2GB RAM | FortiCare Premium OR Enterprise/UTP/ATP Bundle (any one) |
diagnose sys license list</p><h4>Step 2: Select and Enable AI Provider</h4><p>FortiOS 8.0 supports two AI providers, administrators can choose based on requirements:</p><p><strong>Method A: Use FortiAI (Fortinet Native AI)</strong></p><ol><li>In the FortiOS GUI top banner, click the <strong>FortiAI</strong> icon</li><li>In the popup <strong>AI Model Selection</strong> dialog, select <strong>FortiAI</strong></li><li>Click <strong>OK</strong> to confirm</li></ol><p>FortiAI provider includes the following features:</p><ul><li><strong>2,000,000 starting Tokens</strong> per device per month</li><li>Additional Tokens can be purchased as needed</li><li>Purchased Tokens are <strong>shared</strong> across all devices under the same FortiCare account</li></ul><p><strong>Method B: Use OpenAI (Third-party AI)</strong></p><ol><li>Click the <strong>FortiAI</strong> icon in the GUI</li><li>Select <strong>OpenAI</strong> and fill in configuration information: API Key, Model name (such as gpt-5.2), Project ID, Organization ID</li></ol><p>Or configure via CLI:</p><p>config system admin
edit "admin"
set vdom "root"
set accprofile "super_admin"
set gui-llm-provider openai
set openai-api-key <your-api-key>
set openai-api-key-part2 <key-part2>
set openai-model "gpt-5.2"
set openai-project-id "<project-ID>"
set openai-org-id "<organization-ID>"
next
end</p><p><strong>Note</strong>: When using OpenAI, Tokens are billed directly from the OpenAI account, and FortiOS does not provide usage tracking.</p><h4>Step 3: Configure Administrator Access Permissions</h4><p>FortiAI-Assist access permissions are controlled through <strong>Admin Profiles</strong>:</p><p><strong>GUI Configuration Method</strong>:</p><ol><li>Navigate to <strong>System > Admin Profiles</strong></li><li>Double-click the admin profile to edit (such as prof_admin)</li><li>Enable/disable <strong>Allow using AI Assistant</strong></li><li>Click <strong>OK</strong> to save</li></ol><p><strong>CLI Configuration Method</strong>:</p><p>config system accprofile
edit "admin-withAI"
set comments "Admin with AI Assistant access"
set secfabgrp read-write
# ... other permission settings ...
set gui-ai-assistant enable
next
end</p><p><strong>Permission Notes</strong>:</p><ul><li>Even if the admin profile disables AI Assistant, the FortiAI icon <strong>remains visible</strong> in the GUI banner, but administrators cannot submit queries or receive responses</li><li>The
super_admin profile <strong>cannot edit</strong> this setting (always allowed)</li><li>FortiAI uses the <strong>same permissions as the logged-in administrator</strong> when calling FortiOS REST API</li></ul><h4>Step 4: (Optional) Enable Data Masking</h4><p>Sensitive data masking is an important privacy protection feature:</p><ol><li>In the FortiAI chat window, click the data masking icon</li><li>When enabled, the following sensitive information will be replaced with placeholders before sending to the AI provider: IP addresses, MAC addresses, Email addresses, Phone numbers, URLs</li></ol><p>Enabled state: Chat window shows <strong>✓</strong> icon; Disabled state: Shows <strong>×</strong> icon</p><h4>Step 5: Access CLI Code Lab</h4><p>CLI Code Lab is FortiAI's companion tool for generating, editing, and executing CLI commands:</p><p><strong>Access Methods</strong>:</p><ul><li>Method 1: Access from GUI banner - Click CLI Console > CLI Code Lab</li><li>Method 2: Access from FortiAI returned commands - When FortiAI returns CLI commands, click the Edit button to open CLI Code Lab</li></ul><p>CLI Code Lab interface includes: <strong>Left pane</strong> (editable CLI command input area), <strong>Right pane</strong> (command execution output area), <strong>Execute button</strong> (execute commands, requires secondary confirmation), <strong>Commit changes button</strong> (save configuration changes)</p><h2>3. Business Process Deep Analysis</h2><h3>3.1 User Interaction Process</h3><p>FortiAI-Assist's user interaction follows a <strong>Q&A → Analysis → Execution</strong> three-stage model:</p><ul><li><strong>Stage 1 - Q&A Interaction</strong>: User inputs natural language queries or instructions</li><li><strong>Stage 2 - System Analysis</strong>: LLM + RAG processing, local data analysis</li><li><strong>Stage 3 - Configuration/Diagnostic Execution</strong>: CLI Code Lab executes commands</li></ul><h3>3.2 System Processing Flow</h3><h4>3.2.1 Documentation-Based Q&A Process</h4><p>When users ask product operation questions, the system uses a <strong>RAG architecture</strong>:</p><ol><li>User query</li><li>Query vectorization (embedding model processing)</li><li>Document retrieval (matching relevant document fragments)</li><li>Context assembly</li><li>LLM generates response</li><li>Returns response with sources</li></ol><p>According to official documentation: "When FortiAI uses FortiAI as the AI provider, the following FortiOS documents are used to provide answers: <strong>FortiOS Administration Guide</strong>, <strong>FortiOS CLI Reference</strong>. FortiAI also checks its answers against the FortiGate to ensure the results are suitable for the specific model."</p><p><strong>RAG Knowledge Base</strong> includes: FortiOS Administration Guide, FortiOS CLI Reference</p><p><strong>Model Validation Mechanism</strong>: Generated responses are cross-validated with the target FortiGate device to ensure generated configuration commands are applicable to that specific model.</p><h4>3.2.2 Diagnostic Analysis Process</h4><p>For troubleshooting scenarios, the system supports a <strong>hybrid analysis mode</strong>:</p><ul><li>User describes problem → FortiAI returns diagnostic CLI commands</li><li>User pastes debug output/log files → FortiAI analyzes and identifies root cause</li></ul><p><strong>Typical Troubleshooting Example</strong>:</p><p>User input: "troubleshoot issue ipsec vpn tunnel to-headoffice is down"</p><p>System returns:</p><p>Your debug is definitive: IKEv2 AUTH fails
- authentication failed
- PSK auth failed: probable pre-shared key mismatch
- initiator receives AUTHENTICATION_FAILED</p><h4>3.2.3 CLI Command Generation and Execution Process</h4><ol><li>User inputs natural language requirement, example: "configure this fgt to block social media"</li><li>LLM generates CLI commands</li><li>User supplements environment information, example: "lan interface port2, update existing policy 1"</li><li>LLM adjusts commands based on context</li><li>User clicks Edit to open CLI Code Lab</li><li>Edit commands in CLI Code Lab and click Execute</li><li>System executes commands after secondary confirmation</li><li>Execution results displayed in right pane</li><li>User clicks Commit changes to save configuration</li></ol><h3>3.3 Session Management Mechanism</h3><h4>Token Consumption and Context</h4><p>According to official documentation: "Because the FortiAI assistant uses session history to inform its responses, queries that are a part of a long session will use more tokens than new conversations."</p><p><strong>Context Management Rules</strong>:</p><ul><li>Historical messages in the same session are sent to the LLM as context</li><li>When message history reaches the limit, it will be <strong>compressed</strong> (may lose some information)</li><li>Compressed history will reduce response accuracy</li><li>LLM <strong>does not remember</strong> content from different sessions</li></ul><p><strong>Recommendation</strong>: When handling unrelated tasks, <strong>create a new session</strong> to get more accurate responses.</p><h4>Chat History Management</h4><figure class="table">
</figure><h2>4. Large Model Architecture Deep Analysis</h2><h3>4.1 Dual AI Provider Architecture</h3><p>FortiOS 8.0's FortiAI adopts a <strong>dual-provider architecture</strong>, providing flexibility choices for administrators:</p><h4>4.1.1 FortiAI Provider (Fortinet Native)</h4><figure class="table">Function Description Chat History View historical session list, click to restore and view Export Chat Export current conversation as JSON Export Thread Export complete thread (including timestamps, message IDs, etc.)
</figure><h4>4.1.2 OpenAI Provider (Third-party)</h4><figure class="table">Feature Description Token Source Fortinet cloud service Starting Quota 2,000,000 Tokens per device per month Additional Purchase Available, shared across account devices RAG Knowledge Base Built-in FortiOS documentation Model Validation Cross-validation with target device
</figure><p><strong>CLI Configuration Options</strong>:</p><p>config system adminFeature Description API Configuration Need to configure API Key yourself Model Selection Can choose GPT-5.2 and other models Billing Method Billed directly from OpenAI account Cost Control No usage tracking within FortiOS
edit <admin-name>
set gui-llm-provider {fortiai | openai}
set openai-api-key <password>
set openai-api-key-part2 <password>
set openai-model <string>
set openai-project-id <string>
set openai-org-id <string>
next
end</p><h3>4.2 RAG Architecture Analysis</h3><h4>4.2.1 RAG Component Composition</h4><p>FortiAI-Assist's RAG system contains the following core components:</p><figure class="table">
| Component | Function Description |
|---|---|
| Document Library | FortiOS Administration Guide + CLI Reference |
| Vector Database | Stores vector embeddings of document fragments |
| Retriever | Matches relevant document fragments based on user query |
| Generator (LLM) | Generates responses based on retrieval results |
| Validation Layer | Cross-validates command applicability with target device |
| Analysis Type | Input Source | Processing Method |
|---|---|---|
| Log Analysis | FortiGate local logs | Direct read and analysis |
| Debug Output | Administrator paste | Parse and identify root cause |
| Configuration Validation | Target device status | Cross-validate command applicability |
| Requirement Item | Specification |
|---|---|
| Memory Requirement | More than 2GB RAM |
| Subscription Requirement | FortiCare Premium Support |
| Starting Tokens | 2,000,000 per device per month |
| Additional Tokens | Purchasable, shared within account devices |
| Requirement Item | Specification |
|---|---|
| Memory Requirement | More than 2GB RAM |
| Subscription Requirement | FortiCare Premium OR Enterprise Bundle OR UTP Bundle OR ATP Protection Bundle |
| Type | Description |
|---|---|
| FortiGate models (≤2GB RAM) | Do not support FortiAI functionality |
| Devices without subscription | Cannot use FortiAI |
| Trial License | May not be available (depending on specific terms) |
| Consumption Source | Description |
|---|---|
| User Input (Prompt) | Counted by character/word count |
| LLM Output (Response) | Counted by generated text volume |
| Session History | Longer context means more consumption |
| Strategy | Description | Example |
|---|---|---|
| Concise and Specific | Avoid lengthy descriptions | ❌ "Can you please help me create a firewall address for 10.0.0.1..." ✅ "Create firewall addresses for 10.0.0.1 and awesome-domain.com" |
| Use Filter Conditions | Narrow query scope | Specify specific interface names, time ranges |
| Use FortiOS Terminology | Precisely match functions | Use "quarantine device" instead of "block this device" |
| Reuse Session Context | Reduce repetitive explanations | Follow up in the same thread instead of opening new sessions |
| Billing Dimension | FortiAI (Fortinet) | OpenAI |
|---|---|---|
| Starting Quota | 2,000,000 Tokens/month/device | None (pay-as-you-go) |
| Additional Purchase | Supported, shared across devices | Purchase API Key yourself |
| Usage Tracking | Visible within FortiOS | Need to check in OpenAI platform |
| Overflow Handling | Suspend access | Continue billing/reject requests |
| Data Type | Masking Example |
|---|---|
| IP Address | 192.168.1.100 → [IP_1] |
| MAC Address | AA:BB:CC:DD:EE:FF → [MAC_1] |
| Email Address | user@example.com → [EMAIL_1] |
| Phone Number | 123-456-7890 → [PHONE_1] |
| URL | https://example.com → [URL_1] |
| Configuration Item | Default Value | Description |
|---|---|---|
gui-ai-assistant | disable | AI assistant usage permission |
| super_admin | Always allowed | Cannot modify this profile |
| Parameter | Specification |
|---|---|
| FortiOS Version | 8.0.0 and above |
| Hardware Requirement | FortiGate models with more than 2GB RAM |
| Network Requirement | Internet access |
| License Requirement | FortiCare Premium (or equivalent Bundle) |
edit <profile-name>
set gui-ai-assistant {enable | disable}
next
end</p><h4>Configure OpenAI Provider</h4><p>config system admin
edit <admin-name>
set gui-llm-provider {fortiai | openai}
set openai-api-key <password>
set openai-api-key-part2 <password>
set openai-model <string>
set openai-project-id <string>
set openai-org-id <string>
next
end</p><h3>8.3 Token Quota (FortiAI Provider)</h3><figure class="table">
| FortiGate Type | Starting Tokens/Month | Scalability |
|---|---|---|
| Hardware Devices | 2,000,000 | Purchasable, shared across devices |
| VM S-series | Same as above | Same as above |
| Value Dimension | Specific Embodiment |
|---|---|
| Cost Reduction and Efficiency | Natural language interaction lowers CLI learning barrier |
| Rapid Diagnosis | Automatically analyzes debug output, accelerates fault localization |
| Configuration Automation | CLI Code Lab enables command generation-editing-execution integration |
| Security and Control | Permission isolation + data masking ensures operational security |
| Scenario | Recommended AI Provider | Reason |
|---|---|---|
| Need RAG documentation support | FortiAI | Built-in FortiOS knowledge base |
| High-frequency use, familiar with FortiOS | FortiAI | Token sharing saves costs |
| Already have OpenAI account | OpenAI | Reuse existing resources |
| Need GPT advanced models | OpenAI | Can choose GPT-5.2 and other models |
Why it Matters
FortiOS 8.0's FortiAI represents a significant innovation in network security operations, deeply integrating generative AI capabilities into the firewall operating system, significantly lowering the technical barrier for network administrators and improving operational efficiency.
DECISION
For enterprises using FortiGate, it is recommended to evaluate the practical application scenarios of FortiAI-Assist, prioritize pilots in troubleshooting and configuration automation areas, and decide whether to expand deployment scope based on usage results.
PREDICT
In the future, FortiAI may further enhance integration capabilities with FortiAnalyzer and FortiSIEM, evolving from intelligent operations to intelligent security operations centers, while potentially introducing more AI model choices and localized deployment options.
Get 3-5 key AI infrastructure signals weekly →
💬 Comments (0)