Summary
FortiOS 8.0 deeply embeds FortiAI-Assist intelligent assistant into the FortiGate operating system for the first time, providing network security administrators with generative AI-powered operational assistance capabilities. This article provides a systematic deep analysis of FortiAI's technical architecture, deployment methods, business workflows, and licensing models based on FortiOS 8.0 official documentation, helping technical teams fully understand this new feature.
Key Finding: FortiOS 8.0's FortiAI is not a standalone web application interaction assistant, but a RAG (Retrieval-Augmented Generation) system deeply integrated with FortiGate, supporting documentation Q&A, troubleshooting diagnostics, and CLI command generation and execution. The system supports both FortiAI and OpenAI as AI providers, and uses a subscription-based Token billing model.
1. Product Positioning and Functional Overview
1.1 FortiAI-Assist Positioning in FortiOS 8.0
According to FortiOS 8.0 official documentation:
FortiAI-Assist is now embedded in FortiOS, and FortiOS includes the FortiAI assistant and CLI Code Lab tool to provide RAG-enhanced documentation support, automated diagnostic analysis, and CLI script execution.
FortiAI-Assist is an AI assistance tool launched by Fortinet in FortiOS 8.0, with core positioning including three aspects:
| Functional Dimension | Specific Description |
|---|---|
| RAG-Enhanced Documentation Support | Retrieval-augmented generation based on FortiOS technical documentation, answering administrators' product operation questions |
| Automated Diagnostic Analysis | Directly reads FortiGate logs or analyzes debug output provided by administrators for troubleshooting |
| CLI Script Execution | Generates FortiGate CLI commands through natural language, and edits and executes them in CLI Code Lab |
1.2 Comparison with FortiAI in Other Fortinet Products
It is important to note that: FortiOS 8.0's FortiAI has functional differences compared to FortiAI in FortiWeb, FortiADC, and FortiManager.
| Product | FortiAI Form | Main Functions |
|---|---|---|
| FortiOS 8.0 | Embedded AI Assistant + CLI Code Lab | Documentation Q&A, troubleshooting diagnostics, CLI generation and execution |
| FortiWeb | Standalone AI Assistant Panel | Log analysis, configuration guidance, IP reputation queries |
| FortiADC | Standalone AI Assistant Panel | Configuration guidance, log analysis, Text-to-Script |
| FortiManager | Standalone AI Assistant Panel | Configuration assistance, VPN script generation, IoT device management |
2. Device Deployment Guide (Step by Step)
2.1 Hardware and Licensing Requirements
According to official documentation, FortiAI-Assist has clear requirements for hardware and subscriptions:
Supported FortiGate Models
| FortiGate Type | Memory Requirement | Subscription Requirement |
|---|---|---|
| FortiGate Hardware Devices | More than 2GB RAM | FortiCare Premium Support |
| FortiGate-VM S-series | More than 2GB RAM | FortiCare Premium OR Enterprise/UTP/ATP Bundle (any one) |
Important Limitation: FortiGate models with memory equal to or less than 2GB do not support FortiAI-Assist functionality.
Network Requirements
- FortiGate device must be able to access the Internet
- For establishing communication with FortiAI cloud service or OpenAI API
2.2 Deployment Steps
Step 1: Verify License Status
Before enabling FortiAI, confirm that the FortiGate device is registered and bound to a valid FortiCare Premium license:
# Check license status via CLI diagnose sys license list
Step 2: Select and Enable AI Provider
FortiOS 8.0 supports two AI providers, administrators can choose based on requirements:
Method A: Use FortiAI (Fortinet Native AI)
- In the FortiOS GUI top banner, click the FortiAI icon
- In the popup AI Model Selection dialog, select FortiAI
- Click OK to confirm
FortiAI provider includes the following features:
- 2,000,000 starting Tokens per device per month
- Additional Tokens can be purchased as needed
- Purchased Tokens are shared across all devices under the same FortiCare account
Method B: Use OpenAI (Third-party AI)
- Click the FortiAI icon in the GUI
- Select OpenAI and fill in configuration information: API Key, Model name (such as gpt-5.2), Project ID, Organization ID
Or configure via CLI:
config system admin edit "admin" set vdom "root" set accprofile "super_admin" set gui-llm-provider openai set openai-api-key <your-api-key> set openai-api-key-part2 <key-part2> set openai-model "gpt-5.2" set openai-project-id "<project-ID>" set openai-org-id "<organization-ID>" next end
Note: When using OpenAI, Tokens are billed directly from the OpenAI account, and FortiOS does not provide usage tracking.
Step 3: Configure Administrator Access Permissions
FortiAI-Assist access permissions are controlled through Admin Profiles:
GUI Configuration Method:
- Navigate to System > Admin Profiles
- Double-click the admin profile to edit (such as prof_admin)
- Enable/disable Allow using AI Assistant
- Click OK to save
CLI Configuration Method:
config system accprofile edit "admin-withAI" set comments "Admin with AI Assistant access" set secfabgrp read-write # ... other permission settings ... set gui-ai-assistant enable next end
Permission Notes:
- Even if the admin profile disables AI Assistant, the FortiAI icon remains visible in the GUI banner, but administrators cannot submit queries or receive responses
- The `super_admin` profile cannot edit this setting (always allowed)
- FortiAI uses the same permissions as the logged-in administrator when calling FortiOS REST API
Step 4: (Optional) Enable Data Masking
Sensitive data masking is an important privacy protection feature:
- In the FortiAI chat window, click the data masking icon
- When enabled, the following sensitive information will be replaced with placeholders before sending to the AI provider: IP addresses, MAC addresses, Email addresses, Phone numbers, URLs
Enabled state: Chat window shows ✓ icon; Disabled state: Shows × icon
Step 5: Access CLI Code Lab
CLI Code Lab is FortiAI's companion tool for generating, editing, and executing CLI commands:
Access Methods:
- Method 1: Access from GUI banner - Click CLI Console > CLI Code Lab
- Method 2: Access from FortiAI returned commands - When FortiAI returns CLI commands, click the Edit button to open CLI Code Lab
CLI Code Lab interface includes: Left pane (editable CLI command input area), Right pane (command execution output area), Execute button (execute commands, requires secondary confirmation), Commit changes button (save configuration changes)
3. Business Process Deep Analysis
3.1 User Interaction Process
FortiAI-Assist's user interaction follows a Q&A → Analysis → Execution three-stage model:
- Stage 1 - Q&A Interaction: User inputs natural language queries or instructions
- Stage 2 - System Analysis: LLM + RAG processing, local data analysis
- Stage 3 - Configuration/Diagnostic Execution: CLI Code Lab executes commands
3.2 System Processing Flow
3.2.1 Documentation-Based Q&A Process
When users ask product operation questions, the system uses a RAG architecture:
- User query
- Query vectorization (embedding model processing)
- Document retrieval (matching relevant document fragments)
- Context assembly
- LLM generates response
- Returns response with sources
According to official documentation: "When FortiAI uses FortiAI as the AI provider, the following FortiOS documents are used to provide answers: FortiOS Administration Guide, FortiOS CLI Reference. FortiAI also checks its answers against the FortiGate to ensure the results are suitable for the specific model."
RAG Knowledge Base includes: FortiOS Administration Guide, FortiOS CLI Reference
Model Validation Mechanism: Generated responses are cross-validated with the target FortiGate device to ensure generated configuration commands are applicable to that specific model.
3.2.2 Diagnostic Analysis Process
For troubleshooting scenarios, the system supports a hybrid analysis mode:
- User describes problem → FortiAI returns diagnostic CLI commands
- User pastes debug output/log files → FortiAI analyzes and identifies root cause
Typical Troubleshooting Example:
User input: "troubleshoot issue ipsec vpn tunnel to-headoffice is down"
System returns:
Your debug is definitive: IKEv2 AUTH fails - authentication failed - PSK auth failed: probable pre-shared key mismatch - initiator receives AUTHENTICATION_FAILED
3.2.3 CLI Command Generation and Execution Process
- User inputs natural language requirement, example: "configure this fgt to block social media"
- LLM generates CLI commands
- User supplements environment information, example: "lan interface port2, update existing policy 1"
- LLM adjusts commands based on context
- User clicks Edit to open CLI Code Lab
- Edit commands in CLI Code Lab and click Execute
- System executes commands after secondary confirmation
- Execution results displayed in right pane
- User clicks Commit changes to save configuration
3.3 Session Management Mechanism
Token Consumption and Context
According to official documentation: "Because the FortiAI assistant uses session history to inform its responses, queries that are a part of a long session will use more tokens than new conversations."
Context Management Rules:
- Historical messages in the same session are sent to the LLM as context
- When message history reaches the limit, it will be compressed (may lose some information)
- Compressed history will reduce response accuracy
- LLM does not remember content from different sessions
Recommendation: When handling unrelated tasks, create a new session to get more accurate responses.
Chat History Management
| Function | Description |
|---|---|
| Chat History | View historical session list, click to restore and view |
| Export Chat | Export current conversation as JSON |
| Export Thread | Export complete thread (including timestamps, message IDs, etc.) |
4. Large Model Architecture Deep Analysis
4.1 Dual AI Provider Architecture
FortiOS 8.0's FortiAI adopts a dual-provider architecture, providing flexibility choices for administrators:
4.1.1 FortiAI Provider (Fortinet Native)
| Feature | Description |
|---|---|
| Token Source | Fortinet cloud service |
| Starting Quota | 2,000,000 Tokens per device per month |
| Additional Purchase | Available, shared across account devices |
| RAG Knowledge Base | Built-in FortiOS documentation |
| Model Validation | Cross-validation with target device |
4.1.2 OpenAI Provider (Third-party)
| Feature | Description |
|---|---|
| API Configuration | Need to configure API Key yourself |
| Model Selection | Can choose GPT-5.2 and other models |
| Billing Method | Billed directly from OpenAI account |
| Cost Control | No usage tracking within FortiOS |
CLI Configuration Options:
config system admin edit <admin-name> set gui-llm-provider {fortiai | openai} set openai-api-key <password> set openai-api-key-part2 <password> set openai-model <string> set openai-project-id <string> set openai-org-id <string> next end
4.2 RAG Architecture Analysis
4.2.1 RAG Component Composition
FortiAI-Assist's RAG system contains the following core components:
| Component | Function Description |
|---|---|
| Document Library | FortiOS Administration Guide + CLI Reference |
| Vector Database | Stores vector embeddings of document fragments |
| Retriever | Matches relevant document fragments based on user query |
| Generator (LLM) | Generates responses based on retrieval results |
| Validation Layer | Cross-validates command applicability with target device |
4.2.2 Retrieval Augmentation Mechanism
Document Sources: Official documentation clearly states: "When FortiAI uses FortiAI as the AI provider, the following FortiOS documents are used to provide answers: FortiOS Administration Guide, FortiOS CLI Reference."
RAG Workflow:
- Indexing Phase: Chunking and vectorizing official documentation
- Retrieval Phase: After user query vectorization, match Top-K relevant fragments with vector database
- Assembly Phase: Assemble user query + retrieved fragments + system prompt into complete prompt
- Generation Phase: LLM generates response based on assembled context
- Validation Phase: Check if generated commands are applicable to target FortiGate model
4.2.3 Local Data Analysis Capability
Different from pure documentation Q&A, FortiAI also supports local data analysis:
| Analysis Type | Input Source | Processing Method |
|---|---|---|
| Log Analysis | FortiGate local logs | Direct read and analysis |
| Debug Output | Administrator paste | Parse and identify root cause |
| Configuration Validation | Target device status | Cross-validate command applicability |
4.3 Deployment Mode Analysis
4.3.1 Cloud Processing Mode
Characteristics:
- LLM inference completed in Fortinet cloud
- Requires Internet connection
- Supports RAG document retrieval
4.3.2 Direct Third-party Mode
Characteristics:
- LLM inference completed on OpenAI servers
- No FortiOS documentation knowledge base enhancement
- Need to manage OpenAI account and fees yourself
5. Authorization and Billing Model
5.1 Authorization Requirements
According to official documentation, FortiAI-Assist authorization requirements are as follows:
FortiGate Hardware Devices
| Requirement Item | Specification |
|---|---|
| Memory Requirement | More than 2GB RAM |
| Subscription Requirement | FortiCare Premium Support |
| Starting Tokens | 2,000,000 per device per month |
| Additional Tokens | Purchasable, shared within account devices |
FortiGate-VM S-series
| Requirement Item | Specification |
|---|---|
| Memory Requirement | More than 2GB RAM |
| Subscription Requirement | FortiCare Premium OR Enterprise Bundle OR UTP Bundle OR ATP Protection Bundle |
Unsupported Scenarios
| Type | Description |
|---|---|
| FortiGate models (≤2GB RAM) | Do not support FortiAI functionality |
| Devices without subscription | Cannot use FortiAI |
| Trial License | May not be available (depending on specific terms) |
5.2 Token Billing Mechanism
Token Consumption Rules
| Consumption Source | Description |
|---|---|
| User Input (Prompt) | Counted by character/word count |
| LLM Output (Response) | Counted by generated text volume |
| Session History | Longer context means more consumption |
Official Explanation: "When you use the FortiAI assistant, the text in both the prompt (input) and the response (output) is processed as tokens." "Because the FortiAI assistant uses session history to inform its responses, queries that are a part of a long session will use more tokens than new conversations."
Token Best Practices
Token saving strategies recommended by official documentation:
| Strategy | Description | Example |
|---|---|---|
| Concise and Specific | Avoid lengthy descriptions | ❌ "Can you please help me create a firewall address for 10.0.0.1..." ✅ "Create firewall addresses for 10.0.0.1 and awesome-domain.com" |
| Use Filter Conditions | Narrow query scope | Specify specific interface names, time ranges |
| Use FortiOS Terminology | Precisely match functions | Use "quarantine device" instead of "block this device" |
| Reuse Session Context | Reduce repetitive explanations | Follow up in the same thread instead of opening new sessions |
Token Exhaustion Handling
When monthly Token quota is exhausted:
- FortiAI access is temporarily suspended
- Need to wait for next billing cycle reset
- Additional purchased Tokens are not subject to this limit
5.3 Billing Comparison of Different AI Providers
| Billing Dimension | FortiAI (Fortinet) | OpenAI |
|---|---|---|
| Starting Quota | 2,000,000 Tokens/month/device | None (pay-as-you-go) |
| Additional Purchase | Supported, shared across devices | Purchase API Key yourself |
| Usage Tracking | Visible within FortiOS | Need to check in OpenAI platform |
| Overflow Handling | Suspend access | Continue billing/reject requests |
6. Security and Privacy Protection
6.1 Data Masking Mechanism
FortiAI supports sensitive information masking before sending data to AI providers:
Masked Data Types
| Data Type | Masking Example |
|---|---|
| IP Address | 192.168.1.100 → [IP_1] |
| MAC Address | AA:BB:CC:DD:EE:FF → [MAC_1] |
| Email Address | user@example.com → [EMAIL_1] |
| Phone Number | 123-456-7890 → [PHONE_1] |
| URL | https://example.com → [URL_1] |
Masking Control
- Click icon to toggle in FortiAI chat window
- ✓ icon = Masking enabled
- × icon = Masking disabled
- Recommend always enabling in scenarios containing sensitive information
6.2 Permission Control
Administrator Permission Isolation
"FortiAI calls the FortiOS REST APIs with the same permissions as the logged in administrator."
This means:
- AI assistant cannot exceed admin profile permissions
- Even if high-privilege commands are generated, execution is still restricted by permissions
- Different administrators see different scopes of responses based on their profiles
Admin Profile Configuration
| Configuration Item | Default Value | Description |
|---|---|---|
| `gui-ai-assistant` | disable | AI assistant usage permission |
| super_admin | Always allowed | Cannot modify this profile |
7. Practical Application Scenario Examples
7.1 Scenario 1: IPsec VPN Tunnel Troubleshooting
Topology Background: Two FortiGates configured with IPsec site-to-site VPN, tunnel status is down
Troubleshooting Steps:
- In FortiAI chat window, input: "troubleshoot issue ipsec vpn tunnel to-headoffice is down"
- FortiAI returns diagnostic commands for collecting IKE debug logs
- Administrator executes commands in SSH session, collects log output
- Paste log output back to FortiAI chat window
- FortiAI analyzes logs and returns diagnostic results
7.2 Scenario 2: Configure Firewall Policy Using OpenAI
Requirement: Block social media access through web filter
Operation Steps:
- Enable OpenAI as AI provider
- Input natural language requirement: "configure this fgt to block social media by webfilter"
- FortiAI returns CLI commands, can supplement information to optimize: "lan interface port2. wan interface port1. update existing policy 1 instead of creating a new one"
- Click Edit to open commands in CLI Code Lab
- Edit commands and click Execute
- System executes after confirmation, output results displayed in right pane
- Click Commit changes to save configuration
8. Technical Specifications Summary
8.1 System Requirements
| Parameter | Specification |
|---|---|
| FortiOS Version | 8.0.0 and above |
| Hardware Requirement | FortiGate models with more than 2GB RAM |
| Network Requirement | Internet access |
| License Requirement | FortiCare Premium (or equivalent Bundle) |
8.2 CLI Command Summary
Enable AI Assistant Permission
config system accprofile edit <profile-name> set gui-ai-assistant {enable | disable} next end
Configure OpenAI Provider
config system admin edit <admin-name> set gui-llm-provider {fortiai | openai} set openai-api-key <password> set openai-api-key-part2 <password> set openai-model <string> set openai-project-id <string> set openai-org-id <string> next end
8.3 Token Quota (FortiAI Provider)
| FortiGate Type | Starting Tokens/Month | Scalability |
|---|---|---|
| Hardware Devices | 2,000,000 | Purchasable, shared across devices |
| VM S-series | Same as above | Same as above |
9. Summary and Recommendations
9.1 Core Value
FortiOS 8.0's FortiAI-Assist brings the following core values to FortiGate administrators:
| Value Dimension | Specific Embodiment |
|---|---|
| Cost Reduction and Efficiency | Natural language interaction lowers CLI learning barrier |
| Rapid Diagnosis | Automatically analyzes debug output, accelerates fault localization |
| Configuration Automation | CLI Code Lab enables command generation-editing-execution integration |
| Security and Control | Permission isolation + data masking ensures operational security |
9.2 Selection Recommendations
| Scenario | Recommended AI Provider | Reason |
|---|---|---|
| Need RAG documentation support | FortiAI | Built-in FortiOS knowledge base |
| High-frequency use, familiar with FortiOS | FortiAI | Token sharing saves costs |
| Already have OpenAI account | OpenAI | Reuse existing resources |
| Need GPT advanced models | OpenAI | Can choose GPT-5.2 and other models |
9.3 Notes
- Token Management: For high-frequency usage scenarios, recommend enabling data masking and streamlining sessions
- Permission Control: Recommend disabling AI Assistant for non-administrator accounts
- Network Security: Ensure HTTPS communication security between FortiGate and AI services
- Compliance Requirements: When using OpenAI, pay attention to data cross-border compliance
References
- Fortinet. "FortiAI assistant and CLI Code Lab" - FortiOS 8.0.0 New Features. https://docs.fortinet.com/document/fortigate/8.0.0/new-features/018007/fortiai-assistant-and-cli-code-lab
- Fortinet. "FortiAI Assistant for FortiADC 8.0.2" - FortiADC New Features. https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/6b854031-36c8-11f0-a9d0-d2b0d2e22f7d/fortiadc-v8.0.2-new-features.pdf
- Fortinet. "Protecting GenAI access using application control" - FortiGate Administration Guide. https://docs.fortinet.com/document/fortigate/latest/administration-guide/679448/protecting-genai-access-using-application-control
- Fortinet. "FortiOS 8.0 New Features Overview" - FortiGate / FortiOS. https://docs.fortinet.com/document/fortigate/8.0.0/new-features
- Fortinet. "Using FortiAI" - FortiADC Administration Guide. https://docs.fortinet.com/document/fortiadc/latest/administration-guide/330090/using-fortiai
Why it Matters
FortiOS 8.0's FortiAI represents a significant innovation in network security operations, deeply integrating generative AI capabilities into the firewall operating system, significantly lowering the technical barrier for network administrators and improving operational efficiency.
DECISION
For enterprises using FortiGate, it is recommended to evaluate the practical application scenarios of FortiAI-Assist, prioritize pilots in troubleshooting and configuration automation areas, and decide whether to expand deployment scope based on usage results.
PREDICT
In the future, FortiAI may further enhance integration capabilities with FortiAnalyzer and FortiSIEM, evolving from intelligent operations to intelligent security operations centers, while potentially introducing more AI model choices and localized deployment options.
💬 Comments (0)