Automating Fortinet Firewalls with Terraform
How to manage enterprise firewall rules as code — eliminating change advisory boards for routine updates.
At Darden, our Fortinet FortiGate firewalls sat between every spoke and the hub. Every application team needed firewall rules, and every rule required a change ticket, CAB approval, and manual implementation by the network team. The process took 2-3 weeks for a single rule.
The Terraform Provider
The fortinetdev/fortios Terraform provider lets you manage firewall policies, addresses, address groups, and services declaratively. Combined with our existing IaC pipeline, application teams could now submit firewall rules as pull requests.
The Workflow
- App team adds firewall rule to their Terraform config
- PR triggers plan — shows exactly what will change
- Security team reviews the diff (not a Word document)
- Merge triggers apply — rule deployed in minutes, not weeks
Safety Mechanisms
- Policy validation — Custom Sentinel policies prevent overly permissive rules (no "any any allow")
- Ordering preservation — Terraform manages rule priority to prevent conflicts
- Rollback capability — Previous state can be restored in seconds via git revert
- Audit trail — Every change tracked in git with author, reviewer, and timestamp
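The "no any any allow" guardrail above is described as a Sentinel policy; the same check can be expressed as a plain script over the JSON plan that `terraform show -json` emits, which is handy where Sentinel is not available. This is an added example, not Darden's code: the plan excerpt is constructed, the attribute names follow the fortinetdev/fortios `fortios_firewall_policy` schema, and the traffic-logging check is an extra condition beyond what the post lists.

```python
import json

# Constructed excerpt of `terraform show -json tfplan` output, trimmed to the fields the
# check reads; fortios nested blocks (srcaddr, dstaddr, service) serialise as lists of {"name": ...}.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "fortios_firewall_policy.web_to_db", "type": "fortios_firewall_policy",
     "change": {"actions": ["create"], "after": {
         "action": "accept", "srcaddr": [{"name": "web_tier"}], "dstaddr": [{"name": "db_tier"}],
         "service": [{"name": "MSSQL"}], "logtraffic": "all"}}},
    {"address": "fortios_firewall_policy.permit_any", "type": "fortios_firewall_policy",
     "change": {"actions": ["create"], "after": {
         "action": "accept", "srcaddr": [{"name": "all"}], "dstaddr": [{"name": "all"}],
         "service": [{"name": "ALL"}], "logtraffic": "disable"}}},
    {"address": "fortios_firewall_address.web_tier", "type": "fortios_firewall_address",
     "change": {"actions": ["create"], "after": {"subnet": "10.1.0.0 255.255.255.0"}}},
]})

WILDCARD_ADDRESSES = {"all"}   # FortiGate's built-in catch-all address object
WILDCARD_SERVICES = {"ALL"}    # FortiGate's built-in catch-all service object


def _names(block):
    """Collect the referenced object names from a srcaddr/dstaddr/service block."""
    return {entry["name"] for entry in (block or [])}


def find_violations(plan_json):
    """Map each offending fortios_firewall_policy address to the reasons it must not merge."""
    violations = {}
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc["type"] != "fortios_firewall_policy" or rc["change"]["actions"] == ["delete"]:
            continue  # other resource types, and removals, permit nothing new
        after = rc["change"]["after"]
        if after.get("action") != "accept":
            continue  # deny policies are never "too permissive"
        reasons = []
        src, dst, svc = (_names(after.get(k)) for k in ("srcaddr", "dstaddr", "service"))
        if src & WILDCARD_ADDRESSES and dst & WILDCARD_ADDRESSES:
            reasons.append("source and destination are both 'all'")
        if svc & WILDCARD_SERVICES:
            reasons.append("service is ALL")
        if after.get("logtraffic") not in ("all", "utm"):
            reasons.append("accept policy without traffic logging")
        if reasons:
            violations[rc["address"]] = reasons
    return violations


if __name__ == "__main__":
    for address, reasons in find_violations(SAMPLE_PLAN).items():
        print(f"BLOCK {address}: {'; '.join(reasons)}")
```

Run it as a PR status check against the real plan (`terraform show -json tfplan`) and fail the build when the returned dict is non-empty.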
Results
Firewall rule deployment: 2-3 weeks → same-day. CAB meetings for routine rules: eliminated. Security team visibility: dramatically improved (reviewing code diffs vs. spreadsheets).