FortiManager 5.6.0 Administration Guide

FortiManager - Administration Guide
VERSION 5.6.0
FORTINET DOCUMENT LIBRARY
http://docs.fortinet.com
FORTINET VIDEO GUIDE
http://video.fortinet.com
FORTINET BLOG
https://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com
FORTIGATE COOKBOOK
http://cookbook.fortinet.com
FORTINET TRAINING SERVICES
http://www.fortinet.com/training
FORTIGUARD CENTER
http://www.fortiguard.com
END USER LICENSE AGREEMENT
http://www.fortinet.com/doc/legal/EULA.pdf
FEEDBACK
Email: techdocs@fortinet.com
January 19, 2018
FortiManager 5.6.0 Administration Guide
02-560-400706-20180119
TABLE OF CONTENTS
Change Log
Introduction
FortiManager features
FortiManager feature set
FortiAnalyzer feature set
About this document
FortiManager documentation
What’s New
FortiManager 5.6.0
Security Fabric management
Policy packages
VPN Manager
FortiAP Manager performance improvements
FortiGuard Package management usability
FMG-VM minimum configuration check
Add-on license for high-end appliances
FortiManager Architecture
Inside the FortiManager system
Communication protocols and devices
Object database and devices
ADOMs and devices
Key features of the FortiManager system
Security Fabric
Configuration revision control and tracking
Centralized management
Administrative domains
Local FortiGuard service provisioning
Firmware management
Scripting
Logging and reporting
Fortinet device life cycle management
GUI
Connecting to the GUI
GUI overview
Panes
Color themes
Full-screen mode
Switching between ADOMs
Using the right-click menu
Avatars
Showing and hiding passwords
Security considerations
Restricting GUI access by trusted host
Other security considerations
Restarting and shutting down
Getting Started
Configuring the FortiManager
Adding devices
Installing to managed devices
Enabling central management
Monitoring managed devices
Network
Configuring network interfaces
Disabling ports
Changing administrative access
Static routes
RAID Management
Supported RAID levels
Configuring the RAID level
Monitoring RAID status
Swapping hard disks
Adding hard disks
Administrative Domains
Default ADOMs
Organizing devices into ADOMs
Enabling and disabling the ADOM feature
ADOM device modes
ADOM modes
Managing ADOMs
Creating ADOMs
Assigning devices to an ADOM
Assigning administrators to an ADOM
Editing an ADOM
Deleting ADOMs
ADOM versions
Global database version
Concurrent ADOM access
Locking an ADOM
Upgrading an ADOM
Workflow Mode
Enable or disable workflow mode
Workflow approval
Workflow sessions
Administrators
Trusted hosts
Monitoring administrators
Disconnecting administrators
Managing administrator accounts
Creating administrators
Editing administrators
Deleting administrators
Restricted administrators
Administrator profiles
Permissions
Creating administrator profiles
Editing administrator profiles
Deleting administrator profiles
Authentication
Public Key Infrastructure
Managing remote authentication servers
LDAP servers
RADIUS servers
TACACS+ servers
Remote authentication server groups
Global administration settings
Password policy
Password lockout and retry attempts
GUI language
Idle timeout
Two-factor authentication
Configuring FortiAuthenticator
Configuring FortiManager
Device Manager
ADOMs
Adding devices
Adding devices using the wizard
Adding devices manually
Add a VDOM to a device
Adding a security fabric group
Import policy wizard
Adding FortiAnalyzer devices
Adding FortiAnalyzer devices with the wizard
Importing devices
Importing detected devices
Importing and exporting device lists
Configuring devices
Configuring a device
Out-of-Sync device
Configuring VDOMs
Using the device dashboard
View system dashboard for managed/logging devices
View system interfaces
CLI-Only Objects menu
System dashboard widgets
Installing to devices
Using the Install Wizard to install policy packages and device settings
Using the Install Wizard to install device settings only
View a policy package diff
Managing devices
Using the quick status bar
Customizing columns
Refreshing a device
Editing device information
Replacing a managed device
Setting unregistered device options
Using the CLI console for managed devices
Displaying security fabric topology
Managing device configurations
View configurations for device groups
Checking device configuration status
Managing configuration revision history
Device groups
Default device groups
Add device groups
Manage device groups
Firmware
View firmware for device groups
Upgrade firmware for device groups
Firmware Management
License
View licenses for device groups
License Management
Add-on license
Provisioning Templates
System templates
Threat Weight templates
Certificate templates
Scripts
Enabling scripts
Configuring scripts
Script syntax
Script history
Script samples
SD-WAN Link Load Balance
Enabling central monitoring of load balancing
Creating load balancing profiles
Manage load balancing profiles
Creating profiles for checking WAN link status
Manage profiles for checking WAN link status
FortiExtender
Centrally managed
FortiMeter
Overview
Points
Authorizing metered VMs
Monitoring VMs
FortiGate chassis devices
Viewing chassis dashboard
Log and file storage
Disk space allocation
Log and file workflow
Automatic deletion
Logs for deleted devices
Log storage policy
Configure log storage
Storage statistics
Policy & Objects
About policies
Policy theory
Global policy packages
Policy workflow
Provisioning new devices
Day-to-day management of devices
Display options
Managing policy packages
Create new policy packages
Create new policy package folders
Edit a policy package or folder
Clone a policy package
Remove a policy package or folder
Assign a global policy package
Install a policy package
Schedule a policy package install
Reinstall a policy package
Export a policy package
Policy package installation targets
Perform a policy consistency check
View logs related to a policy rule
Managing policies
Creating policies
Editing policies
IP policies
NAT policies
Proxy policy
Central SNAT
Central DNAT
DoS policy
Interface policy
Multicast policy
Local in policy
Traffic shaping policy
Managing objects and dynamic objects
Create a new object
Map a dynamic object
Map a dynamic device group
Remove an object
Edit an object
Clone an object
Search objects
Find unused objects
Find and merge duplicate objects
CLI-Only objects
FortiToken configuration example
FSSO user groups
Interface mapping
ADOM revisions
VPN Manager
Overview
Enabling central VPN management
IPsec VPN Communities
Managing IPsec VPN communities
Creating IPsec VPN communities
VPN community settings
Monitoring IPsec VPN tunnels
Map View
IPsec VPN gateways
Managing VPN gateways
Creating managed gateways
Creating external gateways
VPN security policies
Defining policy addresses
Defining security policies
SSL VPN
Manage SSL VPNs
Portal profiles
Monitor SSL VPNs
AP Manager
Managed APs
Quick status bar
Managing APs
FortiAP groups
Authorizing and deauthorizing FortiAP devices
Assigning profiles to FortiAP devices
Rogue APs
Connected clients
Monitor
Clients Monitor
Health Monitor
Map View
WiFi templates
AP profiles
SSIDs
WIDS profiles
FortiClient Manager
How FortiManager fits into endpoint compliance
FortiTelemetry
Viewing devices
Enabling FortiTelemetry on interfaces
Enabling endpoint control on interfaces
Assigning FortiClient profile packages to devices
Monitor
Monitoring FortiClient endpoints
Monitoring FortiClient endpoints by compliance status
Monitoring FortiClient endpoints by interface
Exempting non-compliant FortiClient endpoints
FortiClient profiles
Viewing profile packages
Viewing FortiClient profiles
Creating FortiClient profile packages
Creating FortiClient profiles
Editing FortiClient profiles
Deleting FortiClient profiles
Importing FortiClient profiles
Assigning profile packages
FortiGuard
Settings
Connecting the built-in FDS to the FDN
Operating as an FDS in a closed network
Configuring devices to use the built-in FDS
Matching port settings
Handling connection attempts from unregistered devices
Configuring FortiGuard services
Enabling push updates
Enabling updates through a web proxy
Overriding default IP addresses and ports
Scheduling updates
Accessing public FortiGuard web and email filter servers
Logging events related to FortiGuard services
Logging FortiGuard antivirus and IPS updates
Logging FortiGuard web or email filter events
Restoring the URL or antispam database
Licensing status
Package management
Receive status
Service status
Query server management
Receive status
Query status
Firmware images
FortiSwitch Manager
Managed Switches
Quick status bar
Managing FortiSwitches
Authorizing and deauthorizing FortiSwitch devices
Assigning templates to FortiSwitch devices
Monitor
FortiSwitch Templates
FortiSwitch templates
FortiSwitch VLANs
FortiAnalyzer Features
Enable or disable FortiAnalyzer features
Viewing policy rules
FortiView
How ADOMs affect the FortiView pane
Logs used for FortiView
FortiView summary list and description
Using FortiView
FortiView summary page
Viewing FortiView summaries
Filtering FortiView summaries
Viewing related logs
Exporting filtered summaries
Viewing Indicators of Compromise information
Monitoring resource usage of devices
Examples of using FortiView
Finding application and user information
Finding unsecured wireless access points
Analyzing and reporting on network traffic
Viewing vulnerabilities with high severity and frequency
NOC
NOC Dashboard
Using the NOC dashboard
Customizing the NOC dashboard
NOC dashboards and widgets
Security Monitor
WiFi Monitor
System Performance
Log View
Types of logs collected for each device
Log messages
Viewing the log message list of a specific log type
Viewing log message details
Customizing displayed columns
Filtering log messages
Viewing historical and real-time logs
Viewing raw and formatted logs
Custom views
Downloading log messages
Creating charts
Log groups
Log Browse
Importing a log file
Downloading a log file
Deleting log files
Event Management
How ADOMs affect events
Predefined event handlers
Logs used for events
Event handlers
Managing event handlers
List of predefined event handlers
Enabling event handlers
Creating custom event handlers
Create New Handler pane
Filtering event handlers
Searching event handlers
Resetting to factory defaults
Events
Event summaries
Filtered event list
Event details
Acknowledging events
Event calendar
Reports
How ADOMs affect reports
Predefined reports, templates, charts, and macros
Logs used for reports
How charts and macros extract data from logs
How auto-cache works
Generating reports
Viewing completed reports
Enabling auto-cache
Grouping reports
Retrieving report diagnostic logs
Scheduling reports
Creating reports
Creating reports from report templates
Creating reports by cloning and editing
Creating reports without using a template
Reports Settings tab
Customizing report cover pages
Reports Layout tab
Filtering report output
Managing reports
Organizing reports into folders
Importing and exporting reports
Report template library
Creating report templates
Viewing sample reports for predefined report templates
Managing report templates
List of report templates
Chart library
Creating charts
Managing charts
Macro library
Creating macros
Managing macros
Datasets
Creating datasets
Viewing the SQL query for an existing dataset
Managing datasets
Output profiles
Creating output profiles
Managing output profiles
Report languages
Predefined report languages
Adding language placeholders
Managing report languages
Report calendar
Viewing all scheduled reports
Managing report schedules
System Settings
Dashboard
Customizing the dashboard
System Information widget
System Resources widget
License Information widget
Unit Operation widget
CLI Console widget
Alert Messages Console widget
Log Receive Monitor widget
Insert Rate vs Receive Rate widget
Log Insert Lag Time widget
Receive Rate vs Forwarding Rate widget
Disk I/O widget
Logging Topology
High Availability
Configuring HA options
Monitoring HA status
Upgrading the FortiManager firmware for an operating cluster
Certificates
Local certificates
CA certificates
Certificate revocation lists
Fetcher Management
Fetching profiles
Fetch requests
Synchronizing devices and ADOMs
Fetch monitoring
Event Log
Event log filtering
Task Monitor
SNMP
SNMP agent
SNMP v1/v2c communities
SNMP v3 users
SNMP MIBs
SNMP traps
Fortinet & FortiManager MIB fields
Mail Server
Syslog Server
Meta Fields
Device logs
Configuring rolling and uploading of logs using the GUI
Configuring rolling and uploading of logs using the CLI
File Management
Advanced Settings
Change Log
Date         Change Description
2017-07-27   Initial release.
2017-08-17   Clarified that ADOMs must be locked for device-level changes when workflow mode is enabled.
2017-08-21   Clarified that global policy packages can be assigned to ADOMs of the same version as the global database or the next higher major release.
2017-09-01   Restricted administrator information updated and expanded.
2017-09-07   Updated the list of predefined event handlers and added details about generic text filter operators.
2017-09-11   Updated policy package information for version 5.6 and later ADOMs.
2017-11-29   Added a note to clarify that you cannot add a FortiAnalyzer device to FortiManager when ADOMs are enabled and ADOM mode is set to Advanced.
2018-01-19   Updated Event Management > Event handlers > Creating custom event handlers.
Administration Guide
Fortinet Technologies Inc.
Introduction
FortiManager Security Management appliances allow you to centrally manage any number of Fortinet Network
Security devices, from several to thousands, including FortiGate, FortiWiFi, and FortiAP devices. Network
administrators can better control their network by logically grouping devices into administrative domains
(ADOMs), efficiently applying policies and distributing content security/firmware updates. FortiManager is one of
several versatile Network Security Management Products that provide a diversity of deployment types, growth
flexibility, advanced customization through APIs and simple licensing.
FortiManager features
FortiManager provides the following features:
- Provides easy centralized configuration, policy-based provisioning, update management, and end-to-end network monitoring for your Fortinet installation.
- Segregates management of large deployments easily and securely by grouping devices and agents into geographic or functional ADOMs.
- Manages units in a Security Fabric group as if they were a single device and displays the Security Fabric topology.
- Reduces your management burden and operational costs with fast device and agent provisioning, detailed revision tracking, and thorough auditing capabilities.
- Manages complex mesh and star VPN environments while leveraging FortiManager as a local distribution point for software and policy updates.
- Integrates with FortiAnalyzer appliances to provide in-depth discovery, analysis, prioritization, and reporting of network security events.
- Lets you quickly create and modify policies and objects with a consolidated, drag-and-drop enabled, in-view editor.
- Lets you script and automate device provisioning, policy pushing, and similar tasks with the JSON API, or build custom web portals with the XML API.
- Provides device profiles for mass provisioning and configuration of managed devices.
- Centrally controls firmware upgrades and content security updates from FortiGuard Center Threat Research & Response.
- Deploys as either a physical hardware appliance or a virtual machine, with multiple options to dynamically increase storage.
The FortiManager system architecture emphasizes reliability, scalability, ease of use, and easy integration with third-party systems.
FortiManager feature set
The FortiManager feature set includes the following modules:
- Device Manager
- Policy & Objects
- AP Manager
- FortiClient Manager
- VPN Manager
- FortiGuard
- FortiSwitch Manager
- System Settings
FortiAnalyzer feature set
The FortiAnalyzer feature set can be enabled in FortiManager. The FortiAnalyzer feature set includes the
following panes:
- FortiView
- NOC
- Log View
- Event Management
- Reports
The FortiAnalyzer feature set is disabled by default. To enable the features, turn it on
from the dashboard (see System Information widget on page 448), or use the
following CLI commands:
config system global
set faz-status enable
end
Changing faz status will affect FAZ feature in FMG. If you
continue, system will reboot to add/remove FAZ feature.
Do you want to continue? (y/n) y
About this document
This document describes how to configure and manage your FortiManager system and the devices that it
manages.
The FortiManager documentation assumes that you have one or more FortiGate units and documentation for the
FortiGate unit. It also assumes that you are familiar with configuring your FortiGate units before using the
FortiManager system. Where FortiManager system features or parts of features are identical to the FortiGate
unit’s, the FortiManager system documentation refers to the FortiGate unit documentation for further
configuration assistance with that feature.
FortiManager documentation
The following FortiManager product documentation is available:
- FortiManager Compatibility
  This document identifies FortiManager software support for FortiOS.
- FortiManager Release Notes
  This document describes new features and enhancements in the FortiManager system for the release, and lists resolved and known issues. This document also defines supported platforms and firmware versions.
- FortiManager Upgrade Guide
  This document describes how to upgrade FortiManager.
- FortiManager device QuickStart Guides
  These documents are included with your FortiManager system package. Use these documents to install and begin working with the FortiManager system and the FortiManager Graphical User Interface (GUI).
- FortiManager VM Install Guide
  This document describes installing FortiManager VM in your virtual environment.
- FortiManager Administration Guide
  This document describes how to set up the FortiManager system and use it to manage supported Fortinet units. It includes information on how to configure multiple Fortinet units, configure and manage the FortiGate VPN policies, monitor the status of the managed devices, view and analyze the FortiGate logs, update the virus and attack signatures, provide web filtering and email filter service to the licensed FortiGate units as a local FortiGuard Distribution Server (FDS), control firmware revisions, and update the firmware images of the managed units.
- FortiManager Online Help
  You can get online help from the FortiManager GUI. FortiManager online help contains detailed procedures for using the FortiManager GUI to configure and manage FortiGate units.
- FortiManager CLI Reference
  This document describes how to use the FortiManager Command Line Interface (CLI) and contains references for all FortiManager CLI commands.
- FortiManager and FortiAnalyzer Event Log Reference
  This document describes the log messages available with FortiManager when local logging is enabled.
- FortiManager JSON API Reference
  This document lists all of the objects available with the FortiManager JSON Application Programming Interface. The document is only available on the FNDN site at https://fndn.fortinet.net/.
- FortiManager JSON API Diff
  This document lists all of the objects that were added, modified, and removed between the current and previous release of the FortiManager JSON Application Programming Interface. The document is only available on the FNDN site at https://fndn.fortinet.net/.
- FortiManager XML API Reference
  This document describes how to use the legacy XML-based FortiManager Application Programming Interface to obtain information from the FortiManager unit.
What’s New
FortiManager version 5.6 includes the following new features and enhancements. Always review all sections in
the FortiManager Release Notes prior to upgrading your device.
Not all features/enhancements listed below are supported on all models.
FortiManager 5.6.0
FortiManager version 5.6.0 includes the following new features and enhancements:
Security Fabric management
Managed FortiGate Security Fabric cluster
You can now manage FortiGates in a Security Fabric cluster as if they are a single device. See Adding a security
fabric group on page 112.
You can also view the topology of the FortiGate Security Fabric cluster from Device Manager. See Displaying
security fabric topology on page 137.
FortiSwitch Manager
A new FortiSwitch Manager module that supports provisioning templates, central deployments and status
monitoring for managed switches is available. See FortiSwitch Manager on page 352.
Managed FortiAnalyzer
You can now use the new Add FortiAnalyzer device wizard to add a FortiAnalyzer unit to FortiManager to better support managed devices with logging enabled. See Adding FortiAnalyzer devices on page 114.
You cannot add a FortiAnalyzer unit to FortiManager when ADOMs are enabled and ADOM mode is set to Advanced.
When you add a FortiAnalyzer device to FortiManager with ADOMs disabled, all devices with logging enabled automatically send logs to the FortiAnalyzer device. You can add only one FortiAnalyzer device to FortiManager, and the FortiAnalyzer device limit must be equal to or greater than the number of devices managed by FortiManager.
When you add a FortiAnalyzer device to FortiManager with ADOMs enabled, all devices with logging enabled in the ADOM automatically send logs to the FortiAnalyzer device. You can add only one FortiAnalyzer device to each ADOM, and the FortiAnalyzer device limit must be equal to or greater than the number of devices managed in that FortiManager ADOM.
After you add a FortiAnalyzer device to FortiManager by using the Add FortiAnalyzer device wizard, you can use FortiManager to remotely access FortiView, Log View, Event Management, and Reports on the managed FortiAnalyzer unit.
Policy packages
Central DNAT
Central DNAT is now available at the policy package level. You can add a central DNAT entry by creating a new Virtual IP or by using an existing Virtual IP. The Virtual IP objects that these entries reference are ADOM objects and are shared amongst all the policy packages. See Central DNAT on page 235.
Traffic shaping policy package for ADOMs
FortiManager now supports global traffic shaping policies that allow both header and footer traffic shaping
policies.
FortiManager also supports traffic shaping policy packages at the ADOM level.
See Traffic shaping policy on page 245.
VPN Manager
Set priority on VPN Gateway interface
You can set priority on VPN Gateway Interface from the FortiManager GUI by using the Advanced Options
section. The priority information is now saved in the generated VPN routes. See VPN Manager on page 258.
VPN Gateways on Google map
Display VPN gateways on Google map and monitor the VPN tunnel traffic in real-time. See Map View on
page 269.
FortiAP Manager performance improvements
The performance of AP Manager for managing deployments with more than 10,000 FortiAP units has been
improved. See AP Manager on page 289.
FortiGuard Package management usability
You can view the service status by managed device or by installed package. See Service status on page 347.
FMG-VM minimum configuration check
For FMG-VM running in VMware hypervisor, the FortiManager GUI displays a warning if the VM installation does
not meet the minimum required 2x vCPU and 4GB memory. See System Resources widget on page 454.
Add-on license for high-end appliances
- Allows additional devices/VDOMs on high-end appliances; additional devices are added in batches of 100
- Up to 100,000 devices/VDOMs maximum on FMG-3900E
- Up to 8,000 devices/VDOMs maximum on FMG-3000F
FortiManager Architecture
FortiManager is an integrated platform for the centralized management of products in a Fortinet security
infrastructure. FortiManager provides centralized policy-based provisioning, configuration and update
management for FortiGate, FortiWiFi, FortiAP, and other devices. For a complete list of supported devices, see
the FortiManager Release Notes.
To reduce network delays and to minimize external Internet usage, a FortiManager installation can also act as an
on-site FortiGuard Distribution Server (FDS) for your managed devices and FortiClient agents to download
updates to their virus and attack signatures, and to use the built-in web filtering and email filter services.
You can also optionally enable the FortiAnalyzer features, which enables you to analyze logs for managed
devices and generate reports.
FortiManager scales to manage up to 5000 devices and virtual domains (VDOMs) from a single FortiManager interface; high-end appliances can manage more with the add-on license (see Add-on license for high-end appliances in What's New). It is primarily designed for medium to large enterprises and managed security service providers.
Using a FortiManager device as part of an organization’s Fortinet security infrastructure can help minimize both
initial deployment costs and ongoing operating expenses. It allows fast device provisioning, detailed revision
tracking, and thorough auditing.
Following is a diagram that shows an overview of the main FortiManager elements: Device Manager, FortiGuard,
and FortiAnalyzer features. FortiManager includes a central database that stores elements for Policy & Objects,
AP Manager, VPN Manager, FortiClient Manager, and FortiSwitch Manager, and you can install these elements
to devices through Device Manager.
Inside the FortiManager system
FortiManager is a robust system with multiple communication protocols and layers to help you effectively
manage your Fortinet security infrastructure.
Communication protocols and devices
FortiManager communicates with managed devices by using several protocols. Device Manager, FortiGuard
Manager, and FortiAnalyzer Features each use a different protocol to communicate with managed devices.
Device Manager
Device Manager contains all devices that are managed by the FortiManager unit. You can create new device
groups, provision and add devices, and install policy packages and device settings. Device Manager
communicates with devices by using the FortiGate-FortiManager (FGFM) protocol. See Device Manager on
page 103.
FortiGuard Manager
FortiGuard Manager communicates with devices by using the FortiGuard protocol.
FortiAnalyzer features
When FortiAnalyzer features are enabled for the FortiManager unit, the FortiView, NOC, Log View, Event Management, and Reports panes are available. FortiAnalyzer features include tools for viewing and analyzing log messages, and they communicate with devices by using the logging protocol.
Object database and devices
FortiManager includes an object database to store all of the objects that you create. You can use the objects in
the following panes and apply the objects to devices:
- Policy & Objects
- AP Manager
- VPN Manager
- FortiClient Manager
- FortiSwitch Manager
Policy & Objects
The Policy & Objects pane contains all of your global and local policy packages and objects, and configuration revisions. Objects created for the Policy & Objects pane are stored in the objects database. See Policy & Objects on page 204.
AP Manager
The AP Manager pane lets you view and configure FortiAP access points as well as FortiExtender wireless
WAN extenders. Objects created for the AP Manager pane are stored in the objects database. See AP Manager
on page 289.
VPN Manager
The VPN Manager pane lets you centrally manage IPsec VPN and SSL-VPN settings. Objects created for the
VPN Manager pane are stored in the objects database. See VPN Manager on page 258.
FortiClient Manager
The FortiClient Manager pane lets you manage FortiClient profiles and monitor FortiClient endpoints that are
registered to FortiGate devices. Objects created for the FortiClient Manager pane are stored in the objects
database. See FortiClient Manager on page 317.
FortiSwitch Manager
The FortiSwitch Manager pane lets you manage and monitor FortiSwitch devices, and configure FortiSwitch
templates and VLANs. Objects created for the FortiSwitch Manager pane are stored in the objects database. See
FortiSwitch Manager on page 352.
ADOMs and devices
The Device Manager pane is used to install policy packages to devices. When ADOMs are enabled, the Device
Manager pane is used to install policy packages to the devices in an ADOM.
Policy packages can include header policies and footer policies. You can create header and footer policies by
using the global ADOM. The global ADOM allows you to create header and footer policies once, and then assign
the header and footer policies to multiple policy packages in one or more ADOMs.
For example, a header policy might block all network traffic to a specific country, and a footer policy might apply antivirus scanning to any traffic that none of the ADOM's own policies matched. Although you have unique policy packages in each ADOM, you might want to assign the same header and footer policies to all policy packages in all ADOMs.
Following is a visual summary of the process and a description of what occurs in the global ADOM layer, ADOM
layer, and device manager layer.
Global ADOM layer
The global ADOM layer contains two key pieces: the global object database and all header and footer policies.
Header and footer policies are used to envelop policies within each individual ADOM. These are typically invisible
to users and devices in the ADOM layer. An example of where this would be used is in a carrier environment,
where the carrier would allow customer traffic to pass through their network but would not allow the customer to
have access to the carrier’s network assets.
ADOM layer
The ADOM layer is where FortiManager manages individual devices, VDOMs, or groups of devices. It is inside
this layer where policy packages and folders are created, managed, and installed on managed devices. Multiple
policy packages and folders can be created here. The ADOM layer contains one common object database per
ADOM, which contains information such as addresses, services, antivirus and attack definitions, and web filtering
and email filter.
Device manager layer
The device manager layer records information on devices that are centrally managed by the FortiManager unit,
such as the name and type of device, the specific device model, its IP address, the current firmware installed on
the unit, the device’s revision history, and its real-time status.
Key features of the FortiManager system
Security Fabric
FortiManager can recognize a Security Fabric group of devices and display all units in the group on the Device
Manager pane, and you can manage the units in the Security Fabric group as if they were a single device. See
Adding a security fabric group on page 112. You can also display the security fabric topology. See Displaying
security fabric topology on page 137.
Configuration revision control and tracking
Your FortiManager unit records and maintains the history of all configuration changes made over time. Revisions
can be scheduled for deployment or rolled back to a previous configuration when needed.
Centralized management
FortiManager can centrally manage the configurations of multiple devices from a single console. Configurations
can then be built in a central repository and deployed to multiple devices when required.
Administrative domains
FortiManager can segregate management of large deployments by grouping devices into geographic or
functional ADOMs. See Administrative Domains on page 49.
Local FortiGuard service provisioning
A FortiGate device can use the FortiManager unit for antivirus, intrusion prevention, web filtering, and email
filtering to optimize performance of rating lookups, and definition and signature downloads. See FortiGuard on
page 330.
Firmware management
FortiManager can centrally manage firmware images and schedule managed devices for upgrade.
Scripting
FortiManager supports CLI or Tcl based scripts to simplify configuration deployments. See Scripts on page 154.
Logging and reporting
FortiManager can also be used to log traffic from managed devices and generate Structured Query Language
(SQL) based reports. FortiManager also integrates FortiAnalyzer logging and reporting features.
Fortinet device life cycle management
The management tasks for devices in a Fortinet security infrastructure follow a typical life cycle:
- Deployment: An administrator completes configuration of the Fortinet devices in their network after initial
installation.
- Monitoring: The administrator monitors the status and health of devices in the security infrastructure, including
resource monitoring and network usage. External threats to your network infrastructure can be monitored and alerts
generated to advise.
- Maintenance: The administrator performs configuration updates as needed to keep devices up-to-date.
- Upgrading: Virus definitions, attack and data leak prevention signatures, web and email filtering services, and
device firmware images are all kept current to provide continuous protection for devices in the security
infrastructure.
See also Getting Started on page 37.
GUI
You can use the GUI to configure most FortiManager settings, such as the date, time, and the host name. You
can also use the GUI to reboot and shut down the FortiManager unit.
Connecting to the GUI
The FortiManager unit can be configured and managed using the GUI or the CLI. This section will step you
through connecting to the unit via the GUI.
To connect to the GUI:
1. Connect the FortiManager unit to a management computer using an Ethernet cable.
2. Configure the management computer to be on the same subnet as the internal interface of the FortiManager unit:
- IP address: 192.168.1.X
- Netmask: 255.255.255.0
3. On the management computer, start a supported web browser and browse to https://192.168.1.99.
4. Type admin in the Name field, leave the Password field blank, and click Login.
5. If ADOMs are enabled, the Select an ADOM pane is displayed. Click an ADOM to select it.
The FortiManager home page is displayed.
6. Click a tile to go to that pane. For example, click the Device Manager tile to go to the Device Manager pane.
If the network interfaces have been configured differently during installation, the URL
and/or permitted administrative access protocols (such as HTTPS) may no longer be in
their default state.
For information on enabling administrative access protocols and configuring IP addresses, see Configuring
network interfaces on page 40.
If the URL is correct and you still cannot access the GUI, you may also need to
configure static routes. For details, see Static routes on page 42.
When the system is busy during a database upgrade or rebuild, you will receive a
message in the GUI log-in pane. The message will include the estimated completion
time.
After logging in for the first time, you should create an administrator account for yourself and assign the Super_
User profile to it. Then you should log into the FortiManager unit by using the new administrator account. See
Managing administrator accounts on page 70 for information.
GUI overview
When you log into the FortiManager GUI, the following home page of tiles is displayed:
Select one of the following tiles to display the respective pane. The available tiles will vary, depending on the
privileges of the current user.
Device Manager
Manage devices, VDOMs, groups, firmware images, device licenses, and
scripts. You can also configure system, threat weight, and Certificate templates,
and view real-time monitor data. See Device Manager on page 103.
Policy & Objects
Configure policy packages and objects. For more information, see Policy &
Objects on page 204.
AP Manager
Configure and manage FortiAP access points. For more information, see AP
Manager on page 289.
FortiClient Manager
Manage FortiClient profiles and monitor FortiClient endpoints that are registered
to FortiGate devices. See FortiClient Manager on page 317.
VPN Manager
Configure and manage VPN connections. You can create VPN topologies and
managed/external gateways. For more information, see VPN Manager on
page 258.
FortiGuard
Manage communication between devices and the FortiManager using the
FortiGuard protocol. See FortiGuard on page 330.
FortiSwitch Manager
Configure and manage FortiSwitch devices. For more information, see
FortiSwitch Manager on page 352.
FortiView
View summaries of log data in graphical formats. For example, you can view top
threats to your network, top sources of network traffic, top destinations of
network traffic and so on. For each summary view, you can drill down into details
for the event. See FortiView on page 370.
This pane is only available when FortiAnalyzer features are enabled.
NOC
View network security, WiFi security, and system performance in real-time. You
can select what activities to monitor in customizable dashboards. See NOC on
page 383.
This pane is only available when FortiAnalyzer features are enabled.
Log View
View logs for managed devices. You can display, download, import, and delete
logs on this page. You can also define custom views and create log groups. See
Log View on page 389.
This pane is only available when FortiAnalyzer features are enabled.
Event Management
Configure and view events for logging devices. See Event Management on
page 400.
This pane is only available when FortiAnalyzer features are enabled.
Reports
Generate reports. You can also configure report templates, schedules, and
output profiles, and manage charts and datasets. See Reports on page 415.
This pane is only available when FortiAnalyzer features are enabled.
System Settings
Configure system settings such as network interfaces, administrators, system
time, server settings, and others. You can also perform maintenance and
firmware operations. See System Settings on page 446.
The top-right corner of the home page includes a variety of possible selections:
ADOM
If ADOMs are enabled, the required ADOM can be selected from the dropdown list.
If enabled, ADOMs can also be locked or unlocked.
The ADOMs available from the ADOM menu will vary depending on the privileges of
the current user.
HA status
If HA is enabled, the status is shown.
admin
Click to change the password or log out of the GUI.
Notification
Click to display a list of notifications. Select a notification from the list to take action on
the issue.
Help
Click to open the FortiManager online help, or view the About information for your
device (Product, Version, and Build Number).
Panes
In general, panes have four primary parts: the banner, toolbar, tree menu, and content pane.
Banner
Along the top of the page; includes the home button (Fortinet logo), tile menu, ADOM
menu (when enabled), admin menu, notifications, and help button.
Tree menu
On the left side of the screen; includes the menus for the selected pane.
Content pane
Contains widgets, lists, configuration options, or other information, depending on the
pane, menu, or options that are selected. Most management tasks are handled in the
content pane.
Toolbar
Directly above the content pane; includes options for managing content in the content
pane, such as Create New and Delete.
The Device Manager pane includes a quick status bar on the top of the content pane that provides quick
information on the state of the devices in the current device group. Clicking a status updates the content pane to
display the relevant devices. See Device Manager on page 103 for more information.
To switch between panes, either select the home button to return to the home page, or select the tile menu then
select a new tile.
Color themes
You can choose a color theme for the FortiManager GUI. For example, you can choose a color, such as blue or
plum, or you can choose an image, such as summer or autumn. See Global administration settings on page 95.
Full-screen mode
You can view several panes in full-screen mode. When a pane is in full-screen mode, the tree menu on the left side
of the screen is hidden.
Click the Full Screen button in the toolbar to enter full-screen mode, and press the Esc key on your keyboard to
exit full-screen mode.
Switching between ADOMs
When ADOMs are enabled, you can move between ADOMs by selecting an ADOM from the ADOM menu in the
banner.
ADOM access is controlled by administrator accounts and the profile assigned to the administrator account.
Depending on your account privileges, you might not have access to all ADOMs. See Managing administrator
accounts on page 70 for more information.
Using the right-click menu
Options are sometimes available using the right-click menu. Right-click an item in the content pane, or within
some of the tree menus, to display the menu that includes various options similar to those available in the
toolbar.
In the following example on the Device Manager pane, you can right-click a device in the content pane, and
select Install Config, Import Policy, Edit, Run Script, and so on.
Avatars
When FortiClient sends logs to FortiManager with FortiAnalyzer features enabled, an avatar for each user can be
displayed in the Source column in the FortiView and Log View panes. FortiManager can display an avatar when
the following requirements are met:
- FortiClient is managed by FortiGate or FortiClient EMS with logging to FortiManager enabled.
- FortiClient sends logs and a picture of each user to FortiManager.
If FortiManager cannot find the defined picture, a generic, gray avatar is displayed.
You can also optionally define an avatar for FortiManager administrators. See
Creating administrators on page 71.
Showing and hiding passwords
In some cases you can show and hide passwords by using the toggle icon. When you can view the password, the
Toggle show password icon is displayed. When you can hide the password, the Toggle hide password icon is displayed.
Security considerations
You can take steps to prevent unauthorized access and restrict access to the GUI.
Restricting GUI access by trusted host
To prevent unauthorized access to the GUI you can configure administrator accounts with trusted hosts. With
trusted hosts configured, the administrator user can only log into the GUI when working on a computer with the
trusted host as defined in the administrator account. You can configure up to ten trusted hosts per administrator
account. See Administrators on page 69 for more details.
Other security considerations
Other security considerations for restricting access to the FortiManager GUI include the following:
- Configure administrator accounts using a complex passphrase for local accounts.
- Configure administrator accounts using RADIUS, LDAP, TACACS+, or PKI.
- Configure the administrator profile to only allow read/write permission as required, and restrict access using
read-only or no permission to settings which are not applicable to that administrator.
- Configure the administrator account to only allow access to specific ADOMs as required.
- Configure the administrator account to only allow access to specific policy packages as required.
Restarting and shutting down
Always use the operation options in the GUI or the CLI commands to reboot and shut down the FortiManager
system to avoid potential configuration problems.
To restart the FortiManager unit from the GUI:
1. Go to System Settings > Dashboard.
2. In the Unit Operation widget, click the Restart button.
3. Enter a message for the event log, then click OK to restart the system.
To restart the FortiManager unit from the CLI:
1. From the CLI, or in the CLI Console widget, enter the following command:
execute reboot
The system will be rebooted.
Do you want to continue? (y/n)
2. Enter y to continue. The FortiManager system will restart.
To shut down the FortiManager unit from the GUI:
1. Go to System Settings > Dashboard.
2. In the Unit Operation widget, click the Shutdown button.
3. Enter a message for the event log, then click OK to shut down the system.
To shut down the FortiManager unit from the CLI:
1. From the CLI, or in the CLI Console widget, enter the following command:
execute shutdown
The system will be halted.
Do you want to continue? (y/n)
2. Enter y to continue. The FortiManager system will shut down.
To reset the FortiManager unit:
1. From the CLI, or in the CLI Console widget, enter the following command:
execute reset all-settings
This operation will reset all settings to factory defaults
Do you want to continue? (y/n)
2. Enter y to continue. The device will reset to factory default settings and restart.
To reset logs and re-transfer all SQL logs to the database:
1. From the CLI, or in the CLI Console widget, enter the following command:
execute reset-sqllog-transfer
WARNING: This operation will re-transfer all logs into database.
Do you want to continue? (y/n)
2. Enter y to continue. All SQL logs will be resent to the database.
Getting Started
This chapter provides an overview of how to configure a FortiManager device. It also provides an overview of
adding devices to FortiManager as well as configuring and monitoring managed devices.
After you configure IP addresses and administrator accounts for the FortiManager
unit, you should log in again by using the new IP address and your new administrator
account.
Configuring the FortiManager
Following is an overview of how to configure a FortiManager device.
To configure FortiManager devices:
1. Connect to the GUI. See Connecting to the GUI on page 30.
2. Configure IP addresses. See Configuring network interfaces on page 40.
3. Configure the RAID level, if the FortiManager unit supports RAID. See RAID Management on page 43.
Adding devices
After you configure the FortiManager device, you should plan the network topology, configure ADOMs, configure
administrative accounts, and then add the devices that you want to manage.
The number of devices that can be managed depends on the device model and license. An add-on license can be
purchased for some high-end devices to increase the number of devices that can be managed. See Add-on
license on page 149 for more information.
It is recommended that you import the policy from the device when you add the device to FortiManager.
FortiManager uses the imported policy to automatically create a policy package for that device.
To add devices:
1. Plan your network topology.
2. Configure administrative domains. See Administrative Domains on page 49.
3. Configure administrator accounts. See Managing administrator accounts on page 70.
4. Add devices to FortiManager. See Adding devices on page 104.
5. If not done when you added the device, import the policy from each online device to FortiManager. See Import
policy wizard on page 113.
A policy package is automatically created for the device based on the policy. You can view the policy package
on the Policy & Objects pane.
After initially importing policies from the device, all changes related to policies and
objects should be made in Policy & Objects on the FortiManager.
Making changes directly on the FortiGate device will require reimporting policies to
resynchronize the policies and objects.
Installing to managed devices
After you add devices to FortiManager, you can configure objects and policies, and use policy packages to install
the objects and policies to one or more devices.
If you imported a policy from a device, you can edit and create policies for the imported policy package, and then
install the updated policy package back to the device. Alternatively, you can create and configure a new policy
package. You can install a policy package to multiple devices.
If you want to install device-specific settings, you can configure the settings by using the device dashboard on the
Device Manager pane. When you install to the device, the device-specific settings are pushed to the device.
To install to devices:
1. Create or edit objects. See Create a new object on page 247 or Edit an object on page 250.
2. Create or edit policies in a policy package to select the objects. See Creating policies on page 219 or Editing
policies on page 219.
You can create or edit policies in the policy package that was automatically created for the device when you
imported its policy. Alternatively, you can create a new policy package in which to define policies. See Create
new policy packages on page 209.
3. Ensure that the installation targets for the policy package include the correct devices. See Policy package
installation targets on page 215.
4. Edit device-specific settings by using the device dashboard on the Device Manager pane. See Using the device
dashboard on page 124.
5. Install the policy package and device settings to devices by using the Installation Wizard. See Installing to devices
on page 129.
Enabling central management
FortiManager includes the option to enable central management for each of the following elements:
- SD-WAN link load balance: see SD-WAN Link Load Balance on page 183
- VPN: see VPN Manager on page 258
When central management is enabled, you can configure settings once, and then install the settings to one or
more devices.
When central management is disabled, you must configure the settings for each device, and then install the
settings to each device.
To use central management:
1. Enable central management for SD-WAN link load balance and/or VPN.
2. Configure the settings.
3. Install the settings to one or more devices.
Monitoring managed devices
FortiManager includes many options for monitoring managed devices. Following is a sample of panes that you
can use to monitor managed devices:
- Quick status bar—see Using the quick status bar on page 133
- Device dashboard—see Using the device dashboard on page 124
- Device configurations—see Managing device configurations on page 138
- Policy packages—see Managing policy packages on page 208
- AP Manager pane—see Monitor on page 300
- FortiClient Manager pane—see Monitoring FortiClient endpoints on page 320
- FortiSwitch Manager pane—see FortiSwitch Manager on page 352
When optional centralized features are enabled, you can also use the following panes to monitor the centralized
features for managed devices:
- WAN LLB pane—see SD-WAN Link Load Balance on page 183
- VPN Manager pane—see VPN Manager on page 258
When FortiAnalyzer features are enabled on the FortiManager device, you can also view and analyze log
messages from managed devices by using the FortiView, Log View, Event Management, and Reports panes.
See FortiAnalyzer Features on page 367.
Network
The network settings are used to configure ports for the FortiManager unit. You should also specify which ports and
methods administrators can use to access the FortiManager unit. If required, static routes can be
configured.
The default port for FortiManager units is port 1. It can be used to configure one IP address for the FortiManager
unit, or multiple ports can be configured with multiple IP addresses for improved security.
You can configure administrative access in IPv4 or IPv6 and include settings for HTTPS, HTTP, PING, SSH,
TELNET, SNMP, and Web Service.
You can prevent unauthorized access to the GUI by creating administrator accounts with trusted hosts. With
trusted hosts configured, the administrator can only log in to the GUI when working on a computer with the
trusted host as defined in the administrator account. For more information, see Trusted hosts on page 69 and
Managing administrator accounts on page 70.
Configuring network interfaces
Fortinet devices can be connected to any of the FortiManager unit's interfaces. The DNS servers must be on the
networks to which the FortiManager unit connects, and should have two different IP addresses.
If the FortiManager unit is operating as part of an HA cluster, it is recommended to configure interfaces dedicated
for the HA connection / synchronization. However, it is possible to use the same interfaces for both HA and device
management. The HA interface will have /HA appended to its name.
The following port configuration is recommended:
- Use port1 for device log traffic, and disable unneeded services on it, such as SSH, TELNET, Web Service, and so
on.
- Use a second port for administrator access, and enable HTTPS, Web Service, and SSH for this port. Leave other
services disabled.
To configure port1:
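The two access controls this guide describes, per-interface administrative access (this section) and per-administrator trusted hosts (Security considerations), can be modelled together to see how a login attempt is evaluated and how far an interface layout deviates from the recommended port split. The following is an added example, not code from the guide or from Fortinet; the interface names, account name, addresses, and the fixed set of protocol names are constructed assumptions.

```python
"""Added example (not from the FortiManager guide): model per-interface
administrative access and per-administrator trusted hosts, evaluate a login
attempt against both, and audit the recommended log/admin port split.
All names, addresses and protocol labels below are constructed."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Administrative access protocols listed in the guide (Web Service as one token).
ADMIN_PROTOCOLS = {"HTTPS", "HTTP", "PING", "SSH", "TELNET", "SNMP", "WEBSERVICE"}
MAX_TRUSTED_HOSTS = 10  # guide: up to ten trusted hosts per administrator account

# Recommended split: port1 carries device log traffic with unneeded services
# disabled; a second port is for administrator access with HTTPS, Web Service
# and SSH enabled and everything else left disabled.
ADMIN_PORT_SERVICES = {"HTTPS", "WEBSERVICE", "SSH"}
LOG_PORT_UNNEEDED = {"SSH", "TELNET", "WEBSERVICE", "HTTP"}


@dataclass
class Interface:
    name: str
    admin_access: set  # protocols permitted for administrative access

    def __post_init__(self) -> None:
        unknown = self.admin_access - ADMIN_PROTOCOLS
        if unknown:
            raise ValueError(f"{self.name}: unknown protocol(s) {sorted(unknown)}")


@dataclass
class AdminAccount:
    name: str
    trusted_hosts: list = field(default_factory=list)

    def add_trusted_host(self, cidr: str) -> None:
        """Add a trusted host or subnet; the guide caps these at ten per account."""
        if len(self.trusted_hosts) >= MAX_TRUSTED_HOSTS:
            raise ValueError(f"{self.name}: at most {MAX_TRUSTED_HOSTS} trusted hosts")
        self.trusted_hosts.append(ipaddress.ip_network(cidr, strict=False))


def login_allowed(iface: Interface, account: AdminAccount,
                  source_ip: str, protocol: str) -> tuple[bool, str]:
    """Evaluate a login attempt: the interface must permit the protocol and,
    when trusted hosts are configured, the source must fall inside one."""
    if protocol not in iface.admin_access:
        return False, f"{protocol} not permitted on {iface.name}"
    src = ipaddress.ip_address(source_ip)
    # An account with no trusted hosts configured is not host-restricted.
    if account.trusted_hosts and not any(src in net for net in account.trusted_hosts):
        return False, f"{source_ip} is not a trusted host for {account.name}"
    return True, "allowed"


def audit_port_split(log_port: Interface, admin_port: Interface) -> list[str]:
    """Report deviations from the recommended log/admin port configuration."""
    findings = []
    extra = log_port.admin_access & LOG_PORT_UNNEEDED
    if extra:
        findings.append(f"{log_port.name}: disable {sorted(extra)} on the log port")
    missing = ADMIN_PORT_SERVICES - admin_port.admin_access
    if missing:
        findings.append(f"{admin_port.name}: enable {sorted(missing)} for admin access")
    surplus = admin_port.admin_access - ADMIN_PORT_SERVICES
    if surplus:
        findings.append(f"{admin_port.name}: leave {sorted(surplus)} disabled")
    return findings


# Constructed sample: a weak layout with everything enabled on port1, and the
# recommended split with SSH, TELNET, HTTP and Web Service removed from port1.
WEAK_PORT1 = Interface("port1", {"HTTPS", "HTTP", "PING", "SSH", "TELNET", "WEBSERVICE"})
WEAK_PORT2 = Interface("port2", {"HTTPS", "TELNET"})
GOOD_PORT1 = Interface("port1", {"PING"})
GOOD_PORT2 = Interface("port2", {"HTTPS", "WEBSERVICE", "SSH"})

OPS_ADMIN = AdminAccount("ops-admin")
OPS_ADMIN.add_trusted_host("10.10.5.0/24")   # constructed management subnet
OPS_ADMIN.add_trusted_host("192.0.2.17/32")  # constructed jump host

if __name__ == "__main__":
    for finding in audit_port_split(WEAK_PORT1, WEAK_PORT2):
        print("finding:", finding)
    print(login_allowed(GOOD_PORT2, OPS_ADMIN, "10.10.5.40", "HTTPS"))
    print(login_allowed(GOOD_PORT2, OPS_ADMIN, "203.0.113.9", "HTTPS"))
    print(login_allowed(GOOD_PORT1, OPS_ADMIN, "10.10.5.40", "SSH"))
```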
1. Go to System Settings > Network. The System Network Management Interface pane is displayed.
2. Configure the following settings for port1, then click Apply to apply your changes.
Name
Displays the name of the interface.
IP Address/Netmask
The IP address and netmask associated with this interface.
IPv6 Address
The IPv6 address associated with this interface.
Administrative Access
Select the allowed administrative service protocols from: HTTPS, HTTP,
PING, SSH, Telnet, SNMP, and Web Service.
IPv6 Administrative Access
Select the allowed IPv6 administrative service protocols from: HTTPS,
HTTP, PING, SSH, Telnet, SNMP, and Web Service.
Service Access
Select the Fortinet services that are allowed access on this interface.
These include FortiGate Updates and Web Filtering. By default all service
access is enabled on port1, and disabled on port2.
Default Gateway
The default gateway associated with this interface.
Primary DNS Server
The primary DNS server IP address.
Secondary DNS Server
The secondary DNS server IP address.
To configure additional ports:
1. Go to System Settings > Network and click All Interfaces. The interface list opens.
2. Double-click on a port, right-click on a port then select Edit from the pop-up menu, or select a port then click Edit in
the toolbar. The Edit System Interface pane is displayed.
3. Configure the settings as required.
4. Click OK to apply your changes.
The port name, default gateway, and DNS servers cannot be changed from the Edit
System Interface pane. The port can be given an alias if needed.
Disabling ports
Ports can be disabled to prevent them from accepting network traffic.
To disable a port:
1. Go to System Settings > Network and click All Interfaces. The interface list opens.
2. Double-click on a port, right-click on a port then select Edit from the pop-up menu, or select a port then click Edit in
the toolbar. The Edit System Interface pane is displayed.
3. In the Status field, click Disable.
4. Click OK to disable the port.
Changing administrative access
Administrative access defines the protocols that can be used to connect to the FortiManager through an
interface. The available options are: HTTPS, HTTP, PING, SSH, TELNET, SNMP, and Web Service.
To change administrative access:
1. Go to System Settings > Network and click All Interfaces. The interface list opens.
2. Double-click on a port, right-click on a port then select Edit from the pop-up menu, or select a port then click Edit in
the toolbar. The Edit System Interface pane is displayed.
3. Select one or more access protocols for the interface for IPv4 and IPv6, if applicable.
4. Click OK to apply your changes.
Static routes
Static routes can be managed from the routing tables for IPv4 and IPv6 routes.
The routing tables can be accessed by going to System Settings > Network and clicking Routing Table and IPv6
Routing Table.
To add a static route:
1. From the IPv4 or IPv6 routing table, click Create New in the toolbar. The Create New Network Route pane
opens.
2. Enter the destination IP address and netmask, or IPv6 prefix, and gateway in the requisite fields.
3. Select the network interface that connects to the gateway from the dropdown list.
4. Click OK to create the new static route.
To edit a static route:
1. From the IPv4 or IPv6 routing table: double-click on a route, right-click on a route then select Edit from the pop-up
menu, or select a route then click Edit in the toolbar. The Edit Network Route pane opens.
2. Edit the configuration as required. The route ID cannot be changed.
3. Click OK to apply your changes.
To delete a static route or routes:
1. From the IPv4 or IPv6 routing table, right-click on a route then select Delete from the pop-up menu, or select a
route or routes then click Delete in the toolbar.
2. Click OK in the confirmation dialog box to delete the selected route or routes.
RAID Management
RAID helps to divide data storage over multiple disks, providing increased data reliability. For FortiManager
devices containing multiple hard disks, you can configure the RAID array for capacity, performance, and/or
availability.
The RAID Management tree menu is only available on FortiManager devices that
support RAID.
Supported RAID levels
FortiManager units with multiple hard drives can support the following RAID levels. See the FortiManager
datasheet to determine your device's supported RAID levels.
Linear RAID
A Linear RAID array combines all hard disks into one large virtual disk. The total space available in this option is
the capacity of all disks used. There is very little performance change when using this RAID format. If any of the
drives fails, the entire set of drives is unusable until the faulty drive is replaced. All data will be lost.
RAID 0
A RAID 0 array is also referred to as striping. The FortiManager unit writes information evenly across all hard
disks. The total space available is that of all the disks in the RAID array. There is no redundancy available. If any
single drive fails, the data on that drive cannot be recovered. This RAID level is beneficial because it provides
better performance, since the FortiManager unit can distribute disk writing across multiple disks.
- Minimum number of drives: 2
- Data protection: No protection
RAID 0 is not recommended for mission critical environments as it is not fault-tolerant.
RAID 1
A RAID 1 array is also referred to as mirroring. The FortiManager unit writes information to one hard disk, and
writes a copy (a mirror image) of all information to all other hard disks. The total disk space available is that of
only one hard disk, as the others are solely used for mirroring. This provides redundant data storage with no
single point of failure. Should any of the hard disks fail, there are backup hard disks available.
- Minimum number of drives: 2
- Data protection: Single-drive failure
One write or two reads are possible per mirrored pair. RAID 1 offers redundancy of
data. A re-build is not required in the event of a drive failure. This is the simplest RAID
storage design with the highest disk overhead.
RAID 1s
A RAID 1 with hot spare array uses one of the hard disks as a hot spare (a stand-by disk for the RAID). If a hard
disk fails, within a minute of the failure the hot spare is substituted for the failed drive, integrating it into the RAID
array and rebuilding the RAID’s data. When you replace the failed hard disk, the new hard disk is used as the new
hot spare. The total disk space available is the total number of disks minus two.
RAID 5
A RAID 5 array employs striping with a parity check. Similar to RAID 0, the FortiManager unit writes information
evenly across all drives but additional parity blocks are written on the same stripes. The parity block is staggered
for each stripe. The total disk space is the total number of disks in the array, minus one disk for parity storage. For
example, with four hard disks, the total capacity available is actually the total for three hard disks. RAID 5
performance is typically better with reading than with writing, although performance is degraded when one disk
has failed or is missing. With RAID 5, one disk can fail without the loss of data. If a drive fails, it can be replaced
and the FortiManager unit will restore the data on the new disk by using reference information from the parity
volume.
- Minimum number of drives: 3
- Data protection: Single-drive failure
RAID 5s
A RAID 5 with hot spare array uses one of the hard disks as a hot spare (a stand-by disk for the RAID). If a hard
disk fails, within a minute of the failure, the hot spare is substituted for the failed drive, integrating it into the RAID
array, and rebuilding the RAID’s data. When you replace the failed hard disk, the new hard disk is used as the
new hot spare. The total disk space available is the total number of disks minus two.
RAID 6
A RAID 6 array is the same as a RAID 5 array with an additional parity block. It uses block-level striping with two
parity blocks distributed across all member disks.
• Minimum number of drives: 4
• Data protection: Up to two disk failures.
RAID 6s
A RAID 6 with hot spare array is the same as a RAID 5 with hot spare array with an additional parity block.
RAID 10
RAID 10 (or 1+0) includes nested RAID levels 1 and 0, or a stripe (RAID 0) of mirrors (RAID 1). The total disk
space available is the total number of disks in the array (a minimum of 4) divided by 2, for example:
• 2 RAID 1 arrays of two disks each,
• 3 RAID 1 arrays of two disks each,
• 6 RAID 1 arrays of two disks each.
One drive from a RAID 1 array can fail without the loss of data; however, should the other drive in the same RAID 1
array fail, all data will be lost. In this situation, it is important to replace a failed drive as quickly as possible.
• Minimum number of drives: 4
• Data protection: One disk failure in each sub-array (a second failure in the same mirror pair loses the array).
Alternative to RAID 1 when additional performance is required.
RAID 50
RAID 50 (or 5+0) includes nested RAID levels 5 and 0, or a stripe (RAID 0) of stripes with parity (RAID 5). The
total disk space available is the total number of disks minus the number of RAID 5 sub-arrays (one parity disk per
sub-array). RAID 50 provides increased performance and also ensures no data loss for the same reasons as RAID 5.
One drive in each RAID 5 sub-array can fail without the loss of data; two failures in the same sub-array lose the array.
• Minimum number of drives: 6
• Data protection: Up to one disk failure in each sub-array.
Higher fault tolerance than RAID 5 and higher storage efficiency than RAID 10.
RAID 50 is only available on models with 9 or more disks. By default, two groups are
used unless otherwise configured via the CLI. Use the diagnose system raid
status CLI command to view your current RAID level, status, size, groups, and hard
disk drive information.
RAID 60
A RAID 60 (6+ 0) array combines the straight, block-level striping of RAID 0 with the distributed double parity of
RAID 6.
• Minimum number of drives: 8
• Data protection: Up to two disk failures in each sub-array.
High read data transaction rate, medium write data transaction rate, and slightly lower
performance than RAID 50.
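The capacity and data-protection rules stated above, collected into an added Python example (this is not code from the guide or from FortiManager). estimate() returns, for a RAID level and disk count, the usable capacity in whole-disk units together with the number of simultaneous disk failures the array is guaranteed to survive and the best case when failures fall in different sub-arrays; usable_capacity_gb() turns that into the figure the RAID Management pane's Disk Space Usage field should show. The example assumes all disks have equal capacity, that RAID 50/60 groups are equal in size, and that RAID 5s and RAID 6s need one disk more than RAID 5 and RAID 6 for the hot spare (the guide does not state those minimums):

```python
"""RAID capacity and fault-tolerance estimator for the levels listed above.

Added example, not part of the FortiManager guide or product. It encodes the
usable-capacity and data-protection rules the guide states for each RAID level
so the Disk Space Usage figure on the RAID Management pane can be checked
against the installed disks.

Assumptions not stated in the guide: all disks have equal capacity; RAID 50/60
sub-arrays ("groups") are equal in size; RAID 5s and RAID 6s need one disk
more than RAID 5 and RAID 6 respectively for the hot spare.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RaidEstimate:
    usable_disks: int          # capacity in whole-disk units
    guaranteed_failures: int   # survived no matter which disks fail
    best_case_failures: int    # survived if failures are spread across sub-arrays


def _need(n_disks: int, minimum: int, level: str) -> None:
    if n_disks < minimum:
        raise ValueError(f"{level} needs at least {minimum} disks, got {n_disks}")


def estimate(level: str, n_disks: int, groups: int = 2) -> RaidEstimate:
    """Apply the guide's rules for one RAID level.

    `groups` is only used for RAID 50/60; the guide says two groups are used
    by default unless changed in the CLI. Raises ValueError for layouts the
    level cannot be built from.
    """
    lvl = level.upper().replace(" ", "")
    if lvl == "RAID1S":                      # mirror plus hot spare: n - 2
        _need(n_disks, 3, level)
        return RaidEstimate(n_disks - 2, 1, 1)
    if lvl == "RAID5":                       # one parity disk: n - 1
        _need(n_disks, 3, level)
        return RaidEstimate(n_disks - 1, 1, 1)
    if lvl == "RAID5S":                      # parity plus hot spare: n - 2
        _need(n_disks, 4, level)             # assumed minimum
        return RaidEstimate(n_disks - 2, 1, 1)
    if lvl == "RAID6":                       # two parity blocks: n - 2
        _need(n_disks, 4, level)
        return RaidEstimate(n_disks - 2, 2, 2)
    if lvl == "RAID6S":                      # RAID 5s plus a parity block: n - 3
        _need(n_disks, 5, level)             # assumed minimum
        return RaidEstimate(n_disks - 3, 2, 2)
    if lvl == "RAID10":                      # stripe of mirrors: n / 2
        _need(n_disks, 4, level)
        if n_disks % 2:
            raise ValueError("RAID 10 needs an even number of disks")
        pairs = n_disks // 2
        # one disk per mirror pair may fail; two in the same pair lose the array
        return RaidEstimate(pairs, 1, pairs)
    if lvl in ("RAID50", "RAID60"):
        parity = 1 if lvl == "RAID50" else 2          # parity disks per sub-array
        min_group = 3 if lvl == "RAID50" else 4       # smallest RAID 5 / RAID 6
        _need(n_disks, 6 if lvl == "RAID50" else 8, level)
        if groups < 2 or n_disks % groups:
            raise ValueError(f"{level}: {n_disks} disks do not split into {groups} equal groups")
        if n_disks // groups < min_group:
            raise ValueError(f"{level}: each sub-array needs at least {min_group} disks")
        return RaidEstimate(n_disks - parity * groups, parity, parity * groups)
    raise ValueError(f"unsupported RAID level: {level}")


def usable_capacity_gb(level: str, n_disks: int, disk_gb: int, groups: int = 2) -> int:
    """Capacity the RAID Management pane should report, ignoring filesystem overhead."""
    return estimate(level, n_disks, groups).usable_disks * disk_gb


if __name__ == "__main__":
    for lvl, n in (("RAID 5", 4), ("RAID 10", 6), ("RAID 50", 12), ("RAID 60", 8)):
        print(lvl, n, "disks ->", estimate(lvl, n))
```

The guaranteed/best-case split is the point worth checking before choosing a level: RAID 10 on six disks can lose three disks if each is in a different mirror, but only one if you are unlucky, which is why the guide stresses replacing a failed mirror member quickly.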
Configuring the RAID level
Changing the RAID level will delete all data.
To configure the RAID level:
1. Go to System Settings > RAID Management.
2. Click Change in the RAID Level field. The RAID Settings dialog box is displayed.
3. From the RAID Level list, select a new RAID level, then click OK.
The FortiManager unit reboots. Depending on the selected RAID level, it may take a significant amount of
time to generate the RAID array.
Monitoring RAID status
To view the RAID status, go to System Settings > RAID Management. The RAID Management pane displays
the RAID level, status, and disk space usage. It also shows the status, size, and model of each disk in the RAID
array.
The Alert Message Console widget, located in System Settings > Dashboard,
provides detailed information about RAID array failures. For more information see
Alert Messages Console widget on page 456.
Summary
Shows summary information about the RAID array.
Graphic
Displays the position and status of each disk in the RAID array. Hover the cursor over each disk to view details.
RAID Level
Displays the selected RAID level.
Click Change to change the selected RAID level. When you change the RAID settings, all data is deleted.
Status
Displays the overall status of the RAID array.
Disk Space Usage
Displays the total size of the disk space, how much disk space is used, and how much disk space is free.
Disk Management
Shows information about each disk in the RAID array.
Disk Number
Identifies the disk number for each disk.
Disk Status
Displays the status of each disk in the RAID array.
• Ready: The hard drive is functioning normally.
• Rebuilding: The FortiManager unit is writing data to a newly added hard drive in order to restore the hard
drive to an optimal state. The FortiManager unit is not fully fault tolerant until rebuilding is complete.
• Initializing: The FortiManager unit is writing to all the hard drives in the device in order to make the array
fault tolerant.
• Verifying: The FortiManager unit is ensuring that the parity data of a redundant drive is valid.
• Degraded: The hard drive is no longer being used by the RAID controller.
• Inoperable: One or more drives are missing from the FortiManager unit. The drive is no longer available to
the operating system. Data on an inoperable drive cannot be accessed.
Size (GB)
Displays the size, in GB, of each disk.
Disk Model
Displays the model number of each disk.
Swapping hard disks
If a hard disk on a FortiManager unit fails, it must be replaced. On FortiManager devices that support hardware
RAID, the hard disk can be replaced while the unit is still running, known as hot swapping. On FortiManager units
with software RAID, the device must be shut down prior to exchanging the hard disk.
To identify which hard disk failed, read the relevant log message in the Alert Message Console widget. See Alert
Messages Console widget on page 456.
Electrostatic discharge (ESD) can damage FortiManager equipment. Only perform the
procedures described in this document from an ESD workstation. If no such station is
available, you can provide some ESD protection by wearing an anti-static wrist or ankle
strap and attaching it to an ESD connector or to a metal part of a FortiManager
chassis.
Adding hard disks
When replacing a hard disk, you need to first verify that the new disk is the same size
as those supplied by Fortinet and has at least the same capacity as the old one in the
FortiManager unit. Installing a smaller hard disk will affect the RAID setup and may
cause data loss. Due to possible differences in sector layout between disks, the only
way to guarantee that two disks have the same size is to use the same brand and
model.
The size provided by the hard drive manufacturer for a given disk model is only an
approximation. The exact size is determined by the number of sectors present on the
disk.
To hot swap a hard disk on a device that supports hardware RAID:
1. Remove the faulty hard disk.
2. Install a new disk.
The FortiManager unit automatically adds the new disk to the current RAID array. The status appears on the
console. The RAID Management pane displays a green checkmark icon for all disks and the RAID Status
area displays the progress of the RAID re-synchronization/rebuild.
Once a RAID array is built, adding another disk with the same capacity will not affect
the array size until you rebuild the array by restarting the FortiManager unit.
Adding hard disks
Some FortiManager units have space to add more hard disks to increase your storage capacity.
Fortinet recommends you use the same disks as those supplied by Fortinet. Disks of
other brands will not be supported by Fortinet. For information on purchasing extra
hard disks, contact your Fortinet reseller.
To add more hard disks:
1. Obtain the same disks as those supplied by Fortinet.
2. Back up the log data on the FortiManager unit.
You can also migrate the data to another FortiManager unit, if you have one. Data migration reduces system
down time and the risk of data loss.
3. Install the disks in the FortiManager unit.
If your unit supports hot swapping, you can do so while the unit is running. Otherwise the unit must be shut
down first. See Unit Operation widget on page 456 for information.
4. Configure the RAID level. See Configuring the RAID level on page 46.
5. If you backed up the log data, restore it.
Administrative Domains
Administrative domains (ADOMs) enable administrators to manage only those devices that they are specifically
assigned, based on the ADOMs to which they have access. When the ADOM mode is advanced, FortiGate
devices with multiple VDOMs can be divided among multiple ADOMs.
Administrator accounts can be tied to one or more ADOMs, or denied access to specific ADOMs. When a
particular administrator logs in, they see only those devices or VDOMs that have been enabled for their account.
Super user administrator accounts, such as the admin account, can see and maintain all ADOMs and the
devices within them.
When FortiAnalyzer features are enabled, each ADOM specifies how long to store and how much disk space to
use for its logs. You can monitor disk utilization for each ADOM and adjust storage settings for logs as needed.
The maximum number of ADOMs you can add depends on the FortiManager system model. Please refer to the
FortiManager data sheet for more information.
By default, ADOMs are disabled. Enabling and configuring ADOMs can only be done by administrators with the
Super_User profile. See Administrators on page 69.
Non-FortiGate devices, except for FortiAnalyzer devices, are automatically located in
specific ADOMs for their device type. They cannot be moved to other ADOMs.
One FortiAnalyzer device can be added to each ADOM. For more information, see
Adding FortiAnalyzer devices on page 114.
Default ADOMs
FortiManager includes default ADOMs for specific types of devices. When you add one or more of these devices
to the FortiManager, the devices are automatically added to the appropriate ADOM, and the ADOM becomes
selectable. When a default ADOM contains no devices, the ADOM is not selectable.
For example, when you add a FortiClient EMS device to the FortiManager, the FortiClient EMS device is
automatically added to the default FortiClient ADOM. After the FortiClient ADOM contains a FortiClient EMS
device, the FortiClient ADOM is selectable when you log into FortiManager or when you switch between ADOMs.
You can view all of the ADOMs, including default ADOMs without devices, on the System Settings > All ADOMs
pane.
Organizing devices into ADOMs
You can organize devices into ADOMs to allow you to better manage these devices. Devices can be organized by
whatever method you deem appropriate, for example:
• Firmware version: group all devices with the same firmware version into an ADOM.
• Geographic regions: group all devices for a specific geographic region into an ADOM, and devices for a different
region into another ADOM.
• Administrative users: group devices into separate ADOMs for the specific administrators responsible for each
group of devices.
• Customers: group all devices for one customer into an ADOM, and devices for another customer into another
ADOM.
Enabling and disabling the ADOM feature
By default, ADOMs are disabled. Enabling and configuring ADOMs can only be done by super user
administrators.
When ADOMs are enabled, the Device Manager, Policy & Objects, AP Manager, FortiClient Manager, and
VPN Manager panes are displayed per ADOM. If FortiAnalyzer features are enabled, the FortiView, Log View,
Event Management, and Reports panes are also displayed per ADOM. You select the ADOM you need to work in
when you log into the FortiManager unit. See Switching between ADOMs on page 34.
ADOMs must be enabled to support FortiMail and FortiWeb logging and reporting.
When a FortiMail or FortiWeb device is promoted to the DVM table, the device is
added to their respective default ADOM and will be visible in the left-hand tree menu.
FortiGate and FortiCarrier devices cannot be grouped into the same ADOM.
FortiCarrier devices are added to a specific default FortiCarrier ADOM.
To enable the ADOM feature:
1. Log in to the FortiManager as a super user administrator.
2. Go to System Settings > Dashboard.
3. In the System Information widget, toggle the Administrative Domain switch to ON.
You will be automatically logged out of the FortiManager and returned to the log in screen.
To disable the ADOM feature:
1. Remove all the devices from all non-root ADOMs. That is, add all devices to the root ADOM.
2. Delete all non-root ADOMs. See Deleting ADOMs on page 57.
Only after removing all the non-root ADOMs can ADOMs be disabled.
3. Go to System Settings > Dashboard.
4. In the System Information widget, toggle the Administrative Domain switch to OFF.
You will be automatically logged out of the FortiManager and returned to the log in screen.
The ADOMs feature cannot be disabled if ADOMs are still configured and have
managed devices in them.
ADOM device modes
An ADOM has two device modes: Normal (default) and Advanced.
In Normal mode, you cannot assign different FortiGate VDOMs to different ADOMs. The FortiGate unit can only
be added to a single ADOM.
In Advanced mode, you can assign a VDOM from a single device to a different ADOM. This allows you to analyze
data for individual VDOMs, but will result in more complicated management scenarios. It is recommended only
for advanced users.
To change from Advanced mode back to Normal mode, you must ensure no FortiGate VDOMs are assigned to
an ADOM.
To change the ADOM device mode:
1. Go to System Settings > Advanced > Advanced Settings.
2. In the ADOM Mode field, select either Normal or Advanced.
3. Select Apply to apply your changes.
ADOM modes
When creating an ADOM, the mode can be set to Normal or Backup.
Normal mode ADOMs
When creating an ADOM in Normal Mode, the ADOM is considered Read/Write, where you are able to make
changes to the ADOM and managed devices from the FortiManager. FortiGate units in the ADOM will query their
own configuration every 5 seconds. If there has been a configuration change, the FortiGate unit will send a
diff revision on the change to the FortiManager using the FGFM protocol.
Backup mode ADOMs
When creating an ADOM in Backup Mode, the ADOM is considered Read Only, where you are not able to make
changes to the ADOM and managed devices from the FortiManager. Changes are made via scripts which are run
on the managed device, or through the device's GUI or CLI directly. Revisions are sent to the FortiManager when
specific conditions are met:
• Configuration change and session timeout
• Configuration change and log out
• Configuration change and reboot
• Manual configuration backup from the managed device.
Backup mode enables you to configure an ADOM where all the devices that are added to the ADOM will only
have their configuration backed up. Configuration changes cannot be made to the devices in a backup ADOM. You
can push any existing revisions to managed devices. You can still monitor and review the revision history for these
devices, and scripting is still allowed for pushing scripts directly to FortiGate units.
Managing ADOMs
To create and manage ADOMs, go to System Settings > All ADOMs.
The ADOMs feature must be enabled before ADOMs can be created or configured.
See Enabling and disabling the ADOM feature on page 50.
Create New
Create a new ADOM. See Creating ADOMs on page 53.
Edit
Edit the selected ADOM. This option is also available from the right-click menu. See Editing an ADOM on page 56.
Delete
Delete the selected ADOM or ADOMs. You cannot delete default ADOMs. This option is also available from the
right-click menu. See Deleting ADOMs on page 57.
Enter ADOM
Switch to the selected ADOM. This option is also available from the right-click menu.
More
Select Expand Devices to expand all of the ADOMs to show the devices in each ADOM. Select Collapse Devices
to collapse the device lists. Select Upgrade to upgrade the ADOM; see ADOM versions on page 57. These options
are also available from the right-click menu.
Search
Enter a search term to search the ADOM list.
Name
The name of the ADOM.
ADOMs are listed in the following groups: Central Management, Backup Mode (if there are any backup mode
ADOMs), and Other Device Types. A group can be collapsed or expanded by clicking the triangle next to its name.
Firmware Version
The firmware version of the ADOM. Devices in the ADOM should have the same firmware version. See ADOM
versions on page 57 for more information.
Central VPN
Whether or not central VPN management is enabled for the ADOM.
Allocated Storage
The amount of hard drive storage space allocated to the ADOM.
Devices
The number of devices and VDOMs that the ADOM contains. The device list can be expanded or collapsed by
clicking the triangle.
Creating ADOMs
To create a new ADOM, you must be logged in as a super user administrator.
Consider the following when creating ADOMs:
• You can only create ADOMs when you are using an administrator account that is assigned the Super_User
administrative profile.
• The maximum number of ADOMs you can create depends on the specific FortiManager model. Refer to the
FortiManager data sheet for information on the maximum number of devices and ADOMs your model supports.
• You can add a device to only one ADOM. You cannot add a device to multiple ADOMs.
• You cannot add FortiGate and FortiCarrier devices to the same ADOM. FortiCarrier devices are added to a specific,
default FortiCarrier ADOM.
• You can add one or more VDOMs from a FortiGate device to one ADOM. If you want to add individual VDOMs from
a FortiGate device to different ADOMs, you must first enable advanced device mode. See ADOM device modes on
page 50.
• When FortiAnalyzer features are enabled, you can configure how an ADOM handles log files from its devices. For
example, you can configure how much disk space an ADOM can use for logs, and then monitor how much of the
allotted disk space is used. You can also specify how long to keep logs indexed in the SQL database and how long
to keep logs stored in a compressed format.
To create an ADOM
1. Ensure that ADOMs are enabled. See Enabling and disabling the ADOM feature on page 50.
2. Go to System Settings > All ADOMs.
3. Click Create New in the toolbar. The Create New ADOM pane is displayed.
4. Configure the following settings, then click OK to create the ADOM.
Name
Type a name that will allow you to distinguish this ADOM from your other ADOMs. ADOM names must be unique.
Type
Select either FortiGate or FortiCarrier from the dropdown menu. The ADOM type cannot be edited.
Other device types are added to their respective default ADOM upon registering with FortiManager.
Version
Select the version of the devices in the ADOM. The ADOM version cannot be edited.
Devices
Add a device or devices with the selected version to the ADOM. The search field can be used to find specific
devices. See Assigning devices to an ADOM on page 55.
Central Management
Select the VPN checkbox to enable central VPN management.
Select the SD-WAN checkbox to enable central WAN link load balancing.
This option is only available when the Mode is Normal.
Mode
Select Normal mode if you want to manage and configure the connected FortiGate devices from the FortiManager
GUI. Select Backup mode if you want to back up the FortiGate configurations to the FortiManager, but configure
each FortiGate locally.
See ADOM modes on page 51 for more information.
Default Device Selection for Install
Select either Select All Devices/Groups or Specify Devices/Groups.
This option is only available when the Mode is Normal.
Data Policy
Specify how long to keep logs in the indexed and compressed states.
This section is only available when FortiAnalyzer features are enabled. See FortiAnalyzer Features on page 367.
Keep Logs for Analytics
Specify how long to keep logs in the indexed state.
During the indexed state, logs are indexed in the SQL database for the specified amount of time. Information
about the logs can be viewed in the FortiView, Event Management, and Reports modules. After the specified
amount of time expires, Analytics logs are automatically purged from the SQL database.
Keep Logs for Archive
Specify how long to keep logs in the compressed state.
During the compressed state, logs are stored in a compressed format on the FortiManager unit. When logs are in
the compressed state, information about the log messages cannot be viewed in the FortiView, Event
Management, or Reports modules. After the specified amount of time expires, Archive logs are automatically
deleted from the FortiManager unit.
Disk Utilization
Specify how much disk space to use for logs.
This section is only available when FortiAnalyzer features are enabled. See FortiAnalyzer Features on page 367.
Maximum Allowed
Specify the maximum amount of FortiManager disk space to use for logs, and select the unit of measure.
The total available space on the FortiManager unit is shown.
For more information about the maximum available space for each FortiManager unit, see Disk space allocation
on page 197.
Analytics : Archive
Specify the percentage of the allotted space to use for Analytics and Archive logs.
Analytics logs require more space than Archive logs. For example, a setting of 70% and 30% indicates that 70%
of the allotted disk space will be used for Analytics logs, and 30% of the allotted space will be used for Archive
logs. Select the Modify checkbox to change the setting.
Alert and Delete When Usage Reaches
Specify at what data usage percentage an alert message will be generated and logs will be automatically deleted.
The oldest Archive log files or Analytics database tables are deleted first.
The number of ADOMs that can be created depends on the FortiManager model. For
more information, see the FortiManager data sheet at
https://www.fortinet.com/products/management/fortimanager.html.
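The Data Policy and Disk Utilization settings above interact: a day of logs can drop out of FortiView because its analytics retention expired, or earlier because the Analytics share of Maximum Allowed hit the Alert and Delete threshold. The following added Python example (not code from the guide or from FortiManager) applies those settings to a constructed set of per-day log volumes and reports, for each pool, which days are kept, which expired by age, and which were deleted for space. It assumes the Analytics and Archive pools are policed separately against their own share of Maximum Allowed, and that deletion removes whole days, oldest first, until usage drops below the threshold; the guide does not spell out that granularity:

```python
"""Data policy and disk-utilization model for one ADOM.

Added example, not code from the FortiManager guide or product. It applies the
settings described above (Keep Logs for Analytics / Archive, Maximum Allowed,
the Analytics : Archive split, and Alert and Delete When Usage Reaches) to a
constructed set of per-day log volumes.

Assumptions not stated in the guide: Analytics and Archive quotas are policed
separately, each against its own share of Maximum Allowed; deletion removes
whole days, oldest first, until usage is below the threshold.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class DataPolicy:
    keep_analytics_days: int   # Keep Logs for Analytics
    keep_archive_days: int     # Keep Logs for Archive
    max_allowed_gb: float      # Maximum Allowed
    analytics_pct: int         # Analytics share of the Analytics : Archive split
    alert_and_delete_pct: int  # Alert and Delete When Usage Reaches


@dataclass(frozen=True)
class LogDay:
    age_days: int
    analytics_gb: float        # size of that day's SQL tables
    archive_gb: float          # size of that day's compressed log files


@dataclass
class PoolResult:
    kept: list = field(default_factory=list)
    expired: list = field(default_factory=list)            # removed by the retention clock
    deleted_for_space: list = field(default_factory=list)  # removed at the usage threshold
    alert_raised: bool = False
    used_gb: float = 0.0


def _apply_pool(days, keep_days, quota_gb, alert_pct, size_of):
    """Retention first, then the usage threshold: oldest data is deleted first."""
    res = PoolResult()
    live = []
    for day in days:
        (res.expired if day.age_days > keep_days else live).append(day)
    live.sort(key=lambda d: d.age_days)          # newest first, oldest last
    used = sum(size_of(d) for d in live)
    threshold = quota_gb * alert_pct / 100.0
    while live and used >= threshold:
        res.alert_raised = True                  # the alert message the guide describes
        oldest = live.pop()
        res.deleted_for_space.append(oldest)
        used -= size_of(oldest)
    res.kept, res.used_gb = live, used
    return res


def apply_data_policy(days, policy):
    """Return the Analytics and Archive outcomes for a list of LogDay entries."""
    analytics_quota = policy.max_allowed_gb * policy.analytics_pct / 100.0
    archive_quota = policy.max_allowed_gb - analytics_quota
    return {
        "analytics": _apply_pool(days, policy.keep_analytics_days, analytics_quota,
                                 policy.alert_and_delete_pct, lambda d: d.analytics_gb),
        "archive": _apply_pool(days, policy.keep_archive_days, archive_quota,
                               policy.alert_and_delete_pct, lambda d: d.archive_gb),
    }


# Constructed sample: 100 GB allotted, 70/30 split, alert/delete at 90 % usage,
# 60 days of analytics and 365 days of archive. Six days of logs at 25 GB of
# SQL tables and 3 GB of compressed files each.
SAMPLE_POLICY = DataPolicy(60, 365, 100.0, 70, 90)
SAMPLE_DAYS = [LogDay(age, 25.0, 3.0) for age in (1, 30, 59, 61, 200, 400)]


if __name__ == "__main__":
    result = apply_data_policy(SAMPLE_DAYS, SAMPLE_POLICY)
    for pool, res in result.items():
        print(pool, "kept", [d.age_days for d in res.kept],
              "expired", [d.age_days for d in res.expired],
              "deleted for space", [d.age_days for d in res.deleted_for_space],
              "alert", res.alert_raised)
```

With the sample settings the 59-day-old analytics tables are deleted for space even though the retention period is 60 days, while every archive day within 365 days survives. That is the case to watch for: the SQL tables are the larger copy, so the Analytics share, not the retention setting, usually decides how far back FortiView and Reports can actually see.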
Assigning devices to an ADOM
To assign devices to an ADOM you must be logged in as a super user administrator. Devices cannot be assigned
to multiple ADOMs.
To assign devices to an ADOM:
1. Go to System Settings > All ADOMs.
2. Double-click on an ADOM, right-click on an ADOM and then select Edit from the menu, or select the ADOM
then click Edit in the toolbar. The Edit ADOM pane opens.
3. Click Select Device. The Select Device list opens on the right side of the screen.
4. Select the devices that you want to add to the ADOM. Only devices with the same version as the ADOM can be
added. The selected devices are displayed in the Devices list.
If the ADOM mode is Advanced you can add separate VDOMs to the ADOM as well as units.
5. When done selecting devices, click Close to close the Select Device list.
6. Click OK.
The selected devices are removed from their previous ADOM and added to this one.
Assigning administrators to an ADOM
Super user administrators can create other administrators and either assign ADOMs to their account or exclude
them from specific ADOMs, constraining them to configurations and data that apply only to devices in the
ADOMs they can access.
By default, when ADOMs are enabled, existing administrator accounts other than
admin are assigned to the root domain, which contains all devices in the device list.
For more information about creating other ADOMs, see Creating ADOMs on page 53.
To assign an administrator to specific ADOMs:
1. Log in as a super user administrator. Other types of administrators cannot configure administrator accounts when
ADOMs are enabled.
2. Go to System Settings > Admin > Administrator.
3. Double-click on an administrator, right-click on an administrator and then select Edit from the menu, or select
the administrator then click Edit in the toolbar. The Edit Administrator pane opens.
4. Edit the Administrative Domain field as required, either assigning or excluding specific ADOMs.
5. Select OK to apply your changes.
The admin administrator account cannot be restricted to specific ADOMs.
Editing an ADOM
To edit an ADOM you must be logged in as a super user administrator. The ADOM type and version cannot be
edited. For the default ADOMs, the name cannot be edited.
To edit an ADOM:
1. Go to System Settings > All ADOMs.
2. Double-click on an ADOM, right-click on an ADOM and then select Edit from the menu, or select the ADOM then
click Edit in the toolbar. The Edit ADOM pane opens.
3. Edit the settings as required, and then select OK to apply the changes.
Deleting ADOMs
To delete an ADOM, you must be logged in as a super user administrator (see Administrator profiles on page 82),
such as the admin administrator.
Prior to deleting an ADOM:
• All devices must be removed from the ADOM. Devices can be moved to another ADOM, or to the root ADOM. See
Assigning devices to an ADOM on page 55.
• Global policy packages assigned to the ADOM must be unassigned. See Assign a global policy package on
page 211.
• References to the ADOM must be removed from administrator accounts (or the accounts deleted). See Assigning
administrators to an ADOM on page 56.
To delete an ADOM:
1. Go to System Settings > All ADOMs.
2. Ensure that the ADOM or ADOMs being deleted have no devices in them.
3. Select the ADOM or ADOMs you need to delete.
4. Click Delete in the toolbar, or right-click and select Delete.
5. Click OK in the confirmation box to delete the ADOM or ADOMs.
Default ADOMs cannot be deleted.
ADOM versions
ADOMs can concurrently manage FortiGate units running FortiOS 5.2, 5.4, and 5.6, allowing devices running
these versions to share a common database. This allows you to continue to manage an ADOM as normal while
upgrading the devices within that ADOM.
This feature can be used to facilitate upgrading to new firmware.
Importing policies from devices running higher versions than the ADOM is not
supported. Installation to devices running higher versions is supported.
FortiManager 5.6 supports FortiOS 5.2, 5.4, and 5.6 ADOMs. For a complete list of
supported devices and firmware versions, see the FortiManager Release Notes.
Each ADOM is associated with a specific FortiOS version, based on the firmware version of the devices that are in
that ADOM. This version is selected when creating a new ADOM (see Creating ADOMs on page 53), and can be
updated only after all of the devices within the ADOM have been updated to the same FortiOS firmware version.
The general steps for upgrading an ADOM containing multiple devices running FortiOS 5.2 from 5.2 to 5.4 are as
follows:
1. In the ADOM, upgrade one of the FortiGate units to FortiOS 5.4, and then resynchronize the device. See
Firmware on page 145 for more information.
All of the ADOM objects, including Policy Packages, remain as 5.2 objects.
2. Upgrade the rest of the FortiGate units in the ADOM to FortiOS 5.4.
3. Upgrade the ADOM to 5.4. See Upgrading an ADOM on page 60 for more information.
All of the database objects will be converted to 5.4 format, and the GUI content for the ADOM will change to
reflect 5.4 features and behavior.
An ADOM can only be upgraded after all the devices within the ADOM have been
upgraded.
Global database version
The global database is reset when the database version is edited. The database is not reset when the global
database ADOM is upgraded using the Upgrade command.
The global database ADOM should only be upgraded after all the ADOMs that are
using a global policy package have been upgraded.
To upgrade the global database ADOM:
1. Go to System Settings > All ADOMs.
2. Select Global Database then click More > Upgrade in the toolbar, or right-click Global Database and select
Upgrade.
If the ADOM has already been upgraded to the latest version, this option will not be available.
3. Click OK in the Upgrade ADOM dialog box.
4. After the upgrade finishes, click Close to close the dialog box.
To edit the global database version:
Editing the global database version will reset the database. All global policy packages
will be lost. This should only be used when starting to use the global database for the
first time, or when resetting the database is required.
1. Go to System Settings > All ADOMs.
2. Select Global Database then click Edit in the toolbar, or right-click Global Database and select Edit. The Edit
Global Database window opens.
3. Select the version.
4. Click OK to save the setting.
5. A confirmation dialog box will be displayed. Click OK to continue.
Concurrent ADOM access
Concurrent ADOM access is controlled by enabling or disabling the workspace function. Concurrent access is
enabled by default. To prevent multiple administrators from making changes to the FortiManager database at the
same time and causing conflicts, the workspace function must be enabled.
When workspace mode is enabled, concurrent ADOM access is disabled. An administrator must lock the ADOM
before they can make device-level changes to it, and only one administrator can hold the lock at a time, while
other administrators have read-only access. Optionally, ADOM lock override can be enabled, allowing an
administrator to unlock an ADOM that is locked by another administrator. See Locking an ADOM on page 59.
When workspace is disabled, concurrent ADOM access is enabled, and multiple administrators can log in and
make changes to the same ADOM at the same time.
To enable workspace mode, and disable concurrent ADOM access:
1. Enter the following CLI commands:
config system global
set workspace-mode normal
end
To disable workspace mode, and enable concurrent ADOM access:
1. Enter the following CLI commands:
config system global
set workspace-mode disabled
Warning: disabling workspaces may cause some logged in users to lose their unsaved
data. Do you want to continue? (y/n) y
end
After changing the workspace mode, your session will end and you will be required to log
back in to the FortiManager.
Locking an ADOM
If workspace is enabled, you must lock an ADOM prior to performing device-level changes to it. If you are making
changes at the ADOM level, you can leave the ADOM unlocked and lock policy packages or objects
independently.
The padlock icon, shown next to the ADOM name on the banner and in the All ADOMs list, will turn from gray to
green when you lock an ADOM. If it is red, it means that another administrator has locked the ADOM.
Optionally, ADOM lock override can be enabled, allowing an administrator to unlock an ADOM that has been
locked by another administrator and discard all of their unsaved changes.
To lock an ADOM:
• Ensure that you are in the specific ADOM that you will be editing (top right corner of the GUI), then select Lock from
the banner.
• Or, go to System Settings > All ADOMs, right-click on an ADOM, and select Lock from the right-click menu.
The ADOM will now be locked, allowing you to make changes to it and preventing other administrators from
making changes unless lock override is enabled. The lock icon will turn into a green locked padlock. For other
administrators
To unlock an ADOM:
• Ensure you have saved any changes you may have made to the ADOM, then select Unlock ADOM from the banner.
• Or, go to System Settings > All ADOMs, right-click on the ADOM, and select Unlock from the right-click menu.
If there are unsaved changes to the ADOM, a dialog box will give you the option of saving or discarding your
changes before unlocking the ADOM. The ADOM will now be unlocked, allowing any administrator to lock the
ADOM and make changes.
To enable or disable ADOM lock override:
Enter the following CLI commands:
config system global
set lock-preempt {enable | disable}
end
Upgrading an ADOM
To upgrade an ADOM, you must be logged in as a super user administrator.
An ADOM can only be upgraded after all the devices within the ADOM have been
upgraded. See ADOM versions on page 57 for more information.
To upgrade an ADOM:
1. Go to System Settings > All ADOMs.
2. Right-click on an ADOM and select Upgrade, or select an ADOM and then select More > Upgrade from the
toolbar.
If the ADOM has already been upgraded to the latest version, this option will not be available.
3. Select OK in the confirmation dialog box to upgrade the device.
If all of the devices within the ADOM are not already upgraded, the upgrade will be aborted and an error
message will be shown. Upgrade the remaining devices within the ADOM, then return to step 1 to try
upgrading the ADOM again.
Workflow Mode
Workflow mode is used to control the creation, configuration, and installation of policies and objects. It helps to
ensure all changes are reviewed and approved before they are applied.
When workflow mode is enabled, the ADOM must be locked and a session must be started before policy, object,
or device changes can be made in an ADOM. Workflow approvals must be configured for an ADOM before any
sessions can be started in it.
Once the required changes have been made, the session can either be discarded and the changes deleted, or it
can be submitted for approval. The session can also be saved and continued later, but no new sessions can be
created until the saved session has been submitted or discarded.
When a session is submitted for approval, email messages are sent to the approvers, who can then approve or
reject the changes directly from the email message. Sessions can also be approved or rejected by the approvers
from within the ADOM itself.
Sessions must be approved in the order they were created.
If one approver from each approval group approves the changes, then another email message is sent, and the
changes are implemented. If any of the approvers reject the changes, then the session can be repaired and
resubmitted as a new session, or discarded. When a session is discarded, all later sessions are also discarded.
After multiple sessions have been approved, a previous session can be reverted to, undoing all the later sessions.
The changes made in a session can be viewed at any time from the session list in the ADOM by selecting View
Diff. The ADOM does not have to be locked to view the differences.
Enable or disable workflow mode
Workflow mode can only be enabled or disabled from the CLI.
After changing the workflow mode, your session will end, and you will be required to
log back in to the FortiManager.
To enable or disable workflow mode:
1. Go to System Settings > Dashboard.
2. In the CLI Console widget enter the following CLI commands in their entirety:
config system global
set workspace-mode {workflow | disable}
end
When workspace-mode is workflow, Device Manager and Policy & Objects are
read-only. You must lock the ADOM to create a new workflow session.
Workflow approval
Workflow approval matrices specify which users must approve or reject policy changes for each ADOM.
Up to eight approval groups can be added to an approval matrix. One user from each approval group must
approve the changes before they are accepted. An approval email will automatically be sent to each member of
each approval group when a change request is made.
Email notifications are automatically sent to each approver, as well as other administrators as required. A mail
server must be configured, see Mail Server on page 490, and each administrator must have a contact email
address configured, see Managing administrator accounts on page 70.
This menu is only available when workspace-mode is set to workflow.
To create a new approval matrix:
1. Go to System Settings > Admin > Approval Matrix.
2. Click Create New.
3. Configure the following settings:
ADOM
Select the ADOM from the dropdown list.
Approval Group
Select to add approvers to the approval group. Select the add icon to create
a new approval group. Select the delete icon to remove an approval group.
At least one approver from each group must approve the change for it to be
adopted.
Send an Email Notification to
Select to add administrators to send email notifications to.
Mail Server
Select the mail server from the dropdown list.
A mail server must already be configured. See Mail Server on page 490.
4. Click OK to create the approval matrix.
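To make the session rules from the Workflow Mode overview and this approval-matrix section concrete (one approver from each of up to eight groups, approval in creation order, repair or discard after rejection, cascading discard), here is a small Python model. It is an added example, not FortiManager code, and the group, administrator and session names in it are constructed.

```python
"""Model of the workflow-approval rules stated in this section.

Added example, not Fortinet code. Rules encoded: a matrix has up to eight
approval groups; a session is accepted once one member of every group has
approved it; sessions are approved in creation order; a rejected session must
be repaired or discarded before later ones can be approved; discarding a
session also discards every later session. All names below are constructed.
"""
MAX_APPROVAL_GROUPS = 8

class ApprovalMatrix:
    def __init__(self, groups):
        # groups: approval-group name -> set of approver user names
        if not groups or len(groups) > MAX_APPROVAL_GROUPS:
            raise ValueError("an approval matrix needs 1 to 8 approval groups")
        self.groups = {g: set(m) for g, m in groups.items()}

    def groups_for(self, user):
        """Approval groups the administrator belongs to (may be empty)."""
        return {g for g, members in self.groups.items() if user in members}

class Session:
    def __init__(self, sid, name, user):
        self.id, self.name, self.user = sid, name, user
        # in progress / submitted / approved / rejected / repaired / discarded
        self.status = "in progress"
        self.approved_groups = set()

class WorkflowAdom:
    def __init__(self, matrix):
        self.matrix = matrix
        self.sessions = []  # list order is creation (and approval) order
        self._next_id = 1

    def create_session(self, name, user):
        # No new session until the in-progress one is submitted or discarded
        if any(s.status == "in progress" for s in self.sessions):
            raise RuntimeError("submit or discard the current session first")
        session = Session(self._next_id, name, user)
        self._next_id += 1
        self.sessions.append(session)
        return session

    def submit(self, session):
        session.status = "submitted"

    def _earliest_pending(self):
        # First session still awaiting a decision; a rejected one also counts
        return next((s for s in self.sessions
                     if s.status in ("submitted", "rejected")), None)

    def approve(self, session, approver):
        pending = self._earliest_pending()
        if pending is None or pending.id != session.id:
            return "blocked"  # an earlier session must be decided first
        if session.status == "rejected":
            return "repair or discard the rejected session first"
        groups = self.matrix.groups_for(approver)
        if not groups:
            return "not an approver"
        session.approved_groups |= groups
        if session.approved_groups == set(self.matrix.groups):
            session.status = "approved"  # one approver from every group
            return "approved"
        return f"waiting: {len(session.approved_groups)}/{len(self.matrix.groups)}"

    def reject(self, session, approver):
        if session.status != "submitted" or not self.matrix.groups_for(approver):
            return "not rejectable by this user"
        session.status = "rejected"
        return "rejected"

    def discard(self, session):
        # Allowed before approval; every later session is discarded with it
        for s in self.sessions:
            if s.id >= session.id and s.status != "approved":
                s.status = "discarded"

    def repair(self, session):
        # Creates and starts a new session carrying the rejected session's changes
        if session.status != "rejected":
            raise RuntimeError("only a rejected session can be repaired")
        session.status = "repaired"
        return self.create_session(f"repair of {session.name}", session.user)

def demo():
    """Two sessions through a two-group matrix; returns (results, statuses)."""
    adom = WorkflowAdom(ApprovalMatrix({"netsec": {"alice", "bob"}, "change-board": {"carol"}}))
    s1 = adom.create_session("dmz-https-policy", "dave")
    adom.submit(s1)
    s2 = adom.create_session("ssh-source-restriction", "dave")
    adom.submit(s2)
    results = [adom.approve(s2, "alice"),  # blocked: s1 was created first
               adom.approve(s1, "alice"),  # waiting: 1/2
               adom.approve(s1, "bob"),    # still 1/2: bob is in alice's group
               adom.approve(s1, "carol"),  # approved: every group has signed off
               adom.reject(s2, "carol")]   # rejected
    s3 = adom.repair(s2)
    adom.submit(s3)
    results += [adom.approve(s3, "alice"), adom.approve(s3, "carol")]
    return results, [s.status for s in adom.sessions]
```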
Workflow sessions
Administrators use workflow sessions to make changes to policies and objects. The session is then submitted for
review and approval or rejection by the administrators defined in the ADOM's workflow approval matrix.
Administrators with the appropriate permissions will be able to approve or reject any pending requests. When
viewing the session list, they can choose any pending sessions, and click the approve or reject buttons. They can
also add a comment to the response. A notification will then be sent to the administrator that submitted the
session and all of the approvers.
You cannot prevent administrators from approving their own workflow sessions.
If the session was approved, no further action is required. If the session was rejected, the administrator will need
to either repair or discard the session.
The Global Database ADOM includes the Assignment option, for assigning the global policy package to an
ADOM. Assignments can only be created and edited when a session is in progress. After a global database
session is approved, the policy package can be assigned to the configured ADOM. A new session will be created
on the assigned ADOM and automatically submitted; it must be approved for the changes to take effect.
A session can be discarded at any time before it is approved.
After multiple sessions have been submitted or approved, a previously approved session can be reverted to,
undoing all the later sessions. This creates a new session at the top of the session list that is automatically
submitted for approval.
A workflow approval matrix must be configured for the ADOM to which the session
applies before a workflow session can be started. See Workflow approval on page 62.
Starting a workflow session
A workflow session must be started before changes can be made to the policies and objects. A session can be
saved and continued at a later time, discarded, or submitted for approval.
While a session is in progress, devices cannot be added or installed.
To start a workflow session:
1. Ensure that you are in the correct ADOM.
2. Go to Policy & Objects.
3. Click Lock in the banner. The padlock icon changes to a locked state and the ADOM is locked.
4. From the Sessions menu, select Session List. The Session List dialog box opens; see The session list on
page 66.
5. Click Create New Session.
6. Enter a name for the session, add a comment describing the session, then click OK to start the session. You can now
make the required changes to the policy packages and objects. See Policy & Objects on page 204.
Saved sessions
A session can be saved and continued later.
A new session cannot be started until the in-progress or saved session has either been
submitted for approval or discarded.
To save your session:
While currently working in a session, click Save in the toolbar. After saving the session, the ADOM will remain
locked, and you can continue to edit it.
To continue a saved session:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects and lock the ADOM.
3. Go to Sessions > Session List. The Session List dialog box opens.
4. Click Continue Session In Progress to continue the session.
Submitting a session
When all the required changes have been made, the session can be submitted for approval. A session must be
open to be submitted for approval.
When the session is submitted, email messages are sent to all of the approvers and other administrators defined
in the approval matrix (see Workflow approval on page 62), and the ADOM is automatically unlocked.
To submit a session for approval:
1. Select Sessions > Submit.
2. Enter the following in the Submit for Approval dialog box:
Comments
Enter a comment describing the changes that have been made in this
session.
Attach configuration
change details
Select to attach configuration change details to the email message.
3. Click OK to submit the session.
Approving or rejecting a session
Sessions can be approved or rejected by the members of the approval groups either directly from the email
message that is generated when the session is submitted, or from the session list. A session that has been
rejected must be repaired or discarded before the next session can be approved.
When a session is approved or rejected, new email messages are sent out.
To approve or reject a session from the email message:
1. If the configuration changes HTML file is attached to the email message, open the file to review the changes.
2. Select Approve this request or Reject this request to approve or reject the request. You can also select Login
FortiManager to process this request to log in to the FortiManager and approve or reject the session from the
session list.
A web page will open showing the basic information, approval matrix, and session log for the session,
highlighting if the session was approved or rejected. A new email message will also be sent containing the
same information.
3. On the last line of the session log on the web page, select Click here to add comments to add a comment about
why the session was approved or rejected.
To approve a session from the session list:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects and lock the ADOM.
3. Go to Sessions > Session List. The Session List dialog box opens; see The session list on page 66.
4. Select a session that can be approved from the list.
5. Optionally, click View Diff to view the changes that you are approving.
6. Click Approve.
7. Enter a comment in the Approve Session pop-up, then click OK to approve the session.
To reject a session from the session list:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects and lock the ADOM.
3. Go to Sessions > Session List. The Session List dialog box opens; see The session list on page 66.
4. Select a session that can be rejected from the list.
5. Optionally, click View Diff to view the changes that you are rejecting.
6. Click Reject.
7. Enter a comment in the Reject Session pop-up, then click OK to reject the session.
Repairing a rejected session
When a session is rejected, it can be repaired to correct the problems with it.
To repair a workflow session:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects and lock the ADOM.
3. Go to Sessions > Session List. The Session List dialog box opens; see The session list on page 66.
4. Select a rejected session, then click Repair.
A new session is created and started, with the changes from the rejected session, so it can be corrected.
Reverting a session
A session can be reverted to after other sessions have been submitted or approved. If this session is approved, it
will undo all the changes made by later sessions, though those sessions must be approved before the reverting
session can be approved. You can still revert to any of those sessions without losing their changes.
When a session is reverted, a new session is created and automatically submitted for approval.
To revert a session:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects and lock the ADOM.
3. Go to Sessions > Session List. The Session List dialog box opens; see The session list on page 66.
4. Select the session, then click Revert.
The session list
To view the session list, in Policy & Objects, go to Sessions > Session List. Different options will be available
depending on the state of each session (in progress, approved, etc.). When an ADOM is unlocked, only
the comments and the View Diff command are available.
The following options and information are available:
Approve
Approve the selected session. Enter comments in the Approve Session dialog
box as required.
Reject
Reject the selected session. Enter comments in the Reject Session dialog box
as required. A rejected session must be repaired before the next session in the
list can be approved.
Discard
Discard the selected session. If a session is discarded, all later sessions are also
discarded.
Repair
Repair the selected rejected session. A new session will be created and added to
the top of the session list with the changes from the rejected session so they can
be repaired as needed.
Revert
Revert back to the selected session, undoing all the changes made by later
sessions. A new session will be created, added to the top of the session list, and
automatically submitted for approval.
View Diff
View the changes that were made prior to approving or rejecting the session.
Select details to view specific changes within a policy package.
ID
A unique number to identify the session.
Name
The user-defined name to identify the session. The icon shows the status of the
session: waiting for approval, approved, rejected, repaired, or in progress. Hover
the cursor over the icon to see a description.
User
The administrator who created the session.
Date Submitted
The date and time the session was submitted for approval.
Approved/...
The number of approval groups that have approved the session out of the
number of groups that have to approve the session. Hover the cursor over the
table cell to view the group members.
Comments
The comments for the session. All the comments are shown on the right of the
dialog box for the selected session. Session approvers can also add comments
to the selected session without having to approve or reject the session.
Create New Session
Select to create a new workflow session. This option is not available when a
session has been saved or is already in progress.
Continue Session in Progress
Select to continue a session that was previously saved or is already in progress.
This option is only available when a session is in progress or saved.
Continue Without Session
Select to continue without starting a new session. When a new session is not
started, all policy and objects are read-only.
Administrators
The System Settings > Admin menu enables you to configure administrator accounts, access profiles, remote
authentication servers, and adjust global administrative settings for the FortiManager unit.
Administrator accounts are used to control access to the FortiManager unit. Local and remote authentication is
supported, as well as two-factor authentication. Administrator profiles define different types of administrators and
the level of access they have to the FortiManager unit, as well as the devices registered to it.
Global administration settings, such as the GUI language and password policies, can be configured on the Admin
Settings pane. See Global administration settings on page 95 for more information.
In workflow mode, approval matrices can be created and managed on the Approval Matrix pane. See Workflow
approval on page 62 for more information.
Trusted hosts
Setting trusted hosts for all of your administrators increases the security of your network by further restricting
administrative permissions. In addition to knowing the password, an administrator must connect only through the
subnet or subnets you specify. You can even restrict an administrator to a single IP address if you define only one
trusted host IP address with a netmask of 255.255.255.255.
When you set trusted hosts for all administrators, the FortiManager unit does not respond to administrative
access attempts from any other hosts. This provides the highest security. If you leave even one administrator
unrestricted, the unit accepts administrative access attempts on any interface that has administrative access
enabled, potentially exposing the unit to attempts to gain unauthorized access.
The trusted hosts you define apply to both the GUI and to the CLI when accessed through SSH. CLI access
through the console connector is not affected.
If you set trusted hosts and want to use the Console Access feature of the GUI, you
must also set 127.0.0.1/255.255.255.255 as a trusted host.
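The following Python audit is an added example, not Fortinet code. It applies the rules above (an unrestricted administrator is reachable from any host, a 255.255.255.255 mask pins an account to one address, Console Access needs 127.0.0.1/255.255.255.255, ten hosts per address family) to a constructed set of administrator accounts, and also flags an all-zero mask, which matches every address. The "ip netmask" input form it accepts in addition to the guide's "ip/netmask" spelling is an assumption.

```python
"""Audit administrator trusted-host settings against the rules in this section.

Added example, not Fortinet code. It checks: an administrator with no trusted
hosts is reachable from any interface with administrative access; a
255.255.255.255 mask pins an administrator to one address; the GUI Console
Access feature needs 127.0.0.1/255.255.255.255; at most ten IPv4 and ten IPv6
hosts per administrator. Account names and addresses are constructed.
"""
import ipaddress

MAX_HOSTS_PER_FAMILY = 10  # "Up to ten IPv4 and ten IPv6 hosts can be added"


def parse_trusted_host(entry):
    """Accept 'ip/netmask' (as written in the guide), 'ip netmask', or CIDR."""
    parts = entry.split()
    if len(parts) == 2:  # 'ip netmask' form: an assumed input convention
        entry = f"{parts[0]}/{parts[1]}"
    return ipaddress.ip_network(entry, strict=False)


def host_allowed(trusted_hosts, source_ip):
    """True if a login attempt from source_ip is accepted for this account.

    No trusted hosts means unrestricted: the unit accepts the attempt from
    any host on any interface with administrative access enabled.
    """
    if not trusted_hosts:
        return True
    addr = ipaddress.ip_address(source_ip)
    return any(addr in parse_trusted_host(h) for h in trusted_hosts)


def audit_administrators(admins, console_access_in_use=False):
    """Return (account, finding) pairs; admins maps name -> trusted-host list."""
    findings = []
    loopback = ipaddress.ip_network("127.0.0.1/255.255.255.255")
    for name, hosts in admins.items():
        if not hosts:
            findings.append((name, "unrestricted: accepted from any host"))
            continue
        nets = [parse_trusted_host(h) for h in hosts]
        for version in (4, 6):
            if sum(n.version == version for n in nets) > MAX_HOSTS_PER_FAMILY:
                findings.append((name, f"more than {MAX_HOSTS_PER_FAMILY} IPv{version} trusted hosts"))
        if any(n.prefixlen == 0 for n in nets):
            findings.append((name, "a trusted host with an all-zero mask matches every address"))
        if console_access_in_use and loopback not in nets:
            findings.append((name, "Console Access needs 127.0.0.1/255.255.255.255 as a trusted host"))
    return findings


# Constructed sample: one properly restricted account, one missing the loopback
# entry needed for Console Access, and one account left unrestricted.
SAMPLE_ADMINS = {
    "admin": ["10.0.0.0/255.255.255.0", "127.0.0.1/255.255.255.255"],
    "netops": ["192.0.2.10/255.255.255.255"],
    "auditor": [],
}

if __name__ == "__main__":
    for account, finding in audit_administrators(SAMPLE_ADMINS, console_access_in_use=True):
        print(f"{account}: {finding}")
```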
Monitoring administrators
The Admin Session List lets you view a list of administrators currently logged in to the FortiManager unit.
To view logged in administrators:
1. Go to System Settings > Dashboard.
2. In the System Information widget, in the Current Administrators field, click the Current Session List button. The
Admin Session List opens in the widget.
The following information is available:
User Name
The name of the administrator account. Your session is indicated by (current).
IP Address
The IP address where the administrator is logging in from. This field also displays the
logon type (GUI, jsconsole, SSH, or telnet).
Start Time
The date and time the administrator logged in.
Time Out (mins)
The maximum duration of the session in minutes (1 to 480 minutes).
Disconnecting administrators
Administrators can be disconnected from the FortiManager unit from the Admin Session List.
To disconnect administrators:
1. Go to System Settings > Dashboard.
2. In the System Information widget, in the Current Administrators field, click the Current Session List button. The
Admin Session List opens in the widget.
3. Select the administrator or administrators you need to disconnect.
4. Click Delete in the toolbar, or right-click and select Delete.
The selected administrators will be automatically disconnected from the FortiManager device.
Managing administrator accounts
Go to System Settings > Admin > Administrator to view the list of administrators and manage administrator
accounts.
Only administrators with the Super_User profile can see the complete administrators list. If you do not have
certain viewing permissions, you will not see the administrator list. When ADOMs are enabled, administrators can
only access the ADOMs they have permission to access.
The following options are available:
Create New
Create a new administrator. See Creating administrators on page 71.
Edit
Edit the selected administrator. See Editing administrators on page 74.
Delete
Delete the selected administrator or administrators. See Deleting
administrators on page 75.
Column Settings
Change the displayed columns.
Table View/Tile View
Change the view of the administrator list.
Table view shows a list of the administrators in a table format. Tile view
shows a separate card for each administrator in a grid pattern.
Search
Search the administrators.
Change Password
Change the selected administrator's password. This option is only available
from the right-click menu. See Editing administrators on page 74.
The following information is shown:
User Name
The name the administrator uses to log in.
Type
The user type, as well as if the administrator is restricted or uses a
wildcard.
Profile
The profile applied to the administrator. See Administrator profiles on
page 82
ADOMs
The ADOMs the administrator has access to or is excluded from.
Policy Packages
The policy packages the administrator can access.
Comments
Comments about the administrator account. This column is hidden by
default.
Email
The contact email associated with the administrator. This column is hidden
by default.
Phone
The contact phone number associated with the administrator. This column
is hidden by default.
Trusted IPv4 Hosts
The IPv4 trusted host(s) associated with the administrator. See Trusted
hosts on page 69.
Trusted IPv6 Hosts
The IPv6 trusted host(s) associated with the administrator. See Trusted
hosts on page 69. This column is hidden by default.
Creating administrators
To create a new administrator account, you must be logged in to an account with sufficient privileges, or as a
super user administrator.
You need the following information to create an account:
• Which authentication method the administrator will use to log in to the FortiManager unit. Local, remote, and Public
Key Infrastructure (PKI) authentication methods are supported.
• What administrator profile the account will be assigned, or what system privileges the account requires.
• If ADOMs are enabled, which ADOMs the administrator will require access to.
• If using trusted hosts, the trusted host addresses and network masks.
For remote or PKI authentication, the authentication must be configured before you
create the administrator. See Authentication on page 88 for details.
To create a new administrator:
1. Go to System Settings > Admin > Administrators.
2. Click Create New in the toolbar. The New Administrator pane is displayed.
3. Configure the following settings, and then click OK to create the new administrator.
User Name
Enter the name the administrator will use to log in.
Avatar
Apply a custom image to the administrator.
Click Add Photo to select an image already loaded to the FortiManager, or
to load a new image from the management computer.
If no image is selected, the avatar will use the first letter of the user name.
Comments
Optionally, enter a description of the administrator, such as their role,
location, or the reason for their account.
Admin Type
Select the type of authentication the administrator will use when logging
into the FortiManager unit. One of: LOCAL, RADIUS, LDAP, TACACS+,
PKI, or Group. See Authentication on page 88 for more information.
Server or Group
Select the RADIUS server, LDAP server, TACACS+ server, or group, as
required.
The server must be configured prior to creating the new administrator.
This option is not available if the Admin Type is LOCAL or PKI.
Wildcard
Select this option to set the password as a wildcard. Only one administrator
on the FortiManager can use a wildcard.
This option is not available if the Admin Type is LOCAL or PKI.
Subject
Enter a comment for the PKI administrator.
This option is only available if the Admin Type is PKI.
CA
Select the CA certificate from the dropdown list.
This option is only available if the Admin Type is PKI.
Required two-factor authentication
Select to enable two-factor authentication.
New Password
Enter the password.
This option is only available if the Admin Type is PKI.
This option is not available if Wildcard is selected.
If the Admin Type is PKI, this option is only available when Require two-factor authentication is selected.
If the Admin Type is RADIUS, LDAP, or TACACS+, the password is only
used when the remote server is unreachable.
Confirm Password
Enter the password again to confirm it.
This option is not available if Wildcard is selected.
If the Admin Type is PKI, this option is only available when Require two-factor authentication is selected.
Admin Profile
Select an administrator profile from the list. The profile selected
determines the administrator’s access to the FortiManager unit’s features.
See Administrator profiles on page 82.
Administrative Domain
Choose the ADOMs this administrator will be able to access.
• All ADOMs: The administrator can access all the ADOMs.
• All ADOMs except specified ones: The administrator cannot access the selected ADOMs.
• Specify: The administrator can access the selected ADOMs.
If the Admin Profile is Super_User, then the setting will be All ADOMs.
This field is available only if ADOMs are enabled. See Administrative
Domains on page 49.
Policy Package Access
Choose the policy packages this administrator will have access to.
• All Packages: The administrator can access all the packages.
• Specify: The administrator can access the selected packages.
This option is only available when the Admin Profile is not a Restricted
Admin profile. See Restricted administrators on page 75.
Web Filter Profile
Select the web filter profiles that the restricted administrator will be able to
edit.
This option is only available when the Admin Profile is set to a Restricted
Admin profile. Security profiles can be configured by going to Policy &
Objects > Object Configuration. See Managing objects and dynamic
objects on page 246.
IPS Sensor
Select the IPS profiles that the restricted administrator will be able to edit.
This option is only available when the Admin Profile is set to a Restricted
Admin profile. Security profiles can be configured by going to Policy &
Objects > Object Configuration. See Managing objects and dynamic
objects on page 246.
Application Sensor
Select the application control profiles that the restricted administrator will
be able to edit.
This option is only available when the Admin Profile is set to a Restricted
Admin profile. Security profiles can be configured by going to Policy &
Objects > Object Configuration. See Managing objects and dynamic
objects on page 246.
Trusted Hosts
Optionally, turn on trusted hosts, then enter their IP addresses and
netmasks. Up to ten IPv4 and ten IPv6 hosts can be added.
See Trusted hosts on page 69 for more information.
Meta Fields
Optionally, enter the new administrator's email address and phone
number.
The email address is also used for workflow session approval notifications,
if enabled. See Workflow Mode on page 61.
Editing administrators
To edit an administrator, you must be logged in as a super user administrator. The administrator's name cannot
be edited. An administrator's password can be changed using the right-click menu, if the password is not a
wildcard.
To edit an administrator:
1. Go to System Settings > Admin > Administrators.
2. Double-click on an administrator, right-click on an administrator and then select Edit from the menu, or select the
administrator then click Edit in the toolbar. The Edit Administrator pane opens.
3. Edit the settings as required, and then select OK to apply the changes.
To change an administrator's password:
1. Go to System Settings > Admin > Administrators.
2. Right-click on an administrator and select Change Password from the menu. The Change Password dialog box
opens.
3. If you are editing the admin administrator's password, enter the old password in the Old Password field.
4. Enter the new password for the administrator in the New Password and Confirm Password fields.
5. Select OK to change the administrator's password.
The current administrator's password can also be changed from the admin menu in the
GUI banner. See GUI on page 30 for information.
Deleting administrators
To delete an administrator or administrators, you must be logged in as a super user administrator. The admin
administrator cannot be deleted.
To delete an administrator or administrators:
1. Go to System Settings > Admin > Administrators.
2. Select the administrator or administrators you need to delete.
3. Click Delete in the toolbar, or right-click and select Delete.
4. Select OK in the confirmation box to delete the administrator or administrators.
Restricted administrators
Restricted administrator accounts are used to delegate management of Web Filter, IPS, and Application Control
profiles, and then install those objects to their assigned ADOM.
Restricted administrators cannot be used when workflow mode is enabled. See Workflow Mode on page 61.
When a restricted administrator logs in to the FortiManager, they enter the Restricted Admin Mode. This mode
consists of a simplified GUI where they can make changes to the profiles that they have access to, and then
install those changes using the Install command in the toolbar, to their designated ADOM.
Administration Guide
Fortinet Technologies Inc.
75
Administrators
Managing administrator accounts
To create a restricted administrator:
1. Create an administrator profile with the Type set to Restricted Admin and the required permissions selected. See
Creating administrator profiles on page 86.
2. Create a new administrator and select the restricted administrator profile for the Admin Profile, then select the
specific ADOM and profiles that the administrator can manage. See Creating administrators on page 71.
Web Filter
Select a web filter profile from the tree menu to edit the profile details. Click Apply to apply any changes to the
profile.
Name
The profile name.
Comment
Optionally, enter a description of the profile.
Advanced Options
Configure advanced options, including:
• https-replacemsg: enable/disable
• replacemsg-group: select a group from the list
• web-filter-activex-log: enable/disable
• web-filter-command-block-log: enable/disable
• web-filter-cookie-removal-log: enable/disable
• web-filter-js-log: enable/disable
• web-filter-jscript-log: enable/disable
• web-filter-referer-log: enable/disable
• web-filter-unknown-log: enable/disable
• web-filter-vbs-log: enable/disable
• wisp: enable/disable
• wisp-algorithm: auto-learning, primary-secondary, or round-robin
Inspection Mode
Select Proxy or Flow Based.
Log all URLs
Select to log all URLs.
FortiGuard Categories
Select FortiGuard categories.
Right-click on a category to change the action: Allow, Block, Warning,
Monitor, Authenticate, or, if available, Disable.
Use the filter drop-down menu to filter the categories shown in the table
based on the action.
Allow Users to override
blocked categories
Select to allow users to override blocked categories.
This option is only available if Inspection Mode is Proxy.
Override Permit
Select the override permits: bannedword-override, contenttype-check-override, fortiguard-wf-override, and urlfilter-override.
Groups that can
override
Select groups that can override blocked categories.
Profile can
switch to
Select profiles that the user can switch to.
Switch applies to
Select what the switch applies to: ask, browser, ip, user, or user-group.
Switch Duration
Select the switch duration, either ask or constant.
Duration
Enter the duration of the switch.
This option is only available if Switch Duration is constant.
Enforce 'Safe Search' on
Google, Yahoo!, Bing, Yandex
Select to enforce Safe Search.
Restrict YouTube Access
Select to restrict access to YouTube. Select Strict or Moderate.
This option is only available if Inspection Mode is Proxy.
Log all search keywords
Select to log all search keywords.
This option is only available if Inspection Mode is Proxy.
Block Invalid URLs
Select to block invalid URLs.
This option is only available if Inspection Mode is Proxy.
URL Filter
Select to enable URL filters.
Select URL filters from the dropdown list, and/or create and manage filters
in the table.
Block malicious URLs discovered by FortiSandbox
Select to block URLs that FortiSandbox deems malicious.
Web Content Filter
Select to apply web content filters. Click Add to add filters to the table. Edit
and delete filters as required.
Allow Websites When a Rating Error Occurs
Select to allow access to websites if a rating error occurs.
Rate URLs by Domain and IP Address
Select to rate URLs by both their domain and IP address.
Block HTTP Redirects by Rating
Select to block HTTP redirects based on the site's rating.
Rate Images by URL (Blocked images will be replaced with blanks)
Select to rate images based on the URL.
Restrict Google account usage to specific domains
Select to restrict Google account usage to specific domains. Click Add to
add the domains to the table.
This option is only available if Inspection Mode is Proxy.
Provide Details for Blocked HTTP 4xx and 5xx Errors
Select to receive details about blocked HTTP errors.
This option is only available if Inspection Mode is Proxy.
HTTP POST Action: Block
Select to set the HTTP POST action to block.
This option is only available if Inspection Mode is Proxy.
Remove Java Applet Filter
Select to remove the Java applet filter.
This option is only available if Inspection Mode is Proxy.
Remove ActiveX Filter
Select to remove the ActiveX filter.
This option is only available if Inspection Mode is Proxy.
Remove Cookie Filter
Select to remove the cookie filter.
This option is only available if Inspection Mode is Proxy.
Intrusion Prevention
Select an IPS profile from the tree menu to edit the profile details. Click Apply to apply any changes to the profile.
Name
The profile name.
Comment
Optionally, enter a description of the profile.
IPS Signatures
Click Add Signatures to add IPS signatures to the table. The signatures list
can be filtered to simplify adding them.
To add or edit a signature's IP exemptions, select a signature then click
Edit IP Exemptions.
Right-click on a signature to change the action (Pass, Monitor, Block,
Reset, Default, or Quarantine), and to enable or disable Packet Logging.
IPS Filters
Click Add Filter to add IPS filters to the table. The filters list can be
searched and filtered to simplify adding them.
Right-click on a filter to change the action (Pass, Monitor, Block,
Reset, Default, or Quarantine), and to enable or disable Packet Logging.
Rate Based Signatures
Enable the required rate based signatures, then configure their options:
Threshold, Duration, Track By, Action, and Block Duration.
Advanced Options
Enable or disable blocking malicious URLs.
Application Control
Select an application control profile from the tree menu to edit the profile details. Click Apply to apply any
changes to the profile.
Name
The profile name.
Comment
Optionally, enter a description of the profile.
Categories
Select the action to take for each of the available categories: Allow, Monitor, Block, Traffic Shaping, Quarantine, or Reset.
Application Overrides
Click Add Signatures to add application override signatures to the table.
The signatures list can be filtered to simplify adding them.
Right-click on a signature to change the action (Allow, Monitor, Block,
Traffic Shaping, Quarantine, or Reset).
Filter Overrides
Click Add Filter to add filter overrides to the table. The filters list can be
searched and filtered to simplify adding them.
Right-click on an override to change the action (Allow, Monitor, Block,
Traffic Shaping, Quarantine, or Reset).
Deep Inspection of Cloud Applications
Select to enable deep inspections of cloud applications.
Allow and Log DNS Traffic
Select to allow and log DNS traffic.
Replacement Messages for HTTP-based Applications
Select to enable replacement messages for HTTP based applications.
Logging of Other Applications
Select to enable the logging of other applications.
Logging of Unknown Applications
Select to enable the logging of unknown applications.
Advanced Options
Configure advanced options:
- p2p-black-list: Select from bittorrent, edonkey, and skype.
- replacemsg-group: Select an option from the dropdown list.
Administrator profiles
Administrator profiles are used to control administrator access privileges to devices or system features. Profiles
are assigned to administrator accounts when an administrator is created. The profile controls access to both the
FortiManager GUI and CLI.
There are four predefined system profiles:
Restricted_User
Restricted user profiles have no system privileges enabled, and have
read-only access for all device privileges.
Standard_User
Standard user profiles have no system privileges enabled, and have
read/write access for all device privileges.
Super_User
Super user profiles have all system and device privileges enabled. This
profile cannot be edited.
Package_User
Package user profiles have read/write policy and objects privileges enabled,
and have read-only access for system and other privileges.
These profiles cannot be deleted, but standard and restricted profiles can be edited. New profiles can also be
created as required. Only super user administrators can manage administrator profiles. Package user
administrators can view the profile list.
Go to System Settings > Admin > Profile to view and manage administrator profiles.
The following options are available:
Create New
Create a new administrator profile. See Creating administrator profiles on
page 86.
Edit
Edit the selected profile. See Editing administrator profiles on page 87.
Delete
Delete the selected profile or profiles. See Deleting administrator profiles
on page 88.
Search
Search the administrator profiles list.
The following information is shown:
Name
The profile name.
Type
The profile type, either System Admin or Restricted Admin.
Description
A description of the system and device access permissions allowed for the
selected profile.
Permissions
The below table lists the default permissions for the predefined administrator profiles.
When Read-Write is selected, the user can view and make changes to the FortiManager system. When Read-Only is selected, the user can only view information. When None is selected, the user can neither view nor make
changes to the FortiManager system.
Setting (CLI keyword)                                              | Super User | Standard User | Restricted User | Package User
-------------------------------------------------------------------|------------|---------------|-----------------|-------------
System Settings (system-setting)                                   | Read-Write | None          | None            | Read-Only
Administrative Domain (adom-switch)                                | Read-Write | Read-Write    | None            | Read-Write
FortiGuard Center (fgd_center)                                     | Read-Write | None          | None            | Read-Only
License Management (fgd-center-licensing)                          | Read-Write | None          | None            | Read-Only
Firmware Management (fgd-center-fmw-mgmt)                          | Read-Write | None          | None            | Read-Only
Advanced (fgd-center-advanced)                                     | Read-Write | None          | None            | Read-Only
Device Manager (device-manager)                                    | Read-Write | Read-Write    | Read-Only       | Read-Write
Add/Delete Devices/Groups (device-op)                              | Read-Write | Read-Write    | None            | Read-Write
Retrieve Configuration from Devices (config-retrieve)              | Read-Write | Read-Write    | Read-Only       | Read-Only
Revert Configuration from Revision History (config-revert)         | Read-Write | Read-Write    | Read-Only       | Read-Only
Terminal Access (term-access)                                      | Read-Write | Read-Write    | Read-Only       | Read-Only
Manage Device Configuration (device-config)                        | Read-Write | Read-Write    | Read-Only       | Read-Write
Provisioning Templates (device-profile)                            | Read-Write | Read-Write    | Read-Only       | Read-Write
SD-WAN (device-wan-link-load-balance)                              | Read-Write | Read-Write    | Read-Only       | Read-Write
Policy & Objects (policy-objects)                                  | Read-Write | Read-Write    | Read-Only       | Read-Write
Global Policy Packages & Objects (global-policy-packages)          | Read-Write | Read-Write    | None            | Read-Write
Assignment (assignment)                                            | Read-Write | None          | None            | Read-Only
Policy Packages & Objects (adom-policy-packages)                   | Read-Write | Read-Write    | Read-Only       | Read-Write
Policy Check (consistency-check)                                   | Read-Write | Read-Write    | Read-Only       | Read-Only
Install Policy Package or Device Configuration (deploy-management) | Read-Write | Read-Write    | Read-Only       | Read-Write
Import Policy Package (import-policy-packages)                     | Read-Write | Read-Write    | Read-Only       | Read-Write
Interface Mapping (intf-mapping)                                   | Read-Write | Read-Write    | Read-Only       | Read-Write
AP Manager (device-ap)                                             | Read-Write | Read-Write    | Read-Only       | Read-Write
FortiClient Manager (device-forticlient)                           | Read-Write | Read-Write    | Read-Only       | Read-Write
FortiSwitch Manager (device-fortiswitch)                           | Read-Write | Read-Write    | Read-Only       | Read-Write
VPN Manager (vpn-manager)                                          | Read-Write | Read-Write    | Read-Only       | Read-Write
Log View/FortiView/NOC (log-viewer)                                | Read-Write | Read-Write    | Read-Only       | Read-Only
Event Management (event-management)                                | Read-Write | Read-Write    | Read-Only       | Read-Only
Reports (report-viewer)                                            | Read-Write | Read-Write    | Read-Only       | Read-Only
CLI only settings: realtime-monitor                                | Read-Write | Read-Write    | Read-Only       | (not shown on the page)
CLI only settings: read-passwd                                     | Read-Write | None          | None            | Read-Only
The Log View/FortiView/NOC, Event Management, and Reports settings are only
available when FortiAnalyzer features are enabled. See FortiAnalyzer Features on
page 367.
Creating administrator profiles
To create a new administrator profile, you must be logged in to an account with sufficient privileges, or as a super
user administrator.
To create a custom administrator profile:
1. Go to System Settings > Admin > Profile.
2. Click Create New in the toolbar. The New Profile pane is displayed.
3. Configure the following settings, and then click OK to create the new administrator profile.
Profile Name
Enter a name for this profile.
Description
Optionally, enter a description for this profile. While not a requirement, a
description helps to identify what the profile is for, or the access levels it grants.
Type
Select the type of profile, either System Admin or Restricted Admin.
Permission
Select which permissions to enable from Web Filter Profile, Application
Filter, and IPS Sensor.
This option is only available when Type is Restricted Admin. See
Restricted administrators on page 75 for information.
Permissions
Select None, Read Only, or Read-Write access for the categories as
required.
This option is only available when Type is System Admin.
Editing administrator profiles
To edit an administrator profile, you must be logged in to an account with sufficient privileges, or as a super user
administrator. The profile's name cannot be edited. The Super_User profile cannot be edited, and the predefined
profiles cannot be deleted.
To edit an administrator profile:
1. Go to System Settings > Admin > Profile.
2. Double-click on a profile, right-click on a profile and then select Edit from the menu, or select the profile then click
Edit in the toolbar. The Edit Profile pane opens.
3. Edit the settings as required, and then select OK to apply the changes.
Deleting administrator profiles
To delete a profile or profiles, you must be logged in to an account with sufficient privileges, or as a super user
administrator. The predefined profiles cannot be deleted.
To delete a profile or profiles:
1. Go to System Settings > Admin > Profile.
2. Select the profile or profiles you need to delete.
3. Click Delete in the toolbar, or right-click and select Delete.
4. Select OK in the confirmation box to delete the profile or profiles.
Authentication
The FortiManager system supports authentication of administrators locally, remotely with RADIUS, LDAP, or
TACACS+ servers, and using PKI. Remote authentication servers can also be added to authentication groups
that administrators can use for authentication.
To use PKI authentication, you must configure the authentication before you create the administrator accounts.
See Public Key Infrastructure on page 88 for more information.
To use remote authentication servers, you must configure the appropriate server entries in the FortiManager unit
for each authentication server in your network. New LDAP remote authentication servers can be added and linked
to all ADOMs or specific ADOMs. See LDAP servers on page 91, RADIUS servers on page 92, and TACACS+
servers on page 93 for more information.
Public Key Infrastructure
Public Key Infrastructure (PKI) authentication uses an X.509 certificate authentication library that takes a list of
peers, peer groups, and user groups and returns authentication successful or denied notifications. Administrators
only need a valid X.509 certificate for successful authentication; no username or password is necessary.
To use PKI authentication for an administrator, you must configure the authentication before you create the
administrator accounts. You will also need the following certificates:
- an X.509 certificate for the FortiManager administrator (administrator certificate)
- an X.509 certificate from the Certificate Authority (CA) which has signed the administrator's certificate (CA certificate)
To get the CA certificate:
1. Log into your FortiAuthenticator.
2. Go to Certificate Management > Certificate Authorities > Local CAs.
3. Select the certificate and select Export in the toolbar to save the ca_fortinet.com CA certificate to your
management computer. The saved CA certificate’s filename is ca_fortinet.com.crt.
To get the administrator certificate:
1. Log into your FortiAuthenticator.
2. Go to Certificate Management > End Entities > Users.
3. Select the certificate and select Export in the toolbar to save the administrator certificate to your management
computer. The saved administrator certificate's filename is admin_fortinet.com.p12. This PKCS#12 file is password
protected. You must enter a password on export.
To import the administrator certificate into your browser:
1. In Mozilla Firefox, go to Options > Advanced > Certificates > View Certificates > Import.
2. Select the file admin_fortinet.com.p12 and enter the password used in the previous step.
To import the CA certificate into the FortiManager:
1. Log into your FortiManager.
2. Go to System Settings > Certificates > CA Certificates.
3. Click Import, and browse for the ca_fortinet.com.crt file you saved to your management computer. The
certificate is displayed as CA_Cert_1.
To create a new PKI administrator account:
1. Go to System Settings > Admin > Administrator.
2. Click Create New. The New Administrator dialog box opens.
See Creating administrators on page 71 for more information.
3. Select PKI for the Admin Type.
4. Enter a comment in the Subject field for the PKI administrator.
5. Select the CA certificate from the dropdown list in the CA field.
6. Click OK to create the new administrator account.
PKI authentication must be enabled via the FortiManager CLI with the following
commands:
config system global
set clt-cert-req enable
end
When connecting to the FortiManager GUI, you must use HTTPS when using PKI
certificate authentication.
When both set clt-cert-req and set admin-https-pki-required are
enabled, only PKI administrators can connect to the FortiManager GUI.
Managing remote authentication servers
The FortiManager system supports remote authentication of administrators using LDAP, RADIUS, and TACACS+
remote servers. To use this feature, you must configure the appropriate server entries for each authentication
server in your network, see LDAP servers on page 91, RADIUS servers on page 92, and TACACS+ servers on
page 93 for more information.
Remote authentication servers can be added, edited, deleted, and added to authentication groups (CLI only).
Go to System Settings > Admin > Remote Authentication Server to manage remote authentication servers.
The following options are available:
Create New
Add an LDAP, RADIUS, or TACACS+ remote authentication server. See
LDAP servers on page 91, RADIUS servers on page 92, and TACACS+
servers on page 93.
Edit
Edit the selected remote authentication server. See Editing remote
authentication servers on page 90.
Delete
Delete the selected remote authentication server or servers. See Deleting
remote authentication servers on page 91.
The following information is displayed:
Name
The name of the server.
Type
The server type: LDAP, RADIUS, or TACACS+.
ADOM
The administrative domain(s) which are linked to the remote authentication
server.
Details
Details about the server, such as the IP address.
Editing remote authentication servers
To edit a remote authentication server, you must be logged in to an account with sufficient privileges, or as a
super user administrator. The server's name cannot be edited.
To edit a remote authentication server:
1. Go to System Settings > Admin > Remote Authentication Server.
2. Double-click on a server, right-click on a server and then select Edit from the menu, or select the server then click
Edit in the toolbar. The Edit Server pane for that server type opens.
3. Edit the settings as required, and then select OK to apply the changes.
See LDAP servers on page 91, RADIUS servers on page 92, and TACACS+ servers on page 93 for more
information.
Deleting remote authentication servers
To delete a remote authentication server or servers, you must be logged in to an account with sufficient
privileges, or as a super user administrator.
To delete a remote authentication server or servers:
1. Go to System Settings > Admin > Remote Authentication Server.
2. Select the server or servers you need to delete.
3. Click Delete in the toolbar, or right-click and select Delete.
4. Select OK in the confirmation box to delete the server or servers.
LDAP servers
Lightweight Directory Access Protocol (LDAP) is an Internet protocol used to maintain authentication data that
may include departments, people, groups of people, passwords, email addresses, and printers. LDAP consists of
a data-representation scheme, a set of defined operations, and a request/response network protocol.
If you have configured LDAP support and an administrator is required to authenticate using an LDAP server, the
FortiManager unit sends the administrator’s credentials to the LDAP server for authentication. If the LDAP server
can authenticate the administrator, they are successfully authenticated with the FortiManager unit. If the LDAP
server cannot authenticate the administrator, the FortiManager unit refuses the connection.
To use an LDAP server to authenticate administrators, you must configure the server before configuring the
administrator accounts that will use it.
To add an LDAP server:
1. Go to System Settings > Admin > Remote Authentication Server.
2. Select Create New > LDAP Server from the toolbar. The New LDAP Server pane opens.
3. Configure the following settings, and then click OK to add the LDAP server.
Name
Enter a name to identify the LDAP server.
Server Name/IP
Enter the IP address or fully qualified domain name of the LDAP server.
Port
Enter the port for LDAP traffic. The default port is 389.
Common Name Identifier
The common name identifier for the LDAP server. Most LDAP servers use
cn. However, some servers use other common name identifiers such as
UID.
Distinguished Name
The distinguished name is used to look up entries on the LDAP server.
The distinguished name reflects the hierarchy of LDAP database object
classes above the common name identifier. Clicking the query
distinguished name icon will query the LDAP server for the name and open
the LDAP Distinguished Name Query window to display the results.
Bind Type
Select the type of binding for LDAP authentication: Simple, Anonymous,
or Regular.
User DN
When the Bind Type is set to Regular, enter the user DN.
Password
When the Bind Type is set to Regular, enter the password.
Secure Connection
Select to use a secure LDAP server connection for authentication. Without it,
a Simple or Regular bind sends the administrator's credentials to the LDAP
server in cleartext.
Protocol
When Secure Connection is enabled, select either LDAPS or STARTTLS.
Certificate
When Secure Connection is enabled, select the certificate from the
dropdown list.
Administrative Domain
Choose the ADOMs this server will be linked to: All ADOMs, or Specify for
specific ADOMs.
RADIUS servers
Remote Authentication Dial-In User Service (RADIUS) is a user authentication and network-usage accounting system.
When users connect to a server they type a user name and password. This information is passed to a RADIUS
server, which authenticates the user and authorizes access to the network.
You can create or edit RADIUS server entries in the server list to support authentication of administrators. When
an administrator account’s type is set to RADIUS, the FortiManager unit uses the RADIUS server to verify the
administrator password at log on. The password is not stored on the FortiManager unit.
To use a RADIUS server to authenticate administrators, you must configure the server before configuring the
administrator accounts that will use it.
To add a RADIUS server:
1. Go to System Settings > Admin > Remote Authentication Server.
2. Select Create New > RADIUS Server from the toolbar. The New RADIUS Server pane opens.
3. Configure the following settings, and then click OK to add the RADIUS server.
Name
Enter a name to identify the RADIUS server.
Server Name/IP
Enter the IP address or fully qualified domain name of the RADIUS server.
Port
Enter the port for RADIUS traffic. The default port is 1812. Some RADIUS
servers use port 1645.
Server Secret
Enter the RADIUS server secret.
Secondary Server Name/IP
Enter the IP address or fully qualified domain name of the secondary
RADIUS server.
Secondary Server Secret
Enter the secondary RADIUS server secret.
Authentication Type
Select the authentication type the RADIUS server requires. If you select the
default ANY, FortiManager tries all authentication types.
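The exchange behind these settings, as an added example that is not part of the original guide or of FortiManager's own code: a minimal RADIUS client and server in Python showing how the Server Secret hides the administrator's password inside the Access-Request (RFC 2865 section 5.2) and how the client authenticates the server's reply through the Response Authenticator (RFC 2865 section 3). The secret, user name and password are constructed values. The example goes slightly beyond the page by also showing why a reply forged without the secret, or replayed against a different request, is rejected.

```python
"""RADIUS PAP exchange as a client like FortiManager runs it against the configured server.

Added illustration only: not FortiManager code. Secret, user and password are made up.
"""
import hashlib
import hmac
import secrets
import struct

SHARED_SECRET = b"example-radius-secret"      # constructed; the "Server Secret" field above
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Pad to 16-octet blocks and XOR each block with MD5(secret + previous ciphertext block),
    seeded with the Request Authenticator. MD5 is what the protocol mandates, not a choice."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password.ljust(max(1, (len(password) + 15) // 16) * 16, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of hide_password. Trailing NUL padding is removed."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, key)), block
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; Length counts the two header octets."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, request_auth: bytes = None) -> bytes:
    request_auth = request_auth or secrets.token_bytes(16)  # must be unpredictable per request
    attrs = attribute(ATTR_USER_NAME, username) + \
        attribute(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def parse_attributes(body: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(body):
        attr_type, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("malformed attribute")
        attrs[attr_type] = body[i + 2:i + length]
        i += length
    return attrs


def server_respond(request: bytes, secret: bytes, user_db: dict) -> bytes:
    """Toy RADIUS server: reveal the password, compare, answer with a signed Accept/Reject.
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _, identifier, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = parse_attributes(request[20:length])
    supplied = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    user = attrs.get(ATTR_USER_NAME)
    ok = user in user_db and hmac.compare_digest(supplied, user_db[user])
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, identifier, 20)
    return header + hashlib.md5(header + request_auth + secret).digest()


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client-side check: identifier matches and the Response Authenticator is valid. A reply
    forged without the secret, or made for another request, fails here."""
    if response[1] != request[1]:
        return False
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    req = build_access_request(7, b"fmg-admin", b"correct horse battery", SHARED_SECRET)
    resp = server_respond(req, SHARED_SECRET, {b"fmg-admin": b"correct horse battery"})
    print("accepted" if resp[0] == ACCESS_ACCEPT else "rejected",
          "authentic" if verify_response(resp, req, SHARED_SECRET) else "forged")
```

The hiding step is reversible by anyone who holds the secret and captures the request, and its MD5 construction is the protocol's definition rather than a design choice, so the strength of a RADIUS deployment rests on the length of the Server Secret and on keeping the FortiManager-to-server path on a protected management network. The Secondary Server above is a failover target with its own secret, not a second layer of protection.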
TACACS+ servers
Terminal Access Controller Access-Control System (TACACS+) is a remote authentication protocol that provides
access control for routers, network access servers, and other network computing devices via one or more
centralized servers. It allows a client to accept a user name and password and send a query to a TACACS
authentication server. The server host determines whether to accept or deny the request and sends a response
back that allows or denies network access to the user. The default TCP port for a TACACS+ server is 49.
If you have configured TACACS+ support and an administrator is required to authenticate using a TACACS+
server, the FortiManager unit contacts the TACACS+ server for authentication. If the TACACS+ server can
authenticate the administrator, they are successfully authenticated with the FortiManager unit. If the TACACS+
server cannot authenticate the administrator, the connection is refused by the FortiManager unit.
To use a TACACS+ server to authenticate administrators, you must configure the server before configuring the
administrator accounts that will use it.
To add a TACACS+ server:
1. Go to System Settings > Admin > Remote Authentication Server.
2. Select Create New > TACACS+ Server from the toolbar. The New TACACS+ Server pane opens.
3. Configure the following settings, and then click OK to add the TACACS+ server.
Name
Enter a name to identify the TACACS+ server.
Server Name/IP
Enter the IP address or fully qualified domain name of the TACACS+
server.
Port
Enter the port for TACACS+ traffic. The default port is 49.
Server Key
Enter the key to access the TACACS+ server. The server key can be a
maximum of 16 characters in length.
Authentication Type
Select the authentication type the TACACS+ server requires. If you select
the default ANY, FortiManager tries all authentication types.
Remote authentication server groups
Remote authentication server groups can be used to extend wildcard administrator access. Normally, the
wildcard administrator can only be created for a single server. If multiple servers of different types are grouped
the wildcard administrator can be applied to all of the servers in the group.
Multiple servers of the same type can be grouped to act as backups - if one server fails, the administrator can still
be authenticated by another server in the group.
To use a server group to authenticate administrators, you must configure the group before configuring the
administrator accounts that will use it.
Remote authentication server groups can only be managed using the CLI. For more information, see the
FortiManager CLI Reference.
To create a new remote authentication server group:
1. Open the admin group command shell:
config system admin group
2. Create a new group, or edit an already create group:
edit <group name>
3. Add remote authentication servers to the group:
set member <server name> <server name> ...
4. Apply your changes:
end
To edit the servers in a group:
1. Enter the following CLI commands:
config system admin group
edit <group name>
set member <server name> <server name> ...
end
Only the servers listed in the command will be in the group.
To remove all the servers from the group:
1. Enter the following CLI commands:
config system admin group
edit <group name>
unset member
end
All of the servers in the group will be removed.
To delete a group:
1. Enter the following CLI commands:
config system admin group
delete <group name>
end
Global administration settings
The administration settings page provides options for configuring global settings for administrator access to the
FortiManager device. Settings include:
- Ports for HTTPS and HTTP administrative access
In order to improve security, you can change the default port configurations for administrative connections to
the FortiManager. When connecting to the FortiManager unit when the port has changed, the port must be
included, such as https://<ip_address>:<port>. For example, if you are connecting to the
FortiManager unit using port 8080, the URL would be https://192.168.1.99:8080. When you change
the default port number for HTTP, HTTPS, Telnet, or SSH, ensure that the port number is unique.
- Idle timeout settings
By default, the GUI disconnects administrative sessions if no activity occurs for five minutes. This prevents
someone from using the GUI if the management computer is left unattended.
- GUI language
The language the GUI uses. For best results, you should select the language used by the management
computer.
- GUI theme
The default color theme of the GUI is Blueberry. You can choose another color or an image.
- Password policy
Enforce password policies for administrators.
- Display options
Display or hide advanced configuration options in the GUI. Only the admin administrator can configure these
options.
Only super user administrators can access and configure the administration settings.
The settings are global and apply to all administrators of the FortiManager unit.
To configure the administration settings:
1. Go to System Settings > Admin > Admin Settings.
2. Configure the following settings as needed, then click Apply to save your changes to all administrator accounts:
Administration Settings
HTTP Port
Enter the TCP port to be used for administrative HTTP access. Default: 80.
Select Redirect to HTTPS to redirect HTTP traffic to HTTPS.
HTTPS Port
Enter the TCP port to be used for administrative HTTPS access. Default:
443.
HTTPS & Web Service Server Certificate
Select a certificate from the dropdown list.
Idle Timeout
Enter the number of minutes an administrative connection can be idle
before the administrator must log in again, from 1 to 480 (8 hours). See
Idle timeout on page 99 for more information.
View Settings
Language
Select a language from the dropdown list. See GUI language on page 98
for more information.
Theme
Select a theme for the GUI. The selected theme is not applied until you
click Apply, allowing to you to sample different themes. Default: Blueberry.
Password Policy
Click to enable administrator password policies. See Password policy on
page 97 and Password lockout and retry attempts on page 98 for more
information.
Minimum Length
Select the minimum length for a password, from 8 to 32 characters.
Default: 8.
Must Contain
Select the types of characters a password must contain.
Admin Password Expires after
Select the number of days a password is valid for, after which it must be
changed.
Display Options on GUI
Click to expand the display options.
Show Script
Display the Script menu item.
This menu is located on the Device Manager pane. This is an advanced
FortiManager feature.
Show Add Multiple Button
Display the Add Multiple Devices option.
This option is located on the Device Manager > Devices & Groups pane,
under the More option in the toolbar. This is an advanced FortiManager
feature.
Show Device List Import/Export
Select to display the Import Device List and Export Device List buttons.
This option is located on the Device Manager > Devices & Groups pane,
under the More option in the toolbar. This is an advanced FortiManager
feature.
Password policy
You can enable and configure password policy for the FortiManager.
To configure the password policy:
1. Go to System Settings > Admin > Admin Settings.
2. Click to enable Password Policy.
3. Configure the following settings, then click Apply to apply to password policy.
Minimum Length
Specify the minimum number of characters that a password must be, from 8 to 32.
Default: 8.
Must Contain
Specify the types of characters a password must contain: uppercase and lowercase
letters, numbers, and/or special characters.
Admin Password Expires after
Specify the number of days a password is valid for. When the time expires, an
administrator will be prompted to enter a new password.
Password lockout and retry attempts
By default, the number of password retry attempts is set to three, allowing the administrator a maximum of three
attempts at logging in to their account before they are locked out for a set amount of time (by default, 60
seconds).
The number of attempts and the default wait time before the administrator can try to enter a password again can
be customized. Both settings can be configured using the CLI.
To configure the lockout duration:
1. Enter the following CLI commands:
config system global
set admin-lockout-duration <seconds>
end
To configure the number of retry attempts:
1. Enter the following CLI commands:
config system global
set admin-lockout-threshold <failed_attempts>
end
Example
To set the lockout threshold to one attempt and set a five minute duration before the administrator can try to log
in again, enter the following CLI commands:
config system global
set admin-lockout-duration 300
set admin-lockout-threshold 1
end
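The following script is an added example, not Fortinet code, that checks a saved FortiManager CLI configuration against the lockout values used in the example above and confirms the password policy is on. It parses the config/edit/set/next/end layout the CLI uses; the `admin-lockout-threshold` and `admin-lockout-duration` keys under `config system global` are the ones this guide documents, while the `system password-policy` block name and its `status` key are an assumption about the CLI that this guide does not state. The configuration text is constructed for the example.

```python
"""Audit a FortiManager CLI configuration dump for the admin lockout settings.
Added example, not Fortinet code.

Assumptions (not from the guide): the dump uses the usual Fortinet
config/edit/set/next/end layout, and the password-policy block is named
'system password-policy' with a 'status' key.  The lockout keys under
'system global' are the ones the guide documents.
"""
import shlex

# Constructed sample dump: the factory defaults the guide describes (3 tries,
# 60 s lockout) plus a password-policy block that is still disabled.
SAMPLE_CONFIG = """\
config system global
    set admin-lockout-duration 60
    set admin-lockout-threshold 3
    set hostname "FMG-LAB"
end
config system password-policy
    set status disable
    set minimum-length 8
end
"""


def parse_fortinet_config(text):
    """Parse config/edit/set/next/end into nested dicts.

    'config a b' -> tree['a b'];  'edit "x"' -> a child dict keyed by x;
    'set k v1 v2' -> ['v1', 'v2'] under k.  Values are shell-quoted, so
    shlex handles the double quotes Fortinet puts around strings.
    """
    root, stack = {}, []
    current = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)
        verb, args = words[0], words[1:]
        if verb in ("config", "edit"):
            key = " ".join(args)
            stack.append(current)
            current = current.setdefault(key, {})
        elif verb == "set":
            current[args[0]] = args[1:]
        elif verb == "unset":
            current.pop(args[0], None)
        elif verb in ("next", "end"):
            if not stack:
                raise ValueError("unbalanced %s" % verb)
            current = stack.pop()
        # any other verb is ignored
    if stack:
        raise ValueError("unterminated config block")
    return root


def audit_admin_lockout(tree, max_threshold=3, min_duration=300):
    """Return a list of findings; an empty list means the dump passes.

    The thresholds default to the values used in the guide's CLI example
    (at most 3 attempts, at least a 300 s lockout)."""
    findings = []
    g = tree.get("system global", {})
    thr = int(g.get("admin-lockout-threshold", ["3"])[0])   # FMG default 3
    dur = int(g.get("admin-lockout-duration", ["60"])[0])   # FMG default 60 s
    if thr > max_threshold:
        findings.append("admin-lockout-threshold %d exceeds %d" % (thr, max_threshold))
    if dur < min_duration:
        findings.append("admin-lockout-duration %ds is below %ds" % (dur, min_duration))
    pp = tree.get("system password-policy", {})          # assumed block name
    if pp.get("status", ["disable"])[0] != "enable":
        findings.append("password policy is not enabled")
    return findings


if __name__ == "__main__":
    for finding in audit_admin_lockout(parse_fortinet_config(SAMPLE_CONFIG)):
        print("FINDING:", finding)
```

Run it against the output of `show system global` and `show system password-policy` pasted into a file; the two findings on the sample dump disappear once the settings from the example above are applied and the policy is enabled.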
GUI language
The GUI supports multiple languages, including:
- English
- Simplified Chinese
- Traditional Chinese
- Japanese
- Korean
By default, the GUI language is set to Auto Detect, which automatically uses the language used by the
management computer. If that language is not supported, the GUI defaults to English. For best results, you
should select the language used by the operating system on the management computer.
For more information about language support, see the FortiManager Release Notes.
To change the GUI language:
1. Go to System Settings > Admin > Admin Settings.
2. Under View Settings, in the Language field, select a language, or Auto Detect, from the dropdown list.
3. Click Apply to apply the language change.
Idle timeout
To ensure security, the idle timeout period should be short. By default, administrative sessions are disconnected
if no activity takes place for five minutes. This idle timeout is recommended to prevent anyone from using the
GUI on a PC that was logged in to the GUI and then left unattended. The idle timeout period can be set from 1 to
480 minutes.
To change the idle timeout:
1. Go to System Settings > Admin > Admin Settings.
2. Change the Idle Timeout period as required.
3. Click Apply.
Two-factor authentication
To configure two-factor authentication for administrators you will need the following:
- FortiManager
- FortiAuthenticator
- FortiToken
Configuring FortiAuthenticator
On the FortiAuthenticator, you must create a local user and a RADIUS client.
Before proceeding, ensure you have configured your FortiAuthenticator, created a
NAS entry for your FortiManager, and created or imported FortiTokens.
For more information, see the Two-Factor Authenticator Interoperability Guide and
FortiAuthenticator Administration Guide in the Fortinet Document Library.
Create a local user:
1. Go to Authentication > User Management > Local Users.
2. Click Create New in the toolbar.
3. Configure the following settings:
Username
Enter a user name for the local user.
Password creation
Select Specify a password from the dropdown list.
Password
Enter a password. The password must be a minimum of 8 characters.
Password confirmation
Re-enter the password. The passwords must match.
Allow RADIUS authentication
Enable to allow RADIUS authentication.
Role
Select the role for the new user.
Enable account expiration
Optionally, select to enable account expiration. For more information see
the FortiAuthenticator Administration Guide.
4. Click OK to continue to the Change local user page.
5. Configure the following settings, then click OK.
Disabled
Select to disable the local user.
Password-based authentication
Leave this option selected. Select [Change Password] to change the
password for this local user.
Token-based authentication
Select to enable token-based authentication.
Deliver token code by
Select to deliver token by FortiToken, email, or SMS.
Click Test Token to test the token.
Allow RADIUS authentication
Select to allow RADIUS authentication.
Enable account expiration
Optionally, select to enable account expiration. For more information see
the FortiAuthenticator Administration Guide.
User Role
Role
Select either Administrator or User.
Full Permission
Select to allow Full Permission, otherwise select the admin profiles to apply
to the user. This option is only available when Role is Administrator.
Web service
Select to allow Web service, which allows the administrator to access the
web service via a REST API or by using a client application. This option is
only available when Role is Administrator.
Restrict admin login from trusted management subnets only
Select to restrict admin login from trusted management subnets only, then
enter the trusted subnets in the table. This option is only available when
Role is Administrator.
Allow LDAP Browsing
Select to allow LDAP browsing. This option is only available when Role is
User.
Create a RADIUS client:
1. Go to Authentication > RADIUS Service > Clients.
2. Click Create New in the toolbar.
3. Configure the following settings, then click OK.
Name
Enter a name for the RADIUS client entry.
Client name/IP
Enter the IP address or Fully Qualified Domain Name (FQDN) of the
FortiManager.
Secret
Enter the server secret. This value must match the FortiManager RADIUS
server setting at System Settings > Admin > Remote Authentication
Server.
First profile name
See the FortiAuthenticator Administration Guide.
Description
Enter an optional description for the RADIUS client entry.
Apply this profile based on RADIUS attributes
Select to apply the profile based on RADIUS attributes.
Authentication method
Select Enforce two-factor authentication from the list of options.
Username input format
Select specific user name input formats.
Realms
Configure realms.
Allow MAC-based authentication
Optional configuration.
Check machine authentication
Select to check machine based authentication and apply groups based on
the success or failure of the authentication.
Enable captive portal
Enable various portals.
EAP types
Optional configuration.
For more information, see the FortiAuthenticator Administration Guide, available in
the Fortinet Document Library.
Configuring FortiManager
On the FortiManager, you need to configure the RADIUS server and create an administrator that uses the
RADIUS server for authentication.
Configure the RADIUS server:
1. Go to System Settings > Admin > Remote Authentication Server.
2. Click Create New > RADIUS in the toolbar.
3. Configure the following settings, then click OK.
Name
Enter a name to identify the FortiAuthenticator.
Server Name/IP
Enter the IP address or fully qualified domain name of your
FortiAuthenticator.
Server Secret
Enter the FortiAuthenticator secret.
Secondary Server Name/IP
Enter the IP address or fully qualified domain name of the secondary
FortiAuthenticator, if applicable.
Secondary Server Secret
Enter the secondary FortiAuthenticator secret, if applicable.
Port
Enter the port for FortiAuthenticator traffic.
Authentication Type
Select the authentication type the FortiAuthenticator requires. If you select
the default ANY, FortiManager tries all authentication types.
Note: RADIUS server authentication for local administrator users stored in
FortiAuthenticator requires the PAP authentication type.
Create the administrator:
1. Go to System Settings > Admin > Administrator.
2. Click Create New from the toolbar.
3. Configure the settings, selecting the previously added RADIUS server from the RADIUS Server dropdown list.
See Creating administrators on page 71.
4. Click OK to save the settings.
Test the configuration:
1. Attempt to log in to the FortiManager GUI with your new credentials.
2. Enter your user name and password and click Login.
3. Enter your FortiToken pin code and click Submit to log in to the FortiManager.
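The note above that local FortiAuthenticator users require PAP is worth understanding before choosing the authentication type and the shared secret. PAP does not encrypt the password: it hides it with MD5 keyed by the shared secret and the packet's Request Authenticator (RFC 2865 section 5.2), so anyone who holds the secret can recover it, which is why the secret on the FortiAuthenticator RADIUS client entry must match the one entered here and why the RADIUS exchange should stay on a trusted management network. The following program is an added example, not Fortinet code and not a description of how FortiManager or FortiAuthenticator are implemented: it builds an Access-Request the way a RADIUS client does, lets a minimal server recover and check the password, and verifies the Response Authenticator on the reply. The user name, password and secrets are constructed, and the FortiToken challenge step is not modelled.

```python
"""RFC 2865 PAP exchange between a RADIUS client (the role FortiManager plays)
and a server (the role FortiAuthenticator plays).  Added example, not Fortinet
code.  The shared secrets, user name and password are constructed."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def pap_obfuscate(password, secret, request_auth):
    """User-Password hiding from RFC 2865 section 5.2: the password is padded
    to 16-byte blocks; block i is XORed with MD5(secret || previous block),
    where the 'previous block' for the first block is the Request Authenticator."""
    padded = password + b"\0" * ((-len(password)) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def pap_reveal(hidden, secret, request_auth):
    """Inverse of pap_obfuscate; anyone holding the secret can do this."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\0")


def encode_attrs(attrs):
    """Type-Length-Value encoding; length covers the 2-byte header."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, ln = struct.unpack("!BB", data[i:i + 2])
        if ln < 2:
            raise ValueError("bad attribute length")
        attrs.append((t, data[i + 2:i + ln]))
        i += ln
    return attrs


def build_access_request(ident, secret, username, password, request_auth):
    """Client side: Code, Identifier, Length, Request Authenticator, attributes."""
    attrs = encode_attrs([
        (ATTR_USER_NAME, username),
        (ATTR_USER_PASSWORD, pap_obfuscate(password, secret, request_auth)),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def server_handle(packet, secret, user_db):
    """Server side: recover the password, check it, and sign the reply with
    Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:length]))
    user = attrs[ATTR_USER_NAME]
    pw = pap_reveal(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    reply_code = ACCESS_ACCEPT if user_db.get(user) == pw else ACCESS_REJECT
    header = struct.pack("!BBH", reply_code, ident, 20)     # no reply attributes
    resp_auth = hashlib.md5(header + request_auth + secret).digest()
    return header + resp_auth


def client_verify_reply(reply, request_auth, secret):
    """Client side: discard replies that were not signed with the shared secret."""
    header, resp_auth, attrs = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return expected == resp_auth


def pap_round_trip(secret_client, secret_server, username, password, user_db):
    """Run one exchange; returns (reply code, reply authenticator verified)."""
    request_auth = os.urandom(16)
    req = build_access_request(7, secret_client, username, password, request_auth)
    reply = server_handle(req, secret_server, user_db)
    return reply[0], client_verify_reply(reply, request_auth, secret_client)


if __name__ == "__main__":
    db = {b"fmgadmin": b"S3cret-pass!"}          # constructed server-side user
    print(pap_round_trip(b"shared-secret", b"shared-secret", b"fmgadmin", b"S3cret-pass!", db))
    # Secret mismatch: the server recovers garbage and the client rejects the reply.
    print(pap_round_trip(b"shared-secret", b"other-secret", b"fmgadmin", b"S3cret-pass!", db))
```

Two points follow from the code: a secret mismatch fails both directions (the server cannot recover the password and the client cannot validate the reply), and the protection depends entirely on the secret, so use a long random one and restrict which hosts may send RADIUS to the FortiAuthenticator.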
Device Manager
Use the Device Manager pane to add, configure, and manage devices.
This topic covers navigating the Device Manager pane, adding devices, and managing devices. It also covers
managing FortiExtender wireless WAN extenders.
Additional configuration options and shortcuts are available using the right-click
context menu. Right-click different parts of the navigation panes on the
GUI page to access these context menus.
If workspace or workflow is enabled, the ADOM must be locked before changes can be
made. See Locking an ADOM on page 59.
The Device Manager pane includes the following tabs in the blue banner:
Device & Groups
Add, configure, and view managed and logging devices. Use the toolbar to
add devices, devices groups, and launch the install wizard. See Adding
devices on page 104. The Device & Groups tab also contains a quick
status bar for a selected device group. See Using the quick status bar on
page 133.
Firmware
View information about firmware for devices as well as upgrade firmware.
See Firmware on page 145.
License
View license information for devices as well as push license updates to
devices. See License on page 147.
Provisioning Templates
Configure provisioning templates. For information on system, Threat
Weight, FortiClient, and certificate templates, see Provisioning Templates
on page 149.
Scripts
Create new or import scripts. Scripts is disabled by default. You can enable
this advanced configuration option in System Settings > Admin >
Admin Settings by selecting Show Script, which displays the Scripts tab in the Device
Manager pane. See Scripts on page 154.
SD-WAN
Configure profiles for load balancing SD-WAN links and monitor load-balancing profiles. The SD-WAN tab is
displayed only when central SD-WAN link load balancing is enabled. See SD-WAN Link Load Balance on
page 183.
FortiExtender
View and configure FortiExtender. See FortiExtender on page 186.
ADOMs
You can organize connected devices into ADOMs to better manage the devices. ADOMs can be organized by:
- Firmware version: group all 5.4 devices into one ADOM, and all 5.2 devices into another.
- Geographic regions: group all devices for a specific geographic region into an ADOM, and devices for a separate
region into another ADOM.
- Administrator users: group devices into separate ADOMs based on the specific administrators responsible for each
group of devices.
- Customers: group all devices for one customer into an ADOM, and devices for another customer into another
ADOM.
FortiAnalyzer, FortiCache, FortiClient, FortiDDoS, FortiMail, FortiManager, FortiSandbox, FortiWeb, Chassis,
and FortiCarrier devices are automatically placed in their own ADOMs.
Each administrator profile can be customized to provide read-only, read/write, or restrict access to various ADOM
settings. When creating new administrator accounts, you can restrict which ADOMs the administrator can access,
for enhanced control of your administrator users. For more information on ADOM configuration and settings, see
Administrative Domains on page 49.
For information on adding devices to an ADOM by using the Add Device wizard, see
Adding devices using the wizard on page 105.
Adding devices
You must add devices to the FortiManager system to use FortiManager to manage the devices. You must also
enable Central Management on the managed device by using FortiOS. You can add an existing, operational
device or an unregistered device. You can also provision a new device.
You can add individual devices or multiple devices. Adding devices using the Add Device wizard gives you more
configuration options than using Add Multiple devices.
For a device that is currently online, use the Add Device wizard, select Discover, and follow the steps in the
wizard. Adding an existing device does not result in an immediate connection to the device. Device connection
happens only when you successfully synchronize the device. To provision a new device which is not yet online,
use the Add Device wizard and select Add Model Device.
Adding an operating FortiGate HA cluster to the Device Manager pane is similar to adding a standalone device.
Type the IP address of the master device; FortiManager handles a cluster as a single managed device.
Adding devices using the wizard
You can add devices to the FortiManager unit by using the Add Device wizard. You can use the wizard to
discover devices or add model devices to your FortiManager unit.
You cannot use the Add Device wizard to add FortiAnalyzer to FortiManager. You
must use the Add FortiAnalyzer wizard instead. See Adding FortiAnalyzer devices on
page 114.
Use the Discover option for devices that are currently online and discoverable on your network.
Use the Add Model Device option to add a device that is not yet online. You can configure a model device to
automatically register with FortiManager when the device is online.
When configuring a model device to automatically promote or register with
FortiManager, add the model device to FortiManager by using a pre-shared key. When
the device connects to FortiManager, run the execute central-mgmt
register-device <FMGSN> <KEY> command from the FortiGate console. The
device is automatically promoted or registered, and the configuration of the matched
model device is applied.
For FortiOS 5.4.1 or earlier, you must run the execute central-mgmt
register-device <FMGSN> <KEY> <username> <password> command.
To confirm that a device model or firmware version is supported by current firmware
version running on FortiManager run the following CLI command:
diagnose dvm supported-platforms list
Adding a device using Discover mode
The following steps will guide you through the Add Device wizard phases to add a device using Discover mode.
FortiManager will not be able to communicate with the FortiGate if offline mode is
enabled. Enabling offline mode will prevent FortiManager from discovering devices.
To add a device using Discover mode:
1. If using ADOMs, ensure you are in the correct ADOM.
2. Go to Device Manager > Device & Groups.
3. Click Add Device. The wizard opens.
4. Select Discover. Type the IP address, user name, and password for the device, then click Next.
FortiManager probes the IP address on your network to discover device details, including:
- IP address
- Host name
- Serial number
- Device model
- Firmware version and build
- High Availability status
- Administrator user name
5. Configure the following settings:
Name
Type a unique name for the device. The device name cannot contain
spaces or special characters.
Description
Type a description of the device (optional).
System Template
System templates can be used to centrally manage certain device-level
options from a central location. If required, assign a system template using
the dropdown menu. Alternatively, you can select to configure all settings
per-device inside Device Manager. For more information, see Provisioning
Templates on page 149.
Add to Groups
Select to add the device to any predefined groups.
6. Click Next.
The wizard discovers the device, and performs some or all of the following checks:
- Discovering device
- Creating device database
- Initializing configuration database
- Retrieving configuration
- Retrieving support data
- Updating group membership
- Successfully add device
- Check device status
After the wizard completes the checks, you are asked to choose whether to import policies and objects for the
device now or later.
7. Click Import Later to finish adding the device and close the wizard.
If you click Import Now, the wizard continues. The next step in the wizard depends on whether you are
importing a FortiGate VDOM.
If you are importing a FortiGate VDOM, the following page is displayed with import options for the VDOM.
Select an option, and click Next.
If you are not importing a FortiGate VDOM, the following page is displayed.
8. Set the following options, and click Next:
a. In the Policy Selection section, select Import All or Select Policies and Profile Groups to Import.
b. In the Object Selection section, select Import only policy dependent objects or Import all objects.
c. Check the device interface mappings.
d. Select or clear the Add mappings for all unused device interfaces checkbox.
The list of objects that will be updated is displayed.
9. Click Next.
A detailed summary of the import is shown. Click Download Import Report to download a report of the
import. The report is only available on this page.
10. Click Finish to finish adding the device and close the wizard.
Adding a model device
The following steps will guide you through the Add Device wizard phases to add a device using Add Model
Device mode.
To confirm that a device model or firmware version is supported by the FortiManager's
current firmware version, run the following CLI command:
diagnose dvm supported-platforms list
When adding devices to product-specific ADOMs, you can only add that product type
to the ADOM. When selecting to add a non-FortiGate device to the root ADOM, the
device will automatically be added to the product specific ADOM.
To add a model device:
1. If ADOMs are enabled, select the ADOM to which you want to add the device.
2. Go to Device Manager > Device & Groups.
3. Click Add Device. The Add Device wizard displays.
4. Click Add Model Device and enter the following information:
Add Model Device
Device will be added using the chosen model type and other explicitly
entered information.
Name
Type a descriptive name for the device. This name is displayed in the
Device Name column. Each device must have a unique name, otherwise
the wizard will fail.
Link Device By
The method by which the device will be added, either Serial Number or
Pre-Shared Key.
Serial Number or PreShared Key
Type the device serial number or pre-shared key. This field is mandatory.
If using a pre-shared key, each device must have a unique pre-shared key.
You can change the pre-shared key after adding the model device. See
Editing device information on page 134.
Device Model
Select the device model from the list. If linking by serial number, the serial
number must be entered before selecting a device model.
Firmware Version
Select the device’s firmware version from the dropdown list.
5. Click Next. The device is created in the FortiManager database.
6. Click Finish to exit the wizard.
A device added using the Add Model Device option has similar dashboard options as a device added using
the Discover option. As the device is not yet online, some options are not available.
Adding devices manually
You can manually add devices to the FortiManager unit. The process requires the following steps:
- In FortiOS, you must enable central management on the device by adding the IP address of the FortiManager unit.
As a result, the device is displayed on the FortiManager GUI in the root ADOM on the Device Manager pane in the
Unregistered Devices list.
- In FortiManager, you must manually add unregistered devices. As a result, the device is registered with the
FortiManager unit, and you can use FortiManager to manage the device.
When ADOMs are enabled, the device must be assigned to an ADOM when it is registered.
To manually add devices:
1. In FortiOS, enable central management for the device.
2. In FortiManager, select the root ADOM, and go to Device Manager.
3. In the tree menu, click Unregistered Devices. The content pane displays the unregistered devices.
4. Select the unregistered device or devices, then click Add. The Add Device dialog box opens.
5. If ADOMs are enabled, select the ADOM in the Add the following device(s) to ADOM list. If ADOMs are disabled,
select root.
6. Type the login and password for the device or devices.
7. Click OK to register the device or devices.
The device or devices are added.
Add a VDOM to a device
To add a VDOM to a managed FortiGate device, right-click on the content pane for a particular device and select
Add VDOM from the pop-up menu.
The number of VDOMs you can add is dependent on the device model. For more
information, see the Maximum Values Table in the Fortinet Document Library.
To add a VDOM to a FortiGate device:
1. Go to Device Manager > Device & Groups.
2. In the tree menu, click the group. The devices in the group are displayed in the content pane.
3. In the content pane, right-click a device, and select Add VDOM.
4. Configure the following options, and click OK.
Name
Type a name for the new virtual domain.
Description
Optionally, enter a description of the VDOM.
Enable
Select to enable the VDOM.
Operation Mode
Select either NAT or Transparent.
Inspection Mode
Select an inspection mode.
Interface Members
Click to select each port one by one.
Adding a security fabric group
Before you can add a security fabric group to FortiManager, you must create the security fabric group in FortiOS.
For more information, see the FortiOS Handbook.
You must add to FortiManager the root FortiGate for the security fabric group as well as all FortiGate members of
the security fabric group. Although you can add the root and member FortiGate units in any order to
FortiManager, the added units are only recognized as part of a security fabric group after you add the root
FortiGate.
See also Displaying security fabric topology on page 137.
To add a security fabric group:
1. If using ADOMs, ensure you are in the correct ADOM.
2. Go to Device Manager > Device & Groups.
3. Add the root FortiGate unit for the security fabric group. See Adding a device using Discover mode on page 105.
4. Add each FortiGate unit that is a member of the security fabric group. See Adding a device using Discover mode
on page 105.
5. In the Device Manager content pane, right-click the root FortiGate unit, and select Refresh.
FortiManager retrieves information about the security fabric group via the root FortiGate unit. All units are
displayed in a security fabric group. The Security Fabric icon identifies the group, and the group name is the
serial number for the root FortiGate in the group. Within the group, a * at the end of the device name
identifies the root FortiGate in the group.
Import policy wizard
On the Device Manager > Device & Groups pane, right-click a device, and select Import Policy to launch the
Import Device wizard. This wizard allows you to import interface maps, policy databases, and objects.
After initially importing policies from the device, make all changes related to policies
and objects in Policy & Objects on the FortiManager.
Making changes directly on the FortiGate device will require reimporting policies to
resynchronize the policies and objects.
Device Interface
The Device Interface page allows you to choose an ADOM interface for each device interface. When importing
configuration from a device, all enabled interfaces require a mapping.
Interface maps will be created automatically for unmapped interfaces.
Select Add mapping for all unused device interfaces to automatically create interface maps for unused
interfaces.
Policy
The policy page allows you to create a new policy package for import.
Select a folder from the dropdown menu, specify a policy package name, then configure the following options:
Policy Package Name
Type a name for the policy package.
Folder
Select a folder on the dropdown menu.
Policy Selection
Select to import all, or select specific policies and policies groups to import.
Object Selection
Select Import only policy dependent objects to import policy dependent
objects only for the device.
Select Import all objects to import all objects for the selected device.
Object
The object page searches for dependencies and reports any conflicts it detects. If conflicts are detected, you
must decide whether to use the FortiGate value or the FortiManager value. If there are conflicts, you can select
View Details to view details of each individual conflict, or you can download an HTML conflict file to view all the
details about the conflicts. Duplicates will not be imported.
Click Next to view the objects that are ready to be imported, and then click Next again to proceed with importing.
Import
Objects are imported into the common database, and the policies are imported into the selected package. Click
Next to continue to the summary.
The import process removes all policies that have FortiManager generated policy IDs,
such as 1073741825, that were previously learned by the FortiManager device. The
FortiGate unit may inherit a policy ID from the global header policy, global footer
policy, or VPN console.
Summary
The summary page allows you to download the import device summary results. It cannot be downloaded from
anywhere else.
Adding FortiAnalyzer devices
You can add FortiAnalyzer devices to FortiManager and manage them. When you add a FortiAnalyzer device to
FortiManager, FortiManager automatically enables FortiAnalyzer features. FortiAnalyzer and FortiManager must
be running the same OS version, at least 5.6 or later.
For information about FortiAnalyzer features, see FortiAnalyzer Features on page 367. See also View logs
related to a policy rule on page 216 and Viewing policy rules on page 368.
If FortiAnalyzer features are enabled, you cannot add a FortiAnalyzer unit
to the FortiManager. See FortiAnalyzer Features on page 367.
In addition, you cannot add a FortiAnalyzer unit to the FortiManager when
ADOMs are enabled and ADOM mode is set to Advanced.
ADOMs disabled
When you add a FortiAnalyzer device to FortiManager with ADOMs disabled, all devices with logging enabled can
send logs to the FortiAnalyzer device. You can add only one FortiAnalyzer device to FortiManager, and the
FortiAnalyzer device limit must be equal to or greater than the number of devices managed by FortiManager.
When you add additional devices with logging enabled to FortiManager, the managed devices can send logs to
the FortiAnalyzer device. The new devices display in the Device Manager pane on FortiAnalyzer unit when
FortiManager synchronizes with the FortiAnalyzer unit.
ADOMs enabled
When you add a FortiAnalyzer device to FortiManager with ADOMs enabled, all devices with logging enabled in
the ADOM can send logs to the FortiAnalyzer device. Following are the guidelines for adding a FortiAnalyzer
device to FortiManager when ADOMs are enabled:
- You can add one FortiAnalyzer device to each ADOM, and the FortiAnalyzer device limit must be equal to or greater
than the number of devices in the ADOM.
- The same ADOM name and settings must exist on the FortiAnalyzer device and FortiManager. The wizard
synchronizes these settings for you if there is a mismatch.
- The logging devices in the FortiAnalyzer ADOM and FortiManager ADOM must be the same. The wizard
synchronizes these settings for you.
- You cannot add the same FortiAnalyzer device to multiple ADOMs.
When you add additional devices with logging enabled to an ADOM in FortiManager, the managed devices can
send logs to the FortiAnalyzer device in the ADOM. The new devices display in the Device Manager pane on the
FortiAnalyzer unit when FortiManager synchronizes with the FortiAnalyzer unit.
Provisioning templates for log settings
After you add a FortiAnalyzer device to FortiManager, you can use FortiManager to enable logging for all
FortiGates in the root ADOM (when ADOMs are disabled) or the ADOM (when ADOMs are enabled) by using the
log settings in a system template. See System templates on page 149.
Legacy FortiAnalyzer ADOM
The FortiAnalyzer ADOM supports FortiAnalyzer units added to FortiManager before upgrading to FortiManager
5.6 and later. If you want to use the new functionality, you must delete the FortiAnalyzer unit from FortiManager
and add it by using the Add FortiAnalyzer wizard.
Log storage and configuration
Logs are stored on the FortiAnalyzer device, not the FortiManager device. You configure log storage settings on
the FortiAnalyzer device; you cannot change log storage settings using FortiManager.
Configuration and data for FortiAnalyzer features
When FortiManager manages a FortiAnalyzer unit, all configuration and data is kept on the FortiAnalyzer unit to
support the following FortiAnalyzer features: FortiView, Log View, Event Management, and Reports.
FortiManager remotely accesses the FortiAnalyzer unit to retrieve requested information for FortiAnalyzer
features. For example, if you use the Reports pane in FortiManager to create a report, the report is created on
the FortiAnalyzer unit and remotely accessed by FortiManager.
Adding FortiAnalyzer devices with the wizard
If the FortiAnalyzer unit is receiving logs from devices that are not managed by FortiManager, the wizard requires
you to add the devices to FortiManager by typing the IP address and login credentials for each device. Ensure
that you have the IP addresses and login credentials for each device before you start the wizard.
The Add FortiAnalyzer option is hidden when you cannot add a FortiAnalyzer unit to
the FortiManager unit. For example, the Add FortiAnalyzer option is hidden if you
have already added a FortiAnalyzer unit to the FortiManager unit (when ADOMs are
disabled) or to the ADOM (when ADOMs are enabled). You also cannot add a
FortiAnalyzer unit when you have enabled FortiAnalyzer features for the FortiManager
unit.
FortiManager and FortiAnalyzer must be running 5.6 or later, and the versions must be
the same on both devices.
To add a FortiAnalyzer device:
1. Confirm that the FortiAnalyzer device supports the number of devices managed by FortiManager.
- If ADOMs are disabled, ensure that the FortiAnalyzer device limit is equal to or greater than the number of
devices managed by FortiManager.
- If ADOMs are enabled, ensure that the FortiAnalyzer device limit is equal to or greater than the number of
devices in the ADOM.
2. If ADOMs are enabled, select the ADOM to which you want to add the device.
3. Go to Device Manager > Device & Groups.
4. Click Add Device > Add FortiAnalyzer. The wizard opens.
The Add FortiAnalyzer option is hidden if you've already added a FortiAnalyzer device.
5. Type the IP address, user name, and password for the device, then click Next.
FortiManager probes the IP address on your network to discover FortiAnalyzer device details, including:
- IP address
- Host name
- Serial number
- Device model
- Firmware version (build)
- High Availability status
- Administrator user name
6. Configure the following settings if desired, and click Next:
Name
Type a unique name for the device. The device name cannot contain
spaces or special characters (optional).
Description
Type a description of the device (optional).
The wizard performs the following tasks:
- Compares the ADOM name and configuration as well as devices between FortiAnalyzer and FortiManager
- Verifies the devices in the Device Manager pane for FortiAnalyzer with the devices in the Device Manager
pane for FortiManager
If any discrepancies are found, information is displayed in the Status column, and you can resolve the
discrepancies by clicking the Synchronize ADOM and Devices button.
The following table describes the different statuses:
FMG Only: The device was located in FortiManager, but not FortiAnalyzer. If you proceed with the wizard, the
  device will be added to FortiAnalyzer too.
FAZ Only: The device was located in FortiAnalyzer, but not FortiManager. If you proceed with the wizard, the
  device will be added to FortiManager too. The login and password for the device are required to complete the
  wizard.
Sync: The device was located in both FortiAnalyzer and FortiManager without any differences, and the wizard
  will synchronize the device between FortiManager and FortiAnalyzer.
Mismatched: The device was located in both FortiAnalyzer and FortiManager with some differences, and the
  wizard will synchronize the device settings between FortiManager and FortiAnalyzer to remove the differences.
If the FortiManager ADOM does not exist on the FortiAnalyzer device, a warning is displayed. You can add
the ADOM and devices to FortiAnalyzer by clicking the Synchronize ADOM and Devices button.
7. Click Synchronize ADOM and Devices to continue.
a. If you are synchronizing devices from FortiAnalyzer to FortiManager, type the IP address and login for
each device, and click OK to synchronize the devices.
b. After the devices successfully synchronize, click OK to continue.
The devices, ADOM name, and ADOM version are synchronized between FortiAnalyzer and FortiManager.
8. Click Finish to close the wizard.
The FortiAnalyzer device is displayed on the Device Manager pane as a Managed FortiAnalyzer, and
FortiAnalyzer features are enabled.
After completing the wizard, ensure that you enable logging on the devices, so the managed FortiAnalyzer can
receive logs from the devices. You can enable logging by using the log settings in a system template. See System
templates on page 149.
Importing devices
You can import devices using the following methods:
- Importing detected devices
- Importing and exporting device lists
Importing detected devices
You can import detected devices for each device.
To import detected devices:
1. Ensure that you are in the correct ADOM.
2. Go to the Device Manager tab, and from the Tools menu, click Global Display Options.
3. In the Detected Devices area, select Detected Devices, and click OK.
4. In the tree menu, select a device. The device dashboard is displayed.
5. Click Detected Devices. The Detected Devices pane is displayed.
6. Click Import.
Importing and exporting device lists
Using the Import Device List and Export Device List function, you can import or export a large number of
devices, ADOMs, device VDOMs, and device groups. The device list is a compressed text file in JSON format.
Advanced configuration settings such as dynamic interface bindings are not part of
import/export device lists. Use the backup/restore function to back up the
FortiManager configuration.
The Import and Export Device List features are disabled by default. To enable, go to
System Settings > Admin > Admin Settings, and select the Show Device List
Import/Export checkbox under Display Options on GUI.
Proper logging must be implemented when importing a list. If any add or discovery
operation fails, there must be appropriate event logs generated so you can trace what
occurred.
You can create the compressed text file by exporting a device list from FortiManager.
To export a device list:
1. Go to Device Manager > Device & Groups.
2. Select a device group, such as Managed FortiGates.
3. From the More menu, select Export Device List.
A device list in JSON format is exported in a compressed file (device_list.dat).
To import a device list:
1. Go to Device Manager > Device & Groups.
2. Select a device group, such as Managed FortiGates.
3. From the More menu, select Import Device List.
4. Click Browse and locate the compressed device list file (device_list.dat) that you exported from
FortiManager.
5. Click OK.
Configuring devices
You can configure the FortiGate units in three ways:
- Per device, from the Device Manager dashboard toolbar.
- Per VDOM, from the Device Manager dashboard toolbar.
- Per provisioning template.
This section contains the following topics:
- Configuring a device
- Out-of-Sync device
- Configuring VDOMs
Configuring a device
Configuring a FortiGate unit using the Device Manager dashboard toolbar is very similar to configuring FortiGate
units using the FortiGate GUI. You can also save the configuration changes to the configuration repository and
install them to other FortiGate units at the same time.
This document does not provide detailed procedures for configuring FortiGate units. See the FortiGate
documentation for complete information. The most up-to-date FortiGate documentation is also available in the
Fortinet Document Library.
To configure a FortiGate unit:
1. Go to Device Manager > Device & Groups.
2. In the tree menu, select a device group.
3. In the content pane, select a device.
4. From the Install menu, select Install Config.
5. When the installation configuration is complete, click Finish.
The configuration changes are saved to the FortiManager device database instead of the FortiManager
repository represented by the Revision History window.
To view the history of the configuration installation, click the View History button in
the History column to open the Install History dialog box. This can be particularly
useful if the installation fails.
You can rename and reapply firewall objects after they are created and applied to a
firewall policy. When you do so, the FortiManager system will: delete all
dependencies, delete the object, recreate a new object with the same value, and
recreate the policy to reapply the new object.
Firewall policy reordering on first installation
On the first discovery of a FortiGate unit, the FortiManager system will retrieve the unit's configuration and load it
into the Device Manager. After you make configuration changes and install them, you may see that the
FortiManager system reorders some of the firewall policies in the FortiGate unit’s configuration file.
This behavior is normal for the following reasons:
- The FortiManager system maintains the order of policies in the actual order you see them and manipulate them in
  the GUI, whereas the FortiGate unit maintains the policies in a different order (such as order of creation).
- When loading the policy set, the FortiManager system re-organizes the policies according to the logical order as
  they are shown in the user interface. In other words, FortiManager will group all policies that are organized within
  interface pairs (internal -> external, port1 -> port3, etc.).
The FortiManager system does not move policies within interface pairs. It will only move the configuration
elements so that policies with the same source/destination interface pairs are grouped together.
This behavior would only be seen:
- On the first installation.
- When the unit is first discovered by the FortiManager system. If using the FortiManager system to manage the
  FortiGate unit from the start, you will not observe the policy reordering behavior.
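To make the grouping rule concrete, the following Python script is an added example (not FortiManager's own code and not from this guide) that applies the rule described above to a constructed policy table: policies are grouped by their (source interface, destination interface) pair, pairs keep the order in which they first appear, and the relative order of the policies inside each pair is left untouched. The interface names and policy ids are assumptions chosen for the illustration.

```python
# Added example (not FortiManager's own code): model the first-install policy
# reordering described in the guide. Policies are grouped by (source interface,
# destination interface) pair, pairs keep the order in which they first appear,
# and the relative order of policies inside a pair is never changed.
from typing import Dict, List, Tuple

Policy = Dict[str, object]
IntfPair = Tuple[str, str]

# Constructed sample (interface names and policy ids are assumptions): a FortiGate
# policy table as retrieved on first discovery, in creation order.
DEVICE_POLICIES: List[Policy] = [
    {"policyid": 1, "srcintf": "internal", "dstintf": "wan1", "action": "accept"},
    {"policyid": 2, "srcintf": "port1", "dstintf": "port3", "action": "accept"},
    {"policyid": 3, "srcintf": "internal", "dstintf": "wan1", "action": "deny"},
    {"policyid": 4, "srcintf": "wan1", "dstintf": "internal", "action": "deny"},
    {"policyid": 5, "srcintf": "port1", "dstintf": "port3", "action": "deny"},
    {"policyid": 6, "srcintf": "internal", "dstintf": "wan1", "action": "accept"},
]


def interface_pair(policy: Policy) -> IntfPair:
    """The (srcintf, dstintf) pair a policy belongs to."""
    return (str(policy["srcintf"]), str(policy["dstintf"]))


def group_by_interface_pair(policies: List[Policy]) -> List[Policy]:
    """Stable grouping: dict insertion order gives first-appearance order of the
    pairs, and appending keeps each pair's members in their original order."""
    groups: Dict[IntfPair, List[Policy]] = {}
    for policy in policies:
        groups.setdefault(interface_pair(policy), []).append(policy)
    return [policy for members in groups.values() for policy in members]


def policy_ids(policies: List[Policy]) -> List[int]:
    return [int(p["policyid"]) for p in policies]


def order_within_pairs_preserved(before: List[Policy], after: List[Policy]) -> bool:
    """Invariant from the guide: no policy moves relative to others in its own pair."""
    def per_pair(policies: List[Policy]) -> Dict[IntfPair, List[int]]:
        seq: Dict[IntfPair, List[int]] = {}
        for p in policies:
            seq.setdefault(interface_pair(p), []).append(int(p["policyid"]))
        return seq
    return per_pair(before) == per_pair(after)


def moved_policies(before: List[Policy], after: List[Policy]) -> List[int]:
    """Ids whose absolute position changed: the lines an operator sees shift in
    the installed configuration file after the first install."""
    position_before = {int(p["policyid"]): i for i, p in enumerate(before)}
    return [int(p["policyid"]) for i, p in enumerate(after)
            if position_before[int(p["policyid"])] != i]


if __name__ == "__main__":
    reordered = group_by_interface_pair(DEVICE_POLICIES)
    print("reordered ids:", policy_ids(reordered))
    print("moved:", moved_policies(DEVICE_POLICIES, reordered))
    print("order within pairs preserved:",
          order_within_pairs_preserved(DEVICE_POLICIES, reordered))
```

Running it on the sample table yields the order 1, 3, 6, 2, 5, 4: the three internal -> wan1 policies are pulled together first, then the port1 -> port3 pair, then wan1 -> internal, and `order_within_pairs_preserved` confirms that no policy changed place relative to the others in its own pair. When reviewing a first-install diff, this is the pattern to expect; a change in the order inside a pair is not explained by this behavior and should be investigated.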
Out-of-Sync device
FortiManager is able to detect when the settings were changed on the FortiGate and synchronize back to the
related policy and object settings. This allows you to know when the policy package is out-of-sync with what is
installed on the FortiGate.
When a change is made to the FortiGate, FortiManager displays an out-of-sync dialog box.
Click the View Diff icon to view the changes between the FortiGate and FortiManager.
You can choose to accept the modification, revert it, or decide later.
When accepting remote changes, all local configurations will be replaced by remote
configurations. When reverting, the FortiGate will be reset to the latest revision.
You can view details of the retrieve device configuration action in the Task Monitor. See Task Monitor on
page 480.
Configuring VDOMs
Virtual domains (VDOMs) enable you to partition and use your FortiGate unit as if it were multiple units. For more
information see the FortiOS Handbook available in the Fortinet Document Library.
VDOMs have their own dashboard and toolbar. You can configure the VDOM in the
same way that you can configure a device.
Delete: Select to remove this virtual domain. This function applies to all virtual domains except the root.
Create New: Select to create a new virtual domain.
Management Virtual Domain: Select the management VDOM and select Apply.
Name: The name of the virtual domain and whether it is the management VDOM.
Virtual Domain: Virtual domain type.
IP/Netmask: The IP address and mask. Normally used only for Transparent mode.
Type: Either VDOM Link or Physical.
Access: HTTP, HTTPS, SSH, PING, SNMP, and/or TELNET.
Resource Limit: Select to configure the resource limit profile for this VDOM.
Creating and editing virtual domains
Creating and editing virtual domains in the FortiManager system is very similar to creating and editing VDOMs
using the FortiGate GUI.
You need to enable virtual domains before you can create one.
To enable virtual domains:
1. Go to Device Manager > Device & Groups.
2. In the tree menu, select a device group.
3. In the lower tree menu, select a device. The device dashboard displays.
4. In the System Information widget, select the Enable link in the VDOM field.
To create a virtual domain:
1. In the Device Manager tab, display the device dashboard for the unit you want to configure.
2. From the System menu, select Virtual Domain.
3. Click Create New to create a new VDOM.
The Virtual Domain tab may not be visible in the content pane tab bar. See View
system dashboard for managed/logging devices on page 124 for more information.
After the first VDOM is created you can create additional VDOMs by right-clicking on the existing VDOM and
selecting Add VDOM from the right-click menu.
4. Complete the options, and click OK to create the new VDOM.
Configuring inter-VDOM routing
By default, two virtual domains can communicate only through externally connected physical interfaces.
Inter-VDOM routing creates a link with two ends that act as virtual interfaces, internally connecting the two virtual
domains.
Before configuring inter-VDOM routing:
- You must have at least two virtual domains configured.
- The virtual domains must all be in NAT mode.
- Each virtual domain to be linked must have at least one interface or subinterface assigned to it.
To create a VDOM link:
1. In the Device Manager pane, display the device dashboard for the virtual domain.
2. From the System menu, select Interface.
3. Click Create New > VDOM Link. The New VDOM Link pane opens.
4. Enter the following information:
   Name: Name of the VDOM link.
   Interface #x: The interface number, either 1 or 0.
   VDOM: Select the VDOM.
   IP/Netmask: Type the IP address and netmask for the VDOM.
   Administrative Access: Select the allowed administrative service protocols from: HTTPS, HTTP, PING, SSH,
     Telnet, SNMP, and Web Service.
   Description: Optionally, type a description for the link.
5. Click OK to save your settings.
Deleting a virtual domain
Prior to deleting a VDOM, all policies must be removed from the VDOM. To do this, apply and install a blank, or
empty, policy package to the VDOM (see Create new policy packages on page 209). All objects related to the
VDOM must also be removed, such as routes, VPNs, and admin accounts.
To delete a VDOM:
1. In the Device Manager tab, display the device dashboard for the unit you want to configure.
2. From the System menu, select Virtual Domain.
3. Right-click on the VDOM and select Delete.
4. Click OK in the confirmation dialog box to delete the VDOM.
Using the device dashboard
You can view the dashboard and related information of all managed/logging and provisioned devices.
This section contains the following topics:
- View system dashboard for managed/logging devices
- View system interfaces on page 125
- CLI-Only Objects menu
- System dashboard widgets
View system dashboard for managed/logging devices
You can view information about individual devices in the Device Manager pane on the dashboard for each
device. This section describes the dashboard for a FortiGate unit.
To view the dashboard for managed/logging devices:
1. Go to Device Manager > Device & Groups.
2. In the tree menu, select the device group, for example, Managed FortiGates. The list of devices is displayed in
the content pane and in the bottom tree menu.
When the FortiAnalyzer feature set is enabled, the All FortiGates device group is
replaced with Managed FortiGates and Logging FortiGates. Managed FortiGates
include FortiGate devices, which are managed by FortiManager but do not send logs.
Logging FortiGates include FortiGate devices which are not managed, but do send
logs to FortiManager.
3. In the bottom tree menu, select a device. The System: Dashboard for the device displays in the content pane.
4. In the dashboard toolbar, click the tabs to display different options that you can configure for the device. See
Dashboard toolbar on page 125.
For information on configuring FortiGate settings locally on your FortiManager device, see the FortiOS
Handbook.
5. You can control what tabs are displayed by clicking Display Options. See Display Options on page 125.
Dashboard toolbar
The dashboard toolbar displays tabs that you can use to configure the device. The available tabs depend on the
device. You can choose which tabs to display by clicking Display Options.
The options available on the dashboard toolbar vary depending on which feature set
the device supports. If a feature is not enabled on the device, the corresponding tab is
not available on the toolbar.
Display Options
You can customize panels at both the ADOM and device levels. Select Tools > Display Options to open the
Display Options dialog box to customize the available content at the ADOM level. Alternatively, you can select a
device, and then select Display Options to customize device tabs. You can select to inherit from ADOM or
customize.
The options available when customizing device tabs at the ADOM level will vary based
on the ADOM version.
To select all of the content panels in a particular category, select the checkbox beside the category name. To
reset a category selection, clear the checkbox.
To select all of the content panels, select Check All at the bottom of the window. To reset all of the selected
panels, select Reset to Default at the bottom of the window.
The available device tabs are dependent on the device model and settings configured
for that model. The following tables provide an overview and descriptions of common
dashboard toolbar panels, and content options.
View system interfaces
You can view interface information about individual devices in the Device Manager tab.
To view interfaces for a device:
1. Go to Device Manager > Device & Groups.
2. In the tree menu, select the device group, for example, Managed FortiGates. The list of devices is displayed in
the content pane and in the bottom tree menu.
3. In the bottom tree menu, select a device. The dashboard for the device displays in the content pane.
4. From the System menu, select Interface. The System: Interface dashboard is displayed. The following options
are available:
   Create New: Select to create a new interface or a VDOM link.
   Edit Interface Map: Edit the selected interface.
   Show/Hide Unmapped Zones: Show or hide unmapped zones.
   Collapse All / Expand All: Click to collapse or expand all interfaces.
   Interface: Name of the interface.
   Type: Type of interface.
   Mapped Policy Interface: Name of the policy, if the interface is mapped to a policy.
   Addressing Mode: Type of addressing mode, either manual or DHCP.
   IP/Netmask: IP address and netmask for the interface.
   Access: Configured access to the interface.
   Virtual Domain: Name of the virtual domain.
   Status: Status of the interface. A green circle indicates that the interface is online, and a red circle
     indicates that the interface is offline.
CLI-Only Objects menu
FortiManager includes a CLI-Only Objects menu in the Device Manager pane, which allows you to configure
device settings that are normally configured via the CLI on the device, as well as settings that are not available in
the FortiManager GUI.
To access the CLI-only objects menu:
1. Go to Device Manager > Device & Groups.
2. In the tree menu, select a device group.
3. In the lower tree menu, select a device. The device dashboard is displayed in the content pane.
4. Click Display Options. The Display Options dialog box is displayed.
5. Select the CLI-Only Objects checkbox, and click OK. The CLI-Only Objects menu is displayed in the toolbar.
6. Click CLI-Only Objects.
The options available in the menu will vary from device to device depending on what
feature set the device supports. The options will also vary depending on the device
firmware version.
System dashboard widgets
The system dashboard widgets provide quick access to device information, and device connectivity with the
FortiManager system. The following widgets are available in FortiManager:
- System Information
- License Information
- Connection Summary
- Configuration and Installation Status
The following table provides a description of these dashboard widgets. Note that not all of the listed options will be
available on every device.
System Information
  Host Name: The host name of the device.
  Serial Number: The device serial number.
  System Time: The device system time and date information.
  Firmware Version: The device firmware version and build number.
  Hardware Status: The number of CPUs and the amount of RAM for the device.
  Operation Mode: Displays whether the device is in NAT or Central NAT operation mode.
  Inspection Mode: Displays whether the device is in Proxy or Flow-Based inspection mode.
  HA Mode: FortiGate HA configuration on FortiManager is read-only. Standalone indicates non-HA mode.
    Active-Passive or Active-Active indicates that the device is operating in a cluster.
  VDOM: The status of VDOMs on the device.
  Session Information: Select View Session List to view the device session information.
  Description: Descriptive information about the device.
  Operation: Select Reboot to reboot the device or Shutdown to shut down the device.
License Information
  VM License: The VM license information.
  Support Contract: The support contract information and the expiry date. The support contract includes the
    following: Registration, Hardware, Firmware, and Support Level (e.g. Enhanced Support, Comprehensive Support).
  FortiGuard Services: The contract version, issue date, and service status. FortiGuard Services includes the
    following: Antivirus, Intrusion protection, Web filtering, and Email filtering.
  VDOM: The number of virtual domains that the device supports.
Connection Summary
  IP: The IP address of the device.
  Interface: The port used to connect to the FortiManager system.
  Connecting User: The user name for logging in to the device.
  Connectivity: The device connectivity status and the time it was last checked. A green arrow means that the
    connection between the device and the FortiManager system is up; a red arrow means that the connection is down.
    Select Refresh to test the connection between the device and the FortiManager system.
  Connect to CLI via: Select the method by which you connect to the device CLI, either SSH or TELNET.
Configuration and Installation Status
  System Template: The system template associated with the device. Select Change to set this value.
  Database Configuration: Select View to display the configuration file of the FortiGate unit.
  Total Revisions: Displays the total number of configuration revisions and the revision history. Select Revision
    History to view device history. Select the revision history icon to open the Revision Diff menu. You can view
    the diff from a previous revision or a specific revision and select the output.
  Sync Status: The synchronization status with the FortiManager.
    - Synchronized: The latest revision is confirmed as running on the device.
    - Out_of_sync: The configuration file on the device is not synchronized with the FortiManager system.
    - Unknown: The FortiManager system is unable to detect which revision (in revision history) is currently
      running on the device.
    Select Refresh to update the Installation Status.
  Warning: Displays any warnings related to configuration and installation status.
    - None: No warning.
    - Unknown configuration version running on FortiGate: FortiGate configuration has been changed!: The
      FortiManager system cannot detect which revision (in Revision History) is currently running on the device.
    - Unable to detect the FortiGate version: Connectivity error!
    - Aborted: The FortiManager system cannot access the device.
  Installation Tracking
    Device Settings Status:
      - Modified: Some configuration on the device has changed since the latest revision in the FortiManager
        database. Select Save Now to install and save the configuration.
      - UnModified: All configuration displayed on the device is saved as the latest revision in the FortiManager
        database.
    Installation Preview: Select the icon to display, in a new window, the set of commands that will be used in an
      actual device configuration installation.
    Last Installation: The FortiManager system sent a configuration to the device at the time and date listed.
    Scheduled Installation: A new configuration will be installed on the device at the date and time indicated.
    Script Status: Select Configure to view script execution history.
    Last Script Run: Displays the date when the last script was run against the managed device.
    Scheduled Script: Displays the date when the next script is scheduled to run against the managed device.
The information presented in the System Information, License Information,
Connection Summary, and Configuration and Installation Status widgets will vary
depending on the managed device model.
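The three Sync Status values above, and the accept/revert choice offered for an Out-of-Sync device earlier in this section, can be modelled against a revision history. The following Python script is an added example (not FortiManager's own code and not from this guide). It assumes, for the purpose of the illustration, that the running configuration is matched against stored revisions by a digest of normalized configuration text; the guide does not describe how FortiManager performs this detection, and the revision history and configuration text are constructed samples.

```python
# Added example (not FortiManager's own code): derive the Sync Status shown in the
# Configuration and Installation Status widget from a device's revision history.
# Matching the running config against stored revisions by digest is an assumption
# made for this illustration; the guide does not describe FortiManager's mechanism.
import hashlib
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Revision:
    number: int
    config: str  # configuration text as stored in Revision History


def config_digest(config: str) -> str:
    """SHA-256 over a normalized form so that line-ending and trailing-space
    differences are not reported as configuration drift."""
    lines = [line.rstrip() for line in config.replace("\r\n", "\n").splitlines()]
    return hashlib.sha256("\n".join(lines).encode("utf-8")).hexdigest()


def matching_revision(history: List[Revision], running_config: str) -> Optional[int]:
    """Revision number whose stored config equals what the device runs, or None."""
    running = config_digest(running_config)
    for rev in sorted(history, key=lambda r: r.number, reverse=True):
        if config_digest(rev.config) == running:
            return rev.number
    return None


def sync_status(history: List[Revision], running_config: str) -> str:
    """Synchronized: the latest revision is running. Out_of_sync: an older
    revision is running. Unknown: the running config matches no revision."""
    if not history:
        return "Unknown"
    found = matching_revision(history, running_config)
    if found is None:
        return "Unknown"
    latest = max(rev.number for rev in history)
    return "Synchronized" if found == latest else "Out_of_sync"


def resolve_out_of_sync(history: List[Revision], running_config: str, choice: str) -> Revision:
    """Model the two choices in the out-of-sync dialog. 'accept' stores the remote
    (device) config as a new latest revision; 'revert' yields the latest revision,
    which is what would be reinstalled on the FortiGate."""
    latest = max(history, key=lambda r: r.number)
    if choice == "accept":
        return Revision(latest.number + 1, running_config)
    if choice == "revert":
        return latest
    raise ValueError("choice must be 'accept' or 'revert'")


# Constructed sample revision history (the policy text is illustrative only).
REV1_CONFIG = (
    "config firewall policy\n"
    "    edit 1\n"
    "        set srcintf internal\n"
    "        set dstintf wan1\n"
    "        set action accept\n"
    "    next\n"
    "end\n"
)
REV2_CONFIG = REV1_CONFIG.replace("set action accept", "set action deny")
HISTORY = [Revision(1, REV1_CONFIG), Revision(2, REV2_CONFIG)]
# A change made directly on the FortiGate after revision 2 was installed.
LOCAL_CHANGE = REV2_CONFIG.replace("    next\n", "        set logtraffic all\n    next\n")

if __name__ == "__main__":
    for label, running in (("rev2", REV2_CONFIG), ("rev1", REV1_CONFIG), ("edited", LOCAL_CHANGE)):
        print(label, sync_status(HISTORY, running))
```

With the sample history, a device running revision 2 reports Synchronized, a device still running revision 1 reports Out_of_sync, and a device whose configuration was edited locally after the install reports Unknown, which is the case the Warning field flags as "FortiGate configuration has been changed!". Accepting the change appends the device's configuration as a new revision so that the status returns to Synchronized; reverting hands back the latest stored revision for reinstallation, which discards the local edit.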
Installing to devices
- To use the Install Wizard to install policy packages and device settings to one or more FortiGate devices, see Using
  the Install Wizard to install policy packages and device settings on page 130.
- To use the Install Wizard to install device settings only, see Using the Install Wizard to install device settings only
  on page 131.
- To reinstall a policy package without using the Install Wizard, see Reinstall a policy package on page 213.
Using the Install Wizard to install policy packages and device settings
You can use the Install Wizard to install policy packages and device settings to one or more FortiGate devices,
including any device-specific settings for the devices associated with that package.
To use the Install Wizard to install policy packages and device settings:
1. If using ADOMs, ensure you are in the correct ADOM.
2. In the toolbar, select Install Wizard or Install > Install Wizard.
3. Select Install Policy Package & Device Settings and specify the policy package and other parameters. Click
Next.
   Policy Package: Select the policy package from the dropdown list.
   Comment: Type an optional comment.
   Create ADOM Revision: Select the checkbox to create an ADOM revision.
   Revision Name: Type the revision name.
   Revision Comments: Type an optional comment.
   Schedule Install: Select the checkbox to schedule the installation.
   Date: Click the date field and select the date for the installation in the calendar pop-up.
   Time: Select the hour and minute from the dropdown lists.
4. On the next page, select one or more devices or groups to install, and click Next.
The selected devices are validated. Validation covers the policy and objects, the interfaces, and installation
preparation. Devices with validation errors are skipped for installation. The validation results are displayed.
5. (Optional) Click the Install Preview button to view a preview of the installation. You can also download a text
file of the installation preview details.
6. (Optional) Click the Policy Package Diff button to view the differences between the current policy and the policy
in the device.
See also View a policy package diff on page 132.
7. When validation is complete, click Install or Schedule Install (if you selected Schedule Install).
FortiManager displays the status of the installation and then lists the devices onto which the settings were
installed and any errors or warnings that occurred during the installation process.
8. Click Finish to close the wizard.
Using the Install Wizard to install device settings only
You can use the Install Wizard to install device settings only to one or more FortiGate devices. The Install
Wizard includes a preview feature.
To use the Install Wizard to install device settings only:
1. If using ADOMs, ensure you are in the correct ADOM.
2. In the toolbar, select Install Wizard or Install > Install Wizard.
3. Select Install Device Settings (only) and if you want, type a comment. Click Next.
4. In the Device Settings page, select one or more devices to install, and click Next.
5. (Optional) Preview the changes:
a. Click Install Preview.
The Install Preview window is displayed. You have the option to download a text file of the settings.
b. Click Cancel to return to the installation wizard.
6. Click Install.
FortiManager displays the status of the installation and then lists the devices onto which the settings were
installed and any errors or warnings that occurred during the installation process.
You can click the View History and View Log buttons for more information.
7. Click Finish to close the wizard.
View a policy package diff
You can view the difference between the current policy package and the policy in the device by using Device
Manager.
The connection to the managed device must be up to view the policy package diff.
To view a policy package diff in Device Manager:
1. If using ADOMs, ensure you are in the correct ADOM.
2. Go to Device Manager > Device & Groups.
3. Right-click a device and select Policy Package Diff.
The Policy Package Diff window is displayed after data is gathered.
4. Beside Policy, click the Details link to display details about the policy changes.
5. In the Category row, click the Details link to display details about the specific policy changes.
6. Beside Policy Object, click the Details link to display details about the policy object changes.
7. Click Cancel to close the window.
Managing devices
Once a device has been added to the Device Manager pane, the configuration is available within other tabs in
the FortiManager system, such as Policy & Objects.
This section includes the following topics:
- Using the quick status bar
- Customizing columns
- Refreshing a device
- Editing device information
- Replacing a managed device
- Setting unregistered device options
- Using the CLI console for managed devices
Using the quick status bar
You can quickly view the status of devices on the Device Manager pane by using the quick status bar, which
contains the following information:
- Devices Total
- Devices Connection
- Devices Device Config
- Devices Policy Package
You can click each quick status to display only the devices referenced in the quick status.
To view the quick status bar:
1. Go to Device Manager > Device & Groups. The quick status bar is displayed.
2. In the tree menu, select a group. The devices for the group are displayed in the content pane, and the quick status
bar updates.
3. Click the menu on each quick status to filter the devices displayed on the content pane.
For example, click the menu for Device Config and select Modified. The content pane displays only devices
in the selected group with modified configuration files.
4. Click Devices Total to return to the main view.
Customizing columns
You can choose what columns display on the content pane for the Device Manager > Device & Groups pane.
Column settings are not available for all device types. The default columns also vary by device type.
You can filter columns that have a Filter icon. Column filters are not available for all columns.
The columns available in the Column Settings menu depend on the features enabled in
FortiManager. When the FortiAnalyzer feature set is disabled, all related settings are
hidden in the GUI.
To customize columns:
1. Go to Device Manager > Device & Groups.
2. Click Column Settings and select the columns you want to display.
Refreshing a device
Refreshing a device refreshes the connection between the selected devices and the FortiManager system. This
operation updates the device status and the FortiGate HA cluster member information.
To refresh a device:
1. In the content pane, select a device.
2. Select More > Refresh Device. The Update Device dialog box opens to show the refresh progress.
Editing device information
Use the Edit Device page to edit information about a device. The information and options available on the Edit
Device page depend on the device type, firmware version, and which features are enabled. Some settings only
display when the FortiAnalyzer feature set is enabled.
To edit information for a device or model device:
1. Go to Device Manager > Device & Groups.
2. In the tree menu, select the device group.
3. In the content pane, select the device or model device, and click Edit. The Edit Device pane displays.
4. Edit the device settings as required.
   Name: The name of the device.
   Description: Descriptive information about the device.
   Company/Organization: Company or organization information.
   Country: Type the country.
   Province/State: Type the province or state.
   City: Type the city.
   Contact: Type the contact information.
   Geographic Coordinates: Identifies the latitude and longitude of the device location to support the
     interactive maps.
   IP Address: The IP address of the device.
   Pre-Shared Key: The model device's pre-shared key. Select Show Pre-shared Key to see the key. This option is
     only available when editing a model device that was added with a pre-shared key.
   Automatically link to real device: Automatically register the device with FortiManager when the device is
     online. This option is not available for FortiAnalyzer devices.
   Admin User: The administrator user name.
   Password: The administrator user password.
   Device Information: Information about the device, including some or all of: serial number, device model,
     firmware version, connected interface, HA mode, cluster name, and cluster members.
   Secure Connection: Select to enable a secure connection to the FortiGate device. Include the ID for the device
     and a pre-shared key.
   HA Mode: Displays whether the FortiGate unit is operating in standalone or high availability mode.
   Device Permissions: Specify the permissions for the FortiGate device. Select Logs, DLP Archive, Quarantine,
     or IPS Packet Log.
5. After making the appropriate changes click OK.
Enable Secure Connection to secure OFTP traffic over IPsec. Enabling Secure
Connection increases the load on FortiManager. This feature is disabled by default.
In an HA environment, if you enable Secure Connection on one cluster member, you
must enable Secure Connection on all cluster members.
Replacing a managed device
The serial number is verified before each management connection. If you replace a device, you must manually
change the serial number in the FortiManager system and re-deploy the configuration.
You can only reinstall a device that has a Retrieve button under the Revision History
tab.
View all managed devices from the CLI
To view all devices that are managed by your FortiManager, use the following command:
diagnose dvm device list
The output lists the number of managed devices, device type, OID, device serial number, VDOMs, HA status, IP
address, device name, and the ADOM to which the device belongs.
Changing the serial number from the CLI
If the device serial number was entered incorrectly using the Add Model Device wizard, you can replace the serial
number from the CLI only. Use the command:
execute device replace sn <device name> <serial number>
This command is also useful when performing an RMA replacement.
Setting unregistered device options
In 5.2, setting unregistered device options is from the CLI only. Use the following commands to enable or
disable allowing unregistered devices to be registered with the FortiManager:
config system admin setting
    set allow_register {enable | disable}
    set unreg_dev_opt {add_allow_service | add_no_service}
end
allow_register {enable | disable}
When allow_register is set to enable, you will not receive the unregistered device dialog box.
unreg_dev_opt
Set the action to take when an unregistered device connects to
FortiManager.
add_allow_service
Add unregistered devices and allow service requests.
add_no_service
Add unregistered devices but deny service requests.
When allow_register is set to disable, you will not receive the unregistered device dialog box.
If the FortiManager management interface is reachable from networks you do not control, prefer
add_no_service, or disable allow_register, so that a device nobody has approved is not added with its
service requests honoured as soon as it connects.
Using the CLI console for managed devices
You can access the CLI console of managed devices.
To use the CLI console:
1. Go to Device Manager.
2. In the tree menu, select a device group, and in the bottom of the tree menu, select a device. The device
dashboard displays.
3. On the Connection Summary widget, on the Connect to CLI via line, select TELNET or SSH. Telnet carries the
login and the entire session in cleartext; use SSH unless the device cannot accept it.
Connect to:
Shows the device that you are currently connected to. Select the dropdown
menu to select another device.
IP
The IP address of the connected device.
Telnet | SSH
Connect to the device via Telnet or SSH.
Connect | Disconnect
Connect to the device you select, or terminate the connection.
Close
Exit the CLI console.
You can cut (CTRL+C) and paste (CTRL+V) text from the CLI console. You can also use CTRL+U to remove
the line you are currently typing before pressing ENTER.
Displaying security fabric topology
For security fabric devices, you can display the security fabric topology.
To display the security fabric topology:
1. If using ADOMs, ensure you are in the correct ADOM.
2. Go to Device Manager and click the Devices Total tab in the quick status bar.
3. Right-click a security fabric device and select Fabric Topology.
A pop-up window displays the security fabric topology for that device.
If you selected Fabric Topology by right-clicking a device within the security fabric group, the device is highlighted
in the topology. If you selected Fabric Topology by right-clicking the name of the security fabric group, no device is
highlighted in the topology.
Managing device configurations
The FortiManager system maintains a configuration repository to manage device configuration revisions. After
modifying device configurations, you can save them to the FortiManager repository and install the modified
configurations to individual devices or device groups. You can also retrieve the current configuration of a device or
revert a device’s configuration to a previous revision.
This section contains the following topics:
• View configurations for device groups
• Checking device configuration status
• Managing configuration revision history
View configurations for device groups
You can view configuration information for devices in a group on the Device Manager tab.
To view configurations:
1. Go to Device Manager > Device & Groups.
2. In the tree menu, click the device group name, for example, Managed FortiGates. The devices in the group are
displayed in the content pane.
The following columns are displayed. You can filter columns that have a Filter icon.
Device Name
Name of the device
Config Status
Available for managed devices. Displays the status of the configuration for
the device.
Policy Package Status
Available for managed devices. Displays the status of the policy package
for the device
Hostname
Available for managed devices. Displays the host name for the device.
IP Address
IP address of the device
Platform
Available for managed devices. Displays the platform of the device.
Description
Description of the device
Checking device configuration status
In the Device Manager pane, when you select a device, you can view that device’s basic information under the
device dashboard. You can also check if the current configuration file of the device stored in the FortiManager
repository is in sync with the one running on the device.
If you make any configuration changes to a device directly, rather than using the FortiManager system, the
configuration on the device and the configuration saved in the FortiManager repository will be out of sync. In this
case, you can resynchronize with the device by retrieving the configuration from the device and saving it to the
FortiManager repository.
You can use the following procedures when checking device configuration status on a FortiGate, FortiCarrier, or
FortiSwitch.
To check the status of a configuration installation on a FortiGate unit:
1. Go to Device Manager > Device & Groups and select a device group.
2. In the lower tree menu, select a device. The content pane displays the device dashboard.
3. In the dashboard, locate the Configuration and Installation Status widget.
The Configuration and Installation Status widget shows the following information:
System Template
Displays the name of the selected system template. Click Change to
change the system template.
Database Configuration
Click View to display the database configuration file of the FortiGate unit.
Total Revisions
Displays the total number of configuration revisions and the revision
history.
Click Revision History to view device history. For details, see Managing
configuration revision history on page 140.
Click Revision Diff to compare revisions. For details, see Comparing
different configuration files on page 143.
Sync Status
The synchronization status with the FortiManager.
• Synchronized: The latest revision is confirmed as running on the device.
• Out_of_sync: The configuration file on the device is not synchronized with the FortiManager system.
• Unknown: The FortiManager system is unable to detect which revision (in revision history) is currently
running on the device.
Click Refresh to update the synchronization status.
Warning
Displays any warnings related to configuration and installation status.
• None: No warning.
• Unknown configuration version running on FortiGate: FortiGate configuration has been changed!: The
FortiManager system cannot detect which revision (in revision history) is currently running on the device.
• Unable to detect the FortiGate version: Connectivity error.
• Aborted: The FortiManager system cannot access the device.
Installation Tracking
Device Settings Status
• Modified: Some configuration on the device has changed since the latest revision in the FortiManager
database. Click Save Now to install and save the configuration.
• UnModified: All configuration displayed on the device is saved as the latest revision in the FortiManager
database.
Installation Preview
Click Preview to preview an actual device configuration installation,
including any errors and warnings.
Last Installation
Displays the last installation’s date, time, revision number, and the person
who did the installation.
Scheduled Installation
Displays the date and time when a new configuration will be installed on
the device.
Script Status
Last Script Run
Displays the date and time when the last script was run. Click View History
to see the script execution history.
Scheduled Script
Displays the date and time when the next script is scheduled to run.
Managing configuration revision history
The revision history repository stores all configuration revisions for a device. You can view the version history,
view configuration settings and changes, import files from a local computer, compare different revisions, revert to
a previous revision, and download configuration files to a local computer.
To view the revision history of a FortiGate unit:
1. Go to Device Manager > Device & Groups and select a device group.
2. In the lower tree menu, select a device. The content pane displays the device dashboard.
3. In the dashboard, locate the Configuration and Installation Status widget.
4. In the Total Revisions row, click Revision History.
In the Configuration Revision History dialog box, the following buttons are in the toolbar:
View Config
View the configuration for the selected revision.
View Install Log
View the installation log for the selected revision.
Revision Diff
Show only the changes or differences between two versions of a
configuration file. For details, see Comparing different configuration files
on page 143.
Retrieve Config
View the current configuration running on the device. If there are
differences between the configuration file on the device and the
configuration file in the repository, a new revision is created and assigned a
new ID number.
More
From the More menu, you can select one of the following:
• Download Factory Default
• Revert
• Delete
• Rename
• Import Revision
You can also right-click a revision to access the same options.
The following columns of information are displayed:
ID
The revision number. Double-click an ID to view the configuration file. You
can also click Download to save the configuration file.
Date & Time
The time and date when the configuration file was created.
Name
A name assigned by the user to make it easier to identify specific
configuration versions. You can rename configuration versions.
Created by
The name of the administrator account used to create the configuration
file.
Installation
Display the status of the installation.
N/A indicates that the revision was not sent to the device. The typical
situation is that the changes were part of a later revision that was sent out
to the device. For example, you make some changes and commit the
changes. Now you have a revision called ID1. Then you make more
changes and commit the changes again. Then you have a revision called
ID2, which also includes the changes you made in revision ID1. If you
install revision ID2, then the status of revision ID1 becomes N/A.
Comments
Display the comment added to this configuration file when you rename the
revision.
To view the configuration settings on a FortiGate unit:
1. Go to Device Manager > Device & Groups and select a device group.
2. In the lower tree menu, select a device. The content pane displays the device dashboard.
3. In the dashboard, locate the Configuration and Installation Status widget.
4. In the Total Revisions row, click Revision History.
5. Select the revision, and click View Config. The View Configuration pane is displayed.
6. To download the configuration settings, click Download.
7. Click Return when you finish viewing.
To add a tag (name) to a configuration version on a FortiGate unit:
1. Go to Device Manager > Device & Groups and select a device group.
2. In the lower tree menu, select a device. The content pane displays the device dashboard.
3. In the dashboard, locate the Configuration and Installation Status widget.
4. In the Total Revisions row, click Revision History.
5. Right-click the revision, and select Rename.
6. Type a name in the Tag (Name) field.
7. Optionally, type information in the Comments field.
8. Click OK.
Downloading and importing a configuration file
You can download a configuration file and a factory default configuration file. You can also import a configuration
file into the FortiManager repository. A configuration file contains sensitive material such as administrator
credentials, keys, and the complete security policy, so use Encrypted Download whenever the file will be stored or
transferred outside the management workstation.
You can only import a configuration file that is downloaded from the FortiManager
repository, otherwise the import fails.
To download a configuration file:
1. Go to Device Manager > Device & Groups and select a device group.
2. In the lower tree menu, select a device. The content pane displays the device dashboard.
3. In the dashboard, locate the Configuration and Installation Status widget.
4. In the Total Revisions row, click Revision History.
5. Select the revision you want to download.
6. Click View Config > Download.
7. Select Regular Download or Encrypted Download. If you select Encrypted Download, type a password.
8. Click OK.
To download a factory default configuration file:
1. Go to Device Manager > Device & Groups and select a device group.
2. In the lower tree menu, select a device. The content pane displays the device dashboard.
3. In the dashboard, locate the Configuration and Installation Status widget.
4. In the Total Revisions row, click Revision History.
5. In the toolbar, click Download Factory Default.
To import a configuration file from a local computer:
1. Go to Device Manager > Device & Groups and select a device group.
2. In the lower tree menu, select a device. The content pane displays the device dashboard.
3. In the dashboard, locate the Configuration and Installation Status widget.
4. In the Total Revisions row, click Revision History.
5. Right-click a revision and select Import Revision.
6. Click Browse and locate the file.
7. If the file is encrypted, select File is Encrypted, and type the password.
8. Click OK.
Comparing different configuration files
You can compare the changes or differences between two versions of a configuration file by using the Diff
function.
The Diff function behaves differently under certain circumstances.
For example, when a device is first added to the FortiManager system, the FortiManager system gets the
configuration file directly from the FortiGate unit and stores it as is. This configuration file is version/ID 1.
If you make changes to the device configuration in Device Manager and select Commit, the new configuration
file is saved as version/ID 2. If you use the Diff icon to view the changes/differences between version/ID 1 and
version/ID 2, you will be shown more changes than you have made.
This happens because the items in the file version/ID 1 are ordered as they are on the FortiGate unit.
Configurations of version/ID 2 are sequenced differently when they are edited and committed in Device
Manager. Therefore, when you compare version/ID 1 and version/ID 2, the Diff function sees every item in the
configuration file as changed.
If you take version/ID 2, change an item and commit it, the result is saved as version/ID 3. If you use Diff with
version/ID 2 and version/ID 3, only the changes that you made are shown, because version/ID 2 and
version/ID 3 have both been sequenced in the same way in Device Manager.
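The ordering effect described above, and the out-of-sync situation described under Checking device configuration status, can also be examined outside the GUI with configuration files taken from the revision history (Regular Download). The following is an added example and not code from this guide or from Fortinet: it parses two constructed FortiOS-style revisions into maps of settings and compares those, so that re-sequencing between a device-ordered revision 1 and a Device Manager-ordered revision 2 does not register as a change, while a plain positional line diff of the same two files flags most of the file. The sample configurations and the names parse_fortios, semantic_diff and textual_changed_lines are this example's own.

```python
"""Order-insensitive comparison of two FortiGate configuration revisions.

Added example, not code from the FortiManager guide or from Fortinet. The two
revisions below are constructed: revision 1 in device order, revision 2
re-sequenced by Device Manager after a single edit (admintimeout 5 -> 15).
"""
import difflib
import re

REV1 = """\
config system global
    set hostname "FGT-BRANCH"
    set admintimeout 5
end
config firewall address
    edit "srv-web"
        set subnet 10.1.1.10 255.255.255.255
    next
    edit "srv-db"
        set subnet 10.1.1.20 255.255.255.255
    next
end
"""

# Revision 2: admintimeout changed 5 -> 15; every other line only moved.
REV2 = """\
config firewall address
    edit "srv-db"
        set subnet 10.1.1.20 255.255.255.255
    next
    edit "srv-web"
        set subnet 10.1.1.10 255.255.255.255
    next
end
config system global
    set admintimeout 15
    set hostname "FGT-BRANCH"
end
"""

SET_RE = re.compile(r"^(set|unset) (\S+)\s*(.*)$")


def parse_fortios(text):
    """Return {(section, entry): {setting: value}}; ordering is discarded.

    Handles one level of config/edit/next/end nesting, enough for the sample.
    A set line outside any section is an error rather than a guess.
    """
    cfg = {}
    section = entry = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            section, entry = line[len("config "):], None
        elif line.startswith("edit "):
            entry = line[len("edit "):].strip('"')
        elif line == "next":
            entry = None
        elif line == "end":
            section = entry = None
        elif line.startswith(("set ", "unset ")):
            m = SET_RE.match(line)
            if section is None or m is None:
                raise ValueError(f"line {lineno}: set outside a section or malformed: {raw!r}")
            cfg.setdefault((section, entry), {})[m.group(2)] = m.group(3) or None
        else:
            raise ValueError(f"line {lineno}: unexpected {raw!r}")
    return cfg


def semantic_diff(old_text, new_text):
    """List (section, entry, setting, old, new) for settings that really changed."""
    old, new = parse_fortios(old_text), parse_fortios(new_text)
    changes = []
    for key in sorted(set(old) | set(new), key=lambda k: (k[0], k[1] or "")):
        o, n = old.get(key, {}), new.get(key, {})
        for name in sorted(set(o) | set(n)):
            if o.get(name) != n.get(name):
                changes.append((key[0], key[1], name, o.get(name), n.get(name)))
    return changes


def textual_changed_lines(old_text, new_text):
    """Count the lines a plain positional diff flags as added or removed."""
    diff = difflib.unified_diff(old_text.splitlines(), new_text.splitlines(), lineterm="", n=0)
    return sum(1 for l in diff if l.startswith(("+", "-")) and not l.startswith(("+++", "---")))


if __name__ == "__main__":
    print("positional diff flags", textual_changed_lines(REV1, REV2), "lines")
    for section, entry, name, old, new in semantic_diff(REV1, REV2):
        where = f"{section} {entry}" if entry else section
        print(f"{where}: {name} {old!r} -> {new!r}")
```

Run it as a script to print both counts for the two samples. The comparison matters most for the revision retrieved directly from the device, which is stored in the device's own order; revisions committed in Device Manager are sequenced alike and already diff cleanly. The parser covers one level of config/edit/next/end nesting; a config block nested inside an edit entry would need the section tracking extended to a stack.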
To compare different configuration files:
1. Go to Device Manager > Device & Groups and select a device group.
2. In the lower tree menu, select a device. The content pane displays the device dashboard.
3. In the dashboard, locate the Configuration and Installation Status widget.
4. In the Total Revisions row, click Revision History.
5. Select a revision, and click Revision Diff in the toolbar.
6. Select another version for the diff.
7. In the Diff Output section, select Show Full File Diff, Show Diff Only, or Capture Diff to a Script.
Show Full File Diff shows the full configuration file and highlights all configuration differences.
Show Diff Only shows only configuration differences.
Capture Diff to a Script downloads the diff to a script.
8. Click Apply.
If you selected show diff, the configuration differences are displayed in colored highlights. If you selected
capture to a script, the script is saved in your downloads folder.
To revert to another configuration file:
1. Go to Device Manager > Device & Groups and select a device group.
2. In the lower tree menu, select a device. The content pane displays the device dashboard.
3. In the dashboard, locate the Configuration and Installation Status widget.
4. In the Total Revisions row, click Revision History.
5. Right-click the revision to which you want to revert, and click Revert.
The system immediately reverts to the selected revision.
Device groups
On the Device Manager > Device & Groups pane, you can create, edit, and delete device groups.
Default device groups
When you add devices to FortiManager, devices are displayed in default groups based on the type of device. For
example, all FortiGate devices are displayed in the Managed FortiGates group. You can create custom groups.
Add device groups
You can create a group and add devices to the group.
To add device groups:
1. Go to Device Manager > Device & Groups.
2. From the Device Group menu, select Create New.
3. Complete the options, and click OK.
A group name can contain only numbers (0-9), letters (a-z, A-Z), and limited special characters (- and _).
Manage device groups
You can manage device groups from the Device Manager > Device & Groups pane. From the Device Group
menu, select one of the following options:
Option
Description
Create New
Create a new device group.
Edit
Edit the selected device group. You cannot edit default device groups.
Delete
Delete the selected device group.
You must delete all devices from the group before you can delete the group. You must
delete all device groups from an ADOM before you can delete an ADOM.
Firmware
On the Device Manager > Firmware pane, you can view the firmware installed on managed devices. You can
also view whether a firmware upgrade is available and the upgrade history for devices.
View firmware for device groups
You can view firmware information for devices in a group.
To view firmware:
1. Go to Device Manager.
2. In the tree menu, select the device group name, for example, Managed FortiGates.
3. Click the Firmware tab.
For a description of the options, see Firmware Management on page 145.
Upgrade firmware for device groups
The firmware of the devices within a group can also be updated as a group.
To update device group firmware:
1. Go to Device Manager.
2. In the tree menu, select the device group name, for example, Managed FortiGates.
3. Click the Firmware tab.
4. Locate an applicable firmware image in the Available Upgrade list, then click Upgrade to upgrade all of the
devices in the group to that image.
The upgrade history is also shown and you can view more details by clicking All History.
Firmware Management
FortiGate device firmware can be updated from the Device Manager > Firmware pane. Upgrades can also be
scheduled to occur at a later date.
When Boot to Alternate Partition After Upgrade is selected, the inactive partition will
be upgraded.
In the Device Manager pane, select the Managed FortiGates group, then click the Firmware tab.
The following information and options are available:
Upgrade
Select to upgrade the selected device if the device can be upgraded.
View Release Notes
Select to view the release notes for the FortiOS version of the selected
device.
Imported Images
Select to display the imported images where you can import or delete
images.
Refresh
Refresh the list.
Column Settings
Click to select which columns to display or select Reset to Default to
display the default columns.
Device Name
The names of the FortiGate devices in the group, organized by firmware
version.
Platform
The device platform.
Current Build
The build installed in the device.
Upgrade Available
The current firmware version and build number of the firmware on the
device. If an update is available and can be applied to the device, Upgrade
can be selected to open the Upgrade Firmware dialog box.
Status
The status of the device's license. If the license has expired, the firmware
cannot be upgraded.
Upgrade History
Right-click a device and select Show Upgrade History to view the device’s
upgrade history.
To upgrade a device’s firmware:
1. Go to Device Manager.
2. In the tree menu, select a device group, and then click the Firmware tab.
3. Select a device or device group with an upgrade available that is licensed for firmware upgrades, then click
Upgrade in either the toolbar or in the Upgrade Available column. The Upgrade Firmware dialog box opens.
4. Configure the following settings:
Upgrade to
Select a firmware version from the dropdown list.
Schedule Upgrade
Select to schedule the upgrade, then enter the date and time for the
upgrade, and select an action to take if the update fails:
• Cancel Upgrade
• Retry: enter the number of times to retry and the time between retries.
Boot From Alternate Partition After Upgrade
Selecting this option causes the device to reboot twice during the upgrade
process: first to upgrade the inactive partition, and second to boot back into
the active partition.
5. Click OK.
License
On the Device Manager > License pane, you can view license information for managed devices.
View licenses for device groups
You can view license information for devices in a group.
To view licenses:
1. Go to Device Manager.
2. In the tree menu, select a device group, and then click the License tab.
For a description of the options, see License Management on page 147.
License Management
You can check FortiGate device licenses in Device Manager > License.
In the Device Manager pane, select the Managed FortiGates group, then click the License tab.
The following columns are displayed. You can filter columns that have a Filter icon.
Device Name
Name of the device
Serial Number
Serial number for the device
Firmware Version
Firmware version for the device
Support Contract
License status of the support contract. Hover over the license status to
display expiration details about the following support contracts: hardware,
firmware, enhanced support, and comprehensive support. License status
can include:
• N/A: No support contract
• 24/7: Support contract level that provides support 24 hours per day and 7
days per week
• 8/5: Support contract level that provides support 8 hours per day, 5 days
per week
Hover the mouse over the cell to display details about the support contract.
FortiGuard Subscription
License status of FortiGuard. The status reflects the worst license status of
the individual components of the FortiGuard license. Hover over the license
status to display details about the following components: IPS & Application
Control, Antivirus, Web Filtering, and Email Filtering. License status can
include:
• All valid
• Expires in <time>
• Expired
• Unknown
Hover the mouse over the cell to display details about the FortiGuard
subscription.
Service Status
License status of antivirus and IPS service:
• Update Available
• Up to Date
• Expired
• Unknown
Hover the mouse over the cell to display details about the service status.
Virtual Domains
Number of virtual domains. Click the cart icon to go to the Fortinet support
site (https://support.fortinet.com)
The following buttons are available on the toolbar:
Push Update
Push a license update to the selected device in the group.
Refresh
Refresh the list of devices in the group.
Export
Click to export the device list, device update details, and license details to a
PDF or CSV file format. A file in the selected format is downloaded to the
management computer.
Column Settings
Click to select which columns display on the License pane.
Add-on license
Add-on licenses can be purchased for high-end FortiManager devices to increase the number of devices that can
be managed. An add-on license can only be added using the CLI.
The table below lists the models that can take an add-on license, the number of devices the FortiManager
can manage by default, and the maximum number of devices that can be managed with add-on licenses.
Model        Normal license    With add-on license
FMG-3900E    10000             100000
FMG-3000F    4000              8000
FMG-4000E    4000              8000
To add an add-on license:
1. Purchase an add-on license (https://support.fortinet.com).
2. Open the license file in a text editor.
3. Connect to the CLI and run the following command:
execute add-on-license <license>
Where <license> is the license text, copied and pasted from the text editor.
4. After the system automatically reboots, check the License Information widget to confirm that the number of
Devices/VDOMs that can be managed has increased. See License Information widget on page 455.
Provisioning Templates
Go to Device Manager > Provisioning Templates to access configuration options for the following templates:
• System templates
• Threat Weight templates
• Certificate templates
System templates
The Device Manager > Provisioning Templates > System Templates pane allows you to create and manage
device profiles. A system template is a subset of a model device configuration. Each device or device group can
be linked with a system template. When linked, the selected settings come from the template and not from the
Device Manager database.
By default, there is one generic profile defined. System templates are managed in a similar manner to policy
packages. You can use the context menus to create new device profiles. You can configure settings in the widget
or import settings from a specific device.
Go to the Device Manager > Provisioning Templates > System Templates > default pane to configure system
templates.
System templates are available in 5.2, 5.4, and 5.6 ADOMs. Some settings may not
be available in all ADOM versions.
After making changes in a widget, click Apply to save your changes.
To close a widget, click the Close icon in the widget’s top right.
To select which widgets to display, click Toggle Widgets and select which widgets to display.
To import settings from another device, click the Import icon in the widget’s top right and select the device from
which to import.
The following widgets and settings are available:
Widget
Description
DNS
Primary DNS Server, Secondary DNS Server, Local Domain Name.
NTP Server
Synchronize with NTP Server and Sync Interval settings. You can select to use
the FortiGuard server or specify one or more other servers.
Alert Email
SMTP Server settings including server, authentication, SMTP user ID, and
password.
Admin Settings
Web Administration Ports, Timeout Settings, and Web Administration.
SNMP
SNMP v1/v2c and SNMP v3 settings. In the toolbar, you can select to create, edit,
or delete a record.
To create a new SNMP community, click Create New and specify the community name,
hosts, queries, traps, and SNMP events. SNMP v1 and v2c authenticate with a
community string sent in cleartext, so prefer SNMP v3 with authentication and
privacy wherever the managed devices support it.
Replacement
Messages
You can customize replacement messages. Click Import to select a device and
the objects to import.
Log Settings
You can select Send Logs to FortiAnalyzer/FortiManager and/or Send Logs to
Syslog.
FortiGuard
Select Enable FortiGuard Security Updates to retrieve updates from FortiGuard
servers or from this FortiManager. You can define multiple servers and specify
Update, Rating, or Updates and Rating. You can also select Include Worldwide
FortiGuard Servers.
You can create, edit, or delete templates. Select System Templates in the tree to display the Create New, Edit,
Delete, and Import options in the content pane. You can also select the devices to be associated with the
template by selecting Assign to Device.
To assign a system template to a device:
1. Go to Device Manager > Provisioning Templates > System Templates.
2. In the content pane, select a template and click Assign to Device.
3. Select devices to assign to and click OK.
The devices assigned to the template are shown in the Assign to Device column.
Threat Weight templates
User or client behavior can sometimes increase the risk of being attacked or becoming infected. For example, if
one of your network clients receives email viruses on a daily basis while no other clients receive these
attachments, extra measures may be required to protect that client, or a discussion with the user about this issue
may be warranted.
Before you can decide on a course of action, you need to know the problem is occurring. Threat weight can
provide this information by tracking client behavior and reporting on activities that you determine are risky or
worth tracking.
Threat weight profiles can be created, edited, and assigned to devices. When Threat Weight Tracking is enabled,
the Log Allowed Traffic setting is enabled on all policies. For more information on configuring the Threat Weight
profile, see the FortiOS Handbook.
To create a new threat weight profile:
1. Go to the Device Manager > Provisioning Templates > Threat Weight.
2. Click Create New in the toolbar.
3. In the Create New Threat Weight pane, type a name for the profile.
4. Click OK to create the new threat weight profile.
To edit a threat weight profile:
1. Select a threat weight profile and click Edit. The Edit Threat Weight pane opens.
2. Adjust the threat levels as needed:
Log Threat Weight
Turn on threat weight tracking.
Reset
Reset all the threat level definition values to their defaults.
Import
Import threat level definitions from a device in the ADOM.
Application Protection
Adjust the tracking levels for the different application types that can be
tracked.
Intrusion Protection
Adjust the tracking levels for the different attack types that can be tracked.
Malware Protection
Adjust the tracking levels for the malware or botnet connections that can be
detected.
Packet Based Inspection
Adjust the tracking levels for failed connection attempts and traffic blocked
by firewall policies.
Web Activity
Adjust the tracking levels for various types of web activity.
Risk Level Values
Adjust the values for the four risk levels.
3. Click OK to save your changes.
To assign a threat weight profile to a device:
1. Select a threat weight profile and click Assign to Device.
2. Select devices to assign to and click OK.
The devices assigned to the template are shown in the Assign to Device column.
Certificate templates
The certificate templates menu allows you to create certificate templates for an external certificate authority (CA)
or the local FortiManager CA.
FortiManager includes a certificate authority server for each ADOM. When you create an ADOM, the private and
public key pair is created for the ADOM. The key pair is automatically used when you use FortiManager to define
IPsec VPNs or SSL-VPNs for a device.
When you add a device to an IPsec VPN or SSL-VPN topology with a certificate template that uses the
FortiManager CA, the local FortiManager CA is automatically used. No request for a pre-shared key (PSK) is
generated. When the IPsec VPN or SSL-VPN topology is installed to the device, the following process completes
automatically:
• The FortiGate device generates a certificate signing request (CSR) file.
• FortiManager signs the CSR file and installs the signed certificate on the FortiGate device.
• The CA certificate with public key is installed on the FortiGate device.
Certificate templates are available in 5.0, 5.2, 5.4 and later ADOMs. Some settings
may not be available in all ADOM versions.
The following options are available:
Create New
Create a new certificate template.
Edit
Edit a certificate template. Right-click a certificate template, and select
Edit.
Delete
Delete a certificate template. Right-click a certificate template, and select
Delete.
Generate
Create a new certificate from a device.
To create a new certificate template:
1. Go to Device Manager > Provisioning Templates > Certificate Templates.
2. Click Create New. The Create New Certificate Template pane opens.
3. Enter the following information:
Type
Specify whether the certificate uses an external or local certificate authority
(CA).
When you select External, you must specify details about online
SCEP enrollment.
When you select Local, you are using the FortiManager CA server.
Certificate Name
Type a name for the certificate.
Optional Information
Optionally, type the organization unit, organization, locality (city), province
or state, country or region, and email address.
Key Type
RSA is the default key type. This field cannot be edited.
Key Size
Select the key size from the dropdown list: 512 bit, 1024 bit, 1536 bit, or
2048 bit.
Online SCEP Enrollment
CA Server URL
Type the server URL for the external CA.
Challenge Password
Type the challenge password for the external CA server.
4. Click OK to create the certificate template.
To edit a certificate template:
1. Select a certificate template, and click Edit.
2. Edit the settings as required in the Edit Certificate Template pane, and click OK.
To delete a certificate template:
1. Select a certificate template, and click Delete.
2. Click OK in the confirmation dialog box.
Scripts
Additional configuration options and short-cuts are available using the right-click
menu. Right-click the mouse on different navigation panes in the GUI page to access
these options.
FortiManager scripts enable you to create, execute, and view the results of scripts executed on FortiGate
devices, policy packages, the ADOM database, the global policy package, or the DB. Scripts can also be filtered
based on different device information, such as OS type and platform.
At least one FortiGate device must be configured in the FortiManager system for you to be able to use scripts.
Any scripts that are run on the global database must use complete commands. For
example, if the full command is config system global, do not use conf sys
glob.
Scripts can be written in one of two formats:
• A sequence of FortiGate CLI commands, as you would type them at the command line. A comment line starts with
the number sign (#). A comment line will not be executed.
• Tcl scripting commands to provide more functionality to your scripts, including global variables and decision
structures.
When writing your scripts, it is generally easier to write them in a context-sensitive editor, and then cut and paste
them into the script editor on your FortiManager system. This can help avoid syntax errors and can reduce the
amount of troubleshooting required for your scripts.
For information about scripting commands, see the FortiGate CLI reference.
Before using scripts, ensure the console-output function has been set to
standard in the FortiGate CLI. Otherwise, scripts and other output longer than a
screen in length will not execute or display correctly.
When pushing a script from the FortiManager to the FortiGate with workspace
enabled, you must save the changes in the Policy & Objects tab.
Enabling scripts
You must enable scripts to make the Scripts option visible in the GUI.
To enable scripts:
1. Go to System Settings > Admin > Admin Settings.
2. In the Display Options on GUI section, select Show Scripts. For more information, see Global administration
settings on page 95.
3. Select Apply to apply your changes.
Configuring scripts
To configure, import, export, or run scripts, go to Device Manager > Scripts. The script list for your current
ADOM displays.
The following information displays:
Name
The user-defined script name.
Type
The script type, either CLI or Tcl.
Target
The script target, which is one of the following:
• Device Database
• Policy Package, ADOM Database
• Remote FortiGate Directly (via CLI)
Comments
User defined comment for the script.
Last Modified
The date and time the script was last modified.
The following options are available in the toolbar, in the More menu, or in the right-click menu.
Create New
Creates a new script.
Edit
Edits the selected script.
Delete
Immediately deletes the selected script.
Run Script
Runs the selected script. Select devices, databases, or policy packages and click Run
Now.
More
Click to access the following options:
• Clone: Clone the selected script.
• Import CLI Script: Import a script from your management computer.
• Export: Export the selected script as a .txt file to your management computer.
Search
Enter a search term in the search field to search the scripts.
Run a script
You can enable automatic script execution or create a recurring schedule for the script.
To run a script:
1. Go to Device Manager > Scripts.
2. Select the script, then right-click and select Run from the menu.
Scripts can also be re-run from the script execution history by selecting the run button.
See Script history on page 162 for information.
The Execute Script dialog box will open. This dialog box will vary depending on the script target. You will
either be able to select a device or devices (left image below), or a policy package (right image).
3. Select a device group or devices.
4. Select OK to run the script.
The Run Script dialog box will open, showing the progress of the operation and providing information on its
success or failure.
Scripts can also be run directly on a device using the right-click menu in Device
Manager > Device & Groups.
Add a script
To add a script to an ADOM:
1. Go to Device Manager > Scripts.
2. Select Create New, or right-click anywhere in the script list and select New from the menu, to open the Create
Script dialog box.
3. Enter the required information, then select OK to create the new script.
Script Name
Type a unique name for the script.
View Sample Script
This option points to the FortiManager online help. Browse to the Advanced Features chapter to view sample
scripts.
Comments
Optionally, type a comment for the script.
Type
Specify the type of script.
Run Script on
Select the script target. This setting affects the options presented when you go to run a script. The options
include:
• Device Database
• Policy Package, ADOM Database
• Remote FortiGate Directly (via CLI)
Script Detail
Type the script itself, either manually using a keyboard, or by copying and pasting from another editor.
Advanced Device Filters
Select to adjust the advanced filters for the script. The options include:
• Platform (select from the dropdown list)
• Build
• Device (select from the dropdown list)
• Host name
• SN
Edit a script
All of the same options are available when editing a script as when creating a new script, except the name of the
script cannot be changed.
To edit a script, either double click on the name of the script, or right-click on the script name and select Edit from
the menu. The Edit Script dialog box will open, allowing you to edit the script and its settings.
Clone a script
Cloning a script is useful when you need multiple scripts that are very similar.
To clone a script:
1. Go to Device Manager > Scripts.
2. Right-click a script, and select Clone.
The Clone Script pane opens, showing the exact same information as the original, except copy_ is
appended to the script name.
3. Edit the script and its settings as needed and select OK to create the clone.
Delete a script
To delete a script or scripts from the script list, select a script, or select multiple scripts by holding down the
Control or Shift key, right-click anywhere in the script list window, and select Delete from the menu. Select OK in
the confirmation dialog box to complete the deletion, or select Cancel to cancel the deletion.
Export a script
Scripts can be exported to text files on your local computer.
To export a script:
1. Go to Device Manager > Scripts.
2. Right-click a script, and select Export.
3. If prompted by your web browser, select a location where the file will be saved, or open the file without saving,
then select OK.
Import a script
Scripts can be imported as text files from your local computer.
To import a script:
1. Go to Device Manager > Scripts.
2. Select More > Import CLI Script from the toolbar. The Import CLI Script dialog box opens.
3. Drag and drop the script file onto the dialog box, or click Add Files and locate the file to be imported on your local
computer.
4. Click Import to import the script.
If the script cannot be read, due to an incorrect file type or other issue, an error message will be displayed
and the import process will be canceled.
Script syntax
Most script syntax is the same as that used by FortiOS. For information see the FortiOS CLI Reference,
available in the Fortinet Document Library.
Some special syntax is required by the FortiManager to run CLI scripts on devices.
Syntax applicable for address and address6
    config firewall address
        edit xxxx
            ...regular FOS command here...
            config dynamic_mapping
                edit "<dev_name>"-"<vdom_name>"
                    set subnet x.x.x.x x.x.x.x
                next
            end
        next
    end
Syntax applicable for ippool and ippool6
    config firewall ippool
        edit xxxx
            ...regular FOS command here...
            config dynamic_mapping
                edit "<dev_name>"-"<vdom_name>"
                    set startip x.x.x.x
                    set endip x.x.x.x
                next
            end
        next
    end
Syntax applicable for vip, vip6, vip46, and vip64
    config firewall vip
        edit xxxx
            ...regular FOS command here...
            config dynamic_mapping
                edit "<dev_name>"-"<vdom_name>"
                    set extintf "any"
                    set extip x.x.x.x-x.x.x.x
                    set mappedip x.x.x.x-x.x.x.x
                    set arp-reply enable|disable
                next
            end
        next
    end
Syntax applicable for dynamic zone
    config dynamic interface
        edit xxxx
            set single-intf disable
            set default-mapping enable|disable
            set defmap-intf xxxx
            config dynamic_mapping
                edit "<dev_name>"-"<vdom_name>"
                    set local-intf xxxx
                    set intrazone-deny enable|disable
                next
            end
        next
    end
Syntax applicable for dynamic interface
    config dynamic interface
        edit xxxx
            set single-intf enable
            set default-mapping enable|disable
            set defmap-intf xxxx
            config dynamic_mapping
                edit "<dev_name>"-"<vdom_name>"
                    set local-intf xxxx
                    set intrazone-deny enable|disable
                next
            end
        next
    end
Syntax applicable for dynamic multicast interface
    config dynamic multicast interface
        edit xxx
            set description xxx
            config dynamic_mapping
                edit "fgtname"-"vdom"
                    set local-intf xxx
                next
            end
        next
    end
Syntax applicable for local certificate (dynamic mapping)
    config dynamic certificate local
        edit xxxx
            config dynamic_mapping
                edit "<dev_name>"-"global"
                    set local-cert xxxx
                next
            end
        next
    end
Syntax applicable for vpn tunnel
    config dynamic vpntunnel
        edit xxxx
            config dynamic_mapping
                edit "<dev_name>"-"<vdom_name>"
                    set local-ipsec "<tunnel_name>"
                next
            end
        next
    end
Syntax applicable for vpn console table
    config vpnmgr vpntable
        edit xxxx
            set topology star|meshed|dial
            set psk-auto-generate enable|disable
            set psksecret xxxx
            set ike1proposal 3des-sha1 3des-md5 ...
            set ike1dhgroup XXXX
            set ike1keylifesec 28800
            set ike1mode aggressive|main
            set ike1dpd enable|disable
            set ike1nattraversal enable|disable
            set ike1natkeepalive 10
            set ike2proposal 3des-sha1 3des-md5
            set ike2dhgroup 5
            set ike2keylifetype seconds|kbyte|both
            set ike2keylifesec 1800
            set ike2keylifekbs 5120
            set ike2keepalive enable|disable
            set replay enable|disable
            set pfs enable|disable
            set ike2autonego enable|disable
            set fcc-enforcement enable|disable
            set localid-type auto|fqdn|user-fqdn|keyid|addressasn1dn
            set authmethod psk|signature
            set inter-vdom enable|disable
            set certificate XXXX
        next
    end
Syntax applicable for vpn console node
    config vpnmgr node
        edit "1"
            set vpntable "<table_name>"
            set role hub|spoke
            set iface xxxx
            set hub_iface xxxx
            set automatic_routing enable|disable
            set extgw_p2_per_net enable|disable
            set banner xxxx
            set route-overlap use-old|use-new|allow
            set dns-mode manual|auto
            set domain xxxx
            set local-gw x.x.x.x
            set unity-support enable|disable
            set xauthtype disable|client|pap|chap|auto
            set authusr xxxx
            set authpasswd xxxx
            set authusrgrp xxxx
            set public-ip x.x.x.x
            config protected_subnet
                edit 1
                    set addr xxxx xxxx ...
                next
            end
        next
    end
Syntax applicable for setting installation target on policy package
    config firewall policy
        edit x
            ...regular policy command here...
            set _scope "<dev_name>"-"<vdom_name>"
        next
    end
Syntax applicable for global policy
    config global header policy
        ...regular policy command here...
    end
    config global footer policy
        ...regular policy command here...
    end
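The dynamic_mapping blocks above repeat once per device, and in practice they are generated from an inventory rather than typed by hand. The following Python is an added example, not FortiManager's own tooling: it renders the address syntax shown above for a set of devices and validates each subnet before writing it, so a malformed value fails locally instead of on the device. The device names, VDOM names and subnets are constructed sample values.

```python
"""Render a FortiManager CLI script that creates one firewall address object
with per-device dynamic mappings, using the config dynamic_mapping syntax
from the Script syntax section.

Added example, not FortiManager's own tooling. Device names, VDOM names and
subnets are constructed sample values.
"""
from ipaddress import IPv4Network

# Constructed inventory: (device name, VDOM name) -> subnet that device should use.
SAMPLE_MAPPINGS = {
    ("branch-fgt-01", "root"): "10.1.0.0/24",
    ("branch-fgt-02", "root"): "10.2.0.0/24",
}


def subnet_pair(cidr):
    """Convert '10.1.0.0/24' to the 'address netmask' form the CLI expects.
    strict=True rejects host bits, so a typo fails here, not on the device."""
    net = IPv4Network(cidr, strict=True)
    return f"{net.network_address} {net.netmask}"


def render_address_script(name, default_subnet, mappings, indent="    "):
    """Return the script text for firewall address `name`.

    `default_subnet` is the regular FOS value; each entry in `mappings`
    becomes an edit "<dev_name>"-"<vdom_name>" block overriding it.
    """
    i = indent
    lines = [
        "config firewall address",
        f'{i}edit "{name}"',
        f"{i * 2}set subnet {subnet_pair(default_subnet)}",
        f"{i * 2}config dynamic_mapping",
    ]
    for (dev, vdom), cidr in sorted(mappings.items()):
        lines += [
            f'{i * 3}edit "{dev}"-"{vdom}"',
            f"{i * 4}set subnet {subnet_pair(cidr)}",
            f"{i * 3}next",
        ]
    # close dynamic_mapping, then the object, then the table
    lines += [f"{i * 2}end", f"{i}next", "end"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_address_script("branch_lan", "10.0.0.0/8", SAMPLE_MAPPINGS))
```

The generated text can be pasted into the Script Detail field or saved as a .txt file and imported with More > Import CLI Script; the same pattern extends to the ippool and vip syntax by changing the table name and the per-device set lines.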
Script history
The execution history of scripts run on specific devices can be viewed from a device’s dashboard. The script log
can be viewed in the Task Monitor. The script execution history table also allows for viewing the script history, and
re-running the script.
To view the script execution history:
1. Go to Device Manager > Device & Groups.
2. In the tree menu, select the device group, for example, Managed FortiGates. The list of devices display in the
content pane and in the bottom tree menu.
3. In the bottom tree menu, select the device whose script history you want to view. The System: Dashboard for the
device displays in the content pane.
4. In the Configuration and Installation Status widget, select View History in the Script Status field to open the
Script Execution History pane.
5. To view the script history for a specific script, select the Browse icon in the far right column of the table to open
the Script History dialog box.
6. To re-run a script, select the Run script now icon in the far right column of the table. The script is re-run. See Run a
script on page 156.
7. Select Return to return to the device dashboard.
To view a script log:
1. Go to System Settings > Task Monitor.
2. Locate the script execution task whose log you need to view, and expand the task.
3. Select the History icon to open the script log window.
For more information, see Task Monitor on page 480.
Script samples
This section helps familiarize you with FortiManager scripts, provides some script samples, and provides some
troubleshooting tips.
The scripts presented in this section are in an easy to read format that includes:
• the purpose or title of the script
• the script itself
• the output from the script (blank lines are removed from some output)
• any variations that may be useful
• which versions of FortiOS this script will execute on
Do not include \r in your scripts as this will cause the script to not process properly.
Script samples include:
• CLI scripts
• Tcl scripts
CLI scripts
CLI scripts include only FortiOS CLI commands as they are entered at the command line prompt on a FortiGate
device. CLI scripts do not include Tool Command Language (Tcl) commands, and the first line of the script is not
“#!” as it is for Tcl scripts.
CLI scripts are useful for specific tasks such as configuring a routing table, adding new firewall policies, or getting
system information. These example tasks easily apply to any or all FortiGate devices connected to the
FortiManager system.
However, the more complex a CLI script becomes, the less it can be used with all FortiGate devices; it quickly
becomes tied to one particular device or configuration. For example, a script that includes the specific IP address
of a FortiGate device’s interfaces cannot be executed on a different FortiGate device.
Samples of CLI scripts have been included to help get you started writing your own scripts for your network
administration tasks.
Error messages will help you determine the causes of any CLI scripting problems, and fix them. For more
information, see Error Messages on page 168.
The troubleshooting tips section provides some suggestions on how to quickly locate and fix problems in your CLI
scripts. For more information, see Troubleshooting Tips on page 168.
CLI script samples
There are two types of CLI scripts. The first type is getting information from your FortiGate device. The second
type is changing information on your FortiGate device.
Getting information remotely is one of the main purposes of your FortiManager system, and CLI scripts allow you
to access any information on your FortiGate devices. Getting information typically involves only one line of script
as the following scripts show.
To view interface information for port1:
Script
    show system interface port1
Output
    config system interface
        edit "port1"
            set vdom "root"
            set ip 172.20.120.148 255.255.255.0
            set allowaccess ping https ssh
            set type physical
        next
    end
Variations
Remove the interface name to see a list that includes all the interfaces on the FortiGate device, including virtual
interfaces such as VLANs.
Note
This script does not work when run on a policy package.
If the preceding script is run on the FortiGate Directly (via CLI), or on the device database of a FortiGate that has
VDOMs enabled, the script must be modified to the following:
    config global
        show system interface port1
    end
Running the script on the device database does not yield any useful information:
View the log of script running on device: FortiGate-VM64-70
------- Executing time: 2013-10-15 13:27:32 -----
Starting log (Run on database)
config global
end
Running script on DB success
------- The end of log ----------
The script should be run on the FortiGate Directly (via CLI):
View the log of script running on device: FortiGate-VM64-70
------- Executing time: 2013-10-15 13:52:02 -----
Starting log (Run on device)
FortiGate-VM64 $ config global
FortiGate-VM64 (global) $ show system interface port1
config system interface
    edit "port1"
        set vdom "root"
        set ip 10.2.66.181 255.255.0.0
        set allowaccess ping https ssh snmp http telnet fgfm auto-ipsec radius-acct probe-response capwap
        set type physical
        set snmp-index 1
    next
end
FortiGate-VM64 (global) $ end
------- The end of log ----------
To view the entries in the static routing table on a FortiGate that has VDOMs enabled, the script has to be rewritten
as follows and run on the FortiGate Directly (via CLI):
    config vdom
        edit root
            show route static
        next
    end
Here is a sample run of the preceding script running on the FortiGate Directly (via CLI).
View the log of script running on device: FortiGate-VM64-70
------- Executing time: 2013-10-15 14:24:10 -----
Starting log (Run on device)
FortiGate-VM64 $ config vdom
FortiGate-VM64 (vdom) $ edit root
current vf=root:0
FortiGate-VM64 (root) $ show route static
config router static
    edit 1
        set device "port1"
        set gateway 10.2.0.250
    next
end
FortiGate-VM64 (root) $ next
FortiGate-VM64 (vdom) $ end
------- The end of log ----------
To view the entries in the static routing table:
Script
    show route static
Output
    config router static
        edit 1
            set device "port1"
            set gateway 172.20.120.2
        next
        edit 2
            set device "port2"
            set distance 7
            set dst 172.20.120.0 255.255.255.0
            set gateway 172.20.120.2
        next
    end
Variations
none
View information about all the configured FDN servers on this device:
Script
    config global
        diag debug rating
    end
Output
View the log of script running on device: FortiGate-VM64
------- Executing time: 2013-10-15 14:32:15 -----
Starting log (Run on device)
FortiGate-VM64 $ config global
FortiGate-VM64 (global) $ diagnose debug rating
Locale : english
License : Contract
Expiration : Thu Jan 3 17:00:00 2030
-=- Server List (Tue Oct 15 14:32:49 2013) -=-
IP              Weight  RTT  Flags  TZ  Packets  Curr Lost  Total Lost
192.168.100.206 35      2    DIF    -8  4068     72         305
192.168.100.188 36      2    F      -8  4052     72         308
FortiGate-VM64 (global) $ end
------- The end of log ----------
Variations
Output for this script will vary based on the state of the FortiGate device. The preceding output is for a FortiGate
device that has never been registered.
For a registered FortiGate device without a valid license, the output would be similar to:
Locale : english
License : Unknown
Expiration : N/A
Hostname : guard.fortinet.net
-=- Server List (Tue Oct 3 09:34:46 2006) -=-
IP  Weight  Round-time  TZ  Packets  Curr Lost  Total Lost
** None **
Setting FortiGate device information with CLI scripts gives you access to more settings and allows you more
fine-grained control than you may have in the Device Manager. CLI commands also allow access to more advanced
options that are not available in the FortiGate GUI. Scripts that set information require more lines.
Any scripts that you will be running on the global database must include the full CLI
commands and not use short forms for the commands. Short form commands will not
run on the global database.
Create a new account profile called policy_admin allowing read-only access to policy related
areas:
Script
    config global
        config system accprofile
            edit "policy_admin"
                set fwgrp read
                set loggrp read
                set sysgrp read
            next
        end
    end
Output
View the log of script running on device:FortiGate-VM64
------- Executing time: 2013-10-16 13:39:35 -----
Starting log (Run on device)
FortiGate-VM64 $ config global
FortiGate-VM64 (global) $ config system accprofile
FortiGate-VM64 (accprofile) $ edit "prof_admin"
FortiGate-VM64 (prof_admin) $ set fwgrp read
FortiGate-VM64 (prof_admin) $ set loggrp read
FortiGate-VM64 (prof_admin) $ set sysgrp read
FortiGate-VM64 (prof_admin) $ next
FortiGate-VM64 (accprofile) $ end
FortiGate-VM64 (global) $ end
------- The end of log ----------
Variations
This profile is read-only to allow a policy administrator to monitor this device’s configuration and traffic.
Variations may include enabling other areas as read-only or write permissions based on that account type’s
needs.
With the introduction of global objects/security console (global database), you can run a CLI script on the
FortiManager global database in addition to running it on a FortiGate unit directly. Compare the following sample
scripts:
• Running a CLI script on a FortiGate unit
    config vdom
        edit "root"
            config firewall policy
                edit 10
                    set srcintf "port5"
                    set dstintf "port6"
                    set srcaddr "all"
                    set dstaddr "all"
                    set status disable
                    set schedule "always"
                    set service "ALL"
                    set logtraffic disable
                next
            end
    end
• Running a CLI script on the global database
    config firewall policy
        edit 10
            set srcintf "port5"
            set dstintf "port6"
            set srcaddr "all"
            set dstaddr "all"
            set status disable
            set schedule "always"
            set service "ALL"
            set logtraffic disable
        next
    end
Error Messages
Most error messages you will see are regular FortiGate CLI error messages. If you are familiar with the CLI you
will likely recognize them.
Other error messages indicate your script encountered problems while executing, such as:
• command parse error: It was not possible to parse this line of your script into a valid FortiGate CLI command.
Common causes for this are misspelled keywords or an incorrect command format.
• unknown action: Generally this message indicates the previous line of the script was not executed, especially if
the previous line accesses an object such as “config router static”.
• Device XXX failed-1: This usually means there is a problem with the end of the script. XXX is the name of
the FortiGate unit the script is to be executed on. If a script has no end statement or that line has an error in it you
may see this error message. You may also see this message if the FortiGate unit has not been synchronized by
deploying its current configuration.
Troubleshooting Tips
Here are some troubleshooting tips to help locate and fix problems you may experience with your scripts.
• Check the script output. Generally the error messages displayed here will help you locate and fix the problem.
• See the FortiGate CLI Reference for more information on all CLI commands.
• There is a limit to the number of scripts allowed on the FortiManager unit. Try removing an old script before trying to
save your current one.
• As mentioned at the start of this chapter, ensure the console more command is disabled on the FortiGate
devices where scripts execute. Otherwise a condition may occur where both the FortiGate device and the
FortiManager system are waiting for each other to respond until they timeout.
• There should be no punctuation at the start or end of the lines.
• Only whitespace is allowed on the same line as the command. This is useful in lining up end and next commands
for quick and easy debugging of the script.
• Keep your scripts short. They are easier to troubleshoot and it gives you more flexibility. You can easily execute a
number of scripts after each other.
• Use full command names. For example instead of “set host test” use “set hostname test”. This is required for any
scripts that are to be run on the global database.
• Use the number sign (#) to comment out a line you suspect contains an error.
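Several of the tips above, together with the earlier rule that scripts run on the global database must use complete command names and the note that a script must not contain \r, can be checked before a script is pushed rather than discovered in the execution log. The following Python linter is an added example, not FortiManager's own tooling: the abbreviation table is an assumption built from the two short forms the page mentions (conf sys glob and set host), the punctuation set is a conservative reading of the tip, and the three sample scripts are constructed.

```python
"""Pre-push linter for FortiManager CLI scripts.

Added example, not FortiManager's own tooling. It mechanises the checks the
Scripts section calls out: no carriage-return characters in the file, full
command names for scripts that target the global database, no punctuation at
the start or end of a line, and balanced config/end and edit/next blocks (a
script that never closes its last block is the usual cause of
"Device XXX failed-1").
"""

# Short forms and their full spellings. Constructed from the two examples on
# the page ("conf sys glob", "set host"); extend it for your own scripts.
SHORT_FORMS = {"conf": "config", "sys": "system", "glob": "global", "host": "hostname"}

# Characters taken to be the "punctuation at the start or end of lines" the
# troubleshooting tips warn about. Quotes are not included: values such as
# set service "ALL" legitimately end with one.
EDGE_PUNCT = ".,;:"


def _checkable_tokens(tokens):
    """Tokens compared against SHORT_FORMS: the whole command path for
    config/show/get lines, only keyword and attribute name for set lines,
    because a set value (for example a hostname) may be a short word."""
    if tokens[0] in ("set", "unset"):
        return tokens[:2]
    return tokens


def lint_script(text, target="device"):
    """Return a list of (line_number, message); an empty list means clean.

    target is "device" or "global"; only the global database rejects short
    forms. Line 0 is used for findings about the file as a whole.
    """
    findings = []
    if "\r" in text:
        findings.append((0, "script contains \\r; use LF line endings only"))
    stack = []  # open blocks, innermost last: "config" or "edit"
    lineno = 0
    for lineno, raw in enumerate(text.replace("\r", "").split("\n"), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and # comments are not executed
        if line[0] in EDGE_PUNCT or line[-1] in EDGE_PUNCT:
            findings.append((lineno, "punctuation at start or end of line"))
        tokens = line.split()
        if target == "global":
            for tok in _checkable_tokens(tokens):
                if tok in SHORT_FORMS:
                    findings.append((lineno, f"short form '{tok}' is not accepted on the global database; use '{SHORT_FORMS[tok]}'"))
        kw = tokens[0]
        if kw in ("config", "edit"):
            stack.append(kw)
        elif kw == "next":
            if stack and stack[-1] == "edit":
                stack.pop()
            else:
                findings.append((lineno, "'next' without a matching 'edit'"))
        elif kw == "end":
            # end closes the innermost config, including an edit still open inside it
            while stack and stack[-1] == "edit":
                stack.pop()
            if stack:
                stack.pop()
            else:
                findings.append((lineno, "'end' without a matching 'config'"))
    if stack:
        findings.append((lineno, f"{len(stack)} block(s) still open at end of script; the device will report failed-1"))
    return findings


# Constructed sample scripts for a quick self-check.
GOOD_SCRIPT = "config system global\n    set hostname test\nend\n"
SHORT_FORM_SCRIPT = "conf sys glob\n    set host test\nend\n"
UNCLOSED_SCRIPT = 'config firewall address\n    edit "lan"\n        set subnet 10.0.0.0 255.0.0.0\n    next\n'

if __name__ == "__main__":
    for label, script in [("good", GOOD_SCRIPT), ("short", SHORT_FORM_SCRIPT), ("unclosed", UNCLOSED_SCRIPT)]:
        print(label, lint_script(script, target="global"))
```

Run it over a script file before importing it into Device Manager > Scripts; because a short form such as conf is not recognised as the config keyword, the block-balance check also reports the end that no longer has an opener, which is exactly what the device would complain about.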
Tcl scripts
Tcl is a dynamic scripting language that extends the functionality of CLI scripting. In FortiManager Tcl scripts, the
first line of the script is “#!” as it is for standard Tcl scripts.
Do not include the exit command that normally ends Tcl scripts; it will prevent the
script from running.
This guide assumes you are familiar with the Tcl language and regular expressions, and instead focuses on how
to use CLI commands in your Tcl scripts. Where you require more information about Tcl commands than this
guide contains, please refer to resources such as the Tcl newsgroup, Tcl reference books, and the official Tcl
website at http://www.tcl.tk.
Tcl scripts can do more than just get and set information. The benefits of Tcl come from:
• variables to store information,
• loops to repeat commands that are slightly different each time,
• decisions to compare information from the device.
The sample scripts in this section contain procedures that you can combine in your own scripts. The samples
each focus on one of four areas:
• Tcl variables
• Tcl loops
• Tcl decisions
• Tcl file IO
To enable Tcl scripting, use the following CLI commands:
    config system admin setting
        set show_tcl_script enable
    end
Limitations of FortiManager Tcl
FortiManager Tcl executes in a controlled environment. You do not have to know the location of the Tcl
interpreter or environment variables to execute your scripts. This also means some of the commands normally
found in Tcl are not used in FortiManager Tcl.
Depending on the CLI commands you use in your Tcl scripts, you may not be able to run some scripts on some
versions of FortiOS as CLI commands change periodically.
Before testing a new script on a FortiGate device, you should backup that device’s
configuration and data to ensure it is not lost if the script does not work as expected.
Tcl variables
Variables allow you to store information from the FortiGate device, and use it later in the script. Arrays allow you
to easily manage information by storing multiple pieces of data under a variable name. The next script uses an
array to store the FortiGate system information.
Example: Save system status information in an array.
Script:
    #!
    proc get_sys_status aname {
        upvar $aname a
        puts [exec "# This is an example Tcl script to get the system status of the FortiGate\n" "# " 15 ]
        set input [exec "get system status\n" "# " 15 ]
        # puts $input
        set linelist [split $input \n]
        # puts $linelist
        foreach line $linelist {
            if {![regexp {([^:]+):(.*)} $line dummy key value]} continue
            switch -regexp -- $key {
                Version {
                    regexp {FortiGate-([^ ]+) ([^,]+),build([\d]+),.*} $value dummy a(platform) a(version) a(build)
                }
                Serial-Number {
                    set a(serial-number) [string trim $value]
                }
                Hostname {
                    set a(hostname) [string trim $value]
                }
            }
        }
    }
    get_sys_status status
    puts "This machine is a $status(platform) platform."
    puts "It is running version $status(version) of FortiOS."
    puts "The firmware is build# $status(build)."
    puts "S/N: $status(serial-number)"
    puts "This machine is called $status(hostname)"
Output:
------- Executing time: 2013-10-21 09:58:06 -----
Starting log (Run on device)
FortiGate-VM64 #
This machine is a VM64 platform.
It is running version v5.0 of FortiOS.
The firmware is build# 0228.
S/N: FGVM02Q105060070
This machine is called FortiGate-VM64
------- The end of log ----------
Variations:
Once the information is in the variable array, you can use it as part of commands you send to the FortiGate
device or to make decisions based on the information. For example:
    if {$status(version) == 5.0} {
        # follow the version 5.0 commands
    } elseif {$status(version) == 5.0} {
        # follow the version 5.0 commands
    }
This script introduces the concept of executing CLI commands within Tcl scripts using the following method:
set input [exec "get system status\n" "# "]
This command executes the CLI command “get system status” and passes the result into the variable
called input. Without the “\n” at the end of the CLI command, the CLI command will not execute to provide
output.
In analyzing this script:
• line 1 is the required #! to indicate this is a Tcl script
• lines 2-3 open the procedure declaration
• lines 4-5 put the output from the CLI command into a Tcl variable as a string, and break it up at each return
character into an array of smaller strings
• line 6 starts a loop to go through the array of strings
• line 7 skips to the next string if it does not match the key:value regular expression, and continues if it does
• line 8 takes the output of line 7’s regular expression command and, based on a match, performs one of the actions
listed in lines 9 through 17
• lines 9-11: if the regular expression matches ‘Version’, parse the text and store values for the platform, version, and
build number in the named array elements
• lines 12-14: if the regular expression matches ‘Serial-Number’, store the value in an array element of that name after
trimming the string down to text only
• lines 15-17 are similar to lines 12-14, except the regular expression is matched against ‘Hostname’
• lines 17-19 close the switch decision statement, the foreach loop, and the procedure
• line 20 calls the procedure with an array name of status
• lines 21-25 output the information stored in the status array
Tcl loops
Even though the last script used a loop, that script’s main purpose was storing information in the array. The next
script uses a loop to create a preset number of users on the FortiGate device, in this case 10 users. The output is
only shown for the first two users due to space considerations.
Example: Create 10 users from usr0001 to usr0010:
Script:
#!
proc do_cmd {cmd} {
    puts [exec "$cmd\n" "# " 15]
}
set num_users 10
do_cmd "config vdom"
do_cmd "edit root"
do_cmd "config user local"
for {set i 1} {$i <= $num_users} {incr i} {
    set name [format "usr%04d" $i]
    puts "Adding user: $name"
    do_cmd "edit $name"
    do_cmd "set status enable"
    do_cmd "set type password"
    do_cmd "next"
}
do_cmd "end"
do_cmd "end"
do_cmd "config vdom"
do_cmd "edit root"
do_cmd "show user local"
do_cmd "end"
Output:
View the log of script running on device:FortiGate-VM64
------- Executing time: 2013-10-16 15:27:18 -----Starting log (Run on device)
config vdom
FortiGate-VM64 (vdom) #
edit root
current vf=root:0
FortiGate-VM64 (root) #
config user local
FortiGate-VM64 (local) #
Adding user: usr0001
edit usr0001
new entry 'usr0001' added
FortiGate-VM64 (usr0001) #
set status enable
FortiGate-VM64 (usr0001) #
set type password
FortiGate-VM64 (usr0001) #
next
FortiGate-VM64 (local) #
Adding user: usr0002
edit usr0002
new entry 'usr0002' added
FortiGate-VM64 (usr0002) #
set status enable
FortiGate-VM64 (usr0002) #
set type password
FortiGate-VM64 (usr0002) #
next
Variations:
There are a number of uses for this kind of looping script. One example is to create firewall policies for each
interface that deny all non-HTTPS and non-SSH traffic by default. Another example is a scheduled script to loop
through the static routing table to check that each entry is still reachable, and if not remove it from the table.
This script loops 10 times creating a new user each time whose name is based on the loop counter. The format
command is used to force a four digit number.
In analyzing this script:
• line 1 is the required #! to indicate this is a Tcl script
• lines 2-4 declare the CLI command wrapper procedure
• line 5 declares the number of users to create
• line 6 gets the FortiGate ready for entering local users
• line 7 opens the for loop that will loop ten times
• line 8 sets the user name based on the incremented loop counter variable
• line 9 is just a comment to the administrator showing which user is being created
• lines 10-13 create and configure the user, leaving the CLI ready for the next user to be added
• line 14 ends the for loop
• line 15 ends the adding of users in the CLI
• line 16 executes a CLI command to prove the users were added properly
Tcl decisions
Tcl has a number of decision structures that allow you to execute different CLI commands based on what
information you discover.
This script is more complex than the previous scripts as it uses two procedures that read FortiGate information,
make a decision based on that information, and then executes one of the CLI sub-scripts based on that
information.
Example: Add information to existing firewall policies.
Script:
#!
# need to define procedure do_cmd
# the second parameter of exec should be "# "
# If split one command to multiple lines use "\" to continue
proc do_cmd {cmd} {
    puts [exec "$cmd\n" "# "]
}
# "edit <id>" starts a policy; each following "set <key> <value>" line is stored under that id
foreach line [split [exec "show firewall policy\n" "# "] \n] {
    if {[regexp {edit[ ]+([0-9]+)} $line match policyid]} {
        continue
    } elseif {[regexp {set[ ]+([\w-]+)[ ]+(.*)\r} $line match key value]} {
        lappend fw_policy($policyid) "$key $value"
    }
}
do_cmd "config firewall policy"
foreach policyid [array names fw_policy] {
    # only touch policies that do not already carry the DSCP marking
    if {[lsearch $fw_policy($policyid) {diffservcode-forward 000011}] == -1} {
        do_cmd "edit $policyid"
        do_cmd "set diffserv-forward enable"
        do_cmd "set diffservcode-forward 000011"
        do_cmd "next"
    }
}
do_cmd "end"
Variations:
This type of script is useful for updating long lists of records. For example, if a new FortiOS version adds new keywords to user accounts, you can create a script similar to this one to get the list of user accounts and, for each one, edit it, add the new information, and move on to the next.
This script uses two decision statements. Both are involved in text matching. The first decision is checking each line of input for the policy ID and if it is not there it skips the line. If it is there, all the policy information is saved to an array for future use. The second decision searches the array of policy information to see which policies are miss
In analyzing this script:
• line 1 is the required #! to indicate this is a Tcl script
• lines 2-8 are a loop that reads each policy’s information and appends only the policy ID number to an array variable called fw_policy
• line 9 opens the CLI to the firewall policy section to prepare for the loop
• line 10 starts the foreach loop that increments through all the firewall policy names stored in fw_policy
• line 11 checks each policy for an existing diffservcode-forward 000011 entry; if it is not found, lines 12-15 are executed, otherwise they are skipped
• line 12 opens the policy determined by the loop counter
• lines 13-14 enable diffserv-forward and set it to 000011
• line 15 saves this entry and prepares for the next one
• line 16 closes the if statement
• line 17 closes the foreach loop
• line 18 saves all the updated firewall policy entries
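As an added example (not from the guide), the policy scan above rewritten to cope with the details that trip up the simple version: the carriage return FortiOS leaves at the end of every output line, hyphenated keywords such as diffservcode-forward, and a policy ID that should be forgotten once next is seen. It reports the policies that still need the setting instead of editing them. The exec stub and the policy output it returns are constructed for the example; on FortiManager, delete the stub so the real exec is used.

```tcl
#!
# Added example, not from the FortiManager guide. This "exec" is a stand-in
# that returns constructed "show firewall policy" output so the script runs
# in plain tclsh; delete it before running the script on FortiManager.
proc exec {cmd prompt args} {
    return "config firewall policy\r
    edit 1\r
        set name \"lan-to-wan\"\r
        set srcintf \"port1\"\r
        set diffserv-forward enable\r
        set diffservcode-forward 000011\r
    next\r
    edit 2\r
        set name \"wan-to-dmz\"\r
        set srcintf \"port2\"\r
    next\r
end\r
FortiGate-VM64 # "
}
# Parse the policy listing into fw_policy(<id>) -> list of "key value" strings.
proc read_policies {aname} {
    upvar $aname fw_policy
    set policyid ""
    foreach line [split [exec "show firewall policy\n" "# "] \n] {
        # drop indentation and the trailing CR before matching
        set line [string trim $line " \t\r"]
        if {[regexp {^edit +([0-9]+)$} $line -> policyid]} {
            set fw_policy($policyid) {}
        } elseif {$policyid ne "" && [regexp {^set +([\w-]+) +(.*)$} $line -> key value]} {
            lappend fw_policy($policyid) "$key $value"
        } elseif {$line eq "next"} {
            set policyid ""
        }
    }
}
# Return the policy IDs whose settings do not contain the wanted "key value".
proc policies_missing {aname wanted} {
    upvar $aname fw_policy
    set missing {}
    foreach policyid [lsort -integer [array names fw_policy]] {
        if {[lsearch -exact $fw_policy($policyid) $wanted] == -1} {
            lappend missing $policyid
        }
    }
    return $missing
}
read_policies fw_policy
# with the constructed output above this reports policy 2 only
puts "policies missing DSCP marking: [policies_missing fw_policy {diffservcode-forward 000011}]"
```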
Additional Tcl Scripts
Example: Get and display state information about the FortiGate device:
Script:
#!
#Run on FortiOS v5.00
#This script will display FortiGate's CPU states,
#Memory states, and Up time
puts [exec "# This is an example Tcl script to get the system performance of the FortiGate\n" "# " 15 ]
set input [exec "get system status\n" "# " 15]
regexp {Version: *([^ ]+) ([^,]+),build([0-9]+),[0-9]+} $input dummy status(Platform) status(Version) status(Build)
if {$status(Version) eq "v5.0"} {
    puts -nonewline [exec "config global\n" "# " 30]
    puts -nonewline [exec "get system performance status\n" "# " 30]
    puts -nonewline [exec "end\n" "# " 30]
} else {
    puts -nonewline [exec "get system performance\n" "#" 30]
}
Output:
------- Executing time: 2013-10-21 16:21:43 -----Starting log (Run on device)
FortiGate-VM64 #
config global
FortiGate-VM64 (global) # get system performance status
CPU states: 0% user 0% system 0% nice 90% idle
CPU0 states: 0% user 0% system 0% nice 90% idle
CPU1 states: 0% user 0% system 0% nice 90% idle
Memory states: 73% used
Average network usage: 0 kbps in 1 minute, 0 kbps in 10 minutes, 0 kbps in 30 minutes
Average sessions: 1 sessions in 1 minute, 2 sessions in 10 minutes, 2 sessions in 30
minutes
Average session setup rate: 0 sessions per second in last 1 minute, 0 sessions per second
in last 10 minutes, 0 sessions per second in last 30 minutes
Virus caught: 0 total in 1 minute
IPS attacks blocked: 0 total in 1 minute
Uptime: 6 days, 1 hours, 34 minutes
FortiGate-VM64 (global) # end
FortiGate-VM64 #
------- The end of log ---------------- Executing time: 2013-10-21 16:16:58 ------
Example: Configure common global settings.
Script:
#!
#Run on FortiOS v5.00
#This script will configure common global, user group and ntp settings
#if you do not want to set a parameter, comment the
#corresponding set command
#if you want to reset a parameter to its default
#value, set it to an empty string
puts [exec "# This is an example Tcl script to configure global, user group and ntp setting of FortiGate\n" "# " 15 ]
# global
set sys_global(admintimeout) ""
# user group
set sys_user_group(authtimeout) 20
# ntp
set sys_ntp(source-ip) "0.0.0.0"
set sys_ntp(ntpsync) "enable"
#procedure to execute FortiGate command
proc fgt_cmd cmd {
puts -nonewline [exec "$cmd\n" "# " 30]
}
#config system global---begin
fgt_cmd "config global"
fgt_cmd "config system global"
foreach key [array names sys_global] {
if {$sys_global($key) ne ""} {
fgt_cmd "set $key $sys_global($key)"
} else {
fgt_cmd "unset $key"
}
}
fgt_cmd "end"
fgt_cmd "end"
#config system global---end
#config system user group---begin
fgt_cmd "config vdom"
fgt_cmd "edit root"
fgt_cmd "config user group"
fgt_cmd "edit groupname"
foreach key [array names sys_user_group] {
if {$sys_user_group($key) ne ""} {
fgt_cmd "set $key $sys_user_group($key)"
} else {
fgt_cmd "unset $key"
}
}
fgt_cmd "end"
fgt_cmd "end"
#config system user group---end
#config system ntp---begin
fgt_cmd "config global"
fgt_cmd "config system ntp"
foreach key [array names sys_ntp] {
if {$sys_ntp($key) ne ""} {
fgt_cmd "set $key $sys_ntp($key)"
} else {
fgt_cmd "unset $key"
}
}
fgt_cmd "end"
fgt_cmd "end"
#config system ntp---end
Output:
------- Executing time: 2013-10-22 09:12:57 -----Starting log (Run on device)
FortiGate-VM64 # config global
FortiGate-VM64 (global) # config system global
FortiGate-VM64 (global) # unset admintimeout
FortiGate-VM64 (global) # end
FortiGate-VM64 (global) # end
FortiGate-VM64 # config vdom
FortiGate-VM64 (vdom) # edit root
current vf=root:0
FortiGate-VM64 (root) # config user group
FortiGate-VM64 (group) # edit groupname
FortiGate-VM64 (groupname) # set authtimeout 20
FortiGate-VM64 (groupname) # end
FortiGate-VM64 (root) # end
FortiGate-VM64 # config global
FortiGate-VM64 (global) # config system ntp
FortiGate-VM64 (ntp) # set ntpsync enable
FortiGate-VM64 (ntp) # set source-ip 0.0.0.0
FortiGate-VM64 (ntp) # end
FortiGate-VM64 (global) # end
FortiGate-VM64 #
------- The end of log ----------
Example: Configure syslogd settings and filters.
Script:
#!
#Run on FortiOS v5.00
#This script will configure log syslogd setting and
#filter
#key-value pairs for 'config log syslogd setting', no
#value means default value.
set setting_list {{status enable} {csv enable} {facility alert} {port} {server 1.1.1.2}}
#key-value pairs for 'config log syslogd filter', no
#value means default value.
puts [exec "# This is an example Tcl script to configure log syslogd setting and filter setting of FortiGate\n" "# " 15 ]
set filter_list {{attack enable} {email enable} {severity} {traffic enable} {virus disable} {web enable}}
#set the number of syslogd server, "", "2" or "3"
set syslogd_no "2"
#procedure to execute FortiGate CLI command
proc fgt_cmd cmd {
puts -nonewline [exec "$cmd\n" "# "]
}
#procedure to set a series of key-value pairs
proc set_kv kv_list {
    foreach kv $kv_list {
        set len [llength $kv]
        if {$len == 0} {
            continue
        } elseif {$len == 1} {
            fgt_cmd "unset [lindex $kv 0]"
        } else {
            fgt_cmd "set [lindex $kv 0] [lindex $kv 1]"
        }
    }
}
#configure log syslogd setting---begin
fgt_cmd "config global"
fgt_cmd "config log syslogd$syslogd_no setting"
set_kv $setting_list
fgt_cmd "end"
#configure log syslogd setting---end
#configure log syslogd filter---begin
fgt_cmd "config log syslogd$syslogd_no filter"
set_kv $filter_list
fgt_cmd "end"
#configure log syslogd filter---end
Output:
Starting log (Run on device)
FortiGate-VM64 # config global
FortiGate-VM64 (global) # config log syslogd2 setting
FortiGate-VM64 (setting) # set status enable
FortiGate-VM64 (setting) # set csv enable
FortiGate-VM64 (setting) # set facility alert
FortiGate-VM64 (setting) # unset port
FortiGate-VM64 (setting) # set server 1.1.1.2
FortiGate-VM64 (setting) # end
FortiGate-VM64 (global) # config log syslogd2 filter
FortiGate-VM64 (filter) # set attack enable
FortiGate-VM64 (filter) # set email enable
FortiGate-VM64 (filter) # unset severity
FortiGate-VM64 (filter) # set traffic enable
FortiGate-VM64 (filter) # set virus disable
FortiGate-VM64 (filter) # set web enable
FortiGate-VM64 (filter) # end
FortiGate-VM64 (global) #
------- The end of log ----------
Example: Configure the FortiGate device to communicate with a FortiAnalyzer unit:
Script:
#!
#This script will configure the FortiGate device to
#communicate with a FortiAnalyzer unit
#Enter the following key-value pairs for 'config
#system fortianalyzer'
set status enable
set enc-algorithm high
#localid will be set as the hostname automatically
#later
puts [exec "# This is an example Tcl script to configure the FortiGate to communicate with a FortiAnalyzer\n" "# " 15 ]
set server 1.1.1.1
#for fortianalyzer, fortianalyzer2 or
#fortianalyzer3, enter the corresponding value "",
#"2", "3"
set faz_no ""
#keys used for 'config system fortianalyzer', if you
#do not want to change the value of a key, do not put
#it in the list
set key_list {status enc-algorithm localid server }
##procedure to get system status from a FortiGate
proc get_sys_status aname {
upvar $aname a
set input [split [exec "get system status\n" "# "] \n]
foreach line $input {
if {![regexp {([^:]+):(.*)} $line dummy key value]} continue
set a([string trim $key]) [string trim $value]
}
}
#procedure to execute FortiGate command
proc fgt_cmd cmd {
puts -nonewline [exec "$cmd\n" "# "]
}
#set the localid as the FortiGate's hostname
get_sys_status sys_status
set localid $sys_status(Hostname)
#config system fortianalyzer---begin
fgt_cmd "config global"
fgt_cmd "config log fortianalyzer$faz_no setting"
foreach key $key_list {
if {[info exists $key]} {
fgt_cmd "set $key [set $key]"
} else {
fgt_cmd "unset $key"
}
}
fgt_cmd "end"
fgt_cmd "end"
#config system fortianalyzer---end
Output:
Starting log (Run on device)
FortiGate-VM64 # config global
FortiGate-VM64 (global) # config log fortianalyzer setting
FortiGate-VM64 (setting) # set status enable
FortiGate-VM64 (setting) # set enc-algorithm high
FortiGate-VM64 (setting) # set localid FortiGate-VM64
FortiGate-VM64 (setting) # set server 1.1.1.1
FortiGate-VM64 (setting) # end
FortiGate-VM64 (global) # end
FortiGate-VM64 #
------- The end of log ---------
Example: Create custom IPS signatures and add them to a custom group.
Script:
#!
#Run on FortiOS v5.00
#This script will create custom ips signatures and
#change the settings for the custom ips signatures
puts [exec "# This is an example Tcl script to create custom ips signatures and change the settings for the custom ips signatures on a FortiGate\n" "# " 15 ]
#Enter custom ips signatures, signature names are the
#names of array elements
set custom_sig(c1) {"F-SBID(--protocol icmp;--icmp_type 10; )"}
set custom_sig(c2) {"F-SBID(--protocol icmp;--icmp_type 0; )"}
#Enter custom ips settings
set custom_rule(c1) {{status enable} {action block} {log enable} {log-packet} {severity high}}
set custom_rule(c2) {{status enable} {action pass} {log} {log-packet disable} {severity low}}
#procedure to execute FortiGate command
proc fgt_cmd cmd {
puts -nonewline [exec "$cmd\n" "# "]
}
#procedure to set a series of key-value pairs
proc set_kv kv_list {
foreach kv $kv_list {
set len [llength $kv]
if {$len == 0} {
continue
} elseif {$len == 1} {
fgt_cmd "unset [lindex $kv 0]"
} else {
fgt_cmd "set [lindex $kv 0] [lindex $kv 1]"
}
} }
#config ips custom---begin
fgt_cmd "config vdom"
fgt_cmd "edit root"
fgt_cmd "config ips custom"
foreach sig_name [array names custom_sig] {
fgt_cmd "edit $sig_name"
fgt_cmd "set signature $custom_sig($sig_name)"
fgt_cmd "next"
}
fgt_cmd "end"
#config ips custom settings---begin
foreach rule_name [array names custom_rule] {
fgt_cmd "config ips custom"
fgt_cmd "edit $rule_name"
set_kv $custom_rule($rule_name)
fgt_cmd "end"
}
fgt_cmd "end"
#config ips custom settings---end
Output:
Starting log (Run on device)
FortiGate-VM64 # config vdom
FortiGate-VM64 (vdom) # edit root
current vf=root:0
FortiGate-VM64 (root) # config ips custom
FortiGate-VM64 (custom) # edit c1
set signature "F-SBID(--protocol icmp;--icmp_type 10; )"
FortiGate-VM64 (c1) # set signature "F-SBID(--protocol icmp;--icmp_type 10; )"
FortiGate-VM64 (c1) # next
FortiGate-VM64 (custom) # edit c2
FortiGate-VM64 (c2) # set signature "F-SBID(--protocol icmp;--icmp_type 0; )"
FortiGate-VM64 (c2) # next
FortiGate-VM64 (custom) # end
FortiGate-VM64 (root) # config ips custom
FortiGate-VM64 (custom) # edit c1
FortiGate-VM64 (c1) # set status enable
FortiGate-VM64 (c1) # set action block
FortiGate-VM64 (c1) # set log enable
FortiGate-VM64 (c1) # unset log-packet
FortiGate-VM64 (c1) # set severity high
FortiGate-VM64 (c1) # end
FortiGate-VM64 (root) # config ips custom
FortiGate-VM64 (custom) # edit c2
FortiGate-VM64 (c2) # set status enable
FortiGate-VM64 (c2) # set action pass
FortiGate-VM64 (c2) # unset log
FortiGate-VM64 (c2) # set log-packet disable
FortiGate-VM64 (c2) # set severity low
FortiGate-VM64 (c2) # end
FortiGate-VM64 (root) # end
FortiGate-VM64 #
------- The end of log ----------
Variations:
None.
Tcl file IO
You can write to and read from files using Tcl scripts. For security reasons there is only one directory on the FortiManager where scripts can access files, so there is no need to include the directory in the file name you are accessing. For example, “/var/temp/myfile” or “~/myfile” will cause an error, but “myfile” or “/myfile” is OK.
The Tcl commands that are supported for file IO are: file, open, gets, read, tell, seek, eof, flush, close, fcopy, fconfigure, and fileevent.
The Tcl file command only supports the delete subcommand, and does not support the -force option.
There is 10 MB of disk space allocated for Tcl scripts. An error will be reported if this size is exceeded.
These files will be reset when the following CLI commands are run: exec format, exec reset partition, or exec reset all. The files will not be reset when the firmware is updated unless otherwise specified.
To write to a file:
Script
#!
set somefile [open "tcl_test" w]
puts $somefile "Hello, world!"
close $somefile
To read from a file:
Script
#!
set otherfile [open "tcl_test" r]
while {[gets $otherfile line] >= 0} {
    # print each line read from the file
    puts $line
}
close $otherfile
Output
Hello, world!
These two short scripts write a file called tcl_test and then read it back.
Line 3 in both scripts opens the file either for reading (r) or writing (w) and assigns it to a filehandle (somefile or otherfile). Later in the script, when you see these filehandles, it is input or output passing to the open file.
When reading from the file, lines 4 and 5 loop through the file line by line until it reaches the end of the file. Each line that is read is put to the screen.
Both scripts close the file before they exit.
Troubleshooting Tips
This section includes suggestions to help you find and fix problems you may be having with your scripts.
• Make sure the commands you are trying to execute are valid for the version of FortiOS running on your target FortiGate device.
• You should always use braces when evaluating code that may contain user input, to avoid possible security breaches. To illustrate the danger, consider this interactive session:
% set userinput {[puts DANGER!]}
[puts DANGER!]
% expr $userinput == 1
DANGER!
0
% expr {$userinput == 1}
0
In the first example, the code contained in the user-supplied input is evaluated, whereas in the second the braces prevent this potential danger. As a general rule, always surround expressions with braces, whether using expr directly or some other command that takes an expression.
• A number that includes a leading zero or zeros, such as 0500 or 0011, is interpreted as an octal number, not a decimal number. So 0500 is actually 320 in decimal, and 0011 is 9 in decimal.
• There is a limit to the number of scripts allowed on the FortiManager unit. Try removing an old script before trying to save your current one.
• Using the Tcl command “catch” you can add custom error messages in your script to alert you to problems during the script execution. When catch encounters an error it will return 1, but if there is no error it will return 0. For example:
if { [catch {open $someFile w} fid] } {
    puts stderr "Could not open $someFile for writing\n$fid"
    exit 1 ;# error opening the file!
} else {
    # put the rest of your script here
}
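As an added example (not from the guide), the brace rule applied to a script that builds CLI commands from names it did not generate itself: each name is checked against a fixed pattern before it is interpolated into a command, and the comparison with user input is braced. The exec stub, the 35-character limit and the sample names are assumptions constructed for the example; on FortiManager, delete the stub.

```tcl
#!
# Added example, not from the FortiManager guide. This "exec" is a stand-in
# that records the commands instead of sending them to a device, so the
# script can be tried in plain tclsh; delete it before running on FortiManager.
proc exec {cmd prompt args} {
    append ::sent $cmd
    return $prompt
}
proc do_cmd {cmd} {
    puts -nonewline [exec "$cmd\n" "# " 15]
}
# Accept only names made of letters, digits, "_" and "-". Anything else (a
# newline, a ";" or Tcl brackets) never reaches the CLI. The 35-character
# limit is an assumption; check the limit of your FortiOS version.
proc safe_name {name} {
    return [regexp {^[A-Za-z0-9_-]{1,35}$} $name]
}
# Brace the expression: $userinput is then compared as text, never evaluated.
set userinput {[puts DANGER!]}
set braced [expr {$userinput eq "v5.0"}]
puts "braced comparison result: $braced"
# Constructed input: one valid name and two that must be rejected, one that
# would add a second CLI line and one that carries a Tcl command substitution.
set candidates [list usr0001 "usr0002\nset status disable" {[puts DANGER!]}]
do_cmd "config vdom"
do_cmd "edit root"
do_cmd "config user local"
foreach name $candidates {
    if {![safe_name $name]} {
        puts "rejected name: [string map [list \n \\n] $name]"
        continue
    }
    do_cmd "edit $name"
    do_cmd "set status enable"
    do_cmd "set type password"
    do_cmd "next"
}
do_cmd "end"
do_cmd "end"
```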
Use Tcl script to access FortiManager’s device database or ADOM database
You can use Tcl script to access FortiManager’s device database or ADOM database (local database).
Example 1:
Run the Tcl script on an ADOM database for a specific policy package. For example, creating a new policy or object:
Syntax
puts [exec_ondb "/adom/<adom_name>/pkg/<pkg_fullpath>"
"embedded cli commands" "# "]
Usage
puts [exec_ondb "/adom/52/pkg/default" "
config firewall address
edit port5_address
next
end
" "# "]
Example 2:
Run the Tcl script on the current ADOM database for a specific policy package. For example, creating a new policy and object:
Syntax
puts [exec_ondb "/adom/./pkg/<pkg_fullpath>" "embedded cli commands" "# "]
or
puts [exec_ondb "/pkg/<pkg_fullpath>" "embedded cli commands" "# "]
Usage
puts [exec_ondb "/adom/./pkg/default" "
config firewall address
edit port5_address
next
end
" "# "]
Example 3:
Run Tcl script on a specific device in an ADOM:
Syntax
puts [exec_ondb "/adom/<adom_name>/device/<dev_name>" "embedded cli commands" "# "]
Usage
puts [exec_ondb "/adom/v52/device/FGT60CA" "
config global
config system global
set admintimeout 440
end
end
" "# "]
Example 4:
Run Tcl script on current devices in an ADOM:
Syntax
puts [exec_ondb "/adom/<adom_name>/device/." "embedded cli commands" "# "]
Usage
puts [exec_ondb "/adom/v52/device/." "
config global
config system global
set admintimeout 440
end
end
" "# "]
exec_ondb cannot be run on the Global ADOM.
SD-WAN Link Load Balance
When central monitoring is enabled, you can use the Device Manager > WAN LLB > WAN Status Check
Profiles pane to monitor load-balancing profiles of WAN links. When central monitoring is disabled, you must
monitor load-balancing profiles by monitoring each device.
Enabling central monitoring of load balancing
You can enable centralized WAN link load balancing by editing an ADOM. You can use the Device Manager >
SD-WAN > SD-WAN Status Check Profiles pane for centrally monitoring WAN link load balancing.
To enable:
1. Go to System Settings > All ADOMs.
2. Right-click an ADOM, and select Edit.
3. Beside Central Management, select the SD-WAN checkbox.
4. Click OK. Central monitoring of WAN link load balancing is enabled for the ADOM.
Creating load balancing profiles
You can create a load balancing profile for WAN links of a device.
To create a load balancing profile:
1. Ensure that you are in the correct ADOM.
2. Go to Device Manager > SD-WAN and click Create New. The New SD-WAN pane opens.
3. Configure the following options:
Device
Select a FortiGate device with WAN links.
Name
Displays the name of the profile.
Type
Displays the type of profile.
Administrative Status
Enable or disable the profile. Select Up to enable the profile, or select
Down to disable the profile.
SD-WAN
Load Balancing Algorithm
Select a load-balancing algorithm:
• Volume
• Sessions
• Spillover
• Source-Destination IP
• Source IP
Interface Members
Specify the interface members for which you want to balance loads. The interface members are derived from the FortiGate device.
Click Create New to add interfaces. Select the interface, gateway IP, and status of the interface member, then click OK to add the interface member.
Interface members can also be edited and deleted from the list.
Services
Specify the priority rules for load balancing. The priority rules are derived
from the FortiGate device.
Click Create New to add a priority rule. Enter the name of the service, then
select the source address and user groups, destination address and
protocol number, outgoing interface, and health check, then click OK to
add the rule.
Rules can also be edited and deleted from the list.
4. Click OK to add the WAN link.
Manage load balancing profiles
You can manage load balancing profiles from the Device Manager > SD-WAN pane. Some options are located
in the toolbar, and some options are available when you right-click a profile in the content pane.
Option
Description
Create New
Create a new load-balancing profile.
Delete
Delete the selected profile.
Edit
Edit the selected profile.
Select All
Select all profiles in the content pane.
Creating profiles for checking WAN link status
When central monitoring of WAN link load balancing is enabled, you can create profiles that monitor the status of
load-balancing profiles for WAN links.
To create a profile:
1. If necessary, ensure that you are in the correct ADOM.
2. Go to Device Manager > SD-WAN > SD-WAN Status Check Profile, and click Create New. The New SD-WAN Status Check Profile pane opens.
3. Configure the following options:
Name
Enter a name for the profile.
Detect Protocol
Select the detection method for the profile check:
• Ping
• TCP Echo
• UDP Echo
• HTTP
• TWAMP
Detect Server
Type the IP address for WAN interface that you want to monitor.
Link Status
Specify options for the WAN link status.
Timeout
Specify how many seconds before the link times out.
Failures before inactive
Specify the threshold that triggers a warning message, in milliseconds, or
percent if the criteria is Packet Loss.
Restore link after
Specify the threshold that triggers an error message, in milliseconds, or
percent if the criteria is Packet Loss.
Actions when Inactive
Specify what happens when the WAN link becomes inactive.
Update Static Route
Select to update the static route when the WAN link becomes inactive.
Cascade Interfaces
Select to cascade interfaces when the WAN link becomes inactive.
4. Click OK to create the new status check profile.
Manage profiles for checking WAN link status
When central monitoring of WAN link load balancing is enabled, you can manage monitoring profiles from the
Device Manager > SD-WAN > SD-WAN Status Check Profile pane. Some options are located in the toolbar,
and some options are available when you right-click a profile.
Option
Description
Create New
Create a new profile for checking WAN link status.
Delete
Delete the selected profile.
Edit
Edit the selected profile.
Clone
Clone the selected profile.
Select All
Select all profiles in the content pane.
FortiExtender
FortiExtender is managed centrally in the Device Manager pane. When a FortiGate in the ADOM has managed
FortiExtender devices, they are listed in an All FortiExtender group.
FortiExtender can be managed by a FortiGate running FortiOS v5.2 or later.
Centrally managed
When managing FortiExtender centrally, FortiAP devices will be listed in the AP Management pane in the ADOM
of the FortiGate managing the FortiExtender.
The following information is displayed:
Device Name
The serial number of the FortiGate device that is managing the
FortiExtender.
Serial Number
The serial number of the FortiExtender.
Priority
The FortiExtender priority, either Primary or Secondary.
Model
The FortiExtender model.
Management Status
The FortiExtender management status, either Authorized or
Deauthorized.
Status
The FortiExtender status, either Up or Down.
Network
The FortiExtender network status and carrier name.
Current Usage
The current data usage.
Last Month Usage
The data usage for the last month.
Version
The FortiExtender firmware version.
The right-click menu options include:
Refresh
Select a FortiExtender in the list, right-click, and select Refresh in the
menu to refresh the information displayed.
Edit
Select a FortiExtender in the list, right-click, and select Edit in the menu to
edit the FortiExtender modem settings, PPP authentication, general,
GSM/LTE, and CDMA settings.
Upgrade
Select a FortiExtender in the list, right-click, and select Upgrade in the
menu to upgrade the FortiExtender firmware.
Authorize
Select a FortiExtender in the list, right-click, and select Authorize in the
menu to authorize the unit for management.
Deauthorize
Select a FortiExtender in the list, right-click, and select Deauthorize in the
menu to deauthorize the unit for management.
Restart
Select a FortiExtender in the list, right-click, and select Restart in the menu
to restart the unit.
Set Primary
Select a FortiExtender in the list, right-click, and select Set Primary in the
menu to set the unit as the primary device.
Status
Select a FortiExtender in the list, right-click, and select Status in the menu
to view status information including system status, modem status, and
data usage.
To edit a FortiExtender:
1. Go to Device Manager > FortiExtender.
2. Right-click the FortiExtender device, and select Edit. The Edit FortiExtender page is displayed.
3. Configure the following settings:
Modem Settings
Configure the dial mode, redial limit, and quota limit.
PPP Authentication
Configure the user name, password, and authentication protocol.
General
Configure the usage cycle reset day, AT dial script, modem password, and
the allow network initiated updates to modem setting.
GSM / LTE
Configure the access point name (APN), SIM PIN, and LTE multiple mode.
CDMA
Configure the NAI, AAA shared secret, HA shared secret, primary HA,
secondary HA, AAA SPI, and HA SPI.
4. Select OK to save the setting.
FortiMeter
FortiMeter allows you to turn FortiOS-VMs and FortiWebOS-VMs on and off as needed, paying only for the volume and consumption of traffic that you use. These VMs are also sometimes called pay-as-you-go VMs.
You must meet the following requirements to use metered VMs:
• You must have a FortiMeter license.
• The FortiMeter license must be linked with the FortiManager unit by using FortiCare.
FortiOS VMs
FortiManager supports the following types of licenses for FortiMeter:
• Prepaid: FortiOS VM usage is prepaid by purchasing points.
• Postpaid: The FortiOS VM is billed monthly based on usage.
The license determines whether a FortiOS VM is prepaid or postpaid.
The VM deployment packages are included with firmware images on the Customer Service & Support site, and
have the following format: FOS_VMxx-v5-buildXXXX-Fortinet.out. In FortiManager, the VM will be
listed as a FortiOS VM.
FortiWeb VMs
FortiManager supports FortiWeb devices as logging devices. FortiWeb VMs are billed monthly based on usage.
The VM deployment packages are included with firmware images on the Customer Service & Support site, and
have the following format: FWB_OS1-v5xx-buildXXXX-FORTINET.out. In FortiManager, the VM will be
listed as a FBV0X.
Overview
The following is an overview of how to use metered VMs:
1. Purchase a FortiMeter license. Contact your sales representative for more information.
2. Go to FortiCare (https://support.fortinet.com/) and log into your account.
You can also access FortiCare from FortiManager:
- From System Settings > Dashboard, in the License Information widget, click the Purchase icon in
the VM Meter Service field.
- From Device Manager > VM Meter, click the Purchase Points icon in the toolbar.
Administration Guide
Fortinet Technologies Inc.
3. Go to Asset > Manage/View Products, and locate the FortiMeter license.
4. Link the FortiMeter license with your FortiManager by using the Link Device option.
You can only link FortiManager to one metering group at a time.
5. If you are prepaying (FortiOS VMs only), purchase a point package and add it to the FortiMeter license using the
Add Licenses option. See Points on page 189.
6. Ensure that the VM is registered to the FortiManager. See Adding devices on page 104.
7. Authorize the metered VMs in FortiManager. See Authorizing metered VMs on page 189.
If connectivity between the VM and FortiManager is lost, FortiManager will invalidate
the VM instance after fifteen days. If the VM reconnects before fifteen days have
elapsed, it will automatically synchronize with the FortiManager database.
Points
Points can be purchased in packages of 1000 or 10000 from the FortiMeter product information page on FortiCare
using the Add Licenses button.
Points are used based on the type of service and the volume of traffic sent to FortiGuard.
Type            Service Code    Points
VOLUME (1TB)    FW              4
VOLUME (1TB)    FWURL           10
VOLUME (1TB)    UTM             25
For prepaid FortiOS VMs, after the point balance becomes negative, the VMs can continue to be used for up to 15
days; after that the account is frozen unless more points are purchased to restore a positive point balance.
With a negative point balance, the FortiMeter status shows the number of days until the account is frozen, or FREZ
when it is already frozen. FortiMeter is unfrozen when a positive point balance is restored.
Authorizing metered VMs
You must authorize all metered VMs in FortiManager before you can use them.
Authorizing FortiOS VMs
FortiOS VMs must be registered before they can be authorized. See Adding devices on page 104.
To authorize metered FortiOS VMs:
1. Ensure that the VM is registered to the FortiManager. See Adding devices on page 104.
2. Ensure you are in the correct ADOM.
3. Go to Device Manager > VM Meter.
4. Select a device then click Authorize in the toolbar, right-click on a device then select Authorize, or double-click on
a device. The Authorize Device(s) dialog box opens.
An unauthorized device can use firewall services for up to 48 hours.
5. Select the License Type:
Trial
A maximum of two devices can have a trial license at any one time.
No traffic data are sent to FortiGuard, so no points are used.
Can be used for up to 30 days.
Regular
Regular license.
Points are used based on the service level and volume of traffic going to FortiGuard.
6. Select the Services:
Firewall
Firewall only. This option cannot be deselected.
IPS
IPS services.
Web Filter
Web filtering services.
AntiVirus
Antivirus services.
App Control
Application control services.
Full UTM
All services are selected.
7. Click OK to authorize the device.
Authorizing FortiWeb VMs
FortiWeb VMs must be registered manually before they can be authorized. See Adding devices manually on
page 111.
To authorize metered FortiWeb VMs:
1. Ensure that the FortiWeb VM is registered to the FortiManager. See Adding devices on page 104.
2. In the FortiWeb ADOM, go to Device Manager > VM Meter.
3. Select a device then click Authorize in the toolbar, right-click on a device then select Authorize, or double-click on
a device. The Authorize Device(s) dialog box opens.
4. On the Authorize Device pane, confirm the device's name and serial number.
The License Type is Regular (points are used based on the volume of traffic). The Services (Security,
Antivirus, IP Reputation) cannot be deselected.
5. Click OK to authorize the device.
Monitoring VMs
Go to Device Manager > VM Meter. For prepaid licenses (FortiOS VMs only), your total remaining point balance
is shown in the toolbar. For postpaid licenses, the total points used and the billing period are shown.
You can also view details about the individual VMs, including: the device name and serial number, number of
virtual CPUs, amount of RAM, service level, license status, volume of traffic used today, and more.
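The point consumption, trial cap and freeze countdown described in the Points and Authorizing sections above, put together as a small model. This is example code added to this page, not Fortinet's implementation: the pro-rata point consumption (0.5 TB of UTM traffic costing 12.5 points), the whole-day counting of the 15-day grace period, and the device serial numbers are assumptions.

```python
"""Constructed model of the FortiMeter point and authorization rules described
above. This is example code added to the page, not Fortinet's implementation.
Assumptions not stated on the page: points are consumed pro rata (0.5 TB of
UTM traffic costs 12.5 points) and the 15-day grace period is counted in whole
days from the day the balance first went negative.
"""
from dataclasses import dataclass, field
from typing import Optional, Set

# Points per 1 TB of traffic sent to FortiGuard, from the page's points table.
POINTS_PER_TB = {"FW": 4, "FWURL": 10, "UTM": 25}
GRACE_DAYS = 15         # days a negative balance is tolerated before FREZ
MAX_TRIAL_DEVICES = 2   # at most two devices may hold a trial license


@dataclass
class Meter:
    balance: float                        # prepaid point balance
    negative_since: Optional[int] = None  # day the balance first went negative
    trial_devices: Set[str] = field(default_factory=set)
    regular_devices: Set[str] = field(default_factory=set)

    def authorize(self, serial: str, license_type: str) -> bool:
        """Authorize a VM; returns False when the trial cap is exhausted."""
        if license_type == "Trial":
            if serial in self.trial_devices:
                return True
            if len(self.trial_devices) >= MAX_TRIAL_DEVICES:
                return False
            self.trial_devices.add(serial)
            return True
        if license_type == "Regular":
            self.regular_devices.add(serial)
            return True
        raise ValueError(f"unknown license type {license_type!r}")

    def record_traffic(self, serial: str, service_code: str,
                       tb: float, day: int) -> float:
        """Deduct points for tb terabytes of traffic under a service code.
        Trial devices send no traffic data to FortiGuard, so they cost nothing.
        Returns the points deducted."""
        if serial in self.trial_devices:
            return 0.0
        if serial not in self.regular_devices:
            raise PermissionError(f"{serial} is not authorized")
        cost = POINTS_PER_TB[service_code] * tb   # pro-rata assumption
        self.balance -= cost
        if self.balance < 0 and self.negative_since is None:
            self.negative_since = day
        return cost

    def add_points(self, points: int) -> None:
        """Apply a purchased point package (1000 or 10000 points on FortiCare).
        Restoring a non-negative balance clears the freeze countdown."""
        self.balance += points
        if self.balance >= 0:
            self.negative_since = None

    def status(self, day: int) -> str:
        """Status as the VM Meter pane shows it: OK, days until frozen, or FREZ."""
        if self.balance >= 0:
            return "OK"
        days_left = GRACE_DAYS - (day - self.negative_since)
        return "FREZ" if days_left <= 0 else f"{days_left} days"


if __name__ == "__main__":
    # Constructed walk-through: 30 points, 1 TB of UTM then 1 TB of FWURL traffic.
    m = Meter(balance=30)
    m.authorize("FGVM-CONSTRUCTED-A", "Regular")
    m.record_traffic("FGVM-CONSTRUCTED-A", "UTM", 1.0, day=1)
    m.record_traffic("FGVM-CONSTRUCTED-A", "FWURL", 1.0, day=2)
    print(m.balance, m.status(10))   # -5.0 7 days
```

The status() method is where a monitoring script would read the same information the VM Meter toolbar shows; wiring it to an alert a few days before FREZ is the practical use.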
FortiGate chassis devices
Select FortiManager systems can work with the Shelf Manager to manage FortiGate 5050, 5060, 5140, and
5140B chassis. The Shelf Manager runs on the Shelf Management Mezzanine hardware platform included with
the FortiGate 5050, 5060, 5140, and 5140B chassis. You can install up to five FortiGate 5000 series blades in the
five slots of the FortiGate 5050 ATCA chassis and up to 14 FortiGate 5000 series blades in the 14 slots of the
FortiGate 5140 ATCA chassis. For more information on FortiGate 5000 series including Chassis and Shelf
manager, see the Fortinet Document Library.
You need to enable chassis management before you can work with the Shelf Manager through the FortiManager
system.
To enable chassis management:
1. Go to System Settings > Advanced > Advanced Settings. See Advanced Settings on page 499 for more
information.
2. Under Advanced Settings, select Chassis Management.
3. Set the Chassis Update Interval, from 4 to 1440 minutes.
4. Click Apply.
To add a chassis:
1. Go to Device Manager > Device & Groups.
2. Right-click in the tree menu and select Chassis > Add. The Create Chassis window opens.
3. Complete the following fields, then click OK:
Name
Type a unique name for the chassis.
Description
Optionally, type any comments or notes about this chassis.
Chassis Type
Select the chassis type: Chassis 5050, 5060, 5140 or 5140B.
IP Address
Type the IP address of the Shelf Manager running on the chassis.
Authentication Type
Select Anonymous, MD5, or Password from the dropdown list.
Admin User
Type the administrator user name.
Password
Type the administrator password.
Chassis Slot Assignment
You cannot assign FortiGate-5000 series blades to the slot until after the
chassis has been added.
To edit a chassis and assign FortiGate 5000 series blade to the slots:
1. Go to Device Manager > Device & Groups.
2. Right-click the chassis, and select Edit.
3. Modify the fields, except Chassis Type.
4. For Chassis Slot Assignment, from the dropdown list of a slot, select a FortiGate-5000 series blade to assign it to
the slot. You can select a FortiGate, FortiCarrier, or FortiSwitch unit.
You can only assign FortiSwitch units to slot 1 and 2.
5. Click OK.
Viewing chassis dashboard
You can select a chassis from the chassis list in the content pane, and view the status of the FortiGate blades in
the slots, power entry module (PEM), fan tray (FortiGate-5140 only), Shelf Manager, and shelf alarm panel
(SAP).
Viewing the status of the FortiGate blades
In the Device Manager tab, select the Blades under the chassis whose blade information you would like to view.
The following is displayed:
Refresh
Select to update the current page.
If there are no entries, Refresh is not displayed.
Slot #
The slot number in the chassis. The FortiGate 5050 chassis contains five
slots numbered 1 to 5. The FortiGate 5060 chassis contains six slots
numbered 1 to 6. The FortiGate 5140 and 5140B chassis contains fourteen
slots numbered 1 to 14.
Extension Card
If there is an extension card installed in the blade, this column displays an
arrow you can select to expand the display. The expanded display shows
details about the extension card as well as the blade.
Slot Info
Indicates whether the slot contains a node card (for example, a FortiGate
5001SX blade) or a switch card (for example, a FortiSwitch 5003 blade) or
is empty.
State
Indicates whether the card in the slot is installed or running, or if the slot is
empty.
Temperature Sensors
Indicates if the temperature sensors for the blade in each slot are detecting
a temperature within an acceptable range.
OK indicates that all monitored temperatures are within acceptable ranges.
Critical indicates that a monitored temperature is too high (usually about
75°C or higher) or too low (below 10°C).
Current Sensors
Indicates if the current sensors for the blade in each slot are detecting a
current within an acceptable range.
OK indicates that all monitored currents are within acceptable ranges.
Critical indicates that a monitored current is too high or too low.
Voltage Sensors
Indicates if the voltage sensors for the blade in each slot are detecting a
voltage within an acceptable range.
OK indicates that all monitored voltages are within acceptable ranges.
Critical indicates that a monitored voltage is too high or too low.
Power Allocated
Indicates the amount of power allocated to each blade in the slot.
Action
Select Activate to turn the state of a blade from Installed into Running.
Select Deactivate to turn the state of a blade from Running into Installed.
Edit
Select to view the detailed information on the voltage and temperature of a
slot, including sensors, status, and state. You can also edit some voltage
and temperature values.
Update
Select to update the slot.
To edit voltage and temperature values:
1. Go to [chassis name] > Blades and, in the content pane, select the Edit icon of a slot.
The detailed information on the voltage and temperature of the slot including sensors, status, and state is
displayed.
2. Select the Edit icon of a voltage or temperature sensor.
3. For a voltage sensor, you can modify the Upper Non-critical, Upper Critical, Lower Non-critical, and Lower
Critical values.
4. For a temperature sensor, you can modify the Upper Non-critical and Upper Critical values.
5. Select OK.
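How the four threshold values edited in this procedure turn a sensor reading into the OK or Critical state shown in the Blades view, as an added example (not Fortinet's code). The threshold names are those of the edit dialog; the constructed voltage limits are assumptions, and the 75°C / 10°C temperature limits are the ones quoted in the Temperature Sensors description above. The is_consistent() check is the kind of sanity check worth running before saving an edited threshold set.

```python
"""Constructed example of how a blade's sensor readings map to the states
shown in the Blades view. Added to this page; not Fortinet's code. The four
threshold names are those of the edit dialog; the numeric thresholds in the
demo are assumptions, except the 75°C / 10°C temperature limits quoted above.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Thresholds:
    upper_non_critical: float
    upper_critical: float
    lower_non_critical: Optional[float] = None  # temperature sensors expose upper thresholds only
    lower_critical: Optional[float] = None

    def is_consistent(self) -> bool:
        """Check an edit before saving: lower critical < lower non-critical
        < upper non-critical < upper critical, for whichever values are set."""
        chain = [v for v in (self.lower_critical, self.lower_non_critical,
                             self.upper_non_critical, self.upper_critical)
                 if v is not None]
        return all(a < b for a, b in zip(chain, chain[1:]))


def sensor_state(reading: float, t: Thresholds) -> str:
    """Classify one reading. Upper limits are inclusive ("75°C or higher"),
    lower limits exclusive ("below 10°C"), matching the wording above."""
    if reading >= t.upper_critical:
        return "Upper Critical"
    if t.lower_critical is not None and reading < t.lower_critical:
        return "Lower Critical"
    if reading >= t.upper_non_critical:
        return "Upper Non-critical"
    if t.lower_non_critical is not None and reading < t.lower_non_critical:
        return "Lower Non-critical"
    return "OK"


def slot_state(readings: Dict[str, Tuple[float, Thresholds]]) -> str:
    """Roll a slot's sensors up to the per-slot column: Critical if any sensor
    has crossed a critical limit, otherwise OK."""
    states = [sensor_state(value, t) for value, t in readings.values()]
    return "Critical" if any(s.endswith("Critical") for s in states) else "OK"


# Constructed sensors for a demo slot (values are assumptions).
TEMP = Thresholds(upper_non_critical=65, upper_critical=75, lower_critical=10)
VOLT_12V = Thresholds(upper_non_critical=12.6, upper_critical=13.0,
                      lower_non_critical=11.4, lower_critical=11.0)

if __name__ == "__main__":
    print(slot_state({"cpu_temp": (76, TEMP), "12V": (12.0, VOLT_12V)}))  # Critical
```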
Viewing the status of the power entry modules
You can view the status of the PEMs by going to [chassis name] > PEM. The FortiGate 5140 chassis displays
more PEM information than the FortiGate 5050.
The following is displayed:
Refresh
Select to update the current page.
PEM
The order numbers of the PEM in the chassis.
Presence
Indicates whether the PEM is present or absent.
Temperature
The temperature of the PEM.
Temperature State
Indicates whether the temperature of the PEM is in the acceptable range.
OK indicates that the temperature is within acceptable range.
Threshold
PEM temperature thresholds.
Feed -48V
Number of PEM fuses. There are four pairs per PEM.
Status
PEM fuse status: present or absent.
Power Feed
The power feed for each pair of fuses.
Maximum External Current
Maximum external current for each pair of fuses.
Maximum Internal Current
Maximum internal current for each pair of fuses.
Minimum Voltage
Minimum voltage for each pair of fuses.
Power Available
Available power for each pair of fuses.
Power Allocated
Power allocated to each pair of fuses.
Used By
The slot that uses the power.
Viewing fan tray status (FG-5140 and FG-5140B chassis only)
Go to [chassis name] > Fan Tray to view the chassis fan tray status.
The following is displayed:
Refresh
Select to update the current page.
Thresholds
Displays the fan tray thresholds.
Fan Tray
The order numbers of the fan trays in the chassis.
Model
The fan tray model.
24V Bus
Status of the 24V Bus: present or absent.
-48V Bus A
Status of the -48V Bus A: present or absent.
-48V Bus B
Status of the -48V Bus B: present or absent.
Power Allocated
Power allocated to each fan tray.
Fans
Fans in each fan tray.
Status
The fan status. OK means it is working normally.
Speed
The fan speed.
Viewing shelf manager status
Go to [chassis name] > Shelf Manager to view the shelf manager status.
The following is displayed:
Refresh
Select to update the current page.
Shelf Manager
The order numbers of the shelf managers in the chassis.
Model
The shelf manager model.
State
The operation status of the shelf manager.
Temperature
The temperature of the shelf manager.
-48V Bus A
Status of the -48V Bus A: present or absent.
-48V Bus B
Status of the -48V Bus B: present or absent.
Power Allocated
Power allocated to each shelf manager.
Voltage Sensors
Lists the voltage sensors for the shelf manager.
State
Indicates if the voltage sensors for the shelf manager are detecting a
voltage within an acceptable range.
OK indicates that all monitored voltages are within acceptable ranges.
Below lower critical indicates that a monitored voltage is too low.
Voltage
Voltage value for a voltage sensor.
Edit
Select to modify the thresholds of a voltage sensor.
Viewing shelf alarm panel (SAP) status
You can view the shelf alarm panel (SAP) status for a chassis. The shelf alarm panel helps you monitor the
temperature and state of various sensors in the chassis.
Go to [chassis name] > SAP to view the chassis SAP status.
The following is displayed:
Presence
Indicates if the SAP is present or absent.
Telco Alarm
Telco form-c relay connections for minor, major and critical power faults
provided by the external dry relay Telco alarm interface (48VDC).
Air Filter
Indicates if the air filter is present or absent.
Model
The SAP model.
State
The operation status of the shelf manager.
Power Allocated
Power allocated to the SAP.
Temperature Sensors
The temperature sensors of the SAP.
Temperature
The temperature of the SAP read by each sensor.
State
Indicates if the temperature sensors for the SAP are detecting a
temperature below the set threshold.
Edit
Select to modify the thresholds of a temperature sensor.
Log and file storage
Logs and files are stored on the FortiManager hard disks. Logs are also temporarily stored in the SQL database.
When ADOMs are enabled, settings can be specified for each ADOM that apply only to the devices in it. When
ADOMs are disabled, the settings apply to all managed devices.
Data policy and disk utilization settings for devices are collectively called log storage settings. Global log and file
storage settings apply to all logs and files, regardless of log storage settings (see File Management on page 498).
Both the global and log storage settings are always active.
These options are only available when the FortiAnalyzer features are manually
enabled. For more information, see FortiAnalyzer Features on page 367.
Disk space allocation
On the FortiManager, the system reserves 5% to 25% of the disk space for system usage and unexpected quota
overflow. The remaining 75% to 95% of the disk space is available for allocation to devices.
Reports are stored in the reserved space.
Total Available Disk Size             Reserved Disk Quota
Small Disk (up to 500GB)              The system reserves either 20% or 50GB of disk space, whichever is smaller.
Medium Disk (up to 1TB)               The system reserves either 15% or 100GB of disk space, whichever is smaller.
Large Disk (up to 5TB)                The system reserves either 10% or 200GB of disk space, whichever is smaller.
Very Large Disk (bigger than 5TB)     The system reserves either 5% or 300GB of disk space, whichever is smaller.
The RAID level you select determines the disk size and the reserved disk quota level.
For example, a FortiManager 1000C with four 1TB disks configured in RAID 10 is
considered a large disk, so 10%, or 200GB, of disk space is reserved.
Log and file workflow
When devices send logs to a FortiManager unit, the logs enter the following workflow automatically:
1. Logs are compressed and saved in a log file on the FortiManager disks.
When a log file reaches a specified size, FortiManager rolls it over and archives it, and creates a new log file
to receive incoming logs. You can specify the size at which the log file rolls over. See Device logs on
page 494.
2. Logs are indexed in the SQL database to support analysis.
You can specify how long to keep logs indexed using a data policy. See Log storage policy on page 200.
3. Logs are purged from the SQL database, but remain compressed in a log file on the FortiManager disks.
4. Logs are deleted from the FortiManager disks.
You can specify how long to keep logs using a data policy. See Log storage policy on page 200.
In the indexed phase, logs are indexed in the SQL database for a specified length of time so they can be used for
analysis. Indexed, or Analytics, logs are considered online, and their details can be viewed in the
FortiView, NOC, Log View, and Event Management modules. You can also generate reports about the logs in
the Reports pane.
In the compressed phase, logs are compressed and archived in FortiManager disks for a specified length of time
for the purpose of retention. Compressed, or Archived, logs are considered offline, and their details cannot be
immediately viewed or used to generate reports.
The following table summarizes the differences between indexed and compressed log phases:

Log Phase     Location                                              Immediate Analytic Support
Indexed       Compressed in log file and indexed in SQL database    Yes. Logs are available for analytic use in FortiView,
                                                                    NOC, Event Management, and Reports.
Compressed    Compressed in log file                                No.
Automatic deletion
Logs and files are automatically deleted from the FortiManager unit according to the following settings:
- Global automatic file deletion: File management settings specify when to delete the oldest Archive logs,
quarantined files, reports, and archived files from the disks, regardless of the log storage settings. See File
Management on page 498 for information.
- Data policy: Data policies specify how long to store Analytics and Archive logs for each device. When the
specified length of time expires, Archive logs for the device are automatically deleted from the FortiManager
device's disks.
- Disk utilization: Disk utilization settings delete the oldest Archive logs for each device when the allotted disk
space is filled. The allotted disk space is defined by the log storage settings. Alerts warn you when the disk space
usage reaches a configured percentage.
All deletion policies are active on the FortiManager unit at all times, and you should carefully configure each
policy. For example, if the disk fullness policy for a device hits its threshold before the global automatic file
deletion policy for the FortiManager unit, Archive logs for the affected device are automatically deleted.
Conversely, if the global automatic file deletion policy hits its threshold first, the oldest Archive logs on the
FortiManager unit are automatically deleted regardless of the log storage settings associated with the device.
The following table summarizes the automatic deletion policies:

Policy: Global automatic file deletion
Scope: All logs, files, and reports on the system
Trigger: When the specified length of time expires, old files are automatically deleted. This policy applies to all
files in the system regardless of the data policy settings associated with devices.

Policy: Data policy
Scope: Logs for the device with which the data policy is associated
Trigger: When the specified length of retention time expires, old Archive logs for the device are deleted. This
policy affects only Archive logs for the device with which the data policy is associated.

Policy: Disk utilization
Scope: Logs for the device with which the log storage settings are associated
Trigger: When the specified threshold is reached for the allotted amount of disk space for the device, the oldest
Archive logs are deleted for the device. This policy affects only Archive logs for the device with which the log
storage settings are associated.
Logs for deleted devices
When you delete one or more devices from FortiAnalyzer, the raw log files and archive packets are deleted, and
the action is recorded in the local event log. However, the logs that have been inserted into the SQL database are
not deleted from the SQL database. As a result, logs for the deleted devices might display in the Log View and
FortiView panes, and any reports based on the logs might include results.
The following are ways you can remove logs from the SQL database for deleted devices:
- Rebuild the SQL database for the ADOM to which deleted devices belonged, or rebuild the entire SQL database.
- Configure the log storage policy. When the deleted device logs are older than the Keep Logs for Analytics setting,
they are deleted. Also, when analytic logs exceed their disk quota, the SQL database is trimmed starting with the
oldest database tables. For more information, see Configure log storage on page 201.
- Configure global automatic file deletion settings in System Settings > Advanced > File Management. When the
deleted device logs are older than the configured setting, they are deleted. For more information, see File
Management on page 498.
File Management configures global settings that override other log storage
settings and apply to all ADOMs.
Log storage policy
The log storage policy affects only the logs and SQL database of the devices associated with the log storage
policy. Reports are not affected. See Disk space allocation on page 197.
If ADOMs are enabled, you can view the data policies and disk usage for each ADOM in System Settings >
Storage Info.
The following information and options are available:
Edit
Edit the selected ADOM's log storage policy.
Refresh
Refresh the page.
Search
Enter a search term to search the list.
Name
The name of the ADOM.
ADOMs are listed in two groups: Central Management and Other Device Types.
Analytics
(Actual/Config Days)
The age, in days, of the oldest Analytics logs (Actual Days), and the number of
days Analytics logs will be kept according to the data policy (Config Days).
Archive
(Actual/Config Days)
The age, in days, of the oldest Archive logs (Actual Days) and the number of
days Archive logs will be kept according to the data policy (Config Days).
Max Storage
The maximum disk space allotted to the ADOM (for both Analytics and Archive
logs). See Disk space allocation on page 197 for more information.
Analytics Usage
(Used/Max)
How much disk space Analytics logs have used, and the maximum disk space
allotted for them.
Archive Usage
(Used/Max)
How much disk space Archive logs have used and the maximum disk space
allotted for them.
This pane is only available when the FortiAnalyzer features are manually enabled. For
more information, see FortiAnalyzer Features on page 367.
Configure log storage
The log storage policy affects the logs and SQL database of the device associated with the log storage policy.
If you change log storage settings, the new date ranges affect Analytics and Archive
logs currently in the FortiManager device. Depending on the date change, Analytics
logs might be purged from the database, Archive logs might be added back to the
database, and Archive logs outside the date range might be deleted.
To configure log storage settings:
1. Go to System Settings > Storage Info.
2. Double-click on an ADOM, right-click on an ADOM and then select Edit from the menu, or select the ADOM then
click Edit in the toolbar. The Edit Log Storage Policy pane opens.
3. Configure the following settings, then click OK.
Data Policy
Keep Logs for Analytics
Specify how long to keep Analytics logs.
Keep Logs for Archive
Specify how long to keep Archive logs.
Make sure your setting meets your organization's regulatory requirements.
Disk Utilization
Maximum Allowed
Specify the amount of disk space allotted. See also Disk space allocation on page 197.
Analytics : Archive
Specify the disk space ratio between Analytics and Archive logs. Analytics logs require more space than
Archive logs. Click the Modify checkbox to change the setting.
Alert and Delete When Usage Reaches
Specify the percentage of allotted disk space usage that triggers an alert message and starts automatically
deleting logs. The oldest Archive log files or Analytics database tables are deleted first.
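A simulation tying together the log workflow (indexed, compressed, deleted), the automatic deletion policies, the reserved disk quota table and the settings above, as an added example rather than FortiManager's implementation. The log sizes, device names and policy values are constructed; it also assumes that a log counts toward Analytics usage while indexed and toward Archive usage once purged from SQL, that trimming Analytics moves the oldest log to Archive rather than deleting it, and that deletion continues until usage is back under the alert threshold.

```python
"""Constructed simulation of the log lifecycle and deletion policies described
in this section: indexed -> compressed -> deleted, the data policy, the disk
utilization threshold, and the reserved disk quota. This is example code added
to the page, not FortiManager's implementation. Assumptions: a log counts
toward Analytics usage while indexed and toward Archive usage once purged from
SQL; trimming Analytics moves the oldest log to Archive instead of deleting it;
deletion continues until usage is back under the alert threshold.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class LogFile:
    device: str
    age_days: int
    size_gb: float
    indexed: bool = True    # True = Analytics (in SQL), False = Archive (compressed only)
    deleted: bool = False


@dataclass
class StoragePolicy:
    keep_analytics_days: int   # Keep Logs for Analytics
    keep_archive_days: int     # Keep Logs for Archive
    max_allowed_gb: float      # Maximum Allowed
    analytics_pct: int         # Analytics : Archive ratio, e.g. 60 means 60:40
    alert_pct: int             # Alert and Delete When Usage Reaches


def reserved_quota_gb(total_gb: float) -> float:
    """Reserved space from the Disk space allocation table: a percentage or a
    cap, whichever is smaller, chosen by the disk size tier."""
    if total_gb <= 500:
        pct, cap = 0.20, 50
    elif total_gb <= 1000:
        pct, cap = 0.15, 100
    elif total_gb <= 5000:
        pct, cap = 0.10, 200
    else:
        pct, cap = 0.05, 300
    return min(total_gb * pct, cap)


def usable_raid10_gb(disk_count: int, disk_gb: float) -> float:
    """RAID 10 mirrors every stripe, so half the raw capacity is usable."""
    return disk_count * disk_gb / 2


def apply_data_policy(logs: List[LogFile], policy: StoragePolicy) -> None:
    """Age-based transitions: purge from SQL after keep_analytics_days, delete
    from disk after keep_archive_days. Reports are not touched."""
    for log in logs:
        if log.deleted:
            continue
        if log.age_days > policy.keep_archive_days:
            log.deleted = True
        elif log.age_days > policy.keep_analytics_days:
            log.indexed = False


def apply_disk_utilization(logs: List[LogFile], policy: StoragePolicy) -> List[str]:
    """Quota-based deletion. Analytics is checked first (oldest tables trimmed
    to Archive), then Archive (oldest files deleted), so trimmed logs are
    counted against the Archive share in the same pass."""
    alerts: List[str] = []
    shares = [("Analytics", True, policy.max_allowed_gb * policy.analytics_pct / 100),
              ("Archive", False, policy.max_allowed_gb * (100 - policy.analytics_pct) / 100)]
    for name, indexed, quota in shares:
        limit = quota * policy.alert_pct / 100
        live = sorted((lg for lg in logs if not lg.deleted and lg.indexed == indexed),
                      key=lambda lg: lg.age_days, reverse=True)   # oldest first
        used = sum(lg.size_gb for lg in live)
        if used >= limit:
            alerts.append(f"{name} usage {used:.0f} GB reached "
                          f"{policy.alert_pct}% of {quota:.0f} GB quota")
        while used >= limit and live:
            oldest = live.pop(0)
            if indexed:
                oldest.indexed = False    # trim SQL table, keep compressed file
            else:
                oldest.deleted = True     # delete compressed file from disk
            used -= oldest.size_gb
    return alerts


def usage_gb(logs: List[LogFile]) -> Tuple[float, float]:
    """(Analytics used, Archive used) as the Storage Info pane reports them."""
    analytics = sum(lg.size_gb for lg in logs if not lg.deleted and lg.indexed)
    archive = sum(lg.size_gb for lg in logs if not lg.deleted and not lg.indexed)
    return analytics, archive
```

Running apply_data_policy() and then apply_disk_utilization() over a constructed set of logs shows the interaction the section warns about: a device can lose Archive logs well before its Keep Logs for Archive period expires if its disk share is small, which is why the ratio and threshold deserve the same review as the retention days.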
Storage statistics
To open the Storage Statistics pane, go to Log View > Storage Statistics.
The pane shows visualizations of disk space usage for Analytic and Archive logs. The policy diagrams show an
overview and the details graphs show disk space usage details.
The policy diagram shows the percentage of the disk space quota that is used. Hover your cursor over the
diagram to view the used, free, and total allotted disk space. The configured length of time that logs are stored is
also shown.
To view or change log storage policies, click Storage Settings in the toolbar to open the Edit Log Storage Policy
dialog box.
The details graph shows the amount of disk space used, in MB, over the time period that the logs are stored for.
Click Max Line to show a line on the graph for the total space allotted. Hover over a spot in the graph to view the
used and available disk space at that specific date and time. Click on a point in the details graph to open a
breakdown of the disk space usage by device.
When the used quota approaches 100 percent, a warning message displays when accessing the Storage
Statistics pane.
Click Configure Now to open the Edit Log Storage Policy dialog box where you can adjust log storage policies to
prevent running out of allocated space (see Configure log storage on page 201), or click Remind Me Later to
resolve the issue another time.
Policy & Objects
The Policy & Objects pane enables you to centrally manage and configure the devices that are managed by the
FortiManager unit. This includes the basic network settings to connect the device to the corporate network,
antivirus definitions, intrusion protection signatures, access rules, and managing and updating firmware for the
devices.
All changes related to policies and objects should be made on the FortiManager device, and not on the managed
devices.
If the administrator account you logged on with does not have the appropriate
permissions, you will not be able to edit or delete settings, or apply any changes.
Instead you are limited to browsing. To modify these settings, see Administrator
profiles on page 82.
If workspace is enabled, the ADOM must be locked before changes can be made. See
Locking an ADOM on page 59.
If workflow is enabled, the ADOM must be locked and a session must be started
before changes can be made. See Workflow Mode on page 61.
The following tabs are available on the Policy & Objects pane:
Policy Packages
Click to display the Policy Packages pane.
Object Configurations
Click to display the Object Configurations pane.
The following options are available on the Policy Packages tab:
Policy Package
Click to access the policy package menu. The menu options are the same
as the right-click menu options.
Install Wizard
Click to access the Install menu. You can start the Install Wizard where you
can install policy packages and device settings. You can also re-install a
policy.
ADOM Revisions
Click to create, edit, delete, restore, lock, and unlock ADOM Revisions.
Tools
Click to select one of the following tools from the menu: Display Options,
Find Unused Objects, or Find Duplicate Objects.
Collapse/Expand All
Collapse or expand all the categories in the policy list.
Object Selector
Open the object selector pane on the bottom or right side of the content
pane.
Search
The tree menu can be searched and sorted using the search field and
sorting button at the top of the menu.
The following options are available on the Object Configurations tab:
ADOM Revisions
Click to create, edit, delete, restore, lock, and unlock ADOM Revisions.
Tools
Click to select one of the following tools from the menu: Display Options,
Find Unused Objects, or Find Duplicate Objects.
If workspace is enabled, you can select to lock and edit the policy package in the right-click menu. You do not
need to lock the ADOM first. The policy package lock status is displayed in the toolbar.
The following options are available:
Lock | Unlock
Select to lock or unlock the ADOM.
Sessions
Click to display the sessions list where you can save, submit, or discard
changes made during the session.
About policies
FortiManager provides administrators the ability to customize policies within their organization as they see fit.
Typically, administrators may want to customize access and policies based on factors such as geography, specific
security requirements, or legal requirements.
Within a single ADOM, administrators can create multiple policy packages. FortiManager provides you the ability
to customize policy packages per device or VDOM within a specific ADOM, or to apply a single policy package for
all devices within an ADOM. These policy packages can be targeted at a single device, multiple devices, all
devices, a single VDOM, multiple VDOMs, or all devices within a single ADOM. By defining the scope of a policy
package, an administrator can modify or edit the policies within that package and keep other policy packages
unchanged.
FortiManager can help simplify provisioning of new devices, ADOMs, or VDOMs by allowing you to copy or clone
existing policy packages.
Policy theory
Security policies control all traffic attempting to pass through a unit between interfaces, zones, and VLAN
subinterfaces.
Security policies are instructions that units use to decide connection acceptance and packet processing for traffic
attempting to pass through. When the firewall receives a connection packet, it analyzes the packet’s source
address, destination address, and service (by port number), and attempts to locate a security policy matching the
packet.
Security policies can contain many instructions for the unit to follow when it receives matching packets. Some
instructions are required, such as whether to drop or accept and process the packets, while other instructions,
such as logging and authentication, are optional.
Policy instructions may include Network Address Translation (NAT), or Port Address Translation (PAT), or they
can use virtual IPs or IP pools to translate source and destination IP addresses and port numbers.
Policy instructions may also include Security Profiles, which can specify application-layer inspection and other
protocol-specific protection and logging, as well as IPS inspection at the transport layer.
You configure security policies to define which sessions will match the policy and what actions the device will
perform with packets from matching sessions.
Sessions are matched to a security policy by considering these features of both the packet and policy:
- Policy Type and Subtype
- Incoming Interface
- Source Address
- Outgoing Interface
- Destination Address
- Schedule and time of the session's initiation
- Service and the packet's port numbers.
If the initial packet matches the security policy, the device performs the configured action and any other
configured options on all packets in the session.
Packet handling actions can be ACCEPT, DENY, IPSEC, or SSL-VPN.
- ACCEPT policy actions permit communication sessions, and may optionally include other packet processing
instructions, such as requiring authentication to use the policy, or specifying one or more Security Profiles to apply
features such as virus scanning to packets in the session. An ACCEPT policy can also apply interface-mode IPsec
VPN traffic if either the selected source or destination interface is an IPsec virtual interface.
- DENY policy actions block communication sessions, and you can optionally log the denied traffic. If no security
policy matches the traffic, the packets are dropped, so it is not necessary to configure a DENY security policy in
the last position to block unauthorized traffic. A DENY security policy is needed only when the denied traffic, also
called "violation traffic", must be logged.
- IPSEC and SSL VPN policy actions apply a tunnel mode IPsec VPN or SSL VPN tunnel, respectively, and may
optionally apply NAT and allow traffic for one or both directions. If permitted by the firewall encryption policy, a
tunnel may be initiated automatically whenever a packet matching the policy arrives on the specified network
interface, destined for the local private network.
Administration Guide
Fortinet Technologies Inc.
Create security policies based on traffic flow. For example, in a policy for POP3, where the email server is outside
of the internal network, traffic should be from an internal interface to an external interface rather than the other
way around. It is typically the user on the network requesting email content from the email server and thus the
originator of the open connection is on the internal port, not the external one of the email server. This is also
important to remember when viewing log messages, as the source and destination of the packets can seem
backwards.
Global policy packages
Global policies and objects function in a similar fashion to local policies and objects, but are applied universally to
all ADOMs and VDOMs inside your FortiManager installation. This allows users in a carrier, service provider, or
large enterprise to support complex installations that may require their customers to pass traffic through their own
network.
For example, a carrier or host may allow customers to transit traffic through their network, but do not want their
customer to have the ability to access the carrier’s internal network or resources. Creating global policy header
and footer packages to effectively surround a customer’s policy packages can help maintain security.
Global policy packages must be explicitly assigned to specific ADOMs to be used. When configuring global
policies, a block of space in the policy table is reserved for Local Domain Policies. All of the policies in an
ADOM’s policy table are inserted into this block when the global policy is assigned to an ADOM.
Display options for policies and objects can be configured in Policy & Objects > Tools > Display Options.
Global policies and objects are not supported on all FortiManager platforms. Please
review the products’ data sheets to determine support.
A global policy license is not required to use global policy packages.
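The following is an added example, not code from the FortiManager guide or from FortiOS. It is a small Python model of the first-match evaluation described under packet handling actions, including the implicit deny that drops unmatched traffic without logging it, and of how a global header and footer package surround an ADOM's local policies. The interface names, addresses, policy IDs and the hour-range schedule are all constructed for the example.

```python
"""Added example, not code from the FortiManager guide: first-match evaluation of
a security policy table (incoming interface, source address, outgoing interface,
destination address, schedule, service) with the implicit deny applied when no
policy matches, and how a global header and footer package surround an ADOM's
local policies. All interface names, addresses and policy IDs are constructed."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Set, Tuple

ANY = "any"  # wildcard for interface sets and for the service set


@dataclass
class Policy:
    policy_id: int
    srcintf: Set[str]
    dstintf: Set[str]
    srcaddr: List[IPv4Network]
    dstaddr: List[IPv4Network]
    service: Set[Tuple[str, int]]        # {(proto, dst_port)}; {(ANY, 0)} means ALL
    schedule: Optional[Tuple[int, int]]  # (start_hour, end_hour) or None for always
    action: str                          # "ACCEPT" or "DENY"
    log: bool = False


@dataclass
class Packet:
    ingress: str
    src: str
    egress: str
    dst: str
    proto: str
    dport: int
    when: datetime


def matches(p: Policy, pkt: Packet) -> bool:
    """True when every matching criterion of the policy accepts the packet."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    in_schedule = p.schedule is None or p.schedule[0] <= pkt.when.hour < p.schedule[1]
    return (
        (ANY in p.srcintf or pkt.ingress in p.srcintf)
        and (ANY in p.dstintf or pkt.egress in p.dstintf)
        and any(src in net for net in p.srcaddr)
        and any(dst in net for net in p.dstaddr)
        and ((ANY, 0) in p.service or (pkt.proto, pkt.dport) in p.service)
        and in_schedule
    )


def evaluate(table: List[Policy], pkt: Packet) -> Tuple[Optional[int], str, bool]:
    """Walk the table top to bottom and return (policy_id, action, logged) for the
    first match. With no match the packet is dropped by the implicit deny, which
    produces no log entry; an explicit DENY policy is needed to log violation traffic."""
    for p in table:
        if matches(p, pkt):
            return p.policy_id, p.action, p.log
    return None, "DENY", False


def assemble(header: List[Policy], local: List[Policy], footer: List[Policy]) -> List[Policy]:
    """Global header policies come first, the ADOM's local policies fill the
    reserved Local Domain Policies block, and the global footer closes the table."""
    return list(header) + list(local) + list(footer)


# Constructed sample data: a carrier's global package around a customer's ADOM.
ALL = [ip_network("0.0.0.0/0")]
CUSTOMER_LAN = [ip_network("10.0.0.0/24")]
CARRIER_NET = [ip_network("172.16.0.0/12")]   # the carrier's own internal network

GLOBAL_HEADER = [Policy(1001, {ANY}, {ANY}, ALL, CARRIER_NET, {(ANY, 0)}, None, "DENY", log=True)]
CUSTOMER_LOCAL = [
    Policy(1, {"port1"}, {"port2"}, CUSTOMER_LAN, ALL, {("tcp", 80), ("tcp", 443)}, None, "ACCEPT"),
    Policy(2, {"port1"}, {"port2"}, CUSTOMER_LAN, ALL, {("tcp", 25)}, (8, 18), "ACCEPT"),
    Policy(3, {"port1"}, {"port2"}, CUSTOMER_LAN, ALL, {(ANY, 0)}, None, "ACCEPT"),  # permissive catch-all
]
GLOBAL_FOOTER = [Policy(2001, {ANY}, {ANY}, ALL, ALL, {(ANY, 0)}, None, "DENY", log=True)]
ASSEMBLED = assemble(GLOBAL_HEADER, CUSTOMER_LOCAL, GLOBAL_FOOTER)


def sample_packet(ingress="port1", src="10.0.0.5", dst="203.0.113.10", dport=443, hour=10) -> Packet:
    """Constructed TCP packet leaving on port2 at the given hour."""
    return Packet(ingress, src, "port2", dst, "tcp", dport, datetime(2018, 1, 19, hour))


if __name__ == "__main__":
    for pkt in (sample_packet(), sample_packet(dst="172.16.5.5"),
                sample_packet(dport=25, hour=22), sample_packet(ingress="port3")):
        print(f"{pkt.ingress} {pkt.src} -> {pkt.dst}:{pkt.dport} at {pkt.when.hour}:00 ->",
              evaluate(ASSEMBLED, pkt))
```

Evaluating the customer's local policies alone for traffic that arrives on an interface none of them covers returns no policy ID and a silent drop, whereas the assembled table reports the footer DENY with logging. That is the difference the guide draws between the implicit drop and an explicit DENY policy for violation traffic, and the header DENY shows why the customer's permissive catch-all policy 3 can never reach the carrier's internal network.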
Policy workflow
An administrator will typically carry out two main functions with their devices through FortiManager: provisioning
new devices or VDOMs on the network and managing the day-to-day operations of managed devices and
VDOMs.
Provisioning new devices
There are multiple steps to provision a new device or VDOM to be managed by the FortiManager unit:
1. In the Device Manager pane, create a new VDOM or add a new device.
2. Assign a system template to the provisioned device (optional).
3. In the Policy & Objects pane, configure any dynamic objects you wish to assign to the new VDOM or device.
4. Determine how a policy will be defined for the new device: does the new device or VDOM have a new policy
package unique to itself, or will the device or VDOM use a package that is implemented elsewhere?
5. Run the Install Wizard to install any objects and policies for the new device, or create a new policy package.
6. If the new device uses an existing policy package, modify the installation targets of that package to include the
new device.
Day-to-day management of devices
An administrator will often have to modify various objects for the devices they are responsible for managing. A
typical set of tasks to manage an already provisioned device will include:
1. Adding, deleting, or editing various objects, such as firewall information, security profiles, user access rights,
antivirus signatures, etc.
2. Adding, deleting, or editing all of the policy packages or individual policies within a policy package. This can
include changing the order of operation, adding new policies, or modifying information or access permissions in
the policy package.
3. Installing updates to devices.
Display options
The policy and objects that are displayed on the Policy & Objects pane can be customized. Go to Tools >
Display Options.
You can turn the options on or off (visible or hidden). To turn on an option, select the checkbox beside the option
name. To turn off an option, clear the checkbox beside the option name. You can turn on all of the options in a
category by selecting the checkbox beside the category name. For example, you can turn on all firewall objects by
selecting the checkbox beside Firewall Objects. You can also turn on all of the categories by clicking the Check
All button at the bottom of the window.
Various display options are enabled by default and cannot be turned off.
Once turned on, you can configure the corresponding options from the appropriate location on the Policy &
Objects > Object Configurations pane.
Reset all of the options by clicking the Reset to Default button at the bottom of the screen, or reset only the
options in a category by clicking the Reset to Default button beside the category name.
Managing policy packages
Policy packages can be created and edited, and then assigned to specific devices in the ADOM. Folders can be
created for the policy packages to aid in the organization and management of the packages.
Not all policy and object options are enabled by default. To configure the enabled
options, go to Policy & Objects > Tools > Display Options and select your required
options.
All of the options available from the Policy Packages menu can also be accessed by
right-clicking anywhere in the policy tree menu.
Create new policy packages
To create a new global policy package:
1. Ensure that you are in the Global ADOM.
2. Go to Policy & Objects > Policy Packages.
3. From the Policy Package menu select New Package or right-click in the tree menu and select New Package.
The Create New Policy Package window opens.
4. Enter a name for the new global policy package.
5. (Optional) Click the In Folder button to select a folder.
6. (Optional) Select the Central NAT checkbox to enable Central SNAT and Central DNAT policy types.
7. Click OK to add the policy package.
To create a new policy package:
1. Ensure that you are in the correct ADOM.
2. Go to Policy & Objects > Policy Packages.
3. From the Policy Package menu select New Package or right-click in the tree menu and select New Package.
The Create New Policy Package window opens.
4. Configure the following details, then click OK to create the policy package.
Name: Enter a name for the new policy package.
In Folder: Optionally, click the In Folder button to select a folder for the package.
Central NAT: Select the Central NAT checkbox to enable Central SNAT and Central DNAT policy types.
Inspection Mode: Select Flow-based (default) or Proxy for the inspection mode. This option is only available for version 5.6 and later ADOMs. For more information on inspection modes, see the FortiOS Handbook, available in the Fortinet Document Library.
NGFW Mode: Select the NGFW mode, Profile-based (default) or Policy-based. This option is only available for version 5.6 and later ADOMs when Inspection Mode is Flow-based.
SSL/SSH Inspection: Select an SSL/SSH inspection type from the dropdown list. This option is only available for version 5.6 and later ADOMs when NGFW Mode is Policy-based.
Create new policy package folders
You can create new policy package folders within existing folders to help you better organize your policy
packages.
To create a new policy package folder:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Policy Packages.
3. From the Policy Package menu select New Folder or right-click in the tree menu and select New Folder. The
Create New Policy Folder window opens.
4. Enter a name for the new policy folder.
5. (Optional) Click the In Folder button to nest the new folder inside another folder.
6. Click OK. The new policy folder is displayed in the tree menu.
Edit a policy package or folder
Policy packages and policy package folders can be edited and moved as required.
To edit a policy package or folder:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Policy Packages.
3. Select the package or folder in the tree menu then select Policy Package > Edit from the toolbar, or right-click on
the package or folder and select Edit from the menu.
4. Edit the settings as required, then click OK to apply your changes.
Deselecting Central NAT does not delete Central SNAT or Central DNAT entries.
To move a policy package or folder:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Policy Packages.
3. Select the package or folder in the tree menu then select Policy Package > Move from the toolbar, or right-click
on the package or folder and select Move from the menu.
4. Change the location of the package or folder as required, then click OK.
Clone a policy package
To clone a policy package:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Policy Packages.
3. Select the package or folder in the tree then select Policy Package > Clone Package from the toolbar, or right-click on the package or folder and select Clone Package from the menu.
4. Edit the name and location of the clone as required.
5. Click OK to create the cloned policy package.
Remove a policy package or folder
To remove a policy package or folder:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Policy Packages.
3. Select the package or folder in the tree menu then select Policy Package > Delete from the toolbar, or right-click
on the package or folder and select Delete from the menu.
Assign a global policy package
Global policy packages can be assigned or installed to specific ADOMs.
Only ADOMs of the same version as the global database or the next higher major release are presented as
options for assignment.
To assign a global policy package:
1. Ensure you are in the Global Database ADOM.
2. Go to Policy & Objects > Policy Packages.
3. In the tree menu for the policy package, click Assignment. The ADOM assignment list is displayed in the content
pane.
4. If required, select Add ADOM to add an ADOM to the assignment list.
5. In the assignment list, select an ADOM, or click Select All.
6. Click Assign Selected from the content toolbar. The Assign dialog box opens.
7. Select whether you want to assign only used objects or all objects, and if policies will be automatically installed to
ADOM devices.
8. Click OK to assign the policy package to the selected ADOM or ADOMs.
In the Assignment pane you can also edit the ADOM list, delete ADOMs from the list,
and assign and unassign ADOMs.
Install a policy package
When installing a policy package, objects that are referenced in the policy will be installed to the target device.
Some objects that are not directly referenced in the policy will also be installed to the
target device, such as FSSO polling objects, address and profile groups, and CA certificates.
To install a policy package to a target device:
1. Ensure you are in the ADOM that contains the policy package.
2. Go to Policy & Objects > Policy Packages.
3. From the Install menu, select Install Wizard. The Install Wizard opens.
4. Follow the steps in the install wizard to install the policy package. You can select to install policy package and
device settings or install the interface policy only.
For more information on the install wizard, see Using the Install Wizard to install policy packages and device
settings on page 130. For more information on editing the installation targets, see Policy package installation
targets on page 215.
Schedule a policy package install
In FortiManager you can create, edit, and delete install schedules for policy packages. The Schedule Install
menu option has been added to the Install wizard when selecting to install policy package and device settings.
You can specify the date and time to install the latest policy package changes.
Select the clock icon which is displayed beside the policy package name to create an install schedule. Select this
icon to edit or cancel the schedule. When a scheduled install has been configured and is active, hover the mouse
over the icon to view the scheduled date and time.
To schedule the install of a policy package to a target device:
1. Ensure you are in the ADOM that contains the policy package.
2. Go to Policy & Objects > Policy Packages.
3. From the Install menu, select Install Wizard. The Install Wizard opens.
4. Select Schedule Install, and set the install schedule date and time.
5. Select Next. In the device selection screen, edit the installation targets as required.
6. Select Next. In the interface validation screen, edit the interface mapping as required.
7. Select Schedule Install to continue to the policy and object validation screen. In the ready to install screen you can
copy the log and download the preview text file.
To edit or cancel an install schedule:
1. Ensure you are in the ADOM that contains the policy package.
2. Go to Policy & Objects > Policy Packages.
3. Click the clock icon next to the policy package name in the Policy Package tree. The Edit Install Schedule dialog
box is displayed.
4. Select Cancel Schedule to cancel the install schedule, then select OK in the confirmation dialog box to cancel the
schedule. Otherwise, edit the install schedule as required and select OK to save your changes.
Reinstall a policy package
You can reinstall a policy package in Policy & Objects or Device Manager.
To reinstall a policy package:
1. If using ADOMs, ensure you are in the correct ADOM.
2. Perform one of the following actions:
- Go to Policy & Objects > Policy Packages, and select a policy package.
- Go to Device Manager, and select a device.
3. In the toolbar, select Install > Re-install Policy.
After data is gathered, the Re-install Policy Package window is displayed.
4. (Optional) View a preview of the installation.
a. Click the Install Preview button.
After data is gathered, the Install Preview page is displayed.
b. Click the Download button to download a text file of the preview information.
c. Click the Cancel button to close the page and return to the wizard.
5. (Optional) View the difference between the current policy package and the policy in the device.
a. Click the Policy Package Diff button.
After data is gathered, the Policy Package Diff page is displayed.
b. Click the Details links to view details about the changes to the policy, specific policies, and policy objects.
c. Click Cancel to close the page and return to the wizard.
6. Click Next.
7. Click Install.
The policy package is reinstalled to the target devices.
Export a policy package
You can export a policy package to a CSV file.
To export a policy package:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Policy Packages.
3. Select a policy package or folder, and from the Policy Package menu, select Export.
Policy packages are exported as CSV files.
Policy package installation targets
The Installation Targets pane allows you to view the installation target, config status, policy package status, and
schedule install status, as well as edit installation targets for policy package installs.
To view installation targets, go to Policy & Objects > Policy Packages. In the tree menu for the policy package,
select Installation Targets.
The following information is displayed:
Installation Target: The installation target and connection status.
Config Status: The device settings synchronization status.
Policy Package Status: The policy package installation status.
The following options are available:
Add: Select to add installation targets (device/group) for the selected policy package. Select the add icon beside Device/Group to select devices.
Delete: Select to delete the selected entries from the installation targets of the selected policy package.
Install: Select an entry in the table and, from the Install menu, select Install Wizard or Re-install Policy.
Search: Use the search field to search installation targets. Entering text in the search field highlights matches.
Perform a policy consistency check
The policy check tool allows you to check all policy packages within an ADOM to ensure consistency and
eliminate conflicts that may prevent your devices from passing traffic. This allows you to optimize your policy sets
and potentially reduce the size of your databases.
The check will verify:
- Object duplication: two objects that have identical definitions
- Object shadowing: a higher priority object completely encompasses another object of the same type
- Object overlap: one object partially overlaps another object of the same type
- Object orphaning: an object has been defined but has not been used anywhere.
The policy check uses an algorithm to evaluate policy objects, based on the following attributes:
- The source and destination interface policy objects
- The source and destination address policy objects
- The service and schedule policy objects.
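The following is an added example, not FortiManager's own implementation of the policy check. It is a simplified Python version of the four checks listed above, evaluated on the attributes the guide names: source and destination interface, source and destination address, service, and schedule. The address objects, service names, policy IDs, and the treatment of `any` and `always` as wildcards are assumptions of this example.

```python
"""Added example, not code from the FortiManager guide: a simplified policy
consistency check covering object duplication, shadowing, overlap and orphaning.
Policies are compared on interfaces, addresses, service and schedule. Address
objects, policy IDs and service names are constructed sample data."""
from ipaddress import IPv4Network, ip_network
from typing import Dict, List, Set, Tuple

ANY = "any"        # assumed wildcard entry for interface and service sets
ALWAYS = "always"  # assumed wildcard schedule

# Constructed address objects (name -> definition)
ADDRESSES: Dict[str, IPv4Network] = {
    "LAN":        ip_network("10.0.0.0/24"),
    "LAN_copy":   ip_network("10.0.0.0/24"),    # identical definition to LAN
    "LAN_srv":    ip_network("10.0.0.128/25"),  # wholly inside LAN
    "DMZ":        ip_network("192.0.2.0/24"),
    "Unused_net": ip_network("198.51.100.0/24"),
    "all":        ip_network("0.0.0.0/0"),
}

# Constructed policies in priority order (the first entry has the highest priority)
POLICIES: List[dict] = [
    dict(id=1, srcintf={"port1"}, dstintf={"port2"}, srcaddr={"LAN"},
         dstaddr={"all"}, service={"HTTP", "HTTPS"}, schedule=ALWAYS),
    dict(id=2, srcintf={"port1"}, dstintf={"port2"}, srcaddr={"LAN_srv"},
         dstaddr={"all"}, service={"HTTPS"}, schedule=ALWAYS),          # shadowed by 1
    dict(id=3, srcintf={"port1"}, dstintf={"port2"}, srcaddr={"LAN"},
         dstaddr={"DMZ"}, service={"HTTPS", "SSH"}, schedule=ALWAYS),   # overlaps 1 and 2
    dict(id=4, srcintf={"port3"}, dstintf={"port2"}, srcaddr={"DMZ"},
         dstaddr={"all"}, service={"DNS"}, schedule=ALWAYS),
]


def _nets(names: Set[str], addresses: Dict[str, IPv4Network]) -> List[IPv4Network]:
    return [addresses[n] for n in names]


def _addr_covers(big, small, addresses) -> bool:
    """Every network in small is contained in some network in big."""
    return all(any(s.subnet_of(b) for b in _nets(big, addresses)) for s in _nets(small, addresses))


def _addr_intersects(a, b, addresses) -> bool:
    return any(x.overlaps(y) for x in _nets(a, addresses) for y in _nets(b, addresses))


def _set_covers(big: Set[str], small: Set[str]) -> bool:
    return ANY in big or small <= big


def _set_intersects(a: Set[str], b: Set[str]) -> bool:
    return ANY in a or ANY in b or bool(a & b)


def covers(p: dict, q: dict, addresses) -> bool:
    """True when every session q would match is already matched by p (shadowing)."""
    return (_set_covers(p["srcintf"], q["srcintf"]) and _set_covers(p["dstintf"], q["dstintf"])
            and _addr_covers(p["srcaddr"], q["srcaddr"], addresses)
            and _addr_covers(p["dstaddr"], q["dstaddr"], addresses)
            and _set_covers(p["service"], q["service"])
            and (p["schedule"] == ALWAYS or p["schedule"] == q["schedule"]))


def intersects(p: dict, q: dict, addresses) -> bool:
    """True when some session could match both p and q (overlap)."""
    return (_set_intersects(p["srcintf"], q["srcintf"]) and _set_intersects(p["dstintf"], q["dstintf"])
            and _addr_intersects(p["srcaddr"], q["srcaddr"], addresses)
            and _addr_intersects(p["dstaddr"], q["dstaddr"], addresses)
            and _set_intersects(p["service"], q["service"])
            and (ALWAYS in (p["schedule"], q["schedule"]) or p["schedule"] == q["schedule"]))


def check_policies(policies, addresses) -> Tuple[List[Tuple[int, int]], List[Tuple[int, int]]]:
    """Return (shadowed, overlapping) as (higher-priority id, lower-priority id) pairs.
    A shadowed policy can never match because an earlier policy completely
    encompasses it; an overlapping pair shares some, but not all, of its traffic."""
    shadowed, overlapping = [], []
    for i, p in enumerate(policies):
        for q in policies[i + 1:]:
            if covers(p, q, addresses):
                shadowed.append((p["id"], q["id"]))
            elif intersects(p, q, addresses):
                overlapping.append((p["id"], q["id"]))
    return shadowed, overlapping


def duplicate_addresses(addresses) -> List[List[str]]:
    """Groups of address objects whose definitions are identical."""
    by_definition: Dict[IPv4Network, List[str]] = {}
    for name, net in addresses.items():
        by_definition.setdefault(net, []).append(name)
    return sorted(sorted(names) for names in by_definition.values() if len(names) > 1)


def orphaned_addresses(policies, addresses) -> List[str]:
    """Address objects that are defined but referenced by no policy."""
    used: Set[str] = set()
    for p in policies:
        used |= p["srcaddr"] | p["dstaddr"]
    return sorted(set(addresses) - used)


if __name__ == "__main__":
    print("duplicates:", duplicate_addresses(ADDRESSES))
    print("orphaned:", orphaned_addresses(POLICIES, ADDRESSES))
    print("shadowed, overlapping:", check_policies(POLICIES, ADDRESSES))
```

In the sample data policy 2 is reported as shadowed by policy 1 (its source is a subnet of LAN and HTTPS is already accepted to all destinations), so it can never be hit and is a candidate for removal, while policies 1 and 3 are reported as overlapping because only their HTTPS-to-DMZ traffic is shared.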
To perform a policy check:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Policy Packages.
3. Select a policy package or folder, and from the Policy Package menu, select Policy Check. The Policy
Consistency Check dialog box opens.
4. To perform a new consistency check, select Perform Policy Consistency Check, then click OK.
A policy consistency check is performed, and the results screen is shown.
To view the results of the last policy consistency check:
1. Select the ADOM for which you performed a consistency check.
2. Go to Policy & Objects > Policy Packages.
3. Select a policy package or folder, and from the Policy Package menu, select Policy Check. The Policy
Consistency Check dialog box opens.
4. To view the results of the most recent consistency check, select View Last Policy Consistency Check Result,
then click OK.
The Policy Consistency Check window opens, showing the results of the last policy consistency check.
View logs related to a policy rule
After you add a FortiAnalyzer device to FortiManager by using the Add FortiAnalyzer wizard, you can view the
logs that it receives. In the Policy & Objects pane, you can view logs related to the UUID for a policy rule. You
can also use the UUID to search related policy rules.
See also Adding FortiAnalyzer devices on page 114.
To view logs related to a policy rule:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Policy Packages.
3. From the Column Settings menu in the toolbar, select UUID.
The UUID column is displayed.
4. Select a policy package.
5. In the content pane, right-click a number in the UUID column, and select View Log.
The View Log by UUID: <UUID> window is displayed and lists all of the logs associated with the policy ID.
Managing policies
Policies in policy packages can be created and managed by selecting an ADOM, and then selecting the policy
package whose policies you are configuring. Sections can be added to the policy list to help organize your
policies, and the policies can be listed in sequence, or by interface pairs.
On the Policy & Objects > Policy Packages pane, the tree menu lists the policy packages and the policies in
each policy package. In the following example, the default policy package is displayed with its policies, such as
IPv4 Policy, IPv6 Policy, and so on. The policies that are displayed for each policy package are controlled by the
display options. See Display options on page 208 for more information.
You can configure the following policies for a policy package:
- IP policies
- Central DNAT
- Local in policy
- NAT policies
- DoS policy
- Traffic shaping policy
- Proxy policy
- Interface policy
- Central SNAT
- Multicast policy
Various options are also available from column specific right-click menus, for more information see Column
options on page 218.
For more information about policies, see the FortiOS Handbook available in the Fortinet Document Library.
If workspace or workflow is enabled, the ADOM must be locked before changes can be
made. See Locking an ADOM on page 59.
Not all policy and object options are enabled by default. To configure the enabled
options, from the Tools menu, select Display Options.
Section view will be disabled if one or more policies are using the Any interface, or if
one or more policies are configured with multiple source or destination interfaces.
Column options
The visible columns can be adjusted, where applicable, using the Column Settings menu in the content pane
toolbar. The columns and columns filters available are dependent on the policy and the ADOM firmware version.
Click and drag an applicable column to move it to another location in the table.
Policy search and filter
Go to Policy & Objects > Policy Packages, and use the search box to search or filter policies for matching rules
or objects.
The default Simple Search will highlight text that matches the string entered in the search field.
To add column filters:
1. Select Column Filter from the search field dropdown menu.
2. Do either of the following:
a. Right-click on a specific value in any column and select Add Filter (equals or not equals) from the menu.
or
a. Click Add Filter, then select a column heading from the list.
b. Select from the available values in the provided list. Select Or to add multiple values, or select Not to
remove any policies that contain the selected value from the results.
Multiple filters can be added.
3. Click Go to filter the list.
Policy hit count
You can view the hit count for each policy in a policy package. You must enable policy hit counts before you can
view the tally.
To enable policy hits:
1. Go to System Settings > Advanced Settings.
2. Beside Policy Hit Count, select Enable.
To view policy hit counts:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Policy Package.
3. In the tree menu for a policy package, select a policy. The content pane for the policy is displayed.
4. View the Hit Count column.
Creating policies
To create a new policy:
Policy creation varies depending on the type of policy that is being created. See the section below that
corresponds to the type of policy you are creating for specific instructions on creating that type of policy.
Policy creation will vary by ADOM version.
For information on creating policies, see the FortiOS Handbook, available in the
Fortinet Document Library.
To insert a policy:
Generic policies can be inserted above or below the currently selected policy. From the Create New menu, select
Insert Above or Insert Below. By default, new policies will be inserted at the bottom of the list.
Editing policies
Policies can be edited in a variety of different ways, often directly on the policy list.
To edit a policy:
Select a policy and select Edit from the Edit menu, or double-click on a policy, to open the Edit Policy pane.
You can also edit a policy inline using the Object Selection pane, the right-click menu, and by dragging and
dropping objects. See Object selector on page 220 and Drag and drop objects on page 221.
The right-click menu changes based on the cell or object that is clicked on.
To clone a policy:
Select a policy, and from the Edit menu, select Clone. The Clone Policy dialog box opens with all of the settings
of the original policy. Edit the settings as required and select OK to create the clone.
To copy, cut, or paste a policy or object:
You can copy, cut, and paste policies. Select a policy, and from the Edit menu, select Cut or Copy. When pasting
a copied or cut policy, you can insert it above or below the currently selected policy.
You can also copy, cut, and paste objects within a policy. Select an object in a cell, or select multiple objects
using the control key, then right-click and select Copy or Cut. Copied or cut objects can only be pasted into
appropriate cells; an address cannot be pasted into a service cell for example.
A copied or cut policy or object can be pasted multiple times without having to be
recopied.
To delete a policy:
You can delete a policy. Select a policy, and from the Edit menu, select Delete.
To add a section:
You can use sections to help organize your policy list. Policies can also be appended to sections.
Select a policy, and from the Section menu, click Add. Type a section name, and click OK to add a section to the
currently selected policy.
Object selector
The object selector pane opens when you access the Policy & Objects pane, when a policy package or policy is
selected, and when a cell in the policy list is selected.
It can also be accessed by clicking Object Selector > Dock to Bottom or Object Selector Dock to Right in the
toolbar, to dock the selector to the bottom or right side of the pane.
Create New: Click the create new dropdown list, then select the object type, to make a new object. See Create a new object on page 247.
Collapse / Expand All: Expand or collapse all of the object groups shown in the pane.
Dock to bottom / right: Move the object selector pane to the bottom or right side of the content pane.
Tool tips: See object selector usage tips.
Close: Close the object selector pane.
Search: Enter a search term to search the object list.
Refresh: Refresh the list.
Select All: Select all objects in the list.
Deselect All: Deselect all objects in the list.
Sort: Sort the object list alphabetically.
Objects can be dragged and dropped from the pane to applicable, highlighted cells in the policy list.
Right-click on an object in the pane to Edit or Clone the object, and to see where it is used. See Edit an object on
page 250 and Clone an object on page 250.
Drag and drop objects
On the Policy & Objects > Policy Packages pane, objects can be dragged and dropped from the object selector
pane, and can also be dragged from one cell to another, without removing the object from the original cell.
One or more objects can be dragged at the same time. When dragging a single object, a box beside the pointer
will display the name of the object being dragged. When dragging multiple objects, the box beside the pointer will
show a count of the number of objects that are being dragged. To select multiple objects, click them while holding
the control key on your keyboard.
The cells or columns that the object or objects can be dropped into will be highlighted in the policy package pane.
After dropping the object or objects into a cell or column, the object will immediately appear in the cell as part of
the policy, or in all the cells of that column.
Configuring policy details
Various policy details can be configured directly from the policy tables, such as the policy schedule, service,
action, security profiles, and logging.
To edit a policy schedule:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Policy Packages.
3. In the tree menu for a policy package, select a policy type. The policies are displayed in the content pane.
4. In the Schedule column, click the cell in the policy that you want to edit. The object selector pane is displayed on
the right-hand side.
5. In the object selector pane, locate the schedule object, and then drag and drop the object onto the cell in the
Schedule column for the policy that you want to change.
6. Click OK to save the changes and close the object selector pane.
To edit a policy service:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Policy Packages.
3. In the tree menu for a policy package, select a policy type. The policies are displayed in the content pane.
4. In the Service column, click the cell in the policy that you want to edit. The object selector pane opens.
5. In the object selector pane, locate the service object, and then drag and drop the object onto the cell in the
Service column for the policy that you want to change.
6. Select OK to save the service. The custom service will be added to Objects > Firewall Objects > Service.
To edit a services object:
1. Go to Policy & Objects > Object Configuration.
2. In the tree menu, expand Firewall Objects, and select Services. The services objects are displayed in the content
pane.
3. Select a services object, and click Edit. The Edit Service dialog box is displayed.
4. Configure the following settings:
Name: Edit the service name as required.
Comments: Type an optional comment.
Service Type: Select Firewall or Explicit Proxy.
Show in service list: Select to display the object in the services list.
Category: Select a category for the service.
Protocol Type: Select the protocol from the dropdown list. Select one of the following: TCP/UDP/SCTP, ICMP, ICMP6, or IP.
IP/FQDN: Type the IP address or FQDN. This menu item is available when Protocol is set to TCP/UDP/SCTP. You can then define the protocol, source port, and destination port in the table.
Type: Type the service type in the text field. This menu item is available when Protocol is set to ICMP or ICMP6.
Code: Type the code in the text field. This menu item is available when Protocol is set to ICMP or ICMP6.
Protocol Number: Type the protocol number in the text field. This menu item is available when Protocol Type is set to IP.
Advanced Options: For more information on advanced options, see the FortiOS CLI Reference.
check-reset-range: Configure ICMP error message verification.
- disable: The FortiGate unit does not validate ICMP error messages.
- strict: If the FortiGate unit receives an ICMP error packet that contains an embedded IP(A,B) | TCP(C,D) header, then if FortiManager can locate the A:C->B:D session it checks to make sure that the sequence number in the TCP header is within the range recorded in the session. If the sequence number is not in range then the ICMP packet is dropped. If it is enabled, the FortiGate unit logs that the ICMP packet was dropped. Strict checking also affects how the anti-replay option checks packets.
- default: Use the global setting defined in system global.
This field is available when Protocol is TCP/UDP/SCTP. This field is not available if explicit-proxy is enabled.
Color: Click the icon to select a custom, colored icon to display next to the service name.
session-ttl
Type the default session timeout in seconds.
The valid range is from 300 to 604800 seconds. Type 0 to use either the per-policy session-ttl or per-VDOM session-ttl, as applicable.
This is available when Protocol is TCP/UDP/SCTP.
tcp-halfclose-timer
Type how many seconds the FortiGate unit should wait to close a session after one peer has sent a FIN packet but the other has not responded. The valid range is from 1 to 86400 seconds. Type 0 to use the global setting defined in system global.
This is available when Protocol is TCP/UDP/SCTP.
tcp-halfopen-timer
Type how many seconds the FortiGate unit should wait to close a session after one peer has sent an open session packet but the other has not responded.
The valid range is from 1 to 86400 seconds. Type 0 to use the global setting defined in system global.
This is available when Protocol is TCP/UDP/SCTP.
tcp-timewait-timer
Set the length of the TCP TIME-WAIT state in seconds. As described in RFC 793, the “...TIME-WAIT state represents waiting for enough time to pass to be sure the remote TCP received the acknowledgment of its connection termination request.”
Reducing the length of the TIME-WAIT state means the FortiGate unit can close terminated sessions faster, which means that more new sessions can be opened before the session limit is reached.
The valid range is 0 to 300 seconds. A value of 0 sets the TCP TIME-WAIT to 0 seconds. Type 0 to use the global setting defined in system global.
This is available when Protocol is TCP/UDP/SCTP.
udp-idle-timer
Type the number of seconds before an idle UDP connection times out. The valid range is from 1 to 86400 seconds.
Type 0 to use the global setting defined in system global.
This is available when Protocol is TCP/UDP/SCTP.
5. Select OK to save the service. The custom service will be added to Policy & Objects > Objects Configuration >
Firewall Objects > Service.
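The strict check-reset-range verification described under Advanced Options above, modelled as an added Python example that is not part of the guide or Fortinet's code. The session table, sequence ranges and ICMP packets are constructed, and the handling of an ICMP error with no matching session is an assumption of the model.

```python
"""
Added example, not from the FortiManager guide or Fortinet's code: a model of
the check-reset-range "strict" verification of ICMP error messages.

An ICMP error (for example Destination Unreachable) quotes the IPv4 header and
the first 8 bytes of the transport header of the packet that triggered it.
Strict mode uses that embedded IP(A,B) | TCP(C,D) header to locate the
A:C->B:D session and drops the ICMP packet when the quoted TCP sequence
number lies outside the range recorded for that session.  The session table,
sequence ranges and packets below are constructed for the example.
"""
import struct
from dataclasses import dataclass


@dataclass
class Session:
    """One tracked TCP session and the sequence-number window it expects."""
    src: str
    sport: int
    dst: str
    dport: int
    seq_lo: int   # lowest sequence number currently acceptable from src
    seq_hi: int   # highest sequence number currently acceptable from src


def _ipv4(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def _ipv4_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_icmp_error(a: str, b: str, c: int, d: int, seq: int,
                     proto: int = 6, icmp_type: int = 3, code: int = 3) -> bytes:
    """Constructed sample ICMP error: 8-byte ICMP header (checksum left as 0),
    embedded IPv4 header A->B carrying the given protocol, and the first 8 bytes
    of the embedded transport header (src port C, dst port D, sequence number)."""
    icmp_hdr = struct.pack("!BBHI", icmp_type, code, 0, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                         _ipv4_bytes(a), _ipv4_bytes(b))
    transport8 = struct.pack("!HHI", c, d, seq)
    return icmp_hdr + ip_hdr + transport8


def parse_icmp_error(icmp: bytes):
    """Return (A, B, C, D, seq) from the embedded headers of an ICMP error, or
    None when the quoted packet is not IPv4/TCP or is too short to judge."""
    if len(icmp) < 8 + 20 + 8:
        return None
    inner = icmp[8:]
    version, ihl = inner[0] >> 4, (inner[0] & 0x0F) * 4
    proto = inner[9]
    if version != 4 or proto != 6 or len(inner) < ihl + 8:
        return None
    a, b = _ipv4(inner[12:16]), _ipv4(inner[16:20])
    c, d, seq = struct.unpack("!HHI", inner[ihl:ihl + 8])
    return a, b, c, d, seq


def seq_in_range(seq: int, lo: int, hi: int) -> bool:
    """lo <= seq <= hi on the 32-bit sequence-number circle (handles wrap-around)."""
    return ((seq - lo) & 0xFFFFFFFF) <= ((hi - lo) & 0xFFFFFFFF)


def check_reset_range(icmp: bytes, sessions: dict, mode: str = "strict") -> tuple:
    """Apply the check-reset-range setting to one ICMP error packet.
    Returns (verdict, reason) where verdict is 'accept' or 'drop'."""
    if mode == "disable":
        return "accept", "ICMP error validation disabled"
    parsed = parse_icmp_error(icmp)
    if parsed is None:
        return "accept", "no embedded IPv4/TCP header to validate"
    a, b, c, d, seq = parsed
    sess = sessions.get((a, c, b, d))
    if sess is None:
        # No A:C->B:D session to compare against; the packet is left to the
        # normal policy lookup (assumption made by this model).
        return "accept", f"no session {a}:{c}->{b}:{d} found"
    if seq_in_range(seq, sess.seq_lo, sess.seq_hi):
        return "accept", f"seq {seq} within [{sess.seq_lo}, {sess.seq_hi}]"
    # Out-of-range sequence number: drop, and log the drop if logging is enabled.
    return "drop", f"seq {seq} outside [{sess.seq_lo}, {sess.seq_hi}]; logged"


# Constructed session table keyed by (A, C, B, D).
SESSIONS = {
    ("10.1.1.5", 40000, "203.0.113.10", 443):
        Session("10.1.1.5", 40000, "203.0.113.10", 443, 1000, 1000 + 65535),
}

if __name__ == "__main__":
    for seq in (1500, 900000):
        pkt = build_icmp_error("10.1.1.5", "203.0.113.10", 40000, 443, seq)
        print(seq, check_reset_range(pkt, SESSIONS))
```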
To edit a policy action:
1. Select desired policy type in the tree menu.
2. Select the policy, and from the Edit menu, select Edit.
3. Set the Action option, and click OK.
To edit policy security profiles:
1. Select desired policy type in the tree menu.
2. For the policy, click the Profile column. The object selector pane is displayed.
3. Select a security profile, and click OK.
To edit policy logging:
1. Select desired policy type in the tree menu.
2. Right-click the Log column, and select options from the menu.
IP policies
This section describes how to create new IPv4 and IPv6 policies.
IPv6 security policies are created both for an IPv6 network and a transitional network. A transitional network is a
network that is transitioning over to IPv6, but must still have access to the Internet or must connect over an IPv4
network. IPv6 policies allow for this specific type of traffic to travel between the IPv6 and IPv4 networks.
On the Policy & Objects tab, from the Tools menu, select Display Options. In the
Policy section, select the IPv6 Policy checkbox to display this option.
To create a new IPv4 or IPv6 policy:
1. Ensure that you are in the correct ADOM.
2. Go to Policy & Objects > Policy Packages.
3. In the tree menu for the policy package in which you will be creating the new policy, select IPv4 Policy or IPv6
Policy. If you are in the Global Database ADOM, select IPv4 Header Policy, IPv4 Footer Policy, IPv6 Header
Policy, or IPv6 Footer Policy.
4. Click Create New, or, from the Create New menu, select Insert Above or Insert Below. By default, policies will be added to the bottom of the list, but above the implicit policy. The Create New Policy pane opens.
5. Enter the following information:
Name
Enter a unique name for the policy. Each policy must have a unique name.
Incoming Interface
Click the field then select interfaces from the object selector pane.
Select the remove icon to remove values.
New objects can be created by clicking the Create New icon in the object
selector pane. See Create a new object on page 247 for more information.
Outgoing Interface
Select outgoing interfaces from the object selector pane.
Source Address
Select source addresses from the object selector pane.
Source User
Select source users from the object selector pane.
Source User Group
Select source user groups from the object selector pane.
Source Device
Select source devices, device groups, and device categories from the
object selector pane.
Internet Service
Turn internet service on or off.
This option is only available for IPv4 policies.
Destination Internet Service
Select internet services from the object selector pane.
This option is only available when Internet Service is on.
Destination Address
Select destination addresses, address groups, virtual IPs, and virtual
IP groups from the object selector pane.
This option is only available when Internet Service is off.
Service
Select services and service groups from the object selector pane.
This option is only available when Internet Service is off.
Schedule
Select schedules, one time or recurring, and schedule groups from the
object selector pane.
Application
Select applications from the object selector pane.
This option is only available when NGFW Mode is Policy-based; see
Create new policy packages on page 209.
URL Category
Select URL categories from the object selector pane.
This option is only available when NGFW Mode is Policy-based; see
Create new policy packages on page 209.
Action
Select an action for the policy to take: ACCEPT, DENY, or IPSEC.
IPSEC is not available for IPv6 policies.
Log Violation Traffic
Select to log violation traffic.
This option is available when the Action is DENY.
Log Traffic
Select one of the following options:
• No Log
• Log Security Events
• Log All Sessions
When Log Security Events or Log All Sessions is selected, you can select to generate logs when the session starts and to capture packets.
This option is available when the Action is ACCEPT or IPSEC.
NAT
Select to enable NAT.
If enabled, select Use Destination Interface Address or Dynamic IP Pool,
and select Fixed Port if required. If Dynamic IP Pool is selected, select
pools from the object selector pane.
This option is available when the Action is ACCEPT, and when NGFW
Mode is Profile-based; see Create new policy packages on page 209.
VPN Tunnel
Select a VPN tunnel dynamic object from the dropdown list. Select to allow
traffic to be initiated from the remote site.
This option is available when the Action is IPSEC.
Security Profiles
Select to add security profiles or profile groups.
This option is available when the Action is ACCEPT or IPSEC.
The following profile types can be added:
• AntiVirus Profile
• Web Filter Profile
• Application Control
• IPS Profile
• Email Filter Profile
• DLP Sensor
• VoIP Profile
• ICAP Profile
• SSL/SSH Inspection
• Web Application Firewall
• DNS Filter
• CASI
• Proxy Options
• Profile Group (available when Use Security Profile Group is selected)
Shared Shaper
Select traffic shapers.
This option is available if the Action is ACCEPT or IPSEC.
Reverse Shaper
Select traffic shapers.
This option is available if the Action is ACCEPT or IPSEC and at least
one forward traffic shaper is selected.
Per-IP Shaper
Select per IP traffic shapers.
This option is available if the Action is ACCEPT or IPSEC.
Description
Add a description of the policy, such as its purpose, or the changes that
have been made to it.
Advanced Options
Configure advanced options, see Advanced options below.
For more information on advanced option, see the FortiOS CLI Reference.
6. Click OK to create the policy. You can select to enable or disable the policy in the right-click menu. When disabled,
a disabled icon will be displayed in the Seq.# column to the left of the number.
Advanced options
auth-cert
HTTPS server certificate for policy authentication (IPv4 only). Default: none.
auth-path
Enable or disable authentication-based routing (IPv4 only). Default: disable.
auth-redirect-addr
HTTP-to-HTTPS redirect address for firewall authentication (IPv4 only). Default: none.
auto-asic-offload
Enable or disable policy traffic ASIC offloading. Default: enable.
block-notification
Enable or disable block notification (IPv4 only). Default: disable.
captive-portal-exempt
Enable or disable exemption of captive portal (IPv4 only). Default: disable.
custom-log-fields
Select the custom log fields from the dropdown list. Default: none.
delay-tcp-npu-session
Enable or disable TCP NPU session delay in order to guarantee packet order of 3-way handshake (IPv4 only). Default: disable.
diffserv-forward
Enable or disable application of the differentiated services code point (DSCP) value to the DSCP field of forward (original) traffic. Default: disable.
diffserv-reverse
Enable or disable application of the DSCP value to the DSCP field of reverse (reply) traffic. If enabled, also configure diffservcode-rev. Default: disable.
diffservcode-forward
Type the DSCP value that the FortiGate unit will apply to the field of originating (forward) packets. The value is 6 bits binary. The valid range is 000000-111111. Default: 000000.
diffservcode-rev
Type the DSCP value that the FortiGate unit will apply to the field of reply (reverse) packets. The value is 6 bits binary. The valid range is 000000-111111. Default: 000000.
disclaimer
Enable or disable user authentication disclaimer (IPv4 only). Default: disable.
dsri
Enable or disable DSRI (Disable Server Response Inspection). Default: disable.
dstaddr-negate
Enable or disable negated destination address match. Default: disable.
firewall-session-dirty
Packet session management, either check-all or check-new. Default: check-all.
fsso
Enable or disable FSSO (IPv4 only). Default: disable.
fsso-agent-for-ntlm
Select the FSSO agent for NTLM from the dropdown list (IPv4 only). Default: none.
identity-based-route
Name of identity-based routing rule (IPv4 only). Default: none.
learning-mode
Enable or disable learning mode for policy (IPv4 only). Default: disable.
match-vip
Enable or disable match DNATed packet (IPv4 only). Default: disable.
natinbound
Enable or disable policy NAT inbound. Default: disable.
natip
Type the NAT IP address in the text field (IPv4 only). Default: 0.0.0.0.
natoutbound
Enable or disable policy NAT outbound. Default: disable.
ntlm
Enable or disable NTLM authentication (IPv4 only). Default: disable.
ntlm-enabled-browsers
Type a value in the text field (IPv4 only). Default: none.
ntlm-guest
Enable or disable NTLM guest (IPv4 only). Default: disable.
outbound
Enable or disable policy outbound. Default: disable.
permit-any-host
Enable to accept UDP packets from any host (IPv4 only). Default: disable.
permit-stun-host
Enable to accept UDP packets from any STUN host (IPv4 only). Default: disable.
redirect-url
URL redirection after disclaimer/authentication (IPv4 only). Default: none.
replacemsg-override-group
Specify authentication replacement message override group. Default: none.
rsso
Enable or disable RADIUS Single Sign-On. Default: disable.
rtp-addr
Select the RTP address from the dropdown list (IPv4 only). Default: none.
rtp-nat
Enable to apply source NAT to RTP packets received by the firewall policy (IPv4 only). Default: disable.
scan-botnet-connections
Enable or disable scanning of connections to Botnet servers (IPv4 only). Default: disable.
schedule-timeout
Enable to force session to end when policy schedule end time is reached (IPv4 only). Default: disable.
send-deny-packet
Enable to send a packet in reply to denied TCP, UDP or ICMP traffic. Default: disable.
service-negate
Enable or disable negated service match. Default: disable.
session-ttl
Type a value for the session time-to-live (TTL) from 300 to 604800, or type 0 for no limitation. Default: 0.
srcaddr-negate
Enable or disable negated source address match. Default: disable.
ssl-mirror
Enable or disable SSL mirror. Default: disable.
ssl-mirror-intf
Mirror interface name. Default: none.
tags
Applied object tags. Default: none.
tcp-mss-receiver
Type a value for the receiver’s TCP MSS. Default: 0.
tcp-mss-sender
Type a value for the sender’s TCP MSS. Default: 0.
timeout-send-rst
Enable sending a TCP reset when an application session times out. Default: disable.
vlan-cos-fwd
Type the VLAN forward direction user priority. Default: 255.
vlan-cos-rev
Type the VLAN reverse direction user priority. Default: 255.
wanopt
Enable or disable WAN optimization (IPv4 only). Default: disable.
wanopt-detection
WAN optimization auto-detection mode (IPv4 only). Default: active.
wanopt-passive-opt
WAN optimization passive mode options. This option decides what IP address will be used to connect to the server (IPv4 only). Default: default.
wanopt-peer
WAN optimization peer (IPv4 only). Default: none.
wanopt-profile
WAN optimization profile (IPv4 only). Default: none.
wccp
Enable or disable Web Cache Communication Protocol (WCCP) (IPv4 only). Default: disable.
webcache
Enable or disable web cache (IPv4 only). Default: disable.
webcache-https
Enable or disable web cache for HTTPS (IPv4 only). Default: disable.
wsso
Enable or disable WiFi Single Sign-On (IPv4 only). Default: enable.
NAT policies
Use NAT46 policies for IPv6 environments where you want to expose certain services to the public IPv4 Internet.
You will need to configure a virtual IP to permit the access.
Use NAT64 policies to perform network address translation (NAT) between an internal IPv6 network and an
external IPv4 network.
The NAT46 Policy tab allows you to create, edit, delete, and clone NAT46 policies. The NAT64 Policy tab allows
you to create, edit, delete, and clone NAT64 policies.
On the Policy & Objects pane, from the Tools menu, select Display Options, and
then select the NAT46 Policy and NAT64 Policy checkboxes to display these options.
To create a NAT46 or NAT64 policy:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Policy Packages.
3. In the tree menu for the policy package, click NAT46 Policy or NAT64 Policy.
4. Click Create New, or, from the Create New menu, select Insert Above or Insert Below. By default, policies will be added to the bottom of the list. The Create New Policy pane opens.
5. Configure the following settings, then click OK to create the policy:
Incoming Interface
Click the field then select interfaces from the object selector pane.
Outgoing Interface
Select outgoing interfaces.
Source Address
Select source addresses.
Destination Address
Select destination addresses, address groups, virtual IPs, and virtual
IP groups.
Service
Select services and service groups.
Schedule
Select schedules, one time or recurring, and schedule groups.
Action
Select an action for the policy to take: ACCEPT, or DENY.
Log Allowed Traffic
Select to log allowed traffic.
NAT
NAT is enabled by default for this policy type when the Action is ACCEPT.
Use Destination Interface Address is selected by default. Select Fixed
Port if required.
Traffic Shaping
Select traffic shapers.
This option is available if the Action is ACCEPT.
Reverse Traffic Shaping
Select traffic shapers.
This option is available if at least one forward traffic shaper is selected.
Per-IP Traffic Shaping
Select per IP traffic shapers.
This option is available if the Action is ACCEPT.
Description
Add a description of the policy, such as its purpose, or the changes that
have been made to it.
Advanced Options
permit-any-host
Enable to accept UDP packets from any host.
tags
Applied object tags.
tcp-mss-receiver
Type a value for the receiver’s TCP MSS.
tcp-mss-sender
Type a value for the sender’s TCP MSS.
Proxy policy
This section describes how to create web, FTP, and WAN Opt proxy policies.
On the Policy & Objects pane, go to Tools > Display Options, and then select the
Proxy Policy checkbox in the Policy section to display this option.
To create a new proxy policy:
1. Go to Policy & Objects > Policy Packages.
2. In the tree menu for the policy package in which you will be creating the new policy, select Proxy Policy.
3. Click Create New, or, from the Create New menu, select Insert Above or Insert Below. By default, policies will be added to the bottom of the list. The Create New Policy pane opens.
4. Enter the following information, then click OK to create the policy:
Explicit Proxy Type
Select the explicit proxy type: Explicit Web, Transparent Web, FTP, or
WAN Opt.
Incoming Interface
Select incoming interfaces from the object selector pane.
This option is only available when the proxy type is set to Transparent
Web.
Outgoing Interface
Select outgoing interfaces from the object selector pane.
Source
Select source addresses from the object selector pane.
Destination
Select destination addresses, address groups, virtual IPs, and virtual IP
groups from the object selector pane.
Schedule
Select schedules, one time or recurring, and schedule groups from the
object selector pane.
Action
Select an action for the policy to take: Deny, Accept, or Redirect.
Redirect is only available when the proxy type is set to Explicit Web, or
Transparent Web.
Log Violation Traffic
Select to log violation traffic.
This option is available when the Action is Deny.
Log Traffic
Select one of the following options:
• No Log
• Log Security Events
• Log All Sessions
When Log All Sessions is selected, you can select to generate logs when the session starts.
This option is available when the Action is Accept.
Disclaimer Options
Set the Display Disclaimer: Disable, By Domain, By Policy, or By User.
Optionally, select a custom message in the Customize Messages field if
not disabled.
These options are available when the Action is Accept.
Security Profiles
Select to add security profiles or profile groups.
The following profile types can be added:
• Antivirus Profile
• Web Filter Profile - not available when the proxy type is set to FTP
• Application Control - not available when the proxy type is set to FTP
• CASI - not available when the proxy type is set to FTP
• IPS Profile - not available when the proxy type is set to FTP
• DLP Sensor
• ICAP - not available when the proxy type is set to FTP
• Web Application Firewall - not available when the proxy type is set to FTP
• Proxy Options
• SSL/SSH Inspection
• Profile Group (available when Use Security Profile Group is selected)
This option is available when the Action is Accept.
Redirect URL
Enter the redirect URL.
This option is only available when the Action is Redirect.
Web Proxy Forwarding
Server
Select a web proxy forwarding server from the dropdown list.
This option is not available when the proxy type is set to FTP.
Description
Add a description of the policy, such as its purpose, or the changes that
have been made to it.
Advanced Options
Configure advanced options, see Advanced options below.
For more information on advanced option, see the FortiOS CLI Reference.
Advanced options
dstaddr-negate
Enable or disable negated destination address match. Default: disable.
global-label
Enter a global label. Default: none.
internet-service-negate
Enable or disable negated internet service. Default: disable.
label
Enter a label. Default: none.
poolname
Select a firewall IP pool from the dropdown list. Default: none.
scan-botnet-connections
Enable or disable scanning of connections to Botnet servers. Default: disable.
service-negate
Enable or disable negated service match. Default: disable.
srcaddr-negate
Enable or disable negated source address match. Default: disable.
tags
Applied object tags. Default: none.
transparent
Use IP address of client to connect to server. Default: disable.
webcache
Enable or disable web cache. Default: disable.
webcache-https
Enable or disable web cache for HTTPS. Default: disable.
webproxy-profile
Select a webproxy profile from the dropdown list. Default: none.
Central SNAT
The Central SNAT (Secure NAT) table enables you to define and control (with more granularity) the address
translation performed by the FortiGate unit. With the NAT table, you can define the rules which dictate the source
address or address group, and which IP pool the destination address uses.
While similar in functionality to IP pools, where a single address is translated to an alternate address from a range
of IP addresses, with IP pools there is no control over the translated port. When using the IP pool for source NAT,
you can define a fixed port to guarantee the source port number is unchanged. If no fixed port is defined, the port
translation is randomly chosen by the FortiGate unit. With the central NAT table, you have full control over both
the IP address and port translation.
The FortiGate unit reads the NAT rules in a top-down methodology, until it hits a matching rule for the incoming
address. This enables you to create multiple NAT policies that dictate which IP pool is used based on the source
address. The NAT policies can be rearranged within the policy list as well. NAT policies are applied to network
traffic after a security policy.
The Central SNAT table allows you to create, edit, delete, and clone central SNAT entries.
Central SNAT does not support Section View.
Central NAT must be enabled, or NGFW Mode must be set to Policy-based, when
creating or editing the policy package for this option to be available in the tree menu.
See Create new policy packages on page 209.
To create a new central SNAT entry:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Policy Packages.
3. In the tree menu for the policy package, click Central SNAT.
4. Click Create New, or, from the Create New menu, select Insert Above or Insert Below. By default, policies will be added to the bottom of the list. The Create New Central SNAT pane opens.
5. Configure the following settings, then click OK to create the policy:
Original Address
Select the original address from the object selector pane.
Destination Address
Select the destination address from the object selector pane.
IP Pool
Select the IP pool from the object selector pane.
Protocol
Enter the protocol number, from 0 to 255.
Original Port
Enter the original port number, from 0 to 65535.
NAT Port
Enter the NAT port number, from 0 to 65535.
Advanced Options
action
Select an action, either Permit (default), or Deny.
dstintf
Select a destination interface from the dropdown list.
srcintf
Select a source interface from the dropdown list.
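The top-down evaluation of the central SNAT table described above, as an added Python model that is not part of the guide or Fortinet's code. Rule fields follow the Create New Central SNAT settings listed above; rule names, addresses, pools, packets and the pool-address selection are constructed for the example, and it also shows how rule order changes which rule fires.

```python
"""
Added example, not from the FortiManager guide or Fortinet's code: a model of
how a central SNAT table is evaluated.  Rules are read top-down and the first
rule whose original address, destination address, protocol, original port and
interfaces all match decides the outcome: deny, or translate the source to an
address from the rule's IP pool, using the configured NAT port.  Rule fields
mirror the Create New Central SNAT settings; all addresses, pools and packets
are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class SnatRule:
    name: str
    orig_addr: str                     # Original Address (CIDR)
    dst_addr: str                      # Destination Address (CIDR)
    ip_pool: list                      # IP Pool: translated source addresses
    protocol: int = 0                  # Protocol number; 0 = any (constructed convention)
    orig_port: Optional[int] = None    # Original (source) Port; None = any
    nat_port: Optional[int] = None     # NAT Port; None = not fixed by this rule
    action: str = "permit"             # Advanced Options > action: permit or deny
    srcintf: str = "any"               # Advanced Options > srcintf
    dstintf: str = "any"               # Advanced Options > dstintf


@dataclass
class Packet:
    src: str
    dst: str
    protocol: int
    sport: int
    srcintf: str = "any"
    dstintf: str = "any"


def rule_matches(rule: SnatRule, pkt: Packet) -> bool:
    """True when every field the rule constrains matches the packet."""
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.orig_addr)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst_addr)
            and rule.protocol in (0, pkt.protocol)
            and rule.orig_port in (None, pkt.sport)
            and rule.srcintf in ("any", pkt.srcintf)
            and rule.dstintf in ("any", pkt.dstintf))


def apply_central_snat(rules: list, pkt: Packet) -> tuple:
    """Top-down evaluation: the first matching rule wins and later rules are
    never consulted.  Returns (outcome, new_src, new_sport, rule_name) where
    outcome is 'nat', 'deny' or 'no-match'."""
    for rule in rules:
        if not rule_matches(rule, pkt):
            continue
        if rule.action == "deny":
            return "deny", pkt.src, pkt.sport, rule.name
        # Pick a pool address deterministically from the original source
        # (constructed choice; the real unit's pool selection is its own).
        pool_ip = rule.ip_pool[int(ipaddress.ip_address(pkt.src)) % len(rule.ip_pool)]
        # With no NAT Port configured the unit chooses the port itself; the
        # model keeps the original port so the result is reproducible.
        new_sport = rule.nat_port if rule.nat_port is not None else pkt.sport
        return "nat", pool_ip, new_sport, rule.name
    return "no-match", pkt.src, pkt.sport, None


# Constructed table.  Note that the deny rule sits below the broad web-out rule.
RULES = [
    SnatRule("web-out", "10.1.0.0/16", "0.0.0.0/0", ["198.51.100.10"], protocol=6),
    SnatRule("sip-fixed-port", "10.1.2.0/24", "0.0.0.0/0", ["198.51.100.20"],
             protocol=17, orig_port=5060, nat_port=5060),
    SnatRule("block-lab", "10.1.9.0/24", "0.0.0.0/0", [], action="deny"),
    SnatRule("catch-all", "10.0.0.0/8", "0.0.0.0/0", ["198.51.100.30", "198.51.100.31"]),
]


def deny_first(rules: list) -> list:
    """Reorder so deny rules are evaluated before permit rules: the same rules
    in a different order, which is what rearranging the policy list does."""
    return ([r for r in rules if r.action == "deny"]
            + [r for r in rules if r.action != "deny"])


if __name__ == "__main__":
    lab = Packet("10.1.9.4", "203.0.113.5", 6, 51000)
    print(apply_central_snat(RULES, lab))              # web-out matches first
    print(apply_central_snat(deny_first(RULES), lab))  # now block-lab fires
```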
Central DNAT
The FortiGate unit checks the NAT table and determines if the destination IP address for incoming traffic must be
changed using DNAT. DNAT is typically applied to traffic from the Internet that is going to be directed to a server
on a network behind the FortiGate device. DNAT means the actual address of the internal network is hidden from
the Internet. This step determines whether a route to the destination address actually exists.
DNAT must take place before routing so that the unit can route packets to the correct destination.
DNAT policies can be created, or imported from Virtual IP (VIP) objects. Virtual servers can also be imported from
ADOM objects to DNAT policies. DNAT policies are automatically added to the VIP object table (Object
Configurations > Firewall Objects > Virtual IPs) when they are created.
VIPs can be edited from either the DNAT or VIP object tables by double-clicking on the VIP, right-clicking on the VIP and selecting Edit, or selecting the VIP and clicking Edit in the toolbar. The network type cannot be changed.
DNAT policies can also be copied, pasted, cloned, and moved from the right-click or Edit menus.
Deleting a DNAT policy does not delete the corresponding VIP object, and a VIP object cannot be deleted if it is in
the DNAT table.
DNAT policies support overlapping IP address ranges; VIPs do not. DNAT policies do not support VIP groups.
Central DNAT does not support Section View.
Central NAT must be enabled when creating or editing the policy package for this
option to be available in the tree menu. See Create new policy packages on page 209.
To create a new central DNAT entry:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Policy Packages.
3. In the tree menu for the policy package, click Central DNAT.
4. Click Create New, or, from the Create New menu, select Insert Above or Insert Below. By default, policies will be added to the bottom of the list. The Create New Virtual IP pane opens.
5. Configure the following settings, then click OK to create the VIP:
Name
Enter a unique name for the DNAT.
Comments
Optionally, enter comments about the DNAT, such as its purpose, or the
changes that have been made to it.
Color
Select a color.
Interface
Select an interface.
Network Type
Select the network type: Static NAT, DNS Translation, or FQDN.
External IP Address/Range
Enter the start and end external IP addresses in the fields. If there is only one address, enter it in both fields.
This option is not available when the network type is FQDN.
Mapped IP Address/Range
Enter the mapped IP address.
This option is not available when the network type is FQDN.
External IP Address
Enter the external IP address.
This option is only available when the network type is FQDN.
Mapped Address
Select the mapped address.
This option is only available when the network type is FQDN.
Source Interface Filter
Select a source interface filter.
Source Address Filter
Enable or disable source address filters. When enabled, multiple filters can
be added using the Add icon.
Port Forwarding
Enable or disable port forwarding.
Protocol
Select the protocol: TCP, UDP, SCTP, or ICMP.
External Service Port
Enter the external service port.
This option is not available when Protocol is ICMP.
Map to Port
Enter the map to port.
This option is not available when Protocol is ICMP.
Enable ARP Reply
Select to enable ARP reply.
Advanced Options
Configure advanced options, see Advanced options below.
For more information on advanced option, see the FortiOS CLI Reference.
Per-Device Mapping
If multiple imported VIP objects have the same name but different details,
the object type will become Dynamic Virtual IP, and the per-device
mappings will be listed here.
Mappings can also be manually added, edited, and deleted as needed.
To import VIPs from the Virtual IP object table:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Policy Packages.
3. In the tree menu for the policy package, click Central DNAT.
4. Click Import in the toolbar. The Import dialog box will open.
5. Select the VIP object or objects that need to be imported. If necessary, use the search box to locate specific
objects.
6. Click OK to import the VIPs to the Central DNAT table.
Advanced options
dns-mapping-ttl
Enter time-to-live for DNS response, from 0 to 604800. 0 means use the DNS server's response time. Default: 0.
gratuitous-arp-interval
Set the time interval between sending of gratuitous ARP packets by a virtual IP. 0 disables this feature. Default: 0.
http-cookie-age
Set how long the browser caches cookies, from 0 to 525600 seconds. Default: 60.
http-cookie-domain
Enter the domain name to restrict the cookie to. Default: none.
http-cookie-domain-from-host
If enabled, when the unit adds a SetCookie to the HTTP(S) response, the Domain attribute in the SetCookie is set to the value of the Host: header, if there is one. Default: disable.
http-cookie-generation
The exact value of the generation is not important, only that it is different from any generation that has already been used. Default: 0.
http-cookie-path
Limit the cookies to a particular path. Default: none.
http-cookie-share
Configure HTTP cookie persistence to control the sharing of cookies across more than one virtual server. The default setting means that any cookie generated by one virtual server can be used by another virtual server in the same virtual domain. Disable to make sure that a cookie generated for a virtual server cannot be used by other virtual servers. Default: same-ip.
http-ip-header-name
Enter a name for the custom HTTP header that the original client IP address is added to. Default: none.
https-cookie-secure
Enable or disable using secure cookies for HTTPS sessions. Default: disable.
id
Custom defined ID. Default: 0.
max-embryonic-connections
The maximum number of partially established SSL or HTTP connections, from 0 to 100000. Default: 1000.
nat-source-vip
Enable to prevent unintended servers from using a virtual IP. Disable to use the actual IP address of the server (or the destination interface if using NAT) as the source address of connections from the server that pass through the device. Default: disable.
outlook-web-access
If enabled, the Front-End-Https: on header is inserted into the HTTP headers, and added to all HTTP requests. Default: disable.
ssl-algorithm
Set the permitted encryption algorithms for SSL sessions according to encryption strength:
• high: permit only high encryption algorithms: AES or 3DES.
• medium: permit high or medium (RC4) algorithms.
• low: permit high, medium, or low (DES) algorithms.
• custom: only allow some preselected cipher suites to be used.
Default: high.
ssl-client-fallback
Enable to prevent Downgrade Attacks on client connections. Default: enable.
ssl-client-renegotiation
Select the SSL secure renegotiation policy:
• allow: allow, but do not require secure renegotiation.
• deny: do not allow renegotiation.
• secure: require secure renegotiation.
Default: allow.
ssl-client-session-state-max
The maximum number of SSL session states to keep for the segment of the SSL connection between the client and the unit, from 0 to 100000. Default: 1000.
ssl-client-session-state-timeout
The number of minutes to keep the SSL session states for the segment of the SSL connection between the client and the unit, from 1 to 14400. Default: 30.
ssl-client-session-state-type
The method to use to expire SSL sessions for the segment of the SSL connection between the client and the FortiGate:
• both: expire SSL session states when either ssl-client-session-state-max or ssl-client-session-state-timeout is exceeded, regardless of which occurs first.
• count: expire SSL session states when ssl-client-session-state-max is exceeded.
• disable: expire all SSL session states.
• time: expire SSL session states when ssl-client-session-state-timeout is exceeded.
Default: both.
ssl-dh-bits
The number of bits used in the Diffie-Hellman exchange for RSA encryption of the SSL connection: 768, 1024, 1536, 2048, 3072, or 4096. Default: 2048.
ssl-http-location-conversion
Enable to replace http with https in the reply’s Location HTTP header field. Default: disable.
ssl-http-match-host
Enable to apply Location conversion to the reply’s HTTP header only if the host name portion of Location matches the request’s Host field or, if the Host field does not exist, the host name portion of the request’s URI. Default: disable.
ssl-max-version
The highest version of SSL/TLS to allow in SSL sessions: ssl-3.0, tls-1.0, tls-1.1, or tls-1.2. Default: tls-1.2.
ssl-min-version
The lowest version of SSL/TLS to allow in SSL sessions: ssl-3.0, tls-1.0, tls-1.1, or tls-1.2. Default: tls-1.0.
ssl-pfs
Select the handling of Perfect Forward Secrecy (PFS) by controlling the cipher suites that can be selected:
• allow: allow use of any cipher suite so PFS may or may not be used depending on the cipher suite selected.
• deny: allow only non-Diffie-Hellman cipher-suites, so PFS is not applied.
• require: allow only Diffie-Hellman cipher-suites, so PFS is applied.
Default: allow.
ssl-send-empty-frags
Enable to precede the record with empty fragments to thwart attacks on CBC IV. Disable this option if SSL acceleration will be used with an old or buggy SSL implementation which cannot properly handle empty fragments. Default: enable.
239
Policy & Objects
Managing policies
Option
Description
Default
ssl-server-algorithm
Set the permitted encryption algorithms for SSL server sessions
according to encryption strength:
l high: permit only high encryption algorithms: AES or 3DES.
client
l
medium: permit high or medium (RC4) algorithms.
l
low: permit high, medium, or low (DES) algorithms.
l
custom: only allow some preselected cipher suites to be used.
ssl-server-max-version
The highest version of SSL/TLS to allow in SSL server sessions:
client, ssl-3.0, tls-1.0, tls-1.1, or tls-1.2.
client
ssl-server-min-version
The lowest version of SSL/TLS to allow in SSL server sessions:
client, ssl-3.0, tls-1.0, tls-1.1, or tls-1.2.
client
ssl-server-sessionstate-max
The maximum number of SSL session states to keep for the segment
of the SSL connection between the client and the unit, from 0 to
100000.
100
ssl-server-sessionstate-timeout
The number of minutes to keep the SSL session states for the
segment of the SSL connection between the client and the unit, from
1 to 14400.
60
ssl-server-sessionstate-type
The method to use to expire SSL sessions for the segment of the SSL
connection between the server and the FortiGate.
l both: expire SSL session states when either ssl-clientsession-state-max or ssl-client-session-statetimeout is exceeded, regardless of which occurs first.
both
l
l
l
count: expire SSL session states when ssl-client-sessionstate-max is exceeded.
disable: expire all SSL session states.
time: expire SSL session states when ssl-client-sessionstate-timeout is exceeded.
weblogic-server
Enable or disable adding an HTTP header to indicate SSL offloading
for a WebLogic server.
disable
websphere-server
Enable or disable adding an HTTP header to indicate SSL offloading
for a WebSphere server.
disable
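As an added example (not code from this guide or from FortiOS), the following Python audits a VIP's ssl-* settings from the option table above against a hardening baseline, filling in the documented default for any option left unset, which is what an unconfigured VIP actually runs with. The baseline values (MIN_TLS, MIN_DH_BITS), the reading of the server-side value client as "reuse the client-side setting", and the three sample VIPs are assumptions constructed for this example.

```python
"""Audit the ssl-* options of a FortiGate virtual IP against a hardening
baseline.

Added example, not code from the FortiManager guide or from FortiOS.  The
option names, value sets and defaults come from the option table; the
baseline (MIN_TLS, MIN_DH_BITS) and the reading of "client" as "inherit the
client-side setting" are assumptions made for this example.
"""

# Protocol versions in the order the ssl-min-version / ssl-max-version
# options list them (lowest first).
VERSION_ORDER = ["ssl-3.0", "tls-1.0", "tls-1.1", "tls-1.2"]

# Documented defaults for the options this audit looks at.
DEFAULTS = {
    "ssl-min-version": "tls-1.0",
    "ssl-max-version": "tls-1.2",
    "ssl-server-min-version": "client",
    "ssl-dh-bits": 2048,
    "ssl-pfs": "allow",
    "ssl-server-algorithm": "client",
    "ssl-send-empty-frags": "enable",
}

# Assumed baseline for this example.
MIN_TLS = "tls-1.1"
MIN_DH_BITS = 2048


def version_rank(version):
    """Position of a protocol version in VERSION_ORDER (higher is newer)."""
    return VERSION_ORDER.index(version)


def audit_vip(name, settings):
    """Return a list of findings for one VIP; an empty list passes.

    `settings` maps option name to value; options not given take the
    documented default, exactly as an unconfigured VIP would."""
    cfg = {**DEFAULTS, **settings}
    findings = []

    min_v, max_v = cfg["ssl-min-version"], cfg["ssl-max-version"]
    if version_rank(min_v) < version_rank(MIN_TLS):
        findings.append(f"{name}: ssl-min-version {min_v} admits legacy "
                        f"protocol versions; set {MIN_TLS} or later")
    if version_rank(max_v) < version_rank(min_v):
        findings.append(f"{name}: ssl-max-version {max_v} is below "
                        f"ssl-min-version {min_v}; no version can be negotiated")

    if int(cfg["ssl-dh-bits"]) < MIN_DH_BITS:
        findings.append(f"{name}: ssl-dh-bits {cfg['ssl-dh-bits']} is a weak "
                        f"Diffie-Hellman group; use {MIN_DH_BITS} or more")

    if cfg["ssl-pfs"] != "require":
        findings.append(f"{name}: ssl-pfs {cfg['ssl-pfs']} permits non-DH "
                        "cipher suites; set require to enforce PFS")

    if cfg["ssl-server-algorithm"] in ("medium", "low"):
        findings.append(f"{name}: ssl-server-algorithm "
                        f"{cfg['ssl-server-algorithm']} permits RC4/DES toward "
                        "the backend server; set high")

    if cfg["ssl-send-empty-frags"] != "enable":
        findings.append(f"{name}: ssl-send-empty-frags disabled; CBC IV "
                        "mitigation is off")

    # Server side: "client" is taken here (assumption) to mean the
    # client-side value is reused, so the same floor applies.
    server_min = cfg["ssl-server-min-version"]
    if server_min == "client":
        server_min = min_v
    if version_rank(server_min) < version_rank(MIN_TLS):
        findings.append(f"{name}: ssl-server-min-version resolves to "
                        f"{server_min}; set {MIN_TLS} or later")
    return findings


# Constructed sample VIPs: one on documented defaults, one hardened, one
# deliberately weak.
SAMPLE_VIPS = {
    "vip-defaults": {},
    "vip-hardened": {"ssl-min-version": "tls-1.2", "ssl-dh-bits": 3072,
                     "ssl-pfs": "require", "ssl-server-algorithm": "high"},
    "vip-legacy": {"ssl-min-version": "ssl-3.0", "ssl-max-version": "tls-1.0",
                   "ssl-dh-bits": 1024, "ssl-pfs": "deny",
                   "ssl-server-algorithm": "low",
                   "ssl-send-empty-frags": "disable"},
}


def audit_all(vips=SAMPLE_VIPS):
    """Audit every VIP; returns {name: [findings]}."""
    return {name: audit_vip(name, cfg) for name, cfg in vips.items()}


if __name__ == "__main__":
    for vip_name, vip_findings in audit_all().items():
        print(vip_name, "OK" if not vip_findings else "")
        for finding in vip_findings:
            print("  -", finding)
```

Run as a script it prints one line per VIP; audit_all() returns the same findings as data, which is the shape you want when checking every VIP exported from a policy package. Note that a VIP left entirely on the documented defaults still produces findings, because tls-1.0 and ssl-pfs allow are the defaults.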
DoS policy
The IPv4 DoS Policy and IPv6 DoS Policy panes allow you to create, edit, delete, and clone DoS policies.
On the Policy & Objects pane, from the Tools menu, select Display Options, and then select the IPv4 DoS Policy and IPv6 DoS Policy checkboxes to display these options.
To create a DoS policy:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Policy Packages.
3. In the tree menu for the policy package, click IPv4 DoS Policy or IPv6 DoS Policy.
4. Click Create New, or, from the Create New menu, select Insert Above or Insert Below. By default, policies will be added to the bottom of the list. The Create New Policy pane opens.
5. Configure the following settings, then click OK to create the policy:
Incoming Interface
Select the incoming interface from the object selector pane.
Source Address
Select the source address from the object selector pane.
Destination Address
Select the destination address from the object selector pane.
Service
Select the service from the object selector pane.
L3 Anomalies and L4 Anomalies
For each anomaly, select to enable the DoS status and logging, select the action to pass, block or proxy, and configure the threshold. The default thresholds are:
L3 Anomalies
- ip_src_session: 5000
- ip_dst_session: 5000
L4 Anomalies
- tcp_syn_flood: 2000
- tcp_port_scan: 1000
- tcp_src_session: 5000
- tcp_dst_session: 5000
- udp_flood: 2000
- udp_scan: 2000
- udp_src_session: 5000
- udp_dst_session: 5000
- icmp_flood: 250
- icmp_sweep: 100
- icmp_src_session: 300
- icmp_dst_session: 1000
- sctp_flood: 2000
- sctp_scan: 1000
- sctp_src_session: 5000
- sctp_dst_session: 5000
Interface policy
The IPv4 Interface Policy and IPv6 Interface Policy panes allow you to create, edit, delete, and clone interface
policies.
On the Policy & Objects pane, from the Tools menu, select Display Options, and
then select the IPv4 Interface Policy and IPv6 Interface Policy checkboxes to display
these options.
To create a new interface policy:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Policy Packages.
3. In the tree menu for the policy package, click IPv4 Interface Policy or IPv6 Interface Policy.
4. Click Create New, or, from the Create New menu, select Insert Above or Insert Below. By default, policies will be added to the bottom of the list. The Create New Policy pane opens.
5. Configure the following settings, then click OK to create the policy:
Source Interface
Select the source zone from the object selector pane.
Source Address
Select the source address from the object selector pane.
Destination Address
Select the destination address from the object selector pane.
Service
Select the service from the object selector pane.
Log Traffic
Select the traffic to log: No Log, Log Security Events, or Log All Sessions.
AntiVirus Profile
Select to enable antivirus and select the profile from the dropdown list.
Web Filter Profile
Select to enable Web Filter and select the profile from the dropdown list.
Application Control
Select to enable Application Control and select the profile from the
dropdown list.
IPS Profile
Select to enable IPS and select the profile from the dropdown list.
Email Filter Profile
Select to enable Email Filter and select the profile from the dropdown list.
DLP Sensor
Select to enable DLP Sensor and select the profile from the dropdown list.
Advanced Options
comments
Add comments about the policy.
dsri
Enable or disable DSRI (Disable Server Response Inspection).
scan-botnet-connections
Enable or disable scanning of connections to Botnet servers.
Multicast policy
Multicasting consists of using a single source to send data to many receivers simultaneously, while conserving
bandwidth and reducing network traffic. For information about multicasting, see the FortiOS Handbook available
in the Fortinet Document Library.
On the Policy & Objects pane, from the Tools menu, select Display Options, and then select the Multicast Policy checkbox to display this option.
To create a new multicast policy:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Policy Packages.
3. In the tree menu for the policy package, click Multicast Policy.
4. Click Create New, or, from the Create New menu, select Insert Above or Insert Below. By default, policies will be added to the bottom of the list. The Create New Policy pane opens.
5. Configure the following settings, then click OK to create the policy:
Incoming Interface
Click in the field and select incoming interfaces from the multicast interface
list on the object selector pane.
If no multicast interfaces are configured, click the Create New Object
button to open the Create New Dynamic Multicast Interface window, and
then create a new multicast interface.
Outgoing Interface
Click in the field and select outgoing interfaces from the multicast interface
list on the object selection pane.
If no multicast interfaces are configured, one must be created.
Source Address
Click the field and select the source firewall addresses from the object
selection pane.
Source NAT
Enable source NAT.
Source NAT Address
Enter the source NAT IP address.
Destination Interface
Click the field and select the destination firewall addresses from the object
selection pane.
Destination NAT
Enter the destination NAT IP address.
Protocol Option
Select a protocol option from the dropdown list: ANY, ICMP, IGMP, TCP, UDP, OSPF, or Others.
Port Range
Set the port range. This option is only available when Protocol Option is
TCP or UDP.
Protocol Number
Enter the protocol number, from 1 to 256. This option is only available
when Protocol Option is Others.
Log Traffic
Select to log traffic.
Advanced Options
Enable or disable auto-asic-offload, and enter the id number.
Local in policy
This section describes how to create new IPv4 and IPv6 Local In policies.
On the Policy & Objects pane, from the Tools menu, select Display Options, and
then select the IPv4 Local In Policy and IPv6 Local In Policy checkboxes to display
these options.
To create a new Local In policy:
1. Ensure that you are in the correct ADOM.
2. Go to Policy & Objects > Policy Packages.
3. In the tree menu for the policy package in which you will be creating the new policy, select IPv4 Local In Policy or
IPv6 Local In Policy.
4. Click Create New, or, from the Create New menu, select Insert Above or Insert Below. By default, policies will be added to the bottom of the list. The Create New Policy pane opens.
5. Enter the following information, then click OK to create the policy:
Interface
Click the field then select an interface from the object selector pane.
Select the remove icon to remove the interface.
New objects can be created by clicking the Create New icon in the object
selector pane. See Create a new object on page 247 for more information.
Source Address
Select source addresses.
Destination Address
Select destination addresses, address groups, virtual IPs, and virtual IP groups.
Service
Select services and service groups.
Schedule
Select schedules, one time or recurring, and schedule groups.
Action
Select an action for the policy to take: ACCEPT or DENY.
HA Management Interface Only
Select to enable. This option is only available for IPv4 policies.
Traffic shaping policy
This section describes how to create new traffic shaping policies.
On the Policy & Objects pane, from the Tools menu, select Display Options, and
then select the Traffic Shaping Policy checkbox to display this option.
To create a traffic shaping policy:
1. Ensure that you are in the correct ADOM.
2. Go to Policy & Objects > Policy Packages.
3. In the tree menu for the policy package in which you will be creating the new policy, select Traffic Shaping Policy.
If you are in the Global Database ADOM, select Traffic Shaping Header Policy or Traffic Shaping Footer Policy.
4. Click Create New, or, from the Create New menu, select Insert Above or Insert Below. By default, policies will be added to the bottom of the list. The Create New Policy pane opens.
5. Enter the following information, then click OK to create the policy:
IP Version
Select the IP address version: IPv4 or IPv6.
Matching Criteria
Source
Select sources from the object selector pane.
Destination
Select destinations.
Service
Select services.
Application Category
Select application categories.
Application
Select applications.
URL Category
Select URL categories.
Users
Select users.
User Groups
Select user groups.
Apply Shaper
Outgoing Interface
Select outgoing interfaces.
Traffic Shaping
Select traffic shapers.
Reverse Traffic Shaping
Select traffic shapers.
Per-IP Traffic Shaping
Select per-IP traffic shapers.
Managing objects and dynamic objects
All objects within an ADOM are managed by a single database unique to that ADOM. Objects inside that
database can include items such as addresses, services, intrusion protection definitions, antivirus signatures,
web filtering profiles, etc.
Many objects now include the option to enable dynamic mapping. You can create new dynamic maps. When this
feature is enabled, a table is displayed which lists the dynamic mapping information. You can also choose to add
the object to groups, when available, and add tags.
When making changes to an object within the object database, changes are reflected immediately within the
policy table in the GUI; no copying to the database is required.
Dynamic objects are used to map a single logical object to a unique definition per device. Addresses, interfaces,
virtual IPs, and an IP pool can all be addressed dynamically.
Not all policy and object options are enabled by default. See Display options on
page 208.
Objects and dynamic objects are managed in the Policy & Objects > Object Configurations pane. The available
objects vary, depending on the specific ADOM selected.
Objects are used to define policies, and policies are assembled into policy packages that you can install on
devices.
Policy packages are managed in the Policy & Objects > Policy Packages pane. When you view a policy in a
policy package, you edit the policy by dragging objects from other columns, policies, or the object selector frame
and dropping the objects in cells in the policy. For more information see Drag and drop objects on page 221.
On the Policy & Objects > Object Configuration pane, you can right-click on an object
to find out where the object is used (Where Used) or to add the object to a group
(Grouping).
FortiManager objects are defined either per ADOM or at a global level. Objects are displayed in the Policy
& Objects > Object Configuration pane.
Create a new object
Objects can be created as global objects, or for specific ADOMs.
To create a new object:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Object Configurations.
3. Select the object type that you will be creating. For example, view the firewall addresses by going to Firewall
Objects > Address.
The firewall address list is displayed in the content pane. The available address or address group lists are
selectable on the content pane toolbar.
4. From the Create New menu, select the type of address. In this example, Address was selected. The New
Address dialog box opens.
In 5.2.0 or later, you can select to add the object to groups and enable dynamic
mapping. These options are not available for all objects.
5. Enter the required information, and click OK to create the new object.
Map a dynamic object
The devices and VDOMs to which a global object is mapped can also be viewed from the object list. In 5.2 or
later, you can add an object to groups and enable dynamic mapping. These options are not available for all
objects.
When the Dynamic Mapping option is available, select Create New to configure the dynamic mapping.
To configure a dynamic mapping via a CLI script, the configuration for the mapping must be defined in the
dynamic object under the config dynamic_mapping sub-tree. The CLI script must be run on a policy package
instead of the device database. For information on running CLI scripts, see Scripts on page 154.
Examples:
Example 1: Dynamic VIP
config firewall vip
    edit "vip1"
        …
        config dynamic_mapping
            edit "FW60CA3911000089"-"root"
                set extintf "any"
                set extip 172.18.26.100
                set mappedip 192.168.3.100
                set arp-reply disable
            next
        end
    next
end
Example 2: Dynamic Address
config firewall address
    edit "address1"
        …
        config dynamic_mapping
            edit "FW60CA3911000089"-"root"
                set subnet 192.168.4.0 255.255.255.0
            next
        end
    next
end
Example 3: Dynamic Interface
config dynamic interface
    …
        config dynamic_mapping
            edit "FW60CA3911000089"-"root"
                set local-intf internal
                set intrazone-deny disable
            next
        end
    next
end
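The three scripts above share one pattern: a per-device block keyed "<serial>"-"<vdom>" under config dynamic_mapping. As an added example (not part of the guide and not FortiManager code), the following Python renders that block for a firewall address across several devices and VDOMs, then parses the result back as a check that every mapping carries a serial/VDOM key and a subnet before the script is run on a policy package. The serial numbers and subnets are constructed sample values.

```python
"""Render and check a FortiManager CLI script that adds per-device dynamic
mappings to a firewall address object, in the config dynamic_mapping form
shown in the examples.

Added example, not code from the guide or from FortiManager.  Device
serial numbers, VDOM names and subnets below are constructed sample data.
"""

import re

# Constructed sample: (serial, vdom) -> (network, netmask) that "address1"
# should resolve to on each managed device.
SAMPLE_MAPPINGS = {
    ("FGVM00SAMPLE000001", "root"): ("10.1.0.0", "255.255.255.0"),
    ("FGVM00SAMPLE000002", "root"): ("10.2.0.0", "255.255.255.0"),
    ("FGVM00SAMPLE000002", "dmz"): ("10.2.50.0", "255.255.255.0"),
}

# Key format used by the script examples: edit "<serial>"-"<vdom>"
MAPPING_KEY = re.compile(r'^edit "([A-Za-z0-9]+)"-"([A-Za-z0-9_-]+)"$')


def render_dynamic_address(name, mappings):
    """Return the CLI script text for one firewall address with mappings."""
    lines = ["config firewall address",
             f'    edit "{name}"',
             "        config dynamic_mapping"]
    for (serial, vdom), (net, mask) in sorted(mappings.items()):
        lines += [f'            edit "{serial}"-"{vdom}"',
                  f"                set subnet {net} {mask}",
                  "            next"]
    lines += ["        end", "    next", "end"]
    return "\n".join(lines) + "\n"


def parse_dynamic_mappings(script):
    """Recover {(serial, vdom): (net, mask)} from a dynamic-address script.

    Raises ValueError on a mapping entry whose key is not in the
    "<serial>"-"<vdom>" form, so a malformed script is caught before it
    is run against a policy package."""
    result = {}
    key = None
    inside = False
    for raw in script.splitlines():
        line = raw.strip()
        if line == "config dynamic_mapping":
            inside = True
        elif inside and line.startswith("edit "):
            match = MAPPING_KEY.match(line)
            if not match:
                raise ValueError(f"malformed mapping key: {line}")
            key = (match.group(1), match.group(2))
        elif inside and line.startswith("set subnet "):
            net, mask = line.split()[2:4]
            result[key] = (net, mask)
        elif inside and line == "next":
            key = None
        elif inside and line == "end":
            inside = False  # leaves the dynamic_mapping sub-tree
    return result


if __name__ == "__main__":
    text = render_dynamic_address("address1", SAMPLE_MAPPINGS)
    print(text)
    assert parse_dynamic_mappings(text) == SAMPLE_MAPPINGS
```

The round trip (render, then parse) is the useful property: a script assembled from an inventory can be checked for missing VDOM names or subnets without touching the FortiManager, and the same parser can be pointed at a hand-written script.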
Map a dynamic device group
When you create and edit a device group, you can choose whether to use the FortiManager ADOM or the
FortiGate device to manage members for the device group.
To create a dynamic device group:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Object Configurations > User & Device > Customer Devices & Groups.
3. From the Create New menu, select Device Group.
4. Complete the following options, and select OK.
Group Name
Type a name for the device group.
Managed on ADOM
Specify whether to use the FortiManager ADOM or the FortiGate device to
manage members for the device group. When you select the Managed on
ADOM checkbox, the FortiManager ADOM manages members for the object,
and you must specify members for the object. When you clear the Manage on
ADOM checkbox, the FortiGate device manages members for the object, and
you must specify members by using FortiGate, not FortiManager.
Members
Select members for the device group.
Comments
(Optional) Type a comment.
Per-Device Mapping
Select to enable dynamic mapping for a device.
Remove an object
To remove an object:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Object Configurations.
3. In the tree menu, select an object type. The content pane displays the objects for the object type.
4. Select the object, and click Delete.
You can delete the object, even when the object is used by a policy. After you delete the object, the policy is
updated to replace the IP address for the object with the word None.
Edit an object
After editing an object in the object database, the changes are immediately reflected within the policy table in the
GUI; no copying to the database is required.
To edit an object:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Object Configurations.
3. In the tree menu, select an object type. The content pane displays the objects for the object type.
4. Select an object, and click Edit.
5. Edit the information as required, and click OK.
Objects can also be edited directly from the policy list and object selector pane by
right-clicking on the object and selecting Edit.
Clone an object
If a new object that you are creating is similar to a previously created object, the new object can be created by
cloning the previous object.
To clone an object:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Object Configurations.
3. In the tree menu, select an object type. The content pane displays the objects for the object type.
4. Right-click an object, and select Clone. The Clone pane is displayed.
5. Adjust the information as required, and click OK to create the new object.
Search objects
The search objects tool allows you to search objects based on keywords.
To dynamically search objects:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Object Configurations.
3. In the tree menu, select an object type. The content pane displays the objects for the object type.
4. In the search box on the right side of the lower content frame toolbar, type a search keyword. The results of the search are updated as you type and displayed in the object list.
Find unused objects
You can find unused objects.
To find unused objects:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects.
3. From the Tools menu, select Unused Objects. The Unused Objects dialog box is displayed.
4. When you are done, click Close.
Find and merge duplicate objects
Duplicate objects have the same definition, but different names. You can find duplicate objects and review them.
You then have the option to merge duplicate objects into one object.
To find duplicate objects:
1. Go to Policy & Objects.
2. From the Tools menu, select Find Duplicate Objects. The Duplicate Objects dialog box is displayed.
3. Review the groups of duplicate objects.
4. Click Merge to merge a group of duplicate objects into one object.
5. When you are done, click Close.
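As an added example (not FortiManager's implementation), the following Python shows the logic behind finding and merging duplicates for firewall address objects: definitions are normalized so that 10.10.1.0/24 and 10.10.1.0 255.255.255.0 compare equal, objects are grouped by that normalized form, and each group is merged into one name with policy references rewritten so that no reference to a removed object survives. The address objects and policies are constructed sample data.

```python
"""Find firewall address objects that share a definition but differ in
name, and merge each group into one object while rewriting policy
references.

Added example, not the FortiManager implementation.  The objects and
policies below are constructed sample data.
"""

import ipaddress
from collections import defaultdict

# Constructed sample objects: name -> definition.  Two pairs are the same
# definition spelled differently.
SAMPLE_ADDRESSES = {
    "web-servers":  {"type": "ipmask", "subnet": "10.10.1.0/24"},
    "WebSrv_Net":   {"type": "ipmask", "subnet": "10.10.1.0 255.255.255.0"},
    "dns-server":   {"type": "ipmask", "subnet": "10.10.2.53/32"},
    "dns_primary":  {"type": "ipmask", "subnet": "10.10.2.53/32"},
    "partner-fqdn": {"type": "fqdn", "fqdn": "partner.example.com"},
}

# Constructed sample policies referencing the objects above.
SAMPLE_POLICIES = [
    {"id": 1, "srcaddr": ["web-servers"], "dstaddr": ["dns-server"]},
    {"id": 2, "srcaddr": ["WebSrv_Net"],
     "dstaddr": ["dns_primary", "partner-fqdn"]},
]


def canonical(defn):
    """Normalize a definition so equivalent spellings compare equal."""
    if defn["type"] == "ipmask":
        # "a.b.c.d mask" and "a.b.c.d/len" both parse as one network.
        net = ipaddress.ip_network(defn["subnet"].replace(" ", "/"), strict=False)
        return ("ipmask", str(net))
    if defn["type"] == "fqdn":
        return ("fqdn", defn["fqdn"].lower().rstrip("."))
    return (defn["type"], tuple(sorted(defn.items())))


def find_duplicates(addresses):
    """Group names by canonical definition; keep only groups with >1 name."""
    groups = defaultdict(list)
    for name, defn in addresses.items():
        groups[canonical(defn)].append(name)
    return {key: sorted(names) for key, names in groups.items() if len(names) > 1}


def merge_duplicates(addresses, policies):
    """Merge each duplicate group into its first sorted name.

    Returns (addresses, policies, rename_map).  Every policy reference to a
    removed name is rewritten, which is what makes the merged object
    database safe to install afterwards."""
    rename = {}
    for names in find_duplicates(addresses).values():
        keep, *drop = names
        for old in drop:
            rename[old] = keep
    new_addresses = {n: d for n, d in addresses.items() if n not in rename}
    new_policies = []
    for pol in policies:
        rewritten = dict(pol)
        for field in ("srcaddr", "dstaddr"):
            seen = []
            for ref in pol[field]:
                new = rename.get(ref, ref)
                if new not in seen:        # two duplicates in one cell collapse
                    seen.append(new)
            rewritten[field] = seen
        new_policies.append(rewritten)
    return new_addresses, new_policies, rename


if __name__ == "__main__":
    for key, names in find_duplicates(SAMPLE_ADDRESSES).items():
        print("duplicate group", key, "->", names)
    addrs, pols, renamed = merge_duplicates(SAMPLE_ADDRESSES, SAMPLE_POLICIES)
    print("renamed:", renamed)
    print("policies after merge:", pols)
```

Which name survives a merge is a policy decision; this example keeps the first sorted name so the result is deterministic, and the returned rename map is what you would review before applying the merge.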
CLI-Only objects
FortiManager 5.2.0 or later adds the ability to configure objects in the GUI which are available only via the
FortiOS command line interface.
FortiToken configuration example
To configure FortiToken objects for FortiToken management:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Object Configurations.
3. Go to User & Device > FortiTokens.
4. Click Create New.
5. Type the serial number or serial numbers of the FortiToken unit or units and click OK. Up to ten serial numbers
can be entered.
6. Go to User & Device > User Definition to create a new user.
7. When creating the new user, select FortiToken, and then select the FortiToken from the dropdown menu.
8. Go to User & Device > User Groups, create a new user group, and add the previously created user to this group.
9. Install a policy package to the FortiGate, as described in Install a policy package on page 212.
10. On the FortiGate, select User > FortiToken. Select one of the newly created FortiTokens, then select OK to
activate the FortiToken unit.
FSSO user groups
FSSO user groups can be retrieved directly from FSSO, from an LDAP server, via a remote FortiGate device, or
by polling the active directory server. Groups can also be entered manually.
To get groups from FSSO:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Object Configurations, and select User & Device > Single Sign-On.
3. Click Create New > Fortinet Single Sign-On Agent from the dropdown list.
4. Enter a unique name for the agent in the Name field.
5. Enter the IP address or name, password, and port number of the FSSO servers in the FSSO Agent field. Add and
remove servers as needed by clicking the Add and Remove icons at the end of the rows.
6. Select From FSSO Agents in the Select FSSO Groups field.
7. Click Apply & Refresh. The Retrieve FSSO User Groups dialog box will open.
8. Click Next. The groups are retrieved from the FSSO.
9. Click OK. The groups can now be used in user groups, which can then be used in policies.
To get groups from an LDAP server:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Object Configurations, and select User & Device > Single Sign-On.
3. Click Create New > Fortinet Single Sign-On Agent from the dropdown list.
4. Enter a unique name for the agent in the Name field.
5. Select an LDAP server from the dropdown list. LDAP Servers can be added and configured from User & Device >
LDAP Servers.
6. Select groups from the Groups tab, then select Add Selected to add the groups.
You can also select Manually Specify in the Select LDAP Groups field, and then manually enter the group
names.
7. Select OK.
To get groups via a remote FortiGate:
The FortiGate device configuration must be synchronized or retrieving the FSSO user
groups will fail. See Checking device configuration status on page 139.
1. Go to Policy & Objects > Object Configurations, and select User & Device > Single Sign-On.
2. Click Create New > Fortinet Single Sign-On Agent from the dropdown list. The Create New Fortinet Single Sign-On Agent window opens.
3. Enter a unique name for the agent in the Name field.
4. Enter the IP address or name, password, and port number of the FSSO servers in the FSSO Agent field. Add and
remove servers as needed by clicking the Add and Remove icons at the end of the rows.
5. Select Via FortiGate in the Select FSSO Groups field.
6. Click Apply & Refresh. The Retrieve FSSO User Groups wizard will open.
7. Click Next to proceed with the wizard.
8. Select the device that the FSSO groups will be imported from. This device must be registered to the
FortiManager, its configuration must be synchronized, and it must be able to communicate with the FSSO server.
9. Click Next. The FSSO agent is installed on the FortiGate, the FortiGate retrieves the groups, and then the groups
are imported to the FortiManager.
10. After the groups have been imported, click Finish. The imported groups will be listed in the User Groups field.
11. Click OK. The groups can now be used in user groups, which can then be used in policies.
You must rerun the wizard to update the group list. It is not automatically updated.
To get groups from AD:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Object Configurations, and select User & Device > Single Sign-On.
3. Click Create New > Poll Active Directory Server from the dropdown list.
4. Configure the server name, local user, password, and polling.
5. Select an LDAP server from the dropdown list. LDAP Servers can be added and configured from User & Device >
LDAP Servers.
6. Select groups from the Groups tab, then select Add Selected to add the groups.
You can also select Manually Specify in the Select LDAP Groups field, and then manually enter the group
names.
7. Select OK.
Interface mapping
After creating an interface on the FortiManager, an interface mapping must be created so that the new interface
can be used when creating policies. To do this, create a new dynamic interface with per-device mapping.
To create a new dynamic interface with per-device mapping:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Object Configurations.
3. Go to Zone/Interface > Interface and click Create New > Dynamic interface.
4. Enter a name and description for the dynamic interface.
5. Turn on Per-Device Mapping.
6. Click Add. The Per-Device Mapping dialog box opens.
7. Select the device or VDOM in the Mapped Device field, select the interface in the Device Interface field, then
click OK.
8. Click OK to create the new dynamic interface object.
The mapped interface can now be used when creating policies.
ADOM revisions
ADOM revision history allows you to maintain a revision of the policy packages, objects, and VPN console
settings in an ADOM. Revisions can be automatically deleted based on given variables, and individual revisions
can be locked to prevent them being automatically deleted.
To configure ADOM revisions, go to Policy & Objects, and click ADOM Revisions.
This page displays the following:
ID
The ADOM revision identifier.
Name
The name of the ADOM revision. This field is user-defined when creating
the ADOM revision.
A green lock icon will be displayed beside the ADOM revision name when
you have selected Lock this revision from auto deletion.
Created by
The administrator that created the ADOM revision.
Created Time
The ADOM revision creation date and time.
Comment
Optional comments typed in the Description field when the ADOM revision
was created.
The following options are available:
Create New
Select to create a new ADOM revision.
Edit
Right-click on a revision in the table and select Edit in the menu to edit the
ADOM revision.
Delete
Right-click on a revision in the table and select Delete in the menu to
delete the ADOM revision.
When Lock this revision from auto deletion is selected, you are not able to
delete the ADOM revision.
Restore
Right-click on a revision in the table and select Restore in the menu to
restore the ADOM revision. Restoring a revision will revert policy packages,
objects and VPN console to the selected version. Select OK to continue.
More > Lock Revision
Right-click on a revision in the table and select Lock from the More menu
to lock this revision from auto deletion.
More > Unlock Revision
Right-click on a revision in the table and select Unlock from the More menu
to unlock this revision. When the ADOM revision is in an unlocked state,
auto deletion will occur in accordance with your auto deletion settings.
View Revision Diff
Right-click on a revision in the table and select View Revision Diff in the
menu. The Summary page will be displayed. This page shows the revision
differences between the selected revision and the current database.
Settings
Select to configure the automatic deletion settings for ADOM revisions.
Close
Select to close the ADOM Revision dialog box and return to the Policy &
Objects tab.
To create a new ADOM revision:
1. Go to Policy & Objects, and click ADOM Revisions. The ADOM Revision dialog box opens.
2. Click Create New. The Create New Revision dialog box opens.
3. Type a name for the revision in the Name field.
4. Optionally, type a description of the revision in the Description field.
5. To prevent the revision from being automatically deleted, select Lock this revision from auto deletion.
6. Click OK to create the new ADOM revision.
To edit an ADOM revision:
1. Open the ADOM Revisions dialog box.
2. Select a revision, and click Edit. The Edit Revision dialog box opens.
3. Edit the revision details as required, then click OK to apply your changes.
To delete ADOM revisions:
1. Open the ADOM Revisions dialog box.
2. Select a revision, and click Delete.
You can select multiple revisions by selecting the checkbox beside each revision.
3. Click OK in the confirmation dialog box to delete the selected revision or revisions.
To configure automatic deletion:
1. Open the ADOM Revisions dialog box, and click Settings.
2. Select Auto delete revision to enable automatic deletion of revisions.
3. Select one of the two available options for automatic deletion of revisions:
- Keep last x revisions: Only keep the entered number of revisions, deleting the oldest revision when a new revision is created.
- Delete revisions older than x days: Delete all revisions that are older than the entered number of days.
4. Click OK to apply the changes.
To restore a previous ADOM revision:
1. Open the ADOM Revisions window.
2. Select a revision, and click Restore. A confirmation dialog box will appear.
3. Click OK to continue.
The Restore Revision dialog box opens. Restoring a revision will revert policy packages, objects and VPN
console to the selected version.
4. Click OK to continue.
To lock or unlock an ADOM revision:
1. Open the ADOM Revisions window.
2. Do one of the following:
• Select a revision, and select Lock or Unlock from the More menu.
• Edit the revision, and select or clear the Lock this revision from auto deletion checkbox in the Edit ADOM Revision dialog box.
To view ADOM revision diff:
1. Open the ADOM Revisions window.
2. Select a revision, and click View Revision Diff. The Revision Diffs Between dialog box opens.
This page displays all Global Policy, Policy Package, and Policy Objects changes between the revision
selected and the current database.
3. Select [Details] to view all details on the changes made to policies and objects.
4. You can select to download this information as a CSV file to your management computer.
5. Click Close to return to the ADOM Revisions window.
VPN Manager
Use the VPN Manager pane to enable and use central VPN management. You can view and configure IPsec
VPN and SSL-VPN settings that you can install to one or more devices.
Additional configuration options and shortcuts are available from the right-click context menu. Right-click
different parts of the navigation panes on the GUI page to access these context menus.
The VPN Manager pane includes the following tabs:
IPsec VPN
Displays all defined IPsec VPN communities and associated devices for
the selected ADOM. You can create, monitor, and manage VPN settings.
See IPsec VPN Communities on page 260.
Monitor
Displays a list of IPsec VPN tunnels, and allows you to bring the tunnels up
or down. See Monitoring IPsec VPN tunnels on page 269.
Map View
Displays a world map showing IPsec VPN tunnels. See Map View on
page 269.
SSL-VPN
Create, monitor, and manage SSL-VPN settings. You can also create, edit,
and delete portal profiles for SSL-VPN settings. See SSL VPN on page 279.
Overview
When central VPN management is enabled, you can use the VPN Manager pane to configure IPsec VPN settings
that you can install to one or more devices. The settings are stored as objects in the objects database. You can
then select the objects in policies for policy packages on the Policy & Objects pane. You install the IPsec VPN
settings to one or more devices by installing the policy package to the devices.
You must enable central VPN management to access the settings on the VPN
Manager > IPsec VPN pane. However, you can access the settings on the VPN
Manager > SSL-VPN pane without enabling central VPN management. See Enabling
central VPN management on page 259.
In FortiManager 5.6.0 and later, mixed-mode VPN allows VPNs to be concurrently
configured through VPN Manager and on the FortiGate device in Device Manager.
In versions prior to 5.6.0, central VPN management must be disabled to configure
VPNs in Device Manager.
To create IPsec VPN settings:
1. Enable central VPN management. See Enabling central VPN management on page 259.
2. Create a VPN community, sometimes called a VPN topology. See Creating IPsec VPN communities on page 261.
3. Create a managed gateway. See Creating managed gateways on page 271.
To create SSL-VPN settings:
1. Create custom profiles. See Creating SSL VPN portal profiles on page 283.
Alternately, you can skip this step, and use the default portal profiles.
2. Add an SSL VPN to a device, and select a portal profile. See Creating SSL VPNs on page 280.
To install VPN objects to devices:
1. Plan the VPN security policies. See VPN security policies on page 278.
2. In a policy package, create VPN security policies, and select the VPN settings. See Creating policies on page 219.
3. Edit the installation targets for the policy package to add all of the devices onto which you want to install the
policy-defined VPN settings. See Policy package installation targets on page 215.
4. Install the policy package to the devices. See Install a policy package on page 212.
Enabling central VPN management
You can enable centralized VPN management from the VPN Manager > IPsec VPN pane.
You can also enable centralized VPN management by editing an ADOM. When ADOMs are disabled, you can
enable centralized VPN management by using the System Settings > Dashboard pane.
Regardless of how you enable centralized VPN management, you use the VPN Manager module for centralized
VPN management.
To enable central VPN management:
1. Go to VPN Manager > IPsec VPN.
2. Select Enable.
3. Click OK in the confirmation dialog box.
To enable central VPN management for an ADOM:
1. Ensure that you are in the correct ADOM.
2. Go to System Settings > All ADOMs.
3. Right-click an ADOM, and select Edit.
4. In the Central Management field, select the VPN checkbox.
5. Click OK. Centralized VPN management is enabled for the ADOM.
To enable central VPN management when ADOMs are disabled:
1. Go to System Settings > Dashboard.
2. In the System Information widget, in the VPN Management Mode field, select Change VPN Management
Mode. The Change VPN Management Mode dialog box is displayed.
3. Click OK.
IPsec VPN Communities
You can use the VPN Manager > IPsec VPN pane to create and monitor full-meshed, star, and dial-up
IPsec VPN communities. IPsec VPN communities are also sometimes called VPN topologies.
Managing IPsec VPN communities
Go to VPN Manager > IPsec VPN to manage IPsec VPN communities.
The following options are available:
VPN Community
Select to create a new VPN community, edit the selected VPN community,
or delete the selected VPN community.
Install Wizard
Launch the Install Wizard to install IPsec VPN settings to devices.
Create New
Create a new VPN community. See Creating IPsec VPN communities on
page 261.
Edit
Edit the selected VPN community. See Editing an IPsec VPN community
on page 268.
Delete
Delete the selected VPN community or communities. See Deleting VPN
communities on page 269.
Column Settings
Configure which columns are displayed, or click Reset to Default to reset
the display to the default columns.
Search
Enter a search term to search the communities list.
Configure Gateways
Go to the gateway list for the community. This option is only available from
the right-click menu. See IPsec VPN gateways on page 271.
Add Managed Gateway
Start the VPN Gateway Setup Wizard. This option is only available from
the right-click menu. See Creating managed gateways on page 271.
Creating IPsec VPN communities
You can create one or more IPsec VPN communities. An IPsec VPN community is also sometimes called a
VPN topology. A VPN Topology Wizard is available to help you set up topologies.
After you create the IPsec VPN community, you can create the VPN gateway. See IPsec VPN gateways on
page 271.
To create a new IPsec VPN community:
1. Go to the VPN Manager > IPsec VPN tab.
2. From the VPN Community menu, select Create New, or click Create New in the toolbar.
The VPN Topology Setup Wizard is displayed.
3. Enter a name for the topology in the Name field.
4. Optionally, enter a brief description of the topology in the Description field.
5. Choose a topology type: Full Meshed, Star, or Dial up.
• Full Meshed: Each gateway has a tunnel to every other gateway.
• Star: Each gateway has one tunnel to a central hub gateway.
• Dial up: Some gateways, often mobile users, have dynamic IP addresses and contact the gateway to establish
a tunnel.
6. Click Next.
7. Configure the Authentication and Encryption information for the topology.
8. Click Next.
9. Configure the VPN Zone, IKE Security Phase 1 Advanced Properties, IPsec Security Phase 2 Advanced
Properties, and Advanced Options.
10. Click Next.
11. Review the topology information on the Summary page, then click OK to create the topology.
After you have created the VPN topology, you can create managed and external gateways for the topology.
For descriptions of the options in the wizard, see VPN community settings on
page 262.
VPN community settings
The following table describes the options available in the VPN Topology Setup Wizard and on the Edit VPN
Community page.
Name
Type a name for the VPN topology.
Description
Type an optional description.
Choose VPN Topology
Choose a topology type. Select one of:
• Full Meshed: Each gateway has a tunnel to every other gateway.
• Star: Each gateway has one tunnel to a central hub gateway.
• Dial up: Some gateways, often mobile users, have dynamic IP
addresses and contact the gateway to establish a tunnel.
Authentication
Select Certificates or Pre-shared Key.
When you select Pre-shared Key, FortiGate implements the
Encapsulated Security Payload (ESP) protocol. Internet Key
Exchange (IKE) is performed automatically based on pre-shared keys
or X.509 digital certificates.
Certificates
If you selected Certificates, select a certificate template. Fortinet
provides several default certificate templates. You can also create
certificate templates on the Device Manager > Provisioning
Templates > Certificate Templates pane.
Pre-shared Key
If you selected Pre-shared Key, select Generate or Specify.
When you select Specify, type the pre-shared key that the FortiGate
unit will use to authenticate itself to the remote peer or dialup client
during phase 1 negotiations. You must define the same key at the
remote peer or client. The key must contain at least 6 printable
characters. For optimum protection against currently known attacks,
the key must consist of a minimum of 16 randomly chosen
alphanumeric characters.
Alternatively, you can select to generate a random pre-shared key.
Encryption
Define the IKE Profile. Configure IKE Phase 1 and IKE Phase 2
settings.
IKE Security (Phase 1) Properties
Define the Phase 1 proposal settings.
Encryption / Authentication
Select the encryption and authentication algorithms used to generate
keys for protecting negotiations and add encryption and
authentication algorithms as required.
You need to select a minimum of one and a maximum of three
combinations. The remote peer or client must be configured to use at
least one of the proposals that you define.
Select one of the following symmetric-key encryption algorithms:
• DES: Data Encryption Standard, a 64-bit block algorithm that uses
a 56-bit key.
• 3DES: Triple-DES, in which plain text is encrypted three times by
three keys.
• AES128: A 128-bit block Cipher Block Chaining (CBC) algorithm
that uses a 128-bit key.
• AES192: A 128-bit block Cipher Block Chaining (CBC) algorithm
that uses a 192-bit key.
• AES256: A 128-bit block Cipher Block Chaining (CBC) algorithm
that uses a 256-bit key.
• ARIA128: A 128-bit block size that uses a 128-bit key.
• ARIA192: A 128-bit block size that uses a 192-bit key.
• ARIA256: A 128-bit block size that uses a 256-bit key.
• SEED: A 16-round Feistel network with 128-bit blocks and a 128-bit
key.
Select one of the following authentication message digests to
check the authenticity of messages during phase 1 negotiations:
• MD5: Message Digest 5, the hash algorithm developed by RSA
Data Security.
• SHA1: Secure Hash Algorithm 1, which produces a 160-bit
message digest.
• SHA256: Secure Hash Algorithm 2, which produces a 256-bit
message digest.
• SHA384: Secure Hash Algorithm 2, which produces a 384-bit
message digest.
• SHA512: Secure Hash Algorithm 2, which produces a 512-bit
message digest.
To specify a third combination, use the Add button beside the fields
for the second combination.
IPsec Security (Phase 2) Properties
Define the Phase 2 proposal settings.
When you define phase 2 parameters, you can choose any set of
phase 1 parameters to set up a secure connection for the tunnel and
authenticate the remote peer. Auto Key configuration applies to both
tunnel-mode and interface-mode VPNs.
Encryption / Authentication
Select the encryption and authentication algorithms used to generate
keys for protecting negotiations and add encryption and
authentication algorithms as required.
You need to select a minimum of one and a maximum of three
combinations. The remote peer or client must be configured to use at
least one of the proposals that you define.
It is invalid to set both Encryption and Authentication to NULL.
Select one of the following symmetric-key encryption algorithms:
• NULL: Do not use an encryption algorithm.
• DES: Data Encryption Standard, a 64-bit block algorithm that uses
a 56-bit key.
• 3DES: Triple-DES, in which plain text is encrypted three times by
three keys.
• AES128: A 128-bit block Cipher Block Chaining (CBC) algorithm
that uses a 128-bit key.
• AES192: A 128-bit block Cipher Block Chaining (CBC) algorithm
that uses a 192-bit key.
• AES256: A 128-bit block Cipher Block Chaining (CBC) algorithm
that uses a 256-bit key.
• ARIA128: A 128-bit block size that uses a 128-bit key.
• ARIA192: A 128-bit block size that uses a 192-bit key.
• ARIA256: A 128-bit block size that uses a 256-bit key.
• SEED: A 16-round Feistel network with 128-bit blocks and a 128-bit
key.
Select one of the following authentication message digests to
check the authenticity of messages during phase 2 negotiations:
• NULL: Do not use a message digest.
• MD5: Message Digest 5, the hash algorithm developed by RSA
Data Security.
• SHA1: Secure Hash Algorithm 1, which produces a 160-bit
message digest.
• SHA256: Secure Hash Algorithm 2, which produces a 256-bit
message digest.
• SHA384: Secure Hash Algorithm 2, which produces a 384-bit
message digest.
• SHA512: Secure Hash Algorithm 2, which produces a 512-bit
message digest.
To specify a third combination, use the Add button beside the fields
for the second combination.
VPN Zone
Select to create VPN zones. When enabled, you can select to create
default or custom zones. When disabled, no VPN zones are created.
Create Default Zones
Select to have default zones created for you.
Use Custom Zone
Select to choose what zones to create.
IKE Security Phase 1 Advanced Properties
Diffie Hellman
Group(s)
Select one or more of the following Diffie-Hellman (DH) groups: 2, 5,
14, 15, 16, 17, 18, 19, 20, 21.
At least one of the DH group settings on the remote peer or client
must match one of the selections on the FortiGate unit. Failure to
match one or more DH groups will result in failed negotiations.
Only one DH group is allowed for static and dynamic DNS gateways
in aggressive mode.
Exchange Mode
Select either Aggressive or Main (ID Protection).
The FortiGate unit and the remote peer or dialup client exchange
phase 1 parameters in either Main mode or Aggressive mode. This
choice does not apply if you use IKE version 2, which is available only
for route-based configurations.
• In Main mode, the Phase 1 parameters are exchanged in multiple
rounds with encrypted authentication information.
• In Aggressive mode, the Phase 1 parameters are exchanged in a
single message with authentication information that is not
encrypted.
Although Main mode is more secure, you must select Aggressive
mode if there is more than one dialup Phase 1 configuration for the
interface IP address, and the remote VPN peer or client is
authenticated using an identifier (local ID). Descriptions of the peer
options in this guide indicate whether Main or Aggressive mode is
required.
Key Life
Type the time (in seconds) that must pass before the IKE encryption
key expires. When the key expires, a new key is generated without
interrupting service. The keylife can be from 120 to 172800 seconds.
Dead Peer Detection
Select this checkbox to reestablish VPN tunnels on idle connections
and clean up dead IKE peers if required. You can use this option to
receive notification whenever a tunnel goes up or down, or to keep
the tunnel connection open when no traffic is being generated inside
the tunnel. For example, in scenarios where a dialup client or
dynamic DNS peer connects from an IP address that changes
periodically, traffic may be suspended while the IP address changes.
IPsec Security Phase 2 Advanced Properties
Diffie Hellman
Group(s)
Select one or more of the following Diffie-Hellman (DH) groups: 2, 5,
14, 15, 16, 17, 18, 19, 20, 21.
At least one of the DH group settings on the remote peer or client
must match one of the selections on the FortiGate unit. Failure to
match one or more DH groups will result in failed negotiations.
Only one DH group is allowed for static and dynamic DNS gateways
in aggressive mode.
Replay detection
Select to enable or disable replay detection. Replay attacks occur
when an unauthorized party intercepts a series of IPsec packets and
replays them back into the tunnel.
Perfect forward
secrecy (PFS)
Select to enable or disable perfect forward secrecy (PFS).
Perfect forward secrecy (PFS) improves security by forcing a new
Diffie-Hellman exchange whenever keylife expires.
Key Life
Select the PFS key life. Select Second, Kbytes, or Both from the
dropdown list and type the value in the text field.
Autokey Keep
Alive
Select to enable or disable autokey keep alive.
The phase 2 SA has a fixed duration. If there is traffic on the VPN as
the SA nears expiry, a new SA is negotiated and the VPN switches to
the new SA without interruption. If there is no traffic, the SA expires
and the VPN tunnel goes down. A new SA will not be generated until
there is traffic.
The Autokey Keep Alive option ensures that a new SA is negotiated
even if there is no traffic so that the VPN tunnel stays up.
Auto-Negotiate
Select to enable or disable auto-negotiation.
NAT Traversal
Select the checkbox if a NAT device exists between the local
FortiGate unit and the VPN peer or client. The local FortiGate unit
and the VPN peer or client must have the same NAT traversal setting
(both selected or both cleared) to connect reliably.
Keep-alive Frequency
If NAT traversal is enabled or forced, type a keep-alive frequency setting (10-900 seconds).
Advanced Options
For more information on advanced options, see the FortiOS CLI
Reference.
DPD
Select to enable or disable DPD. You can also choose to set it to on-demand or on-idle.
fcc-enforcement
Enable or disable FCC enforcement.
ike-version
Select the version of IKE to use. This is available only if IPsec
Interface Mode is enabled. For more information about IKE v2, refer
to RFC 4306.
IKE v2 is not available if Exchange Mode is Aggressive. When IKE
Version is set to 2, Mode and XAUTH are not available.
inter-vdom
Enable or disable the inter-vdom setting.
localid-type
Select the local ID type from the dropdown list. Select one of:
• address: IP Address
• asn1dn: ASN.1 Distinguished Name
• auto: Select type automatically
• fqdn: Fully Qualified Domain Name
• keyid: Key Identifier ID
• user-fqdn: User Fully Qualified Domain Name
negotiate-timeout
Enter the negotiation timeout value. The default is 30 seconds.
npu-offload
Enable (default) or disable offloading of VPN session to a network
processing unit (NPU).
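The settings table states a number of constraints that a community must satisfy before it is worth installing: a specified pre-shared key of at least 6 printable characters (16 random alphanumeric characters recommended), one to three proposals per phase, no NULL/NULL phase 2 proposal, DH groups drawn from the listed set, a single DH group in aggressive mode, a phase 1 key life of 120 to 172800 seconds, a NAT-T keep-alive of 10 to 900 seconds, and IKE v2 only in interface mode and never with Aggressive exchange mode. The validator below is an added example, not FortiManager code; its dictionary layout, function names, and the simplification of applying the single-DH-group rule to every aggressive-mode community are assumptions.

```python
"""Check an IPsec VPN community definition against the constraints stated in
the FortiManager 5.6.0 VPN community settings table.

Added example, not FortiManager code: the dict layout and function names are
assumptions; the limits and algorithm lists are the ones the table gives.
"""
import secrets
import string

PHASE1_ENC = {"DES", "3DES", "AES128", "AES192", "AES256",
              "ARIA128", "ARIA192", "ARIA256", "SEED"}
PHASE1_AUTH = {"MD5", "SHA1", "SHA256", "SHA384", "SHA512"}
# Phase 2 additionally accepts NULL on either side, but not on both.
PHASE2_ENC = PHASE1_ENC | {"NULL"}
PHASE2_AUTH = PHASE1_AUTH | {"NULL"}
DH_GROUPS = {2, 5, 14, 15, 16, 17, 18, 19, 20, 21}
PSK_ALPHABET = string.ascii_letters + string.digits


def generate_psk(length=16):
    """Random alphanumeric pre-shared key; 16 is the table's recommended minimum."""
    if length < 16:
        raise ValueError("use at least 16 characters for a generated key")
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def check_psk(psk):
    """Findings for a key entered with Pre-shared Key set to Specify."""
    if len(psk) < 6 or not all(ch.isprintable() for ch in psk):
        return ["error: pre-shared key needs at least 6 printable characters"]
    if len(psk) < 16 or not psk.isalnum():
        return ["warning: pre-shared key is shorter than the recommended "
                "16 random alphanumeric characters"]
    return []


def check_proposals(label, proposals, enc_set, auth_set, allow_null=False):
    """1 to 3 (encryption, authentication) pairs drawn from the offered sets."""
    findings = []
    if not 1 <= len(proposals) <= 3:
        findings.append(f"error: {label} needs 1 to 3 proposals, got {len(proposals)}")
    for enc, auth in proposals:
        if enc not in enc_set:
            findings.append(f"error: {label} encryption {enc!r} is not offered")
        if auth not in auth_set:
            findings.append(f"error: {label} authentication {auth!r} is not offered")
        if allow_null and enc == "NULL" and auth == "NULL":
            findings.append(f"error: {label} proposal NULL/NULL is invalid")
    return findings


def check_dh_groups(label, groups, exchange_mode):
    findings = []
    if not groups or not set(groups) <= DH_GROUPS:
        findings.append(f"error: {label} DH groups must be a non-empty subset of "
                        f"{sorted(DH_GROUPS)}")
    # Table: only one DH group for static/dynamic DNS gateways in aggressive mode.
    # Simplification (assumption): applied to every aggressive-mode community.
    if exchange_mode == "aggressive" and len(groups) > 1:
        findings.append(f"error: {label}: aggressive mode allows a single DH group")
    return findings


def validate_community(c):
    """Return 'error: ...' / 'warning: ...' strings; an empty list means it passes."""
    f = []
    if c["authentication"] == "psk" and c.get("psk_mode") == "specify":
        f += check_psk(c["psk"])
    f += check_proposals("phase1", c["phase1_proposals"], PHASE1_ENC, PHASE1_AUTH)
    f += check_proposals("phase2", c["phase2_proposals"], PHASE2_ENC, PHASE2_AUTH,
                         allow_null=True)
    mode = c["exchange_mode"]
    if mode not in ("main", "aggressive"):
        f.append(f"error: exchange mode must be main or aggressive, got {mode!r}")
    f += check_dh_groups("phase1", c["phase1_dh_groups"], mode)
    f += check_dh_groups("phase2", c["phase2_dh_groups"], mode)
    if not 120 <= c["phase1_keylife"] <= 172800:
        f.append("error: phase 1 key life must be 120 to 172800 seconds")
    if c.get("nat_traversal") and not 10 <= c.get("keepalive", 0) <= 900:
        f.append("error: NAT-T keep-alive frequency must be 10 to 900 seconds")
    if c.get("ike_version") == 2:
        if mode == "aggressive":
            f.append("error: IKE v2 is not available with Aggressive exchange mode")
        if not c.get("interface_mode"):
            f.append("error: ike-version is only available in IPsec Interface Mode")
    return f


# Constructed sample: a community that breaks several of the table's rules.
SAMPLE = {
    "authentication": "psk", "psk_mode": "specify", "psk": "fortinet",
    "phase1_proposals": [("AES256", "SHA256"), ("DES", "MD5")],
    "phase2_proposals": [("NULL", "NULL")],
    "exchange_mode": "aggressive", "ike_version": 2, "interface_mode": True,
    "phase1_dh_groups": [14, 19], "phase2_dh_groups": [14],
    "phase1_keylife": 86400, "nat_traversal": True, "keepalive": 5,
}

if __name__ == "__main__":
    for line in validate_community(SAMPLE):
        print(line)
```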
View IPsec VPN community details
The VPN community information pane includes a quick status bar showing the community settings and the list of
gateways in the community. Gateways can also be managed from this pane. See IPsec VPN gateways on
page 271 for information.
To view IPsec VPN community details:
1. Go to VPN Manager > IPsec VPN.
2. Select a community from the tree menu, or double-click on a community in the content pane. The community
information pane opens.
3. Select All VPN Communities in the tree menu to return to the VPN community list.
Editing an IPsec VPN community
To edit a VPN community, you must be logged in as an administrator with sufficient privileges. The community
name and topology cannot be edited.
To edit IPsec VPN communities:
1. Go to VPN Manager > IPsec VPN.
2. Do one of the following:
• Double-click on a community or select it in the tree menu, then click Edit in the quick status bar or select VPN
Community > Edit.
• Right-click on a community and select Edit from the menu.
• Select a community, then click Edit in the toolbar.
The Edit VPN Community page is displayed.
3. Edit the settings as required, and then select OK to apply the changes.
For descriptions of the settings, see VPN community settings on page 262.
Deleting VPN communities
To delete a VPN community or communities, you must be logged in as an administrator with sufficient privileges.
To delete VPN communities:
1. Go to VPN Manager > IPsec VPN.
2. Do one of the following:
• Select the community in the tree, then select VPN Community > Delete.
• Select the community or communities from the content pane list, then click Delete in the toolbar.
• Select the community or communities from the content pane list, then right-click and select Delete.
3. Select OK in the confirmation box to delete the VPN community or communities.
Monitoring IPsec VPN tunnels
Go to VPN Manager > Monitor to view the list of IPsec VPN tunnels. You can also bring the tunnels up or down
on this pane. Select a specific community from the tree menu to show only that community's tunnels.
To bring tunnels up or down:
1. Go to VPN Manager > Monitor.
2. Find and select the tunnel or tunnels that you need to bring up or down in the list.
3. Click Bring Tunnel Up or Bring Tunnel Down from the toolbar or right-click menu.
4. Select OK in the confirmation dialog box to apply the change.
Map View
The Map View pane shows IPsec VPN connections on an interactive world map (Google Maps). Select a specific
community from the tree menu to show only that community's tunnels.
Hovering the cursor over a connection will highlight the connection and show the gateway, ADOM, and city
names for each end of the tunnel.
The following options are available:
Topology View
The topology view shows the configured VPN gateways. See IPsec VPN
gateways on page 271.
Traffic View
The traffic view shows network traffic through the tunnels between
protected subnets.
Show Table
Select to show the connection table on the bottom of the pane. In the
topology view, this option is only available when a specific community is
selected.
• The topology table shows the VPN gateway list and toolbar, with a
column added for location. See Managing VPN gateways on page 271 for
information.
• The traffic table shows the same information and options as the Monitor
tab. See Monitoring IPsec VPN tunnels on page 269 for information.
Show Tunnel Down Only
Select to show only tunnels that are currently down.
This option is only available on the traffic view.
Refresh
Click to refresh the map view, or click the down arrow and select a refresh
rate from the dropdown menu.
Toggle Full Screen
Click to view the map in full screen mode. Press Esc to return to the
windowed view.
If necessary, the location of a device can be manually configured when editing the
device; see Editing device information on page 134.
IPsec VPN gateways
A VPN gateway functions as one end of a VPN tunnel. It receives incoming IPsec packets, decrypts the
encapsulated data packets, then passes the data packets to the local network. It also encrypts, encapsulates,
and sends the IPsec data packets to the gateway at the other end of the VPN tunnel.
The IP address of a VPN gateway is usually the IP address of the network interface that connects to the Internet.
You can also define a secondary IP address for the interface, and use that address as the local VPN gateway
address, so that your existing setup is not affected by the VPN settings.
Once you have created the IPsec VPN topology, you can create managed and external gateways.
Managing VPN gateways
Go to VPN Manager > IPsec VPN, then select a community from the tree menu, or double-click on a community
in the list, to manage the VPN gateways in that community.
The following options are available:
Create New
Create a new managed or external gateway. See Creating managed
gateways on page 271 and Creating external gateways on page 276 for
more information.
Edit
Edit the selected gateway. See Editing an IPsec VPN gateway on
page 277.
Delete
Delete the selected gateway or gateways. See Deleting VPN gateways on
page 277.
Column Settings
Configure which columns are displayed, or click Reset to Default to reset
the display to the default columns.
Search
Enter a search term to search the gateway list.
Creating managed gateways
The settings available when creating a managed gateway depend on the VPN topology type, and how the
gateway is configured.
Managed gateways are managed by FortiManager in the current ADOM. Devices in a different ADOM can be
treated as external gateways. VPN configuration must be handled manually by the administrator in that ADOM.
See Creating external gateways on page 276.
To create a managed gateway:
1. Go to VPN Manager > IPsec VPN.
2. Select a community from the tree menu, or double-click on a community in the list.
3. On the community information content pane, in the toolbar, select Create New > Managed Gateway.
The VPN Gateway Setup Wizard opens.
4. Proceed through the five pages of the wizard, filling in the following values as required, then click OK to create the
managed gateway.
Protected Subnet
Select a protected subnet from the dropdown list.
Role
Select the role of this gateway: Hub or Spoke.
This option is only available for star and dial up VPN topologies.
Device
Select a device from the dropdown list.
Default VPN Interface
Select the interface to use for this gateway from the dropdown list.
Hub-to-Hub Interface
Select the interface to use for hub to hub communication. This is required if
there are multiple hubs.
This option is only available for star and dial up topologies with the role set
to Hub.
Local Gateway
Enter the local gateway IP address.
Local ID
Enter a local ID.
Routing
Select the routing method: Manual (via Device Manager) or Automatic.
Summary Network(s)
Select the network from the dropdown list and select the priority. Click the
add icon to add more entries.
This option is only available for star and dial up topologies with the role set
to Hub.
Peer Type
Select one of the following:
• Accept any peer ID
• Accept this peer ID: Enter the peer ID in the text field
• Accept a dialup group: Select a group from the dropdown list
A Local ID is an alphanumeric value assigned in the Phase 1 configuration.
The local ID of a peer is called a Peer ID. The Local ID or peer ID can be
used to uniquely identify one end of a VPN tunnel, enabling a more secure
connection. If you have multiple VPN tunnels negotiating, this ensures the
proper remote and local ends connect.
When you configure the ID on your end, it is your local ID. When the
remote end connects to you, they see it as your peer ID. If you are
debugging a VPN connection, the local ID is part of the VPN negotiations.
You can use it to help troubleshoot connection problems.
The default configuration is to accept all local IDs (peer IDs). If your local
ID is set, the remote end of the tunnel must be configured to accept your
ID.
This option is only available for dial up topologies.
XAUTH Type
Select the XAUTH type: Disable, PAP Server, CHAP Server, or AUTO
Server.
This option is only available for dial up topologies.
User Group
Select the authentication user group from the dropdown list.
This field is available when XAUTH Type is set to PAP Server, CHAP
Server, or AUTO Server.
When the FortiGate unit is configured as an XAuth server, enter the user
group to authenticate remote VPN peers. The user group can contain local
users, LDAP servers, and RADIUS servers. The user group must be added
to the FortiGate configuration before the group name can be cross
referenced.
Enable IKE Configuration
Method ("mode config")
Select to enable or disable IKE configuration method.
This option is only available for dial up topologies.
Enable IP Assignment
Select to enable or disable IP assignment.
This option is only available for dial up topologies. When the role is set to
Hub, this option is only available when Enable IKE Configuration Method
is on.
IP Assignment Mode
Select the IP assignment mode: Range or User Group.
This option is only available for dial up topologies with the role set to Hub
and Enable IP Assignment turned on.
IP Assignment Type
Select the IP assignment type: IP or Subnet.
This option is only available for dial up topologies with the role set to Hub
and Enable IP Assignment turned on.
IPv4 Start IP
Enter the IPv4 start IP address.
This option is only available for dial up topologies with the role set to Hub
and Enable IP Assignment turned on.
IPv4 End IP
Enter the IPv4 end IP address.
This option is only available for dial up topologies with the role set to Hub
and Enable IP Assignment turned on.
IPv4 Netmask
Enter the IPv4 netmask.
This option is only available for dial up topologies with the role set to Hub
and Enable IP Assignment turned on.
Add Route
Select to enable or disable adding a route for this gateway.
This option is only available for dial up topologies.
DNS Server #1 to #3
Enter the DNS server IP addresses to provide to IKE Configuration Method
clients.
This option is only available for dial up topologies with the role set to Hub
and either Enable IKE Configuration Method turned on, or DNS Service is
set to Specify.
WINS Server #1 and #2
Enter the WINS server IP addresses to provide to IKE Configuration Method
clients.
This option is only available for dial up topologies with the role set to Hub
and Enable IKE Configuration Method turned on.
IPv4 Split include
Select the address or address group from the dropdown list.
This option is only available for dial up topologies with the role set to Hub
and Enable IKE Configuration Method turned on.
Exclusive IP Range
Enter the start and end IP addresses of the exclusive IP address range.
Click the add icon to add more entries.
This option is only available for dial up topologies with the role set to Hub
and either Enable IKE Configuration Method and Enable IP Assignment
turned on, or Enable IKE Configuration Method turned off.
DHCP Server
Select to enable or disable DHCP server.
This option is only available for dial up topologies with the role set to Hub
and Enable IKE Configuration Method is off.
Default Gateway
Enter the default gateway IP address.
This option is only available for dial up topologies with the role set to Hub
and Enable IKE Configuration Method turned off.
DNS Service
Select Use System DNS setting to use the system's DNS settings, or
Specify to specify DNS servers #1 to #3.
This option is only available for dial up topologies with the role set to Hub
and Enable IKE Configuration Method turned off.
Netmask
Enter the netmask.
This option is only available for dial up topologies with the role set to Hub
and Enable IKE Configuration Method turned off.
IPsec Lease Hold
Enter the IPsec lease hold time.
This option is only available for dial up topologies with the role set to Hub
and Enable IKE Configuration Method turned off.
Administration Guide
Fortinet Technologies Inc.
Auto-Configuration
Select to enable or disable automatic configuration.
This option is only available for dial up topologies with the role set to Hub
and Enable IKE Configuration Method turned off.
DHCP Server IP Range
Enter the start and end IP addresses of the DHCP server range. Click the
add icon to add more entries.
This option is only available for dial up topologies with the role set to Hub
and Enable IKE Configuration Method turned off.
Advanced
authpasswd
Enter the XAuth client password for the FortiGate.
authusr
Enter the XAuth client user name for the FortiGate.
banner
Enter the banner value.
Specify the message to send to IKE Configuration Method clients. Some
clients display this message to users.
dns-mode
Select the DNS mode from the dropdown list:
- auto: Assign DNS servers in the following order:
  1. Servers assigned to interfaces by DHCP
  2. Per-VDOM assigned DNS servers
  3. Global DNS servers
- manual: Use the DNS servers specified in DNS Server #1 to #3.
domain
Enter the domain value.
public-ip
Enter the public IP address.
Use this field to configure a VPN with dynamic interfaces. The value is the
dynamically assigned PPPoE address that remains static and does not
change over time.
route-overlap
Select the route overlap method from the dropdown list: allow, use-new, or
use-old.
spoke-zone
Select a spoke zone from the dropdown list.
unity-support
Enable or disable unity support.
vpn-interfacepriority
Set the VPN gateway interface priority. The default value is 1.
vpn-zone
Select a VPN zone from the dropdown list.
Creating external gateways
External gateways are not managed by the FortiManager device.
To create an external gateway:
1. Go to VPN Manager > IPsec VPN.
2. Select a community from the tree menu, or double-click on a community in the list.
3. On the community information content pane, in the toolbar, select Create New > External Gateway. The New
VPN External Gateway pane opens.
4. Configure the following settings, then click OK to create the external gateway:
Node Type
Select either HUB or Spoke from the dropdown list.
This option is only available for star and dial up VPN topologies.
Gateway Name
Enter the gateway name.
Gateway IP
Select the gateway IP address from the dropdown list.
Hub IP
Select the hub IP address from the dropdown list.
This option is only available for star and dial up topologies with the role set
to Hub.
Create Phase2 per Protected Subnet Pair
Toggle the switch to On to create a phase2 per protected subnet pair.
Routing
Select the routing method: Manual (via Device Manager), or Automatic.
This option is only available for full meshed and star topologies.
Peer Type
Select one of the following:
- Accept any peer ID
- Accept this peer ID: Enter the peer ID in the text field
- Accept a dialup group: Select a group from the dropdown list
A Local ID is an alphanumeric value assigned in the Phase 1 configuration.
The local ID of a peer is called a Peer ID. The Local ID or peer ID can be
used to uniquely identify one end of a VPN tunnel, enabling a more secure
connection. If you have multiple VPN tunnels negotiating, this ensures the
proper remote and local ends connect.
When you configure the ID on your end, it is your local ID. When the
remote end connects to you, they see it as your peer ID. If you are
debugging a VPN connection, the local ID is part of the VPN negotiations.
You can use it to help troubleshoot connection problems.
The default configuration is to accept all local IDs (peer IDs). If your local
ID is set, the remote end of the tunnel must be configured to accept your
ID.
This option is only available for dial up topologies.
Protected Subnet
Select a protected subnet from dropdown list. You can add multiple
subnets.
Local Gateway
Enter the local gateway IP address.
Editing an IPsec VPN gateway
To edit a VPN gateway, you must be logged in as an administrator with sufficient privileges. The gateway role
and device (if applicable) cannot be edited.
To edit IPsec VPN communities:
1. Go to VPN Manager > IPsec VPN.
2. Select a community from the tree menu, or double-click on a community in the list.
3. Double-click on a gateway, right-click on a gateway and then select Edit from the menu, or select the gateway
then click Edit in the toolbar. The Edit VPN Gateway pane opens.
4. Edit the settings as required, and then select OK to apply the changes.
Deleting VPN gateways
To delete a VPN gateway or gateways, you must be logged in as an administrator with sufficient privileges.
To delete VPN gateways:
1. Go to VPN Manager > IPsec VPN.
2. Select a community from the tree menu, or double-click on a community in the list.
3. Select the gateway or gateways you need to delete.
4. Click Delete in the toolbar, or right-click and select Delete.
5. Select OK in the confirmation box to delete the gateway or gateways.
VPN security policies
Once you have defined the IP source and destination addresses, the phase 1 authentication parameters, and the
phase 2 parameters, you must define the VPN security policies.
FortiGate unit VPNs can be policy-based or route-based. There is little difference between the two types. In both
cases, you specify phase 1 and phase 2 settings. However there is a difference in implementation. A route-based
VPN creates a virtual IPsec network interface that applies encryption or decryption as needed to any traffic that it
carries. That is why route-based VPNs are also known as interface-based VPNs. A policy-based VPN is
implemented through a special security policy that applies the encryption you specified in the phase 1 and phase
2 settings.
An IPsec security policy enables the transmission and reception of encrypted packets, specifies the permitted
direction of VPN traffic, and selects the VPN tunnel. In most cases, only a single policy is needed to control both
inbound and outbound IP traffic through a VPN tunnel.
For a route-based VPN, you create two security policies between the virtual IPsec interface and the interface that
connects to the private network. In one policy, the virtual interface is the source. In the other policy, the virtual
interface is the destination. The Action for both policies is Accept. This creates bidirectional policies that ensure
traffic will flow in both directions over the VPN.
For a policy-based VPN, one security policy enables communication in both directions. You must select IPSEC
as the Action and then select the VPN tunnel dynamic object you have mapped to the phase 1 settings. You can
then enable inbound and outbound traffic as needed within that policy, or create multiple policies of this type to
handle different types of traffic differently. For example HTTPS traffic may not require the same level of scanning
as FTP traffic.
Defining policy addresses
A VPN tunnel has two end points. These end points may be VPN peers, such as two FortiGate gateways.
Encrypted packets are transmitted between the end points. At each end of the VPN tunnel, a VPN peer intercepts
encrypted packets, decrypts the packets, and forwards the decrypted IP packets to the intended destination.
You need to define firewall addresses for the private networks behind each peer. You will use these addresses as
the source or destination address depending on the security policy.
In general:
- In a gateway-to-gateway, hub-and-spoke, dynamic DNS, redundant-tunnel, or transparent configuration, you need
  to define a policy address for the private IP address of the network behind the remote VPN peer.
- In a peer-to-peer configuration, you need to define a policy address for the private IP address of a server or host
  behind the remote VPN peer.
Defining security policies
Security policies allow IP traffic to pass between interfaces on a FortiGate unit. You can limit communication to
particular traffic by specifying source and destination addresses. Then only traffic from those addresses will be
allowed.
Policy-based and route-based VPNs require different security policies.
A policy-based VPN requires an IPsec security policy. You specify the interface to the private network, the
interface to the remote peer and the VPN tunnel. A single policy can enable traffic inbound, outbound, or in both
directions.
A route-based VPN requires an Accept security policy for each direction. As source and destination interfaces,
you specify the interface to the private network and the virtual IPsec interface of the VPN. The IPsec interface is
the destination interface for the outbound policy and the source interface for the inbound policy. One security
policy must be configured for each direction of each VPN interface.
If the security policy that grants the VPN connection is limited to certain services, DHCP must be included,
otherwise the client will not be able to retrieve a lease from the FortiGate’s (IPsec) DHCP server because the
DHCP request (coming out of the tunnel) will be blocked.
Before you define the IPsec policy, you must:
- Define the IP source and destination addresses.
- Specify the phase 1 authentication parameters.
- Specify the phase 2 parameters.
- Create a VPN Tunnel dynamic object (policy-based VPNs only).
You must define at least one IPsec policy for each VPN tunnel. If the same remote server or client requires access
to more than one network behind a local FortiGate unit, the FortiGate unit must be configured with an IPsec
policy for each network. Multiple policies may be required to configure redundant connections to a remote
destination or control access to different services at different times.
To ensure a secure connection, the FortiGate unit must evaluate IPSEC policies before ACCEPT and DENY
security policies. Because the FortiGate unit reads policies starting at the top of the list, you must move all IPsec
policies to the top of the list. When you define multiple IPsec policies for the same tunnel, you must reorder the
IPsec policies that apply to the tunnel so that specific constraints can be evaluated before general constraints.
When you define a route-based VPN, you create a virtual IPsec interface on the physical interface that connects
to the remote peer. You create ordinary Accept security policies to enable traffic between the IPsec interface and
the interface that connects to the private network. This makes configuration simpler than for policy-based VPNs,
which require IPsec security policies.
For more information on IPsec VPN, see the FortiOS Handbook in the Fortinet Document Library. See
Managing policies on page 217 for information on creating policies on your FortiManager.
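The three rules above (IPsec policies above Accept/Deny policies, one Accept policy per direction per virtual IPsec interface, and DHCP in any service-restricted policy that grants a dial-up tunnel) are easy to get wrong when a policy package is large. The following Python linter is an added example and not FortiManager or FortiOS code; the policy model, interface names and the sample policy table are constructed for illustration.

```python
"""Lint a FortiGate-style policy list for the ordering and coverage rules
described in the VPN security policies section. Added example: the Policy
model and SAMPLE_POLICIES below are constructed, not FortiManager objects."""
from dataclasses import dataclass


@dataclass
class Policy:
    id: int
    srcintf: str
    dstintf: str
    action: str                               # "accept", "deny" or "ipsec"
    service: frozenset = frozenset({"ALL"})   # "ALL" means unrestricted
    vpntunnel: str = ""                       # policy-based VPNs only


def lint_policy_order(policies):
    """The FortiGate evaluates policies top-down, so every IPSEC policy must
    sit above the first ACCEPT or DENY policy. Returns a list of findings."""
    problems = []
    first_plain = None
    for p in policies:
        if p.action in ("accept", "deny") and first_plain is None:
            first_plain = p.id
        elif p.action == "ipsec" and first_plain is not None:
            problems.append(f"policy {p.id} (IPSEC) is below policy {first_plain}")
    return problems


def reorder_ipsec_first(policies):
    """Move all IPSEC policies to the top, keeping the relative order inside
    each group (specific-before-general ordering is preserved)."""
    ipsec = [p for p in policies if p.action == "ipsec"]
    plain = [p for p in policies if p.action != "ipsec"]
    return ipsec + plain


def lint_route_based_pairs(policies, ipsec_interfaces):
    """A route-based VPN needs one Accept policy in each direction per virtual
    IPsec interface: interface as destination (outbound) and as source (inbound)."""
    problems = []
    for vif in ipsec_interfaces:
        outbound = any(p.action == "accept" and p.dstintf == vif for p in policies)
        inbound = any(p.action == "accept" and p.srcintf == vif for p in policies)
        if not outbound:
            problems.append(f"{vif}: no outbound Accept policy (interface as destination)")
        if not inbound:
            problems.append(f"{vif}: no inbound Accept policy (interface as source)")
    return problems


def lint_dhcp_over_tunnel(policies, dialup_interfaces):
    """When the policy that grants a dial-up tunnel restricts services, DHCP must
    be included, otherwise the client's lease request out of the tunnel is dropped."""
    problems = []
    for p in policies:
        if p.srcintf in dialup_interfaces and p.action == "accept":
            if "ALL" not in p.service and "DHCP" not in p.service:
                problems.append(f"policy {p.id} on {p.srcintf} restricts services without DHCP")
    return problems


def lint_all(policies, route_based_ifaces=(), dialup_ifaces=()):
    """Run every check and return the combined findings."""
    return (lint_policy_order(policies)
            + lint_route_based_pairs(policies, route_based_ifaces)
            + lint_dhcp_over_tunnel(policies, dialup_ifaces))


# Constructed sample table, listed in evaluation (top-down) order.
SAMPLE_POLICIES = [
    Policy(1, "internal", "hq-vpn", "accept"),                    # route-based, outbound
    Policy(2, "hq-vpn", "internal", "accept"),                    # route-based, inbound
    Policy(3, "dialup-vpn", "internal", "accept", frozenset({"HTTPS", "DNS"})),
    Policy(4, "internal", "wan1", "accept"),                      # general internet access
    Policy(5, "internal", "wan1", "ipsec", vpntunnel="branch-tunnel"),  # policy-based VPN
]

if __name__ == "__main__":
    for finding in lint_all(SAMPLE_POLICIES, ["hq-vpn", "dialup-vpn"], ["dialup-vpn"]):
        print("FINDING:", finding)
    print("after reorder:", lint_policy_order(reorder_ipsec_first(SAMPLE_POLICIES)))
```

Running the block reports three findings for the sample table: the IPSEC policy below an Accept policy, the missing outbound Accept policy for dialup-vpn, and the dial-up policy that restricts services without DHCP.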
SSL VPN
You can use the VPN Manager > SSL-VPN pane to create and monitor Secure Sockets Layer (SSL) VPNs. You
can also create and manage SSL VPN portal profiles.
Manage SSL VPNs
Go to VPN Manager > SSL VPN to manage SSL VPNs.
The following options are available:
Add SSL VPN
Create a new SSL VPN with the Create SSL VPN dialog box. See Creating
SSL VPNs on page 280.
Install Wizard
Launch the Install Wizard to install SSL VPN settings to devices.
Create New
Create a new SSL VPN with the Create SSL VPN pane. This option is also
available from the right-click menu. See Creating SSL VPNs on page 280.
Edit
Edit the selected VPN. This option is also available from the right-click
menu. See Editing SSL VPNs on page 282.
Delete
Delete the selected VPN or VPNs. This option is also available from the
right-click menu. See Deleting SSL VPNs on page 282.
Search
Enter a search term to search the VPN list.
Creating SSL VPNs
To create SSL VPNs, you must be logged in as an administrator with sufficient privileges. Multiple VPNs can be
created.
To add SSL-VPN:
1. Go to VPN Manager > SSL-VPN.
2. Click Add SSL VPN, or click Create New in the content toolbar. The Create SSL VPN dialog box or pane is
displayed.
3. Configure the following settings, then click OK to create the VPN.
Device
Select a FortiGate device or VDOM.
Connection Settings
Specify the connection settings.
Listen on Interface(s)
Define the interface the FortiGate will use to listen for SSL VPN tunnel
requests. This is generally your external interface.
Listen on Port
Enter the port number for HTTPS access.
Restrict Access
Allow access from any hosts, or limit access to specific hosts. If limiting
access, select the hosts that have access in the Hosts field.
Idle Logout
Select to enable idle timeout. When enabled, enter the amount of time
that the connection can remain inactive before timing out, from 10 to
28800 seconds (default: 300) in the Inactive For field.
This setting applies to the SSL VPN session. The interface does not
time out when web application sessions or tunnels are up.
Server Certificate
Select the signed server certificate to use for authentication. Alternately,
select a certificate template that is configured to use the FortiManager
CA. See Certificate templates on page 152.
Require Client Certificate
Select to use group certificates for authenticating remote clients. When
the remote client initiates a connection, the FortiGate unit prompts the
client for its client-side certificate as part of the authentication process.
For information on using PKI to provide client certificate authentication,
see the Authentication Guide.
Tunnel Mode Client Settings
Specify tunnel mode client settings. These settings determine how
tunnel mode clients are assigned IP addresses.
Address Range
Either automatically assign address, or specify custom IP ranges.
DNS Server
Select to use the same DNS as the client system, or to specify DNS
servers. Enter up to two DNS servers to be provided for the use of
clients.
Specify WINS Servers
Select to specify WINS servers. Enter up to two WINS servers to be
provided for the use of clients.
Allow Endpoint Registration
Select to allow endpoint registration.
Authentication/Portal Mapping
Select the users and groups that can access the tunnel.
Create New
Create a new authentication/portal mapping entry. Select the
Users/Groups, Realm, and Portal, then click OK.
Edit
Edit the selected mapping.
Delete
Delete the selected mapping or mappings.
Advanced Options
Configure advanced SSL VPN options. For information, see the FortiOS
CLI Reference: http://help.fortinet.com/cli/fos50hlp/56/index.htm.
Editing SSL VPNs
To edit an SSL VPN, you must be logged in as an administrator with sufficient privileges. The device cannot be
edited.
To edit an SSL VPN:
1. Go to VPN Manager > SSL VPN.
2. Double-click on a VPN, right-click on a VPN and then select Edit from the menu, or select the VPN then click Edit
in the toolbar. The Create SSL VPN pane opens.
3. Edit the settings as required, and then select OK to apply the changes.
Deleting SSL VPNs
To delete an SSL VPN or VPNs, you must be logged in as an administrator with sufficient privileges.
To delete SSL VPNs:
1. Go to VPN Manager > SSL VPN.
2. Select the VPN or VPNs you need to delete.
3. Click Delete in the toolbar, or right-click and select Delete.
4. Select OK in the confirmation box to delete the selected VPN or VPNs.
Portal profiles
The SSL VPN portal enables remote users to access internal network resources through a secure channel using a
web browser. FortiGate administrators can configure login privileges for system users as well as the network
resources that are available to the users.
There are three pre-defined default portal profiles:
- Full-access
- Tunnel-access
- Web-access
Each portal type includes similar configuration options. You can also create custom portal profiles.
To manage portal profiles, go to VPN Manager > SSL VPN and select Portal Profiles in the tree menu.
The following options are available:
Create New
Create a new portal profile.
Edit
Edit the selected profile.
Delete
Delete the selected profile or profiles.
Search
Enter a search term to search the portal profile list.
Creating SSL VPN portal profiles
To create SSL VPN portal profiles, you must be logged in as an administrator with sufficient privileges. Multiple
profiles can be created.
To create portal profiles:
1. Go to VPN Manager > SSL-VPN and select Portal Profiles in the tree menu.
2. Click Create New in the toolbar, or right-click and select Create New. The Create New pane is displayed.
3. Configure the following settings, then select OK to create the profile.
Name
Enter a name for the portal.
Limit Users to One SSL VPN Connection at a Time
Set the SSL VPN tunnel so that each user can only be logged in to the
tunnel one time per user log in. Once they are logged in to the portal, they
cannot go to another system and log in with the same credentials until they
log out of the first connection.
Tunnel Mode
Select to configure and enable tunnel mode access. These settings
determine how tunnel mode clients are assigned IPv4 addresses.
Enable Split Tunneling
Select so that the VPN carries only the traffic for the networks behind the
FortiGate unit. The user’s other traffic follows its normal route.
Routing Address
If you enable split tunneling, you are required to set the address that your
corporate network is using. Traffic intended for the routing address will not
be split from the tunnel.
Source IP Pools
Select an IPv4 pool for users to acquire an IP address when connecting to
the portal. There is always a default pool available if you do not create your
own.
IPv6 Tunnel Mode
Select to configure and enable tunnel mode access. These settings
determine how tunnel mode clients are assigned IPv6 addresses.
Enable IPv6 Split Tunneling
Select so that the VPN carries only the traffic for the networks behind the
FortiGate unit. The user’s other traffic follows its normal route.
IPv6 Routing Address
If you enable split tunneling, you are required to set the address that your
corporate network is using. Traffic intended for the routing address will not
be split from the tunnel.
Source IP Pools
Select an IPv6 pool for users to acquire an IP address when connecting to
the portal. There is always a default pool available if you do not create your
own.
Tunnel Mode Client Options
These options affect how the FortiClient application behaves when
connected to the FortiGate VPN tunnel. When enabled, a checkbox for the
corresponding option appears on the VPN log in screen in FortiClient, and
is disabled by default.
Allow client to save password
The user's password is stored on the user’s computer and will automatically
populate each time they connect to the VPN.
Allow client to connect automatically
When the FortiClient application is launched, for example after a reboot or
system start up, FortiClient will automatically attempt to connect to the
VPN tunnel.
Allow client to keep connections alive
The FortiClient connection will not shut down. When not selected, during
periods of inactivity, FortiClient will attempt to stay connected every three
minutes for a maximum of 10 minutes.
Enable Web Mode
Select to enable web mode access.
Portal Message
The text header that appears on the top of the web portal.
Theme
A color styling specifically for the web portal: blue, green, mariner,
melongene, or red.
Show Session Information
Display the Session Information widget on the portal page. The widget
displays the log in name of the user, the amount of time the user has been
logged in, and the inbound and outbound traffic statistics.
Show Connection Launcher
Display the Connection Launcher widget on the portal page. Use the
widget to connect to an internal network resource without adding a
bookmark to the bookmark list. You select the type of resource and specify
the URL or IP address of the host computer.
Show Login History
Include user log in history on the web portal, then specify the number of
history entries.
User Bookmarks
Include bookmarks on the web portal.
Bookmarks are used as links to internal network resources. When a
bookmark is selected from a bookmark list, a pop-up window opens with
the web page. Telnet, VNC, and RDP require a browser plugin. FTP and
Samba replace the bookmarks page with an HTML file-browser.
Pre-Defined Bookmarks
The list of predefined bookmarks.
Click Create New to add a bookmark. See Predefined bookmarks on
page 285 for information.
Advanced Options
Configure advanced options. For information, see the FortiOS CLI
Reference: http://help.fortinet.com/cli/fos50hlp/56/index.htm.
Predefined bookmarks
Bookmarks are used as links to specific resources on the network. When a bookmark is selected from a bookmark
list, a window opens with the requested web page. Telnet, RDP, and VNC open a window that requires a browser
plug-in. FTP replaces the bookmark page with an HTML file-browser.
A web bookmark can include log in credentials to automatically log the SSL VPN user into the web site. When the
administrator configures bookmarks, the web site credentials must be the same as the user’s SSL VPN
credentials. Users configuring their own bookmarks can specify alternative credentials for the web site.
Predefined bookmarks can be added to portal profiles when creating or editing a profile.
To create a predefined bookmark:
1. Go to VPN Manager > SSL-VPN and select Portal Profiles in the tree menu.
2. Edit an existing profile, or create a new profile. See Editing portal profiles on page 287 or Creating SSL VPN portal
profiles on page 283.
3. Click Create New in the Pre-Defined Bookmark field. Enable Web Mode must be selected for this field to be
available. The Create New Bookmark dialog box opens. The available options will vary depending on the
selected type.
4. Configure the following settings, then select OK to create the bookmark.
Name
Enter a name for the bookmark.
Type
Select the bookmark type: CITRIX, FTP, Port Forward, RDP, SMB, SSH,
Telnet, VNC, or HTTP/HTTPS.
URL
Enter the bookmark URL. This option is only available when Type is Citrix,
or HTTP/HTTPS.
Folder
Enter the bookmark folder.
This option is only available when Type is FTP, or SMB.
Host
Enter the host name.
This option is only available when Type is RDP, SSH, TELNET, or VNC.
Remote Port
Enter the remote port.
This option is only available when Type is Port Forward.
Listening Port
Enter the listening port.
This option is only available when Type is Port Forward.
Show Status Window
Enable to show the status window.
This option is only available when Type is Port Forward.
Port
Enter the port number.
This option is only available when Type is RDP, or VNC.
Username
Enter the user name.
This option is only available when Type is RDP.
Password
Enter the password.
This option is only available when Type is RDP, or VNC.
Keyboard Layout
Select the keyboard layout: German (QWERTZ), English (US), Unknown,
French (AZERTY), Italian, or Swedish.
This option is only available when Type is RDP.
Security
Select the security type: Allow the server to choose the type of security,
Network Level Authentication, Standard RDP encryption, or TLS
encryption.
This option is only available when Type is RDP.
Description
Optionally, enter a description of the bookmark.
Single Sign-on
Select the SSO setting for links that require authentication: Disabled,
Automatic, or Static.
If Static is selected, click the add icon, then enter the Name and Value to
add SSO Form Data. Multiple fields can be added. Click Remove to
remove a field.
When including a link using SSO, use the entire URL and not just the IP
address.
This option is only available when Type is Citrix, FTP, SMB, or
HTTP/HTTPS.
To edit a bookmark:
1. Go to VPN Manager > SSL-VPN and select Portal Profiles in the tree menu.
2. Edit an existing profile, or create a new profile. See Editing portal profiles on page 287 or Creating SSL VPN
portal profiles on page 283.
3. Click the Edit icon in the bookmark row. The Bookmark dialog box opens.
4. Edit the bookmark as required, then click OK to apply your changes.
To delete a bookmark:
1. Go to VPN Manager > SSL-VPN and select Portal Profiles in the tree menu.
2. Edit an existing profile, or create a new profile. See Editing portal profiles on page 287 or Creating SSL VPN
portal profiles on page 283.
3. Click the Delete icon in the bookmark row.
Editing portal profiles
To edit a portal profile, you must be logged in as an administrator with sufficient privileges. The device cannot be
edited.
To edit a portal profile:
1. Go to VPN Manager > SSL-VPN and select Portal Profiles in the tree menu.
2. Double-click on a profile, right-click on a profile and then select Edit from the menu, or select the profile then click
Edit in the toolbar. The Edit Portal Profile pane opens.
3. Edit the settings as required, and then select OK to apply the changes.
Deleting portal profiles
To delete a portal profile or profiles, you must be logged in as an administrator with sufficient privileges.
To delete portal profiles:
1. Go to VPN Manager > SSL-VPN and select Portal Profiles in the tree menu.
2. Select the profile or profiles you need to delete.
3. Click Delete in the toolbar, or right-click and select Delete.
4. Select OK in the confirmation box to delete the selected profile or profiles.
Monitor SSL VPNs
SSL VPNs can be monitored by going to VPN Manager > SSL VPN and selecting Monitor from the tree menu.
The following information is shown:
Device
The device or VDOM name.
User
The user name.
Remote Host
The remote host.
Last Login
The time of the last log in.
Active Connections
The number of active connections on the VPN.
AP Manager
Use AP Manager to centrally manage FortiAP access points.
The AP Manager pane includes the following tabs:
Managed APs
Displays unauthorized and authorized FortiAP devices. You can view, authorize, and
edit authorized FortiAP devices.
Monitor
Monitor FortiAP devices and the clients connected to them.
Map View
View the locations of FortiAP devices on a map.
WiFi templates
View, create, edit, and import AP profiles, SSIDs, and WIDS profiles.
The AP Manager pane allows you to manage, configure, and assign profiles to FortiAP devices. You can
configure multiple profiles that can be assigned to multiple devices. Profiles are installed to devices when you
install configurations to the devices.
The following steps provide an overview of using centralized AP management to configure and install profiles:
1. Create AP profiles.
See WiFi templates on page 303.
2. Assign profiles to FortiAP devices.
See Assigning profiles to FortiAP devices on page 296.
3. Install FortiAP profiles to devices.
On the Device Manager pane, select the FortiGate device that controls the FortiAP device, then select
Install > Install Config from the toolbar, and follow the prompts in the wizard. See Configuring a device on
page 120.
Managed APs
The Managed APs pane allows you to manage FortiAP devices that are controlled by FortiGate devices that are
managed by the FortiManager.
FortiAP devices, listed in the tree menu, are grouped based on the controller that they are connected to. The
devices can also be further divided into platform based groups within a controller.
Additional configuration options and shortcuts are available from the right-click
context menu. Right-click different parts of the navigation panes on the GUI page to
access these context menus.
If workspace or workflow is enabled, the ADOM must be locked before changes can be
made. See Locking an ADOM on page 59.
Go to AP Manager > Managed APs to manage FortiAP devices. Managed APs are organized by their FortiGate
controller and group.
Quick status bar
You can quickly view the status of devices on the Managed AP pane by using the quick status bar, which contains
the following options:
- Managed APs
- Online
- Offline
- Unauthorized
- Rogue APs
- Client Connected
You can click each quick status to display in the content pane, or in a pop-up window, only the devices referenced
in the quick status.
To view the quick status bar:
1. Ensure that you are in the correct ADOM.
2. Go to AP Manager > Managed APs. The quick status bar is displayed above the content pane.
3. In the tree menu, select a FortiGate, group, or All_FortiGate. The devices for the group are displayed in the
content pane, and the quick status bar updates.
4. Click on each quick status to filter the devices displayed on the content pane. For example, click Offline, and the
content pane will display only devices that are currently offline.
5. Click Rogue APs to open the rogue AP list in a pop-up window.
6. Click Client Connected to open a list of WiFi clients in a pop-up window.
Managing APs
FortiAP devices can be managed from the content pane below the quick status bar on the AP Manager >
Managed APs pane.
The following options are available from the toolbar and right-click menu:
Create New
Add an AP.
Edit
Edit the selected AP.
Delete
Delete the selected AP.
Assigned Profile
Assign a profile from the list to the AP. Only applicable profiles will be
listed. See Assigning profiles to FortiAP devices on page 296.
Column Settings
Click to select which columns to display or select Reset to Default to
display the default columns.
Authorize
Authorize an unregistered AP. See Authorizing and deauthorizing FortiAP
devices on page 296.
This option is also available in the toolbar by selecting More.
Deauthorize
Deauthorize a registered AP. See Authorizing and deauthorizing FortiAP
devices on page 296.
This option is also available in the toolbar by selecting More.
Grouping
Move the selected FortiAP devices into a new group. The APs must be the
same model to be grouped. See FortiAP groups on page 295.
This option is only available in the right-click menu.
Upgrade
Upgrade the AP. The AP must already be authorized.
Restart
Restart the AP.
This option is only available in the toolbar, by selecting More.
Refresh
Refresh the AP list, or refresh the selected FortiAP devices.
View Clients
View the clients connected to the AP. See Connected clients on page 299.
View Rogue APs
View the Rogue APs. See Rogue APs on page 297.
This option is only available in the toolbar, by selecting More.
Search
Enter a search string into the search field to search the AP list.
This option is only available in the toolbar.
The following information is available in the content pane:
Access Point
The serial number of the AP.
Connected Via
The IP address of the AP.
SSIDs
The SSIDs associated with the AP.
Channel
The wireless radio channels that the access point uses.
Clients
The number of clients connected to the AP.
Select a value to open the View WiFi Clients window to view more details
about the clients connected to that radio. See Connected clients on
page 299.
OS Version
The OS version on the FortiAP.
AP Profile
The AP Profile assigned to the device, if any.
FortiGate
The FortiGate unit that is managing the AP. Displayed only for
unauthorized APs.
Comments
User entered comments.
Country
The Country code that the FortiAP is using.
Join Time
The date and time that the FortiAP joined.
LLDP
Whether Link Layer Discovery Protocol (LLDP) is enabled on the AP.
Operating TX Power
The transmit power of the wireless radios.
Serial #
The serial number of the device.
WTP Mode
The Wireless Termination Point (WTP) mode reported by the AP, or 0 if none.
To add a FortiAP:
1. Click Create New on the content pane toolbar. The Add FortiAP dialog box opens.
2. Enter the following information:
FortiGate
Select the FortiGate that the AP will be added to from the dropdown list. If
you have already selected a FortiGate in the tree menu, this field will
contain that FortiGate.
Serial Number
Enter the device's serial number.
Name
Enter a name for the device.
AP Profile
Select an AP profile to apply to the device from the dropdown list. See AP
profiles on page 303.
3. Click OK to add the device.
To edit FortiAP devices:
1. In the tree menu, select the group or FortiGate that contains the FortiAP device to be edited.
2. Locate the FortiAP device in the list in the content pane, or refine the list by selecting an option from the quick
status bar.
3. Either select the FortiAP and click Edit from the toolbar, double-click on the FortiAP, or right-click on the FortiAP
and select Edit. The Config FortiAP window opens.
4. Edit the following options:
Serial Number
The device’s serial number. This field cannot be edited.
Name
The name of the AP.
Comments
Comments about the AP, such as its location or function.
Managed AP Status
Various information about the AP.
Status
The status of the AP, such as Connected, or Idle.
Connected Via
The method by which the device is connected to the controller.
Base MAC
Address
The MAC address of the device.
Join Time
The time that the AP joined.
Clients
The number of clients currently connected to the AP.
FortiAP OS
Version
The AP's current firmware version. Select Upgrade to upgrade the firmware
to a newer version if you have one available. See Firmware Management
on page 145
State
The state of the AP, such as Authorized, or Discovered.
Wireless Settings
Assign a profile or configure radio settings manually.
FortiAP Profile
Select a profile from the dropdown list (see AP profiles on page 303), or
select Override Settings to customize the WiFi radio settings for the AP
(SSIDs, TX Power, and Rogue AP Scanning).
Do not
participate in
Rogue AP
scanning
Select this option to not participate in scanning for rogues APs.
Radio Settings Summary
A table showing the current setting, channels, and SSIDs configured for the
AP's radio or radios.
5. Click Apply to apply your changes.
To delete FortiAP devices:
1. In the tree menu, select the group or FortiGate that contains the FortiAP device to be deleted.
2. Locate the FortiAP device in the list in the content pane, or refine the list by selecting an option from the quick
status bar.
3. Either select the FortiAP and click Delete from the toolbar, or right-click on the FortiAP and select Delete.
4. Click OK in the confirmation dialog box to delete the AP.
A FortiAP device cannot be deleted if it is currently being used. For example, if a
firewall profile has been assigned to it.
FortiAP groups
FortiAP devices can be organized into groups based on FortiAP platforms. A group can only contain one model of
FortiAP. A FortiAP can only belong to one group.
Groups are listed in the tree menu under the FortiGate they were created in. They can be created, edited, and
deleted as needed.
To create a FortiAP group:
1. In the Managed APs pane, select FortiAP Group > Create New from the toolbar. The Create New FortiAP
Group dialog box opens.
2. Configure the following:
Name
Enter a name for the group.
FortiGate
Select the FortiGate under which the group will be created.
Platform
Select the FortiAP platform that the group will apply to.
FortiAPs
Select FortiAPs to add to the group. Only FortiAPs in the selected FortiGate of the
selected platform will be available for selection.
3. Select OK to create the group.
To edit a group:
1. In the Managed APs pane, select a group from the tree menu, then select FortiAP Group > Edit from the toolbar.
2. Edit the group name and devices in the group as needed. The FortiGate and the platform cannot be changed.
3. Select OK to apply your changes.
To delete a group:
1. In the Managed APs pane, select a group from the tree menu.
2. Select FortiAP Group > Delete from the toolbar.
3. Select OK in the confirmation dialog box to delete the group.
Authorizing and deauthorizing FortiAP devices
To authorize FortiAP devices:
1. In the tree menu, select the group or FortiGate that contains the unauthorized FortiAP devices.
2. In the quick status bar, click Unauthorized. The unauthorized FortiAP devices are displayed in the content pane.
3. Select the FortiAP devices and either click More > Authorize from the toolbar, or right-click and select Authorize.
4. Select OK in the confirmation dialog box to authorize the selected devices.
To deauthorize FortiAP devices:
1. In the tree menu, select the group or FortiGate that contains the FortiAP devices to be deauthorized
2. Select the FortiAP devices and either click More > Deauthorize from the toolbar, or right-click and select
Deauthorize.
3. Select OK in the confirmation dialog box to deauthorize the selected devices.
Assigning profiles to FortiAP devices
You use the AP Manager pane to assign profiles to FortiAP devices, and you use the Device Manager pane to
install profiles to FortiAP devices when you install a configuration to the FortiGate that controls the
FortiAP device.
For more information about creating and managing AP profiles, see AP profiles on page 303.
To assign profiles to FortiAP devices:
1. In the tree menu, select the group or FortiGate that contains the FortiAP device the profile will be applied to.
2. Locate the FortiAP device in the list in the content pane, or refine the list by selecting an option from the quick
status bar.
3. Either select the FortiAP and click Assigned Profile from the toolbar, or right-click on the FortiAP and select
Assigned Profile. The Assign AP Profile window opens.
4. Select a FortiAP profile from the dropdown list, then click OK to assign the profile.
To install FortiAP profiles to devices:
1. Go to the Device Manager pane.
2. Select the FortiGate device that controls the FortiAP device
3. Right click and select Install Config, or select Install > Install Config from the toolbar.
4. Click OK in the confirmation dialog box to install the configuration to the device. See Configuring a device on
page 120 for more information.
Rogue APs
A rogue AP is an unauthorized AP connected to your wired network. Because it bridges wireless clients onto the LAN outside your security policy, it can enable unauthorized access.
Click Rogue APs in the quick status bar to open the rogue AP list in a pop-up window.
The following options are available:
Mark As
Mark a rogue AP as one of:
• Accepted: for APs that are an authorized part of your network or are neighboring APs that are not a security threat.
• Rogue: for unauthorized APs that On-wire status indicates are attached to your wired networks.
• Unclassified: the initial status of a discovered AP. You can change an AP back to unclassified if you have mistakenly marked it as Rogue or Accepted.
Suppress AP
Suppress the selected APs. This will prevent users from connecting to the
AP. When suppression is activated against an AP, the controller sends
deauthentication messages to the rogue AP’s clients posing as the rogue
AP, and also sends deauthentication messages to the rogue AP posing as
its clients.
Before enabling this feature, verify that operation of Rogue Suppression is
compliant with the applicable laws and regulations of your region.
Unsuppress AP
Turn off suppression for the selected rogue APs.
Refresh
Refresh the rogue AP list.
Column Settings
Click to select which columns to display or select Reset to Default to
display the default columns.
The following columns are available:
State
The state of the AP:
• Suppressed: red suppressed icon
• Rogue: orange rogue icon
• Accepted: green wireless signal mark
• Unclassified: gray question mark
Status
Whether the AP is active (green) or inactive (orange).
SSID
The wireless service set identifier (SSID) or network name for the wireless
interface.
Security Type
The type of security currently being used.
Channel
The wireless radio channel that the access point uses.
MAC Address
The MAC address of the wireless interface.
Vendor Info
The name of the vendor.
Signal Strength
The relative signal strength of the AP.
Detected By
The name or serial number of the AP unit that detected the signal.
On-Wire
A green up-arrow indicates a suspected rogue, based on the on-wire
detection technique. An orange down-arrow indicates AP is not a suspected
rogue.
First Seen
How long ago this AP was first detected. This column is not visible by
default.
Last Seen
How long ago this AP was last detected. This column is not visible by
default.
Rate
The data rate, in bps. This column is not visible by default.
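The On-Wire column is the signal that separates a rogue from a harmless neighbor. The block below is an added example, not FortiManager or FortiGate code, showing one way to compute that classification offline from two constructed inputs: the APs heard over the air (with any client MACs seen talking to them) and a switch MAC address table. The two correlation heuristics, a wireless client MAC reappearing on the wired side and a wired MAC within a few addresses of the BSSID in the same OUI block, and the tolerance of 8 are assumptions made for the example; all MAC addresses and serial numbers are constructed.

```python
"""Classify APs seen over the air using on-wire correlation.

Added example, not FortiGate/FortiManager code. It mirrors the Mark As
states of the Rogue APs view (accepted / rogue / unclassified) and the
On-Wire column: an AP is a suspected rogue when it can be tied to the
wired network. Both heuristics and the tolerance are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional


def mac_int(mac: str) -> int:
    return int(mac.lower().replace(":", "").replace("-", ""), 16)


def mac_str(n: int) -> str:
    return ":".join(f"{(n >> s) & 0xff:02x}" for s in range(40, -1, -8))


@dataclass
class DetectedAP:
    bssid: str
    ssid: str
    detected_by: str                                 # serial of the FortiAP that heard it
    clients: list = field(default_factory=list)      # client MACs seen associated to it


def on_wire_reason(ap: DetectedAP, wired_macs, bssid_tolerance: int = 8) -> Optional[str]:
    """Return why the AP looks attached to the wire, or None if it does not."""
    wired = {mac_int(m) for m in wired_macs}
    # Heuristic 1: a wireless client of this AP is also visible in the switch MAC table,
    # i.e. the AP is bridging wireless clients straight onto the LAN.
    for c in ap.clients:
        if mac_int(c) in wired:
            return f"client {c} also seen on the wired side"
    # Heuristic 2 (assumption): consumer APs usually derive the radio BSSID from the
    # Ethernet MAC by a small offset, so a wired MAC in the same OUI block and within
    # `bssid_tolerance` of the BSSID points at the same box.
    b = mac_int(ap.bssid)
    for w in wired:
        same_oui = (w >> 24) == (b >> 24)
        if same_oui and abs((w & 0xFFFFFF) - (b & 0xFFFFFF)) <= bssid_tolerance:
            return f"wired MAC {mac_str(w)} within {bssid_tolerance} of BSSID"
    return None


def classify(aps, wired_macs, accepted_bssids):
    """Return {bssid: (state, reason)} with state in accepted / rogue / unclassified."""
    accepted = {a.lower() for a in accepted_bssids}
    result = {}
    for ap in aps:
        if ap.bssid.lower() in accepted:
            result[ap.bssid] = ("accepted", "managed or known-neighbor BSSID")
            continue
        reason = on_wire_reason(ap, wired_macs)
        result[ap.bssid] = ("rogue", reason) if reason else ("unclassified", None)
    return result


# --- constructed sample data (not captured from any real network) -----------
WIRED_MAC_TABLE = [
    "00:11:22:33:44:50",   # unknown device on an access port
    "a4:5e:60:aa:bb:cc",   # a laptop that should only ever be on wireless
    "00:09:0f:11:22:00",   # managed FortiAP's Ethernet port
]
MANAGED_BSSIDS = ["00:09:0f:11:22:33"]
DETECTED = [
    DetectedAP("00:09:0f:11:22:33", "Corp", "FP221E0000000001"),
    DetectedAP("00:11:22:33:44:52", "Free-WiFi", "FP221E0000000001"),
    DetectedAP("1c:ab:c0:12:34:56", "MyHotspot", "FP221E0000000002",
               clients=["a4:5e:60:aa:bb:cc"]),
    DetectedAP("d8:47:32:00:00:01", "CoffeeShop", "FP221E0000000002"),
]


def run_sample():
    return classify(DETECTED, WIRED_MAC_TABLE, MANAGED_BSSIDS)


if __name__ == "__main__":
    for bssid, (state, reason) in run_sample().items():
        print(f"{bssid}  {state:<12} {reason or ''}")
```

An AP that the heuristics cannot tie to the wire stays unclassified rather than accepted; promoting it to Accepted is a deliberate operator decision, exactly as in the Mark As menu above.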
Connected clients
To view connected wireless clients, click Client Connected in the quick status bar to open the WiFi client list in a
pop-up window that lists all the clients in the selected FortiGate or group.
To view the clients connected to specific APs, select the APs in the content pane, then right-click on them and
select View Clients.
The following columns are available:
SSID
The SSID that the client connected to.
FortiAP
The serial number of the FortiAP unit that the client connected to.
IP
The IP address assigned to the wireless client.
Device
The type of device that the client is using.
Channel
The wireless radio channel that is used.
Bandwidth Tx/Rx
Client received and transmitted bandwidth, in Kbps.
Signal Strength/Noise
The signal-to-noise ratio in dBs calculated from signal strength and noise
level.
Signal Strength
The relative signal strength of the client's connection.
Association Time
How long the client has been connected to this access point.
Auth
The type of authentication used.
Bandwidth RX
Client received bandwidth, in Kbps.
Bandwidth TX
Client transmitted bandwidth, in Kbps.
Device OS
The operating system detected on the WiFi client.
Host Information
The host name of the WiFi client, if available.
Idle Time
The amount of time that the client has been idle.
Manufacturer
The manufacturer of the client device.
Rate
The connection rate between the WiFi client and the AP.
Name
The name of the FortiGate device that the FortiAP is attached to.
Monitor
The Monitor pane includes a listing of connected clients, and a health monitor that display information about all
the APs for the selected FortiGate or group in widgets.
Clients Monitor
The client monitor lists information about connected clients. Go to AP Manager > Monitor and select the Clients
Monitor tab in the content pane to view the list. Select a specific FortiGate or group in the tree menu to filter the
listed clients.
You can search the table by entering a search term in the search field in the toolbar. The visible columns can be
adjusted by selecting Column Settings in the toolbar. The following columns are available:
SSID
The SSID that the client connected to.
FortiAP
The serial number of the FortiAP unit that the client connected to.
IP
The IP address assigned to the wireless client.
Device
The type of device that the client is using.
Channel
The wireless radio channel that is used.
Bandwidth Tx/Rx
Client received and transmitted bandwidth, in Kbps.
Signal Strength/Noise
The signal-to-noise ratio in dBs calculated from signal strength and noise
level.
Signal Strength
The relative signal strength of the client's connection.
Association Time
How long the client has been connected to this access point.
Auth
The type of authentication used.
Bandwidth RX
Client received bandwidth, in Kbps.
Bandwidth TX
Client transmitted bandwidth, in Kbps.
Device OS
The operating system detected on the WiFi client.
Host Information
The host name of the WiFi client, if available.
Idle Time
The amount of time that the client has been idle.
Manufacturer
The manufacturer of the client device.
Rate
The connection rate between the WiFi client and the AP.
Name
The name of the FortiGate device that the FortiAP is attached to.
Health Monitor
Go to AP Manager > Monitor, select a FortiGate or group from the tree menu, and select the Health Monitor tab
in the content pane to open the health monitor.
Widgets can be moved by clicking and dragging their title bar into different locations on the screen. The
information in the widgets can be refreshed by clicking the refresh icon in the widget title bar. Widgets with tables
can be sorted by any column by clicking the column name.
The following widgets are shown:
AP Status
Displays a bar graph of:
• Uptime > 24 hours: the number of APs that have been up for over 24 hours.
• Rebooted within 24 hours: the number of APs that have been rebooted within the past 24 hours.
• Down/Missing: down or missing APs.
Select a specific column to view a table of the APs represented in that column, along with other relevant information, such as the APs' IP addresses and the time of their last reboot.
Select the name of a column in the legend to add or remove it from the graph.
This widget is only available when the All FortiAPs group is selected in the tree menu.
Client Count Over Time
A graph of the number of connected clients over the specified time period: 1 hour, 1 day, or 30 days.
This widget is only available when the All FortiAPs group is selected in the tree menu.
Top Client Count Per-AP (2.4 GHz or 5 GHz Band)
Lists the number of clients in the 2.4GHz and 5GHz band for each FortiAP. Also includes columns for the channel and bandwidth of the AP.
Top Wireless Interference (2.4 GHz or 5 GHz Band)
Lists the number of interfering APs in the 2.4GHz and 5GHz band for each FortiAP. Also includes columns for the channel and the number of MAC errors for each AP.
Login Failures Information
Lists the time of a login failure, the SSID involved, the Host Name/MAC, and the User Name.
Map View
The Map View pane shows all of the FortiGate controllers on an interactive world map (Google Maps). Each
FortiGate is designated by a map pin in its geographic location on the map. The number of APs connected to the
FortiGate is listed in the pin.
Clicking on a map pin opens a list of the APs connected to that FortiGate. Clicking on the name of an AP from the
list will zoom the map into that location and provide further information about the AP, including the serial number,
IP address, number of clients, usage, and the last time the AP was seen if it is offline.
Click on the number of client to open the View WiFi Clients window (see Connected clients on page 299). Click
on the AP's serial number to open the Config FortiAP window, where you can edit the AP settings (see Managing
APs on page 291).
WiFi templates
The WiFi Templates pane allows you to create and manage AP profiles, SSIDs, and Wireless Intrusion Detection
System (WIDS) profiles that can be assigned to managed FortiAP devices.
Settings may vary for different ADOM versions.
AP profiles
AP profiles define radio settings for FortiAP models. The profile specifies details such as the operating mode of
the device, SSIDs, and transmit power. Custom AP profiles can be created as needed for new devices.
To view AP profiles, ensure that you are in the correct ADOM, go to AP Manager > WiFi Templates, and select
AP Profile in the tree menu.
The following options are available in the toolbar and right-click menu:
Create New
Create a new AP profile.
Edit
Edit the selected AP profile.
Delete
Delete the selected AP profile.
Clone
Clone the selected AP profile.
Import
Import AP profiles from a connected FortiGate (toolbar only).
To create custom AP profiles:
1. On the AP Profile pane, click Create New in the toolbar, or select it from the right-click menu. The Create New
AP Profile window opens.
2. Enter the following information:
Name
Type a name for the profile.
Comment
Optionally, enter comments.
Platform
Select the platform that the profile will apply to from the dropdown list.
Split Tunneling Subnet(s)
Enter the split tunneling subnet(s).
Radio 1 & 2
Configure the radio settings. The Radio 2 settings will only appear if the
selected platform has two radios.
Operation Mode
Select the radio operation mode:
• Disabled: The radio is disabled. No further radio settings are available.
• Access Point: The device is an access point.
• Dedicated Monitor: The device is a dedicated monitor. Only the WIDS Profile setting is available.
WIDS Profile
Select a WIDS profile from the dropdown list. See WIDS profiles on
page 313.
Radio Resource
Provision
Select to enable radio resource provisioning.
This feature measures utilization and interference on the available
channels and selects the clearest channel at each access point.
Client Load
Balance
Select the client load balancing methods to use: Frequency Handoff
and/or AP Handoff.
Band
Select the wireless protocol from the dropdown list. The available bands
depend on the selected platform.
On two-radio devices, both radios cannot operate in the same band.
Short Guard
Interval
Select to enable the short guard interval. This option is only available for
2.4GHz 802.11n/g/b, and 5GHz 802.11n bands.
Select Channel
Width
Select 20MHz or 40MHz channel width. This option is only available for
5GHz 802.11n bands.
Channel
Select the channel or channels to include. The available channels depend
on the selected platform and band.
Auto TX Power
Control
Optionally, enable automatic adjustment of transmit power, then specify
the minimum and maximum power levels, dBm.
TX Power
If Auto TX Power Control is disabled, enter the TX power in the form of the
percentage of the total available power.
SSID
Choose the SSIDs that APs using this profile will carry.
AP Country Code
Select the AP country code from the dropdown list.
Advanced Options
Configure advanced options for the AP profile:
• allowaccess: Allow management access to the managed AP via telnet, http, https, and/or ssh. Telnet and HTTP carry the AP login credentials in clear text; limit access to ssh and https.
• dtls-in-kernel: Enable/disable data channel DTLS in kernel.
• dtls-policy: Select the WTP data channel DTLS policy: clear-text, dtls-enabled, and/or ipsec-vpn. With clear-text, client traffic tunneled from the AP to the controller crosses the wired network unencrypted.
• handoff-roaming: Enable/disable handoff when a client is roaming.
• handoff-rssi: Enter the minimum RSSI handoff value.
• handoff-sta-thresh: Enter the threshold value for AP handoff.
• ip-fragment-preventing: Prevent IP fragmentation for CAPWAP tunneled control and data packets. Select tcp-mss-adjust and/or icmp-unreachable.
• led-state: Enable/disable use of LEDs on the WTP.
• lldp: Enable/disable LLDP.
• login-passwd: Enter the login password of the managed AP.
• login-passwd-change: Select whether or not to allow the login password to be changed, or to reset it to the factory default setting.
• max-clients: Enter the maximum number of STAs supported by the WTP.
• split-tunneling-acl-local-ap-subnet: Enable/disable the split tunneling ACL for the local AP subnet.
• tun-mtu-downlink: Enter the downlink tunnel MTU.
• tun-mtu-uplink: Enter the uplink tunnel MTU.
• wan-port-mode: Set the WAN port mode: wan-only or wan-lan.
3. Click OK to create the new AP profile.
To edit a custom AP profile:
1. Either double-click a profile name, right-click a profile name and select Edit, or select a profile then click Edit in the
toolbar. The Edit AP Profile pane opens.
2. Edit the settings as required. The profile name cannot be edited.
3. Click OK to apply your changes.
To delete custom AP profiles:
1. Select the AP profile or profiles that will be deleted. Default profiles cannot be deleted.
2. Either select Delete from the toolbar, or right-click and select Delete.
3. Click OK in the confirmation dialog box to delete the profile.
To clone a custom AP profile:
1. Either select a profile and click Clone in the toolbar, or right-click a profile and select Clone. The Clone AP Profile
pane opens.
2. Edit the name of the profile, then edit the remaining settings as required.
3. Click OK to clone the profile.
To import an AP profile:
1. Click Import in the toolbar. The Import dialog box opens.
2. Select a FortiGate from the dropdown list. The list will include all of the devices in the current ADOM.
3. Select the profile or profiles to be imported from the dropdown list.
4. Click OK to import the profile or profiles.
SSIDs
To view SSIDs and SSID groups, go to AP Manager > WiFi Templates, and select SSID in the tree menu.
The following options are available in the toolbar and right-click menu:
Create New
Create a new SSID or SSID group.
Edit
Edit the selected SSID or group.
Delete
Delete the selected SSID or group.
Clone
Clone the selected SSID or group.
Import
Import SSIDs from a connected FortiGate (toolbar only).
When creating a new SSID, the available options will change depending on the selected traffic mode: Tunnel to
Wireless Controller, Local bridge with FortiAP's Interface, or Mesh Downlink.
To create a new SSID (Tunnel to Wireless Controller):
1. On the SSID pane, click Create New > SSID in the toolbar, or select it from the right-click menu. The Create New
SSID Profile window opens.
2. Enter the following information:
Name
Type a name for the SSID.
Traffic Mode
Select Tunnel to Wireless Controller from the dropdown list.
Common Interface Settings
Select to enable common interface settings.
IP/Netmask
Type the IP address and netmask.
IPv6 Address
Type the IPv6 address.
Administrative Access
Select the allowed administrative service protocols from: HTTPS,
HTTP, PING, FMG-Access, SSH, SNMP, TELNET, Auto IPsec
Request, and FCT-Access.
IPv6 Administrative Access
Select the allowed IPv6 administrative service protocols from: HTTPS,
HTTP, PING, FMG-Access, SSH, SNMP, TELNET, and CAPWAP.
Enable DHCP
Select to enable and configure DHCP.
Note: If Mode is Relay, only the DHCP Server IP and Type settings are
available.
Address Range
Enter the DHCP address range.
Netmask
Enter the netmask.
Default Gateway
Select Same As Interface IP if the default gateway is the same as the
interface IP, or select Specify and type a new gateway IP address.
DNS Server
Select Same As System DNS if the DNS server is the same as the
system DNS, or select Specify and type a DNS server address.
Mode
Select Server or Relay.
DHCP Server IP
Enter the DHCP server IP address.
This option is only available if Mode is set to Relay.
MAC Address Access Control List
The MAC address control list allows you to view the MAC addresses and their actions. It includes a default entry for unknown MAC addresses.
• Click Create New to create a new IP MAC binding.
• Select an address then click Edit to edit the MAC address.
• Select an address or addresses then click Delete to delete the selected items. The unknown MAC address cannot be deleted.
Type
Select Regular or IPsec.
WiFi Settings
SSID
Type the wireless service set identifier (SSID), or network name, for this
wireless interface. Users who want to use the wireless network must
configure their computers with this network name.
Security Mode
Select a security mode. The options are:
WPA/WPA2-PERSONAL
WPA2-ONLY-PERSONAL
WPA-ONLY-PERSONAL
WPA/WPA2-ENTERPRISE
WPA2-ONLY-ENTERPRISE
WPA-ONLY-ENTERPRISE
Captive Portal
WPA/WPA2 Personal with Captive Portal
WPA2 Personal with Captive Portal
WPA only Personal with Captive Portal
OPEN
OPEN and the plain Captive Portal mode provide no over-the-air encryption, and the WPA-only and mixed WPA/WPA2 modes still admit the deprecated WPA (TKIP) cipher; use a WPA2-only mode unless legacy clients require otherwise.
Pre-shared Key
Enter the pre-shared key for the SSID.
This option is only available when the security mode includes WPA or
WPA2 personal.
Authentication
Select the authentication method for the SSID, either Local or RADIUS
Server, then select the requisite server or group from the dropdown list.
This option is only available when the security mode is includes WPA or
WPA2 enterprise.
Portal Type
Select the portal type, one of: Authentication, Disclaimer +
Authentication, Disclaimer Only, or Email Collection.
This option is only available when the security mode includes captive
portal.
Authentication
Portal
Select Local or External. If External is selected, enter the URL of the
portal.
This option is only available when the portal type includes
authentication.
User Groups
Select the user group to add from the dropdown list. Select the plus
symbol to add multiple groups.
This option is only available when the portal type includes
authentication.
Exempt List
Select the exempt list to add from the dropdown list. Select the plus
symbol to add multiple lists.
This option is only available when the portal type includes
authentication.
Customize Portal
Messages
Select to allow for customized portal messages. Portal messages
cannot be customized until after the interface has been created.
This option is only available when the portal type includes disclaimer or
email collection.
Redirect after
Captive Portal
Select Original Request or Specific URL. If Specific URL is selected,
enter the redirect URL.
This option is only available when the security mode includes captive
portal.
Block Intra-SSID
Traffic
Select to block intra-SSID traffic.
Split Tunneling
Select to enable split tunneling.
Maximum Clients
Select to limit the concurrent WiFi clients that can connect to the SSID.
If selected, type the desired maximum number of clients.
Optional VLAN ID
Select the VLAN ID in the text field using the arrow keys. Select 0 if
VLANs are not used.
VLAN Pool
Select AP groups to add to the VLAN pool
Device Detection
Select to detect and identify devices connecting to the SSID.
Add New Devices to Vulnerability Scan List
Select to add new devices to the vulnerability scan list.
3. Click OK to create the new tunnel to wireless controller SSID.
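The AP profile advanced options (allowaccess, dtls-policy, login-passwd-change) and the SSID security mode are the settings in this section most often left weak. The block below is an added example, not Fortinet code: a small linter over a constructed FortiOS-style CLI snippet. The config/edit/set/next/end layout and the lowercase value spellings are assumptions chosen to mirror the GUI option names listed above; the rules flag cleartext AP management, an unencrypted CAPWAP data channel, a factory-default AP password, SSIDs with no link-layer encryption, and SSIDs that still admit WPA (TKIP) clients.

```python
"""Lint AP profile and SSID definitions for weak security settings.

Added example, not Fortinet code. SAMPLE_CONFIG is constructed in a
FortiOS-style config/edit/set/next/end layout using the option names the
AP profile and SSID sections list (allowaccess, dtls-policy,
login-passwd-change, security); the exact value spellings are assumptions.
"""
import shlex

SAMPLE_CONFIG = """\
config wireless-controller wtp-profile
    edit "FAP221E-guest"
        set allowaccess telnet https
        set dtls-policy clear-text
        set login-passwd-change default
    next
    edit "FAP221E-corp"
        set allowaccess https ssh
        set dtls-policy dtls-enabled
        set login-passwd-change yes
    next
end
config wireless-controller vap
    edit "guest"
        set ssid "Guest-WiFi"
        set security open
        set allowaccess ping http
    next
    edit "legacy"
        set ssid "Legacy-Scanners"
        set security wpa-only-personal
    next
    edit "corp"
        set ssid "Corp"
        set security wpa2-only-enterprise
    next
end
"""

CLEARTEXT_MGMT = {"telnet", "http"}


def parse_fortios(text):
    """Return {table: {entry: {key: [values]}}} from config/edit/set blocks."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)   # honours quoted values such as "Guest-WiFi"
        if not parts:
            continue
        cmd, args = parts[0], parts[1:]
        if cmd == "config":
            table = tables.setdefault(" ".join(args), {})
        elif cmd == "edit":
            entry = table.setdefault(args[0], {})
        elif cmd == "set":
            entry[args[0]] = args[1:]
        elif cmd == "next":
            entry = None
        elif cmd == "end":
            table = None
    return tables


def lint(tables):
    """Return a list of (severity, object, message) findings."""
    findings = []
    for name, prof in tables.get("wireless-controller wtp-profile", {}).items():
        obj = f"wtp-profile {name}"
        weak = CLEARTEXT_MGMT & set(prof.get("allowaccess", []))
        if weak:
            findings.append(("high", obj, "cleartext AP management enabled: " + ", ".join(sorted(weak))))
        if "clear-text" in prof.get("dtls-policy", []):
            findings.append(("high", obj, "CAPWAP data channel permitted in clear text (dtls-policy clear-text)"))
        if prof.get("login-passwd-change") == ["default"]:
            findings.append(("medium", obj, "AP login password reset to the factory default"))
    for name, vap in tables.get("wireless-controller vap", {}).items():
        obj = f"vap {name}"
        sec = vap.get("security", [None])[0]
        if sec is None or "wpa2-only" in sec:
            pass                                    # WPA2-only modes are the baseline here
        elif "wpa" in sec:                          # wpa-only-* and mixed wpa/wpa2 modes
            findings.append(("medium", obj, f"security {sec} still admits WPA (TKIP) clients"))
        else:                                       # open, captive-portal without WPA
            findings.append(("high", obj, f"security {sec} provides no link-layer encryption"))
        weak = CLEARTEXT_MGMT & set(vap.get("allowaccess", []))
        if weak:
            findings.append(("high", obj, "cleartext admin access on SSID interface: " + ", ".join(sorted(weak))))
    return findings


def lint_text(text=SAMPLE_CONFIG):
    return lint(parse_fortios(text))


if __name__ == "__main__":
    for sev, obj, msg in lint_text():
        print(f"[{sev}] {obj}: {msg}")
```

Run against the sample, the guest AP profile and guest SSID account for every high finding while the corp profile and SSID are clean; the same parser can be pointed at a configuration backup of a managed FortiGate to check what AP Manager actually installed.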
To create a new SSID (Local bridge with FortiAP's Interface):
1. On the SSID pane, click Create New > SSID in the toolbar.
2. Enter the following information:
Name
Type a name for the SSID.
Traffic Mode
Select Local bridge with FortiAP’s Interface from the dropdown list.
WiFi Settings
SSID
Type the wireless service set identifier (SSID) or network name for this
wireless interface. Users who want to use the wireless network must
configure their computers with this network name.
Security Mode
Select a security mode. The options are:
WPA/WPA2-PERSONAL
WPA-ONLY-ENTERPRISE
WPA/WPA2-ENTERPRISE
WPA2-ONLY-PERSONAL
OPEN
WPA2-ONLY-ENTERPRISE
WPA-ONLY-PERSONAL
Pre-shared Key
Enter the pre-shared key for the SSID.
This option is only available when the security mode includes WPA or
WPA2 personal.
Authentication
Select the authentication method for the SSID, either Local or RADIUS
Server, then select the requisite server or group from the dropdown list.
This option is only available when the security mode is includes WPA or
WPA2 enterprise.
Maximum Clients
Select to limit the concurrent WiFi clients that can connect to the SSID. If
selected, type the desired maximum number of clients. Type 0 for no limit.
Optional VLAN ID
Select the VLAN ID in the text field using the arrow keys. Select 0 if VLANs
are not used.
VLAN Pool
Select AP groups to add to the VLAN pool
Device Detection
Select to detect and identify devices connecting to the SSID.
Add New Devices to
Vulnerability Scan
List
Select to add new devices to the vulnerability scan list.
3. Click OK to create the new local bridge SSID.
To create an SSID (Mesh Downlink):
1. On the SSID pane, click Create New > SSID in the toolbar.
2. Enter the following information:
Name
Type a name for the SSID.
Traffic Mode
Select Mesh Downlink from the dropdown list.
WiFi Settings
SSID
Type the wireless service set identifier (SSID) or network name for this
wireless interface. Users who want to use the wireless network must
configure their computers with this network name.
Security Mode
Select a security mode. The options are:
WPA/WPA2-PERSONAL
WPA-ONLY-PERSONAL
OPEN
WPA2-ONLY-PERSONAL
Pre-shared Key
Enter the pre-shared key for the SSID.
Maximum Clients
Select to limit the concurrent WiFi clients that can connect to the SSID. If
selected, type the desired maximum number of clients. Type 0 for no limit.
VLAN Pool
Select AP groups to add to the VLAN pool
Device Detection
Select to detect and identify devices connecting to the SSID.
Add New Devices to
Vulnerability Scan
List
Select to add new devices to the vulnerability scan list.
3. Click OK to create the SSID.
To create a new SSID group:
1. On the SSID pane, click Create New > SSID Group in the toolbar. The Create New SSID Group window opens.
2. Enter a name for the group in the Name field.
3. Optionally, enter a brief description of the group in the Comment box.
4. Optionally, add SSIDs to the group in the Members field.
5. Click OK to create the SSID group.
To edit an SSID or group:
1. Either double-click on an SSID, select an SSID and then click Edit in the toolbar, or right-click then select Edit from
the menu. The Edit SSID or Edit SSID Group window opens.
2. Edit the settings as required. The SSID name and traffic mode cannot be edited.
3. Click OK to apply your changes.
To delete SSIDs or groups:
1. Select the SSIDs and groups that you would like to delete.
2. Either click Delete in the toolbar, or right-click and select Delete.
3. Click OK in the confirmation dialog box to delete the selected SSIDs and groups.
Deleting a group does not delete the SSIDs that are in the group.
To clone an SSID or group:
1. Either select an SSID or group and click Clone in the toolbar, or right-click on the SSID or group name, and select
Clone. The Clone SSID or Clone SSID Group dialog box opens.
2. Edit the settings as required. An SSID's traffic mode cannot be edited.
3. Click OK to clone the SSID.
To import an SSID:
1. Click Import in the toolbar. The Import dialog box opens.
2. Select a FortiGate from the dropdown list. The list will include all of the devices in the current ADOM.
3. Select the SSID or SSIDs to be imported from the Profile dropdown list.
4. Click OK to import the SSID or SSIDs.
WIDS profiles
The WIDS monitors wireless traffic for a wide range of security threats by detecting and reporting on possible
intrusion attempts. When an attack is detected, a log message is recorded.
To view WIDS profiles, ensure that you are in the correct ADOM, go to AP Manager > WiFi Templates, and
select WIDS Profile in the tree menu.
The following options are available in the toolbar and right-click menu:
Create New
Create a new WIDS profile.
Edit
Edit the selected WIDS profile.
Delete
Delete the selected WIDS profile.
Clone
Clone the selected WIDS profile.
Import
Import WIDS profiles from a connected FortiGate (toolbar only).
To create a new WIDS profile:
1. On the WIDS Profile pane, click Create New in the toolbar, or select it from the right-click menu. The Create New
WIDS Profile window opens.
2. Enter the following information:
Name
Enter a name for the profile.
Comments
Optionally, enter comments.
Enable Rogue AP Detection
Select to enable rogue AP detection.
Background Scan Every Second(s)
Enter the number of seconds between background scans.
Disable Background Scan During Specified Time
Select to disable background scanning during the specified time. Specify the days of the week, and the start and end times.
Enable Passive Scan Mode
Select to enable passive scan mode.
Enable On-Wire Rogue AP Detection
Select to enable on-wire rogue AP detection. When enabled, you can select to auto-suppress rogue APs in the foreground scan.
Intrusion Type
The intrusion types that can be detected.
Status
Select to enable the intrusion type.
Threshold
If applicable, enter a threshold for reporting the intrusion, in seconds except where specified.
Interval (sec)
If applicable, enter the interval for reporting the intrusion, in seconds.
3. Click OK to create the new WIDS profile.
Intrusion types
Intrusion Type
Description
Asleap Attack
ASLEAP is a tool used to perform attacks against LEAP authentication.
Association Frame Flooding
A Denial of Service attack using association requests. The default detection threshold is 30 requests in 10 seconds.
Authentication Frame Flooding
A Denial of Service attack using authentication requests. The default detection threshold is 30 requests in 10 seconds.
Broadcasting Deauthentication
This is a type of Denial of Service attack. A flood of spoofed deauthentication frames forces wireless clients to de-authenticate, then reauthenticate with their AP.
EAPOL Packet Flooding (to AP)
Extensible Authentication Protocol over LAN (EAPOL) packets are used in WPA and WPA2 authentication. Flooding the AP with these packets can be a denial of service attack. Several types of EAPOL packets can be detected:
- EAPOL-FAIL
- EAPOL-LOGOFF
- EAPOL-START
- EAPOL-SUCC
Invalid MAC OUI
Some attackers use randomly-generated MAC addresses. The first three bytes of the MAC address are the Organizationally Unique Identifier (OUI), administered by IEEE. Invalid OUIs are logged.
Long Duration Attack
To share radio bandwidth, WiFi devices reserve channels for brief periods of time. Excessively long reservation periods can be used as a denial of service attack. You can set a threshold between 1000 and 32,767 microseconds. The default is 8200.
Null SSID Probe Response
When a wireless client sends out a probe request, the attacker sends a response with a null SSID. This causes many wireless cards and devices to stop responding.
Premature EAPOL Packet Flooding (to client)
Extensible Authentication Protocol over LAN (EAPOL) packets are used in WPA and WPA2 authentication. Flooding the client with these packets can be a denial of service attack. Two types of EAPOL packets can be detected:
- EAPOL-FAIL
- EAPOL-SUCC
Spoofed De-authentication
Spoofed de-authentication frames form the basis for most denial of service attacks.
Weak WEP IV Detection
A primary means of cracking WEP keys is by capturing 802.11 frames over an extended period of time and searching for patterns of WEP initialization vectors (IVs) that are known to be weak. WIDS detects known weak WEP IVs in on-air traffic.
Wireless Bridge
WiFi frames with both the FromDS and ToDS fields set indicate a wireless bridge. This will also detect a wireless bridge that you intentionally configured in your network.
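The Threshold and Interval pair, the duration limit, the OUI check and the FromDS/ToDS test described in the table above can be exercised outside the appliance. The following Python script is an added example written for this guide, not FortiManager or FortiOS code: it runs a handful of the intrusion checks over a constructed frame capture and reports what a WIDS profile would log. The Frame record, the FloodDetector class, run_wids and the three-entry OUI table are assumptions made for the example; the numbers (30 frames in 10 seconds, 8200 microseconds, the 1000 to 32,767 range) are the defaults the table states.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Set

# Constructed subset of IEEE-assigned OUIs (Fortinet, VMware, VirtualBox). A
# production check consults the full IEEE registry; this table is an assumption
# made so the example runs offline.
KNOWN_OUIS: Set[str] = {"00:09:0F", "00:50:56", "08:00:27"}


@dataclass(frozen=True)
class Frame:
    """Minimal view of one 802.11 frame (constructed records, not a pcap parser)."""
    ts: float                 # capture time, seconds
    src: str                  # transmitter MAC, "aa:bb:cc:dd:ee:ff"
    subtype: str              # "assoc_req", "auth", "deauth", "data", ...
    to_ds: bool = False       # ToDS flag from the frame control field
    from_ds: bool = False     # FromDS flag from the frame control field
    duration_us: int = 0      # duration (NAV) field, microseconds


def mac_oui(mac: str) -> str:
    """First three octets of the address, upper-case, colon separated."""
    return mac.upper()[:8]


def is_invalid_oui(mac: str, registry: Set[str] = KNOWN_OUIS) -> bool:
    """True when the OUI cannot have been assigned by IEEE. A set
    locally-administered bit (bit 1 of the first octet) already rules that out,
    which is why randomly generated MACs usually fail this check."""
    first_octet = int(mac[:2], 16)
    if first_octet & 0x02:
        return True
    return mac_oui(mac) not in registry


class FloodDetector:
    """Per-source sliding window implementing the Threshold / Interval pair:
    alert once `threshold` frames of the watched subtype arrive within
    `interval` seconds, then reset so one burst yields one alert."""

    def __init__(self, subtype: str, threshold: int = 30, interval: float = 10.0):
        self.subtype = subtype
        self.threshold = threshold
        self.interval = interval
        self._windows: Dict[str, Deque[float]] = defaultdict(deque)

    def observe(self, frame: Frame) -> Optional[str]:
        if frame.subtype != self.subtype:
            return None
        window = self._windows[frame.src]
        window.append(frame.ts)
        while window and frame.ts - window[0] > self.interval:
            window.popleft()   # drop timestamps older than the interval
        if len(window) >= self.threshold:
            window.clear()
            return (f"{self.subtype} flooding from {frame.src}: "
                    f"{self.threshold} frames within {self.interval}s")
        return None


def run_wids(frames: List[Frame], long_duration_us: int = 8200) -> List[str]:
    """Apply the checks to a frame sequence and return alerts in arrival order.
    The long-duration threshold must lie in the 1000..32767 us range the
    profile accepts; 8200 us is the documented default."""
    if not 1000 <= long_duration_us <= 32767:
        raise ValueError("long-duration threshold must be 1000..32767 us")
    detectors = [FloodDetector("assoc_req"), FloodDetector("auth")]
    alerts: List[str] = []
    for frame in frames:
        for detector in detectors:
            hit = detector.observe(frame)
            if hit:
                alerts.append(hit)
        if frame.duration_us > long_duration_us:
            alerts.append(f"long duration attack from {frame.src}: {frame.duration_us} us")
        if frame.to_ds and frame.from_ds:          # wireless bridge signature
            alerts.append(f"wireless bridge frame from {frame.src}")
        if is_invalid_oui(frame.src):
            alerts.append(f"invalid MAC OUI {mac_oui(frame.src)} from {frame.src}")
    return alerts


def sample_frames() -> List[Frame]:
    """Constructed capture: a 30-frame association burst, one oversized
    duration field, one bridge frame and one locally administered MAC."""
    frames = [Frame(ts=0.1 * i, src="00:09:0f:11:22:33", subtype="assoc_req")
              for i in range(30)]
    frames.append(Frame(ts=4.0, src="00:50:56:aa:bb:cc", subtype="data", duration_us=12000))
    frames.append(Frame(ts=4.5, src="08:00:27:01:02:03", subtype="data",
                        to_ds=True, from_ds=True))
    frames.append(Frame(ts=5.0, src="02:7e:3c:9a:4d:55", subtype="auth"))
    return frames


if __name__ == "__main__":
    for alert in run_wids(sample_frames()):
        print(alert)
```

Running the script prints the four alerts the constructed capture produces. The same 30 association requests spread one second apart produce none, which is the point of the Interval field: the threshold is a count within a window, not a total. A real deployment reads frames from a capture and uses the complete IEEE OUI registry rather than the embedded subset.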
To edit a WIDS profile:
1. Either double-click on a profile name, select a profile and then click Edit in the toolbar, or right-click on the name
then select Edit from the menu. The Edit WIDS window opens.
2. Edit the settings as required.
3. Click OK to apply your changes.
To delete WIDS profiles:
1. Select the profile or profiles that will be deleted from the profile list.
2. Either click Delete from the toolbar, or right-click then select Delete.
3. Click OK in the confirmation dialog box to delete the profile or profiles.
To clone a WIDS profile:
1. Either select a profile and click Clone in the toolbar, or right-click a profile and select Clone. The Clone WIDS
pane opens.
2. Edit the name of the profile, then edit the remaining settings as required.
3. Click OK to clone the profile.
To import a WIDS profile:
1. Click Import in the toolbar. The Import dialog box opens.
2. Select a FortiGate from the dropdown list. The list will include all of the devices in the current ADOM.
3. Select the profile or profiles to be imported from the dropdown list.
4. Click OK to import the profile or profiles.
FortiClient Manager
The FortiClient Manager pane enables you to centrally manage FortiClient profiles for multiple FortiGate devices
and monitor FortiClient endpoints that are connected to FortiGate devices.
Endpoint control ensures that workstation computers (endpoints) and other network devices meet security
requirements. Otherwise they are not permitted access. Endpoint control enforces the use of FortiClient Endpoint
Security and pushes a FortiClient profile to the FortiClient application.
For information about FortiClient, see the FortiClient Administration Guide.
Additional configuration options and shortcuts are available using the right-click menu.
Right-click on different parts of the navigation panes in the GUI to access these
menus.
The FortiClient Manager pane includes the following tabs in the blue banner:
FortiTelemetry
View managed FortiGate devices with central FortiClient management
enabled. You can enable or disable FortiTelemetry for interfaces, enable or
disable FortiClient enforcement on interfaces, and assign FortiClient
profile packages to devices.
Monitor
Monitor FortiClient endpoints by compliance status or interface. You can
perform the following actions on FortiClient endpoints: block, unblock,
quarantine, release quarantine, and unregister. You can also exempt noncompliant FortiClient endpoints from compliance rules.
FortiClient profiles
View and create profile packages and FortiClient profiles. You can also
import FortiClient profiles from FortiGate devices.
Centralized FortiClient management is enabled by default. You use the FortiClient Manager pane to enable
FortiTelemetry and FortiClient enforcement on FortiGate interfaces as well as create and assign FortiClient
profile packages to one or more FortiGate devices or VDOMs. Profile packages are installed to devices when you
install configurations to the devices.
The following steps provide an overview of using centralized FortiClient management to configure, assign, and
install FortiClient profiles:
To create and assign FortiClient profile packages:
1. Create a FortiClient profile package. See Creating FortiClient profile packages on page 324.
2. Select the profile package, and create one or more FortiClient profiles. See Creating FortiClient profiles on
page 325.
3. Enable FortiTelemetry on FortiGate interfaces. See Enabling FortiTelemetry on interfaces on page 319.
4. Enable FortiClient enforcement on FortiGate interfaces. See Enabling endpoint control on interfaces on page 320.
5. Assign profile packages to FortiGate interfaces. See Assigning profile packages on page 329.
To install configuration changes to devices:
1. On the FortiClient Manager > FortiClient Profiles pane, click Install Wizard.
2. Follow the prompts in the wizard. See Using the Install Wizard to install policy packages and device settings on
page 130.
How FortiManager fits into endpoint compliance
The FortiClient settings available in FortiManager are intended to complement FortiClient support that is
available with FortiClient EMS and FortiGate. Each product performs specific functions:
- FortiClient EMS is used to deploy FortiClient (Windows) endpoints and FortiClient profiles, and the endpoints can connect FortiClient Telemetry to FortiGate or to FortiClient EMS. You can import FortiClient profiles from FortiGate devices to FortiClient EMS, and use FortiClient EMS to deploy the profiles. Alternately, you can use FortiClient EMS to create and deploy profiles. When FortiClient endpoints connect FortiClient Telemetry to EMS, you can use FortiClient EMS to monitor FortiClient endpoints.
- FortiManager provides central FortiClient management for FortiGate devices that are managed by FortiManager. In FortiManager, you can create one or more FortiClient profiles that you can assign to multiple FortiGate devices. You can also import FortiClient profiles from one FortiGate device and assign the FortiClient profile to other FortiGate devices. When FortiClient endpoints are registered to managed FortiGate devices, you can use FortiManager to monitor FortiClient endpoints from multiple FortiGate devices.
- FortiGate provides compliance rules for network access control. FortiGate devices enforce network compliance for connected FortiClient endpoints. FortiGate devices communicate between FortiClient endpoints and FortiManager.
FortiTelemetry
On the FortiClient Manager > FortiTelemetry pane, you can enable and disable FortiTelemetry and FortiClient
enforcement on FortiGate interfaces to use for FortiClient communication. You can also assign FortiClient profile
packages to FortiGate devices.
After you make configuration changes, install the changes to the device. See Installing to devices on page 129.
Viewing devices
The FortiClient Manager > FortiTelemetry pane displays FortiGate devices with central FortiClient management
enabled.
To view devices:
1. If using ADOMs, ensure you are in the correct ADOM.
2. Go to FortiClient Manager > FortiTelemetry. The list of FortiGate devices is displayed in the tree menu.
3. Select a device.
The following options are available in the toolbar for the selected device:
Add Interface
Click to enable FortiTelemetry on interfaces for the selected device to use
for FortiClient communication.
Remove Interface
Click to disable FortiTelemetry on the selected interface.
Assign Profile
Click to assign a FortiClient profile package to the FortiGate.
The following information is displayed in the content pane for the selected device:
Virtual Domain
Displays the name of the virtual domain for the selected FortiGate device if
applicable.
Interface
Displays the interfaces with FortiTelemetry enabled for the FortiGate
device. The interfaces are used for FortiClient communication, and
FortiClient endpoints use the interface to connect or register to FortiGate.
IP
Displays the IP address for the interface.
Enforce FortiClient
Displays whether FortiClient is enforced on the interface. A green
checkmark indicates FortiClient is enforced. An x in a circle indicates that
FortiClient is not enforced.
Profile Package
Displays the name of the FortiClient profile package that is assigned to the
FortiGate interface.
Enabling FortiTelemetry on interfaces
When you add an interface on the FortiClient Manager > FortiTelemetry pane, you are enabling FortiTelemetry
for the interface, and the interface is used for connection and communication with FortiClient endpoints.
When you remove an interface on the FortiClient Manager > FortiTelemetry pane, you are disabling
FortiTelemetry for the interface.
To enable FortiTelemetry on interfaces:
1. Go to FortiClient Manager > FortiTelemetry. The list of FortiGate devices is displayed in the tree menu.
2. Select a FortiGate device, and click Add Interface.
3. Select one or more interfaces to use for FortiClient communication, and click OK. The selected interfaces are
displayed in the Interface column, and FortiTelemetry is enabled for the interfaces.
Enabling endpoint control on interfaces
When you enable FortiClient enforcement on an interface, you are enabling endpoint control, and all FortiClient
endpoints using the interface are required to adhere to the FortiGate compliance rules that are specified in the
profile that is applied to the endpoint.
When you disable FortiClient enforcement on an interface, you are disabling endpoint control, and FortiClient
endpoints are not required to adhere to FortiGate compliance rules.
To enable FortiClient enforcement on interfaces:
1. Go to FortiClient Manager > FortiTelemetry. The list of FortiGate devices is displayed in the tree menu.
2. Click a FortiGate device.
3. Right-click an interface, and select Enable Enforce FortiClient.
You can disable FortiClient enforcement for the interface by selecting Disable Enforce FortiClient.
Assigning FortiClient profile packages to devices
You can use the FortiClient Manager > FortiTelemetry pane to assign FortiClient profile packages to interfaces
for FortiGate devices, and you can use the Install Wizard to install profile packages to FortiGate devices when
you install a configuration to the FortiGate device.
To assign FortiClient profile packages:
1. In the left pane, select a device.
2. In the content pane, click Assign Profile. The Assign Profile dialog box is displayed.
3. Select a profile package, and click OK. The selected profile package is assigned to the added interface(s).
4. Install the configuration changes to the FortiGate device.
Monitor
On the FortiClient Manager > Monitor pane, you can monitor FortiClient endpoints that are registered to
FortiGate devices.
Monitoring FortiClient endpoints
The list of FortiClient endpoints updates automatically when new endpoints are registered to the FortiGate
device. You can also click Refresh to update the list of FortiClient endpoints.
To monitor FortiClient endpoints:
1. If using ADOMs, ensure you are in the correct ADOM.
2. Go to FortiClient Manager > Monitor.
3. In the tree menu, select a FortiGate device.
The following buttons are available on the toolbar for the selected device:
Refresh
Click to refresh the list of FortiClient endpoints for the selected device.
Action
Click to select one of the following actions for the selected FortiClient endpoint:
- Block
- Unblock
- Quarantine
- Release Quarantine
- Unregister
Column Settings
Click to select which columns to display or select Reset to Default to
display the default columns.
By Interface
Click to organize the display of FortiClient endpoints by interface name, with endpoints whose interface is not detected grouped under Undetected. In the Device column, click Undetected or the interface name to hide or display its list of FortiClient endpoints.
By Compliance Status
Click to organize the display of FortiClient endpoints by the following
compliance statuses: Noncompliant and Exempt. In the Device column,
click Noncompliant or Exempt to hide and display its list of FortiClient
endpoints.
The following default columns of information are available for the selected device:
Device
Displays the name of the FortiClient endpoint that is registered to the
selected FortiGate device. It also displays an icon that represents the
operating system on the FortiClient endpoint. You can hover over each
device to view device details.
User
Displays the name of the user logged into the FortiClient endpoint.
IP Address
Displays the IP address of the FortiClient endpoint.
Status
Displays one of the following statuses for the FortiClient endpoint:
- Online
- Offline
- Registered-Online
- Registered-Offline
- Un-Registered
FortiClient Version
Displays the version of FortiClient software installed on the FortiClient endpoint.
FortiClient Profile
Displays the name of the FortiClient profile that is assigned to the
FortiClient endpoint.
Compliance
Displays one of the following compliance status icons for the FortiClient endpoint:
- Compliant
- Endpoint is not compliant with FortiClient profile
- Quarantined
- FortiTelemetry is disabled
- Exempt
Hover the mouse over the compliance status icon to view more information. Additional information about why the endpoint is not compliant may also be displayed.
Monitoring FortiClient endpoints by compliance status
To monitor FortiClient endpoints by compliance status:
1. Go to FortiClient Manager > Monitor.
2. In the tree menu, select a FortiGate device.
3. Click By Compliance Status.
The list of FortiClient endpoints is displayed by compliance status.
4. In the Device column, click the compliance status to hide and display its list of FortiClient endpoints.
For example, click Noncompliant to hide and display the list of FortiClient endpoints with a status of
noncompliant.
5. In the Compliance column, hover the mouse over the compliance status to view more details.
Monitoring FortiClient endpoints by interface
To monitor FortiClient endpoints by interface:
1. Go to FortiClient Manager > Monitor.
2. In the tree menu, select a FortiGate device.
3. Click By Interface.
The list of FortiClient endpoints is displayed by interface.
4. In the Device column, click Undetected or the name of the interface to hide and display its list of FortiClient
endpoints.
Exempting non-compliant FortiClient endpoints
You can exempt FortiClient endpoints that are non-compliant from the compliance rules to allow the endpoints to
access the network.
To exempt non-compliant FortiClient endpoints:
1. Go to FortiClient Manager > Monitor.
2. In the tree menu, select a FortiGate device.
3. Select one or more FortiClient endpoints.
4. Right-click the selected FortiClient endpoint, and select Exempt this device or Exempt all devices of this type.
The FortiClient endpoint is exempt from the compliance rules.
5. Install the configuration changes to the FortiGate device.
FortiClient profiles
The FortiClient Manager > FortiClient Profiles pane allows you to create and manage FortiClient profile packages and
profiles for endpoints. You can create profile packages of profiles for endpoints that are running the following
operating systems: Windows, Mac, iOS, and Android.
The following information is displayed on the FortiClient Manager > FortiClient Profiles pane:
Profile Package
In the Profile Package menu, you can select to create, rename, or delete a
FortiClient profile package.
Assign Profile Package
Assigns the selected FortiClient profile package to a device.
Install Wizard
Click to launch the Install Wizard to install device settings to devices. This
process installs the FortiClient profile package that is assigned to the
device.
Viewing profile packages
To view profile packages:
1. Go to FortiClient Manager > FortiClient Profiles.
2. Click All Profile Packages.
The following options are available in the toolbar:
Create New
Click to create a new FortiClient profile package.
Rename
Click to rename the selected profile package.
Delete
Click to delete the selected profile package and all of its profiles.
The following information is displayed in the content pane:
Package Name
Displays the name of the profile package.
Device Targets
Displays the name of the device to which the profile package has been
assigned.
Viewing FortiClient profiles
To view FortiClient profiles:
1. Go to FortiClient Manager > FortiClient Profiles.
2. In the All Profile Packages tree menu, click a profile.
The following options are available in the toolbar:
Create New
Click to create a new FortiClient profile for the selected FortiClient profile
package.
Edit
Select a profile, and click Edit to edit the profile. Alternatively, double click
the profile to open the Edit FortiClient Profile pane.
Delete
Select a profile, and click Delete to delete the profile from the selected
FortiClient profile package. Alternately, right-click a profile, and select
Delete.
Import
Select to import a FortiClient profile from an existing device or VDOM into
the selected FortiClient profile package.
Column Settings
Click to select which columns to display or select Reset to Default to
display the default columns.
The following information is displayed in the content pane:
Seq.#
Displays the sequence number of the FortiClient profile.
FortiClient Profile
Displays the name of the FortiClient profile for the selected FortiClient
profile package.
Assign To
Displays the device groups, user groups, and users associated with the
FortiClient profile.
Comments
Displays any comments about the FortiClient profile.
Non-Compliance Action
Displays the selected non-compliance action settings from the FortiClient
profile. The settings include: Warning, Block, or Auto-Update.
Creating FortiClient profile packages
FortiClient profile packages contain one or more FortiClient profiles. You assign FortiClient profile packages to
devices or VDOMs.
FortiManager includes a default FortiClient profile package, and you can create multiple profiles for the profile
package.
You can also create custom FortiClient profile packages and profiles.
To create profile packages:
1. Go to FortiClient Manager > FortiClient Profiles.
2. From the Profile Package menu, select Create New.
3. Type a name, and click OK.
Creating FortiClient profiles
You can create one or more FortiClient profiles in a FortiClient profile package.
The FortiClient profile consists of the following sections:
- Non-compliance action
- Compliance rules
For more information on configuring FortiClient Profiles and Endpoint Control, see the FortiOS Handbook and
the FortiClient Administration Guide.
FortiClient profiles can be created, edited, deleted, and imported from devices using the right-click menu and
toolbar selections.
In FortiOS, this feature is found at Security Profiles > FortiClient Profiles.
To create a new FortiClient profile:
1. Go to FortiClient Manager > FortiClient Profiles.
2. In the tree menu, select the FortiClient profile package in which to create profiles.
3. Click Create New.
The Create New FortiClient Profile pane opens.
4. Enter the following information:
Profile Name
Type a name for the new FortiClient profile.
When creating a new FortiClient profile, XSS vulnerability characters are
not allowed.
Comments
(Optional) Type a profile description.
Assign Profile To
Identify where to assign the profile:
- Device Groups: Select device groups in the dropdown list.
- User Groups: Select user groups in the dropdown list.
- Users: Select users in the dropdown list.
- Address: Select addresses in the dropdown list.
You can assign the profile to user groups and users when using Active Directory authentication or RADIUS authentication for VPN.
On-Net Detection By Address
Identify whether to use an address to detect when endpoints are on-net. Select the address(es) from the list.
5. Set the Non-compliance action for FortiClient endpoint compliance:
Block
Select Block to provide the compliance rules but no configuration
information to FortiClient endpoints. When FortiClient endpoints fail to
comply with the compliance rules, endpoint access to the network is
blocked. Non-compliance information is displayed in the FortiClient
console. The administrator or endpoint user is responsible for reading the
noncompliance information and updating FortiClient software on the
endpoints to adhere to the compliance rules.
Warning
Select Warning to provide the compliance rules but no configuration
information to FortiClient endpoints. When FortiClient endpoints fail to
comply with the compliance rules, endpoint users are warned, but allowed
to continue accessing the network. Non-compliance information is
displayed in the FortiClient console. The administrator or endpoint user is
responsible for reading the noncompliance information and updating
FortiClient software on the endpoints to adhere to the compliance rules.
Auto-update
Select Auto-update to provide the compliance rules and configuration
information from FortiGate. The configuration information provided by
FortiGate helps FortiClient endpoints remain compliant. Non-compliance
information is displayed in the FortiClient console. The FortiManager
administrator and endpoint user are responsible for keeping endpoints
compliant.
6. Set the compliance rules for FortiClient endpoints:
Endpoint Vulnerability Scan on Client
Toggle on or off. Toggle ON to include the setting in the compliance rules. Toggle OFF to exclude the setting from the compliance rules.
Vulnerability quarantine level
When Endpoint Vulnerability Scan on Client is toggled ON, you can select a quarantine level from the Vulnerability quarantine level list.
System compliance
Toggle on or off. Toggle ON to include the setting in the compliance rules and display additional options, such as minimum FortiClient version. Toggle OFF to exclude the setting from the compliance rules.
Minimum FortiClient Version
When System compliance is toggled ON, you can enable or disable Minimum FortiClient Version. Toggle ON to display the Windows endpoints and Mac endpoints options.
Windows endpoints
When Minimum FortiClient Version is toggled ON, you can type the minimum version of FortiClient that is required on endpoints running Windows operating systems.
Mac endpoints
When Minimum FortiClient Version is toggled ON, you can type the minimum version of FortiClient that is required on endpoints running Macintosh operating systems.
Upload logs to FortiAnalyzer
When System compliance is toggled ON, you can enable or disable the uploading of FortiClient logs from endpoints to FortiAnalyzer. Toggle ON to enable uploading of logs to FortiAnalyzer, and then select the types of logs to upload. You can upload Traffic, Vulnerability, and/or Event logs.
AntiVirus
Toggle on or off. Toggle ON to include AntiVirus in the compliance rules and display additional options, such as Realtime Protection. Toggle OFF to exclude the setting from the compliance rules.
Realtime Protection
When AntiVirus is toggled ON, you can enable or disable Realtime Protection. Toggle ON to enable Realtime Protection and display additional options, such as Up-to-date signatures.
Up-to-date signatures
When AntiVirus and Realtime Protection are toggled ON, you can enable or disable Up-to-date signatures. Toggle ON to enable up-to-date signatures.
Scan with FortiSandbox
When AntiVirus and Realtime Protection are toggled ON, you can enable or disable scanning with FortiSandbox. Toggle ON to enable scanning with FortiSandbox.
Third party AntiVirus on Windows
Toggle on or off. Toggle ON to include a requirement of third-party AntiVirus software on the endpoint in the compliance rules.
Web Filter
Toggle on or off. Toggle ON to include Web Filter in the compliance rules. Toggle OFF to exclude the setting from the compliance rules.
Profile
When Web Filter is toggled ON, you can select a web filter profile. A default profile is selected by default.
Application Firewall
Toggle on or off. Toggle ON to include Application Firewall in the compliance rules. Toggle OFF to exclude the setting from the compliance rules.
Application Control Sensor
When Application Firewall is toggled ON, you can select an application control sensor. A default application control sensor is selected by default.
7. Click OK.
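The rules in steps 5 and 6 combine in a particular way: a child setting only counts when its parent toggle is ON, the minimum FortiClient version has to be compared numerically rather than as text, and an endpoint that was exempted on the Monitor pane is reported but keeps network access whatever the non-compliance action says. The following Python script is an added example written for this guide, not FortiManager or FortiClient code; the Profile and Endpoint records, the violations and evaluate functions, the ACTIONS wording and the sample endpoints are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Non-compliance actions as step 5 describes them (assumed wording).
ACTIONS = {
    "Block": "network access blocked",
    "Warning": "user warned, access allowed",
    "Auto-update": "configuration pushed from FortiGate to remediate",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric version tuple so that 5.10.1 sorts above 5.6.0. A plain string
    comparison gets this wrong ("5.10.1" < "5.6.0"), a classic compliance bug."""
    return tuple(int(part) for part in version.split("."))


@dataclass
class Profile:
    """Subset of the compliance rules, modelled after the GUI toggles above."""
    non_compliance_action: str = "Warning"   # Block | Warning | Auto-update
    system_compliance: bool = False
    min_version_windows: Optional[str] = None
    min_version_mac: Optional[str] = None
    antivirus: bool = False
    realtime_protection: bool = False
    up_to_date_signatures: bool = False
    third_party_av_windows: bool = False
    web_filter: bool = False
    application_firewall: bool = False


@dataclass
class Endpoint:
    """Constructed telemetry for one registered FortiClient endpoint."""
    name: str
    os: str                          # "Windows" or "Mac"
    version: str
    av_realtime: bool = False
    av_signatures_current: bool = False
    third_party_av: bool = False
    web_filter_on: bool = False
    app_firewall_on: bool = False
    exempt: bool = False             # set via Monitor > Exempt this device


def violations(profile: Profile, endpoint: Endpoint) -> List[str]:
    """Return every rule the endpoint fails; an empty list means compliant.
    Child settings only apply when their parent toggle is ON, as in the GUI."""
    failed: List[str] = []
    if profile.system_compliance:
        required = (profile.min_version_windows if endpoint.os == "Windows"
                    else profile.min_version_mac)
        if required and parse_version(endpoint.version) < parse_version(required):
            failed.append(f"FortiClient {endpoint.version} below minimum {required}")
    if profile.antivirus:
        if profile.realtime_protection and not endpoint.av_realtime:
            failed.append("Realtime Protection disabled")
        if (profile.realtime_protection and profile.up_to_date_signatures
                and not endpoint.av_signatures_current):
            failed.append("antivirus signatures out of date")
        if (profile.third_party_av_windows and endpoint.os == "Windows"
                and not endpoint.third_party_av):
            failed.append("no third-party antivirus on Windows")
    if profile.web_filter and not endpoint.web_filter_on:
        failed.append("Web Filter disabled")
    if profile.application_firewall and not endpoint.app_firewall_on:
        failed.append("Application Firewall disabled")
    return failed


def evaluate(profile: Profile, endpoint: Endpoint) -> Tuple[str, str, List[str]]:
    """Return (compliance status, action taken, reasons). Exempt endpoints
    keep network access whatever the profile's non-compliance action is."""
    failed = violations(profile, endpoint)
    if not failed:
        return "Compliant", "none", []
    if endpoint.exempt:
        return "Exempt", "none", failed
    return "Noncompliant", ACTIONS[profile.non_compliance_action], failed


SAMPLE_PROFILE = Profile(non_compliance_action="Block", system_compliance=True,
                         min_version_windows="5.6.0", antivirus=True,
                         realtime_protection=True, up_to_date_signatures=True,
                         web_filter=True)

SAMPLE_ENDPOINTS = [  # constructed endpoints, not real telemetry
    Endpoint("win-ok", "Windows", "5.10.1", av_realtime=True,
             av_signatures_current=True, web_filter_on=True),
    Endpoint("win-old", "Windows", "5.4.2", av_realtime=True,
             av_signatures_current=False, web_filter_on=True),
    Endpoint("mac-exempt", "Mac", "5.6.0", av_realtime=False,
             av_signatures_current=True, web_filter_on=True, exempt=True),
]

if __name__ == "__main__":
    for ep in SAMPLE_ENDPOINTS:
        status, action, reasons = evaluate(SAMPLE_PROFILE, ep)
        print(f"{ep.name}: {status} ({action}) {reasons}")
```

The Mac endpoint in the sample has no minimum version configured, so only the antivirus rule applies to it, and because it is exempt the Block action is not taken. The version comparison is the detail worth keeping: "5.10.1" compares below "5.6.0" as a string, so a naive check would block an endpoint that is actually ahead of the minimum.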
Editing FortiClient profiles
To edit a FortiClient profile:
1. Right-click a profile, and select Edit. The Edit FortiClient Profile <name> pane is displayed.
2. Edit the settings, and click OK.
Deleting FortiClient profiles
To delete a FortiClient profile:
1. Right-click a profile, and select Delete.
2. Click OK in the confirmation dialog box to delete the profile.
Importing FortiClient profiles
You can import FortiClient profiles from FortiGate.
To import a FortiClient profile:
1. Go to FortiClient Manager > FortiClient Profiles.
2. Select a profile package, and click Import. The Import dialog box is displayed.
3. Enter the following information:
Import From Device
Select a device from which to import the profile or profiles from the
dropdown list. This list will include all the devices available in the ADOM.
Profile
Select the profile to import.
New Name
Select to create a new name for the profile being imported, and then type
the name in the field.
4. Click OK. The profile is imported into the selected profile package.
Assigning profile packages
To assign profile packages:
1. Go to FortiClient Manager > FortiClient Profiles.
2. Select a profile package, and click Assign Profile Package. The Assign Profile Package dialog box is displayed.
3. Select one or more devices, and click OK. The profile package is assigned to the device(s).
4. Install the configuration changes to the FortiGate device. See Configuring a device on page 120 for more
information.
FortiGuard
The FortiGuard Distribution Network (FDN) provides FortiGuard services for your FortiManager system and its
managed devices and FortiClient agents. The FDN is a world-wide network of FortiGuard Distribution Servers
(FDS), which update the FortiGuard services on your FortiManager system on a regular basis so that your
FortiManager system is protected against the latest threats.
The FortiGuard services available on the FortiManager system include:
- Antivirus and IPS engines and signatures
- Web filtering and email filtering rating databases and lookups (select systems)
- Vulnerability scan and management support for FortiAnalyzer
To view and configure these services, go to FortiGuard > Advanced Settings.
In FortiGuard Management, you can configure the FortiManager system to act as a local FDS, or use a web proxy
server to connect to the FDN. FortiManager systems acting as a local FDS synchronize their FortiGuard service
update packages with the FDN, then provide these FortiGuard updates and lookup replies to your private
network's FortiGate devices. The local FDS provides a faster connection, reducing Internet connection load and
the time required to apply frequent updates, such as antivirus signatures, to many devices.
As an example, you might enable FortiGuard services to FortiGate devices on the built-in FDS, then specify the
FortiManager system’s IP address as the override server on your devices. Instead of burdening your Internet
connection with all the devices downloading antivirus updates separately, the FortiManager system would use
the Internet connection once to download the FortiGate antivirus package update, then redistribute the package
to the devices.
FortiGuard Management also includes firmware revision management. To view and configure firmware options,
go to FortiGuard > Firmware Images. You can download these images from the Customer Service & Support
portal to install on your managed devices or on the FortiManager system.
Before you can use your FortiManager system as a local FDS, you must:
- Register your devices with Fortinet Customer Service & Support and enable the FortiGuard service licenses. See your device documentation for more information on registering your products.
- If the FortiManager system’s Unregistered Device Options do not allow service to unregistered devices, add your devices to the device list, or change the option to allow service to unregistered devices. For more information, see the FortiManager CLI Reference. For information about FDN service connection attempt handling or adding devices, see Device Manager on page 103.
- Enable and configure the FortiManager system’s built-in FDS. For more information, see Configuring network interfaces on page 40.
- Connect the FortiManager system to the FDN. The FortiManager system must retrieve service update packages from the FDN before it can redistribute them to devices and FortiClient agents on the device list. For more information, see Connecting the built-in FDS to the FDN on page 335.
- Configure each device or FortiClient endpoint to use the FortiManager system’s built-in FDS as their override server. You can do this when adding a FortiGate system. For more information, see Adding devices on page 104.
Administration Guide
Fortinet Technologies Inc.
This section contains the following topics:
- Settings
- Configuring devices to use the built-in FDS
- Configuring FortiGuard services
- Logging events related to FortiGuard services
- Restoring the URL or antispam database
- Licensing status
- Package management
- Query server management
- Firmware images
For information on current security threats, virus and spam sample submission, and
FortiGuard service updates available through the FDN, including antivirus, IPS, web
filtering, and email filtering, see the FortiGuard Center website,
http://www.fortiguard.com/.
Settings
FortiGuard > Settings provides a central location for configuring and enabling your FortiManager system’s built-in
FDS as an FDN override server.
By default, this option is enabled. After configuring FortiGuard and configuring your devices to use the
FortiManager system as their FortiGuard server, you can view overall and per device statistics on FortiGuard
service benefits.
To operate in a closed network, disable communication with the FortiGuard server. See Operating as an FDS in a
closed network on page 336.
Enable Communication with FortiGuard Servers: When toggled OFF, you must manually upload packages, databases, and licenses to your FortiManager. See Operating as an FDS in a closed network on page 336.
Communication with FortiGuard Server: Select Servers Located in the US Only to limit communication to FortiGuard servers located in the USA. Select Global Servers to communicate with servers anywhere.
Enable Antivirus and IPS Service: Toggle ON to enable antivirus and intrusion protection service.
Enable Web Filter Services: Toggle ON to enable web filter services. When uploaded to FortiManager, the Web Filter database is displayed.
Enable Email Filter Services: Toggle ON to enable email filter services. When uploaded to FortiManager, the Email Filter database is displayed.
Server Override Mode: Select Strict (Access Override Server Only) or Loose (Allow Access Other Servers) override mode.
FortiGuard Antivirus and IPS Settings: Configure antivirus and IPS settings. See FortiGuard antivirus and IPS settings on page 332.
FortiGuard Web Filter and Email Filter Settings: Configure web and email filter settings. See FortiGuard web and email filter settings on page 333.
Override FortiGuard Server (Local FortiManager): Configure alternate FortiGuard server settings. See Override FortiGuard server (Local FortiManager) on page 334.
When on, select which versions of FortiGate, FortiClient, FortiAnalyzer, and FortiMail to download updates for.
FortiGuard antivirus and IPS settings
In this section you can configure the FortiGuard Antivirus and IPS settings. The following settings are available:
Use Override Server Address for FortiGate/FortiMail: Configure to override the default built-in FDS so that you can use a port or specific FDN server. Select the add icon to add additional override servers, up to a maximum of ten. Select the delete icon to remove entries. To override the default server for updating FortiGate/FortiMail device’s FortiGuard services, see Overriding default IP addresses and ports on page 341.
Allow Push Update: Configure to allow urgent or critical updates to be pushed directly to the FortiManager system when they become available on the FDN. The FortiManager system immediately downloads these updates. To enable push updates, see Enabling push updates on page 339.
Use Web Proxy: Configure the FortiManager system’s built-in FDS to connect to the FDN through a web proxy. To enable updates using a web proxy, see Enabling updates through a web proxy on page 340.
Scheduled Regular Updates: Configure when packages are updated without manually initiating an update request. To schedule regular service updates, see Scheduling updates on page 341.
Update: Select to immediately update the configured antivirus and email filter settings.
Advanced: Enables logging of service updates and entries. If either checkbox is not selected, you will not be able to view these entries and events when you select View FDS and FortiGuard Download History.
FortiGuard web and email filter settings
In this section you can configure the FortiGuard Web Filter and Email Filter settings. The following settings are available:
Connection to FDS Server(s): Configure connections for overriding the default built-in FDS or web proxy server for web filter and email filter settings. To override an FDS server for web filter and email filter services, see Overriding default IP addresses and ports on page 341. To enable web filter and email filter service updates using a web proxy server, see Enabling updates through a web proxy on page 340.
Use Override Server Address for FortiClient: Configure to override the default built-in FDS so that you can use a port or specific FDN server. Select the add icon to add additional override servers, up to a maximum of ten. Select the delete icon to remove entries.
Use Override Server Address for FortiGate/FortiMail: Configure to override the default built-in FDS so that you can use a port or specific FDN server. Select the add icon to add additional override servers, up to a maximum of ten. Select the delete icon to remove entries. To override the default server for updating FortiGate device’s FortiGuard services, see Overriding default IP addresses and ports on page 341.
Use Web Proxy: Configure the FortiManager system’s built-in FDS to connect to the FDN through a web proxy. IPv4 and IPv6 are supported. To enable updates using a web proxy, see Enabling updates through a web proxy on page 340.
Polling Frequency: Configure how often polling is done.
Log Settings: Configure logging of FortiGuard web filtering, email filter, and antivirus query events.
- Log FortiGuard Server Update Events: enable or disable.
- FortiGuard Web Filtering: Choose from Log URL disabled, Log non-URL events, and Log all URL lookups.
- FortiGuard Anti-spam: Choose from Log Spam disabled, Log non-spam events, and Log all Spam lookups.
- FortiGuard Anti-virus Query: Choose from Log Virus disabled, Log non-virus events, and Log all Virus lookups.
To configure logging of FortiGuard web filtering and email filtering events, see Logging FortiGuard web or email filter events on page 343.
Override FortiGuard server (Local FortiManager)
Configure and enable alternate FortiManager FDS devices, rather than using the local FortiManager system. You
can set up multiple alternate FDS locations and select which services they are used for. The following settings are
available:
Additional number of Private FortiGuard Servers (Excluding This One): Select the add icon to add a private FortiGuard server. Select the delete icon to remove entries.
Enable Antivirus and IPS Update Service for Private Server: When one or more private FortiGuard servers are configured, update antivirus and IPS through this private server instead of using the default FDN. When adding a private server, you must type its IP address and time zone. This option is available only when a private server has been configured.
Enable Web Filter and Email Filter Update Service for Private Server: When one or more private FortiGuard servers are configured, update the web filter and email filter through this private server instead of using the default FDN. This option is available only when a private server has been configured.
Allow FortiGates to Access Public FortiGuard Servers When Private Servers Unavailable: When one or more private FortiGuard servers are configured, managed FortiGate units will go to those private servers for FortiGuard updates. Enable this feature to allow those FortiGate units to then try to access the public FDN servers if the private servers are unreachable. This option is available only when a private server has been configured.
The FortiManager system’s network interface settings can restrict which network
interfaces provide FDN services. For more information, see Configuring network
interfaces on page 40.
Connecting the built-in FDS to the FDN
When you enable the built-in FDS and initiate an update either manually or by a schedule, the FortiManager
system attempts to connect to the FDN.
If all connection attempts to the server list fail, the connection status will be Disconnected.
If the connection status remains Disconnected, you may need to configure the FortiManager system’s
connection to the FDN by:
- overriding the default IP address and/or port
- configuring a connection through a web proxy
After establishing a connection with the FDN, the built-in FDS can receive FortiGuard service update packages,
such as antivirus engines and signatures or web filtering database updates, from the FDN.
To enable the built-in FDS:
1. Go to FortiGuard > Settings.
2. Enable the types of FDN services that you want to provide through your FortiManager system’s built-in FDS. For
more information, see Configuring FortiGuard services on page 339.
3. Click Apply.
The built-in FDS attempts to connect to the FDN.
If the built-in FDS is unable to connect, you may need to enable the selected services
on a network interface. For more information, see Configuring network interfaces on
page 40.
If you still cannot connect to the FDN, check routes, DNS, and any intermediary
firewalls or NAT devices for policies that block necessary FDN ports and protocols. For
additional FDN troubleshooting information, including FDN server selection, see FDN
port numbers and protocols on page 341.
See the FortiOS HandBook: FortiGuard Licensing for FortiGates with Limited or No Connectivity document in
the Fortinet Document Library at http://docs.fortinet.com/fortigate/admin-guides for more information.
Operating as an FDS in a closed network
The FortiManager can be operated as a local FDS server when it is in a closed network with no internet
connectivity.
Without a connection to a FortiGuard server, update packages and licenses must be manually downloaded from
support, and then uploaded to the FortiManager.
As databases can be large, we recommend uploading them using the CLI. See
Uploading packages with the CLI.
Go to FortiGuard > Settings to configure FortiManager as a local FDS server and to upload update packages and
licenses.
Enable Communication with FortiGuard Servers: Toggle OFF to disable communication with the FortiGuard servers.
Enable Antivirus and IPS Service: Toggle ON to enable antivirus and intrusion protection service.
Enable Web Filter Services: Toggle ON to enable web filter services. When uploaded to FortiManager, the Web Filter database is displayed.
Enable Email Filter Services: Toggle ON to enable email filter services. When uploaded to FortiManager, the Email Filter database is displayed.
When on, select which versions of FortiGate, FortiClient, FortiAnalyzer, and FortiMail to download updates for.
Upload Options for FortiGate/FortiMail
AntiVirus/IPS Packages: Select to upload antivirus and IPS packages. Browse for the file you downloaded from the Customer Service & Support portal on your management computer. Select OK to upload the package to FortiManager.
Web Filter Database: Select to upload the web filter database. Browse for the file you downloaded from the Customer Service & Support portal on your management computer. Select OK to upload the package to FortiManager. As the database can be large, uploading with the CLI is recommended. See the instructions below.
Email Filter Database: Select to upload the email filter database. Browse for the file you downloaded from the Customer Service & Support portal on your management computer. Select OK to upload the package to FortiManager. As the database can be large, uploading with the CLI is recommended. See the instructions below.
Service License: Select to import the FortiGate license. Browse for the file on your management computer. Select OK to upload the package to FortiManager. A license file can be obtained from support by requesting your account entitlement for the device.
Upload Options for FortiClient
AntiVirus/IPS Packages: Select to upload the FortiClient AntiVirus/IPS packages. Browse for the file you downloaded from the Customer Service & Support portal on your management computer. Select OK to upload the package to FortiManager.
Uploading packages with the CLI
Packages and licenses can be uploaded using the CLI. This should be used when the packages being uploaded
are large, like database packages.
To upload packages and license files using the CLI:
1. If not already done, disable communications with the FortiGuard server and enable a closed network with the
following CLI commands:
config fmupdate publicnetwork
set status disable
end
2. Upload an update package or license:
a. Load the package or license file to an FTP, SCP, or TFTP server
b. Run the following CLI command:
execute fmupdate {ftp | scp | tftp} import <av-ips | fct-av | url | spam | file-query | license-fgt | license-fct | custom-url | domp> <remote_file> <ip> <port> <remote_path> <user> <password>
Configuring devices to use the built-in FDS
After enabling and configuring the FortiManager system’s built-in FDS, you can configure devices to use the built-in FDS by providing the FortiManager system’s IP address and configured port as their override server.
Devices are not required to be registered with FortiManager system’s Device Manager to use the built-in FDS for
FortiGuard updates and services.
Procedures for configuring devices to use the built-in FDS vary by device type. See the documentation for your
device for more information.
If you are connecting a device to a FortiManager system’s built-in FDS, some types of
updates, such as antivirus engine updates, require you to enable SSH and HTTPS
Administrative Access on the network interface which will receive push updates. See
Network on page 40 for details.
Matching port settings
When configuring a device to override default FDN ports and IP addresses with that of a FortiManager system,
the default port settings for the device’s update or query requests may not match the listening port of the
FortiManager system’s built-in FDS. If this is the case, the device’s requests will fail. To successfully connect
them, you must match the devices’ port settings with the FortiManager system’s built-in FDS listening ports.
For example, the default port for FortiGuard antivirus and IPS update requests is TCP 443 on FortiOS v4.0 and
higher, but the FortiManager system’s built-in FDS listens for those requests on TCP 8890. In this case, the
FortiGate unit’s update requests would fail until you configure the unit to send requests on TCP 8890.
In some cases, the device may not be configurable; instead, you must configure the FortiManager system to
listen on an alternate port.
Handling connection attempts from unregistered devices
The built-in FDS replies to FortiGuard update and query connections from devices registered with the device
manager’s device list. If the FortiManager is configured to allow connections from unregistered devices,
unregistered devices can also connect.
For example, you might choose to manage a FortiGate unit’s firmware and configuration locally (from its GUI),
but use the FortiManager system when the FortiGate unit requests FortiGuard antivirus and IPS updates. In this
case, the FortiManager system considers the FortiGate unit to be an unregistered device, and must decide how
to handle the connection attempt. The FortiManager system will handle the connection attempt based on how it
is configured. Connection attempt handling is only configurable via the CLI.
To configure connection attempt handling:
1. Go to the CLI Console widget in the System Settings > Dashboard pane. For information on widget settings, see
Customizing the dashboard on page 448.
2. Click inside the console to connect.
3. To configure the system to add unregistered devices and allow service requests, type the following CLI command
lines:
config system admin setting
set unreg_dev_opt add_allow_service
end
4. To configure the system to add unregistered devices but deny service requests, type the following CLI command
lines:
config system admin setting
set unreg_dev_opt add_no_service
end
For more information, see the FortiManager CLI Reference.
Configuring FortiGuard services
FortiGuard Management provides a central location for configuring how the FortiManager system accesses the
FDN and FDS, including push updates. The following procedures explain how to configure FortiGuard services
and configuring override and web proxy servers, if applicable.
If you need to host a custom URL list that is rated by the FortiGate unit, you can import the list using the CLI.
- Enabling push updates
- Enabling updates through a web proxy
- Overriding default IP addresses and ports
- Scheduling updates
- Accessing public FortiGuard web and email filter servers
Enabling push updates
When an urgent or critical FortiGuard antivirus or IPS signature update becomes available, the FDN can push
update notifications to the FortiManager system’s built-in FDS. The FortiManager system then immediately
downloads the update.
To use push update, you must enable both the built-in FDS and push updates. Push update notifications will be
ignored if the FortiManager system is not configured to receive them. If TCP port 443 downloads must occur
through a web proxy, you must also configure the web proxy connection. See Enabling updates through a web
proxy on page 340.
If push updates must occur through a firewall or NAT device, you may also need to override the default push IP
address and port.
For example, overriding the push IP address can be useful when the FortiManager system has a private IP
address, and push connections to a FortiManager system must traverse NAT. Normally, when push updates are
enabled, the FortiManager system sends its IP address to the FDN; this IP address is used by the FDN as the
destination for push messages; however, if the FortiManager system is on a private network, this IP address may
be a private IP address, which is not routable from the FDN – causing push updates to fail.
To enable push through NAT, type a push IP address override, replacing the default IP address with an IP
address of your choice such as the NAT device’s external or virtual IP address. This causes the FDN to send push
packets to the override IP address, rather than the FortiManager system’s private IP address. The NAT device
can then forward the connection to the FortiManager system’s private IP address.
The built-in FDS may not receive push updates if the external IP address of any
intermediary NAT device is dynamic (such as an IP address from PPPoE or DHCP).
When the NAT device’s external IP address changes, the FortiManager system’s push
IP address configuration becomes out-of-date.
To enable push updates to the FortiManager system:
1. Go to FortiGuard > Settings.
2. Click the arrow to expand FortiGuard Antivirus and IPS Settings; see FortiGuard antivirus and IPS settings on
page 332.
3. Toggle ON beside Allow Push Update.
4. If there is a NAT device or firewall between the FortiManager system and the FDN which denies push packets to
the FortiManager system’s IP address on UDP port 9443, type the IP Address and/or Port number on the NAT
device which will forward push packets to the FortiManager system. The FortiManager system will notify the FDN
to send push updates to this IP address and port number.
- IP Address is the external or virtual IP address on the NAT device for which you will configure a static NAT or port forwarding.
- Port is the external port on the NAT device for which you will configure port forwarding.
5. Click Apply.
6. If you performed step 4, also configure the device to direct that IP address and/or port to the FortiManager
system.
- If you entered a virtual IP address, configure the virtual IP address and port forwarding, and use static NAT mapping.
- If you entered a port number, configure port forwarding; the destination port must be UDP port 9443, the FortiManager system’s listening port for updates.
To enable push through NAT in the CLI:
Enter the following commands:
config fmupdate fds-setting
config push-override-to-client
set status enable
config announce-ip
edit 1
set ip <override IP that FortiGate uses to download updates from FortiManager>
set port <port that FortiManager uses to send the update announcement>
end
end
end
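As an added example (not FortiManager code and not part of this guide), the following Python script parses the CLI blocks used in the closed-network, unregistered-device and push-through-NAT procedures above and audits the parsed result for the failure modes the guide describes: a closed network, a private announce IP that the FDN cannot route to, an external port that must be forwarded to UDP 9443, and unregistered devices being served. The function names and the sample configuration are constructed for illustration.

```python
"""Audit FortiManager built-in FDS settings from a CLI configuration dump.
Added example, not FortiManager product code. It parses the config/edit/set/next/end
syntax of the CLI blocks in this guide and flags the failure modes the guide describes.
"""
import ipaddress
import shlex

PUSH_LISTEN_PORT = 9443  # UDP port on which FortiManager listens for FDN push notifications
# RFC 1918 ranges: the guide warns that a private announce IP is not routable from the FDN.
RFC1918_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_fortinet_cli(text):
    """Parse 'config'/'edit'/'set'/'next'/'end' text into nested dicts.

    'next' closes the current edit entry; 'end' closes the enclosing config table
    even when typed inside an edit entry, as in this guide's push-override example.
    """
    root = {}
    stack = [("config", root)]  # (kind, node) pairs, kind is "config" or "edit"
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        node = stack[-1][1]
        if keyword == "config":
            stack.append(("config", node.setdefault(" ".join(args), {})))
        elif keyword == "edit":
            stack.append(("edit", node.setdefault(args[0], {})))
        elif keyword == "set" and len(args) >= 2:
            node[args[0]] = args[1] if len(args) == 2 else args[1:]
        elif keyword == "next" and stack[-1][0] == "edit":
            stack.pop()
        elif keyword == "end":
            while len(stack) > 1:  # leave the open edit entry, then the config table
                if stack.pop()[0] == "config":
                    break
        # Other keywords (unset, show, ...) are not needed for this audit.
    return root


def audit_fds_config(cfg):
    """Return a list of (severity, message) findings for a parsed configuration."""
    findings = []
    # Closed network: packages, databases and licenses must be uploaded manually.
    if cfg.get("fmupdate publicnetwork", {}).get("status") == "disable":
        findings.append(("info", "publicnetwork disabled: closed network, upload packages and licenses manually"))
    push = cfg.get("fmupdate fds-setting", {}).get("push-override-to-client", {})
    if push.get("status") == "enable":
        entries = push.get("announce-ip", {})
        if not entries:
            findings.append(("warn", "push override enabled but no announce-ip entry is configured"))
        for entry_id, entry in entries.items():
            ip = entry.get("ip", "")
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                findings.append(("error", f"announce-ip {entry_id}: '{ip}' is not a valid IP address"))
                continue
            # The FDN sends push packets to this address, so it must be reachable from the Internet.
            if addr.is_unspecified or any(addr in net for net in RFC1918_NETS):
                findings.append(("warn", f"announce-ip {entry_id}: {ip} is private, not routable from the FDN; push updates will fail"))
            port = int(entry.get("port", PUSH_LISTEN_PORT))
            if port != PUSH_LISTEN_PORT:
                findings.append(("info", f"announce-ip {entry_id}: NAT device must forward UDP {port} to UDP {PUSH_LISTEN_PORT} on FortiManager"))
    unreg = cfg.get("system admin setting", {}).get("unreg_dev_opt")
    if unreg == "add_allow_service":
        findings.append(("info", "unregistered devices are added to the device list and served FortiGuard updates"))
    elif unreg == "add_no_service":
        findings.append(("info", "unregistered devices are added to the device list but denied service"))
    return findings


# Constructed sample, not a real FortiManager configuration dump.
SAMPLE_CONFIG = """\
config fmupdate publicnetwork
    set status enable
end
config system admin setting
    set unreg_dev_opt add_allow_service
end
config fmupdate fds-setting
    config push-override-to-client
        set status enable
        config announce-ip
            edit 1
                set ip 192.168.10.5
                set port 19443
            end
        end
    end
end
"""

if __name__ == "__main__":
    for severity, message in audit_fds_config(parse_fortinet_cli(SAMPLE_CONFIG)):
        print(f"[{severity}] {message}")
```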
Enabling updates through a web proxy
If the FortiManager system’s built-in FDS must connect to the FDN through a web (HTTP or HTTPS) proxy, you
can specify the IP address and port of the proxy server.
If the proxy requires authentication, you can also specify a user name and password.
To enable updates to the FortiManager system through a proxy:
1. Go to FortiGuard > Settings.
2. If configuring a web proxy server to enable web and email filtering updates, expand FortiGuard Web Filter and
Email Filter Settings.
3. If configuring a web proxy to enable antivirus and IPS updates, expand FortiGuard Antivirus and IPS Settings.
4. Toggle ON beside Use Web Proxy and enter the IP address and port number of the proxy.
5. If the proxy requires authentication, enter the user name and password.
6. Click Apply.
If the FDN connection status is Disconnected, the FortiManager system is unable to connect through the
web proxy.
Overriding default IP addresses and ports
The FortiManager device’s built-in FDS connects to the FDN servers using default IP addresses and ports. You
can override these defaults if you want to use a port or specific FDN server that is different from the default.
To override default IP addresses and ports:
1. Go to FortiGuard > Settings.
2. If you want to override the default IP address or port for synchronizing with available FortiGuard antivirus and IPS
updates, click the arrow to expand FortiGuard Antivirus and IPS Settings, then toggle ON beside Use Override
Server Address for FortiGate/FortiMail and enter the IP address and/or port number for all FortiGate units.
3. If you want to override the FortiManager system’s default IP address or port for synchronizing with available
FortiGuard web and email filtering updates, click the arrow to expand FortiGuard Web Filter and Email Filter
Settings.
4. Toggle ON beside Use Override Server Address for FortiGate/FortiMail and/or Use Override Server Address for
FortiClient and type the IP address and/or port number.
5. Click Apply.
If the FDN connection status remains disconnected, the FortiManager system is unable to connect with the
configured override.
FDN port numbers and protocols
Both the built-in FDS and devices use certain protocols and ports to successfully request and receive updates
from the FDN or override server. Any intermediary proxies or firewalls must allow these protocols and ports, or the
connection will fail.
After connecting to the FDS, you can verify connection status on the FortiGuard Management page. For more
information about connection status, see Connecting the built-in FDS to the FDN on page 335.
Scheduling updates
Keeping the built-in FDS up-to-date is important to provide current FortiGuard update packages and rating
lookups to requesting devices. This is especially true as new viruses, malware, and spam sources pop up on a
very frequent basis. By configuring a scheduled update, you are guaranteed to have a relatively recent version of
database updates.
A FortiManager system acting as an FDS synchronizes its local copies of FortiGuard update packages with the
FDN when:
- you manually initiate an update request by selecting Update Now
- it is scheduled to poll or update its local copies of update packages
- if push updates are enabled, it receives an update notification from the FDN
If the network is interrupted when the FortiManager system is downloading a large file, it downloads all files again
when the network resumes.
To schedule antivirus and IPS updates:
1. Go to FortiGuard > Settings.
2. Click the arrow to expand FortiGuard Antivirus and IPS Settings; see FortiGuard antivirus and IPS settings on
page 332.
3. Toggle ON beside Schedule Regular Updates.
4. Specify an hourly, daily, or weekly schedule.
5. Click Apply.
To schedule Web Filtering and Email Filter polling:
1. Go to FortiGuard > Settings.
2. Click the arrow to expand FortiGuard Web Filter and Email Filter Settings.
3. In Polling Frequency, select the number of hours and minutes of the polling interval.
4. Click Apply.
If you have formatted your FortiManager system’s hard disk, polling and lookups will
fail until you restore the URL and email filter databases. For more information, see
Restoring the URL or antispam database on page 344.
Accessing public FortiGuard web and email filter servers
You can configure the FortiManager system to allow the managed FortiGate units to access public FortiGuard
web filter or email filter network servers in the event local FortiGuard web filter or email filter server URL lookups
fail. You can specify private servers where the FortiGate units can send URL queries.
To access public FortiGuard web and email filter servers:
1. Go to FortiGuard > Settings.
2. Click the arrow beside Override FortiGuard Server (Local FortiManager).
3. Click the add icon next to Additional number of private FortiGuard servers (excluding this one). Select the delete
icon to remove entries.
4. Type the IP Address for the server and select its Time Zone.
5. Repeat step 4 as often as required. You can include up to ten additional servers.
6. Select the additional options to set where the FDS updates come from, and if the managed FortiGate units can
access these servers if the local FDS is not available.
- Toggle ON beside Enable Antivirus and IPS update Service for Private Server if you want the FDS updates to come from a private server.
- Toggle ON beside Enable Web Filter and Email Filter Service for Private Server if you want the updates to come from a private server.
- Toggle ON beside Allow FortiGates to Access Public FortiGuard Servers when Private Servers are Unavailable if you want the updates to come from public servers in case the private servers are unavailable.
7. Click Apply.
Logging events related to FortiGuard services
You can log a variety of events related to FortiGuard services.
Logging events from the FortiManager system’s built-in FDS requires that you also
enable local event logging.
Logging FortiGuard antivirus and IPS updates
You can track FortiGuard antivirus and IPS updates to both the FortiManager system’s built-in FDS and any
registered FortiGate devices which use the FortiManager system’s FDS.
To log updates and histories to the built-in FDS:
1. Go to FortiGuard > Settings.
2. Click the arrow to expand FortiGuard Antivirus and IPS Settings; see FortiGuard antivirus and IPS settings on
page 332.
3. Under the Advanced heading, toggle ON beside Log Update Entries from FDS Server.
4. Click Apply.
To log updates to FortiGate devices:
1. Go to FortiGuard > Settings.
2. Click the arrow to expand FortiGuard Antivirus and IPS Settings.
3. Under the Advanced heading, toggle ON beside Log Update Histories for Each FortiGate.
4. Click Apply.
Logging FortiGuard web or email filter events
You can track FortiGuard web filtering and email filtering lookup and non-events occurring on any registered
FortiGate device which uses the FortiManager system’s FDS.
Before you can view lookup and non-event records, you must enable logging for FortiGuard web filtering or email
filter events.
Restoring the URL or antispam database
To log rating queries:
1. Go to FortiGuard > Settings.
2. Click the arrow to expand FortiGuard Web Filtering and Email Filter Settings.
3. Configure the log settings, then click Apply:
Log FortiGuard Server Update Events: Enable or disable logging of FortiGuard server update events.
FortiGuard Web Filtering:
- Log URL disabled: Disable URL logging.
- Log non-URL events: Logs only non-URL events.
- Log all URL lookups: Logs all URL lookups (queries) sent to the FortiManager system’s built-in FDS by FortiGate devices.
FortiGuard Anti-spam:
- Log Spam disabled: Disable spam logging.
- Log non-spam events: Logs email rated as non-spam.
- Log all Spam lookups: Logs all spam lookups (queries) sent to the FortiManager system’s built-in FDS by FortiGate devices.
FortiGuard Anti-virus Query:
- Log Virus disabled: Disable virus logging.
- Log non-virus events: Logs only non-virus events.
- Log all Virus lookups: Logs all virus queries sent to the FortiManager system’s built-in FDS by FortiGate devices.
Restoring the URL or antispam database
Formatting the hard disk or partition on FortiManager 3000 units and higher deletes the URL and antispam
databases required to provide FortiGuard email filter and web filtering services through the built-in FDS. The
databases will re-initialize when the built-in FDS is scheduled next, to synchronize them with the FDN.
Before formatting the hard disk or partition, you can back up the URL and antispam databases using the CLI,
which encrypts the file. You can also back up licenses. The databases can be restored by importing them
using the CLI. If you have created a custom URL database, you can also back up or restore this customized
database (for FortiGate units).
Licensing status
FortiManager includes a licensing overview page that allows you to view license information for all managed
FortiGate devices. To view the licensing status, go to FortiGuard > Licensing Status.
This page displays the following information:
Refresh: Select the refresh icon to refresh the information displayed on this page.
Hide/Show license expired devices only: Toggle to hide and display devices with an expired license only.
Search: Use the search field to find a specific device in the table.
Device Name: The device name or host name. You can change the order that devices are listed by clicking the column title.
Serial Number: The device serial number.
Platform: The device type, or platform.
ADOM: ADOM information. You can change the order that ADOMs are listed by clicking the column title.
Antivirus: The license status and expiration date. You can change the order that devices are listed by clicking the column title.
IPS: The license status and expiration date. You can change the order that devices are listed by clicking the column title.
Email Filtering: The license status and expiration date. You can change the order that devices are listed by clicking the column title.
Web Filtering: The license status and expiration date. You can change the order that devices are listed by clicking the column title.
Mobile & Botnet C&C: The license status and expiration date. You can change the order that devices are listed by clicking the column title.
Support: The license status and expiration date. You can change the order that devices are listed by clicking the column title.
Icon states:
- Green: License OK
- Orange: License will expire soon
- Red: License has expired
Package management
Antivirus and IPS signature packages are managed in FortiGuard > Package Management. Packages received
from FortiGuard and the service status of managed devices are listed in Receive Status and Service Status,
respectively.
Receive status
To view packages received from FortiGuard, go to FortiGuard > Package Management > Receive Status. This
page lists received packages, grouped by platform.
The following information is displayed:
Refresh
Select to refresh the table.
Show Used Object Only
Clear to show all package information. Select to show only relevant
package information.
Object Type
The type of object for the package.
Package Received
The name of the package.
Latest Version (Release Date/Time)
The package version.
Size
The size of the package.
To Be Deployed Version
The package version that is to be deployed. Select Change to change the
version.
Update History
Select the icon to view the package update history.
Deployed version
To change the to-be-deployed version of a received package, click Change in the To Be Deployed Version
column for the package.
The Change Version dialog box is displayed, allowing you to select an available version from the dropdown list.
Update history
When you click the Update History button for a package, the Update History pane is displayed for the package.
It shows the update times, the events that occurred, the statuses of the updates, and the versions downloaded.
Service status
To view service statuses, go to FortiGuard > Package Management > Service Status. The service status
information can be displayed by installed package name or by device name.
The following options are available in the toolbar:
Push Pending
Select the device or devices in the list, then click Push Pending in the
toolbar to push pending updates to the device or devices.
Push All Pending
Select Push All Pending in the toolbar to push pending updates to all of the
devices in the list.
Refresh
Select to refresh the list.
By Package
Displays the service status information by installed package name.
By Device
Displays the service status information by device name.
Service status by Device
When you click the By Device button in the toolbar, the Service Status page displays a list of all the managed
FortiGate devices, their last update time, and their status.
You can push pending updates to the devices, either individually or all at the same time. You can refresh the
list by clicking Refresh in the toolbar.
Device
The device serial number or host name is displayed.
Status
The service update status. A device's status can be one of the following:
- Up to Date: The latest package has been received by the FortiGate unit.
- Never Updated: The FortiGate unit has never requested or received the package.
- Pending: The FortiGate unit has an older version of the package due to an acceptable reason (such as the
scheduled update time having not come yet). Hover the mouse over a pending icon to view the package to be
installed.
- Problem: The FortiGate unit missed the scheduled query, or did not correctly receive the latest package.
- Unknown: The FortiGate unit’s status is not currently known.
Last Update Time
The date and time of the last update.
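The five statuses above can be reproduced off-box, which is useful when you want to alert on Problem devices rather than scan the page by hand. The following Python script is an added example, not code from the guide or from Fortinet: it classifies constructed device records into the page's statuses and lists the devices worth selecting before clicking Push Pending. The DeviceRecord fields, the sample devices, the package version strings and the rule used to tell Pending from Problem (scheduled update time still in the future and the last query succeeded) are this example's own assumptions; the page names the states but not the exact test behind them.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Status names exactly as the Service Status page shows them.
UP_TO_DATE, NEVER_UPDATED, PENDING, PROBLEM, UNKNOWN = (
    "Up to Date", "Never Updated", "Pending", "Problem", "Unknown")


@dataclass
class DeviceRecord:
    """What the FortiManager knows about one device for one package (assumed shape)."""
    name: str
    installed_version: Optional[str]    # None: the device never received the package
    last_update: Optional[datetime]     # None: never updated
    next_scheduled: Optional[datetime]  # when the device is next expected to query the built-in FDS
    last_query_ok: Optional[bool]       # None: no query record at all, so the status is unknown


def version_key(v):
    """FortiGuard package versions are dotted numerics, e.g. '58.00467'; compare numerically."""
    return tuple(int(part) for part in v.split("."))


def classify(rec, latest_version, now):
    """Map one device/package record onto the page's five statuses."""
    if rec.installed_version is None and rec.last_update is None:
        return NEVER_UPDATED
    if rec.last_query_ok is None or rec.installed_version is None:
        return UNKNOWN
    if version_key(rec.installed_version) >= version_key(latest_version):
        return UP_TO_DATE
    # Older than the to-be-deployed version. Assumption: this is acceptable (Pending) only
    # while the device's scheduled update time is still ahead and its last query succeeded;
    # a missed query, a failed download or an overdue schedule is a Problem.
    if rec.last_query_ok and rec.next_scheduled is not None and now < rec.next_scheduled:
        return PENDING
    return PROBLEM


def service_status(records, latest_version, now):
    """The By Device view: {device name: status}."""
    return {r.name: classify(r, latest_version, now) for r in records}


def push_candidates(records, latest_version, now):
    """Devices to select before clicking Push Pending: behind the latest version and reachable.
    Never Updated and Unknown devices need a connectivity check first, so they are left out."""
    status = service_status(records, latest_version, now)
    return sorted(n for n, s in status.items() if s in (PENDING, PROBLEM))


# Constructed sample: five devices as they might appear for one antivirus database package.
NOW = datetime(2018, 1, 19, 12, 0)
LATEST = "58.00467"
SAMPLE = [
    DeviceRecord("fgt-hq-01", "58.00467", NOW - timedelta(hours=1), NOW + timedelta(hours=1), True),
    DeviceRecord("fgt-branch-02", "58.00460", NOW - timedelta(days=1), NOW + timedelta(hours=3), True),
    DeviceRecord("fgt-branch-03", "58.00460", NOW - timedelta(days=3), NOW - timedelta(hours=2), False),
    DeviceRecord("fgt-lab-04", None, None, None, None),
    DeviceRecord("fgt-dmz-05", "58.00467", NOW - timedelta(days=2), None, None),
]

if __name__ == "__main__":
    for name, status in service_status(SAMPLE, LATEST, NOW).items():
        print(f"{name:14} {status}")
    print("Push Pending:", push_candidates(SAMPLE, LATEST, NOW))
```

Run as-is to see the classification of the sample set; to use it against real data, build DeviceRecord objects from whatever export of the Service Status page you have. Problem devices that stay Problem after a push are the ones to investigate for FortiGuard connectivity or a blocked update port.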
Service status by Package
When you click the By Package button, the Service Status page shows a list of all the installed packages, the
applicable firmware version, the package version, and the progress on package installation to devices. You can
drill-down to view the installed device list.
The content pane displays the following information:
Installed Packages Name
The name of the installed package.
Applicable Firmware Version
The firmware version of the device for which the installed package is created.
Package Version
The version of the installed package.
Installed Devices
The package installation progress for the devices. Click the <number> of
<number> link to view the installed device list.
To view the installed device list:
1. Go to FortiGuard > Package Management > Service Status.
2. In the toolbar, click By Package.
The list of installed packages is displayed.
3. In the Installed Devices column, click the <number> of <number> link for the installed package.
Device details are displayed.
Device Name
The name of the device.
Current Version
The version of the package.
Status
The device update status.
Last Update Time
The time of the last package update.
4. Click the Back arrow to return to the previous page.
Query server management
The query server manager shows when updates are received from the server, the update version, the size of the
update, and the update history. It also has graphs showing the number of queries from all the managed FortiGate
units made to the FortiManager device.
Receive status
To view the received packages, go to FortiGuard > Query Server Management > Receive Status.
The following information is displayed:
Refresh
Select to refresh the table.
History
The record of received packages.
Package Received
The name of the received package.
Latest Version (Release Date/Time)
The latest version of the received package.
Size
The size of the package.
Update History
Click to view the package update history.
Update history
When you click the Update History button for a package, the Update History pane is displayed for the package.
It shows the update times, the events that occurred, the statuses of the updates, and the versions downloaded.
Query status
Go to FortiGuard > Query Server Management > Query Status to view graphs that show:
- The number of queries made from all managed devices to the FortiManager unit over a user selected time period
- The top ten unrated sites
- The top ten devices for a user selected time period
The following information is displayed:
Top 10 Unrated Sites
Displays the top 10 unrated sites and the number of events.
Hover the cursor over a row to see the exact number of queries.
Top 10 Devices
Displays the top 10 devices and number of sessions.
Hover the cursor over a row to see the exact number of queries. Click a row
to see a graph of the queries for that device.
Number of Queries
Displays the number of queries over a period of time.
Firmware images
Go to FortiGuard > Firmware Images to manage the firmware images stored on the FortiManager device. You
can import firmware images for FortiGate, FortiCarrier, FortiAnalyzer, FortiManager, FortiAP, and FortiExtender.
You can download only those images that are needed from the FDS systems, and customize which firmware
images are available for deployment.
The following information and settings are available:
Import Images
Select to open the firmware image import list.
Models
From the dropdown list, select All to show all the available models on the
FortiGuard server, or select Managed to show only the models that are
currently being managed by the FortiManager device.
Product
Select a managed product type from the dropdown list.
Model
The device model number that the firmware is applicable to.
Latest Version (Release Date/Time)
The latest version of the firmware that is available.
Preferred Version
The firmware version that you would like to use on the device. Select
Change to open the Change Version dialog box, then select the desired
version from the dropdown list and select OK to change the preferred
version.
Size
The size of the firmware image.
Status
The status of the image, that is, from where it is available.
Action Status
The status of the current action being taken.
Release Notes
A link to the release notes for the firmware image, available once the image has been downloaded.
Download/Delete
Download the firmware image from the FDS if it is available. If the firmware image has already been
downloaded, delete the firmware image from the FortiManager device.
For information about upgrading your FortiManager device, see the FortiManager Release Notes or contact
Fortinet Customer Service & Support.
To import a firmware image:
1. Go to FortiGuard > Firmware Images, and click Import Images in the toolbar.
2. Select a device in the list, and click Import in the toolbar.
3. In the Upload Firmware Image dialog box, click Browse to browse to the desired firmware image file.
4. Click OK to import the firmware image.
Firmware images can be downloaded from the Fortinet Customer Service & Support
site at https://support.fortinet.com/ (support account required). Verify the downloaded file against the
checksum published for it on the support site before importing it, so that a corrupted or tampered image is
never pushed to a managed device.
To delete firmware images:
1. Go to FortiGuard > Firmware Images, and click Import Images in the toolbar.
2. Select the firmware images you would like to delete.
3. Click Delete in the toolbar. A confirmation dialog box appears.
4. Click OK to delete the firmware images.
FortiSwitch Manager
The FortiSwitch Manager module enables you to centrally manage FortiSwitch templates and VLANs, and
monitor FortiSwitch devices that are connected to FortiGate devices. You can configure multiple templates for
specific FortiSwitch platforms that can be assigned to multiple devices.
The FortiSwitch Manager module includes the following tabs:
Managed Switches
Displays unauthorized and authorized FortiSwitch devices. You can view, authorize, and edit authorized
switches, as well as apply templates to switches.
Monitor
Monitor FortiSwitch devices with a graphical representation of the connected switches.
FortiSwitch Templates
View, create, and edit FortiSwitch templates and VLANs.
The following steps provide an overview of using centralized FortiSwitch management to configure and install
templates:
1. Create FortiSwitch VLANs.
See FortiSwitch VLANs on page 360.
2. Create FortiSwitch templates.
See FortiSwitch Templates on page 358.
3. Assign templates to FortiSwitch devices.
See Assigning templates to FortiSwitch devices on page 356.
4. Install the templates to the devices.
On the Device Manager pane, select the FortiGate device that controls the FortiSwitch device, then select
Install > Install Config from the toolbar, and follow the prompts in the wizard. See Configuring a device on
page 120.
Managed Switches
The Managed Switches pane allows you to manage FortiSwitch devices that are controlled by FortiGate devices
that are managed by the FortiManager.
FortiSwitch devices, listed in the content pane, are grouped based on the controller that they are connected to.
Additional configuration options and shortcuts are available from the right-click context menu. Right-click
different parts of the navigation panes on the GUI page to access these context menus.
If workspace or workflow is enabled, the ADOM must be locked before changes can be
made. See Locking an ADOM on page 59.
Go to FortiSwitch Manager > Managed Switches to manage FortiSwitch devices. Managed switches are
organized by their FortiGate controller.
Quick status bar
You can quickly view the status of devices on the Managed Switches pane by using the quick status bar, which
contains the following options:
- Managed FortiSwitch
- Online
- Offline
- Unauthorized
You can click each quick status to display in the content pane only the devices referenced in the quick status.
To view the quick status bar:
1. If using ADOMs, ensure you are in the correct ADOM.
2. Go to FortiSwitch Manager > Managed Switches. The quick status bar is displayed above the content pane.
3. In the tree menu, select a FortiGate or All_FortiGate. The devices for the group are displayed in the content pane,
and the quick status bar updates.
4. Click on each quick status to filter the devices displayed on the content pane. For example, click Offline, and the
content pane will display only devices that are currently offline.
Managing FortiSwitches
FortiSwitch devices can be managed from the content pane below the quick status bar on the FortiSwitch
Manager > Managed Switches pane.
The following options are available from the toolbar and right-click menu:
Edit
Edit the selected FortiSwitch.
Delete
Delete the switch or switches.
Assign Template
Assign a template to the switch. Only applicable templates will be listed.
See Assigning templates to FortiSwitch devices on page 356.
Column Settings
Click to select which columns to display or select Reset to Default to
display the default columns.
This option is only available in the toolbar.
Authorize
Authorize an unregistered switch. See Authorizing and deauthorizing
FortiSwitch devices on page 356.
This option is also available in the toolbar by selecting More.
Deauthorize
Deauthorize a registered switch. See Authorizing and deauthorizing
FortiSwitch devices on page 356.
This option is also available in the toolbar by selecting More.
Restart
Restart the switch.
This option is also available in the toolbar by selecting More.
Upgrade
Upgrade the switch. The FortiSwitch must already be authorized.
This option is also available in the toolbar by selecting More.
Connect to CLI
Connect to FortiSwitch device's CLI, if available.
Search
Enter a search string into the search field to search the switch list.
This option is only available in the toolbar.
The following information is available in the content pane:
FortiGate
The FortiGate that the FortiSwitch is connected to.
FortiSwitch Name
The name assigned to the switch.
Serial Number
The serial number of the switch.
Platform
The FortiSwitch model.
Connected Via
The IP address of the switch.
OS Version
The OS version on the switch.
Template
The FortiSwitch template assigned to the device, if any.
Join Time
The date and time that the switch joined.
Comments
User entered comments.
Editing switches
FortiSwitch devices can be edited from the FortiSwitch Manager > Managed Switches pane.
To edit FortiSwitch devices:
1. In the tree menu, select the FortiGate that contains the FortiSwitch device to be edited, or select All_FortiGate to
list all of the switches.
2. Select the appropriate option from the quick status bar, and locate the switch in the content pane.
3. Double-click on the switch, select the switch and click Edit from the toolbar, or right-click on the switch and select
Edit. The Edit Managed FortiSwitch window opens.
4. Edit the following options, then click Apply to apply your changes.
Serial Number
The device’s serial number. This field cannot be edited.
Name
The name of the FortiSwitch.
Description
A description of the FortiSwitch, such as its model.
Template
Select the template that will be applied to the FortiSwitch from the
dropdown list. Only applicable templates will be available.
Status
The status of the FortiSwitch, such as Connected.
Click Restart to restart the switch.
Connecting From
The IP address of the switch.
Join Time
The date and time that the switch joined.
State
The state of the switch, such as Authorized.
If the switch is authorized, click De-authorize to deauthorize the switch. If the switch is not authorized, click
Authorize to authorize it. See Authorizing and deauthorizing FortiSwitch devices on page 356.
FortiSwitch OS Version
The OS version on the switch.
Click Upgrade to upgrade the firmware to a newer version if you have one available. See Firmware
Management on page 145.
Deleting switches
FortiSwitch devices can be deleted from the FortiSwitch Manager > Managed Switches pane.
To delete FortiSwitch devices:
1. In the tree menu, select the FortiGate that contains the switch or switches to be deleted, or select All_FortiGate to
list all of the switches.
2. Select the appropriate option from the quick status bar, and locate the switch in the list in the content pane.
3. Select the switch or switches that you need to delete.
4. Click Delete from the toolbar, or right-click and select Delete.
5. Click OK in the confirmation dialog box to delete the switch or switches.
Authorizing and deauthorizing FortiSwitch devices
FortiSwitch devices can be authorized and deauthorized from the Managed Switches tab, or from the Edit
Managed FortiSwitch pane (see Editing switches on page 355).
To authorize FortiSwitch devices:
1. In the tree menu, select the FortiGate that contains the unauthorized FortiSwitch devices, or select All_FortiGate
to list all of the switches.
2. In the quick status bar, click Unauthorized. The unauthorized FortiSwitch devices are displayed in the content
pane.
3. Select the switches and either click More > Authorize from the toolbar, or right-click and select Authorize.
4. Select OK in the confirmation dialog box to authorize the selected devices.
To deauthorize FortiSwitch devices:
1. In the tree menu, select the FortiGate that contains the FortiSwitch devices to be deauthorized.
2. Select the FortiSwitch devices and either click More > Deauthorize from the toolbar, or right-click and select
Deauthorize.
3. Select OK in the confirmation dialog box to deauthorize the selected devices.
Assigning templates to FortiSwitch devices
You use the FortiSwitch Manager pane to assign templates to switches, and you use the Device Manager pane to
install the templates to the switches when you install a configuration to the FortiGate that controls the
FortiSwitch device.
For more information about creating and managing FortiSwitch templates, see FortiSwitch Templates on
page 358.
To assign a template:
1. In the tree menu, select the FortiGate that contains the FortiSwitch device the template will be applied to, or
select All_FortiGate to list all of the switches.
2. Select the appropriate option from the quick status bar, and locate the switch in the content pane.
3. Select the switch and click Assign Template from the toolbar, or right-click on the switch and select Assign
Template. The Assign FortiSwitch Template dialog box opens.
4. Select a FortiSwitch template from the dropdown list, then click OK to assign it.
Only templates that apply to the specific device model will be available for selection.
Templates can also be applied when editing a device. See Editing switches on
page 355.
To install templates to devices:
1. Go to the Device Manager pane.
2. Select the FortiGate device that controls the FortiSwitch.
3. Right-click and select Install Config, or select Install > Install Config from the toolbar.
4. Click OK in the confirmation dialog box to install the configuration to the device. See Configuring a device on
page 120 for more information.
Monitor
The FortiSwitch Manager > Monitor pane shows a graphical representation of the connected FortiSwitch
devices.
Ports that are transmitting and receiving data are highlighted in green. Port groups, such as PoE or SFP+ ports,
are encircled in different colored boxes.
Hovering the cursor over the edge of a port group will open a pop-up showing the type of port in the group.
Hovering the cursor over a port will open a pop-up showing information about the port, including:
Port
The port number.
Peer Device
The device that this switch is connected to. The current port, the port it is connected to on the peer device,
and the connection between the two devices are highlighted.
This item is only displayed when the port is connected to another FortiSwitch device.
Native VLAN
The native VLAN of the port.
PoE
Whether or not the port is currently providing PoE power.
This item is only displayed on PoE ports.
Link
The state of the link, either up or down.
Speed
The speed of the port, such as 1000Mbps/Full Duplex. The value is 0Mbps
if the link is down.
Bytes Sent
The total number of bytes sent by the port.
Bytes Received
The total number of bytes received by the port.
FortiSwitch Templates
The FortiSwitch Manager > FortiSwitch Templates tab allows you to create and manage FortiSwitch templates
and VLANs that can be assigned to FortiSwitch devices.
FortiSwitch templates
FortiSwitch templates define VLAN and PoE assignments for a FortiSwitch platform.
To view FortiSwitch templates, ensure that you are in the correct ADOM, go to FortiSwitch Manager
> FortiSwitch Templates, and select FortiSwitch Templates in the tree menu.
The following options are available in the toolbar and right-click menu:
Create New
Create a new FortiSwitch template. See Creating FortiSwitch templates on
page 359.
Edit
Edit the selected template.
Delete
Delete the selected template or templates.
Search
Enter a search string into the search field to search the template list.
To edit a template:
1. Either double-click a template name, right-click a template and select Edit, or select a template then click Edit in
the toolbar. The Edit FortiSwitch Template pane opens.
2. Edit the settings as required, then click OK to apply your changes.
To delete templates:
1. Select the template or templates that will be deleted.
2. Either click Delete from the toolbar, or right-click and select Delete.
3. Click OK in the confirmation dialog box to delete the selected template or templates.
Creating FortiSwitch templates
When creating a new FortiSwitch template, the platform must be selected before configuring VLAN assignments.
To create a FortiSwitch template:
1. On the FortiSwitch Template pane, click Create New in the toolbar. The Create New FortiSwitch Template
window opens.
2. Enter the following information, then click OK to create the new template.
Template Name
Type a name for the template.
Comments
Optionally, enter comments.
Platforms
Select the platform that the template will apply to from the dropdown list.
Switch VLAN Assignments
Configure VLAN assignments.
Add Port
Click to add a port to the table.
Port
Select a port profile from the dropdown list.
Native VLAN
Select the native VLAN from the available VLAN objects. See FortiSwitch
VLANs on page 360.
Allowed VLAN
Select the allowed VLAN from the available VLAN objects. See FortiSwitch
VLANs on page 360.
POE
Assignments
If applicable, turn PoE support on or off for the port.
Operation
Click to remove the row from the table.
FortiSwitch VLANs
VLANs are used when creating FortiSwitch templates.
To view FortiSwitch VLANs, ensure that you are in the correct ADOM, go to FortiSwitch Manager
> FortiSwitch Templates, and select FortiSwitch VLANs in the tree menu.
The following options are available in the toolbar and right-click menu:
Create New
Create a new FortiSwitch VLAN. See Creating FortiSwitch VLANs on
page 361.
Edit
Edit the selected VLAN.
Delete
Delete the selected VLAN or VLANs.
Search
Enter a search string into the search field to search the VLAN list.
To edit a VLAN:
1. Either double-click a VLAN, right-click a VLAN and select Edit, or select a VLAN then click Edit in the toolbar. The
Edit VLAN Definition pane opens. The interface name and VLAN ID cannot be edited.
2. Edit the settings as required, then click OK to apply your changes.
To delete VLANs:
1. Select the VLAN or VLANs that will be deleted.
2. Either click Delete from the toolbar, or right-click and select Delete.
3. Click OK in the confirmation dialog box to delete the selected VLAN or VLANs.
Creating FortiSwitch VLANs
To create a FortiSwitch VLAN:
1. On the FortiSwitch VLAN pane, click Create New in the toolbar. The Create New VLAN Definition window
opens.
2. Enter the following information, then click OK to add the new VLAN.
Interface Name
Enter a name for the interface.
VLAN ID
Enter the VLAN ID
Role
Select the role for the interface: DMZ, LAN, UNDEFINED, or WAN.
Estimated Bandwidth
Enter the estimated upstream and downstream bandwidths.
This option is only available when Role is WAN.
Address
Addressing mode
The addressing mode.
IP/Network Mask
Enter the IP address and netmask.
IPv6 Addressing mode
Select the IPv6 addressing mode: Manual or DHCP.
IPv6
Address/Prefix
Enter the IPv6 address.
This option is only available when IPv6 Addressing mode is
Manual.
Restrict Access
Administrative Access
Select the allowed administrative service protocols from:
CAPWAP, DNP, FGFM, HTTP, HTTPS, PING, PROBE-RESPONSE, RADIUS-ACCT, SNMP, SSH, and TELNET.
HTTP and TELNET carry administrator credentials in cleartext. Enable only the protocols the interface
actually needs, and prefer HTTPS and SSH for management.
IPv6 Administrative Access
Select the allowed administrative service protocols from:
CAPWAP, FGFM, HTTP, HTTPS, PING, SNMP, SSH, and TELNET.
DHCP Server
Turn the DHCP server on or off.
This option is only available when Role is LAN or
UNDEFINED.
DHCP Server IP
Enter the DHCP server IP address.
This option is only available when DHCP Server is ON and
Mode is Relay.
Address Range
Configure address ranges for DHCP. Click Create to create a
new range. Ranges can also be edited and deleted as required.
This option is only available when DHCP Server is ON and
Mode is Server.
Netmask
Enter the netmask.
This option is only available when DHCP Server is ON and
Mode is Server.
Default Gateway
Configure the default gateway: Same as Interface IP, or
Specify. If set to Specify, enter the gateway IP address in the
field.
This option is only available when DHCP Server is ON and
Mode is Server.
DNS Server
Configure the DNS server: Same as System DNS, Same as
Interface IP, or Specify.
This option is only available when DHCP Server is ON and
Mode is Server.
DNS Server 1 - 3
Enter the DNS server IP addresses.
This option is only available when DHCP Server is ON, Mode is
Server, and DNS Server is Specify.
Mode
Select the DHCP mode: Server or Relay.
This option is only available when DHCP Server is ON.
NTP Server
Configure the NTP server: Local, Same as System NTP, or
Specify. If set to Specify, enter the NTP server IP address in
the field.
This option is only available when DHCP Server is ON and
Mode is Server.
Time Zone
Configure the timezone: Disable, Same as System, or
Specify. If set to Specify, select the timezone from the
dropdown list.
This option is only available when DHCP Server is ON and
Mode is Server.
Next Bootstrap Server
Enter the IP address of the next bootstrap server.
Additional DHCP Options
In the Lease Time field, enter the lease time, in seconds. Default: 604800 seconds (7 days).
This option is only available when DHCP Server is ON and Mode is Server.
Add DHCP options to the table. See To add additional DHCP options: on page 365 for details. Options can
also be edited and deleted as required.
This option is only available when DHCP Server is ON and Mode is Server.
MAC Reservation + Access Control
Select the action to take with unknown MAC addresses: assign or block.
Add MAC address actions to the table. See To add a MAC address reservation: on page 365 for details.
Reservations can also be edited and deleted as required.
This option is only available when DHCP Server is ON and Mode is Server.
Type
Select the type: Regular, or IPsec.
This option is only available when DHCP Server is ON.
Networked Devices
These options are only available when Role is DMZ, LAN, or UNDEFINED.
Device Detection
Turn device detection on or off.
Active Scanning
Turn active scanning on or off.
This option is only available when Device Detection is on.
Admission Control
These options are only available when Role is LAN or UNDEFINED.
Security Mode
Select the security mode: 802.1X, CAPTIVE-PORTAL, or NONE.
Authentication Portal
Configure the authentication portal: Local or External. If External is selected, enter the portal in the field.
This option is only available when Security Mode is CAPTIVE-PORTAL.
User Access
Select Restricted to Groups or Allow All.
This option is only available when Security Mode is CAPTIVE-PORTAL.
User Groups
Select user groups from the available groups.
This option is available when Security Mode is 802.1X, or when Security Mode is CAPTIVE-PORTAL and User
Access is Restricted to Groups.
Exempt Sources
Select sources that are exempt from the available firewall addresses.
This option is only available when Security Mode is CAPTIVE-PORTAL.
Device
Select user devices, device categories, and/or device groups.
This option is only available when Security Mode is CAPTIVE-PORTAL.
Exempt Destinations
Select destinations that are exempt from the available firewall addresses.
This option is only available when Security Mode is CAPTIVE-PORTAL.
Exempt Services
Select services that are exempt from the available firewall services.
This option is only available when Security Mode is CAPTIVE-PORTAL.
Miscellaneous
Scan Outgoing Connections to Botnet Sites
Select Block, Disable, or Monitor.
Secondary IP Address
Turn secondary IP addresses on or off.
Add IP addresses to the table. See To add a secondary IP address: on page 366 for details. Addresses can also
be edited and deleted as required.
Status
Comments
Optionally, enter comments.
Interface State
Select if the interface is Enabled or Disabled.
Advanced Options
color
Change the color of the interface to one of the 32 options.
To add additional DHCP options:
1. Click Create in the Additional DHCP Options table toolbar. The Additional DHCP Options dialog box opens.
2. Enter the Option Code.
3. Select the Type: hex, ip, or string.
4. Enter the corresponding value.
5. Click OK to create the option.
To add a MAC address reservation:
1. Click Create in the MAC Reservation + Access Control table toolbar. The MAC Reservation + Access Control
dialog box opens.
2. Enter the MAC Address.
3. Select the action: Assign IP, Block, or Reserve IP. If reserving the IP address, enter it in the field.
4. Optionally, enter a description.
5. Click OK to create the reservation.
To add a secondary IP address:
1. Click Create in the Secondary IP Address table toolbar. A dialog box opens.
2. Enter the IP address and netmask in the IP/Network Mask field.
3. Select the allowed administrative service protocols from: CAPWAP, DNP, FGFM, FTM, HTTP, HTTPS, PING,
PROBE-RESPONSE, RADIUS-ACCT, SNMP, SSH, and TELNET.
4. Click OK to add the address.
FortiAnalyzer Features
FortiAnalyzer features can be enabled either for a FortiManager unit or for managed FortiAnalyzer units, but not
for both at the same time. The features can be used to view and analyze logs from devices with logging enabled
that are managed by the FortiManager.
When the features are enabled manually, logs are stored and FortiAnalyzer features are configured on the
FortiManager.
When the features are enabled by adding a FortiAnalyzer to the FortiManager, logs are stored and log storage
settings are configured on the FortiAnalyzer device. Managed devices with logging enabled send logs to the
FortiAnalyzer. The FortiManager remotely accesses logs on the FortiAnalyzer unit and displays the information.
See Adding FortiAnalyzer devices on page 114.
When FortiAnalyzer features are enabled, the following modules are available:
FortiView
View summaries of log data. For example, you can view top threats to your
network, top sources of network traffic, top destinations of network traffic
and so on. See FortiView on page 370.
NOC
Log View
View log messages from managed devices with logging enabled. You can
view the traffic log, event log, or security log information. See Log View on
page 389.
Event Management
View events from logs that you want to monitor. You can specify what log
messages to display as events by configuring event handlers. See Event
Management on page 400.
Reports
Generate reports of data from logs. See Reports on page 415.
When FortiAnalyzer features are manually enabled, the following options are available on the System Settings
module:
Dashboard widgets
The following widgets can be added to the dashboard: Log Receive
Monitor, Insert Rate vs Receive Rate, Log Insert Lag Time, Receive
Rate vs Forwarding Rate, and Disk I/O.
The License Information widget will include a Logging section. See
Dashboard on page 446.
Logging Topology
View the logging topology. See Logging Topology on page 459.
Storage Info
View and configure log storage policies.
This pane is only available when ADOMs are enabled.
Fetcher Management
Configure log fetching. See Fetcher Management on page 473.
Device Log Settings
Configure device log file size, log rolling, and scheduled uploads to a
server. See Device logs on page 494.
File Management
Configure the automatic deletion of device log files, quarantined files,
reports, and content archive files after a set period of time. See File
Management on page 498.
Various other settings and information will be included on the FortiManager when FortiAnalyzer features are
enabled.
Enable or disable FortiAnalyzer features
If FortiAnalyzer features are enabled, you cannot add FortiAnalyzer units to the FortiManager. If a FortiAnalyzer
is added to the FortiManager, FortiAnalyzer features are automatically enabled to support the managed
FortiAnalyzer unit, and cannot be disabled.
See Adding FortiAnalyzer devices on page 114 for more information.
To enable or disable the FortiAnalyzer features from the GUI:
1. Go to System Settings > Dashboard.
2. In the System Information widget, click the FortiAnalyzer Features toggle switch.
The FortiManager will reboot to apply the change.
To enable or disable the FortiAnalyzer features from the CLI:
1. Log in to the FortiManager CLI.
2. Enter the following commands:
config system global
set faz-status {enable | disable}
end
The FortiAnalyzer feature set is not available on the FortiManager 100C.
Viewing policy rules
When a FortiAnalyzer is managed by a FortiManager, you can view the logs that the FortiAnalyzer unit receives.
In the Log View module, you can also view the policy rules by clicking a policy ID number.
See Adding FortiAnalyzer devices on page 114.
To view policy rules:
1. Go to Log View > Traffic.
2. Click the number in the Policy ID column.
The View Policy window is displayed, showing the policy rules.
3. Click Return to close the window.
FortiView
FortiView is a comprehensive monitoring system for your network that integrates real-time and historical data
into a single view. It can log and monitor threats to networks, filter data on multiple levels, keep track of
administrative activity, and more.
FortiView allows you to use multiple filters in the consoles, enabling you to narrow your view to a specific time, by
user ID or local IP address, by application, and others. You can use it to investigate traffic activity such as user
uploads/downloads or videos watched on YouTube on a network-wide user group or on an individual-user level. It
presents information in both text and visual format.
This pane is only available when the FortiAnalyzer features are enabled. For more
information, see FortiAnalyzer Features on page 367.
You can view summaries of log data in FortiView such as top threats to your network, top sources of network
traffic, and top destinations of network traffic. Depending on which summary you are viewing, you can view
summary information in different formats: table, bubble, map, or tile. For each summary view, you can drill down
to see more details.
FortiGate, FortiCarrier, and FortiClient EMS devices support FortiView.
How ADOMs affect the FortiView pane
When ADOMs are enabled, each ADOM has its own data analysis in FortiView.
Logs used for FortiView
FortiView displays data from Analytics logs. Data from Archive logs is not displayed in FortiView.
FortiView summary list and description

FortiView summaries for FortiGate and FortiCarrier devices

Summary
  Summary: An overview of the most used FortiView summary views. You can select which widgets to display in the Summary.

Threats
  Top Threats: Lists the top threats to your network. The following incidents are considered threats:
    - Risk applications detected by application control.
    - Intrusion incidents detected by IPS.
    - Malicious web sites detected by web filtering.
    - Malware/botnets detected by antivirus.
    Note: If FortiGate is running FortiOS 5.0.x, turn on Security Profiles > Client Reputation to view entries in Top Threats.
  Threat Map: Displays a map of the world that shows the top traffic destination country by color. Threats are displayed when the level is equal to or greater than warning and the source IP is a public IP address. The list of threats at the bottom shows the location, threat, severity, and time of the attacks. The color gradient of the darts on the map indicates the traffic risk, where red indicates the more critical risk. This view has no filtering options. See also Viewing the threat map on page 378.
  Indicators of Compromise (IOC): Displays end users with suspicious web use compromises, including end users’ IP addresses, overall threat rating, and number of threats.
    Note: To use this feature:
    1. UTM logs of the connected FortiGate devices must be enabled.
    2. The FortiManager must subscribe to FortiGuard to keep its threat database up-to-date.

Traffic
  Top Sources: Displays the highest network traffic by source IP address and interface, device, threat score (blocked and allowed), sessions (blocked and allowed), and bytes (sent and received).
  Top Destinations: Displays the highest network traffic by destination IP addresses, the applications used to access the destination, sessions, and bytes.
  Top Countries: Displays the highest network traffic by country in terms of traffic sessions, including the destination, threat score, sessions, and bytes.
  Policy Hits: Lists the policy hits by policy, device name, VDOM, number of hits, bytes, and last used time and date.

Applications & Websites
  Top Applications: Displays the top applications used on the network including the application name, category, risk level, number of clients, sessions blocked and allowed, and bytes sent and received. For a usage example, see Finding application and user information on page 381.
  Top Cloud Applications: Displays the top cloud applications used on the network.
  Top Websites: Displays the top allowed and blocked web sites on the network. You can view information by domain or category by using the options in the top right of the toolbar.
  Top Browsing Users: Displays the top web-browsing users, including source, group, number of sites visited, browsing time, and number of bytes sent and received.

VPN
  SSL & Dialup IPsec: Displays the users who are accessing the network by using the following types of security over a virtual private network (VPN) tunnel: secure socket layers (SSL) and Internet protocol security (IPsec).
  Site-to-Site IPsec: Displays the names of VPN tunnels with Internet protocol security (IPsec) that are accessing the network.

WiFi
  Rogue APs: Displays the service set identifiers (SSID) of unauthorized WiFi access points on the network.
  Authorized APs: Displays the names of authorized WiFi access points on the network.
  Authorized SSIDs: Displays the service set identifiers (SSID) of authorized WiFi access points on the network.
  WiFi Clients: Lists the names and IP addresses of the devices logged into the WiFi network.

System
  Admin Logins: Displays the users who logged into the managed device.
  System Events: Displays events on the managed device.
  Resource Usage: Displays device CPU, memory, logging, and other performance information for the managed device.
  Failed Authentication Attempts: Displays the IP addresses of the users who failed to log into the managed device.

Endpoints
  All Endpoints: Lists the FortiClient endpoints registered to the FortiGate device.
  Top Vulnerabilities: Displays vulnerability information about the FortiClient endpoints registered to specific FortiGate devices. View by Device or Vulnerability. In Device view, the table shows the device, source, number and severity of vulnerabilities, and category. In Vulnerability view, select table or bubble format. The table format shows the vulnerability name, severity, category, CVE ID, and host count. The bubble graph format shows vulnerability by severity and frequency.
  Top Threats: Displays the top threats for registered FortiClient endpoints, including the threat, threat level, and the number of incidents (blocked and allowed).
  Top Applications: Displays the top applications used by registered FortiClient endpoints, including the application name, risk level, sessions blocked and allowed, and bytes sent and received.
  Top Web Sites: Displays the top allowed and blocked web sites on the network.
FortiView summaries for FortiClient EMS devices

Threats
  Top Threats: Lists the top users involved in incidents and the top threats to your network. The following incidents are considered threats:
    - Risk applications detected by application control
    - Malicious web sites detected by web filtering
    - Malware/botnets detected by antivirus

Applications & Websites
  Top Applications: Displays the top applications used on the network including the application name, category, risk level, number of clients, sessions blocked and allowed, and bytes sent and received.
  Top Websites: Displays the top allowed and blocked web sites on the network.

Endpoints
  All Endpoints: Lists the FortiClient endpoints registered to the FortiClient EMS device.
  Top Vulnerabilities: Displays vulnerability information about the FortiClient endpoints that are registered to the FortiClient EMS device. View by Device or Vulnerability. In Device view, the table shows the device, source, number and severity of vulnerabilities, and category. In Vulnerability view, select table or bubble format. The table format shows the vulnerability name, severity, category, CVE ID, and host count. The bubble graph format shows vulnerability by severity and frequency.
Using FortiView
When ADOMs are enabled, FortiView displays information for each ADOM so ensure you are in the correct
ADOM. See Switching between ADOMs on page 34.
FortiView summary page
The FortiView Summary page shows you an overview of the most used summary views. You can configure the
overall view of the Summary page.
Each summary view is a widget. You can configure the view settings of each widget, including adding the same
widget multiple times, each showing a different view. For example, you can add two Top Threats widgets: one
showing the Top 10 Threats view in a bubble chart, and the other showing the Top 20 Threats in a table.
To view the details of each summary view, you can drill down each summary view or use the tree menu to view an
individual page.
Configuring the overall view settings for the Summary page
To add a widget to the Summary page:
1. If using ADOMs, ensure you are in the correct ADOM.
2. Go to FortiView.
3. In the content pane toolbar, click Add Widget and select a FortiView summary from the list.
To remove a widget from the Summary page:
Click the Remove This Widget button in the top-right of the widget.
To specify a time period for all the views on the Summary page:
On the FortiView Summary page, select a time period from the time period dropdown list in the toolbar.
To refresh the view and/or set refresh rate:
On the FortiView Summary page, click the Refresh Now button in the toolbar or select a refresh rate from the
dropdown menu.
To switch to full-screen mode:
On the FortiView Summary page, click the Full Screen button in the toolbar. To exit full-screen mode, either
press Esc or click the Exit Full Screen button in the top-right.
Viewing each widget on the Summary page
You can view and drill down each summary view on the Summary page or you can view an individual page that
you access through the tree menu. See Filtering FortiView summaries on page 378.
Configuring the view settings for an individual widget
To configure the view settings for an individual widget:
1. On the FortiView Summary page, click the Edit Settings button in the top-right of the widget. The summary view
flips to the settings panel.
2. On the settings panel, configure the settings for the widget, such as Chart Type, Show Top, and Sort By.
3. Click OK in the top-right corner to save the changes.
Viewing FortiView summaries
When viewing summary views, use the controls in the toolbar to select a display format, select a device, specify a
time period, refresh the view, set the refresh rate, export the information, and switch to full-screen mode.
Depending on which summary you are viewing, you can view summary information in different formats such as
table, bubble, map, or tile.
Some summary views support only one format. For example, Threat Map only supports the map format and
Policy Hits supports only the table format.
- In summary views that support multiple formats, click the format icon in the top-right to select another format.
- In table format:
  - To select how many items to display, use the Show dropdown list in the bottom-right.
  - To sort by a column, click the column title.
- In bubble and map format:
  - If sorting is available, use the Sort By dropdown list in the top-right.
  - To view more information, hover the mouse over a graphical element.
Most summary views let you drill down to view more details. To drill down, click or right-click an element to view
details about different dimensions in different tabs. You can continue to drill down by double-clicking an entry.
Click the Back button in the toolbar to return to the previous view.
Some summary views support multiple views. For example, Endpoints > Top Vulnerabilities has a Device view
and a Vulnerability view; and Applications & Websites > Top Cloud Applications has a Cloud Application view
and a Cloud User view.
Viewing a map of top countries
You can view a map of the Traffic > Top Countries summary view. The map shows the destination country.
To view a map of top countries:
1. Go to FortiView > Traffic > Top Countries.
2. Select the Map icon from the dropdown list in the top-right.
3. Choose a sort method from the Sort By list in the top-right.
4. To view more information, hover the mouse over the map.
5. To drill down to view more details, click a country to view details about different dimensions in different tabs.
6. You can continue drilling down by double-clicking an entry.
7. Click the Back button in the toolbar to return to the previous view.
Viewing the threat map
You can view an animated world map that displays threats from unified threat management logs. Threats are
displayed in real-time. No replay or additional details are available.
You must specify the longitude and latitude of the device to enable threats for the
device to display in the threat map. You can edit the device settings to identify the
geographical location of the device in Device Manager.
To view the threat map:
1. Go to FortiView > Threats > Threat Map.
2. In the map, view the geographic location of the threats.
3. In the Threat Window, view the threat, level, and location.
Filtering FortiView summaries
Filter FortiView summaries using the Add Filter box in the toolbar or by right-clicking an entry and selecting a
context-sensitive filter. You can also filter by specific devices or log groups and by time.
To filter FortiView summaries using filters in the toolbar:
1. Specify filters in the Add Filter box.
   - Regular Search: In the selected summary view, click Add Filter and select a filter from the dropdown list, then
     type a value. Click NOT to negate the filter value. You can add multiple filters and connect them with “and” or
     “or”.
   - Advanced Search: Click the Switch to Advanced Search icon at the right end of the Add Filter box. In
     Advanced Search mode, enter the search criteria (log field names and values). Click the Switch to Regular
     Search icon to go back to regular search.
2. In the Device list, select a device.
3. In the Time list, select a time period.
4. If necessary, click Go.
To filter FortiView summaries using the right-click menu:
In the selected summary view, right-click an entry and select a filter criterion (Search <filter value>).
Depending on the column in which your mouse is placed when you right-click, FortiView uses the column value as
the filter criteria. This context-sensitive filter is only available for certain columns.
Viewing related logs
You can view the related logs for a FortiView summary in Log View. When you view related logs, the same filters
that you applied to the FortiView summary are applied to the log messages.
To view related logs for a FortiView summary, right-click the entry and select View Related Logs.
Exporting filtered summaries
You can export filtered FortiView summaries or any level of the drilldowns to PDF and report charts. Filtered
summaries are always exported in table format.
To export a filtered summary:
1. In the filtered summary view or its drilldown, click the Export button in the top-right and select Export to PDF or
Export to Report Chart.
2. In the dialog box, review and configure settings:
   - Specify a file name for the exported file.
   - In the Top field, specify the number of entries to export.
   - If you are in a drilldown view, the tab you are in is selected by default. You can select more tabs. If you are
     exporting to report charts, the export creates one chart for each tab.
3. Click OK.
Charts are saved in the Chart Library. You can use them in the same way you use other charts.
Only log field filters are exported. Device and time period filters are not exported.
Viewing Indicators of Compromise information
The Indicators of Compromise (IOC) summary shows end users with suspicious web usage compromises. It
provides information such as end users’ IP addresses, host name, group, OS, overall threat rating, a Map View,
and number of threats. You can drill down to view threat details.
To generate the Indicators of Compromise, FortiAnalyzer checks the web filter logs of each end user against its
threat database. When a threat match is found, a threat score is given to the end user. When the check is
completed, FortiAnalyzer aggregates all the threat scores of an end user and gives its verdict of the end user’s
overall Indicators of Compromise.
To use this Indicators of Compromise summary, you must turn on the UTM web filter
of FortiGate devices. You must also subscribe your FortiManager unit to FortiGuard to
keep its local threat database synced with the FortiGuard threat database. See
Subscribing FortiManager to FortiGuard on page 380.
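As an added illustration (not Fortinet's code), the following Python models the IOC flow described above: each end user's UTM web filter log entries are checked against a threat database, each match adds a threat score to that user, and the scores are aggregated into an overall rating. The log lines, the threat database, and the rating thresholds are constructed for this example and are not FortiGuard's.

```python
import re
from dataclasses import dataclass, field

# Constructed threat database (hostname -> (threat name, score)). A real
# FortiManager keeps its local database synced with FortiGuard under the
# Indicators of Compromise Service subscription.
THREAT_DB = {
    "malware-dropper.example": ("Malware Distribution", 60),
    "c2-beacon.example": ("Botnet C&C", 90),
    "phish-login.example": ("Phishing", 40),
}

# Constructed FortiGate log lines in key=value format. The last line is an
# IPS log rather than a web filter log, so the IOC check must ignore it.
SAMPLE_LOGS = """\
date=2018-01-19 time=10:01:02 type="utm" subtype="webfilter" srcip=10.1.1.5 user="alice" hostname="www.example.com" action="passthrough"
date=2018-01-19 time=10:02:10 type="utm" subtype="webfilter" srcip=10.1.1.5 user="alice" hostname="malware-dropper.example" action="blocked"
date=2018-01-19 time=10:03:44 type="utm" subtype="webfilter" srcip=10.1.1.9 user="bob" hostname="c2-beacon.example" action="passthrough"
date=2018-01-19 time=10:03:50 type="utm" subtype="webfilter" srcip=10.1.1.9 user="bob" hostname="c2-beacon.example" action="passthrough"
date=2018-01-19 time=10:05:01 type="utm" subtype="webfilter" srcip=10.1.1.9 user="bob" hostname="phish-login.example" action="blocked"
date=2018-01-19 time=10:06:00 type="utm" subtype="ips" srcip=10.1.1.7 user="carol" hostname="c2-beacon.example"
"""

# key=value pairs; values are either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_log_line(line):
    """Split one key=value log line into a dict, stripping quotes."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in KV_RE.finditer(line)}


@dataclass
class UserIOC:
    """Aggregated IOC state for one end user."""
    srcip: str
    score: int = 0
    threats: list = field(default_factory=list)  # (hostname, threat, score)

    @property
    def rating(self):
        """Overall threat rating. Thresholds are assumed, not Fortinet's."""
        if self.score >= 90:
            return "High"
        if self.score >= 50:
            return "Medium"
        return "Low"


def build_ioc(log_text, threat_db=THREAT_DB):
    """Check each user's web filter logs against threat_db and aggregate.

    Returns {user: UserIOC}. Users with no matching entries are absent,
    mirroring the FortiView tile view, which lists only suspicious users.
    Every matching visit adds its score, so repeated contacts with a
    C&C host rank above a single blocked download.
    """
    users = {}
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        # Only UTM web filter logs are checked, which is why the feature
        # requires UTM web filter logging to be enabled on the FortiGate.
        if rec.get("type") != "utm" or rec.get("subtype") != "webfilter":
            continue
        hit = threat_db.get(rec.get("hostname", ""))
        if hit is None:
            continue
        threat, score = hit
        # Fall back to the source IP when the log carries no user name.
        user = rec.get("user") or rec.get("srcip")
        entry = users.setdefault(user, UserIOC(srcip=rec.get("srcip", "")))
        entry.score += score
        entry.threats.append((rec["hostname"], threat, score))
    return users


if __name__ == "__main__":
    for user, ioc in sorted(build_ioc(SAMPLE_LOGS).items()):
        print(f"{user:8} {ioc.srcip:10} rating={ioc.rating:6} "
              f"score={ioc.score:4} threats={len(ioc.threats)}")
```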
To view end users’ Indicators of Compromise information:
- Go to FortiView > Threats > Indicators of Compromise.
  The content pane displays an overview of end users with suspicious compromises in tile format, including end
  user’s IP address, group, OS, overall threat rating, number of threats, a Map View button, and an Acknowledge
  button.
- To view Indicators of Compromise in a tabular format, click the Table/Tile dropdown menu at the top right and
  select Table.
- In tile format, to view a map of the Indicators of Compromise, click Map View in the tile. To see more details, hover
  the cursor over a destination.
- To acknowledge the Indicators of Compromise of an end user, click Ack.
- To filter entries, click Add Filter and specify devices or a time period.
- To drill down and view threat details, double-click a tile or a row.
Subscribing FortiManager to FortiGuard
Your FortiManager needs to subscribe to FortiGuard to keep its threat database up to date. You must purchase a
FortiGuard Indicators of Compromise Service license for that.
To subscribe FortiManager to FortiGuard:
1. Go to System Settings > Dashboard.
2. In the License Information widget, find the FortiGuard > Indicators of Compromise Service field and click
Purchase.
Monitoring resource usage of devices
You can monitor how much FortiManager system resources (e.g., CPU, memory, and disk space) each device
uses. When ADOMs are enabled, this information is displayed per ADOM. In a specific ADOM, you can view the
resource usage information of all the devices under the ADOM.
Go to FortiView > System > Resource Usage to monitor resource usage for devices.
Examples of using FortiView
You can use FortiView to find information about your network. The following are some examples.
Finding application and user information
Company ABC has over 1000 employees using different applications across different divisional areas, including
supply chain, accounting, facilities and construction, administration, and IT.
The administration team received a $6000 invoice from a software provider to license an application called
Widget-Pro. According to the software provider, an employee at Company ABC is using Widget-Pro software.
The system administrator wants to find who is using applications that are not in the company’s list of approved
applications. The administrator also wants to determine whether the user is unknown to FortiGuard signatures,
identify the list of users, and perform an analysis of their systems.
To find application and user information:
1. If using ADOMs, ensure you are in the correct ADOM.
2. Go to FortiView > Applications & Websites > Top Applications.
3. Click Add Filter, select Application, type Widget-Pro, and click Go.
4. If you do not find the application in the filtered results, go to Log View > Traffic.
5. Click the Add Filter box, select Source IP, type the source IP address, and click Go.
Finding unsecured wireless access points
AAA Electronics has multiple access points in their stores for their wireless point-of-sale and mobile devices the
sales team uses.
War-driving hackers found an unsecured wireless connection in the AAA Electronics network. Hackers were able
to connect to the network and install a program for stealing personal data.
The network administrator already monitors unknown applications using FortiManager alerts and was informed
an unauthorized program had been installed. Following an investigation, the administrator determined the
program secured a wireless access point. The administrator now wants to determine if any of the other AAA
Electronics stores have insecure access points.
To find information on unsecured wireless access points:
1. If using ADOMs, ensure you are in the correct ADOM.
2. Go to FortiView > WiFi > Rogue APs to view the list of unsecured wireless or rogue access points.
Analyzing and reporting on network traffic
A new administrator starts at #1 Technical College. The school offers free WiFi to students on the condition that
they accept the terms and policies for school use.
The new administrator is asked to analyze and report on the top source and destinations students visit, the source
and destinations that consume the most bandwidth, and the number of attempts to visit blocked sites.
To review the source and destination traffic and bandwidth:
1. If using ADOMs, ensure you are in the correct ADOM.
2. Go to FortiView > Traffic > Top Sources.
3. Go to FortiView > Traffic > Top Destinations.
Viewing vulnerabilities with high severity and frequency
A-One Company experiences many network vulnerabilities but most of them are of low to medium severity and
occur infrequently. The network administrator wants to quickly see which vulnerabilities have high severity and
frequency.
To view vulnerabilities with high severity and frequency:
1. If using ADOMs, ensure you are in the correct ADOM.
2. Go to FortiView > Endpoints > Top Vulnerabilities.
3. In the toolbar, select Vulnerability and Bubble format.
Focus on the top right of the bubble chart which shows vulnerabilities with the highest severity and frequency.
Hover the cursor over a vulnerability to see additional information and click a vulnerability to drill down to view
more details.
NOC
Use the NOC (Network Operations Center) or SOC (Security Operations Center) to view multiple panes of
network activity, including monitoring network security, WiFi security, and system performance.
NOC displays both real-time monitoring and historical trends. This centralized monitoring and awareness help
you to effectively monitor network events, threats, and security alerts.
This pane is only available when the FortiAnalyzer features are enabled. For more
information, see FortiAnalyzer Features on page 367.
NOC Dashboard
NOC includes predefined Security Monitor, WiFi Monitor, and System Performance dashboards.
You can create custom dashboards and add widgets to them. Each pane or widget monitors one activity. You can
select what widgets to display, customize widgets, move and resize widgets, and display widgets in full screen or
on different monitors.
A good way to use dashboards is to use multiple monitors to display different widgets that show a comprehensive
view of your network and security operations in real time. Select widgets that display information most relevant to
you.
One scenario is to use the main monitors in the middle to display widgets in a bigger size. These widgets monitor
network information that is most important to you. Then use the monitors on the sides to display other
information in smaller widgets.
For example, use the top monitor in the middle to display the Top Threat Destinations widget in full screen, use
the monitor(s) below that to display other Security Monitor widgets, use the monitors on the left to display WiFi
Monitor widgets at the top and System Performance widgets at the bottom, and use the monitors on the right as
a workspace to display widgets showing the busiest network activity. You can move, add, or remove widgets.
Using the NOC dashboard
NOC dashboards contain widgets that provide network and security information. Use the controls in the
dashboard toolbar to work with a dashboard.
Add Widget
Add widgets to a predefined or custom dashboard. For details, see Customizing the
NOC dashboard on page 385.
Dashboard
Create a new dashboard or reset a predefined dashboard to its default settings. For
custom dashboards, you can rename or delete the custom dashboard. For details,
see Customizing the NOC dashboard on page 385.
Create
New
Create a new dashboard.
Reset
Reset the dashboard.
Select
Security
Fabric
Select the Security Fabric to display in the dashboard.
You need to create a Security Fabric group in FortiGate and add the Security Fabric
group in FortiAnalyzer to be able to select a Security Fabric option in the NOC
dashboard.
Refresh
Refresh the data in the widgets.
Background color
Change the background color of the dashboard to make widgets easier to view in
different room lighting.
- Day shows a brighter gray background color.
- Night shows a black background.
- Ocean shows a blue background color.
Hide Side-menu and Show Side-menu
Hide or show the tree menu on the left.
Full Screen
Display in full screen. To exit full screen, press Esc.
Use the controls in the widget title bar to work with widgets.
Settings icon
Change the settings of the widget. Widgets have settings applicable to that widget,
such as how many of the top items to display, Time Period, Refresh Interval, and
Chart Type.
View different
chart types
Some widget settings let you choose different chart types such as the Disk I/O and
Top Countries widget. You can add these widgets multiple times and set each widget
to show a different chart type.
Hide or show a
data type
For widgets that show different data types, click a data type in the title bar to hide or
show that data type in the graph.
For example, in the Insert Rate vs Receive Rate widget, click Receive Rate or Insert
Rate in the title bar to hide or show that data. In the Disk I/O widget, click Read or
Write in the title bar to hide or show that data type.
Remove widget
icon
Delete the widget from a predefined or custom dashboard.
Move widget
Click and drag a widget’s title bar to move it to another location.
Resize widget
Click and drag the resize button in the bottom-right of the widget.
View more details
Hover the cursor over a widget’s data points to see more details.
View a narrower
time period
Some widgets have buttons below the graph. Click and drag the buttons to view a
narrower time period.
Zoom in and out
For widgets that show information on a map such as the Top Threat Destinations
widget, use the scroll wheel to change the zoom level. Click and drag the map to view
a different area.
Customizing the NOC dashboard
You can add any widget to a predefined dashboard. You can also move, resize, or delete widgets. You cannot
rename or delete a predefined dashboard. To reset a predefined dashboard to its default settings, click
Dashboard > Reset.
You can add the same widget multiple times and configure each one differently, such as showing a different Time
Period, Refresh Interval, or Chart Type.
To create a dashboard:
1. In the toolbar, click Dashboard > Create New.
2. Specify the Name and whether you want to create a blank dashboard or use a template.
If you select From Template, specify which predefined dashboard you want to use as a template.
3. Click OK. The new dashboard appears in the tree menu.
To display Security Fabric in NOC:
1. Create a Security Fabric in FortiGate.
2. Add the Security Fabric in FortiAnalyzer.
3. Go to NOC > Dashboard > Select Security Fabric. The Add Device dialog box will open.
4. Select the Security Fabric you want to display in the NOC Dashboard.
5. Add desired widgets to the dashboard.
To add a widget:
1. Select the predefined or custom dashboard where you want to add a widget.
2. Click Add Widget to expand the menu; then locate the widget you want to add.
3. Click the + button to add widgets.
4. When you have finished adding widgets, click the close button to close the Add Widget pane.
NOC dashboards and widgets
NOC includes the following predefined dashboards and widgets. You can create custom dashboards and add any
widget to any predefined or custom dashboard.
Security Monitor
The Security Monitor dashboard includes the following widgets:
Top Threat Destinations: A world map showing the highest network traffic. Hover the cursor over data points to see the source device and IP address, destination IP address and country, threat level, and the number of incidents (blocked and allowed).
Top Threat: The top threats to your network. Hover the cursor over data points to see the threat, category, threat level, threat score (blocked and allowed), and the number of incidents (blocked and allowed). The following incidents are considered threats:
- Risk applications detected by application control
- Intrusion incidents detected by IPS
- Malicious web sites detected by web filtering
- Malware/botnets detected by antivirus
Top Applications: The top applications used on the network. Hover the cursor over data points to see the application name, risk level, category, sessions (blocked and allowed), and bytes (sent and received).
Indicators of Compromise: Suspicious web use compromises. Hover the cursor over data points to see the end user IP address, host name, group, OS version, threat level, number of threats, and blacklist count.
Top Endpoint Vulnerabilities: Vulnerability information about FortiClient endpoints. Hover the cursor over data points to see the vulnerability count (critical, high, medium, and low), source IP address and device, and category.
Top Sources: The highest network traffic by source IP address and interface, sessions (blocked and allowed), threat score (blocked and allowed), and bytes (sent and received).
Top Countries: The highest network traffic by country, sessions (blocked and allowed), and bytes (sent and received). You can display this widget as a treemap chart, bubble chart, or bar chart; sorted by bandwidth or the number of sessions.
Security Fabric Score Summary: Total score and suggested actions to improve the score.
Historical Security Fabric Scores: Changes of the audit score over time.
Security Fabric Topology: A topology map showing the logical structure of connected Security Fabric devices.
Top Dialup VPN: A world map showing the users accessing the network using SSL or IPsec over a VPN tunnel. Hover the cursor over data points to see the user name or IP address, connected from IP address and country, connection time and duration, and bytes (sent and received).
VPN Site-to-Site: A world map showing the names of VPN tunnels with Internet protocol security (IPsec) that are accessing the network. Hover the cursor over data points to see the site-to-site IPsec tunnel, connected from and to IP address (including city and country if available), duration, and bytes (sent and received).
FortiSandbox Scanning Statistics: The number of files scanned by FortiSandbox. This chart shows the files by type: malicious, suspicious, clean, and others. Hover the cursor over data points to see the number of files of each type.
FortiSandbox Top Malicious & Suspicious File Users: Users or IP addresses that have the highest number of malicious and suspicious files detected by FortiSandbox. This chart shows the username and avatar if it’s available, otherwise it shows the IP address. Hover the cursor over data points to see the number of files.
WiFi Monitor
The WiFi dashboard includes the following widgets:
Authorized APs: A world map showing the names of authorized WiFi access points on the network.
Top SSID: The top SSIDs (service set identifiers) of authorized WiFi access points on the network. Hover the cursor over data points to see the SSID and bytes (sent and received).
Top Rogue APs: The top SSIDs (service set identifiers) of unauthorized WiFi access points on the network. Hover the cursor over data points to see the SSID and total live time.
System Performance
The System Performance dashboard includes the following widgets:
CPU & Memory Usage: The usage status of the CPU and memory.
Multi-Core CPU Usage: The usage status of a multi-core CPU.
Insert Rate vs Receive Rate: The number of logs received vs the number of logs actively inserted into the database, including the maximum and minimum rates.
- Log receive rate: how many logs are being received.
- Log insert rate: how many logs are being actively inserted into the database.
If the log insert rate is higher than the log receive rate, then the database is rebuilding. The lag is the number of logs waiting to be inserted.
Disk I/O: The disk Transaction Rate (I/Os per second), Throughput (KB/s), or Utilization (%). The Transaction Rate and Throughput graphs also show the maximum and minimum disk activity.
Log View
You can view log information by device or by log group.
When rebuilding the SQL database, Log View is not available until the rebuild is
complete. Click the Show Progress link in the message to view the status of the SQL
rebuild.
This pane is only available when the FortiAnalyzer features are enabled. For more
information, see FortiAnalyzer Features on page 367.
When ADOMs are enabled, each ADOM has its own information displayed in Log View.
Log View displays log messages from Analytics logs and Archive logs:
- Historical logs and real-time logs in Log View are from Analytics logs.
- Log Browse can display logs from both the current, active log file and any compressed log files.
Types of logs collected for each device
FortiManager can collect logs from managed FortiGate, FortiCarrier, FortiCache, FortiMail, FortiManager,
FortiSandbox, FortiWeb, FortiClient, and syslog servers. Following is a description of the types of logs
FortiManager collects from each type of device:
Device Type: Log Type
FortiManager: Event
FortiAuthenticator: Event
FortiGate: Traffic; Event (Compliance Events, Endpoint, HA, System, Router, VPN, User, WAN Opt. & Cache, and Wireless); DNS; Security (Vulnerability Scan, Antivirus, Web Filter, Application Control, Intrusion Prevention, Email Filter, Data Leak Prevention, Web Application Firewall); FortiClient; VoIP
FortiCarrier: Traffic, Event, GTP
FortiCache: Traffic, Event, Antivirus, Web Filter
FortiClient: Traffic, Event, Vulnerability Scan
FortiDDoS: Event, Intrusion Prevention
FortiMail: History, Event, Antivirus, Email Filter
FortiManager: Event
FortiSandbox: Malware, Network Alerts
FortiWeb: Event, Intrusion Prevention, Traffic
Syslog: Generic
Traffic logs
Traffic logs record the traffic flowing through your FortiGate unit. Since traffic needs firewall policies to properly
flow through FortiGate, this type of logging is also called firewall policy logging. Firewall policies control all traffic
attempting to pass through the FortiGate unit, between FortiGate interfaces, zones, and VLAN sub-interfaces.
Event logs
Event logs record administration management and Fortinet device system activity, such as when a configuration changes, or admin login or HA events occur. Event logs are important because they record Fortinet device system activity, which provides valuable information about how your Fortinet unit is performing. FortiGate event logs include System, Router, VPN, User, and WiFi menu objects to provide you with more granularity when viewing and searching log data.
DNS logs
DNS logs (FortiGate) record the DNS activity on your managed devices.
Security logs
Security logs (FortiGate) record all antivirus, web filtering, application control, intrusion prevention, email filtering,
data leak prevention, vulnerability scan, and VoIP activity on your managed devices.
The logs displayed on your FortiManager depend on the device type logging to it and the enabled features. FortiGate, FortiCarrier, FortiCache, FortiMail, FortiManager, FortiWeb, FortiSandbox, FortiClient, and Syslog logging is supported. ADOMs must be enabled to support non-FortiGate logging.
For more information on logging see the Logging and Reporting for FortiOS Handbook in the Fortinet Document
Library.
Log messages
You can view log information by device or by log group.
Viewing the log message list of a specific log type
You can find FortiMail and FortiWeb logs in their default ADOMs.
To view the log message list:
1. If using ADOMs, ensure you are in the correct ADOM.
2. Go to Log View, and select a log type from the tree menu.
The corresponding log messages list is displayed.
Viewing log message details
To view log message details:
1. Double-click a log message on the log message list or select the log message and then click Display Details in the
bottom-right.
The log details pane is displayed to the right of the log message list, with the log fields categorized in tree
view.
The log details pane provides shortcuts for adding filters and for showing or hiding a column. Right-click a log field
to select an option.
If the log message contains UTM logs, you can click the UTM log icon in the log details
pane to open the UTM log view window.
Customizing displayed columns
The columns displayed in the log message list can be customized and reordered as needed.
To customize what columns to display:
1. In the toolbar of the log message list view, click Column Settings and select a column to hide or display.
The available columns vary depending on the device and log type.
2. To add other columns, click More Columns. In the Column Settings dialog box, select the columns to show or
hide.
3. To reset to the default columns, click Reset to Default.
4. Click OK.
You can also add or remove a log field column in the log details pane, by right-clicking a log field and selecting Add [log field name] or Remove [log field name].
To change the order of the displayed columns:
Place the cursor in the column title and move a column by dragging and dropping.
Filtering log messages
You can filter log messages using filters in the toolbar or by using the right-click menu.
Filters are not case-sensitive by default. To use case-sensitive filters, select Tools > Case Sensitive Search.
To filter log messages using filters in the toolbar:
1. Go to the log view you want.
2. Click Add Filter.
Regular search: Click Add Filter and select a filter from the dropdown list, then type a value. Only displayed columns are available in the dropdown list. You can use search operators in regular search.
Switching between regular search and advanced search: At the right end of the Add Filter box, click the Switch to Advanced Search icon or click the Switch to Regular Search icon.
Advanced search: In Advanced Search mode, enter the search criteria (log field names and values).
Search operators and syntax: Click at the right end of the Add Filter box to view the search operators and syntax pane. See also Search operators and syntax on page 393.
CLI string “freestyle” search: Searches the string within the indexed fields configured using the CLI command config ts-index-field. For example, if the indexed fields have been configured using these CLI commands:
config system sql
    config ts-index-field
        edit "FGT-traffic"
            set value "app,dstip,proto,service,srcip,user,utmaction"
        next
    end
end
Then if you type “Skype” in the Add Filter box, FortiAnalyzer searches for “Skype” within these indexed fields: app, dstip, proto, service, srcip, user, and utmaction.
You can combine freestyle search with other search methods, for example, “Skype user=David”.
3. In the Device list, select a device.
4. In the Time list, select a time period.
To filter log summaries using the right-click menu:
In a log message list, right-click an entry and select a filter criterion. Each criterion is offered with two icons: one returns entries matching the filter values, while the other returns entries that do not match the filter values.
Depending on the column in which your cursor is placed when you right-click, Log View uses the column value as the filter criteria. This context-sensitive filter is only available for certain columns.
To see the log field name of a filter/column, right-click the column of a log entry and select a context-sensitive filter. The Add Filter box shows the log field name.
Context-sensitive filters are available for each log field in the log details pane. See Viewing log message details on page 391.
Search operators and syntax
Operators or symbols: Syntax
And: Find log entries containing all the search terms. Connect the terms with a space character, or “and”. Examples:
1. user=henry group=sales
2. user=henry and group=sales
Or: Find log entries containing any of the search terms. Separate the terms with “or” or a comma “,”. Examples:
1. user=henry or srcip=10.1.0.15
2. user=henry,linda
Not: Find log entries that do NOT contain the search terms. Add “-” before the field name. Example:
-user=henry
>, <: Find log entries greater than or less than a value, or within a range. This operator only applies to integer fields. Example:
policyid>1 and policyid<10
IP subnet/range search: Find log entries within a certain IP subnet or range. Examples:
1. srcip=192.168.1.0/24
2. srcip=10.1.0.1-10.1.0.254
Wildcard search: You can use wildcard searches for all field types. Examples:
1. srcip=192.168.1.*
2. policyid=1*
3. user=*
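The operator table above, as an added example that is not code from the guide: a small Python evaluator that applies the same filter syntax (and/space, or/comma, leading "-", > and <, IP subnet and range, wildcards, and the freestyle search over the indexed fields from the config ts-index-field example) to constructed sample records. That "and" binds tighter than "or" is an assumption; the guide does not state the precedence.

```python
import ipaddress
import re
import shlex

# Constructed sample log records (not from the guide); field names follow the guide's examples.
SAMPLE_LOGS = [
    {"user": "henry", "group": "sales", "srcip": "192.168.1.10", "policyid": 5, "app": "Skype"},
    {"user": "linda", "group": "sales", "srcip": "10.1.0.15", "policyid": 12, "app": "SSH"},
    {"user": "henry", "group": "eng", "srcip": "10.1.0.200", "policyid": 1, "app": "HTTPS"},
    {"user": "alice", "group": "eng", "srcip": "172.16.0.5", "policyid": 17, "app": "Skype"},
]

# Indexed fields from the guide's sample "config ts-index-field" entry; a bare word
# (freestyle search) is looked up in these fields.
INDEXED_FIELDS = ["app", "dstip", "proto", "service", "srcip", "user", "utmaction"]

TERM_RE = re.compile(r"^(-?)(\w+)(=|>|<)(.+)$")


def _value_matches(actual, pattern):
    """Match one field value against one value: IP subnet, IP range, wildcard or exact."""
    text = str(actual)
    if "/" in pattern:                      # srcip=192.168.1.0/24
        try:
            return ipaddress.ip_address(text) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    if pattern.count("-") == 1:             # srcip=10.1.0.1-10.1.0.254
        low, high = pattern.split("-")
        try:
            return ipaddress.ip_address(low) <= ipaddress.ip_address(text) <= ipaddress.ip_address(high)
        except ValueError:
            pass                            # not an IP range; treat as ordinary text below
    if "*" in pattern:                      # srcip=192.168.1.*, policyid=1*, user=*
        regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
        return re.match(regex, text, re.IGNORECASE) is not None
    return text.lower() == pattern.lower()  # filters are not case-sensitive by default


def _term_matches(term, log):
    """Evaluate a single term such as user=henry, -user=henry, policyid>1 or Skype."""
    m = TERM_RE.match(term)
    if not m:                               # freestyle term: search the indexed fields
        return any(_value_matches(log[f], term) for f in INDEXED_FIELDS if f in log)
    negate, field, op, value = m.groups()
    if field not in log:
        result = False
    elif op in "<>":                        # > and < only apply to integer fields
        result = int(log[field]) > int(value) if op == ">" else int(log[field]) < int(value)
    else:                                   # comma-separated values are an OR: user=henry,linda
        result = any(_value_matches(log[field], v) for v in value.split(","))
    return not result if negate else result


def matches(query, log):
    """True if the record satisfies the query. Terms joined by a space or "and" must all
    hold; "or" separates alternatives. Assumption: "and" binds tighter than "or"."""
    groups, current = [], []
    for token in shlex.split(query):
        if token.lower() == "or":
            groups.append(current)
            current = []
        elif token.lower() != "and":
            current.append(token)
    groups.append(current)
    return any(all(_term_matches(t, log) for t in g) for g in groups if g)


def search(query, logs=SAMPLE_LOGS):
    """Return 'user:policyid' labels of the sample records matching the query."""
    return [f"{log['user']}:{log['policyid']}" for log in logs if matches(query, log)]
```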
Filtering FortiClient log messages in FortiGate traffic logs
For FortiClient endpoints registered to FortiGate devices, you can filter log messages in FortiGate traffic log files
that are triggered by FortiClient.
To Filter FortiClient log messages:
1. Go to Log View > Traffic.
2. In the Add Filter box, type fct_devid=*. A list of FortiGate traffic logs triggered by FortiClient is displayed.
3. In the message log list, select a FortiGate traffic log to view the details in the bottom pane.
4. Click the FortiClient tab, and double-click a FortiClient traffic log to see details.
The FortiClient tab is available only when the FortiGate traffic logs reference FortiClient traffic logs.
Viewing historical and real-time logs
By default, Log View displays historical logs. Custom View and Chart Builder are only available in historical log
view.
To view real-time logs, in the log message list view toolbar, click Tools > Real-time Log.
To switch back to historical log view, click Tools > Historical Log.
Viewing raw and formatted logs
By default, Log View displays formatted logs. The log view you select affects available view options. You cannot
customize columns when viewing raw logs.
To view raw logs, in the log message list view toolbar, click Tools > Display Raw.
To switch back to formatted log view, click Tools > Formatted Log.
For more information about FortiGate raw logs, see the FortiGate Log Message Reference in the Fortinet
Document Library. For more information about raw logs of other devices, see the Log Message Reference for
the platform type.
Custom views
Use Custom View to save the filter setting, device selection, and the time period you have specified.
To create a new custom view:
1. If using ADOMs, ensure you are in the correct ADOM.
2. Go to Log View, and select a log type.
3. In the content pane, customize the log view as needed by adding filters, specifying devices, and/or specifying a time period.
4. In the toolbar, click Tools > Custom View.
5. In the Name field, type a name for the new custom view.
6. Click OK. The custom view is now displayed under Log View > Custom View.
To edit a custom view:
1. If using ADOMs, ensure you are in the correct ADOM.
2. Go to the Log View > Custom View.
3. In the toolbar, edit the filter settings, and click GO.
4. In the toolbar, click Tools > Custom View.
5. Click Save to save the changes to the existing custom view or click Save as to save the changes to a new custom
view.
6. Click OK.
Downloading log messages
You can download historical log messages to the management computer as a text or CSV file. You cannot
download real-time log messages.
To download log messages:
1. If using ADOMs, ensure you are in the correct ADOM.
2. Go to Log View, and select a log type.
3. In the toolbar, click Tools > Download.
4. In the Download Logs dialog box, configure download options:
- In the Log file format dropdown list, select Text or CSV.
- To compress the downloaded file, select Compress with gzip.
- To download only the current log message page, select Current Page. To download all the pages in the log message list, select All Pages.
5. Click Download.
Creating charts
You can also create charts in Reports > Report Definitions > Chart Library. See Chart library on page 433.
Log View includes a Chart Builder for you to build custom charts for each type of log messages.
To create charts with Chart Builder:
1. If using ADOMs, ensure you are in the correct ADOM.
2. Go to Log View, and select a log type.
3. In the toolbar, click Tools > Chart Builder.
4. In the Chart Builder dialog box, configure the chart and click Save.
Name: Type a name for the chart.
Columns: Select which columns of data to include in the chart based on the log messages that are displayed on the Log View page.
Group By: Select how to group data in the chart.
Order By: Select how to order data in the chart.
Sort: Select a sort order for data in the chart.
Show Limit
Device: Displays the device(s) selected on the Log View page.
Time Frame: Displays the time frame selected on the Log View page.
Query: Displays the query being built.
Preview: Displays a preview of the chart.
Log groups
You can group devices into log groups. You can view FortiView summaries, display logs, generate reports, or
create handlers for a log group. Log groups are virtual so they do not have SQL databases or occupy additional
disk space.
In FortiManager 5.0.6 and earlier, you can treat log groups as a single device that has
its own SQL database. You cannot do this in FortiManager 5.2 and later.
When you add a device with VDOMs to a log group, all VDOMs are automatically added.
To create a new log group:
1. Go to Log View > Log Group.
2. In the content pane toolbar, click Create New.
3. In the Create New Log Group dialog box, type a log group name and add devices to the log group.
4. Click OK.
Log Browse
When a log file reaches its maximum size or a scheduled time, FortiManager rolls the active log file by renaming
the file. The file name is in the form of xlog.N.log, where x is a letter indicating the log type, and N is a unique
number corresponding to the time the first log entry was received. For information about setting the maximum file
size and log rolling options, see Device logs on page 494.
Log Browse displays log files stored for both devices and the FortiAnalyzer itself, and you can view logs in the compressed phase of the log workflow.
In Collector mode, if you want to view the latest log messages, select the latest log file to display its log messages.
To view log files:
1. Go to Log View > Log Browse.
2. Select a log file, and click Display to open the log file and display the log messages in formatted view.
You can perform all the same actions as with the log message list. See Viewing log message details on page 391.
Importing a log file
Imported log files can be useful when restoring data or loading log data for temporary use. For example, if you
have older log files from a device, you can import these logs to the FortiManager unit so that you can generate
reports containing older data.
To import a log file:
1. If using ADOMs, ensure you are in the correct ADOM.
2. Go to Log View > Log Browse and click Import in the toolbar.
3. In the Device dropdown list, select the device the imported log file belongs to or select [Take From Imported File]
to read the device ID from the log file.
If you select [Take From Imported File], the log file must contain a device_id field in its log messages.
4. In the File(s) field, click Choose Files and specify the log file on the management computer.
5. Click OK. A message appears, stating that the upload is beginning, but will be canceled if you leave the page.
6. Click OK. The upload time varies depending on the size of the file and the speed of the connection.
After the log file is successfully uploaded, FortiManager inspects the file:
- If the device_id field in the uploaded log file does not match the device, the import fails. Click Return to try again.
- If you selected [Take From Imported File] and the FortiManager unit’s device list does not currently contain that device, a message appears after the upload. Click OK to import the log file and automatically add the device to the device list.
Downloading a log file
You can download a log file to save it as a backup or to use outside the FortiManager unit. The download consists
of either the entire log file, or a partial log file, as selected by your current log view filter settings and, if
downloading a raw file, the time span specified.
To download a log file:
1. Go to Log View > Log Browse and select the log file that you want to download.
2. In the toolbar, click Download.
3. In the Download Log File(s) dialog box, configure download options:
- In the Log file format dropdown list, select Native, Text, or CSV.
- If you want to compress the downloaded file, select Compress with gzip.
4. Click Download.
Deleting log files
To delete log files:
1. Go to Log View > Log Browse.
2. Select one or more files and click Delete.
3. Click OK to confirm.
Event Management
Event Management displays all events generated by event handlers.
How ADOMs affect events
When ADOMs are enabled, each ADOM has its own event handlers and lists of events. Ensure you are in the
correct ADOM before viewing Event Management. See Switching between ADOMs on page 34.
Predefined event handlers
You can use predefined event handlers to generate events for Event Management. There are predefined event
handlers for FortiGate and FortiCarrier devices. For other devices, you can create custom event handlers.
Logs used for events
Event Management displays events from Analytics logs, not Archive logs.
This pane is only available when the FortiAnalyzer features are enabled. For more
information, see FortiAnalyzer Features on page 367.
Event handlers
Event handlers define what messages to extract from logs and display in Event Management. You must enable
an event handler to start generating events. To see which event handlers are enabled or disabled, see Enabling
event handlers on page 407.
You can configure event handlers to generate events for a specific device, for all devices, or for the local
FortiManager unit. You can create event handlers for FortiGate, FortiCarrier, FortiCache, FortiMail,
FortiManager, FortiWeb, FortiSandbox devices, and syslog servers. In 5.2.0 or later, Event Management
supports local FortiManager event logs.
You can configure the system to send you alerts for event handlers. You can send the alert to an email address,
SNMP community, or syslog server.
Managing event handlers
To manage event handlers, go to Event Management > Event Handler List. The following options are available:
Option: Description
Create New: Create a new event handler.
Edit: Edit the selected event handler.
Delete: Delete the selected event handler. You cannot delete predefined event handlers.
Clone: Clone the selected event handler.
Enable: Enable the selected event handler to start generating events on the Event Management > All Events page.
Disable: Disable the selected event handler to stop generating events on the Event Management > All Events page.
Collapse All / Expand All: Collapse or expand the Filters column.
Show Predefined: Show or hide predefined handlers in the list.
Show Custom: Show or hide custom handlers in the list.
Factory Reset: If you have modified a predefined event handler, return the selected predefined event handler to its factory default settings.
List of predefined event handlers
FortiManager includes predefined event handlers for FortiGate and FortiCarrier devices that you can use to
generate events.
Event Handler: Description
Antivirus Event: Enabled by default
- Severity: Medium
- Log Type: Traffic Log
- Event Category: Antivirus
- Group by: Virus Name
- Log messages that match all conditions:
  - Level Greater Than or Equal To Information
  - Generic Text Filter: virus!='' and virus!='N/A'
App Ctrl Event: Enabled by default
- Severity: Critical
- Log Type: Traffic Log
- Event Category: Application Control
- Group by: Application Name
- Log messages that match any of the following conditions:
  - Application Category Equal To Botnet
  - Application Category Equal To Proxy
Application Crashed Event: Enabled by default
- Severity: Medium
- Log Type: Event Log
- Event Category: System
- Group by: Log Description
- Log messages that match all conditions:
  - Log Description Equal To Application crashed
  - Level Greater Than or Equal To Warning
Conserve Mode: Disabled by default
- Severity: Critical
- Log Type: Event Log
- Event Category: System
- Group by: Message
- Log messages that match all conditions:
  - Log Description Equal To System services entered conserve mode
DLP Event: Disabled by default
- Severity: Medium
- Log Type: Traffic Log
- Event Category: DLP
- Group by: DLP Rule Name
- Log messages that match all conditions:
  - Security Action Equal To Blocked
DNS Botnet C-and-C - High Severity: Enabled by default
- Severity: High
- Log Type: DNS
- Group by: Message
- Log messages that match all conditions:
  - Level Equal To Warning
  - Generic Text Filter: botnetip!='' or botnetdomain!=''
HA Failover: Disabled by default
- Severity: Medium
- Log Type: Event Log
- Event Category: HA
- Group by: Log Description
- Log messages that match any of the following conditions:
  - Log Description Equal To Virtual cluster move member
  - Log Description Equal To Virtual cluster member state moved
Interface Down: Disabled by default
- Severity: High
- Log Type: Event Log
- Event Category: System
- Group by: Message
- Log messages that match all conditions:
  - Action Equal To interface-stat-change
  - Status Equal To DOWN
Interface Up: Disabled by default
- Severity: Medium
- Log Type: Event Log
- Event Category: System
- Group by: Message
- Log messages that match all conditions:
  - Action Equal To interface-stat-change
  - Status Equal To UP
IPS - Critical Severity: Enabled by default
- Severity: Critical
- Log Type: IPS
- Group by: Attack Name
- Log messages that match all conditions:
  - Severity Equal To Critical
IPS - High Severity: Enabled by default
- Severity: High
- Log Type: IPS
- Group by: Attack Name
- Log messages that match all conditions:
  - Severity Equal To High
IPS - Low Severity: Disabled by default
- Severity: Low
- Log Type: IPS
- Group by: Attack Name
- Log messages that match all conditions:
  - Severity Equal To Low
IPS - Medium Severity: Disabled by default
- Severity: Medium
- Log Type: IPS
- Group by: Attack Name
- Log messages that match all conditions:
  - Severity Equal To Medium
IPsec Phase2 Down: Disabled by default
- Severity: Medium
- Log Type: Event Log
- Event Category: VPN
- Group By: VPN Tunnel
- Log messages that match all conditions:
  - Action Equal To phase2-down
IPsec Phase2 Up: Disabled by default
- Severity: Medium
- Log Type: Event Log
- Event Category: VPN
- Group By: VPN Tunnel
- Log messages that match all conditions:
  - Action Equal To phase2-up
Local Device Event: Enabled by default
- Devices: Local Device
- Severity: Medium
- Log Type: Event Log
- Event Category: Any
- Group By: Device ID
- Log messages that match all conditions:
  - Level Greater Than or Equal To Warning
Power Supply Failure: Disabled by default
- Severity: Critical
- Log Type: Event Log
- Event Category: System
- Group by: Message
- Log messages that match all conditions:
  - Action Equal To power-supply-monitor
  - Status Equal To failure
UTM Antivirus Event: Enabled by default
- Severity: High
- Log Type: Antivirus Log
- Group by: Virus Name
- Log messages that match all conditions:
  - Level Greater Than or Equal To Information
  - Generic Text Filter: virus!='' and virus!='N/A' and dtype!='fortisandbox'
UTM App Ctrl Event: Enabled by default
- Severity: Critical
- Log Type: Application Control
- Group by: Application Name
- Log messages that match any of the following conditions:
  - Application Category Equal To Botnet
  - Application Category Equal To Proxy
UTM DLP Event: Disabled by default
- Severity: Medium
- Log Type: DLP
- Group by: Profile
- Log messages that match all conditions:
  - Action Equal To Block
UTM Web Filter Event: Enabled by default
- Severity: Medium
- Log Type: Web Filter
- Group by: Category
- Log messages that match any of the following conditions:
  - Web Category Equal To Child Abuse
  - Web Category Equal To Discrimination
  - Web Category Equal To Drug Abuse
  - Web Category Equal To Explicit Violence
  - Web Category Equal To Extremist Groups
  - Web Category Equal To Hacking
  - Web Category Equal To Illegal or Unethical
  - Web Category Equal To Plagiarism
  - Web Category Equal To Proxy Avoidance
  - Web Category Equal To Malicious Websites
  - Web Category Equal To Phishing
  - Web Category Equal To Spam URLs
Web Filter Event: Enabled by default
- Severity: Medium
- Log Type: Traffic Log
- Event Category: Web Filter
- Group by: Category
- Log messages that match any of the following conditions:
  - Web Category Equal To Child Abuse
  - Web Category Equal To Discrimination
  - Web Category Equal To Drug Abuse
  - Web Category Equal To Explicit Violence
  - Web Category Equal To Extremist Groups
  - Web Category Equal To Hacking
  - Web Category Equal To Illegal or Unethical
  - Web Category Equal To Plagiarism
  - Web Category Equal To Proxy Avoidance
  - Web Category Equal To Malicious Websites
  - Web Category Equal To Phishing
  - Web Category Equal To Spam URLs
Enabling event handlers
For both predefined and custom event handlers, you must enable the event handler to generate events. In the Event Handler List, the Name column displays one icon for enabled event handlers and a different icon for disabled event handlers.
If you want to receive alerts for predefined event handlers, edit the predefined event handler to configure notifications.
To enable event handlers:
1. If using ADOMs, ensure you are in the correct ADOM.
2. Go to Event Management > Event Handler List.
3. Select one or more event handlers and click More > Enable or right-click an event handler and select Enable.
Creating custom event handlers
To create a new event handler:
1. If using ADOMs, ensure you are in the correct ADOM.
2. Go to Event Management > Event Handler List.
3. In the toolbar, click Create New.
4. Configure the settings as required and click OK. For a description of the fields, see Create New Handler pane on
page 409.
5. Click OK to create the new event handler.
Creating custom event handlers using the Generic Text Filter
The Generic Text Filter uses regex (regular expression) syntax. You must use an escape character when needed.
For example, cfgpath=firewall.policy is the wrong syntax because it's missing an escape character. The
correct syntax is cfgpath=firewall\.policy.
To create an event handler using the Generic Text Filter to match raw log data:
1. If using ADOMs, ensure you are in the correct ADOM.
2. Go to Log View and select a log type.
3. In the toolbar, click Tools > Display Raw.
The easiest method is to copy the text string you want from the raw log and paste it into the Generic Text Filter
field. Ensure you insert an escape character when necessary, for example, cfgpath=firewall\.policy.
4. Locate and copy the text in the raw log.
5. Go to Event Management > Event Handler List and click Create New.
6. In the Generic Text Filter box, paste the text you copied or type the text you want. Ensure you use the raw log field
names, for example, mem (not memory) and setuprate (not setup-rate).
For information on text format and operators, hover the cursor over the help icon. The operator ~ means contains
and !~ means does not contain.
7. If you want to be notified of events, configure the Notifications section.
8. Configure other settings as required and click OK. For a description of the fields, see Create New Handler pane on
page 409.
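The filter language described in these steps, as an added Python model (not FortiManager's code): it parses raw key=value log lines, evaluates a Generic Text Filter built from =, !=, ~ and !~ joined by and/or, and shows why the unescaped cfgpath=firewall.policy also matches an unrelated value. The log lines are constructed, and the exact matching semantics (anchored for = and !=, substring for ~ and !~, and binding tighter than or) are assumptions of this model.

```python
import re
from typing import Dict, List

# Constructed raw log lines in FortiGate key=value style (sample data, not captured
# from a real device). Line 1 deliberately uses "firewall-policy" to show the
# escaping pitfall the guide describes.
RAW_LOGS = [
    'date=2018-01-19 type=event subtype=system cfgpath=firewall.policy cfgobj=12 '
    'cfgattr="status[enable->disable]" msg="Edit firewall.policy 12"',
    'date=2018-01-19 type=event subtype=system cfgpath=firewall-policy msg="Edit firewall-policy"',
    'date=2018-01-19 type=utm subtype=virus virus="EICAR_TEST_FILE" dtype="Virus" level=warning',
    'date=2018-01-19 type=utm subtype=virus virus="N/A" dtype="fortisandbox" level=information',
    'date=2018-01-19 type=event subtype=system mem=91 setuprate=1200 level=notice',
]

# key=value pairs; values may be double-quoted and contain spaces
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# one condition: <raw field name> <operator> <regex value>
_COND = re.compile(r"^\s*(\w+)\s*(!~|!=|~|=)\s*(.+?)\s*$")


def parse_raw_log(line: str) -> Dict[str, str]:
    """Split a raw log line into {field: value}, dropping surrounding quotes."""
    fields = {}
    for key, value in _KV.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def _unquote(value: str) -> str:
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return value


def eval_condition(cond: str, fields: Dict[str, str]) -> bool:
    """Evaluate one condition against parsed fields.

    Assumed semantics (the guide only states that the filter is regex and that
    ~ means contains, !~ means does not contain): = and != anchor the regex to
    the whole field value, ~ and !~ search for it anywhere. A missing field is
    treated as an empty string, so virus!='' rejects logs with no virus field.
    """
    m = _COND.match(cond)
    if not m:
        raise ValueError(f"cannot parse condition: {cond!r}")
    field, op, raw_value = m.groups()
    pattern = _unquote(raw_value)
    actual = fields.get(field, "")
    if op in ("=", "!="):
        hit = re.fullmatch(pattern, actual) is not None
    else:
        hit = re.search(pattern, actual) is not None
    return hit if op in ("=", "~") else not hit


def eval_filter(expr: str, fields: Dict[str, str]) -> bool:
    """Evaluate 'c1 and c2 or c3': 'and' binds tighter than 'or' (assumed)."""
    for disjunct in re.split(r"\s+or\s+", expr, flags=re.IGNORECASE):
        conds = re.split(r"\s+and\s+", disjunct, flags=re.IGNORECASE)
        if all(eval_condition(c, fields) for c in conds):
            return True
    return False


def matching_logs(expr: str, raw_logs: List[str]) -> List[int]:
    """Return the indexes of the raw log lines the filter would turn into events."""
    return [i for i, line in enumerate(raw_logs) if eval_filter(expr, parse_raw_log(line))]


if __name__ == "__main__":
    # Unescaped '.' is a wildcard, so the wrong syntax also matches 'firewall-policy'.
    print(matching_logs("cfgpath=firewall.policy", RAW_LOGS))        # [0, 1]
    print(matching_logs(r"cfgpath=firewall\.policy", RAW_LOGS))      # [0]
    # The predefined antivirus handler's filter, quoted from the table above.
    print(matching_logs("virus!='' and virus!='N/A' and dtype!='fortisandbox'", RAW_LOGS))  # [2]
    # Raw field names, as the guide says: mem, not memory.
    print(matching_logs(r"level~warn or mem=9\d", RAW_LOGS))          # [2, 4]
```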
Create New Handler pane
Following is a description of the options available in the Create New Handler pane:

Status
    Enable or disable the event handler.
Name
    Add a name for the handler.
Description
    Type a description of the event handler.
Devices
    Select the devices to include.
    • All Devices
    • Specify: To add devices, click the Add icon.
    • Local Device: Select if the event handler is for local FortiManager event logs. This option is only available in the root ADOM and is used to query FortiManager event logs.
Severity
    Select the severity from the dropdown list: Critical, High, Medium, or Low.
Filters
    Configure filters for the handler.
Log Type
    Select the log type from the dropdown list.
    When Devices is set to Local Device, the Log Type is Event Log.
Event Category
    Select the category of event that this handler monitors. The available options depend on the platform type.
    This option is only available when Log Type is set to Traffic Log or Event Log, and Devices is set to All Devices or Specify.
Group By
    Select to group by Application Name or Application Category.
Logs match
    Select All or Any of the following conditions.
Log Field
    Select a log field to filter from the dropdown list. The available options depend on the selected log type.
Match Criteria
    Select the match criteria from the dropdown list. The available options depend on the selected log field.
Value
    Either select a value from the dropdown list or enter a value in the text box. The available options depend on the selected log field.
Add Filter
    Add log filters.
    When Devices is set to Local Device, this option is not available. You can only set one log field filter.
Delete
    Delete the filter. There must be at least one filter.
Generic Text Filter
    Enter a generic text filter. For more information on creating a generic text filter, see Creating custom event handlers using the Generic Text Filter on page 408. For information on text format, hover the cursor over the help icon. The operator ~ means contains and !~ means does not contain.
Notifications
    Configure alerts for the handler.
Generate alert when at least
    Enter threshold values to generate alerts. Enter the number of matching events that must occur in the number of minutes specified in the second text box to generate an alert.
Send Alert Email
    Send an alert by email. Specify email parameters including the mail server. For more information, see Mail Server on page 490.
Send SNMP(...) Trap
    Select one or both checkboxes and specify an SNMP community or user from the dropdown list. Click the add icon to create a new SNMP community or user. For more information, see SNMP on page 481.
Send Alert to Syslog Server
    Send an alert to the syslog server. Select a syslog server from the dropdown list. Click the add icon to create a new syslog server. For more information, see Syslog Server on page 492.
Send Each Alert Separately
    Select to send each alert individually instead of in a group.
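How the Generate alert when at least threshold, the Group By field and Send Each Alert Separately combine, as an added Python model rather than FortiManager's own logic. The handler values, the sample DLP logs (already matching Action Equal To Block, grouped by Profile as in the predefined UTM DLP Event handler) and the inclusive window boundary are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class EventHandler:
    """The Create New Handler fields that drive alerting (names follow the pane)."""
    name: str
    severity: str
    group_by: str                 # log field whose value defines one event group
    min_events: int               # Generate alert when at least <min_events> events ...
    within_minutes: int           # ... occur in <within_minutes> minutes
    send_each_alert_separately: bool = False


@dataclass
class Alert:
    handler: str
    severity: str
    group_value: str
    first_seen: datetime
    last_seen: datetime
    count: int


def generate_alerts(handler: EventHandler, matched_logs: List[Dict]) -> List[Alert]:
    """Apply the handler's threshold to logs that already passed its filters.

    Logs are bucketed by the Group By field. Within each bucket a sliding window
    keeps only events no older than within_minutes relative to the newest one;
    when the window holds min_events entries an alert is raised and the window is
    drained so the same logs are not counted twice. The window boundary is
    inclusive (an event exactly within_minutes old still counts); that detail is
    an assumption of this model, not documented behaviour.
    """
    window = timedelta(minutes=handler.within_minutes)
    by_group: Dict[str, List[datetime]] = {}
    for log in sorted(matched_logs, key=lambda entry: entry["time"]):
        by_group.setdefault(log.get(handler.group_by, ""), []).append(log["time"])

    alerts: List[Alert] = []
    for value, times in by_group.items():
        pending: List[datetime] = []
        for t in times:
            pending = [p for p in pending if t - p <= window]
            pending.append(t)
            if len(pending) >= handler.min_events:
                alerts.append(Alert(handler.name, handler.severity, value,
                                    pending[0], t, len(pending)))
                pending = []
    return alerts


def notifications(handler: EventHandler, alerts: List[Alert]) -> List[str]:
    """Render the messages a notification target would receive.

    Assumed reading of "Send Each Alert Separately": on, one message per alert;
    off, all alerts for the handler bundled into a single message.
    """
    lines = [
        f"[{a.severity}] {handler.name}: {a.count} x {handler.group_by}={a.group_value!r} "
        f"between {a.first_seen:%H:%M} and {a.last_seen:%H:%M}"
        for a in alerts
    ]
    if handler.send_each_alert_separately or not lines:
        return lines
    return ["\n".join(lines)]


def _t(hhmm: str) -> datetime:
    return datetime(2018, 1, 19, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample: DLP logs that already match "Action Equal To Block",
# grouped by Profile; threshold "at least 3 events in 5 minutes" is also made up.
DLP_HANDLER = EventHandler("UTM DLP Event", "Medium", "profile", min_events=3, within_minutes=5)
SAMPLE_LOGS = [
    {"time": _t("09:00"), "profile": "block-ssn", "action": "block"},
    {"time": _t("09:02"), "profile": "block-ssn", "action": "block"},
    {"time": _t("09:04"), "profile": "block-ssn", "action": "block"},  # 3rd in 4 min: alert
    {"time": _t("09:30"), "profile": "block-ssn", "action": "block"},
    {"time": _t("09:40"), "profile": "block-ssn", "action": "block"},  # 10 min apart: no alert
    {"time": _t("09:01"), "profile": "block-cc", "action": "block"},
    {"time": _t("09:01"), "profile": "block-cc", "action": "block"},
    {"time": _t("09:06"), "profile": "block-cc", "action": "block"},   # exactly 5 min: alert
]

if __name__ == "__main__":
    for msg in notifications(DLP_HANDLER, generate_alerts(DLP_HANDLER, SAMPLE_LOGS)):
        print(msg)
```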
Filtering event handlers
You can filter the list of event handlers to show only predefined or custom handlers.
To filter event handlers:
1. If using ADOMs, ensure you are in the correct ADOM.
2. Go to Event Management > Event Handler List.
3. In the toolbar, click More > Show Predefined or More > Show Custom to filter the event handlers.
Searching event handlers
To search event handlers:
1. Go to Event Management > Event Handler List.
2. Type a search term in the search box at the top-right.
Resetting to factory defaults
You can change predefined event handlers as needed. If required, you can restore predefined event handlers to
factory default settings.
To reset predefined event handlers:
1. If using ADOMs, ensure you are in the correct ADOM.
2. Go to Event Management > Event Handler.
3. Ensure the Show Predefined checkbox is selected.
4. Select one or more predefined event handlers.
5. Click More > Factory Reset to return the settings to factory defaults.
You can also reset predefined event handlers to factory default settings in the Edit Handler page.
Events
After event handlers start generating events, you can view events and event details. Event Management > All
Events shows events by type and severity in a graphical format, and recent events in a tabular format. Event
Management > Calendar View shows events by month or week in a calendar or bar chart format.
When rebuilding the SQL database, you might not see a complete list of historical events. However, you can always see events in real-time logs. You can view the status of the SQL rebuild by checking the Rebuilding DB status in the Notification Center.
Event summaries
• To view event summaries, go to Event Management > All Events.
• To refresh the event summaries data, click Refresh.
• To change the time period to display, click the time icon and specify a time period.
• To view event handlers, click Event Handler List.
All Events shows events by type and severity in a graphical format, and recent events in a tabular format.

Events by Type
    Events by Type shows a pie chart organized by event type.
    • To view the number of alerts (Events) and the number of logs (Counts) for that event type, hover the cursor over parts of the pie or legend.
    • To view a list showing only that type of event, click on that element in the chart.
Events by Severity
    Events by Severity shows a bar chart organized by event severity.
    • To view the number of alerts (Events) and the number of logs (Counts) for that event severity, hover the cursor over a bar.
    • To view a list showing only events with that severity, click on a bar in the chart.
Recent Events
    Recent Events shows events for the selected time span.
    • To sort by a column, click the column header.
    • To include acknowledged events, click Show Acknowledged. See Acknowledging events.
    • To search the list, type a search term in the search box.
    • To edit a handler, click a Handler element. See Event handlers.
    • To view information about an event and recommended actions, click its Event Name hyperlink. This option is only available for some events.
    • To view event details, double-click the event line. See Event details.
Filtered event list
In Events by Type and Events by Severity, click an element to show only events of that type or severity. The
filtered event list shows the same information and options as the Recent Events list.
To return to the previous page, click the back button.
Event details
In Recent Events or a filtered events list, to view event details, double-click the event line or right-click the event
and select View Details.
The event details page contains information about the event and a list of all individual logs. You can print,
acknowledge, and add comments to the event.
• To change what columns to display, click Column Settings or Column Settings > More Columns.
• To display more details, double-click a line or select a line and click Display Details in the bottom-right. The log details pane opens on the right side of the window.
• To return to the previous page, click the back button.
Acknowledging events
Acknowledging an event removes it from the recent events list (if Show Acknowledged is not selected).
To acknowledge events:
• In the recent events list, select one or more events, then right-click and select Acknowledge.
• In the event details page, click Acknowledge.
Event calendar
Calendar View shows events by month or week in a calendar or bar chart format.
To include only events of a specific severity, click Severity Filters and select which severity levels to include. The
default filter is critical and high severity.
Click on any element in any of the views to open the filtered events list; see Filtered event list on page 412.
Click the Calendar Chart button in the toolbar to display the calendar. The monthly view of the calendar shows
bar charts of the events by severity on each day of the month. The weekly view shows the events for each hour of
each day of the week. Click the arrows on either side of the calendar heading to scroll through months or weeks.
Click the Bar Chart button in the toolbar to change to the bar chart view. The bar chart view shows a stacked,
vertical bar chart of the count versus time (days). Hovering the cursor over a bar shows the number of logs of each
severity and the total for that day.
Reports
You can generate data reports from logs by using the Reports feature. You can do the following:
• Use predefined reports. Predefined report templates, charts, and macros are available to help you create new reports.
• Create customized reports.
Report files are stored in the reserved space for the FortiManager device. See Automatic deletion on page 199.
When rebuilding the SQL database, Reports are not available until the rebuild is completed. Select the Show Progress link in the message to view the status of the SQL rebuild.
This pane is only available when the FortiAnalyzer features are enabled. For more information, see FortiAnalyzer Features on page 367.
How ADOMs affect reports
When ADOMs are enabled, each ADOM has its own reports, libraries, and advanced settings. Make sure you are
in the correct ADOM before selecting a report. See Switching between ADOMs on page 34.
Some reports are available only when ADOMs are enabled. For example, ADOMs must be enabled to access
FortiCarrier, FortiCache, FortiClient, FortiDDoS, FortiMail, FortiSandbox, and FortiWeb reports. You can
configure and generate reports for these devices within their respective default ADOM. These devices also have
device-specific charts and datasets.
Predefined reports, templates, charts, and macros
FortiManager includes a number of predefined elements you can use to create and/or build reports.
Reports
    GUI location: Reports > Report Definitions > All Reports
    Purpose: You can generate reports directly or with minimal configuration. Predefined reports are actually report templates with basic default settings.
Templates
    GUI location: Reports > Report Definitions > Templates
    Purpose: You can use templates directly or build upon them. Report templates include charts and/or macros and specify the layout of the report. A template populates the Layout tab of a report that is to be created. See List of report templates on page 431.
Charts
    GUI location: Reports > Report Definitions > Chart Library
    Purpose: You can use charts directly in a report template you are creating, or in the Layout tab of a report that you are creating. Charts specify what data to extract from logs.
Macros
    GUI location: Reports > Report Definitions > Macro Library
    Purpose: You can use macros directly in a report template that you are creating, or in the Layout tab of a report that you are creating. Macros specify what data to extract from logs.
Logs used for reports
The Reports feature uses Analytics logs to generate reports. Archive logs are not used to generate reports.
How charts and macros extract data from logs
Reports include charts and/or macros. Each chart and macro is associated with a dataset. When you generate a
report, the dataset associated with each chart and macro extracts data from the logs and populates the charts
and macros.
FortiManager includes a number of predefined charts and macros. You can also create custom charts and
macros.
How auto-cache works
When you generate a report, it can take days to assemble the required dataset and produce the report,
depending on the required datasets. Instead of assembling datasets at the time of report generation, you can
enable the auto-cache feature for the report.
Auto-cache is a setting that tells the system to automatically generate hcache. The hcache (hard cache) means
that the cache stays on disk in the form of database tables instead of memory. Hcache is applied to “matured”
database tables. When a database table rolls, it becomes “mature”, meaning the table will not grow anymore.
Therefore, it is unnecessary to query this database table each time for the same SQL query, so hcache is used.
Hcache runs queries on matured database tables in advance and caches the interim results of each query. When
it is time to generate the report, most of the datasets are already assembled, and the system only needs to
merge the results from the hcaches. This reduces report generation time significantly.
The auto-cache process uses system resources to assemble and cache the datasets and it takes extra space to
save the query results. You should only enable auto-cache for reports that require a long time to assemble
datasets.
Generating reports
You can generate reports by using one of the predefined reports or by using a custom report that you created. You
can find all the predefined reports and custom reports listed in Reports > Report Definitions > All Reports.
To generate a report:
1. Go to Reports > Report Definitions > All Reports.
2. In the content pane, select a report from the list.
3. (Optional) Click Edit in the toolbar and edit settings on the Settings and Layout tabs. For a description of the
fields in the Settings and Layout tabs, see Reports Settings tab on page 421 and Creating charts on page 433 and
Macro library on page 437.
4. In the toolbar, click Run Report.
Viewing completed reports
After you generate reports, you can view completed reports in Reports > Generated Reports or Reports > Report
Definitions > All Reports. You can view reports in the following formats: HTML, PDF, XML, and CSV.
To view completed reports in Generated Reports:
1. Go to Reports > Generated Reports.
This view shows all generated reports for the specified time period.
2. To sort the report list by date, click Order by Time. To sort the report list by report name, click Order by Name.
3. Locate the report and click the format in which you want to view the report to open the report in that format.
For example, if you want to review the report in HTML format, click the HTML link.
To view completed reports in All Reports:
1. Go to Reports > Report Definitions > All Reports.
2. On the report list, double-click a report to open it.
3. In the View Report tab, locate the report and click the format in which you want to view the report to open the
report in that format.
For example, if you want to review the report in HTML format, click the HTML link.
Enabling auto-cache
You can enable auto-cache to reduce report generation time for reports that require a long time to assemble
datasets. For information about auto-cache and hcache, see How auto-cache works on page 416.
You can see the status of building the cache in Reports > Report Definitions > All Reports in the Cache Status
column.
To enable auto-cache:
1. Go to Reports > Report Definitions > All Reports.
2. Select the report from the list, and click Edit in the toolbar.
3. In the Settings tab, select the Enable Auto-cache checkbox.
4. Click Apply.
Grouping reports
If you are running a large number of reports which are very similar, you can significantly improve report generation
time by grouping the reports. Grouping reports has these advantages:
• Reduce the number of hcache tables.
• Improve auto-hcache completion time.
• Improve report completion time.
Step 1: Configure report grouping
For example, to group reports with titles containing string Security_Report by device ID and VDOM, enter
the following CLI commands:
config system report group
    edit 0
        set adom root
        config group-by
            edit devid
            next
            edit vd
            next
        end
        set report-like Security_Report
    next
end
Notes:
• The report-like field specifies the string in report titles that is used for report grouping. This string is case-sensitive.
• The group-by value controls how cache tables are grouped.
• To view report grouping information, enter the following CLI command, then check the Report Group column of the table that is displayed.
    execute sql-report list-schedule <ADOM>
Step 2: Initiate a rebuild of hcache tables
To initiate a rebuild of hcache tables, enter the following CLI command:
diagnose sql hcache rebuild-report <start-time> <end-time>
Where <start-time> and <end-time> are in the format: <yyyy-mm-dd hh:mm:ss>.
Retrieving report diagnostic logs
Once you start to run a report, FortiAnalyzer creates a log about the report generation status and system
performance. Use this diagnostic log to troubleshoot report performance issues. For example, if your report is
very slow to generate, you can use this log to check system performance and see which charts take the longest
time to generate.
To retrieve report generation logs:
1. In Reports > Generated Report, right-click the report and select Retrieve Diagnostic to download the log to your
computer.
2. Use a text editor to open the log.
Scheduling reports
You can configure a report to generate on a regular schedule. Schedules can be viewed in the Report Calendar.
See Report calendar on page 444.
To schedule a report:
1. Go to Reports > Report Definitions > All Reports.
2. Select a report and click Edit in the toolbar.
3. Click Settings in the toolbar.
4. Select the Enable Schedule checkbox and configure the schedule.
5. Click Apply.
Creating reports
You can create reports from report templates, by cloning and editing predefined/existing reports, or start from
scratch.
Creating reports from report templates
You can create a new report from a template. The template populates the Layout tab of the report. The template
specifies what text, charts, and macros to use in the report and the layout of the content. Report templates do not
contain any data. Data is added to the report when you generate the report.
To create a new report from a template:
1. If using ADOMs, ensure you are in the correct ADOM.
2. Go to Reports > Report Definitions > All Reports.
3. In the toolbar, click Create New. The Create Report dialog box opens.
4. In the Name box, type a name for the new report. The following characters are NOT supported in report names: \ / " ' < > & , | # ? % $ +
5. Select From Template for the Create from setting, then select a template from the dropdown list. The template
populates the Layout tab of the report.
6. Select the folder that the new report will be saved to from the dropdown list. See Organizing reports into folders on
page 429 for information about folders.
7. Select OK to create the new report.
8. On the Settings tab, configure the settings as required. For a description of the fields, see Reports Settings tab on
page 421.
9. Optionally, go to the Layout tab to customize the report layout and content. For a description of the fields, see
Reports Layout tab on page 424.
10. Click Apply to save your changes.
Creating reports by cloning and editing
You can create reports by cloning and editing predefined and/or existing reports.
To create a report by cloning and editing:
1. If using ADOMs, ensure you are in the correct ADOM.
2. Go to Reports > Report Definitions > All Reports.
3. In the content pane, select the report from the list, then click Clone in the toolbar.
4. In the Clone Report dialog box, type a name for the cloned report. The following characters are NOT supported in report names: \ / " ' < > & , | # ? % $ +
5. Select the folder that the new report will be saved to from the dropdown list. See Organizing reports into folders on
page 429 for information about folders.
6. Select OK to create the new report.
7. On the Settings tab, configure the settings as required. For a description of the fields, see Reports Settings tab on
page 421.
8. Optionally, go to the Layout tab to customize the report layout and content. For a description of the fields, see
Reports Layout tab on page 424.
9. Click Apply to save your changes.
Creating reports without using a template
To create a report without using a template:
1. If using ADOMs, ensure you are in the correct ADOM.
2. Go to Reports > Report Definitions > All Reports.
3. In the toolbar, click Create New. The Create New Report dialog box opens.
4. In the Name box, type a name for the new report. The following characters are NOT supported in report names: \ / " ' < > & , | # ? % $ +
5. Select the Blank option for the Create from setting.
6. Select the folder that the new report will be saved to from the dropdown list. See Organizing reports into folders on
page 429 for information about folders.
7. Select OK to create the new report.
8. On the Settings tab, you can specify a time period for the report, what device logs to include in the report, and so
on. You can also add filters to the report, add a cover page to the report, and so on. For a description of the fields,
see Reports Settings tab on page 421.
To create a custom cover page, you must select Print Cover Page in the Advanced Settings menu.
9. On the Layout tab, you can specify the charts and macros to include in the report, as well as report content and
layout.
For a description of the fields, see Reports Layout tab on page 424.
For information about creating charts and macros, see Creating charts on page 433 and Creating macros on
page 437.
10. Click Apply to save your changes.
Reports Settings tab
The following options are available in the Settings tab:

Time Period
    The time period the report covers. Select a time period or select Custom to manually specify the start and end date and time.
Devices
    The devices to include in the report. Select either All Devices or Specify to add specific devices. Select the add icon to select devices.
Type
    Select either Single Report (Group Report) or Multiple Reports (Per-Device).
    This option is only available if multiple devices are selected.
Enable Schedule
    Select to enable report template schedules.
Enable Auto-Cache
    Select to assemble datasets before generating the report and as the data is available. This process uses system resources and is recommended only for reports that require days to assemble datasets. Disable this option for unused reports and for reports that require little time to assemble datasets.
Generate PDF Report Every
    Select when the report is generated. Enter a number for the frequency of the report based on the time period selected from the dropdown list.
Start time
    Enter a starting date and time for the file generation.
End time
    Enter an ending date and time for the file generation, or set it to never ending.
Enable Notification
    Select to enable report notification.
Output Profile
    Select the output profile from the dropdown list, or click Create New to create a new output profile. See Output profiles on page 441.

Filters section of Reports Settings tab
See Filtering report output on page 428.
Advanced Settings section of Reports Settings tab
The following options are available in the Advanced Settings section of the Settings tab.

Language
    Select the report language. Select one of the following: Default, English, French, Japanese, Korean, Portuguese, Simplified_Chinese, Spanish, or Traditional_Chinese.
Bundle rest into “Others”
    Select to bundle the uncategorized results into an Others category.
Print Orientation
    Set the print orientation to portrait or landscape.
Chart Heading Level
    Set the heading level for the chart heading.
Default Font
    Set the default font.
Hide # Column
    Select to hide the column numbers.
Layout Header
    Enter header text and select the header image. Accept the default Fortinet image or click Browse to select a different image.
Layout Footer
    Select either the default footer or click Custom to enter custom footer text in the text field.
Print Cover Page
    Select to print the report cover page. Click Customize to customize the cover page. See Customizing report cover pages on page 423.
Print Table of Contents
    Select to include a table of contents.
Print Device List
    Select to print the device list. Select Compact, Count, or Detailed from the dropdown list.
Print Report Filters
    Select to print the filters applied to the report.
Obfuscate User
    Select to hide user information in the report.
Resolve Hostname
    Select to resolve hostnames in the report.
Allow Save Maximum
    Select a value between 1 and 10000 for the maximum number of reports to save.
Color Code
    The color used to identify the report on the calendar. Select a color code from the dropdown list to apply to the report schedule. Color options include: Bold Blue, Blue, Turquoise, Green, Bold Green, Yellow, Orange, Red, Bold Red, Purple, and Gray.
Customizing report cover pages
A report cover page is only included in the report when enabled on the Settings tab in the Advanced Settings
section.
When enabled, the cover page can be customized to contain the desired information and imagery.
To customize a report cover page:
1. If using ADOMs, ensure you are in the correct ADOM.
2. Go to Reports > Report Definitions > All Reports.
3. In the content pane, select the report from the list, and click Edit in the toolbar.
4. Select the Settings tab and then click Advanced Settings.
5. Select the Print Cover Page checkbox, then click Customize next to the checkbox. The Edit Cover Page pane
opens.
6. Configure the following settings:
    Background Image
        Click Browse to open the Choose an Image dialog box. Select an image or click Upload File to find an image on the management computer, then click OK to add the image as the background image of the cover page.
    Top Image
        Click Browse to open the Choose an Image dialog box. Select an image or click Upload File to find an image on the management computer, then click OK to add the image at the top of the cover page.
    Top Image Position
        Select the top image position from the dropdown menu. Select one of the following: Left, Center, Right.
    Text Color
        Select a text color from the dropdown list.
    Show Creation Time
        Select to print the report date on the cover page.
    Show Data Range
        Select to print the data range on the cover page.
    Report Title
        Accept the default title or type another title in the Report Title field.
    Custom Text 1
        If you want, enter custom text for the Custom Text 1 field.
    Custom Text 2
        If you want, enter custom text for the Custom Text 2 field.
    Bottom Image
        Click Browse to open the Choose an Image dialog box. Select an image or click Upload File to find an image on the management computer, then click OK to add the image to the bottom of the cover page.
    Footer Left Text
        If you want, enter custom text to be printed in the left footer of the cover page.
    Footer Right Text
        If you want, enter custom text to be printed in the right footer of the cover page.
    Footer Background Color
        Select the cover page footer background color from the dropdown list.
    Reset to Default
        Select to reset the cover page settings to their default settings.
7. Click OK to save the configurations and return to the Settings tab.
Reports Layout tab
Because the cut, copy, and paste functions need access to the clipboard of your operating system, some Internet browsers either block it when called from the layout editor toolbar, or ask you to explicitly agree to it. If you’re blocked from accessing the clipboard by clicking the respective cut, copy and paste buttons from the toolbar or context menu, you can always use keyboard shortcuts.
The following options are available in the Layout tab (layout editor):
424
Field
Description
Insert Chart or Edit Chart
Click to insert or edit a FortiManager chart. Charts are associated with
datasets that extract data from logs for the report.
In the Insert Chart or Chart Properties dialog box, you can specify a
custom title, width, and filters for the chart. For information on setting
filters, see Filtering report output on page 428.
You can edit a chart by right clicking a chart in the layout editor and
selecting Chart Properties or by clicking the chart to select it and then
clicking Edit Chart.
Insert Macro
Click to insert a FortiManager macro. Macros are associated with datasets
that extract data from logs for the report.
Administration Guide
Fortinet Technologies Inc.
Creating reports
Reports
Field
Description
Image
Click the Image button in the toolbar to insert an image into the report
layout. Right-click an existing image to edit image properties.
Table
Click the Table button in the toolbar to insert a table into the report layout.
Right-click an existing table to edit a cell, row, column, table properties, or
delete the table.
Insert Horizontal Line
Click to insert a horizontal line.
Insert Page Break for Printing
Click to insert a page break for printing.
Link
Click the Link button in the toolbar to open the Link dialog box. You can
select to insert a URL, a link to an anchor in the text, or an email address.
Alternatively, use the CTRL+L keyboard shortcut to open the Link dialog
box.
Anchor
Click the Anchor button in the toolbar to insert an anchor in the report
layout.
Cut
To cut a text fragment, start with selecting it. When the text is selected,
you can cut it using one of the following methods:
• Click the Cut button in the toolbar
• Right-click and select Cut in the menu
• Use the CTRL+X shortcut on your keyboard.
Copy
To copy a text fragment, start with selecting it. When the text is selected,
you can copy it using one of the following methods:
• Click the Copy button in the toolbar
• Right-click and select Copy in the menu
• Use the CTRL+C shortcut on your keyboard.
Paste
To paste text, start with cutting or copying from another source. Depending
on the security settings of your browser, you may either paste directly from
the clipboard or use the Paste dialog box.
Paste as plain text
Click Paste as plain text to paste formatted text without the formatting. If
the browser blocks the editor toolbar’s access to clipboard, a Paste as
Plain Text dialog box appears and you can paste the fragment into the text
box using the CTRL+V keyboard shortcut.
Paste from Word
You can preserve basic formatting when you paste a text fragment from
Microsoft Word. To achieve this, copy the text in a Word document and
paste it using one of the following methods:
• Click the Paste from Word button in the toolbar
• Use the CTRL+V shortcut on your keyboard.
Undo
Click to undo the last action. Alternatively, use the CTRL+Z keyboard
shortcut to perform the undo operation.
Redo
Click to redo the last action. Alternatively, use the CTRL+Y keyboard
shortcut to perform the redo operation.
Find
Click to find text in the report layout editor. This dialog box includes the
following elements:
• Find what: The text field where you enter the word or phrase you want
to find.
• Match case: Checking this option limits the search operation to words
whose case matches the spelling (uppercase and lowercase letters) given
in the search field. This means the search becomes case-sensitive.
• Match whole word: Checking this option limits the search operation to
whole words.
• Match cyclic: Checking this option means that after the editor reaches
the end of the document, the search continues from the beginning of the
text. This option is checked by default.
Replace
Click to replace text in the report layout editor. This dialog box consists
of the following elements:
• Find what: The text field where you enter the word or phrase you want
to find.
• Replace with: The text field where you enter the word or phrase that will
replace the search term in the document.
• Match case: Checking this option limits the search operation to words
whose case matches the spelling (uppercase and lowercase letters) given
in the search field. This means the search becomes case-sensitive.
• Match whole word: Checking this option limits the search operation to
whole words.
• Match cyclic: Checking this option means that after the editor reaches
the end of the document, the search continues from the beginning of the
text. This option is checked by default.
Save as Template
Click to save the layout as a template.
Paragraph Format
Select the paragraph format from the dropdown list. Select one of the
following: Normal, Heading 1, Heading 2, Heading 3, Heading 4,
Heading 5, Heading 6, Formatted, Address, or Normal (DIV).
Font Name
Select the font from the dropdown list.
Font Size
Select the font size from the dropdown list. Select a size ranging from 8 to
72.
Bold
Select the text fragment and then click the Bold button in the toolbar.
Alternatively, use the CTRL+B keyboard shortcut to apply bold formatting
to a text fragment.
Italic
Select the text fragment and then click the Italic button in the toolbar.
Alternatively, use the CTRL+I keyboard shortcut to apply italics formatting
to a text fragment.
Underline
Select the text fragment and then click the Underline button in the toolbar.
Alternatively, use the CTRL+U keyboard shortcut to apply underline
formatting to a text fragment.
Strike Through
Select the text fragment and then click the Strike Through button in the
toolbar.
Subscript
Select the text fragment and then click the Subscript button in the toolbar.
Superscript
Select the text fragment and then click the Superscript button in the
toolbar.
Text Color
You can change the color of text in the report by using a color palette. To
choose a color, select a text fragment, click the Text Color button in the
toolbar, and select a color.
Background Color
You can also change the color of the text background.
Insert/Remove Numbered List
Click to insert or remove a numbered list.
Insert/Remove Bulleted List
Click to insert or remove a bulleted list.
Decrease Indent
To decrease the indentation of the element, click the Decrease Indent
toolbar button. The indentation of a block-level element containing the
cursor will decrease by one tabulator length.
Increase Indent
To increase the indentation of the element, click the Increase Indent
toolbar button. The block-level element containing the cursor will be
indented with one tabulator length.
Block Quote
Block quote is used for longer quotations that are distinguished from the
main text by left and right indentation. It is recommended to use this type
of formatting when the quoted text consists of several lines or at least 100
words.
Align Left
When you align your text left, the paragraph is aligned with the left margin
and the text is ragged on the right side. This is usually the default text
alignment setting for the languages with left to right direction.
Center
When you center your text, the paragraph is aligned symmetrically along
the vertical axis and the text is ragged on both sides. This setting is
often used in titles or table cells.
Align Right
When you align your text right, the paragraph is aligned with the right
margin and the text is ragged on the left side. This is usually the default
text alignment setting for the languages with right to left direction.
Justify
When you justify your text, the paragraph is aligned to both the left and
right margins and the text is not ragged on either side.
Remove Format
Click to remove formatting.
Filtering report output
You can apply log message filters to reports. You can set up report filters in one of the following areas:
• Settings tab Filters section.
• Layout tab Filters section in the Insert Chart or Chart Properties dialog box. To open this dialog box, click Insert
Chart or Edit Chart, or right-click a chart and select Chart Properties.
In the Filters section, the following options are available.
Field
Description
Log messages that match
Available in the Settings tab only.
Select All to filter log messages based on all of the added conditions, or
select Any of the Following Conditions to filter log messages based on any
one of the conditions.
Add Filter
Click to add filters. For each filter, select the field, and operator from the
dropdown lists, then enter or select the values as applicable.
Filters vary based on device type.
LDAP Query
Available in the Settings tab only.
Click to add an LDAP query, then select the LDAP Server and the Case
Change value from the dropdown lists.
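The "All" versus "Any of the Following Conditions" setting decides how the added filter conditions combine. The following Python script is an added example, not FortiManager code: it parses a few constructed FortiGate-style key=value log lines and applies a list of (field, operator, value) conditions with both combination modes. The operator names equal, not_equal and contains, and the handling of a field that is absent from a message, are assumptions made for the example; the guide only says that the available filters vary by device type.

```python
"""Added example, not FortiManager code: apply report filter conditions to
log messages using the "All" / "Any of the Following Conditions" semantics.

Assumptions (not from the guide): log messages are FortiGate-style key=value
lines, and the operators available are 'equal', 'not_equal' and 'contains'.
The sample log lines below are constructed for this example.
"""
import re
from typing import Callable

# Constructed sample log lines (FortiGate key=value format).
SAMPLE_LOGS = [
    'date=2018-01-19 time=10:01:02 devname="FGT-HQ" type="traffic" '
    'srcip=10.1.1.5 dstip=203.0.113.10 service="HTTPS" action="deny"',
    'date=2018-01-19 time=10:01:05 devname="FGT-HQ" type="traffic" '
    'srcip=10.1.1.7 dstip=198.51.100.3 service="DNS" action="accept"',
    'date=2018-01-19 time=10:02:11 devname="FGT-BR" type="traffic" '
    'srcip=192.0.2.44 dstip=203.0.113.10 service="SSH" action="deny"',
    'date=2018-01-19 time=10:03:40 devname="FGT-HQ" type="utm" subtype="ips" '
    'srcip=198.51.100.9 severity="critical" action="dropped"',
    'date=2018-01-19 time=10:04:00 devname="FGT-BR" type="event" subtype="system" '
    'user="admin" action="login" status="failed"',
]

# key=value pairs; a quoted value may contain spaces.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log(line: str) -> dict[str, str]:
    """Return the fields of one key=value log line as a dict."""
    return {
        m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
        for m in _KV.finditer(line)
    }


# Operator name -> predicate(actual_value, filter_value). Assumed names.
OPERATORS: dict[str, Callable[[str, str], bool]] = {
    "equal": lambda actual, wanted: actual == wanted,
    "not_equal": lambda actual, wanted: actual != wanted,
    "contains": lambda actual, wanted: wanted in actual,
}


def condition_matches(log: dict[str, str], field: str, op: str, value: str) -> bool:
    """Evaluate one filter condition (field, operator, value) on a parsed log.

    A field absent from the message cannot satisfy a positive condition;
    only 'not_equal' treats an absent field as satisfied (assumption).
    """
    if op not in OPERATORS:
        raise ValueError(f"unknown operator: {op}")
    actual = log.get(field)
    if actual is None:
        return op == "not_equal"
    return OPERATORS[op](actual, value)


def filter_logs(logs, conditions, match="all"):
    """Keep the logs that satisfy the conditions.

    match="all" requires every condition (the guide's "All"); match="any"
    requires at least one ("Any of the Following Conditions"). With no
    conditions every message is kept.
    """
    if match not in ("all", "any"):
        raise ValueError("match must be 'all' or 'any'")
    if not conditions:
        return list(logs)
    combine = all if match == "all" else any
    return [
        log for log in logs
        if combine(condition_matches(log, f, op, v) for f, op, v in conditions)
    ]


def matching_srcips(lines, conditions, match="all"):
    """Parse the raw lines and return the srcip of each matching message."""
    parsed = [parse_log(line) for line in lines]
    return [log.get("srcip", "") for log in filter_logs(parsed, conditions, match)]


if __name__ == "__main__":
    conditions = [("action", "equal", "deny"), ("devname", "equal", "FGT-HQ")]
    print("All:", matching_srcips(SAMPLE_LOGS, conditions, "all"))
    print("Any:", matching_srcips(SAMPLE_LOGS, conditions, "any"))
```

With the two conditions action equal deny and devname equal FGT-HQ, "All" returns only the HQ deny (10.1.1.5), while "Any" also returns every other HQ message and the branch deny. Note that a condition on a field the message does not carry (for example status on a traffic log) never matches, which is why "All" filters mixing fields from different log types usually return nothing.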
Managing reports
You can manage reports by going to Reports > Report Definitions > All Reports. Some options are available as
buttons on the toolbar. Some options are available in the right-click menu. Right-click a report to display the
menu.
Option
Description
Create New
Creates a new report. You can choose whether to base the new report on a
report template.
Edit
Edits the selected report.
Delete
Deletes the selected report.
Clone
Clones the selected report.
Run report
Generates a report.
Folder
Organizes reports into folders.
Import
Imports a report from a management computer.
Export
Exports a report to a management computer.
Show Scheduled Only
Filters the list to include only reports that have been run or are scheduled to
be run.
Organizing reports into folders
You can create folders to organize reports.
To organize reports into folders:
1. If using ADOMs, ensure you are in the correct ADOM.
2. Go to Reports > Report Definitions > All Reports.
3. Click Folder in the toolbar, and select Create New Folder.
4. Specify the folder name and location and click OK. The folder is now displayed in the report list.
You can now create, clone, or import reports into this folder.
Importing and exporting reports
You can transport a report between FortiManager units. You can export a report from the FortiManager unit to the
management computer. The report is saved as a .dat file on the management computer. You can then import the
report file to another FortiManager unit.
To export or import reports:
1. If using ADOMs, ensure you are in the correct ADOM.
2. Go to Reports > Report Definitions > All Reports.
3. In the content pane, select a report, and select Import or Export from the More dropdown menu in the toolbar.
Report template library
A report template defines the charts and macros that are in the report, as well as the layout of the content.
You can use the following items to create a report template:
• Text
• Images
• Tables
• Charts that reference datasets
• Macros that reference datasets
Datasets for charts and macros specify what data are used from the Analytics logs when you generate the report.
You can also create custom charts and macros for use in report templates.
Creating report templates
You can create a report template by saving a report as a template or by creating a totally new template.
To create a report template:
1. If using ADOMs, ensure you are in the correct ADOM.
2. Go to Reports > Report Definitions > Templates.
3. In the toolbar of the content pane, click Create New.
4. Set the following options:
a. Name
b. Description
c. Category
5. Use the toolbar to insert and format text and graphics for the template. In particular, use the Insert Chart and
Insert Macro buttons to insert charts and macros into the template.
For a description of the fields, see Reports Layout tab on page 424. For information about creating charts
and macros, see Creating charts on page 433 and Creating macros on page 437.
6. Click OK.
The new template is now displayed on the template list.
To create a report template by saving a report:
1. If using ADOMs, ensure you are in the correct ADOM.
2. Go to Reports > Report Definitions > All Reports.
3. In the content pane, select the report from the list, and click Edit in the toolbar.
4. In the Layout tab, click the Save As Template button in the toolbar.
5. In the Save as Template dialog box, set the following options, and click OK:
a. Name
b. Description
c. Category
The new template is now displayed on the template list.
Viewing sample reports for predefined report templates
You can view sample reports for predefined report templates to help you visualize how the reports would look.
To view sample reports:
1. If using ADOMs, ensure you are in the correct ADOM.
2. Go to Reports > Report Definitions > Templates.
3. In the content pane, click the HTML or PDF link in the Preview column of a template to view a sample report
based on the template.
Managing report templates
You can manage report templates in Reports > Report Definitions > Templates. Some options are available as
buttons on the toolbar. Some options are available in the right-click menu. Right-click a template to display the
menu.
Option
Description
Create New
Creates a new report template
Edit
Edits a report template. You can edit report templates that you created.
You cannot edit predefined report templates.
View
Displays the settings for the predefined report template. You can copy
elements from the report template to the clipboard, but you cannot edit a
predefined report template.
Delete
Deletes the selected report template. You cannot delete predefined report
templates.
Clone
Clones the selected report template
Rename
Renames the selected report template. You cannot rename predefined
report templates.
List of report templates
FortiManager includes report templates you can use as is or build upon when you create a new report.
FortiManager provides different templates for different devices.
You can find report templates in Reports > Report Definitions > Templates.
FortiGate report templates
Template - 360-Degree Security Review
Template - Admin and System Events Report
Template - Application Risk and Control
Template - Bandwidth and Applications Report
Template - Client Reputation
Template - Cyber Threat Assessment
Template - DNS Report
Template - Data Loss Prevention Detailed Report
Template - Detailed Application Usage and Risk
Template - Email Report
Template - FortiClient Default Report
Template - FortiClient Vulnerability Scan Report
Template - GTP Report
Template - Hourly Website Hits
Template - IPS Report
Template - PCI-DSS Compliance Review
Template - SaaS Application Usage Report
Template - Security Analysis
Template - Threat Report
Template - Top 20 Categories and Applications (Session)
Template - Top 20 Category and Websites (Bandwidth)
Template - Top 20 Category and Websites (Session)
Template - Top 500 Sessions by Bandwidth
Template - Top Allowed and Blocked with Timestamps
Template - User Detailed Browsing Log
Template - User Security Analysis
Template - User Top 500 Websites by Bandwidth
Template - User Top 500 Websites by Session
Template - VPN Report
Template - Web Usage Report
Template - What is New Report
Template - WiFi Network Summary
Template - Wireless PCI Compliance
FortiCache report templates
Template - FortiCache Default Report
Template - FortiCache Security Analysis
Template - FortiCache Web Usage Report
FortiClient report templates
Template - FortiClient Default Report
Template - FortiClient Vulnerability Scan Report
FortiDDoS report templates
Template - FortiDDoS Default Report
FortiMail report templates
Template - FortiMail Analysis Report
Template - FortiMail Default Report
FortiSandbox report templates
Template - FortiSandbox Default Report
FortiWeb report templates
Template - FortiWeb Default Report
Template - FortiWeb Web Application Analysis Report
Chart library
Use the Chart library to create, edit, and manage your charts.
Creating charts
You can also create charts using the Log View Chart Builder. See Creating charts on
page 396.
To create charts:
1. If using ADOMs, ensure you are in the correct ADOM.
2. Go to Reports > Report Definitions > Chart Library.
3. Click Create New in the toolbar.
4. Configure the settings for the new chart. The following table provides a description for each setting.
Name
Enter a name for the chart.
Description
Enter a description of the chart.
Dataset
Select a dataset from the dropdown list. For more information, see
Datasets on page 439. Options vary based on device type.
Resolve Hostname
Select to resolve the hostname. Select one of the following: Inherit,
Enabled, or Disabled.
Chart Type
Select a graph type from the dropdown list; one of: Table, Bar, Pie, Line,
Area, Donut, or Radar. This selection affects the rest of the available
selections.
Data Bindings
The data bindings vary depending on the chart type selected.
Table
Table Type
Select Regular, Ranked, or Drilldown.
Add Column
Select to add a column. Up to 15 columns can be added for a Regular
table.
Ranked tables have two columns, and Drilldown tables have three
columns.
Columns
The following column settings must be set:
• Column Title: Enter a title for the column.
• Width: Enter the column width as a percentage.
• Data Binding: Select a value from the dropdown list. The options vary
depending on the selected dataset.
• Format: Select a value from the dropdown list.
• Add Data Binding: Add data bindings to the column. Every column must
have at least one data binding. The maximum number varies depending
on the table type.
Order By
Select what to order the table by. The available options vary depending on
the selected dataset.
Bundle rest into "Others"
Select to bundle the rest of the results into an Others category. This option
is not available for regular tables.
Show Top
Enter a numerical value. Only the first ‘X’ items are displayed. Other items
can be bundled into the Others category for Ranked and Drilldown tables.
Drilldown Top
Enter a numerical value. Only the first ‘X’ items are displayed. This option
is only available for Drilldown tables.
Bar
X-Axis
• Data Binding: Select a value from the dropdown list. The available
options vary depending on the selected dataset.
• Label: Enter a label for the axis.
• Show Top: Enter a numerical value. Only the first ‘X’ items are displayed.
Other items are bundled into the Others category.
Y-axis
• Data Binding: Select a value from the dropdown list. The available
options vary depending on the selected dataset.
• Format: Select a format from the dropdown list: Bandwidth, Counter,
Default, Percentage, or Severity.
• Label: Enter a label for the axis.
Bundle rest into "Others"
Select to bundle the rest of the results into an Others category.
Group By
• Data Binding: Select a value from the dropdown list. The available
options vary depending on the selected dataset.
• Show Top: Enter a numerical value. Only the first ‘X’ items are displayed.
Other items can be bundled into the Others category.
Order By
Select to order by the X-Axis or Y-Axis.
Pie, Donut, or Radar
Category
• Data Binding: Select a value from the dropdown list. The available
options vary depending on the selected dataset.
• Label: Enter a label for the axis.
• Show Top: Enter a numerical value. Only the first ‘X’ items are displayed.
Other items can be bundled into the Others category.
Series
• Data Binding: Select a value from the dropdown list. The available
options vary depending on the selected dataset.
• Format: Select a format from the dropdown list: Bandwidth, Counter,
Default, Percentage, or Severity.
• Label: Enter a label for the axis.
Bundle rest into "Others"
Select to bundle the rest of the results into an Others category.
Line or Area
X-Axis
• Data Binding: Select a value from the dropdown list. The available
options vary depending on the selected dataset.
• Label: Enter a label for the axis.
Lines
• Data Binding: Select a value from the dropdown list. The available
options vary depending on the selected dataset.
• Format: Select a format from the dropdown list: Bandwidth, Counter,
Default, Percentage, or Severity.
• Type: Select the type from the dropdown list: Line Up or Line Down.
• Legend: Enter the legend text for the line.
Add line
Select to add more lines.
5. Click OK.
Managing charts
Manage your charts in Reports > Report Definitions > Chart Library. Some options are available as buttons on
the toolbar. Some options are available in the right-click menu. Right-click a chart to display the menu.
Option
Description
Create New
Creates a new chart.
Edit
Edits a chart. You can edit charts that you created. You cannot edit
predefined charts.
View
Displays the settings for the selected predefined chart. You cannot edit a
predefined chart.
Delete
Deletes the selected chart. You can delete charts that you create. You
cannot delete predefined charts.
Clone
Clones the selected chart.
Import
Imports an exported FortiManager chart.
Export
Exports one or more FortiManager charts.
Show Predefined
Displays the predefined charts.
Show Custom
Displays the custom charts.
Search
Lets you search for a chart name.
Viewing datasets associated with charts
To view datasets associated with charts:
1. If using ADOMs, ensure you are in the correct ADOM.
2. Go to Reports > Report Definitions > Chart Library.
3. Select a chart, and click View in the toolbar.
4. In the View Chart pane, find the name of the dataset associated with the chart in the Dataset field.
5. Go to Reports > Report Definitions > Datasets.
6. In the Search box, type the name of the dataset.
7. Select the dataset that is found, and click View in the toolbar to view it.
Macro library
Use the Macro library to create, edit, and manage your macros.
Creating macros
FortiManager includes a number of predefined macros. You can also create new macros, or clone and edit
existing macros.
Macros are predefined to use specific datasets and queries. They are organized into categories, and can be
added to, removed from, and organized in reports.
Macros are currently supported in FortiGate and FortiCarrier ADOMs only.
To create a new macro:
1. If using ADOMs, ensure you are in the correct ADOM.
2. Go to Reports > Report Definitions > Macro Library, and click Create New. The Create Macro pane is displayed.
3. Provide the required information for the new macro.
Name
Enter a name for the macro.
Description
Enter a description of the macro.
Dataset
Select a dataset from the dropdown list. The options will vary based on
device type.
Query
Displays the query statement for the dataset selected.
Data Binding
The data bindings vary depending on the dataset selected. Select a data
binding from the dropdown list.
Display
Select a value from the dropdown list.
4. Click OK. The newly created macro is shown in the Macro library.
Managing macros
You can manage macros by going to Reports > Report Definitions > Macro Library. Some options are available as
buttons on the toolbar. Some options are available in the right-click menu. Right-click a macro to display the
menu.
Option
Description
Create New
Creates a new macro.
Edit
Edits the selected macro. You can edit macros that you created. You
cannot edit predefined macros.
View
Displays the settings for the selected macro. You cannot edit a predefined
macro.
Delete
Deletes the selected macro. You can delete macros that you create. You
cannot delete predefined macros.
Clone
Clones the selected macro.
Show Predefined
Displays the predefined macros.
Show Custom
Displays the custom macros.
Search
Lets you search for a macro name.
Viewing datasets associated with macros
To view datasets associated with macros:
1. If using ADOMs, ensure you are in the correct ADOM.
2. Go to Reports > Report Definitions > Macro Library.
3. Select a macro, and click View (for predefined macros) or Edit (for custom macros) in the toolbar.
4. In the View Macro or Edit Macro pane, find the name of the dataset associated with the macro in the Dataset
field.
5. Go to Reports > Report Definitions > Datasets.
6. In the Search box, type the name of the dataset.
7. Double-click the dataset to view it.
Datasets
Use the Datasets pane to create, edit, and manage your datasets.
Creating datasets
FortiManager datasets are collections of data from logs for monitored devices. Charts and macros reference
datasets. When you generate a report, the datasets populate the charts and macros to provide data for the
report.
Predefined datasets for each supported device type are provided, and new datasets can be created and
configured.
To create a new dataset:
1. If using ADOMs, ensure you are in the correct ADOM.
2. Go to Reports > Report Definitions > Datasets, and click Create New. The Create Dataset pane is displayed.
3. Provide the required information for the new dataset.
Name
Enter a name for the dataset.
Log Type
Select a log type from the dropdown list.
• The following log types are available for FortiGate: Application Control,
Intrusion Prevention, Content Log, Data Leak Prevention, Email Filter,
Event, Traffic, Virus, VoIP, Web Filter, Vulnerability Scan, FortiClient
Event, FortiClient Traffic, FortiClient Vulnerability Scan, Web
Application Firewall, GTP, and DNS.
• The following log types are available for FortiMail: Email Filter, Event,
History, and Virus.
• The following log types are available for FortiWeb: Intrusion Prevention,
Event, and Traffic.
Query
Enter the SQL query used for the dataset.
Variables
Click the Add button to add variable, expression, and description
information.
Test query with specified devices and time period
Time Period
Use the dropdown list to select a time period. When selecting Custom,
enter the start date and time, and the end date and time.
Devices
Select All Devices or Specify to select specific devices to run the SQL
query against. Click the Select Device button to add multiple devices to
the query.
Test
Select to test the SQL query before saving the dataset configuration.
4. Click Test.
The query results are displayed. If the query is not successful, an error message appears in the Test Result
pane.
5. Click OK.
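A dataset is an SQL query run against the Analytics logs, and a Ranked table chart then keeps only the first "Show Top" rows of its result, folding the rest into an Others row when "Bundle rest into Others" is selected (see the Chart library section above). The following Python script is an added example, not FortiManager code, that works both steps through on a constructed traffic log table in SQLite. The $log and $filter placeholders, the tlog table and its columns, and the plain string substitution of the placeholders are assumptions made for the example, in the style of FortiAnalyzer datasets; the guide itself only says that the Query field takes SQL. Filter values are passed as bound parameters so that a value taken from a report filter can never change the query text.

```python
"""Added example, not FortiManager code: run a dataset-style SQL query over a
constructed log table and shape the result as a Ranked table chart does with
"Show Top" and "Bundle rest into 'Others'".

Assumptions (not from the guide): the dataset query refers to the log table as
$log and to the report's filter clause as $filter; both are substituted by
string replacement and the query runs in an in-memory SQLite database. The
schema and rows below are constructed for this example.
"""
import sqlite3

# Constructed traffic log rows: (devid, srcip, dstip, service, action, sentbyte, rcvdbyte)
SAMPLE_TRAFFIC = [
    ("FGT-HQ", "10.1.1.5", "203.0.113.10", "HTTPS", "accept", 120000, 3400000),
    ("FGT-HQ", "10.1.1.5", "203.0.113.11", "HTTPS", "accept", 80000, 1200000),
    ("FGT-HQ", "10.1.1.7", "198.51.100.3", "DNS", "accept", 5000, 9000),
    ("FGT-HQ", "10.1.1.9", "203.0.113.20", "SMTP", "accept", 900000, 40000),
    ("FGT-BR", "192.0.2.44", "203.0.113.10", "SSH", "deny", 0, 0),
    ("FGT-BR", "192.0.2.45", "203.0.113.30", "HTTP", "accept", 250000, 2000000),
]

# Dataset query as it would be entered in the Query field: top sources by bandwidth.
DATASET_QUERY = """
select srcip, sum(sentbyte + rcvdbyte) as bandwidth
from $log
where $filter
group by srcip
order by bandwidth desc
"""


def open_log_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed traffic log."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "create table tlog (devid text, srcip text, dstip text, service text,"
        " action text, sentbyte integer, rcvdbyte integer)"
    )
    con.executemany("insert into tlog values (?, ?, ?, ?, ?, ?, ?)", SAMPLE_TRAFFIC)
    con.commit()
    return con


def render_query(template: str, log_table: str, filter_sql: str) -> str:
    """Substitute the $log and $filter placeholders (assumed macro names)."""
    return template.replace("$log", log_table).replace("$filter", filter_sql)


def run_dataset(con, template, filter_sql="1 = 1", params=()):
    """Run the dataset query with the given filter clause and bound parameters.

    The filter clause contains only '?' placeholders; the values travel in
    params, so a report filter value never alters the SQL text.
    """
    sql = render_query(template, "tlog", filter_sql)
    return con.execute(sql, params).fetchall()


def ranked_table(rows, show_top, bundle_others=True):
    """Keep the first show_top rows; optionally fold the rest into one Others row.

    rows are (label, value) pairs already in the order the dataset produced.
    """
    top = list(rows[:show_top])
    rest = rows[show_top:]
    if bundle_others and rest:
        top.append(("Others", sum(value for _, value in rest)))
    return top


if __name__ == "__main__":
    con = open_log_db()
    print("All devices, top 2:", ranked_table(run_dataset(con, DATASET_QUERY), 2))
    hq = run_dataset(con, DATASET_QUERY, "devid = ?", ("FGT-HQ",))
    print("FGT-HQ only, top 2:", ranked_table(hq, 2))
```

Running the query with the filter devid = ? bound to FGT-HQ and Show Top set to 2 yields the two busiest HQ sources plus an Others row holding the remaining 14000 bytes. A wrong placeholder or column name surfaces as an SQL error at execution time, which is what the Test button and the Validate option on the Datasets pane catch before a report is scheduled.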
Viewing the SQL query for an existing dataset
You can view the SQL query for a dataset, and test the query against specific devices or all devices.
To view the SQL query for an existing dataset:
1. If using ADOMs, ensure you are in the correct ADOM.
2. Go to Reports > Report Definitions > Datasets.
3. Hover the mouse cursor over the dataset on the dataset list. The SQL query is displayed as a tooltip.
You can also open the dataset to view the query in the Query field.
Managing datasets
You can manage datasets by going to Reports > Report Definitions > Datasets. Some options are available as
buttons on the toolbar. Some options are available in the right-click menu. Right-click a dataset to display the
menu.
Option
Description
Create New
Creates a new dataset.
Edit
Edits the selected dataset. You can edit datasets that you created. You
cannot edit predefined datasets.
View
Displays the settings for the selected dataset. You cannot edit a predefined
dataset.
Delete
Deletes the selected dataset. You can delete datasets that you create. You
cannot delete predefined datasets.
Clone
Clones the selected dataset. You can edit cloned datasets.
Validate
Validate selected datasets.
Validate All Custom
Validates all custom datasets.
Search
Lets you search for a dataset name.
Output profiles
Output profiles allow you to define email addresses to which generated reports are sent and provide an option to
upload the reports to FTP, SFTP, or SCP servers. Once created, an output profile can be specified for a report.
Creating output profiles
You must configure a mail server before you can configure an output profile. See Mail
Server on page 490.
To create output profiles:
1. If using ADOMs, ensure you are in the correct ADOM.
2. Go to Reports > Advanced > Output Profile.
3. Click Create New. The Create Output Profile pane is displayed.
4. Provide the following information, and click OK:
Name
Enter a name for the new output profile.
Comments
Enter a comment about the output profile (optional).
Output Format
Select the format or formats for the generated report. You can choose from
PDF, HTML, XML, and CSV formats.
Email Generated Reports
Enable emailing of generated reports.
Subject
Enter a subject for the report email.
Body
Enter body text for the report email.
Recipients
Select the email server from the dropdown list and enter to and from email
addresses. Click Add to add another entry so that you can specify multiple
recipients.
Upload Report to Server
Enable uploading of generated reports to a server.
Server Type
Select FTP, SFTP, or SCP from the dropdown list. FTP sends the username,
password, and the report contents in clear text; prefer SFTP or SCP unless
the upload path stays entirely on a trusted network.
Server
Enter the server IP address.
User
Enter the username.
Password
Enter the password.
Directory
Specify the directory where the report will be saved.
Delete file(s) after
uploading
Select to delete the generated report after it has been uploaded to the
selected server.
Managing output profiles
You can manage output profiles by going to Reports > Advanced > Output Profile. Some options are available
as buttons on the toolbar. Some options are available in the right-click menu. Right-click an output profile to
display the menu.
Option
Description
Create New
Creates a new output profile.
Edit
Edits the selected output profile.
Delete
Deletes the selected output profile.
Report languages
You can specify the language of reports when creating a report. You can add new languages, and you can change
the name and description of the languages. You cannot edit the predefined languages.
Predefined report languages
FortiManager includes the following predefined report languages:
• English (default report language)
• French
• Japanese
• Korean
• Portuguese
• Simplified Chinese
• Spanish
• Traditional Chinese
Adding language placeholders
To add a language placeholder:
1. If using ADOMs, ensure you are in the correct ADOM.
2. Go to Reports > Advanced > Language.
3. Click Create New in the toolbar.
4. In the New Language pane, enter a name and description for the language, and click OK.
A new language placeholder is created.
Adding a new language placeholder does not create that language. It only adds a
placeholder for that language that contains the language name and description.
Managing report languages
You can manage report languages by going to Reports > Advanced > Language. Some options are available as
buttons on the toolbar. Some options are available in the right-click menu. Right-click a language to display the
menu.
Option
Description
Create New
Creates a new report language placeholder.
View
Views details about the selected report language.
Edit
Edits the selected report language. You cannot edit predefined report
languages.
Delete
Deletes the selected report language. You cannot delete predefined report
languages.
Report calendar
You can use the report calendar to view all the reports that are scheduled for the selected month. You can edit or
disable upcoming report schedules, as well as delete or download completed reports.
Viewing all scheduled reports
To view all scheduled reports:
1. If using ADOMs, ensure you are in the correct ADOM.
2. Go to Reports > Advanced > Report Calendar.
3. Hover the mouse cursor over a calendar entry to display the name, status, and device type of the scheduled
report.
4. Click a generated report to download it.
5. Click a scheduled report to go to the Settings tab of the report.
6. Click the left or right arrow at the top of the Report Calendar pane to change the month that is displayed. Click
Today to return to the current month.
Managing report schedules
You can manage report schedules in Reports > Advanced > Report Calendar.
To edit a report schedule:
1. In Report Calendar, right-click an upcoming calendar entry, and select Edit.
2. In the Settings tab of the report that opens, edit the corresponding report schedule.
To disable a report schedule:
In Report Calendar, right-click an upcoming calendar entry, and select Disable. All scheduled instances of the
report are removed from the report calendar. Completed reports remain in the report calendar.
To delete or download a completed report:
In Report Calendar, right-click a past calendar entry, and select Delete or Download. The corresponding
completed report will be deleted or downloaded.
You can only delete or download scheduled reports that have a Finished status. You
cannot delete scheduled reports with a Pending status.
System Settings
System Settings allows you to manage system options for your FortiManager device.
Additional configuration options and short-cuts are available using the right-click
menu. Right-click the mouse on different navigation panes on the GUI page to access
these options.
Dashboard
The Dashboard contains widgets that provide performance and status information and enable you to configure
basic system settings. The dashboard also contains a CLI widget that lets you use the command line through the
GUI.
The following widgets are available:
System Information: Displays basic information about the FortiManager system, such as up time and firmware version. You can also enable or disable Administrative Domains and FortiAnalyzer features. For more information, see System Information widget on page 448. From this widget you can manually update the FortiManager firmware to a different release. For more information, see Updating the system firmware on page 451. The widget fields will vary based on how the FortiManager is configured, for example, if ADOMs are enabled.
System Resources: Displays the real-time and historical usage status of the CPU, memory and hard disk. For more information, see System Resources widget on page 454.
License Information: Displays the devices being managed by the FortiManager unit and the maximum numbers of devices allowed. For more information, see License Information widget on page 455. From this widget you can manually upload a license for VM systems.
Unit Operation: Displays status and connection information for the ports of the FortiManager unit. It also enables you to shut down and restart the FortiManager unit or reformat a hard disk. For more information, see Unit Operation widget on page 456.
CLI Console: Opens a terminal window that enables you to configure the FortiManager unit using CLI commands directly from the GUI. For more information, see CLI Console widget on page 456.
Alert Message Console: Displays log-based alert messages for both the FortiManager unit and connected devices. For more information, see Alert Messages Console widget on page 456.
Log Receive Monitor: Displays a real-time monitor of logs received. You can view data per device or per log type. For more information, see Log Receive Monitor widget on page 457. The Log Receive Monitor widget is available when FortiAnalyzer Features is enabled.
Insert Rate vs Receive Rate: Displays the log insert and receive rates. For more information, see Insert Rate vs Receive Rate widget on page 457. The Insert Rate vs Receive Rate widget is available when FortiAnalyzer Features is enabled.
Log Insert Lag Time: Displays how many seconds the database is behind in processing the logs. For more information, see Log Insert Lag Time widget on page 458. The Log Insert Lag Time widget is available when FortiAnalyzer Features is enabled.
Receive Rate vs Forwarding Rate: Displays the Receive Rate, which is the rate at which FortiManager is receiving logs. When log forwarding is configured, the widget also displays the log forwarding rate for each configured server. For more information, see Receive Rate vs Forwarding Rate widget on page 458. The Receive Rate vs Forwarding Rate widget is available when FortiAnalyzer Features is enabled.
Disk I/O: Displays the disk utilization, transaction rate, or throughput as a percentage over time. For more information, see Disk I/O widget on page 459. The Disk I/O widget is available when FortiAnalyzer Features is enabled.
Customizing the dashboard
The FortiManager system dashboard can be customized. You can select which widgets to display, where they are
located on the page, and whether they are minimized or maximized. It can also be viewed in full screen by
selecting the full screen button on the far right side of the toolbar.
Move a widget: Click and drag the widget's title bar, then drop it in its new location.
Add a widget: Select Toggle Widgets from the toolbar, then select the name of the widget you want to add.
Delete a widget: Click the Close icon in the widget's title bar.
Customize a widget: For widgets with an edit icon, you can customize the widget by clicking the Edit icon and configuring the settings.
Reset the dashboard: Select Toggle Widgets > Reset to Default from the toolbar. The dashboards will be reset to the default view.
System Information widget
The information displayed in the System Information widget is dependent on the FortiManager models and
device settings. The following information is available on this widget:
Host Name: The identifying name assigned to this FortiManager unit. Click the edit host name button to change the host name. For more information, see Changing the host name on page 450.
Serial Number: The serial number of the FortiManager unit. The serial number is unique to the FortiManager unit and does not change with firmware upgrades. The serial number is used for identification when connecting to the FortiGuard server.
Platform Type: Displays the FortiManager platform type, for example FMGVM64 (virtual machine).
HA Status: Displays whether the FortiManager unit is in High Availability mode and whether it is the Master or Slave unit in the HA cluster. For more information, see High Availability on page 460.
System Time: The current time on the FortiManager internal clock. Click the edit system time button to change system time settings. For more information, see Configuring the system time on page 450.
Firmware Version: The version number and build number of the firmware installed on the FortiManager unit. To update the firmware, you must download the latest version from the Customer Service & Support website at https://support.fortinet.com. Click the update button, then select the firmware image to load from the local hard disk or network volume. For more information, see Updating the system firmware on page 451.
System Configuration: The date of the last system configuration backup. The following actions are available:
- Click the backup button to back up the system configuration to a file; see Backing up the system on page 452.
- Click the restore button to restore the configuration from a backup file; see Restoring the configuration on page 452. You can also migrate the configuration to a different FortiManager model by using the CLI. See Migrating the configuration on page 453.
- Click the checkpoint button to revert the system to a prior saved configuration; see System checkpoints on page 453.
Current Administrators: The number of administrators currently logged in. Click the current session list button to view the session details for all currently logged in administrators.
Up Time: The duration of time the FortiManager unit has been running since it was last started or restarted.
Administrative Domain: Displays whether ADOMs are enabled. Toggle the switch to change the Administrative Domain state. See Enabling and disabling the ADOM feature on page 50.
FortiAnalyzer Features: Displays whether FortiAnalyzer features are enabled. Toggle the switch to change the FortiAnalyzer features state. FortiAnalyzer Features are not available on the FortiManager 100C. See FortiAnalyzer Features on page 367 for information.
Changing the host name
The host name of the FortiManager unit is used in several places.
- It appears in the System Information widget on the dashboard. For more information, see System Information widget on page 448.
- It is used in the command prompt of the CLI.
- It is used as the SNMP system name.
The System Information widget and the get system status CLI command will display the full host name.
However, if the host name is longer than 16 characters, the CLI and other places display the host name in a
truncated form ending with a tilde ( ~ ) to indicate that additional characters exist, but are not displayed. For
example, if the host name is FortiManager1234567890, the CLI prompt would be FortiManager123456~#.
To change the host name:
1. Go to System Settings > Dashboard.
2. In the System Information widget, click the edit host name button next to the Host Name field.
3. In the Host Name box, type a new host name.
The host name may be up to 35 characters in length. It may include US-ASCII letters, numbers, hyphens,
and underscores. Spaces and special characters are not allowed.
4. Click the checkmark to change the host name.
Configuring the system time
You can either manually set the FortiManager system time or configure the FortiManager unit to automatically
keep its system time correct by synchronizing with a Network Time Protocol (NTP) server.
For many features to work, including scheduling, logging, and SSL-dependent
features, the FortiManager system time must be accurate.
To configure the date and time:
1. Go to System Settings > Dashboard.
2. In the System Information widget, click the edit system time button next to the System Time field.
3. Configure the following settings to either manually configure the system time, or to automatically synchronize the
FortiManager unit’s clock with an NTP server:
System Time: The date and time according to the FortiManager unit’s clock at the time that this pane was loaded or when you last clicked the Refresh button.
Time Zone: Select the time zone in which the FortiManager unit is located and whether or not the system automatically adjusts for daylight savings time.
Update Time By: Select Set time to manually set the time, or Synchronize with NTP Server to automatically synchronize the time.
Set Time: Manually set the date and time.
Select Date: Set the date from the calendar or by manually entering it in the format: YYYY/MM/DD.
Select Time: Select the time.
Synchronize with NTP Server: Automatically synchronize the date and time.
Sync Interval: Enter how often, in minutes, the device should synchronize its time with the NTP server. For example, entering 1440 causes the Fortinet unit to synchronize its time once a day.
Server: Enter the IP address or domain name of an NTP server. Click the plus icon to add more servers. To find an NTP server that you can use, go to http://www.ntp.org.
4. Click the checkmark to apply your changes.
Updating the system firmware
To take advantage of the latest features and fixes, FortiManager provides two ways to upgrade its firmware:
manually or through the FDN. For information about upgrading your FortiManager device, see the FortiManager
Upgrade Guide, or contact Fortinet Customer Service & Support.
Backup the configuration and database before changing the firmware of your
FortiManager unit. Changing the firmware to an older or incompatible version may
reset the configuration and database to the default values for that firmware version,
resulting in data loss. For information on backing up the configuration, see Backing up
the system on page 452.
Before you can download firmware updates for your FortiManager unit, you must first
register your FortiManager unit with Customer Service & Support. For details, go to
https://support.fortinet.com/ or contact Customer Service & Support.
To manually update the FortiManager firmware:
1. Download the firmware (the .out file) from the Customer Service & Support website,
https://support.fortinet.com/.
2. Go to System Settings > Dashboard.
3. In the System Information widget, in the Firmware Version field, click Upgrade Firmware. The Firmware Upload
dialog box opens.
4. Drag and drop the file onto the dialog box, or click Browse to locate the firmware package (.out file) that you
downloaded from the Customer Service & Support portal and then click Open.
5. Click OK. Your device will upload the firmware image and you will receive a confirmation message noting that the
upgrade was successful.
Optionally, you can upgrade firmware stored on an FTP or TFTP server using the
following CLI command:
execute restore image {ftp | tftp} <file path to server> <IP of server> <username on server> <password>
For more information, see the FortiManager CLI Reference.
6. Refresh the browser and log back into the device.
7. Launch the Device Manager module and make sure that all formerly added devices are still listed.
8. Launch other functional modules and make sure they work properly.
Installing firmware replaces the current network vulnerability management engine with
the version included with the firmware release that you are installing. After you install
the new firmware, make sure that your vulnerability definitions are up-to-date. For
more information, see FortiGuard on page 330.
The FortiManager firmware can also be updated through the FDN. For more information, see Firmware images
on page 350.
Backing up the system
Fortinet recommends that you back up your FortiManager configuration to your management computer on a
regular basis to ensure that, should the system fail, you can quickly get the system back to its original state with
minimal effect on the network. You should also perform a backup after making any changes to the FortiManager
configuration or settings that affect the connected devices.
You can perform backups manually or at scheduled intervals. You can also create backups, called checkpoints, that mark a point where the FortiManager and network management is stable and functioning. Should any
future configuration change cause issues, you can revert to that stable point.
Fortinet recommends backing up all configuration settings from your FortiManager unit before upgrading the
FortiManager firmware.
To back up the FortiManager configuration:
1. Go to System Settings > Dashboard.
2. In the System Information widget, click the backup button next to System Configuration. The Backup System
dialog box opens.
3. If you want to encrypt the backup file, select the Encryption box, then type and confirm the password you want to
use. The password can be a maximum of 63 characters.
4. Select OK and save the backup file on your management computer.
Restoring the configuration
You can use the following procedure to restore your FortiManager configuration from a backup file on your
management computer.
If your FortiManager unit is in HA mode, switch to Standalone mode.
The restore operation will temporarily disable the communication channel between
FortiManager and all managed devices. This is a safety measure, in case any devices
are being managed by another FortiManager. To re-enable the communication,
please go to System Settings > Advanced > Advanced Settings and disable Offline
Mode.
To restore the FortiManager configuration:
1. Go to System Settings > Dashboard.
2. In the System Information widget, click the restore button next to System Configuration. The Restore dialog box
opens.
3. Configure the following settings then select OK.
Choose Backup File: Select Browse to find the configuration backup file you want to restore.
Password: Type the encryption password, if applicable.
Overwrite current IP, routing and HA settings: Select the checkbox to overwrite the current IP, routing, and HA settings.
Restore in Offline Mode: Informational checkbox. Hover over the help icon for more information.
Migrating the configuration
You can back up the system of one FortiManager model, and then use the CLI and the FTP, SCP, or SFTP
protocol to migrate the settings to another FortiManager model.
You need the username and password for the FortiManager model to which you are migrating the configuration
file.
If you encrypted the FortiManager configuration file when you created it, you need the password to decrypt the
configuration file when you migrate the file to another FortiManager model.
To migrate the FortiManager configuration:
1. In one FortiManager model, go to System Settings > Dashboard.
2. Back up the system. See Backing up the system on page 452.
3. In the other FortiManager model, go to System Settings > Dashboard.
4. In the CLI Console widget, type the following command:
execute migrate all-settings <ftp | scp | sftp> <server> <filepath> <user> <password> [cryptpasswd]
System checkpoints
You can create a system checkpoint backup to capture a specific configuration. This backup provides a history
where the FortiManager and FortiGate units are completely in sync. Should there be a major failure, you can
completely revert the FortiManager to when it was in working order. These are, in essence, snapshots of your
FortiManager managed network system.
You should make a system checkpoint backup before installing new firmware to devices or making a major
configuration change to the network. If the update or modification causes problems, you can quickly revert to an
earlier known “good” version of the configuration to restore operation.
A system checkpoint backup includes the system configuration of the FortiManager unit.
Please note the following:
- The system checkpoint does not include the FortiGate settings.
- For policy package specific settings, after reverting to a checkpoint, you need to re-install policy packages to update FortiGate policy and related configuration.
- For non-policy package settings, after reverting to a checkpoint, you must trigger FortiGate to auto-update and overwrite the checkpoint reverted configuration. Alternatively, you can disable the auto update function in System Settings and re-install the checkpoint reverted configuration to FortiGate.
To create a system checkpoint:
1. Go to System Settings > Dashboard.
2. In the System Information widget, click the checkpoint button next to System Configuration. The System
Checkpoint List opens.
3. Select Create New. The Add New System Checkpoint dialog box opens.
4. In the Comments box, type a description, up to 63 characters, for the reason or state of the backup.
5. Select OK. The system checkpoint task will be run and the checkpoint will be created.
To revert to a system checkpoint:
1. Go to System Settings > Dashboard.
2. In the System Information widget, click the checkpoint button next to System Configuration. The System
Checkpoint table opens.
3. Select the system checkpoint in the table then click Revert.
4. A confirmation dialog box will open. Select OK to continue.
When reverting to a system checkpoint, the FortiManager will reboot.
To delete a system checkpoint:
1. Go to System Settings > Dashboard.
2. In the System Information widget, click the checkpoint button next to System Configuration. The System
Checkpoint table opens.
3. Select the system checkpoint in the table then select Delete in the toolbar.
4. Click OK in the confirmation dialog box to delete the checkpoint.
System Resources widget
The System Resources widget displays the usage status of the CPUs, memory, and hard disk. You can view
system resource information in real-time or historical format, as well as average or individual CPU usage.
On VMs, warning messages are displayed if the amount of memory or the number of CPUs assigned are too low,
or if the allocated hard drive space is less than the licensed amount. These warnings are also shown in the
notification list (see GUI overview on page 31). Clicking on a warning opens the FortiManager VM Install Guide.
To toggle between real-time and historical data, click Edit in the widget toolbar, select Historical or Real-time,
edit the other settings as required, then click OK.
To view individual CPU usage, from the Real-Time display, click on the CPU chart. To go back to the standard
view again, click the chart again.
License Information widget
The License Information widget displays the number of devices connected to the FortiManager.
VM License: VM license information and status. Click the upload license button to upload a new VM license file. This field is only visible for FortiManager VM.
Management Device/VDOMs: The total number of devices and VDOMs connected to the FortiManager and the total number of device and VDOM licenses.
FortiGates/Logging Devices: The number of connected FortiGates and other logging devices.
FortiAPs: The number of connected FortiAPs.
Logging: This section is only shown when FortiAnalyzer Features is enabled. For more information, see FortiAnalyzer Features on page 367.
GB/Day: The gigabytes per day of logs allowed and used for this FortiManager. Click the show details button to view the GB per day of logs used for the previous 6 days.
VM Storage: The amount of VM storage used and remaining. This field is only visible for FortiManager VM.
FortiGuard: The FortiGuard license status. Click the purchase button to go to the Fortinet Customer Service & Support website, where you can purchase a license. This field is only visible for FortiManager VM.
Unit Operation widget
The Unit Operation widget graphically displays the status of each port. The port name indicates its status by its
color. Green indicates the port is connected. Grey indicates there is no connection.
Hover the cursor over the ports to view a pop-up that displays the full name of the interface, the IP address and
netmask, the link status, the speed of the interface, and the amounts of sent and received data.
CLI Console widget
The CLI Console widget enables you to type command lines through the GUI, without making a separate Telnet,
SSH, or local console connection to access the CLI.
The CLI Console widget requires that your web browser support JavaScript.
For information on available CLI commands, see the FortiManager CLI Reference.
When using the CLI Console widget, you are logged in with the same administrator account you used to access
the GUI. You can enter commands by typing them, or you can copy and paste commands into or out of the
console.
Click Detach in the widget toolbar to open the widget in a separate window.
Alert Messages Console widget
The Alert Message Console widget displays log-based alert messages for both the FortiManager unit itself and
connected devices.
Alert messages help you track system events on your FortiManager unit such as firmware changes, and network
events such as detected attacks. Each message shows the date and time the event occurred.
Alert messages can also be delivered by email, syslog, or SNMP.
Click Edit from the widget toolbar to view the Alert Message Console Settings, where you can adjust the number
of entries that are visible in the widget, and the refresh interval.
To view a complete list of alert messages, click Show More from the widget toolbar. The widget will show the
complete list of alerts. To clear the list, click Delete All Messages. Click Show Less to return to the previous
view.
Log Receive Monitor widget
The Log Receive Monitor widget displays the rate at which the FortiManager unit receives logs over time. Log
data can be displayed by either log type or device.
Hover the cursor over a point on the graph to see the exact number of logs that were received at a specific time.
Click the name of a device or log type to add or remove it from the graph. Click Edit in the widget toolbar to
modify the widget's settings.
This widget is only available when the FortiAnalyzer features are manually enabled.
For more information, see FortiAnalyzer Features on page 367.
Insert Rate vs Receive Rate widget
The Insert Rate vs Receive Rate widget displays the log insert and log receive rates over time.
- Log receive rate: how many logs are being received.
- Log insert rate: how many logs are being actively inserted into the database.
If the log insert rate is higher than the log receive rate, then the database is rebuilding. The lag is the number of
logs waiting to be inserted.
Hover the cursor over a point on the graph to see the exact number of logs that were received and inserted at a
specific time. Click Receive Rate or Insert Rate to remove those data from the graph. Click the edit icon in the
widget toolbar to adjust the time interval shown on the graph and the refresh interval.
This widget is only available when the FortiAnalyzer features are manually enabled.
For more information, see FortiAnalyzer Features on page 367.
Log Insert Lag Time widget
The Log Insert Lag Time widget displays how many seconds the database is behind in processing the logs.
Click the edit icon in the widget toolbar to adjust the time interval shown on the graph and the refresh interval (0
to disable) of the widget.
This widget is only available when the FortiAnalyzer features are manually enabled.
For more information, see FortiAnalyzer Features on page 367.
Receive Rate vs Forwarding Rate widget
The Receive Rate vs Forwarding Rate widget displays the rate at which the FortiManager is receiving logs.
When log forwarding is configured, the widget also displays the log forwarding rate for each configured server.
Click the edit icon in the widget toolbar to adjust the time period shown on the graph and the refresh interval, if
any, of the widget.
This widget is only available when the FortiAnalyzer features are manually enabled.
For more information, see FortiAnalyzer Features on page 367.
Disk I/O widget
The Disk I/O widget shows the disk utilization (%), transaction rate (requests/s), or throughput (KB/s), versus
time.
Click the edit icon in the widget toolbar to select which chart is displayed, the time period shown on the graph,
and the refresh interval (if any) of the chart.
This widget is only available when the FortiAnalyzer features are manually enabled.
For more information, see FortiAnalyzer Features on page 367.
Logging Topology
The Logging Topology pane shows the physical topology of devices in the security fabric. Click, hold, and drag to
adjust the view in the content pane, and double-click or use the scroll wheel to change the zoom.
The visualization can be filtered to show only FortiAnalyzer devices or all devices by device count or traffic.
Hovering the cursor over a device in the visualization will show information about the device, such as the
IP address and device name. Right-click on a device and select View Related Logs to go to the Log View pane,
filtered for that device.
This pane is only available when the FortiAnalyzer features are manually enabled. For
more information, see FortiAnalyzer Features on page 367.
High Availability
FortiManager high availability (HA) provides a solution for a key requirement of critical enterprise management
and networking components: enhanced reliability. Understanding what’s required for FortiManager reliability
begins with understanding what normal FortiManager operations are and how to make sure normal operations
continue if a FortiManager unit fails.
Most of the FortiManager operations involve storing FortiManager and FortiGate configuration and related
information in the FortiManager database on the FortiManager unit hard disk. A key way to enhance reliability of
FortiManager is to protect the data in the FortiManager database from being lost if the FortiManager unit fails.
This can be achieved by dynamically backing up FortiManager database changes to one or more backup
FortiManager units. Then, if the operating FortiManager unit fails, a backup FortiManager unit can take the place
of the failed unit.
A FortiManager HA cluster consists of up to five FortiManager units of the same FortiManager series. One of the
FortiManager units in the cluster operates as a primary or master unit and the other one to four units operate as
backup, or slave, units. All of the units are visible on the network. The primary unit and the backup units can be at
the same location. FortiManager HA also supports geographic redundancy so the primary unit and backup units
can be in different locations attached to different networks as long as communication is possible between them
(for example, over the Internet, over a WAN, or through a private network).
Administrators connect to the primary unit GUI or CLI to perform FortiManager operations. Managed devices
connect with the primary unit for normal management operations (configuration push, auto-update, firmware
upgrade, and so on). If FortiManager is used to distribute FortiGuard updates to managed devices, managed
devices can connect to the primary FortiManager unit or one of the backup units.
If the primary FortiManager unit fails you must manually configure one of the backup units to become the primary
unit. The new primary unit will have the same IP addresses as it did when it was the backup unit.
A reboot of the FortiManager device is not required when it is promoted from a backup
to the primary unit.
When devices with different licenses are used to create an HA cluster, the license that
allows for the smallest number of managed devices will be used.
Synchronizing the FortiManager configuration and HA heartbeat
All changes to the FortiManager database are saved on the primary unit, and then these changes are
synchronized to the backup units. The FortiManager configuration of the primary unit is also synchronized to the
backup units (except for the HA parameters). As a result, the backup units always match the primary unit. So if
the primary unit fails, a backup unit can be configured to take the place of the primary unit and continue
functioning as a standalone FortiManager unit.
While the FortiManager cluster is operating, all backup units in the cluster exchange HA heartbeat packets with
the primary unit so the primary unit can verify the status of the backup units and the backup units can verify the
status of the primary unit. The HA heartbeat packets use TCP port 5199. HA heartbeat monitoring, as well as
FortiManager database and configuration synchronization takes place using the connections between the
FortiManager units in the cluster. As part of configuring the primary unit you add peer IPs and peer serial numbers
of each of the backup FortiManager units in the cluster. You also add the peer IP of the primary unit and the
primary unit serial number to each of the backup units.
Depending on the peer IPs that you use, you can isolate HA traffic to specific
FortiManager interfaces and connect those interfaces together so they function as
synchronization interfaces between the FortiManager units in the cluster.
Communication between the units in the cluster must be maintained for the HA cluster
to operate.
The interfaces used for HA heartbeat and synchronization communication can be connected to your network.
However, if possible you should isolate HA heartbeat and synchronization packets from your network to save
bandwidth.
If the primary or a backup unit fails
If the primary unit fails, the backup units stop receiving HA heartbeat packets from the primary unit. If one of the
backup units fails, the primary unit stops receiving HA heartbeat packets from that backup unit. In either case the
cluster is considered down until it is reconfigured.
When the cluster goes down the cluster units still operating send SNMP traps and write log messages to alert the
system administrator that a failure has occurred. You can also see the failure from the HA Status page.
You re-configure the cluster by removing the failed unit from the cluster configuration. If the primary unit has
failed, this means configuring one of the backup units to be the primary unit and adding peer IPs for all of the
remaining backup units to the new primary unit configuration.
If a backup unit has failed, you re-configure the cluster by removing the peer IP of the failed backup unit from the
primary unit configuration.
Once the cluster is re-configured it will continue to operate as before but with fewer cluster units. If the failed unit
is restored you can re-configure the cluster again to add the failed unit back into the cluster. In the same way you
can add a new unit to the cluster by changing the cluster configuration to add it.
FortiManager HA cluster startup steps
When FortiManager units configured for HA start up, they begin sending HA heartbeat packets to their configured
peer IP addresses and also begin listening for HA heartbeat packets from their configured peer IP addresses.
When the FortiManager units receive HA heartbeat packets with a matching HA cluster ID and password from a
peer IP address, the FortiManager unit assumes the peer is functioning.
When the primary unit is receiving HA heartbeat packets from all of the configured peers or backup units, the
primary unit sets the cluster status to up. Once the cluster is up the primary unit then synchronizes its
configuration to the backup unit. This synchronization process can take a few minutes depending on the size of
the FortiManager database. During this time database and configuration changes made to the primary unit are
not synchronized to the backup units. Once synchronization is complete, if changes were made during
synchronization, they are re-synchronized to the backup units.
Most of the primary unit configuration, as well as the entire FortiManager database, are synchronized to the
backup unit. Interface settings and HA settings are not synchronized. These settings must be configured on each
cluster unit.
Once the synchronization is complete, the FortiManager HA cluster begins normal operation.
Configuring HA options
To configure HA options go to System Settings > HA. From here you can configure FortiManager units to start
an HA cluster or you can change the HA configuration of the cluster.
To configure a cluster, you must set the mode of the primary unit to Master and the modes of the backup units to
Slave. Then you must add the IP addresses and serial numbers of each backup unit to the primary unit peer list. The
IP address and serial number of the primary unit must be added to each of the backup unit HA configurations.
Also, the primary unit and all backup units must have the same Cluster ID and Group Password.
You can connect to the primary unit GUI to work with FortiManager. Thanks to configuration synchronization, you
can configure and work with the cluster in the same way as you would work with a standalone FortiManager unit.
Configure the following settings:
Cluster Status: Monitor FortiManager HA status. See Monitoring HA status on page 467.
SN: The serial number of the device.
Mode: The high availability mode, either Master or Slave.
IP: The IP address of the device.
Enable: Shows if the peer is currently enabled.
Module Data Synchronized: Module data synchronized in bytes.
Pending Module Data: Pending module data in bytes.
Cluster Settings:
Operation Mode: Select Master to configure the FortiManager unit to be the primary unit in a cluster. Select Slave to configure the FortiManager unit to be a backup unit in a cluster. Select Standalone to stop operating in HA mode.
Peer IP: Select the peer IP version from the dropdown list, either IPv4 or IPv6. Then, type the IP address of another FortiManager unit in the cluster. For the primary unit you can add up to four Peer IP addresses for up to four backup units. For a backup unit you can only add the IP address of the primary unit.
Peer SN: Type the serial number of the FortiManager unit corresponding to the entered IP address.
Cluster ID: A number between 1 and 64 that identifies the HA cluster. All members of the HA cluster must have the same cluster ID. If you have more than one FortiManager HA cluster on the same network, each HA cluster must have a different cluster ID. The FortiManager GUI browser window title changes to include the cluster ID when the FortiManager unit is operating in HA mode.
Group Password: A password for the HA cluster. All members of the HA cluster must have the same group password. The maximum password length is 19 characters. If you have more than one FortiManager HA cluster on the same network, each HA cluster must have a different password.
File Quota: Enter the file quota, from 2048 to 20480MB (default: 4096MB). You cannot configure the file quota for backup units.
Heartbeat Interval: The time a cluster unit waits between sending heartbeat packets, in seconds. The heartbeat interval is also the amount of time that a FortiManager unit waits before expecting to receive a heartbeat packet from the other cluster unit. The default heartbeat interval is 5 seconds. The heartbeat interval range is 1 to 255 seconds. You cannot configure the heartbeat interval on the backup units.
Failover Threshold: The number of heartbeat intervals that one of the cluster units waits to receive HA heartbeat packets from other cluster units before assuming that the other cluster units have failed. The default failover threshold is 3. The failover threshold range is 1 to 255. You cannot configure the failover threshold of the backup units.
In most cases you do not have to change the heartbeat interval or failover threshold. With the default settings, if a unit fails the failure is detected after 3 x 5 = 15 seconds, so the failure detection time is 15 seconds.
If the failure detection time is too short, the HA cluster may detect a failure when none has occurred. For example, if the primary unit is very busy it may not respond to HA heartbeat packets in time. In this situation, the backup unit may assume the primary unit has failed when the primary unit is actually just busy. Increase the failure detection time to prevent the backup unit from detecting a failure when none has occurred.
If the failure detection time is too long, administrators will be delayed in learning that the cluster has failed. In most cases, a relatively long failure detection time will not have a major effect on operations. But if the failure detection time is too long for your network conditions, then you can reduce the heartbeat interval or failover threshold.
Download Debug Log: Select to download the HA debug log file to the management computer.
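The detection rule above (a peer is declared failed once failover threshold x heartbeat interval seconds pass without a heartbeat, both values limited to 1 to 255) as an added simulation. This is example code written for this page, not Fortinet's implementation; the peer names, timestamps and the busy-backup scenario are constructed.

```python
"""Constructed simulation of the HA failure-detection rule (added example, not Fortinet code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Tuple

# Value ranges and defaults stated in the guide
HEARTBEAT_RANGE = (1, 255)   # seconds
THRESHOLD_RANGE = (1, 255)   # heartbeat intervals
DEFAULT_INTERVAL = 5
DEFAULT_THRESHOLD = 3


def valid_settings(interval: int, threshold: int) -> bool:
    """True if both values are inside the ranges the GUI accepts."""
    return (HEARTBEAT_RANGE[0] <= interval <= HEARTBEAT_RANGE[1]
            and THRESHOLD_RANGE[0] <= threshold <= THRESHOLD_RANGE[1])


@dataclass
class HeartbeatMonitor:
    """Tracks the last heartbeat seen from each peer and applies the failover threshold."""
    heartbeat_interval: int = DEFAULT_INTERVAL
    failover_threshold: int = DEFAULT_THRESHOLD
    last_seen: Dict[str, float] = field(default_factory=dict)

    def __post_init__(self) -> None:
        if not valid_settings(self.heartbeat_interval, self.failover_threshold):
            raise ValueError("heartbeat interval and failover threshold must be 1-255")

    @property
    def detection_time(self) -> int:
        # A peer is declared failed once this many seconds pass without a heartbeat
        return self.heartbeat_interval * self.failover_threshold

    def record_heartbeat(self, peer: str, now: float) -> None:
        self.last_seen[peer] = now

    def peer_failed(self, peer: str, now: float) -> bool:
        seen = self.last_seen.get(peer)
        if seen is None:
            return True  # never heard from this configured peer: cluster cannot come up
        return now - seen >= self.detection_time

    def cluster_status(self, now: float, peers: Sequence[str]) -> str:
        # Up only while heartbeats from every configured peer are within the detection time
        return "Down" if any(self.peer_failed(p, now) for p in peers) else "Up"


def simulate(timeline: List[Tuple[float, Optional[str]]], peers: Sequence[str],
             **settings: int) -> List[Tuple[float, str]]:
    """Replay (time, heartbeat source or None) events and return the status after each one."""
    monitor = HeartbeatMonitor(**settings)
    statuses = []
    for now, source in timeline:
        if source is not None:
            monitor.record_heartbeat(source, now)
        statuses.append((now, monitor.cluster_status(now, peers)))
    return statuses


# Constructed scenario: a primary with two backups. backup2 is busy and sends its
# second heartbeat 12 s late, then goes silent.
DEMO_PEERS = ("backup1", "backup2")
DEMO_TIMELINE = [
    (0, "backup1"), (0, "backup2"),
    (5, "backup1"), (10, "backup1"),
    (12, "backup2"),   # 12 s late: under the 15 s default detection time, no false alarm
    (15, "backup1"), (20, "backup1"), (25, "backup1"),
    (27, None),        # 15 s since backup2's last heartbeat: failure declared
]


def run_demo(**settings: int) -> List[Tuple[float, str]]:
    return simulate(DEMO_TIMELINE, DEMO_PEERS, **settings)


if __name__ == "__main__":
    for now, status in run_demo():
        print(f"t={now:>3}s  cluster {status}")
    # Lowering the threshold to 2 (10 s) turns the late heartbeat into a false failure
    print("threshold=2 at t=10s:", run_demo(failover_threshold=2)[3][1])
```

With the defaults the late heartbeat at t=12 is tolerated and the real failure is flagged at t=27; with a failover threshold of 2 the same busy backup is wrongly declared failed at t=10.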
General FortiManager HA configuration steps
1. Configure the FortiManager units for HA operation:
- Configure the primary unit.
- Configure the backup units.
2. Change the network configuration so the remote backup unit and the primary unit can communicate with each
other.
3. Connect the units to their networks.
4. Add basic configuration settings to the cluster:
- Add a password for the admin administrative account.
- Change the IP address and netmask of the port1 interface.
- Add a default route.
GUI configuration steps
Use the following procedures to configure the FortiManager units for HA operation from the FortiManager unit
GUI. It assumes you are starting with three FortiManager units with factory default configurations. The primary
unit and the first backup unit are connected to the same network. The second backup unit is connected to a
remote network and communicates with the primary unit over the Internet. Sample configuration settings are also
shown.
To configure the primary unit for HA operation:
1. Connect to the primary unit GUI.
2. Go to System Settings > HA.
3. Configure HA settings.
Example HA master configuration:
Operation Mode: Master
Peer IP: 172.20.120.23
Peer SN: <serial_number>
Peer IP: 192.268.34.23
Peer SN: <serial_number>
Cluster ID: 15
Group Password: password
File Quota: 4096
Heartbeat Interval: 5 (Keep the default setting.)
Failover Threshold: 3 (Keep the default setting.)
4. Click Apply.
To configure the backup unit on the same network for HA operation:
1. Connect to the backup unit GUI.
2. Go to System Settings > HA.
3. Configure HA settings.
Example local backup configuration:
Operation Mode: Slave
Priority: 5 (Keep the default setting.)
Peer IP: 172.20.120.45
Peer SN: <serial_number>
Cluster ID: 15
Group Password: password
File Quota: 4096
Heartbeat Interval: 5 (Keep the default setting.)
Failover Threshold: 3 (Keep the default setting.)
4. Click Apply.
To configure a remote backup unit for HA operation:
1. Connect to the backup unit GUI.
2. Go to System Settings > HA.
3. Configure HA settings.
Example remote backup configuration:
Operation Mode: Slave
Priority: 5 (Keep the default setting.)
Peer IP: 192.168.20.23
Peer SN: <serial_number>
Cluster ID: 15
Group Password: password
File Quota: 4096
Heartbeat Interval: 5 (Keep the default setting.)
Failover Threshold: 3 (Keep the default setting.)
4. Click Apply.
To change the network configuration so that the remote backup unit and the primary unit can
communicate with each other:
Configure the appropriate firewalls or routers to allow HA heartbeat and synchronization traffic to pass between
the primary unit and the remote backup unit using the peer IPs added to the primary unit and remote backup unit
configurations.
HA traffic uses TCP port 5199.
To connect the cluster to the networks:
1. Connect the cluster units.
No special network configuration is required for the cluster.
2. Power on the cluster units.
The units start and use HA heartbeat packets to find each other, establish the cluster, and synchronize their
configurations.
To add basic configuration settings to the cluster:
Configure the cluster to connect to your network as required.
Monitoring HA status
Go to System Settings > HA to monitor the status of the FortiManager units in an operating HA cluster. The
FortiManager HA status pane displays information about the role of each cluster unit, the HA status of the cluster,
and the HA configuration of the cluster.
The FortiManager GUI browser window title changes to indicate that the FortiManager
unit is operating in HA mode. The following text is added to the title: HA (Group ID:
<group_id>), where <group_id> is the HA Group ID.
From the FortiManager CLI you can use the command get system ha to display
the same HA status information.
The following information is displayed:
Cluster Status: The cluster status is Up if this unit is receiving HA heartbeat packets from all of its configured peers. The cluster status is Down if the cluster unit is not receiving HA heartbeat packets from one or more of its configured peers.
Mode: The role of the FortiManager unit in the cluster. The role can be:
- Master: for the primary (or master) unit.
- Slave: for the backup units.
Module Data Synchronized: The amount of data synchronized between this cluster unit and other cluster units.
Pending Module Data: The amount of data waiting to be synchronized between this cluster unit and other cluster units.
Upgrading the FortiManager firmware for an operating cluster
You can upgrade the firmware of an operating FortiManager cluster in the same way as upgrading the firmware of
a standalone FortiManager unit. During the firmware upgrade procedure, you connect to the primary unit GUI or
CLI to upgrade the firmware.
Similar to upgrading the firmware of a standalone FortiManager unit, normal FortiManager operations are
temporarily interrupted while the cluster firmware upgrades. As a result of this interruption, you should only
upgrade the firmware during a maintenance period.
To upgrade FortiManager HA cluster firmware:
1. Log into the primary unit GUI.
2. Upgrade the primary unit firmware.
The firmware is forwarded to all the slave units, and then all the devices (master and slaves) are rebooted.
See the FortiManager Release Notes and FortiManager Upgrade Guide in the Fortinet Document Library
for more information.
Administrators may not be able to connect to the FortiManager GUI until the upgrade
synchronization process is complete. During the upgrade, using SSH or telnet to
connect to the CLI may also be slow; use the console to connect to the CLI.
Certificates
The FortiManager generates a certificate request based on the information you entered to identify the
FortiManager unit. After you generate a certificate request, you can download the request to a management
computer and then forward the request to a CA.
Local certificates are issued for a specific server, or website. Generally they are very specific, and often for an
internal enterprise network.
CA root certificates are similar to local certificates, however they apply to a broader range of addresses or to an
entire company.
The CRL is a list of certificates that have been revoked and are no longer usable. This list includes expired,
stolen, or otherwise compromised certificates. If your certificate is on this list, it will not be accepted. CRLs are
maintained by the CA that issues the certificates and include the date and time when the next CRL will be issued,
as well as a sequence number to help ensure you have the most current versions.
Local certificates
The FortiManager unit generates a certificate request based on the information you enter to identify the
FortiManager unit. After you generate a certificate request, you can download the request to a computer that has
management access to the FortiManager unit and then forward the request to a CA.
The certificate window also enables you to export certificates for authentication, importing, and viewing.
The FortiManager has one default local certificate: Fortinet_Local.
You can manage local certificates from the System Settings > Certificates > Local Certificates page. Some
options are available in the toolbar. Some options are also available in the right-click menu.
Creating a local certificate
To create a certificate request:
1. Go to System Settings > Certificates > Local Certificates
2. Click Create New in the toolbar. The Generate Certificate Signing Request pane opens.
3. Enter the following information as required, then click OK to save the certificate request:
Certificate Name: The name of the certificate.
Subject Information: Select the ID type from the dropdown list:
- Host IP: Select if the unit has a static IP address. Enter the public IP address of the unit in the Host IP field.
- Domain Name: Select if the unit has a dynamic IP address and subscribes to a dynamic DNS service. Enter the domain name of the unit in the Domain Name field.
- Email: Select to use an email address. Enter the email address in the Email Address field.
Optional Information:
Organization Unit (OU): The name of the department. You can enter a series of OUs up to a maximum of 5. To add or remove an OU, use the plus (+) or minus (-) icons.
Organization (O): Legal name of the company or organization.
Locality (L): Name of the city or town where the device is installed.
State/Province (ST): Name of the state or province where the FortiGate unit is installed.
Country (C): Select the country where the unit is installed from the dropdown list.
E-mail Address (EA): Contact email address.
Subject Alternative Name: Optionally, enter one or more alternative names for which the certificate is also valid. Separate names with a comma.
A name can be:
- e-mail address
- IP address
- URI
- DNS name (alternatives to the Common Name)
- directory name (alternatives to the Distinguished Name)
You must precede the name with the name type.
Key Type: The key type can be RSA or Elliptic Curve.
Key Size: Select the key size from the dropdown list: 512 Bit, 1024 Bit, 1536 Bit, or 2048 Bit. This option is only available when the key type is RSA.
Curve Name: Select the curve name from the dropdown list: secp256r1 (default), secp384r1, or secp521r1. This option is only available when the key type is Elliptic Curve.
Enrollment Method: The enrollment method is set to File Based.
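An added validator for the Subject Alternative Name string and the key options described above; this is example code, not FortiManager's own. It assumes OpenSSL-style type prefixes (DNS:, IP:, email:, URI:, dirName:) because the guide only says each name must be preceded by its type, and the warning on RSA sizes below 2048 bits is an editor's caveat rather than a check the GUI performs.

```python
"""Added validator for the CSR Subject Alternative Name field and key options (example code,
not FortiManager's). Type prefixes follow OpenSSL notation, which is an assumption."""
import ipaddress
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Name types the guide lists, keyed by the assumed prefix (lower-cased for matching)
SAN_TYPES = {"email", "ip", "uri", "dns", "dirname"}
RSA_SIZES = (512, 1024, 1536, 2048)            # options the GUI offers
CURVES = ("secp256r1", "secp384r1", "secp521r1")
MIN_RECOMMENDED_RSA = 2048                     # editor's caveat: smaller RSA keys are weak

_HOSTNAME = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
                       r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.I)
_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def _check_value(kind: str, value: str) -> None:
    """Raise ValueError if the value does not fit its declared name type."""
    if kind == "ip":
        ipaddress.ip_address(value)            # raises ValueError on a bad address
    elif kind == "email" and not _EMAIL.match(value):
        raise ValueError(f"bad e-mail address: {value!r}")
    elif kind == "dns" and not _HOSTNAME.match(value):
        raise ValueError(f"bad DNS name: {value!r}")
    elif kind == "uri":
        parts = urlparse(value)
        if not parts.scheme or not (parts.netloc or parts.path):
            raise ValueError(f"bad URI: {value!r}")
    elif kind == "dirname" and "=" not in value:
        raise ValueError(f"directory name needs attribute=value pairs: {value!r}")


def parse_san(san: str) -> List[Tuple[str, str]]:
    """Split the comma-separated SAN string into (type, value) pairs, enforcing the rule
    that every name carries a type prefix."""
    entries = []
    for raw in san.split(","):
        item = raw.strip()
        if not item:
            continue
        if ":" not in item:
            raise ValueError(f"name lacks a type prefix: {item!r}")
        kind, value = (s.strip() for s in item.split(":", 1))
        kind = kind.lower()
        if kind not in SAN_TYPES:
            raise ValueError(f"unknown name type {kind!r} in {item!r}")
        _check_value(kind, value)
        entries.append((kind, value))
    return entries


def san_problems(san: str) -> List[str]:
    """Non-raising wrapper: list of problems, empty when the string is acceptable."""
    try:
        parse_san(san)
        return []
    except ValueError as exc:
        return [str(exc)]


def check_key(key_type: str, key_size: Optional[int] = None,
              curve: Optional[str] = None) -> List[str]:
    """Validate the key options against what the GUI offers; return warnings (not errors)."""
    warnings = []
    if key_type == "RSA":
        if key_size not in RSA_SIZES:
            raise ValueError(f"RSA key size must be one of {RSA_SIZES}")
        if key_size < MIN_RECOMMENDED_RSA:
            warnings.append(f"RSA {key_size}-bit is below {MIN_RECOMMENDED_RSA} bits; "
                            "widely considered too weak for new certificates")
    elif key_type == "Elliptic Curve":
        if curve not in CURVES:
            raise ValueError(f"curve must be one of {CURVES}")
    else:
        raise ValueError("key type must be 'RSA' or 'Elliptic Curve'")
    return warnings


if __name__ == "__main__":
    # Constructed sample input
    print(parse_san("DNS:fmg.example.com, IP:10.0.0.5, email:admin@example.com"))
    print(san_problems("fmg.example.com"))       # missing type prefix
    print(check_key("RSA", key_size=1024))       # offered by the GUI, but flagged as weak
```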
Importing local certificates
To import a local certificate:
1. Go to System Settings > Certificates > Local Certificates.
2. Click Import in the toolbar or right-click and select Import. The Import dialog box opens.
3. Enter the following information as required, then click OK to import the local certificate:
Type: Select the certificate type from the dropdown list: Local Certificate, PKCS #12 Certificate, or Certificate.
Certificate File: Click Browse... and locate the certificate file on the management computer.
Key File: Click Browse... and locate the key file on the management computer. This option is only available when Type is Certificate.
Password: Enter the certificate password. This option is only available when Type is PKCS #12 Certificate or Certificate.
Certificate Name: Enter the certificate name. This option is only available when Type is PKCS #12 Certificate or Certificate.
Deleting local certificates
To delete a local certificate or certificates:
1. Go to System Settings > Certificates > Local Certificates.
2. Select the certificate or certificates you need to delete.
3. Click Delete in the toolbar, or right-click and select Delete.
4. Click OK in the confirmation dialog box to delete the selected certificate or certificates.
Viewing details of local certificates
To view details of a local certificate:
1. Go to System Settings > Certificates > Local Certificates.
2. Select the certificates that you would like to see details about, then click View Certificate Detail in the toolbar or
right-click menu. The View Local Certificate page opens.
3. Click OK to return to the local certificates list.
Downloading local certificates
To download a local certificate:
1. Go to System Settings > Certificates > Local Certificates.
2. Select the certificate that you need to download.
3. Click Download in the toolbar, or right-click and select Download, and save the certificate to the management
computer.
CA certificates
The FortiManager has one default CA certificate, Fortinet_CA. In this sub-menu you can delete, import, view,
and download certificates.
Importing CA certificates
To import a CA certificate:
1. Go to System Settings > Certificates > CA Certificates.
2. Click Import in the toolbar, or right-click and select Import. The Import dialog box opens.
3. Click Browse..., browse to the location of the certificate, then click OK.
Viewing CA certificate details
To view a CA certificate's details:
1. Go to System Settings > Certificates > CA Certificates.
2. Select the certificates you need to see details about.
3. Click View Certificate Detail in the toolbar, or right-click and select View Certificate Detail. The View CA
Certificate page opens.
4. Click OK to return to the CA certificates list.
Downloading CA certificates
To download a CA certificate:
1. Go to System Settings > Certificates > CA Certificates.
2. Select the certificate you need to download.
3. Click Download in the toolbar, or right-click and select Download, and save the certificate to the management
computer.
Deleting CA certificates
To delete a CA certificate or certificates:
1. Go to System Settings > Certificates > CA Certificates.
2. Select the certificate or certificates you need to delete.
3. Click Delete in the toolbar, or right-click and select Delete.
4. Click OK in the confirmation dialog box to delete the selected certificate or certificates.
The Fortinet_CA certificate cannot be deleted.
Certificate revocation lists
When you apply for a signed personal or group certificate to install on remote clients, you can obtain the
corresponding root certificate and Certificate Revocation List (CRL) from the issuing CA.
The CRL is a list of certificates that have been revoked and are no longer usable. This list includes expired,
stolen, or otherwise compromised certificates. If your certificate is on this list, it will not be accepted. CRLs are
maintained by the CA that issues the certificates and include the date and time when the next CRL will be issued,
as well as a sequence number to help ensure you have the most current version of the CRL.
When you receive the signed personal or group certificate, install the signed certificate on the remote client(s)
according to the browser documentation. Install the corresponding root certificate (and CRL) from the issuing CA
on the FortiManager unit according to the procedures given below.
Importing a CRL
To import a CRL:
1. Go to System Settings > Certificates > CRL.
2. Click Import in the toolbar, or right-click and select Import. The Import dialog box opens.
3. Click Browse..., browse to the location of the CRL, then click OK to import it.
Viewing a CRL
To view a CRL:
1. Go to System Settings > Certificates > CRL.
2. Select the CRL you need to see details about.
3. Click View Certificate Detail in the toolbar, or right-click and select View Certificate Detail. The Result page
opens.
4. Click OK to return to the CRL list.
Deleting a CRL
To delete a CRL or CRLs:
1. Go to System Settings > Certificates > CRL.
2. Select the CRL or CRLs you need to delete.
3. Click Delete in the toolbar, or right-click and select Delete.
4. Click OK in the confirmation dialog box to delete the selected CRL or CRLs.
Fetcher Management
Log fetching is used to retrieve archived logs from one FortiManager device to another. This allows
administrators to run queries and reports against historic data, which can be useful for forensic analysis.
The fetching FortiManager can query the server FortiManager and retrieve the log data for a specified device and
time period, based on specified filters. The retrieved data are then indexed, and can be used for data analysis
and reports.
Log fetching can only be done on two FortiManager devices running the same firmware. A FortiManager device
can be either the fetch server or the fetching client, and it can perform both roles at the same time with different
FortiManager devices. Only one log fetching session can be established at a time between two FortiManager
devices.
The basic steps for fetching logs are:
1. On the client, create a fetching profile. See Fetching profiles on page 473.
2. On the client, send the fetch request to the server. See Fetch requests on page 474.
3. If this is the first time fetching logs with the selected profile, or if any changes have been made to the devices
and/or ADOMs since the last fetch, on the client, sync devices and ADOMs with the server. See Synchronizing
devices and ADOMs on page 476.
4. On the server, review the request, then either approve or reject it. See Request processing on page 476.
5. Monitor the fetch process on either FortiManager. See Fetch monitoring on page 477.
6. On the client, wait until the database is rebuilt before using the fetched data for analysis.
This pane is only available when the FortiAnalyzer features are manually enabled. For
more information, see FortiAnalyzer Features on page 367.
Fetching profiles
Fetching profiles can be managed from the Profiles tab on the System Settings > Fetcher Management pane.
Profiles can be created, edited, and deleted as required. The profile list shows the name of the profile, as well as
the IP address of the server it fetches from, the server and local ADOMs, and the administrator name on the fetch
server.
To create a new fetching profile:
1. On the client, go to System Settings > Fetcher Management.
2. Select the Profiles tab, then click Create New in the toolbar, or right-click and select Create New from the menu.
The Create New Profile dialog box opens.
3. Configure the following settings, then click OK to create the profile.
Name: Enter a name for the profile.
Server IP: Enter the IP address of the fetch server.
User: Enter the username of an administrator on the fetch server, which, together with the password, authenticates the fetch client's access to the fetch server.
Password: Enter the administrator's password, which, together with the username, authenticates the fetch client's access to the fetch server.
The fetch server administrator user name and password must be for an administrator
with either a Standard_User or Super_User profile.
To edit a fetching profile:
1. Go to System Settings > Fetcher Management.
2. Double-click on a profile, right-click on a profile then select Edit, or select a profile then click Edit in the toolbar.
The Edit Profile pane opens.
3. Edit the settings as required, then click OK to apply your changes.
To delete a fetching profile or profiles:
1. Go to System Settings > Fetcher Management.
2. Select the profile or profiles you need to delete.
3. Click Delete in the toolbar, or right-click and select Delete.
4. Click OK in the confirmation dialog box to delete the selected profile or profiles.
Fetch requests
A fetch request requests archived logs from the fetch server configured in the selected fetch profile. When making
the request, the ADOM on the fetch server the logs are fetched from must be specified. An ADOM on the fetching
client must be specified or, if needed, a new one can be created. If logs are being fetched to an existing local
ADOM, you must ensure the ADOM has enough disk space for the incoming logs.
The data policy for the local ADOM on the client must also support fetching logs from the specified time period. It
must keep both archive and analytics logs long enough so they will not be deleted in accordance with the policy.
For example: Today is July 1, the ADOM's data policy is configured to keep analytics logs for 30 days (June 1 to
30), and you need to fetch logs from the first week of May. The data policy of the ADOM must be adjusted to
keep analytics and archive logs for at least 62 days to cover the entire time span. Otherwise, the fetched logs will
be automatically deleted after they are fetched.
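The data-policy check in the example above, carried through as added code (not Fortinet's). It assumes the retention window is counted inclusively from the oldest fetched day through today; the year and the archive retention value are constructed.

```python
"""Added check for the data-policy rule (example code, not Fortinet's): the local ADOM must keep
archive and analytics logs long enough to cover the fetched time span, otherwise the fetched
logs are deleted right after they arrive."""
from datetime import date, timedelta
from typing import Dict


def required_retention_days(today: date, fetch_start: date) -> int:
    """Days of retention needed so the oldest fetched log stays inside the policy window.
    Assumption: the span is counted inclusively, from the fetch start day through today."""
    if fetch_start > today:
        raise ValueError("fetch start date is in the future")
    return (today - fetch_start).days + 1


def check_data_policy(today: date, fetch_start: date, analytics_days: int,
                      archive_days: int) -> Dict[str, object]:
    """Report whether the ADOM's policy covers the fetch and, if not, which log types are
    at risk and the date on which the oldest fetched logs were already due for deletion."""
    need = required_retention_days(today, fetch_start)
    at_risk = {}
    for log_type, keep in (("analytics", analytics_days), ("archive", archive_days)):
        if keep < need:
            # Under the current policy these logs are past their deletion date, so they
            # would be removed as soon as they are fetched.
            at_risk[log_type] = fetch_start + timedelta(days=keep)
    return {"required_days": need, "ok": not at_risk, "at_risk": at_risk}


# Guide's scenario: today July 1, analytics kept 30 days, fetch from the first week of May.
# Year and the 60-day archive policy are constructed for the demo.
DEMO_TODAY = date(2018, 7, 1)
DEMO_FETCH_START = date(2018, 5, 1)


def demo() -> Dict[str, object]:
    return check_data_policy(DEMO_TODAY, DEMO_FETCH_START, analytics_days=30, archive_days=60)


if __name__ == "__main__":
    result = demo()
    print(f"need at least {result['required_days']} days of retention; ok={result['ok']}")
    for log_type, when in result["at_risk"].items():
        print(f"  {log_type} logs from {DEMO_FETCH_START} were due for deletion on {when}")
```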
To send a fetch request:
1. On the fetch client, go to System Settings > Fetcher Management and select the Profiles tab.
2. Select the profile then click Request Fetch in the toolbar, or right-click and select Request Fetch from the menu.
The Fetch Logs dialog box opens.
3. Configure the following settings, then click Request Fetch.
The request is sent to the fetch server. The status of the request can be viewed in the Sessions tab.
Name: Displays the name of the fetch server you have specified.
Server IP: Displays the IP address of the server you have specified.
User: Displays the username of the server administrator you have provided.
Secure Connection: Select to use an SSL connection to transfer fetched logs from the server.
Server ADOM: Select the ADOM on the server the logs will be fetched from. Only one ADOM can be fetched from at a time.
Local ADOM: Select the ADOM on the client where the logs will be received. Either select an existing ADOM from the dropdown list, or create a new ADOM by entering a name for it into the field.
Devices: Add the devices the logs will be fetched from. Up to 256 devices can be added. Click Select Device, select devices from the list, then click OK.
Enable Filters: Select to enable filters on the logs that will be fetched. Select All or Any of the Following Conditions in the Log messages that match field to control how the filters are applied to the logs. Add filters to the table by selecting the Log Field, Match Criteria, and Value for each filter.
Time Period: Specify what date and time range of log messages to fetch.
Index Fetch Logs: If selected, the fetched logs will be indexed in the SQL database of the client once they are received. Select this option unless you want to manually index the fetched logs.
Synchronizing devices and ADOMs
If this is the first time the fetching client is fetching logs from the device, or if any changes have been made to the
devices or ADOMs since the last fetch, then the devices and ADOMs must be synchronized with the server.
To synchronize devices and ADOMs:
1. On the client, go to System Settings > Fetcher Management and select the Profiles tab.
2. Select the profile then click Sync Devices in the toolbar, or right-click and select Sync Devices from the menu.
The Sync Server ADOM(s) & Device(s) dialog box opens and shows the progress of the process.
Once the synchronization is complete, you can verify the changes on the client. For example, newly added
devices in the ADOM specified by the profile.
If a new ADOM is created, the new ADOM will mirror the disk space and data policy of
the corresponding server ADOM. If there is not enough space on the client, the client
will create an ADOM with the maximum allowed disk space and give a warning
message. You can then adjust disk space allocation as required.
Request processing
After a fetching client has made a fetch request, the request will be listed on the fetch server in the Received
Request section of the Sessions tab on the Fetcher Management pane. It will also be available from the
notification center in the GUI banner.
Fetch requests can be approved or rejected.
To process the fetch request:
1. Go to the notification center in the GUI banner and click the log fetcher request, or go to the Sessions tab on the
System Settings > Fetcher Management pane.
2. Find the request in the Received Request section. You may have to expand the section, or select Expand All in
the content pane toolbar. The status of the request will be Waiting for approval.
3. Click Review to review the request. The Review Request dialog box will open.
4. Click Approve to approve the request, or click Reject to reject the request.
If you approve the request, the server will start to retrieve the requested logs in the background and send
them to the client. If you reject the request, the request will be canceled and the request status will be listed
as Rejected on both the client and the server.
Fetch monitoring
The progress of an approved fetch request can be monitored on both the fetching client and the fetch server.
Go to System Settings > Fetcher Management and select the Sessions tab to monitor the fetch progress. A
fetch session can be paused by clicking Pause, and resumed by clicking Resume. It can also be canceled by
clicking Cancel.
Once the log fetching is completed, the status changes to Done and the request record can be deleted by clicking
Delete. The client will start to index the logs into the database.
It can take a long time for the client to finish indexing the fetched logs and make the
analyzed data available. A progress bar is shown in the GUI banner; for more
information, click on it to open the Rebuild Log Database dialog box.
Log and report features will not be fully available until the rebuilding process is
complete.
Event Log
The Event Log pane provides an audit log of actions made by users on FortiManager. It allows you to view log
messages that are stored in memory or on the internal hard disk drive. You can use filters to search the messages
and download the messages to the management computer.
See the FortiManager Log Message Reference, available from the Fortinet Document Library, for more
information about the log messages.
Go to System Settings > Event Log to view the local log list.
The following options are available:
Add Filter
Filter the event log list based on the log level, user, sub type, or message.
See Event log filtering on page 479.
Download
Download the event logs in either CSV or the normal format to the
management computer.
Raw Log / Formatted Log
Click on Raw Log to view the logs in their raw state.
Click Formatted Log to view them formatted as a table.
Historical Log
Click to view the historical logs list.
Back
Click the back icon to return to the regular view from the historical view.
View
View the selected log file. This option is also available from the right-click
menu, or by double-clicking on the log file.
This option is only available when viewing historical event logs.
Delete
Delete the selected log file. This option is also available from the right-click
menu.
This option is only available when viewing historical event logs.
Clear
Clear the selected file of logs. This option is also available from the right-click menu.
This option is only available when viewing historical event logs.
Type
Select the type from the dropdown list:
• Event Log
• FDS Upload Log: Select the device from the dropdown list.
• FDS Download Log: Select the service (FDS, or FCT) from the Service dropdown list, select the event type (All Event, Push Update, Poll Update, or Manual Update) from the Event dropdown list, and then click Go to browse the logs.
This option is only available when viewing historical logs.
Search
Enter a search term to search the historical logs.
This option is only available when viewing historical event logs.
Pagination
Browse the pages of logs and adjust the number of logs that are shown per page.
The following information is shown:
#
The log number.
Date Time
The date and time that the log file was generated.
Level
The log level:
Debug
Error
Information
Critical
Notification
Alert
Warning
Emergency
User
The user that the log message relates to.
Sub Type
The log sub-type:
System manager event
HA event
FG-FM protocol event
Firmware manager event
Device configuration event
FortiGuard service event
Global database event
FortiClient manager event
Script manager event
FortiMail manager event
Web portal event
Debug I/O log event
Firewall objects event
Configuration change event
Policy console event
Device manager event
VPN console event
Web service event
Endpoint manager event
FortiAnalyzer event
Revision history event
Log daemon event
Deployment manager event
FIPS-CC event
Real-time monitor event
Managed devices event
Log and report manager event
Message
Log message details.
Event log filtering
The event log can be filtered using the Add Filter box in the toolbar.
To filter FortiView summaries using the toolbar:
1. Specify filters in the Add Filter box.
• Regular Search: In the selected summary view, click in the Add Filter box, select a filter from the dropdown list, then type a value. Click NOT to negate the filter value. You can add multiple filters at a time, and connect them with an "or".
• Advanced Search: Click the Switch to Advanced Search icon at the right end of the Add Filter box to switch to advanced search mode. In this mode, you type in the whole search criteria (log field names and values). Click the Switch to Regular Search icon to return to regular search.
2. Click Go to apply the filter.
Task Monitor
Using the task monitor, you can view the status of the tasks you have performed.
Go to System Settings > Task Monitor to view the task monitor. The task list size can also be configured; see
The following options are available:
Delete
Remove the selected task or tasks from the list.
This changes to Cancel Running Task(s) when View is Running.
View
Select which tasks to view from the dropdown list, based on their status.
The available options are: Running, Pending, Done, Error, Cancelling,
Cancelled, Aborting, Aborted, Warning, and All.
Expand Arrow
In the Source column, select the expand arrow icon to display the specific
actions taken under this task.
To filter the specific actions taken for a task, select one of the options on
top of the action list. Select the history icon to view specific information on
task progress. This can be useful when troubleshooting warnings and
errors.
Group Error Devices
Select Group Error Devices to create a group of the failed devices, allowing for re-installations to easily be done on only the failed devices.
History
Click the history icon to view task details in a new window.
Pagination
Browse the pages of tasks and adjust the number of tasks shown per page.
The following information is available:
ID
The identification number for a task.
Source
The platform from where the task is performed. Click the expand arrow to
view details of the specific task and access the history button.
Description
The nature of the task. Click the arrow to display the specific actions taken
under this task.
User
The user or users who performed the tasks.
Status
The status of the task (hover over the icon to view the description):
• Done: Completed with success.
• Error: Completed without success.
• Canceled: User canceled the task.
• Canceling: User is canceling the task.
• Aborted: The FortiManager system stopped performing this task.
• Aborting: The FortiManager system is stopping performing this task.
• Running: Being processed. In this status, a percentage bar appears in the Status column.
• Pending
• Warning
Start Time
The time that the task was started.
ADOM
The ADOM associated with the task.
History
Click the history button to view task details.
SNMP
Enable the SNMP agent on the FortiManager device so it can send traps to and receive queries from the
computer that is designated as its SNMP manager. This allows for monitoring the FortiManager with an SNMP
manager.
SNMP has two parts - the SNMP agent that is sending traps, and the SNMP manager that monitors those traps.
The SNMP communities on monitored FortiGate devices are hard coded and configured by the FortiManager
system - they are not user configurable.
The FortiManager SNMP implementation is read-only — SNMP v1, v2c, and v3 compliant SNMP manager
applications, such as those on your local computer, have read-only access to FortiManager system information
and can receive FortiManager system traps.
SNMP agent
The SNMP agent sends SNMP traps originating on the FortiManager system to an external monitoring SNMP
manager defined in a SNMP community. Typically an SNMP manager is an application on a local computer that
can read the SNMP traps and generate reports or graphs from them.
The SNMP manager can monitor the FortiManager system to determine if it is operating properly, or if there are
any critical events occurring. The description, location, and contact information for this FortiManager system will
be part of the information an SNMP manager will have — this information is useful if the SNMP manager is
monitoring many devices, and it will enable faster responses when the FortiManager system requires attention.
Go to System Settings > Advanced > SNMP to configure the SNMP agent.
The following information and options are available:
SNMP Agent
Select to enable the SNMP agent. When this is enabled, it sends FortiManager SNMP traps.
Description
Optionally, type a description of this FortiManager system to help uniquely identify this unit.
Location
Optionally, type the location of this FortiManager system to help find it in the event it requires attention.
Contact
Optionally, type the contact information for the person in charge of this FortiManager system.
SNMP v1/2c
The list of SNMP v1/v2c communities added to the FortiManager configuration.
Create New
Select Create New to add a new SNMP community. If SNMP agent is not
selected, this control will not be visible.
For more information, see SNMP v1/v2c communities on page 483.
Edit
Edit the selected SNMP community.
Delete
Delete the selected SNMP community or communities.
Community Name
The name of the SNMP community.
Queries
The status of SNMP queries for each SNMP community. The enabled icon
indicates that at least one query is enabled. The disabled icon indicates
that all queries are disabled.
Traps
The status of SNMP traps for each SNMP community. The enabled icon
indicates that at least one trap is enabled. The disabled icon indicates that
all traps are disabled.
Enable
Enable or disable the SNMP community.
SNMP v3
The list of SNMPv3 users added to the configuration.
Create New
Select Create New to add a new SNMP user. If SNMP agent is not
selected, this control will not be visible.
For more information, see SNMP v3 users on page 485.
Edit
Edit the selected SNMP user.
Delete
Delete the selected SNMP user or users.
User Name
The user name for the SNMPv3 user.
Security Level
The security level assigned to the SNMPv3 user.
Notification Hosts
The notification host or hosts assigned to the SNMPv3 user.
Queries
The status of SNMP queries for each SNMP user. The enabled icon
indicates queries are enabled. The disabled icon indicates they are
disabled.
SNMP v1/v2c communities
An SNMP community is a grouping of equipment for network administration purposes. You must configure your
FortiManager to belong to at least one SNMP community so that community’s SNMP managers can query the
FortiManager system information and receive SNMP traps from it.
These SNMP communities do not refer to the FortiGate devices the FortiManager
system is managing.
Each community can have a different configuration for SNMP traps and can be configured to monitor different
events. You can add the IP addresses of up to eight hosts to each community. Hosts can receive SNMP device
traps and information.
To create a new SNMP community:
1. Go to System Settings > Advanced > SNMP and ensure the SNMP agent is enabled.
2. In the SNMP v1/v2c section, click Create New in the toolbar. The New SNMP Community pane opens.
3. Configure the following options, then click OK to create the community.
Name
Enter a name to identify the SNMP community. This name cannot be
edited later.
Hosts
The list of hosts that can use the settings in this SNMP community to monitor the FortiManager system.
When you create a new SNMP community, there are no host entries. Select Add to create a new entry that broadcasts the SNMP traps and information to the network connected to the specified interface.
IP Address/Netmask
Enter the IP address and netmask of an SNMP manager.
By default, the IP address is 0.0.0.0 so that any SNMP manager can use this SNMP community.
Interface
Select the interface that connects to the network where this SNMP manager is located from the dropdown list. This must be done if the SNMP manager is on the Internet or behind a router.
Delete
Click the delete icon to remove this SNMP manager entry.
Add
Select to add another entry to the Hosts list. Up to eight SNMP manager entries can be added for a single community.
Queries
Enter the port number (161 by default) the FortiManager system uses to send v1 and v2c queries to the FortiManager in this community. Enable queries for each SNMP version that the FortiManager system uses.
Traps
Enter the Remote port number (162 by default) the FortiManager system uses to send v1 and v2c traps to the FortiManager in this community. Enable traps for each SNMP version that the FortiManager system uses.
SNMP Event
Enable the events that will cause SNMP traps to be sent to the community.
• Interface IP changed
• Log disk space low
• CPU Overuse
• Memory Low
• System Restart
• CPU usage exclude NICE threshold
• HA Failover
• RAID Event (only available for devices that support RAID)
• Power Supply Failed (only available on supported hardware devices)
FortiAnalyzer feature set SNMP events:
• High licensed device quota
• High licensed log GB/day
• Log Alert
• Log Rate
• Data Rate
To edit an SNMP community:
1. Go to System Settings > Advanced > SNMP.
2. In the SNMP v1/v2c section, double-click on a community, right-click on a community then select Edit, or select a
community then click Edit in the toolbar. The Edit SNMP Community pane opens.
3. Edit the settings as required, then click OK to apply your changes.
To delete an SNMP community or communities:
1. Go to System Settings > Advanced > SNMP.
2. In the SNMP v1/v2c section, select the community or communities you need to delete.
3. Click Delete in the toolbar, or right-click and select Delete.
4. Click OK in the confirmation dialog box to delete the selected community or communities.
SNMP v3 users
The FortiManager SNMP v3 implementation includes support for queries, traps, authentication, and privacy.
SNMP v3 users can be created, edited, and deleted as required.
To create a new SNMP user:
1. Go to System Settings > Advanced > SNMP and ensure the SNMP agent is enabled.
2. In the SNMP v3 section, click Create New in the toolbar. The New SNMP User pane opens.
3. Configure the following options, then click OK to create the user.
User Name
The name of the SNMP v3 user.
Security Level
The security level of the user. Select one of the following:
• No Authentication, No Privacy
• Authentication, No Privacy: Select the Authentication Algorithm (SHA1, MD5) and enter the password.
• Authentication, Privacy: Select the Authentication Algorithm (SHA1, MD5), the Private Algorithm (AES, DES), and enter the passwords.
Queries
Select to enable queries then enter the port number. The default port is
161.
Notification Hosts
The IP address or addresses of the host. Click the add icon to add multiple
IP addresses.
SNMP Event
Enable the events that will cause SNMP traps to be sent to the SNMP manager.
• Interface IP changed
• Log disk space low
• CPU Overuse
• Memory Low
• System Restart
• CPU usage exclude NICE threshold
• HA Failover
• RAID Event (only available for devices that support RAID)
• Power Supply Failed (only available on supported hardware devices)
FortiAnalyzer feature set SNMP events:
• High licensed device quota
• High licensed log GB/day
• Log Alert
• Log Rate
• Data Rate
To edit an SNMP user:
1. Go to System Settings > Advanced > SNMP.
2. In the SNMP v3 section, double-click on a user, right-click on a user then select Edit, or select a user then click
Edit in the toolbar. The Edit SNMP User pane opens.
3. Edit the settings as required, then click OK to apply your changes.
To delete an SNMP user or users:
1. Go to System Settings > Advanced > SNMP.
2. In the SNMP v3 section, select the user or users you need to delete.
3. Click Delete in the toolbar, or right-click and select Delete.
4. Click OK in the confirmation dialog box to delete the selected user or users.
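An added configuration check (example code, not from the FortiManager guide or from Fortinet) that models the community host entries and v3 security levels described in the two sections above and reports the settings a reviewer would question: a host entry left at the 0.0.0.0 default, a v3 user below Authentication, Privacy, or MD5/DES where SHA1/AES are offered. The data classes and the sample configuration are constructed for this example and are not a FortiManager export format.

```python
"""Audit SNMP community and v3 user settings as entered on the SNMP pane.

Example code written for this page; the Community/V3User classes and the
sample values below are constructed, not a Fortinet format.
"""
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import List, Optional


@dataclass
class Community:
    """An SNMP v1/v2c community: a name plus up to eight host entries."""
    name: str
    hosts: List[str] = field(default_factory=list)  # "ip/netmask" entries


@dataclass
class V3User:
    """An SNMP v3 user; None for an algorithm means that protection is off."""
    name: str
    auth_algo: Optional[str] = None  # "SHA1" or "MD5"
    priv_algo: Optional[str] = None  # "AES" or "DES"


def host_allows_any_manager(entry: str) -> bool:
    """True for the 0.0.0.0 default (any manager) or a mask covering every address."""
    net = ip_network(entry, strict=False)
    return net.prefixlen == 0 or int(net.network_address) == 0


def security_level(user: V3User) -> str:
    """Map a user's algorithms onto the three levels offered in the GUI.

    Privacy without authentication is not a GUI option, so a user with no
    authentication algorithm is reported as the lowest level regardless.
    """
    if user.auth_algo is None:
        return "No Authentication, No Privacy"
    if user.priv_algo is None:
        return "Authentication, No Privacy"
    return "Authentication, Privacy"


def audit_community(c: Community) -> List[str]:
    # The agent is read-only, so the exposure from an open host entry is
    # disclosure of system, administrator and trap data to anyone who
    # knows the community name, not configuration change.
    findings = []
    for entry in c.hosts:
        if host_allows_any_manager(entry):
            findings.append(
                f"community {c.name!r}: host entry {entry} admits any SNMP manager")
    return findings


def audit_v3_user(u: V3User) -> List[str]:
    findings = []
    level = security_level(u)
    if level != "Authentication, Privacy":
        findings.append(f"v3 user {u.name!r}: security level is {level}")
    if u.auth_algo == "MD5":
        findings.append(f"v3 user {u.name!r}: authentication uses MD5; SHA1 is available")
    if u.priv_algo == "DES":
        findings.append(f"v3 user {u.name!r}: privacy uses DES; AES is available")
    return findings


def audit(communities: List[Community], users: List[V3User]) -> List[str]:
    """Run every check and return the combined list of findings."""
    findings: List[str] = []
    for c in communities:
        findings.extend(audit_community(c))
    for u in users:
        findings.extend(audit_v3_user(u))
    return findings


# Constructed sample configuration (RFC 5737 documentation addresses).
SAMPLE_COMMUNITIES = [
    Community("nms-ro", hosts=["0.0.0.0/0.0.0.0"]),  # default any-host entry
    Community("noc", hosts=["192.0.2.10/255.255.255.255", "198.51.100.0/255.255.255.0"]),
]
SAMPLE_USERS = [
    V3User("monitor", auth_algo="SHA1", priv_algo="AES"),
    V3User("legacy", auth_algo="MD5"),
    V3User("anon"),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_COMMUNITIES, SAMPLE_USERS):
        print(line)
```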
SNMP MIBs
The Fortinet and FortiManager MIBs, along with the two RFC MIBs, can be obtained from Customer Service &
Support (https://support.fortinet.com). You can download the FORTINET-FORTIMANAGER-FORTIANALYZER-MIB.mib MIB file in the firmware image file folder. The FORTINET-CORE-MIB.mib file is
located in the main FortiManager 5.00 file folder.
RFC support for SNMP v3 includes Architecture for SNMP Frameworks (RFC 3411), and partial support of User-based Security Model (RFC 3414).
To be able to communicate with the SNMP agent, you must include all of these MIBs into your SNMP manager.
Generally your SNMP manager will be an application on your local computer. Your SNMP manager might already
include standard and private MIBs in a compiled database that is ready to use. You must add the Fortinet and
FortiManager proprietary MIBs to this database.
MIB file name or RFC
Description
FORTINET-CORE-MIB.mib
The proprietary Fortinet MIB includes all system configuration information and trap information that is common to all Fortinet products.
Your SNMP manager requires this information to monitor Fortinet unit configuration settings and receive traps from the Fortinet SNMP agent.
FORTINET-FORTIMANAGER-MIB.mib
The proprietary FortiManager MIB includes system information and trap information for FortiManager units.
RFC-1213 (MIB II)
The Fortinet SNMP agent supports MIB II groups with the following exceptions.
• No support for the EGP group from MIB II (RFC 1213, section 3.11 and 6.10).
• Protocol statistics returned for MIB II groups (IP/ICMP/TCP/UDP/etc.) do not accurately capture all Fortinet traffic activity. More accurate information can be obtained from the information reported by the Fortinet MIB.
RFC-2665 (Ethernet-like MIB)
The Fortinet SNMP agent supports Ethernet-like MIB information with the following exception.
No support for the dot3Tests and dot3Errors groups.
SNMP traps
Fortinet devices share SNMP traps, but each type of device also has traps specific to that device type. For
example FortiManager units have FortiManager specific SNMP traps. To receive Fortinet device SNMP traps,
you must load and compile the FORTINET-CORE-MIB into your SNMP manager.
Traps sent include the trap message as well as the unit serial number (fnSysSerial) and host name (sysName).
The Trap Message column includes the message that is included with the trap, as well as the SNMP MIB field
name to help locate the information about the trap.
Trap message
Description
ColdStart, WarmStart, LinkUp,
LinkDown
Standard traps as described in RFC 1215.
CPU usage high
(fnTrapCpuThreshold)
CPU usage exceeds the set percent. This threshold can be set in the
CLI using the following commands:
config system snmp sysinfo
set trap-high-cpu-threshold <percentage value>
end
CPU usage excluding NICE
processes
(fmSysCpuUsageExcludedNice)
CPU usage excluding NICE processes exceeds the set percentage.
This threshold can be set in the CLI using the following commands:
config system snmp sysinfo
set trap-cpu-high-exclude-nice-threshold <percentage value>
end
Memory low
(fnTrapMemThreshold)
Memory usage exceeds 90 percent. This threshold can be set in the
CLI using the following commands:
config system snmp sysinfo
set trap-low-memory-threshold <percentage value>
end
Log disk too full
(fnTrapLogDiskThreshold)
Log disk usage has exceeded the configured threshold. Only available
on devices with log disks.
Temperature too high
(fnTrapTempHigh)
A temperature sensor on the device has exceeded its threshold. Not all
devices have thermal sensors. See manual for specifications.
Voltage outside acceptable
range
(fnTrapVoltageOutOfRange)
Power levels have fluctuated outside of normal levels. Not all devices
have voltage monitoring instrumentation.
Power supply failure
(fnTrapPowerSupplyFailure)
Power supply failure detected. Available on some devices that support
redundant power supplies.
Interface IP change
(fnTrapIpChange)
The IP address for an interface has changed. The trap message
includes the name of the interface, the new IP address and the serial
number of the Fortinet unit. You can use this trap to track interface IP
address changes for interfaces with dynamic IP addresses set using
DHCP or PPPoE.
HA switch
(fmTrapHASwitch)
FortiManager HA cluster has been re-arranged. A new master has been
selected and asserted.
Fortinet & FortiManager MIB fields
The Fortinet MIB contains fields reporting current Fortinet unit status information. The below tables list the
names of the MIB fields and describe the status information available for each one. You can view more details
about the information available from all Fortinet MIB fields by compiling the fortinet.3.00.mib file into your
SNMP manager and browsing the Fortinet MIB fields.
System MIB fields:
MIB field
Description
fnSysSerial
Fortinet unit serial number.
Administrator accounts:
MIB field
Description
fnAdminNumber
The number of administrators on the Fortinet unit.
fnAdminTable
Table of administrators.
fnAdminIndex
Administrator account index number.
fnAdminName
The user name of the administrator
account.
fnAdminAddr
An address of a trusted host or subnet
from which this administrator account can
be used.
fnAdminMask
The netmask for fnAdminAddr.
Custom messages:
MIB field
Description
fnMessages
The number of custom messages on the Fortinet unit.
MIB fields and traps
MIB field
Description
fmModel
A table of all FortiManager models.
fmTrapHASwitch
The FortiManager HA cluster has been re-arranged. A new master has
been selected and asserted.
Mail Server
A mail server allows the FortiManager to send email messages, such as notifications when reports are run or
specific events occur. Mail servers can be added, edited, deleted, and tested.
Go to System Settings > Advanced > Mail Server to configure SMTP mail server settings.
If an existing mail server is in use, the delete icon is removed and the mail server entry
cannot be deleted.
To add a mail server:
1. Go to System Settings > Advanced > Mail Server.
2. Click Create New in the toolbar. The Create New Mail Server Settings pane opens.
3. Configure the following settings and then select OK to create the mail server.
SMTP Server Name
Enter a name for the SMTP server.
Mail Server
Enter the mail server information.
SMTP Server Port
Enter the SMTP server port number. The default port is 25.
Enable Authentication
Select to enable authentication.
Email Account
Enter an email account. This option is only accessible when authentication
is enabled.
Password
Enter the email account password. This option is only accessible when
authentication is enabled.
To edit a mail server:
1. Go to System Settings > Advanced > Mail Server.
2. Double-click on a server, right-click on a server and then select Edit from the menu, or select a server then click
Edit in the toolbar. The Edit Mail Server Settings pane opens.
3. Edit the settings as required, and then click OK to apply the changes.
To test the mail server:
1. Go to System Settings > Advanced > Mail Server.
2. Select the server you need to test.
3. Click Test from the toolbar, or right-click and select Test.
4. Type the email address you would like to send a test email to and click OK. A confirmation or failure message will
be displayed.
5. Click OK to close the confirmation dialog box.
To delete a mail server or servers:
1. Go to System Settings > Advanced > Mail Server.
2. Select the server or servers you need to delete.
3. Click Delete in the toolbar, or right-click and select Delete.
4. Click OK in the confirmation box to delete the server.
Syslog Server
Go to System Settings > Advanced > Syslog Server to configure syslog server settings. Syslog servers can be
added, edited, deleted, and tested.
If an existing syslog server is in use, the delete icon is removed and the server entry
cannot be deleted.
To add a syslog server:
1. Go to System Settings > Advanced > Syslog Server.
2. Click Create New in the toolbar. The Create New Syslog Server Settings pane opens.
3. Configure the following settings and then select OK to create the syslog server.
Name
Enter a name for the syslog server.
IP address (or FQDN)
Enter the IP address or FQDN of the syslog server.
Syslog Server Port
Enter the syslog server port number. The default port is 514.
To edit a syslog server:
1. Go to System Settings > Advanced > Syslog Server.
2. Double-click on a server, right-click on a server and then select Edit from the menu, or select a server then click
Edit in the toolbar. The Edit Syslog Server Settings pane opens.
3. Edit the settings as required, and then click OK to apply the changes.
To test the syslog server:
1. Go to System Settings > Advanced > Syslog Server.
2. Select the server you need to test.
3. Click Test from the toolbar, or right-click and select Test.
A confirmation or failure message will be displayed.
To delete a syslog server or servers:
1. Go to System Settings > Advanced > Syslog Server.
2. Select the server or servers you need to delete.
3. Click Delete in the toolbar, or right-click and select Delete.
4. Click OK in the confirmation box to delete the server or servers.
Meta Fields
Meta fields allow administrators to add extra information when configuring, adding, or maintaining FortiGate
units or adding new administrators. You can make the fields mandatory or optional, and set the length of the
field.
With the fields set as mandatory, administrators must supply additional information when they create a new
FortiGate object, such as an administrator account or firewall policy. Fields for this new information are added to
the FortiGate unit dialog boxes in the locations where you create these objects. You can also provide fields for
optional additional information.
The one exception to this is the System Administrators object. This object applies only to administrators on the
FortiManager unit. All other objects are related to FortiGate units.
Go to System Settings > Advanced > Meta Fields to configure meta fields. Meta fields can be added, edited,
and deleted.
Select Expand All or Contract All from the toolbar or right-click menu to view all of or
none of the meta fields under each object.
To create a new meta field:
1. Go to System Settings > Advanced > Meta Fields.
2. Click Create New in the toolbar. The Create New Meta Field pane opens.
3. Configure the following settings and then select OK to create the meta field.
Object
The object this metadata field applies to: System Administrators,
Devices, Device Groups, Chassis, Administrative Domain, Firewall
Addresses, Firewall Address Groups, Firewall Services, Firewall Service
Groups, or Firewall Policy.
Name
Enter the label to use for the field.
Length
Select the maximum number of characters allowed for the field from the
dropdown list: 20, 50, or 255.
Importance
Select Required to make the field compulsory, otherwise select Optional.
Status
Select Disabled to disable this field. The default selection is Enabled.
This field is only available for non-firewall objects.
To edit a meta field:
1. Go to System Settings > Advanced > Meta Fields.
2. Double-click on a field, right-click on a field and then select Edit from the menu, or select a field then click Edit in
the toolbar. The Edit Meta Fields pane opens.
3. Edit the settings as required, and then click OK to apply the changes.
The Object and Name fields cannot be edited.
To delete a meta field or fields:
1. Go to System Settings > Advanced > Meta Fields.
2. Select the field or fields you need to delete.
3. Click Delete in the toolbar, or right-click and select Delete.
4. Click OK in the confirmation box to delete the field or fields.
The default meta fields cannot be deleted.
Device logs
The FortiManager allows you to log system events to disk. You can control device log file size and the use of the
FortiManager unit’s disk space by configuring log rolling and scheduled uploads to a server.
As the FortiManager unit receives new log items, it performs the following tasks:
• Verifies whether the log file has exceeded its file size limit.
• Checks to see if it is time to roll the log file if the file size is not exceeded.
When a current log file (tlog.log) reaches its maximum size, or reaches the scheduled time, the FortiManager
unit rolls the active log file by renaming the file. The file name will be in the form of xlog.N.log (for example,
tlog.1252929496.log), where x is a letter indicating the log type and N is a unique number corresponding to
the time the first log entry was received. The file modification time will match the time when the last log was
received in the log file.
Once the current log file is rolled into a numbered log file, it will not be changed. New logs will be stored in the
new current log called tlog.log. If log uploading is enabled, once logs are uploaded to the remote server or
downloaded via the GUI, they are in the following format:
FG3K6A3406600001-tlog.1252929496.log-2017-09-29-08-03-54.gz
If you have enabled log uploading, you can choose to automatically delete the rolled log file after uploading,
thereby freeing the amount of disk space used by rolled log files. If the log upload fails, such as when the FTP
server is unavailable, the logs are uploaded during the next scheduled upload.
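An added parser (example code, not from the FortiManager guide or from Fortinet) for the two file name forms described above, the rolled xlog.N.log name on the unit and the serial-prefixed, timestamped name an uploaded or downloaded file takes, plus a retention helper for deciding which rolled files on an upload server are older than a given age. It assumes N is a Unix epoch timestamp (the guide's sample value is consistent with that), and the second file name below is constructed; the meaning of the log type letter is not documented on this page, so only the letter is reported.

```python
"""Parse FortiManager device log file names.

Example code written for this page. Recognised forms:
  xlog.N.log                               rolled file on the unit (tlog.log = active file)
  <serial>-xlog.N.log-YYYY-MM-DD-HH-MM-SS[.gz]   uploaded / downloaded file
N is assumed to be a Unix timestamp of the first log entry.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

ROLLED_RE = re.compile(r"^(?P<type>[a-z])log(?:\.(?P<first>\d+))?\.log$")
UPLOADED_RE = re.compile(
    r"^(?P<serial>[A-Za-z0-9]+)-(?P<type>[a-z])log\.(?P<first>\d+)\.log"
    r"-(?P<stamp>\d{4}-\d{2}-\d{2}-\d{2}-\d{2}-\d{2})(?P<gz>\.gz)?$"
)


@dataclass(frozen=True)
class LogFileName:
    log_type: str                    # the letter x in xlog.N.log ("t" for tlog)
    first_entry: Optional[datetime]  # N as a UTC timestamp; None for the active file
    serial: Optional[str]            # device serial; only present on uploaded files
    uploaded_at: Optional[datetime]  # stamp appended on upload (naive; zone not stated)
    gzipped: bool


def _epoch(value: Optional[str]) -> Optional[datetime]:
    if value is None:
        return None
    return datetime.fromtimestamp(int(value), tz=timezone.utc)


def parse_log_file_name(name: str) -> LogFileName:
    """Parse either name form; raise ValueError for anything else."""
    m = ROLLED_RE.match(name)
    if m:
        return LogFileName(m["type"], _epoch(m["first"]), None, None, False)
    m = UPLOADED_RE.match(name)
    if m:
        stamp = datetime.strptime(m["stamp"], "%Y-%m-%d-%H-%M-%S")
        return LogFileName(m["type"], _epoch(m["first"]), m["serial"], stamp,
                           m["gz"] is not None)
    raise ValueError(f"not a FortiManager device log file name: {name!r}")


def older_than(names: List[str], days: int, now: datetime) -> List[str]:
    """Names whose first entry is more than `days` before `now` (an aware datetime).

    Useful when purging rolled files from an upload server; the active
    file, which has no N, is never selected.
    """
    cutoff = now - timedelta(days=days)
    old = []
    for n in names:
        parsed = parse_log_file_name(n)
        if parsed.first_entry is not None and parsed.first_entry < cutoff:
            old.append(n)
    return old


# Constructed sample: the guide's example name, a newer file, and the active file.
SAMPLE_NAMES = [
    "FG3K6A3406600001-tlog.1252929496.log-2017-09-29-08-03-54.gz",
    "FG3K6A3406600001-tlog.1506600000.log-2017-09-29-08-03-54.gz",
    "tlog.log",
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(n, "->", parse_log_file_name(n))
```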
Log rolling and uploading can be enabled and configured using the GUI or CLI.
This pane is only available when the FortiAnalyzer features are manually enabled. For
more information, see FortiAnalyzer Features on page 367.
Configuring rolling and uploading of logs using the GUI
Go to System Settings > Advanced > Device Log Setting to configure device log settings.
Configure the following settings, and then select Apply:
Registered Device Logs
Roll log file when size exceeds
Enter the log file size, from 10 to 500MB. Default: 200MB.
Roll log files at scheduled time
Select to roll logs daily or weekly.
• Daily: select the hour and minute value in the dropdown lists.
• Weekly: select the day, hour, and minute value in the dropdown lists.
Upload logs using a standard file transfer protocol
Select to upload logs and configure the following settings.
Upload Server Type
Select one of FTP, SFTP, or SCP.
Upload Server IP
Enter the IP address of the upload server.
User Name
Enter the username used to connect to the upload server.
Password
Enter the password used to connect to the upload server.
Remote Directory
Enter the remote directory on the upload server where the log will
be uploaded.
Upload Log Files
Select to upload log files when they are rolled according to
settings selected under Roll Logs, or daily at a specific hour.
Upload rolled files in
gzip file format
Select to gzip the logs before uploading. This will result in smaller
logs and faster upload times.
Delete files after
uploading
Select to remove device log files from the FortiManager system
after they have been uploaded to the Upload Server.
Local Device Log
496
Send the local event logs to
FortiAnalyzer / FortiManager
Select to send local event logs to another FortiAnalyzer or
FortiManager device.
IP Address
Enter the IP address of the FortiAnalyzer or FortiManager.
Upload Option
Select to upload logs in real time or at a scheduled time.
When selecting a scheduled time, you can specify the hour and
minute to upload logs each day.
Severity Level
Select the minimum log severity level from the dropdown list. This
option is only available when Upload Option is Realtime.
Secure connection
for log transmission
Select to use a secure connection for log transmission.
Configuring rolling and uploading of logs using the CLI
Log rolling and uploading can be enabled and configured using the CLI. For more information, see the
FortiManager CLI Reference.
Enable or disable log file uploads
Use the following CLI commands to enable or disable log file uploads.
To enable log uploads:
config system log settings
config rolling-regular
set upload enable
end
To disable log uploads:
config system log settings
config rolling-regular
set upload disable
end
Roll logs when they reach a specific size
Use the following CLI commands to specify the size, in MB, at which a log file is rolled.
To roll logs when they reach a specific size:
config system log settings
config rolling-regular
set file-size <integer>
end
Roll logs on a schedule
Use the following CLI commands to configure rolling logs on a set schedule, or never.
To disable log rolling:
config system log settings
config rolling-regular
set when none
end
To enable daily log rolling:
config system log settings
config rolling-regular
set upload enable
set when daily
set hour <integer>
set min <integer>
end
To enable weekly log rolling:
config system log settings
config rolling-regular
set when weekly
set days {mon | tue | wed | thu | fri | sat | sun}
set hour <integer>
set min <integer>
end
File Management
FortiManager allows you to configure automatic deletion of device log files, quarantined files, reports, and
content archive files after a set period of time.
Go to System Settings > Advanced > File Management to configure file management settings.
Configure the following settings, and then select Apply:
Device log files older than: Select to enable automatic deletion of compressed log files. Enter a value in the text field, select the time period (Days, Weeks, or Months), and choose a time of day.

Reports older than: Select to enable automatic deletion of reports of data from compressed log files. Enter a value in the text field, select the time period, and choose a time of day.

Content archive files older than: Select to enable automatic deletion of IPS and DP archives from Archive logs. Enter a value in the text field, select the time period, and choose a time of day.

Quarantined files older than: Select to enable automatic deletion of compressed log files of quarantined files. Enter a value in the text field, select the time period, and choose a time of day.
This pane is only available when the FortiAnalyzer features are manually enabled. For
more information, see FortiAnalyzer Features on page 367.
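As an added example that is not from this guide or from FortiManager, the following computes which rolled device log files a Device log files older than setting would select when the job runs at the configured time of day, using each file's modification time (which, as described under Device logs, matches the time the last log entry was received). How FortiManager measures a Months interval is not stated in the guide; treating it as a calendar month with the day clamped to the month's length is an assumption made here, and the sample file list is constructed.

```python
import calendar
from datetime import datetime, timedelta

# Units offered by the File Management pane.
UNITS = ("Days", "Weeks", "Months")


def subtract_months(when: datetime, months: int) -> datetime:
    """Step back whole calendar months, clamping the day to the target month's length.

    Assumption: the guide does not define how a "Months" interval is measured, so a
    calendar-month interval is used here (31 March minus one month is 28 February).
    """
    total = when.year * 12 + (when.month - 1) - months
    year, month0 = divmod(total, 12)
    month = month0 + 1
    day = min(when.day, calendar.monthrange(year, month)[1])
    return when.replace(year=year, month=month, day=day)


def retention_cutoff(run_at: datetime, value: int, unit: str) -> datetime:
    """Return the time before which a file counts as older than <value> <unit>."""
    if value < 1:
        raise ValueError("retention value must be at least 1")
    if unit == "Days":
        return run_at - timedelta(days=value)
    if unit == "Weeks":
        return run_at - timedelta(weeks=value)
    if unit == "Months":
        return subtract_months(run_at, value)
    raise ValueError(f"unit must be one of {UNITS}, got {unit!r}")


def next_run(now: datetime, hour: int, minute: int) -> datetime:
    """Next occurrence of the configured time of day, today or tomorrow."""
    candidate = now.replace(hour=hour, minute=minute, second=0, microsecond=0)
    if candidate <= now:
        candidate += timedelta(days=1)
    return candidate


def select_expired(files: dict, run_at: datetime, value: int, unit: str) -> list:
    """Names of files whose modification time is before the cutoff, sorted.

    files maps file name -> modification time of the rolled log.
    """
    cutoff = retention_cutoff(run_at, value, unit)
    return sorted(name for name, mtime in files.items() if mtime < cutoff)


# Constructed sample: modification times of four rolled device log files.
SAMPLE_FILES = {
    "FG3K6A3406600001-tlog.1.log-2017-09-29-08-03-54.gz": datetime(2017, 9, 29, 8, 3, 54),
    "FG3K6A3406600001-tlog.2.log-2017-12-01-08-00-00.gz": datetime(2017, 12, 1, 8, 0, 0),
    "FG3K6A3406600001-tlog.3.log-2018-01-10-08-00-00.gz": datetime(2018, 1, 10, 8, 0, 0),
    "FG3K6A3406600001-tlog.4.log-2018-01-18-08-00-00.gz": datetime(2018, 1, 18, 8, 0, 0),
}

if __name__ == "__main__":
    run = next_run(datetime(2018, 1, 18, 23, 30), hour=2, minute=0)  # 2018-01-19 02:00
    print("runs at", run)
    for value, unit in ((7, "Days"), (1, "Months"), (3, "Months")):
        print(value, unit, "->", select_expired(SAMPLE_FILES, run, value, unit))
```

Running a dry run like this against the actual file list before enabling automatic deletion shows exactly which evidence would be removed, which is worth confirming against any log retention requirement before the first scheduled run.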
Advanced Settings
Go to System Settings > Advanced > Advanced Settings to view and configure advanced settings and
download WSDL files.
Configure the following settings and then select Apply:
Offline Mode: Enabling Offline Mode shuts down the protocol used to communicate with managed devices. This allows you to configure, or troubleshoot, the FortiManager without affecting managed devices. The FortiManager cannot automatically connect to a FortiGate if offline mode is enabled.

ADOM Mode: Select the ADOM mode, either Normal or Advanced. Advanced mode allows you to assign a VDOM from a single device to a different ADOM, but results in more complicated management scenarios. It is recommended only for advanced users.

Download WSDL file: Select the required WSDL functions, then click the Download button to download the WSDL file to your management computer. When selecting Legacy Operations, no other options can be selected.
    Web services are a standards-based, platform-independent access method for other hardware and software APIs. The file itself defines the format of commands the FortiManager will accept as well as the responses to expect. Using the WSDL file, third-party or custom applications can communicate with the FortiManager unit and operate it or retrieve information, just as an administrator can from the GUI or CLI.

Chassis Management: Enable chassis management, then enter the chassis update interval, from 4 to 1440 minutes. Default: 15 minutes.

Configuration Changes Received from FortiGate: Select to either automatically accept changes (default) or to prompt the administrator to accept the changes.

Task List Size: Set a limit on the size of the task list. Default: 2000.

Verify Installation: Select to preview the installation before proceeding.

Allow Install Interface Policy Only: Select to manage and install only interface-based policies, instead of all device and policy configuration.

Policy Hit Count: Enable or disable policy hit counting.
Copyright© 2018 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and
actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written
contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,
transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.