Monthly Archives: May 2016

Central VPN Console – FortiManager 5.2

Central VPN Console

When Central VPN Console is selected for VPN Management when creating an ADOM, a VPN Console tree menu item will appear in the Policy & Objects tab under Policy Package. You will need to enable the Show VPN Console option in System Settings > Admin > Admin Settings. You can create VPN topologies in this page. Once you have configured a VPN topology and gateway, you can configure the related firewall policies, preview and install. For more information, see Managing policies.

VPN topology

You can create full meshed, star, and dial up VPN topologies. Once you have created the topology, you can create the VPN gateway.

Create VPN Topology

Configure the following settings:

  Name: Type a name for the VPN topology.
  Description: Type an optional description.
  Topology: Select the topology type from the drop-down list. Select one of:
    • Full Meshed: Each gateway has a tunnel to every other gateway.
    • Star: Each gateway has one tunnel to a central hub gateway.
    • Dial up: Some gateways, often mobile users, have dynamic IP addresses and contact the gateway to establish a tunnel.
  IKE Profile: Define the IKE Profile. Configure IKE Phase 1, IKE Phase 2, Advanced settings, and Authentication settings.
  IKE Phase 1: Define the IKE Phase 1 proposal settings.

Policy and Objects – FortiManager 5.2

Policy & Objects

The Policy & Objects tab enables you to centrally manage and configure the devices that are managed by the FortiManager unit. This includes the basic network settings to connect the device to the corporate network, antivirus definitions, intrusion protection signatures, access rules, and managing and updating firmware for the devices.

If the administrator account you logged on with does not have the appropriate permissions, you will not be able to edit or delete settings, or apply any changes. Instead you are limited to browsing. To modify these settings, see Profile.

If workspace is enabled, all policies and objects are read-only until you lock the ADOM. After making any changes you must select the save icon. When unlocking the ADOM, before the save action has been selected, a warning message will open advising you that you have unsaved configuration changes. You can select to save the changes from the warning message dialog box. Alternatively, you can select to lock and edit a specific policy package in the ADOM.

ADOM level policies and objects

About policies

The following options are available:

  Policy Package: Select to access the policy package menu. The menu options are the same as the right-click menu options.
  Policy: Select to create a new policy.
  Tools: Select and then select either ADOM Revisions or Display Options from the menu.
  Collapse All / Expand All: Select to collapse or expand all policies.

In v5.0.5 and earlier, if workspace is enabled, an ADOM must be locked before any changes can be made to policy packages or objects. See Concurrent ADOM access for information on enabling or disabling workspace.

In v5.2.0 and later, if workspace is enabled, you can select to lock and edit the policy package in the right-click menu. You do not need to lock the ADOM first. The policy package lock status is displayed in the toolbar.

Scripts – FortiManager 5.2

Scripts

Scripts must be enabled for display before they are accessible as described in this chapter. Go to System Settings > Admin > Admin Settings and select Show Script in the Display Options on GUI section to make the menu visible in the Web-based Manager. For more information, see Administrator settings.

Additional configuration options and short-cuts are available using the right-click menu. Right-click the mouse on different navigation panes in the Web-based Manager page to access these options.

FortiManager scripts enable you to create, execute, and view the results of scripts executed on FortiGate devices, policy packages, the ADOM database, the global policy package, or the DB. Scripts can also be filtered based on different device information, such as OS type and platform.

At least one FortiGate device must be configured in the FortiManager system for you to be able to use scripts.

Scripts can be written in one of two formats:

  • A sequence of FortiGate CLI commands, as you would type them at the command line. A comment line starts with the number sign (#). A comment line will not be executed.
  • Tcl scripting commands to provide more functionality to your scripts including global variables and decision structures.

When writing your scripts, it is generally easier to write them in a context-sensitive editor, and then cut and paste them into the script editor on your FortiManager system. This can help avoid syntax errors and can reduce the amount of troubleshooting required for your scripts.

For information about scripting commands, see the FortiGate CLI reference.

Configuring scripts

To configure, import, export, or run scripts, go to the Device Manager tab, expand an ADOM view in the tree menu, and then select Scripts > Script. To configure script groups, go to Scripts > CLI Script Group. The script list for the selected ADOM will be displayed.

Script list

The following information is displayed:

  Name: The user-defined script name.
  Type: The script type.
  Target: The script target. One of the following:
    • Device Database
    • Policy Package, ADOM Database
    • Remote FortiGate Directly (via CLI)
  Comments: User-defined comment for the script.
  Last Modified: The date and time that the script was last modified.

The following options are available:

  Create New: Select to create a new script.
  Import: Select to import a script from your management computer. Type a name and description, select the Tcl type if applicable, and browse for the file on your management computer. Select Submit to import the script to FortiManager.
  Run: Select a script in the table, right-click, and select Run in the menu to run the script against the selected target. When running a script against a policy package, select the policy package from the drop-down list in the dialog window. When running a script against a device or database, select the device in the tree menu in the dialog window.
  New: Select a script in the table, right-click, and select New in the menu to create a new script.
  Edit: Select a script in the table, right-click, and select Edit in the menu to edit the selected script.
  Clone: Select a script in the table, right-click, and select Clone in the menu to clone the selected script.
  Delete: Select a script in the table, right-click, and select Delete in the menu to delete the selected script.
  Export: Select a script in the table, right-click, and select Export in the menu to export the script as a .txt file to your management computer.
  Select All: Select Select All in the right-click menu to select all scripts in the table, then select Delete to delete all selected scripts.
  Search: Search the scripts by typing a search term in the search field.

Device Configurations – FortiManager 5.2

Device Configurations

The FortiManager system maintains a configuration repository to manage device configuration revisions. After modifying device configurations, you can save them to the FortiManager repository and install the modified configurations to individual devices or device groups. You can also retrieve the current configuration of a device, or revert a device’s configuration to a previous revision.

This section contains the following topics:

  • Checking device configuration status
  • Managing configuration revision history

Checking device configuration status

In the Device Manager tab, when you select a device, you can view that device’s basic information under the device dashboard. You can also check if the current configuration file of the device stored in the FortiManager repository is in sync with the one running on the device.

If you make any configuration changes to a device directly, rather than through the FortiManager system, the configuration on the device and the configuration saved in the FortiManager repository will be out of sync. In this case, you can re-synchronize with the device by retrieving the configuration from the device and saving it to the FortiManager repository.

You can use the following procedures when checking device configuration status on a FortiGate, FortiCarrier, or FortiSwitch.

To check the status of a configuration installation on a FortiGate unit:

  1. Go to the Device Manager tab, then select the ADOM and device group.
  2. In the All FortiGate page, select the FortiGate unit whose configuration status you want to check. The device dashboard for that unit is shown in the right content pane.
  3. In the dashboard, locate the Configuration and Installation Status widget.
  4. Verify the status in the Installation Tracking section.

Configuration and installation status widget


The following information is shown:

  Device Profile: The device profile associated with the device. Select Change to set this value.
  Database Configuration: Select View to display the configuration file of the FortiGate unit.
  Total Revisions: Displays the total number of configuration revisions and the revision history. Select Revision History to view device history.
  Sync Status: The synchronization status with the FortiManager.
    • Synchronized: The latest revision is confirmed as running on the device.
    • Out_of_sync: The configuration file on the device is not synchronized with the FortiManager system.
    • Unknown: The FortiManager system is unable to detect which revision (in revision history) is currently running on the device.
    Select Refresh to update the Installation Status.
  Warning: Displays any warnings related to configuration and installation status.
    • None: No warning.
    • Unknown configuration version running on FortiGate: FortiGate configuration has been changed!: The FortiManager system cannot detect which revision (in Revision History) is currently running on the device.
    • Unable to detect the FortiGate version: Connectivity error!
    • Aborted: The FortiManager system cannot access the device.

Installation Tracking

  Device Settings Status:
    • Modified: Some configuration on the device has changed since the latest revision in the FortiManager database. Select Save Now to install and save the configuration.
    • UnModified: All configuration displayed on the device is saved as the latest revision in the FortiManager database.
  Installation Preview: Select the icon to display, in a new window, the set of commands that will be used in an actual device configuration installation.
  Last Installation: The FortiManager system sent a configuration to the device at the time and date listed.
  Scheduled Installation: A new configuration will be installed on the device at the date and time indicated.
  Script Status: Select Configure to view script execution history.
  Last Script Run: Displays the date when the last script was run against the managed device.
  Scheduled Script: Displays the date when the next script is scheduled to run against the managed device.
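The three Sync Status values and the re-synchronization step described under Checking device configuration status amount to comparing the configuration running on the device against the revision history held in the repository. The Python below is an added illustration of that comparison, not FortiManager code: the Repository class, the digest normalization, and the FortiGate-style sample configurations (including the direct change made on the device) are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field


def config_digest(config_text: str) -> str:
    """Digest of a configuration with whitespace and '#' comment lines removed,
    so two copies of the same configuration compare equal by content."""
    lines = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):   # comment lines are not configuration
            lines.append(line)
    return hashlib.sha256("\n".join(lines).encode("utf-8")).hexdigest()


@dataclass
class Repository:
    """Hypothetical model of one device's revision history, oldest first."""
    revisions: list = field(default_factory=list)

    def save_revision(self, config_text: str, comment: str) -> int:
        rev_id = len(self.revisions) + 1
        self.revisions.append({"id": rev_id, "digest": config_digest(config_text),
                               "comment": comment})
        return rev_id

    def latest(self):
        return self.revisions[-1] if self.revisions else None


def sync_status(repo: Repository, running_config: str) -> str:
    """Map the running configuration to the guide's Sync Status values:
    Synchronized  - it is the latest revision,
    Out_of_sync   - it is an older revision that is known to the repository,
    Unknown       - it matches no revision (changed directly on the device)."""
    latest = repo.latest()
    if latest is None:
        return "Unknown"
    running = config_digest(running_config)
    if running == latest["digest"]:
        return "Synchronized"
    if any(rev["digest"] == running for rev in repo.revisions[:-1]):
        return "Out_of_sync"
    return "Unknown"


def retrieve_and_save(repo: Repository, running_config: str) -> int:
    """Re-synchronize: retrieve the running configuration and, unless it already
    is the latest revision, save it to the repository as a new revision."""
    if sync_status(repo, running_config) == "Synchronized":
        return repo.latest()["id"]
    return repo.save_revision(running_config, "Retrieved from device")


# Constructed sample configurations in FortiGate CLI style (not from the guide).
REV1_CONFIG = """
config system global
    set hostname branch-fw
end
"""
REV2_CONFIG = """
config system global
    set hostname branch-fw
    set admintimeout 5
end
"""
# Change made directly on the device, bypassing FortiManager: an administrator
# whose trusted host permits any source. The repository has no matching revision.
DRIFTED_CONFIG = REV2_CONFIG + """
config system admin
    edit "helpdesk"
        set trusthost1 0.0.0.0 0.0.0.0
    next
end
"""


def build_repo() -> Repository:
    repo = Repository()
    repo.save_revision(REV1_CONFIG, "Initial import")
    repo.save_revision(REV2_CONFIG, "Admin timeout lowered")
    return repo


if __name__ == "__main__":
    repo = build_repo()
    for name, cfg in (("latest", REV2_CONFIG), ("older", REV1_CONFIG), ("drifted", DRIFTED_CONFIG)):
        print(f"{name:8s} {sync_status(repo, cfg)}")
    print("saved as revision", retrieve_and_save(repo, DRIFTED_CONFIG))
```

An Unknown result is the case the Warning row describes as "FortiGate configuration has been changed!"; retrieving and saving the device configuration is what turns it back into a known revision.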

FortiManager Wizards – FortiManager 5.2

FortiManager Wizards

The FortiManager Device Manager tab provides you with device and installation wizards to aid you in various administrative and maintenance tasks. Using these tools can help you shorten the amount of time it takes to do many common tasks.

FortiManager offers four wizards:

Add device wizard

Discover: The device will be probed using the provided IP address and credentials to determine the model type and other important information.

Add Model Device: The device will be added using the serial number, firmware version, and other explicitly entered information. You can also select to assign a system template to the provisioned device.

Install wizard

Install Policy Package & Device Settings: Install a specific policy package. Any device specific settings for devices associated with the package will also be installed. You can select to create a revision and schedule the install.

Install Device Settings (only): Install only device settings for a selected set of devices; policy and object changes will not be updated from the last install. This option is only available when launching the Install Wizard in the Device Manager tab.

Install Interface Policy (only): Install interface policy only in a selected policy package. Any device specific settings for devices associated with the package will also be installed.

Import policy wizard

Import device

Re-install policy

Re-install Policy Package: You can right-click on the Config Status column icon in the Device Manager tab to perform a quick install of a policy package without launching the Install wizard.

This section will describe each wizard and their usage.

Additional configuration options and short-cuts are available using the right-click menu. Right-click the mouse on different navigation panes on the Web-based Manager page to access these options.

Provisioning Templates – FortiManager 5.2

Provisioning Templates

The Provisioning Templates section of the Device Manager tree menu provides configuration options for System templates, WiFi templates, Threat Weight templates, FortiClient templates, and Certificate templates.

Provisioning templates

Select the ADOM from the drop-down list and select Provisioning Templates in the tree menu.

System templates


The System Templates menu allows you to create and manage device profiles. A system template is a subset of a model device configuration. Each device or device group can be linked with a system template. When linked, the selected settings come from the template, not from the Device Manager database.

By default, there is one generic profile defined. System templates are managed in a similar manner to policy packages. You can use the context menus to create new device profiles. You can configure settings in the widget or import settings from a specific device.

Go to the Device Manager tab, then select Provisioning Templates > System Templates > default in the tree menu to configure system templates.

The following widgets and settings are available:

System

  DNS: Primary DNS Server, Secondary DNS Server, Local Domain Name, IPv6 DNS settings. Configure in the system template or import settings from a specific device. Select Apply to save the setting. Hover over the widget heading to select the following options:
    • Import: Import DNS settings from a specific device. Select the device in the drop-down list. Select OK to import settings. Select Apply to save the settings.
    • Refresh: Refresh the information displayed in the widget.
    • Close: Close the widget and remove it from the system template.
  Time Settings: Synchronize with NTP Server and Sync Interval settings. You can select to use the FortiGuard server or specify a custom server. Configure in the system template or import settings from a specific device. Select Apply to save the setting. Hover over the widget heading to select the following options:
    • Import: Import time settings from a specific device. Select the device in the drop-down list. Select OK to import settings. Select Apply to save the settings.
    • Refresh: Refresh the information displayed in the widget.
    • Close: Close the widget and remove it from the system template.
  Alert Email: SMTP Server settings including server, authentication, SMTP user, and password. Configure in the system template or import settings from a specific device. Select Apply to save the setting. Hover over the widget heading to select the following options:
    • Import: Import alert email settings from a specific device. Select the device in the drop-down list. Select OK to import settings. Select Apply to save the settings.
    • Refresh: Refresh the information displayed in the widget.
    • Close: Close the widget and remove it from the system template.
  Admin Settings: Web Administration Ports, Timeout Settings, and Web Administration. Configure in the system template and select Apply to save the setting. Hover over the widget heading to select the following options:
    • Refresh: Refresh the information displayed in the widget.
    • Close: Close the widget and remove it from the system template.

Device Manager – FortiManager 5.2

Device Manager

Use the Device Manager tab to view and configure managed devices. This chapter covers navigating the Device Manager tab, viewing devices, managing devices, managing FortiAP access points, and managing FortiExtender wireless WAN extenders. For information on adding devices and installing policy packages, see FortiManager Wizards.

Additional configuration options and short-cuts are available using the right-click context menu. Right-click the mouse on different parts of the navigation panes on the Web-based Manager page to access these context menus.

The Device Manager tab provides access to devices and groups, provisioning templates, scripts, and VPN monitor menus.

Device manager layout

The Device Manager tab includes the following menus:

  Devices & Groups: View and configure managed and logging devices per ADOM. Use the toolbar to add devices and device groups, and to launch the install wizard.
  Provisioning Templates: Configure provisioning templates. For information on system, WiFi, Threat Weight, FortiClient, and certificate templates, see Provisioning Templates.
  Scripts: Create new or import scripts. Scripts is disabled by default. You can enable this advanced configuration option in System Settings > Admin > Admin Settings. Select Show Script to enable this option in the Device Manager tab tree menu. For more information on scripts, see Scripts.
  VPN Monitor: Select VPN Monitor to view the Central IPsec and Central SSL-VPN menus. These menus allow you to monitor the VPN connections for the ADOM in a central location. You can also bring up or bring down VPN connections.

Viewing managed/logging device

You can view the dashboard and related information of all managed/logging and provisioned devices.

This section contains the following topics:

  • Using column filters
  • View managed/logging devices
  • Dashboard widgets

Using column filters

You can filter each column by selecting the column header. Use the right-click menu to access the context menu to add or remove columns.

The following table describes the available columns and the filters available per column.

Column filters

  Device Name: Click on the column header to sort the entries in ascending or descending order (alphabetic).
  Config Status: Filter by configuration status:
    • Synchronized
    • Synchronized from AutoUpdate
    • Out of Sync
    • Pending
    • Warning
    • Unknown
    Hover the cursor over the column icon for additional information.
  Policy Package Status: Filter by policy package status:
    • Imported
    • Installed
    • Modified
    • Never Installed
    • Unknown
    Hover the cursor over the column icon for additional information.
  Hostname: Click on the column header to sort the entries in ascending or descending order (alphabetic).
  Connectivity: Filter by connectivity status:
    • Connected
    • Connection Down
    • Unknown
    Hover the cursor over the column icon for additional information.
  IP: Click on the column header to sort the entries in ascending or descending order (numeric).
  Platform: Click on the column header to sort the entries in ascending or descending order (alphabetic).
  Logs: Click on the column header to sort the entries in ascending or descending order (log status).
  Quota: Click on the column header to sort the entries in ascending or descending order (device log quota). Hover the cursor over the column icon for additional information.
  Log Connection: Click on the column header to sort the entries in ascending or descending order (log connection status). The log connection can be in one of the following states:
    • IPsec Tunnel is up
    • IPsec Tunnel is down
    • IPsec Tunnel is disabled
    Hover the cursor over the column icon for additional information.
  FortiGuard License: Filter by license status:
    • Valid
    • Expired
    • Unknown
    Hover the cursor over the column icon for additional information.
  Firmware Version: Click on the column header to sort the entries in ascending or descending order (firmware version).
  Description: Click on the column header to sort the entries in ascending or descending order (description). You can left-click the description cell to add a description to the entry. Select OK to save the change.
  Other: Filter by Description, Contact, City, Province, Country, Company.

View managed/logging devices

You can view information about individual devices in the Device Manager tab. This section describes the FortiGate unit summary.

To view managed/logging devices:

  1. Select the Device Manager tab.
  2. Select the ADOM from the drop-down list.
  3. Select the device group, for example Managed FortiGates, in the tree menu.

     When the FortiAnalyzer feature set is enabled, the All FortiGates device group is replaced with Managed FortiGates and Logging FortiGates. Managed FortiGates include FortiGate devices which are managed by FortiManager but do not send logs. Logging FortiGates include FortiGate devices which are not managed, but do send logs to FortiManager.

  4. Select a device or VDOM from the list of managed devices. The device dashboard and related information is shown in the left content pane.

Device dashboard

Dashboard toolbar

The dashboard toolbar allows you to select the content, or panel, that is shown in the content pane.

The dashboard toolbar displays the device name and current panel on the right-hand side. Hovering the cursor over the Menu drop-down menu, on the left-hand side of the toolbar, will display the available panels organized into categories.

Restricted Administrator Profiles – FortiManager 5.2

Restricted Administrator Profiles

In v5.2.0 or later, you can configure restricted administrator profiles. The restricted profile is used by the restricted administrator account. You can use restricted administrator accounts to provide delegated management of Web Filter profiles, Application Sensors, and Intrusion Protection System (IPS) Sensors for a specific ADOM. These restricted administrators can view, edit, and install changes to their ADOM.

To create a custom restricted administrator profile:

  1. Go to System Settings > Admin > Profile and select Create New in the toolbar. The Create Profile dialog box appears.

Create new administrator profile

  2. Configure the following settings:
     Profile Name: Type a name for this profile.
     Description: Type a description for this profile. While not a requirement, a description can help to know what the profile is for or the levels it is set to.
     Type: Select Restricted Admin.
     Permission: Select to enable permission.
     Web Filter Profile: Select to enable the web filter profile permission.
     Application Sensor: Select to enable the application sensor permission.
     IPS Sensor: Select to enable the IPS sensor permission.
  3. Select OK to save the new restricted administrator profile.


Restricted administrator accounts

Once you have configured the new restricted administrator profile, you can create a new restricted administrator account and apply the profile to the administrator account.

To create a new restricted administrator account:

  1. Go to System Settings > Admin > Administrator and select Create New in the toolbar. The New Administrator page is displayed.

Creating a new administrator account

  2. Configure the following settings:
     User Name: Type the name that this administrator uses to log in. This field is available if you are creating a new administrator account.
     Description: Optionally, type a description of this administrator’s role, location or reason for their account. This field adds an easy reference for the administrator account. (Character limit = 127)
     Type: Select the type of authentication the administrator will use when logging into the device. Select one of the following: LOCAL, RADIUS, LDAP, TACACS+, or PKI.
     RADIUS Server: Select the RADIUS server from the drop-down menu. This field is only available when Type is set to RADIUS.
     LDAP Server: Select the LDAP server from the drop-down menu. This field is only available when Type is set to LDAP.
     TACACS+ Server: Select the TACACS+ server from the drop-down menu. This field is only available when Type is set to TACACS+.
     Wildcard: Select to enable wildcard. This field is only available when Type is set to RADIUS, LDAP, or TACACS+.
     Subject: Type a comment in the subject field for the PKI administrator. This field is only available when Type is set to PKI.
     CA: Select the CA from the drop-down menu. This field is only available when Type is set to PKI.
     Require two-factor authentication: Select to enable two-factor authentication. This field is only available when Type is set to PKI.
     New Password: Type the password. This field is only available when Type is set to LOCAL, RADIUS, LDAP, TACACS+, or PKI.
     Confirm Password: Type the password again to confirm it. The passwords must match. This field is only available when Type is set to LOCAL, RADIUS, LDAP, TACACS+, or PKI.
     Admin Profile: Select a restricted administrator profile from the drop-down menu. The profile selected determines the administrator’s access to the FortiManager unit’s features. To create a new profile, see To create a custom restricted administrator profile.
     Administrative Domain: Choose the ADOMs this administrator will be able to access. This field is only available if ADOMs are enabled.
     Web Filter Profile: Select the web filter profile that the administrator will have access to. Select the add icon to add multiple Web Filter profiles.
     Application Sensor: Select the Application Sensor that the administrator will have access to. Select the add icon to add multiple Application Sensors.
     IPS Sensor: Select the IPS Sensor that the administrator will have access to. Select the add icon to add multiple IPS Sensors.
     Trusted Host: Optionally, type the trusted host IPv4 or IPv6 address and netmask that the administrator can log in to the FortiManager unit from. Select the add icon to add trusted hosts. You can specify up to ten trusted hosts. Setting trusted hosts for all of your administrators can enhance the security of your system. For more information, see Using trusted hosts.
     User Information (optional):
       Contact Email: Type a contact email address for the new administrator. This email address is also used for workflow session approval email notifications.
       Contact Phone: Type a contact phone number for the new administrator.
  3. Select OK to create the new restricted administrator account.
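The Trusted Host setting above restricts an administrator to at most ten address-and-netmask entries from which a login is accepted. The Python below is an added illustration of how such a list is evaluated and audited; it is not FortiManager code. The entry format (CLI-style "address netmask" or "address/prefix"), the sample trusted hosts, and the constructed login attempts are assumptions made for the example.

```python
import ipaddress

MAX_TRUSTED_HOSTS = 10   # the guide allows up to ten trusted hosts per administrator


def _network(entry: str):
    """Parse one Trusted Host entry, given as 'address netmask' or 'address/prefix'.
    Netmasks must be contiguous ones followed by zeros, e.g. 255.255.255.0."""
    if "/" in entry:
        return ipaddress.ip_network(entry.strip(), strict=False)
    address, mask = entry.split()
    addr = ipaddress.ip_address(address)
    if mask.isdigit():
        prefix = int(mask)
    else:
        mask_ip = ipaddress.ip_address(mask)
        if mask_ip.version != addr.version:
            raise ValueError(f"netmask family does not match address in {entry!r}")
        bits = addr.max_prefixlen
        mask_int = int(mask_ip)
        prefix = bin(mask_int).count("1")
        if mask_int != ((1 << bits) - 1) ^ ((1 << (bits - prefix)) - 1):
            raise ValueError(f"non-contiguous netmask in {entry!r}")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def parse_trusted_hosts(entries):
    """Turn the administrator's Trusted Host entries into networks, enforcing the cap."""
    if len(entries) > MAX_TRUSTED_HOSTS:
        raise ValueError(f"at most {MAX_TRUSTED_HOSTS} trusted hosts per administrator")
    return [_network(entry) for entry in entries]


def login_allowed(networks, source_ip: str) -> bool:
    """A login is accepted when its source address lies in any trusted network.
    No trusted hosts configured means no source restriction at all."""
    if not networks:
        return True
    src = ipaddress.ip_address(source_ip)
    return any(src.version == net.version and src in net for net in networks)


def rejected_logins(networks, attempts):
    """Return the (user, source) pairs that the trusted-host list would refuse."""
    return [(user, src) for user, src in attempts if not login_allowed(networks, src)]


def audit_trusted_hosts(entries):
    """Findings a reviewer would flag on an account: no restriction at all,
    an entry that admits every address of its family, or an unparsable entry."""
    if not entries:
        return ["no trusted hosts: administrator may log in from any address"]
    try:
        networks = parse_trusted_hosts(entries)
    except ValueError as exc:
        return [str(exc)]
    family = {4: "IPv4", 6: "IPv6"}
    return [f"{net} permits every {family[net.version]} source"
            for net in networks if net.prefixlen == 0]


# Constructed sample data: one administrator's trusted hosts and some login attempts.
TRUSTED_HOSTS = ["10.10.0.0 255.255.255.0", "192.0.2.10 255.255.255.255", "2001:db8:1::/64"]
LOGIN_ATTEMPTS = [
    ("admin-nw", "10.10.0.25"),      # inside the management subnet
    ("admin-nw", "10.10.1.25"),      # neighbouring subnet, not trusted
    ("admin-nw", "192.0.2.10"),      # the single trusted jump host
    ("admin-nw", "2001:db8:2::5"),   # wrong IPv6 prefix
]

if __name__ == "__main__":
    nets = parse_trusted_hosts(TRUSTED_HOSTS)
    for user, src in LOGIN_ATTEMPTS:
        print(f"{user} from {src}: {'allowed' if login_allowed(nets, src) else 'rejected'}")
    print("findings:", audit_trusted_hosts(["0.0.0.0 0.0.0.0"]))
```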

FortiManager portal

When the restricted administrator logs into the FortiManager, they have access to the security profiles that are configured for the account.

Restricted administrator portal

The following options are available:

  Install icon: Select to install changes to the ADOM.
  Change Password icon: Select the change password icon in the toolbar to change your account password. A Change Password dialog box is displayed. Type your old password, the new password, confirm the password, and select OK to save the new password. This option must be enabled via the CLI.
  Help icon: Select the help icon in the toolbar to load the FortiManager online help. The online help will be loaded in a new browser window.
  Log Out icon: Select the log out icon to log out of FortiManager.
  Web Filter Profile: When the Web Filter Profile permission is enabled in the restricted administrator profile, this menu will be displayed. The Web Filter Profile selected in the restricted administrator account will be listed. For information on configuring the Web Filter profile, see the FortiOS documentation for the firmware version of the ADOM. The options will vary based on the ADOM version.
  IPS Sensor: When the IPS Sensor permission is enabled in the restricted administrator profile, this menu will be displayed. The IPS Sensor selected in the restricted administrator account will be listed. For information on configuring the IPS sensor, see the FortiOS documentation for the firmware version of the ADOM. The options will vary based on the ADOM version.
  Application Sensor: When the Application Sensor permission is enabled in the restricted administrator profile, this menu will be displayed. The application sensor selected in the restricted administrator account will be listed. For information on configuring the Application Sensor, see the FortiOS documentation for the firmware version of the ADOM. The options will vary based on the ADOM version.

To enable the restricted user to change their own password:

Log into the device command line interface and enter the following CLI commands:

  config system admin profile
      edit <restricted_admin_profile>
          set change-password enable
  end

When the restricted administrator logs into their ADOM, the change password icon is displayed in the toolbar.