
Provisioning Templates – FortiManager 5.2

Provisioning Templates

The Provisioning Templates section of the Device Manager tree menu provides configuration options for System templates, WiFi templates, Threat Weight templates, FortiClient templates, and Certificate templates.

Provisioning templates

Select the ADOM from the drop-down list and select Provisioning Templates in the tree menu.

System templates


The System Templates menu allows you to create and manage device profiles. A system template is a subset of a model device configuration. Each device or device group can be linked with a system template. When linked, the selected settings come from the template, not from the Device Manager database.

By default, there is one generic profile defined. System templates are managed in a similar manner to policy packages. You can use the context menus to create new device profiles. You can configure settings in the widget or import settings from a specific device.

Go to the Device Manager tab, then select Provisioning Templates > System Templates > default in the tree menu to configure system templates.

The following widgets and settings are available:

System

DNS: Primary DNS Server, Secondary DNS Server, Local Domain Name, and IPv6 DNS settings. Configure in the system template or import settings from a specific device. Select Apply to save the setting.

Hover over the widget heading to select the following options:

- Import: Import DNS settings from a specific device. Select the device in the drop-down list. Select OK to import the settings. Select Apply to save the settings.
- Refresh: Refresh the information displayed in the widget.
- Close: Close the widget and remove it from the system template.

Time Settings: Synchronize with NTP Server and Sync Interval settings. You can select to use the FortiGuard server or specify a custom server. Configure in the system template or import settings from a specific device. Select Apply to save the setting.

Hover over the widget heading to select the following options:

- Import: Import time settings from a specific device. Select the device in the drop-down list. Select OK to import the settings. Select Apply to save the settings.
- Refresh: Refresh the information displayed in the widget.
- Close: Close the widget and remove it from the system template.

Alert Email: SMTP Server settings, including server, authentication, SMTP user, and password. Configure in the system template or import settings from a specific device. Select Apply to save the setting.

Hover over the widget heading to select the following options:

- Import: Import alert email settings from a specific device. Select the device in the drop-down list. Select OK to import the settings. Select Apply to save the settings.
- Refresh: Refresh the information displayed in the widget.
- Close: Close the widget and remove it from the system template.

Admin Settings: Web Administration Ports, Timeout Settings, and Web Administration. Configure in the system template and select Apply to save the setting.

Hover over the widget heading to select the following options:

- Refresh: Refresh the information displayed in the widget.
- Close: Close the widget and remove it from the system template.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Device Manager – FortiManager 5.2

Device Manager

Use the Device Manager tab to view and configure managed devices. This chapter covers navigating the Device Manager tab, viewing devices, managing devices, managing FortiAP access points, and managing FortiExtender wireless WAN extenders. For information on adding devices and installing policy packages, see FortiManager Wizards.

Additional configuration options and shortcuts are available in the right-click context menu. Right-click different parts of the navigation panes in the Web-based Manager to access these context menus.

The Device Manager tab provides access to devices and groups, provisioning templates, scripts, and VPN monitor menus.

Device manager layout

The Device Manager tab includes the following menus:

Devices & Groups: View and configure managed and logging devices per ADOM. Use the toolbar to add devices and device groups, and to launch the install wizard.

Provisioning Templates: Configure provisioning templates. For information on system, WiFi, Threat Weight, FortiClient, and certificate templates, see Provisioning Templates.

Scripts: Create new or import scripts. Scripts is disabled by default. You can enable this advanced configuration option in System Settings > Admin > Admin Settings: select Show Script to display the option in the Device Manager tab tree menu. For more information on scripts, see Scripts.

VPN Monitor: Select VPN Monitor to view the Central IPsec and Central SSL-VPN menus. These menus allow you to monitor the VPN connections for the ADOM in a central location. You can also bring up or bring down VPN connections.

Viewing managed/logging device

You can view the dashboard and related information of all managed/logging and provisioned devices.

This section contains the following topics:

- Using column filters
- View managed/logging devices
- Dashboard widgets

Using column filters

You can filter each column by selecting the column header. Use the right-click context menu to add or remove columns.

The following table describes the available columns and the filters available for each column.

Column filters

Device Name: Click the column header to sort the entries in ascending or descending order (alphabetic).

Config Status: Filter by configuration status:
- Synchronized
- Synchronized from AutoUpdate
- Out of Sync
- Pending
- Warning
- Unknown
Hover the cursor over the column icon for additional information.

Policy Package Status: Filter by policy package status:
- Imported
- Installed
- Modified
- Never Installed
- Unknown
Hover the cursor over the column icon for additional information.

Hostname: Click the column header to sort the entries in ascending or descending order (alphabetic).

Connectivity: Filter by connectivity status:
- Connected
- Connection Down
- Unknown
Hover the cursor over the column icon for additional information.

IP: Click the column header to sort the entries in ascending or descending order (numeric).

Platform: Click the column header to sort the entries in ascending or descending order (alphabetic).

Logs: Click the column header to sort the entries in ascending or descending order (log status).

Quota: Click the column header to sort the entries in ascending or descending order (device log quota). Hover the cursor over the column icon for additional information.

Log Connection: Click the column header to sort the entries in ascending or descending order (log connection status). The log connection can be in one of the following states:
- IPsec Tunnel is up
- IPsec Tunnel is down
- IPsec Tunnel is disabled
Hover the cursor over the column icon for additional information.

FortiGuard License: Filter by license status:
- Valid
- Expired
- Unknown
Hover the cursor over the column icon for additional information.

Firmware Version: Click the column header to sort the entries in ascending or descending order (firmware version).

Description: Click the column header to sort the entries in ascending or descending order (description). You can left-click the description cell to add a description to the entry. Select OK to save the change.

Other: Filter by Description, Contact, City, Province, Country, or Company.

View managed/logging devices

You can view information about individual devices in the Device Manager tab. This section describes the FortiGate unit summary.

To view managed/logging devices:

  1. Select the Device Manager tab.
  2. Select the ADOM from the drop-down list.
  3. Select the device group, for example Managed FortiGates, in the tree menu.

When the FortiAnalyzer feature set is enabled, the All FortiGates device group is replaced with Managed FortiGates and Logging FortiGates. Managed FortiGates include FortiGate devices that are managed by FortiManager but do not send logs. Logging FortiGates include FortiGate devices that are not managed but do send logs to FortiManager.

  4. Select a device or VDOM from the list of managed devices. The device dashboard and related information are shown in the left content pane.

Device dashboard

Dashboard toolbar

The dashboard toolbar allows you to select the content, or panel, that is shown in the content pane.

The dashboard toolbar displays the device name and current panel on the right-hand side. Hovering the cursor over the Menu drop-down menu, on the left-hand side of the toolbar, displays the available panels organized into categories.



Restricted Administrator Profiles – FortiManager 5.2

Restricted Administrator Profiles

In v5.2.0 or later, you can configure restricted administrator profiles. A restricted profile is used by a restricted administrator account. You can use restricted administrator accounts to provide delegated management of Web Filter profiles, Application Sensors, and Intrusion Protection System (IPS) Sensors for a specific ADOM. These restricted administrators can view, edit, and install changes within their ADOM.

To create a custom restricted administrator profile:

  1. Go to System Settings > Admin > Profile and select Create New in the toolbar. The Create Profile dialog box appears.

Create new administrator profile

  2. Configure the following settings:

Profile Name: Type a name for this profile.
Description: Type a description for this profile. While not required, a description helps to identify what the profile is for or the access levels it grants.
Type: Select Restricted Admin.
Permission: Select to enable permissions.
Web Filter Profile: Select to enable the web filter profile permission.
Application Sensor: Select to enable the application sensor permission.
IPS Sensor: Select to enable the IPS sensor permission.

  3. Select OK to save the new restricted administrator profile.


Restricted administrator accounts

Once you have configured the new restricted administrator profile, you can create a new restricted administrator account and apply the profile to the administrator account.

To create a new restricted administrator account:

  1. Go to System Settings > Admin > Administrator and select Create New in the toolbar. The New Administrator page is displayed.

Creating a new administrator account

  2. Configure the following settings:

User Name: Type the name that this administrator uses to log in. This field is available if you are creating a new administrator account.
Description: Optionally, type a description of this administrator's role, location, or reason for their account. This field adds an easy reference for the administrator account. (Character limit = 127)


Type: Select the type of authentication the administrator will use when logging into the device. Select one of the following: LOCAL, RADIUS, LDAP, TACACS+, or PKI.
RADIUS Server: Select the RADIUS server from the drop-down menu. This field is only available when Type is set to RADIUS.
LDAP Server: Select the LDAP server from the drop-down menu. This field is only available when Type is set to LDAP.
TACACS+ Server: Select the TACACS+ server from the drop-down menu. This field is only available when Type is set to TACACS+.
Wildcard: Select to enable wildcard. This field is only available when Type is set to RADIUS, LDAP, or TACACS+.
Subject: Type a comment in the subject field for the PKI administrator. This field is only available when Type is set to PKI.
CA: Select the CA from the drop-down menu. This field is only available when Type is set to PKI.
Require two-factor authentication: Select to enable two-factor authentication. This field is only available when Type is set to PKI.
New Password: Type the password. This field is only available when Type is set to LOCAL, RADIUS, LDAP, TACACS+, or PKI.
Confirm Password: Type the password again to confirm it. The passwords must match. This field is only available when Type is set to LOCAL, RADIUS, LDAP, TACACS+, or PKI.
Admin Profile: Select a restricted administrator profile from the drop-down menu. The selected profile determines the administrator's access to the FortiManager unit's features. To create a new profile, see To create a custom restricted administrator profile.
Administrative Domain: Choose the ADOMs this administrator will be able to access. This field is only available if ADOMs are enabled.
Web Filter Profile: Select the web filter profile that the administrator will have access to. Select the add icon to add multiple Web Filter profiles.
Application Sensor: Select the Application Sensor that the administrator will have access to. Select the add icon to add multiple Application Sensors.
IPS Sensor: Select the IPS Sensor that the administrator will have access to. Select the add icon to add multiple IPS Sensors.


Trusted Host: Optionally, type the trusted host IPv4 or IPv6 address and netmask that the administrator can log in to the FortiManager unit from. Select the add icon to add trusted hosts. You can specify up to ten trusted hosts. Setting trusted hosts for all of your administrators can enhance the security of your system. For more information, see Using trusted hosts.

User Information (optional)

Contact Email: Type a contact email address for the new administrator. This email address is also used for workflow session approval email notifications.
Contact Phone: Type a contact phone number for the new administrator.

  3. Select OK to create the new restricted administrator account.

FortiManager portal

When the restricted administrator logs into the FortiManager, they have access to the security profiles that are configured for the account.

Restricted administrator portal

The following options are available:

Install icon: Select to install changes to the ADOM.


Change Password icon: Select the change password icon in the toolbar to change your account password. A Change Password dialog box is displayed. Type your old password, the new password, and the confirmation, then select OK to save the new password. This option must be enabled via the CLI.
Help icon: Select the help icon in the toolbar to load the FortiManager online help. The online help is loaded in a new browser window.
Log Out icon: Select the log out icon to log out of FortiManager.
Web Filter Profile: When the Web Filter Profile permission is enabled in the restricted administrator profile, this menu is displayed. The Web Filter Profile selected in the restricted administrator account is listed. For information on configuring the Web Filter profile, see the FortiOS documentation for the firmware version of the ADOM. The options vary based on the ADOM version.
IPS Sensor: When the IPS Sensor permission is enabled in the restricted administrator profile, this menu is displayed. The IPS Sensor selected in the restricted administrator account is listed. For information on configuring the IPS sensor, see the FortiOS documentation for the firmware version of the ADOM. The options vary based on the ADOM version.
Application Sensor: When the Application Sensor permission is enabled in the restricted administrator profile, this menu is displayed. The Application Sensor selected in the restricted administrator account is listed. For information on configuring the Application Sensor, see the FortiOS documentation for the firmware version of the ADOM. The options vary based on the ADOM version.

To enable the restricted user to change their own password:

Log into the device command line interface and enter the following CLI commands:

config system admin profile
    edit <restricted_admin_profile>
        set change-password enable
end

When the restricted administrator logs into their ADOM, the change password icon is displayed in the toolbar.



System Settings – FortiManager 5.2

System Settings
The System Settings tab enables you to manage and configure the basic system options for the FortiManager unit. This includes the basic network settings to connect the device to the corporate network, the configuration of administrators and their access permissions, managing and updating firmware for the device, configuring logging, and access to the FortiGuard Update Service for updates.

The System Settings tab provides access to the following menus and sub-menus:

Dashboard: The Dashboard page displays widgets that provide performance and status information and enable you to configure basic system settings.
All ADOMs: The All ADOMs page is only available when ADOMs are enabled. It lists all of the ADOMs with their version, devices, VPN management, number of policy packages, and alert device information. On this page you can create, edit, delete, and upgrade ADOMs. You can also view the alert device details.
RAID Management: The RAID Management page displays information about the status of RAID, as well as which RAID level has been selected and how much disk space is currently consumed.
Network: The Network page provides routing and interface management options. It also provides access to diagnostic tools, such as ping, and a detailed listing of all currently configured interfaces.
High Availability: The HA page allows you to configure the operation mode and cluster settings.
Admin: Select this menu to configure administrator user accounts, as well as global administrative settings for the FortiManager unit. Sub-menus: Administrator, Profile, Workflow Approval, Remote Authentication Server, Administrator Settings.
Certificates: The Certificates section allows you to configure local and CA certificates, and certificate revocation lists (CRLs).
Event Log: View log messages that are stored in memory or on the internal hard disk. On this page you can view historical or real-time logs and download event logs.
Task Monitor: The Task Monitor page allows you to view the status of the tasks that you have performed.
Advanced: Select to configure mail server settings, remote output, Simple Network Management Protocol (SNMP), meta field data, and other advanced settings. Sub-menus: SNMP, Mail Server, Syslog Server, Meta Fields, Device Log Settings, File Management, Advanced Settings, Portal Users.
Dashboard
When you select the System Settings tab, it automatically opens at the System Settings > Dashboard page.
The Dashboard displays widgets that provide performance and status information and enable you to configure basic system settings. The dashboard also contains a CLI widget that allows you to use the command line through the Web-based Manager. All of the widgets appear on a single dashboard, which can be customized as desired.

FortiManager system dashboard

The following widgets are available:
System Information: Displays basic information about the FortiManager system, such as up time and firmware version. You can also enable or disable Administrative Domains and FortiAnalyzer features. For more information, see System Information widget. From this widget you can manually update the FortiManager firmware to a different release. For more information, see Firmware images.
License Information: Displays the devices being managed by the FortiManager unit and the maximum number of devices allowed. For more information, see License Information widget. From this widget you can manually upload a license for FortiManager VM systems.
Unit Operation: Displays status and connection information for the ports of the FortiManager unit. It also enables you to shut down and restart the FortiManager unit or reformat a hard disk. For more information, see Unit Operation widget.
System Resources: Displays the real-time and historical usage status of the CPU, memory, and hard disk. For more information, see System Resources widget.
Alert Message Console: Displays log-based alert messages for both the FortiManager unit itself and connected devices. For more information, see Alert Messages Console widget.
CLI Console: Opens a terminal window that enables you to configure the FortiManager unit using CLI commands directly from the Web-based Manager. This widget is hidden by default. For more information, see CLI Console widget.
Log Receive Monitor: Displays a real-time monitor of logs received. You can select to view data per device or per log type. For more information, see Log Receive Monitor widget. The Log Receive Monitor widget is available when FortiAnalyzer Features is enabled.
Logs/Data Received: Displays real-time or historical statistics of logs and data received. For more information, see Logs/Data Received widget. The Logs/Data Received widget is available when FortiAnalyzer Features is enabled.
Statistics: Displays statistics for logs and reports. For more information, see Statistics widget. The Statistics widget is available when FortiAnalyzer Features is enabled.
Customizing the dashboard
The FortiManager system dashboard can be customized. You can select which widgets to display, where they are located on the page, and whether they are minimized or maximized.
To move a widget:
Position your mouse cursor on the widget's title bar, then click and drag the widget to its new location.
To add a widget:
In the dashboard toolbar, select Add Widget, then select the names of the widgets that you want to show. To remove a widget, select the Close icon.
Adding a widget

To reset the dashboard:
Select Dashboard > Reset Dashboard from the dashboard toolbar.
To see the available options for a widget:
Position your mouse cursor over the icons in the widget's title bar. Options vary slightly from widget to widget, but always include options to close or show/hide the widget.
A minimized widget

The following options are available:
Show/Hide arrow: Display or minimize the widget.
Widget Title: The name of the widget.
More Alerts: Show the Alert Messages dialog box. This option appears only in the Alert Message Console widget.
Edit: Select to change settings for the widget. This option appears only in the System Resources, Alert Message Console, Logs/Data Received, and Log Receive Monitor widgets.
Detach: Detach the CLI Console widget from the dashboard and open it in a separate window. This option appears only in the CLI Console widget.
Reset: Select to reset the information shown in the widget. This option appears only in the Statistics widget.
Refresh: Select to update the displayed information.
Close: Select to remove the widget from the dashboard. You will be prompted to confirm the action. To add the widget back, select Widget in the toolbar and then select the name of the widget you want to show.
System Information widget
The system dashboard includes a System Information widget, shown in System Information widget, which displays the current status of the FortiManager unit and enables you to configure basic system settings.
System Information widget

The information displayed in the System Information widget depends on the FortiManager model and device settings. The following information is available on this widget:
Host Name: The identifying name assigned to this FortiManager unit. Select [Change] to change the host name. For more information, see Changing the host name.
Serial Number: The serial number of the FortiManager unit. The serial number is unique to the FortiManager unit and does not change with firmware upgrades. The serial number is used for identification when connecting to the FortiGuard server.
Platform Type: Displays the FortiManager platform type, for example FMG-VM (virtual machine).
HA Status: Displays whether the FortiManager unit is in High Availability mode and whether it is the Master or Slave unit in the HA cluster. For more information, see High Availability.
System Time: The current time on the FortiManager internal clock. Select [Change] to change system time settings. For more information, see Configuring the system time.
Firmware Version: The version number and build number of the firmware installed on the FortiManager unit. To update the firmware, you must download the latest version from the Customer Service & Support website at https://support.fortinet.com. Select [Update] and select the firmware image to load from the local hard disk or network volume. For more information, see Updating the system firmware.
System Configuration: The date of the last system configuration backup. The following actions are available:
- Select [Backup] to back up the system configuration to a file; see Backing up the system.
- Select [Restore] to restore the configuration from a backup file; see Restoring the configuration.
- Select [System Checkpoint] to revert the system to a prior saved configuration; see Creating a system checkpoint.
Current Administrators: The number of administrators that are currently logged in. The following actions are available:
- Select [Change Password] to change your own password.
- Select [Detail] to view the session details for all currently logged in administrators. See Monitoring administrator sessions for more information.
Up Time: The duration of time the FortiManager unit has been running since it was last started or restarted.
Administrative Domain: Displays whether ADOMs are enabled. Select [Enable/Disable] to change the Administrative Domain state. See Enabling and disabling the ADOM feature.
Global Database Version: Displays the current Global Database version. Select [Change] to change the global database version.
Offline Mode: Displays whether Offline Mode is enabled. To enable or disable Offline Mode, go to System Settings > Advanced > Advanced Settings.
FortiAnalyzer Features: Displays whether FortiAnalyzer features are enabled. Select [Enable/Disable] to change the FortiAnalyzer features state.
The following options are available:
Refresh: Select the refresh icon in the title bar to refresh the information displayed.
Close: Select the close icon in the title bar to remove the widget from the dashboard.
Changing the host name
The host name of the FortiManager unit is used in several places. It appears in the System Information widget on the Dashboard. For more information about the System Information widget, see System Information widget. It is used in the command prompt of the CLI. It is used as the SNMP system name. For information about SNMP, see SNMP.
The System Information widget and the get system status CLI command will display the full host name. However, if the host name is longer than 16 characters, the CLI and other places display the host name in a truncated form ending with a tilde ( ~ ) to indicate that additional characters exist, but are not displayed. For example, if the host name is FortiManager1234567890, the CLI prompt would be FortiManager123456~#.
To change the host name:
1. Go to System Settings > Dashboard.
2. In the System Information widget, next to the Host Name field, select [Change].
Edit Host Name dialog box

3. In the Host Name box, type a new host name.
The host name may be up to 35 characters in length. It may include US-ASCII letters, numbers, hyphens, and underscores. Spaces and special characters are not allowed.
4. Select OK.
Configuring the system time
You can either manually set the FortiManager system time or configure the FortiManager unit to automatically keep its system time correct by synchronizing with a Network Time Protocol (NTP) server.



Workflow Mode – FortiManager 5.2

Workflow Mode

Workflow mode is a new global mode that defines an approval or notification workflow for creating and installing policy or object changes. Workflow mode is enabled via the CLI only. When workflow mode is enabled, an administrator with the appropriate workflow permissions can approve or reject workflow sessions before they are committed to the database.

When you want to start a workflow, go to the Policy & Objects tab, select the ADOM from the drop-down list, lock the ADOM, and select the Create New Session button. You can then proceed to make changes to policies and objects. When you are done making changes, select the Save button and then the Submit button. Once the session is submitted, the lock is released and other administrators may initiate a session.

The session list allows users to view any pending requests for approval or active sessions. The session list displays details of each session and allows you to browse the changes performed in the selected session.

Enable or disable workflow mode

You can enable or disable workflow mode from the CLI only.

To enable or disable workflow mode:

  1. Select the System Settings tab in the navigation pane.
  2. Go to System Settings > Dashboard.
  3. In the CLI Console widget, type the following CLI commands:

config system global
    set workspace-mode {workflow | disabled}
end

  4. The FortiManager session ends and you must log back into the FortiManager system.


When workspace-mode is workflow, the Device Manager tab and Policy & Objects tab are read-only. You must lock the ADOM to create a new workflow session.

Optionally, you can select to enable or disable ADOM lock override. When this feature is enabled, an administrator can select to unlock an ADOM that is locked by another administrator.

To enable or disable ADOM lock override:

  1. Select the System Settings tab in the navigation pane.
  2. Go to System Settings > Dashboard.
  3. In the CLI Console widget, type the following CLI commands (the setting name is lock-preempt):

config system global
    set lock-preempt {enable | disable}
end

Workflow sessions

When you want to start a workflow, go to the Policy & Objects tab, select the ADOM from the drop-down list, lock the ADOM, and select the Create New Session button in the Session List dialog box. Type a name for the session and select OK. You can then proceed to make changes to policy packages and objects. When you are done making changes, select the Save button and then the Submit button in the toolbar. In the Submit for Approval dialog box, type a comment and the notification email address. Once the session is submitted, the lock is released and other administrators may initiate a session.

For administrators with the appropriate permissions, they will be able to approve or reject any pending requests. When viewing the session list, they can choose any sessions that are pending and click the approve/reject buttons. They can add a note to the approval/rejection response. The system will send a notification to the administrator that submitted the session. If the session was approved, no further action is required. If the session was rejected, the administrator will need to log on and repair their changes. Once they create a session, the administrator will make their repair on top of the last session changes.

To start a workflow session:

  1. Select the Policy & Objects tab in the navigation pane.
  2. Select the ADOM from the drop-down list.
  3. Select Lock ADOM in the toolbar. The lock icon changes to a locked state and the Session List window is displayed.
  4. Select the Create New Session button, type a name for new session, type optional comments, and select OK to start the session.
  5. Make the required changes to Policy Package and Objects and select Sessions > Submit in the toolbar to submit changes for approval. The Submit for Approval dialog box is displayed.

Enter the following:

Comments Type a comment for the session.
Attach configuration change details Select to attach configuration change details to the email.

 


  6. Select OK to submit the session for approval.

The session is submitted for approval, an email is sent to the approver, and the ADOM is returned to an unlocked state. An ADOM revision is created for the workflow session.

To approve, reject, or repair a workflow session:

  1. Select the Policy & Objects tab in the navigation pane.
  2. Select the ADOM from the drop-down list.
  3. Select Lock ADOM in the toolbar. The lock icon changes to a locked state and the Session List window is displayed. Alternatively, select Sessions > Session List from the toolbar.

The following information is displayed:

ID The session identifier.
Status The session status. One of the following:

  • Waiting Approval: The session is waiting to be reviewed and approved.
  • Approved: The workflow session was approved by the approver.
  • Rejected: The workflow session was rejected by the approver.
  • Repaired: The rejected workflow session was repaired. When a rejected session is repaired, a new session ID is created for the repaired session.

Name The user-defined name that identifies the session.
User The name of the administrator who created the session.
Date Submitted The date and time that the session was submitted for approval.
Comments Select a policy in the list to view or add comments to the session. The comments box displays comments from the session creator. The session approver can add comments.
Create New Session Select to create a new workflow session.
Continue Without Session Select to continue without starting a new session. When a new session is not started, all policies and objects are read-only.

Right-clicking a session in the list opens a pop-up menu with the following options:

Approve Select Approve when the session status is Waiting Approval.
Reject Select Reject when the session status is Waiting Approval. A rejected session must be repaired before the next session in the list can be approved.
Repair Select Repair when the session status is Rejected. A repaired session results in a new session being created for the repair. This session is added after the last session in the list.
View Diff Select View Diff to view the difference between the two revisions. You can select to download the revision in a CSV file to your management computer.

  4. Select Approve, Reject, Repair, or View Diff.
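The session rules above, as an added Python model that is not FortiManager code: it encodes the lock, submit, approve, reject, repair and lock-preempt behaviour so the blocking effect of a rejected session can be checked on sample data. The ADOM, administrator and session names are constructed.

```python
# Constructed model (added example, not FortiManager code) of the workflow-mode
# rules described above: lock before creating a session, lock released on submit,
# a rejected session blocks approval of later sessions until it is repaired, repair
# opens a new session appended to the end of the list, lock-preempt overrides a lock.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

WAITING, APPROVED, REJECTED, REPAIRED = (
    "Waiting Approval", "Approved", "Rejected", "Repaired")


@dataclass
class Session:
    id: int
    name: str
    user: str
    status: str = WAITING
    comments: List[str] = field(default_factory=list)
    repaired_by: Optional[int] = None  # ID of the repair session, once created


class WorkflowAdom:
    """One ADOM with workspace-mode set to workflow (constructed model)."""
    def __init__(self, name: str, lock_preempt: bool = False):
        self.name = name
        self.lock_preempt = lock_preempt    # ADOM lock override (CLI lock-preempt)
        self.locked_by: Optional[str] = None
        self.open_session: Optional[Session] = None
        self.sessions: List[Session] = []   # Session List, in submission order
        self._next_id = 1

    def lock(self, admin: str) -> None:
        """Lock ADOM; another admin's lock can be taken over only with lock-preempt."""
        if self.locked_by not in (None, admin):
            if not self.lock_preempt:
                raise PermissionError(f"{self.name} is locked by {self.locked_by}")
            self.open_session = None        # the preempted admin's open session is dropped
        self.locked_by = admin

    def create_session(self, admin: str, name: str) -> Session:
        """Create New Session: only the administrator holding the lock may do this."""
        if self.locked_by != admin:
            raise PermissionError("lock the ADOM before creating a session")
        self.open_session = Session(self._next_id, name, admin)
        self._next_id += 1
        return self.open_session

    def submit(self, admin: str, comment: str) -> Session:
        """Submit for Approval: queue the session and release the ADOM lock."""
        session = self.open_session
        if session is None or session.user != admin:
            raise PermissionError("no open session for this administrator")
        session.comments.append(f"{admin}: {comment}")
        self.sessions.append(session)
        self.open_session, self.locked_by = None, None
        return session

    def _get(self, session_id: int) -> Session:
        for session in self.sessions:
            if session.id == session_id:
                return session
        raise KeyError(session_id)

    def _decide(self, approver: str, session_id: int, verdict: str, note: str) -> Session:
        session = self._get(session_id)
        if session.status != WAITING:
            raise ValueError(f"session {session_id} is {session.status}, not {WAITING}")
        if verdict == APPROVED:
            # A rejected session earlier in the list must be repaired first.
            for earlier in self.sessions:
                if earlier is session:
                    break
                if earlier.status == REJECTED:
                    raise ValueError(f"repair rejected session {earlier.id} first")
        session.status = verdict
        session.comments.append(f"{approver}: {note}")
        return session

    def approve(self, approver: str, session_id: int, note: str = "") -> Session:
        return self._decide(approver, session_id, APPROVED, note)

    def reject(self, approver: str, session_id: int, note: str = "") -> Session:
        return self._decide(approver, session_id, REJECTED, note)

    def repair(self, admin: str, session_id: int, name: str) -> Session:
        """Repair: open a new session (new ID) on top of the latest session's changes."""
        session = self._get(session_id)
        if session.status != REJECTED:
            raise ValueError(f"only a {REJECTED} session can be repaired")
        self.lock(admin)
        repair_session = self.create_session(admin, name)
        session.status, session.repaired_by = REPAIRED, repair_session.id
        return repair_session

    def session_list(self) -> List[Tuple[int, str, str, str]]:
        """The Session List columns: ID, Status, Name, User."""
        return [(s.id, s.status, s.name, s.user) for s in self.sessions]
```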

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Administrative Domains – FortiManager 5.2

Administrative Domains

FortiManager appliances scale to manage thousands of Fortinet devices. Administrative domains (ADOMs) enable administrators to manage only those devices that are specific to their geographic location or business division. FortiGate devices with multiple VDOMs can be divided among multiple ADOMs.

If ADOMs are enabled, each administrator account is tied to an ADOM. When a particular administrator logs in, they see only those devices or VDOMs that have been enabled for their account. Administrator accounts that have special permissions, such as the admin account, can see and maintain all ADOMs and the devices within those domains.

ADOMs are not enabled by default, and enabling and configuring the domains can only be performed by the admin administrator. For more information, see Enabling and disabling the ADOM feature.

The maximum number of ADOMs you can add depends on the FortiManager system model. Please refer to the FortiManager data sheet for information on the maximum number of devices that your model supports.

This section includes the following topics:

  • Enabling and disabling the ADOM feature
  • ADOM modes
  • ADOM versions
  • Managing ADOMs

What is the best way to organize my devices using ADOMs?

You can organize devices into ADOMs to allow you to better manage these devices. You can organize these devices by:

  • Firmware version: group all devices with the same firmware version into an ADOM.
  • Geographic regions: group all devices for a specific geographic region into an ADOM, and devices for a different region into another ADOM.
  • Administrative users: group devices into separate ADOMs based on the specific administrators responsible for each group of devices.
  • Customers: group all devices for one customer into an ADOM, and devices for another customer into another ADOM.

Enabling and disabling the ADOM feature

To enable or disable the ADOM feature, you must be logged in as the admin administrator. Only this user has the ability to enable or disable this feature.


To enable the ADOM feature:

  1. Log in as admin.
  2. Go to System Settings > Dashboard.
  3. In the System Information widget, select Enable next to Administrative Domain.

To disable the ADOM feature:

  1. Remove all the managed devices from all ADOMs.
  2. Delete all non-root ADOMs, by right-clicking on the ADOM in the tree menu in the Device Manager tab and selecting Delete from the pop-up menu.

After removing the ADOMs, you can now disable the ADOM feature.

  3. Go to System Settings > Dashboard.
  4. In the System Information widget, select Disable next to Administrative Domain.

ADOM modes


When the ADOMs feature is enabled and you log in as the admin user, all the available ADOMs will be listed in the tree menus on different tabs.

In the Policy & Objects tab, a menu bar allows you to select either Global or a specific ADOM from the drop-down list. Selecting Global or a specific ADOM will then display the policy packages and objects appropriate for your selection.

Switching between ADOMs

As an admin administrator, you are able to move between all the ADOMs created on the FortiManager system. This enables you to view, configure and manage the various domains.

Other administrators are only able to move between the ADOMs to which they have been given permission. They can view and administer the domains based on their account's permission settings.

To access a specific ADOM, simply select that ADOM in the tree menu. The FortiManager system presents you with the available options for that domain, depending on what tab you are currently using.

Normal mode ADOMs

When creating an ADOM in Normal Mode, the ADOM is considered Read/Write, where you are able to make changes to the ADOM and managed devices from the FortiManager. FortiGate units in the ADOM will query their own configuration every 5 seconds. If there has been a configuration change, the FortiGate unit will send a diff revision on the change to the FortiManager using the FGFM protocol.

Backup mode ADOMs

When creating an ADOM in Backup Mode, the ADOM is considered Read Only, meaning you are not able to make changes to the ADOM and managed devices from the FortiManager. Changes are made via scripts which are run on the managed device, or through the device's Web-based Manager or CLI directly. Revisions are sent to the FortiManager when specific conditions are met:

  • Configuration change and session timeout
  • Configuration change and logout
  • Configuration change and reboot
  • Manual configuration backup from the managed device

Backup mode enables you to configure an ADOM where all the devices that are added to the ADOM will only have their configuration backed up. Configuration changes cannot be made to the devices in a backup ADOM. You can push any existing revisions to managed devices. You can still monitor and review the revision history for these devices, and scripting is still allowed for pushing scripts directly to FortiGate units.

ADOM versions


ADOMs can concurrently manage FortiGate units running both FortiOS v4.3 and v5.0, or v5.0 and v5.2, allowing devices running these versions to share a common database. This allows you to continue to manage an ADOM as normal while upgrading the devices within that ADOM.

Each ADOM is associated with a specific FortiOS version, based on the firmware version of the devices that are in that ADOM. This version is selected when creating a new ADOM (see Adding an ADOM), and can be updated after all of the devices within the ADOM have been updated to the latest FortiOS firmware version.

The general steps for upgrading an ADOM that contains multiple devices running FortiOS v4.3 from v4.3 to v5.0 are as follows:

  1. Make sure that the FortiManager unit is upgraded to a version that supports this feature.
  2. In the ADOM, upgrade one of the FortiGate units to FortiOS v5.0, and then resynchronize the device.
  3. All the ADOM objects, including Policy Packages, remain as v4.3.
  4. Upgrade the rest of the FortiGate units in the ADOM to version 5.0 firmware.
  5. Upgrade the ADOM to v5.0. See Administrative Domains for more information.

All of the database objects will be converted to the v5.0 format, and the Web-based Manager content for the ADOM will change to reflect the v5.0 features and behavior.



Using The Web Based Manager – FortiManager 5.2

Using the Web-based Manager

This section describes general information about using the Web-based Manager to access the Fortinet system from within a current web browser.

This section includes the following topics:

  • System requirements
  • Connecting to the Web-based Manager
  • Web-based Manager overview
  • Configuring Web-based Manager settings
  • Reboot and shutdown of the FortiManager unit

Additional configuration options and short-cuts are available using the right-click menu. Right-click the mouse on different navigation panes on the Web-based Manager page to access these options.

System requirements

Supported web browsers

The following web browsers are supported by FortiManager v5.2.1:

  • Microsoft Internet Explorer version 11
  • Mozilla Firefox version 33
  • Google Chrome version 38

Other web browsers may function correctly, but are not supported by Fortinet. For more information, see the FortiManager Release Notes.

Monitor settings for Web-based Manager access

Fortinet recommends setting your monitor to a screen resolution of 1280×1024. This allows for all the objects in the Web-based Manager to be viewed properly.

Connecting to the Web-based Manager

The FortiManager unit can be configured and managed using the Web-based Manager or the CLI. This section will step you through connecting to the unit via the Web-based Manager.

To connect to the Web-based Manager:

  1. Connect the Port 1 interface of the unit to a management computer using the provided Ethernet cable.
  2. Configure the management computer to be on the same subnet as the internal interface of the FortiManager unit:
    • Browse to Network and Sharing Center > Change Adapter Settings > Local Area Connection Properties > Internet Protocol Version 4 (TCP/IPv4) Properties.
    • Change the IP address of the management computer to 192.168.1.2 and the netmask to 255.255.255.0.
  3. To access the FortiManager unit’s Web-based Manager, start an Internet browser of your choice and browse to https://192.168.1.99.
  4. Type admin in the Name box, leave the Password box blank, and select Login.

You can now proceed with configuring your FortiManager unit.

If the network interfaces have been configured differently during installation, the URL and/or permitted administrative access protocols (such as HTTPS) may no longer be in their default state.

For information on enabling administrative access protocols and configuring IP addresses, see Configuring network interfaces.

Web-based Manager overview

FortiManager v5.2 introduces an improved Web-based Manager layout and tree menu for improved usability. You can now select the ADOM from the drop-down list to view the devices and groups for the specific ADOM. The ADOM selection drop-down list is available in the Device Manager, Policy & Objects, FortiView, Event Management, and Reports tabs.

This section describes the following topics:

  • Viewing the Web-based Manager
  • Using the tab bar

Viewing the Web-based Manager

The four main parts of the FortiManager Web-based Manager are the tree menu, tab bar, ADOM selector and toolbar, and right content pane.

The Web-based Manager includes detailed online help. Selecting Help in the tab bar opens the online help.

The tab bar and content pane information displayed to an administrator vary according to the administrator account settings and access profile that have been configured for that user. To configure administrator profiles, go to System Settings > Admin > Profile. You can configure the administrator profile at both a global and ADOM level with a high degree of granularity in providing read/write, read-only, or restricted permission to various Web-based Manager modules. When defining a new administrator, you can further define which ADOMs and policy packages the administrator can access. For more information about administrator accounts and their permissions, see Admin.

When you log in to the FortiManager unit as the admin administrator, the Web-based Manager opens to the Device Manager tab. You can view all ADOMs in the navigation tree, and ADOM information in the content pane. For more information, see Device Manager.

Using the tab bar

The tab bar is organized into a number of tabs. The available tabs displayed are dependent on the features enabled and the administrator profile settings.

Web-based Manager tabs

Tab Description
Device Manager Add and manage devices, view the device information and status, create and manage device groups and manage firewall global policy objects. From this menu, you can also configure the web portal configurations, users, and groups. In the Menu section, you can configure managed devices locally in the FortiManager Web-based Manager. In the Provisioning Templates section, you can configure System Templates, WiFi Templates, Threat Weight Templates, FortiClient Templates, and Certificate Templates and assign these templates to specific managed FortiGate and FortiCarrier devices. Additional menus are available for scripts and VPN monitor. For more information, see Device Manager.
Policy & Objects Configure policy packages and objects. When Central VPN Console is enabled for the ADOM, you can create VPN topologies and managed/external gateways. For more information, see Policy & Objects.
FortiGuard Configure FortiGuard Center settings, package and query server management, and firmware images. For more information, see FortiGuard Management.
System Settings Configure system settings such as network interfaces, administrators, system time, server settings, and widgets and tabs. From this menu, you can also perform maintenance and firmware operations. For more details on using this menu, see System Settings.
FortiView The following summary views are available: Top Sources, Top Applications, Top Destinations, Top Websites, Top Threats, Top Cloud Applications, Top Cloud Users, System Events, Admin Logins, SSL & Dialup IPsec, Site-Site IPsec, Rogue APs, and Resource Usage. This tab was implemented to match the FortiView implementation in FortiGate. The Log View tab is found in the FortiView tab. View logs for managed devices. You can display, download, import, and delete logs on this page. You can also define Custom Views. This tab can be hidden by disabling the FortiAnalyzer feature set.
Event Management Configure and view events for managed log devices. You can view events by severity or by handler. For more information, see Event Management. This tab can be hidden by disabling the FortiAnalyzer feature set.
Reports Configure report templates, schedules, and output profiles. You can create and test datasets, configure output profiles, and add language support. For more information, see Reports. This tab can be hidden by disabling the FortiAnalyzer feature set.

Configuring Web-based Manager settings

Global settings for the Web-based Manager apply regardless of which administrator account you use to log in. Global settings include the idle timeout, TCP port number on which the Web-based Manager listens for connection attempts, the network interface on which it listens, and the display language.

This section includes the following topics:

  • Changing the Web-based Manager language
  • Administrative access
  • Restricting Web-based Manager access by trusted host
  • Changing the Web-based Manager idle timeout
  • Other security considerations

Changing the Web-based Manager language

The Web-based Manager supports multiple languages; the default language is English. You can change the Web-based Manager to display in English, Simplified Chinese, Traditional Chinese, Japanese, or Korean. For best results, you should select the language that the management computer operating system uses. You can also set the FortiManager Web-based Manager to automatically detect the system language, and by default show the screens in the proper language, if available.

To change the Web-based Manager language:

  1. Go to System Settings > Admin > Admin Settings.
  2. In the Language field, select a language from the drop-down list, or select Auto Detect to use the same language as configured for your web browser.
  3. Select OK.

Administrative access

Administrative access enables an administrator to connect to the FortiManager system to view and change configuration settings. The default configuration of your FortiManager system allows administrative access to one or more of the interfaces of the unit as described in your FortiManager system QuickStart Guide and Install Guide available in the Fortinet Document Library.

Administrative access can be configured in IPv4 or IPv6 and includes the following settings:

  • HTTPS
  • HTTP
  • PING
  • SSH
  • TELNET
  • SNMP
  • Web Service

To change administrative access to your FortiManager system:

  1. Go to System Settings > Network.

Administrative access is configured for port1. To configure administrative access for another interface, select All Interfaces, and then select the interface to edit.

  2. Set the IPv4 IP/Netmask or IPv6 Address.
  3. Select one or more Administrative Access types for the interface.
  4. Select Service Access, FortiGate Updates, and Web Filtering/Antispam if required.
  5. Set the Default Gateway.
  6. Configure the primary and secondary DNS servers.
  7. Select Apply.

In addition to the settings listed earlier, you can enable access on an interface from the All Interfaces window.

Restricting Web-based Manager access by trusted host

To prevent unauthorized access to the Web-based Manager, you can configure administrator accounts with trusted hosts. With trusted hosts configured, the administrator can only log into the Web-based Manager when working on a computer with the trusted host as defined in the administrator account. You can configure up to ten trusted hosts per administrator account. See Administrator for more details.

Changing the Web-based Manager idle timeout

By default, the Web-based Manager disconnects administrative sessions if no activity takes place for five minutes. This idle timeout is recommended to prevent someone from using the Web-based Manager from a PC that is logged into the Web-based Manager and then left unattended.

To change the Web-based Manager idle timeout:

  1. Go to System Settings > Admin > Admin Settings.
  2. Change the Idle Timeout minutes as required (1-480 minutes).
  3. Select Apply.

Other security considerations

Other security considerations for restricting access to the FortiManager Web-based Manager include the following:

  • Configure administrator accounts using a complex passphrase for local accounts.
  • Configure administrator accounts using RADIUS, LDAP, TACACS+, or PKI.
  • Configure the administrator profile to allow read/write permission only where required, and restrict access using read-only or no permission for settings that are not applicable to that administrator.
  • Configure the administrator account to only allow access to specific ADOMs as required.
  • Configure the administrator account to only allow access to specific policy packages as required.

Reboot and shutdown of the FortiManager unit

Always reboot and shutdown the FortiManager system using the unit operation options in the Web-based Manager, or using CLI commands, to avoid potential configuration problems.

To reboot the FortiManager unit:

  1. From the Web-based Manager, go to System Settings > Dashboard.
  2. In the Unit Operation widget select Reboot, or from the CLI Console widget type: execute reboot

To shutdown the FortiManager unit:

  1. From the Web-based Manager, go to System Settings > Dashboard.
  2. In the Unit Operation widget select Shutdown, or from the CLI Console widget type: execute shutdown

 



Fortinet Management Theory

Fortinet Management Theory

FortiManager is an integrated platform for the centralized management of products in a Fortinet security infrastructure. A FortiManager provides centralized policy-based provisioning, configuration and update management for FortiGate (including FortiGate, FortiWiFi, and FortiGate VM), FortiCarrier, FortiSwitch, and FortiSandbox devices.

To reduce network delays and minimize external Internet usage, a FortiManager installation can also act as an on-site FortiGuard Distribution Server (FDS) for your managed devices and FortiClient agents to download updates to their virus and attack signatures, and to use the built-in web filtering and email filter services.

The FortiManager scales to manage up to 5 000 devices and virtual domains (VDOMs) from a single FortiManager interface. It is primarily designed for medium to large enterprises and managed security service providers.

Using a FortiManager device as part of an organization’s Fortinet security infrastructure can help minimize both initial deployment costs and ongoing operating expenses. It allows fast device provisioning, detailed revision tracking, and thorough auditing.

Key features of the FortiManager system

Configuration revision control and tracking

Your FortiManager unit records and maintains the history of all configuration changes made over time. Revisions can be scheduled for deployment or rolled back to a previous configuration when needed.

Centralized management

FortiManager can centrally manage the configurations of multiple devices from a single console. Configurations can then be built in a central repository and deployed to multiple devices when required.

Administrative domains

FortiManager can segregate management of large deployments by grouping devices into geographic or functional ADOMs. See Administrative Domains.

Local FortiGuard service provisioning

A FortiGate device can use the FortiManager unit for antivirus, intrusion prevention, web filtering, and email filtering to optimize performance of rating lookups, and definition and signature downloads. See FortiGuard Management.

Firmware management

FortiManager can centrally manage firmware images and schedule managed devices for upgrade.

 

Scripting

FortiManager supports CLI or Tcl based scripts to simplify configuration deployments. See Scripts.

Logging and reporting

FortiManager can also be used to log traffic from managed devices and generate Structured Query Language (SQL) based reports. FortiManager also integrates FortiAnalyzer logging and reporting features.

Fortinet device life cycle management

The management tasks for devices in a Fortinet security infrastructure follow a typical life cycle:

  • Deployment: An administrator completes configuration of the Fortinet devices in their network after initial installation.
  • Monitoring: The administrator monitors the status and health of devices in the security infrastructure, including resource monitoring and network usage. External threats to your network infrastructure can be monitored and alerts generated to advise.
  • Maintenance: The administrator performs configuration updates as needed to keep devices up-to-date.
  • Upgrading: Virus definitions, attack and data leak prevention signatures, web and email filtering services, and device firmware images are all kept current to provide continuous protection for devices in the security infrastructure.

Inside the FortiManager system

FortiManager is a robust system with multiple layers to allow you to effectively manage your Fortinet security infrastructure.

Device Manager tab

The Device Manager tab contains all ADOMs and devices. You can create new ADOMs and device groups, provision and add devices, and install policy packages and device settings. See Device Manager.

Policy & Objects tab

The Policy & Objects tab contains all of your global and local policy packages and objects that are applicable to all ADOMs, and configuration revisions. See Policy & Objects.

System Settings tab

The System Settings tab enables the configuration of system settings and monitors the operation of your FortiManager unit. See System Settings.

 

Inside the FortiManager device manager tab

Global ADOM layer

The global ADOM layer contains two key pieces: the global object database and all header and footer policies.

Header and footer policies are used to envelop policies within each individual ADOM. These are typically invisible to users and devices in the ADOM layer. An example of where this would be used is in a carrier environment, where the carrier would allow customer traffic to pass through their network but would not allow the customer to have access to the carrier’s network assets.

ADOM layer

The ADOM layer is where the FortiManager manages individual devices or groups of devices. It is inside this layer where policy packages and folders are created, managed and installed on managed devices. Multiple policy packages can be created here, and they can easily be copied to other ADOMs to facilitate configuration or provisioning of new devices on the network. The ADOM layer contains one common object database per ADOM, which contains information such as addresses, services, antivirus and attack definitions, and web filtering and email filter.

Device manager layer

The device manager layer records information on devices that are centrally managed by the FortiManager unit, such as the name and type of device, the specific device model, its IP address, the current firmware installed on the unit, the device’s revision history, and its real-time status.

 

 

