Central VPN Console – FortiManager 5.2

Central VPN Console

When Central VPN Console is selected as the VPN Management option while creating an ADOM, a VPN Console tree menu item appears in the Policy & Objects tab under Policy Package. You will need to enable the Show VPN Console option in System Settings > Admin > Admin Settings. You can create VPN topologies on this page. Once you have configured a VPN topology and gateway, you can configure the related firewall policies, then preview and install them. For more information, see Managing policies.

VPN topology

You can create full meshed, star, and dial up VPN topologies. Once you have created the topology, you can create the VPN gateway.

Create VPN Topology

Configure the following settings:

  • Name: Type a name for the VPN topology.
  • Description: Type an optional description.
  • Topology: Select the topology type from the drop-down list. Select one of:
    • Full Meshed: Each gateway has a tunnel to every other gateway.
    • Star: Each gateway has one tunnel to a central hub gateway.
    • Dial up: Some gateways, often mobile users, have dynamic IP addresses and contact the gateway to establish a tunnel.
  • IKE Profile: Define the IKE Profile. Configure IKE Phase 1, IKE Phase 2, Advanced settings, and Authentication settings.
  • IKE Phase 1: Define the IKE Phase 1 proposal settings.
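As an added illustration (not from the FortiManager guide), the following Python function enumerates the tunnels each topology type implies for a constructed set of gateways, which makes the scaling difference and the dial-up direction constraint concrete; the gateway names and the static-address flag are assumptions.

```python
from itertools import combinations

# Constructed gateway inventory for illustration only. "static" marks a gateway
# with a fixed public IP; a dial-up peer has a dynamic IP and must initiate.
GATEWAYS = {
    "hq-fgt": {"static": True},
    "branch-a": {"static": True},
    "branch-b": {"static": True},
    "mobile-1": {"static": False},
}


def plan_tunnels(gateways, topology, hub=None):
    """Return the tunnels a topology implies as (initiator, responder) pairs.

    Full Meshed: one tunnel per pair of gateways, n*(n-1)/2 in total, so every
    gateway needs a reachable (static) address.
    Star: one tunnel from each spoke to the hub, n-1 in total.
    Dial up: only the dynamic-IP gateways dial in to the hub; the hub cannot
    initiate to them because their address is not known in advance.
    """
    names = sorted(gateways)
    if topology == "Full Meshed":
        dynamic = [n for n in names if not gateways[n]["static"]]
        if dynamic:
            raise ValueError(f"full mesh needs a static IP on every gateway: {dynamic}")
        return list(combinations(names, 2))
    if hub not in gateways:
        raise ValueError("Star and Dial up topologies need a hub gateway")
    if not gateways[hub]["static"]:
        raise ValueError("the hub must have a static IP so peers can reach it")
    if topology == "Star":
        return [(spoke, hub) for spoke in names if spoke != hub]
    if topology == "Dial up":
        return [(peer, hub) for peer in names if not gateways[peer]["static"]]
    raise ValueError(f"unknown topology {topology!r}")
```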

Scripts – FortiManager 5.2

Scripts

Scripts must be set to display before they can be accessed as described in this chapter. Go to System Settings > Admin > Admin Settings and select Show Script from the Display Options on GUI section to make it visible in the Web-based Manager. For more information, see Administrator settings.

Additional configuration options and shortcuts are available using the right-click menu. Right-click the mouse on different navigation panes in the Web-based Manager page to access these options.

FortiManager scripts enable you to create, execute, and view the results of scripts executed on FortiGate devices, policy packages, the ADOM database, the global policy package, or the DB. Scripts can also be filtered based on different device information, such as OS type and platform.

At least one FortiGate device must be configured in the FortiManager system for you to be able to use scripts.

Scripts can be written in one of two formats:

  • A sequence of FortiGate CLI commands, as you would type them at the command line. A comment line starts with the number sign (#). A comment line will not be executed.
  • Tcl scripting commands to provide more functionality to your scripts including global variables and decision structures.

When writing your scripts, it is generally easier to write them in a context-sensitive editor, and then cut and paste them into the script editor on your FortiManager system. This can help avoid syntax errors and can reduce the amount of troubleshooting required for your scripts.

For information about scripting commands, see the FortiGate CLI reference.
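To catch the block-nesting mistakes that pasting a hand-written CLI script tends to introduce, here is an added Python checker (not part of the guide or of FortiManager) that validates config/edit/next/end structure and skips # comment lines before a script is run against a device; the sample script is constructed for the example.

```python
# Constructed example of a FortiGate CLI script as it would be pasted into the
# FortiManager script editor (not taken from the guide). The second "config"
# block is deliberately left without its closing "end" so the checker reports it.
SAMPLE_SCRIPT = """\
# Restrict management access on port1 (comment lines are not executed)
config system interface
    edit "port1"
        set allowaccess https ssh ping
    next
end
config system global
    set admin-https-redirect enable
"""


def check_cli_script(text):
    """Check config/edit/next/end nesting of a FortiGate CLI script.

    Returns a list of (line_number, message); an empty list means every
    'config' is closed by 'end' and every 'edit' by 'next' (an 'end' also
    closes an entry still open under it). Comment and blank lines are skipped,
    and commands other than the block keywords are not interpreted.
    """
    stack = []        # open blocks, innermost last: (keyword, line_number)
    problems = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        word = line.split()[0]
        if word == "config":
            stack.append(("config", lineno))
        elif word == "edit":
            if not stack or stack[-1][0] != "config":
                problems.append((lineno, "'edit' is only valid directly inside a config block"))
            stack.append(("edit", lineno))
        elif word == "next":
            if stack and stack[-1][0] == "edit":
                stack.pop()
            else:
                problems.append((lineno, "'next' without an open edit entry"))
        elif word == "end":
            while stack and stack[-1][0] == "edit":
                stack.pop()           # 'end' implicitly closes the open entry
            if stack and stack[-1][0] == "config":
                stack.pop()
            else:
                problems.append((lineno, "'end' without an open config block"))
        elif word in ("set", "unset", "append") and not stack:
            problems.append((lineno, f"'{word}' outside a config block"))
    for kind, lineno in stack:
        problems.append((lineno, f"'{kind}' opened here is never closed"))
    return problems
```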

Configuring scripts

To configure, import, export, or run scripts, go to the Device Manager tab, expand an ADOM view in the tree menu, and then select Scripts > Script. To configure script groups, go to Scripts > CLI Script Group. The script list for the selected ADOM will be displayed.

Script list

The following information is displayed:

  • Name: The user-defined script name.
  • Type: The script type.
  • Target: The script target. One of the following:
    • Device Database
    • Policy Package, ADOM Database
    • Remote FortiGate Directly (via CLI)
  • Comments: User-defined comment for the script.
  • Last Modified: The date and time that the script was last modified.

The following options are available:

  • Create New: Select to create a new script.
  • Import: Select to import a script from your management computer. Type a name and description, select Tcl type if applicable, and browse for the file on your management computer. Select Submit to import the script to FortiManager.
  • Run: Select a script in the table, right-click, and select Run in the menu to run the script against the selected target. When running a script against a policy package, select the policy package from the drop-down list in the dialog window. When running a script against a device or database, select the device in the tree menu in the dialog window.
  • New: Select a script in the table, right-click, and select New in the menu to create a new script.
  • Edit: Select a script in the table, right-click, and select Edit in the menu to edit the selected script.
  • Clone: Select a script in the table, right-click, and select Clone in the menu to clone the selected script.
  • Delete: Select a script in the table, right-click, and select Delete in the menu to delete the selected script.
  • Export: Select a script in the table, right-click, and select Export in the menu to export the script as a .txt file to your management computer.
  • Select All: Select Select All in the right-click menu to select all scripts in the table, then select Delete to delete all selected scripts.
  • Search: Search the scripts by typing a search term in the search field.

Restricted Administrator Profiles – FortiManager 5.2

Restricted Administrator Profiles

In v5.2.0 or later, you can configure restricted administrator profiles. The restricted profile is used by the restricted administrator account. You can use restricted administrator accounts to provide delegated management of Web Filter profiles, Application Sensors, and Intrusion Protection System (IPS) Sensors for a specific ADOM. These restricted administrators can view, edit, and install changes to their ADOM.

To create a custom restricted administrator profile:

  1. Go to System Settings > Admin > Profile and select Create New in the toolbar. The Create Profile dialog box appears.

Create new administrator profile

  2. Configure the following settings:
    • Profile Name: Type a name for this profile.
    • Description: Type a description for this profile. While not a requirement, a description can help to identify what the profile is for or the levels it is set to.
    • Type: Select Restricted Admin.
    • Permission: Select to enable permission.
    • Web Filter Profile: Select to enable the web filter profile permission.
    • Application Sensor: Select to enable the application sensor permission.
    • IPS Sensor: Select to enable the IPS sensor permission.
  3. Select OK to save the new restricted administrator profile.

Restricted administrator accounts

Once you have configured the new restricted administrator profile, you can create a new restricted administrator account and apply the profile to the administrator account.

To create a new restricted administrator account:

  1. Go to System Settings > Admin > Administrator and select Create New in the toolbar. The New Administrator page is displayed.

Creating a new administrator account

  2. Configure the following settings:
    • User Name: Type the name that this administrator uses to log in. This field is available if you are creating a new administrator account.
    • Description: Optionally, type a description of this administrator's role, location or reason for their account. This field adds an easy reference for the administrator account. (Character limit = 127)

Administration Guide                                                                                                                                       155

Fortinet Technologies Inc.

    • Type: Select the type of authentication the administrator will use when logging into the device. Select one of the following: LOCAL, RADIUS, LDAP, TACACS+, or PKI.
    • RADIUS Server: Select the RADIUS server from the drop-down menu. This field is only available when Type is set to RADIUS.
    • LDAP Server: Select the LDAP server from the drop-down menu. This field is only available when Type is set to LDAP.
    • TACACS+ Server: Select the TACACS+ server from the drop-down menu. This field is only available when Type is set to TACACS+.
    • Wildcard: Select to enable wildcard. This field is only available when Type is set to RADIUS, LDAP, or TACACS+.
    • Subject: Type a comment in the subject field for the PKI administrator. This field is only available when Type is set to PKI.
    • CA: Select the CA from the drop-down menu. This field is only available when Type is set to PKI.
    • Require two-factor authentication: Select to enable two-factor authentication. This field is only available when Type is set to PKI.
    • New Password: Type the password. This field is only available when Type is set to LOCAL, RADIUS, LDAP, TACACS+, or PKI.
    • Confirm Password: Type the password again to confirm it. The passwords must match. This field is only available when Type is set to LOCAL, RADIUS, LDAP, TACACS+, or PKI.
    • Admin Profile: Select a restricted administrator profile from the drop-down menu. The profile selected determines the administrator's access to the FortiManager unit's features. To create a new profile, see To create a custom restricted administrator profile.
    • Administrative Domain: Choose the ADOMs this administrator will be able to access. This field is only available if ADOMs are enabled.
    • Web Filter Profile: Select the web filter profile that the administrator will have access to. Select the add icon to add multiple Web Filter profiles.
    • Application Sensor: Select the Application Sensor that the administrator will have access to. Select the add icon to add multiple Application Sensors.
    • IPS Sensor: Select the IPS Sensor that the administrator will have access to. Select the add icon to add multiple IPS Sensors.

    • Trusted Host: Optionally, type the trusted host IPv4 or IPv6 address and netmask that the administrator can log in to the FortiManager unit from. Select the add icon to add trusted hosts. You can specify up to ten trusted hosts. Setting trusted hosts for all of your administrators can enhance the security of your system. For more information, see Using trusted hosts.
    • User Information (optional):
      • Contact Email: Type a contact email address for the new administrator. This email address is also used for workflow session approval email notifications.
      • Contact Phone: Type a contact phone number for the new administrator.
  3. Select OK to create the new restricted administrator account.
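The trusted-host setting above is only a restriction when the entries actually narrow the source address, so here is an added Python audit (not from the guide or from FortiManager) that flags accounts with no trusted hosts, catch-all entries, malformed entries, or more than the ten allowed; the account names and entries are constructed.

```python
import ipaddress

# Constructed administrator inventory for illustration; the guide only describes
# the Trusted Host field (IPv4 or IPv6 address plus netmask, up to ten per account).
ADMINS = {
    "noc-restricted": ["10.20.0.0 255.255.255.0", "2001:db8:1::/64"],
    "contractor": ["0.0.0.0 0.0.0.0"],
    "wf-approver": [],
}

# A trusted host covering the whole address space restricts nothing.
ANY_HOST = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}
MAX_TRUSTED_HOSTS = 10


def parse_trusted_host(entry):
    """Parse 'address netmask' (as typed in the GUI) or CIDR into an ip_network.

    Raises ValueError for anything that is not a valid address and mask.
    """
    parts = entry.split()
    if len(parts) == 2:
        entry = "/".join(parts)          # ipaddress accepts 'address/netmask'
    elif len(parts) != 1:
        raise ValueError(f"bad trusted host {entry!r}")
    return ipaddress.ip_network(entry, strict=False)


def audit_trusted_hosts(admins):
    """Return {admin_name: [finding, ...]} for accounts whose trusted-host list
    does not really restrict where they can log in from. Accounts with a sound
    list are omitted from the result."""
    findings = {}
    for name, entries in admins.items():
        notes = []
        if not entries:
            notes.append("no trusted hosts: login is allowed from any address")
        if len(entries) > MAX_TRUSTED_HOSTS:
            notes.append(f"{len(entries)} entries exceeds the limit of {MAX_TRUSTED_HOSTS}")
        for entry in entries:
            try:
                net = parse_trusted_host(entry)
            except ValueError:
                notes.append(f"unparsable entry {entry!r}")
                continue
            if net in ANY_HOST:
                notes.append(f"{entry!r} matches every address, equivalent to no restriction")
        if notes:
            findings[name] = notes
    return findings
```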

FortiManager portal

When the restricted administrator logs into the FortiManager, they have access to the security profiles that are configured for the account.

Restricted administrator portal

The following options are available:

  • Install icon: Select to install changes to the ADOM.


  • Change Password icon: Select the change password icon in the toolbar to change your account password. A Change Password dialog box is displayed. Type your old password, the new password, confirm the password, and select OK to save the new password. This option must be enabled via the CLI.
  • Help icon: Select the help icon in the toolbar to load the FortiManager online help. The online help will be loaded in a new browser window.
  • Log Out icon: Select the log out icon to log out of FortiManager.
  • Web Filter Profile: When the Web Filter Profile permission is enabled in the restricted administrator profile, this menu will be displayed. The Web Filter Profile selected in the restricted administrator account will be listed. For information on configuring the Web Filter profile, see the FortiOS documentation for the firmware version of the ADOM. The options will vary based on the ADOM version.
  • IPS Sensor: When the IPS Sensor permission is enabled in the restricted administrator profile, this menu will be displayed. The IPS Sensor selected in the restricted administrator account will be listed. For information on configuring the IPS sensor, see the FortiOS documentation for the firmware version of the ADOM. The options will vary based on the ADOM version.
  • Application Sensor: When the Application Sensor permission is enabled in the restricted administrator profile, this menu will be displayed. The application sensor selected in the restricted administrator account will be listed. For information on configuring the Application Sensor, see the FortiOS documentation for the firmware version of the ADOM. The options will vary based on the ADOM version.

To enable the restricted user to change their own password:

Log into the device command line interface and enter the following CLI command:

config system admin profile
    edit <restricted_admin_profile>
        set change-password enable
end

When the restricted administrator logs into their ADOM, the change password icon is displayed in the toolbar.

Workflow Mode – FortiManager 5.2

Workflow Mode

Workflow mode is a new global mode to define approval or notification workflow when creating and installing policy or object changes. Workflow mode is enabled via the CLI only. When workflow mode is enabled, an administrator with the appropriate workflow permissions will be able to approve or reject workflow sessions before they are implemented to the database.

When you want to start a workflow, go to the Policy & Objects tab, select the ADOM from the drop-down list, lock the ADOM, and select the Create New Session button. You can then proceed to make changes to policies and objects. When you are done making changes, select the Save button and then the Submit button. Once the session is submitted, the lock is released and other administrators may initiate a session.

The session list allows users to view any pending requests for approval or active sessions. It displays details of each session and allows you to browse the changes made in the selected session.

Enable or disable workflow mode

You can enable or disable workflow mode from the CLI only.

To enable or disable workflow mode:

  1. Select the System Settings tab in the navigation pane.
  2. Go to System Settings > Dashboard.
  3. In the CLI Console widget, type the following CLI command lines:

config system global
    set workspace-mode {workflow | disabled}
end

  4. The FortiManager session will end and you must log back into the FortiManager system.

When workspace-mode is workflow, the Device Manager tab and Policy & Objects tab are read-only. You must lock the ADOM to create a new workflow session.

Optionally, you can select to enable or disable ADOM lock override. When this feature is enabled, an administrator can select to unlock an ADOM that is locked by another administrator.

To enable or disable ADOM lock override:

  1. Select the System Settings tab in the navigation pane.
  2. Go to System Settings > Dashboard.
  3. In the CLI Console widget, type the following CLI command lines:

config system global
    set lock-preempt {enable | disable}
end

Workflow sessions

When you want to start a workflow, go to the Policy & Objects tab, select the ADOM from the drop-down list, lock the ADOM, and select the Create New Session button in the Session List dialog box. Type a name for the session and select OK. You can then proceed to make changes to policy packages and objects. When you are done making changes, select the Save button and then the Submit button in the toolbar. In the Submit for Approval dialog box, type a comment and the notification email. Once the session is submitted, the lock is released and other administrators may initiate a session.

Administrators with the appropriate permissions can approve or reject any pending requests. When viewing the session list, they can choose any pending session, click the Approve or Reject button, and add a note to the response. The system sends a notification to the administrator who submitted the session. If the session was approved, no further action is required. If it was rejected, that administrator must log on and repair their changes: once they create a new session, they make the repair on top of the last session's changes.

To start a workflow session:

  1. Select the Policy & Objects tab in the navigation pane.
  2. Select the ADOM from the drop-down list.
  3. Select Lock ADOM in the toolbar. The lock icon changes to a locked state and the Session List window is displayed.
  4. Select the Create New Session button, type a name for the new session, type optional comments, and select OK to start the session.
  5. Make the required changes to the Policy Package and Objects and select Sessions > Submit in the toolbar to submit the changes for approval. The Submit for Approval dialog box is displayed. Enter the following:
    • Comments: Type a comment for the session.
    • Attach configuration change details: Select to attach configuration change details to the email.
  6. Select OK to submit the session for approval.

The session is submitted for approval, an email is sent to the approver, and the ADOM is returned to an unlocked state. An ADOM revision is created for the workflow session.

To approve, reject, or repair a workflow session:

  1. Select the Policy & Objects tab in the navigation pane.
  2. Select the ADOM from the drop-down list.
  3. Select Lock ADOM in the toolbar. The lock icon changes to a locked state and the Session List window is displayed. Alternatively, select Sessions > Session List from the toolbar.

The following information is displayed:

  • ID: The session identifier.
  • Status: The session status. One of the following:
    • Waiting Approval: The session is waiting to be reviewed and approved.
    • Approved: The workflow session was approved by the approver.
    • Rejected: The workflow session was rejected by the approver.
    • Repaired: The rejected workflow session was repaired. When a rejected session is repaired, a new session ID is created for this repaired session.
  • Name: The user-defined name to identify the session.
  • User: The name of the administrator who created the session.
  • Date Submitted: The date and time that the session was submitted for approval.
  • Comments: Select a policy in the list to view or add comments to the session. The comments box displays comments from the session creator. The session approver can add comments.
  • Create New Session: Select to create a new workflow session.
  • Continue Without Session: Select to continue without starting a new session. When a new session is not started, all policies and objects are read-only.

Right-clicking on a session in the list opens a pop-up menu with the following options:

  • Approve: Select Approve when the session status is Waiting Approval.
  • Reject: Select Reject when the session status is Waiting Approval. A rejected session must be repaired before the next session in the list can be approved.
  • Repair: Select Repair when the session status is Rejected. A repaired session results in a new session being created for the repair. This session is added after the last session in the list.
  • View Diff: Select View Diff to view the difference between the two revisions. You can select to download the revision in a CSV file to your management computer.

  4. Select Approve, Reject, Repair, or View Diff.
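As an added model (not FortiManager code) of the session-list rules described in this section, the following Python class applies them to constructed sessions: a rejected session blocks approval of the sessions after it until it is repaired, and a repair appears as a new session with a new ID after the last one; the session names and user names are constructed.

```python
from dataclasses import dataclass, field
from itertools import count

WAITING, APPROVED, REJECTED, REPAIRED = "Waiting Approval", "Approved", "Rejected", "Repaired"


@dataclass
class Session:
    id: int
    name: str
    user: str
    status: str = WAITING
    comments: list = field(default_factory=list)   # (author, text) pairs


class SessionList:
    """Model of the session-list rules the guide describes (not FortiManager code):
    a rejected session blocks approval of the sessions after it until it is
    repaired, and a repair is a new session with a new ID added after the last one.
    """

    def __init__(self):
        self._ids = count(1)
        self.sessions = []

    def submit(self, name, user, comment=""):
        session = Session(next(self._ids), name, user)
        if comment:
            session.comments.append((user, comment))
        self.sessions.append(session)
        return session

    def _get(self, session_id):
        for session in self.sessions:
            if session.id == session_id:
                return session
        raise KeyError(f"no session {session_id}")

    def _require(self, session, status):
        if session.status != status:
            raise ValueError(f"session {session.id} is {session.status}, not {status}")

    def approve(self, session_id, approver, note=""):
        session = self._get(session_id)
        self._require(session, WAITING)
        for earlier in self.sessions:          # list order is submission order
            if earlier is session:
                break
            if earlier.status == REJECTED:
                raise ValueError(f"session {earlier.id} was rejected and must be repaired first")
        session.status = APPROVED
        if note:
            session.comments.append((approver, note))
        return session

    def reject(self, session_id, approver, note=""):
        session = self._get(session_id)
        self._require(session, WAITING)
        session.status = REJECTED
        if note:
            session.comments.append((approver, note))
        return session

    def repair(self, session_id, user):
        """Mark a rejected session Repaired and open the replacement session."""
        session = self._get(session_id)
        self._require(session, REJECTED)
        session.status = REPAIRED
        return self.submit(f"{session.name} (repair of #{session.id})", user)

    def statuses(self):
        return [(s.id, s.status) for s in self.sessions]
```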

Administrative Domains – FortiManager 5.2

Administrative Domains

FortiManager appliances scale to manage thousands of Fortinet devices. Administrative domains (ADOMs) enable administrators to manage only those devices that are specific to their geographic location or business division. FortiGate devices with multiple VDOMs can be divided among multiple ADOMs.

If ADOMs are enabled, each administrator account is tied to an ADOM. When a particular administrator logs in, they see only those devices or VDOMs that have been enabled for their account. Administrator accounts that have special permissions, such as the admin account, can see and maintain all ADOMs and the devices within those domains.

ADOMs are not enabled by default, and enabling and configuring the domains can only be performed by the admin administrator. For more information, see Enabling and disabling the ADOM feature.

The maximum number of ADOMs you can add depends on the FortiManager system model. Please refer to the FortiManager data sheet for information on the maximum number of devices that your model supports.

This section includes the following topics:

  • Enabling and disabling the ADOM feature
  • ADOM modes
  • ADOM versions
  • Managing ADOMs

What is the best way to organize my devices using ADOMs?

You can organize devices into ADOMs to allow you to better manage these devices. You can organize these devices by:

  • Firmware version: group all devices with the same firmware version into an ADOM.
  • Geographic regions: group all devices for a specific geographic region into an ADOM, and devices for a different region into another ADOM.
  • Administrative users: group devices into separate ADOMs based on the administrators responsible for each group of devices.
  • Customers: group all devices for one customer into an ADOM, and devices for another customer into another ADOM.

Enabling and disabling the ADOM feature

To enable or disable the ADOM feature, you must be logged in as the admin administrator. Only this user has the ability to enable or disable this feature.

To enable the ADOM feature:

  1. Log in as admin.
  2. Go to System Settings > Dashboard.
  3. In the system information widget, select Enable next to Administrative Domain.

Enabling ADOMs

To disable the ADOM feature:

  1. Remove all the managed devices from all ADOMs.
  2. Delete all non-root ADOMs, by right-clicking on the ADOM in the tree menu in the Device Manager tab and selecting Delete from the pop-up menu.

After removing the ADOMs, you can now disable the ADOM feature.

  3. Go to System Settings > Dashboard.
  4. In the system information widget, select Disable next to Administrative Domain.

ADOM modes

When the ADOMs feature is enabled and you log in as the admin user, all the available ADOMs will be listed in the tree menus on different tabs.

In the Policy & Objects tab, a menu bar allows you to select either Global or a specific ADOM from the drop-down list. Selecting Global or a specific ADOM then displays the policy packages and objects appropriate for your selection.

Switching between ADOMs

As an admin administrator, you are able to move between all the ADOMs created on the FortiManager system. This enables you to view, configure and manage the various domains.

Other administrators are only able to move between the ADOMs to which they have been given permission. They are able to view and administer the domains based on their account's permission settings.

To access a specific ADOM, simply select that ADOM in the tree menu. The FortiManager system presents you with the available options for that domain, depending on what tab you are currently using.

Normal mode ADOMs

When creating an ADOM in Normal Mode, the ADOM is considered Read/Write, where you are able to make changes to the ADOM and managed devices from the FortiManager. FortiGate units in the ADOM will query their own configuration every 5 seconds. If there has been a configuration change, the FortiGate unit will send a diff revision on the change to the FortiManager using the FGFM protocol.

Backup mode ADOMs

When creating an ADOM in Backup Mode, the ADOM is considered Read Only, where you are not able to make changes to the ADOM and managed devices from the FortiManager. Changes are made via scripts which are run on the managed device, or through the device's Web-based Manager or CLI directly. Revisions are sent to the FortiManager when specific conditions are met:

  • Configuration change and session timeout
  • Configuration change and logout
  • Configuration change and reboot
  • Manual configuration backup from the managed device

Backup mode enables you to configure an ADOM where all the devices that are added to the ADOM will only have their configuration backed up. Configuration changes cannot be made to the devices in a backup ADOM. You can push any existing revisions to managed devices. You can still monitor and review the revision history for these devices, and scripting is still allowed for pushing scripts directly to FortiGate units.

ADOM versions

ADOMs can concurrently manage FortiGate units running both FortiOS v4.3 and v5.0, or v5.0 and v5.2, allowing devices running these versions to share a common database. This allows you to continue to manage an ADOM as normal while upgrading the devices within that ADOM.

Each ADOM is associated with a specific FortiOS version, based on the firmware version of the devices that are in that ADOM. This version is selected when creating a new ADOM (see Adding an ADOM), and can be updated after all of the devices within the ADOM have been updated to the latest FortiOS firmware version.

The general steps for upgrading an ADOM that contains multiple devices running FortiOS v4.3 from v4.3 to v5.0 are as follows:

  1. Make sure that the FortiManager unit is upgraded to a version that supports this feature.
  2. In the ADOM, upgrade one of the FortiGate units to FortiOS v5.0, and then resynchronize the device.
  3. All the ADOM objects, including Policy Packages, remain as v4.3.
  4. Upgrade the rest of the FortiGate units in the ADOM to version 5.0 firmware.
  5. Upgrade the ADOM to v5.0. See “Administrative Domains” on page 40 for more information.

All of the database objects will be converted to the v5.0 format, and the Web-based Manager content for the ADOM will change to reflect the v5.0 features and behavior.

Using The Web Based Manager – FortiManager 5.2

Using the Web-based Manager

This section describes general information about using the Web-based Manager to access the Fortinet system from within a current web browser.

This section includes the following topics:

  • System requirements
  • Connecting to the Web-based Manager
  • Web-based Manager overview
  • Configuring Web-based Manager settings
  • Reboot and shutdown of the FortiManager unit

Additional configuration options and shortcuts are available using the right-click menu. Right-click the mouse on different navigation panes on the Web-based Manager page to access these options.

System requirements

Supported web browsers

The following web browsers are supported by FortiManager v5.2.1:

  • Microsoft Internet Explorer version 11
  • Mozilla Firefox version 33
  • Google Chrome version 38

Other web browsers may function correctly, but are not supported by Fortinet. For more information, see the FortiManager Release Notes.

Monitor settings for Web-based Manager access

Fortinet recommends setting your monitor to a screen resolution of 1280×1024. This allows for all the objects in the Web-based Manager to be viewed properly.

Connecting to the Web-based Manager

The FortiManager unit can be configured and managed using the Web-based Manager or the CLI. This section will step you through connecting to the unit via the Web-based Manager.

To connect to the Web-based Manager:

  1. Connect the Port 1 interface of the unit to a management computer using the provided Ethernet cable.
  2. Configure the management computer to be on the same subnet as the internal interface of the FortiManager unit:
    • Browse to Network and Sharing Center > Change Adapter Settings > Local Area Connection Properties > Internet Protocol Version 4 (TCP/IPv4) Properties.
    • Change the IP address of the management computer to 192.168.1.2 and the netmask to 255.255.255.0.
  3. To access the FortiManager unit's Web-based Manager, start an Internet browser of your choice and browse to https://192.168.1.99.
  4. Type admin in the Name box, leave the Password box blank, and select Login.

You can now proceed with configuring your FortiManager unit.

If the network interfaces have been configured differently during installation, the URL and/or permitted administrative access protocols (such as HTTPS) may no longer be in their default state.

For information on enabling administrative access protocols and configuring IP addresses, see Configuring network interfaces.

Web-based Manager overview

FortiManager v5.2 introduces an improved Web-based Manager layout and tree menu for improved usability. You can now select the ADOM from the drop-down list to view the devices and groups for the specific ADOM. The ADOM selection drop-down list is available in the Device Manager, Policy & Objects, FortiView, Event Management, and Reports tabs.

This section describes the following topics:

  • Viewing the Web-based Manager
  • Using the tab bar

Viewing the Web-based Manager

The four main parts of the FortiManager Web-based Manager are the tree menu, tab bar, ADOM selector and toolbar, and right content pane.

The Web-based Manager includes detailed online help. Selecting Help in the tab bar opens the online help.

The tab bar and content pane information displayed to an administrator vary according to the administrator account settings and access profile that have been configured for that user. To configure administrator profiles, go to System Settings > Admin > Profile. You can configure the administrator profile at both a global and ADOM level with a high degree of granularity, providing read/write, read-only, or restricted permission to various Web-based Manager modules. When defining a new administrator, you can further define which ADOMs and policy packages the administrator can access. For more information about administrator accounts and their permissions, see Admin.

When you log in to the FortiManager unit as the admin administrator, the Web-based Manager opens to the Device Manager tab. You can view all ADOMs in the navigation tree, and ADOM information in the content pane. For more information, see Device Manager.

Using the tab bar

The tab bar is organized into a number of tabs. The available tabs displayed are dependent on the features enabled and the administrator profile settings.

Web-based Manager tabs

Tab Description
Device Manager Add and manage devices, view the device information and status, create and manage device groups and manage firewall global policy objects. From this menu, you can also configure the web portal configurations, users, and groups. In the Menu section, you can configure managed devices locally in the FortiManager Web-based Manager. In the Provisioning Templates section, you can configure System Templates, WiFi Templates, Threat Weight Templates, FortiClient Templates, and Certificate Templates and assign these templates to specific managed FortiGate and FortiCarrier devices. Additional menus are available for scripts and VPN monitor. For more information, see Device Manager.
Policy & Objects Configure policy packages and objects. When Central VPN Console is enabled for the ADOM, you can create VPN topologies and managed/external gateways. For more information, see Policy & Objects.
FortiGuard Configure FortiGuard Center settings, package and query server management, and firmware images. For more information, see FortiGuard Management.
System Settings Configure system settings such as network interfaces, administrators, system time, server settings, and widgets and tabs. From this menu, you can also perform maintenance and firmware operations. For more details on using this menu, see System Settings.
FortiView The following summary views are available: Top Sources, Top Applications, Top Destinations, Top Websites, Top Threats, Top Cloud Applications, Top Cloud Users, System Events, Admin Logins, SSL & Dialup IPsec, Site-Site IPsec, Rogue APs, and Resource Usage. This tab was implemented to match the FortiView implementation in FortiGate.

The Log View tab is found in the FortiView tab. View logs for managed devices. You can display, download, import, and delete logs on this page.

You can also define Custom Views.

This tab can be hidden by disabling the FortiAnalyzer feature set.

Event Management Configure and view events for managed log devices. You can view events by severity or by handler. For more information, see Event Management.

This tab can be hidden by disabling the FortiAnalyzer feature set.

Reports Configure report templates, schedules, and output profiles. You can create and test datasets, configure output profiles, and add language support. For more information, see Reports.

This tab can be hidden by disabling the FortiAnalyzer feature set.

Configuring Web-based Manager settings

Global settings for the Web-based Manager apply regardless of which administrator account you use to log in. Global settings include the idle timeout, TCP port number on which the Web-based Manager listens for connection attempts, the network interface on which it listens, and the display language.

This section includes the following topics:

  • Changing the Web-based Manager language
  • Administrative access
  • Restricting Web-based Manager access by trusted host
  • Changing the Web-based Manager idle timeout
  • Other security considerations


Changing the Web-based Manager language

The Web-based Manager supports multiple languages; the default language is English. You can change the Web-based Manager to display in English, Simplified Chinese, Traditional Chinese, Japanese, or Korean. For best results, you should select the language that the management computer operating system uses. You can also set the FortiManager Web-based Manager to automatically detect the system language, and by default show the screens in the proper language, if available.

To change the Web-based Manager language:

  1. Go to System Settings > Admin > Admin Settings.
  2. In the Language field, select a language from the drop-down list, or select Auto Detect to use the same language as configured for your web browser.
  3. Select OK.

Administrative access

Administrative access enables an administrator to connect to the FortiManager system to view and change configuration settings. The default configuration of your FortiManager system allows administrative access to one or more of the interfaces of the unit as described in your FortiManager system QuickStart Guide and Install Guide available in the Fortinet Document Library.

Administrative access can be configured in IPv4 or IPv6 and includes the following settings:

  • HTTPS
  • HTTP
  • PING
  • SSH
  • TELNET
  • SNMP
  • Web Service

To change administrative access to your FortiManager system:

  1. Go to System Settings > Network.

Administrative access is configured for port1. To configure administrative access for another interface, select All Interfaces, and then select the interface to edit.

  2. Set the IPv4 IP/Netmask or IPv6 Address.
  3. Select one or more Administrative Access types for the interface.
  4. Select Service Access, FortiGate Updates, and Web Filtering/Antispam if required.
  5. Set the Default Gateway.
  6. Configure the primary and secondary DNS servers.
  7. Select Apply.

In addition to the settings listed earlier, you can enable access on an interface from the All Interfaces window.

Restricting Web-based Manager access by trusted host

To prevent unauthorized access to the Web-based Manager you can configure administrator accounts with trusted hosts. With trusted hosts configured, the administrator user can only log into the Web-based Manager when working on a computer with the trusted host as defined in the administrator account. You can configure up to ten trusted hosts per administrator account. See Administrator for more details.

Changing the Web-based Manager idle timeout

By default, the Web-based Manager disconnects administrative sessions if no activity takes place for five minutes. This idle timeout is recommended to prevent someone from using the Web-based Manager from a PC that is logged into the Web-based Manager and then left unattended.

To change the Web-based Manager idle timeout:

  1. Go to System Settings > Admin > Admin Settings.
  2. Change the Idle Timeout minutes as required (1-480 minutes).
  3. Select Apply.

Other security considerations

Other security considerations for restricting access to the FortiManager Web-based Manager include the following:

  • Configure administrator accounts using a complex passphrase for local accounts
  • Configure administrator accounts using RADIUS, LDAP, TACACS+, or PKI
  • Configure the administrator profile to only allow read/write permission as required and restrict access using read-only or no permission to settings which are not applicable to that administrator
  • Configure the administrator account to only allow access to specific ADOMs as required
  • Configure the administrator account to only allow access to specific policy packages as required
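The trusted-host rule and the hardening points above are easy to state but easy to get subtly wrong (an IPv4 source can never match an IPv6 trusted host, an account with no trusted hosts accepts logins from anywhere). The following Python model, added here as an example and not FortiManager code, implements the trusted-host check for an account with up to ten IPv4/IPv6 networks and audits constructed sample accounts against the recommendations in this section. The AdminAccount fields, the module names and the sample accounts are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

MAX_TRUSTED_HOSTS = 10  # the guide allows up to ten trusted hosts per account


@dataclass
class AdminAccount:
    """Hypothetical model of the account fields this section refers to."""
    name: str
    auth_type: str                       # "local", "radius", "ldap", "tacacs+" or "pki"
    trusted_hosts: List[str] = field(default_factory=list)      # CIDR notation
    adoms: Optional[List[str]] = None    # None models "all ADOMs" (assumption)
    readwrite_modules: List[str] = field(default_factory=list)  # modules with read/write

    def __post_init__(self):
        if len(self.trusted_hosts) > MAX_TRUSTED_HOSTS:
            raise ValueError(f"{self.name}: at most {MAX_TRUSTED_HOSTS} trusted hosts")
        # strict=False accepts a host address with a mask, e.g. 10.1.2.3/24
        self.networks = [ipaddress.ip_network(h, strict=False) for h in self.trusted_hosts]


def login_allowed(account: AdminAccount, source_ip: str) -> bool:
    """Trusted-host check: no trusted hosts means any source is accepted;
    otherwise the source must fall inside a configured network of the same IP version."""
    src = ipaddress.ip_address(source_ip)
    if not account.networks:
        return True
    return any(src.version == net.version and src in net for net in account.networks)


def audit_account(account: AdminAccount, all_modules: List[str]) -> List[str]:
    """Return the recommendations from this section that the account does not meet."""
    findings = []
    if not account.trusted_hosts:
        findings.append("no trusted hosts: login accepted from any source address")
    if account.auth_type == "local":
        findings.append("local account: use RADIUS, LDAP, TACACS+ or PKI where possible")
    if account.adoms is None:
        findings.append("unrestricted ADOM access: limit the account to the ADOMs it needs")
    if set(account.readwrite_modules) == set(all_modules):
        findings.append("read/write on every module: use read-only or none where not needed")
    return findings


# Constructed sample data (not from any real system)
MODULES = ["device_manager", "policy_objects", "fortiguard", "system_settings"]
HELPDESK = AdminAccount("helpdesk", "radius",
                        trusted_hosts=["10.0.10.0/24", "2001:db8:10::/64"],
                        adoms=["branch"], readwrite_modules=["device_manager"])
SUPERUSER = AdminAccount("legacy-admin", "local", readwrite_modules=MODULES)

if __name__ == "__main__":
    for acct in (HELPDESK, SUPERUSER):
        print(acct.name, "login from 10.0.10.77:", login_allowed(acct, "10.0.10.77"))
        for finding in audit_account(acct, MODULES):
            print("  -", finding)
```

Run as a script it prints, for each sample account, whether a login from 10.0.10.77 would pass the trusted-host check and which of the hardening points the account misses; the legacy local account with no trusted hosts, all ADOMs and read/write everywhere collects all four findings.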

Reboot and shutdown of the FortiManager unit

Always reboot and shutdown the FortiManager system using the unit operation options in the Web-based Manager, or using CLI commands, to avoid potential configuration problems.

To reboot the FortiManager unit:

  1. From the Web-based Manager, go to System Settings > Dashboard.
  2. In the Unit Operation widget select Reboot, or from the CLI Console widget type: execute reboot

To shutdown the FortiManager unit:

  1. From the Web-based Manager, go to System Settings > Dashboard.
  2. In the Unit Operation widget select Shutdown, or from the CLI Console widget type: execute shutdown


What’s New In FortiManager version 5.2

What’s New in FortiManager version 5.2

FortiManager version 5.2 includes the following new features and enhancements. Always review all sections in the FortiManager Release Notes prior to upgrading your device.

FortiManager version 5.2.1

FortiManager version 5.2.1 includes the following new features and enhancements.

  • Toolbar buttons for the Policy section.
  • Install for admin with Restricted profile.
  • Approval matrix for Workflow.
  • IPv6 support for FG-FM connections.
  • Unify JSON APIs with XML APIs.
  • Added version to JSON APIs for Policy Package & Objects.
  • Common ADOM version for FortiOS v5.0 and v5.2.
  • A message is displayed when the database is upgrading or rebuilding. The message contains the estimated time to complete the action.
  • Optional dynamic VIP default values.

FortiManager version 5.2.0

FortiManager version 5.2.0 includes the following new features and enhancements.

Workflow mode

Workflow mode is a new global mode to define approval or notification workflow when creating and installing policy changes. Workflow mode is enabled via the CLI only. When workflow mode is enabled, the admin will have a new option in the admin profile page to approve/reject workflow requests.

Administrators with the appropriate permissions can approve or reject any pending requests. When viewing the session list, they can choose any session that is pending and click the approve/reject buttons. They can add a note to the approval/rejection response. The system will send a notification to the admin that submitted the session. If the session was approved, no further action is required. If the session was rejected, the admin will need to log on and repair their changes. Once they create a session, the admin will make their repair on top of the last session changes.

When you want to start a workflow, go to the Policy & Objects tab, select the ADOM from the drop-down list, lock the ADOM, and click the Start Session button. You can then proceed to make changes to policies and objects. When you are done making changes, click the Save button and then the Submit button. Once the session is submitted, the lock is released and other administrators may initiate a session.

The session list allows users to view any pending requests for approval or active sessions. The session list displays details of each session and allows you to browse the changes performed for the selected session.

To enable and disable workflow mode:

  1. Select the System Settings tab in the navigation pane.
  2. Go to System Settings > Dashboard.
  3. In the CLI Console widget type the following CLI command:

config system global
    set workspace-mode {workflow | disabled}
end

The FortiManager session will end and you must log back into the FortiManager system.
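The workflow described above is a small state machine: an ADOM lock is needed to start a session, submitting releases the lock and leaves the session pending, only an admin whose profile allows it may approve or reject, and a rejection sends the submitter back to repair on top of the previous session's changes. The Python model below is an added example of that sequence, not FortiManager code; the class and method names, the "approvers" list that stands in for the admin-profile permission, and the notifications list that stands in for the real notification are all assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Session:
    adom: str
    submitter: str
    changes: List[str] = field(default_factory=list)
    state: str = "open"          # open -> pending -> approved | rejected
    note: str = ""               # reviewer's note on approval or rejection


class Workspace:
    """Hypothetical model of workspace-mode {workflow | disabled}; not FortiManager code."""

    def __init__(self, workspace_mode: str, approvers):
        if workspace_mode not in ("workflow", "disabled"):
            raise ValueError("workspace-mode must be 'workflow' or 'disabled'")
        self.mode = workspace_mode
        self.approvers = set(approvers)        # admins allowed to approve/reject (assumed field)
        self.adom_lock: Dict[str, str] = {}    # adom -> admin holding the lock
        self.sessions: List[Session] = []
        self.notifications: List[str] = []     # constructed stand-in for the notification

    def lock_adom(self, adom: str, admin: str) -> None:
        holder = self.adom_lock.get(adom)
        if holder not in (None, admin):
            raise PermissionError(f"{adom} is locked by {holder}")
        self.adom_lock[adom] = admin

    def start_session(self, adom: str, admin: str) -> Session:
        if self.mode != "workflow":
            raise RuntimeError("workflow mode is not enabled")
        if self.adom_lock.get(adom) != admin:
            raise PermissionError("lock the ADOM before starting a session")
        session = Session(adom, admin)
        self.sessions.append(session)
        return session

    def submit(self, session: Session, changes: List[str]) -> Session:
        """Save and submit: the session becomes pending and the ADOM lock is released."""
        session.changes.extend(changes)
        session.state = "pending"
        del self.adom_lock[session.adom]
        return session

    def pending(self) -> List[Session]:
        return [s for s in self.sessions if s.state == "pending"]

    def review(self, approver: str, session: Session, approve: bool, note: str = "") -> str:
        if approver not in self.approvers:
            raise PermissionError(f"{approver} may not approve or reject sessions")
        if session.state != "pending":
            raise ValueError("only pending sessions can be reviewed")
        session.state = "approved" if approve else "rejected"
        session.note = note
        self.notifications.append(f"{session.submitter}: session {session.state} ({note})")
        return session.state

    def repair(self, admin: str, rejected: Session) -> Session:
        """After a rejection the submitter locks the ADOM again and works on top of
        the last session's changes."""
        if rejected.state != "rejected":
            raise ValueError("only a rejected session needs repair")
        self.lock_adom(rejected.adom, admin)
        session = self.start_session(rejected.adom, admin)
        session.changes = list(rejected.changes)
        return session


if __name__ == "__main__":
    ws = Workspace("workflow", approvers=["alice"])
    ws.lock_adom("root", "bob")
    s = ws.submit(ws.start_session("root", "bob"), ["edit policy 1"])
    print(ws.review("alice", s, False, "wrong destination"), ws.notifications)
    print(ws.repair("bob", s))
```

The model also shows the two failure modes the text implies: starting a session while workspace-mode is disabled raises, and a second administrator cannot lock the ADOM while a session is open.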

Advanced CLI-Only Objects menu

An advanced CLI-Only Objects menu has been added in the Device Manager and Policy & Objects tabs which allows you to configure device settings that are normally configured at the CLI on the device. This menu includes commands which are only available in the CLI.

VPN Monitor menu in Device Manager

A VPN monitor tree menu has been added to provide real-time VPN status information including which users are connected to the FortiGate selected. The menu contains a Central IPsec and a Central SSL-VPN monitor. For IPsec VPN, you can select to bring the tunnel up or down using the right-click menu.

FortiToken two-factor authentication for admin log in

FortiManager now supports FortiToken two-factor authentication for administrator logon. When creating a new administrator, select Type > RADIUS, and select the FortiAuthenticator server in the RADIUS server drop-down list.


FortiToken is authenticated via FortiAuthenticator. When configured, the user will be prompted to type the FortiToken code after entering their user name and password.

Successful authentication will provide the user with permission to the FortiManager and will generate a logon event log on the FortiAuthenticator.

UUID support

In FortiOS version 5.2, a universally unique identifier (UUID) attribute has been added to some firewall objects, so that the logs can record these UUIDs to be used by a FortiManager or FortiAnalyzer unit. When installing a configuration to a FortiOS v5.2 device, a single UUID is used for the same object or policy across all managed FortiGates.

In the FortiView > Log View tab, you can select a log entry, right-click, and select Jump to Policy from the pop-up menu to view the policy associated with the log message. In the Policy & Objects tab, you can select a policy, right-click, and select Show Matching Logs from the pop-up menu to view any logs associated with the policy.

Dynamic address group

A new option has been added to allow an address group to be a dynamic group. Group mappings can be configured for specific devices.

Dynamic mapping management improvements

The following improvements have been made to dynamic mapping management:

  • Convert an address to a dynamic address
  • A radio button has been added to allow you to turn dynamic mapping on or off for various firewall objects. When dynamic mapping is enabled, you can view existing mappings or create a new dynamic mapping.
  • Dynamic address with mapping table

In dynamic address mode, the table of mappings is displayed allowing you to add, edit, or delete device mapping.

When editing a mapping, the settings are displayed in a pop-up dialog box.

Object Web-based Manager enhancements

When creating or editing objects in Policy & Objects, a dialog box is displayed similar to the policy dialog box.

Central AP management improvements

Access points that are managed by the FortiGate units managed by the FortiManager device can be configured from the All FortiAP group in the tree menu of the Device Manager tab. In FortiManager v5.2 you can now apply column filters to organize and drill down the information displayed. The right-click menu now includes options to assign a profile, create new, edit, delete, authorize, deauthorize, upgrade, restart, refresh, view clients, and view rogue APs. You can also assign tags to FortiAPs to make it easier to group and filter devices by the tags.

Improved logging of script execution

FortiManager now includes several logs for scripting functions including: creating scripts, groups, and installing scripts.

Firmware version displayed is consistent with FortiOS

FortiManager v5.2 uses the firmware naming convention ‘5.2.0’, where the first digit reflects the version, the second digit reflects the release, and the third digit reflects the patch. This change is consistent with FortiOS v5.2.0 changes. All references to the firmware version in the Web-based Manager have been updated to this new format.

Update service to FortiWeb

FortiManager v5.2 can now provide antivirus updates to FortiWeb.

FortiExtender support

When adding a FortiGate to FortiManager that is managing a FortiExtender, the FortiExtender will be available in an All FortiExtender group in the ADOM. You can authorize, deauthorize, upgrade, restart, edit, and view the status of the FortiExtender from the right-click menu.

Restricted Admin profiles

Create restricted admin profiles to allow a delegated administrator to manage their ADOM’s security profiles. You can allow the delegated administrator to make changes to the Web Filter profile, IP sensor, and Application sensor associated with their ADOM.

Flexible FortiGuard Distribution Server (FDS) override list management

The System Template now allows you to configure multiple override servers, FortiManager, and FortiGuard servers into one list. You can provide services to FortiGates using this template. When adding new servers, you can select the server type, update, rating or both. This feature allows you to manage FortiGates with different override lists.

Model device improvements

The Add Model Device option in the Device Wizard has been updated to allow you to provision a single device or multiple devices more efficiently. When adding a device, only the FortiGate serial number and FortiOS version are required. A new option has been added to allow you to add multiple devices by importing a Comma Separated Value (CSV) file with the required information.

Once the model device is added to FortiManager you can assign the device to an ADOM, assign a policy package, and associate it with a provisioning template. When an unregistered FortiGate with a matching serial number connects to FortiManager, you can install the model device configuration.

Enable the FortiAnalyzer feature set in the Web-based Manager

In FortiManager version 5.0.6 or earlier, the FortiAnalyzer feature set was enabled or disabled via the CLI only. In FortiManager v5.2.0 or later, you can also enable or disable these features in the Web-based Manager. To enable the FortiAnalyzer feature set, go to System Settings > Dashboard. In the System Information widget, select [Enabled] beside FortiAnalyzer Features.

FortiSandbox support

FortiSandbox version 1.4 can be centrally managed by a FortiManager running version 5.2.0 or later.

Policy package locking

In FortiManager version 5.2 you can lock and edit a policy package without locking the ADOM. When the policy package is locked, other users are unable to lock the ADOM or edit the locked policy package. The policy package is edited in a private workspace. Only the policy package is in the workspace, not the object database. When locking and editing a policy package, the object database remains locked. The policy package lock status is displayed in the toolbar.

Before you can lock an ADOM or policy package, you must first enable workspace to disable concurrent ADOM access from the CLI.

When workspace is enabled, all ADOMs and policy packages are read-only. In the Device Manager tab, you can right-click an ADOM and select Lock from the right-click menu. When the ADOM is locked you can edit the ADOM; all other administrators need to wait until you unlock the ADOM.

In the Policy & Objects tab, you can select to lock the ADOM from the toolbar. When the ADOM is locked, all policy packages and objects in that ADOM are locked and read-only to other administrators until you finish your edits and unlock the ADOM.

Policy Package locking allows you to lock a specific policy package without locking the ADOM. In the Policy & Objects tab, select the ADOM from the drop-down list, select the policy package, right-click and select Lock & Edit from the right-click menu.

When a policy package is locked, other administrators are not able to lock the ADOM in the Device Manager or Policy & Objects tabs. The policy package is displayed as locked. Other administrators can however lock and edit other policy packages in the same ADOM.

When the policy package is locked, the administrator can edit the policy package as required and access the following options in the left side tree right-click menu: Install Wizard, Export, Policy Check, Save, and Unlock. Before unlocking the policy package, select Save in the toolbar or right-click menu to save changes made to the policy package for the session.

Although another administrator can select to lock and edit an unlocked policy package, neither administrator is able to create a new policy package or edit the object database. To create a new policy package or edit the object database, the ADOM must be locked.

When an ADOM or policy package is locked, the lock is automatically released by an admin idle timeout or by closing the browser window. Any unsaved changes will be lost. Always ensure that changes are saved using the save option in the toolbar or right-click menu.
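The lock rules spread over the paragraphs above interact in ways that are worth seeing together: a locked package blocks the ADOM lock for everyone else but not other package locks, a locked ADOM makes every package in it read-only to others, creating a package or touching the object database needs the ADOM lock, and an idle timeout or closed browser releases the lock and discards whatever was not saved. The following Python class is an added model of those rules, not FortiManager code; the class and method names and the way the object database is folded into create_package are assumptions for the illustration.

```python
from typing import Dict, List, Optional


class AdomWorkspace:
    """Hypothetical model of ADOM / policy package locking; not FortiManager code."""

    def __init__(self, adom: str, packages: List[str], workspace_enabled: bool = True):
        self.adom = adom
        self.workspace_enabled = workspace_enabled      # the CLI workspace setting
        self.adom_lock: Optional[str] = None            # admin holding the ADOM lock
        self.pkg_locks: Dict[str, str] = {}             # package -> admin holding its lock
        self.saved: Dict[str, List[str]] = {p: [] for p in packages}
        self.unsaved: Dict[str, List[str]] = {p: [] for p in packages}

    def _require_workspace(self) -> None:
        if not self.workspace_enabled:
            raise RuntimeError("enable workspace from the CLI before locking")

    def lock_adom(self, admin: str) -> None:
        self._require_workspace()
        if self.adom_lock not in (None, admin):
            raise PermissionError(f"ADOM {self.adom} is locked by {self.adom_lock}")
        # any package locked by someone else blocks the ADOM lock
        if any(holder != admin for holder in self.pkg_locks.values()):
            raise PermissionError("a policy package is locked by another administrator")
        self.adom_lock = admin

    def lock_package(self, pkg: str, admin: str) -> None:
        self._require_workspace()
        if self.adom_lock not in (None, admin):
            raise PermissionError(f"ADOM {self.adom} is locked by {self.adom_lock}")
        holder = self.pkg_locks.get(pkg)
        if holder not in (None, admin):
            raise PermissionError(f"{pkg} is locked by {holder}")
        self.pkg_locks[pkg] = admin

    def _may_edit(self, pkg: str, admin: str) -> bool:
        if not self.workspace_enabled:
            return True      # concurrent access: no locks in play
        return self.adom_lock == admin or self.pkg_locks.get(pkg) == admin

    def edit_package(self, pkg: str, admin: str, change: str) -> None:
        if not self._may_edit(pkg, admin):
            raise PermissionError(f"{pkg} is read-only for {admin}")
        self.unsaved[pkg].append(change)

    def save(self, pkg: str, admin: str) -> None:
        if not self._may_edit(pkg, admin):
            raise PermissionError(f"{pkg} is read-only for {admin}")
        self.saved[pkg].extend(self.unsaved[pkg])
        self.unsaved[pkg] = []

    def create_package(self, pkg: str, admin: str) -> None:
        """Creating a package (like editing the object database) needs the ADOM lock."""
        if self.workspace_enabled and self.adom_lock != admin:
            raise PermissionError("creating a package or editing objects needs the ADOM lock")
        self.saved[pkg] = []
        self.unsaved[pkg] = []

    def unlock_package(self, pkg: str, admin: str) -> List[str]:
        """Release the package lock; returns the unsaved changes that are lost."""
        if self.pkg_locks.get(pkg) != admin:
            raise PermissionError(f"{admin} does not hold the lock on {pkg}")
        del self.pkg_locks[pkg]
        lost, self.unsaved[pkg] = self.unsaved[pkg], []
        return lost

    def idle_timeout(self, admin: str) -> List[str]:
        """Idle timeout or closed browser: every lock held by admin is released
        and unsaved changes are lost."""
        lost: List[str] = []
        for pkg in [p for p, holder in self.pkg_locks.items() if holder == admin]:
            lost += self.unlock_package(pkg, admin)
        if self.adom_lock == admin:
            self.adom_lock = None
            for pkg in self.unsaved:
                lost += self.unsaved[pkg]
                self.unsaved[pkg] = []
        return lost


if __name__ == "__main__":
    ws = AdomWorkspace("root", ["pkgA", "pkgB"])   # constructed sample ADOM
    ws.lock_package("pkgA", "alice")
    ws.edit_package("pkgA", "alice", "allow dns")
    print("lost on timeout:", ws.idle_timeout("alice"), "saved:", ws.saved["pkgA"])
```

The script's own run shows the case the last paragraph warns about: a change edited but never saved is lost when the lock is released by the idle timeout.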

Import improvements

The following improvements have been made to the import operation:

  • Auto resynchronization when the tunnel comes back up: After changes are made to a FortiGate, when the tunnel comes back online, the changes are auto-synchronized to FortiManager. The device manager database is always in sync with the FortiGate and the out-of-sync condition has been removed.
  • Detect FortiGate changes that impact policy & objects: FortiManager is now able to detect when settings were changed on the FortiGate and synchronize them back to the related policy and object settings. This lets you know when the policy package is out of sync with what is installed on the FortiGate. You can either re-apply the changes or modify the policy package.
  • Warning when overwriting an existing policy package: FortiManager now displays a warning dialog box allowing you to decide to either overwrite the policy package, cancel the import, or import the policy package under a different name.

Policy & Objects display options improvement

When importing objects or policy types, FortiManager will detect whether or not the related display option is enabled. If it is not, FortiManager will prompt the user via a dialog box to enable the display options item.

Central WiFi management improvements

The following improvements have been made to central WiFi management:

  • Wireless Profiles have been renamed Custom AP Profiles
  • Create, edit, and delete APs
  • Assign AP profiles to multiple APs
  • Consistent replacement messages between FortiGate and FortiManager
  • Customize Captive Portal messages per SSID

Central AP management improvements

Access points that are managed by the FortiGate units managed by the FortiManager device can be configured from the All FortiAP group in the tree menu of the Device Manager tab. In FortiManager v5.2.1 you can now apply column filters to organize and drill down the information displayed. The right-click menu now includes options to assign a profile, create new, edit, delete, authorize, deauthorize, upgrade, restart, refresh, view clients, and view rogue APs.

You can also assign tags to FortiAPs to make it easier to group and filter devices by the tags.