
FortiView – FortiManager 5.2

FortiView

The FortiView tab allows you to access both FortiView drill down and Log view menus. FortiView in FortiManager collects data from FortiView in FortiGate. In order for information to appear in the FortiView dashboards in FortiGate, disk logging must be selected for the FortiGate unit. Select the FortiView tab and select the ADOM from the dropdown list.

When rebuilding the SQL database, FortiView will not be available until after the rebuild is completed. Select the Show Progress link in the message to view the status of the SQL rebuild.

FortiView

Use FortiView to drill down real-time and historical traffic from log devices by sources, applications, destinations, web sites, threats, cloud applications, cloud users, system and admin events, SSL and dialup IPsec, site to site IPsec, rogue APs, and resource usage. Each FortiView summary view can be filtered by a variety of attributes, as well as by device and time period. These attributes can be selected using the right-click context menu. Results can also be filtered using the various columns. The following summary views are available:

  • Top Sources
  • Top Applications
  • Top Destinations
  • Top Web Sites
  • Top Threats
  • Top Cloud Applications/Users
  • System Events
  • Admin Logins
  • SSL & Dialup IPsec
  • Site-to-Site IPsec
  • Rogue APs
  • Resource Usage

FortiGuard Management – FortiManager 5.2

FortiGuard Management

The FortiGuard Distribution Network (FDN) provides FortiGuard services for your FortiManager system and its managed devices and FortiClient agents. The FDN is a world-wide network of FortiGuard Distribution Servers (FDS) which update the FortiGuard services on your FortiManager system on a regular basis so that your FortiManager system is protected against the latest threats.

The FortiGuard services available on the FortiManager system include:

  • Antivirus and IPS engines and signatures
  • Web filtering and email filtering rating databases and lookups (select systems)
  • Vulnerability scan and management support for FortiAnalyzer

To view and configure these services, go to FortiGuard > FortiGuard Management > Advanced Settings.

In FortiGuard Management, you can configure the FortiManager system to act as a local FDS, or use a web proxy server to connect to the FDN. FortiManager systems acting as a local FDS synchronize their FortiGuard service update packages with the FDN, then provide these FortiGuard updates and lookup replies to your private network’s FortiGate devices. The local FDS provides a faster connection, reducing Internet connection load and the time required to apply frequent updates, such as antivirus signatures, to many devices.

As an example, you might enable FortiGuard services to FortiGate devices on the built-in FDS, then specify the FortiManager system’s IP address as the override server on your devices. Instead of burdening your Internet connection with all the devices downloading antivirus updates separately, the FortiManager system would use the Internet connection once to download the FortiGate antivirus package update, then redistribute the package to the devices.

FortiGuard Management also includes firmware revision management. To view and configure firmware options, go to FortiGuard Management > Firmware Images. You can download these images from the Customer Service & Support portal to install on your managed devices or on the FortiManager system.

Before you can use your FortiManager system as a local FDS, you must:

  • Register your devices with Fortinet Customer Service & Support and enable the FortiGuard service licenses. See your device documentation for more information on registering your products.
  • If the FortiManager system’s Unregistered Device Options do not allow service to unregistered devices, add your devices to the device list, or change the option to allow service to unregistered devices. For more information, see the FortiManager CLI Reference. For information about FDN service connection attempt handling or adding devices, see Device Manager.
  • Enable and configure the FortiManager system’s built-in FDS. For more information, see Configuring network interfaces.
  • Connect the FortiManager system to the FDN. The FortiManager system must retrieve service update packages from the FDN before it can redistribute them to devices and FortiClient agents on the device list. For more information, see Connecting the built-in FDS to the FDN.
  • Configure each device or FortiClient endpoint to use the FortiManager system’s built-in FDS as their override server. You can do this when adding a FortiGate system. For more information, see Adding a device.

This section contains the following topics:

  • Advanced settings
  • Configuring devices to use the built-in FDS
  • Configuring FortiGuard services
  • Logging events related to FortiGuard services
  • Restoring the URL or antispam database
  • Package management
  • Query server management
  • Firmware images

For information on current security threats, virus and spam sample submission, and FortiGuard service updates available through the FDN, including antivirus, IPS, web filtering, and email filtering, see the FortiGuard Center website, http://www.fortiguard.com/.

Central VPN Console – FortiManager 5.2

Central VPN Console

When Central VPN Console is selected as the VPN Management option when creating an ADOM, a VPN Console tree menu item appears in the Policy & Objects tab under Policy Package. You also need to enable the Show VPN Console option in System Settings > Admin > Admin Settings. You can create VPN topologies on this page. Once you have configured a VPN topology and gateway, you can configure the related firewall policies, then preview and install them. For more information, see Managing policies.

VPN topology

You can create full meshed, star, and dial up VPN topologies. Once you have created the topology, you can create the VPN gateway.

Create VPN Topology

Configure the following settings:

Name Type a name for the VPN topology.
Description Type an optional description.
Topology Select the topology type from the drop-down list. Select one of:
  • Full Meshed: Each gateway has a tunnel to every other gateway.
  • Star: Each gateway has one tunnel to a central hub gateway.
  • Dial up: Some gateways, often mobile users, have dynamic IP addresses and contact the gateway to establish a tunnel.
IKE Profile Define the IKE Profile. Configure IKE Phase 1, IKE Phase 2, Advanced settings, and Authentication settings.
IKE Phase 1 Define the IKE Phase 1 proposal settings.
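Which tunnels each topology type actually creates, as an added Python example that is not part of the guide or of FortiManager: it enumerates the (initiator, responder) pairs for full mesh, star and dial-up, and enforces the addressing constraints the descriptions above imply (every gateway in a full mesh needs a static address because either side may initiate; a star or dial-up hub must be static; dial-up spokes may be dynamic and always initiate towards the hub). The Gateway class, the gateway names and the 203.0.113.x / 198.51.100.x / 192.0.2.x addresses are assumptions made for the example.

```python
"""Tunnel planning for the three Central VPN Console topologies.

Added example, not FortiManager code. Gateway names, addresses and the
Gateway class are assumptions made for illustration.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Gateway:
    name: str
    ip: Optional[str]          # None = dynamic address (dial-up peer)

    @property
    def is_static(self) -> bool:
        return self.ip is not None


Tunnel = Tuple[str, str]       # (initiator, responder)


def plan_tunnels(topology: str, gateways: List[Gateway],
                 hub: Optional[str] = None) -> List[Tunnel]:
    """Return the tunnels a topology creates, as (initiator, responder) pairs.

    full-mesh: every gateway has a tunnel to every other gateway; all need
               static addresses because either side may initiate.
    star:      every spoke has one tunnel to the hub; all addresses static.
    dial-up:   spokes may have dynamic addresses and always initiate towards
               the hub, which must be reachable at a static address.
    """
    names = [g.name for g in gateways]
    if len(set(names)) != len(names):
        raise ValueError("gateway names must be unique")
    by_name = {g.name: g for g in gateways}

    if topology == "full-mesh":
        dynamic = [g.name for g in gateways if not g.is_static]
        if dynamic:
            raise ValueError(f"full mesh needs static addresses: {dynamic}")
        return [(a.name, b.name) for a, b in combinations(gateways, 2)]

    if topology in ("star", "dial-up"):
        if hub is None or hub not in by_name:
            raise ValueError("star and dial-up topologies need a hub gateway")
        if not by_name[hub].is_static:
            raise ValueError("hub must have a static address")
        spokes = [g for g in gateways if g.name != hub]
        if topology == "star":
            dynamic = [g.name for g in spokes if not g.is_static]
            if dynamic:
                raise ValueError(f"star spokes need static addresses: {dynamic}")
        return [(s.name, hub) for s in spokes]

    raise ValueError(f"unknown topology {topology!r}")


def tunnel_count(topology: str, n_gateways: int) -> int:
    """Closed-form tunnel count for n gateways (useful when sizing a deployment)."""
    if topology == "full-mesh":
        return n_gateways * (n_gateways - 1) // 2
    if topology in ("star", "dial-up"):
        return max(n_gateways - 1, 0)
    raise ValueError(f"unknown topology {topology!r}")


if __name__ == "__main__":
    # Constructed gateways; addresses are documentation ranges, not real sites.
    hq = Gateway("HQ", "203.0.113.1")
    branch = Gateway("Branch", "198.51.100.7")
    laptop = Gateway("Laptop", None)
    for topo, hub in (("full-mesh", None), ("star", "HQ"), ("dial-up", "HQ")):
        try:
            print(topo, plan_tunnels(topo, [hq, branch, laptop], hub=hub))
        except ValueError as err:
            print(topo, "rejected:", err)
```

The tunnel_count helper is the sizing check: 50 gateways in a full mesh is 1,225 tunnels (and 1,225 phase 1/phase 2 pairs that all have to stay consistent), against 49 in a star, which is why large deployments usually start from a hub and add meshing only between sites whose traffic justifies it.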

Device Manager – FortiManager 5.2

Device Manager

Use the Device Manager tab to view and configure managed devices. This chapter covers navigating the Device Manager tab, viewing devices, managing devices, managing FortiAP access points, and managing FortiExtender wireless WAN extenders. For information on adding devices and installing policy packages, see FortiManager Wizards.

Additional configuration options and shortcuts are available using the right-click context menu. Right-click different parts of the navigation panes on the Web-based Manager page to access these context menus.

The Device Manager tab provides access to devices and groups, provisioning templates, scripts, and VPN monitor menus.

Device manager layout

The Device Manager tab includes the following menus:

Devices & Groups View and configure managed and logging devices per ADOM. Use the toolbar to add devices, devices groups, and launch the install wizard.
Provisioning Templates Configure provisioning templates. For information on system, WiFi, Threat Weight, FortiClient, and certificate templates, see Provisioning Templates .
Scripts Create new or import scripts. Scripts is disabled by default. To enable this advanced configuration option, select Show Script in System Settings > Admin > Admin Settings; the Scripts item then appears in the Device Manager tab tree menu.

For more information on scripts, see Scripts .

VPN Monitor Select VPN Monitor to view Central IPsec and Central SSL-VPN menus. These menus allow you to monitor the VPN connections for the ADOM in a central location. You can also bring up or bring down VPN connections.

Viewing managed/logging device

You can view the dashboard and related information of all managed/logging and provisioned devices.

This section contains the following topics:

  • Using column filters
  • View managed/logging devices
  • Dashboard widgets

Using column filters

You can filter each column by selecting the column header. Use the right-click context menu to add or remove columns.

The following table describes the available columns and the filters available for each column.

Column filters

Device Name Click the column header to sort the entries in ascending or descending order (alphabetic).
Config Status Filter by configuration status:
  • Synchronized
  • Synchronized from AutoUpdate
  • Out of Sync
  • Pending
  • Warning
  • Unknown
Hover the cursor over the column icon for additional information.
Policy Package Status Filter by policy package status:
  • Imported
  • Installed
  • Modified
  • Never Installed
  • Unknown
Hover the cursor over the column icon for additional information.
Hostname Click the column header to sort the entries in ascending or descending order (alphabetic).
Connectivity Filter by connectivity status:
  • Connected
  • Connection Down
  • Unknown
Hover the cursor over the column icon for additional information.
IP Click the column header to sort the entries in ascending or descending order (numeric).
Platform Click the column header to sort the entries in ascending or descending order (alphabetic).
Logs Click the column header to sort the entries in ascending or descending order (log status).
Quota Click the column header to sort the entries in ascending or descending order (device log quota). Hover the cursor over the column icon for additional information.
Log Connection Click the column header to sort the entries in ascending or descending order (log connection status). The log connection can be in one of the following states:
  • IPsec Tunnel is up
  • IPsec Tunnel is down
  • IPsec Tunnel is disabled
Hover the cursor over the column icon for additional information.
FortiGuard License Filter by license status:
  • Valid
  • Expired
  • Unknown
Hover the cursor over the column icon for additional information.
Firmware Version Click the column header to sort the entries in ascending or descending order (firmware version).
Description Click the column header to sort the entries in ascending or descending order (description). Left-click the description cell to add a description to the entry, then select OK to save the change.
Other Filter by Description, Contact, City, Province, Country, or Company.

View managed/logging devices

You can view information about individual devices in the Device Manager tab. This section describes the FortiGate unit summary.

To view managed/logging devices:

  1. Select the Device Manager tab.
  2. Select the ADOM from the drop-down list.
  3. Select the device group, for example Managed FortiGates, in the tree menu.
     When the FortiAnalyzer feature set is enabled, the All FortiGates device group is replaced with Managed FortiGates and Logging FortiGates. Managed FortiGates include FortiGate devices which are managed by FortiManager but do not send logs. Logging FortiGates include FortiGate devices which are not managed, but do send logs to FortiManager.
  4. Select a device or VDOM from the list of managed devices. The device dashboard and related information is shown in the content pane.
Device dashboard
Dashboard toolbar

The dashboard toolbar allows you to select the content, or panel, that is shown in the content pane.

The dashboard toolbar displays the device name and current panel on the right-hand side. Hovering the cursor over the Menu drop-down, on the left-hand side of the toolbar, displays the available panels organized into categories.

System Settings FortiManager 5.2

System Settings
The System Settings tab enables you to manage and configure the basic system options for the FortiManager unit. This includes the basic network settings to connect the device to the corporate network, the configuration of administrators and their access permissions, managing and updating firmware for the device and configuring logging and access to the FortiGuard Update Service for updates.
The System Settings tab provides access to the following menus and sub-menus:
Dashboard The Dashboard page displays widgets that provide performance and status information and enable you to configure basic system settings.
All ADOMs The All ADOMs page is only available when ADOMs are enabled. It lists all of the ADOMs, their version, devices, VPN management, number of policy packages, and alert device information. On this page you can create, edit, delete, and upgrade ADOMs. You can also view the alert device details.
RAID Management The RAID Management page displays information about the status of RAID, as well as what RAID level has been selected and how much disk space is currently consumed.
Network The Network page provides routing and interface management options. It also provides access to diagnostic tools, such as ping, and a detailed listing of all currently configured interfaces.
High Availability The HA page allows you to configure the operation mode and cluster settings.
Admin Select this menu to configure administrator user accounts, as well as global administrative settings for the FortiManager unit. Sub-menus: Administrator, Profile, Workflow Approval, Remote Authentication Server, Administrator Settings.
Certificates The Certificates section allows you to configure local and CA certificates, and certificate revocation lists (CRLs).
Event Log View log messages that are stored in memory or on the internal hard disk. On this page you can view historical or real-time logs and download event logs.
Task Monitor The Task Monitor page allows you to view the status of the tasks that you have performed.
Advanced Select to configure mail server settings, remote output, Simple Network Management Protocol (SNMP), meta field data, and other advanced settings. Sub-menus: SNMP, Mail Server, Syslog Server, Meta Fields, Device Log Settings, File Management, Advanced Settings, Portal Users.
Dashboard
When you select the System Settings tab, it automatically opens at the System Settings > Dashboard page.
The Dashboard displays widgets that provide performance and status information and enable you to configure basic system settings. The dashboard also contains a CLI widget that allows you to use the command line through the Web-based Manager. All of the widgets appear on a single dashboard, which can be customized as desired.

FortiManager system dashboard

The following widgets are available:
System Information Displays basic information about the FortiManager system, such as up time and firmware version. You can also enable or disable Administrative Domains and FortiAnalyzer features. From this widget you can manually update the FortiManager firmware to a different release. For more information, see System Information widget and Firmware images.
License Information Displays the devices being managed by the FortiManager unit and the maximum number of devices allowed. From this widget you can manually upload a license for FortiManager VM systems. For more information, see License Information widget.
Unit Operation Displays status and connection information for the ports of the FortiManager unit. It also enables you to shut down and restart the FortiManager unit or reformat a hard disk. For more information, see Unit Operation widget.
System Resources Displays the real-time and historical usage status of the CPU, memory, and hard disk. For more information, see System Resources widget.
Alert Message Console Displays log-based alert messages for both the FortiManager unit itself and connected devices. For more information, see Alert Messages Console widget.
CLI Console Opens a terminal window that enables you to configure the FortiManager unit using CLI commands directly from the Web-based Manager. This widget is hidden by default. For more information, see CLI Console widget.
Log Receive Monitor Displays a real-time monitor of logs received. You can select to view data per device or per log type. This widget is available when FortiAnalyzer Features is enabled. For more information, see Log Receive Monitor widget.
Logs/Data Received Displays real-time or historical statistics of logs and data received. This widget is available when FortiAnalyzer Features is enabled. For more information, see Logs/Data Received widget.
Statistics Displays statistics for logs and reports. This widget is available when FortiAnalyzer Features is enabled. For more information, see Statistics widget.
Customizing the dashboard
The FortiManager system dashboard can be customized. You can select which widgets to display, where they are located on the page, and whether they are minimized or maximized.
To move a widget
Position your mouse cursor on the widget’s title bar, then click and drag the widget to its new location.
To add a widget
In the dashboard toolbar, select Add Widget, then select the names of widgets that you want to show. To remove a widget, select the Close icon.
Adding a widget

To reset the dashboard
Select Dashboard > Reset Dashboard from the dashboard toolbar.
To see the available options for a widget
Position your mouse cursor over the icons in the widget’s title bar. Options vary slightly from widget to widget, but always include options to close or show/hide the widget.
A minimized widget

The following options are available:
Show/Hide arrow Display or minimize the widget.
Widget Title The name of the widget.
More Alerts Show the Alert Messages dialog box.
This option appears only in the Alert Message Console widget.
Edit Select to change settings for the widget.
This option appears only in the System Resources, Alert Message Console, Logs/Data Received, and Log Receive Monitor widgets.
Detach Detach the CLI Console widget from the dashboard and open it in a separate window.
This option appears only in the CLI Console widget.
Reset Select to reset the information shown in the widget. This option appears only in the Statistics widget.
Refresh Select to update the displayed information.
Close Select to remove the widget from the dashboard. You will be prompted to confirm the action. To add the widget again, select Add Widget in the toolbar and then select the name of the widget you want to show.
System Information widget
The system dashboard includes a System Information widget, shown in System Information widget, which displays the current status of the FortiManager unit and enables you to configure basic system settings.
System Information widget

The information displayed in the System Information widget is dependent on the FortiManager models and device settings. The following information is available on this widget:
Host Name The identifying name assigned to this FortiManager unit. Select [Change] to change the host name. For more information, see Changing the host name.
Serial Number The serial number of the FortiManager unit. The serial number is unique to the FortiManager unit and does not change with firmware upgrades. The serial number is used for identification when connecting to the FortiGuard server.
Platform Type Displays the FortiManager platform type, for example FMG-VM (virtual machine).
HA Status Displays whether the FortiManager unit is in High Availability mode and whether it is the Master or Slave unit in the HA cluster. For more information, see High Availability.
System Time The current time on the FortiManager internal clock. Select [Change] to change system time settings. For more information, see Configuring the system time.

Firmware Version The version number and build number of the firmware installed on the FortiManager unit. To update the firmware, you must download the latest version from the Customer Service & Support website at https://support.fortinet.com. Select [Update] and select the firmware image to load from the local hard disk or network volume. For more information, see Updating the system firmware.
System Configuration The date of the last system configuration backup. The following actions are available:
l Select [Backup] to backup the system configuration to a file; see Backing up the system.
l Select [Restore] to restore the configuration from a backup file; see Restoring the configuration.
l Select [System Checkpoint] to revert the system to a prior saved configuration; see Creating a system checkpoint.
Current Administrators The number of administrators that are currently logged in. The following actions are available:
l Select [Change Password] to change your own password.
l Select [Detail] to view the session details for all currently logged in administrators. See Monitoring administrator sessions for more information.
Up Time The duration of time the FortiManager unit has been running since it was last started or restarted.
Administrative Domain Displays whether ADOMs are enabled. Select [Enable/Disable] to change the Administrative Domain state. See Enabling and disabling the ADOM feature.
Global Database Version Displays the current Global Database version. Select [Change] to change the global database version.
Offline Mode Displays whether Offline Mode is enabled. To enable or disable Offline Mode, go to System Settings > Advanced > Advanced Settings.
FortiAnalyzer Features Displays whether FortiAnalyzer features are enabled. Select [Enable/Disable] to change the FortiAnalyzer features state.
The following options are available:
Refresh Select the refresh icon in the title bar to refresh the information displayed.
Close Select the close icon in the title bar to remove the widget from the dashboard.
Changing the host name
Administration Guide
Fortinet Technologies Inc.

The host name of the FortiManager unit is used in several places. It appears in the System Information widget on the Dashboard. For more information about the System Information widget, see System Information widget. It is used in the command prompt of the CLI. It is used as the SNMP system name. For information about SNMP, see SNMP.
The System Information widget and the get system status CLI command will display the full host name. However, if the host name is longer than 16 characters, the CLI and other places display the host name in a truncated form ending with a tilde ( ~ ) to indicate that additional characters exist, but are not displayed. For example, if the host name is FortiManager1234567890, the CLI prompt would be FortiManager123456~#.
To change the host name:
1. Go to System Settings > Dashboard.
2. In the System Information widget, next to the Host Name field, select [Change].
Edit Host Name dialog box

3. In the Host Name box, type a new host name.
The host name may be up to 35 characters in length. It may include US-ASCII letters, numbers, hyphens, and underscores. Spaces and special characters are not allowed.
4. Select OK.
Configuring the system time
You can either manually set the FortiManager system time or configure the FortiManager unit to automatically keep its system time correct by synchronizing with a Network Time Protocol (NTP) server.

Fortinet Management Theory

Fortinet Management Theory

FortiManager is an integrated platform for the centralized management of products in a Fortinet security infrastructure. A FortiManager provides centralized policy-based provisioning, configuration and update management for FortiGate (including FortiGate, FortiWiFi, and FortiGate VM), FortiCarrier, FortiSwitch, and FortiSandbox devices.

To reduce network delays and minimize external Internet usage, a FortiManager installation can also act as an on-site FortiGuard Distribution Server (FDS) for your managed devices and FortiClient agents to download updates to their virus and attack signatures, and to use the built-in web filtering and email filter services.

FortiManager scales to manage up to 5,000 devices and virtual domains (VDOMs) from a single FortiManager interface. It is primarily designed for medium to large enterprises and managed security service providers.

Using a FortiManager device as part of an organization’s Fortinet security infrastructure can help minimize both initial deployment costs and ongoing operating expenses. It allows fast device provisioning, detailed revision tracking, and thorough auditing.

Key features of the FortiManager system

Configuration revision control and tracking

Your FortiManager unit records and maintains the history of all configuration changes made over time. Revisions can be scheduled for deployment or rolled back to a previous configuration when needed.

Centralized management

FortiManager can centrally manage the configurations of multiple devices from a single console. Configurations can then be built in a central repository and deployed to multiple devices when required.

Administrative domains

FortiManager can segregate management of large deployments by grouping devices into geographic or functional ADOMs. See Administrative Domains.

Local FortiGuard service provisioning

A FortiGate device can use the FortiManager unit for antivirus, intrusion prevention, web filtering, and email filtering to optimize performance of rating lookups, and definition and signature downloads. See FortiGuard Management.

Firmware management

FortiManager can centrally manage firmware images and schedule managed devices for upgrade.


Scripting

FortiManager supports CLI or Tcl based scripts to simplify configuration deployments. See Scripts.

Logging and reporting

FortiManager can also be used to log traffic from managed devices and generate Structured Query Language (SQL) based reports. FortiManager also integrates FortiAnalyzer logging and reporting features.

Fortinet device life cycle management

The management tasks for devices in a Fortinet security infrastructure follow a typical life cycle:

  • Deployment: An administrator completes configuration of the Fortinet devices in their network after initial installation.
  • Monitoring: The administrator monitors the status and health of devices in the security infrastructure, including resource monitoring and network usage. External threats to your network infrastructure can be monitored and alerts generated to advise.
  • Maintenance: The administrator performs configuration updates as needed to keep devices up-to-date.
  • Upgrading: Virus definitions, attack and data leak prevention signatures, web and email filtering services, and device firmware images are all kept current to provide continuous protection for devices in the security infrastructure.

Inside the FortiManager system

FortiManager is a robust system with multiple layers to allow you to effectively manage your Fortinet security infrastructure.

Device Manager tab

The Device Manager tab contains all ADOMs and devices. You can create new ADOMs and device groups, provision and add devices, and install policy packages and device settings. See Device Manager.

Policy & Objects tab

The Policy & Objects tab contains all of your global and local policy packages and objects that are applicable to all ADOMs, and configuration revisions. See Policy & Objects.

System Settings tab

The System Settings tab enables the configuration of system settings and monitors the operation of your FortiManager unit. See System Settings.


Inside the FortiManager device manager tab

Global ADOM layer

The global ADOM layer contains two key pieces: the global object database and all header and footer policies.

Header and footer policies are used to envelop policies within each individual ADOM. These are typically invisible to users and devices in the ADOM layer. An example of where this would be used is in a carrier environment, where the carrier would allow customer traffic to pass through their network but would not allow the customer to have access to the carrier’s network assets.

ADOM layer

The ADOM layer is where the FortiManager manages individual devices or groups of devices. It is inside this layer where policy packages and folders are created, managed and installed on managed devices. Multiple policy packages can be created here, and they can easily be copied to other ADOMs to facilitate configuration or provisioning of new devices on the network. The ADOM layer contains one common object database per ADOM, which contains information such as addresses, services, antivirus and attack definitions, and web filtering and email filter.

Device manager layer

The device manager layer records information on devices that are centrally managed by the FortiManager unit, such as the name and type of device, the specific device model, its IP address, the current firmware installed on the unit, the device’s revision history, and its real-time status.


What’s New In FortiManager version 5.2

What’s New in FortiManager version 5.2

FortiManager version 5.2 includes the following new features and enhancements. Always review all sections in the FortiManager Release Notes prior to upgrading your device.

FortiManager version 5.2.1

FortiManager version 5.2.1 includes the following new features and enhancements.

  • Toolbar buttons for the Policy section.
  • Install for admin with Restricted profile.
  • Approval matrix for Workflow.
  • IPv6 support for FG-FM connections.
  • Unify JSON APIs with XML APIs.
  • Added version to JSON APIs for Policy Package & Objects.
  • Common ADOM version for FortiOS v5.0 and v5.2.
  • A message is displayed when the database is upgrading or rebuilding. The message contains the estimated time to complete the action.
  • Optional dynamic VIP default values.

FortiManager version 5.2.0

FortiManager version 5.2.0 includes the following new features and enhancements.

Workflow mode

Workflow mode is a new global mode that defines an approval or notification workflow for creating and installing policy changes. Workflow mode is enabled via the CLI only. When workflow mode is enabled, the admin profile page gains a new option that allows an administrator to approve or reject workflow requests.

Administrators with the appropriate permissions can approve or reject any pending request. When viewing the session list, they can choose any pending session and click the approve/reject buttons, and can add a note to the approval or rejection response. The system sends a notification to the admin who submitted the session. If the session was approved, no further action is required. If the session was rejected, the admin needs to log on and repair their changes: once they create a new session, they make the repair on top of the last session’s changes.

To start a workflow, go to the Policy & Objects tab, select the ADOM from the drop-down list, lock the ADOM, and click the Start Session button. You can then make changes to policies and objects. When you are done, click the Save button and then the Submit button. Once the session is submitted, the lock is released and other administrators may initiate a session.

The session list allows users to view any pending requests for approval or active sessions. It displays details of each session and allows you to browse the changes performed in the selected session.

To enable and disable workflow mode:

  1. Select the System Settings tab in the navigation pane.
  2. Go to System Settings > Dashboard.
  3. In the CLI Console widget, type the following CLI commands:

     config system global
         set workspace-mode {workflow | disabled}
     end

The FortiManager session will end and you must log back into the FortiManager system.

Advanced CLI-Only Objects menu

An advanced CLI-Only Objects menu has been added to the Device Manager and Policy & Objects tabs. It allows you to configure device settings that are normally configured only at the CLI on the device; the menu includes commands that are available only in the CLI.

VPN Monitor menu in Device Manager

A VPN monitor tree menu has been added to provide real-time VPN status information including which users are connected to the FortiGate selected. The menu contains a Central IPsec and a Central SSL-VPN monitor. For IPsec VPN, you can select to bring the tunnel up or down using the right-click menu.

FortiToken two-factor authentication for admin login

FortiManager now supports FortiToken two-factor authentication for administrator logon. When creating a new administrator, select Type > RADIUS, and select the FortiAuthenticator server in the RADIUS server drop-down list.


FortiToken is authenticated via FortiAuthenticator. When configured, the user will be prompted to type the FortiToken code after entering their user name and password.

Successful authentication grants the user access to FortiManager and generates a logon event log on the FortiAuthenticator.

UUID support

In FortiOS version 5.2, a universally unique identifier (UUID) attribute has been added to some firewall objects, so that the logs can record these UUIDs to be used by a FortiManager or FortiAnalyzer unit. When installing a configuration to a FortiOS v5.2 device, a single UUID is used for the same object or policy across all managed FortiGates.

In the FortiView > Log View tab, you can select a log entry, right-click, and select Jump to Policy from the pop-up menu to view the policy associated with the log message. In the Policy & Objects tab, you can select a policy, right-click, and select Show Matching Logs from the pop-up menu to view any logs associated with the policy.
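Both of those jumps rely on the policy UUID rather than the per-device policy ID, because the same policy ID can refer to different policies on different FortiGates while the UUID is shared across all managed units. The following Python is an added example, not FortiManager or FortiOS code, that performs that join over a few constructed FortiOS-style log lines. It assumes the UUID is carried in a log field named `poluuid` and that the policy package keeps the same UUID per policy; the package contents, device names and log lines are constructed for the example. It goes slightly beyond the text by also listing UUIDs seen in logs that match no policy in the package, which is how you spot traffic matched by a policy that has since been removed or was never managed.

```python
"""Join FortiOS traffic logs to policies by UUID (added example, not FortiManager/FortiOS code).

Assumed: the log carries the policy UUID in a key=value field named poluuid and the
policy package records the same UUID per policy. Package and log lines are constructed."""
import shlex
from collections import defaultdict

# Constructed policy package: policy id -> attributes (UUID is shared across managed FortiGates)
POLICY_PACKAGE = {
    1: {"uuid": "4d9a3f6e-8a4b-51e4-9f2a-0242ac110001", "name": "LAN-to-WAN", "action": "accept"},
    2: {"uuid": "7c1b2e90-3d5f-51e4-b8c7-0242ac110002", "name": "Block-P2P", "action": "deny"},
}

# Constructed FortiOS-style log lines. FGT-B's local policyid=1 is a different package policy
# than FGT-A's policyid=1: only the UUID identifies the package policy reliably.
SAMPLE_LOGS = [
    'date=2014-09-01 time=10:15:02 devname=FGT-A type=traffic subtype=forward policyid=1 '
    'poluuid="4d9a3f6e-8a4b-51e4-9f2a-0242ac110001" srcip=10.0.0.5 dstip=93.184.216.34 action=accept',
    'date=2014-09-01 time=10:15:03 devname=FGT-B type=traffic subtype=forward policyid=1 '
    'poluuid="7c1b2e90-3d5f-51e4-b8c7-0242ac110002" srcip=10.0.0.9 dstip=198.51.100.7 action=deny',
    'date=2014-09-01 time=10:15:04 devname=FGT-A type=traffic subtype=forward policyid=3 '
    'poluuid="00000000-0000-0000-0000-000000000000" srcip=10.0.0.5 dstip=203.0.113.2 action=accept',
    'date=2014-09-01 time=10:15:05 devname=FGT-A type=event subtype=system logdesc="Admin login"',
]


def parse_log(line):
    """Parse a FortiOS key=value log line into a dict; shlex handles the quoted values."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def uuid_index(package):
    """Invert the package so a UUID found in a log resolves to (policy id, policy)."""
    return {p["uuid"]: (pid, p) for pid, p in package.items()}


def jump_to_policy(line, package):
    """'Jump to Policy': (policy id, policy) for a log line, or None.

    Event logs carry no poluuid, and a UUID unknown to the package means the log was
    produced by a policy that is not (or no longer) in the package; both return None."""
    uuid = parse_log(line).get("poluuid")
    if not uuid:
        return None
    return uuid_index(package).get(uuid)


def matching_logs(policy_id, package, lines):
    """'Show Matching Logs': parsed log records produced by the given package policy."""
    uuid = package[policy_id]["uuid"]
    return [f for f in map(parse_log, lines) if f.get("poluuid") == uuid]


def unknown_policy_uuids(package, lines):
    """UUIDs seen in traffic logs with no policy in the package, and the devices reporting them."""
    known = uuid_index(package)
    seen = defaultdict(set)
    for f in map(parse_log, lines):
        uuid = f.get("poluuid")
        if uuid and uuid not in known:
            seen[uuid].add(f.get("devname", "?"))
    return dict(seen)


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(jump_to_policy(line, POLICY_PACKAGE))
    print(unknown_policy_uuids(POLICY_PACKAGE, SAMPLE_LOGS))
```

Keying on `policyid` alone would have attributed the FGT-B log to the LAN-to-WAN policy; keying on the UUID attributes it to Block-P2P, which is what the action field confirms.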

Dynamic address group

A new option has been added to allow an address group to be a dynamic group. Group mappings can be configured for specific devices.

Dynamic mapping management improvements

The following improvements have been made to dynamic mapping management:

  • Convert an address to a dynamic address.
  • A radio button has been added to allow you to turn dynamic mapping on or off for various firewall objects. When dynamic mapping is enabled, you can view existing mappings or create a new dynamic mapping.
  • Dynamic address with mapping table: in dynamic address mode, the table of mappings is displayed, allowing you to add, edit, or delete device mappings. When editing a mapping, the settings are displayed in a pop-up dialog box.

Object Web-based Manager enhancements

When creating or editing objects in Policy & Objects, a dialog box is displayed similar to the policy dialog box.

Central AP management improvements

Access points managed by FortiGate units that are themselves managed by FortiManager can be configured from the All FortiAP group in the tree menu of the Device Manager tab. In FortiManager v5.2 you can now apply column filters to organize and drill down the information displayed. The right-click menu now includes options to assign a profile, create new, edit, delete, authorize, deauthorize, upgrade, restart, refresh, view clients, and view rogue APs. You can also assign tags to FortiAPs to make it easier to group and filter devices by the tags.

Improved logging of script execution

FortiManager now writes event logs for scripting functions, including creating scripts, creating script groups, and installing scripts.

Firmware version displayed is consistent with FortiOS

FortiManager v5.2 uses the firmware naming convention ‘5.2.0’, where the first digit is the major version, the second the release, and the third the patch. This change is consistent with the FortiOS v5.2.0 naming change. All references to the firmware version in the Web-based Manager have been updated to this format.

Update service to FortiWeb

FortiManager v5.2 can now provide antivirus updates to FortiWeb.

FortiExtender support

When adding a FortiGate to FortiManager that is managing a FortiExtender, the FortiExtender will be available in an All FortiExtender group in the ADOM. You can authorize, deauthorize, upgrade, restart, edit, and view the status of the FortiExtender from the right-click menu.

Restricted Admin profiles

Create restricted admin profiles to allow a delegated administrator to manage their ADOM’s security profiles. You can allow the delegated administrator to make changes to the Web Filter profile, IPS sensor, and Application sensor associated with their ADOM.

Flexible FortiGuard Distribution Server (FDS) override list management

The System Template now allows you to configure multiple override servers, FortiManager servers, and FortiGuard servers in one list, and to provide services to FortiGates using that template. When adding a new server, you select the server type: update, rating, or both. This feature allows you to manage FortiGates that use different override lists.

Model device improvements

The Add Model Device option in the Device Wizard has been updated to allow you to provision a single device or multiple devices more efficiently. When adding a device, only the FortiGate serial number and FortiOS version are required. A new option has been added to allow you to add multiple devices by importing a Comma Separated Value (CSV) file with the required information.

Once the model device is added to FortiManager you can assign the device to an ADOM, assign a policy package, and associate it with a provisioning template. When an unregistered FortiGate with a matching serial number connects to FortiManager, you can install the model device configuration.

Enable the FortiAnalyzer feature set in the Web-based Manager

In FortiManager version 5.0.6 or earlier, the FortiAnalyzer feature set could be enabled or disabled via the CLI only. In FortiManager v5.2.0 or later, you can also enable or disable these features in the Web-based Manager. To enable the FortiAnalyzer feature set, go to System Settings > Dashboard. In the System Information widget, select [Enabled] beside FortiAnalyzer Features.

FortiSandbox support

FortiSandbox version 1.4 can be centrally managed by a FortiManager running version 5.2.0 or later.

Policy package locking

In FortiManager version 5.2 you can lock and edit a policy package without locking the ADOM. While the policy package is locked, other users cannot lock the ADOM or edit that policy package. The policy package is edited in a private workspace that contains only the policy package, not the object database; the object database stays read-only while you hold only a policy package lock. The policy package lock status is displayed in the toolbar.

Before you can lock an ADOM or policy package, you must first enable workspace mode from the CLI, which disables concurrent ADOM access.

When workspace mode is enabled, all ADOMs and policy packages are read-only until locked. In the Device Manager tab, you can right-click an ADOM and select Lock from the right-click menu. While the ADOM is locked you can edit it; all other administrators must wait until you unlock the ADOM.

In the Policy & Objects tab, you can select to lock the ADOM from the toolbar. When the ADOM is locked, all policy packages and objects in that ADOM are locked and read-only to other administrators until you finish your edits and unlock the ADOM.

Policy Package locking allows you to lock a specific policy package without locking the ADOM. In the Policy & Objects tab, select the ADOM from the drop-down list, select the policy package, right-click and select Lock & Edit from the right-click menu.

When a policy package is locked, other administrators are not able to lock the ADOM in the Device Manager or Policy & Objects tabs. The policy package is displayed as locked. Other administrators can however lock and edit other policy packages in the same ADOM.

When the policy package is locked, the administrator can edit the policy package as required and access the following options in the left side tree right-click menu: Install Wizard, Export, Policy Check, Save, and Unlock. Before unlocking the policy package, select Save in the toolbar or right-click menu to save changes made to the policy package for the session.

Although another administrator can select to lock and edit an unlocked policy package, neither administrator is able to create a new policy package or edit the object database. To create a new policy package or edit the object database, the ADOM must be locked.

When an ADOM or policy package is locked, the lock is automatically released by an admin idle timeout or by closing the browser window. Any unsaved changes will be lost. Always ensure that changes are saved using the save option in the toolbar or right-click menu.
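The rules above interact in ways that are easy to get wrong when several administrators share an ADOM (a package lock blocks the ADOM lock but not other package locks; object edits and new packages always need the ADOM lock; an idle timeout discards whatever was not saved). The following Python is an added model of those rules, not FortiManager code: the Workspace class, its method names and the administrators and package names used in the usage are assumptions for the example, while the check in each method comes from the text.

```python
"""Model of the FortiManager 5.2 ADOM / policy package locking rules (added example, not
FortiManager code). The Workspace class, its method names and the admin and package names
are assumptions for the example; the rules encoded in each method come from the text."""


class LockDenied(Exception):
    """Raised when the locking rules refuse an operation."""


class Workspace:
    """One ADOM: a single ADOM lock plus independent per-package locks."""

    def __init__(self, packages, workspace_enabled=True):
        self.workspace_enabled = workspace_enabled   # 'workspace' enabled from the CLI
        self.adom_lock = None                        # admin holding the ADOM lock
        self.pkg_locks = {}                          # package -> admin holding Lock & Edit
        self.saved = {p: [] for p in packages}       # committed edits per package
        self.unsaved = []                            # (admin, target, edit) not yet saved

    def lock_adom(self, admin):
        """Lock the whole ADOM; refused while another admin holds any package lock."""
        self._require_workspace()
        if self.adom_lock not in (None, admin):
            raise LockDenied(f"ADOM locked by {self.adom_lock}")
        others = {a for a in self.pkg_locks.values() if a != admin}
        if others:
            raise LockDenied(f"policy package(s) locked by {sorted(others)}")
        self.adom_lock = admin

    def lock_package(self, admin, pkg):
        """Lock & Edit one package without locking the ADOM."""
        self._require_workspace()
        if pkg not in self.saved:
            raise KeyError(pkg)
        if self.adom_lock not in (None, admin):
            raise LockDenied(f"ADOM locked by {self.adom_lock}; {pkg} is read-only")
        if self.pkg_locks.get(pkg, admin) != admin:
            raise LockDenied(f"{pkg} locked by {self.pkg_locks[pkg]}")
        self.pkg_locks[pkg] = admin

    def edit_package(self, admin, pkg, edit):
        """Editing a package needs the ADOM lock or the lock on that package."""
        if self.adom_lock != admin and self.pkg_locks.get(pkg) != admin:
            raise LockDenied(f"{admin} holds neither the ADOM lock nor the lock on {pkg}")
        self.unsaved.append((admin, pkg, edit))

    def edit_objects(self, admin, edit):
        """The object database is outside the package workspace: ADOM lock required."""
        if self.adom_lock != admin:
            raise LockDenied("object database edits need the ADOM lock")
        self.unsaved.append((admin, "<objects>", edit))

    def create_package(self, admin, pkg):
        """Creating a package also needs the ADOM lock."""
        if self.adom_lock != admin:
            raise LockDenied("creating a package needs the ADOM lock")
        self.saved[pkg] = []

    def save(self, admin):
        """Save (toolbar or right-click): commit this admin's pending edits."""
        pending = [e for e in self.unsaved if e[0] == admin]
        self.unsaved = [e for e in self.unsaved if e[0] != admin]
        for _, target, edit in pending:
            self.saved.setdefault(target, []).append(edit)

    def release(self, admin):
        """Unlock, idle timeout or closed browser: locks go and unsaved edits are lost.

        Returns the edits that were lost so a caller can see what a missing Save costs."""
        lost = [edit for owner, _, edit in self.unsaved if owner == admin]
        self.unsaved = [e for e in self.unsaved if e[0] != admin]
        self.pkg_locks = {p: a for p, a in self.pkg_locks.items() if a != admin}
        if self.adom_lock == admin:
            self.adom_lock = None
        return lost

    def _require_workspace(self):
        if not self.workspace_enabled:
            raise LockDenied("enable workspace mode from the CLI before locking")


def denied(operation, *args):
    """True if the rules refuse the operation; handy for walking through scenarios."""
    try:
        operation(*args)
    except LockDenied:
        return True
    return False


if __name__ == "__main__":
    ws = Workspace(["pkg-branch", "pkg-hq"])
    ws.lock_package("alice", "pkg-branch")
    ws.lock_package("bob", "pkg-hq")            # a second package in the same ADOM is fine
    print("bob may lock ADOM:", not denied(ws.lock_adom, "bob"))   # False: alice holds a package
    ws.edit_package("alice", "pkg-branch", "add policy 10")
    print("lost on alice's timeout:", ws.release("alice"))         # the unsaved edit
```

The `release` return value is the practical point: an idle timeout or a closed browser discards edits exactly like an explicit Unlock without Save, so a session that has been sitting in Lock & Edit for a while should be saved before anything else is done.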

Import improvements

The following improvements have been made to the import operation:

  • Auto resynchronization when tunnel re-up: After changes are made to a FortiGate, when the tunnel comes back online, the changes are auto-synchronized to FortiManager. The device manager database is always in sync with the FortiGate and the out-of-sync condition has been removed.
  • Detect FortiGate changes that impact policy & objects: FortiManager can now detect when settings were changed directly on the FortiGate and reflect them in the related policy and object settings. This lets you know when the policy package is out of sync with what is installed on the FortiGate. You can either re-apply the package or modify the policy package.
  • Warning when overwrite an existing policy package: FortiManager now displays a warning dialog box allowing you to decide to either overwrite the policy package, cancel the import, or import the policy package under a different name.

Policy & Objects display options improvement

When importing objects or policy types, FortiManager will detect whether or not the related display option is enabled. If it is not, FortiManager will prompt the user via a dialog box to enable the display options item.

Central WiFi management improvements

The following improvements have been made to central WiFi management:

  • Wireless Profiles have been renamed Custom AP Profiles
  • Create, edit, and delete APs
  • Assign AP profiles to multiple APs
  • Consistent replacement messages between FortiGate and FortiManager
  • Customize Captive Portal messages per SSID



FortiManager 5.2 Administration Guide – Introduction

Introduction

FortiManager Security Management appliances allow you to centrally manage any number of Fortinet Network Security devices, from several to thousands, including FortiGate, FortiWiFi, and FortiCarrier. Network administrators can better control their network by logically grouping devices into administrative domains (ADOMs), efficiently applying policies and distributing content security/firmware updates. FortiManager is one of several versatile Network Security Management Products that provide a diversity of deployment types, growth flexibility, advanced customization through APIs and simple licensing.

FortiManager features

FortiManager provides the following features:

  • Provides easy centralized configuration, policy-based provisioning, update management and end-to-end network monitoring for your Fortinet installation,
  • Segregate management of large deployments easily and securely by grouping devices and agents into geographic or functional administrative domains (ADOMs),
  • Reduce your management burden and operational costs with fast device and agent provisioning, detailed revision tracking, and thorough auditing capabilities,
  • Easily manage complex mesh and star VPN environments while leveraging FortiManager as a local distribution point for software and policy updates,
  • Seamless integration with FortiAnalyzer appliances provides in-depth discovery, analysis, prioritization and reporting of network security events,
  • Quickly create and modify policies/objects with a consolidated, drag and drop enabled, in-view editor,
  • Script and automate device provisioning, policy pushing, etc. with JSON APIs or build custom web portals with the XML API,
  • Leverage powerful device profiles for mass provisioning and configuration of managed devices,
  • Centrally control firmware upgrades and content security updates from FortiGuard Center Threat Research & Response,
  • Deploy with either a physical hardware appliance or virtual machine with multiple options to dynamically increase storage.
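The JSON API mentioned in the list is what most automation against FortiManager is built on, and the part worth getting right is session handling: log in once, carry the returned session token in every later request, check the per-request status code, and log out. The following Python is an added example, not Fortinet code. The request and response shape it assumes (a POST to /jsonrpc carrying method, params and id; login via exec on /sys/login/user returning a session token that later requests echo in a session member; get on /dvmdb/device for the inventory) is taken from the JSON API and is not described on this page; the FakeServer, its status codes and messages, the hostname, credentials and device list are constructed so the block runs without an appliance.

```python
"""Session handling against the FortiManager JSON-RPC API (added example, not Fortinet code).

Assumed: POST to /jsonrpc; login via exec on /sys/login/user returns a session token that
every later request carries in "session". FakeServer and its data are constructed."""
import json
import urllib.request

JSONRPC_PATH = "/jsonrpc"   # assumed endpoint


class FortiManagerRPC:
    """One logged-in session; the default transport is HTTPS with certificate checks left on."""

    def __init__(self, base_url, transport=None):
        self.base_url = base_url.rstrip("/")
        self.session = None
        self._id = 0
        self._transport = transport or self._http_post

    @staticmethod
    def _http_post(url, body):
        req = urllib.request.Request(url, data=body, method="POST",
                                     headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:   # verifies the server certificate
            return resp.read()

    def call(self, method, url, **params):
        """Send one request; raise on a non-zero status code or a mismatched id."""
        self._id += 1
        payload = {"method": method, "params": [{"url": url, **params}], "id": self._id}
        if self.session:
            payload["session"] = self.session
        reply = json.loads(self._transport(self.base_url + JSONRPC_PATH,
                                           json.dumps(payload).encode()))
        if reply.get("id") != self._id:
            raise RuntimeError("response id does not match request id")
        result = reply["result"][0]
        status = result["status"]
        if status["code"] != 0:
            raise RuntimeError(f"{method} {url}: {status['message']} ({status['code']})")
        return reply, result

    def login(self, user, password):
        reply, _ = self.call("exec", "/sys/login/user", data={"user": user, "passwd": password})
        self.session = reply["session"]
        return self.session

    def get_devices(self):
        return self.call("get", "/dvmdb/device")[1]["data"]

    def logout(self):
        self.call("exec", "/sys/logout")
        self.session = None


class FakeServer:
    """Offline stand-in that enforces credentials and session tokens (codes are constructed)."""

    def __init__(self, user, password):
        self.creds = (user, password)
        self.sessions = set()
        self.received = []
        self.devices = [{"name": "FGT-branch-1", "sn": "FGT60D0000000001", "os_ver": "5.2"}]

    def __call__(self, url, body):
        req = json.loads(body)
        self.received.append(req)
        p = req["params"][0]
        result = {"status": {"code": 0, "message": "OK"}, "url": p["url"]}
        reply = {"id": req["id"], "result": [result]}
        if req["method"] == "exec" and p["url"] == "/sys/login/user":
            if (p["data"]["user"], p["data"]["passwd"]) != self.creds:
                result["status"] = {"code": -22, "message": "Login fail"}
            else:
                reply["session"] = f"sess-{len(self.sessions) + 1}"
                self.sessions.add(reply["session"])
        elif req.get("session") not in self.sessions:
            result["status"] = {"code": -11, "message": "No permission for the resource"}
        elif req["method"] == "get" and p["url"] == "/dvmdb/device":
            result["data"] = self.devices
        elif req["method"] == "exec" and p["url"] == "/sys/logout":
            self.sessions.discard(req["session"])
        return json.dumps(reply).encode()


def demo():
    """Scenario: call before login, wrong password, good login, inventory, logout."""
    server = FakeServer("admin", "s3cret")
    fmg = FortiManagerRPC("https://fmg.example.net", transport=server)
    out = {}
    for key, action in (("unauthenticated", fmg.get_devices),
                        ("bad_password", lambda: fmg.login("admin", "wrong"))):
        try:
            action()
            out[key] = "allowed"
        except RuntimeError as err:
            out[key] = str(err)
    out["session"] = fmg.login("admin", "s3cret")
    out["devices"] = [d["name"] for d in fmg.get_devices()]
    fmg.logout()
    out["session_after_logout"] = fmg.session
    out["requests_seen"] = len(server.received)
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two habits the block keeps that are worth carrying into real scripts: the status code is checked on every call rather than only on login, since the transport returns HTTP 200 even when the API refuses the request, and the session token is explicitly invalidated with a logout rather than left to expire on the appliance.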

FortiManager system architecture emphasizes reliability, scalability, ease of use, and easy integration with third-party systems.

FortiManager feature set

The FortiManager feature set includes the following modules:

  • Device Manager
  • Policy & Objects
  • FortiGuard
  • System Settings