Tag Archives: fortimanager admin guide

What’s New In FortiManager version 5.2

What’s New in FortiManager version 5.2

FortiManager version 5.2 includes the following new features and enhancements. Always review all sections in the FortiManagerRelease Notes prior to upgrading your device.

FortiManager version 5.2.1

FortiManager version 5.2.1 includes the following new features and enhancements.

  • Toolbar buttons for the Policy section. l Install for admin with Restricted profile.
  • Approval matrix for Workflow.
  • IPv6 support for FG-FM connections. l Unify JSON APIs with XML APIs. l Added version to JSON APIs for Policy Package & Objects. l Common ADOM version for FortiOS v5.0 and v5.2.
  • A message is displayed when the database is upgrading or rebuilding. The message contains the estimated time to complete the action. l Optional dynamic VIP default values.

FortiManager version 5.2.0

FortiManager version 5.2.0 includes the following new features and enhancements.

Workflow mode

Workflow mode is a new global mode to define approval or notification workflow when creating and installing policy changes. Workflow mode is enabled via the CLI only. When workflow mode is enabled, the admin will have a new option in the admin profile page to approve/reject workflow requests.

For administrators with the appropriate permissions, they will be able to approve or reject any pending requests. When viewing the session list, they can choose any sessions that are pending and click the approve/reject buttons. They can add a note to the approval/rejection response. The system will send a notification to the admin that submitted the session. If the session was approved, no further action is required. If the session was rejected, the admin will need to log on and repair their changes. Once they create a session, the admin will make their repair on top of the last session changes.

When you want to start a workflow, go to the Policy & Objects tab, select the ADOM from the drop-down list, lock the ADOM, and click the Start Session button. You can then proceed to make changes to policies and objects. When you are done making changes, click the Save button and then the Submit button. Once the session is submitted, the lock is released and other administrators may initiate a session.

The session list allows user to view any pending requests for approval or active sessions. The session list displays details of each session and allows you to browse the changes performed for the selected session.

To enable and disable workflow mode:

  1. Select the System Settings tab in the navigation pane.
  2. Go to System Settings > Dashboard.
  3. In the CLI Console widget type the following CLI command:

config system global set workspace-mode {workflow | disabled}

end

The FortiManager session will end and you must log back into the FortiManager system.

Advanced CLI-Only Objects menu

An advanced CLI-Only Objects menu has been added in the Device Manager and Policy & Objects tabs which allows you to configure device settings which are normally configured via the at the CLI on the device. This menu includes commands which are only available in the CLI.

VPN Monitor menu in Device Manager

A VPN monitor tree menu has been added to provide real-time VPN status information including which users are connected to the FortiGate selected. The menu contains a Central IPsec and a Central SSL-VPN monitor. For IPsec VPN, you can select to bring the tunnel up or down using the right-click menu.

FortiToken two-Factor authentication for admin log in

FortiManager now supports FortiToken two-factor authentication for administrator logon. When creating a new administrator, select Type > RADIUS, and select the FortiAuthenticator server in the RADIUS server drop-down list.

 

FortiToken is authenticated via FortiAuthenticator. When configured, the user will be prompted to type the FortiToken code after entering their user name and password.

Successful authentication will provide the user with permission to the FortiManager and will generate a logon event log on the FortiAuthenticator.

UUID support

In FortiOS version 5.2, a universally unique identifier (UUID) attribute has been added to some firewall objects, so that the logs can record these UUIDs to be used by a FortiManager or FortiAnalyzer unit. When installing a configuration to a FortiOS v5.2 device, a single UUID is used for the same object or policy across all managed FortiGates.

In the FortiView > Log View tab, you can select a log entry, right-click, and select Jump to Policy from the pop-up menu to view the policy associated with the log message. In the Policy & Objects tab, you can select a policy, rightclick, and select Show Matching Logs from the pop-up menu to view any logs associated with the policy.

Dynamic address group

A new option has been added to allow an address group to be a dynamic group. Group mappings can be configured for specific devices.

Dynamic mapping management improvements

The following improvements have been made to dynamic mapping management:

l Convert an address to a dynamic address l A radio button has been added to allow you to turn dynamic mapping on or off for various firewall objects. When dynamic mapping is enabled, you can view existing mappings or create a new dynamic mapping. l Dynamic address with mapping table

In dynamic address mode, the table of mappings is displayed allowing you to add, edit, or delete device mapping.

When editing a mapping, the settings are displayed in a pop-up dialog box.

Object Web-based Manager enhancements

When creating or editing objects in Policy & Objects, a dialog box is displayed similar to the policy dialog box.

Central AP management improvements

Access points that are managed by the FortiGate units managed by the FortiManager device can be configured from the All FortiAP group in the tree menu of the Device Manager tab. In FortiManager v5.2 you can now apply column filters to organize and drill down the information displayed. The right-click menu now includes options to assign a profile, create new, edit, delete, authorize, deauthorize, upgrade, restart, refresh, view clients, and view rogue APs. You can also assign tags to FortiAPs to make it easier to group and filter devices by the tags.

Improved logging of script execution

FortiManager now includes several logs for scripting functions including: creating scripts, groups, and installing scripts.

Firmware version displayed is consistent with FortiOS

FortiManager v5.2 uses the firmware naming convention ‘5.2.0’, where the first digit reflects the version, the second digit reflects the release, and the third digit reflects the patch. This change is consistent with FortiOS v5.2.0 changes. All references to the firmware version in the Web-based Manager and have been updated to this new format. Update service to FortiWeb

FortiManager v5.2 can now provide antivirus updates to FortiWeb.

FortiExtender support

When adding a FortiGate to FortiManager that is managing a FortiExtender, the FortiExtender will be available in an All FortiExtender group in the ADOM. You can authorize, deauthorize, upgrade, restart, edit, and view the status of the FortiExtender from the right-click menu.

Restricted Admin profiles

Create restricted admin profiles to allow a delegated administrator to manage their ADOM’s security profiles. You can allow the delegated administrator to make changes to the Web Filter profile, IP sensor, and Application sensor associated with their ADOM.

Flexible FortiGuard Distribution Server (FDS) override list management

The System Template now allows you to configure multiple override servers, FortiManager, and FortiGuard servers into one list. You can provide services to FortiGates using this template. When adding new servers, you can select the server type, update, rating or both. This feature allows you to manage FortiGates with different override lists.

Model device improvements

The Add Model Device option in the Device Wizard has been updated to allow you to provisioning a single device or multiple devices more efficiently. When adding a device, only the FortiGate serial number and FortiOS version are required. A new option has been added to allow you to add multiple devices by importing a Comma Separated Value (CSV) file with the required information.

Once the model device is added to FortiManager you can assign the device to an ADOM, assign a policy package, and associate it with a provisioning template. When an unregistered FortiGate with a matching serial number connects to FortiManager, you can install the model device configuration.

Enable the FortiAnalyzer feature set in the Web-based Manager

In FortiManager version 5.0.6 or earlier, the FortiAnalyzer feature set was enabled or disabled via the CLI only. In

FortiManager v5.2.0 or later, you can also enable or disable these features in the Web-based Manager. To enable the FortiAnalyzer feature set, go to System Settings > Dashboard. In the System Information widget, select [Enabled] beside FortiAnalyzerFeatures.

FortiSandbox support

FortiSandbox version 1.4 can be centrally managed by a FortiManager running version 5.2.0 or later.

Policy package locking

In FortiManager version 5.2 you can lock and edit a policy package without locking the ADOM. When the policy package is locked, other users are unable to lock the ADOM or edit the locked policy package. The policy package is edited in a private workspace. Only the policy package is in the workspace, not the object database. When locking and editing a policy package, the object database remains locked. The policy package lock status is displayed in the toolbar.

Before you can lock an ADOM or policy package, you must first enable workspace to disable concurrent ADOM access from the CLI.

When workspace is enabled, all ADOMs and policy packages are read-only. In the Device Manager tab, you can rightclick an ADOM and select Lock from the right-click menu. When the ADOM is locked you can edit the ADOM, all other administrators need to wait until you unlock the ADOM.

In the Policy & Objects tab, you can select to lock the ADOM from the toolbar. When the ADOM is locked, all policy packages and objects in that ADOM are locked and read-only to other administrators until you finish your edits and unlock the ADOM.

Policy Package locking allows you to lock a specific policy package without locking the ADOM. In the Policy & Objects tab, select the ADOM from the drop-down list, select the policy package, right-click and select Lock & Edit from the right-click menu.

When a policy package is locked, other administrators are not able to lock the ADOM in the Device Manager or Policy & Objects tabs. The policy package is displayed as locked. Other administrators can however lock and edit other policy packages in the same ADOM.

When the policy package is locked, the administrator can edit the policy package as required and access the following options in the left side tree right-click menu: Install Wizard, Export, Policy Check, Save, and Unlock. Before unlocking the policy package, select Save in the toolbar or right-click menu to save changes made to the policy package for the session.

Although another administrator can select to lock and edit an unlocked policy package, neither administrator is able to create a new policy package or edit the object database. To create a new policy package or edit the object database, the ADOM must be locked.

When an ADOM or policy package is locked, the lock is automatically released by an admin idle timeout or by closing the browser window. Any unsaved changes will be lost. Always ensure that changes are saved using the save option in the toolbar or right-click menu.

Import improvements

The following improvements have been made to the import operation:

  • Auto resynchronization when tunnel re-up: After changes are made to a FortiGate, when the tunnel comes back online, the changes are auto-synchronized to FortiManager. The device manager database is always in sync with the FortiGate and the out-of-sync condition has been removed.
  • Detect FortiGate changes that impact policy & objects: FortiManager now is able to detect when the settings were changed on the FortiGate and synchronized back to the related policy and object settings. This allows you to know when the policy package is out-of-sync with what is installed on the FortiGate. You can either re-apply the changes or modify the policy package.
  • Warning when overwrite an existing policy package: FortiManager now displays a warning dialog box allowing you to decide to either overwrite the policy package, cancel the import, or import the policy package under a different name.

Policy & Objects display options improvement

When importing objects or policy types, FortiManager will detect whether or not the related display option is enabled. If it is not, FortiManager will prompt the user via a dialog box to enable the display options item.

Central WiFi management improvements

The following improvements have been made to central WiFi management:

l Wireless Profiles have been renamed Custom AP Profiles l Created, edit, and delete APs l Assign AP profiles to multiple APs l Consistent replacement messages between FortiGate and FortiManager l Customize Captive Portal messages per SSID.

Central AP management improvements

Access points that are managed by the FortiGate units managed by the FortiManager device can be configured from the All FortiAP group in the tree menu of the Device Manager tab. In FortiManager v5.2.1 you can now apply column filters to organize and drill down the information displayed. The right-click menu now includes options to assign a profile, create new, edit, delete, authorize, deauthorize, upgrade, restart, refresh, view clients, and view rogue APs.

You can also assign tags to FortiAPs to make it easier to group and filter devices by the tags.

 

FortiManager Admin Guide Incoming

Had a question come in that made me do some more follow up on some specifics regarding the FortiManager. Just realized I hadn’t added the Administrative Guides for the FortiManager to the site yet. I will be adding these later tonight when I return for the gym. God this site has a long way to go to hit the  goals I have for it. Sorry for the delays!