Tag Archives: fortimanager guide

Event Management – FortiManager 5.2

Event Management

In the Event Management tab you can configure event handlers based on log type and logging filters. You can select to send the event to an email address, SNMP community, or syslog server. Events can be configured per device, for all devices, or for the local FortiManager. You can create event handlers for FortiGate, FortiCarrier, FortiCache, FortiMail, FortiManager, FortiWeb, FortiSandbox devices, and syslog servers. In v5.2.0 or later, Event Management supports local FortiManager event logs.

Events can also be monitored, and the logs associated with a given event can be viewed.

When rebuilding the SQL database, Event Management will not be available until after the rebuild is completed. Select the Show Progress link in the message to view the status of the SQL rebuild.

Events

The events page provides a list of the generated events. Right-clicking on an event in the table gives you the option of viewing event details including the raw log entries associated with that event, adding review notes, and acknowledging the event.

To view events, go to the Event Management tab and select Event Management > All Events. You can also view events by severity and by handler. When ADOMs are enabled, select the ADOM, and then select All Events.

Events page

The following information is displayed:

Events

Count The number of log entries associated with the event. Click the heading to sort events by count.
Event Name The name of the event. Click the heading to sort events by event name.
Severity The severity level of the event. Event severity level is a user configured variable. The severity can be Critical, High, Medium, or Low. Click the heading to sort events by severity.
Event Type The event type. For example, Traffic or Event. Click the heading to sort events by event type. IPS and Application Control event names are links. Select the link to view additional information.
Additional Info Additional information about the event. Click the heading to sort events by additional information.
Last Occurrence The date and time that the event was created and added to the events page. Click the heading to sort events by last occurrence.
Pagination Adjust the number of logs that are listed per page and browse through the pages.

Log View – FortiManager 5.2

Log view

Logging and reporting can help you determine what is happening on your network, as well as informing you of certain network activity, such as the detection of a virus, or IPsec VPN tunnel errors. Logging and reporting go hand in hand, and can become a valuable tool for information gathering, as well as displaying the activity that is happening on the network.

Your FortiManager device collects logs from managed FortiGate, FortiCarrier, FortiCache, FortiMail, FortiManager, FortiSandbox, FortiWeb, FortiClient, and syslog servers.

Collected logs

Device Type Log Type
FortiGate Traffic

Event: Endpoint, HA, System, Router, VPN, User, WAN Opt. & Cache, and Wireless

Security: Vulnerability Scan, AntiVirus, Web Filter, Application Control, Intrusion Prevention, Email Filter, Data Leak Prevention FortiClient

VoIP

Content logs are also collected for FortiOS 4.3 devices.

FortiCarrier Traffic, Event
FortiCache Traffic, Event, Antivirus, Web Filter
FortiClient Traffic, Event
FortiMail History, Event, Antivirus, Email Filter
FortiManager Event
FortiSandbox Malware, Network Alerts
FortiWeb Event, Intrusion Prevention, Traffic
Syslog Generic

Scripts – FortiManager 5.2

Scripts

Scripts must be configured to be displayed before they are accessible as described in this chapter. Go to System Settings > Admin > Admin Settings and select Show Script from the Display Options on GUI section to make it visible in the Web-based Manager. For more information, see Administrator settings.

Additional configuration options and short-cuts are available using the right-click menu. Right-click the mouse on different navigation panes in the Web-based Manager page to access these options.

FortiManager scripts enable you to create, execute, and view the results of scripts executed on FortiGate devices, policy packages, the ADOM database, the global policy package, or the DB. Scripts can also be filtered based on different device information, such as OS type and platform.

At least one FortiGate device must be configured in the FortiManager system for you to be able to use scripts.

Scripts can be written in one of two formats:

  • A sequence of FortiGate CLI commands, as you would type them at the command line. A comment line starts with the number sign (#). A comment line will not be executed.
  • Tcl scripting commands to provide more functionality to your scripts including global variables and decision structures.

When writing your scripts, it is generally easier to write them in a context-sensitive editor, and then cut and paste them into the script editor on your FortiManager system. This can help avoid syntax errors and can reduce the amount of troubleshooting required for your scripts.
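A check of this kind can be run on a CLI-format script before it is pasted into the script editor. The following is an added example, not code from the FortiManager guide: the function names and the sample script are constructed here, and it assumes the standard FortiGate CLI block structure (config/edit/next/end), which this page does not spell out. Tcl scripts are not covered.

```python
# Added example: pre-import check for a FortiGate CLI-format script.
# Assumption: blocks follow the FortiGate CLI structure config/edit/next/end.
# Tcl-format scripts are out of scope for this check.

# Constructed sample script; the second block is missing its closing "end".
SAMPLE_SCRIPT = """\
# restrict management access on port1
config system interface
    edit "port1"
        set allowaccess https ssh
    next
end
# shorten the idle timeout for administrators
config system global
    set admintimeout 10
"""


def split_script(text):
    """Separate executable lines from comment lines, keeping line numbers."""
    commands, comments = [], []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        # A comment line starts with the number sign and is not executed.
        if line.startswith("#"):
            comments.append((number, line))
        else:
            commands.append((number, line))
    return commands, comments


def check_script(text):
    """Return a list of structural problems found in a CLI-format script."""
    commands, _ = split_script(text)
    stack = []      # open blocks as (keyword, line_number)
    problems = []
    for number, line in commands:
        word = line.split()[0].lower()
        top = stack[-1][0] if stack else None
        if word == "config":
            stack.append(("config", number))
        elif word == "edit":
            if top == "config":
                stack.append(("edit", number))
            else:
                problems.append(
                    f"line {number}: 'edit' is not directly inside a config block")
        elif word == "next":
            if top == "edit":
                stack.pop()
            else:
                problems.append(f"line {number}: 'next' without an open 'edit'")
        elif word == "end":
            # 'end' typed inside an edit saves the entry and closes the table.
            if top == "edit":
                stack.pop()
                top = stack[-1][0] if stack else None
            if top == "config":
                stack.pop()
            else:
                problems.append(f"line {number}: 'end' without an open 'config'")
        elif word in ("set", "unset") and top is None:
            # A setting typed at the top level would not land in any object.
            problems.append(f"line {number}: '{word}' outside any config block")
    # Anything still open at the end of the script was never closed.
    for keyword, number in stack:
        problems.append(f"line {number}: '{keyword}' is never closed")
    return problems


if __name__ == "__main__":
    for problem in check_script(SAMPLE_SCRIPT):
        print(problem)
```

An unclosed block matters because every later command in the script runs in that block's context rather than at the top level, so the device can end up with a configuration the author did not intend.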

For information about scripting commands, see the FortiGate CLI reference.

Configuring scripts

To configure, import, export, or run scripts, go to the Device Manager tab, expand an ADOM view in the tree menu, and then select Scripts > Script. To configure script groups, go to Scripts > CLI Script Group. The script list for the selected ADOM will be displayed.

Script list

The following information is displayed:

Name The user-defined script name.
Type The script type.
Target The script target. One of the following:

  • Device Database
  • Policy Package, ADOM Database
  • Remote FortiGate Directly (via CLI)

Comments User defined comment for the script.
Last Modified The date and time that the script was last modified.

The following options are available:

Create New Select to create a new script.
Import Select to import a script from your management computer. Type a name, description, select Tcl type if applicable, and browse for the file on your management computer. Select submit to import the script to FortiManager.
Run Select a script in the table, right-click, and select Run in the menu to run the script against the target selected. When selecting to run a script against a policy package, select the policy package from the drop-down list in the dialog window. When selecting to run a script against a device or database, select the device in the tree menu in the dialog window.
New Select a script in the table, right-click, and select New in the menu to create a new script.
Edit Select a script in the table, right-click, and select Edit in the menu to edit the script selected.
Clone Select a script in the table, right-click, and select Clone in the menu to clone the script selected.
Delete Select a script in the table, right-click, and select Delete in the menu to delete the script selected.
Export Select a script in the table, right-click, and select Export in the menu to export the script as a .txt file to your management computer.
Select All Select Select All in the right-click menu to select all scripts in the table and select Delete to delete all selected scripts.
Search Search the scripts by typing a search term in the search field.

Device Manager – FortiManager 5.2

Device Manager

Use the Device Manager tab to view and configure managed devices. This chapter covers navigating the Device Manager tab, viewing devices, managing devices, managing FortiAP access points, and managing FortiExtender wireless WAN extenders. For information on adding devices, and installing policy packages see FortiManager Wizards.

Additional configuration options and short-cuts are available using the right-click context menu. Right-click the mouse on different parts of the navigation panes on the Web-based Manager page to access these context menus.

The Device Manager tab provides access to devices and groups, provisioning templates, scripts, and VPN monitor menus.

Device manager layout

The Device Manager tab includes the following menus:

Devices & Groups View and configure managed and logging devices per ADOM. Use the toolbar to add devices, device groups, and launch the install wizard.
Provisioning Templates Configure provisioning templates. For information on system, WiFi, Threat Weight, FortiClient, and certificate templates, see Provisioning Templates.
Scripts Create new or import scripts. Scripts is disabled by default. You can enable this advanced configuration option in System Settings > Admin > Admin Settings.

Select Show Script to enable this option in the Device Manager tab tree menu.

For more information on scripts, see Scripts.

VPN Monitor Select VPN Monitor to view Central IPsec and Central SSL-VPN menus. These menus allow you to monitor the VPN connections for the ADOM in a central location. You can also bring up or bring down VPN connections.

Viewing managed/logging device

You can view the dashboard and related information of all managed/logging and provisioned devices.

This section contains the following topics:

  • Using column filters
  • View managed/logging devices
  • Dashboard widgets

Using column filters

You can filter each column, by selecting the column header. Use the right-click menu to access the context menu to add or remove columns.

The following table describes the columns and the filters available per column.

Column filters
Column Filters
Device Name Click on the column header to sort the entries in ascending or descending order (alphabetic).
Config Status Filter by configuration status:

  • Synchronized
  • Synchronized from AutoUpdate
  • Out of Sync
  • Pending
  • Warning
  • Unknown

Hover the cursor icon over the column icon for additional information.

Policy Package Status Filter by policy package status:

  • Imported
  • Installed
  • Modified
  • Never Installed
  • Unknown

Hover the cursor icon over the column icon for additional information.

Hostname Click on the column header to sort the entries in ascending or descending order (alphabetic).
Connectivity Filter by connectivity status:

  • Connected
  • Connection Down
  • Unknown

Hover the cursor icon over the column icon for additional information.

IP Click on the column header to sort the entries in ascending or descending order (numeric).
Platform Click on the column header to sort the entries in ascending or descending order (alphabetic).
Logs Click on the column header to sort the entries in ascending or descending order (log status).
Quota Click on the column header to sort the entries in ascending or descending order (device log quota). Hover the cursor icon over the column icon for additional information.
Log Connection Click on the column header to sort the entries in ascending or descending order (log connection status). The log connection can be one of the following states:

  • IPsec Tunnel is up
  • IPsec Tunnel is down
  • IPsec Tunnel is disabled

Hover the cursor icon over the column icon for additional information.

FortiGuard License Filter by license status:

  • Valid
  • Expired
  • Unknown

Hover the cursor icon over the column icon for additional information.

Firmware Version Click on the column header to sort the entries in ascending or descending order (firmware version).
Description Click on the column header to sort the entries in ascending or descending order (description).

You can left-click the description cell to add a description to the entry.

Select OK to save the change.

Other Filter by Description, Contact, City, Province, Country, Company.

View managed/logging devices

You can view information about individual devices in the Device Manager tab. This section describes the FortiGate unit summary.

To view managed/logging devices:

  1. Select the Device Manager tab.
  2. Select the ADOM from the drop-down list.
  3. Select the device group, for example Managed FortiGates, in the tree menu.

When the FortiAnalyzer feature set is enabled, the All FortiGates device group is replaced with Managed FortiGates and Logging FortiGates. Managed FortiGates include FortiGate devices which are managed by FortiManager but do not send logs. Logging FortiGates include FortiGate devices which are not managed, but do send logs to FortiManager.

  4. Select a device or VDOM from the list of managed devices. The device dashboard and related information is shown in the left content pane.
Device dashboard
Dashboard toolbar

The dashboard toolbar allows you to select the content, or panel, that is shown in the content pane.

The dashboard toolbar displays the device name and current panel on the right-hand side. Hovering the cursor over the Menu drop-down menu, on the left-hand side of the toolbar, will display the available panels organized into categories.

System Settings FortiManager 5.2

System Settings
The System Settings tab enables you to manage and configure the basic system options for the FortiManager unit. This includes the basic network settings to connect the device to the corporate network, the configuration of administrators and their access permissions, managing and updating firmware for the device and configuring logging and access to the FortiGuard Update Service for updates.
The System Settings tab provides access to the following menus and sub-menus:
Dashboard The Dashboard page displays widgets that provide performance and status information and enable you to configure basic system settings.
All ADOMs The All ADOMS page is only available when ADOMs are enabled. It lists all of the ADOMs, version, devices, VPN management, number of policy packages and alert device information.
On this page you can create, edit, delete and upgrade ADOMs. You can also view the alert device details.
RAID management The RAID Management page displays information about the status of RAID, as well as what RAID level has been selected and how much disk space is currently consumed.
Network The Network page provides routing and interface management options. It also provides access to diagnostic tools, such as ping, and a detailed listing of all currently configured interfaces.
High availability The HA page allows you to configure operation mode and cluster settings.
Admin Select this menu to configure administrator user accounts, as well as configure global administrative settings for the FortiManager unit.
Administrator Profile Workflow Approval Remote authentication server Administrator settings
Certificates The Certificates section allows you to configure local and CA certificates, and Certificate revocation lists (CRLs).
Event log View log messages that are stored in memory or on the internal hard disk. On this page you can view historical or real-time logs and download event logs.
Task monitor The Task Monitor page allows you to view the status of the tasks that you have performed.

Advanced Select to configure mail server settings, remote output, Simple Network Management Protocol (SNMP), meta field data and other advanced settings.
Sub-menus: SNMP, Mail server, Syslog server, Meta fields, Device log settings, File management, Advanced settings, Portal users
Dashboard
When you select the System Settings tab, it automatically opens at the System Settings > Dashboard page.
The Dashboard displays widgets that provide performance and status information and enable you to configure basic system settings. The dashboard also contains a CLI widget that allows you to use the command line through the Web-based Manager. All of the widgets appear on a single dashboard, which can be customized as desired.
FortiManager system dashboard

The following widgets are available:
System Information Displays basic information about the FortiManager system, such as up time and firmware version. You can also enable or disable Administrative Domains and FortiAnalyzer features. For more information, see System Information widget. From this widget you can manually update the FortiManager firmware to a different release. For more information, see Firmware images.
License Information Displays the devices being managed by the FortiManager unit and the maximum numbers of devices allowed. For more information, see License Information widget.
From this widget you can manually upload a license for FortiManager VM systems.
Unit Operation Displays status and connection information for the ports of the FortiManager unit. It also enables you to shutdown and restart the FortiManager unit or reformat a hard disk. For more information, see Unit Operation widget.
System Resources Displays the real-time and historical usage status of the CPU, memory and hard disk. For more information, see System Resources widget.
Alert Message Console Displays log-based alert messages for both the FortiManager unit itself and connected devices. For more information, see Alert Messages Console widget.
CLI Console Opens a terminal window that enables you to configure the FortiManager unit using CLI commands directly from the Web-based Manager. This widget is hidden by default. For more information, see CLI Console widget.
Log Receive Monitor Displays a real-time monitor of logs received. You can select to view data per device or per log type. For more information, see Log Receive Monitor widget. The Log Receive Monitor widget is available when FortiAnalyzer Features is enabled.
Logs/Data Received Displays real-time or historical statistics of logs and data received. For more information, see Logs/Data Received widget.
The Log/Data Received widget is available when FortiAnalyzer Features is enabled.
Statistics Displays statistics for logs and reports. For more information, see Statistics widget.
The Statistics widget is available when FortiAnalyzer Features is enabled.
Customizing the dashboard
The FortiManager system dashboard can be customized. You can select which widgets to display, where they are located on the page, and whether they are minimized or maximized.
To move a widget
Position your mouse cursor on the widget’s title bar, then click and drag the widget to its new location.
To add a widget
In the dashboard toolbar, select Add Widget, then select the names of widgets that you want to show. To remove a widget, select the Close icon.
Adding a widget

To reset the dashboard
Select Dashboard > Reset Dashboard from the dashboard toolbar.
To see the available options for a widget
Position your mouse cursor over the icons in the widget’s title bar. Options vary slightly from widget to widget, but always include options to close or show/hide the widget.
A minimized widget

The following options are available:
Show/Hide arrow Display or minimize the widget.
Widget Title The name of the widget.
More Alerts Show the Alert Messages dialog box.
This option appears only in the Alert Message Console widget.
Edit Select to change settings for the widget.
This option appears only in the System Resources, Alert Message Console, Logs/Data Received, and Log Receive Monitor widgets.
Detach Detach the CLI Console widget from the dashboard and open it in a separate window.
This option appears only in the CLI Console widget.
Reset Select to reset the information shown in the widget. This option appears only in the Statistics widget.
Refresh Select to update the displayed information.
Close Select to remove the widget from the dashboard. You will be prompted to confirm the action. To add the widget, select Widget in the toolbar and then select the name of the widget you want to show.
System Information widget
The system dashboard includes a System Information widget, shown in System Information widget, which displays the current status of the FortiManager unit and enables you to configure basic system settings.
System Information widget

The information displayed in the System Information widget is dependent on the FortiManager models and device settings. The following information is available on this widget:
Host Name The identifying name assigned to this FortiManager unit. Select [Change] to change the host name. For more information, see Changing the host name.
Serial Number The serial number of the FortiManager unit. The serial number is unique to the FortiManager unit and does not change with firmware upgrades. The serial number is used for identification when connecting to the FortiGuard server.
Platform Type Displays the FortiManager platform type, for example FMG-VM (virtual machine).
HA Status Displays if FortiManager unit is in High Availability mode and whether it is the Master or Slave unit in the HA cluster. For more information see High Availability.
System Time The current time on the FortiManager internal clock. Select [Change] to change system time settings. For more information, see Configuring the system time.

Firmware Version The version number and build number of the firmware installed on the FortiManager unit. To update the firmware, you must download the latest version from the Customer Service & Support website at https://support.fortinet.com. Select [Update] and select the firmware image to load from the local hard disk or network volume. For more information, see Updating the system firmware.
System Configuration The date of the last system configuration backup. The following actions are available:
  • Select [Backup] to backup the system configuration to a file; see Backing up the system.
  • Select [Restore] to restore the configuration from a backup file; see Restoring the configuration.
  • Select [System Checkpoint] to revert the system to a prior saved configuration; see Creating a system checkpoint.
Current Administrators The number of administrators that are currently logged in. The following actions are available:
  • Select [Change Password] to change your own password.
  • Select [Detail] to view the session details for all currently logged in administrators. See Monitoring administrator sessions for more information.
Up Time The duration of time the FortiManager unit has been running since it was last started or restarted.
Administrative Domain Displays whether ADOMs are enabled. Select [Enable/Disable] to change the Administrative Domain state. See Enabling and disabling the ADOM feature.
Global Database Version Displays the current Global Database version. Select [Change] to change the global database version.
Offline Mode Displays whether Offline Mode is enabled. To enable or disable Offline Mode, go to System Settings > Advanced > Advanced Settings.
FortiAnalyzer Features Displays whether FortiAnalyzer features are enabled. Select [Enable/Disable] to change the FortiAnalyzer features state.
The following options are available:
Refresh Select the refresh icon in the title bar to refresh the information displayed.
Close Select the close icon in the title bar to remove the widget from the dashboard.
Changing the host name
The host name of the FortiManager unit is used in several places.
Administration Guide
Fortinet Technologies Inc.
  • It appears in the System Information widget on the Dashboard. For more information about the System Information widget, see System Information widget.
  • It is used in the command prompt of the CLI.
  • It is used as the SNMP system name. For information about SNMP, see SNMP.
The System Information widget and the get system status CLI command will display the full host name. However, if the host name is longer than 16 characters, the CLI and other places display the host name in a truncated form ending with a tilde ( ~ ) to indicate that additional characters exist, but are not displayed. For example, if the host name is FortiManager1234567890, the CLI prompt would be FortiManager123456~#.
To change the host name:
1. Go to System Settings > Dashboard.
2. In the System Information widget, next to the Host Name field, select [Change].
Edit Host Name dialog box

3. In the Host Name box, type a new host name.
The host name may be up to 35 characters in length. It may include US-ASCII letters, numbers, hyphens, and underscores. Spaces and special characters are not allowed.
4. Select OK.
Configuring the system time
You can either manually set the FortiManager system time or configure the FortiManager unit to automatically keep its system time correct by synchronizing with a Network Time Protocol (NTP) server.

Administrative Domains – FortiManager 5.2

Administrative Domains

FortiManager appliances scale to manage thousands of Fortinet devices. Administrative domains (ADOMs) enable administrators to manage only those devices that are specific to their geographic location or business division. FortiGate devices with multiple VDOMs can be divided among multiple ADOMs.

If ADOMs are enabled, each administrator account is tied to an ADOM. When a particular administrator logs in, they see only those devices or VDOMs that have been enabled for their account. Administrator accounts that have special permissions, such as the admin account, can see and maintain all ADOMs and the devices within those domains.

ADOMs are not enabled by default, and enabling and configuring the domains can only be performed by the admin administrator. For more information, see Enabling and disabling the ADOM feature.

The maximum number of ADOMs you can add depends on the FortiManager system model. Please refer to the FortiManager data sheet for information on the maximum number of devices that your model supports.

This section includes the following topics:

  • Enabling and disabling the ADOM feature
  • ADOM modes
  • ADOM versions
  • Managing ADOMs

What is the best way to organize my devices using ADOMs?

You can organize devices into ADOMs to allow you to better manage these devices. You can organize these devices by:

  • Firmware version: group all devices with the same firmware version into an ADOM.
  • Geographic regions: group all devices for a specific geographic region into an ADOM, and devices for a different region into another ADOM.
  • Administrative users: group devices into separate ADOMs based on the specific administrators responsible for the group of devices.
  • Customers: group all devices for one customer into an ADOM, and devices for another customer into another ADOM.

Enabling and disabling the ADOM feature

To enable or disable the ADOM feature, you must be logged in as the admin administrator. Only this user has the ability to enable or disable this feature.

To enable the ADOM feature:

  1. Log in as admin.
  2. Go to System Settings > Dashboard.
  3. In the system information widget, select Enable next to Administrative Domain.

Enabling ADOMs

To disable the ADOM feature:

  1. Remove all the managed devices from all ADOMs.
  2. Delete all non-root ADOMs, by right-clicking on the ADOM in the tree menu in the Device Manager tab and selecting Delete from the pop-up menu.

After removing the ADOMs, you can now disable the ADOM feature.

  1. Go to System Settings > Dashboard.
  2. In the system information widget, select Disable next to Administrative Domain.

ADOM modes

When the ADOMs feature is enabled and you log in as the admin user, all the available ADOMs will be listed in the tree menus on different tabs.

In the Policy & Objects tab, a menu bar is available that allows you to select either Global, or a specific ADOM from the drop-down list. Selecting Global or a specific ADOM will then display the policy packages and objects appropriate for your selection.

Switching between ADOMs

As an admin administrator, you are able to move between all the ADOMs created on the FortiManager system. This enables you to view, configure and manage the various domains.

Other administrators are only able to move between the ADOMs to which they have been given permission. They are able to view and administer the domains based on their account's permission settings.

To access a specific ADOM, simply select that ADOM in the tree menu. The FortiManager system presents you with the available options for that domain, depending on what tab you are currently using.

Normal mode ADOMs

When creating an ADOM in Normal Mode, the ADOM is considered Read/Write, where you are able to make changes to the ADOM and managed devices from the FortiManager. FortiGate units in the ADOM will query their own configuration every 5 seconds. If there has been a configuration change, the FortiGate unit will send a diff revision on the change to the FortiManager using the FGFM protocol.

Backup mode ADOMs

When creating an ADOM in Backup Mode, the ADOM is considered Read Only, where you are not able to make changes to the ADOM and managed devices from the FortiManager. Changes are made via scripts which are run on the managed device, or through the device's Web-based Manager or CLI directly. Revisions are sent to the FortiManager when specific conditions are met:

  • Configuration change and session timeout
  • Configuration change and logout
  • Configuration change and reboot
  • Manual configuration backup from the managed device.

Backup mode enables you to configure an ADOM where all the devices that are added to the ADOM will only have their configuration backed up. Configuration changes cannot be made to the devices in backup ADOM. You can push any existing revisions to managed devices. You can still monitor and review the revision history for these devices, and scripting is still allowed for pushing scripts directly to FortiGate units.

ADOM versions

ADOMs can concurrently manage FortiGate units running both FortiOS v4.3 and v5.0, or v5.0 and v5.2, allowing devices running these versions to share a common database. This allows you to continue to manage an ADOM as normal while upgrading the devices within that ADOM.

Each ADOM is associated with a specific FortiOS version, based on the firmware version of the devices that are in that ADOM. This version is selected when creating a new ADOM (see Adding an ADOM), and can be updated after all of the devices within the ADOM have been updated to the latest FortiOS firmware version.

The general steps for upgrading an ADOM that contains multiple devices running FortiOS v4.3 from v4.3 to v5.0 are as follows:

  1. Make sure that the FortiManager unit is upgraded to a version that supports this feature.
  2. In the ADOM, upgrade one of the FortiGate units to FortiOS v5.0, and then resynchronize the device.
  3. All the ADOM objects, including Policy Packages, remain as v4.3.
  4. Upgrade the rest of the FortiGate units in the ADOM to version 5.0 firmware.
  5. Upgrade the ADOM to v5.0. See “Administrative Domains” on page 40 for more information.

All of the database objects will be converted to the v5.0 format, and the Web-based Manager content for the ADOM will change to reflect the v5.0 features and behavior.

Using The Web Based Manager – FortiManager 5.2

Using the Web-based Manager

This section describes general information about using the Web-based Manager to access the Fortinet system from within a current web browser.

This section includes the following topics:

  • System requirements
  • Connecting to the Web-based Manager
  • Web-based Manager overview
  • Configuring Web-based Manager settings
  • Reboot and shutdown of the FortiManager unit

Additional configuration options and short-cuts are available using the right-click menu. Right-click the mouse on different navigation panes on the Web-based Manager page to access these options.

System requirements

Supported web browsers

The following web browsers are supported by FortiManager v5.2.1:

  • Microsoft Internet Explorer version 11
  • Mozilla Firefox version 33
  • Google Chrome version 38

Other web browsers may function correctly, but are not supported by Fortinet. For more information see the FortiManager Release Notes.

Monitor settings for Web-based Manager access

Fortinet recommends setting your monitor to a screen resolution of 1280×1024. This allows for all the objects in the Web-based Manager to be viewed properly.

Connecting to the Web-based Manager

The FortiManager unit can be configured and managed using the Web-based Manager or the CLI. This section will step you through connecting to the unit via the Web-based Manager.

To connect to the Web-based Manager:

  1. Connect the Port 1 interface of the unit to a management computer using the provided Ethernet cable.
  2. Configure the management computer to be on the same subnet as the internal interface of the FortiManager unit:
    • Browse to Network and Sharing Center > Change Adapter Settings > Local Area Connection Properties > Internet Protocol Version 4 (TCP/IPv4) Properties.
    • Change the IP address of the management computer to 168.1.2 and the netmask to 255.255.255.0.
  3. To access the FortiManager unit’s Web-based Manager, start an Internet browser of your choice and browse to https://192.168.1.99.
  4. Type admin in the Name box, leave the Password box blank, and select Login.

You can now proceed with configuring your FortiManager unit.

If the network interfaces have been configured differently during installation, the URL and/or permitted administrative access protocols (such as HTTPS) may no longer be in their default state.

For information on enabling administrative access protocols and configuring IP addresses, see Configuring network interfaces.

Web-based Manager overview

FortiManager v5.2 introduces an improved Web-based Manager layout and tree menu for improved usability. You can now select the ADOM from the drop-down list to view the devices and groups for the specific ADOM. The ADOM selection drop-down list is available in the Device Manager, Policy & Objects, FortiView, Event Management, and Reports tabs.

This section describes the following topics:

  • Viewing the Web-based Manager
  • Using the tab bar

Viewing the Web-based Manager

The four main parts of the FortiManager Web-based Manager are the tree menu, tab bar, ADOM selector and toolbar, and right content pane.

The Web-based Manager includes detailed online help. Selecting Help in the tab bar opens the online help.

The tab bar and content pane information displayed to an administrator vary according to the administrator account settings and access profile that have been configured for that user. To configure administrator profiles, go to System Settings > Admin > Profile. You can configure the administrator profile at both a global and ADOM level with a high degree of granularity in providing read/write, read-only, or restricted permission to various Web-based Manager modules. When defining a new administrator, you can further define which ADOMs and policy packages the administrator can access. For more information about administrator accounts and their permissions, see Admin.

When you log in to the FortiManager unit as the admin administrator, the Web-based Manager opens to the Device Manager tab. You can view all ADOMs in the navigation tree, and ADOM information in the content pane. For more information, see Device Manager.

Using the tab bar

The tab bar is organized into a number of tabs. The available tabs displayed are dependent on the features enabled and the administrator profile settings.

Web-based Manager tabs

Tab Description
Device Manager Add and manage devices, view the device information and status, create and manage device groups and manage firewall global policy objects. From this menu, you can also configure the web portal configurations, users, and groups. In the Menu section, you can configure managed devices locally in the FortiManager Web-based Manager. In the Provisioning Templates section, you can configure System Templates, WiFi Templates, Threat Weight Templates, FortiClient Templates, and Certificate Templates and assign these templates to specific managed FortiGate and FortiCarrier devices. Additional menus are available for scripts and VPN monitor. For more information, see Device Manager.
Policy & Objects Configure policy packages and objects. When Central VPN Console is enabled for the ADOM, you can create VPN topologies and managed/external gateways. For more information, see Policy & Objects.

FortiGuard Configure FortiGuard Center settings, package and query server management, and firmware images. For more information, see FortiGuard Management.
System Settings Configure system settings such as network interfaces, administrators, system time, server settings, and widgets and tabs. From this menu, you can also perform maintenance and firmware operations. For more details on using this menu, see System Settings.
FortiView The following summary views are available: Top Sources, Top Applications, Top Destinations, Top Websites, Top Threats, Top Cloud Applications, Top Cloud Users, System Events, Admin Logins, SSL & Dialup IPsec, Site-Site IPsec, Rogue APs, and Resource Usage. This tab was implemented to match the FortiView implementation in FortiGate.

The Log View tab is found in the FortiView tab. View logs for managed devices. You can display, download, import, and delete logs on this page.

You can also define Custom Views.

This tab can be hidden by disabling the FortiAnalyzer feature set.

Event Management Configure and view events for managed log devices. You can view events by severity or by handler. For more information, see Event Management.

This tab can be hidden by disabling the FortiAnalyzer feature set.

Reports Configure report templates, schedules, and output profiles. You can create and test datasets, configure output profiles, and add language support. For more information, see Reports on page 502.

This tab can be hidden by disabling the FortiAnalyzer feature set.

Configuring Web-based Manager settings

Global settings for the Web-based Manager apply regardless of which administrator account you use to log in. Global settings include the idle timeout, TCP port number on which the Web-based Manager listens for connection attempts, the network interface on which it listens, and the display language.

This section includes the following topics:

  • Changing the Web-based Manager language
  • Administrative access
  • Restricting Web-based Manager access by trusted host
  • Changing the Web-based Manager idle timeout
  • Other security considerations

Changing the Web-based Manager language

The Web-based Manager supports multiple languages; the default language is English. You can change the Web-based Manager to display in English, Simplified Chinese, Traditional Chinese, Japanese, or Korean. For best results, you should select the language that the management computer operating system uses. You can also set the FortiManager Web-based Manager to automatically detect the system language, and by default show the screens in the proper language, if available.

To change the Web-based Manager language:

  1. Go to System Settings > Admin > Admin Settings.
  2. In the Language field, select a language from the drop-down list, or select Auto Detect to use the same language as configured for your web browser.
  3. Select OK.

Administrative access

Administrative access enables an administrator to connect to the FortiManager system to view and change configuration settings. The default configuration of your FortiManager system allows administrative access to one or more of the interfaces of the unit as described in your FortiManager system QuickStart Guide and Install Guide available in the Fortinet Document Library.

Administrative access can be configured in IPv4 or IPv6 and includes the following settings:

  • HTTPS
  • HTTP
  • PING
  • SSH
  • TELNET
  • SNMP
  • Web Service

To change administrative access to your FortiManager system:

  1. Go to System Settings > Network. Administrative access is configured for port1. To configure administrative access for another interface, select All Interfaces, and then select the interface to edit.
  2. Set the IPv4 IP/Netmask or IPv6 Address.
  3. Select one or more Administrative Access types for the interface.
  4. Select Service Access, FortiGate Updates, and Web Filtering/Antispam if required.
  5. Set the Default Gateway.
  6. Configure the primary and secondary DNS servers.
  7. Select Apply.

In addition to the settings listed earlier, you can select to enable access on an interface from the All Interfaces window.

Restricting Web-based Manager access by trusted host

To prevent unauthorized access to the Web-based Manager you can configure administrator accounts with trusted hosts. With trusted hosts configured, the administrator user can only log into the Web-based Manager when working on a computer with the trusted host as defined in the administrator account. You can configure up to ten trusted hosts per administrator account. See Administrator for more details.

Changing the Web-based Manager idle timeout

By default, the Web-based Manager disconnects administrative sessions if no activity takes place for five minutes. This idle timeout is recommended to prevent someone from using the Web-based Manager from a PC that is logged into the Web-based Manager and then left unattended.

To change the Web-based Manager idle timeout:

  1. Go to System Settings > Admin > Admin Settings.
  2. Change the Idle Timeout minutes as required (1-480 minutes).
  3. Select Apply.

Other security considerations

Other security considerations for restricting access to the FortiManager Web-based Manager include the following:

  • Configure administrator accounts using a complex passphrase for local accounts
  • Configure administrator accounts using RADIUS, LDAP, TACACS+, or PKI
  • Configure the administrator profile to only allow read/write permission as required and restrict access using read-only or no permission to settings which are not applicable to that administrator
  • Configure the administrator account to only allow access to specific ADOMs as required
  • Configure the administrator account to only allow access to specific policy packages as required.
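The access restrictions described in the sections above (administrative access types, trusted hosts, idle timeout, account passwords) can be checked together. The following Python is an added example, not part of the Fortinet guide: the snapshot layout, the CIDR notation for trusted hosts, and the names `audit`, `login_allowed` and `SAMPLE` are assumptions made for illustration and are not a FortiManager export format. HTTP and TELNET are flagged because both carry credentials unencrypted.

```python
import ipaddress

# Limits stated in the guide: idle timeout range and trusted hosts per account.
IDLE_MIN, IDLE_MAX = 1, 480
MAX_TRUSTED_HOSTS = 10
CLEARTEXT = {"HTTP", "TELNET"}   # access types that are not encrypted

def login_allowed(trusted_hosts, source_ip):
    """True if source_ip falls inside any trusted host entry.
    Assumption: an empty list means no restriction is configured."""
    if not trusted_hosts:
        return True
    ip = ipaddress.ip_address(source_ip)
    nets = (ipaddress.ip_network(t, strict=False) for t in trusted_hosts)
    return any(ip.version == n.version and ip in n for n in nets)

def audit(settings):
    """Return a sorted list of findings for a settings snapshot."""
    findings = []
    if not IDLE_MIN <= settings["idle_timeout"] <= IDLE_MAX:
        findings.append("idle timeout outside 1-480 minutes")
    for name, access in settings["interfaces"].items():
        for proto in sorted(CLEARTEXT & set(access)):
            findings.append(f"{name}: cleartext access {proto} enabled")
    for name, acct in settings["admins"].items():
        hosts = acct["trusted_hosts"]
        if len(hosts) > MAX_TRUSTED_HOSTS:
            findings.append(f"{name}: more than ten trusted hosts")
        nets = [ipaddress.ip_network(h, strict=False) for h in hosts]
        if not hosts or any(n.prefixlen == 0 for n in nets):
            findings.append(f"{name}: login not restricted by trusted host")
        if not acct["password_set"]:
            findings.append(f"{name}: blank password")
    return sorted(findings)

# Constructed sample snapshot (hypothetical format, not a FortiManager export).
SAMPLE = {
    "idle_timeout": 5,
    "interfaces": {"port1": ["HTTPS", "PING", "SSH"], "port2": ["HTTP", "TELNET"]},
    "admins": {
        "admin": {"trusted_hosts": [], "password_set": False},
        "ops": {"trusted_hosts": ["192.168.1.0/24"], "password_set": True},
    },
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
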

Reboot and shutdown of the FortiManager unit

Always reboot and shut down the FortiManager system using the unit operation options in the Web-based Manager, or using CLI commands, to avoid potential configuration problems.

To reboot the FortiManager unit:

  1. From the Web-based Manager, go to System Settings > Dashboard.
  2. In the Unit Operation widget select Reboot, or from the CLI Console widget type: execute reboot

To shut down the FortiManager unit:

  1. From the Web-based Manager, go to System Settings > Dashboard.
  2. In the Unit Operation widget select Shutdown, or from the CLI Console widget type: execute shutdown

 

FortiManager 5.2 Administration Guide – Introduction

Introduction

FortiManager Security Management appliances allow you to centrally manage any number of Fortinet Network Security devices, from several to thousands, including FortiGate, FortiWiFi, and FortiCarrier. Network administrators can better control their network by logically grouping devices into administrative domains (ADOMs), efficiently applying policies and distributing content security/firmware updates. FortiManager is one of several versatile Network Security Management Products that provide a diversity of deployment types, growth flexibility, advanced customization through APIs and simple licensing.

FortiManager features

FortiManager provides the following features:

  • Provides easy centralized configuration, policy-based provisioning, update management and end-to-end network monitoring for your Fortinet installation,
  • Segregate management of large deployments easily and securely by grouping devices and agents into geographic or functional administrative domains (ADOMs),
  • Reduce your management burden and operational costs with fast device and agent provisioning, detailed revision tracking, and thorough auditing capabilities,
  • Easily manage complex mesh and star VPN environments while leveraging FortiManager as a local distribution point for software and policy updates,
  • Seamless integration with FortiAnalyzer appliances provides in-depth discovery, analysis, prioritization and reporting of network security events,
  • Quickly create and modify policies/objects with a consolidated, drag and drop enabled, in-view editor,
  • Script and automate device provisioning, policy pushing, etc. with JSON APIs or build custom web portals with the XML API,
  • Leverage powerful device profiles for mass provisioning and configuration of managed devices,
  • Centrally control firmware upgrades and content security updates from FortiGuard Center Threat Research & Response,
  • Deploy with either a physical hardware appliance or virtual machine with multiple options to dynamically increase storage

FortiManager system architecture emphasizes reliability, scalability, ease of use, and easy integration with third-party systems.

FortiManager feature set

The FortiManager feature set includes the following modules:

  • Device Manager
  • Policy & Objects
  • FortiGuard
  • System Settings