Tag Archives: fortinet Adding a FortiGate to FortiManager

Adding a FortiGate to FortiManager

Adding a FortiGate to FortiManager

Before you can maintain a FortiGate unit using a FortiManager unit, you need to add it to the FortiManager. This requires configuration on both the FortiGate and FortiManager. This section describes the basics to configure management using a FortiManager device. For more information on the interaction of FortiManager with the FortiGate unit, see the FortiManager documentation.

end

The default encryption automatically sets high and medium encryption algorithms. Algorithms used for high, medium, and low follows openssl definitions:

  • High – Key lengths larger than 128 bits, and some cipher suites with 128-bit keys.

Algorithms are: DHE-RSA-AES256-SHA:AES256-SHA: EDH-RSA-DES-CBC3-SHA: DES-CBC3-SHA:DES-CBC3- MD5:DHE-RSA-AES128-SHA:AES128-SHA

  • Medium – Key strengths of 128 bit encryption. Algorithms are: RC4-SHA:RC4-MD5:RC4-MD
  • Low – Key strengths of 64 or 56 bit encryption algorithms but excluding export cipher suites

Algorithms are: EDH-RSA-DES-CDBC-SHA; DES-CBC-SHA; DES-CBC-MD5.

 

FortiGate configuration

These steps ensure that the FortiGate unit will be able to receive updated antivirus and IPS updates and allow remote management through the FortiManager system. You can add a FortiGate unit whether it is running in either NAT mode or transparent mode. The FortiManager unit provides remote management of a FortiGate unit over TCP port 541.

If you have not already done so, register the FortiGate unit by visiting http://support.fortinet.com and select Product Registration. By registering your Fortinet unit, you will receive updates to threat detection and prevention databases (Antivirus, Intrusion Detection, etc.) and will also ensure your access to technical support.

You must enable the FortiGate management option so the FortiGate unit can accept management updates to firmware, antivirus signatures, and IPS signatures.

 

To configure the FortiGate unit – web-based manager

1. Log in to the FortiGate unit.

2. Go to System > Admin > Settings.

3. Enter the IP address for the FortiManager unit.

4. Select Send Request.

The FortiManager ID now appears in the Trusted FortiManager table.

As an additional security measure, you can also select Registration Password and enter a password to connect to the FortiManager.

 

To configure the FortiGate unit – CLI

config system central-management set fmg <ip_address>

end

 

To use the registration password enter:

execute central-mgmt register-device <fmg-serial-no><fmg-register-password><fgt- usrname><fgt-password>

 

Configuring an SSL connection

An SSL connection can be configured between the two devices and an encryption level selected. Use the following CLI commands in the FortiGate CLI to configure the connection:

config system central-management set status enable

set enc-algorithm {default* | high | low}

end

 

The default encryption automatically sets high and medium encryption algorithms. Algorithms used for high, medium, and low follows openssl definitions:

  • High – Key lengths larger than 128 bits, and some cipher suites with 128-bit keys.

Algorithms are: DHE-RSA-AES256-SHA:AES256-SHA: EDH-RSA-DES-CBC3-SHA: DES-CBC3-SHA:DES-CBC3- MD5:DHE-RSA-AES128-SHA:AES128-SHA

  • Medium – Key strengths of 128 bit encryption. Algorithms are: RC4-SHA:RC4-MD5:RC4-MD
  • Low – Key strengths of 64 or 56 bit encryption algorithms but excluding export cipher suites

 

Algorithms are: EDH-RSA-DES-CDBC-SHA; DES-CBC-SHA; DES-CBC-MD5.

 

FortiManager configuration

Once the connection between the FortiGate unit and the FortiManager unit has been configured, you can add the FortiGate to the Device Manager in the FortiManager unit’s web-based manager. For details on completing the configuration, see the FortiManager Administration Guide.