Fortinet FortiManager (BYOL) Centralized Security Management
Jun 28, 2024
"-"
"
set subnet x.x.x.x x.x.x.x
next
end
Syntax applicable for ippool and ippool6
config firewall ippool
    edit xxxx
        ...regular FOS command here...
        config dynamic_mapping
            edit ""-""
                set startip x.x.x.x
                set endip x.x.x.x
            next
        end
Syntax applicable for vip, vip6, vip46, and vip64
config firewall vip
    edit xxxx
        ...regular FOS command here...
        config dynamic_mapping
            edit ""-""
                set extintf "any"
                set extip x.x.x.x-x.x.x.x
                set mappedip x.x.x.x-x.x.x.x
                set arp-reply enable|disable
            next
        end
Syntax applicable for dynamic zone
config dynamic interface
    edit xxxx
        set single-intf disable
        set default-mapping enable|disable
        set defmap-intf xxxx
        config dynamic_mapping
            edit ""-""
                set local-intf xxxx
                set intrazone-deny enable|disable
            next
        end
    next
end
Syntax applicable for dynamic interface
config dynamic interface
FortiManager Administration Guide Fortinet Technologies Inc.Firewall Devices 103
    edit xxxx
        set single-intf enable
        set default-mapping enable|disable
        set defmap-intf xxxx
        config dynamic_mapping
            edit ""-""
                set local-intf xxxx
                set intrazone-deny enable|disable
            next
        end
    next
end
Syntax applicable for dynamic multicast interface
config dynamic multicast interface
    edit xxx
        set description xxx
        config dynamic_mapping
            edit "fgtname"-"vdom"
                set local-intf xxx
            next
        end
    next
end
Syntax applicable for local certificate (dynamic mapping)
config dynamic certificate local
    edit xxxx
        config dynamic_mapping
            edit ""-"global"
                set local-cert xxxx
            next
        end
Syntax applicable for vpn tunnel
config dynamic vpntunnel
    edit xxxx
        config dynamic_mapping
            edit ""-""
                set local-ipsec ""
            next
        end
Syntax applicable for vpn console table
config vpnmgr vpntable
    edit xxxx
        set topology star|meshed|dial
        set psk-auto-generate enable|disable
        set psksecret xxxx
        set ike1proposal 3des-sha1 3des-md5 ...
        set ike1dhgroup XXXX
        set ike1keylifesec 28800
        set ike1mode aggressive|main
        set ike1dpd enable|disable
        set ike1nattraversal enable|disable
        set ike1natkeepalive 10
        set ike2proposal 3des-sha1 3des-md5
        set ike2dhgroup 5
        set ike2keylifetype seconds|kbyte|both
        set ike2keylifesec 1800
        set ike2keylifekbs 5120
        set ike2keepalive enable|disable
        set replay enable|disable
        set pfs enable|disable
        set ike2autonego enable|disable
        set fcc-enforcement enable|disable
        set localid-type auto|fqdn|user-fqdn|keyid|addressasn1dn
        set authmethod psk|signature
        set inter-vdom enable|disable
        set certificate XXXX
    next
end
Syntax applicable for vpn console node
config vpnmgr node
    edit "1"
        set vpntable ""
        set role hub|spoke
        set iface xxxx
        set hub_iface xxxx
        set automatic_routing enable|disable
        set extgw_p2_per_net enable|disable
        set banner xxxx
        set route-overlap use-old|use-new|allow
        set dns-mode manual|auto
        set domain xxxx
        set local-gw x.x.x.x
        set unity-support enable|disable
        set xauthtype disable|client|pap|chap|auto
        set authusr xxxx
        set authpasswd xxxx
        set authusrgrp xxxx
        set public-ip x.x.x.x
        config protected_subnet
            edit 1
                set addr xxxx xxxx ...
            next
        end
Syntax applicable for setting installation target on policy package
config firewall policy
    edit x
        ...regular policy command here...
        set _scope ""-""
    next
end
Syntax applicable for global policy
config global header policy
    ...regular policy command here...
end
config global footer policy
    ...regular policy command here...
end
Script history
The execution history of scripts run on specific devices can be viewed from a device’s dashboard. The script log can be
viewed in the Task Monitor. The script execution history table also allows for viewing the script history, and re-running
the script.
To view the script execution history:
1. Go to Device Manager > Device & Groups.
2. In the tree menu, select the device group, for example, Managed FortiGates. The list of devices displays in the
content pane and in the bottom tree menu.
3. In the bottom tree menu, select the device whose script history you want to view. The System: Dashboard for the
device displays in the content pane.
4. In the Configuration and Installation Status widget, select View History in the Script Status field to open the
Script Execution History pane.
5. To view the script history for a specific script, select the Browse icon in the far right column of the table to open the
Script History dialog box.
6. To re-run a script, select the Run script now icon in the far right column of the table. The script is re-run. See Run a
script on page 96.
7. Select Return to return to the device dashboard.
To view a script log:
1. Go to System Settings > Task Monitor.
2. Locate the script execution task whose log you need to view, and expand the task.
3. Select the History icon to open the script log window.
For more information, see Task Monitor on page 420.
Script samples
This section helps familiarize you with FortiManager scripts, provides some script samples, and provides some
troubleshooting tips.
The scripts presented in this section are in an easy to read format that includes:
• the purpose or title of the script
• the script itself
• the output from the script (blank lines are removed from some output)
• any variations that may be useful
• which versions of FortiOS this script will execute on
Do not include \r in your scripts as this will cause the script to not process properly.
Script samples include:
• CLI scripts
• Tcl scripts
CLI scripts
CLI scripts include only FortiOS CLI commands as they are entered at the command line prompt on a FortiGate device.
CLI scripts do not include Tool Command Language (Tcl) commands, and the first line of the script is not “#!” as it is for
Tcl scripts.
CLI scripts are useful for specific tasks such as configuring a routing table, adding new firewall policies, or getting
system information. These example tasks easily apply to any or all FortiGate devices connected to the FortiManager
system.
However, the more complex a CLI script becomes, the less it can be used with all FortiGate devices; it quickly becomes
tied to one particular device or configuration. For example, a script that includes the specific IP address of a
FortiGate device's interfaces cannot be executed on a different FortiGate device.
Samples of CLI scripts have been included to help get you started writing your own scripts for your network
administration tasks.
Error messages will help you determine the causes of any CLI scripting problems, and fix them. For more information,
see Error Messages on page 110.
The troubleshooting tips section provides some suggestions on how to quickly locate and fix problems in your CLI
scripts. For more information, see Troubleshooting Tips on page 111.
CLI script samples
There are two types of CLI scripts. The first type is getting information from your FortiGate device. The second type is
changing information on your FortiGate device.
Getting information remotely is one of the main purposes of your FortiManager system, and CLI scripts allow you to
access any information on your FortiGate devices. Getting information typically involves only one line of script as the
following scripts show.
To view interface information for port1:
Script:
show system interface port1
Output:
config system interface
edit "port1"
set vdom "root"
set ip 172.20.120.148 255.255.255.0
set allowaccess ping https ssh
set type physical
next
end
Variations:
Remove the interface name to see a list that includes all the interfaces on the FortiGate device, including virtual
interfaces such as VLANs.
Note: This script does not work when run on a policy package.
If the preceding script is run on the FortiGate directly (via CLI), or run on the device database of a FortiGate that
has VDOMs enabled, the script has to be modified to the following:
config global
    show system interface port1
end
Running the script on the device database does not yield any useful information, as the following log shows.
View the log of script running on device: FortiGate-VM64-70
------- Executing time: 2013-10-15 13:27:32 ------
Starting log (Run on database)
config global
end
Running script on DB success
------- The end of log ----------
The script should be run on the FortiGate Directly (via CLI).
View the log of script running on device: FortiGate-VM64-70
------- Executing time: 2013-10-15 13:52:02 ------
Starting log (Run on device)
FortiGate-VM64 $ config global
FortiGate-VM64 (global) $ show system interface port1
config system interface
edit "port1"
set vdom "root"
set ip 10.2.66.181 255.255.0.0
set allowaccess ping https ssh snmp http telnet fgfm auto-ipsec
radius-acct probe-response capwap
set type physical
set snmp-index 1
next
end
FortiGate-VM64 (global) $ end
------- The end of log ----------
To view the entries in the static routing table when VDOMs are enabled on the FortiGate, the script has to be
rewritten as follows and run on the FortiGate directly (via CLI); otherwise it returns no useful information.
config vdom
    edit root
        show route static
    next
end
Here is a sample run of the preceding script running on the FortiGate Directly (via CLI).
View the log of script running on device: FortiGate-VM64-70
------- Executing time: 2013-10-15 14:24:10 ------
Starting log (Run on device)
FortiGate-VM64 $ config vdom
FortiGate-VM64 (vdom) $ edit root
current vf=root:0
FortiGate-VM64 (root) $ show route static
config router static
edit 1
set device "port1"
set gateway 10.2.0.250
next
end
FortiGate-VM64 (root) $ next
FortiGate-VM64 (vdom) $ end
------- The end of log ----------
To view the entries in the static routing table:
Script:
show route static
Output:
config router static
edit 1
set device "port1"
set gateway 172.20.120.2
next
edit 2
set device "port2"
set distance 7
set dst 172.20.120.0 255.255.255.0
set gateway 172.20.120.2
next
end
Variations:
none
View information about all the configured FDN servers on this device:
Script:
config global
    diag debug rating
end
Output:
View the log of script running on device: FortiGate-VM64
------- Executing time: 2013-10-15 14:32:15 ------
Starting log (Run on device)
FortiGate-VM64 $ config global
FortiGate-VM64 (global) $ diagnose debug rating
Locale : english
License : Contract
Expiration : Thu Jan 3 17:00:00 2030
-=- Server List (Tue Oct 15 14:32:49 2013) -=-
IP Weight RTT Flags TZ Packets Curr Lost Total Lost
192.168.100.206 35 2 DIF -8 4068 72 305
192.168.100.188 36 2 F -8 4052 72 308
FortiGate-VM64 (global) $ end
------- The end of log ----------
Variations:
Output for this script will vary based on the state of the FortiGate device. The preceding output is for a FortiGate
device that has never been registered.
For a registered FortiGate device without a valid license, the output would be similar to:
Locale : english
License : Unknown
Expiration : N/A
Hostname : guard.fortinet.net
-=- Server List (Tue Oct 3 09:34:46 2006) -=-
IP Weight Round-time TZ Packets Curr Lost Total Lost
** None **
Setting FortiGate device information with CLI scripts gives you access to more settings and allows you more
fine-grained control than you may have in the Device Manager. Also, CLI commands allow access to more advanced options
that are not available in the FortiGate GUI. Scripts that set information require more lines.
Any scripts that you will be running on the global database must include the full CLI commands and not use short
forms for the commands. Short form commands will not run on the global database.
Create a new account profile called policy_admin allowing read-only access to policy related areas:
Script:
config global
    config system accprofile
        edit "policy_admin"
            set fwgrp read
            set loggrp read
            set sysgrp read
        next
    end
end
Output:
View the log of script running on device:FortiGate-VM64
------- Executing time: 2013-10-16 13:39:35 ------
Starting log (Run on device)
FortiGate-VM64 $ config global
FortiGate-VM64 (global) $ config system accprofile
FortiGate-VM64 (accprofile) $ edit "prof_admin"
FortiGate-VM64 (prof_admin) $ set fwgrp read
FortiGate-VM64 (prof_admin) $ set loggrp read
FortiGate-VM64 (prof_admin) $ set sysgrp read
FortiGate-VM64 (prof_admin) $ next
FortiGate-VM64 (accprofile) $ end
FortiGate-VM64 (global) $ end
------- The end of log ----------
Variations:
This profile is read-only to allow a policy administrator to monitor this device's configuration and traffic.
Variations may include enabling other areas as read-only or write permissions based on that account type's needs.
With the introduction of global objects/security console (global database), you can run a CLI script on the FortiManager
global database in addition to running it on a FortiGate unit directly. Compare the following sample scripts:
• Running a CLI script on a FortiGate unit
config vdom
    edit "root"
        config firewall policy
            edit 10
                set srcintf "port5"
                set dstintf "port6"
                set srcaddr "all"
                set dstaddr "all"
                set status disable
                set schedule "always"
                set service "ALL"
                set logtraffic disable
            next
        end
    next
end
• Running a CLI script on the global database
config firewall policy
    edit 10
        set srcintf "port5"
        set dstintf "port6"
        set srcaddr "all"
        set dstaddr "all"
        set status disable
        set schedule "always"
        set service "ALL"
        set logtraffic disable
    next
end
Error Messages
Most error messages you will see are regular FortiGate CLI error messages. If you are familiar with the CLI you will
likely recognize them.
Other error messages indicate your script encountered problems while executing, such as:
• command parse error: It was not possible to parse this line of your script into a valid FortiGate CLI command.
Common causes for this are misspelled keywords or an incorrect command format.
• unknown action: Generally this message indicates the previous line of the script was not executed, especially if
the previous line accesses an object such as "config router static".
• Device XXX failed-1: This usually means there is a problem with the end of the script. XXX is the name of
the FortiGate unit the script is to be executed on. If a script has no end statement or that line has an error in it you
may see this error message. You may also see this message if the FortiGate unit has not been synchronized by
deploying its current configuration.
Troubleshooting Tips
Here are some troubleshooting tips to help locate and fix problems you may experience with your scripts.
• Check the script output. Generally the error messages displayed here will help you locate and fix the problem.
• See the FortiGate CLI Reference for more information on all CLI commands.
• There is a limit to the number of scripts allowed on the FortiManager unit. Try removing an old script before trying
to save your current one.
• As mentioned at the start of this chapter, ensure the console more command is disabled on the FortiGate
devices where scripts execute. Otherwise a condition may occur where both the FortiGate device and the
FortiManager system are waiting for each other to respond until they time out.
• There should be no punctuation at the start or end of the lines.
• Nothing other than whitespace may share a line with a command. Leading whitespace is useful for lining up end and
next commands for quick and easy debugging of the script.
• Keep your scripts short. They are easier to troubleshoot and it gives you more flexibility. You can easily execute a
number of scripts one after another.
• Use full command names. For example, instead of "set host test" use "set hostname test". This is required for any
scripts that are to be run on the global database.
• Use the number sign (#) to comment out a line you suspect contains an error.
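Several of the tips above can be checked before a script is uploaded. The following pre-flight checker is an added example and is not part of the FortiManager guide or product: it flags \r characters, an exit command in a Tcl script, and config or edit blocks that are never closed with end or next (the usual cause of "Device XXX failed-1"), and it re-indents a CLI script so that end and next line up with their openers. It assumes, as the logs in this section show, that end also leaves any open edit table.

```python
"""Pre-flight checks for FortiManager CLI and Tcl scripts (added example, not from the guide)."""

OPENERS = ("config", "edit")


def _first_word(line: str) -> str:
    """Return the command keyword of a script line, or "" for blank and comment lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return ""
    return stripped.split()[0]


def lint_script(text: str) -> list:
    """Return a list of (line_number, message) findings; an empty list means nothing was found.

    Line number 0 is used for findings that concern the whole script.
    """
    findings = []
    lines = text.split("\n")

    # \r anywhere in the script stops FortiManager from processing it.
    if "\r" in text:
        findings.append((0, "script contains \\r characters; save it with LF line endings"))

    # A Tcl script is recognised by its "#!" first line, as the guide describes.
    if lines[0].startswith("#!"):
        for number, line in enumerate(lines, 1):
            if _first_word(line) == "exit":
                findings.append((number, "remove 'exit'; it prevents a FortiManager Tcl script from running"))
        return findings

    # CLI script: every config needs an end and every edit needs a next (or an end).
    open_blocks = []  # stack of (keyword, line_number)
    for number, line in enumerate(lines, 1):
        word = _first_word(line)
        if word in OPENERS:
            open_blocks.append((word, number))
        elif word == "next":
            if open_blocks and open_blocks[-1][0] == "edit":
                open_blocks.pop()
            else:
                findings.append((number, "'next' without a matching 'edit'"))
        elif word == "end":
            # Assumption: end saves and leaves an open edit table as well as the config block.
            while open_blocks and open_blocks[-1][0] == "edit":
                open_blocks.pop()
            if open_blocks:
                open_blocks.pop()
            else:
                findings.append((number, "'end' without a matching 'config'"))

    for word, number in open_blocks:
        findings.append((number, f"'{word}' opened here is never closed; expect 'Device XXX failed-1'"))
    return findings


def format_cli(text: str, indent: str = "    ") -> str:
    """Re-indent a CLI script by block depth so end and next line up with their openers."""
    out = []
    open_blocks = []
    for line in text.split("\n"):
        stripped = line.strip()
        word = _first_word(line)
        if word == "next" and open_blocks and open_blocks[-1] == "edit":
            open_blocks.pop()
        elif word == "end":
            while open_blocks and open_blocks[-1] == "edit":
                open_blocks.pop()
            if open_blocks:
                open_blocks.pop()
        out.append(indent * len(open_blocks) + stripped if stripped else "")
        if word in OPENERS:
            open_blocks.append(word)
    return "\n".join(out)


# Constructed sample: the policy_admin profile script from this section with its final end missing.
SAMPLE_MISSING_END = """config global
config system accprofile
edit "policy_admin"
set fwgrp read
set loggrp read
set sysgrp read
next
end"""

if __name__ == "__main__":
    for number, message in lint_script(SAMPLE_MISSING_END):
        print(f"line {number}: {message}")
    print(format_cli(SAMPLE_MISSING_END))
```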
Tcl scripts
Tcl is a dynamic scripting language that extends the functionality of CLI scripting. In FortiManager Tcl scripts, the first
line of the script is “#!” as it is for standard Tcl scripts.
Do not include the exit command that normally ends Tcl scripts; it will prevent the script from
running.
This guide assumes you are familiar with the Tcl language and regular expressions, and instead focuses on how to use
CLI commands in your Tcl scripts. Where you require more information about Tcl commands than this guide contains,
please refer to resources such as the Tcl newsgroup, Tcl reference books, and the official Tcl website at
http://www.tcl.tk.
Tcl scripts can do more than just get and set information. The benefits of Tcl come from:
• variables to store information,
• loops to repeat commands that are slightly different each time, and
• decisions to compare information from the device.
The sample scripts in this section contain procedures that you can combine in your own scripts. The samples will
each focus on one of four areas:
• Tcl variables
• Tcl loops
• Tcl decisions
• Tcl file IO
To enable Tcl scripting, use the following CLI commands:
config system admin setting
    set show_tcl_script enable
end
Limitations of FortiManager Tcl
FortiManager Tcl executes in a controlled environment. You do not have to know the location of the Tcl interpreter or
environment variables to execute your scripts. This also means some of the commands normally found in Tcl are not
used in FortiManager Tcl.
Depending on the CLI commands you use in your Tcl scripts, you may not be able to run some scripts on some versions
of FortiOS as CLI commands change periodically.
Before testing a new script on a FortiGate device, you should backup that device’s
configuration and data to ensure it is not lost if the script does not work as expected.
Tcl variables
Variables allow you to store information from the FortiGate device, and use it later in the script. Arrays allow you to
easily manage information by storing multiple pieces of data under a variable name. The next script uses an array to
store the FortiGate system information.
Example: Save system status information in an array.
Script:
#!
proc get_sys_status aname {
    upvar $aname a
    puts [exec "# This is an example Tcl script to get the system status of the FortiGate\n" "# " 15 ]
    set input [exec "get system status\n" "# " 15 ]
    # puts $input
    set linelist [split $input \n]
    # puts $linelist
    foreach line $linelist {
        # skip any line that is not of the form "key: value"
        if {![regexp {([^:]+):(.*)} $line dummy key value]} continue
        switch -regexp -- $key {
            Version {
                regexp {FortiGate-([^ ]+) ([^,]+),build([\d]+),.*} $value dummy a(platform) a(version) a(build)
            }
            Serial-Number {
                set a(serial-number) [string trim $value]
            }
            Hostname {
                set a(hostname) [string trim $value]
            }
        }
    }
}
get_sys_status status
puts "This machine is a $status(platform) platform."
puts "It is running version $status(version) of FortiOS."
puts "The firmware is build# $status(build)."
puts "S/N: $status(serial-number)"
puts "This machine is called $status(hostname)"
Output:
------- Executing time: 2013-10-21 09:58:06 ------
Starting log (Run on device)
FortiGate-VM64 #
This machine is a VM64 platform.
It is running version v5.0 of FortiOS.
The firmware is build# 0228.
S/N: FGVM02Q105060070
This machine is called FortiGate-VM64
------- The end of log ----------
Variations:
Once the information is in the variable array, you can use it as part of commands you send to the FortiGate device or to
make decisions based on the information. For example:
if {$status(version) eq "v5.0"} {
    # follow the version 5.0 commands
} else {
    # follow the commands for other FortiOS versions
}
This script introduces the concept of executing CLI commands within Tcl scripts using the following method:
set input [exec "get system status\n" "# "]
This command executes the CLI command “get system status” and passes the result into the variable called
input. Without the “\n” at the end of the CLI command, the CLI command will not execute to provide output.
In analyzing this script:
• line 1 is the required #! to indicate this is a Tcl script
• lines 2-3 open the procedure declaration
• lines 4-5 put the output from the CLI command into a Tcl variable as a string, and break it up at each return
character into an array of smaller strings
• line 6 starts a loop to go through the array of strings
• line 7 skips to the next iteration if the array element is punctuation, or continues if it is text
• line 8 takes the output of line 7's regular expression command and, based on a match, performs one of the actions
listed in lines 9 through 17
• lines 9-11: if the regular expression matches 'Version', then parse the text and store values for the platform, version,
and build number in the named array elements
• lines 12-14: if the regular expression matches 'Serial-Number', then store the value in an array element named after it,
after trimming the string down to text only
• lines 15-17 are similar to lines 12-14, except the regular expression is matched against 'Hostname'
• lines 17-19 close the switch decision statement, the foreach loop, and the procedure
• line 20 calls the procedure with an array name of status
• lines 21-25 output the information stored in the status array
Tcl loops
Even though the last script used a loop, that script’s main purpose was storing information in the array. The next script
uses a loop to create a preset number of users on the FortiGate device, in this case 10 users. The output is only shown
for the first two users due to space considerations.
Example: Create 10 users from usr0001 to usr0010:
Script:
#!
proc do_cmd {cmd} {
    puts [exec "$cmd\n" "# " 15]
}
set num_users 10
do_cmd "config vdom"
do_cmd "edit root"
do_cmd "config user local"
for {set i 1} {$i <= $num_users} {incr i} {
    # format forces a four digit, zero-padded user number
    set name [format "usr%04d" $i]
    puts "Adding user: $name"
    do_cmd "edit $name"
    do_cmd "set status enable"
    do_cmd "set type password"
    do_cmd "next"
}
do_cmd "end"
do_cmd "end"
do_cmd "config vdom"
do_cmd "edit root"
do_cmd "show user local"
do_cmd "end"
Output:
View the log of script running on device:FortiGate-VM64
------- Executing time: 2013-10-16 15:27:18 ------
Starting log (Run on device)
config vdom
FortiGate-VM64 (vdom) #
edit root
current vf=root:0
FortiGate-VM64 (root) #
config user local
FortiGate-VM64 (local) #
Adding user: usr0001
edit usr0001
new entry ''usr0001'' added
FortiGate-VM64 (usr0001) #
set status enable
FortiGate-VM64 (usr0001) #
set type password
FortiGate-VM64 (usr0001) #
next
FortiGate-VM64 (local) #
Adding user: usr0002
edit usr0002
new entry ''usr0002'' added
FortiGate-VM64 (usr0002) #
set status enable
FortiGate-VM64 (usr0002) #
set type password
FortiGate-VM64 (usr0002) #
next
Variations:
There are a number of uses for this kind of looping script. One example is to create firewall policies for each interface
that deny all non-HTTPS and non-SSH traffic by default. Another example is a scheduled script to loop through the
static routing table to check that each entry is still reachable, and if not remove it from the table.
This script loops 10 times creating a new user each time whose name is based on the loop counter. The format
command is used to force a four digit number.
In analyzing this script:
• line 1 is the required #! to indicate this is a Tcl script
• lines 2-4 open the CLI command wrapper procedure
• line 5 declares the number of users to create
• line 6 gets the FortiGate ready for entering local users
• line 7 opens the for loop that will loop ten times
• line 8 sets the user name based on the incremented loop counter variable
• line 9 is just a comment to the administrator showing which user is being created
• lines 10-13 create and configure the user, leaving the CLI ready for the next user to be added
• line 14 ends the for loop
• line 15 ends the adding of users in the CLI
• line 16 executes a CLI command to prove the users were added properly
Tcl decisions
Tcl has a number of decision structures that allow you to execute different CLI commands based on what information
you discover.
This script is more complex than the previous scripts, as it uses two procedures that read FortiGate information, make a
decision based on that information, and then execute one of the CLI sub-scripts based on that decision.
Example: Add information to existing firewall policies.
Script:
#!
# need to define procedure do_cmd
# the second parameter of exec should be "# "
# If split one command to multiple lines use "\" to continue
proc do_cmd {cmd} {
    puts [exec "$cmd\n" "# "]
}
# read every policy and record its "key value" settings under its policy ID;
# the key pattern allows hyphens so that keys such as diffservcode-forward match
foreach line [split [exec "show firewall policy\n" "# "] \n] {
    if {[regexp {edit[ ]+([0-9]+)} $line match policyid]} {
        continue
    } elseif {[regexp {set[ ]+([\w-]+)[ ]+(.*)} $line match key value]} {
        lappend fw_policy($policyid) "$key [string trim $value]"
    }
}
do_cmd "config firewall policy"
foreach policyid [array names fw_policy] {
    # only touch policies that do not already carry the DSCP marking
    if {[lsearch $fw_policy($policyid) {diffservcode-forward 000011}] == -1} {
        do_cmd "edit $policyid"
        do_cmd "set diffserv-forward enable"
        do_cmd "set diffservcode-forward 000011"
        do_cmd "next"
    }
}
do_cmd "end"
Variations:
This type of script is useful for updating long lists of records. For example if the FortiOS version adds new keywords to
user accounts, you can create a script similar to this one to get the list of user accounts and for each one edit it, add the
new information, and move on to the next.
This script uses two decision statements. Both are involved in text matching. The first decision checks each line of
input for the policy ID and, if it's not there, skips the line. If it is there, all the policy information is saved to an array for
future use. The second decision searches the array of policy information to see which policies are miss
In analyzing this script:
• line 1 is the required #! to indicate this is a Tcl script
• lines 2-8 are a loop that reads each policy's information and appends it to an array variable called fw_policy,
indexed by policy ID number
• line 9 opens the CLI to the firewall policy section to prepare for the loop
• line 10 starts the foreach loop that steps through all the firewall policy IDs stored in fw_policy
• line 11 checks each policy for an existing diffservcode-forward 000011 entry; if it's not found, lines 12-15 are
executed, otherwise they are skipped
• line 12 opens the policy determined by the loop counter
• lines 13-14 enable diffserv-forward, and set diffservcode-forward to 000011
• line 15 saves this entry and prepares for the next one
• line 16 closes the if statement
• line 17 closes the foreach loop
• line 18 saves all the updated firewall policy entries
Additional Tcl Scripts
Example: Get and display state information about the FortiGate device:
Script:
#!
#Run on FortiOS v5.00
#This script will display FortiGate's CPU states,
#Memory states, and Up time
puts [exec "# This is an example Tcl script to get the system performance of the FortiGate\n" "# " 15 ]
set input [exec "get system status\n" "# " 15]
regexp {Version: *([^ ]+) ([^,]+),build([0-9]+),[0-9]+} $input dummy status(Platform) status(Version) status(Build)
if {$status(Version) eq "v5.0"} {
    puts -nonewline [exec "config global\n" "# " 30]
    puts -nonewline [exec "get system performance status\n" "# " 30]
    puts -nonewline [exec "end\n" "# " 30]
} else {
    puts -nonewline [exec "get system performance\n" "# " 30]
}
Output:
------- Executing time: 2013-10-21 16:21:43 ------
Starting log (Run on device)
FortiGate-VM64 #
config global
FortiGate-VM64 (global) # get system performance status
CPU states: 0% user 0% system 0% nice 90% idle
CPU0 states: 0% user 0% system 0% nice 90% idle
CPU1 states: 0% user 0% system 0% nice 90% idle
Memory states: 73% used
Average network usage: 0 kbps in 1 minute, 0 kbps in 10 minutes, 0 kbps in 30 minutes
Average sessions: 1 sessions in 1 minute, 2 sessions in 10 minutes, 2 sessions in 30 minutes
Average session setup rate: 0 sessions per second in last 1 minute, 0 sessions per second in
last 10 minutes, 0 sessions per second in last 30 minutes
Virus caught: 0 total in 1 minute
IPS attacks blocked: 0 total in 1 minute
Uptime: 6 days, 1 hours, 34 minutes
FortiGate-VM64 (global) # end
FortiGate-VM64 #
------- The end of log ----------
Example: Configure common global settings.
Script:
#!
#Run on FortiOS v5.00
#This script will configure common global, user group and ntp settings
#if you do not want to set a parameter, comment the
#corresponding set command
#if you want to reset a parameter to its default
#value, set it an empty string
puts [exec "# This is an example Tcl script to configure global, user group and ntp setting of FortiGate\n" "# " 15 ]
# global
set sys_global(admintimeout) ""
# user group
set sys_user_group(authtimeout) 20
# ntp
set sys_ntp(source-ip) "0.0.0.0"
set sys_ntp(ntpsync) "enable"
#procedure to execute FortiGate command
proc fgt_cmd cmd {
    puts -nonewline [exec "$cmd\n" "# " 30]
}
#config system global---begin
fgt_cmd "config global"
fgt_cmd "config system global"
foreach key [array names sys_global] {
    if {$sys_global($key) ne ""} {
        fgt_cmd "set $key $sys_global($key)"
    } else {
        fgt_cmd "unset $key"
    }
}
fgt_cmd "end"
fgt_cmd "end"
#config system global---end
#config system user group---begin
fgt_cmd "config vdom"
fgt_cmd "edit root"
fgt_cmd "config user group"
fgt_cmd "edit groupname"
foreach key [array names sys_user_group] {
    if {$sys_user_group($key) ne ""} {
        fgt_cmd "set $key $sys_user_group($key)"
    } else {
        fgt_cmd "unset $key"
    }
}
fgt_cmd "end"
fgt_cmd "end"
#config system user group---end
#config system ntp---begin
fgt_cmd "config global"
fgt_cmd "config system ntp"
foreach key [array names sys_ntp] {
    if {$sys_ntp($key) ne ""} {
        fgt_cmd "set $key $sys_ntp($key)"
    } else {
        fgt_cmd "unset $key"
    }
}
fgt_cmd "end"
fgt_cmd "end"
#config system ntp---end
Output:
------- Executing time: 2013-10-22 09:12:57 ------
Starting log (Run on device)
FortiGate-VM64 # config global
FortiGate-VM64 (global) # config system global
FortiGate-VM64 (global) # unset admintimeout
FortiGate-VM64 (global) # end
FortiGate-VM64 (global) # end
FortiGate-VM64 # config vdom
FortiGate-VM64 (vdom) # edit root
current vf=root:0
FortiGate-VM64 (root) # config user group
FortiGate-VM64 (group) # edit groupname
FortiGate-VM64 (groupname) # set authtimeout 20
FortiGate-VM64 (groupname) # end
FortiGate-VM64 (root) # end
FortiGate-VM64 # config global
FortiGate-VM64 (global) # config system ntp
FortiGate-VM64 (ntp) # set ntpsync enable
FortiGate-VM64 (ntp) # set source-ip 0.0.0.0
FortiGate-VM64 (ntp) # end
FortiGate-VM64 (global) # end
FortiGate-VM64 #
------- The end of log ----------
Example: Configure syslogd settings and filters.
Script:
#!
#Run on FortiOS v5.00
#This script will configure log syslogd setting and
#filter
#key-value pairs for 'config log syslogd setting', no
#value means default value.
set setting_list {{status enable} {csv enable} {facility alert} {port} {server 1.1.1.2}}
#key-value pairs for 'config log syslogd filter', no
#value means default value.
puts [exec "# This is an example Tcl script to configure log syslogd setting and filter setting of FortiGate\n" "# " 15 ]
set filter_list {{attack enable} {email enable} {severity} {traffic enable} {virus disable} {web enable}}
#set the number of syslogd server, "", "2" or "3"
set syslogd_no "2"
#procedure to execute FortiGate CLI command
proc fgt_cmd cmd {
    puts -nonewline [exec "$cmd\n" "# "]
}
#procedure to set a series of key-value pairs
proc set_kv kv_list {
    foreach kv $kv_list {
        set len [llength $kv]
        if {$len == 0} {
            continue
        } elseif {$len == 1} {
            fgt_cmd "unset [lindex $kv 0]"
        } else {
            fgt_cmd "set [lindex $kv 0] [lindex $kv 1]"
        }
    }
}
#configure log syslogd setting---begin
fgt_cmd "config global"
fgt_cmd "config log syslogd$syslogd_no setting"
set_kv $setting_list
fgt_cmd "end"
#configure log syslogd setting---end
#configure log syslogd filter---begin
fgt_cmd "config log syslogd$syslogd_no filter"
set_kv $filter_list
fgt_cmd "end"
#configure log syslogd filter---end
Output:
Starting log (Run on device)
FortiGate-VM64 # config global
FortiGate-VM64 (global) # config log syslogd2 setting
FortiGate-VM64 (setting) # set status enable
FortiGate-VM64 (setting) # set csv enable
FortiGate-VM64 (setting) # set facility alert
FortiGate-VM64 (setting) # unset port
FortiGate-VM64 (setting) # set server 1.1.1.2
FortiGate-VM64 (setting) # end
FortiGate-VM64 (global) # config log syslogd2 filter
FortiGate-VM64 (filter) # set attack enable
FortiGate-VM64 (filter) # set email enable
FortiGate-VM64 (filter) # unset severity
FortiGate-VM64 (filter) # set traffic enable
FortiGate-VM64 (filter) # set virus disable
FortiGate-VM64 (filter) # set web enable
FortiGate-VM64 (filter) # end
FortiGate-VM64 (global) #
------- The end of log ----------
Example: Configure the FortiGate device to communicate with a FortiAnalyzer unit:
Script:
#!
#This script will configure the FortiGate device to
#communicate with a FortiAnalyzer unit
#Enter the following key-value pairs for 'config
#system fortianalyzer'
set status enable
set enc-algorithm high
#localid will be set as the hostname automatically
#later
puts [exec "# This is an example Tcl script to configure the FortiGate to communicate with a FortiAnalyzer\n" "# " 15 ]
set server 1.1.1.1
#for fortianalyzer, fortianalyzer2 or
#fortianalyzer3, enter the corresponding value "",
#"2", "3"
set faz_no ""
#keys used for 'config system fortianalyzer', if you
#do not want to change the value of a key, do not put
#it in the list
set key_list {status enc-algorithm localid server }
#procedure to get system status from a FortiGate
#parses "key: value" lines of "get system status" into the named array
proc get_sys_status aname {
    upvar $aname a
    set input [split [exec "get system status\n" "# "] \n]
    foreach line $input {
        if {![regexp {([^:]+):(.*)} $line dummy key value]} continue
        set a([string trim $key]) [string trim $value]
    }
}
#procedure to execute FortiGate command
proc fgt_cmd cmd {
    puts -nonewline [exec "$cmd\n" "# "]
}
#set the localid as the FortiGate's hostname
get_sys_status sys_status
set localid $sys_status(Hostname)
#config system fortianalyzer---begin
fgt_cmd "config global"
fgt_cmd "config log fortianalyzer$faz_no setting"
foreach key $key_list {
    #a variable with the key's name holds the value to set; braces keep the
    #condition from being evaluated as code (see Troubleshooting Tips)
    if {[info exists $key]} {
        fgt_cmd "set $key [set $key]"
    } else {
        fgt_cmd "unset $key"
    }
}
fgt_cmd "end"
fgt_cmd "end"
#config system fortianalyzer---end
Output:
Starting log (Run on device)
FortiGate-VM64 # config global
FortiGate-VM64 (global) # config log fortianalyzer setting
FortiGate-VM64 (setting) # set status enable
FortiGate-VM64 (setting) # set enc-algorithm high
FortiGate-VM64 (setting) # set localid FortiGate-VM64
FortiGate-VM64 (setting) # set server 1.1.1.1
FortiGate-VM64 (setting) # end
FortiGate-VM64 (global) # end
FortiGate-VM64 #
------- The end of log ---------
Example: Create custom IPS signatures and add them to a custom group.
Script:
#!
#Run on FortiOS v5.00
#This script will create custom ips signatures and
#change the settings for the custom ips signatures
puts [exec "# This is an example Tcl script to create custom ips signatures and change the settings for the custom ips signatures on a FortiGate\n" "# " 15 ]
#Enter custom ips signatures, signature names are the
#names of array elements
set custom_sig(c1) {"F-SBID(--protocol icmp;--icmp_type 10; )"}
set custom_sig(c2) {"F-SBID(--protocol icmp;--icmp_type 0; )"}
#Enter custom ips settings
set custom_rule(c1) {{status enable} {action block} {log enable} {log-packet} {severity high}}
set custom_rule(c2) {{status enable} {action pass} {log} {log-packet disable} {severity low}}
#procedure to execute FortiGate command
proc fgt_cmd cmd {
    puts -nonewline [exec "$cmd\n" "# "]
}
#procedure to set a series of key-value pairs
proc set_kv kv_list {
    foreach kv $kv_list {
        set len [llength $kv]
        if {$len == 0} {
            continue
        } elseif {$len == 1} {
            fgt_cmd "unset [lindex $kv 0]"
        } else {
            fgt_cmd "set [lindex $kv 0] [lindex $kv 1]"
        }
    }
}
#config ips custom---begin
fgt_cmd "config vdom"
fgt_cmd "edit root"
fgt_cmd "config ips custom"
#array names returns elements in no particular order; sort them so the
#signatures are created in a predictable sequence
foreach sig_name [lsort [array names custom_sig]] {
    fgt_cmd "edit $sig_name"
    fgt_cmd "set signature $custom_sig($sig_name)"
    fgt_cmd "next"
}
fgt_cmd "end"
#config ips custom settings---begin
foreach rule_name [lsort [array names custom_rule]] {
    fgt_cmd "config ips custom"
    fgt_cmd "edit $rule_name"
    set_kv $custom_rule($rule_name)
    fgt_cmd "end"
}
fgt_cmd "end"
#config ips custom settings---end
Output:
Starting log (Run on device)
FortiGate-VM64 # config vdom
FortiGate-VM64 (vdom) # edit root
current vf=root:0
FortiGate-VM64 (root) # config ips custom
FortiGate-VM64 (custom) # edit c1
set signature "F-SBID(--protocol icmp;--icmp_type 10; )"
FortiGate-VM64 (c1) # set signature "F-SBID(--protocol icmp;--icmp_type 10; )"
FortiGate-VM64 (c1) # next
FortiGate-VM64 (custom) # edit c2
FortiGate-VM64 (c2) # set signature "F-SBID(--protocol icmp;--icmp_type 0; )"
FortiGate-VM64 (c2) # next
FortiGate-VM64 (custom) # end
FortiGate-VM64 (root) # config ips custom
FortiGate-VM64 (custom) # edit c1
FortiGate-VM64 (c1) # set status enable
FortiGate-VM64 (c1) # set action block
FortiGate-VM64 (c1) # set log enable
FortiGate-VM64 (c1) # unset log-packet
FortiGate-VM64 (c1) # set severity high
FortiGate-VM64 (c1) # end
FortiGate-VM64 (root) # config ips custom
FortiGate-VM64 (custom) # edit c2
FortiGate-VM64 (c2) # set status enable
FortiGate-VM64 (c2) # set action pass
FortiGate-VM64 (c2) # unset log
FortiGate-VM64 (c2) # set log-packet disable
FortiGate-VM64 (c2) # set severity low
FortiGate-VM64 (c2) # end
FortiGate-VM64 (root) # end
FortiGate-VM64 #
------- The end of log ----------
Variations:
None.
Tcl file IO
You can write to and read from files using Tcl scripts. For security reasons there is only one directory on the FortiManager where scripts can access files, so there is no reason to include a directory in the file name you are accessing. For example "/var/temp/myfile" or "~/myfile" will cause an error, but "myfile" or "/myfile" is OK.
The Tcl commands that are supported for file IO are: file, open, gets, read, tell, seek, eof, flush, close, fcopy, fconfigure, and fileevent.
The Tcl file command only supports the delete subcommand, and does not support the -force option.
There is 10MB of disk space allocated for Tcl scripts. An error will be reported if this size is exceeded.
These files will be reset when the following CLI commands are run: exec format, exec reset partition, or exec reset all. The files will not be reset when the firmware is updated unless otherwise specified.
To write to a file:
Script:
#!
set somefile [open "tcl_test" w]
puts $somefile "Hello, world!"
close $somefile
To read from a file:
Script:
#!
set otherfile [open "tcl_test" r]
while {[gets $otherfile line] >= 0} {
    puts $line ;# print each line that was read
}
close $otherfile
Output:
Hello, world!
These two short scripts write a file called tcl_test and then read it back.
Line 3 in both scripts opens the file either for reading (r) or writing (w) and assigns it to a filehandle (somefile or otherfile). Later in the script, wherever these filehandles appear, input or output is being passed to the open file.
When reading from the file, lines 4 and 5 loop through the file line by line until the end of the file is reached. Each line that is read is put to the screen.
Both scripts close the file before they exit.
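The following script is an added example, not taken from the FortiManager guide. It puts the file IO rules above together: it writes a small key-value inventory to a bare file name in the script directory, reads it back line by line with gets, handles a failed open with catch, and removes the file with file delete, the only file subcommand the runtime supports. The file name tcl_inventory, the procs write_inventory and read_inventory, and the inventory values are all constructed for the example; the script uses only standard Tcl, so it also runs unchanged under a normal tclsh.

```tcl
#!
# Added example (not from the FortiManager guide): write a key-value
# inventory to a file, read it back, and delete it, using only the
# file IO commands the FortiManager Tcl runtime supports.

# Write: one "key value" line per pair. The file name must be a bare
# name (no directory), as the guide requires.
proc write_inventory {fname pairs} {
    if {[catch {open $fname w} fh]} {
        puts stderr "Could not open $fname for writing: $fh"
        return 0
    }
    foreach {key value} $pairs {
        puts $fh "$key $value"
    }
    close $fh
    return 1
}

# Read: loop with gets until it returns -1 (end of file) and parse each
# line back into the named array. Blank or malformed lines are skipped
# rather than aborting the script.
proc read_inventory {fname aname} {
    upvar $aname a
    if {[catch {open $fname r} fh]} {
        puts stderr "Could not open $fname for reading: $fh"
        return 0
    }
    set count 0
    while {[gets $fh line] >= 0} {
        set line [string trim $line]
        if {$line eq ""} continue
        if {![regexp {^(\S+)\s+(.*)$} $line -> key value]} continue
        set a($key) $value
        incr count
    }
    close $fh
    return $count
}

# Constructed sample data; the serial and version are placeholders.
set inventory {Hostname FortiGate-VM64 Serial PLACEHOLDER-SERIAL Version v5.0.0}

if {[write_inventory "tcl_inventory" $inventory]} {
    set n [read_inventory "tcl_inventory" status]
    puts "read $n entries"
    foreach key [lsort [array names status]] {
        puts "$key = $status($key)"
    }
    # The 10 MB script area is shared by all scripts, so remove scratch
    # files when they are no longer needed. -force is not supported.
    file delete "tcl_inventory"
}
```

Because the open calls are wrapped in catch, a missing or unwritable file produces a message on stderr and a zero return rather than an uncaught error, which is the pattern the Troubleshooting Tips section recommends.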
Troubleshooting Tips
This section includes suggestions to help you find and fix problems you may be having with your scripts.
- Make sure the commands you are trying to execute are valid for the version of FortiOS running on your target FortiGate device.
- You should always use braces when evaluating code that may contain user input, to avoid possible security breaches. To illustrate the danger, consider this interactive session:
% set userinput {[puts DANGER!]}
[puts DANGER!]
% expr $userinput == 1
DANGER!
0
% expr {$userinput == 1}
0
In the first example, the code contained in the user-supplied input is evaluated, whereas in the second the braces prevent this potential danger. As a general rule, always surround expressions with braces, whether using expr directly or some other command that takes an expression.
- A number that includes a leading zero or zeros, such as 0500 or 0011, is interpreted as an octal number, not a decimal number. So 0500 is actually 320 in decimal, and 0011 is 9 in decimal.
- There is a limit to the number of scripts allowed on the FortiManager unit. Try removing an old script before trying to save your current one.
- Using the Tcl command "catch" you can add custom error messages in your script to alert you to problems during the script execution. When catch encounters an error it will return 1, but if there is no error it will return 0. For example:
if { [catch {open $someFile w} fid] } {
    puts stderr "Could not open $someFile for writing\n$fid"
    exit 1 ;# error opening the file!
} else {
    # put the rest of your script here
}
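As an added example that is not part of the guide, the following script combines three of the points above: braced expressions, validation of a value before it is interpolated into a CLI command string, and decimal parsing of numbers that carry leading zeros. The procs valid_hostname, parse_decimal and build_admintimeout are hypothetical helpers written for this example, and the 1 - 480 range used for admintimeout is an assumption made only for the range check. The script runs under a plain tclsh; it builds command strings but sends nothing to a device.

```tcl
#!
# Added example (not from the FortiManager guide): validate values before
# they reach a CLI command, keep every expr braced, and read numbers with
# leading zeros as decimal.

# Accept only a conservative hostname character set before the value is
# placed inside a command string.
proc valid_hostname {name} {
    return [regexp {^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$} $name]
}

# Parse a run of digits as a decimal integer, so "0500" becomes 500
# rather than octal 320. Returns an empty string for anything else.
# (string is integer is avoided on purpose: it applies octal rules too.)
proc parse_decimal {text} {
    if {![regexp {^[0-9]+$} $text]} { return "" }
    scan $text %d value
    return $value
}

# Build the admintimeout command only after the value has been parsed and
# range-checked. The 1 - 480 range is an assumption for this example.
# An unbraced "expr $minutes >= 1" would evaluate anything hidden in
# $minutes; the braced form compares it as data.
proc build_admintimeout {minutes} {
    set n [parse_decimal $minutes]
    if {$n eq "" || !($n >= 1 && $n <= 480)} {
        error "admintimeout must be an integer between 1 and 480, got: $minutes"
    }
    return "set admintimeout $n"
}

# Constructed inputs, including the hostile string from the session above.
set hostile {[puts DANGER!]}

# Braced: the string is compared as data and nothing inside it runs.
puts "braced compare on hostile input: [expr {$hostile == 1}]"
puts "valid_hostname FortiGate-VM64: [valid_hostname FortiGate-VM64]"
puts "valid_hostname on hostile input: [valid_hostname $hostile]"
puts "parse_decimal 0500: [parse_decimal 0500]"
puts "parse_decimal 0011: [parse_decimal 0011]"

# catch turns a rejected value into a message instead of a script abort.
foreach candidate {30 0440 0 abc} {
    if {[catch {build_admintimeout $candidate} result]} {
        puts "rejected '$candidate': $result"
    } else {
        puts "accepted '$candidate': $result"
    }
}
```

The same pattern applies to the earlier scripts on this page: any value that comes from device output (such as the Hostname parsed by get_sys_status) or from an editable variable at the top of a script should pass a check like valid_hostname before it is spliced into a fgt_cmd string.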
Use Tcl script to access FortiManager's device database or ADOM database
You can use Tcl script to access FortiManager's device database or ADOM database (local database).
Example 1:
Run the Tcl script on an ADOM database for a specific policy package. For example, creating a new policy or object:
Syntax:
puts [exec_ondb "/adom//pkg/" "embedded cli commands" "# "]
Usage:
puts [exec_ondb "/adom/52/pkg/default" "
config firewall address
edit port5_address
next
end
" "# "]
Example 2:
Run the Tcl script on the current ADOM database for a specific policy package. For example, creating a new policy and object:
Syntax:
puts [exec_ondb "/adom/./pkg/" "embedded cli commands" "# "]
or
puts [exec_ondb "/pkg/" "embedded cli commands" "# "]
Usage:
puts [exec_ondb "/adom/./pkg/default" "
config firewall address
edit port5_address
next
end
" "# "]
Example 3:
Run Tcl script on a specific device in an ADOM:
Syntax:
puts [exec_ondb "/adom//device/" "embedded cli commands" "# "]
Usage:
puts [exec_ondb "/adom/v52/device/FGT60CA" "
config global
config system global
set admintimeout 440
end
end
" "# "]
Example 4:
Run Tcl script on the current device in an ADOM:
Syntax:
puts [exec_ondb "/adom//device/." "embedded cli commands" "# "]
Usage:
puts [exec_ondb "/adom/v52/device/." "
config global
config system global
set admintimeout 440
end
end
" "# "]
exec_ondb cannot be run on the Global ADOM.
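The following wrapper is an added example, not part of the guide or of the FortiManager product. It builds the /adom/<name>/device/<name> path used in examples 3 and 4 from separate ADOM and device names, rejects names that could alter the path, and applies one CLI block to a list of devices while catching errors per device. The procs valid_db_name, run_on_device and run_on_devices are hypothetical; the ADOM v52, the device FGT60CA and the admintimeout value 440 come from the examples above, while FGT60CB and the malformed name bad/name are constructed. Because exec_ondb exists only inside the FortiManager script runtime, the block defines an offline stand-in when the command is absent so the control flow can be tried under a plain tclsh.

```tcl
#!
# Added example (not from the FortiManager guide): a wrapper around
# exec_ondb that validates path components and runs one CLI block on
# several devices of an ADOM.

# exec_ondb is provided by the FortiManager runtime. Under a plain tclsh
# it does not exist, so a stand-in that only echoes the request is
# defined; on FortiManager this branch is skipped.
if {[info commands exec_ondb] eq ""} {
    proc exec_ondb {path cli prompt} {
        return "(offline stand-in) would run on $path:$cli"
    }
}

# ADOM and device names are limited to a conservative character set so a
# value cannot change the database path (for example by containing "/").
proc valid_db_name {name} {
    return [regexp {^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$} $name]
}

# Run the CLI block on one device of one ADOM. "." means the current
# ADOM or device, as in examples 2 and 4 above.
proc run_on_device {adom device cli} {
    foreach n [list $adom $device] {
        if {$n ne "." && ![valid_db_name $n]} {
            error "refusing to build a database path from '$n'"
        }
    }
    return [exec_ondb "/adom/$adom/device/$device" $cli "# "]
}

# The same change on several devices. Errors are caught per device so
# one bad entry does not stop the loop; the result is a list of
# device/output pairs.
proc run_on_devices {adom devices cli} {
    set results {}
    foreach dev $devices {
        if {[catch {run_on_device $adom $dev $cli} out]} {
            lappend results $dev "ERROR: $out"
        } else {
            lappend results $dev $out
        }
    }
    return $results
}

# CLI block taken from example 3 above.
set cli "
config global
config system global
set admintimeout 440
end
end
"

# Constructed device list: one name from the guide, one made-up peer, and
# one malformed entry that the validator must reject.
set devices {FGT60CA FGT60CB bad/name}
foreach {dev out} [run_on_devices v52 $devices $cli] {
    puts "== $dev =="
    puts $out
}
```

The validator is what keeps the script from being steered to a different ADOM or device by a name that was pasted in from elsewhere; the per-device catch is what keeps a typo in one name from leaving the remaining devices unconfigured.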
SD-WAN
Go to Device Manager > SD-WAN to configure SD-WAN templates and assign FortiGate devices to the templates.
SD-WAN templates help you do the following:
- Deploy a single SD-WAN template from FortiManager across multiple FortiGate devices.
- Perform a zero-touch deployment without manual configuration locally at the FortiGate devices.
- Roll out a uniform SD-WAN configuration across your network.
- Eliminate errors in SD-WAN configuration across multiple FortiGate devices, since the SD-WAN template is applied centrally from FortiManager.
- Monitor network Performance SLA across multiple FortiGate devices centrally from FortiManager.
- Monitor the performance of your SD-WAN with multiple views.
Using SD-WAN templates consists of the following steps:
1. Specify the ports where the SD-WAN settings will be applied. See Interface members on page 127.
2. Specify the health-check servers that will monitor the network parameters. See Health-Check Servers on page 135.
3. Create an SD-WAN template that includes the following:
a. Add Interface Members - add the Interface Members created in step 1.
b. Performance SLA - create a Performance SLA. Add the Interface Member and Health Check Servers.
c. SD-WAN Rules - create rules and configure advanced options on network traffic management.
See SD-WAN templates on page 129.
4. Assign a FortiGate device to the SD-WAN template. See Assigned devices on page 137.
5. Install device settings using the Install Wizard. See Using the Install Wizard to install device settings only on page 69.
6. Go to SD-WAN > Monitor to monitor the FortiGate devices. See Monitor SD-WAN on page 138.
The SD-WAN template takes effect on the FortiGate device only after it is installed using the Install Wizard. After installing the SD-WAN template on the FortiGate device, changing settings in SD-WAN, Performance SLA, or SD-WAN Rules locally on the FortiGate device will result in the SD-WAN template on the FortiManager being out of sync with the FortiGate device. You must configure the same settings on the FortiManager SD-WAN template and install it again using the Install Wizard to be in sync with the settings on the FortiGate.
Enabling central SD-WAN management
Central SD-WAN management can be enabled per ADOM. When enabled, the SD-WAN tab shows the following items on the left pane:
- Assigned Devices
- SD-WAN Templates
- Interface Members
- Health-Check Servers
- Monitor
To enable central SD-WAN management:
1. Go to System Settings > All ADOMs.
2. Select the ADOM and click Edit in the toolbar, or right-click the ADOM and select Edit from the pop-up menu. The Edit ADOM window opens. (See Editing an ADOM on page 403.)
3. Next to Central Management, select the SD-WAN check box.
4. Click OK.
Interface members
Create new WAN interface members.
To create a new interface member:
1. Ensure that you are in the correct ADOM and that central SD-WAN management is enabled.
2. Go to Device Manager > SD-WAN > Interface Members.
3. Click Create New in the content pane toolbar, or right-click and select Create New. The Create New WAN Interface page opens.
4. Enter the following information, then click OK to create the new WAN interface:
Name: Enter the name of the WAN detect server.
Description: Enter a description of the server.
Default Interface: Specify the default interface for the WAN link.
Gateway: The default gateway for this interface. Usually the default gateway of the Internet service provider that this interface is connected to.
Weight: Weight of this interface for weighted load balancing (0 - 255). More traffic is directed to interfaces with higher weights.
Volume Ratio: Measured volume ratio (this value / sum of all values = percentage of link volume, 0 - 255).
Per-Device Mapping: Enable per-device mapping. See Per-device mapping on page 128.
Advanced Options:
    gateway6: IPv6 gateway address.
    ingress-spillover-threshold: Ingress spillover threshold for this interface (0 - 16776000 kbit/s). When this traffic volume threshold is reached, new sessions spill over to other interfaces in the SD-WAN.
    priority: Priority of the interface (0 - 4294967295). Used for SD-WAN rules or priority rules.
    source: Source IPv4 address.
    source6: Source IPv6 address.
    spillover-threshold: Egress spillover threshold for this interface (0 - 16776000 kbit/s). When this traffic volume threshold is reached, new sessions spill over to other interfaces in the SD-WAN.
    status: Enable/disable the interface.
To edit an interface member:
1. If using ADOMs, ensure that you are in the correct ADOM.
2. Go to Device Manager > SD-WAN > Interface Members.
3. Select the interface member from the list and click Edit in the toolbar, or right-click the interface then select Edit. The Edit WAN Interface page opens.
4. Edit the interface as required, and click OK to apply your changes.
To delete an interface member or members:
1. If using ADOMs, ensure that you are in the correct ADOM.
2. Go to Device Manager > SD-WAN > Interface Members.
3. Select the interface or interfaces from the list and click Delete in the toolbar, or right-click the interface and select Delete.
4. Click OK in the confirmation dialog box to delete the interface or interfaces.
Per-device mapping
To add WAN interface per-device mapping:
1. If using ADOMs, ensure that you are in the correct ADOM.
2. Go to Device Manager > SD-WAN > Interface Members.
3. Click Create New in the content pane toolbar, or right-click and select Create New. The Create New WAN Interface page opens.
4. Enable Per-Device Mapping.
5. Click Create New in the per-device mapping toolbar. The Create New Interface Member dialog box opens.
6. Select a Mapped Device then an Interface from the drop-down lists.
7. Enter the Gateway IP address, Weight, Volume, and Advanced Options.
8. Click OK.
To edit WAN interface per-device mapping:
1. If using ADOMs, ensure that you are in the correct ADOM.
2. Go to Device Manager > SD-WAN > Interface Members.
3. Click Create New in the content pane toolbar, or right-click and select Create New. The Create New WAN Interface page opens.
4. Select a per-device mapping then click Edit in the per-device mapping toolbar. The Edit Interface Member dialog box opens.
5. Edit the settings as required, then click OK.
To delete WAN interface per-device mappings:
1. If using ADOMs, ensure that you are in the correct ADOM.
2. Go to Device Manager > SD-WAN > Interface Members.
3. Click Create New in the content pane toolbar, or right-click and select Create New. The Create New WAN Interface page opens.
4. Select one or more per-device mappings, then click Delete in the per-device mapping toolbar.
5. Click OK in the confirmation dialog box to delete the mapping or mappings.
SD-WAN templates
Create an SD-WAN template with the required network parameters. Create the interface members and health-check servers before adding them to the SD-WAN template. See Interface members on page 127 and Health-Check Servers on page 135.
To create a new SD-WAN template:
1. Ensure that you are in the correct ADOM and that central SD-WAN management is enabled.
2. Go to Device Manager > SD-WAN > SD-WAN Template.
3. Click Create New in the content pane toolbar, or right-click and select Create New. The Create New page opens.
4. Enter the following information and click OK to create the new SD-WAN template:
Name: Enter the name of the template.
Description: Enter a description of the template.
SD-WAN Status: Select On or Off.
Interface Members: Interface members can be added, edited, and removed. An interface member must be created before it can be added to a template; see Interface members on page 127.
Performance SLA: See Performance SLA on page 131.
SD-WAN Rules: See SD-WAN rules on page 133.
Advanced Options:
    fail-alert-interfaces: Names of the FortiGate interfaces from which the link failure alert is sent for this interface.
    fail-detect: Enable/disable fail detection features for this interface.
To edit an SD-WAN template:
1. If using ADOMs, ensure that you are in the correct ADOM.
2. Go to Device Manager > SD-WAN > SD-WAN Template.
3. Select the template from the list and click Edit in the toolbar, or right-click the template and select Edit. The Edit page opens.
4. Edit the template as required, and click OK to apply your changes.
To delete an SD-WAN template or templates:
1. If using ADOMs, ensure that you are in the correct ADOM.
2. Go to Device Manager > SD-WAN > SD-WAN Template.
3. Select the template or templates from the list and click Delete in the toolbar, or right-click the template and select Delete.
4. Click OK in the confirmation dialog box to delete the template or templates.
Performance SLA
Create a Performance SLA in FortiManager that can be used to monitor the SD-WAN performance in FortiGate devices. If all links meet the SLA criteria, the FortiGate uses the first link, even if that link isn't the best quality. If at any time the link in use doesn't meet the SLA criteria, and the next link in the configuration meets the SLA criteria, the FortiGate changes to that link. If the next link doesn't meet the SLA criteria, the FortiGate uses the next link in the configuration if it meets the SLA criteria, and so on.
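To make the selection rule concrete, here is an added example, not from the guide, that models it in Tcl: links are kept in configuration order with constructed jitter, latency and packet loss measurements, a link meets the SLA when it is within every enabled threshold, and the first link in configuration order that meets the SLA is the one used, even when a later link measures better. The procs meets_sla and select_link are hypothetical, and the thresholds and measurements are made-up values. The guide does not state what the FortiGate does when no link meets the SLA, so the model simply returns an empty name in that case.

```tcl
#!
# Added example (not from the FortiManager guide): a model of SLA-based
# link selection in configuration order.

# thresholds: dict with any of jitter (ms), latency (ms), loss (percent).
# A key that is absent means that threshold is not enabled.
# m: dict of the link's measured jitter, latency and loss.
proc meets_sla {thresholds m} {
    foreach metric {jitter latency loss} {
        if {[dict exists $thresholds $metric] && [dict get $m $metric] > [dict get $thresholds $metric]} {
            return 0
        }
    }
    return 1
}

# links: flat list of name/measurements pairs in configured order.
# Returns the first link that meets the SLA, or "" if none does.
proc select_link {thresholds links} {
    foreach {name m} $links {
        if {[meets_sla $thresholds $m]} { return $name }
    }
    return ""
}

# Constructed SLA: jitter 30 ms, latency 150 ms, packet loss 2 percent.
set sla [dict create jitter 30 latency 150 loss 2]

# Scenario 1: both links are within SLA. wan1 is chosen because it is
# first in the configuration, although wan2 measures better.
set links1 {wan1 {jitter 20 latency 120 loss 1} wan2 {jitter 5 latency 40 loss 0}}
puts "both in SLA: [select_link $sla $links1]"

# Scenario 2: wan1 exceeds the latency threshold, so wan2 takes over.
set links2 {wan1 {jitter 20 latency 200 loss 1} wan2 {jitter 5 latency 40 loss 0}}
puts "wan1 out of SLA: [select_link $sla $links2]"

# Scenario 3: wan1 fails on jitter and wan2 on packet loss; no link
# meets the SLA and the model reports an empty name.
set links3 {wan1 {jitter 60 latency 200 loss 1} wan2 {jitter 5 latency 40 loss 5}}
puts "none in SLA: '[select_link $sla $links3]'"
```

Scenario 1 is the behaviour to keep in mind when ordering interface members in a template: the order, not the measured quality, decides which in-SLA link carries traffic.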
To create a new performance SLA:
1. Ensure that you are in the correct ADOM and that central SD-WAN management is enabled.
2. Go to Device Manager > SD-WAN > SD-WAN Template.
3. Click Create New in the content pane toolbar, or right-click and select Create New. The Create New page opens.
4. In the Performance SLA toolbar, click Create New. The Create Performance SLA dialog box opens.
5. Enter the following information, and click OK to create the performance SLA:
Name: Enter the name of the performance SLA.
Detect Protocol: Select the detection method for the profile check:
    - Ping
    - TCP ECHO
    - UDP ECHO
    - HTTP
    - TWAMP
Detect Server: Enter the IP address of the WAN interface that you want to monitor.
Member: Select available interface members. The interfaces must already be added to the template.
SLA: Click Create New to create a new SLA. Enable and enter the Jitter Threshold (in milliseconds), Latency Threshold (in milliseconds), and Packet Loss Threshold (in percent), then click OK to create the SLA. SLAs can also be edited and deleted as required.
Link Status:
    Interval: Status check interval, or the time between attempting to connect to the server, in seconds (1 - 3600, default = 1).
    Failure Before Inactive: Specify the number of failures before the link becomes inactive (1 - 10, default = 5).
    Restore Link After: Specify the number of successful responses received before the server is considered recovered (1 - 10, default = 5).
Action When Inactive: Specify what happens when the WAN link becomes inactive.
    Update Static Route: Select to update the static route when the WAN link becomes inactive.
    Cascade Interfaces: Select to cascade interfaces when the WAN link becomes inactive.
Advanced Options:
    addr-mode: Address mode (IPv4 or IPv6).
    http-get: URL used to communicate with the server if the protocol is HTTP.
    http-match: Response string expected from the server if the protocol is HTTP.
    interval: Status check interval, or the time between attempting to connect to the server, in seconds (1 - 3600, default = 5).
    packet-size: Packet size of a TWAMP test session (64 - 1024).
    threshold-alert-jitter: Alert threshold for jitter, in milliseconds (0 - 4294967295, default = 0).
    threshold-alert-latency: Alert threshold for latency, in milliseconds (0 - 4294967295, default = 0).
    threshold-alert-packetloss: Alert threshold for packet loss, in percent (0 - 100, default = 0).
    threshold-warning-jitter: Warning threshold for jitter, in milliseconds (0 - 4294967295, default = 0).
    threshold-warning-latency: Warning threshold for latency, in milliseconds (0 - 4294967295, default = 0).
    threshold-warning-packetloss: Warning threshold for packet loss, in percent (0 - 100, default = 0).
SD-WAN rules
Configure SD-WAN rules for WAN links by specifying the required network parameters. The SD-WAN rules are applied to the FortiGate device when the SD-WAN template is applied.
To create a new SD-WAN rule:
1. Ensure that you are in the correct ADOM and that central SD-WAN management is enabled.
2. Go to Device Manager > SD-WAN > SD-WAN Template.
3. Click Create New in the content pane toolbar, or right-click and select Create New. The Create New page opens.
4. In the SD-WAN Rules toolbar, click Create New. The Create New SD-WAN Rule dialog box opens.
5. Enter the following information, then click OK to create the new SD-WAN rule:
Name: Enter the name of the rule.
Source:
    Address: Add one or more addresses from the drop-down.
    Users: Add one or more users from the drop-down.
    User Groups: Add one or more groups from the drop-down.
Destination:
    Address: Select an address or addresses from the drop-down list. This option is only available when Destination is Address.
    Internet Service: Select a service or services from the drop-down list. This option is only available when Destination is Internet Service.
    Internet Service Group: Select a service group or groups from the drop-down list. This option is only available when Destination is Internet Service.
    Custom Internet Service: Select a service or services from the drop-down list. This option is only available when Destination is Internet Service.
    Custom Internet Service Group: Select a service group or groups from the drop-down list. This option is only available when Destination is Internet Service.
    Application: Select an application or applications from the drop-down list. This option is only available when Destination is Internet Service.
    Application Group: Select an application group or groups from the drop-down list. This option is only available when Destination is Internet Service.
Protocol: Select the protocol, or specify the protocol number.
Port Range: Enter the port range. This option is only available when the protocol is TCP or UDP.
Type of Service: Specify the type of service and bit mask. This option is only available when the protocol is set to Specify.
Outgoing Interface: Select Best Quality or Minimum Quality (SLA).
Interface Members: Select interface members.
Status Check: This option is only available when the outgoing interface is Best Quality.
Require SLA Target: This option is only available when the outgoing interface is Minimum Quality (SLA).
Advanced Options:
    addr-mode: Address mode (IPv4 or IPv6).
    bandwidth-weight: Coefficient of reciprocal of available bidirectional bandwidth in the formula of custom-profile-1, range [0-10000000].
    dscp-forward: Enable/disable forward traffic DSCP tag.
    dscp-forward-tag: Forward traffic DSCP tag.
    dscp-reverse: Enable/disable reverse traffic DSCP tag.
    dscp-reverse-tag: Reverse traffic DSCP tag.
    dst-negate: Enable/disable negation of destination address match.
    dst6: Destination IPv6 address name.
    input-device: Source interface name.
    internet-service-ctrl: Control-based Internet Service ID list.
    internet-service-ctrl-group: Control-based Internet Service ID, range [0-4294967295].
    internet-service-custom-group: Custom Internet Service group list.
    internet-service-group: Internet Service group list.
    jitter-weight: Coefficient of jitter in the formula of custom-profile-1, range [0-10000000].
    latency-weight: Coefficient of latency in the formula of custom-profile-1, range [0-10000000].
    link-cost-threshold: Percentage threshold change of link cost values that will result in policy route regeneration (0 - 10000000, default = 10).
    packet-loss-weight: Coefficient of packet-loss in the formula of custom-profile-1, range [0-10000000].
    route-tag: IPv4 route map route-tag, range [0-4294967295].
    src-negate: Enable/disable negation of source address match.
    src6: Source IPv6 address name.
    status: Enable/disable SD-WAN service.
Health-Check Servers
Configure health-check servers for the FortiGate unit to verify that real servers are able to respond to network connection attempts. If a real server responds to connection attempts, the load balancer continues to send sessions to it. If a real server stops responding to connection attempts, the load balancer assumes that the server is down and does not send sessions to it. The health-check server configuration determines how the load balancer tests the real servers. You can use a single health-check server for multiple load balancing configurations.
To add a health-check server:
1. Ensure that you are in the correct ADOM and that central SD-WAN management is enabled.
2. Go to Device Manager > SD-WAN > Health-Check Servers.
3. Click Create New in the content pane toolbar. The Create New WAN Detect Server page opens.
4. Enter the following information, then click OK to add the server:
Name: Enter the name of the WAN detect server.
Description: Enter a description of the server.
Detect Server: Enter the IP address of the WAN interface that you want to monitor. Click the plus icon to add more interfaces.
Per-Device Mapping: Enable per-device mapping. See Per-device mapping on page 136.
To edit a health-check server:
1. If using ADOMs, ensure that you are in the correct ADOM.
2. Go to Device Manager > SD-WAN > Health-Check Servers.
3. Select the server from the list and click Edit in the toolbar, or right-click the server then select Edit. The Edit WAN Detect Server page opens.
4. Edit the server as required, then click OK to apply your changes.
To delete a health-check server or servers:
1. If using ADOMs, ensure that you are in the correct ADOM.
2. Go to Device Manager > SD-WAN > Health-Check Servers.
3. Select the server or servers from the list and click Delete in the toolbar, or right-click the server then select Delete.
4. Click OK in the confirmation dialog box to delete the server or servers.
Per-device mapping
Adding a Health-Check Server makes it the default server for all VDOMs on the FortiGate device. With per-device mapping, you can add a different Health-Check Server for each VDOM on the FortiGate device.
To add health-check per-device mapping:
1. Ensure that you are in the correct ADOM and that central SD-WAN management is enabled.
2. Go to Device Manager > SD-WAN > Health-Check Servers.
3. Click Create New in the content pane toolbar. The Create New WAN Detect Server page opens.
4. Enable Per-Device Mapping.
5. Click Create New in the per-device mapping toolbar.
6. Select a Mapped Device from the drop-down list.
7. Enter the Detect Server IP address, and add additional detect servers as needed.
8. Click OK.
To edit health-check per-device mapping:
1. If using ADOMs, ensure that you are in the correct ADOM.
2. Go to Device Manager > SD-WAN > Health-Check Servers.
3. Click Create New in the content pane toolbar, or right-click and select Create New. The Create New WAN Detect Server page opens.
4. Select a per-device mapping then click Edit in the per-device mapping toolbar.
5. Edit the settings as required, then click OK.
To delete health-check per-device mappings:
1. If using ADOMs, ensure that you are in the correct ADOM.
2. Go to Device Manager > SD-WAN > Health-Check Servers.
3. Click Create New in the content pane toolbar, or right-click and select Create New. The Create New WAN Detect Server page opens.
4. Select one or more per-device mappings, then click Delete in the per-device mapping toolbar.
5. Click OK in the confirmation dialog box to delete the mapping or mappings.
Assigned devices
Assign a FortiGate device to an SD-WAN template. The network parameters specified in the SD-WAN template are used to measure the performance of the WAN link on the FortiGate device.
To assign a FortiGate device to the SD-WAN template:
1. Ensure that you are in the correct ADOM and that central SD-WAN management is enabled.
2. Go to Device Manager > SD-WAN > Assigned Devices.
3. Click Create New in the content pane toolbar, or right-click and select Create New. The Create New page opens.
4. Select a FortiGate and WAN Template from the drop-down lists. The Interface Mapping table will be populated with the interface members that are in the selected template.
5. Click OK.
To edit an assigned device:
1. If using ADOMs, ensure that you are in the correct ADOM.
2. Go to Device Manager > SD-WAN > Assigned Devices.
3. Select the assigned device from the list, and click Edit in the toolbar, or right-click the device and select Edit. The Edit page opens.
4. Edit the FortiGate and WAN template as required, and click OK to apply your changes.
To delete an assigned device or devices:
1. If using ADOMs, ensure that you are in the correct ADOM.
2. Go to Device Manager > SD-WAN > Assigned Devices.
3. Select the assigned device or devices from the list and click Delete in the toolbar, or right-click the device and select Delete.
4. Click OK in the confirmation dialog box to delete the assigned device or devices.
Monitor SD-WAN
After adding the Interface Members, Health-Check Servers, creating SD-WAN templates, and assigning devices to the
SD-WAN template, go to SD-WAN > Monitor to monitor the FortiGate devices.
The FortiGate devices can be monitored from two views, Map View and Table View.
To monitor SD-WAN with Map View:
1. Click Map View to view the SD-WAN links on Google Maps.
2. Hover over the SD-WAN icon. The following information is shown:
Interface Interface members.
Performance SLA Shows whether the interface is meeting the performance SLA criteria.
Jitter (ms) Actual value of jitter.
Latency (ms) Actual value of latency.
Packet Loss (%) Actual value of packet loss.
Bandwidth (TX/RX) Bandwidth of data transmitted and received.
Volume (TX/RX) Volume of data transmitted and received.
Session Number of active sessions.
Select Show Unhealthy Devices only to show only the devices that do not meet the
Performance SLA criteria.
To monitor SD-WAN with Table View:
1. Click Table View to view the SD-WAN parameters for each device.
The following information is shown for each device:
Device Name of the device.
SD-WAN Interface members.
Internet Services Add or remove the Internet Services from the Services Settings drop-down.
The data is shown for the selected Internet Services. The Internet Services
are specified in SD-WAN Rules > Destination type > Internet Service in
FortiGate.
Applications Add or remove the Applications from the Services Settings drop-down. The
data is shown for the selected applications. The applications are specified in
SD-WAN Rules > Destination type > Internet Service in FortiGate.
Upload Volume of data transmitted upstream.
Download Volume of data transmitted downstream.
Automatic Refresh FortiManager extracts the data from FortiGate devices based on the refresh
settings. Select the automatic refresh interval from Every 5 Minutes to Every
30 Minutes. Alternatively, you can select Manual Refresh to refresh the data
manually.
Hover over a service for a device that is shown in red. A pop-up shows the parameters that
have failed the SLA criteria.
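The three numbers the monitor reports for each interface member (latency, jitter and packet loss) are derived from the replies to the health-check probes, and the Performance SLA verdict is those numbers compared against the thresholds. The following is an added example, not FortiManager or FortiOS code: it takes constructed probe round-trip times (None for a lost probe), computes the three metrics, applies constructed SLA thresholds, and reproduces the "Show Unhealthy Devices only" filter. The jitter formula (mean absolute difference between consecutive round-trip times) and the sample values are assumptions made for illustration.

```python
"""Derive SD-WAN health-check metrics from raw probe results and apply an SLA.

Added example, not FortiManager/FortiOS code. Probe samples, SLA thresholds and
the jitter formula are assumptions for illustration only."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence


@dataclass(frozen=True)
class Sla:
    """SLA thresholds for the three metrics the Map View reports."""
    max_latency_ms: float
    max_jitter_ms: float
    max_packet_loss_pct: float


@dataclass(frozen=True)
class LinkHealth:
    interface: str
    latency_ms: float
    jitter_ms: float
    packet_loss_pct: float
    meets_sla: bool


def measure(interface: str, rtts_ms: Sequence[Optional[float]], sla: Sla) -> LinkHealth:
    """rtts_ms holds one entry per probe: the round-trip time in ms, or None when
    no reply arrived (counted as packet loss)."""
    if not rtts_ms:
        raise ValueError("no probe samples for %s" % interface)
    answered = [r for r in rtts_ms if r is not None]
    packet_loss = 100.0 * (len(rtts_ms) - len(answered)) / len(rtts_ms)
    if not answered:
        # Nothing answered: no measurable latency or jitter, so the link fails SLA.
        return LinkHealth(interface, float("inf"), float("inf"), packet_loss, False)
    latency = sum(answered) / len(answered)
    # Jitter as the mean absolute change between consecutive answered probes
    # (assumed formula); a single answered probe has no variation.
    diffs = [abs(b - a) for a, b in zip(answered, answered[1:])]
    jitter = sum(diffs) / len(diffs) if diffs else 0.0
    ok = (latency <= sla.max_latency_ms
          and jitter <= sla.max_jitter_ms
          and packet_loss <= sla.max_packet_loss_pct)
    return LinkHealth(interface, round(latency, 2), round(jitter, 2),
                      round(packet_loss, 2), ok)


def unhealthy(members: Sequence[LinkHealth]) -> List[str]:
    """Equivalent of 'Show Unhealthy Devices only': members failing the SLA."""
    return [m.interface for m in members if not m.meets_sla]


# Constructed sample: five probes per member, None = probe got no reply.
SLA = Sla(max_latency_ms=150, max_jitter_ms=30, max_packet_loss_pct=5)
SAMPLE_PROBES: Dict[str, List[Optional[float]]] = {
    "wan1": [20.0, 22.0, 21.0, 23.0, 20.0],      # stable, no loss
    "wan2": [80.0, 140.0, 90.0, None, 130.0],    # jittery, one probe lost
    "wan3": [None, None, None, None, None],      # dead link
}


def report(probes=SAMPLE_PROBES, sla: Sla = SLA) -> List[LinkHealth]:
    """Measure every member; the result is what the monitor table would show."""
    return [measure(name, samples, sla) for name, samples in probes.items()]


if __name__ == "__main__":
    for health in report():
        print(health)
    print("unhealthy:", unhealthy(report()))
```

Note that a member with 20% loss and 50 ms jitter fails the SLA even though its 110 ms average latency is within limits: every metric must pass, which is why the monitor lists each failed parameter separately in the pop-up.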
FortiExtender
FortiExtender is centrally managed from the Device Manager pane. When a FortiGate in the ADOM has managed
FortiExtender devices, they are listed in an All FortiExtender group.
FortiExtender can be managed by a FortiGate running FortiOS 5.2 or later.
To view managed FortiExtender devices, go to Device Manager > Extender.
The following information is displayed:
Device Name The name of the FortiGate device that is managing the FortiExtender.
Serial Number The serial number of the FortiExtender.
Priority The FortiExtender priority, either Primary or Secondary.
Model The FortiExtender model.
Management Status The FortiExtender management status, either Authorized or Deauthorized.
Status The FortiExtender status, either Up or Down.
Network The FortiExtender network status and carrier name.
Current Usage The current data usage.
Last Month Usage The data usage for the last month.
Version The FortiExtender firmware version.
IP The FortiExtender IP address.
The right-click menu and toolbar options include:
Refresh Select a FortiExtender in the list, right-click, and select Refresh in the menu to
refresh the information displayed.
Edit Select a FortiExtender in the list, right-click, and select Edit in the menu to edit
the FortiExtender modem settings, PPP authentication, general, GSM/LTE, and
CDMA settings.
Upgrade Select a FortiExtender in the list, right-click, and select Upgrade in the menu to
upgrade the FortiExtender firmware.
Authorize Select a FortiExtender in the list, right-click, and select Authorize in the menu to
authorize the unit for management.
Deauthorize Select a FortiExtender in the list, right-click, and select Deauthorize in the menu
to deauthorize the unit for management.
Restart Select a FortiExtender in the list, right-click, and select Restart in the menu to
restart the unit.
Set Primary Select a FortiExtender in the list, right-click, and select Set Primary in the menu
to set the unit as the primary device.
Status Select a FortiExtender in the list, right-click, and select Status in the menu to
view status information including system status, modem status, and data usage.
To edit a FortiExtender:
1. Go to Device Manager > Extender.
2. Select a FortiExtender and click Edit in the toolbar, or right-click the FortiExtender device, and select Edit. The Edit
FortiExtender page opens.
3. Configure the following settings, then click OK to save the settings:
Modem Settings Configure the dial mode, redial limit, and quota limit.
PPP Authentication Configure the user name, password, and authentication protocol.
General Configure the usage cycle reset day, AT dial script, modem password, and
enable/disable allowing network initiated updates to modem settings.
GSM / LTE Configure the access point name (APN), SIM PIN, and LTE multiple mode.
CDMA Configure the NAI, AAA shared secret, HA shared secret, primary HA,
secondary HA, AAA SPI, and HA SPI.
FortiMeter
FortiMeter allows you to turn FortiOS VMs and FortiWeb OS VMs on and off as needed, paying only for the volume of
traffic that you use. These VMs are also sometimes called pay-as-you-go VMs.
You must meet the following requirements to use metered VMs:
l You must have a FortiMeter license.
l The FortiMeter license must be linked with the FortiManager unit by using FortiCare.
FortiOS VMs
FortiManager supports the following types of licenses for FortiMeter:
l Prepaid: FortiOS VM usage is prepaid by purchasing points.
l Postpaid: The FortiOS VM is billed monthly based on usage.
The license determines whether FortiMeter is prepaid or postpaid.
The VM deployment packages are included with firmware images on the Customer Service & Support site, and have
the following format: FOS_VMxx-vX-buildXXXX-Fortinet.out. In FortiManager, the VM will be listed as a
FortiOS VM.
FortiManager also supports metering for FortiOS VM HA clusters.
FortiWeb VMs
FortiManager supports FortiWeb devices as logging devices. FortiWeb VMs are billed monthly based on usage.
The VM deployment packages are included with firmware images on the Customer Service & Support site, and have
the following format: FWB_OS1-vXxx-buildXXXX-FORTINET.out. In FortiManager, the VM will be listed as a
FBV0X.
Overview
The following is an overview of how to use metered VMs:
1. Purchase a FortiMeter license. Contact your sales representative for more information.
2. Go to FortiCare (https://support.fortinet.com/) and log into your account.
You can also access FortiCare from FortiManager:
l From System Settings > Dashboard, in the License Information widget, click the Purchase icon in the VM
Meter Service field.
l From Device Manager > VM Meter, click the Purchase Points icon in the toolbar.
3. Go to Asset > Manage/View Products, and locate the FortiMeter license.
4. Link the FortiMeter license with your FortiManager by using the Link Device option.
You can only link FortiManager to one metering group at a time.
5. If you are prepaying (FortiOS VMs only), purchase a point package and add it to the FortiMeter license using the
Add Licenses option. See Points on page 142.
6. Ensure that the VM is registered to the FortiManager. See Adding devices on page 39.
7. Authorize the metered VMs in FortiManager. See Authorizing metered VMs on page 143.
If connectivity between the VM and FortiManager is lost, FortiManager will invalidate the VM
instance after fifteen days. If the VM reconnects before fifteen days have elapsed, it will
automatically synchronize with the FortiManager database.
Points
Points can be purchased in packages of 1000 or 10000 from the FortiMeter product information page on FortiCare using
the Add Licenses button.
Points are used based on the type of service and the volume of traffic sent to FortiGuard.
Type Service Code Points
VOLUME (1TB) FW 4
VOLUME (1TB) FWURL 10
VOLUME (1TB) UTM 25
For prepaid FortiOS VMs, once the point balance becomes negative the VMs can continue to be used for up to 15 days.
After that the account is frozen, unless more points are purchased to restore a positive point balance first.
With a negative point balance, the FortiMeter status shows the number of days until the account is frozen, or FREZ when it
is already frozen. FortiMeter is unfrozen when a positive point balance is restored.
For FortiOS VM HA clusters, only the master (primary) unit sends traffic to FortiMeter.
Authorizing metered VMs
You must authorize all metered VMs in FortiManager before you can use them.
Authorizing FortiOS VMs
FortiOS VMs must be registered before they can be authorized. See Adding devices on page 39.
To authorize metered FortiOS VMs:
1. Ensure that the VM is registered to the FortiManager. See Adding devices on page 39.
2. Ensure you are in the correct ADOM.
3. Go to Device Manager > VM Meter.
4. Select a device then click Authorize in the toolbar, right-click on a device then select Authorize, or double-click on a
device. The Authorize Device(s) dialog box opens.
An unauthorized device can use firewall services for up to 48 hours.
5. Select the License Type:
Trial Maximum of two devices can have a trial license at any one time.
No traffic data are sent to FortiGuard, so no points are used.
Can be used for up to 30 days.
Regular Regular license.
Points used based on the service level and volume of traffic going to FortiGuard.
6. Select the Services:
Firewall Firewall only. This option cannot be deselected.
IPS IPS services.
Web Filter Web filtering services.
AntiVirus Antivirus services.
App Control Application control services.
Full UTM All services are selected.
7. Click OK to authorize the device.
Authorizing FortiWeb VMs
FortiWeb VMs must be registered manually before they can be authorized. See Adding devices manually on page 46.
To authorize metered FortiWeb VMs:
1. Ensure that the FortiWeb VM is registered to the FortiManager. See Adding devices on page 39.
2. In the FortiWeb ADOM, go to Device Manager > VM Meter.
3. Select a device then click Authorize in the toolbar, right-click on a device then select Authorize, or double-click on a
device. The Authorize Device(s) dialog box opens.
4. On the Authorize Device pane, confirm the device's name and serial number.
The License Type is Regular: points are used based on the volume of traffic. The Services (Security, Antivirus,
IP Reputation) cannot be deselected.
5. Click OK to authorize the device.
Monitoring VMs
Go to Device Manager > VM Meter. For prepaid licenses (FortiOS VMs only), your total remaining point balance is
shown in the toolbar. For postpaid licenses, the total points used and the billing period are shown.
You can also view details about the individual VMs, including: the device name and serial number, number of virtual
CPUs, amount of RAM, service level, license status, volume of traffic used today, and more.
FortiGate chassis devices
Select FortiManager systems can work with the Shelf Manager to manage FortiGate 5050, 5060, 5140, and 5140B
chassis. The Shelf Manager runs on the Shelf Management Mezzanine hardware platform included with the FortiGate
5050, 5060, 5140, and 5140B chassis. You can install up to five FortiGate 5000 series blades in the five slots of the
FortiGate 5050 ATCA chassis and up to 14 FortiGate 5000 series blades in the 14 slots of the FortiGate 5140 ATCA
chassis. For more information on FortiGate 5000 series including Chassis and Shelf manager, see the Fortinet
Document Library.
You need to enable chassis management before you can work with the Shelf Manager through the FortiManager
system.
To enable chassis management:
1. Go to System Settings > Advanced > Advanced Settings. See Advanced Settings on page 439 for more
information.
2. Under Advanced Settings, select Chassis Management.
3. Set the Chassis Update Interval, from 4 to 1440 minutes.
4. Click Apply.
To add a chassis:
1. Go to Device Manager > Device & Groups.
2. Right-click in the tree menu and select Chassis > Add. The Create Chassis window opens.
3. Complete the following fields, then click OK:
Name Type a unique name for the chassis.
Description Optionally, type any comments or notes about this chassis.
Chassis Type Select the chassis type: Chassis 5050, 5060, 5140 or 5140B.
IP Address Type the IP address of the Shelf Manager running on the chassis.
Authentication Type Select Anonymous, MD5, or Password from the dropdown list.
Admin User Type the administrator user name.
Password Type the administrator password.
Chassis Slot Assignment You cannot assign FortiGate-5000 series blades to the slots until after the
chassis has been added.
To edit a chassis and assign FortiGate 5000 series blades to the slots:
1. Go to Device Manager > Device & Groups.
2. Right-click the chassis, and select Edit.
3. Modify the fields, except Chassis Type.
4. For Chassis Slot Assignment, from the dropdown list of a slot, select a FortiGate 5000 series blade to assign it to
the slot. You can select a FortiGate, FortiCarrier, or FortiSwitch unit.
You can only assign FortiSwitch units to slots 1 and 2.
5. Click OK.
Viewing chassis dashboard
You can select a chassis from the chassis list in the content pane, and view the status of the FortiGate blades in the
slots, power entry module (PEM), fan tray (FortiGate-5140 only), Shelf Manager, and shelf alarm panel (SAP).
Viewing the status of the FortiGate blades
In the Device Manager tab, select Blades under the chassis whose blade information you would like to view.
The following is displayed:
Refresh Select to update the current page.
If there are no entries, Refresh is not displayed.
Slot # The slot number in the chassis.
l The FortiGate 5050 chassis contains five slots numbered 1 to 5.
l The FortiGate 5060 chassis contains six slots numbered 1 to 6.
l The FortiGate 5140 and 5140B chassis contain fourteen slots numbered 1
to 14.
Extension Card If there is an extension card installed in the blade, this column displays an arrow
you can select to expand the display. The expanded display shows details about
the extension card as well as the blade.
Slot Info Indicates whether the slot contains a node card (for example, a FortiGate
5001SX blade) or a switch card (for example, a FortiSwitch 5003 blade) or is
empty.
State Indicates whether the card in the slot is installed or running, or if the slot is empty.
Temperature Sensors Indicates if the temperature sensors for the blade in each slot are detecting a
temperature within an acceptable range.
l OK: All monitored temperatures are within acceptable ranges.
l Critical: A monitored temperature is too high (usually about 75°C or higher)
or too low (below 10°C).
Current Sensors Indicates if the current sensors for the blade in each slot are detecting a current
within an acceptable range.
l OK: All monitored currents are within acceptable ranges.
l Critical: A monitored current is too high or too low.
Voltage Sensors Indicates if the voltage sensors for the blade in each slot are detecting a voltage
within an acceptable range.
l OK: All monitored voltages are within acceptable ranges.
l Critical: A monitored voltage is too high or too low.
Power Allocated Indicates the amount of power allocated to each blade in the slot.
Action Select Activate to turn the state of a blade from Installed into Running.
Select Deactivate to turn the state of a blade from Running into Installed.
Edit Select to view the detailed information on the voltage and temperature of a slot,
including sensors, status, and state. You can also edit some voltage and
temperature values.
Update Select to update the slot.
To edit voltage and temperature values:
1. Go to [chassis name] > Blades and, in the content pane, select the Edit icon of a slot.
The detailed information on the voltage and temperature of the slot including sensors, status, and state is
displayed.
2. Select the Edit icon of a voltage or temperature sensor.
3. For a voltage sensor, you can modify the Upper Non-critical, Upper Critical, Lower Non-critical, and Lower
Critical values.
4. For a temperature sensor, you can modify the Upper Non-critical and Upper Critical values.
5. Select OK.
Viewing the status of the power entry modules
You can view the status of the PEMs by going to [chassis name] > PEM. The FortiGate 5140 chassis displays more
PEM information than the FortiGate 5050.
The following is displayed:
Refresh Select to update the current page.
PEM The order numbers of the PEM in the chassis.
Presence Indicates whether the PEM is present or absent.
Temperature The temperature of the PEM.
Temperature State Indicates whether the temperature of the PEM is in the acceptable range.
l OK: The temperature is within acceptable range.
Threshold PEM temperature thresholds.
Feed -48V Number of PEM fuses. There are four pairs per PEM.
Status PEM fuse status: present or absent.
Power Feed The power feed for each pair of fuses.
Maximum External Current Maximum external current for each pair of fuses.
Maximum Internal Current Maximum internal current for each pair of fuses.
Minimum Voltage Minimum voltage for each pair of fuses.
Power Available Available power for each pair of fuses.
Power Allocated Power allocated to each pair of fuses.
Used By The slot that uses the power.
Viewing fan tray status (FG-5140 and FG-5140B chassis only)
Go to [chassis name] > Fan Tray to view the chassis fan tray status.
The following is displayed:
Refresh Select to update the current page.
Thresholds Displays the fan tray thresholds.
Fan Tray The order numbers of the fan trays in the chassis.
Model The fan tray model.
24V Bus Status of the 24V Bus: present or absent.
-48V Bus A Status of the -48V Bus A: present or absent.
-48V Bus B Status of the -48V Bus B: present or absent.
Power Allocated Power allocated to each fan tray.
Fans Fans in each fan tray.
Status The fan status.
l OK: It is working normally.
Speed The fan speed.
Viewing shelf manager status
Go to [chassis name] > Shelf Manager to view the shelf manager status.
The following is displayed:
Refresh Select to update the current page.
Shelf Manager The order numbers of the shelf managers in the chassis.
Model The shelf manager model.
State The operation status of the shelf manager.
Temperature The temperature of the shelf manager.
-48V Bus A Status of the -48V Bus A: present or absent.
-48V Bus B Status of the -48V Bus B: present or absent.
Power Allocated Power allocated to each shelf manager.
Voltage Sensors Lists the voltage sensors for the shelf manager.
State Indicates if the voltage sensors for the shelf manager are detecting a voltage
within an acceptable range.
l OK: All monitored voltages are within acceptable ranges.
l Below lower critical: A monitored voltage is too low.
Voltage Voltage value for a voltage sensor.
Edit Select to modify the thresholds of a voltage sensor.
Viewing shelf alarm panel (SAP) status
You can view the shelf alarm panel (SAP) status for a chassis. The shelf alarm panel helps you monitor the temperature
and state of various sensors in the chassis.
Go to [chassis name] > SAP to view the chassis SAP status.
The following is displayed:
Presence Indicates if the SAP is present or absent.
Telco Alarm Telco form-c relay connections for minor, major and critical power faults provided
by the external dry relay Telco alarm interface (48VDC).
Air Filter Indicates if the air filter is present or absent.
Model The SAP model.
State The operational status of the SAP.
Power Allocated Power allocated to the SAP.
Temperature Sensors The temperature sensors of the SAP
Temperature The temperature of the SAP read by each sensor.
State Indicates if the temperature sensors for the SAP are detecting a temperature
below the set threshold.
Edit Select to modify the thresholds of a temperature sensor.
Policy & Objects
The Policy & Objects pane enables you to centrally manage and configure the devices that are managed by the
FortiManager unit. This includes the basic network settings to connect the device to the corporate network, antivirus
definitions, intrusion protection signatures, access rules, and managing and updating firmware for the devices.
All changes related to policies and objects should be made on the FortiManager device, and not on the managed
devices.
If the administrator account you logged on with does not have the appropriate permissions,
you will not be able to edit or delete settings, or apply any changes. Instead you are limited to
browsing. To modify these settings, see Administrator profiles on page 453.
If Display Policy & Objects in Dual Pane is enabled, the Policy Packages and Object
Configurations tabs will be shown on the same pane, with Object Configurations on the lower
half of the screen. See Display options on page 154.
If workspace is enabled, the ADOM must be locked before changes can be made. See
Locking an ADOM on page 406.
If workflow is enabled, the ADOM must be locked and a session must be started before
changes can be made. See Workflow mode on page 362.
The following tabs are available on the Policy & Objects pane by default:
Policy Packages Click to display the Policy Packages pane.
Object Configurations Click to display theObject Configurations pane.
If Display Policy & Objects in Dual Pane is enabled, both tabs will be shown on the same pane.
The following options are available on the Policy Packages tab:
Policy Package Click to access the policy package menu. The menu options are the same as the
right-click menu options.
Install Wizard Click to access the Install menu. You can start the Install Wizard where you can
install policy packages and device settings. You can also re-install a policy.
ADOM Revisions Click to create, edit, delete, restore, lock, and unlock ADOM Revisions.
Tools Click to select one of the following tools from the menu: Display Options, Find
Unused Objects, or Find Duplicate Objects.
Collapse/Expand All Collapse or expand all the categories in the policy list.
Object Selector Open the object selector pane on the bottom or right side of the content pane.
This option is not available when dual pane is enabled.
Search The tree menu can be searched and sorted using the search field and sorting
button at the top of the menu.
The following options are available on the Object Configurations tab:
ADOM Revisions Click to create, edit, delete, restore, lock, and unlock ADOM Revisions.
Tools Click to select one of the following tools from the menu: Display Options, Find
Unused Objects, or Find Duplicate Objects.
If workspace is enabled, you can select to lock and edit the policy package in the right-click menu. You do not need to
lock the ADOM first. The policy package lock status is displayed in the toolbar.
The following options are available:
Lock | Unlock Select to lock or unlock the ADOM.
Sessions Click to display the sessions list where you can save, submit, or discard changes
made during the session.
About policies
FortiManager provides administrators the ability to customize policies within their organization as they see fit. Typically,
administrators may want to customize access and policies based on factors such as geography, specific security
requirements, or legal requirements.
Within a single ADOM, administrators can create multiple policy packages. FortiManager provides you the ability to
customize policy packages per device or VDOM within a specific ADOM, or to apply a single policy package for all
devices within an ADOM. These policy packages can be targeted at a single device, multiple devices, all devices, a
single VDOM, multiple VDOMs, or all devices within a single ADOM. By defining the scope of a policy package, an
administrator can modify or edit the policies within that package and keep other policy packages unchanged.
FortiManager can help simplify provisioning of new devices, ADOMs, or VDOMs by allowing you to copy or clone
existing policy packages.
Policy theory
Security policies control all traffic attempting to pass through a unit between interfaces, zones, and VLAN subinterfaces.
Security policies are instructions that units use to decide connection acceptance and packet processing for traffic
attempting to pass through. When the firewall receives a connection packet, it analyzes the packet’s source address,
destination address, and service (by port number), and attempts to locate a security policy matching the packet.
Security policies can contain many instructions for the unit to follow when it receives matching packets. Some
instructions are required, such as whether to drop or accept and process the packets, while other instructions, such as
logging and authentication, are optional.
Policy instructions may include Network Address Translation (NAT), or Port Address Translation (PAT), or they can use
virtual IPs or IP pools to translate source and destination IP addresses and port numbers.
Policy instructions may also include Security Profiles, which can specify application-layer inspection and other protocol-
specific protection and logging, as well as IPS inspection at the transport layer.
You configure security policies to define which sessions will match the policy and what actions the device will perform
with packets from matching sessions.
Sessions are matched to a security policy by considering these features of both the packet and policy:
l Policy Type and Subtype
l Incoming Interface
l Source Address
l Outgoing Interface
l Destination Address
l Schedule and time of the session’s initiation
l Service and the packet’s port numbers.
If the initial packet matches the security policy, the device performs the configured action and any other configured
options on all packets in the session.
Packet handling actions can be ACCEPT, DENY, IPSEC, or SSL-VPN.
l ACCEPT policy actions permit communication sessions, and may optionally include other packet processing
instructions, such as requiring authentication to use the policy, or specifying one or more Security Profiles to apply
features such as virus scanning to packets in the session. An ACCEPT policy can also apply interface-mode IPsec
VPN traffic if either the selected source or destination interface is an IPsec virtual interface.
l DENY policy actions block communication sessions, and you can optionally log the denied traffic. If no security
policy matches the traffic, the packets are dropped, therefore it is not required to configure a DENY security policy
in the last position to block the unauthorized traffic. A DENY security policy is needed when it is required to log the
denied traffic, also called “violation traffic”.
l IPSEC and SSL VPN policy actions apply a tunnel mode IPsec VPN or SSL VPN tunnel, respectively, and may
optionally apply NAT and allow traffic for one or both directions. If permitted by the firewall encryption policy, a
tunnel may be initiated automatically whenever a packet matching the policy arrives on the specified network
interface, destined for the local private network.
Create security policies based on traffic flow. For example, in a policy for POP3, where the email server is outside of the
internal network, traffic should be from an internal interface to an external interface rather than the other way around. It
is typically the user on the network requesting email content from the email server and thus the originator of the open
connection is on the internal port, not the external one of the email server. This is also important to remember when
viewing log messages, as the source and destination of the packets can seem backwards.
Global policy packages
Global policies and objects function in a similar fashion to local policies and objects, but are applied universally to all
ADOMs and VDOMs inside your FortiManager installation. This allows users in a carrier, service provider, or large
enterprise to support complex installations that may require their customers to pass traffic through their own network.
For example, a carrier or host may allow customers to transit traffic through their network, but do not want their
customer to have the ability to access the carrier’s internal network or resources. Creating global policy header and
footer packages to effectively surround a customer’s policy packages can help maintain security.
Global policy packages must be explicitly assigned to specific ADOMs to be used. When configuring global policies, a
block of space in the policy table is reserved for Local Domain Policies. All of the policies in an ADOM’s policy table are
inserted into this block when the global policy is assigned to an ADOM.
Display options for policies and objects can be configured in Policy & Objects > Tools > Display Options.
Global policies and objects are not supported on all FortiManager platforms. Please review
the products’ data sheets to determine support.
A global policy license is not required to use global policy packages.
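The matching rules in Policy theory above (first match on interface, address, schedule and service; implicit drop when nothing matches; an explicit DENY only needed to log violation traffic) and the global header / local / footer layout described in this section are easy to get wrong when reading a long policy table. The following is an added example, not FortiManager or FortiOS code: a small evaluator that walks a table in that order and reports which policy a session hits. The policy names, interfaces, addresses, ports and schedule windows are constructed for illustration; the sample table is a carrier-style header that keeps customers out of the carrier's management network, a customer POP3 policy, and a logging footer.

```python
"""Policy-table evaluation: first match on incoming interface, source, outgoing
interface, destination, schedule and service; implicit drop on no match; global
header policies, then the ADOM's local policies, then global footer policies.

Added example, not FortiManager/FortiOS code. All names, addresses, ports and
schedule windows below are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

ANY = "any"


@dataclass(frozen=True)
class Policy:
    name: str
    srcintf: str                 # interface name or "any"
    dstintf: str
    srcaddr: str                 # CIDR or "any"
    dstaddr: str
    service: Tuple[str, int]     # (protocol, destination port) or ("any", 0)
    action: str                  # "accept" or "deny"
    schedule: Tuple[int, int] = (0, 24)   # hour window [start, end); (0, 24) = always
    log: bool = False            # for DENY policies: log the "violation traffic"


@dataclass(frozen=True)
class Packet:
    srcintf: str
    dstintf: str
    src: str
    dst: str
    proto: str
    dport: int
    when: datetime


def pkt(srcintf, dstintf, src, dst, proto, dport, hour) -> Packet:
    """Build the session-initiating packet at the given hour (constructed date)."""
    return Packet(srcintf, dstintf, src, dst, proto, dport, datetime(2024, 6, 28, hour, 0))


def _addr_match(obj: str, ip: str) -> bool:
    return obj == ANY or ip_address(ip) in ip_network(obj)


def matches(p: Policy, packet: Packet) -> bool:
    """Every criterion must hold; there is no partial match."""
    return (p.srcintf in (ANY, packet.srcintf)
            and p.dstintf in (ANY, packet.dstintf)
            and _addr_match(p.srcaddr, packet.src)
            and _addr_match(p.dstaddr, packet.dst)
            and p.schedule[0] <= packet.when.hour < p.schedule[1]
            and (p.service[0] == ANY
                 or (p.service[0] == packet.proto and p.service[1] == packet.dport)))


@dataclass
class PolicyTable:
    header: List[Policy] = field(default_factory=list)   # global header package
    local: List[Policy] = field(default_factory=list)    # ADOM's local policies
    footer: List[Policy] = field(default_factory=list)   # global footer package

    def evaluate(self, packet: Packet) -> Tuple[str, Optional[str], bool]:
        """Return (action, matched policy name, logged). First match wins. No match is
        an implicit drop: the session is denied but, with no policy, nothing is logged."""
        for p in self.header + self.local + self.footer:
            if matches(p, packet):
                return p.action, p.name, p.log
        return "deny", None, False


SAMPLE_TABLE = PolicyTable(
    header=[Policy("global-header-block-carrier", ANY, ANY, ANY, "10.0.0.0/8",
                   (ANY, 0), "deny", log=True)],
    local=[Policy("pop3-out", "internal", "wan1", "192.168.1.0/24", ANY,
                  ("tcp", 110), "accept", schedule=(8, 18))],
    footer=[Policy("global-footer-deny-log", ANY, ANY, ANY, ANY,
                   (ANY, 0), "deny", log=True)],
)


def demo(table: PolicyTable = SAMPLE_TABLE) -> Dict[str, Tuple[str, Optional[str], bool]]:
    """Evaluate constructed sessions; the last one is the POP3 reply direction,
    which needs no policy of its own because the internal client initiated the session."""
    cases = {
        "pop3 in hours":       pkt("internal", "wan1", "192.168.1.10", "203.0.113.5", "tcp", 110, 10),
        "pop3 after hours":    pkt("internal", "wan1", "192.168.1.10", "203.0.113.5", "tcp", 110, 20),
        "pop3 to carrier net": pkt("internal", "wan1", "192.168.1.10", "10.1.2.3", "tcp", 110, 10),
        "pop3 reverse flow":   pkt("wan1", "internal", "203.0.113.5", "192.168.1.10", "tcp", 110, 10),
    }
    return {name: table.evaluate(p) for name, p in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22s} -> {result}")
```

Removing the footer from the table does not change what is permitted (the after-hours and reverse-direction sessions are still dropped), it only changes whether those drops produce a log entry; that is the point made above about a final DENY policy being needed for logging, not for blocking. The header is consulted before the customer's own policies, so the customer's "accept to any" rule never reaches the carrier's 10.0.0.0/8 range.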
Policy workflow
An administrator will typically carry out two main functions with their devices through FortiManager: provisioning new
devices or VDOMs on the network and managing the day-to-day operations of managed devices and VDOMs.
Provisioning new devices
There are multiple steps to provision a new device or VDOM to be managed by the FortiManager unit:
1. In the DeviceManager pane, create a new VDOM or add a new device.
2. Assign a system template to the provisioned device (optional).
3. In the Policy & Objects pane, configure any dynamic objects you wish to assign to the new VDOM or device.
4. Determine how a policy will be defined for the new device: does the new device or VDOM have a new policy
package unique to itself, or will the device or VDOM use a package that is implemented elsewhere?
5. Run the Install Wizard to install any objects and policies for the new device, or create a new policy package.
6. If the new device uses an existing policy package, modify the installation targets of that package to include the new
device.
Day-to-day management of devices
An administrator will often have to modify various objects for the devices they are responsible for managing. A typical
set of tasks to manage an already provisioned device will include:
1. Adding, deleting, or editing various objects, such as firewall information, security profiles, user access rights,
antivirus signatures, etc.
2. Adding, deleting, or editing all of the policy packages or individual policies within a policy package. This can include
changing the order of operation, adding new policies, or modifying information or access permissions in the policy
package.
3. Installing updates to devices.
Display options
The policies and objects that are displayed on the Policy & Objects pane can be customized, and the Policy Packages
and Object Configurations tabs can be combined onto a single pane.
To adjust the policies and objects that are displayed, go to Tools > Display Options.
You can turn the options on or off (visible or hidden). To turn on an option, select the checkbox beside the option name.
To turn off an option, clear the checkbox beside the option name. You can turn on all of the options in a category by
selecting the checkbox beside the category name. For example, you can turn on all firewall objects by selecting the
checkbox beside Firewall Objects. You can also turn on all of the categories by clicking the Check All button at the
bottom of the window.
Various display options are enabled by default and cannot be turned off.
Once turned on, you can configure the corresponding options from the appropriate location on the Policy & Objects >
Object Configurations pane.
Reset all of the options by clicking the Reset to Default button at the bottom of the screen, or reset only the options in a
category by clicking the Reset to Default button beside the category name.
To convert the module to a single pane:
1. Go to System Settings > Advanced > Advanced Settings.
2. Enable Display Policy & Objects in Dual Pane.
3. Click Apply.
The Policy & Objects pane will now be a single pane that includes both tabs.
Managing policy packages
Policy packages can be created and edited, and then assigned to specific devices in the ADOM. Folders can be created
for the policy packages to aid in the organization and management of the packages.
Not all policy and object options are enabled by default. To configure the enabled options, go
to Policy & Objects > Tools > Display Options and select your required options.
All of the options available from the Policy Packages menu can also be accessed by right-
clicking anywhere in the policy tree menu.
Create new policy packages
To create a new global policy package:
1. Ensure that you are in the Global ADOM.
2. Go to Policy & Objects > Policy Packages.
3. From the Policy Package menu select New Package, or right-click in the tree menu and select New Package. The
Create New Policy Package window opens.
4. Enter a name for the new global policy package.
5. (Optional) Click the In Folder button to select a folder.
6. (Optional) Select the Central NAT checkbox to enable Central SNAT and Central DNAT policy types.
7. Click OK to add the policy package.
To create a new policy package:
1. Ensure that you are in the correct ADOM.
2. Go to Policy & Objects > Policy Packages.
3. From the Policy Package menu select New Package, or right-click in the tree menu and select New Package. The
Create New Policy Package window opens.
4. Configure the following details, then click OK to create the policy package.
Name: Enter a name for the new policy package.
In Folder: Optionally, click the In Folder button to select a folder for the package.
Central NAT: Select the Central NAT checkbox to enable Central SNAT and Central DNAT policy types.
Inspection Mode: Select Flow-based (default) or Proxy for the inspection mode. This option is only available for version 5.6 and later ADOMs. For more information on inspection modes, see the FortiOS Handbook, available in the Fortinet Document Library.
NGFW Mode: Select the NGFW mode, Profile-based (default) or Policy-based. This option is only available for version 5.6 and later ADOMs when Inspection Mode is Flow-based.
SSL/SSH Inspection: Select an SSL/SSH inspection type from the dropdown list. This option is only available for version 5.6 and later ADOMs when NGFW Mode is Policy-based.
Create new policy package folders
You can create new policy package folders within existing folders to help you better organize your policy packages.
To create a new policy package folder:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Policy Packages.
3. From the Policy Package menu select New Folder, or right-click in the tree menu and select New Folder. The
Create New Policy Folder window opens.
4. Enter a name for the new policy folder.
5. (Optional) Click the In Folder button to nest the new folder inside another folder.
6. Click OK. The new policy folder is displayed in the tree menu.
Edit a policy package or folder
Policy packages and policy package folders can be edited and moved as required.
To edit a policy package or folder:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Policy Packages.
3. Select the package or folder in the tree menu then select Policy Package > Edit from the toolbar, or right-click on
the package or folder and select Edit from the menu.
4. Edit the settings as required, then click OK to apply your changes.
Deselecting Central NAT does not delete Central SNAT or Central DNAT entries.
To move a policy package or folder:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Policy Packages.
3. Select the package or folder in the tree menu then select Policy Package > Move from the toolbar, or right-click on
the package or folder and select Move from the menu.
4. Change the location of the package or folder as required, then click OK.
Clone a policy package
To clone a policy package:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Policy Packages.
3. Select the package or folder in the tree then select Policy Package > Clone Package from the toolbar, or right-
click on the package or folder and select Clone Package from the menu.
4. Edit the name and location of the clone as required.
5. Click OK to create the cloned policy package.
Remove a policy package or folder
To remove a policy package or folder:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Policy Packages.
3. Select the package or folder in the tree menu then select Policy Package > Delete from the toolbar, or right-click
on the package or folder and select Delete from the menu.
Assign a global policy package
Global policy packages can be assigned or installed to specific ADOMs.
Only ADOMs of the same version as the global database or the next higher major release are presented as options for
assignment.
The central NAT setting must be consistent between the global policy package and the ADOM
to which you are assigning the policy package. Because central NAT is not supported at the
global level, you should disable central NAT in all ADOMs to which you are assigning a global
policy package.
The inspection-mode setting must also match in the global policy package and the ADOM to
which you are assigning the policy package.
To assign a global policy package:
1. Ensure you are in the Global Database ADOM.
2. Go to Policy & Objects > Policy Packages.
3. In the tree menu for the policy package, click Assignment. The ADOM assignment list is displayed in the content
pane.
4. If required, select Add ADOM to add an ADOM to the assignment list.
5. In the assignment list, select an ADOM, or click Select All.
6. Click Assign Selected from the content toolbar. The Assign dialog box opens.
7. Select whether you want to assign only used objects or all objects, and whether policies will be automatically installed to
ADOM devices.
8. Click OK to assign the policy package to the selected ADOM or ADOMs.
In the Assignment pane you can also edit the ADOM list, delete ADOMs from the list, and
assign and unassign ADOMs.
Install a policy package
When installing a policy package, objects that are referenced in the policy will be installed to the target device. Default
or per-device mapping must exist or the installation will fail.
Some objects that are not directly referenced in the policy will also be installed to the target
device, such as FSSO polling objects, address and profile groups, and CA certificates.
Policies within a policy package can be configured to install only on specified target devices.
See Install policies only to specific devices on page 171.
To install a policy package to a target device:
1. Ensure you are in the ADOM that contains the policy package.
2. Go to Policy & Objects > Policy Packages.
3. Select a policy package and, from the Install menu or right-click menu, select Install Wizard. The Install Wizard
opens.
4. Follow the steps in the install wizard to install the policy package. You can select to install policy package and
device settings or install the interface policy only.
For more information on the install wizard, see Using the Install Wizard to install policy packages and device
settings on page 67. For more information on editing the installation targets, see Policy package installation targets
on page 162.
Reinstall a policy package
You can reinstall a policy package in Policy & Objects or Device Manager.
To reinstall a policy package:
1. If using ADOMs, ensure that you are in the correct ADOM.
2. Perform one of the following actions:
• Go to Policy & Objects > Policy Packages, and select a policy package.
• Go to Device Manager, and select devices or VDOMs.
3. In the toolbar, select Install > Re-install Policy.
After data is gathered, the Re-install Policy Package window is displayed.
4. (Optional) View policy consistency check results (see Perform a policy consistency check on page 164).
a. Click the Policy Check Result button.
b. Click the Close button to close the page and return to the wizard.
5. (Optional) View a preview of the installation.
a. Click the Install Preview button.
After data is gathered, the Install Preview page is displayed.
b. Click the Download button to download a text file of the preview information.
c. Click the Close button to close the page and return to the wizard.
6. (Optional) View the difference between the current policy package and the policy in the device.
a. Click the Policy Package Diff button.
After data is gathered, the Policy Package Diff page is displayed.
b. Click the Details links to view details about the changes to the policy, specific policies, and policy objects.
c. Click Close to close the page and return to the wizard.
7. Click Next.
8. Click Install.
The policy package is reinstalled to the target devices.
Schedule a policy package install
In FortiManager you can create, edit, and delete install schedules for policy packages. The Schedule Install menu
option has been added to the Install wizard when selecting to install policy package and device settings. You can specify
the date and time to install the latest policy package changes.
Select the clock icon which is displayed beside the policy package name to create an install schedule. Select this icon to
edit or cancel the schedule. When a scheduled install has been configured and is active, hover the mouse over the icon
to view the scheduled date and time.
To schedule the install of a policy package to a target device:
1. Ensure you are in the ADOM that contains the policy package.
2. Go to Policy & Objects > Policy Packages.
3. From the Install menu, select Install Wizard. The Install Wizard opens.
4. Select Schedule Install, and set the install schedule date and time.
5. Select Next. In the device selection screen, edit the installation targets as required.
6. Select Next. In the interface validation screen, edit the interface mapping as required.
7. Select Schedule Install to continue to the policy and object validation screen. In the ready to install screen you can
copy the log and download the preview text file.
To edit or cancel an install schedule:
1. Ensure you are in the ADOM that contains the policy package.
2. Go to Policy & Objects > Policy Packages.
3. Click the clock icon next to the policy package name in the Policy Package tree. The Edit Install Schedule dialog
box is displayed.
4. Select Cancel Schedule to cancel the install schedule, then select OK in the confirmation dialog box to cancel the
schedule. Otherwise, edit the install schedule as required and select OK to save your changes.
Export a policy package
You can export a policy package as a Microsoft Excel or CSV file.
To export a policy package:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Policy Packages.
3. Select a policy package or folder then, from the Policy Package menu, select Export to Excel or Export to CSV.
The policy package is downloaded to your management computer.
Policy package installation targets
The Installation Targets pane allows you to view the installation target, config status, policy package status, and
schedule install status, as well as edit installation targets for policy package installs.
To view installation targets, go to Policy & Objects > Policy Packages. In the tree menu for the policy package, select
Installation Targets.
The following information is displayed:
Installation Target: The installation target and connection status.
Config Status: See the table below for config status details.
Policy Package Status: See the table below for policy package status details.
The following table identifies the different available config statuses.
Config Status (Icon): Description
Synchronized (green check): Configurations are synchronized between FortiManager and the managed device.
Modified (yellow triangle): Configurations are modified on FortiManager and not synchronized between FortiManager and the managed device.
Auto-update (green check): Configurations modified on the managed device are auto synced to FortiManager.
Modified (recent auto-updated) (yellow triangle): Configurations are modified on FortiManager, and configurations modified on the managed device are auto synced to FortiManager.
Out of Sync (red X): Configurations are modified on the managed device and not synced to FortiManager.
Conflict (red X): When one of the following happens:
  • Install failed
  • Configurations are modified on both FortiManager and the managed device, and not auto synced to FortiManager.
Unknown (gray question mark): When one of the following happens:
  • Connection goes down
  • No revision is generated, such as for a newly added model device
The following table identifies the different available policy package statuses.
Policy Package Status (Icon): Description
Imported (green check): Policies and objects are imported into FortiManager.
Synchronized (green check): Policies and objects are synchronized between FortiManager and the managed device.
Modified (yellow triangle): Policies or objects are modified on FortiManager.
Out of Sync (red X): Policies or objects are modified on the managed device.
Unknown with policy package name (gray question mark): Configurations of the managed device are retrieved on FortiManager after being imported/installed.
Never Installed (yellow triangle): No policy package is imported or installed.
When importing a device with agentless FSSO configured (that is, the device polls the AD servers), the status of all
policy packages that reference user fsso-polling is Modified. This is because FortiManager sends all fsso-polling
objects to all devices that are using agentless FSSO.
The following options are available:
Add: Select to add installation targets (device/group) for the selected policy package. Select the add icon beside Device/Group to select devices.
Delete: Select to delete the selected entries from the installation targets of the selected policy package.
Install: Select an entry in the table and, from the Install menu, select Install Wizard or Re-install Policy.
Search: Use the search field to search installation targets. Entering text in the search field will highlight matches.
Perform a policy consistency check
The policy check tool allows you to check all policy packages within an ADOM to ensure consistency and eliminate
conflicts that may prevent your devices from passing traffic. This allows you to optimize your policy sets and potentially
reduce the size of your databases.
The check will verify:
• Object duplication: two objects that have identical definitions
• Object shadowing: a higher priority object completely encompasses another object of the same type
• Object overlap: one object partially overlaps another object of the same type
• Object orphaning: an object has been defined but has not been used anywhere.
The policy check uses an algorithm to evaluate policy objects, based on the following attributes:
• The source and destination interface policy objects
• The source and destination address policy objects
• The service and schedule policy objects.
A policy consistency check can be automatically performed during every install. When doing
the install, only modified or added policies are checked, decreasing the performance impact
when compared to a full consistency check.
This function can be enabled when editing the ADOM (see Editing an ADOM on page 403).
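As an added example (not code from the guide or from FortiManager), the following Python models the four findings above on a constructed policy table laid out the way the earlier carrier scenario describes: a global header policy, the ADOM's local policies, then a global footer policy. The check walks the table in match order and evaluates the attributes listed above (interfaces, addresses, services, schedule); every object, interface and policy name is constructed, and the matching rules are a simplification, not FortiManager's own algorithm.

```python
"""Simplified policy consistency check (example, not FortiManager's own algorithm): models
duplication, shadowing, overlap and orphaning over interfaces, addresses, services, schedule."""
import ipaddress
from collections import namedtuple
from itertools import combinations

# Constructed address objects: name -> network. "all" is the catch-all.
ADDRESSES = {
    "all": ipaddress.ip_network("0.0.0.0/0"),
    "carrier-core": ipaddress.ip_network("10.255.0.0/16"),  # carrier's own network
    "customer-lan": ipaddress.ip_network("10.10.0.0/16"),
    "customer-dmz": ipaddress.ip_network("10.10.20.0/24"),
    "customer-dmz-copy": ipaddress.ip_network("10.10.20.0/24"),  # identical definition
    "guest-wifi": ipaddress.ip_network("192.168.50.0/24"),
    "legacy-net": ipaddress.ip_network("172.16.0.0/12"),  # defined, never referenced
}
# Constructed service objects: name -> {(proto, port)}. "ALL" is the catch-all.
SERVICES = {
    "HTTPS": {("tcp", 443)},
    "WEB": {("tcp", 80), ("tcp", 443)},
    "DNS": {("udp", 53), ("tcp", 53)},
    "SSH": {("tcp", 22)},  # defined, never referenced
}

Policy = namedtuple("Policy", "name srcintf dstintf srcaddr dstaddr service schedule action",
                    defaults=("always", "accept"))

def pol(name, srcintf, dstintf, srcaddr, dstaddr, service, **kw):
    """Build a Policy with each attribute as a frozenset of object names."""
    return Policy(name, *map(frozenset, (srcintf, dstintf, srcaddr, dstaddr, service)), **kw)

def _intf_covers(a, b):
    return "any" in a or b <= a

def _intf_meets(a, b):
    return "any" in a or "any" in b or bool(a & b)

def _addr_covers(a, b):
    nets = [ADDRESSES[n] for n in a]
    return all(any(ADDRESSES[y].subnet_of(x) for x in nets) for y in b)

def _addr_meets(a, b):
    return any(ADDRESSES[x].overlaps(ADDRESSES[y]) for x in a for y in b)

def _svc_expand(names):
    return None if "ALL" in names else set().union(*(SERVICES[n] for n in names))

def _svc_covers(a, b):
    ea, eb = _svc_expand(a), _svc_expand(b)
    return ea is None or (eb is not None and eb <= ea)

def _svc_meets(a, b):
    ea, eb = _svc_expand(a), _svc_expand(b)
    return ea is None or eb is None or bool(ea & eb)

def covers(a, b):
    """True when every packet that matches policy b also matches policy a."""
    return (_intf_covers(a.srcintf, b.srcintf) and _intf_covers(a.dstintf, b.dstintf)
            and _addr_covers(a.srcaddr, b.srcaddr) and _addr_covers(a.dstaddr, b.dstaddr)
            and _svc_covers(a.service, b.service) and a.schedule in ("always", b.schedule))

def meets(a, b):
    """True when some packet could match both policies."""
    return (_intf_meets(a.srcintf, b.srcintf) and _intf_meets(a.dstintf, b.dstintf)
            and _addr_meets(a.srcaddr, b.srcaddr) and _addr_meets(a.dstaddr, b.dstaddr)
            and _svc_meets(a.service, b.service)
            and ("always" in (a.schedule, b.schedule) or a.schedule == b.schedule))

def check_policies(table):
    """Walk the table in match order: an earlier policy has priority over a later one."""
    found = {"duplicate": [], "shadowed": [], "overlap": []}
    for i, a in enumerate(table):
        for b in table[i + 1:]:
            if covers(a, b) and covers(b, a):
                found["duplicate"].append((a.name, b.name))
            elif covers(a, b):             # b can never be reached
                found["shadowed"].append((a.name, b.name))
            elif meets(a, b):              # partial overlap: order decides the outcome
                found["overlap"].append((a.name, b.name))
    return found

def duplicate_objects():
    """Pairs of address objects whose definitions are identical."""
    return [(x, y) for x, y in combinations(sorted(ADDRESSES), 2)
            if ADDRESSES[x] == ADDRESSES[y]]

def orphaned_objects(table):
    """Address and service objects that no policy in the table references."""
    used = set().union(*(p.srcaddr | p.dstaddr | p.service for p in table))
    return sorted((set(ADDRESSES) | set(SERVICES)) - used - {"all", "ALL"})

# Constructed table in match order: global header, the ADOM's local policies, global footer.
TABLE = [
    pol("hdr-protect-carrier-core", ["any"], ["any"], ["all"], ["carrier-core"], ["ALL"], action="deny"),
    pol("local-web", ["port1"], ["port2"], ["customer-lan"], ["all"], ["WEB"]),
    pol("local-dmz-https", ["port1"], ["port2"], ["customer-lan"], ["customer-dmz"], ["HTTPS"]),
    pol("local-guest-dns", ["wifi"], ["port2"], ["guest-wifi"], ["all"], ["DNS"], schedule="office-hours"),
    pol("ftr-deny-all", ["any"], ["any"], ["all"], ["all"], ["ALL"], action="deny"),
]
```

On this table `check_policies(TABLE)` reports local-dmz-https as shadowed by local-web (WEB already covers HTTPS to a destination inside "all"), the header deny as overlapping the local policies it carves traffic out of, and the footer deny-all as overlapping everything before it; `duplicate_objects()` and `orphaned_objects(TABLE)` flag the copied DMZ address and the unused legacy-net and SSH objects.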
To perform a policy check:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Policy Packages.
3. Select a policy package or folder, and from the Policy Package menu, select Policy Check. The Policy
Consistency Check dialog box opens.
4. To perform a new consistency check, select Perform Policy Consistency Check, then click OK.
A policy consistency check is performed, and the results screen is shown.
To view the results of the last policy consistency check:
1. Select the ADOM for which you performed a consistency check.
2. Go to Policy & Objects > Policy Packages.
3. Select a policy package or folder, and from the Policy Package menu, select Policy Check. The Policy
Consistency Check dialog box opens.
4. To view the results of the most recent consistency check, select View Last Policy Consistency Check Result,
then click OK.
The Policy Consistency Check window opens, showing the results of the last policy consistency check.
View logs related to a policy rule
After you add a FortiAnalyzer device to FortiManager by using the Add FortiAnalyzer wizard, you can view the logs that it
receives. In the Policy & Objects pane, you can view logs related to the UUID for a policy rule. You can also use the
UUID to search related policy rules.
See also Adding FortiAnalyzer devices on page 51.
To view logs related to a policy rule:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Policy Packages.
3. From the Column Settings menu in the toolbar, select UUID.
The UUID column is displayed.
4. Select a policy package.
5. In the content pane, right-click a number in the UUID column, and select View Log.
The View Log by UUID: window is displayed and lists all of the logs associated with the policy ID.
Find and replace objects
You can find and replace objects used in multiple policies and policy packages. Some objects can be replaced with
multiple objects.
To find and replace objects:
1. If using ADOMs, ensure that you are in the correct ADOM.
2. Go to Policy & Objects > Policy Packages.
3. Select a policy package, and then select a policy.
Details for the policy are displayed in the content pane.
4. In the content pane, right-click an object, and select Find and Replace.
All policies in all policy packages are searched, and all occurrences of the found object are displayed in the Find and
Replace dialog box.
5. Select the checkbox for the entries that include the object you want to replace.
6. In the Replace with box, select one or more objects to use instead.
7. Click Replace.
The objects are replaced, and the results are displayed.
8. (Optional) Click Export to PDF to download a PDF summary of the objects that were replaced.
Managing policies
Policies in policy packages can be created and managed by selecting an ADOM, and then selecting the policy package
whose policies you are configuring. For some policy types, sections can be added to the policy list to help organize your
policies, and the policies can be listed in sequence, or by interface pairs.
On the Policy & Objects > Policy Packages pane, the tree menu lists the policy packages and the policies in each
policy package. The policies that are displayed for each policy package are controlled by the display options. See
Display options on page 154 for more information.
You can configure the following policies for a policy package:
• IP policies
• Virtual wire pair policy
• NAT policies
• Proxy policy
• Central SNAT
• Central DNAT
• DoS policies
• Interface policies
• Multicast policy
• Local in policies
• Traffic shaping policy
Various options are also available from column-specific right-click menus; for more information, see Column options on
page 168.
For more information about policies, see the FortiOS Handbook available in the Fortinet Document Library.
If workspace or workflow is enabled, the ADOM must be locked before changes can be made.
See Locking an ADOM on page 406.
Not all policy and object options are enabled by default. To configure the enabled options,
from the Tools menu, select Display Options.
Section view will be disabled if one or more policies are using the Any interface, or if one or
more policies are configured with multiple source or destination interfaces.
Column options
The visible columns can be adjusted, where applicable, using the Column Settings menu in the content pane toolbar.
The columns and columns filters available are dependent on the policy and the ADOM firmware version.
Click and drag an applicable column to move it to another location in the table.
Policy search and filter
Go to Policy & Objects > Policy Packages, and use the search box to search or filter policies for matching rules or
objects.
The default Simple Search will highlight text that matches the string entered in the search field.
To add column filters:
1. Select Column Filter from the search field dropdown menu.
2. Do either of the following:
a. Right-click on a specific value in any column and select Add Filter (equals or not equals) from the menu.
or
a. Click Add Filter, then select a column heading from the list.
b. Select from the available values in the provided list. Select Or to add multiple values, or select Not to remove
any policies that contain the selected value from the results.
Multiple filters can be added.
3. Click Go to filter the list.
Policy hit count
You can use FortiManager to view FortiGate policy hit counters. You must enable policy hit counts before you can view
the information.
In FortiManager, the policy hit counts are aggregated across all managed FortiGate units for the policy.
The hit count is collected from managed FortiGate units every 300 seconds (5 minutes) by default. You can configure
the frequency by using the config system global command with the hitcount_interval variable and the
hitcount_concurrent variable. For more information, see the FortiManager CLI Reference available on the
Fortinet Document Library.
When the policy hit counter is reset on the FortiGate, FortiManager subtracts the amount from its hit counters too.
The hit count information is excluded from the FortiManager event log, but it's included in the debug log for
troubleshooting purposes.
To enable policy hits:
1. Go to System Settings > Advanced Settings.
2. Beside Policy Hit Count, select Enable.
To view policy hit counts:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Policy Packages.
3. In the tree menu for a policy package, select a policy. The content pane for the policy is displayed.
4. View the Hit Count, Bytes, Packets, First Used, and Last Used columns.
5. Hover the mouse over the cells in the columns to view the Session Count, Session First Used, and Session Last
Used fields of information.
The Session Count field reports the total number of completed sessions from the FortiGate. It excludes incomplete
sessions, such as TCP sessions whose three-way handshake is incomplete, UDP sessions that are still pending a reply,
and SCTP sessions that have not reached an established state.
The Session First Used and Session Last Used fields are session aware and are triggered when return traffic is
generated. They indicate when a policy rule is actually being used, not just hit.
Creating policies
To create a new policy:
Policy creation varies depending on the type of policy that is being created. See the following section that corresponds
to the type of policy you are creating for specific instructions on creating that type of policy.
Policy creation will vary by ADOM version.
For information on creating policies, see the FortiOS Handbook, available in the Fortinet
Document Library.
To insert a policy:
Generic policies can be inserted above or below the currently selected policy. From the Create New menu, select Insert
Above or Insert Below. By default, new policies will be inserted at the bottom of the list.
Editing policies
Policies can be edited in a variety of ways, often directly on the policy list.
To edit a policy:
Select a policy and select Edit from the Edit menu, or double-click on a policy, to open the Edit Policy pane.
You can also edit a policy inline using the object pane (either the Object Selector frame or the Object Configurations
pane when dual pane is enabled), the right-click menu, and by dragging and dropping objects. See Object selector on
page 170 and Drag and drop objects on page 171.
The right-click menu changes based on the cell or object that is clicked on. When available, selecting Add Object(s)
opens the Add Object(s) dialog box, where one or more objects can be selected to add to the policy, or new objects can
be created and then added. Selecting Remove Object(s) removes the object from the policy.
To clone a policy:
Select a policy, and from the Edit menu, select Clone. The Clone Policy dialog box opens with all of the settings of the
original policy. Edit the settings as required and select OK to create the clone.
To copy, cut, or paste a policy or object:
You can copy, cut, and paste policies. Select a policy, and from the Edit menu, select Cut or Copy. When pasting a
copied or cut policy, you can insert it above or below the currently selected policy.
You can also copy, cut, and paste objects within a policy. Select an object in a cell, or select multiple objects using the
control key, then right-click and select Copy or Cut. Copied or cut objects can only be pasted into appropriate cells; an
address cannot be pasted into a service cell for example.
A copied or cut policy or object can be pasted multiple times without having to be recopied.
To delete a policy:
You can delete a policy. Select a policy, and from the Edit menu, select Delete.
To add a section:
You can use sections to help organize your policy list. Policies can also be appended to sections.
Select a policy, and from the Section menu, click Add. Type a section name, and click OK to add a section to the
currently selected policy.
Object selector
The Object Selector frame opens when a cell in the policy list is selected.
The Object Selector frame is only available when Display Policy & Objects in Dual Pane is
disabled. See Display options on page 154.
Create New: Click the Create New dropdown list, then select the object type to make a new object. See Create a new object on page 200.
Collapse / Expand All: Expand or collapse all of the object groups shown in the pane.
Dock to bottom / right: Move the Object Selector frame to the bottom or right side of the content pane.
Close: Close the Object Selector frame.
Search: Enter a search term to search the object list.
Refresh: Refresh the list.
Select All: Select all objects in the list.
Deselect All: Deselect all objects in the list.
Sort: Sort the object list alphabetically.
Objects can be added or removed from the selected cell by clicking on them, and then selecting OK to apply the change
and close the Object Selector frame.
Objects can also be dragged and dropped from the pane to applicable, highlighted cells in the policy list.
Right-click on an object in the pane to Edit or Clone the object, and to see where it is used. See Edit an object on page
204 and Clone an object on page 205.
Drag and drop objects
On the Policy & Objects > Policy Packages pane, objects can be dragged and dropped from the object pane, and can
also be dragged from one cell to another, without removing the object from the original cell.
One or more objects can be dragged at the same time. When dragging a single object, a box beside the pointer will
display the name of the object being dragged. When dragging multiple objects, the box beside the pointer will show a
count of the number of objects that are being dragged. To select multiple objects, click them while holding the control
key on your keyboard.
The cells or columns that the object or objects can be dropped into will be highlighted in the policy package pane. After
dropping the object or objects into a cell or column, the object will immediately appear in the cell as part of the policy, or
in all the cells of that column.
Install policies only to specific devices
Policies can be configured to install only to specific installation targets within the policy package. This allows a single
policy package to be applied to multiple different types of devices. For example, FortiGate and FortiWiFi devices can
share the same policy, even though FortiGate devices do not have WiFi interfaces.
To install a policy only to specific devices:
1. Ensure you are in the ADOM that contains the policy package.
2. Go to Policy & Objects > Policy Packages.
3. In the tree menu, select the policy package.
4. Select Column Settings > Install On from the content pane toolbar. The Install On column is not shown by default.
5. Click Installation Targets in the Install On column of the policy that will be applied to specific devices.
6. In the Object Selector frame, select the devices that the policy will be installed on (see Policy package installation
targets on page 162), then click OK.
The policy will now be installed only on the selected installation targets, and not the other devices to which the
policy package is assigned.
Configuring policy details
Various policy details can be configured directly from the policy tables, such as the policy schedule, service, action, security profiles, and logging.
To edit a policy schedule with dual pane disabled:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Policy Packages.
3. In the tree menu for a policy package, select a policy type. The policies are displayed in the content pane.
4. In the Schedule column, click the cell in the policy that you want to edit. The Object Selector frame is displayed.
5. In the Object Selector frame, locate the schedule object, then drag and drop the object onto the cell in the Schedule column for the policy that you want to change.
6. Click OK to close the Object Selector frame.
To edit a policy schedule with dual pane enabled:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects.
3. In the tree menu for a policy package, select a policy type. The policies are displayed in the content pane.
4. In the object pane, go to Firewall Objects > Schedules.
5. Locate the schedule object, then drag and drop the object onto the cell in the Schedule column for the policy that you want to change.
To edit a policy service with dual pane disabled:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Policy Packages.
3. In the tree menu for a policy package, select a policy type. The policies are displayed in the content pane.
4. In the Service column, click the cell in the policy that you want to edit. The Object Selector frame opens.
5. In the Object Selector frame, locate the service object, and then drag and drop the object onto the cell in the Service column for the policy that you want to change.
6. Click OK to close the Object Selector frame.
To edit a policy service with dual pane enabled:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects.
3. In the tree menu for a policy package, select a policy type. The policies are displayed in the content pane.
4. In the object pane, go to Firewall Objects > Services. The services objects are displayed in the content pane.
5. Locate the service object, then drag and drop the object onto the cell in the Service column for the policy that you want to change.
To edit a services object:
1. Go to Policy & Objects > Object Configuration.
2. In the tree menu, go to Firewall Objects > Services. The services objects are displayed in the content pane.
3. Select a services object, and click Edit. The Edit Service dialog box is displayed.
4. Configure the following settings, then click OK to save the service. The custom service will be added to the available services.
Name: Edit the service name as required.
Comments: Type an optional comment.
Service Type: Select Firewall or Explicit Proxy.
Show in service list: Select to display the object in the services list.
Category: Select a category for the service.
Protocol Type: Select the protocol from the dropdown list: TCP/UDP/SCTP, ICMP, ICMP6, or IP.
IP/FQDN: Type the IP address or FQDN. This menu item is available when Protocol is set to TCP/UDP/SCTP. You can then define the protocol, source port, and destination port in the table.
Type: Type the service type in the text field. This menu item is available when Protocol is set to ICMP or ICMP6.
Code: Type the code in the text field. This menu item is available when Protocol is set to ICMP or ICMP6.
Protocol Number: Type the protocol number in the text field. This menu item is available when Protocol Type is set to IP.
Advanced Options: For more information on advanced options, see the FortiOS CLI Reference.
check-reset-range: Configure ICMP error message verification.
• disable: The FortiGate unit does not validate ICMP error messages.
• strict: If the FortiGate unit receives an ICMP error packet that contains an embedded IP(A,B) | TCP(C,D) header, then if FortiManager can locate the A:C->B:D session it checks to make sure that the sequence number in the TCP header is within the range recorded in the session. If the sequence number is not in range then the ICMP packet is dropped. If it is enabled, the FortiGate unit logs that the ICMP packet was dropped. Strict checking also affects how the anti-replay option checks packets.
• default: Use the global setting defined in system global.
This field is available when Protocol is TCP/UDP/SCTP. This field is not available if explicit-proxy is enabled.
Color: Click the icon to select a custom, colored icon to display next to the service name.
session-ttl: Type the default session timeout in seconds. The valid range is from 300 to 604800 seconds. Type 0 to use either the per-policy session-ttl or per-VDOM session-ttl, as applicable. This is available when Protocol is TCP/UDP/SCTP.
tcp-halfclose-timer: Type how many seconds the FortiGate unit should wait to close a session after one peer has sent a FIN packet but the other has not responded. The valid range is from 1 to 86400 seconds. Type 0 to use the global setting defined in system global. This is available when Protocol is TCP/UDP/SCTP.
tcp-halfopen-timer: Type how many seconds the FortiGate unit should wait to close a session after one peer has sent an open session packet but the other has not responded. The valid range is from 1 to 86400 seconds. Type 0 to use the global setting defined in system global. This is available when Protocol is TCP/UDP/SCTP.
tcp-timewait-timer: Set the length of the TCP TIME-WAIT state in seconds. As described in RFC 793, the “...TIME-WAIT state represents waiting for enough time to pass to be sure the remote TCP received the acknowledgment of its connection termination request.” Reducing the length of the TIME-WAIT state means the FortiGate unit can close terminated sessions faster, which means that more new sessions can be opened before the session limit is reached. The valid range is 0 to 300 seconds. A value of 0 sets the TCP TIME-WAIT to 0 seconds. Type 0 to use the global setting defined in system global. This is available when Protocol is TCP/UDP/SCTP.
udp-idle-timer: Type the number of seconds before an idle UDP connection times out. The valid range is from 1 to 86400 seconds. Type 0 to use the global setting defined in system global. This is available when Protocol is TCP/UDP/SCTP.
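The strict mode of check-reset-range is easier to reason about when the check is written out. The following is an added illustration, not FortiOS or FortiManager code: it parses the IPv4 + TCP header quoted inside an ICMP error message, looks up the A:C->B:D session in a session table, and drops the error when the quoted sequence number is outside the range recorded for that session. The session table, the GLOBAL_CHECK_RESET_RANGE stand-in for the system global setting, the packets, and the decision to drop errors with no matching session or an unparsable quote are all assumptions made for the example.

```python
"""Model of the check-reset-range option described above (added example,
not FortiOS code). Parses the quoted IPv4 + TCP header that an ICMP error
message carries, looks up the A:C->B:D session, and in strict mode drops
the error when the quoted TCP sequence number is out of the session's range.
The session table and the packets are constructed sample data."""
import struct
import ipaddress

# Constructed session table: (A, C, B, D) -> (lowest, highest) acceptable sequence number.
SESSIONS = {
    ("10.0.0.5", 40000, "203.0.113.10", 443): (1000, 1000 + 65535),
}
# Stand-in (assumption) for the setting in "system global" that mode "default" falls back to.
GLOBAL_CHECK_RESET_RANGE = "strict"


def parse_icmp_error(payload: bytes):
    """Return (A, C, B, D, seq) from the quoted IPv4 header plus the first 8
    bytes of the original TCP header. Raises ValueError on malformed input."""
    if len(payload) < 20 or payload[0] >> 4 != 4:
        raise ValueError("quoted header is missing or not IPv4")
    ihl = (payload[0] & 0x0F) * 4
    if ihl < 20 or len(payload) < ihl + 8:
        raise ValueError("quoted transport header truncated")
    if payload[9] != 6:
        raise ValueError("quoted datagram is not TCP")
    a = str(ipaddress.IPv4Address(payload[12:16]))   # source of the original packet
    b = str(ipaddress.IPv4Address(payload[16:20]))   # destination of the original packet
    c, d, seq = struct.unpack("!HHI", payload[ihl:ihl + 8])  # src port, dst port, seq
    return a, c, b, d, seq


def check_reset_range(payload: bytes, mode: str = "strict") -> str:
    """Return 'accept' or 'drop' for an ICMP error payload under the given mode."""
    if mode == "default":
        mode = GLOBAL_CHECK_RESET_RANGE
    if mode == "disable":
        return "accept"          # no validation of ICMP error messages
    try:
        a, c, b, d, seq = parse_icmp_error(payload)
    except ValueError:
        return "drop"            # assumption of this model: unparsable quotes are dropped
    window = SESSIONS.get((a, c, b, d))
    if window is None:
        return "drop"            # assumption of this model: no session to validate against
    low, high = window
    return "accept" if low <= seq <= high else "drop"


def build_quoted_headers(a, c, b, d, seq) -> bytes:
    """Construct the quoted IPv4 header (no options) + 8 TCP bytes for a sample packet."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         ipaddress.IPv4Address(a).packed,
                         ipaddress.IPv4Address(b).packed)
    return ip_hdr + struct.pack("!HHI", c, d, seq)
```

A session whose sequence window has been recorded accepts an error quoting a sequence number inside that window and rejects one outside it; the same out-of-range packet passes when the mode is disable, which is the trade-off the option exposes.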
To edit a policy action:
1. Select the desired policy type in the tree menu.
2. Select the policy, and from the Edit menu, select Edit.
3. Set the Action option, and click OK.
To edit policy logging:
1. Select the desired policy type in the tree menu.
2. Right-click the Log column, and select options from the menu.
To edit policy security profiles with dual pane disabled:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Policy Packages.
3. In the tree menu for a policy package, select a policy type. The policies are displayed in the content pane.
4. In the Security Profiles column, click the cell in the policy that you want to edit. The Object Selector frame is displayed.
5. In the Object Selector frame, locate the profiles, then drag and drop the object onto the cell in the Security Profiles column for the policy that you want to change.
6. Click OK to close the Object Selector frame.
To edit policy security profiles with dual pane enabled:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects.
3. In the tree menu for a policy package, select a policy type. The policies are displayed in the content pane.
4. In the object pane, go to Security Profiles.
5. Locate the profile object, then drag and drop the object onto the cell in the Security Profiles column for the policy that you want to change.
The policy action must be Accept to add security profiles to the policy.
IP policies
This section describes how to create new IPv4 and IPv6 policies.
IPv6 security policies are created both for an IPv6 network and a transitional network. A transitional network is a network that is transitioning over to IPv6, but must still have access to the Internet or must connect over an IPv4 network. IPv6 policies allow for this specific type of traffic to travel between the IPv6 and IPv4 networks.
On the Policy & Objects tab, from the Tools menu, select Display Options. In the Policy section, select the IPv6 Policy checkbox to display this option.
To create a new IPv4 or IPv6 policy:
1. Ensure that you are in the correct ADOM.
2. Go to Policy & Objects > Policy Packages.
3. In the tree menu for the policy package in which you will be creating the new policy, select IPv4 Policy or IPv6 Policy. If you are in the Global Database ADOM, select IPv4 Header Policy, IPv4 Footer Policy, IPv6 Header Policy, or IPv6 Footer Policy.
4. Click Create New, or, from the Create New menu, select Insert Above or Insert Below. By default, policies will be added to the bottom of the list, but above the implicit policy. The Create New Policy pane opens.
5. Enter the following information:
Name: Enter a unique name for the policy. Each policy must have a unique name.
Incoming Interface: Click the field then select interfaces from the Object Selector frame, or drag and drop the address from the object pane. Select the remove icon to remove values. New objects can be created by clicking the Create New icon in the Object Selector frame. See Create a new object on page 200 for more information.
Outgoing Interface: Select outgoing interfaces.
Source Internet Service: Turn source internet service on or off, then select services. This option is only available for IPv4 policies.
Source Address: Select source addresses. This option is only available when Source Internet Service is off.
Source User: Select source users. This option is only available when Source Internet Service is off.
Source User Group: Select source user groups. This option is only available when Source Internet Service is off.
Source Device: Select source devices, device groups, and device categories. This option is only available when Source Internet Service is off.
Destination Internet Service: Turn destination internet service on or off, then select services. This option is only available for IPv4 policies.
Destination Address: Select destination addresses, address groups, virtual IPs, and virtual IP groups. This option is only available when Destination Internet Service is off.
Service: Select services and service groups. This option is only available when Destination Internet Service is off.
Schedule: Select schedules, one time or recurring, and schedule groups.
Application: Select applications. This option is only available when NGFW Mode is Policy-based for the policy package; see Create new policy packages on page 155.
URL Category: Select URL categories. This option is only available when NGFW Mode is Policy-based for the policy package; see Create new policy packages on page 155.
Action: Select an action for the policy to take: ACCEPT, DENY, or IPSEC. IPSEC is not available for IPv6 policies.
Log Traffic: When the Action is DENY, select Log Violation Traffic to log violation traffic. When the Action is ACCEPT or IPSEC, select one of the following options:
• No Log
• Log Security Events
• Log All Sessions
Generate Logs when Session Starts: Select to generate logs when the session starts.
Capture Packets: Select to capture packets. This option is available when the Action is ACCEPT or IPSEC, and Log Security Events or Log All Sessions is selected.
NAT: Select to enable NAT. If enabled, select Use Destination Interface Address or Dynamic IP Pool, and select Fixed Port if required. If Dynamic IP Pool is selected, select pools. This option is available when the Action is ACCEPT, and when NGFW Mode is Profile-based; see Create new policy packages on page 155.
VPN Tunnel: Select a VPN tunnel dynamic object from the dropdown list. Select to allow traffic to be initiated from the remote site. This option is available when the Action is IPSEC.
Security Profiles: Select to add security profiles or profile groups. This option is available when the Action is ACCEPT or IPSEC. The following profile types can be added:
• AntiVirus Profile
• Web Filter Profile
• Application Control
• IPS Profile
• Email Filter Profile
• DLP Sensor
• VoIP Profile
• ICAP Profile
• SSL/SSH Inspection
• Web Application Firewall
• DNS Filter
• Proxy Options
• Profile Group (available when Use Security Profile Group is selected)
Shared Shaper: Select traffic shapers. This option is available if the Action is ACCEPT or IPSEC.
Reverse Shaper: Select traffic shapers. This option is available if the Action is ACCEPT or IPSEC and at least one forward traffic shaper is selected.
Per-IP Shaper: Select per IP traffic shapers. This option is available if the Action is ACCEPT or IPSEC.
Comments: Add a description of the policy, such as its purpose, or the changes that have been made to it.
Advanced Options: Configure advanced options, see Advanced options below. For more information on advanced options, see the FortiOS CLI Reference.
6. Click OK to create the policy. You can select to enable or disable the policy in the right-click menu. When disabled, a disabled icon will be displayed in the Seq.# column to the left of the number.
Advanced options
Each option is listed with its description and its default value.
auth-cert: HTTPS server certificate for policy authentication (IPv4 only). Default: none.
auth-path: Enable or disable authentication-based routing (IPv4 only). Default: disable.
auth-redirect-addr: HTTP-to-HTTPS redirect address for firewall authentication (IPv4 only). Default: none.
auto-asic-offload: Enable or disable policy traffic ASIC offloading. Default: enable.
block-notification: Enable or disable block notification (IPv4 only). Default: disable.
captive-portal-exempt: Enable or disable exemption of captive portal (IPv4 only). Default: disable.
custom-log-fields: Select the custom log fields from the dropdown list. Default: none.
delay-tcp-npu-session: Enable or disable TCP NPU session delay in order to guarantee packet order of the 3-way handshake (IPv4 only). Default: disable.
diffserv-forward: Enable or disable application of the differentiated services code point (DSCP) value to the DSCP field of forward (original) traffic. Default: disable.
diffserv-reverse: Enable or disable application of the DSCP value to the DSCP field of reverse (reply) traffic. If enabled, also configure diffservcode-rev. Default: disable.
diffservcode-forward: Type the DSCP value that the FortiGate unit will apply to the field of originating (forward) packets. The value is 6 bits binary. The valid range is 000000-111111. Default: 000000.
diffservcode-rev: Type the DSCP value that the FortiGate unit will apply to the field of reply (reverse) packets. The value is 6 bits binary. The valid range is 000000-111111. Default: 000000.
disclaimer: Enable or disable user authentication disclaimer (IPv4 only). Default: disable.
dscp-match: Enable or disable DSCP check. Default: disable.
dscp-negate: Enable or disable negated DSCP match. Default: disable.
dscp-value: Enter the DSCP value. Default: 000000.
dsri: Enable or disable DSRI (Disable Server Response Inspection) to ignore HTTP server responses. Default: disable.
dstaddr-negate: Enable or disable negated destination address match. Default: disable.
firewall-session-dirty: Packet session management, either check-all or check-new. Default: check-all.
fsso-agent-for-ntlm: Select the FSSO agent for NTLM from the dropdown list (IPv4 only). Default: none.
identity-based-route: Name of identity-based routing rule (IPv4 only). Default: none.
internet-service-negate: When enabled, Internet services match against any Internet service EXCEPT the selected Internet service (IPv4 only). Default: disable.
internet-service-src-negate: Enables or disables the use of Internet Services in source for this policy. If enabled, internet-service-src specifies what the service must NOT be (IPv4 only). Default: disable.
learning-mode: Enable or disable learning mode for policy (IPv4 only). Default: disable.
match-vip: Enable or disable match DNATed packet (IPv4 only). Default: disable.
natinbound: Enable or disable policy NAT inbound. Default: disable.
natip: Type the NAT IP address in the text field (IPv4 only). Default: 0.0.0.0.
natoutbound: Enable or disable policy NAT outbound. Default: disable.
np-acceleration: Enable or disable UTM Network Processor acceleration. Default: enable.
ntlm: Enable or disable NTLM authentication (IPv4 only). Default: disable.
ntlm-enabled-browsers: Type a value in the text field (IPv4 only). Default: none.
ntlm-guest: Enable or disable NTLM guest (IPv4 only). Default: disable.
outbound: Enable or disable policy outbound. Default: disable.
permit-any-host: Enable to accept UDP packets from any host (IPv4 only). Default: disable.
permit-stun-host: Enable to accept UDP packets from any STUN host (IPv4 only). Default: disable.
radius-mac-auth-bypass: Enable MAC authentication bypass. The bypassed MAC address must be received from the RADIUS server. Default: disable.
redirect-url: URL redirection after disclaimer/authentication (IPv4 only). Default: none.
replacemsg-override-group: Specify the authentication replacement message override group. Default: none.
rtp-addr: Select the RTP address from the dropdown list (IPv4 only). Default: none.
rtp-nat: Enable to apply source NAT to RTP packets received by the firewall policy (IPv4 only). Default: disable.
scan-botnet-connections: Enable or disable scanning of connections to Botnet servers (IPv4 only). Default: disable.
schedule-timeout: Enable to force the session to end when the policy schedule end time is reached (IPv4 only). Default: disable.
send-deny-packet: Enable to send a packet in reply to denied TCP, UDP or ICMP traffic. Default: disable.
service-negate: Enable or disable negated service match. Default: disable.
session-ttl: Type a value for the session time-to-live (TTL) from 300 to 604800, or type 0 for no limitation. Default: 0.
srcaddr-negate: Enable or disable negated source address match. Default: disable.
ssh-filter-profile: Select an SSH filter profile from the dropdown list. Default: None.
ssl-mirror: Enable or disable SSL mirror. Default: disable.
ssl-mirror-intf: Mirror interface name. Default: none.
tcp-mss-receiver: Type a value for the receiver's TCP MSS. Default: 0.
tcp-mss-sender: Type a value for the sender's TCP MSS. Default: 0.
tcp-session-without-syn: Enable or disable creation of TCP sessions without the SYN flag. Default: disable.
• all: Enable TCP session without SYN.
• data-only: Enable TCP session data only.
• disable: Disable TCP session without SYN.
timeout-send-rst: Enable sending a TCP reset when an application session times out. Default: disable.
vlan-cos-fwd: Type the VLAN forward direction user priority. Default: 255.
vlan-cos-rev: Type the VLAN reverse direction user priority. Default: 255.
vlan-filter: Set VLAN filters.
wanopt: Enable or disable WAN optimization (IPv4 only). Default: disable.
wanopt-detection: WAN optimization auto-detection mode (IPv4 only). Default: active.
wanopt-passive-opt: WAN optimization passive mode options. This option decides what IP address will be used to connect to the server (IPv4 only). Default: default.
wanopt-peer: WAN optimization peer (IPv4 only). Default: none.
wanopt-profile: WAN optimization profile (IPv4 only). Default: none.
wccp: Enable or disable Web Cache Communication Protocol (WCCP) (IPv4 only). Default: disable.
webcache: Enable or disable web cache (IPv4 only). Default: disable.
webcache-https: Enable or disable web cache for HTTPS (IPv4 only). Default: disable.
wsso: Enable or disable WiFi Single Sign-On (IPv4 only). Default: enable.
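Several of the options above change how a policy matches rather than what it does: the srcaddr-negate, dstaddr-negate and service-negate flags each invert one criterion, and dscp-match, dscp-negate and dscp-value add a DSCP criterion on top, while diffservcode-forward and diffservcode-rev write a 6-bit value into the DS field. The following added example (not FortiManager or FortiOS code; the Policy class, addresses and packet fields are constructed for illustration) models those semantics so the interaction of the flags can be checked against concrete packets.

```python
"""Model of the negate flags and DSCP options listed in the advanced options
table (added example, not FortiOS code). The Policy dataclass and all
addresses are constructed for illustration."""
from dataclasses import dataclass
import ipaddress


@dataclass
class Policy:
    srcaddr: list                 # CIDR strings selected as Source Address
    dstaddr: list                 # CIDR strings selected as Destination Address
    service: set                  # (protocol, destination port) pairs selected as Service
    srcaddr_negate: bool = False  # match any source EXCEPT srcaddr
    dstaddr_negate: bool = False  # match any destination EXCEPT dstaddr
    service_negate: bool = False  # match any service EXCEPT service
    dscp_match: bool = False      # enable the DSCP check
    dscp_negate: bool = False     # invert the DSCP check
    dscp_value: str = "000000"    # 6-bit binary string, as in the table


def validate_dscp(value: str) -> int:
    """Accept only the 000000-111111 form the table specifies; return it as an int."""
    if len(value) != 6 or set(value) - {"0", "1"}:
        raise ValueError(f"DSCP value must be 6 binary digits, got {value!r}")
    return int(value, 2)


def _in_any(ip: str, cidrs) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def policy_matches(p: Policy, src: str, dst: str, proto: str, dport: int, dscp: int) -> bool:
    """Return True when the packet matches the policy. Each negate flag
    inverts its own criterion (exclusive or), so a negated criterion matches
    exactly the traffic the plain criterion would reject; the DSCP criterion
    only participates when dscp-match is enabled."""
    src_ok = _in_any(src, p.srcaddr) != p.srcaddr_negate
    dst_ok = _in_any(dst, p.dstaddr) != p.dstaddr_negate
    svc_ok = ((proto, dport) in p.service) != p.service_negate
    if p.dscp_match:
        dscp_ok = (dscp == validate_dscp(p.dscp_value)) != p.dscp_negate
    else:
        dscp_ok = True
    return src_ok and dst_ok and svc_ok and dscp_ok


def apply_diffservcode(ds_byte: int, code: str) -> int:
    """Rewrite the DSCP (upper 6 bits of the IPv4 DS byte) with a
    diffservcode-forward or diffservcode-rev value, keeping the two ECN bits."""
    return (validate_dscp(code) << 2) | (ds_byte & 0b11)
```

A negated destination with dstaddr set to a management subnet, for instance, is the idiom for "everything except management"; the model makes clear that the negation applies to that one criterion only and that the other criteria still have to match.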
Virtual wire pair policy
This section describes how to create virtual wire pair policies. Before you can create a policy, you must create a virtual wire pair. See Configuring virtual wire pairs on page 226.
You must display the option before you can set it. On the Policy & Objects pane, from the Tools menu, select Display Options, and then select the IPv4 Virtual Wire Pair Policy checkbox to display this option.
To create a virtual wire pair policy:
1. If using ADOMs, ensure that you are in the correct ADOM.
2. Go to Policy & Objects > Policy Packages.
3. In the tree menu for the policy package in which you will be creating the new policy, select IPv4 Virtual Wire Pair Policy.
4. Click Create New, or, from the Create New menu, select Insert Above or Insert Below. By default, policies will be added to the bottom of the list. The Create New Policy pane opens.
5. Enter the following information, then click OK to create the policy:
Name: Enter a unique name for the policy. Each policy must have a unique name.
Virtual Wire Pair Interface: Select an interface. You can type the name of the interface to search for it in the list.
Virtual Wire Pair: Select an arrow to indicate the flow of traffic between ports.
Source Internet Service: Turn source internet service on or off, then select services from the Object Selector frame, or drag and drop them from the object pane.
Source Address: Select source addresses. This option is only available when Source Internet Service is off.
Source User: Select source users. This option is only available when Source Internet Service is off.
Source User Group: Select source user groups. This option is only available when Source Internet Service is off.
Source Device: Select source devices, device groups, and device categories. This option is only available when Source Internet Service is off.
Internet Service: Toggle ON to enable Internet service. Toggle OFF to disable Internet service.
Destination Internet Service: Turn destination internet service on or off, then select services.
Destination Address: Select destination addresses, address groups, virtual IPs, and virtual IP groups. This option is available when Destination Internet Service is OFF.
Service: Select services and service groups. This option is available when Destination Internet Service is OFF.
Schedule: Select schedules, one time or recurring, and schedule groups.
Action: Select an action for the policy to take: Deny or Accept.
Log Traffic: When the Action is DENY, select Log Violation Traffic to log violation traffic. When the Action is ACCEPT, select one of the following options:
• No Log
• Log Security Events
• Log All Sessions
Generate Logs when Session Starts: Select to generate logs when the session starts.
Capture Packets: Select to capture packets. This option is available when the Action is ACCEPT and Log Security Events or Log All Sessions is selected.
Security Profiles: Select to add security profiles or profile groups. This option is available when Action is Accept. The following profile types can be added:
• Antivirus Profile
• Web Filter Profile
• Application Control
• IPS Profile
• Email Filter Profile
• DLP Sensor
• VoIP Profile
• ICAP Profile
• SSL/SSH Inspection
• Web Application Firewall
• DNS Filter
• Proxy Options
• Profile Group (available when Use Security Profile Group is selected)
Shared Shaper: Select traffic shapers. This option is available if the Action is ACCEPT or IPSEC.
Reverse Shaper: Select traffic shapers. This option is available if the Action is ACCEPT or IPSEC and at least one forward traffic shaper is selected.
Per-IP Shaper: Select per IP traffic shapers. This option is available if the Action is ACCEPT or IPSEC.
Description: Add a description of the policy, such as its purpose, or the changes that have been made to it.
Advanced Options: Configure advanced options, see Advanced options on page 178. For more information on advanced options, see the FortiOS CLI Reference.
NAT policies
Use NAT46 policies for IPv6 environments where you want to expose certain services to the public IPv4 Internet. You will need to configure a virtual IP to permit the access.
Use NAT64 policies to perform network address translation (NAT) between an internal IPv6 network and an external IPv4 network.
The NAT46 Policy tab allows you to create, edit, delete, and clone NAT46 policies. The NAT64 Policy tab allows you to create, edit, delete, and clone NAT64 policies.
On the Policy & Objects pane, from the Tools menu, select Display Options, and then select the NAT46 Policy and NAT64 Policy checkboxes to display these options.
To create a NAT46 or NAT64 policy:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Policy Packages.
3. In the tree menu for the policy package, click NAT46 Policy or NAT64 Policy.
4. Click Create New, or, from the Create New menu, select Insert Above or Insert Below. By default, policies will be added to the bottom of the list. The Create New Policy pane opens.
5. Configure the following settings, then click OK to create the policy:
Incoming Interface: Click the field then select interfaces from the Object Selector frame, or drag and drop the address from the object pane.
Outgoing Interface: Select outgoing interfaces.
Source Address: Select source addresses.
Destination Address: Select destination addresses, address groups, virtual IPs, and virtual IP groups.
Service: Select services and service groups.
Schedule: Select schedules, one time or recurring, and schedule groups.
Action: Select an action for the policy to take: ACCEPT or DENY.
Log Allowed Traffic: Select to log allowed traffic.
NAT: NAT is enabled by default for this policy type when the Action is ACCEPT. Use Destination Interface Address is selected by default. Select Fixed Port if required.
Dynamic IP Pool: Select to use dynamic IP pools. Select Fixed Port if required, and the IP Pool Name from the available IP pool objects. This option is only available for NAT64 policies.
Traffic Shaping: Select traffic shapers. This option is available if the Action is ACCEPT.
Reverse Traffic Shaping: Select traffic shapers. This option is available if at least one forward traffic shaper is selected.
Per-IP Traffic Shaping: Select per IP traffic shapers. This option is available if the Action is ACCEPT.
Description: Add a description of the policy, such as its purpose, or the changes that have been made to it.
Advanced Options:
ippool: Enable IP pools. This option is only available for NAT46 policies.
permit-any-host: Enable to accept UDP packets from any host.
poolname: Select a firewall IP pool from the dropdown list (default = None). This option is only available for NAT46 policies.
tcp-mss-receiver: Enter a value for the receiver's TCP MSS.
tcp-mss-sender: Enter a value for the sender's TCP MSS.
Proxy policy
This section describes how to create web, FTP, and WAN Opt proxy policies.
On the Policy & Objects pane, go to Tools > Display Options, and then select the Explicit Proxy Policy checkbox in the Policy section to display this option.
To create a new proxy policy:
1. Go to Policy & Objects > Policy Packages.
2. In the tree menu for the policy package in which you will be creating the new policy, select Explicit Proxy Policy.
3. Click Create New, or, from the Create New menu, select Insert Above or Insert Below. By default, policies will be added to the bottom of the list. The Create New Policy pane opens.
4. Enter the following information, then click OK to create the policy:
Explicit Proxy Type: Select the explicit proxy type: Explicit Web, Transparent Web, FTP, or WAN Optimize.
Incoming Interface: Select incoming interfaces from the Object Selector frame, or drag and drop the address from the object pane. This option is only available when the proxy type is set to Transparent Web.
Outgoing Interface: Select outgoing interfaces.
Source: Select source addresses.
Destination: Select destination addresses, address groups, virtual IPs, and virtual IP groups.
Service: Select services and service groups from the object selector pane.
Schedule: Select schedules, one time or recurring, and schedule groups.
Action: Select an action for the policy to take: Deny, Accept, or Redirect. Redirect is only available when the proxy type is set to Explicit Web or Transparent Web.
Log Traffic: Select one of the following options:
• No Log
• Log Security Events
• Log All Sessions
When Log All Sessions is selected, you can select to generate logs when the session starts. This option is available when the Action is Accept.
Log Violation Traffic: Select to log violation traffic. This option is available when the Action is Deny.
Disclaimer Options: Set the Display Disclaimer: Disable, By Domain, By Policy, or By User. Optionally, select a custom message in the Customize Messages field if not disabled. These options are available when the Action is Accept.
Security Profiles: Select to add security profiles or profile groups. The following profile types can be added:
• Antivirus Profile
• Web Filter Profile (not available when the proxy type is set to FTP)
• Application Control (not available when the proxy type is set to FTP)
• IPS Profile (not available when the proxy type is set to FTP)
• DLP Sensor
• ICAP (not available when the proxy type is set to FTP)
• Web Application Firewall (not available when the proxy type is set to FTP)
• Proxy Options
• SSL/SSH Inspection
• Profile Group (available when Use Security Profile Group is selected)
This option is available when the Action is Accept.
Redirect URL: Enter the redirect URL. This option is only available when the Action is Redirect.
Web Proxy Forwarding Server: Select a web proxy forwarding server from the dropdown list. This option is not available when the proxy type is set to FTP.
Comments: Add a description of the policy, such as its purpose, or the changes that have been made to it.
Advanced Options: Configure advanced options, see Advanced options below. For more information on advanced options, see the FortiOS CLI Reference.
Advanced options
Each option is listed with its description and its default value.
dstaddr-negate: Enable or disable negated destination address match. Default: disable.
global-label: Enter a global label. Default: -.
http-tunnel-auth: Enable or disable HTTP tunnel authentication. Default: disable.
internet-service-negate: Enable or disable negated internet service. Default: disable.
label: Enter a label. Default: -.
poolname: Select a firewall IP pool from the dropdown list. Default: None.
scan-botnet-connections: Enable or disable scanning of connections to Botnet servers. Default: disable.
service-negate: Enable or disable negated service match. Default: disable.
session-ttl: Session TTL for sessions accepted by this policy (300 - 6040800 seconds, 0 = use system default). Default: 0.
srcaddr-negate: Enable or disable negated source address match. Default: disable.
ssh-filter-profile: Name of an existing SSH filter profile. Default: None.
transparent: Use the IP address of the client to connect to the server. Default: disable.
webcache: Enable or disable web cache. Default: disable.
webcache-https: Enable or disable web cache for HTTPS. Default: disable.
webproxy-profile: Select a webproxy profile from the dropdown list. Default: None.
Central SNAT
The Central SNAT (Secure NAT) table enables you to define and control (with more granularity) the address translation
performed by the FortiGate unit. With the NAT table, you can define the rules which dictate the source address or
address group, and which IP pool the destination address uses.
While similar in functionality to IP pools, where a single address is translated to an alternate address from a range of IP
addresses, with IP pools there is no control over the translated port. When using the IP pool for source NAT, you can
define a fixed port to guarantee the source port number is unchanged. If no fixed port is defined, the port translation is
randomly chosen by the FortiGate unit. With the central NAT table, you have full control over both the IP address and
port translation.
The FortiGate unit reads the NAT rules in a top-down methodology, until it hits a matching rule for the incoming
address. This enables you to create multiple NAT policies that dictate which IP pool is used based on the source
address. The NAT policies can be rearranged within the policy list as well. NAT policies are applied to network traffic
after a security policy.
The Central SNAT table allows you to create, edit, delete, and clone central SNAT entries.
Central SNAT does not support Section View.
Central NAT must be enabled, or NGFW Mode must be set to Policy-based, when creating
or editing the policy package for this option to be available in the tree menu. See Create new
policy packages on page 155.
To create a new central SNAT entry:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Policy Packages.
3. In the tree menu for the policy package, click Central SNAT.
4. Click Create New, or, from the Create New menu, select Insert Above or Insert Below. By default, policies will be
added to the bottom of the list. The Create New Central SNAT pane opens.
5. Configure the following settings, then click OK to create the policy:
Incoming Interface Click the field then select interfaces from the Object Selector frame, or drag
and drop the address from the object pane.
Select the remove icon to remove values.
Outgoing Interface Select outgoing interfaces.
Source Address Select source addresses.
Destination Address Select destination addresses, address groups, virtual IPs, and virtual IP
groups.
NAT Select to enable NAT.
IP Pool Configuration Select either Use Outgoing Interface Address, or Use Dynamic IP Pool. If
using a dynamic IP pool, select the pool from the Object Selector frame.
This option is only available when NAT is selected.
Protocol Select the protocol: ANY, TCP, UDP, SCTP, or Specify. If Specify is
selected, specify the protocol number.
This option is only available when NAT is selected.
Comments Add a description of the policy, such as its purpose, or the changes that have
been made to it.
Meta Fields If configured, enter values for the required meta fields, and optionally for the
optional fields. See Meta Fields on page 433.
Advanced Options Enable or disable nat.
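The top-down matching described above, written as two central SNAT rules in a FortiOS CLI fragment of the kind a policy package CLI script would carry. This is an added example, not from this guide: the table name firewall central-snat-map and the keys srcintf, dstintf, orig-addr, dst-addr, protocol, nat, nat-ippool, nat-port and comments are assumed FortiOS names to verify against the FortiOS CLI Reference; the interface, address and pool names are constructed, and the # lines are explanatory comments to strip before running the fragment as a script.

```text
# Added example (not from the guide). Assumed FortiOS CLI names; "port1", "port2",
# "lan-clients" and "snat-pool-a" are constructed placeholders.
config firewall central-snat-map
    # Rule 1: TCP from the LAN address object leaving port1 via port2 is translated to
    # a dedicated IP pool with an explicit translated port range. Rules are read
    # top-down until the first match, so this specific rule must sit above the
    # catch-all in rule 2 or it will never be reached.
    edit 1
        set srcintf "port1"
        set dstintf "port2"
        set orig-addr "lan-clients"
        set dst-addr "all"
        set protocol 6
        set nat enable
        set nat-ippool "snat-pool-a"
        set nat-port 10000-20000
        set comments "TCP from lan-clients: translate to snat-pool-a"
    next
    # Rule 2: everything else from port1 to port2 uses the outgoing interface
    # address (no IP pool), which is the "Use Outgoing Interface Address" choice above.
    edit 2
        set srcintf "port1"
        set dstintf "port2"
        set orig-addr "all"
        set dst-addr "all"
        set nat enable
        set comments "catch-all: outgoing interface address"
    next
end
```

Because NAT rules are applied after the security policy, traffic must first be accepted by a firewall policy before either rule is consulted.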
Central DNAT
The FortiGate unit checks the NAT table and determines if the destination IP address for incoming traffic must be
changed using DNAT. DNAT is typically applied to traffic from the Internet that is going to be directed to a server on a
network behind the FortiGate device. DNAT means the actual address of the internal network is hidden from the
Internet. This step determines whether a route to the destination address actually exists.
DNAT must take place before routing so that the unit can route packets to the correct destination.
DNAT policies can be created, or imported from Virtual IP (VIP) objects. Virtual servers can also be imported from
ADOM objects to DNAT policies. DNAT policies are automatically added to the VIP object table (Object Configurations
> Firewall Objects > Virtual IPs) when they are created.
VIPs can be edited from either the DNAT or VIP object tables by double-clicking on the VIP, right-clicking on the VIP and
selecting Edit, or selecting the VIP and clicking Edit in the toolbar. The network type cannot be changed. DNAT policies
can also be copied, pasted, cloned, and moved from the right-click or Edit menus.
Deleting a DNAT policy does not delete the corresponding VIP object, and a VIP object cannot be deleted if it is in the
DNAT table.
DNAT policies support overlapping IP address ranges; VIPs do not. DNAT policies do not support VIP groups.
Central DNAT does not support Section View.
Central NAT must be enabled when creating or editing the policy package for this option to be
available in the tree menu. See Create new policy packages on page 155.
To create a new central DNAT entry:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Policy Packages.
3. In the tree menu for the policy package, click Central DNAT.
4. Click Create New, or, from the Create New menu, select Insert Above or Insert Below. By default, policies will be
added to the bottom of the list. The Create New Virtual IP pane opens.
5. Configure the following settings, then click OK to create the VIP:
Name Enter a unique name for the DNAT.
Comments Optionally, enter comments about the DNAT, such as its purpose, or the
changes that have been made to it.
Color Select a color.
Interface Select an interface.
Network Type Select the network type: Static NAT, DNS Translation, or FQDN.
External IP Address/Range Enter the start and end external IP addresses in the fields. If there is only one
address, enter it in both fields.
This option is not available when the network type is FQDN.
Mapped IP Address/Range Enter the mapped IP address.
This option is not available when the network type is FQDN.
External IP Address Enter the external IP address.
This option is only available when the network type is FQDN.
Mapped Address Select the mapped address.
This option is only available when the network type is FQDN.
Source Interface Filter Select a source interface filter.
Optional Filters Enable or disable optional filters.
Source Address Add source IP, range, or subnet filters. Multiple filters can be added using the
Add icon.
Services Enable and add services.
Port Forwarding Enable or disable port forwarding.
Protocol Select the protocol: TCP, UDP, SCTP, or ICMP.
External Service Port Enter the external service port.
This option is not available when Protocol is ICMP.
Map to Port Enter the map to port.
This option is not available when Protocol is ICMP.
Enable ARP Reply Select to enable ARP reply.
Add To Groups Optionally, select groups to add the virtual IP to from the list.
Advanced Options Configure advanced options, see Advanced options below.
For more information on advanced options, see the FortiOS CLI Reference.
Per-Device Mapping Enable or disable per-device mapping.
If multiple imported VIP objects have the same name but different details, the
object type will become Dynamic Virtual IP, and the per-device mappings will
be listed here.
Mappings can also be manually added, edited, and deleted as needed.
To import VIPs from the Virtual IP object table:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Policy Packages.
3. In the tree menu for the policy package, click Central DNAT.
4. Click Import in the toolbar. The Import dialog box will open.
5. Select the VIP object or objects that need to be imported. If necessary, use the search box to locate specific
objects.
6. Click OK to import the VIPs to the Central DNAT table.
Advanced options
dns-mapping-ttl: Enter the time-to-live for DNS responses, from 0 to 604800. 0 means use the DNS server's response time (default = 0).
extaddr: Select an address (default = None).
gratuitous-arp-interval: Set the time interval between sending of gratuitous ARP packets by a virtual IP. 0 disables this feature (default = 0).
http-cookie-age: Set how long the browser caches cookies, from 0 to 525600 seconds (default = 60).
http-cookie-domain: Enter the domain name to restrict the cookie to (default = none).
http-cookie-domain-from-host: If enabled, when the unit adds a SetCookie to the HTTP(S) response, the Domain attribute in the SetCookie is set to the value of the Host: header, if there is one (default = disable).
http-cookie-generation: The exact value of the generation is not important, only that it is different from any generation that has already been used (default = 0).
http-cookie-path: Limit the cookies to a particular path (default = none).
http-cookie-share: Configure HTTP cookie persistence to control the sharing of cookies across more than one virtual server (default = same-ip). The default setting means that any cookie generated by one virtual server can be used by another virtual server in the same virtual domain. Disable to make sure that a cookie generated for a virtual server cannot be used by other virtual servers.
http-ip-header-name: Enter a name for the custom HTTP header that the original client IP address is added to (default = none).
https-cookie-secure: Enable or disable using secure cookies for HTTPS sessions (default = disable).
id: Custom defined ID (default = 0).
max-embryonic-connections: The maximum number of partially established SSL or HTTP connections, from 0 to 100000 (default = 1000).
nat-source-vip: Enable to prevent unintended servers from using a virtual IP. Disable to use the actual IP address of the server (or the destination interface if using NAT) as the source address of connections from the server that pass through the device (default = disable).
outlook-web-access: If enabled, the Front-End-Https: on header is inserted into the HTTP headers, and added to all HTTP requests (default = disable).
ssl-algorithm: Set the permitted encryption algorithms for SSL sessions according to encryption strength (default = high):
- high: permit only high encryption algorithms: AES or 3DES.
- medium: permit high or medium (RC4) algorithms.
- low: permit high, medium, or low (DES) algorithms.
- custom: only allow some preselected cipher suites to be used.
ssl-client-fallback: Enable to prevent downgrade attacks on client connections (default = enable).
ssl-client-renegotiation: Select the SSL secure renegotiation policy (default = allow):
- allow: allow, but do not require secure renegotiation.
- deny: do not allow renegotiation.
- secure: require secure renegotiation.
ssl-client-session-state-max: The maximum number of SSL session states to keep for the segment of the SSL connection between the client and the unit, from 0 to 100000 (default = 1000).
ssl-client-session-state-timeout: The number of minutes to keep the SSL session states for the segment of the SSL connection between the client and the unit, from 1 to 14400 (default = 30).
ssl-client-session-state-type: The method to use to expire SSL sessions for the segment of the SSL connection between the client and the FortiGate (default = both):
- both: expire SSL session states when either ssl-client-session-state-max or ssl-client-session-state-timeout is exceeded, regardless of which occurs first.
- count: expire SSL session states when ssl-client-session-state-max is exceeded.
- disable: expire all SSL session states.
- time: expire SSL session states when ssl-client-session-state-timeout is exceeded.
ssl-dh-bits: The number of bits used in the Diffie-Hellman exchange for RSA encryption of the SSL connection: 768, 1024, 1536, 2048, 3072, or 4096 (default = 2048).
ssl-hpkp: Enable or disable including the HPKP header in the response (default = disable).
ssl-hpkp-age: The number of seconds that the client should honor the HPKP setting (60 - 157680000; default = 5184000).
ssl-hpkp-backup: Certificate to generate the backup HPKP pin from (size = 35, datasource(s) = vpn.certificate.local.name, vpn.certificate.ca.name; default = None).
ssl-hpkp-include-subdomains: Enable or disable indicating that the HPKP header applies to all subdomains (default = disable).
ssl-hpkp-primary: Certificate to generate the primary HPKP pin from (size = 35, datasource(s) = vpn.certificate.local.name, vpn.certificate.ca.name; default = None).
ssl-hpkp-report-uri: URL to report HPKP violations to (size = 255).
ssl-hsts: Enable or disable including the HSTS header in the response (default = disable).
ssl-hsts-age: The number of seconds that the client should honor the HSTS setting (60 - 157680000; default = 5184000).
ssl-hsts-include-subdomains: Enable or disable indicating that the HSTS header applies to all subdomains (default = disable).
ssl-http-location-conversion: Enable to replace http with https in the reply's Location HTTP header field (default = disable).
ssl-http-match-host: Enable to apply Location conversion to the reply's HTTP header only if the host name portion of Location matches the request's Host field or, if the Host field does not exist, the host name portion of the request's URI (default = disable).
ssl-max-version: The highest version of SSL/TLS to allow in SSL sessions: ssl-3.0, tls-1.0, tls-1.1, or tls-1.2 (default = tls-1.2).
ssl-min-version: The lowest version of SSL/TLS to allow in SSL sessions: ssl-3.0, tls-1.0, tls-1.1, or tls-1.2 (default = tls-1.0).
ssl-pfs: Select the handling of Perfect Forward Secrecy (PFS) by controlling the cipher suites that can be selected (default = allow):
- allow: allow use of any cipher suite, so PFS may or may not be used depending on the cipher suite selected.
- deny: allow only non-Diffie-Hellman cipher suites, so PFS is not applied.
- require: allow only Diffie-Hellman cipher suites, so PFS is applied.
ssl-send-empty-frags: Enable to precede the record with empty fragments to thwart attacks on the CBC IV (default = enable). Disable this option if SSL acceleration will be used with an old or buggy SSL implementation which cannot properly handle empty fragments.
ssl-server-algorithm: Set the permitted encryption algorithms for SSL server sessions according to encryption strength (default = client):
- high: permit only high encryption algorithms: AES or 3DES.
- medium: permit high or medium (RC4) algorithms.
- low: permit high, medium, or low (DES) algorithms.
- custom: only allow some preselected cipher suites to be used.
ssl-server-max-version: The highest version of SSL/TLS to allow in SSL server sessions: client, ssl-3.0, tls-1.0, tls-1.1, or tls-1.2 (default = client).
ssl-server-min-version: The lowest version of SSL/TLS to allow in SSL server sessions: client, ssl-3.0, tls-1.0, tls-1.1, or tls-1.2 (default = client).
ssl-server-session-state-max: The maximum number of SSL session states to keep for the segment of the SSL connection between the client and the unit, from 0 to 100000 (default = 100).
ssl-server-session-state-timeout: The number of minutes to keep the SSL session states for the segment of the SSL connection between the client and the unit, from 1 to 14400 (default = 60).
ssl-server-session-state-type: The method to use to expire SSL sessions for the segment of the SSL connection between the server and the FortiGate (default = both):
- both: expire SSL session states when either ssl-client-session-state-max or ssl-client-session-state-timeout is exceeded, regardless of which occurs first.
- count: expire SSL session states when ssl-client-session-state-max is exceeded.
- disable: expire all SSL session states.
- time: expire SSL session states when ssl-client-session-state-timeout is exceeded.
weblogic-server: Enable or disable adding an HTTP header to indicate SSL offloading for a WebLogic server (default = disable).
websphere-server: Enable or disable adding an HTTP header to indicate SSL offloading for a WebSphere server (default = disable).
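Several of the defaults above (ssl-min-version tls-1.0 with ssl-3.0 still selectable, ssl-dh-bits allowing 768, ssl-pfs allow, HSTS and secure cookies off) are weaker than what an HTTPS virtual server should run with. The fragment below is an added example, not from this guide, that sets the hardened values using only the advanced options listed above; the VIP name, interface, addresses and certificate name are constructed, and type server-load-balance, server-type, ssl-certificate and the realservers sub-table are assumed FortiOS VIP keys (check them against the FortiOS CLI Reference). The # lines are explanatory comments to strip before running the fragment as a script.

```text
# Added example (not from the guide). "web-vip", "port1", 203.0.113.10, 10.0.0.10 and
# "web-cert" are constructed placeholders; the ssl-* keys are the advanced options
# documented above, the remaining keys are assumed FortiOS VIP syntax.
config firewall vip
    edit "web-vip"
        set type server-load-balance
        set server-type https
        set extintf "port1"
        set extip 203.0.113.10
        set extport 443
        set ssl-certificate "web-cert"
        config realservers
            edit 1
                set ip 10.0.0.10
                set port 443
            next
        end
        # Protocol floor: the default ssl-min-version is tls-1.0; raise it to tls-1.2,
        # the highest version this guide lists, so ssl-3.0/tls-1.0/tls-1.1 are refused.
        set ssl-min-version tls-1.2
        set ssl-max-version tls-1.2
        # Cipher strength: "medium" admits RC4 and "low" admits DES; keep "high"
        # (or "custom" if 3DES must also be excluded).
        set ssl-algorithm high
        # Key exchange: ssl-dh-bits accepts 768 and 1024; stay at 2048 or above and
        # require Diffie-Hellman suites so every session has forward secrecy.
        set ssl-dh-bits 2048
        set ssl-pfs require
        # Renegotiation and downgrade: require secure renegotiation and keep the
        # downgrade-attack protection at its default of enable.
        set ssl-client-renegotiation secure
        set ssl-client-fallback enable
        # Keep the CBC IV mitigation unless a known-buggy backend cannot handle it.
        set ssl-send-empty-frags enable
        # Browser-side hardening: HSTS for 5184000 s (60 days) including subdomains,
        # Secure flag on persistence cookies, and http -> https Location rewriting
        # restricted to replies whose Location host matches the request.
        set ssl-hsts enable
        set ssl-hsts-age 5184000
        set ssl-hsts-include-subdomains enable
        set https-cookie-secure enable
        set ssl-http-location-conversion enable
        set ssl-http-match-host enable
    next
end
```

With ssl-server-min-version left at client, the FortiGate-to-server leg inherits the tls-1.2 floor; set it explicitly if the real servers are configured differently.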
DoS policies
The IPv4 DoS Policy and IPv6 DoS Policy panes allow you to create, edit, delete, and clone DoS policies.
On the Policy & Objects pane, from the Tools menu, select Display Options, and then select
the IPv4 DoS Policy and IPv6 DoS Policy checkboxes to display these options.
To create a DoS policy:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Policy Packages.
3. In the tree menu for the policy package, click IPv4 DoS Policy or IPv6 DoS Policy.
4. Click Create New, or, from the Create New menu, select Insert Above or Insert Below. By default, policies will be
added to the bottom of the list. The Create New Policy pane opens.
5. Configure the following settings, then click OK to create the policy:
Incoming Interface Select the incoming interface from the Object Selector frame, or drag and
drop the address from the object pane.
Source Address Select the source address.
Destination Address Select the destination address.
Service Select the service.
L3 Anomalies and L4 Anomalies For each of the anomalies listed below, select to enable the DoS status and
logging, select the action to pass, block, or proxy, and configure the threshold.
The default thresholds are:
L3 Anomalies
- ip_src_session: 5000
- ip_dst_session: 5000
L4 Anomalies
- tcp_syn_flood: 2000
- tcp_port_scan: 1000
- tcp_src_session: 5000
- tcp_dst_session: 5000
- udp_flood: 2000
- udp_scan: 2000
- udp_src_session: 5000
- udp_dst_session: 5000
- icmp_flood: 250
- icmp_sweep: 100
- icmp_src_session: 300
- icmp_dst_session: 1000
- sctp_flood: 2000
- sctp_scan: 1000
- sctp_src_session: 5000
- sctp_dst_session: 5000
Advanced Options Optionally, add a description of the policy, such as its purpose, or the changes
that have been made to it.
Interface policies
The IPv4 Interface Policy and IPv6 Interface Policy panes allow you to create, edit, delete, and clone interface
policies.
On the Policy & Objects pane, from the Tools menu, select Display Options, and then select
the IPv4 Interface Policy and IPv6 Interface Policy check boxes to display these options.
To create a new interface policy:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Policy Packages.
3. In the tree menu for the policy package, click IPv4 Interface Policy or IPv6 Interface Policy.
4. Click Create New, or, from the Create New menu, select Insert Above or Insert Below. By default, policies will be
added to the bottom of the list. The Create New Policy pane opens.
5. Configure the following settings, then click OK to create the policy:
Source
Interface Select the source zone from the Object Selector frame, or drag and drop the
address from the object pane.
Address Select the source address.
Destination
Address Select the destination address.
Service Select the service.
Log Traffic Select the traffic to log: No Log, Log Security Events, or Log All Sessions.
AntiVirus Profile Select to enable antivirus and select the profile from the dropdown list.
Web Filter Profile Select to enable Web Filter and select the profile from the dropdown list.
Application Control Select to enable Application Control and select the profile from the dropdown
list.
IPS Profile Select to enable IPS and select the profile from the dropdown list.
Email Filter Profile Select to enable Email Filter and select the profile from the dropdown list.
DLP Sensor Select to enable DLP Sensor and select the profile from the dropdown list.
Advanced Options
comments Add comments about the policy.
dsri Enable or disable DSRI (default = disable).
scan-botnet-connections Enable or disable scanning of connections to Botnet servers (default = disable).
Multicast policy
Multicasting consists of using a single source to send data to many receivers simultaneously, while conserving
bandwidth and reducing network traffic. For information about multicasting, see the FortiOS Handbook available in the
Fortinet Document Library.
On the Policy & Objects pane, from the Tools menu, select Display Options, and then select
the Multicast Policy checkbox to display this option.
To create a new multicast policy:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Policy Packages.
3. In the tree menu for the policy package, click Multicast Policy.
4. Click Create New, or, from the Create New menu, select Insert Above or Insert Below. By default, policies will be
added to the bottom of the list. The Create New Policy pane opens.
5. Configure the following settings, then click OK to create the policy:
Incoming Interface Click in the field and select incoming interfaces from the multicast interface
list on the Object Selector frame, or drag and drop the interface from the
object pane.
If no multicast interfaces are configured, click the Create New Object button
to open the Create New Dynamic Multicast Interface window, and then
create a new multicast interface.
Outgoing Interface Click in the field and select outgoing interfaces from the multicast interface
list.
If no multicast interfaces are configured, one must be created.
Source Address Click the field and select the source firewall addresses.
Source NAT Enable source NAT.
Source NAT Address Enter the source NAT IP address.
Destination Interface Click the field and select the destination firewall addresses.
Destination NAT Enter the destination NAT IP address.
Protocol Option Select a protocol option from the dropdown list: ANY, ICMP, IGMP, TCP,
UDP, OSPF, or Others.
Port Range Set the port range. This option is only available when Protocol Option is TCP
or UDP.
Protocol Number Enter the protocol number, from 1 to 256. This option is only available when
Protocol Option is Others.
Log Traffic Select to log traffic.
Advanced Options Enable or disable auto-asic-offload (default = enable).
Local in policies
This section describes how to create new IPv4 and IPv6 Local In policies.
On the Policy & Objects pane, from the Tools menu, select Display Options, and then select
the IPv4 Local In Policy and IPv6 Local In Policy checkboxes to display these options.
To create a new Local In policy:
1. Ensure that you are in the correct ADOM.
2. Go to Policy & Objects > Policy Packages.
3. In the tree menu for the policy package in which you will be creating the new policy, select IPv4 Local In Policy or
IPv6 Local In Policy.
4. Click Create New, or, from the Create New menu, select Insert Above or Insert Below. By default, policies will be
added to the bottom of the list. The Create New Policy pane opens.
5. Enter the following information, then click OK to create the policy:
Interface Click the field then select an interface from the object selector frame, or drag
and drop the interface from the object pane.
Source Address Select source addresses.
Destination Address Select destination addresses, address groups, virtual IPs, and virtual IP
groups.
Service Select services and service groups.
Schedule Select schedules, one time or recurring, and schedule groups.
Action Select an action for the policy to take: ACCEPT or DENY.
HA Management Interface Only Select to enable. This option is only available for IPv4 policies.
Traffic shaping policy
This section describes how to create new traffic shaping policies.
On the Policy & Objects pane, from the Tools menu, select Display Options, and then select
the Traffic Shaping Policy checkbox to display this option.
To create a traffic shaping policy:
1. Ensure that you are in the correct ADOM.
2. Go to Policy & Objects > Policy Packages.
3. In the tree menu for the policy package in which you will be creating the new policy, select Traffic Shaping Policy.
If you are in the Global Database ADOM, select Traffic Shaping Header Policy or Traffic Shaping Footer Policy.
4. Click Create New, or, from the Create New menu, select Insert Above or Insert Below. By default, policies will be
added to the bottom of the list. The Create New Policy pane opens.
5. Enter the following information, then click OK to create the policy:
IP Version Select the IP address version: IPv4 or IPv6.
Matching Criteria
Source Internet Service Turn source internet service on or off, then select services.
Source Address Select source addresses from the Object Selector frame, or drag and drop
them from the object pane.
This option is only available when Source Internet Service is off.
Destination Internet Service Turn destination internet service on or off, then select services.
Destination Address Select destination addresses, address groups, virtual IPs, and virtual IP
groups.
This option is only available when Destination Internet Service is off.
Service Select services and service groups.
This option is only available when Destination Internet Service is off.
Application Category Select application categories.
Application Select applications.
URL Category Select URL categories.
Users Select users.
User Groups Select user groups.
Apply Shaper
Outgoing Interface Select outgoing interfaces.
Traffic Shaping Select traffic shapers.
Reverse Traffic Shaping Select traffic shapers.
Per-IP Traffic Shaping Select per-IP traffic shapers.
Advanced Options
class-id Set the class ID (2 - 31, default = 0).
schedule Set the schedule (default = None).
Managing objects and dynamic objects
All objects within an ADOM are managed by a single database unique to that ADOM. Objects inside that database can
include items such as addresses, services, intrusion protection definitions, antivirus signatures, web filtering profiles,
etc.
Many objects now include the option to enable dynamic mapping. You can create new dynamic maps. When this
feature is enabled, a table is displayed which lists the dynamic mapping information. You can also choose to add the
object to groups, when available, and add tags.
When making changes to an object within the object database, changes are reflected immediately within the policy
table in the GUI; no copying to the database is required. If partial install is enabled, the edited object can be pushed to
all the devices that currently use it.
Dynamic objects are used to map a single logical object to a unique definition per device. Addresses, interfaces, virtual
IPs, and an IP pool can all be addressed dynamically.
Not all policy and object options are enabled by default. See Display options on page 154.
Objects and dynamic objects are managed in the Policy & Objects > Object Configurations pane (on the bottom half of
the screen when dual pane is enabled). The available objects vary, depending on the specific ADOM selected.
Objects are used to define policies, and policies are assembled into policy packages that you can install on devices.
Policy packages are managed in the Policy & Objects > Policy Packages pane (on the top half of the screen when dual
pane is enabled). When you view a policy in a policy package, you edit the policy by dragging objects from other
columns, policies, or the object selector frame and dropping the objects in cells in the policy. For more information see
Drag and drop objects on page 171.
On the Policy & Objects > Object Configuration pane, you can see whether an object is used
in the Used column, and you can right-click on an object to find out where the object is used
(Where Used) or to add the object to a group (Grouping).
FortiManager objects are defined either per ADOM or at a global level.
Create a new object
Objects can be created as global objects, or for specific ADOMs.
To create a new object:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Object Configurations.
3. Select the object type that you will be creating. For example, view the firewall addresses by going to Firewall
Objects > Address.
The firewall address list is displayed in the content pane. The available address or address group lists are
selectable on the content pane toolbar.
4. From the Create New menu, select the type of address. In this example, Address was selected. The Create New
Address pane opens.
In 5.2.0 or later, you can select to add the object to groups and enable dynamic mapping.
These options are not available for all objects.
5. Enter the required information, then click OK to create the new object.
If you create Security Profiles that include Application Signature or Custom IPS Signature with
the same ID for multiple VDOMs, FortiManager will automatically change the ID. For
example, multiple VDOMs in a FortiGate device having the same Custom IPS Signature will
have different IDs assigned by FortiManager while installing the policy. The Custom IPS
Signature name will remain the same, but the ID will be different for each VDOM.
The automatic change of ID affects the attack_id in Custom IPS Signature and attack_
id or vuln_id in Application Signature. The change in ID may occur even when importing
a policy from FortiGate device and re-installing the policy.
You can view the modified ID in the Install Wizard by clicking Install Preview. Alternatively,
you can also go to Device Manager > [FortiGate_Name] > CLI-Only Objects > ips or Device
Manager > [FortiGate_Name] > CLI-Only Objects > application to view the modified ID for
the particular VDOM.
Color code an object
Objects can be color coded for easy identification.
For objects other than the Dynamic Interface and Zone, the color coding option is available in
Advanced Options.
To color code an object:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Object Configurations.
3. Select the object type that you will be creating. For example, view the interface by going to Zone/Interface >
Interface.
The interface list is displayed in the content pane. The available interfaces are selectable on the content pane
toolbar.
4. From the Create New menu, select the type of interface. In this example, Zonewas selected. The Create New
Zone pane opens.
5. Select or specify the values for the following fields:
- Name: specify a name for the object.
- Description: enter a brief description.
- Color: select a color for this object from the drop-down.
- Default Mapping: select the check box to configure the default mapping for this object. See Map a dynamic object on page 202.
- Per-Device Mapping: switch the slider to ON to map this interface to a FortiGate device. See Interface mapping on page 210.
6. Click OK.
If a color code is not selected while creating an object, black is assigned as the default color.
The color coding for Dynamic Interface and Zone cannot be installed to the FortiGate devices
and can only be viewed in FortiManager. The color coding for other objects can be installed to
FortiGate devices.
Map a dynamic object
The devices and VDOMs to which a global object is mapped can also be viewed from the object list. In 5.2 or later, you
can add an object to groups and enable dynamic mapping. These options are not available for all objects.
When the Dynamic Mapping option is available, select Create New to configure the dynamic mapping.
To configure a dynamic mapping via a CLI script, the configuration for the mapping must be defined in the dynamic
object under the config dynamic_mapping sub-tree. The CLI script must be run on a policy package instead of the device database. For information on running CLI scripts, see Scripts on page 94.
Default mapping is only used when there is no per-device mapping for a particular device. You
must have either a per-device mapping or a default mapping in a policy package. Otherwise,
the policy package installation will fail.
When you import a policy package, a per-device mapping is usually added when the object is
already used by a FortiGate.
Examples:
Example 1: Dynamic VIP
config firewall vip
edit "vip1"
…
config dynamic_mapping
edit "FW60CA3911000089"-"root"
set extintf "any"
set extip 172.18.26.100
set mappedip 192.168.3.100
set arp-reply disable
next
end
end
Example 2: Dynamic Address
config firewall address
edit "address1"
…
config dynamic_mapping
edit "FW60CA3911000089"-"root"
set subnet 192.168.4.0 255.255.255.0
next
end
end
Example 3: Dynamic Interface
config dynamic interface
…
config dynamic_mapping
edit "FW60CA3911000089"-"root"
set local-intf internal
set intrazone-deny disable
next
end
end
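The following Python example is added here and is not Fortinet's code. It models the rule in the note above: for every installation target of a policy package, a dynamic object needs either a per-device mapping or a default mapping, otherwise the installation fails. It also emits the config dynamic_mapping script text in the syntax of the examples above, so the per-device mappings can be applied with a CLI script run against the policy package. The device serial numbers, VDOM names and subnets are constructed.

```python
from typing import Dict, List, Optional, Tuple

Target = Tuple[str, str]   # (device serial number, VDOM)
Subnet = Tuple[str, str]   # (network, mask)


class DynamicAddress:
    """A FortiManager firewall address object with dynamic mapping.

    per_device holds the per-device mappings keyed by (serial, vdom); default
    is the default mapping used for any target without a per-device entry, or
    None when no default mapping is configured.
    """

    def __init__(self, name: str, default: Optional[Subnet] = None):
        self.name = name
        self.default = default
        self.per_device: Dict[Target, Subnet] = {}

    def resolve(self, target: Target) -> Optional[Subnet]:
        """Value the target receives at install time: its per-device mapping
        if one exists, otherwise the default mapping. None means the policy
        package installation fails for this target."""
        return self.per_device.get(target, self.default)


def uncovered_targets(obj: DynamicAddress, targets: List[Target]) -> List[Target]:
    """Installation targets for which a package that uses obj would fail to install."""
    return [t for t in targets if obj.resolve(t) is None]


def mapping_script(obj: DynamicAddress) -> str:
    """CLI script text for obj's per-device mappings, in the config
    dynamic_mapping syntax shown in the examples above. Run it against the
    policy package, not the device database. The object's own regular FOS
    lines (the ... in the examples) are not generated here."""
    lines = ["config firewall address", f'    edit "{obj.name}"', "        config dynamic_mapping"]
    for (serial, vdom), (network, mask) in sorted(obj.per_device.items()):
        lines += [
            f'            edit "{serial}"-"{vdom}"',
            f"                set subnet {network} {mask}",
            "            next",
        ]
    lines += ["        end", "    next", "end"]
    return "\n".join(lines) + "\n"


# Constructed sample: the installation targets of a policy package (two
# FortiGates, one of them with a second VDOM) and one address object whose
# per-device mappings cover only two of the three targets.
TARGETS: List[Target] = [
    ("FGVM01TM00000001", "root"),
    ("FGVM01TM00000002", "root"),
    ("FGVM01TM00000002", "dmz"),
]


def build_address_example() -> DynamicAddress:
    addr = DynamicAddress("lan_servers")
    addr.per_device[("FGVM01TM00000001", "root")] = ("192.168.4.0", "255.255.255.0")
    addr.per_device[("FGVM01TM00000002", "root")] = ("10.20.4.0", "255.255.255.0")
    return addr


if __name__ == "__main__":
    addr = build_address_example()
    print("install would fail for:", uncovered_targets(addr, TARGETS) or "none")
    print(mapping_script(addr))
```

Adding a default mapping clears the failure for the uncovered target, but the default lands on every target without an explicit mapping, so a broad default subnet silently widens the address on those devices. Where the value differs per site, add per-device mappings and keep the default narrow or absent.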
Map a dynamic device group
When you create and edit a device group, you can choose whether to use the FortiManager ADOM or the FortiGate
device to manage members for the device group.
To create a dynamic device group:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Object Configurations > User & Device > Customer Devices & Groups.
3. From the Create New menu, select Device Group.
4. Complete the following options, then click OK.
Group Name: Type a name for the device group.
Managed on ADOM: Specify whether the FortiManager ADOM or the FortiGate device manages members for the device group. When you select the Managed on ADOM checkbox, the FortiManager ADOM manages members for the object, and you must specify members for the object. When you clear the Managed on ADOM checkbox, the FortiGate device manages members for the object, and you must specify members by using FortiGate, not FortiManager.
Members: Select members for the device group.
Comments: (Optional) Type a comment.
Per-Device Mapping: Select to enable dynamic mapping for a device.
Remove an object
To remove an object:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Object Configurations.
3. In the tree menu, select an object type. The content pane displays the objects for the object type.
4. Select the object, and click Delete.
Edit an object
After editing an object in the object database, the changes are immediately reflected within the policy table in the GUI;
no copying to the database is required. If partial install is enabled, the edited object can be manually pushed to all
devices currently using that object, see Push to device on page 205.
To edit an object:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Object Configurations.
3. In the tree menu, select an object type. The content pane displays the objects for the object type.
4. Select an object, then click Edit.
5. Edit the information as required, and click OK.
Objects can also be edited directly from the policy list and Object Selector frame by right-clicking on the object and selecting Edit.
Push to device
An object can be manually pushed to all devices that are currently using that object. Partial install must be enabled in
the CLI for this option to be available.
To enable partial install:
In the CLI Console widget, or any terminal emulation software, enter the following commands:
config system global
set partial-install enable
end
To push an object or objects to devices:
1. In the Object Configurations pane, locate the objects to push.
2. Select the objects, then click More > Push To Device in the toolbar, or right-click on the objects and select Push To Device.
The Push To Device dialog box opens, and the selected object or objects are pushed to all of the devices that
currently use them.
After an object is pushed to a device, policy packages will be flagged as modified until the
next time the packages are installed.
Global database objects cannot be pushed to devices.
Clone an object
If a new object that you are creating is similar to a previously created object, the new object can be created by cloning
the previous object.
To clone an object:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Object Configurations.
3. In the tree menu, select an object type. The content pane displays the objects for the object type.
4. Right-click an object, and select Clone. The Clone pane is displayed.
5. Adjust the information as required, and click OK to create the new object.
Search objects
The search objects tool allows you to search objects based on keywords.
To dynamically search objects:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Object Configurations.
3. In the tree menu, select an object type. The content pane displays the objects for the object type.
4. In the search box on the toolbar of the lower-right content frame, type a search keyword. The results of the search are updated as you type and displayed in the object list.
Find unused objects
To find unused objects:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects.
3. From the Tools menu, select Unused Objects. The Unused Objects dialog box is displayed.
4. When you are done, click Close.
The Used column on the Object Configurations pane will also show you if an object is used or not.
Find and merge duplicate objects
Duplicate objects have the same definition, but different names. You can find duplicate objects and review them. You
then have the option to merge duplicate objects into one object.
To find duplicate objects:
1. Go to Policy & Objects.
2. From the Tools menu, select Find Duplicate Objects. The Duplicate Objects dialog box is displayed.
3. Review the groups of duplicate objects.
4. Click Merge to merge a group of duplicate objects into one object.
5. When you are done, click Close.
Export signatures to CSV file format
You can export Intrusion Prevention (IPS) signatures and Application Control signatures to a CSV file.
To export signatures to CSV format:
1. If using ADOMs, ensure that you are in the correct ADOM.
2. Go to Policy & Objects > Object Configurations.
3. In the tree menu, select Application Control or Intrusion Prevention.
4. Click Create New to create a new object, or double-click an existing object to open it for editing.
5. Click Add Signatures.
The Add Signatures dialog box is displayed.
6. Click Export to CSV.
The Export to CSV dialog box is displayed.
7. (Optional) Change the file name.
8. Select whether to export all columns or only customized columns.
9. Click Download.
CLI-Only objects
FortiManager 5.2.0 or later adds the ability to configure objects that are available only via the FortiOS command line
interface, as well as settings that are not available in the FortiManager GUI.
FortiToken configuration example
To configure FortiToken objects for FortiToken management:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Object Configurations.
3. Go to User & Device > FortiTokens.
4. Click Create New.
5. Type the serial number or serial numbers of the FortiToken unit or units and click OK. Up to ten serial numbers can be entered.
6. Go to User & Device > User Definition to create a new user.
7. When creating the new user, select FortiToken, and then select the FortiToken from the dropdown menu.
8. Go to User & Device > User Groups, create a new user group, and add the previously created user to this group.
9. Install a policy package to the FortiGate, as described in Install a policy package on page 158.
10. On the FortiGate, select User > FortiToken. Select one of the newly created FortiTokens, then select OK to
activate the FortiToken unit.
FSSO user groups
FSSO user groups can be retrieved directly from FSSO, from an LDAP server, via a remote FortiGate device, or by polling the Active Directory server. Groups can also be entered manually.
When user groups are retrieved from an LDAP server, the information is cached on FortiManager for 24 hours by
default. After the time expires, the information is deleted from the cache. You can change the default setting by using
the config system global command with the ldap-cache-timeout variable. For more information, see the
FortiManager CLI Reference.
To get groups from FSSO:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Object Configurations, and select User & Device > Single Sign-On.
3. Click Create New > Fortinet Single Sign-On Agent from the dropdown list.
4. Enter a unique name for the agent in the Name field.
5. Enter the IP address or name, password, and port number of the FSSO servers in the FSSO Agent field. Add and remove servers as needed by clicking the Add and Remove icons at the end of the rows.
6. Select From FSSO Agents in the Select FSSO Groups field.
7. Click Apply & Refresh. The Retrieve FSSO User Groups dialog box will open.
8. Click Next. The groups are retrieved from the FSSO.
9. Click OK. The groups can now be used in user groups, which can then be used in policies.
To get groups from an LDAP server:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Object Configurations, and select User & Device > Single Sign-On.
3. Click Create New > Fortinet Single Sign-On Agent from the dropdown list.
4. Enter a unique name for the agent in the Name field.
5. Select an LDAP server from the dropdown list. LDAP Servers can be added and configured from User & Device >
LDAP Servers.
6. Select groups from the Groups tab, then select Add Selected to add the groups.
You can also select Manually Specify in the Select LDAP Groups field, and then manually enter the group names.
7. Select OK.
To get groups via a remote FortiGate:
The FortiGate device configuration must be synchronized or retrieving the FSSO user groups
will fail. See Checking device configuration status on page 79.
1. Go to Policy & Objects > Object Configurations, and select User & Device > Single Sign-On.
2. Click Create New > Fortinet Single Sign-On Agent from the dropdown list. The Create New Fortinet Single Sign-On Agent window opens.
3. Enter a unique name for the agent in the Name field.
4. Enter the IP address or name, password, and port number of the FSSO servers in the FSSO Agent field. Add and
remove servers as needed by clicking the Add and Remove icons at the end of the rows.
5. Select Via FortiGate in the Select FSSO Groups field.
6. Click Apply & Refresh. The Retrieve FSSO User Groups wizard will open.
7. Click Next to proceed with the wizard.
8. Select the device that the FSSO groups will be imported from. This device must be registered to the FortiManager,
its configuration must be synchronized, and it must be able to communicate with the FSSO server.
9. Click Next. The FSSO agent is installed on the FortiGate, the FortiGate retrieves the groups, and then the groups are imported to the FortiManager.
10. After the groups have been imported, click Finish. The imported groups will be listed in the User Groups field.
11. Click OK. The groups can now be used in user groups, which can then be used in policies.
You must rerun the wizard to update the group list. It is not automatically updated.
To get groups from AD:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Object Configurations, and select User & Device > Single Sign-On.
3. Click Create New > Poll Active Directory Server from the dropdown list.
4. Configure the server name, local user, password, and polling.
5. Select an LDAP server from the dropdown list. LDAP Servers can be added and configured from User & Device >
LDAP Servers.
6. Select groups from the Groups tab, then select Add Selected to add the groups.
You can also select Manually Specify in the Select LDAP Groups field, and then manually enter the group names.
7. Select OK.
Interface mapping
After creating an interface on the FortiManager, an interface mapping must be created so that the new interface can be
used when creating policies. To do this, create a new dynamic interface with per-device mapping.
To create a new dynamic interface with per-device mapping:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Object Configurations.
3. Go to Zone/Interface > Interface and click Create New > Dynamic interface.
4. Enter a name and description for the dynamic interface.
5. Turn on Per-Device Mapping.
6. Click Add. The Per-Device Mapping dialog box opens.
7. Select the device or VDOM in the Mapped Device field, select the interface in the Device Interface field, then click OK.
8. Click OK to create the new dynamic interface object.
The mapped interface can now be used when creating policies.
VIP mapping
Normally, Virtual IP (VIP) objects map to a single interface, or ANY, just as with FortiOS. In the special case where the
interface that the VIP is bound to belongs to a zone, FortiManager handles importing and installing the object in a
unique way.
When importing a policy package, the VIP is bound to the zone instead of the interface. If per-device mapping is
enabled for the VIP, FortiManager automatically adds dynamic mapping for that device that maps the VIP to the
specific interface. To use the VIP on another FortiGate, you can add an interface mapping entry for the other FortiGate.
The zone acts as a filter, limiting the interfaces that can be selected. That is, you can only select an external interface that is a member of the selected zone.
FortiManager binds the VIP to a zone because it needs to know which policies the VIP could be applied to. FortiGate
devices use different logic because they already know the zone membership.
In FortiOS, VIPs can only be bound to an interface, and not a zone. Consequently, if there is no matching per-device mapping, FortiManager will convert the binding to ANY when installing configuration changes to FortiGate. Depending on the circumstance, this can be avoided by:
- Leaving per-device mapping enabled on the VIP at the ADOM, and letting FortiManager add the required per-device mappings.
- If you are configuring FortiManager to start using the VIP on other FortiGates, adding the per-device mappings manually.
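The following Python example is added here and is not Fortinet's code. It models the behaviour just described: the zone the VIP is bound to filters the interfaces a per-device mapping may select, and a target without a per-device mapping receives extintf any at install time, which the preview reports as a warning. The device, zone and interface names are constructed.

```python
from typing import Dict, List, Tuple

# Constructed zone membership per managed FortiGate: device -> {zone: [interfaces]}.
ZONE_MEMBERS: Dict[str, Dict[str, List[str]]] = {
    "FGT-A": {"wan_zone": ["wan1", "wan2"], "lan_zone": ["internal"]},
    "FGT-B": {"wan_zone": ["port1"], "lan_zone": ["port2"]},
}


class VipMappingError(ValueError):
    """Raised when a per-device mapping selects an interface outside the VIP's zone."""


def add_vip_mapping(vip: dict, device: str, interface: str,
                    zones: Dict[str, Dict[str, List[str]]] = ZONE_MEMBERS) -> None:
    """Add a per-device mapping for vip on device. The zone the VIP is bound
    to acts as a filter: only an interface that is a member of that zone on
    the device may be selected as the external interface."""
    members = zones.get(device, {}).get(vip["zone"], [])
    if interface not in members:
        raise VipMappingError(f"{interface} is not a member of {vip['zone']} on {device}")
    vip.setdefault("per_device", {})[device] = interface


def resolve_extintf(vip: dict, device: str) -> Tuple[str, bool]:
    """Return (extintf installed on device, widened). FortiOS cannot take a
    zone binding, so without a per-device mapping the VIP is installed with
    extintf any; widened is True in that case."""
    interface = vip.get("per_device", {}).get(device)
    if interface is None:
        return "any", True
    return interface, False


def install_preview(vip: dict, devices: List[str]) -> Tuple[Dict[str, str], List[str]]:
    """Per-device extintf for vip, plus one warning for every device on which
    the binding falls back to any. Review the warnings before installing."""
    result: Dict[str, str] = {}
    warnings: List[str] = []
    for device in devices:
        interface, widened = resolve_extintf(vip, device)
        result[device] = interface
        if widened:
            warnings.append(f"{vip['name']} on {device}: no per-device mapping, extintf will be any")
    return result, warnings


def build_vip_example() -> dict:
    # Constructed VIP imported from FGT-A: bound to wan_zone, with the
    # per-device mapping FortiManager would add for the interface it had there.
    vip = {"name": "web_vip", "zone": "wan_zone",
           "extip": "203.0.113.10", "mappedip": "192.168.3.100"}
    add_vip_mapping(vip, "FGT-A", "wan1")
    return vip


if __name__ == "__main__":
    vip = build_vip_example()
    preview, warnings = install_preview(vip, ["FGT-A", "FGT-B"])
    print(preview)
    for warning in warnings:
        print("WARNING:", warning)
```

Adding the mapping for FGT-B (port1, the only wan_zone member there) removes the warning; trying to map it to port2 is rejected because port2 is not in the zone.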
Modify existing interface-zone mapping
Interfaces mapped to a zone locally on FortiGate devices are not visible in Device Manager on FortiManager. It is recommended to create objects in FortiManager instead of creating them locally on FortiGate devices. If an interface is already mapped to a zone in FortiGate, it must be unmapped first. A zone must then be created in FortiManager, added to a policy, and installed to FortiGate. For convenience and ease of use, it is better to manage Object Configuration and Interface Mapping from FortiManager.
If an Interface is mapped to a Zone in FortiGate:
1. Log on to the FortiGate device.
2. Delete the Interface/Zone mapping from Interfaces > [Interface_Name] > Delete.
3. Log on to FortiManager.
4. Go to Policy & Objects >Object Configurations.
5. Click Create New > Zone. Configure the settings and create a zone named Zone_One. Enable Per-Device Mapping and select the Mapped Device and Device Interface.
6. Go to Policy & Objects > Policy Packages. Select Create New from the Policy Package drop-down.
7. In the Create New Policy Package dialog, specify the name as New_Policy_Package.
8. Click New_Policy_Package and click Create New. Specify the name as New_IPv4_Policy and include Zone_One in the policy.
9. Click New_IPv4_Policy and click Installation Target. Assign the FortiGate device to this policy.
10. Right-click New_Policy_Package and select Install Wizard. Select Install Policy Package & Device Settings and select New_Policy_Package from the drop-down. Complete the installation as per the Install Wizard.
Zone_One is now available on the FortiGate device and mapped as specified in step 5.
A zone is installed to a FortiGate device only if it is created, mapped to an interface, included
in the Policy Package, assigned to a device, and installed using the Install Wizard.
An interface cannot be reused if it is already mapped to a zone. To reuse an interface, first
unmap it from the zone in Object Configurations, and then reinstall to the FortiGate device.
After a Virtual IP is created, it must be mapped to interfaces. If per-device mapping is used,
the mapping will be visible immediately in Device Manager > [Device_Name] > Interface.
ADOM revisions
ADOM revision history allows you to maintain a revision of the policy packages, objects, and VPN console settings in an
ADOM. Revisions can be automatically deleted based on given variables, and individual revisions can be locked to
prevent them being automatically deleted.
To configure ADOM revisions, go to Policy & Objects, and click ADOM Revisions.
This page displays the following:
ID: The ADOM revision identifier.
Name: The name of the ADOM revision. This field is user-defined when creating the ADOM revision. A green lock icon will be displayed beside the ADOM revision name when you have selected Lock this revision from auto deletion.
Created by: The administrator that created the ADOM revision.
Created Time: The ADOM revision creation date and time.
Comment: Optional comments typed in the Description field when the ADOM revision was created.
The following options are available:
Create New: Select to create a new ADOM revision.
Edit: Right-click on a revision in the table and select Edit in the menu to edit the ADOM revision.
Delete: Right-click on a revision in the table and select Delete in the menu to delete the ADOM revision. When Lock this revision from auto deletion is selected, you are not able to delete the ADOM revision.
Restore: Right-click on a revision in the table and select Restore in the menu to restore the ADOM revision. Restoring a revision will revert policy packages, objects and VPN console to the selected version. Select OK to continue.
More > Lock Revision: Right-click on a revision in the table and select Lock from the More menu to lock this revision from auto deletion.
More > Unlock Revision: Right-click on a revision in the table and select Unlock from the More menu to unlock this revision. When the ADOM revision is in an unlocked state, auto deletion will occur in accordance with your auto deletion settings.
View Revision Diff: Right-click on a revision in the table and select View Revision Diff in the menu. The Summary page will be displayed. This page shows the revision differences between the selected revision and the current database.
Settings: Select to configure the automatic deletion settings for ADOM revisions.
Close: Select to close the ADOM Revision dialog box and return to the Policy & Objects tab.
To create a new ADOM revision:
1. Go to Policy & Objects, and click ADOM Revisions. The ADOM Revision dialog box opens.
2. Click Create New. The Create New Revision dialog box opens.
3. Type a name for the revision in the Name field.
4. Optionally, type a description of the revision in the Description field.
5. To prevent the revision from being automatically deleted, select Lock this revision from auto deletion.
6. Click OK to create the new ADOM revision.
To edit an ADOM revision:
1. Open the ADOM Revisions dialog box.
2. Select a revision, and click Edit. The Edit Revision dialog box opens.
3. Edit the revision details as required, then click OK to apply your changes.
To delete ADOM revisions:
1. Open the ADOM Revisions dialog box.
2. Select a revision, and click Delete.
You can select multiple revisions by selecting the checkbox beside each revision.
3. Click OK in the confirmation dialog box to delete the selected revision or revisions.
To configure automatic deletion:
1. Open the ADOM Revisions dialog box, and click Settings.
2. Select Auto delete revision to enable automatic deletion of revisions.
3. Select one of the two available options for automatic deletion of revisions:
- Keep last x revisions: Only keep the entered number of revisions, deleting the oldest revision when a new revision is created.
- Delete revisions older than x days: Delete all revisions that are older than the entered number of days.
4. Click OK to apply the changes.
To restore a previous ADOM revision:
1. Open the ADOM Revisions window.
2. Select a revision, and click Restore. A confirmation dialog box will appear.
3. Click OK to continue.
The Restore Revision dialog box opens. Restoring a revision will revert policy packages, objects and VPN console to the selected version.
4. Click OK to continue.
To lock or unlock an ADOM revision:
1. Open the ADOM Revisions window.
2. Do one of the following:
- Select a revision, and select Lock or Unlock from the More menu.
- Edit the revision, and select or clear the Lock this revision from auto deletion checkbox in the Edit ADOM Revision dialog box.
To view ADOM revision diff:
1. Open the ADOM Revisions window.
2. Select a revision, and click View Revision Diff. The Revision Diffs Between dialog box opens.
This page displays all Global Policy, Policy Package, and Policy Objects changes between the revision selected and the current database.
3. Select [Details] to view all details on the changes made to policies and objects.
4. You can select to download this information as a CSV file to your management computer.
5. Click Close to return to the ADOM Revisions window.
Fabric View
The Fabric View module enables you to view Security Fabric Ratings of configurations for FortiGate Security Fabric
groups as well as create fabric connectors. The Fabric View tab is available in version 6.0 ADOMs and later.
This section contains the following topics:
- Security Rating on page 215
- SDN on page 217
Security Rating
The Fabric View > Security Rating pane displays Security Fabric Ratings of configurations for FortiGate Security Fabric
groups. You can view the results for multiple FortiGate Security Fabric groups. You must generate the Security Fabric
Ratings by using FortiOS before you can view the information in FortiManager.
The following information is available on the Security Rating pane:
Tree menu: Displays the list of Security Fabric groups. Each group is identified by its root FortiGate unit.
Security Score: The results of the Security Fabric Rating. For information about interpreting the security score, see the FortiOS Handbook—Security Fabric available on the Document Library. For information about each of the checks that are performed, see the Fortinet Recommended Security Best Practices document.
Failed: Click to filter the content pane to display only failed results. The number of failures is displayed in brackets.
All Results: Click to filter the content pane to display all results. The total number of results is displayed in brackets.
All FortiGates: Click to view results for all FortiGate units in the selected Security Fabric group, or click individual FortiGate units to view only their results.
Issues: You can expand and contract the list of issues. For example, click Fabric Security Hardening to expand and contract the rows of information about that issue.
FortiGate: Displays the name of the FortiGate unit. Hover your mouse over the name to display more information about the device.
Result: Displays the result of the Security Fabric Rating for the specific issue.
Recommendation: Displays the recommended action for the issue.
Enabling the Security Rating tab
The Security Rating tab is displayed when FortiManager is managing FortiGate units that have Security Fabric enabled
and are part of a Security Fabric group.
If ADOMs are enabled in FortiManager, the Security Rating tab is only available in FortiGate ADOMs that contain a
Security Fabric group.
Viewing Security Fabric Ratings
You can view Security Fabric Ratings of configurations for all FortiGate units in a Security Fabric Group or for individual
FortiGate units in a Security Fabric group.
You cannot use FortiManager to generate Security Fabric Ratings; you must use FortiOS to
generate Security Fabric Ratings for a FortiGate Security Fabric group, and then you can see
the Security Fabric Ratings in FortiManager. For information about generating and
interpreting Security Fabric Ratings, see the FortiOS Handbook—Security Fabric available
on the Document Library.
For more information about each of the checks that are performed, see the Fortinet
Recommended Security Best Practices document.
To view Security Fabric Ratings:
1. If using ADOMs, ensure that you are in the correct ADOM.
2. Go to Fabric View > Security Rating.
3. In the tree menu, select the Security Fabric group.
The Security Fabric Rating results are displayed in the content pane for the selected Security Fabric group.
You can filter the results. For example, you can view only failed results by clicking the Failed button, and
you can click the All Results button to view all results again.
4. In the content pane, select All FortiGates to view results for all FortiGates in the group, or select individual
FortiGate units to display results for only the selected unit.
Fabric Connectors
You can use FortiManager to create the following types of fabric connectors:
- SDN
- Threat Feeds
- SSO/Identity
SDN
You can use the Fabric Connectors tab to create SDN fabric connectors for the following products:
- Cisco Application Centric Infrastructure (ACI)
- Amazon Web Services (AWS)
- Microsoft Azure
- VMware NSX
- Nuage Virtualized Services Platform
The fabric connectors in FortiManager define the type of connector and include information for FortiGate to
communicate with and authenticate with the products. In some cases FortiGate units must communicate with products
through the Fortinet SDN Connector, and in other cases FortiGate units communicate directly with the products.
FortiGate works with Fortinet SDN Connector to communicate with the following products:
- Cisco Application Centric Infrastructure (ACI)
- Nuage Virtualized Services Platform
For more information about Fortinet SDN Connector, see the Fortinet Document Library.
You cannot import a policy package for Fortinet SDN Connector from FortiGate to
FortiManager.
FortiGate works without Fortinet SDN Connector to communicate directly with the following products:
- Amazon Web Services (AWS)
- Microsoft Azure
- VMware NSX
This section contains the following topics:
- Creating ACI fabric connectors on page 218
- Creating AWS fabric connectors on page 219
- Creating Microsoft Azure fabric connectors on page 220
- Creating VMware NSX fabric connectors on page 221
- Creating Nuage fabric connectors on page 223
- Importing address names to fabric connectors on page 224
- Configuring dynamic firewall addresses for fabric connectors on page 225
- Configuring virtual wire pairs on page 226
Creating ACI fabric connectors
With FortiManager, you can create a fabric connector for Application Centric Infrastructure (ACI), and then import
address names from ACI to automatically create dynamic objects that you can use in policies. When you install the
policies to one or more FortiGate units, FortiGate uses the information and Fortinet SDN Connector to communicate
with ACI and dynamically populate the objects with IP addresses.
When you create a fabric connector for ACI, you are specifying how FortiGate can communicate with ACI through
Fortinet SDN Connector. As a result, you are configuring communication and authentication information for Fortinet
SDN Connector.
If ADOMs are enabled, you can create multiple fabric connectors per ADOM; however, each fabric connector requires a
unique IP address.
Requirements:
- FortiManager version 5.6 ADOM or later.
  The method described in this topic for creating fabric connectors requires version 6.0 ADOM or later.
- FortiGate is managed by FortiManager.
- The managed FortiGate unit is configured to work with Application Centric Infrastructure (ACI).
To create a fabric connector object for ACI:
1. Go to Fabric View > Fabric Connectors.
2. Click Create New. The Create New Fabric Connector wizard is displayed.
3. Under SDN, select ACI, and click Next.
4. Configure the following options, and then click OK:
Name: Type a name for the fabric connector object.
Type: Displays Application Centric Infrastructure (ACI).
IP: Type the IP address for Fortinet SDN Connector.
Port: Identify the port used for Fortinet SDN Connector. Perform one of the following options:
- Click Use Default to use the default port.
- Click Specify and type the port number.
User Name: Type the user name for Fortinet SDN Connector.
Password: Type the password for Fortinet SDN Connector.
Status: Toggle On to enable the fabric connector object. Toggle Off to disable the fabric connector object.
To complete the fabric connector setup:
1. Import address names from ACI to the fabric connector object. See Importing address names to fabric connectors
on page 224.
The address names are imported and converted to dynamic firewall address objects. The objects do not yet include
IP addresses. The objects are displayed on the Firewall Objects > Addresses pane.
2. In the policy package in which you will be creating the new policy, create an IPv4 policy and include the firewall
address objects for ACI. See IP policies on page 175.
3. Install the policy package to FortiGate. See Install a policy package on page 158.
FortiGate uses the information and Fortinet SDN Connector to communicate with ACI and dynamically populate
the firewall address objects with IP addresses.
If the address names change in ACI after you import them to FortiManager, you must import the address names again.
Creating AWS fabric connectors
With FortiManager, you can create a fabric connector for Amazon Web Services (AWS), and then import address names
from AWS to automatically create dynamic objects that you can use in policies. When you install the policies to one or
more FortiGate units, FortiGate uses the information to communicate with AWS and dynamically populate the objects
with IP addresses. Fortinet SDN Connector is not required for this configuration.
When you create a fabric connector for AWS, you are specifying how FortiGate can communicate directly with AWS.
If ADOMs are enabled, you can create one fabric connector per ADOM.
Requirements:
l FortiManager version 5.6 ADOM or later
The method described in this topic for creating fabric connectors requires version 6.0 ADOM or later.
l FortiGate is managed by FortiManager.
l The managed FortiGate unit is configured to work with AWS.
Following is a high-level overview of the configuration procedure:
To create a fabric connector object for AWS:
1. Go to Fabric View > Fabric Connectors.
2. Click Create New. The Create New Fabric Connector wizard is displayed.
3. Under SDN, select AWS, and click Next.
4. Configure the following options, and then click OK:
Name Type a name for the fabric connector object.
Type Displays Amazon Web Services (AWS).
AWS access key ID Type the access key ID from AWS.
AWS secret access key Type the secret access key from AWS.
AWS region name Type the region name from AWS.
AWS VPC ID Type the AWS VPC ID.
Update Interval (s) Specify how often in seconds that the dynamic firewall objects should be
updated.
Status Toggle On to enable the fabric connector object. Toggle OFF to disable the
fabric connector object.
To complete the fabric connector setup:
1. Import address names from AWS to the fabric connector object. See Importing address names to fabric connectors
on page 224.
The address names are imported and converted to firewall address objects. The objects do not yet include
IP addresses. The objects are displayed on the Firewall Objects > Addresses pane.
2. In the policy package in which you will be creating the new policy, create an IPv4 policy and include the firewall
address objects for AWS. See IP policies on page 175.
3. Install the policy package to FortiGate. See Install a policy package on page 158.
FortiGate communicates with AWS to dynamically populate the firewall address objects with IP addresses.
If the filter names change in AWS after you import them to FortiManager, you must modify the filter again.
Creating Microsoft Azure fabric connectors
With FortiManager, you can create a fabric connector for Microsoft Azure. You cannot import address names from
Microsoft Azure to the fabric connector. Instead you must manually create dynamic firewall objects that you can use in
policies. When you install the policies to one or more FortiGate units, FortiGate uses the information to communicate
with Microsoft Azure and dynamically populate the objects with IP addresses. Fortinet SDN Connector is not required for
this configuration.
When you create a fabric connector for Microsoft Azure, you are specifying how FortiGate can communicate directly
with Microsoft Azure.
If ADOMs are enabled, you can create one fabric connector per ADOM.
Requirements:
l FortiManager version 5.6 ADOM or later
The method described in this topic for creating fabric connectors requires version 6.0 ADOM or later.
l FortiGate is managed by FortiManager.
l The managed FortiGate unit is configured to work with Microsoft Azure.
To create a fabric connector object for Microsoft Azure:
1. Go to Fabric View > Fabric Connectors.
2. Click Create New. The Create New Fabric Connector wizard is displayed.
3. Under SDN, select Azure, and click Next.
4. Configure the following options, and then click OK:
Name Type a name for the fabric connector object.
Type Displays Microsoft Azure.
Azure tenant ID Type the tenant ID from Azure.
Azure client ID Type the client ID from Azure.
Azure client secret Type the client secret from Azure.
Azure subscription ID Type the subscription ID for Azure.
Azure resource group Type the resource group for Azure.
Update Interval (s) Specify how often in seconds that the dynamic firewall objects should be
updated.
Status Toggle On to enable the fabric connector object. Toggle OFF to disable the
fabric connector object.
Advanced Options Expand to specify advanced options for Azure.
azure-region Select an Azure region.
To complete the fabric connector setup:
1. Create dynamic firewall address objects. See Configuring dynamic firewall addresses for fabric connectors on page
225.
You cannot import address names from Microsoft Azure to FortiManager.
2. In the policy package in which you will be creating the new policy, create an IPv4 policy and include the dynamic
firewall address objects for Microsoft Azure. See IP policies on page 175.
3. Install the policy package to FortiGate. See Install a policy package on page 158.
FortiGate communicates with Microsoft Azure to dynamically populate the firewall address objects with IP
addresses.
Creating VMware NSX fabric connectors
With FortiManager, you can create a fabric connector for VMware NSX, and then import address names from
VMware NSX to automatically create dynamic objects that you can use in policies. When you install the policies to one
or more FortiGate units, FortiGate uses the information to communicate with VMware NSX and dynamically populate
the objects with IP addresses. Fortinet SDN Connector is not required for this configuration.
When you create a fabric connector for VMware NSX, you are specifying how FortiGate can communicate directly with
VMware NSX.
If ADOMs are enabled, you can create one fabric connector per ADOM.
Requirements:
l FortiManager version 5.6 ADOM or later
The method described in this topic for creating fabric connectors requires version 6.0 ADOM or later.
l FortiGate unit or FortiGate VMX Service Manager is managed by FortiManager.
l The managed FortiGate or FortiGate VMX Service Manager is configured to work with VMware NSX.
l IPv4 virtual wire pair policy
FortiGate or FortiGate VMXService Manager requires the use of an IPv4 virtual wire pair policy.
To create a fabric connector object for NSX:
1. Go to Fabric View > Fabric Connectors.
2. Click Create New. The Create New Fabric Connector wizard is displayed.
3. Under SDN, select NSX, and click Next.
4. Configure the following options, and then click OK:
Name Type a name for the fabric connector object.
Type Displays VMware NSX.
IP Type the IP address for VMware NSX.
User Name Type the user name for VMware NSX.
Password Type the password for VMware NSX.
Update Interval (s) Specify how often in seconds that the dynamic firewall objects should be
updated.
Status Toggle On to enable the fabric connector object. Toggle OFF to disable the
fabric connector object.
VMX The VMX options identify settings used by the FortiGate VMX Service
Manager to communicate with the REST API for NSX Manager.
Service Name Type the name of the FortiGate VMX service defined on NSX Manager.
Image Location Type the location of the FortiGate VMX deployment template used by NSX
Manager to deploy the FortiGate VMX service.
REST API The REST API options specify how the FortiGate VMX Service Manager
communicates with the REST API for NSX Manager.
Port Type the port used by the FortiGate VMX Service Manager to communicate
with NSX Manager.
Interface Select the interface used by the FortiGate VMX Service Manager to
communicate with NSX Manager. Choose between Mgmt and Sync.
Password Type the password that FortiGate VMX Service Manager uses with the REST
API to communicate with NSX Manager.
Note: This is not the admin password for FortiGate VMX Service Manager.
To complete the fabric connector setup:
1. Import address names from VMware NSX to the fabric connector object. See Importing address names to fabric
connectors on page 224.
The address names are imported and converted to firewall address objects. The objects do not yet include
IP addresses. The objects are displayed on the Firewall Objects > Addresses pane.
2. Create a virtual wire pair. See Configuring virtual wire pairs on page 226.
3. In the policy package in which you will be creating the new policy, create an IPv4 virtual wire pair policy, select the
virtual wire pair, and add the firewall address objects for the VMware NSX. See Virtual wire pair policy on page 181.
4. Install the policy package to FortiGate or FortiGate VMX Service Manager. See Install a policy package on page
158.
The FortiGate unit or FortiGate VMX Service Manager communicates with VMware NSX to dynamically populate
the firewall address objects with IP addresses.
If the address names change in VMware NSX after you import them to FortiManager, you must import the address
names again.
Creating Nuage fabric connectors
With FortiManager, you can create a fabric connector for Nuage Virtualized Services Platform. You cannot import
address names from Nuage Virtualized Services Platform to the fabric connector. Instead you must manually create
dynamic firewall objects that you can use in policies. When you install the policies to one or more FortiGate units,
FortiGate uses the information and Fortinet SDN Connector to communicate with Nuage Virtualized Services Platform
and dynamically populate the objects with IP addresses.
When you create a fabric connector for Nuage Virtualized Services Platform, you are specifying how FortiGate can
communicate with Nuage through Fortinet SDN Connector. As a result, you are configuring communication and
authentication information for Fortinet SDN Connector.
If ADOMs are enabled, you can create multiple fabric connectors per ADOM; however, each fabric connector requires a
unique IP address.
Requirements:
l FortiManager version 5.6 ADOM or later
The method described in this topic for creating fabric connectors requires version 6.0 ADOM or later.
l FortiGate is managed by FortiManager.
l The managed FortiGate unit is configured to work with Nuage Virtualized Services Platform.
To create a fabric connector object for Nuage:
1. Go to Fabric View > Fabric Connectors.
2. Click Create New. The Create New Fabric Connector wizard is displayed.
3. Under SDN, select Nuage, and click Next.
4. Configure the following options, and then click OK:
Name Type a name for the fabric connector object.
Type Displays Nuage Virtualized Services Platform.
IP Type the IP address for Fortinet SDN Connector.
Port Identify the port used for Fortinet SDN Connector.
Perform one of the following options:
l Click Use Default to use the default port.
l Click Specify and type the port number.
User Name Type the user name for Fortinet SDN Connector.
Password Type the password for Fortinet SDN Connector.
Status Toggle On to enable the fabric connector object. Toggle OFF to disable the
fabric connector object.
To complete the fabric connector setup:
1. Create dynamic firewall address objects. See Configuring dynamic firewall addresses for fabric connectors on page
225.
You cannot import address names from Nuage Virtualized Services Platform to FortiManager.
2. In the policy package in which you will be creating the new policy, create an IPv4 policy and include the firewall
address objects for Nuage Virtualized Services Platform. See IP policies on page 175.
3. Install the policy package to FortiGate. See Install a policy package on page 158.
FortiGate communicates with Nuage Virtualized Services Platform to dynamically populate the firewall address
objects with IP addresses.
Importing address names to fabric connectors
After you configure a fabric connector, you can import address names from products, such as NSX and ACI, to the fabric
connector, and dynamic firewall address objects are automatically created.
When you are importing address names from AWS, you must add filters to display the correct instances before
importing address names.
You cannot import address names to fabric connectors created for Microsoft Azure and Nuage
Virtualized Services Platform. You must manually create dynamic firewall address objects for
these types of fabric connectors. See Configuring dynamic firewall addresses for fabric
connectors on page 225.
To import address names for NSX and ACI:
1. Go to Policy & Objects > Object Configurations.
2. In the tree menu, go to Security Fabric > Fabric Connectors.
3. In the content pane, right-click the fabric connector, and select Import.
The Import SDN Connector dialog box is displayed.
4. Select the address names, and click Import.
The address names are imported and converted to dynamic firewall address objects that are displayed on the
Firewall Objects > Addresses pane.
To import address names for AWS:
1. Go to Policy & Objects > Object Configurations.
2. In the tree menu, go to Security Fabric > Fabric Connectors.
3. In the content pane, right-click the fabric connector, and select Import.
The Import SDN Connector dialog box is displayed.
4. Create a filter to select the correct AWS instances:
a. Click Add Filter.
The Filter Generator dialog box is displayed.
b. Click Add Filter, and select a filter.
A filtered list of instances is displayed.
c. Click OK.
The Import SDN Connector dialog box is displayed, and it contains the filter.
You can add additional filters, or edit and delete filters.
d. (Optional) Repeat this procedure to add additional filters.
5. Select the filters, and click Import.
The address names are imported and converted to dynamic firewall address objects that are displayed on the
Firewall Objects > Addresses pane. The name of the dynamic firewall address uses the following naming
convention: AWS-. Use the Details column and the instance ID to identify the object.
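The following script is an added example, not part of this guide and not FortiManager or FortiOS code. It models what the AWS import and the Update Interval amount to on the FortiGate side: a filter is evaluated against the instance records the connector retrieves, and the dynamic firewall address holds whatever addresses match at each poll, so an instance whose address changes is picked up at the next update and a filter that matches nothing yields an empty object. The instance records and tag values are constructed sample data, and the filter grammar (key=value terms, & for AND, | for OR, * as a wildcard) is an assumption; check the FortiOS CLI Reference for the filter syntax your release accepts.

```python
"""Evaluate fabric connector filters against EC2-style instance records.

Added example: not FortiManager or FortiOS code. The filter grammar
(key=value terms, '&' = AND, '|' = OR, '*' wildcard) is an assumption;
the instance records below are constructed sample data, not real hosts.
"""
import fnmatch
import ipaddress

# Constructed records shaped like fields from an EC2 DescribeInstances call.
INSTANCES = [
    {"InstanceId": "i-0aaa111", "PrivateIpAddress": "10.0.1.10",
     "Placement.AvailabilityZone": "us-east-1a",
     "Tag.Name": "web-01", "Tag.Role": "web"},
    {"InstanceId": "i-0bbb222", "PrivateIpAddress": "10.0.1.11",
     "Placement.AvailabilityZone": "us-east-1b",
     "Tag.Name": "web-02", "Tag.Role": "web"},
    {"InstanceId": "i-0ccc333", "PrivateIpAddress": "10.0.2.20",
     "Placement.AvailabilityZone": "us-east-1a",
     "Tag.Name": "db-01", "Tag.Role": "db"},
]


def _term_matches(term, instance):
    """One 'key=pattern' term; the pattern may use shell-style wildcards."""
    key, sep, pattern = term.partition("=")
    key, pattern = key.strip(), pattern.strip()
    if not sep or not key or not pattern:
        raise ValueError(f"malformed filter term: {term!r}")
    value = instance.get(key)
    return value is not None and fnmatch.fnmatchcase(str(value), pattern)


def matches(filter_expr, instance):
    """'a=1&b=2|c=3' is read as (a=1 AND b=2) OR (c=3)."""
    return any(all(_term_matches(t, instance) for t in group.split("&"))
               for group in filter_expr.split("|"))


def resolve_dynamic_address(filter_expr, instances=INSTANCES):
    """The addresses the dynamic firewall object holds after one poll.

    An empty list is a valid outcome: the object then matches no traffic.
    """
    ips = {ipaddress.ip_address(i["PrivateIpAddress"])
           for i in instances if matches(filter_expr, i)}
    return [str(ip) for ip in sorted(ips)]


def repoll_after_change(filter_expr, instance_id, new_ip, instances=INSTANCES):
    """Simulate the next Update Interval after an instance's address changes."""
    updated = [dict(i, PrivateIpAddress=new_ip) if i["InstanceId"] == instance_id else i
               for i in instances]
    return resolve_dynamic_address(filter_expr, updated)


if __name__ == "__main__":
    for expr in ("Tag.Role=web",
                 "Tag.Name=db-*|Placement.AvailabilityZone=us-east-1b",
                 "Tag.Role=web&Placement.AvailabilityZone=us-east-1a",
                 "Tag.Role=nonexistent"):
        print(f"{expr:55} -> {resolve_dynamic_address(expr)}")
    print("after web-01 moves:", repoll_after_change("Tag.Name=web-01", "i-0aaa111", "10.0.1.99"))
```

Two points the script makes concrete: a filter that matches no instances produces an empty address object rather than an error, so test each filter against a known instance before installing a policy that depends on it; and because the AWS access key ID and secret are stored in the ADOM object database and installed to every FortiGate that receives the policy package, use a dedicated IAM identity limited to the read-only EC2 describe permissions the connector needs, not a key with wider rights.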
Configuring dynamic firewall addresses for fabric connectors
You cannot import address names to fabric connectors created for Microsoft Azure and Nuage Virtualized Services
Platform. Instead you must create dynamic firewall objects that can be dynamically populated when FortiGate
communicates with Microsoft Azure and Nuage Virtualized Services Platform.
To configure dynamic firewall addresses for Microsoft Azure fabric connectors:
1. Go to Policy & Objects > Object Configurations.
2. In the tree menu, go to Firewall Objects > Addresses.
3. In the content pane, click Create New and select Address.
4. Complete the following options for Microsoft Azure fabric connectors:
Address Name Type a name for the firewall address object.
Type Select Fabric Connector Address.
SDN Select the Microsoft Azure fabric connector.
Filter Type the filter that selects the Microsoft Azure resources whose addresses populate the object.
5. Set the remaining options as required, and click OK.
To configure dynamic firewall addresses for Nuage fabric connectors:
1. Go to Policy & Objects > Object Configurations.
2. In the tree menu, go to Firewall Objects > Addresses.
3. In the content pane, click Create New and select Address.
4. Complete the following options for Nuage fabric connectors:
Address Name Type a name for the firewall address object.
Type Select Fabric Connector Address.
SDN Select the Nuage Virtualized Services Platform fabric connector.
Organization Type the name of the organization for the Nuage Virtualized Services
Platform.
Subnet Name Type the name of the subnet for the Nuage Virtualized Services Platform.
Policy Group Type the name of the policy group for the Nuage Virtualized Services
Platform.
5. Set the remaining options as required, and click OK.
Configuring virtual wire pairs
Before you create an IPv4 virtual wire pair policy, you must create a virtual wire pair.
ADOM version 5.4, 5.6, or later is required. Earlier ADOM versions are not supported.
To configure virtual wire pairs:
1. Go to Policy & Objects > Object Configurations.
2. In the tree menu, go to Zone/Interface > Interface.
3. In the content pane, click Create New and select Virtual Wire Pair.
4. Complete the following options, and clickOK.
Name Type a name for the virtual wire pair.
Interface Members Select two interface members.
Wildcard VLAN Toggle ON to enable wildcard VLANs for the virtual wire pair. When enabled,
all VLAN-tagged traffic can pass through the virtual wire pair, if allowed by the
virtual wire pair firewall policies.
Toggle OFF to disable wildcard VLANs for the virtual wire pair.
Threat Feeds
You can use the Fabric Connectors tab to create the following types of threat feed connectors:
l Category
l Address
l Domain
Threat feed connectors dynamically import an external block list. The block list is a text file, hosted on an HTTP
server, that contains a list of URLs, IP addresses, or domain names. You use the imported lists to block URLs in web
filter profiles and domains in DNS filter profiles, to exempt destinations from SSL inspection, and as sources or
destinations in proxy policies.
This section contains the following topic:
l Creating threat feed connectors on page 227
Creating threat feed connectors
You can create threat feed connectors for FortiGuard categories, firewall IP addresses, and domain names.
To create threat feed connectors:
1. Go to Fabric View > Fabric Connectors.
2. Click Create New. The Create New Fabric Connector wizard is displayed.
3. Under Threat Feeds, select Category, Address, or Domain, and click Next.
4. Configure the following options, and then click OK:
Type Displays URL List if you selected Category.
Displays IP List if you selected Address.
Displays Domain List if you selected Domain.
URI of external resource Type the link to an external text file. The path must start with http://,
https://, or fmg://, for example, http://example.com/url.
Category ID Type the category ID. The ID is between 192 and 221.
Available only when Type displays URL List.
Refresh Rate The time in minutes to refresh the external resource.
Comments (Optional) Type comments about the connector.
Status Toggle On to enable the fabric connector object. Toggle OFF to disable the
fabric connector object.
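An added check, not part of this guide and not FortiOS code: a validator for the external text file before it is published on the HTTP server. The connector fetches the file at the configured Refresh Rate and applies whatever it parses, so a malformed or mistaken entry (a hostname in an IP list, a typo in a prefix, a duplicate) reaches every FortiGate that uses the list. The accepted line formats and the 192 to 221 category range in the script are assumptions modelled on the connector fields above; confirm them against the FortiOS documentation for your release. The sample feeds are constructed and use documentation address ranges, not real indicators.

```python
"""Check an external block list before publishing it for a threat feed connector.

Added example, not Fortinet code. Assumed feed format: one entry per line,
blank lines and '#' comments ignored; IP lists hold addresses or CIDR
prefixes, domain lists hold hostnames with an optional leading '*.',
URL lists hold host[:port][/path] with an optional http(s):// scheme.
The 192-221 category range comes from the connector's Category ID field.
Confirm the exact accepted syntax against the FortiOS documentation.
"""
import ipaddress
import re

LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
DOMAIN_RE = re.compile(rf"^(?:\*\.)?(?:{LABEL}\.)+{LABEL}$")
URL_RE = re.compile(rf"^(?:https?://)?(?:{LABEL}\.)+{LABEL}(?::\d{{1,5}})?(?:/\S*)?$")
CATEGORY_RANGE = range(192, 222)  # custom category IDs 192..221 inclusive


def _check_ip(entry):
    ipaddress.ip_network(entry, strict=False)  # ValueError on anything else


def _check_domain(entry):
    if len(entry) > 253 or not DOMAIN_RE.match(entry):
        raise ValueError("not a valid domain name")


def _check_url(entry):
    if not URL_RE.match(entry):
        raise ValueError("not a host[/path] URL")


CHECKS = {"ip": _check_ip, "domain": _check_domain, "url": _check_url}


def validate_feed(text, feed_type, category_id=None):
    """Return (entries, errors).

    entries: valid lines, de-duplicated case-insensitively, original order.
    errors:  (line_number, raw_line, reason) for each rejected line.
    """
    if feed_type not in CHECKS:
        raise ValueError(f"unknown feed type {feed_type!r}")
    if feed_type == "url" and category_id not in CATEGORY_RANGE:
        raise ValueError("a URL list feed needs a Category ID between 192 and 221")
    check = CHECKS[feed_type]
    entries, seen, errors = [], set(), []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            check(line)
        except ValueError as exc:
            errors.append((lineno, raw, str(exc)))
            continue
        if line.lower() not in seen:
            seen.add(line.lower())
            entries.append(line)
    return entries, errors


# Constructed sample feeds; the addresses are documentation ranges, not indicators.
SAMPLE_IP_LIST = """\
# constructed sample
203.0.113.5
198.51.100.0/24
2001:db8::/32
203.0.113.5          # duplicate, kept once
300.1.1.1            # not an address
evil.example         # a hostname in an IP list is rejected
"""

SAMPLE_DOMAIN_LIST = """\
*.malicious.example
c2.malicious.example
under_score.example  # '_' is not valid in a hostname label
"""

if __name__ == "__main__":
    for kind, text in (("ip", SAMPLE_IP_LIST), ("domain", SAMPLE_DOMAIN_LIST)):
        ok, bad = validate_feed(text, kind)
        print(kind, "accepted:", ok)
        for lineno, raw, why in bad:
            print(f"  line {lineno}: {raw.strip()!r}: {why}")
```

Serve the file over https:// with a certificate the FortiGate trusts: with a plain http:// URI, an on-path attacker can add or remove entries while the list is in transit, and the change takes effect on every FortiGate at the next refresh.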
SSO/Identity
You can use the Fabric Connectors tab to create the following types of SSO/identity connectors:
l AD Polling
l FSSO
l RADIUS
SSO connectors integrate single sign-on (SSO) authentication in networks. SSO allows users to enter their credentials
once and have those credentials reused when they access other network resources through FortiGate. For more
information about SSO, see the FortiOS Handbook.
This section contains the following topics:
l Creating Active Directory connectors on page 228
l Creating FSSO connectors on page 228
l Creating RADIUS connectors on page 229
Creating Active Directory connectors
You can create SSO/identity connectors for Active Directory servers. This connector configures polling of Active
Directory servers for FSSO.
To create Active Directory connectors:
1. Go to Fabric View > Fabric Connectors.
2. Click Create New. The Create New Fabric Connector wizard is displayed.
3. Under SSO/Identity, select AD Polling, and click Next.
4. Configure the following options, and then click OK:
Server Name/IP Type the name or IP address for the Active Directory server.
Local User Type the user name required to log into the Active Directory server.
Password Type the password required to log into the Active Directory server.
Enable Polling Toggle On to enable polling of the Active Directory server. Toggle OFF to
disable this feature.
LDAP Server Select the LDAP server name from the list. The LDAP server name is used in
LDAP connection strings.
Creating FSSO connectors
You can create SSO/identity connectors for Fortinet single sign-on (FSSO) agents.
FSSO is the authentication protocol by which users can transparently authenticate to FortiGate, FortiAuthenticator, and
FortiCache devices.
To create FSSO connectors:
1. Go to Fabric View > Fabric Connectors.
2. Click Create New. The Create New Fabric Connector wizard is displayed.
3. Under SSO/Identity, select FSSO, and click Next.
4. Configure the following options, and then click OK:
Name Type a name for the connector object.
FSSO Agent Complete the IP/Name, Password, and Port options for each
FortiAuthenticator unit that will act as an SSO agent.
Select FSSO Groups Specify whether to get FSSO groups from FSSO agents or via FortiGate.
User Groups LDAP Server Select the name of the LDAP server to be used to get group information from
the Directory Service.
Per-Device Mapping (Optional) Toggle On to set per-device mappings between FortiGate units and
FSSO agents, and then create the mappings. Toggle OFF to disable this
feature.
Advanced Options Expand to view and configure advanced options for Fortinet single sign-on
agents. For details, see the FortiOS CLI Reference.
Creating RADIUS connectors
You can create an SSO/identity connector for RADIUS single sign-on (RSSO) agents. Only one RADIUS connector can
exist at one time.
To create RADIUS connectors:
1. Go to Fabric View > Fabric Connectors.
2. Click Create New. The Create New Fabric Connector wizard is displayed.
3. Under SSO/Identity, select RADIUS, and click Next.
4. Configure the following options, and then click OK:
Name Type the name of the RADIUS SSO agent.
Use RADIUS Shared Secret Toggle On to enable the use of a RADIUS shared secret between the collector
agent and the RADIUS server, and then enter the shared secret. Toggle OFF to
disable this feature.
Send RADIUS Responses Toggle On to send RADIUS response packets after receiving start and stop
records. Toggle OFF to disable this feature.
Advanced Options Expand to view and configure advanced options for RADIUS single sign-on
agents. For details, see the FortiOS CLI Reference.
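The exchange that the two RADIUS connector options above refer to, as an added example that is not part of this guide and not FortiOS code: a RADIUS accounting Start record arrives at the collector, the collector checks the record's authenticator against the shared secret, reads the user, address and group from the attributes, and, when responses are enabled, returns an Accounting-Response. Without a shared secret, any host that can reach the collector's accounting port can send a forged Start record that maps its own address to a privileged user or group; the authenticator computed over the secret is the only integrity check in the protocol, and the record itself travels in the clear. The framing follows RFC 2866; the secret, user, group and address values are constructed samples.

```python
"""RADIUS accounting Start record and the collector's response, per RFC 2866.

Added example, not Fortinet code. It shows what the 'Use RADIUS Shared
Secret' option protects (the Request Authenticator binds every accounting
record to the secret, so a record from a sender without it is rejected) and
what 'Send RADIUS Responses' produces (an Accounting-Response whose
authenticator is computed over the request's). Secret, user, group and
address values are constructed samples.
"""
import hashlib
import hmac
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5
ATTR_USER_NAME, ATTR_FRAMED_IP, ATTR_CLASS, ATTR_ACCT_STATUS = 1, 8, 25, 40
ACCT_START, ACCT_STOP = 1, 2


def _encode_attrs(attrs):
    """Type-Length-Value encoding; Length counts the two header octets."""
    out = b""
    for atype, value in attrs:
        if atype == ATTR_FRAMED_IP:
            value = bytes(int(o) for o in value.split("."))
        elif atype == ATTR_ACCT_STATUS:
            value = struct.pack("!I", value)
        else:
            value = value.encode()
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def build_acct_request(secret, identifier, attrs):
    """Accounting-Request: authenticator = MD5(header | 16 zero octets | attrs | secret)."""
    body = _encode_attrs(attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, identifier, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def verify_acct_request(secret, packet):
    """Recompute the Request Authenticator; False means wrong secret or a modified record."""
    if len(packet) < 20 or packet[0] != ACCT_REQUEST:
        return False
    header, auth, body = packet[:4], packet[4:20], packet[20:]
    if struct.unpack("!H", header[2:])[0] != len(packet):
        return False
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    return hmac.compare_digest(auth, expected)


def build_acct_response(secret, request):
    """Accounting-Response: authenticator = MD5(header | RequestAuth | attrs | secret), no attrs."""
    header = struct.pack("!BBH", ACCT_RESPONSE, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def verify_acct_response(secret, request, response):
    """What the RADIUS server checks when it receives the collector's response."""
    if len(response) < 20 or response[0] != ACCT_RESPONSE or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def parse_attrs(packet):
    """Decode the attributes the collector cares about into {type: value}."""
    attrs, body, i = {}, packet[20:], 0
    while i + 2 <= len(body):
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("malformed attribute")
        raw = body[i + 2:i + alen]
        if atype == ATTR_FRAMED_IP and len(raw) == 4:
            attrs[atype] = ".".join(str(b) for b in raw)
        elif atype == ATTR_ACCT_STATUS and len(raw) == 4:
            attrs[atype] = struct.unpack("!I", raw)[0]
        else:
            attrs[atype] = raw.decode(errors="replace")
        i += alen
    return attrs


def rsso_handle(secret, packet):
    """Collector logic for one record: drop it unless the authenticator checks
    out; otherwise return (user, ip, group, status, response_packet)."""
    if not verify_acct_request(secret, packet):
        return None
    a = parse_attrs(packet)
    return (a.get(ATTR_USER_NAME), a.get(ATTR_FRAMED_IP), a.get(ATTR_CLASS),
            a.get(ATTR_ACCT_STATUS), build_acct_response(secret, packet))


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    start = build_acct_request(secret, 7, [(ATTR_USER_NAME, "alice"),
                                           (ATTR_FRAMED_IP, "10.1.2.3"),
                                           (ATTR_CLASS, "staff"),
                                           (ATTR_ACCT_STATUS, ACCT_START)])
    print("valid record :", rsso_handle(secret, start)[:4])
    print("wrong secret :", rsso_handle(b"guess", start))
    forged = bytearray(start)
    forged[-1] ^= 1  # flip a bit in Acct-Status-Type
    print("tampered     :", rsso_handle(secret, bytes(forged)))
```

The Class attribute carries the group the RADIUS server assigned at login, which is what RSSO uses to place the user in a FortiGate user group; the last two calls in the demonstration show that a record sent without the secret, or altered after it was sent, is dropped rather than creating a session.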
NOC - SOC Monitoring
Use the NOC - SOC (Network Operations Center - Security Operations Center) pane to view the configuration status
of managed devices.
Hide the tree menu on the left to display dashboards in full screen.
To prevent timeout, ensure Idle Timeout is greater than the widget's Refresh Interval. See
Idle timeout on page 471 and Settings icon on page 233.
This section contains the following topics:
l NOC - SOC dashboards and widgets on page 230
l Using the NOC - SOC dashboard on page 232
NOC - SOC dashboards and widgets
NOC - SOC includes a predefined dashboard for Device Status.
When FortiAnalyzer features are enabled, NOC - SOC includes additional predefined dashboards. For more
information, see the FortiAnalyzer Administration Guide.
Device Status
The Device Status dashboard communicates the configuration status between FortiManager and managed devices.
The center of the Device Status dashboard includes a circular chart that automatically rotates to communicate
configuration status about managed devices. You can control what information displays by using the following controls
at the top of the widget:
Playing and Paused Click to start and pause the automatic rotation of the circle chart.
Zoom in and out Use the Zoom in and Zoom out tools to enlarge and shrink areas of the circle chart. When
zoomed in, use the scroll bar to move across the circle chart.
Rotate Options Specify whether the chart automatically displays information about Next Problematic Device
or One by One.
Search Devices Select a device and display its information.
Settings icon Change the settings of the widget. Widgets have settings applicable to that widget, such as
how many of the top items to display, Time Period, Refresh Interval, and Chart Type.
Remove widget icon Delete the widget from a predefined or custom dashboard.
The Device Status dashboard includes the following information:
Overall Device Status A summary of the status of all devices. The following colors are used to communicate status:
l Red indicates action is required now.
l Orange indicates action is required soon.
l Blue indicates no action is required.
Each device is represented by a segment in the circle. Click each segment to display the
following information about the selected device in the middle of the circle:
l Host name
l IP address
l Firmware version
Information about the following statuses of the selected device is also displayed on the right:
l Connectivity status
l Support Contracts
l Licenses
l Configuration Status and Policy Package Status
The colored rings in the circle correspond to the status information on the right. The outer ring
in the circle corresponds with the Connectivity status. The second outermost ring
corresponds to the Support Contracts status, and so on.
Require Action The number of devices that require configuration changes. The number is displayed in a red
box.
Will Soon Require Action The number of devices that will require configuration changes in the near future. The
number is displayed in an orange box.
Total Number of Devices The total number of devices displayed on the dashboard. The number is displayed in a
blue box.
Connectivity Displays the connectivity status for the selected device. Click the Connectivity link to display
the selected device on the Device Manager > Device & Groups pane.
Support Contracts Displays the expiration date of the support contracts for the selected device. Click the
Support Contracts link to display the selected device on the Device Manager > License
pane.
Licenses Displays the expiration date of the licenses for the selected device. Click the Licenses link to
display the selected device on the Device Manager > License pane.
Configuration Status Displays the configuration status for the selected device. Click the Configuration Status
link to display the selected device on the Device Manager > Device & Groups pane.
Policy Package Status Displays the policy package status for the selected device. Click the Policy Package
Status link to display the selected device on the Device Manager > Device & Groups pane.
Using the NOC - SOC dashboard
NOC - SOC dashboards contain widgets that provide network and security information. Use the controls in the
dashboard toolbar to work with a dashboard.
Add Widget Add widgets to a predefined or custom dashboard. For details, see Customizing the NOC -
SOC dashboard on page 233.
Dashboard Create a new dashboard or reset a predefined dashboard to its default settings. For custom
dashboards, you can rename or delete the custom dashboard. For details, see Customizing
the NOC - SOC dashboard on page 233.
Create New Create a new dashboard.
Reset Reset a predefined dashboard to its default widgets and settings.
Rename Rename a custom dashboard.
Delete Delete a custom dashboard.
Refresh Refresh the data in the widgets.
Background color Change the background color of the dashboard to make widgets easier to view in different
room lighting.
l Day shows a brighter gray background color.
l Night shows a black background.
l Ocean shows a blue background color.
Hide Side-menu or Show Side-menu Hide or show the tree menu on the left. In a typical NOC/SOC environment, the
side menu is hidden and dashboards are displayed in full screen mode.
Use the controls in the widget title bar to work with widgets.
Settings icon Change the settings of the widget.
Remove widget icon Delete the widget from a predefined or custom dashboard.
Move widget Click and drag a widget’s title bar to move it to another location.
Resize widget Click and drag the resize button in the bottom-right of the widget.
Customizing the NOC - SOC dashboard
You can add any widget to a predefined dashboard. You can also move, resize, or delete widgets. You cannot rename
or delete a predefined dashboard. To reset a predefined dashboard to its default settings, click Dashboard > Reset.
To create a dashboard:
1. In the toolbar, click Dashboard > Create New.
2. Specify the Name and whether you want to create a blank dashboard or use a template.
If you select From Template, specify which predefined dashboard you want to use as a template.
3. Click OK. The new dashboard appears in the tree menu.
To add a widget:
1. Select the predefined or custom dashboard where you want to add a widget.
2. Click Add Widget to expand the menu; then locate the widget you want to add.
3. Click the + button to add widgets.
4. When you have finished adding widgets, click the close button to close the Add Widget pane.
VPN
Use the VPN Manager pane to enable and use central VPN management. You can view and configure IPsec VPN and
SSL-VPN settings that you can install to one or more devices.
Additional configuration options and shortcuts are available from the right-click context
menu. Right-click different parts of the navigation panes on the GUI page to
access these context menus.
The VPN Manager pane includes the following tabs:
IPsec VPN Displays all defined IPsec VPN communities and associated devices for the
selected ADOM. You can create, monitor, and manage VPN settings. See IPsec
VPN Communities on page 237.
Monitor Displays a list of IPsec VPN tunnels, and allows you to bring the tunnels up or
down. See Monitoring IPsec VPN tunnels on page 245.
Map View Displays a world map showing IPsec VPN tunnels. See Map View on page 246.
SSL-VPN Create, monitor, and manage SSL-VPN settings. You can also create, edit, and
delete portal profiles for SSL-VPN settings. See SSL VPN on page 255.
Overview
When central VPN management is enabled, you can use the VPN Manager pane to configure IPsec VPN settings that
you can install to one or more devices. The settings are stored as objects in the objects database. You can then select
the objects in policies for policy packages on the Policy & Objects pane. You install the IPsec VPN settings to one or
more devices by installing the policy package to the devices.
You must enable central VPN management to access the settings on the VPN Manager >
IPsec VPN pane. However, you can access the settings on the VPN Manager > SSL-VPN
pane without enabling central VPN management. See Enabling central VPN management on
page 235.
To create IPsec VPN settings:
1. Enable central VPN management. See Enabling central VPN management on page 235.
2. Create a VPN community, sometimes called a VPN topology. See Creating IPsec VPN communities on page 237.
3. Create a managed gateway. See Creating managed gateways on page 247.
To create SSL-VPN settings:
1. Create custom profiles. See Creating SSL VPN portal profiles on page 258.
Alternately, you can skip this step, and use the default portal profiles.
2. Add an SSL VPN to a device, and select a portal profile. See Creating SSL VPNs on page 256.
To install VPN objects to devices:
1. Plan the VPN security policies. See VPN security policies on page 253.
2. In a policy package, create VPN security policies, and select the VPN settings. See Creating policies on page 169.
3. Edit the installation targets for the policy package to add all of the devices onto which you want to install the policy
defined VPN settings. See Policy package installation targets on page 162.
4. Install the policy package to the devices. See Install a policy package on page 158.
VPNs can also be configured directly on a FortiGate. To prevent conflicts, the preserve field
must be selected in the phase 1 and phase 2 interfaces when creating the VPN. See The
FortiOS Handbook, in the Fortinet Document Library, for more information.
Enabling central VPN management
You can enable centralized VPN management from the VPN Manager > IPsec VPN pane.
You can also enable centralized VPN management by editing an ADOM. When ADOMs are disabled, you can enable
centralized VPN management by using the System Settings > Dashboard pane.
Regardless of how you enable centralized VPN management, you use the VPN Manager module for centralized VPN
management.
To enable central VPN management:
1. Go to VPN Manager > IPsec VPN.
2. Select Enable.
3. Click OK in the confirmation dialog box.
To enable central VPN management for an ADOM:
1. Ensure that you are in the correct ADOM.
2. Go to System Settings > All ADOMs.
3. Right-click an ADOM, and select Edit.
4. In the Central Management field, select the VPN checkbox.
5. Click OK. Centralized VPN management is enabled for the ADOM.
To enable central VPN management when ADOMs are disabled:
1. Go to System Settings > Dashboard.
2. In the System Information widget, in the VPN Management Mode field, select Change VPN Management Mode.
The Change VPN Management Mode dialog box is displayed.
3. Click OK.
DDNS support
When Dynamic DNS (DDNS) is enabled on FortiGates, VPN Manager supports DDNS. First VPN Manager searches for
the interface IP for IPsec Phase2. If no IP is found, then VPN Manager searches for DDNS.
You can use FortiManager and the CLI-only objects menu to enable DDNS on each FortiGate device. The CLI-only
objects menu is available in the Device Manager pane. See CLI-Only Objects menu on page 64.
With the CLI-only objects menu, you can use the config system ddns command to enable DDNS on a per-device
basis. The selected monitoring interface must be the interface that supports your tunnel, for example:
config system ddns
edit 1
set ddns-server FortiGuardDDNS
set ddns-domain ".fortiddns.com"
set monitor-interface "port14"
next
end
You can also use the CLI-only objects menu to configure DDNS on multiple FortiGate interfaces. Once configured, you
can use FortiManager to view all the DDNS entries, but you cannot edit the entries.
Following is an example of how to configure DDNS on multiple FortiGates by using the CLI-only objects menu:
config system ddns
edit 1
set ddns-server FortiGuardDDNS
set ddns-domain ".fortiddns.com"
set use-public-ip enable
set monitor-interface "wan"
next
edit 2
set ddns-server FortiGuardDDNS
set ddns-domain ".fortiddns.com"
set use-public-ip disable
set monitor-interface "wwan"
next
end
Multiple DDNS entries are useful when using SD-WAN and multiple broadband links.
IPsec VPN Communities
You can use the VPN Manager > IPsec VPN pane to create and monitor full-meshed, star, and dial-up IPsec VPN
communities. IPsec VPN communities are also sometimes called VPN topologies.
Managing IPsec VPN communities
Go to VPN Manager > IPsec VPN to manage IPsec VPN communities.
The following options are available:
VPN Community Select to create a new VPN community, edit the selected VPN community, or
delete the selected VPN community.
Install Wizard Launch the Install Wizard to install IPsec VPN settings to devices.
Create New Create a new VPN community. See Creating IPsec VPN communities on page
237.
Edit Edit the selected VPN community. See Editing an IPsec VPN community on page
244.
Delete Delete the selected VPN community or communities. See Deleting VPN
communities on page 245.
Column Settings Configure which columns are displayed, or click Reset to Default to reset the
display to the default columns.
Search Enter a search term to search the communities list.
Configure Gateways Go to the gateway list for the community. This option is only available from the
right-click menu. See IPsec VPN gateways on page 247.
Add Managed Gateway Start the VPN Gateway Setup Wizard. This option is only available from the
right-click menu. See Creating managed gateways on page 247.
Creating IPsec VPN communities
You can create one or more IPsec VPN communities. An IPsec VPN community is also sometimes called a VPN
topology. A VPN Topology Wizard is available to help you set up topologies.
After you create the IPsec VPN community, you can create the VPN gateway. See IPsec VPN gateways on page 247.
To create a new IPsec VPN community:
1. Go to the VPN Manager > IPsec VPN tab.
2. Do one of the following:
l From the VPN Community menu select Create New.
l Click Create New in the content pane toolbar.
l Right-click in the tree menu or on an existing community and select Create New.
The VPN Topology Setup Wizard is displayed.
3. Enter a name for the topology in the Name field.
4. Optionally, enter a brief description of the topology in the Description field.
5. Choose a topology type: Full Meshed, Star, or Dial up.
l Full Meshed: Each gateway has a tunnel to every other gateway.
l Star: Each gateway has one tunnel to a central hub gateway.
l Dial up: Some gateways, often mobile users, have dynamic IP addresses and contact the gateway to establish
a tunnel.
6. Click Next.
7. Configure the Authentication and Encryption information for the topology.
8. Click Next.
9. Configure the VPN Zone, IKE Security Phase 1 Advanced Properties, IPsec Security Phase 2 Advanced
Properties, and Advanced Options.
10. Click Next.
11. Review the topology information on the Summary page, then click OK to create the topology.
After you have created the VPN topology, you can create managed and external gateways for the topology.
For descriptions of the options in the wizard, see VPN community settings on page 239.
VPN community settings
The following table describes the options available in the VPN Topology Setup Wizard and on the Edit VPN
Community page.
Name Type a name for the VPN topology.
Description Type an optional description.
Choose VPN Topology Choose a topology type. Select one of:
l Full Meshed: Each gateway has a tunnel to every other gateway.
l Star: Each gateway has one tunnel to a central hub gateway.
l Dial up: Some gateways, often mobile users, have dynamic IP
addresses and contact the gateway to establish a tunnel.
Authentication Select Certificates or Pre-shared Key.
IPsec traffic is protected by the Encapsulating Security Payload (ESP)
protocol regardless of which method you choose. Internet Key Exchange (IKE)
authenticates the peers and negotiates the keys automatically, using either
pre-shared keys or X.509 digital certificates.
Certificates If you selected Certificates, select a certificate template. Fortinet provides
several default certificate templates. You can also create certificate
templates on the Device Manager > Provisioning Templates > Certificate
Templates pane.
Pre-shared Key If you selected Pre-shared Key, select Generate or Specify.
When you select Specify, type the pre-shared key that the FortiGate unit
will use to authenticate itself to the remote peer or dialup client during phase
1 negotiations. You must define the same key at the remote peer or client.
The key must contain at least 6 printable characters. For optimum
protection against currently known attacks, the key must consist of a
minimum of 16 randomly chosen alphanumeric characters.
Alternatively, you can select to generate a random pre-shared key.
Encryption Define the IKE Profile. Configure IKE Phase 1 and IKE Phase 2 settings.
IKE Security (Phase 1) Properties Define the Phase 1 proposal settings.
IKE Version Select IKE version 1 or 2 (default = 2).
For more information about IKEv2, refer to RFC 4306 and its current
successor, RFC 7296.
Encryption / Authentication Select the encryption and authentication algorithms used to generate keys
for protecting negotiations, and add encryption and authentication
algorithms as required.
You need to select at least one combination. The remote peer or client must
be configured to use at least one of the proposals that you define.
Select one of the following symmetric-key encryption algorithms:
l 3DES: Triple-DES, in which plain text is encrypted three times by three
keys.
l AES128: A 128-bit block Cipher Block Chaining (CBC) algorithm that
uses a 128-bit key.
l AES128GCM: AES128 Galois/Counter Mode (GCM).
l AES192: A 128-bit block Cipher Block Chaining (CBC) algorithm that
uses a 192-bit key.
l AES256: A 128-bit block Cipher Block Chaining (CBC) algorithm that
uses a 256-bit key.
l AES256GCM
l ARIA128: A 128-bit block size that uses a 128-bit key.
l ARIA192: A 128-bit block size that uses a 192- bit key.
l ARIA256: A 128-bit block size that uses a 256-bit key.
l CHACHA20POLY1305: Arbitrary length, 96-bit nonce, and 256-bit key.
l DES: Data Encryption Standard, a 64-bit block algorithm that uses a
56-bit key.
l SEED: A 16-round Feistel network with 128-bit blocks and a 128-bit key.
Select either of the following authentication message digests to check the
authenticity of messages during phase 1 negotiations:
l MD5: Message Digest 5, the hash algorithm developed by RSA Data
Security.
l SHA1: Secure Hash Algorithm 1, which produces a 160-bit message
digest.
l SHA256: Secure Hash Algorithm 2, which produces a 256-bit message
digest.
l SHA384: Secure Hash Algorithm 2, which produces a 384-bit message
digest.
l SHA512: Secure Hash Algorithm 2, which produces a 512-bit message
digest.
Note: If the encryption is GCM or CHACHA20POLY1305, the authentication
options are PRFSHA1, PRFSHA256, PRFSHA384, and PRFSHA512.
To specify more combinations, use the Add button beside any of the table
rows.
IPsec Security (Phase 2) Properties Define the Phase 2 proposal settings.
When you define phase 2 parameters, you can choose any set of phase 1
parameters to set up a secure connection for the tunnel and authenticate
the remote peer. Auto Key configuration applies to both tunnel-mode and
interface-mode VPNs.
Encryption / Authentication Select the encryption and authentication algorithms used to generate keys
for protecting negotiations, and add encryption and authentication
algorithms as required.
You need to select at least one combination. The remote peer or client must
be configured to use at least one of the proposals that you define.
It is invalid to set both Encryption and Authentication to NULL.
Select one of the following symmetric-key encryption algorithms:
l 3DES: Triple-DES, in which plain text is encrypted three times by three
keys.
l AES128: A 128-bit block Cipher Block Chaining (CBC) algorithm that
uses a 128-bit key.
l AES128GCM: AES128 Galois/Counter Mode (GCM).
l AES192: A 128-bit block Cipher Block Chaining (CBC) algorithm that
uses a 192-bit key.
l AES256: A 128-bit block Cipher Block Chaining (CBC) algorithm that
uses a 256-bit key.
l AES256GCM
l ARIA128: A 128-bit block size that uses a 128-bit key.
l ARIA192: A 128-bit block size that uses a 192- bit key.
l ARIA256: A 128-bit block size that uses a 256-bit key.
l CHACHA20POLY1305: Arbitrary length, 96-bit nonce, and 256-bit key.
l DES: Data Encryption Standard, a 64-bit block algorithm that uses a
56-bit key.
l NULL: Do not use an encryption algorithm.
l SEED: A 16-round Feistel network with 128-bit blocks and a 128-bit key.
Select either of the following authentication message digests to check the
authenticity of messages during phase 2 negotiations:
l NULL: Do not use a message digest.
l MD5: Message Digest 5, the hash algorithm developed by RSA Data
Security.
l SHA1: Secure Hash Algorithm 1, which produces a 160-bit message
digest.
l SHA256: Secure Hash Algorithm 2, which produces a 256-bit message
digest.
l SHA384: Secure Hash Algorithm 2, which produces a 384-bit message
digest.
l SHA512: Secure Hash Algorithm 2, which produces a 512-bit message
digest.
Note: If the encryption is GCM or CHACHA20POLY1305, no authentication
options can be selected.
To specify more combinations, use the Add button beside any of the table
rows.
VPN Zone Select to create VPN zones. When enabled, you can select to create default
or custom zones. When disabled, no VPN zones are created.
Create Default Zones Select to have default zones created for you.
Use Custom Zone Select to choose what zones to create.
IKE Security Phase 1 Advanced Properties
Diffie-Hellman Group(s) Select one or more of the following Diffie-Hellman (DH) groups: 1, 2, 5, 14,
15, 16, 17, 18, 19, 20, 21, 27, 28, 29, 30, 31.
At least one of the DH group settings on the remote peer or client must
match one of the selections on the FortiGate unit. Failure to match one or
more DH groups will result in failed negotiations.
Groups 1 and 2 (768-bit and 1024-bit MODP) are considered weak; prefer
group 14 or higher, or the elliptic-curve groups 19 to 21.
Only one DH group is allowed for static and dynamic DNS gateways in
aggressive mode.
Exchange Mode Select either Aggressive or Main (ID Protection).
The FortiGate unit and the remote peer or dialup client exchange phase 1
parameters in either Main (ID Protection) or Aggressive mode. This choice
does not apply if you use IKE version 2, which is available only for route-
based configurations.
l In Main mode, the Phase 1 parameters are exchanged in multiple
rounds with encrypted authentication information.
l In Aggressive mode, the Phase 1 parameters are exchanged in a single
message with authentication information that is not encrypted.
Main mode is more secure: in Aggressive mode the peer identity and the
hash derived from the pre-shared key are sent in the clear, so a passive
observer can capture them and attempt an offline brute-force attack on the
key. You must nevertheless select Aggressive mode if there is more than one
dialup Phase 1 configuration for the interface IP address, and the remote
VPN peer or client is authenticated using an identifier (local ID).
Descriptions of the peer options in this guide indicate whether Main or
Aggressive mode is required.
Key Life Type the time (in seconds) that must pass before the IKE encryption key
expires. When the key expires, a new key is generated without interrupting
service. The keylife can be from 120 to 172800 seconds.
Dead Peer Detection Select this checkbox to reestablish VPN tunnels on idle connections and
clean up dead IKE peers if required. You can use this option to receive
notification whenever a tunnel goes up or down, or to keep the tunnel
connection open when no traffic is being generated inside the tunnel. For
example, in scenarios where a dialup client or dynamic DNS peer connects
from an IP address that changes periodically, traffic may be suspended
while the IP address changes.
IPsec Security Phase 2 Advanced Properties
Diffie-Hellman Group(s) Select one or more of the following Diffie-Hellman (DH) groups: 1, 2, 5, 14,
15, 16, 17, 18, 19, 20, 21, 27, 28, 29, 30, 31.
At least one of the DH group settings on the remote peer or client must
match one the selections on the FortiGate unit. Failure to match one or
more DH groups will result in failed negotiations.
Only one DH group is allowed for static and dynamic DNS gateways in
aggressive mode.
Replay detection Select to enable or disable replay detection. Replay attacks occur when an
unauthorized party intercepts a series of IPsec packets and replays them
back into the tunnel.
Perfect forward secrecy (PFS) Select to enable or disable perfect forward secrecy (PFS).
Perfect forward secrecy (PFS) improves security by forcing a new Diffie-
Hellman exchange whenever keylife expires.
Key Life Select the PFS key life. Select Second, Kbytes, or Both from the dropdown
list and type the value in the text field.
Autokey Keep Alive Select to enable or disable autokey keep alive.
The phase 2 SA has a fixed duration. If there is traffic on the VPN as the SA
nears expiry, a new SA is negotiated and the VPN switches to the new SA
without interruption. If there is no traffic, the SA expires and the VPN tunnel
goes down. A new SA will not be generated until there is traffic.
The Autokey Keep Alive option ensures that a new SA is negotiated even if
there is no traffic so that the VPN tunnel stays up.
Auto-Negotiate Select to enable or disable auto-negotiation.
NAT Traversal Select the checkbox if a NAT device exists between the local FortiGate unit
and the VPN peer or client. The local FortiGate unit and the VPN peer or
client must have the same NAT traversal setting (both selected or both
cleared) to connect reliably.
Keep-alive Frequency If NAT traversal is enabled or forced, type a keep-alive frequency setting
(10-900 seconds).
Advanced Options For more information on advanced options, see the FortiOS CLI Reference.
fcc-enforcement Enable or disable FCC enforcement.
inter-vdom Enable or disable the inter-vdom setting.
localid-type Select the local ID type from the dropdown list. Select one of:
l address: IP Address
l asn1dn: ASN.1 Distinguished Name
l auto: Select type automatically
l fqdn: Fully Qualified Domain name
l keyid: Key Identifier ID
l user-fqdn: User Fully Qualified Domain Name
negotiate-timeout Enter the negotiation timeout value. The default is 30 seconds.
npu-offload Enable (default) or disable offloading of VPN session to a network
processing unit (NPU).
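The proposal, DH group, and pre-shared key rules in the table above can be checked mechanically before a policy package is installed. The following is an added example written for this page, not FortiManager or FortiOS code: it parses a FortiOS-style config block (the sample block is constructed, and the field names proposal, dhgrp, mode and psksecret are assumed to follow the FortiOS phase1-interface and phase2-interface syntax) and then applies the rules from the table: AEAD ciphers (GCM, CHACHA20POLY1305) take only a PRF in phase 1 and no authentication in phase 2, NULL encryption with NULL authentication is invalid, the peers must share a DH group, aggressive mode permits one DH group, and a pre-shared key should have at least 16 random characters. The set of algorithms it reports as weak is the example's own choice.

```python
# Added example (not FortiManager or FortiOS code): parse FortiOS-style
# "config / edit / set / next / end" text and audit the IKE phase 1 and
# phase 2 settings against the rules in the VPN community settings table.
import secrets
import string

AEAD = {"aes128gcm", "aes256gcm", "chacha20poly1305"}
CIPHERS = AEAD | {"des", "3des", "aes128", "aes192", "aes256",
                  "aria128", "aria192", "aria256", "seed"}
HASHES = {"md5", "sha1", "sha256", "sha384", "sha512"}
PRFS = {"prfsha1", "prfsha256", "prfsha384", "prfsha512"}
WEAK = {"des", "3des", "md5", "sha1"}  # assumption: what this audit flags as weak

def parse_fos(text):
    """One level of FortiOS CLI config -> {table: {entry: {key: [values]}}}."""
    tables, stack = {}, []  # stack holds [table name, entry name]
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "config":
            stack = [" ".join(parts[1:])]
            tables.setdefault(stack[0], {})
        elif parts[0] == "edit" and len(stack) == 1:
            stack.append(parts[1].strip('"'))
            tables[stack[0]][stack[1]] = {}
        elif parts[0] == "set" and len(stack) == 2:
            tables[stack[0]][stack[1]][parts[1]] = [v.strip('"') for v in parts[2:]]
        elif parts[0] == "next" and len(stack) == 2:
            stack.pop()
        elif parts[0] == "end":
            stack = []
    return tables

def check_proposal(token, phase):
    """Problems with one token such as 'aes256-sha256', 'aes256gcm-prfsha384'
    (phase 1) or 'aes256gcm' (phase 2); an empty list means the token is valid."""
    enc, _, auth = token.lower().partition("-")
    problems = []
    if enc not in CIPHERS and not (phase == 2 and enc == "null"):
        return [f"{token}: '{enc}' is not a phase {phase} cipher"]
    if enc in AEAD:
        # AEAD ciphers authenticate themselves: a PRF only in phase 1, nothing in phase 2
        if phase == 1 and auth not in PRFS:
            problems.append(f"{token}: AEAD cipher needs a prfsha* PRF in phase 1")
        if phase == 2 and auth:
            problems.append(f"{token}: AEAD cipher takes no authentication in phase 2")
    elif phase == 2 and enc == "null" and auth == "null":
        problems.append(f"{token}: encryption and authentication cannot both be null")
    elif auth not in HASHES and not (phase == 2 and auth == "null"):
        problems.append(f"{token}: '{auth}' is not a phase {phase} authentication")
    problems += [f"{token}: '{alg}' is weak" for alg in (enc, auth) if alg in WEAK]
    return problems

def check_dh(local, remote, aggressive):
    """Peers must share a DH group; aggressive mode allows exactly one group."""
    problems = []
    if not set(local) & set(remote):
        problems.append("no DH group in common with the peer; negotiation will fail")
    if aggressive and len(local) != 1:
        problems.append("aggressive mode allows exactly one DH group")
    return problems

def psk_rating(psk):
    """'reject' under the 6 printable-character minimum, 'weak' under the
    recommended 16 characters, else 'ok' (randomness itself cannot be checked)."""
    if len(psk) < 6 or not psk.isprintable():
        return "reject"
    return "weak" if len(psk) < 16 else "ok"

def generate_psk(length=32):
    """Random alphanumeric pre-shared key from the OS CSPRNG."""
    return "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(length))

def audit(config_text, peer_dhgrp):
    """Return {entry name: [problems]} for every phase 1 and phase 2 entry."""
    tables, report = parse_fos(config_text), {}
    for name, p1 in tables.get("vpn ipsec phase1-interface", {}).items():
        probs = [x for tok in p1.get("proposal", []) for x in check_proposal(tok, 1)]
        probs += check_dh([int(g) for g in p1.get("dhgrp", [])], peer_dhgrp,
                          p1.get("mode", ["main"])[0] == "aggressive")
        if psk_rating(p1.get("psksecret", [""])[0]) != "ok":
            probs.append("pre-shared key is below the recommended 16 random characters")
        report[name] = probs
    for name, p2 in tables.get("vpn ipsec phase2-interface", {}).items():
        report[name] = [x for tok in p2.get("proposal", []) for x in check_proposal(tok, 2)]
    return report

# Constructed sample; field names follow FortiOS phase1/phase2-interface syntax (assumption).
SAMPLE = """config vpn ipsec phase1-interface
    edit "hq-to-branch"
        set mode aggressive
        set proposal aes256gcm-prfsha384 3des-md5
        set dhgrp 14 19
        set psksecret Secret1
    next
end
config vpn ipsec phase2-interface
    edit "hq-to-branch-p2"
        set proposal aes256gcm null-null
    next
end
"""
```

Running audit(SAMPLE, peer_dhgrp=[19, 20]) reports four problems for the phase 1 entry (3DES and MD5 are weak, two DH groups in aggressive mode, a short pre-shared key) and one for the phase 2 entry (null-null). On a configuration exported from a FortiGate the psksecret value is stored encrypted, so the key-length check is meaningful only for the cleartext key you intend to set; generate_psk() produces one that satisfies the 16-character recommendation.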
View IPsec VPN community details
The VPN community information pane includes a quick status bar showing the community settings and the list of
gateways in the community. Gateways can also be managed from this pane. See IPsec VPN gateways on page 247 for
information.
To view IPsec VPN community details:
1. Go to VPN Manager > IPsec VPN.
2. Select a community from the tree menu, or double-click on a community in the content pane. The community
information pane opens.
3. Select All VPN Communities in the tree menu to return to the VPN community list.
Editing an IPsec VPN community
To edit a VPN community, you must be logged in as an administrator with sufficient privileges. The community name
and topology cannot be edited.
To edit IPsec VPN communities:
1. Go to VPN Manager > IPsec VPN.
2. Do one of the following:
l Double-click on a community or select it in the tree menu, then click Edit in the quick status bar or select VPN
Community > Edit.
l Right-click on a community and select Edit from the menu.
l Select a community, then click Edit in the toolbar.
The Edit VPN Community page is displayed.
3. Edit the settings as required, and then select OK to apply the changes.
For descriptions of the settings, see VPN community settings on page 239.
Deleting VPN communities
To delete a VPN community or communities, you must be logged in as an administrator with sufficient privileges.
To delete VPN communities:
1. Go to VPN Manager > IPsec VPN.
2. Do one of the following:
l Select the community in the tree, then select VPN Community > Delete.
l Select the community or communities from the content pane list, then click Delete in the toolbar.
l Select the community or communities from the content pane list or tree menu, then right-click and select
Delete.
3. Select OK in the confirmation box to delete the VPN community or communities.
Monitoring IPsec VPN tunnels
Go to VPN Manager > Monitor to view the list of IPsec VPN tunnels. You can also bring the tunnels up or down on this
pane. Select a specific community from the tree menu to show only that community's tunnels.
To bring tunnels up or down:
1. Go to VPN Manager > Monitor.
2. Find and select the tunnel or tunnels that you need to bring up or down in the list.
3. Click Bring Tunnel Up or Bring Tunnel Down from the toolbar or right-click menu.
4. Select OK in the confirmation dialog box to apply the change.
Map View
The Map View pane shows IPsec VPN connections on an interactive world map (Google Maps). Select a specific
community from the tree menu to show only that community's tunnels.
Hovering the cursor over a connection will highlight the connection and show the gateway, ADOM, and city names for
each end of the tunnel.
The following options are available:
Topology View The topology view shows the configured VPN gateways. See IPsec VPN
gateways on page 247.
Traffic View The traffic view shows network traffic through the tunnels between protected
subnets.
Show Table Select to show the connection table on the bottom of the pane. In the topology
view, this option is only available when a specific community is selected.
l The topology table shows the VPN gateway list and toolbar, with a column
added for location. See Managing VPN gateways on page 247 for
information.
l The traffic table shows the same information and options as the Monitor tab.
See Monitoring IPsec VPN tunnels on page 245 for information.
Show Tunnel Down Only Select to show only tunnels that are currently down.
This option is only available on the traffic view.
Refresh Click to refresh the map view, or click the down arrow and select a refresh rate
from the dropdown menu.
Toggle Full Screen Click to view the map in full screen mode. Press Esc to return to the windowed
view.
If necessary, the location of a device can be manually configured when editing the device; see
Editing device information on page 72.
IPsec VPN gateways
A VPN gateway functions as one end of a VPN tunnel. It receives incoming IPsec packets, decrypts the encapsulated
data packets, then passes the data packets to the local network. It also encrypts, encapsulates, and sends the IPsec
data packets to the gateway at the other end of the VPN tunnel.
The IP address of a VPN gateway is usually the IP address of the network interface that connects to the Internet. You
can also define a secondary IP address for the interface, and use that address as the local VPN gateway address, so
that your existing setup is not affected by the VPN settings.
Once you have created the IPsec VPN topology, you can create managed and external gateways.
Managing VPN gateways
Go to VPN Manager > IPsec VPN, then select a community from the tree menu, or double-click on a community in the
list, to manage the VPN gateways in that community.
The following options are available:
Create New Create a new managed or external gateway. See Creating managed gateways on
page 247 and Creating external gateways on page 252 for more information.
Edit Edit the selected gateway. See Editing an IPsec VPN gateway on page 253.
Delete Delete the selected gateway or gateways. See Deleting VPN gateways on page
253.
Column Settings Configure which columns are displayed, or click Reset to Default to reset the
display to the default columns.
Search Enter a search term to search the gateway list.
Creating managed gateways
The settings available when creating a managed gateway depend on the VPN topology type, and how the gateway is
configured.
Managed gateways are managed by FortiManager in the current ADOM. Devices in a different ADOM can be treated as
external gateways. VPN configuration must be handled manually by the administrator in that ADOM. See Creating
external gateways on page 252.
To create a managed gateway:
1. Go to VPN Manager > IPsec VPN.
2. Select a community from the tree menu, or double-click on a community in the list.
3. On the community information content pane, in the toolbar, select Create New > Managed Gateway.
The VPN Gateway Setup Wizard opens.
4. Proceed through the five pages of the wizard, filling in the following values as required, then click OK to create the
managed gateway.
Protected Subnet Select a protected subnet from the dropdown list.
Role Select the role of this gateway: Hub or Spoke.
This option is only available for star and dial up VPN topologies.
Device Select a device from the dropdown list.
Default VPN Interface Select the interface to use for this gateway from the dropdown list.
Hub-to-Hub Interface Select the interface to use for hub to hub communication. This is required if
there are multiple hubs.
This option is only available for star and dial up topologies with the role set to
Hub.
Local Gateway Enter the local gateway IP address.
Local ID Enter a local ID.
Routing Select the routing method: Manual (via Device Manager) or Automatic.
Summary Network(s) Select the network from the dropdown list and select the priority. Click the add
icon to add more entries.
This option is only available for star and dial up topologies with the role set to
Hub.
Peer Type Select one of the following:
l Accept any peer ID
l Accept this peer ID: Enter the peer ID in the text field
l Accept a dialup group: Select a group from the dropdown list
l Accept peer: Select a peer from the dropdown list
l Accept peer group: Select a peer group from the dropdown list
A Local ID is an alphanumeric value assigned in the Phase 1 configuration.
The local ID of a peer is called a Peer ID. The Local ID or peer ID can be used
to uniquely identify one end of a VPN tunnel, enabling a more secure
connection. If you have multiple VPN tunnels negotiating, this ensures the
proper remote and local ends connect.
When you configure the ID on your end, it is your local ID. When the remote
end connects to you, they see it as your peer ID. If you are debugging a VPN
connection, the local ID is part of the VPN negotiations. You can use it to help
troubleshoot connection problems.
The default configuration is to accept all local IDs (peer IDs). If your local ID is
set, the remote end of the tunnel must be configured to accept your ID.
This option is only available for dial up topologies.
XAUTH Type Select the XAUTH type: Disable, PAP Server, CHAP Server, or AUTO
Server.
This option is only available for dial up topologies.
User Group Select the authentication user group from the dropdown list.
This field is available when XAUTH Type is set to PAP Server, CHAP
Server, or AUTO Server.
When the FortiGate unit is configured as an XAuth server, enter the user
group to authenticate remote VPN peers. The user group can contain local
users, LDAP servers, and RADIUS servers. The user group must be added to
the FortiGate configuration before the group name can be cross referenced.
Enable IKE Configuration Method ("mode config") Select to enable or disable IKE configuration method.
This option is only available for dial up topologies.
Enable IP Assignment Select to enable or disable IP assignment.
This option is only available for dial up topologies. When the role is set to
Hub, this option is only available when Enable IKE Configuration Method is
on.
IP Assignment Mode Select the IP assignment mode: Range or User Group.
This option is only available for dial up topologies with the role set to Hub and
Enable IP Assignment turned on.
IP Assignment Type Select the IP assignment type: IP or Subnet.
This option is only available for dial up topologies with the role set to Hub and
Enable IP Assignment turned on.
IPv4 Start IP Enter the IPv4 start IP address.
This option is only available for dial up topologies with the role set to Hub and
Enable IP Assignment turned on.
IPv4 End IP Enter the IPv4 end IP address.
This option is only available for dial up topologies with the role set to Hub and
Enable IP Assignment turned on.
IPv4 Netmask Enter the IPv4 netmask.
This option is only available for dial up topologies with the role set to Hub and
Enable IP Assignment turned on.
Add Route Select to enable or disable adding a route for this gateway.
This option is only available for dial up topologies.
DNS Server #1 to #3 Enter the DNS server IP addresses that IKE Configuration Method provides to
clients.
This option is only available for dial up topologies with the role set to Hub and
either Enable IKE Configuration Method turned on, or DNS Service set to
Specify.
WINS Server #1 and #2 Enter the WINS server IP addresses that IKE Configuration Method provides to
clients.
This option is only available for dial up topologies with the role set to Hub and
Enable IKE Configuration Method turned on.
IPv4 Split include Select the address or address group from the dropdown list.
This option is only available for dial up topologies with the role set to Hub and
Enable IKE Configuration Method turned on.
Exclusive IP Range Enter the start and end IP addresses of the exclusive IP address range. Click
the add icon to add more entries.
This option is only available for dial up topologies with the role set to Hub and
either Enable IKE Configuration Method and Enable IP Assignment turned
on, or Enable IKE Configuration Method turned off.
DHCP Server Select to enable or disable DHCP server.
This option is only available for dial up topologies with the role set to Hub and
Enable IKE Configuration Method turned off.
Default Gateway Enter the default gateway IP address.
This option is only available for dial up topologies with the role set to Hub and
Enable IKE Configuration Method turned off.
DNS Service Select Use System DNS setting to use the system's DNS settings, or
Specify to specify DNS servers #1 to #3.
This option is only available for dial up topologies with the role set to Hub and
Enable IKE Configuration Method turned off.
Netmask Enter the netmask.
This option is only available for dial up topologies with the role set to Hub and
Enable IKE Configuration Method turned off.
IPsec Lease Hold Enter the IPsec lease hold time.
This option is only available for dial up topologies with the role set to Hub and
Enable IKE Configuration Method turned off.
Auto-Configuration Select to enable or disable automatic configuration.
This option is only available for dial up topologies with the role set to Hub and
Enable IKE Configuration Method turned off.
DHCP Server IP Range Enter the start and end IP addresses of the DHCP server range. Click the add
icon to add more entries.
This option is only available for dial up topologies with the role set to Hub and
Enable IKE Configuration Method turned off.
Advanced Options
authpasswd Enter the XAuth client password for the FortiGate.
authusr Enter the XAuth client user name for the FortiGate.
banner Enter the banner value.
Specify the message to send to IKE Configuration Method clients. Some
clients display this message to users.
dns-mode Select the DNS mode from the dropdown list:
l auto: Assign DNS servers in the following order:
a. Servers assigned to interfaces by DHCP
b. Per-VDOM assigned DNS servers
c. Global DNS servers
l manual: Use the DNS servers specified in DNS Server #1 to #3.
domain Enter the domain value.
public-ip Enter the public IP address.
Use this field for a VPN on a dynamically addressed interface, for example a
PPPoE interface whose assigned public address in practice stays the same
over time; enter that address here.
route-overlap Select the route overlap method from the dropdown list: allow, use-new, or
use-old.
spoke-zone Select a spoke zone from the dropdown list.
unity-support Enable or disable unity support.
vpn-interface-priority Set the VPN gateway interface priority. The default value is 1.
vpn-zone Select a VPN zone from the dropdown list.
Creating external gateways
External gateways are not managed by the FortiManager device.
To create an external gateway:
1. Go to VPN Manager > IPsec VPN.
2. Select a community from the tree menu, or double-click on a community in the list.
3. On the community information content pane, in the toolbar, select Create New > External Gateway. The New
VPN External Gateway pane opens.
4. Configure the following settings, then clickOK to create the external gateway:
Node Type Select either Hub or Spoke from the dropdown list.
This option is only available for star and dial up VPN topologies.
Gateway Name Enter the gateway name.
Gateway IP Select the gateway IP address from the dropdown list.
Hub IP Select the hub IP address from the dropdown list.
This option is only available for star and dial up topologies with the role set to
Hub.
Create Phase2 per Protected Toggle the switch toOn to create a phase2 per protected subnet pair.
Subnet Pair
Routing Select the routing method: Manual (via DeviceManager, or Automatic.
This option is only available for full meshed and star topologies.
Peer Type Select one of the following:
l Accept any peer ID
l Accept this peer ID: Enter the peer ID in the text field
l Accept a dialup group: Select a group from the dropdown list
A Local ID is an alphanumeric value assigned in the Phase 1 configuration.
The local ID of a peer is called a Peer ID. The Local ID or peer ID can be used
to uniquely identify one end of a VPN tunnel, enabling a more secure
connection. If you have multiple VPN tunnels negotiating, this ensures the
proper remote and local ends connect.
FortiManager Administration Guide Fortinet Technologies Inc.VPN 253
When you configure the ID on your end, it is your local ID. When the remote
end connects to you, they see it as your peer ID. If you are debugging a VPN
connection, the local ID is part of the VPN negotiations. You can use it to help
troubleshoot connection problems.
The default configuration is to accept all local IDs (peer IDs). If your local ID is
set, the remote end of the tunnel must be configured to accept your ID.
This option is only available for dial up topologies.
Protected Subnet Select a protected subnet from the list. You can add multiple subnets.
Local Gateway Enter the local gateway IP address.
Editing an IPsec VPN gateway
To edit a VPN gateway, you must be logged in as an administrator with sufficient privileges. The gateway role and
device (if applicable) cannot be edited.
To edit IPsec VPN communities:
1. Go to VPN Manager > IPsec VPN.
2. Select a community from the tree menu, or double-click on a community in the list.
3. Double-click on a gateway, right-click on a gateway and then select Edit from the menu, or select the gateway then
click Edit in the toolbar. The Edit VPN Gateway pane opens.
4. Edit the settings as required, and then select OK to apply the changes.
Deleting VPN gateways
To delete a VPN gateway or gateways, you must be logged in as an administrator with sufficient privileges.
To delete VPN gateways:
1. Go to VPN Manager > IPsec VPN.
2. Select a community from the tree menu, or double-click on a community in the list.
3. Select the gateway or gateways you need to delete.
4. Click Delete in the toolbar, or right-click and select Delete.
5. Select OK in the confirmation box to delete the gateway or gateways.
VPN security policies
Once you have defined the IP source and destination addresses, the phase 1 authentication parameters, and the phase
2 parameters, you must define the VPN security policies.
FortiGate unit VPNs can be policy-based or route-based. There is little difference between the two types. In both cases,
you specify phase 1 and phase 2 settings. However, there is a difference in implementation. A route-based VPN creates
a virtual IPsec network interface that applies encryption or decryption as needed to any traffic that it carries. That is why
route-based VPNs are also known as interface-based VPNs. A policy-based VPN is implemented through a special
security policy that applies the encryption you specified in the phase 1 and phase 2 settings.
An IPsec security policy enables the transmission and reception of encrypted packets, specifies the permitted direction
of VPN traffic, and selects the VPN tunnel. In most cases, only a single policy is needed to control both inbound and
outbound IP traffic through a VPN tunnel.
For a route-based VPN, you create two security policies between the virtual IPsec interface and the interface that
connects to the private network. In one policy, the virtual interface is the source. In the other policy, the virtual interface
is the destination. The Action for both policies is Accept. This creates bidirectional policies that ensure traffic will flow in
both directions over the VPN.
For a policy-based VPN, one security policy enables communication in both directions. You must select IPSEC as the
Action and then select the VPN tunnel dynamic object you have mapped to the phase 1 settings. You can then enable
inbound and outbound traffic as needed within that policy, or create multiple policies of this type to handle different
types of traffic differently. For example, HTTPS traffic may not require the same level of scanning as FTP traffic.
Defining policy addresses
A VPN tunnel has two end points. These end points may be VPN peers, such as two FortiGate gateways. Encrypted
packets are transmitted between the end points. At each end of the VPN tunnel, a VPN peer intercepts encrypted
packets, decrypts the packets, and forwards the decrypted IP packets to the intended destination.
You need to define firewall addresses for the private networks behind each peer. You will use these addresses as the
source or destination address depending on the security policy.
In general:
- In a gateway-to-gateway, hub-and-spoke, dynamic DNS, redundant-tunnel, or transparent configuration, you need
to define a policy address for the private IP address of the network behind the remote VPN peer.
- In a peer-to-peer configuration, you need to define a policy address for the private IP address of a server or host
behind the remote VPN peer.
Defining security policies
Security policies allow IP traffic to pass between interfaces on a FortiGate unit. You can limit communication to
particular traffic by specifying source and destination addresses. Then only traffic from those addresses will be allowed.
Policy-based and route-based VPNs require different security policies.
A policy-based VPN requires an IPsec security policy. You specify the interface to the private network, the interface to
the remote peer and the VPN tunnel. A single policy can enable traffic inbound, outbound, or in both directions.
A route-based VPN requires an Accept security policy for each direction. As source and destination interfaces, you
specify the interface to the private network and the virtual IPsec interface of the VPN. The IPsec interface is the
destination interface for the outbound policy and the source interface for the inbound policy. One security policy must be
configured for each direction of each VPN interface.
If the security policy that grants the VPN connection is limited to certain services, DHCP must be included, otherwise the
client will not be able to retrieve a lease from the FortiGate’s (IPsec) DHCP server because the DHCP request (coming
out of the tunnel) will be blocked.
Before you define the IPsec policy, you must:
- Define the IP source and destination addresses.
- Specify the phase 1 authentication parameters.
- Specify the phase 2 parameters.
- Create a VPN Tunnel dynamic object (policy-based VPNs only).
You must define at least one IPsec policy for each VPN tunnel. If the same remote server or client requires access to
more than one network behind a local FortiGate unit, the FortiGate unit must be configured with an IPsec policy for
each network. Multiple policies may be required to configure redundant connections to a remote destination or control
access to different services at different times.
To ensure a secure connection, the FortiGate unit must evaluate IPSEC policies before ACCEPT and DENY security
policies. Because the FortiGate unit reads policies starting at the top of the list, you must move all IPsec policies to the
top of the list. When you define multiple IPsec policies for the same tunnel, you must reorder the IPsec policies that
apply to the tunnel so that specific constraints can be evaluated before general constraints.
When you define a route-based VPN, you create a virtual IPsec interface on the physical interface that connects to the
remote peer. You create ordinary Accept security policies to enable traffic between the IPsec interface and the interface
that connects to the private network. This makes configuration simpler than for policy-based VPNs, which require IPsec
security policies.
For more information on IPsec VPN, see the FortiOS Handbook in the Fortinet Document Library. See Managing
policies on page 166 for information on creating policies on your FortiManager.
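The ordering, direction and DHCP rules above, as an added audit script that is not part of this guide or of Fortinet's tooling: it parses a FortiOS-style firewall policy listing (only the set keys it needs) and reports policies that break those rules. The interface names, policy IDs and service names in the sample configuration are constructed.

```python
# Audit a FortiOS-style "config firewall policy" listing against the three VPN
# policy rules described above. Added example, not Fortinet code: it parses only
# the handful of "set" keys used here, and the sample configuration is constructed.
import re
from dataclasses import dataclass, field

LIST_KEYS = {"srcintf", "dstintf", "service"}


@dataclass
class Policy:
    pid: int
    action: str = "deny"  # FortiOS default action
    srcintf: list = field(default_factory=list)
    dstintf: list = field(default_factory=list)
    service: list = field(default_factory=list)
    vpntunnel: str = ""


def parse_policies(text: str) -> list:
    """Return the 'edit N' ... 'next' entries in file order, which is also the
    order in which the FortiGate evaluates them (top of the list first)."""
    policies, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"edit (\d+)", line):
            cur = Policy(pid=int(m.group(1)))
        elif line == "next" and cur is not None:
            policies.append(cur)
            cur = None
        elif (m := re.fullmatch(r"set (\S+) (.+)", line)) and cur is not None:
            key = m.group(1)
            values = [v.strip('"') for v in re.findall(r'"[^"]*"|\S+', m.group(2))]
            if key in LIST_KEYS:
                setattr(cur, key, values)
            elif key in ("action", "vpntunnel"):
                setattr(cur, key, values[0])
    return policies


def audit(policies: list, vpn_interfaces: list) -> list:
    """Return human-readable findings; an empty list means the listing passes."""
    findings = []
    # Rule 1: an IPsec (policy-based) policy must sit above the first plain
    # ACCEPT/DENY policy, otherwise a broader policy matches the traffic first.
    first_plain = next((i for i, p in enumerate(policies)
                        if p.action in ("accept", "deny")), None)
    for i, p in enumerate(policies):
        if p.action == "ipsec" and first_plain is not None and i > first_plain:
            findings.append(f"policy {p.pid}: IPsec policy is below accept/deny policy "
                            f"{policies[first_plain].pid}; move it to the top of the list")
    # Rule 2: a route-based VPN interface needs one Accept policy with it as
    # destination (outbound) and one with it as source (inbound).
    for intf in vpn_interfaces:
        if not any(p.action == "accept" and intf in p.dstintf for p in policies):
            findings.append(f"interface {intf}: no outbound accept policy (dstintf)")
        if not any(p.action == "accept" and intf in p.srcintf for p in policies):
            findings.append(f"interface {intf}: no inbound accept policy (srcintf)")
    # Rule 3: a service-restricted policy that grants the VPN must still allow
    # DHCP, or clients cannot get a lease from the FortiGate's IPsec DHCP server.
    for p in policies:
        grants_vpn = p.action == "ipsec" or any(i in vpn_interfaces
                                                for i in p.srcintf + p.dstintf)
        if grants_vpn and p.service and not {"ALL", "DHCP"} & set(p.service):
            findings.append(f"policy {p.pid}: service list {p.service} excludes DHCP")
    return findings


# Constructed sample: an outbound route-based policy for "to-branch" with no
# inbound twin, a plain LAN-to-WAN policy, and a dial-up IPsec policy below it
# that restricts services without DHCP.
SAMPLE_CONFIG = """
config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "to-branch"
        set action accept
        set service "ALL"
    next
    edit 2
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set service "ALL"
    next
    edit 3
        set srcintf "port2"
        set dstintf "port1"
        set action ipsec
        set service "HTTPS" "SSH"
        set inbound enable
        set outbound enable
        set vpntunnel "dialup"
    next
end
"""

if __name__ == "__main__":
    for finding in audit(parse_policies(SAMPLE_CONFIG), ["to-branch"]):
        print(finding)
```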
SSL VPN
You can use the VPN Manager > SSL-VPN pane to create and monitor Secure Sockets Layer (SSL) VPNs. You can
also create and manage SSL VPN portal profiles.
Manage SSL VPNs
Go to VPN Manager > SSL VPN to manage SSL VPNs.
The following options are available:
Add SSL VPN: Create a new SSL VPN with the Create SSL VPN dialog box. See Creating SSL VPNs on page 256.
Install Wizard: Launch the Install Wizard to install SSL VPN settings to devices.
Create New: Create a new SSL VPN with the Create SSL VPN pane. This option is also available from the right-click menu.
See Creating SSL VPNs on page 256.
Edit: Edit the selected VPN. This option is also available from the right-click menu. See Editing SSL VPNs on page 257.
Delete: Delete the selected VPN or VPNs. This option is also available from the right-click menu. See Deleting SSL VPNs
on page 257.
Search: Enter a search term to search the VPN list.
Creating SSL VPNs
To create SSL VPNs, you must be logged in as an administrator with sufficient privileges. Multiple VPNs can be created.
To add SSL-VPN:
1. Go to VPN Manager > SSL-VPN.
2. Click Add SSL VPN, or click Create New in the content toolbar. The Create SSL VPN dialog box or pane is
displayed.
3. Configure the following settings, then click OK to create the VPN.
Device: Select a FortiGate device or VDOM.
Connection Settings: Specify the connection settings.
  Listen on Interface(s): Define the interface the FortiGate will use to listen for SSL VPN tunnel requests. This is
  generally your external interface.
  Listen on Port: Enter the port number for HTTPS access.
  Restrict Access: Allow access from any hosts, or limit access to specific hosts. If limiting access, select the hosts
  that have access in the Hosts field.
  Idle Logout: Select to enable idle timeout. When enabled, enter the amount of time that the connection can remain
  inactive before timing out in the Inactive For field, in seconds (10 - 28800, default = 300). This setting applies to
  the SSL VPN session. The interface does not time out when web application sessions or tunnels are up.
  Server Certificate: Select the signed server certificate to use for authentication. Alternatively, select a certificate
  template that is configured to use the FortiManager CA. See Certificate templates on page 93.
  Require Client Certificate: Select to use group certificates for authenticating remote clients. When the remote client
  initiates a connection, the FortiGate unit prompts the client for its client-side certificate as part of the
  authentication process. For information on using PKI to provide client certificate authentication, see the
  Authentication Guide.
Tunnel Mode Client Settings: Specify tunnel mode client settings. These settings determine how tunnel mode clients are
assigned IP addresses.
  Address Range: Either automatically assign addresses, or specify custom IP ranges.
  DNS Server: Select to use the same DNS as the client system, or to specify DNS servers. Enter up to two DNS servers to
  be provided for the use of clients.
  Specify WINS Servers: Select to specify WINS servers. Enter up to two WINS servers to be provided for the use of
  clients.
  Allow Endpoint Registration: Select to allow endpoint registration.
Authentication/Portal Mapping: Select the users and groups that can access the tunnel. Note: the default portal cannot
be empty.
  Create New: Create a new authentication/portal mapping entry. Select the Users, Groups, Realm, and Portal, then click
  OK.
  Edit: Edit the selected mapping.
  Delete: Delete the selected mapping or mappings.
Advanced Options: Configure advanced SSL VPN options. For information, see the FortiOS CLI Reference:
http://help.fortinet.com/cli/fos60hlp/60/index.htm.
Editing SSL VPNs
To edit an SSL VPN, you must be logged in as an administrator with sufficient privileges. The device cannot be edited.
To edit an SSL VPN:
1. Go to VPN Manager > SSL VPN.
2. Double-click on a VPN, right-click on a VPN and then select Edit from the menu, or select the VPN then click Edit in
the toolbar. The Create SSL VPN pane opens.
3. Edit the settings as required, and then select OK to apply the changes.
Deleting SSL VPNs
To delete an SSL VPN or VPNs, you must be logged in as an administrator with sufficient privileges.
To delete SSL VPNs:
1. Go to VPN Manager > SSL VPN.
2. Select the VPN or VPNs you need to delete.
3. Click Delete in the toolbar, or right-click and select Delete.
4. Select OK in the confirmation box to delete the selected VPN or VPNs.
Portal profiles
The SSL VPN portal enables remote users to access internal network resources through a secure channel using a web
browser. FortiGate administrators can configure login privileges for system users as well as the network resources that
are available to the users.
There are three pre-defined default portal profiles:
- Full-access
- Tunnel-access
- Web-access
Each portal type includes similar configuration options. You can also create custom portal profiles.
To manage portal profiles, go to VPN Manager > SSL VPN and select Portal Profiles in the tree menu.
The following options are available:
Create New: Create a new portal profile.
Edit: Edit the selected profile.
Delete: Delete the selected profile or profiles.
Column Settings: Adjust the visible columns.
Search: Enter a search term to search the portal profile list.
Creating SSL VPN portal profiles
To create SSL VPN portal profiles, you must be logged in as an administrator with sufficient privileges. Multiple profiles
can be created.
To create portal profiles:
1. Go to VPN Manager > SSL-VPN and select Portal Profiles in the tree menu.
2. Click Create New in the toolbar, or right-click and select Create New. The Create New pane is displayed.
3. Configure the following settings, then select OK to create the profile.
Name: Enter a name for the portal.
Limit Users to One SSL VPN Connection at a Time: Set the SSL VPN tunnel so that each user can only be logged in to the
tunnel one time per user log in. Once they are logged in to the portal, they cannot go to another system and log in with
the same credentials until they log out of the first connection.
Tunnel Mode: Select to configure and enable tunnel mode access. These settings determine how tunnel mode clients are
assigned IPv4 addresses.
  Enable Split Tunneling: Select so that the VPN carries only the traffic for the networks behind the FortiGate unit. The
  user’s other traffic follows its normal route.
  Routing Address: If you enable split tunneling, you are required to set the address that your corporate network is
  using. Traffic intended for the routing address will not be split from the tunnel.
  Source IP Pools: Select an IPv4 pool for users to acquire an IP address when connecting to the portal. There is always
  a default pool available if you do not create your own.
IPv6 Tunnel Mode: Select to configure and enable tunnel mode access. These settings determine how tunnel mode clients
are assigned IPv6 addresses.
  Enable IPv6 Split Tunneling: Select so that the VPN carries only the traffic for the networks behind the FortiGate
  unit. The user’s other traffic follows its normal route.
  IPv6 Routing Address: If you enable split tunneling, you are required to set the address that your corporate network
  is using. Traffic intended for the routing address will not be split from the tunnel.
  Source IP Pools: Select an IPv6 pool for users to acquire an IP address when connecting to the portal. There is always
  a default pool available if you do not create your own.
Tunnel Mode Client Options: These options affect how the FortiClient application behaves when connected to the FortiGate
VPN tunnel. When enabled, a checkbox for the corresponding option appears on the VPN log in screen in FortiClient, and
is disabled by default.
  Allow client to save password: The user’s password is stored on the user’s computer and will automatically populate
  each time they connect to the VPN.
  Allow client to connect automatically: When the FortiClient application is launched, for example after a reboot or
  system start up, FortiClient will automatically attempt to connect to the VPN tunnel.
  Allow client to keep connections alive: The FortiClient connection will not shut down. When not selected, during periods
  of inactivity, FortiClient will attempt to stay connected every three minutes for a maximum of 10 minutes.
Enable Web Mode: Select to enable web mode access.
  Portal Message: The text header that appears on the top of the web portal.
  Theme: A color styling specifically for the web portal: blue, green, mariner, melongene, or red.
  Show Session Information: Display the Session Information widget on the portal page. The widget displays the log in
  name of the user, the amount of time the user has been logged in, and the inbound and outbound traffic statistics.
  Show Connection Launcher: Display the Connection Launcher widget on the portal page. Use the widget to connect to an
  internal network resource without adding a bookmark to the bookmark list. You select the type of resource and specify
  the URL or IP address of the host computer.
  Show Login History: Include user log in history on the web portal, then specify the number of history entries.
  User Bookmarks: Include bookmarks on the web portal. Bookmarks are used as links to internal network resources. When a
  bookmark is selected from a bookmark list, a pop-up window opens with the web page. Telnet, VNC, and RDP require a
  browser plugin. FTP and Samba replace the bookmarks page with an HTML file-browser.
  Pre-Defined Bookmarks: The list of predefined bookmarks. Click Create New to add a bookmark. See Predefined bookmarks on
  page 261 for information.
Enable FortiClient Download: Select to enable FortiClient downloads.
  Download Method: Select the method to use for downloading FortiClient from the SSL VPN portal. Choose between Direct
  and SSL-VPN Proxy. This option is only available when Enable FortiClient Download is On.
  Customize Download Location: Select to specify a custom location to use for downloading FortiClient. You can specify a
  location for FortiClient (Windows) and FortiClient (Mac). Type the URL in the Windows box and/or Mac box. This option is
  only available when Enable FortiClient Download is On.
Advanced Options: Configure advanced options. For information, see the FortiOS CLI Reference.
Predefined bookmarks
Bookmarks are used as links to specific resources on the network. When a bookmark is selected from a bookmark list, a
window opens with the requested web page. Telnet, RDP, and VNC open a window that requires a browser plug-in. FTP
replaces the bookmark page with an HTML file-browser.
A web bookmark can include log in credentials to automatically log the SSL VPN user into the web site. When the
administrator configures bookmarks, the web site credentials must be the same as the user’s SSL VPN credentials.
Users configuring their own bookmarks can specify alternative credentials for the web site.
Predefined bookmarks can be added to portal profiles when creating or editing a profile.
To create a predefined bookmark:
1. Go to VPN Manager > SSL-VPN and select Portal Profiles in the tree menu.
2. Edit an existing profile, or create a new profile. See Editing portal profiles on page 263 or Creating SSL VPN portal
profiles on page 258.
3. Click Create New in the Pre-Defined Bookmark field. Enable Web Mode must be selected for this field to be
available. The Create New Bookmark dialog box opens. The available options will vary depending on the selected type.
4. Configure the following settings, then select OK to create the bookmark.
Name: Enter a name for the bookmark.
Type: Select the bookmark type: CITRIX, FTP, HTTP/HTTPS, Port Forward, RDP, SMB, SSH, Telnet, or VNC.
URL: Enter the bookmark URL. This option is only available when Type is Citrix, or HTTP/HTTPS.
Folder: Enter the bookmark folder. This option is only available when Type is FTP or SMB.
Host: Enter the host name. This option is only available when Type is Port Forward, RDP, SSH, TELNET, or VNC.
Remote Port: Enter the remote port. This option is only available when Type is Port Forward.
Listening Port: Enter the listening port. This option is only available when Type is Port Forward.
Show Status Window: Enable to show the status window. This option is only available when Type is Port Forward.
Port: Enter the port number. This option is only available when Type is RDP or VNC.
Username: Enter the user name. This option is only available when Type is RDP.
Password: Enter the password. This option is only available when Type is RDP or VNC.
Keyboard Layout: Select the keyboard layout: German (QWERTZ), English (US), Unknown, French (AZERTY), Italian, or
Swedish. This option is only available when Type is RDP.
Security: Select the security type: Allow the server to choose the type of security, Network Level Authentication,
Standard RDP encryption, or TLS encryption. This option is only available when Type is RDP.
Description: Optionally, enter a description of the bookmark.
Single Sign-on: Select the SSO setting for links that require authentication: Disabled, Automatic, or Static. If Static
is selected, click the add icon, then enter the Name and Value to add SSO Form Data. Multiple fields can be added. Click
Remove to remove a field. When including a link using SSO use the entire URL, not just the IP address.
This option is only available when Type is Citrix, FTP, HTTP/HTTPS, RDP, or SMB. The Static option is only available when
Type is Citrix, HTTP/HTTPS, or RDP.
To edit a bookmark:
1. Go to VPN Manager > SSL-VPN and select Portal Profiles in the tree menu.
2. Edit an existing profile, or create a new profile. See Editing portal profiles on page 263 or Creating SSL VPN portal
profiles on page 258.
3. Click the Edit icon in the bookmark row. The Bookmark dialog box opens.
4. Edit the bookmark as required, then click OK to apply your changes.
To delete a bookmark:
1. Go to VPN Manager > SSL-VPN and select Portal Profiles in the tree menu.
2. Edit an existing profile, or create a new profile. See Editing portal profiles on page 263 or Creating SSL VPN portal
profiles on page 258.
3. Click the Delete icon in the bookmark row.
Editing portal profiles
To edit a portal profile, you must be logged in as an administrator with sufficient privileges. The device cannot be
edited.
To edit a portal profile:
1. Go to VPN Manager > SSL-VPN and select Portal Profiles in the tree menu.
2. Double-click on a profile, right-click on a profile and then select Edit from the menu, or select the profile then click
Edit in the toolbar. The Edit Portal Profile pane opens.
3. Edit the settings as required, and then select OK to apply the changes.
Deleting portal profiles
To delete a portal profile or profiles, you must be logged in as an administrator with sufficient privileges.
To delete portal profiles:
1. Go to VPN Manager > SSL-VPN and select Portal Profiles in the tree menu.
2. Select the profile or profiles you need to delete.
3. Click Delete in the toolbar, or right-click and select Delete.
4. Select OK in the confirmation box to delete the selected profile or profiles.
Monitor SSL VPNs
SSL VPNs can be monitored by going to VPN Manager > SSL VPN and selecting Monitor from the tree menu.
The following information is shown:
Device: The device or VDOM name.
User: The user name.
Remote Host: The remote host.
Last Login: The time of the last log in.
Active Connections: The number of active connections on the VPN.
Access Points
Use AP Manager to manage FortiAP access points.
The AP Manager pane includes the following tabs:
Managed APs: Displays unauthorized and authorized FortiAP devices. You can view, authorize, and edit authorized FortiAP
devices.
Monitor: Monitor FortiAP devices and the clients connected to them.
Map view: View the locations of FortiAP devices on Google Maps. You can create a floor map, add an image of a floor map,
and place the FortiAP devices on the map.
WiFi profiles: View, create, edit, and import AP profiles, SSIDs, and WIDS profiles.
The AP Manager pane allows you to manage, configure, and assign profiles to FortiAP devices. You can configure
multiple profiles that can be assigned to multiple devices. Profiles are installed to devices when you install
configurations to the devices.
In central management mode, WiFi templates share a common database. Templates can be applied to any device,
regardless of which FortiGate controller it is connected to. In per-device mode, all FortiAP devices and WiFi templates
(SSIDs, WIDS profiles, and AP profiles) are managed at the device level – there are no shared objects. The monitor and
map view tabs will only show information for FortiAP devices connected to the selected FortiGate controller. The mode
can be changed by editing the ADOM that contains the FortiGate controllers (Creating ADOMs on page 400).
The following steps provide an overview of using AP management to configure and install profiles:
1. Create AP profiles.
See WiFi profiles on page 281.
2. Assign profiles to FortiAP devices.
See Assigning profiles to FortiAP devices on page 273.
3. Install FortiAP profiles to devices.
On the Device Manager pane, select the FortiGate device that controls the FortiAP device, then select Install >
Install Config from the toolbar, and follow the prompts in the wizard. See Configuring a device on page 58.
Managed APs
The Managed APs pane allows you to manage FortiAP devices that are controlled by FortiGate devices that are
managed by the FortiManager.
FortiAP devices, listed in the tree menu, are grouped based on the controller that they are connected to. The devices
can also be further divided into platform based groups within a controller.
FortiAP devices can be managed centrally, or per-device (see Creating ADOMs on page 400). In per-device mode, all
WiFi profiles (SSIDs, AP profiles, and others), as well as managed FortiAP devices, are managed at the device level –
there are no shared objects.
Additional configuration options and short-cuts are available using the right-click content
menu. Right-click on the mouse on different parts of the navigation panes on the GUI page to
access these context menus.
If workspace or workflow is enabled, the ADOM must be locked before changes can be made.
See Locking an ADOM on page 406.
Go to AP Manager > Managed APs to manage FortiAP devices. Managed APs are organized by their FortiGate
controller and group. In per-device mode, there is no All_FortiGate group.
Quick status bar
You can quickly view the status of devices on the Managed AP pane by using the quick status bar, which contains the
following options:
- Managed APs
- Online
- Offline
- Unauthorized
- Rogue APs
- Client Connected
You can click each quick status to display in the content pane, or in a pop-up window, only the devices referenced in the
quick status.
To view the quick status bar:
1. Ensure that you are in the correct ADOM.
2. Go to AP Manager > Managed APs. The quick status bar is displayed above the content pane.
3. In the tree menu, select a FortiGate, group, or All_FortiGate if central management is enabled. The devices for the
group are displayed in the content pane, and the quick status bar updates.
4. Click on each quick status to filter the devices displayed on the content pane. For example, click Offline, and the
content pane will display only devices that are currently offline.
5. Click Rogue APs to open the rogue AP list in a pop-up window.
6. Click Client Connected to open a list of WiFi clients in a pop-up window.
Managing APs
FortiAP devices can be managed from the content pane below the quick status bar on the AP Manager > Managed APs
pane.
The following options are available from the toolbar and right-click menu:
Create New: Add an AP.
Edit: Edit the selected AP.
Delete: Delete the selected AP.
Assigned Profile: Assign a profile from the list to the AP. Only applicable profiles will be listed. See Assigning
profiles to FortiAP devices on page 273.
Column Settings: Click to select which columns to display or select Reset to Default to display the default columns.
Authorize: Authorize an unregistered AP. See Authorizing and deauthorizing FortiAP devices on page 273. This option is
also available in the toolbar by selecting More.
Deauthorize: Deauthorize a registered AP. See Authorizing and deauthorizing FortiAP devices on page 273. This option is
also available in the toolbar by selecting More.
Grouping: Move the selected FortiAP devices into a new group. The APs must be the same model to be grouped. See FortiAP
groups on page 272. This option is only available in the right-click menu.
Upgrade: Upgrade the AP. The AP must already be authorized. You can also select two or more AP devices of the same model
and upgrade the devices at the same time.
Restart: Restart the AP. This option is only available in the toolbar, by selecting More.
Refresh: Refresh the AP list, or refresh the selected FortiAP devices.
View Clients: View the clients connected to the AP. See Connected clients on page 275.
View Rogue APs: View the Rogue APs. See Rogue APs on page 273. This option is only available in the toolbar, by selecting
More.
Show on Google Map: Show the selected AP on Google Map. See Google map on page 278. This option is only available in the
right-click menu.
Show on Floor Map: Show the selected AP on the floor map. See Floor map on page 279. This option is only available in the
right-click menu.
Search: Enter a search string into the search field to search the AP list. This option is only available in the toolbar.
The following information is available in the content pane:
FortiGate: The FortiGate unit that is managing the AP.
Access Point: The serial number of the AP.
Connected Via: The IP address of the AP.
SSIDs: The SSIDs associated with the AP.
Channel: The wireless radio channels that the access point uses.
Clients: The number of clients connected to the AP. Select a value to open the View WiFi Clients window to view more
details about the clients connected to that radio. See Connected clients on page 275.
OS Version: The OS version on the FortiAP.
AP Profile: The AP Profile assigned to the device, if any.
Comments: User entered comments.
Country: The Country code that the FortiAP is using.
Join Time: The date and time that the FortiAP joined.
LLDP: The Link Layer Discovery Protocol.
Operating TX Power: The transmit power of the wireless radios.
Serials #: The serial number of the device.
WTP Mode: The Wireless Transaction Protocol (WTP) mode, or 0 if none.
To add a FortiAP:
1. Click Create New on the content pane toolbar. The Add FortiAP dialog box opens.
2. Enter the following information, then click OK to add the device:
FortiGate Select the FortiGate that the AP will be added to from the dropdown list. If you
have already selected a FortiGate in the tree menu, this field will contain that
FortiGate.
Serial Number Enter the device's serial number.
Name Enter a name for the device.
AP Profile Select an AP profile to apply to the device from the dropdown list. See AP
profiles on page 281.
To edit FortiAP devices:
1. In the tree menu, select the group or FortiGate that contains the FortiAP device to be edited.
2. Locate the FortiAP device in the list in the content pane, or refine the list by selecting an option from the quick
status bar.
3. Either select the FortiAP and click Edit from the toolbar, double-click on the FortiAP, or right-click on the FortiAP
and select Edit. The Config FortiAP window opens.
4. Edit the following options, then click Apply to apply your changes:
Serial Number The device’s serial number. This field cannot be edited.
Name The name of the AP.
Comments Comments about the AP, such as its location or function.
Managed AP Status Various information about the AP.
Status The status of the AP, such as Connected, or Idle.
Click Restart to restart the AP.
Connected Via The method by which the device is connected to the controller.
Base MAC Address The MAC address of the device.
Join Time The time that the AP joined.
Clients The number of clients currently connected to the AP.
State The state of the AP, such as Authorized, or Discovered.
Current The AP's current firmware version. Select Upgrade to upgrade the firmware to
a newer version if you have one available. See Firmware Management on
page 86.
FortiAP Profile Select a profile from the dropdown list (see AP profiles on page 281).
Bonjour Profile Select a profile from the dropdown list (see Bonjour profiles on page 302).
Override Radio Override the selected profile's settings.
Band If applicable, select the wireless band, and select the wireless protocol from
the dropdown list. The available options depend on the selected platform.
In two-radio devices, the two radios cannot use the same band.
Channels Select the channel or channels to include, or let them be automatically
assigned. The available channels depend on the selected platform and band.
TX Power Control Enable/disable automatic adjustment of transmit power.
l Auto: Enter the TX power low and high values, in dBm.
l Manual: Enter the TX power in the form of the percentage of the total
available power.
SSIDs Manually choose the SSIDs that APs using this profile will carry, or let them be
selected automatically.
Override AP Login Password Enable/disable overriding the login password:
l Set: Set the AP login password.
l Leave Unchanged: Leave the password unchanged.
l Set Empty: Remove the password.
Advanced Options Configure advanced options. For information, see the FortiOS CLI
Reference: http://help.fortinet.com/cli/fos60hlp/60/index.htm.
To delete FortiAP devices:
1. In the tree menu, select the group or FortiGate that contains the FortiAP device to be deleted.
2. Locate the FortiAP device in the list in the content pane, or refine the list by selecting an option from the quick
status bar.
3. Either select the FortiAP and click Delete from the toolbar, or right-click on the FortiAP and select Delete.
4. Click OK in the confirmation dialog box to delete the AP.
A FortiAP device cannot be deleted while it is in use, for example if a firewall profile has been
assigned to it.
To upgrade multiple FortiAP devices:
1. In the tree menu, select the group or FortiGate that contains the FortiAP device to be upgraded.
2. Select two or more FortiAP devices of the same model in the list in the content pane.
3. Right-click on the selected FortiAP devices and select Upgrade.
The Upgrade Firmware dialog box is displayed.
4. Select the firmware version for upgrade, and click Upgrade Now.
FortiAP groups
FortiAP devices can be organized into groups based on FortiAP platforms. A group can only contain one model of
FortiAP. A FortiAP can only belong to one group.
Groups are listed in the tree menu under the FortiGate they were created in. They can be created, edited, and deleted
as needed.
To create a FortiAP group:
1. In the Managed APs pane, select FortiAP Group > Create New from the toolbar. The Create New FortiAP Group
dialog box opens.
2. Configure the following:
Name Enter a name for the group.
FortiGate Select the FortiGate under which the group will be created.
Platform Select the FortiAP platform that the group will apply to.
FortiAPs Select FortiAPs to add to the group. Only FortiAPs in the selected FortiGate of the
selected platform will be available for selection.
3. Select OK to create the group.
To edit a group:
1. In the Managed APs pane, select a group from the tree menu, then select FortiAP Group > Edit from the toolbar.
2. Edit the group name and devices in the group as needed. The FortiGate and the platform cannot be changed.
3. Select OK to apply your changes.
To delete a group:
1. In the Managed APs pane, select a group from the tree menu.
2. Select FortiAP Group > Delete from the toolbar.
3. Select OK in the confirmation dialog box to delete the group.
Authorizing and deauthorizing FortiAP devices
To authorize FortiAP devices:
1. In the tree menu, select the group or FortiGate that contains the unauthorized FortiAP devices.
2. In the quick status bar, click Unauthorized. The unauthorized FortiAP devices are displayed in the content pane.
3. Select the FortiAP devices and either click More > Authorize from the toolbar, or right-click and select Authorize.
4. Select OK in the confirmation dialog box to authorize the selected devices.
To deauthorize FortiAP devices:
1. In the tree menu, select the group or FortiGate that contains the FortiAP devices to be deauthorized.
2. Select the FortiAP devices and either click More > Deauthorize from the toolbar, or right-click and select
Deauthorize.
3. Select OK in the confirmation dialog box to deauthorize the selected devices.
Assigning profiles to FortiAP devices
You use the AP Manager pane to assign profiles to FortiAP devices, and you use the Device Manager pane to install
profiles to FortiAP devices when you install a configuration to the FortiGate that controls the FortiAP device.
For more information about creating and managing AP profiles, see AP profiles on page 281.
To assign profiles to FortiAP devices:
1. In the tree menu, select the group or FortiGate that contains the FortiAP device the profile will be applied to.
2. Locate the FortiAP device in the list in the content pane, or refine the list by selecting an option from the quick
status bar.
3. Either select the FortiAP and click Assigned Profile from the toolbar, or right-click on the FortiAP and select
Assigned Profile. The Assign AP Profile window opens.
4. Select a FortiAP profile from the dropdown list, then click OK to assign the profile.
To install FortiAP profiles to devices:
1. Go to the Device Manager pane.
2. Select the FortiGate device that controls the FortiAP device.
3. Right-click and select Install Config, or select Install > Install Config from the toolbar.
4. Click OK in the confirmation dialog box to install the configuration to the device. See Configuring a device on page
58 for more information.
Rogue APs
A rogue AP is an unauthorized AP connected to your wired network. This can enable unauthorized access.
Click Rogue APs in the quick status bar to open the rogue AP list in a pop-up window.
The following options are available:
Mark As Mark a rogue AP as:
l Accepted: for APs that are an authorized part of your network or are
neighboring APs that are not a security threat.
l Rogue: for unauthorized APs that On-wire status indicates are attached to
your wired networks.
l Unclassified: the initial status of a discovered AP. You can change an AP
back to unclassified if you have mistakenly marked it as Rogue or Accepted.
Suppress AP Suppress the selected APs. This will prevent users from connecting to the AP.
When suppression is activated against an AP, the controller sends
deauthentication messages to the rogue AP’s clients posing as the rogue AP, and
also sends deauthentication messages to the rogue AP posing as its clients.
Before enabling this feature, verify that operation of Rogue Suppression is
compliant with the applicable laws and regulations of your region.
Unsuppress AP Turn off suppression for the selected rogue APs.
Refresh Refresh the rogue AP list.
Column Settings Click to select which columns to display or select Reset to Default to display the
default columns.
The following columns are available:
State The state of the AP:
l Suppressed: red suppressed icon
l Rogue: orange rogue icon
l Accepted: green wireless signal mark
l Unclassified: gray question mark
Status Whether the AP is active (green) or inactive (orange).
SSID The wireless service set identifier (SSID) or network name for the wireless
interface.
Security Type The type of security currently being used.
Channel The wireless radio channel that the access point uses.
MAC Address The MAC address of the wireless interface.
Vendor Info The name of the vendor.
Signal Strength The relative signal strength of the AP.
Detected By The name or serial number of the AP unit that detected the signal.
On-Wire A green up-arrow indicates a suspected rogue, based on the on-wire detection
technique. An orange down-arrow indicates that the AP is not a suspected rogue.
First Seen How long ago this AP was first detected. This column is not visible by default.
Last Seen How long ago this AP was last detected. This column is not visible by default.
Rate The data rate, in bps. This column is not visible by default.
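The triage an operator performs over this list (look at on-wire APs first, then anything active and weakly secured nearby, and leave Accepted entries alone) can be scripted from the same columns. The following is an added example, not FortiManager or FortiOS code: it assumes a CSV export using the column names above (the export format and the sample rows are constructed for this example), and it goes slightly beyond the page by also flagging any unclassified AP that broadcasts one of your own managed SSIDs, since such an AP is worth verifying even when on-wire detection has not seen it.

```python
"""Rank entries of a rogue AP list for operator review (added example)."""
import csv
import io
from dataclasses import dataclass, field

# Security types shown in the list that provide no or broken confidentiality.
WEAK_SECURITY = {"OPEN", "WEP 64", "WEP 128"}

# Constructed sample export; column names follow the rogue AP list. The
# FortiAP serials in "Detected By" are placeholders.
SAMPLE_EXPORT = """\
State,Status,SSID,Security Type,Channel,MAC Address,On-Wire,Signal Strength,Detected By
Unclassified,active,CorpWiFi,WPA2 Personal,6,aa:bb:cc:00:00:01,yes,-48,FAP-EXAMPLE-1
Unclassified,active,FreeWiFi,OPEN,11,aa:bb:cc:00:00:02,no,-55,FAP-EXAMPLE-1
Accepted,active,Cafe-Next-Door,WPA2 Personal,1,aa:bb:cc:00:00:03,no,-80,FAP-EXAMPLE-2
Rogue,inactive,OldPrinter,WEP 64,6,aa:bb:cc:00:00:04,yes,-70,FAP-EXAMPLE-2
Unclassified,active,Neighbor5G,WPA2 Personal,36,aa:bb:cc:00:00:05,no,-82,FAP-EXAMPLE-1
"""


@dataclass
class RogueEntry:
    state: str          # Suppressed / Rogue / Accepted / Unclassified
    status: str         # active / inactive
    ssid: str
    security: str       # Security Type column
    channel: int
    mac: str
    on_wire: bool       # True when on-wire detection flagged a suspected rogue
    signal: int         # relative signal strength in dBm (negative values)
    detected_by: str    # FortiAP that heard the beacon
    score: int = field(default=0, compare=False)
    reasons: list = field(default_factory=list, compare=False)


def parse_export(text):
    """Parse the constructed CSV export into RogueEntry objects."""
    entries = []
    for row in csv.DictReader(io.StringIO(text)):
        entries.append(RogueEntry(
            state=row["State"], status=row["Status"], ssid=row["SSID"],
            security=row["Security Type"], channel=int(row["Channel"]),
            mac=row["MAC Address"].lower(), on_wire=row["On-Wire"] == "yes",
            signal=int(row["Signal Strength"]), detected_by=row["Detected By"]))
    return entries


def triage(entries, managed_ssids, near_dbm=-60):
    """Return non-Accepted entries sorted by urgency, highest score first.

    Scores are additive weights chosen for this example; the reasons list
    explains every contribution so an operator can check the ranking.
    """
    ranked = []
    for e in entries:
        if e.state == "Accepted":
            continue  # already classified as ours or as a harmless neighbour
        e.score, e.reasons = 0, []
        if e.on_wire:
            e.score += 100
            e.reasons.append("on-wire: attached to the wired network")
        if e.ssid in managed_ssids:
            e.score += 50
            e.reasons.append("advertises one of our managed SSIDs")
        if e.security.upper() in WEAK_SECURITY:
            e.score += 20
            e.reasons.append(f"weak security ({e.security})")
        if e.signal >= near_dbm:
            e.score += 10
            e.reasons.append(f"strong signal ({e.signal} dBm), likely on premises")
        if e.status != "active":
            e.score //= 2  # still worth a look, but not right now
            e.reasons.append("currently inactive")
        if e.score == 0:
            e.reasons.append("no indicators; classify as Accepted or keep watching")
        ranked.append(e)
    ranked.sort(key=lambda x: (-x.score, x.mac))
    return ranked


if __name__ == "__main__":
    for entry in triage(parse_export(SAMPLE_EXPORT), {"CorpWiFi"}):
        print(f"{entry.score:4d} {entry.mac} {entry.ssid!r:18} {'; '.join(entry.reasons)}")
```

With the constructed sample the on-wire AP that also spoofs CorpWiFi ranks first, the inactive WEP printer that was seen on the wire second, the open hotspot third, and the distant neighbour last; Accepted entries never appear in the output.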
Connected clients
To view connected wireless clients, click Client Connected in the quick status bar to open the WiFi client list in a pop-up
window that lists all the clients in the selected FortiGate or group.
To view the clients connected to specific APs, select the APs in the content pane, then right-click on them and select
View Clients.
The following columns are available:
SSID The SSID that the client connected to.
FortiAP The serial number of the FortiAP unit that the client connected to.
IP The IP address assigned to the wireless client.
Device The type of device that the client is using.
Channel The wireless radio channel that is used.
Bandwidth Tx/Rx Client received and transmitted bandwidth, in Kbps.
Signal Strength/Noise The signal-to-noise ratio in dB calculated from signal strength and noise level.
Signal Strength The relative signal strength of the AP.
Association Time How long the client has been connected to this access point.
Authentication The type of authentication used.
Bandwidth RX Client received bandwidth, in Kbps.
Bandwidth TX Client transmitted bandwidth, in Kbps.
Device OS The OS version on the FortiAP.
Host Information The host name of the WiFi client, if available.
Idle Time The amount of time that the client has been idle.
Manufacturer The manufacturer of the client device.
Rate The connection rate between the WiFi client and the AP.
Name The name of the FortiGate device that the FortiAP is attached to.
Monitor
The Monitor pane includes a listing of connected clients, and a health monitor that displays information about all the APs
for the selected FortiGate or group in widgets.
Clients Monitor
The client monitor lists information about connected clients. Go to AP Manager > Monitor and select the Clients
Monitor tab in the content pane to view the list. Select a specific FortiGate or group in the tree menu to filter the listed
clients.
You can search the table by entering a search term in the search field in the toolbar. The visible columns can be
adjusted by selecting Column Settings in the toolbar. The following columns are available:
SSID The SSID that the client connected to.
FortiAP The serial number of the FortiAP unit that the client connected to.
IP The IP address assigned to the wireless client.
Device The type of device that the client is using.
Channel The wireless radio channel that is used.
Bandwidth TX/RX Client received and transmitted bandwidth, in Kbps.
Signal Strength/Noise The signal-to-noise ratio in dB calculated from signal strength and noise level.
Signal Strength The relative signal strength of the AP.
Association Time How long the client has been connected to this access point.
Authentication The type of authentication used.
Bandwidth RX Client received bandwidth, in Kbps.
Bandwidth TX Client transmitted bandwidth, in Kbps.
Device OS The OS version on the FortiAP.
Host Information The host name of the WiFi client, if available.
Idle Time The amount of time that the client has been idle.
Manufacturer The manufacturer of the client device.
Rate The connection rate between the WiFi client and the AP.
Name The name of the FortiGate device that the FortiAP is attached to.
Health Monitor
Go to AP Manager > Monitor, select a FortiGate or group from the tree menu, and select the Health Monitor tab in the
content pane to open the health monitor.
Widgets can be moved by clicking and dragging their title bar into different locations on the screen. The information in
the widgets can be refreshed by clicking the refresh icon in the widget title bar. Widgets with tables can be sorted by any
column by clicking the column name.
The following widgets are shown:
Widget Description
AP Status Displays a bar graph of:
l Uptime > 24 hours: The number of APs that have been up for
over 24 hours.
l Rebooted within 24 hours: the number of APs that have been
rebooted within the past 24 hours.
l Down/Missing: Down or missing APs.
Select a specific column to view a table of the APs represented in that
column, along with other relevant information, such as the APs' IP
address, and the time of its last reboot.
Select the name of a column in the legend to add or remove it from
the graph.
This widget is only available when the All FortiAPs group is selected
in the tree menu.
Client Count Over Time A graph of the number of connected clients over the specified time
period: 1 hour, 1 day, or 30 days.
This widget is only available when the All FortiAPs group is selected
in the tree menu.
Top Client Count Per-AP (2.4 GHz or 5 GHz Band) Lists the number of clients in the 2.4GHz and 5GHz band for each
FortiAP. Also includes columns for the channel and bandwidth of the AP.
Top Wireless Interference (2.4 GHz or 5 GHz Band) Lists the number of interfering APs in the 2.4GHz and 5GHz band for
each FortiAP. Also includes columns for the channel and the number of MAC Errors for each AP.
Login Failures Information Lists the time of a login failure, the SSID involved, the Host
Name/MAC, and the User Name.
Map view
The Map View shows the FortiAP devices in two ways:
l Google Map - shows the FortiAP devices placed on Google Maps. See Google map on page 278.
l Floor Map - create a floor map, add an image of a floor map, and place the FortiAP devices on the map. See Floor
map on page 279.
Google map
Google Map shows all of the FortiGate devices on an interactive world map. Each FortiGate is designated by a map pin
in its geographic location on the map. The number of APs connected to the FortiGate is listed in the pin.
Clicking on a map pin opens a list of the APs connected to that FortiGate. Clicking on the name of an AP from the list
will zoom the map into that location and provide further information about the AP, including the serial number, IP
address, number of clients, usage, and the last time the AP was seen if it is offline.
Click on the number of clients to open the View WiFi Clients window (see Connected clients on page 275). Click on the
AP's serial number to open the Config FortiAP window, where you can edit the AP settings (see Managing APs on page
267).
Floor map
Floor Map allows you to create a customized map of your building, add an image of the floor layout, and place FortiAP
devices on the map.
To create a Floor Map:
1. Click Add Floor Map.
2. In the Add Floor Map screen, specify the following and click Next:
l Location - select a location or specify a new one.
l Building - select a building or specify a new one.
3. Specify the Address and click Next.
4. Specify the following and click Finish:
l Floor Description - specify a description for the floor. This is displayed as the name of the floor map.
l Floor Index - specify a numeric value. The floors are sorted from highest to lowest based on the Floor Index.
l Contact - specify a contact name.
l Phone Number - specify a phone number for this location.
l Floor Map - upload a file by dragging and dropping here or click Browse to select an image of your floor map.
To position FortiAP devices on the floor map:
1. Click Floor Map > [Floor Map name].
2. Click the image of the floor map.
3. Click Edit Mode to list the FortiAP devices in the Positioning APs pane.
4. Drag and drop the FortiAP devices from the Positioning APs pane to the image of the floor map.
5. Click Save and Return.
The FortiAP device is now shown on the floor map.
To view the properties of a FortiAP device:
1. Click Floor Map > [Floor Map name].
2. Click the image of the floor map.
3. Hover over the FortiAP device to view the following details:
l FortiAP Serial Number
l IP Address
l Number of Clients connected
l Usage
l Base MAC Address
l State
l Rogue APs
To remove FortiAP devices from the floor map:
1. Click Floor Map > [Floor Map name].
2. Click the image of the floor map.
3. Click Edit Mode.
4. Right-click the FortiAP device and select Remove from Floor Map.
5. Click Save and Return.
The FortiAP device is now removed from the Floor Map and added to the Positioning APs pane.
WiFi profiles
The WiFi Profiles pane allows you to create and manage SSIDs, and AP, Wireless Intrusion Detection System (WIDS),
Bluetooth, Quality of Service (QoS), and Bonjour profiles that can be assigned to managed FortiAP devices.
In per-device mode, templates are not shared between devices.
Settings may vary for different ADOM versions.
AP profiles
AP profiles define radio settings for FortiAP models. The profile specifies details such as the operating mode of the
device, SSIDs, and transmit power. Custom AP profiles can be created as needed for new devices.
To view AP profiles, ensure that you are in the correct ADOM, go to AP Manager > WiFi Profiles, and select AP Profile
in the tree menu.
The following options are available in the toolbar and right-click menu:
Create New Create a new AP profile.
Edit Edit the selected AP profile.
Delete Delete the selected AP profile.
Clone Clone the selected AP profile.
Import Import AP profiles from a connected FortiGate (toolbar only).
To create custom AP profiles:
1. On the AP Profile pane, click Create New in the toolbar, or select it from the right-click menu. The Create New AP
Profile window opens.
2. Enter the following information:
Name Type a name for the profile.
Comment Optionally, enter comments.
Platform Select the platform that the profile will apply to from the dropdown list.
Country/Region Select the country or region from the drop-down list.
AP Login Password Set, leave unchanged (default), or empty the AP login password.
Administrative Access Allow management access to the managed AP via telnet, http, https, and/or
ssh.
Radio 1 & 2 Configure the radio settings. The Radio 2 settings will only appear if the
selected platform has two radios.
Mode Select the radio operation mode:
l Disabled: The radio is disabled. No further radio settings are available.
l Access Point: The device is an access point.
l Dedicated Monitor: The device is a dedicated monitor. Only the WIDS
Profile setting is available.
WIDS Profile Select a WIDS profile from the dropdown list. See WIDS profiles on page 294.
Radio Resource Provision Select to enable radio resource provisioning.
This feature measures utilization and interference on the available channels
and selects the clearest channel at each access point.
Client Load Balance Select the client load balancing methods to use: Frequency Handoff and/or
AP Handoff.
Band Select the wireless protocol from the dropdown list. The available bands
depend on the selected platform.
In two-radio devices, the two radios cannot use the same band.
Channel Width Select 20MHz or 40MHz channel width. This option is only available for 5GHz
802.11n bands.
Short Guard Interval Select to enable the short guard interval.
Channels Select the channel or channels to include. The available channels depend on
the selected platform and band.
TX Power Control Optionally, enable automatic adjustment of transmit power, then specify the
minimum and maximum power levels, in dBm.
TX Power If TX Power Control is Manual, enter the TX power in the form of the
percentage of the total available power.
If TX Power Control is Auto, enter the TX power low and high values, in dBm.
SSIDs Manually choose the SSIDs that APs using this profile will carry, or let them be
selected automatically.
Monitor Channel Utilization Enable/disable monitoring channel utilization.
FortiPresence
Mode Select the FortiPresence mode:
l Disable
l Foreign channels only
l Foreign and home channels
Project name The FortiPresence project name.
Password FortiPresence secret password.
FortiPresence server IP FortiPresence server IP address.
FortiPresence server port FortiPresence server UDP listening port (default = 3000).
Report rogue APs Enable/disable FortiPresence reporting of Rogue APs.
Report unassociated clients Enable/disable FortiPresence reporting of unassociated devices.
Report transmit frequency (in seconds) FortiPresence report transmit frequency, in seconds (5 - 65535, default = 30).
Ekahau blink Enable/disable Ekahau blink location based services.
RTLS controller server IP Enter the realtime location services (RTLS) controller server IP address.
RTLS controller server port The RTLS controller server port (default = 8569).
Ekahau tag MAC address Enter the Ekahau tag MAC address.
AeroScout Enable/disable AeroScout location based services.
AeroScout server IP Enter the AeroScout server IP address.
AeroScout server port Enter the AeroScout server port.
MU mode dilution factor Enter the MU mode dilution factor (default = 20).
MU mode dilution timeout Enter the MU mode dilution timeout (default = 5).
Locate WiFi clients when not connected Enable/disable locating WiFi clients when they are not connected.
Advanced Options Configure advanced options for the SSID:
l control-message-offload: Configure CAPWAP control message data
channel offload: aeroscout-mu, aeroscout-tag, ap-list, ebp-frame,
sta-list, sta-cap-list, stats.
l dtls-in-kernel: Enable/disable data channel DTLS in kernel.
l dtls-policy: Select the WTP data channel DTLS policy: clear-text,
dtls-enabled, and/or ipsec-vpn.
l energy-efficient-ethernet: Enable/disable use of energy efficient
Ethernet on WTP.
l ext-info-enable: Enable/disable station/VAP/radio extension information,
providing more detailed statistics for troubleshooting purposes.
l handoff-roaming: Enable/disable handoff when a client is roaming.
l handoff-rssi: Enter the minimum RSSI handoff value.
l handoff-sta-thresh: Enter the threshold value for AP handoff.
l ip-fragment-preventing: Prevent IP fragmentation for CAPWAP tunneled
control and data packets. Select tcp-mss-adjust and/or icmp-unreachable.
l led-schedules: Recurring firewall schedules for illuminating LEDs on the
FortiAP. If led-state is enabled, LEDs will be visible when at least one of
the schedules is valid.
l led-state: Enable/disable use of LEDs on WTP.
l lldp: Enable/disable LLDP.
l max-clients: Enter the maximum number of STAs supported by the
WTP.
l poe-mode: Set the WTP, FortiAP, or AP's PoE mode: auto, 8023af,
8023at, or power-adapter (use the power adapter to control the mode).
l split-tunneling-acl-local-ap-subnet: Enable/disable split tunneling ACL
local AP subnet.
l tun-mtu-downlink: Enter the downlink tunnel MTU.
l tun-mtu-uplink: Enter the uplink tunnel MTU.
l wan-port-mode: Set the WAN port mode: wan-only or wan-lan.
3. Click OK to create the new AP profile.
To edit a custom AP profile:
1. Either double-click a profile name, right-click a profile name and select Edit, or select a profile then click Edit in the
toolbar. The Edit AP Profile pane opens.
2. Edit the settings as required. The profile name cannot be edited.
3. Click OK to apply your changes.
To delete custom AP profiles:
1. Select the AP profile or profiles that will be deleted. Default profiles cannot be deleted.
2. Either select Delete from the toolbar, or right-click and select Delete.
3. Click OK in the confirmation dialog box to delete the profile.
To clone a custom AP profile:
1. Either select a profile and click Clone in the toolbar, or right-click a profile and select Clone. The Clone AP Profile
pane opens.
2. Edit the name of the profile, then edit the remaining settings as required.
3. Click OK to clone the profile.
To import an AP profile:
1. Click Import in the toolbar. The Import dialog box opens.
2. Select a FortiGate from the dropdown list. The list will include all of the devices in the current ADOM.
3. Select the profile or profiles to be imported from the dropdown list.
4. Click OK to import the profile or profiles.
SSIDs
To view SSIDs and SSID groups, go to AP Manager > WiFi Profiles, and select SSID in the tree menu.
The following options are available in the toolbar and right-click menu:
Create New Create a new SSID (see Creating SSIDs on page 288) or SSID group.
Edit Edit the selected SSID or group.
Clone Clone the selected SSID or group.
Delete Delete the selected SSID or group.
Import Import SSIDs from a connected FortiGate (toolbar only).
Where Used View where the SSID is used.
Column Settings Adjust the visible columns.
To create a new SSID group:
1. On the SSID pane, click Create New > SSID Group in the toolbar. The Create New SSID Group window opens.
2. Enter a name for the group in the Name field.
3. Optionally, enter a brief description of the group in the Comment box.
4. Optionally, add SSIDs to the group in the Members field.
5. Click OK to create the SSID group.
To edit an SSID or SSID group:
1. Either double-click on an SSID, select an SSID and then click Edit in the toolbar, or right-click then select Edit from
the menu. The Edit SSID or Edit SSID Group window opens.
2. Edit the settings as required. The SSID name and traffic mode cannot be edited.
3. Click OK to apply your changes.
To delete SSIDs or groups:
1. Select the SSIDs and groups that you would like to delete.
2. Either click Delete in the toolbar, or right-click and select Delete.
3. Click OK in the confirmation dialog box to delete the selected SSIDs and groups.
Deleting a group does not delete the SSIDs that are in the group.
To clone an SSID or group:
1. Either select an SSID or group and click Clone in the toolbar, or right-click on the SSID or group name, and select
Clone. The Clone SSID or Clone SSID Group dialog box opens.
2. Edit the settings as required. An SSID's traffic mode cannot be edited.
3. Click OK to clone the SSID.
To import an SSID:
1. Click Import in the toolbar. The Import dialog box opens.
2. Select a FortiGate from the dropdown list. The list will include all of the devices in the current ADOM.
3. Select the SSID or SSIDs to be imported from the Profile dropdown list.
4. Click OK to import the SSID or SSIDs.
Creating SSIDs
When creating a new SSID, the available options will change depending on the selected traffic mode: Tunnel, Bridge,
or Mesh.
To create a new SSID:
1. On the SSID pane, click Create New > SSID in the toolbar, or select it from the right-click menu. The Create New
SSID Profile window opens.
2. Enter the following information, then click OK to create the new SSID:
Interface Name Type a name for the SSID.
Alias Set the alias for SSID.
Traffic Mode Select the traffic mode: Tunnel, Bridge, or Mesh.
Address These options are only available when Traffic Mode is Tunnel.
IP/Network Mask Enter the IP address and netmask.
IPv6 Address Enter the IPv6 address.
Administrative Access Select the allowed administrative service protocols from: AUTO-IPSEC,
CAPWAP, FGFM, HTTP, HTTPS, PING, PROBE-RESPONSE, RADIUS-ACCT, SNMP, SSH, and TELNET.
IPv6 Administrative Access Select the allowed administrative service protocols from: ANY, CAPWAP,
FGFM, HTTP, HTTPS, PING, SNMP, SSH, and TELNET.
DHCP Server Turn the DHCP server on or off.
Address Range Configure address ranges for DHCP. Click Create to create a new range.
Ranges can also be edited and deleted as required.
This option is only available when DHCP Server is ON and Mode is Server.
Netmask Enter the netmask.
This option is only available when DHCP Server is ON and Mode is Server.
Default Gateway Configure the default gateway: Same as Interface IP, or Specify. If set to
Specify, enter the gateway IP address in the field.
This option is only available when DHCP Server is ON and Mode is Server.
DNS Server Configure the DNS server: Same as System DNS, Same as Interface IP, or
Specify.
This option is only available when DHCP Server is ON and Mode is Server.
Mode Select the DHCP mode: Server or Relay.
This option is only available when DHCP Server is ON.
NTP Server Configure the NTP server: Local, Same as System NTP, or Specify. If set to
Specify, enter the NTP server IP address in the field.
This option is only available when DHCP Server is ON and Mode is Server.
Time Zone Configure the timezone: Disable, Same as System, or Specify. If set to
Specify, select the timezone from the dropdown list.
This option is only available when DHCP Server is ON and Mode is Server.
Next Bootstrap Server Enter the IP address of the next bootstrap server.
This option is only available when DHCP Server is ON and Mode is Server.
Additional DHCP Options In the Lease Time field, enter the lease time, in seconds (default = 604800 (7
days)).
Add DHCP options to the table. See To add additional DHCP options: on
page 293 for details. Options can also be edited and deleted as required.
This option is only available when DHCP Server is ON and Mode is Server.
MAC Reservation + Access Control Select the action to take with unknown MAC addresses: assign or block.
Add MAC address actions to the table. See To add a MAC address
reservation: on page 293 for details. Reservations can also be edited and
deleted as required.
This option is only available when DHCP Server is ON and Mode is Server.
DHCP Server IP Enter the DHCP server IP address.
This option is only available when DHCP Server is ON and Mode is Relay.
Type Select the type: Regular, or IPsec.
This option is only available when DHCP Server is ON.
WiFi Settings
SSID: Type the wireless service set identifier (SSID), or network name, for this wireless interface. Users who want to use the wireless network must configure their computers with this network name.
Security Mode: Select a security mode:
• Captive Portal
• OPEN
• Osen
• WEP 128
• WEP 64
• WPA Enterprise
• WPA Only Enterprise
• WPA Only Personal
• WPA Only Personal Captive Portal
• WPA Personal
• WPA Personal Captive Portal
• WPA2 Only Enterprise
• WPA2 Only Personal
• WPA2 Only Personal Captive Portal
Only WPA and WPA2 Personal modes are available when the traffic mode is Mesh.
Pre-shared Key: Enter the pre-shared key for the SSID.
This option is only available when the security mode includes WPA or WPA2 personal.
Local Standalone: Enable/disable AP local standalone (default = disable).
This option is only available when the traffic mode is Bridge.
Local Authentication: Enable/disable AP local authentication.
This option is only available when the traffic mode is Bridge.
Client Limit: The maximum number of clients that can simultaneously connect to the AP (0 - 4294967295, default = 0, meaning no limitation).
Client Limit per Radio: The maximum number of clients that can simultaneously connect to each radio (0 - 4294967295, default = 0, meaning no limitation).
This option is only available when Local Standalone is enabled.
Multiple Pre-Shared Keys: Enable/disable multiple pre-shared keys. In the table, click Create to create a new key. Enter the key name, value, client limit, and comments (optional), then click OK. Click Edit to edit the selected key. Click Delete to delete the selected key or keys.
This option is only available when the security mode includes WPA or WPA2 personal and the traffic mode is not Mesh.
Default Client Limit Per Key: Enable/disable a maximum number of clients that can simultaneously connect using each pre-shared key, then enter the maximum number.
This option is only available when Multiple Pre-Shared Keys is enabled.
Portal Type: Select the portal type: Authentication (default), Disclaimer + Authentication, Disclaimer Only, or Email Collection.
This option is only available when the security mode includes captive portal.
Authentication Portal: Select Local or External. If External is selected, enter the URL of the portal.
This option is only available when the portal type includes authentication.
User Groups: Select the user group to add from the dropdown list. Select the plus symbol to add multiple groups.
This option is only available when the portal type includes authentication.
Exempt Sources: Select exempt sources to add from the dropdown list.
This option is only available when the portal type includes authentication.
Devices: Select exempt devices to add from the dropdown list.
This option is only available when the portal type includes authentication.
Exempt Destinations: Select exempt destinations to add from the dropdown list.
This option is only available when the portal type includes authentication.
Exempt Services: Select exempt services to add from the dropdown list.
This option is only available when the portal type includes authentication.
Customize Portal Messages: Select to allow for customized portal messages. Portal messages cannot be customized until after the interface has been created.
This option is only available when the portal type includes disclaimer, email collection, or CMCC without MAC authentication.
Redirect after Captive Portal: Select Original Request or Specific URL. If Specific URL is selected, enter the redirect URL.
This option is only available when the security mode includes captive portal.
Authentication: Select the authentication method for the SSID, either Local or RADIUS Server, then select the requisite server or group from the dropdown list.
This option is only available when the security mode includes WPA or WPA2 enterprise.
Broadcast SSID: Enable/disable broadcasting the SSID (default = enable). Broadcasting enables clients to connect to the wireless network without first knowing the SSID. For better security, do not broadcast the SSID.
Schedule: Select a schedule to control the availability of the SSID. For information on creating a schedule object, see Create a new object on page 200.
Block Intra-SSID Traffic: Enable/disable blocking communication between clients of the same AP (default = disable).
Broadcast Suppression: Optional suppression of broadcast message types:
• All other broadcast: All other broadcast messages
• All other multicast: All other multicast messages
• ARP poison: ARP poison messages from wireless clients
• ARP proxy: ARP requests for wireless clients as a proxy
• ARP replies: ARP replies from wireless clients
• ARPs for known clients: ARP for known messages
• ARPs for unknown clients: ARP for unknown messages
• DHCP downlink: Downlink DHCP messages
• DHCP starvation: DHCP starvation req messages
• DHCP uplink: Uplink DHCP messages
• IPv6: IPv6 packets
• NetBIOS datagram service: NetBIOS datagram services packets
• NetBIOS name service: NetBIOS name services packets
Filter Clients by MAC Address: Enable/disable using a RADIUS server to filter clients by MAC address, then select the server from the dropdown list. See RADIUS servers on page 465 for information on adding a RADIUS server.
VLAN Pooling: Enable/disable VLAN pooling, allowing you to group multiple wireless controller VLANs into VLAN pools. These pools are used to load-balance sessions evenly across multiple VLANs.
• Managed AP Group: Select devices to include in the group.
• Round Robin
• Hash
This option is not available when the traffic mode is Mesh.
Quarantine Host: Enable/disable station quarantine (default = enable).
This option is only available when the security mode includes WPA or WPA2.
Encrypt: Select the data encryption protocol:
• TKIP: Temporal Key Integrity Protocol, used by the older WPA standard.
• AES: Advanced Encryption Standard, commonly used with the newer WPA2 standard (default).
• TKIP-AES: Use both protocols to provide backward compatibility for legacy devices. This option is not recommended, as attackers will only need to breach the weaker encryption of the two (TKIP).
This option is only available when the security mode includes WPA or WPA2.
QoS Profile: Select the QoS profile from the dropdown list.
Advanced Options: Configure advanced options. For information, see the FortiOS CLI Reference: http://help.fortinet.com/cli/fos60hlp/60/index.htm.
To add additional DHCP options:
1. Click Create in the Additional DHCP Options table toolbar. The Additional DHCP Options dialog box opens.
2. Enter the Option Code.
3. Select the Type: hex, ip, or string.
4. Enter the corresponding value.
5. Click OK to create the option.
To add a MAC address reservation:
1. Click Create in the MAC Reservation + Access Control table toolbar. The MAC Reservation + Access Control dialog box opens.
2. Enter the MAC Address.
3. Select the End IP: Assign IP, Block, or Reserve IP. If reserving the IP address, enter it in the field.
4. Optionally, enter a description.
5. Click OK to create the reservation.
WIDS profiles
The WIDS monitors wireless traffic for a wide range of security threats by detecting and reporting on possible intrusion attempts. When an attack is detected, a log message is recorded.
To view WIDS profiles, ensure that you are in the correct ADOM, go to AP Manager > WiFi Profiles, and select WIDS Profile in the tree menu.
The following options are available in the toolbar and right-click menu:
Create New: Create a new WIDS profile.
Edit: Edit the selected WIDS profile.
Delete: Delete the selected WIDS profile.
Clone: Clone the selected WIDS profile.
Import: Import WIDS profiles from a connected FortiGate (toolbar only).
To create a new WIDS profile:
1. On the WIDS Profile pane, click Create New in the toolbar, or select it from the right-click menu. The Create New WIDS Profile window opens.
2. Enter the following information, then click OK to create the new WIDS profile:
Name: Enter a name for the profile.
Comments: Optionally, enter comments.
Sensor Mode
Enable Rogue AP Detection: Select to enable rogue AP detection.
Background Scan Every: Enter the number of seconds between background scans.
Enable Passive Scan Mode: Enable/disable passive scan mode.
Auto Suppress Rogue APs in Foreground Scan: Enable/disable automatically suppressing rogue APs in foreground scans.
This option is only available when the sensor mode is not disabled.
Disable Background Scan During Specified Time: Enable/disable background scanning during the specified time. Specify the days of week, and the start and end times.
Intrusion Type: The intrusion types that can be detected.
Enable: Select to enable the intrusion type.
Threshold: If applicable, enter a threshold for reporting the intrusion, in seconds except where specified.
Interval (Seconds): If applicable, enter the interval for reporting the intrusion, in seconds.
Advanced Options
ap-bgscan-duration: Listening time on a scanning channel, in milliseconds (10 - 1000, default = 20).
ap-bgscan-idle: Waiting time for channel inactivity before scanning this channel, in milliseconds (0 - 1000, default = 0).
ap-bgscan-intv: Period of time between scanning two channels, in seconds (1 - 600, default = 1).
ap-bgscan-report-intv: Period of time between background scan reports, in seconds (15 - 600, default = 30).
ap-fgscan-report-intv: Period of time between foreground scan reports, in seconds (15 - 600, default = 15).
deauth-broadcast: Enable/disable broadcasting deauthentication detection (default = disable).
deauth-unknown-src-thresh: Threshold value per second to deauthenticate unknown sources for DoS attacks, in seconds (0 - 65535, 0 = no limit, default = 10).
invalid-mac-oui: Enable/disable invalid MAC OUI detection (default = disable).
Intrusion types
Intrusion Type Description
Asleap Attack: ASLEAP is a tool used to perform attacks against LEAP authentication.
Association Frame Flooding: A Denial of Service attack using association requests. The default detection threshold is 30 requests in 10 seconds.
Authentication Frame Flooding: A Denial of Service attack using authentication requests. The default detection threshold is 30 requests in 10 seconds.
Broadcasting Deauthentication: This is a type of Denial of Service attack. A flood of spoofed de-authentication frames forces wireless clients to de-authenticate, then re-authenticate with their AP.
EAPOL Packet Flooding (to AP): Extensible Authentication Protocol over LAN (EAPOL) packets are used in WPA and WPA2 authentication. Flooding the AP with these packets can be a denial of service attack. Several types of EAPOL packets can be detected:
• EAPOL-FAIL
• EAPOL-LOGOFF
• EAPOL-START
• EAPOL-SUCC
Invalid MAC OUI: Some attackers use randomly-generated MAC addresses. The first three bytes of the MAC address are the Organizationally Unique Identifier (OUI), administered by IEEE. Invalid OUIs are logged.
Long Duration Attack: To share radio bandwidth, WiFi devices reserve channels for brief periods of time. Excessively long reservation periods can be used as a denial of service attack. You can set a threshold between 1000 and 32767 microseconds. The default is 8200 µs.
Null SSID Probe Response: When a wireless client sends out a probe request, the attacker sends a response with a null SSID. This causes many wireless cards and devices to stop responding.
Premature EAPOL Packet Flooding (to client): Extensible Authentication Protocol over LAN (EAPOL) packets are used in WPA and WPA2 authentication. Flooding the client with these packets can be a denial of service attack. Two types of EAPOL packets can be detected:
• EAPOL-FAIL
• EAPOL-SUCC
Spoofed Deauthentication: Spoofed de-authentication frames form the basis for most denial of service attacks.
Weak WEP IV Detection: A primary means of cracking WEP keys is by capturing 802.11 frames over an extended period of time and searching for patterns of WEP initialization vectors (IVs) that are known to be weak. WIDS detects known weak WEP IVs in on-air traffic.
Wireless Bridge: WiFi frames with both the FromDS and ToDS fields set indicate a wireless bridge. This will also detect a wireless bridge that you intentionally configured in your network.
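Several of the intrusion types in the table are simple threshold or header checks, so the following added example (not code from the FortiManager guide or from Fortinet) shows how such a sensor reports them: it applies the default 30-requests-in-10-seconds flood threshold for association and authentication frames, the 8200 µs long duration default, the FromDS+ToDS wireless bridge test, and an OUI check to a constructed set of frame summaries. The OUI allow-list, the Frame field names and the sample frames are assumptions made for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Set, Tuple

# Constructed OUI allow-list; a real sensor would load the IEEE registry.
KNOWN_OUIS: Set[str] = {"00:09:0f", "04:d5:90", "00:1b:63"}

# Defaults quoted in the intrusion type table.
FLOOD_THRESHOLD = 30        # requests ...
FLOOD_WINDOW_S = 10.0       # ... within 10 seconds
LONG_DURATION_US = 8200     # Duration/ID reservation threshold, microseconds


@dataclass
class Frame:
    """Constructed summary of one captured 802.11 frame (hypothetical field names)."""
    ts: float                 # capture time, seconds
    src: str                  # transmitter MAC, lower-case colon form
    subtype: str              # "assoc_req", "auth", "probe_resp", "data", ...
    from_ds: bool = False     # Frame Control FromDS bit
    to_ds: bool = False       # Frame Control ToDS bit
    duration_us: int = 0      # Duration/ID field


@dataclass
class WidsDetector:
    flood_threshold: int = FLOOD_THRESHOLD
    flood_window_s: float = FLOOD_WINDOW_S
    long_duration_us: int = LONG_DURATION_US
    known_ouis: Set[str] = field(default_factory=lambda: set(KNOWN_OUIS))
    # Sliding windows of request timestamps, keyed by (subtype, source MAC).
    _windows: Dict[Tuple[str, str], Deque[float]] = field(
        default_factory=lambda: defaultdict(deque))

    def _flooding(self, key: Tuple[str, str], ts: float) -> bool:
        """True once flood_threshold requests fall inside the window; the
        window is then cleared so one burst produces one report."""
        window = self._windows[key]
        window.append(ts)
        while window and ts - window[0] > self.flood_window_s:
            window.popleft()
        if len(window) >= self.flood_threshold:
            window.clear()
            return True
        return False

    def inspect(self, f: Frame) -> List[str]:
        """Return the names of every intrusion type this frame triggers."""
        alerts: List[str] = []
        if f.src[:8].lower() not in self.known_ouis:
            alerts.append("invalid-mac-oui")
        if f.subtype == "assoc_req" and self._flooding(("assoc_req", f.src), f.ts):
            alerts.append("association-frame-flooding")
        if f.subtype == "auth" and self._flooding(("auth", f.src), f.ts):
            alerts.append("authentication-frame-flooding")
        if f.duration_us > self.long_duration_us:
            alerts.append("long-duration-attack")
        if f.from_ds and f.to_ds:
            alerts.append("wireless-bridge")
        return alerts


def run(frames: List[Frame]) -> Dict[str, int]:
    """Feed frames through one detector and count reports per intrusion type."""
    det = WidsDetector()
    counts: Dict[str, int] = defaultdict(int)
    for f in frames:
        for name in det.inspect(f):
            counts[name] += 1
    return dict(counts)


def sample_frames() -> List[Frame]:
    """Constructed capture: one association burst, one slow authentication
    trickle, and three single-frame cases."""
    frames: List[Frame] = []
    # 35 association requests in 3.5 s from one station: crosses 30 in 10 s once.
    for i in range(35):
        frames.append(Frame(ts=i * 0.1, src="00:09:0f:aa:bb:cc", subtype="assoc_req"))
    # 20 authentication frames spread over 40 s: never 30 inside any 10 s window.
    for i in range(20):
        frames.append(Frame(ts=100.0 + i * 2.0, src="04:d5:90:11:22:33", subtype="auth"))
    # Source OUI not in the allow-list.
    frames.append(Frame(ts=200.0, src="de:ad:be:ef:00:01", subtype="probe_resp"))
    # Duration field far above the 8200 us default.
    frames.append(Frame(ts=201.0, src="00:1b:63:01:02:03", subtype="data", duration_us=30000))
    # FromDS and ToDS both set: wireless bridge (possibly a legitimate one).
    frames.append(Frame(ts=202.0, src="00:1b:63:01:02:04", subtype="data",
                        from_ds=True, to_ds=True))
    return frames


if __name__ == "__main__":
    for name, n in sorted(run(sample_frames()).items()):
        print(f"{name}: {n}")
```

As the Wireless Bridge row notes, the bridge check also fires for bridges you configured yourself, so that report needs an allow-list of known bridge MACs before it is treated as an incident.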
To edit a WIDS profile:
1. Either double-click on a profile name, select a profile and then click Edit in the toolbar, or right-click on the name then select Edit from the menu. The Edit WIDS window opens.
2. Edit the settings as required.
3. Click OK to apply your changes.
To delete WIDS profiles:
1. Select the profile or profiles that will be deleted from the profile list.
2. Either click Delete from the toolbar, or right-click then select Delete.
3. Click OK in the confirmation dialog box to delete the profile or profiles.
To clone a WIDS profile:
1. Either select a profile and click Clone in the toolbar, or right-click a profile and select Clone. The Clone WIDS pane opens.
2. Edit the name of the profile, then edit the remaining settings as required.
3. Click OK to clone the profile.
To import a WIDS profile:
1. Click Import in the toolbar. The Import dialog box opens.
2. Select a FortiGate from the dropdown list. The list will include all of the devices in the current ADOM.
3. Select the profile or profiles to be imported from the dropdown list.
4. Click OK to import the profile or profiles.
Bluetooth profiles
To view and configure Bluetooth profiles, ensure that you are in the correct ADOM, go to AP Manager > WiFi Profiles, and select Bluetooth Profile in the tree menu (or from the tabs in version 5.6 ADOMs).
Bluetooth profiles are not available in version 5.4 and 5.2 ADOMs.
The following options are available in the toolbar and right-click menu:
Create New: Create a new Bluetooth profile.
Edit: Edit the selected Bluetooth profile.
Delete: Delete the selected Bluetooth profile.
Clone: Clone the selected Bluetooth profile.
Import: Import Bluetooth profiles from a connected FortiGate (toolbar only).
To create a new Bluetooth profile:
1. On the Bluetooth Profile pane, click Create New in the toolbar, or select it from the right-click menu. The Create New Bluetooth Profile window opens.
2. Enter the following information:
Name: Enter a name for the profile.
Comments: Optionally, enter comments.
Advertising: Select the advertising types: iBeacon, Eddystone-UID, and Eddystone-URL.
iBeacon UUID: The iBeacon Universally Unique Identifier (UUID) is automatically assigned, but can be manually reset (63 characters).
Major ID: The major ID (1 - 65535, default = 1000).
Minor ID: The minor ID (1 - 65535, default = 2000).
Eddystone Namespace: The Eddystone namespace ID (10 characters).
Eddystone Instance: The Eddystone instance ID (6 characters).
Eddystone URL: The Eddystone URL (127 characters).
TX Power: Transmit power level:
0 = -21 dBm
1 = -18 dBm
2 = -15 dBm
3 = -12 dBm
4 = -9 dBm
5 = -6 dBm
6 = -3 dBm
7 = 0 dBm
8 = 1 dBm
9 = 2 dBm
10 = 3 dBm
11 = 4 dBm
12 = 5 dBm
Beacon Interval: The beacon interval, in milliseconds (40 - 3500, default = 100).
BLE Scanning: Enable/disable Bluetooth Low Energy (BLE) scanning.
Advanced Options: Enter the Eddystone encoded URL hexadecimal string size (54 characters) in the eddystone-url-encode-hex field.
3. Click OK to create the new Bluetooth profile.
To edit a Bluetooth profile:
1. Either double-click on a profile name, select a profile and then click Edit in the toolbar, or right-click on the name then select Edit from the menu. The Edit Bluetooth Profile window opens.
2. Edit the settings as required.
3. Click OK to apply your changes.
To delete Bluetooth profiles:
1. Select the profile or profiles that will be deleted from the profile list.
2. Either click Delete from the toolbar, or right-click then select Delete.
3. Click OK in the confirmation dialog box to delete the profile or profiles.
To clone a Bluetooth profile:
1. Either select a profile and click Clone in the toolbar, or right-click a profile and select Clone. The Clone Bluetooth Profile pane opens.
2. Edit the name of the profile, then edit the remaining settings as required.
3. Click OK to clone the profile.
To import a Bluetooth profile:
1. Click Import in the toolbar. The Import dialog box opens.
2. Select a FortiGate from the dropdown list. The list will include all of the devices in the current ADOM.
3. Select the profile or profiles to be imported from the dropdown list.
4. Click OK to import the profile or profiles.
QoS profiles
To view and configure Quality of Service (QoS) profiles, ensure that you are in the correct ADOM, go to AP Manager > WiFi Profiles, and select QoS Profile in the tree menu (or from the tabs in version 5.6 ADOMs).
QoS profiles are not available in version 5.4 and 5.2 ADOMs.
The following options are available in the toolbar and right-click menu:
Create New: Create a new QoS profile.
Edit: Edit the selected QoS profile.
Delete: Delete the selected QoS profile.
Clone: Clone the selected QoS profile.
Import: Import QoS profiles from a connected FortiGate (toolbar only).
To create a new QoS profile:
1. On the QoS Profile pane, click Create New in the toolbar, or select it from the right-click menu. The Create New QoS Profile window opens.
2. Enter the following information:
Name: Enter a name for the profile.
Comments: Optionally, enter comments.
Max Uplink Speed (VAPs): The maximum uplink speed (VAPs), in Kbps (0 - 2097152, default = 0).
Max Downlink Speed (VAPs): The maximum downlink speed (VAPs), in Kbps (0 - 2097152, default = 0).
Max Uplink Speed (Clients): The maximum uplink speed (Clients), in Kbps (0 - 2097152, default = 0).
Max Downlink Speed (Clients): The maximum downlink speed (Clients), in Kbps (0 - 2097152, default = 0).
Client Rate Burst: Enable/disable client rate burst (default = disable).
Wi-Fi MultiMedia: Enable/disable WiFi Multimedia (WMM) control (default = enable).
U-APSD Power Save Mode: Enable/disable WMM Unscheduled Automatic Power Save Delivery (U-APSD) power save mode (default = enable).
This option is only available if Wi-Fi MultiMedia is enabled.
Call Admission Control: Enable/disable WMM call admission control (default = disable).
This option is only available if Wi-Fi MultiMedia is enabled.
Call Capacity: The maximum number of VoWLAN phones allowed (0 - 60, default = 10).
This option is only available if Call Admission Control is enabled.
Bandwidth Admission Control: Enable/disable WMM bandwidth admission control (default = disable).
This option is only available if Call Admission Control is enabled.
Bandwidth Capacity: The maximum bandwidth capacity allowed, in Kbps (1 - 600000, default = 2000).
This option is only available if Bandwidth Admission Control is enabled.
DSCP Mapping: Enable/disable Differentiated Services Code Point (DSCP) mapping (default = disable).
Voice Access: DSCP mapping for voice access category (default = 48, 56).
This option is only available if DSCP Mapping is enabled.
Video Access: DSCP mapping for video access category (default = 32, 40).
This option is only available if DSCP Mapping is enabled.
Best Effort Access: DSCP mapping for best effort access category (default = 0, 24).
This option is only available if DSCP Mapping is enabled.
Background Access: DSCP mapping for background access category (default = 8, 16).
This option is only available if DSCP Mapping is enabled.
3. Click OK to create the new QoS profile.
To edit a QoS profile:
1. Either double-click on a profile name, select a profile and then click Edit in the toolbar, or right-click on the name then select Edit from the menu. The Edit QoS Profile window opens.
2. Edit the settings as required.
3. Click OK to apply your changes.
To delete QoS profiles:
1. Select the profile or profiles that will be deleted from the profile list.
2. Either click Delete from the toolbar, or right-click then select Delete.
3. Click OK in the confirmation dialog box to delete the profile or profiles.
To clone a QoS profile:
1. Either select a profile and click Clone in the toolbar, or right-click a profile and select Clone. The Clone QoS Profile pane opens.
2. Edit the name of the profile, then edit the remaining settings as required.
3. Click OK to clone the profile.
To import a QoS profile:
1. Click Import in the toolbar. The Import dialog box opens.
2. Select a FortiGate from the dropdown list. The list will include all of the devices in the current ADOM.
3. Select the profile or profiles to be imported from the dropdown list.
4. Click OK to import the profile or profiles.
Bonjour profiles
To view and configure Bonjour profiles, ensure that you are in the correct ADOM, go to AP Manager > WiFi Profiles, and select Bonjour Profile in the tree menu (or from the tabs in version 5.6 ADOMs).
Bonjour profiles are not available in version 5.4 and 5.2 ADOMs.
The following options are available in the toolbar and right-click menu:
Create New: Create a new Bonjour profile.
Edit: Edit the selected Bonjour profile.
Delete: Delete the selected Bonjour profile.
Clone: Clone the selected Bonjour profile.
Import: Import Bonjour profiles from a connected FortiGate (toolbar only).
To create a new Bonjour profile:
1. On the Bonjour Profile pane, click Create New in the toolbar, or select it from the right-click menu. The Create New Bonjour Profile window opens.
2. Enter the following information:
Name: Enter a name for the profile.
Comments: Optionally, enter comments.
Policy List: Configure the policy list.
Create New: Create a new policy list entry. Select the following, then click OK:
• Description: Description of the Bonjour profile policy.
• From VLAN: The VLAN ID that the Bonjour service will be advertised from (0 - 4094, default = 0).
• To VLAN: The VLAN ID that the Bonjour service will be made available to (0 - 4094, default = all).
• Services: Services for the VLAN.
Edit: Edit the selected entry.
Delete: Delete the selected entries.
3. Click OK to create the new Bonjour profile.
To edit a Bonjour profile:
1. Either double-click on a profile name, select a profile and then click Edit in the toolbar, or right-click on the name then select Edit from the menu. The Edit Bonjour Profile window opens.
2. Edit the settings as required.
3. Click OK to apply your changes.
To delete Bonjour profiles:
1. Select the profile or profiles that will be deleted from the profile list.
2. Either click Delete from the toolbar, or right-click then select Delete.
3. Click OK in the confirmation dialog box to delete the profile or profiles.
To clone a Bonjour profile:
1. Either select a profile and click Clone in the toolbar, or right-click a profile and select Clone. The Clone Bonjour Profile pane opens.
2. Edit the name of the profile, then edit the remaining settings as required.
3. Click OK to clone the profile.
To import a Bonjour profile:
1. Click Import in the toolbar. The Import dialog box opens.
2. Select a FortiGate from the dropdown list. The list will include all of the devices in the current ADOM.
3. Select the profile or profiles to be imported from the dropdown list.
4. Click OK to import the profile or profiles.
FortiSwitch Manager
The FortiSwitch Manager module enables you to centrally manage FortiSwitch templates and VLANs, and monitor FortiSwitch devices that are connected to FortiGate devices. You can configure multiple templates for specific FortiSwitch platforms that can be assigned to multiple devices.
The FortiSwitch Manager module includes the following tabs:
Managed Switches: Displays unauthorized and authorized FortiSwitch devices. You can view, authorize, and edit authorized switches, as well as apply templates to switches.
Monitor: Monitor FortiSwitch devices with a graphical representation of the connected switches.
FortiSwitch Templates: View, create, and edit FortiSwitch templates, VLANs, and security policies. Templates can also be imported.
The following steps provide an overview of using centralized FortiSwitch management to configure and install templates:
1. Create FortiSwitch VLANs. See FortiSwitch VLANs on page 314.
2. Create or import FortiSwitch templates. See FortiSwitch Templates on page 311.
3. Assign templates to FortiSwitch devices. See Assigning templates to FortiSwitch devices on page 309.
4. Install the templates to the devices. On the Device Manager pane, select the FortiGate device that controls the FortiSwitch device, then select Install > Install Config from the toolbar, and follow the prompts in the wizard. See Configuring a device on page 58.
Managed Switches
The Managed Switches pane allows you to manage FortiSwitch devices that are controlled by FortiGate devices that are managed by the FortiManager.
FortiSwitch devices, listed in the content pane, are grouped based on the controller that they are connected to.
Additional configuration options and short-cuts are available using the right-click context menu. Right-click on different parts of the navigation panes on the GUI page to access these context menus.
If workspace or workflow is enabled, the ADOM must be locked before changes can be made. See Locking an ADOM on page 406.
Go to FortiSwitch Manager > Managed Switches to manage FortiSwitch devices. Managed switches are organized by their FortiGate controller.
Quick status bar
You can quickly view the status of devices on the Managed Switches pane by using the quick status bar, which contains the following options:
• Managed FortiSwitch
• Online
• Offline
• Unauthorized
You can click each quick status to display in the content pane only the devices referenced in the quick status.
To view the quick status bar:
1. If using ADOMs, ensure that you are in the correct ADOM.
2. Go to FortiSwitch Manager > Managed Switches. The quick status bar is displayed above the content pane.
3. In the tree menu, select a FortiGate or All_FortiGate. The devices for the group are displayed in the content pane, and the quick status bar updates.
4. Click on each quick status to filter the devices displayed on the content pane. For example, click Offline, and the content pane will display only devices that are currently offline.
Managing FortiSwitches
FortiSwitch devices can be managed from the content pane below the quick status bar on the FortiSwitch Manager > Managed Switches pane.
The following options are available from the toolbar and right-click menu:
Edit: Edit the selected FortiSwitch.
Delete: Delete the switch or switches.
Assign Template: Assign a template to the switch. Only applicable templates will be listed. See Assigning templates to FortiSwitch devices on page 309.
Authorize: Authorize an unregistered switch. See Authorizing and deauthorizing FortiSwitch devices on page 309.
This option is also available in the toolbar by selecting More.
Deauthorize: Deauthorize a registered switch. See Authorizing and deauthorizing FortiSwitch devices on page 309.
This option is also available in the toolbar by selecting More.
Restart: Restart the switch.
This option is also available in the toolbar by selecting More.
Upgrade: Upgrade the switch. The FortiSwitch must already be authorized.
This option is also available in the toolbar by selecting More.
Refresh: Refresh the switch list.
This option is also available in the toolbar by selecting More.
Connect to CLI: Connect to the FortiSwitch device's CLI, if available.
This option is also available in the toolbar by selecting More.
Column Settings: Click to select which columns to display or select Reset to Default to display the default columns.
This option is only available in the toolbar.
Search: Enter a search string into the search field to search the switch list.
This option is only available in the toolbar.
The following information is available in the content pane:
FortiGate: The FortiGate that the FortiSwitch is connected to.
FortiSwitch Name: The name assigned to the switch.
Serial Number: The serial number of the switch.
Platform: The FortiSwitch model.
Connected Via: The IP address of the switch.
OS Version: The OS version on the switch.
Template: The FortiSwitch template assigned to the device, if any.
Join Time: The date and time that the switch joined.
Comments: User entered comments.
Editing switches
FortiSwitch devices can be edited from the FortiSwitchManager > Managed Switches pane.
To edit FortiSwitch devices:
1. In the tree menu, select the FortiGate that contains the FortiSwitch device to be edited, or select All_FortiGate to
list all of the switches.
2. Select the appropriate option from the quick status bar, and locate the switch in the content pane.
3. Double-click on the switch, select the switch and clickEdit from the toolbar, or right-click on the switch and select
Edit. The Edit Managed FortiSwitchwindow opens.
4. Edit the following options, then clickApply to apply your changes.
Serial Number The device’s serial number. This field cannot be edited.
Name The name of the FortiSwitch.
Description A description of the FortiSwitch, such as its model.
Template Select the template that will be applied to the FortiSwitch from the dropdown
list. Only applicable templates are available.
Status The status of the FortiSwitch, such asConnected.
ClickRestart to restart the switch.
Connecting From The IP address of the switch.
Join Time The date and time that the switch joined.
State The state of the AP, such asAuthorized.
If the switch is authorized, clickDe-authorize to deauthorize the switch. If the
switch is not authorized, clickAuthorize to authorize it. See Authorizing and
deauthorizing FortiSwitch devices on page 309.
FortiSwitch OS Version The OS version on the switch.
ClickUpgrade to upgrade the firmware to a newer version if you have one
available. See Firmware Management on page 86
FortiManager Administration Guide Fortinet Technologies Inc.FortiSwitch Manager 309
Deleting switches
FortiSwitch devices can be deleted from the FortiSwitch Manager > Managed Switches pane.
To delete FortiSwitch devices:
1. In the tree menu, select the FortiGate that contains the switch or switches to be deleted, or select All_FortiGate to
list all of the switches.
2. Select the appropriate option from the quick status bar, and locate the switch in the list in the content pane.
3. Select the switch or switches that you need to delete.
4. Click Delete from the toolbar, or right-click and select Delete.
5. Click OK in the confirmation dialog box to delete the switch or switches.
Authorizing and deauthorizing FortiSwitch devices
FortiSwitch devices can be authorized and deauthorized from the Managed Switches tab, or from the Edit Managed
FortiSwitch pane (see Editing switches on page 308).
To authorize FortiSwitch devices:
1. In the tree menu, select the FortiGate that contains the unauthorized FortiSwitch devices, or select All_FortiGate to list
all of the switches.
2. In the quick status bar, click Unauthorized. The unauthorized FortiSwitch devices are displayed in the content
pane.
3. Select the switches and either click More > Authorize from the toolbar, or right-click and select Authorize.
4. Select OK in the confirmation dialog box to authorize the selected devices.
To deauthorize FortiSwitch devices:
1. In the tree menu, select the FortiGate that contains the FortiSwitch devices to be deauthorized.
2. Select the FortiSwitch devices and either click More > Deauthorize from the toolbar, or right-click and select
Deauthorize.
3. Select OK in the confirmation dialog box to deauthorize the selected devices.
Assigning templates to FortiSwitch devices
You use the FortiSwitch Manager pane to assign templates to switches, and you use the Device Manager pane to install
the templates to the switches when you install a configuration to the FortiGate that controls the FortiSwitch device.
For more information about creating and managing FortiSwitch templates, see FortiSwitch Templates on page 311.
To assign a template:
1. In the tree menu, select the FortiGate that contains the FortiSwitch device that the template will be applied to, or
select All_FortiGate to list all of the switches.
2. Select the appropriate option from the quick status bar, and locate the switch in the content pane.
3. Select the switch and click Assign Template from the toolbar, or right-click on the switch and select Assign
Template. The Assign FortiSwitch Template dialog box opens.
4. Select a FortiSwitch template from the dropdown list, then click OK to assign it.
Only templates that apply to the specific device model will be available for selection.
Templates can also be applied when editing a device. See Editing switches on page 308.
To install templates to devices:
1. Go to the Device Manager pane.
2. Select the FortiGate device that controls the FortiSwitch.
3. Right-click and select Install Config, or select Install > Install Config from the toolbar.
4. Click OK in the confirmation dialog box to install the configuration to the device. See Configuring a device on page
58 for more information.
Monitor
The FortiSwitch Manager > Monitor pane shows a graphical representation of the connected FortiSwitch devices. Use
the Refresh button to refresh the view, the search box to find a specific device or filter the view, and the zoom buttons to
enlarge or shrink the view.
Ports that are transmitting and receiving data are highlighted in green. Port groups, such as PoE or SFP+ ports, are
encircled in different colored boxes.
Hovering the cursor over the edge of a port group will open a pop-up showing the type of port in the group. Hovering the
cursor over a port will open a pop-up showing information about the port, including:
Port The port number.
Peer Device The device that this switch is connected to. The current port, the port that it is
connected to on the peer device, and the connection between the two devices will
be highlighted.
This item is only displayed when the port is connected to another FortiSwitch
device.
Native VLAN The native VLAN of the port.
PoE Whether or not the port is currently providing PoE power.
This item is only displayed on PoE ports.
Link The state of the link, either up or down.
Speed The speed of the port, such as 1000Mbps/Full Duplex. The value is 0Mbps if the
link is down.
Bytes Sent The total number of bytes sent by the port.
Bytes Received The total number of bytes received by the port.
FortiSwitch Templates
The FortiSwitch Manager > FortiSwitch Templates tab allows you to create and manage FortiSwitch templates,
VLANs, and security policies that can be assigned to FortiSwitch devices. Templates can also be imported from
FortiSwitch devices and then applied to other FortiSwitch devices of the same model.
FortiSwitch templates
FortiSwitch templates define VLAN and PoE assignments for a FortiSwitch platform.
To view FortiSwitch templates, ensure that you are in the correct ADOM, go to FortiSwitch Manager > FortiSwitch
Templates, and select FortiSwitch Templates in the tree menu.
The following options are available in the toolbar and right-click menu:
Create New Create a new FortiSwitch template. See Creating FortiSwitch templates on page
312.
Edit Edit the selected template.
Delete Delete the selected template or templates.
Import Import a FortiSwitch template. See Importing FortiSwitch templates on page
314.
Column Settings Adjust the visible columns.
Search Enter a search string into the search field to search the template list.
To edit a template:
1. Either double-click a template name, right-click a template and select Edit, or select a template then click Edit in
the toolbar. The Edit FortiSwitch Template pane opens.
2. Edit the settings as required, then click OK to apply your changes.
To delete templates:
1. Select the template or templates that will be deleted.
2. Either click Delete from the toolbar, or right-click and select Delete.
3. Click OK in the confirmation dialog box to delete the selected template or templates.
Creating FortiSwitch templates
When creating a new FortiSwitch template, the platform must be selected before configuring VLAN assignments.
To create a FortiSwitch template:
1. On the FortiSwitch Template pane, click Create New in the toolbar. The Create New FortiSwitch Template
window opens.
2. Enter the following information, then click OK to create the new template.
Template Name Type a name for the template.
Comments Optionally, enter comments.
Platforms Select the platform that the template will apply to from the dropdown list.
Switch VLAN Assignments Configure VLAN assignments. A platform must be selected before VLAN
assignments can be configured.
Add Port Add a port to the table.
Create Trunk Create a trunk. See To create a trunk group: on page 313.
Edit Edit the selected trunk.
Delete Delete the selected ports or trunks.
Port Select a port profile from the dropdown list.
Native VLAN Select the native VLAN from the available VLAN objects. See FortiSwitch
VLANs on page 314.
Allowed VLAN Select the allowed VLAN from the available VLAN objects. See FortiSwitch
VLANs on page 314.
Security Policy Select the security policies from the available switch controller security
policies. See FortiSwitch security policies on page 321.
POE If applicable, right-click to enable or disable PoE for the port.
DHCP Blocking Right-click to enable or disable DHCP blocking for the port or trunk.
If the port is in a trunk, then DHCP blocking can only be enabled for the trunk,
and not the individual ports.
IGMP Snooping Right-click to enable or disable IGMP snooping for the port or trunk.
If the port is in a trunk, then IGMP snooping can only be enabled for the trunk,
and not the individual ports.
Loop Guard Right-click to enable or disable Loop Guard for the port.
Loop Guard cannot be applied to trunks, or ports that are in trunks.
STP Right-click to enable or disable STP for the port or trunk.
If the port is in a trunk, then STP can only be enabled for the trunk, and not
the individual ports.
Edge Port Right-click to enable or disable Edge Port for the port or trunk.
If the port is in a trunk, then Edge Port can only be enabled for the trunk, and not
the individual ports.
STP BPDU Guard Right-click to enable or disable STP BPDU Guard for the port or trunk.
If the port is in a trunk, then STP BPDU Guard can only be enabled for the
trunk, and not the individual ports.
STP Root Guard Right-click to enable or disable STP Root Guard for the port or trunk.
If the port is in a trunk, then STP Root Guard can only be enabled for the
trunk, and not the individual ports.
To create a trunk group:
1. On the Create New FortiSwitch Template pane, click Create Trunk in the Switch VLAN Assignments toolbar.
The New Trunk Group dialog box opens.
2. Enter a name for the trunk group in the Name field.
3. In the Members field, select all the ports that will be in the group from the drop-down list.
4. Select the mode: lacp-active (active link aggregation), lacp-passive (passive link aggregation), or static.
5. Click OK to create the trunk group.
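The Switch VLAN Assignments table above carries several consistency rules: a trunk-level option (DHCP Blocking, IGMP Snooping, STP, Edge Port, BPDU Guard, Root Guard) set on a port that belongs to a trunk, Loop Guard on a trunk or a trunk member, or a native or allowed VLAN that is not a VLAN object. The following Python is an added example written for this section, not FortiManager or FortiSwitch code; the port and trunk rows, the VLAN object names and the feature flag names are constructed, and the checker reports every rule a template would break before it is assigned.

```python
"""Consistency checks for the Switch VLAN Assignments table of a FortiSwitch template.

Added illustration (not FortiManager code): it encodes the per-port and per-trunk
rules stated in the guide and returns every violation it finds.
"""
from dataclasses import dataclass, field

# Options that, for a port inside a trunk, can only be enabled on the trunk itself.
TRUNK_LEVEL_FEATURES = {"dhcp_blocking", "igmp_snooping", "stp", "edge_port",
                        "stp_bpdu_guard", "stp_root_guard"}
TRUNK_MODES = {"lacp-active", "lacp-passive", "static"}


@dataclass
class PortRow:
    name: str
    native_vlan: str
    allowed_vlans: set = field(default_factory=set)
    features: set = field(default_factory=set)    # enabled right-click options


@dataclass
class TrunkRow:
    name: str
    mode: str
    members: set
    features: set = field(default_factory=set)


def check_template(ports, trunks, vlan_objects):
    """Return a list of human-readable problems; an empty list means the table is consistent."""
    problems = []
    member_of = {}                                 # port name -> trunk name
    for t in trunks:
        if t.mode not in TRUNK_MODES:
            problems.append(f"trunk {t.name}: unknown mode {t.mode!r}")
        if "loop_guard" in t.features:
            problems.append(f"trunk {t.name}: Loop Guard cannot be applied to trunks")
        for m in sorted(t.members):
            if m in member_of:
                problems.append(f"port {m}: member of both {member_of[m]} and {t.name}")
            member_of[m] = t.name
    for p in ports:
        if p.native_vlan not in vlan_objects:
            problems.append(f"port {p.name}: native VLAN {p.native_vlan!r} is not a VLAN object")
        for v in sorted(p.allowed_vlans - vlan_objects):
            problems.append(f"port {p.name}: allowed VLAN {v!r} is not a VLAN object")
        trunk = member_of.get(p.name)
        if trunk is None:
            continue                               # stand-alone port: any option may be set on it
        for f in sorted(p.features & TRUNK_LEVEL_FEATURES):
            problems.append(f"port {p.name}: {f} must be enabled on trunk {trunk}, not on the member port")
        if "loop_guard" in p.features:
            problems.append(f"port {p.name}: Loop Guard cannot be applied to ports in trunk {trunk}")
    return problems


# Constructed sample: three VLAN objects, one LACP uplink trunk and four port rows.
SAMPLE_VLANS = {"vlan10-users", "vlan20-voice", "vlan99-quarantine"}
SAMPLE_TRUNKS = [TrunkRow("uplink", "lacp-active", {"port47", "port48"}, {"stp", "stp_root_guard"})]
SAMPLE_PORTS = [
    PortRow("port1", "vlan10-users", {"vlan20-voice"},
            {"stp", "stp_bpdu_guard", "loop_guard", "dhcp_blocking"}),  # access port: fine
    PortRow("port47", "vlan10-users", set(), {"stp"}),                  # STP belongs on the trunk
    PortRow("port48", "vlan10-users", set(), {"loop_guard"}),           # Loop Guard on a member
    PortRow("port2", "vlan30-printers", set(), set()),                  # VLAN object does not exist
]

if __name__ == "__main__":
    for line in check_template(SAMPLE_PORTS, SAMPLE_TRUNKS, SAMPLE_VLANS):
        print(line)
```

Run stand-alone it prints three findings for the sample: STP on port47, Loop Guard on port48, and the missing VLAN object on port2; port1, a stand-alone access port, is accepted with all of its options.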
Importing FortiSwitch templates
FortiSwitch templates can be imported from connected devices, and then applied to other FortiSwitch devices of the
same model.
To import a FortiSwitch template:
1. On the FortiSwitch Template pane, click Import in the toolbar. The Import window opens.
2. Select a FortiGate from the drop-down list.
3. Select the FortiSwitch whose template will be imported from the drop-down list.
4. Enter a name for the template in the New Name field.
5. Click OK.
The template is imported from the device.
FortiSwitch VLANs
VLANs are used when creating FortiSwitch templates.
To view FortiSwitch VLANs, ensure that you are in the correct ADOM, go to FortiSwitch Manager > FortiSwitch
Templates, and select FortiSwitch VLANs in the tree menu.
The following options are available in the toolbar and right-click menu:
Create New Create a new FortiSwitch VLAN. See Creating FortiSwitch VLANs on page 315.
Edit Edit the selected VLAN.
Delete Delete the selected VLAN or VLANs.
Search Enter a search string into the search field to search the VLAN list.
To edit a VLAN:
1. Either double-click a VLAN, right-click a VLAN and select Edit, or select a VLAN then click Edit in the toolbar. The
Edit VLAN Definition pane opens. The interface name and VLAN ID cannot be edited.
2. Edit the settings as required, then click OK to apply your changes.
To delete VLANs:
1. Select the VLAN or VLANs that will be deleted.
2. Either click Delete from the toolbar, or right-click and select Delete.
3. Click OK in the confirmation dialog box to delete the selected VLAN or VLANs.
Creating FortiSwitch VLANs
To create a FortiSwitch VLAN:
1. On the FortiSwitch VLAN pane, click Create New in the toolbar. The Create New VLAN Definition window opens.
2. Enter the following information, then click OK to add the new VLAN.
Interface Name Enter a name for the interface.
VLAN ID Enter the VLAN ID.
Role Select the role for the interface: DMZ, LAN, UNDEFINED, or
WAN.
Estimated Bandwidth Enter the estimated upstream and downstream bandwidths.
This option is only available when Role is WAN.
Address
Addressing mode The addressing mode.
IP/Network Mask Enter the IP address and netmask.
IPv6 Addressing mode Select the IPv6 addressing mode: Manual or DHCP.
IPv6 Address/Prefix Enter the IPv6 address.
This option is only available when IPv6 Addressing mode is
Manual.
Restrict Access
Administrative Access Select the allowed administrative service protocols from:
CAPWAP, DNP, FGFM, FTM, HTTP, HTTPS, PING, PROBE-RESPONSE,
RADIUS-ACCT, SNMP, SSH, and TELNET.
IPv6 Administrative Access Select the allowed administrative service protocols from:
CAPWAP, FGFM, HTTP, HTTPS, PING, SNMP, SSH, and
TELNET.
DHCP Server Turn the DHCP server on or off.
This option is only available when Role is LAN or UNDEFINED.
DHCP Server IP Enter the DHCP server IP address.
This option is only available when DHCP Server is ON and Mode
is Relay.
Address Range Configure address ranges for DHCP. Click Create to create a new
range. Ranges can also be edited and deleted as required.
This option is only available when DHCP Server is ON and Mode
is Server.
Netmask Enter the netmask.
This option is only available when DHCP Server is ON and Mode
is Server.
Default Gateway Configure the default gateway: Same as Interface IP, or Specify.
If set to Specify, enter the gateway IP address in the field.
This option is only available when DHCP Server is ON and Mode
is Server.
DNS Server Configure the DNS server: Same as System DNS, Same as
Interface IP, or Specify.
This option is only available when DHCP Server is ON and Mode
is Server.
DNS Server 1 - 3 Enter the DNS server IP addresses.
This option is only available when DHCP Server is ON, Mode is
Server, and DNS Server is Specify.
Mode Select the DHCP mode: Server or Relay.
This option is only available when DHCP Server is ON.
NTP Server Configure the NTP server: Local, Same as System NTP, or
Specify. If set to Specify, enter the NTP server IP address in the
field.
This option is only available when DHCP Server is ON and Mode
is Server.
Time Zone Configure the timezone: Disable, Same as System, or Specify. If
set to Specify, select the timezone from the dropdown list.
This option is only available when DHCP Server is ON and Mode
is Server.
Next Bootstrap Server Enter the IP address of the next bootstrap server.
This option is only available when DHCP Server is ON and Mode
is Server.
Additional DHCP Options In the Lease Time field, enter the lease time, in seconds. Default:
604800 seconds (7 days).
Add DHCP options to the table. See To add additional DHCP
options: on page 320 for details. Options can also be edited and
deleted as required.
This option is only available when DHCP Server is ON and Mode
is Server.
MAC Reservation + Access Control Select the action to take with unknown MAC addresses: assign or
block.
Add MAC address actions to the table. See To add a MAC address
reservation: on page 320 for details. Reservations can also be
edited and deleted as required.
This option is only available when DHCP Server is ON and Mode
is Server.
Type Select the type: Regular, or IPsec.
This option is only available when DHCP Server is ON.
Networked Devices These options are only available when Role is DMZ, LAN, or
UNDEFINED.
Device Detection Turn device detection on or off.
Active Scanning Turn active scanning on or off.
This option is only available when Device Detection is on.
Admission Control These options are only available when Role is LAN or
UNDEFINED.
Security Mode Select the security mode: CAPTIVE-PORTAL, or NONE.
Authentication Portal Configure the authentication portal: Local or External. If External
is selected, enter the portal in the field.
This option is only available when Security Mode is CAPTIVE-PORTAL.
User Access Select Restricted to Groups or Allow All.
This option is only available when Security Mode is CAPTIVE-PORTAL.
User Groups Select user groups from the available groups.
This option is available when Security Mode is CAPTIVE-PORTAL
and User Access is Restricted to Groups.
Exempt Sources Select sources that are exempt from the available firewall
addresses.
This option is only available when Security Mode is CAPTIVE-PORTAL.
Device Select user devices, device categories, and/or device groups.
This option is only available when Security Mode is CAPTIVE-PORTAL.
Exempt Destinations Select destinations that are exempt from the available firewall
addresses.
This option is only available when Security Mode is CAPTIVE-PORTAL.
Exempt Services Select services that are exempt from the available firewall
services.
This option is only available when Security Mode is CAPTIVE-PORTAL.
Miscellaneous
Scan Outgoing Connections to Botnet Sites Select Block, Disable, or Monitor.
Secondary IP Address Turn secondary IP addresses on or off.
Add IP addresses to the table. See To add a secondary IP
address: on page 320 for details. Addresses can also be edited
and deleted as required.
Status
Comments Optionally, enter comments.
Interface State Select if the interface is Enabled or Disabled.
Advanced Options
color Change the color of the interface to one of the 32 options.
Per-Device Mapping Enable per-device mapping.
Add mappings to the table. See To add per device mapping: on
page 321 for details. Mappings can also be edited and deleted as
required.
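Most rows in the VLAN definition table are conditional on another row ("only available when Role is WAN", "only available when DHCP Server is ON and Mode is Server", "only available when Security Mode is CAPTIVE-PORTAL"), and the Administrative Access row decides which management protocols answer on the VLAN. The following Python is an added example for this section, not FortiManager code: it treats a VLAN definition as a plain dict whose key names are assumed, checks the dependency rules the table states, and additionally warns when HTTP or TELNET is selected, because both carry administrator credentials in cleartext across the VLAN.

```python
"""Dependency and hygiene checks for one FortiSwitch VLAN definition.

Added illustration, not FortiManager code. cfg is a plain dict whose keys are
assumed names for the form fields; the rules are the "only available when"
conditions of the table, plus a warning for cleartext management protocols.
"""
ROLES = {"DMZ", "LAN", "UNDEFINED", "WAN"}
ADMIN_ACCESS = {"CAPWAP", "DNP", "FGFM", "FTM", "HTTP", "HTTPS", "PING",
                "PROBE-RESPONSE", "RADIUS-ACCT", "SNMP", "SSH", "TELNET"}
ADMIN_ACCESS_V6 = {"CAPWAP", "FGFM", "HTTP", "HTTPS", "PING", "SNMP", "SSH", "TELNET"}
CLEARTEXT = {"HTTP", "TELNET"}        # management credentials would cross the VLAN unencrypted
SERVER_MODE_ONLY = ("address_range", "netmask", "default_gateway", "dns_server", "ntp_server",
                    "time_zone", "next_bootstrap_server", "lease_time", "dhcp_options",
                    "mac_reservations")
PORTAL_ONLY = ("authentication_portal", "user_access", "user_groups", "exempt_sources",
               "exempt_devices", "exempt_destinations", "exempt_services")


def validate_vlan(cfg):
    """Return (errors, warnings): errors break a dependency rule, warnings are hygiene findings."""
    errors, warnings = [], []
    role = cfg.get("role")
    if role not in ROLES:
        errors.append(f"role must be one of {sorted(ROLES)}, got {role!r}")
    if "estimated_bandwidth" in cfg and role != "WAN":
        errors.append("estimated_bandwidth is only available when role is WAN")
    for key, allowed in (("admin_access", ADMIN_ACCESS), ("ipv6_admin_access", ADMIN_ACCESS_V6)):
        chosen = set(cfg.get(key, ()))
        for proto in sorted(chosen - allowed):
            errors.append(f"{key}: {proto!r} is not a selectable protocol")
        for proto in sorted(chosen & CLEARTEXT):
            warnings.append(f"{key}: {proto} is cleartext management access; prefer HTTPS and SSH")
    mode = cfg.get("dhcp_mode")
    if cfg.get("dhcp_server") == "ON":
        if role not in {"LAN", "UNDEFINED"}:
            errors.append("dhcp_server is only available when role is LAN or UNDEFINED")
        if mode not in {"Server", "Relay"}:
            errors.append(f"dhcp_mode must be Server or Relay, got {mode!r}")
        if (mode == "Relay") != ("dhcp_server_ip" in cfg):
            errors.append("dhcp_server_ip is required in Relay mode and only available there")
        if mode != "Server":
            errors.extend(f"{k} is only available when dhcp_mode is Server" for k in SERVER_MODE_ONLY if k in cfg)
        if (cfg.get("dns_server") == "Specify") != bool(cfg.get("dns_servers")):
            errors.append("dns_servers must be given exactly when dns_server is Specify")
    else:
        errors.extend(f"{k} is only available when dhcp_server is ON"
                      for k in ("dhcp_mode", "dhcp_server_ip") + SERVER_MODE_ONLY if k in cfg)
    if "security_mode" in cfg:
        if role not in {"LAN", "UNDEFINED"}:
            errors.append("admission control is only available when role is LAN or UNDEFINED")
        if cfg["security_mode"] == "NONE":
            errors.extend(f"{k} is only available when security_mode is CAPTIVE-PORTAL"
                          for k in PORTAL_ONLY if k in cfg)
        elif cfg["security_mode"] == "CAPTIVE-PORTAL":
            if cfg.get("user_groups") and cfg.get("user_access") != "Restricted to Groups":
                errors.append("user_groups requires user_access = Restricted to Groups")
        else:
            errors.append(f"security_mode must be CAPTIVE-PORTAL or NONE, got {cfg['security_mode']!r}")
    if cfg.get("device_detection") == "ON" and role not in {"DMZ", "LAN", "UNDEFINED"}:
        errors.append("device_detection is only available when role is DMZ, LAN or UNDEFINED")
    if cfg.get("active_scanning") == "ON" and cfg.get("device_detection") != "ON":
        errors.append("active_scanning is only available when device_detection is ON")
    return errors, warnings


# Constructed samples: a valid user VLAN that still allows TELNET, and a WAN VLAN that
# enables DHCP and admission control where the table does not offer them.
SAMPLE_LAN = {
    "interface_name": "vlan10-users", "vlan_id": 10, "role": "LAN",
    "ip": "10.10.10.1/255.255.255.0", "admin_access": ["HTTPS", "SSH", "PING", "TELNET"],
    "dhcp_server": "ON", "dhcp_mode": "Server",
    "address_range": [("10.10.10.100", "10.10.10.200")], "netmask": "255.255.255.0",
    "default_gateway": "Same as Interface IP", "dns_server": "Specify", "dns_servers": ["10.10.1.53"],
    "lease_time": 604800, "security_mode": "CAPTIVE-PORTAL",
    "user_access": "Restricted to Groups", "user_groups": ["staff"],
    "device_detection": "ON", "active_scanning": "ON",
}
SAMPLE_WAN = {
    "interface_name": "vlan200-wan", "vlan_id": 200, "role": "WAN", "admin_access": ["HTTPS", "SSH"],
    "dhcp_server": "ON", "dhcp_mode": "Relay", "dhcp_server_ip": "10.0.0.5",
    "netmask": "255.255.255.0", "security_mode": "NONE",
}

if __name__ == "__main__":
    for name, cfg in (("SAMPLE_LAN", SAMPLE_LAN), ("SAMPLE_WAN", SAMPLE_WAN)):
        print(name, validate_vlan(cfg))
```

For the sample LAN definition the checker reports no errors and one warning (TELNET); for the WAN definition it reports three errors (DHCP server on a WAN role, a Server-mode field in Relay mode, admission control on a WAN role).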
To add additional DHCP options:
1. Click Create in the Additional DHCP Options table toolbar. The Additional DHCP Options dialog box opens.
2. Enter the Option Code.
3. Select the Type: hex, ip, or string.
4. Enter the corresponding value.
5. Click OK to create the option.
To add a MAC address reservation:
1. Click Create in the MAC Reservation + Access Control table toolbar. The MAC Reservation + Access Control
dialog box opens.
2. Enter the MAC Address.
3. Select the End IP: Assign IP, Block, or Reserve IP. If reserving the IP address, enter it in the field.
4. Optionally, enter a description.
5. Click OK to create the reservation.
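The two procedures above describe an option row (Option Code, Type hex/ip/string, value) and a reservation row (MAC address, then Assign IP, Block or Reserve IP), but not what they amount to on the wire or at lease time. The following Python is an added example for this section, not FortiManager or FortiOS code: it encodes an option row as the RFC 2132 type-length-value field a DHCP server would place in its reply (so the three Type choices become concrete), parses such a block back, and applies a reservation table together with the unknown-MAC action (assign or block). The option rows, MAC addresses and addresses are constructed.

```python
"""Wire encoding of Additional DHCP Options and the MAC Reservation + Access Control decision.

Added illustration, not FortiManager code. Option values are encoded as RFC 2132
type-length-value fields; the reservation table is modelled as a dict.
"""
import ipaddress

OPTION_PAD, OPTION_END = 0, 255


def encode_dhcp_option(code, type_, value):
    """Encode one option row (Option Code, Type, value) as code|length|payload bytes."""
    if not 1 <= code <= 254:
        raise ValueError("option code must be 1-254 (0 is PAD, 255 is END)")
    if type_ == "hex":
        payload = bytes.fromhex(value)                 # rejects odd length and non-hex digits
    elif type_ == "ip":                                 # one or more comma-separated IPv4 addresses
        payload = b"".join(ipaddress.IPv4Address(a.strip()).packed for a in value.split(","))
    elif type_ == "string":
        payload = value.encode("ascii")
    else:
        raise ValueError(f"unknown type {type_!r}; expected hex, ip or string")
    if not 1 <= len(payload) <= 255:
        raise ValueError("option payload must be 1-255 bytes")
    return bytes([code, len(payload)]) + payload


def decode_dhcp_options(blob):
    """Parse a TLV option block back into [(code, payload), ...], stopping at END."""
    out, i = [], 0
    while i < len(blob):
        code = blob[i]
        if code == OPTION_END:
            break
        if code == OPTION_PAD:
            i += 1
            continue
        length = blob[i + 1]
        payload = blob[i + 2:i + 2 + length]
        if len(payload) != length:
            raise ValueError(f"option {code} is truncated")
        out.append((code, payload))
        i += 2 + length
    return out


def reservation_decision(mac, reservations, unknown_mac_action):
    """Apply the table: a known MAC gets its row's action, an unknown MAC gets assign or block."""
    row = reservations.get(mac.lower())
    if row is None:
        if unknown_mac_action not in ("assign", "block"):
            raise ValueError("unknown-MAC action must be assign or block")
        return (unknown_mac_action, None)
    action, ip = row
    if action == "Reserve IP":
        return ("reserve", str(ipaddress.IPv4Address(ip)))   # validates the reserved address
    if action == "Assign IP":
        return ("assign", None)
    if action == "Block":
        return ("block", None)
    raise ValueError(f"unknown reservation action {action!r}")


# Constructed sample rows: TFTP server name (66), router (3) and a vendor-specific blob (43).
SAMPLE_OPTIONS = [(66, "string", "tftp.example.internal"), (3, "ip", "10.10.10.1"),
                  (43, "hex", "0104c0a80001")]
SAMPLE_RESERVATIONS = {
    "00:11:22:33:44:55": ("Reserve IP", "10.10.10.50"),   # printer keeps a fixed address
    "66:77:88:99:aa:bb": ("Block", None),                  # decommissioned host gets no lease
}

if __name__ == "__main__":
    blob = b"".join(encode_dhcp_option(*row) for row in SAMPLE_OPTIONS) + bytes([OPTION_END])
    print(blob.hex())
    print(decode_dhcp_options(blob))
    print(reservation_decision("00:11:22:33:44:55", SAMPLE_RESERVATIONS, "block"))
```

A hex value of odd length is rejected by the encoder, which is the same error the dialog would have to surface; the decision function lower-cases the MAC so that a table entry matches however the client formats its address.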
To add a secondary IP address:
1. Click Create New in the Secondary IP address table toolbar. A dialog box opens.
2. Enter the IP address and netmask in the IP/Network Mask field.
3. Select the allowed administrative service protocols from: CAPWAP, DNP, FGFM, FTM, HTTP, HTTPS, PING,
PROBE-RESPONSE, RADIUS-ACCT, SNMP, SSH, and TELNET.
4. Click OK to add the address.
To add per device mapping:
1. Click Create New in the Per-Device Mapping table toolbar. The Per-Device Mapping dialog box opens.
2. Select the device to be mapped from the Mapped Device drop-down list.
3. Enter the VLAN ID.
4. Enter the mapped IP address and netmask in the Mapped IP/Netmask field.
5. If required, enable DHCP Server and configure the options (options are the same as when creating a new VLAN
definition).
6. Click OK to add the device mapping.
FortiSwitch security policies
To view FortiSwitch security policies, ensure that you are in the correct ADOM, go to FortiSwitch Manager >
FortiSwitch Templates, and select FortiSwitch Security Policies in the tree menu.
FortiSwitch Security Policies are not available in version 5.4 and 5.2 ADOMs.
The following options are available in the toolbar and right-click menu:
Create New Create a new FortiSwitch security policy. See Creating FortiSwitch security
policies on page 322.
Edit Edit the selected policy.
Delete Delete the selected policy or policies.
Import Import security policies from a managed FortiGate device.
Search Enter a search string into the search field to search the policy list.
To edit a security policy:
1. Either double-click a policy, right-click a policy and select Edit, or select a policy then click Edit in the toolbar. The
Edit Security Policies pane opens. The name cannot be edited.
2. Edit the settings as required, then click OK to apply your changes.
To delete security policies:
1. Select the policy or policies that will be deleted.
2. Either click Delete from the toolbar, or right-click and select Delete.
3. Click OK in the confirmation dialog box to delete the selected policy or policies.
To import security policies:
1. Click Import on the toolbar. The Import dialog box opens.
2. Select the FortiGate that the policies will be imported from in the drop-down list.
3. Select the policies that will be imported.
4. If only one policy is being imported, and its name is already used by a policy on the FortiManager, you can
optionally enter a new name for the policy. If a new name is not entered, or if you are importing multiple policies,
existing policies will be overwritten by imported policies.
5. Click OK in the confirmation dialog box to import the policies.
Creating FortiSwitch security policies
To create a FortiSwitch security policy:
1. On the FortiSwitch Security Policies pane, click Create New in the toolbar. The Create New Security Policies
window opens.
2. Enter the following information, then click OK to create the new security policy.
Name Type a name for the security policy.
Security mode Select the security mode, Port-based or MAC-based.
User groups Select the user groups that the security policy will apply to.
Guest VLAN Enable a guest VLAN, and select the VLAN from the available VLAN objects.
See FortiSwitch VLANs on page 314.
Guest authentication delay Set the guest authentication delay, in seconds (1 - 900, default = 30).
Authentication fail VLAN Enable an authentication failure VLAN, and select the VLAN from the
available VLAN objects. See FortiSwitch VLANs on page 314.
This option is not available when Security mode is MAC-based.
MAC authentication bypass Enable MAC Authentication Bypass (MAB).
EAP pass-through Enable EAP pass-through.
Override RADIUS timeout Enable overriding the RADIUS timeout.
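The security policy form above lists 802.1X options without saying how they interact: which VLAN a client ends up in when it authenticates, fails, has no supplicant, or is a MAB device, and what Port-based versus MAC-based changes once one client has succeeded. The following Python is an added example for this section, not FortiSwitch code: it validates the form's stated constraints (delay 1 to 900 seconds, no authentication-fail VLAN in MAC-based mode) and models the usual 802.1X/MAB outcome ordering as an assumption for teaching purposes. The policy, VLAN names and client records are constructed.

```python
"""Illustrative model of how a FortiSwitch security policy's options decide port access.

Added illustration of 802.1X/MAB semantics, not FortiSwitch's implementation: the
guide lists the options; the outcome ordering modelled here is the common
802.1X behaviour and is an assumption for teaching purposes.
"""
from dataclasses import dataclass


@dataclass
class SecurityPolicy:
    name: str
    security_mode: str                 # "Port-based" or "MAC-based"
    user_groups: list
    guest_vlan: str = None             # VLAN object, or None when the guest VLAN is disabled
    guest_auth_delay: int = 30         # seconds, 1-900
    auth_fail_vlan: str = None         # not available with MAC-based
    mac_auth_bypass: bool = False
    eap_passthrough: bool = False


def validate_policy(p):
    """Enforce the constraints the form states; return True when the policy is acceptable."""
    if p.security_mode not in ("Port-based", "MAC-based"):
        raise ValueError("security mode must be Port-based or MAC-based")
    if not 1 <= p.guest_auth_delay <= 900:
        raise ValueError("guest authentication delay must be 1-900 seconds")
    if p.security_mode == "MAC-based" and p.auth_fail_vlan:
        raise ValueError("authentication fail VLAN is not available when security mode is MAC-based")
    return True


@dataclass
class Client:
    mac: str
    has_supplicant: bool               # sends EAPOL at all?
    credentials_valid: bool = False    # RADIUS verdict for a supplicant
    mab_authorized: bool = False       # MAC known to RADIUS for MAC Authentication Bypass
    seconds_silent: int = 0            # time with no EAPOL seen from this MAC


def authenticate(policy, client, access_vlan):
    """Return (outcome, vlan) for one client arriving on a port that carries this policy."""
    if client.has_supplicant:
        if client.credentials_valid:
            return ("authorized", access_vlan)
        if policy.auth_fail_vlan:                        # failed logins land in a restricted VLAN
            return ("auth-fail", policy.auth_fail_vlan)
        return ("denied", None)
    if policy.mac_auth_bypass and client.mab_authorized:  # printers, phones: MAC known to RADIUS
        return ("mab", access_vlan)
    if policy.guest_vlan and client.seconds_silent >= policy.guest_auth_delay:
        return ("guest", policy.guest_vlan)              # no EAPOL for the whole delay
    return ("pending", None)


class PortSession:
    """Tracks authenticated MACs; shows what Port-based versus MAC-based changes."""
    def __init__(self, policy):
        self.policy = policy
        self.authorized = set()

    def record(self, client, outcome):
        if outcome[0] in ("authorized", "mab"):
            self.authorized.add(client.mac)

    def traffic_allowed(self, mac):
        if self.policy.security_mode == "Port-based":
            return bool(self.authorized)                 # one success opens the port for every MAC
        return mac in self.authorized                    # each MAC must authenticate itself


# Constructed sample policy and clients.
SAMPLE_POLICY = SecurityPolicy("lan-dot1x", "Port-based", ["staff"], guest_vlan="vlan99-guest",
                               guest_auth_delay=30, auth_fail_vlan="vlan98-authfail", mac_auth_bypass=True)
LAPTOP = Client("00:11:22:33:44:01", has_supplicant=True, credentials_valid=True)
PRINTER = Client("00:11:22:33:44:02", has_supplicant=False, mab_authorized=True)
VISITOR = Client("00:11:22:33:44:03", has_supplicant=False, seconds_silent=45)

if __name__ == "__main__":
    validate_policy(SAMPLE_POLICY)
    for c in (LAPTOP, PRINTER, VISITOR):
        print(c.mac, authenticate(SAMPLE_POLICY, c, "vlan10-users"))
```

The PortSession class is the practical reason to choose MAC-based mode on ports that may carry a small hub or an unmanaged switch: in Port-based mode the first authenticated client authorizes every MAC behind the port.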
Endpoint Compliance
The FortiClient Manager pane enables you to centrally manage FortiClient profiles for multiple FortiGate devices and
monitor FortiClient endpoints that are connected to FortiGate devices.
Endpoint control ensures that workstation computers (endpoints) and other network devices meet security
requirements. Otherwise they are not permitted access. Endpoint control enforces the use of FortiClient Endpoint
Security and pushes a FortiClient profile to the FortiClient application.
For information about FortiClient, see the FortiClient Administration Guide.
Additional configuration options and shortcuts are available using the right-click menu. Right-click on different
parts of the navigation panes in the GUI to access these menus.
The FortiClient Manager pane includes the following tabs in the blue banner:
FortiTelemetry View managed FortiGate devices with central FortiClient management enabled.
You can enable or disable FortiTelemetry for interfaces, enable or disable
FortiClient enforcement on interfaces, and assign FortiClient profile packages to
devices.
Monitor Monitor FortiClient endpoints by compliance status or interface. You can perform
the following actions on FortiClient endpoints: block, unblock, quarantine,
release quarantine, and unregister. You can also exempt non-compliant
FortiClient endpoints from compliance rules.
FortiClient profiles View and create profile packages and FortiClient profiles. You can also import
FortiClient profiles from FortiGate devices.
Centralized FortiClient management is enabled by default. You use the FortiClient Manager pane to enable
FortiTelemetry and FortiClient enforcement on FortiGate interfaces as well as create and assign FortiClient profile
packages to one or more FortiGate devices or VDOMs. Profile packages are installed to devices when you install
configurations to the devices.
The following steps provide an overview of using centralized FortiClient management to configure, assign, and install
FortiClient profiles:
To create and assign FortiClient profile packages:
1. Create a FortiClient profile package. See Creating FortiClient profile packages on page 331.
2. Select the profile package, and create one or more FortiClient profiles. See Creating FortiClient profiles on page
332.
3. Enable FortiTelemetry on FortiGate interfaces. See Enabling FortiTelemetry on interfaces on page 326.
4. Enable FortiClient enforcement on FortiGate interfaces. See Enabling endpoint control on interfaces on page 327.
5. Assign profile packages to FortiGate interfaces. See Assigning profile packages on page 336.
To install configuration changes to devices:
1. On the FortiClient Manager > FortiClient Profiles pane, click Install Wizard.
2. Follow the prompts in the wizard. See Using the Install Wizard to install policy packages and device settings on
page 67.
How FortiManager fits into endpoint compliance
The FortiClient settings available in FortiManager are intended to complement FortiClient support that is available with
FortiClient EMS and FortiGate. Each product performs specific functions:
- FortiClient EMS is used to deploy FortiClient (Windows) endpoints and FortiClient profiles, and the endpoints can
connect FortiClient Telemetry to FortiGate or to FortiClient EMS. You can import FortiClient profiles from
FortiGate devices to FortiClient EMS, and use FortiClient EMS to deploy the profiles. Alternately, you can use
FortiClient EMS to create and deploy profiles. When FortiClient endpoints connect FortiClient Telemetry to EMS,
you can use FortiClient EMS to monitor FortiClient endpoints.
- FortiManager provides central FortiClient management for FortiGate devices that are managed by FortiManager.
In FortiManager, you can create one or more FortiClient profiles that you can assign to multiple FortiGate devices.
You can also import FortiClient profiles from one FortiGate device and assign the FortiClient profile to other
FortiGate devices. When FortiClient endpoints are registered to managed FortiGate devices, you can use
FortiManager to monitor FortiClient endpoints from multiple FortiGate devices.
- FortiGate provides compliance rules for network access control. FortiGate devices enforce network compliance for
connected FortiClient endpoints. FortiGate devices communicate between FortiClient endpoints and
FortiManager.
FortiTelemetry
On the FortiClient Manager > FortiTelemetry pane, you can enable and disable FortiTelemetry and FortiClient
enforcement on FortiGate interfaces to use for FortiClient communication. You can also assign FortiClient profile
packages to FortiGate devices.
After you make configuration changes, install the changes to the device. See Installing to devices on page 67.
Viewing devices
The FortiClient Manager > FortiTelemetry pane displays FortiGate devices with central FortiClient management
enabled.
To view devices:
1. If using ADOMs, ensure that you are in the correct ADOM.
2. Go to FortiClient Manager > FortiTelemetry. The list of FortiGate devices is displayed in the tree menu.
3. Select a device.
The following options are available in the toolbar for the selected device:
Add Interface Click to enable FortiTelemetry on interfaces for the selected device to use for
FortiClient communication.
Remove Interface Click to disable FortiTelemetry on the selected interface.
Assign Profile Click to assign a FortiClient profile package to the FortiGate.
The following information is displayed in the content pane for the selected device:
Virtual Domain Displays the name of the virtual domain for the selected FortiGate device if
applicable.
Interface Displays the interfaces with FortiTelemetry enabled for the FortiGate device. The
interfaces are used for FortiClient communication, and FortiClient endpoints use
the interface to connect or register to FortiGate.
IP Displays the IP address for the interface.
Enforce FortiClient Displays whether FortiClient is enforced on the interface. A green checkmark
indicates FortiClient is enforced. An x in a circle indicates that FortiClient is not
enforced.
Profile Package Displays the name of the FortiClient profile package that is assigned to the
FortiGate interface.
Enabling FortiTelemetry on interfaces
When you add an interface on the FortiClient Manager > FortiTelemetry pane, you are enabling FortiTelemetry for the
interface, and the interface is used for connection and communication with FortiClient endpoints.
When you remove an interface on the FortiClient Manager > FortiTelemetry pane, you are disabling FortiTelemetry for
the interface.
To enable FortiTelemetry on interfaces:
1. Go to FortiClient Manager > FortiTelemetry. The list of FortiGate devices is displayed in the tree menu.
2. Select a FortiGate device, and click Add Interface.
3. Select one or more interfaces to use for FortiClient communication, and click OK. The selected interfaces are
displayed in the Interface column, and FortiTelemetry is enabled for the interfaces.
Enabling endpoint control on interfaces
When you enable FortiClient enforcement on an interface, you are enabling endpoint control, and all FortiClient
endpoints using the interface are required to adhere to the FortiGate compliance rules that are specified in the profile
that is applied to the endpoint.
When you disable FortiClient enforcement on an interface, you are disabling endpoint control, and FortiClient endpoints
are not required to adhere to FortiGate compliance rules.
To enable FortiClient enforcement on interfaces:
1. Go to FortiClient Manager > FortiTelemetry. The list of FortiGate devices is displayed in the tree menu.
2. Click a FortiGate device.
3. Right-click an interface, and select Enable Enforce FortiClient.
You can disable FortiClient enforcement for the interface by selecting Disable Enforce FortiClient.
Assigning FortiClient profile packages to devices
You can use the FortiClient Manager > FortiTelemetry pane to assign FortiClient profile packages to interfaces for
FortiGate devices, and you can use the Install Wizard to install profile packages to FortiGate devices when you install a
configuration to the FortiGate device.
To assign FortiClient profile packages:
1. In the left pane, select a device.
2. In the content pane, click Assign Profile. The Assign Profile dialog box is displayed.
3. Select a profile package, and click OK. The selected profile package is assigned to the added interface(s).
4. Install the configuration changes to the FortiGate device.
Monitor
On the FortiClient Manager > Monitor pane, you can monitor FortiClient endpoints that are registered to FortiGate
devices.
Monitoring FortiClient endpoints
The list of FortiClient endpoints updates automatically when new endpoints are registered to the FortiGate device. You
can also click Refresh to update the list of FortiClient endpoints.
To monitor FortiClient endpoints:
1. If using ADOMs, ensure that you are in the correct ADOM.
2. Go to FortiClient Manager > Monitor.
3. In the tree menu, select a FortiGate device.
The following buttons are available on the toolbar for the selected device:
Refresh Click to refresh the list of FortiClient endpoints for the selected device.
Action Click to select one of the following actions for the selected FortiClient
endpoint:
- Block
- Unblock
- Quarantine
- Release Quarantine
- Unregister
Column Settings Click to select which columns to display or select Reset to Default to display
the default columns.
By Interface Click to organize the display of FortiClient endpoints by the undetected
interfaces and interface name. In the Device column, click Undetected or the
interface name to hide and display its list of FortiClient endpoints.
By Compliance Status Click to organize the display of FortiClient endpoints by the following
compliance statuses: Noncompliant and Exempt. In the Device column, click
Noncompliant or Exempt to hide and display its list of FortiClient endpoints.
The following default columns of information are available for the selected device:
Device Displays the name of the FortiClient endpoint that is registered to the selected
FortiGate device. It also displays an icon that represents the operating system
on the FortiClient endpoint. You can hover over each device to view device
details.
User Displays the name of the user logged into the FortiClient endpoint.
IP address Displays the IP address of the FortiClient endpoint.
Status Displays one of the following statuses for the FortiClient endpoint:
- Online
- Offline
- Registered-Online
- Registered-Offline
- Un-Registered
FortiClient Version Displays the version of FortiClient software installed on the FortiClient
endpoint.
FortiManager Administration Guide Fortinet Technologies Inc.Endpoint Compliance 329
FortiClient Profile Displays the name of the FortiClient profile that is assigned to the FortiClient
endpoint.
Compliance Displays one of the following icons of compliance statuses for the FortiClient
endpoint:
l Compliant
l Endpoint is not compliant with FortiClient profile
l Quarantined
l FortiTelemetry is disabled
l Exempt
Hover the mouse over the compliance status icon to view more information.
Additional information about why the endpoint is not compliant may also be
displayed.
Monitoring FortiClient endpoints by compliance status
To monitor FortiClient endpoints by compliance status:
1. Go to FortiClient Manager > Monitor.
2. In the tree menu, select a FortiGate device.
3. Click By Compliance Status.
The list of FortiClient endpoints is displayed by compliance status.
4. In the Device column, click the compliance status to hide or display its list of FortiClient endpoints.
For example, click Noncompliant to hide or display the list of FortiClient endpoints with a status of noncompliant.
5. In the Compliance column, hover the mouse over the compliance status to view more details.
Monitoring FortiClient endpoints by interface
To monitor FortiClient endpoints by interface:
1. Go to FortiClient Manager > Monitor.
2. In the tree menu, select a FortiGate device.
3. Click By Interface.
The list of FortiClient endpoints is displayed by interface.
4. In the Device column, click Undetected or the name of the interface to hide or display its list of FortiClient endpoints.
Exempting non-compliant FortiClient endpoints
You can exempt FortiClient endpoints that are non-compliant from the compliance rules to allow the endpoints to
access the network.
To exempt non-compliant FortiClient endpoints:
1. Go to FortiClient Manager > Monitor.
2. In the tree menu, select a FortiGate device.
3. Select one or more FortiClient endpoints.
4. Right-click the selected FortiClient endpoint, and select Exempt this device or Exempt all devices of this type.
The FortiClient endpoint is exempt from the compliance rules.
5. Install the configuration changes to the FortiGate device.
FortiClient profiles
The FortiClient Manager > Profiles pane allows you to create and manage FortiClient profile packages and profiles for
endpoints. You can create profile packages of profiles for endpoints that are running the following operating systems:
Windows, Mac, iOS, and Android.
The following information is displayed on the FortiClient Manager > FortiClient Profiles pane:
Profile Package: In the Profile Package menu, you can select to create, rename, or delete a FortiClient profile package.
Assign Profile Package: Assigns the selected FortiClient profile package to a device.
Install Wizard: Click to launch the Install Wizard to install device settings to devices. This process installs the FortiClient profile package that is assigned to the device.
Viewing profile packages
To view profile packages:
1. Go to FortiClient Manager > FortiClient Profiles.
2. Click All Profile Packages.
The following options are available in the toolbar:
Create New: Click to create a new FortiClient profile package.
Rename: Click to rename the selected profile package.
Delete: Click to delete the selected profile package and all of its profiles.
The following information is displayed in the content pane:
Package Name: Displays the name of the profile package.
Device Targets: Displays the name of the device to which the profile package has been assigned.
Viewing FortiClient profiles
To view FortiClient profiles:
1. Go to FortiClient Manager > FortiClient Profiles.
2. In the All Profile Packages tree menu, click a profile.
The following options are available in the toolbar:
Create New: Click to create a new FortiClient profile for the selected FortiClient profile package.
Edit: Select a profile, and click Edit to edit the profile. Alternatively, double-click the profile to open the Edit FortiClient Profile pane.
Delete: Select a profile, and click Delete to delete the profile from the selected FortiClient profile package. Alternatively, right-click a profile, and select Delete.
Move: Change the order of the profiles.
Import: Select to import a FortiClient profile from an existing device or VDOM into the selected FortiClient profile package.
Column Settings: Click to select which columns to display, or select Reset to Default to display the default columns.
The following information is displayed in the content pane:
Seq.#: Displays the sequence number of the FortiClient profile.
FortiClient Profile: Displays the name of the FortiClient profile for the selected FortiClient profile package.
Assign To: Displays the device groups, user groups, and users associated with the FortiClient profile.
Comments: Displays any comments about the FortiClient profile.
Non-Compliance Action: Displays the selected non-compliance action settings from the FortiClient profile. The settings include: Warning, Block, or Auto-Update.
Last Modified: Shows the last modified date.
Creating FortiClient profile packages
FortiClient profile packages contain one or more FortiClient profiles. You assign FortiClient profile packages to devices
or VDOMs.
FortiManager includes a default FortiClient profile package, and you can create multiple profiles for the profile package.
You can also create custom FortiClient profile packages and profiles.
To create profile packages:
1. Go to FortiClient Manager > FortiClient Profiles.
2. From the Profile Package menu, select Create New.
3. Type a name, and click OK.
Creating FortiClient profiles
You can create one or more FortiClient profiles in a FortiClient profile package. The FortiClient profile identifies the
FortiGate compliance rules and the non-compliance action to apply to endpoints that fail to meet the compliance rules.
The FortiClient profile does not contain any configuration information for FortiClient. The
FortiClient profile only identifies the compliance rules that FortiClient endpoints must meet to
maintain access to the network.
You can enable compliance rules for the following categories in a FortiClient profile:
l Endpoint Vulnerability Scan on Client
l System Compliance
l Security Posture Check
For each category, you can specify how to handle endpoints that fail to meet the compliance rules. You can choose to block non-compliant endpoints from network access, or warn non-compliant endpoints but still allow network access. For example, you could set the non-compliance action to Block for Endpoint Vulnerability Scan on Client and to Warning for Security Posture Check.
For more information on configuring FortiClient Profiles and Endpoint Control, see the FortiOS Handbook and the
FortiClient Administration Guide.
FortiClient profiles can be created, edited, deleted, and imported from devices using the right-click menu and toolbar
selections.
In FortiOS, this feature is found at Security Profiles > FortiClient Profiles.
To create a new FortiClient profile:
1. Go to FortiClient Manager > FortiClient Profiles.
2. In the tree menu, select the FortiClient profile package in which to create profiles.
3. In the content pane, click Create New.
The Create New FortiClient Profile pane opens.
4. Enter the following information:
Profile Name: Type a name for the new FortiClient profile. Characters that could be used for cross-site scripting (XSS) are not accepted in the name.
Comments: (Optional) Type a profile description.
Assign Profile To: Identify where to assign the profile:
l Device Groups: Select device groups from the list.
l User Groups: Select user groups from the list.
l Users: Select users from the list.
l Address: Select addresses from the list.
You can assign the profile to user groups and users when using Active Directory authentication or RADIUS authentication for VPN.
On-Net Detection By Address: Identify whether to use an address to detect when endpoints are on-net. Select the address(es) from the list.
5. Set the compliance rules and non-compliance action for Endpoint Vulnerability Scan on Client:
Endpoint Vulnerability Scan on Client: Toggle ON to add a rule about Vulnerability Scanning on Client. When toggled ON, the Vulnerability Scanning module must be enabled in FortiClient on endpoints. Toggle OFF to exclude Vulnerability Scanning on Client from the compliance rules.
Non-compliance action: Specify how to handle endpoints that fail to meet the compliance rules for Endpoint Vulnerability Scan on Client. Select Block to block non-compliant endpoints from network access. Select Warning to warn non-compliant endpoints, but allow network access.
Vulnerability quarantine level: When Endpoint Vulnerability Scan on Client is toggled ON, you can select a minimum quarantine level from the Vulnerability quarantine level list. Endpoints with detected vulnerabilities that reach the minimum severity level or higher are quarantined.
6. Set the compliance rules and non-compliance action for System Compliance:
System compliance: Toggle ON to enable compliance rules for System compliance and display options for rules. Toggle OFF to exclude system compliance from the compliance rules.
Minimum FortiClient Version: Toggle ON to add a rule about minimum FortiClient version. When toggled ON, endpoints must have the minimum version or higher of FortiClient installed to remain compliant. Specify the minimum version in the Windows endpoints and Mac endpoints boxes. Toggle OFF to remove the rule about minimum FortiClient version from the compliance rules.
Windows endpoints: When Minimum FortiClient Version is toggled ON, you can type the minimum version of FortiClient that is required on endpoints running a Windows operating system.
Mac endpoints: When Minimum FortiClient Version is toggled ON, you can type the minimum version of FortiClient that is required on endpoints running a Macintosh operating system.
Upload logs to FortiAnalyzer: Toggle ON to add a rule about logging. When toggled ON, FortiClient must send logs to FortiAnalyzer for the endpoint to remain compliant. Select which of the following FortiClient logs must be sent to FortiAnalyzer:
l Traffic
l Vulnerability
l Event
Toggle OFF to remove the rule about logging from the compliance rules.
Non-compliance action: Specify how to handle endpoints that fail to meet the compliance rules for System Compliance. Select Block to block non-compliant endpoints from network access. Select Warning to warn non-compliant endpoints, but allow network access.
7. Set the compliance rules and non-compliance action for Security Posture Check:
Security Posture Check: Toggle ON to enable compliance rules for Security Posture Check and display more options. When toggled ON, select which modules must be enabled in FortiClient for endpoints to remain compliant. Toggle OFF to remove rules about Security Posture Check from the compliance rules.
Real-time Protection: Toggle ON to add a rule about real-time protection to the compliance rules. When toggled ON, FortiClient must have real-time protection enabled for endpoints to remain compliant. Toggle OFF to remove the rule about real-time protection from the compliance rules.
Up-to-date signatures: Toggle ON to add a rule about up-to-date signatures to the compliance rules. When toggled ON, FortiClient real-time protection must have up-to-date signatures for endpoints to remain compliant. Toggle OFF to remove the rule about up-to-date signatures from the compliance rules.
Scan with FortiSandbox: Toggle ON to add a rule about FortiSandbox scanning to the compliance rules. When toggled ON, FortiClient real-time protection must have FortiSandbox scanning enabled for endpoints to remain compliant. Note: A FortiSandbox device is required, and it must be configured to work with FortiClient. Toggle OFF to remove the rule about FortiSandbox scanning from the compliance rules.
Third party AntiVirus on Windows: Toggle ON to add a rule about third-party antivirus software for endpoints running a Windows operating system to the compliance rules. When toggled ON, endpoints running a Windows operating system must have recognized third-party antivirus software installed to remain compliant. Note: Real-time Protection must be toggled OFF before you can toggle ON Third party AntiVirus on Windows. Toggle OFF to remove the rule about third-party antivirus software from the compliance rules.
Web Filter: Toggle ON to add a rule about Web Filter to the compliance rules and display more options. Toggle OFF to exclude the rule about Web Filter from the compliance rules.
Profile: When Web Filter is toggled ON, you can select a web filter profile. A default profile is selected by default.
Application Firewall: Toggle ON to add a rule about Application Firewall to the compliance rules and display more options. Toggle OFF to exclude the setting from the compliance rules.
Application Control Sensor: When Application Firewall is toggled ON, you can select an application control sensor. A default application control sensor is selected by default.
Non-compliance action: Specify how to handle endpoints that fail to meet the compliance rules for Security Posture Check. Select Block to block non-compliant endpoints from network access. Select Warning to warn non-compliant endpoints, but allow network access.
8. Click OK.
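The evaluation that steps 5 to 7 imply, written out as an added example (not FortiManager or FortiOS code): a Profile object carries the toggles of the three rule categories, and evaluate() returns the status the Monitor pane's Compliance column shows, together with the non-compliance action. The class and function names, the endpoint dictionary keys, the rule that Block outranks Warning when several categories fail, and the precedence of quarantine over Block/Warning are assumptions of this example; the sample profile and endpoint records are constructed.

```python
"""Evaluate a FortiClient endpoint against a FortiClient profile's compliance rules.
Added example for this guide, not FortiManager or FortiOS code. The rule categories,
the Block/Warning actions, the quarantine level and the Real-time Protection /
third-party AV exclusion follow the guide; the field names, the endpoint record
layout and "Block outranks Warning across categories" are assumptions of this example.
"""
from dataclasses import dataclass, field

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
ACTIONS = ("Warning", "Block")  # later entries outrank earlier ones (assumption)


@dataclass
class Profile:
    vuln_scan: bool = False                          # Endpoint Vulnerability Scan on Client
    vuln_action: str = "Warning"
    vuln_quarantine_level: str = ""                  # minimum severity that quarantines ("" = off)
    system_compliance: bool = False                  # System Compliance
    min_version: dict = field(default_factory=dict)  # {"windows": "6.0.3", "mac": "6.0.3"}
    required_logs: frozenset = frozenset()           # subset of {"Traffic", "Vulnerability", "Event"}
    system_action: str = "Warning"
    posture_check: bool = False                      # Security Posture Check modules
    real_time_protection: bool = False
    up_to_date_signatures: bool = False
    scan_with_fortisandbox: bool = False
    third_party_av_windows: bool = False
    web_filter: bool = False
    application_firewall: bool = False
    posture_action: str = "Warning"

    def validate(self) -> None:
        # Guide: Real-time Protection must be OFF before third-party AV on Windows can be ON.
        if self.real_time_protection and self.third_party_av_windows:
            raise ValueError("Real-time Protection and Third party AntiVirus on Windows are mutually exclusive")


def version_tuple(version: str) -> tuple:
    """'6.0.10' -> (6, 0, 10): compare versions numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def evaluate(profile: Profile, ep: dict) -> dict:
    """Return {'status', 'action', 'reasons'} for one endpoint record (dict layout assumed)."""
    profile.validate()
    if not ep.get("telemetry", False):
        return {"status": "FortiTelemetry is disabled", "action": None, "reasons": ["no FortiTelemetry"]}
    failures = []  # (category, action, reason)
    if profile.vuln_scan:
        if not ep.get("vuln_scan_enabled", False):
            failures.append(("Endpoint Vulnerability Scan on Client", profile.vuln_action, "Vulnerability Scanning module is disabled"))
        if profile.vuln_quarantine_level:
            floor = SEVERITY_RANK[profile.vuln_quarantine_level]
            hits = [s for s in ep.get("vulnerabilities", []) if SEVERITY_RANK[s] >= floor]
            if hits:  # quarantine takes precedence over Block/Warning (assumption)
                return {"status": "Quarantined", "action": "Quarantine",
                        "reasons": [f"{len(hits)} vulnerabilities at or above {profile.vuln_quarantine_level}"]}
    if profile.system_compliance:
        required = profile.min_version.get(ep.get("os", ""))
        installed = ep.get("forticlient_version", "0")
        if required and version_tuple(installed) < version_tuple(required):
            failures.append(("System Compliance", profile.system_action, f"FortiClient {installed} is below minimum {required}"))
        missing = profile.required_logs - set(ep.get("logs_to_fortianalyzer", ()))
        if missing:
            failures.append(("System Compliance", profile.system_action, f"logs not sent to FortiAnalyzer: {sorted(missing)}"))
    if profile.posture_check:
        modules = [
            (profile.real_time_protection, "rtp_enabled", "real-time protection is disabled"),
            (profile.up_to_date_signatures, "signatures_current", "signatures are out of date"),
            (profile.scan_with_fortisandbox, "sandbox_enabled", "FortiSandbox scanning is disabled"),
            (profile.web_filter, "web_filter_enabled", "Web Filter is disabled"),
            (profile.application_firewall, "app_firewall_enabled", "Application Firewall is disabled"),
            (profile.third_party_av_windows and ep.get("os") == "windows", "third_party_av", "no recognized third-party antivirus"),
        ]
        for required, key, why in modules:
            if required and not ep.get(key, False):
                failures.append(("Security Posture Check", profile.posture_action, why))
    if not failures:
        return {"status": "Compliant", "action": None, "reasons": []}
    action = max((f[1] for f in failures), key=ACTIONS.index)
    return {"status": "Endpoint is not compliant with FortiClient profile", "action": action,
            "reasons": [f"{category}: {why}" for category, _, why in failures]}


# Constructed sample data (not from any real deployment).
PROFILE = Profile(vuln_scan=True, vuln_action="Block", vuln_quarantine_level="high",
                  system_compliance=True, min_version={"windows": "6.0.3", "mac": "6.0.3"},
                  required_logs=frozenset({"Traffic", "Event"}), system_action="Warning",
                  posture_check=True, real_time_protection=True, up_to_date_signatures=True,
                  web_filter=True, posture_action="Warning")
_HEALTHY = {"telemetry": True, "os": "windows", "forticlient_version": "6.0.5", "vuln_scan_enabled": True,
            "vulnerabilities": ["low"], "logs_to_fortianalyzer": {"Traffic", "Event", "Vulnerability"},
            "rtp_enabled": True, "signatures_current": True, "web_filter_enabled": True}
ENDPOINTS = {
    "healthy": _HEALTHY,
    "old-client": {**_HEALTHY, "forticlient_version": "5.6.0", "logs_to_fortianalyzer": {"Traffic"}},
    "no-scanner": {**_HEALTHY, "vuln_scan_enabled": False},
    "exploitable": {**_HEALTHY, "vulnerabilities": ["medium", "critical"]},
    "no-telemetry": {**_HEALTHY, "telemetry": False},
}


def evaluate_all(profile: Profile = PROFILE, endpoints: dict = ENDPOINTS) -> dict:
    """Map endpoint name -> result, as the Monitor pane's Compliance column would show it."""
    return {name: evaluate(profile, ep) for name, ep in endpoints.items()}
```

Calling evaluate_all() on the constructed data gives one Compliant endpoint, one Quarantined endpoint (a critical vulnerability reaches the high quarantine level, whatever the other rules say), one blocked endpoint (the Vulnerability Scanning module is off and that category's action is Block) and one endpoint that only gets a warning (outdated client and missing Event logs, both under a category set to Warning); the endpoint without FortiTelemetry is reported as such rather than evaluated. validate() also reproduces the guide's constraint that Real-time Protection and Third party AntiVirus on Windows cannot both be enabled in one profile.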
Editing FortiClient profiles
To edit a FortiClient profile:
1. Right-click a profile, and select Edit. The Edit FortiClient Profile pane is displayed.
2. Edit the settings, and click OK.
Deleting FortiClient profiles
To delete a FortiClient profile:
1. Right-click a profile, and select Delete.
2. Click OK in the confirmation dialog box to delete the profile.
Importing FortiClient profiles
You can import FortiClient profiles from FortiGate.
To import a FortiClient profile:
1. Go to FortiClient Manager > FortiClient Profiles.
2. Select a profile package, and click Import. The Import dialog box is displayed.
3. Enter the following information:
Import From Device: Select the device from which to import the profile or profiles from the dropdown list. The list includes all the devices available in the ADOM.
Profile: Select the profile to import.
New Name: Select to create a new name for the profile being imported, and then type the name in the field.
4. Click OK. The profile is imported into the selected profile package.
Assigning profile packages
To assign profile packages:
1. Go to FortiClient Manager > FortiClient Profiles.
2. Select a profile package, and click Assign Profile Package. The Assign Profile Package dialog box is displayed.
3. Select one or more devices, and click OK. The profile package is assigned to the device(s).
4. Install the configuration changes to the FortiGate device. See Configuring a device on page 58 for more
information.
Device Firmware and Security Updates
The FortiGuard Distribution Network (FDN) provides FortiGuard services for your FortiManager system and its managed
devices and FortiClient agents. The FDN is a world-wide network of FortiGuard Distribution Servers (FDS), which
update the FortiGuard services on your FortiManager system on a regular basis so that your FortiManager system is
protected against the latest threats.
The FortiGuard services available on the FortiManager system include:
l Antivirus and IPS engines and signatures
l Web filtering and email filtering rating databases and lookups
l Vulnerability scan and management support for FortiAnalyzer
To view and configure these services, go to FortiGuard > Settings.
In FortiGuard Management, you can configure the FortiManager system to act as a local FDS, or use a web proxy
server to connect to the FDN. A FortiManager system acting as a local FDS synchronizes its FortiGuard service update packages with the FDN, then serves those updates and lookup replies to the FortiGate devices on your private network. The local FDS provides a faster connection, reducing Internet connection load and the time required to apply frequent updates, such as antivirus signatures, to many devices.
As an example, you might enable FortiGuard services to FortiGate devices on the built-in FDS, then specify the
FortiManager system’s IP address as the override server on your devices. Instead of burdening your Internet connection
with all the devices downloading antivirus updates separately, the FortiManager system would use the Internet
connection once to download the FortiGate antivirus package update, then redistribute the package to the devices.
FortiGuard Management also includes firmware revision management. To view and configure firmware options, go to
FortiGuard > Firmware Images. You can download these images from the Customer Service & Support portal to install
on your managed devices or on the FortiManager system.
Before you can use your FortiManager system as a local FDS, you must:
l Register your devices with Fortinet Customer Service & Support and enable the FortiGuard service licenses. See
your device documentation for more information on registering your products.
l If the FortiManager system’s Unregistered Device Options do not allow service to unregistered devices, add your
devices to the device list, or change the option to allow service to unregistered devices. For more information, see
the FortiManager CLI Reference.
For information about FDN service connection attempt handling or adding devices, see Firewall Devices on page
38.
l Enable and configure the FortiManager system’s built-in FDS. For more information, see Configuring network
interfaces on page 385.
l Connect the FortiManager system to the FDN.
The FortiManager system must retrieve service update packages from the FDN before it can redistribute them to
devices and FortiClient agents on the device list. For more information, see Connecting the built-in FDS to the FDN
on page 341.
l Configure each device or FortiClient endpoint to use the FortiManager system’s built-in FDS as their override
server. You can do this when adding a FortiGate system. For more information, see Adding devices on page 39.
This section contains the following topics:
l Settings
l Configuring devices to use the built-in FDS
l Configuring FortiGuard services
l Logging events related to FortiGuard services
l Restoring the URL or antispam database
l Licensing status
l Package management
l Query server management
l Firmware images
For information on current security threats, virus and spam sample submission, and
FortiGuard service updates available through the FDN, including antivirus, IPS, web filtering,
and email filtering, see the FortiGuard Center website, https://fortiguard.com.
Settings
FortiGuard > Settings provides a central location for configuring and enabling your FortiManager system’s built-in FDS
as an FDN override server.
By default, this option is enabled. After configuring FortiGuard and configuring your devices to use the FortiManager
system as their FortiGuard server, you can view overall and per device statistics on FortiGuard service benefits.
To operate in a closed network, disable communication with the FortiGuard server. See Operating as an FDS in a
closed network on page 342.
Enable Communication with FortiGuard Servers: When toggled OFF, you must manually upload packages, databases, and licenses to your FortiManager. See Operating as an FDS in a closed network on page 342.
Communication with FortiGuard Server: Select Servers Located in the US Only to limit communication to FortiGuard servers located in the USA. Select Global Servers to communicate with servers anywhere.
Enable Antivirus and IPS Service: Toggle ON to enable the antivirus and intrusion protection service. When on, select which versions of FortiGate, FortiClient, FortiAnalyzer, and FortiMail to download updates for.
Enable Web Filter Services: Toggle ON to enable web filter services. When uploaded to FortiManager, the Web Filter database version is displayed.
Enable Email Filter Services: Toggle ON to enable email filter services. When uploaded to FortiManager, the Email Filter database versions are displayed.
Server Override Mode: Select Strict (Access Override Server Only) or Loose (Allow Access Other Servers) override mode.
FortiGuard Antivirus and IPS Settings: Configure antivirus and IPS settings. See FortiGuard antivirus and IPS settings on page 339.
FortiGuard Web Filter and Email Filter Settings: Configure web and email filter settings. See FortiGuard web and email filter settings on page 340.
Override FortiGuard Server (Local FortiManager): Configure alternate (private) FortiGuard servers. See Override FortiGuard server (Local FortiManager) on page 341.
FortiGuard antivirus and IPS settings
In this section you can configure the FortiGuard Antivirus and IPS settings. The following settings are available:
Use Override Server Address for FortiClient: Configure to override the default built-in FDS so that you can use a specific port or FDN server. Select the add icon to add additional override servers, up to a maximum of ten. Select the delete icon to remove entries. To override the default server for updating FortiClient devices' FortiGuard services, see Overriding default IP addresses and ports on page 348.
Use Override Server Address for FortiGate/FortiMail: Configure to override the default built-in FDS so that you can use a specific port or FDN server. Select the add icon to add additional override servers, up to a maximum of ten. Select the delete icon to remove entries. To override the default server for updating FortiGate/FortiMail devices' FortiGuard services, see Overriding default IP addresses and ports on page 348.
Allow Push Update: Configure to allow urgent or critical updates to be pushed directly to the FortiManager system when they become available on the FDN. The FortiManager system immediately downloads these updates. To enable push updates, see Enabling push updates on page 346.
Use Web Proxy: Configure the FortiManager system's built-in FDS to connect to the FDN through a web proxy. To enable updates using a web proxy, see Enabling updates through a web proxy on page 348.
Scheduled Regular Updates: Configure when packages are updated without manually initiating an update request. To schedule regular service updates, see Scheduling updates on page 349.
Advanced: Enables logging of service update events and entries. If these options are not turned on, you cannot view those entries and events when you select View FDS and FortiGuard Download History.
FortiGuard web and email filter settings
In this section you can enable settings for FortiGuard Web Filter and Email Filter.
The following settings are available:
Connection to FortiGuard Distribution Server(s): Configure connections for overriding the default built-in FDS or web proxy server for web filter and email filter settings. To override an FDS server for web filter and email filter services, see Overriding default IP addresses and ports on page 348. To enable web filter and email filter service updates using a web proxy server, see Enabling updates through a web proxy on page 348.
Use Override Server Address for FortiClient: Configure to override the default built-in FDS so that you can use a specific port or FDN server. Select the add icon to add additional override servers, up to a maximum of ten. Select the delete icon to remove entries.
Use Override Server Address for FortiGate/FortiMail: Configure to override the default built-in FDS so that you can use a specific port or FDN server. Select the add icon to add additional override servers, up to a maximum of ten. Select the delete icon to remove entries. To override the default server for updating FortiGate devices' FortiGuard services, see Overriding default IP addresses and ports on page 348.
Use Web Proxy: Configure the FortiManager system's built-in FDS to connect to the FDN through a web proxy. IPv4 and IPv6 are supported. To enable updates using a web proxy, see Enabling updates through a web proxy on page 348.
Polling Frequency: Configure how often polling is done.
Log Settings: Configure logging of FortiGuard server update, web filtering, email filter, and antivirus query events.
l Log FortiGuard Server Update Events: enable or disable
l FortiGuard Web Filtering: Choose from Log URL disabled, Log non-URL events, and Log all URL lookups.
l FortiGuard Anti-spam: Choose from Log Spam disabled, Log non-spam events, and Log all Spam lookups.
l FortiGuard Anti-virus Query: Choose from Log Virus disabled, Log non-virus events, and Log all Virus lookups.
To configure logging of FortiGuard web filtering and email filtering events, see Logging FortiGuard web or email filter events on page 350.
Override FortiGuard server (Local FortiManager)
Configure and enable alternate FortiManager FDS devices, rather than using the local FortiManager system. You can set up as many alternate FDS locations as you need, and select which services they provide. The following settings are available:
Additional number of Private FortiGuard Servers (Excluding This One): Select the add icon to add a private FortiGuard server. Select the delete icon to remove entries. When adding a private server, you must type its IP address and time zone.
Enable Antivirus and IPS Update Service for Private Server: When one or more private FortiGuard servers are configured, update antivirus and IPS through this private server instead of using the default FDN. This option is available only when a private server has been configured.
Enable Web Filter and Email Filter Update Service for Private Server: When one or more private FortiGuard servers are configured, update the web filter and email filter through this private server instead of using the default FDN. This option is available only when a private server has been configured.
Allow FortiGates to Access Public FortiGuard Servers When Private Servers Unavailable: When one or more private FortiGuard servers are configured, managed FortiGate units go to those private servers for FortiGuard updates. Enable this option to allow those FortiGate units to fall back to the public FDN servers if the private servers are unreachable. This option is available only when a private server has been configured.
The FortiManager system’s network interface settings can restrict which network interfaces
provide FDN services. For more information, see Configuring network interfaces on page 385.
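How the Server Override Mode, the ordered override server list, the public fallback and the Disconnected status described above combine, as an added example (not Fortinet code) that also covers the port mismatch described under Matching port settings later in this chapter. The client modelled may be the built-in FDS talking to the FDN or a managed FortiGate talking to the built-in FDS. Reachability is simulated with a set so the code runs offline; the hostnames, the listening ports and the public FDN stand-in label are constructed for the example.

```python
"""Resolve which FortiGuard update source a client ends up using.

Added example for this guide, not Fortinet code. Rules taken from the guide:
override servers are tried in order (at most ten); Strict mode contacts the
override servers only, Loose mode may fall back to other (public) servers; a
request whose port does not match the FDS listening port fails; if every
attempt fails the status is Disconnected. Reachability is simulated.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Server:
    host: str
    port: int


PUBLIC_FDN = Server("fdn.example", 443)  # stand-in label for the public FDN (constructed)


def resolve_update_source(override_servers: Iterable[Server], listening_ports: dict,
                          reachable: set, strict: bool = True) -> dict:
    """Return {'server': Server or None, 'status': 'Connected'/'Disconnected', 'attempts': [...]}.

    listening_ports maps an FDS host to the port it really listens on; hosts absent
    from the map (the public FDN) are assumed to accept the requested port.
    """
    override_servers = list(override_servers)
    if len(override_servers) > 10:
        raise ValueError("a maximum of ten override servers is allowed")
    candidates = override_servers + ([] if strict else [PUBLIC_FDN])
    attempts = []
    for server in candidates:
        if server.host not in reachable:
            attempts.append((server, "unreachable"))
            continue
        expected = listening_ports.get(server.host, server.port)
        if server.port != expected:
            attempts.append((server, f"port mismatch: request uses {server.port}, FDS listens on {expected}"))
            continue
        attempts.append((server, "connected"))
        return {"server": server, "status": "Connected", "attempts": attempts}
    return {"server": None, "status": "Disconnected", "attempts": attempts}


# Constructed scenario: two private FDS instances, one listening on a non-default
# port, and a client whose override entries both assume port 443.
FDS_LISTENING_PORTS = {"fmg-a.example": 8890, "fmg-b.example": 443}
CLIENT_OVERRIDES = [Server("fmg-a.example", 443), Server("fmg-b.example", 443)]


def scenario(reachable: set, strict: bool) -> dict:
    """Run the constructed scenario for a given reachability set and override mode."""
    return resolve_update_source(CLIENT_OVERRIDES, FDS_LISTENING_PORTS, reachable, strict)


if __name__ == "__main__":
    for reach, strict in (({"fmg-a.example", "fmg-b.example", "fdn.example"}, True),
                          ({"fmg-a.example", "fdn.example"}, True),
                          ({"fmg-a.example", "fdn.example"}, False)):
        r = scenario(reach, strict)
        print("strict" if strict else "loose", r["status"], r["server"],
              [(s.host, why) for s, why in r["attempts"]])
```

The three runs show the two failure modes worth checking before rolling out a private FDS: with the first server's port mismatched and the second server down, Strict mode leaves the client Disconnected and therefore without updates, whereas Loose mode silently satisfies the same request from the public FDN, which is exactly what a closed network is trying to avoid.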
Connecting the built-in FDS to the FDN
When you enable the built-in FDS and initiate an update either manually or by a schedule, the FortiManager system
attempts to connect to the FDN.
If all connection attempts to the server list fail, the connection status will be Disconnected.
If the connection status remains Disconnected, you may need to configure the FortiManager system's connection to the FDN by:
l overriding the default IP address and/or port
l configuring a connection through a web proxy.
After establishing a connection with the FDN, the built-in FDS can receive FortiGuard service update packages, such as
antivirus engines and signatures or web filtering database updates, from the FDN.
To enable the built-in FDS:
1. Go to FortiGuard > Settings.
2. Enable the types of FDN services that you want to provide through your FortiManager system’s built-in FDS. For
more information, see Configuring FortiGuard services on page 346.
3. Click Apply.
The built-in FDS attempts to connect to the FDN.
If the built-in FDS is unable to connect, you may need to enable the selected services on a
network interface. For more information, see Configuring network interfaces on page 385.
If you still cannot connect to the FDN, check routes, DNS, and any intermediary firewalls or
NAT devices for policies that block necessary FDN ports and protocols.
See the FortiOS HandBook: Security Fabric document in the Fortinet Document Library at
http://docs.fortinet.com/fortigate/admin-guides for more information.
Operating as an FDS in a closed network
The FortiManager can be operated as a local FDS server when it is in a closed network with no internet connectivity.
Without a connection to a FortiGuard server, update packages and licenses must be manually downloaded from
support, and then uploaded to the FortiManager.
As databases can be large, we recommend uploading them using the CLI. See Uploading
packages with the CLI on page 344.
Go to FortiGuard > Settings to configure FortiManager as a local FDS server and to upload update packages and
license.
Enable Communication with FortiGuard Servers: Toggle OFF to disable communication with the FortiGuard servers.
Enable Antivirus and IPS Service: Toggle ON to enable the antivirus and intrusion protection service. When on, select which versions of FortiGate, FortiClient, FortiAnalyzer, and FortiMail to download updates for.
Enable Web Filter Services: Toggle ON to enable web filter services. When uploaded to FortiManager, the Web Filter database is displayed.
Enable Email Filter Services: Toggle ON to enable email filter services. When uploaded to FortiManager, the Email Filter database is displayed.
Upload Options for FortiGate/FortiMail
AntiVirus/IPS Packages: Select to upload antivirus and IPS packages. Browse for the file you downloaded from the Customer Service & Support portal on your management computer, or drag and drop the file onto the dialog box. Click OK to upload the package to FortiManager.
Web Filter Database: Select to upload the web filter database. Browse for the file you downloaded from the Customer Service & Support portal on your management computer, or drag and drop the file onto the dialog box. Click OK to upload the package to FortiManager. As the database can be large, uploading with the CLI is recommended. See Uploading packages with the CLI on page 344.
Email Filter Database: Select to upload the email filter database. Browse for the file you downloaded from the Customer Service & Support portal on your management computer. Click OK to upload the package to FortiManager. As the database can be large, uploading with the CLI is recommended. See Uploading packages with the CLI on page 344.
Service License: Select to import the FortiGate license. Browse for the file on your management computer, or drag and drop the file onto the dialog box. Click OK to upload the license to FortiManager. A license file can be obtained from support by requesting your account entitlement for the device.
Upload Options for FortiClient
AntiVirus/IPS Packages: Select to upload the FortiClient AntiVirus/IPS packages. Browse for the file you downloaded from the Customer Service & Support portal on your management computer, or drag and drop the file onto the dialog box. Click OK to upload the package to FortiManager.
Uploading packages with the CLI
Packages and licenses can be uploaded using the CLI. Use this method when the packages being uploaded are large, such as database packages.
To upload packages and license files using the CLI:
1. If not already done, disable communications with the FortiGuard server and enable a closed network with the
following CLI commands:
config fmupdate publicnetwork
set status disable
end
2. Upload an update package or license:
a. Load the package or license file to an FTP, SCP, or TFTP server.
b. Run the following CLI command, followed by the arguments for the chosen protocol (server address, remote file path, and, for FTP and SCP, the login credentials); see the FortiManager CLI Reference for the exact argument order:
execute fmupdate {ftp | scp | tftp} import
Configuring devices to use the built-in FDS
After enabling and configuring the FortiManager system’s built-in FDS, you can configure devices to use the built-in
FDS by providing the FortiManager system’s IP address and configured port as their override server.
Devices are not required to be registered in the FortiManager system's Device Manager to use the built-in FDS for FortiGuard updates and services.
Procedures for configuring devices to use the built-in FDS vary by device type. See the documentation for your device
for more information.
If you are connecting a device to a FortiManager system’s built-in FDS, some types of
updates, such as antivirus engine updates, require you to enable SSH and HTTPS
Administrative Access on the network interface which will receive push updates. See Network
on page 385 for details.
Matching port settings
When configuring a device to override default FDN ports and IP addresses with that of a FortiManager system, the
default port settings for the device’s update or query requests may not match the listening port of the FortiManager
system’s built-in FDS. If this is the case, the device’s requests will fail. To successfully connect them, you must match
the devices’ port settings with the FortiManager system’s built-in FDS listening ports.
For example, the default port for FortiGuard antivirus and IPS update requests is TCP 443 on FortiOS v4.0 and higher,
but the FortiManager system’s built-in FDS listens for those requests on TCP 8890. In this case, the FortiGate unit’s
update requests would fail until you configure the unit to send requests on TCP 8890.
In some cases, the device may not be configurable; instead, you must configure the FortiManager system to listen on
an alternate port.
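The following FortiOS CLI fragment is an added example of the device-side configuration that the two sections above describe; it is not from this guide or from Fortinet. The FortiManager address 192.0.2.10 and the FortiOS 6.x option names (central-management, include-default-servers, fmg-update-port, server-list) are assumptions to verify against your FortiOS version. It points a FortiGate's antivirus and IPS update requests at the FortiManager built-in FDS and changes the update port from the FortiOS default of TCP 443 to TCP 8890, which is what the built-in FDS listens on.

```fortios
# Added example (FortiOS CLI), not from this guide. Assumptions: the
# FortiManager built-in FDS is at 192.0.2.10 (documentation address) and
# listens on its default antivirus/IPS update port, TCP 8890.
config system central-management
    set type fortimanager
    set fmg "192.0.2.10"
    # Send update requests only to the servers in server-list, not to the
    # public FDN; re-enable if you want public fallback.
    set include-default-servers disable
    # FortiOS sends update requests to TCP 443 by default; the built-in FDS
    # listens on TCP 8890, so on the default port the requests would fail.
    set fmg-update-port 8890
    config server-list
        edit 1
            set server-type update
            set addr-type ipv4
            set server-address 192.0.2.10
        next
    end
end
```

The lines beginning with # are explanatory and should be omitted when pasting into a FortiOS console. Whether the FortiManager answers this FortiGate before it is authorized in Device Manager depends on the unreg_dev_opt setting described under Handling connection attempts from unregistered devices.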
Handling connection attempts from unregistered devices
The built-in FDS replies to FortiGuard update and query connections from devices registered with the device manager’s
device list. If the FortiManager is configured to allow connections from unregistered devices, unregistered devices can
also connect.
For example, you might choose to manage a FortiGate unit’s firmware and configuration locally (from its GUI), but use
the FortiManager system when the FortiGate unit requests FortiGuard antivirus and IPS updates. In this case, the
FortiManager system considers the FortiGate unit to be an unregistered device, and must decide how to handle the
connection attempt. The FortiManager system will handle the connection attempt based on how it is configured.
Connection attempt handling is only configurable via the CLI.
To configure connection attempt handling:
1. Go to the CLI Console widget in the System Settings > Dashboard pane. For information on widget settings, see Customizing the dashboard on page 373.
2. Click inside the console to connect.
3. To configure the system to add unregistered devices and allow service requests, type the following CLI command
lines:
config system admin setting
set unreg_dev_opt add_allow_service
end
4. To configure the system to add unregistered devices but deny service requests, type the following CLI command
lines:
config system admin setting
set unreg_dev_opt add_no_service
end
For more information, see the FortiManager CLI Reference.
Because add_allow_service adds any device that can reach the built-in FDS and serves its requests, restrict network access to the FDS listening ports (by default TCP 8890 and 8891 for antivirus and IPS, and TCP 8900 and 8901 for web filter and email filter) to the segments where your devices reside, and use add_no_service where you only want unregistered devices recorded for review.
Configure a FortiManager without Internet connectivity to access a local FortiManager as FDS
By default, FortiManager connects to the public FDN to download security updates, including the antivirus and IPS databases and engines. A FortiManager without Internet connectivity can instead be configured to use a second, local FortiManager as its FDS.
To use a second FortiManager as the FDS:
1. Go to FortiGuard > Settings.
2. Ensure that Communication with FortiGuard Server is set to Global Servers.
3. Under FortiGuard Antivirus and IPS Settings:
a. Turn on Use Override Server Address for FortiGate/FortiMail and enter the IP address of the FortiManager unit being used as the FDS, and port number 8890.
b. If required, turn on Use Override Server Address for FortiClient and enter the IP address of the FortiManager unit being used as the FDS, and port number 8891.
4. Under FortiGuard Web Filter and Email Filter Settings:
a. Turn on Use Override Server Address for FortiGate/FortiMail and enter the IP address of the FortiManager unit being used as the FDS, and port number 8900.
b. If required, turn on Use Override Server Address for FortiClient and enter the IP address of the FortiManager unit being used as the FDS, and port number 8901.
5. Click Apply.
The FortiManager will use the second FortiManager unit as the FDS.
Configuring FortiGuard services
FortiGuard Management provides a central location for configuring how the FortiManager system accesses the FDN and FDS, including push updates. The following procedures explain how to configure FortiGuard services and, where applicable, override and web proxy servers.
If you need to host a custom URL list that is rated by the FortiGate unit, you can import the list using the CLI.
- Enabling push updates
- Enabling updates through a web proxy
- Overriding default IP addresses and ports
- Scheduling updates
- Accessing public FortiGuard web and email filter servers
Enabling push updates
When an urgent or critical FortiGuard antivirus or IPS signature update becomes available, the FDN can push update
notifications to the FortiManager system’s built-in FDS. The FortiManager system then immediately downloads the
update.
To use push update, you must enable both the built-in FDS and push updates. Push update notifications will be ignored
if the FortiManager system is not configured to receive them. If TCP port 443 downloads must occur through a web
proxy, you must also configure the web proxy connection. See Enabling updates through a web proxy on page 348.
If push updates must occur through a firewall or NAT device, you may also need to override the default push IP address
and port.
For example, overriding the push IP address can be useful when the FortiManager system has a private IP address, and
push connections to a FortiManager system must traverse NAT. Normally, when push updates are enabled, the
FortiManager system sends its IP address to the FDN; this IP address is used by the FDN as the destination for push
messages; however, if the FortiManager system is on a private network, this IP address may be a private IP address,
which is not routable from the FDN – causing push updates to fail.
To enable push through NAT, type a push IP address override, replacing the default IP address with an IP address of
your choice such as the NAT device’s external or virtual IP address. This causes the FDN to send push packets to the
override IP address, rather than the FortiManager system’s private IP address. The NAT device can then forward the
connection to the FortiManager system’s private IP address.
The built-in FDS may not receive push updates if the external IP address of any intermediary NAT device is dynamic (such as an IP address from PPPoE or DHCP). When the NAT device's external IP address changes, the FortiManager system's push IP address configuration becomes out-of-date.
To enable push updates to the FortiManager system:
1. Go to FortiGuard > Settings.
2. Click the arrow to expand FortiGuard Antivirus and IPS Settings; see FortiGuard antivirus and IPS settings on
page 339.
3. Toggle ON beside Allow Push Update.
4. If there is a NAT device or firewall between the FortiManager system and the FDN which denies push packets to the FortiManager system's IP address on UDP port 9443, type the IP Address and/or Port number on the NAT device which will forward push packets to the FortiManager system. The FortiManager system will notify the FDN to send push updates to this IP address and port number.
- IP Address is the external or virtual IP address on the NAT device for which you will configure a static NAT or port forwarding.
- Port is the external port on the NAT device for which you will configure port forwarding.
5. Click Apply.
6. If you performed step 4, also configure the device to direct that IP address and/or port to the FortiManager system.
- If you entered a virtual IP address, configure the virtual IP address and port forwarding, and use static NAT mapping.
- If you entered a port number, configure port forwarding; the destination port must be UDP port 9443, the FortiManager system's listening port for updates.
To enable push through NAT in the CLI:
Enter the following commands, replacing <ip_address> and <port> with the NAT device's external IP address and forwarding port:
config fmupdate fds-setting
    config push-override-to-client
        set status enable
        config announce-ip
            edit 1
                set ip <ip_address>
                set port <port>
            next
        end
    end
end
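The NAT-device side of step 6 above, as an added example in FortiOS CLI; it is not from this guide and assumes the NAT device is a FortiGate. Assumed values: the FortiGate's external interface is wan1 with public address 203.0.113.5, its inside interface is named internal, FortiManager sits behind it at 10.0.0.20, and the announce-ip override on FortiManager was set to 203.0.113.5 port 9443. The fragment creates a port-forwarding virtual IP for UDP 9443 and a policy that lets the forwarded push packets through.

```fortios
# Added example (FortiOS CLI on a FortiGate acting as the NAT device), not
# from this guide. Assumed addresses: external 203.0.113.5 on wan1,
# FortiManager at 10.0.0.20 behind the interface named internal.
config firewall service custom
    edit "FMG-FDS-PUSH"
        set udp-portrange 9443
    next
end
# Static NAT with port forwarding: external UDP 9443 -> FortiManager UDP 9443.
# extport must equal the Port entered in step 4; mappedport must stay 9443,
# the built-in FDS listening port for push updates.
config firewall vip
    edit "fmg-fds-push"
        set extintf "wan1"
        set extip 203.0.113.5
        set mappedip "10.0.0.20"
        set portforward enable
        set protocol udp
        set extport 9443
        set mappedport 9443
    next
end
# Policy that admits the forwarded push packets; edit 0 lets FortiOS assign
# the next free policy ID.
config firewall policy
    edit 0
        set name "fdn-push-to-fortimanager"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "fmg-fds-push"
        set action accept
        set schedule "always"
        set service "FMG-FDS-PUSH"
        set logtraffic all
    next
end
```

The # lines are explanatory and should be omitted when pasting. Narrow srcaddr from "all" to the FDN push source addresses if your environment documents them, and remember the note above: if wan1 obtains its address by PPPoE or DHCP, the announce-ip override on FortiManager must be updated whenever that address changes.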
Enabling updates through a web proxy
If the FortiManager system's built-in FDS must connect to the FDN through a web (HTTP or HTTPS) proxy, you can specify the IP address and port of the proxy server.
If the proxy requires authentication, you can also specify a user name and password.
To enable updates to the FortiManager system through a proxy:
1. Go to FortiGuard > Settings.
2. If configuring a web proxy server to enable web and email filtering updates, expand FortiGuard Web Filter and Email Filter Settings.
3. If configuring a web proxy to enable antivirus and IPS updates, expand FortiGuard Antivirus and IPS Settings.
4. Toggle ON beside Use Web Proxy and enter the IP address and port number of the proxy.
5. If the proxy requires authentication, enter the user name and password.
6. Click Apply.
If the FDN connection status is Disconnected, the FortiManager system is unable to connect through the web proxy.
Overriding default IP addresses and ports
The FortiManager device’s built-in FDS connects to the FDN servers using default IP addresses and ports. You can
override these defaults if you want to use a port or specific FDN server that is different from the default.
To override default IP addresses and ports:
1. Go to FortiGuard > Settings.
2. If you need to override the default IP address or port for synchronizing with available FortiGuard antivirus and IPS updates, click the arrow to expand FortiGuard Antivirus and IPS Settings, then toggle ON beside Use Override Server Address for FortiGate/FortiMail and/or Use Override Server Address for FortiClient.
3. If you need to override the FortiManager system's default IP address or port for synchronizing with available FortiGuard web and email filtering updates, click the arrow to expand FortiGuard Web Filter and Email Filter Settings, then toggle ON beside Use Override Server Address for FortiGate/FortiMail and/or Use Override Server Address for FortiClient.
4. Enter the IP address and/or port number.
5. Click Apply.
If the FDN connection status remains disconnected, the FortiManager system is unable to connect with the
configured override.
FDN port numbers and protocols
Both the built-in FDS and devices use certain protocols and ports to successfully request and receive updates from the FDN or override server. Any intermediary proxies or firewalls must allow these protocols and ports, or the connection will fail. The ports used in this chapter are: TCP 443 from the built-in FDS to the FDN; UDP 9443 from the FDN to the built-in FDS for push notifications; and, by default, TCP 8890 (FortiGate/FortiMail) and 8891 (FortiClient) for antivirus and IPS updates and TCP 8900 (FortiGate/FortiMail) and 8901 (FortiClient) for web filter and email filter services on the built-in FDS.
After connecting to the FDS, you can verify connection status on the FortiGuard Management page. For more
information about connection status, see Connecting the built-in FDS to the FDN on page 341.
Scheduling updates
Keeping the built-in FDS up-to-date is important to provide current FortiGuard update packages and rating lookups to requesting devices. This is especially true as new viruses, malware, and spam sources appear frequently. By configuring a scheduled update, you ensure that the built-in FDS holds a recent version of the databases.
A FortiManager system acting as an FDS synchronizes its local copies of FortiGuard update packages with the FDN when:
- you manually initiate an update request by selecting Update Now
- it is scheduled to poll or update its local copies of update packages
- if push updates are enabled, it receives an update notification from the FDN.
If the network is interrupted while the FortiManager system is downloading a large file, it downloads all files again when the network resumes.
To schedule antivirus and IPS updates:
1. Go to FortiGuard > Settings.
2. Click the arrow to expand FortiGuard Antivirus and IPS Settings; see FortiGuard antivirus and IPS settings on
page 339.
3. In Polling Frequency, select the number of hours and minutes of the polling interval.
4. Click Apply.
To schedule Web Filtering and Email Filter polling:
1. Go to FortiGuard > Settings.
2. Click the arrow to expand FortiGuard Web Filter and Email Filter Settings.
3. In Polling Frequency, select the number of hours and minutes of the polling interval.
4. Click Apply.
If you have formatted your FortiManager system’s hard disk, polling and lookups will fail until
you restore the URL and email filter databases. For more information, see Restoring the URL
or antispam database on page 351.
Accessing public FortiGuard web and email filter servers
You can configure the FortiManager system to allow the managed FortiGate units to access public FortiGuard web filter
or email filter network servers in the event local FortiGuard web filter or email filter server URL lookups fail. You can
specify private servers where the FortiGate units can send URL queries.
To access public FortiGuard web and email filter servers:
1. Go to FortiGuard > Settings.
2. Click the arrow beside Override FortiGuard Server (Local FortiManager).
3. Click the add icon next to Additional number of private FortiGuard servers (excluding this one). Select the delete icon to remove entries.
4. Type the IP Address for the server and select its Time Zone.
5. Repeat step 4 as often as required. You can include up to ten additional servers.
6. Select the additional options to set where the FDS updates come from, and whether the managed FortiGate units can access these servers if the local FDS is not available.
- Toggle ON beside Enable Antivirus and IPS update Service for Private Server if you want the FDS updates to come from a private server.
- Toggle ON beside Enable Web Filter and Email Filter Service for Private Server if you want the updates to come from a private server.
- Toggle ON beside Allow FortiGates to Access Public FortiGuard Servers when Private Servers are Unavailable if you want the updates to come from public servers in case the private servers are unavailable.
7. Click Apply.
Logging events related to FortiGuard services
You can log a variety of events related to FortiGuard services.
Logging events from the FortiManager system’s built-in FDS requires that you also enable
local event logging.
Logging FortiGuard antivirus and IPS updates
You can track FortiGuard antivirus and IPS updates to both the FortiManager system’s built-in FDS and any registered
FortiGate devices which use the FortiManager system’s FDS.
To log updates and histories to the built-in FDS:
1. Go to FortiGuard > Settings.
2. Click the arrow to expand FortiGuard Antivirus and IPS Settings; see FortiGuard antivirus and IPS settings on
page 339.
3. Under the Advanced heading, toggle ON beside Log Update Entries from FDS Server.
4. Click Apply.
To log updates to FortiGate devices:
1. Go to FortiGuard > Settings.
2. Click the arrow to expand FortiGuard Antivirus and IPS Settings.
3. Under the Advanced heading, toggle ON beside Log Update Histories for Each FortiGate.
4. Click Apply.
Logging FortiGuard web or email filter events
You can track FortiGuard web filtering and email filtering lookup and non-events occurring on any registered FortiGate
device which uses the FortiManager system’s FDS.
Before you can view lookup and non-event records, you must enable logging for FortiGuard web filtering or email filter events.
To log rating queries:
1. Go to FortiGuard > Settings.
2. Click the arrow to expand FortiGuard Web Filtering and Email Filter Settings.
3. Configure the log settings, then click Apply:
Log FortiGuard Server Update Events: Enable or disable logging of FortiGuard server update events.
FortiGuard Web Filtering:
  Log URL disabled: Disables URL logging.
  Log non-URL events: Logs only non-URL events.
  Log all URL lookups: Logs all URL lookups (queries) sent to the FortiManager system's built-in FDS by FortiGate devices.
FortiGuard Anti-spam:
  Log Spam disabled: Disables spam logging.
  Log non-spam events: Logs email rated as non-spam.
  Log all Spam lookups: Logs all spam lookups (queries) sent to the FortiManager system's built-in FDS by FortiGate devices.
FortiGuard Anti-virus Query:
  Log Virus disabled: Disables virus logging.
  Log non-virus events: Logs only non-virus events.
  Log all Virus lookups: Logs all virus queries sent to the FortiManager system's built-in FDS by FortiGate devices.
Restoring the URL or antispam database
Formatting the hard disk or partition on FortiManager 3000 units and higher deletes the URL and antispam databases required to provide FortiGuard email filter and web filtering services through the built-in FDS. The databases re-initialize at the built-in FDS's next scheduled synchronization with the FDN.
Before formatting the hard disk or partition, you can back up the URL and antispam databases using the CLI, which encrypts the file. You can also back up licenses. The databases can be restored by importing them using the CLI. If you have created a custom URL database (for FortiGate units), you can also back up or restore that customized database.
Licensing status
FortiManager includes a licensing overview page that allows you to view license information for all managed FortiGate
devices. To view the licensing status, go to FortiGuard > Licensing Status.
This page displays the following information:
Refresh: Select the refresh icon to refresh the information displayed on this page.
Hide/Show license expired devices only: Toggle to hide or display only devices with an expired license.
Search: Use the search field to find a specific device in the table.
Device Name: The device name or host name. You can change the order that devices are listed by clicking the column title.
Serial Number: The device serial number.
Platform: The device type, or platform.
ADOM: ADOM information. You can change the order that ADOMs are listed by clicking the column title.
Antivirus: The license status and expiration date. You can change the order that devices are listed by clicking the column title.
IPS: The license status and expiration date. You can change the order that devices are listed by clicking the column title.
Email Filtering: The license status and expiration date. You can change the order that devices are listed by clicking the column title.
Web Filtering: The license status and expiration date. You can change the order that devices are listed by clicking the column title.
Mobile Malware: The license status and expiration date. You can change the order that devices are listed by clicking the column title.
Support: The license status and expiration date. You can change the order that devices are listed by clicking the column title.
Icon states:
- Green: License OK
- Orange: License will expire soon
- Red: License has expired
Package management
Antivirus and IPS signature packages are managed in FortiGuard > Package Management. Packages received from FortiGuard and the service status of managed devices are listed in Receive Status and Service Status, respectively.
Receive status
To view packages received from FortiGuard, go to FortiGuard > Package Management > Receive Status. This page lists received packages, grouped by platform.
The following information is displayed:
Refresh: Select to refresh the table.
Show Used Object Only: Clear to show all package information. Select to show only relevant package information.
Search: Use the search field to find a specific object in the table.
Seq.#: The sequence number.
Object Name: The name of the object.
Object Type: The type of object for the package.
Package Received: The name of the package.
Latest Version (Release Date/Time): The package version.
Size: The size of the package.
To Be Deployed Version: The package version that is to be deployed. Select Change to change the version.
Update History: Select the icon to view the package update history.
Deployed version
To change the to-be-deployed version of a received package, click Change in the To Be Deployed Version column for the package.
The Change Version dialog box is displayed, allowing you to select an available version from the dropdown list.
Update history
When you click the Update History button for a package, the Update History pane is displayed for the package.
It shows the update times, the events that occurred, the statuses of the updates, and the versions downloaded.
Service status
To view service statuses, go to FortiGuard > Package Management > Service Status. The service status information can be displayed by installed package name or by device name.
The following options are available in the toolbar:
Push Pending: Select the device or devices in the list, then click Push Pending in the toolbar to push pending updates to the device or devices.
Push All Pending: Select Push All Pending in the toolbar to push pending updates to all of the devices in the list.
Refresh: Select to refresh the list.
By Package: Displays the service status information by installed package name.
By Device: Displays the service status information by device name.
Search: Use the search field to find a specific device or package in the table.
Service status by Device
When you click the By Device button in the toolbar, the Service Status page displays a list of all the managed
FortiGate devices, their last update time, and their status.
You can push pending updates to the devices, either individually or all at the same time. You can refresh the list by clicking Refresh in the toolbar.
Device: The device serial number or host name.
Status: The service update status. A device's status can be one of the following:
- Up to Date: The latest package has been received by the FortiGate unit.
- Never Updated: The FortiGate unit has never requested or received the package.
- Pending: The FortiGate unit has an older version of the package for an acceptable reason (such as the scheduled update time not having arrived yet). Hover the mouse over a pending icon to view the package to be installed.
- Problem: The FortiGate unit missed the scheduled query, or did not correctly receive the latest package.
- Unknown: The FortiGate unit's status is not currently known.
Last Update Time: The date and time of the last update.
Service status by Package
When you click the By Package button, the Service Status page shows a list of all the installed packages, the
applicable firmware version, the package version, and the progress on package installation to devices. You can drill-
down to view the installed device list.
The content pane displays the following information:
Installed Packages Name: The name of the installed package.
Applicable Firmware Version: The firmware version of the device for which the installed package is created.
Package Version: The version of the installed package.
Installed Devices: The package installation progress for the devices, shown as the number of installed devices of the total. Click the count link to view the installed device list.
To view the installed device list:
1. Go to FortiGuard > PackageManagement > Service Status.
2. In the toolbar, clickBy Package.
The list of installed packages is displayed.
3. In the Installed Devices column, click the installed-of-total count link for the installed package.
Device details are displayed:
Device Name: The name of the device.
Current Version: The version of the package.
Status: The device update status.
Last Update Time: The time of the last package update.
4. Click the Back arrow to return to the previous page.
Query server management
The query server manager shows when updates are received from the server, the update version, the size of the update,
and the update history. It also has graphs showing the number of queries from all the managed FortiGate units made to
the FortiManager device.
Receive status
To view the received packages, go to FortiGuard > Query Server Management > Receive Status.
The following information is displayed:
Refresh: Select to refresh the table.
Search: Use the search field to find a specific entry in the table.
History: The record of received packages.
Package Received: The name of the received package.
Latest Version (Release Date/Time): The latest version of the received package.
Size: The size of the package.
Update History: Click to view the package update history.
Update history
When you click the Update History button for a package, the Update History pane is displayed for the package.
It shows the update times, the events that occurred, the statuses of the updates, and the versions downloaded.
Query status
Go to FortiGuard > Query Server Management > Query Status to view graphs that show:
- The number of queries made from all managed devices to the FortiManager unit over a user-selected time period
- The top ten unrated sites
- The top ten devices for a user-selected time period
The following information is displayed:
Top 10 Unrated Sites: Displays the top 10 unrated sites and the number of events. Hover the cursor over a row to see the exact number of queries.
Top 10 Devices: Displays the top 10 devices and number of sessions. Hover the cursor over a row to see the exact number of queries. Click a row to see a graph of the queries for that device.
Number of Queries: Displays the number of queries over a period of time.
Firmware images
Go to FortiGuard > Firmware Images to manage the firmware images stored on the FortiManager device. You can
import firmware images for FortiGate, FortiCarrier, FortiAnalyzer, FortiManager, FortiAP, and FortiExtender.
You can download only those images that are needed from the FDS systems, and customize which firmware images are
available for deployment.
The following information and settings are available:
Import Images: Select to open the firmware image import list.
Models: From the dropdown list, select All to show all the available models on the FortiGuard server, or select Managed to show only the models that are currently being managed by the FortiManager device.
Product: Select a managed product type from the dropdown list.
Search: Use the search field to find a specific entry in the table.
Seq.#: The sequence number.
Model: The device model number that the firmware is applicable to.
Latest Version (Release Date/Time): The latest version of the firmware that is available.
Preferred Version: The firmware version that you would like to use on the device. Click Change to open the Change Version dialog box, then select the desired version from the dropdown list and select OK to change the preferred version.
Size: The size of the firmware image.
Status: The status of the image, that is, from where it is available.
Action Status: The status of the current action being taken.
Release Notes: A link to a copy of the release notes for the firmware image that has been downloaded.
Download/Delete: Download the firmware image from the FDS if it is available. If the firmware image has already been downloaded, delete the firmware image from the FortiManager device.
For information about upgrading your FortiManager device, see the FortiManager Release Notes or contact Fortinet
Customer Service & Support.
To import a firmware image:
1. Go to FortiGuard > Firmware Images, and click Import Images in the toolbar.
2. Select a device in the list, and click Import in the toolbar. The Firmware Upload dialog box opens.
3. Click Browse to browse to the desired firmware image file, or drag and drop the file onto the dialog box.
4. Click OK to import the firmware image.
Firmware images can be downloaded from the Fortinet Customer Service & Support site at https://support.fortinet.com/ (support account required).
To delete firmware images:
1. Go to FortiGuard > Firmware Images, and click Import Images in the toolbar.
2. Select the firmware images you would like to delete.
3. Click Delete in the toolbar. A confirmation dialog box appears.
4. Click OK to delete the firmware images.
Locks for Restricting Configuration Changes
Workspace enables locking ADOMs, devices, or policy packages so that an administrator can prevent other
administrators from making changes to the elements that they are working in. It can only be enabled or disabled from
the CLI.
In Normal mode, ADOMs, or individual devices or policy packages must be locked before policy, object, or device
changes can be made. Multiple administrators can lock devices and policy packages within a single, unlocked ADOM at
the same time. When an individual device or policy package is locked, other administrators can only lock the ADOM that
contains the locked device or policy package by disconnecting the administrator that locked it.
In Workflow mode, only the entire ADOM can be locked. The ADOM must be locked before changes can be made, and
a workflow session must be started before policy changes can be made. See Workflow mode on page 362.
In both modes, the ADOM must be locked before changes can be made in AP Manager, FortiClient Manager, VPN Manager, and FortiSwitch Manager, and some settings in System Settings.
To enable or disable workspace:
1. Go to System Settings > Dashboard.
2. In the CLI Console widget enter the following CLI commands:
config system global
set workspace-mode {workflow | normal | disable}
end
A green padlock icon indicates that the current administrator locked the element. A red
padlock icon indicates that another administrator locked the element.
Normal mode
Normal mode is used to control the creation, configuration, and installation of devices, policies, and objects. It helps to
ensure that only one administrator can make changes to an element at one time.
When normal mode is enabled, individual devices and policy packages can be locked, as well as entire ADOMs. When
an individual device or policy package is locked, other administrators can only lock the ADOM that contains the locked
device or policy package by disconnecting the administrator that locked it and thus breaking the lock.
Devices and policy packages can only be added if the entire ADOM is locked.
Individual devices cannot be locked if ADOMs are in advanced mode (ADOM device modes
on page 395).
The entire ADOM must be locked to create a script, but the script can be run directly on a
device when only the device is locked. See Run a script on page 96.
Enable normal mode
Normal mode can only be enabled or disabled from the CLI.
After changing the workspace mode, your session will end, and you will be required to log
back in to the FortiManager.
To enable normal mode:
1. Go to System Settings > Dashboard.
2. In the CLI Console widget, enter the following CLI commands in their entirety:
config system global
set workspace-mode normal
end
When workspace-mode is normal, Device Manager and Policy & Objects are read-only.
You must lock the ADOM, a device, or a policy package before you can make any changes.
Locking an ADOM
In normal workspace mode, an ADOM must be locked before you can make changes to it or add devices, policy
packages, or objects.
When an ADOM is locked, other administrators are unable to make changes to devices, policies, and objects in that
ADOM until you either unlock the ADOM, or log out of the FortiManager.
Policy packages and devices can also be locked individually. See Locking a device on page
360 and Locking a policy package on page 361.
To lock the ADOM you are in:
1. Ensure you are in the ADOM that will be locked.
2. Click Lock in the banner, next to the ADOM name.
The padlock icon changes to a locked state, and the ADOM is locked.
To lock an ADOM from System Settings:
1. Go to System Settings > All ADOMs.
2. Right-click on the ADOM and select Lock, or select the ADOM then click Lock in the toolbar. You do not need to be
in that ADOM to lock it.
The padlock icon next to the ADOM's name changes to a locked state, and the ADOM is locked.
Locking an ADOM automatically removes locks on devices and policy packages that you have
locked within that ADOM.
If you have unsaved changes, a confirmation dialog box will give you the option to save or
discard them.
If another administrator has locked devices or policy packages within the ADOM, you will be
given the option of forcibly disconnecting them, thus removing the locks, before you can lock
the ADOM.
To unlock the ADOM you are in:
1. Ensure you are in the locked ADOM.
2. Ensure that you have saved any changes by clicking Save in the toolbar.
3. Click Unlock in the banner, next to the ADOM name. Only the administrator who locked the ADOM can unlock it. If
you have not saved your changes, a confirmation dialog box will give you the option to save or discard your
changes.
The padlock icon changes to an unlocked state, and the ADOM is unlocked.
To unlock an ADOM from System Settings:
1. Go to System Settings > All ADOMs.
2. Right-click on the locked ADOM and select Unlock, or select the ADOM then click Unlock in the toolbar. You do not
need to be in that ADOM to unlock it, but you must be the administrator that locked it. If you have not saved your
changes, a confirmation dialog box will give you the option to save or discard your changes.
The padlock icon next to the ADOM's name changes to an unlocked state, and the ADOM is unlocked.
All elements are unlocked when you log out of the FortiManager. If you have unsaved
changes, a confirmation dialog box will give you the option to save or discard your changes.
Locking a device
In normal workspace mode, a device must be locked before changes can be made to it. Other administrators will be
unable to make changes to that device until you unlock it, log out of the FortiManager, or they forcibly disconnect you
when they are locking the ADOM that the device is in.
Individual device locks will be removed if you lock the ADOM that the device is in.
To lock a device:
1. Ensure you are in the correct ADOM.
2. Go to Device Manager > Device & Groups.
3. In the device list, right-click on the device and select Lock. A padlock icon in the locked state is shown next to the
device name to indicate that the device is locked.
Other administrators are now unable to make changes to the device, and cannot lock the ADOM without first
forcing you to disconnect.
Individual devices cannot be locked if ADOMs are in advanced mode (ADOM device modes
on page 395).
To unlock a device:
1. Ensure you are in the correct ADOM.
2. Go to Device Manager > Device & Groups.
3. Ensure that you have saved any changes by clicking Save in the toolbar.
4. In the device list, right-click on the locked device and select Unlock. If you have not saved your changes, a
confirmation dialog box will give you the option to save or discard your changes.
After unlocking, the padlock icon next to the device name is removed, and the device is unlocked. The device will
also be unlocked when you log out of the FortiManager.
All devices are unlocked when you log out of the FortiManager. If you have unsaved changes,
a confirmation dialog box will give you the option to save or discard them.
Locking a policy package
In normal workspace mode, a policy package must be locked before changes can be made to it. Other administrators
will be unable to make changes to that policy package until you unlock it, log out of the FortiManager, or they forcibly
disconnect you when they are locking the ADOM that the package is in.
Individual device locks will be removed if you lock the ADOM that the package is in.
To lock a policy package:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Policy Packages.
3. In the policy package list, right-click on the package and select Lock. A padlock icon in the locked state is shown
next to the package name to indicate that it is locked.
Other administrators are now unable to make changes to the policy package, and cannot lock the ADOM without
first forcing you to disconnect.
To unlock a policy package:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects > Policy Packages.
3. Ensure that you have saved any changes by clicking Save in the toolbar.
4. In the policy package list, right-click on the locked package and select Unlock. If you have not saved your changes,
a confirmation dialog box will give you the option to save or discard your changes.
After unlocking, the padlock icon next to the package name is removed, and the package is unlocked. The package
will also be unlocked when you log out of the FortiManager.
All policy packages are unlocked when you log out of the FortiManager. If you have unsaved
changes, a confirmation dialog box will give you the option to save or discard them.
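The normal-mode locking rules described in the sections above (an ADOM-wide lock versus individual device and policy package locks, forcible disconnection of administrators who hold locks, release of every lock on logout, and unlock restricted to the locking administrator) are captured below as an added Python model. This is an illustration written for this page, not FortiManager code; the class, method, element and administrator names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed model of the normal-mode locking rules on this page (assumption:
# a simplified stand-in for FortiManager's lock handling, not its own code).


class LockError(Exception):
    """Raised when the locking rules refuse an operation."""


@dataclass
class AdomLocks:
    """Lock table for one ADOM: an optional ADOM-wide lock plus per-element locks
    on devices and policy packages, each owned by exactly one administrator."""
    adom_owner: Optional[str] = None
    element_owners: Dict[str, str] = field(default_factory=dict)

    def lock_element(self, admin: str, element: str) -> None:
        """Lock a single device or policy package (normal mode only)."""
        if self.adom_owner not in (None, admin):
            raise LockError(f"ADOM is locked by {self.adom_owner}")
        owner = self.element_owners.get(element)
        if owner not in (None, admin):
            raise LockError(f"{element} is locked by {owner}")
        self.element_owners[element] = admin

    def lock_adom(self, admin: str, force: bool = False) -> List[str]:
        """Lock the whole ADOM. Element locks held by other administrators block this
        unless force=True, which disconnects them (dropping their locks). The caller's
        own element locks are superseded by the ADOM lock. Returns who was disconnected."""
        if self.adom_owner not in (None, admin):
            raise LockError(f"ADOM is locked by {self.adom_owner}")
        others = sorted({o for o in self.element_owners.values() if o != admin})
        if others and not force:
            raise LockError("locked elements held by " + ", ".join(others))
        for other in others:
            self.disconnect(other)
        self.element_owners = {e: o for e, o in self.element_owners.items() if o != admin}
        self.adom_owner = admin
        return others

    def unlock(self, admin: str, element: Optional[str] = None) -> None:
        """Release the ADOM lock (element=None) or one element lock. Only the
        administrator who took a lock may release it."""
        if element is None:
            if self.adom_owner != admin:
                raise LockError("only the locking administrator can unlock the ADOM")
            self.adom_owner = None
        elif self.element_owners.get(element) != admin:
            raise LockError(f"only the locking administrator can unlock {element}")
        else:
            del self.element_owners[element]

    def disconnect(self, admin: str) -> None:
        """Logout or forced disconnect: every lock held by admin is released."""
        if self.adom_owner == admin:
            self.adom_owner = None
        self.element_owners = {e: o for e, o in self.element_owners.items() if o != admin}

    def can_edit(self, admin: str, element: str) -> bool:
        """Changes to an element need the ADOM lock or that element's own lock."""
        return self.adom_owner == admin or self.element_owners.get(element) == admin

    def can_add_elements(self, admin: str) -> bool:
        """Devices and policy packages can only be added under an ADOM lock."""
        return self.adom_owner == admin


def refused(action, *args, **kwargs) -> bool:
    """True if the locking rules reject the action; used to show the refusals."""
    try:
        action(*args, **kwargs)
    except LockError:
        return True
    return False
```

The model makes the ordering visible: a device lock taken by one administrator blocks an ADOM lock by anyone else until that administrator is disconnected, and taking the ADOM lock folds the caller's own element locks into it, which is why those locks disappear when the ADOM is locked.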
Workflow mode
Workflow mode is used to control the creation, configuration, and installation of policies and objects. It helps to ensure
all changes are reviewed and approved before they are applied.
When workflow mode is enabled, the ADOM must be locked and a session must be started before policy or object
changes can be made in an ADOM. Workflow approvals must be configured for an ADOM before any sessions can be
started in it.
Once the required changes have been made, the session can either be discarded and the changes deleted, or it can be
submitted for approval. The session can also be saved and continued later, but no new sessions can be created until the
saved session has been submitted or discarded.
When a session is submitted for approval, email messages are sent to the approvers, who can then approve or reject
the changes directly from the email message. Sessions can also be approved or rejected by the approvers from within
the ADOM itself.
Sessions must be approved in the order they were created.
If one approver from each approval group approves the changes, then another email message is sent, and the changes
are implemented. If any of the approvers reject the changes, then the session can be repaired and resubmitted as a new
session, or discarded. When a session is discarded, all later sessions are also discarded. After multiple sessions have
been approved, a previous session can be reverted to, undoing all the later sessions.
The changes made in a session can be viewed at any time from the session list in the ADOM by selecting View Diff.
The ADOM does not have to be locked to view the differences.
Enable workflow mode
Workflow mode can only be enabled or disabled from the CLI.
After changing the workspace mode, your session will end, and you will be required to log
back in to the FortiManager.
To enable workflow mode:
1. Go to System Settings > Dashboard.
2. In the CLI Console widget, enter the following CLI commands in their entirety:
config system global
set workspace-mode workflow
end
When workspace-mode is workflow, Device Manager and Policy & Objects are read-only. You must lock the ADOM to
create a new workflow session.
Workflow approval
Workflow approval matrices specify which users must approve or reject policy changes for each ADOM.
Up to eight approval groups can be added to an approval matrix. One user from each approval group must approve the
changes before they are accepted. An approval email will automatically be sent to each member of each approval group
when a change request is made.
Email notifications are automatically sent to each approver, as well as other administrators as required. A mail server
must be configured, see Mail Server on page 430, and each administrator must have a contact email address
configured, see Managing administrator accounts on page 441.
This menu is only available when workspace-mode is set to workflow.
To create a new approval matrix:
1. Go to System Settings > Admin > Approval Matrix.
2. Click Create New.
3. Configure the following settings:
ADOM: Select the ADOM from the dropdown list.
Approval Group: Select to add approvers to the approval group. Select the add icon to create a new approval group. Select the delete icon to remove an approval group. At least one approver from each group must approve the change for it to be adopted.
Send an Email Notification to: Select to add administrators to send email notifications to.
Mail Server: Select the mail server from the dropdown list. A mail server must already be configured. See Mail Server on page 430.
4. Click OK to create the approval matrix.
Workflow sessions
Administrators use workflow sessions to make changes to policies and objects. The session is then submitted for review
and approval or rejection by the administrators defined in the ADOM's workflow approval matrix.
Administrators with the appropriate permissions will be able to approve or reject any pending requests. When viewing
the session list, they can choose any pending sessions, and click the approve or reject buttons. They can also add a
comment to the response. A notification will then be sent to the administrator that submitted the session and all of the
approvers.
You cannot prevent administrators from approving their own workflow sessions.
If the session was approved, no further action is required. If the session was rejected, the administrator will need to
either repair or discard the session.
The Global Database ADOM includes the Assignment option, for assigning the global policy package to an ADOM.
Assignments can only be created and edited when a session is in progress. After a global database session is approved,
the policy package can be assigned to the configured ADOM. A new session will be created on the assigned ADOM and
automatically submitted; it must be approved for the changes to take effect.
A session can be discarded at any time before it is approved.
After multiple sessions have been submitted or approved, a previously approved session can be reverted to, undoing all
the later sessions. This creates a new session at the top of the session list that is automatically submitted for approval.
A workflow approval matrix must be configured for the ADOM to which the session applies
before a workflow session can be started. See Workflow approval on page 363.
Starting a workflow session
A workflow session must be started before changes can be made to the policies and objects. A session can be saved
and continued at a later time, discarded, or submitted for approval.
While a session is in progress, devices cannot be added or installed.
To start a workflow session:
1. Ensure that you are in the correct ADOM.
2. Go to Policy & Objects.
3. Click Lock in the banner. The padlock icon changes to a locked state and the ADOM is locked.
4. From the Sessions menu, select Session List. The Session List dialog box opens; see The session list on page
369.
5. Click Create New Session.
6. Enter a name for the session, add a comment describing the session, then click OK to start the session. You can now
make the required changes to the policy packages and objects. See Firewall Policy & Objects on page 150.
Saved sessions
A session can be saved and continued later.
A new session cannot be started until the in-progress or saved session has either been
submitted for approval or discarded.
To save your session:
While currently working in a session, click Save in the toolbar. After saving the session, the ADOM will remain locked,
and you can continue to edit it.
To continue a saved session:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects and lock the ADOM.
3. Go to Sessions > Session List. The Session List dialog box opens.
4. Click Continue Session In Progress to continue the session.
View session diff
A session diff can be viewed prior to submitting the session for approval.
To view the session diff:
1. While currently working in a session, ensure that the session has been saved. See Saved sessions on page 365.
2. Click Sessions > View Diff. The Revisions Diff dialog box opens.
3. Select Details to view specific changes within a policy package or the policy objects.
4. Click Download to download a CSV file of the changes to your management computer.
5. Click Close to close the dialog box and return to the session.
Discarding a session
A session can be discarded at any time before it is approved. A session cannot be recovered after it is discarded.
When a session is discarded, all sessions after it in the session list will also be discarded.
To discard an in-progress session:
1. Select Sessions > Discard.
2. Enter comments in the Discard Session dialog box.
3. Click OK. The changes are deleted and the session is discarded.
To discard saved, submitted, or rejected sessions:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects and lock the ADOM.
3. Go to Sessions > Session List. The Session List dialog box opens.
4. Select the session that is to be discarded, then click Discard.
5. Select OK in the Discard Session pop-up.
Submitting a session
When all the required changes have been made, the session can be submitted for approval. A session must be open to
be submitted for approval.
When the session is submitted, email messages are sent to all of the approvers and other administrators defined in the
approval matrix (see Workflow approval on page 363), and the ADOM is automatically unlocked.
To submit a session for approval:
1. Select Sessions > Submit.
2. Enter the following in the Submit for Approval dialog box:
Comments: Enter a comment describing the changes that have been made in this session.
Attach configuration change details: Select to attach configuration change details to the email message.
3. Click OK to submit the session.
Approving or rejecting a session
Sessions can be approved or rejected by the members of the approval groups either directly from the email message
that is generated when the session is submitted, or from the session list. A session that has been rejected must be
repaired or discarded before the next session can be approved.
When a session is approved or rejected, new email messages are sent out.
To approve or reject a session from the email message:
1. If the configuration changes HTML file is attached to the email message, open the file to review the changes.
2. Select Approve this request or Reject this request to approve or reject the request. You can also select Login
FortiManager to process this request to log in to the FortiManager and approve or reject the session from the
session list.
A web page will open showing the basic information, approval matrix, and session log for the session, highlighting if
the session was approved or rejected. A new email message will also be sent containing the same information.
3. On the last line of the session log on the web page, select Click here to add comments to add a comment about
why the session was approved or rejected.
To approve a session from the session list:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects and lock the ADOM.
3. Go to Sessions > Session List. The Session List dialog box opens; see The session list on page 369.
4. Select a session that can be approved from the list.
5. Optionally, click View Diff to view the changes that you are approving.
6. Click Approve.
7. Enter a comment in the Approve Session pop-up, then click OK to approve the session.
To reject a session from the session list:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects and lock the ADOM.
3. Go to Sessions > Session List. The Session List dialog box opens; see The session list on page 369.
4. Select a session that can be rejected from the list.
5. Optionally, click View Diff to view the changes that you are rejecting.
6. Click Reject.
7. Enter a comment in the Reject Session pop-up, then click OK to reject the session.
Repairing a rejected session
When a session is rejected, it can be repaired to correct the problems with it.
To repair a workflow session:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects and lock the ADOM.
3. Go to Sessions > Session List. The Session List dialog box opens; see The session list on page 369.
4. Select a rejected session, then click Repair.
A new session is created and started, with the changes from the rejected session, so it can be corrected.
Reverting a session
A session can be reverted to after other sessions have been submitted or approved. If this session is approved, it will
undo all the changes made by later sessions, though those sessions must be approved before the reverting session can
be approved. You can still revert to any of those sessions without losing their changes.
When a session is reverted, a new session is created and automatically submitted for approval.
To revert a session:
1. Ensure you are in the correct ADOM.
2. Go to Policy & Objects and lock the ADOM.
3. Go to Sessions > Session List. The Session List dialog box opens; see The session list on page 369.
4. Select the session, then click Revert.
The session list
To view the session list, in Policy & Objects, go to Sessions > Session List. Different options will be available
depending on the various states of the sessions (in progress, approved, etc.). When an ADOM is unlocked, only the
comments and View Diff command are available.
The following options and information are available:
Approve: Approve the selected session. Enter comments in the Approve Session dialog box as required.
Reject: Reject the selected session. Enter comments in the Reject Session dialog box as required. A rejected session must be repaired before the next session in the list can be approved.
Discard: Discard the selected session. If a session is discarded, all later sessions are also discarded.
Repair: Repair the selected rejected session. A new session will be created and added to the top of the session list with the changes from the rejected session so they can be repaired as needed.
Revert: Revert back to the selected session, undoing all the changes made by later sessions. A new session will be created, added to the top of the session list, and automatically submitted for approval.
View Diff: View the changes that were made prior to approving or rejecting the session. Select Details to view specific changes within a policy package.
ID: A unique number to identify the session.
Name: The user-defined name to identify the session. The icon shows the status of the session: waiting for approval, approved, rejected, repaired, or in progress. Hover the cursor over the icon to see a description.
User: The administrator who created the session.
Date Submitted: The date and time the session was submitted for approval.
Approved/...: The number of approval groups that have approved the session out of the number of groups that have to approve the session. Hover the cursor over the table cell to view the group members.
Comments: The comments for the session. All the comments are shown on the right of the dialog box for the selected session. Session approvers can also add comments to the selected session without having to approve or reject the session.
Create New Session: Select to create a new workflow session. This option is not available when a session has been saved or is already in progress.
Continue Session in Progress: Select to continue a session that was previously saved or is already in progress. This option is only available when a session is in progress or saved.
Continue Without Session: Select to continue without starting a new session. When a new session is not started, all policies and objects are read-only.
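The session lifecycle described under Workflow mode and spelled out in the session list options above (one open session at a time, one approver from every approval group, approval strictly in session order, a rejected session that must be repaired or discarded before later ones can proceed, a discard that sweeps away every later session, and a revert that is auto-submitted) is captured below as an added Python model. It is written for this page and is not FortiManager's own code; the class, method, group, administrator and policy-object names are assumptions, and the "applied" dictionary stands in for the ADOM's policy objects.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed model of the workflow-session rules on this page (assumption: a
# simplified stand-in for the FortiManager session list, not its own code).
IN_PROGRESS, PENDING, APPROVED, REJECTED, REPAIRED, DISCARDED = (
    "in progress", "waiting for approval", "approved", "rejected", "repaired", "discarded")
UNDECIDED = (IN_PROGRESS, PENDING, REJECTED)   # statuses a Discard sweeps away

class WorkflowError(Exception):
    """Raised when the session list refuses an action."""

@dataclass
class Session:
    sid: int                                  # 1-based; sessions[sid - 1] is this session
    name: str
    user: str
    changes: Dict[str, str]                   # policy object -> new value (constructed)
    status: str = IN_PROGRESS
    revert_to: Optional[int] = None           # set on sessions created by Revert
    approvals: Dict[str, str] = field(default_factory=dict)  # group -> approver
    snapshot: Dict[str, str] = field(default_factory=dict)   # ADOM objects after approval

class WorkflowAdom:
    """One ADOM in workflow mode: approval matrix, ordered session list, applied objects."""

    def __init__(self, approval_groups: Dict[str, Set[str]]):
        assert 1 <= len(approval_groups) <= 8, "an approval matrix holds one to eight groups"
        self.groups, self.sessions, self.applied = approval_groups, [], {}

    def _new(self, name: str, user: str, changes: Dict[str, str],
             status: str = IN_PROGRESS, revert_to: Optional[int] = None) -> Session:
        if any(s.status == IN_PROGRESS for s in self.sessions):   # one open session at a time
            raise WorkflowError("submit or discard the open session first")
        s = Session(len(self.sessions) + 1, name, user, dict(changes), status, revert_to)
        self.sessions.append(s)
        return s

    def start(self, user: str, name: str, changes: Dict[str, str]) -> Session:
        return self._new(name, user, changes)

    def submit(self, sid: int) -> None:
        s = self.sessions[sid - 1]
        if s.status != IN_PROGRESS:
            raise WorkflowError("only an open session can be submitted")
        s.status = PENDING                    # approvers are emailed; the ADOM unlocks

    def _group_of(self, approver: str) -> str:
        for name, members in self.groups.items():
            if approver in members:
                return name
        raise WorkflowError(f"{approver} is not in any approval group")

    def _awaiting(self, sid: int) -> Session:
        s = self.sessions[sid - 1]
        if s.status != PENDING:
            raise WorkflowError(f"session {sid} is {s.status}")
        for e in self.sessions[:sid - 1]:     # decided in order: earlier open items block
            if e.status in (PENDING, REJECTED):
                raise WorkflowError(f"session {e.sid} must be approved, repaired or discarded first")
        return s

    def approve(self, sid: int, approver: str) -> str:
        s = self._awaiting(sid)
        s.approvals[self._group_of(approver)] = approver
        if set(s.approvals) == set(self.groups):          # one approver from every group
            s.status = APPROVED
            if s.revert_to:                               # a revert restores an earlier snapshot
                self.applied = dict(self.sessions[s.revert_to - 1].snapshot)
            else:
                self.applied.update(s.changes)
            s.snapshot = dict(self.applied)
        return s.status

    def reject(self, sid: int, approver: str) -> str:
        s = self._awaiting(sid)
        self._group_of(approver)                          # any single approver can reject
        s.status = REJECTED
        return s.status

    def discard(self, sid: int) -> List[int]:
        """Discard an unapproved session and every later session with it."""
        if self.sessions[sid - 1].status not in UNDECIDED:
            raise WorkflowError("approved sessions cannot be discarded")
        gone = [s.sid for s in self.sessions[sid - 1:] if s.status in UNDECIDED]
        for g in gone:
            self.sessions[g - 1].status = DISCARDED
        return gone

    def repair(self, sid: int) -> Session:
        s = self.sessions[sid - 1]
        if s.status != REJECTED:
            raise WorkflowError("only a rejected session can be repaired")
        new = self._new(f"repair of {s.name}", s.user, s.changes)
        s.status = REPAIRED
        return new

    def revert(self, sid: int, user: str) -> Session:
        """Create and auto-submit a session that undoes everything after session sid."""
        if self.sessions[sid - 1].status != APPROVED:
            raise WorkflowError("only an approved session can be reverted to")
        return self._new(f"revert to session {sid}", user, {}, PENDING, sid)
```

The page notes that administrators cannot be prevented from approving their own sessions; the model reflects that, since approve() checks only group membership, not the submitter. Separating the submitting administrators from the approval groups in the matrix is therefore the only place that separation of duties can be enforced.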
System Settings
System Settings allows you to manage system options for your FortiManager device.
Additional configuration options and short-cuts are available using the right-click menu. Right-click the mouse on
different navigation panes on the GUI page to access these options.
This section contains the following topics:
- Dashboard on page 372
- Logging Topology on page 384
- Network on page 385
- RAID Management on page 387
- Administrative Domains on page 394
- Certificates on page 408
- Fetcher Management on page 413
- Event Log on page 417
- Task Monitor on page 420
- SNMP on page 421
- Mail Server on page 430
- Syslog Server on page 432
- Meta Fields on page 433
- Device logs on page 434
- File Management on page 438
- Advanced Settings on page 439
Dashboard
The Dashboard contains widgets that provide performance and status information and enable you to configure basic
system settings. The dashboard also contains a CLI widget that lets you use the command line through the GUI.
The following widgets are available:
System Information: Displays basic information about the FortiManager system, such as up time and firmware version. You can also enable or disable Administrative Domains and FortiAnalyzer features. For more information, see System Information widget on page 374. From this widget you can manually update the FortiManager firmware to a different release. For more information, see Updating the system firmware on page 376. The widget fields will vary based on how the FortiManager is configured, for example, if ADOMs are enabled.
System Resources: Displays the real-time and historical usage status of the CPU, memory and hard disk. For more information, see System Resources widget on page 379.
License Information: Displays the devices being managed by the FortiManager unit and the maximum numbers of devices allowed. For more information, see License Information widget on page 379. From this widget you can manually upload a license for VM systems.
Unit Operation: Displays status and connection information for the ports of the FortiManager unit. It also enables you to shut down and restart the FortiManager unit or reformat a hard disk. For more information, see Unit Operation widget on page 380.
CLI Console: Opens a terminal window that enables you to configure the FortiManager unit using CLI commands directly from the GUI. For more information, see CLI Console widget on page 381.
Alert Message Console: Displays log-based alert messages for both the FortiManager unit and connected devices. For more information, see Alert Messages Console widget on page 381.
Log Receive Monitor: Displays a real-time monitor of logs received. You can view data per device or per log type. For more information, see Log Receive Monitor widget on page 382. The Log Receive Monitor widget is available when FortiAnalyzer Features is enabled.
Insert Rate vs Receive Rate: Displays the log insert and receive rates. For more information, see Insert Rate vs Receive Rate widget on page 382. The Insert Rate vs Receive Rate widget is available when FortiAnalyzer Features is enabled.
Log Insert Lag Time: Displays how many seconds the database is behind in processing the logs. For more information, see Log Insert Lag Time widget on page 383. The Log Insert Lag Time widget is available when FortiAnalyzer Features is enabled.
Receive Rate vs Forwarding Rate: Displays the Receive Rate, which is the rate at which FortiManager is receiving logs. When log forwarding is configured, the widget also displays the log forwarding rate for each configured server. For more information, see Receive Rate vs Forwarding Rate widget on page 383. The Receive Rate vs Forwarding Rate widget is available when FortiAnalyzer Features is enabled.
Disk I/O: Displays the disk utilization, transaction rate, or throughput as a percentage over time. For more information, see Disk I/O widget on page 384. The Disk I/O widget is available when FortiAnalyzer Features is enabled.
Customizing the dashboard
The FortiManager system dashboard can be customized. You can select which widgets to display, where they are
located on the page, and whether they are minimized or maximized. It can also be viewed in full screen by selecting the
full screen button on the far right side of the toolbar.
Move a widget: Move the widget by clicking and dragging its title bar, then dropping it in its new location.
Add a widget: Select Toggle Widgets from the toolbar, then select the name of the widget you need to add.
Delete a widget: Click the Close icon in the widget's title bar.
Customize a widget: For widgets with an edit icon, you can customize the widget by clicking the Edit icon and configuring the settings.
Reset the dashboard: Select Toggle Widgets > Reset to Default from the toolbar. The dashboards will be reset to the default view.
System Information widget
The information displayed in the System Information widget is dependent on the FortiManager model and device
settings. The following information is available on this widget:
Host Name: The identifying name assigned to this FortiManager unit. Click the edit host name button to change the host name. For more information, see Changing the host name on page 375.
Serial Number: The serial number of the FortiManager unit. The serial number is unique to the FortiManager unit and does not change with firmware upgrades. The serial number is used for identification when connecting to the FortiGuard server.
Platform Type: Displays the FortiManager platform type, for example FMGVM64 (virtual machine).
HA Status: Displays whether the FortiManager unit is in High Availability mode and whether it is the Master or Slave unit in the HA cluster. For more information see High Availability on page 475.
System Time: The current time on the FortiManager internal clock. Click the edit system time button to change system time settings. For more information, see Configuring the system time on page 375.
Firmware Version: The version number and build number of the firmware installed on the FortiManager unit. To update the firmware, you must download the latest version from the Customer Service & Support website at https://support.fortinet.com. Click the update button, then select the firmware image to load from the local hard disk or network volume. For more information, see Updating the system firmware on page 376.
System Configuration: The date of the last system configuration backup. The following actions are available:
- Click the backup button to back up the system configuration to a file; see Backing up the system on page 377.
- Click the restore button to restore the configuration from a backup file; see Restoring the configuration on page 378. You can also migrate the configuration to a different FortiManager model by using the CLI. See Migrating the configuration on page 378.
Current Administrators: The number of administrators currently logged in. Click the current session list button to view the session details for all currently logged in administrators.
Up Time: The duration of time the FortiManager unit has been running since it was last started or restarted.
Administrative Domain: Displays whether ADOMs are enabled. Toggle the switch to change the Administrative Domain state. See Enabling and disabling the ADOM feature on page 395.
FortiAnalyzer Features: Displays whether FortiAnalyzer features are enabled. Toggle the switch to change the FortiAnalyzer features state. FortiAnalyzer Features are not available on the FortiManager 100C. See FortiAnalyzer Features on page 22 for information.
Changing the host name
The host name of the FortiManager unit is used in several places.
- It appears in the System Information widget on the dashboard.
- It is used in the command prompt of the CLI.
- It is used as the SNMP system name.
The System Information widget and the get system status CLI command will display the full host name.
However, if the host name is longer than 16 characters, the CLI and other places display the host name in a truncated
form ending with a tilde ( ~ ) to indicate that additional characters exist, but are not displayed. For example, if the host
name is FortiManager1234567890, the CLI prompt would be FortiManager123456~#.
To change the host name:
1. Go to System Settings > Dashboard.
2. In the System Information widget, click the edit host name button next to the Host Name field.
3. In the Host Name box, type a new host name.
The host name may be up to 35 characters in length. It may include US-ASCII letters, numbers, hyphens, and
underscores. Spaces and special characters are not allowed.
4. Click the checkmark to change the host name.
Configuring the system time
You can either manually set the FortiManager system time or configure the FortiManager unit to automatically keep its
system time correct by synchronizing with a Network Time Protocol (NTP) server.
For many features to work, including scheduling, logging, and SSL-dependent features, the
FortiManager system time must be accurate.
To configure the date and time:
1. Go to System Settings > Dashboard.
2. In the System Information widget, click the edit system time button next to the System Time field.
3. Configure the following settings to either manually configure the system time, or to automatically synchronize the
FortiManager unit’s clock with an NTP server:
System Time: The date and time according to the FortiManager unit’s clock at the time that this pane was loaded or when you last clicked the Refresh button.
Time Zone: Select the time zone in which the FortiManager unit is located and whether or not the system automatically adjusts for daylight savings time.
Update Time By: Select Set time to manually set the time, or Synchronize with NTP Server to automatically synchronize the time.
Set Time: Manually set the date and time.
Select Date: Set the date from the calendar or by manually entering it in the format YYYY/MM/DD.
Select Time: Select the time.
Synchronize with NTP Server: Automatically synchronize the date and time.
Sync Interval: Enter how often, in minutes, the device should synchronize its time with the NTP server. For example, entering 1440 causes the Fortinet unit to synchronize its time once a day.
Server: Enter the IP address or domain name of an NTP server. Click the plus icon to add more servers. To find an NTP server that you can use, go to http://www.ntp.org.
4. Click the checkmark to apply your changes.
Updating the system firmware
To take advantage of the latest features and fixes, FortiManager provides two ways to upgrade its firmware: manually or through the FDN. For information about upgrading your FortiManager device, see the FortiManager Upgrade Guide, or contact Fortinet Customer Service & Support.
Backup the configuration and database before changing the firmware of your FortiManager
unit. Changing the firmware to an older or incompatible version may reset the configuration
and database to the default values for that firmware version, resulting in data loss. For
information on backing up the configuration, see Backing up the system on page 377.
Before you can download firmware updates for your FortiManager unit, you must first register
your FortiManager unit with Customer Service & Support. For details, go to
https://support.fortinet.com/ or contact Customer Service & Support.
To manually update the FortiManager firmware:
1. Download the firmware (the .out file) from the Customer Service & Support website, https://support.fortinet.com/.
2. Go to System Settings > Dashboard.
3. In the System Information widget, in the Firmware Version field, click Upgrade Firmware. The Firmware Upload dialog box opens.
4. Drag and drop the file onto the dialog box, or click Browse to locate the firmware package (.out file) that you downloaded from the Customer Service & Support portal and then click Open.
5. Click OK. Your device will upload the firmware image and you will receive a confirmation message noting that the upgrade was successful.
Optionally, you can upgrade firmware stored on an FTP or TFTP server using the
following CLI command:
execute restore image {ftp | tftp}
For more information, see the FortiManager CLI Reference.
6. Refresh the browser and log back into the device.
7. Launch the Device Manager module and make sure that all formerly added devices are still listed.
8. Launch other functional modules and make sure they work properly.
Installing firmware replaces the current network vulnerability management engine with the
version included with the firmware release that you are installing. After you install the new
firmware, make sure that your vulnerability definitions are up-to-date. For more information,
see Device Firmware and Security Updates on page 337.
The FortiManager firmware can also be updated through the FDN. For more information, see Firmware images on page
356.
Backing up the system
Fortinet recommends that you back up your FortiManager configuration to your management computer on a regular basis to ensure that, should the system fail, you can quickly get the system back to its original state with minimal effect on the network. You should also perform a backup after making any changes to the FortiManager configuration or settings that affect the connected devices.
You can perform backups manually or at scheduled intervals. You can also create backups, called checkpoints, that define a point where the FortiManager and network management is stable and functioning. Should any future configurations cause issues, you have a point where the system is stable.
Fortinet recommends backing up all configuration settings from your FortiManager unit before upgrading the
FortiManager firmware.
To back up the FortiManager configuration:
1. Go to System Settings > Dashboard.
2. In the System Information widget, click the backup button next to System Configuration. The Backup System dialog box opens.
3. If you want to encrypt the backup file, select the Encryption box, then type and confirm the password you want to
use. The password can be a maximum of 63 characters.
4. Select OK and save the backup file on your management computer.
Restoring the configuration
You can use the following procedure to restore your FortiManager configuration from a backup file on your management
computer.
If your FortiManager unit is in HA mode, switch to Standalone mode.
The restore operation will temporarily disable the communication channel between FortiManager and all managed devices. This is a safety measure, in case any devices are being managed by another FortiManager. To re-enable the communication, please go to System Settings > Advanced > Advanced Settings and disable Offline Mode.
To restore the FortiManager configuration:
1. Go to System Settings > Dashboard.
2. In the System Information widget, click the restore button next to System Configuration. The Restore System dialog box opens.
3. Configure the following settings then select OK.
Choose Backup File: Select Browse to find the configuration backup file you want to restore, or drag and drop the file onto the dialog box.
Password: Type the encryption password, if applicable.
Overwrite current IP, routing and HA settings: Select the checkbox to overwrite the current IP, routing, and HA settings.
Restore in Offline Mode: Informational checkbox. Hover over the help icon for more information.
Migrating the configuration
You can back up the system of one FortiManager model, and then use the CLI and the FTP, SCP, or SFTP protocol to
migrate the settings to another FortiManager model.
If you encrypted the FortiManager configuration file when you created it, you need the password to decrypt the
configuration file when you migrate the file to another FortiManager model.
To migrate the FortiManager configuration:
1. In one FortiManager model, go to System Settings > Dashboard.
2. Back up the system. See Backing up the system on page 377.
3. In the other FortiManager model, go to System Settings > Dashboard.
4. In the CLI Console widget, type the following command:
execute migrate all-settings [cryptpasswd]
System Resources widget
The System Resources widget displays the usage status of the CPUs, memory, and hard disk. You can view system
resource information in real-time or historical format, as well as average or individual CPU usage.
On VMs, warning messages are displayed if the amount of memory or the number of CPUs assigned are too low, or if
the allocated hard drive space is less than the licensed amount. These warnings are also shown in the notification list
(see GUI overview on page 18). Clicking on a warning opens the FortiManager VM Install Guide.
To toggle between real-time and historical data, click Edit in the widget toolbar, select Historical or Real-time, edit the other settings as required, then click OK.
To view individual CPU usage, from the Real-Time display, click on the CPU chart. To go back to the standard view,
click the chart again.
License Information widget
The License Information widget displays the number of devices connected to the FortiManager.
VM License: VM license information and status. Click the upload license button to upload a new VM license file. This field is only visible for FortiManager VM. The Duplicate status appears when users try to upload a license that is already in use. Additionally, the following message will be displayed in the Notifications:
Duplicate License has been found! Your VM license will expire in XX hours (Grace time: 24 hours)
Users will have 24 hours to upload a valid license before the duplicate license is blocked.
Management
Device/VDOMs: The total number of devices and VDOMs connected to the FortiManager and the total number of device and VDOM licenses.
FortiGates/Logging Devices: The number of connected FortiGates and other logging devices.
FortiAPs: The number of connected FortiAPs.
Logging: This section is only shown when FortiAnalyzer Features is enabled. For more information, see FortiAnalyzer Features on page 22.
Device/VDOMs: The total number of devices and VDOMs connected to the FortiManager and the total number of device and VDOM licenses.
GB/Day: The gigabytes per day of logs allowed and used for this FortiManager. Click the show details button to view the GB per day of logs used for the previous 6 days.
VM Storage: The amount of VM storage used and remaining. This field is only visible for FortiManager VM.
FortiGuard
VM Meter Service: The license status. Click the purchase button to go to the Fortinet Customer Service & Support website, where you can purchase a license.
Secure DNS Server: The SDNS server license status. Click the upload image button to upload a license key.
Server Location: The locations of the FortiGuard servers, either global or US only. Click the edit icon to adjust the location. Changing the server location will cause the FortiManager to reboot.
Update Server
AntiVirus and IPS: The IP address and physical location of the Antivirus and IPS update server.
Web and Email Filter: The IP address and physical location of the web and email filter update server.
FortiClient Update: The IP address and physical location of the FortiClient update server.
Unit Operation widget
The Unit Operation widget graphically displays the status of each port. The port name indicates its status by its color.
Green indicates the port is connected. Grey indicates there is no connection.
Hover the cursor over the ports to view a pop-up that displays the full name of the interface, the IP address and
netmask, the link status, the speed of the interface, and the amounts of sent and received data.
CLI Console widget
The CLI Console widget enables you to type command lines through the GUI, without making a separate Telnet, SSH, or local console connection to access the CLI.
The CLI Console widget requires that your web browser support JavaScript.
For information on available CLI commands, see the FortiManager CLI Reference.
When using the CLI Console widget, you are logged in with the same administrator account you used to access the GUI. You can enter commands by typing them, or you can copy and paste commands into or out of the console.
Click Detach in the widget toolbar to open the widget in a separate window.
Alert Messages Console widget
The Alert Message Console widget displays log-based alert messages for both the FortiManager unit itself and
connected devices.
Alert messages help you track system events on your FortiManager unit such as firmware changes, and network events
such as detected attacks. Each message shows the date and time the event occurred.
Alert messages can also be delivered by email, syslog, or SNMP.
Click Edit from the widget toolbar to view the Alert Message Console Settings, where you can adjust the number of entries that are visible in the widget, and the refresh interval.
To view a complete list of alert messages, click Show More from the widget toolbar. The widget will show the complete list of alerts. To clear the list, click Delete All Messages. Click Show Less to return to the previous view.
Log Receive Monitor widget
The Log Receive Monitor widget displays the rate at which the FortiManager unit receives logs over time. Log data can
be displayed by either log type or device.
Hover the cursor over a point on the graph to see the exact number of logs that were received at a specific time. Click
the name of a device or log type to add or remove it from the graph. Click Edit in the widget toolbar to modify the widget's settings.
This widget is only available when the FortiAnalyzer features are manually enabled. For more
information, see FortiAnalyzer Features on page 22.
Insert Rate vs Receive Rate widget
The Insert Rate vs Receive Rate widget displays the log insert and log receive rates over time.
• Log receive rate: how many logs are being received.
• Log insert rate: how many logs are being actively inserted into the database.
If the log insert rate is higher than the log receive rate, then the database is rebuilding. The lag is the number of logs
waiting to be inserted.
Hover the cursor over a point on the graph to see the exact number of logs that were received and inserted at a specific
time. Click Receive Rate or Insert Rate to remove those data from the graph. Click the edit icon in the widget toolbar to
adjust the time interval shown on the graph and the refresh interval.
This widget is only available when the FortiAnalyzer features are manually enabled. For more
information, see FortiAnalyzer Features on page 22.
Log Insert Lag Time widget
The Log Insert Lag Time widget displays how many seconds the database is behind in processing the logs.
Click the edit icon in the widget toolbar to adjust the time interval shown on the graph and the refresh interval (0 to
disable) of the widget.
This widget is only available when the FortiAnalyzer features are manually enabled. For more
information, see FortiAnalyzer Features on page 22.
Receive Rate vs Forwarding Rate widget
The Receive Rate vs Forwarding Rate widget displays the rate at which the FortiManager is receiving logs. When log
forwarding is configured, the widget also displays the log forwarding rate for each configured server.
Click the edit icon in the widget toolbar to adjust the time period shown on the graph and the refresh interval, if any, of
the widget.
This widget is only available when the FortiAnalyzer features are manually enabled. For more
information, see FortiAnalyzer Features on page 22.
Disk I/O widget
The Disk I/O widget shows the disk utilization (%), transaction rate (requests/s), or throughput (KB/s), versus time.
Click the edit icon in the widget toolbar to select which chart is displayed, the time period shown on the graph, and the
refresh interval (if any) of the chart.
This widget is only available when the FortiAnalyzer features are manually enabled. For more
information, see FortiAnalyzer Features on page 22.
Logging Topology
The Logging Topology pane shows the physical topology of devices in the Security Fabric. Click, hold, and drag to
adjust the view in the content pane, and double-click or use the scroll wheel to change the zoom.
The visualization can be filtered to show only FortiAnalyzer devices or all devices by device count or traffic.
Hovering the cursor over a device in the visualization will show information about the device, such as the IP address and
device name. Right-click on a device and select View Related Logs to go to the Log View pane, filtered for that device.
This pane is only available when the FortiAnalyzer features are manually enabled. For more
information, see FortiAnalyzer Features on page 22.
Network
The network settings are used to configure ports for the FortiManager unit. You should also specify which ports and methods administrators can use to access the FortiManager unit. If required, static routes can be configured.
The default port for FortiManager units is port 1. It can be used to configure one IP address for the FortiManager unit, or
multiple ports can be configured with multiple IP addresses for improved security.
You can configure administrative access in IPv4 or IPv6 and include settings for HTTPS, HTTP, PING, SSH, TELNET,
SNMP, and Web Service.
You can prevent unauthorized access to the GUI by creating administrator accounts with trusted hosts. With trusted
hosts configured, the administrator can only log in to the GUI when working on a computer with the trusted host as
defined in the administrator account. For more information, see Trusted hosts on page 440 and Managing administrator
accounts on page 441.
Configuring network interfaces
Fortinet devices can be connected to any of the FortiManager unit's interfaces. The DNS servers must be on the
networks to which the FortiManager unit connects, and should have two different IP addresses.
If the FortiManager unit is operating as part of an HA cluster, it is recommended to configure interfaces dedicated for
the HA connection / synchronization. However, it is possible to use the same interfaces for both HA and device
management. The HA interface will have /HA appended to its name.
The following port configuration is recommended:
• Use port 1 for device log traffic, and disable unneeded services on it, such as SSH, TELNET, Web Service, and so on.
• Use a second port for administrator access, and enable HTTPS, Web Service, and SSH for this port. Leave other services disabled.
To configure port 1:
1. Go to System Settings > Network. The System Network Management Interface pane is displayed.
2. Configure the following settings for port1, then click Apply to apply your changes.
Name: Displays the name of the interface.
IP Address/Netmask: The IP address and netmask associated with this interface.
IPv6 Address: The IPv6 address associated with this interface.
Administrative Access: Select the allowed administrative service protocols from: HTTPS, HTTP, PING, SSH, Telnet, SNMP, and Web Service.
IPv6 Administrative Access: Select the allowed IPv6 administrative service protocols from: HTTPS, HTTP, PING, SSH, Telnet, SNMP, and Web Service.
Service Access: Select the Fortinet services that are allowed access on this interface. These include FortiGate Updates and Web Filtering. By default all service access is enabled on port1, and disabled on port2.
Default Gateway: The default gateway associated with this interface.
Primary DNS Server: The primary DNS server IP address.
Secondary DNS Server: The secondary DNS server IP address.
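The recommended split above (port1 for device log traffic with management services disabled, a second port for administrators with only HTTPS, Web Service and SSH) can be checked mechanically. The following audit is an added example, not Fortinet code: the interface records are constructed inline, the function and constant names are this example's own, and IPv4 and IPv6 access lists are merged because the recommendation applies to both.

```python
# Audit FortiManager interface administrative-access settings against the port
# layout the guide recommends. Added example, not Fortinet code. Interface
# records are constructed here; names such as audit_interfaces are mine.

ALL_SERVICES = {"HTTPS", "HTTP", "PING", "SSH", "Telnet", "SNMP", "Web Service"}
CLEARTEXT = {"HTTP", "Telnet"}                       # unencrypted management protocols
MANAGEMENT = {"HTTPS", "HTTP", "SSH", "Telnet", "Web Service"}
ADMIN_ALLOWED = {"HTTPS", "Web Service", "SSH"}      # the guide's admin-port set
LOG_PORT = "port1"                                   # the guide's device log port


def _access(cfg: dict) -> set:
    """Merge the IPv4 and IPv6 administrative access lists of one interface."""
    return set(cfg.get("admin_access", ())) | set(cfg.get("ipv6_admin_access", ()))


def audit_interfaces(interfaces: dict, admin_port: str = "port2") -> list:
    """Return a list of findings; an empty list means the layout matches the guide."""
    findings = []
    if admin_port not in interfaces:
        findings.append(f"{admin_port}: dedicated administrator port is not configured")
    for name, cfg in sorted(interfaces.items()):
        access = _access(cfg)
        unknown = sorted(access - ALL_SERVICES)
        if unknown:                                  # typo or unsupported service name
            findings.append(f"{name}: unrecognised service names {unknown}")
            access -= set(unknown)
        clear = sorted(access & CLEARTEXT)
        if clear:                                    # HTTP/Telnet expose credentials
            findings.append(f"{name}: cleartext management protocols enabled {clear}")
        if name == LOG_PORT and name != admin_port:
            mgmt = sorted(access & MANAGEMENT)
            if mgmt:                                 # log port should not accept management
                findings.append(
                    f"{name}: management services should be disabled on the log port {mgmt}")
        if name == admin_port:
            extra = sorted((access - ADMIN_ALLOWED) - CLEARTEXT)
            if extra:                                # anything beyond HTTPS/Web Service/SSH
                findings.append(
                    f"{name}: services beyond HTTPS, Web Service and SSH enabled "
                    f"on the admin port {extra}")
            missing = sorted(ADMIN_ALLOWED - access)
            if missing:
                findings.append(f"{name}: recommended admin services not enabled {missing}")
    return findings


# Constructed sample configurations (not taken from a real device).
RECOMMENDED = {
    "port1": {"admin_access": ["PING"], "ipv6_admin_access": []},
    "port2": {"admin_access": ["HTTPS", "SSH", "Web Service"],
              "ipv6_admin_access": ["HTTPS"]},
}
NONCOMPLIANT = {
    "port1": {"admin_access": ["HTTPS", "SSH", "Telnet", "PING"]},
    "port2": {"admin_access": ["HTTPS", "HTTP", "SSH", "Web Service", "SNMP"]},
}

if __name__ == "__main__":
    for label, cfg in (("recommended", RECOMMENDED), ("noncompliant", NONCOMPLIANT)):
        print(label, audit_interfaces(cfg) or ["no findings"])
```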
To configure additional ports:
1. Go to System Settings > Network and click All Interfaces. The interface list opens.
2. Double-click on a port, right-click on a port then select Edit from the pop-up menu, or select a port then click Edit in the toolbar. The Edit System Interface pane is displayed.
3. Configure the settings as required.
4. Click OK to apply your changes.
The port name, default gateway, and DNS servers cannot be changed from the Edit System
Interface pane. The port can be given an alias if needed.
Disabling ports
Ports can be disabled to prevent them from accepting network traffic.
To disable a port:
1. Go to System Settings > Network and click All Interfaces. The interface list opens.
2. Double-click on a port, right-click on a port then select Edit from the pop-up menu, or select a port then click Edit in the toolbar. The Edit System Interface pane is displayed.
3. In the Status field, click Disable.
4. Click OK to disable the port.
Changing administrative access
Administrative access defines the protocols that can be used to connect to the FortiManager through an interface. The
available options are: HTTPS, HTTP, PING, SSH, TELNET, SNMP, and Web Service.
To change administrative access:
1. Go to System Settings > Network and click All Interfaces. The interface list opens.
2. Double-click on a port, right-click on a port then select Edit from the pop-up menu, or select a port then click Edit in the toolbar. The Edit System Interface pane is displayed.
3. Select one or more access protocols for the interface for IPv4 and IPv6, if applicable.
4. Click OK to apply your changes.
Static routes
Static routes can be managed from the routing tables for IPv4 and IPv6 routes.
The routing tables can be accessed by going to System Settings > Network and clicking Routing Table and IPv6
Routing Table.
To add a static route:
1. From the IPv4 or IPv6 routing table, click Create New in the toolbar. The Create New Network Route pane opens.
2. Enter the destination IP address and netmask, or IPv6 prefix, and gateway in the requisite fields.
3. Select the network interface that connects to the gateway from the dropdown list.
4. Click OK to create the new static route.
To edit a static route:
1. From the IPv4 or IPv6 routing table: double-click on a route, right-click on a route then select Edit from the pop-up menu, or select a route then click Edit in the toolbar. The Edit Network Route pane opens.
2. Edit the configuration as required. The route ID cannot be changed.
3. Click OK to apply your changes.
To delete a static route or routes:
1. From the IPv4 or IPv6 routing table, right-click on a route then select Delete from the pop-up menu, or select a route or routes then click Delete in the toolbar.
2. Click OK in the confirmation dialog box to delete the selected route or routes.
RAID Management
RAID helps to divide data storage over multiple disks, providing increased data reliability. For FortiManager devices
containing multiple hard disks, you can configure the RAID array for capacity, performance, and/or availability.
The RAID Management tree menu is only available on FortiManager devices that support
RAID.
Supported RAID levels
FortiManager units with multiple hard drives can support the following RAID levels. See the FortiManager datasheet to determine your device's supported RAID levels.
Linear RAID
A Linear RAID array combines all hard disks into one large virtual disk. The total space available in this option is the
capacity of all disks used. There is very little performance change when using this RAID format. If any of the drives fails,
the entire set of drives is unusable until the faulty drive is replaced. All data will be lost.
RAID 0
A RAID 0 array is also referred to as striping. The FortiManager unit writes information evenly across all hard disks. The
total space available is that of all the disks in the RAID array. There is no redundancy available. If any single drive fails,
the data on that drive cannot be recovered. This RAID level is beneficial because it provides better performance, since
the FortiManager unit can distribute disk writing across multiple disks.
• Minimum number of drives: 2
• Data protection: No protection
RAID 0 is not recommended for mission critical environments as it is not fault-tolerant.
RAID 1
A RAID 1 array is also referred to as mirroring. The FortiManager unit writes information to one hard disk, and writes a
copy (a mirror image) of all information to all other hard disks. The total disk space available is that of only one hard
disk, as the others are solely used for mirroring. This provides redundant data storage with no single point of failure.
Should any of the hard disks fail, there are backup hard disks available.
• Minimum number of drives: 2
• Data protection: Single-drive failure
One write or two reads are possible per mirrored pair. RAID 1 offers redundancy of data. A re-
build is not required in the event of a drive failure. This is the simplest RAID storage design
with the highest disk overhead.
RAID 1s
A RAID 1 with hot spare array uses one of the hard disks as a hot spare (a stand-by disk for the RAID). If a hard disk
fails, within a minute of the failure the hot spare is substituted for the failed drive, integrating it into the RAID array and
rebuilding the RAID’s data. When you replace the failed hard disk, the new hard disk is used as the new hot spare. The
total disk space available is the total number of disks minus two.
RAID 5
A RAID 5 array employs striping with a parity check. Similar to RAID 0, the FortiManager unit writes information evenly
across all drives but additional parity blocks are written on the same stripes. The parity block is staggered for each
stripe. The total disk space is the total number of disks in the array, minus one disk for parity storage. For example, with
four hard disks, the total capacity available is actually the total for three hard disks. RAID 5 performance is typically
better with reading than with writing, although performance is degraded when one disk has failed or is missing. With
RAID 5, one disk can fail without the loss of data. If a drive fails, it can be replaced and the FortiManager unit will
restore the data on the new disk by using reference information from the parity volume.
• Minimum number of drives: 3
• Data protection: Single-drive failure
RAID 5s
A RAID 5 with hot spare array uses one of the hard disks as a hot spare (a stand-by disk for the RAID). If a hard disk
fails, within a minute of the failure, the hot spare is substituted for the failed drive, integrating it into the RAID array, and
rebuilding the RAID’s data. When you replace the failed hard disk, the new hard disk is used as the new hot spare. The
total disk space available is the total number of disks minus two.
RAID 6
A RAID 6 array is the same as a RAID 5 array with an additional parity block. It uses block-level striping with two parity
blocks distributed across all member disks.
• Minimum number of drives: 4
• Data protection: Up to two disk failures.
RAID 6s
A RAID 6 with hot spare array is the same as a RAID 5 with hot spare array with an additional parity block.
RAID 10
RAID 10 (or 1+0) includes nested RAID levels 1 and 0, or a stripe (RAID 0) of mirrors (RAID 1). The total disk space available is the total number of disks in the array (a minimum of 4) divided by 2, for example:
• 2 RAID 1 arrays of two disks each,
• 3 RAID 1 arrays of two disks each,
• 6 RAID 1 arrays of two disks each.
One drive from a RAID 1 array can fail without the loss of data; however, should the other drive in the RAID 1 array fail,
all data will be lost. In this situation, it is important to replace a failed drive as quickly as possible.
• Minimum number of drives: 4
• Data protection: Up to two disk failures in each sub-array.
Alternative to RAID 1 when additional performance is required.
RAID 50
RAID 50 (or 5+0) includes nested RAID levels 5 and 0, or a stripe (RAID 0) and stripe with parity (RAID 5). The total disk
space available is the total number of disks minus the number of RAID 5 sub-arrays. RAID 50 provides increased
performance and also ensures no data loss for the same reasons as RAID 5. One drive in each RAID 5 array can fail
without the loss of data.
• Minimum number of drives: 6
• Data protection: Up to one disk failure in each sub-array.
Higher fault tolerance than RAID 5 and higher efficiency than RAID 0.
RAID 50 is only available on models with 9 or more disks. By default, two groups are used
unless otherwise configured via the CLI. Use the diagnose system raid status CLI
command to view your current RAID level, status, size, groups, and hard disk drive
information.
RAID 60
A RAID 60 (6+0) array combines the straight, block-level striping of RAID 0 with the distributed double parity of RAID 6.
• Minimum number of drives: 8
• Data protection: Up to two disk failures in each sub-array.
High read data transaction rate, medium write data transaction rate, and slightly lower
performance than RAID 50.
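The capacity and minimum-drive rules given for each level above can be put into one calculator, which is useful when sizing a unit before choosing a level (recall that changing the level deletes all data). This is an added example, not Fortinet code: it follows the per-level rules as the guide states them, and the minimum drive counts for the hot-spare variants, the RAID 6s capacity (RAID 6 plus one spare) and the RAID 60 capacity rule (two parity disks per sub-array) are assumptions because the guide does not state them.

```python
# Usable capacity and tolerated disk failures per RAID level, following the
# rules the guide gives for each level. Added example, not Fortinet code.
# Level names: "raid1s", "raid5s", "raid6s" are the hot-spare variants.
# ASSUMPTIONS (not stated in the guide): min drives for the hot-spare variants,
# RAID 6s usable disks (n - 3) and RAID 60 usable disks (n - 2 per sub-array).

MIN_DRIVES = {
    "linear": 1, "raid0": 2, "raid1": 2, "raid1s": 3, "raid5": 3, "raid5s": 4,
    "raid6": 4, "raid6s": 5, "raid10": 4, "raid50": 6, "raid60": 8,
}
# Failures tolerated before data loss for the non-nested levels, as described.
TOLERATED = {
    "linear": 0, "raid0": 0, "raid1": 1, "raid1s": 1, "raid5": 1, "raid5s": 1,
    "raid6": 2, "raid6s": 2,
}


def _usable_disks(level: str, n: int, groups: int) -> int:
    """Number of disks whose capacity is available for data."""
    if level in ("linear", "raid0"):
        return n                  # all disks hold data, no redundancy
    if level == "raid1":
        return 1                  # the other disks are mirrors
    if level in ("raid1s", "raid5s"):
        return n - 2              # guide: total disks minus two (redundancy + spare)
    if level == "raid5":
        return n - 1              # one disk's worth of parity
    if level == "raid6":
        return n - 2              # two parity blocks per stripe
    if level == "raid6s":
        return n - 3              # assumption: RAID 6 plus one hot spare
    if level == "raid10":
        return n // 2             # stripe of mirrored pairs
    if level == "raid50":
        return n - groups         # guide: minus one disk per RAID 5 sub-array
    return n - 2 * groups         # raid60, assumption: two parity disks per sub-array


def raid_capacity(level: str, disk_count: int, disk_size_gb: int, groups: int = 2) -> dict:
    """Usable capacity and tolerated failures; raises ValueError on an invalid layout."""
    level = level.lower()
    if level not in MIN_DRIVES:
        raise ValueError(f"unknown RAID level {level!r}")
    if disk_count < MIN_DRIVES[level]:
        raise ValueError(f"{level} needs at least {MIN_DRIVES[level]} disks")
    if level == "raid10" and disk_count % 2:
        raise ValueError("RAID 10 needs an even number of disks (pairs of mirrors)")
    if level in ("raid50", "raid60"):
        per_group_min = 3 if level == "raid50" else 4   # each sub-array is a RAID 5 / RAID 6
        if groups < 2 or disk_count < per_group_min * groups:
            raise ValueError(f"{level} with {groups} groups needs "
                             f"{per_group_min * groups}+ disks")
    if level in TOLERATED:
        tolerated = TOLERATED[level]
    else:
        # Nested levels: one failure per RAID 1 pair or RAID 5 sub-array, two per
        # RAID 6 sub-array, and only if the failures land in different sub-arrays.
        per_sub = {"raid10": 1, "raid50": 1, "raid60": 2}[level]
        sub_arrays = disk_count // 2 if level == "raid10" else groups
        tolerated = per_sub * sub_arrays
    return {
        "level": level,
        "usable_gb": _usable_disks(level, disk_count, groups) * disk_size_gb,
        "tolerated_failures": tolerated,
        "hot_spare": level.endswith("s"),
    }


def is_valid_layout(level: str, disk_count: int, groups: int = 2) -> bool:
    """True if the level can be built from disk_count disks."""
    try:
        raid_capacity(level, disk_count, 1, groups)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # The guide's own example: four RAID 5 disks give the capacity of three.
    print(raid_capacity("raid5", 4, 2000))
```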
Configuring the RAID level
Changing the RAID level will delete all data.
To configure the RAID level:
1. Go to System Settings > RAID Management.
2. Click Change in the RAID Level field. The RAID Settings dialog box is displayed.
3. From the RAID Level list, select a new RAID level, then click OK.
The FortiManager unit reboots. Depending on the selected RAID level, it may take a significant amount of time to
generate the RAID array.
Monitoring RAID status
To view the RAID status, go to System Settings > RAID Management. The RAID Management pane displays the
RAID level, status, and disk space usage. It also shows the status, size, and model of each disk in the RAID array.
The Alert Message Console widget, located in System Settings > Dashboard, provides detailed information about RAID array failures. For more information see Alert Messages Console widget on page 381.
Summary: Shows summary information about the RAID array.
Graphic: Displays the position and status of each disk in the RAID array. Hover the cursor over each disk to view details.
RAID Level: Displays the selected RAID level. Click Change to change the selected RAID level. When you change the RAID settings, all data is deleted.
Status: Displays the overall status of the RAID array.
Disk Space Usage: Displays the total size of the disk space, how much disk space is used, and how much disk space is free.
Disk Management: Shows information about each disk in the RAID array.
Disk Number: Identifies the disk number for each disk.
Disk Status: Displays the status of each disk in the RAID array.
• Ready: The hard drive is functioning normally.
• Rebuilding: The FortiManager unit is writing data to a newly added hard drive in order to restore the hard drive to an optimal state. The FortiManager unit is not fully fault tolerant until rebuilding is complete.
• Initializing: The FortiManager unit is writing to all the hard drives in the device in order to make the array fault tolerant.
• Verifying: The FortiManager unit is ensuring that the parity data of a redundant drive is valid.
• Degraded: The hard drive is no longer being used by the RAID controller.
• Inoperable: One or more drives are missing from the FortiManager unit. The drive is no longer available to the operating system. Data on an inoperable drive cannot be accessed.
Size (GB): Displays the size, in GB, of each disk.
Disk Model: Displays the model number of each disk.
Checking RAID from command line
Use command line to check if your device uses hardware or software RAID.
To check RAID type from the command line:
1. Go to System Settings.
2. Click CLI Console.
3. Type the command diagnose system raid status and press Enter.
4. The following information is shown in the output:
• Mega RAID - this output shows that the device uses hardware RAID.
• Software RAID - this output shows that the device uses software RAID.
Sample command line output showing hardware RAID:
[Product_Name_Model] # diagnose system raid status
Mega RAID: <-- this is hardware RAID
RAID Level: Raid-50
RAID Status: OK
RAID Size: 11175GB
Groups: 2
[Product_Name_Model] # diagnose system raid status
Software RAID: <-- this is software RAID
RAID Level: Raid-50
RAID Status: OK
RAID Size: 11175GB
Groups: 2
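When this check is run across many units (for example from a script that collects CLI output), the distinction between the Mega RAID and Software RAID headers, and the RAID Status value, are what a monitoring job needs to pick out. The parser below is an added example, not Fortinet code; the two samples are constructed to match the output shown above (the "<--" annotations are the guide's illustration and are stripped), and the function names are this example's own.

```python
import re

# Parse the output of "diagnose system raid status" as shown in the guide.
# Added example, not Fortinet code. Samples are constructed from the guide's
# illustration; the "<-- ..." remarks are annotations, not device output.

HARDWARE_SAMPLE = """\
[Product_Name_Model] # diagnose system raid status
Mega RAID: <-- this is hardware RAID
RAID Level: Raid-50
RAID Status: OK
RAID Size: 11175GB
Groups: 2
"""

SOFTWARE_SAMPLE = """\
[Product_Name_Model] # diagnose system raid status
Software RAID: <-- this is software RAID
RAID Level: Raid-50
RAID Status: OK
RAID Size: 11175GB
Groups: 2
"""


def parse_raid_status(text: str) -> dict:
    """Return a dict with raid_type, level, status, size_gb and groups."""
    info = {"raid_type": None}
    for raw in text.splitlines():
        line = raw.split("<--", 1)[0].strip()        # drop the guide's annotations
        if not line or line.startswith("["):         # skip blank lines and the CLI prompt
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Mega RAID":
            info["raid_type"] = "hardware"
        elif key == "Software RAID":
            info["raid_type"] = "software"
        elif key == "RAID Level":
            info["level"] = value
        elif key == "RAID Status":
            info["status"] = value
        elif key == "RAID Size":
            m = re.fullmatch(r"(\d+)\s*GB", value)   # e.g. "11175GB"
            if not m:
                raise ValueError(f"unexpected RAID Size value {value!r}")
            info["size_gb"] = int(m.group(1))
        elif key == "Groups":
            info["groups"] = int(value)
    if info["raid_type"] is None:
        raise ValueError("neither 'Mega RAID' nor 'Software RAID' header found")
    return info


def raid_needs_attention(info: dict) -> bool:
    """True unless the array reports RAID Status: OK (missing status counts as a problem)."""
    return info.get("status") != "OK"


def hot_swap_supported(info: dict) -> bool:
    """Hardware RAID units can be hot swapped; software RAID units must be shut down first."""
    return info["raid_type"] == "hardware"


if __name__ == "__main__":
    for sample in (HARDWARE_SAMPLE, SOFTWARE_SAMPLE):
        parsed = parse_raid_status(sample)
        print(parsed, "needs attention:", raid_needs_attention(parsed),
              "hot swap:", hot_swap_supported(parsed))
```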
Swapping hard disks
If a hard disk on a FortiManager unit fails, it must be replaced. On FortiManager devices that support hardware RAID,
the hard disk can be replaced while the unit is still running - known as hot swapping. On FortiManager units with
software RAID, the device must be shut down prior to exchanging the hard disk.
To identify which hard disk failed, read the relevant log message in the Alert Message Console widget. See Alert
Messages Console widget on page 381.
Electrostatic discharge (ESD) can damage FortiManager equipment. Only perform the
procedures described in this document from an ESD workstation. If no such station is
available, you can provide some ESD protection by wearing an anti-static wrist or ankle strap
and attaching it to an ESD connector or to a metal part of a FortiManager chassis.
When replacing a hard disk, you need to first verify that the new disk is the same size as those
supplied by Fortinet and has at least the same capacity as the old one in the FortiManager
unit. Installing a smaller hard disk will affect the RAID setup and may cause data loss. Due to
possible differences in sector layout between disks, the only way to guarantee that two disks
have the same size is to use the same brand and model.
The size provided by the hard drive manufacturer for a given disk model is only an
approximation. The exact size is determined by the number of sectors present on the disk.
To hot swap a hard disk on a device that supports hardware RAID:
1. Remove the faulty hard disk.
2. Install a new disk.
The FortiManager unit automatically adds the new disk to the current RAID array. The status appears on the
console. The RAID Management pane displays a green checkmark icon for all disks and the RAID Status area
displays the progress of the RAID re-synchronization/rebuild.
Adding hard disks
Some FortiManager units have space to add more hard disks to increase your storage capacity.
Fortinet recommends you use the same disks as those supplied by Fortinet. Disks of other
brands will not be supported by Fortinet. For information on purchasing extra hard disks,
contact your Fortinet reseller.
To add more hard disks:
1. Obtain the same disks as those supplied by Fortinet.
2. Back up the log data on the FortiManager unit.
You can also migrate the data to another FortiManager unit, if you have one. Data migration reduces system downtime
and the risk of data loss.
3. Install the disks in the FortiManager unit.
If your unit supports hot swapping, you can do so while the unit is running. Otherwise, the unit must be shut down
first. See Unit Operation widget on page 380 for information.
4. Configure the RAID level. See Configuring the RAID level on page 390.
5. If you backed up the log data, restore it.
Administrative Domains
Administrative domains (ADOMs) enable administrators to manage only those devices that they are specifically
assigned, based on the ADOMs to which they have access. When the ADOM mode is advanced, FortiGate devices with
multiple VDOMs can be divided among multiple ADOMs.
Administrator accounts can be tied to one or more ADOMs, or denied access to specific ADOMs. When a particular
administrator logs in, they see only those devices or VDOMs that have been enabled for their account. Super user
administrator accounts, such as the admin account, can see and maintain all ADOMs and the devices within them.
When FortiAnalyzer features are enabled, each ADOM specifies how long to store and how much disk space to use for
its logs. You can monitor disk utilization for each ADOM and adjust storage settings for logs as needed.
The maximum number of ADOMs you can add depends on the FortiManager system model. Please refer to the
FortiManager data sheet for more information.
By default, ADOMs are disabled. Enabling and configuring ADOMs can only be done by administrators with the Super_User
profile. See Administrators on page 440.
Non-FortiGate devices, except for FortiAnalyzer devices, are automatically located in specific
ADOMs for their device type. They cannot be moved to other ADOMs.
One FortiAnalyzer device can be added to each ADOM. For more information, see Adding
FortiAnalyzer devices on page 51.
Default ADOMs
FortiManager includes default ADOMs for specific types of devices. When you add one or more of these devices to the
FortiManager, the devices are automatically added to the appropriate ADOM, and the ADOM becomes selectable.
When a default ADOM contains no devices, the ADOM is not selectable.
For example, when you add a FortiClient EMS device to the FortiManager, the FortiClient EMS device is automatically
added to the default FortiClient ADOM. After the FortiClient ADOM contains a FortiClient EMS device, the FortiClient
ADOM is selectable when you log into FortiManager or when you switch between ADOMs.
You can view all of the ADOMs, including default ADOMs without devices, on the System Settings > All ADOMs pane.
Organizing devices into ADOMs
You can organize devices into ADOMs to allow you to better manage these devices. Devices can be organized by
whatever method you deem appropriate, for example:
- Firmware version: group all devices with the same firmware version into an ADOM.
- Geographic regions: group all devices for a specific geographic region into an ADOM, and devices for a different
  region into another ADOM.
- Administrative users: group devices into separate ADOMs based on the specific administrators responsible for each
  group of devices.
- Customers: group all devices for one customer into an ADOM, and devices for another customer into another
  ADOM.
Enabling and disabling the ADOM feature
By default, ADOMs are disabled. Enabling and configuring ADOMs can only be done by super user administrators.
When ADOMs are enabled, the Device Manager, Policy & Objects, AP Manager, FortiClient Manager, and VPN Manager
panes are displayed per ADOM. If FortiAnalyzer features are enabled, the FortiView, Log View, Event Manager, and
Reports panes are also displayed per ADOM. You select the ADOM you need to work in when you log into the
FortiManager unit. See Switching between ADOMs on page 21.
ADOMs must be enabled to support FortiMail and FortiWeb logging and reporting. When a FortiMail or FortiWeb device
is promoted to the DVM table, the device is added to its respective default ADOM and will be visible in the left-hand
tree menu.
FortiGate and FortiCarrier devices cannot be grouped into the same ADOM. FortiCarrier
devices are added to a specific default FortiCarrier ADOM.
To enable the ADOM feature:
1. Log in to the FortiManager as a super user administrator.
2. Go to System Settings > Dashboard.
3. In the System Information widget, toggle the Administrative Domain switch to ON.
You will be automatically logged out of the FortiManager and returned to the login screen.
To disable the ADOM feature:
1. Remove all the devices from all non-root ADOMs. That is, add all devices to the root ADOM.
2. Delete all non-root ADOMs. See Deleting ADOMs on page 404.
Only after removing all the non-root ADOMs can ADOMs be disabled.
3. Go to System Settings > Dashboard.
4. In the System Information widget, toggle the Administrative Domain switch to OFF.
You will be automatically logged out of the FortiManager and returned to the login screen.
The ADOMs feature cannot be disabled if ADOMs are still configured and have managed
devices in them.
ADOM device modes
An ADOM has two device modes: Normal (default) and Advanced.
In Normal mode, you cannot assign different FortiGate VDOMs to different ADOMs. The FortiGate unit can only be
added to a single ADOM.
In Advanced mode, you can assign a VDOM from a single device to a different ADOM. This allows you to analyze data
for individual VDOMs, but will result in more complicated management scenarios. It is recommended only for advanced
users.
To change from Advanced mode back to Normal mode, you must ensure no FortiGate VDOMs are assigned to an
ADOM.
To change the ADOM device mode:
1. Go to System Settings > Advanced > Advanced Settings.
2. In the ADOM Mode field, select either Normal or Advanced.
3. Select Apply to apply your changes.
ADOM modes
When creating an ADOM, the mode can be set to Normal or Backup.
Normal mode ADOMs
When creating an ADOM in Normal Mode, the ADOM is considered Read/Write, where you are able to make changes
to the ADOM and managed devices from the FortiManager. FortiGate units in the ADOM will query their own
configuration every 5 seconds. If there has been a configuration change, the FortiGate unit will send a diff revision on
the change to the FortiManager using the FGFM protocol.
Backup mode ADOMs
When creating an ADOM in Backup Mode, the ADOM is considered Read-Only, where you cannot make changes to the
ADOM and managed devices from FortiManager. Changes are made via scripts, which are run on the managed device,
or through the device's GUI or CLI directly. Revisions are sent to the FortiManager when specific conditions are met:
- Configuration change and session timeout
- Configuration change and log out
- Configuration change and reboot
- Manual configuration backup from the managed device.
When you add a device to an ADOM in backup mode, you can import firewall address and service objects to
FortiManager, and FortiManager stores the objects in the Device Manager database. You can view the objects on the
Policy & Objects pane. Although you can view the objects on the Policy & Objects pane, the objects are not stored in
the central database. This lets you maintain a repository of objects used by all devices in the backup ADOM that is
separate from the central database.
All devices that are added to the ADOM will only have their configuration backed up. Configuration changes cannot be
made to the devices in a backup ADOM. You can push any existing revisions to managed devices. You can still monitor
and review the revision history for these devices, and scripting is still allowed for pushing scripts directly to FortiGate
units.
Creating backup ADOMs
You can create an ADOM with backup mode enabled, and then add devices to the ADOM.
When an ADOM is in backup mode, the following panes are available:
- Device Manager
- Policy & Objects
- FortiGuard
- NOC - SOC
- System Settings
To create backup ADOMs:
1. Go to System Settings > All ADOMs, and click Create New.
2. Set the following options, and click OK:
Name: Type a name for the ADOM.
Type: Select the type of device and ADOM version.
Devices: Select a device. Alternately, you can add a device to the ADOM later by using the Add Device wizard.
Mode: Select Backup.
The ADOM in backup mode is created.
Importing objects to backup ADOMs
You can use the Add Device wizard to add FortiGate devices to an ADOM in backup mode. The wizard also lets you
import firewall address and service objects. Policies are not imported.
Alternately, you can import objects after adding devices by using the Import Policy button on the Device Manager
pane.
All imported objects are stored in the Device Manager database. They are not stored in the central database, which is
used to store objects used in policies.
To import objects when adding devices:
1. Go to Device Manager > Device & Groups, and click Add Device.
2. Follow the Add Device wizard until the Import button is displayed.
3. Click Import to import firewall address and service objects to the Device Manager database.
The objects are imported into the Device Manager database.
Alternately, you can import the objects after you add the device.
4. Go to the Policy & Objects pane to view the objects.
You can also create, edit, and delete objects.
To import objects after adding devices:
1. Go to Device Manager > Device & Groups.
2. Select a device and click Import Policy.
The objects are imported into the Device Manager database.
3. Go to the Policy & Objects pane to view the objects.
You can also create, edit, and delete objects.
Viewing read-only policies in backup ADOMs
When an ADOM is in backup mode, you can view information about read-only policies.
To view read-only policies:
1. Ensure you are in an ADOM with backup mode enabled.
2. Go to Device Manager > Device & Groups.
3. In the tree menu, select the device group, for example, Managed FortiGates. The list of devices is displayed in the
content pane and in the bottom tree menu.
4. In the bottom tree menu, select a device. The System dashboard is displayed.
For a description of the widgets, see System dashboard widgets on page 64.
5. In the dashboard toolbar, click CLI Configurations to view information about policies. The policies are read-only.
Managing ADOMs
The ADOMs feature must be enabled before ADOMs can be created or configured. See Enabling and disabling the
ADOM feature on page 395.
To create and manage ADOMs, go to System Settings > All ADOMs.
Create New: Create a new ADOM. See Creating ADOMs on page 400.
Edit: Edit the selected ADOM. This option is also available from the right-click menu. See Editing an ADOM on page 403.
Delete: Delete the selected ADOM or ADOMs. You cannot delete default ADOMs. This option is also available from the
    right-click menu. See Deleting ADOMs on page 404.
Enter ADOM: Switch to the selected ADOM. This option is also available from the right-click menu.
More: Select Expand Devices to expand all of the ADOMs to show the devices in each ADOM. Select Collapse Devices to
    collapse the device lists. Select Upgrade to upgrade the ADOM; see ADOM versions on page 404. These options are
    also available from the right-click menu.
Search: Enter a search term to search the ADOM list.
Name: The name of the ADOM. ADOMs are listed in the following groups: Central Management, Backup Mode (if there are
    any backup mode ADOMs), and Other Device Types. A group can be collapsed or expanded by clicking the triangle
    next to its name.
Firmware Version: The firmware version of the ADOM. Devices in the ADOM should have the same firmware version. See
    ADOM versions on page 404 for more information.
Central VPN: Whether or not central VPN management is enabled for the ADOM.
Allocated Storage: The amount of hard drive storage space allocated to the ADOM.
Devices: The number of devices and VDOMs that the ADOM contains. The device list can be expanded or collapsed by
    clicking the triangle.
Creating ADOMs
To create a new ADOM, you must be logged in as a super user administrator.
Consider the following when creating ADOMs:
- The maximum number of ADOMs that can be created depends on the FortiManager model. For more information,
  see the FortiManager data sheet at https://www.fortinet.com/products/management/fortimanager.html.
- You must use an administrator account that is assigned the Super_User administrative profile.
- You can add a device to only one ADOM. You cannot add a device to multiple ADOMs.
- You cannot add FortiGate and FortiCarrier devices to the same ADOM. FortiCarrier devices are added to a specific,
  default FortiCarrier ADOM.
- You can add one or more VDOMs from a FortiGate device to one ADOM. If you want to add individual VDOMs from
  a FortiGate device to different ADOMs, you must first enable advanced device mode. See ADOM device modes on
  page 395.
- When FortiAnalyzer features are enabled, you can configure how an ADOM handles log files from its devices. For
  example, you can configure how much disk space an ADOM can use for logs, and then monitor how much of the
  allotted disk space is used. You can also specify how long to keep logs indexed in the SQL database and how long
  to keep logs stored in a compressed format.
To create an ADOM:
1. Ensure that ADOMs are enabled. See Enabling and disabling the ADOM feature on page 395.
2. Go to System Settings > All ADOMs.
3. Click Create New in the toolbar. The Create New ADOM pane is displayed.
4. Configure the following settings, then click OK to create the ADOM.
Name: Type a name that allows you to distinguish this ADOM from your other ADOMs. ADOM names must be unique.
Type: Select either FortiGate or FortiCarrier from the dropdown menu. The ADOM type cannot be edited. Other device
    types are added to their respective default ADOM when registering with FortiManager.
Version: Select the version of the devices in the ADOM. The ADOM version cannot be edited.
Devices: Add a device or devices with the selected versions to the ADOM. The search field can be used to find
    specific devices. See Assigning devices to an ADOM on page 402.
Central Management: Select the VPN checkbox to enable central VPN management. Select the SD-WAN checkbox to
    enable central SD-WAN management. Select the FortiAP checkbox to enable central FortiAP management; this
    checkbox is selected by default. This option is only available when the Mode is Normal.
Mode: Select Normal mode if you want to manage and configure the connected FortiGate devices from the FortiManager
    GUI. Select Backup mode if you want to back up the FortiGate configurations to the FortiManager, but configure
    each FortiGate locally. See ADOM modes on page 396 for more information.
Default Device Selection for Install: Select either Select All or Unselect All. This option is only available when
    the Mode is Normal.
Perform Policy Check Before Every Install: Turn On to perform a policy consistency check before every install. Only
    added or modified policies are checked. See Perform a policy consistency check on page 164.
Action When Conflicts Occur During Policy Check: Select an action to take when a conflict occurs during the automatic
    policy consistency check, either Continue Installation or Stop Installation.
Auto-Push Policy Packages When Device Back Online: Automatically push policy package updates to currently offline
    managed devices when the devices come back online.
Data Policy: Specify how long to keep logs in the indexed and compressed states. This section is only available when
    FortiAnalyzer features are enabled. See FortiAnalyzer Features on page 22.
Keep Logs for Analytics: Specify how long to keep logs in the indexed state. During the indexed state, logs are
    indexed in the SQL database for the specified amount of time. Information about the logs can be viewed in the
    FortiView, Event Manager, and Reports modules. After the specified length of time expires, Analytics logs are
    automatically purged from the SQL database.
Keep Logs for Archive: Specify how long to keep logs in the compressed state. During the compressed state, logs are
    stored in a compressed format on the FortiManager unit. When logs are in the compressed state, information about
    the log messages cannot be viewed in the FortiView, Event Manager, or Reports modules. After the specified length
    of time expires, Archive logs are automatically deleted from the FortiManager unit.
Disk Utilization: Specify how much disk space to use for logs. This section is only available when FortiAnalyzer
    features are enabled. See FortiAnalyzer Features on page 22.
Maximum Allowed: Specify the maximum amount of FortiManager disk space to use for logs, and select the unit of
    measure. The total available space on the FortiManager unit is shown.
Analytics : Archive: Specify the percentage of the allotted space to use for Analytics and Archive logs. Analytics
    logs require more space than Archive logs. For example, a setting of 70% and 30% indicates that 70% of the
    allotted disk space will be used for Analytics logs, and 30% of the allotted space will be used for Archive logs.
    Select the Modify checkbox to change the setting.
Alert and Delete When Usage Reaches: Specify at what data usage percentage an alert message will be generated and
    logs will be automatically deleted. The oldest Archive log files or Analytics database tables are deleted first.
Assigning devices to an ADOM
To assign devices to an ADOM you must be logged in as a super user administrator. Devices cannot be assigned to
multiple ADOMs.
To assign devices to an ADOM:
1. Go to System Settings > All ADOMs.
2. Double-click on an ADOM, right-click on an ADOM and then select Edit from the menu, or select the ADOM then
click Edit in the toolbar. The Edit ADOM pane opens.
3. Click Select Device. The Select Device list opens on the right side of the screen.
4. Select the devices that you want to add to the ADOM. Only devices with the same version as the ADOM can be
added. The selected devices are displayed in the Devices list.
If the ADOM mode is Advanced, you can add separate VDOMs to the ADOM as well as units.
5. When done selecting devices, click Close to close the Select Device list.
6. Click OK.
The selected devices are removed from their previous ADOM and added to this one.
Assigning VDOMs to an ADOM
To assign VDOMs to an ADOM you must be logged in as a super user administrator and the ADOM mode must be
Advanced (see ADOM device modes on page 395). VDOMs cannot be assigned to multiple ADOMs.
To assign VDOMs to an ADOM:
1. Go to System Settings > All ADOMs.
2. Double-click on an ADOM, right-click on an ADOM and then select Edit from the menu, or select the ADOM then
click Edit in the toolbar. The Edit ADOM pane opens.
3. Click Select Device. The Select Device list opens on the right side of the screen.
4. Select the VDOMs that you want to add to the ADOM. Only VDOMs on devices with the same version as the
ADOM can be added. The selected VDOMs are displayed in the Devices list.
5. When done selecting VDOMs, click Close to close the Select Device list.
6. Click OK.
The selected VDOMs are removed from their previous ADOM and added to this one.
Assigning administrators to an ADOM
Super user administrators can create other administrators and either assign ADOMs to their account or exclude them
from specific ADOMs, constraining them to configurations and data that apply only to devices in the ADOMs they can
access.
By default, when ADOMs are enabled, existing administrator accounts other than admin are
assigned to the root domain, which contains all devices in the device list. For more
information about creating other ADOMs, see Creating ADOMs on page 400.
To assign an administrator to specific ADOMs:
1. Log in as a super user administrator. Other types of administrators cannot configure administrator accounts when
ADOMs are enabled.
2. Go to System Settings > Admin > Administrator.
3. Double-click on an administrator, right-click on an administrator and then select Edit from the menu, or select
the administrator then click Edit in the toolbar. The Edit Administrator pane opens.
4. Edit the Administrative Domain field as required, either assigning or excluding specific ADOMs.
5. Select OK to apply your changes.
The admin administrator account cannot be restricted to specific ADOMs.
Editing an ADOM
To edit an ADOM you must be logged in as a super user administrator. The ADOM type and version cannot be edited.
For the default ADOMs, the name cannot be edited.
To edit an ADOM:
1. Go to System Settings > All ADOMs.
2. Double-click on an ADOM, right-click on an ADOM and then select Edit from the menu, or select the ADOM then
click Edit in the toolbar. The Edit ADOM pane opens.
3. Edit the settings as required, and then select OK to apply the changes.
Deleting ADOMs
To delete an ADOM, you must be logged in as a super-user administrator (see Administrator profiles on page 453), such
as the admin administrator.
Prior to deleting an ADOM:
- All devices must be removed from the ADOM. Devices can be moved to another ADOM, or to the root ADOM. See
  Assigning devices to an ADOM on page 402.
- Global policy packages assigned to the ADOM must be unassigned. See Assign a global policy package on page
  158.
- References to the ADOM must be removed from administrator accounts (or the accounts deleted). See Assigning
  administrators to an ADOM on page 403.
To delete an ADOM:
1. Go to System Settings > All ADOMs.
2. Ensure that the ADOM or ADOMs being deleted have no devices in them.
3. Select the ADOM or ADOMs you need to delete.
4. Click Delete in the toolbar, or right-click and select Delete.
5. Click OK in the confirmation box to delete the ADOM or ADOMs.
Default ADOMs cannot be deleted.
ADOM versions
ADOMs can concurrently manage FortiGate units running FortiOS 5.2, 5.4, and 5.6, allowing devices running these
versions to share a common database. This allows you to continue to manage an ADOM as normal while upgrading the
devices within that ADOM.
When adding a new FortiGate unit to an ADOM, the FortiGate unit should have the same FortiOS version as the
ADOM.
This feature can be used to facilitate upgrading to new firmware.
Importing policies from devices running higher versions than the ADOM is not supported.
Installation to devices running higher versions is supported.
FortiManager 5.6 supports FortiOS 5.2, 5.4, and 5.6 ADOMs. For a complete list of supported
devices and firmware versions, see the FortiManager Release Notes.
Each ADOM is associated with a specific FortiOS version, based on the firmware version of the devices that are in that
ADOM. This version is selected when creating a new ADOM (see Creating ADOMs on page 400), and can be updated
only after all of the devices within the ADOM have been updated to the same FortiOS firmware version.
The general steps for upgrading an ADOM containing multiple devices running FortiOS 5.4 from 5.4 to 5.6 are as
follows:
1. In the ADOM, upgrade one of the FortiGate units to FortiOS 5.6, and then resynchronize the device. See Firmware
on page 85 for more information.
All of the ADOM objects, including Policy Packages, remain as 5.4 objects.
2. Upgrade the rest of the FortiGate units in the ADOM to FortiOS 5.6.
3. Upgrade the ADOM to 5.6. See Upgrading an ADOM on page 407 for more information.
All of the database objects will be converted to 5.6 format, and the GUI content for the ADOM will change to reflect
5.6 features and behavior.
An ADOM can only be upgraded after all the devices within the ADOM have been upgraded.
Global database version
The global database is reset when the database version is edited. The database is not reset when the global database
ADOM is upgraded using the Upgrade command.
The global database ADOM should only be upgraded after all the ADOMs that are using a
global policy package have been upgraded.
To upgrade the global database ADOM:
1. Go to System Settings > All ADOMs.
2. Select Global Database then click More > Upgrade in the toolbar, or right-click Global Database and select
Upgrade.
If the ADOM has already been upgraded to the latest version, this option will not be available.
3. Click OK in the Upgrade ADOM dialog box.
4. After the upgrade finishes, click Close to close the dialog box.
To edit the global database version:
Editing the global database version will reset the database. All global policy packages will be
lost. This should only be used when starting to use the global database for the first time, or
when resetting the database is required.
1. Go to System Settings > All ADOMs.
2. Select Global Database then click Edit in the toolbar, or right-click Global Database and select Edit. The Edit
Global Database window opens.
3. Select the version.
4. Click OK to save the setting.
5. A confirmation dialog box will be displayed. Click OK to continue.
Concurrent ADOM access
Concurrent ADOM access is controlled by enabling or disabling the workspace function. Concurrent access is enabled
by default. To prevent multiple administrators from making changes to the FortiManager database at the same time
and causing conflicts, the workspace function must be enabled.
When workspace mode is enabled, concurrent ADOM access is disabled. An administrator must lock the ADOM before
they can make device-level changes to it, and only one administrator can hold the lock at a time, while other
administrators have read-only access. Optionally, ADOM lock override can be enabled, allowing an administrator to
unlock an ADOM that is locked by another administrator. See Locking an ADOM on page 406.
When workspace is disabled, concurrent ADOM access is enabled, and multiple administrators can log in and make
changes to the same ADOM at the same time.
To enable workspace mode, and disable concurrent ADOM access:
1. Enter the following CLI commands:
config system global
set workspace-mode normal
end
To disable workspace mode, and enable concurrent ADOM access:
1. Enter the following CLI commands:
config system global
set workspace-mode disabled
Warning: disabling workspaces may cause some logged in users to lose their unsaved data.
Do you want to continue? (y/n) y
end
After changing the workspace mode, your session will end and you will be required to log back in
to the FortiManager.
Locking an ADOM
If workspace is enabled, you must lock an ADOM prior to performing device-level changes to it. If you are making
changes at the ADOM level, you can leave the ADOM unlocked and lock policy packages or objects independently.
The padlock icon, shown next to the ADOM name on the banner and in the All ADOMs list, will turn from gray to green
when you lock an ADOM. If it is red, it means that another administrator has locked the ADOM.
Optionally, ADOM lock override can be enabled, allowing an administrator to unlock an ADOM that has been locked by
another administrator and discard all of their unsaved changes.
To lock an ADOM:
- Ensure that you are in the specific ADOM that you will be editing (top right corner of the GUI), then select Lock
  from the banner.
- Or, go to System Settings > All ADOMs, right-click on an ADOM, and select Lock from the right-click menu.
The ADOM will now be locked, allowing you to make changes to it and preventing other administrators from making
changes unless lock override is enabled. The lock icon will turn into a green locked padlock. For other administrators
To unlock an ADOM:
- Ensure you have saved any changes you may have made to the ADOM, then select Unlock ADOM from the banner.
- Or, go to System Settings > All ADOMs, right-click on an ADOM, and select Lock from the right-click menu.
If there are unsaved changes to the ADOM, a dialog box will give you the option of saving or discarding your changes
before unlocking the ADOM. The ADOM will now be unlocked, allowing any administrator to lock the ADOM and make
changes.
To enable or disable ADOM lock override:
Enter the following CLI commands:
config system global
set lock-prempt {enable | disable}
end
Upgrading an ADOM
To upgrade an ADOM, you must be logged in as a super user administrator.
An ADOM can only be upgraded after all the devices within the ADOM have been upgraded.
See ADOM versions on page 404 for more information.
To upgrade an ADOM:
1. Go to System Settings > All ADOMs.
2. Right-click on an ADOM and select Upgrade, or select an ADOM and then select More > Upgrade from the toolbar.
If the ADOM has already been upgraded to the latest version, this option will not be available.
3. Select OK in the confirmation dialog box to upgrade the device.
If not all of the devices within the ADOM have been upgraded, the upgrade will be aborted and an error message
will be shown. Upgrade the remaining devices within the ADOM, then return to step 1 to try upgrading the ADOM
again.
Certificates
The FortiManager generates a certificate request based on the information you entered to identify the FortiManager
unit. After you generate a certificate request, you can download the request to a management computer and then
forward the request to a CA.
Local certificates are issued for a specific server, or website. Generally they are very specific, and often for an internal
enterprise network.
CA root certificates are similar to local certificates, however they apply to a broader range of addresses or to an entire
company.
The CRL is a list of certificates that have been revoked and are no longer usable. This list includes expired, stolen, or
otherwise compromised certificates. If your certificate is on this list, it will not be accepted. CRLs are maintained by the
CA that issues the certificates and include the date and time when the next CRL will be issued, as well as a sequence
number to help ensure you have the most current versions.
Local certificates
The FortiManager unit generates a certificate request based on the information you enter to identify the FortiManager
unit. After you generate a certificate request, you can download the request to a computer that has management access
to the FortiManager unit and then forward the request to a CA.
The certificate window also enables you to export certificates for authentication, importing, and viewing.
The FortiManager has one default local certificate: Fortinet_Local.
You can manage local certificates from the System Settings > Certificates > Local Certificates page. Some options
are available in the toolbar and some are also available in the right-click menu.
Creating a local certificate
To create a certificate request:
1. Go to System Settings > Certificates > Local Certificates.
2. Click Create New in the toolbar. The Generate Certificate Signing Request pane opens.
3. Enter the following information as required, then click OK to save the certificate request:
Certificate Name: The name of the certificate.
Subject Information: Select the ID type from the dropdown list:
- Host IP: Select if the unit has a static IP address. Enter the public IP address of the unit in the Host IP field.
- Domain Name: Select if the unit has a dynamic IP address and subscribes to a dynamic DNS service. Enter the domain name of the unit in the Domain Name field.
- Email: Select to use an email address. Enter the email address in the Email Address field.
Optional Information
Organization Unit (OU): The name of the department. You can enter a series of OUs up to a maximum of 5. To add or remove an OU, use the plus (+) or minus (-) icons.
Organization (O): Legal name of the company or organization.
Locality (L): Name of the city or town where the device is installed.
State/Province (ST): Name of the state or province where the FortiGate unit is installed.
Country (C): Select the country where the unit is installed from the dropdown list.
E-mail Address (EA): Contact email address.
Subject Alternative Name: Optionally, enter one or more alternative names for which the certificate is also valid. Separate names with a comma. A name can be:
- e-mail address
- IP address
- URI
- DNS name (alternatives to the Common Name)
- directory name (alternatives to the Distinguished Name)
You must precede the name with the name type. Examples:
- IP:1.1.1.1
- email:test@fortinet.com
- email:my@other.address
- URI:http://my.url.here/
Key Type: The key type can be RSA or Elliptic Curve.
Key Size: Select the key size from the dropdown list: 512 Bit, 1024 Bit, 1536 Bit, or 2048 Bit. This option is only available when the key type is RSA.
Curve Name: Select the curve name from the dropdown list: secp256r1 (default), secp384r1, or secp521r1. This option is only available when the key type is Elliptic Curve.
Enrollment Method: The enrollment method is set to File Based.
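A pre-flight check for the request fields above, as an added example that is not Fortinet code: it validates the ID type, the RSA size or EC curve, the OU limit and the "type:value" Subject Alternative Name syntax, and flags the RSA sizes below 2048 bits that the dropdown still offers. The "DNS" and "dirName" prefixes for the DNS name and directory name entries are assumed, since the page gives no example for those two.

```python
"""Pre-flight check for a FortiManager local certificate request.
Added example, not Fortinet code. It validates the choices the Generate
Certificate Signing Request pane offers (ID type, RSA size or EC curve, at most
5 OUs, Subject Alternative Names written as 'type:value') and flags RSA sizes
below 2048 bits, which the dropdown still offers but a CA should not sign."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

RSA_SIZES = {512, 1024, 1536, 2048}                    # sizes in the Key Size dropdown
EC_CURVES = {"secp256r1", "secp384r1", "secp521r1"}    # curves in the Curve Name dropdown
# SAN prefixes from the page; 'DNS' and 'dirName' are the usual OpenSSL spellings
# for the DNS name and directory name entries (assumption, the page gives no example).
SAN_TYPES = {"IP", "email", "URI", "DNS", "dirName"}
MAX_OU = 5
MIN_SAFE_RSA_BITS = 2048


@dataclass
class CsrSpec:
    name: str
    id_type: str                 # "Host IP", "Domain Name" or "Email"
    id_value: str
    key_type: str                # "RSA" or "Elliptic Curve"
    key_size: Optional[int] = None
    curve: Optional[str] = None
    ou: List[str] = field(default_factory=list)
    san: str = ""                # comma-separated "type:value" entries


def parse_san(san: str) -> List[Tuple[str, str]]:
    """Split 'IP:1.1.1.1, email:a@b.c' into (type, value) pairs, validating each."""
    entries = []
    for raw in filter(None, (s.strip() for s in san.split(","))):
        if ":" not in raw:
            raise ValueError(f"SAN entry '{raw}' must be preceded by its name type")
        kind, value = raw.split(":", 1)
        if kind not in SAN_TYPES:
            raise ValueError(f"unknown SAN type '{kind}' in '{raw}'")
        if kind == "IP":
            ipaddress.ip_address(value)           # ValueError on a malformed address
        elif kind == "email" and not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", value):
            raise ValueError(f"malformed e-mail SAN '{value}'")
        elif kind == "DNS" and not re.fullmatch(r"[A-Za-z0-9*][A-Za-z0-9.-]*", value):
            raise ValueError(f"malformed DNS SAN '{value}'")
        entries.append((kind, value))
    return entries


def check_spec(spec: CsrSpec) -> List[str]:
    """Return the problems found; an empty list means the request is ready to submit."""
    problems = []
    if spec.id_type == "Host IP":
        try:
            ipaddress.ip_address(spec.id_value)
        except ValueError:
            problems.append(f"Host IP '{spec.id_value}' is not a valid IP address")
    elif spec.id_type not in ("Domain Name", "Email"):
        problems.append(f"unknown ID type '{spec.id_type}'")
    if spec.key_type == "RSA":
        if spec.key_size not in RSA_SIZES:
            problems.append(f"RSA key size {spec.key_size} is not offered by the pane")
        elif spec.key_size < MIN_SAFE_RSA_BITS:
            problems.append(f"RSA {spec.key_size}-bit keys are too weak; choose 2048 Bit")
    elif spec.key_type == "Elliptic Curve":
        if spec.curve not in EC_CURVES:
            problems.append(f"curve '{spec.curve}' is not offered by the pane")
    else:
        problems.append(f"unknown key type '{spec.key_type}'")
    if len(spec.ou) > MAX_OU:
        problems.append(f"{len(spec.ou)} OUs given; the maximum is {MAX_OU}")
    try:
        parse_san(spec.san)
    except ValueError as exc:
        problems.append(str(exc))
    return problems
```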
Importing local certificates
To import a local certificate:
1. Go to System Settings > Certificates > Local Certificates.
2. Click Import in the toolbar or right-click and select Import. The Import dialog box opens.
3. Enter the following information as required, then click OK to import the local certificate:
Type: Select the certificate type from the dropdown list: Local Certificate, PKCS #12 Certificate, or Certificate.
Certificate File: Click Browse... and locate the certificate file on the management computer, or drag and drop the file onto the dialog box.
Key File: Click Browse... and locate the key file on the management computer, or drag and drop the file onto the dialog box. This option is only available when Type is Certificate.
Password: Enter the certificate password. This option is only available when Type is PKCS #12 Certificate or Certificate.
Certificate Name: Enter the certificate name. This option is only available when Type is PKCS #12 Certificate or Certificate.
Deleting local certificates
To delete a local certificate or certificates:
1. Go to System Settings > Certificates > Local Certificates.
2. Select the certificate or certificates you need to delete.
3. Click Delete in the toolbar, or right-click and select Delete.
4. Click OK in the confirmation dialog box to delete the selected certificate or certificates.
Viewing details of local certificates
To view details of a local certificate:
1. Go to System Settings > Certificates > Local Certificates.
2. Select the certificates that you would like to see details about, then click View Certificate Detail in the toolbar or right-click menu. The View Local Certificate page opens.
3. Click OK to return to the local certificates list.
Downloading local certificates
To download a local certificate:
1. Go to System Settings > Certificates > Local Certificates.
2. Select the certificate that you need to download.
3. Click Download in the toolbar, or right-click and select Download, and save the certificate to the management computer.
CA certificates
The FortiManager has one default CA certificate, Fortinet_CA. In this sub-menu you can delete, import, view, and
download certificates.
Importing CA certificates
To import a CA certificate:
1. Go to System Settings > Certificates > CA Certificates.
2. Click Import in the toolbar, or right-click and select Import. The Import dialog box opens.
3. Click Browse... and locate the certificate file on the management computer, or drag and drop the file onto the dialog box.
4. Click OK to import the certificate.
Viewing CA certificate details
To view a CA certificate's details:
1. Go to System Settings > Certificates > CA Certificates.
2. Select the certificates you need to see details about.
3. Click View Certificate Detail in the toolbar, or right-click and select View Certificate Detail. The View CA Certificate page opens.
4. Click OK to return to the CA certificates list.
Downloading CA certificates
To download a CA certificate:
1. Go to System Settings > Certificates > CA Certificates.
2. Select the certificate you need to download.
3. Click Download in the toolbar, or right-click and select Download, and save the certificate to the management computer.
Deleting CA certificates
To delete a CA certificate or certificates:
1. Go to System Settings > Certificates > CA Certificates.
2. Select the certificate or certificates you need to delete.
3. Click Delete in the toolbar, or right-click and select Delete.
4. Click OK in the confirmation dialog box to delete the selected certificate or certificates.
The Fortinet_CA certificate cannot be deleted.
Certificate revocation lists
When you apply for a signed personal or group certificate to install on remote clients, you can obtain the corresponding
root certificate and Certificate Revocation List (CRL) from the issuing CA.
The CRL is a list of certificates that have been revoked and are no longer usable. This list includes expired, stolen, or
otherwise compromised certificates. If your certificate is on this list, it will not be accepted. CRLs are maintained by the
CA that issues the certificates and include the date and time when the next CRL will be issued, as well as a sequence
number to help ensure you have the most current version of the CRL.
When you receive the signed personal or group certificate, install the signed certificate on the remote client(s) according
to the browser documentation. Install the corresponding root certificate (and CRL) from the issuing CA on the
FortiManager unit according to the procedures given below.
Importing a CRL
To import a CRL:
1. Go to System Settings > Certificates > CRL.
2. Click Import in the toolbar, or right-click and select Import. The Import dialog box opens.
3. Click Browse... and locate the CRL file on the management computer, or drag and drop the file onto the dialog box.
4. Click OK to import the CRL.
Viewing a CRL
To view a CRL:
1. Go to System Settings > Certificates > CRL.
2. Select the CRL you need to see details about.
3. Click View Certificate Detail in the toolbar, or right-click and select View Certificate Detail. The Result page opens.
4. Click OK to return to the CRL list.
Deleting a CRL
To delete a CRL or CRLs:
1. Go to System Settings > Certificates > CRL.
2. Select the CRL or CRLs you need to delete.
3. Click Delete in the toolbar, or right-click and select Delete.
4. Click OK in the confirmation dialog box to delete the selected CRL or CRLs.
Fetcher Management
Log fetching is used to retrieve archived logs from one FortiManager device to another. This allows administrators to run
queries and reports against historic data, which can be useful for forensic analysis.
The fetching FortiManager can query the server FortiManager and retrieve the log data for a specified device and time
period, based on specified filters. The retrieved data are then indexed, and can be used for data analysis and reports.
Log fetching can only be done on two FortiManager devices running the same firmware. A FortiManager device can be
either the fetch server or the fetching client, and it can perform both roles at the same time with different FortiManager
devices. Only one log fetching session can be established at a time between two FortiManager devices.
The basic steps for fetching logs are:
1. On the client, create a fetching profile. See Fetching profiles on page 413.
2. On the client, send the fetch request to the server. See Fetch requests on page 414.
3. If this is the first time fetching logs with the selected profile, or if any changes have been made to the devices
and/or ADOMs since the last fetch, on the client, sync devices and ADOMs with the server. See Synchronizing
devices and ADOMs on page 416.
4. On the server, review the request, then either approve or reject it. See Request processing on page 416.
5. Monitor the fetch process on either FortiManager. See Fetch monitoring on page 417.
6. On the client, wait until the database is rebuilt before using the fetched data for analysis.
This pane is only available when the FortiAnalyzer features are manually enabled. For more
information, see FortiAnalyzer Features on page 22.
Fetching profiles
Fetching profiles can be managed from the Profiles tab on the System Settings > Fetcher Management pane.
Profiles can be created, edited, and deleted as required. The profile list shows the name of the profile, as well as the IP
address of the server it fetches from, the server and local ADOMs, and the administrator name on the fetch server.
To create a new fetching profile:
1. On the client, go to System Settings > Fetcher Management.
2. Select the Profiles tab, then click Create New in the toolbar, or right-click and select Create New from the menu. The Create New Profile dialog box opens.
3. Configure the following settings, then click OK to create the profile.
Name: Enter a name for the profile.
Server IP: Enter the IP address of the fetch server.
User: Enter the username of an administrator on the fetch server, which, together with the password, authenticates the fetch client's access to the fetch server.
Password: Enter the administrator's password, which, together with the username, authenticates the fetch client's access to the fetch server.
The fetch server administrator user name and password must be for an administrator with either a Standard_User or Super_User profile.
To edit a fetching profile:
1. Go to System Settings > Fetcher Management.
2. Double-click on a profile, right-click on a profile then select Edit, or select a profile then click Edit in the toolbar. The Edit Profile pane opens.
3. Edit the settings as required, then click OK to apply your changes.
To delete a fetching profile or profiles:
1. Go to System Settings > Fetcher Management.
2. Select the profile or profiles you need to delete.
3. Click Delete in the toolbar, or right-click and select Delete.
4. Click OK in the confirmation dialog box to delete the selected profile or profiles.
Fetch requests
A fetch request requests archived logs from the fetch server configured in the selected fetch profile. When making the
request, the ADOM on the fetch server the logs are fetched from must be specified. An ADOM on the fetching client
must be specified or, if needed, a new one can be created. If logs are being fetched to an existing local ADOM, you
must ensure the ADOM has enough disk space for the incoming logs.
The data policy for the local ADOM on the client must also support fetching logs from the specified time period. It must
keep both archive and analytics logs long enough so they will not be deleted in accordance with the policy. For example:
Today is July 1, the ADOM's data policy is configured to keep analytics logs for 30 days (June 1 - 30), and you need to
fetch logs from the first week of May. The data policy of the ADOM must be adjusted to keep analytics and archive logs
for at least 62 days to cover the entire time span. Otherwise, the fetched logs will be automatically deleted after they are
fetched.
To send a fetch request:
1. On the fetch client, go to System Settings > Fetcher Management and select the Profiles tab.
2. Select the profile then click Request Fetch in the toolbar, or right-click and select Request Fetch from the menu. The Fetch Logs dialog box opens.
3. Configure the following settings, then click Request Fetch.
The request is sent to the fetch server. The status of the request can be viewed in the Sessions tab.
Name: Displays the name of the fetch server you have specified.
Server IP: Displays the IP address of the server you have specified.
User: Displays the username of the server administrator you have provided.
Secure Connection: Select to use an SSL connection to transfer fetched logs from the server.
Server ADOM: Select the ADOM on the server the logs will be fetched from. Only one ADOM can be fetched from at a time.
Local ADOM: Select the ADOM on the client where the logs will be received. Either select an existing ADOM from the dropdown list, or create a new ADOM by entering a name for it into the field.
Devices: Add the devices and/or VDOMs that the logs will be fetched from. Up to 256 devices can be added. Click Select Device, select devices from the list, then click OK.
Enable Filters: Select to enable filters on the logs that will be fetched. Select All or Any of the Following Conditions in the Log messages that match field to control how the filters are applied to the logs. Add filters to the table by selecting the Log Field, Match Criteria, and Value for each filter.
Time Period: Specify what date and time range of log messages to fetch.
Index Fetch Logs: If selected, the fetched logs will be indexed in the SQL database of the client once they are received. Select this option unless you want to manually index the fetched logs.
Synchronizing devices and ADOMs
If this is the first time the fetching client is fetching logs from the device, or if any changes have been made to the devices or ADOMs since the last fetch, then the devices and ADOMs must be synchronized with the server.
To synchronize devices and ADOMs:
1. On the client, go to System Settings > Fetcher Management and select the Profiles tab.
2. Select the profile then click Sync Devices in the toolbar, or right-click and select Sync Devices from the menu.
The Sync Server ADOM(s) & Device(s) dialog box opens and shows the progress of the process.
Once the synchronization is complete, you can verify the changes on the client. For example, newly added devices
in the ADOM specified by the profile.
If a new ADOM is created, the new ADOM will mirror the disk space and data policy of the
corresponding server ADOM. If there is not enough space on the client, the client will create
an ADOM with the maximum allowed disk space and give a warning message. You can then
adjust disk space allocation as required.
Request processing
After a fetching client has made a fetch request, the request will be listed on the fetch server in the Received Request
section of the Sessions tab on the Fetcher Management pane. It will also be available from the notification center in
the GUI banner.
Fetch requests can be approved or rejected.
To process the fetch request:
1. Go to the notification center in the GUI banner and click the log fetcher request, or go to the Sessions tab on the
System Settings > Fetcher Management pane.
2. Find the request in the Received Request section. You may have to expand the section, or select Expand All in the content pane toolbar. The status of the request will be Waiting for approval.
3. Click Review to review the request. The Review Request dialog box will open.
4. Click Approve to approve the request, or click Reject to reject the request.
If you approve the request, the server will start to retrieve the requested logs in the background and send them to the client. If you reject the request, the request will be canceled and the request status will be listed as Rejected on both the client and the server.
Fetch monitoring
The progress of an approved fetch request can be monitored on both the fetching client and the fetch server.
Go to System Settings > Fetcher Management and select the Sessions tab to monitor the fetch progress. A fetch
session can be paused by clicking Pause, and resumed by clicking Resume. It can also be canceled by clicking Cancel.
Once the log fetching is completed, the status changes to Done and the request record can be deleted by clicking
Delete. The client will start to index the logs into the database.
It can take a long time for the client to finish indexing the fetched logs and make the analyzed
data available. A progress bar is shown in the GUI banner; for more information, click on it to
open the Rebuild Log Database dialog box.
Log and report features will not be fully available until the rebuilding process is complete.
Event Log
The Event Log pane provides an audit log of actions made by users on FortiManager. It allows you to view log
messages that are stored in memory or on the internal hard disk drive. You can use filters to search the messages and
download the messages to the management computer.
See the FortiManager Log Message Reference, available from the Fortinet Document Library, for more information about the log messages.
Go to System Settings > Event Log to view the local log list.
The following options are available:
Add Filter: Filter the event log list based on the log level, user, sub type, or message. See Event log filtering on page 419.
Last...: Select the amount of time to show from the available options, or select a custom time span or any time.
Download: Download the event logs in either CSV or the normal format to the management computer.
Raw Log / Formatted Log: Click Raw Log to view the logs in their raw state. Click Formatted Log to view them formatted in a table.
Historical Log: Click to view the historical logs list.
Back: Click the back icon to return to the regular view from the historical view.
View: View the selected log file. This option is also available from the right-click menu, or by double-clicking on the log file. This option is only available when viewing historical event logs.
Delete: Delete the selected log file. This option is also available from the right-click menu. This option is only available when viewing historical event logs.
Clear: Clear the selected file of logs. This option is also available from the right-click menu. This option is only available when viewing historical event logs.
Type: Select the type from the dropdown list:
- Event Log
- FDS Upload Log: Select the device from the dropdown list.
- FDS Download Log: Select the service (FDS, or FCT) from the Service dropdown list, select the event type (All Event, Push Update, Poll Update, or Manual Update) from the Event dropdown list, and then click Go to browse the logs.
This option is only available when viewing historical logs.
Search: Enter a search term to search the historical logs. This option is only available when viewing historical event logs.
Pagination: Browse the pages of logs and adjust the number of logs that are shown per page.
The following information is shown:
#: The log number.
Date Time: The date and time that the log file was generated.
Level: The log level: Debug, Information, Notification, Warning, Error, Critical, Alert, or Emergency.
User: The user that the log message relates to.
Sub Type: The log sub-type:
- System manager event
- FG-FM protocol event
- Device configuration event
- Global database event
- Script manager event
- Web portal event
- Firewall objects event
- Policy console event
- VPN console event
- Endpoint manager event
- Revision history event
- Deployment manager event
- Real-time monitor event
- Log and report manager event
- HA event
- Firmware manager event
- FortiGuard service event
- FortiClient manager event
- FortiMail manager event
- Debug I/O log event
- Configuration change event
- Device manager event
- Web service event
- FortiAnalyzer event
- Log daemon event
- FIPS-CC event
- Managed devices event
Description: A description of the event.
Message: Log message details.
Event log filtering
The event log can be filtered using the Add Filter box in the toolbar.
To filter the event log using the toolbar:
1. Specify filters in the Add Filter box.
- Regular Search: Click in the Add Filter box, select a filter from the dropdown list, then type a value. Click NOT to negate the filter value. You can add multiple filters at a time, and connect them with an "or".
- Advanced Search: Click the Switch to Advanced Search icon at the right end of the Add Filter box to switch to advanced search mode. In this mode, you type in the whole search criteria (log field names and values). Click the Switch to Regular Search icon to return to regular search.
2. Click Go to apply the filter.
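The filter semantics described for fetch requests (Log Field, Match Criteria and Value conditions combined with All or Any) and for the event log toolbar (field filters with NOT) can be run over raw log lines; the following is an added example, not Fortinet code. SAMPLE_LOG is constructed for this example in a key=value layout, and the real field names are those documented in the FortiManager Log Message Reference.

```python
"""Apply FortiManager-style log filters to raw event log lines.
Added example, not Fortinet code. It implements the filter semantics the GUI
exposes: (Log Field, Match Criteria, Value) conditions combined with All or Any,
plus the NOT toggle. SAMPLE_LOG is constructed for this example in a key=value
layout; the real field names are defined in the FortiManager Log Message Reference."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample lines; not real FortiManager output.
SAMPLE_LOG = """\
date=2024-06-28 time=09:14:02 level=notice user=admin subtype=system msg="Administrator admin logged in from GUI"
date=2024-06-28 time=09:15:40 level=warning user=unknown subtype=system msg="Login failed for user unknown"
date=2024-06-28 time=09:16:10 level=warning user=unknown subtype=system msg="Login failed for user unknown"
date=2024-06-28 time=09:20:33 level=information user=admin subtype="config change" msg="Policy package updated"
date=2024-06-28 time=09:21:01 level=notice user=ops subtype=system msg="ADOM lock acquired"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"


def parse_line(line: str) -> Dict[str, str]:
    """Turn one raw log line into a dict, stripping quotes from quoted values."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


@dataclass
class Condition:
    field: str            # Log Field
    criteria: str         # Match Criteria: "equals", "contains" or "matches" (regex)
    value: str            # Value
    negate: bool = False  # the NOT toggle

    def test(self, record: Dict[str, str]) -> bool:
        actual = record.get(self.field, "")
        if self.criteria == "equals":
            hit = actual.lower() == self.value.lower()
        elif self.criteria == "contains":
            hit = self.value.lower() in actual.lower()
        elif self.criteria == "matches":
            hit = re.search(self.value, actual, re.IGNORECASE) is not None
        else:
            raise ValueError(f"unknown match criteria {self.criteria!r}")
        return not hit if self.negate else hit


def filter_logs(raw: str, conditions: List[Condition], mode: str = "all") -> List[Dict[str, str]]:
    """Return the parsed records that satisfy All (AND) or Any (OR) of the conditions."""
    if mode not in ("all", "any"):
        raise ValueError("mode must be 'all' or 'any'")
    combine = all if mode == "all" else any
    records = (parse_line(line) for line in raw.splitlines() if line.strip())
    return [rec for rec in records if combine(cond.test(rec) for cond in conditions)]


def failed_logins_per_user(raw: str) -> Dict[str, int]:
    """Count warning-level login failures by user, a typical audit query."""
    conditions = [Condition("level", "equals", "warning"),
                  Condition("msg", "contains", "login failed")]
    counts: Dict[str, int] = {}
    for rec in filter_logs(raw, conditions, "all"):
        counts[rec["user"]] = counts.get(rec["user"], 0) + 1
    return counts
```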
Task Monitor
Using the task monitor, you can view the status of the tasks you have performed.
Go to System Settings > Task Monitor to view the task monitor. The task list size can also be configured; see
Advanced Settings on page 439.
The following options are available:
Delete: Remove the selected task or tasks from the list. This changes to Cancel Running Task(s) when View is Running.
View: Select which tasks to view from the dropdown list, based on their status. The available options are: Running, Pending, Done, Error, Cancelling, Cancelled, Aborting, Aborted, Warning, and All.
Expand Arrow: In the Source column, select the expand arrow icon to display the specific actions taken under this task. To filter the specific actions taken for a task, select one of the options on top of the action list. Select the history icon to view specific information on task progress. This can be useful when troubleshooting warnings and errors.
Group Error Devices: Select Group Error Devices to create a group of the failed devices, allowing for re-installations to easily be done on only the failed devices.
History: Click the history icon to view task details in a new window.
Pagination: Browse the pages of tasks and adjust the number of tasks shown per page.
The following information is available:
ID: The identification number for a task.
Source: The platform from where the task is performed. Click the expand arrow to view details of the specific task and access the history button.
Description: The nature of the task. Click the arrow to display the specific actions taken under this task.
User: The user or users who performed the tasks.
Status: The status of the task (hover over the icon to view the description):
- Done: Completed with success.
- Error: Completed without success.
- Canceled: User canceled the task.
- Canceling: User is canceling the task.
- Aborted: The FortiManager system stopped performing this task.
- Aborting: The FortiManager system is stopping performing this task.
- Running: Being processed. In this status, a percentage bar appears in the Status column.
- Pending
- Warning
Start Time: The time that the task was started.
ADOM: The ADOM associated with the task.
History: Click the history button to view task details.
SNMP
Enable the SNMP agent on the FortiManager device so it can send traps to and receive queries from the computer that is designated as its SNMP manager. This allows for monitoring the FortiManager with an SNMP manager.
SNMP has two parts: the SNMP agent that is sending traps, and the SNMP manager that monitors those traps. The SNMP communities on monitored FortiGate devices are hard coded and configured by the FortiManager system; they are not user configurable.
The FortiManager SNMP implementation is read-only: SNMP v1, v2c, and v3 compliant SNMP manager applications, such as those on your local computer, have read-only access to FortiManager system information and can receive FortiManager system traps.
SNMP agent
The SNMP agent sends SNMP traps originating on the FortiManager system to an external monitoring SNMP manager defined in an SNMP community. Typically an SNMP manager is an application on a local computer that can read the SNMP traps and generate reports or graphs from them.
The SNMP manager can monitor the FortiManager system to determine if it is operating properly, or if there are any critical events occurring. The description, location, and contact information for this FortiManager system will be part of the information an SNMP manager will have; this information is useful if the SNMP manager is monitoring many devices, and it will enable faster responses when the FortiManager system requires attention.
Go to System Settings > Advanced > SNMP to configure the SNMP agent.
The following information and options are available:
SNMP Agent: Select to enable the SNMP agent. When this is enabled, it sends FortiManager SNMP traps.
Description: Optionally, type a description of this FortiManager system to help uniquely identify this unit.
Location: Optionally, type the location of this FortiManager system to help find it in the event it requires attention.
Contact: Optionally, type the contact information for the person in charge of this FortiManager system.
SNMP v1/2c: The list of SNMP v1/v2c communities added to the FortiManager configuration.
- Create New: Select Create New to add a new SNMP community. If SNMP agent is not selected, this control will not be visible. For more information, see SNMP v1/v2c communities on page 423.
- Edit: Edit the selected SNMP community.
- Delete: Delete the selected SNMP community or communities.
- Community Name: The name of the SNMP community.
- Queries: The status of SNMP queries for each SNMP community. The enabled icon indicates that at least one query is enabled. The disabled icon indicates that all queries are disabled.
- Traps: The status of SNMP traps for each SNMP community. The enabled icon indicates that at least one trap is enabled. The disabled icon indicates that all traps are disabled.
- Enable: Enable or disable the SNMP community.
SNMP v3: The list of SNMPv3 users added to the configuration.
- Create New: Select Create New to add a new SNMP user. If SNMP agent is not selected, this control will not be visible. For more information, see SNMP v3 users on page 426.
- Edit: Edit the selected SNMP user.
- Delete: Delete the selected SNMP user or users.
- User Name: The user name for the SNMPv3 user.
- Security Level: The security level assigned to the SNMPv3 user.
- Notification Hosts: The notification host or hosts assigned to the SNMPv3 user.
- Queries: The status of SNMP queries for each SNMP user. The enabled icon indicates queries are enabled. The disabled icon indicates they are disabled.
SNMP v1/v2c communities
An SNMP community is a grouping of equipment for network administration purposes. You must configure your FortiManager to belong to at least one SNMP community so that community's SNMP managers can query the FortiManager system information and receive SNMP traps from it.
These SNMP communities do not refer to the FortiGate devices the FortiManager system is
managing.
Each community can have a different configuration for SNMP traps and can be configured to monitor different events.
You can add the IP addresses of up to eight hosts to each community. Hosts can receive SNMP device traps and
information.
To create a new SNMP community:
1. Go to System Settings > Advanced > SNMP and ensure the SNMP agent is enabled.
2. In the SNMP v1/v2c section, click Create New in the toolbar. The New SNMP Community pane opens.
3. Configure the following options, then click OK to create the community.
Name: Enter a name to identify the SNMP community. This name cannot be edited later.
Hosts: The list of hosts that can use the settings in this SNMP community to monitor the FortiManager system. When you create a new SNMP community, there are no host entries. Select Add to create a new entry that broadcasts the SNMP traps and information to the network connected to the specified interface.
- IP Address/Netmask: Enter the IP address and netmask of an SNMP manager. By default, the IP address is 0.0.0.0 so that any SNMP manager can use this SNMP community.
- Interface: Select the interface that connects to the network where this SNMP manager is located from the dropdown list. This must be done if the SNMP manager is on the Internet or behind a router.
- Delete: Click the delete icon to remove this SNMP manager entry.
- Add: Select to add another entry to the Hosts list. Up to eight SNMP manager entries can be added for a single community.
Queries: Enter the port number (161 by default) the FortiManager system uses to send v1 and v2c queries to the FortiManager in this community. Enable queries for each SNMP version that the FortiManager system uses.
Traps: Enter the Remote port number (162 by default) the FortiManager system uses to send v1 and v2c traps to the FortiManager in this community. Enable traps for each SNMP version that the FortiManager system uses.
SNMP Event: Enable the events that will cause SNMP traps to be sent to the community.
- Interface IP changed
- Log disk space low
- CPU Overuse
- Memory Low
- System Restart
- CPU usage exclude NICE threshold
- HA Failover
- RAID Event (only available for devices that support RAID)
- Power Supply Failed (only available on supported hardware devices)
- Fan Speed Out of Range
- Temperature Out of Range
- Voltage Out of Range
FortiAnalyzer feature set SNMP events:
- High licensed device quota
- High licensed log GB/day
- Log Alert
- Log Rate
- Data Rate
To edit an SNMP community:
1. Go to System Settings > Advanced > SNMP.
2. In the SNMP v1/v2c section, double-click on a community, right-click on a community then select Edit, or select a community then click Edit in the toolbar. The Edit SNMP Community pane opens.
3. Edit the settings as required, then click OK to apply your changes.
To delete an SNMP community or communities:
1. Go to System Settings > Advanced > SNMP.
2. In the SNMP v1/v2c section, select the community or communities you need to delete.
3. Click Delete in the toolbar, or right-click and select Delete.
4. Click OK in the confirmation dialog box to delete the selected community or communities.
SNMP v3 users
The FortiManager SNMP v3 implementation includes support for queries, traps, authentication, and privacy. SNMP v3
users can be created, edited, and deleted as required.
To create a new SNMP user:
1. Go to System Settings > Advanced > SNMP and ensure the SNMP agent is enabled.
2. In the SNMP v3 section, click Create New in the toolbar. The New SNMP User pane opens.
3. Configure the following options, then click OK to create the user.
User Name The name of the SNMP v3 user.
Security Level The security level of the user. Select one of the following:
l No Authentication, No Privacy
l Authentication, No Privacy: Select the Authentication Algorithm (SHA1, MD5) and enter the password.
l Authentication, Privacy: Select the Authentication Algorithm (SHA1, MD5), the Private Algorithm (AES, DES), and enter the passwords.
Queries Select to enable queries then enter the port number. The default port is 161.
Notification Hosts The IP address or addresses of the host. Click the add icon to add multiple IP addresses.
SNMP Event Enable the events that will cause SNMP traps to be sent to the SNMP manager.
l Interface IP changed
l Log disk space low
l CPU Overuse
l Memory Low
l System Restart
l CPU usage exclude NICE threshold
l HA Failover
l RAID Event (only available for devices that support RAID)
l Power Supply Failed (only available on supported hardware devices)
l Fan Speed Out of Range
l Temperature Out of Range
l Voltage Out of Range
FortiAnalyzer feature set SNMP events:
l High licensed device quota
l High licensed log GB/day
l Log Alert
l Log Rate
l Data Rate
To edit an SNMP user:
1. Go to System Settings > Advanced > SNMP.
2. In the SNMP v3 section, double-click on a user, right-click on a user then select Edit, or select a user then click Edit in the toolbar. The Edit SNMP User pane opens.
3. Edit the settings as required, then click OK to apply your changes.
To delete an SNMP user or users:
1. Go to System Settings > Advanced > SNMP.
2. In the SNMP v3 section, select the user or users you need to delete.
3. Click Delete in the toolbar, or right-click and select Delete.
4. Click OK in the confirmation dialog box to delete the selected user or users.
SNMP MIBs
The Fortinet and FortiManager MIBs, along with the two RFC MIBs, can be obtained from Customer Service & Support (https://support.fortinet.com). You can download the FORTINET-FORTIMANAGER-FORTIANALYZER-MIB.mib MIB file in the firmware image file folder. The FORTINET-CORE-MIB.mib file is located in the main FortiManager 5.00 file folder.
RFC support for SNMP v3 includes Architecture for SNMP Frameworks (RFC 3411), and partial support of User-based
Security Model (RFC 3414).
To be able to communicate with the SNMP agent, you must include all of these MIBs in your SNMP manager. Generally your SNMP manager will be an application on your local computer. Your SNMP manager might already include standard and private MIBs in a compiled database that is ready to use. You must add the Fortinet and FortiManager proprietary MIBs to this database.
MIB file name or RFC Description
FORTINET-CORE-MIB.mib The proprietary Fortinet MIB includes all system configuration information and trap information that is common to all Fortinet products. Your SNMP manager requires this information to monitor Fortinet unit configuration settings and receive traps from the Fortinet SNMP agent.
FORTINET-FORTIMANAGER-MIB.mib The proprietary FortiManager MIB includes system information and trap information for FortiManager units.
RFC-1213 (MIB II) The Fortinet SNMP agent supports MIB II groups with the following exceptions.
l No support for the EGP group from MIB II (RFC 1213, section 3.11 and 6.10).
l Protocol statistics returned for MIB II groups (IP/ICMP/TCP/UDP/etc.) do not accurately capture all Fortinet traffic activity. More accurate information can be obtained from the information reported by the Fortinet MIB.
RFC-2665 (Ethernet-like MIB) The Fortinet SNMP agent supports Ethernet-like MIB information with the following exception.
No support for the dot3Tests and dot3Errors groups.
SNMP traps
Fortinet devices share SNMP traps, but each type of device also has traps specific to that device type. For example, FortiManager units have FortiManager-specific SNMP traps. To receive Fortinet device SNMP traps, you must load and compile the FORTINET-CORE-MIB into your SNMP manager.
Traps sent include the trap message as well as the unit serial number (fnSysSerial) and host name (sysName). The Trap Message column includes the message that is included with the trap, as well as the SNMP MIB field name to help locate the information about the trap.
Trap message Description
ColdStart, WarmStart, LinkUp, LinkDown Standard traps as described in RFC 1215.
CPU usage high (fnTrapCpuThreshold) CPU usage exceeds the set percent. This threshold can be set in the CLI using the following commands:
config system snmp sysinfo
set trap-high-cpu-threshold
end
CPU usage excluding NICE processes (fmSysCpuUsageExcludedNice) CPU usage excluding NICE processes exceeds the set percentage. This threshold can be set in the CLI using the following commands:
config system snmp sysinfo
set trap-cpu-high-exclude-nice-threshold
end
Memory low (fnTrapMemThreshold) Memory usage exceeds 90 percent. This threshold can be set in the CLI using the following commands:
config system snmp sysinfo
set trap-low-memory-threshold
end
Log disk too full (fnTrapLogDiskThreshold) Log disk usage has exceeded the configured threshold. Only available on devices with log disks.
Temperature too high (fnTrapTempHigh) A temperature sensor on the device has exceeded its threshold. Not all devices have thermal sensors. See manual for specifications.
Voltage outside acceptable range (fnTrapVoltageOutOfRange) Power levels have fluctuated outside of normal levels. Not all devices have voltage monitoring instrumentation.
Power supply failure (fnTrapPowerSupplyFailure) Power supply failure detected. Available on some devices that support redundant power supplies.
Interface IP change (fnTrapIpChange) The IP address for an interface has changed. The trap message includes the name of the interface, the new IP address and the serial number of the Fortinet unit. You can use this trap to track interface IP address changes for interfaces with dynamic IP addresses set using DHCP or PPPoE.
HA switch (fmTrapHASwitch) FortiManager HA cluster has been re-arranged. A new master has been selected and asserted.
Fortinet & FortiManager MIB fields
The Fortinet MIB contains fields reporting current Fortinet unit status information. The tables below list the names of the MIB fields and describe the status information available for each one. You can view more details about the information available from all Fortinet MIB fields by compiling the fortinet.3.00.mib file into your SNMP manager and browsing the Fortinet MIB fields.
System MIB fields:
MIB field Description
fnSysSerial Fortinet unit serial number.
Administrator accounts:
MIB field Description
fnAdminNumber The number of administrators on the Fortinet unit.
fnAdminTable Table of administrators.
fnAdminIndex Administrator account index number.
fnAdminName The user name of the administrator account.
fnAdminAddr An address of a trusted host or subnet from which this administrator account can be used.
fnAdminMask The netmask for fnAdminAddr.
Custom messages:
MIB field Description
fnMessages The number of custom messages on the Fortinet unit.
MIB fields and traps
MIB field Description
fmModel A table of all FortiManager models.
fmTrapHASwitch The FortiManager HA cluster has been re-arranged. A new master has been
selected and asserted.
Mail Server
A mail server allows the FortiManager to send email messages, such as notifications when reports are run or specific events occur. Mail servers can be added, edited, deleted, and tested.
Go to System Settings > Advanced > Mail Server to configure SMTP mail server settings.
If an existing mail server is in use, the delete icon is removed and the mail server entry cannot be deleted.
To add a mail server:
1. Go to System Settings > Advanced > Mail Server.
2. Click Create New in the toolbar. The Create New Mail Server Settings pane opens.
3. Configure the following settings and then select OK to create the mail server.
SMTP Server Name Enter a name for the SMTP server.
Mail Server Enter the mail server information.
SMTP Server Port Enter the SMTP server port number. The default port is 25.
Enable Authentication Select to enable authentication.
Email Account Enter an email account. This option is only accessible when authentication is
enabled.
Password Enter the email account password. This option is only accessible when
authentication is enabled.
To edit a mail server:
1. Go to System Settings > Advanced > Mail Server.
2. Double-click on a server, right-click on a server and then select Edit from the menu, or select a server then click Edit in the toolbar. The Edit Mail Server Settings pane opens.
3. Edit the settings as required, and then click OK to apply the changes.
To test the mail server:
1. Go to System Settings > Advanced > Mail Server.
2. Select the server you need to test.
3. Click Test from the toolbar, or right-click and select Test.
4. Type the email address you would like to send a test email to and click OK. A confirmation or failure message will be displayed.
5. Click OK to close the confirmation dialog box.
To delete a mail server or servers:
1. Go to System Settings > Advanced > Mail Server.
2. Select the server or servers you need to delete.
3. Click Delete in the toolbar, or right-click and select Delete.
4. Click OK in the confirmation box to delete the server.
Syslog Server
Go to System Settings > Advanced > Syslog Server to configure syslog server settings. Syslog servers can be added,
edited, deleted, and tested.
If an existing syslog server is in use, the delete icon is removed and the server entry cannot be
deleted.
To add a syslog server:
1. Go to System Settings > Advanced > Syslog Server.
2. Click Create New in the toolbar. The Create New Syslog Server Settings pane opens.
3. Configure the following settings and then select OK to create the syslog server.
Name Enter a name for the syslog server.
IP address (or FQDN) Enter the IP address or FQDN of the syslog server.
Syslog Server Port Enter the syslog server port number. The default port is 514.
To edit a syslog server:
1. Go to System Settings > Advanced > Syslog Server.
2. Double-click on a server, right-click on a server and then select Edit from the menu, or select a server then click Edit in the toolbar. The Edit Syslog Server Settings pane opens.
3. Edit the settings as required, and then click OK to apply the changes.
To test the syslog server:
1. Go to System Settings > Advanced > Syslog Server.
2. Select the server you need to test.
3. Click Test from the toolbar, or right-click and select Test.
A confirmation or failure message will be displayed.
To delete a syslog server or servers:
1. Go to System Settings > Advanced > Syslog Server.
2. Select the server or servers you need to delete.
3. Click Delete in the toolbar, or right-click and select Delete.
4. Click OK in the confirmation box to delete the server or servers.
Meta Fields
Meta fields allow administrators to add extra information when configuring, adding, or maintaining FortiGate units or
adding new administrators. You can make the fields mandatory or optional, and set the length of the field.
With the fields set as mandatory, administrators must supply additional information when they create a new FortiGate
object, such as an administrator account or firewall policy. Fields for this new information are added to the FortiGate
unit dialog boxes in the locations where you create these objects. You can also provide fields for optional additional
information.
The one exception to this is the System Administrators object. This object applies only to administrators on the
FortiManager unit. All other objects are related to FortiGate units.
Go to System Settings > Advanced > Meta Fields to configure meta fields. Meta fields can be added, edited, and
deleted.
Select Expand All or Contract All from the toolbar or right-click menu to view all of or none of the meta fields under each object.
To create a new meta field:
1. Go to System Settings > Advanced > Meta Fields.
2. Click Create New in the toolbar. The Create New Meta Field pane opens.
3. Configure the following settings and then select OK to create the meta field.
Object The object this metadata field applies to: System Administrators, Devices,
Device Groups, Chassis, Administrative Domain, Firewall Addresses,
Firewall Address Groups, Firewall Services, Firewall Service Groups, or
Firewall Policy.
Name Enter the label to use for the field.
Length Select the maximum number of characters allowed for the field from the
dropdown list: 20, 50, or 255.
Importance Select Required to make the field compulsory, otherwise select Optional.
Status Select Disabled to disable this field. The default selection is Enabled.
This field is only available for non-firewall objects.
To edit a meta field:
1. Go to System Settings > Advanced > Meta Fields.
2. Double-click on a field, right-click on a field and then select Edit from the menu, or select a field then click Edit in the toolbar. The Edit Meta Fields pane opens.
3. Edit the settings as required, and then click OK to apply the changes.
The Object and Name fields cannot be edited.
To delete a meta field or fields:
1. Go to System Settings > Advanced > Meta Fields.
2. Select the field or fields you need to delete.
3. Click Delete in the toolbar, or right-click and select Delete.
4. Click OK in the confirmation box to delete the field or fields.
The default meta fields cannot be deleted.
Device logs
The FortiManager allows you to log system events to disk. You can control device log file size and the use of the
FortiManager unit’s disk space by configuring log rolling and scheduled uploads to a server.
As the FortiManager unit receives new log items, it performs the following tasks:
l Verifies whether the log file has exceeded its file size limit.
l Checks to see if it is time to roll the log file if the file size is not exceeded.
When a current log file (tlog.log) reaches its maximum size, or reaches the scheduled time, the FortiManager unit
rolls the active log file by renaming the file. The file name will be in the form of xlog.N.log (for example,
tlog.1252929496.log), where x is a letter indicating the log type and N is a unique number corresponding to the
time the first log entry was received. The file modification time will match the time when the last log was received in the
log file.
Once the current log file is rolled into a numbered log file, it will not be changed. New logs will be stored in the new
current log called tlog.log. If log uploading is enabled, once logs are uploaded to the remote server or downloaded
via the GUI, they are in the following format:
FG3K6A3406600001-tlog.1252929496.log-2017-09-29-08-03-54.gz
If you have enabled log uploading, you can choose to automatically delete the rolled log file after uploading, thereby
freeing the amount of disk space used by rolled log files. If the log upload fails, such as when the FTP server is
unavailable, the logs are uploaded during the next scheduled upload.
Log rolling and uploading can be enabled and configured using the GUI or CLI.
This pane is only available when the FortiAnalyzer features are manually enabled. For more
information, see FortiAnalyzer Features on page 22.
Configuring rolling and uploading of logs using the GUI
Go to System Settings > Advanced > Device Log Setting to configure device log settings.
Configure the following settings, and then select Apply:
Registered Device Logs
Roll log file when size exceeds Enter the log file size, from 10 to 500MB. Default: 200MB.
Roll log files at scheduled time Select to roll logs daily or weekly.
l Daily: select the hour and minute value in the dropdown lists.
l Weekly: select the day, hour, and minute value in the dropdown lists.
Upload logs using a standard file transfer protocol Select to upload logs and configure the following settings.
Upload Server Type Select one of FTP, SFTP, or SCP.
Upload Server IP Enter the IP address of the upload server.
User Name Enter the username used to connect to the upload server.
Password Enter the password used to connect to the upload server.
Remote Directory Enter the remote directory on the upload server where the log will be uploaded.
Upload Log Files Select to upload log files when they are rolled according to settings selected under Roll Logs, or daily at a specific hour.
Upload rolled files in gzip file format Select to gzip the logs before uploading. This will result in smaller logs and faster upload times.
Delete files after uploading Select to remove device log files from the FortiManager system after they have been uploaded to the Upload Server.
Local Device Log
Send the local event logs to FortiAnalyzer / FortiManager Select to send local event logs to another FortiAnalyzer or FortiManager device.
IP Address Enter the IP address of the FortiAnalyzer or FortiManager.
Upload Option Select to upload logs in real time or at a scheduled time. When selecting a scheduled time, you can specify the hour and minute to upload logs each day.
Severity Level Select the minimum log severity level from the dropdown list. This option is only available when Upload Option is Realtime.
Reliable log transmission Select to use reliable log transmission.
Secure connection Select to use a secure connection for log transmission. This option is only available when Reliable log transmission is selected.
Configuring rolling and uploading of logs using the CLI
Log rolling and uploading can be enabled and configured using the CLI. For more information, see the FortiManager
CLI Reference.
Enable or disable log file uploads
Use the following CLI commands to enable or disable log file uploads.
To enable log uploads:
config system log settings
config rolling-regular
set upload enable
end
To disable log uploads:
config system log settings
config rolling-regular
set upload disable
end
Roll logs when they reach a specific size
Use the following CLI commands to specify the size, in MB, at which a log file is rolled.
To roll logs when they reach a specific size:
config system log settings
config rolling-regular
set file-size
end
Roll logs on a schedule
Use the following CLI commands to configure rolling logs on a set schedule, or never.
To disable log rolling:
config system log settings
config rolling-regular
set when none
end
To enable daily log rolling:
config system log settings
config rolling-regular
set upload enable
set when daily
set hour
set min
end
To enable weekly log rolling:
config system log settings
config rolling-regular
set when weekly
set days {mon | tue | wed | thu | fri | sat | sun}
set hour
set min
end
File Management
FortiManager allows you to configure automatic deletion of device log files, quarantined files, reports, and content
archive files after a set period of time.
Go to System Settings > Advanced > File Management to configure file management settings.
Configure the following settings, and then select Apply:
Device log files older than Select to enable automatic deletion of compressed log files. Enter a value in the text field, select the time period (Days, Weeks, or Months), and choose a time of day.
Reports older than Select to enable automatic deletion of reports of data from compressed log files. Enter a value in the text field, select the time period, and choose a time of day.
Content archive files older than Select to enable automatic deletion of IPS and DP archives from Archive logs. Enter a value in the text field, select the time period, and choose a time of day.
Quarantined files older than Select to enable automatic deletion of compressed log files of quarantined files. Enter a value in the text field, select the time period, and choose a time of day.
The time period you select determines how often the item is checked. If you select Months, then the item is checked once per month. If you select Weeks, then the item is checked once per week, and so on. For example, if you specify Device log files older than 3 Months, then on July 1, the logs for April, May, and June are kept and the logs for March and older are deleted.
This pane is only available when the FortiAnalyzer features are manually enabled. For more
information, see FortiAnalyzer Features on page 22.
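As an added example (not Fortinet's code or part of this guide), the following Python parses the rolled-log archive names described under Device logs (serial-xlog.N.log-timestamp.gz) and applies the month-based retention rule from the File Management example above. The archive names and retention settings are constructed, and the number N is interpreted as a Unix epoch in UTC.

```python
"""Added example: parse rolled-log archive names and apply the
"Device log files older than N Months" retention check.
Archive name pattern from the guide:
    <serial>-<x>log.<N>.log-<YYYY-MM-DD-HH-MM-SS>.gz
where x is the log type letter and N is the time (epoch) the first
entry was received.  Sample names below are constructed."""
import re
from datetime import datetime, timezone

ARCHIVE_RE = re.compile(
    r"^(?P<serial>[A-Z0-9]+)-(?P<logtype>[a-z])log\.(?P<first>\d+)\.log-"
    r"(?P<uploaded>\d{4}-\d{2}-\d{2}-\d{2}-\d{2}-\d{2})\.gz$"
)


def parse_archive_name(name):
    """Return a dict describing one rolled/uploaded archive, or None when
    the name does not follow the documented pattern."""
    m = ARCHIVE_RE.match(name)
    if not m:
        return None
    return {
        "serial": m.group("serial"),
        "logtype": m.group("logtype"),  # 't' for tlog.N.log
        # N: time the first log entry was received (assumed UTC epoch)
        "first_entry": datetime.fromtimestamp(int(m.group("first")), tz=timezone.utc),
        # trailing timestamp added when the file was uploaded/downloaded
        "uploaded": datetime.strptime(m.group("uploaded"), "%Y-%m-%d-%H-%M-%S")
        .replace(tzinfo=timezone.utc),
    }


def retention_cutoff(check_year, check_month, months):
    """First day of the oldest month that is still kept.  Checked on
    July 1 with a 3-month setting, the cutoff is April 1: April, May and
    June are kept, March and earlier are deleted (the guide's example)."""
    year, month = check_year, check_month - months
    while month < 1:  # wrap across the year boundary
        month += 12
        year -= 1
    return datetime(year, month, 1, tzinfo=timezone.utc)


def expired_archives(names, check_year, check_month, months):
    """Names of archives whose first entry falls before the cutoff."""
    cutoff = retention_cutoff(check_year, check_month, months)
    expired = []
    for name in names:
        info = parse_archive_name(name)
        if info is None:
            continue  # unknown file: never select it for deletion
        if info["first_entry"] < cutoff:
            expired.append(name)
    return expired


# Constructed sample archive names (serial and epochs are made up)
SAMPLE_ARCHIVES = [
    "FG3K6A3406600001-tlog.1490000000.log-2017-03-21-00-00-00.gz",  # Mar 2017
    "FG3K6A3406600001-tlog.1491100000.log-2017-04-03-00-00-00.gz",  # Apr 2017
    "notes.txt",
]

if __name__ == "__main__":
    for n in SAMPLE_ARCHIVES:
        print(n, parse_archive_name(n))
    # Checked on July 1, 2017 with "older than 3 Months"
    print("to delete:", expired_archives(SAMPLE_ARCHIVES, 2017, 7, 3))
```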
Advanced Settings
Go to System Settings > Advanced > Advanced Settings to view and configure advanced settings and download
WSDL files.
Configure the following settings and then select Apply:
Offline Mode Enabling Offline Mode shuts down the protocol used to communicate with managed devices. This allows you to configure, or troubleshoot, the FortiManager without affecting managed devices. The FortiManager cannot automatically connect to a FortiGate if offline mode is enabled.
ADOM Mode Select the ADOM mode, either Normal or Advanced. Advanced mode will allow you to assign a VDOM from a single device to a different ADOM, but will result in more complicated management scenarios. It is recommended only for advanced users.
Download WSDL file Select the required WSDL functions then click the Download button to download the WSDL file to your management computer. When selecting Legacy Operations, no other options can be selected.
Web services is a standards-based, platform independent, access method for other hardware and software APIs. The file itself defines the format of commands the FortiManager will accept as well as the responses to expect. Using the WSDL file, third-party or custom applications can communicate with the FortiManager unit and operate it or retrieve information, just as an administrator can from the GUI or CLI.
Chassis Management Enable chassis management, then enter the chassis update interval, from 4 to 1440 minutes. Default: 15 minutes.
Configuration Changes Received from FortiGate Select to either automatically accept changes (default) or to prompt the administrator to accept the changes.
Task List Size Set a limit on the size of the task list. Default: 2000.
Verify Installation Select to preview the installation before proceeding.
Allow Install Interface Policy Only Select to manage and install only interface based policies, instead of all device and policy configuration.
Policy Hit Count Enable or disable policy hit counting.
Display Policy & Objects in Dual Pane Enable to display both the Policy Packages and Object Configurations tabs on a single pane in the Policy & Objects module. See Display options on page 154.
Display Device/Group tree view in Device Manager Enable to display devices and groups within a single tree menu and include Add Device and Install Wizard commands in the right click menu.
The System Settings > Admin menu enables you to configure administrator accounts, access profiles, remote authentication servers, and adjust global administrative settings for the FortiManager unit.
Administrator accounts are used to control access to the FortiManager unit. Local and remote authentication is supported, as well as two-factor authentication. Administrator profiles define different types of administrators and the level of access they have to the FortiManager unit, as well as the devices registered to it.
If you use ServiceNow apps for FortiManager, we recommend creating an account to use for integration with the app. This account does not need to be a Super_User account and you don't need to set trusted hosts for this account.
Global administration settings, such as the GUI language and password policies, can be configured on the Admin Settings pane. See Global administration settings on page 467 for more information.
In workflow mode, approval matrices can be created and managed on the Approval Matrix pane. See Workflow approval on page 363 for more information.
This section contains the following topics:
l Trusted hosts on page 440
l Monitoring administrators on page 441
l Disconnecting administrators on page 441
l Managing administrator accounts on page 441
l Administrator profiles on page 453
l Authentication on page 460
l Global administration settings on page 467
l Two-factor authentication on page 471
Trusted hosts
Setting trusted hosts for all of your administrators increases the security of your network by further restricting
administrative permissions. In addition to knowing the password, an administrator must connect only through the
subnet or subnets you specify. You can even restrict an administrator to a single IP address if you define only one
trusted host IP address with a netmask of 255.255.255.255.
When you set trusted hosts for all administrators, the FortiManager unit does not respond to administrative access
attempts from any other hosts. This provides the highest security. If you leave even one administrator unrestricted, the
unit accepts administrative access attempts on any interface that has administrative access enabled, potentially
exposing the unit to attempts to gain unauthorized access.
The trusted hosts you define apply to both the GUI and to the CLI when accessed through SSH. CLI access through the
console connector is not affected.
If you set trusted hosts and want to use the Console Access feature of the GUI, you must also
set 127.0.0.1/255.255.255.255 as a trusted host.
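An added example, not part of this guide or Fortinet's code: a small Python audit of administrator trusted-host lists that reports administrators left unrestricted (which, as described above, makes the unit accept admin access attempts from any host) and administrators whose list lacks the 127.0.0.1/255.255.255.255 entry needed for Console Access. The administrator records are constructed sample data, and the convention that an empty list or a 0.0.0.0/0.0.0.0 entry means "unrestricted" is an assumption made for the example.

```python
"""Added example: audit administrator trusted-host settings.
Each administrator carries a list of "address/netmask" trusted hosts in
the form the GUI uses.  Assumption for this example: an empty list or a
0.0.0.0/0.0.0.0 entry means the administrator is unrestricted."""
import ipaddress

# Entry the guide says must be trusted for the GUI Console Access feature
CONSOLE_ACCESS_HOST = "127.0.0.1/255.255.255.255"


def to_network(trusted_host):
    """'10.1.2.0/255.255.255.0' -> IPv4Network (netmask form is accepted)."""
    return ipaddress.ip_network(trusted_host, strict=False)


def is_unrestricted(trusted_hosts):
    """True when the list does not limit the source address at all."""
    if not trusted_hosts:
        return True
    return any(to_network(h).prefixlen == 0 for h in trusted_hosts)


def source_allowed(trusted_hosts, source_ip):
    """Would a GUI or SSH login from source_ip pass the trusted-host check?
    A single host with netmask 255.255.255.255 pins the admin to one IP."""
    if is_unrestricted(trusted_hosts):
        return True
    addr = ipaddress.ip_address(source_ip)
    return any(addr in to_network(h) for h in trusted_hosts)


def unit_exposed(admins):
    """The guide's warning: one unrestricted administrator is enough for the
    unit to accept admin access attempts on every admin-enabled interface."""
    return any(is_unrestricted(hosts) for hosts in admins.values())


def audit(admins):
    """Per-administrator findings; an empty list means nothing to report."""
    findings = {}
    for name, hosts in admins.items():
        issues = []
        if is_unrestricted(hosts):
            issues.append("unrestricted: admin access accepted from any host")
        elif to_network(CONSOLE_ACCESS_HOST) not in [to_network(h) for h in hosts]:
            issues.append("GUI Console Access needs 127.0.0.1/255.255.255.255 trusted")
        findings[name] = issues
    return findings


# Constructed sample data: three administrators and their trusted hosts
SAMPLE_ADMINS = {
    "admin": [],                                        # left unrestricted
    "netops": ["10.1.2.0/255.255.255.0", CONSOLE_ACCESS_HOST],
    "auditor": ["192.0.2.10/255.255.255.255"],          # pinned to one IP
}

if __name__ == "__main__":
    for who, issues in audit(SAMPLE_ADMINS).items():
        print(who, issues or "ok")
    print("unit accepts admin access from any host:", unit_exposed(SAMPLE_ADMINS))
```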
Monitoring administrators
The Admin Session List lets you view a list of administrators currently logged in to the FortiManager unit.
To view logged in administrators:
1. Go to System Settings > Dashboard.
2. In the System Information widget, in the Current Administrators field, click the Current Session List button. The Admin Session List opens in the widget.
The following information is available:
User Name The name of the administrator account. Your session is indicated by (current).
IP Address The IP address where the administrator is logging in from. This field also displays the
logon type (GUI, jsconsole, SSH, or telnet).
Start Time The date and time the administrator logged in.
Time Out (mins) The maximum duration of the session in minutes (1 to 480 minutes).
Disconnecting administrators
Administrators can be disconnected from the FortiManager unit from the Admin Session List.
To disconnect administrators:
1. Go to System Settings > Dashboard.
2. In the System Information widget, in the Current Administrators field, click the Current Session List button. The Admin Session List opens in the widget.
3. Select the administrator or administrators you need to disconnect.
4. Click Delete in the toolbar, or right-click and select Delete.
The selected administrators will be automatically disconnected from the FortiManager device.
Managing administrator accounts
Go to System Settings > Admin > Administrator to view the list of administrators and manage administrator accounts.
Only administrators with the Super_User profile can see the complete administrators list. If you do not have certain
viewing permissions, you will not see the administrator list. When ADOMs are enabled, administrators can only access
the ADOMs they have permission to access.
The following options are available:
Create New Create a new administrator. See Creating administrators on page 443.
Edit Edit the selected administrator. See Editing administrators on page 446.
Clone Clone the selected administrator.
Delete Delete the selected administrator or administrators. See Deleting administrators
on page 446.
Table View/Tile View Change the view of the administrator list.
Table view shows a list of the administrators in a table format. Tile view shows a
separate card for each administrator in a grid pattern.
Column Settings Change the displayed columns.
Search Search the administrators.
Change Password Change the selected administrator's password. This option is only available from the right-click menu. See Editing administrators on page 446.
The following information is shown:
Seq.# The sequence number.
Name The name the administrator uses to log in.
Type The user type, as well as if the administrator uses a wildcard.
Profile The profile applied to the administrator. See Administrator profiles on page 453.
ADOMs The ADOMs the administrator has access to or is excluded from.
Policy Packages The policy packages the administrator can access.
Comments Comments about the administrator account. This column is hidden by default.
Trusted IPv4 Hosts The IPv4 trusted host(s) associated with the administrator. See Trusted hosts on
page 440.
Trusted IPv6 Hosts The IPv6 trusted host(s) associated with the administrator. See Trusted hosts on
page 440. This column is hidden by default.
Contact Email The contact email associated with the administrator. This column is hidden by
default.
Contact Phone The contact phone number associated with the administrator. This column is
hidden by default.
Creating administrators
To create a new administrator account, you must be logged in to an account with sufficient privileges, or as a super user
administrator.
You need the following information to create an account:
- Which authentication method the administrator will use to log in to the FortiManager unit. Local, remote, and Public Key Infrastructure (PKI) authentication methods are supported.
- What administrator profile the account will be assigned, or what system privileges the account requires.
- If ADOMs are enabled, which ADOMs the administrator will require access to.
- If using trusted hosts, the trusted host addresses and network masks.
For remote or PKI authentication, the authentication must be configured before you create
the administrator. See Authentication on page 460 for details.
To create a new administrator:
1. Go to System Settings > Admin > Administrators.
2. In the toolbar, click Create New to display the New Administrator pane.
3. Configure the following settings, and then click OK to create the new administrator.
User Name: Enter the name the administrator will use to log in.
Avatar: Apply a custom image to the administrator. Click Add Photo to select an image already loaded to the FortiManager, or to load a new image from the management computer. If no image is selected, the avatar will use the first letter of the user name.
Comments: Optionally, enter a description of the administrator, such as their role, location, or the reason for their account.
Admin Type: Select the type of authentication the administrator will use when logging into the FortiManager unit. One of: LOCAL, RADIUS, LDAP, TACACS+, PKI, or Group. See Authentication on page 460 for more information.
Server or Group: Select the RADIUS server, LDAP server, TACACS+ server, or group, as required. The server must be configured prior to creating the new administrator. This option is not available if the Admin Type is LOCAL or PKI.
Wildcard: Select this option to set the password as a wildcard. This option is not available if the Admin Type is LOCAL or PKI.
Subject: Enter a comment for the PKI administrator. This option is only available if the Admin Type is PKI.
CA: Select the CA certificate from the dropdown list. This option is only available if the Admin Type is PKI.
Required two-factor authentication: Select to enable two-factor authentication. This option is only available if the Admin Type is PKI.
New Password: Enter the password. This option is not available if Wildcard is selected. If the Admin Type is PKI, this option is only available when Require two-factor authentication is selected. If the Admin Type is RADIUS, LDAP, or TACACS+, the password is only used when the remote server is unreachable.
Confirm Password: Enter the password again to confirm it. This option is not available if Wildcard is selected. If the Admin Type is PKI, this option is only available when Require two-factor authentication is selected.
Force this administrator to change password upon next log on: Force the administrator to change their password the next time that they log in to the FortiManager. This option is only available if Password Policy is enabled in Admin Settings. See Password policy on page 469.
Admin Profile: Select an administrator profile from the list. The profile selected determines the administrator's access to the FortiManager unit's features. See Administrator profiles on page 453.
Administrative Domain: Choose the ADOMs this administrator will be able to access.
- All ADOMs: The administrator can access all the ADOMs.
- All ADOMs except specified ones: The administrator cannot access the selected ADOMs.
- Specify: The administrator can access the selected ADOMs. Specifying the ADOM shows the Specify Device Group to Access check box. Select the Specify Device Group to Access check box and select the Device Group this administrator is allowed to access. The newly created administrator will only be able to access the devices within the Device Group and sub-groups.
If the Admin Profile is Super_User, then this setting is All ADOMs. This field is available only if ADOMs are enabled. See Administrative Domains on page 394.
Policy Package Access: Choose the policy packages this administrator will have access to.
- All Packages: The administrator can access all the packages.
- Specify: The administrator can access the selected packages or package folder. If you specify a policy package folder, the administrator can access the policy packages in the selected folder and all sub-folders.
This option is only available when the Admin Profile is not a Restricted Admin profile. See Restricted administrators on page 447.
Web Filter Profile: Select the web filter profiles that the restricted administrator will be able to edit. This option is only available when the Admin Profile is set to a Restricted Admin profile. Security profiles can be configured by going to Policy & Objects > Object Configuration. See Managing objects and dynamic objects on page 200.
IPS Sensor: Select the IPS profiles that the restricted administrator will be able to edit. This option is only available when the Admin Profile is set to a Restricted Admin profile. Security profiles can be configured by going to Policy & Objects > Object Configuration. See Managing objects and dynamic objects on page 200.
Application Sensor: Select the application control profiles that the restricted administrator will be able to edit. This option is only available when the Admin Profile is set to a Restricted Admin profile. Security profiles can be configured by going to Policy & Objects > Object Configuration. See Managing objects and dynamic objects on page 200.
Trusted Hosts: Optionally, turn on trusted hosts, then enter their IP addresses and netmasks. Up to ten IPv4 and ten IPv6 hosts can be added. See Trusted hosts on page 440 for more information.
Meta Fields: Optionally, enter the new administrator's email address and phone number. The email address is also used for workflow session approval notifications, if enabled. See Workflow mode on page 362.
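The trusted-hosts rule from the settings above, as an added example that is not Fortinet's code: a Python model in which a login is accepted only from a source address inside one of the account's trusted hosts, with the ten-IPv4 and ten-IPv6 limit enforced, plus a lint that flags accounts whose trusted hosts do not actually restrict anything. The class and function names, the prefix thresholds and all addresses are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List

MAX_PER_FAMILY = 10  # the guide allows up to ten IPv4 and ten IPv6 trusted hosts per account


@dataclass
class Administrator:
    """Hypothetical model of one FortiManager administrator account."""
    name: str
    trusted_hosts: List[str] = field(default_factory=list)  # "addr/netmask" or "addr/prefixlen"


def parse_trusted_hosts(entries: List[str]):
    """Parse trusted-host strings into network objects.

    Raises ValueError for a malformed entry or when either address family has
    more than ten entries, so a bad list is rejected before it is saved.
    """
    nets = [ipaddress.ip_network(entry, strict=False) for entry in entries]
    per_family = {4: 0, 6: 0}
    for net in nets:
        per_family[net.version] += 1
    if max(per_family.values()) > MAX_PER_FAMILY:
        raise ValueError("at most ten IPv4 and ten IPv6 trusted hosts per administrator")
    return nets


def login_permitted(admin: Administrator, source_ip: str) -> bool:
    """True if source_ip lies inside one of the account's trusted hosts.

    An account with trusted hosts turned off is not restricted by source
    address at all, which is why lint_trusted_hosts() reports such accounts.
    """
    if not admin.trusted_hosts:
        return True
    src = ipaddress.ip_address(source_ip)
    return any(src in net for net in parse_trusted_hosts(admin.trusted_hosts))


def lint_trusted_hosts(admin: Administrator, min_prefix_v4: int = 24,
                       min_prefix_v6: int = 64) -> List[str]:
    """Return findings for trusted-host lists that do not really restrict anything.

    The prefix thresholds are this example's own review policy, not a
    FortiManager setting: entries broader than them are flagged, and a
    catch-all entry (0.0.0.0/0 or ::/0) is flagged as disabling the check.
    """
    findings = []
    if not admin.trusted_hosts:
        findings.append(f"{admin.name}: no trusted hosts, login allowed from any address")
        return findings
    for net in parse_trusted_hosts(admin.trusted_hosts):
        if net.prefixlen == 0:
            findings.append(f"{admin.name}: {net} matches every address")
        elif net.version == 4 and net.prefixlen < min_prefix_v4:
            findings.append(f"{admin.name}: {net} is broader than /{min_prefix_v4}")
        elif net.version == 6 and net.prefixlen < min_prefix_v6:
            findings.append(f"{admin.name}: {net} is broader than /{min_prefix_v6}")
    return findings


if __name__ == "__main__":
    # Constructed accounts using documentation address ranges.
    ops = Administrator("ops", ["192.0.2.0/255.255.255.0", "2001:db8:1::/64"])
    lax = Administrator("lax", ["0.0.0.0/0", "10.0.0.0/255.0.0.0"])
    print(login_permitted(ops, "192.0.2.17"), login_permitted(ops, "198.51.100.9"))
    for finding in lint_trusted_hosts(lax) + lint_trusted_hosts(Administrator("nohosts")):
        print(finding)
```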
Editing administrators
To edit an administrator, you must be logged in as a super user administrator. The administrator's name cannot be edited. An administrator's password can be changed using the right-click menu, if the password is not a wildcard.
To edit an administrator:
1. Go to System Settings > Admin > Administrators.
2. Double-click on an administrator, right-click on an administrator and then select Edit from the menu, or select the administrator then click Edit in the toolbar. The Edit Administrator pane opens.
3. Edit the settings as required, and then select OK to apply the changes.
To change an administrator's password:
1. Go to System Settings > Admin > Administrators.
2. Right-click on an administrator and select Change Password from the menu. The Change Password dialog box opens.
3. If you are editing the admin administrator's password, enter the old password in the Old Password field.
4. Enter the new password for the administrator in the New Password and Confirm Password fields.
5. Select OK to change the administrator's password.
The current administrator's password can also be changed from the admin menu in the GUI banner. See GUI overview on page 18 for information.
Deleting administrators
To delete an administrator or administrators, you must be logged in as a super user administrator.
You cannot delete an administrator that is currently logged in to the device.
The admin administrator can only be deleted using the CLI.
To delete an administrator or administrators:
1. Go to System Settings > Admin > Administrators.
2. Select the administrator or administrators you need to delete.
3. Click Delete in the toolbar, or right-click and select Delete.
4. Select OK in the confirmation box to delete the administrator or administrators.
To delete an administrator using the CLI:
1. Open a CLI console and enter the following commands, where <name> is the administrator's user name:
config system admin user
    delete <name>
end
Restricted administrators
Restricted administrator accounts are used to delegate management of Web Filter, IPS, and Application Control profiles, and then install those objects to their assigned ADOM.
Restricted administrators cannot be used when workflow mode is enabled. See Workflow mode on page 362.
When a restricted administrator logs in to the FortiManager, they enter the Restricted Admin Mode. This mode consists of a simplified GUI where they can make changes to the profiles that they have access to, and then install those changes to their designated ADOM using the Install command in the toolbar.
To create a restricted administrator:
1. Create an administrator profile with the Type set to Restricted Admin and the required permissions selected. See Creating administrator profiles on page 457.
2. Create a new administrator and select the restricted administrator profile for the Admin Profile, then select the specific ADOM and profiles that the administrator can manage. See Creating administrators on page 443.
Web Filter
Select a web filter profile from the tree menu to edit the profile details. Click Apply to apply any changes to the profile.
Name: The profile name.
Comment: Optionally, enter a description of the profile.
Advanced Options: Configure advanced options, including:
- https-replacemsg: enable/disable
- replacemsg-group: select a group from the list
- web-filter-activex-log: enable/disable
- web-filter-command-block-log: enable/disable
- web-filter-cookie-removal-log: enable/disable
- web-filter-js-log: enable/disable
- web-filter-jscript-log: enable/disable
- web-filter-referer-log: enable/disable
- web-filter-unknown-log: enable/disable
- web-filter-vbs-log: enable/disable
- wisp: enable/disable
- wisp-algorithm: auto-learning, primary-secondary, or round-robin
Inspection Mode: Select Proxy or Flow Based.
Log all URLs: Select to log all URLs.
FortiGuard Categories: Select FortiGuard categories. Right-click on a category to change the action: Allow, Block, Warning, Monitor, Authenticate, or, if available, Disable. Use the filter drop-down menu to filter the categories shown in the table based on the action.
Allow Users to override blocked categories: Select to allow users to override blocked categories. This option is only available if Inspection Mode is Proxy.
Override Permit: Select the override permits: bannedword-override, contenttype-check-override, fortiguard-wf-override, and urlfilter-override.
Groups that can override: Select groups that can override blocked categories.
Profile can switch to: Select profiles that the user can switch to.
Switch applies to: Select what the switch applies to: ask, browser, ip, user, or user-group.
Switch Duration: Select the switch duration, either ask or constant.
Duration: Enter the duration of the switch. This option is only available if Switch Duration is constant.
Enforce 'Safe Search' on Google, Yahoo!, Bing, Yandex: Select to enforce Safe Search. This option is only available if Inspection Mode is Proxy.
Restrict YouTube Access: Select to restrict access to YouTube. Select Strict or Moderate. This option is only available if Inspection Mode is Proxy.
Log all search keywords: Select to log all search keywords. This option is only available if Inspection Mode is Proxy.
Block Invalid URLs: Select to block invalid URLs. This option is only available if Inspection Mode is Proxy.
URL Filter: Select to enable URL filters. Select URL filters from the dropdown list, and/or create and manage filters in the table.
Block malicious URLs discovered by FortiSandbox: Select to block URLs that FortiSandbox deems malicious.
Web Content Filter: Select to apply web content filters. Click Add to add filters to the table. Edit and delete filters as required.
Allow Websites When a Rating Error Occurs: Select to allow access to websites if a rating error occurs.
Rate URLs by Domain and IP Address: Select to rate URLs by both their domain and IP address.
Block HTTP Redirects by Rating: Select to block HTTP redirects based on the site's rating. This option is only available if Inspection Mode is Proxy.
Rate Images by URL (Blocked images will be replaced with blanks): Select to rate images based on the URL. This option is only available if Inspection Mode is Proxy.
Restrict Google account usage to specific domains: Select to restrict Google account usage to specific domains. Click Add to add the domains to the table. This option is only available if Inspection Mode is Proxy.
Provide Details for Blocked HTTP 4xx and 5xx Errors: Select to receive details about blocked HTTP errors. This option is only available if Inspection Mode is Proxy.
HTTP POST Action: Block: Select to set the HTTP POST action to block. This option is only available if Inspection Mode is Proxy.
Remove Java Applet Filter: Select to remove the Java applet filter. This option is only available if Inspection Mode is Proxy.
Remove ActiveX Filter: Select to remove the ActiveX filter. This option is only available if Inspection Mode is Proxy.
Remove Cookie Filter: Select to remove the cookie filter. This option is only available if Inspection Mode is Proxy.
Intrusion Prevention
Select an IPS profile from the tree menu to edit the profile details. Click Apply to apply any changes to the profile.
Name: The profile name.
Comment: Optionally, enter a description of the profile.
IPS Signatures: Click Add Signatures to add IPS signatures to the table. The signatures list can be filtered to simplify adding them. To add or edit a signature's IP exemptions, select a signature then click Edit IP Exemptions. Right-click on a signature to change the action (Pass, Monitor, Block, Reset, Default, or Quarantine), and to enable or disable Packet Logging.
IPS Filters: Click Add Filter to add IPS filters to the table. The filters list can be searched and filtered to simplify adding them. Right-click on a signature to change the action (Pass, Monitor, Block, Reset, Default, or Quarantine), and to enable or disable Packet Logging.
Rate Based Signatures: Enable the required rate based signatures, then configure their options: Threshold, Duration, Track By, Action, and Block Duration.
Advanced Options: Enable or disable blocking malicious URLs.
Application Control
Select an application control profile from the tree menu to edit the profile details. Click Apply to apply any changes to the profile.
Name: The profile name.
Comment: Optionally, enter a description of the profile.
Categories: Select the action to take for each of the available categories: Allow, Monitor, Block, Traffic Shaping, Quarantine, or Reset.
Application Overrides: Click Add Signatures to add application override signatures to the table. The signatures list can be filtered to simplify adding them. Right-click on a signature to change the action (Allow, Monitor, Block, Traffic Shaping, Quarantine, or Reset).
Filter Overrides: Click Add Filter to add filter overrides to the table. The filters list can be searched and filtered to simplify adding them. Right-click on an override to change the action (Allow, Monitor, Block, Traffic Shaping, Quarantine, or Reset).
Deep Inspection of Cloud Applications: Select to enable deep inspection of cloud applications.
Allow and Log DNS Traffic: Select to allow and log DNS traffic.
Replacement Messages for HTTP-based Applications: Select to enable replacement messages for HTTP based applications.
Logging of Other Applications: Select to enable the logging of other applications.
Logging of Unknown Applications: Select to enable the logging of unknown applications.
Advanced Options: Configure advanced options:
- p2p-black-list: Select from bittorrent, edonkey, and skype.
- replacemsg-group: Select an option from the dropdown list.
Administrator profiles
Administrator profiles are used to control administrator access privileges to devices or system features. Profiles are assigned to administrator accounts when an administrator is created. The profile controls access to both the FortiManager GUI and CLI.
There are four predefined system profiles:
Restricted_User: Restricted user profiles have no system privileges enabled, and have read-only access for all device privileges.
Standard_User: Standard user profiles have no system privileges enabled, and have read/write access for all device privileges.
Super_User: Super user profiles have all system and device privileges enabled. This profile cannot be edited.
Package_User: Package user profiles have read/write policy and objects privileges enabled, and have read-only access for system and other privileges.
These profiles cannot be deleted, but standard and restricted profiles can be edited. New profiles can also be created as required. Only super user administrators can manage administrator profiles. Package user administrators can view the profile list.
Go to System Settings > Admin > Profile to view and manage administrator profiles.
The following options are available:
Create New: Create a new administrator profile. See Creating administrator profiles on page 457.
Edit: Edit the selected profile. See Editing administrator profiles on page 459.
Clone: Clone the selected profile. See Cloning administrator profiles on page 459.
Delete: Delete the selected profile or profiles. See Deleting administrator profiles on page 460.
Search: Search the administrator profiles list.
The following information is shown:
Name: The name the administrator uses to log in.
Type: The profile type, either System Admin or Restricted Admin.
Description: A description of the system and device access permissions allowed for the selected profile.
Permissions
The table below lists the default permissions for the predefined administrator profiles.
When Read-Write is selected, the user can view and make changes to the FortiManager system. When Read-Only is selected, the user can only view information. When None is selected, the user can neither view nor make changes to the FortiManager system.
Setting (CLI name) | Super User | Standard User | Restricted User | Package User
System Settings (system-setting) | Read-Write | None | None | Read-Only
Administrative Domain (adom-switch) | Read-Write | Read-Write | None | Read-Write
FortiGuard Center (fgd_center) | Read-Write | None | None | Read-Only
License Management (fgd-center-licensing) | Read-Write | None | None | Read-Only
Firmware Management (fgd-center-fmw-mgmt) | Read-Write | None | None | Read-Only
Advanced (fgd-center-advanced) | Read-Write | None | None | Read-Only
Device Manager (device-manager) | Read-Write | Read-Write | Read-Only | Read-Write
Add/Delete/Edit Devices/Groups (device-op) | Read-Write | Read-Write | None | Read-Write
Retrieve Configuration from Devices (config-retrieve) | Read-Write | Read-Write | Read-Only | Read-Only
Revert Configuration from Revision History (config-revert) | Read-Write | Read-Write | Read-Only | Read-Only
Delete Device Revision (device-revision-deletion) | Read-Write | Read-Write | Read-Only | Read-Write
Terminal Access (term-access) | Read-Write | Read-Write | Read-Only | Read-Only
Manage Device Configurations (device-config) | Read-Write | Read-Write | Read-Only | Read-Write
Provisioning Templates (device-profile) | Read-Write | Read-Write | Read-Only | Read-Write
SD-WAN (device-wan-link-load-balance) | Read-Write | Read-Write | Read-Only | Read-Write
Policy & Objects (policy-objects) | Read-Write | Read-Write | Read-Only | Read-Write
Global Policy Packages & Objects (global-policy-packages) | Read-Write | Read-Write | None | Read-Write
Assignment (assignment) | Read-Write | None | None | Read-Only
Policy Packages & Objects (adom-policy-packages) | Read-Write | Read-Write | Read-Only | Read-Write
Policy Check (consistency-check) | Read-Write | Read-Write | Read-Only | Read-Only
Edit Installation Targets (set-install-targets) | Read-Write | Read-Write | Read-Only | Read-Write
Lock/Unlock ADOM (adom-lock) | Read-Write | Read-Write | Read-Only | Read-Write
Lock/Unlock Device/Policy Package (device-policy-package-lock) | Read-Write | Read-Write | Read-Only | Read-Write
Install Policy Package or Device Configuration (deploy-management) | Read-Write | Read-Write | Read-Only | Read-Write
Import Policy Package (import-policy-packages) | Read-Write | Read-Write | Read-Only | Read-Write
Interface Mapping (intf-mapping) | Read-Write | Read-Write | Read-Only | Read-Write
AP Manager (device-ap) | Read-Write | Read-Write | Read-Only | Read-Write
FortiClient Manager (device-forticlient) | Read-Write | Read-Write | Read-Only | Read-Write
FortiSwitch Manager (device-fortiswitch) | Read-Write | Read-Write | Read-Only | Read-Write
VPN Manager (vpn-manager) | Read-Write | Read-Write | Read-Only | Read-Write
NOC - SOC (log-viewer) | Read-Write | Read-Write | Read-Only | Read-Only
Log View/FortiView/NOC - SOC (log-viewer) | Read-Write | Read-Write | Read-Only | Read-Only
Event Manager (event-management) | Read-Write | Read-Write | Read-Only | Read-Only
Reports (report-viewer) | Read-Write | Read-Write | Read-Only | Read-Only
CLI only settings:
realtime-monitor | Read-Write | Read-Write | Read-Only | Read
read-passwd | Read-Write | None | None | Read-Only
The NOC - SOC setting is only available when FortiAnalyzer features are disabled. The Log
View/FortiView/NOC - SOC, Event Manager, and Reports settings are only available when
FortiAnalyzer features are enabled. See FortiAnalyzer Features on page 22.
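As an added example (not Fortinet code), the following Python encodes a subset of the default-permissions table above by CLI setting name and picks the least privileged predefined profile that still satisfies a required set of permissions, listing what that profile grants beyond the requirement, which is exactly what a custom profile should trim. The function names and the scoring rule are this example's own assumptions.

```python
from typing import Dict, List, Optional

# Privilege levels from the guide, in increasing order of power.
LEVEL_RANK = {"None": 0, "Read-Only": 1, "Read-Write": 2}

# Column order of the predefined profiles in DEFAULT_PERMISSIONS.
PROFILES = ["Super_User", "Standard_User", "Restricted_User", "Package_User"]

# A subset of the default-permissions table above, keyed by CLI setting name.
DEFAULT_PERMISSIONS: Dict[str, List[str]] = {
    "system-setting":         ["Read-Write", "None",       "None",      "Read-Only"],
    "adom-switch":            ["Read-Write", "Read-Write", "None",      "Read-Write"],
    "fgd_center":             ["Read-Write", "None",       "None",      "Read-Only"],
    "device-manager":         ["Read-Write", "Read-Write", "Read-Only", "Read-Write"],
    "device-op":              ["Read-Write", "Read-Write", "None",      "Read-Write"],
    "config-retrieve":        ["Read-Write", "Read-Write", "Read-Only", "Read-Only"],
    "term-access":            ["Read-Write", "Read-Write", "Read-Only", "Read-Only"],
    "policy-objects":         ["Read-Write", "Read-Write", "Read-Only", "Read-Write"],
    "global-policy-packages": ["Read-Write", "Read-Write", "None",      "Read-Write"],
    "assignment":             ["Read-Write", "None",       "None",      "Read-Only"],
    "adom-policy-packages":   ["Read-Write", "Read-Write", "Read-Only", "Read-Write"],
    "deploy-management":      ["Read-Write", "Read-Write", "Read-Only", "Read-Write"],
    "read-passwd":            ["Read-Write", "None",       "None",      "Read-Only"],
}


def profile_permissions(profile: str) -> Dict[str, str]:
    """Map each setting to the level the named predefined profile grants."""
    column = PROFILES.index(profile)
    return {setting: levels[column] for setting, levels in DEFAULT_PERMISSIONS.items()}


def satisfies(profile: str, required: Dict[str, str]) -> bool:
    """True if the profile grants at least the required level for every setting."""
    granted = profile_permissions(profile)
    for setting, level in required.items():
        if setting not in granted:
            raise ValueError(f"unknown setting {setting!r}")
        if LEVEL_RANK[granted[setting]] < LEVEL_RANK[level]:
            return False
    return True


def privilege_score(profile: str) -> int:
    """Crude size of a profile: the sum of its level ranks (this example's own metric)."""
    return sum(LEVEL_RANK[level] for level in profile_permissions(profile).values())


def least_privileged_profile(required: Dict[str, str]) -> Optional[str]:
    """Predefined profile with the lowest privilege_score that satisfies the
    requirement, or None when no predefined profile does."""
    candidates = [p for p in PROFILES if satisfies(p, required)]
    return min(candidates, key=privilege_score) if candidates else None


def excess_privileges(profile: str, required: Dict[str, str]) -> Dict[str, str]:
    """Settings where the profile grants more than required. A non-empty result
    is the list a custom profile should set lower if the account does not need them."""
    granted = profile_permissions(profile)
    return {setting: level for setting, level in granted.items()
            if LEVEL_RANK[level] > LEVEL_RANK[required.get(setting, "None")]}


if __name__ == "__main__":
    # A policy administrator who installs policy packages but must not touch system settings.
    need = {"adom-policy-packages": "Read-Write", "deploy-management": "Read-Write",
            "system-setting": "None"}
    chosen = least_privileged_profile(need)
    print("profile:", chosen)
    for setting, level in excess_privileges(chosen, need).items():
        print(f"  {setting}: {level} granted but not required")
```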
Creating administrator profiles
To create a new administrator profile, you must be logged in to an account with sufficient privileges, or as a super user administrator.
To create a custom administrator profile:
1. Go to System Settings > Admin > Profile.
2. Click Create New in the toolbar. The New Profile pane is displayed.
3. Configure the following settings, and then click OK to create the new administrator profile.
Profile Name: Enter a name for this profile.
Description: Optionally, enter a description for this profile. While not a requirement, a description can help to explain what the profile is for, or the levels it is set to.
Type: Select the type of profile, either System Admin or Restricted Admin.
Permission: Select which permissions to enable from Web Filter Profile, Application Filter, and IPS Sensor. This option is only available when Type is Restricted Admin. See Restricted administrators on page 447 for information.
Permissions: Select None, Read-Only, or Read-Write access for the categories as required. This option is only available when Type is System Admin.
Privacy Masking: Enable/disable privacy masking. This option is only available when FortiAnalyzer features are enabled.
Masked Data Fields: Select the fields to mask: Destination Name, Source IP, Destination IP, User, Source Name, Email, Message, and/or Source MAC.
Data Mask Key: Enter the data masking encryption key. You need the Data Mask Key to see the original data.
Editing administrator profiles
To edit an administrator profile, you must be logged in to an account with sufficient privileges, or as a super user administrator. The profile's name cannot be edited. The Super_User profile cannot be edited, and the predefined profiles cannot be deleted.
To edit an administrator profile:
1. Go to System Settings > Admin > Profile.
2. Double-click on a profile, right-click on a profile and then select Edit from the menu, or select the profile then click Edit in the toolbar. The Edit Profile pane opens.
3. Edit the settings as required, and then select OK to apply the changes.
Cloning administrator profiles
To clone an administrator profile, you must be logged in to an account with sufficient privileges, or as a super user administrator.
To clone an administrator profile:
1. Go to System Settings > Admin > Profile.
2. Right-click on a profile and select Clone from the menu, or select the profile then click Clone in the toolbar. The Clone Profile pane opens.
3. Edit the settings as required, and then select OK to apply the changes.
Deleting administrator profiles
To delete a profile or profiles, you must be logged in to an account with sufficient privileges, or as a super user administrator. The predefined profiles cannot be deleted.
To delete a profile or profiles:
1. Go to System Settings > Admin > Profile.
2. Select the profile or profiles you need to delete.
3. Click Delete in the toolbar, or right-click and select Delete.
4. Select OK in the confirmation box to delete the profile or profiles.
Authentication
The FortiManager system supports authentication of administrators locally, remotely with RADIUS, LDAP, or TACACS+
servers, and using PKI. Remote authentication servers can also be added to authentication groups that administrators
can use for authentication.
To use PKI authentication, you must configure the authentication before you create the administrator accounts. See
Public Key Infrastructure on page 460 for more information.
To use remote authentication servers, you must configure the appropriate server entries in the FortiManager unit for
each authentication server in your network. New LDAP remote authentication servers can be added and linked to all
ADOMs or specific ADOMs. See LDAP servers on page 463, RADIUS servers on page 465, TACACS+ servers on page
465, and Remote authentication server groups on page 466 for more information.
Public Key Infrastructure
Public Key Infrastructure (PKI) authentication uses an X.509 certificate authentication library that takes a list of peers, peer groups, and user groups and returns authentication successful or denied notifications. Administrators only need a valid X.509 certificate for successful authentication; no username or password is necessary.
To use PKI authentication for an administrator, you must configure the authentication before you create the administrator accounts. You will also need the following certificates:
- an X.509 certificate for the FortiManager administrator (administrator certificate)
- an X.509 certificate from the Certificate Authority (CA) which has signed the administrator's certificate (CA certificate)
To get the CA certificate:
1. Log into your FortiAuthenticator.
2. Go to Certificate Management > Certificate Authorities > Local CAs.
3. Select the certificate and select Export in the toolbar to save the ca_fortinet.com CA certificate to your management computer. The saved CA certificate's filename is ca_fortinet.com.crt.
To get the administrator certificate:
1. Log into your FortiAuthenticator.
2. Go to Certificate Management > End Entities > Users.
3. Select the certificate and select Export in the toolbar to save the administrator certificate to your management computer. The saved administrator certificate's filename is admin_fortinet.com.p12. This PKCS#12 file is password protected. You must enter a password on export.
To import the administrator certificate into your browser:
1. In Mozilla Firefox, go to Options > Advanced > Certificates > View Certificates > Import.
2. Select the file admin_fortinet.com.p12 and enter the password used in the previous step.
To import the CA certificate into the FortiManager:
1. Log into your FortiManager.
2. Go to System Settings > Certificates > CA Certificates.
3. Click Import, and browse for the ca_fortinet.com.crt file you saved to your management computer, or drag and drop the file onto the dialog box. The certificate is displayed as CA_Cert_1.
To create a new PKI administrator account:
1. Go to System Settings > Admin > Administrator.
2. Click Create New. The New Administrator dialog box opens. See Creating administrators on page 443 for more information.
3. Select PKI for the Admin Type.
4. Enter a comment in the Subject field for the PKI administrator.
5. Select the CA certificate from the dropdown list in the CA field.
6. Click OK to create the new administrator account.
PKI authentication must be enabled via the FortiManager CLI with the following commands:
config system global
    set clt-cert-req enable
end
When connecting to the FortiManager GUI, you must use HTTPS when using PKI certificate authentication.
When both set clt-cert-req and set admin-https-pki-required are enabled, only PKI administrators can connect to the FortiManager GUI.
Managing remote authentication servers
The FortiManager system supports remote authentication of administrators using LDAP, RADIUS, and TACACS+ remote servers. To use this feature, you must configure the appropriate server entries for each authentication server in your network; see LDAP servers on page 463, RADIUS servers on page 465, and TACACS+ servers on page 465 for more information.
Remote authentication servers can be added, edited, deleted, and added to authentication groups (CLI only).
Go to System Settings > Admin > Remote Authentication Server to manage remote authentication servers.
The following options are available:
Create New: Add an LDAP, RADIUS, or TACACS+ remote authentication server. See LDAP servers on page 463, RADIUS servers on page 465, and TACACS+ servers on page 465.
Edit: Edit the selected remote authentication server. See Editing remote authentication servers on page 462.
Delete: Delete the selected remote authentication server or servers. See Deleting remote authentication servers on page 463.
The following information is displayed:
Name: The name of the server.
Type: The server type: LDAP, RADIUS, or TACACS+.
ADOM: The administrative domain(s) which are linked to the remote authentication server.
Details: Details about the server, such as the IP address.
Editing remote authentication servers
To edit a remote authentication server, you must be logged in to an account with sufficient privileges, or as a super user administrator. The server's name cannot be edited.
To edit a remote authentication server:
1. Go to System Settings > Admin > Remote Authentication Server.
2. Double-click on a server, right-click on a server and then select Edit from the menu, or select the server then click Edit in the toolbar. The Edit Server pane for that server type opens.
3. Edit the settings as required, and then select OK to apply the changes.
See LDAP servers on page 463, RADIUS servers on page 465, and TACACS+ servers on page 465 for more information.
Deleting remote authentication servers
To delete a remote authentication server or servers, you must be logged in to an account with sufficient privileges, or as a super user administrator.
To delete a remote authentication server or servers:
1. Go to System Settings > Admin > Remote Authentication Server.
2. Select the server or servers you need to delete.
3. Click Delete in the toolbar, or right-click and select Delete.
4. Select OK in the confirmation box to delete the server or servers.
LDAP servers
Lightweight Directory Access Protocol (LDAP) is an Internet protocol used to maintain authentication data that may
include departments, people, groups of people, passwords, email addresses, and printers. LDAP consists of a data-
representation scheme, a set of defined operations, and a request/response network.
If you have configured LDAP support and an administrator is required to authenticate using an LDAP server, the
FortiManager unit sends the administrator’s credentials to the LDAP server for authentication. If the LDAP server can
authenticate the administrator, they are successfully authenticated with the FortiManager unit. If the LDAP server
cannot authenticate the administrator, the FortiManager unit refuses the connection.
To use an LDAP server to authenticate administrators, you must configure the server before configuring the
administrator accounts that will use it.
To add an LDAP server:
1. Go to System Settings > Admin > Remote Authentication Server.
2. Select Create New > LDAP Server from the toolbar. The New LDAP Server pane opens.
3. Configure the following settings, and then click OK to add the LDAP server.
Name: Enter a name to identify the LDAP server.
Server Name/IP: Enter the IP address or fully qualified domain name of the LDAP server.
Port: Enter the port for LDAP traffic. The default port is 389.
Common Name Identifier: The common name identifier for the LDAP server. Most LDAP servers use cn. However, some servers use other common name identifiers such as UID.
Distinguished Name: The distinguished name is used to look up entries on the LDAP server. The distinguished name reflects the hierarchy of LDAP database object classes above the common name identifier. Clicking the query distinguished name icon will query the LDAP server for the name and open the LDAP Distinguished Name Query window to display the results.
Bind Type: Select the type of binding for LDAP authentication: Simple, Anonymous, or Regular.
User DN: When the Bind Type is set to Regular, enter the user DN.
Password: When the Bind Type is set to Regular, enter the password.
Secure Connection: Select to use a secure LDAP server connection for authentication.
Protocol: When Secure Connection is enabled, select either LDAPS or STARTTLS.
Certificate: When Secure Connection is enabled, select the certificate from the dropdown list.
Administrative Domain: Choose the ADOMs this server will be linked to: All ADOMs, or Specify for specific ADOMs.
Advanced Options
adom-attr: Specify an attribute for the ADOM.
attributes: Specify the attributes, such as member, uniquemember, or memberuid.
connect-timeout: Specify the connection timeout in milliseconds.
filter: Specify the filter in the format (objectclass=*).
group: Specify the name of the LDAP group.
memberof-attr: Specify the value for this attribute. This value must match the attribute of the group in the LDAP server. All users that are part of the LDAP group with the attribute matching the memberof-attr will inherit the administrative permissions specified for this group.
profile-attr: Specify the attribute for this profile.
secondary-server: Specify a secondary server.
tertiary-server: Specify a tertiary server.
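The following Python model is added here as an illustration; it is not code from this guide or from Fortinet, and it does not use a real LDAP client library. It walks through how the Bind Type, User DN and Password, Distinguished Name, filter, group and memberof-attr settings combine into a single administrator login decision. The in-memory directory, its entries and all class and function names are constructed for the example; a real deployment would talk to the directory over LDAPS or STARTTLS instead of a dictionary.

```python
"""Toy model of the LDAP administrator login flow (hypothetical names throughout)."""
from dataclasses import dataclass
import hmac

# Constructed directory: DN -> attributes (attribute names lower-cased).
# Passwords sit in clear text only because this is a toy directory.
DIRECTORY = {
    "cn=svc-fmg,ou=service,dc=example,dc=com": {
        "objectclass": ["person"], "userpassword": "bind-secret"},
    "cn=alice,ou=people,dc=example,dc=com": {
        "objectclass": ["person"], "userpassword": "alice-pw",
        "memberof": ["cn=fmg-admins,ou=groups,dc=example,dc=com"]},
    "cn=bob,ou=people,dc=example,dc=com": {
        "objectclass": ["person"], "userpassword": "bob-pw",
        "memberof": ["cn=staff,ou=groups,dc=example,dc=com"]},
}


@dataclass
class LdapServerConfig:
    """Mirrors the GUI fields of the LDAP server entry (field names are ours)."""
    cnid: str = "cn"                                    # Common Name Identifier
    dn: str = "ou=people,dc=example,dc=com"             # Distinguished Name
    bind_type: str = "regular"                          # simple | anonymous | regular
    user_dn: str = "cn=svc-fmg,ou=service,dc=example,dc=com"
    password: str = "bind-secret"
    ldap_filter: str = "(objectclass=*)"
    group: str = "cn=fmg-admins,ou=groups,dc=example,dc=com"
    memberof_attr: str = "memberOf"
    profile: str = "Super_User"   # admin profile inherited by members of the group


def bind(dn: str, password: str) -> bool:
    """Simulated LDAP bind: succeeds only if the DN exists and the password matches."""
    entry = DIRECTORY.get(dn)
    return entry is not None and hmac.compare_digest(entry["userpassword"], password)


def matches_filter(entry: dict, ldap_filter: str) -> bool:
    """Evaluate a single (attr=value) filter; '*' means 'attribute is present'."""
    attr, value = ldap_filter.strip("()").split("=", 1)
    values = entry.get(attr.lower(), [])
    return bool(values) if value == "*" else value in values


def authenticate(cfg: LdapServerConfig, username: str, password: str):
    """Return (granted, profile_or_reason) for an administrator login."""
    if cfg.bind_type == "regular":
        # Regular bind: the configured service account binds first and searches
        # for the user under the configured DN, then we bind as the found user.
        if not bind(cfg.user_dn, cfg.password):
            return False, "service bind failed"
        candidates = [
            dn for dn, entry in DIRECTORY.items()
            if dn.startswith(f"{cfg.cnid}={username},")
            and dn.endswith("," + cfg.dn)
            and matches_filter(entry, cfg.ldap_filter)
        ]
        if len(candidates) != 1:
            return False, "user not found"
        user_dn = candidates[0]
    else:
        # Simple/Anonymous in this toy: build <cnid>=<user>,<dn> and bind as the user.
        user_dn = f"{cfg.cnid}={username},{cfg.dn}"

    if not bind(user_dn, password):
        return False, "invalid credentials"

    # Group check: the user's memberof-attr must name the configured group;
    # only then does the user inherit the group's administrative profile.
    memberships = DIRECTORY[user_dn].get(cfg.memberof_attr.lower(), [])
    if cfg.group in memberships:
        return True, cfg.profile
    return False, "not a member of the configured LDAP group"


if __name__ == "__main__":
    cfg = LdapServerConfig()
    print(authenticate(cfg, "alice", "alice-pw"))  # (True, 'Super_User')
    print(authenticate(cfg, "bob", "bob-pw"))      # (False, 'not a member ...')
```

Note the asymmetry the model makes visible: with Regular bind the only credential FortiManager holds long-term is the service account's, while with Simple bind the administrator's DN has to be constructible from the Common Name Identifier and Distinguished Name alone. A user who authenticates but is not in the configured group gets no profile at all rather than a default one.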
RADIUS servers
Remote Authentication Dial-in User (RADIUS) is a user authentication and network-usage accounting system. When
users connect to a server they type a user name and password. This information is passed to a RADIUS server, which
authenticates the user and authorizes access to the network.
You can create or edit RADIUS server entries in the server list to support authentication of administrators. When an
administrator account’s type is set to RADIUS, the FortiManager unit uses the RADIUS server to verify the administrator
password at log on. The password is not stored on the FortiManager unit.
To use a RADIUS server to authenticate administrators, you must configure the server before configuring the
administrator accounts that will use it.
To add a RADIUS server:
1. Go to System Settings > Admin > Remote Authentication Server.
2. Select Create New > RADIUS Server from the toolbar. The New RADIUS Server pane opens.
3. Configure the following settings, and then click OK to add the RADIUS server.
Name: Enter a name to identify the RADIUS server.
Server Name/IP: Enter the IP address or fully qualified domain name of the RADIUS server.
Port: Enter the port for RADIUS traffic. The default port is 1812. Some RADIUS servers use port 1645.
Server Secret: Enter the RADIUS server secret.
Secondary Server Name/IP: Enter the IP address or fully qualified domain name of the secondary RADIUS server.
Secondary Server Secret: Enter the secondary RADIUS server secret.
Authentication Type: Select the authentication type the RADIUS server requires. If you select the default ANY, FortiManager tries all authentication types.
TACACS+ servers
Terminal Access Controller Access-Control System (TACACS+) is a remote authentication protocol that provides access
control for routers, network access servers, and other network computing devices via one or more centralized servers. It
allows a client to accept a user name and password and send a query to a TACACS authentication server. The server
host determines whether to accept or deny the request and sends a response back that allows or denies network access
to the user. The default TCP port for a TACACS+ server is 49.
If you have configured TACACS+ support and an administrator is required to authenticate using a TACACS+ server, the
FortiManager unit contacts the TACACS+ server for authentication. If the TACACS+ server can authenticate the
administrator, they are successfully authenticated with the FortiManager unit. If the TACACS+ server cannot
authenticate the administrator, the connection is refused by the FortiManager unit.
To use a TACACS+ server to authenticate administrators, you must configure the server before configuring the
administrator accounts that will use it.
To add a TACACS+ server:
1. Go to System Settings > Admin > Remote Authentication Server.
2. Select Create New > TACACS+ Server from the toolbar. The New TACACS+ Server pane opens.
3. Configure the following settings, and then click OK to add the TACACS+ server.
Name: Enter a name to identify the TACACS+ server.
Server Name/IP: Enter the IP address or fully qualified domain name of the TACACS+ server.
Port: Enter the port for TACACS+ traffic. The default port is 49.
Server Key: Enter the key to access the TACACS+ server. The server key can be a maximum of 16 characters in length.
Authentication Type: Select the authentication type the TACACS+ server requires. If you select the default ANY, FortiManager tries all authentication types.
Remote authentication server groups
Remote authentication server groups can be used to extend wildcard administrator access. Normally, a wildcard
administrator can only be created for a single server. If multiple servers of different types are grouped, a wildcard
administrator can be applied to all of the servers in the group.
Multiple servers of the same type can be grouped to act as backups - if one server fails, the administrator can still be
authenticated by another server in the group.
To use a server group to authenticate administrators, you must configure the group before configuring the administrator
accounts that will use it.
Remote authentication server groups can only be managed using the CLI. For more information, see the FortiManager
CLI Reference.
To create a new remote authentication server group:
1. Open the admin group command shell:
config system admin group
2. Create a new group, or edit an already created group:
edit
3. Add remote authentication servers to the group:
set member ...
4. Apply your changes:
end
To edit the servers in a group:
1. Enter the following CLI commands:
config system admin group
edit
set member ...
end
Only the servers listed in the command will be in the group.
To remove all the servers from the group:
1. Enter the following CLI commands:
config system admin group
edit
unset member
end
All of the servers in the group will be removed.
To delete a group:
1. Enter the following CLI commands:
config system admin group
delete
end
Global administration settings
The administration settings page provides options for configuring global settings for administrator access to the
FortiManager device. Settings include:
• Ports for HTTPS and HTTP administrative access
To improve security, you can change the default port configurations for administrative connections to the FortiManager. When connecting to the FortiManager unit after the port has changed, the port must be included, such as https://:. For example, if you are connecting to the FortiManager unit using port 8080, the URL would be https://192.168.1.99:8080. When you change the default port number for HTTP, HTTPS, Telnet, or SSH, ensure that the port number is unique.
• Idle timeout settings
By default, the GUI disconnects administrative sessions if no activity occurs for five minutes. This prevents someone from using the GUI if the management computer is left unattended.
• GUI language
The language the GUI uses. For best results, you should select the language used by the management computer.
• GUI theme
The default color theme of the GUI is Blueberry. You can choose another color or an image.
• Password policy
Enforce password policies for administrators.
• Display options
Display or hide advanced configuration options in the GUI. Only the admin administrator can configure these options.
Only super user administrators can access and configure the administration settings. The
settings are global and apply to all administrators of the FortiManager unit.
To configure the administration settings:
1. Go to System Settings > Admin > Admin Settings.
2. Configure the following settings as needed, then click Apply to save your changes to all administrator accounts:
Administration Settings
HTTP Port: Enter the TCP port to be used for administrative HTTP access. Default: 80. Select Redirect to HTTPS to redirect HTTP traffic to HTTPS.
HTTPS Port: Enter the TCP port to be used for administrative HTTPS access. Default: 443.
HTTPS & Web Service Server Certificate: Select a certificate from the dropdown list.
Idle Timeout: Enter the number of minutes an administrative connection can be idle before the administrator must log in again, from 1 to 480 (8 hours). See Idle timeout on page 471 for more information.
View Settings
Language: Select a language from the dropdown list. See GUI language on page 470 for more information.
Theme: Select a theme for the GUI. The selected theme is not applied until you click Apply, allowing you to sample different themes. Default: Blueberry.
Password Policy: Click to enable administrator password policies. See Password policy on page 469 and Password lockout and retry attempts on page 470 for more information.
Minimum Length: Select the minimum length for a password, from 8 to 32 characters. Default: 8.
Must Contain: Select the types of characters a password must contain.
Admin Password Expires after: Select the number of days a password is valid for, after which it must be changed.
Display Options on GUI: Click to expand the display options.
Show Script: Display the Script menu item. This menu is located on the Device Manager pane. This is an advanced FortiManager feature.
Show Add Multiple Button: Display the Add Multiple Devices option. This option is located on the Device Manager > Devices & Groups pane, under the More option in the toolbar. This is an advanced FortiManager feature.
Show Device List Import/Export: Select to display the Import Device List and Export Device List buttons. This option is located on the Device Manager > Devices & Groups pane, under the More option in the toolbar. This is an advanced FortiManager feature.
Password policy
You can enable and configure password policy for the FortiManager.
To configure the password policy:
1. Go to System Settings > Admin > Admin Settings.
2. Click to enable Password Policy.
3. Configure the following settings, then click Apply to apply the password policy.
Minimum Length: Specify the minimum number of characters that a password must be, from 8 to 32. Default: 8.
Must Contain: Specify the types of characters a password must contain: uppercase and lowercase letters, numbers, and/or special characters.
Admin Password Expires after: Specify the number of days a password is valid for. When the time expires, an administrator will be prompted to enter a new password.
Password lockout and retry attempts
By default, the number of password retry attempts is set to three, allowing the administrator a maximum of three attempts
at logging in to their account before they are locked out for a set amount of time (by default, 60 seconds).
The number of attempts and the default wait time before the administrator can try to enter a password again can be
customized. Both settings can be configured using the CLI.
To configure the lockout duration:
1. Enter the following CLI commands:
config system global
set admin-lockout-duration
end
To configure the number of retry attempts:
1. Enter the following CLI commands:
config system global
set admin-lockout-threshold
end
Example
To set the lockout threshold to one attempt and set a five minute duration before the administrator can try to log in
again, enter the following CLI commands:
config system global
set admin-lockout-duration 300
set admin-lockout-threshold 1
end
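As an added example, not code from this guide or from Fortinet, the following Python models the two mechanisms just described: the Password Policy fields (Minimum Length, Must Contain, Admin Password Expires after) and the lockout behaviour set by admin-lockout-threshold and admin-lockout-duration. Class and function names are ours, and one boundary is an assumption: a password is treated as expired once the configured number of days has fully elapsed since it was last changed.

```python
"""Toy model of FortiManager-style admin password policy and login lockout (hypothetical names)."""
import string
from datetime import date

# Character classes that "Must Contain" can require (names are ours).
CHARACTER_CLASSES = {
    "uppercase": str.isupper,
    "lowercase": str.islower,
    "number": str.isdigit,
    "special": lambda c: c in string.punctuation,
}


def check_password(password: str, minimum_length: int = 8,
                   must_contain=("uppercase", "lowercase", "number", "special")) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    if not 8 <= minimum_length <= 32:           # documented range for Minimum Length
        raise ValueError("minimum length must be between 8 and 32")
    problems = []
    if len(password) < minimum_length:
        problems.append(f"shorter than {minimum_length} characters")
    for name in must_contain:
        if not any(CHARACTER_CLASSES[name](c) for c in password):
            problems.append(f"missing {name} character")
    return problems


def password_expired(last_changed: str, expires_after_days: int, today: str) -> bool:
    """True once the password (ISO dates) has been valid for expires_after_days days."""
    elapsed = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return elapsed.days >= expires_after_days    # assumption: expires on the boundary day


class LoginGuard:
    """Counts failed logins per administrator and locks the account for a while.

    lockout_threshold consecutive failures trigger a lock of lockout_duration
    seconds (defaults match the documented 3 attempts / 60 seconds); a successful
    login clears the counter. Time is passed explicitly so the behaviour can be
    reasoned about without sleeping.
    """

    def __init__(self, verify, lockout_threshold: int = 3, lockout_duration: int = 60):
        self.verify = verify                  # callable(user, password) -> bool
        self.threshold = lockout_threshold
        self.duration = lockout_duration
        self._state = {}                      # user -> (failures, locked_until)

    def attempt(self, user: str, password: str, now: float) -> str:
        failures, locked_until = self._state.get(user, (0, 0.0))
        if now < locked_until:
            return "locked"                   # still inside the lockout window
        if self.verify(user, password):
            self._state.pop(user, None)       # success resets the counter
            return "ok"
        failures += 1
        if failures >= self.threshold:
            # Lock the account; the counter restarts once the window has passed.
            self._state[user] = (0, now + self.duration)
            return "locked"
        self._state[user] = (failures, locked_until)
        return "failed"


if __name__ == "__main__":
    print(check_password("password"))          # three missing character classes
    guard = LoginGuard(lambda u, p: p == "Correct-Horse1!", lockout_threshold=1,
                       lockout_duration=300)   # the CLI example above
    print(guard.attempt("admin", "bad", 0.0))  # locked
    print(guard.attempt("admin", "Correct-Horse1!", 299.0))  # still locked
    print(guard.attempt("admin", "Correct-Horse1!", 300.0))  # ok
```

The guard checks the lock before it checks the password, so a correct password presented during the lockout window is still refused; that is what makes the lockout useful against repeated guessing, and it is also why a lockout threshold of one (as in the CLI example) makes a single typo cost the administrator the full duration.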
GUI language
The GUI supports multiple languages, including:
• English
• Simplified Chinese
• Traditional Chinese
• Japanese
• Korean
By default, the GUI language is set to Auto Detect, which automatically uses the language used by the management
computer. If that language is not supported, the GUI defaults to English. For best results, you should select the
language used by the operating system on the management computer.
For more information about language support, see the FortiManager Release Notes.
To change the GUI language:
1. Go to System Settings > Admin > Admin Settings.
2. Under View Settings, in the Language field, select a language, or Auto Detect, from the dropdown list.
3. Click Apply to apply the language change.
Idle timeout
To ensure security, the idle timeout period should be short. By default, administrative sessions are disconnected if no
activity takes place for five minutes. This idle timeout is recommended to prevent anyone from using the GUI on a PC
that was logged in to the GUI and then left unattended. The idle timeout period can be set from 1 to 480 minutes.
To change the idle timeout:
1. Go to System Settings > Admin > Admin Settings.
2. Change the Idle Timeout period as required.
3. Click Apply.
Two-factor authentication
To configure two-factor authentication for administrators you will need the following:
• FortiManager
• FortiAuthenticator
• FortiToken
Configuring FortiAuthenticator
On the FortiAuthenticator, you must create a local user and a RADIUS client.
Before proceeding, ensure you have configured your FortiAuthenticator, created a NAS entry
for your FortiManager, and created or imported FortiTokens.
For more information, see the Two-Factor Authenticator Interoperability Guide and
FortiAuthenticator Administration Guide in the Fortinet Document Library.
Create a local user:
1. Go to Authentication > User Management > Local Users.
2. Click Create New in the toolbar.
3. Configure the following settings:
Username: Enter a user name for the local user.
Password creation: Select Specify a password from the dropdown list.
Password: Enter a password. The password must be a minimum of 8 characters.
Password confirmation: Re-enter the password. The passwords must match.
Allow RADIUS authentication: Enable to allow RADIUS authentication.
Role: Select the role for the new user.
Enable account expiration: Optionally, select to enable account expiration. For more information see the FortiAuthenticator Administration Guide.
4. Click OK to continue to the Change local user page.
5. Configure the following settings, then click OK.
Disabled: Select to disable the local user.
Password-based authentication: Leave this option selected. Select [Change Password] to change the password for this local user.
Token-based authentication: Select to enable token-based authentication.
Deliver token code by: Select to deliver the token by FortiToken, email, or SMS. Click Test Token to test the token.
Allow RADIUS authentication: Select to allow RADIUS authentication.
Enable account expiration: Optionally, select to enable account expiration. For more information see the FortiAuthenticator Administration Guide.
User Role
Role: Select either Administrator or User.
Full Permission: Select to allow Full Permission, otherwise select the admin profiles to apply to the user. This option is only available when Role is Administrator.
Web service: Select to allow Web service, which allows the administrator to access the web service via a REST API or by using a client application. This option is only available when Role is Administrator.
Restrict admin login from trusted management subnets only: Select to restrict admin login from trusted management subnets only, then enter the trusted subnets in the table. This option is only available when Role is Administrator.
Allow LDAP Browsing: Select to allow LDAP browsing. This option is only available when Role is User.
Create a RADIUS client:
1. Go to Authentication > RADIUS Service > Clients.
2. Click Create New in the toolbar.
3. Configure the following settings, then click OK.
Name: Enter a name for the RADIUS client entry.
Client name/IP: Enter the IP address or Fully Qualified Domain Name (FQDN) of the FortiManager.
Secret: Enter the server secret. This value must match the FortiManager RADIUS server setting at System Settings > Admin > Remote Authentication Server.
First profile name: See the FortiAuthenticator Administration Guide.
Description: Enter an optional description for the RADIUS client entry.
Apply this profile based on RADIUS attributes: Select to apply the profile based on RADIUS attributes.
Authentication method: Select Enforce two-factor authentication from the list of options.
Username input format: Select specific user name input formats.
Realms: Configure realms.
Allow MAC-based authentication: Optional configuration.
Check machine authentication: Select to check machine based authentication and apply groups based on the success or failure of the authentication.
Enable captive portal: Enable various portals.
EAP types: Optional configuration.
For more information, see the FortiAuthenticator Administration Guide, available in the
Fortinet Document Library.
Configuring FortiManager
On the FortiManager, you need to configure the RADIUS server and create an administrator that uses the RADIUS
server for authentication.
Configure the RADIUS server:
1. Go to System Settings > Admin > Remote Authentication Server.
2. Click Create New > RADIUS in the toolbar.
3. Configure the following settings, then click OK.
Name: Enter a name to identify the FortiAuthenticator.
Server Name/IP: Enter the IP address or fully qualified domain name of your FortiAuthenticator.
Server Secret: Enter the FortiAuthenticator secret.
Secondary Server Name/IP: Enter the IP address or fully qualified domain name of the secondary FortiAuthenticator, if applicable.
Secondary Server Secret: Enter the secondary FortiAuthenticator secret, if applicable.
Port: Enter the port for FortiAuthenticator traffic.
Authentication Type: Select the authentication type the FortiAuthenticator requires. If you select the default ANY, FortiManager tries all authentication types. Note: RADIUS server authentication for local administrator users stored in FortiAuthenticator requires the PAP authentication type.
Create the administrator:
1. Go to System Settings > Admin > Administrator.
2. Click Create New from the toolbar.
3. Configure the settings, selecting the previously added RADIUS server from the RADIUS Server dropdown list. See
Creating administrators on page 443.
4. Click OK to save the settings.
Test the configuration:
1. Attempt to log in to the FortiManager GUI with your new credentials.
2. Enter your user name and password and click Login.
3. Enter your FortiToken pin code and click Submit to log in to the FortiManager.
High Availability
FortiManager high availability (HA) provides a solution for a key requirement of critical enterprise management and
networking components: enhanced reliability. Understanding what’s required for FortiManager reliability begins with
understanding what normal FortiManager operations are and how to make sure normal operations continue if a
FortiManager unit fails.
Most of the FortiManager operations involve storing FortiManager and FortiGate configuration and related information
in the FortiManager database on the FortiManager unit hard disk. A key way to enhance reliability of FortiManager is to
protect the data in the FortiManager database from being lost if the FortiManager unit fails. This can be achieved by
dynamically backing up FortiManager database changes to one or more backup FortiManager units. Then, if the
operating FortiManager unit fails, a backup FortiManager unit can take the place of the failed unit.
A FortiManager HA cluster can have a maximum of five units: one primary or master unit with up to four backup or slave
units. All units in the cluster must be of the same FortiManager series. All units are visible on the network.
The primary unit and the backup units can be in the same location or different locations. FortiManager HA supports
geographic redundancy so the primary unit and backup units can be in different locations attached to different networks
as long as communication is possible between them (for example, on the Internet, on a WAN, or in a private network).
Administrators connect to the primary unit GUI or CLI to perform FortiManager operations. Managed devices connect
with the primary unit for normal management operations (configuration push, auto-update, firmware upgrade, and so
on). If FortiManager is used to distribute FortiGuard updates to managed devices, managed devices can connect to the
primary FortiManager unit or one of the backup units.
If the primary FortiManager unit fails you must manually configure one of the backup units to become the primary unit.
The new primary unit will have the same IP addresses as it did when it was the backup unit.
You don't need to reboot the FortiManager device when it is promoted from a backup to the
primary unit.
When devices with different licenses are used to create an HA cluster, the license that allows
for the smallest number of managed devices is used.
Synchronizing the FortiManager configuration and HA heartbeat
All changes to the FortiManager database are saved on the primary unit, and then these changes are synchronized to
the backup units. The FortiManager configuration of the primary unit is also synchronized to the backup units (except for
the HA parameters). As a result, the backup units always match the primary unit. So if the primary unit fails, a backup
unit can be configured to take the place of the primary unit and continue functioning as a standalone FortiManager unit.
While the FortiManager cluster is operating, all backup units in the cluster exchange HA heartbeat packets with the
primary unit so the primary unit can verify the status of the backup units and the backup units can verify the status of the
primary unit. The HA heartbeat packets use TCP port 5199. HA heartbeat monitoring, as well as FortiManager database
and configuration synchronization takes place using the connections between the FortiManager units in the cluster. As
part of configuring the primary unit you add peer IPs and peer serial numbers of each of the backup FortiManager units
in the cluster. You also add the peer IP of the primary unit and the primary unit serial number to each of the backup
units.
Depending on the peer IPs that you use, you can isolate HA traffic to specific FortiManager
interfaces and connect those interfaces together so they function as synchronization
interfaces between the FortiManager units in the cluster. Communication between the units
in the cluster must be maintained for the HA cluster to operate.
The interfaces used for HA heartbeat and synchronization communication can be connected to your network. However,
if possible you should isolate HA heartbeat and synchronization packets from your network to save bandwidth.
If the primary or a backup unit fails
If the primary unit fails, the backup units stop receiving HA heartbeat packets from the primary unit. If one of the backup
units fails, the primary unit stops receiving HA heartbeat packets from the backup unit. In either case, the cluster is
considered down until it is reconfigured.
When the cluster goes down, the cluster units still operating send SNMP traps and write log messages to alert the
system administrator that a failure has occurred. You can also see the failure on the HA Status page.
Reconfigure the cluster by removing the failed unit from the cluster configuration. If the primary unit has failed, this
means configuring one of the backup units to be the primary unit and adding peer IPs for all of the remaining backup
units to the new primary unit configuration.
If a backup unit has failed, reconfigure the cluster by removing the peer IP of the failed backup unit from the primary unit
configuration.
Once the cluster is reconfigured, it will continue to operate as before but with fewer cluster units. If the failed unit is
restored you can reconfigure the cluster again to add the failed unit back into the cluster. In the same way you can add a
new unit to the cluster by changing the cluster configuration to add it.
FortiManager HA cluster startup steps
When FortiManager units configured for HA start up, they begin sending HA heartbeat packets to their configured peer IP addresses
and also begin listening for HA heartbeat packets from their configured peer IP addresses.
When the FortiManager units receive HA heartbeat packets with a matching HA cluster ID and password from a peer IP
address, the FortiManager unit assumes the peer is functioning.
When the primary unit is receiving HA heartbeat packets from all of the configured peers or backup units, the primary
unit sets the cluster status to up. Once the cluster is up the primary unit then synchronizes its configuration to the
backup unit. This synchronization process can take a few minutes depending on the size of the FortiManager database.
During this time database and configuration changes made to the primary unit are not synchronized to the backup units.
Once synchronization is complete, if changes were made during synchronization, they are re-synchronized to the
backup units.
Most of the primary unit configuration, as well as the entire FortiManager database, are synchronized to the backup
unit. Interface settings and HA settings are not synchronized. These settings must be configured on each cluster unit.
Once the synchronization is complete, the FortiManager HA cluster begins normal operation.
Configuring HA options
To configure HA options go to System Settings > HA. Use the Cluster Settings pane to configure FortiManager units
to create an HA cluster or change cluster configuration.
To configure a cluster, set the Operation Mode of the primary unit to Master and the modes of the backup units to
Slave. Then add the IP addresses and serial numbers of each backup unit to the primary unit peer list. The IP address and
serial number of the primary unit must be added to each backup unit's HA configuration. The primary unit and all backup
units must have the same Cluster ID and Group Password.
You can connect to the primary unit GUI to work with FortiManager. Using configuration synchronization, you can
configure and work with the cluster in the same way as you work with a standalone FortiManager unit.
Configure the following settings:
Cluster Status: Monitor FortiManager HA status. See Monitoring HA status on page 481.
SN: The serial number of the device.
Mode: The high availability mode, either Master or Slave.
IP: The IP address of the device.
Enable: Shows if the peer is currently enabled.
Module Data Synchronized: Module data synchronized in bytes.
Pending Module Data: Pending module data in bytes.
Cluster Settings
Operation Mode: Select Master to configure the FortiManager unit to be the primary unit in a cluster. Select Slave to configure the FortiManager unit to be a backup unit in a cluster. Select Standalone to stop operating in HA mode.
Peer IP: Select the peer IP version from the dropdown list, either IPv4 or IPv6. Then, type the IP address of another FortiManager unit in the cluster. For the primary unit you can add up to four Peer IP addresses for up to four backup units. For a backup unit you can only add the IP address of the primary unit.
Peer SN Type the serial number of the FortiManager unit corresponding to the entered IP
address.
Cluster ID A number between 1 and 64 that identifies the HA cluster. All members of the HA
cluster must have the same cluster ID. If you have more than one FortiManager
HA cluster on the same network, each HA cluster must have a different cluster ID.
The FortiManager GUI browser window title changes to include the cluster ID
when FortiManager unit is operating in HAmode.
Group Password A password for the HA cluster. All members of the HA cluster must have the same
password.
If you have more than one FortiManager HA cluster on the same network, each
HA cluster must have a different password. The maximum password length is 19
characters.
File Quota Enter the file quota, from 2048 to 20480 MB (default: 4096 MB).
You cannot configure the file quota for backup units.
Heart Beat Interval The time the primary unit waits between sending heartbeat packets, in seconds.
The heartbeat interval is also the amount of time that backup units waits before
expecting to receive a heartbeat packet from the primary unit.
The default heartbeat interval is 5 seconds. The heartbeat interval range is 1 to
255 seconds. You cannot configure the heartbeat interval on the backup units.
Failover Threshold The number of heartbeat intervals that one of the cluster units waits to receive
HA heartbeat packets from other cluster units before assuming that the other
cluster units have failed. The default failover threshold is 3. The failover threshold
range is 1 to 255. You cannot configure the failover threshold of the backup units.
In most cases you do not have to change the heartbeat interval or failover
threshold. The default settings mean that if the a unit fails, the failure is detected
after 3 x 5 or 15 seconds; resulting in a failure detection time of 15 seconds.
If the failure detection time is too short, the HA cluster may detect a failure when
none has occurred. For example, if the primary unit is very busy it may not
respond to HA heartbeat packets in time. In this situation, the backup unit may
assume the primary unit has failed when the primary unit is actually just busy.
Increase the failure detection time to prevent the backup unit from detecting a
failure when none has occurred.
If the failure detection time is too long, administrators will be delayed in learning
that the cluster has failed. In most cases, a relatively long failure detection time
will not have a major effect on operations. But if the failure detection time is too
long for your network conditions, then you can reduce the heartbeat interval or
failover threshold.
Download Debug Log Select to download the HA debug log file to the management computer.
General FortiManager HA configuration steps
1. Configure the FortiManager units for HA operation:
- Configure the primary unit.
- Configure the backup units.
2. Change the network configuration so the remote backup unit and the primary unit can communicate with each
other.
3. Connect the units to their networks.
4. Add basic configuration settings to the cluster:
- Add a password for the admin administrative account.
- Change the IP address and netmask of the port1 interface.
- Add a default route.
GUI configuration steps
Use the following procedures to configure the FortiManager units for HA operation from the FortiManager unit GUI. It
assumes you are starting with three FortiManager units with factory default configurations. The primary unit and the first
backup unit are connected to the same network. The second backup unit is connected to a remote network and
communicates with the primary unit over the Internet. Sample configuration settings are also shown.
To configure the primary unit for HA operation:
1. Connect to the primary unit GUI.
2. Go to System Settings > HA.
3. Configure HA settings.
Example HA master configuration:
Operation Mode Master
Peer IP 172.20.120.23
Peer SN
Peer IP 192.168.34.23
Peer SN
Cluster ID 15
Group Password password
File Quota 4096
Heartbeat Interval 5 (Keep the default setting.)
Failover Threshold 3 (Keep the default setting.)
4. Click Apply.
To configure the backup unit on the same network for HA operation:
1. Connect to the backup unit GUI.
2. Go to System Settings > HA.
3. Configure HA settings.
Example local backup configuration:
Operation Mode Slave
Priority 5 (Keep the default setting.)
Peer IP 172.20.120.45
Peer SN
Cluster ID 15
Group Password password
File Quota 4096
Heartbeat Interval 5 (Keep the default setting.)
Failover Threshold 3 (Keep the default setting.)
4. Click Apply.
To configure a remote backup unit for HA operation:
1. Connect to the backup unit GUI.
2. Go to System Settings > HA.
3. Configure HA settings.
Example remote backup configuration:
Operation Mode Slave
Priority 5 (Keep the default setting.)
Peer IP 192.168.20.23
Peer SN
Cluster ID 15
Group Password password
File Quota 4096
Heartbeat Interval 5 (Keep the default setting.)
Failover Threshold 3 (Keep the default setting.)
4. Click Apply.
To change the network configuration so that the remote backup unit and the primary unit can
communicate with each other:
Configure the appropriate firewalls or routers to allow HA heartbeat and synchronization traffic to pass between the
primary unit and the remote backup unit using the peer IPs added to the primary unit and remote backup unit
configurations.
HA traffic uses TCP port 5199.
To connect the cluster to the networks:
1. Connect the cluster units.
No special network configuration is required for the cluster.
2. Power on the cluster units.
The units start and use HA heartbeat packets to find each other, establish the cluster, and synchronize their
configurations.
To add basic configuration settings to the cluster:
Configure the cluster to connect to your network as required.
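The following is an added example, not Fortinet code, that turns the HA settings table and the configuration procedure above into a checker. It encodes the documented limits (heartbeat interval 1 to 255 seconds, failover threshold 1 to 255, file quota 2048 to 20480 MB, group password of at most 19 characters), derives the failure detection time (heartbeat interval x failover threshold), cross-checks that each backup lists the primary as a peer and vice versa, rejects a placeholder group password such as the "password" used in the sample configurations, and lists the allow rules (TCP port 5199, both directions) that firewalls or routers between the primary and a remote backup must carry. The HAUnit field names, the WEAK_GROUP_PASSWORDS set and the sample cluster (primary at 172.20.120.45, remote backup at 192.168.34.23) are assumptions made for this example and are not a FortiManager export format.

```python
"""Added example (not Fortinet code): checker for FortiManager HA settings.

Encodes the limits documented in the HA settings table, derives the failure
detection time, cross-checks peer lists and lists the firewall allow rules
needed for HA traffic (TCP 5199). Field names and sample data are constructed.
"""
import ipaddress
from dataclasses import dataclass, field

HA_PORT = 5199  # TCP port carrying FortiManager HA heartbeat and sync traffic

# Sample or default values that must not remain as the group password.
# Assumption: "password" is only the guide's placeholder, never a real secret.
WEAK_GROUP_PASSWORDS = {"", "password", "fortinet", "admin"}


@dataclass
class HAUnit:
    name: str
    ip: str
    mode: str                  # "Master" (primary) or "Slave" (backup)
    cluster_id: int
    group_password: str
    peers: list = field(default_factory=list)  # peer IPs configured on this unit
    file_quota_mb: int = 4096
    heartbeat_interval: int = 5
    failover_threshold: int = 3


def detection_time(heartbeat_interval: int, failover_threshold: int) -> int:
    """Seconds before a silent peer is declared failed: interval x threshold."""
    return heartbeat_interval * failover_threshold


def validate_unit(u: HAUnit) -> list:
    """Return the problems found in one unit's own HA settings."""
    problems = []
    if u.mode not in ("Master", "Slave"):
        problems.append(f"{u.name}: mode must be Master or Slave")
    if not 1 <= u.heartbeat_interval <= 255:
        problems.append(f"{u.name}: heartbeat interval {u.heartbeat_interval} is outside 1-255")
    if not 1 <= u.failover_threshold <= 255:
        problems.append(f"{u.name}: failover threshold {u.failover_threshold} is outside 1-255")
    if not 2048 <= u.file_quota_mb <= 20480:
        problems.append(f"{u.name}: file quota {u.file_quota_mb} MB is outside 2048-20480")
    if len(u.group_password) > 19:
        problems.append(f"{u.name}: group password longer than 19 characters")
    elif u.group_password.lower() in WEAK_GROUP_PASSWORDS:
        problems.append(f"{u.name}: group password is a placeholder or default value")
    for addr in [u.ip, *u.peers]:
        try:
            ipaddress.ip_address(addr)  # catches typos such as an octet above 255
        except ValueError:
            problems.append(f"{u.name}: invalid IP address {addr!r}")
    return problems


def validate_cluster(units: list) -> list:
    """Per-unit checks plus the cross-unit rules: exactly one primary, a shared
    cluster ID and group password, and peer lists that point at each other."""
    problems = []
    for u in units:
        problems.extend(validate_unit(u))
    primaries = [u for u in units if u.mode == "Master"]
    if len(primaries) != 1:
        problems.append(f"cluster needs exactly one Master, found {len(primaries)}")
        return problems
    if len({u.cluster_id for u in units}) != 1:
        problems.append("all units must use the same cluster ID")
    if len({u.group_password for u in units}) != 1:
        problems.append("all units must use the same group password")
    primary = primaries[0]
    for u in units:
        if u.mode != "Slave":
            continue
        if primary.ip not in u.peers:
            problems.append(f"{u.name}: does not list the primary {primary.ip} as a peer")
        if u.ip not in primary.peers:
            problems.append(f"{primary.name}: does not list backup {u.name} ({u.ip}) as a peer")
    return problems


def required_firewall_rules(units: list) -> list:
    """(src, dst, proto, port) tuples that devices between the primary and
    each backup must permit, in both directions."""
    primary = next(u for u in units if u.mode == "Master")
    rules = []
    for u in units:
        if u.mode == "Slave":
            rules.append((primary.ip, u.ip, "tcp", HA_PORT))
            rules.append((u.ip, primary.ip, "tcp", HA_PORT))
    return rules


def sample_cluster(group_password: str = "password") -> list:
    """Constructed three-unit cluster modelled on the GUI examples above.
    Assumption: the primary is 172.20.120.45 (the local backup's peer IP) and
    the remote backup is reachable at 192.168.34.23."""
    primary = HAUnit("primary", "172.20.120.45", "Master", 15, group_password,
                     peers=["172.20.120.23", "192.168.34.23"])
    local_backup = HAUnit("local-backup", "172.20.120.23", "Slave", 15, group_password,
                          peers=["172.20.120.45"])
    remote_backup = HAUnit("remote-backup", "192.168.34.23", "Slave", 15, group_password,
                           peers=["172.20.120.45"])
    return [primary, local_backup, remote_backup]


if __name__ == "__main__":
    cluster = sample_cluster()
    print("failure detection time:", detection_time(5, 3), "seconds")
    for problem in validate_cluster(cluster):
        print("PROBLEM:", problem)
    for rule in required_firewall_rules(cluster):
        print("allow", rule)
```

Run as written, the sample cluster reports one problem per unit (the placeholder group password) and prints the four allow rules; swapping in a real group password on all three units clears the report. The peer cross-check is the part worth keeping: a backup that does not list the primary, or a primary that omits a backup, never forms a cluster, and the IP check catches a mistyped octet before the units are connected.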
Monitoring HA status
Go to System Settings > HA to monitor the status of the FortiManager units in an HA cluster. The FortiManager HA
status pane displays information about the role of each cluster unit, the HA status of the cluster, and the HA
configuration of the cluster.
The FortiManager GUI browser window title changes to indicate that the FortiManager unit is
operating in HA mode. The text HA (Group ID: X) is added to the title, where X is the HA
group ID (the Cluster ID configured above).
You can use the CLI command get system ha to display the same HA status information.
The following information is displayed:
Cluster Status The cluster status is Up if this unit is receiving HA heartbeat packets from all
of its configured peers. The cluster status is Down if the cluster unit is not
receiving HA heartbeat packets from one or more of its configured peers.
Mode The role of the FortiManager unit in the cluster. The role can be:
- Master: for the primary (or master) unit.
- Slave: for the backup units.
Module Data Synchronized The amount of data synchronized between this cluster unit and other cluster
units.
Pending Module Data The amount of data waiting to be synchronized between this cluster unit and
other cluster units.
Upgrading the FortiManager firmware for an operating cluster
You can upgrade the firmware of an operating FortiManager cluster in the same way as upgrading the firmware of a
standalone FortiManager unit.
To do the upgrade, connect to the primary unit GUI or CLI to upgrade the firmware. Similar to upgrading the firmware of
a standalone FortiManager unit, normal FortiManager operations are temporarily interrupted while the cluster firmware
upgrades. Because of this interruption, you should upgrade cluster firmware during a maintenance period.
To upgrade FortiManager HA cluster firmware:
1. Log into the primary unit GUI.
2. Upgrade the primary unit firmware.
The firmware is sent to all backup units, and then all units (primary and backup) are rebooted.
See the FortiManager Release Notes and FortiManager Upgrade Guide in the Fortinet Document Library for
more information.
You might not be able to connect to the FortiManager GUI until the upgrade synchronization
process is complete. During the upgrade, using SSH or telnet to connect to the CLI might be
slow. If necessary, use the console to connect to the CLI.
Appendix A - Supported RFC Notes
This section identifies the request for comment (RFC) notes supported by FortiManager.
RFC 3414
Description: User-Based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3).
Category: SNMP
Webpage: http://tools.ietf.org/html/rfc3414
RFC 2665
Description: Ethernet-like MIB parts that apply to FortiManager units.
Category: FortiManager (SNMP)
Webpage: http://tools.ietf.org/html/rfc2665
RFC 1213
Description: MIB II parts that apply to FortiManager units.
Category: FortiManager (SNMP)
Webpage: http://tools.ietf.org/html/rfc1213
Notes
RFC support for SNMP v3 includes Architecture for SNMP Frameworks (as described in RFC 3411). Generic
Fortinet traps: ColdStart, WarmStart, LinkUp, LinkDown (as described in RFC 1215).
Change Log
Date Change Description
2018-11-02 Initial release.
2018-11-15 Updated workflow mode description.
Copyright© 2018 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in
the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be
trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and
other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding
commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s
General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performancemetrics and, in such
event, only the specific performancemetrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be
limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features or
development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and
guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and themost
current version of the publication shall be applicable.