Table of Contents
Change Log
Introduction
About this document
FortiManager documentation
What’s New in v4.0 MR3
Global Policy improvements
Administrative Domain (ADOM)
Install Wizard/Import Wizard
Policy usability
FortiToken support
Management model
FortiManager VM licensing changes
Web-based Manager changes
User Workspaces
Search improvements
Improvements to Device Manager
Firewall Policies Consistency Check
Java Client for Windows
IPv6 support
Audit logging
FortiGate to FortiManager Protocol
FortiMail support
High Availability improvements
SNMPv3 support added
Additional XML API extensions
Fortinet Management Theory
Key features of the FortiManager system
Configuration Revision Control and Tracking
Centralized Management
Administrative Domains
Local FortiGuard Service Provisioning
Firmware Management
Scripting
FortiClient Management
Fortinet Device Lifecycle Management
Inside the FortiManager system
Inside the FortiManager Management Module
FortiManager v4.0 MR3 Patch Release 3 Administration Guide
02-434-167503-20120406 3
http://docs.fortinet.com/ • Feedback
Using the Web-based Manager
System requirements
Connecting to the Web-based Manager
Web-based Manager overview
Viewing the Web-based Manager
Using the main tool bar
Using the tab bar
Using the navigation pane
Configuring Web-based Manager settings
Changing the Web-based Manager language
Changing administrative access to your FortiManager system
Changing the Web-based Manager idle timeout
Reboot and shutdown of the FortiManager unit
Administrative Domains
Enabling and disabling the ADOM feature
About ADOM modes
Switching between ADOMs
Normal mode ADOMs
Backup mode ADOMs
Managing ADOMs
Concurrent ADOM access
Adding an ADOM
Deleting an ADOM
Assigning devices to an ADOM
Assigning administrators to an ADOM
Viewing ADOM assignments
Viewing ADOM properties
System Settings
Viewing the system status
Customizing the Dashboard
Viewing System Information
Viewing System Resource Information
Viewing the Device Summary
Viewing License Information
Viewing Unit Operation
Viewing RAID status
Viewing Alert Messages
Using the CLI Console widget
Configuring General settings
Changing the host name
Configuring the system time
Updating the system firmware
Backing up and restoring the system
Configuring RAID
Configuring Network settings
Managing Certificates
Configuring High Availability
Managing administrators
Monitoring administrator sessions
Configuring administrator accounts
Managing administrator access
Managing remote authentication servers
Configuring global admin settings
Managing FortiGuard Services
Configuring FortiGuard services
Configuring FortiGuard updates
Managing firmware images
Viewing local event logs
Configuring Advanced Settings
Configuring SNMP
Configuring metadata requirements
Configuring advanced settings
Alerts
Device Log
Using FortiManager Wizards
Using the Add Device Wizard
Launching the Add Device Wizard
Importing a device
Adding a Device
Using the Install Wizard
Launching the Install Wizard
Installing a Policy Package
Installing Device Settings
Overview of the Add Device Wizard
Device Management
Device Manager overview
Viewing device summaries
Viewing managed devices
Viewing a single device
Using list filters
Managing devices
Adding a device
Replacing a managed device
Deleting a device
Editing device information
Refreshing a device
Importing policies to a device
Importing and exporting devices
Setting unregistered device options
Configuring devices
Configuring a device
Configuring virtual domains (VDOMs)
Working with device groups
Adding a device group
Deleting a device group
Editing device group information
Viewing the device group summary
Managing FortiGate chassis devices
Viewing chassis dashboard
Using the CLI console for managed devices
Policies and Objects
About Policies
Policy Theory
Policy Workflow
Provisioning New Devices
Day-to-Day Management of Devices
Managing policy packages
Create a new policy package or folder
Remove a policy package or folder
Rename a policy package or folder
Install a policy package
Perform a policy consistency check
About Objects and Dynamic Objects
Managing Objects and Dynamic Objects
Create a new object or group
Remove an object or group
Edit an object or group
Clone an object or group
Search where an object or group is used
Search objects
FortiToken configuration example
VPN Console
Configuring a VPN
Enable or disable VPN consoles
Create a firewall address
Create a VPN configuration
Add a VPN gateway
Create VPN firewall policies
Installing Device Configurations
Checking device configuration status
Managing configuration revision history
Downloading and importing a configuration file
Comparing different configuration files
Advanced Features
About Global Policies and Objects
Assigning Global Policies to ADOMs
Searching for Global Objects content
IP address search rules
Configuring Web Portals
Creating a web portal
Configuring the web portal profile
Creating a portal user account
External users
Using the web portal
Application Program Interfaces
XML API
Connecting to FortiManager Web Services
Web Portal Service Development Kit (SDK)
Java-based Administration Client
System requirements
Installing and logging in to the Java-based client
Java-based manager overview
Using the main tool bar
Using the navigation pane
Using the content pane
Java-based manager features
Drag and drop
Tabs
Improved adding and editing windows
Working with Scripts
Device View
Individual device view
Scheduling a script
Script View
Creating or editing a script
Cloning a script
Exporting a script
Script Samples
CLI scripts
Tcl scripts
FortiGuard Services
FortiGuard Center
Connecting the built-in FDS to the FDN
Configuring devices to use the built-in FDS
Matching port settings
Handling connection attempts from unregistered devices
Configuring FortiGuard services in the FortiGuard Center
Enabling push updates
Enabling updates through a web proxy
Overriding default IP addresses and ports
Scheduling updates
Accessing public FortiGuard Web Filtering and Email Filter servers
Viewing FortiGuard services from devices and groups
FortiGuard AntiVirus and IPS Statistics for a device
Web Filter Category Detail
FortiGuard Web Filter and Email Filter Statistics
License Information
Device History
Logging events related to FortiGuard services
Logging FortiGuard AntiVirus and IPS updates
Logging FortiGuard Web Filtering or Email Filter events
Viewing service update log events
Restoring the URL or Antispam database
Firmware and Revision Control
Viewing a device or group’s firmware
Downloading firmware images
Installing firmware images
Real-Time Monitor
RTM monitoring
RTM Dashboards
FortiManager system alerts
Alerts event
Configuring alerts
Alert console
Device Log
Device log setting
Device log access
FortiClient Manager
FortiClient Manager maximum managed agents
About FortiClient Manager clustering
FortiClient Manager window
Main Menu Bar
Navigation Pane
Client Group Tree
FortiClient menu
Message Center
Dashboard
Management Event
Client Alert
Working with Clients (FortiClient agents)
Viewing the clients lists
Filtering the clients list
Searching for FortiClient agents
Adding or removing temporary clients
Removing or relicensing unlicensed clients
Deploying licenses to Standard (Free) Edition clients
Deleting FortiClient agents
Working with FortiClient groups
Overview of client groups
Viewing FortiClient groups
Adding a FortiClient agent group
Deleting a FortiClient agent group
Editing a FortiClient agent group
Viewing group summaries
Configuring settings for client groups
Managing client configurations and software
Deploying FortiClient agent configurations
Retrieving a FortiClient agent configuration
Working with FortiClient software upgrades
FortiClient license keys
Working with Web Filter profiles
About Web Filtering
Viewing and editing Web Filter profiles
Configuring a Web Filter profile
Configuring FortiClient Manager system settings
Configuring FortiClient Manager clustering
Configuring FortiClient Manager cluster members
Configuring email alerts
Configuring LDAP for Web Filtering
Configuring LDAP settings
Configuring an LDAP server
Working with Windows AD users and groups
Active Directory Organizational Units Grouping
Configuring FortiClient group-based administration
Assigning group administrators
Configuring enterprise license management
Configuring an enterprise license
Creating a customized FortiClient installer
Configuring FortiClient agent settings
Viewing system status of a FortiClient agent
Configuring system settings of a FortiClient agent
Adding trusted FortiManager units to a FortiClient agent
Managing pending actions for a FortiClient agent
Configuring the log settings of a FortiClient agent
Configuring Lockdown Settings
Configuring the VPN settings of a FortiClient agent
Configuring a VPN security policy on a FortiClient agent
Configuring VPN options of a FortiClient agent
Configuring WAN Optimization settings of a FortiClient agent
Configuring AntiVirus settings on a FortiClient agent
AntiVirus scans
Configuring AntiVirus options
Viewing the firewall monitor of a FortiClient agent
Creating firewall policies on a FortiClient agent
Configuring firewall addresses on a FortiClient agent
Configuring firewall address groups on a FortiClient agent
Defining firewall applications on a FortiClient agent
Defining firewall protocols on a FortiClient agent
Configuring firewall protocol groups on a FortiClient agent
Configuring firewall schedules on a FortiClient agent
Configuring firewall schedule groups
Configuring trusted IPs exempted from intrusion detection
Configuring ping servers for a FortiClient agent firewall
Setting the firewall options of a FortiClient agent
Selecting a Web Filter profile for a FortiClient agent
Configuring Web Filter options on a FortiClient agent
Configuring Email Filter settings on a FortiClient agent
Configuring Email Filter options
Configuring anti-leak options on a FortiClient agent
High Availability
HA overview
Synchronizing the FortiManager configuration and HA heartbeat
If the primary unit or a backup unit fails
FortiManager HA cluster startup steps
Configuring HA options
General FortiManager HA configuration steps
Web-based Manager configuration steps
Monitoring HA status
Upgrading the FortiManager firmware for an operating cluster
FortiManager Firmware
Introduction to FortiManager OS v4.0 Major Release 3
Cautions and Limitations
Limitations
Upgrade Information
Upgrading from FortiManager v4.0 MR2
Upgrading from FortiManager v4.0 MR3
Upgrading from FortiManager Beta release
Upgrading FortiManager firmware for a cluster
Downgrading FortiManager
FortiManager Best Practices
Appendix A
Product Life Cycle Information
Software Support Policy
Appendix B
FortiManager-VM System Requirements
FortiManager-VM Licence Enhancements
Index
Table of Figures
FortiManager conceptual diagram
Management module
Default FortiManager Configuration window
Main tool bar
Unit operation actions in the Web-based Manager
Enabling ADOMs
Backup mode ADOM device revision history
ADOM table
Add an ADOM
ADOM dashboard example
FortiManager system dashboard
Adding a widget
A minimized widget
System Information widget
System Resource widget (Real Time display)
System Resource widget (Historical display)
Edit System Resources Settings window
Device Summary widget
VM License Information widget
Unit Operation widget
RAID Monitor displaying a RAID array without any failures
Alert Message Console widget
List of all alert messages
CLI Console widget
Edit Host Name dialog box
Time Settings dialog box
Firmware Upgrade dialog box
Backup dialog box
All Settings Configuration Restore dialog box
RAID Settings
Network screen
Network interface list
Configure network interfaces
Routing Table
Create New route
Local Certificates window
Local Certificate Detail
Cluster Settings dialog box
Administrator session list
Administrator list
Creating a new Administrator account
Editing an administrator account
Administrator profile list
Create new administrator profile
Edit administrator profile window
RADIUS server list
New RADIUS Server window
LDAP server list
New LDAP server dialog box
New TACACS+ server dialog box
Administrative settings dialog box
FortiGuard Center dialog box
Server settings dialog box
Firmware images list
SNMP configuration
FortiManager SNMP Community
System objects metadata
Add meta-field (system object)
Config objects metadata
Add meta-field (config object)
Advanced settings
Alert event window
Create new alert event window
Mail server window
Mail server settings
Syslog server window
Syslog server settings
Alert message console window
Alert console settings
Log setting window
Add Device icon
Add Device Wizard Login window
Import device summary window
Discover method summary window
Add Model Device method window
Importing device additional information window
Zone map window
Import policy summary
Import object summary
Device import successful window
Import device summary window
Adding device additional information window
Adding device model additional information window
Confirmation of success or failure
Zone map window
Add device summary window
Add model device summary window
Install icon
Install policy package
Policy package device selection window
Policy package zone validation window
Policy package policy validation window
Policy package installation window
Device installation history
Install device settings only
Device settings device selection window
Device settings successful installation window
Device settings failed installation window
Device installation history
Device Manager device list layout
Right click menu options
Example FortiGate unit summary
A device list filter set to display devices with IP addresses in the range of 1.1.1.1-1.1.1.2
A device list filter set to display all devices except one named “MyDevice”
A device list filter set to display devices with Connection Status set to “Connection Up”
Device Manager right-click menu
Create new virtual domain
Adding a group
Device group summary screen
Enable chassis management
CLI Console
Management module
Policy window
Create new policy package
Enter new policy package details
Edit Policy Package dialog box
Consistency Check dialog box
Policy Check dialog box
Consistency check results window
Managing Objects and Dynamic Objects
Example Object table
Creating a new Firewall object address
Where Used dialog box
Search Objects dialog box
New local user window
VPN List
Create VPN window
Add VPN Managed Gateway dialog box
Add VPN External Gateway dialog box
Configuration and Installation Status widget
Revision History Tab
Add a tag to a configuration version
Revision Diff window
Dashboard Licensing widget
Web Portal Window
Add a Web Portal Profile
Blank Web Portal Window
Adding web portal content
Logo Preferences
Portal Properties window
Add User window
Add External User window
Java-based administration client login screen
Java-based administration client main window
Default main menu bar
Java-based manager content pane
Reorganizing tabs in the Java-based administration client
Policy Editor window
Individual Device View
Scheduling a script
CLI Script Repository
Create or Edit a script
Cloning a script
Enable FortiGuard settings
FortiGuard AntiVirus and IPS Settings
Overriding FortiGuard Server
Manually uploading AV or IPS updates
Device group Service Usage: License Information
Firmware Information (device)
Firmware Information (group)
Firmware Images
Upload Firmware Image dialog box
Example RTM Dashboards
Rename a dashboard
Reset a dashboard
Add Monitor window
Viewing alert events
Adding alert events
Mail server list
Adding mail servers
SNMP access list
Adding a SNMP community
Syslog server list
Adding Syslog Server
Alert message console
Device Log Setting
Device Log Access
FortiClient Manager
Example of how FortiClient Manager determines the group names for OU groups
Cluster Settings
FortiManager HA status
Introduction
FortiManager centralized management appliances deliver the essential tools needed to
effectively manage your Fortinet-based security infrastructure.
Using the FortiManager system, you can:
• configure multiple FortiGate units (including FortiGate, FortiWiFi, FortiGate-One,
and FortiGate-Virtual Machine), FortiCarrier units, FortiMail units, FortiSwitch units,
and FortiClient endpoint security agents,
• segregate management of large deployments easily and securely by grouping
devices and agents into geographic or functional administrative domains (ADOMs),
• configure and manage VPN policies,
• monitor the status of these units,
• view device logs,
• update the AntiVirus and attack signatures,
• provide Web Filtering and Email Filter service to the licensed devices as a local
FortiGuard Distribution Network (FDN) server,
• update the firmware images of the devices.
The FortiManager system scales to manage up to 5,000 devices and virtual domains
(VDOMs) and up to 120,000 FortiClient agents from a single FortiManager interface. It
is designed for medium to large enterprises and managed security service providers.
FortiManager system architecture emphasizes reliability, scalability, ease of use, and
easy integration with third-party systems.
This section contains the following topics:
• About this document
• FortiManager documentation
About this document
This document describes how to configure and manage your FortiManager system and
the devices that it manages.
The FortiManager system documentation assumes that you have one or more FortiGate
units, that you have the FortiGate unit documentation, and that you are familiar with
configuring your FortiGate units before using the FortiManager system. Where
FortiManager system features or parts of features are identical to those of the
FortiGate unit, the FortiManager system documentation refers to the FortiGate unit
documentation for further configuration assistance with that feature.
This document contains the following information:
• What’s New in v4.0 MR3 lists and describes some of the new features and changes
in FortiManager v4.0 MR3 Patch Release 3.
• Fortinet Management Theory describes key features of the FortiManager system.
• Using the Web-based Manager introduces the FortiManager Web-based Manager
interface that is used to manage and configure supported Fortinet units and
FortiClient agents, and to view FortiGate unit configuration, device status, system
health, real time logs, and historical logs.
• Administrative Domains (ADOMs) describes ADOMs that can define sets of devices
to be controlled by one or more administrators.
• System Settings describes how to control and monitor the operation of the
FortiManager system, including network settings, managing firmware revisions,
configuration backup and administrator access.
• Using FortiManager Wizards describes how to use the Install, Add Device, and
Import Device wizards.
• Device Management describes adding, configuring and managing devices, Virtual
Domains (VDOMs) and working with device groups.
• Policies and Objects describes policy workflow, provisioning, policy packages,
objects and dynamic objects.
• VPN Console describes how to configure a VPN and firewall policies.
• Installing Device Configurations describes installing configuration changes to the
devices and pulling the existing configurations from the devices.
• Advanced Features describes administrative web portals and portal access.
• Application Program Interfaces
• Java-based Administration Client introduces the FortiManager Java-based
administration client tool that can be used to manage and configure supported devices
and FortiClient agents.
• Working with Scripts describes how to create and manage scripts from devices that
are in operation. Administrators can use functions, such as the configure function,
the debug function, the show function, and the get function, to manage devices
using scripts.
• FortiGuard Services describes how to use the FortiManager system as a local
update server for AV and IPS signatures and an on-site FDN server for FortiGuard
Web Filtering and Email Filter services.
• Firmware and Revision Control describes how to view, download and install device
firmware images.
• Real-Time Monitor describes how to monitor the status of a number of devices,
system alerts and device log.
• FortiClient Manager describes how to use the FortiClient Manager to centrally
manage FortiClient agents.
• High Availability describes how to configure and manage FortiManager high
availability clusters.
• FortiManager Firmware
FortiManager documentation
The following FortiManager product documentation is available:
• FortiManager Administration Guide
This document describes how to set up the FortiManager system and use it to
manage supported Fortinet units and FortiClient agents. It includes information on
how to configure multiple Fortinet units and FortiClient agents, configuring and
managing the FortiGate VPN policies, monitoring the status of the managed
devices, viewing and analyzing the FortiGate logs, updating the virus and attack
signatures, providing Web Filtering and Email Filter service to the licensed FortiGate
units as a local FortiGuard Distribution Network (FDN) server, firmware revision
control and updating the firmware images of the managed units and agents.
• FortiManager System QuickStart Guide
This document is included with your FortiManager system package. Use this
document to install and begin working with the FortiManager system and the
FortiManager Web-based Manager.
• FortiManager online help
You can get online help from the FortiManager Web-based Manager. FortiManager
online help contains detailed procedures for using the FortiManager Web-based
Manager to configure and manage FortiGate units.
• FortiManager CLI Reference
This document describes how to use the FortiManager CLI and contains a
reference to all FortiManager CLI commands.
• FortiManager Release Notes
This document describes the new features and enhancements in the FortiManager
system since the last release and lists the resolved and known issues. This
document also defines supported platforms and firmware versions.
• FortiManager Log Message Reference Guide
The FortiManager Log Message Reference Guide describes the structure of
FortiManager log messages and provides information about the log messages that
are generated by the FortiManager system.
What’s New in v4.0 MR3
This chapter lists and describes some of the key changes and new features added to
the FortiManager system.
Note: This document was written for FortiManager v4.0 MR3 Patch Release 5.
Global Policy improvements
Global Policy evaluation
FortiManager v4.0 MR3 Patch Release 3 includes a limited Global Policy feature that
allows administrators to evaluate the Global Policy feature before purchasing the
Global Policy license.
When a license key is not installed on the FortiManager, you can still enable the
Global Policy feature; however, the following limits are enforced:
• Only the default policy package can be used
• A maximum of ten policies can be defined in the default package
• A maximum of ten objects can be defined.
Note: The Global Policy license is now available for the FortiManager 400B, 400C, 1000C,
3000B, 3000C, 5001A and FortiManager VM-Base (4.3).
Assigning Global Policies to ADOMs
FortiManager v4.0 MR3 Patch Release 3 allows you to specify which policy package
within each ADOM will inherit the Global Policy or Global Database. This enhancement
provides finer granularity for assigning specific policy packages within each ADOM.
Add Global Zone to Global Policy
FortiManager v4.0 MR3 Patch Release 3 adds a Global Zone objects menu and table
for adding global zones to global policies. The following changes are included:
• Within an ADOM, the global zones are read-only and cannot be deleted or edited in
the Objects database.
• You will need to populate the global zones with interfaces from each device
manager.
• Global zones can be used for both Global level policy packages and ADOM
level policy packages, after they are assigned from global to the specified ADOM.
Section View for Global and ADOM Policy Packages
FortiManager v4.0 MR3 Patch Release 3 improves the section view menu with a view
by zone that uses custom label sections. This change adds the following features:
• View with global sections or with zone sections with custom labels
• Option to toggle between views
• Support for both ADOM and Global Policy packages.
Administrative Domain (ADOM)
The following improvements have been made to the ADOM list page:
• When the global admin user logs in, they are directed to the ADOM list page.
• When selecting the ADOM name, the left menu item will be selected and the ADOM
dashboard will be displayed.
• The right-click context menu has a new option to enter the ADOM.
• A search field has been added to the navigation pane to quickly search for a
specific ADOM.
• If backup mode has been configured, backup is displayed beside the ADOM name
in the column.
• A new column has been added to show if the ADOM has any alerts and a count of
the number of alerts.
• A status icon is displayed beside each device to show if communication is up or
down.
• When you hover the mouse pointer over an ADOM, an Enter dialogue box appears.
Left-click Enter to enter the ADOM menu.
ADOM Backup and Revision Control
FortiManager v4.0 MR3 Patch Release 2 introduced two administrative domain
(ADOM) configuration modes: Normal and Backup. FortiManager v4.0 MR3 Patch
Release 3 introduces improvements to how the FortiManager handles backup and
revision control in both of these modes of operation. See “Administrative Domains” on
page 38 for more information.
Install Wizard/Import Wizard
FortiManager v4.0 MR3 Patch Release 3 provides enhancements to the install wizard
and import wizard. These changes include:
• Clear description of error messages
• Preview option to view the installation changes for a policy package
• Preview option for device settings installation
Add Device Wizard, Fast Forward Support
An option has been added to device discovery that allows you to ignore prompts when
adding or importing a device unless errors occur. If the device has VDOMs, this option
is hidden on the discovery page and displayed on the VDOM page.
Import Policy
FortiManager v4.0 MR3 Patch Release 3 provides enhancements to the import policy
wizard which allows you to select specific policies to import. This granularity provides
you with more control over the device and policy import process. Both IPv4 and IPv6
policies are supported.
Virtual Domain (VDOM)
FortiManager v4.0 MR3 Patch Release 3 provides the following improvements to the
Import Wizard and Device Management to handle the import of multiple VDOMs and
import of devices/VDOMs when upgrading or moving devices between ADOMs:
• New Add VDOM page in the Import Wizard
• If the device has VDOMs enabled with more than one VDOM, the Add VDOM page
will be displayed.
• The first VDOM will be selected by default. As each VDOM is imported, it will be
greyed out in the list.
• You can specify a specific VDOM to import
• You can select the Import All checkbox to automatically import all VDOMs, or any
remaining VDOMs that have not been imported.
• You can choose the Skip Remaining button to ignore any remaining VDOMs and
jump straight to the summary page.
Once a VDOM is added, you will return to the Add VDOM page.
Policy usability
FortiManager v4.0 MR3 Patch Release 3 adds a Set Profile option in the right-click
menu on the policy page. You can use this option to assign a new profile to the firewall
policy without having to remove and re-add the profile or open the edit policy page.
Multiple policy edit
FortiManager v4.0 MR3 Patch Release 3 provides an enhancement to allow you to
select multiple policies and then right-click to modify the UTM settings for all the
selected policies.
FortiToken support
FortiManager v4.0 MR3 Patch Release 3 provides FortiToken support as a configurable
object. See “FortiToken configuration example” on page 180.
Management model
The FortiManager system in v4.0 MR3 has changed from what you may be used
to in earlier versions. In previous versions there were two modes of operation: EMS
and GMS. In v4.0 MR3, these have been combined into a single, united workflow that
is suitable for users of either mode.
The new management model has the following configuration management
components per ADOM:
• Policy & Objects
• Real-Time Monitor
• FortiClient Manager
• Add Device Wizard
• Install Wizard
• Device Settings Management:
  • Device Summary & Status
  • VDOM Synchronization
  • Web-based Manager Scripts
For more information on the new management model, see “Fortinet Management
Theory” on page 25.
FortiManager VM licensing changes
With FortiManager v4.0 MR3 Patch Release 3, the following changes have been made
to FortiManager-VM:
• Automatic fifteen (15) day evaluation license
• Removal of requirement to have FortiManager-VM contact FortiGuard Distribution
Servers (FDS) for license activation
• Stackable license model for FortiManager-VM license add-ons
• License can be applied through the FortiManager-VM CLI.
See “FortiManager-VM Licence Enhancements” on page 372.
Web-based Manager changes
FortiManager v4.0 MR3 includes a number of changes to the Web-based Manager:
• Tab Bar
The Web-based Manager now features a tab bar to improve its organization and
simplify access to important system functions.
• System Settings
The System menu in the Web-based Manager has been improved to make it easier
to use. Improved support for widgets has been added.
• Installation Improvements
FortiManager v4.0 MR3 simplifies installation of updates to managed devices,
allowing “1-click” installation of updates.
• Policy Table Improvements
The Policy Table has had several improvements made, including contextual menus,
to improve usability.