Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY 7.4.9
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    Administration Guide

    Home FortiManager 7.4.9 Administration Guide
    7.4.9
    7.6.6
    7.6.5
    7.6.4
    7.6.3
    7.6.2
    7.6.1
    7.6.0
    7.4.10
    7.4.9
    7.4.8
    7.4.7
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.12
    7.2.11
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.6
    6.2.5
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.0.12
    6.0.11
    6.0.10
    6.0.9
    6.0.8
    6.0.7
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0
    5.6.11
    5.6.10
    5.6.9
    5.6.8
    5.6.7
    5.6.6
    5.6.5
    5.6.4
    5.6.3
    5.6.2
    5.6.1
    5.6.0
    5.4.7
    5.4.6
    5.4.5
    5.4.4
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.2.10
    5.2.7
    5.2.6
    5.2.4
    5.2.3
    5.2.2
    5.2.1
    5.2.0
    5.0.12
    5.0.11
    5.0.10
    5.0.9
    5.0.8
    5.0.7
    5.0.6
    5.0.5
    5.0.4
    5.0.3
    5.0.2
    4.3.8
    4.3.7
    4.3.6
    4.3.5
    4.3.4
    4.3.3
    4.3.2
    4.3.1
    4.3.0
    4.2.9
    4.2.8
    4.2.7
    4.2.6
    4.2.5
    4.2.4
    4.2.3
    4.2.2
    4.2.1
    4.2.0
    4.1.0
    4.0.3
    4.0.2
    4.0.1
    4.0.0

    Adding FortiSASE

    Adding FortiSASE

    FortiSASE can be added to FortiManager for central management. Only one FortiSASE can be onboarded per FortiManager.

    When FortiManager is used for central management of FortiManager, a FortiSASE Connector is created to enable communication between FortiManager and FortiSASE. Administrators can use the connector to configure which FortiManager objects are synchronized to the FortiSASE. Currently, central management supports only one-way synchronization of configurations from FortiManager to FortiSASE. Therefore, administrators should avoid deleting objects from FortiManager to prevent any conflicts.

    Note

    Only select FortiSASE configuration settings are supported for central management using FortiManager.

    For full configuration steps, supported objects, and information about what FortiManager versions are supported for central management of FortiSASE, see the FortiSASE documentation on the Fortinet Documentation Library.
    Caution

    FortiSASE can only be added to FortiGate and Fabric ADOMs. Other ADOMs where the connector appears including FortiProxy, FortiFirewallCarrier, FortiFirewall, FortiCarrier, and the Global Database ADOMs are not supported.

    Additionally, FortiSASE cannot be added to ADOMs operating in Backup mode. Attempting to do so will present the user with the error message "An unexpected error has occurred".
    Prerequisites

    In order to add FortiSASE to FortiManager, the following prerequisite steps must be completed:

    • The FortiCloud account must include a valid FortiSASE entitlement.

    • The FortiManager must be included in the same FortiCloud account as the FortiSASE entitlement.

    To add FortiSASE to FortiManager:

    1. When FortiSASE is on the same FortiCloud account as FortiManager, you will receive a notification in the FortiManager toolbar that the FortiSASE management license is detected. Click on the notification to begin.

    2. Select the ADOM where the FortiSASE device will be added.

      Tooltip

      FortiSASE cannot be added to version 7.0 ADOMs or the Global Database ADOM.

      Once added, FortiSASE devices cannot be moved to other ADOMs.

    3. In the Edit FortiSASE Connector dialog, enable the connector.

      You can specify Advanced settings or leave them as None according to your needs.

      Connector Settings Configure the FortiSASE connector settings.

      Name

      		 Enter a name for the connector.

      Status

      		 Toggle the status of the connector ON.
      Advanced

      You can define the supported FortiManager objects to be synchronized to FortiSASE.

      For each object type, you can click Specify and Click to select to see a list of existing FortiManager objects. Click +v or + to create new objects from the dialog.

      Firewall Address and Address Group

      		 Select or create Firewall Address and Firewall Address Groups.

      Security Profile Group

      Select or create Security Profile Group and Security Profiles (selected types are supported only)

      User Group

      Select or create User Groups.

      User

      Select or create Users.

      Service and Service Group

      Select or create Service and Service Groups.

      Certificate

      Select or import Certificates.

    4. Click OK to save the connector. You will see the Connect to FortiSASE dialog and Add FortiSASE service step marked as Completed when the onboarding is successful.

    5. Go to Fabric View > Fabric Connector and you can see that the FortiSASE Connector is enabled. When hovering your mouse over the connector, you can observe the status of the connector and the list of synchronized objects.

    6. In the FortiManager Device Manager, you can see the Managed FortiSASE device has been added after the FortiSASE Connector has been enabled.

    7. Use the Install Wizard to Install Device Settings (only) to push the object configurations to FortiSASE. See Install device settings only.

    To edit the FortiSASE connector:

    1. Go to Fabric View > Fabric Connectors.

    2. Double-click the FortiSASE Connector tile, or right-click and choose Edit.

    3. In the Edit FortiSASE Connector dialog, configure the settings as required.

    4. Click OK.

    5. Use the Install Wizard to Install Device Settings (only) to push any object configuration changes to FortiSASE. See Install device settings only.

    Installing policy packages to FortiSASE

    Once the FortiSASE connector is enabled, you can view the Policy Package Status column for the FortiSASE controller in Device Manager.

    FortiManager automatically retrieves built-in FortiSASE interfaces/zones through the connector. These interfaces/zones and their mappings can be viewed in Policy & Objects > Normalized Interface:

    • SASE_ingress_zone

    • SASE_public_zone

    • SASE_secure_private_access_zone

    The FortiSASE connector does not require any special configuration to install policy packages to FortiSASE. The objects used in policies are implicitly synced to FortiSASE during the policy package installation.

    Firewall policies and proxy policies can be installed from FortiManager to FortiSASE. They are partially supported. See the tables below for requirements when installing to FortiSASE.

    Firewall Policy requirements

    Action

    Must be set to ACCEPT or DENY only.

    Type

    Must be set to Standard.

    Incoming/Outgoing Interfaces

    Limited to the following normalized interfaces/zones:

    • SASE_ingress_zone

    • SASE_public_zone

    • SASE_secure_private_access_zone

    Supported traffic directions

    • Internet access > SASE_ingress_zone > SASE_public_zone

    • Private access to hubs > SASE_ingress_zone > SASE_secure_private_access_zone

    • Private access from hubs > SASE_secure_private_access_zone > SASE_ingress_zone

    Inspection Mode

    Must be set to Proxy-based.

    Security Profile

    Status must be enabled, and Profile Type set to Use Security Profile Group.

    For more information about creating firewall policies, see Create a new firewall policy.

    Proxy Policy requirements

    Explicit Proxy Type

    Must be set to Explicit Web.

    Outgoing Interface

    Must be either SASE_public_zone or SASE_secure_private_access_zone.

    Action

    Must be set to ACCEPT or DENY only.

    Service

    Must be explicitly defined.

    For more information about creating proxy policies, see Create a new proxy policy.

    Note

    The Proxy configuration and Secure Private Access Network configuration must both be enabled in order to install policies using the SASE_secure_private_access_zone in FortiSASE.
    Previous
    Next

    Adding FortiSASE

    Adding FortiSASE

    FortiSASE can be added to FortiManager for central management. Only one FortiSASE can be onboarded per FortiManager.

    When FortiManager is used for central management of FortiManager, a FortiSASE Connector is created to enable communication between FortiManager and FortiSASE. Administrators can use the connector to configure which FortiManager objects are synchronized to the FortiSASE. Currently, central management supports only one-way synchronization of configurations from FortiManager to FortiSASE. Therefore, administrators should avoid deleting objects from FortiManager to prevent any conflicts.

    Note

    Only select FortiSASE configuration settings are supported for central management using FortiManager.

    For full configuration steps, supported objects, and information about what FortiManager versions are supported for central management of FortiSASE, see the FortiSASE documentation on the Fortinet Documentation Library.
    Caution

    FortiSASE can only be added to FortiGate and Fabric ADOMs. Other ADOMs where the connector appears including FortiProxy, FortiFirewallCarrier, FortiFirewall, FortiCarrier, and the Global Database ADOMs are not supported.

    Additionally, FortiSASE cannot be added to ADOMs operating in Backup mode. Attempting to do so will present the user with the error message "An unexpected error has occurred".
    Prerequisites

    In order to add FortiSASE to FortiManager, the following prerequisite steps must be completed:

    • The FortiCloud account must include a valid FortiSASE entitlement.

    • The FortiManager must be included in the same FortiCloud account as the FortiSASE entitlement.

    To add FortiSASE to FortiManager:

    1. When FortiSASE is on the same FortiCloud account as FortiManager, you will receive a notification in the FortiManager toolbar that the FortiSASE management license is detected. Click on the notification to begin.

    2. Select the ADOM where the FortiSASE device will be added.

      Tooltip

      FortiSASE cannot be added to version 7.0 ADOMs or the Global Database ADOM.

      Once added, FortiSASE devices cannot be moved to other ADOMs.

    3. In the Edit FortiSASE Connector dialog, enable the connector.

      You can specify Advanced settings or leave them as None according to your needs.

      Connector Settings Configure the FortiSASE connector settings.

      Name

      		 Enter a name for the connector.

      Status

      		 Toggle the status of the connector ON.
      Advanced

      You can define the supported FortiManager objects to be synchronized to FortiSASE.

      For each object type, you can click Specify and Click to select to see a list of existing FortiManager objects. Click +v or + to create new objects from the dialog.

      Firewall Address and Address Group

      		 Select or create Firewall Address and Firewall Address Groups.

      Security Profile Group

      Select or create Security Profile Group and Security Profiles (selected types are supported only)

      User Group

      Select or create User Groups.

      User

      Select or create Users.

      Service and Service Group

      Select or create Service and Service Groups.

      Certificate

      Select or import Certificates.

    4. Click OK to save the connector. You will see the Connect to FortiSASE dialog and Add FortiSASE service step marked as Completed when the onboarding is successful.

    5. Go to Fabric View > Fabric Connector and you can see that the FortiSASE Connector is enabled. When hovering your mouse over the connector, you can observe the status of the connector and the list of synchronized objects.

    6. In the FortiManager Device Manager, you can see the Managed FortiSASE device has been added after the FortiSASE Connector has been enabled.

    7. Use the Install Wizard to Install Device Settings (only) to push the object configurations to FortiSASE. See Install device settings only.

    To edit the FortiSASE connector:

    1. Go to Fabric View > Fabric Connectors.

    2. Double-click the FortiSASE Connector tile, or right-click and choose Edit.

    3. In the Edit FortiSASE Connector dialog, configure the settings as required.

    4. Click OK.

    5. Use the Install Wizard to Install Device Settings (only) to push any object configuration changes to FortiSASE. See Install device settings only.

    Installing policy packages to FortiSASE

    Once the FortiSASE connector is enabled, you can view the Policy Package Status column for the FortiSASE controller in Device Manager.

    FortiManager automatically retrieves built-in FortiSASE interfaces/zones through the connector. These interfaces/zones and their mappings can be viewed in Policy & Objects > Normalized Interface:

    • SASE_ingress_zone

    • SASE_public_zone

    • SASE_secure_private_access_zone

    The FortiSASE connector does not require any special configuration to install policy packages to FortiSASE. The objects used in policies are implicitly synced to FortiSASE during the policy package installation.

    Firewall policies and proxy policies can be installed from FortiManager to FortiSASE. They are partially supported. See the tables below for requirements when installing to FortiSASE.

    Firewall Policy requirements

    Action

    Must be set to ACCEPT or DENY only.

    Type

    Must be set to Standard.

    Incoming/Outgoing Interfaces

    Limited to the following normalized interfaces/zones:

    • SASE_ingress_zone

    • SASE_public_zone

    • SASE_secure_private_access_zone

    Supported traffic directions

    • Internet access > SASE_ingress_zone > SASE_public_zone

    • Private access to hubs > SASE_ingress_zone > SASE_secure_private_access_zone

    • Private access from hubs > SASE_secure_private_access_zone > SASE_ingress_zone

    Inspection Mode

    Must be set to Proxy-based.

    Security Profile

    Status must be enabled, and Profile Type set to Use Security Profile Group.

    For more information about creating firewall policies, see Create a new firewall policy.

    Proxy Policy requirements

    Explicit Proxy Type

    Must be set to Explicit Web.

    Outgoing Interface

    Must be either SASE_public_zone or SASE_secure_private_access_zone.

    Action

    Must be set to ACCEPT or DENY only.

    Service

    Must be explicitly defined.

    For more information about creating proxy policies, see Create a new proxy policy.

    Note

    The Proxy configuration and Secure Private Access Network configuration must both be enabled in order to install policies using the SASE_secure_private_access_zone in FortiSASE.
    Previous
    Next