FortiGate / FortiOS

FortiManager

FortiAnalyzer

Administration Guide

Setting up FortiManager
- Connecting to the GUI
  - FortiManager Setup wizard
  - Activating VM licenses
- Security considerations
- GUI overview
- FortiAnalyzer Features
  - Enable or disable FortiAnalyzer features
- Initial setup
- Restarting and shutting down
FortiManager Key Concepts
- Communication through protocols
- Configuration through Device Manager
- ADOMs and devices
- Operations
- Key features of the FortiManager system
Dashboard
- Customizing the dashboard
- System Information widget
- System Resources widget
- License Information widget
- Unit Operation widget
- Alert Messages Console widget
- Log Receive Monitor widget
- Insert Rate vs Receive Rate widget
- Log Insert Lag Time widget
- Receive Rate vs Forwarding Rate widget
- Disk I/O widget
- Device widgets
- Restart, shut down, or reset FortiManager
Device Manager
- ADOMs
- Device & Groups
- Scripts
- Provisioning Templates
- Firmware templates
- Monitors
- FortiGate chassis devices
  - Viewing chassis dashboard
Policy & Objects
- About policies
  - Policy theory
  - Global policy packages
- Policy workflow
  - Provisioning new devices
  - Day-to-day management of devices
- Feature visibility
- Managing policy packages
- Managing policies
- Using Policy Blocks
- Managing objects and dynamic objects
- ADOM revisions
SD-WAN Manager
- SD-WAN Network
  - SD-WAN Devices
  - SD-WAN Monitor
- SD-WAN Templates
- SD-WAN overlay orchestration
- SD-WAN rules
- Upgrading FortiManager with SD-WAN devices and templates
AP Manager
- Managed FortiAPs
- WiFi Maps
  - Google map
  - Floor map
- WiFi profiles and settings for central management
- WiFi profiles and settings for per-device management
  - Enabling FortiAP per-device management
  - Creating profiles
VPN Manager
- Overview
- Enabling central VPN management
- DDNS support
- VPN Setup Wizard supports device groups
- IPsec VPN
- Agentless VPN
- VPN security policies
  - Defining policy addresses
  - Defining security policies
- VPN CLI configurations
FortiView
Fabric View
- Security Fabric Topology
- Security Rating
  - Viewing Security Fabric Ratings
  - Security Fabric score
- Fabric Connectors
  - Core Network Security
    - Creating FortiClient EMS connectors
- External Connectors
- Cloud Orchestration
FortiAI
- Enabling administrator access to FortiAI
- Using FortiAI
- FortiAI data privacy
- FortiAI tokens
- FortiAI example tasks
- Submitting feedback for FortiAI
- Configuring role-based access control for FortiAI
FortiGuard
- Device licenses
  - View licensing status
- Package management
- Query services
- Firmware images
- External resources
- Settings
- Enabling FDN third-party SSL validation and Anycast support
- Configuring devices to use the built-in FDS
  - Handling connection attempts from unauthorized devices
  - Configure a FortiManager without Internet connectivity to access a local FortiManager as FDS
- Configuring FortiGuard services
- Logging events related to FortiGuard services
  - Logging FortiGuard antivirus and IPS updates
  - Logging FortiGuard web or email filter events
- Restoring the URL or antispam database
FortiSwitch Manager
- Managed FortiSwitches
- FortiSwitch central management
  - Enabling FortiSwitch central management
  - FortiSwitch Templates
- FortiSwitch per-device management
Extender Manager
- Managed extenders
  - Managing FortiExtender devices
- Extender profiles
  - FortiExtender profiles
  - Using Fortinet recommended extender profiles
- Data plans
- FortiExtender SSIDs
- Preview the JSON API or CLI script for Extender Manager configurations
System Settings
- Logging Topology
- Network
- RAID Management
- Administrative Domains (ADOMs)
- Fabric Management
- Certificates
- Event Log
  - Event log filtering
- Task Monitor
- Mail Server
- Syslog Server
  - Send local logs to syslog server
- Meta Fields
- Device logs
  - Configuring rolling and uploading of logs using the GUI
  - Configuring rolling and uploading of logs using the CLI
- Miscellaneous Settings
Administrators
- Trusted hosts
- Monitoring administrators
- Disconnecting administrators
- Managing administrator accounts
- Restricted administrators
- Administrator profiles
- Workspace
- Authentication
- Global administration settings
- Multi-factor authentication
  - Multi-factor authentication with FortiAuthenticator
    - Configuring FortiAuthenticator
    - Configuring FortiManager
  - Multi-factor authentication with FortiToken Cloud
High Availability
- Synchronizing the FortiManager configuration and HA heartbeat
- If the primary or a backup unit fails
- FortiManager HA cluster startup steps
- Configuring HA options
- Monitoring HA status
- Upgrading the FortiManager firmware for an operating cluster
Appendix A - Supported RFC Notes
Appendix B - Policy ID support
Appendix C - FortiManager Ansible Collection documentation
Appendix D - FortiAI token entitlements for FortiManager
Appendix E - VM license migration
Change Log

Home FortiManager 7.6.6 Administration Guide

7.6.6

Trusted platform module support

On supported FortiManager hardware devices, the Trusted Platform Module (TPM) is used to protect system against malicious attacks.

The dedicated module hardens the FortiManager by storing your master‑encryption‑password which is created when the private data encryption feature is enabled. For more information about which models feature TPM support, see the FortiManager Data Sheet.

By default, the TPM is disabled. To enable it, you must enable private-data-encryption and set the 32 hexadecimal digit master‑encryption‑password.

When private data encryption is enabled, the master-encryption-password is used to generate a primary key which encrypts and protects the individual passwords stored on the FortiManager (for example, FortiManager Admin passwords, HA passwords, SNMP passwords, and others). These individual passwords are not stored within the TPM themselves.

The primary key is never displayed in the FortiManager backup file or the system CLI, thereby obscuring the information and leaving the encrypted information in the TPM.

The TPM module does not encrypt the FortiManager disk drive or protect sensitive data contained in managed FortiGate configurations that are stored in FortiManager databases.

Configuration backups and migrations

The primary key binds the encrypted backup file to a specific FortiManager unit and never leaves the TPM. When backing up the configuration, the TPM uses the key to encrypt the master‑encryption‑password in the FortiManager backup file. When restoring a configuration that includes a TPM protected master‑encryption‑password:

If TPM is enabled but has a different master‑encryption‑password than the FortiManager backup file, then the configuration cannot be restored.
If TPM is enabled and the master‑encryption‑password is the same in the FortiManager backup file, then the configuration can be restored.

For information on backing up and restoring the configuration, see Backing up the system and Restoring the configuration.

The master-encryption-password is also required when migrating the configuration, regardless if TPM is available on the other FortiManager model. For more information, see

Migrating the configuration.

To check if your FortiManager device has a TPM:

Enter the following command in the FortiManager CLI:

diagnose hardware info

The output in the CLI includes ### TPM info, which displays if the TPM is detected (enabled), not detected (disabled), or not available.

To enable TPM and input the master‑encryption‑password:

Enter the following command in the FortiManager CLI:

config system global

set private-data-encryption enable

end

Please type your private data encryption key (32 hexadecimal numbers):

********************************

Please re-enter your private data encryption key (32 hexadecimal numbers) again:

********************************

Your private data encryption key is accepted.