Settings

License

To activate your license:

  1. Go to support.fortinet.com and log in or register for a new account before proceeding.
  2. Once you are logged in, go to the home page and click Register/Activate Contracts under the Asset section.
  3. Enter the license registration code as listed on your license certificate when prompted, and click Next.
  4. On the Specify Fortinet Registration Information page, enter a brief product description and select your Fortinet Partner. To find your computer ID, go to the FortiADC-Manager CLI and enter the command execute computerid, then enter the result in the Computer ID field.
  5. Follow the remaining prompts to complete the activation process.

License overview:

  • The default license is an evaluation license. With it, you can only manage two ADCs.
  • A base license supports up to ten devices.
  • An unlimited license supports any number of ADCs.

Date & Time

See the FortiADC Handbook.

Upgrading firmware

Before you begin:

  • Download the firmware file from the Fortinet Customer Service & Support website: https://support.fortinet.com/
  • Read the release notes for the version you plan to install.
  • Back up your configuration before beginning this procedure. Reverting to an earlier firmware version could reset settings that are not compatible with the new firmware.
  • You must have super user permission (user admin) to upgrade firmware.

To boot the firmware on the alternate partition:

  • Click Boot Alternate Firmware.

The system reboots, the alternate becomes the active firmware, and the active becomes the alternate firmware.

To upgrade firmware:

  1. Go to Settings > System.
  2. Click Upgrade Firmware.
  3. Click Choose File to locate and select the file.
  4. Click Save.

Configuration Backup/Restore

You use the backup procedure to save a copy of your system configuration. A full backup is a zip file.

The backup feature has a few basic uses:

  • Saving the configuration as CLI commands that a co-worker or Fortinet support can use to help you resolve issues with misconfiguration.
  • Restoring the system to a known functional configuration.
  • Creating a template configuration you can edit and then load into another system using the restore procedure.

A complete configuration backup is a zip file that includes the complete configuration files, plus any files you have imported, including error page files, script files, and ISP address book files.

In the event that FortiADC Manager experiences hardware failure, being able to restore the entire backup configuration minimizes the time to reconfigure the system.

All backup files follow the same file-naming convention: hostname_date_time. For example, a backup file named "FortiADCManager-VM_20171214_0830.txt" is a backup of a system whose hostname is "FortiADCManager-VM", made at 08:30 on December 14, 2017. The date and time in the backup file name reflect the date and time in your FortiADC Manager's system settings when the backup is performed.

Note: Configuration backups do not include data such as logs and reports.

Backup files can include sensitive information, such as HTTPS certificate private keys. We strongly recommend that you password-encrypt your backup files and store them in a secure location.

Run a manual backup

You can back up your FortiADC Manager system configuration at any time from Settings > System > Configuration > Backup/Restore.

  1. Select Back Up.
  2. Select a storage location for the backup file, Local PC/Server or FortiADC Manager.
  3. Specify a name.
  4. The maximum total backup file size differs by model. For more information, see Table 131.
  5. Click Save.

If you chose to back up to FortiADC Manager, the backup file appears in the table under Configuration > Backup > FortiADC Manager. You then have the option of restoring from this backup. It also appears in Individual ADC > System > Configuration.

Restore a backup configuration

Use the following procedures to restore a backup of a previous configuration.

  1. Select Restore.
  2. Select the storage location where the backup file resides.
  3. To restore from the Local PC/Server, click Choose File, then upload the desired file.
  4. To restore from FortiADC Manager, select the backup from the table, and click the corresponding Restore icon, on the far right.

Note: The time required to restore a backup file varies, depending on the size of the file and the speed of your network connection. Your web UI session is terminated when the system restarts. To continue using the web UI, refresh the web page and log in again.

Static Routes

Static routes specify the IP address of a next-hop router that is reachable from that network interface. Routers are aware of which IP addresses are reachable through various network pathways, and can forward those packets along pathways capable of reaching the packets’ ultimate destinations. The FortiADC system itself does not need to know the full route, as long as the routers can pass along the packet.

You must configure at least one static route that points to a router, often a router that is the gateway to the Internet. You might need to configure multiple static routes if you have multiple gateway routers, redundant ISP links, or other special routing cases.

For more information about static routes, see the FortiADC Handbook.

DNS

Primary DNS

The system must be able to contact DNS servers to resolve IP addresses and fully qualified domain names. Your Internet service provider (ISP) might supply IP addresses of DNS servers, or you might want to use the IP addresses of your own DNS servers. You must provide unicast, non-local addresses for your DNS servers. Localhost and broadcast addresses are not accepted.

Incorrect DNS settings or unreliable DNS connectivity can cause issues with other features, such as FortiGuard services and NTP system time.

Secondary DNS

IPv4/IPv6 address of the secondary DNS server for your local network.

User

Name

Name of the administrator account, such as admin1 or admin@example.com.

Do not use spaces or special characters except the ‘at’ symbol ( @ ). The maximum length is 35 characters.

If you use LDAP or RADIUS, specify the LDAP or RADIUS username. This is the user name that the administrator must provide when logging in to the CLI or web UI. The users are authenticated against the associated LDAP or RADIUS server.

After you initially save the configuration, you cannot edit the name.

Trusted Hosts

Source IP address and netmask from which the administrator is allowed to log in. For multiple addresses, separate each entry with a space. You can specify up to three trusted areas. They can be single hosts, subnets, or a mixture.

Configuring trusted hosts hardens the security of the system. In addition to knowing the password, an administrator must connect only from the computer or subnets you specify.

Trusted host definitions apply both to the web UI and to the CLI when accessed through Telnet, SSH, or the CLI console widget. Local console access is not affected by trusted hosts, as the local console is by definition not remote, and does not occur through the network.

If ping is enabled, the address you specify here is also a source IP address to which the system will respond when it receives a ping or traceroute signal.

To allow logins only from one computer, enter only its IP address and 32- or 128-bit netmask:

192.0.2.1/32

2001:0db8:85a3::8a2e:0370:7334/128

To allow login attempts from any IP address (not recommended), enter:

0.0.0.0/0

Caution: If you restrict trusted hosts, do so for all administrator accounts. Failure to do so means that all accounts are still exposed to the risk of brute force login attacks. This is because if you leave even one administrator account unrestricted (i.e. 0.0.0.0/0), the system must allow login attempts on all network interfaces where remote administrative protocols are enabled, and wait until after a login attempt has been received in order to check that user name’s trusted hosts list.

Tip: If you allow login from the Internet, set a longer and more complex New Password, and enable only secure administrative access protocols. We also recommend that you restrict trusted hosts to IPs in your administrator’s geographical area.

Tip: For improved security, restrict all trusted host addresses to single IP addresses of computer(s) from which only this administrator will log in.
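The trusted hosts rules above can be checked off-box before they are entered. The following is an added example, not Fortinet code: it audits a map of administrator accounts to trusted hosts strings for the three-entry limit, the 0.0.0.0/0 case, and the Caution that one unrestricted account leaves every other account exposed. The account names and the dictionary layout are constructed assumptions.

```python
import ipaddress

MAX_ENTRIES = 3  # the page allows up to three trusted areas per administrator

# Constructed sample: account name -> trusted hosts string (space-separated).
SAMPLE_ADMINS = {
    "admin": "0.0.0.0/0",
    "admin1": "192.0.2.1/32 2001:0db8:85a3::8a2e:0370:7334/128",
    "admin@example.com": "198.51.100.0/24",
    "ops": "192.0.2.1/32 192.0.2.2/32 192.0.2.3/32 192.0.2.4/32",
}


def parse_trusted_hosts(value):
    """Parse a space-separated trusted hosts string into network objects."""
    entries = value.split()
    if not entries:
        raise ValueError("no trusted hosts given")
    if len(entries) > MAX_ENTRIES:
        raise ValueError(f"{len(entries)} entries, at most {MAX_ENTRIES} allowed")
    # strict=False tolerates host bits under the mask, e.g. 192.0.2.1/24
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def audit_admins(admins):
    """Return (account, severity, message) findings for all accounts."""
    findings, unrestricted = [], []
    for name, value in admins.items():
        try:
            nets = parse_trusted_hosts(value)
        except ValueError as exc:  # bad address, bad mask, or too many entries
            findings.append((name, "error", str(exc)))
            continue
        for net in nets:
            if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0
                if name not in unrestricted:
                    unrestricted.append(name)
                findings.append((name, "high", f"{net} allows login attempts from any address"))
            elif net.prefixlen < net.max_prefixlen:
                findings.append((name, "info", f"{net} covers {net.num_addresses} addresses, not a single host"))
    # Per the Caution: one unrestricted account keeps the login service
    # reachable from anywhere, so every other account stays brute-forceable.
    if unrestricted:
        for name in admins:
            if name not in unrestricted:
                findings.append((name, "high", "still exposed to brute force via unrestricted account(s): " + ", ".join(unrestricted)))
    return findings


if __name__ == "__main__":
    for account, severity, message in audit_admins(SAMPLE_ADMINS):
        print(f"[{severity}] {account}: {message}")
```

An empty findings list means every account is limited to single-host entries and no account is open to all addresses.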

Password

Set a strong password for all administrator accounts. The password should be at least eight characters long, be sufficiently complex, and be changed regularly.
