Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY 6.2.1
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    Administration Guide

    Home FortiDeceptor 6.2.1 Administration Guide
    6.2.1
    6.2.1
    6.2.0
    6.1.1
    6.1.0
    6.0.3
    6.0.2
    6.0.1
    6.0.0
    5.3.4
    5.3.3
    5.3.2
    5.3.1
    5.3.0
    5.2.2
    5.2.0
    5.1.0
    5.0.0
    4.3.0
    4.2.0
    4.1.1
    4.1.0
    4.0.2
    4.0.1
    4.0.0
    3.3.3
    3.3.2
    3.3.1
    3.3.0
    3.2.2
    3.2.1
    3.2.0
    3.1.1
    3.1.0
    3.0.2
    3.0.1
    3.0.0
    2.1.0
    2.0.0
    1.1.0
    1.0.1

    Top Management

    Top Management

    Top Management (TM) mode provides centralized control of multiple remote FortiDeceptor Central Management(CM) devices from a single console. In this mode, the top-level manager manages all remote FortiDeceptor managers as clients, focusing on administration, entity management, and permission control. The Top Manager also acts as a proxy console, allowing access to remote FortiDeceptor managers.

    You can configure a FortiDeceptor hardware or VM appliance to function as a Top Management Device. This device does not provide deception capabilities but serves exclusively to manage other FortiDeceptor central management devices.

    License requirements:
    • Central Management License
    Network communication requirements:

    Communication between

    From

    Top Management device and Central Management devices

    Central Management device to Top Management device:

    • Port1 IP and a self-defined port (default 9443).

    The communication port for Top Management mode must not be the same as the communication port used by Central Management devices and appliances.

    Top management device console

    When Top Management mode is enabled, the navigation pane displays only the Top Management, Network, System, and Log modules.

    Use the toolbar to manage Central Management devices:

    Button

    Description

    Approve

    Allow the selected CM Managers to be connected to this Top Management device.

    Hold

    Pause the selected CM Manager’s connection to this Top Management device.

    Delete

    Delete the selected CM Manager from this Top Management device.

    This action does not delete or change any data in the CM Manager device.

    If the CM Manager device is configured to connect to this TM device, its status will display as On-hold. To reconnect, click Approve.

    Refresh

    Force connection resynchronization between the Top Management and Central Management devices.

    Configuring top management

    To configure Top Management:
    1. Enable TM Settings on the TM Device.
    2. Enable TM Settings on the CM Device.
    3. Approve the CM device on the TM Device.
    4. Create entities.
    5. Log into the CM device.
    To configure TM Settings on the TM Device:
    1. Go to Dashboard > TM Settings and click +TM Server.
    2. Configure the Listening Interface and Port.
    3. Select the Supported Encryption Methods.
    4. Click Save.

    To configure TM Settings on the CM Device:
    1. Go to Dashboard > Status.
    2. In the System Information widget locate TM Settings and click Change.
    3. Enable Join Top Management.
    4. Configure the Manager IP, Port, Proxy Server and Encryption Method.
    5. Click Ok.

    To approve a CM Device on the TM Device:

    1. On the TM Device, go to Top Management > CM Managers . The Approval Status for the CM Manager (TM Client) will display On-Hold, and the Live Status displays Offline.

    2. Select the CM Manager (TM Client) and click Approve. The Approval Status changes to Approved and the Live Status changes to Online.

    To hold a CM Device on the TM Device:

    1. On the TM Device, go to Top Management > CM Managers.

    2. Select the CM Manager (TM Client) and click Hold. The Approval Status changes to On-Hold and the Live Status changes to Offline.

    To delete a CM Device from the TM Device:
    1. On the TM Device, go to Top Management > CM Managers.
    2. Select the CM Manager (TM Client) you want to remove.
    3. Click Delete.

    If the CM Manager device is configured to connect to this TM device, its status will display as On-hold. To reconnect, click Approve.

    Entity management

    In Top Management mode, an entity is a group within a TM device that organizes connected CM devices and associated admin users. Each entity has its own access rights, enabling different admins to manage specific CM devices independently.

    To create an entity:

    1. On the TM Device, go to Top Management > Entities and click Create New.

    2. Configure the entity and then click OK.

      Name Enter a name for the entity.
      Description Enter a descriptive name for the entity. This field is optional.
      CM Managers

      Click the plus sign (+) to select the available CM Managers.

      Admins shown in gray are assigned to other entities.

      Entity Admins

      Click the drop-down menu to select an existing administrator on this TM device. To configure the administrator accounts go to System > Administrators.

      Click the plus sign (+) to allow multiple admin accounts to access the CM Managers for this entity.

      Click the drop-down to grant Read/Write or Read privileges to CM devices in the entity.

    Accessing CM devices

    To access CM devices from the TM device:

    1. Log into FortiDeceptor with an admin account that is assigned to an entity.

    2. The top-right corner of the page displays a folder icon. Click it to access the CM device of the current entity.

    3. Click the CM device to view its dashboard, and start managing it.

    Previous
    Next

    Top Management

    Top Management

    Top Management (TM) mode provides centralized control of multiple remote FortiDeceptor Central Management(CM) devices from a single console. In this mode, the top-level manager manages all remote FortiDeceptor managers as clients, focusing on administration, entity management, and permission control. The Top Manager also acts as a proxy console, allowing access to remote FortiDeceptor managers.

    You can configure a FortiDeceptor hardware or VM appliance to function as a Top Management Device. This device does not provide deception capabilities but serves exclusively to manage other FortiDeceptor central management devices.

    License requirements:
    • Central Management License
    Network communication requirements:

    Communication between

    From

    Top Management device and Central Management devices

    Central Management device to Top Management device:

    • Port1 IP and a self-defined port (default 9443).

    The communication port for Top Management mode must not be the same as the communication port used by Central Management devices and appliances.

    Top management device console

    When Top Management mode is enabled, the navigation pane displays only the Top Management, Network, System, and Log modules.

    Use the toolbar to manage Central Management devices:

    Button

    Description

    Approve

    Allow the selected CM Managers to be connected to this Top Management device.

    Hold

    Pause the selected CM Manager’s connection to this Top Management device.

    Delete

    Delete the selected CM Manager from this Top Management device.

    This action does not delete or change any data in the CM Manager device.

    If the CM Manager device is configured to connect to this TM device, its status will display as On-hold. To reconnect, click Approve.

    Refresh

    Force connection resynchronization between the Top Management and Central Management devices.

    Configuring top management

    To configure Top Management:
    1. Enable TM Settings on the TM Device.
    2. Enable TM Settings on the CM Device.
    3. Approve the CM device on the TM Device.
    4. Create entities.
    5. Log into the CM device.
    To configure TM Settings on the TM Device:
    1. Go to Dashboard > TM Settings and click +TM Server.
    2. Configure the Listening Interface and Port.
    3. Select the Supported Encryption Methods.
    4. Click Save.

    To configure TM Settings on the CM Device:
    1. Go to Dashboard > Status.
    2. In the System Information widget locate TM Settings and click Change.
    3. Enable Join Top Management.
    4. Configure the Manager IP, Port, Proxy Server and Encryption Method.
    5. Click Ok.

    To approve a CM Device on the TM Device:

    1. On the TM Device, go to Top Management > CM Managers . The Approval Status for the CM Manager (TM Client) will display On-Hold, and the Live Status displays Offline.

    2. Select the CM Manager (TM Client) and click Approve. The Approval Status changes to Approved and the Live Status changes to Online.

    To hold a CM Device on the TM Device:

    1. On the TM Device, go to Top Management > CM Managers.

    2. Select the CM Manager (TM Client) and click Hold. The Approval Status changes to On-Hold and the Live Status changes to Offline.

    To delete a CM Device from the TM Device:
    1. On the TM Device, go to Top Management > CM Managers.
    2. Select the CM Manager (TM Client) you want to remove.
    3. Click Delete.

    If the CM Manager device is configured to connect to this TM device, its status will display as On-hold. To reconnect, click Approve.

    Entity management

    In Top Management mode, an entity is a group within a TM device that organizes connected CM devices and associated admin users. Each entity has its own access rights, enabling different admins to manage specific CM devices independently.

    To create an entity:

    1. On the TM Device, go to Top Management > Entities and click Create New.

    2. Configure the entity and then click OK.

      Name Enter a name for the entity.
      Description Enter a descriptive name for the entity. This field is optional.
      CM Managers

      Click the plus sign (+) to select the available CM Managers.

      Admins shown in gray are assigned to other entities.

      Entity Admins

      Click the drop-down menu to select an existing administrator on this TM device. To configure the administrator accounts go to System > Administrators.

      Click the plus sign (+) to allow multiple admin accounts to access the CM Managers for this entity.

      Click the drop-down to grant Read/Write or Read privileges to CM devices in the entity.

    Accessing CM devices

    To access CM devices from the TM device:

    1. Log into FortiDeceptor with an admin account that is assigned to an entity.

    2. The top-right corner of the page displays a folder icon. Click it to access the CM device of the current entity.

    3. Click the CM device to view its dashboard, and start managing it.

    Previous
    Next