Fortinet Document Library

Version:


Table of Contents

CLI Reference

6.0.0
Download PDF
Copy Link

system central-management

Use this command to configure central management for your FortiGate unit. Central management uses a remote location to backup, restore, and monitor the FortiGate unit's configuration. This can be either a FortiManager or the FortiCloud network.

config system central-management
    set mode {normal | backup}   Central management mode.
            normal  Manage and configure this FortiGate from FortiManager.
            backup  Manage and configure this FortiGate locally and back up its configuration to FortiManager.
    set type {fortimanager | fortiguard | none}   Central management type.
            fortimanager  FortiManager.
            fortiguard    Central management of this FortiGate using FortiCloud.
            none          No central management.
    set schedule-config-restore {enable | disable}   Enable/disable allowing the central management server to restore the configuration of this FortiGate.
    set schedule-script-restore {enable | disable}   Enable/disable allowing the central management server to restore the scripts stored on this FortiGate.
    set allow-push-configuration {enable | disable}   Enable/disable allowing the central management server to push configuration changes to this FortiGate.
    set allow-push-firmware {enable | disable}   Enable/disable allowing the central management server to push firmware updates to this FortiGate.
    set allow-remote-firmware-upgrade {enable | disable}   Enable/disable remotely upgrading the firmware on this FortiGate from the central management server.
    set allow-monitor {enable | disable}   Enable/disable allowing the central management server to remotely monitor this FortiGate.
    
    set serial-number {string}   Serial number.
    set fmg {string}   IP address or FQDN of the FortiManager.
    set fmg-source-ip {ipv4 address}   IPv4 source address that this FortiGate uses when communicating with FortiManager.
    set fmg-source-ip6 {ipv6 address}   IPv6 source address that this FortiGate uses when communicating with FortiManager.
    set vdom {string}   Virtual domain (VDOM) name to use when communicating with FortiManager. size[31] - datasource(s): system.vdom.name
    config server-list
        edit {id}
        # Additional severs that the FortiGate can use for updates (for AV, IPS, updates) and ratings (for web filter and antispam ratings) servers.
            set id {integer}   ID. range[0-4294967295]
            set server-type {update | rating}   FortiGuard service type.
                    update  AV, IPS, and AV-query update server.
                    rating  Web filter and anti-spam rating server.
            set addr-type {ipv4 | ipv6 | fqdn}   Indicate whether the FortiGate communicates with the override server using an IPv4 address, an IPv6 address or a FQDN.
                    ipv4  IPv4 address.
                    ipv6  IPv6 address.
                    fqdn  FQDN.
            set server-address {ipv4 address}   IPv4 address of override server.
            set server-address6 {ipv6 address}   IPv6 address of override server.
            set fqdn {string}   FQDN address of override server. size[255]
        next
    set include-default-servers {enable | disable}   Enable/disable inclusion of public FortiGuard servers in the override server list.
    set enc-algorithm {default | high | low}   Encryption strength for communications between the FortiGate and central management.
            default  High strength algorithms and these medium-strength 128-bit key length algorithms: RC4-SHA, RC4-MD5, RC4-MD.
            high     128-bit and larger key length algorithms: DHE-RSA-AES256-SHA, AES256-SHA, EDH-RSA-DES-CBC3-SHA, DES-CBC3-SHA, DES-CBC3-MD5, DHE-RSA-AES128-SHA, AES128-SHA.
            low      64-bit or 56-bit key length algorithms without export restrictions: EDH-RSA-DES-CDBC-SHA, DES-CBC-SHA, DES-CBC-MD5.
end

mode {normal | backup}

Identify central management mode. Default is normal.

  • normal:  manage and configure the connected FortiGate devices from the FortiManager GUI.
  • backup:  backup the FortiGate configurations to the FortiManager, but configure each FortiGate locally.

type {fortiguard | fortimanager | none}

Specify the type of central management. Setting type to fortiguard in the CLI is the same as setting it to FortiCloud in the GUI. FortiCloud used to be known as the FortiGuard Analysis and Management Service network. Default is fortimanager.

schedule-config-restore {enable | disable}

Enable/disable scheduling the restoration of your FortiGate's configuration. Default is enable.

schedule-script-restore {enable | disable}

Enable/disable scheduling the restoration of your FortiGate's configuration through scripts. Default is enable.

allow-push-configuration {enable | disable}

Enable/disable configuration image push updates for your FortiGate. Default is enable.

allow-pushd-firmware  {enable | disable}

Enable/disable push firmware. Default is enable.

allow-remote-firmware-upgrade {enable | disable}

Enable/disable remote upgrading of your FortiGate to a new firmware. Default is enable.

allow-monitor {enable | disable}

Enable/disable remote monitoring of your FortiGate unit. Default is enable.

fmg <fmg_ipv4>

Specify the IP address or FQDN of the remote FortiManager server. Appears only when type is set to fortimanager.

fmg-source-ip <address_ipv4>

Specify the source IPv4 address to use when connecting to FortiManager. Appears only when type is set to fortimanager.

fmg-source-ip6

Specify the source IPv6 address to use when connecting to FortiManager. Appears only when type is set to fortimanager.

vdom <name_str>

Optional. Specify name of virtual domain (VDOM) to use when communicating with FortiManager. Default is root.

enc-algorithm {default | high | low}

Specify encryption strength for communications between the FortiGate unit and FortiManager. Default is high.

  • default:  high- and medium-strength algorithms
  • high:  128-bit and larger key length algorithms
  • low:  64-bit or 56-bit key length algorithms without export restrictions

config server-list

server-type {rating | update}

Specify the FortiGuard service type.

  • rating:  web filter or anti-spam rating server
  • update: AV, IPS, or AV-query server

addr-type {ipv4 | ipv6}

Identify override server's address type.

server-address <ipv4>

Specify the override server's IPv4 address.

server-address6 <ipv6>

Specify the override server's IPv6 address.

system central-management

Use this command to configure central management for your FortiGate unit. Central management uses a remote location to backup, restore, and monitor the FortiGate unit's configuration. This can be either a FortiManager or the FortiCloud network.

config system central-management
    set mode {normal | backup}   Central management mode.
            normal  Manage and configure this FortiGate from FortiManager.
            backup  Manage and configure this FortiGate locally and back up its configuration to FortiManager.
    set type {fortimanager | fortiguard | none}   Central management type.
            fortimanager  FortiManager.
            fortiguard    Central management of this FortiGate using FortiCloud.
            none          No central management.
    set schedule-config-restore {enable | disable}   Enable/disable allowing the central management server to restore the configuration of this FortiGate.
    set schedule-script-restore {enable | disable}   Enable/disable allowing the central management server to restore the scripts stored on this FortiGate.
    set allow-push-configuration {enable | disable}   Enable/disable allowing the central management server to push configuration changes to this FortiGate.
    set allow-push-firmware {enable | disable}   Enable/disable allowing the central management server to push firmware updates to this FortiGate.
    set allow-remote-firmware-upgrade {enable | disable}   Enable/disable remotely upgrading the firmware on this FortiGate from the central management server.
    set allow-monitor {enable | disable}   Enable/disable allowing the central management server to remotely monitor this FortiGate.
    
    set serial-number {string}   Serial number.
    set fmg {string}   IP address or FQDN of the FortiManager.
    set fmg-source-ip {ipv4 address}   IPv4 source address that this FortiGate uses when communicating with FortiManager.
    set fmg-source-ip6 {ipv6 address}   IPv6 source address that this FortiGate uses when communicating with FortiManager.
    set vdom {string}   Virtual domain (VDOM) name to use when communicating with FortiManager. size[31] - datasource(s): system.vdom.name
    config server-list
        edit {id}
        # Additional severs that the FortiGate can use for updates (for AV, IPS, updates) and ratings (for web filter and antispam ratings) servers.
            set id {integer}   ID. range[0-4294967295]
            set server-type {update | rating}   FortiGuard service type.
                    update  AV, IPS, and AV-query update server.
                    rating  Web filter and anti-spam rating server.
            set addr-type {ipv4 | ipv6 | fqdn}   Indicate whether the FortiGate communicates with the override server using an IPv4 address, an IPv6 address or a FQDN.
                    ipv4  IPv4 address.
                    ipv6  IPv6 address.
                    fqdn  FQDN.
            set server-address {ipv4 address}   IPv4 address of override server.
            set server-address6 {ipv6 address}   IPv6 address of override server.
            set fqdn {string}   FQDN address of override server. size[255]
        next
    set include-default-servers {enable | disable}   Enable/disable inclusion of public FortiGuard servers in the override server list.
    set enc-algorithm {default | high | low}   Encryption strength for communications between the FortiGate and central management.
            default  High strength algorithms and these medium-strength 128-bit key length algorithms: RC4-SHA, RC4-MD5, RC4-MD.
            high     128-bit and larger key length algorithms: DHE-RSA-AES256-SHA, AES256-SHA, EDH-RSA-DES-CBC3-SHA, DES-CBC3-SHA, DES-CBC3-MD5, DHE-RSA-AES128-SHA, AES128-SHA.
            low      64-bit or 56-bit key length algorithms without export restrictions: EDH-RSA-DES-CDBC-SHA, DES-CBC-SHA, DES-CBC-MD5.
end

mode {normal | backup}

Identify central management mode. Default is normal.

  • normal:  manage and configure the connected FortiGate devices from the FortiManager GUI.
  • backup:  backup the FortiGate configurations to the FortiManager, but configure each FortiGate locally.

type {fortiguard | fortimanager | none}

Specify the type of central management. Setting type to fortiguard in the CLI is the same as setting it to FortiCloud in the GUI. FortiCloud used to be known as the FortiGuard Analysis and Management Service network. Default is fortimanager.

schedule-config-restore {enable | disable}

Enable/disable scheduling the restoration of your FortiGate's configuration. Default is enable.

schedule-script-restore {enable | disable}

Enable/disable scheduling the restoration of your FortiGate's configuration through scripts. Default is enable.

allow-push-configuration {enable | disable}

Enable/disable configuration image push updates for your FortiGate. Default is enable.

allow-pushd-firmware  {enable | disable}

Enable/disable push firmware. Default is enable.

allow-remote-firmware-upgrade {enable | disable}

Enable/disable remote upgrading of your FortiGate to a new firmware. Default is enable.

allow-monitor {enable | disable}

Enable/disable remote monitoring of your FortiGate unit. Default is enable.

fmg <fmg_ipv4>

Specify the IP address or FQDN of the remote FortiManager server. Appears only when type is set to fortimanager.

fmg-source-ip <address_ipv4>

Specify the source IPv4 address to use when connecting to FortiManager. Appears only when type is set to fortimanager.

fmg-source-ip6

Specify the source IPv6 address to use when connecting to FortiManager. Appears only when type is set to fortimanager.

vdom <name_str>

Optional. Specify name of virtual domain (VDOM) to use when communicating with FortiManager. Default is root.

enc-algorithm {default | high | low}

Specify encryption strength for communications between the FortiGate unit and FortiManager. Default is high.

  • default:  high- and medium-strength algorithms
  • high:  128-bit and larger key length algorithms
  • low:  64-bit or 56-bit key length algorithms without export restrictions

config server-list

server-type {rating | update}

Specify the FortiGuard service type.

  • rating:  web filter or anti-spam rating server
  • update: AV, IPS, or AV-query server

addr-type {ipv4 | ipv6}

Identify override server's address type.

server-address <ipv4>

Specify the override server's IPv4 address.

server-address6 <ipv6>

Specify the override server's IPv6 address.