CLI Reference

config system central-management

Configure central management.

config system central-management
    Description: Configure central management.
    set mode [normal|backup]
    set type [fortimanager|fortiguard|...]
    set schedule-config-restore [enable|disable]
    set schedule-script-restore [enable|disable]
    set allow-push-configuration [enable|disable]
    set allow-push-firmware [enable|disable]
    set allow-remote-firmware-upgrade [enable|disable]
    set allow-monitor [enable|disable]
    set serial-number {user}
    set fmg {user}
    set fmg-source-ip {ipv4-address}
    set fmg-source-ip6 {ipv6-address}
    set local-cert {string}
    set ca-cert {user}
    set vdom {string}
    config server-list
        Description: Additional servers that the FortiGate can use for updates (for AV, IPS, updates) and ratings (for web filter and antispam ratings).
        edit <id>
            set server-type {option1}, {option2}, ...
            set addr-type [ipv4|ipv6|...]
            set server-address {ipv4-address}
            set server-address6 {ipv6-address}
            set fqdn {string}
        next
    end
    set fmg-update-port [8890|443]
    set include-default-servers [enable|disable]
    set enc-algorithm [default|high|...]
    set interface-select-method [auto|sdwan|...]
    set interface {string}
end

config system central-management

Each parameter below is followed by its description, its type, size and default, and its options where the parameter takes a fixed set of values.

mode
    Central management mode.
    Type: option; Size: -; Default: normal
    Options:
        normal: Manage and configure this FortiGate from FortiManager.
        backup: Manage and configure this FortiGate locally and back up its configuration to FortiManager.

type
    Central management type.
    Type: option; Size: -; Default: none
    Options:
        fortimanager: FortiManager.
        fortiguard: Central management of this FortiGate using FortiCloud.
        none: No central management.

schedule-config-restore
    Enable/disable allowing the central management server to restore the configuration of this FortiGate.
    Type: option; Size: -; Default: enable
    Options:
        enable: Enable scheduled configuration restore.
        disable: Disable scheduled configuration restore.

schedule-script-restore
    Enable/disable allowing the central management server to restore the scripts stored on this FortiGate.
    Type: option; Size: -; Default: enable
    Options:
        enable: Enable scheduled script restore.
        disable: Disable scheduled script restore.

allow-push-configuration
    Enable/disable allowing the central management server to push configuration changes to this FortiGate.
    Type: option; Size: -; Default: enable
    Options:
        enable: Enable push configuration.
        disable: Disable push configuration.

allow-push-firmware
    Enable/disable allowing the central management server to push firmware updates to this FortiGate.
    Type: option; Size: -; Default: enable
    Options:
        enable: Enable push firmware.
        disable: Disable push firmware.

allow-remote-firmware-upgrade
    Enable/disable remotely upgrading the firmware on this FortiGate from the central management server.
    Type: option; Size: -; Default: enable
    Options:
        enable: Enable remote firmware upgrade.
        disable: Disable remote firmware upgrade.

allow-monitor
    Enable/disable allowing the central management server to remotely monitor this FortiGate.
    Type: option; Size: -; Default: enable
    Options:
        enable: Enable remote monitoring of device.
        disable: Disable remote monitoring of device.

serial-number
    Serial number.
    Type: user; Size: Not Specified

fmg
    IP address or FQDN of the FortiManager.
    Type: user; Size: Not Specified

fmg-source-ip
    IPv4 source address that this FortiGate uses when communicating with FortiManager.
    Type: ipv4-address; Size: Not Specified; Default: 0.0.0.0

fmg-source-ip6
    IPv6 source address that this FortiGate uses when communicating with FortiManager.
    Type: ipv6-address; Size: Not Specified; Default: ::

local-cert
    Certificate to be used by FGFM protocol.
    Type: string; Size: maximum length 35

ca-cert
    CA certificate to be used by FGFM protocol.
    Type: user; Size: Not Specified

vdom
    Virtual domain (VDOM) name to use when communicating with FortiManager.
    Type: string; Size: maximum length 31; Default: root

fmg-update-port
    Port used to communicate with FortiManager that is acting as a FortiGuard update server.
    Type: option; Size: -; Default: 8890
    Options:
        8890: Use port 8890 to communicate with FortiManager that is acting as a FortiGuard update server.
        443: Use port 443 to communicate with FortiManager that is acting as a FortiGuard update server.

include-default-servers
    Enable/disable inclusion of public FortiGuard servers in the override server list.
    Type: option; Size: -; Default: enable
    Options:
        enable: Enable inclusion of public FortiGuard servers in the override server list.
        disable: Disable inclusion of public FortiGuard servers in the override server list.

enc-algorithm
    Encryption strength for communications between the FortiGate and central management.
    Type: option; Size: -; Default: high
    Options:
        default: High strength algorithms and these medium-strength 128-bit key length algorithms: RC4-SHA, RC4-MD5, RC4-MD.
        high: 128-bit and larger key length algorithms: DHE-RSA-AES256-SHA, AES256-SHA, EDH-RSA-DES-CBC3-SHA, DES-CBC3-SHA, DES-CBC3-MD5, DHE-RSA-AES128-SHA, AES128-SHA.
        low: 64-bit or 56-bit key length algorithms without export restrictions: EDH-RSA-DES-CBC-SHA, DES-CBC-SHA, DES-CBC-MD5.

interface-select-method
    Specify how to select outgoing interface to reach server.
    Type: option; Size: -; Default: auto
    Options:
        auto: Set outgoing interface automatically.
        sdwan: Set outgoing interface by SD-WAN or policy routing rules.
        specify: Set outgoing interface manually.

interface
    Specify outgoing interface to reach server.
    Type: string; Size: maximum length 15

config server-list

server-type
    FortiGuard service type.
    Type: option; Size: -
    Options:
        update: AV, IPS, and AV-query update server.
        rating: Web filter and anti-spam rating server.

addr-type
    Indicate whether the FortiGate communicates with the override server using an IPv4 address, an IPv6 address or a FQDN.
    Type: option; Size: -; Default: ipv4
    Options:
        ipv4: IPv4 address.
        ipv6: IPv6 address.
        fqdn: FQDN.

server-address
    IPv4 address of override server.
    Type: ipv4-address; Size: Not Specified; Default: 0.0.0.0

server-address6
    IPv6 address of override server.
    Type: ipv6-address; Size: Not Specified; Default: ::

fqdn
    FQDN address of override server.
    Type: string; Size: maximum length 255
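
The following Python audit is an added example, not Fortinet code: it parses a saved config system central-management block, fills unset parameters with the defaults listed in this reference, and reports weak enc-algorithm choices, the remote-change permissions that stay enabled, and override server lists that still include the public FortiGuard servers. The function names, the SAMPLE text and the 192.0.2.10 address are constructed for illustration, and it assumes that parameters absent from the saved text keep their documented defaults.

```python
# Settings that let the management server change this FortiGate.
REMOTE_CHANGE = ("schedule-config-restore", "schedule-script-restore",
                 "allow-push-configuration", "allow-push-firmware",
                 "allow-remote-firmware-upgrade")
# Defaults from this page's parameter table, applied to parameters left unset.
DEFAULTS = {"type": "none", "enc-algorithm": "high", "include-default-servers": "enable",
            **dict.fromkeys(REMOTE_CHANGE, "enable")}
WEAK = {"default": "RC4", "low": "56/64-bit DES"}  # from the enc-algorithm options

def parse_central_management(text):
    """Return (settings, server_list) from the central-management block."""
    settings, servers, depth = {}, [], 0
    for line in map(str.strip, text.splitlines()):
        if depth == 0:  # outside the block: wait for its header
            depth = int(line == "config system central-management")
        elif line.startswith("config "):  # nested block: config server-list
            depth += 1
        elif line == "end":
            depth -= 1
        elif line.startswith("edit "):
            servers.append({"id": line.split()[1]})
        elif line.startswith("set ") and len(parts := line.split(None, 2)) == 3:
            target = servers[-1] if depth == 2 and servers else settings
            target[parts[1]] = parts[2].strip('"')
    return settings, servers

def audit(text):
    """Return review findings for one saved configuration."""
    settings, servers = parse_central_management(text)
    eff, findings = {**DEFAULTS, **settings}, []
    if (enc := eff["enc-algorithm"]) in WEAK:
        findings.append(f"enc-algorithm {enc} allows {WEAK[enc]} suites")
    enabled = [k for k in REMOTE_CHANGE if eff[k] == "enable"]
    if eff["type"] != "none" and enabled:
        findings.append(f"{eff['type']} may change this device via: " + ", ".join(enabled))
    if servers and eff["include-default-servers"] == "enable":
        findings.append("public FortiGuard servers remain in the override server list")
    return findings

# Constructed sample input, not taken from a real device.
SAMPLE = """config system central-management
    set type fortimanager
    set enc-algorithm default
    set allow-push-firmware disable
    config server-list
        edit 1
            set server-address 192.0.2.10
        next
    end
end"""
```

audit(SAMPLE) returns three findings; the allow-push-firmware override in the sample removes that setting from the second one.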
