Administration Guide

Configuring FortiManager

When a FortiManager device is added to the Security Fabric, it automatically synchronizes with any connected downstream devices.

To add a FortiManager to the Security Fabric, configure it on the root FortiGate. The root FortiGate then pushes this configuration to downstream FortiGate devices. The FortiManager provides remote management of FortiGate devices over TCP port 541. The FortiManager must have internet access for it to join the Security Fabric.

Once configured, the FortiGate can receive antivirus and IPS updates, and allows remote management through FortiManager or the FortiGate Cloud service. The FortiGate management option must be enabled so that the FortiGate can accept management updates to its firmware and FortiGuard services.

Adding a FortiManager device to the Security Fabric requires the following steps in FortiOS:

  • Specify the FortiManager IP address or domain name.
  • Approve the FortiManager serial number that is returned by the provided IP address or domain name.

You can complete the steps in FortiOS by using the GUI or CLI.

After you complete the steps in FortiOS, go to FortiManager to complete the process by authorizing the FortiGate.

To add a FortiManager to the Security Fabric using the CLI:
  1. Provide FortiManager connection information:
    config system central-management
        set type fortimanager
        set fmg {<IP_address> | <Domain name>}
    end
    
  2. Approve the returned FortiManager serial number:

    When you configure the FortiManager connection from the CLI, no prompt is available to approve the returned FortiManager serial number. You must therefore run the following command:

    execute central-mgmt <fmg-serial-no> <PSK>

    Note: If you have not previously configured a model device in FortiManager and leveraged a pre-shared key for registration, you can enter any character for the PSK field in the execute central-mgmt command.

  3. Go to FortiManager and authorize the FortiGate. See Authorizing the FortiGate in FortiManager.
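
The connection settings from step 1 can be checked afterwards in a configuration backup. The following Python script is an added example, not Fortinet code: it reads the `config system central-management` block and reports when `type` or `fmg` differ from policy. The sample backup, the function names and the approved-manager set are constructed for illustration.

```python
import shlex

# Constructed sample of a FortiGate configuration backup (not from a real device).
SAMPLE_BACKUP = '''\
config system global
    set hostname "root-fgt"
end
config system central-management
    set type fortimanager
    set fmg "fmg.example.net"
    config server-list
        edit 1
            set server-type update
        next
    end
end
'''

def central_management(backup_text):
    """Return the top-level 'set' values of 'config system central-management'."""
    settings, depth, inside = {}, 0, False
    for raw in backup_text.splitlines():
        try:
            tokens = shlex.split(raw)
        except ValueError:  # unbalanced quote: start of a multi-line value
            tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "config":
            depth += 1
            if depth == 1:
                inside = tokens[1:] == ["system", "central-management"]
        elif tokens[0] == "end":
            depth = max(depth - 1, 0)
            if depth == 0:
                inside = False
        elif inside and depth == 1 and tokens[0] == "set" and len(tokens) >= 3:
            settings[tokens[1]] = " ".join(tokens[2:])  # nested sub-tables are skipped
    return settings

def audit(backup_text, approved_managers):
    """List findings; an empty list means the manager settings match policy."""
    cm = central_management(backup_text)
    findings = []
    if cm.get("type") != "fortimanager":
        findings.append(f"type is {cm.get('type')!r}, expected 'fortimanager'")
    if cm.get("fmg") not in approved_managers:
        findings.append(f"fmg {cm.get('fmg')!r} is not an approved FortiManager")
    return findings
```

Run `audit()` over the backups of the root and downstream FortiGates with the set of addresses your team has approved; any finding points to a device managed from an unexpected address.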

To add a FortiManager to the Security Fabric using the GUI:
  1. On the root FortiGate, go to Security Fabric > Fabric Connectors and double-click the FortiManager card.

    The FortiManager card is used to configure the FortiManager connection information.

  2. For Status, click Enable.
  3. For Type, click On-Premise.

  4. Enter the IP/Domain Name of the FortiManager.
  5. Click OK.

    The Confirm pane appears.

  6. Review the serial number, and click OK.
  7. Go to FortiManager and authorize the FortiGate. See Authorizing the FortiGate in FortiManager.

Authorizing the FortiGate in FortiManager

After completing the GUI or CLI steps in FortiOS, go to FortiManager to authorize the FortiGate, which completes the process.

To authorize the FortiGate in FortiManager:
  1. On FortiManager, go to Device Manager and find the FortiGate in the Unauthorized Devices list.

    The unauthorized device list is located in the root ADOM, regardless of the firmware version of the root ADOM or FortiOS.

  2. Select the FortiGate device or devices, and click Authorize in the toolbar.
  3. In the Authorize Device pop-up, adjust the device names as needed, select the appropriate ADOM (if applicable), and click OK.

For more information about using FortiManager, see the FortiManager Administration Guide.
