Administration Guide

Configuring FortiManager

When a FortiManager device is added to the Security Fabric, it automatically synchronizes with any connected downstream devices.

To add a FortiManager to the Security Fabric, configure it on the root FortiGate. The root FortiGate then pushes this configuration to downstream FortiGate devices. The FortiManager provides remote management of FortiGate devices over TCP port 541. The FortiManager must have internet access for it to join the Security Fabric.

Once configured, the FortiGate can receive antivirus and IPS updates and allow remote management through FortiManager or the FortiGate Cloud service. The FortiGate management option must be enabled so that the FortiGate can accept management updates to its firmware and FortiGuard services.

Adding a FortiManager device to the Security Fabric requires the following steps in FortiOS:

  • Specify the FortiManager IP address or domain name.
  • Approve the FortiManager serial number returned by the FortiManager server certificate. This ensures that the administrator is connecting the FortiGate to the desired FortiManager.

You can complete the steps in FortiOS by using the GUI or CLI.

After you complete the steps in FortiOS, go to FortiManager to complete the process by authorizing the FortiGate.

To add a FortiManager to the Security Fabric using the CLI:
  1. Provide FortiManager connection information:
    config system central-management
        set type fortimanager
        set fmg {<IP_address> | <Domain name>}
        set serial-number <FMG serial number>
    end
  2. Approve the returned FortiManager serial number:

    When configuring the FortiManager connection from the CLI, no prompt is available to approve the returned FortiManager serial number. Therefore you must provide the following command:

    execute central-mgmt <fmg-serial-no> <PSK>

    Note: If you have not previously configured a model device in FortiManager and leveraged a pre-shared key for registration, you can enter any character for the PSK field in the execute central-mgmt command.

  3. Go to FortiManager and authorize the FortiGate. See Authorizing the FortiGate in FortiManager.
  4. If necessary, on the FortiGate use the diagnose fdsm central-mgmt-status command to diagnose the connection.
    • If the connection is not yet successful because the FortiManager serial number is not verified, the following information is displayed:

      # diagnose fdsm central-mgmt-status
      Connection status: Handshake
      Registration status: Unknown
      Serial: FMGVMSTM2300xxxx

    • If the connection is up, but the FortiGate has not been authorized by FortiManager, the following information is displayed:

      # diagnose fdsm central-mgmt-status
      Connection status: Up
      Registration status: Unregistered
      Serial: FMGVMSTM2300xxxx

    • If the connection is up, and the FortiGate has been authorized, the following information is displayed:

      # diagnose fdsm central-mgmt-status
      Connection status: Up
      Registration status: Registered
      Serial: FMGVMSTM2300xxxx
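
The following is an added example, not part of the FortiOS guide or any Fortinet tool: a small Python helper that parses the three diagnose fdsm central-mgmt-status outputs shown above and checks the reported FortiManager serial against the one the administrator expects, so an onboarding script refuses to proceed if the FortiGate is talking to a FortiManager other than the intended one. The sample outputs and the expected serial are constructed placeholders modelled on the guide's text.

```python
import re

# Constructed sample outputs, modelled on the three states the guide lists
# for "diagnose fdsm central-mgmt-status" (the serial is a placeholder).
SAMPLES = {
    "handshake": "Connection status: Handshake\nRegistration status: Unknown\nSerial: FMGVMSTM2300xxxx\n",
    "unregistered": "Connection status: Up\nRegistration status: Unregistered\nSerial: FMGVMSTM2300xxxx\n",
    "registered": "Connection status: Up\nRegistration status: Registered\nSerial: FMGVMSTM2300xxxx\n",
}

# One "Field: value" pair per line; re.M makes ^ match at each line start.
FIELD_RE = re.compile(r"^(Connection status|Registration status|Serial):\s*(\S+)", re.M)


def parse_status(output):
    """Return the three fields as a dict; raise ValueError if any is missing."""
    fields = dict(FIELD_RE.findall(output))
    missing = {"Connection status", "Registration status", "Serial"} - fields.keys()
    if missing:
        raise ValueError(f"unexpected diagnose output, missing {sorted(missing)}")
    return fields


def assess(output, expected_serial):
    """Map diagnose output to (registered, next_action).

    The serial comparison mirrors the guide's point: approving the returned
    serial is what ensures the FortiGate joins the intended FortiManager, so
    a mismatch is reported before any approval step is suggested.
    """
    f = parse_status(output)
    if f["Serial"] != expected_serial:
        return False, f"serial mismatch: got {f['Serial']}, expected {expected_serial}; do not approve"
    conn, reg = f["Connection status"], f["Registration status"]
    if conn == "Handshake" and reg == "Unknown":
        return False, "serial not yet verified: run 'execute central-mgmt <fmg-serial-no> <PSK>'"
    if conn == "Up" and reg == "Unregistered":
        return False, "authorize the FortiGate in FortiManager Device Manager"
    if conn == "Up" and reg == "Registered":
        return True, "registered with FortiManager"
    return False, f"unrecognised state: {conn}/{reg}"


if __name__ == "__main__":
    for name, out in SAMPLES.items():
        print(name, "->", assess(out, "FMGVMSTM2300xxxx"))
```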

To add a FortiManager to the Security Fabric using the GUI:
  1. On the root FortiGate, go to Security Fabric > Fabric Connectors and double-click the FortiManager card.

    The FortiManager card is used to configure the FortiManager connection information.

  2. For Status, click Enable.
  3. For Type, click On-Premise.

  4. Enter the IP/Domain Name of the FortiManager.
  5. Click OK.

    The Verify FortiManager Serial Number pane appears.

  6. Review the serial number, and click Accept.

    The Confirm pane appears, indicating the FortiGate must be authorized on FortiManager.

  7. Click OK.
  8. Go to FortiManager and authorize the FortiGate. See Authorizing the FortiGate in FortiManager.
  9. After the FortiGate is registered, log in to FortiGate again as either read-only or read/write.
  10. Go to Security Fabric > Fabric Connectors and double-click the FortiManager card. The Status is updated to Enabled.

Authorizing the FortiGate in FortiManager

After completing the GUI or CLI steps in FortiOS, go to FortiManager to authorize the FortiGate, which completes the process.

To authorize the FortiGate in FortiManager:
  1. On FortiManager, go to Device Manager and find the FortiGate in the Unauthorized Devices list.

    The unauthorized device list is located in the root ADOM, regardless of the firmware version of the root ADOM or FortiOS.

  2. Select the FortiGate device or devices, and click Authorize in the toolbar.
  3. In the Authorize Device pop-up, adjust the device names as needed, select the appropriate ADOM (if applicable), and click OK.

For more information about using FortiManager, see the FortiManager Administration Guide.