CLI Reference

config system central-management

Configure central management.

config system central-management
    Description: Configure central management.
    set allow-monitor [enable|disable]
    set allow-push-configuration [enable|disable]
    set allow-push-firmware [enable|disable]
    set allow-remote-firmware-upgrade [enable|disable]
    set allow-remote-lte-firmware-upgrade [enable|disable]
    set ca-cert {user}
    set enc-algorithm [default|high|...]
    set fmg {user}
    set fmg-source-ip {ipv4-address}
    set fmg-source-ip6 {ipv6-address}
    set fmg-update-port [8890|443]
    set include-default-servers [enable|disable]
    set interface {string}
    set interface-select-method [auto|sdwan|...]
    set local-cert {string}
    set ltefw-upgrade-frequency [everyHour|every12hour|...]
    set ltefw-upgrade-time {string}
    set mode [normal|backup]
    set schedule-config-restore [enable|disable]
    set schedule-script-restore [enable|disable]
    set serial-number {user}
    config server-list
        Description: Additional servers that the FortiGate can use for updates (for AV, IPS, updates) and ratings (for web filter and antispam ratings) servers.
        edit <id>
            set server-type {option1}, {option2}, ...
            set addr-type [ipv4|ipv6|...]
            set server-address {ipv4-address}
            set server-address6 {ipv6-address}
            set fqdn {string}
        next
    end
    set type [fortimanager|fortiguard|...]
    set use-elbc-vdom [enable|disable]
    set vdom {string}
end

config system central-management

| Parameter | Description | Type | Size | Default |
| --- | --- | --- | --- | --- |
| allow-monitor | Enable/disable allowing the central management server to remotely monitor this FortiGate unit. Options: enable = Enable remote monitoring of device; disable = Disable remote monitoring of device. | option | - | enable |
| allow-push-configuration | Enable/disable allowing the central management server to push configuration changes to this FortiGate. Options: enable = Enable push configuration; disable = Disable push configuration. | option | - | enable |
| allow-push-firmware | Enable/disable allowing the central management server to push firmware updates to this FortiGate. Options: enable = Enable push firmware; disable = Disable push firmware. | option | - | enable |
| allow-remote-firmware-upgrade | Enable/disable remotely upgrading the firmware on this FortiGate from the central management server. Options: enable = Enable remote firmware upgrade; disable = Disable remote firmware upgrade. | option | - | enable |
| allow-remote-lte-firmware-upgrade * | Enable/disable remotely upgrading the lte firmware on this FortiGate from the central management server. Options: enable = Enable remote lte firmware upgrade; disable = Disable remote lte firmware upgrade. | option | - | enable |
| ca-cert | CA certificate to be used by FGFM protocol. | user | Not Specified | |
| enc-algorithm | Encryption strength for communications between the FortiGate and central management. Options: default = High strength algorithms and medium-strength 128-bit key length algorithms; high = 128-bit and larger key length algorithms; low = 64-bit or 56-bit key length algorithms without export restrictions. | option | - | high |
| fmg | IP address or FQDN of the FortiManager. | user | Not Specified | |
| fmg-source-ip | IPv4 source address that this FortiGate uses when communicating with FortiManager. | ipv4-address | Not Specified | 0.0.0.0 |
| fmg-source-ip6 | IPv6 source address that this FortiGate uses when communicating with FortiManager. | ipv6-address | Not Specified | :: |
| fmg-update-port | Port used to communicate with FortiManager that is acting as a FortiGuard update server. Options: 8890 = Use port 8890 to communicate with FortiManager that is acting as a FortiGuard update server; 443 = Use port 443 to communicate with FortiManager that is acting as a FortiGuard update server. | option | - | 8890 |
| include-default-servers | Enable/disable inclusion of public FortiGuard servers in the override server list. Options: enable = Enable inclusion of public FortiGuard servers in the override server list; disable = Disable inclusion of public FortiGuard servers in the override server list. | option | - | enable |
| interface | Specify outgoing interface to reach server. | string | Maximum length: 15 | |
| interface-select-method | Specify how to select outgoing interface to reach server. Options: auto = Set outgoing interface automatically; sdwan = Set outgoing interface by SD-WAN or policy routing rules; specify = Set outgoing interface manually. | option | - | auto |
| local-cert | Certificate to be used by FGFM protocol. | string | Maximum length: 35 | |
| ltefw-upgrade-frequency * | Set LTE firmware auto pushdown frequency. Options: everyHour = Auto check and pushdown LTE firmware every hour; every12hour = Auto check and pushdown LTE firmware every 12 hours; everyDay = Auto check and pushdown LTE firmware every day; everyWeek = Auto check and pushdown LTE firmware every week. | option | - | |
| ltefw-upgrade-time * | Schedule next LTE firmware upgrade time (Local Time). Format: YYYY-MM-DD HH:MM:SS | string | Maximum length: 35 | |
| mode | Central management mode. Options: normal = Manage and configure this FortiGate from FortiManager; backup = Manage and configure this FortiGate locally and back up its configuration to FortiManager. | option | - | normal |
| schedule-config-restore | Enable/disable allowing the central management server to restore the configuration of this FortiGate. Options: enable = Enable scheduled configuration restore; disable = Disable scheduled configuration restore. | option | - | enable |
| schedule-script-restore | Enable/disable allowing the central management server to restore the scripts stored on this FortiGate. Options: enable = Enable scheduled script restore; disable = Disable scheduled script restore. | option | - | enable |
| serial-number | Serial number. | user | Not Specified | |
| type | Central management type. Options: fortimanager = FortiManager; fortiguard = Central management of this FortiGate using FortiCloud; none = No central management. | option | - | none |
| use-elbc-vdom * | Enable/disable use of special ELBC config sync VDOM to connect to FortiManager. Options: enable = enable; disable = disable. | option | - | disable |
| vdom | Virtual domain (VDOM) name to use when communicating with FortiManager. | string | Maximum length: 31 | root |

* This parameter may not exist in some models.

config server-list

| Parameter | Description | Type | Size | Default |
| --- | --- | --- | --- | --- |
| id | ID. | integer | Minimum value: 0 Maximum value: 4294967295 | 0 |
| server-type | FortiGuard service type. Options: update = AV, IPS, and AV-query update server; rating = Web filter and anti-spam rating server; iot-query = IoT query server; iot-collect = IoT device collection server. | option | - | |
| addr-type | Indicate whether the FortiGate communicates with the override server using an IPv4 address, an IPv6 address or a FQDN. Options: ipv4 = IPv4 address; ipv6 = IPv6 address; fqdn = FQDN. | option | - | ipv4 |
| server-address | IPv4 address of override server. | ipv4-address | Not Specified | 0.0.0.0 |
| server-address6 | IPv6 address of override server. | ipv6-address | Not Specified | :: |
| fqdn | FQDN address of override server. | string | Maximum length: 255 | |
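
The parameters above decide what the central management server is allowed to do to this FortiGate and how strongly the channel is encrypted. The following Python is an added example for reviewing those settings in a saved configuration; it is not Fortinet code. The function names and the sample configuration are constructed, and it assumes the input is `show` output, which leaves out settings that are still at their default.

```python
# Defaults copied from the parameter table on this page. Assumption: the input
# is `show` output, which omits settings that are still at their default.
DEFAULTS = {"type": "none", "enc-algorithm": "high", "include-default-servers": "enable"}
DEFAULTS.update({k: "enable" for k in ("allow-monitor", "allow-push-configuration",
                 "allow-push-firmware", "allow-remote-firmware-upgrade")})
ADDRESS_KEY = {"ipv4": "server-address", "ipv6": "server-address6", "fqdn": "fqdn"}

def parse_central_management(text):
    """Return (settings, server_list) from the central-management block."""
    settings, servers, depth = dict(DEFAULTS), [], 0
    for words in (line.split() for line in text.splitlines()):
        if not words:
            continue
        if depth == 0:  # ignore everything outside the block
            depth = int(words == ["config", "system", "central-management"])
        elif words[0] == "config":
            depth += 1
        elif words[0] == "end":
            depth -= 1
        elif words[0] == "edit":  # new server-list entry; addr-type defaults to ipv4
            servers.append({"id": words[1], "addr-type": "ipv4"})
        elif words[0] == "set" and len(words) > 2:
            target = settings if depth == 1 else servers[-1]
            target[words[1]] = " ".join(words[2:]).replace('"', "")
    return settings, servers

def review(text):
    """Summarise what the management server may do and over which channel."""
    s, servers = parse_central_management(text)
    return {
        "managed_by": s["type"],
        "weak_encryption": s["enc-algorithm"] == "low",  # 64-bit or 56-bit keys
        "remote_actions": sorted(k for k, v in s.items()
                                 if k.startswith("allow-") and v == "enable"),
        "override_servers": [e.get(ADDRESS_KEY[e["addr-type"]]) for e in servers],
        "public_fortiguard_servers": s["include-default-servers"] == "enable",
    }

SAMPLE = """config system central-management
    set type fortimanager
    set enc-algorithm low
    set allow-push-firmware disable
    set include-default-servers disable
    config server-list
        edit 1
            set server-type update rating
            set server-address 192.0.2.20
        next
    end
end"""  # constructed sample, not taken from a real device
```

`review(SAMPLE)` reports the `low` encryption setting, the remote actions still enabled, and that updates and ratings come only from the listed override server because public FortiGuard servers are excluded.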
