Administration Guide

Setting up FortiManager
- Connecting to the GUI
  - FortiManager Setup wizard
  - Activating VM licenses
- Security considerations
- GUI overview
- FortiAnalyzer Features
  - Enable or disable FortiAnalyzer features
- Initial setup
- Restarting and shutting down
FortiManager Key Concepts
- Communication through protocols
- Configuration through Device Manager
- ADOMs and devices
- Operations
- Key features of the FortiManager system
Dashboard
- Customizing the dashboard
- System Information widget
- System Resources widget
- License Information widget
- Unit Operation widget
- Alert Messages Console widget
- Log Receive Monitor widget
- Insert Rate vs Receive Rate widget
- Log Insert Lag Time widget
- Receive Rate vs Forwarding Rate widget
- Disk I/O widget
- Device widgets
- Restart, shut down, or reset FortiManager
Device Manager
- ADOMs
- Device & Groups
- Scripts
- Provisioning Templates
- Firmware templates
- Monitors
- FortiMeter
- FortiGate chassis devices
  - Viewing chassis dashboard
Policy & Objects
- About policies
  - Policy theory
  - Global policy packages
- Policy workflow
  - Provisioning new devices
  - Day-to-day management of devices
- Feature visibility
- Managing policy packages
- Managing policies
- Using Policy Blocks
- Managing objects and dynamic objects
- ADOM revisions
AP Manager
- Managed FortiAPs
- WiFi Maps
  - Google map
  - Floor map
- WiFi profiles and settings for central management
- WiFi profiles and settings for per-device management
  - Enabling FortiAP per-device management
  - Creating profiles
VPN Manager
- Overview
- Enabling central VPN management
- DDNS support
- VPN Setup Wizard supports device groups
- IPsec VPN
- SSL VPN
- VPN security policies
  - Defining policy addresses
  - Defining security policies
Fabric View
- Security Fabric Topology
- Security Rating
  - Viewing Security Fabric Ratings
  - Security Fabric score
- Fabric Connectors
  - Core Network Security
    - Creating FortiClient EMS connectors
- External Connectors
- Cloud Orchestration
FortiGuard
- Device licenses
  - View licensing status
- Package management
- Query services
- Firmware images
- Download prioritization
  - Product download prioritization
  - Package download prioritization
- External resources
- Settings
- Enabling FDN third-party SSL validation and Anycast support
- Configuring devices to use the built-in FDS
- Configuring FortiGuard services
- Logging events related to FortiGuard services
  - Logging FortiGuard antivirus and IPS updates
  - Logging FortiGuard web or email filter events
- Restoring the URL or antispam database
FortiSwitch Manager
- Managed FortiSwitches
- FortiSwitch central management
  - Enabling FortiSwitch central management
  - FortiSwitch Templates
- FortiSwitch per-device management
Extender Manager
- Managed extenders
  - Managing FortiExtender devices
- Extender profiles
System Settings
- Logging Topology
- Network
- RAID Management
- Administrative Domains (ADOMs)
- Certificates
- Event Log
  - Event log filtering
- Task Monitor
- Mail Server
- Syslog Server
  - Send local logs to syslog server
- Meta Fields
- Device logs
  - Configuring rolling and uploading of logs using the GUI
  - Configuring rolling and uploading of logs using the CLI
- File Management
- Miscellaneous Settings
Administrators
- Trusted hosts
- Monitoring administrators
- Disconnecting administrators
- Managing administrator accounts
- Restricted administrators
- Administrator profiles
- Workspace
- Authentication
- Global administration settings
- Multi-factor authentication
  - Multi-factor authentication with FortiAuthenticator
    - Configuring FortiAuthenticator
    - Configuring FortiManager
  - Multi-factor authentication with FortiToken Cloud
High Availability
- Synchronizing the FortiManager configuration and HA heartbeat
- If the primary or a backup unit fails
- FortiManager HA cluster startup steps
- Configuring HA options
- Monitoring HA status
- Upgrading the FortiManager firmware for an operating cluster
Management Extensions
- FortiAIOps MEA
- FortiSigConverter MEA
- FortiSOAR MEA
- FortiWLM MEA
- Policy Analyzer MEA
- Universal Connector MEA
- Enabling management extension applications
  - CLI for management extensions
- Accessing management extension logs
- Checking for new versions and upgrading
Appendix A - Supported RFC Notes
Appendix B - Policy ID support
Appendix C - Re-establishing the FGFM tunnel after VM license migration
Appendix D - FortiManager Ansible Collection documentation
Change Log

Home FortiManager 7.4.5 Administration Guide

7.4.5

Configuring network interfaces

Fortinet devices can be connected to any of the FortiManager unit's interfaces. The DNS servers must be on the networks to which the FortiManager unit connects, and should have two different IP addresses.

If the FortiManager unit is operating as part of an HA cluster, it is recommended to configure interfaces dedicated for the HA connection / synchronization. However, it is possible to use the same interfaces for both HA and device management. The HA interface will have /HA appended to its name.

The following port configuration is recommended:

Use port 1 for device log traffic, and disable unneeded services on it, such as SSH, Web Service, and so on.
Use a second port for administrator access, and enable HTTPS, Web Service, and SSH for this port. Leave other services disabled.

To configure port 1:

Go to System Settings > Network.The Interface pane is displayed at the top of the page.
In the Interface pane, double-click Port1. The Edit System Interface pane is displayed.

Configure the following settings for port1, then click OK to apply your changes.

Name

Displays the name of the interface.

IP Address/Netmask

The IP address and netmask associated with this interface.

IPv6 Address

The IPv6 address associated with this interface.

Administrative Access

Select the allowed administrative service protocols from: HTTPS, HTTP, PING, SSH, SNMP, and Web Service.

IPv6 Administrative Access

Select the allowed IPv6 administrative service protocols from: HTTPS, HTTP, PING, SSH, SNMP, and Web Service.

Service Access

Select the Fortinet services that are allowed access on this interface. These include FortiGate Updates and Web Filtering. Service access is not enabled on any port by default.

Specify the Bind to IP Address:

The IP address specified in Bind to IP Address address should be a unique address on the same subnet as the IP address of the interface. This IP address is used for update and rating requests to FortiManager over TCP/443.
FortiManager can only configure one interface with update and rating service using port 443.

When configuring FortiManager as a local FortiGuard server for FortiGate, you must use the Bind to IP addresses for the update and rating services over TCP/443.

The Bind to IP address does not need to be configured for update services if the default port was not changed to TCP/443. See the FortiGate Admin Guide for more information.

Status

Select Enable or Disable.

Configure the DNS settings, and click Apply.
Primary DNS Server
The primary DNS server IP address.
Secondary DNS Server
The secondary DNS server IP address.

To configure additional ports:

Go to System Settings > Network. The Interface pane is displayed at the top of the page.
In the Interface pane, double-click on a port, right-click on a port then select Edit from the pop-up menu, or select a port then click Edit in the toolbar. The Edit System Interface pane is displayed.
Configure the settings as required.
Click OK to apply your changes.

The port name, default gateway, and DNS servers cannot be changed from the Edit System Interface pane. The port can be given an alias if needed.