Fortinet Document Library


Administration Guide

Basic setup

The portal interacts with FortiManager. To avoid the portal becoming a bottleneck, you can adjust the maximum CPU and memory sizes so that they equal the values for the FortiManager devices it interacts with.

Basic setup covers the following tasks:

  • MySQL prerequisite
  • Sizing
  • Default login credentials
  • Database installation
  • Portal installation
  • Updating the SSL certificate file
  • FortiManager configuration
  • FortiAnalyzer configuration

MySQL prerequisite

Before using MySQL, check that it is configured properly: the 'local_infile' variable must be on (it controls LOAD DATA LOCAL INFILE, which the portal relies on to import log data).

To check whether the 'local_infile' variable is on, run the following query from the MySQL console:

SHOW GLOBAL VARIABLES LIKE 'local_infile';

If the 'local_infile' variable is off, run the following query to turn it on:

SET GLOBAL local_infile = 'ON';

SET GLOBAL takes effect immediately but is lost when the database server restarts. To make the setting permanent, also add local_infile under the [mysqld] section of the server configuration file described in Database installation.

When the 'local_infile' variable is off, FortiPortal experiences various issues, such as FortiView finding no matching records for session logs.

Sizing

FortiPortal sizing can be complex. Fortinet recommends that you work with your Fortinet systems engineer when possible. However, using the following guidelines, you can successfully complete this task:

  • Portal VM—The default storage disk size is 80 GB, which is the recommended minimum. (The 2-GB disk in the VM is the flash memory; the 80-GB disk is storage.) If you have many customer logins and many devices, then increase the memory and disk sizes for improved performance.

Default login credentials

The following are the default user names and passwords for the FortiPortal components:

  Component    Default user name    Default password
  Portal       admin                No password

The portal application itself is first accessed as spuser (see Portal installation). Change every default password at first login; the admin account has no password at all until you set one.

Database installation

Fortinet does not provide the database server as part of FortiPortal. Fortinet supports the databases that FortiPortal creates on it and the connections to them.

The following is the overall installation procedure, which starts by configuring the database server:

  1. After you create the database server image, install at least one instance for the portal database.
  2. Create the server VM and install the database server. FortiPortal supports MariaDB 10.2 and MySQL 5.7.
  3. Install the portal. The portal requires a license.
  4. After FortiPortal is running, you can add FortiManager devices and set up customers. See FortiManager devices and Add or edit a customer.

After you create the server VM and install the database server, configure the following settings in MySQL 5.7 or MariaDB 10.2:

  1. Set the bind-address and sql_mode parameters in the [mysqld] section of the server configuration file. With the Debian and Ubuntu packages the file is usually one of the following:

    For MySQL (single-file layout): /etc/mysql/my.cnf
    For MySQL 5.7: /etc/mysql/mysql.conf.d/mysqld.cnf
    For MariaDB 10.2.x: /etc/mysql/mariadb.conf.d/50-server.cnf

    For example, with the database server at 10.220.64.121:

    [mysqld]
    ...
    bind-address = 10.220.64.121
    ...
    sql_mode = STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION

    Bind to the address the portal reaches the server on, not 0.0.0.0, so that the database is not exposed on every interface. The NO_AUTO_CREATE_USER mode exists in MySQL 5.7 and MariaDB 10.2 but was removed in MySQL 8.0, which is one reason the supported versions are 5.7 and 10.2. Restart the server after editing the file.

  2. Log in to the MySQL console and use the show variables command to check that the parameters are set as intended:

    mysql -u root -p

    show variables like 'bind_address';
    show variables like 'sql_mode';
    show variables like 'local_infile';

  3. Create a user for the portal, grant privileges to the user, and check that the user is created. Quote the password; because the user is created first, GRANT does not need an IDENTIFIED BY clause (that form is deprecated in MySQL 5.7 and removed in 8.0):

    create user '<database_user_name>'@'%' identified by '<database_user_password>';
    GRANT ALL PRIVILEGES ON *.* TO '<database_user_name>'@'%';
    flush privileges;

    # Use the following query to check that the user and host are entered correctly
    select host,user from mysql.user;

    For example:

    > create user 'fpc'@'%' identified by 'fpc';
    > GRANT ALL PRIVILEGES ON *.* TO 'fpc'@'%';
    > flush privileges;
    > select host,user from mysql.user;

    The '%' host lets this account connect from any address, and the example password is trivial. Outside a lab, replace '%' with the portal VM's IP address (10.220.64.120 in this guide's examples) and use a strong password. The portal creates its own databases (ftntpmcdb, and the fp_fazlite database named in config system sql), so keep the grant on *.*.

    Make sure the database server can resolve its own hostname (for example by pinging it) and the portal's IP address. Adding entries to /etc/hosts on the database server is one way of doing this.
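The following script is an added example, not part of the Fortinet guide. It covers the MySQL prerequisite and the database server steps above in one place: it reads the [mysqld] section of a configuration file and reports whether bind-address, sql_mode and local_infile match what the portal needs, and it prints the portal account SQL with the host scoped to the portal VM's address instead of '%'. It assumes POSIX sh, awk and grep; the IP addresses are the guide's example addresses and the two sample configuration files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not Fortinet's code: pre-flight check of the [mysqld] settings
# the MySQL prerequisite and the database installation steps call for, plus the
# portal account SQL with the host scoped to the portal VM instead of '%'.
# Assumes POSIX sh, awk and grep. The IPs are the guide's example addresses
# and the sample config files written by write_samples are constructed.

REQUIRED_SQL_MODES="STRICT_TRANS_TABLES NO_ZERO_IN_DATE NO_ZERO_DATE \
ERROR_FOR_DIVISION_BY_ZERO NO_AUTO_CREATE_USER NO_ENGINE_SUBSTITUTION"

# mysqld_opt FILE KEY: print KEY's value from the [mysqld] section (last one
# wins; '-' and '_' in option names are treated alike, as mysqld itself does).
mysqld_opt() {
    awk -v want="$(printf '%s' "$2" | tr '-' '_')" '
        /^[ \t]*[#;!]/ { next }                       # comments and !includedir
        /^[ \t]*\[/ { sec = tolower($0); gsub(/[^a-z0-9_]/, "", sec); next }
        sec == "mysqld" && index($0, "=") {
            key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key); gsub(/-/, "_", key)
            if (tolower(key) == want) {
                val = $0; sub(/^[^=]*=[ \t]*/, "", val)
                sub(/[ \t]*#.*/, "", val); sub(/[ \t]+$/, "", val)
            }
        }
        END { print val }' "$1"
}

# check_mysqld FILE DB_IP: one finding per line, non-zero status if any.
check_mysqld() {
    rc=0
    bind=$(mysqld_opt "$1" bind-address)
    case "$bind" in
        "")             echo "bind-address unset: listens on every interface"; rc=1 ;;
        0.0.0.0|::|'*') echo "bind-address $bind listens on every interface; use $2"; rc=1 ;;
        "$2")           ;;
        *)              echo "bind-address is $bind, expected $2"; rc=1 ;;
    esac
    modes=",$(mysqld_opt "$1" sql_mode | tr 'a-z' 'A-Z' | tr -d ' '),"
    for m in $REQUIRED_SQL_MODES; do
        case "$modes" in *",$m,"*) ;; *) echo "sql_mode missing $m"; rc=1 ;; esac
    done
    case "$(mysqld_opt "$1" local_infile | tr 'a-z' 'A-Z')" in
        1|ON|TRUE) ;;
        *) echo "local_infile not set in [mysqld]; SET GLOBAL does not survive a restart"; rc=1 ;;
    esac
    return $rc
}

# portal_account_sql USER PASSWORD PORTAL_IP: the guide's account SQL, but with
# the host fixed to the portal VM. Refuses quotes (SQL injection into the DDL)
# and anything that is not a dotted-quad, so the host cannot become '%'.
portal_account_sql() {
    case "$1$2" in *"'"*) echo "quote characters not allowed" >&2; return 1 ;; esac
    printf '%s\n' "$3" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
        || { echo "portal host must be an IP address, got: $3" >&2; return 1; }
    cat <<EOF
CREATE USER '$1'@'$3' IDENTIFIED BY '$2';
GRANT ALL PRIVILEGES ON *.* TO '$1'@'$3';
FLUSH PRIVILEGES;
SELECT host, user FROM mysql.user WHERE user = '$1';
EOF
}

# write_samples DIR: constructed before/after configuration files for a dry run.
write_samples() {
    cat > "$1/weak.cnf" <<'EOF'
[mysqld]
bind-address = 0.0.0.0
sql_mode = STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_ENGINE_SUBSTITUTION
EOF
    cat > "$1/hardened.cnf" <<'EOF'
[mysqld]
bind-address = 10.220.64.121
sql_mode = STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION
local_infile = 1
EOF
}

# Usage: sh fp_db_check.sh /etc/mysql/mysql.conf.d/mysqld.cnf 10.220.64.121
if [ $# -eq 2 ]; then
    check_mysqld "$1" "$2" && echo "ok: [mysqld] matches the guide"
fi
```

Run it against the real server file before creating the portal account; the weak sample produces three findings (open bind-address, NO_AUTO_CREATE_USER missing, local_infile unset) and the hardened sample produces none. Feed the output of portal_account_sql to the mysql client rather than typing the GRANT by hand.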

Portal installation

Before doing the portal installation, Fortinet recommends taking a snapshot of the portal database server in its initial state. If there are any errors installing the portal, you can revert the database server to its initial state.

  1. Install the portal VM image. For a new VMware installation, use the fpcvm64imagePortal.out.ovf.zip file. For the KVM version, see Appendix: Installation using OpenStack.
  2. Configure the CLI settings. For example (portal at 10.220.64.120, database server at 10.220.64.121):

    config system global
        set hostname portal   # use whatever name you want to give the VM
        set timezone 28       # use ? to list the correct value for your region
    end

    config system interface
        edit port1
            set ip 10.220.64.120/24
            set allowaccess ping https ssh http   # drop http outside a lab: it serves the admin interface in cleartext
    end

    config system route
        edit 1
            set device port1
            set gateway 10.220.64.1
    end

    config system sql
        set status remote
        set database-name fp_fazlite
        set database-type mysql   # REQUIRED. If you omit this, the portal database is not generated correctly.
        set database-port 3365    # this example changes the default MySQL port from 3306 to 3365; it must match the port the database server listens on
        set username fpc          # the database user created on the database server
        set password xyz          # that user's password
        set server 10.220.64.121
    end

    FortiPortal must be rebooted after a change is made to config system sql.

    Entering config system sql rewrites the database property file with the current values even if nothing changes, which disconnects the GUI session. To only check the SQL settings, use the show system sql command instead.

  3. Check the NTP settings with the show system ntp command and adjust them for your environment if necessary. Use the same NTP source for all portal VMs so that log time stamps are consistent across all devices.
  4. Reboot the VM.
  5. From the database console, check that the portal created its schema and record the FortiPortal version:

    select * from ftntpmcdb.fpc_version;

  6. Log in to FortiPortal using the user name spuser and the password test123:

    https://10.220.64.120/fpc/login

    The left pane is common to all of the pages (Dashboard, Customers, Devices, Admin, and Audit). Change the spuser password now; it is a published default.
  7. Set the portal database size available on the portal database server: go to Admin > Settings and specify the FPC Data Store Size, for example 1024 GB. The mail settings must also be configured during this first-time configuration.
  8. Upload the license file: go to Admin > System Info and select Upload License.
  9. After the license is uploaded, check that the license status is valid and the number of devices allowed is correct. An individual portal VM does not have a serial number.

Updating the SSL certificate file

If you are setting up a demo server, you can skip this procedure.

You must upload the license first.

Use the following steps to import an SSL certificate for the FortiPortal VM.

From the Admin portal, select Admin > System Info to display information about the SSL certificate. The Certificate Information panel on the System Info page displays the certificate file name and private key file name. From this panel you can select and upload a new certificate and private key for the FortiPortal; the private key must be in PKCS#8 format.

Do not use the certificate import and export commands on the portal VM itself: they apply to the administration interface, not to the FortiPortal application. Generate the key and the certificate signing request on an external host, have the CSR signed, and import the signed certificate. For example:

openssl genrsa -out server.key 2048                                              # 2048 bits is the minimum public CAs will sign; the portal expects the key unencrypted
openssl req -new -key server.key -out server.csr                                 # submit server.csr to your CA and save the certificate it returns as server.crt
openssl pkcs8 -topk8 -nocrypt -in server.key -out portal.key                     # PKCS#8 copy of the key for the portal upload
openssl x509 -req -days 365 -in server.csr -signkey portal.key -out server.crt   # lab only: self-signs the CSR instead of using a CA

After these steps are done, upload the certificate file (*.crt file) and the portal.key file from the FortiPortal UI (as instructed in the administration guide). Protect portal.key on the external host: it is an unencrypted private key. After uploading the certificate file, restart your portal VM.
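The script below is an added example and not Fortinet's code. It carries the procedure above through on an external host: an unencrypted 2048-bit RSA key, a CSR that carries a subjectAltName (browsers no longer accept a certificate that only names the host in the CN), the PKCS#8 copy of the key for the upload, a lab-only self-signing step, and the checks worth running before the upload (key matches certificate, key length, SAN present, not expired). It assumes OpenSSL 1.1.1 or later; portal.example.com is a made-up name and the IP is the guide's example portal address.

```shell
#!/bin/sh
# Added example, not Fortinet's code: generate the FortiPortal application
# certificate material on an external host as the procedure requires, and
# verify the pair before uploading it through Admin > System Info.
# Assumes openssl 1.1.1 or later. portal.example.com is a made-up name; the IP
# is the guide's example portal address.

PORTAL_FQDN="${PORTAL_FQDN:-portal.example.com}"
PORTAL_IP="${PORTAL_IP:-10.220.64.120}"
DAYS="${DAYS:-365}"

# make_portal_csr DIR: 2048-bit RSA key (unencrypted, as the portal expects), a
# CSR carrying a subjectAltName, and the PKCS#8 copy of the key the portal UI
# accepts. umask keeps both key files readable by the owner only.
make_portal_csr() {
    umask 077
    cat > "$1/san.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
CN = $PORTAL_FQDN
[v3_req]
subjectAltName = DNS:$PORTAL_FQDN,IP:$PORTAL_IP
EOF
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null
    openssl req -new -key "$1/server.key" -config "$1/san.cnf" -out "$1/server.csr"
    openssl pkcs8 -topk8 -nocrypt -in "$1/server.key" -out "$1/portal.key"
}

# self_sign_lab DIR: lab only. Self-signs the CSR and copies the SAN into the
# certificate. In production, submit server.csr to your CA instead and save
# the certificate it returns as server.crt.
self_sign_lab() {
    openssl x509 -req -days "$DAYS" -in "$1/server.csr" -signkey "$1/portal.key" \
        -extfile "$1/san.cnf" -extensions v3_req -out "$1/server.crt" 2>/dev/null
}

# verify_pair DIR: non-zero status and a message on stderr if portal.key does
# not match server.crt, the key is shorter than 2048 bits, the SAN is missing,
# or the certificate has already expired.
verify_pair() {
    cert_pub=$(openssl x509 -in "$1/server.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$1/portal.key" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "portal.key does not match server.crt" >&2; return 1; }
    bits=$(openssl pkey -in "$1/portal.key" -noout -text 2>/dev/null \
        | sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1)
    [ "${bits:-0}" -ge 2048 ] || { echo "key is only ${bits:-?} bits" >&2; return 1; }
    openssl x509 -in "$1/server.crt" -noout -text | grep -q 'Subject Alternative Name' \
        || { echo "server.crt has no subjectAltName" >&2; return 1; }
    openssl x509 -in "$1/server.crt" -noout -checkend 0 >/dev/null \
        || { echo "server.crt is expired" >&2; return 1; }
    echo "ok: $(openssl x509 -in "$1/server.crt" -noout -subject -enddate | tr '\n' ' ')"
}

# Usage: sh portal_cert.sh ./out   (writes server.csr, portal.key and, for a lab, server.crt)
if [ $# -eq 1 ]; then
    mkdir -p "$1" && make_portal_csr "$1" && self_sign_lab "$1" && verify_pair "$1"
fi
```

For a production portal, run make_portal_csr, send server.csr to the CA, place the returned certificate in the same directory as server.crt, and run verify_pair before uploading server.crt and portal.key; verify_pair is the step that catches the common mistake of uploading a certificate issued for a different key.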

FortiManager configuration

You need to configure FortiManager to work with FortiPortal.

  1. ADOMs must be enabled for FortiManager to work with FortiPortal. If needed, enable ADOMs and the advanced adom-mode on FortiManager so that VDOMs on the same physical device can be placed in different ADOMs:

    config system global
        set adom-status enable
        set adom-mode advanced
        y                     # confirm the mode change when prompted
    end

  2. Create a portal user with read-and-write RPC permission. The rpc-permit setting is what allows the portal to call the FortiManager JSON API; without it, API calls with this account are refused even though the account can log in to the GUI:

    config system admin user
        edit fpc
            set profileid Super_User
            set adom all_adoms
            set policy-package all_policy_packages
            set password fortinet   # example only: use a strong, unique password for the portal account
            set rpc-permit read-write
        next
    end

  3. Workspace mode must be enabled for FortiManager to work with FortiPortal:

    config system global
        set workspace-mode normal
    end

  4. Add your FortiManager device to the portal using the JSON port, then poll FortiManager to retrieve the device list. For more information about adding FortiManagers to the portal, see FortiManager devices.

FortiAnalyzer configuration

You need to configure FortiAnalyzer to work with FortiPortal.

  1. ADOMs must be enabled for FortiAnalyzer to work with FortiPortal, and the portal-facing interface on FortiAnalyzer must have the webservice permission enabled.
  2. Allow remote procedure calls by creating an admin user for the portal with rpc-permit set to read-write:

    config system admin user
        edit <user_name>
            set profileid Super_User
            set rpc-permit read-write
        next
    end

To add a FortiAnalyzer, see FortiAnalyzer devices.
