Administration Guide

Setting up FortiManager
- Connecting to the GUI
  - FortiManager Setup wizard
  - Activating VM licenses
- Security considerations
- GUI overview
- FortiAnalyzer Features
  - Enable or disable FortiAnalyzer features
- Initial setup
- Restarting and shutting down
FortiManager Key Concepts
- Communication through protocols
- Configuration through Device Manager
- ADOMs and devices
- Operations
- Key features of the FortiManager system
Dashboard
- Customizing the dashboard
- System Information widget
- System Resources widget
- License Information widget
- Unit Operation widget
- Alert Messages Console widget
- Log Receive Monitor widget
- Insert Rate vs Receive Rate widget
- Log Insert Lag Time widget
- Receive Rate vs Forwarding Rate widget
- Disk I/O widget
- Device widgets
- Restart, shut down, or reset FortiManager
Device Manager
- ADOMs
- Device & Groups
- Scripts
- Provisioning Templates
- Firmware templates
- Monitors
- FortiMeter
- FortiGate chassis devices
  - Viewing chassis dashboard
Policy & Objects
- About policies
  - Policy theory
  - Global policy packages
- Policy workflow
  - Provisioning new devices
  - Day-to-day management of devices
- Feature visibility
- Managing policy packages
- Managing policies
- Using Policy Blocks
- Managing objects and dynamic objects
- ADOM revisions
SD-WAN Manager
- SD-WAN Network
  - SD-WAN Devices
  - SD-WAN Monitor
- SD-WAN Templates
- SD-WAN overlay orchestration
- SD-WAN rules
AP Manager
- Managed FortiAPs
- WiFi Maps
  - Google map
  - Floor map
- WiFi profiles and settings for central management
- WiFi profiles and settings for per-device management
  - Enabling FortiAP per-device management
  - Creating profiles
VPN Manager
- Overview
- Enabling central VPN management
- DDNS support
- VPN Setup Wizard supports device groups
- IPsec VPN
- SSL VPN
- VPN security policies
  - Defining policy addresses
  - Defining security policies
Fabric View
- Security Fabric Topology
- Security Rating
  - Viewing Security Fabric Ratings
  - Security Fabric score
- Fabric Connectors
  - Core Network Security
    - Creating FortiClient EMS connectors
- External Connectors
- Cloud Orchestration
FortiAI
- Enabling administrator access to FortiAI
- Using FortiAI
- FortiAI data privacy
- FortiAI tokens
- FortiAI example tasks
FortiGuard
- Device licenses
  - View licensing status
- Package management
- Query services
- Firmware images
- External resources
- Settings
- Enabling FDN third-party SSL validation and Anycast support
- Configuring devices to use the built-in FDS
  - Handling connection attempts from unauthorized devices
  - Configure a FortiManager without Internet connectivity to access a local FortiManager as FDS
- Configuring FortiGuard services
- Logging events related to FortiGuard services
  - Logging FortiGuard antivirus and IPS updates
  - Logging FortiGuard web or email filter events
- Restoring the URL or antispam database
FortiSwitch Manager
- Managed FortiSwitches
- FortiSwitch central management
  - Enabling FortiSwitch central management
  - FortiSwitch Templates
- FortiSwitch per-device management
Extender Manager
- Managed extenders
  - Managing FortiExtender devices
- Extender profiles
System Settings
- Logging Topology
- Network
- RAID Management
- Administrative Domains (ADOMs)
- Fabric Management
- Certificates
- Event Log
  - Event log filtering
- Task Monitor
- Mail Server
- Syslog Server
  - Send local logs to syslog server
- Meta Fields
- Device logs
  - Configuring rolling and uploading of logs using the GUI
  - Configuring rolling and uploading of logs using the CLI
- File Management
- Miscellaneous Settings
Administrators
- Trusted hosts
- Monitoring administrators
- Disconnecting administrators
- Managing administrator accounts
- Restricted administrators
- Administrator profiles
- Workspace
- Authentication
- Global administration settings
- Multi-factor authentication
  - Multi-factor authentication with FortiAuthenticator
    - Configuring FortiAuthenticator
    - Configuring FortiManager
  - Multi-factor authentication with FortiToken Cloud
High Availability
- Synchronizing the FortiManager configuration and HA heartbeat
- If the primary or a backup unit fails
- FortiManager HA cluster startup steps
- Configuring HA options
- Monitoring HA status
- Upgrading the FortiManager firmware for an operating cluster
Management Extensions
- FortiAIOps MEA
- FortiSigConverter MEA
- FortiSOAR MEA
- FortiWLM MEA
- Policy Analyzer MEA
- Universal Connector MEA
- Enabling management extension applications
  - CLI for management extensions
- Accessing management extension logs
- Checking for new versions and upgrading
Appendix A - Supported RFC Notes
Appendix B - Policy ID support
Appendix C - Re-establishing the FGFM tunnel after VM license migration
Appendix D - FortiManager Ansible Collection documentation
Appendix E - FortiAI token entitlements for FortiManager
Change Log

Home FortiManager 7.6.1 Administration Guide

7.6.1

Permissions

The below table lists the default permissions for the Super_User, Standard_User, Restricted_User and Package_User administrator profiles.

When Read-Write is selected, the user can view and make changes to the FortiManager system. When Read-Only is selected, the user can only view information. When None is selected, the user can neither view or make changes to the FortiManager system.

The FortiView setting is only available in the GUI when FortiAnalyzer features are disabled.

The Log View/FortiView, Incidents & Events, Create & Update Incidents, Triage Event, Reports, and Run Report settings are only available in the GUI when FortiAnalyzer features are enabled. See FortiAnalyzer Features.

Setting		Predefined Administrator Profile
Setting		Super User	Standard User	Restricted User	Package User
System Settings `system-setting`		Read-Write	None	None	Read-Only
Administrative Domain `adom-switch`		Read-Write	Read-Write	None	Read-Write
FortiGuard Center `fgd_center`		Read-Write	None	None	Read-Only
	License Management `fgd-center-licensing`	Read-Write	None	None	Read-Only
	Firmware Management `fgd-center-fmw-mgmt`	Read-Write	None	None	Read-Only
	Settings `fgd-center-advanced`	Read-Write	None	None	Read-Only
Device Manager `device-manager`		Read-Write	Read-Write	Read-Only	Read-Write
	Add/Delete/Edit Devices/Groups `device-op`	Read-Write	Read-Write	None	Read-Write
	Retrieve Configuration from Devices `config-retrieve`	Read-Write	Read-Write	Read-Only	Read-Only
	Revert Configuration from Revision History `config-revert`	Read-Write	Read-Write	Read-Only	Read-Only
	Delete Device Revision `device-revision-deletion`	Read-Write	Read-Write	Read-Only	Read-Write
	Terminal Access `term-access`	Read-Write	Read-Write	Read-Only	Read-Only
	Manage Device Configurations `device-config`	Read-Write	Read-Write	Read-Only	Read-Write
	Provisioning Templates `device-profile`	Read-Write	Read-Write	Read-Only	Read-Write
	SD-WAN `device-wan-link-load-balance`	Read-Write	Read-Write	Read-Only	Read-Write
	Script Access `script-access`	Read-Write	Read-Write	None	Read-Write
Policy & Objects `policy-objects`		Read-Write	Read-Write	Read-Only	Read-Write
	Global Policy Packages & Objects `global-policy-packages`	Read-Write	Read-Write	None	Read-Write
	Assignment `assignment`	Read-Write	None	None	Read-Only
	Policy Packages & Objects `adom-policy-packages`	Read-Write	Read-Write	Read-Only	Read-Write
	Policy Check `consistency-check`	Read-Write	Read-Write	Read-Only	Read-Only
	Edit Installation Targets `set-install-targets`	Read-Write	Read-Write	Read-Only	Read-Write
	IPS Objects `ips-objects`	Read-Write	Read-Write	Read-Only	Read-Write
	Edit Policy IPS Attributes `policy-ips-attrs`	Read-Write	Read-Write	Read-Only	Read-Write
Lock/Unlock ADOM `adom-lock`		Read-Write	Read-Write	Read-Only	Read-Write
Lock/Unlock Device/Policy Package `device-policy-package-lock`		Read-Write	Read-Write	Read-Only	Read-Write
Install Policy Package or Device Configuration `deploy-management`		Read-Write	Read-Write	Read-Only	Read-Write
Import Policy Package `import-policy-packages`		Read-Write	Read-Write	Read-Only	Read-Write
Interface Mapping `intf-mapping`		Read-Write	Read-Write	Read-Only	Read-Write
AP Manager `device-ap`		Read-Write	Read-Write	Read-Only	Read-Write
FortiSwitch Manager `device-fortiswitch`		Read-Write	Read-Write	Read-Only	Read-Write
Extender Manager `device-fortiextender`		Read-Write	Read-Write	Read-Only	Read-Write
VPN Manager `vpn-manager`		Read-Write	Read-Write	Read-Only	Read-Write
Extension Access `extension-access`		Read-Write	Read-Write	None	Read-Only
FortiView `log-viewer`		Read-Write	Read-Write	Read-Only	Read-Only
Log View/FortiView `log-viewer`		Read-Write	Read-Write	Read-Only	Read-Only
Incidents & Events `event-management`		Read-Write	Read-Write	Read-Only	Read-Only
Create & Update Incidents `update-incidents`		Read-Write	Read-Write	None	None
Triage Event `triage-events`		Read-Write	Read-Write	None	None
Reports `report-viewer`		Read-Write	Read-Write	Read-Only	Read-Only
Run Report `run-report`		Read-Write	Read-Write	None	None
Fabric View `fabric-viewer`		Read-Write	Read-Write	Read-Only	Read-Only
CLI only settings
`ips-lock`		Read-Write	Read-Write	Read-Only	Read-Write

For a description of each permission, see the FortiManager CLI Reference.

Remote GUI access

The Remote GUI Access toggle can be enabled to grant administrators with the specified Admin Profile the ability to remotely access managed FortiGate devices. By default, this setting is enabled for the Super_User profile and is disabled when creating a new profile. See Remotely access a managed FortiGate.

Permissions

The below table lists the default permissions for the Super_User, Standard_User, Restricted_User and Package_User administrator profiles.

The FortiView setting is only available in the GUI when FortiAnalyzer features are disabled.

Setting		Predefined Administrator Profile
Setting		Super User	Standard User	Restricted User	Package User
System Settings `system-setting`		Read-Write	None	None	Read-Only
Administrative Domain `adom-switch`		Read-Write	Read-Write	None	Read-Write
FortiGuard Center `fgd_center`		Read-Write	None	None	Read-Only
	License Management `fgd-center-licensing`	Read-Write	None	None	Read-Only
	Firmware Management `fgd-center-fmw-mgmt`	Read-Write	None	None	Read-Only
	Settings `fgd-center-advanced`	Read-Write	None	None	Read-Only
Device Manager `device-manager`		Read-Write	Read-Write	Read-Only	Read-Write
	Add/Delete/Edit Devices/Groups `device-op`	Read-Write	Read-Write	None	Read-Write
	Retrieve Configuration from Devices `config-retrieve`	Read-Write	Read-Write	Read-Only	Read-Only
	Revert Configuration from Revision History `config-revert`	Read-Write	Read-Write	Read-Only	Read-Only
	Delete Device Revision `device-revision-deletion`	Read-Write	Read-Write	Read-Only	Read-Write
	Terminal Access `term-access`	Read-Write	Read-Write	Read-Only	Read-Only
	Manage Device Configurations `device-config`	Read-Write	Read-Write	Read-Only	Read-Write
	Provisioning Templates `device-profile`	Read-Write	Read-Write	Read-Only	Read-Write
	SD-WAN `device-wan-link-load-balance`	Read-Write	Read-Write	Read-Only	Read-Write
	Script Access `script-access`	Read-Write	Read-Write	None	Read-Write
Policy & Objects `policy-objects`		Read-Write	Read-Write	Read-Only	Read-Write
	Global Policy Packages & Objects `global-policy-packages`	Read-Write	Read-Write	None	Read-Write
	Assignment `assignment`	Read-Write	None	None	Read-Only
	Policy Packages & Objects `adom-policy-packages`	Read-Write	Read-Write	Read-Only	Read-Write
	Policy Check `consistency-check`	Read-Write	Read-Write	Read-Only	Read-Only
	Edit Installation Targets `set-install-targets`	Read-Write	Read-Write	Read-Only	Read-Write
	IPS Objects `ips-objects`	Read-Write	Read-Write	Read-Only	Read-Write
	Edit Policy IPS Attributes `policy-ips-attrs`	Read-Write	Read-Write	Read-Only	Read-Write
Lock/Unlock ADOM `adom-lock`		Read-Write	Read-Write	Read-Only	Read-Write
Lock/Unlock Device/Policy Package `device-policy-package-lock`		Read-Write	Read-Write	Read-Only	Read-Write
Install Policy Package or Device Configuration `deploy-management`		Read-Write	Read-Write	Read-Only	Read-Write
Import Policy Package `import-policy-packages`		Read-Write	Read-Write	Read-Only	Read-Write
Interface Mapping `intf-mapping`		Read-Write	Read-Write	Read-Only	Read-Write
AP Manager `device-ap`		Read-Write	Read-Write	Read-Only	Read-Write
FortiSwitch Manager `device-fortiswitch`		Read-Write	Read-Write	Read-Only	Read-Write
Extender Manager `device-fortiextender`		Read-Write	Read-Write	Read-Only	Read-Write
VPN Manager `vpn-manager`		Read-Write	Read-Write	Read-Only	Read-Write
Extension Access `extension-access`		Read-Write	Read-Write	None	Read-Only
FortiView `log-viewer`		Read-Write	Read-Write	Read-Only	Read-Only
Log View/FortiView `log-viewer`		Read-Write	Read-Write	Read-Only	Read-Only
Incidents & Events `event-management`		Read-Write	Read-Write	Read-Only	Read-Only
Create & Update Incidents `update-incidents`		Read-Write	Read-Write	None	None
Triage Event `triage-events`		Read-Write	Read-Write	None	None
Reports `report-viewer`		Read-Write	Read-Write	Read-Only	Read-Only
Run Report `run-report`		Read-Write	Read-Write	None	None
Fabric View `fabric-viewer`		Read-Write	Read-Write	Read-Only	Read-Only
CLI only settings
`ips-lock`		Read-Write	Read-Write	Read-Only	Read-Write

For a description of each permission, see the FortiManager CLI Reference.

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

Administration Guide

Permissions

Permissions

Remote GUI access

Permissions

Permissions

Remote GUI access