
Administration Guide

Operating as an FDS in a closed network

The FortiManager can be operated as a local FDS server when it is in a closed network with no internet connectivity.

Without a connection to a FortiGuard server, update packages and licenses must be manually downloaded from the Fortinet Support portal, and then uploaded to the FortiManager.

Example topology

In the topology example below, FortiManager is operating in a closed network without access to the FortiGuard Distribution Server (FDS), and is acting as the FDS for managed FortiGate devices. Update packages, license files and metadata files are downloaded from the Fortinet Support portal and an online FortiManager, and then uploaded to the air-gapped FortiManager.


To use FortiManager as FDS in a closed network:
  1. On FortiGate, enable the update services/profiles that you require.

  2. On FortiManager, go to FortiGuard > Settings to configure FortiManager as a local FDS server:

    Enable Communication with FortiGuard Servers

    Toggle OFF to disable communication with the FortiGuard servers.

    Enable Antivirus and IPS Service

    Toggle ON to enable the antivirus and intrusion prevention (IPS) services, and select which versions of each product to support.

    Enable Web Filter Services

    Toggle ON to enable web filter services. When uploaded to FortiManager, the Web Filter database is displayed.

    Enable Email Filter Services

    Toggle ON to enable email filter services. When uploaded to FortiManager, the Email Filter database is displayed.

  3. Download the service update package(s) that are required by your managed devices.

    1. Required: Download the service update package(s) that are required by your managed device from the Fortinet Support Portal. Alternatively, you can export service update packages from an online FortiManager.

      Note

      FortiGate only downloads service updates from FortiManager for the services/profiles that it has enabled. For more information on available services, see FortiGuard in the FortiGate Administration Guide.

    2. Optional: If your managed FortiGate devices are using features which require metadata packages (for example, IPS or Application Control), the relevant metadata packages must also be manually imported into the FortiManager. For example, FortiGates using the Slim Extended Database will require the Signature Meta Data (IPS Slim) package. Metadata packages are not available for download through the Fortinet Support Portal; instead, they can only be exported from an online FortiManager. See Exporting packages example.

    3. Optional: FortiClient EMS receives AntiVirus, Web Filter, Application Firewall, Vulnerability Scan, and Sandbox signature and engine updates from FortiManager and deploys the updates to FortiClient while in an air-gapped or isolated network. You can export the relevant FortiGuard signature and engine packages from an online FortiManager and import them on the offline FortiManager.

      Note

      Online FortiManager devices used to export packages must include a valid license.

  4. Go to FortiGuard > Settings and upload the service update packages:

    Upload Options for FortiGate/FortiMail (and FortiSOAR)

    Packages and Database

    Select to upload antivirus and IPS packages, web filter databases, and email filter databases.

    Browse for the file you downloaded from the Fortinet Support portal on your management computer, or drag and drop the file onto the dialog box, and click OK.

    As databases can be large, we recommend uploading them using the CLI. See Uploading packages with the CLI.

    Service License

    Select to import the FortiGate or FortiSOAR license.

    License files can be obtained from support by requesting your account entitlement for the device. See Requesting account entitlement files.

    Browse for the file you downloaded from the Fortinet Support portal on your management computer, or drag and drop the file onto the dialog box, and click OK.

    Upload Options for FortiClient

    AntiVirus/IPS Packages

    Select to upload the FortiClient AntiVirus/IPS packages.

    Browse for the file you downloaded from the Fortinet Support portal on your management computer, or drag and drop the file onto the dialog box, and click OK.

Uploading packages with the CLI

Packages and licenses can be uploaded using the CLI. This should be used when the packages being uploaded are large, like database packages.

To upload packages and license files using the CLI:
  1. If not already done, disable communications with the FortiGuard server and enable a closed network with the following CLI commands:

    config fmupdate publicnetwork
        set status disable
    end

  2. Upload an update package or license:
    1. Load the package or license file to an FTP, SCP, or TFTP server.
    2. Run the following CLI command:

      execute fmupdate {ftp | scp | tftp} import <av-ips | fct-av | url | spam | file-query | license-fgt | license-fct | custom-url | domp> <remote_file> <ip> <port> <remote_path> <user> <password>
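      The following POSIX shell script is an added example, not part of the Fortinet guide: it generates the CLI lines for the two steps above (closing the network, then one import per staged file), rejecting package types and transfer protocols that the import command does not accept. The SCP server address, staging path, account name and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the Fortinet guide): generate the FortiManager CLI
# lines for an offline package import. Host, path, user and file names are
# constructed placeholders.

# Emit one 'execute fmupdate ... import' line. The password is left as a
# <password> placeholder so it is typed at the console, not kept in a script.
fmupdate_import_cmd() {
  proto="$1" type="$2" file="$3" host="$4" port="$5" path="$6" user="$7"
  case "$proto" in
    ftp|scp|tftp) ;;
    *) echo "unsupported transfer protocol: $proto" >&2; return 1 ;;
  esac
  # Package types accepted by 'execute fmupdate import' as listed on this page.
  case "$type" in
    av-ips|fct-av|url|spam|file-query|license-fgt|license-fct|custom-url|domp) ;;
    *) echo "unknown package type: $type" >&2; return 1 ;;
  esac
  printf 'execute fmupdate %s import %s %s %s %s %s %s <password>\n' \
    "$proto" "$type" "$file" "$host" "$port" "$path" "$user"
}

# Print the full CLI session: close the network, then import every staged file.
# $1 = manifest of "type filename" lines; $2..$5 = SCP server host, port, path, user.
fmupdate_session() {
  manifest="$1" host="$2" port="$3" path="$4" user="$5"
  printf 'config fmupdate publicnetwork\n    set status disable\nend\n'
  while read -r type file; do
    [ -n "$type" ] || continue
    fmupdate_import_cmd scp "$type" "$file" "$host" "$port" "$path" "$user" || return 1
  done <<EOF
$manifest
EOF
}

# Constructed manifest of files staged on the SCP server (placeholder names).
STAGED_PACKAGES='av-ips fgt_av_ips.pkg
url webfilter_db.pkg
license-fgt fgt_entitlement.lic'

fmupdate_session "$STAGED_PACKAGES" 192.0.2.10 22 /staging fmgadmin
```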
