DOCUMENT LIBRARY

FortiGate / FortiOS

FortiManager

FortiAnalyzer

Administration Guide

Setting up FortiManager
- Connecting to the GUI
  - FortiManager Setup wizard
  - Activating VM licenses
- Security considerations
- GUI overview
- FortiAnalyzer Features
  - Enable or disable FortiAnalyzer features
- Initial setup
- Restarting and shutting down
FortiManager Key Concepts
- Communication through protocols
- Configuration through Device Manager
- ADOMs and devices
- Operations
- Key features of the FortiManager system
Dashboard
- Customizing the dashboard
- System Information widget
- System Resources widget
- License Information widget
- Unit Operation widget
- Alert Messages Console widget
- Log Receive Monitor widget
- Insert Rate vs Receive Rate widget
- Log Insert Lag Time widget
- Receive Rate vs Forwarding Rate widget
- Disk I/O widget
- Device widgets
- Restart, shut down, or reset FortiManager
Device Manager
- ADOMs
- Device & Groups
- Scripts
- Provisioning Templates
- Firmware templates
- Monitors
- FortiGate chassis devices
  - Viewing chassis dashboard
Policy & Objects
- About policies
  - Policy theory
  - Global policy packages
- Policy workflow
  - Provisioning new devices
  - Day-to-day management of devices
- Feature visibility
- Managing policy packages
- Managing policies
- Using Policy Blocks
- Managing objects and dynamic objects
- ADOM revisions
SD-WAN Manager
- SD-WAN Network
  - SD-WAN Devices
  - SD-WAN Monitor
- SD-WAN Templates
- SD-WAN overlay orchestration
- SD-WAN rules
- Upgrading FortiManager with SD-WAN devices and templates
AP Manager
- Managed FortiAPs
- WiFi Maps
  - Google map
  - Floor map
- WiFi profiles and settings for central management
- WiFi profiles and settings for per-device management
  - Enabling FortiAP per-device management
  - Creating profiles
VPN Manager
- Overview
- Enabling central VPN management
- DDNS support
- VPN Setup Wizard supports device groups
- IPsec VPN
- Agentless VPN
- VPN security policies
  - Defining policy addresses
  - Defining security policies
- VPN CLI configurations
FortiView
Fabric View
- Security Fabric Topology
- Security Rating
  - Viewing Security Fabric Ratings
  - Security Fabric score
- Fabric Connectors
  - Core Network Security
    - Creating FortiClient EMS connectors
  - Other Fortinet Products
    - Creating a FortiAIOps connector
    - Creating a FortiTelemetry agent connector
- External Connectors
- Cloud Orchestration
FortiAI
- Enabling administrator access to FortiAI
- Using FortiAI
- FortiAI data privacy
- FortiAI tokens
- FortiAI example tasks
- Submitting feedback for FortiAI
- Configuring role-based access control for FortiAI
FortiGuard
- Device licenses
  - View licensing status
- Package management
- Query services
- Firmware images
- External resources
- Settings
- Enabling FDN third-party SSL validation and Anycast support
- Configuring devices to use the built-in FDS
- Configuring FortiGuard services
- Logging events related to FortiGuard services
  - Logging FortiGuard antivirus and IPS updates
  - Logging FortiGuard web or email filter events
- Restoring the URL or antispam database
FortiSwitch Manager
- Managed FortiSwitches
- FortiSwitch central management
  - Enabling FortiSwitch central management
  - FortiSwitch Templates
- FortiSwitch per-device management
Extender Manager
- Managed extenders
  - Managing FortiExtender devices
- Extender profiles
  - FortiExtender profiles
  - Using Fortinet recommended extender profiles
- Data plans
- FortiExtender SSIDs
- Preview the JSON API or CLI script for Extender Manager configurations
System Settings
- Logging Topology
- Network
- RAID Management
- Administrative Domains (ADOMs)
- Fabric Management
- Certificates
- Event Log
  - Event log filtering
- Task Monitor
- Mail Server
- Syslog Server
  - Send local logs to syslog server
- Meta Fields
- Device logs
  - Configuring rolling and uploading of logs using the GUI
  - Configuring rolling and uploading of logs using the CLI
- Miscellaneous Settings
Administrators
- Trusted hosts
- Monitoring administrators
- Disconnecting administrators
- Managing administrator accounts
- Restricted administrators
- Administrator profiles
- Workspace
- Authentication
- Global administration settings
- Multi-factor authentication
  - Multi-factor authentication with FortiAuthenticator
    - Configuring FortiAuthenticator
    - Configuring FortiManager
  - Multi-factor authentication with FortiToken Cloud
High Availability
- Synchronizing the FortiManager configuration and HA heartbeat
- If the primary or a backup unit fails
- FortiManager HA cluster startup steps
- Configuring HA options
- Monitoring HA status
- Upgrading the FortiManager firmware for an operating cluster
Appendix A - Supported RFC Notes
Appendix B - Policy ID support
Appendix C - FortiManager Ansible Collection documentation
Appendix D - FortiAI token entitlements for FortiManager
Appendix E - VM license migration
Change Log

Home FortiManager 7.6.7 Administration Guide

7.6.7

Control administrative access with a local-in policy

Administrative access to FortiManager can be controlled by a IPv4/IPv6 local-in policy. This feature can only be configured using the FortiManager CLI.

For more information, see the FortiManager CLI Reference Guide on the Fortinet Docs Library.

To create an IPv4 local-in policy to control administrator access to FortiManager:

Access the FortiManager CLI.
Enter the following command to create the IPv4 local-in policy:
config system local-in-policy
edit <policy ID>
new entry '<Policy ID>' added
Configure additional settings for the local-in policy using the set command.
For example:
set
action - Action performed on traffic matching this policy.
dport - Destination port number (0 for all).
dst - Destination IP and mask.
intf - Incoming interface name.
protocol - Traffic protocol.
src - Source IP and mask.

To create an IPv6 local-in policy to control administrator access to FortiManager:

Access the FortiManager CLI.
Enter the following command to create the IPv6 local-in policy:
config system local-in-policy6
(local-in-policy6)# edit <policy ID>
new entry '<Policy ID>' added
Configure additional settings for the local-in policy using the set command.
For example:
set
action - Action performed on traffic matching this policy.
dport - Destination port number (0 for all).
dst - Destination IP and mask.
intf - Incoming interface name.
protocol - Traffic protocol.
src - Source IP and mask.

FortiManager local-in policies support multiple entries when configuring ports, addresses, and interfaces. For example:

config system local-in-policy

edit 1

set description "IP group 123"

set dport "22" "443" "80" "8080" "514"

set dst "1.1.1.1/16" "2.2.2.2/24" "3.3.3.3/32"

set intf "port1" "port2"

set src "1.1.1.1/16" "2.2.2.2/24"