
Administration Guide

Adding FortiGate devices using automatic onboarding

FortiManager supports the automatic onboarding of FortiGate devices (FOS 7.6.5 and later).

The auto-onboarding process allows you to initiate the onboarding process from a new FortiGate. When the process is initiated, FortiManager automatically creates a corresponding model device which auto-links to the real device, and the device is authorized and moved into the specified ADOM. Optionally, the onboarding rule can also assign the device to a device group, enforce a firmware version, install a default configuration, and install a FortiGate-VM license through the Flex VM connector or BYOL VM license pool.

Configuration and use of automatic onboarding follows this process:

  1. Create REST API Administrators

  2. Configure the automatic onboarding rules

  3. Initiate automatic onboarding from the FortiGate

Create REST API Administrators

A REST API Administrator is required in order to use the auto-onboarding feature with the Administrator Type onboarding.

For license installation, the Flex VM and BYOL VM license installation types each require their own dedicated REST API Administrator with the Automatic Register setting enabled. Each administrator is assigned to one of the VM license installation types in an onboarding rule, so licenses are activated on FortiGate-VMs using a separate API key per installation type.

To create a REST API admin:
  1. Create REST API Administrators.

    1. Go to System Settings > Administrators, and click Create New > REST API Admin.

    2. Enable the Automatic Register toggle.

    3. Configure the remaining settings, and click OK.

    4. On the next screen, copy the New API Key that is displayed.

To create a FortiManager REST API admin in the CLI:
config system admin user
	edit "api-test"
		set password ENC *****************************
		set trusthost1 10.59.8.0 255.255.255.0
		set profileid "Super_User"
		set policy-package "all_policy_packages"
		set policy-block "all_policy_blocks"
		set user_type api
		set rpc-permit read-write
		set autoreg-user enable
	next
end
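As an added example (not Fortinet code and not part of this guide), the following script parses a `config system admin user` block in the CLI form shown above and reports every REST API admin that has `autoreg-user enable` but no effective trusthost. The rule that an auto-registering API admin must be bound to a trusthost is a hypothetical local policy used to illustrate the check; the usernames and addresses in the sample block are constructed.

```python
"""Audit FortiManager 'config system admin user' CLI text for REST API admins
that are enabled for automatic registration.

Added example, not Fortinet code. Policy checked (hypothetical local policy):
every API admin with 'set autoreg-user enable' must have at least one trusthost
that is not the catch-all 0.0.0.0 0.0.0.0.
"""
import re

# Constructed sample: three API admins and one GUI admin. The ENC password
# value is masked exactly as FortiManager prints it.
SAMPLE_CONFIG = """\
config system admin user
    edit "api-flex"
        set password ENC *****************************
        set trusthost1 10.59.8.0 255.255.255.0
        set profileid "Super_User"
        set user_type api
        set rpc-permit read-write
        set autoreg-user enable
    next
    edit "api-byol"
        set password ENC *****************************
        set profileid "Super_User"
        set user_type api
        set rpc-permit read-write
        set autoreg-user enable
    next
    edit "api-open"
        set password ENC *****************************
        set trusthost1 0.0.0.0 0.0.0.0
        set user_type api
        set rpc-permit read-write
        set autoreg-user enable
    next
    edit "gui-admin"
        set password ENC *****************************
        set profileid "Super_User"
    next
end
"""

UNRESTRICTED = "0.0.0.0 0.0.0.0"


def parse_admin_users(text):
    """Return {username: {setting: value}} for each 'edit ... next' entry."""
    users = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'edit "([^"]+)"', line)
        if m:
            current = m.group(1)
            users[current] = {}
            continue
        if line == "next":
            current = None
            continue
        if current is not None and line.startswith("set "):
            parts = line.split(None, 2)  # "set", key, rest-of-line value
            key = parts[1]
            value = parts[2] if len(parts) > 2 else ""
            users[current][key] = value
    return users


def effective_trusthosts(settings):
    """Trusthost entries that actually restrict the source address."""
    return [v for k, v in settings.items()
            if k.startswith("trusthost") and v != UNRESTRICTED]


def audit_autoreg_admins(users):
    """List (username, reason) for API admins enabled for auto-registration
    that are reachable from any source address."""
    findings = []
    for name, settings in users.items():
        if settings.get("user_type") != "api":
            continue
        if settings.get("autoreg-user") != "enable":
            continue
        if not effective_trusthosts(settings):
            findings.append((name, "autoreg-user enabled without an effective trusthost"))
    return findings


if __name__ == "__main__":
    for user, reason in audit_autoreg_admins(parse_admin_users(SAMPLE_CONFIG)):
        print(f"{user}: {reason}")
```

Run it against the output of `show system admin user` saved to a file; the parser only relies on the `edit "name"` / `set key value` / `next` structure, so it tolerates the tab indentation FortiManager emits.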
Configure the automatic onboarding rules
To enable automatic onboarding:
  1. In the root ADOM, go to Device Manager > Device & Groups.

    Automatic onboarding configuration is only supported in the root ADOM.

  2. Select the dropdown next to Add Device, and select Auto Onboarding.


    The Auto Onboarding menu appears.

  3. Enable Allow Auto Onboarding.

    A prompt will appear asking you to confirm enabling auto onboarding.

  4. Click OK.

To create an onboarding rule:
  1. In the root ADOM, go to Device Manager > Device & Groups.

  2. Select the dropdown next to Add Device, and select Auto Onboarding.

    The Auto Onboarding menu appears.

  3. Click Create New to create a new onboarding rule.

  4. Configure the following settings:

    Status

    Toggle the status of the auto-onboarding rule ON or OFF.

    When the status is OFF, automatic onboarding using this rule will not occur.

    Matching Criteria

    Configure the following settings that define the automatic onboarding rules.

    Only devices which match all of the specified matching criteria will be onboarded to the FortiManager.

    Type

    Select an onboarding type, either Administrator or Pre-Shared Key.

    Administrator

    Select a REST API Administrator to use for administrator-based onboarding.

    This setting is only displayed when the Administrator Type is selected.

    Platform

    Select a specific device platform or select All Platforms.

    Pre-shared Key

    Enter a pre-shared key.

    This setting is only displayed when the Pre-shared Key Type is selected.

    Actions

    Configure the following settings that determine the actions that will occur for automatic onboarding.

    Device Name Prefix

    (Optional) Enter a device prefix name.

    When a device matches the Matching Criteria and is added to the FortiManager through automatic onboarding, it will be given a name using this prefix.

    For example, if the prefix is fgt, the first device added will be fgt_1.

    If this field is left blank, the device name will be the device's serial number.

    ADOM

    Choose the ADOM where the device will be moved after being added to FortiManager. This is required before a Platform can be selected.

    Device Group

    (Optional) Select a device group. Devices added through this automatic onboarding rule will be placed within the specified device group.

    Enforce Firmware Version

    (Optional) Select a firmware version to enforce. When the device is added through automatic-onboarding, it will be automatically upgraded to the selected firmware version.

    Install License

    Select one of the following options:

    Disable

    No license installation will occur. Administrators will need to perform this action manually.

    Flex VM

    Install licenses on FortiGate-VM devices using a Flex VM connector.

    When choosing Flex VM, you must also select a Flex VM Connector from the dropdown menu.

    FortiFlex Connectors can be configured at Fabric View > External Connectors.

    BYOL License

    Install licenses on FortiGate-VM devices using a BYOL license.

    When using BYOL licenses, you must import the FortiGate VM licenses to FortiManager.

    You can import licenses by clicking on the License Pool tab, and clicking Import.

    Install Configuration

    Select one of the following options:

    Disable

    No configuration installation will occur. Administrators will need to perform this action manually.

    By Device Group

    Provisioning templates that are assigned to the device group containing this device will be installed to the device as part of the onboarding process.

    Manual Configuration

    Manually select a Template Group and Policy Package to apply to the onboarded device.

    Description

    (Optional) Provide a description of the onboarding rule.

  5. Click OK to save the onboarding rule.

    You can use the License Pool tab in the Auto Onboarding menu to view additional information about Flex VM and BYOL licenses, including the license State (Idle, Released, or Installed).

Initiate automatic onboarding from the FortiGate
To initiate automatic onboarding from FortiGate:
  1. Trigger the automatic registration process through one of the following methods:

    1. Automatic onboarding using a REST API key.

      1. On the FortiGate, initiate onboarding to the FortiManager using the following CLI:

        execute central-mgmt register-device-by-address <FMG address> <admin api key>

    2. Automatic onboarding using a pre-shared key.

      1. On the FortiGate, configure central management settings to use the FortiManager.

        config system central-management
        	set type fortimanager
        	set fmg <FMG address>
        	set serial-number FMGVMSTM********
        end

        Once successfully registered, the FortiGate will be listed as an unauthorized device on FortiManager.

      2. Initiate automatic authorization and onboarding from the FortiGate using the following CLI:

        execute central-mgmt register-device <FMG serial number> <pre-shared key>

  2. Once the automatic onboarding process has started, the following sequence of operations is followed:

    1. A matching onboarding rule is determined on FortiManager based on its sequence in the Onboarding Rule table.

    2. FortiGate-VM devices that require a license will request the license from FortiManager JSON RPC port 443.

    3. If Install License is enabled on the onboarding rule, the FortiManager sends the license to FortiGate-VM using the CLI.

      The license is installed, and the FortiGate-VM is rebooted.

    4. FortiManager creates a model device that corresponds with the FortiGate. The model device is created in the ADOM that is specified in the onboarding rule.

    5. The FortiGate configures central management settings to use the FortiManager.

    6. FortiManager auto-links the model device to the real FortiGate.

    7. If Install Configuration is enabled in the onboarding rule, the specified configuration is pushed to the FortiGate.

    8. Authorization and registration of the license (if one is provided to FortiGate-VM) is completed.
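The following is an added example, not FortiManager code, modelling two behaviours described above: rule selection, where the first rule in Onboarding Rule table order that is ON and whose matching criteria (Type, Administrator or Pre-shared Key, Platform) are all satisfied is used; and device naming, where a Device Name Prefix of `fgt` yields `fgt_1`, `fgt_2`, ... and an empty prefix falls back to the serial number. Rule names, administrator names, platforms, ADOMs, the pre-shared key and the serial numbers are all constructed for the example.

```python
"""Model of onboarding-rule selection and device naming for automatic
onboarding. Added example, not FortiManager code; all rule and request
values are constructed."""
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class OnboardingRule:
    name: str
    status: bool                            # Status toggle: ON (True) or OFF
    rule_type: str                          # "administrator" or "psk"
    administrator: Optional[str] = None     # REST API admin (administrator type)
    psk: Optional[str] = None               # pre-shared key (psk type)
    platform: str = "All Platforms"
    adom: str = "root"
    device_name_prefix: str = ""


@dataclass
class OnboardingRequest:
    rule_type: str
    platform: str
    serial: str
    administrator: Optional[str] = None
    psk: Optional[str] = None


def rule_matches(rule, req):
    """True only when the rule is ON and every matching criterion holds."""
    if not rule.status:
        return False
    if rule.rule_type != req.rule_type:
        return False
    if rule.platform != "All Platforms" and rule.platform != req.platform:
        return False
    if rule.rule_type == "administrator":
        return rule.administrator is not None and rule.administrator == req.administrator
    if rule.rule_type == "psk":
        # Constant-time comparison so the PSK check does not leak timing.
        return (rule.psk is not None and req.psk is not None
                and hmac.compare_digest(rule.psk, req.psk))
    return False


class OnboardingTable:
    def __init__(self, rules):
        self.rules = list(rules)   # list order == Onboarding Rule table order
        self.counters = {}         # per-prefix counter for <prefix>_<n>

    def select_rule(self, req):
        for rule in self.rules:    # first match in sequence wins
            if rule_matches(rule, req):
                return rule
        return None

    def onboard(self, req):
        rule = self.select_rule(req)
        if rule is None:
            return None
        if rule.device_name_prefix:
            n = self.counters.get(rule.device_name_prefix, 0) + 1
            self.counters[rule.device_name_prefix] = n
            name = f"{rule.device_name_prefix}_{n}"
        else:
            name = req.serial      # blank prefix: device is named by serial
        return {"name": name, "adom": rule.adom, "rule": rule.name}


def build_sample_table():
    """Constructed rule table: a VM rule, a PSK rule, and a rule that is OFF."""
    return OnboardingTable([
        OnboardingRule("flex-vm", True, "administrator", administrator="api-flex",
                       platform="FortiGate-VM64", adom="lab", device_name_prefix="fgt"),
        OnboardingRule("branch-psk", True, "psk", psk="constructed-example-psk",
                       adom="branch"),
        OnboardingRule("catch-all-off", False, "administrator", administrator="api-flex"),
    ])


if __name__ == "__main__":
    table = build_sample_table()
    print(table.onboard(OnboardingRequest("administrator", "FortiGate-VM64",
                                          "FGVMSERIAL0000001", administrator="api-flex")))
```

The disabled third rule shows the Status OFF behaviour: a request that only it would match is rejected rather than onboarded.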
