FortiGate / FortiOS

FortiManager

FortiAnalyzer

Administration Guide

Setting up FortiManager
- Connecting to the GUI
  - FortiManager Setup wizard
  - Activating VM licenses
- Security considerations
- GUI overview
- FortiAnalyzer Features
  - Enable or disable FortiAnalyzer features
- Initial setup
- Restarting and shutting down
FortiManager Key Concepts
- Communication through protocols
- Configuration through Device Manager
- ADOMs and devices
- Operations
- Key features of the FortiManager system
Dashboard
- Customizing the dashboard
- System Information widget
- System Resources widget
- License Information widget
- Unit Operation widget
- Alert Messages Console widget
- Log Receive Monitor widget
- Insert Rate vs Receive Rate widget
- Log Insert Lag Time widget
- Receive Rate vs Forwarding Rate widget
- Disk I/O widget
- Device widgets
- Restart, shut down, or reset FortiManager
Device Manager
- ADOMs
- Device & Groups
- Scripts
- Provisioning Templates
- Firmware templates
- Monitors
- FortiGate chassis devices
  - Viewing chassis dashboard
Policy & Objects
- About policies
  - Policy theory
  - Global policy packages
- Policy workflow
  - Provisioning new devices
  - Day-to-day management of devices
- Feature visibility
- Managing policy packages
- Managing policies
- Using policy blocks
- Managing objects and dynamic objects
- ADOM revisions
- Changing object selection pane display mode
- Applying tags to address objects and policies
SD-WAN Manager
- SD-WAN Network
  - SD-WAN Devices
  - SD-WAN Monitor
- SD-WAN Templates
- SD-WAN overlay orchestration
- SD-WAN rules
- Upgrading FortiManager with SD-WAN devices and templates
AP Manager
- Managed FortiAPs
- WiFi Maps
  - Google map
  - Floor map
- WiFi profiles and settings for central management
- WiFi profiles and settings for per-device management
  - Enabling FortiAP per-device management
  - Creating profiles
VPN Manager
- Overview
- Enabling central VPN management
- DDNS support
- VPN Setup Wizard supports device groups
- IPsec VPN
- Agentless VPN
- VPN security policies
  - Defining policy addresses
  - Defining security policies
- VPN CLI configurations
FortiView
Fabric View
- Security Fabric Topology
- Security Rating
  - Viewing Security Fabric Ratings
  - Security Fabric score
- Fabric Connectors
  - Core Network Security
    - Creating FortiClient EMS connectors
  - Other Fortinet Products
    - Creating a FortiAIOps connector
    - Creating a FortiTelemetry agent connector
- External Connectors
- Cloud Orchestration
FortiAI
- Enabling administrator access to FortiAI
  - Role-based access control for FortiAI
- Using FortiAI
- FortiAI agents
- FortiAI data privacy
- FortiAI tokens
- FortiAI example tasks
- Submitting feedback for FortiAI
FortiGuard
- Device licenses
  - View licensing status
- Package management
- Query services
- Firmware images
- External resources
- Settings
- Using FortiManager as a local FDS
- Configuring FortiGuard services
- Logging events related to FortiGuard services
  - Logging FortiGuard antivirus and IPS updates
  - Logging FortiGuard web or email filter events
- Restoring the URL or antispam database
FortiSwitch Manager
- Managed FortiSwitches
- FortiSwitch central management
  - Enabling FortiSwitch central management
  - FortiSwitch Templates
- FortiSwitch per-device management
Extender Manager
- Managed extenders
  - Managing FortiExtender devices
- Extender profiles
  - FortiExtender profiles
  - Using Fortinet recommended extender profiles
- Data plans
- FortiExtender SSIDs
- Preview the JSON API or CLI script for Extender Manager configurations
System Settings
- Logging Topology
- Network
- RAID Management
- Administrative Domains (ADOMs)
- Fabric Management
- Certificates
- Event Log
  - Event log filtering
- Task Monitor
- Mail Server
- Syslog Server
  - Send local logs to syslog server
- Meta Fields
- Device logs
  - Configuring rolling and uploading of logs using the GUI
  - Configuring rolling and uploading of logs using the CLI
- Miscellaneous Settings
Administrators
- Trusted hosts
- Monitoring administrators
- Disconnecting administrators
- Managing administrator accounts
- Restricted administrators
- Administrator profiles
- Workspace settings
- Authentication
- Global administration settings
- Multi-factor authentication
  - Multi-factor authentication with FortiAuthenticator
    - Configuring FortiAuthenticator
    - Configuring FortiManager
  - Multi-factor authentication with FortiToken Cloud
High Availability
- Synchronizing the FortiManager configuration and HA heartbeat
- If the primary or a backup unit fails
- FortiManager HA cluster startup steps
- Configuring HA options
- Monitoring HA status
- Upgrading the FortiManager firmware for an operating cluster
Appendix A - Supported RFC Notes
Appendix B - Policy ID support
Appendix C - FortiManager Ansible Collection documentation
Appendix D - FortiAI token entitlements for FortiManager
Appendix E - VM license migration
Change Log

Home FortiManager 8.0.0 Administration Guide

8.0.0

Role-based access control for provisioning templates and scripts

In the following example, there are two administrator levels: Level 1 and Level 2. Level 1 administrators are tasked with the creation and maintenance of provisioning templates and scripts, whereas Level 2 administrators are responsible for the assignment and installation of those scripts/templates to FortiGate devices, but should not have access to make changes to the script or template itself.

In order to create administrative profiles that can be applied to Level 1 and Level 2 administrators to grant them the appropriate capabilities, the following permissions are used:

Provisioning Templates	This permission determines an administrators ability to create, edit, delete and assign provisioning templates to devices. When set to Read-Write, administrators can create, edit, and delete provisioning templates. When set to Read-Only, administrators can only view existing provisioning templates in read-only mode.
Assign to Device	This permission determines an administrators ability to assign provisioning templates to devices. When set to Read-Write, administrators can assign provisioning templates to devices. When set to Read-Only, administrators cannot assign provisioning templates to devices.
Script Access	This permission determines an administrators ability to create, edit, delete, and assign scripts. When set to Read-Write, administrators can create, edit, delete and assign scripts. When set to Read-Only, administrators can only view existing scripts in read-only mode.
Execute Script	This permission determines an administrators ability to assign and execute scripts: When set to Read-Write, administrators can execute scripts on devices. When set to Read-Only, administrators cannot execute scripts.

The functioning of the permissions above will only work when other permissions related to the desired task are also set to the appropriate permission level. For example, in order to execute scripts against the Device Database or Remote FortiGate Directly (via CLI), you must also set the Manage Device Configurations permission to Read-Write.

For example, the following permissions can be used for the Level 1 administrator to allow them to manage provisioning templates and scripts without being able to assign and execute them:

Provisioning Template: Read-Write
Assign to Device: Read-Only
Script Access: Read-Write
Execute Script: Read-Only

The following permissions can be used for the Level 2 administrator to allow them to have read-only access to provisioning templates and scripts but allow them to assign/execute them:

Provisioning Template: Read-Only
Assign to Device: Read-Write
Script Access: Read-Only
Execute Script: Read-Write

Using this combination of permissions for each administrator profile can ensure that Level 1 administrators have full access to configure and modify provisioning template and scripts, and Level 2 administrators retain only essential access required to install templates and execute scripts.