FortiManager Install Guide - Fortinet Knowledge...

FortiManager™

Version 4.0 MR1Install Guide

FortiManager Install GuideVersion 4.0 MR115 September 200902-401-0436-20090915

© Copyright 2009 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.

TrademarksDynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate®, FortiGate Unified Threat Management System, FortiGuard®, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager, Fortinet®, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Regulatory complianceFCC Class A Part 15 CSA/CUS

CAUTION: Risk of Explosion if Battery is replaced by an Incorrect Type. Dispose of Used Batteries According to the Instructions.

Contents

F0h

ContentsIntroduction .............................................................................................. 5Register your FortiManager system.............................................................................. 5

About the FortiManager system .................................................................................... 5

Management tools........................................................................................................... 6

About this document ...................................................................................................... 6Document conventions ............................................................................................... 7

FortiManager documentation......................................................................................... 7

Fortinet Tools and Documentation CD ......................................................................... 8

Installing ................................................................................................. 11Environmental specifications ...................................................................................... 11

Cautions and warnings................................................................................................. 11Grounding................................................................................................................. 11Rack mount instructions ........................................................................................... 12

Mounting ........................................................................................................................ 12FortiManager-100 ..................................................................................................... 12FortiManager-400A and FortiManager-400B............................................................ 12FortiManager-3000 ................................................................................................... 13

Mounting the FortiManager-3000B .............................................................................. 15Disassembling the slide rail ...................................................................................... 15Attaching the slide rail to the FortiManager unit ....................................................... 16Mounting the FortiManager unit................................................................................ 16

Plugging in the FortiManager ...................................................................................... 17FortiManager-100 ..................................................................................................... 17FortiManager-400A/400B ......................................................................................... 17FortiManager-3000 and FortiManager-3000B .......................................................... 18Connecting to the network ........................................................................................ 18

Turning off the FortiManager system.......................................................................... 18

Configuring............................................................................................. 19Connecting to the FortiManager system .................................................................... 19

Connecting to the web-based manager.................................................................... 19Connecting to the CLI ............................................................................................... 20

Configuring the FortiManager system for the network ............................................. 21Using the web-based manager................................................................................. 21

Device support .............................................................................................................. 23

Adding a FortiGate unit ................................................................................................ 23Register the FortiGate unit........................................................................................ 23Configure the FortiGate unit ..................................................................................... 24Add the FortiGate unit in FortiManager .................................................................... 24

ortiManager Version 4.0 MR1 Install Guide2-401-0436-20090915 3ttp://docs.fortinet.com/ • Feedback

http://docs.fortinet.com/

http://docs.fortinet.com/surveyredirect.html

Contents

Adding a FortiClient installation.................................................................................. 24

Adding a FortiAnalyzer unit ......................................................................................... 25

Backing up the configuration ...................................................................................... 25

Restoring a configuration ............................................................................................ 26

Backup and restore considerations ............................................................................ 26

Additional configuration............................................................................................... 27Set the time and date................................................................................................ 27Set the Administrator password................................................................................ 27Configure FortiGuard ................................................................................................ 28

Firmware ................................................................................................. 29Backing up the FortiManager....................................................................................... 29

Backing up the configuration .................................................................................... 29

Upgrading the firmware using the web-based manager ........................................... 29

Upgrading the firmware using the CLI ........................................................................ 29

Installing firmware images from a system reboot using the CLI.............................. 30

FortiManager Version 4.0 MR1 Install Guide4 02-401-0436-20090915

http://docs.fortinet.com/ • Feedback



Introduction Register your FortiManager system

F0h

IntroductionThe FortiManager system is an integrated platform for centralized management of Fortinet devices and FortiClient installations across a local network or across the country. The FortiManager system provides a one-stop location to configure and control network protection throughout your corporation.This chapter introduces you to the FortiManager system and outlines additional resources for further reading.This chapter contains the following topics:• Register your FortiManager system• About the FortiManager system• About this document• FortiManager documentation• Customer service and technical support

Register your FortiManager systemBefore your begin, take a moment to register your FortiManager system by visiting http://support.fortinet.com and select Product Registration.To register, enter your contact information and the serial numbers of the FortiManager system that you or your organization have purchased. By registering your FortiManager system, you will receive antivirus and IPS updates and will also ensure your access to technical support, as well as access to new firmware releases.

About the FortiManager systemThe FortiManager system is an integrated management platform that enables organizations of any size to easily manage Fortinet products. The FortiManager system minimizes the administrative effort required to deploy, configure, and maintain the full range of network protection services to FortiGate units and FortiClient installations throughout your organization. The FortiManager form factor eases deployment and provides increased security and reliability. FortiManager also integrates seamlessly with FortiAnalyzer to complete the Fortinet central management solution; providing centralized logging and reporting services for Fortinet security networks.Using the FortiManager system, you can:• configure multiple FortiGate and FortiMail units and FortiClient PCs,• configure and manage the FortiGate VPN policies,• monitor the status of multiple FortiGate units,• view and analyze the FortiGate logs,• update the virus and attack signatures,• provide web filtering and antispam service to the licensed FortiGate units as a local

Fortinet Distribution Network (FDN) server.• update the firmware images of the managed FortiGate units.


http://www.support.fortinet.com

http://support.fortinet.com



Management tools Introduction

• provide web portals for remote administrators and clients.The FortiManager System scales to manage up hundreds of FortiGate units and FortiClient PCs simultaneously. It is designed for large enterprises and managed security service providers. FortiManager system architecture emphasizes reliability, scalability, ease of use, and easy integration with third-party systems.

Management toolsThere are three ways to manage and configure the FortiManager system and/or the devices that it manages.

Web-based managerYou can use the FortiManager web-based manager to manage and configure FortiGate units, FortiMail units, FortiAnalyzer units, and FortiClient PCs as well as to view unit configuration, status, system health, and real time logs. The FortiManager web-based manager supports role-based administration. Permissions and device access can be set individually for each manager account added to the FortiManager web-based manager.Administrators with read and write access can view the configuration, health status and logs, and can change the configurations of the managed devices assigned to them. The FortiManager web-based manager also allows these users to remotely upgrade FortiGate unit firmware and virus and attack definitions.

Command Line InterfaceYou can also use the Command Line Interface (CLI) to access and manage the FortiManager system and other devices that it manages. For detailed information about using the CLI, see the FortiManager CLI Reference.

The control buttons and LCDYou can use the control buttons and LCD of the FortiManager system to configure the FortiManager system IP address and netmask.

About this documentThis Install Guide provides you the information on how to install, set up and administer the FortiManager system and perform basic configurations to FortiGate units and FortiClient PCs.This document contains the following chapters:• Installing - describes how to mount the FortiManager system and includes information

regarding environmental specifications and warnings. • Configuring - describes how to access the operating system and configure the

FortiManager system onto your network, and how to add devices to the system to get you started.

• Firmware - describes how to upgrade the firmware for the FortiManager system using the web-based manager or CLI.





Introduction FortiManager documentation

F0h

Document conventionsThe following document conventions are used in this guide:• In the examples, private IP addresses are used for both private and public IP

addresses.• Notes and Cautions are used to provide important information:

Typographic conventionsFortinet documentation uses the following typographical conventions:

FortiManager documentationThe most up-to-date publications and previous releases of Fortinet product documentation are available from the Fortinet Technical Documentation web site at http://docs.fortinet.com. The following FortiManager product documentation is available:

Note: Highlights useful additional information.

Caution: Warns you about commands or procedures that could have unexpected or undesirable results including loss of data or damage to equipment.

Table 1: Typographic conventions

Convention ExampleMenu commands Select Group > Add Group from the main menu to create a device

group.

Keyboard input Select Create New, add the list entry for the selected list according to the following table, and then select OK.

Code examples config fmsystem adminsettingset verify_serial_number enable

end

CLI command syntax config router staticedit 1

set device "port1"set gateway 172.20.120.2

nextend

Document names FortiManager Administration Guide

File content <HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD><BODY><H4>You must authenticate to use this service.</H4>

Program output Welcome!

Variables <hostname>


http://docs.forticare.com



Fortinet Tools and Documentation CD Introduction

• FortiManager Administration GuideThis document describes how to set up the FortiManager system and use it to manage FortiGate units, FortiMail units, FortiAnalyzer units, and FortiClient PCs. It includes information on how to configure multiple FortiGate units, FortiAnalyzer units, and FortiClient PCs, configuring and managing the FortiGate VPN policies, monitoring the status of the managed devices, viewing and analyzing the FortiGate logs, updating the virus and attack signatures, providing web filtering and antispam service to the licensed FortiGate units as a local Fortinet Distribution Network (FDN) server, and updating the firmware images of the managed FortiGate units.

• FortiManager System QuickStart GuideThis document is included with your FortiManager system package. Use this document to install and begin working with FortiManager system and FortiManager web-based manager.

• FortiManager online helpYou can get online help from the FortiManager web-based manager. FortiManager online help contains detailed procedures for using the FortiManager web-based manager to configure and manage FortiGate units.

• FortiManager CLI ReferenceThis document describes how to use the FortiManager CLI and contains a reference to all FortiManager CLI commands.

• FortiManager Installation GuideThis document describes how to install a FortiManager system. Includes a hardware reference, default configuration information, installation procedures, connection procedures, and basic configuration procedures.

• FortiManager Release NotesThis document describes the new features and enhancements in the FortiManager system since the last release and lists the resolved and known issues.

• FortiManager Log Message Reference GuideThe FortiManager Log Message Reference Guide describes the structure of FortiManager log messages and provides information about the log messages that are generated by the FortiManager system.

Fortinet Tools and Documentation CDAll Fortinet documentation is available from the Fortinet Tools and Documentation CD shipped with your Fortinet product. The documents on this CD are current at shipping time. For up-to-date versions of Fortinet documentation, see the Fortinet Technical Documentation web site at http://docs.fortinet.com.

Fortinet Knowledge Base Additional Fortinet technical documentation is available from the Fortinet Knowledge Base. The knowledge center contains troubleshooting and how-to articles, FAQs, technical notes, and more. Visit the Fortinet Knowledge Base at http://kb.fortinet.com.



http://docs.forticare.com



http://kc.forticare.com

Introduction Fortinet Tools and Documentation CD

F0h

Comments on Fortinet technical documentationPlease send information about errors or omissions in this document or any Fortinet technical documentation to [email protected].

Customer service and technical supportFortinet Technical Support provides services designed to make sure that your Fortinet systems install quickly, configure easily, and operate reliably in your network. Please visit the Fortinet Technical Support web site at http://support.fortinet.com to learn about the technical support services that Fortinet provides.





Fortinet Tools and Documentation CD Introduction





Installing Environmental specifications

F0h

InstallingThis chapter describes installing your FortiManager system in your server room, environmental specifications and how to mount the FortiManager system in a standard 19” rack if applicable.This chapter contains the following topics:• Environmental specifications• Cautions and warnings• Mounting• Plugging in the FortiManager• Turning off the FortiManager system

Environmental specifications• Operating temperature: 32 to 104°F (0 to 40°C)

If you install the FortiManager system in a closed or multi-unit rack assembly, the operating ambient temperature of the rack environment may be greater than room ambient temperature. Therefore, make sure to install the equipment in an environment compatible with the manufacturer's maximum rated ambient temperature.

• Storage temperature: -13 to 158°F (-25 to 70°C)• Humidity: 5 to 90% non-condensing• Air flow - For rack installation, make sure that the amount of air flow required for safe

operation of the equipment is not compromised.• For free-standing installation, make sure that the appliance has at least 1.5 in. (3.75

cm) of clearance on each side to allow for adequate air flow and cooling.This device complies with part FCC Class A, Part 15, UL/CUL, C Tick, CEand VCCI. Operation is subject to the following two conditions:• This device may not cause harmful interference, and• This device must accept any interference received, including interference that may

cause undesired operation.

Cautions and warningsReview the following cautions before installing your FortiManager system.

Grounding• Ensure the FortiManager system is connected and properly grounded to a lightning

and surge protector. LAN connections that enter the premises from outside the building should be connected to an Ethernet CAT5 (10/100 Mb/s) surge protector.

• Shielded Twisted Pair (STP) Ethernet cables should be used whenever possible rather than Unshielded Twisted Pair (UTP).

• Do not connect or disconnect cables during lightning activity to avoid damage to the FortiManager system or personal injury.




Mounting Installing

Rack mount instructionsElevated Operating Ambient - If installed in a closed or multi-unit rack assembly, the operating ambient temperature of the rack environment may be greater than room ambient temperature. Therefore, consideration should be given to installing the equipment in an environment compatible with the maximum ambient temperature (Tma) specified by the manufacturer.Reduced Air Flow - Installation of the equipment in a rack should be such that the amount of air flow required for safe operation of the equipment is not compromised.Mechanical Loading - Mounting of the equipment in the rack should be such that a hazardous condition is not achieved due to uneven mechanical loading.Circuit Overloading - Consideration should be given to the connection of the equipment to the supply circuit and the effect that overloading of the circuits might have on overcurrent protection and supply wiring. Appropriate consideration of equipment nameplate ratings should be used when addressing this concern.Reliable Earthing - Reliable earthing of rack-mounted equipment should be maintained. Particular attention should be given to supply connections other than direct connections to the branch circuit (e.g. use of power strips).If required to fit into a rack unit, remove the rubber feet from the bottom of the FortiManager system.

MountingThis section describes how to place or mount your FortiManager system. Depending on your model, the instructions vary.

FortiManager-100Adhere the rubber feet included in the package to the underside of the FortiManager system, near the corners of the device if not already affixed.Place the FortiManager system on any flat, stable surface. Ensure the unit has sufficient clearance on each side to ensure adequate airflow for cooling.

FortiManager-400A and FortiManager-400BThe FortiManager system can be placed on any flat surface, or mounted in a standard 19-inch rack unit.When placing the FortiManager system on any flat, stable surface, ensure the unit has sufficient clearance on each side to ensure adequate airflow for cooling.For rack mounting, use the mounting brackets and screws included with the FortiManager system.

To install the FortiManager unit into a rack1 Attach the mounting brackets to the side to the unit so that the brackets are on the front

portion of the FortiManager system. Ensure that the screws are tight and not loose.The following photos illustrate how the brackets should be mounted. Note that the screw configuration may vary.

Caution: To avoid personal injury, you may require two or more people to install the FortiManager system in the rack.





Installing Mounting

F0h

Figure 1: Installed mounting brackets

2 Position the FortiManager system in the rack to allow for sufficient air flow.3 Line up the mounting bracket holes to the holes on the rack, ensuring the FortiManager

system is level.4 Finger tighten the screws to attach the FortiManager system to the rack.5 Once you verify the spacing of the FortiManager system and that it is level, tighten the

screws with a screwdriver. Ensure that the screws are tight and not loose.The following photos illustrate how the mounting brackets and FortiManager system should be attached to the rack.

Figure 2: Mounting in a rack

FortiManager-3000The FortiManager system can be placed on any flat surface, or mounted in a standard 19-inch rack unit.When placing the FortiManager system on any flat, stable surface, ensure the unit has sufficient clearance on each side to ensure adequate airflow for cooling.For rack mounting, use the mounting brackets and screws included with the FortiManager system.

Caution: To avoid personal injury, you may require two or more people to install the unit in the rack.




Mounting Installing

To install the FortiManager system into a rack1 Attach the mounting brackets to the side to the unit so that the brackets are on the front

portion of the FortiManager system. Ensure that the screws are tight and not loose.The following photos illustrate how the brackets should be mounted. Note that the screw configuration may vary depending on your FortiManager system.

Figure 3: Installed mounting brackets

2 Position the FortiManager system in the rack to allow for sufficient air flow.3 Line up the mounting bracket holes to the holes on the rack, ensuring the FortiManager

system is level.4 Finger tighten the screws to attach the FortiManager system to the rack.5 Once you verify the spacing of the FortiManager system and that it is level, tighten the

screws with a screwdriver. Ensure that the screws are tight and not loose.The following photos illustrate how the mounting brackets and FortiManager system should be attached to the rack.

Figure 4: Mounting in a rack





Installing Mounting the FortiManager-3000B

F0h

Mounting the FortiManager-3000BTo mount the FortiManager unit on a 19 in rack or cabinet, use the slide rails included with the product. The rails enable you to safely pull the FortiManager units out from the rack to access the back or top of the unit.

Mounting requires three steps:• disassembling the slide rail from the rail housing• attaching the slide rail to the sides of the FortiManager unit• mounting the FortiManager unit to the rack or cabinet.

Disassembling the slide railThe slide rail assembly has two moving rails within the rail housing. You need to remove the innermost rail. This rail will attach to the sides of the FortiManager unit.

Figure 5: FortiManager side rail

To remove the side rail1 Open the slide rails package and remove the rails.2 Extend the slide rail and locate the slide rail lock on the inside of the top sliding rail.

Caution: To avoid personal injury or damage to the FortiManager unit, it is highly recommended a minimum of two people perform this procedure.

Rail housing Sliding Rail

Rail Lock




Mounting the FortiManager-3000B Installing

3 Pull down on the lock while pulling the rail completely out of the slide rail assembly.

4 Repeat these steps for the other slide rail assembly.

You will attach this part to the side of the FortiManager unit.

Attaching the slide rail to the FortiManager unitAttach the disconnected slide rails from the previous step to the sides of the FortiManager unit. Align the holes of the slide rail with the mounting holes on the sides of the FortiManager unit. Use the screws provided with the slide rail package, being sure to securely fasten the rail to the FortiManager chassis.

Mounting the FortiManager unitMounting the FortiManager-3000B is a two step process. First, you must attached the slide rail housing to the rack or cabinet, then insert the FortiManager unit.





Installing Plugging in the FortiManager

F0h

To mount the FortiManager unit1 Mount the slide rail housing to the rack or cabinet frame. Adjust the outside L-shaped

brackets for a proper fit. Ensure that both housings are level to ensure the FortiManager unit can easily glide into place and is level.

2 Use the screws and additional L-brackets (if required) to securely fasten the housing.3 Position the FortiManager unit so that the back of the unit is facing the rack or cabinet,

and the slide rails affixed in the previous step line up with the slide rail housing.4 Gently push the FortiManager unit into the rack or cabinet. You will hear a click when

the slide rail lock has been engaged.5 Push the FortiManager unit until it is fully inserted into the rack.

Plugging in the FortiManagerUse the following steps to connect the power supply to the FortiManager system.

FortiManager-100The FortiManager-100 does not have an on/off switch.

To power on the FortiManager system 1 Connect the AC adapter to the power connection at the back of the FortiManager

system.2 Connect the AC adapter to the power cable.3 Connect the power cable to a power outlet.

The FortiManager system starts and the Power and Status LEDs light up. The Status LEDs flash while the FortiManager system starts up, and remain lit when the system is running.

FortiManager-400A/400BUse the following steps to connect the power supply to the FortiManager system.

To power on the FortiManager system1 Ensure the power switch, located at the back of the FortiManager system is in the off

position, indicated by the “O”.2 Connect the power cord at the back of the FortiManager system.3 Connect the power cable to a power outlet.4 Set the power switch on the back left of the FortiManager system to the on position

indicated by the “I”.After a few seconds, SYSTEM STARTING appears on the LCD. The main menu setting appears on the LCD when the system is running.




Turning off the FortiManager system Installing

FortiManager-3000 and FortiManager-3000BThe FortiManager-3000 and FortiManager-3000B does not have an on/off switch.

To power on the FortiManager system1 Connect the power cables to the power connections on the back of the FortiManager

system. 2 Connect the power cables to power outlets.

Each power cable should be connected to a different power source. If one power source fails, the other may still be operative.

After a few seconds, SYSTEM STARTING appears on the LCD. The main menu setting appears on the LCD when the system is running.The FortiManager system starts and the Power LED lights up and remains lit when the system is running.

Connecting to the networkUsing the supplied Ethernet cable, connect one end of the cable to your router or switch, connect the other end to port 1 on the FortiManager system.

Turning off the FortiManager systemAlways shut down the FortiManager operating system properly before turning off the power switch to avoid potential hardware problems.

To power off the FortiManager system1 In System Settings, go to General > Dashboard.2 In the Unit Operation display, select Shutdown, or from the CLI enter:

execute shutdown

3 Disconnect the power cables from the power supply.

Note: If only one power supply is connected, an audible alarm sounds to indicate a failed power supply. Press the red alarm cancel button on the rear panel next to the power supply to stop the alarm.

Caution: The FortiManager-3000B has a reset button on the front panel. DO NOT press this button unless you have performed the above steps. By pressing the reset button, the RAID will not shut down properly and can cause the RAID to re-calculate parity block and potentially lose data.





Configuring Connecting to the FortiManager system

F0h

ConfiguringThis chapter describes how to configure the FortiManager system. There are two ways you can configure the FortiManager system, using the web-based manager or the command line interface (CLI). This section will step through using both methods. Use whichever you are most comfortable with.This chapter includes the following topics: • Connecting to the FortiManager system• Configuring the FortiManager system for the network• Adding a FortiGate unit• Adding a FortiClient installation• Backing up the configuration• Restoring a configuration• Additional configuration

Connecting to the FortiManager systemTo configure, maintain and administer the FortiManager system, you need to connect to it. There are two methods for these tasks:• using the web-based manger, a GUI interface using a current web browser such as

FireFox or Internet Explorer.• using the command line interface (CLI), a command line interface similar to DOS or

UNIX commands using an SSH terminal or Telnet terminal.

Connecting to the web-based managerTo connect to the web-based manager, you require: • a computer with an Ethernet connection• a web browser such as FireFox or Microsoft Internet Explorer version 6.0 or higher• an Ethernet cable connected directly to the management computer and FortiManager

system, or an Ethernet hub and two Ethernet cables

To connect to the web-based manager1 Set the IP address of the management computer to the static IP address 192.168.1.2

with a netmask of 255.255.255.0.2 Using an Ethernet cable, connect the internal interface of the Fortinet unit to the

computer Ethernet connection.




Connecting to the FortiManager system Configuring

3 Start Internet Explorer and browse to the address https://192.168.1.99. (remember to include the “s” in https://).To support a secure HTTPS authentication method, the FortiManager system ships with a self-signed security certificate, which is offered to remote clients whenever they initiate a HTTPS connection to the FortiManager system. When you connect, the FortiManager system displays two security warnings in a browser. The first warning prompts you to accept and optionally install the FortiManager system’s self-signed security certificate. If you do not accept the certificate, the FortiManager system refuses the connection. If you accept the certificate, the FortiManager system login page appears. The credentials entered are encrypted before they are sent to the FortiManager system. If you choose to accept the certificate permanently, the warning is not displayed again. Just before the FortiManager system page is displayed, a second warning informs you that the FortiManager certificate distinguished name differs from the original request. This warning occurs because the FortiManager system redirects the connection. This is an informational message. Select OK to continue logging in.

4 Type admin in the Name field and select Login.

Connecting to the CLITo connect to the FortiGate CLI you require: • a computer with an available communications port• a serial cable, either a RJ-45 to DB-9 or null modem cable, whichever was included in

your FortiManager package• terminal emulation software such as HyperTerminal for Microsoft Windows

To connect to the CLI1 Connect the serial cable to the communications port of your computer and to the

FortiGate console port. 2 Start HyperTerminal, enter a name for the connection and select OK. 3 Configure HyperTerminal to connect directly to the communications port on your

computer and select OK. 4 Select the following port settings and select OK:

5 Press Enter to connect to the FortiGate CLI.6 When the login prompt appears, type admin and press Enter twice. Type ? to list available commands. For information about how to use the CLI, see the FortiManager CLI Reference.

Note: The following procedure uses Microsoft Windows HypterTerminal software. You can apply these steps to any terminal emulation program.

Bits per second 9600

Data bits 8

Parity None

Stop bits 1

Flow control None





Configuring Configuring the FortiManager system for the network

F0h

Configuring the FortiManager system for the networkConfiguring FortiManager system to connect to your network involves defining an interface address and default routes. You can use the web-based manager or the CLI to configure the FortiManager system.

Using the web-based managerAfter connecting to the web-based manager, you can use the following procedures to complete the basic configuration of the FortiManager system. Ensure you read the section “Connecting to the web-based manager” on page 19 before beginning.

Configure the interfacesWhen shipped, the FortiManager system has a default address of 192.168.1.99 and a netmask of 255.255.255.0. for port 1. You need to configure this port for use on your network.

To configure an interface — web-based manager1 Go to System Settings > Network > Interface.2 Select port1 and complete the following:

3 Select OK.

To configure an interface — CLIconfig fmsystem interfaceedit <port_num>set status {up | down}set ip <interface_ip> <netmask_ip>set allowaccess {http | https | ping | ssh | telnet}set serviceaccess {antispam | fclupdates | fgtupdates |

webfilter}end

Enable Select to enable the port for network communications.

IP Address/Netmask

Enter the IP address and netmask for the port.

Administrative Access

Select the types of administrative access permitted on this interface.HTTP - Allow HTTP connections to the web-based manager through this interface. HTTP connections are not secure and can be intercepted by a third party.HTTPS - Allow secure HTTPS connections to the web-based manager through this interface.PING - Interface responds to pings. Use this setting to verify your installation and for testing.SSH - Allow SSH connections to the CLI through this interface.Telnet - Allow Telnet connections to the CLI through this interface. Telnet connections are not secure and can be intercepted by a third party.SNMP - Allow SNMP traps using the port.

Service Access Select the FortiGuard services which the FortiManager unit can access through the port.

Note: If you change the IP address of the interface you are connecting to, you must connect through a web browser again using the new address. Browse to https:// followed by the new IP address of the interface. If the new IP address of the interface is on a different subnet, you may have to change the IP address of your computer to the same subnet.




Configuring the FortiManager system for the network Configuring

Configure a DNS serverA DNS server is a service that converts symbolic node names to IP addresses. A domain name server (DNS server) implements the protocol. In simple terms, it acts as a phone book for the Internet. A DNS server matches domain names with the computer IP address. This enables you to use readable locations, such as fortinet.com when browsing the Internet.DNS server IP addresses are typically provided by your internet service provider.

To configure DNS server settings — web-based manager1 Go to System Settings > Network > DNS.2 Enter a primary and secondary DNS IP address.3 Select OK.

To configure DNS server settings — CLIconfig fmsystem dnsset primary <address_ip>set secondary <address_ip>

end

Adding a default route and gatewayA route provides the FortiManager system with the information it needs to forward a packet to a particular destination. A static route causes packets to be forwarded to a destination other than the default gateway. You define static routes manually. Static routes control traffic exiting the FortiManager system-you can specify through which interface the packet will leave and to which device the packet should be routed.In the factory default configuration, entry number 1 in the Static Route list is associated with a destination address of 0.0.0.0/0.0.0.0, which means any/all destinations. This route is called the “static default route”. If no other routes are present in the routing table and a packet needs to be forwarded beyond the FortiManager system, the factory configured static default route causes the FortiManager system to forward the packet to the default gateway.For an initial configuration, you must edit the factory configured static default route to specify a different default gateway for the FortiManager system. This will enable the flow of data through the FortiManager system.For details on adding additional static routes, see the FortiManager Administration Guide.

To modify the default gateway — web-based manager1 Go to System Settings> Network > Static Routing.2 Set the following:

3 Select OK.

Destination/Mask Enter the destination IP address and netmask for the routing.

Gateway Enter the default gateway IP address.

Interface Select the port number for this routing.





Configuring Device support

F0h

To modify the default gateway — CLIconfig fmsystem routeedit <route_num>set device <interface>set dst <interface_ip> <netmask_ip>set gateway <interface_ip>

end

Device supportTo help with scaling guidelines, the table below outlines the number of FortiGate, FortiAnalyzer units and FortiClient installations supported by each FortiManager system. FortiGate units includes registered and unregistered devices. The FortiManager system supports one FortiAnalyzer unit.

To help with scaling guidelines, the FortiManager system displays a warning message when adding a high end FortiGate unit (FortiGate-1000 or higher) to a low end FortiManager unit (FortiManager-400A or lower). This does not prevent you from continuing, and you can still add the device and manage it. There is no impact in functionality or ability to manage high end units.The Update Manager on low end FortiManager systems support IPS and AntiVirus updates only. High end FortiManager systems support all update services.

Adding a FortiGate unitBefore adding a FortiGate unit to the FortiManager system, you must complete a few steps on the FortiGate unit. These steps ensure that the FortiGate unit will be able to receive updated antivirus and IPS updates, and allow remote management through the FortiManager system.You can add a FortiGate unit whether it is running in either NAT/Route mode or Transparent mode.

Register the FortiGate unitIf you have not already done so, register the Fortinet unit by visiting http://support.fortinet.com and select Product Registration.By registering your Fortinet unit, you will receive updates to threat detection and prevention databases (Antivirus, Intrusion Detection, etc.) and will also ensure your access to technical support.

Table 2: FortiManager scaling guidelines

FortiGate or VDOMs

FortiGate Models

FortiAnalyzerModels

FortiClient Installations

FortiManager-100 10 50A - 224B 100 - 400 100

FortiManager-400 100 50A - 800 100 - 800 1000

FortiManager-400AFortiManager-400B

200 50A - 800 100 - 2000A 2000

FortiManager-3000FortiManager-3000B

500 All All 5000


http://www.support.fortinet.com




Adding a FortiClient installation Configuring

Configure the FortiGate unitYou must enable the FortiGate management option so the FortiGate unit can accept management updates to firmware, antivirus signatures and IPS signatures.

To configure the FortiGate unit1 Log in to the FortiGate unit.2 Go to System > Admin > Central Management.3 Select Enable Central Management.4 Select FortiManager as the Type.5 Enter the IP address for the FortiManager system.6 Select Apply.

Add the FortiGate unit in FortiManagerAdd a FortiGate unit to the FortiManager system in the Device Manager. Ensure you have completed the above steps before preceding.

To add a FortiGate unit1 Select Add Device from the Main menu at the top of the FortiManager web-based

manager.2 Complete the following information and select Discover:

The FortiManager system searches for the IP address and returns the information for the FortiGate unit.

For more information on managing FortiGate units using the FortiManager system, see the FortiManager Administration Guide.

Adding a FortiClient installationTo add FortiClient PCs to the FortiManager system, you configure the FortiManager system to search the network for PCs running FortiClient software. The FortiManager system can search for a single PC or the network for any FortiClient installations.

To search and add FortiClient PCs1 Go to FortiClient Manager > Client/Group > Client.2 Select Add Client from the Main menu at the top of the screen.3 To search for a single PC, select Lookup single client and enter the IP address.4 To search multiple PCs, select Scan attached network(s).5 Select the interface through which the FortiManager unit is connected to the

network(s).

IP Address Enter the IP address of the FortiGate unit.

Name Enter a name for the FortiGate unit to identify its model or location.

Device Type Select FortiGate from the drop-down list.

Admin user If the admin administrator user name is different than the default admin, select Other and enter the administrator login name for the FortiGate unit.

Password Enter the password for the admin user. Remember that passwords are case-sensitive.





Configuring Adding a FortiAnalyzer unit

F0h

6 Select Search.The FortiManager system lists the discovered PCs with hostnames and IP addresses.

7 Select the PCs from the list by selecting the check box next to the PC and selecting Add to Managed.To add all the discovered PCs, select the check box at the top and select Add to Managed.

For more information on managing FortiClient installations, see the FortiManager Administration Guide.

Adding a FortiAnalyzer unitYou can add a FortiAnalyzer unit to the FortiManager system. From FortiManager, you can configure and administer the FortiAnalyzer unit and log to the unit.FortiAnalyzer units receive remote management connection from a FortiManager device. Remote management connection requirements include:• a web-based manager connection from your computer to both the FortiManager and

FortiAnalyzer units• enable WEBSERVICES for the FortiAnalyzer network interface networked to the

FortiManager unit• register the FortiManager device with the FortiAnalyzer unit's device list with proper

permissions• register the FortiAnalyzer device with the FortiManager unit, providing the admin

administrator account password

To add a FortiAnalyzer unit1 Select Add Device from the Main menu at the top of the FortiManager web-based

manager.2 Complete the following information and select Discover:

The FortiManager system searches for the IP address and returns the information for the FortiManager unit.

Backing up the configurationOnce you have determined your FortiManager system is configured and working correctly, it is extremely important that you back up your configuration. By backing up the configuration, you ensure that if you need to reset the FortiManager system for whatever reason, you will be able to quickly return it to operation with minimal effort.

IP Address Enter the IP address of the FortiAnalyzer unit.

Name Enter a name for the FortiAnalyzer unit to identify its model or location.

Device Type Select FortiAnalyzer from the drop-down list.

Admin user If the admin administrator user name is different than the default admin, select Other and enter the administrator login name for the FortiAnalyzer unit.

Password Enter the password for the admin user. Remember that passwords are case-sensitive.




Restoring a configuration Configuring

To back up the FortiManager system configuration1 Go to System Settings, General > Backup & Restore.2 Select the Backup icon.The FortiManager system backs up the configuration file to memory, downloads a backup file and updates the table to indicate when the last backup occurred.It is a good practice to backup the FortiManager configuration after any modification to any of the FortiManager settings.Alternatively, you can configure the FortiManager system to perform scheduled backups of the configuration and upload the file to an FTP or SFTP server.

To configure a scheduled backup1 Go to System Settings, General > Backup & Restore.2 Select the Scheduled Backup icon.3 Select Enable.4 Complete the following and select OK

Alternatively, before performing an upgrade to the firmware, ensure you backup the configuration before upgrading. Should anything happen during the upgrade that changes the configuration, you can easily restore the saved configuration.

Restoring a configurationShould you need to restore the configuration file, use the following steps.

To restore the FortiManager configuration1 Go to System Settings, General > Backup & Restore.2 Select the Restore icon.3 Select Choose File to locate the file on your hard disk or a network volume.4 Select OK.The FortiManager system will load the configuration file and restart. Once the restart has completed, verify that the configuration has been restored.

Backup and restore considerationsA FortiManager configuration can typically be upgraded via a FortiManager firmware upgrade. See the release notes for any limitation that may exist if upgrading between major release versions.

Backup Destination Enter the IP address of the backup server.

Backup to Remote Path

Enter the path to where the FortiManager system backs up the configuration.

Backup Protocol Select the upload protocol.

User Name Enter a username to log into the backup server if required.

Password Enter the password for the above username if required.

Day Set the day(s) of the week when the FortiManager system performs the backup.

Time Set the time of day when the FortiManager system performs the backup.





Configuring Additional configuration

F0h

You cannot downgrade a FortiManager configuration using a FortiManager firmware downgrade. If attempted, the firmware of the FortiManager will downgrade, but the configuration and data may be corrupt.You cannot restore a FortiManager configuration to a firmware version which is different than that on which the backup was generated. If attempted, the restore process may seem to complete properly, but the configuration and data may be corrupt.You should only restore a FortiManager configuration file to a FortiManager unit which has been completely cleared and reformatted back to factory defaults. Attempting to restore a configuration file on top of an existing configuration, or a system that hasn't been fully reset, may result in corrupt configuration and data. To reset a FortiManager unit to factory defaults, use the following two commands:exe reset allexe format disk

Additional configurationWith the FortiManager system connected and FortiGate units added and managed, there are a few other configuration settings for the FortiManager system. While not mandatory, they will help in ensuring better control with the firewall.

Set the time and dateFor effective scheduling and logging, the FortiGate system date and time must be accurate. You can either manually set the system date and time or configure the FortiManager system to automatically keep its time correct by synchronizing with a Network Time Protocol (NTP) server.

To set the date and time1 Go to System Settings > General > Dashboard.2 Under System Information > System Time, select Change.3 Select your Time Zone.4 Optionally, select Automatically adjust clock for daylight saving changes.5 Select Set Time and set the FortiManager system date and time.6 If you want to synchronize the time with an NTP server, enable the option.7 Select OK.

Set the Administrator passwordThe default administrator password is no password. You will want to apply a password to secure against anybody logging into the FortiManager system and changing configuration options.

To change the administrator password1 Go to System Settings > Administration > Administrator.2 Select the admin administrator to edit the options.

Note: If you choose the option Automatically adjust clock for daylight saving changes, the system time must be manually adjusted after daylight savings time ends.

As Part of the U.S.'s Energy Policy Act of 2005, Daylight Saving Time, has been extended by four weeks for most of North America. Check with your location to verify whether this change applies to your location, as this can affect the logging and updates times.




Additional configuration Configuring

3 Select Change Password and enter a new password.4 Select OK.Alternatively, you can also add new administrator users by selecting Create New, however, you cannot remove the admin administrator. Applying a password for this account is recommended.

Configure FortiGuardConfigure the FortiManager system to connect to the FortiGuard Distribution Network (FDN) to update the antivirus, antispam and IPS attack definitions. The FDN is a world wide network of FortiGuard Distribution Servers (FDS). When the Fortinet unit connects to the FDN, it connects to the nearest FDS. To do this, all Fortinet units are programmed with a list of FDS addresses sorted by nearest time zone according to the time zone configured for the FortiManager system. Before you can begin receiving updates, you must register your FortiManager and Fortinet unit(s) from the Fortinet web page. For information about registering your Fortinet unit, see “Register your FortiManager system” on page 5. FortiGuard service updates and lookups are provided through the Fortinet Distribution Network (FDN). The FDN is a world-wide network of Fortinet Distribution Servers (FDS), providing current:• anti-virus and IPS engines and signatures• web filtering and anti-spam rating databases and lookups• firmware images• RVS updatesYou can configure FortiGate units to connect to the FortiManager system acting as a private FDS rather than directly to the FDN. This on-site FDS provides a faster connection, reducing Internet connection load and time required to apply frequent updates, such as anti-virus signatures, to many devices.To configure FortiGuard services, go to System Settings > FortiGuard Center.For details on further FortiGuard configuration, see the FortiManager Administration Guide.

To configure the FortiGate unit to use the FortiManager as an on-site FDS1 Log into the FortiGate unit.2 Go to System > Maintenance > FortiGuard.3 Select the blue arrow for AntiVirus and IPS options to expand the options.4 Select Use override server address and enter the IP address of the FortiManager

system.5 Select Apply.Ensure the FortiGate unit is added to the Device Manager in FortiManager.





Firmware Backing up the FortiManager

F0h

FirmwareFortinet periodically updates the FortiManager firmware to include enhancements and address issues. After you have registered your FortiManager system, FortiManager firmware is available for download at http:// support.fortinet.com.Only the FortiManager administrators, whose access profiles contain system configuration read and write privileges, and the FortiManager admin user can change the FortiManager firmware.

Backing up the FortiManagerBefore upgrading the FortiManager firmware, it is good practice to backup your configuration information and logs stored on the hard disk in the event something goes wrong during the upgrade.

Backing up the configurationBackup the FortiManager configuration to a local PC using the web-based manager or the CLI before performing any firmware upgrade.For details on backing up the FortiManager configuration, see “Backing up the configuration” on page 29.

Upgrading the firmware using the web-based manager

To upgrade the firmware1 Download the firmware image file to your management computer.2 Log into the web-based manager as the admin administrative user.3 Go to System Settings > General > Dashboard.4 In System Information > Firmware Version, select Update.The FortiManager system uploads the firmware image file, upgrades to the new firmware version, restarts, and displays the FortiManager login. This process takes a few minutes.

Upgrading the firmware using the CLITo use the following procedure, you must have a TFTP server the FortiManager system can connect to.

To upgrade the firmware using the CLI1 Make sure the TFTP server is running.2 Copy the new firmware image file to the root directory of the TFTP server.

Note: To use this procedure, you must log in using the admin administrator account, or an administrator account that has system configuration read and write privileges.

Note: To use this procedure, you must log in using the admin administrator account, or an administrator account that has system configuration read and write privileges.





Installing firmware images from a system reboot using the CLI Firmware

3 Log into the CLI.4 Make sure the FortiManager system can connect to the TFTP server.

You can use the following command to ping the computer running the TFTP server. For example, if the IP address of the TFTP server is 192.168.1.168:execute ping 192.168.1.168

5 Enter the following command to copy the firmware image from the TFTP server to the FortiManager system:execute restore image tftp <name_str> <tftp_ip>

Where <name_str> is the name of the firmware image file and <tftp_ip> is the IP address of the TFTP server. For example, if the firmware image file name is image.out and the IP address of the TFTP server is 192.168.1.168, enter:

execute restore image.out 192.168.1.168

The FortiManager system responds with the message:This operation will replace the current firmware version!Do you want to continue? (y/n)

6 Type y.The FortiManager system uploads the firmware image file, upgrades to the new firmware version, and restarts. This process takes a few minutes.7 Reconnect to the CLI.8 To confirm the new firmware image is successfully installed, enter:

get system status

Installing firmware images from a system reboot using the CLIThis procedure installs a specified firmware image and resets the FortiManager system to default settings. You can use this procedure to upgrade to a new firmware version, revert to an older firmware version, or re-install the current firmware version.To use this procedure, you must connect to the CLI using the FortiManager console port and a RJ-45 to DB-9 or null-modem cable. This procedure reverts the FortiManager system to its factory default configuration.For this procedure you:• Access the CLI by connecting to the FortiManager console port using a RJ-45 to DB-9

or null-modem cable.• Install a TFTP server that you can connect to from the FortiManager interface. The

TFTP server should be on the same subnet as the internal interface.

To install firmware from a system reboot1 Connect to the CLI using the RJ-45 to DB9 or null-modem cable and FortiManager

console port.2 Make sure the TFTP server is running.3 Copy the new firmware image file to the root directory of the TFTP server.4 Make sure the internal interface is connected to the same network as the TFTP server.





Firmware Installing firmware images from a system reboot using the CLI

F0h

5 Enter the following command to restart the FortiManager:execute reboot

The FortiManager system responds with the following message:This operation will reboot the system !Do you want to continue? (y/n)

6 Type y.As the FortiManager system starts, a series of system startup messages is displayed.When one of the following messages appears:

Press any key to display configuration menu.......

Immediately press any key to interrupt the system startup.

If you successfully interrupt the startup process, one of the following messages appears:

[G]: Get firmware image from TFTP server.[F]: Format boot device.[B]: Boot with backup firmware and set as default[C]: Configuration and information[Q]: Quit menu and continue to boot with default firmware.[H]: Display this list of options.

Enter G,F,B,C,Q,or H:

7 Type G to get the new firmware image from the TFTP server.The following message appears:Enter TFTP server address [192.168.1.168]:

8 Type the address of the TFTP server and press Enter.The following message appears:Enter Local Address [192.168.1.188]:

9 Type an IP address that can be used by the FortiManager to connect to the FTP server.The IP address can be any IP address that is valid for the network the interface is connected to. Make sure you do not enter the IP address of another device on this network.The following message appears:Enter File Name [image.out]:

10 Enter the firmware image file name and press Enter.The TFTP server uploads the firmware image file to the FortiManager and messages similar to the following are displayed:

Save as Default firmware/Run image without saving:[D/R]

11 Type D.The FortiManager installs the new firmware image and restarts. The installation might take a few minutes to complete.

Note: You have only 3 seconds to press any key. If you do not press a key soon enough, the FortiManager system reboots and you must log in and repeat the execute reboot command.




Installing firmware images from a system reboot using the CLI Firmware





www.fortinet.com

FortiManager Install Guide - Fortinet Knowledge...

Documents

Transcript of FortiManager Install Guide - Fortinet Knowledge...