Fortinet FortiManager
Details
Support: Level 5
Supported Versions: 4.3.6, 5.x, 6.0-6.4
Automation Notes:
- Super User with read/write permission
In order to use the REST API in FortiManager 5.2.3 and above, the admin user needs this set on their admin account using the following command: set rpc-permit read-write. REST Port should be 443.
Connecting to SIP
The Normalize UTM Profiles as Applications setting has been removed from the Security Manager settings page because the process has been incorporated with the introduction of security profiles.
To use a Fortinet FortiManager management station, complete the following steps.
Step 1: Configure the Device
FireMon strives to provide up-to-date product information, however we are not always aware when vendors change their device UI. If any Configure the Device procedure differs from your device version (UI location of fields, not information needed), please consult your device's user guide.
- On your FortiManager device, add an administrator user account. Write down the user name and password. You will need this information for a later step.
- Access System Settings > Admin > Administrators > Create.
- Enter a User Name and Password for the account.
- Select Super_User as the Admin Profile.
- Select All ADOMs for Administrative Domain.
- Select All Packages for Policy Package Access.
- Click OK.
- If using version 5.2.3 and above, the REST API permissions must be given at the administrator account level that Security Manager will use.
If you will be using Policy Automation, in order to use the REST API in FortiManager 5.2.3 and above, the Remote Procedure Call (RPC) needs to be set to read-write using: set rpc-permit read-write.
config system admin user
edit username (replace username with the user name of the administrator account created in step 1.b)
set rpc-permit read-write (see Note above; read-only rpc-permit is not sufficient for the REST API)
end
- Enable access and allowable ports.
- Access System Settings > Network.
- Select the HTTPS, HTTP, PING, SSH, and Web Service check boxes for Administrative Access.
- Set allowed ports. Port 443 must be allowed to use REST API. Port 8080 must be allowed to use SOAP API.
- Click OK.
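An added verification script, not part of the FireMon documentation or of Fortinet's tooling, that checks the administrator account configured above against the requirements this step lists (Super_User profile, all ADOMs, all policy packages, rpc-permit read-write) and also reports any other accounts that hold rpc-permit read-write, since that permission should be limited to the accounts that need it. The input is a constructed sample in the shape of a FortiManager `show system admin user` dump; the `rpc-permit` attribute is from the page, while the `profileid`, `adom` and `policy-package` attribute names and their values are assumptions about the dump format and should be confirmed against your own device's output.

```python
import re

# Constructed sample of a `show system admin user` dump (not real output).
# Only `rpc-permit` is taken from the page; the other attribute names are
# assumptions about the dump format.
SAMPLE_DUMP = """\
config system admin user
    edit "firemon-retrieval"
        set password ENC XXXX
        set profileid "Super_User"
        set adom "all_adoms"
        set policy-package "all_policy_packages"
        set rpc-permit read-write
    next
    edit "helpdesk"
        set password ENC XXXX
        set profileid "Standard_User"
        set adom "all_adoms"
        set rpc-permit read-write
    next
    edit "firemon-old"
        set profileid "Super_User"
        set adom "all_adoms"
        set policy-package "all_policy_packages"
        set rpc-permit read
    next
end
"""

# Requirements for the account Security Manager will use (assumed attribute
# names; the required values mirror the UI choices in step 1).
REQUIRED = {
    "profileid": "Super_User",
    "adom": "all_adoms",
    "policy-package": "all_policy_packages",
    "rpc-permit": "read-write",
}


def parse_admin_users(dump):
    """Parse `edit ... next` blocks into {username: {attribute: value}}."""
    users = {}
    current = None
    for raw in dump.splitlines():
        line = raw.strip()
        m = re.match(r'^edit\s+"?([^"]+?)"?$', line)
        if m:
            current = m.group(1)
            users[current] = {}
            continue
        if line == "next":
            current = None
            continue
        m = re.match(r"^set\s+(\S+)\s+(.*)$", line)
        if m and current is not None:
            key, value = m.group(1), m.group(2).strip().strip('"')
            users[current][key] = value
    return users


def check_onboarding_account(users, name):
    """Return (attribute, expected, actual) tuples for every unmet requirement."""
    attrs = users.get(name)
    if attrs is None:
        return [("account", name, "missing")]
    problems = []
    for key, expected in REQUIRED.items():
        actual = attrs.get(key, "<unset>")
        if actual != expected:
            problems.append((key, expected, actual))
    return problems


def accounts_with_rpc_write(users, allowed):
    """Accounts holding rpc-permit read-write that are not on the allow list."""
    return sorted(
        name for name, attrs in users.items()
        if attrs.get("rpc-permit") == "read-write" and name not in allowed
    )


if __name__ == "__main__":
    users = parse_admin_users(SAMPLE_DUMP)
    for account in ("firemon-retrieval", "firemon-old"):
        print(account, check_onboarding_account(users, account) or "OK")
    print("unexpected rpc-permit read-write:",
          accounts_with_rpc_write(users, {"firemon-retrieval"}))
```

Run it against a saved copy of your own dump by replacing SAMPLE_DUMP; an empty list from check_onboarding_account means the account matches every requirement in this step, and any name returned by accounts_with_rpc_write is an account whose REST access should be reviewed.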
Step 2: Onboard the Device in the Administration Module
- On the toolbar, click Device > Management Stations.
- Click Create, and then click Fortinet > FortiManager.
- General Properties section.
- In the Name box, type the name of the device as you want to see it in SIP.
- In the Description box, type an optional description of the device being added.
- In the Management IP Address box, type the IP address of the device.
- In the Data Collector Group box, select the IP address of the data collector group that will collect data from this device.
- In the Central Syslog Server box, select the syslog server from the list (optional).
Syslog fields are optional if the device uses the same IP for syslog and management.
A central syslog server is required only if syslog messages come from a different IP. A central syslog server must be created before it can be assigned to a device. To track usage via syslog, the device must support Level 3+.
- In the Syslog Match Names box, type the syslog match names (optional). You can enter multiple names separated by a comma.
- By default, the Automatically Retrieve Configuration check box is selected.
- In the External ID box, type a unique identifier to be used when the device identifier is different than what is displayed in SIP.
- For Collection Configuration, enable Update Rule Documentation on Member Devices to allow Rule Documentation fields on member devices to inherit a value from the management station. Any Rule Documentation field updates made on the management station will override updates made on the member device. A rule marked to be removed will not be updated.
- Device Settings section.
Credentials
- User Name—type the user name used for the administrator account.
- Password—type the password used for the administrator account.
- Re-enter Password—retype the password entered above.
Retrieval
- By default, the SSH Port for retrieval is 22.
- For Protocol, select either SSH & REST or SSH & SOAP.
If using automation, you must select SSH & REST and use port 443. The SOAP API (SSH & SOAP) requires port 8080 and super user credentials, and does not support automation.
- Policy Automation section.
Credentials
Prerequisites: A valid Policy Automation license is required to complete this section, and you must have created a secondary SuperUser Read/Write account.
- In the User Name box, type the user name used for the secondary administrator account.
- In the Password box, type the password used for the secondary administrator account.
- In the Re-enter Password box, retype the password entered above.
Policy Automation
Select Push Changes to Firewalls to enable the ability to push changes to firewalls when the commit flag is set to true.
- Monitoring section.
Change Monitoring
Select the Enable Check for Change check box to enable checking for configuration changes after the specified interval, and to perform a retrieval if changes are detected. This will activate additional fields to complete.
- Enter an optional Alternate Syslog Source IP.
- Select the Perform Change Verification check box to allow the Data Collector to verify there are actual changes prior to posting a revision to Security Manager. This will enable more efficient use of disk space by not posting revisions that did not change from the last normalized revision.
- Retrieval section.
Scheduled Retrieval
Select the Enable Scheduled Retrieval check box to perform a retrieval at a set time regardless of change detection. This will activate additional fields to complete.
Set the Scheduled Retrieval Time to fit your requirements.
Select the Scheduled Retrieval Time Zone from the list.
Check for Change Retrieval
Select the Enable Check for Change check box to check for configuration changes after the specified interval and perform a retrieval if changes are detected. This will activate an additional field to complete.
The default Check for Change Interval time is 1440 minutes (every 24 hours). You can change the check interval time to best fit your requirements. The minimum required interval is 60 minutes (1 hour).
- Advanced section.
- You can set the Child Configuration Retrieval Timeout. The default is 1200 seconds (20 minutes). This value determines how long the SSH portion of child configuration retrieval will wait before giving up and marking the retrieval a failure.
- Select the Force Interfaces to Set Layer 2 Enforcement check box to force normalization of all interfaces with layer 2 enforcement set to true.
- Click Save.
- Devices being managed will be listed in the Discovered Devices section.