The Fortinet FortiManager provides central remote management for FortiGate devices. FortiGate firewalls use the Security Fabric Connectors to establish secure connectivity to FortiManager over TCP port 541 (the FGFM protocol). Once connectivity is established, FortiManager can manage policies, objects, firmware updates and FortiGuard services.
Configuration
FortiManager connectivity can be established using either the GUI or the CLI; this post covers the steps for both methods.
GUI Configuration
Before configuring the FortiGate with FortiManager, confirm basic connectivity between the FortiGate and FortiManager with a ping (assuming ICMP is permitted by the FortiManager and by any intermediate firewall).
BRANCH1 # execute ping 192.168.10.29
PING 192.168.10.29 (192.168.10.29): 56 data bytes
64 bytes from 192.168.10.29: icmp_seq=0 ttl=61 time=12.8 ms
64 bytes from 192.168.10.29: icmp_seq=1 ttl=62 time=8.2 ms
^C
--- 192.168.10.29 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 8.2/10.5/12.8 ms
- From the GUI of the FortiGate, navigate to Security Fabric > Fabric Connectors
- Under Security Fabric Connectors, click Central Management
- Click the Edit button when it appears
- Select Status as Enabled
- Select Type as On-premises
- Select Mode as Normal
- Enter the IP/Domain Name of the FortiManager
- Click Ok
A message should pop up stating "Request Sent & Received".
A pop-up will then appear on the FortiGate GUI stating "This FortiGate is not authorised on FortiManager. Click the 'Authorise' button below to review the approval status on FortiManager."
- Click Authorise
- Click Approve
- Click Ok
The FortiGate will communicate with the FortiManager, and the approving status bar will display progress.
Once complete, the FortiGate will confirm it is authorised by FortiManager.
- Click Close
- From FortiManager GUI navigate to Device Manager > Device & Groups
You will now see the new FortiGate device as a managed device.
To verify connectivity, run the command diagnose fdsm central-mgmt-status from the CLI of the FortiGate; it reports whether the connection is up and whether the device is registered.
BRANCH1 # diagnose fdsm central-mgmt-status
Connection status: Up
Registration status: Registered
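The post checks reachability with ping and then reads the diagnose output by eye. As an added example (not part of the original post or any Fortinet tool), the script below automates both checks from a management host: it tests whether a TCP handshake to the FortiManager on port 541 completes, which is a closer test of the FGFM path than ICMP, and it parses the output of diagnose fdsm central-mgmt-status to decide whether the device is actually managed. The sample outputs are constructed to mirror the lines shown above; the "Unregistered" value in the second sample is a constructed placeholder for a device that has not yet been approved, not a string quoted from FortiOS.

```python
import re
import socket

# Port taken from the post (FGFM management channel).
FGFM_PORT = 541

# Constructed sample: mirrors the diagnose output shown in the post.
SAMPLE_STATUS_OK = """BRANCH1 # diagnose fdsm central-mgmt-status
Connection status: Up
Registration status: Registered
"""

# Constructed sample: a device whose request is still waiting for approval.
# "Unregistered" is a placeholder value, not verbatim FortiOS output.
SAMPLE_STATUS_PENDING = """BRANCH1 # diagnose fdsm central-mgmt-status
Connection status: Up
Registration status: Unregistered
"""


def tcp_port_open(host: str, port: int = FGFM_PORT, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout.

    This is the pre-check from the post done on the FGFM port instead of ICMP,
    so it also catches an intermediate firewall that passes ping but blocks 541.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def parse_central_mgmt_status(output: str) -> dict:
    """Extract the 'Connection status' and 'Registration status' values.

    Keys are returned as 'connection' and 'registration'; any other line
    (including the echoed command prompt) is ignored.
    """
    result = {}
    for line in output.splitlines():
        m = re.match(r"^\s*(Connection|Registration) status:\s*(\S+)", line)
        if m:
            result[m.group(1).lower()] = m.group(2)
    return result


def is_managed(output: str) -> bool:
    """True only when the tunnel is Up and the device is Registered."""
    status = parse_central_mgmt_status(output)
    return status.get("connection") == "Up" and status.get("registration") == "Registered"


if __name__ == "__main__":
    # Hypothetical FortiManager address reused from the post's example.
    fmg = "192.168.10.29"
    print(f"TCP {FGFM_PORT} to {fmg} reachable:", tcp_port_open(fmg))
    for label, sample in (("ok", SAMPLE_STATUS_OK), ("pending", SAMPLE_STATUS_PENDING)):
        print(label, parse_central_mgmt_status(sample), "managed:", is_managed(sample))
```

In practice the diagnose output would be collected over SSH from each FortiGate and fed to is_managed; a device that reports Up but not Registered is the state described in the CLI section below, where the request sits under Unauthorised Devices until it is approved.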
CLI Configuration
Connectivity can be established from the CLI of the FortiGate.
Enter the following commands:
config system central-management
    set type fortimanager
    set fmg "192.168.10.29"
end
After you enter end, the connection request is sent to the FortiManager, where the device will appear under Unauthorised Devices waiting for approval.
- Select the device and click Authorize button
- Select the required policy package and provisioning template and click Ok
Add a Virtual Machine to FortiManager
From FortiManager version 7.4.7 and 7.6.3 or newer, you must explicitly configure the FortiManager to accept connections from FortiGate Virtual Machines (VM), otherwise the registration connection request will be denied.
If using physical hardware, this step can be skipped. From the FortiManager CLI, enter the following command:
config system global
    set fgfm-allow-vm enable
end
Once configured, the registration should succeed.