Deployment Guide for FortiManager Security
Management Virtual Appliance on MCP Cloud
Table of Contents
Introduction 2
License and System Requirements 2
Licensing 2
Evaluation license 3
Minimum system requirements 3
FortiManager on MCP 2.0 Overview 4
FortiManager VM Initial Configuration 5
Enable GUI access 5
Connect to the GUI 6
Upload the license file 6
Adding devices 8
Adding devices with the wizard 9
Adding devices manually 15
Add a VDOM to a device 15
Import policy wizard 15
Importing devices 17
Importing detected devices 17
Importing and exporting device lists 18
Technical Support Services 21
BYOL – Bring your own license 21
Introduction
The FortiManager Security Management virtual appliance allows you to centrally manage any number of Fortinet
Network Security devices, from just a few to thousands, including FortiGate, FortiWiFi, and FortiCarrier devices.
Network administrators gain better control of their network by logically grouping devices into administrative
domains (ADOMs), which lets you efficiently apply policies and distribute content security and firmware updates.
FortiManager is one of several versatile Network Security Management products that provide a diversity of
deployment types, extensibility, flexibility, advanced customization through APIs, and a simple licensing model.
This document describes how to deploy a FortiManager virtual appliance in several virtualization server environments.
This includes how to configure the virtual hardware settings of the virtual appliance. This guide presumes that the
reader has a thorough understanding of server virtualization.
This document does not cover configuration and operation of the virtual appliance after it has been successfully
installed and running. For that information, see the FortiManager Administration Guide in the Fortinet Document
Library located here: FortiManager 5.4.2 Administration Guide
License and System Requirements
Licensing
Fortinet offers the FortiManager VM in a stackable license model. This model allows you to expand your VM solution
as your environment expands. For information on purchasing a FortiManager VM license, contact your Fortinet
Authorized Reseller, or visit http://www.fortinet.com/how_to_buy/.
When configuring your FortiManager VM, ensure you configure the hardware settings as outlined in the following table
and consider future expansion. Contact your Fortinet Authorized Reseller for more information.
License        Licensed Network Devices   Administrative Domains
VM-BASE        10                         10
VM-10-UG       +10                        +10
VM-100-UG      +100                       +100
VM-1000-UG     +1000                      +1000
VM-5000-UG     +5000                      +5000
VM-10K-UG      +10000                     +10000
For more information, see Minimum system requirements on page 8, and the FortiManager product data sheet:
https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiManager.pdf
After placing an order for the FortiManager VM, a license registration code is sent to the email address used in the
order form. Use the license registration code provided to register the FortiManager VM with Customer Service &
Support at https://support.fortinet.com.
Upon registration, you can download the license file. You will need this file to activate your FortiManager VM. You can
configure basic network settings from the CLI to complete the deployment. Once the license file is uploaded and
validated, the CLI and GUI will be fully functional.
Evaluation license
FortiManager VM includes a free, full featured 15-day trial license. No activation is required for the built-in evaluation
license.
The trial period begins the first time you start the FortiManager VM. When the trial expires, all functionality is disabled
until you upload a license file.
Technical support is not included with the 15-day evaluation.
Minimum system requirements
The following table lists the minimum system requirements for your VM hardware, based on the number of devices,
VDOMs, or ADOMs that your VM manages.
This table does not take into account other hardware specifications, such as bus speed, CPU model, or storage type.
Enabling FortiAnalyzer features will require more resources.
FortiManager on MCP 2.0 Overview
Through MCP (Managed Cloud Platform) 2.0 and Fortinet’s FortiGate Next Generation Firewall Virtual Appliance, we are
able to offer clients a fully managed, secure foundation upon which to establish and grow their Cloud platform. Below is an
example of using the FortiGate NGFW to secure a customer’s Cloud environment which is managed by FortiManager.
FortiManager VM Initial Configuration
Before you can connect to the FortiManager VM you must setup the basic configuration via the CLI console.
Once configured, you can connect to the FortiManager VM GUI and upload the FortiManager VM license file that
you downloaded from the Customer Service & Support portal.
The following topics are included in this section:
• Enable GUI access
• Upload the license file
Enable GUI access
To enable GUI access to the FortiManager VM you must configure the port1 IP address and network mask of the
FortiManager VM.
To access the console:
1. Click the settings button and start the FortiManager VM. Click the settings button for Servers (for example,
FortiManagerTest), then select Console.
To configure the port1 IP address and netmask:
1. At the FortiManager VM login prompt, enter the username admin, then press Enter. By default, there is no
password.
NOTE: Be sure to set a strong password for the admin administrator account, and change the password
regularly. Failure to maintain the password of the admin administrator account could compromise the
security of your FortiManager appliance. As such, it can constitute a violation of PCI DSS compliance
and is against best practices. For improved security, the password should be at least eight characters
long, be sufficiently complex, and be changed regularly. To check the strength of your password, you
can use a utility such as Microsoft’s password strength meter.
2. Using CLI commands, configure the port1 IP address and netmask.
For example:
config system interface
edit port1
set ip <IP address> <Netmask>
end
You can also use the append allowaccess command to enable other access
protocols, such as auto-ipsec and snmp. The ping, https, ssh, and fgfm protocols are
enabled by default.
For more information, see the FortiManager CLI Reference in the Fortinet
Document Library.
The port management interface should match the first network adapter and virtual
switch that you have configured in the hypervisor virtual machine settings.
3. To configure the default gateway, enter the following commands:
config system route
edit 1
set device port1
set gateway <gateway_ipv4_address>
end
The Customer Service & Support portal does not currently support IPv6 for
FortiManager VM license validation. You must specify an IPv4 address in both the
support portal and the port management interface.
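As an added example that is not part of this guide, the following FortiManager CLI session combines the port1, gateway, and admin-password steps above into one initial configuration. The addresses and the password are placeholders, and set allowaccess is used instead of the defaults so that only the management protocols you need are exposed on port1.

```text
# Added example: initial FortiManager VM CLI configuration (placeholder values).
# Management address and netmask for port1 (replace with your own).
config system interface
    edit port1
        set ip 192.0.2.10 255.255.255.0
        # List the management protocols explicitly instead of relying on the
        # defaults; add snmp or auto-ipsec only if you actually need them.
        # fgfm must stay enabled or managed FortiGates cannot connect.
        set allowaccess ping https ssh fgfm
    next
end

# Default route through the management gateway. Use an IPv4 address here,
# because license validation does not support IPv6.
config system route
    edit 1
        set device port1
        set gateway 192.0.2.1
    next
end

# Set a strong password for the built-in admin account before opening the GUI;
# <strong-admin-password> is a placeholder, not a real value.
config system admin user
    edit admin
        set password <strong-admin-password>
    next
end
```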
Connect to the GUI
Once you have configured the port1 IP address and network mask, launch a web browser and enter the IP
address you configured for the port management interface. At the login page, enter the user name admin and no
password, then select Login.
The GUI will open with an Evaluation License dialog box.
Upload the license file
FortiManager VM includes a free, full featured 15-day trial.
Before using the FortiManager VM you must enter the license file that you downloaded from the Customer
Service & Support portal upon registration.
To upload the license via the CLI:
1. Open the license file in a text editor and copy the VM license string.
2. In a FortiManager VM console window, enter the following:
execute add-vm-license <vm license string>
To upload the license file via the GUI:
1. In the Evaluation License dialog box, select Enter License.
Optionally, you can also select Upload License in the License Information dashboard widget.
2. In the license upload page, select Browse, locate the VM license file (.lic) on your computer, then select OK to
upload the license file.
A reboot message will be shown, then the FortiManager VM system will reboot and load the license file.
3. Refresh your browser and log back into the FortiManager VM with username admin and no password.
The VM registration status appears as valid in the License Information widget once the license has been
validated.
As a part of the license validation process FortiManager VM compares its IP address
with the IP information in the license file. If a new license has been imported or the
FortiManager’s IP address has been changed, the FortiManager VM must be rebooted
in order for the system to validate the change and operate with a valid license.
If the IP address in the license file and the IP address configured in the FortiManager VM do not match, you
will receive an error message when you log back into the VM.
If this occurs, you will need to change the IP address in the Customer Service &
Support portal to match the management IP and re-download the license file.
After an invalid license file has been loaded onto the FortiManager VM, the GUI will be
locked until a valid license file is uploaded. A new license file can be uploaded via the
CLI.
Adding devices
You must add devices to the FortiManager system to use FortiManager to manage the devices. You must also
enable Central Management on the managed device by using FortiOS. You can add an existing, operational
device or an unregistered device. You can also provision a new device.
You can add individual devices, or multiple devices. When adding devices by using the Add Device wizard, you
have more configuration options than when you use the Add Multiple option.
For a device that is currently online, use the Add Device wizard, select Discover, and follow the steps in the
wizard. Adding an existing device will not result in an immediate connection to the device. Device connection
happens only when you successfully synchronize the device. To provision a new device which is not yet online,
use the Add Device wizard, but select Add Model Device instead of Discover.
Adding an operating FortiGate HA cluster to the Device Manager pane is similar to adding a standalone device.
Type the IP address of the master device; FortiManager handles a cluster as a single managed device.
Adding devices with the wizard
You can add devices to the FortiManager unit by using the Add Device wizard. You can use the wizard to
discover devices or add model devices to your FortiManager unit.
Use the Discover option for devices that are currently online and discoverable on your network.
Use the Add Model Device option to add a device that is not yet online. You can configure a model device to
automatically register with FortiManager when the device is online.
When configuring a model device to automatically promote or register with FortiManager, add the model device to
FortiManager by using a pre-shared key. When the device connects to FortiManager, run the execute central-mgmt
register-device <FMGSN> <KEY> command from the FortiGate console. The device is automatically promoted or
registered, and the configuration of the matched model device is applied.
For FortiOS 5.4.1 or earlier, you must run the execute central-mgmt
register-device <FMGSN> <KEY> <username> <password> command.
Use the fast forward support feature to ignore prompts when adding or importing a
device. The wizard will only stop if there are errors with adding a device or importing
policies or objects from a device or VDOM.
To confirm that a device model or firmware version is supported by current firmware
version running on FortiManager run the following CLI command:
diagnose dvm supported-platforms list
Add a device using discover mode
The following steps will guide you through the Add Device wizard phases to add a device using Discover mode.
FortiManager will not be able to communicate with the FortiGate if offline mode is
enabled. Enabling offline mode will prevent FortiManager from discovering devices.
To add a device using discover mode:
1. If ADOMs are enabled, select the ADOM to which you want to add the device.
2. Go to Device Manager > Device & Groups.
3. Click Add Device. The wizard opens.
4. Select Discover. Type the IP address, user name, and password for the device, then click Next.
FortiManager probes the IP address on your network to discover device details, including:
• IP address
• Host name
• Serial number
• Device model
• Firmware version (build)
• High Availability mode
• Administrator user name
5. Configure the following settings:
Name: Type a unique name for the device. The device name cannot contain spaces or special characters.
Description: Type a description of the device (optional).
System Template: System templates can be used to centrally manage certain device-level options from a central
location. If required, assign a system template using the drop-down menu. Alternatively, you can select to
configure all settings per-device inside Device Manager. For more information, see Provisioning Templates on
page 131.
Add to Groups: Select to add the device to any predefined groups.
6. Click Next.
The wizard discovers the device, and performs some or all of the following checks:
• Discovering device
• Creating device database
• Retrieving high availability status
• Initializing configuration database
• Retrieving interface information
• Retrieving configuration
• Loading to database
• Creating initial configuration file
• Retrieving IPS signature information
• Retrieving support data
• Updating group membership
• Successfully add device
• Check device status
7. Choose whether to import policies and objects for the device now or later.
8. Select Next to continue.
9. System templates can be used to centrally manage certain device-level options from a central location.
If required, assign a system template using the drop-down menu. Alternatively, you can select to configure all
settings per-device inside Device Manager. For more information, see Provisioning Templates on page 131.
10. Select Next to continue.
If VDOMs are not enabled on the device, the wizard will skip the VDOM phase. You can select to import each
VDOM step by step, one at a time, or automatically import all VDOMs.
The following import options are available:
Import Options The wizard will detect if the device contains virtual domains (VDOMs). You
can select the behavior for FortiManager to take to import these VDOMs.
Import options include:
• Import each VDOM step by step
• Import VDOM one at a time
• Automatically import all VDOMs
11. Select Next to complete the VDOM import.
When selecting to import the VDOMs step by step or one at a time, you can use the global zone map
section of the wizard to map your dynamic interface zones.
12. Select Next to continue to interface mapping.
When importing configurations from a device, all enabled interfaces require a
mapping.
13. Map all the enabled interfaces to ADOM level interfaces.
14. If required, select Add mappings for all unused device interfaces, then select Next to continue.
15. The wizard will perform a policy search in preparation for importing them into FortiManager’s database. When
complete, a summary of the policies will be shown.
Choose a folder from the drop-down list, type a new policy package name, and select the policies and objects
that need to be imported.
16. Select Next to continue. The wizard searches the unit for objects to import, and reports any conflicts it detects. If
conflicts are detected, you must decide whether to use the FortiGate value or the FortiManager value.
If there are conflicts, you can select View Details to view details of each individual conflict, or you can
download an HTML conflict file to view all the details about the conflicts.
17. Select Next. The objects that are ready to be imported are shown.
18. Select Next to import policies and objects into the database.
19. Select Next.
A detailed summary of the import is shown, and the Import Report can be downloaded. This report is only
available on this page.
20. Click Finish to close the wizard.
Add a model device
The following steps will guide you through the Add Device wizard phases to add a device using Add Model
Device mode.
To confirm that a device model or firmware version is supported by the FortiManager's
current firmware version, run the following CLI command:
diagnose dvm supported-platforms list
When adding devices to product-specific ADOMs, you can only add that product type
to the ADOM. When selecting to add a non-FortiGate device to the root ADOM, the
device will automatically be added to the product specific ADOM.
To add a model device:
1. If ADOMs are enabled, select the ADOM to which you want to add the device.
2. Go to Device Manager > Device & Groups.
3. Click Add Device. The Add Device wizard is displayed.
4. Select Add Model Device, and enter the following information:
Add Model Device: The device will be added using the chosen model type and other explicitly entered information.
Name: Type a descriptive name for the device. This name is displayed in the Device Name column. Each device
must have a unique name; otherwise the wizard will fail.
Link Device By: The method by which the device will be added, either Serial Number or Pre-Shared Key.
Serial Number or Pre-Shared Key: Type the device serial number or pre-shared key. This field is mandatory.
Device Model: Select the device model from the list. If linking by serial number, the serial number must be
entered before selecting a device model.
Firmware Version: Select the device's firmware version from the drop-down list.
5. Select Next to continue. The device will be created in the FortiManager database.
Each device must have a unique name and pre-shared key (if selected), otherwise the
wizard will fail.
6. Click Finish to exit the wizard.
A device added using the Add Model Device wizard has similar dashboard options as a device which is
added using the Discover option. As the device is not yet online, some options are not available.
The pre-shared key can be edited after the model device has been added, but must
always be unique.
Adding devices manually
You can manually add devices to the FortiManager unit. The process requires the following steps:
• In FortiOS, you must enable central management on the device by adding the IP address of the FortiManager unit.
As a result, the device is displayed on the FortiManager GUI in the root ADOM on the Device Manager pane in the
Unregistered Devices list.
• In FortiManager, you must manually add unregistered devices. As a result, the device is registered with the
FortiManager unit, and you can use FortiManager to manage the device.
When ADOMs are enabled, the device must be assigned to an ADOM when it is registered.
To manually add devices:
1. In FortiOS, enable central management for the device.
2. In FortiManager, select the root ADOM, and go to Device Manager.
3. In the tree menu, click Unregistered Devices. The content pane displays the unregistered devices.
4. Select the unregistered device or devices, then click Add. The Add Device dialog box opens.
5. If ADOMs are enabled, select the ADOM in the Add the following device(s) to ADOM list. If ADOMs are disabled,
select root.
6. Type the login and password for the device or devices.
7. Click OK to register the device or devices.
The device or devices are added.
Add a VDOM to a device
To add a VDOM to a managed FortiGate device, right-click on the content pane for a particular device and select
Add VDOM from the pop-up menu.
The number of VDOMs you can add is dependent on the device model. For more
information, see the Maximum Values Table in the Fortinet Document Library.
To add a VDOM to a FortiGate device:
1. Go to Device Manager > Device & Groups.
2. In the tree menu, click the group. The devices in the group are displayed in the content pane.
3. In the content pane, right-click a device, and select Add VDOM.
4. Configure the following options, and click OK.
Name Type a name for the new virtual domain.
Description Optionally, enter a description of the VDOM.
Enable Select to enable the VDOM.
Operation Mode Select either NAT or Transparent.
Inspection Mode Select an inspection mode.
Interface Members Click to select each port one by one.
Import policy wizard
On the Device Manager > Device & Groups pane, right-click a device, and select Import Policy to launch the
Import Device wizard. This wizard will allow you to import interface maps, policy databases, and objects.
After initially importing policies from the device, all changes related to policies and
objects should be made in Policy & Objects on the FortiManager.
Making changes directly on the FortiGate device will require reimporting policies to
resynchronize the policies and objects.
Device Interface
The Device Interface page allows you to choose an ADOM interface for each device interface. When importing
configuration from a device, all enabled interfaces require a mapping.
Interface maps will be created automatically for unmapped interfaces.
Select Add mapping for all unused device interfaces to automatically create interface maps for unused
interfaces.
Policy
The policy page allows you to create a new policy package for import.
Select a folder from the drop-down menu, specify a policy package name, then configure the following options:
Policy Package Name Type a name for the policy package.
Folder Select a folder on the drop-down menu.
Policy Selection Select to import all, or select specific policies and policies groups to import.
Object Selection Select Import only policy dependent objects to import policy dependent
objects only for the device.
Select Import all objects to import all objects for the selected device.
Object
The object page will search for dependencies, and reports any conflicts it detects. If conflicts are detected, you
must decide whether to use the FortiGate value or the FortiManager value. If there are conflicts, you can select
View Details to view details of each individual conflict, or you can download an HTML conflict file to view all the
details about the conflicts. Duplicates will not be imported.
Click Next to view the objects that are ready to be imported, and then click Next again to proceed with importing.
Import
Objects are imported into the common database, and the policies are imported into the selected package. Click
Next to continue to the summary.
The import process removes all policies that have FortiManager generated policy IDs,
such as 1073741825, that were previously learned by the FortiManager device. The
FortiGate unit may inherit a policy ID from the global header policy, global footer
policy, or VPN console.
Summary
The summary page allows you to download the import device summary results. It cannot be downloaded from
anywhere else.
Importing devices
Importing detected devices
You can import detected devices for each device.
To import detected devices:
1. Ensure that you are in the correct ADOM.
2. Go to the Device Manager tab, and from the Tools menu, click Display Options.
3. In the Detected Devices area, select Detected Devices, and click OK.
4. In the tree menu, select a device. The device dashboard is displayed.
5. Click Detected Devices. The Detected Devices pane is displayed.
6. Click Import.
Importing and exporting device lists
You can import or export large numbers of devices, ADOMs, device VDOMs, and device groups, using the
Import Device List and Export Device List toolbar buttons. The device list is a compressed text file in JSON
format.
Advanced configuration settings such as dynamic interface bindings are not part
of imported or exported device lists. Use the backup/restore function to back up the
FortiManager configuration.
The Import and Export Device List features are disabled by default. To enable, go
to System Settings -> Admin -> Admin Settings, and select the Show Device List
Import/Export check box under Display Options on GUI.
Proper logging must be implemented when importing a list. If any add or discovery
operation fails, there must be appropriate event logs generated so you can trace what
occurred.
You can create the compressed text file by exporting a device list from FortiManager.
To export a device list:
1. Go to Device Manager > Device & Groups.
2. Select a device group, such as Managed FortiGate’s.
3. From the More menu, select Export Device List.
A device list in JSON format is exported in a compressed file (device_list.dat).
To import a device list:
1. Go to Device Manager > Device & Groups.
2. Select a device group, such as Managed FortiGate’s.
3. From the More menu, select Import Device List.
4. Click Browse and locate the compressed device list file (device_list.dat) that you exported
from FortiManager.
5. Click OK.
Shutting down FortiManager VM
The FortiManager VM can be shut down, restarted, or cloned.
Changing the hardware configuration
Change the hardware configuration of the FortiManager VM to reflect the appropriate CPU allocation for the license type.
Technical Support Services
BYOL – Bring your own license
For any software or configuration issues, the client must contact the vendor or reseller directly, depending on
where the license was procured.