FortiManager
a677579
Staff
Article Id 399385
Description

This article provides a summary of the main ideas, key events, and important themes presented in Chapter 1 of the FortiManager Administrator Study Guide v7.4.

Scope

FortiManager, FCP Certification.

Solution

FortiManager simplifies the management of large networks by centralizing control:

  • Single-pane management and provisioning.
    FortiManager offers centralized management of Fortinet devices, addressing challenges such as mass provisioning and configuration changes. Thousands of FortiGate devices can be managed from a single console.
  • Local FortiGuard cache server. FortiManager can act as a private FortiGuard Distribution Network (FDN) server, serving updates and rating queries to managed devices, and it automates device provisioning.
  • Helps maintain regulatory compliance.
  • Can act as a logging and reporting device.
  • Tracks all configuration changes and schedules updates.

Key features:

  • Policies and Objects Management: creating, editing, and maintaining rule sets, address and service objects, and policies that enforce security controls.
  • Firewall Provisioning: automating the deployment of security policies to FortiGate devices, ensuring rapid and uniform rollout.
  • Central repository for configuration revisions and audit:
    • Configuration Revision Control: tracks changes over time, allows rollback when needed, and maintains an audit trail of modifications. Every change made within FortiManager is logged, so administrators can review, compare, and revert configurations to previous states.
    • Global Database ADOM and Central Management: orchestrates across multiple ADOMs and manages devices at global scale in enterprise environments.
  • VPN Deployment: streamlines the setup and management of site-to-site and remote access VPNs, for example deploying a full-mesh IPsec VPN topology.
  • Device Provisioning Automation: scripts and batch processes mass-configure devices, reducing manual effort and minimizing errors.
  • Logging and reporting: with a specific license, FortiManager gains (limited) FortiAnalyzer capabilities and can receive logs and generate reports.
  • Scripting Support: CLI and TCL scripts automate complex setup processes, configuration deployment, and maintenance routines.

Administrative Domains (ADOMs)

An ADOM is a logical grouping of devices based on geographical location, function, or organizational unit. ADOMs provide scalable management and let organizations delegate control efficiently.

  • ADOMs allow administrators to logically group devices and assign management permissions per group.
  • ADOMs operate in normal or advanced mode. The default is normal mode; advanced mode allows different VDOMs of the same FortiGate to be assigned to different ADOMs.
    • If no VDOMs are deployed on the FortiGates, normal mode is sufficient and consumes fewer resources.
    • In advanced mode, individual FortiGate VDOMs can be assigned to different ADOMs.
    • Note: advanced ADOM mode cannot be enabled if FortiManager is being used to manage a FortiAnalyzer.
  • The number of ADOMs supported depends on the FortiManager model and license.
  • The ADOM type and version must match the devices added to the ADOM. The only exception is the Fabric ADOM type, which can hold devices of more than one type.
  • super_admin users can manage all ADOMs and the devices within them.

 

FortiManager Managing FortiAnalyzer

FortiAnalyzer can be added to FortiManager for central management. Logs remain stored on the FortiAnalyzer, but most of its menus and options become available in the FortiManager GUI (FortiAnalyzer effectively becomes an extension of FortiManager).

  • This is the recommended solution for environments with a high volume of logs.
  • FortiManager can manage multiple FortiAnalyzers, but each ADOM can contain only one FortiAnalyzer.
  • The same FortiAnalyzer can be added to more than one ADOM; the features and visibility within each ADOM are limited to the logging devices that belong to that FortiManager ADOM.
  • FortiManager does not support advanced ADOM mode when a FortiAnalyzer is added for management.
  • FortiManager and FortiAnalyzer must run v5.6 or later, and both devices must run the same version.
  • FortiManager administrative access must be enabled on the FortiAnalyzer interface that FortiManager connects to.

After adding FortiAnalyzer to FortiManager the following panes are enabled:

  • FortiView and LogView
  • Incident / Events
  • Threat Hunting and Outbreak alerts
  • Reports

Another option is FortiManager with logging functions: if no FortiAnalyzer is deployed on the network, a specific license enables logging and reporting functions on the FortiManager itself. This increases CPU, memory, and disk consumption, and log-rate and daily-log-quota restrictions apply, so the option should be evaluated before it is adopted.

 

  • FortiManager supports up to 150 logs/sec only, far below the 500 to 150,000 logs/sec (model dependent) of a FortiAnalyzer.
  • FortiAnalyzer-related licensing is not stackable.
  • Disk-quota policies (assigned disk space and retention period) must be configured on the FortiManager.
  • A FortiAnalyzer cannot also be added to the FortiManager for management.
  • FortiManager HA is not supported while FortiAnalyzer features are enabled on the FortiManager.
  • In most cases this works well for small and mid-sized deployments, depending on the number of devices sending logs and the log volume.

Inside FortiManager:

  • Device Manager: revision history, DNS, routing, interfaces, and other device-specific settings.
  • ADOM layer: policies and firewall objects (address objects, groups, VIPs, security profiles), plus the AP, FortiSwitch, and VPN panes.
  • Fabric View: view Security Rating results and create fabric connectors.

Best practice: connect the FortiManager to a FortiSwitch that is in turn connected to a FortiGate. The FortiGate then protects the FortiManager with its security capabilities, and the switch keeps the FortiManager reachable on the local network if the FortiGate becomes unavailable.

 

FDS for closed networks, where the FortiGates have no internet access.

Two scenarios:

  1. Cascade mode: only the core FortiManager has internet access (and therefore must have it). Other FortiManagers and FortiGates retrieve their updates from the core FortiManager.
  2. Air-gap mode: one FortiManager with internet access downloads all databases. They are exported and then imported manually into the other FortiManagers, which have no connection to the core FortiManager. This is manual administration.

 

FortiManager ports:

  • FGFM tunnel (between FortiManager and FortiGate): TCP 541 (IPv4), TCP 542 (IPv6)

When FortiManager acts as an FDS:

  • FDS, web filter, AV, IPS: UDP 53, UDP/TCP 8888, TCP 80
  • FDS, antispam: UDP/TCP 8889
  • FDS, licenses and UTM updates: TCP 8890, TCP 443

      

Web filtering and FortiGate update services on the interface: on a FortiManager interface, 'Service Access: FortiGate Update' and/or 'Web Filtering' can be enabled, optionally with 'Bind to IP address'. The FortiManager then receives queries of the corresponding type from the FortiGates and forwards them as a proxy to the appropriate FortiGuard servers.

 

MSSPs with auto scaling: auto scaling creates additional FortiGate instances in the cloud to absorb increases in traffic volume. FortiManager supports it: a newly created FortiGate is added to FortiManager and authorized automatically, and when the instance is destroyed it is removed from FortiManager as well.

 

Application Programming Interface (API):

  • Follows the standard JSON-RPC format.
  • Used to integrate FortiManager with third-party solutions.
  • Allows both monitoring and configuration.
  • Requires an admin user with rpc-permit set to read-write; this account is used for the initial authentication.

API methods:

  • get: retrieves an object or its status.
  • add: creates an object.
  • update: modifies an existing object.
  • delete: removes an object.
  • set: creates or overwrites an object (a mix of add and update).
  • move: moves policies within a package.
  • clone: copies an object.
  • exec: executes an action (for example, login and logout).

 

HTTP response codes:

  • 200: OK.
  • 400: Bad Request.
  • 403: Forbidden. Bad session token, or the admin has no RPC permissions.
  • 404: Not Found.

 

All requests are sent as standard HTTP POSTs to https://FORTIMANAGER/jsonrpc.
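A minimal client showing the request envelope, the login/session handling, the per-item status codes inside a JSON-RPC response, and two of the methods listed above (get on the ADOM database, set on a CLI object). This is an added example, not Fortinet's code and not code from the study guide. It assumes the envelope shape as the author understands it from the FortiManager JSON-RPC API (a "session" token returned by the login call and reused afterwards; a "status" object with "code" 0 on success inside each result item); the host, account name, and the /dvmdb/adom and /cli/global/system/global URLs are illustrative, and the sample responses are constructed, not captured from a real device. It also ties back to the ADOM section: the set call switches adom-mode, and the note that advanced mode cannot be enabled while a FortiAnalyzer is managed is assumed here to come back as a non-zero status code.

```python
"""Minimal FortiManager JSON-RPC client (added example; not Fortinet code).

The admin account used must have rpc-permit read-write, e.g. on the
FortiManager CLI (as stated in the article):
    config system admin user
        edit "api-admin"
            set rpc-permit read-write
        next
    end
"""
import json
import ssl
import urllib.request
from typing import Any, Dict, List, Optional


class FmgRpcError(Exception):
    """The request reached FortiManager but a result item had a non-zero status code."""


def build_request(method: str, url: str, session: Optional[str] = None,
                  req_id: int = 1, **params: Any) -> Dict[str, Any]:
    """Build the JSON-RPC body for one call (assumed envelope, see lead-in).

    'method' is one of get/add/set/update/delete/move/clone/exec; extra keyword
    arguments (data=..., fields=[...]) go into the single params entry.
    """
    body: Dict[str, Any] = {"id": req_id, "method": method,
                            "params": [{"url": url, **params}]}
    if session is not None:          # omitted only for the login call itself
        body["session"] = session
    return body


def parse_response(resp: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return the result list, failing loudly on any non-zero per-item status code.

    HTTP-level failures (the 400/403/404 codes listed above) never reach here:
    urllib raises urllib.error.HTTPError for them before the body is parsed.
    """
    results = resp.get("result", [])
    for item in results:
        status = item.get("status", {})
        if status.get("code", -1) != 0:
            raise FmgRpcError(f"{item.get('url')}: code {status.get('code')}: "
                              f"{status.get('message', 'no message')}")
    return results


class FortiManagerClient:
    def __init__(self, host: str, verify_tls: bool = True) -> None:
        self.endpoint = f"https://{host}/jsonrpc"   # every call is a POST here
        self.session: Optional[str] = None
        self._next_id = 0
        self._ctx = ssl.create_default_context()
        if not verify_tls:           # lab use only; keep verification on in production
            self._ctx.check_hostname = False
            self._ctx.verify_mode = ssl.CERT_NONE

    def _post(self, method: str, url: str, **params: Any) -> Dict[str, Any]:
        self._next_id += 1
        body = build_request(method, url, self.session, self._next_id, **params)
        req = urllib.request.Request(
            self.endpoint, data=json.dumps(body).encode(),
            headers={"Content-Type": "application/json"}, method="POST")
        with urllib.request.urlopen(req, context=self._ctx, timeout=30) as r:
            return json.load(r)

    def call(self, method: str, url: str, **params: Any) -> List[Dict[str, Any]]:
        return parse_response(self._post(method, url, **params))

    def login(self, user: str, password: str) -> None:
        resp = self._post("exec", "/sys/login/user",
                          data={"user": user, "passwd": password})
        parse_response(resp)
        self.session = resp["session"]     # token reused by every later call

    def logout(self) -> None:
        self.call("exec", "/sys/logout")
        self.session = None

    def list_adoms(self) -> List[Dict[str, Any]]:
        # 'get' on the device-manager DB; fields= limits the returned attributes.
        return self.call("get", "/dvmdb/adom", fields=["name", "os_ver", "mr"])[0]["data"]

    def set_adom_mode(self, mode: str) -> None:
        # 'set' = create-or-overwrite. Per the ADOM notes, switching to advanced is
        # refused while a FortiAnalyzer is managed; assumed to surface as FmgRpcError.
        if mode not in ("normal", "advanced"):
            raise ValueError("mode must be 'normal' or 'advanced'")
        self.call("set", "/cli/global/system/global", data={"adom-mode": mode})


# Constructed sample responses (not captured from a real FortiManager).
SAMPLE_OK = {"id": 2, "result": [{"status": {"code": 0, "message": "OK"},
                                  "url": "/dvmdb/adom",
                                  "data": [{"name": "root", "os_ver": "7.0", "mr": 4}]}]}
SAMPLE_DENIED = {"id": 3, "result": [{"status": {"code": -11,
                                                  "message": "No permission for the resource"},
                                      "url": "/dvmdb/adom"}]}


def adom_names(resp: Dict[str, Any]) -> List[str]:
    """Names of the ADOMs in a 'get /dvmdb/adom' response (raises on error status)."""
    return [adom["name"] for adom in parse_response(resp)[0]["data"]]


if __name__ == "__main__":
    print(adom_names(SAMPLE_OK))                    # ['root']
    try:
        adom_names(SAMPLE_DENIED)
    except FmgRpcError as err:
        print("denied:", err)
    # Live use: c = FortiManagerClient("fmg.example.net"); c.login("api-admin", "..."); print(c.list_adoms()); c.logout()
```

The split between HTTP status (403 for a bad token or an admin without rpc-permit) and the per-item status code inside an HTTP 200 body is the part that trips people up in practice: a request can succeed at the transport level and still fail per object, which is why parse_response inspects every result item rather than trusting the HTTP code alone.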

 

For product documentation, see FortiManager v7.4 - Fortinet products.

For training material, see FortiManager Administrator - Fortinet training course.