FortiManager-7.0-New Features Guide

New Features Guide
FortiManager 7.0.0
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com
FORTINET VIDEO GUIDE

https://video.fortinet.com
FORTINET BLOG
https://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT

https://support.fortinet.com
FORTINET TRAINING & CERTIFICATION PROGRAM

https://www.fortinet.com/support-and-training/training.html
NSE INSTITUTE
https://training.fortinet.com
FORTIGUARD CENTER
https://www.fortiguard.com
END USER LICENSE AGREEMENT

https://www.fortinet.com/doc/legal/EULA.pdf
FEEDBACK
Email: [email protected]
May 6, 2021
FortiManager 7.0.0 New Features Guide
02-700-698018-20210506
TABLE OF CONTENTS
Change Log 5
FortiManager 7.0 New Features Guide 6
Device Manager 7
Device and Groups 7
Model HA Cluster Wizard Improvements 7
SD-WAN 9
New SD-WAN template 9
SD-WAN monitoring improvements 21
Templates 24
Interface template support for meta fields 25
Static route template with support for meta fields 30
Pre-defined IPsec template with recommended settings 35
Un-assign IPsec template to remove VPN-related configuration 37
Central Management 39
FortiSwitch Manager 39
FortiSwitch Manager central management improvements 39
Extender Manager 46
Extender Manager for central managed FortiExtender devices 46
FortiExtender Template for ZTP 50
Policy and Objects 52
Policy 52
Policy revision history 52
Objects 55
New IPS signatures monitoring page 55
Object revision history 60
System 63
High Availability (HA) 63
FortiManager verifies if FortiAnalyzer features are disabled before forming HA cluster 63
Administrators 65
Theme mode 66
Admin Permission to enable/disable script tab access 67
Admins can use a SAML SSO FortiCloud account to log in to FortiManager 68
ADOM 72
ADOM health check tool reports warnings on devices, configurations, and policy
package status 73
Management Extensions 76
CPU and RAM maximum values for Management Extension Applications can be
configured in CLI 76
New management extension - FortiSOAR 76
Other 80
FortiManager Setup wizard 80
FortiManager VM licenses 85
Requesting and activating a trial license 85
FortiManager 7.0.0 New Features Guide 3

Fortinet Technologies Inc.
Activating a new license 88
Activating an add-on license 90

Change Log
Date Change Description
2021-04-22 Initial release of FortiManager 7.0.0.
2021-04-27 Added New management extension - FortiSOAR on page 76.
2021-05-06 Added Extender Manager for central managed FortiExtender devices on page 46 and
FortiExtender Template for ZTP on page 50.

FortiManager 7.0 New Features Guide
This document describes the new features added to FortiManager 7.0. The FortiManager new features are organized
into the following categories:
l Device Manager on page 7
l Central Management on page 39
l Policy and Objects on page 52
l System on page 63
l Management Extensions on page 76
l Other on page 80

Device Manager
Device Manager
This section lists the new features added to FortiManager for the device manager:
l Device and Groups on page 7
l SD-WAN on page 9
l Templates on page 24
Device and Groups
This section lists the new features added to FortiManager for devices and groups:
l Model HA Cluster Wizard Improvements on page 7
Model HA Cluster Wizard Improvements
You can configure the member devices in an HA Cluster with the HA Status widget in the Device Manager.
To configure HA cluster member settings:
1. Go to Device Manager > Device & Groups > Managed FortiGate.

2. In HA Status widget, under Cluster Members, then select a member device, and click Edit. The Edit HA Member
dialog is displayed.
3. Configure the member Host Name, Management Interface Reservation, Session Pickup, and Session Pickup
Connectionless settings.

Device Manager
4. When Management Interface Reservation enabled, you can create new management interface.
Click Create New to add a new interface.
Click OK to save the new interface.

Device Manager
5. Select another device in the cluster, and repeat the steps above.
SD-WAN
This section lists the new features added to FortiManager for SD-WAN:
l New SD-WAN template on page 9
l SD-WAN monitoring improvements on page 21
New SD-WAN template
With the new SD-WAN template, you can use Device VDOM meta fields in the member interface/ interface gateway,
neighbor IP, and health-check server definitions.
In addition, how you enable and configure SD-WAN per-device management and central management has changed.
You now use the following methods to enable and configure each:

Device Manager
l For per-device management, use the device database to configure SD-WAN settings on each device.
l For central management, use SD-WAN templates to configure SD-WAN settings on one or more devices. SD-WAN
templates have moved in Device Manager to Provisioning Templates.
When you assign an SD-WAN template to a device, you have enabled SD-WAN central management for the
device.
Normalized interfaces are not supported for SD-WAN templates. You can create multiple SD-WAN zones and add
interface members to the SD-WAN zones. You must bind the interface members by name to physical interfaces or
VPN interfaces.
When using SD-WAN templates with other types of provisioning templates, such as interface templates and IPsec
templates, you should execute the templates in the following order:
l Interface template
l IPsec template
l SD-WAN template
This topic contains the following sections:
l SD-WAN per-device management on page 10
l SD-WAN central management on page 11
l SD-WAN template support for meta fields on page 18
SD-WAN per-device management
For SD-WAN per-device management, you can create, edit, and delete interface members, performance SLA, SD-WAN
rules, Neighbor, and duplication. After configuring SD-WAN settings, install the configuration to the device.
To access SD-WAN per-device management:
1. If using ADOMs, ensure that you are in the correct ADOM.

2. Open the device database for the device:
a. Go to Device Manager > Device & Groups.
b. From the toolbar, select Table View.
c. In the tree menu, select a device group.
The devices in the group are displayed in the content pane.
d. In the content pane, double-click a device.
Alternately, select a device, and select Configuration from the More menu.
The device database is displayed in the content pane.
3. In the toolbar, click the System menu, and select SD-WAN.
The SD-WAN pane opens.

Device Manager
4. Configure the following sections for the device, and click Apply:
l Interface Members
l Performance SLA
l SD-WAN Rules
l Neighbor
l Duplication
5. Install the configuration to the device.
SD-WAN central management
For SD-WAN central management, you can create an SD-WAN template, and assign the template to one or more
devices.
Normalized interfaces are not supported for SD-WAN templates. You can create multiple SD-WAN zones and add
interface members to the SD-WAN zones. You must bind the interface members by name to physical interfaces or
VPN interfaces.
Create performance SLA and SD-WAN rules. You can also configure BGP neighbors and packet duplication. Advanced
configuration options are also available.
After configuring an SD-WAN template, assign the template to one or more devices, and then install the configuration to
the devices.
To access SD-WAN central management:
1. If using ADOMs, ensure that you are in the correct ADOM.

2. Go to Device Manager > Provisioning Templates > SD-WAN Templates.
The SD-WAN templates are displayed.

Device Manager
3. Click Create New, and select Template.

The SD-WAN Template pane is displayed.
4. In the Interface Members section, create one or more zones:

a. Click Create New > SD-WAN Zone.
The Create New SD-WAN Zone dialog box is displayed.
b. In the Name box, type a name for the zone.

Device Manager
c. Beside Interface Members, click the box to select interface members.
d. Click OK.
The SD-WAN zone is created.
5. In the Interface Members section, create SD-WAN interface members:
a. Click Create New > SD-WAN Member.
The Create New SD-WAN Interface Member dialog box is displayed.
b. In the Interface Members box, type the name of the interface.
Bind the interfaces by name to physical or VPN interfaces.

Device Manager
c. Click OK.
The SD-WAN interface member is created.
6. Create Performance SLA:
a. In the Performance SLA section, click Create New.
The Performance SLA dialog box is displayed.

Device Manager
b. Complete the options, and click OK.

The Performance SLA settings are saved.
7. Create SD-WAN rules.
a. In the SD-WAN Rules section, click Create New.
The SD-WAN Rule dialog box is displayed.

The SD-WAN rules are saved.
8. Configure BGP neighbors.
a. In the Neighbor section, click Create New.
The Neighbor dialog box is displayed.

Device Manager

The neighbor settings are saved.
9. Configure packet duplication.
a. In the Duplication section, click Create New.
The Duplication dialog box is displayed.

Device Manager

The packet duplication settings are saved.
10. Click OK.

The SD-WAN template is saved.
11. Assign the SD-WAN template to one or more devices.
a. Select the SD-WAN template, and click Assign to Device.
The Assign to Device dialog box is displayed.
b. In the Available Entries list, select the device, and click the right arrow to move the device to the Selected
Entries list, and click OK.
The SD-WAN template is assigned to the device.
12. Go to Device Manager > Device & Groups, and view the assigned provisioning templates in the Template Status
column.

Device Manager
13. Click Install Wizard to install the device settings.

You can preview the settings.
SD-WAN template support for meta fields
SD-WAN templates support Device VDOM meta fields. You can use meta fields in SD-WAN templates for the following
options:
l SD-WAN interface member
l Interface member option
l Gateway IP option
l Neighbor
l IP option
l Performance SLA
l Health-Check Server option
To create meta fields:
1. Go to System Settings > Advanced > Meta Fields.

2. Click Create New.
The Create New Meta Fields pane is displayed.

Device Manager
3. In the Object box, select Device VDOM.
4. In the Name box, type a name for the meta field.

The name of the field becomes the variable name that you can use in SD-WAN templates.
5. In the Values area, click Create New to define a value for one or more devices.
6. Click OK.
The meta field is created.
In the following SD-WAN template example, meta fields are used for the following interface member options: Interface
Member and Gateway IP:

Device Manager
In the following SD-WAN template example, a meta field is used for the Health-Check Server option in Performance
SLA:
In the following SD-WAN template example, a meta field is used for the IP option in Neighbor:

Device Manager
SD-WAN monitoring improvements
SD-WAN Monitor now includes information about ADVPN shortcut interfaces for monitoring SD-WAN networks. When
device history monitoring is enabled for SD-WAN Monitor, the device history also includes information about
ADVPN shortcut interfaces.
Monitoring SD-WAN interfaces (without shortcuts)
When an SD-WAN network is configured without ADVPN shortcuts, no shortcut information is displayed on VPN Monitor
and on the graphs on SD-WAN Monitor.
In this example, device history monitoring is disabled for SD-WAN Monitor.
To view VPN monitor:
1. Go to Device Manager > Monitors > VPN Monitor.

The VPN Monitor is displayed. No shortcuts are configured.
To view SD-WAN monitor:
1. Disable device history monitoring by using the following command:

config system admin setting
set sdwan-monitor-history disable
end

Device Manager
2. Go to Device Manager > Monitors > SD-WAN Monitor.

The SD-WAN Monitor is displayed.
3. In the toolbar, click Table View.
Table View is displayed.
4. In the Device column, click a device.
SD-WAN monitoring information for the last 10 minutes for the device is displayed. In the SD-WAN Interfaces
section, you can view interfaces.
Scroll down to view SLA information, such as latency, jitter, and packet loss.
Monitoring SD-WAN interfaces (with shortcuts)
When an SD-WAN network is configured to use ADVPN shortcuts, you can view information about the shortcuts on
VPN Monitor and in graphs on SD-WAN Monitor.
In this example, device history monitoring is enabled for SD-WAN Monitor.

Device Manager
To view shortcut information on VPN monitor:
1. Go to Device Manager > Monitors > VPN Monitor.

The VPN Monitor is displayed. Shortcuts are configured.
To view shortcut information on SD-WAN monitor:
1. Enable device history monitoring by using the following command:

config system admin setting
set sdwan-monitor-history enable
end
2. Go to Device Manager > Monitors > SD-WAN Monitor.
The SD-WAN Monitor is displayed.
3. In the toolbar, click Table View.
Table View is displayed.
4. In the Device column, click a device.
SD-WAN monitoring information for the device is displayed. You can choose the length of history to display. In the
SD-WAN Interfaces section, you can view interfaces, including ADVPN shortcuts.
Scroll down to view SLA information, such as latency, jitter, and packet loss, for each interface. The SLA graphs
include information for dynamic interfaces.

Device Manager
Scroll down to view more interfaces.
Templates
This section lists the new features added to FortiManager for templates:
l Interface template support for meta fields on page 25
l Static route template with support for meta fields on page 30
l Pre-defined IPsec template with recommended settings on page 35
l Un-assign IPsec template to remove VPN-related configuration on page 37

Device Manager
Interface template support for meta fields
When you create a meta field for a device object, a variable name is automatically created, and you can use the variable
in interface templates when provisioning FortiGates.
When you create a meta field, you can specify whether it is required or optional. When the meta field is required for
device objects, you must define a value for all FortiGate devices. A column is automatically displayed on the Device
Manager pane to indicate required meta fields and to help you identify when values are missing.
After you assign interface templates to devices, you can view the post action values before you install the configuration
to devices.
This topic includes the following sections:
l Creating meta field variables on page 25
l Using meta field variables in interface templates on page 26
l Viewing required meta fields in Device Manager on page 27
l Assigning interface templates to devices on page 28
l Overriding meta field values in interface templates on page 29
Creating meta field variables
When you create a meta field, a variable name is automatically created, and you can set a value for the variable for each
device.
This example describes how to create a meta field named storenumber for a device object. The storenumber meta field
is set to Required. When a meta field is set to Required, a value must be defined for all devices. Set the meta field to
Optional to avoid this requirement.
To create meta field variables:
1. Go to System Settings > Advanced > Meta Fields, and click Create New.

The Create New Meta Fields dialog box is displayed.
2. In the Object list, select Device.
3. In the Name box, type storenumber.
The name identifies the meta field, and a variable name is automatically created for the
meta field. View the Variable option to see the variable name that you can use in interface
templates. For example, $(storenumber) is the variable name for the storenumber meta
field.
4. Beside Importance, select Required.

5. Define the value:
a. Under Values, click Create New.
The Create Meta Field Value dialog box is displayed.
b. In the Device list, select the device.
c. In the Value box, type the store number.
d. Click OK.
The value is saved.

Device Manager
6. Click OK.
Using meta field variables in interface templates
You can use meta field variables in interface templates. When you create a meta field, a variable is automatically created
for you. You can use the variable in interface templates.
To use meta field variables in interface templates:
1. Go to Device Manager > Provisioning Templates.

The widgets are displayed.
2. Display the Interface widget.
a. In the tree menu, go to System Templates > Default.
b. From the Toggle Widgets menu, select Interface.
The Interface widget is displayed.
3. In the Interface widget, create a new Config Interface action that uses the storenumber variable.
a. In the Interface widget, click +.
b. In the Action list, select Config Interface.
c. In the Model list, select all.
d. In the Interface Name list, type port2.

Device Manager
e. In the IP/Netmask box, type the variable with the IP/netmask, such as 192.162.$(storenumber).254/25,
and click OK.
Note that $(storenumber) is the variable name for the meta field.
The action is created.

4. In the Interface widget, create a new VLAN Interface action that uses the variable.
a. In the Interface widget, click +.
b. In the Action list, select Add VLAN Interface.
c. In the Model list, select all.
d. In the Physical Interface Name list, type port3.
e. In the VLAN Name box, type the variable name, such as $(Address), and click OK.
The action is created.
Viewing required meta fields in Device Manager
When a meta field is required for devices, you must assign an interface template to devices. If a device lacks a meta field
value, a conflict symbol is displayed, and you cannot assign an interface template to it. You must define a value for the
meta field for the device before you can assign an interface template to it.
To view required meta fields in Device Manager:
1. Go to Device Manager > Device & Groups.

2. In the tree menu, click Managed Devices.
The managed devices are displayed in the content pane. A column is displayed for each required meta field. In the
following example, a column for each of the following required meta fields is displayed: Address and storenumber.
A conflict symbol is displayed for storenumber for one of the FortiGates, indicating that a value is not defined for the
meta field for the device.

Device Manager
Assigning interface templates to devices
You must assign an interface template to devices when Required is enabled for certain meta fields.
You can also preview the meta field value.
To assign interface templates to devices:
1. Go to Device Manager > Provisioning Templates, and select the template.

2. In the content pane, expand This template is assigned to <number> devices.
3. Click Assigned to Devices.
4. In the Available Entries list, select the device, and click > to move it to the Selected Entries list. Click OK.
The interface template is assigned to the device.
When a FortiGate lacks a value for a meta field, a red conflict icon is displayed:
When you try to assign the template, an error message is displayed:

Device Manager
5. In the Interface widget, select the action, and click Post Action View.
The Post Action Preview is displayed. The meta field displays the expected value.
6. Click Cancel.
Overriding meta field values in interface templates
You can enable Allow Override in interface templates for some options. After you assign the interface template to a
device, you can edit the interface action to override the option.
To override meta field values in interface templates:
1. Go to Device Manager > Provisioning Templates, and select the template.

2. Edit the interface template to allow overrides.
a. In the Interface widget, select the action, and click Edit.
b. Under the option, select Allow Override, and click OK.
Overrides are allowed for the option.

Device Manager
3. Override the value.

a. Under This template is assigned to <number> devices widget, select the device, and click Edit Widget Override
Value.
The Edit Action dialog box is displayed.
b. Type the override value, and click OK.

4. Install the configuration to the device.
The override value is installed to the device.
Static route template with support for meta fields
You can provision static routes to FortiGate devices by using a static route template. Both IPv4 and IPv6 are supported.
After creating the static route template, you can assign the template to one or more devices, and install the configuration
to devices.
For IPv4, you can create static routes for the following destinations:
l Subnet
l Internet service
l Custom Internet service

Device Manager
You can use meta field variables created for an object type of Device VDOM when creating IPv4 static routes for
subnets.
For IPv6, you can create a static route:

l Creating meta field variables on page 31
l Creating static route templates on page 32
Creating meta field variables
You can create meta field variables for an object type of Device VDOM, and then use the variable in static route
templates.

Device Manager
When you create a meta field, a variable name is automatically created, and you can set a value for the variable for each
device.
This example describes how to create a meta field named vdom-ip for a Device VDOM object.
To create meta field variables:
1. Go to System Settings > Advanced > Meta Fields, and click Create New.

The Create New Meta Fields dialog box is displayed.
2. In the Object list, select Device VDOM.
3. In the Name box, type vdom-ip.
The name identifies the meta field, and a variable name is automatically created for the
meta field. View the Variable option to see the variable name that you can use in interface
templates. For example, $(vdom-ip) is the variable name for the vdom-ip meta field.
4. Beside Importance, select Required.

5. Define the value:
a. Under Values, click Create New.
The Create Meta Field Value dialog box is displayed.
b. In the Device list, select the device.
c. In the Value box, type the IP address.
d. Click OK.
The value is saved.
6. Click OK.
Creating static route templates
You can use meta field variables created for an object type of Device VDOM when creating IPv4 static routes for
subnets.

Device Manager
To create a new static route template:
1. Go to Device Manager > Provisioning Templates > Static Route Templates.
2. Create a static route template:

a. In the toolbar, click Create New. The Create New Route Template dialog box appears.
b. In the Name box, type a name for the template, and click OK. The new template is created.

Device Manager
3. Open the template for editing, and create a static route:

a. In the content pane, double-click the template. The template opens for editing.
b. In the toolbar, click Create New. The Create New Static Route pane is displayed.
For IPv4 subnets, you can use a meta field variable created for an object type of Device VDOM instead of
typing an IP address. For example:
c. Complete the options, and click OK.

The static route is created.
4. Assign the template of static routes to one or more devices.
5. Install the configuration to devices.

Device Manager
Pre-defined IPsec template with recommended settings
FortiManager includes a default IPsec template called IPSec_Fortinet_Recommended. The default template contains
recommended VPN tunnel settings and best practices. You can clone the template and customize settings in the clone
to create new IPsec templates.
After editing the cloned template, assign the template to devices. When you install the settings to devices,
phase1/phase2 interface settings are installed to devices.
To use the default IPsec template:
1. Go to Device Manager > Provisioning Templates > IPsec Tunnel Templates.

The templates are displayed in the content pane, including the IPsec_Fortinet_Recommended template.
2. Clone the IPsec_Fortinet_Recommended template:
a. Select the IPsec_Fortinet_Recommended template, and click Clone.
The Clone IPsec Template dialog box is displayed.
b. In the Name box, type a name for the cloned template, and click OK.
The cloned template is displayed in the content pane.
c. Select the cloned template, and click Edit.
The cloned template opens for editing. The cloned template includes default tunnel settings named default.
3. Select default, and click Edit.
The default tunnel settings open for editing.

Device Manager
4. Edit the tunnel settings, and click OK to save the changes.

5. Assign the template to one or more devices:
a. Click IPsec Tunnel Templates to display all templates.
b. Select the template, and click Assign to Device.
The Assign to Device dialog box is displayed.
c. In the Available Entries list, select devices, and click > to move them to the Selected Entries list, and click OK.
The template is assigned to the devices in the Selected Entries list and ready for use.
6. Install device settings to install phase1/phase2 interface configuration to devices.

Device Manager
Un-assign IPsec template to remove VPN-related configuration
When you un-assing an IPsec template from a device, FortiManager modifies the configuration for affected devices.
When you install the modified configuration to devices, FortiManager automatically uninstalls the configuration
(phase1/phase2 interfaces) generated by the IPsec template from devices.
This topic describes how you can view the changes in the FortiManager GUI.
To view how un-assigned IPsec templates affect devices:
1. Create an IPsec template named toHQ-1, and install it to devices.

After installing the IPsec template, go to Device Manager > Device & Groups, and select Table View. In the Config
Status column, view a status of Synchronized for all affected devices, and the Provisioning Templates column
shows that the toHQ-1 template has been applied.
2. Un-assign the IPsec template from eight devices.

After un-assigning the toHQ-1 template from eight devices, the Config Status column now shows a status of
Modified for all devices, and the Provisioning Templates column no longer displays the toHQ-1 template.
3. Install the modified device configuration to the devices.

FortiManager removes phase1 and phase2 interface configuration from the devices. You can check the Install Log
for affected devices to confirm that FortiManager removed phase2 and phase1 interfaces settings.

Device Manager

Central Management
Central Management
This section lists the new features added to FortiManager for central management:
l FortiSwitch Manager on page 39
l Extender Manager on page 46
FortiSwitch Manager
This section lists the new features added to FortiManager for FortiSwitch manager:
l FortiSwitch Manager central management improvements on page 39
FortiSwitch Manager central management improvements
FortiSwitch Manager central management includes new improvements for MCLAG, QSFP split-port, switch custom
commands and importing switch/AP configuration settings from FortiGate.
l Importing FortiSwitch and FortiAP settings from FortiGate on page 39
l Split port configuration and display on page 41
l FortiSwitch custom commands in central management mode on page 44
l FortiSwitch custom commands in per-device management mode on page 45
Importing FortiSwitch and FortiAP settings from FortiGate
To import FortiSwitch and FortiAP settings from FortiGate:
1. In Device Manager, right-click the FortiGate, click Import Configuration, then click Import FortiAP Profiles and
FortiSwitch Templates.

Central Management
2. In the access point profile list and FortiSwitch template list, you can change or keep the default name.

Central Management
3. Click Next, and you will see the import progress.
4. After the import is successful, go to AP Manager > WiFi Templates > AP Profile.

The imported AP profiles are listed and they will be assigned to the managed APs directory.
5. Go to FortiSwitch Manager > FortiSwitch Templates > FortiSwitch Template.

The imported FortiSwitch templates are listed.
Split port configuration and display
To configure and view split ports:
1. Before adding the FortiSwitch to FortiGate, you must enable phy-mode on the FortiSwitch. Once the FortiSwitch
has been authorized by FortiGate, you can add the FortiGate to FortiManager.

Central Management
2. In central management mode, import the template from the managed FortiSwitch, and the split port configuration
will be retained.
You can edit the template including the split ports, and the changes can be installed to FortiGate when the template
is assigned to the managed FortiSwitch.
3. In the managed FortiSwitch, you can right-click on the FortiSwitch and click View Ports. The split ports are visible.

Central Management
While mousing over the split ports, the port status is displayed.
4. In per-device management mode, users can edit split ports in the Port Configuration page.

Central Management
While mousing over the split ports, the port status is displayed.
FortiSwitch custom commands in central management mode
To configure custom commands in central management mode:
1. Go to FortiSwitch Manager > FortiSwitch Templates > Custom Command, and create a new custom command
entry.

Central Management
2. In FortiSwitch Template, edit or create a new template. Select Create New under Custom Command Entry to create
a new command entry. Select your previously configured custom command, and click OK.
3. When the template is assigned to the FortiSwitch, the Install Wizard will install the custom command entry to
FortiGate.
FortiSwitch custom commands in per-device management mode
To configure custom commands in per-device management mode:
1. A custom command entry can be created/edited in FortiSwitch Profiles > Custom Command page for each FortiGate.

Central Management
2. In Managed Switches, select and edit a FortiSwitch device, and in the custom command entry, select Create New to
create a new command entry. Select your previously configured custom command, and click OK.
3. Use the Install Wizard to deploy the changes to FortiGate.
Extender Manager
This section lists the new features added to FortiManager for Extender manager:
l Extender Manager for central managed FortiExtender devices on page 46
l FortiExtender Template for ZTP on page 50
Extender Manager for central managed FortiExtender devices
The Extender Manager allows you to create FortiExtender templates, SIM profiles, and Data plans. After a template is
created, you can assign it to a managed device and install the profiles and plans on FortiExtender.
The FortiExtender module is always displayed in Central Management mode regardless of whether there is connection
to a FortiExtender device.

Central Management
To create profiles with the Extender Manager:
1. Go to Extender Manager.
2. Create a FortiExtender template.

a. In the tree menu, go to Profiles > FortiExtender Templates.
b. In the toolbar, click Create New. The Create New FortiExtender Template page opens.
c. Enter the template Name and click OK.

Central Management
3. Import a FortiExtender template.

a. In the toolbar, click Import. The Import FortiExtender Template dialog opens.
b. Configure the template settings and click OK.
After importing the template, the template will be assigned to the FortiExtender where the template was
imported from.
4. After creating a new template, the template can be assigned to an existing FortiExtender.
5. Create a SIM profile.

a. In the tree menu, go to Profiles > SIM Profile.
b. In the toolbar click Create New. The Create New SIN Profile dialog opens.

Central Management
c. Configure the profile settings and click OK.
6. Create a Data Plan profile.

a. In the tree menu go to Profiles > Data Plan. The Create New Data Plan dialog opens.
b. Configure the Data Plan profile settings and click OK.
7. Link the SIM profile and Data Plan profile to the FortiExtender template.

Central Management
8. After the template is assigned to a FortiExtender, the changes to the SIM profiles and Data plans can be installed to
the FortiGate and FortiExtender.
FortiExtender Template for ZTP
Use FortiExtender templates to configure SIM Profiles and Data Plans. After the template is created, you can assign it to
a managed device.
To create a FortiExtender template:
1. Go to Extender Manager > Profiles > FortiExtender Templates.

2. In the toolbar, click Create New. The Create New FortiExtender Template page opens.
3. Enter the template Name, and select a SIM Profile and Data Plan from the dropdown list.
4. Add the profile to a model FortiExtender.

a. Go to Managed Extenders > Managed FortiGate(#) and select a managed FortiGate.
b. In the toolbar, click Create new. The Create New Model FortiExtender dialog opens.

Central Management
c. From the FortiExtender Template dropdown, select the template you created and click OK.
The model device is added to the list.
5. Click Install Wizard to deploy the template to FortiGate.

Policy and Objects
Policy and Objects
This section lists the new features added to FortiManager for policy and objects:
l Policy on page 52
l Objects on page 55
Policy
This section lists the new features added to FortiManager for policies:
l Policy revision history on page 52
Policy revision history
You are now required to enter a change note when you create or edit a policy. Policy revisions can be viewed in the
Revision History table.
To view the revision history:
1. Go to Policy & Objects > Policy Packages.

2. Double-click a policy in the list to edit it.
3. Revise the policy and then describe your edits in the Change Note field. You cannot save your changes until you
enter a change note.

Policy and Objects
4. Click OK. The number of revisions are displayed in the Revision History column.
5. Click the link in the Revision History column to view the version history.
6. Double-click a policy in the list. The Revision History table displays the changes to the policy.

Policy and Objects
7. Select a revision, and click View Diff to compare versions.
8. Right-click a policy in the tree-menu, and select Policy Revision.
The Policy Revision history page is displayed.

Policy and Objects
Objects
This section lists the new features added to FortiManager for objects:
l New IPS signatures monitoring page on page 55
l Object revision history on page 60
New IPS signatures monitoring page
The new IPS Signatures page allows you to quickly view and manage IPS signatures.
To display the IPS Signatures page:
1. Go to Policy & Objects > Object Configurations.

2. In the toolbar, click Tools > Display Options.
3. In the Security Profiles module, select IPS Profiles, and then click OK.
Admins can view the page by going to Policy & Objects > Object Configurations > Security Profiles > IPS
Signatures.

Policy and Objects
Restricted Admin users can view the page by going to Policy & Objects > Object Configurations > Intrusion
Prevention > IPS Signatures.
To view and edit IPS signatures:

2. Go to Security Profiles > IPS Signatures.

Policy and Objects
3. Click a predefined signature name. The Information page is displayed.
4. Click a predefined signature ID. The FortiGuard signature page opens in a new tab.

Policy and Objects
5. Right-click the signature row. The context menu displays, Edit,Clone and Delete actions for custom signatures.
6. From the context menu, select Where Used. The Where Used dialog displays where the IPS profile signature is
used. Clicking an IPS profile will open the IPS profile Edit window.
7. Click Close.
8. From the context menu, select Add to IPS Profile. the Create New IPS Profile and Add to Existing IPS Profile(s)
options are displayed.

Policy and Objects
9. Click Cancel.
10. Type a search term in the in the Search field. The search results are highlighted in the signatures list.

Policy and Objects
11. Click the Add Filter button to add a filter.
12. To clear search terms and filters, click Rest Search and Reset Filters buttons.
Object revision history
You are now required to provide a Change Note when you create or edit an object. You can also use the new Revision
History table to revert a change or compare versions of an object.
To view the revision history:

2. Double-click an object to edit it.
3. Revise the object, and then enter a description in the Change Note field. You cannot save your changes until you
provide a change note.

Policy and Objects
4. Click OK. The number of revisions are displayed in the Revision History column. Click the link in the column to view
the revision history.
5. Double-click the object you edited. The Revision History table appears at the bottom of the page.

Policy and Objects
6. Select a revision, and click View Diff. The Difference between Revision <#> and <#> page is displayed.
7. Select a revision, and click Revert. Click OK to revert the change.

System
System
This section lists the new features added to FortiManager for system settings:
l High Availability (HA) on page 63
l Administrators on page 65
l ADOM on page 72
High Availability (HA)
This section lists the new features added to FortiManager for high availability (HA):
l FortiManager verifies if FortiAnalyzer features are disabled before forming HA cluster on page 63
FortiManager verifies if FortiAnalyzer features are disabled before forming HA

cluster
With FortiManager 7.0.0, you cannot enable FortiAnalyzer features on FortiManager nodes that are part of an
HA cluster.
If FortiAnalyzer features are enabled on FortiManager nodes in an HA cluster before you upgrade to FortiManager 7.0.0,
FortiAnalyzer features are automatically disabled on each FortiManager in the HA cluster during upgrade.
After upgrading to FortiManager 7.0.0, you cannot enable FortiAnalyzer features on any FortiManager nodes that are
part of an HA cluster, and the FortiAnalyzer Features option is hidden in the GUI.
For standalone FortiManager units with FortiAnalyzer features enabled, you must disable FortiAnalyzer features before
you can form a FortiManager HA cluster after upgrading to FortiManager 7.0.0.
l FortiAnalyzer features disabled during upgrade on page 63
l FortiAnalyzer features disabled when HA enabled on page 64
l FortiAnalyzer features disabled before forming HA on page 64
FortiAnalyzer features disabled during upgrade
If FortiAnalyzer features are enabled before you upgrade to FortiManager 7.0.0, FortiAnalyzer features will be
automatically disabled during upgrade to FortiManager 7.0.0.
For example, FortiAnalyzer features are enabled on FortiManager before upgrading to FortiManager 7.0.0. On the
System Settings > Dashboard pane, the System Information widget shows FortiAnalyzer Features toggled ON.

System
After the upgrade to FortiManager 7.0.0 completes, FortiAnalyzer features are disabled, and the FortiAnalyzer Features
option is hidden from the GUI.
FortiAnalyzer features disabled when HA enabled
After upgrading to FortiManager 7.0.0, you cannot enable FortiAnalyzer features on any FortiManager nodes that are
part of an HA cluster.
In the GUI, the FortiAnalyzer Features option is hidden:
In the CLI, an error message is displayed if you try to enable FortiAnalyzer features:
FMG-VM64 # config system global
(global)# set faz-status enable
(global)# end
Please disable HA before enabling FortiAnalyzer feature.
object set operator error, -7 discard the setting
Command fail. Return code -7
FortiAnalyzer features disabled before forming HA
When FortiAnalyzer features are enabled on FortiManager in stand-alone mode, you cannot form an HA cluster.

System
When you try to form an HA cluster, FortiManager checks each FortiManager node for enabled FortiAnalyzer features.
In the GUI, when enabled FortiAnalyzer features are found, a message is displayed, asking you to disable FortiAnalyzer
features first:
In the CLI, when you try to enable HA mode, an error message is displayed, asking you to disable FortiAnalyzer features
first:
FMG-VM64 # config system ha
(ha)# set mode primary
(ha)# end
Please disable FortiAnalyzer feature before enabling HA.
FMG-VM64 #
FMG-VM64 # config system ha
(ha)# set mode secondary
(ha)# end
Please disable FortiAnalyzer feature before enabling HA.
FMG-VM64 #
When FortiManager detects disabled FortiAnalyzer features on each FortiManager node, you can form a FortiManager
HA cluster by using the GUI or the CLI.
Administrators
This section lists the new features added to FortiManager for administrators:
l Theme mode on page 66
l Admin Permission to enable/disable script tab access on page 67
l Admins can use a SAML SSO FortiCloud account to log in to FortiManager on page 68

System
Theme mode
When you create a new user, you can to apply a theme to all the administrator accounts, or allow admins to choose their
own theme
To enable themes per admin:
1. Go to Admin > Administrators.

2. In the toolbar, click Create New. The New Administrator page is displayed.
3. Set Theme Mode to Use Own Theme.

4. From the User Theme menu, select a theme.
5. Click OK.
When a user logs into their account, they can change the theme by clicking their username, and selecting Change
Profile.

System
Admin Permission to enable/disable script tab access
User profiles now contain a Script Access setting to allow administrators to create, edit, or delete a script. Users with
read-write and read-only privileges will see the Scripts tab in the tree-menu at the left side of the page.
To enable Script Access:
1. Go to System Settings > Admin > Profile. The Script Access setting is located in the Device Manager section.
2. Set Script Access to Read-Write, and click OK. The Scripts module is displayed in the tree-menu.
3. When the setting is set it to Read-Only, the user can see scripts but cannot create, edit, or delete a script. The
Return button is displayed.

System
4. When the setting is set to None, the Script tab does not appear in the tree-menu.
Admins can use a SAML SSO FortiCloud account to log in to FortiManager
Admins can use SAML SSO through their FortiCloud account to log in to FortiManager.

System
To enable SAML SSO using FortiCloud:
1. By default, administrators can only log in using a local or remote user account configured on FortiManager.
2. To enable SAML SSO using FortiCloud, you must first register your FortiManager on FortiCloud. You can confirm
the FortiCloud registration status in System Settings > Dashboard under License Information.

System
3. Go to System Settings > Admin > SAML SSO, and set the Allow admins to login with FortiCloud toggle to the ON
position. Click Apply.
4. Sign out of FortiManager and return to the login page.

You can now see a new option to log in using your FortiCloud account.
5. Click Login with FortiCloud and you are redirected to the FortiCloud login portal. Enter your FortiCloud credentials,
and click LOGIN.

System
You are logged in to FortiManager with your FortiCloud account.
By default, only the account ID which the FortiManager is registered to can be used to log in to FortiManager. To
enable login for additional user accounts using FortiCloud, you can configure multiple IAM users in FortiCloud.

System
6. Go to FortiCloud and create one or more IAM users. For more information on creating an IAM user, see Identity
& Access Management (IAM).
7. Go to the FortiManager sign in page and click Login with FortiCloud, and click the option to Sign in as IAM user
(BETA) at the bottom of the login portal.
8. Enter your IAM user credentials, and you will be logged in to FortiManager as the IAM user.
ADOM
This section lists the new features added to FortiManager for ADOMs:
l ADOM health check tool reports warnings on devices, configurations, and policy package status on page 73

System
ADOM health check tool reports warnings on devices, configurations, and policy
package status
From the System Settings > All ADOMs pane, you can check the status of all devices in all ADOMs. You can check the
status of the following criteria for all devices in all ADOMs:
l Device connection is down.
l Device configuration status is not synchronized.
l Device policy package status is not synchronized.
You can also choose whether to exclude model devices from the health check.
When the health check status is displayed, you can view what ADOMs contain problematic devices, and go directly to
the Device Manager pane in the ADOM with problematic devices. You can also return to the ADOM Health Check dialog
box, and continue checking ADOM statuses.
To check ADOM health:
1. Go to System Settings > All ADOMs.

2. From the More menu, select ADOM Health Check.
The ADOM Health Check dialog box is displayed.
3. In the Health Check Criteria section, select what criteria to check, and click Check Now.
The results of the check are displayed. In the following example, Warning ADOMs <number> is selected, and the
list of ADOMs with warnings are displayed. The root ADOM has a warning.

System
4. Under Warning ADOMs <number>, click root <number> to display the Device Manager pane, and view details
about the warning.
The Device Manager pane is displayed for the ADOM with the warning. The ADOM Health Check button remains at
the bottom of the pane.
5. At the bottom-right of the Device Manager pane, click the ADOM Health Check button to return to the ADOM Health
Check dialog box, and continue checking ADOMs.
The ADOM Health Check dialog box is displayed.

System
6. Click All ADOMs <number>.

A summary of all ADOMs is displayed. In the following example, a warning status (orange triangle) displays beside
the root ADOM, and a synchronized status (green checkmark) displays beside the 64 ADOM.
7. Click the x on the top-right corner to close the dialog box.

Management Extensions
This section lists the other new features added to FortiManager for management extensions:
l CPU and RAM maximum values for Management Extension Applications can be configured in CLI on page 76
l New management extension - FortiSOAR on page 76
CPU and RAM maximum values for Management Extension

Applications can be configured in CLI
You can allocate up to 50% (between 10% and 50 %) of the total FortiManager resource to management extension
applications. This ensures that there are no performance issues in the host FortiManager.
To limit CPU and RAM for management extensions:
1. In the FortiManager CLI, use the following commands:

config system docker
set cpu <integer> #use this variable to set the maximum % of CPU usage.
set mem <integer> #use this variable to set the maximum % of RAM usage.
end
For details about the CLI commands and variables used here, see the FortiManager 7.0.0 CLI Reference on the
Fortinet Docs Library.
l The CLI commands allow you to set the resource limit globally for all management
extensions.
l If management extensions reach the limit of allocated FortiManager resource, a warning
appears in the Alert Message Console widget in System Settings > Dashboard.
New management extension - FortiSOAR
This feature adds the FortiSOAR application as a management extension application (MEA). FortiSOAR is an
enterprise-built security orchestration and security automation workbench that empowers security operation teams.
By default, FortiSOAR MEA is disabled. You can enable FortiSOAR MEA by using the GUI or the CLI.
There are minimum system resources recommended for FortiManager when using FortiSOAR MEA. See the
FortiManager Release Notes for additional information.
The following CLI commands are available for FortiSOAR MEA:
l config system docker
l diagnose docker status
l diagnose docker upgrade fortisoar

To enable FortiSOAR MEA by using the GUI:
1. Go to the Management Extensions tile.
The management extension application options are displayed.

2. Click FortiSOAR.
A confirmation dialog box is displayed.

3. In the confirmation dialog box, click OK.
FortiSOAR MEA is downloaded from the Fortinet registry (registry.fortinet.com).

A progress bar displays under the FortiSOAR tile.

After FortiSOAR downloads, it initializes.
After initialization, the license agreement is displayed.

4. Read the license agreement, and click Agree.

5. Log in to FortiSOAR by using your FortiManager login.
The FortiSOAR dashboard is displayed.
The version and build information for FortiSOAR can be found on the bottom-left corner of the Dashboard. Clicking
on this information displays the version and build dialog.

Other
This section lists other new features added to FortiManager:

l FortiManager Setup wizard on page 80
l FortiManager VM licenses on page 85
FortiManager Setup wizard
The FortiManager Setup wizard lets you register with FortiCare as well as perform the following actions:
l Registering with FortiCare
l Changing your password
l Setting the time zone
l Specifying a hostname
When an action is complete, a green checkmark displays it in the wizard, and the wizard no longer displays after you log
in to FortiManager.
To use the FortiManager Setup wizard:
1. Log in to FortiManager.
The FortiManager Setup dialog box is displayed.

Other
2. Click Begin to start the setup process now.

Alternately, click Later to postpone the setup tasks.
3. When prompted, register with FortiCare.
a. In the Account ID/Email box, type your FortiCare account ID or email.

If you do not yet have a FortiCare account, click Register to create a new account.

Other
b. In the Password box, type your FortiCare password.

If you have forgotten your FortiCare password, click Forgot your password to proceed through the password
recovery process.
c. In the Country/Region box, select your country or region from the dropdown.
d. In the Reseller box, select your reseller from the dropdown.
e. Set the FortiCloud Single Sign-On toggle to the ON or OFF position to enable or disable FortiCloud SSO sign
on.
When enabled, you must also enter the SP Server Address.
f. Click Next.
4. When prompted, change your password.
a. In the Old Password box, type the old password.

b. In the New Password box, type the new password.
c. In the Confirm Password box, type the new password again.
d. Click Next.

Other
5. When prompted, set the time zone.
a. From the list, select the time zone.

b. (Optional) Clear the Automatically adjust clock for daylight savings changes checkbox if desired.
By default FortiManager is configured to automatically adjust closed for daylight savings.
c. Click Next.

Other
6. When prompted, specify the hostname.
a. In the Hostname box, type a hostname.

b. Click Next.
7. When prompted, complete the setup by clicking Finish.

Other
You are logged in to FortiManager.
FortiManager VM licenses
For FortiManager virtual machines (VMs), you can use the FortiManager GUI to:
l Request and activate a trial license
l Activate a perpetual or VM-S license
l Activate an add-on perpetual or VM-S license
FortiManager must be able to access the Internet to communicate with FortiCloud to complete the licensing process.
The licensing process requires you to log in to FortiCloud. If you do not have a FortiCloud account, you can create one to
complete the licensing process.
l Requesting and activating a trial license on page 85
l Activating a new license on page 88
l Activating an add-on license on page 90
Some of the screen shots in the following examples are for FortiManager, but the process applies to both FortiManager
and FortiAnalyzer.
Requesting and activating a trial license
You can use the FortiManager GUI to request and activate a trial license for a FortiManager VM.
To request and activate a trial license:
1. In a browser, access the IP address for the FortiManager GUI.

The login dialog box is displayed.

Other
2. Select Free Trial, and click Login with FortiCloud.

If you do not have a FortiCloud account, click Register with FortiCloud to create one.
The Free Trial License Agreement is displayed.

Other
3. Accept the license agreement:

a. Read the license agreement.
b. Select the I have read and accept the terms in the License Agreement checkbox.
c. Click Accept.
The license is applied, and you are logged in to FortiManager.

Other
4. Go to System Settings > Dashboard > License Information widget.

The VM License option displays Trial License.
Activating a new license
You can use the FortiManager GUI to activate a new license for virtual machines. Licenses for VM-S subscriptions and
perpetual subscriptions are supported.
To activate a new license:
1. In a browser, access the IP address for the FortiManager GUI.

The login dialog box is displayed.

Other
2. Select Activate License, enter your license key, and click Login with FortiCloud.
The License Agreement is displayed.

Other

c. Click Accept.
The license is applied, and you are logged in to FortiManager.
The VM License option displays Valid.
Activating an add-on license
You can use the FortiManager GUI to activate an add-on license for a VM-S subscription or a perpetual subscription.
In the following example, the FortiManager VM has a base license, and you want to apply an add-on perpetual license
named 1000UG.

Other
To activate an add-on license:
1. Log in to FortiManager, and go to System Settings > Dashboard.

2. In the License Information widget, beside the VM License option, click the Add License button.
The Add License dialog box is displayed.
3. Complete the following options, and click OK:

a. In the Account ID/Email box, type the email for your FortiCloud account.
b. In the Password box, type the password for your FortiCloud account.
c. In the Registration Code box, enter the contract registration code for the add-on license.
The License Agreement is displayed.

c. Click OK.
The Restart Device dialog box is displayed.

Other
5. Click Restart Now to apply the license.

FortiManager restarts, and the license is applied.
The VM License option displays Valid 1000UG.

www.fortinet.com
Copyright© 2021 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein
may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were
attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance
results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract,
signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only
the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal
conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change,
modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

FortiManager-7.0-New Features Guide

Uploaded by

Copyright:

Available Formats

FortiManager-7.0-New Features Guide

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

FortiManager-7.0-New Features Guide

Uploaded by

Copyright:

Available Formats

New Features Guide

FORTINET VIDEO GUIDE

CUSTOMER SERVICE & SUPPORT

FORTINET TRAINING & CERTIFICATION PROGRAM

END USER LICENSE AGREEMENT

FortiManager 7.0.0 New Features Guide 3

FortiManager 7.0.0 New Features Guide 4

Date Change Description

2021-04-22 Initial release of FortiManager 7.0.0.

2021-04-27 Added New management extension - FortiSOAR on page 76.

FortiManager 7.0.0 New Features Guide 5

FortiManager 7.0.0 New Features Guide 6

Device and Groups

Model HA Cluster Wizard Improvements

To configure HA cluster member settings:

1. Go to Device Manager > Device & Groups > Managed FortiGate.

FortiManager 7.0.0 New Features Guide 7

Click Create New to add a new interface.

Click OK to save the new interface.

FortiManager 7.0.0 New Features Guide 8

New SD-WAN template

FortiManager 7.0.0 New Features Guide 9

SD-WAN per-device management

To access SD-WAN per-device management:

1. If using ADOMs, ensure that you are in the correct ADOM.

FortiManager 7.0.0 New Features Guide 10

5. Install the configuration to the device.

SD-WAN central management

To access SD-WAN central management:

1. If using ADOMs, ensure that you are in the correct ADOM.

FortiManager 7.0.0 New Features Guide 11

3. Click Create New, and select Template.

4. In the Interface Members section, create one or more zones:

FortiManager 7.0.0 New Features Guide 12

c. Beside Interface Members, click the box to select interface members.

FortiManager 7.0.0 New Features Guide 13

FortiManager 7.0.0 New Features Guide 14

b. Complete the options, and click OK.

b. Complete the options, and click OK.

FortiManager 7.0.0 New Features Guide 15

b. Complete the options, and click OK.

FortiManager 7.0.0 New Features Guide 16

b. Complete the options, and click OK.

10. Click OK.

FortiManager 7.0.0 New Features Guide 17

13. Click Install Wizard to install the device settings.

SD-WAN template support for meta fields

To create meta fields:

1. Go to System Settings > Advanced > Meta Fields.

FortiManager 7.0.0 New Features Guide 18

3. In the Object box, select Device VDOM.

4. In the Name box, type a name for the meta field.

FortiManager 7.0.0 New Features Guide 19

FortiManager 7.0.0 New Features Guide 20

SD-WAN monitoring improvements

Monitoring SD-WAN interfaces (without shortcuts)

To view VPN monitor:

1. Go to Device Manager > Monitors > VPN Monitor.

To view SD-WAN monitor: