FortiManager in the Fortinet Security Fabric

In this recipe, you will add a FortiManager to the Fortinet Security Fabric. This will simplify network administration because you can manage all of the FortiGates in the network from the FortiManager.

This recipe is part of the Fortinet Security Fabric Collection. You can also use it as a standalone recipe.

In this example, the FortiManager is added to an existing Security Fabric, with an HA cluster, called External, configured as the root FortiGate. In this network, the subnet is used for external devices, such as a FortiAnalyzer. The FortiManager will be added to this subnet.

This recipe was created using FortiOS 5.6.1. If you are using 5.6.0, GUI paths related to the Security Fabric and the appearance of some pages will differ from what is shown.


1. Connecting External and the FortiManager

In this example, External’s port 16 will connect to port 2 on the FortiManager.

On External, go to Network > Interfaces and edit port 16.

Configure Administrative Access to allow FMG-Access and FortiTelemetry.

On the FortiManager, go to System Settings > Network, select All Interfaces, and edit port 2.

Set IP Address/Netmask to an internal IP address (in the example,

Select Routing Table and add a default route for port 2. Set Gateway to the IP address of External’s port 16.

If you have not already done so, connect port 2 on the FortiManager to port 16 on External.

2. Configuring central management on External

On External, go to System > Settings. Under Central Management, select FortiManager and enter the IP/Domain Name.

After you select Apply, a message appears stating that the FortiGate’s message was received by the FortiManager and is now waiting for confirmation.

On the FortiManager, go to Device Manager > Unregistered Devices. Select External, then select + Add.

Add External to the root ADOM.

External is now on the Managed FortiGates list and shown as part of a Security Fabric group. The * beside External indicates that it is the root FortiGate in the Security Fabric.

Connect to External. A warning message appears stating that the FortiGate is now managed by a FortiManager.

Select Login Read-Only.

Go to System > Settings. Under Central Management, the Status is now Registered on FortiManager.

3. Configuring central management on the ISFW FortiGates

For each FortiGate in the Security Fabric, make sure that the interface connected to External allows FMG-Access.

Once this is confirmed, you can repeat the process shown in Step 2 for all FortiGates in the Security Fabric.
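
Steps 1 to 3 can be checked offline against a FortiGate configuration backup. The following is an added example, not part of the original recipe or Fortinet's own tooling: it reports every interface where FMG-Access (the `fgfm` keyword in `set allowaccess`) is enabled and confirms that central management points at the intended FortiManager. The function names, the sample backup and the 192.0.2.10 address are constructed for illustration.

```python
import re
# Constructed sample backup, not from the recipe; port1 has fgfm on purpose.
SAMPLE = '''config system interface
    edit "port1"
        set allowaccess ping fgfm
    next
    edit "port16"
        set allowaccess ping https fgfm
    next
end
config system central-management
    set type fortimanager
    set fmg "192.0.2.10"
end'''

def section(config, path):
    """Top-level lines of the 'config <path>' block (nested blocks skipped)."""
    body, depth, inside = [], 0, False
    for s in (line.strip() for line in config.splitlines()):
        if not inside:
            inside = s == "config " + path
            continue
        if s == "end" and depth == 0:
            break
        depth += s.startswith("config ") - (s == "end")
        if depth == 0 and s != "end":
            body.append(s)
    return body

def fgfm_interfaces(config):
    """Interfaces whose allowaccess list includes fgfm (FMG-Access in the GUI)."""
    found, name = [], None
    for s in section(config, "system interface"):
        m = re.match(r'edit "?([^"]+)"?$', s)
        if m:
            name = m.group(1)
        elif s.startswith("set allowaccess ") and "fgfm" in s.split():
            found.append(name)
    return found

def audit(config, expected_ifaces, expected_fmg):
    """Findings where the backup deviates from the intended setup; [] if none."""
    cm = dict(re.match(r"set (\S+) (.+)", s).groups()
              for s in section(config, "system central-management") if s.startswith("set "))
    on = fgfm_interfaces(config)
    findings = [f"FMG-Access unexpected on {i}" for i in on if i not in expected_ifaces]
    findings += [f"FMG-Access missing on {i}" for i in sorted(expected_ifaces) if i not in on]
    if cm.get("type") != "fortimanager" or cm.get("fmg", "").strip('"') != expected_fmg:
        findings.append("central management does not point at the expected FortiManager")
    return findings
```

Calling `audit(SAMPLE, {"port16"}, "192.0.2.10")` flags port1, because only the interface facing the FortiManager should accept FMG-Access.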

4. Allowing the FortiManager to have Internet access

In order to communicate with FortiGuard, the FortiManager requires Internet access.

On External, go to Policy & Objects > Addresses and create an address for the FortiManager.

Go to Policy & Objects > IPv4 Policy and create a policy that allows the FortiManager to access the Internet.

5. Results

All FortiGates in the Security Fabric are shown in the Managed FortiGates list on the FortiManager.

To show all FortiGates in the Security Fabric group, right-click on External (the root FortiGate), and select Refresh Device.

Right-click on the Security Fabric group and select Fabric Topology. The topology of the Security Fabric is displayed.

For further reading, check out Central Management in the FortiOS 5.6 Handbook.

You may also need to refresh the page before all devices are shown in the Security Fabric group.