
FortiWAN Manager - Handbook

VERSION 4.4.0

FEEDBACK
Email: techdocs@fortinet.com

May 12, 2017

FortiWAN Manager 4.4.0 Handbook Revision 1

38-440-423374-20170512
TABLE OF CONTENTS

Introduction
Scope
What's new
Installation
Basic topology
Licensing
Evaluation License
Trial License
Permanent License (Base License)
Upgrade License
Installing a License
License Installation Limitation
System requirements
Downloading software & registering with support
Deploying the OVF file
Accessing to the Web UI and CLI
Access to Web UI
Network setting for login
Login to the Web UI
Web UI overview
Access to CLI
CLI command branches
Start using FortiWAN Manager
System setting and summary
Network Settings
Authentication of Web UI and CLI
Local Authentication Database
RADIUS Authentication
System Date and Time
System information, resources and license
System logs
System maintenance
System configuration backup/restore
Firmware update
System maintenance
Registering the FortiWAN devices to FortiWAN Manager
Adding a FortiWAN device
Device IP
Redundant device IP
Administrator User Name & Monitor User Name
FortiWAN setup for FortiWAN Manager
Add Device
Device table
Grouping the FortiWAN devices
Add Group
Group table
Monitoring the FortiWAN devices
Device Status
System information and individual WAN link state
Central Reports
Defining the data range
Bandwidth report
CPU report
Session report
WAN Status report
Managing configurations of FortiWAN
Configuration backup
Configuration Management
Configuration Restore
Scheduled configuration backup
Managing firmware update for FortiWAN
Firmware management
Firmware update
Scheduled firmware update
Managing the accounts of FortiWAN
Appendix A: License verification failure
Appendix B: Changing a registered IP address

Introduction

FortiWAN Manager is a web-based system used to centrally manage multiple remote (and local)
FortiWAN devices. Rather than managing them one by one through each FortiWAN's Web UI, the
manager is a centralized interface that performs management actions on these FortiWAN devices
through the Internet or through Tunnel Routing Multi-Link VPNs and IPSec VPNs. For a distributed
enterprise with branches, FortiWAN Manager provides an efficient and systematic approach to the
routine jobs of managing many FortiWAN devices in regional network sites. Through the FortiWAN
Manager, you can:

• Monitor the system information and WAN link states of each FortiWAN appliance.
• Back up and restore configurations from and to each FortiWAN appliance.
• Perform firmware updates on each FortiWAN appliance, including updates to HA pairs with no local
  presence required.
• Change the passwords of accounts on each FortiWAN appliance.
• Access the Web UI of each FortiWAN appliance.
• Store and manage configuration and firmware files on FortiWAN Manager.
• Schedule configuration backup/restore and firmware updates.
• View the basic statistics reports from each of the FortiWAN appliances.

Firmware update and configuration backup/restore can be performed on multiple devices at the same
time through an operation on the FortiWAN Manager Web UI. Note that FortiWAN Manager requires the
managed FortiWAN devices to run a firmware version later than FWN 4.2.0. Earlier versions are not
supported.

Scope

This document describes how to set up your FortiWAN Manager and how to use it for managing
devices. For a first-time deployment, the suggested process is:

Installation
Start by planning the deployment topology, then register and obtain a license for your
FortiWAN Manager. The next step is to prepare the virtual machine environment and start the
installation of FortiWAN Manager. Please refer to Installation for further information.

Access the CLI and Web UI
Accessing FortiWAN Manager's Web UI first requires the necessary settings on FortiWAN Manager's
network interface. See Accessing to the Web UI and CLI for instructions on getting into FortiWAN
Manager's Web UI and CLI, and for information about the CLI commands and Web UI operations.

Start using the FortiWAN Manager
Start using FortiWAN Manager gives an overview of what to do when using FortiWAN Manager for the
first time. You might need to configure FortiWAN Manager's system settings first (such as
system time and accounts). Adding and organizing FortiWAN devices in FortiWAN Manager is the
necessary step to start managing the devices through FortiWAN Manager. You will be redirected to
the individual section for details of each topic.

Management operations
The remaining sections introduce each FortiWAN Manager function in detail. They are divided into
two parts: monitoring devices and performing actions on devices.

• Monitoring FortiWAN devices through device status, system information, WAN link state and central
  reports (see Monitoring the FortiWAN devices).
• Performing configuration backup/restore, firmware update and account changes on FortiWAN devices
  (see Managing configurations of FortiWAN, Managing firmware update for FortiWAN and Managing the
  accounts of FortiWAN).

What's new

The following features are new or changed since FortiWAN 4.2.0:

FortiWAN Manager 4.4.0

• Central report - FortiWAN Manager can centrally provide the Bandwidth, CPU, Session and WAN
  Status reports of each of the managed FortiWAN appliances so that you can have an overview of the
  report pages at a glance. See Central Reports.
• Scheduled configurations backup and firmware upgrade - Configuration backup and firmware
  upgrade to a FortiWAN appliance can be scheduled based on either the FortiWAN Manager's local
  time or the FortiWAN's time. See Settings for configuration backup and Scheduled configuration
  backup.
• Device management - In the Device Manager > Device page, a new field Version is added to
  display the current firmware version that a FortiWAN appliance is running. See Device table.
• Device status - In the Dashboard > Device Status page, the following fields are added:
    • Version - The current firmware version that the FortiWAN appliance is running.
    • Config Backup - Status of scheduled configuration backup on the FortiWAN appliance. This
      field displays the time of the last successful backup, the time of the last failed backup and
      the corresponding error message.
    • Time Zone - The time zone where the FortiWAN appliance is located.
    • HA - Indicates whether the FortiWAN appliance is deployed in HA mode.
  See Device Status.
• HA peer information - The Info buttons in the Device Manager > Device, Config > Config
  Backup/Restore and Firmware > Firmware Update pages will display information of the HA peer if
  the managed FortiWAN appliance is deployed in HA mode. See System information and individual
  WAN link state.

FortiWAN Manager 4.3.0

• Scheduled configuration backup - FortiWAN Manager can be scheduled to automatically and
  periodically back up configuration files from the FortiWAN appliances. See Scheduled
  configuration backup.
• Scheduled firmware upgrade - FortiWAN Manager can be scheduled to automatically perform
  firmware upgrades on the FortiWAN appliances. See Scheduled firmware update.
• Device management - A failover mechanism is provided for FortiWAN Manager to connect
  to a FortiWAN appliance by employing a pair of IP addresses (master and slave) of the
  FortiWAN's network interfaces. The management connectivity to a FortiWAN will be switched
  to its stand-by IP address if the master one is not available. See Redundant device IP.
• Firmware upgrade - In the firmware upgrade page (Firmware > Firmware Update), a new
  field Version is added to display the current firmware version that a FortiWAN appliance is
  running. See Firmware update.
• Web UI - New look and feel.

FortiWAN Manager 4.2.1
Bug fixes only. Please refer to FortiWAN Manager 4.2.1 Release Notes.

FortiWAN Manager 4.2.0


FortiWAN Manager is a new Fortinet product used to centrally manage remote FortiWAN devices (all
the models of FortiWAN are supported). The standalone FortiWAN Manager is available as a virtual
appliance, which requires a virtual machine environment.

To assess the benefit of deploying FortiWAN Manager 4.2.0 on your network, review the following
features.

• Quantity of supported devices - The base license allows FortiWAN Manager to manage up
  to 10 FortiWAN devices (see "Licensing"). However, two upgrade licenses are available:
    • 10-device extension license: extends the limit of a base license by an extra 10
      devices. This upgrade is stackable. The number of FortiWAN devices that FortiWAN
      Manager can manage increases every time a 10-device extension upgrade is performed.
    • Unlimited-device extension license: allows FortiWAN Manager to manage unlimited
      FortiWAN devices.
• Device management -
    • Supports grouping and a navigation tree to organize the managed FortiWAN devices.
      See "Grouping the FortiWAN devices".
    • Supports automatic login to the Web UI of an individual FortiWAN device. See "Adding a
      FortiWAN device".
    • Supports account management (password changing, account creating and removing)
      on an individual FortiWAN device. See "Managing the accounts of FortiWAN".
• Device monitoring - Provides system information and WAN link states of the managed
  FortiWAN devices for monitoring. See "Monitoring the FortiWAN devices".
• Configuration management - Supports managing configuration files stored on FortiWAN
  Manager's hard disk. The following actions can be taken (see "Managing configurations of
  FortiWAN"):
    • Back up a configuration from an individual FortiWAN device to FortiWAN Manager
    • Restore a configuration to FortiWAN devices from FortiWAN Manager
    • Open a configuration in readable format
• Firmware management - Supports managing firmware files stored on FortiWAN Manager's
  hard disk. FortiWAN devices can be upgraded through FortiWAN Manager with the firmware
  files. See "Managing firmware update for FortiWAN".

Installation

FortiWAN Manager is available as a virtual appliance, which requires a virtual machine environment
such as VMware vSphere. You must first have virtual machine (VM) environment software (a hardware
abstraction layer (HAL) that is sometimes called a hypervisor) on your server. FortiWAN Manager is a
virtual appliance that runs inside that environment. See the following sections for details:

• Basic topology
• Licensing
• System requirements
• Downloading software & registering with support
• Deploying the OVF file

Basic topology

FortiWAN Manager is deployed in a virtual machine environment such as VMware vSphere. A
FortiWAN Manager VM can be located in a private LAN or the near WAN of a FortiWAN in your local
site (see the illustrations below).

Deploying FortiWAN Manager in a private LAN

Here are the properties of deploying FortiWAN Manager in a private LAN:

• Configuration of the FortiWAN Manager's network interface (IP address, default gateway and netmask)
  must correspond to the LAN subnet in this case (see Accessing to the Web UI and CLI).
• Management messages to the remote devices (FortiWAN-B and FortiWAN-C) must pass through the
  local device (FortiWAN-A) and can be distributed over multiple WAN links by Auto Routing.
• FortiWAN Manager manages the local device (FortiWAN-A) through either the LAN port or one of the
  FortiWAN-A's WAN ports (see Register and organize the FortiWAN devices to FortiWAN Manager).

Deploying FortiWAN Manager in a near WAN

Depending on the WAN type of a WAN link configured on the FortiWAN, the near WAN could be a subnet
in WAN, subnet in WAN and DMZ, IP(s) in WAN and IP(s) in DMZ (see FortiWAN Handbook). Here are
the properties of deploying FortiWAN Manager in a near WAN:

• Configuration of the FortiWAN Manager's network interface (IP address, default gateway and netmask)
  must correspond to the WAN link in this case (see Accessing to the Web UI and CLI).
• Management messages to remote FortiWAN devices (FortiWAN-B and FortiWAN-C) are
  fixed on the WAN link and will not pass through the local FortiWAN device (FortiWAN-A).
• FortiWAN Manager manages the local device (FortiWAN-A) only through one of the FortiWAN-A's WAN
  ports (see Register and organize the FortiWAN devices to FortiWAN Manager).
• Exposing a FortiWAN Manager VM to the Internet might raise security issues.

Before registering a permanent license for a FortiWAN Manager, it is better to define the topology
well and decide on an IP address for the FortiWAN Manager VM. A permanent license requires the IP
address deployed on the FortiWAN Manager (see "Licensing").

Note that FortiWAN Manager polls information from FortiWAN devices. FortiWANs do not
push any information to FortiWAN Manager. Thus, no path (static route, public IP, etc.) is
required from FortiWAN to FortiWAN Manager.

Licensing

Before installing a FortiWAN Manager VM, an overview of licensing is given first. There are 3 types of
FortiWAN Manager licenses provided. The VM comes with an automatic 15-day evaluation license. You
can request a longer trial license from Fortinet Customer Support or you can purchase a permanent
license from your Fortinet channel partner. Moreover, there are 2 types of upgrade licenses provided for
extending the management capability of FortiWAN Manager. Management capability is determined by
the number of FortiWAN devices that a FortiWAN Manager can manage.

Evaluation License
The evaluation license of FortiWAN Manager provides a 15-day, no-cost trial. An evaluation license is
built into every FortiWAN Manager package and is activated automatically after the FortiWAN Manager
is deployed. No registration is required for it. The 15-day trial period starts the first time
the FortiWAN Manager is booted. After the 15-day trial has expired (see "Appendix A: License
verification failure"), you need to purchase a permanent license to continue using the FortiWAN
Manager. A FortiWAN Manager activated by an evaluation license manages unlimited FortiWAN devices.

Time Limitation | Max. Supported FortiWAN Devices | Devices Extension | Pre-allocated Virtual CPU (vCPU) | Pre-sized Virtual RAM (vRAM) | Pre-sized Virtual Disk (vDisk)
15 days | Unlimited | Not supported | 1 | 2 GB | 10 GB

An evaluation license activates the complete functions of a FortiWAN Manager, just like a permanent
license, except for Technical Support.

Trial License
A trial license for FortiWAN Manager is available through Fortinet Customer Support. The normal
trial license is valid for 90 days from installation. After the trial period has expired (see
Appendix A: License verification failed), you need to purchase a permanent license from your
Fortinet channel partner in order to continue using FortiWAN Manager.

The trial license allows managing unlimited FortiWAN devices. Allocating more FortiWAN devices to
a FortiWAN Manager appliance than the licensing limit allows is invalid (or results in frequent
rebooting). The pre-sized vCPU, vRAM and vDisk are the default sizes of vCPU, vRAM and vDisk
allocated when a FortiWAN Manager VM is installed. They are not a limitation. You can resize the
vCPU, vRAM and vDisk to higher values after the FortiWAN Manager VM is deployed (see Deploying the
OVF file).

Time Limitation | Max. Supported FortiWAN Devices | Devices Extension | Pre-allocated Virtual CPU (vCPU) | Pre-sized Virtual RAM (vRAM) | Pre-sized Virtual Disk (vDisk)
90 days | Unlimited | Not supported | 1 | 2 GB | 10 GB


Permanent License (Base License)
When you place an order for the permanent license of FortiWAN Manager, Fortinet Technologies Inc.
emails a registration number to the recipient address you supplied on the order form. A license file,
which is available from the support web site by entering the registration number, is required to
permanently activate FortiWAN Manager (see Downloading software & registering with support). The
base permanent license also activates FortiWAN Manager to manage up to 10 FortiWAN devices,
but an upgrade license can extend the limit. There is no difference between a trial license and a
permanent license in the sizing levels of system resources.

Time Limitation | Max. Supported FortiWAN Devices | Devices Extension | Pre-allocated Virtual CPU (vCPU) | Pre-sized Virtual RAM (vRAM) | Pre-sized Virtual Disk (vDisk)
Unlimited | 10 | Supported | 1 | 2 GB | 10 GB

Upgrade License
An upgrade license extends the management limit of the base license so that more FortiWAN
devices can be managed. An upgrade license requires a permanently activated FortiWAN Manager
(permanent license). It is invalid for an evaluation license. There are 2 types of upgrade license
provided: 10-device extension and unlimited-device extension.

10-Device Extension
A 10-device extension license extends the limit of a FortiWAN Manager by an extra 10 FortiWAN
devices. For example, a FortiWAN Manager with a base license manages up to 10 FortiWAN devices;
however, it can manage up to 20 FortiWAN devices after a 10-device extension upgrade. The 10-device
extension upgrade license is stackable. The number of FortiWAN devices that a FortiWAN Manager can
manage increases by 10 every time the FortiWAN Manager is upgraded with a 10-device
extension license. This allows the management capability of a FortiWAN Manager to increase flexibly
as the deployment scale increases.

Unlimited-Device Extension
An unlimited-device extension license allows FortiWAN Manager to manage unlimited FortiWAN
devices.

Installing a License
You can request an evaluation or trial license from Fortinet Customer Support or you can purchase a
permanent license from your Fortinet channel partner (see Downloading software & registering with
support). To install or upgrade a license on FortiWAN Manager, please go to Dashboard > Summary
on the Web UI, and see System information, resources and license for details.

License Installation Limitation


Every license file is permitted to activate only one FortiWAN Manager VM. Therefore, an IP address
must be registered for a license (see Downloading software & registering with support). The
registered IP address contained in the license file must be deployed on the FortiWAN Manager's
network interface, so that it can be verified that the FortiWAN Manager appliance is the only one
activated by the license file. We suggest that you have a clear network topology for deploying your
FortiWAN Manager before the registration (see Basic topology), and then register a proper IP address.
The built-in evaluation license for the 15-day trial does not require a verification IP address.

Verification fails if the registered IP address is not deployed on the FortiWAN Manager's network
interface. Failure of verification causes FortiWAN Manager to reboot every 5 minutes (see Appendix A:
License verification failed). For some reasons, you might need to re-deploy the networks and change
the IP addresses of FortiWAN-VM's network interface. To change the registered IP address of a license,
see Appendix B: Changing a registered IP address.

If FortiWAN devices have been added to the FortiWAN Manager for managing during the 15-day
evaluation, please make sure there are fewer than 10 devices before applying a permanent license or
a 90-day trial license to FortiWAN Manager; otherwise the license status becomes invalid (see System
information, resources and license).


System requirements

Before you can install FortiWAN Manager, you must first have virtual machine (VM) environment
software (a hardware abstraction layer (HAL) that is sometimes called a hypervisor) on your server.
FortiWAN Manager is a virtual appliance that runs inside that environment.

FortiWAN Manager supports the following hypervisor versions:

• VMware vSphere ESXi 5.0/5.1
• VMware vSphere Hypervisor 5.0/5.1


Downloading software & registering with support

After you purchase a FortiWAN Manager, you receive an email that contains a registration number.
This number is used to register your purchase with Fortinet Customer Service & Support, so that you
can download the software, the license file, and related technical support. Please note that the
registration process requires an IP address of your FortiWAN Manager appliance. A license and a
FortiWAN Manager appliance are associated by the IP address; therefore this IP should be configured
on the FortiWAN Manager stably. Please define the topology for introducing FortiWAN Manager into
your network before registration (see Basic topology). Please see Downloading software &
registering with support in FortiWAN-VM Installation Guide for the details.

Many Fortinet customer services such as firmware updates and technical support require product
registration. For more information, see the Fortinet Knowledge Base article Registration Frequently
Asked Questions.



Deploying the OVF file

Please see the FortiWAN-VM Installation Guide and follow the instructions described in Deploying
FortiWAN-VM on VMware vSphere > Deploying the OVF file to deploy the OVF file.
After this, you should configure the virtual appliance's virtual hardware for your FortiWAN Manager
before powering it on.

Virtual Disk
By default, you have two pre-sized virtual disks allocated on FortiWAN Manager, which are configured
as 1 GB and 10 GB respectively. The first vDisk contains the operating system and is used to boot the
FortiWAN Manager. The second vDisk is used to store configuration and firmware files for managing
FortiWAN devices. Only the second vDisk is allowed to be resized. See Deploying FortiWAN-VM on
VMware vSphere > Configuring the virtual appliances virtual hardware > Resizing the virtual
disk (vDisk) in FortiWAN-VM Installation Guide.

Virtual CPU
The virtual appliance is configured to use 1 vCPU for FortiWAN Manager, but you can allocate more
vCPUs to it without limitation. See Deploying FortiWAN-VM on VMware vSphere > Configuring
the virtual appliances virtual hardware > Configuring the number of virtual CPUs (vCPUs) in
FortiWAN-VM Installation Guide.

Virtual RAM
FortiWAN Manager comes pre-configured to use 2 GB of vRAM. You can increase this value without
limitation. You can configure FortiWAN Manager to use less vRAM, such as 1 GB, but it is not
recommended for performance reasons. See Deploying FortiWAN-VM on VMware vSphere >
Configuring the virtual appliances virtual hardware > Configuring the virtual RAM (vRAM)
limit in FortiWAN-VM Installation Guide.

Virtual NIC
There is one vNIC created for FortiWAN Manager by default. You can add more vNICs to the virtual
appliance, but they are invalid to FortiWAN Manager. FortiWAN Manager is always equipped with only
the first vNIC.

Power on the virtual appliance to start your FortiWAN Manager. See Deploying FortiWAN-VM on
VMware vSphere > Powering on the virtual appliance in FortiWAN-VM Installation Guide.



Accessing to the Web UI and CLI

FortiWAN Manager provides a web-based user interface and a command line interface; however, you can
only manage FortiWAN devices through the Web UI, while the simple CLI commands are used only to
configure FortiWAN Manager's system settings. In this section, we introduce how to access the Web UI
and CLI, and give you an overview of the Web UI and CLI commands.

Access to Web UI

• Network setting for login
• Login to the Web UI
• Overview to the Web UI

Access to CLI

• CLI command branches

Access to Web UI

To access the Web UI of FortiWAN Manager, you are required to have the network setting configured
through the command line interface (CLI) first. Unlike FortiWAN, there is no default IP address
assigned to the network interface of FortiWAN Manager. FortiWAN Manager's Web UI is accessible
only after its network setting has been configured. After FortiWAN Manager is installed, the next
step is to set the network interface for access to the Web UI. An overview of the common operations
on the FortiWAN Manager Web UI is also provided here. These operations are available on most of the
function pages for operating the FortiWAN Manager, such as multi-user login, navigation tree, paging
for a table, sorting for a table and automatic login to FortiWAN's Web UI.

Network setting for login

Login to the Web UI

Overview to the Web UI


Network setting for login


Follow the next steps to connect to the CLI and complete the network settings:
1. Use the VMware vSphere Client to log into the vSphere server.
2. In the left pane, select the name of the virtual appliance, such as FWNMGR-1.
3. Click the Console tab to open the console of the FortiWAN Manager virtual appliance.
4. At the login prompt for the local console, type admin.
5. Press Enter twice. (Initially, there is no password.)

After logging in to the CLI, please follow the steps below to configure the DNS, IP address and
default gateway settings of the network interface. The following is a configuration example for
deploying FortiWAN Manager in a private LAN of FortiWAN (see Basic topology).
1. Type the commands to assign an IP address to the interface:
    configure system interface
    edit port1
    set ip 192.168.10.10 255.255.255.0
    end
2. Type the commands to assign the default gateway to the interface:
    configure router static
    edit 0
    set gateway 192.168.10.254
    end
3. Type the commands to assign a DNS server to the interface:
    configure system dns
    set primary 8.8.8.8
    end

In this case, 192.168.10.10 is the IP address used to register for a permanent license (see Licensing
and Downloading software & registering with support). It is also the IP address to connect to for
access to the FortiWAN Manager Web UI.

If you deploy FortiWAN Manager in a near WAN of a FortiWAN (see Basic topology), please follow the
steps below to configure the DNS, IP address and default gateway settings of the network interface.
Note that depending on the WAN type of the WAN link, it could be a subnet in WAN, subnet in WAN
and DMZ, subnet in DMZ, IP(s) in WAN or IP(s) in DMZ. Network settings of FortiWAN Manager must
correspond with the WAN link (see FortiWAN Handbook).
1. Type the commands to assign an IP address to the interface:
    configure system interface
    edit port1
    set ip 10.10.10.11 255.255.255.0
    end
2. Type the commands to assign the default gateway to the interface:
    configure router static
    edit 0
    set gateway 10.10.10.254
    end
3. Type the commands to assign a DNS server to the interface:
    configure system dns
    set primary 8.8.8.8
    end

In this case, 10.10.10.11 is the IP address used to register for a permanent license (see Licensing and
Downloading software & registering with support). It is also the IP address to connect to for
access to the FortiWAN Manager Web UI.
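
The command sequences above and the License Installation Limitation rule (the license-registered IP must be the one deployed on the interface) can be checked before anything is typed into the console. The following Python sketch is an added example, not Fortinet code: it parses a session in the command form shown above and reports inconsistencies. The function names, finding codes and the RFC 1918 exposure check are assumptions of this example.

```python
# Added example (not Fortinet code): pre-deployment check of a planned CLI session.
import ipaddress

# Constructed input: the private-LAN commands from the steps above, as one session.
SAMPLE_SESSION = """\
configure system interface
edit port1
set ip 192.168.10.10 255.255.255.0
end
configure router static
edit 0
set gateway 192.168.10.254
end
configure system dns
set primary 8.8.8.8
end
"""

# Assumption of this example: an address outside RFC 1918 may be Internet-reachable.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_session(text):
    """Return {stanza: {key: [values]}} for every 'configure ... end' stanza."""
    stanzas, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        words = raw.split()
        if not words:
            continue
        verb, args = words[0], words[1:]
        if verb == "configure" and current is None and args:
            current = stanzas.setdefault(" ".join(args), {})
        elif verb == "end" and current is not None:
            current = None
        elif verb == "edit" and current is not None and args:
            current["edit"] = args
        elif verb == "set" and current is not None and args:
            current[args[0]] = args[1:]
        else:
            raise ValueError(f"line {lineno}: unexpected {raw.strip()!r}")
    if current is not None:
        raise ValueError("last stanza is not closed with 'end'")
    return stanzas


def _single_address(values):
    """Return the IPv4Address in a one-element value list, else None."""
    try:
        return ipaddress.IPv4Address(values[0]) if len(values) == 1 else None
    except ValueError:
        return None


def check_plan(text, registered_ip):
    """Return [(code, detail)] findings; an empty list means the plan is consistent."""
    cfg = parse_session(text)
    registered = ipaddress.IPv4Address(registered_ip)
    ip_args = cfg.get("system interface", {}).get("ip", [])
    try:
        if len(ip_args) != 2:
            raise ValueError("expected 'set ip <address> <netmask>'")
        iface = ipaddress.IPv4Interface("/".join(ip_args))
    except ValueError as exc:
        return [("bad-interface-ip", str(exc))]
    net, findings = iface.network, []
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        findings.append(("unusable-host-address",
                         f"{iface.ip} is the network or broadcast address of {net}"))
    if iface.ip != registered:
        findings.append(("license-ip-mismatch",
                         f"interface has {iface.ip} but the license registers {registered}; "
                         "verification fails and the Manager reboots every 5 minutes"))
    gateway = _single_address(cfg.get("router static", {}).get("gateway", []))
    if gateway is None:
        findings.append(("no-gateway", "no valid 'set gateway <address>'"))
    elif gateway not in net or gateway == iface.ip:
        findings.append(("gateway-unreachable", f"{gateway} is not another host in {net}"))
    if _single_address(cfg.get("system dns", {}).get("primary", [])) is None:
        findings.append(("no-dns", "no valid 'set primary <address>'"))
    if not any(iface.ip in n for n in RFC1918):
        findings.append(("not-rfc1918",
                         f"{iface.ip} is not private; review Internet exposure of the Manager"))
    return findings


def codes(text, registered_ip):
    """Finding codes only, convenient for comparing plans."""
    return [code for code, _ in check_plan(text, registered_ip)]


if __name__ == "__main__":
    # A license registered for a different address than the one planned.
    for code, detail in check_plan(SAMPLE_SESSION, "192.168.10.11"):
        print(f"{code}: {detail}")
```
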


Login to the Web UI


After the network setting is configured, you can connect to FortiWAN Manager's Web UI by starting a
web browser and going to the IP address that is assigned to the network interface of the FortiWAN
Manager (such as https://192.168.10.10 or https://10.10.10.11 in the previous cases). Log in to the
Web UI with the default username admin and leave the password blank. See Authentication of Web UI
and CLI for details.


Web UI overview
The opening page of FortiWAN Manager's Web UI is similar to FortiWAN's. It is divided into three
parts: the header, the navigation menu and the content panel (see How to set up your FortiWAN >
Web UI and CLI Overview > Using the Web UI in FortiWAN Handbook).
Here are the things you will most often encounter when operating FortiWAN Manager's Web UI pages.

Multi-user Login
FortiWAN Manager's Web UI supports multiple sign-ins from different hosts. A maximum of 20 users can
be logged in concurrently, no matter the type (see Authentication of Web UI and CLI). Login will fail
if there are already 20 concurrent users logged in. FortiWAN Manager Web UI does not accept multiple
logins from the same browser on a host. Users that attempt to log in to the Web UI via different tabs
or windows of the same browser on a host will be logged out (including the one who has already logged
into the Web UI). Operations on a FortiWAN device from multiple users are queued and
processed in order (one by one). It takes time for the system to complete every single task; therefore,
if tasks are already queued, it might take longer to complete one's task, because this includes the
extra time spent waiting for the system to finish the previous tasks.

Navigation tree - Devices & Groups


The navigation tree on the left of the main area displays the organization of the FortiWAN devices
that FortiWAN Manager is managing. By default (no customized groups are defined), all the devices are
listed in a default group, All FortiWAN. These FortiWAN devices can also be classified into a
user-defined group (see Grouping the FortiWAN devices). Every FortiWAN device must belong to the
default group All FortiWAN, and it can also belong to a customized group at the same time. The
navigation tree appears in Dashboard > Device Status, Device Manager > Device, Device Manager >
Account Control, Config > Config Backup/Restore and Firmware > Firmware Update.

The operations on the navigation tree are:

• Click + to expand a group in the navigation tree.
• Click - to collapse a group in the navigation tree.
• Click on a group to display the devices of the group.
• Click on any device in the navigation tree to edit the configurations of the device.

In the navigation tree, the number beside a group name indicates the number of devices belonging to
this group.

Paging for a table


At the upper-right corner of every table are the settings for paging the table.

It is available for tables in the following pages:

• Dashboard > Device Status
• Device Manager > Device
• Device Manager > Group
• Device Manager > Account Control
• Config > Config Management
• Config > Config Backup/Restore
• Firmware > Firmware Management
• Firmware > Firmware Update

Through these settings, you can control how the table is displayed in pages.

Show rows: Set the number of rows that the table displays on every page. Select the
number from the drop-down menu. The options are 10, 20 and 50.

Go to: Specify the page number in the field and press Enter (on your keyboard) to
go to the specified table page directly.

Page [current] of [total]: Go to the next page from the current page by clicking the rightward arrow
button, or back to the previous page by clicking the leftward arrow button. It shows the current page
number and the total number of pages.

Checkbox
In the Web UI, you usually select items for operations by checking the checkboxes in the tables.
Selecting multiple elements is allowed and it implies applying an action to multiple devices at the
same time. If you want to unselect an item, just uncheck the checkbox. There is always a checkbox in
the field header for checking (unchecking) all the items on the page. Here are the checkbox fields in
FortiWAN Manager:

• Table field Delete in pages Device Manager > Device, Device Manager > Group, Config > Config
  Management and Firmware > Firmware Management.
• Table field Change Account in page Device Manager > Account Control.
• Table field Backup/Restore in page Config > Config Backup/Restore.
• Table field Update in page Firmware > Firmware Update.

Sorting for a table
FortiWAN Manager provides the necessary information about FortiWAN devices, groups, configuration
files and firmware files for management by displaying it in tables. Data in a table can be sorted by
categories (fields). By default, data is displayed without sorting. Clicking a field header on the
table sorts the data by that field (the field header becomes clickable when the mouse cursor is
pointing at it). Repeat it to switch between ascending and descending order. The following are the
fields of each table that data can be sorted by.

• Device table: Fields Device name, IP and Group (sorting the data of a device table by the device name,
  IP or group, see Adding a FortiWAN device, Device Status, Managing the accounts of FortiWAN,
  Configuration backup and Firmware update).
• Group table: Fields Group name (sorting the data of a group table by the group name, see Grouping the
  FortiWAN devices).
• Configuration table: Fields Device name, Version, Config name (sorting the data of a configuration
  table by the device name, version and config name, see Configuration Management).
• Firmware table: Fields Firmware name, Version, Model (sorting the data of a firmware table by the
  firmware name, version and model, see Firmware management).

Automatic login to FortiWAN

Automatic login to FortiWAN is a method of logging in to a FortiWAN's Web UI through FortiWAN Manager
without manually typing an account and password for authentication. FortiWAN Manager performs the
authentication to the FortiWAN's Web UI automatically, using the Administrator User Name or Monitor
User Name and the corresponding Password predefined on FortiWAN Manager (see Adding a FortiWAN
device).

Click the Go button on a device table to log in automatically to the Web UI of the device. A new browser
tab opens for the Web UI access. You will see the operation page of the Web UI directly rather than a
login page, which means the login process has been done by FortiWAN Manager. Please make sure pop-up
windows are not blocked by your browser. If you are in FortiWAN Manager as an Administrator, you
will be authenticated to the FortiWAN's Web UI with the Administrator User Name and have full
permission to control the device. However, if you are in FortiWAN Manager as a Monitor, you will be
authenticated to the FortiWAN's Web UI with the Monitor User Name and only limited permissions are
allowed on the device (see Adding a FortiWAN device).

Automatic login to FortiWAN is available in Dashboard > Device Status and Device Manager >
Device (see Device Status and Adding a FortiWAN device).


Access to CLI

To connect to the CLI:

1. Use the VMware vSphere Client to log into the vSphere server.
2. In the left pane, select the name of the virtual appliance, such as FWNMGR-1.
3. Click the Console tab to open the console of the FortiWAN Manager virtual appliance.
4. At the login prompt for the local console, type admin.
5. Press Enter twice. (Initially, there is no password.)

See CLI command branches for the details about the CLI commands.


CLI command branches


The FortiWAN Manager CLI consists of two command branches:

• config branch
• get branch

Examples showing how to enter command sequences within each branch are provided in the following
sections.

config branch
The config command configures objects of FortiWAN Manager system administration. The objects
are organized in a two-level hierarchy. The top-level objects are not configurable; they are containers
for more specific lower-level objects. The objects that the config command configures for FortiWAN
Manager are as follows:

system
    admin
    dns
    interface
router
    static

To configure an object, you use the config command to navigate to the object's command shell. For
example, to configure administrators, you enter the command
config system admin

The config branch is organized into configuration shells. You can complete and save the
configuration within each shell for that shell, or you can leave the shell without applying the
configuration. You can only use the configuration commands for the shell that you are working in. To
use the configuration commands for another shell, you must leave the shell you are working in and enter
the other shell. The root prompt is the FortiWAN Manager host or model name followed by a #, such as
fwnmgr #. The command prompt changes to show the shell that you are working in, such as fwnmgr
(admin) #. You can use the following commands in an object's command shell:

edit    Edit an existing entry in the FortiWAN Manager configuration. For example, in the
        config system admin shell, type edit admin and press Enter to edit the
        settings for the default admin administrator account.

end     Return to the root FortiWAN Manager CLI prompt.

set     Assign values. For example, from the edit admin command shell, typing set
        password new_password changes the password of the admin administrator
        account to new_password. The value is applied to the system as soon as you press
        Enter (without running the end command).

system object

The system object contains three sub-objects for administrators, DNS addresses, and network
interfaces.

admin

admin is a sub-object of the system object. You can use the commands in the object's command shell to
change the password of Administrator accounts. FortiWAN Manager provides one default account, admin,
which belongs to the Administrator group (see FortiWAN Handbook). You can create other accounts in the
Administrator group for FortiWAN Manager through its Web UI. The password of any Administrator
account can be reset by configuring the admin object.

Syntax
config system admin
edit <admin_account>
set password <new_password>
end

Variable                  Description

admin_account             The account in the Administrator group whose password you want to reset.

password <new_password>   Enter a new password for the Administrator account above.

Example
This example shows how to change the password of the default account admin to 1234.
config system admin
edit admin
set password 1234
end

Note that FortiWAN Manager uses a common authentication database for the Web UI and CLI. A new
password takes effect for both the Web UI and the CLI.

dns

dns is a sub-object of the system object. You can use the commands in the object's command shell to
configure DNS addresses for FortiWAN Manager. A DNS server is required when FortiWAN Manager
synchronizes system time through NTP.

Syntax
config system dns
set primary <IP>
set secondary <IP>
end

Variable          Description

primary <IP>      Enter an IP address to assign the primary DNS server to FortiWAN Manager.

secondary <IP>    Enter an IP address to assign the secondary DNS server to FortiWAN Manager.
                  Secondary DNS is optional.

Example
This example shows how to configure DNS for FortiWAN Manager.
config system dns
set primary 8.8.8.8
set secondary 8.8.4.4
end

interface

interface is a sub-object of the system object. You can use the commands in the object's command
shell to configure the network interface on FortiWAN Manager. FortiWAN Manager provides only one
network interface to communicate with remote FortiWAN devices and for Web UI access. A correctly
configured network interface is necessary for FortiWAN Manager to function properly.

Syntax
config system interface
edit port1
set ip <IP/PREFIX>
set ip <IP> <MASK>
end

Variable              Description

set ip <IP/PREFIX>    Enter an IP address and the prefix for the network interface port1.

set ip <IP> <MASK>    Enter an IP address and netmask for the network interface port1.

The system accepts the configuration input in two formats: <IP/PREFIX> and <IP> <MASK>. You can
enter the command in either of the two formats.

Example
This example shows how to assign the IP address to the network interface.
config system interface
edit port1
set ip 192.168.10.10 255.255.255.0
end

router object

The router object provides only one sub-object, used to configure the default gateway (static route)
of the FortiWAN Manager.

static

static is a sub-object of the router object. You can use the commands in the object's command shell to
assign a gateway to your FortiWAN Manager.

Syntax
config router static
edit 0
set gateway <IP>
end
Variable Description

set gateway <IP> Enter the IP address of the gateway for the FortiWAN Manager.

Example
This example shows how to assign a default gateway to FortiWAN Manager.
config router static
edit 0
set gateway 192.168.10.254
end

get branch
The get command displays the settings of the network interface, DNS and default gateway. The get
command requires that you specify the object or table whose settings you want to display.

system dns

Use this command to view DNS configuration.

Syntax
get system dns

Example
This example shows the output for get system dns:
primary: 8.8.8.8
secondary: 0.0.0.0
The secondary in the example is not assigned.

system interface

Use this command to view interface configuration.

Syntax
get system interface

Example
This example shows the output for get system interface:
== [port1]
type: physical
ip: 192.168.10.10/24
status: up

router static

Use this command to view default gateway configuration.

Syntax
get router static

Example
This example shows the output for get router static:
== [0]
destination: 0.0.0.0/0
gateway: 192.168.10.254

Start using FortiWAN Manager

So far, everything has been prepared: FortiWAN Manager is installed, the network is configured
and the Web UI is accessible. When using FortiWAN Manager for the first time, you could start with the
following steps:

Having an overview on FortiWAN Manager system

Reviewing the system settings of your FortiWAN Manager is suggested the first time you log in to the
Web UI.

• Make sure the license of the FortiWAN Manager appliance is correct, or you need to have the license
  updated. See Licensing and System information and resource for details.
• Make sure the system time is correct, or you need to access an NTP server to have it synchronized. See
  System Date and Time for details.
• Reset the password of the default account admin from none. If necessary, create accounts for other
  users. See Authentication of Web UI and CLI for details.

Organizing FortiWAN devices to FortiWAN Manager


To manage FortiWAN devices through your FortiWAN Manager, connectivity between the devices and
FortiWAN Manager must be established first. These devices can be further grouped in a navigation
tree, so that it is easy to find a set of devices and perform a management action on them at the same
time. See Register and organize the FortiWAN devices to FortiWAN Manager for details.

Managing the devices


After the FortiWAN devices are defined in FortiWAN Manager, the following operations can be
performed for managing the devices:

• Monitoring states and information of each device (see Get information and states of FortiWAN).
• Performing configuration backup and restore from/to each device (see Managing configurations of
  FortiWAN).
• Performing firmware update to each device (see Managing firmware update for FortiWAN).
• Creating accounts, removing accounts and changing passwords to accounts for each device (see
  Managing the accounts of FortiWAN).

Managing configuration and firmware files on FortiWAN Manager


The files used to perform configuration backup/restore and firmware update can be stored in FortiWAN
Manager's hard disk. A management platform is provided for this, see Managing configurations of
FortiWAN and Managing firmware update for FortiWAN.

Monitoring the statistics reports of each FortiWAN device through Central Reports

Reports is the monitoring and traffic pattern analysis tool built into FortiWAN appliances for instant
status of WAN connections and traffic statistics analysis. FortiWAN Manager's Central Reports can
collect the basic Reports data from each of the managed FortiWAN appliances and display it in the
same way as FortiWAN's Reports. See

System setting and summary

Correct system settings are necessary to start a FortiWAN Manager VM. Monitoring the system
information, states and logs of a FortiWAN Manager appliance ensures that it is working normally.
System maintenance, such as firmware update/downgrade and configuration backup/restore, keeps the
FortiWAN Manager system running properly. This section contains the topics about all of these
operations.

System settings

• Network Setting, see FortiWAN Manager Network Settings.
• Authentication of Web UI and CLI, see Authentication of Web UI and CLI.
• System date and time, see System Date and Time.

System information and states

• System information, resources and license, see System information, resources and license.
• System logs, see System logs.

System maintenance (Maintenance, Firmware Update/Downgrade, Configuration Backup/Restore),
see System maintenance.

Network Settings

Configuring the network settings on your FortiWAN Manager is the first step needed to make the manager
usable. Without FortiWAN Manager's network interface being set, connectivity between FortiWAN
Manager and a FortiWAN device is not available, and neither is the Web UI. Although a virtual appliance
can be equipped with more than one virtual NIC, FortiWAN Manager supports only one network
interface (see Deploying the OVF file). Management messages (including Web UI access) are
transferred through the interface. Unlike FortiWAN, FortiWAN Manager is deployed with no
default IP address on the interface. After FortiWAN Manager is installed, you must configure the
network settings first in order to access the Web UI and manage FortiWAN devices. The command line
interface (CLI) is the only way to configure network settings. You have to configure the IP address,
netmask (or prefix), DNS and default gateway for FortiWAN Manager. See Access to Web UI and CLI
command branches for details. Note that the IP address deployed on FortiWAN Manager's network
interface must be the same as the one registered for the current license (see Licensing and
Downloading software & registering with support). To change the registered IP address of a license, see
Appendix B: Changing a registered IP address.
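
The requirements in this section can be checked against a console capture before a license is applied. The following is an added example, not part of the handbook or of any Fortinet tool: it parses get output in the format shown under CLI command branches and flags a port1 address that differs from the license-registered IP, a gateway outside the interface subnet, and an unassigned primary DNS. The capture, the function names and the assumption that an unassigned primary DNS prints as 0.0.0.0 (the handbook shows this only for the secondary) are illustrative.

```python
import ipaddress

# Constructed console capture in the format of the handbook's "get" examples.
SAMPLE_CAPTURE = """\
fwnmgr # get system interface
== [port1]
type: physical
ip: 192.168.10.10/24
status: up
fwnmgr # get router static
== [0]
destination: 0.0.0.0/0
gateway: 192.168.10.254
fwnmgr # get system dns
primary: 8.8.8.8
secondary: 0.0.0.0
"""


def parse_get_output(capture):
    """Return {"system interface": {...}, ...} keyed by the object after 'get'."""
    settings, current = {}, None
    for raw in capture.splitlines():
        line = raw.strip()
        if "# get " in line:  # prompt line, e.g. "fwnmgr # get system dns"
            current = settings.setdefault(line.split("# get ", 1)[1].strip(), {})
        elif current is not None and ":" in line and not line.startswith("=="):
            key, value = line.split(":", 1)
            current[key.strip()] = value.strip()
    return settings


def normalize_ip(value):
    """Accept '<IP>/<PREFIX>' or '<IP> <MASK>', the two forms 'set ip' takes."""
    parts = value.split()
    if len(parts) == 2:
        value = "/".join(parts)
    return ipaddress.IPv4Interface(value)  # raises ValueError on bad input


def check_network(settings, registered_ip):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    iface = settings.get("system interface", {})
    try:
        port1 = normalize_ip(iface.get("ip", ""))
    except ValueError:
        return ["port1 has no valid IP address, so the Web UI is unreachable"]
    if iface.get("status") != "up":
        findings.append("port1 status is not up")
    # The license is bound to one IP; a mismatch shows as "Invalid License IP".
    if port1.ip != ipaddress.IPv4Address(registered_ip):
        findings.append(
            f"port1 IP {port1.ip} differs from registered IP {registered_ip} "
            "(Invalid License IP)"
        )
    try:
        gateway = ipaddress.IPv4Address(
            settings.get("router static", {}).get("gateway", "")
        )
    except ValueError:
        gateway = None
    if gateway is None or gateway.is_unspecified:
        findings.append("no default gateway is set")
    elif gateway not in port1.network or gateway == port1.ip:
        findings.append(f"gateway {gateway} is not a neighbour on {port1.network}")
    # Assumption: an unassigned primary prints as 0.0.0.0, like the secondary.
    if settings.get("system dns", {}).get("primary", "0.0.0.0") == "0.0.0.0":
        findings.append("primary DNS is unassigned; NTP synchronization needs DNS")
    return findings


if __name__ == "__main__":
    parsed = parse_get_output(SAMPLE_CAPTURE)
    for finding in check_network(parsed, "192.168.10.20") or ["all checks passed"]:
        print(finding)
```
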


Authentication of Web UI and CLI

Local Authentication Database


FortiWAN Manager maintains a common local authentication database for its Web UI and CLI (see
Connecting to the Web UI and the CLI). Accounts for authentication are classified into two groups,
Administrator and Monitor, with different permissions. Accounts belonging to Administrator have
permission to monitor and modify system parameters via the Web UI and CLI, while accounts belonging
to Monitor are allowed limited operations only (monitoring the system and changing their own account
password, via the Web UI ONLY). Managing devices, system settings and maintenance (network settings,
license update, firmware update/downgrade, account management, set system to factory default, reboot
system, system configuration backup/restore) and CLI access are not available to the Monitor group. A
user logged in to FortiWAN Manager with administrator permission manages a FortiWAN device through an
Administrator account of the device; a user logged in to FortiWAN Manager with monitor permission
manages a FortiWAN device through a Monitor account of the device (see Adding the FortiWAN
devices).

Default account/password
admin is the default account used to access FortiWAN Manager's Web UI and CLI, and it belongs to the
Administrator group. The password of account admin is null: you can log in to the Web UI and CLI as
admin without entering a password. Before logging in to the Web UI for the first time, you have to log
in to the CLI as admin to configure the network settings (see Network Settings). You can reset the
password of admin via the Web UI or CLI.

Create, modify and delete the account and password for Administrators or Monitors.
To create, modify or delete an account of FortiWAN Manager, go to System > Administration on the
Web UI. You can manage the accounts of the Administrator and Monitor groups in the setting panels
Administrator Password and Monitor Password.

Select Account           The drop-down menu lists all the accounts of the Administrator or Monitor
                         group, including the default account admin. You can select an existing
                         account to delete or reset its password, or select the label Add New to
                         create a new account in the group.

New Account              Enter the new account ID here. This field is available only if the label Add
                         New in Select Account is selected. All the accounts are case sensitive and
                         the first character must be a lowercase letter.

New Password             Enter the new password for a new account set in field New Account, or
                         an existing account selected in Select Account.

Password Verification    Enter the new password again to confirm it.

Add Account              Click to add the new account set in fields New Account, New Password
                         and Password Verification. This button is available only if the label Add
                         New in Select Account is selected.

Remove Account           Click to remove the selected account. This button is available only if an
                         existing account in Select Account is selected.

Set Password             Click to set the new password to the selected account. This button is
                         available only if an existing account in Select Account is selected.

It is not possible to edit the user name of an existing account. The only way to achieve it is to delete
the existing account and create a new one with the user name you want. Remember that only accounts of
the Administrator group are able to manage the accounts. An account of the Monitor group can only reset
its own password.

FortiWAN Manager provides a CLI command to reset the password of accounts of the Administrator group,
see CLI command branches for details.

RADIUS Authentication
Along with FortiWAN Manager's local authentication database described above, FortiWAN Manager
supports RADIUS authentication for Web UI login. Please make sure the following settings are
complete on the RADIUS server working with FortiWAN Manager.

Add Fortinet's Vendor Specific Attribute (VSA) to /etc/raddb/dictionary:

VENDOR Fortinet 12356
BEGIN-VENDOR Fortinet
...
ATTRIBUTE Fortinet-FWN-AVPair 26 string
...
END-VENDOR Fortinet

"12356" is Fortinet's vendor ID, "Fortinet-FWN-AVPair" is the attribute used for working with
FortiWAN Manager and "26" is the attribute ID. If the RADIUS server also serves other Fortinet
products, please add the corresponding attributes between BEGIN-VENDOR Fortinet and
END-VENDOR Fortinet.

Construct the user database on the RADIUS server for authentication. For example, we have accounts
"Administrator/1234" and "admin/(null)" that belong to the Administrator group, and "Monitor/5678"
that belongs to the Monitor group.

Add the following to /etc/raddb/users:

Administrator User-Password := "1234"
    Fortinet-FWN-AVPair := "user-group=Administrator"
admin User-Password := ""
    Fortinet-FWN-AVPair := "user-group=Administrator"
Monitor User-Password := "5678"
    Fortinet-FWN-AVPair := "user-group=Monitor"

Please make sure "user-group" is specified for every account, or FortiWAN Manager denies the login
even if the account and password are authorized by the RADIUS server.

To enable FortiWAN Manager's RADIUS authentication, go to System > Administration on the Web
UI. In the setting panel RADIUS Authentication, please click the checkbox and complete the
configuration below.

Priority       Determines the priority of the two authentications:

               RADIUS, Local Database: Authorize a login via RADIUS first, then try the local
               database if the authentication failed in RADIUS.

               Local Database, RADIUS: Authorize a login via the local database first, then
               try RADIUS if the authentication failed in the local database.

Server IP      IP address of the RADIUS server.

Server Port    UDP port number of the RADIUS server (the standard port is 1812, but it might be
               1645 for earlier RADIUS).

Secret         The secret (password) shared with the RADIUS server.

NAS IP         Enter the corresponding NAS-IP-Address attribute for Request/Response
               Authenticator if it is necessary, or leave it blank. See RFC2865 for details.

NAS Port       Enter the corresponding NAS-Port attribute for Request/Response Authenticator if
               it is necessary, or leave it blank. See RFC2865 for details.

Apply          Click to apply the configuration.

Note that RADIUS works for local logins to FortiWAN Manager and FortiWAN but will not
work for a remote login from FortiWAN Manager to a FortiWAN device. A local
administrative login must be available on each FortiWAN device managed and that account
must be entered in the FortiWAN Manager Device Configuration page. FortiWAN Manager
and FortiWAN use these accounts to validate management messages between the devices.
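
The users-file requirements described in this section can be checked before the file is deployed. The following is an added example, not part of the handbook or of FreeRADIUS: it parses entries in the layout shown above and reports accounts that lack the user-group pair (which FortiWAN Manager would deny), carry a group other than Administrator or Monitor, or have an empty password. The sample file, the function names, the finding codes and the hyphenated attribute spellings (User-Password, Fortinet-FWN-AVPair) are assumptions of this example.

```python
import re

# Constructed sample in the users-file layout the handbook shows, plus one
# extra account ("guest") that was added without the user-group pair.
SAMPLE_USERS = '''\
Administrator User-Password := "1234"
    Fortinet-FWN-AVPair := "user-group=Administrator"
admin User-Password := ""
    Fortinet-FWN-AVPair := "user-group=Administrator"
Monitor User-Password := "5678"
    Fortinet-FWN-AVPair := "user-group=Monitor"
guest User-Password := "guest-pass"
'''

VALID_GROUPS = {"Administrator", "Monitor"}  # the two groups the handbook defines
# attribute, operator (:=, ==, +=, =), double-quoted value
ITEM = re.compile(r'([\w-]+)\s*(?::=|==|\+=|=)\s*"([^"]*)"')


def parse_users(text):
    """Split a users file into entries with their check and reply items."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or comment
        if raw[0].isspace():
            # Indented line: reply items of the entry that precedes it.
            if entries:
                entries[-1]["reply"].update(ITEM.findall(raw))
        else:
            # Unindented line: user name followed by its check items.
            fields = raw.split(None, 1)
            rest = fields[1] if len(fields) > 1 else ""
            entries.append(
                {"name": fields[0], "check": dict(ITEM.findall(rest)), "reply": {}}
            )
    return entries


def audit_users(text):
    """Return (account, finding) pairs for entries that need attention."""
    findings = []
    for entry in parse_users(text):
        if entry["name"] == "DEFAULT":
            continue  # fall-through entry, not an account
        pair = entry["reply"].get("Fortinet-FWN-AVPair", "")
        key, _, group = pair.partition("=")
        if key != "user-group":
            # RADIUS may accept the password, but the Web UI login is denied.
            findings.append((entry["name"], "missing-user-group"))
        elif group not in VALID_GROUPS:
            findings.append((entry["name"], "unknown-user-group"))
        if entry["check"].get("User-Password") == "":
            findings.append((entry["name"], "empty-password"))
    return findings


if __name__ == "__main__":
    for account, finding in audit_users(SAMPLE_USERS):
        print(f"{account}: {finding}")
```
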


System Date and Time

To correct system time, go to System > Date/Time on the Web UI. On the setting panel Date/Time
Settings, you can configure the settings of time, date, and time zone.

Date Enter the date in the format year/month/day.

Time Enter the time in the format hour:minute:second (24-hour time system).

Time Zone Select the continent and city, for example [America] and [New York].

Time Server The drop-down menu lists the time servers for synchronizing system time. You
can add and delete servers as you prefer by clicking the buttons beside the menu. Make
sure a DNS server is assigned to the FortiWAN Manager, see FortiWAN Manager
Network Settings for details.

Synchronize Time Click to perform accurate time synchronization through the NTP time server
selected in field "Time Server". Access to an NTP Time Server is highly
recommended.


System information, resources and license

As soon as you log in to the FortiWAN Manager Web UI, you see the page Dashboard > Summary. It
shows the basic information of a FortiWAN Manager appliance, including System Information, System
Resources, and License Information.

System Information

Version          The firmware version of the FortiWAN Manager appliance.

Serial Number    The serial number of the FortiWAN Manager appliance.

Uptime           The time the FortiWAN Manager appliance has been up and running.

Hard Disk        Configuration and firmware files of FortiWAN devices can be stored on
                 FortiWAN Manager's hard disk for managing (see Managing
                 configurations of FortiWAN and Managing firmware update for
                 FortiWAN). Besides, FortiWAN Manager's system logs are also kept
                 on the hard disk (see System logs). The hard disk is consumed
                 as files and logs accumulate. Once the disk space is used up, FortiWAN
                 Manager might fail to continue device managing. This field monitors
                 the disk space status of FortiWAN Manager by displaying the total
                 space and consumed space.

                 To keep FortiWAN Manager working normally, please remove
                 configuration files, firmware files and system logs from the hard
                 disk as appropriate when disk usage is high.

System Resources

CPU Usage The CPU usage of the FortiWAN Manager in percentage.

Memory Usage The memory usage of the FortiWAN Manager in percentage.

Hard Disk Usage The hard disk usage of the FortiWAN Manager in percentage.

License Information
This table displays the states of a FortiWAN Manager appliance's license as follows (see Licensing for
more information about licenses):

License Status   Trial License is in use. (Expire in x days x hours x mins): This
                 is a 90-day trial or evaluation license, and the license will expire in x
                 days x hours x mins.

                 Valid: This is a permanent license.

                 Expired: This license is expired. System will be forced to reboot
                 every 5 minutes. Please purchase a permanent license.

                 Invalid (The number of devices more than license limits): The
                 number of FortiWAN devices added to FortiWAN Manager (see
                 Registering the FortiWAN devices to FortiWAN Manager) exceeds what
                 the current license supports (the value displayed in License Limit field).
                 System will be forced to reboot every 5 minutes. Please remove the
                 added devices to match the limit (go to Device Manager > Device),
                 or upgrade the current license to extend the limit.

                 Invalid License IP: The IP address deployed on FortiWAN
                 Manager's network interface (see Network Settings) does not match
                 the one registered for the license. System will be forced to reboot
                 every 5 minutes. Please re-configure the IP address for FortiWAN
                 Manager's network interface to match the registered IP, or replace
                 the IP address of the license with the one that is in use.

                 See Appendix A: License verification failure and Appendix B:
                 Changing a registered IP address for more details.

                 Click the Update button and upload a license file to update your
                 FortiWAN Manager VM. You can request an evaluation or trial license
                 from Fortinet Customer Support or you can purchase a permanent
                 license from your Fortinet channel partner (see Licensing and
                 Downloading software & registering with support).

License Limit    Number of FortiWAN devices that the license supports. A trial license
                 manages unlimited devices and a permanent license manages up to 10
                 devices. This value increases (20, 30, 40 ...) every time the base license is
                 upgraded with a 10-Device extension license. "None" indicates the license
                 manages unlimited devices.

The built-in 15-day evaluation license and 90-day trial license allow unlimited FortiWAN device
managing; a permanent license can manage up to 10 FortiWAN devices. You might manage more than
10 devices through FortiWAN Manager during the 15-day evaluation (more than 10 devices are added to
FortiWAN Manager). However, the license status becomes invalid after a permanent license is applied
if more than 10 devices have been added. Please remove the added devices to match the limit first.


System logs

FortiWAN Manager keeps two types of logs, system logs and device management logs. System logs
record the system events of FortiWAN Manager, such as login/logout, account password changes,
network setting changes, system time synchronization, etc. Device management logs record the
events of managing FortiWAN devices, such as updating firmware on a device, restoring a configuration
file to devices, etc. Go to System > Log and choose the log type; the corresponding events will be
shown in the display window. Please be aware that this page is only for online viewing of current events.

Log Type Choose log type to view its events in the display window Recent Event. The
log types are:

• System Log
• Device Management Log

Recent Event Log events listed in time order.

Refresh Click the Refresh button to get the latest log events.

Clear Click the Clean button to clean up log records from FortiWAN Manager's hard
disk. Logs are kept on FortiWAN Manager's hard disk. Clearing them
periodically is suggested to avoid high disk usage (see System
information, resources and license).

Note that FortiWAN Manager does not maintain system logs from FortiWAN devices.


System maintenance

Go to System > Administration on the Web UI. Maintenance, Configuration File and Firmware
Update are the tools provided for FortiWAN Manager system maintenance.

System configuration backup/restore

You can download a backup of FortiWAN Manager's configurations to your PC. A configuration file
contains the configurations of system settings, device groups and device settings of the FortiWAN
Manager. The file is saved in .json format, which is readable and editable. On the setting panel
Configuration File:

Save       Click to save the current configurations in one file to your PC.

Restore    Click to recover the whole system with the backed-up configurations. Note that
           Restore applies the configurations to the system, after which the system
           automatically reboots.

Do NOT turn off the power or click the Restore button repeatedly while the configuration file is
being restored.

Firmware update
On the setting panel Firmware Update, the current version is shown. Click the Update or
Downgrade button and follow the on-screen instructions to perform a firmware update/downgrade. Note
that a firmware downgrade will reset the current configurations to factory default; please back up the
current configurations in advance. Firmware update and downgrade can jump directly from the current
version to another version without applying all the updates or downgrades that have been released
between the versions.

• Updating the FortiWAN Manager Firmware:

    • Before proceeding with the firmware update, ALWAYS back up system configurations.
    • Obtain the latest firmware upgrade pack from https://support.fortinet.com.
    • Log onto the Web UI with an administrator account and go to System > Administration.
    • Click on "Update".
    • Use [ Browse...] to select the path of the new firmware image.
    • Click [ Upload File] to start updating.
    • The firmware update will take a while, so please be patient. During the update process, be sure
      NOT to turn off the system. DO NOT click on the [ Upload] button more than once.
    • Update is completed when the "Update succeeded" message appears. FortiWAN Manager will reboot
      automatically then.

Errors might occur during the update, see System Configurations > Administration > Firmware Update
in FortiWAN Handbook for the reasons. When a firmware update is being processed in the system, other
users (multi-user login, see Access to Web UI) are unable to perform firmware updates at the same
time.

System maintenance
Click Factory Default to reset configurations to factory default. Click Reboot to reboot FortiWAN
Manager.



Registering the FortiWAN devices to FortiWAN Manager

To manage FortiWAN devices through FortiWAN Manager, it is necessary to register the devices to
FortiWAN Manager first, which means establishing connectivity between FortiWAN Manager and the
devices (see Adding a FortiWAN device). Adding the devices to FortiWAN Manager requires certain
information about them. Note that FortiWAN Manager requires the FortiWAN to be running firmware
version v4.2.0 or later. Earlier versions are not supported.

The grouping function helps you to organize the FortiWAN devices on FortiWAN Manager (see
Grouping the FortiWAN devices). For better management, sometimes you might need to group the
devices according to categories such as the regions they are deployed in. Grouping organizes the
devices in a two-level navigation tree, so that the hierarchy is obvious and a category of devices can
be found quickly among many devices.

Adding a FortiWAN device

Go to Device Manager > Device on FortiWAN Manager Web UI. As discussed previously,
registering a FortiWAN device to FortiWAN Manager is necessary to start managing it through
FortiWAN Manager. Through this page you can:

• Add a FortiWAN device to FortiWAN Manager for managing it.
• Organize the FortiWAN devices by grouping.
• Monitor system information and WAN link states of every FortiWAN device.
• Have access to every FortiWAN's Web UI.

Device IP
Device IP here is one of the IP addresses deployed on FortiWAN device's localhost, which FortiWAN
Manager connects to for managing. It could be a WAN port IP or a LAN port IP (see FortiWAN
Handbook). Management messages are exchanged between FortiWAN Manager and the FortiWAN
device through the IP address. Once the device IP becomes not available to FortiWAN Manager,
operations to manage the FortiWAN device fail. Acceptable device IP varies depending on the
deployments. The following diagrams show the way to decide the device IP to FortiWAN Manager. It is
assumed that only one IP address is deployed on each WAN port and LAN port in the following
diagrams.
Deploying FortiWAN Manager in LAN, and managing devices through the Internet

Device IP for FortiWAN-A Device IP for FortiWAN-B Device IP for FortiWAN-C

10.10.10.10 or 192.168.10.254 20.20.20.20 30.30.30.30

If the FortiWAN Manager is installed in the LAN subnet of FortiWAN-A as the example above shows,
the FortiWAN Manager is able to access FortiWAN-A through not only the LAN port
(192.168.10.254) but also all the WAN ports (10.10.10.10). Therefore, in the example, the device IP for
the FortiWAN Manager to manage FortiWAN-A could be 192.168.10.254 or 10.10.10.10. As for
FortiWAN-B and FortiWAN-C, their LAN port IPs are invisible to the manager; the device IPs for the two
devices can only be the public WAN ports 20.20.20.20 and 30.30.30.30 respectively.

Deploying FortiWAN Manager in LAN, and managing devices through Tunnel Routing VPNs

Device IP for FortiWAN-A          Device IP for FortiWAN-B          Device IP for FortiWAN-C
10.10.10.10 or 192.168.10.254     20.20.20.20 or 192.168.20.254     30.30.30.30 or 192.168.30.254

If the FortiWANs connect to each other through a Tunnel Routing VPN (whether simple Tunnel
Routing or Tunnel Routing over IPSec transport mode, see FortiWAN Handbook), the LAN ports of the
remote devices FortiWAN-B and FortiWAN-C become accessible to the FortiWAN Manager behind
FortiWAN-A. Therefore, the device IP for FortiWAN-B set on FortiWAN Manager could be 20.20.20.20
(WAN port) or 192.168.20.254 (LAN port). Similarly, the device IP for FortiWAN-C set on FortiWAN
Manager could be 30.30.30.30 (WAN port) or 192.168.30.254 (LAN port). As for FortiWAN-A, the
device IP could still be 10.10.10.10 (WAN port) or 192.168.10.254 (LAN port).

Deploying FortiWAN Manager in LAN, and managing devices through IPSec VPNs

Device IP for FortiWAN-A          Device IP for FortiWAN-B          Device IP for FortiWAN-C
10.10.10.10 or 192.168.10.254     192.168.20.254                    192.168.30.254

If the FortiWANs connect to each other through an IPSec VPN (IPSec tunnel mode, see FortiWAN
Handbook), the LAN ports of the remote devices FortiWAN-B and FortiWAN-C become accessible to the
FortiWAN Manager behind FortiWAN-A. However, a host in the LAN of FortiWAN-A cannot access,
through the IPSec tunnels, the public IP addresses (WAN port IPs 20.20.20.20 and 30.30.30.30) of
FortiWAN-B and FortiWAN-C that are used to establish IPSec connectivity. This is a limitation of
FortiWAN's IPSec: a Quick Mode selector of IKE phase 2 does not accept a destination IP which is used
to establish the ISAKMP SA in IKE phase 1. Therefore, if the FortiWAN Manager is to manage the remote
devices FortiWAN-B and FortiWAN-C through the IPSec VPN, the device IPs for the manager will be
192.168.20.254 and 192.168.30.254 respectively. The manager can manage the two devices through
20.20.20.20 and 30.30.30.30 only if the management messages are transferred through a non-IPSec
network. As for FortiWAN-A, the device IP could still be 10.10.10.10 (WAN port) or 192.168.10.254
(LAN port).

Deploying FortiWAN Manager in near WAN, and managing devices through the Internet

Device IP for FortiWAN-A          Device IP for FortiWAN-B          Device IP for FortiWAN-C
10.10.10.10                       20.20.20.20                       30.30.30.30

Installing FortiWAN Manager in the near WAN (see FortiWAN Handbook) of a WAN link of FortiWAN-A,
as the example above shows, implies that the FortiWAN Manager and the WAN port are located in the
same subnet (in the diagram, the FortiWAN Manager is deployed with 10.10.10.11) and that the WAN
port is the only interface that FortiWAN Manager can access for managing it. Therefore, the device IPs
for adding FortiWAN-A, FortiWAN-B and FortiWAN-C to the FortiWAN Manager are 10.10.10.10,
20.20.20.20 and 30.30.30.30 respectively.

See Basic topology in Installation for details about the difference between the two deployments.

Redundant device IP
For each connection between FortiWAN Manager and a FortiWAN device, a fail-over mechanism is
provided by employing a redundant device IP. It pairs two localhost IP addresses of the FortiWAN
device; FortiWAN Manager takes one of them as the master IP and the other one as the slave IP. Under
normal usage, FortiWAN Manager connects to the FortiWAN for management through the master IP
and the slave one is just a backup. Once the master IP goes down (or becomes unavailable), the slave IP
takes over to become the master and FortiWAN Manager switches the connection to the FortiWAN to
the new master IP to continue management. At the same time, the original master IP (the failed one)
becomes the slave as a backup, and this relationship will not change until the next takeover. FortiWAN
Manager disconnects from a FortiWAN if both of the two device IPs are unavailable.
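
The role swap described above, as an added Python model that is not FortiWAN Manager code: it replays a sequence of availability checks against a master/slave pair and shows that the roles do not revert when the original master comes back. How FortiWAN Manager detects availability, and how it reconnects after both IPs were down, are not stated in this handbook and are assumptions here; the check sequence is constructed.

```python
class DeviceLink:
    """Master/slave device IP pair, as described for the redundant device IP."""

    def __init__(self, master_ip, slave_ip=None):
        self.master = master_ip
        self.slave = slave_ip      # None when "IP address (fail-over)" is left blank
        self.connected = False

    def observe(self, reachable):
        """Apply one availability check; return (ip_in_use or None, event)."""
        was_connected = self.connected
        if self.master in reachable:
            self.connected = True
            event = "ok" if was_connected else "connected"
        elif self.slave is not None and self.slave in reachable:
            # Takeover: the slave becomes master, the failed master becomes
            # the backup, and the roles stay that way until the next takeover.
            self.master, self.slave = self.slave, self.master
            self.connected = True
            event = "takeover"
        else:
            # Both device IPs unavailable: the manager loses the device.
            self.connected = False
            event = "disconnected"
        return (self.master if self.connected else None), event


def replay(link, checks):
    """Feed a list of reachable-IP collections to the link, one check each."""
    return [link.observe(set(reachable)) for reachable in checks]


# Constructed check sequence for FortiWAN-A (WAN port and LAN port from the
# examples above): WAN port fails, recovers, both fail, then only WAN returns.
WAN_IP, LAN_IP = "10.10.10.10", "192.168.10.254"
CHECKS = [
    {WAN_IP, LAN_IP},   # both reachable
    {LAN_IP},           # master (WAN port) down -> takeover by the LAN port
    {WAN_IP, LAN_IP},   # WAN port back: it stays the slave, no fail-back
    set(),              # both down -> disconnected
    {WAN_IP},           # only the current slave answers -> takeover again
]

if __name__ == "__main__":
    for ip, event in replay(DeviceLink(WAN_IP, LAN_IP), CHECKS):
        print(f"{event:<13} in use: {ip}")
```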

Administrator User Name & Monitor User Name


Administrator User Name, Monitor User Name and the corresponding passwords are the information
required for adding a FortiWAN device to FortiWAN Manager. FortiWAN Manager uses these logins to
access devices for managing. In other words, the accounts and passwords must be configured in the
FortiWAN's local authentication database for verifying accesses from the FortiWAN Manager. The
following diagram is an example that explains how the Administrator User Name and Monitor
User Name of a FortiWAN device are set on the FortiWAN Manager.

In the diagram, FMGR_ad01 is one of the accounts belonging to the Administrator group and FMGR_mo01
is one of the accounts belonging to the Monitor group on FortiWAN device A. FMGR_ad02 is one of the
accounts belonging to the Administrator group and FMGR_mo02 is one of the accounts belonging to the
Monitor group on FortiWAN device B. Device A and device B are registered to FortiWAN Manager with
these accounts. On the FortiWAN Manager, the fields Administrator User Name and Monitor User
Name of device A are configured as FMGR_ad01 and FMGR_mo01 respectively, and the fields
Administrator User Name and Monitor User Name of device B are configured as FMGR_ad02
and FMGR_mo02. These accounts are used by FortiWAN Manager to authenticate to FortiWAN
device A and device B. There are also two permissions for the accounts used to log in to FortiWAN
Manager, Administrator group and Monitor group (See Authentication of Web UI and CLI). In the
example above, a user who belongs to the Administrator group of FortiWAN Manager logs in to
FortiWAN Manager as account Alice. Alice then not only has full permission on the system settings of
the FortiWAN Manager (See System setting and summary), but also fully controls the operations to
manage FortiWAN device A and device B through the Administrator User Name FMGR_ad01 and
FMGR_ad02. As for the user Morris, who belongs to the Monitor group of FortiWAN Manager, he logs in
to FortiWAN Manager with the Monitor permission. Morris can only monitor the system information of
FortiWAN Manager (get system information and WAN states) and access the Web UI of the two devices
through the Monitor User Name FMGR_mo01 and FMGR_mo02.

Make sure that a local login (the account and password) is configured in the FortiWAN device's
local authentication database (such as FMGR_ad01 in Device A above), then enter the same login in
FortiWAN Manager for that FortiWAN device when registering it to FortiWAN Manager (such as
Administrator User Name: FMGR_ad01 in the FortiWAN Manager above). The login (such as
FMGR_ad01 and its password) does not need to match any of FortiWAN Manager's local logins (such
as Alice, Albert, Morris and Mike above).

Both FortiWAN and FortiWAN Manager support local login through RADIUS authentication (see
FortiWAN Handbook and Authentication of Web UI and CLI), but RADIUS is not supported for login to
FortiWAN devices from FortiWAN Manager.

FortiWAN setup for FortiWAN Manager


Appropriate Firewall settings are required on the managed FortiWAN devices for FortiWAN Manager to
remotely manage them through the Internet (a non-Tunnel Routing and non-IPSec network).
FortiWAN Manager requires the HTTP(80) and HTTPS(443) services on a managed FortiWAN's localhost
for managing. However, by default FortiWAN's firewall denies the packets requesting the HTTP(80) and
HTTPS(443) services on its localhost from WAN (any source IP that is not deployed in the FortiWAN's
network setting). The firewall must be configured to accept these requests so that FortiWAN Manager
can access the services on the remote devices for managing. For managing devices through a Tunnel
Routing VPN or an IPSec VPN, appropriate routing rules are required on the devices to route the
management messages into the VPNs and deliver them to the destinations (device IPs). The following
are the necessary settings on the FortiWANs for the various deployments (using the same examples as
the previous ones).

Deploying FortiWAN Manager in LAN, and managing devices through the Internet

Firewall settings on FortiWAN-B and FortiWAN-C

Go to Service > Firewall on the FortiWAN-B and FortiWAN-C Web UI, and disable or remove the
following two rules:

When=All-Time, Source=WAN, Destination=Localhost, Service=HTTP(80), Action=Deny

When=All-Time, Source=WAN, Destination=Localhost, Service=HTTPS(443), Action=Deny

You can also keep the two rules enabled but change the Action to Accept.

Note that this will allow all the accesses to FortiWAN's Web UI coming from the Internet, not only from
FortiWAN-A. For stronger access control, you should keep the two default rules unchanged but add two
new rules above them to allow only the accesses coming from FortiWAN-A. For example:

When=All-Time, Source=10.10.10.10, Destination=Localhost, Service=HTTP(80), Action=Accept

When=All-Time, Source=10.10.10.10, Destination=Localhost, Service=HTTPS(443), Action=Accept

The source IP of accesses from the internal FortiWAN Manager (192.168.10.10) to FortiWAN-B and
FortiWAN-C is NATed to the WAN link IP 10.10.10.10 by FortiWAN-A. In the example, we assume
that there is only one WAN link deployed on FortiWAN-A, so for FortiWAN-B and FortiWAN-C the source
IP of the incoming management messages is always 10.10.10.10. In a real network, however, you might
have multiple WAN links deployed on FortiWAN-A. You can fix the management messages to pass
through one WAN link or distribute them over multiple WAN links (by Auto Routing). If the packets are
distributed over multiple WAN links, more firewall rules must be added on FortiWAN-B and FortiWAN-C
to accept the management messages coming from the different WAN links of FortiWAN-A
(Source=IP of every WAN link). With these settings, accesses from the Internet to the FortiWAN-B and
FortiWAN-C Web UI are still denied unless they come from FortiWAN-A (10.10.10.10 or other WAN
links).

Since the FortiWAN Manager is deployed in the LAN of FortiWAN-A, access to FortiWAN-A's Web UI
(192.168.10.254 and 10.10.10.10) is not denied by default. No Firewall settings are required for this
access.

Deploying FortiWAN Manager in near WAN, and managing devices through the Internet

First, ensure that the IP 10.10.10.11 for FortiWAN Manager is deployed exactly in the near WAN or
DMZ of the WAN link (10.10.10.10), no matter what type the WAN link is (see FortiWAN Handbook).

Firewall settings on FortiWAN-B and FortiWAN-C

Go to Service > Firewall on the FortiWAN-B and FortiWAN-C Web UI, and disable or remove the
following two rules:

When=All-Time, Source=WAN, Destination=Localhost, Service=HTTP(80), Action=Deny

When=All-Time, Source=WAN, Destination=Localhost, Service=HTTPS(443), Action=Deny

You can also keep the two rules enabled but change the Action to Accept.

Note that this will allow all the accesses to FortiWAN's Web UI coming from the Internet, not only from
FortiWAN-A. For stronger access control, you should keep the two default rules unchanged but add two
new rules above them to allow only the accesses coming from the FortiWAN Manager. For example:

When=All-Time, Source=10.10.10.11, Destination=Localhost, Service=HTTP(80), Action=Accept

When=All-Time, Source=10.10.10.11, Destination=Localhost, Service=HTTPS(443), Action=Accept

With these settings, accesses from the Internet to the FortiWAN-B and FortiWAN-C Web UI are still
denied unless they come from the FortiWAN Manager (10.10.10.11).

Since the FortiWAN Manager is deployed in the near WAN or DMZ of a WAN link of FortiWAN-A, access to
FortiWAN-A's Web UI is not denied by default. No Firewall settings are required for this access.
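
The rule ordering used in the two Internet-managed deployments above (manager in LAN, seen by FortiWAN-B and FortiWAN-C as 10.10.10.10; manager in near WAN, seen as 10.10.10.11), as an added Python model that is not part of FortiWAN: it audits a rule list for Web UI exposure and for manager sources that would be locked out. It assumes top-down, first-match evaluation and that a request matching no rule is accepted (which is why removing the default Deny rules opens access); 10.10.20.10 is a constructed address for a second WAN link on FortiWAN-A.

```python
import ipaddress

WAN = "WAN"  # handbook keyword: any source IP not deployed on the FortiWAN itself
MGMT_SERVICES = ("HTTP(80)", "HTTPS(443)")


def rule(source, service, action):
    """One firewall rule with the fields used in the handbook's examples."""
    return {"when": "All-Time", "source": source, "destination": "Localhost",
            "service": service, "action": action}


def default_deny():
    """The two default rules that block Web UI access from WAN."""
    return [rule(WAN, s, "Deny") for s in MGMT_SERVICES]


def allow_sources(sources):
    """Accept rules for specific sources, meant to sit above the defaults."""
    return [rule(src, s, "Accept") for src in sources for s in MGMT_SERVICES]


def _matches(rule_source, src_ip):
    if rule_source == WAN:
        return True  # every address audited here is a WAN-side source
    net = ipaddress.ip_network(rule_source, strict=False)
    return ipaddress.ip_address(src_ip) in net


def decide(rules, src_ip, service):
    """Action of the first matching rule (assumed top-down, first match)."""
    for r in rules:
        if r["service"] == service and _matches(r["source"], src_ip):
            return r["action"]
    return "Accept"  # assumption: nothing matched, so nothing denies it


def audit(rules, manager_sources):
    """List exposure and lock-out problems for the Web UI services."""
    findings = []
    allowed = [ipaddress.ip_network(s) for s in manager_sources]
    for service in MGMT_SERVICES:
        # 1. Every source address the manager can appear as must get in.
        for src in manager_sources:
            if decide(rules, src, service) != "Accept":
                findings.append(f"{service}: manager source {src} is denied")
        # 2. Nothing outside that list may be accepted before the WAN deny.
        closed = False
        for r in rules:
            if r["service"] != service:
                continue
            if r["source"] == WAN:
                if r["action"] == "Accept":
                    findings.append(f"{service}: open to every WAN source")
                closed = True
                break
            net = ipaddress.ip_network(r["source"], strict=False)
            if r["action"] == "Accept" and not any(net.subnet_of(a) for a in allowed):
                findings.append(f"{service}: extra source {r['source']} accepted")
        if not closed:
            findings.append(f"{service}: no WAN deny rule, open to every WAN source")
    return findings


# Rule sets from the text, for FortiWAN-B or FortiWAN-C.
HARDENED = allow_sources(["10.10.10.10"]) + default_deny()   # recommended form
OPENED = [rule(WAN, s, "Accept") for s in MGMT_SERVICES]     # Action changed to Accept
REMOVED = []                                                 # default rules removed

if __name__ == "__main__":
    cases = [("hardened", HARDENED, ["10.10.10.10"]),
             ("opened", OPENED, ["10.10.10.10"]),
             ("removed", REMOVED, ["10.10.10.10"]),
             # FortiWAN-A balancing over a second (constructed) WAN link:
             ("multi-WAN", HARDENED, ["10.10.10.10", "10.10.20.10"])]
    for name, rules, sources in cases:
        print(name, audit(rules, sources) or "no findings")
```

For the near WAN deployment, pass 10.10.10.11 as the only manager source.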

Deploying FortiWAN Manager in LAN, and managing devices through Tunnel Routing VPNs

For this deployment, it is assumed that the settings of Tunnel Routing (or Tunnel Routing over IPSec
Transport mode) have already been configured on the three FortiWAN devices (Tunnel Routing VPN
has been established between the devices). Then the corresponding routing rules are required to
transfer FortiWAN Manager's management messages between the devices through the Tunnel Routing
VPN. For the details of deploying a Tunnel Routing VPN between FortiWAN devices, see FortiWAN
Handbook.

TR Routing Rules on FortiWAN-A

Go to Service > Tunnel Routing on the FortiWAN-A Web UI, and add two routing rules as follows:

Source=192.168.10.10, Destination=20.20.20.20 or 192.168.20.254, Service=Any, Group=A-to-B

Source=192.168.10.10, Destination=30.30.30.30 or 192.168.30.254, Service=Any, Group=A-to-C

where A-to-B is the tunnel group defined on FortiWAN-A used for TR connectivity between FortiWAN-A
and FortiWAN-B, and A-to-C is the tunnel group defined on FortiWAN-A used for TR connectivity
between FortiWAN-A and FortiWAN-C. Destination of the first routing rule must be the device IP
(20.20.20.20 or 192.168.20.254) set on the FortiWAN Manager for FortiWAN-B, and Destination of the
second routing rule must be the device IP (30.30.30.30 or 192.168.30.254) set on the FortiWAN
Manager for FortiWAN-C.

TR Routing Rules on FortiWAN-B

Go to Service > Tunnel Routing on the FortiWAN-B Web UI, and add a routing rule as follows:

Source=20.20.20.20 or 192.168.20.254, Destination=192.168.10.10, Service=Any, Group=B-to-A

where B-to-A is the tunnel group defined on FortiWAN-B used for TR connectivity between FortiWAN-A
and FortiWAN-B. Source of the routing rule must be the device IP (20.20.20.20 or 192.168.20.254)
set on the FortiWAN Manager for FortiWAN-B.

TR Routing Rules on FortiWAN-C

Go to Service > Tunnel Routing on the FortiWAN-C Web UI, and add a routing rule as follows:

Source=30.30.30.30 or 192.168.30.254, Destination=192.168.10.10, Service=Any, Group=C-to-A

where C-to-A is the tunnel group defined on FortiWAN-C used for TR connectivity between FortiWAN-A
and FortiWAN-C. Source of the routing rule must be the device IP (30.30.30.30 or 192.168.30.254)
set on the FortiWAN Manager for FortiWAN-C.

By default, FortiWAN's Firewall accepts all accesses to localhost coming from the LAN of the opposite
FortiWAN through a Tunnel Routing VPN; therefore no firewall setting is required for this deployment.

Deploying FortiWAN Manager in LAN, and managing devices through IPSec VPNs

For this deployment, it is assumed that the settings of IPSec Tunnel mode have already been
configured on the three FortiWAN devices (an IPSec VPN has been established between the devices).
The corresponding Phase 2 Quick Mode selectors are then required to transfer FortiWAN Manager's
management messages between the devices through the IPSec VPN. For the details of deploying an
IPSec VPN between FortiWAN devices, see FortiWAN Handbook.

IPSec Phase 2 Quick Mode selectors on FortiWAN-A

Go to Service > IPSec on the FortiWAN-A Web UI, and add two IKE phase 2 configurations as
follows:

Add a new phase 2 configuration named A-to-B-P2-FWNMGR (for example) to an existing phase 1
A-to-B-P1, and configure its Quick Mode as:

Source=192.168.10.10, Port=Any, Destination=192.168.20.254, Port=Any, Protocol=Any

Add a new phase 2 configuration named A-to-C-P2-FWNMGR (for example) to an existing phase 1
A-to-C-P1, and configure its Quick Mode as:

Source=192.168.10.10, Port=Any, Destination=192.168.30.254, Port=Any, Protocol=Any

where A-to-B-P1 and A-to-C-P1 are two existing IKE phase 1 configurations on FortiWAN-A used to
establish the ISAKMP SAs with FortiWAN-B and FortiWAN-C respectively. A-to-B-P2-FWNMGR and
A-to-C-P2-FWNMGR are the IKE phase 2 configurations added on FortiWAN-A to establish the IPSec
SAs for delivering FortiWAN Manager's messages to FortiWAN-B and FortiWAN-C respectively. Note
that since the device IPs set on the FortiWAN Manager for FortiWAN-B and FortiWAN-C must be the
LAN port IPs (192.168.20.254 and 192.168.30.254) of the two devices, Destination of the two Quick
Mode selectors must be configured as the corresponding IPs.

IPSec Phase 2 Quick Mode selectors on FortiWAN-B

Go to Service > IPSec on the FortiWAN-B Web UI, and add an IKE phase 2 configuration as follows:

Add a new phase 2 configuration named B-to-A-P2-FWNMGR (for example) to an existing phase 1
B-to-A-P1, and configure its Quick Mode as:

Source=192.168.20.254, Port=Any, Destination=192.168.10.10, Port=Any, Protocol=Any

where B-to-A-P1 is an existing IKE phase 1 configuration on FortiWAN-B used to establish the
ISAKMP SA with FortiWAN-A. B-to-A-P2-FWNMGR is the IKE phase 2 configuration added on
FortiWAN-B to establish the IPSec SA for delivering the responses to the FortiWAN Manager behind
FortiWAN-A. Note that since the device IP set on the FortiWAN Manager for FortiWAN-B must be the
LAN port IP (192.168.20.254) of the device, Source of the Quick Mode selector must be configured as
the corresponding IP.

IPSec Phase 2 Quick Mode selectors on FortiWAN-C

Go to Service > IPSec on the FortiWAN-C Web UI, and add an IKE phase 2 configuration as
follows:

Add a new phase 2 configuration named C-to-A-P2-FWNMGR (for example) to an existing phase 1
C-to-A-P1, and configure its Quick Mode as:

Source=192.168.30.254, Port=Any, Destination=192.168.10.10, Port=Any, Protocol=Any

where C-to-A-P1 is an existing IKE phase 1 configuration on FortiWAN-C used to establish the
ISAKMP SA with FortiWAN-A. C-to-A-P2-FWNMGR is the IKE phase 2 configuration added on
FortiWAN-C to establish the IPSec SA for delivering the responses to the FortiWAN Manager behind
FortiWAN-A. Note that since the device IP set on the FortiWAN Manager for FortiWAN-C must be the
LAN port IP (192.168.30.254) of the device, Source of the Quick Mode selector must be configured as
the corresponding IP.

By default, FortiWAN's Firewall accepts all accesses to localhost coming from the LAN of the opposite
FortiWAN through an IPSec VPN; therefore no firewall setting is required for this deployment.
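
The selector requirements of the IPSec deployment above, as an added Python check that is not part of FortiWAN or FortiWAN Manager: it verifies that each registered device IP has a Quick Mode selector on FortiWAN-A, a mirrored selector on the remote unit, and that no selector uses a phase 1 peer address as its destination. The data structures and function names are hypothetical; the addresses and configuration names are the ones used in this section, and Port/Protocol are left out because they are Any throughout.

```python
from collections import namedtuple

Selector = namedtuple("Selector", "name phase1 source destination")

MANAGER_IP = "192.168.10.10"   # FortiWAN Manager in the LAN of FortiWAN-A
LOCAL = "FortiWAN-A"           # the unit the manager sits behind

# Phase 1 name -> remote address used to establish the ISAKMP SA
# (the WAN port IPs of the example topology).
PHASE1_PEER = {
    "A-to-B-P1": "20.20.20.20", "A-to-C-P1": "30.30.30.30",
    "B-to-A-P1": "10.10.10.10", "C-to-A-P1": "10.10.10.10",
}


def handbook_selectors():
    """Phase 2 Quick Mode selectors as listed in the section above."""
    return {
        "FortiWAN-A": [
            Selector("A-to-B-P2-FWNMGR", "A-to-B-P1", MANAGER_IP, "192.168.20.254"),
            Selector("A-to-C-P2-FWNMGR", "A-to-C-P1", MANAGER_IP, "192.168.30.254"),
        ],
        "FortiWAN-B": [
            Selector("B-to-A-P2-FWNMGR", "B-to-A-P1", "192.168.20.254", MANAGER_IP),
        ],
        "FortiWAN-C": [
            Selector("C-to-A-P2-FWNMGR", "C-to-A-P1", "192.168.30.254", MANAGER_IP),
        ],
    }


def check_management_path(device_ips, selectors):
    """Return findings for device IPs that cannot be managed through IPSec.

    device_ips: device name -> device IP registered on FortiWAN Manager.
    selectors:  device name -> list of Selector entries on that unit.
    """
    findings = []
    # Limitation stated in the Device IP subsection: a Quick Mode selector
    # does not accept a destination that is the phase 1 peer address.
    for unit, entries in selectors.items():
        for s in entries:
            if PHASE1_PEER.get(s.phase1) == s.destination:
                findings.append(
                    f"{unit}/{s.name}: destination {s.destination} "
                    "is the phase 1 peer address")
    # Requests need a selector on the local unit, responses a mirrored one
    # on the remote unit, both tied to the registered device IP.
    for device, device_ip in device_ips.items():
        if device == LOCAL:
            continue  # reached directly from the LAN, no tunnel involved
        outbound = any(s.source == MANAGER_IP and s.destination == device_ip
                       for s in selectors.get(LOCAL, []))
        inbound = any(s.source == device_ip and s.destination == MANAGER_IP
                      for s in selectors.get(device, []))
        if not outbound:
            findings.append(
                f"{LOCAL}: no selector {MANAGER_IP} -> {device_ip} for {device}")
        if not inbound:
            findings.append(f"{device}: no selector {device_ip} -> {MANAGER_IP}")
    return findings


# Device IPs from the IPSec row of the Device IP subsection.
DEVICE_IPS = {"FortiWAN-A": "192.168.10.254",
              "FortiWAN-B": "192.168.20.254",
              "FortiWAN-C": "192.168.30.254"}

if __name__ == "__main__":
    print(check_management_path(DEVICE_IPS, handbook_selectors()) or "no findings")
```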

Add Device
To register a FortiWAN device to FortiWAN Manager, go to Device Manager > Device and click the
button Add Device in the upper-left corner (this is only available for Administrator permission). A
setting panel is then displayed in the main area of the page.

Device Name
    A unique name used to indicate the FortiWAN device you are adding.

IP address
    An accessible IP address of the FortiWAN device you are adding. This is the device IP that
    FortiWAN Manager connects to for managing the FortiWAN device, so that management messages
    can be delivered between FortiWAN Manager and that device. It is usually an IP address of a
    WAN link of the device. See the subsection Device IP for details.

IP address (fail-over)
    Another accessible IP address of the FortiWAN device you are adding. This is the redundant
    device IP that FortiWAN Manager uses in the fail-over mechanism for connecting to the FortiWAN
    device. See Redundant device IP.

    Leave this field blank if you do not apply connectivity fail-over to the FortiWAN device.

Administrator User Name
    An account that belongs to the Administrator group on the FortiWAN device you are adding. This
    account must be in the local authentication database of the managed FortiWAN (not RADIUS).
    See FortiWAN Handbook.

    When you log in to FortiWAN Manager with Administrator permission (See Authentication of Web UI
    and CLI), this account is used to authenticate to the FortiWAN device for performing the
    following actions on the FortiWAN device:

    • Ask for system information and states
    • Change account password
    • Backup and restore configurations
    • Firmware update
    • Have access to the FortiWAN's Web UI as an administrator account

    A user logged in to FortiWAN Manager with administrator permission communicates with the
    FortiWAN device via this Administrator User Name. Management actions fail if the account set
    here is not acceptable to the FortiWAN device. See the subsection Administrator User Name &
    Monitor User Name for details.

Administrator Password
    Password of the account set in Administrator User Name. The password and the corresponding
    Administrator User Name must be acceptable to the FortiWAN device, or management fails.

Monitor User Name
    An account that belongs to the Monitor group on the FortiWAN appliance you are adding. This
    account must be in the local authentication database of the managed FortiWAN (not RADIUS).
    See FortiWAN Handbook.

    When you log in to FortiWAN Manager with Monitor permission (See Authentication of Web UI and
    CLI), this account is used to authenticate to the FortiWAN device for performing the following
    actions on the FortiWAN device:

    • Ask for system information and states
    • Have access to the FortiWAN's Web UI as a monitor account

    A user logged in to FortiWAN Manager with monitor permission communicates with the FortiWAN
    device via this Monitor User Name. Management actions fail if the account set here is not
    acceptable to the FortiWAN device. See the subsection Administrator User Name & Monitor User
    Name for details.

Monitor Password
    Password of the account set in Monitor User Name. The password and the corresponding Monitor
    User Name must be acceptable to the FortiWAN device, or management fails.

Note content
    A note describing this FortiWAN device.

Group
    The group that this FortiWAN device belongs to (See Grouping the FortiWAN devices). All the
    predefined device groups (defined in Device Manager > Group) are listed in the drop-down menu
    as options. Select None if grouping is not required for this device.

Save
    Click to apply the configuration.

    After the configuration is applied, try the buttons Info and WAN on the device table to see if
    the information and states of the added device are available (see Monitoring the FortiWAN
    devices). Go to Dashboard > Device Status to check the connectivity state of devices. Make
    sure the IP address, User Name and Password set above are correct if it fails to get the
    information and states.

Make sure that the IP address, User Name and Password above are correct, or FortiWAN Manager
fails to connect to the FortiWAN device for managing. Note that FortiWAN Manager will be forced
to reboot every 5 minutes if the number of FortiWAN devices added here exceeds what the current
license supports (see Licensing).

Device table
The device table lists the information of the added devices and the actions allowed on them. The
first time you log in to FortiWAN Manager and go to Device Manager > Device, this table is empty (no
devices have been added to FortiWAN Manager). You have to register a FortiWAN device to the
FortiWAN Manager by clicking the button Add Device. Then, every time you open Device Manager >
Device, you see the added devices in the navigation tree and in the device table of the default group
All FortiWAN. Click any group in the navigation tree to display the corresponding devices in the device
table (if devices are grouped).

Device Name
    Device name of the FortiWAN. This is the field Device Name that you set for adding this device
    to FortiWAN Manager. Click the field header to sort the table by device name.

IP
    IP address(es) of the FortiWAN that FortiWAN Manager connects to. These are the fields IP
    address and IP address (fail-over) that you set for adding this device to FortiWAN Manager.
    Click the field header to sort the table by IP address.

Version
    The firmware version that the FortiWAN appliance is running.

Group
    Group that the FortiWAN belongs to. This is the field Group that you set for adding this device
    to FortiWAN Manager. Click it to edit the group (See Grouping the FortiWAN devices). Click the
    field header to sort the table by group name.

Description
    Textual description of the FortiWAN. This is the Note Content that you set for adding this
    device to FortiWAN Manager.

Action
    Info: Click to check the system information of the device. This is the System Information on
    the System > Summary page of the FortiWAN's Web UI.

    WAN: Click to check the individual WAN link state of the device. This is the WAN Link State on
    the System > Summary page of the FortiWAN's Web UI.

    Go: Click Go to automatically log in to the Web UI of the device. A new browser tab opens for
    the access; please make sure window pop-ups are not blocked by your browser. See Overview to
    the Web UI for details. If connectivity between FortiWAN Manager and the FortiWAN device is
    broken, access to the Web UI fails.

    Edit: Click to edit the configuration of the device.

    Delete: Check the checkbox and click Delete Device below the table to remove the device from
    FortiWAN Manager.

See Overview to the Web UI for details about table operations.


Grouping the FortiWAN devices

Grouping is a feature used to organize your FortiWAN devices on FortiWAN Manager. It helps you to
quickly find devices among a large number of devices and perform actions on them. Added devices can
be classified into categories by customized groups. FortiWAN Manager has a default group named All
FortiWAN which is uneditable, undeletable and invisible on the group table. All FortiWAN in the
navigation tree contains all the added FortiWAN devices no matter whether the devices belong to
customized groups or not. Go to Device Manager > Group to create and manage the groups.

Add Group
Click Add Group in the upper-left corner of the page Device Manager > Group. The setting panel for
creating a group on FortiWAN Manager is displayed in the main area of the page.

Group Name
    A unique name used to indicate the device group you are adding.

Note content
    A note describing this device group.

Save
    Click to apply the configuration.

Once a device group is added, a node named as the Group Name appears in the navigation tree (see
Web UI overview). It also becomes an option in the drop-down menu for configuring Group when
adding a FortiWAN device to FortiWAN Manager. To add a device to a group, go to Device Manager >
Device and configure Group for the device by clicking Edit on the device table (See Adding a
FortiWAN device).

Group table
Group table lists the information of every defined group and the allowed actions to the groups.

Group Name
    Name of the group. Click the field header to sort the table by group name.

Description
    Textual description of the device group.

Action
    Edit: Click to edit the configuration of the group.

    Delete: Check the checkbox and click Delete Group above the table to remove the group from
    FortiWAN Manager.

See Overview to the Web UI for details about table operations.

Monitoring the FortiWAN devices

After getting the FortiWAN devices registered to FortiWAN Manager (See Device Manager), you might
want to confirm that the connectivity between the Manager and the devices is correct. Sometimes you
might need information about the devices before taking management actions on them; for example, the
firmware version of a device is important information before a firmware update. Sometimes you may
just need to monitor the devices to see if they are running normally. FortiWAN provides the necessary
information, states and basic statistics reports of each individual FortiWAN device to complete the
device management. Note that the information and states of a device are available only when the
FortiWAN device and FortiWAN Manager are in good connectivity. Monitoring is available from:

• Device status
• System information and individual WAN link state
• Central Reports

Device Status

Go to Dashboard > Device Status. The navigation tree presents the organization of the managed
FortiWAN devices, and a table displays the WAN states and connectivity of each device.

Device Name
    Device name of the FortiWAN. This is the field Device Name that you set for adding this device
    to FortiWAN Manager. Click the field header to sort the table by device name.

IP
    IP address(es) of the FortiWAN that FortiWAN Manager connects to. These are the fields IP
    address and IP address (fail-over) that you set for adding this device to FortiWAN Manager.
    Click the field header to sort the table by IP address.

Version
    The firmware version that the FortiWAN appliance is running.

Config Backup
    The results of the scheduled config backup operations on the FortiWAN appliance (see Scheduled
    configuration backup).

    If any of the backup operations succeeds, this field displays the time of the last successful
    backup; at the same time, if any of the backup operations fails, this field displays the time
    of the last failed backup and the error message. For example, it displays "2017-05-08 15:00
    Completed 2017-03-29 10:00 Fail (Could not resolve host)".

    This field is available only when a scheduled config backup is enabled.

Group
    Group that the FortiWAN belongs to. This is the field Group that you set for adding this device
    to FortiWAN Manager. Click the field header to sort the table by group name.

Description
    Textual description of the FortiWAN. This is the field Note Content that you set for adding
    this device to FortiWAN Manager.

Time Zone
    The time zone in which the FortiWAN appliance is located.

HA
    Indicates whether the FortiWAN appliance is deployed in HA mode.

WAN
    The number of enabled and alive WAN links on the FortiWAN device. It is presented in the format
    "alive / enabled". An enabled WAN link on FortiWAN is a configured and activated WAN link.
    Connectivity of an enabled WAN link might be alive (connected) or failed (disconnected). See
    FortiWAN Handbook for details.

    This field displays how many WAN links are enabled on the FortiWAN and how many of them are
    alive. FortiWAN Manager fails to get the states if connectivity to the device is broken; N/A is
    shown for the failure.

    Click the field header to sort the table by the number of alive WAN links.

    If you need a state list of the individual WAN links on the FortiWAN, go to Device Manager >
    Device (see System information and individual WAN link state).

Connectivity
    The current connectivity between FortiWAN Manager and the FortiWAN device, which is represented
    by a color code:

    • Green: The connectivity is good. Monitoring and management operations to the device are
      available.
    • Red: The connection is broken. Monitoring and management operations to the device are
      unavailable. This only means a loss of contact, not a system problem. It might be caused by a
      WAN link failure. Please make sure the IP address of the device used to connect for managing
      (the IP field in the table) is accessible, or replace the Device IP of the device in Device
      Manager > Device with an accessible IP (see Adding a FortiWAN device).

    Click the field header to sort the table by the status.

Action
    Click Go to automatically log in to the Web UI of the device. A new browser tab opens for the
    access; please make sure window pop-ups are not blocked by your browser. See Overview to the
    Web UI for details.

    If connectivity between FortiWAN Manager and the FortiWAN device is broken, access to the Web
    UI fails.

See Overview to the Web UI for details about table operations.



System information and individual WAN link state

You can have the system information of a FortiWAN device from tables in Device Manager > Device,
Config > Config Backup/Restore, and Firmware > Firmware Update by clicking the button Info.

System information of a FortiWAN device

Version The firmware version of the FortiWAN device.

Model / Max Bandwidth The model of the FortiWAN device and the bandwidth capability that the
(Total RAM) model supports. For a deployment of FortiWAN-VM, the Total RAM is
displayed here rather than Max Bandwidth.

Serial Number The serial number of the FortiWAN device.

Uptime The time the FortiWAN device has been up and running since the latest
boot.

Connections The number of connections that the FortiWAN device is processing.

CPU Usage % The CPU usage of the FortiWAN device in percentage.

Packets/ Second The number of packets that the FortiWAN device is processing per
second.

VRRP State The state of VRRP (Virtual Router Redundancy Protocol) on the
FortiWAN device - Enabled or Disabled.

Hard Disk The Hard Disk usage of the FortiWAN device in the format
"consumed space/total space". Once the disk space is used up,
FortiWAN's Reports will fail to continue log processing.

License Status This field is visible only when the model of the FortiWAN device is
FortiWAN-VM. This field displays the status of a FortiWAN-VM
license as follows:

• Trial License is in use. (Expire in x days x hours x mins): This is a trial
or evaluation license.
• Valid: This is a permanent license.
• Expired: This license is expired. Click the Update button and upload your
FortiWAN-VM license file to update your FortiWAN-VM appliance.
You can request an evaluation or trial license from Fortinet Customer
Support, or you can purchase a permanent license from your Fortinet
channel partner.

Peer information The peer information (see below) is available only when this FortiWAN
appliance is deployed in HA mode. In Dashboard > Device Status, the
HA field indicates whether it is.

Version The firmware version of the slave unit.


Model The model of the slave unit.

Serial Number The serial number of the slave unit.

Uptime The time the slave unit has been up and running since the latest boot.

State The state of the slave unit:

• Slave: the peer unit is running normally as a slave.
• Booting: the peer unit is booting.
• Panic: a system panic happened on the peer unit.
• None: the peer unit is lost (power-off or Ethernet cable disconnected).
• Incompatible: the firmware versions, FortiWAN models or
throughput licenses of the two HA units are not the same.

WAN link state of a FortiWAN device


You can view the WAN link state of a FortiWAN device (the state of every single WAN link) by clicking
the WAN button in the table in Device Manager > Device. The WAN Link State panel displays the state
of each of the FortiWAN's WAN links. The number of WAN links displayed here varies depending on the model
of the FortiWAN device. FortiWAN 200B, for example, supports a maximum of 25 WAN link connections.
Each WAN link is color-coded to indicate its state.

OK (Green) The WAN link is configured, enabled and connected for data
transmission.

Backup Line (Blue) The WAN link is set as a backup line.

Failed (Red) The WAN link is configured and enabled, but disconnected.

Disabled (Black) The WAN link is not active (whether configured or not).


Central Reports

Reports is the monitoring and traffic pattern analysis tool built in FortiWAN appliances for instant status
of WAN connections and traffic statistics analysis. MIS personnel can perform more detailed analysis of
the data to gain insight into user traffic patterns for better network design and management policy
definition. For long-term or trend analysis, Reports is an online companion tool that greatly simplifies
the analysis of the data. See FortiWAN Handbook for details.

FortiWAN Manager's Central Reports collects the basic report data from each of the managed
FortiWAN appliances and displays it centrally, so that you can easily get an overview of the reports
without logging in to each FortiWAN one by one. The basic reports that FortiWAN Manager Central Reports
provides are:

• Bandwidth report
• CPU report
• Session report
• WAN Status report

Defining the data range


In the upper-right corner of each central report page there is a data range definer. Clicking the definer
displays a date specifier (the Date field) as follows:

When you click the Date field, a calendar pops up for specifying the date whose report data you want
to display.

After you select a date from the calendar, click the Apply button and the corresponding reports of the
managed FortiWAN appliances will be displayed.

Bandwidth report
The Bandwidth report shows the traffic distribution of each managed FortiWAN appliance by the date
range defined. This report will help you determine if you are using the correct FortiWAN model and
bandwidth capability for the data volumes at the site.

The steps to see the specified bandwidth reports of FortiWAN appliances are:

1. Go to Central Reports > Bandwidth.
2. Select a device group from the navigation tree to list all the devices of the group.
3. Specify a day (see Defining the data range).

The fields of a FortiWAN appliance in the device table are as follows:

Fields Description

Device Name Device name of the FortiWAN. This is the field Device Name that you set for adding
this device to FortiWAN Manager. Click the field header to sort the table by device
name.

IP IP address(es) of the FortiWAN that FortiWAN Manager connects to. This is the IP
address and IP address (fail-over) fields that you set for adding this device to
FortiWAN Manager. Click the field header to sort the table by IP address.

Bandwidth The traffic distribution of the FortiWAN appliance over the specified date. See
Bandwidth distribution for the details about the statistics chart.

Connectivity The current connectivity between FortiWAN Manager and the FortiWAN
device, which is represented by the color-code:

• Green: The connectivity is good. Monitoring and management operations to the
device are available.
• Red: The connection is broken. Monitoring and management operations to the
device are unavailable. This only means a loss of contact, not a system problem.
It might be caused by a WAN link failure. Please make sure the IP address of the
device used to connect for managing (the IP field in the table) is actually
accessible, or replace the Device IP of the device in Device Manager >
Device with an accessible IP (see Adding a FortiWAN device).

This is the current connectivity; it is not related to the specified report date.

Click the field header to sort the table by the status.

Action If you are interested in the details of this report, you can check this report on the
FortiWAN further by clicking Go. A new browser tab opens for the access;
please make sure pop-up windows are not blocked by your browser. See
Overview to the Web UI for details.

If connectivity between FortiWAN Manager and the FortiWAN device is broken,
access to the Web UI fails.

Bandwidth distribution
The bandwidth distribution chart consists of the following items:

Fields Description

X axis Time between 00:00 to 23:59.

Y axis Bandwidth in Kbps or Mbps.

Green line Distribution of inbound data rate.

Blue line Distribution of outbound data rate.

Moving the mouse over the statistics lines pops up a panel that contains the time, date and corresponding
traffic at that time point (as shown below):

CPU report
The CPU report shows the distribution of CPU usage of each managed FortiWAN appliance by the date
range defined. CPU usage is a measure of how much traffic is being managed or how many services
the FortiWAN is required to perform on that traffic. Sustained usage near 80% is a good indicator that a
larger FortiWAN model is required to handle the required traffic and services load. Use this chart to
compare your target maximum usage with the actual usage over time.

The steps to see the specified CPU reports of FortiWAN appliances are:

1. Go to Central Reports > CPU.
2. Select a device group from the navigation tree to list all the devices of the group.
3. Specify a day (see Defining the data range).

The fields of a FortiWAN appliance in the device table are as follows:

Fields Description

Device Name Device name of the FortiWAN. This is the field Device Name that you set for adding
this device to FortiWAN Manager. Click the field header to sort the table by device
name.

IP IP address(es) of the FortiWAN that FortiWAN Manager connects to. This is the IP
address and IP address (fail-over) fields that you set for adding this device to
FortiWAN Manager. Click the field header to sort the table by IP address.

CPU The CPU usage distribution of the FortiWAN appliance over the specified date. See
CPU usage distribution for the details about the statistics chart.

Connectivity The current connectivity between FortiWAN Manager and the FortiWAN
device, which is represented by the color-code:

• Green: The connectivity is good. Monitoring and management operations to the
device are available.
• Red: The connection is broken. Monitoring and management operations to the
device are unavailable. This only means a loss of contact, not a system problem.
It might be caused by a WAN link failure. Please make sure the IP address of the
device used to connect for managing (the IP field in the table) is actually
accessible, or replace the Device IP of the device in Device Manager >
Device with an accessible IP (see Adding a FortiWAN device).

This is the current connectivity; it is not related to the specified report date.

Click the field header to sort the table by the status.



Action If you are interested in the details of this report, you can check this report on the
FortiWAN further by clicking Go. A new browser tab opens for the access;
please make sure pop-up windows are not blocked by your browser. See
Overview to the Web UI for details.

If connectivity between FortiWAN Manager and the FortiWAN device is broken,
access to the Web UI fails.

CPU usage distribution


The CPU usage distribution chart consists of the following items:

Fields Description

X axis Time between 00:00 to 23:59.

Y axis CPU usage in %.

Yellow line Distribution of CPU usage.

Moving the mouse over the statistics lines pops up a panel that contains the time, date and corresponding
CPU usage at that time point (as shown below):

Session report
The Session report shows the distribution of number of established sessions (connections) on each
managed FortiWAN appliance by the date range defined. Your FortiWAN model is rated by the number
of simultaneous connections it can process (among other things as noted above). This report will help
you determine if you are using the correct FortiWAN model for the number of connections in use by your
users.

The steps to see the specified session reports of FortiWAN appliances are:

1. Go to Central Reports > Session.
2. Select a device group from the navigation tree to list all the devices of the group.
3. Specify a day (see Defining the data range).

The fields of a FortiWAN appliance in the device table are as follows:

Fields Description

Device Name Device name of the FortiWAN. This is the field Device Name that you set for adding
this device to FortiWAN Manager. Click the field header to sort the table by device
name.

IP IP address(es) of the FortiWAN that FortiWAN Manager connects to. This is the IP
address and IP address (fail-over) fields that you set for adding this device to
FortiWAN Manager. Click the field header to sort the table by IP address.

Session The session quantity distribution of the FortiWAN appliance over the specified date.
See Session quantity distribution for the details about the statistics chart.

Connectivity The current connectivity between FortiWAN Manager and the FortiWAN
device, which is represented by the color-code:

• Green: The connectivity is good. Monitoring and management operations to the
device are available.
• Red: The connection is broken. Monitoring and management operations to the
device are unavailable. This only means a loss of contact, not a system problem.
It might be caused by a WAN link failure. Please make sure the IP address of the
device used to connect for managing (the IP field in the table) is actually
accessible, or replace the Device IP of the device in Device Manager >
Device with an accessible IP (see Adding a FortiWAN device).

This is the current connectivity; it is not related to the specified report date.

Click the field header to sort the table by the status.

Action If you are interested in the details of this report, you can check this report on the
FortiWAN further by clicking Go. A new browser tab opens for the access;
please make sure pop-up windows are not blocked by your browser. See
Overview to the Web UI for details.

If connectivity between FortiWAN Manager and the FortiWAN device is broken,
access to the Web UI fails.

Session quantity distribution


The session quantity distribution chart consists of the following items:

Fields Description

X axis Time between 00:00 to 23:59.

Y axis Number of sessions in 1s, 10s, 100s or 1,000s (the measure varies according to the
real number).

Blue line Distribution of session quantity.

Moving the mouse over the statistics lines pops up a panel that contains the time, date and corresponding
session quantity at that time point (as shown below):

WAN Status report
The WAN Status report shows how the health status of the WAN links of the managed FortiWAN
appliances varied over the date range defined. The possible statuses are:

• OK: The WAN link is enabled, well-configured and connected correctly.
• Fail: The WAN link is enabled and well-configured, but disconnected.
• Disable: The WAN link is not enabled from the FortiWAN Web UI.

This report shows when and how many times failures happened on a WAN link, so that you can
drill into this FortiWAN to figure out the problem. See FortiWAN Handbook for the details about the
WAN links.

The steps to see the specified WAN Status reports of FortiWAN appliances are:

1. Go to Central Reports > WAN Status.
2. Select a device group from the navigation tree to list all the devices of the group.
3. Specify a day (see Defining the data range).

The fields of a FortiWAN appliance in the device table are as follows:

Fields Description

Device Name Device name of the FortiWAN. This is the field Device Name that you set for adding
this device to FortiWAN Manager. Click the field header to sort the table by device
name.

IP IP address(es) of the FortiWAN that FortiWAN Manager connects to. This is the IP
address and IP address (fail-over) fields that you set for adding this device to
FortiWAN Manager. Click the field header to sort the table by IP address.

WAN Status The status variety of WAN links health of the FortiWAN appliance over the specified
date. See Status variety of WAN link health for the details about the statistics chart.

Connectivity The current connectivity between FortiWAN Manager and the FortiWAN
device, which is represented by the color-code:

• Green: The connectivity is good. Monitoring and management operations to the
device are available.
• Red: The connection is broken. Monitoring and management operations to the
device are unavailable. This only means a loss of contact, not a system problem.
It might be caused by a WAN link failure. Please make sure the IP address of the
device used to connect for managing (the IP field in the table) is actually
accessible, or replace the Device IP of the device in Device Manager >
Device with an accessible IP (see Adding a FortiWAN device).

This is the current connectivity; it is not related to the specified report date.

Click the field header to sort the table by the status.

Action If you are interested in the details of this report, you can check this report on the
FortiWAN further by clicking Go. A new browser tab opens for the access;
please make sure pop-up windows are not blocked by your browser. See
Overview to the Web UI for details.

If connectivity between FortiWAN Manager and the FortiWAN device is broken,
access to the Web UI fails.

Status variety of WAN link health
The status variety chart consists of the following items:

Fields Description

Hour 24 hours in a day. 0 indicates 00:00~00:59, 1 indicates 01:00~01:59, 2 indicates
02:00~02:59 and so on.

WAN links A WAN link that is currently enabled or was once enabled will be listed as WAN#,
such as WAN1, WAN2 and WAN3.

Status The status is represented by the following color codes:

• Green: If a time period is marked green, no failures happened during
the period and the last status (for past hours) or the current status (for the
current hour) of the WAN link is OK (switches between OK and Disabled may
have happened).
• Red (without a number): If a time period is marked red without a number,
the WAN link remained Failed for the entire period (no status
changes). It was never OK or Disabled during the period.
• Red (with a number): The status changed several times (the number) in
the time period. If a time period is marked red with a number, the WAN link
failed several times in the period (the number indicates how many times).
It does not indicate the last status (for past hours) or the current
status (for the current hour): the status changed several times in the period,
and the last or current status might be Disabled, OK or Failed.
• Gray: If a time period is marked gray, no failures happened
during the period and the last status (for past hours) or the current status
(for the current hour) of the WAN link is Disabled (switches between
OK and Disabled may have happened).

During a time period, once a failure has happened the period remains red no matter
what the last or current status is. If no failure happened, the period is marked
according to the last or current status.

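The color rules above, written out as a small classifier over a link's status changes. This is an added example, not FortiWAN Manager code: the function names, the event-list input and the sample events are constructed, and counting the number as distinct Failed episodes overlapping the hour is an assumption, since the handbook only says the number indicates how many times the link failed.

```python
from datetime import datetime, timedelta

OK, FAILED, DISABLED = "OK", "Failed", "Disabled"


def classify_hour(state_at_start, changes):
    """Return (color, number) for one hour cell of one WAN link.

    state_at_start: status the link had when the hour began.
    changes: statuses the link switched to during the hour, in order.
    """
    states = [state_at_start]
    for status in changes:
        if status != states[-1]:          # ignore repeated reports of the same status
            states.append(status)
    if FAILED not in states:
        # No failure in the period: color follows the last (or current) status.
        return ("green" if states[-1] == OK else "gray", None)
    if len(states) == 1:
        # Failed for the entire period with no status change: red, no number.
        return ("red", None)
    # Assumption: the number is the count of distinct Failed episodes that
    # overlap the hour, including one carried in from the previous hour.
    episodes = sum(
        1 for prev, cur in zip([None] + states, states)
        if cur == FAILED and prev != FAILED
    )
    return ("red", episodes)


def daily_chart(day, initial_state, events, now=None):
    """Build the 24 hour cells for one link.

    events: time-sorted (datetime, status) changes on `day`.
    now: if given, hours that have not started yet are returned as None.
    """
    cells, state, i = [], initial_state, 0
    for hour in range(24):
        start = day + timedelta(hours=hour)
        end = start + timedelta(hours=1)
        if now is not None and start > now:
            cells.append(None)
            continue
        changes = []
        while i < len(events) and events[i][0] < end:
            changes.append(events[i][1])
            i += 1
        cells.append(classify_hour(state, changes))
        if changes:
            state = changes[-1]
    return cells


def render_row(cells):
    """Text form of a chart row: G green, - gray, R red (with count), . future."""
    symbols = {"green": "G", "gray": "-", "red": "R"}
    return " ".join(
        "." if cell is None else symbols[cell[0]] + (str(cell[1]) if cell[1] else "")
        for cell in cells
    )


# Constructed sample: status changes of WAN1 on one day, viewed at 11:30.
DAY = datetime(2017, 5, 12)
SAMPLE_EVENTS = [
    (DAY.replace(hour=2, minute=10), FAILED),
    (DAY.replace(hour=2, minute=20), OK),
    (DAY.replace(hour=2, minute=40), FAILED),
    (DAY.replace(hour=2, minute=50), OK),
    (DAY.replace(hour=5, minute=30), FAILED),    # stays Failed through hour 6
    (DAY.replace(hour=7, minute=15), OK),
    (DAY.replace(hour=9, minute=0), DISABLED),
    (DAY.replace(hour=11, minute=5), OK),
]


def sample_row():
    cells = daily_chart(DAY, OK, SAMPLE_EVENTS, now=DAY.replace(hour=11, minute=30))
    return render_row(cells)


if __name__ == "__main__":
    print(sample_row())
```

Hour 7 in the sample is red even though the link ends the hour OK, which is the "once a failure happened the period will remain red" rule; hour 11 is green although the link was Disabled for part of it.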
Managing configurations of FortiWAN

A configuration file contains the settings of every FortiWAN function. Periodic configuration backups
can save your system from mistakes by letting you roll back to a previous checkpoint. Configuration
management is one of the important and general jobs for administrators. An administrator can manage
(back up and restore) the configurations of a FortiWAN through its Web UI, but FortiWAN Manager
gives a platform to centrally manage the configurations of multiple FortiWAN devices at the same time.
A configuration backup can be restored to multiple FortiWANs, which saves the time of manually
configuring devices one by one. See the following sections for details:

• Configuration Management
• Configuration backup
• Configuration Restore
• Scheduled configuration backup

Configuration backup

To back up a configuration, FortiWAN Manager downloads the configuration file of a
FortiWAN device and saves it on FortiWAN Manager's hard disk. You can check and take actions on these
configuration files through FortiWAN Manager. To run an immediate configuration backup or create a
scheduled configuration backup, go to Config > Config Backup/Restore.

Select FortiWAN to backup configuration


Select a device group from the navigation tree and, in the table, specify the devices from which you
would like to perform the immediate or automatic configuration backup.

Device Name Device name of the FortiWAN. This is the field Device Name that you set
for adding this device to FortiWAN Manager. Click the field header to sort
the table by device name.

IP Address IP address(es) of the FortiWAN that FortiWAN Manager connects to. This
is the fields IP address and IP address (fail-over) that you set for adding
this device to FortiWAN Manager. Click the field header to sort the table by
IP address.

Action Two actions are available to take on the device, Info and Export.

• Info: click to display system information of the FortiWAN device (see
System information and individual WAN link state).
• Export: click to export the configuration file from the FortiWAN to your
local computer. Exporting is different from configuration backup
(backup saves configuration files on FortiWAN Manager's hard disk).
The instant status of the export process is displayed in the
Status field of the table.

Backup / Restore Check (uncheck) the check-box to select (unselect) the FortiWAN device
that you want to perform configuration backup from/restore to.

Status The status of the backup or restore process.

Backup config ok: configuration of the FortiWAN has been
downloaded to FortiWAN Manager's hard disk. To check the
configuration out, go to Config > Config Management (see
Configuration Management).

Restore config ok: configuration has been restored to the FortiWAN
devices.

Save config ok: configuration of the FortiWAN has been exported to
your local computer from the FortiWAN device.

Backup Device Config (button) Backup Device Config is located on the left side below the device table.
Click the button to open the Backup Device Config panel for saving the
configurations of the selected FortiWAN devices to FortiWAN Manager's
hard disk.

Restore Device Config (button) Restore Device Config is located on the left side below the device table.
Click the button to open the Restore Device Config panel for restoring a
configuration existing on FortiWAN Manager's hard disk or your local
computer to the selected FortiWAN devices (see Configuration Restore).

Click a group on the navigation tree (to display all the FortiWAN devices of the group on the table) and
check the check-box in the field header Backup/Restore (to select all the devices) on the table if you
would like to backup the configurations of all the devices in the group.

See Overview to the Web UI for details about table operations.

Settings for configuration backup


After you select the FortiWAN devices from the device table and click Backup Device Config, a setting
panel is displayed for specifying the textual description of the configuration backups.

Device Name All the FortiWAN devices selected in the device table above are listed
here. Configuration files of the selected devices will be saved on
FortiWAN Manager's hard disk. You can unselect a device here by clicking
the cross symbol of the device. Note that the operation specified below will be
applied to all the devices here at the same time.

Description The textual description for the configurations downloaded from the
selected FortiWAN devices. Note that if multiple devices are selected, this
description will be applied to each of the configurations.

Schedule Specify whether to have this configuration backup performed
automatically and periodically at a specified time.

• None: do not add this configuration backup to a schedule.
• Daily: have the configuration backup performed automatically at
a specified time every day.
• Weekly: have the configuration backup performed automatically
at a specified time and day every week.
• Monthly: have the configuration backup performed automatically
at a specified time and day every month.

Time Type Specify the time zone used for the scheduled backup. If the
managed FortiWAN appliances are deployed in different time zones
from where the FortiWAN Manager is located, you might need to
schedule the automatic backups based on the local time of each FortiWAN
appliance.

• FWNMGR Time: the Day and Time you specify below are based
on the local time of the FortiWAN Manager.
• Device Time: the Day and Time you specify below are based on
the local time of the FortiWAN appliance.

Day Select a date for the scheduled configuration backup. This is available
only when Schedule is Weekly or Monthly.

Time Select a time for the scheduled configuration backup. This is available
only when Schedule is Daily, Weekly or Monthly.

Delete old scheduled config Specify whether to overwrite the current configuration file (stored on
the FortiWAN Manager) that came from the last scheduled configuration
backup each time the scheduled configuration backup is
performed on the same FortiWAN devices. For example, if an
automatic configuration backup is performed daily on units
FortiWAN-A and FortiWAN-B and this feature is enabled, the
configuration files of the two units backed up on the FortiWAN
Manager today will be deleted when the same backup is performed
tomorrow.

All the configuration files that came from the same scheduled
configuration backup will be kept on the FortiWAN Manager if this
feature is disabled.

The configuration files that came from any single manual
(immediate) backup are not counted here. For example, if a backup
is manually performed on unit FortiWAN-A outside the scheduled
backup above, this backup configuration file of FortiWAN-A will not
be deleted when the scheduled backup is performed next time.

Backup Device Config Click to immediately backup configurations of the selected FortiWANs.
Instant status of the process downloading configurations is displayed in
the field Status of the device table above. "Backup config ok" will be
shown if FortiWAN Manager completes the configuration backup. To
check out the downloaded configuration backup, go to Config > Config
Management (See Configuration Management). A configuration backup
is named automatically by system with the device name and a time
stamp. Configuration backup fails if FortiWAN Manager is running at 95%
disk usage.
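The retention behavior of "Delete old scheduled config" and the 95% disk-usage failure, modeled as an added example that is not FortiWAN Manager code. The class and function names, the schedule identifier, the file-name format and the sample dates are constructed; treating "running at 95%" as 95% or more, and deleting the old file only after the new backup succeeds, are assumptions the handbook does not state.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

DISK_LIMIT_PERCENT = 95  # handbook: backup fails when the manager runs at 95% disk usage


@dataclass(frozen=True)
class BackupFile:
    name: str          # constructed format: <device>_<YYYYMMDD-HHMM>
    device: str
    schedule_id: str   # "" for a manual (immediate) backup
    taken: datetime


@dataclass
class ConfigStore:
    """Toy model of the configuration files kept on the manager's hard disk."""
    known_devices: set
    disk_usage_percent: float = 10.0
    files: list = field(default_factory=list)

    def _save(self, device, when, schedule_id):
        if self.disk_usage_percent >= DISK_LIMIT_PERCENT:   # assumption: >= 95
            return None
        saved = BackupFile(f"{device}_{when:%Y%m%d-%H%M}", device, schedule_id, when)
        self.files.append(saved)
        return saved

    def manual_backup(self, device, when):
        # Manual backups carry no schedule id, so no schedule ever deletes them.
        return self._save(device, when, "")

    def run_schedule(self, schedule_id, devices, when, delete_old):
        """Run one scheduled backup; return the per-device status strings."""
        status = {}
        for device in devices:
            if device not in self.known_devices:
                status[device] = "Does Not Exist"
                continue
            # Only files from this same schedule and device are candidates.
            old = [f for f in self.files
                   if f.schedule_id == schedule_id and f.device == device]
            if self._save(device, when, schedule_id) is None:
                status[device] = "Failed"       # old files stay (assumption)
                continue
            if delete_old:
                self.files = [f for f in self.files if f not in old]
            status[device] = "Complete"
        return status


def simulate(delete_old):
    """Three daily runs for FortiWAN-A and FortiWAN-B plus one manual backup of A."""
    store = ConfigStore(known_devices={"FortiWAN-A", "FortiWAN-B"})
    first_run = datetime(2017, 5, 10, 2, 0)
    for n in range(3):
        when = first_run + timedelta(days=n)
        store.run_schedule("daily-0200", ["FortiWAN-A", "FortiWAN-B"], when, delete_old)
        if n == 0:
            store.manual_backup("FortiWAN-A", when + timedelta(hours=7))
    return store


if __name__ == "__main__":
    for flag in (True, False):
        names = sorted(f.name for f in simulate(flag).files)
        print(f"delete_old={flag}: {len(names)} files")
        for name in names:
            print("  ", name)
```

With the option enabled, only the latest scheduled file per device plus the manual backup remain; with it disabled, every run accumulates, which is what eventually pushes the disk toward the 95% limit.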

Configuration Export
Rather than storing the configuration backups in FortiWAN Manager, you might sometimes need to have the
backups saved on your local computer. You can export the configuration file from a
FortiWAN device to your local computer directly, or export configuration files that have already been
saved in FortiWAN Manager to the local computer.

Here are the ways to export a configuration to a local computer:

• To export from a FortiWAN device, go to Config > Config Backup/Restore and click the Export button
corresponding to the FortiWAN device in the device table (see Configuration backup).
• To export from FortiWAN Manager, go to Config > Config Management and click the Export button
corresponding to the configuration file in the configuration table (see Configuration Management).


Configuration Management

A platform is provided to manage the configuration backups stored in FortiWAN Manager.
As described previously, FortiWAN's configuration backups are stored on FortiWAN Manager's hard
disk (see Configuration backup). Moreover, you can upload a configuration file from a local computer to
FortiWAN Manager, so that the configuration file becomes manageable by FortiWAN Manager.
Information on all the saved configuration backups is available from a configuration table, and you can
take management actions on them.

The ways to have a configuration file stored on FortiWAN Manager:

• Perform a configuration backup of a FortiWAN device to download the configuration file to FortiWAN
Manager (see Configuration backup).
• Upload a configuration file from a local computer to FortiWAN Manager.

Add configuration file


To upload a configuration file of a FortiWAN device to FortiWAN Manager from a local computer, go to
Config > Config Management and click Add Config File in the upper-left corner. The setting panel
for adding a configuration file to FortiWAN Manager is displayed in the main area of the page.

Device Name Specify the FortiWAN device that the configuration file belongs to. The
drop-down menu lists all the added FortiWAN devices for selecting (see
Adding a FortiWAN device).
Description The textual description for the configuration file.

Upload Config File Click Browser to select the configuration file from the local computer.

Save Click to start uploading the configuration file. The uploaded configuration
file will be listed in the configuration table below. Configuration
uploading fails if FortiWAN Manager is running at 95% disk
usage.

Configuration table
Configuration table lists the information of configuration files stored in FortiWAN Manager and the
allowed actions to the configurations. Configuration files listed here are downloaded directly from
FortiWAN devices or uploaded from local computers.

Device Name FortiWAN device name that the configuration file belongs to. Click the
field header to sort the table by device name.

Version Firmware version that the FortiWAN is running the configuration on.
Click the field header on the table to sort the table by version.

Config name File name of the configuration. If the configuration file came from a
configuration backup (see Configuration backup), it is named
automatically by system with the device name and a time stamp. If the
configuration file was uploaded from a local computer, it could be any
name that it originally was. Click the field header on the table to sort the
table by config name.

Description The textual description of this configuration.

Backup Date The date and time when a configuration file was saved in FortiWAN
Manager.

• For a configuration backup, it is the time when the configuration was
downloaded from a FortiWAN device to FortiWAN Manager.
• For an uploaded configuration, it is the time when the file was uploaded from
a local computer to FortiWAN Manager; not the time when it was
downloaded from a FortiWAN device.

Action Export Click to export the configuration file from FortiWAN Manager to your local
computer.

Show Click to open a new browser tab to display the configuration in a readable
format.

Edit Click to edit the description of the configuration file. Note that the Device Name,
Version, Config Name and Backup Date of a configuration are not editable.

Delete Check the checkbox and click the Delete Config File above the table to
remove the configuration file from FortiWAN Manager.

See Overview to the Web UI for details about table operations.



Configuration Restore

Through FortiWAN Manager, a configuration can be restored back to one or multiple FortiWAN devices.
You can restore a configuration file that is stored in FortiWAN Manager or a local computer to FortiWAN
devices.

To restore a configuration to FortiWAN device(s), go to Config > Config Backup/Restore. Select the
FortiWAN device(s) that you want to restore a configuration file to by checking the check-box of the
Backup/Restore field in the device table, then click Restore Device Config below the device table (see
Configuration backup). A setting panel is then displayed. If you would like to restore the configuration to
all the devices in a group, click the group on the navigation tree (to display all the FortiWAN devices
of the group in the table) and check the check-box in the field header Backup/Restore (to select all
the devices).

Setting panel - Restore Device Config

Device Name All the selected FortiWAN devices in the device table are listed here. You
can unselect a device here by clicking the cross symbol of the device.

Config File Click Browser to select a configuration file from local computer to be
restored to the selected devices above.

Config File from FWNMGR The drop-down menu lists all the configuration files stored in FortiWAN
Manager. Select one of them to be restored to the selected devices
above.

Restore Device Config Click to restore the selected configuration file to the selected
FortiWANs. The instant status of the restore process
is displayed in the Status field of the config table. "Restore config ok"
will be shown if FortiWAN Manager completes the configuration
restore.

FortiWAN reboots automatically after the configuration is restored.

FortiWAN's configuration is compatible with different firmware
versions. However, in case of system reboot failure, reset FortiWAN
to factory default via CLI (see FortiWAN Handbook).


Scheduled configuration backup

You can create a schedule for FortiWAN Manager to automatically and periodically back up
configurations from one or a batch of FortiWAN devices at the specified time.

To create a scheduled configuration backup, here are the steps:

1. Go to Config > Config Backup/Restore.
2. From the device table, select the FortiWAN devices on which the scheduled configuration backup will be
performed (see Select FortiWAN to backup configuration).
3. Click Backup Device Config to specify a scheduling time for the backup (see Settings for configuration
backup).
4. The created schedule will be listed in Config > Config Schedule.

To manage and check the created scheduled configuration backups, go to Config > Config
Schedule.

Schedule Displays the time at which the scheduled configuration backup will be
performed.

Time Type Indicates whether the schedule is based on the local time of
FortiWAN Manager or of the FortiWAN appliance. See Settings for configuration
backup for details.

Device Name Displays the FortiWAN devices on which the scheduled configuration backup
will be performed.

Delete old scheduled config Displays whether each run of the scheduled configuration backup
overwrites the configuration file (stored on FortiWAN Manager) that came from the
previous scheduled configuration backup of the same FortiWAN devices.

Description Displays the description of the scheduled configuration backup.

Status Displays the status of the last scheduled configuration backup.

Pending: the time has not yet come to run the first automatic
configuration backup.

YYYY-MM-DD HH:MM backup: the time when the last
configuration backup was performed.

[Device Name:] + Complete: the scheduled task was performed
and the configuration was successfully backed up from the
FortiWAN device.

[Device Name:] + Failed: the scheduled task was
performed, but the backup failed.

[Device Name:] + Does Not Exist: the scheduled task was
performed, but the target FortiWAN device is lost.

Action Click to edit the scheduled configuration backup. You can remove
devices from the task, edit the description and enable/disable the
overwriting feature. The schedule time cannot be changed, and
devices cannot be added to the task.

Delete Check and click Delete Schedule (on the upper-left corner) to remove
the scheduled configuration backup.



Managing firmware update for FortiWAN

Instead of updating firmware on multiple FortiWANs one by one through each device's Web UI, you can
use FortiWAN Manager as one platform to perform these updates centrally at the same time. The management
system gives clear information about FortiWAN devices and firmware files, which is helpful and
time-saving when applying a firmware upgrade to many FortiWAN devices. To update a FortiWAN with a
firmware file through FortiWAN Manager, the file must first be stored on FortiWAN Manager.
FortiWAN Manager delivers the firmware file to the remote device and triggers the update process on it.
For FortiWAN devices deployed in HA mode, although the slave unit is invisible to FortiWAN Manager,
firmware update can be applied to both the master and slave units. FortiWAN Manager delivers the firmware
file to the master unit only, and the master unit takes care of updating the slave unit (see FortiWAN
Handbook).

See the following sections for details:

• Firmware management
• Firmware update
• Scheduled firmware update

Firmware management

Go to Firmware > Firmware Manager on the FortiWAN Manager Web UI. As discussed previously, a
firmware file must be stored in FortiWAN Manager before it can be used to update FortiWAN devices (see
Managing firmware update for FortiWAN). This page is the platform used to upload and manage the
firmware files. To add a firmware file to FortiWAN Manager, click Add Firmware File in the top-left
corner of the page.

Add firmware file

Version Enter the version of the firmware file.

Model Enter the FortiWAN model that the firmware file belongs to.

Description Enter the textual description for the firmware file.

Upload Firmware File Click Browser to select a firmware file to upload to FortiWAN Manager.

Save Click to start uploading the firmware file to FortiWAN Manager. The
uploaded firmware file will be listed in the firmware table below.
Firmware uploading fails if FortiWAN Manager is running at 95%
disk usage.

Firmware table
The firmware table in the page lists all the firmware files stored in FortiWAN Manager.

Firmware name File name of the firmware.

Version Version of the firmware.

Model FortiWAN model that the firmware belongs to.

Description Textual description for the firmware.

File Size File size of the firmware.

Upload Date Date that the firmware is uploaded on.

Action Click Edit to open an edit panel. Version, model and description are
editable for the firmware. Others are not editable.

Delete Check the checkbox and click Delete Firmware File above the table to
remove the firmware file from FortiWAN Manager.

See Overview to the Web UI for details about table operations.



Firmware update

Go to Firmware > Firmware Update. The page displays a device table listing the FortiWAN devices that
FortiWAN Manager is managing. You can either perform an immediate firmware update or schedule an
automatic update.

Select FortiWAN devices to update firmware


Select a device group from the navigation tree, then select from the table the devices on which you
would like to perform the immediate or automatic firmware update.

Device name Device name of the FortiWAN. This is the field Device Name that you
set for adding this device to FortiWAN Manager. Click the field header
to sort the table by device name.

IP address IP address(es) of the FortiWAN that FortiWAN Manager connects to.
These are the fields IP address and IP address (fail-over) that you set
for adding this device to FortiWAN Manager. Click the field header to
sort the table by IP address.

Version Current firmware version that the FortiWAN device is running. This is
the same as the Version displayed in Device information.

Device information Click the button Info to display system information of the FortiWAN
device (See System information and individual WAN link state).

Update Check (uncheck) to select (unselect) the FortiWAN device that you
want to perform firmware update to.

Status The process status of an immediate firmware update on the
FortiWAN device.

Update Device Firmware (button) The button is located below the device table. Click the button to open
the setting panel for an immediate firmware update.

Update Device Firmware on Schedule (button) The button is located below the device table. Click the button to open
the setting panel to create a scheduled firmware update.

Click a group on the navigation tree (to display all the FortiWAN devices of the group on the table) and
check the check-box in the field header Update (to select all the devices) on the table if you would like
to perform the firmware update on all the devices in the group.

See Overview to the Web UI for details about table operations.

Specify firmware file and schedule for firmware update


After you select the FortiWAN devices that you want to update and click either
Update Device Firmware or Update Device Firmware on Schedule, a setting panel is displayed
for specifying the firmware file and schedule to update the devices.

Device Name All the FortiWAN devices selected in the device table above are listed
here. Configure the following settings for updating the devices
immediately or adding the devices to a scheduled update. You can
unselect a device here by clicking the cross symbol of the device. Note
that the operation specified below will be applied to all the devices here.

Update Slave Check the check-box to inform the selected devices (the master units) to
perform firmware update to both master and slave units in HA mode (see
Managing firmware update for FortiWAN).

Firmware File The drop-down menu lists all the firmware files stored in FortiWAN
Manager (see Firmware management). Select the firmware file to use to
update the selected FortiWAN devices.

One-Time Scheduled Specify the schedule to update the specified FortiWAN devices with
the specified firmware. The firmware update will be automatically
performed at the specified time. Select the Year, Month, Day, Hour
and Minute for the scheduling time.

This is available only when you click Update Device Firmware on
Schedule on the device table.

Update Device Firmware Click to update the selected FortiWANs with the selected firmware.
The real-time status of the update process is displayed in the Status field
of the device table above.

The status shows "Firmware update ok" if FortiWAN Manager
completes the firmware update.

It takes time to update firmware on a FortiWAN, and the FortiWAN
reboots automatically after the update is completed. During this
period, the connectivity between FortiWAN Manager and this
FortiWAN device will be broken. The connectivity state of the FortiWAN
device in the device table in Dashboard > Device Status indicates
a disconnection (see Device Status). After the device recovers from rebooting,
connectivity is automatically re-established (the color code in the
device table indicates it). Go to Device Manager > Device and
check the system information of the device you just updated by clicking
Info on the table (see System information and individual WAN link
state); the version of this FortiWAN should be updated. However, in
case of system reboot failure, reset the FortiWAN to factory default
via CLI (see FortiWAN Handbook).

This is available only when you click Update Device Firmware on
the device table.

Update Device Firmware on Schedule Click to create a schedule with the specified FortiWAN devices,
firmware file and time. The created schedules are listed in Firmware
> Firmware Schedule (see Scheduled firmware update).

This is available only when you click Update Device Firmware on
Schedule on the device table.



Scheduled firmware update

You can create a schedule for FortiWAN Manager to automatically perform a firmware update on one or a
batch of FortiWAN devices at the specified time. This scheduled firmware update will be performed
once; it is not periodic scheduling.

To create a scheduled firmware update, follow these steps:

1. Go to Firmware > Firmware Update.
2. From the device table, select the FortiWAN devices on which the scheduled firmware update will be
performed (see Select FortiWAN devices to update firmware).
3. Click Update Device Firmware on Schedule to specify a firmware file and scheduling time for the update
(see Specify firmware file and schedule for firmware update).
4. The created schedule will be listed in Firmware > Firmware Schedule.

To manage and check the created scheduled firmware updates, go to Firmware > Firmware
Schedule.

Schedule Displays the time at which the scheduled firmware update will be
performed.

Device Name Displays the FortiWAN devices on which the scheduled firmware update will
be performed.

Update Slave Displays whether the scheduled firmware update will be performed on
the slave units paired with the master units listed in Device Name.

Firmware Name Displays the firmware file that will be used to update the FortiWAN devices.

Status Displays the status of the scheduled firmware update.

Pending: the time has not yet come to run the firmware update.

[Device Name:] + Complete: the scheduled task was performed
and the firmware was successfully updated on the FortiWAN device.

[Device Name:] + Failed: the scheduled task was
performed, but the update failed.

[Device Name:] + Does Not Exist: the scheduled task was
performed, but the target FortiWAN device is lost.

Action Click to edit the scheduled firmware update. You can remove
devices from the task, change the firmware file to update and
enable/disable a slave update. The schedule time cannot be changed,
and devices cannot be added to the task.

Delete Check and click Delete Schedule (on the upper-left corner) to remove
the scheduled firmware update.



Managing the accounts of FortiWAN

FortiWAN maintains a common local authentication database for its Web UI, CLI and SSH login. These
login accounts are classified into two groups, Administrator and Monitor, with different permissions (see
FortiWAN Handbook). Login accounts of FortiWAN devices can be managed (added, updated and
removed) through FortiWAN Manager.

To manage accounts of a FortiWAN device, go to Device Manager > Account Control and select
from the table the FortiWAN device whose accounts you want to change.

Device table

Device Name Device name of the FortiWAN. This is the field Device Name that you
set for adding this device to FortiWAN Manager. Click the field header to
sort the table by device name.

IP IP address(es) of the FortiWAN that FortiWAN Manager connects to. These
are the fields IP address and IP address (fail-over) that you set for
adding this device to FortiWAN Manager. Click the field header to sort the
table by IP address.

Group Group that the FortiWAN belongs to. This is the field Group that you set
for adding this device to FortiWAN Manager. Click the field header to sort
the table by group name.

Description Textual description of the FortiWAN. This is the field Note Content that
you set for adding this device to FortiWAN Manager.

Change Account Check the check-box to select the FortiWAN devices whose accounts you
want to change.

Status The status of the account change on the FortiWAN devices.

Change Account (button) Change Account is located on the left side below the device table. Click
the button to open the Account Change panel for configuring the changes to
the selected FortiWAN devices.

Click a group on the navigation tree (to display all the FortiWAN devices of the group on the table) and
check the check-box in the field header Change Account (to select all the devices) on the table if you
would like to change an account on all the devices in the group.

See Overview to the Web UI for details about table operations.

Setting panel - Account Change


After you select the FortiWAN device whose account you want to change and click Change
Account, a setting panel is displayed for specifying the account name, password and corresponding
operation. The operations are:

• Add a specified account to the specified account group on the selected devices.
• Update the specified account in the specified account group on the selected devices with the specified
password.
• Remove the specified account in the specified account group from the selected devices.

If multiple devices are selected, the management operation on the account will be applied to these
devices at the same time.

Device Name All the FortiWAN devices selected in the device table above are listed
here. Configure the following settings to add, update or remove
an account on the selected devices. You can unselect a device
here by clicking the cross symbol of the device. Note that the operation
specified below will be applied to all the devices here at the same time.

Account Type Select the account group that the account you want to operate on the
FortiWAN device belongs to. The options are Administrator and Monitor
(see FortiWAN Handbook).

Account Specify the account name you want to add, update or remove.

New Password Specify the password for the account you want to add or update. This is
not required for removing an account.

Password Verification Verify the password for the account you want to add or update. This is not
required for removing an account.

Add Account Click to add the specified account (and password) to the specified account
group on the selected FortiWAN devices. The real-time status of the
add process is displayed in the Status field of the device table above.

Update Account Click to update the specified account in the specified account group on
the selected devices with the new password. The real-time status of the
update process is displayed in the Status field of the device table
above.

Remove Account Click to remove the specified account in the specified account group from
the selected devices. The real-time status of the removal process is
displayed in the Status field of the device table above.

The operation on a device fails if the account you want to update or remove does not exist on the device, or
if the account you want to add already exists on the device. An operation failure on one device does
not abort the operations on the other devices.
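
The failure rules above can be checked against an account inventory before a batch change, for example to see which devices need Add rather than Update when rotating a password across a group. This is an added example, not part of the handbook and not Fortinet code: the inventory structure, the function names, the per-account-group existence check and the requirement that the two password fields match are assumptions.

```python
# Added illustration, not FortiWAN Manager code. Inventory and names are constructed.
from dataclasses import dataclass

ACCOUNT_TYPES = ("Administrator", "Monitor")   # account groups named in the handbook
OPERATIONS = ("add", "update", "remove")       # the three Account Change operations


@dataclass(frozen=True)
class Outcome:
    device: str
    ok: bool
    reason: str


def preflight(inventory, operation, account_type, account,
              password=None, verification=None):
    """Predict the per-device result of one batch Account Change.

    inventory: device name -> {account type -> set of account names}
    (a hypothetical structure you maintain yourself).
    """
    if operation not in OPERATIONS or account_type not in ACCOUNT_TYPES:
        raise ValueError("unknown operation or account type")
    if not account:
        raise ValueError("account name is required")
    # New Password and Password Verification apply to add/update, not remove.
    # Assumption: the two fields must match for the panel to accept them.
    if operation != "remove" and (not password or password != verification):
        raise ValueError("password and its verification are required and must match")

    outcomes = []
    for device in sorted(inventory):
        # Assumption: existence is evaluated inside the selected account group.
        exists = account in inventory[device].get(account_type, set())
        if operation == "add" and exists:
            outcomes.append(Outcome(device, False, "account already exists"))
        elif operation != "add" and not exists:
            outcomes.append(Outcome(device, False, "account does not exist"))
        else:
            outcomes.append(Outcome(device, True, "expected to succeed"))
        # No early exit: a failure on one device does not abort the others.
    return outcomes


def failing_devices(outcomes):
    """Names of the devices on which the operation is expected to fail."""
    return [o.device for o in outcomes if not o.ok]


def split_for_rotation(inventory, account_type, account):
    """Group devices by the operation that sets a new password without failing."""
    plan = {"update": [], "add": []}
    for device in sorted(inventory):
        present = account in inventory[device].get(account_type, set())
        plan["update" if present else "add"].append(device)
    return plan


# Constructed sample inventory.
SAMPLE_INVENTORY = {
    "branch-a": {"Administrator": {"Administrator", "netops"}, "Monitor": {"Monitor"}},
    "branch-b": {"Administrator": {"Administrator"}, "Monitor": {"Monitor", "noc"}},
    "hq-1": {"Administrator": {"Administrator", "netops"}, "Monitor": set()},
}

if __name__ == "__main__":
    for o in preflight(SAMPLE_INVENTORY, "update", "Administrator", "netops", "pw", "pw"):
        print(o)
    print(split_for_rotation(SAMPLE_INVENTORY, "Administrator", "netops"))
```

Running the two batches from `split_for_rotation` separately (Update on one selection, Add on the other) avoids the per-device failures that a single Update across the whole group would produce.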

Appendix A: License verification failure

After a FortiWAN Manager appliance boots up, the system verifies the license file periodically, no matter
what type the license is (see the section "Licensing"). License verification fails if any of the following
conditions is true (see also "System information, resources and license"):

• The 15-day evaluation or 90-day trial has expired.
• The quantity of FortiWAN devices added to the FortiWAN Manager appliance for managing exceeds the
maximum that the license supports.
• The IP address registered for the license is not deployed to FortiWAN Manager's network interface.

FortiWAN Manager automatically reboots every 5 minutes if the license verification fails. During the 5
minutes, the Web UI and CLI are accessible for administrators to take proper actions. To make the system
valid again, take the corresponding solution:

• Purchase a permanent license, and update your FortiWAN Manager with the new license.
• Remove FortiWAN devices to decrease the quantity to match the maximum limitation of the license
(go to Device Manager > Device, delete the devices from the device table), or upgrade your FortiWAN
Manager with an upgrade license to support more FortiWAN devices (see "Licensing").
• Re-configure the FortiWAN Manager's network interface to use the registered IP address (see "Network
Settings"), or register a new IP address that your FortiWAN Manager is using for the license (see
"Appendix B: Changing a registered IP address").

Appendix B: Changing a registered IP address

As described in the section License Installation Limitation of Licensing (see "Licensing"), an IP
address is required for the license file to verify a FortiWAN Manager appliance. However, if
you need to adjust the network topology and re-configure FortiWAN Manager with an IP
address different from the registered one, you can access the Your Asset page on FortiCare and use your Serial
Number and the new IP address for FortiWAN Manager to generate a new License file.
Copyright 2016 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, FortiCare and FortiGuard, and certain other marks are registered trademarks of Fortinet,
Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their
respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results
may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment
by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's General
Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such
event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will
be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant
hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current
version of the publication shall be applicable.
