TABLE OF CONTENTS

Introduction 7

Overview of FortiCloud 7

FortiCloud Sandbox 7

FortiDeploy 8

FortiCloud UserGuida 9

Home Page 9

Analysis Pages 10

FortiView: Summary 10

FortiView: Sections 12

Logs 13

Reports 14

Event Management 16

Management Pages 17

Config 17

Backup 18

Upgrade 18

Script 19

Sandbox Pages 20

Dashboard 20

Records / On-Demand 21

Setting 22

Frequently Asked Questions 23

General Questions 23

WhatisFortiCloud? 23

Whatfunctions does FortiCloud have? 23

How does FortiCloud work? 24

How does FortiCloud comparewith FortiPortal and FortiAnalyzer? 24

HowdoI confirm which version of FortiCloud is currently in use? 25

Which languages are supported by FortiCloud? 25

Is there any way for me to choose which Data Center my logs are stored in? 25

How can I provide feedback or request improvements to FortiCloud? 25

Is there a European FortiCloud instance? 25

If I am an existing customer in EMEA, will my data be transferred to the new Datacenter, or will it remain in its current location? 25

Is there an account designed for MSSP-scale operations? 26

What are the new features in Version 3.2? 26

Whatwas added in previous versions? 27

Licensing and Registration 27

Is there an easy way to test drive FortiCloud? 27

What is the price of FortiCloud? 27

Do I need a support contract to enable the service? 28

HowdoI subscribe to a FortiGate Analysis and Log Retention contract? 28

What features do I get access to for subscribing? 29

HowdoI subscribe to the Enterprise License? 29

What features do I get access to for subscribing to the Enterprise License? 29

What happens if I lose my password? 29

Can I useTwo-FactorAuthentication for FortiCloud? 29

How do you configure service once it is activated? 29

For how long are logs retained? 30

When a device subscription lapses, what happens to the year's worth of logs? 30

What if I wantto unsubscribe from the service and stop uploading logs? 30

Technical Questions 30

What security and redundancy has been built into the service? 30

How do I verify my networkis PCI compliant? 30

Does my FortiGate unit require a hard drive to use FortiCloud? 30

Does FortiCloud support devices from other vendors? 30

Which FortiGate and FortiWiFi models does FortiCloud support? 31

Which versions of FortiOS does FortiCloud support? 31

What port numbers are used by FortiGate devices connecting to FortiCloud? 31

When are scheduled reports sent to administrators? 31

Why can I not see any management functions? 31

Can I set up high availability (HA) logging with FortiCloud? 32

Do I need to purchase a subscription for each FortiGate in an HA pair? 32

FortiCloud Sandbox 32

How does Cloud Sandboxing and AV Submission work? 32

Why can I not see a function or tab for AV Submission/Sandboxing? 32

What is the turnaround time on Cloud Sandboxing and AV Submission? 32

Is there a service description for FortiCloud Sandbox? 32

AP Network 33

Whatisthe FortiCloudAP Networkfeature? 33

How can I register a FortiAP to my FortiCloud account? 33

What is the recommended FortiAP version to use with FortiCloud 3.2? 33

What port numbers are used by FortiAPs connecting to FortiCloud? 33

What happens if myAP loses connection with FortiCloud? 33

I have an older FortiAP that doesn't include a FortiCloud key. Is there some way I can add my device to a FortiCloud AP Network? 34

What FortiAP models are supported by FortiCloud AP Networks? 34

Does the FortiCloud AP Networkfeature support FortiWiFi? 34

Is there a minimum firmware version that I need to run on a FortiAP for the FortiCloud

AP Networkfeature towork? 34

Does my internal wireless/networking traffic get sent to FortiCloud? 34

Do I need to use a FortiGate in conjunction with a FortiCloud AP Network? 34

Is there different pricing/licensing forAP Networkfunctionality? 34

Can FortiAP devices be managed by FortiCloud and workwith FortiPresence? 34

Is there a maximum number of FortiAPs that can be managed via FortiCloud? 35

How does roaming workforaFortiCloud managedAP? 35

What is the admin password for myAP? 35

What is Social Media Captive Web Portal? 35

What is the NAT IP Subnet of my AP SSID Configuration? 35

What is Floorplan in Maps? 35

Whatare Folders? 35

How do DynamicVLANswork? 36

What is Bonjour Relay? 36

What is Blocking of Intra-SSIDTraffic? 36

Why do I need to change my Radio Rates in the Enterprise Management section? 36

IndicatorofCompromise (IOC) Service 36

Whatisthe FortiCloud IndicatorofCompromise Service? 36

What kind ofthreats can the IOC Service detect? 37

HowdoI get access to the IOC Service? 37

Does the IOC Service require a subscription? 37

How do I register my subscription code once IJve purchased one? 37

FortiDeploy 37

What is FortiDeploy? 37

What features does FortiDeploy provide? 38

How does FortiDeploywork? 38

HowdoI purchase FortiDeploy? 38

What is the price of FortiDeploy? 38

What happens if you forget to order FortiDeploy on the PO? 38

Will my FortiGuard and FortiCare services start automatically? 38

What are the devices supported by FortiDeploy? 38

Which versions of FortiOS does FortiDeploy support? 38

Are there any complications if IJve recently upgraded FortiOS? 39

What if I am connected to FortiCloud but the device is not cloud-managed? 39

What ifadevice is deployed behind a NAT device (such as a cable modem)? 39

FortiCloud Cookbook 40

BasicConfiguration 40

Basic FortiCloud Setup 40

Adding Standalone FortiAP to FortiCloud 40

FortiCloud SandboxSetup 40

FortiDeploySetup 41

IndicatorofCompromise (IOC) Setup 41

FortiCloud Device Configuration 41

Deploying Cloud Configuration to Devices 41

Device Configuration Backup to Cloud 41

Remote Device Firmware Upgrade 42

Remote Device Script Execution 42

Advanced Configuration 42

Adding MoreAdministrators/Users 42

Creating Custom FortiCloud Reports 42

Configuring FortiSandboxAlert Emails 43

FortiCloud Multi-TenancyConfiguration 43

Activating Multi-Tenancy Feature 43

Basic Multi-Tenancy Configuration 43

Introduction

This guide provides information about the FortiCloud service.

It is divided into three sections:

•The FortiCloud User Guide, a list of pages and features available in the FortiCloud web interface,

•the Frequently Asked Questions, a collection of general and specific information about the service,

•and the FortiCloud Cookbook, a series of short-form tutorials that teach how to perform tasks in FortiCloud, ranging from basic to complex.

Overview of FortiCloud

FortiCloud is a hosted security and wireless infrastructure management solution and log retention service for FortiGate, FortiWiFi, and FortiAPdevices.

It gives you centralized reporting, traffic analysis, configuration management, and log retention without the need for additional hardware and software, with the following feature set:

•Simple provisioning of large scale security networks

•Configuration and device management from a single pane of glass

•Hosted log retention and cloud-based storage

•Built-in protection from APTswith FortiGuard sandboxing technology

•Instant security intelligence and analytics with FortiView

•Exceptional networkvisibilitywith FortiCloud reporting

•FortiCloud transport security and service availability

FortiCloud also integrates these other Fortinet services: FortiCloud Sandbox, and FortiDeploy.

FortiCloud Sandbox

FortiCloud Sandbox is a service that uploads and analyzes files marked as suspicious bythe FortiGate AntiVirus.

In a proxy-based antivirus profile on a FortiGate, the administratorselects Inspect Suspicious Files with FortiGuard Analytics to enable a FortiGate unit to upload suspicious files to FortiGuard for analysis. Once uploaded, the file will be executed and the resulting behavior analyzed for risk. If the file exhibits risky behavioror is found to contain a virus, a newvirus signature is created and added to the FortiGuard antivirus signature database. The next time the FortiGate unit updates its antivirus database it will have the newsignature.

FortiGuard Labs considers a file suspicious if it exhibits some unusual behavior, yet does not contain a known virus (the behaviors that FortiCloud Analytics considers suspicious will change depending on the current threat climate and other factors).

The FortiCloud console enables administrators to view the status of any suspicious files uploaded: Pending, Clean, Malware, or Unknown. The console also provides data on time, user, and location of the infected file for forensic analysis. Sandboxing is available in both Free and Paid FortiCloud subscriptions.

FortiDeploy

FortiDeploy is a product built into FortiCloud as a feature, for one-touch provisioning when devices are deployed, locallyorremotely. FortiDeployprovides deployment forFortiAPsintoaCloudAP Network, and automatic connection of FortiGates to be managed by FortiCloud or a FortiManager unit.

At time of purchase, you can order a FortiDeploy SKU in addition to your FortiCloud subscription.

When you visit forticloud.com and enterthe Bulk FortiCloud Key, you will see a list of serial numbers from the order that contained the FortiDeploy SKU. Once you confirm that the devices are connected, you can perform basic configuration on the devices remotely, such as sending a FortiManagerIPto all remote FortiGate devices, so they can be managed remotely.

FortiDeploy Support startsthe moment you send an email to cs@fortinet.com, which can also be contacted if you have already purchased a FortiCloud subscription and would like to purchase FortiDeployto add to yourexisting subscription.

FortiCloud UserGuide

Home Page

You will see the Home page when you first open the FortiCloud interface.

On the Home page is a list of Fortinet devices connected to the FortiCloud service.

Newdevices can be added by selecting Add Device above the list, and entering a FortiCloud Key.

Each Device displays:

•theModel/SerialNumber

•the Fortinet Product (FortiGate, FortiAP, etc)

•if the device is connected through a ManagementTunnel

•the last compiled report and the last log uploaded

•what percentage of the FortiCloud Quota has been filled (and a Manage Quota button, that allows you to delete old logs and make space on the server)

•a yellowWarning symbol, or a green Checksymbol, to showsubscription status.

Next to some device iconswill be a gear icon, allowing you to delete/rename/configure devices. ClickonadeviceicontogototheFortiCloudDashboardforthat device.

Analysis Pages

The Analysis pages provide tools for monitoring and logging your device's traffic, providing you centralized oversight of traffic and security events.

FortiView: Summary

The default FortiView page is the Summary view, general overview of what is happening with your device, using manyWidgets.

Each Widget is a customizable box, showing certain information about the device.

•You can click on a Widget title and drag it to move it around.

•You can customize any Widget by selecting the Pencil icon.

•You can delete a Widget by selecting the X icon.

•You can set the refresh rate of Widgets by selecting the Refresh icon in the upper right. NewWidgets can be added by clicking the “Add Widget” button in the upper left.

Widget List

All of the Widgets are listed below.

Threats

•Top Threats displays which Threats are triggering the most detection events on the network. (One or more of the following must be configured on the device: IPS, AntiVirus, AntiSpam, DLP, Anomaly Detection.)

•Top Spam displays which Sources are sending the most Spam email into the network. (AntiSpam must be configured on the device.)

•Top Viruses countsthe viruses most frequentlyfound bythe device'sAntiVirus. (AntiVirus must be configured on the device.)

•Top Applications by Threat Score compares which Applications have the most traffic compared to their Threat Score, based on the device'sApplication Control settings. (Application Control must be configured on the device.)

•Top Attacks counts the attacks most frequently prevented by the device's I PS. (I PS must be configured on the device.)

•Top DLP By Rules counts the DLP events detected by the device, sorted by DLP rule. (DLP must be configured on the device.)

Traffic Analysis

•Top Applications compares which Applications are most frequently used, based on the device's Application Control settings. (Application Control must be configured on the device.)

•Top Application Categories compares which Application Categories are most frequently used, based on the device'sApplication Control settings. (Application Control must be configured on the device.)

•Top Sources displays which Sources have the most traffic from orto the device.

•Top Destinations displays which Destinations have the most traffic from or to the device.

•Top Protocols compares the traffic volume that has passed through a certain interface, based on which protocol it uses (http, https, dns, tcp, udp, other).

•Top Countries displays which Countries have the most traffic from or to the device.

•Traffic History is a chart that displaysthe volume of Incoming and Outgoing traffic overtime.

Websites

•Top Websites compares which websites are most frequently visited. You can click on a category to see which websites in that category are being visited. (Web Filtering must be configured on the device.)

•Top Web Categories compares which Web Filtering Categories are most frequently used, based on the device's Web Filtering settings. (Web Filtering must be configured on the device.)

•Top Users/IP by Browsing Time In Seconds compareswhich IPS are most frequentlyvisited bywhich users in the greatest ratio. You can clickon a userto see which IPsthey are visiting. (Web Filtering must be configured on the device.)

FortiView: Sections

The various FortiView subpages offer log information, reformatted into easily navigable charts, in a similarstyle asthe FortiGate's FortiView pages. Each page is styled differentlyto suit the information structure.

The belowscreenshot showsthe Interface subpage, showing Source Interfaces charted bytrafficvolume.

The menutothe right ofthesubpage list allowsyouto select atime periodtoview:

•Last 60 Minutes

•Last 24Hours

•Last 7 Days

•Last 30 Days

•Specified Time Period

You can set the refresh rate of the chart by selecting the Refresh icon to the right of the time period.

Byselecting Add Filter intheupperright, youcanfilterthechart byvariousfactors; individualchart entriesmay also allowyou to filter bythat entry's data by selecting a Filter icon on the right, ordrill down to see all related log data(e.g. all logdatathroughthat interface.)

Logs

The Log pages offer more detailed log information, accessto individual log data, and downloadable log files.

The belowscreenshot showsthe Traffic Logssubpage, showing traffic log data coNected bythe device.

You can select a Category of logs to view by selecting from the list on the left.

The menu to the right ofthe Categories allows you to select a time period to view:

•Last 60 Minutes

•Last 24Hours

•Last 7 Days

•Last 30 Days

•Specified Time Period

You can set the refresh rate of the chart by selecting the Refresh icon to the right of the time period.

Byselecting Add Filter intheupperright, youcanfiltertheloglist byvariousfactors. Selecting Column Setting will allowyou to customize the default log view.

By clicking on the “Log Files” text in the upper right, you can see the raw log data files, and manually download them.

The box in the lower right allows you to move through pages of log data by clicking the arrows or entering a page number.

Reports

The Reports page generates custom reports of specifictraffic data, and can email them to specified addresses.

Select a report on the left to see a list of collected reports of that type: there will be a pre- configuredSummary Report and a Web Activity Report by default. Double-clickon a report in the list to read it.

Youcan Add newreportsor Edit existingonesintheupperright. Bothof thesewillopenaneditinginterface, which will allowyou to edit the content of the report, adding or removing sections as you choose.

By selecting Schedule , you can set how often reports are run: Daily, Weekly or Monthly, and which email the reports are sent to. You can also choose to Run a report immediately.

Next to the Run button is Settings where you can upload a report logo, and set the report language.

Event Management

The Event Management page allows you to set up email alerts forspecific networkstructure emergencies, such as FortiCloud losing connection to the device, orthe device's powersupply failing.

The page will default to All Events in the left menu, which will list all past emergency events. Select Event Handlers to configure the alert settings.

You can enable events to track by checking them on the left. If you'd like to recieve an alert email when they occur, checkthe mark under Send Alert Email and enterthe email to send to.

Selecting the gear icon on the far right will allowyou to configure each Event Handler directly, setting logged Severity level, and notification frequency.

Management Pages

The Management pages allowyou to remotely manage FortiGate, FortiWiFi, and FortiAP devicesthat are connected to the FortiCloud service.

These pages may only appear if you have purchased a FortiCloud license, as FortiCloud Management is part of the subscription service and will not be available in the free version of FortiCloud from 3.2.1 onwards. It is available in 3.2 on a trial basis.

Config

The Config page gives you accessto a pared-down version of the remote device's management interface, allowing you to configure major features as if you were accessing the device itself.

The configuration you see in FortiCloud is not auto-refreshing; you must select Import from the upper right to upload the local device's config to the FortiCloud page. You can then make any changes you would like to reflect on the device, and select Deploy to push the configuration to the device.

Backup

The Backup page allows you to back up, track, and compare revisions of your remote device's configuration.

By selecting Backup Config in the upper right, you will save a backup to FortiCloud.

The icons on the right allowyou to Edit, View, Compare (to other revisions), Download, Restore (to device), and Delete revisions.

Upgrade

The Upgrade page allows you to see the current firmware version installed on the device, and update to newer stable versions with one click, if they are available.

Select the Upgrade arrow on the right to upgrade. You can schedule a time and date to perform the remote upgrade, allowing you to schedule it during downtime to minimize disruption.

Script

The Script page allowsyou to create and run script files on connected remote devices, allowing you to check device status or get bulkconfiguration information quickly.

You can clickthe Add Script button to upload a script file, orselect a Predefined script, and save it. Each script is a series of CLI commands, one command per line. You can then run it on the device selected in the upper left by selecting the Deploy icon on the right. You can also schedule deployment for a laterdate ortime.

The output of that script will then be recorded, and can be read by clicking the View Result icon on the right.

Last Deployment Result

Get System Status 2017-08-1018:57 Deployed

FortiWiFiSOE $ get system status

Version: FortiWiFi-60E v5.6.1,bui!dl484,170727(GA)

Virus-DB:50.00845(2017-08-1009:16)

Extended DB:50.00845(2017-08-1009:15)

IPS-DB: 6.00741(2015-12-0102:30)

IPS-ETDB: 12.00199(2017-08-0? 01:11)

APP-DB: 12.00199(2017-08-0901:11)

INDUSTRIAL-DB:6.00741(2015-12-0102:30) Serial-Number FWF60E4Q16004140 IPS Malicious URL Database: 1.00728(2017-08-1008:53) Botnet DB: 4.00023(2017-08-1010:00}

BIOS version: 0500000?

System Part-Number P16820-01

Log hard disk: Not available

Hostname: FortiWiFi-60E

Operation Mode: NAT

Current virtual domain: root

Max number of virtual domains: 10

Virtual domains status: 1 in NAT mode. Pin TP mode

Sandbox Pages

The Sandbox pages collect information compiled by the FortiCloud Sandbox service, which submits files to FortiGuard forthreat analysis. They allowyou to configure your use of the service, and viewresults of analyzed files.

Dashboard

The Dashboard page givesyou an overviewof the FortiCloud Sandbox results.

The Dashboard contains the following widgets:

•The System Status widget givesyou a quickviewof the current state of the AntiVirus databases and load.

•The Top Targeted Hosts displays which hosts received the most threats.

•Scan Result shows the last 8 days of results and their risk levels (and you can toggle the display of Clean files in the chart by selecting the checkmarkin the lower right of the widget).

•File Types displays the most commonly analyzed file types in the last 24 hours of scanning.

Records / On-Demand

The Records page displays files that have been flagged as suspicious by your connected device's AntiVirus, which have been uploaded to FortiCloud, to be analyzed by FortiGuard services.

The On-Demand page allows you to manually upload files to FortiGuard services to be analyzed, and displays the analysis results.

These pages may not appear if you do not have the FortiCloud Sandbox service enabled on the connected device.

You can select an analysis level on the left, and click on the file names for more information.

The top right of the On-Demand page also has Export, which allows you to export a CSV or PDF of On-Demand results, and Upload File, where you can manually upload a file to be analyzed.

Maximum file size is 10Mb, and the processing time mayvary based on the size of the file.

Setting

The Setting page allows you to configure FortiCloud Sandbox settings.

Under Enable Alert Setting, you can enable Alert Emails, enter multiple emails (one per line) to receive alerts, and set which level of severitywill trigger alert emailsto be sent.

Under Log Retention, you can set the number of days to retain log data.

Under Malware Package Options, you can select the risk level of data that will be automatically submitted to FortiGuard to further anti-threat research.

Frequently Asked Questions

General Questions

What is FortiCloud?

FortiCloud is a hosted wireless and UTM infrastructure management solution and log retention service for FortiGate®, FortiWiFi®andFortiAP®devices.lt givesyoucentralizedconfigurationmanagement,location- based analytics and reporting, and log retention without the need for additional hardware and software. The feature set includes:

•One-touch provisioning of large scale security and wireless networks

•Configuration and device management from a single pane of glass

•Cloud-managed FortiAPs

•Hosted log retention and cloud-based storage

•Wireless health and oversight at your fingertips

•Cloud management of wireless guest access

•Social media account login for Guest WiFi

•Rogue access point detection and analytics

•Built-in protection from APTswith FortiGuard sandboxing technology

•Location-based analyticswith FortiPresence

•Instant security intelligence and analytics with FortiView

•Networkhealth and utilization-based analytics and reporting

•Wireless configuration including security profiles per SSI D for the Smart AP

What functions does FortiCloud have?

•Centralized Dashboard: system and log widgets plus real-time monitors

•FortiView Log Viewer: real-time log viewing with filters and download capability

•Drilldown Analysis: real-time location, user, and networkactivityanalysis

•Report Generator: create custom report templates, and schedule reports in different formats to display location- based analytics or illustrate network usage patterns

•Device Management: configuration backup and history, script management, and alert profiles for real-time monitors

•AV Submission: shows the status of suspicious files undergoing cloud-based sandbox analysis

•Wireless Health Monitoring: bandwidth, usage, clients, interference, failed login and rogueAPs

•Wireless Security Logs & Events: Authentication, Antivirus, IPS, Web Access, PCI compliance

•Wireless Configuration: SSIDs (including IPS, Antivirus and Web Filtering configuration), Authentication, Captive Portal, Platform Profiles, Tags and NetworkSettings

•Guest Management: ability to add guests and notify them if credentials via SMS or email

•Social Media Account Integration: abilityforgueststo connect to wireless accountsvia social media

How does FortiCloud work?

One or multiple FortiGate/FortiWiFi/FortiAP units are registered with FortiCloud under a single account. This is done via the licensing widget in the device dashboard or at www.forticloud.com. The logs from each device are periodically sent to FortiCloud and stored.

Logs are sent automatically to FortiCloud for storage and processing. You configure what to log, including just Traffic and Event logs or including security logs such asAntivirus, Application Control, IPS, etc.

From the recorded logs, reports can be generated to indicate trendswithin networktraffic, individual useractivity, and security threats across different applications. Drilldown capability and real-time alerting are also available.

FortiCloud also creates copies of FortiGate/FortiWiFi/FortiAP configurations that can be used for backup and restore orto provision newdevices. AVPN tunnel can be used to bring up the console of a device behind a firewall, allowing you to perform configuration orpolicy changes remotely.

How does FortiCloud compare with FortiPortal and FortiAnalyzer?

FortiCloud is an ideal solution for customers who do not want to implement a separate hardware solution such as the FortiAnalyzer 200D series. However, it does not have all the features of a FortiAnalyzer. A high-level comparison isshown below:

How do I confirm which version of FortiCloud is currently in use?

Clickon the FortiCloud name in the title bar, orthe About linkto see the build/version number.

Which languages are supported by FortiCloud?

FortiCloud currently supports two languages: English and Japanese. These can be selected via the web portal login page. Other languages may be available in other regions.

Is there any way for me to choose which Data Center my logs are stored in?

Yes. When you initially create your account in FortiCloud, it will offeryou a choice of data centerto use. Data and accounts cannot be transferred between data centers, so migrating will require a new account.

How can I provide feedback or request improvements to FortiCloud?

On the top right of everyscreen is an envelope icon, which will open a feedbacksubmission form. Feedbackis greatly appreciated, but Fortinet cannot guarantee individual responses to any requests.

Is there a European FortiCloud instance?

Yes. As of Q2 2016, the FortiCloud service has been available through our new Regional FortiCloud Datacenter, geographically aimed at our European customer base, and is completely isolated from the North American instance.

All analysis, reporting, management and storage capabilities are provided locally, with full access to our global threat intelligence databases, with the dual benefit of isolating intercontinental data and providing performance improvements and lower latency to the end device.

If I am an existing customer in EMEA, will my data be transferred to the new Datacenter, or will it remain in its current location?

Any existing units will remain logging to their original destinations. If you wish to change this, please contact our Customer Services. No existing logs will be moved as part of this process.

Is there an account designed for MSSP-scale operations?

FortiCloud has a premium account type, designed for Managed Security Service Providers: a Multi-Tenancy Account.

AMulti-TenancyAccount is a one-yearservice for an administratorto create and manage multiple sub-accounts. It also allows devicesto be moved between these accounts. Each of the sub accounts can be allocated

administrators, with full or read-only access, allowing you more control overthe provision of a managed service.

To activate a Multi-TenancyAccount, please request a quote forthe following SKU:

“FCLE-10-FCLD0-161-02-DD”

through your Fortinet Partner or Reseller.

What are the new features in Version 3.2?

The majorfeature in 3.2 is FortiGate Configuration Management, which allowsforsynching of connected FortiGate devices, uploading and downloading their config files and making in-FortiCloud changes that can then be reflected in the devices.

FortiGate Configuration Management is included as part of the FortiCloud Subscription service. In 3.2.0, it is available to all FortiCloud users as a trial, but as of 3.2.1 it will require a 1 Year Management, Log Retention and Analysis Contract. At that point, you will be able to view device configurations without a contract, but will no longer be able to edit them.

This feature advances FortiCloud as a universal cloud management platform, and many other small features have been added in 3.2 to support this concept:

•more visibility and detail from FortiView

•simpler Log viewing with a log data sidebar

•FortiGate Event Management (with alert emails forevents such as DeviceTunnel Down and Power Supply Failure)

•Config Deployment Scheduling, allowing you to schedule remote config uploading, firmware upgrades, and scripts

•On-Demand submission of files to FortiCloud Sandbox for analysis

AP Networkand MSSPfeatures have been updated in 3.2 aswell, with remote FortiPresence configuration, QoS Profiles, increased IPS capabilities, preliminarysupport for FAP-U models, AP Networkalert emails, and a new REST API forqueryingAP Networkinformation.

The API is currently only available on a limited basis. Contact Fortinet Support if you require access.

What was added in previous versions?

3.1

Two-Factor Authentication has been added to the management interface. FortiGate management remains as a public beta service in3.1, but has been expanded to allowimporting of the current configuration from a deployed FortiGate. Sandbox functionality has also been improved, showing the number of files waiting for processing.

A new Enterprise-level license is now available as a paid upgrade for connected APs, covering a number of advanced RF settings, and blocking of intra-SSI D traffic. This license includes support for the FAP-S series APs, with included FortiGuard subscription and Bonjour relaying support.

3.0

Location-based analytics with FortiPresence have been added. To support FortiPresence features, social media logins forGuest WiFi Accounts have been integrated into FortiCloud. Also newin 3.0 was enhanced FortiOS management, Fast Roaming between AP units, and enhanced AP configuration in NAT Mode.

2.5

Multi-tenancywas added; and a series of wireless-related features such as guest management, external captive portals, security per SSID (forthe Smart AP), AP location floor plan and AP radio adjustment. Also added were PCI compliance reports and integration with Advanced Threat Protection.

Licensing and Registration

Is there an easy way to test drive FortiCloud?

Yes, you can test drive FortiCloud byvisiting the FortiCloud portal, and selecting the Live Demo linkat the bottom of the FortiCloud login screen. Thiswill showa FortiCloud account with populated devices and logsto simulate a live environment.

What is the price of FortiCloud?

A no-charge service option is available with unlimited storage is available for one week.

Effective in FortiCloud 3.0, we are replacing the 200Gb-per-device service with a annual-subscription-based service, with one, two, orthree-yearservice terms.The newservice provides 1 year of history, regardless of size.

FortiCloud will be available for all FortiGate devices up to the FG3200D.

To activate FortiCloud after the free trial ends, you will need to acquire a subscription license based on the following SKUs, available with 1,2, and 3-year service terms:

Activation on device requires FortiOS 5.4.2 or newer. The Indicatorof Compromise (IOC) Service requires an existing FortiCloud subscription.

For pricing information, please contact your Fortinet partner or reseller.

Do I need a support contract to enable the service?

No, but you do need to register each FortiGate/FortiWiFi/FortiAP on the Service and Support Portal at https://support.fortinet.com. Ifsvery important to register each device in your network, orthe service (free or subscribed) cannot be enabled.

How do I subscribe to a FortiGate Analysis and Log Retention contract?

To upgrade to a subscription, you need to:

1.Obtain a license (Contract Number) from your Fortinet reseller.

2.Click on the Upgrade icon in the FortiGate/FortiWiFi dashboard licensing widget.

3.Followthe instructions presented. If you are running FortiOS 5.0 and higher, you have the option of receiving a scratch-off card/certificate from your Fortinet reseller.

4.Scratch the card to reveal the hidden activation code. Enter this directly into the FortiGate console in the Licensing widget.

5.Wait about 30 minutes forthe backend systemsto process the subscription.

6.Checkyour FortiGate/FortiWiFi Dashboard, and the subscription will have changed from Free to Subscribed.

What features do I get access to for subscribing?

Yes. When you upgrade to a subscription, you will no longer have a daily limit on uploads and will be able to create, schedule, and customize reports. You will also be able to subscribe to more advanced features, like the FortiCloud IOC (Indicator of Compromise) Service, FortiPresence Analytics, and FortiOS Management.

You also gain the ability to analyze more files per day with FortiCloud Sandboxing (the free version limits you to 100 files per day.) The actual daily limit of files is based on the model of FortiGate deployed.

How do I subscribe to the Enterprise License?

1.Place an order, and receive a Support Contract from yourselected partner.

2.Perthe Service Entitlement Summary on the contract, applythe Contract Registration Code on support.fortinet.com.

3.Select the applicable FortiAP (S) serial number.

4.Completethe registration process.

5.Product Entitlementswill now display Support Coverage for ‘FortiCloud FAP Management Service5 with a 1-year subscription.

What features do I get access to for subscribing to the Enterprise License?

FortiAP-C benefits from 8x5 support and 1-yearlog retention.

FortiAPand FortiAP-U also gain advancedwireless featureswhich grant control overtransmitted data rates.

FortiAP-S benefits from the additional capability of Bonjour relaying, a subscription to FortiGuard services, and intra-SSI D isolation of specific clients.

More subscriber-only features will be added in future releases of FortiCloud.

What happens if I lose my password?

You can reset your password on the FortiCloud portal at https://www.forticloud.com.

Can I use Two-Factor Authentication for FortiCloud?

Yes. As of 3.1, Two-FactorAuthentication is offered as part of the base free service, using the FortiToken app available on mobile devices. To enable two-factor authentication, ensure your entered email address is correct, as you will be sent an email withe setup instructions. Then enable ‘2-Factor5 in the ‘MyAccounf section.

How do you configure service once it is activated?

The configuration of the service is done via the web portal at https://www.forticloud.com. The logswill automatically start appearing in the logs and archives section.

Select the gear icon on any page to edit that page's settings.

Select the gear icon next to the administrator email in the top right to edit user settings.

For how long are logs retained?

FortiCloud will automatically delete logs olderthan the length of the support contract to make space fornew log data. Email and pop-up reminderswill be sent periodically (30 days, 14 days, 7 days, and 24 hours) before logs are deleted and before the contract term comes to an end.

When a device subscription lapses, what happens to the year’s worth of logs?

Any logsthat are associated with the licensed device olderthan 1 yearwill be automatically purged. Forthe free service, logs olderthan 7 dayswill be purged.

There is no grace period, so please ensure you are properly renewed so that your logs are retained.

What if I want to unsubscribe from the service and stop uploading logs?

You can disconnect your account from the dashboard in your FortiGate/FortiWiFi. Inthe Licensing and Information widget in the FortiGate interface, clickon the Log-out button. Thiswill detach the FortiGate/FortiWiFi from the account and stop the logs from uploading.

Technical Questions

What security and redundancy has been built into the service?

Logs are transferred between devices and the FortiCloud storage are transmitted via an encrypted link. All system elements are duplicated for redundancy.

How do I verify my network is PCI compliant?

FortiCloud makes it easy to deploy, monitor and verify PCI compliance. FortiCloud's security feature set addresses PCI Data Security Standards 3.0, helping customersto build and maintain a secure network, protect cardholderdata, maintain a vulnerability management program, implement strong control measures, and monitor network security.

Does my FortiGate unit require a hard drive to use FortiCloud?

The FortiGate does not require a hard drive if logs are being uploaded to FortiCloud in real-time, which can be enabled in the Log Setting page in the FortiGate interface. FortiCloud is a convenient alternative to a hard drive for devices too small to contain one, such as FortiWiFi units.

Does FortiCloud support devices from other vendors?

FortiCloud only supports FortiGate, FortiWiFi and FortiAP products. It does not currently support other company's products for log retention.

Which FortiGate and FortiWiFi models does FortiCloud support?

FortiGate

All 2U (3200D) and smaller FortiGates are supported bythe FortiCloud environment.

FortiWiFi

All FortiWiFi models 20 to 90 support FortiCloud natively through the dashboard Licensing widget.

FortiAP

All FortiAP, FortiAP-S, and FortiAP-C models are supported by FortiCloud. FortiAP-U will be supported by Q3 2017.

Which versions of FortiOS does FortiCloud support?

FortiCloud is available for all devices at FortiOSversion 4.3 or later, but forfull feature support, the most current available version should be deployed. Devices running FortiOS version 4.2 or earlier may not be able to access FortiCloud. Consult your device's documentation for more information.

What port numbers are used by FortiGate devices connecting to FortiCloud?

Please note that these should be required by outbound traffic only. On request, we can supplythe destination IP

When are scheduled reports sent to administrators?

Scheduled reports are sent to administrator email addresses between 2 AM and 6 AM if automatic report delivery (Daily/Weekly/Monthly) is enabled.

Why can I not see any management functions?

You must first enable the management tunnel on the FortiGate/FortiWiFi device. On the device, use the following commands in the CLI:

config system central-management set mode backup

set type fortiguard

end

end

Can I set up high availability (HA) logging with FortiCloud?

FortiCloud accepts inbound logs from each device independently, and has no means of detecting that connected devices are in an HA cluster. Though multiple HA clustered devices will theoretically send identical logs to FortiCloud, if one device stops logging or is unable to reach FortiCloud, the other devices will not send logs on its behalf.

Do I need to purchase a subscription for each FortiGate in an HA pair?

Yes. FortiCloud handles each device separately, regardless of configuration.

FortiCloud Sandbox

How does Cloud Sandboxing and AV Submission work?

In a proxy-based antivirus profile on a FortiGate, the administratorselects Inspect Suspicious Files with FortiGuard Analytics to enable a FortiGate unit to upload suspicious files to FortiGuard for analysis. Once uploaded, the file will be executed and the resulting behavior analyzed for risk. If the file exhibits risky behavioror is found to contain a virus, a newvirus signature is created and added to the FortiGuard antivirus signature database. The next time the FortiGate unit updates its antivirus database it will have the newsignature.

FortiGuard Labs considers a file suspicious if it exhibits some unusual behavior, yet does not contain a known virus (the behaviors that FortiCloud Analytics considers suspicious will change depending on the current threat climate and other factors).

The FortiCloud console enables administrators to view the status of any suspicious files uploaded: Pending, Clean, Malware, or Unknown. The console also provides data on time, user, and location of the infected file for forensicanalysis.

Why can I not see a function or tab for AV Submission/Sandboxing?

You must first enable Cloud Sandboxing on the FortiGate device, and then submit a suspicious file to cause the tab to appear.

What is the turnaround time on Cloud Sandboxing and AV Submission?

It can be anywhere from 10 minutes (for automated sandbox detection) to upto10 hours (if FortiGuard Labs is involved).

Is there a service description for FortiCloud Sandbox?

Yes, a full current service description is available online here:

http://docs.fortinet.com/uploaded/files/3429/FortiSandbox-Cloud-Service-Description.pdf

AP Network

What is the FortiCloud AP Network feature?

This feature allows administrators to remotely configure APs, modify wireless management settings and visualize wireless-related events. Examples of configuration changes include AP name and SSIDconfiguration, power settings and rogue AP detection. Wireless management settings include RADIUS details, standard users/groups/guests and SSIDs/security. There are a robust set of visualizations including real-time and historical charting of traffic usage, AP client counts and client usage. Thinkof it as a comprehensive wayto manage your wireless infrastructure via the cloud.

How can I register a FortiAP to my FortiCloud account?

Supported FortiAP models include a sticker with a unique FortiCloud key affixed. This key must be entered into the FortiCloud interface to register the FortiAP to your FortiCloud account.

What is the recommended FortiAP version to use with FortiCloud 3.2?

We recommend FortiAPversion 5.6 or laterforuse with FortiCloud 3.2. It is always our recommendation that you run the latest GAfirmware on your FortiAPs.

What port numbers are used by FortiAPs connecting to FortiCloud?

Please note that these should be required by OUTBOUND traffic only. On request, we can supply the destination IPaddressesto add to an outbound policy, if required.

What happens if my AP loses connection with FortiCloud?

If yourAP loses connection to FortiCloud, or in the unlikely event that the FortiCloud service is unavailable, then all functionswhich are not hosted in FortiCloud will continue to workwithout interruption. The configuration is held locally on the AP, and will continue to function.

OnlySSID'swith authentication in FortiCloudwill be disrupted: FortiCloud-hosted CaptiveWeb Portals, and FortiCloud User Groups. Open, WPA2 PSK, and WPA2 802.1XRADIUS SSID'sthat are not using FortiCloud-

hosted authentication (such as ones using local RADI US server or Local Captive Portal) will continue to work uninterrupted.

I have an older FortiAP that doesn't include a FortiCloud key. Is there some way I can add my device to a FortiCloud AP Network?

Older FortiAPs that have shipped without a FortiCloud key can be added to FortiCloud. Open the FortiAP management interface, and in WTP-Configuration select FortiCloud. Enteryour FortiCloud credentials, and select Apply. Login to FortiCloud and select Inventory > Unused APs to see the list of FortiAPs. Select Deploy to AP Network > Existing AP Network.

What FortiAP models are supported by FortiCloud AP Networks?

The AP Network functionality within FortiCloud is supported by all FortiAP models.

Does the FortiCloud AP Network feature support FortiWiFi?

FortiWiFi models are not currentlysupported forwireless configuration.

Is there a minimum firmware version that I need to run on a FortiAP for the FortiCloud AP Network feature to work?

The FortiAP must be running FortiAP OS 5.2 at a minimum. It is recommended to run the latest software build on the FortiAP to guarantee FortiCloud functionality.

Does my internal wireless/networking traffic get sent to FortiCloud?

No. Fortinet uses an out of band management architecture, meaning that only management data flows through the FortiCloud infrastructure. No usertraffic passesthrough Fortinet's datacenters, and your data stays on your network.

Do I need to use a FortiGate in conjunction with a FortiCloud AP Network?

No. We recommend you registeryour FortiAP to be directly managed by FortiCloud. You do not need to use a FortiGate unit as a proxy to manage FortiAPs from FortiCloud.

Is there different pricing/licensing for AP Network functionality?

There are no additional fees or licensing required to manage FortiAPs from FortiCloud.

Can FortiAP devices be managed by FortiCloud and work with FortiPresence?

Yes, FortiPresence is supported by FortiAPs and managed by FortiCloud in version 3.1.

Forlocation analytics, the APswill use a Push API to talkto the FortiPresence cloud. You can configure this under AP Network > Configuration > Miscellaneous.

Is there a maximum number of FortiAPs that can be managed via FortiCloud?

There is no licensing limit for the number of FortiAPs that can be managed with FortiCloud.

How does roaming work for a FortiCloud managed AP?

Starting with FortiAP 5.4 and FortiCloud 3.0, APswhich are in the same management subnet will talkto each other using encrypted communications and share station and authentication information. This means that when a client connected via Captive Web Portal, 802.1Xor PSK moves from one access point to another, there is no re�authentication required and a session transition should happen once the client decides to roam.

What is the admin password for my AP?

When you add an AP Network, you are asked to define a password for it. This password is used as the admin password for all APs inside that AP Network. The password can be changed inside the AP Network under Configuration > Miscellaneous.

What is Social Media Captive Web Portal?

Social Media Captive Web Portal isthe functionalitythat creates a Captive Web portal where a user's social media login is used as authentication. This is hosted in FortiCloud, and currently supports Facebook, Google+, LinkedIn and Twitteraccounts. The Captive Web Portal can be customized with different colors and logos. We recommend a Terms of Use be added to the Captive Web Portal, matching with the legal requirements of your jurisdiction. Please see the disclaimer on the configuration page for more details.

What is the NAT IP Subnet of my AP SSID Configuration?

If you want each APto provide its own AP NAT boundary ratherthan bridge users directly onto the local network, you can now assign the Subnet forthe APsto use in the SSIDconfiguration.

Note: A known limitation is that the subnet will be assigned only on the 2.4Ghz radio. The 5Ghz radio will use a subnet 17 octets higher. For example, if the 2.4Ghz radio is set to use 10.10.10.1/24, the 5Ghz radio will use 10.10.17.1/24. This limitation will be addressed in a future software release.

What is Floorplan in Maps?

In FortiCloud 3.0, you can nowadd a Floorplan, and zoom into it to place yourAPs and see theirstatistics and RF information. Previously, you could use Google Maps integration to see a floorplan overlaid over a building, but now full zoom and positioning controlls have been added.

What are Folders?

Folders are a simple way to group AP's together for management purposes, and can be used to organize APs into groups, sites or any other organization you see fit. You can create subfolders and also assign new addresses and locationstoAPs.

How do Dynamic VLANs work?

RADIUSservers can be configured to pass class attributes backin response to a successful authentication. One of these attributes isthe VLAN to which the client should be assigned. With an Enterprise license and this feature enabled, it is possible to place different types of users connected to the same SSIDinto different VLANs, based on their user credentials.

What is Bonjour Relay?

Bonjour is a protocol where (typically Apple) devices broadcast their services. For example, an Apple TV sends a Bonjourbroadcast, so that an iPad knows it isthere and can connect to it.

The issue isthat these broadcasts are layer2- so if the iPad and the Apple TVare on different VLANs, then they will not be able to talk. Bonjour Relay is a simple mechanism to fixthis. The FAP-Sseries of APs can be set to operate with a service network(where the Apple TVis), and a client network(where the iPad is), allowing the FAP-S to re-transmit the Bonjour requests from the service network onto the client network, allowing the iPad to learn where the Apple TV is and create a session.

To set it up, enterone or more services as Service VLAN and Client VLAN, along with a definition of the service, e.g. you may chooseto onlysendthe information about theApple TVto a meeting room, and not the printerin reception. Once these services have been defined, simplyselect the APthat will perform the Bonjour Relay function.

What is Blocking of Intra-SSID Traffic?

This feature blocks all trafficfrom one client to another on the same SSID. This helps to avoid a common issue of clients sending data between themselves on the same SSID, without traversing and being protected bythe firewall.

Why do I need to change my Radio Rates in the Enterprise Management section?

Wireless operates at many different data rates based on the quality of the radio signal. For example, an 802.11n 2.4GHz client is capable of running at 450 Mbs on a 3x3 AP, but it is equally capable of running at 1 Mbps.

Inconsistent radio rates can lead to clients remaining connected to an AP long afterthey should have reconnected to a betterAP. Aclient running at 1 Mbps has great range, but its slowthroughputwill have a degrading effect on the networkperformance as a whole. The newdata rate control feature in 3.1 allowsyou to restrict which data rates are allowed, to ensure clients that are too far away are not slowing down the overall system.

Indicator of Compromise (IOC) Service

What is the FortiCloud Indicator of Compromise Service?

FortiCloud Indicator of Compromise (IOC) Service is a new service that alerts administrators about newly-found infections and threats to devices in their network. By analyzing UTM logging and activity, the service can provide a comprehensive overview of threats to the network.

What kind of threats can the IOC Service detect?

IOC can detect three types of threats, based on our evolving FortiGuard database:

•Malware 一 Malicious programs residing on infected endpoints.

•PUP— Potentially unwanted programs, such as Spyware, Adware, and toolbars.

•Unknown 一 Threats detected by signature but not associated with any known malware.

How do I get access to the IOC Service?

The free version of IOC is currently available on all accounts in the North america data center.

Non-Multi-Tenancy Account

In the FortiGate list, lookfor red 'Threats/Suspicious'text underneath the System Status, which will only appear if the FortiGate has detected anythreats. Clickon the text to open the IOC interface.

Multi-Tenancy Account

In the FortiGate list, lookto the far right. A'bomb' icon will be visible next to the other configuration icons, if your FortiGate has detected anythreats. Select the bomb icon to open the IOC interface.

Does the IOC Service require a subscription?

The basicform of the IOC is free, which will alert you to threats and automatically prepare a comprehensive threat report. Threats listed will only provide partial IPs of infected devices: serverand subnet.

You can purchase a subscription forthe complete IOC by opening the Howto Buy page in the FortiCloud IOC site, and completing the purchase process.

Asubscription grants you access to IPWhitelisting, which allowsyou to narrowyour malware search by excluding safe IPs and domains, and Alert Emails, which notifyyou directly of detected networkthreats. It will also allow you to view the full I Ps of infected devices, allowing you to better control their access to your network.

How do I register my subscription code once I've purchased one?

You will receive yoursubscription code by email. Visit the Fortinet Support portal at http://support.fortinet.com, and log into your customeraccount. On the Asset page, registerthe subscription code as if it were a product serial number, and then enterthe serial number of the FortiCloud-connected device that you want the service to monitor.

FortiDeploy

What is FortiDeploy?

FortiDeploy is a product built into FortiCloud as a feature, for one-touch provisioning when devices are deployed, locally or remotely. FortiDeploy provides deployment for FortiAPs into a Cloud AP Network, and automatic connection of FortiGates to be managed by FortiCloud or a FortiManager unit.

What features does FortiDeploy provide?

•One touch deployment for FortiAPs into a Cloud AP Network

•One touch deployment for FortiGates to be FortiCloud managed or mananged by a FortiManager IP

How does FortiDeploy work?

When you visit forticloud.com and enterthe Bulk FortiCloud Key, you will see a list of serial numbers from the order that contained the FortiDeploy SKU. Once you confirm that the devices are connected, you can perform some basic configuration on the devices remotely, such as sending a FortiManagerIPto all remote FortiGate devices, so they can be managed remotely.

How do I purchase FortiDeploy?

At time of purchase, order a FortiDeploy SKU in addition to your other purchases, and enter it in FortiCloud. Once the FortiGate's serial number is associated with your customer account, you have the option to deploy the devices in either FortiCloud or FortiManager. FortiDeploy can also push an IPto each FortiManager. Support starts the moment you send an email to cs@fortinet.com.

What is the price of FortiDeploy?

FortiDeploy must be purchased on every PO using FDP-SINGLE-USE SKU. The nominal fee is $100/PO.

What happens if you forget to order FortiDeploy on the PO?

If you forget to order FortiDeploy on the PO, please send an email to the Fortinet Customer Service and Support Team: cs@fortinet.com, and they can manually registeryourserial numbers and generate a Bulk FortiCloud Key.

Will my FortiGuard and FortiCare services start automatically?

No. FortiGuard and FortiCare serviceswill start onlyafteryou registeryourserial numbers. Bulkregistration of FortiGuard and FortiCare is available, but you will need to send a direct request after registration to cs@fortinet.com.

What are the devices supported by FortiDeploy?

•While FortiCloud supports all FortiGates up to the 3240C, FortiDeploy is only available up to the 200E, as we recommend that larger deployments be handled bytrained personnel.

•All FortiWiFi devices

•All FortiAPdevices

Which versions of FortiOS does FortiDeploy support?

FortiDeploy is available for FortiGate/FortiWiFi devices at FortiOSversion 5.2.2 or later, and FortiAP devices at version 5.0.9 orlater.

Are there any complications if I"ve recently upgraded FortiOS?

From FortiOS 5.2.3 onward, the CLI command auto-join-forticloud is enabled by default, and must be enabled for FortiDeployto function correctly.

But upgrading the FortiOSfirmware from 5.0.xto 5.2.2 or laterautomatically disables auto-join- forticloud, which will need to be re-enabled or FortiDeploywill not function.

You can re-enable it through the CLI or by factory resetting your device (but factory resetting will reset all firewall configuration).

config system fortiguard get

set auto-join-forticloud enable

end

end

After changing this setting, restart the device and ensure that traffic is being sent to FortiCloud to verify that it has been configured correctly.

What if I am connected to FortiCloud but the device is not cloud-managed?

Double-checkthat central management is set to FortiGuard.

In the CLI console:

config system central-management set type fortiguard end

Reboot the device, login to FortiCloud and try to manage the device.

What if a device is deployed behind a NAT device (such as a cable modem)?

AFortiGate's default “internal” IPisin the 192.168.1.0/24 subnet, and so IPconflicts can occurwith FortiDeploy-

managed devices. The solution is to unset the default IP for each of the devices in the CLI console:

config system interface edit internal unset ip end end

Or change the internal interface's IP in the web-based management interface.

FortiCloud Cookbook

This series of short 'recipe'tutorialswill showyou howto enable and set up various FortiCloud services and features. For more in-depth explanations of individual features and functions, consult the Frequently Asked Questions.

Basic Configuration

FortiCloud has many features available, depending on the size of your network and your interest in monitoring and management. First, devices must be added to the service.

Basic FortiCloud Setup

1.Registerthe FortiGate/FortiWiFi on the Service and Support Portal at support.fortinet.com.

2.Create a FortiCloud account in the FortiGate/FortiWiFi dashboard licensing widget.

3.Activate the FortiGate/FortiWiFi within the dashboard licensing widget.

4.Create a firewall policy with logging enabled. Configure log uploading, if necessary.

5.Log into the portal at https://www.forticloud.com.

Adding Standalone FortiAP to FortiCloud

1.Registerfora FortiCloud account at https://www.forticloud.com.

2.Clickthe “Add Device” linkand enterthe unique FortiCloud key located on your FortiAP device.

3.Deploythe FortiAPto an existingAPnetworkorcreate a newAPnetwork.

4.Associate your FortiAP with an SSI D.

5.Connect yourFortiAPto an internet connection, andwaitforit to self-configure.

6.Log into the portal at https://www.forticloud.com to configure it further.

FortiCloud Sandbox Setup

1.Registerthe FortiGate/FortiWiFi on the Service and Support Portal at support.fortinet.com.

2.Create and activate a FortiCloud account in the FortiGate/FortiWiFi dashboard licensing widget.

3.Go to System > Config > FortiSandbox, and under FortiSandbox Settings, select Enable Sandbox Inspection, and select 'FortiSandbox Cloud'. The associated FortiCloud Account should appear below.

4.In Security Profiles > AntiVirus, create a profile that has Send Files To FortiSandbox Cloud For Inspection enabled.

5.Create a firewall policywith logging enabled, that uses the FortiSandbox-enabled AntiVirus profile.

6.Once some files have been uploaded to the FortiCloud Sandbox, log into the portal at https://www.forticloud.com to seetheresults.

FortiDeploy Setup

1.Purchase a FortiDeploy SKU when you purchase your FortiCloud subscription, or by contacting cs@fortinet.com if you have already purchased a FortiCloud subscription.

2.Visit forticloud.com and enterthe Bulk FortiCloud Key, you will see a list of serial numbers from the orderthat contained the FortiDeploy SKU.

3.Send an email to FortiDeploy Support, at cs@fortinet.com to confirm your subscription and start the service.

4.Once you confirm that the devices are connected with FortiDeploy, you can deploy basic configurations to the devices remotely.

Indicator of Compromise (IOC) Setup

Note: The basicform of IOC is free, and functions for all of your FortiCloud-connected devices. In orderto purchasethecomplete form of IOC, followtheinstructions below.

1.Open the Plan page in the FortiCloud IOC site, and select Buy Online.

2.Complete the purchase process, and wait for the key to arrive by email.

3.Log intothe Fortinet Support portal at http://support.fortinet.com.

4.On the Asset page, register the code as if it were a new product's serial number, and then enter the serial number of the FortiCloud-connected device that you want the service to monitor.

5.The service will automatically take effect.

FortiCloud Device Configuration

Whether you are creating a FortiCloud AP Network, orjust monitoring multiple devices, you can use a variety of features to remotely manage and configure your networked devices.

Deploying Cloud Configuration to Devices

1.Goto Management > Config.

2.Before you edit any settings, select Import in the upper right to retrieve the most up-to-date configuration from the FortiCloud-connected device.

3.On this page, you have limited accessto an analogue of the FortiGate interface, allowing you to edit interfaces, routes, policies, etc. Edit the FortiGate configuration as needed.

4.When you are readyto push your updated configuration backto the device, select Deploy in the upper right.

5.Wait for the configuration to download to the device. When it completes, a Deployment Log will appear, showing you the changes as they appear in the CLI.

Device Configuration Backup to Cloud

1.Go to Management > Backup.

2.Select Backup Config in the upper right, and enter a name for the backup revision.

3.The new configuration will be added to the list. By selecting the icons on the right side, you can rename, view, compare, download, restore, and delete configuration files. The compare icon will only appear once you have multiple revisions available.

Remote Device Firmware Upgrade

1.Go to Management > Upgrade.

2.Verify your device's current firmware version in the upper left before continuing.

3.If you are concerned about the effects of upgrading or have not upgraded recently, please read the FortiOS Upgrade Path document, available at http://docs.fortinet.com.

4.We also recommend that you back up your device's configuration before upgrading, either in Management > Backup or in the device's management interface.

5.Select an Available Firmware from the list that you would like to upgrade the device to, and select Upgrade.

6.Waitforthe upgradetotake effect.

Remote Device Script Execution

The Script deployment functionality allows you to upload scripts and run them as needed on a schedule basis.

1.Go to Management > Script.

2.In the upperright, select Add Script.

3.Enter a name and a description, and the content of the CLI script that you want to run. Save the script.

4.On the right, select Schedule Deployment icon, and select a time that you'd like the script to be automatically deployed to the device.

5.If you need to cancel the scheduled run, select the blue arrownext to the scheduled time.

Advanced Configuration

Some features of FortiCloud are more useful forlarger/more distributed networks: more refined oversight, multipleadministrators, multipleregions, orothercomplexsetups.

Adding MoreAdministrators/Users

1.In the upperright of the FortiCloud interface, select the My Account icon.

2.Select Add User inthewindow.

3.Enterthe email address and name of the new user/admin.

4.Select whether they are an Admin (total control over the FortiCloud interface) or a User (limited control, monitoring only).

5.Select Submit. Theywill receive an email prompting them to set theiraccount password, and log in.

Creating Custom FortiCloud Reports

1.Goto Analysis > Reports.

2.Select Add in the upper right, and choose whether to create a new report, edit an existing template, or import an external template.

3.Select the gear icon on the right side to add Charts and Headersto the current section, or new 1-or2-column sections.

4.Edit charts by selecting the pencil icon in the upper right of each chart, and selecting a predefined chart style or setting the axis variables manually.

5.When you're finished, select Save in the upper right.

6.Select Run, and viewthe finished report.

Configuring FortiSandboxAlert Emails

1.Go to Sandbox > Setting.

2.Select Enable Alert Setting.

3.Enter emails into the list that should be contacted in the event of a FortiSandbox Alert.

4.Select the levels of severity that will trigger an Alert.

FortiCloud Multi-Tenancy Configuration

A Multi-Tenancy Account is a subscription account that allows you to create and manage multiple sub-accounts that are functionally isolated from each other. Dbeevices and be added to and moved between these sub�accounts, and each account can have its own administrators and users.

Activating Multi-Tenancy Feature

1.Contact your Fortinet Partner or Reseller, requesting the following SKU: “FCLE-10-FCLD0-161-02-DD”.

2.You will receive a Multi-TenancyActivation Code from them by email.

3.Open the FortiCloud interface, and select the My Account icon in the upper right.

4.Underthe admin/userlist, select Activate Multi-Tenancy Feature.

5.EntertheActivation Code, and Submit.

Basic Multi-Tenancy Configuration

Once Multi-Tenancy has been activated, the default FortiCloud Home page will be replaced with the Multi�Tenancy page, which has 'FortiGate', 'AP Network', and 'Inventory' at the top.

1.Open the Inventory page, and select Import Key from the upperright, either FGT, AP, or Bulk ifyou wantto add multiple FortiCloud licenses at once.

2.Import all the dev ices and/or licensesyou like. Theywill be listed under FortiGate Inventory, and AP Inventory.

3.On an Inventorysubpage, select a device, and select Deploy in the upperright to assign it a license. It will be automaticallymovedtothe Deployed FortiGates/APs subpage.

4.Select either FortiGate or AP Network from the top, and select a device to individually configure it further.