
DO NOT REPRINT

© FORTINET

FortiManager 5.4.2
Study Guide
for FortiManager 5.4.2

Table of Contents

1 Introduction and Initial Configuration ......... 3
2 Administration and Management ................. 41
3 Device Registration ........................... 91
4 Device Level Configuration and Installation .. 131
5 Policy and Objects ........................... 189
6 Manager Panes ................................ 248
7 Diagnostics and Troubleshooting .............. 295
8 Advanced Configuration ....................... 342
Appendix A: Additional Resources ............... 398


 Introduction and Initial Configuration


In this lesson, you will learn the basics of FortiManager. This includes how FortiManager fits into your existing
network architecture.

FortiManager provides centralized policy provisioning, configuration, and update management for various
Fortinet security devices, such as FortiGate, FortiWiFi, FortiCarrier, and FortiSwitch devices.

FortiManager 5.4.2 Study Guide 3



In this lesson, we will explore the following topics:

• Key Features
• Key Concepts
• Initial Configuration

Let’s begin by looking at the key features.


After completing this section, you should be able to:

• Describe the purpose of FortiManager
• Describe FortiManager key features
• Describe the FortiMeter program and who should enroll
• Describe the purpose of administrative domains (ADOMs) and when you might use them
• Identify which devices are supported by FortiManager

By demonstrating competence in using FortiManager’s key features, you will be able to use the device
effectively in your own network.


When should you use FortiManager in your network?

In large enterprises and managed security service providers (MSSPs), the size of the network introduces
challenges that smaller networks don’t have: mass provisioning; scheduling rollout of configuration changes;
and maintaining, tracking, and auditing many changes.

Centralized management through FortiManager can help you to more easily manage many deployment types
with many devices, and to reduce cost of operation.

What can FortiManager do?

• Provision firewall policies across your network
• Act as a central repository for configuration revision control and security audits
• Deploy and manage complex mesh and star IPsec VPNs
• Act as a private FortiGuard distribution server (FDS) for your managed devices and FortiClient installations
• Script and automate device provisioning, policy changes, and more with JSON APIs


FortiManager can help you to better organize and manage your network. Key features of FortiManager
include:

• Centralized management: Instead of logging in to hundreds of FortiGates individually, you can use
FortiManager to manage them all from a single console.
• Administrative domains (ADOMs): FortiManager can group devices into geographic or functional ADOMs,
ideal if you have a large team of network security administrators.
• Configuration revision control: Your FortiManager keeps a history of all configuration changes. You can
schedule FortiManager to deploy a new configuration or revert managed devices to a previous
configuration.
• Local FortiGuard service provisioning: To reduce network delays and minimize Internet bandwidth usage,
your managed devices can use FortiManager as a private FortiGuard Distribution Network (FDN) server.
• Firmware management: FortiManager can schedule firmware upgrades for managed devices.
• Scripting: FortiManager supports CLI-based and TCL-based scripts for configuration deployments.
• Pane Managers (VPN, FortiAP, and FortiClient): FortiManager management panes simplify the
deployment and administration of VPN, FortiAP, and FortiClient.
• Logging and reporting: Managed devices can store logs on FortiManager. From that log data, you can
generate SQL-based reports, because FortiManager has many of the same logging and reporting features
as FortiAnalyzer.
• Pay-as-you-go licensing: Fortinet VMs are now available through the Fortinet VM on-demand program.


The Fortinet VM on-demand program is a new program designed to provide large MSSPs with a cost-effective
way of managing their clients’ security needs. The program also helps MSSPs avoid the extra overhead of
perpetual licenses that may not be required all the time.

The metering module in FortiManager is used to register with the Fortinet VM on-demand program. The
FortiOS-VM is a separate, standalone FortiGate VM designed to work with the FortiManager metering module.
The FortiManager metering module reports the traffic volume handled by this special FortiOS-VM to
FortiGuard or FortiCare, which manages the point calculations.


Administrative domains (ADOMs) enable the admin administrator to create groupings of devices for
administrators to monitor and manage. For example, administrators can manage devices specific to their
geographic location or business division.

The purpose of ADOMs is to divide administration of devices by ADOM and to control (restrict) administrator
access. If virtual domains (VDOMs) are used, ADOMs can further restrict access to only data from a specific
device’s VDOM.


What devices does FortiManager support? You can configure FortiManager to work with many Fortinet
devices, such as FortiGate, FortiAnalyzer, and FortiMail.

Although FortiManager can support multiple Fortinet security products and different firmware versions of
these products, it is always good practice to check the Release Notes for specific details on product
integration and support.

Release notes are available at: http://docs.fortinet.com/


Good job! You now understand FortiManager’s key features.

Now, let’s explore FortiManager’s key concepts.


After completing this section, you should be able to:

• Identify the commonalities between FortiManager and FortiAnalyzer
• Understand the management module framework
• Describe the management task cycle

By demonstrating competence in FortiManager’s key concepts, you will be able to use FortiManager more
effectively in your network.


FortiManager and FortiAnalyzer have the same hardware and software platform. Like FortiAnalyzer,
FortiManager can also act as a logging and reporting device, but there are logging rate restrictions.

FortiManager can be used as a fully functional logging and reporting device for low volumes of logs, but it
needs to use some of its system resources for other features, such as configuration management.

If you have high log volumes, you should use a dedicated FortiAnalyzer.


Inside FortiManager there are management layers that are represented as panes in the GUI. For example, the
device management module is represented by the Device Manager pane, which you use to perform revision
history and scripting.

Let’s look at the management layers in more detail.


To organize and efficiently manage a large scale network, FortiManager has multiple layers:

• The Global ADOM layer has two key pieces: the global object database, and all header and footer policy
packages. Header and footer policy packages envelop each ADOM’s policies. An example of where this
would be used is in a carrier environment, where the carrier allows customer traffic to pass through their
network, but would not allow the customer to have access to the carrier’s network infrastructure.
• The ADOM layer is where policy packages are created, managed, and installed on managed devices or
device groups. Multiple policy packages can be created here. The ADOM layer has one common object
database for each ADOM. The database contains information such as addresses, services, and security
profiles.
• The Device Manager layer records information on devices that are centrally managed by the FortiManager
device, such as the name and type of device, the model, IP address, current firmware installed, revision
history, and real-time status.

Let’s look at how these layers are related.


Understanding the layers of FortiManager’s device management model is important.

• In the Global ADOM layer, you create header and footer policy rules. These policy rules can be assigned to
multiple ADOMs. If multiple ADOM policy packages require the same policies and objects, you can create
them in this layer, so that you don’t have to maintain copies in each ADOM.
• In the ADOM layer, objects and policy packages in each ADOM share a common object database. Policy
packages can be created, or they can be imported from and installed on many managed devices at once.
• In the Device Manager layer, device settings can be configured and installed per device. If a configuration
change is detected (whether the change is made locally on the device or on FortiManager), FortiManager
compares the current configuration revision to the changed configuration, and creates a new configuration
revision on FortiManager. Whether the configuration change is big or small, FortiManager records it and
saves the new configuration. This can help administrators to audit configuration changes, and to revert to a
previous revision, if required.


When you use FortiManager to centrally manage your Fortinet devices, the workflow usually follows this
pattern:

1. Deployment: An administrator configures the Fortinet devices after initial network installation.
2. Monitoring: The administrator monitors the status and health of devices in the security infrastructure,
including resource monitoring and network usage. External threats to your network infrastructure can be
monitored and alerts generated to advise.
3. Maintenance: The administrator performs configuration updates as needed to keep devices up-to-date.
4. Upgrading: Virus definitions, attack and data leak prevention signatures, web and email filtering services,
and device firmware images are all kept current to provide continuous protection.

FortiManager can help reduce workload in each of these phases.


Good job! You now understand FortiManager’s key concepts.

Now, let’s examine how to initially configure FortiManager.


After completing this section, you should be able to:

• Identify TCP and UDP ports used by FortiManager
• Access your FortiManager
• Identify the tools you can use to configure FortiManager
• Configure FortiManager for your network
• Enable FortiAnalyzer features on FortiManager
• Identify the FortiManager feature panes used to implement key features

By demonstrating competence in FortiManager’s initial configuration, you will be able to add FortiManager to
your network and perform basic administrative tasks.


Often, your first consideration is, “Where should I put FortiManager in my network?”

Typically, you should deploy FortiManager behind a firewall, such as FortiGate. On the perimeter firewall,
allow only relevant ports in the firewall policy for FortiManager as a security consideration. If administrators or
remote FortiGates will make inbound connections to FortiManager from outside your administrative subnet,
such as from the Internet, create a virtual IP.

To safeguard against losing access if your network is down, connect your management computer directly to
FortiManager, or through a switch.


FortiManager uses many TCP and UDP ports for its tasks. Only the most common default ports used by
FortiManager are listed in the table on this slide. In addition, FortiManager uses standard management ports
such as:

HTTP    port 80 (TCP)
HTTPS   port 443 (TCP)
SSH     port 22 (TCP)
TELNET  port 23 (TCP)

Especially if your FortiManager is deployed behind a firewall, it is always good to know what ports are being
used. This can help you to analyze, diagnose, and resolve common network issues.


Before reviewing the configuration settings, it is necessary to discuss the importance of security. Your
FortiManager manages all your Fortinet network security devices, so it is vital that data is properly protected.

Here are some security recommendations:

• Deploy your FortiManager in a protected and trusted private network. It should never be deployed directly
on the internet.
• Always use secure connection methods to do administration: HTTPS for Web-based management or SSH
for the CLI. Insecure methods (like HTTP or telnet) are plain text, so an attacker can use packet sniffing
tools to obtain information that can be used to breach your network.
• Configure trusted hosts for your administrator accounts and only allow logins from specific locations. If you
do need to open outside access to the device so that remote FortiGates or other devices can connect, only
open the ports necessary for this. Each additional open port increases your security risk. If you need to open
direct login access from the outside, be sure to set up dedicated administrator accounts for this and only open
protocols that are secure. Strong passwords should also be used, because they matter as soon as traffic
crosses connections where anyone could be listening (that is, the Internet).


It is important to know the factory default settings, such as the default user name and password, the port 1 IP
address, netmask, and default supported management access protocols, so that you can initially connect to
your management computer and configure FortiManager for your network.

You can find the default settings in your model-specific Quick Start Guide. Different FortiManager models
have different numbers of ports, but port 1 is the management port and will always have this default IP.

To log in to the FortiManager GUI for the first time, open a browser and enter the URL https:// followed by
<the factory default IP address>. Once the login screen appears, use the factory default
administrator credentials to log in: the user name admin (in lower case) and a blank password.


Just like the FortiGate, the graphical user interface (GUI) and command line interface (CLI) are the two
configuration tools you can use to configure and manage FortiManager. You can use both tools locally, by
connecting directly to FortiManager, and remotely, based on your configured settings. (You can deny or
permit access based on IP address.) When you use the CLI, you can execute commands through the CLI
Console widget, available in the GUI dashboard, and through a terminal emulation application, such as
PuTTY. Using PuTTY requires a separate Telnet, SSH, or local console connection.

The FortiManager features available in the GUI and CLI depend on the administrator profile of the account
logged in, and on whether FortiAnalyzer features are enabled. When FortiAnalyzer features are disabled, the
GUI doesn’t include FortiView, Log View, Event Monitor, or Reports. Also, if you are logged in with the
Standard_User or Restricted_User administrator profile, full access privileges, like those granted to
the Super_User profile, are not available. The CLI also includes some settings that are not available through
the GUI.

Any configuration changes made using the GUI and CLI take effect immediately.


Under the System Settings > Dashboard, you can see system resources and other widgets, which include:

• System Information, which displays basic information about the FortiManager system, such as up time
and firmware version. You can also enable or disable Administrative Domain and FortiAnalyzer
Features.
• System Resources displays the real-time and historical usage status of the CPU, memory, and hard disk.
• License Information displays the number of devices being managed by the FortiManager and the
maximum numbers of devices allowed. You can also manually upload a license for FortiManager VM
systems.
• Unit Operation displays status and connection information for the ports of the FortiManager device. It also
enables you to shut down and restart the FortiManager, or reformat a hard disk.
• CLI Console opens a terminal window that enables you to configure the FortiManager using CLI
commands, directly from the GUI.
• Alert Message Console displays log-based alert messages for both the FortiManager and connected
devices.


Remember, the default login is publicly available knowledge. Never leave the default password blank! Your
network is only as secure as your FortiManager’s admin account. Before you connect your FortiManager to
your network, you should set a complex password. You should also restrict access, so that FortiManager
allows administrative connections from only your local console or management subnet.


The initial configuration of FortiManager is very similar to FortiGate. In order to configure FortiManager for
your network, you must set the IP address and netmask, select supported administrative access protocols,
and specify a default gateway for routing packets. You can do all this from the Network page.

Port1, the management interface, has a default IP address and netmask of 192.168.1.99/24. If your
management subnet is different, or uses IPv6, change these settings. The IP address must be a unique static
IP address. Also enter the IP address of the next-hop router in Default Gateway, and specify your DNS
servers. By default, FortiGuard DNS servers are configured in the DNS server settings, to help guarantee
connectivity for FortiGuard downloads and queries, but you can specify a local DNS server instead.

Service access allows you to enable FortiManager’s response to the requests from managed devices for
FortiGuard services on this interface. This includes FortiGate updates, and web filtering. By default, all
services to managed devices are enabled on port1, and disabled on other ports.
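The security recommendations earlier in this lesson (HTTPS and SSH only, trusted hosts on administrator accounts) and the network settings on this slide (a unique static address on port1 instead of the factory default) can be checked mechanically against a configuration export. The following is an added example written for this study guide, not Fortinet code: it parses a constructed configuration excerpt written in the Fortinet CLI style (config / edit / set / next / end) and reports the settings that contradict those recommendations. The section names and keywords (system interface, allowaccess, trusthost1, serviceaccess) are assumptions modelled on that style, and the sample text is constructed rather than taken from a real unit.

```python
"""Audit a FortiManager-style CLI configuration excerpt for the hardening
points in this lesson: plaintext management protocols, the factory default
port1 address, and administrator accounts without trusted hosts.

The config text and keyword names are an assumption modelled on the Fortinet
CLI style, not an extract from a real device."""

from collections import defaultdict

FACTORY_DEFAULT_IP = "192.168.1.99"       # default port1 address named in the lesson
PLAINTEXT_PROTOCOLS = {"http", "telnet"}  # carry credentials unencrypted

# Constructed sample configuration (not from a real FortiManager).
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh http telnet
        set serviceaccess fgtupdates webfilter
    next
    edit "port2"
        set ip 10.0.5.20 255.255.255.0
        set allowaccess https ssh
    next
end
config system admin user
    edit "admin"
        set profileid "Super_User"
    next
    edit "noc-ops"
        set profileid "Standard_User"
        set trusthost1 10.0.5.0 255.255.255.0
    next
end
"""


def parse_cli_config(text):
    """Return {section: {entry_name: {key: [values]}}} for a config/edit/set tree.

    Only the one-level nesting used in the sample is handled (a 'config'
    block containing 'edit' entries), which covers interfaces and admin users."""
    tree = defaultdict(dict)
    section = entry = None
    for raw in text.splitlines():
        tokens = raw.strip().split()
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        if keyword == "config":
            section = " ".join(args)
        elif keyword == "edit" and section is not None:
            entry = args[0].strip('"')
            tree[section][entry] = defaultdict(list)
        elif keyword == "set" and entry is not None:
            tree[section][entry][args[0]] = [a.strip('"') for a in args[1:]]
        elif keyword == "next":
            entry = None
        elif keyword == "end":
            section = entry = None
    return tree


def audit_config(text):
    """Return a list of (severity, message) findings, interfaces first, then admins."""
    tree = parse_cli_config(text)
    findings = []
    for name, settings in tree.get("system interface", {}).items():
        bad = PLAINTEXT_PROTOCOLS & set(settings.get("allowaccess", []))
        if bad:
            findings.append(("high", f"{name}: plaintext admin access enabled: "
                                     f"{', '.join(sorted(bad))}"))
        if settings.get("ip", [None])[0] == FACTORY_DEFAULT_IP:
            findings.append(("medium", f"{name}: still uses factory default IP "
                                       f"{FACTORY_DEFAULT_IP}"))
    for name, settings in tree.get("system admin user", {}).items():
        if not any(key.startswith("trusthost") for key in settings):
            findings.append(("high", f"admin user {name}: no trusted hosts, "
                                     "logins accepted from any address"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_config(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run against the sample, the audit flags port1 for http and telnet in allowaccess and for the unchanged factory address, and flags the admin account for having no trusthost entries; port2 and the noc-ops account pass. The same loop can be pointed at a full configuration backup, since the parser ignores sections it does not know.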


Depending on your network, you can configure additional interfaces, and you can configure static routes (IPv4
or IPv6) to a different gateway, so that packets are delivered by a different route.


The FortiManager feature panes include:

• The Device Manager pane, where you can add, configure, and manage devices.
• The Policy & Objects pane, which contains all of the policy packages and objects that apply to the current
ADOM.
• The AP Manager pane, where you can centrally manage FortiAP.
• The FortiClient Manager pane, where you can centrally manage FortiClient profiles for multiple FortiGate
devices, and monitor FortiClient endpoints connected to those FortiGate devices.
• The VPN Manager pane, where you can enable and use central VPN management.
• The FortiGuard pane, where you can set up your FortiManager as a private FortiGuard Distribution Server
(FDS). FortiManager synchronizes its local copy of packages with Fortinet’s global FortiGuard Distribution
Network (FDN), and then provides FortiGuard updates to your managed devices. Using a private FDS
provides a faster connection to your security infrastructure.
• The Systems Settings pane, where you can configure FortiManager system related configuration such as
network settings, ADOMs, administrators, and so on.

When the FortiAnalyzer feature set is enabled on FortiManager, you’ll also have these panes:

• The FortiView pane, which provides summaries of log data. For example, you can view top threats to your
network, top sources and destinations of network traffic to name a few.
• The Log view pane, which offers log messages from managed devices. You can view the traffic log, event
log, or security log information.
• The Event Monitor pane, where you can configure event handlers based on the log type and logging
filters, and specify whether to notify an email address, SNMP server, or Syslog server.
• The Reports pane, which provides reports based on logs from devices.


If you want to enable FortiManager to act as a logging and reporting device, you can do that on the
FortiManager dashboard or use the CLI. Remember that logging rate restrictions apply. Also, FortiManager
will require additional resources (CPU, memory, disk) to process logs and reports.

Determine your network’s maximum logging rate before enabling this feature in order to verify that no logs will
be dropped.

Your FortiManager will reboot to apply these changes. Then, the following tabs will appear:

• FortiView
• Log View
• Event Monitor
• Reports


Similar to FortiOS, you can use the CLI commands shown on this slide to examine or troubleshoot general
issues on FortiManager. For example, you can view the general status, interface, and DNS settings of
FortiManager.


You can use this command to get basic FortiManager system information, which can be useful for
troubleshooting, such as:

• Version: Ensure the FortiManager firmware version is compatible with the device you are registering (see
the FortiManager Release Notes for supported firmware versions)
• Admin Domain Configuration: Ensure ADOMs are enabled if attempting to register a non-FortiGate device.
Also, it shows you how many ADOMs are supported on the FortiManager model.
• Current Time: Ensure the date and time are set according to your needs. For many features to work,
including scheduling, FortiManager-FortiGate tunnel negotiations, and logging features, the FortiManager
system time must be accurate. While you can manually set the date and time, you should synchronize with
a Network Time Protocol (NTP) server.
• License Status: Ensure you have a valid license.
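The four checks in the list above can be applied to the command’s output rather than read by eye, which is useful when you are registering devices in bulk. The following is an added example written for this study guide, not Fortinet code. The status text it parses is a constructed sample laid out in the key : value style of the FortiManager status command (assumed here to be get system status); the field names, version string and serial number are assumptions, not output from a real unit, and the set of supported firmware versions is a placeholder to be filled from the FortiManager Release Notes.

```python
"""Evaluate the status-output checks from this slide: firmware version,
ADOM state, clock accuracy and license validity.

SAMPLE_STATUS is a constructed sample in the 'Key : Value' layout of the
FortiManager status command (assumed to be 'get system status'); the field
names and values are assumptions, not output from a real unit."""

from datetime import datetime, timedelta
import re

# Constructed sample output (not from a real FortiManager).
SAMPLE_STATUS = """\
Platform Type                   : FMG-VM64
Version                         : v5.4.2-build1151 170124 (GA)
Serial Number                   : FMG-VM0000000001
Hostname                        : FortiManager
Max Number of Admin Domains     : 10000
Admin Domain Configuration      : Disabled
HA Mode                         : Stand Alone
Current Time                    : Fri Jan 27 10:00:00 PST 2017
Time Zone                       : (GMT-8:00) Pacific Time (US & Canada).
License Status                  : Valid
"""


def parse_status(text):
    """Turn 'Key : Value' lines into a dict; the first colon is the separator,
    so values that themselves contain colons (times, zones) stay intact."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def firmware_version(fields):
    """Return ('major.minor', build) from a 'vX.Y.Z-buildNNNN ...' Version field."""
    match = re.search(r"v(\d+)\.(\d+)\.(\d+)-build(\d+)", fields.get("Version", ""))
    if not match:
        return None, None
    return f"{match.group(1)}.{match.group(2)}", int(match.group(4))


def system_time(fields):
    """Parse 'Fri Jan 27 10:00:00 PST 2017' as a naive datetime.

    The zone abbreviation is dropped because strptime cannot portably
    resolve names like PST; callers pass a reference time in the same zone."""
    parts = fields.get("Current Time", "").split()
    if len(parts) != 6:
        return None
    stamp = " ".join(parts[:4] + parts[5:])
    return datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")


def check_status(text, reference_time, supported_versions,
                 non_fortigate_device=False, max_drift=timedelta(minutes=5)):
    """Return a list of findings (empty when every check passes).

    supported_versions: 'major.minor' strings taken from the Release Notes
    for the device you are registering (placeholder values in the test)."""
    fields = parse_status(text)
    findings = []
    version, _ = firmware_version(fields)
    if version not in supported_versions:
        findings.append(f"version {version} not in supported list {sorted(supported_versions)}")
    if non_fortigate_device and fields.get("Admin Domain Configuration") != "Enabled":
        findings.append("ADOMs disabled: enable them before registering a non-FortiGate device")
    now = system_time(fields)
    if now is None:
        findings.append("could not parse Current Time")
    elif abs(now - reference_time) > max_drift:
        findings.append(f"clock off by {abs(now - reference_time)}; synchronize with NTP")
    if fields.get("License Status") != "Valid":
        findings.append(f"license status is {fields.get('License Status', 'missing')}")
    return findings


if __name__ == "__main__":
    reference = datetime(2017, 1, 27, 10, 12, 0)  # constructed NTP-trusted time
    for finding in check_status(SAMPLE_STATUS, reference, {"5.4"}, non_fortigate_device=True):
        print("-", finding)
```

With the constructed sample and a reference clock twelve minutes ahead, the check reports the disabled ADOMs (only because a non-FortiGate device is being registered) and the clock drift; version and license pass. Passing a reference time within five minutes and a FortiGate registration yields no findings.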


Good job! You now understand how to initially configure FortiManager.

Now, let’s examine some of the use cases for FortiManager, based on different organizations.


After completing this section, you should be able to:


• Identify FortiManager use cases based on different requirements

By understanding FortiManager use cases, you will be able to see the different ways in which FortiManager is
commonly used in other organizations and, if warranted, employ some of these strategies.


One common FortiManager use case involves large retail customers or distributed enterprises, because they
tend to have many smaller customer premises equipment (CPE) devices in their branches, plus remote sites,
and several main sites. These customers benefit from centralized firewall provisioning and monitoring.

In large scale enterprise deployments, administrators usually prefer a basic initial configuration that the
installation technician loads through a USB, or copies and pastes into the console. This basic configuration
allows the FortiGate to contact a FortiManager, where the administrator can add it to the appropriate device
group and/or ADOM, then send the full configuration to that FortiGate.


Another common use case involves managed security service providers (MSSPs).

Carriers often may have many powerful firewalls and require strict configuration control, which is achievable
by restricting configuration from the FortiManager. MSSPs may subdivide their firewalls into virtual firewalls
that they provide to customers, or they may manage devices on customer premises. In both cases, they need
to maintain configuration revisions for the customer, and, optionally, provide a portal where customers can
view or edit some of their settings.

Another important use case for MSSPs is being able to determine (or report) which firewall or configuration
objects are in use or not in use. Firewall policies change over time and associated objects are substituted for
other new objects. However, administrators often want to keep the old objects temporarily, in case they need
to revert changes. Eventually, unused objects clutter the FortiGate’s configuration, making it harder to
understand and troubleshoot. So, performing periodic clean-ups of these orphan configuration objects is
useful.

Now able to meet the demand for pay-as-you-go service models, FortiManager allows MSSPs to avoid the
overhead of perpetual licenses through the use of the Fortinet VM On-Demand Program.


As you can see, different organizations may use FortiManager’s ADOMs and policy packages differently. In a
retail organization, you may have a single ADOM with many FortiGates, or multiple ADOMs with one
FortiGate each. In MSSPs, each customer’s FortiGate devices are placed in their own ADOM.

We will cover these topics in detail so you can have the practical skills necessary to manage devices for
diverse organizations.


MSSPs often use APIs, too. There are three APIs available on FortiManager.

• SDK API – This API was originally designed to allow the creation of web portals, or to integrate a Web
portal into an existing system.
• JSON API – A new addition in FortiManager 5.0, this API allows you to do many of the same tasks as the
FortiManager GUI. It allows MSSPs and large enterprises to create customized, branded Web portals for
policy and object administration.
• XML API – This API enables you to retrieve information about managed devices, execute scripts to
modify device configurations, and install the modified configurations on the devices. It is designed to allow
for quick provisioning of ADOMs, devices, and scripts on a FortiManager.

The Fortinet Developer Network (FNDN) provides access tools, sample code, documentation, and the Fortinet
developer community, when you subscribe.


Congratulations! You have completed this lesson.


This lesson covered the following objectives:


• Identify key features of FortiManager
• Describe the purpose of ADOMs
• Describe the FortiMeter program and who should enroll
• Identify which devices are supported by FortiManager
• Identify commonalities between FortiManager and FortiAnalyzer
• Describe the management module framework
• Access your FortiManager for the first time
• Identify the tools you can use to configure FortiManager
• Add FortiManager to your network
• Enable FortiAnalyzer features
• Identify FortiManager use cases
• Identify the APIs supported by FortiManager


 Administration and Management


In this lesson, we will show you how to set up and administer FortiManager. We will also show you how to use
features that are critical to day-to-day use, such as ADOMs, event monitoring, backup, and restore.


In this lesson, we will explore the following topics:

• ADOMs
• Administrator accounts
• Concurrent administrators
• ADOM best practices and troubleshooting
• Backup and restore
• Monitoring events

Let’s begin by looking at ADOMs.


After completing this section, you should be able to:

• Describe the purpose of ADOMs
• Describe the differences between ADOM modes
• Identify the purpose of ADOM device modes and when you might use them

By demonstrating competence in ADOMs, you will be able to organize FortiGate devices effectively within
FortiManager.


ADOMs enable the admin administrator to create groupings of devices for administrators to monitor and
manage. For example, administrators can manage devices specific to their geographic location or business
division. The purpose of ADOMs is to divide administration of devices by ADOM, and to control (restrict)
administrator access.

ADOMs are not enabled by default and can only be enabled (or disabled) by the admin administrator or an
administrator with Super_User profile. Once you change the ADOM mode, you are logged out so the system
can reinitialize with the new settings. When you log in with ADOMs enabled, you must select the ADOM you
want to view from your list of configured ADOMs. You can easily switch between ADOMs by clicking on the
ADOM list in the top-right corner of the GUI.

Remember, the maximum number of ADOMs varies by FortiManager physical model or VM license.


When you configure ADOMs, you can choose between two modes: normal or backup.

In normal mode, you can make configuration changes to an ADOM and the managed devices.

The main purpose of backup mode is to back up the configuration changes made directly on the managed
device.


By default, ADOMs are in normal mode and all panes are available. The ADOM is read-write, which allows
you to make configuration changes to managed devices stored in the ADOM database and then install those
changes on the managed devices.

What if you need to make configuration changes directly on the managed device?

You can make configuration changes directly on each managed device, through the FortiGate CLI or GUI.
This triggers the FortiGate to automatically update its revision history on FortiManager.


What if managed device configuration changes always need to be made directly on the device and you want
to use FortiManager for only revision control and tracking purposes?

In this case, you can configure the ADOM in backup mode.

When in backup mode, the ADOM is read-only, so the Device Manager pane is restricted. You can add and
delete devices, but the device-level settings are not available for configuration and installation. For the same
reason, other panes such as Policy & Objects, AP Manager, and VPN Manager are not available.

However, you can use the script feature on FortiManager to make configuration changes to managed
devices. If changes are made directly on the managed device, those changes need to meet specific
conditions in order to trigger the device to back up its configuration to FortiManager.


An ADOM has two device modes: normal, which is the default mode, and advanced. In normal mode, you
cannot assign different FortiGate virtual domains (VDOMs) to different FortiManager ADOMs.

What if you are an MSSP, you have FortiGate VDOMs for different customers, and want to separate those
VDOMs in different ADOMs?

In advanced mode, you can assign different VDOMs from the same FortiGate device to different ADOMs. This
setting is applied globally to all ADOMs. This results in more complicated management scenarios. It is
recommended for advanced users only.


Which devices should be in each ADOM?

Use a scheme that simplifies management. For example, you could organize your devices by:

• Firmware version: You can group all devices with the same firmware version in the same ADOM. For
example, if FortiGate devices are running firmware version 5.4, you can group these devices in a version 5.4
ADOM.
• Geographic regions: You can group all devices for a specific geographic region into an ADOM, and devices
for a different region into another ADOM.
• Assigned administrators: You can group devices into separate ADOMs and assign them to specific
administrators.
• Customers: You can group all devices for one customer into an ADOM, and devices for another customer
into another ADOM.
• Device type: You can create a separate ADOM for each device type. Non-FortiGate devices are
automatically located in specific ADOMs for their device type. They cannot be moved to other ADOMs.
• Organizational needs: You can separate production and test network FortiGate devices into separate
ADOMs.

When organizing managed FortiGate devices, always group based on the FortiOS firmware version first. Valid
command syntax varies by firmware versions, which affects script compatibility and other features. For
example, if you are grouping based on geographic region and have FortiGate devices running FortiOS 5.2 and
5.4 firmware in the same region, you should create two ADOMs based on the firmware version for that
geographic region. Then, you would assign both ADOMs to the administrator for that region.


With ADOMs enabled, administrators with the Super_User profile have access to the All ADOMs page,
where all default ADOMs and custom ADOMs created by the administrator appear. Other administrators can
be restricted to only have access to one or more specific ADOMs.

FortiGate ADOMs are grouped together. If the default ADOMs do not fit your requirements, you can create
your own. While you can edit these default ADOMs, you cannot edit their device type or firmware version.
This is because, internally, the database structure depends on the types of data that FortiManager needs to
store for that device type or firmware version.

The ADOM type you create must match the device type you are adding. For example, if you want to create an
ADOM for a FortiGate, you must select FortiGate as the ADOM type. With FortiGate ADOMs specifically, you
must also select the firmware version of the FortiGate device.

Different firmware versions have different features, and therefore different CLI syntax. Your ADOM setting
must match the device’s firmware.

The default ADOM mode is Normal. Under Central Management, you can enable VPN to centrally manage
IPsec VPNs or you can enable WAN Link Load Balance, which allows you to monitor load-balancing
profiles of all managed devices in that ADOM.

The maximum number of ADOMs you can create varies by FortiManager model.


Good job! You now understand ADOMs.

Now, let's examine administrator accounts in FortiManager.


After completing this section, you should be able to:


• Differentiate system administrators from restricted administrators
• Control or restrict administrative access using admin profiles, trusted hosts, and ADOMs
• Validate administrators using external servers
By demonstrating competence in using administrative access controls, you will be able to better safeguard the
administration and management of your FortiManager device and the managed devices.


In order to efficiently administer your system, FortiManager comes with four pre-installed default profiles that
you can assign to other administrative users. Administrator profiles define administrator permissions and are
required for each administrative account. The four default profiles are:

• Package User: provides read/write access to policy package and objects permissions, but read-only
access for system and other permissions
• Restricted_User: provides read-only access to device permissions, but not system permissions
• Standard_User: provides read and write access to device permissions, but no system permissions
• Super_User: provides access to all device and system permissions, like a FortiGate

You can assign the default profiles to administrative accounts, or you can modify the individual permissions
associated with each default profile. Alternatively, you can create your own custom profile.


You can customize both administrator profile types: system admin and restricted admin.

For the system admin type, you can modify one of the predefined profiles, or create a custom profile. Only
administrators with full system permissions can modify administrator profiles. Depending on the nature of the
administrator’s work, access level, or seniority, you can allow them to view and configure as much, or as little,
as required.

For restricted admin, you can create a new restricted administrator profile to allow the delegated administrator
to make changes to the web filtering profile, IPS sensor, and application sensor associated with their ADOM.


Depending on your deployment, you may want to divide FortiManager administrative tasks among multiple
employees by creating additional administrative accounts.
In order to protect your network, you can control and restrict administrative access using the following
methods:

• Administrative profiles
• ADOMs
• Trusted hosts


In addition to controlling administrative access through administrator profiles, you can further control access
by setting up trusted hosts for each administrative user. This restricts administrators to logins from specific IPs
or subnets only. You can even restrict an administrator to a single IP address if you define only one trusted
host IP address.

The trusted hosts you define apply to both the GUI and the CLI when accessed through SSH.


Another way you can control administrative access is through ADOMs. This makes device management more
effective, as administrators need to monitor and manage devices in only their assigned ADOM. It also makes
the network more secure, as administrators are restricted to only those devices to which they should have
access.

Administrators who have the Super_User profile have full access to all ADOMs, whereas administrators with
any other profile have access only to those to which they are assigned—this can be one or more.


Instead of creating local administrators, where logins are validated by FortiManager, you can configure
external servers to validate your administrator logins. RADIUS, LDAP, TACACS+, and PKI can all be used as
a means of verifying the administrator credentials.
To configure two-factor authentication, you also require FortiAuthenticator and FortiToken. See the
FortiManager Administration Guide for more details.


To track administrator user sessions, including who is currently logged in and through which trusted host,
select System Settings > Admin > Administrator. Only the default admin administrator or an administrator
with the Super_User profile can see the complete list of administrators.


Good job! You now understand administrator accounts.

Now, let's examine concurrent administrators in FortiManager.


After completing this section, you should be able to:


• Identify the potential issues that can be caused by concurrent ADOM access
• Describe the purpose of ADOM locking and when to use it
By demonstrating competence in using ADOM locking, you will be able to better safeguard the administration
and management of your FortiManager device and the managed devices.


By default, multiple administrators can access the same ADOM concurrently, because workspace mode is
disabled.

Usually, this is OK, especially if you’ve used administrator profiles with non-overlapping permissions. The
probability of two people changing the same setting in a network with hundreds of complex devices is small,
but it is still possible.


What if multiple administrators try to change the same devices, at the same time, but make different changes?

This can cause conflicts: one administrator’s changes will be overwritten by the other administrator’s changes.
If conflicts are likely to occur for you, you can use the CLI to enable workspace mode and prevent concurrent
ADOM access.

Workspace mode allows administrators to lock their ADOM. While an ADOM is locked, only the single
administrator holding the lock has read/write access to it, and all other administrators have read-only access.


When workspace is enabled, how do you use it?

1. Prior to making changes, Admin A locks the ADOM. A green lock icon appears. Admin A now has read-
write access and can make changes to the managed devices in that ADOM.
2. During this time, Admin B sees a red lock icon on the ADOM. Admin B has read-only access to that
ADOM, and cannot make changes.
3. When Admin A finishes making changes, they save the changes and then unlock the ADOM. The icon
changes to a grey unlocked icon. Admin B sees that the ADOM is now available for use.
4. Now Admin B locks the ADOM, and again the lock icon changes to green. Admin B now has read-write
access, and can safely make changes without risk of conflicts.


When workspace is enabled, the ADOM is initially read-only. To enable read-write permission, and be able to
make changes to the ADOM, you must lock the ADOM.

You can lock the ADOM from the top-right corner of the GUI. Once you lock the ADOM, you can safely make
changes to the settings of the managed devices in that ADOM without worrying about conflicts. If you make
changes to the managed device configuration or policy packages, you must save the changes before
attempting to install them. Other administrators can't make changes to the ADOM because they have read-only
permissions.

There are three lock status icons:

• Grey Lock icon: The ADOM is currently unlocked. To make changes, you must first lock the ADOM.
• Green Lock icon: The ADOM is locked by you. You can make changes in that ADOM.
• Red Lock icon: The ADOM is locked by another administrator. You must wait for them to finish and unlock
the ADOM.
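The four-step walkthrough and the three lock icons above, as an added Python model written for this section (it is not FortiManager code): one administrator holds the lock and can write, everyone else is read-only, and changes must be saved before they can be installed. The ADOM name, the administrator names, and the rule that unlocking requires a prior save are assumptions of this model.

```python
"""Illustrative model of ADOM locking in workspace mode.

Added example for this section, not FortiManager code. It encodes the rules
described above: the ADOM starts read-only, one administrator at a time holds
the lock and gets read-write access, everyone else is read-only, and changes
must be saved before they are installed. Requiring a save before unlocking
(step 3 of the walkthrough) is this model's assumption.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

GREY, GREEN, RED = "grey", "green", "red"   # lock icons shown in the GUI


class AdomLockError(Exception):
    """An operation that the workspace locking rules do not allow."""


@dataclass
class Adom:
    name: str
    locked_by: Optional[str] = None                 # holder of the lock, if any
    unsaved: int = 0                                # edits not yet saved
    history: List[Tuple[str, str]] = field(default_factory=list)

    def icon(self, viewer: str) -> str:
        """Grey: unlocked; green: locked by the viewer; red: locked by someone else."""
        if self.locked_by is None:
            return GREY
        return GREEN if self.locked_by == viewer else RED

    def lock(self, admin: str) -> None:
        """Take the lock; fails while another administrator holds it."""
        if self.locked_by not in (None, admin):
            raise AdomLockError(f"{self.name} is locked by {self.locked_by}")
        self.locked_by = admin

    def _require_lock(self, admin: str) -> None:
        if self.locked_by != admin:
            raise AdomLockError(f"{admin} has read-only access to {self.name}")

    def change(self, admin: str, what: str) -> None:
        """Edit device settings or a policy package in the ADOM database."""
        self._require_lock(admin)
        self.unsaved += 1
        self.history.append((admin, what))

    def save(self, admin: str) -> None:
        """Commit pending edits to the ADOM database."""
        self._require_lock(admin)
        self.unsaved = 0

    def install(self, admin: str) -> None:
        """Push the ADOM database to managed devices; unsaved edits block it."""
        self._require_lock(admin)
        if self.unsaved:
            raise AdomLockError("save changes before installing")

    def unlock(self, admin: str) -> None:
        """Release the lock (model assumption: only after saving)."""
        self._require_lock(admin)
        if self.unsaved:
            raise AdomLockError("save changes before unlocking")
        self.locked_by = None


def walkthrough() -> List[str]:
    """Replay the four-step Admin A / Admin B scenario from the text."""
    adom, seen = Adom("Branch_Offices"), []          # constructed ADOM name
    adom.lock("Admin A")                                              # step 1
    seen.append(f"A:{adom.icon('Admin A')} B:{adom.icon('Admin B')}")
    adom.change("Admin A", "edit policy package")
    try:                                                              # step 2
        adom.change("Admin B", "edit the same package")
    except AdomLockError as exc:
        seen.append(f"B blocked: {exc}")
    try:                                         # install needs a save first
        adom.install("Admin A")
    except AdomLockError as exc:
        seen.append(f"A refused: {exc}")
    adom.save("Admin A")
    adom.install("Admin A")
    adom.unlock("Admin A")                                            # step 3
    seen.append(f"A:{adom.icon('Admin A')} B:{adom.icon('Admin B')}")
    adom.lock("Admin B")                                              # step 4
    seen.append(f"A:{adom.icon('Admin A')} B:{adom.icon('Admin B')}")
    return seen


if __name__ == "__main__":
    print("\n".join(walkthrough()))
```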


Good job! You now understand concurrent administrators.

Now, let's examine ADOM best practices and troubleshooting.


After completing this section, you should be able to:


• Identify concurrent firmware supported by an ADOM, and its use case
• Identify when to upgrade ADOMs
• Troubleshoot ADOM upgrade issues
• Identify best practices after upgrades to ADOMs, or devices, or both
By demonstrating competence in ADOM best practices and troubleshooting, you will be able to organize and
manage your FortiGate devices more effectively within FortiManager.


In FortiManager’s database, each ADOM is associated with a specific FortiGate firmware version, based on
the firmware version of the devices that are in that ADOM. The firmware version determines the appropriate
database schema.

What if you created an ADOM using version 5.2, added FortiGate devices running FortiOS 5.2, but then
needed to upgrade the FortiGate devices to FortiOS 5.4? An ADOM can concurrently manage FortiGate
devices running two FortiGate firmware versions; for example, FortiOS 5.2 and 5.4. Therefore, the devices
running firmware versions 5.2 and 5.4 can share a common FortiManager database.

Although multiple FortiOS versions can exist in the same ADOM, some of the features of the newer firmware
version may be restricted if you are using an older ADOM version. This is because the CLI command syntax
for the newer firmware version might have changed due to new features and is, therefore, configured
differently. It is very important to make sure the FortiGate device is added to an ADOM that is based on its
FortiOS firmware version.

It is recommended that you use this feature only to facilitate upgrading to new firmware, and that you do not
normally run ADOMs with mixed firmware; for ongoing operation, use separate ADOMs instead.


Multiple FortiOS versions can exist in the same ADOM, but you can only upgrade the ADOM after you have
upgraded all the devices contained in it.

Note: If there are many ADOM revisions, FortiManager requires more system resources and the ADOM
upgrade can take more time to complete.


If not all of the devices in an ADOM have been upgraded, you will get a warning message and won't be allowed
to upgrade the ADOM version. You must upgrade all devices in an ADOM before upgrading the ADOM version.

You can upgrade the ADOM from System Settings > All ADOMs.

If the ADOM has already been upgraded to the latest version, this option will not be available.


You can perform real-time ADOM upgrade debugging using the CLI commands shown on this slide. When the
ADOM is upgraded, an event log is generated stating that the ADOM upgrade was successful. Task Monitor
also generates an entry for the ADOM upgrade.


What if you need to upgrade a few FortiGate devices, but not all of them are contained in the same ADOM?

Another way to handle mixed FortiGate versions in the ADOMs is to first upgrade the devices in the original
ADOM, then move them to the new ADOM using a matching firmware version.

If a device is moved from one ADOM to another, policies and objects are not imported into the ADOM
database. You must run the Import Policy wizard to import policies and objects into the ADOM database.


You can move devices between ADOMs after registration on the All ADOMs page. You can move devices
between ADOMs by editing the custom ADOM to which you want to add the device, and then selecting the
device to add to it.


Once you have upgraded the devices and the ADOM, it is recommended that you perform a manual retrieval
of the FortiGate configuration and then reimport the policy package of the device. This often allows you to
solve conflicts between the FortiGate and the FortiManager. You can choose to allow either the FortiGate or
the FortiManager settings to take precedence.

If you are using a shared policy package, there are two different approaches that you can take to resolve the
problem:
• ADOM upgraded: Try to perform an install preview for the policy package. Fix issues using a CLI script or
correct individual objects.
• Device migrated to different ADOM: The shared policy package and objects don’t move to the new ADOM.
Perform a retrieve function to retrieve the full configuration in the new ADOM, and then run an import
policy wizard to import policies and objects.


Good job! You now understand ADOM best practices and troubleshooting.

Now, let's examine backup and restore on FortiManager.


After completing this section, you should be able to:


• Understand how to back up, restore, and make a system checkpoint
• Understand the purpose of offline mode
• Reset FortiManager to factory defaults
By demonstrating competence in backup and restore, you will be able to ensure that, if there is a severe
hardware failure, you can quickly restore FortiManager to its original state without affecting the network. This
is, after all, your central network management system, and you will probably be investing considerable time
and resources in building and maintaining your firewall policies. So, let’s learn how to keep the data safe.


At any time, you can back up FortiManager configuration from the System Information widget in the GUI.
When you use the GUI for backups, encryption is enabled by default. If you use encryption, you must set a
password that is used to encrypt the backup file. The backup file can’t be restored unless you provide the
same password.

The backup contains everything except the logs, FortiGuard cache, and firmware images saved on
FortiManager.

You can also use the CLI to schedule backups at regular intervals.

If changes are made to FortiManager that end up negatively affecting your network, you can restore the
configuration from any of the backups you performed.


You can restore the FortiManager configuration from the GUI or CLI. When you perform a restore,
FortiManager reboots and the changes take effect. When you are restoring a backup file, make sure the
FortiManager firmware version and model match the backup file.

There are a few other options in the Restore System pop-up that are worth discussing:

• Overwrite current IP, routing, and HA settings: By default, this option is enabled. If FortiManager has an
existing configuration, restoring a backup will overwrite everything, including the current IP, routing, and
HA settings. If you disable this option, FortiManager will still restore the configurations related to device
information and global database information, but will preserve the basic HA and network settings.
• Restore in Offline Mode: By default, this is enabled and grayed out – you cannot disable it. While
restoring, FortiManager temporarily disables the communication channel between FortiManager and all
managed devices. This is a safety measure in case any devices are being managed by another
FortiManager.


You can back up the configuration on one FortiManager model and restore this configuration on a different
FortiManager model. This can be useful for:
• troubleshooting purposes, by restoring the configuration into a different FortiManager model
• upgrading FortiManager to a bigger model, as it preserves your already configured devices

The steps required to migrate a configuration are simple. You need to back up the configuration on one
FortiManager model, and then run the CLI migrate command on the second FortiManager.

FortiManager supports FTP, SCP, and SFTP protocols to migrate configuration from one FortiManager model
to another FortiManager model.


The system checkpoints are, in essence, snapshots of your FortiManager managed network system. This
type of backup provides a history in which the FortiManager and FortiGate devices are completely in sync.

You can make a system checkpoint manually using the dashboard's System Information widget. All system
checkpoints are saved in the system checkpoint table. This table provides details, such as when the system
checkpoint was made, who the administrator was, and comments made by that administrator. It also provides
an option to revert to a previous checkpoint. When reverting to a system checkpoint, FortiManager needs to
reboot.

You can make a system checkpoint backup before installing new firmware on devices, or making major
configuration changes to the network. If the installation or changes don’t work as expected, you can revert
FortiManager and your devices to the last known functional state.

System checkpoints are not widely used because they revert the configuration of all managed devices to their
previous states, making many changes at once to the entire system. Many administrators prefer to roll back
firewalls on a per-device basis, when necessary. Moreover, all system checkpoints are saved locally on
FortiManager and cannot be used for disaster recovery. For this reason, you should perform backups at
regular intervals, or configure scheduled backups.


By default, offline mode is disabled, allowing FortiManager to manage the devices. When a configuration
restore is performed, FortiManager disables the FGFM protocol. This protocol uses TCP port 541 for
communication between FortiManager and FortiGate devices. Offline mode can be manually enabled or
disabled from System Settings > Advanced > Advanced Settings.

When should you enable offline mode?


You can enable offline mode to troubleshoot problems. Offline mode allows you to change FortiManager
device settings without affecting managed devices, or to load a backup on a second FortiManager for testing.
That way, the second FortiManager cannot automatically connect to your FortiGates and start managing
them.


If you need to factory reset FortiManager, connect to it using the console port.

The reset all settings command returns FortiManager to its factory default settings and reboots it.

The format disk command erases all device settings and images, FortiGuard databases, and log data on
FortiManager's hard drive.

To completely erase all configuration databases, reset all settings, then format the disk using the CLI.

Even if you format your disks, this only destroys the file system tables. Files remain, and attackers could use
forensic tools to recover the data. Failure to overwrite your configuration databases jeopardizes the security of
your entire network. So, if you will be selling your FortiManager or replacing the hard disk, it’s strongly
recommended to use a secure (deep-erase) disk reformat, to overwrite the hard disk with random data.


Good job! You now understand backup and restore.

Now, let's examine monitoring events.


After completing this section, you should be able to:


• Interpret event logs
• Track and take actions on the tasks in the task monitor
• Understand the Web Service Definition Language (WSDL) file
By demonstrating competence in monitoring FortiManager events, you will be able to diagnose and
troubleshoot issues related to FortiManager and managed devices.


To monitor the status of all tasks, such as imports and system checkpoints, go to System Settings > Task
Monitor. You can filter a task category from the View drop-down list, or leave the default All.

For example, you can filter on running, pending, cancelling, or aborting tasks, and identify whether they have
been stuck in that state for a long time. You can cancel or delete tasks that have been stuck for a long time
and have stopped progressing, because they might prevent other pending tasks from being processed.


Logs provide important troubleshooting information about events that happen on FortiManager.
You can view logs, download them, view them in raw format, or view historical logs from System Settings >
Event Log.

By default, event log severity is set to information level. You can change the level (increase or decrease)
using the CLI. Information-level log severity provides enough details about the log messages to investigate an
issue. If you need to work with Fortinet Technical Support, you can increase it to debug level to get more
details on the event logs.

Depending on the number and type of managed FortiGates and the amount of daily activity, it is recommended
that you monitor disk (I/O wait states) and CPU activity after increasing the level to debug, to ensure that
there are no significant increases in CPU or disk usage.


If you need to focus on specific types of log messages, use filters. For example, you can filter on level,
administrator, subtype, and messages. To apply a filter, click Add Filter, then select which parameter you
would like to refine.

Next, pick a level and if required, select an event subtype. NOT and OR operators are also available in the
dynamic list. You can use Add Filter to add and combine additional filters.

Event logging for FortiManager has several subtypes. For additional details, please refer to the FortiManager
Log Message Reference Guide.
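As an added example (not from this study guide or from Fortinet), the Python below applies the level, administrator, subtype, and message filters described above, including the NOT and OR operators and a minimum-severity check, to raw event log text in the key=value layout; the sample lines, their field values, and the messages are constructed, not captured from a real FortiManager.

```python
"""Filter FortiManager-style event logs (added example, not Fortinet code).

The sample below is constructed in the key=value layout of raw event logs
and is not taken from a real system. The filters mirror the GUI's Add Filter
options: level, administrator (user), subtype and message text, combined
with AND, with OR (several values for one field) and with NOT.
"""
import re
from typing import Callable, Dict, List

# Constructed sample records: one successful admin login, one ADOM upgrade,
# two failed logins for "bob" from the same address, a workspace lock, and a
# debug-level record that only appears once the log level is raised to debug.
SAMPLE_LOG = """\
date=2017-03-01 time=09:12:04 type=event subtype=system level=information user="admin" userfrom="GUI(10.0.1.5)" msg="User admin logged in successfully"
date=2017-03-01 time=09:15:30 type=event subtype=dvm level=information user="admin" userfrom="GUI(10.0.1.5)" msg="ADOM upgrade of ADOM root finished successfully"
date=2017-03-01 time=09:20:11 type=event subtype=system level=warning user="bob" userfrom="GUI(203.0.113.9)" msg="User bob login failed"
date=2017-03-01 time=09:20:40 type=event subtype=system level=warning user="bob" userfrom="GUI(203.0.113.9)" msg="User bob login failed"
date=2017-03-01 time=09:25:02 type=event subtype=adom level=notice user="alice" userfrom="ssh(10.0.1.22)" msg="Workspace: ADOM root locked by alice"
date=2017-03-01 time=09:41:55 type=event subtype=system level=debug user="system" userfrom="" msg="Scheduled backup completed"
"""

# Severity order used by Fortinet logs, lowest to highest.
SEVERITY = ["debug", "information", "notice", "warning",
            "error", "critical", "alert", "emergency"]

# key=value tokens; the value is either a quoted string or a bare word.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

Record = Dict[str, str]
Filter = Callable[[Record], bool]


def parse_line(line: str) -> Record:
    """Split one raw log line into a field dictionary."""
    out: Record = {}
    for m in KV_RE.finditer(line):
        quoted, bare = m.group(2), m.group(3)
        out[m.group(1)] = quoted if quoted is not None else bare
    return out


def field_is(name: str, *values: str) -> Filter:
    """Field equals any of the given values (the GUI's OR operator)."""
    return lambda rec: rec.get(name) in values


def msg_contains(text: str) -> Filter:
    """Case-insensitive substring match on the msg field."""
    return lambda rec: text.lower() in rec.get("msg", "").lower()


def _rank(level: str) -> int:
    """Position in SEVERITY; unknown levels rank below debug."""
    return SEVERITY.index(level) if level in SEVERITY else -1


def level_at_least(minimum: str) -> Filter:
    """Keep records whose severity is at least the given level."""
    floor = _rank(minimum)
    return lambda rec: _rank(rec.get("level", "")) >= floor


def not_(f: Filter) -> Filter:
    """Negate a filter (the GUI's NOT operator)."""
    return lambda rec: not f(rec)


def filter_events(raw: str, *filters: Filter) -> List[Record]:
    """Parse raw log text and keep records matching every filter (AND)."""
    records = [parse_line(line) for line in raw.splitlines() if line.strip()]
    return [rec for rec in records if all(f(rec) for f in filters)]


def failed_logins_by_source(raw: str) -> Dict[str, int]:
    """Count failed logins per user and source; repeated counts merit a look."""
    counts: Dict[str, int] = {}
    for rec in filter_events(raw, field_is("subtype", "system"),
                             msg_contains("login failed")):
        key = f"{rec.get('user', '')}@{rec.get('userfrom', '')}"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    # Everything at warning or above that was not generated by "admin".
    for rec in filter_events(SAMPLE_LOG, level_at_least("warning"),
                             not_(field_is("user", "admin"))):
        print(rec["time"], rec["level"], rec["user"], rec["msg"])
    print(failed_logins_by_source(SAMPLE_LOG))
```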


If you want to use APIs to monitor your system, or to set or get data using third-party devices, you can use the
JSON, XML, and SDK APIs. The FortiManager APIs are a very powerful tool for offering administrative web
portals to customers, and for automated deployment and provisioning systems.

If you want to use web services to do this, you can download the WSDL interface definition from FortiManager
in Advanced Settings.

Web services are a standards-based, platform-independent access method. The WSDL file itself defines the
format of the commands FortiManager will accept, as well as the response to expect.


Congratulations! You have completed this lesson.


This lesson covered the following objectives:


• Identify the purpose of ADOMs
• ADOM modes
• Configuring ADOMs
• Creating administrator accounts and permissions
• Impact of Concurrent Access
• When and how to use workspace
• When to upgrade ADOM and how to troubleshoot
• Backing up, restoring, and making a system checkpoint
• Using offline mode for testing
• Reading event logs
• Monitoring tasks

Device Registration

In this lesson, we will examine the major functions of the device manager pane, and how to manage a
FortiGate from the FortiManager.


In this lesson, we will explore the following topics:


• Provisioning common settings
• Registration methods
• Device discovery troubleshooting
Let’s begin by looking at the provisioning common settings.


After completing this section, you should be able to:


• Describe the use of provisioning templates
• Configure provisioning templates
• Copy the system template profile from one ADOM to another ADOM
By demonstrating competence in provisioning common settings, you will be able to use FortiManager to
configure common settings for many FortiGates.


Provisioning Templates allow you to create profiles that contain device-level settings. These templates
facilitate identical device-level settings across many devices. They can be edited and reapplied.

There are three types of templates based on common device settings:

• System templates: Allow you to create and manage common system-level settings for the managed device
• Threat weight templates: Allow you to create threat weights, which can provide information by tracking
client behavior and reporting on activities that you determine to be risky or otherwise worth tracking
• Certificate templates: Allow you to create certification authority (CA) certificate templates, add devices to
them, and generate certificates for selected devices. Once the CA certificates are generated and signed,
you can install them using the install wizard.

Note that the provisioning templates are based on specific ADOM versions, so some settings may not be
available.

The System Template page contains one generic profile named default, which is a subset of the model device
configuration and contains widgets such as DNS, Alert Email, Admin Settings, and others.

You can create a new device profile and configure the settings in its widgets. Create From Device imports the
system-level settings of a specific managed device into a new profile. Assigned Devices associates devices
with a profile, or shows the list of devices already assigned to that profile.

A configured profile can be applied to multiple devices within the same ADOM, which gives identical
device-level settings across many devices.

We will apply the default System Templates profile when adding a FortiGate to FortiManager in the next
section of this lesson.

What if you need to apply the same system-level settings to many FortiGate devices in different ADOMs?

Remember, each ADOM has its own unique object database which also includes the templates. You can,
however, export and import system templates from one ADOM to another ADOM. The ADOMs must be
running the same firmware version. First, you need to export the system template from the original ADOM to
the FortiManager file system, then you can import that profile into the other ADOM.

Good job! You now understand provisioning common settings.

Now, let's examine registration methods.

After completing this section, you should be able to:


• Describe the main FortiManager wizards
• Describe the two methods for device registration
• Understand the import report
• Provision a FortiGate for zero-touch installation
• Add multiple devices simultaneously from FortiManager
• Add a chassis to FortiManager
By demonstrating competence in device registration, you will be able to add devices into FortiManager for
managing and administering these devices from FortiManager.

The Device Manager provides device and installation wizards to aid you in various administrative and
maintenance tasks. Using these tools can help you shorten the amount of time it takes to do many common
tasks.

There are four main wizards:

• Add Device is used to add devices to central management and import their configurations.
• Install Wizard is used to install configuration changes from Device Manager or Policy & Objects to the
managed devices. It lets you preview the changes and, if you do not agree with them, cancel the install and
modify them first.
• Import Policy is used to import the interface mapping, policy database, and objects associated with a
managed device into a policy package under the Policy & Objects pane. It runs as part of the Add Device
wizard and can also be run at any time from the managed device list.
• Re-install Policy is used to perform a quick install of the policy package. It also provides the ability to
preview the changes that will be installed on the managed device.

Both the Import policy and Re-install Policy wizards can be called by right-clicking your managed device in
the Device Manager.

There are two ways you can register a device with FortiManager:

The first method uses the FortiManager device registration wizard. If the device is supported and all the
details entered for the device are correct, the device becomes registered.

The second method starts with a registration request from a supported device. When the FortiManager
administrator receives that request, the administrator can accept it (or deny it).

Through the Add Device wizard, you can add a FortiGate device with an existing configuration (which
includes its firewall policies) or add a new FortiGate device. The FortiGate device is usually provisioned with a
call home configuration, which is the minimum configuration needed to reach FortiManager (the central
management server). Such configurations are typically installed by a technician and the actual firewall
configuration is done by the administrator in the security/network operations center where the FortiManager
resides.

When a device with an existing configuration is imported, its firewall policies are imported into a new policy
package (which can be renamed). Objects are saved in the ADOM's common object database, where they can be
shared among the managed FortiGate devices in the same ADOM. The wizard also checks for duplicate or
conflicting objects.

The first registration method is using the device registration wizard on FortiManager. Here, it is the
FortiManager administrator that proactively initiates, and ultimately performs, the registration. With this
method, the administrator must have specific details about the device that is to be registered.

You can launch the wizard from the Device Manager pane by clicking Add Device from the menu bar. If you
have enabled ADOMs and want to add the device to a specific ADOM, select the ADOM from the ADOM list
before clicking Add Device.

Within the wizard there are two options for adding a device: Discover and Add Model Device.

The Discover option is used to add an existing device. Here, you must enter the FortiGate device's login
details: IP address, user name, and password.

In order to fully discover the device and add its full configuration, the login credentials entered here must
have full read-write access on the FortiGate. The same access is what later allows FortiManager to install
configuration to the managed FortiGate.

The Add Model Device option is used to provision a new device that is not yet online. We will look at that
later in this lesson.

In this step, FortiManager determines whether the FortiGate device is reachable and discovers basic
information about the device: IP address, administrative user name, device model, firmware version (build),
serial number, and high availability mode.

You can also run the CLI command shown on the slide on FortiManager to obtain the real-time status of the
FortiGate device being added.

Note that the output of this command is very verbose and also shows output for other managed devices.

The next step allows you to configure the device settings of the device that was just discovered, such as
device logging permissions, FortiClient management, and which system template to apply.

Administrators can configure the system template in advance and apply it to new devices as they are added
to FortiManager. Templates save time by removing the need to repeat common configuration settings for
every device.

By default, the FortiGate device has full logging permissions.

In the next step, FortiManager completes the addition of the FortiGate device and creates the initial
configuration file in the revision history. This is the full configuration, containing all used and orphaned
objects along with the firewall policies on the FortiGate. FortiManager also checks the support contract, which
is useful if FortiManager is used as the local FortiGuard server for the managed FortiGate.

There are two options for importing policies and objects:

• Clicking Import Now adds the policies to a policy package and the objects to the common shared ADOM
database. These objects can then be used by multiple FortiGate devices in the same ADOM.
• Clicking Import Later adds only the device-level settings to the device database; the firewall policies
and objects are not imported into Policy & Objects. They can be imported later using the Import Policy
wizard.

In this example, the Import Now option is selected.

If virtual domains (VDOMs) are configured, you are prompted to select the VDOMs you want to import. The
majority of a firewall configuration is specific to the VDOM, therefore each VDOM counts as one managed
device.

FortiManager probes the FortiGate and creates an interface mapping in the ADOM database. You can rename
the ADOM interface names in this mapping. In this example, the FortiGate interfaces port1 and port3 are
mapped to the ADOM interfaces WAN and LAN, respectively. This mapping is local to the FortiManager database,
so policies are shown on FortiManager as going from LAN to WAN. The same ADOM interface names can be
mapped for multiple FortiGates.

This is useful in large deployments, where administrators can use a common name for an ADOM interface
regardless of the physical interface name on each FortiGate. It also helps administrators view and track
firewall policies more easily on FortiManager.

Add mappings for all unused device interfaces is enabled by default. It creates mappings automatically for
the remaining device interfaces, so the FortiManager administrator does not need to create them manually.

The wizard searches for all policies to import into FortiManager’s database. Here, policies are imported into a
new policy package under the Policy & Objects pane.

At this point, you can choose whether to import all policies or selected policies, and whether to import only
referenced objects or all objects. The Import All and Import only policy dependent objects options are
selected by default when adding a device.

Next, it searches the FortiGate device for objects to import and if any conflicts exist, they appear here. You
can view additional details, as well as download the conflicts in HTML format.

If you select FortiGate in the Use Value from column, the FortiManager database is updated with the
FortiGate's value. If you select FortiManager, the FortiManager value is kept, and the next time you install the
configuration from FortiManager to the FortiGate, that value is written to the FortiGate. By default, FortiGate
is selected.

Once the object conflicts are noted/resolved, the wizard searches for the objects to import. The FortiManager
adds new objects and updates the existing FortiManager objects. The FortiManager does not import duplicate
entries in the ADOM database, as those objects already exist in the database.

The final step in the wizard is Import Summary. Here the firewall policies and objects are imported into
FortiManager.

You can also download the import report, which is only available on this page. As a best practice, it is
recommended that you download the report. The next slide shows the downloaded import report.

The import report provides important information, such as which device is imported into which ADOM, as well
as the name of the policy package created along with objects imported. These objects and policies are
created in the Policy & Objects pane for that ADOM.

FortiManager imports new objects and skips duplicate objects, because it does not import duplicate entries
into the ADOM database. If a conflict is detected, FortiManager updates the object with the value of the side
you selected on the Objects Conflict step of the wizard; in the import report this is referred to as
update previous object.

Dynamic objects can also be created, whereby a single object name has different values depending on which
device it is installed.
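To make the three outcomes of the import step concrete (new object, duplicate skipped, update previous object), here is an added Python model written for this guide; it is not FortiManager code, and the object names and subnets are constructed sample data. It merges objects retrieved from a FortiGate into an ADOM object database, applies the Use Value from choice for each conflicting object, and renders a report in the spirit of the wizard's downloadable import report.

```python
"""Added illustration of the object import step (not FortiManager code):
merge objects retrieved from a FortiGate into the ADOM object database,
apply the "Use Value from" choice for conflicts, and build an import report.
All object names and values below are constructed sample data."""
from dataclasses import dataclass, field


@dataclass
class ImportResult:
    added: list = field(default_factory=list)    # new objects
    skipped: list = field(default_factory=list)  # identical duplicates, not re-imported
    updated: list = field(default_factory=list)  # conflicts resolved with the FortiGate value
    kept: list = field(default_factory=list)     # conflicts resolved with the FortiManager value


def find_conflicts(adom_db, fgt_objects):
    """Objects present on both sides with different values (the Objects Conflict step)."""
    return sorted(n for n, v in fgt_objects.items() if n in adom_db and adom_db[n] != v)


def import_objects(adom_db, fgt_objects, use_value_from=None):
    """Merge fgt_objects into adom_db (modified in place) and return an ImportResult.

    adom_db, fgt_objects: {object name: {attribute: value}}
    use_value_from: {object name: "FortiGate" | "FortiManager"} for conflicting
                    objects; the wizard default is "FortiGate".
    """
    use_value_from = use_value_from or {}
    result = ImportResult()
    for name, fgt_value in fgt_objects.items():
        if name not in adom_db:
            adom_db[name] = dict(fgt_value)
            result.added.append(name)
        elif adom_db[name] == fgt_value:
            result.skipped.append(name)           # duplicate: ADOM database unchanged
        elif use_value_from.get(name, "FortiGate") == "FortiGate":
            adom_db[name] = dict(fgt_value)       # ADOM database takes the FortiGate value
            result.updated.append(name)
        else:
            result.kept.append(name)              # FortiManager value wins; the FortiGate
                                                  # is changed on the next install
    return result


def render_report(device, adom, package, result):
    """Plain-text import report in the spirit of the wizard's downloadable report."""
    lines = [f"Device {device} imported into ADOM {adom}; policy package {package}"]
    lines += [f"  {n}: new object" for n in result.added]
    lines += [f"  {n}: duplicate, skipped" for n in result.skipped]
    lines += [f"  {n}: update previous object" for n in result.updated]
    lines += [f"  {n}: FortiManager value kept, install pending" for n in result.kept]
    return "\n".join(lines)


# Constructed sample data: what is already in the ADOM database ...
ADOM_DB = {
    "LAN_NET": {"subnet": "10.0.1.0/24"},
    "DMZ_NET": {"subnet": "10.0.2.0/24"},
}
# ... and what was retrieved from the FortiGate being added.
FGT_OBJECTS = {
    "LAN_NET": {"subnet": "10.0.1.0/24"},   # identical  -> skipped
    "DMZ_NET": {"subnet": "10.0.3.0/24"},   # conflict   -> resolved by "Use Value from"
    "WEB_SRV": {"subnet": "10.0.2.10/32"},  # new        -> added
}

if __name__ == "__main__":
    db = {k: dict(v) for k, v in ADOM_DB.items()}
    print("conflicts:", find_conflicts(db, FGT_OBJECTS))
    res = import_objects(db, FGT_OBJECTS, {"DMZ_NET": "FortiGate"})
    print(render_report("Local-FortiGate", "root", "Local-FortiGate", res))
```

The point worth noticing is the kept branch: choosing FortiManager in the conflict step does not make the two sides agree immediately. The ADOM database is left as it was, and the FortiGate is only brought in line by the next install, which is why an import with conflicts resolved that way should be followed by a preview and an install.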

Because port3 was mapped to LAN and port1 to WAN in the interface mapping step of the wizard, the policy
appears on FortiManager as going from LAN to WAN, while on the FortiGate it still references port1 and port3.
This is called dynamic mapping: firewall policies created in policy packages refer to the ADOM interface
names, and when a policy package is installed, each ADOM interface name is translated to the local interface
of the managed device.

This is what makes it possible to install the same policy package on multiple managed FortiGate devices,
even when their physical interface names differ.
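The translation described above, as an added Python model written for this guide (not FortiManager code). The device names, interface names, and policies are constructed sample data. The model keeps one policy package written against ADOM interface names, a per-device mapping from ADOM names to local interfaces, and renders the FortiOS-style lines that an install would carry for a given device; it also shows the failure mode that matters in practice, a policy referencing an ADOM interface that a device has no mapping for.

```python
"""Added illustration of dynamic interface mapping at install time.
Model code written for this guide, not FortiManager's own; all names are constructed."""

# Per-device interface mapping: ADOM interface name -> local interface name.
INTERFACE_MAP = {
    "Local-FortiGate":  {"WAN": "port1", "LAN": "port3"},
    "Remote-FortiGate": {"WAN": "wan1",  "LAN": "internal"},
}

# One policy package, written once against the ADOM interface names.
POLICY_PACKAGE = [
    {"id": 1, "srcintf": "LAN", "dstintf": "WAN", "action": "accept"},
    {"id": 2, "srcintf": "WAN", "dstintf": "LAN", "action": "deny"},
]


class MappingError(Exception):
    """A policy references an ADOM interface that the target device has no mapping for."""


def translate_policy(policy, mapping):
    """Return a copy of the policy with ADOM interface names replaced by local ones."""
    local = dict(policy)
    for key in ("srcintf", "dstintf"):
        try:
            local[key] = mapping[policy[key]]
        except KeyError:
            raise MappingError(f"policy {policy['id']}: no mapping for {policy[key]!r}") from None
    return local


def render_install(device, package, interface_map=INTERFACE_MAP):
    """FortiOS-style config lines that an install of `package` would send to `device`."""
    mapping = interface_map[device]
    lines = ["config firewall policy"]
    for policy in package:
        local = translate_policy(policy, mapping)
        lines += [f'    edit {local["id"]}',
                  f'        set srcintf "{local["srcintf"]}"',
                  f'        set dstintf "{local["dstintf"]}"',
                  f'        set action {local["action"]}',
                  "    next"]
    lines.append("end")
    return lines


def validate_package(package, interface_map=INTERFACE_MAP):
    """Pre-install check: for each device, which ADOM interfaces used by the package are unmapped."""
    needed = {p[k] for p in package for k in ("srcintf", "dstintf")}
    return {device: sorted(needed - set(mapping)) for device, mapping in interface_map.items()}


if __name__ == "__main__":
    print("unmapped interfaces per device:", validate_package(POLICY_PACKAGE))
    for device in INTERFACE_MAP:
        print(f"--- install preview for {device} ---")
        print("\n".join(render_install(device, POLICY_PACKAGE)))
```

Running validate_package before an install is the check to keep: a policy package that uses an ADOM interface name one device does not map cannot be translated for that device, and it is better to find that in a pre-install check than in a partial install failure.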

The second option in the Add Device wizard is Add Model Device, which allows you to add a device that is
not yet online. Using this option, you can create the configuration in advance.
You can link the model device to the real device by one of two methods:
• Serial number: the FortiGate serial number, which is mandatory when the model device is linked by serial
number
• Pre-shared key: a unique pre-shared key per device, which is convenient when adding multiple model devices

On the FortiGate side, you need to point the FortiGate to FortiManager.

If you are using a serial number to add the FortiGate as a model device, you need to configure the
FortiManager IP address on the FortiGate under the central management configuration.

If you are using a pre-shared key to add the model device, you need the same central management
configuration, plus you need to run the register device command from the FortiGate CLI.
This command takes the FortiManager serial number and the pre-shared key that was set when the model
device was added.

The FortiGate device is automatically promoted as a registered device once the FortiGate is deployed with its
basic IP and routing configuration to reach FortiManager. You can then install the preconfigured configuration
from FortiManager to the FortiGate device.

The FortiGate administrator must configure the FortiManager IP address and send a request to
FortiManager. A pop-up window appears stating that the management request has been sent to
FortiManager. Clicking OK logs you out of FortiGate.

So how does FortiGate move from an unregistered device to a registered device?


This happens on the FortiManager side. Once the request is made from the supported device, the request
appears under Device Manager > Unregistered Devices in the FortiManager GUI.

The FortiManager administrator should review the details of the unregistered device and, if satisfied, add the
device. If you add an unregistered device, then you need to run the Import Policy wizard to import the
device’s firewall policy into a new policy package.

If ADOMs are enabled, the device appears in the root ADOM, which is the management ADOM of
FortiManager. The root ADOM is based on the FortiGate ADOM type, so you can add only FortiGates to the
root ADOM. Alternatively, if you’ve created a custom ADOM based on the FortiGate ADOM type, you can add
the FortiGate to the custom ADOM instead.

From the FortiManager CLI, you can enable automatic registration of unregistered devices. But you still need
to run the Import Policy wizard to import the device’s firewall policy into a new policy package.

What if you need to add multiple FortiGate devices simultaneously?

You can enable Show Add Multiple Button under Admin Settings, which enables the option for adding
multiple devices under Device Manager. You can click the plus sign (+) icon and enter the FortiGate’s IP
address, user name, and password.

Similar to adding an unregistered device, policy packages are not automatically created. You must run the
Import Policy wizard to import the device’s firewall policy to a new policy package.

Once you register FortiGate devices, they appear on the Device Manager in the ADOM to which they were
added.

Some FortiManager devices can work with the shelf manager to manage the FortiGate 5000 series chassis.
First, you need to enable chassis management in the System Settings pane. Once enabled, you can add the
chassis in the default chassis ADOM.

The dashboard for chassis provides the information related to slot number, slot information, current state of
blade, and various other parameters. From the dashboard, information related to blades, PEM, fan tray, shelf
manager, and SAP can be configured or viewed.

FortiManager physical devices and virtual machine (VM) licenses support a limited number of managed devices,
depending on the appliance size or license type. A FortiGate high availability (HA) cluster counts as a single
device, and each virtual domain (VDOM) also counts as a device. This is because the bulk of the configuration
relates to firewall policies and objects: a device in a cluster does not increase the size of that configuration,
since all devices in the cluster run the same configuration, whereas each VDOM adds its own.

For example, if there are two FortiGates in an HA cluster (active-active or active-passive), both FortiGates
have the same configuration and are counted as one device. However, enabling a VDOM increases the size
of the configuration, as each VDOM is logically a separate firewall.

A FortiGate HA cluster is managed as a single device from FortiManager, and has a unique ID. You can use
diagnose dvm device list in the CLI to view the device members. FortiManager is unaware of—and
will not verify—FortiGate HA synchronization status. The optional, dedicated HA per device management
interface is for SNMP monitoring only and must not be used for FGFM management.

FortiGate HA configuration on FortiManager is read-only. It is retrievable and visible, but cannot be modified.
Nor will it be applied to the FortiGate during installs. This is to avoid overwriting HA configuration, if FortiGate
HA roles have changed; however, you can force an HA failover from FortiManager. FortiGate configuration
changes concerning HA parameters will not modify the checksum (get system mgmt-csum) and will not
cause an out-of-sync situation.

Good job! You now understand registration methods.

Now, let's examine common device discovery issues and how to resolve them.

After completing this section, you should be able to:


• Identify the steps involved in device discovery and adding a device
• Check and verify configurations that can cause discovery failure
By demonstrating competence in device discovery troubleshooting, you will be able to diagnose and resolve
issues related to device discovery.

The management protocol FGFM runs on both FortiGate (fgfmd) and FortiManager (fgfmsd). FortiManager and
FortiGate create a secure tunnel on TCP port 541. Because the connection is TCP-based, it works through
port-based NAT, which allows both the FortiGate and the FortiManager to be behind a NAT device. On the
FortiGate side, FMG-Access is an interface-level setting and must be enabled on the interface facing
FortiManager.

Once the management tunnel is configured, it can be established in either direction, by FortiManager or by
the managed FortiGate device. FortiManager reserves link-local addressing in the 169.254.0.0/16 subnet for the
tunnel: 169.254.0.1 is reserved for FortiManager, and managed devices are allocated other addresses in the
169.254.0.0/16 range.

The FortiGate device sends keep-alive messages over the tunnel. Each keep-alive includes the checksum of the
FortiGate configuration, which FortiManager uses to calculate the synchronization status.

FortiGate login credentials are required only when discovering the device for the first time or when
reclaiming the tunnel. The credentials are used to obtain and set the device serial number; after that, the
serial number becomes the basis of authentication.

There are two steps involved when a FortiGate registers with FortiManager:
• Discovery: In this step, FortiManager sends a CLI command to obtain the minimum information about the
FortiGate.
• Adding: In this step, FortiManager obtains the complete configuration of the FortiGate and stores it in the
revision history.

There are two methods to register FortiGate to FortiManager. The secure FGFM tunnel can be initiated by
either device: FortiGate or FortiManager.

If the tunnel is initiated by FortiGate, the device is added to FortiManager’s unregistered device list in the root
ADOM. At this point, it has not been discovered. The complete discovery and add process starts once the
device is promoted to being a registered device.

When FortiManager discovers and adds a FortiGate, it sends CLI commands to the FortiGate to collect complete
information about the device.

To see those commands as they arrive, you can run the following CLI commands on the FortiGate while it is
being discovered and added:
diagnose debug cli 8
diagnose debug enable

If you are experiencing communication issues between FortiGate and FortiManager, first ensure that the two
devices can reach each other. Use the execute ping CLI command from either device to verify that the
devices are capable of routing to each other. (Ping must be enabled and allowed by all intermediate firewalls.)

If you are having issues discovering the FortiGate from FortiManager, check the following:

• The FortiManager administrator account has sufficient privileges. Sufficient privileges are required to add
a FortiGate.
• Offline mode is disabled (it is disabled by default). Enabling offline mode disables the FGFM protocol
(TCP port 541) used to communicate with managed devices.
• Packets from the FortiGate reach FortiManager and packets from FortiManager reach the FortiGate. Run
sniffers on both devices to confirm.
• The FortiGate credentials entered in the Add Device wizard are correct.
• FMG-Access is enabled on the FortiGate interface facing FortiManager.
• Whether the FortiGate is already in the unregistered device list. You can check this from the root ADOM in
the GUI or with the CLI command diagnose dvm device list.
• The date and time are synchronized between FortiManager and the FortiGate.

Congratulations! You have completed this lesson.

This lesson covered the following objectives:


• Configure and apply provisioning profiles to your managed devices
• Add FortiGate to FortiManager
• Understand import report
• Add multiple FortiGate devices simultaneously into FortiManager
• Add chassis into the FortiManager
• Manage FortiGate HA cluster from FortiManager
• Troubleshoot device discovery issues

 Device Level Configuration and Installation

In this lesson, we will examine how to configure device-level changes, understand the status of a managed
FortiGate on FortiManager, and install changes to managed FortiGates. We will also look at how to use the
revision history for troubleshooting, and at the capabilities of scripts and device groups.

In this lesson, we will explore the following topics:


• Configuring device-level settings
• Managed device status
• Installing configuration changes
• Revision history
• Scripts
• Device groups
Let’s begin by looking at configuring device level settings for a managed FortiGate.

After completing this section, you should be able to


• Plan and make configuration changes related to device-level settings
By demonstrating competence in configuring a managed device, you will be able to use FortiManager more
effectively and efficiently.

Similar to the FortiGate GUI, not all options are visible by default on FortiManager’s GUI.

The Global Display Options page allows you to customize the device tabs at the ADOM level. You can
enable or disable the features that you would like to be visible in the FortiManager GUI for managed devices.

Instead of enabling each feature individually, you can enable all features in a category, enable every
feature by clicking Check All, or restore the default settings by clicking Reset to Default.

The options available on the dashboard toolbar vary from device to device, depending on the feature set the
device supports.

You can also customize the device tabs at device level, which provides the option to inherit the configured
display options from the ADOM level, or you can customize based on your specific device needs.

You can click on a managed FortiGate device to view the System Dashboard for that device. It provides
information such as serial number, HA status, firmware version, and the VM license information. It also allows
you to view session information, database configuration, and connection summary.

It consists of four widgets that cannot be removed or added.

To configure a registered device, select the device or VDOM in the Device Manager. In this example, we
have selected the FortiGate named Local-FortiGate.

The device-level settings of the managed FortiGate can be viewed and configured from the toolbar at the top.
For example, the Dashboard tab lets you view or configure interfaces, HA, and DNS, among others; to
configure or view routes, select the Router tab.

In this example, a new static route is created.

Most of these settings have a one-to-one correlation with the device configuration that you would see if you
logged in locally using the FortiGate GUI or CLI.

Note that only a few options appear in the toolbar here (Dashboard and Router). You can click Display
Options to customize the device tabs at the device level.

The CLI-Only Objects menu allows you to configure device settings that are normally available and
configured only through FortiGate’s CLI.

Note that the options available vary according to device, supported features, and firmware version.

The CLI-Only Objects menu is available in the Device Manager and Policy & Objects panes.

You can add a VDOM to the managed device from the Device Manager pane. Adding a VDOM is a
configuration change, so you need to install these changes on the managed device.

Good job! You now understand how to make configuration changes to the device-level settings of a managed
device.

Now, let's examine the status of a managed device on FortiManager.

After completing this section, you should be able to:


• Understand FortiManager and FortiGate configuration status
• Understand the sync and device settings status of a managed FortiGate
• Preview configuration changes made from FortiManager to a managed FortiGate
• Describe the refresh command
• Filter devices based on status
By demonstrating competence in understanding FortiGate configuration status and synchronization behavior,
you will be able to diagnose and take actions based on the status of FortiGate.

This diagram shows the status of a managed FortiGate. FortiManager keeps FortiGate configurations in the
revision history. The latest revision history is compared with the FortiGate configuration to provide the sync
statuses. The latest revision history is also compared with the device-level database (device setting status) of
the FortiGate, which indicates if FortiGate configuration has changed on the FortiManager.

Knowing the overall configuration status of a managed device helps the administrator identify issues and take
appropriate actions from the FortiManager:
• Synchronized / Not modified / Auto-Update: The latest revision history entry (whether from an install, a
retrieve, or an auto-update) matches the configuration on the FortiGate.
• Pending / Modified: The device database on FortiManager differs from the latest revision, so the FortiGate is
pending an install in order to return to an unmodified state. The install creates a new revision.
• Out-of-sync: The latest revision does not match the configuration on the FortiGate, because of configuration
changes made locally on the FortiGate or a previous partial install failure. It is recommended that you
perform a retrieve from FortiManager.
• Conflict: Changes were made locally on the FortiGate and have not been retrieved, and changes were also
made on FortiManager. Depending on which changes you want to keep, you can either retrieve the
configuration or install the changes from FortiManager.
• Unknown: FortiManager cannot determine the synchronization status because the FortiGate is not reachable,
or because of a partial install failure. It is recommended that you perform a retrieve from FortiManager.

Under the Device Manager pane, click a managed FortiGate to view its dashboard. You can see the Sync
Status field under the Configuration and Installation Status widget.
The Sync Status compares the running device configuration with the current version in the revision history.
There are three sync statuses:
• Synchronized: The current revision history configuration entry (whether an install or retrieve) is
synchronized with the running configuration on the FortiGate.
• Out-of-sync: The current revision history configuration entry does not match the running configuration on
the FortiGate. This can be caused by a failed installation or by direct changes made on the FortiGate that were not
auto-updated.
• Unknown: The FortiManager system is unable to detect which revision (in the revision history) is currently
running on the device.

The Device Settings Status field can be found under the Configuration and Installation Status widget.
The Device Settings Status indicates the status of the device settings on the FortiManager. There are three
device setting statuses:
• Unmodified: The FortiGate configuration in the device-level database is in sync with the current revision in
the revision history. This means that there are no changes to the device database and nothing to install.
• Modified: If the device is configured from the Device Manager, the device database is changed and the
device settings status is tagged as Modified, because it doesn’t match the revision history for that device.
If changes are installed, it puts the device back into the unmodified state.
• Auto-Updated: The configuration changes are made directly on the FortiGate and have automatically
updated the device database.

Under the Configuration and Installation Status widget, click Preview to view the changes made to the
device database on FortiManager. These are the exact commands that will be installed on this FortiGate
when the next install is performed.

Previously, we configured a new static route. That is why the Device Settings Status is tagged as Modified.
In this example, the static route configuration will be pushed to FortiGate on the next install.

The diagnose dvm device list command lists all devices and VDOMs, both managed and
unregistered. It also provides information such as serial number, connecting IP, firmware, HA mode,
and the device-level and policy package statuses.

This example shows that the FortiGate configuration is in sync with the latest revision history. However,
changes have been made to the device-level settings, which is why the CLI output shows db:modified and
cond:pending. Once the changes are installed on the FortiGate, it shows db:unmodified and cond:OK.
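The following Python model, added here as an example and not part of the study guide or the product, reproduces the status rules from the status list earlier in this section and the db:/cond: fields of the diagnose dvm device list output discussed here. The checksum function, the field names, the sample configurations and the cond values other than OK and pending are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass


def checksum(config: str) -> str:
    """Stand-in for the configuration checksum FortiManager keeps with each revision."""
    return hashlib.sha256(config.strip().encode()).hexdigest()[:12]


@dataclass
class ManagedDevice:
    name: str
    reachable: bool                    # FGFM tunnel up
    running_config: str                # configuration currently running on the FortiGate
    latest_revision: str               # newest entry in the FortiManager revision history
    device_db: str                     # device-level database on FortiManager
    revision_source: str = "install"   # what created the latest revision: install, retrieve, auto-update
    partial_install_failed: bool = False


def sync_status(dev: ManagedDevice) -> str:
    """Sync Status field: running configuration vs. latest revision history entry."""
    if not dev.reachable or dev.partial_install_failed:
        return "Unknown"
    if checksum(dev.running_config) == checksum(dev.latest_revision):
        return "Synchronized"
    return "Out-of-sync"


def device_settings_status(dev: ManagedDevice) -> str:
    """Device Settings Status field: device database vs. latest revision history entry."""
    if checksum(dev.device_db) != checksum(dev.latest_revision):
        return "Modified"
    return "Auto-Updated" if dev.revision_source == "auto-update" else "Unmodified"


def overall_status(dev: ManagedDevice) -> str:
    """Combined status from the status list, evaluated in priority order."""
    if not dev.reachable or dev.partial_install_failed:
        return "Unknown"
    running_differs = checksum(dev.running_config) != checksum(dev.latest_revision)
    db_differs = checksum(dev.device_db) != checksum(dev.latest_revision)
    if running_differs and db_differs:
        return "Conflict"        # changed on the FortiGate and on FortiManager: retrieve or install
    if running_differs:
        return "Out-of-sync"     # local change on the FortiGate not yet retrieved: retrieve
    if db_differs:
        return "Pending"         # change made in Device Manager waiting for an install
    return "Synchronized"        # also covers Not modified / Auto-Update


def dvm_fields(dev: ManagedDevice) -> dict:
    """The db:/cond: pair shown by diagnose dvm device list. Only db:modified/unmodified and
    cond:pending/OK come from the slide; the other cond values here are placeholders."""
    db = "modified" if device_settings_status(dev) == "Modified" else "unmodified"
    status = overall_status(dev)
    cond = {"Synchronized": "OK", "Pending": "pending"}.get(status, status.lower())
    return {"db": db, "cond": cond}


# Constructed sample configurations (not from a real device).
BASE = "config system global\n    set hostname LAB-FGT\nend\n"
ROUTE = "config router static\n    edit 1\n        set dst 10.0.2.0/24\n        set device port2\n    next\nend\n"
LOCAL_DNS = "config system dns\n    set primary 10.0.1.10\nend\n"


def sample_devices() -> dict:
    """One constructed device per situation described in the status list."""
    return {
        "pending": ManagedDevice("fgt-a", True, BASE, BASE, BASE + ROUTE),
        "installed": ManagedDevice("fgt-a", True, BASE + ROUTE, BASE + ROUTE, BASE + ROUTE),
        "out_of_sync": ManagedDevice("fgt-b", True, BASE + LOCAL_DNS, BASE, BASE),
        "conflict": ManagedDevice("fgt-c", True, BASE + LOCAL_DNS, BASE, BASE + ROUTE),
        "auto_updated": ManagedDevice("fgt-d", True, BASE + LOCAL_DNS, BASE + LOCAL_DNS, BASE + LOCAL_DNS, "auto-update"),
        "unreachable": ManagedDevice("fgt-e", False, BASE, BASE, BASE),
    }


if __name__ == "__main__":
    for label, dev in sample_devices().items():
        print(f"{label:12} sync={sync_status(dev):12} db={device_settings_status(dev):12} "
              f"overall={overall_status(dev):12} dvm={dvm_fields(dev)}")
```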

You can also check whether the FGFM tunnel between FortiGate and FortiManager is up or down.

You can filter devices based on their current status. This is very helpful when you are managing a large number
of devices in the same ADOM.
You can filter statuses based on:
• Connection
• Device Config (Device database status)
• Policy Package (ADOM database status)

For example, click the Device Config menu and select Modified. The content pane displays only devices
with modified device-level configuration files.

You can use the diagnose fgfm session-list command to verify the FGFM tunnel uptime between
FortiManager and FortiGate devices, display the connecting IP addresses of all managed devices, and show
the link-level addresses assigned by FortiManager to FortiGate devices for management traffic.

When you refresh a device, FortiManager attempts to establish the connection between itself and the selected
device. This operation retrieves basic information about the managed device, such as serial number,
firmware version, support contracts, and FortiGate HA cluster member information.

You can refresh the connection by clicking the Refresh icon in the Connection Summary widget, or by
selecting the device in the Device Manager and then selecting Refresh Device from the More drop-down
menu.

Good job! You now understand the status of the managed device on FortiManager.

Now, let's examine how to install configuration changes from FortiManager.

After completing this section, you should be able to:


• Describe the install types available in the Install Wizard
• Install device-level changes to the FortiGate using the Install Wizard
• Describe the purpose of the Install Config option
By demonstrating competence in installing configuration changes, you will be able to make changes to a
managed device through FortiManager.

This diagram illustrates the installation process that pushes changes from the Device Manager pane to a
device. For completeness, the Policy & Objects pane is also included in this illustration.

When a new configuration is installed, FortiManager compares the latest revision history running on the
device with the changes made on FortiManager. FortiManager then creates a new revision in the revision
history and installs these changes on the managed device.

The installation process involves FortiManager’s Install Wizard. Configuration changes made from the
Device Manager do not take immediate effect—they have to be installed. Until they are installed, the Device
Settings Status remains Modified.

During installation, you are asked to choose between two different installation types.

If you choose Install Device Setting (only), the wizard will install only device-level configuration changes
made from FortiManager. If you have made changes to the device-level configuration and policies in the
policy packages, you can choose Install Policy Package & Device Settings which will install policy package
changes and any device-specific settings.

The next few slides look at the stages when installing device settings only.

To launch the install wizard, click Install Wizard on the toolbar, or click Install and choose Install Wizard.

When the Install Wizard opens, you need to choose which option you want to use to install your settings. In
this example, we select Install Device Settings (only). This option installs only the configuration changes
that are related to device-level settings. Because we previously added a new route to the managed FortiGate,
the Config Status is showing as Modified. During this installation process, the device configuration items are
installed on the managed device. Once complete, the FortiManager and FortiGate are in sync, and the
Config Status changes from Modified to Synchronized.

In the next step you need to select the device on which you want to install the changes. If you’ve made
device-level changes to multiple devices under the Device Manager, you can select multiple devices on
which to install those changes.

The next step is validation. The Install Wizard checks the device settings and compares them with the latest
running revision history.

Click Preview to view the configuration changes that will be installed on the managed FortiGate. You can
download the preview by clicking Download. The file is saved in a .txt format.

As a best practice, you should always preview and verify the changes that will be committed to FortiGate. In
the case of a conflict, you can cancel the installation. Then, you can review and correct the conflicting
configuration under Device Manager and re-launch the Install Wizard.

In this example, we’ve added a new static route.

The final step performed in the Install Wizard is the installation. After the installation is complete, you can
view the Install Log to see the list of the devices on which the configuration changes were installed.

The log also shows any errors or warnings that occurred during the install process. Click Install Log to view
the configuration changes installed on the managed FortiGate. If the installation fails, the install log provides
an indication of the stage where the failure occurred.

In this example, the installation was successful and FortiManager created a new revision history for the install.

The Install Config option allows you to perform a quick installation of device-level settings without launching
the Install Wizard. When you use this option, you cannot preview the changes prior to committing.
Administrators should be certain of the changes before using this install option, because the install can’t be
cancelled after the process is initiated.

If unsure about the changes, administrators are encouraged to use the Install Wizard, so that they can
preview the changes before committing.

Good job! You now understand the steps involved in installing device-level configuration changes.
Now, let's examine the revision history repository for the managed FortiGate on FortiManager.

After completing this section, you should be able to:


• Understand when a new revision history is created
• Troubleshoot managed device configuration issues using revision history features:
  • Identify which action created the revision history
  • Compare revision histories to find differences
  • View the install log
  • Use the retrieve feature to update the FortiGate configuration in the revision history
  • Understand how an auto update happens
  • Revert FortiGate configuration to a previous revision
By demonstrating competence in using revision history features, you will be able to diagnose and troubleshoot
common issues related to FortiGate configuration changes.

A new revision history entry is created by many different operations, such as adding a device, installing changes,
retrieving a configuration, or an auto-update.

FortiManager maintains a repository of the configuration revisions made to managed devices.

This allows the FortiManager administrator to view and download the configuration revisions for a managed
device, inspect configuration changes between configuration revisions, view installation history, and view
which administrator or process created the new configuration revision.

If the managed FortiGate’s configuration is modified directly on the FortiGate, FortiManager compares the
checksum of the latest revision history entry with that of the running configuration on the FortiGate, and creates a new
revision history entry in its repository. It then updates the FortiManager database, which includes device-level
settings only. The policies and objects are updated using the Import Policy wizard.

If the changes are made on FortiManager and then installed to the managed device, the install compares the
checksum of the latest revision history entry with that of the FortiManager database and creates a new
revision history entry.

So, when a change in the configuration is detected, FortiManager creates a new revision history entry and tags it
with a version/ID number. Select the device, and in the Configuration and Installation Status widget, you can view,
download, or compare the differences between revisions. The revision history also allows you to view the
installations performed from FortiManager.

The Revision History repository stores all configuration revisions for the devices, and tags each revision with
a version/ID number. The Installation and Created by columns provide details about the action, process, or
administrator that created the revision.

You can select a revision ID to view or download the configuration revision. This is the complete configuration of
the managed device, including the device-level, policy, and object configuration.

After every retrieve and install operation, the FortiManager stores the FortiGate’s configuration checksum
output with the revision history. This is how the out-of-sync condition is calculated.

You can also compare the differences between the revision histories by clicking Revision Diff. You can
compare the revision history to a previous version, select a specific version, or can compare to the factory
default configuration. In terms of the output, you can choose to show the full configuration with differences,
only differences, or you can capture the differences to a script.

When an installation is done from FortiManager, the installation log shows the name of the administrator who
made the change. When an install is performed, the Installation column is automatically filled with an Installed
entry. These are the revisions for which you can view install logs.

You can view the commands sent for a revision ID by selecting the revision ID and clicking View Install
Log. Because there is no rollback if an installation fails, this history is useful: it shows which commands
were sent to and accepted by the device, as well as the commands that were not accepted.

You can also click Download to download this file in .txt format.

If you are not satisfied with the running configuration there are multiple ways to resolve the configuration
issues. You can:
• Modify the configuration on FortiManager and then install it to the managed device
• Modify the configuration directly on the managed device
• Retrieve the configuration
• Revert to a previous configuration
• Import the FortiGate configuration from a local computer.
Note that FortiManager supports importing only configuration files that are downloaded from FortiManager.

The revision history also allows you to create a new revision from the device’s running configuration. Click
Retrieve Config. FortiManager checks and compares the configuration on the managed device with the current
revision history on FortiManager. If there is a difference, FortiManager creates a new revision history entry with a
new ID number.

This option can be used to resync the FortiGate device with the FortiManager device database. However,
when retrieving a configuration, firewall policy changes need to be imported to the Policy & Objects pane.

The Comments column automatically generates a comment if a retrieve operation is performed.

By default, all changes made directly on the FortiGate are automatically updated (retrieved) by FortiManager,
and reflected in Revision History and Config Status for that device in the Device Manager.

You can disable the auto-update behavior, which gives the FortiManager administrator the choice to accept or
refuse the automatic update.

If an automatic update occurs, it is no longer possible for FortiManager to be sure the selected policy package
is the same as the running firewall policy. As such, Policy Package Status returns an Out of Sync error.

You must run the Import Policy wizard on FortiManager to sync the policy package.

The green checkmark in the revision history indicates which revision history configuration corresponds to the
device manager database configuration. It is usually the top entry, which is synchronized with the FortiGate
configuration.

A revert operation within the revision history changes the device database configuration to a previous
configuration state. You must install these reverted changes to the FortiGate, which creates a new revision
entry. This new revision is a copy of the reverted one and is in sync with the FortiGate configuration.

You can revert to any previous revision by right-clicking that entry and then clicking Revert. The Installation
column of the selected entry is automatically updated to Revision Revert. FortiManager also updates the
Comments column, stating which revision it was reverted from and that an install is required.
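As an added example (not the study guide's or FortiManager's own code), this Python model of the revision history repository described in this section shows how install, retrieve, auto-update and revert each affect the revision list, the device database and the stored checksum that drives the out-of-sync check, and how a Revision Diff in its "only differences" form can be produced. The class and method names, the checksum function and the sample configurations are constructed assumptions.

```python
import difflib
import hashlib
from dataclasses import dataclass
from typing import List, Optional


def checksum(config: str) -> str:
    """Stand-in for the configuration checksum FortiManager stores with a revision."""
    return hashlib.sha256(config.strip().encode()).hexdigest()[:12]


@dataclass
class Revision:
    rev_id: int          # version/ID number shown in the Revision History table
    config: str          # complete configuration captured in this revision
    checksum: str        # FortiGate checksum recorded at install or retrieve time
    installation: str    # Installation column: Installed, Retrieved, Auto-Updated, Revision Revert
    created_by: str      # Created by column: administrator or process
    comment: str = ""    # Comments column


@dataclass
class FortiGate:
    """Constructed stand-in for the managed device; only its running configuration matters."""
    running_config: str


class RevisionHistory:
    def __init__(self, device: FortiGate) -> None:
        self.device = device
        self.device_db = device.running_config   # device-level database on FortiManager
        self.revisions: List[Revision] = []
        self.db_revision = 0                     # green checkmark: revision matching the device DB
        self._add(device.running_config, "Retrieved", "Add Device", "initial retrieve")

    def _add(self, config: str, installation: str, created_by: str, comment: str = "") -> Revision:
        rev = Revision(len(self.revisions) + 1, config, checksum(config), installation, created_by, comment)
        self.revisions.append(rev)
        self.db_revision = rev.rev_id
        return rev

    @property
    def latest(self) -> Revision:
        return self.revisions[-1]

    def is_out_of_sync(self) -> bool:
        """The FortiGate's current checksum differs from the one stored with the latest revision."""
        return checksum(self.device.running_config) != self.latest.checksum

    def install(self, admin: str = "admin") -> Optional[Revision]:
        """Install Wizard: push the device DB to the FortiGate and record an Installed revision."""
        if checksum(self.device_db) == self.latest.checksum:
            return None                           # nothing to install
        self.device.running_config = self.device_db
        return self._add(self.device_db, "Installed", admin)

    def retrieve(self, installation: str = "Retrieved", created_by: str = "admin") -> Optional[Revision]:
        """Retrieve Config: a new revision only if the running configuration differs from the latest one."""
        if not self.is_out_of_sync():
            return None
        self.device_db = self.device.running_config
        return self._add(self.device.running_config, installation, created_by, "retrieved from device")

    def auto_update(self) -> Optional[Revision]:
        """Default handling of a change made directly on the FortiGate: a retrieve tagged Auto-Updated."""
        return self.retrieve("Auto-Updated", "system")

    def revert(self, rev_id: int) -> Revision:
        """Revert: the device DB takes the older configuration, the entry is re-tagged, install still required."""
        src = self.revisions[rev_id - 1]
        src.installation = "Revision Revert"
        src.comment = f"reverted to revision {rev_id}; install required"
        self.device_db = src.config
        self.db_revision = rev_id
        return src

    def revision_diff(self, old_id: int, new_id: int) -> List[str]:
        """Revision Diff, 'only differences' form: lines added (+) or removed (-) between two revisions."""
        old = self.revisions[old_id - 1].config.splitlines()
        new = self.revisions[new_id - 1].config.splitlines()
        return [line for line in difflib.unified_diff(old, new, lineterm="", n=0)
                if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))]


# Constructed sample configurations (not from a real device).
BASE = "config system global\n    set hostname LAB-FGT\nend\n"
ROUTE = ("config router static\n    edit 1\n        set dst 10.0.2.0/24\n"
         "        set gateway 10.0.1.254\n        set device port2\n    next\nend\n")
LOCAL_DNS = "config system dns\n    set primary 10.0.1.10\nend\n"

if __name__ == "__main__":
    fgt = FortiGate(BASE)
    history = RevisionHistory(fgt)
    history.device_db = BASE + ROUTE                # static route added in Device Manager
    history.install()                               # revision 2: Installed
    fgt.running_config = BASE + ROUTE + LOCAL_DNS   # DNS changed directly on the FortiGate
    history.auto_update()                           # revision 3: Auto-Updated
    for rev in history.revisions:
        print(rev.rev_id, rev.checksum, rev.installation, rev.created_by, rev.comment)
```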

Good job! You now understand the purpose of revision history and how it can be used.

Now, let’s examine scripts.

After completing this section, you should be able to:


• Understand the capabilities of scripts
• Identify the types of scripts supported by FortiManager
By demonstrating competence in using scripts, you will be able to use scripts to make many changes to
managed FortiGates.

Scripts can make many changes to a managed device and are useful for bulk configuration changes and
consistency across multiple managed devices.

FortiManager supports two types of scripts:


• Command Line Interface (CLI): CLI scripts contain only FortiOS CLI commands, exactly as they are entered at the
command line prompt on a FortiGate device.
• Tool Command Language (TCL): TCL is a dynamic scripting language that extends the functionality of CLI
scripting. In FortiManager TCL scripts, the first line of the script is #! (number sign plus exclamation mark),
as in standard TCL scripts. Do not include the exit command that normally ends TCL scripts;
it prevents the script from running. You must be familiar with the TCL language and regular
expressions. For more information about TCL scripts, see the official TCL website: http://www.tcl.tk

In FortiManager’s GUI, scripts are enabled under Admin Settings and configured from Device Manager. For
TCL scripts, you also need to enable show command for TCL scripts from the FortiManager CLI.

In this lesson, we will be covering only CLI scripts.

When creating CLI scripts, follow these best practices:

• Use complete FortiOS CLI commands. Partial syntax can be used; however, it may cause the script to fail.
• A line that starts with the number sign (#) is a comment and does not execute.
• In the FortiGate CLI, ensure the console output is set to standard. Otherwise, scripts and other output
longer than a screen in length will not execute or display correctly.

Scripts can be run in three different ways:


• Device database: By default, a script is executed on the device database. It is recommended that you run the
changes on the device database (the default setting), because this allows you to check which configuration changes
you will send to the managed device. Once a script has been run on the device database, you can install the
changes on the managed device using the Install Wizard.
• Policy package, ADOM database: If a script contains changes related to ADOM-level objects and policies,
you can change the default selection to run on Policy Package, ADOM database; the changes can then be installed
using the Install Wizard.
• Remote FortiGate directly (through the CLI): A script can be executed directly on the device, and you do not
need to install the changes using the Install Wizard. Because the changes are applied directly on the
managed device, there is no way to verify and check the configuration changes through FortiManager
before executing the script.

You can also apply options in Advanced Device Filters, which you can use to restrict the scripts to running
on managed devices only if the device matches the set criteria.

This diagram shows FortiManager-FortiGate interactions. As you can see in this slide, when an install is
performed from the FortiManager to FortiGate, it creates a new revision history.

If a script is run on a device database or on a policy package, an install must be performed from
FortiManager.

If a script is run directly on a remote device, an auto update occurs, which creates a new revision and updates the
device-level database.

If a retrieve is performed from FortiManager or an auto update occurs, FortiManager creates a new revision
history entry. If the changes are related to policies or objects, you must run the Import Policy wizard to import the
policies and objects into the ADOM database.

Once you’ve configured the script, you can browse the ADOM script list for the ADOM that contains the script
you would like to run.
To run the script now, select the script and click Run Scripts Now.
You can also schedule the script to run at a specific time, for example, outside of business hours. This is useful
when you don’t want to interfere with the production network during business hours. To open the window
where you can schedule the script to run, right-click the script and click Schedule Scripts.

The right-click menu also provides other options, such as create new script, edit, clone, and delete the
existing script. You can also export the script by clicking Export. The exported script can be saved on your
local computer in .txt format. Scripts can also be imported as text files from your local computer by clicking
Import.

To view the script history, go to the device dashboard. Under the Configuration and Installation Status
widget, click View History to open the Script Execution History table. This table provides additional
information such as name, type, execution time, and status of the script. Click the Browse icon to open the
Script History dialog box and confirm that the script ran.

The Script Execution History table also allows you to re-run the script. Click the Run Script Now icon in the
far right column of the table to re-run the script.

You can also use scripts to get information from the FortiGate device. These are usually one-line scripts that
use show commands, and they should be chosen to run on Remote FortiGate Directly (via CLI). Running them on
the device or ADOM database will not provide any useful information.

FortiManager supports dynamic mapping of interfaces and objects so that they can be used with multiple
policy packages. You can configure these dynamic mappings from the FortiManager GUI under the Policy &
Object pane.

But what if you need to configure dynamic mapping for hundreds of FortiGates for an address object or
interface?
You can use scripts, but they require a special CLI syntax that applies only to FortiManager internally and is
used to create dynamic mappings. It is a two-part script:
• The top part is regular FortiOS CLI syntax defining the object
• The bottom part is special FortiManager CLI syntax that creates the dynamic mapping for the object or interface
defined in the top part

You can also run a real-time debug on the FortiManager when executing scripts which shows the request
performed and the outcome of the request.

These are the common errors, their common causes, and the usual way to fix them. You can use them to
diagnose and troubleshoot script failures.

The common errors and their causes are:
• command parse error: It was not possible to parse this line of your script into a valid FortiGate CLI
command. This is usually caused by misspelled keywords or an incorrect command format.
• unknown action: Generally this message indicates that the previous line of the script was not executed,
causing the following CLI commands to fail to execute properly.
• Device <name> failed-1: This usually means there is a problem with the end of the script. The
<name> is the name of the FortiGate on which the script is executed. If a script has no end statement, or
that line has an error in it, you may see this error message. You may also see this message if the FortiGate
unit has not been synchronized by deploying its current configuration.
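As an added example (not from the study guide), a small Python check for the structure of a CLI script before it is run, modelled on the best practices and the error causes listed above: comment lines starting with # are dropped, an unknown leading keyword is reported as the likely cause of a command parse error, a setting command that follows a failed line is reported as an unknown action, and blocks left open at the end of the script are reported as the likely cause of Device <name> failed-1. The keyword sets and the sample scripts are constructed assumptions; this is not the FortiOS parser.

```python
from typing import List, Tuple

# Leading keywords this check recognises (assumption: a practical subset of the FortiOS CLI,
# not its full grammar).
SETTING_COMMANDS = {"set", "unset", "append", "unselect", "delete", "purge"}
ONE_LINE_COMMANDS = {"show", "get", "diagnose", "execute"}


def lint_cli_script(script: str) -> Tuple[List[str], List[str]]:
    """Return (findings, lines_to_send) for a FortiManager CLI script.

    findings lists problems with the line they occur on; lines_to_send is the command
    sequence that would actually be sent to the FortiGate (comments and blanks removed).
    """
    findings: List[str] = []
    to_send: List[str] = []
    stack: List[str] = []        # open blocks, each "config" or "edit"
    for n, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # blank or comment line: never executed
            continue
        to_send.append(line)
        words = line.split()
        word = words[0]
        if word == "config":
            if len(words) < 2:
                findings.append(f"line {n}: 'config' needs a table path")
            stack.append("config")
        elif word == "edit":
            if stack and stack[-1] == "config":
                stack.append("edit")
            else:
                findings.append(f"line {n}: 'edit' outside a config block (unknown action)")
        elif word == "next":
            if stack and stack[-1] == "edit":
                stack.pop()
            else:
                findings.append(f"line {n}: 'next' without a matching 'edit'")
        elif word in ("end", "abort"):
            if "config" in stack:
                while stack.pop() != "config":   # also closes an edit entry left open
                    pass
            else:
                findings.append(f"line {n}: '{word}' without a matching 'config'")
        elif word in SETTING_COMMANDS:
            if not stack:
                findings.append(f"line {n}: '{word}' outside a config block (unknown action)")
        elif word in ONE_LINE_COMMANDS:
            pass                                 # read-only or one-line commands, allowed anywhere
        else:
            findings.append(f"line {n}: command parse error, unknown keyword '{word}'")
    if stack:
        findings.append(f"end of script: {len(stack)} block(s) still open, missing 'end' or 'next' "
                        "(likely cause of Device <name> failed-1)")
    return findings, to_send


# Constructed sample scripts (not from a real deployment).
GOOD_SCRIPT = """\
# constructed example: set DNS servers and add a static route
config system dns
    set primary 10.0.1.10
    set secondary 10.0.1.11
end
config router static
    edit 1
        set dst 10.0.2.0/24
        set gateway 10.0.1.254
        set device port2
    next
end
"""

BAD_SCRIPT = """\
confg system dns
    set primary 10.0.1.10
config router static
    edit 1
        set dst 10.0.2.0/24
    next
"""

if __name__ == "__main__":
    for name, script in (("good", GOOD_SCRIPT), ("bad", BAD_SCRIPT)):
        findings, lines = lint_cli_script(script)
        print(f"{name}: {len(lines)} command lines, {len(findings)} finding(s)")
        for finding in findings:
            print("  ", finding)
```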

To resolve script failures, use the script history, which shows which CLI commands were executed and on
which CLI command execution failed.

When troubleshooting scripts, you can check the Script History to see details about the script. The task
monitor also provides the same information along with other tasks performed. You can also change the
logging level to debug for event logs which creates the log for the actions performed.

You can use the execute fmscript command tree on FortiManager to manage scripts from the CLI.

The execute fmscript command tree provides various commands for scripts, such
as deleting scheduled scripts, copying scripts between ADOMs, importing scripts, listing all the configured
scripts in an ADOM, or showing the script log for a device.

To summarize, this slide shows the ways you can make configuration changes to the device-level
settings of a managed FortiGate.

Good job! You now understand the purpose and use of scripts.

Now, let’s examine device groups.

After completing this section, you should be able to:


• Understand the use of device groups
• Configure device groups
By demonstrating competence in device groups, you will be able to administer and manage FortiGates more
effectively and efficiently.

Device groups can be created in an ADOM. They can be used to simplify a management action by providing
a single target that represents multiple devices for scripts and configuration changes.

You can create a new device group by clicking Device Group > Add and selecting the devices to add to
the group.

Note that to delete a device group, you must delete all devices from it first. Similarly, to delete an ADOM, you
must delete all device groups from it first.

Congratulations! You have completed this lesson.

To review, these are the objectives that we covered in this lesson:


• Configure device-level settings
• Understand FortiGate configuration status and synchronization behavior
• Push configuration changes to a FortiGate
• Use revision history for diagnosing and troubleshooting
• Configure and install scripts on managed devices
• Use device groups for simplifying management of FortiGates

 Policy & Objects

In this lesson, we will examine how to manage policy and objects on FortiManager for FortiGate. You will
configure policy and objects on FortiManager, and then install them on FortiGate.

In this lesson, we will explore the following topics:


• Policies and Objects Management
• Import and Install Wizards
• ADOM Revision and Database Versions
• Policy Locking and Workflow Mode
• Global ADOM

After completing this section, you should be able to:


• Describe policy workflow
• Create policy packages and objects
• Create installation targets for policies and policy packages
• Configure dynamic objects
• Use the policy check feature
• Clone a policy package

Before FortiManager can manage policies and objects for managed security devices, you must understand
the features of the Policy & Objects pane, which you use to customize policies in an organization. Typically,
administrators may want to customize access and policies based on factors such as geography, or security or
legal requirements.

Let's explore the Policy & Objects pane on FortiManager.

You can create multiple policy packages in a single ADOM. FortiManager allows you to customize policy
packages for each device or VDOM in a specific ADOM. You can point these policy packages at a single
device, multiple devices, all devices, a single VDOM, multiple VDOMs, or all devices in a single ADOM.
FortiManager helps simplify provisioning of new devices, ADOMs, or VDOMs by allowing you to copy or clone
existing policy packages. You can also create the ADOM revision, which allows you to maintain a revision of
the policy packages and objects settings in an ADOM.

Policy packages simplify centralized firewall policy management by providing a useful container for your
firewall rule set. Policy packages contain firewall policies which, in turn, link to the objects you define on the
Object Configuration pane. Objects share the common object database for each ADOM. You can share
objects among multiple policy packages in the ADOM.

You can manage a common policy package for many devices in an ADOM, or have a separate policy
package for each device. Policy packages allow you to maintain multiple versions of the rule set. For example,
you can clone a policy package before you make changes, which allows you to preserve the previous rule set.

A word of caution: While policy packages allow for multiple versions of a firewall policy rule set, the objects
referenced in those packages do not have multiple versions—they use only a current value.

For example, let’s say you clone a policy package, add a new rule, and then change the value of a shared
object. If you return to a previous version of the policy package, you will back out of the rule that you added,
but not the modification to the shared object. The only way to return to a previous version of the policy
package, including backing out of the rule that you added and the modification to the shared object, is to use
ADOM revisions, which takes a snapshot of the Policy & Objects database for that ADOM.

In a single ADOM, administrators can create multiple policy packages. FortiManager allows you to customize
the policy packages for each device or VDOM in a specific ADOM, or apply a single policy package for
multiple devices in an ADOM. By defining the scope of a policy package, an administrator can modify or edit
the policies in that package, without changing other policy packages.

All objects in an ADOM are managed by a single database that is unique to that ADOM. Objects inside the
database include firewall objects, security profiles, users, and devices.
Objects are shared in the ADOM and can be used among multiple policy packages. This simplifies the job of
the administrator. For example, you can create a security profile once and attach it to multiple policy packages
for installation on multiple FortiGate devices.

To create or edit the existing object, in Object Configurations, select the object type from the menu on the
left side of the screen.

The Display Options feature lets you choose which features are shown in the GUI. The available display options
depend on the ADOM version and vary from one ADOM to another.

By default, when you open Display Options, the check boxes for the most common options are selected. You
can show or hide a feature in Display Options by selecting or clearing the check box beside the feature. You
can show all of the options in a category by selecting the check box beside the category name, or show all of
the categories by selecting Check All at the bottom of the Display Options window.

You can also enable additional firewall policy types such as NAT64, IPv6, and interface policies in Display
Options.

Policy folders help you manage your policy packages. You can customize policies based on organization,
geography, security requirements, or legal requirements, and organize policies in specific policy folders.

To create a new policy folder, click Policy Package > New Folder. You can also create sub-folders in policy
folders to help you better organize your policy packages.

To create or edit a policy, in a policy package, select the IPv4 Policy. You can create a new policy or edit an
existing policy. Right-click the sequence number of an existing policy to view more options such as clone, cut,
paste, move, and so on.

To add objects to, or remove objects from, the firewall policy, click the Object Selection column. The
currently used object is highlighted in yellow. When you select other objects in the list, they will be highlighted
in yellow.

In a policy package, you can search or filter policies. There are two types of searches available:
• Simple search: This option is selected by default and highlights text that matches the string you enter in
the search box.
• Column filter: You can switch to the column filter in the drop-down list. It allows you to search for firewall
policies by column. You can add multiple filters, and apply Or or Not conditions to the search.

A policy package has an installation target on one or more devices or VDOMs. Policy packages can share the
same installation target, however, only one policy package can be active on a device or VDOM. The active
policy package is listed on the Device Manager pane.

To add, edit, or delete an installation target, click Policy Package > Installation Targets.

After you add an installation target, it appears in the list of Installation Targets. When you install a newly-
assigned policy package on a target, the installation wizard displays a warning message that contains the
name of the previously-assigned policy package.

After you install the new policy package, it appears as the active policy package for these devices or VDOMs
on the Device Manager pane, in the Policy Package Status column.

What if you need to share a policy package among many devices with the exception of only a few policies for
specific FortiGate devices?

You can perform granular installation targets per rule in the actual policy by clicking the Install On column.
This allows you to target devices to add, remove, or set to defaults.

So, by using an installation target, you can share a policy package among multiple devices, and define rules
per device in the policy. Shared policy packages are helpful in environments where many devices need to
share common policies (with the exception of a few policies that you can target per device), and eliminate the
need for multiple policy packages.

All objects in an ADOM are managed by a single database unique to the ADOM. Many objects now include
the option to enable dynamic mapping. You can use dynamic objects to map a single logical object to a
unique definition per device. You can dynamically map common features such as addresses, interfaces,
virtual IPs, and IP pools.
A common example is a firewall address. You may have a common name for an address object, but have a
different value depending on the device it is installed on.

In the example shown on this slide, the dynamic address object LocalLan refers to the internal network
address of the managed firewalls. The object has a default value of 192.168.1.0/24. The mapping rules
are defined per device. For the Remote-FortiGate, the address object LocalLan refers to 10.10.11.0/24,
whereas for the Local-FortiGate device the same object refers to 10.10.10.0/24. The devices in the ADOM
that do not have dynamic mapping for LocalLan have a default value of 192.168.1.0/24.

To add devices for dynamic mapping, turn on the Per-Device Mapping switch, and then, in the Per-Device
Mapping section, click Add. In the pop-up window that appears, select the device and set the IP
range/subnet.

Interface mapping on the Policy & Objects pane dynamically maps to interfaces on the managed device.
Firewall policies created in policy packages refer to these mappings. After you install the policy packages, the
interface mapping is translated to the local interfaces on the managed device.

Interface mappings that you define in Zone/Interface have two types: zone and interface. The type defines
how the rule is translated to the device. When you select Dynamic Interface, it becomes the interface type,
and the interface name maps one-to-one to an interface configured on the managed device. If you select
Zone, then that zone is created locally on the FortiGate.

In the example shown on this slide, External is mapped to wan2. When you install a policy package on
FortiGate, External is translated to wan2 locally on FortiGate.
TrustedZone is mapped to dmz1 and dmz2. When you install a policy package on FortiGate, it creates the
TrustedZone locally on the FortiGate device that contains the dmz1 and dmz2 interfaces.

You can use these dynamic interfaces or zones to map multiple FortiGates that have different interfaces in the
same ADOM.

As per the previous slide, External is mapped to wan2 on the managed FortiGate. Therefore, after a firewall
policy is installed on the managed FortiGate, the External interface will appear as wan2.

TrustedZone, however, remains untouched, because you installed it on the device as a zone and the dmz1
and dmz2 interfaces are part of it.
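To make the per-device translation of dynamic objects and interface mappings concrete, here is an added Python example (not FortiManager code) that resolves the LocalLan address object and the External and TrustedZone mappings for one device and renders the FortiOS CLI lines an install would produce. The device names, LocalLan values and the Local-FortiGate interface mappings come from the slides above; the Remote-FortiGate interface mappings, the policy itself, and raising ValueError when a target has no mapping are assumptions.

```python
"""Added example (not FortiManager code): resolve dynamic address objects and
dynamic interface/zone mappings for one managed device and render the FortiOS
CLI that an install would produce. Data below is constructed for illustration."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class DynamicAddress:
    """Logical address object: one default value plus per-device mappings."""
    name: str
    default: str
    per_device: dict = field(default_factory=dict)

    def resolve(self, device):
        # Devices without a mapping fall back to the default, as on the slide.
        return self.per_device.get(device, self.default)


@dataclass
class DynamicInterface:
    """Mapping of type 'interface' (one-to-one) or 'zone' (created on the device)."""
    name: str
    kind: str
    per_device: dict = field(default_factory=dict)

    def resolve(self, device):
        if device not in self.per_device:
            # Assumed behaviour, mirroring the install wizard's validation step:
            # a referenced mapping missing on the target stops the install.
            raise ValueError(f"{self.name}: no interface mapping for {device}")
        return list(self.per_device[device])


def fortios_subnet(cidr):
    """'10.10.10.0/24' -> '10.10.10.0 255.255.255.0' (FortiOS 'set subnet' form)."""
    n = ipaddress.ip_network(cidr, strict=True)
    return f"{n.network_address} {n.netmask}"


def local_name(iface, device):
    # A zone keeps its logical name (it is created on the device); an
    # interface-type mapping is translated to the device's local interface.
    return iface.name if iface.kind == "zone" else iface.resolve(device)[0]


def render(device, addresses, interfaces, policies):
    """Translate the package for one device into FortiOS CLI lines."""
    by_name = {i.name: i for i in interfaces}
    lines = []
    zones = [i for i in interfaces if i.kind == "zone"]
    if zones:
        lines.append("config system zone")
        for z in zones:
            members = " ".join(f'"{m}"' for m in z.resolve(device))
            lines += [f'    edit "{z.name}"', f"        set interface {members}", "    next"]
        lines.append("end")
    lines.append("config firewall address")
    for a in addresses:
        lines += [f'    edit "{a.name}"',
                  f"        set subnet {fortios_subnet(a.resolve(device))}", "    next"]
    lines.append("end")
    lines.append("config firewall policy")
    for pid, p in enumerate(policies, start=1):
        src = local_name(by_name[p["srcintf"]], device)
        dst = local_name(by_name[p["dstintf"]], device)
        services = " ".join(f'"{s}"' for s in p["service"])
        lines += [f"    edit {pid}",
                  f'        set srcintf "{src}"',
                  f'        set dstintf "{dst}"',
                  f'        set srcaddr "{p["srcaddr"]}"',
                  f'        set dstaddr "{p["dstaddr"]}"',
                  f"        set service {services}",
                  f'        set action {p["action"]}',
                  '        set schedule "always"',
                  "    next"]
    lines.append("end")
    return lines


# Values from the slides: LocalLan default and the two per-device mappings.
LOCAL_LAN = DynamicAddress("LocalLan", "192.168.1.0/24", {
    "Remote-FortiGate": "10.10.11.0/24", "Local-FortiGate": "10.10.10.0/24"})
# External -> wan2 and TrustedZone -> dmz1/dmz2 are from the slide (Local-FortiGate);
# the Remote-FortiGate mappings are assumed.
EXTERNAL = DynamicInterface("External", "interface", {
    "Local-FortiGate": ["wan2"], "Remote-FortiGate": ["wan1"]})
TRUSTED_ZONE = DynamicInterface("TrustedZone", "zone", {
    "Local-FortiGate": ["dmz1", "dmz2"], "Remote-FortiGate": ["dmz"]})
# Constructed policy that references only the logical names ("all" is built in).
POLICIES = [{"srcintf": "TrustedZone", "dstintf": "External", "srcaddr": "LocalLan",
             "dstaddr": "all", "service": ["HTTP", "HTTPS"], "action": "accept"}]

if __name__ == "__main__":
    print("\n".join(render("Local-FortiGate", [LOCAL_LAN], [EXTERNAL, TRUSTED_ZONE], POLICIES)))
```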

On FortiManager, it is possible to delete an object that is in use. FortiManager will display a warning message
stating that the object is currently used by other firewall policies or objects. To view the references to this
object, click Where Used. However, if you delete a used object, FortiManager will replace it with a none object.
The none object is equal to null, which means any traffic that matches that firewall policy will be blocked,
unless there is a broader policy that still matches the traffic, or a policy that allows all traffic (catch-all).

It is highly recommended to double-check all references to objects before deleting them, to avoid unintended
firewall policy behavior.

Find Unused Objects is a built-in GUI tool that helps administrators locate all unused firewall objects in the
FortiManager ADOM object database. Find Unused Objects searches all types of firewall objects and displays
the results in a pop-up window. Unused objects can be deleted directly from the Unused Objects pop-up
window. This removes the selected objects from FortiManager's ADOM object database.

Similar to Find Unused Objects, the Find Duplicate Objects tool searches FortiManager's firewall object
database and displays all objects that have duplicate values assigned to them. In the example shown on this
slide, the tool found that the address objects LAN and localLAN have the same subnet. After duplicate
objects are found, administrators can use the same wizard to merge objects, if needed.

Policy check provides recommendations only on what improvements can be made—it does not perform any
changes. It uses an algorithm to evaluate policy objects, based on:
• Source and destination interface policy objects
• Source and destination address policy objects
• Service and schedule policy objects

Policy check checks for:


• Duplication, where two objects have identical definitions
• Shadowing, where one object completely shadows another object of the same type
• Overlap, where one object partially overlaps another object of the same type
• Orphaning, where an object has been defined, but has not been used anywhere

To perform a policy check, select a policy package, and then, in the Policy Package drop-down list, click
Policy Check. In the Policy Consistency Check dialog box, you can select one of two options:
• Perform Policy Consistency Check: This performs a policy check for consistency and provides any
conflicts that may prevent your devices from passing traffic
• View Last Policy Consistency Check Result: This allows you to view the results of the most recent
consistency check.

In the example shown on this slide, policy IDs 1 and 2 have the same source and destination interfaces and
address objects, but different services. You can combine these two policies by adding both services to one
policy.

It is important to note that the policy check only provides recommendations on what improvements can be
made—it does not actually make any changes.
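As an added illustration of the checks described on the Find Unused Objects, Find Duplicate Objects and Policy Check slides, the following Python example (not FortiManager code) runs a simplified consistency check over a constructed rule set: it reports duplicate, shadowed and overlapping policies, flags policies that differ only in service as merge candidates (the policy ID 1 and 2 case above), and lists orphaned and duplicate address objects. Schedules are omitted, and the comparison rules and all object and policy values are assumptions made for this example.

```python
"""Added example (not FortiManager code): a simplified policy consistency
check plus Find Unused / Find Duplicate Objects over a constructed ADOM
object database. Schedules are omitted and the rules are simplified."""
import ipaddress
from itertools import combinations

# Constructed address objects (name -> subnet). "all" is the built-in catch-all.
ADDRESSES = {
    "all": "0.0.0.0/0",
    "LAN": "10.10.10.0/24",
    "localLAN": "10.10.10.0/24",   # same value as LAN: a duplicate object
    "DMZ_Servers": "10.10.20.0/24",
    "Guest": "172.16.0.0/16",      # referenced by no policy: an orphan
}

# Constructed rule set in evaluation order. "ALL" is the catch-all service.
POLICIES = [
    {"id": 1, "srcintf": "Internal", "dstintf": "External",
     "srcaddr": "LAN", "dstaddr": "all", "service": {"HTTP"}},
    {"id": 2, "srcintf": "Internal", "dstintf": "External",
     "srcaddr": "LAN", "dstaddr": "all", "service": {"HTTPS"}},
    {"id": 3, "srcintf": "Internal", "dstintf": "External",
     "srcaddr": "localLAN", "dstaddr": "all", "service": {"HTTP"}},
    {"id": 4, "srcintf": "Internal", "dstintf": "DMZ",
     "srcaddr": "LAN", "dstaddr": "DMZ_Servers", "service": {"ALL"}},
    {"id": 5, "srcintf": "Internal", "dstintf": "DMZ",
     "srcaddr": "LAN", "dstaddr": "DMZ_Servers", "service": {"SSH"}},
    {"id": 6, "srcintf": "Internal", "dstintf": "DMZ",
     "srcaddr": "all", "dstaddr": "DMZ_Servers", "service": {"HTTP"}},
]


def net(name, addresses):
    # Objects are compared by resolved value, so LAN and localLAN are equal here.
    return ipaddress.ip_network(addresses[name])


def svc_covers(a, b):
    return "ALL" in a or b <= a


def svc_intersects(a, b):
    return "ALL" in a or "ALL" in b or bool(a & b)


def same_path(a, b):
    return a["srcintf"] == b["srcintf"] and a["dstintf"] == b["dstintf"]


def covers(a, b, addresses):
    """True when policy a matches every packet that policy b matches."""
    return (same_path(a, b)
            and net(b["srcaddr"], addresses).subnet_of(net(a["srcaddr"], addresses))
            and net(b["dstaddr"], addresses).subnet_of(net(a["dstaddr"], addresses))
            and svc_covers(a["service"], b["service"]))


def intersects(a, b, addresses):
    """True when some packet could match both policies."""
    return (same_path(a, b)
            and net(a["srcaddr"], addresses).overlaps(net(b["srcaddr"], addresses))
            and net(a["dstaddr"], addresses).overlaps(net(b["dstaddr"], addresses))
            and svc_intersects(a["service"], b["service"]))


def same_flows(a, b, addresses):
    """Same interfaces and same resolved addresses; only the service differs."""
    return (same_path(a, b)
            and net(a["srcaddr"], addresses) == net(b["srcaddr"], addresses)
            and net(a["dstaddr"], addresses) == net(b["dstaddr"], addresses))


def check_policies(policies, addresses=ADDRESSES):
    """Return (kind, earlier_id, later_id) findings; nothing is modified."""
    findings = []
    for a, b in combinations(policies, 2):   # a precedes b in the rule set
        ab, ba = covers(a, b, addresses), covers(b, a, addresses)
        if ab and ba:
            findings.append(("duplicate", a["id"], b["id"]))
        elif ab:
            findings.append(("shadow", a["id"], b["id"]))   # b can never match
        elif same_flows(a, b, addresses):
            findings.append(("merge", a["id"], b["id"]))    # combine the services
        elif intersects(a, b, addresses):
            findings.append(("overlap", a["id"], b["id"]))
    return findings


def find_unused_objects(policies, addresses=ADDRESSES):
    """Orphaned address objects: defined but referenced by no policy."""
    used = {p[k] for p in policies for k in ("srcaddr", "dstaddr")}
    return sorted(n for n in addresses if n not in used)


def find_duplicate_objects(addresses=ADDRESSES):
    """Groups of address objects whose values are identical."""
    by_value = {}
    for name, cidr in addresses.items():
        by_value.setdefault(ipaddress.ip_network(cidr), []).append(name)
    return [sorted(names) for names in by_value.values() if len(names) > 1]


if __name__ == "__main__":
    for kind, first, second in check_policies(POLICIES):
        print(f"{kind:<9} policy {first} vs policy {second}")
    print("unused:", find_unused_objects(POLICIES))
    print("duplicates:", find_duplicate_objects())
```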

To clone a policy package, select the policy package, and then, in the Policy Package drop-down list, click
Clone Package. Because the policy package is a clone, it will have the same installation target as the original
policy package, but you can edit this.

In the example shown on this slide, the existing policy package Local-FortiGate is cloned and named
Clone_of_Local-FortiGate. The newly-created policy package has the same installation target devices as
Local-FortiGate.

Warning: You should not point more than one policy package at a target because that increases the chance
of user error.

Good job! You now understand policies and object management.

Now, let's examine import and install wizards.

After completing this section, you should be able to:


• Interpret the status of a device on FortiManager
• Use the Import Policy wizard
• Use the Install wizard
• Use the Re-install wizard

Now that you understand the options for configuring and managing firewall policies on the Policy & Objects
pane, let's examine the Import Policy wizard and the Install wizard, which you can use to manage devices
on FortiManager.

After every retrieve, auto-update, and installation operation, FortiManager stores the FortiGate configuration in
the revision history.

The illustration on this slide shows the status of the policy package:
• Imported: Indicates that a policy package was successfully imported for a managed device
• Installed: Indicates that a policy package was installed on a managed device
• Never Installed: A policy package was never created for the managed device, hence it was never imported
• Modified: The policy package configuration was changed on FortiManager and the changes have not yet been
pushed to the managed device
• Out-of-sync: The latest policy package does not match the policies and object configuration on the latest
revision history because of configuration changes made locally on FortiGate or a previous partial
installation failure. You should perform a retrieve, and then import policies from FortiManager.
• Conflict: If you make policy configuration changes locally on FortiGate and don’t import the changes into
the policy package, and you also made the changes on FortiManager, the status enters conflict state.
Depending on the configuration changes, you can either import a policy package or install the changes
from FortiManager.
• Unknown: FortiManager is unable to determine the policy package status.

You can resolve most policy status issues by importing a policy package or installing a policy package.

The screen capture at the top of the slide shows the output of the diagnose dvm device list command, in
which the policy package is modified while the config status is in sync. This indicates that only the policy
package is modified, not the device-level settings. The same information is also available in the GUI, as
shown in the screen capture at the bottom of the slide.

It is common for FortiGate to already have a running configuration. The Import Policy wizard guides you
through importing policies and objects into FortiManager. When you import a device, you create a new policy
package that does not interfere with other packages. However, objects you import will add to, or update,
existing objects. You may want to create a new ADOM revision before performing an import.

If you add an unregistered device to FortiManager, you must run the Import Policy wizard after promoting the
device.

The next few slides explore the stages that the wizard guides you through.

The first step in the wizard is the Interface Map. Interface mappings are created for interfaces configured on
the firewall. This allows the device interfaces to be referenced in policy packages. You can rename the ADOM
interface mapping in the wizard. In the example shown on this slide, we are renaming port1 to External
and port3 to Internal. Policies on the Local-FortiGate are on port1 and port3, but on the
FortiManager they will be referenced locally as External and Internal. Note: By default, the Add
mappings for all unused device interfaces check box is selected and creates an automatic mapping for the
new interface.

The next step in the wizard is the Policy Package. In this step, the wizard performs a policy search to find all
policies in preparation for import into FortiManager's database. You may choose to import all firewall policies,
or select specific policies to import. If you choose to import only specific policies into the policy package and
later install policy changes, the policies that were not imported will be deleted locally on the FortiGate. This is
because FortiManager does not have those policies in the policy package.

Also, you can choose whether to import all configured objects, or only the objects referenced by the current
firewall policies. Regardless of whether you choose to import only policy-dependent objects or all objects, the
orphan (unused) objects that are not tied to policies locally on FortiGate will be deleted in the next installation.
But if you choose to import all objects, then all used and unused objects are imported into the FortiManager
ADOM object database and can be used later by referencing them in policies on FortiManager and installing
them on the managed devices.

By default, Import All and Import only policy dependent objects are selected when you run the Import
Policy wizard. As a word of caution, if you are managing many devices in an ADOM and select Import all
objects for all devices, the object database will become too full of unused objects, which can be
overwhelming for an administrator.

After the import is complete, the wizard provides the Import Summary and the Download Import Report.
You can download the import report, which is only available on the Import Device page. You can view the
report using any text editor.

As a best practice, you should download the report.

The import report provides information about FortiGate, the ADOM name on FortiManager, and the policy
package name. The report also provides additional information, such as the objects that have been added as
new objects. Existing objects that have the same values locally on FortiGate and FortiManager are referred to
as DUPLICATE. If the value of an existing object is changed, FortiManager updates that in its database and
shows update previous object in the import report.

After you make configuration changes to the policy package, the Policy Package Status is flagged as
Modified on the Device Manager pane. There are multiple ways to launch the installation wizard: on the
Device Manager pane as well as on the Policy & Objects pane. If you are using ADOMs, make sure you
select the ADOM from the ADOM drop-down list first.

Now, let’s go through the process of installing policy configuration changes using the Install wizard. During
this process, the policy and device configuration items are installed on the managed device. After the
installation is complete, FortiManager and FortiGate are in sync and the Policy Package Status changes
from Modified to Installed (Synchronized).

When you select Install Policy Package & Device Settings , it installs the policy package and any pending
device-level changes.

The policy package you select is displayed and you have the option to create a new ADOM revision for this
installation. Note that an ADOM revision is a snapshot of the entire ADOM and not the changes specific to this
policy package.

You can also enable Schedule Install, which allows you to specify the date and time to install the latest policy
package changes.

The wizard also shows the devices that have pending changes to be installed.

The next step is Device Selection. In this step, the wizard displays the devices selected in the installation
target for the specific policy package.

The next step in the wizard is validation. In this step, the wizard checks that the policy package selected is
suitable for the installation targets selected, such as whether the interface mapping reference in the policy
package is configured on the installation targets. If the validation fails, the installation will stop.

Before performing the installation, as a best practice, always preview and verify the changes that will be
committed to FortiGate. If this is the first installation, you may see many changes, because objects may have
been renamed during the import process and unused objects removed from the device configuration. If you
don’t want to proceed with the installation, you can cancel the installation at this step in the wizard.

The last step is Install, which is the actual installation. The wizard lists the devices on which configuration
changes were installed. Any errors or warnings that occur during installation appear here as well. If the
installation fails, the installation history indicates the stage at which the installation failed. You can also check
the installation history for the successful installation too.

In the example shown on this slide, the wizard indicates that the configuration changes were successfully
installed on FortiGate, and that FortiManager has created a new revision history for this installation.

FortiManager also provides a Re-install Policy option. A re-installation is the same as an installation except
there are no prompts and it provides the ability to preview the changes that will be installed on the managed
device. The Re-install Policy will create a new revision history and apply it to all selected installation targets.

Good job! You now understand FortiManager policies and objects management, as well as import and install
wizards.

Now, let's examine ADOM revision and database versions.

After completing this section, you should be able to:


• Describe the purpose of ADOM revisions
• Identify the database version of an ADOM and understand how it affects the Policy & Objects
configurations

Now that we have gone over the import and install wizards, let's take a look at ADOM revisions and their effect
on Policy & Objects configurations.

ADOM revision saves the policy package and objects locally on FortiManager.

You can create a new ADOM revision, view differences between revisions, or revert to a specific ADOM
revision. As a word of caution, if you choose to revert to a specific ADOM revision, you will revert all the policy
packages and objects based on that revision.

Warning: Keep in mind that ADOM revisions can significantly increase the size of the configuration backup.

You can delete revisions automatically based on given variables, and you can lock individual revisions to
prevent them from being automatically deleted. Click Settings for access to the auto-deletion settings.

Each ADOM is associated with a specific FortiOS version, based on the firmware version of the devices that
are managed in that ADOM. The selected version determines the CLI syntax that is used to configure the
devices. Select this version when you create a new ADOM.
You must update all of the FortiGate devices in an ADOM to the latest FortiOS firmware version before you can
upgrade the ADOM version.

The example on this slide shows there are fewer security profiles available in FortiOS 5.2.

In version 5.4, the CLI command syntax has changed because more security profiles were added, which
changed the configuration. So, it is very important to make sure you add FortiGate to an ADOM based on its
specific FortiOS firmware version.

When you move a device from one ADOM to another, policies and objects (used and unused) don’t move to
the new ADOM.

If you need to move a device from one ADOM to another, make sure you retrieve the configuration after
moving the device to new ADOM, and then run the import policy wizard to import the policy package into the
new ADOM.

What if you need to use unused objects from a previous ADOM in the new ADOM? You can copy objects from
one ADOM to another using the FortiManager CLI.

Good job! You now understand ADOM revision and database versions.

Next, let’s examine policy locking and workflow mode.

After completing this section, you should be able to:


• Describe the purpose of policy locking and workflow mode, and understand when to use them

Let’s go over the purpose and use of policy locking and workflow mode on the FortiManager.

Policy locking is available in workspace normal mode only. Policy locking allows administrators to work on,
and lock, a single policy package instead of locking the whole ADOM. In order to use policy locking, you must
set workspace-mode to normal. You can lock either the whole ADOM or a specific policy package. Policy
locking is an extension of ADOM locking, which allows multiple administrators to work on separate policy
packages on the same ADOM at the same time. The policy lock is automatically released at administrator
timeout, or if the administrator closes a session gracefully without unlocking the policy package.

Instead of workspaces, you can use workflow mode. Before enabling workflow mode, notify other
administrators logged in to FortiManager to save their work, because enabling it terminates all management
sessions. You can use workflow mode to control the creation, configuration, and installation of firewall policies and objects.
Approval is required before changes can be installed on a device. All the modifications made in a workflow
mode session must be discarded or submitted for approval at the end of the session. Sessions that are
rejected can be repaired and resubmitted for approval as new sessions. All sessions must be approved in the
same order in which they were created to prevent any conflicts.

In workflow mode, panes related to FortiGate configuration are read-only at first. To create a new workflow
mode session, you must lock the ADOM first, similar to workspaces. You must enable workflow mode in the
CLI. Enabling workflow mode will log out all administrators.

The illustration on this slide shows how to use workflow mode.

When Admin A locks the ADOM, a green lock icon appears. Admin A has read-write access and creates a
new session on the Policy & Objects pane in the ADOM. Admin A makes configuration changes to the
managed devices and submits the request for approval to Admin B. This approval submission automatically
unlocks the ADOM.

Admin B must have Read/Write permission for Workflow Approve. Admin B then locks the ADOM and has
read-write access. Admin B opens the session list and has the option to approve, reject, discard, or view
differences in the changes submitted by Admin A.

An administrator must be part of an approval group, and have rights over the ADOM in which the session was
created, in order to approve a session. Being part of the Super_Admin profile is not enough to approve a
session.
Go to System Settings > Admin > Workflow Approval and configure the workflow approval matrix using
the following values:
• ADOM: Select the ADOM you want to apply workflow mode to
• Approval Group #1: Add the administrators who will approve the changes in the ADOM
• Send email notification to: Send administrators email notifications when another administrator makes
changes and submits the changes for approval
• Mail server: Select the email server that FortiManager will use to send its notifications. To configure mail
settings, click System Settings > Advanced > Mail Server

The administrator must lock the ADOM before they are allowed to create a new session. Once the ADOM is
locked, the administrator has the option to create a new session and start making changes to the policy
package. It is important to note that no changes to policy packages can be made until a session is created.

After you edit firewall policies or objects, click Save to save your session, then submit your changes.
Alternatively, you can click Submit, which saves and submits the changes automatically.

After you submit your changes for approval or have discarded them, the ADOM automatically returns to the
unlocked state.

After the workflow request is submitted, administrators with the appropriate permissions can approve or reject
the pending request.

The approval administrator must lock the ADOM during the decision process. After the ADOM is locked, they
can open the session list. The session list shows the administrator who submitted the request and other
information such as date of submission, total requests, and comments by the submitting administrator.

The approver administrator has four options:


• Approve: The session is waiting to be reviewed and approved. If the session is approved, no further action
is required.
• Reject: If the session is rejected, the system sends a notification to the administrator who submitted the
session. The approver administrator has the option to repair the changes. A session that is rejected must
be fixed before the next session can be approved.
• Discard: The approval administrator doesn’t agree with the changes and discards them. No further action
is required.
• View Diff: The approval administrator can view the differences between the original policy package and
changes made by the submitting administrator.

If a connection to FortiManager closes unexpectedly (for example, the PC crashes or the browser is closed)
while an ADOM is locked, it remains locked until the administrator session times out or the session is deleted.
Administrator sessions can be deleted in the GUI or CLI. After the stale session is deleted, the ADOM is
unlocked immediately.


Good job! You now understand policy locking and workflow mode.

Now, let’s examine global ADOM.


After completing this section, you should be able to:


• Understand shared global policies and objects
• Describe how to use the global ADOM
• Configure a global policy

Let’s take a look at global ADOM and its feature sets.


Global policies and objects allow administrators to push firewall policies universally, to all ADOMs. Global
policy packages must be explicitly assigned to the specific ADOMs on which administrators want to install
similar policies.

The illustration on this slide shows that different ADOMs can use separate global policies. When you create a
global policy package, you can choose ADOMs that you want to apply specific policies to. Furthermore, you
can even pick specific policy packages in individual ADOMs that you want to apply the global policies to.

You can create global policy packages based on the type of network environment that you are managing, and
apply header or footer policies to meet the security requirements.


You can use header and footer policies to wrap policies in each individual ADOM. An example of where this
would be used is in a carrier environment, where the carrier would allow customer traffic to pass through their
network, but would not allow the customer to have access to the carrier’s network assets.

The illustration on this slide shows how global policies and objects are assigned to ADOM policy packages.

In this section, you will learn how to apply a global header policy that denies all TELNET traffic to a public
IP address, and then assign it to an ADOM.


Enter the Global Database ADOM to access the global policy database. Header policies are the policies
located at the top of the policy package in the individual ADOM. Footer policies are the policies located at the
bottom of the policy package in the individual ADOM.


In the example shown on this slide, we have created a header policy to block TELNET traffic from passing
through the managed firewalls. The next step is to assign this policy to one policy package in an individual
ADOM.


Select the global policy package that you would like to assign to the individual ADOM policy package, and
then click Assignment > Add ADOM. You can specify the targeted policy package on the individual ADOM.

In the example shown on this slide, the default global policy package is added to the Local-FortiGate and
Remote-FortiGate policy package in the MyADOM1 ADOM. After the global policy package is added, the
status appears as Pending changes, because it is not assigned to the individual ADOM policy package. The
ADOM Policy Packages column shows only two policy packages selected out of four packages available in
the MyADOM1 ADOM. To assign the global policy package to the individual ADOM policy package, click
Assign or Assign Selected.

The Assign option commits the global policy package and used objects to the individual ADOM policy
package.

Assign Selected, on the other hand, provides more advanced options, including:
• Assign used objects only
• Assign all objects
• Automatically install policies on ADOM devices

After installation, the status changes to Up to date.


After the global ADOM objects are assigned, they will appear on the Policy & Objects pane for that ADOM.
All global objects start with "g" and are edited or deleted in the global ADOM only.

In the example shown on this slide, the header policy is added to the Local-FortiGate policy package. Only one
global policy package can be assigned to an individual ADOM policy package. Assigning an additional global
policy package to the same individual ADOM policy package removes the previously assigned policies. Also, the
header and footer policies can't be edited or moved between the rules in an individual ADOM policy package.

Policy packages must be installed on the managed devices for the new rules to work. A header policy is
installed at the top of the list of firewall rules on the target device.
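The following is an added, simplified model written for this section (not code from the study guide or from FortiManager) of how a global package's header and footer policies wrap an ADOM package in the installed rule list, and why first-match evaluation lets a header "deny TELNET" rule win over an ADOM accept rule below it. Package names, addresses and the public IP (TEST-NET-3) are constructed.

```python
"""Global header and footer policies wrapping an ADOM policy package (added model).

This is an added, simplified model written for this section; it is not code from
the study guide or from FortiManager. It reproduces the rule order the guide
describes for an installed policy package (global header policies at the top,
the ADOM package's own policies in the middle, global footer policies at the
bottom) and FortiGate's first-match evaluation with an implicit deny at the end,
so you can see why a header "deny TELNET" rule takes effect even when an ADOM
policy below it accepts the traffic. Package names, addresses and the public IP
(TEST-NET-3) are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Policy:
    name: str
    action: str                    # "accept" or "deny"
    srcaddr: str = "all"           # "all" or a CIDR string
    dstaddr: str = "all"
    dport: Optional[int] = None    # None = any port (service ALL); 23 = TELNET


@dataclass
class GlobalPackage:
    name: str
    header: List[Policy] = field(default_factory=list)
    footer: List[Policy] = field(default_factory=list)


@dataclass
class AdomPackage:
    name: str
    policies: List[Policy]
    assigned_global: Optional[GlobalPackage] = None

    def assign_global(self, pkg: GlobalPackage) -> None:
        # Only one global package per ADOM package: assigning another one
        # replaces the previously assigned header and footer policies.
        self.assigned_global = pkg

    def installed_rules(self) -> List[Tuple[str, Policy]]:
        """Rule list in install order, each tagged with its origin."""
        rules: List[Tuple[str, Policy]] = []
        if self.assigned_global:
            rules += [("header", p) for p in self.assigned_global.header]
        rules += [("adom", p) for p in self.policies]
        if self.assigned_global:
            rules += [("footer", p) for p in self.assigned_global.footer]
        return rules


def _addr_match(spec: str, ip: str) -> bool:
    return spec == "all" or ip_address(ip) in ip_network(spec)


def verdict(pkg: AdomPackage, src: str, dst: str, dport: int) -> Tuple[str, str, str]:
    """First matching rule for a flow as (origin, policy name, action).
    No match means FortiGate's implicit deny."""
    for origin, p in pkg.installed_rules():
        if (_addr_match(p.srcaddr, src) and _addr_match(p.dstaddr, dst)
                and (p.dport is None or p.dport == dport)):
            return origin, p.name, p.action
    return "implicit", "implicit-deny", "deny"


PUBLIC_IP = "203.0.113.10"   # constructed public server address


def build_example() -> AdomPackage:
    """Local-FortiGate package with a broad accept rule, wrapped by a global
    package whose header denies TELNET, as in the guide's scenario."""
    local = AdomPackage("Local-FortiGate", [
        Policy("lan_to_public_server", "accept",
               srcaddr="10.0.1.0/24", dstaddr=f"{PUBLIC_IP}/32"),
    ])
    g_default = GlobalPackage(
        "default",
        header=[Policy("g_deny_telnet", "deny", dport=23)],
        footer=[Policy("g_deny_all", "deny")])
    local.assign_global(g_default)
    return local


if __name__ == "__main__":
    pkg = build_example()
    for origin, p in pkg.installed_rules():
        print(f"{origin:7s} {p.name:22s} {p.action}")
    print(verdict(pkg, "10.0.1.5", PUBLIC_IP, 23))    # header deny wins
    print(verdict(pkg, "10.0.1.5", PUBLIC_IP, 443))   # ADOM accept
```

Dropping the global assignment (or assigning a different global package) changes the installed order, which is why the guide has you preview and install the package after any assignment change.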


Congratulations! You have completed this lesson.


This lesson covered the following topics:


• Configuring firewall policies and objects
• Installation targets
• Dynamic objects
• Interface and zone mappings
• Importing firewall policies and objects
• Differences between the Install and Re-install wizards
• Policy check
• ADOM configuration revisions and database version
• Identifying, configuring, and assigning global ADOM policies

Manager Panes

In this lesson, we will examine how FortiManager enables you to manage your Fortinet devices centrally using
manager panes.


In this lesson, we will explore the following topics:


• VPN Manager
• AP Manager
• FortiClient Manager


After completing this section, you should be able to describe two ways to configure IPsec VPNs.


By default, FortiManager runs in Per Device IPsec configuration mode. You must configure IPsec Phase 1
and 2 for each managed device on the Device Manager pane. You must configure the firewall policies for
each managed device in the policy packages.

By default, VPN options are hidden in FortiManager. In order to configure IPsec Phase 1 and 2, you must
enable VPN options on the Device Manager pane. After you enable the required display options, you can
configure IPsec Phase 1 and 2 for the selected FortiGate.


On the Device Manager pane, you can configure IPsec phase 1 and 2 in the same way you would configure
them locally on FortiGate. After you configure IPsec phase 1 and 2, and the routes, you can configure the
firewall policies for IPsec VPN on the Policy & Objects pane, in the policy package.

This approach works well for small organizations that manage only a few devices. It is not scalable, because
the configuration must be repeated on a per-device basis. For large networks, you should use VPN Manager,
because you can create IPsec phase 1 and 2 once and install them on hundreds of managed FortiGate devices at
once.


On the VPN manager pane, you can configure IPsec VPN settings that you can install on multiple devices.
The settings are stored as objects in the objects database. You push the IPsec VPN settings to one or more
devices by installing a policy package. Enabling VPN Manager for an ADOM overrides existing VPN
configurations for managed devices in that ADOM.

To configure IPsec VPNs on the VPN manager, do the following:


1. Create a VPN community.
2. Add gateways (members) to the community.
3. Install the VPN community and gateways configuration.
4. Add the firewall policies.
5. Install the firewall policies.


To create the VPN community, click VPN Manager > IPsec VPN > VPN Communities, and then click Create
New.

Depending on the VPN topology you want to install, there are three types of communities:
• Full Meshed: Each gateway has a tunnel to every other gateway.
• Star: Each gateway has one tunnel to a central hub gateway. Each FortiGate is defined as either a hub or a
spoke.
• Dial up: Some gateways, often for mobile users, have dynamic IP addresses and contact the main gateway to
establish a tunnel. As in the Star topology, each VPN gateway is defined as either a hub or a spoke. Peer
options are configured in a similar way to a dial-up tunnel configured directly on FortiGate.


The first step in creating an IPsec VPN using VPN Manager is to create a VPN community. A VPN community
contains all the settings that are used by every gateway that is part of that community, namely the IPsec phase 1
and 2 settings common to all the gateways in the community. New gateways can be added to the community at any
time.


The next step is to add gateways to the community. There are two types of gateways:
• Managed gateways are FortiGate devices managed by FortiManager.
• External gateways are VPN gateways that are not managed by FortiManager, such as devices from other vendors,
or FortiGate devices that are managed in another ADOM.

For VPN gateways, you configure the node type (hub, spoke, and so on), depending on the VPN topology you
selected. For example, the hub and spoke options are available only in the star and dial-up topologies.
For each gateway, you can also configure the protected subnets, interfaces, and some advanced settings.

The protected subnets are the subnets behind the device that you want to allow access to over the IPsec
VPN.
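The following is an added, simplified model written for this section (not code from the study guide or from FortiManager) of the three community types and the hub/spoke node types described above. It derives the tunnels each gateway's configuration must carry, filters out external gateways that FortiManager cannot install to, and shows how many gateways are touched when a new one joins, which is the scalability argument for VPN Manager. Gateway names and addresses are constructed, and the model assumes a single static hub for star and dial-up.

```python
"""VPN Manager community topologies and gateway roles (added model).

This is an added, simplified model written for this section; it is not code
from the study guide or from FortiManager. Given a community type (full mesh,
star or dial-up) and its gateways with their node type (hub or spoke), it
derives which IPsec tunnels each gateway's configuration must carry, which of
those FortiManager can install (managed gateways only), and how many gateways
are touched when a new gateway joins. Gateway names and addresses are
constructed (RFC 5737 documentation ranges).
"""
from dataclasses import dataclass
from itertools import permutations
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Gateway:
    name: str
    managed: bool = True          # False = external gateway (other vendor, or FortiGate in another ADOM)
    role: str = "member"          # "hub" or "spoke" in star and dial-up; "member" in full mesh
    ip: Optional[str] = None      # None = dynamic address (dial-up spoke)


@dataclass(frozen=True)
class Tunnel:
    local: str                    # gateway whose configuration carries this phase 1
    remote: str                   # peer gateway, or "any" for a dial-up acceptor on the hub
    remote_ip: Optional[str]      # None = accept dynamically addressed peers


def community_tunnels(topology: str, gateways: List[Gateway]) -> List[Tunnel]:
    """Tunnels the community implies. Model assumption: star and dial-up have exactly one hub."""
    if topology == "full-mesh":
        if any(g.ip is None for g in gateways):
            raise ValueError("full mesh requires a static address on every gateway")
        # Each gateway has a tunnel to every other gateway: n(n-1) phase 1 definitions.
        return [Tunnel(a.name, b.name, b.ip) for a, b in permutations(gateways, 2)]
    if topology not in ("star", "dial-up"):
        raise ValueError(f"unknown topology {topology!r}")
    hubs = [g for g in gateways if g.role == "hub"]
    spokes = [g for g in gateways if g.role == "spoke"]
    if len(hubs) != 1 or hubs[0].ip is None:
        raise ValueError("this model needs exactly one hub with a static address")
    hub = hubs[0]
    tunnels = [Tunnel(s.name, hub.name, hub.ip) for s in spokes]   # every spoke dials the hub
    if topology == "star":
        if any(s.ip is None for s in spokes):
            raise ValueError("star spokes need static addresses; use dial-up for dynamic ones")
        tunnels += [Tunnel(hub.name, s.name, s.ip) for s in spokes]  # hub names each spoke
    else:
        # Dial-up: spokes have dynamic addresses, so the hub cannot name them;
        # a single dial-up acceptor on the hub serves every spoke.
        tunnels.append(Tunnel(hub.name, "any", None))
    return tunnels


def per_gateway(tunnels: List[Tunnel]) -> Dict[str, List[Tunnel]]:
    """Group tunnels by the gateway whose configuration carries them."""
    out: Dict[str, List[Tunnel]] = {}
    for t in tunnels:
        out.setdefault(t.local, []).append(t)
    return out


def installable(tunnels: List[Tunnel], gateways: List[Gateway]) -> List[Tunnel]:
    """FortiManager installs only on managed gateways; external gateways are configured
    elsewhere, but stay in the community so the managed side can peer with them."""
    managed = {g.name for g in gateways if g.managed}
    return [t for t in tunnels if t.local in managed]


def touched_by_adding(topology: str, gateways: List[Gateway], new: Gateway) -> Set[str]:
    """Gateways whose configuration changes when `new` joins the community."""
    before = per_gateway(community_tunnels(topology, gateways))
    after = per_gateway(community_tunnels(topology, gateways + [new]))
    return {name for name, tunnels in after.items() if tunnels != before.get(name, [])}


# Constructed sample communities.
HUB = Gateway("HQ-FGT", role="hub", ip="198.51.100.1")
STAR_SPOKES = [Gateway(f"Branch-{i}", role="spoke", ip=f"198.51.100.{10 + i}") for i in range(1, 4)]
DIALUP_SPOKES = [Gateway(f"Mobile-{i}", role="spoke") for i in range(1, 4)]   # no static IP
MESH = [Gateway(f"Site-{i}", ip=f"192.0.2.{i}") for i in range(1, 5)]

if __name__ == "__main__":
    for topo, gws in (("full-mesh", MESH), ("star", [HUB] + STAR_SPOKES),
                      ("dial-up", [HUB] + DIALUP_SPOKES)):
        tunnels = community_tunnels(topo, gws)
        print(f"{topo:9s} {len(tunnels):2d} phase-1 definitions across "
              f"{len(per_gateway(tunnels))} gateways")
```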


When you configure VPNs using VPN Manager, you can't create the firewall policies for IPsec on FortiManager
until you have installed the IPsec community and gateway configuration on the device. The reason is that the
IPsec interfaces don't exist until that installation (VPN Manager always creates interface-based VPNs). VPN
Manager creates zones by default and automatically assigns the VPN interfaces to those zones. Administrators
can disable automatic VPN zone creation in the VPN community settings and instead manually create their own VPN
zones to map the logical VPN interfaces. After you push the IPsec configuration, FortiGate and FortiManager
display the IPsec interfaces that you need in order to create the firewall policies.


Good job! You now understand the VPN manager.

Now, let's examine the AP Manager.


After completing this section, you should be able to:


• Describe AP Manager features
• Configure a wireless network using Wi-Fi templates
• Monitor wireless clients
• Troubleshoot common AP-related issues


The AP Manager pane allows administrators to:


• Centrally manage FortiAPs
• Use Wi-Fi templates to easily manage and distribute AP profiles, SSIDs, and WIDS profiles
• Group APs for easy deployment and monitoring
• Discover, authorize, and upgrade APs
• Detect rogue APs
• Monitor wireless clients
• Centrally monitor AP health
• Show APs in a geographical map view using Google Earth


In a wireless solution featuring FortiAP devices, FortiManager centrally manages FortiAPs by providing a
centralized configuration location, which you can then use to push AP profiles and device settings to the
connected FortiGate devices. The FortiGate devices, in turn, apply device settings and policies to the FortiAP
devices in your networks.


AP Manager allows administrators to easily deploy and manage wireless networks from FortiManager's AP
Manager pane. All changes related to the configuration of wireless networks or APs are considered device-level
changes, so they need to be pushed to the managed devices. FortiGates install these changes on FortiAPs after
receiving them from FortiManager.

All changes made directly on FortiGates are automatically updated in the device-level database. However,
changes made directly on the AP don't synchronize back to FortiGate, so FortiManager remains unaware of those
changes.

Any changes related to wireless firewall policies need to be imported back to the ADOM-level database, if
they are made directly on FortiGate.


You can quickly view the status of devices on the AP Manager pane, which shows Managed APs, Online, Offline,
Unauthorized APs, the number of connected clients, and the rogue APs detected.

The Managed AP pane displays the APs in a list that contains each AP's name, IP address, configured SSIDs,
used radio channels, number of clients per radio, OS version, and assigned AP profile.
In the menu on the left side of the pane, FortiManager lists all APs, grouped by the FortiGate they are
connected to and, where AP groups are configured, by AP group.


On the quick status bar, you can click the Rogue APs icon to view the list of detected rogue APs. You can
also use this interface to filter the table, and then select APs and perform the available actions on them.

Clicking the Client Connected icon in the quick status bar displays the client monitor dialog, which lets you
view connected clients at a glance. The table displays the SSID and the AP to which each wireless client is
connected, as well as the client's IP address, MAC address, used channel, and current bandwidth consumption.

Finally, you can view each client's signal strength, signal-to-noise ratio, and association time. You can also
use the search box to filter the list of wireless clients.


Before you can manage an AP using FortiManager, you must authorize it. You can authorize or deauthorize
detected APs on the Managed APs pane in the AP Manager pane: select the AP you want to authorize or
deauthorize, right-click to display the menu of available actions for that AP, and then select Authorize or
Deauthorize.

Note: Changes to an AP's state (authorize or deauthorize) do not require an installation. These changes take
effect immediately.


To configure APs using FortiManager, first create the required SSIDs and WIDS profiles, and use them when
creating your AP profiles. Then, assign the AP profiles to the desired FortiAP devices, making sure that the
selected platform matches the FortiAP model. Finally, install the FortiAP profiles on the devices.


You must define and apply SSIDs in the AP profile so that the selected APs can broadcast wireless networks.
To save time, you can also clone SSIDs, or import SSIDs from a connected FortiGate.


A Wireless Intrusion Detection System (WIDS) monitors wireless traffic for a wide range of security threats by
detecting and reporting possible intrusion attempts. When an attack is detected, the FortiGate unit records a
log message. WIDS profiles are selected in AP profiles. You can clone WIDS profiles, import them from a
connected FortiGate device, or use one of the predefined WIDS profiles and modify the options that you need.
The WIDS profile is also used for rogue AP detection.


An AP Profile defines the radio settings, such as band (for example, 802.11g) and channel selection, and names
the SSIDs to which the radio settings apply. Managed APs can use automatic profile settings, or you can create
AP profiles. Many default AP profiles are available for administrators to use when configuring their FortiAP
devices. Profiles can also be imported from a connected FortiGate device by clicking Import. You can also clone
an existing profile to take advantage of the default settings for that AP platform and customize it further. It
is a best practice to leave all default profiles intact and clone them when you need to customize them.


By default, when creating or editing an AP Profile, Advanced Options are collapsed and not visible. To
display Advanced Options, in the AP Profile, click Advanced Options.


After you create your AP profiles, you can assign them to FortiAP devices on the Managed AP pane in the
AP Manager pane. A dialog provides a list of profiles compatible with that platform that you can select from.
You can configure each AP with a different profile if you like.


After you assign the AP profiles to the FortiAP devices, you can use the Install Wizard on the Managed APs
pane to propagate the settings through the FortiGate devices that your APs connect with. The install wizard
allows you to preview the settings, and also select which FortiGate devices you want to install those settings
on.


After you configure the APs, the focus of the administrator often shifts to monitoring the solution. You can
monitor connected wireless clients on the Monitor pane.


You can also monitor the health of connected FortiAP devices. The Health Monitor provides five different
widgets:
• AP Status displays a bar graph showing the number of FortiAPs that have an uptime greater than 24 hours,
have rebooted in the last 24 hours, or are down.
• Client Count Over Time displays a graph of the number of connected clients over the specified time period,
which is 1 hour, 1 day, or 30 days.
• Top Client Count per AP (2.4 GHz or 5 GHz Band) lists the number of clients in the 2.4 GHz and 5 GHz band
for each AP.
• Top Wireless Interference (2.4 GHz or 5 GHz Band) lists the number of interfering APs in the 2.4 GHz and
5 GHz band for each FortiAP.
• Login Failures Information lists the time of a logon failure, the SSID involved, the Host Name/MAC address,
and the username.

You can move a widget by clicking and dragging its title bar to another location on the screen. You can refresh
the information in a widget by clicking the Refresh icon in the widget title bar. You can sort tables in widgets
by any column by clicking the column name.


The Map View pane shows all of the FortiGate controllers on an interactive world map provided by Google
Earth. Each FortiGate is designated by a map pin in its geographic location on the map. The number of APs
connected to the FortiGate is listed on the pin.

Clicking on a map pin opens a list of the APs connected to that FortiGate. Clicking on the name of an AP in
the list zooms in on that location on the map and provides further information about the AP, including the
serial number, IP address, number of clients, usage, and the last time the AP was seen if it is offline.

Click the number of clients to open the View WiFi Clients window. To edit the AP settings, click the AP serial
number to open the Config FortiAP window.


You can configure each AP to override the settings provided by the selected AP profile. To do this, you must
first edit the AP, then enable Override Settings. Then, you will have the option to configure that AP differently
from its Assigned Profile. It is important to note that Override Settings does not provide access to all of the
settings available in the AP Profile.


You can also use FortiManager to upgrade your FortiAP device firmware. To do so, right-click the AP, and
select Upgrade. This displays a list of available firmware for that device. Click Upgrade Now to trigger the
FortiAP firmware upgrade. This process may take several minutes, including a device reboot. A pop-up
confirmation will appear to inform you that the firmware successfully uploaded to the FortiAP device.


You can use AP Manager to group FortiAPs based on their platform and the FortiGate they are connected to. A
group can contain FortiAP devices from only one platform, and an AP can belong to only one group. After you
create the AP group, the APs are listed in a tree menu under the FortiGate they are connected to.

You can create AP groups under Managed AP. Click FortiAP Group > Create New. The Create New FortiAP Group
wizard opens. Give the group a Name, select the FortiGate, select the Platform, and finally select the APs you
want to add to the group.


Troubleshooting common FortiAP issues:

Issue 1: Unable to authenticate a FortiAP
• Ensure that connectivity between FortiGate and FortiAP is stable
• Check connectivity between FortiManager and FortiGate
• Ensure that the FortiGate configuration is in sync with FortiManager

Issue 2: FortiAP does not show up on FortiManager
• Check that CAPWAP access is enabled on the FortiGate port the AP is connected to
• Check whether a profile for the FortiAP model exists on the FortiGate
• Verify that the FortiGate GUI shows the AP
• Test connectivity between FortiManager and FortiGate
• Ensure that the AP has a correct IP address assigned, or that DHCP is enabled on the FortiGate interface the
AP is connected to

Issue 3: FortiAP does not broadcast an SSID
• Check the revision history on FortiManager to ensure that all required configuration is installed on the
device
• Verify that the SSID was pushed to the proper AP(s)


Good job! You now understand the AP Manager.

Now, let’s examine FortiClient Manager.


After completing this section, you should be able to:


• Describe FortiClient manager features
• Describe how FortiManager fits into endpoint compliance
• Deploy endpoint control
• Monitor endpoint clients


The FortiClient Manager panel allows an administrator to centrally manage FortiClient profile(s) for multiple
FortiGate devices. It allows you to create one or more FortiClient profiles that you can assign to multiple
FortiGate devices, so they meet security requirements. You can also use endpoint control to enforce the use
of FortiClient on end devices that connect to FortiGate.


The FortiClient settings available in FortiManager are intended to complement the FortiClient support that is
available with FortiClient EMS and FortiGate. Each product performs specific functions:

• FortiManager is used to manage FortiClient compliance and quarantine
• FortiClient EMS is used to manage the entire FortiClient profile, including SSL/IPsec VPN
• FortiGate devices provide compliance rules for network access control. They also enforce network
compliance for connected FortiClient endpoints, and communicate between FortiClient endpoints and
FortiManager.


To configure FortiClient Manager, you begin by enabling FortiTelemetry and endpoint control on the required
FortiGate device interfaces. Then, you can create FortiClient profiles and profile packages, and assign those
profile packages to the device interfaces. Finally, you install the configuration changes on the desired
FortiGate devices.


On the FortiTelemetry pane, you can add FortiGate interfaces, which enables FortiTelemetry access on those
interfaces. You also configure the Enforce FortiClient option on this pane, which forces devices that connect to
FortiGate to use FortiClient. You also select, on the FortiTelemetry pane, the FortiClient profiles that will be
pushed to FortiGate devices.


After you configure FortiTelemetry on the interfaces and enable endpoint control, you can create FortiClient
profile packages. In a FortiClient profile package, you can create a new FortiClient profile or use the default
package. FortiClient profile packages can contain one or more FortiClient profiles.


You can create, edit, delete, and import a FortiClient Profile from managed devices. The FortiClient profile
has many different settings to provide administrators with the capability to highly customize their FortiClient
deployments as well as FortiClient behaviour. The profile assignment target uses FortiGate device groups,
user groups, users, and addresses, which allows for granular profiles.


FortiGate performs the compliance actions if it detects a client that does not comply with endpoint control.
Administrators can configure the following actions:
• Select Block to provide the compliance rules but no configuration information to FortiClient endpoints.
When FortiClient endpoints fail to comply with the compliance rules, endpoint access to the network is
blocked.
• Select Warning to provide the compliance rules but no configuration information to FortiClient endpoints.
When FortiClient endpoints fail to comply with the compliance rules, endpoint users are warned but are
allowed to continue accessing the network.

For Block and Warning actions, non-compliance information is displayed in the FortiClient console. The
administrator or endpoint user is responsible for reading the noncompliance information and updating
FortiClient software on the endpoints to adhere to the compliance rules.

• Select Auto-update to provide the compliance rules and configuration information from FortiGate. The
configuration information provided by FortiGate helps FortiClient endpoints remain compliant.
Non-compliance information is displayed in the FortiClient console.

Endpoint Vulnerability Scan on Client allows an administrator to select the level of vulnerability that would
trigger placing the device in Quarantine. Critical, High, Medium, and Low levels are available. Enabling
System compliance allows the Minimum FortiClient Version and FortiAnalyzer log upload settings to be
included in the profile.


After you have configured everything else, the FortiClient profile allows you to turn on or turn off antivirus
Realtime Protection and signature updates, including FortiSandbox scanning. It is important to note that the
profile can also verify that a third-party antivirus product is installed on the Windows endpoint. However, this
option is only available if you disable Realtime Protection. You can also enable default or custom-created
web filters and application control sensors. You can configure the custom web filters and application control
sensors in the Policy & Objects pane.


After you create the FortiClient profile package, you can assign the profile package to the managed
FortiGates of your choice. You can assign the FortiClient profile package to all the managed devices as long
as the devices are part of the same ADOM. You can also import the FortiClient profile package from one
FortiGate and assign it to another FortiGate.


Now that the profile package is assigned to the devices, you must use the Install Wizard to push the new
settings to your FortiGate devices. The wizard also allows you to preview and download the detailed changes
made to the devices. Make sure to preview the configuration changes before you install them.


After you install the changes on the managed FortiGate devices, endpoints automatically register with their
respective FortiGate devices once FortiClient is installed. You can monitor the endpoints on the Monitor pane.
Selecting a managed FortiGate in the list allows you to monitor its endpoints, and the list of endpoints updates
automatically when new endpoints register with FortiGate. The Non-compliance action configured in the profile
applies to a FortiClient device if it does not comply with its profile. You can block or unblock individual
devices, and you can quarantine devices and release them from Quarantine. Placing a device in Quarantine
forbids all connections other than those to FortiGate on TCP port 8013, which is used for communication
between FortiGate and managed FortiClient. Unregistering a device, however, discontinues endpoint compliance
enforcement for that device. You can also exempt an individual device, or all devices of that type, if you want
to make an exception to the configured compliance rules.


Congratulations! You have completed this lesson.


This lesson covered the following topics:


• Central VPN console
• Configuring IPsec VPNs using the Policy & Device VPN mode
• AP Manager features
• Configuring SSID, WIDS, and AP Profiles using AP Manager
• Monitoring wireless networks using AP Manager
• Troubleshooting common FortiAP issues
• FortiClient features
• Enabling endpoint control using FortiClient Manager
• Configuring FortiClient Profile Packages
• Monitoring endpoints

Diagnostics and Troubleshooting

In this lesson, we will examine how to diagnose and troubleshoot issues related to FortiManager and
managed devices.


In this lesson, we will explore the following topics:


• Deployment scenarios
• Diagnostics and troubleshooting
• Troubleshooting device and ADOM databases
• Import and install issues


After completing this section, you should be able to:


• Describe the various deployment scenarios that can exist between FortiManager and FortiGate
• Describe the purpose of keep-alive messages
• Replace a managed FortiGate


In this scenario, FortiManager is operating behind a NAT device. By default, only FortiManager can discover new
devices. If the FGFM tunnel is torn down, only FortiManager will try to re-establish it, because, by default,
the NATed FortiManager IP address is not configured in the FortiGate central management configuration.

How can FortiGate announce itself to the NATed FortiManager, or try to re-establish the FGFM tunnel if it is
torn down?
You can configure the FortiManager NATed IP address on FortiGate under the central management configuration.
This allows FortiGate to announce itself to FortiManager and to try to re-establish the FGFM tunnel if it is
torn down. With the FortiManager NATed IP address configured on FortiGate, both FortiManager and FortiGate can
re-establish the FGFM tunnel.


In this scenario, FortiGate is operating behind a NAT device. FortiManager can discover FortiGate through the
FortiGate NATed IP address. FortiGate can also announce itself to FortiManager. What if the FGFM tunnel is
interrupted? If the FGFM tunnel is torn down, only FortiGate will attempt to re-establish connection.
FortiManager treats the NATed FortiGate as an unreachable device and doesn’t attempt to re-establish the
FGFM tunnel. However, you can force a one-time connection attempt from FortiManager by clicking the
Refresh icon in the Connection Summary widget for the managed device in Device Manager.


What if both devices, FortiManager and FortiGate, are behind a NAT device? Then FortiManager discovers the
FortiGate device through the FortiGate NATed IP address. As in the NATed FortiManager scenario, the
FortiManager NATed IP address is not configured under the FortiGate central management configuration, so
FortiManager will not attempt to re-establish the FGFM tunnel to the FortiGate NATed IP address if the tunnel is
interrupted. If the FortiManager NATed IP address is configured on FortiGate under the central management
configuration, FortiGate will try to re-establish the FGFM tunnel if it is torn down.


Keepalive messages, including the configuration checksums, are sent from FortiGate at configured intervals.
The keepalive settings are:
• fgfm-sock-timeout: The maximum FortiManager/FortiGate communication socket idle time, in seconds
• fgfm_keepalive_itvl: The interval at which FortiManager sends a keepalive signal to a FortiGate device
to keep the FortiManager/FortiGate communication protocol active

If there are no responses to the keepalive messages for the duration of the socket timeout value, the tunnel is
torn down and both ends attempt to re-establish it.


When an install is performed from FortiManager to FortiGate, FortiManager always tries to ensure
connectivity with the managed FortiGate. If the connection fails, FortiManager tries to recover the FGFM
tunnel by unsetting the command that caused the tunnel to go down.

For each install, FortiManager sends the following commands to the managed FortiGate device:
• Set commands, needed to apply the configuration changes
• Unset commands, to recover the configuration changes

When applying changes, FortiGate:

• Applies the set commands in memory only; nothing is written to a configuration file
• Tests the FGFM connection to FortiManager

If the connection fails to re-establish, FortiGate applies the unset commands after 15 minutes (not configurable
and not based on the socket timeout values). If the connection remains down, and rollback-allow-reboot is
enabled on FortiManager, FortiGate reboots to recover the previous configuration from its configuration
file.
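The apply-in-memory, tunnel test, 15-minute unset and optional reboot sequence described above, modelled as a small simulation. This is an added example, not FortiGate or FortiManager code; the toy FortiGate model, the `tunnel_up` predicate, the `central-management.fmg` key and the 10.0.0.1 address are constructed for illustration.

```python
"""Simulation of the FGFM install safety mechanism: set commands are applied
in memory, the tunnel is tested, and after 15 minutes the unset commands are
applied; if the tunnel is still down and rollback-allow-reboot is enabled,
FortiGate reboots to its saved configuration file.

Added example with a constructed FortiGate model; not Fortinet code.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Fixed on FortiGate; not derived from fgfm-sock-timeout (see text above).
ROLLBACK_DELAY_SEC = 15 * 60


@dataclass
class Install:
    set_cmds: List[str]    # "set <key> <value>" lines sent by FortiManager
    unset_cmds: List[str]  # "unset <key>" lines that undo the set commands


@dataclass
class FortiGate:
    """Toy model: a saved config file and a running (in-memory) config."""
    saved_config: Dict[str, str]
    running: Dict[str, str] = field(default_factory=dict)
    rebooted: bool = False
    log: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.running = dict(self.saved_config)

    def apply(self, cmds: List[str], before: Dict[str, str]) -> None:
        """Apply CLI lines to the running config only; nothing is written to disk.
        'unset <key>' restores the value the key had before the install began."""
        for cmd in cmds:
            parts = cmd.split()
            if parts[0] == "set":
                self.running[parts[1]] = " ".join(parts[2:])
            elif parts[0] == "unset":
                if parts[1] in before:
                    self.running[parts[1]] = before[parts[1]]
                else:
                    self.running.pop(parts[1], None)
            else:
                raise ValueError(f"unsupported command: {cmd}")
            self.log.append(cmd)

    def reboot(self) -> None:
        """A reboot discards the in-memory changes and reloads the saved file."""
        self.rebooted = True
        self.running = dict(self.saved_config)
        self.log.append("reboot")


def run_install(fgt: FortiGate, install: Install,
                tunnel_up: Callable[[Dict[str, str]], bool],
                rollback_allow_reboot: bool) -> Tuple[str, int]:
    """Run one install; returns (outcome, simulated seconds elapsed)."""
    before = dict(fgt.running)
    clock = 0
    fgt.apply(install.set_cmds, before)          # step 1: set commands in memory
    if tunnel_up(fgt.running):                   # step 2: test the FGFM tunnel
        return "committed", clock
    clock += ROLLBACK_DELAY_SEC                  # FortiGate waits 15 minutes
    fgt.apply(install.unset_cmds, before)        # then applies the unset commands
    if tunnel_up(fgt.running):
        return "rolled_back", clock
    if rollback_allow_reboot:                    # still down: reboot if allowed
        fgt.reboot()
        return "rebooted", clock
    return "tunnel_down", clock


# Constructed scenario: the tunnel is up only while FortiGate still points at
# the FortiManager address 10.0.0.1 (placeholder value).
def fmg_reachable(cfg: Dict[str, str]) -> bool:
    return cfg.get("central-management.fmg") == "10.0.0.1"


def demo() -> Dict[str, Tuple[str, int]]:
    base = {"central-management.fmg": "10.0.0.1", "hostname": "Local-FortiGate"}
    results = {}
    # Harmless change: the tunnel stays up and the install is committed at once.
    fgt = FortiGate(dict(base))
    results["hostname"] = run_install(
        fgt, Install(["set hostname Branch-FGT"], ["unset hostname"]),
        fmg_reachable, rollback_allow_reboot=True)
    # Change that breaks the tunnel: the unset restores reachability after 15 min.
    fgt = FortiGate(dict(base))
    results["bad_fmg"] = run_install(
        fgt, Install(["set central-management.fmg 10.9.9.9"],
                     ["unset central-management.fmg"]),
        fmg_reachable, rollback_allow_reboot=True)
    # The tunnel never recovers (the path itself is gone): reboot to the saved file.
    fgt = FortiGate(dict(base))
    results["no_path"] = run_install(
        fgt, Install(["set hostname Branch-FGT"], ["unset hostname"]),
        lambda cfg: False, rollback_allow_reboot=True)
    return results


if __name__ == "__main__":
    for name, (outcome, secs) in demo().items():
        print(f"{name:10s} -> {outcome} after {secs} s")
```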


FortiManager saves the configuration revisions of a managed device, but what happens if you need to replace
the managed device because of hardware failure or RMA?

You can replace the faulty device by manually changing the serial number of the faulty device to the serial
number of the replacement device on FortiManager. Then, you redeploy the configuration. The serial number
is verified before each management connection because the licenses are attached to the FortiGate serial
number.

Note: The replacement FortiGate should not contact FortiManager before the execute device replace
sn <devname> <serialnum> command is run. If it does, you will have to delete the unregistered device
entry before rerunning the command.

To replace the faulty device with the new device:

1. Note the device name of the original FortiGate. If the replacement device is already listed as unregistered,
you will need to delete it from the unregistered device list in the root ADOM.
2. Add the serial number of the replacement FortiGate. After the replace command is executed,
FortiManager updates the serial number in its database.
3. Verify that the new device serial number is associated with the faulty device in FortiManager. You can do
this using the CLI or the System Information widget of FortiGate.
4. Send a request from the replacement device to register it with FortiManager.

If connectivity fails after you update the serial number, you might need to reclaim the management tunnel. The
device name argument is optional; if you run the reclaim command without a device name, FortiManager tries
to reclaim the tunnels from all managed devices.
Optionally, you can change the device password that was used when adding the device by running execute
device replace pw <device_name> <password>.


Good job! You now understand deployment scenarios.

Now, let's use some diagnostic commands to troubleshoot issues with FortiManager connectivity and
performance.


After completing this section, you should be able to:

• Use CLI commands to examine and troubleshoot common connectivity issues, process statuses, and the
restart process
• Diagnose registration, import, and install issues between FortiManager and FortiGate
• Identify the best practices for database integrity
• Identify which commands can be used to check and recover database integrity


This slide shows some CLI commands that you can use for troubleshooting FortiManager connectivity and
resource issues.

These commands are similar to the FortiGate commands that you can use to diagnose and troubleshoot
common issues. For example, to view the top running processes you can run execute top. You can use the
execute iotop command to identify system processes with high I/O usage (usually disk activity). You
can view the crash log entries. If FortiManager is dropping packets or not receiving packets, you can run a
packet capture (sniffer) to help diagnose the reason. You can also test device reachability and confirm
the status of the FGFM tunnel.


The get system performance command provides information about system resource usage and
displays the output by resource type:
• CPU: provides an overview of CPU usage on the system. It shows what type of processes are using
what percentage of the CPU
• Memory: provides the total memory available to the unit and how much memory is currently in use
• Hard Disk: provides hard disk usage information, including total disk space available and how much is
in use
• Flash Disk: provides flash disk usage information

Always check the Used column to check resource usage. If resource usage is high, you may experience
issues managing devices from FortiManager. For example, adding devices or installing changes may take a
long time.


The execute top command displays real-time system statistics that are very useful for system monitoring.
The statistics are displayed in rows, as follows:
Row 1 – current time, uptime, user sessions, average system load (last minute, five minutes, and 15 minutes)
Row 2 – total number of processes, processes actively running, processes sleeping, stopped, and in
zombie state
Row 3 – CPU usage for: user processes, system processes, priority (niced) processes, CPU idle, processes
waiting for I/O, hardware IRQs, software IRQs, and steal time
Row 4 and Row 5 – memory usage
Row 6 – process ID, user, process priority, nice value of the process, virtual memory usage (including swap),
resident memory usage (RAM), CPU usage, memory usage percentage, total activity time, state of the process,
and name of the process

When you are troubleshooting issues with high CPU or memory usage, check the overall system resources first.
Then check individual processes for high CPU or memory usage.
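A parser for the rows listed above, followed by the overall-then-per-process triage the text recommends. This is an added example, not Fortinet code; it assumes the standard procps top layout (load average in row 1, %Cpu(s) in row 3, memory in rows 4 and 5, then a PID header and one line per process), and the sample output and process names are constructed.

```python
"""Parser for the rows of 'execute top' output, plus a simple triage that
checks overall resources first and then flags individual processes above
CPU or memory thresholds.

Added example, not Fortinet code. Assumes the standard procps top layout;
the sample below is constructed.
"""
import re
from typing import Dict, List

TOP_SAMPLE = """\
top - 10:15:32 up 3 days,  2:11,  1 user,  load average: 2.52, 1.38, 0.90
Tasks: 120 total,   2 running, 118 sleeping,   0 stopped,   0 zombie
%Cpu(s): 45.0 us, 12.0 sy,  0.0 ni, 30.0 id, 13.0 wa,  0.0 hi,  0.0 si,  0.0 st
KiB Mem :  8167848 total,   234567 free,  7000000 used,   933281 buff/cache
KiB Swap:        0 total,        0 free,        0 used.   500000 avail Mem

  PID USER      PR  NI    VIRT    RES    SHR S %CPU %MEM     TIME+ COMMAND
 1234 root      20   0  912000 523456  10000 R 85.0  6.4   1:23.45 fmgsvr
 2345 root      20   0  412000  23456   8000 S  3.0  0.3   0:03.45 cmdbsvr
 3456 root      20   0  112000   3456   2000 S  0.0  0.0   0:00.12 sshd
"""

# Column order of row 6 as described in the text.
PROC_FIELDS = ["pid", "user", "pr", "ni", "virt", "res", "shr",
               "state", "cpu", "mem", "time", "command"]


def parse_top(text: str) -> Dict:
    """Return load averages, CPU breakdown, memory use and the process table."""
    out = {"load": [], "cpu": {}, "mem_used_pct": None, "procs": []}
    in_table = False
    for line in text.splitlines():
        s = line.strip()
        if not s:
            continue
        m = re.search(r"load average:\s*([\d.]+),\s*([\d.]+),\s*([\d.]+)", s)
        if m:                                   # row 1
            out["load"] = [float(x) for x in m.groups()]
        elif s.startswith("%Cpu"):              # row 3: "45.0 us, 12.0 sy, ..."
            out["cpu"] = {k: float(v) for v, k in
                          re.findall(r"([\d.]+)\s+(us|sy|ni|id|wa|hi|si|st)", s)}
        elif re.match(r"\w+ Mem\b", s):         # row 4: total / free / used
            m = re.search(r"(\d+) total,\s+(\d+) free,\s+(\d+) used", s)
            total, _, used = (int(x) for x in m.groups())
            out["mem_used_pct"] = round(100.0 * used / total, 1)
        elif s.startswith("PID"):               # row 6 header
            in_table = True
        elif in_table:                          # one process per line
            parts = s.split(None, len(PROC_FIELDS) - 1)
            rec = dict(zip(PROC_FIELDS, parts))
            rec["cpu"], rec["mem"] = float(rec["cpu"]), float(rec["mem"])
            out["procs"].append(rec)
    return out


def triage(top: Dict, cpu_pct: float = 50.0, mem_pct: float = 5.0,
           iowait_pct: float = 10.0) -> Dict[str, List[str]]:
    """Check overall resources first, then single processes, as the text advises."""
    findings = {"system": [], "procs": []}
    if top["cpu"].get("wa", 0) >= iowait_pct:
        findings["system"].append("high I/O wait; follow up with execute iotop")
    if top["cpu"].get("id", 100) <= 100 - cpu_pct:
        findings["system"].append("CPU mostly busy")
    if (top["mem_used_pct"] or 0) >= 80:
        findings["system"].append("memory above 80% used")
    for p in top["procs"]:
        if p["cpu"] >= cpu_pct or p["mem"] >= mem_pct:
            findings["procs"].append(p["command"])
    return findings


if __name__ == "__main__":
    print(triage(parse_top(TOP_SAMPLE)))
```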


FortiManager displays the individual processes that are responsible for a high I/O wait state when you use the
execute iotop command. You can use this command to identify the process that is causing high I/O usage
when you are troubleshooting performance issues related to heavy I/O usage.


Another area you may want to monitor, purely for diagnostics, is the crash logs. The crash logs are available
through the CLI. The most recent crash log is listed at the bottom of the output. In this example, the process
cmdbsvr was restarted with signal 11, and crash information was logged in the crash log file. The crash log
displays the firmware information in the first line, followed by the process name and signal information.

Most of the logs in the crash log are normal. Some logs in the crash log might indicate problems. For that
reason, crash logs may be requested by Fortinet Technical Support for troubleshooting purposes.


The packet sniffer command is useful for troubleshooting connectivity and traffic-related issues. The packet
sniffer command shown in the slide is set up to capture packets from host 192.168.1.99 on port 541 and to
display the packet header only (verbose 1) for five packets and the local timestamp.

For example, if you are experiencing a connectivity issue between FortiManager and FortiGate, you can sniff
for management traffic on TCP port 541 to see if there is any communication between the two devices.


The diagnose system print df command displays disk partition information on FortiManager. It
shows the filesystem, size, usage, available disk space, usage in percentage, and mount point. This
command can be useful when troubleshooting disk-related issues. It is helpful to know what each of
these partitions is used for on FortiManager:
• /dev/shm is used as shared memory
• /tmp is a temporary file storage filesystem
• /data points to the flash disk partition
• /var is used for FortiManager database storage
• /drive0 is used for FortiAnalyzer archives and the postgres database
• /Storage is used for FortiAnalyzer log and report storage
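A parser for the command's output that annotates each partition with the purpose listed above and reports the ones that are nearly full. This is an added example, not Fortinet code; it assumes the usual df -h column layout (Filesystem, Size, Used, Avail, Use%, Mounted on), and the sample output below is constructed.

```python
"""Parser for 'diagnose system print df' output that labels each partition
with its FortiManager purpose and flags partitions that are nearly full.

Added example, not Fortinet code. Assumes the usual df -h column layout;
the sample output is constructed.
"""
import re
from typing import Dict, List

# Purpose of each mount point, as listed in the text above.
MOUNT_PURPOSE = {
    "/dev/shm": "shared memory",
    "/tmp": "temporary file storage",
    "/data": "flash disk partition",
    "/var": "FortiManager database storage",
    "/drive0": "FortiAnalyzer archives and postgres database",
    "/Storage": "FortiAnalyzer log and report storage",
}

DF_SAMPLE = """\
Filesystem      Size  Used Avail Use% Mounted on
tmpfs           4.0G     0  4.0G   0% /dev/shm
tmpfs           4.0G   12M  4.0G   1% /tmp
/dev/sda1       247M   56M  178M  24% /data
/dev/sdb1       480G  441G   15G  97% /var
/dev/sdc1       1.8T  1.2T  530G  70% /drive0
/dev/sdd1       1.8T  900G  830G  53% /Storage
"""

_UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3, "T": 1024 ** 4}


def to_bytes(size: str) -> int:
    """Convert a df -h size such as '1.8T' or '0' to bytes."""
    m = re.fullmatch(r"([\d.]+)([KMGT]?)", size)
    if not m:
        raise ValueError(f"bad size: {size}")
    return int(float(m.group(1)) * _UNITS[m.group(2)])


def parse_df(text: str) -> List[Dict]:
    """One record per data row; the header row is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        fs, size, used, avail, pct, mount = line.split(None, 5)
        mount = mount.strip()
        rows.append({
            "filesystem": fs,
            "size": to_bytes(size),
            "used": to_bytes(used),
            "avail": to_bytes(avail),
            "use_pct": int(pct.rstrip("%")),
            "mount": mount,
            "purpose": MOUNT_PURPOSE.get(mount, "unknown"),
        })
    return rows


def nearly_full(rows: List[Dict], threshold_pct: int = 90) -> List[str]:
    """Mount points at or above the threshold, most affected first."""
    hot = [r for r in rows if r["use_pct"] >= threshold_pct]
    hot.sort(key=lambda r: r["use_pct"], reverse=True)
    return [f'{r["mount"]} ({r["use_pct"]}%, {r["purpose"]})' for r in hot]


if __name__ == "__main__":
    for warning in nearly_full(parse_df(DF_SAMPLE)):
        print("WARNING:", warning)
```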


On FortiManager, processes lock and unlock the database, but they should not remain stuck in the locked
state. There should be no locks on an idle system.
What if FortiManager is taking too long to complete a task? You can use the proc list command to
identify any process or task that is stuck. A stuck task may prevent subsequent tasks from being
processed. If a task is taking too long to process, it is listed here. You can cancel or delete the pending
(stuck) task from Task Monitor under the System Settings pane.


You can use these debug commands to troubleshoot various issues between FortiManager and FortiGate,
such as adding, deleting, refreshing, auto-update, and install issues.

Before you run any debug commands, check whether any other debug commands are enabled. Running a debug
will also show the output from all other enabled debugs if they are not disabled or reset. Always reset the debug
level before enabling any new debugs.


An ungraceful shutdown on FortiManager can cause corruption to the file system and internal database. This
applies to both hardware and virtual machines. As a best practice, you should check the Alert Message
Console and event logs for important messages.

If the FortiManager has lost power, a message on the console connection will advise you to repair the file
system. Remember, always back up the FortiManager, prior to repairing the file system. It is also highly
recommended that you connect the FortiManager to an uninterruptible power supply (UPS) to prevent an
unexpected shut down.


To ensure database integrity on FortiManager, you should follow these best practices:
• Always gracefully shut down FortiManager. Using an ungraceful shutdown can damage the internal
databases.
• If multiple administrators are performing operations on FortiManager, enable ADOM locking to avoid
configuration conflicts.
• Always follow the proper upgrade path. If you don’t, it may cause inconsistencies in the database.
• Make sure all administrators are logged off, and perform database integrity checks before performing a
firmware upgrade.

If you cannot resolve a data integrity issue, you can perform a factory reset on FortiManager, and then
restore the configuration using a good backup configuration.


If you are experiencing unusual behavior on FortiManager, check for issues with database integrity.
Database integrity commands modify any database errors that are found. It is recommended that you perform
a backup before executing database integrity commands. Having a backup is helpful when you don't want to
keep the changes that were made by the integrity commands and you need to restore the FortiManager
configuration.

If you need to execute database integrity commands, make sure that all ADOMs are unlocked and that there
are no active operations being performed.

As a best practice, configure a scheduled backup of FortiManager. FortiManager automatically runs database
integrity commands prior to a scheduled backup, and creates logs. If there are any issues with database
integrity, you need to re-run the commands to fix the problem.


This slide lists commands that you can use to verify and maintain database integrity. If you execute a
database integrity command that makes a change or correction to the database, it is advised that you then
re-run the command to verify that any changes or corrections were made properly.


This slide shows an example of a database integrity check:

1. FortiManager verifies the database schema in all objects.
2. FortiManager finds issues and informs the administrator.
3. The administrator accepts the changes that will be made to correct the issues by pressing Y.
4. FortiManager fixes the object database.
5. FortiManager records all changes in the event logs.

In the second example, FortiManager finds no issues with the device manager databases.


Good job! You now understand how to diagnose and troubleshoot various issues with FortiManager.

Now, let's examine troubleshooting device and ADOM databases.


After completing this section, you should be able to:

• Use CLI commands to troubleshoot device-level and ADOM-level database issues


The FortiManager stores the FortiGate configuration details in two distinct databases. The device-level
database includes configuration details related to device-level settings, such as interfaces, DNS, routing, and
more. The ADOM-level database includes configuration details related to firewall policies, objects, and
security profiles.


If you need to verify which templates are applied to which FortiGate device, you can check from the
Provisioning Templates widget, or from the individual device(s) Configuration and Installation Status
widget.

In this example, the default system template is applied to Local-FortiGate and Remote-FortiGate for DNS
settings.


You can use this command to view the CLI configuration of templates. You can see which CLI commands
will be pushed to FortiGate.
Tip: Use ? for help. In this example, the default system template is configured with primary and secondary
DNS entries. Remember that the default system template is applied to Local-FortiGate and Remote-FortiGate,
as shown in the previous slide.


You can use CLI commands to view the whole configuration of the managed device, or view individual object
configuration.

The execute fmpolicy print-device-database command displays the device configuration,
including device-level changes made from FortiManager. It does not display the changes caused by
applying the system template. Also, ADOM-level configuration changes made from FortiManager, such as
firewall policies and objects, are not displayed. These changes are applied (copied) to the device-level
database at install time.

If you perform an installation preview from the Configuration and Installation Status widget for a managed
device, it will display the device-level configuration changes with the following exceptions:
• System templates
• ADOM-level configuration changes


This slide shows an example of the DNS settings for Local-FortiGate. Local-FortiGate is configured locally
with the DNS configuration shown here. The DNS entries used in this example are not the same as those
used in the default system template. When installing the device-level configuration to Local-FortiGate, the
installation skips the primary DNS entry and installs only the secondary DNS entry. This is because the
primary DNS entry is the same in the applied default system template and on Local-FortiGate.


In the previous slides, we demonstrated how to view configurations related to a specific managed device. You
can also view the policies and objects at the ADOM level, using the commands shown in this slide.


This slide shows an example of viewing a policy or policies in a particular policy package. In this example, the
Local-FortiGate policy package initially has only one policy named Ping_Access. The FortiManager
administrator has configured a new policy named Full_Access in the Local-FortiGate policy package. When
viewing the policy from the ADOM level, it shows both policies – the existing policy and new policy, which
needs to be installed.

If you view the policies for the Local-FortiGate at the device level, will the newly configured firewall policy be
shown? At the device level, ADOM-level (firewall policy and related objects) configuration changes that have
been made from FortiManager are not displayed until after the Policy & Objects install is performed.
The next slide shows the Local-FortiGate policy at the device level.


This is an example of viewing a policy or policies for a particular device at the device level. In this example,
the Local-FortiGate policies are viewed at the device level. As mentioned in the previous example, ADOM-level
configuration changes are not displayed until the Policy & Objects install is performed.


Good job! You now understand how to diagnose and troubleshoot device and ADOM database issues on the
FortiManager.

Now, let's examine troubleshooting import and install issues.


After completing this section, you should be able to:

• Identify and troubleshoot import and install issues


In this example, the configuration is correctly retrieved and saved in the revision history; however, the
problem occurs when updating the device database. Usually, issues like this are caused by inconsistent or
corrupt FortiGate configurations.
You can troubleshoot reload failures to see at what stage configuration is failing to load into the device-level
database.
When you execute the reload failure command, FortiManager connects to the FortiGate and downloads its
configuration file. Then, FortiManager performs a reload operation on the device database.
There can be two possible outcomes:
• If there are no errors in the FortiGate configuration, the reload is successful, and the device-level database
is updated with the FortiGate configuration. However, note that a new revision history entry is not created.
• If there are errors in the FortiGate configuration, the output of the reload command indicates the point in
the configuration at which the device-level database failed to update.

You can also check the event logs to see if they contain details about the cause of the failure.


When you add a FortiGate using the Add Device Wizard or import policies using the Import Policy Wizard,
always make sure that the policies and objects have successfully imported.

In this example, the FortiManager ADOM database has a firewall address object named Test_PC which is
associated with the interface any.

The second FortiGate also has a firewall address object named Test_PC and it’s associated with the
interface port6. This firewall address object is referenced in the firewall policy on the second FortiGate.

When a policy package was added or imported to the second FortiGate, it failed to import the firewall address
object Test_PC, as well as associated firewall policies. The FortiManager Download Import Report provides
the reason for failed object or policy imports.

FortiManager can create a dynamic mapping for an address object, if the address object name is the same,
but contains a different value locally. However, there is one restriction – the associated interface cannot be
different. This is because, at ADOM level, this address object might be used by other policy packages, which
might not have same interfaces.

What will the impact of the partial policy package import be?


After configuration changes are made from FortiManager to the partially imported policy package, and an
attempt is made to install it using the Policy & Objects install wizard, FortiManager will delete the
failed objects and policies. This is because the policy package is not aware of the missing or failed policies and
objects.
There are two ways to fix the problem:
• You can remove the interface binding to make the object the same as the FortiManager ADOM object
• If there is a need to keep the interface binding for the FortiGate that is having issues with the partial policy
import, you can rename the address object to a unique name that is not part of the ADOM database
To use either of these methods, you can run a script from FortiManager using the Remote FortiGate
Directly (Via CLI) option, or you can log in to the FortiGate locally to make the configuration change.
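The import rules from the Test_PC example (same name with a different value becomes a dynamic mapping; a different associated interface makes the object and its policies fail) and the two fixes just listed, as a pre-import check over a FortiGate configuration. This is an added example, not Fortinet code; the configuration text, the second object DMZ_Server, the ADOM database contents and the new name Test_PC_FGT2 are constructed, and the parser handles only flat config/edit/set blocks.

```python
"""Pre-import check of FortiGate address objects against the ADOM database,
using the rules described above: a same-named object with a different value
can become a dynamic mapping, but a different associated interface makes the
object import fail together with the policies that reference it. For failed
objects, the two fixes from the text are emitted as FortiOS CLI.

Added example, not Fortinet code: the config text and ADOM database are
constructed, and the parser handles only flat config/edit/set blocks.
"""
import shlex
from typing import Dict, List, Tuple

Config = Dict[str, Dict[str, Dict[str, List[str]]]]  # table -> entry -> key -> values

FGT2_CONFIG = """\
config firewall address
    edit "Test_PC"
        set subnet 10.0.1.10 255.255.255.255
        set associated-interface "port6"
    next
    edit "DMZ_Server"
        set subnet 10.0.2.20 255.255.255.255
    next
end
config firewall policy
    edit 1
        set srcintf "port6"
        set dstintf "port1"
        set srcaddr "Test_PC"
        set dstaddr "all"
    next
    edit 2
        set srcintf "port6"
        set dstintf "port1"
        set srcaddr "DMZ_Server"
        set dstaddr "all"
    next
end
"""

# What the ADOM database already holds (constructed); both are bound to "any".
ADOM_ADDRESSES = {
    "Test_PC": {"subnet": ["10.0.1.99", "255.255.255.255"]},
    "DMZ_Server": {"subnet": ["10.0.2.99", "255.255.255.255"]},
}


def parse_config(text: str) -> Config:
    """Parse flat FortiOS 'config ... edit ... set ... next ... end' blocks."""
    cfg: Config = {}
    table = entry = None
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        if kw == "config":
            table = " ".join(args)
            cfg.setdefault(table, {})
        elif kw == "edit":
            entry = args[0]
            cfg[table].setdefault(entry, {})
        elif kw == "set":
            cfg[table][entry][args[0]] = args[1:]
        elif kw == "next":
            entry = None
        elif kw == "end":
            table = None
    return cfg


def check_import(cfg: Config,
                 adom: Dict[str, Dict[str, List[str]]]) -> Dict[str, Tuple[str, List[str]]]:
    """Return {address name: (verdict, policy IDs that would fail with it)}."""
    policies = cfg.get("firewall policy", {})
    result = {}
    for name, attrs in cfg.get("firewall address", {}).items():
        local_if = attrs.get("associated-interface", ["any"])[0]
        if name not in adom:
            result[name] = ("import-new", [])
            continue
        adom_if = adom[name].get("associated-interface", ["any"])[0]
        if local_if != adom_if:           # restriction from the text: import fails
            users = [pid for pid, p in policies.items()
                     if name in p.get("srcaddr", []) + p.get("dstaddr", [])]
            result[name] = ("fail-interface-mismatch", users)
        elif any(v != adom[name].get(k) for k, v in attrs.items()
                 if k != "associated-interface"):
            result[name] = ("dynamic-mapping", [])   # same name, different value
        else:
            result[name] = ("identical", [])
    return result


def remediation_cli(name: str, new_name: str) -> Tuple[str, str]:
    """The two fixes from the text, as FortiOS CLI for a script or a local login."""
    drop_binding = (f'config firewall address\n    edit "{name}"\n'
                    f'        unset associated-interface\n    next\nend')
    rename = f'config firewall address\n    rename "{name}" to "{new_name}"\nend'
    return drop_binding, rename
```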


When you perform a policy package install, the copy operation is the first operation that is performed, before
the actual install. It is the operation in which FortiManager tries to copy the ADOM-level objects and policies to
the device database. It is the opposite of the import operation.
Copy failure issues are usually caused by incorrect or missing object dependencies when copying
from the ADOM database to the device database. The incorrect or missing object dependencies are caused by
corruption or inconsistencies in the FortiManager database.
The copy failure log helps you identify the failing CLI syntax, or points you in the right direction.

When a copy failure happens, the device database is restored to its original state, prior to the copy attempt.


Always check the View Install Log to see which CLI commands were not executed or accepted by FortiGate.
This is usually caused by:
• A version mismatch between the ADOM and FortiGate, which created an object using incorrect CLI syntax
• An ADOM upgrade that modified existing objects incorrectly because of database corruption


This is the install log for the failed installation. In this example, a new object named mydevice was not
added (failed) due to an incorrect MAC address. Next, the FortiGate rejected the add of the mydevice object
to the firewall policy.


The verification report shows the differences between the configuration that was expected to be installed and
what was installed on the FortiGate.
Because the mydevice object was not created, the firewall policy was installed on FortiGate without the
source device mydevice.


There are multiple ways to fix installation failure issues.

First, verify that the FortiGate version is the same as or supported by the ADOM.
If the version is not the same or not supported, then:
1. Recreate the object or policy from the FortiManager GUI (if supported), or use scripts to fix the issue.
2. Perform the install again.

If the ADOM version is correct or an ADOM upgrade was performed, then:

1. Retrieve the FortiGate configuration so that FortiManager updates the device database with the correct
syntax.
2. Make a small device-level change and install it to ensure that there is not a device-database issue.
• If the install is unsuccessful, check and fix the device-level settings
• If the install is successful, check and, if needed, recreate the object or policy
3. Perform the install again.

As a last resort to isolate and fix the install failure issues, you can:
1. Create a new ADOM with firmware matching the FortiGate.
2. Move the FortiGate to the new ADOM.
3. Retrieve the configuration and import the policy packages.
4. Recreate the object or policy from the FortiManager GUI (if supported), or using a script, and perform the
install.


Congratulations! You have completed this lesson.


To review, these are the objectives that were covered in this lesson:
• Describe various deployment scenarios
• Understand FGFM keep-alive messages
• Replace a managed device
• Use CLI commands to troubleshoot general connectivity and resource issues
• Verify FortiManager database integrity
• Diagnose and troubleshoot device and ADOM database issues
• Troubleshoot issues related to import and install



 Advanced Configuration


In this lesson, we will examine how to set up a FortiManager high availability (HA) cluster, how to use FortiManager
as a local FortiGuard server for your devices, and the purpose of FortiMeter.


In this lesson, we will explore the following topics:

• High Availability (HA)
• FortiGuard Services
• FortiMeter


After completing this section, you should be able to:

• Implement and configure FortiManager in an HA cluster
• Troubleshoot FortiManager HA

By demonstrating competence in implementing and configuring FortiManager in an HA cluster, you will be
able to use this FortiManager solution to enhance fault tolerance and reliability in your network.


A FortiManager HA cluster consists of up to five FortiManager devices of the same FortiManager model and
firmware. One of the devices in the cluster operates as the primary device and the other devices—up to four—
operate as secondary devices. The HA heartbeat packets use TCP port 5199. FortiManager HA can provide
geographic redundancy, and each FortiManager has its own IP address.

When performing a firmware upgrade on the cluster, always schedule a maintenance window because
upgrading the firmware on the primary FortiManager will also upgrade the firmware on all the secondary
devices, and reboot all the devices in the cluster.


All changes to the FortiManager database are saved on the primary FortiManager, and then these changes
are synchronized with the secondary FortiManager devices. The configuration, and device and policy
databases, of the primary device are also synchronized with the secondary devices.

There are a few configuration settings, FortiGuard databases, and logs that are not synchronized between the
primary and secondary devices. The FortiGuard databases and packages are downloaded separately, and
each device can provide FortiGuard services to managed devices.

The cluster functions as an active-passive cluster; however, you can configure the cluster members to act as
independent active local FortiGuard server(s).


FortiManager HA doesn’t support IP takeover, where an HA state transition is transparent to administrators. If
a failure of the primary occurs, the administrator must take corrective action to resolve the problem, which may
include invoking the state transition. If the primary device fails, the administrator must do the following in order
to return the FortiManager HA to a working state:

1. Manually reconfigure one of the secondary devices to become the primary device.
2. Reconfigure all other secondary devices to point to the new primary device.

You don’t need to reboot devices that you promote from secondary to primary.

If the secondary FortiManager device fails, the administrator can reconfigure the primary device to remove the
secondary configuration. Alternatively, the administrator can keep the secondary configuration in the HA
settings and, after the secondary device comes online, it will resynchronize with the primary device.

To configure HA, click System Settings > HA. Select Master as the role for one cluster member, and then add
up to four secondary devices (peers) to the cluster.

There are a few other settings that are worth mentioning that you can configure only on the primary
FortiManager, including:

• Heart Beat Interval: The time in seconds that a cluster member waits between sending heartbeat packets
and expecting to receive a heartbeat packet from the other cluster members. By default, the heartbeat
interval is 5 seconds.
• Failover Threshold: The maximum number of heartbeat intervals that can pass without a response before
FortiManager assumes that the other cluster member has failed. By default, the failover threshold is 3.
With the default settings, the failure detection time is 15 seconds (5-second heartbeat interval × failover
threshold of 3).

After you configure the HA cluster, it shows the roles of cluster members.
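The same configuration expressed in the FortiManager CLI, covering both the initial setup described above and the manual recovery steps listed earlier in this section. This is an added example, not a configuration taken from the study guide. The IP addresses, serial numbers and shared password are placeholders, and the command names are FortiManager 5.x syntax as I recall it; confirm them with `?` on your own unit before relying on them.

```fortios
# --- Primary FortiManager (10.0.0.11) ---
# Added example; addresses, serials and the password are placeholders.
config system ha
    set mode master
    set password "Str0ngSharedSecret!"   # must be identical on every member
    set hb-interval 5                    # seconds between heartbeats (default 5)
    set hb-lost-threshold 3              # missed intervals before failover (default 3)
    config peer
        edit 1
            set ip 10.0.0.12
            set serial-number "FMG-VM0000000002"   # placeholder secondary serial
        next
        edit 2
            set ip 10.0.0.13
            set serial-number "FMG-VM0000000003"   # placeholder secondary serial
        next
    end
end

# --- Each secondary FortiManager (here 10.0.0.12) ---
# A secondary lists the primary as its peer; the database flows primary -> secondary.
config system ha
    set mode slave
    set password "Str0ngSharedSecret!"
    config peer
        edit 1
            set ip 10.0.0.11
            set serial-number "FMG-VM0000000001"   # placeholder primary serial
        next
    end
end

# --- Recovery after the primary (10.0.0.11) fails: no IP takeover, so it is manual ---
# Step 1, on the secondary being promoted (10.0.0.12): change its role and list
# the remaining members as peers. No reboot is needed.
config system ha
    set mode master
    config peer
        edit 1
            set ip 10.0.0.13
            set serial-number "FMG-VM0000000003"
        next
    end
end
# Step 2, on every other secondary (here 10.0.0.13): repoint the peer entry at the
# new primary. Managed FortiGates learn the new member list from the primary.
config system ha
    set mode slave
    config peer
        edit 1
            set ip 10.0.0.12
            set serial-number "FMG-VM0000000002"
        next
    end
end
```

Keep the heartbeat interval and threshold the same on every member and treat the shared password like any other cluster secret: it is what stops an attacker on the heartbeat network from joining a rogue "secondary" and receiving a copy of the device and policy databases.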

After you configure the FortiManager cluster, you can view the System Information widget on the dashboard,
HA settings, or CLI for the current status of the HA cluster.

You can also check the logs in the Event Log or Alert Message Console widget on the dashboard.

After you configure a FortiManager cluster, a pop-up dialog box appears on the secondary FortiManager. It
states that you can’t make any device configuration changes on the secondary device. It also states that you
can make changes to the configuration database only on the primary FortiManager, which will synchronize its
changes with all secondary devices.

The managed FortiGate devices are updated by the primary FortiManager with the serial numbers of all
cluster members. Similarly, if you remove a secondary member from the HA configuration, the primary
FortiManager removes the secondary serial number from the central management configuration of FortiGate,
and updates the managed FortiGate devices immediately.

If you experience issues with the FortiManager HA, you can check the following:

• The HA heartbeat packets use TCP port 5199. Run a sniffer on TCP port 5199 to ensure cluster members
are able to send and receive HA heartbeat packets
• Check the event log and the Alert Message Console for messages related to HA
• Run real-time debugs to verify HA synchronization
• Check the HA status to confirm the cluster is fully synchronized

To resolve HA issues you can force a resync from the primary FortiManager, which will resync its database
with all secondary devices. If you run the command to resync on a secondary FortiManager, only that
secondary FortiManager will resync with the primary FortiManager.
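The checks listed above as a CLI session on a cluster member. This is an added example, not part of the study guide; the subcommand names under `diagnose ha` are how I recall them in FortiManager 5.x, so confirm them with `diagnose ha ?` if a command is rejected.

```fortios
# Added example: HA health checks on one FortiManager cluster member.

# 1. Is the heartbeat flowing? Capture TCP 5199 on any interface; verbosity 4
#    prints the packet header with the interface name. Press Ctrl-C to stop.
#    Seeing only outbound SYNs means the peer (or a firewall in between) is
#    not answering on 5199.
diagnose sniffer packet any "tcp port 5199" 4

# 2. Role, peers and synchronization state. "Pending Module Data" should be 0
#    on a healthy cluster; a growing value means secondaries are falling behind.
diagnose ha status                     # assumed subcommand name

# 3. Real-time HA daemon debug: shows a secondary's join request, the database
#    transfer from the primary, and the keepalive exchange once in sync.
diagnose debug application ha 255
diagnose debug enable
# ... reproduce the problem, then stop the debug so it does not fill the logs:
diagnose debug disable

# 4. Force a resync. Run on the primary to push its database to every
#    secondary, or on one secondary to resync only that member with the primary.
diagnose ha force-resync               # assumed subcommand name
```

Run the sniffer on both sides at once: if the primary sends heartbeats that never arrive at the secondary, the problem is on the path (a stateful firewall or NAT between the sites), not in FortiManager.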

The first thing you should look at in the HA cluster is whether there is any pending data that needs to be
synced between the cluster members. A value in the Pending Module Data field means there are updates
that must be synced on secondary devices. The value should be 0, which indicates synchronization is working
fine.

To troubleshoot, you can run real-time debugs on HA daemons on all cluster members.

You can use the real-time debug commands to check sync issues and keepalive messages.

In the example shown on this slide, a new secondary FortiManager is configured and sending a request to the
primary FortiManager to join the cluster. The primary FortiManager accepts the request and sends the
databases to the secondary FortiManager. Then, the secondary FortiManager saves these databases and
updates the primary FortiManager. After the primary and secondary devices are fully synced, cluster
members exchange keepalive messages, which confirms the cluster is up and running.

A failure is detected when no heartbeat has been received for the heartbeat interval multiplied by the failover
threshold, both of which you configure in the HA settings on the primary FortiManager.

Good job! You now understand high availability.

Now, let’s examine FortiGuard services.

After completing this section, you should be able to:

• Configure and use FortiManager as your local FortiGuard for antivirus, intrusion prevention service (IPS),
web filtering, and antispam
• Describe the purpose of server override mode
• Describe the purpose of override server address
• Upgrade FortiGate firmware using FortiManager
• Configure FortiGate to use FortiManager as local FortiGuard Distribution Server (FDS)
• Diagnose and troubleshoot FortiGuard issues

By demonstrating competence in using FortiGuard services on FortiManager, you will be able to use your
FortiManager effectively as a local FDS server.

A FortiManager that is acting as a local FortiGuard synchronizes the FortiGuard updates and packages with
the public FortiGuard Distribution Network (FDN), then provides the updates to your private network’s
supported Fortinet devices. The local FortiGuard provides a faster connection, which reduces the Internet
connection load and the time required to apply updates, such as IPS signatures, to many devices.

FortiManager can function as a local FortiGuard Distribution Server (FDS). It continuously connects to the
public FortiGuard Distribution Network (FDN) servers to obtain managed device license information and check
firmware availability updates (unless configured for closed-network operations).

FortiManager can provide antivirus, IPS signature updates, web filtering, and anti-spam services to supported
devices.

FortiGuard information is not synchronized across a FortiManager cluster. In a cluster, each device
individually downloads and can provide these services independently.

FortiManager supports requests from registered (managed) and unregistered (unmanaged) devices.

Using FortiGuard services on FortiManager can be resource intensive; in larger deployments, consider dedicating
a FortiManager to this task.

FortiGuard services represent the antivirus, IPS, web-filtering and anti-spam update services.

Historically, the antivirus and IPS service has been referred to as the FDS service, and the web filter and
email filter service as the FortiGuard service.

Currently, the term “FortiGuard” covers all services, however, specific FortiManager GUI or CLI configuration
sections still continue to refer to them using the terminology shown on this slide.

FortiManager requires Internet access using TCP port 443 in order to download packages and databases,
and validate FortiGate service licenses, from public FDN servers.

FortiManager uses four main FortiGuard services to create a replica of public FDN servers for FortiGate and
FortiClient.

In order to enable the built-in FDS, you must enable the service access setting on the FortiManager interface
and the FortiGuard services.

You must configure the Service Access settings on FortiManager per interface. This is useful when different
FortiGate devices are communicating with FortiManager on different interfaces. FortiGuard services are used
by FortiGate devices to query and obtain updates from FortiManager. The FortiGate Updates service is for
antivirus, IPS, and license validation. The Web Filtering service is for web filter and antispam.

The second configuration step is to enable services on FortiManager. By default, communication to the public
FDN is enabled, which allows FortiManager to continuously connect to FDN servers to obtain managed
device information and sync packages. However, you must enable services such as antivirus and IPS, web
filter, and email filter so that FortiManager can download updates for these services from the public FDN.

When you use FortiManager in a closed network, disable communication with FortiGuard. When
communication is disabled, you must upload antivirus, IPS, license packages, web filter, and email filter
databases manually because they are no longer automatically retrieved from the public FDN server(s).

During first-time setup, while FortiManager is still downloading updates from the public FDN, keep service
access disabled at the interface level. Until the packages and databases have been downloaded, FortiManager
can’t provide accurate ratings or updates to FortiGate. Enable service access only after the downloads have
completed.

The antivirus and IPS services are enabled together and use TCP port 443 to obtain the updates from public
FDN. You can enable updates for the supported products by enabling the firmware version that you want to
download the updates for.

By default, FortiManager will first attempt to connect to the public FDS server fds1.fortinet.com through
TCP port 443, to download the list of secondary FDS servers that it will download AV/IPS packages from.

Keeping the built-in FDS up-to-date is important to provide current FDS update packages. By enabling
Schedule Regular Updates, you are guaranteed to have a relatively recent version of signature and package
updates. A FortiManager system acting as an FDS synchronizes its local copies of FortiGuard update
packages with the FDN when:
• It is scheduled to poll or update its local copies of update packages
• If push updates are enabled (it receives an update notification from the FDN)

If the network is interrupted when FortiManager is downloading a large file, FortiManager downloads all files
again when the network resumes. You can configure scheduled updates on an hourly, daily, or weekly
schedule.

By default, FortiManager schedules updates every hour because antivirus updates occur frequently.

What if important IPS updates become available on the public FortiGuard network between scheduled polls?
How can you ensure that FortiManager always receives new updates promptly?

If you enable Allow Push Update, the FDN can push update notifications to FortiManager’s built-in FDS as
soon as new signature updates are released publicly by FortiGuard. FortiManager then downloads the
updates immediately.

Usually, when push updates are enabled, FortiManager sends its IP address to the FDN; this IP address is
used by the FDN as the destination for push messages.

What if FortiManager is behind a NAT device?

If FortiManager is behind a NAT device, sending its IP address for push updates will cause push updates to
fail as this is a non-routable IP address from the FDN. You must configure the following:

1. On FortiManager, configure the NAT device’s external IP address and the port used for push updates. By
default, the port for push updates is UDP 9443, but you can configure a different port number.
2. On the NAT device, configure a virtual IP (port forward) that sends that external IP address and port to
FortiManager.

The built-in FDS may not receive push updates if the external IP address of any intermediary NAT device is
dynamic (such as an IP address from PPPoE or DHCP). When the NAT device’s external IP address
changes, FortiManager’s push IP address configuration becomes out-of-date.
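The enablement steps from this and the preceding pages (interface service access, public FDN communication, the individual services, the update schedule, and the push override for a FortiManager behind NAT) as one CLI configuration. This is an added example, not the study guide's own configuration. Interface names, addresses and ports are placeholders, and the `config fmupdate` paths are FortiManager 5.x syntax as I recall it (older releases keep the schedule and push override under `config fmupdate av-ips`); confirm each path with `?` before use.

```fortios
# Added example: turning a FortiManager into a local FDS.

# 1. Per-interface service access. Offer the services only on the interface
#    managed FortiGates actually reach; an Internet-facing interface should not
#    answer FortiGuard queries from anyone. Leave this unset until the first
#    download has finished, otherwise FortiGates receive stale or empty data.
config system interface
    edit "port2"
        set serviceaccess fgtupdates webfilter   # fgtupdates = AV/IPS/licenses, webfilter = web + antispam
    next
end

# 2. Communication with the public FDN (default enable). In a closed network
#    set status disable and upload AV/IPS, license, web filter and antispam
#    packages manually instead.
config fmupdate publicnetwork
    set status enable
end

# 3. The services FortiManager should download and serve.
config fmupdate service
    set avips enable               # antivirus and IPS are enabled together
    set query-webfilter enable     # web filter ratings
    set query-antispam enable      # antispam ratings
end

config fmupdate fds-setting
    # 4. Scheduled polling. "every" with a time of 01:00 means once per hour,
    #    the default; AV packages change often enough to justify it.
    config update-schedule
        set status enable
        set frequency every
        set time 01:00
    end
    # 5. Push updates from behind NAT. Without this FortiManager announces its
    #    private address to the FDN and push notifications never arrive. The NAT
    #    device must forward 203.0.113.10:9443/udp to this FortiManager, and the
    #    setting goes stale if that external address is dynamic.
    config push-override
        set status enable
        set ip 203.0.113.10        # placeholder: NAT device's external address
        set port 9443              # UDP 9443 is the default push port
    end
end
```

Treat step 1 as the access-control decision: the service access flag is what exposes the FDS listener, so scope it to the management-facing interface rather than every interface.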

The Receive Status displays the package received, latest version, size, to be deployed version, and update
history for the antivirus and IPS signature packages received from FortiGuard.

The Update History shows the update times, the events that occurred, the status of the updates, and the
versions downloaded.

You can also change the version you want to deploy.

There are five main statuses for FortiGate devices configured to receive updates from the FortiManager:

• Up to Date: The latest package has been received by the FortiGate device
• Never Updated: The device has never requested or received the package
• Pending: The FortiGate device has an older version of the package because of an acceptable reason
(such as the scheduled update time is pending)
• Problem: The FortiGate device missed the scheduled query, or did not correctly receive the latest package
• Unknown: The FortiGate device’s status is not currently known

You can also push pending updates to the devices, either individually or all at the same time.

You must enable the web filter and email filter services individually. By default, FortiManager first attempts to
connect to the public FGD server over TCP port 443 to download the list of secondary FGD servers from
which it will then download web and antispam packages. By default, FortiManager is scheduled to check for
updates every 10 minutes.

When you enable the web filter and antispam services for the first time, it may take several hours to download
and merge the databases. During this time, you will notice higher I/O wait times and a spike in CPU usage by
the web and email processes on FortiManager.

The web and antispam databases received from FortiGuard are listed under Receive Status. Receive Status
displays the date and time updates are received from the server, the update version, the size of the update,
and the update history. You can click Update History to see more information about individual packages
downloaded.

The Query Status shows the number of queries made from all managed devices to the FortiManager device
that is acting as a local FDS.

By default, Server Override Mode is set to Loose and is the recommended mode. This setting allows
FortiManager to fall back to the other FDN servers if FortiManager is not able to communicate with one of the
configured servers in the override server address list.

You can change the Server Override Mode to Strict, which prevents the fallback from occurring. This setting
allows FortiManager to communicate only with the servers configured in the override server address list.

You can configure an override server address, which directs FortiManager to the servers in the override list
instead of the public FDN. You can configure override server addresses for antivirus, IPS, web filter, and email
filter, for FortiGate, FortiMail, and FortiClient.

An example of a good situation in which to configure an override server address is if you have a dedicated
upstream FortiManager that you use to download antivirus and IPS updates. In this case, you can configure
your downstream FortiManager to get the updates from the dedicated upstream FortiManager by configuring
the IP address and port used by the upstream FortiManager.

FortiManager tries to obtain updates from the servers configured in the Use Override Server Address for
FortiGate/FortiMail. Depending upon the Server Override Mode configuration, you can restrict
FortiManager to get updates from the configured override servers list, or allow fallback to other public FDS
servers, if FortiManager is not able to communicate to get updates from the configured server list.

In the example shown on this slide, two override server addresses are configured. When Server Override
Mode is set to Strict, FortiManager gets updates only from these two servers. There is no fallback to other
public servers, if these two configured servers are not available.

If you set Server Override Mode to Loose, FortiManager will first try to get updates from the configured
server list, and, if they are unavailable, FortiManager will fall back to other public FDS servers to get updates.
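The upstream/downstream scenario from the previous page together with both override modes, as an added CLI example that is not part of the study guide. The addresses are placeholders, and the override server table path is FortiManager 5.x syntax as I recall it (older releases use `config fmupdate av-ips fgt server-override`); the port is my assumption that the upstream FortiManager serves FortiGate updates on TCP 8890. Confirm both with `?` on your unit.

```fortios
# Added example, run on the DOWNSTREAM FortiManager.
# Two upstream FortiManagers are listed; they are tried in order.
config fmupdate fds-setting
    config server-override
        set status enable
        config servlist
            edit 1
                set ip 10.10.10.5     # placeholder: primary upstream FortiManager
                set port 8890         # assumed: port the upstream serves FortiGate updates on
            next
            edit 2
                set ip 10.10.10.6     # placeholder: second upstream, tried if the first fails
                set port 8890
            next
        end
    end
end

# Loose (default, recommended): try the servlist first; if neither upstream
# answers, fall back to the public FDN so signature updates never stop.
config fmupdate server-override-status
    set mode loose
end

# Strict: talk only to the servlist. Choose this when policy forbids the
# downstream unit from reaching the Internet at all. The price is that if both
# upstream servers are down, AV/IPS updates simply stop until they return.
config fmupdate server-override-status
    set mode strict
end
```

Strict mode is the right choice for an air-gapped or egress-restricted enclave, but pair it with monitoring of the Receive Status page (or the FortiGuard event logs), because nothing else will tell you that updates have silently stalled.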

You can configure logging of FortiGuard events, such as FortiManager built-in FDS updates, and FortiGate
devices using FortiManager as an FDS.

You can view the logs in Event Logs, which can be helpful in diagnosing or troubleshooting issues related to
FortiGuard updates.

FortiManager includes a licensing overview page that allows you to view license information for all managed
FortiGate devices by clicking FortiGuard > Licensing Status. You can quickly verify if the FortiGate license
has expired or not.

An administrator whose access is limited to an ADOM can view the license information of the FortiGate devices
in that ADOM by clicking Device Manager > License. If you are managing many FortiGate devices in an ADOM,
you can use filters to check their statuses. For example, you can list the FortiGate devices whose service
licenses expire in the next 30 days, which helps you take proactive steps to renew them.

FortiManager can download firmware images from the Fortinet Distribution Network (FDN), or you can upload
firmware images from your management computer. If the image that FortiManager marks as the latest doesn’t suit
your needs, you can change which version is treated as the latest, or import a different image from your
management computer. This allows you to change the device firmware using your FortiManager device.

You can view the available firmware based on the supported product type, and filter for all devices or only
managed devices.

You can upgrade the FortiGate firmware in two ways:

• Per Device: In the System Information widget
• Multiple Devices: You can upgrade the firmware version of all the FortiGate devices, selected FortiGate
devices, or FortiGate devices in a group, on the Firmware tab in an ADOM.

FortiManager allows you to upgrade the firmware now, or you can schedule the upgrade. You can also
configure FortiManager to retry in case the first attempt to upgrade the firmware is unsuccessful (which can
be caused by network interruptions or FortiGate being unable to communicate with FortiManager).

You can also configure unmanaged FortiGate devices to use FortiManager as a local FDS. You must configure the
server-list in the central-management settings of FortiGate, which includes:
• The IP address of the FortiManager that acts as the local FDS for the FortiGate devices
• The server type, which is one of:
  • update: used for antivirus and IPS updates, and FortiGate license verification
  • rating: used for web filter and antispam rating queries

By default, include-default-servers is enabled, which allows FortiGate to fall back to the public FortiGuard
servers if a private server (configured in the server-list) is unavailable. You can enable or disable inclusion
of the public FortiGuard servers in the override server list.

By default, when a FortiGate is managed by FortiManager, it uses public FortiGuard servers. This is because
not every organization uses FortiManager for local FDS.
There are multiple ways to configure FortiGate to use FortiManager as a local FDS. You can:

• Configure FortiGuard settings in the Provisioning Templates > System Templates > FortiGuard
widget, which you can assign to and install on managed devices. The decision to override the default FDS
server and use FortiManager is a device-level setting. Remember to enable the service access settings on the
FortiManager interface.
• Configure a CLI script that sets the central-management server-list, and install it on the managed devices

The first step you should perform when troubleshooting FortiGuard issues is to check and verify the
configuration on FortiManager. You should check if:
• You are able to resolve the public FDN servers by domain name. For example, check if you are able to
ping fds1.fortinet.com for antivirus and IPS for FortiGate or FortiMail.
• Communication with the public network is enabled, and the required services are enabled, on FortiManager
• Scheduled updates for antivirus and IPS are enabled. By default, a polling interval for web and antispam is
enabled and can’t be disabled. Check the interval to make sure FortiManager is polling for updates at the
scheduled time.

After you verify the configuration, check if FortiManager is communicating with the upstream FortiGuard
server(s).

If FortiManager is unable to connect to the public FDN servers, only primary FDN servers will display in the
server list. This can be caused by unreachability or disabled services on FortiManager.

After FortiManager connects to the public FDN servers, it will download the list of secondary FDN servers
from which it downloads the updates and packages.

You can also check the status of the connection to the public FDN. If FortiManager is not able to connect to
the public FDN, or service is disabled, the UpullStat for current status will be empty and there will be no
information on the date, time, download size, and package.

After FortiManager is able to communicate with the public FDN, FortiManager will display the download size,
package, and IP address of the FDN server that FortiManager is communicating with to download the
updates.

The UpullStat has four main statuses:

• Connected: The FortiManager connection to the FDN initially succeeds, but a synchronization connection has
not yet occurred
• Syncing: The built-in FDS is enabled, and FortiManager is downloading and syncing the packages available on
the FDN
• Synced: The built-in FDS is enabled and the FDN packages have downloaded successfully
• Out-of-sync: The initial FDN connection succeeds, but the built-in FDS is disabled

FortiGate devices must have valid and active service contracts to receive updates from FortiManager.

You can check the contract information of all FortiGate devices in the FortiManager CLI. An expired or trial
FortiGate license shows as 99, which means FortiGate is unable to receive the updates from FortiManager.

In the FortiGate CLI, you can check the version, when it was last updated, and contract information for
FortiGate.

You can also run a real-time debug along with the update command, which will try to download the latest
definitions and packages from the FDS server (or configured local FDS server in the central management
configuration.)
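The troubleshooting sequence from the last few pages as a CLI session, first on FortiManager and then on a FortiGate. This is an added example, not a transcript from the study guide. The FortiOS commands are ones I am confident exist; the two `diagnose fmupdate` subcommands are marked as assumed names and should be confirmed with `diagnose fmupdate ?`.

```fortios
# Added example: end-to-end FortiGuard checks.

# ===== On FortiManager =====
# 1. Name resolution and reachability of the public FDN entry point for AV/IPS.
execute ping fds1.fortinet.com

# 2. The FDN server list FortiManager has learned. If only the primary FDN
#    servers appear, FortiManager never reached the FDN (or the service is
#    disabled); after a successful connection the secondary servers are listed.
diagnose fmupdate view-serverlist fds        # assumed subcommand name

# 3. Contract status of every managed FortiGate as FortiManager sees it.
#    A device whose contract shows 99 is expired or trial and will not be
#    served updates, whatever the FortiGate side says.
diagnose fmupdate dbcontract                 # assumed subcommand name

# ===== On a FortiGate that should use FortiManager as its FDS =====
# 4. Installed versions, last update time and contract expiry per service.
diagnose autoupdate versions

# 5. Watch the update daemon while forcing an update. The output shows which
#    server the FortiGate contacts (public FDN or the private server-list entry)
#    and the reason an update is refused, such as an expired contract.
diagnose debug application update -1
diagnose debug enable
execute update-now
# ... read the exchange, then stop the debug:
diagnose debug disable
diagnose debug reset
```

Work the list top to bottom: a FortiGate that "never updates" is far more often a FortiManager that never synced (step 2) or a contract that expired (step 3) than a fault on the FortiGate itself.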

Good job! You now understand FortiGuard services.

Now, let’s examine the FortiMeter feature on FortiManager.

After completing this section, you should be able to:

• Describe the purpose of FortiMeter
• Understand who should use FortiMeter
• Configure and use FortiMeter to deploy FortiOS-VM on demand

By demonstrating competence in using FortiMeter services on FortiManager, you will be able to provision and
meter FortiOS-VM instances on demand.

The Fortinet VM On-Demand Program is designed to provide large MSSPs with a cost-effective way to manage their
clients’ security needs, and eliminates the overhead of perpetual licenses that may not be required all the
time. Consisting of several interoperable components, the Fortinet VM On-Demand Program uses consumable points
purchased from Fortinet. Points are consumed according to the traffic volume handled by the FortiOS-VM.

This program consists of a program membership, renewed yearly, and point packages. The program membership is
similar to a license add-on, but there is no .lic file to download.

You must register the components in FortiCare in the following order for everything to be set up and work
properly.
1. Register your FortiManager.
2. Register your Fortinet VM On-Demand Program license (this creates your FortiMeter group on the
support portal).
3. Add your FortiManager to the VM Meter group.
4. Add a VM Meter Points Pack license.

You can check your Fortinet VM On-Demand Program status in the License Information widget on the
FortiManager GUI.

The VM Meter Service indicates the status of the VM Meter point balance, which is one of:

• OK – Positive point balance
• W### – The balance is negative and ### is the number of days before the FortiMeter status will be
changed to Frozen
• FREZ – The balance is negative and the grace period has expired. The FortiMeter group is frozen and no
further traffic can be passed.

When provisioning a FortiOS-VM in trial mode, be aware that the FortiOS-VM will not show up in the
FortiCare reports. You can provision only two units as a trial. You can use a trial license for up to 30 days.

For standard license mode, the point calculations are based on traffic passing through the FortiOS-VM
interfaces. Points are used per terabyte of traffic and there is an increased point cost as you increase the
FortiGuard service options in use.

There are three service options you can choose from when provisioning a FortiOS-VM, and they all include
24x7 support. Each service option consumes points at a different rate.

Firewall (FW) only provides all the features of FortiOS except for security profile features. Firewall only mode
consumes four points per terabyte of traffic.

In firewall plus web filtering mode, all features of firewall only are available, in addition to web filtering
services. Firewall plus URL mode consumes 10 points per terabyte of traffic. Finally, full unified threat
management mode includes all the features of FortiOS.
You can change service levels at any time using the GUI or CLI.

Point packs are consumable units that eventually run out. You can purchase them on the FortiMeter product
information page on FortiCare. With that in mind, the system provides a 15-day grace period during which the
point balance is allowed to go negative. After the grace period has passed, the VM group is frozen until you
add more points.
For example, if you have a negative balance of -1000 points and you apply a new 5000-point pack, the past-due
balance is subtracted and you are left with 4000 points.

During installation of the FortiOS-VM, the administrator is required to specify the FortiManager’s IP address or
resolvable DNS name. This value will be injected into the installation so that the FortiOS-VM will register with
the FortiManager the first time it’s turned on.

The FortiOS-VM is a special standalone VM designed to work with FortiMeter.

Additional FortiOS-VM details:

• Fortinet sets no license limit on the vCPU and RAM values
• FortiOS-VM uses the standard table size limits of the VM-08 license, regardless of the vCPU and RAM assigned
• Only a single VDOM is supported
• Two ports are metered by the metering module (port1 and port2)
• The MGMT port is used only for communication between FortiOS-VM and FortiManager, in both directions

The FortiOS-VM will generate a unique serial number when you turn it on. This number will be passed to
FortiManager during registration.

Note: This serial number can’t be registered in FortiCare.

The FortiOS-VM caches its own uptime in case it loses its connection to FortiManager. After it reconnects, it
syncs its stats with the FortiManager database, which keeps reporting consistent and accurate. If the FortiOS-VM
remains disconnected from FortiManager for 7 days from the first disconnection, the instance is invalidated.

In order for the VM Meter service to function properly, you must ensure the service access options
are enabled on the FortiManager interface.

The FortiOS-VM is required to send the following information every 5 minutes to FortiManager:
• Serial Number/UUID
• FortiGuard features enabled
• IP address
• Hostname
• # of CPUs
• Amount of RAM
• Traffic Volume

On the VM Meter tab, you can authorize your FortiOS-VM either by clicking Authorize, or by double-clicking
the VM in the list. When authorizing the instances, you can choose the license type and services for the
FortiOS-VM.

You can check current traffic information on the FortiOS-VM by going to the firewall interface, or by using the
CLI in the FortiOS-VM.

To view historical traffic information, in FortiManager, select the VM Meter tab, and then click Historical Info.

To check point usage details, you can visit the support portal at https://support.fortinet.com, and then, in the
Asset menu, click FortiMeter Usage Report.

This link opens a page that shows the VM Meter Groups. You can view the program type, available points, number
of virtual instances running, and number of FortiManager devices assigned to each group. Several FortiManager
devices can meter VMs and consume points under a single VM On-Demand Program license.

The first screen capture on this slide shows an example of a usage report obtained by clicking a VM Meter
service group.

In the report, you can see the individual serial numbers for the FortiOS VMs, which packages they were using
(FW, FW+URL or UTM), how much traffic they passed, and how many points they consumed. Note that the
breakdown is by monthly periods with a “total” section at the end. The total displays information from the
moment the VM was launched and authorized.

When you select the FortiManager tab, you can see which units are in the group.

Congratulations! You have completed this lesson.

This lesson covered the following topics:

• Deploying FortiManager in an HA cluster
• What is synchronized between HA cluster members
• Steps to recover failed device
• Configuring FortiGuard settings on FortiManager
• Purpose and use of server override mode and override server address
• Configuring FortiGate devices to use FortiManager as a local FortiGuard server
• Troubleshooting FortiGuard issues
• Using FortiMeter to deploy FortiOS-VM on demand

Appendix A: Additional Resources


Technical Training Courses http://www.fortinet.com/training

Technical Documentation http://docs.fortinet.com

Knowledge Base http://kb.fortinet.com

Forums https://forum.fortinet.com/

Customer Service & Support https://support.fortinet.com

FortiGuard Threat Research & Response http://www.fortiguard.com

Network Security Expert Program (NSE) https://www.fortinet.com/support-and-training/training/network-security-expert-program.html
