FortiManager Lab Guide

DO NOT REPRINT
© FORTINET
FortiManager 5.4.2
Lab Guide
for FortiManager 5.4.2
FortiManager Lab Guide
1
FortiManager Lab Guide
for FortiManager 5.4.2
Last Updated: 4 May 2017
We would like to acknowledge the following major contributors: Simon Cao and Claudio Capone
Fortinet®, FortiGate®, and FortiGuard® are registered trademarks of Fortinet, Inc. in the U.S. and other
jurisdictions, and other Fortinet names herein may also be trademarks, registered or otherwise, of
Fortinet. All other product or company names may be trademarks of their respective owners. Copyright
© 2002 - 2017 Fortinet, Inc. All rights reserved. Contents and terms are subject to change by Fortinet
without prior notice. No part of this publication may be reproduced in any form or by any means or
used to make any derivative such as translation, transformation, or adaptation without permission from
Fortinet, Inc., as stipulated by the United States Copyright Act of 1976.
Table of Contents
VIRTUAL LAB BASICS ...................................................................................9
Network Topology ...................................................................................................................9
Lab Environment .....................................................................................................................9
System Checker ......................................................................................................................10
Logging In ...............................................................................................................................11
Disconnections/Timeouts ........................................................................................................15
Transferring Files to the VM....................................................................................................15
Screen Resolution ...................................................................................................................15
International Keyboards ..........................................................................................................16
Student Tools: View Broadcast and Raise Hand....................................................................16
Troubleshooting Tips ..............................................................................................................17
LAB 1—INITIAL CONFIGURATION .................................................................19
Objectives ...............................................................................................................................19
Time to Complete ....................................................................................................................19
Prerequisites ...........................................................................................................................19
1 Examining Initial Configuration ............................................................................................22
Examine Initial Configuration Through the CLI .......................................................................22
Examine Initial Configuration Through the GUI ......................................................................25
2 Enabling FortiAnalyzer Features on FortiManager..............................................................28
LAB 2—ADMINISTRATION AND MANAGEMENT ..............................................30
Objectives ...............................................................................................................................30
Time to Complete ....................................................................................................................30
1 Configure Administrative Domain (ADOMs) ........................................................................31
Enabling ADOMs.....................................................................................................................31
Viewing ADOM Information.....................................................................................................32
Configuring ADOM ..................................................................................................................33
2 Creating and Assigning Administrators ...............................................................................36
Testing Administrator Privileges .............................................................................................37
Restricting Administrator Access Using Trusted Host ............................................................38
Testing the Restricted Administrator Access ..........................................................................39
3 ADOM Locking (Workspace Mode) .....................................................................................41
ADOM Locking (Workspace Mode) ........................................................................................41
4 Backup and Restore ............................................................................................................43
Backing up FortiManager Configuration .................................................................................43
Restore FortiManager Configuration ......................................................................................44
5 Monitoring Alerts and Event Logs ........................................................................................46
Offline Mode ............................................................................................................................46
Viewing Alerts and Event Logs ...............................................................................................47
LAB 3—DEVICE REGISTRATION ...................................................................50
Objectives ...............................................................................................................................50
Time to Complete ....................................................................................................................50
1 Configuring System Templates ............................................................................................51
Configuring System Templates ...............................................................................................51
Disabling ADOM Locking (Workspace Mode) ........................................................................53
2 Registering a Device to FortiManager .................................................................................55
Reviewing Central Management Configuration on Local-FortiGate .......................................55
Enabling Real-Time Debug .....................................................................................................56
Adding Local-FortiGate Using the Add Device Wizard ...........................................................56
Viewing the Local-FortiGate Policy Package..........................................................................60
Importing System Template Settings From FortiGate ............................................................62
Adding Remote-FortiGate Using the Add Device Wizard.......................................................64
LAB 4—DEVICE LEVEL CONFIGURATION AND INSTALLATION ........................67
Objectives ...............................................................................................................................67
Time to Complete ....................................................................................................................67
1 Understanding Managed Device Status ..............................................................................68
2 Install System Template Changes to Managed Devices .....................................................73
Installing System Templates ...................................................................................................73
Checking Managed Device Status..........................................................................................75
Viewing Pushed Configuration on the FortiGate ....................................................................77
3 Auto Update and Revision History .......................................................................................79
Making Direct Changes on Local-FortiGate ...........................................................................79
Making Direct Changes on Remote-FortiGate .......................................................................80
Viewing Auto Update and Revision History ............................................................................80
Viewing the Install Log ............................................................................................................82
Viewing Auto Update, Revision History, and Install Log for Remote-FortiGate (Optional) ....83
Log View..................................................................................................................................83
Task Manager .........................................................................................................................84
4 Configuring Device Level Changes .....................................................................................87
Changing Managed FortiGate Interface Settings ...................................................................87
Filtering Devices Based on Their Statuses .............................................................................89
Configuring the Administrator Account ...................................................................................90
5 Installing Configuration Changes .........................................................................................93
Viewing the Install Preview .....................................................................................................93
Install Wizard...........................................................................................................................94
Revision Diff ............................................................................................................................96
6 Scripts ..................................................................................................................................100
Enabling the Script Feature ....................................................................................................100
Configuring Scripts ..................................................................................................................101
Running and Installing Scripts ................................................................................................102
LAB 5—POLICY & OBJECTS ........................................................................106
Objectives ...............................................................................................................................106
Time to Complete ....................................................................................................................106
1 Import Policy and ADOM Revisions.....................................................................................107
Import Policy ...........................................................................................................................107
Creating ADOM Revisions ......................................................................................................109
2 Workflow Mode ....................................................................................................................111
3 Creating and Assigning Header Policies in the Global ADOM ............................................121
4 Creating a Common Policy for Multiple Devices .................................................................126
Dynamic Mappings - Address Objects....................................................................................126
Dynamic Mappings - Interfaces and Zones ............................................................................128
Creating a Common Policy Package ......................................................................................132
Configuring an Installation Target and Install On ...................................................................136
LAB 6—VPN ..............................................................................................142
Objectives ...............................................................................................................................142
Time to Complete ....................................................................................................................142
1 Configuring IPsec VPN ........................................................................................................143
Configuring IPsec Phase I and Phase II .................................................................................143
Configuring Static Route .........................................................................................................146
Configuring IPsec Phase I and Phase II .................................................................................146
Configuring Static Route .........................................................................................................148
Installing device-level configuration changes .........................................................................149
Creating firewall policies for IPsec VPN .................................................................................151
Installing Training Policy Package ..........................................................................................153
Testing IPsec VPN ..................................................................................................................153
LAB 7—DIAGNOSTICS AND TROUBLESHOOTING ...........................................155
Objectives ...............................................................................................................................155
Time to Complete ....................................................................................................................155
Prerequisites ...........................................................................................................................155
1 Diagnose and Troubleshoot Install Issues...........................................................................159
Viewing the Installation Preview .............................................................................................159
Viewing the DNS Configuration ..............................................................................................161
Installing Device-Level Configuration Changes ......................................................................163
2 Troubleshoot Policy Import Issues.......................................................................................167
Viewing the Policy Package and Objects ...............................................................................167
Reviewing Policies and Objects Locally on the Remote-FortiGate ........................................168
Importing a Policy Package ....................................................................................................168
Check the Impact of Partial Policy Import (Optional) ..............................................................171
Fixing a Partial Policy Import Issue.........................................................................................173
LAB 8—ADVANCED CONFIGURATION ...........................................................177
Objectives ...............................................................................................................................177
Time to Complete ....................................................................................................................177
1 FortiGuard Management ......................................................................................................178
Diagnosing FortiGuard Issues ................................................................................................179
2 Upgrading FortiGate Firmware Using FortiManager ...........................................................181
Virtual Lab Basics
In this class, you will use a virtual lab for hands-on exercises. This section explains how to connect to
the lab and its virtual machines. It also shows the topology of the virtual machines in the lab.
Note: If your trainer asks you to use a different lab, such as devices physically located in
your classroom, please ignore this section. This applies only to the virtual lab accessed
through the Internet. If you do not know which lab to use, please ask your trainer.
Network Topology
Lab Environment
Fortinet's virtual lab for hands-on exercises is hosted in remote datacenters, so that each student has
their own training lab environment, or PoD (point of delivery).
System Checker
Before starting any class, check that your computer can successfully connect to the remote datacenters.
The System Checker verifies that your network connection and your web browser can reliably connect
to the virtual lab.
You do not have to be logged in to the lab portal to run the System Checker.
To run the System Checker
1. Click the URL for your location:
• AMER (North and South America): https://remotelabs.training.fortinet.com/training/syscheck/?location=NAMWest
• EMEA (Europe, Middle East and Africa): https://remotelabs.training.fortinet.com/training/syscheck/?location=Europe
• APAC (Asia and Pacific): https://remotelabs.training.fortinet.com/training/syscheck/?location=APAC
If your computer successfully connects to the virtual lab, the Browser Check and Network
Connection Check each display a check mark icon. You can then proceed to log in.
If any of the tests fail:
• Browser Check: This affects your ability to access the virtual lab environment.
• Network Connection Check: This affects the usability of the virtual lab environment.
For solutions, click the Support Knowledge Base link or ask your trainer.
Logging In
Once you confirm your system can successfully run the labs through System Checker, you can
proceed to log in.
To log in to the remote lab
1. With the user name and password provided by your trainer, you can either:
• Log in from the Login access at the bottom of the System Checker's result.
• Log in to the URL for the virtual lab provided by your trainer:
https://remotelabs.training.fortinet.com/
https://virtual.mclabs.com/
2. If prompted, select the time zone for your location, and then click Update.
This ensures that your class schedule is accurate.
3. Click Enter Lab.
Your system dashboard will appear, listing the virtual machines in accordance with your lab
topology.
4. From this page, open a connection to any virtual appliance by doing one of the following:
• Click the device’s square (thumbnail)
• Select Open from the System drop-down list associated to the VM you want to access.
Note: Follow the same procedure to access any of your virtual devices.
A new web browser tab opens, granting you access to the virtual device. When you open a VM,
your browser uses HTML5 to connect to it.
Depending on the virtual machine you select, the web browser provides access to either a text-based CLI or the GUI.
Connections to the Local-Windows VM use a Remote Desktop-like GUI. The web-based connection
should automatically log in and then display the Windows desktop.
For most lab exercises, you will connect to this Local-Windows VM.
Disconnections/Timeouts
If your computer’s connection with the virtual machine times out, or if you are accidentally
disconnected, to regain access, return to the initial window/tab that contains your session’s list of VMs
and open the VM again.
If that does not succeed, see the Troubleshooting Tips section of this guide.
Transferring Files to the VM
If you store files in a cloud service such as Dropbox or SugarSync, you can use the web browser to
download them to your Local-Windows VM.
From there, if required, you can use a web browser to upload them to Fortinet VMs' GUI.
When connecting to a VM, your browser should then open a display in a new applet window.
Screen Resolution
Some Fortinet devices' user interfaces require a minimum screen size.
To configure screen resolution in the HTML 5 client, open the System menu.
International Keyboards
If characters in your language don’t display correctly, keyboard mappings may not be correct.
To solve this, open the Keyboard menu at the top of the tab of any GUI-based VM, and choose to
display an on-screen keyboard.
Student Tools: View Broadcast and Raise Hand
Your instructor can broadcast their lab systems so that students can watch any ongoing task in
real time. When an instructor begins a broadcast, you will receive an alert at the top of all open lab
pages.
To accept and view the broadcast, you can either click the notification message or click View
Broadcast on the left side panel.
If you have any question or issue, use the Raise Hand tool. Your instructor will be notified and will
assist you.
Troubleshooting Tips
• Do not connect to the virtual lab environment through Wi-Fi, 3G, VPN tunnels, or other low-bandwidth or high-latency connections.
For best performance, use a stable broadband connection such as a LAN.
• Prepare your computer's settings by disabling screen savers and changing the power saving
scheme, so that your computer is always on, and does not go to sleep or hibernate.
• If disconnected unexpectedly from any of the virtual machines (or from the virtual lab portal),
please attempt to reconnect. If unable to reconnect, please notify the instructor.
• If you can't connect to a VM, on the VM's icon, you can force the VM to start up by clicking
System > Power Cycle. This fixes most problems. If that does not solve the problem, revert the
VM to its initial state by clicking System > Revert to Initial State.
Note: Reverting to the VM's initial snapshot will undo all of your work. Try other solutions
first.

• If during the labs, particularly when reloading configuration files, you see a license message
similar to the exhibit below, the VM is waiting for a response from the authentication server.
To retry immediately, go to the console and enter the CLI command:
exec update-now
LAB 1—Initial Configuration
In this lab, you will examine the network settings of FortiManager from the CLI and GUI.
You will also enable the FortiAnalyzer feature set on FortiManager, which can be used for logging and
reporting.
Objectives
• Examine initial system settings, including network and time settings
• Enable FortiAnalyzer features on FortiManager
Time to Complete
Estimated: 20 minutes
Prerequisites
Before beginning this lab, you must update the firmware and initial configurations on the Local-FortiGate and Remote-FortiGate.
This lab environment is also used for FortiGate 5.4.1 training and initializes in a different state than is
required for FortiManager 5.4.2 training.
To update the FortiGate firmware on both FortiGates
1. From the Local-Windows VM, open a browser and log in as admin (blank password) to the Local-FortiGate GUI at 10.0.1.254.
2. Go to the Dashboard, and from the System Information widget click Update.
3. Click Upload Firmware.
4. Browse to Desktop > Resources > FortiManager > Introduction and select FGT_VM64-v5-build1100-FORTINET.out.
5. Click Upgrade.
The system reboots.
6. Once rebooted, log in as admin and ensure the firmware version in the System Information
widget displays v5.4.2, build1100 (GA).
7. Open another browser tab and log in as admin (blank password) to the Remote-FortiGate GUI at
10.200.3.1.
8. Repeat the procedure to update the firmware for Remote-FortiGate.
To restore the FortiGate configuration file on both FortiGates
1. Return to the Local-FortiGate GUI at 10.0.1.254.
2. Go to the Dashboard, and from the System Information widget click Restore.
3. Select to restore from Local PC and click Upload.
4. Browse to Desktop > Resources > FortiManager > Introduction and select local-initial-5.4.2.conf.
5. Click OK.
6. Click OK.
The system reboots.
7. Once rebooted (you must wait until Local-FortiGate reboots), return to the Remote-FortiGate GUI
at 10.200.3.1.
8. Repeat the same procedure to restore the system configuration for Remote-FortiGate, but select
remote-initial-5.4.2.conf from the Introduction folder.
9. Once rebooted, close the browser for both FortiGates.
1 Examining Initial Configuration
FortiManager is preconfigured with the initial network settings.
In this exercise, you will explore the FortiManager basic configuration settings from the GUI and CLI.
Examine Initial Configuration Through the CLI
You will start by accessing a FortiManager using the CLI to examine initial configuration.
To examine the initial configuration through the CLI
1. In Local-Windows, open PuTTY and connect to the FORTIMANAGER saved session (connect
over SSH).
2. At the login prompt, enter the username admin (all lower case).
3. Enter the following command to display basic status information about FortiManager:
CLI Command: # get system status

Diagnostic: What is the firmware version?
Result: Knowing your FortiManager firmware version is important, as it determines what Fortinet products and their firmware versions are supported.

Diagnostic: What is the administrative domain configuration?
Result: By default, administrative domains (ADOMs) are disabled.

Diagnostic: What is the time zone?
Result: It is important that the system time on FortiManager and all registered devices is synced, for tunnel negotiations and logging (if the FortiAnalyzer feature is used).

Diagnostic: What is the license status?
Result: To ensure FortiManager continues to manage devices, a valid license is required.
4. Enter the following command to display information about the FortiManager interface
configuration:
CLI Command: # show system interface

Diagnostic: What is the IP for port1?
Result: Port1 is the management port, and its address is the IP of FortiManager.

Diagnostic: What administrative access protocols are configured for port1?
Result: This will help troubleshoot any access issues you may experience. For example, this PuTTY session would not be able to connect without the SSH protocol enabled.

Diagnostic: What is configured for the service access?
Result: If devices are configured to use FortiManager as the local FDS server, service access allows FortiManager to respond to FortiGuard queries made by devices.

Diagnostic: What is the IP for port2?
Result: According to the network topology diagram, port2 is how traffic is routed between Remote-FortiGate and FortiManager. Remote-FortiGate, therefore, will connect to FortiManager using this port2 IP address.

Diagnostic: What administrative access protocols are configured for port2?
5. Enter the following command to display DNS setting information:
CLI Command: # show system dns

Diagnostic: What are the primary and secondary DNS settings?
Result: By default, FortiManager uses FortiGuard DNS servers.
6. Enter the following commands to display NTP setting information:
CLI Command: # get system ntp

Diagnostic: Is NTP enabled?
Result: NTP is recommended on FortiManager and all registered devices for proper FortiGate-FortiManager tunnel establishment.

Diagnostic: How often does FortiManager synchronize its time with the NTP server?

CLI Command: # show system ntp

Diagnostic: What server is configured for NTP?
Result: By default, Fortinet servers are configured.
7. Enter the following command to display information about the FortiManager routing configuration:
CLI Command: # show system route

Diagnostic: What is the gateway route associated with port2?
Result: According to the network topology diagram, this IP address is the default route to the Internet.
8. To test basic network connectivity, and to ensure the default route to the Internet is working, enter
the following command to ping IP 8.8.8.8 (public IP that is highly available):
execute ping 8.8.8.8
Packets should transmit successfully.
9. Close your PuTTY session.
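As an added example (not part of the lab guide or of Fortinet's own tooling), the following Python script answers the access-protocol questions from step 4 automatically: it parses `show system interface` output, flags clear-text management protocols, and checks what the Internet-facing port2 exposes. The sample output is constructed in FortiManager's `config system interface` syntax, the port2 address is a placeholder, and the rule that an Internet-facing interface may only expose HTTPS and SSH is an assumed local policy, not something the guide states.

```python
"""Audit the administrative-access settings read in step 4 of the CLI exercise.

The sample output below is CONSTRUCTED for this example in the
`config system interface` syntax FortiManager prints; port1's address is
the lab value, port2's address is a placeholder.
"""
import re

SAMPLE_SHOW_SYSTEM_INTERFACE = """\
config system interface
    edit "port1"
        set ip 10.0.1.241 255.255.255.0
        set allowaccess ping https ssh http
        set serviceaccess fgtupdates fclupdates webfilter-antispam
        set status up
    next
    edit "port2"
        set ip 198.51.100.10 255.255.255.0
        set allowaccess ping https ssh http
        set status up
    next
end
"""

# Management protocols that carry credentials and configuration in clear text.
CLEARTEXT_PROTOCOLS = {"http", "telnet"}
# Assumed local policy (not stated in the guide): the interface that carries the
# default route to the Internet (port2 in this lab) may only expose HTTPS and SSH.
INTERNET_FACING_ALLOWED = {"https", "ssh"}


def parse_interfaces(text):
    """Parse `show system interface` output into
    {name: {"ip", "mask", "allowaccess", "serviceaccess"}}."""
    interfaces = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        match = re.match(r'edit "([^"]+)"$', line)
        if match:
            current = {"ip": None, "mask": None,
                       "allowaccess": set(), "serviceaccess": set()}
            interfaces[match.group(1)] = current
            continue
        if current is None:
            continue
        if line == "next":
            current = None
            continue
        parts = line.split()
        if len(parts) < 3 or parts[0] != "set":
            continue
        key, values = parts[1], parts[2:]
        if key == "ip" and len(values) == 2:
            current["ip"], current["mask"] = values
        elif key in ("allowaccess", "serviceaccess"):
            current[key] = set(values)
    return interfaces


def audit(interfaces, internet_facing=("port2",)):
    """Return (interface, severity, message) findings for every interface."""
    findings = []
    for name, cfg in sorted(interfaces.items()):
        # Clear-text management is a problem on any interface.
        for proto in sorted(cfg["allowaccess"] & CLEARTEXT_PROTOCOLS):
            findings.append((name, "high",
                             f"clear-text management protocol {proto} enabled"))
        # On the Internet-facing port, anything beyond the assumed policy is reported.
        if name in internet_facing:
            extra = cfg["allowaccess"] - INTERNET_FACING_ALLOWED - CLEARTEXT_PROTOCOLS
            for proto in sorted(extra):
                findings.append((name, "medium",
                                 f"{proto} exposed on Internet-facing interface"))
    return findings


def hardened_allowaccess(interfaces, internet_facing=("port2",)):
    """Return {name: sorted protocol list} for each interface whose allowaccess
    should change; the list is the value for a corrected `set allowaccess` line."""
    changes = {}
    for name, cfg in interfaces.items():
        wanted = cfg["allowaccess"] - CLEARTEXT_PROTOCOLS
        if name in internet_facing:
            wanted &= INTERNET_FACING_ALLOWED
        if wanted != cfg["allowaccess"]:
            changes[name] = sorted(wanted)
    return changes


if __name__ == "__main__":
    ifaces = parse_interfaces(SAMPLE_SHOW_SYSTEM_INTERFACE)
    for name, cfg in sorted(ifaces.items()):
        print(f'{name}: ip={cfg["ip"]} allowaccess={sorted(cfg["allowaccess"])} '
              f'serviceaccess={sorted(cfg["serviceaccess"])}')
    for name, severity, message in audit(ifaces):
        print(f"[{severity}] {name}: {message}")
    for name, protos in hardened_allowaccess(ifaces).items():
        print(f'{name}: set allowaccess {" ".join(protos)}')
```

To use it against a real device, paste the output of `show system interface` from your PuTTY session in place of the constructed sample.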
Examine Initial Configuration Through the GUI
You will now log in to the FortiManager device using the GUI to examine initial configuration.
To examine the initial configuration through the GUI
1. From the Local-Windows VM, open a browser and log in as admin to the FortiManager GUI at
10.0.1.241.
Accept the self-signed certificate or security exemption, if a security alert appears.
Note: All the lab exercises were tested running Mozilla Firefox in Local-Windows VM and
Remote-Windows VM. To get consistent results, we recommend using Firefox in this
virtual environment.
2. Click System Settings.
The dashboard shows the FortiManager widgets that display information such as System
Information, License Information, System Resources, and more.
3. Examine the System Information and License Information widgets to display the information
shown below.
This displays the same information available from the CLI command get system status.
• Firmware version
• Administrative Domain status
• System time and time zone
• License status (VM)
4. From the System Information widget, edit the System Time to view the NTP information.
This displays the same information available from the CLI commands get system ntp and
show system ntp.
Note: You will be managing Local-FortiGate and Remote-FortiGate from FortiManager,
which are configured with the same time zone and NTP server.
5. From the left menu, click Network.
This page displays information about the port1 management interface, including the IP address,
administrative access protocols, service access, and DNS information. This displays the same
information available from the CLI commands show system interface and show system
dns.
Note: The fgtupdates and fclupdates options in the CLI are equivalent to FortiGate Updates in
the GUI. The webfilter-antispam option in the CLI is equivalent to Web Filtering in the GUI.
6. Click All Interfaces to view the configuration of all interfaces.
7. On the left menu, click Network, and from the main window, click Routing Table.
This page displays the network gateway and associated interface. This displays the same
information available from the CLI command show system route.
2 Enabling FortiAnalyzer Features on FortiManager
FortiManager can be used as a logging and reporting device by enabling FortiAnalyzer features on
FortiManager. Remember that FortiManager has logging rate restrictions compared to FortiAnalyzer.
In this exercise, you will enable FortiAnalyzer features on FortiManager, so that FortiManager can be
used for logging and reporting once the FortiGate devices are added.
To enable FortiAnalyzer features on FortiManager
1. From the Local-Windows VM, open a browser and log in as admin to the FortiManager GUI at
10.0.1.241.
Notice the default panes available on FortiManager. It doesn’t have panes related to FortiAnalyzer
features.
2. Click System Settings.
3. Under the System Information widget, turn on FortiAnalyzer Features.
4. Click OK.
FortiManager will reboot to initialize the FortiAnalyzer features and apply the changes.
5. Wait for FortiManager to reboot and then log in as admin to the FortiManager GUI at
10.0.1.241.
You will notice that after enabling FortiAnalyzer features, there are more panes related to logging
and reporting — FortiView, Log View, Event Management, and Reports.
LAB 2—Administration and Management
In this lab, you will configure administrative domains (ADOMs) and an administrator. You will also
restrict administrator access based on administrator profile, trusted hosts, and ADOMs.
Then, you will enable ADOM locking, which disables concurrent access to the same ADOM.
Additionally, the lab will guide you through how to properly back up and restore the FortiManager configuration, view alert messages in the Alert Message Console, and view event logs.
Objectives
• Enable ADOMs and configure a new ADOM
• Configure an administrator and restrict access to a newly created ADOM
• Enable ADOM locking
• Back up FortiManager, restore the backup, and disable offline mode
• Read entries in the alert message console and view event logs
Time to Complete
Estimated: 45 minutes
1 Configure Administrative Domain (ADOMs)
ADOMs group devices for administrators to monitor and manage. The purpose of ADOMs is to divide
the administration of devices and control (restrict) access.
In this exercise, you will enable and configure ADOMs.
Enabling ADOMs
ADOMs are not enabled by default and can only be enabled by the admin administrator, or an
administrator with the Super_User access profile.
You will now enable ADOMs on FortiManager.
To enable ADOMs
1. From the Local-Windows VM, open a browser and log in as admin to the FortiManager GUI at
10.0.1.241.
2. Click System Settings.
Notice that, before Administrative Domain is enabled, there is no All ADOMs tab below Dashboard.
3. Under the System Information widget, turn on Administrative Domain.
4. Click OK.
You will be logged out from FortiManager.
Viewing ADOM Information
Before creating new ADOMs, you should be aware of what ADOM types are available to you. You will
view ADOM information through both the GUI and the CLI.
To view ADOM information
1. Log back in as admin to the FortiManager GUI at 10.0.1.241.
2. Select the root ADOM.
3. Click System Settings.
4. From the left menu, click All ADOMs.
Note that this page is only available when ADOMs are enabled. This page lists all available
ADOMs and lists any devices added to those ADOMs.
5. Still working from the Local-Windows VM, open PuTTY and connect to the FORTIMANAGER
saved session (connect over SSH).
6. Log in as admin and execute the following command to view what ADOMs are currently enabled
on FortiManager and the type of device you can register to each ADOM:
Note: The CLI output formatting is easier to read if you maximize your PuTTY window. If you have already executed the command, maximize the window, press the up arrow to recall the last command you entered, and press Enter to re-run it.
# diagnose dvm adom list
As you can see, there are 13 ADOMs that FortiManager supports, each associated with different
devices along with their supported firmware versions.
7. Close your PuTTY session.
Configuring ADOM
When ADOMs are enabled, FortiManager creates ADOMs by default based on the supported device types. The root ADOM is of the FortiGate ADOM type.
When creating a new ADOM, you must match the device type. For example, if you want to create an
ADOM for a FortiGate, you must select FortiGate as the ADOM type. With FortiGate ADOMs
specifically, you must also select the firmware version of the FortiGate device. Different firmware
versions have different features, and therefore different CLI syntax. Your ADOM setting must match
the device’s firmware.
You will now create and configure a new ADOM.
To configure ADOMs
1. Still logged in to the FortiManager GUI, click All ADOMs.
2. Click Create New.
3. Configure the following:
Field   Value
Name    My_ADOM
Type    FortiGate and 5.4
Your configuration should look like this:
4. Click Select Device.
If you had any devices registered to FortiManager, you could select your device and add it to the
ADOM at this time. However, in this lab, you have not yet registered any devices, so the list is
empty.
5. Leave other settings at their defaults and click OK.
You should observe a list of predefined ADOMs, including your new ADOM.
Tip: You can switch between ADOMs within the GUI. You do not have to log out and log back in. To switch within the GUI, click ADOM in the top right of the GUI. Your administrator privileges determine which ADOMs you have access to.
2 Creating and Assigning Administrators
In this lab, you will create an administrative user with restricted access permissions.
In an active deployment scenario, having more than one administrative user makes administering the
network easier, especially if users are delegated specific administrative roles, or confined to specific
areas within the network. In a multi-administrator environment, you also want to ensure every
administrator has only those permissions necessary to do their particular job.
To create and assign administrators
1. From the Local-Windows VM, open a browser and log in as admin to the FortiManager GUI at
10.0.1.241.
2. Click root.
3. Click System Settings.
4. Click Admin > Administrators.
5. Click Create New.
6. Configure the following:
Field                    Value
User Name                student
Admin Type               LOCAL
New Password             fortinet
Confirm Password         fortinet
Admin Profile            Standard_User
Administrative Domain    Specify
Click to Select ADOMs…   My_ADOM
Your configuration should look like this:
Note: FortiManager comes preinstalled with four default profiles that you can assign to other administrative users. Alternatively, you can create your own custom profile.
In this lab, we have assigned the preconfigured Standard_User profile to the newly created student administrator. The Standard_User profile provides read/write access to all device privileges, but no access to system privileges.
7. Leave other settings at their defaults and click OK.
8. Click admin.
9. Click Log Out.
Testing Administrator Privileges
You will now log in to FortiManager with the newly created administrator (student) and test the
administrator privileges.
To test administrator privileges
1. Log in to the FortiManager GUI at 10.0.1.241 with username student and password
fortinet.
You will be limited to the My_ADOM administrative domain.
Also, there are no System Setting and FortiGuard tabs.
This shows how you can control or restrict administrator access based on administrative profiles
and ADOMs.
Restricting Administrator Access Using Trusted Host
You will now restrict access to FortiManager by configuring a trusted host for the administrator
accounts. Only administrators connecting from a trusted subnet will be able to access the
FortiManager.
To restrict administrator access
1. In the FortiManager GUI, log out of the student account's GUI session.
2. Log in as admin.
3. Click root.
4. Click System Settings.
5. Go to Admin > Administrators.
6. Edit the student account.
7. Turn ON Trusted Hosts.
8. Set Trusted IPv4 Host 1 to 10.0.1.0/24.
9. Click OK at the bottom to save the changes.
Testing the Restricted Administrator Access
In this procedure, you will confirm that administrators outside the subnet 10.0.1.0/24 cannot access
FortiManager.
To test the restricted administrator access
1. From the Remote-Windows VM, open a browser and go to https://10.200.1.241.
2. Try to log in to the FortiManager GUI with username student and password fortinet.
What is the result?
Because you are trying to connect from the 10.0.2.10 IP address, your login authentication
will fail. This is because you restricted logins to only the source IP addresses in the list of
trusted hosts.
Note: The IP address specified in the URL here is not the same as the one used
previously, because now the FortiManager is being accessed from a device that is in a
different part of the network (see Network Topology). As such, we are now connecting to
the port2 interface of the FortiManager device.
3. Go back to the Local-Windows VM.
4. You should still be logged in as admin to the FortiManager GUI. Edit the student account.
5. Toggle Trusted Host to OFF.
6. Click OK.
This allows the administrative user to log in from any IP and subnet.
7. Next, switch back to the Remote-Windows VM and attempt to log in to the FortiManager GUI again with username student and password fortinet.
This time, you should gain access, because you just turned off the requirement to log in from a trusted host.
8. Log out from FortiManager.
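The trusted-host behaviour observed in the two procedures above, as an added example that is not FortiManager code: the source-address allow list is evaluated before the password, which is why the student login from the Remote-Windows VM (10.0.2.10) fails while Trusted IPv4 Host 1 is 10.0.1.0/24, and succeeds once Trusted Hosts is turned off. The account names, password and addresses are the lab's; the class and function names are assumptions for the example.

```python
"""Trusted-host check for administrator logins, modelled on the lab's
Trusted Hosts setting. Added example, not FortiManager code."""
import hmac
import ipaddress
from dataclasses import dataclass, field


@dataclass
class AdminAccount:
    name: str
    password: str                      # plain text only because this is a model
    trusted_hosts_enabled: bool = False
    # CIDR prefixes; with Trusted Hosts enabled and an empty list, nobody can log in
    trusted_hosts: list = field(default_factory=list)

    def source_allowed(self, src_ip: str) -> bool:
        """True if a login attempt from src_ip may proceed to credential checking."""
        if not self.trusted_hosts_enabled:
            return True
        src = ipaddress.ip_address(src_ip)
        return any(src in ipaddress.ip_network(prefix, strict=False)
                   for prefix in self.trusted_hosts)


def login(account: AdminAccount, src_ip: str, password: str) -> bool:
    """Source restriction is checked first. An untrusted source fails exactly like
    a wrong password, so a probe from outside the trusted subnet learns nothing
    about whether the credentials were right."""
    if not account.source_allowed(src_ip):
        return False
    return hmac.compare_digest(password.encode(), account.password.encode())


def accounts_without_source_restriction(accounts) -> list:
    """Defender's check: names of administrators who can log in from any address,
    either because Trusted Hosts is off or because a 0.0.0.0/0 entry is present."""
    return [a.name for a in accounts
            if not a.trusted_hosts_enabled
            or any(ipaddress.ip_network(p, strict=False).prefixlen == 0
                   for p in a.trusted_hosts)]


if __name__ == "__main__":
    # Lab scenario (constructed): student restricted to 10.0.1.0/24
    student = AdminAccount("student", "fortinet", True, ["10.0.1.0/24"])
    print("from Local-Windows :", login(student, "10.0.1.10", "fortinet"))
    print("from Remote-Windows:", login(student, "10.0.2.10", "fortinet"))
    student.trusted_hosts_enabled = False
    print("Trusted Hosts off  :", login(student, "10.0.2.10", "fortinet"))
```

The audit helper is the check worth running periodically: an administrator with no source restriction is reachable from every interface that permits HTTPS or SSH administrative access.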
3 ADOM Locking (Workspace Mode)
By default, multiple administrators can log in to the same ADOM at the same time, which allows concurrent access. However, this can cause conflicts if two or more administrators try to make changes in the same ADOM at the same time.
You will be enabling ADOM locking, which provides:
• Disabling of concurrent ADOM access
• ADOM locking
• A single administrator with read/write access to the ADOM
• Read-only access to that ADOM for all other administrators
ADOM Locking (Workspace Mode)
ADOM locking is configured from the FortiManager CLI only.
Before enabling ADOM locking, ensure all FortiManager administrators are notified and asked to save
their work on FortiManager because enabling ADOM locking will terminate all management sessions.
You will now be enabling ADOM locking from the FortiManager CLI.
To enable ADOM locking (Workspace Mode)
1. In the Local-Windows VM, open PuTTY and connect to the FORTIMANAGER saved session (connect over SSH).
2. At the login prompt, enter the username admin (all lower case).
3. Enter the following commands:
config system global
set workspace-mode normal
end
4. From the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with username student and password fortinet.
5. Click Lock on the top.
You will notice the lock status changed from unlocked to a green locked state.
6. From the Remote-Windows VM, open a browser and go to https://10.200.1.241.
7. Log in as admin to the FortiManager GUI.
You will notice the lock status is red for My_ADOM.
Hover your mouse over the red lock icon. It will tell you the name of the admin who locked this
ADOM, along with the date and time.
8. Click on My_ADOM.
9. Click Log Out.
10. Go back to the Local-Windows VM and log out as student from FortiManager.
Note: If an administrator has locked one or more ADOMs and then logged out of
FortiManager, all those ADOMs will be unlocked.
In this example, when the student administrator locked My_ADOM and then logged out, FortiManager unlocked My_ADOM.
Caution: Always log out gracefully from FortiManager, when ADOM locking is enabled.
If a session is not closed gracefully (due to a PC crash or closed browser window),
FortiManager will not close the admin session until it times out or the session is deleted.
Until this time, the ADOM will remain in a locked state.
If this situation arises and you cannot wait for the admin session to time out, then delete
the session manually through the GUI or the CLI.
From the GUI, click the System Information widget, and then click Current
Administrators > Admin Session List.
From the CLI:
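The locking rules described in this exercise and in the note and caution above, as an added example that is not FortiManager code: one administrator holds the lock and has read/write access to the ADOM, every other administrator is read-only there, a graceful logout releases every lock that administrator held, and a session that was never closed keeps its locks until it times out or is deleted from the Admin Session List. The class name, the session timeout value and the administrator names are assumptions.

```python
"""Model of ADOM locking (workspace mode) as the lab describes it.
Added example, not FortiManager code."""


class WorkspaceModel:
    def __init__(self, adoms, session_timeout_s=900):   # timeout value is an assumption
        self.adoms = set(adoms)
        self.session_timeout_s = session_timeout_s
        self.locks = {}       # adom name -> (admin, time locked)
        self.sessions = {}    # session id -> (admin, last activity time)
        self._next_sid = 1

    def login(self, admin, now):
        """Open a session; the id stands for an Admin Session List entry."""
        sid = self._next_sid
        self._next_sid += 1
        self.sessions[sid] = (admin, now)
        return sid

    def lock(self, sid, adom, now):
        """Click Lock. Succeeds only if nobody else currently holds the ADOM."""
        admin, _ = self.sessions[sid]
        if adom not in self.adoms:
            raise KeyError(adom)
        holder = self.locks.get(adom)
        if holder is not None and holder[0] != admin:
            return False                      # shown as a red lock to this admin
        self.locks[adom] = (admin, now)
        self.sessions[sid] = (admin, now)     # counts as session activity
        return True

    def unlock(self, sid, adom):
        """Click Unlock; only the holder may release."""
        admin, _ = self.sessions[sid]
        if self.locks.get(adom, (None,))[0] == admin:
            del self.locks[adom]
            return True
        return False

    def can_write(self, sid, adom):
        """Read/write for the lock holder, read-only for everybody else."""
        admin, _ = self.sessions[sid]
        holder = self.locks.get(adom)
        return holder is not None and holder[0] == admin

    def lock_holder(self, adom):
        """What hovering over the red lock shows: (admin, time locked) or None."""
        return self.locks.get(adom)

    def logout(self, sid):
        """A graceful logout releases every lock this administrator holds."""
        admin, _ = self.sessions.pop(sid)
        for adom in [a for a, (h, _) in self.locks.items() if h == admin]:
            del self.locks[adom]

    def delete_session(self, sid):
        """Manual cleanup of a stale session from the Admin Session List."""
        self.logout(sid)

    def expire_idle_sessions(self, now):
        """What FortiManager does on its own: time out idle sessions and release their locks."""
        expired = [sid for sid, (_, last) in self.sessions.items()
                   if now - last >= self.session_timeout_s]
        for sid in expired:
            self.logout(sid)
        return expired


if __name__ == "__main__":
    m = WorkspaceModel(["root", "My_ADOM"])
    student = m.login("student", now=0)
    admin = m.login("admin", now=0)
    m.lock(student, "My_ADOM", now=5)
    print("admin can write My_ADOM:", m.can_write(admin, "My_ADOM"))   # False
    m.logout(student)
    print("holder after logout:", m.lock_holder("My_ADOM"))              # None
```

The stale-session case is the one to rehearse: after a browser crash the lock stays with the disconnected session, and the model's expire_idle_sessions or delete_session is the only way it clears, matching the timeout-or-delete choice the caution above describes.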
4 Backup and Restore
In this exercise, you will back up the FortiManager configuration.
In an active deployment scenario, it is a best practice to back up the device configuration prior to
making any configuration changes. If the new configuration does not perform as expected, you can
revert to the last sane configuration. Likewise, during these labs, it is beneficial to have a backup of
the initial configuration, should you need to roll back for any reason.
Note: FortiManager configuration files are not stored in plain text like FortiGate configuration files. They are stored as a .dat file, which can be uncompressed and viewed offline with archive tools such as WinRAR or tar.
Backing up FortiManager Configuration
You will now back up the FortiManager configuration from the GUI.
To back up FortiManager
1. From the Local-Windows VM, open a browser and log in as admin to the FortiManager GUI at
10.0.1.241.
2. Select root.
3. Click Lock on the top.
4. Click System Settings.
5. Go to System Information widget > System Configuration, and then click the backup icon.
6. Deselect Encryption.
7. Click OK.
8. Select Save.
9. Click OK.
10. Note the location of the backup file and rename this file to: lab2.dat.
11. While still on the FortiManager GUI, go to Admin > Administrator.
12. Right-click student and click Delete.
13. Click OK.
Restore FortiManager Configuration
There are a few options when restoring a FortiManager configuration:
• Overwrite current IP, routing, and HA settings: By default, this option is enabled. If FortiManager has an existing configuration, restoring a backup will overwrite everything, including the current IP, routing, and HA settings. If you disable this option, FortiManager will still restore the configuration related to device information and global database information, but will preserve the basic HA and network settings.
• Restore in Offline Mode: By default, this is enabled and grayed out – you cannot disable it. While restoring, FortiManager temporarily disables the communication channel between FortiManager and all managed devices. This is a safety measure in case any of the devices are being managed by another FortiManager. To re-enable the communication, disable Offline Mode.
To restore FortiManager configuration
1. Still logged in to the FortiManager GUI, click Dashboard.
2. Go to System Information widget > System Configuration, and then click the restore icon.
3. Click Browse.
4. Select your backup file lab2.dat.
There is no password to enter because the file was not encrypted.
5. Leave Overwrite current IP, routing and HA settings enabled.
6. Click OK.
FortiManager will reboot.
7. Wait for FortiManager to reboot, and then log in as admin to the FortiManager GUI at
10.0.1.241.
8. Select root.
9. Click Lock on the top.
10. Click System Settings.
11. Go to Admin > Administrator.
The student administrator account will show there.
12. Log out from FortiManager.
5 Monitoring Alerts and Event Logs
In this exercise, you will view the alerts from the alert console widget and view the event logs. You will
also configure filter options to locate specific logs.
First, you will disable offline mode, which is enabled by default when FortiManager backup is restored.
Offline Mode
You will disable offline mode on FortiManager.
To disable offline mode
1. From the Local-Windows VM, open a browser and log in as admin to the FortiManager GUI at
10.0.1.241.
2. Select root.
3. Click Lock on the top.
On the top bar you should observe that FortiManager is in Offline Mode.
4. Click System Settings.
5. Go to Advanced > Advanced Settings.
6. Select Disable for Offline Mode.
7. Click Apply.
You will notice that the Offline Mode message disappears. At this point, FortiManager can
establish a management connection with the managed devices.
Viewing Alerts and Event Logs
You will now view the alerts on the Alert Message Console and logs under Event Logs.
To view alerts and event logs
1. Still logged in to the FortiManager GUI, click Dashboard.
2. Go to the Alert Message Console widget.
You should observe that Offline mode is disabled and see Restore all settings messages,
along with other alert messages.
3. Click Event Log on the left-hand menu.
4. Click Add Filter.
5. Click Sub Type.
6. Click System manager event.
7. Click Go.
Now only the filtered system manager events are shown.
8. You can download them and/or view them in raw format.
9. Log out of FortiManager.
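The Sub Type filter applied in the procedure above, done offline over a downloaded raw log, as an added example that is not FortiManager code. The three log lines are constructed in the key=value style of Fortinet event logs; the field names and the subtype value "system", standing in for "System manager event", are assumptions and were not taken from a device.

```python
"""Filter event log lines by Sub Type offline, as the GUI filter in this
exercise does. Added example, not FortiManager code."""
import shlex

# Constructed sample of a downloaded raw event log (not real device output).
SAMPLE_EVENT_LOG = """\
date=2017-05-04 time=10:02:11 type=event subtype=system user="admin" ui=GUI(10.0.1.10) msg="Offline mode is disabled"
date=2017-05-04 time=10:01:50 type=event subtype=system user="admin" ui=GUI(10.0.1.10) msg="Restore all settings"
date=2017-05-04 time=09:58:03 type=event subtype=logfile user="system" msg="Log file rolled"
"""


def parse_event(line: str) -> dict:
    """Split one key=value line into a dict; shlex keeps quoted values
    containing spaces together as a single token."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def filter_events(raw_log: str, **criteria) -> list:
    """Return parsed events whose fields equal every criterion,
    e.g. filter_events(log, subtype="system") for the lab's filter."""
    matches = []
    for line in raw_log.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        if all(event.get(key) == value for key, value in criteria.items()):
            matches.append(event)
    return matches


def messages(events) -> list:
    """Just the msg field of each event, the column you scan first."""
    return [event["msg"] for event in events]


if __name__ == "__main__":
    for event in filter_events(SAMPLE_EVENT_LOG, subtype="system"):
        print(event["date"], event["time"], event["user"], event["msg"])
```

Keyword criteria compose, so the same function narrows a large export to one administrator's system events (subtype="system", user="admin") without a second pass over the file.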
LAB 3—Device Registration
In this lab, you will explore the common operations performed using the device manager. You will use
the Device Manager pane to add FortiGate devices.
Objectives
• Create and apply system templates to your managed devices
• Review central management settings on the FortiGate device
• Add a device using the add device wizard
Time to Complete
Estimated: 30 minutes
1 Configuring System Templates
System templates on FortiManager can be configured in advance and used to provision common system-level settings to FortiGate devices, either when adding them to FortiManager or to FortiGate devices that are already managed.
Configuring System Templates
You will configure a system template and apply it to the FortiGate device when adding it to FortiManager.
To configure system templates
1. From the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241
with username student and password fortinet.
2. Click Device Manager.
3. Click Provisioning Templates.
You will notice that you have read-only access.
This is because, when ADOM locking is enabled, you must lock the ADOM before making configuration changes.
4. Click Lock on the top to lock My_ADOM.
5. Under System Templates, click default.
6. Go to the Log Settings widget and enable Send Logs to FortiAnalyzer/FortiManager.
7. Configure the following:
Field                      Value
Specify IP Address         Select and type 10.200.1.241 (Note: This is the port2 IP address of FortiManager. Refer to the network topology for details.)
Upload Options             Realtime
Encrypt Log Transmission   Turn ON this option
Your configuration should look like this:
8. Click Apply.
9. Close all other widgets by clicking X and then the checkmark symbol.
Your configuration should look like this:
10. Click Save.
Note: When ADOM locking is enabled, you must save the changes, in order for them to be
copied to the FortiManager database.
11. Click Unlock on the top to unlock My_ADOM.
Disabling ADOM Locking (Workspace Mode)
You will now disable ADOM locking because, in this practical lab, every student has dedicated
ADOMs to work on.
Prior to disabling workspace mode, inform all the administrators logged into FortiManager to save their
work.
To disable ADOM locking (workspace mode)
1. In the Local-Windows VM, open PuTTY and connect to the FORTIMANAGER saved session (connect over SSH).
2. At the login prompt, enter the username admin (all lower case).
3. Enter the following commands.
config system global
set workspace-mode disabled
y
end
This logs all administrators out of FortiManager so that the change can be saved.
2 Registering a Device to FortiManager
There are multiple ways to add FortiGate devices to FortiManager. These include:
• Use the Add Device wizard
• Send a request from FortiGate to FortiManager, and then accept the request from FortiManager
• Add multiple devices from the device manager
You will add the FortiGate devices using the Add Device wizard.
Note: FMG-Access is enabled on both FortiGate devices on the interface facing FortiManager. It is the communication protocol used between FortiManager and the managed FortiGate devices.
Reviewing Central Management Configuration on Local-FortiGate
Before adding FortiGate to FortiManager, you will review the central management configuration on
Local-FortiGate.
To review central management configuration on Local-FortiGate
1. In the Local-Windows VM, open PuTTY and connect to the LOCAL-FORTIGATE saved session (connect over SSH).
2. At the login prompt, enter the username admin (all lower case).
3. Enter the following command:
get system central-management
You should observe the following output:
Note: The serial-number is the FortiManager serial number, which is non-configurable
from the FortiGate device. This setting is set by FortiManager, which is managing this
device. In this case, it is empty because we have not yet added the device to
FortiManager.
4. Close the PuTTY session.
Enabling Real-Time Debug
You will now enable real-time debug on FortiManager to view the real-time status when adding
FortiGate to FortiManager.
To enable real-time debug
1. In the Local-Windows VM, open PuTTY and connect to the FORTIMANAGER saved session (connect over SSH).
2. At the login prompt, enter the username admin (all lower case).
3. Enter the following commands:
diagnose debug reset
diagnose debug disable
diagnose debug application depmanager 0
diagnose debug application depmanager 255
diagnose debug enable
It is recommended that you place this PuTTY session and the FortiManager GUI side by side, so that you can view the real-time debug output while adding FortiGate from the FortiManager GUI.
Note that the output is very verbose and you might have to scroll up or down to review the information. Alternatively, you can save the log file on your desktop and open it using a text editor, such as Notepad++.
Adding Local-FortiGate Using the Add Device Wizard
Now, you will add Local-FortiGate to FortiManager in My_ADOM using the Add Device wizard, and
you will apply the System Template created earlier.
To add the Local-FortiGate using the Add Device wizard
1. From the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with username student and password fortinet.
2. Click Device Manager.
3. Click Add Device.
4. In the Add Device wizard, make sure the Discover radio button is selected and configure the following:
Field        Value
IP Address   10.200.1.1 (This is the port1 IP address of FortiGate)
Username     admin
5. Leave other settings at their default values, and click Next.
6. Review the discovered device information and compare it with the output from the FortiManager PuTTY session.
7. You should observe the following:
8. Press the up arrow on your keyboard and select these commands to disable the debug. Alternatively, you can enter these commands manually.
diagnose debug application depmanager 0
diagnose debug disable
diagnose debug reset
9. Close the PuTTY session.
10. Go back to FortiManager GUI and click Next.
11. Ensure the Name is set to Local-FortiGate.
12. Select default from the drop down for System Template.
13. Click Next.
14. Click Import Now.
15. Click Next.
16. In the policy package import page, complete the following:
A. Make sure the policy package name is configured as Local-FortiGate.
B. Accept the policy and object import defaults.
C. Click Next.
17. On the conflict page, click View Conflict.
This will show you the details of configuration difference between FortiGate and FortiManager.
18. Leave the default setting of FortiGate in the Use Value From column.
19. Click Next.
Note the objects identified. They should be identified as duplicates, new, or updating existing objects on FortiManager.
20. Click Next.
21. Click Download Import Report.
22. Open the import report in a text editor such as Notepad++.
Note: The download import report is only available on this page. As a best practice, it is
recommended that you download the report and review the important information, such as
which device is imported into which ADOM, as well as the name of the policy package
created along with objects imported.
FortiManager imports new objects, and updates existing objects based on the option
chosen on the conflict page. The duplicate objects are skipped as FortiManager does not
import duplicate entries into the ADOM database.
23. Close the text editor.
24. Click Finish.
The Local-FortiGate device should be now listed in Device Manager.
25. In the Local-Windows VM, open PuTTY and connect to the LOCAL-FORTIGATE saved session (connect over SSH).
26. At the login prompt, enter the username admin (all lower case).
27. Enter the following command:
get system central-management
You should observe the following output:
Note: The serial-number is the serial number of FortiManager, which is non-configurable from
FortiGate. This has been set by FortiManager, which is managing this device. Also, the
FortiManager IP address is set.
28. Close the PuTTY session.
Viewing the Local-FortiGate Policy Package
Because you imported the policies and dependent objects for Local-FortiGate, you will now view the policy package that was created for Local-FortiGate.
To view the Local-FortiGate policy package
1. Still in the FortiManager GUI, click Device Manager and select Policy & Objects.
2. You will notice that a policy package named Local-FortiGate was created when you imported
firewall policies from your Local-FortiGate.
3. Click Object Configurations at the top.
4. Click Interface.
5. Click the expand arrow next to any interface to view the mapping from the ADOM interface to the device-level interface, which was created when the device was added. These interfaces are used in policy packages to map firewall policies to interfaces on the firewall.
Importing System Template Settings From FortiGate
Now that Local-FortiGate is added to FortiManager, you will import the NTP server settings from Local-FortiGate. These server settings can then be applied to multiple FortiGate devices through this system template.
To import System Template settings from FortiGate
1. Still in the FortiManager GUI, click Policy & Objects and select Device Manager.
2. Click Provisioning Templates.
3. Click default.
4. Click Toggle Widgets and click NTP Server.
5. Click the import icon.
6. In the Import NTP Server window, select Local-FortiGate.
7. Click OK.
Adding Remote-FortiGate Using the Add Device Wizard
You will now add Remote-FortiGate to FortiManager in My_ADOM using the Add Device Wizard.
You will apply the System Template to Remote-FortiGate.
Also, you will import the policies and objects for Remote-FortiGate later in the training.
To add Remote-FortiGate using the Add Device wizard
1. Still logged in to the FortiManager GUI, click Device & Groups.
2. Click Add Device.
3. In the Add Device wizard, make sure the Discover radio button is selected, and configure the following:
Field        Value
IP Address   10.200.3.1 (This is the port4 IP address of FortiGate)
Username     admin
4. Leave other settings at default and click Next.
5. Click Next.
6. Select default from the System Template drop-down menu.
7. Click Next.
8. Click Import Later.
The Remote-FortiGate device should be now listed in Device Manager.
Stop and Think
Why is the FortiGate Policy Package Status showing Never Installed?
Discussion
When Import Later is chosen in the Add Device wizard, or an unregistered device is
added into FortiManager, the policy package status will show Never Installed because
there is still no policy package created for the newly added FortiGate.
You will run the Import Policy wizard later in training.
If you add an unregistered device, then you need to run the Import Policy wizard to
import the device’s firewall policy into a new policy package.
LAB 4—Device Level Configuration and
Installation
In this lab, you will explore the common operations performed using the device manager, such as
configuring device-level changes, checking managed device statuses, installing configuration
changes, and keeping the managed device in sync with the device database on FortiManager.
Objectives
• Understand managed device statuses on FortiManager
• Use the status information in the Configuration and Installation Status widget
• Make and install configuration changes from Device Manager
• Make configuration changes locally on FortiGate and verify that they are retrieved automatically by FortiManager
• Identify entries in the Revision History and the management action that created the new revision
• Install a large number of managed device changes using scripts
Time to Complete
Estimated: 70 minutes
1 Understanding Managed Device Status
In this exercise, you will check and learn about the status of FortiGate devices on FortiManager.
Depending on the configuration changes, a FortiGate device can have a different Sync Status and Device Settings Status.
• The Sync Status indicates whether the FortiGate configuration matches the latest revision history or not.
• The Device Settings Status indicates whether the FortiGate configuration stored in the device-level database matches the latest running revision history or not.
To check managed device status
1. From the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241
with username student and password fortinet.
2. Click Device Manager.
Stop and Think
Why does Config Status for the FortiGate devices show the status Modified?
Discussion
In the last exercise, you applied System Templates to both FortiGate devices. The
configuration in the FortiManager device-level database is now different from the latest
revision history, which changes the Config Status to Modified. The provisioning template
changes need to be installed on the FortiGate devices to return the devices to the
synchronized state.
3. Click Local-FortiGate in the left-hand menu.
4. Under the Configuration and Installation Status widget, check Device Settings Status; it
should appear as Modified.
Stop and Think
If the Device Settings Status is Modified, why is the FortiGate Sync Status still showing
as Synchronized?
Discussion
The Device Setting Status is the status between the device-level database configuration
and the latest revision history. Applying System Templates changes the device level
database configuration, so it goes to the Modified state.
The Sync Status is the status between the latest revision history and the actual FortiGate
configuration. Because the latest revision history is the same as the FortiGate configuration, the
Sync Status is in the Synchronized state.
5. In Local-Windows, open PuTTY and connect to the FORTIMANAGER saved session (connect
over SSH).
6. At the login prompt, enter the username admin (all lower case).
7. Enter the following command to display the device statuses through the CLI.
diagnose dvm device list
The output will show the serial number of the device, the connecting IP address of the device, the
firmware version, the name of the device on FortiManager, and the ADOM in which the device is
added.
Note: You will see FortiAnalyzer as an unregistered device because FortiAnalyzer is configured to
query FortiManager for the threat intelligence database (a feature on the FortiAnalyzer). This is
configured for the FortiAnalyzer labs, which use the same lab environment.
8. Examine the STATUS row of the diagnose dvm device list output for Local-FortiGate and
Remote-FortiGate.
Data            What does it mean?                                      Actions to take
db: Modified    Device-level configuration changes were made from       The FortiManager administrator can install the
                FortiManager.                                           configuration changes on the managed device to
                                                                        return it to the unmodified state.
conf: in sync   The latest revision history is in sync with the
                FortiGate configuration.
cond: pending   Configuration changes need to be installed.             The FortiManager administrator can install the
                                                                        configuration changes on the managed device to
                                                                        return it to the unmodified state.
conn: up        The FGFM tunnel between FortiManager and FortiGate
                is up.
9. Close the PuTTY session.
2 Install System Template Changes to Managed Devices
In the previous lab, you added the FortiGate devices to FortiManager and applied System
Templates.
In this exercise, you will install the System Template changes on both FortiGate devices and then
log in to each FortiGate locally to view those changes.
Installing System Templates
You will now install the default system template changes to Local-FortiGate and Remote-FortiGate
using the Install Wizard.
To install System Template
1. From the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241
with username student and password fortinet.
2. Click Device Manager.
3. Click Install > Install Wizard.
4. In the Install Wizard, make sure Install Device Settings (only) is selected and click Next.
5. On the Device Settings page, ensure both FortiGate devices are selected.
6. Click Next.
7. Click Preview for the Local-FortiGate.
This will show you the changes that will be installed (applied) to the FortiGate device.
8. Click Cancel on the Install Preview page.
Optionally, you can also select Preview for Remote-FortiGate.
9. Make sure both FortiGate devices are selected.
10. Click Install.
11. Once the installation is successful, click the View Log icon.
This is the install log, which shows exactly what was installed on the managed device.
An example for Local-FortiGate is shown here.
12. Click Close.
13. Click Finish.
Checking Managed Device Status
You will check the managed device status after the install.
To check managed device status
1. Still in the FortiManager GUI, check the Config Status.
It should now appear as Synchronized.
2. Click Local-FortiGate from the left-hand menu.
3. Under Configuration and Installation Status, you should observe that Device Settings Status
is in the Unmodified state.
This means that FortiGate's device-level database configuration is the same as the latest revision
history.
4. In Local-Windows, open PuTTY and connect to the FORTIMANAGER saved session (connect
over SSH).
5. At the login prompt, enter the username admin (all lower case).
6. Enter the following command to display device statuses through the CLI.
diagnose dvm device list
You should observe the following in the output for Local-FortiGate and Remote-FortiGate.
The db status is not modified, which means that FortiGate's device-level database
configuration matches the latest running revision history. The dm: installed field
means that the install was performed from FortiManager.
7. Enter the following command to display the FGFM tunnel statuses.
diagnose fgfm session-list
This command can be used to view the connecting IP of managed devices, the link-level address
assigned by FortiManager, and the uptime of the FGFM tunnel between FortiGate and
FortiManager.
8. Close the PuTTY session.
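The STATUS fields you examined in this exercise and the previous one (db, conf, cond, dm, conn) lend themselves to automated drift checks. The following is an added example, not part of the lab guide: it parses those fields from a constructed sample of diagnose dvm device list output (the column layout of the sample is an assumption; the status keys and values are the ones the lab describes) and maps each device to the action the status table calls for.

```python
"""Parse the per-device STATUS lines of `diagnose dvm device list` and turn
them into an operator verdict. Added example, not from the lab guide. The
sample output is constructed: the column layout is an assumption, while the
status keys (db, conf, cond, dm, conn) are the ones the lab walks through."""
from typing import Dict, List, Optional

# Constructed sample: Local-FortiGate after the System Template install
# (db not modified, dm installed), Remote-FortiGate with an uninstalled
# device-database change, and a third device that is both drifted and offline.
SAMPLE_OUTPUT = """\
--- There are currently 3 devices/vdoms managed ---
OID    SN                NAME              ADOM
160    FGVM01LAB0000001  Local-FortiGate   My_ADOM
       |- STATUS: db: not modified; conf: in sync; cond: OK; dm: installed; conn: up
161    FGVM01LAB0000002  Remote-FortiGate  My_ADOM
       |- STATUS: db: modified; conf: in sync; cond: pending; dm: retrieved; conn: up
162    FGVM01LAB0000003  Branch-FortiGate  My_ADOM
       |- STATUS: db: modified; conf: out of sync; cond: pending; dm: installed; conn: down
"""

STATUS_PREFIX = "|- STATUS:"


def parse_device_list(output: str) -> List[Dict[str, str]]:
    """Return one dict per device: identity columns plus lower-cased status keys."""
    devices: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("---") or line.startswith("OID"):
            continue  # banner and column header carry no per-device state
        if line.startswith(STATUS_PREFIX):
            if current is None:
                raise ValueError("STATUS line without a preceding device row")
            # "db: modified; conf: in sync; ..." -> key/value pairs
            for pair in line[len(STATUS_PREFIX):].split(";"):
                key, _, value = pair.partition(":")
                if key.strip():
                    current[key.strip()] = value.strip().lower()
            continue
        oid, sn, name, adom = line.split()
        current = {"oid": oid, "sn": sn, "name": name, "adom": adom}
        devices.append(current)
    return devices


def assess(dev: Dict[str, str]) -> List[str]:
    """Map the status fields to the actions the lab's status table describes."""
    findings: List[str] = []
    if dev.get("conn") != "up":
        findings.append("FGFM tunnel is down: installs and auto update cannot reach the device")
    if dev.get("conf") != "in sync":
        findings.append("running configuration differs from the latest revision: check Revision History")
    if dev.get("db") == "modified" or dev.get("cond") == "pending":
        findings.append("uninstalled device-level changes: preview and install from Device Manager")
    return findings


def report(output: str) -> Dict[str, List[str]]:
    """Device name -> findings; an empty list means the device needs no action."""
    return {dev["name"]: assess(dev) for dev in parse_device_list(output)}


if __name__ == "__main__":
    for name, findings in report(SAMPLE_OUTPUT).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```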
Viewing Pushed Configuration on the FortiGate
From FortiManager, you have installed the System Templates configuration on both FortiGate
devices.
You will now log in to the Local-FortiGate and Remote-FortiGate GUIs to view the configuration
installed from FortiManager.
To view a pushed configuration from the Local-FortiGate GUI
1. In Local-Windows, open a new browser tab and log in as admin to the Local-FortiGate GUI at
10.0.1.254.
2. Click Login Read-Only.
Note: When you connect locally to a device managed by FortiManager, you will be
presented with a warning message because the device is centrally managed. Only when it
is absolutely necessary should you use the read-write option locally on FortiGate. An
example might be when no FortiManager administrator is available to make the configuration
changes and install them on the managed FortiGate devices.
3. Go to Log & Report > Log Settings.
You will notice the Remote Logging and Archiving settings are the same as the default system
template entries.
4. Log out of FortiGate.
To view a pushed configuration through the Remote-FortiGate GUI
1. In Local-Windows, open a new browser tab and log in as admin to the Remote-FortiGate GUI
at 10.200.3.1.
2. Click Login Read-Only.
3. Go to Log & Report > Log Settings.
You will notice that the Remote Logging and Archiving settings are the same as the default
system template entries.
4. Log out of FortiGate.
3 Auto Update and Revision History
By default, configuration changes made directly on FortiGate are automatically updated (retrieved) by
FortiManager, which is reflected in the Revision History. If required, the automatic update behavior
can be disabled from the FortiManager CLI under config system admin settings. This allows
the FortiManager administrator to accept or refuse the configuration changes.
In this lab, you will make configuration changes directly on the FortiGate devices, and verify that the
configuration changes are retrieved automatically by FortiManager.
You will also review the configuration revision histories of FortiGate devices, created by auto update
and by other actions.
Making Direct Changes on Local-FortiGate
You will now make direct changes on Local-FortiGate.
To make direct changes on Local-FortiGate
1. In Local-Windows, open a new browser tab and log in as admin to the Local-FortiGate GUI at
10.0.1.254.
2. Click Login Read-Write.
Note: When you connect locally to a device managed by FortiManager, you will be
presented with a warning message because the device is centrally managed. Only when it
is absolutely necessary should you use the read-write option locally on FortiGate. An
example might be when no FortiManager administrator is available to make the configuration
changes and install them on the managed FortiGate devices.
3. Click Yes.
4. Go to Log & Report > Log Settings.
5. Under Local Log settings, disable Enable Local Reports.
6. Click Apply.
7. Log out of FortiGate.
Making Direct Changes on Remote-FortiGate
You will now make direct changes on Remote-FortiGate, repeating the same steps you followed for Local-FortiGate.
To make direct changes on the Remote-FortiGate
1. In Local-Windows, open a new browser tab and log in as admin to the Remote-FortiGate GUI at
10.200.3.1.
2. Click Login Read-Write.
3. Click Yes.
4. Go to Log & Report > Log Settings.
5. Under Local Log settings, disable Enable Local Reports.
6. Click Apply.
7. Log out of FortiGate.
Viewing Auto Update and Revision History
Now that you have made configuration changes locally on both FortiGate devices, you will view the
auto update status on FortiManager and the configuration revision histories created by
FortiManager.
To view auto update
1. From the Local-Windows VM, open a browser and log into the FortiManager GUI at 10.0.1.241
with username student and password fortinet.
2. Click Device Manager.
3. You will notice that Config Status is now in the Auto-Update state for both FortiGate devices.
This confirms that the changes made locally were backed up to FortiManager.
To view Revision History
1. Click Local-FortiGate.
2. In the Configuration and Installation Status widget, click the Revision History icon.
You should observe three configurations, though you may have more if you have made further
changes:
• Your first Installation status should display as Retrieved, indicating that this configuration was taken from the device’s running configuration when it was added to FortiManager.
• Your second Installation status should display as Installed, indicating that these changes were made by FortiManager to the managed device.
• Your third Installation status should display as Auto Updated, indicating that these changes were made locally on FortiGate and were automatically updated in FortiManager.
Viewing the Install Log
When the installation is done from FortiManager, the install log will show the name of the administrator
who made this change along with the commands sent by FortiManager. If an installation fails, the
install log is useful because it shows what commands were sent to, and accepted by, the managed
device as well as the commands that were not accepted.
To view the install log
1. Still on the Configuration Revision History page, select ID 2 and then click View Install Log.
You should see the CLI commands sent by FortiManager (which are identical to the installation
previewed earlier) and the FortiGate response.
2. Click Close.
Viewing Auto Update, Revision History, and Install Log for Remote-FortiGate (Optional)
Optionally, you can also view changes made to Remote-FortiGate by following the steps from Viewing
Auto Update and Revision History.
To view auto update, revision history, and the install log for Remote-FortiGate (Optional)
1. Still logged in to the FortiManager GUI, click Remote-FortiGate and follow the steps from Viewing
Auto Update and Revision History.
For Remote-FortiGate, you will see the NTP settings pushed by FortiManager based on the
imported NTP settings in the default system template from Local-FortiGate.
Log View
Because FortiAnalyzer features are enabled on FortiManager, and both FortiGate devices are configured
to send logs to FortiManager, you can view the logs for the managed devices in the Log
View pane.
To view logs for Local-FortiGate
1. Still logged into the FortiManager GUI, click Device Manager and select Log View.
You should see the traffic logs generated by the FortiGate device.
Task Manager
Task Manager provides the status of the tasks you have performed and can be used for
troubleshooting various types of issues, such as adding devices, importing policies, and installing changes from
FortiManager.
You will now check the entries in Task Manager.
To check Task Manager entries
1. Log out from the FortiManager GUI and log back into the FortiManager GUI as admin.
2. Click root.
3. Click System Settings.
4. Click Task Monitor on the left-hand menu.
This shows the tasks performed by all the users.
5. Click the drop-down menu for the Install Device entry and click the View Installation
Log icon for Local-FortiGate or Remote-FortiGate.
This shows the installation log that corresponds to the installation you performed earlier.
6. Click Close.
4 Configuring Device Level Changes
The device-level settings of the managed FortiGate can be viewed and configured from the Device
Manager pane. Most of these settings have a one-to-one correlation with the device configuration that
you would see if you logged in locally, on each FortiGate’s GUI or CLI.
You will now make configuration changes for the managed FortiGate from the Device Manager pane.
Changing Managed FortiGate Interface Settings
If you try to change the managed FortiGate interface used for communicating with FortiManager, it will
warn you that this may break the communication between FortiManager and FortiGate. If there is a
communication disruption between FortiManager and FortiGate during an install, FortiManager will
attempt to recover the connection, but this will revert the installation changes.
You will now change the Remote-FortiGate port4 interface Administrative Access setting that is
used by Remote-FortiGate to communicate with the FortiManager.
To change managed FortiGate interface settings
1. From the Local-Windows VM, open a browser and log into the FortiManager GUI at 10.0.1.241
with username student and password fortinet.
2. Click Device Manager.
3. Click Remote-FortiGate.
4. Click System : Dashboard and then click Interface.
5. Right-click port4 and click Edit.
6. Under Administrative Access, uncheck TELNET.
7. Click OK.
When you edit the interface with the IP address that is used by FortiManager to reach the
managed device(s), FortiManager provides this warning message:
8. Click OK.
9. Click Managed FortiGates.
Stop and Think
Why is Config Status showing the Modified (recent auto-updated) state for Remote-FortiGate?
Discussion
The Modified status means that the device-level database change has been made to
Remote-FortiGate. You changed the interface configuration.
The status recent auto-updated in parentheses means that the previous configuration
changes were made locally on FortiGate and were auto updated to FortiManager. You
made changes to the logging settings locally in the previous exercise.
Filtering Devices Based on Their Statuses
FortiManager allows you to filter devices based on their current status. This is very helpful when you
are managing a large number of devices in the same ADOM. Based on the status, the FortiManager
administrator can take appropriate action.
You can filter device statuses based on:
• Connection
• Device Config (Device database status)
• Policy Package (ADOM database status)
You will now filter devices based on their device config and policy package status.
To filter devices based on their status
1. Still logged in to the FortiManager GUI, click Managed FortiGates.
2. Click the drop-down arrow on Devices (Device Config Modified) and click Modified.
It will show only Remote-FortiGate in the Managed FortiGates list.
3. Click the drop-down arrow on Devices (Policy Package Modified) and click Imported.
This time it will show only Local-FortiGate in the Managed FortiGates list.
Configuring the Administrator Account
You will now create a new administrator account for Local-FortiGate on FortiManager.
To configure the administrator account
1. Still in the FortiManager GUI, click Local-FortiGate.
2. Click Display Options.
3. Click Customize.
4. In the System category, click Administrators.
5. Click OK.
6. Click System : Dashboard and then click Administrators.
7. Click Create New.
8. Configure the following:
Field               Value
Administrator       training
Type                Regular
Password            fortinet
Confirm Password    fortinet
Admin Profile       prof_admin
Your configuration should look like this:
9. Leave all other settings at their default values and click OK.
10. Click Managed FortiGates.
You will notice that Config Status has changed to Modified for Local-FortiGate.
This is because you made a device-level configuration change for Local-FortiGate by configuring
the administrator account.
5 Installing Configuration Changes
You have now made configuration changes to the managed devices from FortiManager:
• For Remote-FortiGate, you changed the administrative access on port4
• For Local-FortiGate, you configured a new administrator
You will now install these changes to the managed device using the Install wizard, and view the
installation history. You will also compare the differences in the revision history configurations using
the Revision Diff feature.
Viewing the Install Preview
You will first preview the install changes from the Configuration and Installation Status widget.
To view the install preview
1. From the Local-Windows VM, open a browser and log into the FortiManager GUI at 10.0.1.241
with username student and password fortinet.
2. Click Device Manager.
3. Click Remote-FortiGate.
4. Under the Configuration and Installation Status widget, click Preview.
This shows the device-level configuration changes that will be installed on the managed device
when FortiManager performs the device-level install.
Note: The install Preview under the Configuration and Installation Status widget only
shows the preview for the device-level changes, not the changes related to policies and
objects.
5. Click OK.
Optionally, you can follow this same procedure to view the install Preview for Local-FortiGate.
Install Wizard
You will install these changes to the managed devices using the Install wizard.
To install configuration changes to FortiGates using the Install Wizard
1. Still logged into the FortiManager GUI, click Install Wizard.
2. Select Install Device Settings (only).
3. Click Next.
4. On the Device Settings page, ensure both FortiGate devices are selected.
5. Click Next.
6. Click Preview for Local-FortiGate.
This will show you the changes that will be installed (applied) to the FortiGate device.
7. Click Cancel on the Install Preview page.
Optionally, you can also check the Preview for Remote-FortiGate.
8. Make sure both FortiGate devices are selected.
9. Click Install.
10. Once the install is successful, click the View Log icon.
This is the install log, which shows exactly what was installed on the managed device.
11. Click Close on the Install Log page.
12. Click Finish.
13. Click Managed FortiGates.
The Config Status should now be in the Synchronized state.
Revision Diff
After every retrieve, auto update, and install operation, FortiManager stores the FortiGate’s
configuration checksum output with the revision history. This is how the out-of-sync condition is
calculated.
The Revision Diff is a useful feature that can be used to compare a revision against the previous
revision, a specific revision, or the factory default configuration. For the output, you can
choose to show the full configuration with differences, show only the differences, or capture the differences
to a script.
You will now compare the differences between the latest revision and the previous revision.
To view Revision Diff
1. Still logged into the FortiManager GUI, click Local-FortiGate.
2. Under the Configuration and Installation Status widget, click the Revision History icon.
3. Click ID 4 and click Revision Diff.
4. Select Show Diff Only.
5. Click Apply.
It shows the difference in configuration between the previous version and the current running version.
Remember, you configured the administrator account for Local-FortiGate.
6. Click Close.
7. Click ID 4 again and click Revision Diff.
8. Select Capture Diff to a Script.
9. Click Apply.
10. Select Save File.
11. Click OK.
Note the folder where it is downloaded.
12. Click Close.
13. Click Close.
14. Click the download icon on Firefox.
15. Right-click on the file name and click Open Containing Folder.
16. Open the file using Notepad++.
This shows you the exact CLI syntax of the changes. Through the script feature on FortiManager, this
script can be used to configure other FortiGate devices that require the same settings.
17. Close Notepad++.
Caution: This step demonstrates capturing a diff in the form of a script. Make sure the captured
script is valid for other FortiGate devices before applying it to them. If required, you can
edit the script before applying it to other FortiGate devices.
For example, if you configured a static route along with the administrator setting, the
static route settings might not be valid for other FortiGate devices.
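The caution above is easy to automate before a captured script is reused. The following is an added example, not part of the lab guide: it splits a FortiOS CLI script into its top-level config blocks and flags the ones that normally carry per-device values. The sample script is constructed (the training administrator from this lab plus a static route and an interface address that would not be valid elsewhere), the password hash is a labelled placeholder, and the list of device-specific paths is an assumption to be extended for your own estate.

```python
"""Audit a captured Revision Diff script before reusing it on other
FortiGates. Added example, not from the lab guide. Splits a FortiOS CLI
script into top-level `config ... end` blocks and flags those whose values
are normally unique to one device, so they can be removed or edited first."""
from typing import List, Tuple

# Constructed sample: the lab's administrator change plus two blocks that
# should not be replayed unchanged on another device.
SAMPLE_SCRIPT = """\
config system admin
    edit "training"
        set accprofile "prof_admin"
        set password ENC PLACEHOLDER-NOT-A-REAL-HASH
    next
end
config router static
    edit 1
        set gateway 10.200.3.254
        set device "port4"
    next
end
config system interface
    edit "port4"
        set ip 10.200.3.1 255.255.255.0
        set allowaccess ping https ssh
    next
end
"""

# Assumption: config paths whose values are normally per-device. Matched on
# the path prefix ("router static" also matches "router static6").
DEVICE_SPECIFIC_PATHS = (
    "router static",
    "system interface",
    "system ha",
    "system central-management",
)


def split_blocks(script: str) -> List[Tuple[str, List[str]]]:
    """Return (path, lines) for each top-level config block. Nested
    config/end pairs (e.g. `config ipv6` inside an interface) are tracked
    with a depth counter so they do not terminate the outer block."""
    blocks: List[Tuple[str, List[str]]] = []
    path = None
    depth = 0
    buf: List[str] = []
    for line in script.splitlines():
        stripped = line.strip()
        if path is None:
            if stripped.startswith("config "):
                path = stripped[len("config "):]
                depth = 1
                buf = [line]
            elif stripped:
                raise ValueError(f"text outside a config block: {stripped!r}")
            continue
        buf.append(line)
        if stripped.startswith("config "):
            depth += 1
        elif stripped == "end":
            depth -= 1
            if depth == 0:
                blocks.append((path, buf))
                path = None
    if path is not None:
        raise ValueError(f"unterminated block: config {path}")
    return blocks


def is_device_specific(path: str) -> bool:
    return any(path == p or path.startswith(p) for p in DEVICE_SPECIFIC_PATHS)


def audit(script: str) -> Tuple[List[str], str]:
    """Return the flagged block paths and a portable script with those
    blocks removed, ready for review before import into Scripts."""
    flagged: List[str] = []
    kept: List[str] = []
    for path, lines in split_blocks(script):
        if is_device_specific(path):
            flagged.append(path)
        else:
            kept.extend(lines)
    portable = "\n".join(kept) + ("\n" if kept else "")
    return flagged, portable


if __name__ == "__main__":
    flagged, portable = audit(SAMPLE_SCRIPT)
    print("Review before reuse:", ", ".join(flagged) or "nothing flagged")
    print(portable)
```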
6 Scripts
A script can make many changes to a managed device and is useful for bulk configuration changes
and consistency across multiple managed devices. You can configure and install scripts from
FortiManager to managed devices.
Scripts can be run on:
• Device Database (default)
• Policy Package, ADOM Database
• Remote FortiGate Directly (via CLI)
An install must be performed if a script is run on the Device Database or on the Policy Package, ADOM
Database.
In this exercise, you will make many configuration changes by using the script feature and installing
them on the managed devices.
Enabling the Script Feature
Scripts are disabled by default. They can be enabled from Display Options in Admin Settings and
configured from Device Manager.
To enable the Script feature
1. From the Local-Windows VM, open a browser and log in as admin to the FortiManager GUI at
10.0.1.241.
2. Select root.
3. Select System Settings.
4. Go to Admin > Admin Settings.
5. Click the dropdown menu for Display Options on GUI and enable Show Scripts.
6. Click Apply.
7. Log out of FortiManager.
Configuring Scripts
You will now configure scripts for the managed devices.
To configure scripts
1. From the Local-Windows VM, open a browser and log into the FortiManager GUI at 10.0.1.241
with username student and password fortinet.
2. Click Device Manager.
3. Click Scripts.
4. Click More and click Import.
5. In the Script Name field enter Local.
6. Click Browse.
7. Browse to Desktop > Resources > FortiManager > Device-Config and select LocalScript.
8. Click the dropdown menu for Advanced Filters.
9. Click Device and select Local-FortiGate from the dropdown menu.
10. Click OK.
11. Click More and click Import.
12. In the Script Name field enter Remote.
13. Click Browse.
14. Browse to Desktop > Resources > FortiManager > Device-Config and select Remote-Script.
15. Click on the dropdown menu for Advanced Filters.
16. Click Device and select Remote-FortiGate from the dropdown menu.
17. Click OK.
Running and Installing Scripts
Because the scripts target the device database, you will first run them against the device
database and then install the resulting changes on the managed devices.
To run scripts
1. Still logged in to the FortiManager GUI, right-click Local and click Run Script Now.
2. Select Local-FortiGate and click Run Now at the bottom.
3. Click View Details and then click the View Script Execution History icon.
Scroll to the bottom of the script execution window to check that the script ran successfully on the
device database.
Note: If needed, you can also view the script execution history later from the
Configuration and Installation Status widget or from the Task Monitor.
4. Click Close.
5. Click Close.
6. Right-click on Remote and click Run Script Now.
7. Select Remote-FortiGate and click Run Now at the bottom of the page.
8. Click Close.
To install scripts
1. Still logged in to the FortiManager GUI, click Device & Groups.
Stop and Think
Why is the Config Status showing Modified for both FortiGate devices?
Why is the Policy Package Status for Local-FortiGate showing Out of Sync, but the
Policy Package Status for Remote-FortiGate remains unchanged as Never Installed?
Discussion
The scripts contain configuration changes related to device-level settings and policies.
The Config Status is Modified for both FortiGate devices because of device-level
changes.
As the Local-FortiGate policy package was imported when you added FortiGate,
FortiManager detects policy-level changes and marks the Local-FortiGate Policy Package
Status as Out of Sync.
For Remote-FortiGate, the policy package was never imported; hence FortiManager
cannot compare the differences in the policies.
2. Select Local-FortiGate and Remote-FortiGate and click Install, and then click Install Config.
3. Click OK.
The installation will be successful on both FortiGate devices.
Note: The Install Config option does not offer an install preview or an install log. Use it only
if you are absolutely sure about the changes you are about to install.
If needed, you can view the installation history later from the Configuration and
Installation Status widget or from the Task Monitor.
4. Click Finish.
LAB 5—Policy & Objects
In this lab, you will explore the common operations of the Policy & Objects pane in order to centrally
manage FortiGate firewall policies, and to manage shared and dynamic objects.
Objectives
 Import firewall policies and objects from a managed device and review the imported policy packages
 Create ADOM revisions
 Use workflow mode to configure and send changes for approval
 Find duplicate objects and merge them, and delete used objects
 Create and assign header policies to policy packages in an ADOM
 Create a policy package shared across multiple devices
 Create shared objects and dynamic objects with mapping rules
 Identify the different policy and object interface mapping types and configure zone mappings
 Install a policy package and device settings from the Policy & Objects pane
Time to Complete
Estimated: 70 minutes
1 Import Policy and ADOM Revisions
In the previous lab, you installed scripts that contain device-level and policy configuration changes.
Because the scripts were run on the device database, the revision history contains these changes, but
the policy packages are not updated automatically and must be imported manually.
In this exercise, you will import the policies using the Import Policy wizard so that the policy
packages reflect these changes.
Additionally, you will create an ADOM revision, which is a snapshot of all the policy and object
configurations for an ADOM.
Import Policy
You will now import policies and objects for both managed FortiGate devices.
To import policies
1. From the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241
with username student and password fortinet.
2. Click Device Manager.
3. Right-click the Local-FortiGate and click Import Policy.
4. Click Next.
5. Rename Policy Package Name to Local-FortiGate-1.
6. Select Import All Objects.
7. Click Next.
8. Click Next on the conflict page.
Review the objects to be imported.
9. Click Next.
10. Click Download Import Report.
11. Select Open with and click OK to review the download import report.
12. Review the download import report and close the notepad.
13. Click Finish.
Note: Download Import Report is available only on this page; make
sure to download the import report before clicking Finish.
14. Right-click the Remote-FortiGate and click Import Policy.
15. Click Next until you reach the Finish page.
16. Click Finish.
17. Click Device Manager and click Policy & Objects.
18. Compare the policies in the Local-FortiGate and Local-FortiGate-1 policy packages by clicking
IPv4 Policy on each policy package.
Policy package: Local-FortiGate
Policy package: Local-FortiGate-1
Creating ADOM Revisions
An ADOM revision creates a snapshot of the policy and object configuration for the ADOM. Now that
you have imported policies and objects from both FortiGate devices, you will create ADOM
revisions. Revisions are stored locally on FortiManager and are useful for comparing the differences
between two revisions, or for reverting to a previous revision.
To create an ADOM Revision
1. Still logged in to the FortiManager GUI, click ADOM Revisions.
2. Click Create New and name the revision: Initial revision.
3. Enable Lock this revision from auto-deletion.
4. Click OK.
You will notice the lock icon, name of the administrator who created it, and the date and time.
5. Click Close.
2 Workflow Mode
Workflow mode is used to control the creation, configuration, and installation of policies and objects. It
helps to ensure that all changes are reviewed and approved before they are applied.
Workflow mode is similar to ADOM locking (workspace mode), but it also allows administrators to
submit their configuration changes for approval. The configuration changes are not committed to the
FortiManager database until the approval administrator approves them, and only approved
configuration changes can be installed on the managed devices.
In this exercise, you will enable workflow mode and then make configuration changes related to
policies and objects. You will submit them for approval and, once they are approved, install them.
To enable workflow mode and configure approval permissions
1. On the Local-Windows VM, open PuTTY and connect to the FORTIMANAGER saved session
(connect over SSH).
2. At the login prompt, enter the username admin (all lower case).
3. Enter the following commands to enable workflow mode:
config system global
set workspace-mode workflow
end
Note: Before enabling workflow mode, make sure all FortiManager administrators have been
notified to save their work on FortiManager, because enabling workflow mode terminates
all management sessions.
4. Enter the following commands to configure approval permissions.
This configures the admin administrator as the approver for My_ADOM.
config system workflow approval-matrix
edit My_ADOM
config approver
edit 1
set member admin
next
end
end
5. Close the PuTTY session.
To configure policy and objects and send them for approval
1. From the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241
with username student and password fortinet.
2. Click Lock at the top to lock the ADOM.
3. Click Policy & Objects.
4. Click Sessions > Session List.
5. Click Create New.
6. In the Session Name field, type Training.
7. Click OK.
8. Click Object Configurations on the top.
9. Click Tools > Find Duplicate Objects.
10. Click Firewall Address.
You will notice that LAN and LOCAL_SUBNET have the same configuration. It will also show
you other objects that have the same values.
11. Click Merge for the LAN and LOCAL_SUBNET firewall address.
12. In the Merge all to drop-down list, select LOCAL_SUBNET.
13. Click Merge.
14. Click Close.
Note: By merging duplicate objects, you can reduce the size of the object database, which can
otherwise overwhelm the FortiManager administrator with a large number of objects imported
from different FortiGate devices in the same ADOM. You can also delete unused objects from
the same Tools menu if they will not be needed in the future.
15. Click Firewall Objects > Addresses.
16. Right-click the LINUX address object and click Delete.
17. Click OK.
18. Click the Where Used icon.
This will show you where the object is referenced.
It is referenced in the Local-FortiGate-1 policy package in the firewall policy 1 as destination
address.
19. Click Close.
20. Click Delete Anyway.
Caution: FortiManager allows you to delete a used object. Be careful before deleting a used
object, because every reference to it is replaced by the none address 0.0.0.0/255.255.255.225.
This means that any traffic matching that specific firewall policy will be blocked if there is no
catch-all or shadowed policy below it. In this case, the destination address of firewall
policy 1 in the Local-FortiGate-1 policy package is replaced by none after the LINUX
address object is deleted.
You will test this later in this exercise.
21. Click Save.
22. Click Sessions and click Submit.
23. Click OK.
The ADOM will unlock itself after submitting the changes.
Note: Your changes are still not saved in the FortiManager database because they must
be approved by the approval administrator.
To approve the changes
1. Log out of FortiManager and log back in as admin.
2. Click My_ADOM.
3. Click Lock.
4. Click Policy & Objects.
5. Click Sessions > Session List.
Note: The session list shows the name of the request, the user who made it, the date, and the
approval status.
The approver administrator can approve, reject, or discard a session, or view the differences
between two revisions. The approver administrator can also create a session that is sent to a
different approval administrator, or can self-approve, depending on the workflow approval
matrix.
6. Select ID 1 and click Approve.
7. Click OK.
8. Click Continue Without Session.
9. Click Unlock.
10. Log out of FortiManager.
Note: If an administrator who holds ADOM locks logs out of FortiManager, all ADOMs locked
by that administrator are unlocked.
Caution: Always log out of FortiManager gracefully when ADOM locking (workspace or
workflow mode) is enabled.
If a session is not closed gracefully (for example, a PC crash or a closed browser window),
FortiManager does not close the administrator session until the session times out or is
deleted, and the locked ADOM remains locked.
The session then has to be deleted manually through the GUI or the CLI.
In the GUI: System Settings > System Information widget > Current Administrators >
Admin Session List.
In the CLI:
To install configuration changes after approval
1. From the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241
with username student and password fortinet.
2. Click Lock at the top.
3. Click Policy & Objects.
4. Click Local-FortiGate-1 > IPv4 Policy.
You will notice LINUX is replaced by none.
5. On the Local-Windows VM, open a command prompt in Windows and run a continuous ping to
the LINUX address object.
ping 10.200.1.254 -t
You will notice that the requests time out, because the firewall policy currently installed on
Local-FortiGate has LINUX as its destination and DENY as its action.
Screenshot from the Local-FortiGate.
6. Return to the FortiManager GUI and click Install > Install Wizard.
7. Make sure the following are selected:
 Install Policy Package and Device Settings
 Policy Package: Local-FortiGate-1
8. Click Next.
9. Click Next.
10. Click Preview.
11. Press Ctrl+F and search for the following:
 config firewall policy
 LINUX
You will notice that FortiManager replaces the destination address of firewall policy 1 with none and
deletes the LINUX address object.
FortiManager also deletes any other unused objects. This is normal: when you install a
policy package for the first time, FortiManager deletes all unused objects.
12. Click Cancel in the Install Preview pop-up window.
13. Click Install.
14. After the install is successful, click View Log to view the installation history.
15. Click Close.
16. Click Finish.
17. Go back to the command prompt where you initiated the ping to LINUX.
You now get replies because there is a catch-all policy below the BLOCK_LINUX policy. After the
installation, LINUX is replaced by none, so the BLOCK_LINUX policy no longer matches the traffic
and it is processed by the seq#2 firewall policy instead.
18. Close the command prompt.
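The two effects you just observed (merging the duplicate LAN/LOCAL_SUBNET objects, and a deleted-but-used object being replaced by none so that a deny policy silently stops matching) are modelled in the added example below. It is illustrative Python written for this guide, not FortiManager code: the object names and the BLOCK_LINUX policy are from the lab, while the catch-all policy name Allow_All, the /32 mask on LINUX, and the simplified first-match evaluation are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

NONE_ADDRESS = "none"  # FortiManager substitutes this for a deleted object


class ObjectDatabase:
    """Toy model of an ADOM object database plus the policies that reference it.

    Constructed for illustration; names mirror the lab (LAN, LOCAL_SUBNET, LINUX,
    BLOCK_LINUX) but the behaviour is a simplification of FortiManager's.
    """

    def __init__(self):
        self.addresses = {}   # name -> ipaddress network
        self.policies = []    # ordered list; first match wins

    def add_address(self, name, cidr):
        self.addresses[name] = ipaddress.ip_network(cidr)

    def add_policy(self, name, dst, action):
        self.policies.append({"name": name, "dst": dst, "action": action})

    def find_duplicates(self):
        """Group address names by identical value, like Tools > Find Duplicate Objects."""
        by_value = defaultdict(list)
        for name, net in self.addresses.items():
            by_value[net].append(name)
        return [sorted(names) for names in by_value.values() if len(names) > 1]

    def merge(self, names, keep):
        """Merge duplicate objects into `keep`, rewriting every policy reference."""
        if keep not in names:
            raise ValueError(f"{keep} is not one of the duplicates {names}")
        for name in names:
            if name == keep:
                continue
            for pol in self.policies:
                if pol["dst"] == name:
                    pol["dst"] = keep
            del self.addresses[name]

    def where_used(self, name):
        """Names of the policies that reference the object (the Where Used view)."""
        return [p["name"] for p in self.policies if p["dst"] == name]

    def delete(self, name, force=False):
        """Delete an address. A referenced object is only removed with force=True
        ("Delete Anyway"), and its references become the 'none' address."""
        refs = self.where_used(name)
        if refs and not force:
            raise ValueError(f"{name} is used by {refs}; pass force=True to delete anyway")
        for pol in self.policies:
            if pol["dst"] == name:
                pol["dst"] = NONE_ADDRESS
        del self.addresses[name]

    def evaluate(self, dst_ip):
        """First-match lookup; 'none' matches nothing, implicit deny at the end."""
        ip = ipaddress.ip_address(dst_ip)
        for pol in self.policies:
            if pol["dst"] == NONE_ADDRESS:
                continue
            if ip in self.addresses[pol["dst"]]:
                return pol["name"], pol["action"]
        return "implicit", "deny"


def build_lab_package():
    db = ObjectDatabase()
    db.add_address("LAN", "10.0.1.0/24")
    db.add_address("LOCAL_SUBNET", "10.0.1.0/24")   # same value as LAN: a duplicate
    db.add_address("LINUX", "10.200.1.254/32")      # /32 mask is an assumption
    db.add_address("all", "0.0.0.0/0")
    db.add_policy("BLOCK_LINUX", "LINUX", "deny")   # seq#1
    db.add_policy("Allow_All", "all", "accept")     # seq#2, the catch-all (name assumed)
    return db


def demo():
    """Returns (duplicates, where LINUX was used, verdict before delete, verdict after)."""
    db = build_lab_package()
    dups = db.find_duplicates()                 # [['LAN', 'LOCAL_SUBNET']]
    db.merge(dups[0], keep="LOCAL_SUBNET")
    before = db.evaluate("10.200.1.254")        # ('BLOCK_LINUX', 'deny')
    used_by = db.where_used("LINUX")            # ['BLOCK_LINUX']
    db.delete("LINUX", force=True)              # "Delete Anyway"
    after = db.evaluate("10.200.1.254")         # ('Allow_All', 'accept')
    return dups, used_by, before, after


if __name__ == "__main__":
    print(demo())
```

The point to take away is the `after` verdict: nothing in the package was edited to allow the traffic, yet the deny rule stopped applying because its destination became none. A Where Used check before deletion, as in step 18, is the control that prevents this.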
To disable workflow mode
1. On the Local-Windows VM, open PuTTY and connect to the FORTIMANAGER saved session
(connect over SSH).
2. At the login prompt, enter the username admin (all lower case).
3. Enter the following commands (answer y at the confirmation prompt):
config system global
set workspace-mode disabled
y
end
All administrators are logged out of the FortiManager GUI when the change is saved, so before
disabling workspace mode, tell all administrators logged in to FortiManager to save their
work.
3 Creating and Assigning Header Policies in the Global ADOM
Header and footer policies envelop the policies in each individual ADOM. Header and
footer policies can be created once in the Global ADOM and assigned to multiple policy packages in
different ADOMs.
In this exercise, you will create a header policy in the global ADOM and assign it to
the managed devices in My_ADOM. Then you will install the header policy on the managed devices.
To create a header policy
1. On the Local-Windows VM, open a browser and log in as admin to the FortiManager GUI at
10.0.1.241.
2. Select Global Database.
3. Click IPv4 Header Policy.
4. Click Create New.
5. Configure the following:
Field                  Value
Name                   Global_Policy
Incoming Interface     any
Outgoing Interface     any
Source Address         gall
Destination Address    gall
Service                gPING
Schedule               galways
Action                 Deny
Your configuration should look like this:
6. Click OK.
To assign a header policy
1. Click Assignment.
2. Click Add ADOM.
3. Choose the following:
Field                                         Value
ADOMs                                         My_ADOM
Specify ADOM to policy package to exclude     Check the box and select the following:
                                              default
                                              Local-FortiGate
4. Click OK.
5. Click Assign.
The header policy is assigned to the Local-FortiGate-1 and Remote-FortiGate policy packages.
To install a header policy
1. Still logged in to the FortiManager GUI, click ADOM: Global Database.
2. Click My_ADOM.
3. Click Local-FortiGate-1 > IPv4 Header Policy to view the assigned header policy.
Optionally, you can perform the previous step to view the header policy in the Remote-FortiGate
policy package.
4. Click Local-FortiGate-1 policy package.
5. Click Install > Re-install Policy.
6. Click Preview.
The configuration changes that will be installed on the FortiGate are displayed. In this case, the header
policy and its related objects will be installed.
7. Click Cancel in the Install Preview pop-up window.
8. Click Next.
9. Click Finish.
10. Click the Remote-FortiGate policy package.
11. Click Install > Re-install Policy.
12. Click Next.
13. Click Finish.
14. Log in to the Local-FortiGate (https://10.0.1.254) and Remote-FortiGate (https://10.200.3.1) with
the username of admin.
15. Click Login Read-Only.
16. Go to Policy & Objects > IPv4 Policy.
You should observe the header policy at the top.
17. Log out of both FortiGate devices.
18. On the Local-Windows VM, open a command prompt and try to ping an external host (for example,
4.2.2.2). You should observe that the ping fails, because the header policy was configured to
block ping.
19. Close the command prompt.
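The assignment you just made (a global header policy applied to every package in My_ADOM except those on the exclusion list) and the ping result in step 18 are modelled in the added example below. It is illustrative Python written for this guide, not FortiManager code: Global_Policy, the package names and the exclusion list come from the lab; the per-package Allow_Out policy, the host address 10.0.1.10 and the first-match evaluation are constructed stand-ins for the imported FortiGate policies.

```python
import ipaddress

# Constructed model of the lab's global header policy: deny PING, any to any.
GLOBAL_HEADER = [
    {"name": "Global_Policy", "src": "0.0.0.0/0", "dst": "0.0.0.0/0",
     "service": {"PING"}, "action": "deny"},
]

# Each package's own policies are simplified stand-ins (constructed) for the
# policies the lab imported from the FortiGate devices.
ADOM_PACKAGES = {
    "default": [],
    "Local-FortiGate": [{"name": "Allow_Out", "src": "10.0.1.0/24", "dst": "0.0.0.0/0",
                         "service": {"ALL"}, "action": "accept"}],
    "Local-FortiGate-1": [{"name": "Allow_Out", "src": "10.0.1.0/24", "dst": "0.0.0.0/0",
                           "service": {"ALL"}, "action": "accept"}],
    "Remote-FortiGate": [{"name": "Allow_Out", "src": "10.0.2.0/24", "dst": "0.0.0.0/0",
                          "service": {"ALL"}, "action": "accept"}],
}

# Packages excluded in the lab's assignment dialog.
EXCLUDED_PACKAGES = {"default", "Local-FortiGate"}


def assign_header(packages, header, excluded):
    """Effective policy list per package: header policies first, then the package's
    own policies. Excluded packages keep only their own policies."""
    return {
        name: (list(own) if name in excluded else list(header) + list(own))
        for name, own in packages.items()
    }


def evaluate(policies, src_ip, dst_ip, service):
    """First-match lookup over an ordered policy list, implicit deny at the end."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for pol in policies:
        if (src in ipaddress.ip_network(pol["src"])
                and dst in ipaddress.ip_network(pol["dst"])
                and ("ALL" in pol["service"] or service in pol["service"])):
            return pol["name"], pol["action"]
    return "implicit", "deny"


def outcomes(service, src_ip, dst_ip="4.2.2.2"):
    """Verdict of each package in the ADOM for one flow, after header assignment."""
    effective = assign_header(ADOM_PACKAGES, GLOBAL_HEADER, EXCLUDED_PACKAGES)
    return {pkg: evaluate(pols, src_ip, dst_ip, service) for pkg, pols in effective.items()}


if __name__ == "__main__":
    # Constructed host 10.0.1.10 behind Local-FortiGate pinging 4.2.2.2 (step 18).
    for pkg, verdict in outcomes("PING", "10.0.1.10").items():
        print(f"{pkg:20} {verdict}")
```

Because a header policy always sits above the package's own policies, an accept rule inside the package cannot override it; only an exclusion in the assignment (as for Local-FortiGate here) or a change to the header itself does. Services the header does not name (HTTPS in the test below) fall through to the package's own policies as before.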
4 Creating a Common Policy for Multiple Devices
You will create a single policy package that can be shared by multiple devices, instead of the current
configuration of one policy package per device. You will use the installation target setting
of a firewall policy to target specific policies at specific FortiGate devices.
Dynamic Mappings - Address Objects
First, you will configure dynamic mapping for objects. Dynamic mapping maps a single logical object to a
unique definition per device.
To create dynamic mappings for address objects
1. On the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241
with username student and password fortinet.
2. Click Policy & Objects.
3. Click Object Configuration.
4. Click Firewall Objects > Addresses.
5. Click Create New > Address.
6. Configure the following:
Field          Value
Address Name   Internal
Type           IP/Netmask
IP/Netmask     10.0.0.0/8
7. For the Per-Device Mapping, configure the following:
 Turn on Per-Device Mapping.
 Click Add.
 Select Local-FortiGate for the Mapped Device.
 Type 10.0.1.0/24 for IP/NetMask.
 Click OK.
 Click Add again.
 Select Remote-FortiGate for the Mapped Device.
 Type 10.0.2.0/24 for IP/NetMask.
 Click OK.
Your configuration should look like this:
8. Click OK.
Dynamic Mappings - Interfaces and Zones
You will now create dynamic mappings for interfaces and zones.
To create dynamic mappings for interfaces and zones
1. Still in the FortiManager GUI, click Zone/Interfaces > Interface.
2. Click Create New > Dynamic Interface.
3. In the Name field type Inside.
4. Turn ON the Per-Device Mapping switch and click Add.
5. Configure the following:
 Select Local-FortiGate for the Mapped Device.
 Select port3 for the Device Interface.
 Click OK.
Note: You will get the following warning message: "The new mapping will delete the old
mapping, are you sure you want to continue". This is because the interfaces were dynamically
mapped when the devices were added to FortiManager. FortiManager will now delete
the old mapping and map these interfaces to the newly created dynamic interface instead.
 Click OK in the warning pop-up window.
 Click Add again.
 Select Remote-FortiGate for the Mapped Device.
 Select port6 for the Device Interface.
 Click OK.
 Click OK in the warning message.
Your configuration should look like this:
6. Click OK.
7. Still in the FortiManager GUI, click Create New > Zone.
8. In the Name field type Outside.
9. Turn ON the Per-Device Mapping switch and click Add.
10. Configure the following:
 Select Local-FortiGate for the Mapped Device.
 Select port1, port2 for the Device Interface.
 Enable Block intra-zone traffic.
 Click OK.
 Click OK in the warning pop-up window.
 Click Add again.
 Select Remote-FortiGate for the Mapped Device.
 Select port4, port5 for the Device Interface.
 Enable Block intra-zone traffic.
 Click OK.
 Click OK in the warning message.
Your configuration should look like this:
11. Click OK.
You have now created a dynamic interface and zone.
Creating a Common Policy Package
FortiManager can target a common policy package at multiple devices.
So far you have created the dynamic mappings for objects and interfaces. Now you will create a
common policy package that targets both Local-FortiGate and Remote-FortiGate.
To create a common policy package
1. Still in the FortiManager GUI, click Policy Package.
2. Click Policy Package > New Package.
3. Name the new policy package as Training and click OK.
4. Click Training > IPv4 Header Policy.
You will notice that the global header policy was assigned to it automatically. This is because in the
previous exercise you assigned My_ADOM in the global policy assignment and, by default, when
a new policy package is created in that ADOM, the global policies are assigned to the new package.
5. Log out and log in again with the admin user in FortiManager.
6. Click Global Database.
7. Click Assignment.
8. Select My_ADOM and click Edit ADOM.
9. Add Training to the policy package exclude list.
10. Click OK.
11. Click Assign.
12. Log out of the FortiManager GUI, and log in again with username student and password
fortinet.
13. Click Policy & Objects.
14. Click Training.
You will notice that the Training policy package no longer has a header policy.
15. Click IPv4 Policy and click Create New.
16. Configure the following:
Field                  Value
Name                   For_Local
Incoming Interface     Inside
Outgoing Interface     Outside
Source Address         Internal
Source User            student
Destination Address    all
Service                HTTP, HTTPS, ALL_ICMP
Schedule               always
Action                 Accept
NAT                    Enable the checkbox
Security Profiles      Enable
                       Use Standard Security Profiles
AntiVirus Profile      default
17. Click OK.
18. Click Create New to create a second policy and configure the following:
Field                  Value
Name                   For_All
Incoming Interface     Inside
Outgoing Interface     Outside
Source Address         Internal
Destination Address    all
Service                SSH, DNS
Schedule               always
Action                 Accept
NAT                    Enable the checkbox
19. Click OK.
Your configuration should look like this:
Configuring an Installation Target and Install On
A policy package can be targeted at multiple devices. When you configure an installation target, by
default all policies in the policy package are targeted at all selected FortiGate devices. You can further
restrict individual policies in the package to specific FortiGate devices by using the
Install On feature, which lists, in the Install On column, the FortiGate devices that each policy is
installed on.
To configure an installation target and install on
1. Still logged in to the FortiManager GUI, click Installation Targets for the Training policy package.
2. Click Add.
3. Select Local-FortiGate, Remote-FortiGate and click OK.
The Policy Package Status column shows the name of the currently active policy packages for
these FortiGate devices.
4. Click IPv4 Policy for the Training policy package.
5. Click Column Settings and click Install On.
Once added, you can drag the Install On column to where you want it positioned in the column
list.
6. For the For_Local policy, click Installation Targets.
7. Select Local-FortiGate.
8. Click OK.
Your policies should look similar to the following:
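What FortiManager does at install time with the mappings and targets you just configured (resolve Internal, Inside and Outside per device, and drop policies whose Install On list does not include the device) is modelled in the added example below. It is illustrative Python written for this guide, not FortiManager code: all object names, mappings, interface assignments and the two Training policies are taken from this exercise; the rendering logic, the `render`/`render_zones` function names and the MappingError check are assumptions made for the example.

```python
# Constructed model of the lab's Training package and its dynamic mappings;
# an added example, not FortiManager code.
DEVICES = ["Local-FortiGate", "Remote-FortiGate"]

# address object -> (default value, {device: per-device mapping})
ADDRESS_MAPPINGS = {
    "Internal": ("10.0.0.0/8", {"Local-FortiGate": "10.0.1.0/24",
                                "Remote-FortiGate": "10.0.2.0/24"}),
    "all": ("0.0.0.0/0", {}),
}

# dynamic interface / zone -> {device: member ports}
INTERFACE_MAPPINGS = {
    "Inside": {"Local-FortiGate": ["port3"], "Remote-FortiGate": ["port6"]},
    "Outside": {"Local-FortiGate": ["port1", "port2"],
                "Remote-FortiGate": ["port4", "port5"]},
}
# names in INTERFACE_MAPPINGS that are zones rather than single interfaces
ZONES = {"Outside": {"block_intrazone": True}}

TRAINING_PACKAGE = {
    "targets": DEVICES,
    "policies": [
        {"name": "For_Local", "srcintf": "Inside", "dstintf": "Outside",
         "srcaddr": "Internal", "dstaddr": "all",
         "service": ["HTTP", "HTTPS", "ALL_ICMP"],
         "install_on": ["Local-FortiGate"]},            # restricted via Install On
        {"name": "For_All", "srcintf": "Inside", "dstintf": "Outside",
         "srcaddr": "Internal", "dstaddr": "all",
         "service": ["SSH", "DNS"],
         "install_on": None},                           # None = all installation targets
    ],
}


class MappingError(Exception):
    """Raised when a device has no mapping for a dynamic object it would need."""


def resolve_address(name, device):
    default, per_device = ADDRESS_MAPPINGS[name]
    return per_device.get(device, default)


def resolve_interface(name, device):
    """A zone keeps its logical name on the device (the zone itself is created there);
    a plain dynamic interface becomes the mapped physical port."""
    try:
        members = INTERFACE_MAPPINGS[name][device]
    except KeyError:
        raise MappingError(f"{name} has no per-device mapping on {device}") from None
    return name if name in ZONES else members[0]


def render(package, device):
    """The policies that would land on `device` after resolving mappings and Install On."""
    if device not in package["targets"]:
        raise MappingError(f"{device} is not an installation target of this package")
    rendered = []
    for pol in package["policies"]:
        if pol["install_on"] is not None and device not in pol["install_on"]:
            continue
        rendered.append({
            "name": pol["name"],
            "srcintf": resolve_interface(pol["srcintf"], device),
            "dstintf": resolve_interface(pol["dstintf"], device),
            "srcaddr": resolve_address(pol["srcaddr"], device),
            "dstaddr": resolve_address(pol["dstaddr"], device),
            "service": list(pol["service"]),
        })
    return rendered


def render_zones(device):
    """Zones created on the device, with their member ports and intra-zone setting."""
    return {z: {"interfaces": INTERFACE_MAPPINGS[z][device], **opts}
            for z, opts in ZONES.items()}


if __name__ == "__main__":
    for dev in DEVICES:
        print(dev, render_zones(dev))
        for p in render(TRAINING_PACKAGE, dev):
            print("  ", p)
```

Running it reproduces what you will verify on the devices in the next procedure: Local-FortiGate receives both policies with port3 and the Outside zone, Remote-FortiGate receives only For_All with port6, and Internal is 10.0.1.0/24 on one and 10.0.2.0/24 on the other. The MappingError path is the case to remember when a real install fails: every dynamic interface used by a policy must have a mapping on every device the policy is installed on.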
To install a policy package
1. Click Install > Install Wizard.
2. Make sure the following are selected:
 Install Policy Package & Device Settings
 Policy Package: Training
3. Enable Create Revision and name the revision Common Package.
4. Click Next.
5. Make sure both FortiGate devices are selected and click Next.
6. Select both FortiGate devices.
If you hover your cursor over the Status column of a FortiGate device, it shows the
name of the previously installed policy package.
Optionally, you can preview the changes before attempting the installation.
7. Make sure both FortiGate devices are selected and click Install.
8. Once the installation is successful, you can click on View Log to see the installation history for
each FortiGate.
9. Click Close in the Install Log window.
10. Click Finish.
To view configuration changes locally on FortiGate
1. Log in to the Local-FortiGate (https://10.0.1.254) with the username admin.
2. Click Login Read-Only.
3. Go to Policy & Objects > IPv4 Policy.
You should observe the following:
 There are two firewall policies, based on the Training policy package.
 The Inside interface is translated to port3 locally on the FortiGate, and the Outside zone is
created locally on the FortiGate, as per the dynamic mapping of interfaces and zones.
4. Click Addresses.
The Internal address is translated to 10.0.1.0/24, as per the dynamic mapping of address objects.
5. Click Network > Interfaces.
An Outside zone is created with the interfaces port1 and port2, as per the dynamic mapping of
interfaces and zones.
6. Log out of FortiGate.
7. Try to log in to Remote-FortiGate (https://10.200.3.1).
Why are you getting an authentication page?
This is because of the identity policy on the Local-FortiGate: all outgoing HTTP and HTTPS
traffic has to be authenticated on the Local-FortiGate device.
8. When prompted for firewall authentication, enter the username student and the password
fortinet.
9. Once authenticated, log in to the Remote-FortiGate using admin as the username and no
password.
10. Click Login read-only.
11. Go to Policy & Objects > IPv4 Policy.
12. You should observe the following:
 There is only one firewall policy, based on the Install On targets of the Training policy package.
 The Inside interface is translated to port6 locally on the FortiGate, and the Outside zone is
created locally on the FortiGate, as per the dynamic mapping of interfaces and zones.
Optionally, you can check the interface and zone under Network, and Internal address object
under Addresses.
To review ADOM revisions
1. Return to the FortiManager GUI and under Policy & Objects, click ADOM revisions.
2. Right-click Common Package and click Lock.
3. Right-click Initial revision and click Delete.
4. Click OK.
5. Click Close.
You can use this revision to revert changes made to the policy packages and objects in your
ADOM. Remember that this does not revert Device Manager level settings.
LAB 6—VPN
In this lab, you will configure a site-to-site IPsec VPN between Local-FortiGate and Remote-FortiGate
using Device Manager.
Objectives
 Create an IPsec VPN using Device Manager.
Time to Complete
Estimated: 20 minutes
1 Configuring IPsec VPN
In this exercise, you will configure a site-to-site IPsec VPN between the managed FortiGate devices.
Configuring IPsec Phase I and Phase II
Now, you will configure IPsec phase I and phase II for Local-FortiGate.
To configure IPsec Phase I and Phase II for Local-FortiGate
1. On the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241
with username student and password fortinet.
2. Click Device Manager.
3. Click Tools > Global Display Options.
4. Select the following check boxes:
 IPsec Phase 1
 IPsec Phase 2
 IPsec VPN
5. Click OK.
6. Click Local-FortiGate.
7. Click Display Options.
8. Select Inherit From ADOM.
9. Click OK.
10. Click VPN > IPsec Phase 1.
11. Click Create New.
12. Configure the following values:
Field                   Value
Name                    To_Remote
Remote Gateway          Static IP Address
IP Address              10.200.3.1
Local Interface         port1
Mode                    Main
Authentication Method   Pre-shared Key
Pre-shared Key          fortinet
                        (Tip: delete all dots before typing the pre-shared key)
Peer Options            Any peer id
13. Click Advanced... (XAUTH, NAT-traversal, DPD).
14. Configure the following values:
Field                   Value
P1 Proposal             Encryption: AES128
                        Authentication: SHA256
                        (Delete all other entries)
Diffie-Hellman Groups   5
Dead Peer Detection     On Idle
15. Leave all other settings at their default values, and then, at the bottom of the page, click OK.
16. Click VPN > IPsec Phase 2.
17. Click Create New.
18. Configure the following values:
Field         Value
Tunnel Name   To_Rem_P2
Phase 1       To_Remote
19. Leave all other settings at their default values, and then, at the bottom of the page, click OK.
Configuring Static Route
Now, you will configure the static route for the IPsec VPN.
To configure Static Route on Local-FortiGate
1. In the FortiManager GUI, click Router > Static Route.
2. Click Create New > Static Route.
3. Configure the following values:
Field         Value
Destination   Subnet
              10.0.2.0/24
Device        To_Remote
4. Leave all other settings at their default values, and then, at the bottom of the page, click OK.
Configuring IPsec Phase I and Phase II
Now, you will configure IPsec phase I and phase II for Remote-FortiGate.
To configure IPsec Phase I and Phase II for Remote-FortiGate
1. In the FortiManager GUI, click Remote-FortiGate.
2. Click VPN > IPsec Phase 1.
3. Click Create New.
4. Configure the following values:
Field                   Value
Name                    To_Local
Remote Gateway          Static IP Address
IP Address              10.200.1.1
Local Interface         port4
Mode                    Main
Authentication Method   Pre-shared Key
Pre-shared Key          fortinet
                        (Tip: delete all dots before typing the pre-shared key)
Peer Options            Any peer id
5. Click Advanced... (XAUTH, NAT-traversal, DPD).
6. Configure the following values:
Field                   Value
P1 Proposal             Encryption: AES128
                        Authentication: SHA256
                        (Delete all other entries)
Diffie-Hellman Groups   5
Dead Peer Detection     On Idle
7. Leave all other settings at their default values, and then, at the bottom of the page, click OK.
8. Click VPN > IPsec Phase 2.
9. Click Create New.
10. Configure the following values:
Field         Value
Tunnel Name   To_Local_P2
Phase 1       To_Local
11. Leave all other settings at their default values, and then, at the bottom of the page, click OK.
Configuring Static Route
Now, you will configure the static route for the IPsec VPN.
To configure Static Route on Remote-FortiGate
1. In the FortiManager GUI, click Router > Static Route.
2. Click Create New > Static Route.
3. Configure the following values:
Field         Value
Destination   Subnet
              10.0.1.0/24
Device        To_Local
4. Leave all other settings at their default values, and then, at the bottom of the page, click OK.
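Before installing, it is worth checking that the two phase 1 definitions, phase 2 definitions and static routes actually mirror each other, because a mismatch on any one of them (remote gateway, proposal, DH group, pre-shared key, route destination) is the usual reason a site-to-site tunnel fails to come up or to carry traffic. The added example below is illustrative Python written for this guide, not a FortiManager feature: every value is taken from the tables in this exercise (the `local_ip` of each side is the address the other side entered as its remote gateway), while the `check_peer_pair` function, the dictionary layout and the deliberately broken copy in `mismatch_demo` are constructed for the example.

```python
import copy

# Constructed from the values entered in this lab. "local_ip" is the address of the
# interface the tunnel terminates on, which the peer enters as its remote gateway.
LOCAL_FGT = {
    "device": "Local-FortiGate",
    "lan": "10.0.1.0/24",
    "phase1": {"name": "To_Remote", "local_interface": "port1", "local_ip": "10.200.1.1",
               "remote_gw": "10.200.3.1", "mode": "main",
               "proposals": {("AES128", "SHA256")}, "dh_groups": {5},
               "psk": "fortinet", "dpd": "on-idle"},
    "phase2": {"name": "To_Rem_P2", "phase1": "To_Remote"},
    "route": {"dst": "10.0.2.0/24", "device": "To_Remote"},
}

REMOTE_FGT = {
    "device": "Remote-FortiGate",
    "lan": "10.0.2.0/24",
    "phase1": {"name": "To_Local", "local_interface": "port4", "local_ip": "10.200.3.1",
               "remote_gw": "10.200.1.1", "mode": "main",
               "proposals": {("AES128", "SHA256")}, "dh_groups": {5},
               "psk": "fortinet", "dpd": "on-idle"},
    "phase2": {"name": "To_Local_P2", "phase1": "To_Local"},
    "route": {"dst": "10.0.1.0/24", "device": "To_Local"},
}


def check_peer_pair(a, b):
    """Return a list of mismatches between the two sides of a site-to-site tunnel.
    An empty list means both sides agree on everything this check covers."""
    problems = []
    pa, pb = a["phase1"], b["phase1"]

    # Each side's remote gateway must be the address the other side terminates on.
    for x, y in ((a, b), (b, a)):
        if x["phase1"]["remote_gw"] != y["phase1"]["local_ip"]:
            problems.append(f"{x['device']}: remote gateway {x['phase1']['remote_gw']} "
                            f"is not {y['device']}'s local address {y['phase1']['local_ip']}")

    # Phase 1 needs a common proposal and DH group, and the same mode and PSK.
    if not pa["proposals"] & pb["proposals"]:
        problems.append("no common phase 1 proposal")
    if not pa["dh_groups"] & pb["dh_groups"]:
        problems.append("no common Diffie-Hellman group")
    if pa["mode"] != pb["mode"]:
        problems.append("phase 1 mode mismatch")
    if pa["psk"] != pb["psk"]:
        problems.append("pre-shared keys differ")

    # Per side: phase 2 must hang off this phase 1, and the static route must send the
    # peer's LAN into the tunnel interface that phase 1 creates.
    for side, peer in ((a, b), (b, a)):
        if side["phase2"]["phase1"] != side["phase1"]["name"]:
            problems.append(f"{side['device']}: phase 2 is bound to the wrong phase 1")
        if side["route"]["device"] != side["phase1"]["name"]:
            problems.append(f"{side['device']}: static route does not use the tunnel interface")
        if side["route"]["dst"] != peer["lan"]:
            problems.append(f"{side['device']}: static route destination is not the peer LAN")
    return problems


def lab_check():
    """The two sides as configured in this exercise."""
    return check_peer_pair(LOCAL_FGT, REMOTE_FGT)


def mismatch_demo():
    """Constructed failure: the remote side was given DH group 14 instead of 5."""
    broken = copy.deepcopy(REMOTE_FGT)
    broken["phase1"]["dh_groups"] = {14}
    return check_peer_pair(LOCAL_FGT, broken)


if __name__ == "__main__":
    print("lab configuration:", lab_check() or "consistent")
    print("with DH mismatch: ", mismatch_demo())
```

The check is the same one you would do by eye against the two tables above; scripting it matters once there are more than two sites. Note that `mismatch_demo` reports exactly one problem, which is what a DH group typo looks like in practice: everything else agrees, yet phase 1 never completes.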
Installing device-level configuration changes
You have now configured IPsec phase 1, phase 2, and static routes on both FortiGate devices.
Next, you will install these device-level configuration changes on both FortiGate devices.
To install device level configuration changes
1. In the FortiManager GUI, click Install Wizard.
2. Select Install Device Settings (only), and then click Next.
3. Make sure both devices are selected, and then click Next.
4. Make sure both devices are selected in Preview window, and then click Install.
5. Optionally, after the installation is successful, you can view Install Log.
6. Click Finish.
Creating Dynamic Interface Mapping
Now, you will create a dynamic interface mapping for the virtual IPsec VPN interfaces, so that you can
create the IPsec firewall policies.
To create dynamic interface mapping
1. In the FortiManager GUI, click Device Manager > Policy & Objects.
2. Click Object Configuration.
3. Click Zone/Interface > Interface.
4. Click Create New > Dynamic Interface.
5. In the Name field, type VPN.
6. Turn on the Per-Device Mapping switch, and then click Add.
7. Configure the following:
   • In the Mapped Device drop-down list, select Local-FortiGate.
   • In the Device Interface drop-down list, select To_Remote.
   • Click OK.
   • Click Add.
   • In the Mapped Device drop-down list, select Remote-FortiGate.
   • In the Device Interface drop-down list, select To_Local.
   • Click OK.
Your configuration should look like the following example:
8. Click OK.
Creating firewall policies for IPsec VPN
Now, you will create IPsec VPN firewall policies.
To create firewall policies for IPsec VPN
1. In the FortiManager GUI, click Policy Packages.
2. For the Training policy package, click IPv4 Policy.
3. Click Create New to create a new firewall policy.
4. Configure the following values:
   Field                  Value
   Name                   To_IPsec
   Incoming Interface     Inside
   Outgoing Interface     VPN
   Source Address         Internal
   Destination Address    all
   Service                ALL
   Schedule               always
   Action                 Accept
5. Leave all other settings at their default values, and then click OK.
6. Click Create New to create a second new firewall policy.
7. Configure the following values:
   Field                  Value
   Name                   From_IPsec
   Incoming Interface     VPN
   Outgoing Interface     Inside
   Source Address         all
   Destination Address    Internal
   Service                ALL
   Schedule               always
   Action                 Accept
8. Leave all other settings at their default values, and then click OK.
Your configuration should look like the following example:
Installing Training Policy Package
You have configured IPsec firewall policies in the Training policy package.
Now, you will install the Training policy package on the managed FortiGate devices.
To install the Training policy package
1. In the FortiManager GUI, for the Training policy package, click IPv4 Policy.
2. Click Install > Re-install Policy.
3. Click Next.
4. After the installation is successful, click Finish.
Testing IPsec VPN
Now, you will test the IPsec VPN by pinging the remote subnet IP address from Local-Windows.
To test IPsec VPN
1. On the Local-Windows VM, open a command prompt and ping the remote host 10.0.2.10.
ping 10.0.2.10
2. In the FortiManager GUI, click Policy & Objects > Device Manager.
3. Click Local-FortiGate.
4. Click Query > IPsec VPN.
You will see the IPsec tunnel is up between the FortiGate devices.
LAB 7—Diagnostics and Troubleshooting
In this lab, you will perform diagnostics and troubleshooting when installing device-level settings and
importing firewall policies.
Objectives
• Diagnose and troubleshoot issues when installing System Templates
• Diagnose and troubleshoot issues when importing policy packages
Time to Complete
Estimated: 30 minutes
Prerequisites
Before beginning this lab, you must restore the configuration files to the Local-FortiGate, Remote-FortiGate, and FortiManager.
To restore the FortiGate configuration file on both FortiGate devices
1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254
with the username admin.
2. Click Login Read-Write.
3. Click Yes.
4. Go to Dashboard, and then, in the System Information widget, click Restore.
5. Select the option to restore from Local PC, and then click Upload.
6. Browse to Desktop > Resources > FortiManager > Troubleshooting and select Localdiag.conf.
7. Click OK.
8. Click OK.
The system reboots.
9. After the reboot finishes (you must wait until Local-FortiGate reboots), open a new browser and
log in as admin to the Remote-FortiGate GUI at 10.200.3.1.
10. Repeat the same procedure to restore the system configuration for the Remote-FortiGate but, in
the Troubleshooting folder, select Remote-diag.conf.
11. After the reboot finishes, close both browser tabs.
To restore the FortiManager configuration
1. On the Local-Windows VM, open a browser and log in as admin to the FortiManager GUI at
10.0.1.241.
2. Select root.
3. Select System Settings.
4. In the System Information widget, in the System Configuration field, click the Restore icon.
5. Click Browse.
6. Browse to Desktop > Resources > FortiManager > Troubleshooting and select FMGdiag.dat
There is no password to enter because the file was not encrypted.
7. Leave the Overwrite current IP, routing and HA settings check box selected.
8. Click OK.
FortiManager reboots.
9. Wait for the FortiManager to reboot, and then log in as admin to the FortiManager GUI at
10.0.1.241.
10. Click root.
11. Click System Settings.
12. Go to Advanced > Advanced Settings.
13. For Offline Mode, select Disable.
14. Click Apply.
You will see that the Offline Mode message disappears. At this point, FortiManager can establish
a management connection with the managed devices.
15. Log out of FortiManager.
1 Diagnose and Troubleshoot Install Issues
FortiManager is preconfigured as follows:
• ADOMs are enabled
• ADOM1 is configured for FortiGate firmware version 5.4
• Local-FortiGate and Remote-FortiGate are managed by FortiManager in ADOM1. The Remote-FortiGate policy package is not imported.
• The default system template is configured with only the DNS widget
• The default system template is applied to the Local-FortiGate and Remote-FortiGate
In this exercise, you will diagnose and troubleshoot issues that occur when installing configuration
changes to Local-FortiGate and Remote-FortiGate.
Viewing the Installation Preview
Now, you will view the installation preview to learn what device-level configuration changes will be
installed on the FortiGate devices. The objective of this exercise is to verify and troubleshoot to make
sure the correct configuration settings will be installed on the FortiGate devices.
To view the installation preview for Local-FortiGate
1. On the Local-Windows VM, open a browser and log in to the FortiManager GUI at
10.0.1.241 with username student and password fortinet.
2. Click Device Manager.
3. Click Local-FortiGate.
4. In the Configuration and Installation Status widget, click Preview.
Notice that default is listed as the System Template, which is pre-assigned to Local-FortiGate.
The installation preview generates.
5. Write down the DNS settings that will be installed on the Local-FortiGate.
Primary: ______________________
Secondary: ______________________
6. Click OK.
To view the installation preview for Remote-FortiGate
1. In the FortiManager GUI, click Remote-FortiGate.
2. In the Configuration and Installation Status widget, click Preview.
3. Write down the DNS settings that will be installed on the Remote-FortiGate.
Primary: ______________________
Secondary: ______________________
4. Click OK.
Stop and Think
The system template was configured with two DNS entries. Why did the Local-FortiGate preview show only one DNS entry, while the Remote-FortiGate preview showed two?
Discussion
The Local-FortiGate was preconfigured with the primary DNS entry 208.91.112.53. When the Local-FortiGate was added to FortiManager, that setting was automatically retrieved into the device-level database. To verify, check the current revision history and search for config system dns.
If you cannot work it out from the preview alone, follow the procedure below to view the system template and DNS settings in the CLI.
Viewing the DNS Configuration
Now, you will view the DNS configuration for the configured system template and compare it with the
device-level database settings for DNS (for both Local-FortiGate and Remote-FortiGate). You will view
the configuration in the CLI.
To view the system template configuration in the CLI
1. On the Local-Windows VM, open PuTTY, and then connect to the FORTIMANAGER saved
session (connect over SSH).
2. Log in as admin and run the following command to view the CLI configuration for the system
template configuration:
# execute fmpolicy print-prov-templates ADOM1 5 1020 15
The output should appear as follows:
Dump all objects for category [system dns] in adom [ADOM1] package [1020]:
---------------
config system dns
    set primary 208.91.112.53
    set secondary 208.91.112.52
end
Note: The execute fmpolicy print- command tree allows you to view the CLI
configuration for provisioning templates, ADOM, and the device database on
FortiManager.
The syntax for provisioning templates is:
# execute fmpolicy print-prov-templates <adom> <prov> <package>
<category>|all [<key>|all|list]
You can use the help feature by typing ? to open the command tree syntax.
To view the DNS settings for FortiGates (CLI)
1. In the FORTIMANAGER PuTTY session, run the following command to view the Local-FortiGate
DNS settings in the FortiManager device-level database.
# execute fmpolicy print-device-object ADOM1 Local-FortiGate root 15
The output should appear as follows:
Dump all objects for category [system dns] in device [Local-FortiGate] vdom[root]:
---------------
config system dns
    set primary 208.91.112.53
    set secondary 4.2.2.2
end
Note: The syntax for the device object is:
# execute fmpolicy print-device-object <adom> <devname> <vdom> <category>|all [<key>|all|list]
2. Run the following command to view the Remote-FortiGate DNS settings in the FortiManager device-level database:
# execute fmpolicy print-device-object ADOM1 Remote-FortiGate root 15
The output should appear as follows:
Dump all objects for category [system dns] in device [Remote-FortiGate] vdom[root]:
---------------
config system dns
    set primary 4.2.2.2
    set secondary 8.8.8.8
end
Compare the system template entries with the device-level database of each FortiGate. The Local-FortiGate primary DNS entry already matches the default system template's primary DNS entry, so FortiManager skips that line for the Local-FortiGate and installs only the secondary entry. The Remote-FortiGate matches neither entry, so both entries are installed.
3. Close the PuTTY session.
Installing Device-Level Configuration Changes
Now, you will install device-level configuration changes (system templates) on the managed FortiGate
devices.
To install device-level changes (system templates)
1. In the FortiManager GUI, click Managed FortiGates.
2. Select Local-FortiGate and Remote-FortiGate.
3. In the drop-down list, click Install > Install Wizard.
4. Select Install Device Settings (only), and then click Next.
5. Make sure both devices are selected, and then click Next.
6. For Local-FortiGate, click Preview.
The preview generates.
Optionally, you can download the preview setting.
7. Click Cancel.
8. For Remote-FortiGate, click Preview.
The preview generates.
9. Click Cancel.
10. Make sure both FortiGate devices are selected, and then click Install.
The installation begins.
11. After the installation finishes, click the View Log icon to view and verify what is being installed on
each device.
12. In the Install Log pop-up window, click Close.
13. Click Finish.
The Config Status for both FortiGate devices should be Synchronized.
2 Troubleshoot Policy Import Issues
First, you will view the policies and objects imported into the ADOM database. The objects share the
common object database for each ADOM and are saved in the ADOM database, which can be shared
or used among different managed FortiGate devices in the same ADOM.
In this exercise, you will diagnose and troubleshoot issues that occur while importing the Remote-FortiGate policy package.
Viewing the Policy Package and Objects
Now, because the Local-FortiGate policy package is already imported into ADOM1, you will view the Local-FortiGate policy package and the objects it brought into the ADOM1 database.
To view the policy package and objects for the Local-FortiGate
1. On the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241
with the username student and password fortinet.
2. Click Policy & Objects.
3. On the left side of the window, expand Local-FortiGate, and then click IPv4 Policy.
You will see the two policies for the Local-FortiGate.
Notice the source address of Test_PC for the Ping_Test firewall policy.
4. On the menu bar, click Object Configurations.
5. On the left side of the window, expand Firewall Objects, and then click Addresses.
6. Review the configuration for the Test_PC firewall address. In the ADOM database, it is set to any
interface based on the configuration imported from the Local-FortiGate.
Reviewing Policies and Objects Locally on the
Remote-FortiGate
You need to import the policies and objects from the Remote-FortiGate. But before importing policies
and objects, you will review the policies and objects locally on the Remote-FortiGate.
To review policies and objects locally on the Remote-FortiGate
1. On the Local-Windows VM, open a browser and log in to the Remote-FortiGate GUI at
10.200.3.1 with the username admin.
2. Click Login Read-Only.
3. Go to Policy & Objects > IPv4 Policy.
4. Hover the mouse over the Test_PC object in the Source column of the Seq.# 1 firewall policy.
You will see that the Test_PC address object is bound to the port6 interface.
Remember, the Test_PC address object is bound to the any interface in the ADOM database.
5. Log out of Remote-FortiGate.
Importing a Policy Package
Now, you will import the policies and objects for the Remote-FortiGate into the policy package, and
troubleshoot issues with the policy import.
To import the policy package
1. Return to the FortiManager GUI, click Policy & Objects > Device Manager.
2. Right-click Remote-FortiGate, and then click Import Policy.
3. Click Next.
4. Make sure the policy package name is Remote-FortiGate.
5. Leave all other settings at their default values, and then click Next.
6. Click Next.
7. Click Next.
Did you notice it skipped one firewall policy out of two policies?
8. Click Download Import Report to view the reason for skipping a firewall policy.
9. Open the file (or you can save it for future reference).
Did you notice it failed when importing firewall policy ID # 2(SEQ# 1)?
Stop and Think
The output provides the reason for this policy import failure.
reason=interface(interface binding contradiction. detail: any<port6) binding fail)"
What does this error mean? What is the impact? How can you fix this partial policy import
issue?
Discussion
Remember, in the ADOM1 database, the Test_PC firewall address is bound to the any interface, based on the configuration imported from the Local-FortiGate. On the Remote-FortiGate, policy ID 2 uses the Test_PC firewall address bound to port6 as the source address.
This is the expected behavior on FortiManager: it does not allow the same address object name to be bound to different interfaces.
Because FortiManager imported only part of the policy set into the policy package, if you make a change to the policy package and install it, FortiManager will delete the skipped policies and the objects associated with them, along with all unused objects.
You must change the Test_PC firewall address binding to the any interface by logging in locally to the Remote-FortiGate.
10. Close the import report, and then click Finish.
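The contradiction in the import report comes from one object name carrying two different interface bindings, and it can be spotted before the import is attempted. The following script is added here as an example and is not part of the Fortinet lab guide: it compares the `config firewall address` section of the device already in the ADOM with the same section from the device about to be imported, lists every object whose `associated-interface` differs, prints the `unset associated-interface` fix the lab applies by hand, and parses the reason line the import report produced. Both configuration snippets are constructed; only the object name Test_PC, the interface port6 and the reason line come from the lab, while the subnets and the other object names are assumptions.

```python
import re

# Constructed samples standing in for `show firewall address` on the device
# already imported into the ADOM (Local-FortiGate) and on the device about to
# be imported (Remote-FortiGate). Subnets and the extra object names are
# assumptions; Test_PC and port6 follow the lab.
ADOM_ADDR_CFG = """
config firewall address
    edit "Test_PC"
        set subnet 10.0.1.10 255.255.255.255
    next
    edit "Internal"
        set subnet 10.0.1.0 255.255.255.0
    next
end
"""

INCOMING_ADDR_CFG = """
config firewall address
    edit "Test_PC"
        set associated-interface "port6"
        set subnet 10.0.1.10 255.255.255.255
    next
    edit "Remote_LAN"
        set subnet 10.0.2.0 255.255.255.0
    next
end
"""

# Reason line as it appears in the lab's import report.
REPORT_LINE = ('reason=interface(interface binding contradiction. '
               'detail: any<port6) binding fail)"')


def parse_address_bindings(cfg: str) -> dict:
    """Return {address_name: interface}. Objects without an explicit
    associated-interface are bound to 'any', which is how the ADOM database
    holds Test_PC after the Local-FortiGate import."""
    section = re.search(r"config firewall address(.*?)^\s*end\s*$", cfg, re.S | re.M)
    bindings = {}
    if not section:
        return bindings
    for block in re.split(r"^\s*next\s*$", section.group(1), flags=re.M):
        name = re.search(r'^\s*edit\s+"?([^"\n]+?)"?\s*$', block, re.M)
        if not name:
            continue
        iface = re.search(r'^\s*set associated-interface\s+"?([^"\n]+?)"?\s*$',
                          block, re.M)
        bindings[name.group(1)] = iface.group(1) if iface else "any"
    return bindings


def binding_conflicts(adom: dict, incoming: dict) -> list:
    """(name, adom_interface, device_interface) for every object that already
    exists in the ADOM database with a different binding. Policies that use
    these objects are the ones FortiManager skips on import."""
    return [(name, adom[name], iface)
            for name, iface in incoming.items()
            if name in adom and adom[name] != iface]


def remediation_cli(conflicts: list) -> str:
    """FortiOS CLI for the fix the lab applies on the device: clear the
    device-side binding so it matches the ADOM copy. Only conflicts whose
    ADOM copy is 'any' are fixable this way; the rest are only reported."""
    lines = ["config firewall address"]
    for name, adom_iface, _device_iface in conflicts:
        if adom_iface == "any":
            lines += [f'    edit "{name}"',
                      "        unset associated-interface",
                      "    next"]
    lines.append("end")
    return "\n".join(lines)


def parse_contradiction(reason: str):
    """Pull (adom_binding, device_binding) out of a reason line of the form
    the lab's import report shows ('detail: any<port6')."""
    hit = re.search(
        r"interface binding contradiction\. detail:\s*([^<\s]+)<([^)\s]+)\)", reason)
    return (hit.group(1), hit.group(2)) if hit else None


if __name__ == "__main__":
    adom = parse_address_bindings(ADOM_ADDR_CFG)
    incoming = parse_address_bindings(INCOMING_ADDR_CFG)
    conflicts = binding_conflicts(adom, incoming)
    for name, adom_iface, device_iface in conflicts:
        print(f"{name}: ADOM binding {adom_iface!r}, device binding {device_iface!r}")
    print(remediation_cli(conflicts))
    print("report says:", parse_contradiction(REPORT_LINE))
```

Feeding the ADOM's current address objects and the next device's `show firewall address` output through this check before clicking Import Policy tells you which policies will be skipped and why, instead of finding out from the import report afterwards.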
Check the Impact of Partial Policy Import (Optional)
The two procedures below show the impact of making changes to the Remote-FortiGate policy package on FortiManager and then trying to install it. FortiManager will try to delete policy ID 2 and the Test_PC address object on the Remote-FortiGate, along with any unused objects.
If you are already familiar with this behavior, you can skip the following procedures:
• To make configuration changes to the Remote-FortiGate Policy Package (Optional)
• To preview the installation changes (Optional)
To make configuration changes to the Remote-FortiGate Policy Package (Optional)
1. In the FortiManager GUI, click Device Manager > Policy & Objects.
2. On the left side of the window, click Remote-FortiGate, and then click IPv4 Policy.
You will see that the firewall policy with Test_PC as the source address is not imported.
3. Double click the Seq# 1 firewall policy.
4. In the Description field, type Training, and then click OK.
To preview the installation changes (Optional)
1. Ensure IPv4 Policy is selected for the Remote-FortiGate policy package, and then click
Install > Re-install Policy.
2. Click Preview.
3. Notice that it is trying to delete the firewall policy with ID=2 and the Test_PC address object.
Note: When installing a policy package for the first time, FortiManager also deletes all unused
objects.
This is the firewall policy with Test_PC as the source address.
4. In the Install Preview window, click Cancel.
5. Click Cancel.
Fixing a Partial Policy Import Issue
You must change the Test_PC firewall address binding to the any interface by locally logging in to the
Remote-FortiGate.
Then, on FortiManager you will be able to import the policy package for the Remote-FortiGate.
To make local changes on Remote-FortiGate
1. On the Local-Windows VM, open a new browser tab, and then log in to the Remote-FortiGate
GUI at 10.200.3.1 as admin
2. Click Login Read-Write.
3. In the warning window, click Yes.
4. Click Policy & Objects > Addresses.
5. Right-click Test_PC, and then select Edit in CLI.
6. Enter the following command in the CLI window:
unset associated-interface
end
7. Close the CLI Console window.
8. Refresh the page.
Your configuration should look like the following example:
9. Log out of Remote-FortiGate.
To import the policy package again
1. Return to the FortiManager GUI, click Policy & Objects > Device Manager.
2. On the left side of the window, click Managed FortiGates.
3. Right-click Remote-FortiGate, and then select Import Policy.
4. Click Next.
5. Select the Overwrite check box.
6. Leave all other settings at their default values, and then click Next.
Did you notice that Test_PC appeared as Dynamic Mapping?
FortiManager automatically creates a dynamic mapping of the object with the same values; its interface binding must match the one already stored in the ADOM database.
7. Click Next.
8. You will see both firewall policies are imported this time.
9. Click Finish.
LAB 8—Advanced Configuration
The learning goals for this lab are to understand the troubleshooting commands used for FortiGuard
Management, and to learn how to use FortiManager to upgrade the firmware on managed FortiGate
devices.
Objectives
• Review the central management configuration on both FortiGate devices
• Understand and run FortiGuard debug commands
• Import the firmware image for FortiGate devices and upgrade from FortiManager
Time to Complete
Estimated: 15 minutes
1 FortiGuard Management
In this exercise, you will review the central management settings on the FortiGate devices. Then, you
will run the CLI commands related to FortiGuard diagnostics on FortiManager to understand
FortiGuard settings on FortiManager.
To review central management settings on both FortiGate devices
1. On the Local-Windows VM, open PuTTY and connect to the LOCAL-FORTIGATE and REMOTE-FORTIGATE saved sessions (connect over SSH).
2. At the login prompt, enter the username admin (all lower case).
3. Enter the following command:
show system central-management
Your output for the Local-FortiGate and Remote-FortiGate devices should look similar to the
following examples:
Local-FortiGate:
Remote FortiGate:
You will see that server-list is configured on the FortiGate devices with the FortiManager IP address, and that include-default-servers is disabled. This means the FortiGate devices are pointed to FortiManager for their FortiGuard services, and access to the public FortiGuard servers is disabled.
Diagnosing FortiGuard Issues
Now, you will run CLI commands on FortiManager to verify the FortiGuard configuration in order to
troubleshoot FortiGuard issues.
To diagnose FortiGuard issues
1. On the Local-Windows VM, open PuTTY and connect to the FORTIMANAGER saved session
(connect over SSH).
2. At the login prompt, enter the username admin (all lower case).
3. Run the following commands one at a time and review the output of each:
diagnose fmupdate view-serverlist fds
You should see that there is only one default server in the list. FortiManager is unable to connect to the public FDN servers, either because they are unreachable or because the service is disabled. In this lab environment, communication with the public FortiGuard servers is disabled.
diagnose fmupdate view-serverlist fds
You should see that there is no information for Upullstat or UpullServer, because FortiManager is not connected to the public FDS, which would provide that information.
diagnose fmupdate dbcontract
FortiManager is operating in a closed network environment and license contracts are uploaded
manually on FortiManager. You should see the contract information, which includes the types of
contracts that the device currently has along with the expiry dates.
Note: The same information can be viewed in the FortiGate GUI in the License Information
widget.
You will also see FortiAnalyzer contract information, which is uploaded manually on FortiManager.
The FortiAnalyzer labs use FortiManager as the local FDS in order to use the IOC features on
FortiAnalyzer.
2 Upgrading FortiGate Firmware Using FortiManager
You can use FortiManager as your local firmware cache and to upgrade firmware on supported
devices.
In this exercise, you will import the firmware image for FortiGate and then upgrade both FortiGate
devices using FortiManager.
To import and upgrade firmware
1. On the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241
with username student and password fortinet.
2. Click FortiGuard.
3. Click Firmware Images > Import Images.
4. Click Import, and then click Browse.
5. Browse to Desktop > Resources > FortiManager > Advanced-Configuration, and then select
FGT_VM64-v5-build7605-FORTINET.out.
6. Click OK.
You will see that the firmware image has been saved on FortiManager.
7. Click FortiGuard > Device Manager.
8. Click Firmware.
9. Select both FortiGate devices and click Upgrade.
10. In the Upgrade to drop-down list, select FGT_VM64-v5-build7605-FORTINET.out.
11. Click OK.
You should see successful firmware upgrades for both FortiGate devices.
12. Click Close.
13. Optionally, you can open the console connection for the Local-FortiGate and Remote-FortiGate
to see the firmware upgrades.