DO NOT REPRINT © FORTINET

FortiManager 5.4.2
Lab Guide for FortiManager 5.4.2

FortiManager Lab Guide for FortiManager 5.4.2
Last Updated: 4 May 2017

We would like to acknowledge the following major contributors: Simon Cao and Claudio Capone

Fortinet®, FortiGate®, and FortiGuard® are registered trademarks of Fortinet, Inc. in the U.S. and other jurisdictions, and other Fortinet names herein may also be trademarks, registered or otherwise, of Fortinet. All other product or company names may be trademarks of their respective owners. Copyright © 2002 - 2017 Fortinet, Inc. All rights reserved. Contents and terms are subject to change by Fortinet without prior notice. No part of this publication may be reproduced in any form or by any means or used to make any derivative such as translation, transformation, or adaptation without permission from Fortinet, Inc., as stipulated by the United States Copyright Act of 1976.

Table of Contents

VIRTUAL LAB BASICS (p. 9)
  Network Topology (p. 9)
  Lab Environment (p. 9)
  System Checker (p. 10)
  Logging In (p. 11)
  Disconnections/Timeouts (p. 15)
  Transferring Files to the VM (p. 15)
  Screen Resolution (p. 15)
  International Keyboards (p. 16)
  Student Tools: View Broadcast and Raise Hand (p. 16)
  Troubleshooting Tips (p. 17)

LAB 1—INITIAL CONFIGURATION (p. 19)
  Objectives (p. 19)
  Time to Complete (p. 19)
  Prerequisites (p. 19)
  1 Examining Initial Configuration (p. 22)
    Examine Initial Configuration Through the CLI (p. 22)
    Examine Initial Configuration Through the GUI (p. 25)
  2 Enabling FortiAnalyzer Features on FortiManager (p. 28)

LAB 2—ADMINISTRATION AND MANAGEMENT (p. 30)
  Objectives (p. 30)
  Time to Complete (p. 30)
  1 Configure Administrative Domains (ADOMs) (p. 31)
    Enabling ADOMs (p. 31)
    Viewing ADOM Information (p. 32)
    Configuring ADOM (p. 33)
  2 Creating and Assigning Administrators (p. 36)
    Testing Administrator Privileges (p. 37)
    Restricting Administrator Access Using Trusted Host (p. 38)
    Testing the Restricted Administrator Access (p. 39)
  3 ADOM Locking (Workspace Mode) (p. 41)
    ADOM Locking (Workspace Mode) (p. 41)
  4 Backup and Restore (p. 43)
    Backing up FortiManager Configuration (p. 43)
    Restore FortiManager Configuration (p. 44)
  5 Monitoring Alerts and Event Logs (p. 46)
    Offline Mode (p. 46)
    Viewing Alerts and Event Logs (p. 47)

LAB 3—DEVICE REGISTRATION (p. 50)
  Objectives (p. 50)
  Time to Complete (p. 50)
  1 Configuring System Templates (p. 51)
    Configuring System Templates (p. 51)
    Disabling ADOM Locking (Workspace Mode) (p. 53)
  2 Registering a Device to FortiManager (p. 55)
    Reviewing Central Management Configuration on Local-FortiGate (p. 55)
    Enabling Real-Time Debug (p. 56)
    Adding Local-FortiGate Using the Add Device Wizard (p. 56)
    Viewing the Local-FortiGate Policy Package (p. 60)
    Importing System Template Settings From FortiGate (p. 62)
    Adding Remote-FortiGate Using the Add Device Wizard (p. 64)

LAB 4—DEVICE LEVEL CONFIGURATION AND INSTALLATION (p. 67)
  Objectives (p. 67)
  Time to Complete (p. 67)
  1 Understanding Managed Device Status (p. 68)
  2 Install System Template Changes to Managed Devices (p. 73)
    Installing System Templates (p. 73)
    Checking Managed Device Status (p. 75)
    Viewing Pushed Configuration on the FortiGate (p. 77)
  3 Auto Update and Revision History (p. 79)
    Making Direct Changes on Local-FortiGate (p. 79)
    Making Direct Changes on Remote-FortiGate (p. 80)
    Viewing Auto Update and Revision History (p. 80)
    Viewing the Install Log (p. 82)
    Viewing Auto Update, Revision History, and Install Log for Remote-FortiGate (Optional) (p. 83)
    Log View (p. 83)
    Task Manager (p. 84)
  4 Configuring Device Level Changes (p. 87)
    Changing Managed FortiGate Interface Settings (p. 87)
    Filtering Devices Based on Their Statuses (p. 89)
    Configuring the Administrator Account (p. 90)
  5 Installing Configuration Changes (p. 93)
    Viewing the Install Preview (p. 93)
    Install Wizard (p. 94)
    Revision Diff (p. 96)
  6 Scripts (p. 100)
    Enabling the Script Feature (p. 100)
    Configuring Scripts (p. 101)
    Running and Installing Scripts (p. 102)

LAB 5—POLICY & OBJECTS (p. 106)
  Objectives (p. 106)
  Time to Complete (p. 106)
  1 Import Policy and ADOM Revisions (p. 107)
    Import Policy (p. 107)
    Creating ADOM Revisions (p. 109)
  2 Workflow Mode (p. 111)
  3 Creating and Assigning Header Policies in the Global ADOM (p. 121)
  4 Creating a Common Policy for Multiple Devices (p. 126)
    Dynamic Mappings - Address Objects (p. 126)
    Dynamic Mappings - Interfaces and Zones (p. 128)
    Creating a Common Policy Package (p. 132)
    Configuring an Installation Target and Install On (p. 136)

LAB 6—VPN (p. 142)
  Objectives (p. 142)
  Time to Complete (p. 142)
  1 Configuring IPsec VPN (p. 143)
    Configuring IPsec Phase I and Phase II (p. 143)
    Configuring Static Route (p. 146)
    Configuring IPsec Phase I and Phase II (p. 146)
    Configuring Static Route (p. 148)
    Installing device-level configuration changes (p. 149)
    Creating firewall policies for IPsec VPN (p. 151)
    Installing Training Policy Package (p. 153)
    Testing IPsec VPN (p. 153)

LAB 7—DIAGNOSTICS AND TROUBLESHOOTING (p. 155)
  Objectives (p. 155)
  Time to Complete (p. 155)
  Prerequisites (p. 155)
  1 Diagnose and Troubleshoot Install Issues (p. 159)
    Viewing the Installation Preview (p. 159)
    Viewing the DNS Configuration (p. 161)
    Installing Device-Level Configuration Changes (p. 163)
  2 Troubleshoot Policy Import Issues (p. 167)
    Viewing the Policy Package and Objects (p. 167)
    Reviewing Policies and Objects Locally on the Remote-FortiGate (p. 168)
    Importing a Policy Package (p. 168)
    Check the Impact of Partial Policy Import (Optional) (p. 171)
    Fixing a Partial Policy Import Issue (p. 173)

LAB 8—ADVANCED CONFIGURATION (p. 177)
  Objectives (p. 177)
  Time to Complete (p. 177)
  1 FortiGuard Management (p. 178)
    Diagnosing FortiGuard Issues (p. 179)
  2 Upgrading FortiGate Firmware Using FortiManager (p. 181)

Virtual Lab Basics

In this class, you will use a virtual lab for hands-on exercises. This section explains how to connect to the lab and its virtual machines. It also shows the topology of the virtual machines in the lab.

Note: If your trainer asks you to use a different lab, such as devices physically located in your classroom, please ignore this section. This applies only to the virtual lab accessed through the Internet. If you do not know which lab to use, please ask your trainer.

Network Topology

Lab Environment

Fortinet's virtual lab for hands-on exercises is hosted in remote datacenters that give each student their own training lab environment, or PoD (point of delivery).

System Checker

Before starting any class, check whether your computer can successfully connect to the remote datacenters. The System Checker verifies that your network connection and your web browser are suitable for connecting to the virtual lab.
You do not have to be logged in to the lab portal to run the System Checker.

To run the System Checker

1. Click the URL for your location:

   Region                                  System Checker
   AMER - North and South America          https://remotelabs.training.fortinet.com/training/syscheck/?location=NAMWest
   EMEA - Europe, Middle East and Africa   https://remotelabs.training.fortinet.com/training/syscheck/?location=Europe
   APAC - Asia and Pacific                 https://remotelabs.training.fortinet.com/training/syscheck/?location=APAC

   If your computer successfully connects to the virtual lab, the Browser Check and Network Connection Check each display a check mark icon. You can then proceed to log in.

   If any of the tests fail:
   - Browser Check: This affects your ability to access the virtual lab environment.
   - Network Connection Check: This affects the usability of the virtual lab environment.

   For solutions, click the Support Knowledge Base link or ask your trainer.

Logging In

Once you confirm that your system can successfully run the labs through the System Checker, you can proceed to log in.

To log in to the remote lab

1. With the user name and password provided by your trainer, you can either:
   - Log in via the Login link at the bottom of the System Checker results.
   - Log in at the URL for the virtual lab provided by your trainer:
     https://remotelabs.training.fortinet.com/
     https://virtual.mclabs.com/
2. If prompted, select the time zone for your location, and then click Update. This ensures that your class schedule is accurate.
3. Click Enter Lab.

   Your system dashboard appears, listing the virtual machines in accordance with your lab topology.

4. From this page, open a connection to any virtual appliance by doing one of the following:
   - Click the device's square (thumbnail).
   - Select Open from the System drop-down list associated with the VM you want to access.

   Note: Follow the same procedure to access any of your virtual devices.

   A new web browser tab opens, granting you access to the virtual device. When you open a VM, your browser uses HTML5 to connect to it. Depending on the virtual machine you select, the web browser provides access to either a text-based CLI or the GUI.

   Connections to the Local-Windows VM use a Remote Desktop-like GUI. The web-based connection should automatically log in and then display the Windows desktop. For most lab exercises, you will connect to this Local-Windows VM.

Disconnections/Timeouts

If your computer's connection with the virtual machine times out, or if you are accidentally disconnected, regain access by returning to the initial window/tab that contains your session's list of VMs and opening the VM again. If that does not succeed, see the Troubleshooting Tips section of this guide.

Transferring Files to the VM

If you store files in a cloud service such as Dropbox or SugarSync, you can use the web browser to download them to your Local-Windows VM. From there, if required, you can use a web browser to upload them to the Fortinet VMs' GUI. When connecting to a VM, your browser should then open a display in a new applet window.

Screen Resolution

Some Fortinet devices' user interfaces require a minimum screen size. To configure screen resolution in the HTML5 client, open the System menu.

International Keyboards

If characters in your language don't display correctly, the keyboard mappings may not be correct.
To solve this, open the Keyboard menu at the top of the tab of any GUI-based VM, and choose to display an on-screen keyboard.

Student Tools: View Broadcast and Raise Hand

Your instructor can broadcast their lab systems so that students can watch any ongoing task in real time. When an instructor begins a broadcast, you receive an alert at the top of all open lab pages. To accept and view the broadcast, either click the notification message or click View Broadcast on the left side panel.

If you have any question or issue, use the Raise Hand tool; your instructor will be notified and will assist you.

Troubleshooting Tips

Do not connect to the virtual lab environment through Wi-Fi, 3G, VPN tunnels, or other low-bandwidth or high-latency connections. For best performance, use a stable broadband connection such as a LAN.

Prepare your computer's settings by disabling screen savers and changing the power saving scheme, so that your computer is always on and does not go to sleep or hibernate.

If disconnected unexpectedly from any of the virtual machines (or from the virtual lab portal), please attempt to reconnect. If unable to reconnect, please notify the instructor.

If you can't connect to a VM, on the VM's icon, you can force the VM to start up by clicking System > Power Cycle. This fixes most problems. If that does not solve the problem, revert the VM to its initial state with System > Revert to Initial State.

Note: Reverting to the VM's initial snapshot will undo all of your work. Try other solutions first.

If during the labs, particularly when reloading configuration files, you see a license message similar to the exhibit below, the VM is waiting for a response from the authentication server.
To retry immediately, go to the console and enter the CLI command:

    exec update-now

LAB 1—Initial Configuration

In this lab, you will examine the network settings of FortiManager from the CLI and GUI. You will also enable the FortiAnalyzer feature set on FortiManager, which can be used for logging and reporting.

Objectives
- Examine initial system settings, including network and time settings
- Enable FortiAnalyzer features on FortiManager

Time to Complete
Estimated: 20 minutes

Prerequisites

Before beginning this lab, you must update the firmware and initial configurations on the Local-FortiGate and Remote-FortiGate. This lab environment is also used for FortiGate 5.4.1 training and initializes in a different state than is required for FortiManager 5.4.2 training.

To update the FortiGate firmware on both FortiGates

1. From the Local-Windows VM, open a browser and log in as admin (blank password) to the Local-FortiGate GUI at 10.0.1.254.
2. Go to the Dashboard, and from the System Information widget click Update.
3. Click Upload Firmware.
4. Browse to Desktop > Resources > FortiManager > Introduction and select FGT_VM64-v5-build1100-FORTINET.out.
5. Click Upgrade. The system reboots.
6. Once rebooted, log in as admin and ensure that the firmware version in the System Information widget displays v5.4.2, build1100 (GA).
7. Open another browser tab and log in as admin (blank password) to the Remote-FortiGate GUI at 10.200.3.1.
8. Repeat the procedure to update the firmware for Remote-FortiGate.

To restore the FortiGate configuration file on both FortiGates

1. Return to the Local-FortiGate GUI at 10.0.1.254.
2. Go to the Dashboard, and from the System Information widget click Restore.
3. Select to restore from Local PC and click Upload.
4. Browse to Desktop > Resources > FortiManager > Introduction and select local-initial-5.4.2.conf.
5. Click OK.
6. Click OK. The system reboots.
7. Once rebooted (you must wait until Local-FortiGate reboots), return to the Remote-FortiGate GUI at 10.200.3.1.
8. Repeat the same procedure to restore the system configuration for Remote-FortiGate, but select remote-initial-5.4.2.conf from the Introduction folder.
9. Once rebooted, close the browser for both FortiGates.

1 Examining Initial Configuration

FortiManager is preconfigured with the initial network settings. In this exercise, you will explore the FortiManager basic configuration settings from the GUI and CLI.

Examine Initial Configuration Through the CLI

You will start by accessing FortiManager through the CLI to examine the initial configuration.

To examine the initial configuration through the CLI

1. In Local-Windows, open PuTTY and connect to the FORTIMANAGER saved session (connect over SSH).
2. At the login prompt, enter the username admin (all lower case).
3. Enter the following command to display basic status information about FortiManager:

       # get system status

   Data and result:
   - What is the firmware version?
     Knowing your FortiManager firmware version is important, as it determines which Fortinet products and firmware versions are supported.
   - What is the administrative domain configuration?
     By default, administrative domains (ADOMs) are disabled.
   - What is the time zone?
     It is important that the system time on FortiManager and all registered devices is synced, for tunnel negotiation and for logging (if the FortiAnalyzer feature is used).
   - What is the license status?
     To ensure FortiManager continues to manage devices, a valid license is required.

4. Enter the following command to display information about the FortiManager interface configuration:

       # show system interface

   Diagnostic and result:
   - What is the IP for port1?
     port1 is the management port, and its address is the IP address of FortiManager.
   - What administrative access protocols are configured for port1?
     This will help troubleshoot any access issues you may experience. For example, this PuTTY session would not be able to connect without the SSH protocol enabled.
   - What is configured for the service access?
     If devices are configured to use FortiManager as the local FDS server, service access allows FortiManager to respond to FortiGuard queries made by devices.
   - What is the IP for port2?
     According to the network topology diagram, port2 is how traffic is routed between Remote-FortiGate and FortiManager. Remote-FortiGate, therefore, will connect to FortiManager using this port2 IP address.
   - What administrative access protocols are configured for port2?

5. Enter the following command to display DNS setting information:

       # show system dns

   - What are the primary and secondary DNS settings?
     By default, FortiManager uses FortiGuard DNS servers.

6. Enter the following commands to display NTP setting information:

       # get system ntp

   - Is NTP enabled?
     NTP is recommended on FortiManager and all registered devices for proper FortiGate-FortiManager tunnel establishment.
   - How often does FortiManager synchronize its time with the NTP server?

       # show system ntp

   - What server is configured for NTP?
     By default, Fortinet servers are configured.

7. Enter the following command to display information about the FortiManager routing configuration:

       # show system route

   - What is the gateway route associated with port2?
     According to the network topology diagram, this IP address is the default route to the Internet.

8. To test basic network connectivity, and to ensure that the default route to the Internet is working, enter the following command to ping 8.8.8.8 (a highly available public IP):

       execute ping 8.8.8.8

   Packets should transmit successfully.

9. Close your PuTTY session.

Examine Initial Configuration Through the GUI

You will now log in to the FortiManager device using the GUI to examine the initial configuration.

To examine the initial configuration through the GUI

1. From the Local-Windows VM, open a browser and log in as admin to the FortiManager GUI at 10.0.1.241. Accept the self-signed certificate or security exemption if a security alert appears.

   Note: All the lab exercises were tested running Mozilla Firefox in the Local-Windows VM and Remote-Windows VM. To get consistent results, we recommend using Firefox in this virtual environment.

2. Click System Settings. The dashboard shows the FortiManager widgets that display information such as System Information, License Information, System Resources, and more.
3. Examine the System Information and License Information widgets to display the information shown below. This displays the same information available from the CLI command get system status.
   - Firmware version
   - Administrative Domain status
   - System time and time zone
   - License status (VM)
4. From the System Information widget, edit the System Time to view the NTP information.
FortiManager Lab Guide 25 DO NOT REPRINT © FORTINET LAB 1—Initial Configuration 1 Examining Initial Configuration This displays the same information available from the CLI commands get system ntp and show system ntp. Note: You will be managing Local-FortiGate and Remote-FortiGate from FortiManager, which are configured with the same time zone and NTP server. 5. From the left menu, click Network. This page displays information about the port1 management interface, including the IP address, administrative access protocols, service access, and DNS information. This displays the same information available from the CLI commands show system interface and show system dns. FortiManager Lab Guide 26 DO NOT REPRINT © FORTINET LAB 1—Initial Configuration 1 Examining Initial Configuration Note: The fgtupdates, fclupdates in the CLI is equivalent to FortiGate Updates in the GUI. The webfilter-antispam in the CLI is equivalent to Web Filtering in the GUI. 6. Click All Interfaces to view the configuration of all interfaces. 7. On the left menu, click Network, and from the main window, click Routing Table. This page displays the network gateway and associated interface. This displays the same information available from the CLI command show system route. FortiManager Lab Guide 27 DO NOT REPRINT © FORTINET LAB 1—Initial Configuration 2 Enabling FortiAnalyzer Features on FortiManager 2 Enabling FortiAnalyzer Features on FortiManager FortiManager can be used as a logging and reporting device by enabling FortiAnalyzer features on FortiManager. Remember that FortiManager has logging rate restrictions compared to FortiAnalyzer. In this exercise, you will enable FortiAnalyzer features on FortiManager, so that FortiManager can be used for logging and reporting once the FortiGate devices are added. To enable FortiAnalyzer features on FortiManager 1. From the Local-Windows VM, open a browser and log in as admin to the FortiManager GUI at 10.0.1.241. 
   Notice the default panes available on FortiManager. It does not have panes related to FortiAnalyzer features.

2. Click System Settings.

3. Under the System Information widget, turn on FortiAnalyzer Features.

4. Click OK. FortiManager will reboot to initialize the FortiAnalyzer features and apply the changes.

5. Wait for FortiManager to reboot, and then log in as admin to the FortiManager GUI at 10.0.1.241.

   You will notice that after enabling FortiAnalyzer features, there are more panes related to logging and reporting: FortiView, Log View, Event Management, and Reports.

LAB 2—Administration and Management

In this lab, you will configure administrative domains (ADOMs) and an administrator. You will also restrict administrator access based on administrator profile, trusted hosts, and ADOMs. Then, you will enable ADOM locking, which disables concurrent access to the same ADOM. Additionally, the lab will guide you through how to properly back up and restore the FortiManager configuration, view alert messages in the Alert Message Console, and view event logs.

Objectives
- Enable ADOMs and configure a new ADOM
- Configure an administrator and restrict access to a newly created ADOM
- Enable ADOM locking
- Back up FortiManager, restore the backup, and disable offline mode
- Read entries in the alert message console and view event logs

Time to Complete
Estimated: 45 minutes

1 Configure Administrative Domain (ADOMs)

ADOMs group devices for administrators to monitor and manage. The purpose of ADOMs is to divide the administration of devices and to control (restrict) access. In this exercise, you will enable and configure ADOMs.
Enabling ADOMs

ADOMs are not enabled by default and can only be enabled by the admin administrator, or by an administrator with the Super_User access profile. You will now enable ADOMs on FortiManager.

To enable ADOMs

1. From the Local-Windows VM, open a browser and log in as admin to the FortiManager GUI at 10.0.1.241.

2. Click System Settings. Notice there is no All ADOMs tab below Dashboard prior to enabling Administrative Domain.

3. Under the System Information widget, turn on Administrative Domain.

4. Click OK. You will be logged out from FortiManager.

Viewing ADOM Information

Before creating new ADOMs, you should be aware of what ADOM types are available to you. You will view ADOM information through both the GUI and the CLI.

To view ADOM information

1. Log back in as admin to the FortiManager GUI at 10.0.1.241.

2. Select the root ADOM.

3. Click System Settings.

4. From the left menu, click All ADOMs. Note that this page is only available when ADOMs are enabled. This page lists all available ADOMs and any devices added to those ADOMs.

5. Still working from the Local-Windows VM, open PuTTY and connect to the FORTIMANAGER saved session (connect over SSH).

6. Log in as admin and execute the following command to view which ADOMs are currently enabled on FortiManager and the type of device you can register to each ADOM:

   Note: The CLI output formatting is easier to read if you maximize your PuTTY window. If you have already executed the command, once the window is maximized, press the up arrow to show the last command you entered and press Enter to re-run it.
    # diagnose dvm adom list

   As you can see, there are 13 ADOMs that FortiManager supports, each associated with different devices along with their supported firmware versions.

7. Close your PuTTY session.

Configuring ADOM

When ADOMs are enabled, by default, FortiManager creates ADOMs based on supported device types. The root ADOM is based on the FortiGate ADOM type.

When creating a new ADOM, you must match the device type. For example, if you want to create an ADOM for a FortiGate, you must select FortiGate as the ADOM type. With FortiGate ADOMs specifically, you must also select the firmware version of the FortiGate device. Different firmware versions have different features, and therefore different CLI syntax. Your ADOM setting must match the device's firmware.

You will now create and configure a new ADOM.

To configure ADOMs

1. Still logged in to the FortiManager GUI, click All ADOMs.

2. Click Create New.

3. Configure the following:

    Field    Value
    Name     My_ADOM
    Type     FortiGate and 5.4

   Your configuration should look like this:

4. Click Select Device. If you had any devices registered to FortiManager, you could select your device and add it to the ADOM at this time. However, in this lab, you have not yet registered any devices, so the list is empty.

5. Leave other settings at their defaults and click OK. You should observe a list of predefined ADOMs, including your new ADOM.

   Tip: You can switch between ADOMs within the GUI. You do not have to log out and log back in. To switch within the GUI, click ADOM in the top right of the GUI.
   Your administrator privileges determine which ADOMs you have access to.

2 Creating and Assigning Administrators

In this lab, you will create an administrative user with restricted access permissions. In an active deployment scenario, having more than one administrative user makes administering the network easier, especially if users are delegated specific administrative roles, or confined to specific areas within the network. In a multi-administrator environment, you also want to ensure every administrator has only those permissions necessary to do their particular job.

To create and assign administrators

1. From the Local-Windows VM, open a browser and log in as admin to the FortiManager GUI at 10.0.1.241.

2. Click root.

3. Click System Settings.

4. Click Admin > Administrators.

5. Click Create New.

6. Configure the following:

    Field                    Value
    User Name                student
    Admin Type               LOCAL
    New Password             fortinet
    Confirm Password         fortinet
    Admin Profile            Standard_User
    Administrative Domain    Specify
    Click to Select ADOMs…   My_ADOM

   Your configuration should look like this:

   Note: FortiManager comes preinstalled with four default profiles that you can assign to other administrative users. Alternatively, you can create your own custom profile. In this lab, we have assigned the preconfigured Standard_User profile to the newly created student administrator. The Standard_User profile provides read and write access to all device privileges, but not to the system privileges.

7. Leave other settings at their defaults and click OK.

8. Click admin.

9. Click Log Out.
Testing Administrator Privileges

You will now log in to FortiManager with the newly created administrator (student) and test the administrator privileges.

To test administrator privileges

1. Log in to the FortiManager GUI at 10.0.1.241 with username student and password fortinet. You will be limited to the My_ADOM administrative domain. Also, there are no System Settings and FortiGuard tabs.

   This shows how you can control or restrict administrator access based on administrative profiles and ADOMs.

Restricting Administrator Access Using Trusted Host

You will now restrict access to FortiManager by configuring a trusted host for the administrator accounts. Only administrators connecting from a trusted subnet will be able to access FortiManager.

To restrict administrator access

1. In the FortiManager GUI, log out of the student account's GUI session.

2. Log in as admin.

3. Click root.

4. Click System Settings.

5. Go to Admin > Administrators.

6. Edit the student account.

7. Turn ON Trusted Hosts.

8. Set Trusted IPv4 Host 1 to 10.0.1.0/24.

9. Click OK at the bottom to save the changes.

Testing the Restricted Administrator Access

In this procedure, you will confirm that administrators outside the subnet 10.0.1.0/24 cannot access FortiManager.

To test the restricted administrator access

1. From the Remote-Windows VM, open a browser and go to https://10.200.1.241.

2. Try to log in to the FortiManager GUI with username student and password fortinet. What is the result?

   Because you are trying to connect from the 10.0.2.10 IP address, your login authentication will fail. This is because you restricted logins to only the source IP addresses in the list of trusted hosts.
   Note: The IP address specified in the URL here is not the same as the one used previously, because now FortiManager is being accessed from a device that is in a different part of the network (see Network Topology). As such, you are now connecting to the port2 interface of the FortiManager device.

3. Go back to the Local-Windows VM.

4. You should still be logged in as admin to the FortiManager GUI. Edit the student account.

5. Toggle Trusted Host to OFF.

6. Click OK. This allows the administrative user to log in from any IP address and subnet.

7. Next, switch back to the Remote-Windows VM and attempt to log in to the FortiManager GUI again with username student and password fortinet. This time, you should gain access because you just turned off the requirement to log in from a trusted host.

8. Log out from FortiManager.

3 ADOM Locking (Workspace Mode)

By default, multiple administrators can log in to the same ADOM at the same time, which allows concurrent access. This can cause conflicts, however, if two or more administrators try to make changes in the same ADOM at the same time. You will be enabling ADOM locking, which allows:
- Disabling concurrent ADOM access
- ADOM locking
- A single administrator with read/write access to the ADOM
- All other administrators having read-only access to that ADOM

ADOM Locking (Workspace Mode)

ADOM locking is configured from the FortiManager CLI only. Before enabling ADOM locking, ensure all FortiManager administrators are notified and asked to save their work on FortiManager, because enabling ADOM locking will terminate all management sessions. You will now be enabling ADOM locking from the FortiManager CLI.

To enable ADOM locking (Workspace Mode)

1. In the Local-Windows VM, open PuTTY and connect to the FORTIMANAGER saved session (connect over SSH).

2. At the login prompt, enter the username admin (all lower case).

3. Enter the following commands:

    config system global
        set workspace-mode normal
    end

4. From the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with username student and password fortinet.

5. Click Lock on the top. You will notice the lock status changed from unlocked to a green locked state.

6. From the Remote-Windows VM, open a browser and go to https://10.200.1.241.

7. Log in as admin to the FortiManager GUI. You will notice the lock status is red for My_ADOM. Hover your mouse over the red lock icon. It will tell you the name of the admin who locked this ADOM, along with the date and time.

8. Click My_ADOM.

9. Click Log Out.

10. Go back to the Local-Windows VM and log out as student from FortiManager.

   Note: If an administrator has locked one or more ADOMs and then logged out of FortiManager, all those ADOMs will be unlocked. In this example, when the student administrator locked My_ADOM and then logged out, FortiManager unlocked My_ADOM.

   Caution: Always log out gracefully from FortiManager when ADOM locking is enabled. If a session is not closed gracefully (due to a PC crash or closed browser window), FortiManager will not close the admin session until it times out or the session is deleted. Until this time, the ADOM will remain in a locked state. If this situation arises and you cannot wait for the admin session to time out, then delete the session manually through the GUI or the CLI. From the GUI, click the System Information widget, and then click Current Administrators > Admin Session List.
   From the CLI:

4 Backup and Restore

In this exercise, you will back up the FortiManager configuration. In an active deployment scenario, it is a best practice to back up the device configuration prior to making any configuration changes. If the new configuration does not perform as expected, you can revert to the last sane configuration. Likewise, during these labs, it is beneficial to have a backup of the initial configuration, should you need to roll back for any reason.

   Note: FortiManager configuration files are not stored in plain text like FortiGate configuration files. The configuration is stored as a .dat file, which can be uncompressed and viewed offline with archive tools such as WinRAR and tar.

Backing up FortiManager Configuration

You will now back up the FortiManager configuration from the GUI.

To back up FortiManager

1. From the Local-Windows VM, open a browser and log in as admin to the FortiManager GUI at 10.0.1.241.

2. Select root.

3. Click Lock on the top.

4. Click System Settings.

5. Go to the System Information widget > System Configuration, and then click the backup icon.

6. Deselect Encryption.

7. Click OK.

8. Select Save.

9. Click OK.

10. Note the location of the backup file and rename this file to lab2.dat.

11. While still in the FortiManager GUI, go to Admin > Administrator.

12. Right-click student and click Delete.

13. Click OK.

Restore FortiManager Configuration

There are a few options when restoring a FortiManager configuration:

- Overwrite current IP, routing, and HA settings: By default, this option is enabled. If FortiManager has an existing configuration, restoring a backup will overwrite everything, including the current IP, routing, and HA settings.
  If you disable this option, FortiManager will still restore the configuration related to device information and global database information, but will preserve the basic HA and network settings.

- Restore in Offline Mode: By default, this is enabled and grayed out; you cannot disable it. While restoring, FortiManager temporarily disables the communication channel between FortiManager and all managed devices. This is a safety measure in case any of the devices are being managed by another FortiManager. To re-enable the communication, disable Offline Mode.

To restore FortiManager configuration

1. Still logged in to the FortiManager GUI, click Dashboard.

2. Go to the System Information widget > System Configuration, and then click the restore icon.

3. Click Browse.

4. Select your backup file lab2.dat. There is no password to enter because the file was not encrypted.

5. Leave Overwrite current IP, routing and HA settings enabled.

6. Click OK. FortiManager will reboot.

7. Wait for FortiManager to reboot, and then log in as admin to the FortiManager GUI at 10.0.1.241.

8. Select root.

9. Click Lock on the top.

10. Click System Settings.

11. Go to Admin > Administrator. The student administrator account will be shown there.

12. Log out from FortiManager.

5 Monitoring Alerts and Event Logs

In this exercise, you will view the alerts from the alert console widget and view the event logs. You will also configure filter options to locate specific logs. First, you will disable offline mode, which is enabled by default when a FortiManager backup is restored.

Offline Mode

You will disable offline mode on FortiManager.

To disable offline mode

1. From the Local-Windows VM, open a browser and log in as admin to the FortiManager GUI at 10.0.1.241.

2. Select root.

3. Click Lock on the top. On the top bar you should observe that FortiManager is in Offline Mode.

4. Click System Settings.

5. Go to Advanced > Advanced Settings.

6. Select Disable for Offline Mode.

7. Click Apply.

   You will notice that the Offline Mode message disappears. At this point, FortiManager can establish a management connection with the managed devices.

Viewing Alerts and Event Logs

You will now view the alerts on the Alert Message Console and the logs under Event Logs.

To view alerts and event logs

1. Still logged in to the FortiManager GUI, click Dashboard.

2. Go to the Alert Message Console widget. You should observe that Offline mode is disabled and see Restore all settings messages, along with other alert messages.

3. Click Event Log on the left-hand menu.

4. Click Add Filter.

5. Click Sub Type.

6. Click System manager event.

7. Click Go. Now you will have the filtered system manager events only.

8. You can download and/or view them in raw format.

9. Log out of FortiManager.

LAB 3—Device Registration

In this lab, you will explore the common operations performed using the device manager. You will use the Device Manager pane to add FortiGate devices.
Objectives
- Create and apply system templates to your managed devices
- Review central management settings on the FortiGate device
- Add a device using the Add Device wizard

Time to Complete
Estimated: 30 minutes

1 Configuring System Templates

The system templates on FortiManager can be configured in advance, and then used to provision common system-level settings to FortiGate devices when adding them to FortiManager, or to FortiGate devices that are already managed.

Configuring System Templates

You will be configuring and applying system templates to the FortiGate device when adding it to FortiManager.

To configure system templates

1. From the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with username student and password fortinet.

2. Click Device Manager.

3. Click Provisioning Templates. You will notice that you have read-only access. This is because when ADOM locking is enabled, you must lock the ADOM prior to making configuration changes.

4. Click Lock on the top to lock My_ADOM.

5. Under System Templates, click default.

6. Go to the Log Settings widget and enable Send Logs to FortiAnalyzer/FortiManager.

7. Configure the following:

    Field                       Value
    Specify IP Address          Select, and type 10.200.1.241 (Note: This is the port2 IP address of FortiManager. Refer to the network topology for details.)
    Upload Options              Realtime
    Encrypt Log Transmission    Turn ON this option

   Your configuration should look like this:

8. Click Apply.

9. Close all other widgets by clicking X and then the checkmark symbol.

   Your configuration should look like this:

10. Click Save.
   Note: When ADOM locking is enabled, you must save the changes in order for them to be copied to the FortiManager database.

11. Click Unlock on the top to unlock My_ADOM.

Disabling ADOM Locking (Workspace Mode)

You will now disable ADOM locking because, in this practical lab, every student has dedicated ADOMs to work on. Prior to disabling workspace mode, inform all the administrators logged in to FortiManager to save their work.

To disable ADOM locking (workspace mode)

1. In the Local-Windows VM, open PuTTY and connect to the FORTIMANAGER saved session (connect over SSH).

2. At the login prompt, enter the username admin (all lower case).

3. Enter the following commands, answering y at the confirmation prompt:

    config system global
        set workspace-mode disabled
        y
    end

   This will log out all administrators from FortiManager in order to save the changes.

2 Registering a Device to FortiManager

There are multiple ways to add FortiGate devices to FortiManager. These include:
- Use the Add Device wizard
- Send a request from FortiGate to FortiManager, and then accept the request from FortiManager
- Add multiple devices from the device manager

You will add the FortiGate devices using the Add Device wizard.

   Note: FMG-Access on both FortiGate devices is enabled on the interface facing FortiManager. It is the communication protocol used between FortiManager and the managed FortiGate devices.

Reviewing Central Management Configuration on Local-FortiGate

Before adding FortiGate to FortiManager, you will review the central management configuration on Local-FortiGate.

To review central management configuration on Local-FortiGate

1. In the Local-Windows VM, open PuTTY and connect to the LOCAL-FORTIGATE saved session (connect over SSH).

2. At the login prompt, enter the username admin (all lower case).

3. Enter the following command:

    get system central-management

   You should observe the following output:

   Note: The serial-number is the FortiManager serial number, which is non-configurable from the FortiGate device. This setting is set by the FortiManager that is managing this device. In this case, it is empty because we have not yet added the device to FortiManager.

4. Close the PuTTY session.

Enabling Real-Time Debug

You will now enable real-time debug on FortiManager to view the real-time status when adding FortiGate to FortiManager.

To enable real-time debug

1. In the Local-Windows VM, open PuTTY and connect to the FORTIMANAGER saved session (connect over SSH).

2. At the login prompt, enter the username admin (all lower case), and then enter the following commands:

    diagnose debug reset
    diagnose debug disable
    diagnose debug application depmanager 0
    diagnose debug application depmanager 255
    diagnose debug enable

   It is recommended to place this PuTTY session and the FortiManager GUI side by side, so that you can view the real-time debug output while adding FortiGate from the FortiManager GUI. Note that the output is very verbose and you might have to scroll up or down to review the information. Alternatively, you can save the log file on your desktop and open it using a text editor, such as Notepad++.

Adding Local-FortiGate Using the Add Device Wizard

Now, you will add Local-FortiGate to FortiManager in My_ADOM using the Add Device wizard, and you will apply the System Template created earlier.

To add Local-FortiGate using the Add Device wizard

1. From the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with username student and password fortinet.

2. Click Device Manager.

3. Click Add Device.

4. In the Add Device wizard, make sure the Discover radio button is selected and configure the following:

    Field         Value
    IP Address    10.200.1.1 (This is the port1 IP address of FortiGate)
    Username      admin

5. Leave other settings at their default values, and click Next.

6. Review the discovered device information and compare it with the output from the FortiManager PuTTY session.

7. You should observe the following:

8. Press the up arrow on your keyboard and select these commands to disable the debug. Alternatively, you can enter these commands manually.

    diagnose debug application depmanager 0
    diagnose debug disable
    diagnose debug reset

9. Close the PuTTY session.

10. Go back to the FortiManager GUI and click Next.

11. Ensure the Name is set to Local-FortiGate.

12. Select default from the drop-down for System Template.

13. Click Next.

14. Click Import Now.

15. Click Next.

16. In the policy package import page, complete the following:
    A. Make sure the policy package name is configured as Local-FortiGate.
    B. Accept the policy and object import defaults.
    C. Click Next.

17. On the conflict page, click View Conflict. This will show you the details of the configuration differences between FortiGate and FortiManager.

18. Leave the default setting of FortiGate in the Use Value From column.

19. Click Next. Note the objects identified. These should be identified as duplicates, new, or updating existing FortiManager objects.

20. Click Next.

21. Click Download Import Report.

22. Open the import report in a text editor such as Notepad++.

   Note: The import report download is only available on this page.
   As a best practice, it is recommended that you download the report and review the important information, such as which device is imported into which ADOM, as well as the name of the policy package created along with the objects imported. FortiManager imports new objects, and updates existing objects based on the option chosen on the conflict page. Duplicate objects are skipped, as FortiManager does not import duplicate entries into the ADOM database.

23. Close the text editor.

24. Click Finish. The Local-FortiGate device should now be listed in Device Manager.

25. In the Local-Windows VM, open PuTTY and connect to the LOCAL-FORTIGATE saved session (connect over SSH).

26. At the login prompt, enter the username admin (all lower case).

27. Enter the following command:

    get system central-management

   You should observe the following output:

   Note: The serial-number is the serial number of FortiManager, which is non-configurable from FortiGate. This has been set by the FortiManager that is managing this device. Also, the FortiManager IP address is set.

28. Close the PuTTY session.

Viewing the Local-FortiGate Policy Package

As you have imported the policy and dependent objects for Local-FortiGate, you will be viewing the policy package created for Local-FortiGate.

To view the Local-FortiGate policy package

1. Still in the FortiManager GUI, click Device Manager and select Policy & Objects.

2. You will notice that a policy package named Local-FortiGate was created when you imported firewall policies from your Local-FortiGate.

3. Click Object Configurations at the top.

4. Click Interface.

5. Click the expand arrow for any interface to view the ADOM interface mapping to device-level mappings, which were created when the device was added. These interfaces are used in policy packages to map firewall policies to interfaces on the firewall.

Importing System Template Settings From FortiGate

As Local-FortiGate is now added to FortiManager, you will import NTP server settings from Local-FortiGate. These server settings can be used by multiple FortiGate devices using this system template.

To import System Template settings from FortiGate

1. Still in the FortiManager GUI, click Policy & Objects and select Device Manager.

2. Click Provisioning Templates.

3. Click default.

4. Click Toggle Widgets and click NTP Server.

5. Click the import icon.

6. In the Import NTP Server window, select Local-FortiGate.

7. Click OK.

Adding Remote-FortiGate Using the Add Device Wizard

You will now add Remote-FortiGate to FortiManager in My_ADOM using the Add Device wizard. You will apply the System Template to Remote-FortiGate. You will import the policies and objects for Remote-FortiGate later in the training.

To add Remote-FortiGate using the Add Device wizard

1. Still logged in to the FortiManager GUI, click Device & Groups.

2. Click Add Device.

3. In the Add Device wizard, make sure the Discover radio button is selected, and configure the following:

    Field         Value
    IP Address    10.200.3.1 (This is the port4 IP address of FortiGate)
    Username      admin

4. Leave other settings at their defaults and click Next.

5. Click Next.

6. Select default from the System Template drop-down menu.

7. Click Next.

8. Click Import Later.
   The Remote-FortiGate device should now be listed in Device Manager.

Stop and Think

Why is the FortiGate Policy Package Status showing Never Installed?

Discussion

When Import Later is chosen in the Add Device wizard, or an unregistered device is added to FortiManager, the policy package status will show Never Installed because there is still no policy package created for the newly added FortiGate. You will run the Import Policy wizard later in the training. If you add an unregistered device, then you need to run the Import Policy wizard to import the device's firewall policy into a new policy package.

LAB 4—Device Level Configuration and Installation

In this lab, you will explore the common operations performed using the device manager, such as configuring device-level changes, checking managed device statuses, installing configuration changes, and keeping the managed device in sync with the device database on FortiManager.

Objectives
- Understand managed device statuses on FortiManager
- Use the status information in the Configuration and Installation Status widget
- Make and install configuration changes from Device Manager
- Make configuration changes locally on FortiGate and verify that they are retrieved automatically by FortiManager
- Identify entries in the Revision History and the management action that created the new revision
- Install a large number of managed device changes using scripts

Time to Complete
Estimated: 70 minutes

1 Understanding Managed Device Status

In this exercise, you will check and learn about the status of FortiGate devices on FortiManager.
Depending on the configuration changes, a FortiGate device can have a different Sync Status and Device Settings Status. The Sync Status indicates whether the FortiGate configuration matches the latest revision history. The Device Settings Status indicates whether the FortiGate configuration stored in the device-level database matches the latest running revision history.

To check managed device status

1. From the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with username student and password fortinet.
2. Click Device Manager.

Stop and Think
Why does Config Status for the FortiGate devices show the status Modified?

Discussion
In the last exercise, you applied System Templates to both FortiGate devices. The configuration in the FortiManager device-level database is now different from the latest revision history, which changes the Config Status to Modified. The provisioning template changes need to be installed to the FortiGate devices to return the devices to the synchronized state.

3. Click Local-FortiGate in the left-hand menu.
4. Under the Configuration and Installation Status widget, check Device Settings Status; it should appear as Modified.

Stop and Think
If the Device Settings Status is Modified, why is the FortiGate Sync Status still showing as Synchronized?

Discussion
The Device Settings Status is the status between the device-level database configuration and the latest revision history. Applying System Templates changes the device-level database configuration, so it goes to the Modified state. The Sync Status is the status between the latest revision history and the actual FortiGate configuration.
Because the latest revision history is the same as the FortiGate configuration, the Sync Status is in the Synchronized state.

5. In Local-Windows, open PuTTY and connect to the FORTIMANAGER saved session (connect over SSH).
6. At the login prompt, enter the username admin (all lower case).
7. Enter the following command to display the device statuses through the CLI:

   diagnose dvm device list

   The output shows the serial number of the device, the connecting IP address of the device, the firmware version, the name of the device on FortiManager, and the ADOM in which the device is added.

   Note: You will see FortiAnalyzer as an unregistered device because FortiAnalyzer is configured to query FortiManager for the threat intelligence database (a FortiAnalyzer feature). This is configured for the FortiAnalyzer labs, which use the same lab environment.

8. Examine the STATUS row of the diagnose dvm device list output for Local-FortiGate and Remote-FortiGate.

   db: Modified
     What it means: Device-level configuration changes were made from FortiManager.
     Action to take: The FortiManager administrator can install the configuration changes to the managed device to return it to the unmodified state.

   conf: in sync
     What it means: The latest revision history is in sync with the FortiGate configuration.

   cond: pending
     What it means: Configuration changes need to be installed.
     Action to take: The FortiManager administrator can install the configuration changes to the managed device to return it to the unmodified state.

   conn: up
     What it means: The FGFM tunnel between FortiManager and FortiGate is up.

9. Close the PuTTY session.
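The status fields in the table above lend themselves to an automated fleet check. This added example (Python, not from the lab guide or from Fortinet) parses a constructed device listing carrying the db/conf/cond/dm/conn fields, maps them onto the two GUI statuses the exercise explains, and lists the action from the table; the listing layout and the values the page does not name (dm: retrieved, conn: down) are assumptions.

```python
"""Added example, not part of the lab guide: interpret the per-device STATUS
fields that `diagnose dvm device list` reports on FortiManager, using the
meanings the lab gives for db, conf, cond, dm and conn to decide what the
FortiManager administrator should do next.  The listing below is CONSTRUCTED
to carry those fields; it is not a copy of the real command's output layout."""
import re

# Constructed sample: one header line per managed device (name, ADOM) followed
# by its STATUS line.  Local-FortiGate mirrors the lab (System Template changes
# pending install); Remote-FortiGate is given an assumed tunnel outage.
SAMPLE_LISTING = """\
--- constructed listing (2 devices) ---
Local-FortiGate   My_ADOM
    |- STATUS: db: modified; conf: in sync; cond: pending; dm: installed; conn: up
Remote-FortiGate  My_ADOM
    |- STATUS: db: not modified; conf: in sync; cond: pending; dm: retrieved; conn: down
"""

STATUS_RE = re.compile(r"STATUS:\s*(.+)$")
DEVICE_RE = re.compile(r"^(\S+)\s+(\S+)$")


def parse_status(line):
    """Turn 'db: modified; conf: in sync; ...' into {'db': 'modified', ...}.
    Keys are lower-cased and a 'dev-' prefix is dropped so that the lab's 'db:'
    spelling and a 'dev-db:' spelling (assumed variant) map to the same key."""
    m = STATUS_RE.search(line)
    if not m:
        return None
    fields = {}
    for item in m.group(1).split(";"):
        if ":" not in item:
            continue
        key, value = item.split(":", 1)
        key = key.strip().lower()
        if key.startswith("dev-"):
            key = key[4:]
        fields[key] = value.strip().lower()
    return fields


def parse_listing(text):
    """Pair each device header line with the STATUS line that follows it."""
    devices = []
    current = None
    for raw in text.splitlines():
        status = parse_status(raw)
        if status is not None and current is not None:
            current["status"] = status
            continue
        m = DEVICE_RE.match(raw.strip())
        if m:
            current = {"name": m.group(1), "adom": m.group(2), "status": {}}
            devices.append(current)
    return devices


def gui_statuses(status):
    """Map the CLI fields onto the two GUI statuses the lab explains:
    Device Settings Status (device DB vs. latest revision) and
    Sync Status (latest revision vs. running FortiGate configuration)."""
    device_settings = "Modified" if status.get("db") == "modified" else "Unmodified"
    sync = "Synchronized" if status.get("conf") == "in sync" else "Out of Sync"
    return device_settings, sync


def recommended_actions(status):
    """Actions derived from the lab's status table; empty means nothing to do."""
    actions = []
    if status.get("conn") != "up":
        actions.append("FGFM tunnel is not up: restore connectivity before any install")
    if status.get("db") == "modified" or status.get("cond") == "pending":
        actions.append("Install device settings to return the device to the unmodified state")
    if status.get("conf") != "in sync":
        actions.append("Running config differs from the latest revision: review the revision history")
    return actions


def summarize(text):
    """Return {device name: (Device Settings Status, Sync Status, [actions])}."""
    return {d["name"]: (*gui_statuses(d["status"]), recommended_actions(d["status"]))
            for d in parse_listing(text)}


if __name__ == "__main__":
    for name, (dev, sync, actions) in summarize(SAMPLE_LISTING).items():
        print(f"{name}: Device Settings={dev}, Sync={sync}")
        for action in actions:
            print(f"  - {action}")
```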
2 Install System Template Changes to Managed Devices

In the previous lab, you added FortiGate devices to FortiManager and applied System Templates. In this exercise, you will install the System Template changes to both FortiGate devices and then view those changes by logging in locally to each FortiGate.

Installing System Templates

You will now install the default system template changes to Local-FortiGate and Remote-FortiGate using the Install Wizard.

To install the System Template

1. From the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with username student and password fortinet.
2. Click Device Manager.
3. Click Install > Install Wizard.
4. In the Install Wizard, make sure Install Device Settings (only) is selected and click Next.
5. On the Device Settings page, ensure both FortiGate devices are selected.
6. Click Next.
7. Click Preview for Local-FortiGate. This shows you the changes that will be installed (applied) to the FortiGate device.
8. Click Cancel on the Install Preview page. Optionally, you can also select Preview for Remote-FortiGate.
9. Make sure both FortiGate devices are selected.
10. Click Install.
11. Once the installation is successful, click the View Log icon.

    This is the install log, which shows exactly what is installed on the managed device. The example shown is for Local-FortiGate.

12. Click Close.
13. Click Finish.

Checking Managed Device Status

You will check the managed device status after the install.

To check managed device status

1.
Still in the FortiManager GUI, check the Config Status. It should now appear as Synchronized.
2. Click Local-FortiGate in the left-hand menu.
3. Under Configuration and Installation Status, you should observe that Device Settings Status is in the Unmodified state. This means that the FortiGate's device-level database configuration is the same as the latest revision history.
4. In Local-Windows, open PuTTY and connect to the FORTIMANAGER saved session (connect over SSH).
5. At the login prompt, enter the username admin (all lower case).
6. Enter the following command to display device statuses through the CLI:

   diagnose dvm device list

   You should observe the following in the output for Local-FortiGate and Remote-FortiGate. The db status is not modified, which means that the FortiGate's device-level database configuration matches the latest running revision history. The dm: installed field means that the install was performed from FortiManager.

7. Enter the following command to display the FGFM tunnel statuses:

   diagnose fgfm session-list

   This command can be used to view the connecting IP of managed devices, the link-level address assigned by FortiManager, and the uptime of the FGFM tunnel between FortiGate and FortiManager.

8. Close the PuTTY session.

Viewing Pushed Configuration on the FortiGate

From FortiManager, you have installed the System Template configuration on both FortiGate devices. You will now log in to the Local-FortiGate and Remote-FortiGate GUIs to view the configuration installed from FortiManager.

To view a pushed configuration from the Local-FortiGate GUI

1.
In Local-Windows, open a new browser tab and log in as admin to the Local-FortiGate GUI at 10.0.1.254.
2. Click Login Read-Only.

   Note: When you connect locally to a device managed by FortiManager, you are presented with a warning message because the device is centrally managed. Use the read-write option locally on FortiGate only when it is absolutely necessary, for example when no FortiManager administrator is available to make configuration changes and install them to the managed FortiGate devices.

3. Go to Log & Report > Log Settings. You will notice that the Remote Logging and Archiving settings are the same as the default system template entries.
4. Log out of FortiGate.

To view a pushed configuration through the Remote-FortiGate GUI

1. In Local-Windows, open a new browser tab and log in as admin to the Remote-FortiGate GUI at 10.200.3.1.
2. Click Login Read-Only.
3. Go to Log & Report > Log Settings. You will notice that the Remote Logging and Archiving settings are the same as the default system template entries.
4. Log out of FortiGate.

3 Auto Update and Revision History

By default, configuration changes made directly on FortiGate are automatically updated (retrieved) by FortiManager and reflected in the Revision History. If required, the automatic update behavior can be disabled from the FortiManager CLI under config system admin settings. This allows the FortiManager administrator to accept or refuse the configuration changes. In this lab, you will make configuration changes directly on the FortiGate devices and verify that the configuration changes are retrieved automatically by FortiManager.
You will also review the configuration revision histories of the FortiGate devices, created by auto update and by other actions.

Making Direct Changes on Local-FortiGate

You will now make direct changes on Local-FortiGate.

To make direct changes on Local-FortiGate

1. In Local-Windows, open a new browser tab and log in as admin to the Local-FortiGate GUI at 10.0.1.254.
2. Click Login Read-Write.

   Note: When you connect locally to a device managed by FortiManager, you are presented with a warning message because the device is centrally managed. Use the read-write option locally on FortiGate only when it is absolutely necessary, for example when no FortiManager administrator is available to make configuration changes and install them to the managed FortiGate devices.

3. Click Yes.
4. Go to Log & Report > Log Settings.
5. Under Local Log settings, disable Enable Local Reports.
6. Click Apply.
7. Log out of FortiGate.

Making Direct Changes on Remote-FortiGate

You will now make direct changes on Remote-FortiGate, repeating the same steps you performed for Local-FortiGate.

To make direct changes on Remote-FortiGate

1. In Local-Windows, open a new browser tab and log in as admin to the Remote-FortiGate GUI at 10.200.3.1.
2. Click Login Read-Write.
3. Click Yes.
4. Go to Log & Report > Log Settings.
5. Under Local Log settings, disable Enable Local Reports.
6. Click Apply.
7. Log out of FortiGate.

Viewing Auto Update and Revision History

Now that you have made configuration changes locally on both FortiGate devices, you will view the auto update status on FortiManager and the configuration revision histories created by FortiManager.

To view auto update

1. From the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with username student and password fortinet.
2.
Click Device Manager.
3. You will notice that Config Status is now in the Auto-Update state for both FortiGate devices. This confirms that the changes made locally were backed up to FortiManager.

To view Revision History

1. Click Local-FortiGate.
2. In the Configuration and Installation Status widget, click the Revision History icon.

   You should observe three configurations, though you may have more if you have made further changes:
   - The first Installation status should display as Retrieved, indicating that this configuration was taken from the device's running configuration when it was added to FortiManager.
   - The second Installation status should display as Installed, indicating that these changes were made by FortiManager to the managed device.
   - The third Installation status should display as Auto Updated, indicating that these changes were made locally on FortiGate and were automatically updated in FortiManager.

Viewing the Install Log

When the installation is done from FortiManager, the install log shows the name of the administrator who made the change along with the commands sent by FortiManager. If an installation fails, the install log is useful because it shows which commands were sent to, and accepted by, the managed device, as well as the commands that were not accepted.

To view the install log

1. Still on the Configuration Revision History page, select ID 2 and then click View Install Log. You should see the CLI commands sent by FortiManager (which are identical to the installation previewed earlier) and the FortiGate response.
2. Click Close.
Viewing Auto Update, Revision History, and Install Log for Remote-FortiGate (Optional)

Optionally, you can also view the changes made to Remote-FortiGate by following the steps from Viewing Auto Update and Revision History.

To view auto update, revision history, and the install log for Remote-FortiGate (Optional)

1. Still logged in to the FortiManager GUI, click Remote-FortiGate and follow the steps from Viewing Auto Update and Revision History. For Remote-FortiGate, you will see the NTP settings pushed by FortiManager, based on the NTP settings imported into the default system template from Local-FortiGate.

Log View

As FortiAnalyzer features are enabled on FortiManager, and both FortiGate devices are configured to send logs to FortiManager, you will view the logs for the managed devices under the Log View pane.

To view logs for Local-FortiGate

1. Still logged in to the FortiManager GUI, click Device Manager and select Log View. You should see the traffic logs generated by the FortiGate device.

Task Manager

Task Manager provides the status of the tasks you have performed and can be used for troubleshooting various types of issues, such as adding devices, importing, and installing changes from FortiManager. You will now check the entries in Task Manager.

To check Task Manager entries

1. Log out of the FortiManager GUI and log back in as admin.
2. Click root.
3. Click System Settings.
4. Click Task Monitor in the left-hand menu. This shows the tasks performed by all users.
5. Click the drop-down menu for the Install Device entry and click the View Installation Log icon for Local-FortiGate or Remote-FortiGate.
   This shows the installation log corresponding to the installation that you performed earlier.

6. Click Close.

4 Configuring Device Level Changes

The device-level settings of the managed FortiGate can be viewed and configured from the Device Manager pane. Most of these settings have a one-to-one correlation with the device configuration that you would see if you logged in locally to each FortiGate's GUI or CLI. You will now make configuration changes for the managed FortiGate from the Device Manager pane.

Changing Managed FortiGate Interface Settings

If you try to change the managed FortiGate interface used for communicating with FortiManager, FortiManager warns you that this may break the communication between FortiManager and FortiGate. If there is a communication disruption between FortiManager and FortiGate during an install, FortiManager will attempt to recover the connection, but this will revert the installation changes.

You will now change the Administrative Access setting of the Remote-FortiGate port4 interface, which is the interface Remote-FortiGate uses to communicate with FortiManager.

To change managed FortiGate interface settings

1. From the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with username student and password fortinet.
2. Click Device Manager.
3. Click Remote-FortiGate.
4. Click System : Dashboard and then click Interface.
5. Right-click port4 and click Edit.
6. Under Administrative Access, uncheck TELNET.
7. Click OK.
   When you edit the interface with the IP address that FortiManager uses to reach the managed device(s), FortiManager displays the following warning message:

8. Click OK.
9. Click Managed FortiGates.

Stop and Think
Why is Config Status showing the Modified (recent auto-updated) state for Remote-FortiGate?

Discussion
The Modified status means that a device-level database change has been made to Remote-FortiGate: you changed the interface configuration. The status recent auto-updated in parentheses means that the previous configuration changes were made locally on FortiGate and were auto-updated on FortiManager. You made changes to the logging settings locally in the previous lab.

Filtering Devices Based on Their Statuses

FortiManager allows you to filter devices based on their current status. This is very helpful when you are managing a large number of devices in the same ADOM. Based on the status, the FortiManager administrator can take appropriate action. You can filter device statuses based on:
- Connection
- Device Config (Device database status)
- Policy Package (ADOM database status)

You will now filter devices based on their device config and policy package status.

To filter devices based on their status

1. Still logged in to the FortiManager GUI, click Managed FortiGates.
2. Click the drop-down arrow on Devices (Device Config Modified) and click Modified. Only Remote-FortiGate is shown in the Managed FortiGates list.
3. Click the drop-down arrow on Devices (Policy Package Modified) and click Imported. This time only Local-FortiGate is shown in the Managed FortiGates list.

Configuring the Administrator Account

You will now create a new administrator account for Local-FortiGate on FortiManager.
To configure the administrator account

1. Still in the FortiManager GUI, click Local-FortiGate.
2. Click Display Options.
3. Click Customize.
4. In the System category, click Administrators.
5. Click OK.
6. Click System : Dashboard and then click Administrators.
7. Click Create New.
8. Configure the following:

   Field              Value
   Administrator      training
   Type               Regular
   Password           fortinet
   Confirm Password   fortinet
   Admin Profile      prof_admin

   Your configuration should look like this:

9. Leave all other settings at their default values and click OK.
10. Click Managed FortiGates. You will notice that Config Status has changed to Modified for Local-FortiGate. This is because you made a device-level configuration change for Local-FortiGate by configuring the administrator account.

5 Installing Configuration Changes

You have now made configuration changes to the managed devices from FortiManager:
- For Remote-FortiGate, you changed the administrative access on port4.
- For Local-FortiGate, you configured a new administrator.

You will now install these changes to the managed devices using the Install wizard, and view the installation history. You will also compare the differences between revision history configurations using the Revision Diff feature.

Viewing the Install Preview

You will first preview the install changes from the Configuration and Installation Status widget.

To view the install preview

1. From the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with username student and password fortinet.
2. Click Device Manager.
3.
Click Remote-FortiGate.
4. Under the Configuration and Installation Status widget, click Preview.

   This shows the device-level configuration changes that will be installed on the managed device when FortiManager performs the device-level install.

   Note: The install Preview under the Configuration and Installation Status widget only shows the preview for the device-level changes, not the changes related to policies and objects.

5. Click OK. Optionally, you can follow this same procedure to view the install Preview for Local-FortiGate.

Install Wizard

You will install these changes to the managed devices using the Install wizard.

To install configuration changes to FortiGates using the Install Wizard

1. Still logged in to the FortiManager GUI, click Install Wizard.
2. Select Install Device Settings (only).
3. Click Next.
4. On the Device Settings page, ensure both FortiGate devices are selected.
5. Click Next.
6. Click Preview for Local-FortiGate. This shows you the changes that will be installed (applied) to the FortiGate device.
7. Click Cancel on the Install Preview page. Optionally, you can also check the Preview for Remote-FortiGate.
8. Make sure both FortiGate devices are selected.
9. Click Install.
10. Once the install is successful, click the View Log icon. This is the install log, which shows exactly what is installed on the managed device.
11. Click Close on the Install Log page.
12. Click Finish.
13. Click Managed FortiGates. The Config Status should now be in the Synchronized state.
Revision Diff

After every retrieve, auto update, and install operation, FortiManager stores the FortiGate's configuration checksum output with the revision history. This is how the out-of-sync condition is calculated. Revision Diff is a useful feature for comparing the differences between previous revisions, a specific revision, or the factory default configuration. For the output, you can choose to show the full configuration with differences, only the differences, or capture the differences to a script.

You will now compare the differences between the latest revision and the previous revision.

To view Revision Diff

1. Still logged in to the FortiManager GUI, click Local-FortiGate.
2. Under the Configuration and Installation Status widget, click the Revision History icon.
3. Click ID 4 and click Revision Diff.
4. Select Show Diff Only.
5. Click Apply. This shows the difference in configuration between the previous version and the current running version. Remember, you configured the administrator account for Local-FortiGate.
6. Click Close.
7. Click ID 4 again and click Revision Diff.
8. Select Capture Diff to a Script.
9. Click Apply.
10. Select Save File.
11. Click OK. Note the folder where it is downloaded.
12. Click Close.
13. Click Close.
14. Click the download icon on Firefox.
15. Right-click the file name and click Open Containing Folder.
16. Open the file using Notepad++. This shows you the exact CLI syntax of the changes.
    This script can be used, through the script feature on FortiManager, to configure other FortiGate devices that require the same settings.

17. Close Notepad++.

Caution: This exercise demonstrates capturing a diff in the form of a script. Make sure the captured script is valid for other FortiGate devices before using it on them. If required, you can edit the script before applying it to other FortiGate devices. For example, if you had configured a static route along with the administrator setting, the static route settings might not be valid for other FortiGate devices.

6 Scripts

A script can make many changes to a managed device and is useful for bulk configuration changes and for consistency across multiple managed devices. You can configure and install scripts from FortiManager to managed devices. Scripts can be run on:
- Device Database (default)
- Policy Package, ADOM Database
- Remote FortiGate Directly (via CLI)

An install must be performed if a script is run on a device database or on a Policy Package, ADOM database. In this exercise, you will make many configuration changes by using the script feature and installing them on the managed devices.

Enabling the Script Feature

Scripts are disabled by default. They can be enabled from Display Options in Admin Settings and configured from Device Manager.

To enable the Script feature

1. From the Local-Windows VM, open a browser and log in as admin to the FortiManager GUI at 10.0.1.241.
2. Select root.
3. Select System Settings.
4. Go to Admin > Admin Settings.
5. Click the drop-down menu for Display Options on GUI and enable Show Scripts.
6. Click Apply.
7. Log out of FortiManager.

Configuring Scripts

You will now configure scripts for the managed devices.

To configure scripts

1.
From the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with username student and password fortinet.
2. Click Device Manager.
3. Click Scripts.
4. Click More and click Import.
5. In the Script Name field, enter Local.
6. Click Browse.
7. Browse to Desktop > Resources > FortiManager > Device-Config and select LocalScript.
8. Click the drop-down menu for Advanced Filters.
9. Click Device and select Local-FortiGate from the drop-down menu.
10. Click OK.
11. Click More and click Import.
12. In the Script Name field, enter Remote.
13. Click Browse.
14. Browse to Desktop > Resources > FortiManager > Device-Config and select Remote-Script.
15. Click the drop-down menu for Advanced Filters.
16. Click Device and select Remote-FortiGate from the drop-down menu.
17. Click OK.

Running and Installing Scripts

As the scripts target the device database, you will first run the scripts against the device database and then install the resulting changes on the managed devices.

To run scripts

1. Still logged in to the FortiManager GUI, right-click Local and click Run Script Now.
2. Select Local-FortiGate and click Run Now at the bottom.
3. Click View Details and then click the View Script Execution History icon. Scroll to the bottom of the script execution window to check that the script ran successfully on the device database.

   Note: If needed, you can also view the script execution history later from the Configuration and Installation Status widget or from the Task Monitor.

4. Click Close.
5. Click Close.
6. Right-click Remote and click Run Script Now.
7.
Select Remote-FortiGate and click Run Now at the bottom of the page.
8. Click Close.

To install scripts

1. Still logged in to the FortiManager GUI, click Device & Groups.

Stop and Think
Why is the Config Status showing Modified for both FortiGate devices? Why is the Policy Package Status for Local-FortiGate showing Out of Sync, while the Policy Package Status for Remote-FortiGate remains unchanged as Never Installed?

Discussion
The scripts contain configuration changes related to device-level settings and policies. The Config Status is Modified for both FortiGate devices because of the device-level changes. Because the Local-FortiGate policy package was imported when you added the FortiGate, FortiManager detects the policy-level changes and marks the Local-FortiGate Policy Package Status as Out of Sync. For Remote-FortiGate, the policy package was never imported, so FortiManager cannot compare the differences in the policies.

2. Select Local-FortiGate and Remote-FortiGate, click Install, and then click Install Config.
3. Click OK. The installation will be successful on both FortiGate devices.

   Note: The Install Config option does not provide an install preview or an install log. It should be used only if you are absolutely sure about the changes you are trying to install. If needed, you can view the installation history later from the Configuration and Installation Status widget or from the Task Monitor.

4. Click Finish.

LAB 5—Policy & Objects

In this lab, you will explore the common operations of the Policy & Objects pane in order to centrally manage FortiGate firewall policies, and to manage shared and dynamic objects.
Objectives
- Import firewall policies and objects from a managed device and review the imported policy packages
- Create ADOM revisions
- Use workflow mode to configure and send changes for approval
- Find duplicate objects and merge them, and delete used objects
- Create and assign header policies to policy packages in an ADOM
- Create a policy package shared across multiple devices
- Create shared objects and dynamic objects with mapping rules
- Identify the different policy and object interface mapping types and configure zone mappings
- Install a policy package and device settings from the Policy & Objects pane

Time to Complete
Estimated: 70 minutes

1 Import Policy and ADOM Revisions

In the previous lab, you installed scripts that contain device-level and policy configuration changes. Because the scripts were run on the device database, which created the revision history containing these changes, the policy packages are not automatically updated and need to be imported manually. In this exercise, you will import the policies using the Import Policy wizard in order to update the policy packages. Additionally, you will create an ADOM revision, which is a snapshot of all the policy and object configurations for an ADOM.

Import Policy

You will now import policies and objects for both managed FortiGate devices.

To import policies

1. From the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with username student and password fortinet.
2. Click Device Manager.
3. Right-click Local-FortiGate and click Import Policy.
4. Click Next.
5. Rename Policy Package Name to Local-FortiGate-1.
6. Select Import All Objects.
7. Click Next.
8. Click Next on the conflict page. Review the objects to be imported.
9. Click Next.
10.
Click Download Import Report.
11. Select Open with and click OK to review the import report.
12. Review the import report and close Notepad.
13. Click Finish.

Note: Download Import Report is available only on this page; make sure to download the import report before clicking Finish.

14. Right-click Remote-FortiGate and click Import Policy.
15. Click Next until you reach the Finish page.
16. Click Finish.
17. Click Device Manager and click Policy & Objects.
18. Compare the policies in the Local-FortiGate and Local-FortiGate-1 policy packages by clicking IPv4 Policy on each policy package.

Policy package: Local-FortiGate
Policy package: Local-FortiGate-1

Creating ADOM Revisions

An ADOM revision is a snapshot of the policy and object configuration for the ADOM. Now that you have imported policies and objects from both FortiGate devices, you will create ADOM revisions. Revisions are stored locally on FortiManager and are useful for comparing the differences between two revisions, or for reverting to a previous revision.

To create an ADOM revision

1. Still logged in to the FortiManager GUI, click ADOM Revisions.
2. Click Create New and name the revision Initial revision.
3. Enable Lock this revision from auto-deletion.
4. Click OK. You will notice the lock icon, the name of the administrator who created the revision, and the date and time.
5. Click Close.

2 Workflow Mode

Workflow mode is used to control the creation, configuration, and installation of policies and objects. It helps to ensure that all changes are reviewed and approved before they are applied.
Workflow mode is similar to ADOM locking (workspace mode), but it also allows administrators to submit their configuration changes for approval. The configuration changes are not committed to the FortiManager database until the approval administrator approves them. Only after they are approved can these configuration changes be installed on the managed device.

In this exercise, you will enable workflow mode and then make configuration changes related to policies and objects. You will send the changes for approval and, once they are approved, you will install them.

To enable workflow mode and configure approval permissions

1. On the Local-Windows VM, open PuTTY and connect to the FORTIMANAGER saved session (connect over SSH).
2. At the login prompt, enter the username admin (all lower case).
3. Enter the following commands to set the workspace mode to workflow:

config system global
    set workspace-mode workflow
end

Note: Before enabling workflow mode, make sure all FortiManager administrators are notified to save their changes and work on the FortiManager, because enabling workflow mode will terminate all management sessions.

4. Enter the following commands to configure approval permissions. This configures the admin administrator as the approver for My_ADOM:

config system workflow approval-matrix
    edit My_ADOM
        config approver
            edit 1
                set member admin
            next
        end
end

5. Close the PuTTY session.

To configure policies and objects and send them for approval

1. From the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with username student and password fortinet.
2. Click Lock at the top to lock the ADOM.
3. Click Policy & Objects.
4. Click Sessions > Session List.
5. Click Create New.
6. In the Session Name field, type Training.
7. Click OK.
8. Click Object Configurations at the top.
9. Click Tools > Find Duplicate Objects.
10.
Click Firewall Address. You will notice that LAN and LOCAL_SUBNET have the same configuration. The page also shows other objects that have the same values.
11. Click Merge for the LAN and LOCAL_SUBNET firewall addresses.
12. In the Merge all to drop-down list, select LOCAL_SUBNET.
13. Click Merge.
14. Click Close.

Note: By merging duplicate objects, you reduce the size of the object database, which can otherwise overwhelm the FortiManager administrator with a large number of objects from different FortiGate devices in the same ADOM. You can also delete unused objects from the same Tools menu, if they will not be used in the future.

15. Click Firewall Objects > Addresses.
16. Right-click the LINUX address object and click Delete.
17. Click OK.
18. Click the Where Used icon. This shows you where the object is referenced: it is referenced in the Local-FortiGate-1 policy package, in firewall policy 1, as the destination address.
19. Click Close.
20. Click Delete Anyway.

Caution: FortiManager allows you to delete an object that is in use. Be careful before deleting a used object, because it will be replaced by the none address 0.0.0.0/255.255.255.225. This means any traffic matching that specific firewall policy will be blocked if there is no catch-all or shadowed policy below it. In this case, the destination address of firewall policy 1 in the Local-FortiGate-1 policy package is replaced by none after the LINUX address object is deleted. You will test this later in this exercise.

21. Click Save.
22. Click Sessions and click Submit.
23. Click OK. The ADOM will unlock itself after the changes are submitted.
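To see why the caution in step 20 matters, here is an added Python model of FortiGate's top-down IPv4 policy lookup (written for this guide; it is not Fortinet's code). It deletes the LINUX object the way Delete Anyway does, rewriting every reference to none, and shows that the ping to 10.200.1.254 then falls through to the catch-all policy, or hits the implicit deny when no catch-all exists. The policy names, the source addresses and the representation of none as the single host 0.0.0.0 are assumptions of the model.

```python
import ipaddress
from dataclasses import dataclass

# 'none' is modelled as the single host 0.0.0.0, which no real traffic matches
# (an assumption of this model; FortiManager shows it with an all-ones netmask).
NONE_ADDRESS = ipaddress.ip_network("0.0.0.0/32")

# Constructed address objects for the lab scenario. LINUX is the host the
# continuous ping targets; 'all' is the built-in catch-all address.
LAB_ADDRESSES = {
    "all": ipaddress.ip_network("0.0.0.0/0"),
    "LINUX": ipaddress.ip_network("10.200.1.254/32"),
    "none": NONE_ADDRESS,
}


@dataclass
class Policy:
    seq: int
    name: str
    srcaddr: str
    dstaddr: str
    action: str  # "accept" or "deny"


def lab_policies():
    """Constructed IPv4 policy list of the Local-FortiGate-1 package: seq 1
    denies traffic to LINUX, seq 2 is the catch-all (source addresses assumed)."""
    return [
        Policy(1, "BLOCK_LINUX", "all", "LINUX", "deny"),
        Policy(2, "ALLOW_ALL", "all", "all", "accept"),
    ]


def where_used(policies, name):
    """Return (seq, field) pairs that reference an address object, like Where Used."""
    refs = []
    for p in policies:
        if p.srcaddr == name:
            refs.append((p.seq, "srcaddr"))
        if p.dstaddr == name:
            refs.append((p.seq, "dstaddr"))
    return refs


def delete_address_object(addresses, policies, name):
    """Model Delete Anyway: drop the object and rewrite every reference to 'none'.
    Returns the references that were rewritten."""
    if name not in addresses:
        raise KeyError(f"unknown address object {name!r}")
    refs = where_used(policies, name)
    for seq, fld in refs:
        pol = next(p for p in policies if p.seq == seq)
        setattr(pol, fld, "none")
    del addresses[name]
    return refs


def match_policy(addresses, policies, src, dst):
    """First-match lookup, top down, the way FortiGate evaluates IPv4 policies.
    Returns the matching Policy, or None for the implicit deny at the end."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for p in policies:
        if src_ip in addresses[p.srcaddr] and dst_ip in addresses[p.dstaddr]:
            return p
    return None


def ping_outcome(addresses, policies, src="10.0.1.10", dst="10.200.1.254"):
    """Summarise what happens to the lab ping: (matched seq or None, action)."""
    p = match_policy(addresses, policies, src, dst)
    return (p.seq, p.action) if p else (None, "implicit deny")


def lab_scenario(keep_catch_all=True):
    """Run the exercise end to end: ping outcome before and after deleting LINUX."""
    addresses = dict(LAB_ADDRESSES)
    policies = lab_policies()
    if not keep_catch_all:
        policies = policies[:1]  # the situation the caution warns about
    before = ping_outcome(addresses, policies)
    delete_address_object(addresses, policies, "LINUX")
    after = ping_outcome(addresses, policies)
    return before, after


if __name__ == "__main__":
    print("with catch-all:   ", lab_scenario(True))   # ((1, 'deny'), (2, 'accept'))
    print("without catch-all:", lab_scenario(False))  # ((1, 'deny'), (None, 'implicit deny'))
```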
Note: Your changes are still not saved in the FortiManager database, because they must be approved by the approval administrator.

To approve the changes

1. Log out of FortiManager and log back in as admin.
2. Click My_ADOM.
3. Click Lock.
4. Click Policy & Objects.
5. Click Sessions > Session List.

Note: The session list shows the name of the request, the user, the date, and the approval status. The approver administrator can approve, reject, or discard a session, or view the differences between two revisions. The approver administrator can also create a session that is sent to a different approval administrator, or self-approve, depending on the workflow approval matrix.

6. Select ID 1 and click Approve.
7. Click OK.
8. Click Continue Without Session.
9. Click Unlock.
10. Log out of FortiManager.

Note: If an administrator who holds ADOM locks logs out of FortiManager, the locks are released and all ADOMs locked by that administrator are unlocked.

Caution: Always log out of FortiManager gracefully when ADOM locking (workspace or workflow) is enabled. If a session is not closed gracefully (for example, a PC crash or a closed browser window), FortiManager does not close the administrator session until the administrator session times out or the session is deleted. The locked ADOM remains locked. The session then has to be deleted manually through the GUI or the CLI. In the GUI: System Settings > System Information widget > Current Administrators > Admin Session List. In the CLI:

To install configuration changes after approval

1. From the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with username student and password fortinet.
2. Click Lock at the top.
3. Click Policy & Objects.
4. Click Local-FortiGate-1 > IPv4 Policy. You will notice that LINUX has been replaced by none.
5.
On the Local-Windows VM, open a command prompt and run a continuous ping to the LINUX address object:

ping 10.200.1.254 -t

You will notice the requests time out, because the firewall policy on the Local-FortiGate has LINUX as the destination and DENY as the action.

Screenshot from the Local-FortiGate.

6. Return to the FortiManager GUI and click Install > Install Wizard.
7. Make sure the following are selected:
   Install Policy Package and Device Settings
   Policy Package: Local-FortiGate-1
8. Click Next.
9. Click Next.
10. Click Preview.
11. Press Ctrl+F and search for the following:
   config firewall policy
   LINUX
   You will notice FortiManager is replacing the destination address of firewall policy 1 with none and deleting the LINUX address object. FortiManager will also delete any other unused objects. This is normal: when you install a policy package for the first time, FortiManager deletes all unused objects.
12. Click Cancel in the Install Preview pop-up window.
13. Click Install.
14. After the install is successful, click View Log to view the installation history.
15. Click Close.
16. Click Finish.
17. Go back to the command prompt where you started the ping to LINUX. You now get replies, because there is a catch-all policy below the BLOCK_LINUX policy. After the installation, LINUX is replaced by none, so the traffic is processed by the seq#2 firewall policy instead.
18. Close the command prompt.

To disable workflow mode

1. On the Local-Windows VM, open PuTTY and connect to the FORTIMANAGER saved session (connect over SSH).
2. At the login prompt, enter the username admin (all lower case).
3. Enter the following commands.
config system global
    set workspace-mode disabled
    y
end

Type y at the confirmation prompt that follows the set command. All administrators will be logged out of the FortiManager GUI when the change is saved, so before disabling workspace-mode, inform all administrators logged in to FortiManager to save their work.

3 Creating and Assigning Header Policies in the Global ADOM

Header and footer policies are used to envelop the policies in each individual ADOM. They can be created once in the Global ADOM and assigned to multiple policy packages in different ADOMs. In this exercise, you will create a header policy in the Global ADOM and assign it to the managed devices in My_ADOM. Then you will install the header policy on the managed devices.

To create a header policy

1. On the Local-Windows VM, open a browser and log in as admin to the FortiManager GUI at 10.0.1.241.
2. Select Global Database.
3. Click IPv4 Header Policy.
4. Click Create New.
5. Configure the following:

   Field                 Value
   Name                  Global_Policy
   Incoming Interface    any
   Outgoing Interface    any
   Source Address        gall
   Destination Address   gall
   Service               gPING
   Schedule              galways
   Action                Deny

   Your configuration should look like this:

6. Click OK.

To assign a header policy

1. Click Assignment.
2. Click Add ADOM.
3. Choose the following:

   Field     Value
   ADOMs     My_ADOM
   Specify ADOM to policy package to exclude: select the check box and select the following: default, Local-FortiGate

4. Click OK.
5. Click Assign.
The header policy is assigned to the Local-FortiGate-1 and Remote-FortiGate policy packages.

To install a header policy

1. Still logged in to the FortiManager GUI, click ADOM: Global Database.
2. Click My_ADOM.
3. Click Local-FortiGate-1 > IPv4 Header Policy to view the assigned header policy. Optionally, you can perform the same step to view the header policy in the Remote-FortiGate policy package.
4. Click the Local-FortiGate-1 policy package.
5. Click Install > Re-install Policy.
6. Click Preview. The configuration changes that will be installed on FortiGate are displayed. In this case, the header policy and related objects will be installed.
7. Click Cancel in the Install Preview pop-up window.
8. Click Next.
9. Click Finish.
10. Click the Remote-FortiGate policy package.
11. Click Install > Re-install Policy.
12. Click Next.
13. Click Finish.
14. Log in to the Local-FortiGate (https://10.0.1.254) and Remote-FortiGate (https://10.200.3.1) with the username admin.
15. Click Login Read-Only.
16. Go to Policy & Objects > IPv4 Policy. You should observe the header policy at the top.
17. Log out of both FortiGate devices.
18. On the Local-Windows VM, open a command prompt and try to ping an external host (for example, 4.2.2.2). You should observe that the ping fails, because the header policy was configured to block ping.
19. Close the command prompt.

4 Creating a Common Policy for Multiple Devices

You will create a single policy package that can be shared by multiple devices, as opposed to the current configuration, which has one policy package per device.
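Before the click-through steps, here is an added Python model of what this exercise builds (written for this guide; it is not Fortinet's code). It resolves a shared policy package per device: the Internal address and the Inside interface take their per-device mappings, the Outside zone is pushed as a zone with its mapped member ports, and the For_Local policy is left out for Remote-FortiGate by its Install On target, so Local-FortiGate receives two policies and Remote-FortiGate one. The names and values come from the lab steps; the data layout and function names are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed model of the Training package. Dynamic address: a default value
# plus one per-device mapping, exactly as configured in the Addresses steps.
DYNAMIC_ADDRESSES = {
    "Internal": {
        "default": "10.0.0.0/8",
        "Local-FortiGate": "10.0.1.0/24",
        "Remote-FortiGate": "10.0.2.0/24",
    },
}
STATIC_ADDRESSES = {"all": "0.0.0.0/0"}

# Dynamic interface 'Inside' maps to one port per device; dynamic zone
# 'Outside' is created on each device with the mapped member ports.
DYNAMIC_INTERFACES = {
    "Inside": {"Local-FortiGate": ["port3"], "Remote-FortiGate": ["port6"]},
}
DYNAMIC_ZONES = {
    "Outside": {"Local-FortiGate": ["port1", "port2"],
                "Remote-FortiGate": ["port4", "port5"]},
}

INSTALLATION_TARGETS = {"Local-FortiGate", "Remote-FortiGate"}


@dataclass
class Policy:
    name: str
    srcintf: str
    dstintf: str
    srcaddr: str
    dstaddr: str
    service: List[str]
    install_on: Optional[Set[str]] = None  # None means every installation target


TRAINING_PACKAGE = [
    Policy("For_Local", "Inside", "Outside", "Internal", "all",
           ["HTTP", "HTTPS", "ALL_ICMP"], install_on={"Local-FortiGate"}),
    Policy("For_All", "Inside", "Outside", "Internal", "all", ["SSH", "DNS"]),
]


def resolve_address(name, device):
    """Per-device mapping if one exists, otherwise the object's default value."""
    if name in STATIC_ADDRESSES:
        return STATIC_ADDRESSES[name]
    mapping = DYNAMIC_ADDRESSES[name]
    return mapping.get(device, mapping["default"])


def resolve_interface(name, device):
    """A dynamic interface becomes the mapped port; a dynamic zone keeps its
    name because the zone itself is created on the device. Raises KeyError
    when the device has no mapping, which is what would stop an install."""
    if name in DYNAMIC_ZONES:
        if device not in DYNAMIC_ZONES[name]:
            raise KeyError(f"zone {name!r} has no mapping for {device}")
        return name
    ports = DYNAMIC_INTERFACES[name][device]  # KeyError if unmapped
    if len(ports) != 1:
        raise ValueError(f"dynamic interface {name!r} must map to one port")
    return ports[0]


def render_for_device(package, device, targets=INSTALLATION_TARGETS):
    """Produce what the install wizard would push to one device: the policies
    whose Install On includes it, with every dynamic name resolved."""
    if device not in targets:
        raise ValueError(f"{device} is not an installation target")
    policies, addresses, zones = [], {}, {}
    for pol in package:
        if pol.install_on is not None and device not in pol.install_on:
            continue
        for addr in (pol.srcaddr, pol.dstaddr):
            addresses[addr] = resolve_address(addr, device)
        for intf in (pol.srcintf, pol.dstintf):
            if intf in DYNAMIC_ZONES:
                zones[intf] = DYNAMIC_ZONES[intf][device]
        policies.append({
            "name": pol.name,
            "srcintf": resolve_interface(pol.srcintf, device),
            "dstintf": resolve_interface(pol.dstintf, device),
            "srcaddr": pol.srcaddr,
            "dstaddr": pol.dstaddr,
            "service": list(pol.service),
        })
    return {"policies": policies, "addresses": addresses, "zones": zones}


if __name__ == "__main__":
    for dev in sorted(INSTALLATION_TARGETS):
        out = render_for_device(TRAINING_PACKAGE, dev)
        print(dev, [p["name"] for p in out["policies"]], out["addresses"], out["zones"])
```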
You will use the installation target setting in a firewall policy to target specific policies to specific FortiGate devices.

Dynamic Mappings - Address Objects

First, you will configure dynamic mappings for objects. Dynamic mappings map a single logical object to a unique definition per device.

To create dynamic mappings for address objects

1. On the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with username student and password fortinet.
2. Click Policy & Objects.
3. Click Object Configuration.
4. Click Firewall Objects > Addresses.
5. Click Create New > Address.
6. Configure the following:

   Field          Value
   Address Name   Internal
   Type           IP/Netmask
   IP/Netmask     10.0.0.0/8

7. For the Per-Device Mapping, configure the following:
   - Turn on Per-Device Mapping.
   - Click Add.
   - Select Local-FortiGate for the Mapped Device.
   - Type 10.0.1.0/24 for IP/NetMask.
   - Click OK.
   - Click Add again.
   - Select Remote-FortiGate for the Mapped Device.
   - Type 10.0.2.0/24 for IP/NetMask.
   - Click OK.

   Your configuration should look like this:

8. Click OK.

Dynamic Mappings - Interfaces and Zones

You will now create dynamic mappings for interfaces and zones.

To create dynamic mappings for interfaces and zones

1. Still in the FortiManager GUI, click Zone/Interfaces > Interface.
2. Click Create New > Dynamic Interface.
3. In the Name field, type Inside.
4. Turn on the Per-Device Mapping switch and click Add.
5. Configure the following:
   - Select Local-FortiGate for the Mapped Device.
   - Select port3 for the Device Interface.
   - Click OK.
   Note: You will get the following warning message: "The new mapping will delete the old mapping, are you sure you want to continue". This is because the interfaces were dynamically mapped when the devices were added to FortiManager. FortiManager will now delete the old mapping and map these interfaces to the newly created dynamic interface.
   - Click OK in the warning pop-up window.
   - Click Add again.
   - Select Remote-FortiGate for the Mapped Device.
   - Select port6 for the Device Interface.
   - Click OK.
   - Click OK in the warning message.

   Your configuration should look like this:

6. Click OK.
7. Still in the FortiManager GUI, click Create New > Zone.
8. In the Name field, type Outside.
9. Turn on the Per-Device Mapping switch and click Add.
10. Configure the following:
   - Select Local-FortiGate for the Mapped Device.
   - Select port1, port2 for the Device Interface.
   - Enable Block intra-zone traffic.
   - Click OK.
   - Click OK in the warning pop-up window.
   - Click Add again.
   - Select Remote-FortiGate for the Mapped Device.
   - Select port4, port5 for the Device Interface.
   - Enable Block intra-zone traffic.
   - Click OK.
   - Click OK in the warning message.

   Your configuration should look like this:

11. Click OK. You have now created a dynamic interface and a zone.

Creating a Common Policy Package

FortiManager can target a common policy package to multiple devices. So far, you have created the dynamic mappings for objects and interfaces; now you will create a common policy package that targets Local-FortiGate and Remote-FortiGate.

To create a common policy package

1. Still in the FortiManager GUI, click Policy Package.
2.
Click Policy Package > New Package.
3. Name the new policy package Training and click OK.
4. Click Training > IPv4 Header Policy. You will notice that the global header policy was assigned automatically. This is because in the previous exercise you assigned My_ADOM in the global policy assignment and, by default, when a new policy package is created, the global policies are assigned to the new package.
5. Log out and log in again as the admin user in FortiManager.
6. Click Global Database.
7. Click Assignment.
8. Select My_ADOM and click Edit ADOM.
9. Add Training to the policy package exclude list.
10. Click OK.
11. Click Assign.
12. Log out of the FortiManager GUI, and log in again with username student and password fortinet.
13. Click Policy & Objects.
14. Click Training. You will notice that the Training policy package no longer has a header policy.
15. Click IPv4 Policy and click Create New.
16. Configure the following:

   Field                 Value
   Name                  For_Local
   Incoming Interface    Inside
   Outgoing Interface    Outside
   Source Address        Internal
   Source User           student
   Destination Address   all
   Service               HTTP, HTTPS, ALL_ICMP
   Schedule              always
   Action                Accept
   NAT                   Enable the check box
   Security Profiles     Enable Use Standard Security Profiles
   AntiVirus Profile     default

17. Click OK.
18.
Click Create New to create a second policy and configure the following:

   Field                 Value
   Name                  For_All
   Incoming Interface    Inside
   Outgoing Interface    Outside
   Source Address        Internal
   Destination Address   all
   Service               SSH, DNS
   Schedule              always
   Action                Accept
   NAT                   Enable the check box

19. Click OK.

Your configuration should look like this:

Configuring an Installation Target and Install On

A policy package can be targeted to multiple devices. When you configure an installation target, by default all policies in the policy package are targeted to all selected FortiGate devices. You can further restrict policies in the policy package to specific FortiGate devices by using the Install On feature, which targets specific policies to specific selected FortiGate devices in the Install On column.

To configure an installation target and install on

1. Still logged in to the FortiManager GUI, click Installation Targets for the Training policy package.
2. Click Add.
3. Select Local-FortiGate and Remote-FortiGate and click OK. The Policy Package Status column shows the name of the currently active policy package for these FortiGate devices.
4. Click IPv4 Policy for the Training policy package.
5. Click Column Settings and click Install On. Once added, you can drag the Install On column to where you want it positioned in the column list.
6. For the For_Local policy, click Installation Targets.
7. Select Local-FortiGate.
8. Click OK.

Your policies should look similar to the following:

To install a policy package

1. Click Install > Install Wizard.
2.
Make sure the following are selected:
   Install Policy Package & Device Settings
   Policy Package: Training
3. Enable Create Revision and name the revision Common Package.
4. Click Next.
5. Make sure both FortiGate devices are selected and click Next.
6. Select both FortiGate devices. If you hover your cursor over the Status column of the FortiGate devices, it shows you the name of the previous policy package. Optionally, you can preview the changes before the installation attempt.
7. Make sure both FortiGate devices are selected and click Install.
8. Once the installation is successful, you can click View Log to see the installation history for each FortiGate.
9. Click Close in the Install Log window.
10. Click Finish.

To view configuration changes locally on FortiGate

1. Log in to the Local-FortiGate (https://10.0.1.254) with the username admin.
2. Click Login Read-Only.
3. Go to Policy & Objects > IPv4 Policy. You should observe the following:
   - There are two firewall policies, based on the Training policy package.
   - The Inside interface is translated to port3 locally on FortiGate, and the Outside zone is created locally on FortiGate, as per the dynamic mapping of interfaces and zones.
4. Click Addresses. Internal is translated to 10.0.1.0/24, as per the dynamic mapping of address objects.
5. Click Network > Interfaces. An Outside zone is created with interfaces port1 and port2, as per the interface and zone dynamic mappings.
6. Log out of FortiGate.
7. Try to log in to Remote-FortiGate (https://10.200.3.1). Why are you getting an authentication page? This is because of the identity policy on the Local-FortiGate: all outgoing HTTP and HTTPS traffic must be authenticated on the Local-FortiGate device.
8.
When prompted for firewall authentication, enter the username student and the password fortinet.
9. Once authenticated, log in to the Remote-FortiGate using admin as the username and no password.
10. Click Login Read-Only.
11. Go to Policy & Objects > IPv4 Policy.
12. You should observe the following:
   - There is only one firewall policy, based on the Training policy package Install On targets.
   - The Inside interface is translated to port6 locally on the FortiGate, and the Outside zone is created locally on the FortiGate, as per the dynamic mapping of interfaces and zones.
   Optionally, you can check the interface and zone under Network, and the Internal address object under Addresses.

To review ADOM revisions

1. Return to the FortiManager GUI and, under Policy & Objects, click ADOM Revisions.
2. Right-click Common Package and click Lock.
3. Right-click Initial revision and click Delete.
4. Click OK.
5. Click Close. You can use this revision to revert changes made to the policy packages and objects in your ADOM. Remember that this does not revert Device Manager level settings.

LAB 6—VPN

In this lab, you will configure a site-to-site IPsec VPN between Local-FortiGate and Remote-FortiGate using Device Manager.

Objectives
- Create an IPsec VPN using Device Manager.

Time to Complete
Estimated: 20 minutes

1 Configuring IPsec VPN

In this exercise, you will configure a site-to-site IPsec VPN between the managed FortiGate devices.

Configuring IPsec Phase I and Phase II

Now, you will configure IPsec phase I and phase II for Local-FortiGate.

To configure IPsec Phase I and Phase II for Local-FortiGate

1.
On the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with username student and password fortinet.
2. Click Device Manager.
3. Click Tools > Global Display Options.
4. Select the following check boxes:
   - IPsec Phase 1
   - IPsec Phase 2
   - IPsec VPN
5. Click OK.
6. Click Local-FortiGate.
7. Click Display Options.
8. Select Inherit From ADOM.
9. Click OK.
10. Click VPN > IPsec Phase 1.
11. Click Create New.
12. Configure the following values:

   Field                   Value
   Name                    To_Remote
   Remote Gateway          Static IP Address
   IP Address              10.200.3.1
   Local Interface         port1
   Mode                    Main
   Authentication Method   Pre-shared Key
   Pre-shared Key          fortinet (Tip: delete all dots before typing the pre-shared key)
   Peer Options            Any peer ID

13. Click Advanced... (XAUTH, NAT-traversal, DPD).
14. Configure the following values:

   Field                   Value
   P1 Proposal             Encryption AES128, Authentication SHA256 (delete all other entries)
   Diffie-Hellman Groups   5
   Dead Peer Detection     On Idle

15. Leave all other settings at their default values, and then, at the bottom of the page, click OK.
16. Click VPN > IPsec Phase 2.
17. Click Create New.
18. Configure the following values:

   Field         Value
   Tunnel Name   To_Rem_P2
   Phase 1       To_Remote

19. Leave all other settings at their default values, and then, at the bottom of the page, click OK.

Configuring Static Route

Now, you will configure the static route for the IPsec VPN.

To configure Static Route on Local-FortiGate

1. In the FortiManager GUI, click Router > Static Route.
2. Click Create New > Static Route.
3. Configure the following values:

   Field         Value
   Destination   Subnet 10.0.2.0/24
   Device        To_Remote

4. Leave all other settings at their default values, and then, at the bottom of the page, click OK.
Configuring IPsec Phase I and Phase II

Now, you will configure IPsec phase I and phase II for Remote-FortiGate.

To configure IPsec Phase I and Phase II for Remote-FortiGate

1. In the FortiManager GUI, click Remote-FortiGate.
2. Click VPN > IPsec Phase 1.
3. Click Create New.
4. Configure the following values:

   Field                   Value
   Name                    To_Local
   Remote Gateway          Static IP Address
   IP Address              10.200.1.1
   Local Interface         port4
   Mode                    Main
   Authentication Method   Pre-shared Key
   Pre-shared Key          fortinet (Tip: delete all dots before typing the pre-shared key)
   Peer Options            Any peer ID

5. Click Advanced... (XAUTH, NAT-traversal, DPD).
6. Configure the following values:

   Field                   Value
   P1 Proposal             Encryption AES128, Authentication SHA256 (delete all other entries)
   Diffie-Hellman Groups   5
   Dead Peer Detection     On Idle

7. Leave all other settings at their default values, and then, at the bottom of the page, click OK.
8. Click VPN > IPsec Phase 2.
9. Click Create New.
10. Configure the following values:

   Field         Value
   Tunnel Name   To_Local_P2
   Phase 1       To_Local

11. Leave all other settings at their default values, and then, at the bottom of the page, click OK.

Configuring Static Route

Now, you will configure the static route for the IPsec VPN.

To configure Static Route on Remote-FortiGate

1. In the FortiManager GUI, click Router > Static Route.
2. Click Create New > Static Route.
3. Configure the following values:

   Field         Value
   Destination   Subnet 10.0.1.0/24
   Device        To_Local

4. Leave all other settings at their default values, and then, at the bottom of the page, click OK.

Installing Device-Level Configuration Changes

You have now configured IPsec phase 1, phase 2, and static routes on both FortiGate devices.
Now, you will install these device-level configuration changes on both FortiGate devices.

To install device-level configuration changes

1. In the FortiManager GUI, click Install Wizard.
2. Select Install Device Settings (only), and then click Next.
3. Make sure both devices are selected, and then click Next.
4. Make sure both devices are selected in the Preview window, and then click Install.
5. Optionally, after the installation is successful, you can view the Install Log.
6. Click Finish.

Creating Dynamic Interface Mapping

Now, you will create a dynamic interface mapping for the virtual IPsec VPN interfaces, so that you can create IPsec firewall policies.

To create dynamic interface mapping

1. In the FortiManager GUI, click Device Manager > Policy & Objects.
2. Click Object Configuration.
3. Click Zone/Interface > Interface.
4. Click Create New > Dynamic Interface.
5. In the Name field, type VPN.
6. Turn on the Per-Device Mapping switch, and then click Add.
7. Configure the following:
   - In the Mapped Device drop-down list, select Local-FortiGate.
   - In the Device Interface drop-down list, select To_Remote.
   - Click OK.
   - Click Add.
   - In the Mapped Device drop-down list, select Remote-FortiGate.
   - In the Device Interface drop-down list, select To_Local.
   - Click OK.

   Your configuration should look like the following example:

8. Click OK.

Creating Firewall Policies for IPsec VPN

Now, you will create the IPsec VPN firewall policies.

To create firewall policies for IPsec VPN

1. In the FortiManager GUI, click Policy Packages.
2. For the Training policy package, click IPv4 Policy.
3. Click Create New to create a new firewall policy.
4.
Configure the following values:

   Field                 Value
   Name                  To_IPsec
   Incoming Interface    Inside
   Outgoing Interface    VPN
   Source Address        Internal
   Destination Address   all
   Service               ALL
   Schedule              always
   Action                Accept

5. Leave all other settings at their default values, and then click OK.
6. Click Create New to create a second new firewall policy.
7. Configure the following values:

   Field                 Value
   Name                  From_IPsec
   Incoming Interface    VPN
   Outgoing Interface    Inside
   Source Address        all
   Destination Address   Internal
   Service               ALL
   Schedule              always
   Action                Accept

8. Leave all other settings at their default values, and then click OK.

Your configuration should look like the following example:

Installing Training Policy Package

You have configured the IPsec firewall policies in the Training policy package. Now, you will install the Training policy package on the managed FortiGate devices.

To install the Training policy package

1. In the FortiManager GUI, for the Training policy package, click IPv4 Policy.
2. Click Install > Re-install Policy.
3. Click Next.
4. After the installation is successful, click Finish.

Testing IPsec VPN

Now, you will test the IPsec VPN by pinging the remote subnet IP address from Local-Windows.

To test IPsec VPN

1. On the Local-Windows VM, open a command prompt and ping the remote host 10.0.2.10:

   ping 10.0.2.10

2. In the FortiManager GUI, click Policy & Objects > Device Manager.
3. Click Local-FortiGate.
4. Click Query > IPsec VPN. You will see that the IPsec tunnel is up between the FortiGate devices.
LAB 7—Diagnostics and Troubleshooting

In this lab, you will perform diagnostics and troubleshooting when installing device-level settings and importing firewall policies.

Objectives
Diagnose and troubleshoot issues when installing system templates
Diagnose and troubleshoot issues when importing policy packages

Time to Complete
Estimated: 30 minutes

Prerequisites
Before beginning this lab, you must restore the configuration files to the Local-FortiGate, Remote-FortiGate, and FortiManager.

To restore the FortiGate configuration file on both FortiGate devices
1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the username admin.
2. Click Login Read-Write.
3. Click Yes.
4. Go to Dashboard, and then, in the System Information widget, click Restore.
5. Select the option to restore from Local PC, and then click Upload.
6. Browse to Desktop > Resources > FortiManager > Troubleshooting and select Local-diag.conf.
7. Click OK.
8. Click OK. The system reboots.
9. After the reboot finishes (you must wait until Local-FortiGate reboots), open a new browser and log in as admin to the Remote-FortiGate GUI at 10.200.3.1.
10. Repeat the same procedure to restore the system configuration for the Remote-FortiGate but, in the Troubleshooting folder, select Remote-diag.conf.
11. After the reboot finishes, close both browser tabs.

To restore the FortiManager configuration
1. On the Local-Windows VM, open a browser and log in as admin to the FortiManager GUI at 10.0.1.241.
2. Select root.
3. Select System Settings.
4. In the System Information widget, in the System Configuration field, click the Restore icon.
5. Click Browse.
6. Browse to Desktop > Resources > FortiManager > Troubleshooting and select FMGdiag.dat. There is no password to enter because the file was not encrypted.
7. Leave the Overwrite current IP, routing and HA settings check box selected.
8. Click OK. FortiManager reboots.
9. Wait for FortiManager to reboot, and then log in as admin to the FortiManager GUI at 10.0.1.241.
10. Click root.
11. Click System Settings.
12. Go to Advanced > Advanced Settings.
13. For Offline Mode, select Disable.
14. Click Apply. You will see that the Offline Mode message disappears. At this point, FortiManager can establish a management connection with the managed devices.
15. Log out of FortiManager.

1 Diagnose and Troubleshoot Install Issues

FortiManager is preconfigured as follows:
ADOMs are enabled
ADOM1 is configured for FortiGate firmware version 5.4
Local-FortiGate and Remote-FortiGate are managed by FortiManager in ADOM1. The Remote-FortiGate policy package is not imported.
The default system template is configured with only the DNS widget
The default system template is applied to the Local-FortiGate and Remote-FortiGate

In this exercise, you will diagnose and troubleshoot issues that occur when installing configuration changes to Local-FortiGate and Remote-FortiGate.

Viewing the Installation Preview

Now, you will view the installation preview to learn what device-level configuration changes will be installed on the FortiGate devices. The objective of this exercise is to verify and troubleshoot to make sure the correct configuration settings will be installed on the FortiGate devices.

To view the installation preview for Local-FortiGate
1. On the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with the username student and password fortinet.
2. Click Device Manager.
3. Click Local-FortiGate.
4. In the Configuration and Installation Status widget, click Preview. Notice that default is listed as the System Template, which is pre-assigned to Local-FortiGate. The installation preview generates.
5. Write down the DNS settings that will be installed on the Local-FortiGate.
   Primary: ______________________
   Secondary: ______________________
6. Click OK.

To view the installation preview for Remote-FortiGate
1. In the FortiManager GUI, click Remote-FortiGate.
2. In the Configuration and Installation Status widget, click Preview.
3. Write down the DNS settings that will be installed on the Remote-FortiGate.
   Primary: ______________________
   Secondary: ______________________
4. Click OK.

Stop and Think
The system template was configured with two entries. Why did the Local-FortiGate show only one DNS entry, but the Remote-FortiGate showed two entries?

Discussion
The Local-FortiGate device was preconfigured with the primary DNS entry 208.91.112.53. When the Local-FortiGate was added to FortiManager, that setting was automatically updated into the device-level database. To verify, check the current revision history and search for config system dns. If you are not able to figure it out, follow the procedure below to view the system template and DNS settings in the CLI.

Viewing the DNS Configuration

Now, you will view the DNS configuration for the configured system template and compare it with the device-level database settings for DNS (for both Local-FortiGate and Remote-FortiGate). You will view the configuration in the CLI.
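The CLI procedures that follow dump the system template DNS settings and each device's device-level database settings, and the discussion above explains why an install pushes only the entries the device does not already hold. As an added example (not from the lab guide or Fortinet), the following Python script parses dumps in the text format that `execute fmpolicy print-prov-templates` and `execute fmpolicy print-device-object` print for a flat `config ... end` block and computes, per device, the delta an install would push. The dumps are constructed from the DNS values used in this lab, and the skip rule is a model of the behaviour the discussion describes, not FortiManager's own install logic.

```python
"""Compare a FortiManager system template DNS dump against the device-level
database dumps and list what an install would actually push to each device.

Added example for this lab, not Fortinet code. It reads the text format that
`execute fmpolicy print-prov-templates` and `execute fmpolicy print-device-object`
print for a flat `config ... end` block. The dumps below are constructed from
the DNS values shown in this lab (constructed samples, not captured output).
"""
import re
from typing import Dict

# Constructed sample: the default system template (package 1020) DNS settings.
TEMPLATE_DUMP = """\
Dump all objects for category [system dns] in adom [ADOM1] package [1020]:
---------------
config system dns
    set primary 208.91.112.53
    set secondary 208.91.112.52
end
"""

# Constructed samples: device-level database DNS settings for each FortiGate.
DEVICE_DUMPS = {
    "Local-FortiGate": """\
Dump all objects for category [system dns] in device [Local-FortiGate] vdom[root]:
---------------
config system dns
    set primary 208.91.112.53
    set secondary 4.2.2.2
end
""",
    "Remote-FortiGate": """\
Dump all objects for category [system dns] in device [Remote-FortiGate] vdom[root]:
---------------
config system dns
    set primary 4.2.2.2
    set secondary 8.8.8.8
end
""",
}

SET_LINE = re.compile(r"^\s*set\s+(\S+)\s+(.+?)\s*$")


def parse_settings(dump: str) -> Dict[str, str]:
    """Return {attribute: value} for the `set` lines inside the config block.
    Lines before `config` (the Dump header and the dashes) are ignored."""
    settings: Dict[str, str] = {}
    inside = False
    for line in dump.splitlines():
        stripped = line.strip()
        if stripped.startswith("config "):
            inside = True
        elif stripped == "end":
            inside = False
        elif inside:
            match = SET_LINE.match(line)
            if match:
                settings[match.group(1)] = match.group(2).strip('"')
    return settings


def install_delta(template_dump: str, device_dump: str) -> Dict[str, str]:
    """Template attributes whose value is missing from, or different in, the
    device-level database. This models the behaviour the lab describes:
    FortiManager skips an attribute the device already holds with the
    template's value, so only the differences reach the install preview."""
    wanted = parse_settings(template_dump)
    current = parse_settings(device_dump)
    return {attr: val for attr, val in wanted.items() if current.get(attr) != val}


def preview_all(template_dump: str, device_dumps: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Per-device delta, in the order the devices are listed."""
    return {name: install_delta(template_dump, dump) for name, dump in device_dumps.items()}


if __name__ == "__main__":
    for device, delta in preview_all(TEMPLATE_DUMP, DEVICE_DUMPS).items():
        print(f"{device}: {len(delta)} DNS setting(s) to install")
        for attr, val in delta.items():
            print(f"    set {attr} {val}")
```

Run against the constructed dumps, the script reports one setting (secondary) for Local-FortiGate and both settings for Remote-FortiGate, which is exactly the difference the two installation previews show. Feeding it the real dumps from the PuTTY session is a quick way to confirm what an install will change before clicking Install.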
To view the system template configuration in the CLI
1. On the Local-Windows VM, open PuTTY, and then connect to the FORTIMANAGER saved session (connect over SSH).
2. Log in as admin and run the following command to view the CLI configuration for the system template:
   # execute fmpolicy print-prov-templates ADOM1 5 1020 15
   The output should appear as follows:
   Dump all objects for category [system dns] in adom [ADOM1] package [1020]:
   ---------------
   config system dns
       set primary 208.91.112.53
       set secondary 208.91.112.52
   end

Note: The execute fmpolicy print- command tree allows you to view the CLI configuration for provisioning templates, the ADOM, and the device database on FortiManager. The syntax for provisioning templates is:
   # execute fmpolicy print-prov-templates <adom> <prov> <package> <category>|all [<key>|all|list]
You can use the help feature by typing ? to open the command tree syntax.

To view the DNS settings for FortiGates (CLI)
1. In the FORTIMANAGER PuTTY session, run the following command to view the Local-FortiGate DNS settings in the FortiManager device-level database:
   # execute fmpolicy print-device-object ADOM1 Local-FortiGate root 15
   The output should appear as follows:
   Dump all objects for category [system dns] in device [Local-FortiGate] vdom[root]:
   ---------------
   config system dns
       set primary 208.91.112.53
       set secondary 4.2.2.2
   end
   Note: The syntax for the device object is:
   execute fmpolicy print-device-object <adom> <devname> <vdom> <category>|all [<key>|all|list]
2. Execute the following command to view the Remote-FortiGate DNS settings in the FortiManager device-level database:
   # execute fmpolicy print-device-object ADOM1 Remote-FortiGate root 15
   The output should appear as follows:
   Dump all objects for category [system dns] in device [Remote-FortiGate] vdom[root]:
   ---------------
   config system dns
       set primary 4.2.2.2
       set secondary 8.8.8.8
   end
   Compare the FortiManager system template entries with the settings of each FortiGate device. The Local-FortiGate primary DNS entry matches the default system template primary DNS entry, so FortiManager skips the primary DNS entry for the Local-FortiGate: the device is already configured with the same value.
3. Close the PuTTY session.

Installing Device-Level Configuration Changes

Now, you will install device-level configuration changes (system templates) on the managed FortiGate devices.

To install device-level changes (system templates)
1. In the FortiManager GUI, click Managed FortiGates.
2. Select Local-FortiGate and Remote-FortiGate.
3. In the drop-down list, click Install > Install Wizard.
4. Select Install Device Settings (only), and then click Next.
5. Make sure both devices are selected, and then click Next.
6. For Local-FortiGate, click Preview. The preview generates. Optionally, you can download the preview settings.
7. Click Cancel.
8. For Remote-FortiGate, click Preview. The preview generates.
9. Click Cancel.
10. Make sure both FortiGate devices are selected, and then click Install. The installation begins.
11. After the installation finishes, click the View Log icon to view and verify what is being installed on each device.
12. In the Install Log pop-up window, click Close.
13. Click Finish. The Config Status for both FortiGate devices should be Synchronized.

2 Troubleshoot Policy Import Issues

First, you will view the policies and objects imported into the ADOM database. The objects share the common object database for each ADOM and are saved in the ADOM database, which can be shared among the managed FortiGate devices in the same ADOM. In this exercise, you will diagnose and troubleshoot issues that occur while importing the Remote-FortiGate policy package.

Viewing the Policy Package and Objects

Now, because the Local-FortiGate policy package is imported into ADOM1, you will view the Local-FortiGate policy package and objects imported into the ADOM1 database.

To view the policy package and objects for the Local-FortiGate
1. On the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with the username student and password fortinet.
2. Click Policy & Objects.
3. On the left side of the window, expand Local-FortiGate, and then click IPv4 Policy. You will see the two policies for the Local-FortiGate. Notice the source address of Test_PC for the Ping_Test firewall policy.
4. On the menu bar, click Object Configurations.
5. On the left side of the window, expand Firewall Objects, and then click Addresses.
6. Review the configuration for the Test_PC firewall address. In the ADOM database, it is set to the any interface, based on the configuration imported from the Local-FortiGate.

Reviewing Policies and Objects Locally on the Remote-FortiGate

You need to import the policies and objects from the Remote-FortiGate.
But before importing policies and objects, you will review the policies and objects locally on the Remote-FortiGate.

To review policies and objects locally on the Remote-FortiGate
1. On the Local-Windows VM, open a browser and log in to the Remote-FortiGate GUI at 10.200.3.1 with the username admin.
2. Click Login Read-Only.
3. Go to Policy & Objects > IPv4 Policy.
4. Hover the mouse over the Test_PC object in the Source column of the Seq.# 1 firewall policy. You will see that the Test_PC address object is bound to the port6 interface.
5. Remember, the Test_PC address object is bound to the any interface in the ADOM database.
6. Log out of Remote-FortiGate.

Importing a Policy Package

Now, you will import the policies and objects for the Remote-FortiGate into the policy package, and troubleshoot issues with the policy import.

To import the policy package
1. Return to the FortiManager GUI, and then click Policy & Objects > Device Manager.
2. Right-click Remote-FortiGate, and then click Import Policy.
3. Click Next.
4. Make sure the policy package name is Remote-FortiGate.
5. Leave all other settings at their default values, and then click Next.
6. Click Next.
7. Click Next. Did you notice that it skipped one of the two firewall policies?
8. Click Download Import Report to view the reason for skipping a firewall policy.
9. Open the file (or you can save it for future reference). Did you notice that it failed when importing firewall policy ID # 2 (SEQ# 1)?

Stop and Think
The output provides the reason for this policy import failure:
   reason=interface(interface binding contradiction. detail: any<port6) binding fail)"
What does this error mean? What is the impact? How can you fix this partial policy import issue?

Discussion
Remember, in the ADOM1 database, the Test_PC firewall address is bound to the any interface, based on the configuration imported from the Local-FortiGate. On the Remote-FortiGate, policy ID 2 uses the Test_PC firewall address bound to port6 as the source address. This is the expected behavior on FortiManager, because it doesn't allow the same address object name to bind to different interfaces. Because FortiManager imported only part of the policies into the policy package, if you make a change to the policy package and try to install it, FortiManager will delete the skipped policies and the objects associated with those policies, along with all unused objects. You must change the Test_PC firewall address binding to the any interface by logging in locally to the Remote-FortiGate.
10. Close the import report, and then click Finish.

Check the Impact of Partial Policy Import (Optional)

The two procedures below show the impact of making changes to the FortiManager policy package Remote-FortiGate and then trying to install the policy package. FortiManager will try to delete policy ID 2 and the Test_PC address object on the Remote-FortiGate. FortiManager will also try to delete any unused objects. If you are already familiar with this behavior, you can skip the following procedures:
To make configuration changes to the Remote-FortiGate Policy Package (Optional)
To preview the installation changes (Optional)

To make configuration changes to the Remote-FortiGate Policy Package (Optional)
1. In the FortiManager GUI, click Device Manager > Policy & Objects.
2. On the left side of the window, click Remote-FortiGate, and then click IPv4 Policy. You will see that the firewall policy with Test_PC as the source address is not imported.
3. Double-click the Seq# 1 firewall policy.
4. In the Description field, type Training, and then click OK.
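The Discussion above states the rule behind the skipped policy: one address object name cannot be bound to different interfaces in the ADOM database and on the device, and every policy that references such an object is left out of the import. As an added example (not from the lab guide or Fortinet), the following Python script models that check so the contradiction can be spotted before an import, reproduces the reason string in the style of the import report, and shows that the fix applied later in this lab (unsetting the associated interface on the device) clears it. The address objects and policies are constructed to match the lab scenario; the second policy and the "all" object are placeholders, not captured configuration.

```python
"""Pre-import check for the interface-binding contradiction that makes
FortiManager skip a firewall policy during policy import.

Added example for this lab, not Fortinet code. It models the rule stated in
the Discussion: an address object name that is bound to one interface in the
ADOM database cannot be imported from a device where the same name is bound
to a different interface, and every policy that references it is skipped.
The objects and policies below are constructed to match the lab scenario
(Test_PC bound to "any" in ADOM1 but to port6 on Remote-FortiGate); the
second policy and the "all" object are placeholders, not captured config.
"""
from typing import Dict, List, Tuple

# Constructed: address object name -> associated-interface in the ADOM1 database
# (Test_PC was imported from Local-FortiGate bound to "any").
ADOM_ADDRESSES: Dict[str, str] = {"Test_PC": "any", "all": "any"}

# Constructed: the same objects as configured locally on Remote-FortiGate.
REMOTE_ADDRESSES: Dict[str, str] = {"Test_PC": "port6", "all": "any"}

# Constructed: Remote-FortiGate IPv4 policies (id, seq, source and destination addresses).
REMOTE_POLICIES: List[Dict] = [
    {"id": 2, "seq": 1, "srcaddr": ["Test_PC"], "dstaddr": ["all"]},  # policy using Test_PC as source
    {"id": 1, "seq": 2, "srcaddr": ["all"], "dstaddr": ["all"]},      # placeholder second policy
]


def binding_conflicts(adom: Dict[str, str], device: Dict[str, str]) -> Dict[str, str]:
    """Objects whose name exists in both databases with different interface
    bindings, mapped to a reason string in the style of the import report."""
    conflicts: Dict[str, str] = {}
    for name, dev_if in device.items():
        adom_if = adom.get(name)
        if adom_if is not None and adom_if != dev_if:
            conflicts[name] = (f"interface(interface binding contradiction. "
                               f"detail: {adom_if}<{dev_if}) binding fail")
    return conflicts


def simulate_import(adom: Dict[str, str], device: Dict[str, str],
                    policies: List[Dict]) -> Tuple[List[int], List[Tuple[int, str]]]:
    """Return (imported policy ids, [(skipped policy id, reason), ...]).
    A policy is skipped when any address it references has a binding conflict."""
    conflicts = binding_conflicts(adom, device)
    imported: List[int] = []
    skipped: List[Tuple[int, str]] = []
    for pol in policies:
        bad = [n for n in pol["srcaddr"] + pol["dstaddr"] if n in conflicts]
        if bad:
            skipped.append((pol["id"], conflicts[bad[0]]))
        else:
            imported.append(pol["id"])
    return imported, skipped


def unset_associated_interface(device: Dict[str, str], name: str) -> Dict[str, str]:
    """The fix applied in the lab on the device (`unset associated-interface`),
    which returns the object to the "any" binding. Returns a new mapping."""
    fixed = dict(device)
    fixed[name] = "any"
    return fixed


if __name__ == "__main__":
    print("before fix:", simulate_import(ADOM_ADDRESSES, REMOTE_ADDRESSES, REMOTE_POLICIES))
    repaired = unset_associated_interface(REMOTE_ADDRESSES, "Test_PC")
    print("after fix: ", simulate_import(ADOM_ADDRESSES, repaired, REMOTE_POLICIES))
```

Before the fix the script skips policy ID 2 with the reason `interface(interface binding contradiction. detail: any<port6) binding fail`, matching the lab's import report; after the object is returned to the any binding, both policies import. Running the same comparison over an export of the ADOM and device address objects is a cheap way to catch these partial imports, which matter because a later install of the package deletes the skipped policies and their objects.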
To preview the installation changes (Optional)
1. Ensure IPv4 Policy is selected for the Remote-FortiGate policy package, and then click Install > Re-install Policy.
2. Click Preview.
3. Notice that it is trying to delete the firewall policy with ID=2 and the Test_PC address object. This is the firewall policy with Test_PC as the source address.
   Note: When installing a policy package for the first time, FortiManager also deletes all unused objects.
4. In the Install Preview window, click Cancel.
5. Click Cancel.

Fixing a Partial Policy Import Issue

You must change the Test_PC firewall address binding to the any interface by logging in locally to the Remote-FortiGate. Then, on FortiManager, you will be able to import the policy package for the Remote-FortiGate.

To make local changes on Remote-FortiGate
1. On the Local-Windows VM, open a new browser tab, and then log in to the Remote-FortiGate GUI at 10.200.3.1 as admin.
2. Click Login Read-Write.
3. In the warning window, click Yes.
4. Click Policy & Objects > Addresses.
5. Right-click Test_PC, and then select Edit in CLI.
6. Enter the following commands in the CLI window:
   unset associated-interface
   end
7. Close the CLI Console window.
8. Refresh the page. Your configuration should look like the following example:
9. Log out of Remote-FortiGate.

To import the policy package again
1. Return to the FortiManager GUI, and then click Policy & Objects > Device Manager.
2. On the left side of the window, click Managed FortiGates.
3. Right-click Remote-FortiGate, and then select Import Policy.
4. Click Next.
5. Select the Overwrite check box.
6. Leave all other settings at their default values, and then click Next. Did you notice that Test_PC appeared as Dynamic Mapping? FortiManager automatically creates a dynamic mapping of the object with the same values. The interface must be the same as in the ADOM database.
7. Click Next.
8. You will see that both firewall policies are imported this time.
9. Click Finish.

LAB 8—Advanced Configuration

The learning goals for this lab are to understand the troubleshooting commands used for FortiGuard management, and to learn how to use FortiManager to upgrade the firmware on managed FortiGate devices.

Objectives
Review the central management configuration on both FortiGate devices
Understand and run FortiGuard debug commands
Import the firmware image for FortiGate devices and upgrade from FortiManager

Time to Complete
Estimated: 15 minutes

1 FortiGuard Management

In this exercise, you will review the central management settings on the FortiGate devices. Then, you will run the CLI commands related to FortiGuard diagnostics on FortiManager to understand the FortiGuard settings on FortiManager.

To review central management settings on both FortiGate devices
1. On the Local-Windows VM, open PuTTY and connect to the LOCAL-FORTIGATE and REMOTE-FORTIGATE saved sessions (connect over SSH).
2. At the login prompt, enter the username admin (all lower case).
3. Enter the following command:
   show system central-management
   Your output for the Local-FortiGate and Remote-FortiGate devices should look similar to the following examples:
   Local-FortiGate:
   Remote-FortiGate:
   You will see that server-list is configured on the FortiGate devices with the FortiManager IP address, and that include-default-servers is disabled. This means the FortiGate devices are pointed to FortiManager for their FortiGuard services, and access to the public FortiGuard servers is disabled.

Diagnosing FortiGuard Issues

Now, you will run CLI commands on FortiManager to verify the FortiGuard configuration in order to troubleshoot FortiGuard issues.

To diagnose FortiGuard issues
1. On the Local-Windows VM, open PuTTY and connect to the FORTIMANAGER saved session (connect over SSH).
2. At the login prompt, enter the username admin (all lower case).
3. Run the following commands:
   diagnose fmupdate view-serverlist fds
   You should see that there is only one default server in the list. FortiManager is unable to connect to the public FDN servers because they are unreachable or the service is disabled. In this lab environment, communication with the public FortiGuard servers is disabled.
   diagnose fmupdate view-serverlist fds
   You should see that there is no information on Upullstat, UpullServer, because FortiManager is not connected to the public FDS, which would provide that information.
   diagnose fmupdate dbcontract
   FortiManager is operating in a closed network environment, and license contracts are uploaded manually on FortiManager. You should see the contract information, which includes the types of contracts that the device currently has, along with the expiry dates.
   Note: The same information can be viewed in the FortiGate GUI in the License Information widget.
   You will also see FortiAnalyzer contract information, which is uploaded manually on FortiManager. The FortiAnalyzer labs use FortiManager as the local FDS in order to use the IOC features on FortiAnalyzer.

2 Upgrading FortiGate Firmware Using FortiManager

You can use FortiManager as your local firmware cache and to upgrade firmware on supported devices. In this exercise, you will import the firmware image for FortiGate and then upgrade both FortiGate devices using FortiManager.

To import and upgrade firmware
1. On the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with the username student and password fortinet.
2. Click FortiGuard.
3. Click Firmware Images > Import Images.
4. Click Import, and then click Browse.
5. Browse to Desktop > Resources > FortiManager > Advanced-Configuration, and then select FGT_VM64-v5-build7605-FORTINET.out.
6. Click OK. You will see that the firmware image has been saved on FortiManager.
7. Click FortiGuard > Device Manager.
8. Click Firmware.
9. Select both FortiGate devices, and then click Upgrade.
10. In the Upgrade to drop-down list, select FGT_VM64-v5-build7605-FORTINET.out.
11. Click OK. You should see successful firmware upgrades for both FortiGate devices.
12. Click Close.
13. Optionally, you can open the console connection for the Local-FortiGate and Remote-FortiGate to see the firmware upgrades.
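Exercise 1 of this lab reviews show system central-management on both FortiGate devices to confirm that server-list points at the FortiManager address and that include-default-servers is disabled, so the devices cannot fall back to the public FortiGuard servers. As an added example (not from the lab guide or Fortinet), the following Python script parses a central-management block written in FortiOS 5.4 syntax and reports any drift from that expected state. Both configuration blocks are constructed samples, not the output captured from the lab devices; the attribute names type, fmg, include-default-servers and server-list/server-address are assumed, and 192.0.2.10 is a documentation-range placeholder.

```python
"""Audit a FortiGate `show system central-management` block for the settings
this lab expects: the device points at FortiManager for FortiGuard services
and cannot fall back to the public FortiGuard servers.

Added example for this lab, not Fortinet code. The two blocks below are
constructed samples in FortiOS 5.4 syntax (attribute names type, fmg,
include-default-servers, server-list/server-address are assumed); they are
not output captured from the lab devices.
"""
from typing import Dict, List

FMG_ADDRESS = "10.0.1.241"   # FortiManager address used throughout the lab

# Constructed: the state the lab expects on both FortiGate devices.
EXPECTED_CONFIG = """\
config system central-management
    set type fortimanager
    set fmg "10.0.1.241"
    set include-default-servers disable
    config server-list
        edit 1
            set server-type update rating
            set server-address 10.0.1.241
        next
    end
end
"""

# Constructed: a drifted configuration with the default servers re-enabled and
# an extra rating server at a placeholder address (192.0.2.10, documentation range).
DRIFTED_CONFIG = """\
config system central-management
    set type fortimanager
    set fmg "10.0.1.241"
    set include-default-servers enable
    config server-list
        edit 1
            set server-type update rating
            set server-address 10.0.1.241
        next
        edit 2
            set server-type rating
            set server-address 192.0.2.10
        next
    end
end
"""


def parse_config(text: str) -> Dict:
    """Parse nested FortiOS `config`/`edit`/`set`/`next`/`end` text into dicts.
    `config X` and `edit N` open a child mapping; `next` and `end` close one."""
    root: Dict = {}
    stack: List[Dict] = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        keyword, _, rest = line.partition(" ")
        if keyword in ("config", "edit"):
            child: Dict = {}
            stack[-1][rest.strip('"')] = child
            stack.append(child)
        elif keyword == "set":
            attr, _, value = rest.partition(" ")
            stack[-1][attr] = value.strip().strip('"')
        elif keyword in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def audit_central_management(text: str, expected_fmg: str = FMG_ADDRESS) -> List[str]:
    """Return human-readable findings; an empty list means the block matches
    the state the lab expects."""
    cm = parse_config(text).get("system central-management", {})
    findings: List[str] = []
    if cm.get("type") != "fortimanager":
        findings.append(f"type is {cm.get('type', 'unset')}, expected fortimanager")
    if cm.get("fmg") != expected_fmg:
        findings.append(f"fmg is {cm.get('fmg', 'unset')}, expected {expected_fmg}")
    # FortiOS enables the default servers when the attribute is absent.
    if cm.get("include-default-servers", "enable") != "disable":
        findings.append("include-default-servers is not disabled: "
                        "public FortiGuard servers remain reachable")
    servers = cm.get("server-list", {})
    if not servers:
        findings.append("server-list is empty: no local FortiGuard server configured")
    for entry_id, entry in servers.items():
        addr = entry.get("server-address")
        if addr != expected_fmg:
            findings.append(f"server-list entry {entry_id} points at {addr}, "
                            f"not the FortiManager at {expected_fmg}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("expected", EXPECTED_CONFIG), ("drifted", DRIFTED_CONFIG)):
        result = audit_central_management(cfg)
        print(f"{label}: {'OK' if not result else result}")
```

The expected block produces no findings; the drifted block produces two, one for include-default-servers and one for the server-list entry that does not point at FortiManager. The same function can be run over the real output pasted from the PuTTY sessions for both devices, which turns the visual check in exercise 1 into something repeatable.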