Ebin - Pub Fortinet Fortimanager Lab Guide For Fortimanager 72
© FORTINET
FortiManager
Lab Guide
for FortiManager 7.2
DO NOT REPRINT
Fortinet Training Institute - Library
https://training.fortinet.com
https://docs.fortinet.com
https://kb.fortinet.com
https://fusecommunity.fortinet.com/home
Fortinet Forums
https://forum.fortinet.com
https://support.fortinet.com
FortiGuard Labs
https://www.fortiguard.com
https://www.fortinet.com/nse-training
https://home.pearsonvue.com/fortinet
https://helpdesk.training.fortinet.com/support/home
1/10/2023
TABLE OF CONTENTS
Network Topology 6
Lab 1: Initial Configuration 7
Exercise 1: Examining the Initial Configuration 10
Examine the Initial Configuration Using the CLI 10
Examine the Initial Configuration Using the GUI 12
Exercise 2: Configuring ADOMs 16
Enable ADOMs 16
View ADOM Information 16
Configure ADOMs 18
Exercise 3: Adding FortiAnalyzer to FortiManager 21
Lab 2: Administration and Management 24
Exercise 1: Creating and Assigning Administrators 25
Test Administrator Privileges 26
Restrict Administrator Access Using a Trusted Host 27
Test the Restricted Administrator Access 28
Exercise 2: Enabling ADOM Locking (Workspace Mode) 30
Enable ADOM Locking (Workspace Mode) 30
Exercise 3: Backing Up and Restoring FortiManager 32
Back Up the FortiManager Configuration 32
Restore the FortiManager Configuration 33
Exercise 4: Monitoring Alerts and Event Logs 35
Disable Offline Mode 35
View Alerts and Event Logs 36
Lab 3: Device Registration 38
Exercise 1: Configuring System Templates 39
Configure System Templates 39
Disable ADOM Locking (Workspace Mode) 42
Exercise 2: Registering a Device on FortiManager 44
Review the Central Management Configuration on Local-FortiGate 44
Enable Real-Time Debug 45
Add Local-FortiGate Using the Add Device Wizard 45
View the Local-FortiGate Policy Package 50
Import System Template Settings From FortiGate 51
Add Remote-FortiGate Using the Add Device Wizard 54
Assign the System Template to Local-FortiGate and Remote-FortiGate 55
Lab 4: Device-Level Configuration and Installation 58
Exercise 1: Understanding the Statuses of Managed Devices 59
Exercise 2: Installing System Template Changes on Managed Devices 62
Install System Templates 62
Check the Status of the Managed Device 64
View the Pushed Configuration on FortiGate 66
Exercise 3: Viewing the Auto Update Status and Revision History 68
Make Direct Changes on Local-FortiGate 68
Make Direct Changes on Remote-FortiGate 69
View the Auto Update Status and Revision History 69
View the Installation Log 71
View the Auto Update Status, Revision History, and Installation Log for Remote-FortiGate (Optional) 72
Check the Task Monitor 72
Exercise 4: Configuring Device-Level Changes 74
Change the Interface Settings of the Managed FortiGate 74
Filter Devices Based on Status 76
Configure the Administrator Account 76
Exercise 5: Installing Configuration Changes 80
Use the Install Wizard 80
View the Revision Differences 83
Exercise 6: Using Scripts 86
Configure Scripts 86
Run and Install Scripts 88
Generate Traffic With FIT 91
Lab 5: Policies and Objects 92
Exercise 1: Importing Policies 93
Import Policies 93
Create ADOM Revisions 96
Exercise 2: Enabling Workflow Mode 98
Exercise 3: Creating a Common Policy for Multiple Devices 109
Create Dynamic Mappings for Address Objects 109
Create Dynamic Mappings for Interfaces and Device Zones 112
Import and Install a CLI Script to Delete Policies 115
Run and Install the Scripts 116
Create a Common Policy Package, an Installation Target, and Use Install On 121
Exercise 4: Running a FortiAnalyzer Report 130
View Logs 130
Run a FortiAnalyzer Report 131
Lab 6: Global ADOM Policy Configuration 134
Exercise 1: Creating and Assigning Header Policies in the Global ADOM 135
Lab 7: Diagnostics and Troubleshooting 140
Exercise 1: Diagnosing and Troubleshooting Installation Issues 143
View the Installation Preview 143
View the DNS Configuration 145
Install Device-Level Configuration Changes 147
Exercise 2: Troubleshooting Policy Import Issues 151
View the Policy Package and Objects 151
Review Policies and Objects Locally on Remote-FortiGate 152
Import a Policy Package 153
Check the Impact of a Partial Policy Import (Optional) 156
Fix a Partial Policy Import Issue 158
Retrieve the New Configuration From FortiManager 160
Lab 8: Additional Configuration 163
Exercise 1: Examining FortiGuard Management 164
Diagnose FortiGuard Issues 165
Exercise 2: Upgrading FortiGate Firmware Using FortiManager 167
Network Topology

Lab 1: Initial Configuration
In this lab, you will examine network settings on the FortiManager CLI and GUI. You will also add FortiAnalyzer to
FortiManager for logging and reporting.
Objectives
l Examine initial system settings, including network and time settings
l Add FortiAnalyzer to FortiManager
Time to Complete
Estimated: 40 minutes
Prerequisites
This lab environment is also used for FortiGate Security 7.2 and FortiGate Infrastructure 7.2 training and initializes
in a different state than is required for FortiManager 7.2.1 training.
Before you begin this lab, you must update the firmware and initial configuration on the Local-FortiGate and
Remote-FortiGate VMs.
2. Click System > Fabric Management, select Remote-FortiGate, and then click Upgrade.
3. In the Select Firmware section, click the File Upload tab, and then click Browse.
4. Browse to Desktop > Resources > FortiManager > FGT-firmware, select FGT_upgrade_build1254.out,
and then click Open to load the file.
5. Click Confirm and Backup Config, and then in the warning window, click Continue to initiate the upgrade.
The system reboots. Click Cancel so that the configuration backup file is not saved.
6. Open another browser tab, and then log in to the Local-FortiGate GUI at 10.0.1.254 with the username admin
and password password.
7. Repeat the procedure to update the firmware for the Local-FortiGate VM.
The upgrade can take up to 10 minutes per device.
3. Click Local PC, and then click Upload.
4. Click Desktop > Resources > FortiManager > Introduction, select remote-Initial.conf, and then click
Open.
5. Click OK.
6. Click OK to reboot.
In this exercise, you will explore the basic configuration settings on the FortiManager CLI and GUI.
You will start by accessing FortiManager, using the CLI, to examine the initial configuration.
3. Enter the following command to display information about the configuration of the FortiManager interface:
CLI command          Diagnostic result
show system dns      What are the primary and secondary DNS settings?
                     By default, FortiManager uses the FortiGuard DNS servers.
6. Enter the following command to display information about the FortiManager routing configuration:
7. To test basic network connectivity, and to ensure the default route to the internet is working, enter the following
command to ping IP address 8.8.8.8 (a public IP address that is highly available):
execute ping 8.8.8.8
You will now log in to FortiManager, using the GUI, to examine the initial configuration.
All lab exercises were tested running Mozilla Firefox on the Local-Client VM and
Remote-Client VM. To get consistent results, we recommend using Firefox in this
virtual environment.
The dashboard shows the FortiManager widgets that display information, such as System Information,
License Information, System Resources, and more.
3. In the System Information and License Information widgets, locate the following information:
l Firmware version
l Administrative domain status
l System time and time zone
l License status (VM)
These widgets display the same information as the get system status CLI command.
4. In the System Information widget, in the System Time field, click the edit icon to view the NTP information.
This displays the same information as the get system ntp and show system ntp CLI commands.
You will manage Local-FortiGate and Remote-FortiGate using FortiManager—they are
configured with the same time zone and NTP server.
Administrative domains (ADOMs) group devices for administrators to monitor and manage. The purpose of
ADOMs is to divide the administration of devices and control (restrict) access.
Enable ADOMs
ADOMs are not enabled by default, and can be enabled only by the admin administrator, or an administrator with
the Super_User access profile.
To enable ADOMs
1. Log in to the FortiManager GUI with the username admin and password password.
2. Click System Settings.
3. In the System Information widget, enable Administrative Domain.
4. Click OK.
FortiManager logs you out.
Before you create new ADOMs, you should be aware of the types of ADOMs that are available to you. You will
view ADOM information using both the GUI and CLI.
3. Click System Settings.
4. Click All ADOMs.
5. Log in to the FortiManager CLI with the username admin and password password.
6. Enter the following command to view the ADOMs that are currently enabled on FortiManager and the type of
device you can register to each ADOM:
The CLI output formatting is easier to read if you maximize your PuTTY window. If you
already executed the command, once the window is maximized, press the up arrow to
show the last command that you entered, and then press Enter to run the command
again.
As you can see, FortiManager supports 19 ADOM types, each associated with a different device type. The CLI
also displays the firmware versions supported for each type.
Configure ADOMs
By default, when you enable ADOMs, FortiManager creates ADOMs based on supported device types. The root
ADOM is based on the FortiGate ADOM type.
When you create a new ADOM, you must match the device type. For example, if you want to create an ADOM for
FortiGate, you must select FortiGate as the ADOM type. With FortiGate ADOMs specifically, you must also select
the firmware version of the FortiGate. Different firmware versions have different features, and therefore different
CLI syntax. Your ADOM settings must match the device firmware.
To configure ADOMs
1. Continuing on the FortiManager GUI, click System Settings > All ADOMs.
Field    Value
Name     My_ADOM
5. Click Cancel.
6. Keep the default values for all other settings, and then click OK.
You should see a list of predefined ADOMs, including your new ADOM.
You can switch between ADOMs on the GUI. You do not have to log out and log back
in. To switch between ADOMs on the GUI, in the upper-right corner, click ADOM.
Your administrator privileges determine which ADOMs you can access.
You can manage FortiAnalyzer from FortiManager. Adding a FortiAnalyzer to FortiManager gives FortiManager
visibility into the logs on FortiAnalyzer, providing a single pane of glass on FortiManager. It also enables
FortiAnalyzer features, such as FortiView and Log View.
You can also use FortiManager as a logging and reporting device by enabling FortiAnalyzer features on
FortiManager. Remember that, unlike FortiAnalyzer, FortiManager has logging rate restrictions.
In this exercise, you will add FortiAnalyzer to FortiManager, so that you can manage FortiAnalyzer from
FortiManager for logging and reporting.
Field        Value
IP Address   10.0.1.210
Username     admin
Password     password
If the FortiManager ADOM does not exist on the FortiAnalyzer, a warning appears. You
can add the ADOM and devices to FortiAnalyzer by clicking Synchronize ADOM and
Devices.
Now that you have added FortiAnalyzer to FortiManager, you will notice that more panes related to logging
and reporting appear—FortiView, Log View, FortiSoC, and Reports.
In this lab, you will configure an administrator user. You will also restrict administrator access based on
administrator profile, trusted hosts, and ADOMs. Then, you will enable ADOM locking, which disables concurrent
access to the same ADOM.
Additionally, this lab will guide you through how to correctly back up and restore a FortiManager configuration,
view alert messages in the Alert Message Console, and view event logs.
Objectives
l Configure an administrator and restrict access to a newly created ADOM
l Enable ADOM locking
l Back up FortiManager, restore the backup, and disable offline mode
l Read entries in the alert message console and view event logs
Time to Complete
Estimated: 45 minutes
In this exercise, you will create an administrative user with restricted access permissions.
In an active deployment scenario, having more than one administrative user makes administering the network
easier, especially if users are delegated specific administrative roles, or confined to specific areas within the
network. In an environment with multiple administrators, you should ensure that every administrator has only the
permissions necessary to do their specific job.
Field Value
FortiManager comes with five default profiles preinstalled that you can assign to other
administrative users. Alternatively, you can create your own custom profiles.
7. Keep the default values for all other settings, and then click OK.
8. In the upper-right corner, click admin.
9. Click Log Out.
You will log in to FortiManager with the administrator account (student) that you just created, and then test the
administrator privileges.
To test administrator privileges
1. Log in to the FortiManager GUI with the username student and password fortinet.
You are limited to the My_ADOM administrative domain.
The preceding image shows how you can control or restrict administrator access based on administrative
profiles and ADOMs.
You will restrict access to FortiManager by configuring a trusted host for the administrator accounts. Only
administrators connecting from a trusted subnet can access FortiManager.
7. Enable Trusted Hosts.
8. In the Trusted IPv4 Host 1 field, type 10.0.1.0/24.
You will confirm that administrators outside the subnet 10.0.1.0/24 cannot access FortiManager.
Because you are trying to connect from the 10.0.2.10 IP address, your login authentication fails. This is
because you restricted logins to only the source IP addresses in the list of trusted hosts.
The IP address specified in the URL here is not the same as the one you used
previously, because now FortiManager is being accessed from a device that is in a
different part of the network (see Network Topology on page 6). Now, you are
connecting to the port2 interface of the FortiManager device.
7. Return to the Remote-Client VM, and then try to log in to the FortiManager GUI again with the username student
and password fortinet.
This time, you should gain access because you just turned off the requirement to log in from a trusted host.
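The trusted-host behaviour you just observed, as an added example that is not part of the original lab guide or of FortiManager itself: a small model of the per-account check (Trusted Hosts disabled means any source; enabled means the source IP must fall inside at least one listed network). The account names and networks are the ones used in this exercise; everything else, including the function names, is an assumption made for the example.

```python
import dataclasses
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class AdminAccount:
    """A FortiManager administrator and its trusted-host list (model, not FortiManager code)."""
    name: str
    trusted_hosts_enabled: bool = False
    trusted_hosts: List[str] = field(default_factory=list)  # networks in CIDR form, e.g. "10.0.1.0/24"

    def login_allowed(self, source_ip: str) -> bool:
        """True if a login from source_ip passes the trusted-host check for this account.

        With Trusted Hosts disabled the account is reachable from any address. With it
        enabled, the source must be inside at least one listed network; an address that
        does not parse is rejected rather than let through.
        """
        if not self.trusted_hosts_enabled:
            return True
        try:
            src = ipaddress.ip_address(source_ip)
        except ValueError:
            return False
        for cidr in self.trusted_hosts:
            net = ipaddress.ip_network(cidr, strict=False)
            if src.version == net.version and src in net:
                return True
        return False


def check_login(accounts: List[AdminAccount], username: str, source_ip: str) -> str:
    """Describe the outcome of a login attempt the way the lab observes it."""
    acct = next((a for a in accounts if a.name == username), None)
    if acct is None:
        return "deny: unknown account"
    if acct.login_allowed(source_ip):
        return "allow"
    return f"deny: {source_ip} is not within trusted hosts {acct.trusted_hosts}"


def with_trusted_hosts_disabled(acct: AdminAccount) -> AdminAccount:
    """The state after step 7 above: the restriction is switched off, the list is kept."""
    return dataclasses.replace(acct, trusted_hosts_enabled=False)


# Accounts as configured in this exercise (constructed for the example):
# admin is left unrestricted; student is limited to the Local-Client subnet.
LAB_ACCOUNTS = [
    AdminAccount("admin"),
    AdminAccount("student", trusted_hosts_enabled=True, trusted_hosts=["10.0.1.0/24"]),
]

if __name__ == "__main__":
    for user, src in [("student", "10.0.1.10"), ("student", "10.0.2.10"), ("admin", "10.0.2.10")]:
        print(f"{user:8} from {src:10} -> {check_login(LAB_ACCOUNTS, user, src)}")
```

Two points the model makes visible. The check is per account: in this exercise only student was restricted, so admin stays reachable from the Remote-Client subnet; in a real deployment every account, admin included, should carry a trusted-host list. The check is also only as good as the source address FortiManager sees, so clients arriving through a NAT device or proxy all match whichever address that device presents.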
By default, multiple administrators can log in to the same ADOM at the same time, which allows concurrent
access. This can cause conflicts, however, if two or more administrators try to make changes in the same ADOM
at the same time.
Before you enable ADOM locking, ensure that all FortiManager administrators are notified and asked to save their
work on FortiManager, because enabling ADOM locking terminates all management sessions.
6. Log in to the FortiManager GUI with the username student and password fortinet.
7. At the top of the screen, click the lock icon.
If an administrator locked one or more ADOMs, and then logged out of FortiManager,
all of those ADOMs are unlocked.
In this example, when the student administrator locked My_ADOM, and then logged
out, FortiManager unlocked My_ADOM.
Always log out gracefully from FortiManager when ADOM locking is enabled.
If this situation arises and you cannot wait for the administrator session to time out,
delete the session manually using the GUI or CLI.
On the GUI, on the System Settings pane, go to the System Information widget,
and then click Current Administrators > Current Session List.
In an active deployment scenario, it is a best practice to back up the device configuration before making any
configuration changes. If the new configuration does not perform as expected, you can revert to the last working
configuration. During these labs, it is beneficial for you to have a backup of the initial configuration, in case you
must revert the configuration.
FortiManager configuration files are not stored in plaintext like FortiGate configuration
files. They are stored as DAT files. You can uncompress them, and then view them
offline using archive tools, such as WinRAR and tar.
To back up FortiManager
1. On the Local-Client VM, open a browser, and then log in to the FortiManager GUI with the username admin and
password password.
2. Select root.
3. At the top of the screen, click the lock icon to lock it.
4. Click System Settings.
5. In the System Information widget, click System Configuration, and then click the backup icon.
11. Continuing on the FortiManager GUI, click Admin > Administrators.
12. Right-click student, and then click Delete.
13. Click OK.
You can use the following options when you restore a FortiManager configuration:
l Overwrite current IP, routing and HA settings: By default, this option is enabled. If FortiManager has an existing
configuration, restoring a backup will overwrite everything, including the current IP address, routing, and HA
settings. If you disable this option, FortiManager will still restore the configuration settings that are related to the
device information and global database information, but it will preserve the basic HA and network settings.
l Restore in Offline Mode: By default, this option is enabled and grayed out; you cannot disable it. While restoring,
FortiManager temporarily disables the communication channel between FortiManager and all managed devices.
This is a safety measure in case any of the devices are being managed by another FortiManager device. To re-
enable the communication, disable Offline Mode.
To restore FortiManager
1. Continuing on the FortiManager GUI, click Dashboard.
2. In the System Information widget, click System Configuration, and then click the restore icon.
3. Click Browse.
4. Select the lab2.dat backup file.
You do not have to enter a password because the lab backup file is not encrypted. Outside the lab, set a backup
password: the file restores the complete FortiManager configuration, including administrator accounts (the
student account is restored from it later in this exercise), so treat it as sensitive and store it accordingly.
6. Click OK.
FortiManager reboots.
7. Wait for FortiManager to reboot, and then log in to the FortiManager GUI with the username admin and password
password.
8. Close the FortiManager setup page and then select root.
9. At the top of the screen, click the lock icon to lock it.
10. Click System Settings.
11. Click Admin > Administrators.
The student administrator account was restored from the backup file.
In this exercise, you will view the alerts in the alert console widget and view the event logs. You will also configure
filter options to locate specific logs. First, you will disable offline mode, which is enabled by default when the
FortiManager backup configuration is restored.
7. Click Apply.
You will notice that the Offline Mode message disappears. At this point, FortiManager can establish a
management connection with the managed devices.
You will view the alerts on the Alert Message Console and logs under Event Logs.
In this lab, you will explore the common operations performed using the device manager. You will use the Device
Manager pane to add FortiGate devices.
Objectives
l Create and apply system templates to your managed devices
l Review central management settings on FortiGate
l Add a device using the Add Device wizard
Time to Complete
Estimated: 30 minutes
You can configure system templates on FortiManager to provision common system-level settings on FortiGate
devices. You can configure the templates in advance, and then apply them either to FortiGate devices when they
are first added to FortiManager or to FortiGate devices that FortiManager is currently managing.
6. Click OK.
7. Log out of the FortiManager admin account.
8. Log in to the FortiManager GUI with the username student and password fortinet.
9. Click My_ADOM.
10. Click Device Manager.
11. Click Provisioning Templates.
This is because when ADOM locking is enabled, you must lock the ADOM before making configuration
changes.
12. At the top of the screen, click the lock icon to lock My_ADOM.
13. Under System Templates, select the default checkbox, and then click Edit.
14. In the Log Settings widget, select the Send Logs to FortiAnalyzer/FortiManager checkbox.
15. Select Managed FortiAnalyzer, and then select the managed FortiAnalyzer in the drop-down list.
16. In the Upload Option field, select Real-time.
17. Enable Reliable Logging to FortiAnalyzer.
Your configuration should look like the following example:
When ADOM locking is enabled, you must save the changes to copy them to the
FortiManager database.
21. At the top of the screen, click the lock icon to unlock My_ADOM.
22. Log out of the FortiManager student account.
You will disable ADOM locking because, in this lab, each student has a dedicated ADOM to work on.
Before disabling workspace mode, ensure that all the administrators logged in to FortiManager save their work.
To disable ADOM locking (workspace mode)
1. Log in to the FortiManager GUI with the username admin and password password.
2. Click root.
3. Click System Settings.
4. Click Admin > Workspace.
5. Click Disable, click Apply, and then click OK.
Disabling workspace mode logs administrators out of FortiManager and saves the changes.
Before you add FortiGate to FortiManager, you will review the central management configuration on Local-
FortiGate.
The serial-number is the FortiManager serial number, which you cannot configure
on FortiGate. FortiManager populates this setting, because it is managing this device.
In this case, the serial-number field is blank because you have not yet added the
device to FortiManager.
4. Close the PuTTY session.
You will enable real-time debug on FortiManager to view the real-time status when you add FortiGate to
FortiManager.
You should place this PuTTY session and the FortiManager GUI side-by-side so that you can view the real-
time debugs while you add FortiGate to the FortiManager GUI.
The output is verbose and you might have to scroll up or down to review the
information. Alternatively, you can save the log file on your desktop, and then open it
using a text editor, such as Notepad++.
You will add Local-FortiGate to FortiManager in My_ADOM using the Add Device wizard, and then you will apply
the System Template that you created earlier.
5. In the Add Device wizard, select Discover Device, and then configure the following settings:
Field        Value
IP Address   10.200.1.1
Username     admin
Password     password
6. Click Next.
7. Review the discovered device information, and then compare it with the output from the FortiManager PuTTY
session.
8. You should observe the following:
9. Press the up arrow on your keyboard, and then select the following commands to disable the debug—alternatively,
you can enter these commands manually:
diagnose debug application depmanager 0
diagnose debug disable
diagnose debug reset
10. Close the PuTTY session.
11. Return to the FortiManager GUI.
12. Ensure that Name is set to Local-FortiGate.
l Make sure the policy package name is configured as Local-FortiGate_root.
l Accept the policy and object import defaults.
l Change Mapping Type to Per-Device.
20. In the Use Value From column, keep the default setting of FortiGate.
The option to download the import report is available only on this page. As a best
practice, you should download the report and review the important information, such
as which device is imported into which ADOM, as well as the name of the policy
package created, along with the objects imported.
FortiManager imports new objects and updates existing objects based on the option
that you choose on the conflict page. The duplicate objects are skipped because
FortiManager does not import duplicate entries into the ADOM database.
27. On the Local-Client VM, open PuTTY, and then connect over SSH to the Local-FortiGate saved session.
28. Log in with the username admin and password password.
29. Enter the following command:
get system central-management
View the Local-FortiGate Policy Package
Now that you have imported policy and dependent objects for Local-FortiGate, you will view the policy package
created for Local-FortiGate.
You will notice that a policy package named Local-FortiGate_root was created when you imported firewall
policies from your Local-FortiGate.
7. Click Cancel.
8. Clear port1 from the search box.
9. Repeat the previous steps to view the port3 interface mapping.
Now that you have added Local-FortiGate to FortiManager, you will import NTP server settings from Local-
FortiGate. These server settings can be used by multiple FortiGate devices using this system template.
5. Click Toggle Widgets, and then select the NTP Server checkbox.
6. Click Import.
8. Click OK.
9. Click Apply.
Add Remote-FortiGate Using the Add Device Wizard
You will add Remote-FortiGate to FortiManager in My_ADOM using the Add Device Wizard. You will import the
policies and objects for Remote-FortiGate later.
3. In the Add Device wizard, select Discover Device, and then configure the following settings:
Field        Value
IP Address   10.200.3.1
Username     admin
Password     password
4. Click Next.
5. Click Next.
6. Click Import Later.
The Remote-FortiGate device should now be listed on the Device Manager page.
You will assign the default system template to Local-FortiGate and Remote-FortiGate to apply system settings.
4. In the Assign Provisioning Templates window, in the System Template field, select default.
5. Click OK.
You should see the following configuration:
When you select Import Later in the Add Device wizard, or add an unregistered device to FortiManager,
the policy package status is Never Installed because there is still no policy package created for the newly
added FortiGate.
If you add an unregistered device, you must run the Import Policy wizard to import the device’s firewall
policy into a new policy package.
In this lab, you will explore common operations that you can perform using the device manager, such as
configuring device-level changes, checking the statuses of managed devices, installing configuration changes,
and keeping the managed devices in sync with the device database on FortiManager.
Objectives
l Understand the statuses of managed devices on FortiManager
l Use the status information in the Configuration and Installation Status widget
l Make and install configuration changes using the device manager
l Make configuration changes locally on FortiGate, and then verify that FortiManager automatically retrieved the
changes
l Identify entries in the revision history and the management actions that created the new revisions
l Install a large number of managed device changes using scripts
Time to Complete
Estimated: 70 minutes
In this exercise, you will check and learn about the statuses of FortiGate devices on FortiManager. Depending on
the configuration changes, a FortiGate can have a different Sync Status and Device Settings Status.
l The Sync Status indicates whether the FortiGate configuration matches the latest revision history.
l The Device Settings Status indicates whether the FortiGate configuration stored in the device-level database
matches the latest running revision history.
Why does the Config Status field for the FortiGate devices show the status Modified?
In the previous exercise, you applied system templates to both FortiGate devices. The configuration running
on the FortiManager device-level database is different from the latest revision history. This changes the
Config Status to Modified. The provisioning template changes must be installed on the FortiGate devices
to return the devices to the synchronized state.
4. Click Local-FortiGate.
5. In the Configuration and Installation widget, check the Config Status field—it should be Modified.
6. On the Local-Client VM, open PuTTY, and then connect over SSH to the FortiManager saved session.
7. Log in with the username admin and password password.
8. Enter the following command to display the device statuses on the CLI:
diagnose dvm device list
If the Config Status is Modified, why is the FortiGate conf still showing as in sync?
The Device Settings Status is the status between the device-level database configuration and the latest
revision history. Applying system templates changes the device-level database configuration, so it enters
the Modified state. You can see these details when you run the diagnose dvm device list
command.
The conf field on the CLI shows the status between the latest revision history and the actual FortiGate
configuration. Because the latest revision history is the same as the FortiGate configuration, the conf field
shows the in sync state.
The output also shows the serial number of the device, the connecting IP address of the device, the firmware
version, the name of the device on FortiManager, and the ADOM that the device is added to.
9. Examine the STATUS row of the diagnose dvm device list output for Local-FortiGate and Remote-
FortiGate.
In the previous lab, you added FortiGate devices to FortiManager and applied system templates.
In this exercise, you will install system template changes on both FortiGate devices, and then view those changes
locally, by logging in to each FortiGate.
You will install the default system template changes to Local-FortiGate and Remote-FortiGate using the Install
Wizard.
5. In the Install Wizard, make sure Install Device Settings (only) is selected, and then click Next.
6. On the Device Settings page, ensure that both FortiGate devices are selected.
7. Click Next.
8. Click Install Preview.
This shows you the changes that will be applied to all selected FortiGate devices.
This is the installation log that shows exactly what is installed on the managed device.
You will check the status of the managed device after the installation.
To check the status of the managed device
1. Continuing on the FortiManager GUI, review the Config Status.
It should now appear as Synchronized.
2. Click Local-FortiGate.
3. Under Configuration and Installation status, you should see that the Config Status is in the Synchronized
state.
4. Open PuTTY, and then connect over SSH to the FortiManager saved session.
5. Log in with the username admin and password password.
6. Enter the following command to display device statuses on the CLI:
diagnose dvm device list
You should see the following in the output for Local-FortiGate and Remote-FortiGate:
The dev-db status is not modified, which means that the FortiGate device-level database
configuration matches the latest running revision history. The dm: installed field means that the
installation was performed on FortiManager.
You can use this command to view the connecting IP address of managed devices, the link-level address that
FortiManager assigns, and the uptime of the FGFM tunnel between FortiGate and FortiManager.
Using FortiManager, you installed the system template configuration on both FortiGate devices. Now, you will log
in to the Local-FortiGate and Remote-FortiGate GUIs to view the configuration that was installed using
FortiManager.
By default, configuration changes made directly on FortiGate are automatically retrieved by FortiManager and are
reflected in the revision history. If required, you can disable this automatic update behavior on the FortiManager
CLI under config system admin setting, so that the FortiManager administrator decides whether to accept or
reject the configuration changes.
In this exercise, you will make configuration changes directly on the FortiGate devices, and then verify that
FortiManager automatically retrieved the configuration changes.
You will also review the configuration revision history of each FortiGate, which is created by auto update and other
actions.
3. Click Yes.
4. Click Log & Report > Log Settings.
5. Disable Enable Local Reports.
6. Click Apply.
7. Log out of the Local-FortiGate GUI.
Make Direct Changes on Remote-FortiGate
You will make direct changes on Remote-FortiGate. You will repeat the same steps for Remote-FortiGate that you
did for Local-FortiGate.
Now that you have made the configuration changes locally on both FortiGate devices, you will view the auto
update status on FortiManager, and view the configuration revision history entries that FortiManager created.
This confirms that the changes you made locally were backed up to FortiManager.
2. In the Configuration and Installation widget, click the Revision History icon.
You should see three configurations (you may have more configurations if you made further changes):
• The first Installation status should be Auto Updated, indicating that these changes were made locally on FortiGate and were automatically updated on FortiManager.
• The second Installation status should be Installed, indicating that these changes were made by FortiManager on the managed device.
• The third Installation status should be Retrieved, indicating that this configuration was taken from the device running configuration when the device was added to FortiManager.
When the installation is done using FortiManager, the installation log shows the name of the administrator who
made the changes, along with the commands that FortiManager sent. If an installation fails, the installation log is
useful because it shows the commands that the managed device received and accepted, as well as the
commands that the managed device did not accept.
You should see the CLI commands that FortiManager sent (which are identical to the installation that you
previewed earlier) and the FortiGate response.
View the Auto Update Status, Revision History, and Installation Log for
Remote-FortiGate (Optional)
To view the auto update status, revision history, and installation log for Remote-FortiGate
(optional)
1. Continuing on the FortiManager GUI, click Remote-FortiGate, and then follow the steps in View the Auto Update
Status and Revision History on page 69.
For Remote-FortiGate, you will see the NTP settings that FortiManager pushed based on the imported NTP
settings in the default system template from Local-FortiGate.
The task monitor provides the status of the task you performed. You can use it for troubleshooting various types of
issues, such as adding, importing, and installing changes from FortiManager.
To check task monitor entries
1. Log out of the FortiManager GUI, and then log back in to the FortiManager GUI with the username admin and
password password.
2. Click root.
3. Click System Settings.
4. Click Task Monitor.
This shows the installation log that corresponds to the installation that you performed earlier.
You can view and configure the device-level settings of the managed FortiGate in the Device Manager pane.
Most of these settings have a one-to-one correlation with the device configuration that you would see if you logged
in locally on the GUI or CLI of each FortiGate.
In this exercise, you will make configuration changes for the managed FortiGate in the Device Manager pane.
If you try to change the interface that the managed FortiGate uses to communicate with FortiManager, you receive a warning that the change may disrupt communication between FortiManager and FortiGate. If communication is lost during an installation, FortiManager attempts to recover the connection, but the installation is rolled back and the changes are reverted on the device.
You will change the Administrative Access setting of the Remote-FortiGate port4 interface that is used by
Remote-FortiGate to communicate with FortiManager.
Why is the Config Status showing the Modified (recent auto-updated) status for Remote-FortiGate?
The Modified status means that the device-level database change was made to Remote-FortiGate. You
changed the interface configuration.
The status recent auto-updated in parentheses means that the previous configuration changes were made
locally on FortiGate, and then automatically updated on FortiManager. You made changes to logging
settings locally in the previous lab.
Filter Devices Based on Status
FortiManager allows you to filter devices based on their current status. This is very helpful when you are managing
a large number of devices in the same ADOM. Based on the status, the FortiManager administrator can take
appropriate action.
To configure the administrator account
1. Continuing on the FortiManager GUI, click Local-FortiGate.
3. Click Customize.
4. In the System category, select the Administrators checkbox.
5. Click OK.
6. Click System > Administrators.
Field Value
Admin training
Password fortinet
9. Keep the default values for all other settings, and then click OK.
10. Click Managed FortiGate.
You will notice that the Config Status for Local-FortiGate has changed to Modified.
This is because you made a device-level configuration change for Local-FortiGate by configuring the
administrator account.
The Install Preview in the Configuration and Installation Status widget shows only
the preview for the device-level changes, not the changes related to policies and
objects.
You will install these changes on the managed devices using the Install Wizard.
3. Click Next.
4. On the Device Settings page, make sure that both FortiGate devices are selected.
5. Click Next.
6. Click Install Preview.
This shows you the changes that will be applied to the FortiGate devices.
7. On the Install Preview of Selected Devices page, click Close.
Optionally, you can also check the Install Preview for Remote-FortiGate.
9. Click Install.
10. Once the installation has completed successfully, select Local-FortiGate, and then click View Installation Log.
This is the installation log that shows exactly what is installed on the managed device.
After every retrieve, auto update, and installation operation, FortiManager stores the configuration checksum that FortiGate reports together with the new revision in the revision history. FortiManager compares that stored checksum with the checksum the device currently reports, and a mismatch is what marks the device as out of sync.
The Revision Diff feature lets you compare a revision with the previous revision, with a specific revision, or with the factory default configuration. For the output, you can show the full configuration with the differences highlighted, show only the differences, or capture the differences to a script.
You will compare the differences between the latest revision and previous revision.
2. In the Configuration and Installation widget, click the Revision History icon.
5. Click Apply.
This shows the difference in configuration between the previous version and the current running version.
Remember, you configured the FortiAnalyzer settings for both FortiGate devices.
6. Click Close.
7. In the ID column, click 4 again, and then click Revision Diff.
8. Select Capture Diff to a Script.
9. Click Apply.
10. Click Close.
This shows you the exact CLI syntax of the changes. You can use this script to configure other FortiGate
devices if they require the same settings using the script feature on FortiManager.
This demonstrates capturing differences in the form of scripts. Make sure that the
script captured is valid for other FortiGate devices before using it for other FortiGate
devices. If required, you can edit the script before applying it to other FortiGate
devices.
For example, if you configured a static route along with the administrator setting, the
static route settings might not be valid for other FortiGate devices.
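The comparison and the script capture described above can be reproduced offline, which is useful when you want to review a diff outside the GUI or generate a script from two saved configuration files. The following is an added example (not from the lab guide or from Fortinet) that flattens two constructed FortiOS-style configuration revisions, computes a checksum for each in the same spirit as the checksum comparison FortiManager uses to detect an out-of-sync device, and emits only the changed settings as a CLI script in the shape that Capture Diff to a Script produces. It handles config ... end blocks with a single level of edit ... next entries, which covers the DNS and administrator settings used in these labs. As the note above says, review the generated script before running it on another device.

```python
"""Flatten FortiOS CLI config, fingerprint a revision, and turn the difference
between two revisions into an installable CLI script. Added example, not from
the lab guide or Fortinet; REV_OLD/REV_NEW are constructed. Handles 'config ...
end' blocks with one level of 'edit ... next' entries (enough for the lab)."""
import hashlib
import shlex

REV_OLD = """\
config system dns
    set primary 208.91.112.53
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.0.1.0 255.255.255.0
    next
    edit "temp"
        set accprofile "prof_admin"
    next
end
"""

REV_NEW = """\
config system dns
    set primary 208.91.112.53
    set secondary 208.91.112.52
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "training"
        set accprofile "prof_admin"
    next
end
"""

def parse_config(text):
    """{block_path: {setting: value}}; path is ("system dns",) or ("system admin", "admin").
    'unset'/'delete' are applied, so a generated script can be replayed on the old revision."""
    blocks, stack = {}, []
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            stack.append(" ".join(args))
            blocks.setdefault(tuple(stack), {})
        elif cmd == "edit":
            stack.append(args[0])
            blocks.setdefault(tuple(stack), {})
        elif cmd == "set":
            blocks[tuple(stack)][args[0]] = " ".join(args[1:])
        elif cmd == "unset":
            blocks[tuple(stack)].pop(args[0], None)
        elif cmd == "delete":
            blocks.pop(tuple(stack + [args[0]]), None)
        elif cmd in ("next", "end"):
            stack.pop()
    return blocks

def revision_checksum(text):
    """SHA-256 over the canonicalised settings (whitespace- and order-independent).
    FortiManager compares the checksum stored with a revision against the one the
    device currently reports to flag it out of sync; this is the same kind of check."""
    blocks = parse_config(text)
    canonical = "\n".join(f"{'/'.join(path)} {k}={v}"
                          for path in sorted(blocks) for k, v in sorted(blocks[path].items()))
    return hashlib.sha256(canonical.encode()).hexdigest()

def diff_to_script(old, new):
    """CLI that moves a device from `old` to `new` (both parsed), like 'Capture Diff to
    a Script': changed settings only, removed settings -> unset, removed entries -> delete."""
    lines = []
    for path in sorted(set(old) | set(new)):
        table, entry = path[0], (path[1] if len(path) > 1 else None)
        before, after = old.get(path), new.get(path)
        if after is None:                       # entry removed in the new revision
            if entry is not None:
                lines += [f"config {table}", f'    delete "{entry}"', "end"]
            continue
        body = []
        for key in sorted(set(before or {}) | set(after)):
            if key not in after:
                body.append(f"unset {key}")
            elif before is None or before.get(key) != after[key]:
                body.append(f"set {key} {after[key]}")
        if not body:
            continue
        indent = "        " if entry else "    "
        lines.append(f"config {table}")
        if entry:
            lines.append(f'    edit "{entry}"')
        lines += [indent + cmd for cmd in body]
        if entry:
            lines.append("    next")
        lines.append("end")
    return "\n".join(lines)

if __name__ == "__main__":
    print(revision_checksum(REV_OLD)[:16], "->", revision_checksum(REV_NEW)[:16])
    print(diff_to_script(parse_config(REV_OLD), parse_config(REV_NEW)))
```

The script only contains what changed (the new secondary DNS server, the removed trusted host, the deleted and the added administrator), so settings such as the unchanged primary DNS server do not appear, which is the same reason the system template install earlier skipped a DNS entry that Local-FortiGate already had.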
A script can make many changes to a managed device and is useful for making bulk configuration changes and
ensuring consistency across multiple managed devices. You can configure and install scripts from FortiManager
to managed devices.
In this exercise, you will make configuration changes using the script feature, and then install the changes on the
managed devices.
Configure Scripts
To configure scripts
1. Log in to the FortiManager GUI with the username student and password fortinet.
2. Click My_ADOM.
3. Click Device Manager.
4. Click Scripts.
7. Click Desktop > Resources > FortiManager > Device-Config, and then select Local-Script.
8. Click Open, keep the default values for all other settings, and then click Import.
9. Click Close.
10. Click Import CLI Script again.
Run and Install Scripts
Because the scripts target the device database, you will first run the scripts against the device database, and then
install the scripts on the managed devices.
To run scripts
1. Continuing on the FortiManager GUI, select the Local-Script checkbox, and then click Run Script.
If required, you can also view the script execution history later in the Configuration
and Installation Status widget or in the Task Monitor.
6. Click Close.
7. Click Close.
8. Clear the Local-Script checkbox, select the Remote-Script checkbox, and then click Run Script.
9. Select and add Remote-FortiGate to the Selected Entries list.
10. Click Run Now.
11. Click OK.
12. Click Close.
To install scripts
1. Continuing on the FortiManager GUI, click Device & Groups > Managed FortiGate.
Stop and think!
Why is the Config Status showing Modified for both FortiGate devices? If you do not see the Modified
status, refresh the page a few times.
Why is the Policy Package Status for Local-FortiGate showing Out of Sync, but the Policy Package
Status for Remote-FortiGate remains unchanged as Never Installed?
The scripts contain configuration changes related to device-level settings and policies.
The Config Status is Modified for both FortiGate devices because of device-level changes.
Because the Local-FortiGate policy package was imported when you added FortiGate, FortiManager
detects policy-level changes, and marks the Local-FortiGate Policy Package Status as Out of Sync.
For Remote-FortiGate, the policy package was never imported, and therefore FortiManager cannot
compare the differences in the policies.
2. Select Local-FortiGate and Remote-FortiGate, click Install, and then click Quick Install.
3. Click OK.
The installation is successful on both FortiGate devices.
The Quick Install option does not provide an option for installation preview and
installation log. You should use it only if you are absolutely sure about the changes you
are trying to install.
4. Click Finish.
The firewall inspection tester (FIT) VM generates web browsing traffic, application control, botnet IP hits, malware
URLs, and malware downloads.
You will direct FIT-generated traffic through the Local-FortiGate firewall policy. This traffic will be used to run
FortiAnalyzer reports later in the labs.
7. Leave the PuTTY session open (you can minimize it) so traffic continues to generate.
This will run throughout the remainder of the labs.
Do not close the FIT PuTTY session or traffic will stop generating.
In this lab, you will explore the common operations of the Policy & Objects pane, which you can use to centrally
manage FortiGate firewall policies and manage shared and dynamic objects.
Objectives
• Import firewall policies and objects from a managed device, and then review the imported policy packages
• Create ADOM revisions
• Use workflow mode to configure and send changes for approval
• Find duplicate objects and merge them, and delete used objects
• Create a policy package that is shared across multiple devices
• Create shared objects and dynamic objects with mapping rules
• Identify the different policy and object interface mapping types, and configure zone mappings
• Install a policy package and device settings on the Policy & Objects pane
• Run a FortiAnalyzer report
Time to Complete
Estimated: 70 minutes
In the previous lab, you installed scripts that contained both device-level and policy configuration changes. Because you ran the scripts against the device database, the resulting revision history contains those changes, but the policy packages in the ADOM are not updated automatically; you must import them manually.
In this exercise, you will import the policies using the Import Policy wizard, which will update the policy packages
to reflect the configuration changes.
Additionally, you will create an ADOM revision, which is a snapshot of all the policy and object configurations for
an ADOM.
Import Policies
You will import policies and objects for both of the managed FortiGate devices.
To import policies
1. Log in to the FortiManager GUI with the username student and password fortinet.
2. Click My_ADOM.
3. Click Device Manager.
4. Right-click Local-FortiGate, and then click Import Configuration.
8. In the Object Selection field, select Import all objects.
9. In the port2 row, select Per-Device, and then ensure that the other two ports are also set to Per-Device.
Download Import Report is available only on this page—make sure that you
download the import report before you click Finish.
An ADOM revision creates a snapshot of the policy and object configuration for the ADOM. Now that you have
imported policies and objects from both FortiGate devices, you will create ADOM revisions that are stored locally
on FortiManager, and are useful for comparing the differences between two revisions or reverting to a previous
revision.
2. Click Create New, and then in the Name field, type Initial revision.
3. Select Lock this revision from auto deletion.
4. Click OK.
You can see the lock icon, the name of the administrator who created the revision, and the date and time.
5. Click Close.
You can use workflow mode to control the creation, configuration, and installation of policies and objects. It helps
to ensure that all changes are reviewed and approved before they are applied.
Workflow mode is similar to ADOM locking (workspace mode), but it also allows administrators to submit their
configuration changes for approval. Configuration changes are not committed to the FortiManager database until
the approval administrator approves the changes. Only approved configuration changes can be installed on the
managed device.
In this exercise, you will enable workflow mode, and then make configuration changes related to policies and
objects. You will send configuration changes for approval and, once they are approved, you will install the
changes.
5. Click Workflow.
6. Click Create New.
7. In the ADOM field, select My_ADOM.
8. In the Approval Group # 1 field, select admin.
9. Click OK.
10. Click OK.
11. Click Apply.
Before you enable workflow mode, ensure that all FortiManager administrators are
notified to save their work on FortiManager. This is because enabling workflow mode
terminates all management sessions.
11. Expand Firewall Address, and then in the LOCAL_SUBNET row, click Merge.
You can see that both the LAN and LOCAL_SUBNET firewall addresses are displayed as duplicate objects
because both have the same values. Other objects that have the same values are also displayed.
By merging the duplicate objects, you can reduce the object database, which may help
to avoid overwhelming the FortiManager administrator with a large number of objects
from different FortiGate devices in the same ADOM. You can also delete the unused
objects in the same Tools menu if they will not be used in the future.
The object is referenced in the Local-FortiGate-1 policy package in firewall policy 1 as the destination
address.
FortiManager allows you to delete a used object. Be careful about deleting a used
object because it will be replaced by the none address 0.0.0.0/255.255.255.255.
This means that any traffic that meets this specific firewall policy is blocked if there is
no catch all or shadowed policy below it. In this case, the destination address of
firewall policy 1 in the Local-FortiGate-1 policy package is replaced by none after the
LINUX address object is deleted.
Your changes are still not saved in the FortiManager database because they must first
be approved by the approval administrator.
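Before you approve a session that deletes a used object, it helps to see exactly which policies are affected and where their traffic will go afterwards. The following is an added example (not from the lab guide or from Fortinet) that models a constructed copy of the Local-FortiGate-1 package in which LINUX is the destination of firewall policy 1, substitutes none for every reference to the deleted object the way FortiManager does, and reports which policies can no longer match any traffic and which policy below them will catch that traffic instead. Policies 2 and 3 are constructed to show the risk the note above hints at: when the policy that dies is a deny policy, the traffic it used to block can fall through to an accept policy rather than to the implicit deny.

```python
"""Preview the effect of deleting an address object that policies still use.
Added example, not from the lab guide or Fortinet. The package is constructed to
mirror the lab (LINUX is the destination of firewall policy 1 in the
Local-FortiGate-1 package); policies 2 and 3 are added to show the fall-through."""
from copy import deepcopy

NONE_ADDRESS = "none"                 # 0.0.0.0/255.255.255.255: matches no traffic
ADDRESS_FIELDS = ("srcaddr", "dstaddr")

LOCAL_FORTIGATE_1 = [
    {"policyid": 1, "name": "Deny_Linux", "srcintf": ["port3"], "dstintf": ["port1"],
     "srcaddr": ["LOCAL_SUBNET"], "dstaddr": ["LINUX"], "action": "deny"},
    {"policyid": 2, "name": "Full_Access", "srcintf": ["port3"], "dstintf": ["port1"],
     "srcaddr": ["LOCAL_SUBNET"], "dstaddr": ["all"], "action": "accept"},
    {"policyid": 3, "name": "Admin_to_Linux", "srcintf": ["port3"], "dstintf": ["port1"],
     "srcaddr": ["Admin_PC", "LINUX"], "dstaddr": ["all"], "action": "accept"},
]


def find_references(package, obj_name):
    """(policyid, field) pairs in which obj_name is used; check this before deleting."""
    return [(p["policyid"], f) for p in package for f in ADDRESS_FIELDS if obj_name in p[f]]


def delete_object(package, obj_name):
    """Return (new_package, impact). Each reference is replaced by 'none', as
    FortiManager does; a policy whose field holds only 'none' can never match again."""
    new_package = deepcopy(package)
    impact = []
    for policy in new_package:
        for field in ADDRESS_FIELDS:
            if obj_name not in policy[field]:
                continue
            policy[field] = [NONE_ADDRESS if a == obj_name else a for a in policy[field]]
            impact.append({"policyid": policy["policyid"], "field": field,
                           "dead": all(a == NONE_ADDRESS for a in policy[field])})
    return new_package, impact


def fallthrough(package, dead_policyid):
    """Where traffic that a dead policy used to catch goes now: the next policy on the
    same interface pair, or None for the implicit deny. Coarse (interfaces only)."""
    dead = next(p for p in package if p["policyid"] == dead_policyid)
    below = False
    for policy in package:
        if policy["policyid"] == dead_policyid:
            below = True
        elif below and (policy["srcintf"], policy["dstintf"]) == (dead["srcintf"], dead["dstintf"]):
            return policy
    return None


def deletion_report(package, obj_name):
    """Summary an approval administrator would want to see in the workflow session."""
    new_package, impact = delete_object(package, obj_name)
    lines = [f"{obj_name} is referenced by: {find_references(package, obj_name)}"]
    for hit in impact:
        if not hit["dead"]:
            continue
        nxt = fallthrough(new_package, hit["policyid"])
        dest = f"policy {nxt['policyid']} ({nxt['action']})" if nxt else "implicit deny"
        lines.append(f"policy {hit['policyid']} now matches nothing; its traffic falls to {dest}")
    return lines


if __name__ == "__main__":
    print("\n".join(deletion_report(LOCAL_FORTIGATE_1, "LINUX")))
```

In this constructed package, deleting LINUX turns the deny policy 1 into a policy that matches nothing, and traffic to the LINUX host is then accepted by policy 2. Policy 3 keeps working because Admin_PC remains in its source field. Run the same kind of check (or compare the Install Preview) before approving the deletion in the workflow session.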
3. Click the lock icon to lock the ADOM.
4. Click Policy & Objects.
5. Click Sessions > Session List.
The session list shows you the name of the request made, user, date, and approval
status.
The approval administrator can approve, reject, discard, or view the differences
between two revisions. The approval administrator can also create a session that can
be sent to a different approval administrator, or can self-approve based on the
workflow approval matrix.
7. Click OK.
8. Click Continue Without Session.
If an administrator locks ADOMs, and then logs out of the FortiManager GUI, the locks
release for all the ADOMs that the administrator locked.
Always log out of the FortiManager GUI gracefully when ADOM locking (workspace or
workflow) is enabled.
On the GUI (System Settings > System Information widget > Current Administrators > Admin Session List):
On the CLI:
6. On the Local-Client VM, open a terminal window, and then run a ping to the LINUX address object.
ping 10.200.1.254
You can see that the request timed out because the firewall policy has the destination set to LINUX and the
action set to DENY locally on Local-FortiGate.
You can see that FortiManager is replacing the destination address of firewall policy 1 with none, and deleting
the LINUX address object.
FortiManager also deletes any other unused objects. This is expected because when you install a policy
package for the first time, FortiManager deletes all unused objects.
You will create a single policy package that can be shared by multiple devices, as opposed to having a policy
package for each device, which is the current configuration. You will use the installation target setting in a firewall
policy to target specific policies to specific FortiGate devices.
You will configure dynamic mappings for objects that are used to map a single logical object to a unique definition
for each device.
Field Value
Name Internal
Type Subnet
IP/Netmask 10.0.0.0/8
8. In the Per-Device Mapping section, configure the following settings:
a. Expand Per-Device Mapping.
b. Click Create New.
You will create dynamic mappings for interfaces and device zones.
2. In the search field, type port3.
4. In the Per-Device Mapping section, in the Mapped Device column, select Local-FortiGate(root), and then click
Delete.
5. In the Change Note field, type some text.
6. Click OK.
7. In the search field, type port6.
8. Right-click port6, and then select Edit.
9. In the Per-Device Mapping section, in the Mapped Device column, select Remote-FortiGate(root), and then
click Delete.
You must delete the Per-Device Mapping. This is because interfaces were
dynamically mapped when the devices were added to FortiManager. After deleting the
previous mapping, you can then add these interfaces to map to newly created
normalized interfaces.
a. In the Mapped Device field, select Local-FortiGate.
b. In the Mapped Interface Name field, select port3.
c. Click OK.
Import and Install a CLI Script to Delete Policies
You will import and install a script on the policy package to delete policies.
5. Click Desktop > Resources > FortiManager > Policy, and then select Local-Policy-Script.
6. Click Open, and then in the Run Script on field, select Policy Package or ADOM Database.
7. Click Import.
8. Click Close.
9. Click Import CLI Script again.
Because the scripts are targeting the policy package, you will first run the scripts against the policy package, and
then install the scripts on the managed devices.
If needed, you can also view the script execution history later in the Configuration
and Installation Status widget or in the Task Monitor.
6. Click Close.
7. Click Close.
8. Clear the Local-Policy-Script checkbox, select the Remote-Policy-Script checkbox, and then click Run Script.
9. In the Run script on policy package field, select Remote-FortiGate.
To install configuration
1. Continuing on the FortiManager GUI, click Device & Groups > Managed FortiGate.
2. Click Install, and then click Install Wizard.
3. Select Install Policy Package & Device Settings, and then in the Policy Package field, select Local-FortiGate-
1.
4. Click Next.
5. Make sure that Local-FortiGate is selected, and then click Next.
6. Select Local-FortiGate, and then click Install.
7. Click Finish.
8. Click Install, and then click Install Wizard.
9. Select Install Policy Package & Device Settings, and then in the Policy Package field, select Remote-
FortiGate.
10. Click Next.
11. Make sure that Remote-FortiGate is selected, and then click Next.
12. Select Remote-FortiGate, and then click Install.
13. Click Finish.
3. Click Policy & Objects > Firewall Policy.
You should see only the Implicit Deny policy.
This is because external ports in the configuration were already being used by the policies. You cannot add
interfaces to the zone that are already being used by the policies on the FortiGate.
You must update the policy packages on the devices before you add interfaces to the device zone.
When you create a device zone, map the zone to a physical interface. To use the zone
in a policy, you must also map the zone to a normalized interface.
a. In the Interface Member field, select port1 and port2.
b. Enable Block intra-zone traffic.
c. Click OK.
6. Click Remote-FortiGate.
7. Click System > Interface.
8. Click Create New > Device Zone again.
9. In the Zone Name field, type Outside.
10. Configure the following:
a. In the Interface Member field, select port4 and port5.
b. Enable Block intra-zone traffic.
c. Click OK.
c. Click OK.
Your configuration should look like the following example:
You can use FortiManager to target a common policy package to multiple devices. When you configure an
installation target, by default, all policies in the policy package are targeted to all selected FortiGate devices. You
can further restrict the policies in the policy package to be targeted to specific FortiGate devices by using the
Install On feature, which targets specific policies in the policy package to selected FortiGate devices in the Install
On column.
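To see how Install On and per-device mappings combine at installation time, the following is an added example (not from the lab guide or from Fortinet) that renders the Training package for each device: it drops policies whose Install On column excludes the device, resolves the Internal address to its per-device mapping (falling back to the object's default value), expands the normalized interface Inside and the device zone Outside to the real interfaces on each FortiGate, and reports, as Install Preview would, any device for which a normalized interface has no mapping. The Remote-FortiGate value for Internal is constructed; the other names and values follow the lab.

```python
"""Render a shared policy package per device: Install On targets plus per-device
(dynamic) mappings for address objects and normalized interfaces. Added example,
not from the lab guide or Fortinet. Names follow the lab (package Training,
policies For_Local/For_All, address Internal, normalized interface Inside, device
zone Outside); the Remote-FortiGate value of Internal is constructed."""

DEVICES = ["Local-FortiGate", "Remote-FortiGate"]

# Address objects: a default value plus optional per-device mappings.
ADDRESSES = {
    "Internal": {"default": "10.0.0.0/8",
                 "mapping": {"Local-FortiGate": "10.0.1.0/24",
                             "Remote-FortiGate": "10.0.2.0/24"}},   # Remote value constructed
    "all": {"default": "0.0.0.0/0", "mapping": {}},
}

# Normalized interfaces: logical name -> per-device interface or device zone.
NORMALIZED_INTERFACES = {
    "Inside": {"Local-FortiGate": "port3", "Remote-FortiGate": "port6"},
    "Outside": {"Local-FortiGate": "Outside", "Remote-FortiGate": "Outside"},
}

# Device zones defined in Device Manager: device -> zone -> member interfaces.
DEVICE_ZONES = {
    "Local-FortiGate": {"Outside": ["port1", "port2"]},
    "Remote-FortiGate": {"Outside": ["port4", "port5"]},
}

TRAINING_PACKAGE = [
    {"policyid": 1, "name": "For_Local", "srcintf": "Inside", "dstintf": "Outside",
     "srcaddr": "Internal", "dstaddr": "all", "action": "accept",
     "install_on": ["Local-FortiGate"]},            # Install On: one device only
    {"policyid": 2, "name": "For_All", "srcintf": "Inside", "dstintf": "Outside",
     "srcaddr": "Internal", "dstaddr": "all", "action": "accept",
     "install_on": "all"},                          # default: every installation target
]


class MappingError(Exception):
    """A normalized interface has no mapping for the target device (install would fail)."""


def resolve_address(name, device):
    """Per-device mapping wins; otherwise the object's default value is installed."""
    obj = ADDRESSES[name]
    return obj["mapping"].get(device, obj["default"])


def resolve_interface(name, device):
    """Normalized interface -> device interface or zone; zones expand to their members."""
    try:
        target = NORMALIZED_INTERFACES[name][device]
    except KeyError:
        raise MappingError(f"{name} has no mapping for {device}") from None
    members = DEVICE_ZONES.get(device, {}).get(target)   # None for a plain interface
    return {"name": target, "members": members}


def render_for_device(package, device):
    """Policies that the package installs on `device`, with every mapping applied."""
    rendered = []
    for p in package:
        if p["install_on"] != "all" and device not in p["install_on"]:
            continue                                    # excluded by Install On
        rendered.append({
            "policyid": p["policyid"], "name": p["name"], "action": p["action"],
            "srcintf": resolve_interface(p["srcintf"], device),
            "dstintf": resolve_interface(p["dstintf"], device),
            "srcaddr": resolve_address(p["srcaddr"], device),
            "dstaddr": resolve_address(p["dstaddr"], device),
        })
    return rendered


def preflight(package, devices):
    """Like Install Preview: device -> error message for devices the install would fail on."""
    problems = {}
    for device in devices:
        try:
            render_for_device(package, device)
        except MappingError as exc:
            problems[device] = str(exc)
    return problems


if __name__ == "__main__":
    for device in DEVICES:
        for policy in render_for_device(TRAINING_PACKAGE, device):
            print(device, policy["name"], policy["srcintf"]["name"], "->",
                  policy["dstintf"]["name"], policy["srcaddr"], "->", policy["dstaddr"])
```

Local-FortiGate receives both policies with Internal rendered as 10.0.1.0/24 and Outside expanded to port1 and port2; Remote-FortiGate receives only For_All. A policy that references a normalized interface with no mapping for one of the targets is caught by preflight before anything is pushed, which is the same failure Install Preview reports.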
2. Name the new policy package Training, and then click OK.
3. Select Local-FortiGate and Remote-FortiGate, and then add them to the Selected Entries section.
4. Click OK.
The Policy Package Status column shows the name of the currently active policy packages for these
FortiGate devices.
Field Value
Name For_Local
Schedule always
Action Accept
8. Click OK.
9. Click Create New to create a second policy, and then configure the following settings:
When you create the second policy, if you do not see all of the interfaces, make sure
that you clear the interface filter when you select the interfaces.
Field Value
Name For_All
Schedule always
Action Accept
11. Click the column settings icon, and then make sure that the Install On checkbox is selected. You may need to scroll to the right to find the Install On column.
Once the Install On column is added, you can drag the column to where you want it positioned in the column
list.
4. Click Next.
5. Select both of the FortiGate devices.
6. Click Next.
If you hover over the Status column of the FortiGate devices, the name of the previous policy package is
displayed.
Optionally, you can preview the changes before you install them.
7. Make sure that both of the FortiGate devices are selected, and then click Install.
8. After the installation is successful, you can click View Installation Log to see the installation history for each
FortiGate.
4. Click Addresses.
Internal is translated to 10.0.1.0/24, according to the dynamic mapping of address objects.
Optionally, you can check the interface and zone under Network, and the Internal address object under
Addresses.
You can use this revision to revert changes made to your policy packages and objects
in your ADOM. Remember, this does not revert settings at the Device Manager level.
When FortiManager manages a FortiAnalyzer, all configuration and data is stored on the FortiAnalyzer to support
the following FortiAnalyzer features:
• FortiView
• Log View
• Incidents and Events
• Reports
You will create a single FortiAnalyzer report using FortiManager.
View Logs
When a FortiManager manages a FortiAnalyzer, you can view the logs that the FortiAnalyzer receives. Now that
FortiAnalyzer is added on FortiManager, and both FortiGate devices are configured to send logs to FortiAnalyzer,
you will view the logs.
To view logs
1. Log in to the FortiManager GUI with the username student and password fortinet.
2. Click My_ADOM.
3. Click Log View.
4. Click the time period drop-down list, and then select Custom.
4. Depending on the class format, do one of the following:
• Instructor-led class instructions: Click the Settings tab, and then in the Time Period field, select Today.
If you did not do the previous labs on the same day you are doing this one, adjust the Time Period accordingly to avoid a report with little or no data.
• Self-paced class instructions: Click the Settings tab, in the Time Period field, select Custom, and then specify the time range shown in the following image:
Selecting the specified time period ensures that the resulting report is not empty, because traffic was generated on those dates.
5. Click Apply.
6. Click the Generated Reports tab, and then click Run Report to run the report on demand.
In this lab, you will enable and configure a global header policy.
Header and footer policies are used to envelop policies within each ADOM. These are typically invisible to users
and devices in the ADOM layer. An example of where this is used is in a carrier environment, where the carrier
allows customer traffic to pass through their network but does not allow the customer to have access to the
carrier’s network assets.
Objectives
• Create a global header policy
• Assign the policy to an ADOM
• Install the policy on devices
Time to Complete
Estimated: 15 minutes
Header and footer policies are used to envelop the policies in each ADOM. You can create the header and footer
policies once in the global ADOM, and then assign them to multiple policy packages in other ADOMs.
In this exercise, you will create the header policy in the global ADOM, and then assign the header policy to the
managed devices in My_ADOM. Next, you will install the header policy on the managed devices.
Field Value
Name Global_Policy
Field Value
Service gPING
Schedule galways
Action Deny
6. Click OK.
To assign a header policy
1. Click Assignment.
2. Click Add ADOM.
Field Value
ADOMs My_ADOM
Specify Policy Packages To Select the checkbox, and then select default.
Exclude
4. Click OK.
5. Select My_ADOM, and then click Assign.
FortiManager assigns the header policy to the Local-FortiGate and Remote-FortiGate_root policy packages.
2. Click My_ADOM.
3. Click Training > Firewall Header Policy to view the assigned header policy.
5. Click OK.
6. Click Install Preview.
The configuration changes that FortiManager will install on FortiGate appear—in this case, the header policy
and related objects.
11. Click Login Read-Only.
12. Click Policy & Objects > Firewall Policy.
You should see the header policy at the top.
You can also promote ADOM objects to global objects. To do this, right-click any of the
ADOM objects, and then select Promote to Global. You can use promoted objects in
the global ADOM.
In this lab, you will perform diagnostics and troubleshooting when installing device-level settings and importing
firewall policies.
Objectives
• Diagnose and troubleshoot issues when you install system templates
• Diagnose and troubleshoot issues when you import policy packages
Time to Complete
Estimated: 30 minutes
Prerequisites
Before beginning this lab, you must restore the configuration files to Remote-FortiGate, Local-FortiGate, and
FortiManager.
To restore the FortiManager configuration
1. On the Local-Client VM, open a browser, and then log in to the FortiManager GUI with the username admin and
password password.
2. Click root.
3. Click System Settings.
4. In the System Information widget, in the System Configuration field, click the Restore icon.
5. Click Browse.
6. Browse to Desktop > Resources > FortiManager > Troubleshooting, and then select FMG-diag.dat.
You do not have to enter a password because the file is not encrypted.
7. Leave the Overwrite current IP, routing and HA settings checkbox selected.
8. Click OK.
FortiManager reboots.
9. Wait for FortiManager to reboot, and then log in to the FortiManager GUI as the admin user.
10. Click root.
11. Click System Settings.
12. Click Advanced > Advanced Settings.
In this exercise, you will diagnose and troubleshoot issues that occur when you install configuration changes on
Local-FortiGate and Remote-FortiGate.
You will view the installation preview to learn which device-level configuration changes FortiManager will install on the FortiGate devices. The objective of this task is to verify, and troubleshoot where necessary, that FortiManager installs the correct configuration settings on the FortiGate devices.
3. Click Device Manager.
4. Click Local-FortiGate.
6. Write down the DNS settings that FortiManager will install on Local-FortiGate.
Primary:
Secondary:
7. Click Close.
To view the installation preview for Remote-FortiGate
1. On the FortiManager GUI, click Remote-FortiGate.
2. In the Configuration and Installation widget, click Install Preview.
3. Write down the DNS settings that FortiManager will install on Remote-FortiGate.
Primary:
Secondary:
4. Click Close.
The system template was configured with two entries. Why does Local-FortiGate show only one DNS entry,
but Remote-FortiGate shows two entries?
Local-FortiGate was preconfigured with the primary DNS entry 208.91.112.53. When Local-FortiGate was added to FortiManager, that setting was retrieved into the device-level database, so the system template only needs to add the entry that is missing. To verify this, check the current revision history and search for config system dns.
You can use the following procedure to view the system template and DNS settings on the CLI.
You will view the DNS configuration for the configured system template and compare it to the device-level
database settings for DNS (for both Local-FortiGate and Remote-FortiGate). You will view the configuration on the
CLI.
The execute fmpolicy print- family of commands (for example, execute fmpolicy print-device-object) allows you to view, on the FortiManager CLI, the configuration stored for provisioning templates, ADOMs, and the device database.
You can type ? after a partial command to display the available command syntax.
2. Enter the following command to view the Remote-FortiGate DNS settings in the FortiManager device-level
database:
execute fmpolicy print-device-object ADOM1 Remote-FortiGate root 15
3. Compare the FortiManager system template entries with each FortiGate.
The primary DNS entry for Local-FortiGate matches the primary DNS entry in the default system template.
Because of this, FortiManager skips the primary DNS entry for Local-FortiGate—Local-FortiGate has already
been configured with the same entry.
You will install device-level configuration changes (system templates) on the managed FortiGate devices.
5. Make sure both devices are selected, and then click Next.
6. Click Install Preview, and then view the install preview for Local-FortiGate.
8. Click Close.
9. Make sure both FortiGate devices are selected, and then click Install.
The installation begins.
10. After the installation finishes, select any of the FortiGate devices, and then click the View Installation Log icon to
view and verify what is being installed on each device.
Stop and think!
Why does FortiManager show two progress bars when installing changes on a FortiGate?
As you learned in previous lessons, when you perform an installation, the copy operation is the first
operation that FortiManager performs, before the actual installation.
You may need to enable the Config Status column in the column settings to check the status.
In this exercise, you will view the policies and objects imported into the ADOM database. Objects are stored in
the common object database of the ADOM, so they can be shared among the managed FortiGate devices in that
same ADOM.
You will also diagnose and troubleshoot issues that occur while you import the Remote-FortiGate policy package.
Because the Local-FortiGate policy package is imported into ADOM1, you will view the Local-FortiGate policy
package and objects imported into the ADOM1 database.
Notice the source address of Test_PC for the Ping_Test firewall policy.
5. Click Object Configurations.
6. Expand Firewall Objects, and then click Addresses.
7. Review the configuration for the Test_PC firewall address.
In the ADOM database, Test_PC is set to the any interface based on the configuration imported from Local-FortiGate.
You must import the policies and objects from Remote-FortiGate. But first, you will review the policies and objects
locally on Remote-FortiGate.
Remember, the Test_PC address object is bound to the any interface in the ADOM database.
Import a Policy Package
You will import the policies and objects for Remote-FortiGate into the policy package, and then troubleshoot
issues with the policy import.
7. Keep the default values for all other settings, and then click Next.
8. Click Next.
Did you notice that the policy import skipped one firewall policy and a firewall address object?
9. Click Download Import Report to view the reason that the policy import skipped a firewall policy.
10. Open the file (or save it for future reference).
Did you notice that the policy import failed when importing firewall policy 2 and the Test_PC address object?
The following output provides the reason for the policy import failure:
reason=interface(interface binding contradiction. detail: any<-port6) binding fail)"
What does this error mean? What is the impact? How can you fix this partial policy import issue?
Remember, in the ADOM1 database, the Test_PC firewall address is bound to the any interface, based on
the configuration imported from Local-FortiGate. On Remote-FortiGate, policy ID 2 uses the Test_PC
firewall address, bound to port6, as its source address.
This is the expected behavior on FortiManager: it does not allow the same address object name to be bound
to different interfaces, so the conflicting object and every policy that references it are skipped.
Because FortiManager imported only part of the policies into the policy package, if you make a change to
the policy package and install it, FortiManager deletes the skipped policies and the objects associated
with those policies from the device, along with all unused objects. Always read the import report before
you install a package that was imported with skipped items.
You must change the Test_PC firewall address binding to the any interface by logging in to Remote-FortiGate
locally.
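The two checks discussed in this lab (which template DNS entries FortiManager actually installs, and why the import of Remote-FortiGate rejected Test_PC) can be reproduced offline with a small model. The following script is an added example for this guide, not Fortinet code and not how FortiManager is implemented internally: it parses FortiGate-style CLI text and applies the two rules the lab describes. The value 208.91.112.53 comes from the lab; the secondary DNS, the subnets, the Remote-FortiGate DNS value and the policy details are constructed for the example.

```python
"""Model of two FortiManager import-time checks seen in this lab.

Added example, not Fortinet code. It parses FortiGate-style CLI text
(config / edit / set / next / end) and answers:
  1. which DNS entries a system template would push to a device, given what
     the device-level database already holds (matching entries are skipped);
  2. whether importing a device's address objects into an ADOM database hits
     an "interface binding contradiction", and which policies that skips.
"""
import shlex


def parse_config(text):
    """Parse FortiGate CLI config into nested dicts: 'config a b' nests under
    'a b', 'edit name' under 'name', and 'set key v1 v2' stores ['v1', 'v2']."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())  # shlex strips the quotes
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        if keyword in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif keyword == "set":
            stack[-1][args[0]] = args[1:]
        elif keyword in ("next", "end"):
            stack.pop()
    return root


def dns_install_plan(template, device_db):
    """Template DNS entries whose value differs from the device-level database.
    Identical entries are skipped, which is why Local-FortiGate's Install
    Preview listed only one entry."""
    wanted = template.get("system dns", {})
    current = device_db.get("system dns", {})
    return {k: v[0] for k, v in wanted.items() if current.get(k) != v}


def binding_conflicts(adom_db, device_cfg):
    """Mirror the import rule that one address name cannot be bound to
    different interfaces. Returns (name, adom_intf, device_intf, reason)."""
    adom_addrs = adom_db.get("firewall address", {})
    found = []
    for name, attrs in device_cfg.get("firewall address", {}).items():
        if name not in adom_addrs:
            continue  # new object: nothing in the ADOM database to contradict
        adom_intf = adom_addrs[name].get("associated-interface", ["any"])[0]
        dev_intf = attrs.get("associated-interface", ["any"])[0]
        if adom_intf != dev_intf:
            reason = ("interface(interface binding contradiction. "
                      f"detail: {adom_intf}<-{dev_intf}) binding fail")
            found.append((name, adom_intf, dev_intf, reason))
    return found


def skipped_policies(device_cfg, conflicts):
    """Policy IDs referencing a conflicting address: the import drops them,
    and a later install of the package would delete them from the device."""
    bad = {name for name, *_ in conflicts}
    policies = device_cfg.get("firewall policy", {})
    return [pid for pid, p in policies.items()
            if bad & set(p.get("srcaddr", []) + p.get("dstaddr", []))]


# Constructed sample data (only 208.91.112.53 is taken from the lab text).
SYSTEM_TEMPLATE = """config system dns
    set primary 208.91.112.53
    set secondary 208.91.112.52
end"""
LOCAL_FGT_DB = """config system dns
    set primary 208.91.112.53
end
config firewall address
    edit "Test_PC"
        set subnet 10.0.1.10 255.255.255.255
        set associated-interface "any"
    next
end"""
REMOTE_FGT_CFG = """config system dns
    set primary 10.200.1.254
end
config firewall address
    edit "Test_PC"
        set subnet 10.0.1.10 255.255.255.255
        set associated-interface "port6"
    next
end
config firewall policy
    edit 1
        set srcaddr "all"
        set dstaddr "all"
    next
    edit 2
        set srcintf "port6"
        set srcaddr "Test_PC"
        set dstaddr "all"
    next
end"""
# The fix the lab applies on Remote-FortiGate: rebind Test_PC to any.
REMOTE_FGT_FIXED = REMOTE_FGT_CFG.replace(
    'set associated-interface "port6"', 'set associated-interface "any"')

if __name__ == "__main__":
    tmpl, local, remote = (parse_config(t) for t in
                           (SYSTEM_TEMPLATE, LOCAL_FGT_DB, REMOTE_FGT_CFG))
    print("Local install:", dns_install_plan(tmpl, local))    # {'secondary': '208.91.112.52'}
    print("Remote install:", dns_install_plan(tmpl, remote))  # primary and secondary
    conflicts = binding_conflicts(local, remote)              # Test_PC: any<-port6
    print("Skipped policies:", skipped_policies(remote, conflicts))  # ['2']
    print("After fix:", binding_conflicts(local, parse_config(REMOTE_FGT_FIXED)))  # []
```

Running the script against the constructed configs reproduces the lab: the template installs only the secondary entry on Local-FortiGate but both entries on Remote-FortiGate, the Remote-FortiGate import reports Test_PC with the any<-port6 contradiction and drops policy 2, and once Test_PC is rebound to any the conflict list is empty. The same parser can be pointed at a real show output exported from a FortiGate before importing it, to find such clashes before the import report does.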
Check the Impact of a Partial Policy Import (Optional)
The following two procedures show the impact of making changes to the FortiManager policy package Remote-
FortiGate, and then trying to install the policy package. FortiManager tries to delete policy ID 2 and the Test_PC
address object on Remote-FortiGate. FortiManager also tries to delete any unused objects.
If you are already familiar with this behavior, you can skip the following procedures:
- To make configuration changes to the Remote-FortiGate policy package (optional)
- To preview the installation changes (optional)
2. Click the Remote-FortiGate policy package, and then click Firewall Policy.
You can see that the firewall policy with Test_PC as the source address is not imported.
To preview the installation changes (optional)
1. Ensure that Firewall Policy is selected for the Remote-FortiGate policy package, click the down arrow beside
Install Wizard, and then select Re-install Policy.
2. Click OK.
3. Click Install Preview.
4. Notice that FortiManager is trying to delete the firewall policy with ID=2 and the Test_PC address object.
When installing a policy package for the first time, FortiManager also deletes all unused objects.
You must change the Test_PC firewall address binding to the any interface by logging in to Remote-FortiGate
locally, and then retrieving the configuration to FortiManager.
Then, on FortiManager, you can import the policy package for Remote-FortiGate.
9. Click Cancel.
10. Log out of Remote-FortiGate.
You will retrieve the change made to the Remote-FortiGate configuration on FortiManager.
3. In the Configuration and Installation widget, click the Revision History icon.
6. Click Next.
7. Keep the default values for all other settings, and then click Next.
Did you notice that Test_PC appears under Dynamic Mappings?
FortiManager automatically creates a dynamic mapping for an object that already exists in the ADOM database
with the same values. The interface binding must match the entry in the ADOM database; otherwise the import
reports the same binding contradiction as before.
8. Click Next.
You can see that FortiManager imported both firewall policies this time.
9. Click Finish.
In this lab, you will learn about the troubleshooting commands used for FortiGuard management, and how to use
FortiManager to upgrade the firmware on managed FortiGate devices.
Objectives
- Review the central management configuration on both FortiGate devices
- Understand and run FortiGuard debug commands
- Import the firmware image for FortiGate devices and upgrade the devices using FortiManager
Time to Complete
Estimated: 15 minutes
In this exercise, you will review the central management settings on FortiGate. Then, you will run CLI commands
related to FortiGuard diagnostics on FortiManager to understand FortiGuard settings on FortiManager.
The outputs for Local-FortiGate and Remote-FortiGate should look similar to the following examples:
Local-FortiGate:
Remote-FortiGate:
You can see that server-list is configured on the FortiGate devices with the FortiManager IP address,
and include-default-servers is disabled. This means the FortiGate devices use FortiManager for
FortiGuard services, and do not fall back to the public FortiGuard servers: if FortiManager is unreachable,
the devices receive no updates at all.
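The following fragment is added here as an illustration of the FortiGate configuration that produces the behavior just described; it is not copied from the lab outputs, and the FortiManager address 10.0.1.241 is an assumed value, not one given in this lab.

```text
config system central-management
    set type fortimanager
    set fmg "10.0.1.241"
    set include-default-servers disable
    config server-list
        edit 1
            set server-type update rating
            set server-address 10.0.1.241
        next
    end
end
```

With include-default-servers disabled, FortiGate sends update (antivirus/IPS packages) and rating (web filter, antispam) queries only to the servers listed in server-list. Setting include-default-servers to enable adds the public FortiGuard servers as a fallback, which is the setting to avoid when the intent is a closed network.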
You will run CLI commands on FortiManager to verify the FortiGuard configuration in order to troubleshoot
FortiGuard issues.
FortiManager cannot connect to the public FDN servers when they are unreachable or when the service is
disabled. In this lab environment, communication with the public FortiGuard servers is disabled.
diagnose fmupdate update-status fds
You should see that there is no information on UpullStat and UpullServer, because FortiManager is not
connected to the public FDS, which would provide that information.
diagnose fmupdate dbcontract
FortiManager is operating in a closed network environment and license contracts are uploaded manually on
FortiManager. You should see the contract information, which includes the types of contracts the device
currently has, along with the expiry dates.
You can view the same information on the FortiGate GUI, in the License Information widget.
You can use FortiManager as your local firmware cache, and to upgrade firmware on supported devices.
In this exercise, you will import the firmware image for FortiGate, and then upgrade both FortiGate devices using
FortiManager.
Make sure that you open a new private browser window. If you don't, your image will
not appear in step 10 of this procedure.
2. Click ADOM1.
3. Click FortiGuard > Firmware Images > Local Images.
7. Click Close.
You can see that the firmware image has been saved on FortiManager.
8. Click FortiGuard > Device Manager.
9. Select both FortiGate devices.
10. Click More, and then select Firmware Upgrade.
11. In the Upgrade to drop-down list, select Local Images > 7.2.2-b1255.
12. Click OK.
13. In the Confirm Firmware Upgrade window, click Continue.
14. Leave the Upgrade Firmware Task window open until the progress bar reaches 100%.
After a few minutes, you should see successful firmware upgrades for both FortiGate devices.
No part of this publication may be reproduced in any form or by any means or used to make any
derivative such as translation, transformation, or adaptation without permission from Fortinet Inc.,
as stipulated by the United States Copyright Act of 1976.
Copyright © 2023 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and
actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written
contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,
transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.