FortiManager Training

Uploaded by javed.rafik.1

FortiManager:

FortiManager Security Management appliances allow you to centrally manage any number of
Fortinet Network Security devices, from several to thousands, including FortiGate firewalls.
FortiManager provides easy centralized configuration, policy-based provisioning, update
management and end-to-end network monitoring for your Fortinet installation.

Centralized management through FortiManager can help you to more easily manage many
deployment types with many devices, and to reduce cost of operation. Provision firewall
policies across your network. Deploy and manage complex mesh and star IPsec VPNs.

FortiManager can help you to better organize and manage your network. Instead of logging in
to hundreds of FortiGate devices individually, you can use FortiManager to manage them all
from a single console.

FortiManager can group devices into geographic or functional ADOMs, ideal if you have a large
team of network security administrators. FortiManager keeps a history of all configuration
changes. You can schedule FortiManager to deploy a new configuration or revert managed
devices to a previous configuration. To reduce network delays and minimize internet bandwidth
usage, your managed devices can use FortiManager as a private FDN server.

FortiManager can schedule firmware upgrades for managed devices. FortiManager supports
CLI-based and TCL-based scripts for configuration deployments. Managed devices can store logs
on FortiManager. FortiManager has many of the same logging and reporting features as
FortiAnalyzer.

FortiManager lets you create and manage firewall policies for multiple FortiGate firewalls from
a single console, and quickly create and modify policies and objects through its graphical user
interface.

Upload IOL Switches in EVE-NG:
Open WinSCP. Type the IP address of EVE-NG in the host name field, choose File Protocol: SFTP,
Port number: 22, User name: root and Password: eve, then connect.

The column on the left represents files on the local machine; the column on the right represents
files and folders on the remote machine.
Download Router and Switches Images from below Link:
https://drive.google.com/drive/u/2/folders/1BXlAGxgTpcqxMHntGga48h8Ohf3H9JY9

Unzip Switches.rar with any unzip software such as 7zip.

Go to opt -> unetlab -> addons -> iol/bin/ on the remote machine and copy all the switch
images, together with the license file named iourc, from the local machine to that location on
the EVE-NG machine. Once the copy completes, the files are available immediately.
Fix the file permissions by running the following command on EVE-NG:
/opt/unetlab/wrappers/unl_wrapper -a fixpermissions

Open EVE-NG in the browser, click 'Add an Object', go to Cisco IOL and select the node.

Now, Cisco IOL IOU Switches and Routers are available for use in the labs.
Upload Other Lab Images:
Download other lab images such as pfSense, Slax Linux, Fortinet FortiGate firewall, Fortinet
FortiManager, Fortinet FortiAnalyzer etc. from the link below:
https://drive.google.com/drive/folders/1zRwDmFz55yQeWFbaJlnhUlTvhUiowz04?usp=sharing

Unzip them all, then drag them into the /opt/unetlab/addons/qemu folder.

Fix the file permissions by running the following command on EVE-NG:
/opt/unetlab/wrappers/unl_wrapper -a fixpermissions
Upload FortiGate Firewall in EVE-NG:
Register and download the FortiGate image at the following link:
https://support.fortinet.com/Download/VMImages.aspx
Once at the site, click Download > VM Images. Select Product: FortiGate and Platform: KVM.
Download the latest version (7.0.9). If this is a new installation, be sure to click Download
under "New deployment of FortiGate for KVM", FGT_VM64_KVM-v7.0.9.M-build0444-FORTINET.out.kvm.zip
(71.47 MB).

After downloading, unzip it with any zip application; here I use the free 7-Zip software.
Open WinSCP. Type the IP address of EVE-NG in the host name field, choose File Protocol: SFTP,
Port number: 22, User name: root and Password: eve, then connect.

The column on the left represents files on the local machine; the column on the right represents
files and folders on the remote machine.
Go to opt -> unetlab -> addons -> qemu on the remote machine.

Create a directory in the remote location /opt/unetlab/addons/qemu using the folder name:
fortinet-FGT-v7.0.9-build0444
Drag the downloaded file (fortios.qcow2) into the fortinet-FGT-v7.0.9-build0444 folder and
rename fortios.qcow2 to virtioa.qcow2; the name must be exactly virtioa.qcow2.

Fix the file permissions by running the following command on EVE-NG:
/opt/unetlab/wrappers/unl_wrapper -a fixpermissions

Open EVE-NG in the browser, click 'Add an Object' and select Node.
Click 'Add an Object' again, select Network, set Type to Management(Cloud0) and press Save.

Connect Network Object to Fortinet Port1.

At the login prompt type admin and press Enter. The password is blank by default.
It may prompt you to change the password immediately; enter the new password twice.

It will get an IP address from a DHCP server if one is available, or you can set a static IP
address. Type the following command to see the IP address: FortiGate-VM64-KVM # diagnose ip address list
Now you can manage the FortiGate-VM node via the GUI. From a computer connected to the
management network, use a web browser to navigate to http://192.168.122.134/ and log in with admin/123.

You will be prompted to complete the setup of FortiGate. For this, I have chosen to do so later.

Once logged in, the Dashboard appears. FortiGate gives you 14-day trial access to the VM.
Upload FortiManager in EVE-NG:
Open WinSCP. Type the IP address of EVE-NG in the host name field, choose File Protocol: SFTP,
Port number: 22, User name: root and Password: eve, then connect.

The column on the left represents files on the local machine; the column on the right represents
files and folders on the remote machine.
Go to opt -> unetlab -> addons -> qemu on the remote machine.

Download the FortiManager KVM image from the Fortinet support website:
https://support.fortinet.com/Download/VMImages.aspx
Create a directory using the name: fortinet-FMG-v7.2.0-build1124

Copy the downloaded file into the folder fortinet-FMG-v7.2.0-build1124 and rename fmg.qcow2
to virtioa.qcow2; the name must be exactly virtioa.qcow2.

From the EVE-NG CLI, go to the newly created image folder:
cd /opt/unetlab/addons/qemu/fortinet-FMG-v7.2.0-build1124/

Create a second 100 GB HDD, virtiob.qcow2:
/opt/qemu/bin/qemu-img create -f qcow2 virtiob.qcow2 100G
When you go back to the same folder, the second HDD file is now present.

Fix the file permissions by running the following command on EVE-NG:
/opt/unetlab/wrappers/unl_wrapper -a fixpermissions

Open EVE-NG in the browser, click 'Add an Object' and select Node. Increase the RAM.
Click 'Add an Object' again, select Network, set Type to Management(Cloud0) and press Save.

Connect the Network object to the Fortinet node's port1.

config system interface
    edit port1
        set ip 192.168.114.200 255.255.255.0
    next
end
config system route
    edit 1
        set device port1
        set dst 0.0.0.0/0
        set gateway 192.168.114.2
    next
end
config system dns
    set primary 8.8.8.8
end
config system global
    set enc-algorithm low
    set fgfm-ssl-protocol tlsv1.0
    set usg enable
end
Type the management IP address in the browser to open the GUI.
FortiManager Lab Setup:
Role                 Image
FortiGate firewall   FGT_VM64_KVM-v7.0.9-build0444
FortiManager         FMG_VM64_KVM-v7.2.0-build1124
Cisco switches       i86bi_linux_l2-ipbasek9-ms.high_iron_aug9_2017b.bin
Windows 7            Win-7-x86-IPCC
Multiple WAN         Pfsense-2.6.0
Clients              Linux-slax-9.11.0
Internet link        NAT Cloud or Management Cloud0

Export and Import Labs in EVE-NG:

Exporting EVE-NG Lab File:
You can share your EVE-NG lab files with others; exporting is as simple as importing. Select the
EVE-NG lab you would like to export and then click on the Export icon. On export the lab is
saved as a zip file, so that you or others can re-use it with Import.
First close the open lab: in the left menu click Close lab.

Tick the lab you want to export, click the Export icon and save the zip lab file on your system.
Import Labs in EVE-NG:
Once you have the topology zip file on your system, open an EVE-NG session and follow the steps below.
Close the lab from the left-side menu (Close lab).

Click on the Import button. Choose the zip file which contains the EVE-NG lab.
The file must be in .zip format; do not unzip it.

Click on the Upload button.

Once your lab is imported, you can close the upload session and click on the topology to open it.
FortiManager Configuration Lab:
Change Hostname
FMG-VM64-KVM # config system global
(global)# set hostname FMG
(global)# end
Configure Interfaces
FMG # config system interface
(interface)# edit port1
(port1)# set ip 192.168.114.210/24
(port1)# next
(interface)# edit port2
(port2)# set allowaccess ping
(port2)# set ip 10.0.1.253/24
(port2)# end

Configure Route
FMG # config system route
(route)# edit 1
(1)# set device port2
(1)# set gateway 10.0.1.254
(1)# end

Testing
FMG # execute ping 10.0.1.254

Extra
config system global
set ssl-low-encryption enable
set oftp-ssl-protocol tlsv1.0
set enc-algorithm low
set fgfm-ssl-protocol tlsv1.0
end
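The `config system global` settings in the two lab blocks above (`enc-algorithm low`, `ssl-low-encryption enable`, `fgfm-ssl-protocol tlsv1.0`, `oftp-ssl-protocol tlsv1.0`) lower the TLS protocol and cipher floor on the management-plane channels (FGFM between FortiManager and FortiGate, OFTP, and the web GUI); they make an older lab device interoperate but are not settings to carry onto a production unit. The following Python script is an added example, not part of the training document or of Fortinet's tooling: it parses `config`/`edit`/`set`/`next`/`end` text of the kind the document's CLI transcripts use (prompts such as `FMG #` and `(global)#` are stripped, `#` comment lines skipped) into a nested dict, then reports which of those four fields carries a weak value. The weak-value sets, the hardened counterpart block and the sample inputs are constructed for this example, not values taken from the page.

```python
"""Added example: parse FortiManager-style CLI config text and flag settings
that weaken management-plane TLS. Not Fortinet code; the weak-value lists and
sample configs are assumptions made for this example."""
import re
from typing import Dict, List, Tuple

# Matches a CLI prompt prefix such as "FMG # " or "(global)# " so that a
# pasted session transcript parses the same way as plain 'show' output.
PROMPT_RE = re.compile(r"^\(?[\w.-]+\)?\s*#\s*")

# Field -> values treated as weak (assumed for the example).
WEAK_GLOBAL_SETTINGS: Dict[str, set] = {
    "enc-algorithm": {"low"},
    "ssl-low-encryption": {"enable"},
    "fgfm-ssl-protocol": {"sslv3", "tlsv1.0", "tlsv1.1"},
    "oftp-ssl-protocol": {"sslv3", "tlsv1.0", "tlsv1.1"},
}

# Constructed sample input: the lab "Extra" block as a session transcript,
# followed by an interface block in plain config form.
LAB_CONFIG = """
FMG # config system global
(global)# set ssl-low-encryption enable
(global)# set oftp-ssl-protocol tlsv1.0
(global)# set enc-algorithm low
(global)# set fgfm-ssl-protocol tlsv1.0
(global)# end
config system interface
    edit port1
        set ip 192.168.114.210/24
    next
    edit port2
        set allowaccess ping
        set ip 10.0.1.253/24
    next
end
"""

# Constructed hardened counterpart (values assumed for the example).
HARDENED_CONFIG = """
config system global
    set ssl-low-encryption disable
    set oftp-ssl-protocol tlsv1.2
    set enc-algorithm high
    set fgfm-ssl-protocol tlsv1.2
end
"""


def parse_config(text: str) -> Dict:
    """Build a nested dict from config/edit/set/unset/next/end lines.

    'config a b' and 'edit x' open a child node keyed by their arguments,
    'set f v...' stores the value list, 'unset f' drops it, and 'next'/'end'
    close the current node. Lines starting with '#' are comments.
    """
    root: Dict = {}
    stack: List[Dict] = [root]
    for raw in text.splitlines():
        line = PROMPT_RE.sub("", raw.strip())
        if not line or line.startswith("#"):
            continue
        words = line.split()
        cmd, args = words[0], words[1:]
        if cmd in ("config", "edit"):
            key = " ".join(args).strip('"')
            stack.append(stack[-1].setdefault(key, {}))
        elif cmd == "set":
            stack[-1][args[0]] = [a.strip('"') for a in args[1:]]
        elif cmd == "unset":
            stack[-1].pop(args[0], None)
        elif cmd in ("next", "end"):
            if len(stack) == 1:
                raise ValueError(f"unbalanced {cmd!r}")
            stack.pop()
        else:
            raise ValueError(f"unrecognised line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("config block not closed with 'end'")
    return root


def audit_global(config: Dict) -> List[Tuple[str, str]]:
    """Return sorted (field, value) pairs under 'system global' set to a weak value."""
    settings = config.get("system global", {})
    findings = []
    for field, weak in WEAK_GLOBAL_SETTINGS.items():
        values = settings.get(field)
        if values and values[0].lower() in weak:
            findings.append((field, values[0]))
    return sorted(findings)


if __name__ == "__main__":
    for name, text in (("lab", LAB_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_global(parse_config(text)) or "no weak settings")
```

Run against the lab block the audit lists all four fields; against the hardened block it returns an empty list. The same `parse_config` can be fed the output of `show system global` on a unit, which prints only non-default settings, so an empty result there means the defaults are in force.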
First Time Login:
Once you have configured a port's IP address and network mask, launch a web browser and
enter the IP address you configured for the management interface. The GUI opens with an
Evaluation License dialog box. Let's activate a trial license for the VM. Select Free Trial, and
click Login with FortiCloud. Use your FortiCloud account credentials to log in, or create a new
account. FortiManager connects to FortiCloud to get the trial license. The system restarts to
apply the trial license.
Read and accept the license agreement.
After the restart, log in with the default username admin and the password you set the first time.

When actions are complete, a green checkmark displays beside them in the wizard, and the
wizard no longer displays after you log in to FortiManager. Click Begin to start the setup process
now, or click Later to postpone the setup tasks.
When prompted, set the time zone. From the list, select the time zone. Clear the Automatically
adjust clock for daylight savings changes checkbox if desired. Click Next.

When prompted, specify the hostname. In the Hostname box, type a hostname. Click Next.

When prompted, complete the setup by clicking Finish.


You are logged in to FortiManager. When you log in to the FortiManager GUI, a home page of
tiles is displayed. From there you can add and manage devices and VDOMs, create and assign
scripts and provisioning templates, and access the SD-WAN monitor and VPN monitor.

Configure policy packages and objects. The Policy & Objects pane enables you to centrally
manage and configure the devices that are managed by the FortiManager unit.
Command Line Interface (CLI):
The Command Line Interface (CLI) is an alternative configuration tool to the web-based
manager. While the web-based manager uses a point-and-click method, the CLI requires typing
commands or uploading batches of commands from a text file. Most features are available on
both the GUI and the CLI, but there are a few exceptions: reports cannot be viewed on the CLI,
and on the other hand advanced settings and diagnostic commands for super users are usually
not available on the GUI.

Default Setting:
Port1, the management interface, has a default IP address and netmask of 192.168.1.99/24. The
default credentials are user name admin and a blank password. PING, HTTP, HTTPS, and SSH
protocols are enabled for management access. The initial configuration of FortiManager is very
similar to FortiGate. In order to configure FortiManager for your network, you must set the IP
address and netmask, select the supported administrative access protocols, and specify a default
gateway for routing packets. If your management subnet differs from the default on port1,
change these settings.

Commands:
When entering a command, the Command Line Interface (CLI) requires that you use valid
syntax and conform to expected input constraints. It will reject invalid commands.

Commands for Tables
clone <table>    Clone (make a copy of) a table from the current object. Clone may not be available for all tables.
delete <table>   Remove a table from the current object. Delete is only available within objects containing tables.
edit <table>     Create or edit a table in the current object. Edit is an interactive sub-command: further sub-commands are available from within edit. Edit changes the prompt to reflect the table you are currently editing. Edit is only available within objects containing tables.
end              Save the changes to the current object and exit the config command. This returns you to the top-level command prompt.
get              List the configuration of the current object or table.
purge            Remove all tables in the current object.
rename           Rename a table. Rename is only available within objects containing tables.
show             Display changes to the default configuration. Changes are listed in the form of configuration commands.

Commands for Fields
abort                  Exit both the edit and/or config commands without saving the fields.
append                 Add an option to an existing list.
end                    Save the changes made to the current table or object fields and exit the config command. (To exit without saving, use abort instead.)
get                    List the configuration of the current object or table.
move                   Move an object within a list, when list order is important.
next                   Save the changes you have made in the current table's fields and exit the edit command to the object prompt.
select                 Clear all options except for those specified.
set <field> <value>    Set a field's value.
show                   Display changes to the default configuration. Changes are listed in the form of configuration commands.
unselect               Remove an option from an existing list.
unset <field>          Reset the table or object's fields to default values.
CLI Command Branches:
Config:
The config commands configure objects of FortiManager functionality. Top-level objects are not
configurable; they are containers for more specific lower level objects.
Get:
Use get to display settings. You can use get within a config shell to display the settings for that
shell, or you can use get with a full path to display the settings for the specified shell.
Show:
Use show to display the FortiManager unit configuration. Only changes to the default
configuration are displayed. You can use show within a config shell to display the configuration
of that shell, or you can use show with a full path to display the configuration of the specified
shell.
Execute:
Use execute to run static commands, to reset the FortiManager unit to factory defaults, or to
back up or restore the FortiManager configuration. The execute commands are available only
from the root prompt.
Diagnose:
Commands in the diagnose branch are used for debugging the operation of the FortiManager
unit and to set parameters for displaying different levels of diagnostic information.

Shortcut Keys:
Keys                    Action
?                       List valid word completions or subsequent words. If multiple words could complete your entry, display all possible completions with helpful descriptions of each.
Tab                     Complete the word with the next available match. Press the key multiple times to cycle through available matches.
Up arrow, or Ctrl + P   Recall the previous command. Limited to the current session.
Down arrow, or Ctrl + N Recall the next command.
Left or Right arrow     Move the cursor left or right within the command line.
Ctrl + A                Move the cursor to the beginning of the command line.
Ctrl + E                Move the cursor to the end of the command line.
Ctrl + B                Move the cursor backwards one word.
Ctrl + F                Move the cursor forwards one word.
Ctrl + D                Delete the current character.
Ctrl + C                Abort current interactive commands, such as when entering multiple lines. If you are not currently within an interactive command such as config or edit, this closes the CLI connection.
TAB Key & Question Mark:
In addition to TAB to complete commands, you can use the ? mark to see available commands.
Using ? after an edit, such as in "config sys int" or "config firewall rule", lists the names of
existing interfaces, rules, objects, etc. It's a great way to see what is configured or possible to
configure.

Get Command:
When editing a specific object (interface, vpn tunnel, rule) you can use the get command. Show
only displays the configured object, which is typically what you'll use. Get displays all settings
though, including default values. It's another great command to see what is configurable and
find default values you might not realize.
Diagnose & Debug CLI Option:
What I typically recommend is to watch the CLI commands that are being used when you
are using the FortiGate web GUI. You can do this by opening PuTTY (SSH) and using the
following commands:
Turn On Debug Session
HQ-FW # diagnose debug cli 8
HQ-FW # diagnose debug enable
Turn Off Debug Session
HQ-FW # diagnose debug reset
HQ-FW # diagnose debug disable

Fortinet CLI Reference:
https://docs.fortinet.com/document/fortimanager/7.2.0/cli-reference/23811/introduction

# get system status
# show system interface
# show system dns
# show system ntp
# get system ntp
# show system route
# execute ping
GUI Overview:
When you log into the FortiManager GUI, the following home page of tiles is displayed.

Device Manager         Add and manage devices and VDOMs. Create and assign scripts and provisioning templates. Also access the SD-WAN and VPN monitors.
Policy & Objects       Configure policy packages and objects.
AP Manager             Configure and manage FortiAP access points.
VPN Manager            Configure and manage VPN connections. You can create VPN topologies and managed/external gateways.
Fabric View            Configure fabric connectors and view Security Fabric Ratings.
FortiGuard             Manage communication between devices and the FortiManager using the FortiGuard protocol.
FortiSwitch Manager    Configure and manage FortiSwitch devices.
Extender Manager       Configure and manage FortiExtenders.
Management Extensions  Enable and use management extension applications that are released and signed by Fortinet.
Log View               View logs for managed devices. You can display, download, import, and delete logs on this page. You can also define custom views and create log groups. This pane is only available when FortiAnalyzer features are enabled.
Reports                Generate reports. You can also configure report templates, schedules, and output profiles, and manage charts and datasets. This pane is only available when FortiAnalyzer features are enabled.
System Settings        Configure system settings such as network interfaces, administrators, system time, server settings, and others. You can also perform maintenance and firmware operations.
Incidents & Events     Configure and view events for logging devices. This pane is only available when FortiAnalyzer features are enabled.
FortiManager Options:
Go to Policy & Objects > Tools > Display Options.

Turn on all of the options in a category by clicking Check All, then click OK.
Navigate to Policy & Objects > Object Configuration > CLI Only Objects > CLI Only Objects. In the
search box type ca. Tick the CA and click Delete.

Go to Policy & Objects > Managed FortiGate, choose the Firewall Display Options and click Check All.
Backup FortiManager:
Go to System Settings > Dashboard. In the System Information widget, click the backup button
next to System Configuration. The Backup System dialog box opens. If you want to encrypt the
backup file, select the Encryption box, then type and confirm the password you want to use.
The password can be a maximum of 63 characters. Select OK.

The backup is saved to your management computer.


Administrator Accounts:
Administrator accounts are used to control access to the FortiManager unit. Local and remote
authentication is supported, as well as two-factor authentication. Other administrative
accounts can be created as needed with full or read-only access. To create a new administrator
account, you must be logged in to an account with sufficient privileges, or as a super user
administrator. Only administrators with the Super_User profile can see the complete
administrators list. If you do not have certain viewing permissions, you will not see the
administrator list. When ADOMs are enabled, administrators can only access the ADOMs they
have permission to access.

Admin Authentication:
Instead of creating local administrators, where logins are validated by FortiManager, you can
configure external servers to validate your administrator logins. You can use RADIUS, LDAP,
TACACS+, and PKI as means of verifying the administrator credentials. The FortiManager system
supports authentication of administrators locally, remotely with RADIUS, LDAP, or TACACS+
servers, and using PKI. Remote authentication servers can also be added to authentication
groups that administrators can use for authentication.
To use remote authentication servers, you must configure the appropriate server entries in the
FortiManager unit for each authentication server in your network. New LDAP remote
authentication servers can be added and linked to all ADOMs or specific ADOMs.
Administrator Profiles:
In order to efficiently administer your system, FortiManager comes with five pre-installed
default profiles that you can assign to other administrative users. Administrator profiles define
administrator permissions and are required for each administrative account. Administrator
profiles define different types of administrators and the level of access they have to the
FortiManager unit, as well as the devices registered to it. Administrator profiles are used to
control administrator access privileges to devices or system features. Profiles are assigned to
administrator accounts when an administrator is created. The profile controls access to both
the FortiManager GUI and CLI.
You can assign the default profiles to administrative accounts, or you can modify the individual
permissions associated with each default profile. Alternatively, you can create your own custom
profile. These profiles cannot be deleted, but standard and restricted profiles can be edited.
New profiles can also be created as required. Only super user administrators can manage
administrator profiles.
Package_User         Provides read and write access to policy package & objects permissions, but read-only access for system and other permissions.
Restricted_User      Provides read-only access to device permissions, but not system permissions.
Standard_User        Provides read and write access to device permissions, but no system permissions.
Super_User           Provides access to all device & system permissions, such as FortiGate.
No_Permission_User   No system or device privileges enabled.

Go to System Settings > Admin > Profile to view and manage administrator profiles.
Type of Administrator Profiles:
Restricted Administrators:
Restricted administrator accounts are used to delegate management of Web Filter, IPS, and
Application Control profiles, and then install those objects to their assigned ADOM. For the
Restricted Admin type, you can create a new restricted administrator profile to allow the
delegated administrator to make changes to the web filtering profile, IPS sensor, and
application sensor associated with their ADOM. Restricted administrators cannot be used when
workflow mode is enabled.

System Admin:
For the System Admin type, you can modify one of the predefined profiles, or create a custom
profile. Only administrators with full system permissions can modify administrator profiles.
Depending on the nature of the administrator’s work, access level, or seniority, you can allow
them to view and configure as much, or as little, as required.
Trusted Hosts:
Setting trusted hosts for all of your administrators increases the security of your network by
further restricting administrative permissions. In addition to knowing the password, an
administrator must connect only through the subnet or subnets you specify. In addition to
controlling administrative access through administrator profiles, you can further control access
by setting up trusted hosts for each administrative user. This restricts administrators to logins
from specific IP addresses or subnets only. You can even restrict an administrator to a single IP
address if you define only one trusted host IP address.
When you set trusted hosts for all administrators, the FortiManager unit does not respond to
administrative access attempts from any other hosts. This provides the highest security. If you
leave even one administrator unrestricted, the unit accepts administrative access attempts on
any interface that has administrative access enabled, potentially exposing the unit to attempts
to gain unauthorized access. The trusted hosts you define apply to both the GUI and to the CLI
when accessed through SSH. CLI access through the console connector is not affected.
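The two rules the section states, that an administrator's login is only honoured from that administrator's trusted hosts and that a single unrestricted administrator makes the unit answer management attempts from anywhere, can be checked offline against an exported administrator list. The following Python script is an added example, not part of the training document or of Fortinet's software: it models trusted hosts as a per-administrator list of CIDR networks, decides whether the unit would respond to a source address at all, evaluates a login attempt in that order (reachability, then the administrator's own trusted hosts, then credentials), and lists administrators whose trusted hosts contain an all-addresses network such as 0.0.0.0/0. The administrator table and the order of checks are constructed for the example from the text above, not taken from a device.

```python
"""Added example: model FortiManager-style trusted hosts for administrators.
Not Fortinet code; the admin table and evaluation order are constructed from
the behaviour described in the training text."""
import ipaddress
from typing import Dict, List

# Constructed sample: one trusted-host list (CIDR strings) per administrator.
# "auditor" is left unrestricted with 0.0.0.0/0, the case the text warns about.
ADMINS: Dict[str, List[str]] = {
    "admin": ["192.168.114.0/24", "10.0.1.0/24"],
    "netops": ["10.0.1.50/32"],
    "auditor": ["0.0.0.0/0"],
}


def _networks(cidrs: List[str]):
    """Parse CIDR strings; strict=False accepts host bits set (10.0.1.50/24)."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_trusted(admin: str, source_ip: str,
               admins: Dict[str, List[str]] = ADMINS) -> bool:
    """True if source_ip falls inside one of this administrator's trusted hosts."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip.version == net.version and ip in net
               for net in _networks(admins.get(admin, [])))


def unit_responds(source_ip: str,
                  admins: Dict[str, List[str]] = ADMINS) -> bool:
    """Whether the management plane answers this host at all: it does as soon
    as any administrator's trusted hosts cover the source address."""
    return any(is_trusted(name, source_ip, admins) for name in admins)


def unrestricted_admins(admins: Dict[str, List[str]] = ADMINS) -> List[str]:
    """Administrators whose trusted hosts include an all-addresses network."""
    return sorted(name for name, cidrs in admins.items()
                  if any(net.prefixlen == 0 for net in _networks(cidrs)))


def check_login(admin: str, source_ip: str, password_ok: bool,
                admins: Dict[str, List[str]] = ADMINS) -> str:
    """Outcome of one login attempt: reachability, trusted hosts, credentials."""
    if not unit_responds(source_ip, admins):
        return "no response"
    if not is_trusted(admin, source_ip, admins):
        return "rejected: host not trusted for this administrator"
    if not password_ok:
        return "rejected: bad credentials"
    return "accepted"


if __name__ == "__main__":
    print("unrestricted administrators:", unrestricted_admins())
    print(check_login("netops", "10.0.1.50", True))
    print(check_login("netops", "10.0.1.51", True))
```

With `auditor` present the unit answers any source, which is why `unrestricted_admins` is the first check worth running on a real administrator list; drop that account from the table and the same external address gets no response.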
Administrator Accounts Lab:
To create a new administrator account, you must be logged in to an account with sufficient
privileges, or as a super user administrator.

Creating Administrator:
Go to System Settings > Admin > Administrators. In the toolbar, click Create New to display the
New Administrator pane.

Configure the following settings, and then click OK to create the new administrator.
Edit Administrator:
Go to System Settings > Admin > Administrators. Double-click on an administrator, right-click on
an administrator and then select Edit from the menu, or select the administrator then click Edit
in the toolbar. The Edit Administrator pane opens. Edit the settings as required, and then select
OK to apply the changes.

Delete Administrator:
Go to System Settings > Admin > Administrators. Select the administrator or administrators you
need to delete. Click Delete in the toolbar, or right-click and select Delete. Select OK in the
confirmation box to delete the administrator or administrators.
Change Administrator Password:
Go to System Settings > Admin > Administrators. Right-click on an administrator and select
Change Password from the menu.

The Change Password dialog box opens. Enter the new password for the administrator in the
New Password and Confirm Password fields. Select OK to change the administrator's password.
Global Administration Settings:
The administration settings page provides options for configuring global settings for
administrator access to the FortiManager device. Go to System Settings > Admin > Admin
Settings. Configure the following settings as needed, then click Apply to save your changes to all
administrator accounts.

Password Policy:
Go to System Settings > Admin > Admin Settings. Click to enable Password Policy. Configure the
following settings, then click Apply to apply to password policy.
Password Lockout and Retry Attempts:
By default, the number of password retry attempts is set to three, allowing the administrator a
maximum of three attempts at logging in to their account before they are locked out for a set
amount of time (60 seconds by default). The number of attempts and the wait time before the
administrator can try to enter a password again can be customized. Both settings are
configured using the CLI.
To set the lockout threshold to one attempt and set a five-minute duration before the
administrator can try to log in again, enter the following CLI commands:
Commands
FMG # config system global
(global)# set admin-lockout-duration 300
(global)# set admin-lockout-threshold 1
(global)# end
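The interaction between `admin-lockout-threshold` and `admin-lockout-duration` is easiest to see as a state machine: failed attempts accumulate per administrator, the threshold-th failure starts a lockout of the configured duration, and during that window even a correct password is refused. The following Python script is an added example, not part of the training document or of Fortinet's software: it builds a policy from the two `config system global` field names used above (defaulting to 3 attempts and 60 seconds as the text states), then replays a sequence of attempts under the lab setting of one attempt and 300 seconds and under the defaults. That a successful login clears the failure counter is an assumption of this model, not something the text states.

```python
"""Added example: simulate admin-lockout-threshold / admin-lockout-duration.
Not Fortinet code; the state machine is a model of the behaviour described in
the training text, and the reset-on-success rule is an assumption."""
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class LockoutPolicy:
    threshold: int = 3   # failed attempts before lockout (default per the text)
    duration: int = 60   # lockout length in seconds (default per the text)

    @classmethod
    def from_global(cls, settings: Dict[str, str]) -> "LockoutPolicy":
        """Build from 'config system global' field names, as set in the CLI above."""
        return cls(threshold=int(settings.get("admin-lockout-threshold", 3)),
                   duration=int(settings.get("admin-lockout-duration", 60)))


@dataclass
class LockoutTracker:
    policy: LockoutPolicy
    failures: Dict[str, int] = field(default_factory=dict)      # admin -> failed count
    locked_until: Dict[str, float] = field(default_factory=dict)  # admin -> unlock time

    def is_locked(self, admin: str, now: float) -> bool:
        until = self.locked_until.get(admin)
        if until is None:
            return False
        if now >= until:                 # lockout expired: clear the state
            del self.locked_until[admin]
            self.failures.pop(admin, None)
            return False
        return True

    def attempt(self, admin: str, password_ok: bool, now: float) -> str:
        """Outcome of one login attempt at time 'now' (seconds)."""
        if self.is_locked(admin, now):
            return "locked"              # a correct password does not help while locked
        if password_ok:
            self.failures.pop(admin, None)   # assumption: success resets the counter
            return "accepted"
        count = self.failures.get(admin, 0) + 1
        if count >= self.policy.threshold:
            self.failures.pop(admin, None)
            self.locked_until[admin] = now + self.policy.duration
            return "locked"
        self.failures[admin] = count
        return "rejected"


if __name__ == "__main__":
    lab = LockoutTracker(LockoutPolicy.from_global(
        {"admin-lockout-threshold": "1", "admin-lockout-duration": "300"}))
    for t, ok in ((0, False), (10, True), (300, True)):
        print(f"t={t:>3}s password_ok={ok!s:<5} -> {lab.attempt('admin', ok, t)}")
```

Under the lab setting a single wrong password at t=0 locks the account until t=300, so the correct password at t=10 is still refused; under the defaults the third failure locks for 60 seconds. Counters are kept per administrator, so one account being locked says nothing about the others.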

Monitor Administrators:
Go to System Settings > Dashboard. In the System Information widget, in the Current
Administrators field, click the Current Session List button. The Admin Session List opens in the
widget.

Go to System Settings > Admin > Administrators. A green tick mark indicates that the user is logged in.
Administrator Profiles Lab:
To create a new administrator profile you must be logged in to an account with sufficient
privileges, or as a super user administrator.

Create Administrator Profile:


Go to System Settings > Admin > Profile. Click Create New in the toolbar. The New Profile pane
is displayed. Click OK to create the new administrator profile.
Create Restricted Profile:
Go to System Settings > Admin > Profile. Click Create New in the toolbar. The New Profile pane
is displayed. Set the Type to Restricted Admin and the required permissions selected. In this
case Web Filter, Application Control and Intrusion Prevention.

Assign Admin Profile:


Go to System Settings > Administrators. Create a new administrator or edit an existing
administrator. The Edit Administrator pane is displayed. From the Admin Profile list, select a
profile to assign to administrator.
Restricted Administrator:
When a restricted administrator logs in to the FortiManager, they enter the Restricted Admin
Mode. This mode consists of a simplified GUI where they can make changes to the profiles that
they have access to, and then install those changes using the Install command in the toolbar, to
their designated ADOM.

Clone Administrator Profiles:


Go to System Settings > Admin > Profile. Right-click on a profile and select Clone from the
menu, or select the profile then click Clone in the toolbar. The Clone Profile pane opens. Edit
the settings as required, and then select OK to apply the changes.
Delete Administrator Profiles:
Go to System Settings > Admin > Profile. Select the profile or profiles you need to delete. Click
Delete in the toolbar, or right-click and select Delete. Select OK in the confirmation box to
delete the profile or profiles.
ADOM (Administrative Domain)
ADOMs enable the admin administrator to create groupings of devices for administrators to
monitor and manage. A FortiManager Administrative Domain (ADOM) is analogous to the
Virtual Domain concept within FortiGate. The use of ADOMs allows us to create separate
logical environments in which we can maintain separate sets of devices. The ADOMs feature
must be enabled before ADOMs can be created or configured. The purpose of ADOMs is to
divide administration of devices by ADOM and to control (restrict) administrator access.

The maximum number of ADOMs that can be created depends on the FortiManager Model.
You must use an administrator account that is assigned the Super_User administrative profile.
You can add a device to only one ADOM. You cannot add a device to multiple ADOMs. You
cannot add FortiGate and FortiCarrier devices to the same ADOM. FortiCarrier devices are
added to a specific, default FortiCarrier ADOM. When FortiAnalyzer features are enabled, you
can configure how an ADOM handles log files from its devices. For example, you can configure
how much disk space an ADOM can use for logs, and then monitor how much of the allotted
disk space is used. Super user administrators can create other administrators and either assign
ADOMs to their account or exclude them from specific ADOMs, constraining them to
configurations and data that apply only to devices in the ADOMs they can access.
Normal Mode ADOMs:
When you create an ADOM in Normal mode, the ADOM is read/write: you can make changes to
the ADOM and its managed devices from FortiManager. FortiGate units in the ADOM query their
own configuration every 5 seconds. If there has been a configuration change, the FortiGate unit
sends a diff revision of the change to FortiManager using the FGFM protocol. By default, ADOMs
run in Normal mode and all panes are available. Because the ADOM is read-write, you can make
configuration changes to managed devices in the ADOM database and then install those
changes on the managed devices.

Backup Mode ADOMs:


When you create an ADOM in Backup mode, the ADOM is read-only: you cannot make changes
to the ADOM or its managed devices from FortiManager. Changes are made through scripts that
run on the managed device, or directly through the device's GUI or CLI. Backup mode lets you
configure an ADOM in which every device that is added only has its configuration backed up.
Configuration changes cannot be made to devices in a Backup ADOM, but you can push any
existing revision to a managed device. You can still monitor and review the revision history for
these devices, and scripts can still be pushed directly to FortiGate units. The main purpose of
Backup mode is to back up the configuration changes made directly on the managed device.
If managed device configuration changes always need to be made directly on the device, and
you want to use FortiManager only for revision control and tracking, configure the ADOM in
Backup mode. In Backup mode the ADOM is read-only, so the Device Manager pane is
restricted: you can add and delete devices, but device-level settings are not available for
configuration and installation. In Backup mode you can import firewall address and service
objects into FortiManager, which stores them in the Device Manager database.

Global ADOM:
Policy packages can include header policies and footer policies. You can create header and
footer policies by using the global ADOM. The global ADOM allows you to create header and
footer policies once, and then assign the header and footer policies to multiple policy packages
in one or more ADOMs. The global ADOM layer contains two key pieces: the global object
database and all header and footer policies.

Header and footer policies are used to envelop policies within each individual ADOM. These are
typically invisible to users and devices in the ADOM layer. An example of where this would be
used is in a carrier environment, where the carrier would allow customer traffic to pass through
their network but would not allow the customer to have access to the carrier’s network assets.
Root ADOM:
The root ADOM type is FortiGate. When ADOMs are disabled, only the root ADOM is visible.
When ADOMs are enabled, other default ADOMs are visible too. Unauthorized devices display
in the root ADOM.

Default Device Type ADOMs:


When ADOMs are enabled, FortiManager includes default ADOMs for specific types of devices.
When you add one or more of these devices to FortiManager, the devices are automatically
added to the appropriate ADOM, and the ADOM becomes selectable. When a default ADOM
contains no devices, the ADOM is not selectable. You can view all of the ADOMs, including
default ADOMs without devices, on the System Settings > All ADOMs pane.
ADOM Lab:
ADOMs must be enabled, and you must be logged in as a super user administrator to create a
new ADOM. Select the version of the devices in the ADOM; the ADOM version cannot be edited
later. Select Normal mode if you want to manage and configure the connected devices from
the FortiManager GUI. Select Backup mode if you want to back up the configurations to
FortiManager but configure each device locally. Select the VPN checkbox to enable central VPN
management. The remaining option automatically pushes policy package updates to currently
offline managed devices when the devices come back online.

Enable ADOM:
To enable ADOMs, go to System Settings > Dashboard. In the System Information widget, go to
Administrative Domain and toggle it On.

You will be logged out; log in again.


Create Normal ADOMs:
Go to System Settings > All ADOMs. Click Create New in the toolbar. The Create New ADOM
pane is displayed.

Configure the following settings, then click OK to create the ADOM. Type a name that allows
you to distinguish this ADOM from your other ADOMs. Select the type FortiGate. Select the
version of the devices in the ADOM. Select Normal mode. Select the VPN checkbox to enable
central VPN management. Clear the FortiAP and FortiSwitch checkboxes if you do not want them.
From the ADOM selector in the top-right corner, switch from the root ADOM to the newly
created ADOM FG-7-0-9.

Go to System Settings > All ADOMs. Double-click an ADOM, right-click an ADOM and select Edit
from the menu, or select the ADOM and click Edit in the toolbar. The Edit ADOM pane opens.
Click Select Device. The Select Device list opens on the right side of the screen. Select the
devices that you want to add to the ADOM. Only devices with the same version as the ADOM
can be added. The selected devices are displayed in the Devices list. When you have finished
selecting devices, click Close to close the Select Device list. Click OK. The selected devices are
removed from their previous ADOM and added to this one.
From the ADOM selector in the top-right corner, switch from the root ADOM to the newly
created ADOM FG-7-0-9.

Navigate to Device Manager > Device & Groups, and click Add Device.

Follow the Add Device wizard to add a new device to the newly created Normal ADOM FG-7-0-9.
Assigning Administrators to ADOM:
Log in as super user administrator. Other types of administrators can’t configure administrator
accounts when ADOMs are enabled. Go to System Settings > Admin > Administrator.

Double-click an administrator, right-click an administrator and select Edit from the menu, or
select the administrator and click Edit in the toolbar. The Edit Administrator pane opens. Edit
the Administrative Domain field as required, either assigning or excluding specific ADOMs.
Select OK to apply your changes.
Edit ADOM:
Go to System Settings > All ADOMs. Double-click on an ADOM, right-click on an ADOM and then
select Edit from the menu, or select the ADOM then click Edit in the toolbar. The Edit ADOM
pane opens. Edit the settings as required, and then select OK to apply the changes.

Delete ADOMs:
All devices must be removed from the ADOM. Devices can be moved to another ADOM, or to
the root ADOM. Go to System Settings > All ADOMs. Ensure that the ADOM or ADOMs being
deleted have no devices in them. Select the ADOM or ADOMs you need to delete. Click Delete
in the toolbar, or right-click and select Delete. Click OK in the confirmation box to delete the
ADOM or ADOMs.
Upgrade ADOM:
Go to System Settings > All ADOMs. Select an ADOM, and then select More > Upgrade from the
toolbar. If the ADOM has already been upgraded to the latest version, this option will not be
available.

Select OK in the confirmation dialog box to upgrade the ADOM. If any device within the ADOM
has not already been upgraded, the upgrade is aborted and an error message is shown.
Backup ADOM Lab:

Enable ADOM:
Log in to FortiManager as a super user administrator. Go to System Settings > Dashboard. In
the System Information widget, toggle the Administrative Domain switch to ON. You will be
automatically logged out of FortiManager and returned to the login screen.

Create Backup ADOM:


Go to System Settings > All ADOMs, and click Create New. Set the following options: type a
name for the ADOM, select the type of device and the ADOM version, select the mode Backup,
and click OK.
You can use the Add Device wizard to add FortiGate devices to an ADOM in Backup mode. The
wizard also lets you import firewall address and service objects. Policies are not imported. Go
to Device Manager > Device & Groups, and click Add Device. Follow the Add Device wizard.

Finally, the device is added as read-only, and you can see its configuration revision history.

Log in to the HQ-FW firewall; note that no read-only access prompt appears.


Navigate to Security Fabric > Fabric Connectors > Other Fortinet Products > FortiManager and
double-click to open it. The Mode is Backup, and the banner at the top shows that the device
is in Configuration backup mode.

Let's create a test address object on HQ-FW and click OK.


Navigate to Device Manager > Device & Groups > Managed FortiGate > HQ-FW and click
Retrieve Config.

Click Revision Diff, select the previous revision, and choose Show Diff Only.

The address object recently created on the HQ-FW firewall is shown in green.
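What the Revision Diff / Show Diff Only view reports for the Backup ADOM above is a structural comparison of two retrieved revisions. The following is an added example, not FortiManager code: it parses two constructed FortiOS-style revision snippets (placeholder object names) and lists only the objects that were added, removed or changed, which is how out-of-band changes made directly on a Backup-mode device are spotted.

```python
"""Revision diff for FortiOS-style configuration text.

Added example for this training page; it is not FortiManager code. It models
what the Revision Diff / Show Diff Only view reports for a device in a Backup
ADOM: which objects were added, removed or changed between two retrieved
revisions. The two revisions below are constructed sample snippets, and the
object names in them are placeholders.
"""
import shlex

# Constructed revision as retrieved before the change on HQ-FW.
OLD_REV = """\
config firewall address
    edit "LAN_NET"
        set subnet 10.0.1.0 255.255.255.0
    next
    edit "OLD_HOST"
        set subnet 10.0.1.50 255.255.255.255
    next
end
"""

# Constructed revision retrieved after an address object was created
# directly on the FortiGate (one was also edited and one deleted).
NEW_REV = """\
config firewall address
    edit "LAN_NET"
        set subnet 10.0.1.0 255.255.254.0
    next
    edit "TEST_OBJ"
        set subnet 192.0.2.10 255.255.255.255
        set comment "created directly on HQ-FW"
    next
end
"""


def parse_fortios_config(text):
    """Parse config / edit / set / next / end lines into nested dicts:
    {section: {entry: {attribute: value}}}. A nested config block inside an
    entry becomes a sub-dict keyed by its section name."""
    root = {}
    stack = [root]  # innermost dict currently being filled
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # honours the quoted names FortiOS emits
        kw, rest = parts[0], parts[1:]
        if kw == "config":
            stack.append(stack[-1].setdefault(" ".join(rest), {}))
        elif kw == "edit":
            stack.append(stack[-1].setdefault(rest[0], {}))
        elif kw == "set":
            stack[-1][rest[0]] = " ".join(rest[1:])
        elif kw in ("next", "end"):
            stack.pop()
        else:
            raise ValueError("unexpected line: " + raw)
    if len(stack) != 1:
        raise ValueError("unbalanced config/edit blocks")
    return root


def _leaves(value, path):
    """Flatten a dict subtree into (path, scalar) pairs, in file order."""
    if isinstance(value, dict):
        for key, sub in value.items():
            yield from _leaves(sub, path + (key,))
    else:
        yield path, value


def diff_revisions(old, new, path=()):
    """Yield (kind, path, old_value, new_value) tuples for every difference
    between two parsed revisions, recursing into matching sub-dicts."""
    for key in sorted(set(old) | set(new)):
        here = path + (key,)
        if key not in old:
            yield ("added", here, None, new[key])
        elif key not in new:
            yield ("removed", here, old[key], None)
        elif isinstance(old[key], dict) and isinstance(new[key], dict):
            yield from diff_revisions(old[key], new[key], here)
        elif old[key] != new[key]:
            yield ("changed", here, old[key], new[key])


def show_diff_only(old_text, new_text):
    """Render only the differing lines, one string per change:
    '+' added, '-' removed, '~' changed (old -> new)."""
    old, new = parse_fortios_config(old_text), parse_fortios_config(new_text)
    out = []
    for kind, here, ov, nv in diff_revisions(old, new):
        if kind == "changed":
            out.append(f"~ {' / '.join(here)}: {ov} -> {nv}")
        else:
            mark, subtree = ("+", nv) if kind == "added" else ("-", ov)
            for leaf_path, leaf in _leaves(subtree, here):
                out.append(f"{mark} {' / '.join(leaf_path)} = {leaf}")
    return out


if __name__ == "__main__":
    for line in show_diff_only(OLD_REV, NEW_REV):
        print(line)
```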


ADOM Health Check Lab:
Go to System Settings > All ADOMs. From the More menu, select ADOM Health Check.

The ADOM Health Check dialog box is displayed.

In the Health Check Criteria section, select which items to check, and click Check Now. The
results of the check are displayed. In the following step, Warning ADOMs <number> is selected,
and the list of ADOMs with warnings is displayed. The Backup ADOM has a warning.
Under Warning ADOMs <number>, click the ADOM name to display the Device Manager pane,
and view details about the warning. The Device Manager pane is displayed for the ADOM with
the warning. The ADOM Health Check button remains at the bottom of the pane.

At the bottom-right of the Device Manager pane, click the ADOM Health Check button to return
to the ADOM Health Check dialog box, and continue checking ADOMs. The ADOM Health Check
dialog box is displayed. Click All ADOMs <number>. A summary of all ADOMs is displayed.

Click the x on the top-right corner to close the dialog box.


Device Registration:
There are two ways you can register a device using FortiManager. You can add devices to the
FortiManager unit by using the Add Device wizard. You can use the wizard to Discover Devices
or Add Model Devices to your FortiManager unit.

Device Discover Mode:


The first registration method is the device registration wizard on FortiManager. You can launch
the wizard from the Device Manager pane by clicking Add Device on the menu bar. If you have
enabled ADOMs and want to add the device to a specific ADOM, select the ADOM from the
ADOM list before clicking Add Device. You can add an online device to FortiManager using the
Add Device wizard in Discover mode. Type the IP address of the FortiGate management port,
keep the Use legacy device login setting at its default OFF position, and click Next to continue.
A browser popup window opens to let you log in to FortiGate as part of the authorization
process. When FortiManager connects to FortiGate, it retrieves the FortiOS management IP
address and management port. As an alternative to specifying the accessible management IP
and port for FortiOS, you can use the legacy login in the Add Device wizard with Discover
mode. In order to fully discover the device and add the full configuration, the login credentials
that you enter when you use the Discover Device option must have full read-write access on
FortiGate. Use the Discover option for devices that are currently online and discoverable on
your network. When the wizard completes, the device is added to FortiManager and authorized.
Add Model Device:
The second option in the Add Device wizard is Add Model Device, which allows you to add a
device that is not yet online. Using this option, you can create the configuration in advance.
You need the FortiGate serial number, which is mandatory when adding FortiGate as a model
device by serial number, or a pre-shared key, which must be unique per device if you add
multiple model devices. On the FortiGate side, you need to configure FortiGate to point to
FortiManager. If you are using a serial number to add FortiGate as a model device, you must
configure the FortiManager IP address on FortiGate under the central management
configuration. If you are using a pre-shared key to add a model device, you must perform the
central management configuration, plus you must run a register device command on the
FortiGate CLI. This command requires the FortiManager serial number along with the
pre-shared key used when adding the model device. The FortiGate device is automatically
promoted to a registered device after FortiGate is deployed with the basic IP address and
routing configuration it needs to reach FortiManager. You can then install the preconfigured
configuration from FortiManager to FortiGate.

Choose the method by which the device will be added: Serial Number or Pre-Shared Key. Use
the serial number if it is known. A pre-shared key can be used if the serial number is not
known when the model device is added. If using a pre-shared key, each device must have a
unique pre-shared key, and on the FortiGate CLI you must run:
execute central-mgmt register-device <fmg-serial-number> <preshared-key>
Add HA Cluster:
Adding an operating FortiGate HA cluster to the Device Manager pane is similar to adding a
standalone device. Specify the IP address of the primary device. FortiManager handles a cluster
as a single managed device.

Unauthorized Device:
The FortiGate administrator must configure the FortiManager IP address and apply the settings.
A pop-up window opens stating that the management request has been sent to FortiManager.
Click OK to open the FortiManager Status window, and then you can authorize the FortiGate
device. Also, you must ensure that FMG-Access is enabled on the FortiGate interface that is
facing the FortiManager device. After the request is made from the supported device, the
request appears under Device Manager > Unauthorized Devices on the FortiManager GUI. The
FortiManager administrator should review the details of the unauthorized device and, if
satisfied, authorize the device. On the FortiManager CLI, you can enable automatic
authorization of unauthorized devices.
Add Multiple Device:
You can enable Show Add Multiple Button under Admin Settings, which enables the option for
adding multiple devices under Device Manager. You can click Add and enter the FortiGate IP
address, user name, and password. Adding devices using the Add Device wizard gives you more
configuration options than using Add Multiple devices.

Import Model Devices CSV File:


Model devices can be imported using a CSV file. This can be used to import large numbers of
model devices into FortiManager. When importing model devices from a CSV file, a device
blueprint is used to configure the initial settings. Configure your local CSV file for the devices
that you want to import. CSV files must contain the following columns: sn, device blueprint, and
name, with the respective data listed in the cells. Drag and drop the CSV file into the Upload
area, or select the CSV file location on your computer.
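The CSV import above and the serial-number / pre-shared-key model device methods earlier both depend on a few rules stated on this page: the CSV needs the sn, device blueprint and name columns, a device can exist only once, and each PSK-registered device needs its own unique key plus the register-device command. The following added example (not FortiManager or FortiOS code) validates such a CSV and emits the FortiGate-side bootstrap CLI shown on this page for each accepted device; the sample rows, blueprint names, and the FortiManager serial and addresses are constructed placeholders.

```python
"""Check a FortiManager model-device import CSV and emit the FortiGate-side
central-management bootstrap for each device.

Added example for this training page; it is not FortiManager or FortiOS code.
The required CSV columns (sn, device blueprint, name) and the FortiOS commands
are those shown on the page; the sample CSV rows, the device and blueprint
names and the FortiManager serial/address values are constructed placeholders.
"""
import csv
import io

REQUIRED_COLUMNS = ("sn", "device blueprint", "name")

# Constructed sample: line 4 reuses the serial from line 2, line 5 has no name.
SAMPLE_CSV = """\
sn,device blueprint,name
FGT-PLACEHOLDER-0001,branch-blueprint,BR-FW
FGT-PLACEHOLDER-0002,dc-blueprint,DC-FW
FGT-PLACEHOLDER-0001,branch-blueprint,HQ-FW
FGT-PLACEHOLDER-0003,branch-blueprint,
"""


def validate_model_device_csv(text):
    """Return (rows, errors): rows are the accepted devices in file order,
    errors describe every header or row problem found."""
    reader = csv.DictReader(io.StringIO(text))
    fields = reader.fieldnames or []
    missing = [c for c in REQUIRED_COLUMNS if c not in fields]
    if missing:
        return [], ["missing required column(s): " + ", ".join(missing)]
    rows, errors, seen_sn, seen_name = [], [], set(), set()
    for lineno, row in enumerate(reader, start=2):  # header is line 1
        sn = (row.get("sn") or "").strip()
        blueprint = (row.get("device blueprint") or "").strip()
        name = (row.get("name") or "").strip()
        problems = []
        if not sn:
            problems.append("empty sn")
        elif sn in seen_sn:
            problems.append(f"duplicate sn {sn}")  # one device, one entry
        if not blueprint:
            problems.append("empty device blueprint")
        if not name:
            problems.append("empty name")
        elif name in seen_name:
            problems.append(f"duplicate name {name}")
        if problems:
            errors.append(f"line {lineno}: " + "; ".join(problems))
            continue
        seen_sn.add(sn)
        seen_name.add(name)
        rows.append({"sn": sn, "device blueprint": blueprint, "name": name})
    return rows, errors


def bootstrap_cli(fmg_ip, fmg_serial=None, psk=None, source_ip=None):
    """FortiOS CLI a model device needs in order to reach FortiManager.

    Serial-number method: the central-management block is enough, because
    FortiManager matches the device by the serial it already holds.
    Pre-shared-key method: the same block plus
    'execute central-mgmt register-device <fmg-serial> <psk>'."""
    lines = ["config system central-management",
             "    set type fortimanager",
             f"    set fmg {fmg_ip}"]
    if source_ip:
        lines.append(f"    set fmg-source-ip {source_ip}")
    lines.append("end")
    if psk is not None:
        if not fmg_serial:
            raise ValueError("PSK registration needs the FortiManager serial")
        lines.append(f"execute central-mgmt register-device {fmg_serial} {psk}")
    return "\n".join(lines)


def bootstrap_for_csv(text, fmg_ip, fmg_serial=None, psks=None):
    """Map each accepted device name to its bootstrap CLI. When psks
    (name -> key) is given, every device must have its own distinct key,
    as the page requires for multiple model devices."""
    rows, errors = validate_model_device_csv(text)
    if errors:
        raise ValueError("\n".join(errors))
    if psks is not None:
        keys = [psks[r["name"]] for r in rows]  # KeyError: device without key
        if len(set(keys)) != len(keys):
            raise ValueError("each model device must have a unique pre-shared key")
    return {r["name"]: bootstrap_cli(fmg_ip, fmg_serial,
                                     None if psks is None else psks[r["name"]])
            for r in rows}


if __name__ == "__main__":
    accepted, problems = validate_model_device_csv(SAMPLE_CSV)
    print("accepted:", [r["name"] for r in accepted])
    print("rejected:", *problems, sep="\n  ")
    print(bootstrap_cli("10.0.1.253", source_ip="10.0.1.254"))
```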
Add FortiGate Discover Device:

First, enable FMG-Access on the FortiGate interface that connects to FortiManager. Go to
Network > Interfaces and edit port 3. Under Administrative Access, allow FMG-Access.
Add FortiGate:
From the ADOM selector in the top-right corner, switch from the root ADOM to the ADOM to
which you want to add the device; in this case, choose the newly created ADOM FG-7-0-9.

To add a device in Discover mode, go to Device Manager > Device & Groups.

In the toolbar, click Add Device. The Add Device window opens. Select Discover, and follow the
prompts to configure the device settings. In the box, type the management port IP address of
the device, type the username and password for the device, and click Next.
After the device discovery process completes, the following page of information is displayed.
Configure the following settings, and click Next.
More information about the device is checked. After the wizard completes the checks, you are
asked to choose whether to import policies and objects for the device now or later. Click Finish
to finish adding the device and close the wizard.
Synch Device:
This wizard allows you to import interface maps, policy databases, and objects. Select Import
Policy Package, and click Next.

Specify what policies and objects to import. Specify mapping types for enabled FortiGate
interfaces. When finished mapping device interfaces, click Next.
The next page displays any object conflicts between the device and FortiManager. If object
conflicts are detected, choose whether to use the value from FortiGate or FortiManager, and
click Next. You can click Download Conflict File to save a file of the conflicts to your hard drive.

Click Next to start the import process. When the import process completes, a summary page is
displayed.
Click Finish to close the wizard.

Finally, the device is added successfully.


Add FortiGate Model Device (Serial Number):

Add FortiGate:
If ADOMs are enabled, select the ADOM to which you want to add the device. From the ADOM
selector in the top-right corner, switch from the root ADOM to the ADOM to which you want to
add the device; in this case, choose the newly created ADOM FG-7-0-9.

Go to Device Manager > Device & Groups. Click Add Device. The Add Device wizard displays.
Click Add Model Device and enter the information.

Enter the device name, type the serial number, select the device model, and click Next. The
device is created in the FortiManager database.
FortiManager creates the device database.

Finally, the device is added successfully. Click Finish to exit the wizard.

In the FortiGate GUI, navigate to Security Fabric > Fabric Connectors > FortiManager. Set Status
to Enabled, Type to On-Premises, Mode to Normal, and type the IP address of the FortiManager.

A Confirm message is shown; click OK. The FortiGate firewall will log you out.
Through CLI
HQ-FW # config system central-management
HQ-FW (central-management) # set type fortimanager
HQ-FW (central-management) # set fmg 10.0.1.253
HQ-FW (central-management) # set fmg-source-ip 10.0.1.254
HQ-FW (central-management) # end
Add FortiGate Model Device (Pre-Shared Key):

Add FortiGate:
If ADOMs are enabled, select the ADOM to which you want to add the device. From the ADOM
selector in the top-right corner, switch from the root ADOM to the ADOM to which you want to
add the device; in this case, choose the newly created ADOM FG-7-0-9.

Go to Device Manager > Device & Groups. Click Add Device. The Add Device wizard displays.
Click Add Model Device and enter the information.

Enter the device name, type the pre-shared key, select the device model and Port Provisioning,
and click Next. The device is created in the FortiManager database.
FortiManager creates the device database.

Finally, the device is added successfully. Click Finish to exit the wizard.


In the FortiGate GUI, navigate to Security Fabric > Fabric Connectors > FortiManager. Set Status
to Enabled, Type to On-Premises, Mode to Normal, and type the IP address of the FortiManager.

A Confirm message is shown; click OK. The FortiGate firewall will log you out.

In FortiOS, configure central management and then run the register-device command, which
links the model device to the real device and installs the configuration on it. After the
command is executed, FortiManager automatically links the model device to the real device
and installs the configuration to the device.
Through CLI
HQ-FW # config system central-management
HQ-FW (central-management) # set type fortimanager
HQ-FW (central-management) # set fmg 10.0.1.253
HQ-FW (central-management) # set fmg-source-ip 10.0.1.254
HQ-FW (central-management) # end
FortiManager Serial No & Pre-Shared Key
HQ-FW # execute central-mgmt register-device FMG-VMTM22016522 123456

The Device is added successfully.


FortiManager Through Security Fabric:
On the root FortiGate, go to Security Fabric > Fabric Connectors and double-click the
FortiManager card.

For Status, click Enable.


For Type, click On-Premise. Enter the IP/Domain Name of the FortiManager. Click OK.

The Confirm pane appears. Review the serial number, and click OK.
After completing the steps in FortiOS, go to FortiManager to authorize the FortiGate, which
completes the process. On FortiManager, go to Device Manager and find the FortiGate in the
Unauthorized Devices list. The unauthorized device list is located in the root ADOM.

Select the FortiGate device or devices, and click Authorize in the toolbar.

In the Authorize Device pop-up, adjust the device names as needed, select the appropriate
ADOM if applicable, and click OK.
The device has been successfully authorized. Click Close.

Let's switch over to the FG-7-0-9 ADOM from the top-right corner to verify the device.

To add a FortiManager to the Security Fabric using the CLI, provide the FortiManager
connection information as shown below.
CLI Method
HQ-FW # config system central-management
HQ-FW (central-management) # set type fortimanager
HQ-FW (central-management) # set fmg 192.168.114.210
HQ-FW (central-management) # end

When you configure the FortiManager connection from the CLI, no prompt is available to
approve the returned FortiManager serial number. Therefore, you must run the following
command: execute central-mgmt register-device <fmg-serial-no> <PSK>. If you have not
previously configured a model device in FortiManager, you can enter any characters for the
PSK field; in this case, type 123456.
CLI Method
HQ-FW # execute central-mgmt register-device FMG-VMTM22015653 123456
Add FortiGates to FortiManager:

Creating ADOM:
Enable ADOMs: go to System Settings > Dashboard. In the System Information widget, go to
Administrative Domain and toggle it On. You will be logged out; log in again.
Go to System Settings > All ADOMs. Click Create New in the toolbar. The Create New ADOM
pane is displayed.

Configure the following settings, then click OK to create the ADOM. Type a name that allows
you to distinguish this ADOM from your other ADOMs. Select the type FortiGate. Select the
version of the devices in the ADOM. Select Normal mode. Select the VPN checkbox to enable
central VPN management. Clear the FortiAP and FortiSwitch checkboxes if you do not want them.
From the ADOM selector in the top-right corner, switch from the root ADOM to the newly
created ADOM FG-7-0-9.

Add HQ-FW FortiGate:


To add a device in Discover mode, go to Device Manager > Device & Groups.

In the toolbar, click Add Device. The Add Device window opens. Select Discover, and follow the
prompts to configure the device settings. In the box, type the management port IP address of
the device, type the username and password for the device, and click Next.
After the device discovery process completes, the following page of information is displayed.
Configure the following settings, and click Next.

More information about the device is checked. After the wizard completes the checks, you are
asked to choose whether to import policies and objects for the device now or later. Click Finish
to finish adding the device and close the wizard.
Synch Device:
This wizard allows you to import interface maps, policy databases, and objects. Select Import
Policy Package, and click Next.
Specify what policies and objects to import. Specify mapping types for enabled FortiGate
interfaces. When finished mapping device interfaces, click Next.

The next page displays any object conflicts between the device and FortiManager. If object
conflicts are detected, choose whether to use the value from FortiGate or FortiManager, and
click Next. You can click Download Conflict File to save a file of the conflicts to your hard drive.
Click Next to start the import process. When the import process completes, a summary page is
displayed.

Click Finish to close the wizard.

Finally, the device is added successfully.


Add DC-FW FortiGate:
To add a device in Discover mode, go to Device Manager > Device & Groups.

In the toolbar, click Add Device. The Add Device window opens. Select Discover, and follow the
prompts to configure the device settings. In the box, type the management port IP address of
the device, type the username and password for the device, and click Next.
After the device discovery process completes, the following page of information is displayed.
Configure the following settings, and click Next.

More information about the device is checked. After the wizard completes the checks, you are
asked to choose whether to import policies and objects for the device now or later. Click Finish
to finish adding the device and close the wizard.
Synch Device:
This wizard allows you to import interface maps, policy databases, and objects. Select Import
Policy Package, and click Next. Specify what policies and objects to import. Specify mapping
types for enabled FortiGate interfaces. When finished mapping device interfaces, click Next.
Add BR-FW FortiGate:
To add a device in Discover mode, go to Device Manager > Device & Groups.

In the toolbar, click Add Device. The Add Device window opens. Select Discover, and follow the
prompts to configure the device settings. In the box, type the management port IP address of
the device, type the username and password for the device, and click Next.
After the device discovery process completes, the following page of information is displayed.
Configure the following settings, and click Next.

More information about the device is checked. After the wizard completes the checks, you are
asked to choose whether to import policies and objects for the device now or later. Click Finish
to finish adding the device and close the wizard.
Synch Device:
This wizard allows you to import interface maps, policy databases, and objects. Select Import
Policy Package, and click Next. Specify what policies and objects to import. Specify mapping
types for enabled FortiGate interfaces. When finished mapping device interfaces, click Next.

Finally, all three devices are added successfully.


Upgrading FortiManager Firmware:
Download the FortiManager firmware from the Customer Service & Support portal. Firmware
images follow a specific naming convention, and each firmware image is specific to the VM
environment. All firmware images for VM upgrades have filenames that end with .out. For
example, the FMG_VM64_KVM-v7.2.1-build1215-FORTINET.out image is specific to upgrading
the KVM platform.
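Because each image is platform-specific, a pre-upload sanity check on the filename catches the two common mistakes (wrong platform image, or an image that is not newer than the running version) before the unit reboots into it. The following is an added example, not Fortinet tooling: the FMG_<platform>-v<version>-build<build>-FORTINET.out layout is inferred from the example filename on this page and assumed to hold for other images, and the running platform and version used in the check are constructed values.

```python
"""Pre-upload check for a FortiManager firmware image filename.

Added example for this training page, not Fortinet tooling. The layout
FMG_<platform>-v<version>-build<build>-FORTINET.out is inferred from the
example on the page (FMG_VM64_KVM-v7.2.1-build1215-FORTINET.out) and is
assumed to hold for other images; the running platform/version values used
in the demo below are constructed.
"""
import re

IMAGE_RE = re.compile(
    r"^FMG_(?P<platform>[A-Z0-9]+(?:_[A-Z0-9]+)*)"
    r"-v(?P<version>\d+(?:\.\d+)*)-build(?P<build>\d+)-FORTINET\.out$"
)


def parse_image_name(filename):
    """Return {'platform', 'version' (tuple of ints), 'build'} or None
    when the name does not follow the assumed convention."""
    m = IMAGE_RE.match(filename)
    if not m:
        return None
    return {"platform": m["platform"],
            "version": tuple(int(p) for p in m["version"].split(".")),
            "build": int(m["build"])}


def check_upgrade_image(filename, running_platform, running_version):
    """List the reasons an image must not be uploaded to this unit;
    an empty list means the image is a plausible upgrade candidate."""
    info = parse_image_name(filename)
    if info is None:
        return [f"{filename}: not a FMG_<platform>-v<ver>-build<n>-FORTINET.out image"]
    problems = []
    if info["platform"] != running_platform:
        problems.append(f"image is for {info['platform']}, this unit is {running_platform}")
    if info["version"] <= tuple(running_version):
        problems.append(f"image version {info['version']} is not newer than "
                        f"{tuple(running_version)}")
    return problems


if __name__ == "__main__":
    # Constructed running state: a KVM VM on an older 7.0.x release.
    for name in ("FMG_VM64_KVM-v7.2.1-build1215-FORTINET.out",
                 "FMG_VM64-v7.2.1-build1215-FORTINET.out"):
        print(name, "->", check_upgrade_image(name, "VM64_KVM", (7, 0, 5)) or "ok")
```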

In System Settings > Advanced > Advanced Settings, enable Offline Mode. Offline mode stops
automatic firmware updates during the upgrade.
Go to System Settings > Dashboard. In the System Information widget, go to the Firmware
Version field, and click the Upgrade Firmware icon.

Before upgrading your firmware, you can choose to enable or disable Backup Configuration.
When this setting is enabled, you will automatically download a backup copy of your
FortiManager configuration when performing a firmware upgrade. If you want to encrypt the
backup file, enable Encryption, then type and confirm the password you want to use.
In the Firmware Upload dialog box, click Browse to locate the firmware package (.out file) that
you downloaded from the Customer Service & Support portal, and click Open.

Click OK to start Firmware Upgrade process.


The firmware image is uploaded, and a message that the upgrade will start shortly is displayed.

After the reboot and upgrade process finishes, verify that the FortiManager firmware version
has been upgraded to the new version v7.2.1-build1215.

In System Settings > Advanced > Advanced Settings, disable Offline Mode.
Backup FortiManager:
Back up your FortiManager configuration to your management computer on a regular basis to
ensure that, should the system fail, you can quickly get the system back to its original state
with minimal effect on the network. You should also back up your configuration after making
any changes to the FortiManager configuration or settings that affect connected devices. You
can back up the FortiManager configuration in the System Information widget on the GUI. By
default, encryption is enabled when you use the GUI for backups. If you use encryption, you
must set a password that is used to encrypt the backup file. The backup file can't be restored
unless you provide the same password. The backup contains everything except the logs,
FortiGuard cache, and firmware images saved on FortiManager. If changes are made to
FortiManager that end up negatively affecting your network, you can restore the
configuration from any of the backups you performed.

Restore FortiManager:
The restore operation temporarily disables the communication channel between
FortiManager and all managed devices. This is a safety measure, in case any devices are being
managed by another FortiManager. To re-enable the communication, go to System Settings >
Advanced > Advanced Settings and disable Offline Mode. You can restore the FortiManager
configuration using the GUI or CLI. When you perform a restore, FortiManager reboots and the
changes take effect. When you restore a backup file, make sure the FortiManager firmware
version and model match the backup file.

Offline Mode:
By default, offline mode is disabled, allowing FortiManager to manage the devices. When you
perform a configuration restore, FortiManager disables the FGFM protocol. This protocol uses
TCP port 541 for communication between FortiManager and FortiGate devices. You can
manually enable or disable it in System Settings > Advanced > Advanced Settings.
Go to System Settings > Dashboard. In the System Information widget, click the backup button
next to System Configuration. The Backup System dialog box opens. If you want to encrypt the
backup file, select the Encryption box, then type and confirm the password you want to use.
The password can be a maximum of 63 characters. Select OK and save the backup file on your
management computer.
Go to System Settings > Dashboard. In the System Information widget, click the restore button
next to System Configuration. The Restore System dialog box opens. Configure the following
settings then select OK.

Migrating FortiManager Configuration:


You can back up the configuration on one FortiManager model and restore this configuration
on a different FortiManager model. The steps required to migrate a configuration are simple.
You need to back up the configuration on one FortiManager model, and then run the CLI
migrate command on the second FortiManager. FortiManager supports FTP, SCP, and SFTP
protocols to migrate a configuration from one FortiManager model to another FortiManager
model. If you encrypted the FortiManager configuration file when you created it, you need the
password to decrypt the configuration file when you migrate the file to another FortiManager
model. In the CLI Console widget, type the following command:
execute migrate all-settings <ftp | scp | sftp> <server> <filepath> <user> <password>
[cryptpasswd]

Reset Setting:
If you need to factory reset FortiManager, connect using the console port. The reset all-settings
command returns FortiManager to its factory default settings and reboots FortiManager. The
format disk command erases all device settings and images, FortiGuard databases, and log data
on the FortiManager hard drive. To completely erase all configuration databases, reset all
settings, then format the disk using the CLI.
FortiManager Backup & Restore Lab:
Backup:
Go to System Settings > Dashboard. In the System Information widget, click the backup button
next to System Configuration. The Backup System dialog box opens. If you want to encrypt the
backup file, select the Encryption box, then type and confirm the password you want to use.
The password can be a maximum of 63 characters. Select OK and save the backup file on your
management computer.

The backup process starts; it takes some time depending on your configuration, and the file is
downloaded to your management computer.
Restore:
Go to System Settings > Dashboard. In the System Information widget, click the restore button
next to System Configuration. The Restore System dialog box opens. Configure the following
settings then select OK.
Migrating FortiManager Configuration:
Take FortiManager configuration backup. Go to System Settings > Dashboard. In the System
Information widget, click the backup button next to System Configuration. The Backup System
dialog box opens. Select OK and save the backup file on your management computer.

Alternatively, back up the FortiManager configuration from the CLI using the command below.


FMG# execute backup all-settings ftp 192.168.114.1 / admin 123456

In this lab, 3CDaemon FTP has been used to take the backup and to perform the migration. The
FortiManager backup has been saved in the 3CDaemon FTP directory.
On the new FortiManager, execute the command below to migrate the settings from the old unit to the new one.
FMG# execute migrate all-settings ftp 192.168.114.1 /fmg_clibackup.dat admin 123456

After the configuration has been transferred successfully from the FTP server to the new
FortiManager, the unit reboots and the restored configuration appears in FortiManager.
Provisioning Templates:
Provisioning templates allow you to create profiles that contain device-level settings. These
templates make it easy to apply identical device-level settings across many devices. You can edit
and reapply the templates. Several types of templates are based on common device settings.
Provisioning templates are based on specific ADOM versions, so some settings may not be available.

System Templates:
System templates allow you to create and manage common system-level settings for managed devices.
The System Templates pane allows you to create and manage device profiles. A system template is a subset
of a model device configuration. Each device or device group can be linked with a system
template. When linked, the selected settings come from the template and not from the Device
Manager database. By default, there is one generic profile defined. System templates are
managed in a similar manner to policy packages. The System Template page contains one
generic profile named default, which is a subset of the model device configurations and
contains the widgets such as DNS, Alert Email, Admin Settings, and others. You can create a
new device profile and configure the settings in the widgets in that profile. You can use the
Import icon or Import Template to import the settings from a specific managed device, which
inherits the system-level settings and CLI settings of that managed device. You can use the
Assign to Device tab to associate devices with a profile, or to view the list of devices already
assigned to a profile.
IPsec Tunnel Templates:
You can provision IPsec tunnels to FortiGate branch devices using an IPsec template. You can
save an IPsec VPN configuration, apply it to one or more FortiGates, and reuse the same
configuration again and again.

Static Route Templates:


You can provision static routes to FortiGate devices by using a static route template.

SD-WAN Templates:
SD-WAN templates allow you to configure SD-WAN for one or more devices. When you assign an
SD-WAN template to a device, you are using SD-WAN central management.

SD-WAN Overlay Templates:


Most SD-WAN deployments require complex overlay configurations for datacenter or cloud
connectivity. The SD-WAN overlay template includes a wizard to automate and simplify the
process using Fortinet's recommended IPsec and BGP templates. When the SD-WAN overlay
template has been configured, it generates the necessary IPsec, BGP and CLI provisioning
templates that are required for the creation of your SD-WAN overlays. These provisioning
templates are automatically assigned to the SD-WAN branch and hub devices identified in the
template's wizard. Provisioning templates created by the SD-WAN overlay template are also
automatically organized into template groups for each hub and branch configuration.

CLI Templates:
CLI templates allow you to create CLI script templates or CLI script template groups that you
can assign to managed devices. Putting CLI templates into groups lets you assign multiple
templates to managed devices at the same time.

BGP Templates:
FortiManager includes Border Gateway Protocol (BGP) templates allowing you to provision BGP
settings across multiple FortiGate devices.

Template Groups:
The Device Manager > Provisioning Templates > Template Group pane allows you to create a
template group, and add templates to the group. Then you can assign the template group to
one or more devices or VDOMs or to a device group rather than assigning individual templates
to devices or VDOMs.
System Templates Lab:
Go to the Device Manager > Provisioning Templates > System Templates > default pane to
configure system templates. After making changes in a widget, click Apply to save your changes.

To close a widget, click the Close icon in the widget’s top right.

To select which widgets to display, click Toggle Widgets and select which widgets to display.
To import settings from another device, click the Import icon in the widget’s top right and select
the device from which to import.

You can create, edit, or delete templates. Select System Templates in the tree to display the
Create New, Edit, Delete, and Import options in the content pane. You can also select the
devices or device groups to be associated with the template by selecting Assign to
Devices/Groups.

New Blank System Template:
Go to Device Manager > Provisioning Templates > System Templates. Click Create New > Blank
Template. A new window opens.

Type the name of the system template, in this case SYS-Temp, and click OK.

Double-click to open the newly created template named SYS-Temp. Click Toggle Widgets and
click DNS to add the DNS widget.
Type the Primary DNS Server, Secondary DNS Server and Local Domain Name, and click Apply.

Navigate to Device Manager > Provisioning Templates > System Templates. Tick the system
template and select Assign to Device/Group. Select the devices from Available Entries and add them.
Finally, the system template has been assigned to all three firewalls.

Select all three firewalls and push the configuration to all of them.

Log in to all three firewalls and verify that the DNS settings from the new template have been applied.
Scripts:
Scripts allow you to create, execute, and view the results of scripts executed on FortiGate devices.
Using scripts reduces administrative overhead because the same commands can be reused across
all devices, which saves time. Scripts can make many changes to a managed device and are useful
for bulk configuration changes and for keeping the configuration consistent across multiple
managed FortiGate devices.

CLI Script:
The ability to use CLI scripts from FortiManager is a major benefit when configuring and
deploying firewalls at scale. Most script syntax is the same as that used by FortiOS: CLI scripts
contain only FortiOS CLI commands, exactly as they are entered at the command line prompt of a
FortiGate device. At least one FortiGate device must be configured in the FortiManager system
before you can use scripts. CLI scripts can be put into groups so that multiple scripts can be run
on a target at the same time. CLI scripts are useful for specific tasks such as configuring a
routing table, adding new firewall policies, or getting system information.
Before using scripts, ensure the console-output function has been set to standard in the
FortiGate CLI. Otherwise, scripts and other output longer than a screen in length will not
execute or display correctly.
Device Database:
By default, a script is executed on the device database. It is recommended that you run the
changes on the device database (default setting), because this allows you to check what
configuration changes you will send to the managed device. Once scripts are run on the device
database, you can then install the changes on a managed device using the installation wizard.

Policy Package or ADOM Database:


If a script contains changes related to ADOM-level objects and policies, you can change the
default selection to run on Policy Package, ADOM Database, and then install the changes using
the installation wizard.

Remote FortiGate Directly (via CLI):


A script can be executed directly on the device, so you do not need to install the changes using
the installation wizard. Because the changes are installed directly on the managed device, there is
no option to verify and check the configuration changes through FortiManager before executing
them. Executing scripts directly on FortiGate devices has one limitation: the FortiGate
configuration and the FortiManager device database will no longer be synchronized with each
other.

TCL Script:
TCL is a dynamic scripting language that extends the functionality of CLI scripting. TCL scripts
use SSH tunneled through FGFM, and they require SSH authentication to do so. If FortiManager
does not have the correct administrative credentials for the device in Device Manager, the TCL
script will fail. In FortiManager TCL scripts, the first line of the script is a number sign (#) plus an
exclamation mark (!), as in standard TCL scripts. By default, TCL scripts are not enabled; you need
to enable them from the FortiManager CLI.
TCL Script Enable:
FMG # config system admin setting
(setting)# set show_tcl_script enable
(setting)# end
CLI Script Lab:
Go to System Settings > Admin > Admin Settings. In the Display Options on GUI section, select
Show Scripts. Select Apply to apply your changes.

To configure a script, go to Device Manager > Scripts and click Create New > Script.

The Create Script dialog box opens. Enter the required information. Type a unique name for the
script, set Run Script on to Device Database, then select OK to create the script.

Let's create one more script: go to Device Manager > Scripts and click Create New > Script.
The Create Script dialog box opens. Enter the required information. Type a unique name for the
script, set Run Script on to Remote FortiGate Directly (via CLI), then select OK.

Let's create one more script: go to Device Manager > Scripts and click Create New > Script.

In the Create Script dialog box, enter the required information. Type a unique name for the
script, set Run Script on to Device Database, then select OK.
Script Group:
Let's create a script group: go to Device Manager > Scripts and click Create New > Script Group.

Enter a name for the script group. Use the directional arrows to move available scripts to
member scripts. Select the member scripts and click OK.

Go to Device Manager > Scripts. Select Import CLI Script from the toolbar. The Import CLI Script
window opens.
Drag and drop the script file onto the dialog box, or click Add Files and locate the file to be
imported on your local computer. Click Import to import the script.

Finally, we have CLI scripts with different targets, and one script group as well.

Go to Device Manager > Scripts. Select a script, then click Run Script in the toolbar, or right-click
the script and select Run Script.
The Run Script dialog box opens. This dialog box varies depending on the script target: you can
select either a device group or one or more devices. Click Run Now to run the script.

The script starts running on the devices.


The script has completed successfully without any errors.

Let's verify that the theme has been changed on all three firewalls, HQ-FW, DC-FW and BR-FW.
Go to Device Manager > Scripts. Select a script, then click Run Script in the toolbar, or right-click
the script and select Run Script.

The Run Script dialog box opens. This dialog box varies depending on the script target: you can
select either a device group or one or more devices. Click Run Now to run the script.
Because this was a Device Database script, only the device database is updated; you still need to
install the configuration on the firewalls for the changes to take effect.
Revision History:
The Revision History repository stores all configuration revisions for a device. You can view the
version history, view configuration settings and changes, import files from a local computer,
compare different revisions, revert to a previous revision, and download configuration files to a
local computer.

A Revision History is created by many different operations, such as adding a device, installing
changes, retrieving a configuration, or the occurrence of an automatic update. FortiManager
maintains a repository of the configuration revisions made to managed devices. This allows the
FortiManager administrator to view and download the configuration revisions for a managed
device, inspect configuration changes between configuration revisions, view installation history,
and view which administrator or process created the new configuration revision.

If the managed FortiGate device configuration is modified directly from the FortiGate,
FortiManager compares the checksum with the latest revision history to the running
configuration on the FortiGate, and creates a new revision history in its repository. It then
updates the FortiManager database, which includes device-level settings only. The policy and
objects are updated using the Import Policy wizard.

If the changes are made from FortiManager to the managed device, when performing the
install, it will compare the checksum with the latest revision history to the FortiManager
database and create a new revision history. So, when a change in the configuration is detected,
FortiManager creates a new revision history and tags it with a version or ID number.
Revision History Window:
The Revision History repository stores all configuration revisions for the devices and tags each
revision with a version or ID number. The Installation and Created by columns provide details
about the action, process, or administrator that created the revision. The green checkmark in
the revision history indicates which revision history configuration corresponds to the device
manager database configuration. It is usually the top entry, which is synchronized with the
FortiGate configuration.

Revert Revision:
A revert operation within the revision history changes the device database configuration to a
previous configuration state. You must install these reverted changes on the FortiGate, which then
creates a new revision entry. This new revision is a copy of the reverted one and is in sync with
the FortiGate configuration. Revert followed by installation only reverts device-level changes.
Keep in mind that revert does not revert policy packages; you will need to import policies and
objects. You can revert to any previous revision by right-clicking that entry and then clicking
Revert. The Installation column of the selected entry is automatically updated to Revision Revert.

Retrieve Config:
The revision history also allows you to create a new revision from the device’s running
configuration. Click Retrieve Config. FortiManager checks and compares the configuration on
the managed device and current revision history on FortiManager. If there is a difference,
FortiManager creates a new revision history with a new ID number. This option can be used to
resync the FortiGate device with the FortiManager device database. However, when retrieving
a configuration, firewall policy changes need to be imported to the Policy & Objects pane. The
Comments column automatically generates a comment if a retrieve operation is performed.

View Install Log:


You can view the commands sent for a revision ID by selecting the revision ID and clicking
View Install Log. Because there is no rollback when an installation fails, this history is useful: it
shows which commands were sent to and accepted by the device, as well as the commands
that were not accepted. You can also click Download to download this log as a .txt file.

Revision Diff:
You can also compare the differences between the revision histories by clicking Revision Diff.
You can compare the revision history to a previous version, select a specific version, or compare
it to the factory default configuration. In terms of the output, you can choose to show the full
configuration with differences, differences only, or you can capture the differences to a script.
Revision History Lab:
Go to Device Manager > Device & Groups, and select a device group. In the tree menu, select a
device. The content pane displays the device dashboard. In the dashboard, locate the
Configuration and Installation Status widget.

In the Total Revisions row, click the Revision History button. The Configuration Revision History
dialog box is displayed.

Select the revision, and click View Config. The View Configuration pane is displayed. To
download the configuration settings, click Download.
Go to Device Manager > Device & Groups, and select a device group. In the tree menu, select a
device. The content pane displays the device dashboard. In the dashboard, locate the
Configuration and Installation Status widget. In the Total Revisions row, click Revision History.
In the Configuration Revision History dialog box, click Revision Diff.

If you only want to see the differences, click Show Diff Only.

Here the Device Revision Diff shows only the difference, in this case the added DNS configuration,
highlighted in green.
Go to Device Manager > Device & Groups, and select a device group. In the tree menu, select a
device. The content pane displays the device dashboard. In the dashboard, locate the
Configuration and Installation Status widget. In the Total Revisions row, click Revision History.
In the Configuration Revision History dialog box, click View Install Log.

Go to Device Manager > Device & Groups, and select a device group. In the tree menu, select a
device. The content pane displays the device dashboard. In the dashboard, locate the
Configuration and Installation Status widget. In the Total Revisions row, click Revision History.
In the Configuration Revision History dialog box, click Retrieve Config.
Go to Device Manager > Device & Groups, and select a device group. In the tree menu, select a
device. The content pane displays the device dashboard. In the dashboard, locate the
Configuration and Installation Status widget. In the Total Revisions row, click Revision History.
In the Configuration Revision History dialog box, click More to download the factory default
configuration or to import a revision from your computer.

Go to Device Manager > Device & Groups, and select a device group. In the tree menu, select a
device. The content pane displays the device dashboard. In the dashboard, locate the
Configuration and Installation Status widget. In the Total Revisions row, click Revision History.
In the Configuration Revision History dialog box, click More to revert to the selected revision, or
to delete, rename or download the selected revision.
Go to Device Manager > Device & Groups, and select a device group. In the tree menu, select a
device. The content pane displays the device dashboard. In the dashboard, locate the
Configuration and Installation Status widget. Under Device Configuration DB, click View Full Config
to display the database configuration file of the FortiGate unit.

Click View Diff to display the Device Revision Diff dialog box.
Device-Level Settings:
The Device-Level Settings of a managed FortiGate can be viewed and configured from the
toolbar at the top of the Dashboard. You can view or configure interfaces, HA, DNS, and so on.
To configure or view routes, select the Router tab. Most of the settings have a one-to-one
correlation with the device configuration that you would see if you logged in locally using the
FortiGate GUI or CLI. You can click Display Options to customize device tabs at the device level.
Device Level Changes Lab:
Navigate to Device Manager > Device & Groups > Managed FortiGate in the tree menu and select
the device group. The list of devices in the group is displayed. In the left tree menu, click a
device, in this case HQ-FW. The device database is displayed. By default, the Dashboard >
Summary pane is displayed.

Navigate to Device Manager > Device & Groups > Managed FortiGate in the tree menu and select
the device group. The list of devices in the group is displayed. In the left tree menu, click HQ-FW,
then go to System > Interface. The Interface pane is displayed.
In the device database, go to System > SD-WAN. The SD-WAN pane opens. You can use the SD-
WAN pane to configure SD-WAN for a device. When you use the device database to configure
SD-WAN, you are using SD-WAN per-device management.

In the device database, go to System > DHCP Server.


In the device database, go to System > DNS. Here you can change selected Device DNS. Let’s
remove Local Domain Name and apply the changes.

Navigate to Device Manager > Device & Groups > Managed FortiGate in the tree menu and select
the device group. The list of devices in the group is displayed. In the left tree menu, click HQ-FW,
then go to System > Admin Settings, where we can modify the Theme for test purposes.

Similarly, we can make per-device changes to Administrators, Admin Profiles, Log Settings,
Router, Dynamic Routing, Policy Route, Security Profiles, VPN, CLI and so on, just as if we had
logged in to the device locally.
CLI Configurations:
The CLI-Only Objects menu allows you to configure device settings that are normally available
and configured only through the FortiGate CLI. The available options vary according to device,
supported features, and firmware version. Hidden by default, this menu can be enabled in
Display Options. The CLI-Only Objects menu is available in the Device Manager and Policy &
Objects panes.
Managed Device Status:
The FortiManager can indicate whether the FortiGate's configuration file has been modified
and is no longer synchronized with the FortiManager device configuration. It can also indicate
other various conditions. Knowing the overall configuration status of a managed device helps
the administrator identify issues and take appropriate actions from FortiManager.

Synchronized:
The latest Revision History configuration entry whether an Install or Retrieve is aligned with the
configuration on the FortiGate. The latest revision is confirmed as running on the device.

Modified:
Configurations are modified on FortiManager and not synchronized between FortiManager and
the managed device.

Out-of-Sync:
The latest Revision History configuration entry whether an Install or Retrieve does not match
the configuration on the FortiGate. There was either a change done directly on the FortiGate
which has not been Retrieved, or a previous Install which resulted in a verify failure, with
certain configuration settings that were not properly set. The configuration file on the device is
not synchronized with the FortiManager system.

Auto-Updated:
The configuration changes are made directly on FortiGate and the device database is updated
automatically.
Conflict:
If changes are made locally on the FortiGate and are not retrieved, but changes are also made
from FortiManager, the status goes into the Conflict state. Depending on the configuration
changes, you can either retrieve the configuration or install the changes from FortiManager.
The Conflict status can also indicate a failed installation.

Unknown:
The FortiManager is unable to determine the synchronization status, because the FortiGate is
not reachable, or due to an Install Verification Failure. If the Connectivity status is DOWN, the
indicated Sync Status might be incorrect. The FortiManager system is unable to detect which
revision in revision history is currently running on the device. It is recommended that you
perform a retrieve from the FortiManager.

Device Settings Status:


Unmodified:
Nothing changed on device DB and nothing to install.

Modified:
Configuration has changed on device DB and is pending an Install or Retrieve to put it back in
Unmodified status. If Installed, a new Revision History entry will be created.

Auto-Updated:
Configuration was changed directly on the FortiGate, and the changes were automatically
Retrieved to the device DB.

Unknown:
A Device model or Unregistered device is Unknown, since there is no Device DB configuration
stored yet.
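The Revision History and Managed Device Status sections above describe behaviour that is easiest to see end to end: checksums of the running configuration and the device database are compared against the latest revision, and Retrieve, Install and Revert each leave a trace in the revision list. The following is an added Python model of that logic (not FortiManager code; the FortiOS-style configuration snippets and the ManagedDevice class are constructed for illustration).

```python
"""Toy model of the FortiManager revision repository: Retrieve, Install, Revert and
Revision Diff, plus the Synchronized / Modified / Out-of-Sync / Conflict status
derived from checksums. Added illustration, not Fortinet code."""
import difflib
import hashlib
from dataclasses import dataclass


@dataclass
class Revision:
    rev_id: int
    config: str
    checksum: str
    installation: str   # Installation column: Add Device, Install, Retrieve, Revision Revert
    created_by: str     # Created by column: administrator or process
    comment: str = ""


def checksum(config: str) -> str:
    return hashlib.sha256(config.encode()).hexdigest()


class ManagedDevice:
    """Holds the FortiManager device DB, the simulated running config on the
    FortiGate, and the revision history kept for that device."""

    def __init__(self, initial_config: str, admin: str = "admin"):
        self.revisions = []
        self.device_db = initial_config   # FortiManager device database
        self.running = initial_config     # what the FortiGate is actually running
        self._new_revision(initial_config, "Add Device", admin, "initial import")

    def _new_revision(self, config, installation, created_by, comment=""):
        rev = Revision(len(self.revisions) + 1, config, checksum(config),
                       installation, created_by, comment)
        self.revisions.append(rev)
        return rev

    def latest(self) -> Revision:
        return self.revisions[-1]

    def sync_status(self) -> str:
        """Status as shown in Device Manager, derived from the two checksums."""
        device_changed = checksum(self.running) != self.latest().checksum
        db_changed = checksum(self.device_db) != self.latest().checksum
        if device_changed and db_changed:
            return "Conflict"        # changed on FortiGate and on FortiManager
        if device_changed:
            return "Out-of-Sync"     # changed directly on FortiGate, not retrieved
        if db_changed:
            return "Modified"        # changed on FortiManager, not installed
        return "Synchronized"

    def edit_device_db(self, config):   # administrator edits from FortiManager
        self.device_db = config

    def local_change(self, config):     # administrator edits the FortiGate directly
        self.running = config

    def retrieve(self, admin="admin"):
        """Retrieve Config: new revision only if the running config differs."""
        if checksum(self.running) == self.latest().checksum:
            return None
        self.device_db = self.running   # resync device DB with the FortiGate
        return self._new_revision(self.running, "Retrieve", admin,
                                  "auto: retrieved from device")

    def install(self, admin="admin"):
        """Install: push the device DB and record it as a new revision."""
        self.running = self.device_db
        if checksum(self.device_db) == self.latest().checksum:
            return None
        return self._new_revision(self.device_db, "Install", admin)

    def revert(self, rev_id):
        """Revert: device DB goes back to rev_id; install still required."""
        rev = self.revisions[rev_id - 1]
        rev.installation = "Revision Revert"
        self.device_db = rev.config
        return rev

    def revision_diff(self, old_id, new_id, diff_only=True):
        """Revision Diff: 'Show Diff Only' output (changed lines) or full ndiff."""
        old = self.revisions[old_id - 1].config.splitlines()
        new = self.revisions[new_id - 1].config.splitlines()
        if diff_only:
            return [l for l in difflib.unified_diff(old, new, lineterm="", n=0)
                    if l[:1] in ("+", "-") and not l.startswith(("+++", "---"))]
        return list(difflib.ndiff(old, new))


# Constructed FortiOS-style configuration revisions for the walkthrough.
BASE_CONFIG = ("config system dns\n    set primary 208.91.112.53\n"
               "    set secondary 208.91.112.52\nend\n")
DB_EDIT = BASE_CONFIG.replace("end\n", '    set domain "lab.local"\nend\n')
LOCAL_EDIT = DB_EDIT.replace("208.91.112.53", "10.0.1.53")


def walkthrough():
    """Runs the sequence described in the text; returns the device and the status after each step."""
    dev = ManagedDevice(BASE_CONFIG)
    trail = [("add device", dev.sync_status())]            # Synchronized
    dev.edit_device_db(DB_EDIT)
    trail.append(("edit device db", dev.sync_status()))    # Modified
    dev.install()                                          # rev 2, Install
    trail.append(("install", dev.sync_status()))           # Synchronized
    dev.local_change(LOCAL_EDIT)
    trail.append(("local change", dev.sync_status()))      # Out-of-Sync
    dev.edit_device_db(BASE_CONFIG)
    trail.append(("both changed", dev.sync_status()))      # Conflict
    dev.retrieve()                                         # rev 3, Retrieve
    trail.append(("retrieve", dev.sync_status()))          # Synchronized
    dev.revert(2)
    trail.append(("revert", dev.sync_status()))            # Modified
    dev.install()                                          # rev 4, copy of rev 2
    trail.append(("install revert", dev.sync_status()))    # Synchronized
    return dev, trail
```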
Policy and Objects Management:
You can create multiple policy packages in a single ADOM. FortiManager allows you to
customize policy packages for each device or VDOM in a specific ADOM. You can point these
policy packages to a single device, multiple devices, all devices, a single VDOM, multiple
VDOMs, or all devices in a single ADOM. FortiManager helps simplify provisioning of new
devices, ADOMs, or VDOMs by allowing you to copy or clone existing policy packages. By
defining the scope of a policy package, an administrator can modify or edit the policies in that
package, without changing other policy packages.

Policy Package:
Policy Packages simplify centralized firewall policy management by providing a useful container
for your Firewall rule set. Policy packages contain Firewall policies which, in turn, link to the
objects you define on the Object Configuration pane. Objects share the common object
database for each ADOM. You can share objects among multiple policy packages in the ADOM.
You can manage a common policy package for many devices in an ADOM, or have a separate
policy package for each device. Policy packages allow you to maintain multiple versions of the
rule set. You can clone a policy package before you make changes, which allows you to preserve
the previous rule set.

Objects:
All objects in an ADOM are managed by a single database that is unique to that ADOM. Objects
inside the database include firewall objects, security profiles, users, and devices. Objects are
shared in the ADOM and can be used among multiple policy packages. This simplifies the job of
the administrator: you can create a security profile once and attach it to multiple policy
packages for installation on multiple FortiGate devices. To create or edit an object, in
Object Configurations, select the object type from the menu on the left side of the screen.

Policy Folder:
Policy Folders help you manage your policy packages. You can customize policies based on
organization, geography, security requirements, or legal requirements, and organize policies in
specific policy folders. You can create new policy sub-folders in policy folders to help you better
organize your policy packages.

Installation Targets:
A policy package has an installation target of one or more devices or VDOMs. Policy packages
can share the same installation target; however, only one policy package can be active on a
device or VDOM. The active policy package is listed on the Device Manager pane. You can add,
edit, or delete an installation target on the Installation Targets pane. So, by using installation
targets, you can share a policy package among multiple devices and still define rules per device
within the policy.
Installation Target Per Policy:
If you need to share a policy package among many devices, with the exception of only a few
policies for specific FortiGate devices, you can set granular installation targets per rule in the
policy by clicking the Install On column. This allows you to target devices to add, remove, or
set to defaults.

Dynamic Objects:
All objects in an ADOM are managed by a single database unique to the ADOM. Many objects
now include the option to enable dynamic mapping. You can use dynamic objects to map a
single logical object to a unique definition per device. You can dynamically map common
features such as addresses, interfaces, virtual IPs, and IP pools. A common example is a firewall
address. You may have a common name for an address object, but have a different value
depending on the device it is installed on.

Normalized Interface:
Normalized interfaces enable you to reference different interfaces on a per-device or per
platform basis. The goal is to be able to share objects, such as firewall policies, across multiple
devices with different interface configurations. When FortiManager installs objects that
reference a normalized interface, it reads the configured mapping rules, and then assigns the
mapped interface to the pushed configuration of each target device. Default normalized
interfaces are created when ADOMs are created. Default normalized interfaces contain a
number of per-platform mapping rules for all FortiGate models. You can map normalized
interface names to different physical interface names on different FortiGate models.

Used Objects:
On FortiManager, it is possible to delete a used object. FortiManager displays a warning
message stating that the object is currently used by other firewall policies or objects. To view
the references to this object, click Where Used. If you delete a used object anyway,
FortiManager replaces it with a none object. The none object is equal to null, which means
any traffic that would have matched that firewall policy will be blocked, unless there is a broader
policy that still matches the traffic or a policy defined to allow all traffic (catch-all). You should
double-check all references to objects before deleting them, to avoid unintended firewall policy
behavior.

Unused Objects:
Find Unused Objects is a built-in GUI tool available to administrators to help you locate all
unused firewall objects in the FortiManager ADOM object database. Find Unused Objects
searches all types of firewall objects and displays the results in a pop-up window. You can
delete unused objects directly in the Unused Objects pop-up window. This removes the selected
objects from the FortiManager ADOM object database.
Policy Check:
The policy check tool allows you to check all policy packages within an ADOM to ensure
consistency and eliminate conflicts that may prevent your devices from passing traffic. This
allows you to optimize your policy sets and potentially reduce the size of your databases. Running
a Policy Check on a policy package identifies policies that are shadowed and are therefore
redundant, because they will never match traffic. This helps you optimize firewall rules and
potentially reduce the size of the policy package database. The Policy Check verifies Object
Duplication, Object Shadowing, Object Overlap and Object Orphaning:
1. Object Duplication: Two objects that have identical definitions.
2. Object Shadowing: A higher-priority object completely covers another object of the same type.
3. Object Overlap: One object partially overlaps another object of the same type.
4. Object Orphaning: An object has been defined but has not been used anywhere.
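To make the four findings concrete, here is an added Python example (not FortiManager's implementation) that applies the same checks to a constructed ADOM address database and a small policy package: address objects are compared as IP networks, and a later policy is shadowed when an earlier one covers its source, destination and service completely. Object and policy names are constructed for the example.

```python
"""The four Policy Check findings (Object Duplication, Shadowing, Overlap,
Orphaning) worked on a constructed ADOM object database and policy package.
Added illustration, not FortiManager's own implementation."""
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed address objects (Object Configurations > Firewall Objects > Address).
ADDRESSES = {
    "all": ip_network("0.0.0.0/0"),
    "LAN-Subnet": ip_network("10.0.0.0/8"),
    "HQ-LAN": ip_network("10.0.1.0/24"),
    "HQ-LAN-copy": ip_network("10.0.1.0/24"),     # same definition as HQ-LAN
    "Servers": ip_network("10.0.1.128/25"),
    "Guest-WiFi": ip_network("192.168.50.0/24"),  # defined but never referenced
}


@dataclass(frozen=True)
class Policy:
    policyid: int
    srcaddr: str
    dstaddr: str
    service: frozenset          # service names; "ALL" matches every service
    action: str = "accept"


# Constructed policy package in FortiGate evaluation order (top to bottom).
POLICIES = [
    Policy(1, "HQ-LAN", "all", frozenset({"HTTPS"})),
    Policy(2, "LAN-Subnet", "all", frozenset({"ALL"})),
    Policy(3, "Servers", "all", frozenset({"HTTP", "HTTPS"})),
    Policy(4, "HQ-LAN-copy", "Servers", frozenset({"SSH"})),
]


def service_covers(a, b):
    return "ALL" in a or b <= a


def service_intersects(a, b):
    return "ALL" in a or "ALL" in b or bool(a & b)


def policy_covers(p, q, addrs) -> bool:
    """True when every packet that matches q would already have matched p."""
    return (addrs[p.srcaddr].supernet_of(addrs[q.srcaddr])
            and addrs[p.dstaddr].supernet_of(addrs[q.dstaddr])
            and service_covers(p.service, q.service))


def policy_intersects(p, q, addrs) -> bool:
    return (addrs[p.srcaddr].overlaps(addrs[q.srcaddr])
            and addrs[p.dstaddr].overlaps(addrs[q.dstaddr])
            and service_intersects(p.service, q.service))


def find_duplicates(addrs) -> list:
    """Object Duplication: object names whose definitions are identical."""
    by_definition = {}
    for name, net in addrs.items():
        by_definition.setdefault(net, []).append(name)
    return [sorted(names) for names in by_definition.values() if len(names) > 1]


def find_shadowed(policies, addrs) -> dict:
    """Object Shadowing: a later policy fully covered by an earlier one never
    matches traffic. Returns {shadowed policyid: covering policyid}."""
    shadowed = {}
    for i, q in enumerate(policies):
        for p in policies[:i]:
            if policy_covers(p, q, addrs):
                shadowed[q.policyid] = p.policyid
                break
    return shadowed


def find_overlaps(policies, addrs) -> list:
    """Object Overlap: two policies share traffic but neither covers the other."""
    pairs = []
    for i, p in enumerate(policies):
        for q in policies[i + 1:]:
            if (policy_intersects(p, q, addrs) and not policy_covers(p, q, addrs)
                    and not policy_covers(q, p, addrs)):
                pairs.append((p.policyid, q.policyid))
    return pairs


def find_orphans(policies, addrs) -> list:
    """Object Orphaning: address objects not referenced by any policy."""
    used = {p.srcaddr for p in policies} | {p.dstaddr for p in policies}
    return sorted(set(addrs) - used)


def policy_check(policies, addrs) -> dict:
    return {"duplicates": find_duplicates(addrs),
            "shadowed": find_shadowed(policies, addrs),
            "overlaps": find_overlaps(policies, addrs),
            "orphans": find_orphans(policies, addrs)}


if __name__ == "__main__":
    for finding, result in policy_check(POLICIES, ADDRESSES).items():
        print(f"{finding}: {result}")
```

In the constructed package, policy 2 (LAN-Subnet, ALL) shadows both policy 3 and policy 4, so those would never match traffic on the FortiGate, which is exactly what the Policy Check reports.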

Clone Policy Package:


To clone a policy package, select the policy package, and then, in the Policy Package drop-down
list, click Clone Package. Because the policy package is a clone, it has the same installation
target as the original policy package, but you can edit this. You can also copy a policy from one
policy package to another policy package within the same ADOM. You should not point more
than one policy package at a target, because that increases the chance of user error.
Dynamic Object & Interface Lab:
Choose the right ADOM, then navigate to Policy & Objects.

Click Object Configurations > Firewall Objects > Address, then click Create New > Address.

Set the address name, color and so on. Set IP/Netmask to 10.0.0.0/8 and toggle on Per-Device
Mapping. With Per-Device Mapping on, click Create New, select HQ-FW from the drop-down in
the Mapped Device field, set IP/Netmask to 10.0.1.0/24 and click OK.

Click Create New, select DC-FW from the drop-down in the Mapped Device field, set IP/Netmask
to 10.0.2.0/24 and click OK.

Click Create New, select BR-FW from the drop-down in the Mapped Device field, set IP/Netmask
to 10.0.3.0/24 and click OK.
The icon of the LAN-Subnet object has changed to indicate that it is now a dynamic object with a
per-device mapping.

Select the correct ADOM, then go to Policy & Objects.
Click Object Configurations > Normalized Interface > Normalized Interface, then click Create
New. Enter LAN as the name and change the color if you want.
Toggle on Per-Device Mapping and click Create New.
In the Per-Device Mapping dialog box, select HQ-FW as the Mapped Device, select port3 as the
Mapped Interface Name, and click OK.
Repeat for DC-FW, mapping port3, and for BR-FW, mapping port2.
The LAN dynamic normalized interface now maps to a different physical port on each device, so
one policy can reference LAN and install with the correct interface on every FortiGate.
Similarly, create the WAN1 and WAN2 dynamic normalized interfaces.
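The same per-device mapping can be created through FortiManager's JSON-RPC API instead of the GUI, which is how the lab's object would be built from an automation pipeline. The block below is an added example, not Fortinet code: it builds the login request and the "add" request for the LAN-Subnet object with its three mappings, shows what each device would resolve the object to, and applies a sanity check of my own (mapped subnets should sit inside the default). The `/jsonrpc` endpoint, `/sys/login/user`, the `/pm/config/adom/.../obj/firewall/address` URL and the `dynamic_mapping` / `_scope` field names are as I understand the FortiManager JSON API; the ADOM name "root" and VDOM "root" are assumptions. Nothing is sent unless you call `send()` yourself against a real host.

```python
import json
import urllib.request
from ipaddress import ip_network
from typing import Dict, List

ADOM = "root"  # assumption: the ADOM the lab works in
VDOM = "root"  # assumption: mappings are scoped to each device's root VDOM


def cidr_to_subnet(cidr: str) -> List[str]:
    """FortiManager expresses an ipmask address as ["network", "netmask"], not CIDR."""
    n = ip_network(cidr, strict=False)
    return [str(n.network_address), str(n.netmask)]


def login_payload(user: str, passwd: str) -> dict:
    """exec /sys/login/user; the reply carries the session token used by later calls."""
    return {"id": 1, "method": "exec",
            "params": [{"url": "/sys/login/user", "data": {"user": user, "passwd": passwd}}]}


def dynamic_address_payload(name: str, default_cidr: str, mappings: Dict[str, str],
                            session: str = "SESSION-TOKEN") -> dict:
    """JSON-RPC 'add' for a firewall address with one dynamic_mapping entry per device."""
    data = {
        "name": name,
        "type": "ipmask",
        "subnet": cidr_to_subnet(default_cidr),   # what any unmapped device receives
        "dynamic_mapping": [
            {"_scope": [{"name": dev, "vdom": VDOM}], "subnet": cidr_to_subnet(cidr)}
            for dev, cidr in mappings.items()
        ],
    }
    return {"id": 2, "method": "add", "session": session,
            "params": [{"url": f"/pm/config/adom/{ADOM}/obj/firewall/address", "data": data}]}


def resolve_for_device(payload: dict, device: str) -> List[str]:
    """What a given FortiGate gets at install time: its own mapping, else the default."""
    data = payload["params"][0]["data"]
    for m in data["dynamic_mapping"]:
        if any(s["name"] == device for s in m["_scope"]):
            return m["subnet"]
    return data["subnet"]


def mappings_outside_default(payload: dict) -> List[str]:
    """My own sanity check, not a FortiManager rule: devices whose mapped subnet is not
    inside the default, since a reviewer reading the default value would be misled."""
    data = payload["params"][0]["data"]
    default = ip_network("/".join(data["subnet"]))
    return [m["_scope"][0]["name"] for m in data["dynamic_mapping"]
            if not ip_network("/".join(m["subnet"])).subnet_of(default)]


def send(host: str, payload: dict, timeout: int = 30) -> dict:
    """POST to the JSON-RPC endpoint. TLS verification stays on: whoever intercepts
    this call gets the session token, and with it every managed firewall."""
    req = urllib.request.Request(f"https://{host}/jsonrpc", data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


# The lab's mappings: HQ-FW, DC-FW and BR-FW each get their own /24 under 10.0.0.0/8.
LAB_MAPPINGS = {"HQ-FW": "10.0.1.0/24", "DC-FW": "10.0.2.0/24", "BR-FW": "10.0.3.0/24"}


def build_lab_payload() -> dict:
    return dynamic_address_payload("LAN-Subnet", "10.0.0.0/8", LAB_MAPPINGS)


if __name__ == "__main__":
    print(json.dumps(build_lab_payload(), indent=2))
```

The session token returned by the login call is a bearer credential for the whole FortiManager; treat it like the admin password (short-lived session, no logging of request bodies, and a logout call when the run finishes).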
Shared Policy Lab:
Select the correct ADOM, then go to Policy & Objects.
In the Policy Package menu at the top, choose New.
Enter the name, in this case Dynamic-Policy, and click OK.
The Dynamic-Policy package now appears in the tree menu on the left.
Expand the policy package, click Firewall Policy, then click Create New.
Create a firewall rule that references the dynamic normalized interfaces as the Incoming and
Outgoing interfaces and the dynamic firewall address object as the Source Address. Because both
are resolved per device, the same rule installs with the correct ports and subnets on every
FortiGate.
Go to Policy & Objects > Policy Packages, locate the Dynamic-Policy package, select Installation
Targets, click Edit, and in Edit Installation Targets select the FortiGates to assign.
All three FortiGates are now assigned to the Dynamic-Policy package. To apply it, click Install on
the Policy & Objects > Policy Packages page; the Install Wizard starts.
In the Install Wizard dialog box, select Install Policy Package and Device Settings, choose the
correct policy package from the drop-down, and click Next.
In the Install Wizard - Policy Package dialog box, make sure all applicable FortiGates are
selected and click Next.
On the next page, make sure the policy check reports no errors and the applicable FortiGates are
selected, then click Install.
Finally, check that the package was applied with no errors and click Finish. The same policy
package is now installed on all three FortiGates from FortiManager.
Policy and Objects Other Options:
The Policy Package menu also offers the following options:
1. Clone Policy Package
2. Create New Folder
3. Move Policy Packages
4. Edit Policy Packages
5. Delete Policy Packages
6. Policy Check
7. Run Script
8. Unused Objects
9. Duplicate Objects
10. Unused Policies
11. Refresh Hit Counts
12. Display Options
ADOM Revision:
An ADOM revision saves the policy packages and objects locally on FortiManager. ADOM revision
history lets you keep revisions of the policy packages, objects, and VPN console settings in an
ADOM; each revision is a snapshot of the policy and object configuration for that ADOM. You can
create a new ADOM revision, view the differences between revisions, or revert to a specific
revision. Reverting to a revision reverts all policy packages and objects in the ADOM to that
revision, so take a fresh revision first if you may need to undo the revert. ADOM revisions can
significantly increase the size of the configuration backup.
Separately from revisions, each ADOM is associated with a specific FortiOS version, based on the
firmware version of the devices managed in that ADOM. You must upgrade all FortiGate devices in
an ADOM to the new FortiOS version before you can upgrade the ADOM version. When you upgrade
FortiGate devices, it is best to keep them in the same ADOM and use the ADOM upgrade.
Create ADOM Revision:
Go to Policy & Objects and click ADOM Revisions. The ADOM Revisions dialog box opens.
Click Create New. The Create New Revision dialog box opens. Type a name for the revision in the
Name field and, optionally, a description in the Comment field. To prevent the revision from
being deleted automatically, select Lock this revision from auto deletion. Click OK to create the
new ADOM revision.
Configure Automatic Deletion:
Open the ADOM Revisions dialog box and click Settings.
Select Auto delete revision to enable automatic deletion of revisions, then select one of the two
options:
Keep last x revisions: keep only the entered number of revisions, deleting the oldest revision
when a new one is created.
Delete revisions older than x days: delete all revisions older than the entered number of days.
Click OK to apply the changes.
Restore ADOM Revision:
Before restoring, make a small change so that there is something to revert: enable logging on
the Implicit Deny rule of BR-FW.
Open the ADOM Revisions window, select a revision, and click Restore.
A dialog box asks whether to create a new ADOM revision before the restore; click OK so that the
current state is captured. The Restore Revision dialog box opens. Restoring a revision reverts
the policy packages, objects and VPN console to the selected revision. Click OK to continue.
The change has been reverted: the logging you enabled on the Implicit Deny rule is no longer
present.
Edit, Delete, Lock, Unlock & Revision Diff:
To edit an ADOM revision, open the ADOM Revisions dialog box, select a revision, and click Edit.
The Edit Revision dialog box opens. Edit the revision details as required and click OK to apply
your changes.
To delete ADOM revisions, open the ADOM Revisions dialog box, select a revision, and click
Delete. You can select multiple revisions by selecting the checkbox beside each one. Click OK in
the confirmation dialog box to delete the selected revisions.
To lock or unlock an ADOM revision, open the ADOM Revisions window, select a revision, and select
Lock or Unlock from the More menu. Alternatively, edit the revision and select or clear the Lock
this revision from auto deletion checkbox in the Edit ADOM Revision dialog box.
To view the differences between ADOM revisions, open the ADOM Revisions window, select a
revision, and click View Revision Diff. The Revision Diffs Between dialog box opens.
VPN Manager:
The VPN Manager pane on FortiManager is the convenient way to deploy a complex VPN topology,
such as hub and spoke, that involves multiple FortiGate devices. The configured IPsec tunnels can
then be used as overlay links in SD-WAN. VPN Manager reduces the administrative overhead while
ensuring that the phase 1 and phase 2 settings match across all devices, which is what the
tunnels need in order to come up. VPN Manager is disabled by default; you must enable it per
ADOM. When you use VPN Manager, the settings are stored as objects in the object database, and
you push the IPsec VPN settings to one or more devices by installing a policy package.

VPN Community:
The first step in configuring a VPN topology with VPN Manager is to create a VPN community. A
VPN community is a group of IPsec gateways that share the same phase 1 and phase 2 settings. The
goal is to simplify configuration and avoid mismatches when the devices in the community try to
establish tunnels among themselves. When you configure a VPN community, you define the common
phase 1 and phase 2 settings used by every device in it.
For SD-WAN, you must disable the VPN Zone setting. Otherwise, FortiManager places the IPsec
tunnels inside interface zones, and because SD-WAN does not accept interface zones as members,
you could not use the tunnels as overlays.
FortiManager supports three types of communities; IPsec VPN communities are also sometimes
called VPN topologies.
Full Meshed:
Each gateway has a tunnel to every other gateway. This is the site-to-site WAN topology in which
each network device is connected to every other device through a dedicated link.
Star:
Each gateway has one tunnel to a central hub gateway; each FortiGate is defined as either a hub
or a spoke. Hub and spoke is a one-to-multipoint topology: all spokes connect through the central
hub, so any traffic from one branch office to another must transit the hub.
Dial up:
Like the star topology, except that tunnels are always initiated from the dial-up clients to the
dial-up server. A dial-up client is a FortiGate device with a dynamic IP address; the dial-up
server has a fixed, fully reachable IP address. The tunnel must therefore be initiated from the
remote device.

Gateway:
The next step is to add gateways to the community. A VPN gateway functions as one end of a VPN
tunnel. It receives incoming IPsec packets, decrypts the encapsulated data packets, and passes
them to the local network. It also encrypts, encapsulates, and sends IPsec packets to the gateway
at the other end of the tunnel. The IP address of a VPN gateway is usually the IP address of the
network interface that connects to the Internet. There are two types of gateway:
Managed Gateway:
Managed gateways are FortiGate devices in the current ADOM. FortiManager pushes the settings to
all managed gateways during installation. When you create a new managed gateway, FortiManager
displays a wizard that walks you through the configuration.
External Gateway:
External gateways are VPN gateways that are third-party devices or FortiGate devices in a
different ADOM. The administrator must manually apply the VPN configuration on external
gateways.
VPN Security Policies:
An IPsec security policy enables the transmission and reception of encrypted packets, specifies
the permitted direction of VPN traffic, and selects the VPN tunnel. In most cases only a single
policy is needed to control both inbound and outbound IP traffic through a VPN tunnel.
For a route-based VPN, you create two security policies between the virtual IPsec interface and
the interface that connects to the private network. In one policy the virtual interface is the
source; in the other it is the destination. The Action for both policies is Accept. Together
they allow traffic to flow in both directions over the VPN. Keep the source and destination
addresses limited to the protected subnets rather than all, so that the tunnel does not become
an unintended path into the LAN.
For a policy-based VPN, one security policy enables communication in both directions. You must
select IPSEC as the Action and then select the VPN tunnel dynamic object you have mapped to the
phase 1 settings. You can then enable inbound and outbound traffic as needed within that policy,
or create multiple policies of this type to handle different types of traffic differently.
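What a VPN community buys you is that every gateway's phase 1 and phase 2 are derived from one definition, so they cannot drift apart. The block below is an added example, not VPN Manager's output, that makes this concrete for the star community and the three lab gateways: it renders FortiOS-style phase1-interface/phase2-interface blocks for each device from a single community object (the hub gets one tunnel per spoke, each spoke one tunnel to the hub), then parses the rendered text back and pairs each tunnel with its far end by remote gateway to report any setting that differs. Interfaces, public addresses and protected subnets are the lab's; the proposal, DH group, IKE version and the placeholder PSK are assumptions, and the rendered CLI is illustrative rather than a byte-exact copy of what FortiManager installs.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Community:
    name: str
    ike_version: int
    proposal: str   # one proposal for both phases, to keep the example short
    dhgrp: int
    psk: str        # placeholder; a real deployment uses a managed secret or certificates

@dataclass(frozen=True)
class Gateway:
    device: str
    role: str        # "hub" or "spoke"
    interface: str   # internet-facing VPN interface
    public_ip: str
    protected: str   # "network netmask"

def peers_of(me: Gateway, gws: List[Gateway]) -> List[Gateway]:
    """Star: the hub peers with every spoke; a spoke peers only with the hub."""
    return [g for g in gws if g is not me and (me.role == "hub" or g.role == "hub")]

def render_device(c: Community, me: Gateway, gws: List[Gateway]) -> str:
    """FortiOS-style phase1/phase2 for one device, derived only from the community."""
    p1, p2 = [], []
    for peer in peers_of(me, gws):
        t = f"{c.name}-{peer.device}"
        p1.append("\n".join([
            f'    edit "{t}"',
            f'        set interface "{me.interface}"',
            f"        set ike-version {c.ike_version}",
            f"        set proposal {c.proposal}",
            f"        set dhgrp {c.dhgrp}",
            f"        set remote-gw {peer.public_ip}",
            f"        set psksecret {c.psk}",
            "    next"]))
        p2.append("\n".join([
            f'    edit "{t}"',
            f'        set phase1name "{t}"',
            f"        set proposal {c.proposal}",
            f"        set dhgrp {c.dhgrp}",
            f"        set src-subnet {me.protected}",
            f"        set dst-subnet {peer.protected}",
            "    next"]))
    return ("config vpn ipsec phase1-interface\n" + "\n".join(p1) + "\nend\n"
            + "config vpn ipsec phase2-interface\n" + "\n".join(p2) + "\nend\n")

def parse_phase1(cfg: str) -> Dict[str, Dict[str, str]]:
    """Read the 'set k v' lines of each phase1 edit block back, keyed by tunnel name."""
    tunnels, cur, inside = {}, None, False
    for line in cfg.splitlines():
        s = line.strip()
        if s == "config vpn ipsec phase1-interface":
            inside = True
        elif s == "end":
            inside, cur = False, None
        elif inside and s.startswith("edit "):
            cur = s.split('"')[1]
            tunnels[cur] = {}
        elif inside and cur and s.startswith("set "):
            k, v = s[4:].split(" ", 1)
            tunnels[cur][k] = v.strip('"')
    return tunnels

CHECKED = ("ike-version", "proposal", "dhgrp")

def check_consistency(configs: Dict[str, str], gws: List[Gateway]) -> List[Tuple[str, str, str]]:
    """Pair every tunnel with its far end via remote-gw and report settings that differ."""
    ip_to_dev = {g.public_ip: g.device for g in gws}
    parsed = {dev: parse_phase1(cfg) for dev, cfg in configs.items()}
    problems = set()
    for dev, tunnels in parsed.items():
        my_ip = next(g.public_ip for g in gws if g.device == dev)
        for mine in tunnels.values():
            far_dev = ip_to_dev[mine["remote-gw"]]
            far = next(t for t in parsed[far_dev].values() if t["remote-gw"] == my_ip)
            for key in CHECKED:
                if mine.get(key) != far.get(key):
                    a, b = sorted((dev, far_dev))
                    problems.add((a, b, key))
    return sorted(problems)

# Lab values: interfaces, public addresses and protected subnets from the walkthrough.
COMMUNITY = Community("STAR", 2, "aes256-sha256", 14, "ChangeMe-PSK")
GATEWAYS = [
    Gateway("HQ-FW", "hub", "port1", "192.168.1.1", "10.0.1.0 255.255.255.0"),
    Gateway("DC-FW", "spoke", "port1", "192.168.3.1", "10.0.2.0 255.255.255.0"),
    Gateway("BR-FW", "spoke", "port1", "192.168.5.1", "10.0.3.0 255.255.255.0"),
]

def render_all(c: Community = COMMUNITY, gws: List[Gateway] = GATEWAYS) -> Dict[str, str]:
    return {g.device: render_device(c, g, gws) for g in gws}
```

Generated from one community, `check_consistency(render_all(), GATEWAYS)` is empty; hand-edit one spoke's DH group and the same check names the pair and the setting that no longer agree, which is exactly the class of error a community is meant to rule out. The same pairing logic is a reasonable post-install check against the phase1 configuration read back from each FortiGate.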

Map View:
Displays IPsec VPN tunnels on an interactive world map (Google Maps). Select a specific community
from the tree menu to show only that community's tunnels. Hovering the cursor over a connection
highlights it and shows the gateway, ADOM, and city names for each end of the tunnel.

Monitor:
Displays a list of IPsec VPN tunnels. Go to VPN Manager > Monitor to view the list; from this pane
you can also bring tunnels up or down. Select a specific community from the tree menu to show
only that community's tunnels.

SSL-VPN:
Use the VPN Manager > SSL-VPN pane to create, monitor, and manage SSL-VPN settings, and to
create, edit, and delete SSL-VPN portal profiles.
VPN Setup:
Create VPN Community:
You can create Full-Meshed, Star, and Dial-Up IPsec VPN communities (also called VPN
topologies). Here we create a Star topology with one hub and two spokes:
Go to VPN Manager > IPsec VPN.
In the toolbar, click Create New. The VPN Topology Setup Wizard dialog appears. Enter a name for
the topology, select Star in the Choose VPN topology field, and click Next.
Configure Phase 1 and Phase 2 according to your requirements; these settings are shared by every
gateway in the community.
Once Phase 1 and Phase 2 are configured, click OK.
Create IPSEC VPN Gateways:
A VPN gateway is one end of a tunnel (see Gateway above). Go to VPN Manager > IPsec VPN. In the
tree menu, click IPsec; in the toolbar, click Create New > Managed Gateway.
The VPN Gateway Setup Wizard - IPsec dialog appears. Select a Protected Subnet and click OK. If
the object does not exist yet, click the plus icon to create it.
Create the HQ subnet object, 10.0.1.0/24.
Create the DC subnet object, 10.0.2.0/24.
Create the BR subnet object, 10.0.3.0/24.
Create HUB HQ-FW:
Select the Protected Subnet (the HQ subnet) and click OK.
Set the Role field to Hub and click Next.
The Default VPN Interface is usually the internet-facing interface, in this case port1; click
Next.
Set the Local Gateway to the public IP address of the internet-facing interface, 192.168.1.1.
Under Routing, choose the Automatic option and click OK.
Create SPOKE-1 DC-FW:
The VPN Gateway Setup Wizard - IPsec dialog appears. Select the Protected Subnet (the DC subnet)
and click OK.
Set the Role field to Spoke this time, choose DC-FW from the drop-down, and click Next.
The Default VPN Interface is again the internet-facing interface, port1; click Next.
Set the Local Gateway to the public IP address of the internet-facing interface, 192.168.3.1.
Under Routing, choose the Automatic option and click OK.
Create SPOKE-2 BR-FW:
The VPN Gateway Setup Wizard - IPsec dialog appears. Select the Protected Subnet (the BR subnet)
and click OK.
Set the Role field to Spoke, choose BR-FW from the drop-down, and click Next.
The Default VPN Interface is again the internet-facing interface, port1; click Next.
Set the Local Gateway to the public IP address of the internet-facing interface, 192.168.5.1.
Under Routing, choose the Automatic option and click OK.
Finally, one hub and two spokes are created.
Apply VPN Configuration:
Install the VPN configuration on the hub and the spokes one by one with the Install Wizard.
Follow the wizard: choose Install Policy Package & Device Settings, choose HQ-FW from the
drop-down, and click Next to continue.
Click Next to continue.
Click Install to push the changes from FortiManager to the FortiGate.
Repeat the Install Wizard for Spoke-1 DC-FW and Spoke-2 BR-FW.
Normalized Interface:
Create three normalized interfaces for the tunnel interfaces that VPN Manager creates on the
devices: IPSEC (the spokes' tunnel to the hub), IPSEC-TO-DC and IPSEC-TO-BR (the hub's tunnels
to DC-FW and BR-FW). For each one: go to Policy & Objects > Object Configurations > Normalized
Interface > Normalized Interface and click Create New. The Create New Normalized Interface pane
is displayed. Enter the name, then add a per-device mapping: click Create New, and in the Create
new Per-Device Mapping dialog box select the device and its IPsec tunnel interface.
VPN Firewall Policies:
Go to Policy & Objects > Policy Packages. Click the BR-FW Firewall Policy and click Create New.
Create three policies: LAN to VPN, VPN to LAN, and LAN to Internet.
Do the same for the DC-FW Firewall Policy: three policies, LAN to VPN, VPN to LAN, and LAN to
Internet.
Then click the HQ-FW Firewall Policy and create four policies.
Install Policies:
Go to Device Manager > Device & Groups. In the toolbar, click Install Wizard and follow the steps
to install the policy package. Afterwards, go to Device Manager > Device & Groups, click Managed
Devices in the tree menu, and confirm that a check mark appears in the Policy Package Status
column next to the package you installed.
Monitoring and Verification:
To monitor the devices, go to Device Manager > Device & Groups > Managed FortiGate. Right-click
each device in turn and click Edit.
Type the location in the Map field and click OK.
Repeat the same steps for the other two firewalls, HQ-FW and BR-FW.
VPN Monitor:
Go to Device Manager > Monitors > VPN Monitor. The map view of traffic for all communities is
displayed.
In the toolbar, select Show Table. A table of information is displayed under the map.
You can also monitor from VPN Manager > IPsec VPN > VPN Communities > Map View.
Finally, log in read-only to each of the three firewalls to verify that the configuration has
been pushed. On HQ-FW, go to Policy & Objects > Firewall Policy.
Go to VPN > IPsec Tunnels to verify that the tunnel configuration has been applied.
Go to Network > Static Routes: the routes have been created and pushed from FortiManager.
VPN logs can also be checked under Log & Report > Events > VP
