Virtual Lab Basics
FortiManager 5.4.2
Lab Guide
for FortiManager 5.4.2
We would like to acknowledge the following major contributors: Simon Cao and Claudio Capone
Fortinet, FortiGate, and FortiGuard are registered trademarks of Fortinet, Inc. in the U.S. and other
jurisdictions, and other Fortinet names herein may also be trademarks, registered or otherwise, of
Fortinet. All other product or company names may be trademarks of their respective owners. Copyright
© 2002 - 2017 Fortinet, Inc. All rights reserved. Contents and terms are subject to change by Fortinet
without prior notice. No part of this publication may be reproduced in any form or by any means or
used to make any derivative such as translation, transformation, or adaptation without permission from
Fortinet, Inc., as stipulated by the United States Copyright Act of 1976.
Table of Contents
Logging In
Disconnections/Timeouts
Objectives
Prerequisites
Objectives
Enabling ADOMs
Objectives
Objectives
Viewing Auto Update, Revision History, and Install Log for Remote-FortiGate (Optional)
Log View
Install Wizard
6 Scripts
Objectives
Objectives
Objectives
Prerequisites
Objectives
Note: If your trainer asks you to use a different lab, such as devices physically located in
your classroom, please ignore this section. This applies only to the virtual lab accessed
through the Internet. If you do not know which lab to use, please ask your trainer.
Network Topology
Lab Environment
Fortinet's virtual lab for hands-on exercises is hosted in remote datacenters, giving each student their
own training lab environment, or PoD (point of delivery).
System Checker
Before starting any class, check if your computer can successfully connect to the remote datacenters.
The System Checker verifies that your network connection and your web browser are able to connect
reliably to the virtual lab.
You do not have to be logged into the lab portal in order to perform the System Checker.
If your computer successfully connects to the virtual lab, the Browser Check and Network
Connection Check each display a check mark icon. You can then proceed to log in.
If any of the tests fail:
Browser Check: This affects your ability to access the virtual lab environment.
Network Connection Check: This affects the usability of the virtual lab environment.
For solutions, click the Support Knowledge Base link or ask your trainer.
Logging In
Once you confirm your system can successfully run the labs through System Checker, you can
proceed to log in.
https://remotelabs.training.fortinet.com/
https://virtual.mclabs.com/
2. If prompted, select the time zone for your location, and then click Update.
This ensures that your class schedule is accurate.
3. Click Enter Lab.
Your system dashboard will appear, listing the virtual machines in accordance with your lab
topology.
4. From this page, open a connection to any virtual appliance by doing one of the following:
Click the device’s square (thumbnail)
Select Open from the System drop-down list associated to the VM you want to access.
Note: Follow the same procedure to access any of your virtual devices.
A new web browser tab opens, granting you access to the virtual device. When you open a VM,
your browser uses HTML5 to connect to it.
Depending on the virtual machine you select, the web browser provides access to either a text-based CLI or the GUI.
Connections to the Local-Windows VM use a Remote Desktop-like GUI. The web-based connection
should automatically log in and then display the Windows desktop.
For most lab exercises, you will connect to this Local-Windows VM.
Disconnections/Timeouts
If your computer’s connection with the virtual machine times out, or if you are accidentally
disconnected, to regain access, return to the initial window/tab that contains your session’s list of VMs
and open the VM again.
If that does not succeed, see the Troubleshooting Tips section of this guide.
Screen Resolution
Some Fortinet devices' user interfaces require a minimum screen size.
To configure screen resolution in the HTML5 client, open the System menu.
International Keyboards
If characters in your language don’t display correctly, keyboard mappings may not be correct.
To solve this, open the Keyboard menu at the top of the tab of any GUI-based VM, and choose to
display an on-screen keyboard.
Troubleshooting Tips
Do not connect to the virtual lab environment through Wi-Fi, 3G, VPN tunnels, or other low-bandwidth or high-latency connections.
For best performance, use a stable broadband connection such as a LAN.
Prepare your computer's settings by disabling screen savers and changing the power saving
scheme, so that your computer is always on, and does not go to sleep or hibernate.
If disconnected unexpectedly from any of the virtual machines (or from the virtual lab portal),
please attempt to reconnect. If unable to reconnect, please notify the instructor.
If you can't connect to a VM, you can force the VM to start up by clicking System > Power Cycle on
the VM's icon. This fixes most problems. If that does not solve the problem, revert the VM to its
initial state by clicking System > Revert to Initial State.
Note: Reverting to the VM's initial snapshot will undo all of your work. Try other solutions
first.
If during the labs, particularly when reloading configuration files, you see a license message
similar to the exhibit below, the VM is waiting for a response from the authentication server.
exec update-now
Objectives
Examine initial system settings, including network and time settings
Enable FortiAnalyzer features on FortiManager
Time to Complete
Estimated: 20 minutes
Prerequisites
Before beginning this lab, you must update the firmware and initial configurations on the Local-FortiGate and Remote-FortiGate.
This lab environment is also used for FortiGate 5.4.1 training and initializes in a different state than is
required for FortiManager 5.4.2 training.
4. Browse to Desktop > Resources > FortiManager > Introduction and select FGT_VM64-v5-build1100-FORTINET.out.
5. Click Upgrade.
4. Enter the following command to display information about the FortiManager interface
configuration:
7. Enter the following command to display information about the FortiManager routing configuration:
8. To test basic network connectivity, and to ensure the default route to the Internet is working, enter
the following command to ping IP 8.8.8.8 (public IP that is highly available):
Note: All the lab exercises were tested running Mozilla Firefox in Local-Windows VM and
Remote-Windows VM. To get consistent results, we recommend using Firefox in this
virtual environment.
The dashboard shows the FortiManager widgets that display information such as System
Information, License Information, System Resources, and more.
3. Examine the System Information and License Information widgets to display the information
shown below.
This displays the same information available from the CLI command get system status.
Firmware version
Administrative Domain status
System time and time zone
License status (VM)
4. From the System Information widget, edit the System Time to view the NTP information.
This displays the same information available from the CLI commands get system ntp and
show system ntp.
4. Click OK.
FortiManager will reboot to initialize the FortiAnalyzer features and apply the changes.
5. Wait for FortiManager to reboot and then log in as admin to the FortiManager GUI at
10.0.1.241.
You will notice that after enabling FortiAnalyzer features, there are more panes related to logging
and reporting — FortiView, Log View, Event Management, and Reports.
Objectives
Enable ADOMs and configure a new ADOM
Configure an administrator and restrict access to a newly created ADOM
Enable ADOM locking
Backup FortiManager, restore the backup and disable offline mode
Read entries in the alert message console and view event logs
Time to Complete
Estimated: 45 minutes
Enabling ADOMs
ADOMs are not enabled by default and can only be enabled by the admin administrator, or an
administrator with the Super_User access profile.
You will now enable ADOMs on FortiManager.
To enable ADOMs
1. From the Local-Windows VM, open a browser and log in as admin to the FortiManager GUI at
10.0.1.241.
2. Click System Settings.
Notice that, prior to enabling Administrative Domain, there is no All ADOM tab below Dashboard.
3. Under the System Information widget, turn on Administrative Domain.
4. Click OK.
You will be logged out from FortiManager.
5. Still working from the Local-Windows VM, open PuTTY and connect to the FORTIMANAGER
saved session (connect over SSH).
6. Log in as admin and execute the following command to view what ADOMs are currently enabled
on FortiManager and the type of device you can register to each ADOM:
Note: The CLI output formatting is easier to read if you maximize your PuTTY window. If
you've already executed the command, once the window is maximized, press the up arrow
to show the last command you entered and press Enter to re-run it.
As you can see, there are 13 ADOMs that FortiManager supports, each associated with different
devices along with their supported firmware versions.
7. Close your PuTTY session.
Configuring ADOM
When ADOMs are enabled, by default, the FortiManager will create ADOMs based on supported
device types. The root ADOM is based on the FortiGate ADOM type.
When creating a new ADOM, you must match the device type. For example, if you want to create an
ADOM for a FortiGate, you must select FortiGate as the ADOM type. With FortiGate ADOMs
specifically, you must also select the firmware version of the FortiGate device. Different firmware
versions have different features, and therefore different CLI syntax. Your ADOM setting must match
the device’s firmware.
You will now create and configure a new ADOM.
To configure ADOMs
1. Still logged in to the FortiManager GUI, click All ADOMs.
Field Value
Name My_ADOM
Tip: You can switch between ADOMs within the GUI. You do not have to log out and log
back in. To switch within the GUI, click ADOM in the top right of the GUI. Your
Field Value
Note: FortiManager comes preinstalled with four default profiles that you can assign to
other administrative users. Alternatively, you can create your own custom profile.
In this lab, we have assigned the preconfigured Standard_User profile to the newly
created student administrator. The Standard_User profile provides read and write
access to all device privileges, but not to the system privileges.
This shows how you can control or restrict administrator access based on administrative profiles
and ADOMs.
Note: The IP address specified in the URL here is not the same as the one used
previously, because now the FortiManager is being accessed from a device that is in a
different part of the network (see Network Topology). As such, we are now connecting to
the port2 interface of the FortiManager device.
end
4. From the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241
with username student and password fortinet.
5. Click Lock on the top.
You will notice the lock status changed from unlocked to a green locked state.
6. From the Remote-Windows VM, open a browser and go to https://10.200.1.241.
7. Log in as admin to the FortiManager GUI.
You will notice the lock status is red for My_ADOM.
Hover your mouse over the red lock icon. It will tell you the name of the admin who locked this
ADOM, along with the date and time.
8. Click on My_ADOM.
10. Go back to the Local-Windows VM and log out as student from FortiManager.
Note: If an administrator has locked one or more ADOMs and then logged out of
FortiManager, all those ADOMs will be unlocked.
In this example, when student administrator locked My_ADOM and then logged out,
FortiManager unlocked My_ADOM.
Caution: Always log out gracefully from FortiManager, when ADOM locking is enabled.
If a session is not closed gracefully (due to a PC crash or closed browser window),
FortiManager will not close the admin session until it times out or the session is deleted.
Until this time, the ADOM will remain in a locked state.
If this situation arises and you cannot wait for the admin session to time out, then delete
the session manually through the GUI or the CLI.
From the GUI, click the System Information widget, and then click Current
Administrators > Admin Session List.
From CLI:
To back up FortiManager
1. From the Local-Windows VM, open a browser and log in as admin to the FortiManager GUI at
10.0.1.241.
2. Select root.
3. Click Lock on the top.
4. Click System Settings.
5. Go to System Information widget > System Configuration, and then click the backup icon.
6. Deselect Encryption.
7. Click OK.
8. Select Save.
9. Click OK.
10. Note the location of the backup file and rename this file to: lab2.dat.
11. While still on the FortiManager GUI, go to Admin > Administrator.
12. Right click student and click Delete.
13. Click OK.
2. Go to System Information widget > System Configuration, and then click the restore icon.
3. Click Browse.
4. Select your backup file lab2.dat.
There is no password to enter because the file was not encrypted.
5. Leave Overwrite current IP, routing and HA settings enabled.
6. Click OK.
FortiManager will reboot.
7. Wait for FortiManager to reboot, and then log in as admin to the FortiManager GUI at
10.0.1.241.
8. Select root.
9. Click Lock on the top.
10. Click System Settings.
11. Go to Admin > Administrator.
The student administrator account will show there.
12. Log out from FortiManager.
Offline Mode
You will disable offline mode on FortiManager.
7. Click Apply.
You will notice that the Offline Mode message disappears. At this point, FortiManager can
establish a management connection with the managed devices.
Now only the filtered system manager events are displayed.
8. You can download and/or view them in raw format.
Objectives
Create and apply system templates to your managed devices
Review central management settings on the FortiGate device
Add a device using the add device wizard
Time to Complete
Estimated: 30 minutes
This is because, when ADOM locking is enabled, you must lock the ADOM prior to making
configuration changes.
4. Click Lock on the top to lock My_ADOM.
Field Value
8. Click Apply.
9. Close all other widgets by clicking X and then the checkmark symbol.
Note: When ADOM locking is enabled, you must save the changes, in order for them to be
copied to the FortiManager database.
Prior to disabling workspace mode, inform all the administrators logged into FortiManager to save their
work.
end
This logs administrators out of FortiManager so that the changes are saved.
It is recommended to place this PuTTY session and the FortiManager GUI side by side, so that you
can view the real-time debug output while adding the FortiGate from the FortiManager GUI.
Note the output is very verbose and you might have to scroll up or down to review the information.
Alternatively, you can save the log file on your desktop and open it using a text editor, such as
Notepad++.
4. In the Add Device wizard, make sure the Discover radio button is selected and configure the
following:
Field Value
IP Address 10.200.1.1
(This is the port1 IP address of FortiGate)
Username admin
8. Hit the up arrow on your keyboard and select these commands to disable the debug.
Alternatively, you can enter these commands manually.
C. Click Next.
17. On the conflict page, click View Conflict.
This will show you the details of the configuration differences between FortiGate and FortiManager.
18. Leave the default setting of FortiGate in the Use Value From column.
Note: The download import report is only available on this page. As a best practice, it is
recommended that you download the report and review the important information, such as
which device is imported into which ADOM, as well as the name of the policy package
created along with objects imported.
FortiManager imports new objects, and updates existing objects based on the option
chosen on the conflict page. The duplicate objects are skipped as FortiManager does not
import duplicate entries into the ADOM database.
25. In Local-Windows, open PuTTY and connect to the LOCAL-FORTIGATE saved session (connect
over SSH).
26. At the login prompt, enter the username admin (all lower case).
27. Enter the following command:
Note: The serial-number is the serial number of FortiManager, which is non-configurable from
FortiGate. This has been set by FortiManager, which is managing this device. Also, the
FortiManager IP address is set.
28. Close PuTTY session.
2. You will notice that a policy package named Local-FortiGate was created when you imported
firewall policies from your Local-FortiGate.
4. Click Interface.
5. Click the expand arrow for any interface to view the mapping from the ADOM interface to the
device-level interfaces, which was created when the device was added. These interfaces are used in
policy packages to map firewall policies to interfaces on the firewall.
3. Click default.
7. Click OK.
3. In the Add Device wizard, make sure the Discover radio button is selected, and configure the
following:
Field Value
IP Address 10.200.3.1
(This is the port4 IP address of FortiGate)
Username admin
7. Click Next.
8. Click Import Later.
Discussion
When Import Later is chosen in the Add Device wizard, or an unregistered device is
added into FortiManager, the policy package status will show Never Installed because
there is still no policy package created for the newly added FortiGate.
You will run the Import Policy wizard later in training.
If you add an unregistered device, then you need to run the Import Policy wizard to
import the device’s firewall policy into a new policy package.
Objectives
Understand managed device statuses on FortiManager
Use the status information in the Configuration and Installation Status widget
Make and install configuration changes from Device Manager
Make configuration changes locally on FortiGate and verify that they are retrieved automatically by
FortiManager
Identify entries in the Revision History and the management action that created the new revision
Install a large number of managed device changes using scripts
Time to Complete
Estimated: 70 minutes
Discussion
In the last exercise, you applied System Templates to both FortiGate devices. The
configuration running on the FortiManager device-level database is different from the latest
revision history. This changes the Config Status to Modified. The provisioning templates
changes need to be installed to the FortiGate devices to return the devices to the
synchronized state.
4. Under the Configuration and Installation Status widget, check Device Settings Status; it
should appear as Modified.
Discussion
The Device Setting Status is the status between the device-level database configuration
and the latest revision history. Applying System Templates changes the device level
database configuration, so it goes to the Modified state.
The Sync Status is the status between the latest revision history and the actual FortiGate
configuration. As the latest revision history is the same as the FortiGate configuration, the
Sync Status is in the Synchronized state.
5. In Local-Windows, open PuTTY and connect to the FORTIMANAGER saved session (connect
over SSH).
6. At the login prompt, enter the username admin (all lower case).
7. Enter the following command to display the device statuses through the CLI.
The output will show the serial number of the device, the connecting IP address of the device, the
firmware version, the name of the device on FortiManager, and the ADOM in which the device is
added.
Note: You will see FortiAnalyzer as an unregistered device because FortiAnalyzer is configured to
query FortiManager for the threat intelligence database (a feature on the FortiAnalyzer). This is
configured for the FortiAnalyzer labs, which use the same lab environment.
8. Examine the STATUS row of the diagnose dvm device list output for Local-FortiGate and
Remote-FortiGate.
4. In the Install Wizard, make sure Install Device Settings (only) is selected and click Next.
5. On the Device Settings page, ensure both FortiGate devices are selected.
6. Click Next.
7. Click Preview for the Local-FortiGate.
This will show you the changes that will be installed (applied) to the FortiGate device.
8. Click Cancel on the Install Preview page.
Optionally, you can also select Preview for Remote-FortiGate.
9. Make sure both FortiGate devices are selected.
This is the install log that shows what exactly is installed on the managed device.
Here is an example provided for Local-FortiGate.
3. Under Configuration and Installation Status, you should observe that Device Settings Status
is in the Unmodified state.
This means that FortiGate's device-level database configuration is the same as the latest revision
history.
4. In Local-Windows, open PuTTY and connect to the FORTIMANAGER saved session (connect
over SSH).
5. At the login prompt, enter the username admin (all lower case).
6. Enter the following command to display device statuses through the CLI.
The db status is not modified, which means that FortiGate's device-level database
configuration matches the latest revision history. The dm: installed field
means that the install was performed from FortiManager.
7. Enter the following command to display the FGFM tunnel statuses.
This command can be used to view the connecting IP of managed devices, the link-level address
assigned by FortiManager, and the uptime of the FGFM tunnel between FortiGate and
FortiManager.
8. Close the PuTTY session.
Note: When you connect locally to a device managed by FortiManager, you will be
presented with a warning message because the device is centrally managed. Only when it
is absolutely necessary should you use the read-write option locally on FortiGate. An
example might be that a FortiManager administrator is unavailable to make configuration
changes and install to manage FortiGate devices.
3. Click Yes.
4. Go to Log & Report > Log Settings.
5. Under Local Log settings, disable Enable Local Reports.
6. Click Apply.
7. Log out of the FortiGate.
2. In the Configuration and Installation Status widget, click the Revision History icon.
You should observe three configurations, though you may have more if you have made further
changes:
Your first Installation status should display as Retrieved, indicating that this configuration
was taken from the device’s running configuration, when it was added to FortiManager.
Your second Installation status should display as Installed, indicating that these changes
were made by FortiManager to the managed device.
Your third Installation status should display as Auto Updated, indicating that these
changes were made locally on FortiGate and got automatically updated in FortiManager.
You should see the CLI commands sent by FortiManager (which are identical to the installation
previewed earlier) and the FortiGate response.
2. Click Close.
To view auto update, revision history, and the install log for Remote-FortiGate
(Optional)
1. Still logged in to the FortiManager GUI, click Remote-FortiGate and follow the steps from Viewing
Auto Update and Revision History.
For Remote-FortiGate, you will see the NTP settings pushed by FortiManager based on the
imported NTP settings in the default system template from Local-FortiGate.
Log View
As FortiAnalyzer features are enabled on FortiManager, and both FortiGate devices are configured
to send logs to FortiManager, you will be viewing the logs for the managed devices under the Log
View pane.
You should see the traffic logs generated by the FortiGate device.
Task Manager
Task Manager provides the status of the task you have performed and can be used for
troubleshooting various types of issues such as adding, importing, and/or installing changes from
FortiManager.
You will now check the entries in Task Manager.
5. Click on the dropdown menu for the Install Device entry and click on the View Installation
Log icon for Local-FortiGate or Remote-FortiGate.
This will show the installation log corresponding to the installation that you performed earlier.
6. Click Close.
8. Click OK.
9. Click Managed FortiGates.
Discussion
The Modified status means that the device-level database change has been made to
Remote-FortiGate. You changed the interface configuration.
The status recent auto-updated in parentheses means that the previous configuration
changes were made locally on FortiGate and were auto updated on FortiManager. You
made changes to the logging settings locally in the previous lab.
2. Click the drop-down arrow on Devices (Device Config Modified) and click Modified.
This time it will show only Local-FortiGate in the Managed FortiGates list.
3. Click Customize.
4. In the System category, click Administrators.
5. Click OK.
6. Click System : Dashboard and then click Administrators.
Field Value
Administrator training
Type Regular
Password fortinet
9. Leave all other settings at their default values and click OK.
10. Click Managed FortiGates.
You will notice that Config Status has changed to Modified for Local-FortiGate.
This is because you made a device-level configuration change for Local-FortiGate by configuring
the administrator account.
This shows the device-level configuration changes that will be installed on the managed device
when FortiManager performs the device-level install.
Note: The install Preview under the Configuration and Installation Status widget only
shows the preview for the device-level changes, not the changes related to policies and
objects.
5. Click OK.
Optionally, you can follow this same procedure to view the install Preview for Local-FortiGate.
Install Wizard
You will install these changes to the managed devices using the Install wizard.
3. Click Next.
4. On the Device Settings page, ensure both FortiGate devices are selected.
5. Click Next.
6. Click Preview for Local-FortiGate.
This will show you the changes that will be installed (applied) to the FortiGate device.
7. Click Cancel on the Install Preview page.
Optionally, you can also check the Preview for Remote-FortiGate.
8. Make sure both FortiGate devices are selected.
9. Click Install.
10. Once the install is successful, click the View Log icon.
This is the install log which shows what exactly is installed on the managed device.
11. Click Close on the Install Log page.
12. Click Finish.
13. Click Managed FortiGates.
Revision Diff
After every retrieve, auto update, and install operation, FortiManager stores the FortiGate’s
configuration checksum output with the revision history. This is how the out-of-sync condition is
calculated.
The Revision Diff is a useful feature that can be used to compare the differences between previous
revisions, a specific revision, or the factory default configuration. In terms of the output, you can
choose to show full configuration with differences, only differences, or you can capture the differences
to a script.
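To make the two comparisons concrete (device-level database versus latest revision for Device Settings Status, latest revision versus running configuration for Sync Status, and the revision diff captured as a script), here is an added, self-contained Python model; it is not Fortinet's code. It assumes a simplified FortiOS config syntax, constructed sample snapshots, and a SHA-256 digest as a stand-in for FortiGate's own checksum.

```python
"""Added example (not Fortinet's code): toy model of FortiManager's revision
checksum, the statuses derived from it, and "Capture Diff to a Script".
Assumption: SHA-256 stands in for the real FortiGate checksum algorithm."""
import hashlib
from typing import Dict, List, Tuple

# A config is keyed by its nesting path, e.g. (("config", "system admin"),
# ("edit", '"training"')), and maps to that node's `set` values.
Path = Tuple[Tuple[str, str], ...]
Config = Dict[Path, Dict[str, str]]

# Constructed sample snapshots (not real lab output). The latest revision adds
# the training administrator from the lab and also changes a static route, the
# kind of setting the guide warns may not be valid on another FortiGate.
REV_PREVIOUS = """
config system global
    set hostname "Local-FortiGate"
    set timezone 04
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
end
config router static
    edit 1
        set gateway 10.200.1.254
        set device "port1"
    next
end
"""
REV_LATEST = REV_PREVIOUS.replace("10.200.1.254", "10.200.1.2") + """
config system admin
    edit "training"
        set accprofile "prof_admin"
        set password ENC PLACEHOLDER_HASH
    next
end
"""


def parse_config(text: str) -> Config:
    """Parse config/edit/set/unset/next/end blocks into a Config."""
    cfg: Config = {}
    path: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)  # keyword, name-or-key, remainder
        kw = parts[0]
        if kw in ("config", "edit"):
            path.append((kw, line[len(kw):].strip()))  # keep quotes verbatim
            cfg.setdefault(tuple(path), {})
        elif kw in ("next", "end"):
            path.pop()
        elif kw == "set":
            cfg[tuple(path)][parts[1]] = parts[2] if len(parts) > 2 else ""
        elif kw == "unset":
            cfg[tuple(path)].pop(parts[1], None)
        else:
            raise ValueError(f"unsupported line: {line}")
    if path:
        raise ValueError("unbalanced config/edit block")
    return cfg


def checksum(cfg: Config) -> str:
    """Stable digest of a snapshot; equal digests mean identical configuration."""
    h = hashlib.sha256()
    for path in sorted(cfg):
        h.update(repr(path).encode())
        for key, value in sorted(cfg[path].items()):
            h.update(repr((key, value)).encode())
    return h.hexdigest()


def device_settings_status(device_db: Config, latest_revision: Config) -> str:
    """Device-level database vs. latest revision history."""
    return "Unmodified" if checksum(device_db) == checksum(latest_revision) else "Modified"


def sync_status(latest_revision: Config, running: Config) -> str:
    """Latest revision history vs. the configuration running on the FortiGate."""
    return "Synchronized" if checksum(latest_revision) == checksum(running) else "Out of Sync"


def _wrap(path: Path, body: List[str]) -> List[str]:
    """Nest `body` inside the config/edit blocks named by `path`."""
    out = [f"{'    ' * i}{kind} {name}" for i, (kind, name) in enumerate(path)]
    out += ["    " * len(path) + b for b in body]
    for i, (kind, _) in reversed(list(enumerate(path))):
        out.append("    " * i + ("next" if kind == "edit" else "end"))
    return out


def diff_script(old: Config, new: Config) -> str:
    """Emit the CLI script that turns `old` into `new` (Capture Diff to a Script)."""
    lines: List[str] = []
    for path in sorted(set(old) | set(new)):
        if path not in new:  # entry removed: delete it unless a parent is gone too
            parent_gone = any(path[:i] not in new for i in range(1, len(path)))
            if path[-1][0] == "edit" and not parent_gone:
                lines += _wrap(path[:-1], [f"delete {path[-1][1]}"])
            continue
        before, after = old.get(path, {}), new[path]
        body = []
        for key in sorted(set(before) | set(after)):
            if key not in after:
                body.append(f"unset {key}")
            elif before.get(key) != after[key]:
                body.append(f"set {key} {after[key]}".rstrip())
        if body or (path not in old and path[-1][0] == "edit"):
            lines += _wrap(path, body)
    return "\n".join(lines)


if __name__ == "__main__":
    prev, latest = parse_config(REV_PREVIOUS), parse_config(REV_LATEST)
    print("Device Settings Status:", device_settings_status(latest, prev))
    print("Sync Status:", sync_status(prev, prev))
    print(diff_script(prev, latest))
```

Run as-is to see the Modified/Synchronized pair the lab produces before the install, and the captured script; swapping the arguments of diff_script produces the rollback script instead.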
You will now compare the differences between the latest revision and the previous revision.
2. Under the Configuration and Installation Status widget, click the Revision History icon.
5. Click Apply.
It shows the difference in configuration between the previous version and the current running version.
Remember, you configured the administrator account for Local-FortiGate.
6. Click Close.
7. Click ID 4 again and click Revision Diff.
8. Select Capture Diff to a Script.
9. Click Apply.
10. Select Save File.
11. Click OK.
Note the folder where it is downloaded.
This will show you the exact CLI syntax of the changes. This script can be used to configure other
FortiGate devices that require the same settings, using the script feature on FortiManager.
17. Close the Notepad++.
Caution: This is to demonstrate capturing a diff in the form of a script. Make sure the captured
script is valid for other FortiGate devices before using it on them. If required, you can edit the
script before applying it to other FortiGate devices.
For example, if you have configured a static route along with the administrator setting, the
static route settings might be not valid for other FortiGate devices.
6 Scripts
A script can make many changes to a managed device and is useful for bulk configuration changes
and consistency across multiple managed devices. You can configure and install scripts from
FortiManager to managed devices.
Scripts can be run on:
Device Database (default)
Policy Package, ADOM Database
Remote FortiGate Directly (via CLI)
An install must be performed if a script is run on the Device Database or on the Policy Package, ADOM
Database.
In this exercise, you will make many configuration changes by using the script feature and installing
them on the managed devices.
6. Click Apply.
7. Log out of FortiManager.
Configuring Scripts
You will now configure scripts for the managed devices.
To configure scripts
1. From the Local-Windows VM, open a browser and log into the FortiManager GUI at 10.0.1.241
with username student and password fortinet.
2. Click Device Manager.
3. Click Scripts.
7. Browse to Desktop > Resources > FortiManager > Device-Config and select Local-Script.
8. Click the dropdown menu for Advanced Filters.
9. Click Device and select Local-FortiGate from the dropdown menu.
To run scripts
1. Still logged in to the FortiManager GUI, right-click the Local and click Run Script Now.
Note: If needed, you can also view the script execution history later from the
Configuration and Installation Status widget or from the Task Monitor.
4. Click Close.
5. Click Close.
6. Right-click on Remote and click Run Script Now.
7. Select Remote-FortiGate and click Run Now at the bottom of the page.
8. Click Close.
To install scripts
1. Still logged in to the FortiManager GUI, click Device & Groups.
Discussion
The scripts contain configuration changes related to device-level settings and policies.
The Config Status is Modified for both FortiGate devices because of device-level
changes.
As the Local-FortiGate policy package was imported when you added FortiGate,
FortiManager detects policy-level changes and marks the Local-FortiGate Policy Package
Status as Out of Sync.
For Remote-FortiGate, the policy package was never imported; hence FortiManager
cannot compare the differences in the policies.
2. Select Local-FortiGate and Remote-FortiGate and click Install, and then click Install Config.
3. Click OK.
Note: The Install Config option does not provide an option for install preview and install
log. It should be used only if you are absolutely sure about the changes you are trying to
install.
If needed, you can view the installation history later from the Configuration and
Installation Status widget or from the Task Monitor.
4. Click Finish.
Objectives
Import firewall policies and objects from a managed device and review the imported policy
packages
Create ADOM revisions
Use workflow mode to configure and send changes for approval
Find duplicate objects and merge them, and delete used objects
Create and assign header policies to policy packages in an ADOM
Create a policy package shared across multiple devices
Create shared objects and dynamic objects with mapping rules
Identify the different policy and object interface mapping types and configure zones mappings
Install a policy package and device settings from the Policy & Objects pane
Time to Complete
Estimated: 70 minutes
Import Policy
You will now import policies and objects for both managed FortiGate devices.
To import policies
1. From the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241
with username student and password fortinet.
2. Click Device Manager.
3. Right-click the Local-FortiGate and click Import Policy.
4. Click Next.
5. Rename Policy Package Name to Local-FortiGate-1.
6. Select Import All Objects.
7. Click Next.
18. Compare the policies in the Local-FortiGate and Local-FortiGate-1 policy packages by clicking
IPv4 Policy on each policy package.
Policy package: Local-FortiGate
4. Click OK.
You will notice the lock icon, name of the administrator who created it, and the date and time.
5. Click Close.
2 Workflow Mode
Workflow mode is used to control the creation, configuration, and installation of policies and objects. It
helps to ensure that all changes are reviewed and approved before they are applied.
Workflow mode is similar to ADOM locking (workspace mode), but it also allows administrators to
submit their configuration changes for approval. The configuration changes are not committed to the
FortiManager database until the approval administrator approves them. Only after they are approved
can these configuration changes be installed on the managed device.
In this exercise, you will enable workflow mode and then make configuration changes related to
policies and objects. You will send them for approval and, once they are approved, install them.
Note: Before enabling workflow mode, ensure all FortiManager administrators are notified to save
their changes and their work on FortiManager.
This is because enabling workflow mode terminates all management sessions.
edit My_ADOM
config approver
edit 1
next
end
end
5. Close the PuTTY session.
11. Click Merge for the LAN and LOCAL_SUBNET firewall address.
Note: By merging duplicate objects, you reduce the size of the object database, which can
otherwise overwhelm the FortiManager administrator with a large number of objects from
different FortiGate devices in the same ADOM. You can also delete unused objects from the
same Tools menu if they will not be used in the future.
Caution: FortiManager allows you to delete a used object. Be careful before deleting a used
object, because it will be replaced by the none address 0.0.0.0/255.255.255.255.
This means any traffic matching that firewall policy will be blocked if there is no catch-all or
shadowed policy below it. In this case, the destination address of firewall policy 1 in the
Local-FortiGate-1 policy package is replaced by none after the LINUX address object is
deleted.
Note: Your changes are still not saved in the FortiManager database because they must
be approved by the approval administrator.
Note: The session list will show you the name of the request made, user, date, and
approval status.
The approver administrator can approve, reject, or discard a request, or view the differences
between two revisions. The approver administrator can also create a session that is sent to a
different approval administrator, or self-approve, based on the workflow approval matrix.
7. Click OK.
8. Click Continue Without Session.
9. Click Unlock.
Note: If an administrator who has locked ADOMs logs out of FortiManager, the lock is released on
all ADOMs locked by that administrator.
Caution: Always log out of FortiManager gracefully when ADOM locking (workspace or workflow
mode) is enabled.
If a session is not closed gracefully (PC crash or closed browser window), FortiManager does not
close the administrator session until the session times out or is deleted. The locked ADOM remains
locked.
The session must be deleted manually through the GUI or the CLI.
In the GUI: System Settings > System Information widget > Current Administrators > Admin
Session List.
In the CLI:
ping 10.200.1.254 -t
You will notice the request timed out because the firewall policy has the destination as LINUX and
the action as DENY locally on the Local-FortiGate.
Screenshot from the Local-FortiGate.
6. Return to the FortiManager GUI and click Install > Install Wizard.
All administrators will be logged out of the FortiManager GUI to save the changes, so before
disabling workspace mode, inform all administrators logged in to FortiManager to save their
work.
Field Value
Name Global_Policy
Service gPING
Schedule galways
Action Deny
6. Click OK.
Field Value
ADOMs My_ADOM
Specify ADOM to policy package to exclude: Check the box and select the following:
default
Local-FortiGate
4. Click OK.
5. Click Assign.
The header policy is assigned to the Local-FortiGate-1 and Remote-FortiGate policy packages.
2. Click My_ADOM.
3. Click Local-FortiGate-1 > IPv4 Header Policy to view the assigned header policy.
Optionally, you can perform the previous step to view the header policy in the Remote-FortiGate
policy package.
4. Click Local-FortiGate-1 policy package.
5. Click Install > Re-install Policy.
6. Click Preview.
The configuration changes that will be installed on FortiGate will display. In this case, the header
policy and related objects will be installed.
9. Click Finish.
10. Click the Remote-FortiGate policy package.
11. Click Install > Re-install Policy.
Field Value
Type IP/Netmask
IP/Netmask 10.0.0.0/8
8. Click OK.
Note: You will get the following warning message “The new mapping will delete the old
mapping, are you sure you want to continue”. This is because interfaces were dynamically
mapped when the devices were added to the FortiManager. Now, FortiManager will delete
the old mapping and add these interfaces to map to this newly created interface.
6. Click OK.
7. Still in the FortiManager GUI, click Create New > Zone.
5. Log out and log in again with the admin user in FortiManager.
6. Click Global Database.
7. Click Assignment.
8. Select My_ADOM and click Edit ADOM.
12. Log out of the FortiManager GUI, and log in again with username student and password
fortinet.
13. Click Policy & Objects.
14. Click Training.
You will notice that the Training policy package no longer has a header policy.
15. Click IPv4 Policy and click Create New.
Field Value
Name For_Local
Schedule always
Action Accept
Field Value
Name For_All
Schedule always
Action Accept
Once added, you can drag the Install On column to where you want it positioned in the column
list.
6. For the For_Local policy, click Installation Targets.
7. Select Local-FortiGate.
8. Click OK.
4. Click Next.
5. Make sure both FortiGate devices are selected and click Next.
6. Select both FortiGate devices.
If you hover your cursor over the Status column of the FortiGate devices, it will show you the
name of the previous policy package.
Optionally, you can preview the changes before the installation attempt.
7. Make sure both FortiGate devices are selected and click Install.
8. Once the installation is successful, you can click on View Log to see the installation history for
each FortiGate.
4. Click Addresses.
The Internal address is translated to 10.0.1.0/24 as per the dynamic mapping of address objects.
5. Click Network > Interfaces.
An Outside zone is created with interfaces port1, port2 as per interfaces and zones dynamic
mappings.
6. Log out of FortiGate.
7. Try to log into Remote-FortiGate (https://10.200.3.1).
Why are you getting an authentication page?
This is because of the identity policy on the Local-FortiGate. You will need to authenticate all
outgoing http and https traffic on the Local-FortiGate device.
8. When prompted for firewall authentication, enter the username student and the password
fortinet.
9. Once authenticated, log in to the Remote-FortiGate using admin as the username and no
password.
LAB 6—VPN
In this lab, you will configure a site-to-site IPsec VPN between Local-FortiGate and Remote-FortiGate
using Device Manager.
Objectives
Create an IPsec VPN using Device Manager.
Time to Complete
Estimated: 20 minutes
5. Click OK.
6. Click Local-FortiGate.
9. Click OK.
10. Click VPN > IPsec Phase 1.
Field Value
Name To_Remote
IP Address 10.200.3.1
Mode Main
Field Value
P1 Proposal
Encryption AES128
Authentication SHA256
(Delete all other entries)
Diffie-Hellman Groups 5
15. Leave all other settings at their default values, and then, at the bottom of the page, click OK.
16. Click VPN > IPsec Phase 2.
Field Value
Phase 1 To_Remote
19. Leave all other settings at their default values, and then, at the bottom of the page, click OK.
Field Value
Destination Subnet 10.0.2.0/24
Device To_Remote
4. Leave all other settings at their default values, and then, at the bottom of the page, click OK.
Field Value
Name To_Local
IP Address 10.200.1.1
Mode Main
Field Value
P1 Proposal
Encryption AES128
Authentication SHA256
(Delete all other entries)
Diffie-Hellman Groups 5
7. Leave all other settings at their default values, and then, at the bottom of the page, click OK.
8. Click VPN > IPsec Phase 2.
Field Value
Phase 1 To_Local
11. Leave all other settings at their default values, and then, at the bottom of the page, click OK.
Field Value
Destination Subnet 10.0.1.0/24
Device To_Local
4. Leave all other settings at their default values, and then, at the bottom of the page, click OK.
6. Click Finish.
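The Phase 1 and Phase 2 tables above must mirror each other on the two FortiGate devices, which is why each side deletes every proposal except AES128/SHA256 and DH group 5. The following is an added example, not part of this lab guide or of any Fortinet product: it encodes both ends with the table values, cross-checks them (peer addresses point at each other, a common proposal and DH group exist, the Phase 2 selectors mirror), and adds the caveat a practitioner would want about the strength of DH group 5. The gateways' own addresses and protected subnets (10.200.1.1 and 10.0.1.0/24 for Local-FortiGate, 10.200.3.1 and 10.0.2.0/24 for Remote-FortiGate) are taken from the lab topology rather than the tables, and the 2048-bit minimum is an assumed local policy, not a lab value.

```python
"""Cross-check both ends of a site-to-site IPsec configuration."""
from __future__ import annotations
from dataclasses import dataclass
import ipaddress

# MODP sizes of the IKE Diffie-Hellman groups (RFC 2409 for 1/2/5, RFC 3526 for 14-16).
DH_MODP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096}
MIN_DH_BITS = 2048  # assumed local policy threshold, not a value from the lab


@dataclass
class Phase1:
    name: str
    local_ip: str                       # this gateway's own address (lab topology)
    remote_gw: str                      # the Phase 1 "IP Address" field
    proposals: list[tuple[str, str]]    # (Encryption, Authentication) in preference order
    dhgrp: set[int]                     # "Diffie-Hellman Groups"


@dataclass
class Phase2:
    phase1: str                         # the Phase 2 "Phase 1" field
    src_subnet: str                     # local protected subnet (lab topology)
    dst_subnet: str                     # the Phase 2 "Destination Subnet" field


@dataclass
class Gateway:
    p1: Phase1
    p2: Phase2


def check_pair(a: Gateway, b: Gateway) -> list[str]:
    """Return findings prefixed ERROR (tunnel cannot come up) or WARN (policy caveat)."""
    findings: list[str] = []
    for gw in (a, b):
        if gw.p2.phase1 != gw.p1.name:
            findings.append(f"ERROR: phase2 on {gw.p1.local_ip} is bound to "
                            f"{gw.p2.phase1!r}, not {gw.p1.name!r}")
    if a.p1.remote_gw != b.p1.local_ip or b.p1.remote_gw != a.p1.local_ip:
        findings.append("ERROR: remote gateway addresses do not point at each other")
    if not [p for p in a.p1.proposals if p in b.p1.proposals]:
        findings.append("ERROR: no common phase1 proposal")
    common_dh = a.p1.dhgrp & b.p1.dhgrp
    if not common_dh:
        findings.append("ERROR: no common DH group")
    for g in sorted(common_dh):
        bits = DH_MODP_BITS.get(g)
        if bits is None:
            findings.append(f"WARN: DH group {g} is not in the MODP table, check its strength")
        elif bits < MIN_DH_BITS:
            findings.append(f"WARN: DH group {g} is {bits}-bit MODP, below the "
                            f"assumed {MIN_DH_BITS}-bit minimum")
    # Selectors must mirror: what A sends into the tunnel is what B protects, and vice versa.
    net = ipaddress.ip_network
    if (net(a.p2.dst_subnet) != net(b.p2.src_subnet)
            or net(b.p2.dst_subnet) != net(a.p2.src_subnet)):
        findings.append("ERROR: phase2 selectors do not mirror each other")
    return findings


def lab_pair() -> tuple[Gateway, Gateway]:
    """Local-FortiGate and Remote-FortiGate as configured in the tables above."""
    local = Gateway(
        Phase1("To_Remote", "10.200.1.1", "10.200.3.1", [("AES128", "SHA256")], {5}),
        Phase2("To_Remote", "10.0.1.0/24", "10.0.2.0/24"),
    )
    remote = Gateway(
        Phase1("To_Local", "10.200.3.1", "10.200.1.1", [("AES128", "SHA256")], {5}),
        Phase2("To_Local", "10.0.2.0/24", "10.0.1.0/24"),
    )
    return local, remote


def mismatched_pair() -> tuple[Gateway, Gateway]:
    """Constructed failure case: the remote end kept a different Phase 1 proposal."""
    local, remote = lab_pair()
    bad = Gateway(Phase1("To_Local", "10.200.3.1", "10.200.1.1",
                         [("AES128", "SHA1")], {5}), remote.p2)
    return local, bad


if __name__ == "__main__":
    for label, pair in (("lab", lab_pair()), ("mismatch", mismatched_pair())):
        print(label, check_pair(*pair) or ["OK"])
```

For the lab values the only finding is the WARN about DH group 5; the mismatched pair shows the ERROR you would chase when the tunnel in the later verification step does not come up.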
Click Add.
In the Mapped Device drop-down list, select Remote-FortiGate.
8. Click OK.
Field Value
Name To_IPsec
Service ALL
Schedule always
Action Accept
5. Leave all other settings at their default values, and then click OK.
6. Click Create New to create a second new firewall policy.
7. Configure the following values:
Field Value
Name From_IPsec
Service ALL
Schedule always
Action Accept
8. Leave all other settings at their default values, and then click OK.
Your configuration should look like the following example:
3. Click Next.
4. After the installation is successful, click Finish.
ping 10.0.2.10
2. In the FortiManager GUI, click Policy & Objects > Device Manager.
3. Click Local-FortiGate.
You will see the IPsec tunnel is up between the FortiGate devices.
Objectives
Diagnose and troubleshoot issues when installing System Templates
Diagnose and troubleshoot issues when importing policy packages
Time to Complete
Estimated: 30 minutes
Prerequisites
Before beginning this lab, you must restore the configuration files to the Local-FortiGate, Remote-FortiGate, and FortiManager.
5. Select the option to restore from Local PC, and then click Upload.
6. Browse to Desktop > Resources > FortiManager > Troubleshooting and select Local-diag.conf.
7. Click OK.
8. Click OK.
The system reboots.
9. After the reboot finishes (you must wait until Local-FortiGate reboots), open a new browser and
log in as admin to the Remote-FortiGate GUI at 10.200.3.1.
10. Repeat the same procedure to restore the system configuration for the Remote-FortiGate but, in
the Troubleshooting folder, select Remote-diag.conf.
5. Click Browse.
6. Browse to Desktop > Resources > FortiManager > Troubleshooting and select FMG-diag.dat.
There is no password to enter because the file was not encrypted.
7. Leave the Overwrite current IP, routing and HA settings check box selected.
8. Click OK.
FortiManager reboots.
9. Wait for the FortiManager to reboot, and then log in as admin to the FortiManager GUI at
10.0.1.241.
10. Click root.
11. Click System Settings.
12. Go to Advanced > Advanced Settings.
In this exercise, you will diagnose and troubleshoot issues that occur when installing configuration
changes to Local-FortiGate and Remote-FortiGate.
5. Write down the DNS settings that will be installed on the Local-FortiGate.
Primary: ______________________
Secondary: ______________________
6. Click OK.
Primary: ______________________
Secondary: ______________________
4. Click OK.
Discussion
The Local-FortiGate device was preconfigured with the primary DNS entry 208.91.112.53.
When the Local-FortiGate was added to FortiManager, this setting was automatically retrieved
into the device-level database. To verify, check the current revision history and search for
config system dns.
If you cannot find it, follow the procedure below to view the system template and DNS settings
in the CLI.
Dump all objects for category [system dns] in adom [ADOM1] package
[1020]:
---------------
end
Note: The execute fmpolicy print- command tree allows you to view the CLI
configuration for provisioning templates, ADOM, and the device database on
FortiManager.
The syntax for provisioning templates is:
# execute fmpolicy print-prov-templates <adom> <prov> <package>
<category>|all [<key>|all|list]
You can use the help feature by typing ? to open the command tree syntax.
---------------
end
2. Execute the following command to view the Remote-FortiGate DNS settings in the
FortiManager device-level database.
---------------
end
Compare the FortiManager system template entries with each FortiGate device. The Local-FortiGate
primary DNS entry matches the default system template primary DNS entry, so FortiManager skips
the primary DNS entry for the Local-FortiGate: the device is already configured with the same value.
3. Close the PuTTY session.
5. Make sure both devices are selected, and then click Next.
9. Click Cancel.
10. Make sure both FortiGate devices are selected, and then click Install.
The installation begins.
11. After the installation finishes, click the View Log icon to view and verify what is being installed on
each device.
5. On the left side of the window, expand Firewall Objects, and then click Addresses.
6. Review the configuration for the Test_PC firewall address. In the ADOM database, it is set to any
interface based on the configuration imported from the Local-FortiGate.
Remember, the Test_PC address object is bound to any interface in the ADOM database.
6. Log out of Remote-FortiGate.
3. Click Next.
4. Make sure the policy package name is Remote-FortiGate.
5. Leave all other settings at their default values, and then click Next.
6. Click Next.
7. Click Next.
Did you notice it skipped one firewall policy out of two policies?
8. Click Download Import Report to view the reason for skipping a firewall policy.
9. Open the file (or you can save it for future reference).
Did you notice it failed when importing firewall policy ID # 2(SEQ# 1)?
Discussion
Remember, in the ADOM1 database, the Test_PC firewall address is bound to the any
interface, based on the configuration imported from the Local-FortiGate. On the Remote-
FortiGate, policy ID 2 is using the Test_PC firewall address bound to port6 as the source
address.
This is the expected behavior on FortiManager because it doesn’t allow the same address
object name to bind to different interfaces.
Because FortiManager imported partial policies in the policy package, if you try to make a
change to the policy package and try to install, it will delete the skipped policies and
objects associated with those policies, along with all unused objects.
You must change the Test_PC firewall address binding to the any interface by locally
logging in to the Remote-FortiGate.
2. On the left side of the window, click Remote-FortiGate, and then click IPv4 Policy.
You will see that the firewall policy with Test_PC as the source address is not imported.
3. Double click the Seq# 1 firewall policy.
4. In the Description field, type Training, and then click OK.
2. Click Preview.
3. Notice that it is trying to delete the firewall policy with ID=2 and the Test_PC address object.
Note: When installing a policy package for the first time, FortiManager also deletes all unused
objects.
This is the firewall policy with Test_PC as the source address.
4. Click Next.
5. Select the Overwrite check box.
6. Leave all other settings at their default values, and then click Next.
Did you notice that Test_PC appeared as Dynamic Mapping?
FortiManager automatically creates a dynamic mapping of the object with the same values. The
interface must be the same as in the ADOM database.
7. Click Next.
8. You will see both firewall policies are imported this time.
9. Click Finish.
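The import behaviour worked through in this exercise (a policy is skipped because the Test_PC address is bound to port6 on Remote-FortiGate but to any in the ADOM database, and after the binding is corrected a re-import with Overwrite records a dynamic mapping) is modelled below. This is an added example and a simplified model written for this page; it is not FortiManager's implementation. The subnet 192.0.2.10/32 and the policy list are constructed, except that policy ID 2 with Seq# 1 using Test_PC as source is the case from the lab; the rule that the built-in all object never gets a mapping is a simplification of the model.

```python
"""Model of a policy import that skips policies over an address interface-binding conflict."""
from __future__ import annotations
from copy import deepcopy
from dataclasses import dataclass, field


@dataclass
class Address:
    subnet: str
    interface: str = "any"
    dynamic_mapping: dict[str, str] = field(default_factory=dict)  # device name -> subnet


def import_policies(adom_db: dict[str, Address], device: str,
                    dev_addrs: dict[str, Address], policies: list[dict],
                    overwrite: bool = False):
    """Import one device's policies into a copy of the ADOM object database.

    Returns (new_db, imported_ids, skipped), where skipped holds (policy id, seq, reason).
    A policy is skipped when it references an address whose name already exists in the
    ADOM database bound to a different interface; the same name may not bind to two
    interfaces. With overwrite=True, a name that already exists with the same binding is
    kept as the ADOM object and a per-device dynamic mapping is recorded for it.
    """
    db = deepcopy(adom_db)
    imported: list[int] = []
    skipped: list[tuple[int, int, str]] = []
    for pol in policies:
        reason = None
        for name in (pol["srcaddr"], pol["dstaddr"]):
            dev = dev_addrs[name]
            existing = db.get(name)
            if existing is None:
                db[name] = Address(dev.subnet, dev.interface)   # new object, imported as-is
            elif existing.interface != dev.interface:
                reason = (f"address {name!r} is bound to {dev.interface} on {device} "
                          f"but to {existing.interface} in the ADOM database")
                break
            elif overwrite and name != "all":
                existing.dynamic_mapping[device] = dev.subnet
        if reason is None:
            imported.append(pol["id"])
        else:
            skipped.append((pol["id"], pol["seq"], reason))
    return db, imported, skipped


def adom1_db() -> dict[str, Address]:
    """ADOM database after the Local-FortiGate import: Test_PC bound to any (subnet constructed)."""
    return {"Test_PC": Address("192.0.2.10/32", "any"),
            "all": Address("0.0.0.0/0", "any")}


def remote_addresses(test_pc_interface: str) -> dict[str, Address]:
    """Remote-FortiGate objects; the lab starts with Test_PC bound to port6."""
    return {"Test_PC": Address("192.0.2.10/32", test_pc_interface),
            "all": Address("0.0.0.0/0", "any")}


def remote_policies() -> list[dict]:
    """Two policies; ID 2 (Seq# 1) uses Test_PC as source, as in the lab. The other is constructed."""
    return [{"id": 2, "seq": 1, "srcaddr": "Test_PC", "dstaddr": "all"},
            {"id": 1, "seq": 2, "srcaddr": "all", "dstaddr": "all"}]


if __name__ == "__main__":
    _, done, skipped = import_policies(adom1_db(), "Remote-FortiGate",
                                       remote_addresses("port6"), remote_policies())
    print("first import:", done, skipped)
    db, done, skipped = import_policies(adom1_db(), "Remote-FortiGate",
                                        remote_addresses("any"), remote_policies(),
                                        overwrite=True)
    print("after fixing the binding:", done, skipped, db["Test_PC"].dynamic_mapping)
```

The first run reproduces the import report (one of two policies skipped, with the interface conflict as the reason); the second run, after the binding on the device matches the ADOM database, imports both policies and shows Test_PC carrying a dynamic mapping for Remote-FortiGate.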
Objectives
Review the central management configuration on both FortiGate devices
Understand and run FortiGuard debug commands
Import the firmware image for FortiGate devices and upgrade from FortiManager
Time to Complete
Estimated: 15 minutes
1 FortiGuard Management
In this exercise, you will review the central management settings on the FortiGate devices. Then, you
will run the CLI commands related to FortiGuard diagnostics on FortiManager to understand
FortiGuard settings on FortiManager.
Remote FortiGate:
You will see that server-list is configured on the FortiGate devices with the FortiManager
IP address, and that include-default-servers is disabled. This means the FortiGate devices
are pointed to FortiManager for their FortiGuard services, and access to public FortiGuard servers is
disabled.
You should see that there is only one default server in the list. FortiManager is unable to connect
to the public FDN servers because of unreachability or disabled service. In this lab environment,
communication with the public FortiGuard servers is disabled.
FortiManager is operating in a closed network environment and license contracts are uploaded
manually on FortiManager. You should see the contract information, which includes the types of
contracts that the device currently has along with the expiry dates.
Note: The same information can be viewed in the FortiGate GUI in the License Information
widget.
You will also see FortiAnalyzer contract information, which is uploaded manually on FortiManager.
The FortiAnalyzer labs use FortiManager as the local FDS in order to use the IOC features on
FortiAnalyzer.