FortiManager Lab Guide-Online

DO NOT REPRINT
© FORTINET
 Virtual Lab Basics
FortiManager 5.4.2
Lab Guide
for FortiManager 5.4.2
FortiManager Lab Guide 1

DO NOT REPRINT
© FORTINET
FortiManager Lab Guide

for FortiManager 5.4.2
Last Updated: 4 May 2017
We would like to acknowledge the following major contributors: Simon Cao and Claudio Capone
® ® ®
Fortinet , FortiGate , and FortiGuard are registered trademarks of Fortinet, Inc. in the U.S. and other
jurisdictions, and other Fortinet names herein may also be trademarks, registered or otherwise, of
Fortinet. All other product or company names may be trademarks of their respective owners. Copyright
© 2002 - 2017 Fortinet, Inc. All rights reserved. Contents and terms are subject to change by Fortinet
without prior notice. No part of this publication may be reproduced in any form or by any means or
used to make any derivative such as translation, transformation, or adaptation without permission from
Fortinet, Inc., as stipulated by the United States Copyright Act of 1976.
DO NOT REPRINT
© FORTINET
Table of Contents
VIRTUAL LAB BASICS ...................................................................................9
Network Topology ...................................................................................................................9
Lab Environment .....................................................................................................................9
System Checker ......................................................................................................................10
Logging In ...............................................................................................................................11
Disconnections/Timeouts ........................................................................................................15
Transferring Files to the VM....................................................................................................15
Screen Resolution ...................................................................................................................15
International Keyboards ..........................................................................................................16
Student Tools: View Broadcast and Raise Hand....................................................................16
Troubleshooting Tips ..............................................................................................................17
LAB 1—INITIAL CONFIGURATION .................................................................19
Objectives ...............................................................................................................................19
Time to Complete ....................................................................................................................19
Prerequisites ...........................................................................................................................19
1 Examining Initial Configuration ............................................................................................22
Examine Initial Configuration Through the CLI .......................................................................22
Examine Initial Configuration Through the GUI ......................................................................25
2 Enabling FortiAnalyzer Features on FortiManager..............................................................28
LAB 2—ADMINISTRATION AND MANAGEMENT ..............................................30
Objectives ...............................................................................................................................30
DO NOT REPRINT
© FORTINET
Time to Complete ....................................................................................................................30
1 Configure Administrative Domain (ADOMs) ........................................................................31
Enabling ADOMs.....................................................................................................................31
Viewing ADOM Information.....................................................................................................32
Configuring ADOM ..................................................................................................................33
2 Creating and Assigning Administrators ...............................................................................36
Testing Administrator Privileges .............................................................................................37
Restricting Administrator Access Using Trusted Host ............................................................38
Testing the Restricted Administrator Access ..........................................................................39
3 ADOM Locking (Workspace Mode) .....................................................................................41
ADOM Locking (Workspace Mode) ........................................................................................41
4 Backup and Restore ............................................................................................................43
Backing up FortiManager Configuration .................................................................................43
Restore FortiManager Configuration ......................................................................................44
5 Monitoring Alerts and Event Logs ........................................................................................46
Offline Mode ............................................................................................................................46
Viewing Alerts and Event Logs ...............................................................................................47
LAB 3—DEVICE REGISTRATION ...................................................................50
Objectives ...............................................................................................................................50
Time to Complete ....................................................................................................................50
1 Configuring System Templates ............................................................................................51
Configuring System Templates ...............................................................................................51
Disabling ADOM Locking (Workspace Mode) ........................................................................53
2 Registering a Device to FortiManager .................................................................................55
Reviewing Central Management Configuration on Local-FortiGate .......................................55
Enabling Real-Time Debug .....................................................................................................56

DO NOT REPRINT
© FORTINET
Adding Local-FortiGate Using the Add Device Wizard ...........................................................56
Viewing the Local-FortiGate Policy Package..........................................................................60
Importing System Template Settings From FortiGate ............................................................62
Adding Remote-FortiGate Using the Add Device Wizard.......................................................64
LAB 4—DEVICE LEVEL CONFIGURATION AND INSTALLATION ........................67
Objectives ...............................................................................................................................67
Time to Complete ....................................................................................................................67
1 Understanding Managed Device Status ..............................................................................68
2 Install System Template Changes to Managed Devices .....................................................73
Installing System Templates ...................................................................................................73
Checking Managed Device Status..........................................................................................75
Viewing Pushed Configuration on the FortiGate ....................................................................77
3 Auto Update and Revision History .......................................................................................79
Making Direct Changes on Local-FortiGate ...........................................................................79
Making Direct Changes on Remote-FortiGate .......................................................................80
Viewing Auto Update and Revision History ............................................................................80
Viewing the Install Log ............................................................................................................82
Viewing Auto Update, Revision History, and Install Log for Remote-FortiGate (Optional) ....83
Log View..................................................................................................................................83
Task Manager .........................................................................................................................84
4 Configuring Device Level Changes .....................................................................................87
Changing Managed FortiGate Interface Settings ...................................................................87
Filtering Devices Based on Their Statuses .............................................................................89
Configuring the Administrator Account ...................................................................................90
5 Installing Configuration Changes .........................................................................................93
Viewing the Install Preview .....................................................................................................93

DO NOT REPRINT
© FORTINET
Install Wizard...........................................................................................................................94
Revision Diff ............................................................................................................................96
6 Scripts ..................................................................................................................................100
Enabling the Script Feature ....................................................................................................100
Configuring Scripts ..................................................................................................................101
Running and Installing Scripts ................................................................................................102
LAB 5—POLICY & OBJECTS ........................................................................106
Objectives ...............................................................................................................................106
Time to Complete ....................................................................................................................106
1 Import Policy and ADOM Revisions.....................................................................................107
Import Policy ...........................................................................................................................107
Creating ADOM Revisions ......................................................................................................109
2 Workflow Mode ....................................................................................................................111
3 Creating and Assigning Header Policies in the Global ADOM ............................................121
4 Creating a Common Policy for Multiple Devices .................................................................126
Dynamic Mappings - Address Objects....................................................................................126
Dynamic Mappings - Interfaces and Zones ............................................................................128
Creating a Common Policy Package ......................................................................................132
Configuring an Installation Target and Install On ...................................................................136
LAB 6—VPN ..............................................................................................142
Objectives ...............................................................................................................................142
Time to Complete ....................................................................................................................142
1 Configuring IPsec VPN ........................................................................................................143
Configuring IPsec Phase I and Phase II .................................................................................143
Configuring Static Route .........................................................................................................146

DO NOT REPRINT
© FORTINET
Configuring IPsec Phase I and Phase II .................................................................................146
Configuring Static Route .........................................................................................................148
Installing device-level configuration changes .........................................................................149
Creating firewall policies for IPsec VPN .................................................................................151
Installing Training Policy Package ..........................................................................................153
Testing IPsec VPN ..................................................................................................................153
LAB 7—DIAGNOSTICS AND TROUBLESHOOTING ...........................................155
Objectives ...............................................................................................................................155
Time to Complete ....................................................................................................................155
Prerequisites ...........................................................................................................................155
1 Diagnose and Troubleshoot Install Issues...........................................................................159
Viewing the Installation Preview .............................................................................................159
Viewing the DNS Configuration ..............................................................................................161
Installing Device-Level Configuration Changes ......................................................................163
2 Troubleshoot Policy Import Issues.......................................................................................167
Viewing the Policy Package and Objects ...............................................................................167
Reviewing Policies and Objects Locally on the Remote-FortiGate ........................................168
Importing a Policy Package ....................................................................................................168
Check the Impact of Partial Policy Import (Optional) ..............................................................171
Fixing a Partial Policy Import Issue.........................................................................................173
LAB 8—ADVANCED CONFIGURATION ...........................................................177
Objectives ...............................................................................................................................177
Time to Complete ....................................................................................................................177
1 FortiGuard Management ......................................................................................................178
Diagnosing FortiGuard Issues ................................................................................................179

DO NOT REPRINT
© FORTINET
2 Upgrading FortiGate Firmware Using FortiManager ...........................................................181

DO NOT REPRINT
© FORTINET
Virtual Lab Basics

In this class, you will use a virtual lab for hands-on exercises. This section explains how to connect to
the lab and its virtual machines. It also shows the topology of the virtual machines in the lab.
Note: If your trainer asks you to use a different lab, such as devices physically located in
your classroom, please ignore this section. This applies only to the virtual lab accessed
through the Internet. If you do not know which lab to use, please ask your trainer.
Network Topology
Lab Environment
Fortinet's virtual lab for hands-on exercises is hosted on remote datacenters that allow each student to
have their own training lab environment or PoD - point of deliveries.

DO NOT REPRINT
© FORTINET
System Checker
Before starting any class, check if your computer can successfully connect to the remote datacenters.
The System Checker fully verifies if your network connection and your web browser are reliable to
connect to the virtual lab.
You do not have to be logged into the lab portal in order to perform the System Checker.
To run the System Checker

1. Click the URL for your location:
Region System Checker
AMER - North and South https://remotelabs.training.fortinet.com/training/syscheck/?location=NAM-

America West
EMEA - Europe, Middle https://remotelabs.training.fortinet.com/training/syscheck/?location=Europe

East and Africa
APAC - Asia and Pacific https://remotelabs.training.fortinet.com/training/syscheck/?location=APAC
If your computer successfully connects to the virtual lab, the Browser Check and Network
Connection Check each display a check mark icon. You can then proceed to log in.
If any of the tests fail:
 Browser Check: This affects your ability to access the virtual lab environment.
 Network Connection Check: This affects the usability of the virtual lab environment.
For solutions, click the Support Knowledge Base link or ask your trainer.

DO NOT REPRINT
© FORTINET
Logging In
Once you confirm your system can successfully run the labs through System Checker, you can
proceed to log in.
To log in to the remote lab

1. With the user name and password provided by your trainer, you can either:
 Log in from the Login access at the bottom of the System Checker's result.
 Log into the URL for the virtual lab provided by your trainer:
https://remotelabs.training.fortinet.com/

DO NOT REPRINT
© FORTINET
https://virtual.mclabs.com/
2. If prompted, select the time zone for your location, and then click Update.
This ensures that your class schedule is accurate.
3. Click Enter Lab.

DO NOT REPRINT
© FORTINET
Your system dashboard will appear, listing the virtual machines in accordance with your lab
topology.
4. From this page, open a connection to any virtual appliance by doing one of the following:
 Click the device’s square (thumbnail)
 Select Open from the System drop-down list associated to the VM you want to access.

DO NOT REPRINT
© FORTINET
Note: Follow the same procedure to access any of your virtual devices.
A new web browser tab opens, granting you access to the virtual device. When you open a VM,
your browser uses HTML5 to connect to it.
Depending on the virtual machine you select, the web browser provides access to either a text-
based CLI or the GUI.

DO NOT REPRINT
© FORTINET
Connections to the Local-Windows VM use a Remote Desktop-like GUI. The web-based connection
should automatically log in and then display the Windows desktop.
For most lab exercises, you will connect to this Local-Windows VM.
Disconnections/Timeouts
If your computer’s connection with the virtual machine times out, or if you are accidentally
disconnected, to regain access, return to the initial window/tab that contains your session’s list of VMs
and open the VM again.
If that does not succeed, see the Troubleshooting Tips section of this guide.
Transferring Files to the VM

If you store files in a cloud service such as Dropbox or SugarSync, you can use the web browser to
download them to your Local-Windows VM.
From there, if required, you can use a web browser to upload them to Fortinet VMs' GUI.
When connecting to a VM, your browser should then open a display in a new applet window.
Screen Resolution
Some Fortinet devices' user interfaces require a minimum screen size.
To configure screen resolution in the HTML 5 client, open the System menu.

DO NOT REPRINT
© FORTINET
International Keyboards
If characters in your language don’t display correctly, keyboard mappings may not be correct.
To solve this, open the Keyboard menu at the top of the tab of any GUI-based VM, and choose to
display an on-screen keyboard.
Student Tools: View Broadcast and Raise Hand

Your instructor is able to broadcast his lab systems in order to allow students to see any on-going task
in real-time. When an instructor begins a broadcast, you will receive an alert at the top of all open lab
pages.
To accept and view the broadcast, you may either click on the notification message or click View
Broadcast on the left side panel.
If you have any question or issue, use the Raise Hand tool, your instructor will be notified and will
assist you.

DO NOT REPRINT
© FORTINET
Troubleshooting Tips
 Do not connect to the virtual lab environment through Wi-Fi, 3G, VPN tunnels, or other low-
bandwidth or high-latency connections.
For best performance, use a stable broadband connection such as a LAN.
 Prepare your computer's settings by disabling screen savers and changing the power saving
scheme, so that your computer is always on, and does not go to sleep or hibernate.
 If disconnected unexpectedly from any of the virtual machines (or from the virtual lab portal),
please attempt to reconnect. If unable to reconnect, please notify the instructor.
 If you can't connect to a VM, on the VM's icon, you can force the VM to start up by clicking
System > Power Cycle. This fixes most problems. If that does not solve the problem, revert the
VM to its initial state by System > Revert to Initial State.
Note: Reverting to the VM's initial snapshot will undo all of your work. Try other solutions
first.

DO NOT REPRINT
© FORTINET
 If during the labs, particularly when reloading configuration files, you see a license message
similar to the below exhibit, the VM is waiting for a response to the authentication server.
To retry immediately, go to the console and enter the CLI command:
exec update-now

DO NOT REPRINT
© FORTINET
 LAB 1—Initial Configuration 1 Examining Initial Configuration
LAB 1—Initial Configuration

In this lab, you will examine the network settings of FortiManager from the CLI and GUI.
You will also enable the FortiAnalyzer feature set on FortiManager, which can be used for logging and
reporting.
Objectives
 Examine initial system settings, including network and time settings
 Enable FortiAnalyzer features on FortiManager
Time to Complete
Estimated: 20 minutes
Prerequisites
Before beginning this lab, you must update the firmware and initial configurations on the Local-
FortiGate and Remote-FortiGate.
This lab environment is also used for FortiGate 5.4.1 training and initializes in a different state than is
required for FortiManager 5.4.2 training.
To update the FortiGate firmware on both FortiGates

1. From the Local-Windows VM, open a browser and log in as admin (blank password) to the Local-
FortiGate GUI at 10.0.1.254.
2. Go to the Dashboard, and from the System Information widget click Update.

DO NOT REPRINT
© FORTINET
3. Click Upload Firmware.
4. Browse to Desktop > Resources > FortiManager > Introduction and select FGT_VM64-v5-
build1100-FORTINET.out.
5. Click Upgrade.
The system reboots.

6. Once rebooted, log in as admin and ensure the firmware version in the System Information
widget displays v5.4.2, build1100 (GA).
7. Open another browser tab and log in as admin (blank password) to the Remote-FortiGate GUI at
10.200.3.1.
8. Repeat the procedure to update the firmware for Remote-FortiGate.
To restore the FortiGate configuration file on both FortiGates

1. Return to the Local-FortiGate GUI at 10.0.1.254.
2. Go to the Dashboard, and from the System Information widget click Restore.

DO NOT REPRINT
© FORTINET
3. Select to restore from Local PC and click Upload.

4. Browse to Desktop > Resources > FortiManager > Introduction and select local-initial-
5.4.2.conf.
5. Click OK.
6. Click OK.
The system reboots.
7. Once rebooted (you must wait until Local-FortiGate reboots), return to the Remote-FortiGate GUI
at 10.200.3.1.
8. Repeat the same procedure to restore the system configuration for Remote-FortiGate, but select
remote-initial-5.4.2.conf from the Introduction folder.
9. Once rebooted, close the browser for both FortiGates.

DO NOT REPRINT
© FORTINET
1 Examining Initial Configuration

FortiManager is preconfigured with the initial network settings.
In this exercise, you will explore the FortiManager basic configuration settings from the GUI and CLI.
Examine Initial Configuration Through the CLI

You will start by accessing a FortiManager using the CLI to examine initial configuration.
To examine the initial configuration through the CLI

1. In Local-Windows, open PuTTY and connect to the FORTIMANAGER saved session (connect
over SSH).
2. At the login prompt, enter the username admin (all lower case).
3. Enter the following command to display basic status information about FortiManager:
CLI Command Data Result
# get system status What is the firmware version?

Knowing your FortiManager firmware
version is important, as it determines
what Fortinet products and their
firmware versions are supported.
What is the administrative domain

configuration?
By default, administrative domains
(ADOMs) are disabled.
What is the time zone?

It is important that the system time on
FortiManager and all registered
devices are synced for tunnel
negotiations and logging (if
FortiAnalyzer feature is used).
What is the license status?

To ensure FortiManager continues to
manage devices, a valid license is
required.

DO NOT REPRINT
© FORTINET
4. Enter the following command to display information about the FortiManager interface
configuration:
CLI Command Diagnostic Result
# show system interface What is the IP for port1?

Port 1 is the management port
and is the IP of FortiManager.
What administrative access

protocols are configured for
port1?
This will help troubleshoot any
access issues you may
experience. For example, this
PuTTY session would not be
able to connect without the
SSH protocol enabled.
What is configured for the

service access?
If devices are configured to use
FortiManager as the local FDS
server, service access allows
FortiManager to respond to
FortiGuard queries made by
devices.
What is the IP for port2?

According to the network
topology diagram, port2 is how
traffic is routed between
Remote-FortiGate and
FortiManager. Remote-
FortiGate, therefore, will
connect to FortiManager with
this port2 IP address.
What administrative access

protocols are configured for
port2?
5. Enter the following command to display DNS setting information:
# show system dns What are the primary and

secondary DNS settings?
By default, FortiManager uses
FortiGuard DNS servers.

DO NOT REPRINT
© FORTINET
6. Enter the following commands to display NTP setting information:
# get system ntp Is NTP enabled?

NTP is recommended on
FortiManager and all registered
devices for proper FortiGate-
FortiManager tunnel
establishment.
How often does FortiManager

synchronize its time with the NTP
server?
# show system ntp What server is configured for

NTP?
By default, Fortinet servers are
configured.
7. Enter the following command to display information about the FortiManager routing configuration:
# show system route What is the gateway route

associated with port2?
According to the network
topology diagram, this IP address
is the default route to the
Internet.
8. To test basic network connectivity, and to ensure the default route to the Internet is working, enter
the following command to ping IP 8.8.8.8 (public IP that is highly available):
execute ping 8.8.8.8

Packets should transmit successfully.
9. Close your PuTTY session.

DO NOT REPRINT
© FORTINET
Examine Initial Configuration Through the GUI

You will now log in to the FortiManager device using the GUI to examine initial configuration.
To examine the initial configuration through the GUI

1. From the Local-Windows VM, open a browser and log in as admin to the FortiManager GUI at
10.0.1.241.
Accept the self-signed certificate or security exemption, if a security alert appears.
Note: All the lab exercises were tested running Mozilla Firefox in Local-Windows VM and
Remote-Windows VM. To get consistent results, we recommend using Firefox in this
virtual environment.
2. Click System Settings.
The dashboard shows the FortiManager widgets that display information such as System
Information, License Information, System Resources, and more.
3. Examine the System Information and License Information widgets to display the information
shown below.
This displays the same information available from the CLI command get system status.
 Firmware version
 Administrative Domain status
 System time and time zone
 License status (VM)
4. From the System Information widget, edit the System Time to view the NTP information.

DO NOT REPRINT
© FORTINET
This displays the same information available from the CLI commands get system ntp and
show system ntp.
Note: You will be managing Local-FortiGate and Remote-FortiGate from FortiManager,

which are configured with the same time zone and NTP server.
5. From the left menu, click Network.

This page displays information about the port1 management interface, including the IP address,
administrative access protocols, service access, and DNS information. This displays the same
information available from the CLI commands show system interface and show system
dns.

DO NOT REPRINT
© FORTINET
Note: The fgtupdates, fclupdates in the CLI is equivalent to FortiGate Updates in

the GUI. The webfilter-antispam in the CLI is equivalent to Web Filtering in the GUI.
6. Click All Interfaces to view the configuration of all interfaces.

7. On the left menu, click Network, and from the main window, click Routing Table.
This page displays the network gateway and associated interface. This displays the same
information available from the CLI command show system route.

DO NOT REPRINT
© FORTINET
 LAB 1—Initial Configuration 2 Enabling FortiAnalyzer Features on FortiManager
2 Enabling FortiAnalyzer Features on

FortiManager
FortiManager can be used as a logging and reporting device by enabling FortiAnalyzer features on
FortiManager. Remember that FortiManager has logging rate restrictions compared to FortiAnalyzer.
In this exercise, you will enable FortiAnalyzer features on FortiManager, so that FortiManager can be
used for logging and reporting once the FortiGate devices are added.
To enable FortiAnalyzer features on FortiManager

10.0.1.241.
Notice the default panes available on FortiManager. It doesn’t have panes related to FortiAnalyzer
features.
3. Under the System Information widget, turn on FortiAnalyzer Features.
4. Click OK.
FortiManager will reboot to initialize the FortiAnalyzer features and apply the changes.
5. Wait for FortiManager to reboot and then log in as admin to the FortiManager GUI at
10.0.1.241.

DO NOT REPRINT
© FORTINET
 LAB 1—Initial Configuration 2 Enabling FortiAnalyzer Features on FortiManager
You will notice that after enabling FortiAnalyzer features, there are more panes related to logging
and reporting — FortiView, Log View, Event Management, and Reports.

DO NOT REPRINT
© FORTINET
 LAB 2—Administration and Management
LAB 2—Administration and Management

In this lab, you will configure administrative domains (ADOMs) and an administrator. You will also
restrict administrator access based on administrator profile, trusted hosts, and ADOMs.
Then, you will enable ADOM locking, which disables concurrent access to the same ADOM.
Additionally, the lab will guide you through how to properly backup and restore FortiManager
configuration, view alert messages in the Alert Message Console, and view event logs.
Objectives
 Enable ADOMs and configure a new ADOM
 Configure an administrator and restrict access to a newly created ADOM
 Enable ADOM locking
 Backup FortiManager, restore the backup and disable offline mode
 Read entries in the alert message console and view event logs
Time to Complete

DO NOT REPRINT
© FORTINET
 LAB 2—Administration and Management 1 Configure Administrative Domain (ADOMs)
1 Configure Administrative Domain (ADOMs)

ADOMs group devices for administrators to monitor and manage. The purpose of ADOMs is to divide
the administration of devices and control (restrict) access.
In this exercise, you will enable and configure ADOMs.
Enabling ADOMs
ADOMs are not enabled by default and can only be enabled by the admin administrator, or an
administrator with the Super_User access profile.
You will now enable ADOMs on FortiManager.
To enable ADOMs
10.0.1.241.
Notice there is no All ADOM tab below Dashboard, prior to enabling Administrative Domain.
3. Under the System Information widget, turn on Administrative Domain.
4. Click OK.
You will be logged out from FortiManager.

DO NOT REPRINT
© FORTINET
Viewing ADOM Information

Before creating new ADOMs, you should be aware of what ADOM types are available to you. You will
view ADOM information through both the GUI and the CLI.
To view ADOM information

1. Log back in as admin to the FortiManager GUI at 10.0.1.241.
2. Select the root ADOM.
4. From the left menu, click All ADOMs.
Note that this page is only available when ADOMs are enabled. This page lists all available
ADOMs and lists any devices added to those ADOMs.
5. Still working from the Local-Windows VM, open PuTTY and connect to the FORTIMANAGER
saved session (connect over SSH).
6. Log in as admin and execute the following command to view what ADOMs are currently enabled
on FortiManager and the type of device you can register to each ADOM:
Note: The CLI output formatting is easier to read if you maximize your PuTTY window. If
you've already executed the command, once the window is maximized, press the up arrow
to show the last command you entered and click Enter to re-run.
# diagnose dvm adom list

DO NOT REPRINT
© FORTINET
As you can see, there are 13 ADOMs that FortiManager supports, each associated with different
devices along with their supported firmware versions.
7. Close your PuTTY session.
Configuring ADOM
When ADOMs are enabled, by default, the FortiManager will create ADOMs based on supported
device types. The root ADOM is based on the FortiGate ADOM type.
When creating a new ADOM, you must match the device type. For example, if you want to create an
ADOM for a FortiGate, you must select FortiGate as the ADOM type. With FortiGate ADOMs
specifically, you must also select the firmware version of the FortiGate device. Different firmware
versions have different features, and therefore different CLI syntax. Your ADOM setting must match
the device’s firmware.
You will now create and configure a new ADOM.
To configure ADOMs
1. Still logged in the FortiManager GUI, click All ADOMs.
2. Click Create New.

3. Configure the following:
Field Value

DO NOT REPRINT
© FORTINET
Name My_ADOM
Type FortiGate and 5.4
You configuration should look like this:
4. Click Select Device.

If you had any devices registered to FortiManager, you could select your device and add it to the
ADOM at this time. However, in this lab, you have not yet registered any devices, so the list is
empty.
5. Leave other settings at their defaults and click OK.

You should observe a list of predefined ADOMs, including your new ADOM.
Tip: You can switch between ADOMs within the GUI. You do not have to log out and log
back in. To switch within the GUI, click ADOM in the top right of the GUI. Your

DO NOT REPRINT
© FORTINET
administrator privileges determine which ADOMs you have access.

DO NOT REPRINT
© FORTINET
 LAB 2—Administration and Management 2 Creating and Assigning Administrators
2 Creating and Assigning Administrators

In this lab, you will create an administrative user with restricted access permissions.
In an active deployment scenario, having more than one administrative user makes administering the
network easier, especially if users are delegated specific administrative roles, or confined to specific
areas within the network. In a multi-administrator environment, you also want to ensure every
administrator has only those permissions necessary to do their particular job.
To create and assign administrators

10.0.1.241.
2. Click root.
4. Click Admin > Administrators.

Field Value
User Name student
Admin Type LOCAL
New Password fortinet
Confirm Password fortinet
Admin Profile Standard_User
Administrative Domain Specify
Click to Select ADOMs… My_ADOM

DO NOT REPRINT
© FORTINET
Note: FortiManager comes preinstalled with four default profiles that you can assign to
other administrative users. Alternatively, you can create your own custom profile.
In this lab, we have assigned a preconfigured Standard_User profile to the newly
created student administrator. The Standard_User profile provides read and write
access for all devices privileges, but not to the system privileges.
7. Leave other settings at their defaults and click OK.

8. Click admin.
9. Click Log Out.
Testing Administrator Privileges

You will now log in to FortiManager with the newly created administrator (student) and test the
administrator privileges.
To test administrator privileges

1. Log in to the FortiManager GUI at 10.0.1.241 with username student and password
fortinet.
You will be limited to the My_ADOM administrative domain.
Also, there are no System Setting and FortiGuard tabs.

DO NOT REPRINT
© FORTINET
This shows how you can control or restrict administrator access based on administrative profiles
and ADOMs.
Restricting Administrator Access Using Trusted Host

You will now restrict access to FortiManager by configuring a trusted host for the administrator
accounts. Only administrators connecting from a trusted subnet will be able to access the
FortiManager.
To restrict administrator access

1. In the FortiManager GUI, log out of the student account's GUI session.
2. Log in as admin.
3. Click root.
5. Go to Admin > Administrators.
6. Edit the student account.

DO NOT REPRINT
© FORTINET
7. Turn ON Trusted Hosts.

8. Set Trusted IPv4 Host 1 to 10.0.1.0/24.
9. Click OK at the bottom to save the changes.
Testing the Restricted Administrator Access

In this procedure, you will confirm that administrators outside the subnet 10.0.1.0/24 cannot access
FortiManager.
To test the restricted administrator access

1. From the Remote-Windows VM, open a browser and go to https://10.200.1.241.
2. Try to log with username student and password fortinet to the FortiManager GUI.
What is the result?
Because you are trying to connect from the 10.0.2.10 IP address, your login authentication
will fail. This is because you restricted logins to only the source IP addresses in the list of
trusted hosts.

DO NOT REPRINT
© FORTINET
Note: The IP address specified in the URL here is not the same as the one used
previously, because now the FortiManager is being accessed from a device that is in a
different part of the network (see Network Topology). As such, we are now connecting to
the port2 interface of the FortiManager device.
3. Go back to the Local-Windows.

4. You should still be logged in as admin to the FortiManager GUI and edit the student account.
5. Toggle Trusted Host to OFF.
6. Click OK.
This allows the administrative user to log in from any IP and subnet.
7. Next, switch back to Remote-Windows and attempt to log in to the FortiManager GUI again with
username student and password fortinet.
This time, you should gain access because we just turned off the requirement to log in from a
trusted host.
8. Logout from FortiManager.

DO NOT REPRINT
© FORTINET
 LAB 2—Administration and Management 3 ADOM Locking (Workspace Mode)
3 ADOM Locking (Workspace Mode)

By default, multiple administrators can log in to the same ADOM at the same time which allows
concurrent access. This can cause conflicts, however, if two or more administrators try to make
changes in the same ADOM at same time.
You will be enabling ADOM locking which allows:
 Disabling concurrent ADOM access
 ADOM locking
 Single administrator with read/write access to the ADOM
 All other administrators have read-only access to that ADOM
ADOM Locking (Workspace Mode)

ADOM locking is configured from the FortiManager CLI only.
Before enabling ADOM locking, ensure all FortiManager administrators are notified and asked to save
their work on FortiManager because enabling ADOM locking will terminate all management sessions.
You will now be enabling ADOM locking from the FortiManager CLI.
To enable ADOM locking (Workspace Mode)

1. In the Local-Windows, open PuTTY and connect to the FORTIMANAGER saved session (connect
over SSH).
3. Enter the following commands:
config system global
set workspace-mode normal
end
4. From the Local-Windows VM, open a browser and login to the FortiManager GUI at 10.0.1.241
with username student and password fortinet.
5. Click Lock on the top.
You will notice the lock status changed from unlocked to a green locked state.
6. From the Remote-Windows VM, open a browser and go to https://10.200.1.241.
7. Log in as admin to the FortiManager GUI.
You will notice the lock status is red for My_ADOM.
Hover your mouse over the red lock icon. It will tell you the name of the admin who locked this
ADOM, along with the date and time.
8. Click on My_ADOM.

DO NOT REPRINT
© FORTINET
 LAB 2—Administration and Management 3 ADOM Locking (Workspace Mode)
9. Click Log Out.
10. Go back to the Local-Windows and log out as student from FortiManager.
Note: If an administrator has locked one or more ADOMs and then logged out of
FortiManager, all those ADOMs will be unlocked.
In this example, when student administrator locked My_ADOM and then logged out,
FortiManager unlocked My_ADOM.
Caution: Always log out gracefully from FortiManager, when ADOM locking is enabled.
If a session is not closed gracefully (due to a PC crash or closed browser window),
FortiManager will not close the admin session until it times out or the session is deleted.
Until this time, the ADOM will remain in a locked state.
If this situation arises and you cannot wait for the admin session to time out, then delete
the session manually through the GUI or the CLI.
From the GUI, click the System Information widget, and then click Current
Administrators > Admin Session List.
From CLI:

DO NOT REPRINT
© FORTINET
 LAB 2—Administration and Management 4 Backup and Restore
4 Backup and Restore

In this exercise, you will back up the FortiManager configuration.
In an active deployment scenario, it is a best practice to back up the device configuration prior to
making any configuration changes. If the new configuration does not perform as expected, you can
revert to the last sane configuration. Likewise, during these labs, it is beneficial to have a backup of
the initial configuration, should you need to roll back for any reason.
Note: FortiManager configuration files are not stored in plain text like FortiGate configuration files. It is
stored as .dat file. It can be uncompressed and viewed offline with archive tools such as WinRar & tar.
Backing up FortiManager Configuration

You will now back up the FortiManager configuration from the GUI.
To back up FortiManager
10.0.1.241.
2. Select root.
5. Go to System Information widget > System Configuration, and then click the backup icon.
6. Deselect Encryption.
7. Click OK.
8. Select Save.
9. Click OK.

DO NOT REPRINT
© FORTINET
10. Note the location of the backup file and rename this file to: lab2.dat.
11. While still on the FortiManager GUI, go to Admin > Administrator.
12. Right click student and click Delete.
13. Click OK.
Restore FortiManager Configuration

There are a few options when restoring a FortiManager configuration:
 Overwrite current IP, routing, and HA settings: By default, this option is enabled. If
FortiManager has an existing configuration, restoring a backup will overwrite everything, including
the current IP, routing, and HA settings. If you disable this option, FortiManager will still restore the
configurations related to device information and global database information, but will preserve the
basic HA and network settings.
 Restore in Offline Mode: By default, this is enabled and grayed out – you cannot disable it. While
restoring, FortiManager temporarily disables the communication channel between FortiManager
and all managed devices. This is a safety measure in case any of the devices are being managed
by another FortiManager. To re-enable the communication, disable Offline Mode.
To restore FortiManager configuration

1. Still logged in the FortiManager GUI, click Dashboard.
2. Go to System Information widget > System Configuration, and then click the restore icon.

DO NOT REPRINT
© FORTINET
3. Click Browse.
4. Select your backup file lab2.dat.
There is no password to enter because the file was not encrypted.
5. Leave Overwrite current IP, routing and HA settings enabled.
6. Click OK.
It will reboot FortiManager.
7. Wait for FortiManager to reboot, and then log in as admin to the FortiManager GUI at
10.0.1.241.
8. Select root.
11. Go to Admin > Administrator.
The student administrator account will show there.
12. Log out from FortiManager.

DO NOT REPRINT
© FORTINET
 LAB 2—Administration and Management 5 Monitoring Alerts and Event Logs
5 Monitoring Alerts and Event Logs

In this exercise, you will view the alerts from the alert console widget and view the event logs. You will
also configure filter options to locate specific logs.
First, you will disable offline mode, which is enabled by default when FortiManager backup is restored.
Offline Mode
You will disable offline mode on FortiManager.
To disable offline mode

10.0.1.241.
2. Select root.
On the top bar you should observe that FortiManager is in Offline Mode.

5. Go to Advanced > Advanced Settings.
6. Select Disable for Offline Mode.
7. Click Apply.

DO NOT REPRINT
© FORTINET
You will notice that the Offline Mode message disappears. At this point, FortiManager can
establish a management connection with the managed devices.
Viewing Alerts and Event Logs

You will now view the alerts on the Alert Message Console and logs under Event Logs.
To view alerts and event logs

1. Still logged in the FortiManager GUI, click Dashboard.
2. Go to the Alert Message Console widget.

You should observe that Offline mode is disabled and see Restore all settings messages,
along with other alert messages.
3. Click Event Log on the left-hand menu.

DO NOT REPRINT
© FORTINET
4. Click Add Filter.

5. Click Sub Type.
6. Click System manager event.
7. Click Go.
Now you will have the filtered system manager events only.
8. You can download and/or view them in raw format.

DO NOT REPRINT
© FORTINET
9. Log out of FortiManager.

DO NOT REPRINT
© FORTINET
 LAB 3—Device Registration
LAB 3—Device Registration

In this lab, you will explore the common operations performed using the device manager. You will use
the Device Manager pane to add FortiGate devices.
Objectives
 Create and apply system templates to your managed devices
 Review central management settings on the FortiGate device
 Add a device using the add device wizard
Time to Complete

DO NOT REPRINT
© FORTINET
 LAB 3—Device Registration 1 Configuring System Templates
1 Configuring System Templates

The system templates on FortiManager can be configured in advance, which can be used to provision
common system-level settings to FortiGate devices when adding them into FortiManager, or to the
already managed FortiGate devices.
Configuring System Templates

You will be configuring and applying system templates to the FortiGate device, when adding it to
FortiManager.
To configure system templates

1. From the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241
2. Click Device Manager.
3. Click Provisioning Templates.
You will notice that you have read only access.
This is because when ADOM locking is enabled; you must lock the ADOM prior to making
configuration changes.
4. Click Lock on the top to lock My_ADOM.
5. Under System Templates, click default.

DO NOT REPRINT
© FORTINET
6. Go to the Log Settings widget and enable Send Logs to FortiAnalyzer/FortiManager.

Field Value
Specify IP Address Select and type 10.200.1.241

(Note: This is the port2 IP address of
FortiManager. Refer to the network
topology for details.)
Upload Options Realtime
Encrypt Log Transmission Turn ON this option
Your configuration should look like this:
8. Click Apply.
9. Close all other widgets by clicking X and then the checkmark symbol.

DO NOT REPRINT
© FORTINET
10. Click Save.
Note: When ADOM locking is enabled, you must save the changes, in order for them to be
copied to the FortiManager database.
11. Click Unlock on the top to unlock My_ADOM.
Disabling ADOM Locking (Workspace Mode)

You will now disable ADOM locking because, in this practical lab, every student has dedicated
ADOMs to work on.

DO NOT REPRINT
© FORTINET
Prior to disabling workspace mode, inform all the administrators logged into FortiManager to save their
work.
To disable ADOM locking (workspace mode)

over SSH).
3. Enter the following commands.
set workspace-mode disabled
end
It will log out administrators from FortiManager, to save the changes.

DO NOT REPRINT
© FORTINET
 LAB 3—Device Registration 2 Registering a Device to FortiManager
2 Registering a Device to FortiManager

There are multiple ways to add FortiGate devices to FortiManager. These include:
 Use the Add Device wizard
 Send a request from FortiGate to FortiManager, and then accept the request from FortiManager
 Add multiple devices from the device manager
You will add the FortiGate devices using the Add Device wizard.
Note: The FMG-Access on the both FortiGate devices is enabled on the interface facing
FortiManager. It is the communication protocol used between FortiManager and the managed
FortiGate devices.
Reviewing Central Management Configuration on

Local-FortiGate
Before adding FortiGate to FortiManager, you will review the central management configuration on
Local-FortiGate.
To review central management configuration on Local-FortiGate

1. In the Local-Windows, open PuTTY and connect to the LOCAL-FORTIGATE saved session
(connect over SSH).
3. Enter the following command:
get system central-management

You should observe the following output:
Note: The serial-number is the FortiManager serial number, which is non-configurable

from the FortiGate device. This setting is set by FortiManager, which is managing this
device. In this case, it is empty because we have not yet added the device to
FortiManager.
4. Close the PuTTY session.

DO NOT REPRINT
© FORTINET
Enabling Real-Time Debug

You will now enable real-time debug on FortiManager to view the real-time status when adding
FortiGate to FortiManager.
To enable real-time debug

over SSH).
diagnose debug reset
diagnose debug disable
diagnose debug application depmanager 0
diagnose debug enable
It is recommended to place this putty session and the FortiManager GUI side-by-side, so that you
can view the real-time debugs while adding FortiGate from the FortiManager GUI.
Note the output is very verbose and you might have to scroll up or down to review the information.
Alternatively, you can save the log file on your desktop and open it using a text editor, such as
Notepad++.
Adding Local-FortiGate Using the Add Device

Wizard
Now, you will add Local-FortiGate to FortiManager in My_ADOM using the Add Device wizard, and
you will apply the System Template created earlier.
To add the Local-FortiGate using the Add Device wizard

1. From the Local-Windows VM, open a browser and log into the FortiManager GUI at 10.0.1.241
3. Click Add Device.

DO NOT REPRINT
© FORTINET
4. In the Add Device wizard, make sure the Discover radio button is selected and configure the
following:
Field Value
IP Address 10.200.1.1
(This is the port1 IP address of FortiGate)
Username admin
5. Leave other settings at their default values, and click Next.

6. Review the discovered device information and compare it with the output from the FortiManager
PuTTy session.
7. You should observe the following:
8. Hit the up arrow on your keyboard and select these commands to disable the debug.
Alternatively, you can enter these commands manually.

DO NOT REPRINT
© FORTINET
diagnose debug disable
diagnose debug reset

10. Go back to FortiManager GUI and click Next.
11. Ensure the Name is set to Local-FortiGate.
12. Select default from the drop down for System Template.
13. Click Next.

14. Click Import Now.
15. Click Next.

DO NOT REPRINT
© FORTINET
16. In the policy package import page, complete the following:

A. Make sure the policy package name is configured as Local-FortiGate.
B. Accept the policy and object import defaults.
C. Click Next.
17. On the conflict page, click View Conflict.
This will show you the details of configuration difference between FortiGate and FortiManager.
18. Leave the default setting of FortiGate in the Use Value From column.
19. Click Next.

Note the objects identified. These should be identified as duplicates, new, or updating exiting
FortiManager.
20. Click Next.
21. Click Download Import Report.
22. Open the import report in text editor such as Notepad ++.
Note: The download import report is only available on this page. As a best practice, it is
recommended that you download the report and review the important information, such as
which device is imported into which ADOM, as well as the name of the policy package
created along with objects imported.
FortiManager imports new objects, and updates existing objects based on the option
chosen on the conflict page. The duplicate objects are skipped as FortiManager does not
import duplicate entries into the ADOM database.

DO NOT REPRINT
© FORTINET
23. Close the text editor.

24. Click Finish.
The Local-FortiGate device should be now listed in Device Manager.
25. In Local-Windows, open PuTTY and connect to the LOCAL-FORTIGATE saved session (connect
over SSH).
get system central-management

You should observe the following output:
Note: The serial-number is the serial number of FortiManager, which is non-configurable from
FortiGate. This has been set by FortiManager, which is managing this device. Also, the
FortiManager IP address is set.
28. Close PuTTY session.
Viewing the Local-FortiGate Policy Package

As you have imported policy and dependent objects for Local-FortiGate, you will be viewing the
policy package created for Local-FortiGate.

DO NOT REPRINT
© FORTINET
To view the Local-FortiGate policy package

1. Still in the FortiManager GUI, click Device Manager and select Policy & Objects.
2. You will notice that a policy package named Local-FortiGate was created when you imported
firewall policies from your Local-FortiGate.
3. Click Object Configurations at the top.
4. Click Interface.

DO NOT REPRINT
© FORTINET
5. Click on the expand arrow for any interface to view the ADOM Interface mapping to device-level
mappings, which got created when the device was added. These interfaces are used in policy
packages to map firewall policies to interfaces on the firewall.
Importing System Template Settings From FortiGate

As Local-FortiGate is now added to FortiManager, you will import NTP server settings from Local-
FortiGate. These server settings can be used by multiple FortiGate devices using this system
template.
To import System Template settings from FortiGate

1. Still in the FortiManager GUI, click Policy & Objects and select Device Manager.
2. Click Provisioning Templates.

DO NOT REPRINT
© FORTINET
3. Click default.
4. Click Toggle Widgets and click NTP Server.
5. Click the import icon.

DO NOT REPRINT
© FORTINET
6. In the Import NTP Server window, select Local-FortiGate.
7. Click OK.
Adding Remote-FortiGate Using the Add Device

Wizard
You will now add Remote-FortiGate to FortiManager in My_ADOM using the Add Device Wizard.
You will apply the System Template to Remote-FortiGate.
Also, you will import the policies and objects for Remote-FortiGate later in the training.
To add Remote-FortiGate using the Add Device wizard

1. Still logged in FortiManager GUI, click Device & Groups.

DO NOT REPRINT
© FORTINET
2. Click Add Device.
3. In the Add Device wizard, make sure the Discover radio button is selected, and configure the
following:
Field Value
(This is the port4 IP address of FortiGate)
Username admin
4. Leave other settings at default and click Next.

5. Click Next.
6. Select default from the System Template drop-down menu.
7. Click Next.
8. Click Import Later.

DO NOT REPRINT
© FORTINET
The Remote-FortiGate device should be now listed in Device Manager.
Stop and Think

Why is the FortiGate Policy Package Status showing Never Installed?
Discussion
When Import Later is chosen in the Add Device wizard, or an unregistered device is
added into FortiManager, the policy package status will show Never Installed because
there is still no policy package created for the newly added FortiGate.
You will run the Import Policy wizard later in training.
If you add an unregistered device, then you need to run the Import Policy wizard to
import the device’s firewall policy into a new policy package.

DO NOT REPRINT
© FORTINET
 LAB 4—Device Level Configuration and Installation
LAB 4—Device Level Configuration and

Installation
In this lab, you will explore the common operations performed using the device manager, such as
configuring device-level changes, checking managed device statuses, installing configuration
changes, and keeping the managed device in sync with the device database on FortiManager.
Objectives
 Understand managed device statuses on FortiManager
 Use the status information in the Configuration and Installation Status widget
 Make and install configuration changes from Device Manager
 Make configuration changes locally on FortiGate and verify that they are retrieved automatically by
FortiManager
 Identify entries in the Revision History and the management action that created the new revision
 Install a large number of managed device changes using scripts
Time to Complete

DO NOT REPRINT
© FORTINET
 LAB 4—Device Level Configuration and Installation 1 Understanding Managed Device Status
1 Understanding Managed Device Status

In this exercise, you will check and learn about the status of FortiGate devices on FortiManager.
Depending upon the configuration changes, a FortiGate device can have a different Sync Status and
Device Settings Status.
 The Sync Status indicates whether the FortiGate configuration matches the latest
revision history or not.
 The Device Settings Status indicates whether the FortiGate configuration stored at
device level database matches with latest running revision history or not.
To check managed device status

Stop and Think

Why does Config Status for the FortiGate devices show the status Modified?
Discussion
In the last exercise, you applied System Templates to both FortiGate devices. The
configuration running on the FortiManager device-level database is different from the latest
revision history. This changes the Config Status to Modified. The provisioning templates
changes need to be installed to the FortiGate devices to return the devices to the
synchronized state.
3. Click on the Local-FortiGate on the left-hand menu.

DO NOT REPRINT
© FORTINET
4. Under the Configuration and Installation Status widget, check Device Settings Status; it
should appear as Modified.
Stop and Think

If the Device Settings Status is Modified, why is the FortiGate Sync Status still showing
as Synchronized?

DO NOT REPRINT
© FORTINET
Discussion
The Device Setting Status is the status between the device-level database configuration
and the latest revision history. Applying System Templates changes the device level
database configuration, so it goes to the Modified state.
The Sync Status is the status between the latest revision history and the actual FortiGate
configuration. As the latest revision history is same as the FortiGate configuration, the
Sync Status is in Synchronized state.
over SSH).
7. Enter the following command to display the device statuses through the CLI.
diagnose dvm device list
The output will show the serial number of the device, the connecting IP address of the device, the

DO NOT REPRINT
© FORTINET
firmware version, the name of the device on FortiManager, and the ADOM in which the device is
added.
Note: You will see FortiAnalyzer as an unregistered device because FortiAnalyzer is configured to
query FortiManager for the threat intelligence database (a feature on the FortiAnalyzer). This is
configured for the FortiAnalyzer labs, which use the same lab environment.
8. Examine the STATUS row of the diagnose dvm device list output for Local-FortiGate and
Remote-FortiGate.
Data What that means? Actions to take
db: Device-level configuration changes made from The FortiManager

Modified FortiManager. administrator can install
configuration changes to
the managed device to
return it to the unmodified
state.
conf: in Latest revision history is in sync with the

sync FortiGate configuration.
cond: Configuration changes need to be installed. The FortiManager

pending administrator can install
configuration changes to
the managed device to
return it to the unmodified
state.

DO NOT REPRINT
© FORTINET
conn: up The FGFM tunnel between FortiManager and

FortiGate is up

DO NOT REPRINT
© FORTINET
 LAB 4—Device Level Configuration and Installation 2 Install System Template Changes to
Managed Devices
2 Install System Template Changes to

Managed Devices
In the previous lab, you have added FortiGate devices into the FortiManager and applied System
Templates.
In this exercise, you will install System Templates changes to both FortiGate devices and then view
those changes locally login to each FortiGate.
Installing System Templates

You will now install the default system template changes to Local-FortiGate and Remote-FortiGate
using the Install Wizard.
To install System Template

3. Click Install > Install Wizard.
4. In the Install Wizard, make sure Install Device Settings (only) is selected and click Next.

DO NOT REPRINT
© FORTINET
Managed Devices
5. On the Device Settings page, ensure both FortiGate devices are selected.
6. Click Next.
7. Click Preview for the Local-FortiGate.
This will show you the changes that will be installed (applied) to the FortiGate device.
8. Click Cancel on the Install Preview page.
Optionally, you can also select Preview for Remote-FortiGate.
9. Make sure both FortiGate devices are selected.
10. Click Install.

11. Once the installation is successful, click the View Log icon.

DO NOT REPRINT
© FORTINET
Managed Devices
This is the install log that shows what exactly is installed on the managed device.
Here is an example provided for Local-FortiGate.
12. Click Close.

13. Click Finish.
Checking Managed Device Status

You will check the managed device status after the install.
To check managed device status

1. Still in the FortiManager GUI, check the Config Status.
It should now appear as Synchronized.
2. Click Local-FortiGate from the left-hand menu.

DO NOT REPRINT
© FORTINET
Managed Devices
3. Under Configuration and Installation Status, you should observe that Device Settings Status
is in the Unmodified state.
This means that FortiGate's device-level database configuration is the same as the latest revision
history.
over SSH).
6. Enter the following command to display device statuses through the CLI.
diagnose dvm device list

You should observe the following in the output for Local-FortiGate and Remote-FortiGate.
The db status is not modified which means that FortiGate's device level database
configuration matches with the latest running revision history. The dm: installed field
means that the install was performed from FortiManager.
7. Enter the following command to display the FGFM tunnel statuses.

DO NOT REPRINT
© FORTINET
Managed Devices
diagnose fgfm session-list
This command can be used to view the connecting IP of managed devices, the link-level address
assigned by FortiManager, and the uptime of the FGFM tunnel between FortiGate and
FortiManager.
Viewing Pushed Configuration on the FortiGate

From FortiManager, you have installed the System Templates configuration on both FortiGate
devices.
You will now log in to the Local-FortiGate and Remote-FortiGate GUIs to view the configuration
installed from FortiManager.
To view a pushed configuration from the Local-FortiGate GUI

1. In Local-Windows, open a new browser tab and log in as admin to the Local-FortiGate GUI at
10.0.1.254.
2. Click Login Read-Only.
Note: When you connect locally to a device managed by FortiManager, you will be
presented with a warning message because the device is centrally managed. Only when it
is absolutely necessary should you use the read-write option locally on FortiGate. An
example might be that a FortiManager administrator is unavailable to make configuration
changes and install to manage FortiGate devices.
3. Go to Log & Report > Log Settings.

You will notice the Remote Logging and Archiving settings are the same as the default system
template entries.
4. Logout from FortiGate.
To view a pushed configuration through the Remote-FortiGate GUI

1. In Local-Windows, open a new browser tab and log in as admin to the Remote-FortiGate GUI
at 10.200.3.1.

DO NOT REPRINT
© FORTINET
Managed Devices

You will notice that the Remote Logging and Archiving settings are the same as the default
system template entries.
4. Log out of FortiGate.

DO NOT REPRINT
© FORTINET
 LAB 4—Device Level Configuration and Installation 3 Auto Update and Revision History
3 Auto Update and Revision History

By default, configuration changes made directly on FortiGate are automatically updated (retrieved) by
FortiManager, which is reflected in the Revision History. If required, the automatic update behavior
can be disabled from the FortiManager CLI under config system admin settings. This allows
the FortiManager administrator to accept or refuse the configuration changes.
In this lab, you will make configuration changes directly on the FortiGate devices, and verify that the
configuration changes are retrieved automatically by FortiManager.
You will also review the configuration revision histories of FortiGate devices, created by auto update
and by other actions.
Making Direct Changes on Local-FortiGate

You will now make direct changes on Local-FortiGate.
To make direct changes on Local-FortiGate

1. In Local-Windows, open a new browser tab and log in as admin to the Local-FortiGate GUI at
10.0.1.254.
2. Click Login Read-Write.
Note: When you connect locally to a device managed by FortiManager, you will be
presented with a warning message because the device is centrally managed. Only when it
is absolutely necessary should you use the read-write option locally on FortiGate. An
example might be that a FortiManager administrator is unavailable to make configuration
changes and install to manage FortiGate devices.
3. Click Yes.
5. Under Local Log settings, disable Enable Local Reports.
6. Click Apply.
7. Logout of the FortiGate.

DO NOT REPRINT
© FORTINET
Making Direct Changes on Remote-FortiGate

You will now make direct changes on Remote-FortiGate. You will repeat the same steps for Remote-
FortiGate as you did it for Local-FortiGate.
To make direct changes on the Remote-FortiGate

1. In Local-Windows, open a new browser tab and log in as admin to the Remote-FortiGate GUI at
10.200.3.1.
3. Click Yes.
5. Under Local Log settings, disable Enable Local Reports.
6. Click Apply.
Viewing Auto Update and Revision History

As you make the configuration changes locally on both the FortiGate devices, you will now view the
auto update status on FortiManager, and view the configuration revision histories created by
FortiManager.
To view auto update

3. You will notice that Config Status is now in the Auto-Update state for both FortiGate devices.
This confirms that the changes made locally were backed up to FortiManager.
To view Revision History

1. Click Local-FortiGate.

DO NOT REPRINT
© FORTINET
2. In the Configuration and Installation Status widget, click the Revision History icon.
You should observe three configurations, though you may have more if you have made further
changes:
 Your first Installation status should display as Retrieved, indicating that this configuration
was taken from the device’s running configuration, when it was added to FortiManager.
 Your second Installation status should display as Installed, indicating that these changes
were made by FortiManager to the managed device.
 Your third Installation status should display as Auto Updated, indicating that these
changes were made locally on FortiGate and got automatically updated in FortiManager.

DO NOT REPRINT
© FORTINET
Viewing the Install Log

When the installation is done from FortiManager, the install log will show the name of the administrator
who made this change along with the commands sent by FortiManager. If an installation fails, the
install log is useful because it shows what commands were sent to, and accepted by, the managed
device as well as the commands that were not accepted.
To view the install log

1. Still on the Configuration Revision History page, select ID 2 and then click View Install Log.
You should see the CLI commands sent by FortiManager (which are identical to the installation
previewed earlier) and the FortiGate response.

DO NOT REPRINT
© FORTINET
2. Click Close.
Viewing Auto Update, Revision History, and Install

Log for Remote-FortiGate (Optional)
Optionally, you can also view changes made to Remote-FortiGate by following the steps from Viewing
Auto Update and Revision History.
To view auto update, revision history, and the install log for Remote-FortiGate
(Optional)
1. Still logged in to the FortiManager GUI, click Remote-FortiGate and follow the steps from Viewing
Auto Update and Revision History.
For Remote-FortiGate, you will see the NTP settings pushed by FortiManager based on the
imported NTP settings in the default system template from Local-FortiGate.
Log View
As FortiAnalyzer features are enabled on FortiManager, and both FortiGate devices are configured
to send logs to FortiManager, you will be viewing the logs for the managed devices under the Log
View pane.

DO NOT REPRINT
© FORTINET
To view logs for Local-FortiGate

1. Still logged into the FortiManager GUI, click Device Manager and select Log View.
You should see the traffic logs generated by the FortiGate device.
Task Manager
Task Manager provides the status of the task you have performed and can be used for
troubleshooting various types of issues such as adding, importing, and/or installing changes from
FortiManager.
You will now check the entries in Task Manager.
To check Task Manager entries

1. Log out from the FortiManager GUI and log back into the FortiManager GUI as admin.
2. Click root.
4. Click Task Monitor on the left-hand menu.

DO NOT REPRINT
© FORTINET
This shows the tasks performed by all the users.
5. Click on the dropdown menu for the Install Device entry and click on the View Installation
Log icon for Local-FortiGate or Remote-FortiGate.

DO NOT REPRINT
© FORTINET
This will show the installation log corresponds to the installation that you performed earlier.
6. Click Close.

DO NOT REPRINT
© FORTINET
 LAB 4—Device Level Configuration and Installation 4 Configuring Device Level Changes
4 Configuring Device Level Changes

The device-level settings of the managed FortiGate can be viewed and configured from the Device
Manager pane. Most of these settings have a one-to-one correlation with the device configuration that
you would see if you logged in locally, on each FortiGate’s GUI or CLI.
You will now make configuration changes for the managed FortiGate from the Device Manager pane.
Changing Managed FortiGate Interface Settings

If you try to change the managed FortiGate interface used for communicating with FortiManager, it will
warn you that this may break the communication between FortiManager and FortiGate. If there is a
communication disruption between FortiManager and FortiGate during an install, FortiManager will
attempt to recover the connection, but this will revert the installation changes.
You will now change the Remote-FortiGate port4 interface Administrative Access setting that is
used by Remote-FortiGate to communicate with the FortiManager.
To change managed FortiGate interface settings

3. Click Remote-FortiGate.
4. Click System : Dashboard and then click Interface.

DO NOT REPRINT
© FORTINET
5. Right click port4 and click Edit.

6. Under Administrative Access, uncheck TELNET.
7. Click OK.
When you edit the interface with the IP address that is used by FortiManager to reach the
managed device(s), FortiManager provides this warning message:
8. Click OK.
9. Click Managed FortiGates.
Stop and Think

Why is Config Status showing the Modified (recent auto-updated) state for Remote-
FortiGate?
Discussion
The Modified status means that the device-level database change has been made to
Remote-FortiGate. You changed the interface configuration.
The status recent auto-updated in parenthesis means that the previous configuration

DO NOT REPRINT
© FORTINET
changes were locally made on FortiGate and were auto updated on FortiManager. You
made changes to logging settings locally in the previous lab.
Filtering Devices Based on Their Statuses

FortiManager allows you to filter devices based on their current status. This is very helpful when you
are managing a large number of devices in the same ADOM. Based on the status, FortiManager
administrator can take appropriate action.
You can filter device statuses based on:
 Connection
 Device Config (Device database status)
 Policy Package (ADOM database status)
You will now filter devices based on their device config and policy package status.
To filter devices based on their status

1. Still logged in to the FortiManager GUI, click on Managed FortiGates.
2. Click the drop-down arrow on Devices (Device Config Modified) and click Modified.
It will show only Remote-FortiGate in the Managed FortiGates list.

3. Click the drop-down arrow on Devices (Policy Package Modified) and click Imported.

DO NOT REPRINT
© FORTINET
This time it will show only Local-FortiGate in the Managed FortiGates list.
Configuring the Administrator Account

You will now create a new administrator account for Local-FortiGate on FortiManager.
To configure the administrator account

1. Still in the FortiManager GUI, click on Local-FortiGate.
2. Click Display Options.
3. Click Customize
4. In the System category, click Administrators.

DO NOT REPRINT
© FORTINET
5. Click OK.
6. Click System : Dashboard and then click Administrators.
Field Value
Administrator training
Type Regular
Password fortinet
Confirm Password fortinet

DO NOT REPRINT
© FORTINET
Admin Profile prof_admin
9. Leave all other settings at their default values and click OK.
You will notice that Config Status has changed to Modified for Local-FortiGate.
This is because you made a device-level configuration change for Local-FortiGate by configuring
the administrator account.

DO NOT REPRINT
© FORTINET
 LAB 4—Device Level Configuration and Installation 5 Installing Configuration Changes
5 Installing Configuration Changes

Now, you have made configuration changes to the managed device(s) from FortiManager.
 For Remote-FortiGate, you have changed administrative access on port4
 For Local-FortiGate, you have configured a new administrator
You will now install these changes to the managed device using the Install wizard, and view the
installation history. You will also compare the differences in the revision history configurations using
the Revision Diff feature.
Viewing the Install Preview

You will first preview the install changes from the Configuration and Installation Status widget.
To view install Preview

3. Click Remote-FortiGate.
4. Under the Configuration and Installation Status widget, click Preview.

DO NOT REPRINT
© FORTINET
This shows the device-level configuration changes that will be installed on the managed device
when FortiManager performs the device-level install.
Note: The install Preview under the Configuration and Installation Status widget only
shows the preview for the device-level changes, not the changes related to policies and
objects.
5. Click OK.
Optionally, you can follow this same procedure to view the install Preview for Local-FortiGate.
Install Wizard
You will install these changes to the managed devices using the Install wizard.
To install configuration changes to FortiGates using the Install Wizard

1. Still logged into the FortiManager GUI, click Install Wizard.
2. Select Install Device Settings (only).
3. Click Next.
4. On the Device Settings page, ensure both FortiGate devices are selected.

DO NOT REPRINT
© FORTINET
5. Click Next.
6. Click Preview for Local-FortiGate.
This will show you the changes that will be installed (applied) to the FortiGate device.
7. Click Cancel on the Install Preview page.
Optionally, you can also check the Preview for Remote-FortiGate.
8. Make sure both FortiGate devices are selected.
9. Click Install.
10. Once the install is successful, click the View Log icon.

DO NOT REPRINT
© FORTINET
This is the install log which shows what exactly is installed on the managed device.
11. Click Close on the Install Log page.
12. Click Finish.
The Config Status should now be in the Synchronized state.
Revision Diff
After every retrieve, auto update, and install operation, FortiManager stores the FortiGate’s
configuration checksum output with the revision history. This is how the out-of-sync condition is
calculated.
The Revision Diff is a useful feature that can be used to compare the differences between previous
revisions, a specific revision, or the factory default configuration. In terms of the output, you can
choose to show full configuration with differences, only differences, or you can capture the differences
to a script.
You will now compare the differences between the latest revision and the previous revision.
To view Revision Diff

1. Still logged into the FortiManager GUI, click Local-FortiGate.

DO NOT REPRINT
© FORTINET
2. Under the Configuration and Installation Status widget, click the Revision History icon.
3. Click ID 4 and click Revision Diff.
4. Select Show Diff Only.

DO NOT REPRINT
© FORTINET
5. Click Apply.
It shows the difference in configuration between the previous version and the current running version.
Remember, you configured the administrator account for Local-FortiGate.
6. Click Close.
7. Click ID 4 again and click Revision Diff.
8. Select Capture Diff to a Script.
9. Click Apply.
10. Select Save File.
11. Click OK.
Note the folder where is it downloaded.

DO NOT REPRINT
© FORTINET
12. Click Close.
13. Click Close.

14. Click the download icon on Firefox.
15. Right-click on the file name and click Open Containing Folder.
16. Open the file using Notepad++.
This will show you the exact CLI syntax of the changes. This script can be used to configure other
FortiGate devices if they require the same settings using script feature on FortiManager.
17. Close the Notepad++.
Caution: This is to demonstrate capturing diff in the form of scripts. Make sure the script
captured is valid for other FortiGate devices, before using them for other FortiGate
devices. If required, you can edit the script before applying it to other FortiGate devices.
For example, if you have configured a static route along with the administrator setting, the
static route settings might be not valid for other FortiGate devices.

DO NOT REPRINT
© FORTINET
 LAB 4—Device Level Configuration and Installation 6 Scripts
6 Scripts
A script can make many changes to a managed device and is useful for bulk configuration changes
and consistency across multiple managed devices. You can configure and install scripts from
FortiManager to managed devices.
Scripts can be run on:
 Device Database (default)
 Policy Package, ADOM Database
 Remote FortiGate Directly (via CLI)
An install must be performed if a script is run on a device database or Policy Package, ADOM
database.
In this exercise, you will make many configuration changes by using the script feature and installing
them on the managed devices.
Enabling the Script Feature

Scripts are disabled by default, and can be enabled from Display Options in Admin Setting and
configured from Device Manager.
To enable the Script feature

10.0.1.241.
2. Select root.
3. Select System Settings.
4. Go to Admin > Admin Settings.
5. Click the dropdown menu for Display Options on GUI and enable Show Scripts.
6. Click Apply.

DO NOT REPRINT
© FORTINET
Configuring Scripts
You will now configure scripts for the managed devices.
To configure scripts
3. Click Scripts.
4. Click More and click Import.
5. In the Script Name field enter Local.

6. Click Browse.
7. Browse to Desktop > Resources > FortiManager > Device-Config and select Local-
Script.
8. Click the dropdown menu for Advanced Filters.
9. Click Device and select Local-FortiGate from the dropdown menu.

DO NOT REPRINT
© FORTINET
10. Click OK.

11. Click More and click Import.
12. In the Script Name field enter Remote.

13. Click Browse.
14. Browse to Desktop > Resources > FortiManager > Device-Config and select Remote-Script.
15. Click on the dropdown menu for Advanced Filters.
16. Click Device and select Remote-FortiGate from the dropdown menu.
17. Click OK.
Running and Installing Scripts

As the scripts are targeting the device database, you will first run the scripts against the device
database and then install these scripts on the managed devices.
To run scripts
1. Still logged in to the FortiManager GUI, right-click the Local and click Run Script Now.

DO NOT REPRINT
© FORTINET
2. Select Local-FortiGate and click Run Now at the bottom.

3. Click View Details and then click the View Script Execution History icon.
Scroll to the bottom of the script execution window to check that the script ran successfully on the
device database.
Note: If needed, you can also view the script execution history later from the
Configuration and Installation Status widget or from the Task Monitor.

DO NOT REPRINT
© FORTINET
4. Click Close.
5. Click Close.
6. Right-click on Remote and click Run Script Now.
7. Select Remote-FortiGate and click Run Now at the bottom of the page.
8. Click Close.
To install scripts
1. Still logged in to the FortiManager GUI, click Device & Groups.
Stop and Think

Why is the Config Status showing Modified for both FortiGate devices?
Why is the Policy Package Status for Local-FortiGate showing Out of Sync, but the
Policy Package Status for Remote-FortiGate remains unchanged as Never Installed?
Discussion
The scripts contain configuration changes related to device-level settings and policies.
The Config Status is Modified for both FortiGate devices because of device-level
changes.
As the Local-FortiGate policy package was imported when you added FortiGate,
FortiManager detects policy-level changes and marks the Local-FortiGate Policy Package
Status as Out of Sync.
For Remote-FortiGate, the policy package was never imported; hence FortiManager
cannot compare the differences in the policies.
2. Select Local-FortiGate and Remote-FortiGate and click Install, and then click Install Config.
3. Click OK.

DO NOT REPRINT
© FORTINET
The installation will be successful on both FortiGate devices.
Note: The Install Config option does not provide an option for install preview and install
log. It should be used only if you are absolutely sure about the changes you are trying to
install.
If needed, you can view the installation history later from the Configuration and
Installation Status widget or from the Task Monitor.
4. Click Finish.

DO NOT REPRINT
© FORTINET
 LAB 5—Policy & Objects
LAB 5—Policy & Objects

In this lab, you will explore the common operations of the Policy & Objects pane in order to centrally
manage FortiGate firewall policies, and to manage shared and dynamic objects.
Objectives
 Import firewall polices and objects from a managed device and review the imported policy
packages
 Create ADOM revisions
 Use workflow mode to configure and send changes for approval
 Find duplicate objects and merge them, and delete used objects
 Create and assign header policies to policy packages in an ADOM
 Create a policy package shared across multiple devices
 Create shared objects and dynamic objects with mapping rules
 Identify the different policy and object interface mapping types and configure zones mappings
 Install a policy package and device settings from the Policy & Objects pane
Time to Complete

DO NOT REPRINT
© FORTINET
 LAB 5—Policy & Objects 1 Import Policy and ADOM Revisions
1 Import Policy and ADOM Revisions

In the previous lab, you installed scripts that contain device-level and policy configuration changes.
Because the scripts were run on a device database that created the revision history containing these
changes, the policy packages are not automatically updated and need to be imported manually.
In this exercise, you will import the policies using the Import Policy wizard in order to reflect and
update the policy packages.
Additionally you will create an ADOM revision, which is a snapshot of all the policy and objects
configurations for an ADOM.
Import Policy
You will now import policies and objects for both managed FortiGate devices.
To import policies
3. Right-click the Local-FortiGate and click Import Policy.
4. Click Next.
5. Rename Policy Package Name to Local-FortiGate-1.
6. Select Import All Objects.
7. Click Next.

DO NOT REPRINT
© FORTINET
8. Click Next on the conflict page.

Review the objects to be imported.
9. Click Next.
10. Click Download Import Report.
11. Select Open with and click OK to review the download import report.
12. Review the download import report and close the notepad.
13. Click Finish.
Note: Download Import Report is available only on this page; make

sure to download the import report before clicking finish.
14. Right-click the Remote-FortiGate and click Import Policy.

15. Click Next until you reach the Finish page.
16. Click Finish.
17. Click Device Manager and click Policy & Objects.
18. Compare the policies in the Local-FortiGate and Local-FortiGate-1 policy packages by clicking
IPv4 Policy on each policy package.
Policy package: Local-FortiGate
Policy package: Local-FortiGate-1

DO NOT REPRINT
© FORTINET
Creating ADOM Revisions

An ADOM revision creates a snapshot of the policy and objects configuration for the ADOM. Now that
we have imported policies and objects from both FortiGate devices, we will be creating ADOM
revisions which are stored locally on the FortiManager and are useful for comparing the differences
between two revisions, or reverting to a previous revision.
To create an ADOM Revision

1. Still logged into the FortiManager GUI, click ADOM Revisions.
2. Click Create New and name the revision: Initial revision.

3. Enable Lock this revision from auto-deletion.
4. Click OK.
You will notice the lock icon, name of the administrator who created it, and the date and time.

DO NOT REPRINT
© FORTINET
5. Click Close.

DO NOT REPRINT
© FORTINET
 LAB 5—Policy & Objects 2 Workflow Mode
2 Workflow Mode
Workflow mode is used to control the creation, configuration, and installation of policies and objects. It
helps to ensure that all changes are reviewed and approved before they are applied.
Workflow mode is similar to ADOM locking (workspace mode), but it also allows the administrators to
submit their configuration changes for approval. The configuration changes are not committed to the
FortiManager database until the approval administrator approves those configuration changes. Once
approved, then only these configuration changes can be installed on the managed device.
In this exercise, you will enable workflow mode and then make configuration changes related to
policies and objects. You will send it for approval and once approved you will install these changes.
To enable workflow mode and configure approval permissions

1. On the Local-Windows VM, open PuTTY and connect to the FORTIMANAGER saved session
(connect over SSH).
3. Enter the following command to enable workspace mode:
set workspace-mode workflow
end
Note: Before enabling workflow mode, ensure all FortiManager administrators are notified
to save their changes and work on the FortiManager.
This is because enabling workflow mode will terminate all management sessions.
4. Enter the following commands to configure approval permissions.

You are now configuring admin administrator as approver for the My_ADOM.
config system workflow approval-matrix
edit My_ADOM
config approver
edit 1
set member admin
next
end
end

DO NOT REPRINT
© FORTINET
To configure policy and objects and send them for approval

2. Click Lock at the top to lock the ADOM.
3. Click Policy & Objects.

4. Click Sessions > Session List.

6. In the Session Name field, type Training.
7. Click OK.
8. Click Object Configurations on the top.
9. Click Tools > Find Duplicate Objects.
10. Click Firewall Address.

You will notice that LAN and LOCAL_SUBNET have the same configuration. It will also show
you other objects that have the same values.

DO NOT REPRINT
© FORTINET
11. Click Merge for the LAN and LOCAL_SUBNET firewall address.
12. In the Merge all to drop-down list, select LOCAL_SUBNET.
13. Click Merge.

14. Click Close.
Note: By merging the duplicate objects, you can reduce the object database, which
sometimes can overwhelm the FortiManager administrator with a large number of objects

DO NOT REPRINT
© FORTINET
from different FortiGate devices in the same ADOM. You can also delete the unused
objects in the same Tools menu, if they will be not used in the future.
15. Click Firewall Objects > Addresses.

16. Right-click the LINUX address object and click Delete.
17. Click OK.

18. Click Where Used icon.
This will show you where the object is referenced.
It is referenced in the Local-FortiGate-1 policy package in the firewall policy 1 as destination

address.
19. Click Close.
20. Click Delete Anyway.
Caution: FortiManager allows you to delete a used object. Be careful before deleting used
object as it will be replaced by the none address 0.0.0.0/255.255.255.225.
This means any traffic meeting that specific firewall policy will be blocked if there is no
catch all or shadowed policy below it. In this case, the destination address of firewall
policy 1 in the Local-FortiGate-1 policy package is replaced by none after the LINUX
address object is deleted.

DO NOT REPRINT
© FORTINET
You will test this later in this exercise.
21. Click Save.
22. Click Sessions and click Submit.
23. Click OK.

The ADOM will unlock itself after submitting the changes.
Note: Your changes are still not saved in the FortiManager database because they must
be approved by the approval administrator.
To approve the changes

1. Log out of FortiManager and log back in as admin.
2. Click My_ADOM.
3. Click Lock.
5. Click Sessions > Session List.

DO NOT REPRINT
© FORTINET
Note: The session list will show you the name of the request made, user, date, and
approval status.
The approver administrator can approve, reject, discard, or view the differences between
two revisions. The approver administrator can also create a session that can be sent to
different approval administrator, or can self-approve based on the workflow approval
matrix.
6. Select ID 1 and click Approve.
7. Click OK.
8. Click Continue Without Session.
9. Click Unlock.

DO NOT REPRINT
© FORTINET
Note: If an administrator has locked ADOMs and logs out of FortiManager, the lock
releases and unlocks all locked ADOMs locked by that administrator.
Caution: Always log out of FortiManager gracefully, when ADOM locking (workspace or
workflow) is enabled.
If a session is not closed gracefully (PC crash or closed browser window), FortiManager
will not close the administrator session until the administrator session timeout or the
session is deleted. The locked ADOM will remain in locked state.
The session will have to be deleted manually through the GUI or the CLI.
In the GUI: System Settings > System Information widget > Current Administrators >
Admin Session List.
In the CLI:
To install configuration changes after approval

2. Click Lock at the top.
4. Click Local-FortiGate-1 > IPv4 Policy.
You will notice LINUX is replaced by none.
5. On the Local-Windows VM, open a command prompt in Windows and run a continuous ping to
the LINUX address object.
ping 10.200.1.254 -t

DO NOT REPRINT
© FORTINET
You will notice the request timed out because the firewall policy has the destination as LINUX and
the action as DENY locally on the Local-FortiGate.
Screenshot from the Local-FortiGate.
6. Return to the FortiManager GUI and click Install > Install Wizard.
7. Make sure the following are selected:

 Install Policy Package and Device Settings
 Policy Package : Local-FortiGate-1
8. Click Next.
9. Click Next.
10. Click Preview.
11. Press Ctrl+F and search for the following:
 config firewall policy
 LINUX
You will notice FortiManager is replacing the destination address of firewall policy 1 with none and
deleting the LINUX address object.
FortiManager will also delete any other unused objects. This is normal because when you install a
policy package for the first time FortiManager will delete all unused objects.

DO NOT REPRINT
© FORTINET
12. Click Cancel in the Install Preview pop-up window.

13. Click Install.
14. After the install is successful, click View Log to view the installation history.
15. Click Close.

16. Click Finish.
17. Go back to the command prompt where you initiated the ping to LINUX.
You will get replies because there was catch all policy below the BLOCK_LINUX policy. As after
installation, LINUX is replaced by none, and the traffic starts processing by the seq#2 firewall
policy.
18. Close the command prompt.
To disable workflow mode

(connect over SSH).
3. Enter the following commands.
set workspace-mode disabled

DO NOT REPRINT
© FORTINET
end
All administrators will be logged out of the FortiManager GUI to save the changes. So prior to
disabling workspace-mode inform all the administrators logged into FortiManager to save their
work.

DO NOT REPRINT
© FORTINET
 LAB 5—Policy & Objects 3 Creating and Assigning Header Policies in the Global ADOM
3 Creating and Assigning Header Policies in

the Global ADOM
Header and footer policies are used to envelop the policies in each individual ADOM. The header and
footer policies can be created once on the Global ADOM and assigned to multiple policy packages in
the different ADOMs.
In this exercise, you will create the header policy in the global ADOM and assign the header policy to
the managed devices in My_ADOM. Then you will install the header policy to the managed devices.
To create a header policy

1. On the Local-Windows VM, open a browser and log in as admin to the FortiManager GUI at
10.0.1.241.
2. Select Global Database.
3. Click IPv4 Header Policy.

Field Value
Name Global_Policy
Incoming Interface any
Outgoing Interface any
Source Address gall
Destination Address gall
Service gPING
Schedule galways
Action Deny

DO NOT REPRINT
© FORTINET
6. Click OK.
To assign a header policy

1. Click Assignment.
2. Click Add ADOM.
3. Choose the following:
Field Value
ADOMs My_ADOM
Specify ADOM to policy package to Check the box and select the following:
exclude:
default
Local-FortiGate

DO NOT REPRINT
© FORTINET
4. Click OK.
5. Click Assign.
The header policy is assigned to the Local-FortiGate-1 and Remote-FortiGate policy packages.
To install a header policy

1. Still logged into the FortiManager GUI, click ADOM: Global Database.
2. Click My_ADOM.
3. Click Local-FortiGate-1 > IPv4 Header Policy to view the assigned header policy.
Optionally, you can perform the previous step to view the header policy in the Remote-FortiGate
policy package.
4. Click Local-FortiGate-1 policy package.
5. Click Install > Re-install Policy.

DO NOT REPRINT
© FORTINET
6. Click Preview.
The configuration changes that will be installed on FortiGate will display. In this case, the header
policy and related objects will be installed.
7. Click Cancel in the Install Preview pop-up window.

8. Click Next.
9. Click Finish.
10. Click the Remote-FortiGate policy package.

DO NOT REPRINT
© FORTINET
12. Click Next.

13. Click Finish.
14. Log in to the Local-FortiGate (https://10.0.1.254) and Remote-FortiGate (https://10.200.3.1) with
the username of admin.
16. Go to Policy & Objects > IPv4 Policy.
You should observe the header policy at the top.
17. Log out of both FortiGate devices.

18. On the Local-Windows VM, open a command prompt and try to ping an external host (example
4.2.2.2). You should observe that the ping fails, because the header policy was configured to
block the ping.
19. Close the command prompt.

DO NOT REPRINT
© FORTINET
 LAB 5—Policy & Objects 4 Creating a Common Policy for Multiple Devices
4 Creating a Common Policy for Multiple

Devices
You will create a single policy package that can be shared by multiple devices, as opposed to having a
policy package per device which is the current configuration. You will use the installation target setting
in a firewall policy to target specific policies to specific FortiGate devices.
Dynamic Mappings - Address Objects

First, you will configure dynamic mapping for objects that are used to map a single logical object to a
unique definition per device.
To create dynamic mappings for address objects

1. On the Local-Windows VM, open a browser and log into the FortiManager GUI at 10.0.1.241
3. Click Object Configuration.
4. Click Firewall Objects > Addresses.

5. Click Create New > Address.
Field Value
Address Name Internal
Type IP/Netmask
IP/Netmask 10.0.0.0/8
7. For the Per-Device Mapping, configure the following:

 Turn on Per-Device Mapping.
 Click Add.

DO NOT REPRINT
© FORTINET
 Select Local-FortiGate for the Mapped Device.

 Type 10.0.1.0/24 for IP/NetMask.
 Click OK.
 Click Add again.

DO NOT REPRINT
© FORTINET
 Select Remote-FortiGate for the Mapped Device.

 Type 10.0.2.0/24 for IP/NetMask.
 Click OK.
8. Click OK.
Dynamic Mappings - Interfaces and Zones

You will be now creating dynamic mappings for interfaces and zones.
To create dynamic mappings for interfaces and zones

1. Still in the FortiManager GUI, click Zone/Interfaces > Interface.

DO NOT REPRINT
© FORTINET
2. Click Create New > Dynamic Interface.

3. In the Name field type Inside.
4. Turn ON the Per-Device Mapping switch and click Add.

 Select port3 for the Device Interface.
 Click OK.
Note: You will get the following warning message “The new mapping will delete the old
mapping, are you sure you want to continue”. This is because interfaces were dynamically
mapped when the devices were added to the FortiManager. Now, FortiManager will delete

DO NOT REPRINT
© FORTINET
the old mapping and add these interfaces to map to this newly created interface.
 Click OK in the warning pop-up window.

 Select port6 for the Device Interface.
 Click OK.
 Click OK on the warning message.
6. Click OK.
7. Still in the FortiManager GUI, click Create New > Zone.
8. In the Name field type Outside.

9. Turn ON the Per-Device Mapping switch and click Add.
 Select port1, port2 for the Device Interface.
 Enable Block intra-zone traffic.
 Click OK.

DO NOT REPRINT
© FORTINET
 Click OK in the warning pop-up window.

 Select port4, port5 for the Device Interface.
 Enable Block intra-zone traffic.
 Click OK.
 Click OK in the warning message.

11. Click OK.

You have now created a dynamic interface and zone.

DO NOT REPRINT
© FORTINET
Creating a Common Policy Package

FortiManager can be used to target a common policy package to multiple devices.
So far you have created the dynamic mapping for objects and interfaces, now you will be creating a
common policy package to target the Local-FortiGate and Remote-FortiGate.
To create a common policy package

1. Still in the FortiManager GUI, click Policy Package.
2. Click Policy Package > New Package.

DO NOT REPRINT
© FORTINET
3. Name the new policy package as Training and click OK.

4. Click Training > IPv4 Header Policy.
You will notice that it automatically got assigned global Header Policy. This is because in the
previous exercise we assigned My_ADOM for the global policy assignment and, by default, when
a new policy package is created it assigns the global policies to the new package.
5. Log out and log in again with the admin user in FortiManager.
6. Click Global Database.
7. Click Assignment.
8. Select My_ADOM and click Edit ADOM.
9. Add Training to the policy package exclude list.

DO NOT REPRINT
© FORTINET
10. Click OK.

11. Click Assign.
12. Log out of the FortiManager GUI, and log in again with username student and password
fortinet.
14. Click Training.
You will notice that the Training policy package no longer has a header policy.
15. Click IPv4 Policy and click Create New.

DO NOT REPRINT
© FORTINET
Field Value
Name For_Local
Incoming Interface Inside
Outgoing Interface Outside
Source Address Internal
Source User student
Destination Address all
Service HTTP, HTTPS, ALL_ICMP
Schedule always
Action Accept
NAT Enable the checkbox
Security Profiles Enable

Use Standard Security Profiles
AntiVirus Profile default
17. Click OK.

18. Click Create New to create a second policy and configure the following:
Field Value
Name For_All

DO NOT REPRINT
© FORTINET
Outgoing Interface Outside
Service SSH, DNS
Schedule always
Action Accept
NAT Enable the checkbox
19. Click OK.

Configuring an Installation Target and Install On

A policy package can be targeted to multiple devices. When you configure an installation target, by
default, all policies in the policy package are targeted to all selected FortiGate devices. You can further
restrict the policies in the policy package to be targeted to specific FortiGate devices by using the
Install On feature, which targets specific policies in the policy package to specific selected FortiGate
devices in the Install On column.
To configure an installation target and install on

1. Still logged in to the FortiManager GUI, click Installation Targets for the Training policy package.
2. Click Add.

DO NOT REPRINT
© FORTINET
3. Select Local-FortiGate, Remote-FortiGate and click OK.

The Policy Package Status column shows the name of the currently active policy packages for
these FortiGate devices.
4. Click IPv4 Policy for the Training policy package.

5. Click Column Settings and click Install On.
Once added, you can drag the Install On column to where you want it positioned in the column
list.
6. For the For_Local policy, click Installation Targets.
7. Select Local-FortiGate.
8. Click OK.

DO NOT REPRINT
© FORTINET
Your policies should look similar to as below.
To install a policy package

1. Click Install > Install Wizard.
2. Make sure the following are selected:

 Install Policy package & Device Settings
 Policy Package : Training
3. Enable Create Revision and name the revision Common Package.

DO NOT REPRINT
© FORTINET
4. Click Next.
5. Make sure both FortiGate devices are selected and click Next.
6. Select both FortiGate devices.
If you hover your cursor over the Status column of the FortiGate devices, it will show you the
name of the previous policy package.
Optionally, you can preview the changes before the installation attempt.
7. Make sure both FortiGate devices are selected and click Install.
8. Once the installation is successful, you can click on View Log to see the installation history for
each FortiGate.

DO NOT REPRINT
© FORTINET
9. Click Close in the Install Log window.

10. Click Finish.
To view configuration changes locally on FortiGate

1. Log into the Local-FortiGate (https://10.0.1.254) with the username of admin.
You should observe the following:
 There are two firewall policies based on the Training policy package
 The Inside interface is translated to port3 locally on FortiGate and Outside zone is
created locally on FortiGate as per the dynamic mapping of interfaces and zones.
4. Click Addresses.
The Internal is translated to 10.0.1.0/24 as per the dynamic mapping of address objects.
5. Click Network > Interfaces.
An Outside zone is created with interfaces port1, port2 as per interfaces and zones dynamic
mappings.
7. Try to log into Remote-FortiGate (https://10.200.3.1).
Why you are getting an authentication page?
This is because of the identity policy on the Local-FortiGate. You will need to authenticate all
outgoing http and https traffic on the Local-FortiGate device.
8. When prompted for firewall authentication, enter the username student and the password
fortinet.
9. Once authenticated, log in into the Remote-FortiGate using admin as the username and no
password.

DO NOT REPRINT
© FORTINET
10. Click Login read-only.

12. You should observe the following:
 There is only one firewall policy based on the Training policy package Install On targets.
 The Inside interface is translated to port6 locally on the FortiGate and Outside zone is
created locally on the FortiGate as per the dynamic mapping of interfaces and zones.
Optionally, you can check the interface and zone under Network, and Internal address object
under Addresses.
To review ADOM revisions

1. Return to the FortiManager GUI and under Policy & Objects, click ADOM revisions.
2. Right-click Common Package and click Lock.

3. Right-click Initial revision and click Delete.
4. Click OK.
5. Click Close.
You can use this revision to revert changes made to your policy packages and objects in your
ADOM. Remember this does not revert Device Manager level settings.

DO NOT REPRINT
© FORTINET
 LAB 6—VPN
LAB 6—VPN
In this lab, you will configure a site-to-site IPsec VPN between Local-FortiGate and Remote-FortiGate
using Device Manager.
Objectives
 Create an IPsec VPN using Device Manager.
Time to Complete

DO NOT REPRINT
© FORTINET
 LAB 6—VPN 1 Configuring IPsec VPN
1 Configuring IPsec VPN

In this exercise, you will configure a site-to-site IPsec VPN between the managed FortiGate devices.
Configuring IPsec Phase I and Phase II

Now, you will configure IPsec phase I and phase II for Local-FortiGate.
To configure IPsec Phase I and Phase II for Local-FortiGate

1. On the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241
3. Click Tools > Global Display Options.
4. Select the following check boxes:

 IPsec Phase 1
 IPsec Phase 2
 IPsec VPN
5. Click OK.

DO NOT REPRINT
© FORTINET
7. Click Display Options.
8. Select Inherit From ADOM.
9. Click OK.
10. Click VPN > IPsec Phase 1.

12. Configure the following values:
Field Value
Name To_Remote
Remote Gateway Static IP Address

DO NOT REPRINT
© FORTINET
Local Interface port1
Mode Main
Authentication Method Pre-shared Key
Pre-shared Key fortinet

(Tip: delete all dots before typing pre-
shared key
Peer Options Any peer id
13. Click Advanced …(XATUH, NAT-traversal, DPD).

Field Value
P1 Proposal
 Encryption AES128
 Authentication SHA256
(Delete all other entries)
Diffie-Hellman Groups 5
Dead Peer Detection On Idle
15. Leave all other settings at their default values, and then, at the bottom of the page, click OK.

Field Value
Tunnel Name To_Rem_P2
Phase 1 To_Remote

DO NOT REPRINT
© FORTINET
Configuring Static Route

Now, you will now configure the static route for IPsec VPN.
To configure Static Route on Local-FortiGate

1. In the FortiManager GUI, click Router > Static Route.
2. Click Create New > Static Route.

Field Value
Destination Subnet
10.0.2.0/24
Device To_Remote
Configuring IPsec Phase I and Phase II

Now, you will configure IPsec phase I and phase II for Remote-FortiGate.
To configure IPsec Phase I and Phase II for Remote-FortiGate

1. In the FortiManager GUI, click Remote-FortiGate.

DO NOT REPRINT
© FORTINET

Field Value
Name To_Local
Remote Gateway Static IP Address
Local Interface port4
Mode Main
Authentication Method Pre-shared Key
Pre-shared Key fortinet

(Tip: delete all dots before typing pre-
shared key
Peer Options Any peer id
5. Click Advanced …(XATUH, NAT-traversal, DPD).

DO NOT REPRINT
© FORTINET
Field Value
P1 Proposal
 Encryption AES128
 Authentication SHA256
(Delete all other entries)
Diffie-Hellman Groups 5
Dead Peer Detection On Idle

Field Value
Tunnel Name To_Local_P2
Phase 1 To_Local
Configuring Static Route

Now, you will configure the static route for IPsec VPN.
To configure Static Route on Remote-FortiGate

1. In the FortiManager GUI, click Router > Static Route.
2. Click Create New > Static Route.
Field Value
Destination Subnet

DO NOT REPRINT
© FORTINET
10.0.1.0/24
Device To_Local
Installing device-level configuration changes

Now, you have configured IPsec phase 1, phase 2, and static routes on both FortiGate devices.
Now, you will install these device-level configuration changes on both FortiGate devices.
To install device level configuration changes

1. In the FortiManager GUI, click Install Wizard.
2. Select Install Device Settings (only), and then click Next.

3. Make sure both devices are selected, and then click Next.
4. Make sure both devices are selected in Preview window, and then click Install.
5. Optionally, after the installation is successful, you can view Install Log.
6. Click Finish.
Creating Dynamic Interface Mapping

Now, you will create dynamic interface mapping for virtual IPsec VPN interfaces, so that you can
create IPsec firewall policies.

DO NOT REPRINT
© FORTINET
To create dynamic interface mapping

1. In the FortiManager GUI, click Device Manager > Policy & Objects.
2. Click Object Configuration.

3. Click Zone/Interface > Interface.
4. Click Create New > Dynamic Interface.
5. In the Name field, type VPN.

6. Turn on the Per-Device Mapping switch, and then click Add.
 In the Mapped Device drop-down list, select Local-FortiGate.
 In the Device Interface drop-down list, select To_Remote.
 Click OK.
 Click Add.
 In the Mapped Device drop-down list, select Remote-FortiGate.

DO NOT REPRINT
© FORTINET
 In the Device Interface drop-down list, select To_Local.

 Click OK.
Your configuration should look like the following example:
8. Click OK.
Creating firewall policies for IPsec VPN

Now, you will create IPsec VPN firewall policies.
To create firewall policies for IPsec VPN

1. In the FortiManager GUI, click Policy Packages.
2. For the Training policy package, click IPv4 Policy.
3. Click Create New to create a new firewall policy.


DO NOT REPRINT
© FORTINET
Field Value
Name To_IPsec
Outgoing Interface VPN
Service ALL
Schedule always
Action Accept
5. Leave all other settings at their default values, and then click OK.
6. Click Create New to create a second new firewall policy.
Field Value
Name From_IPsec
Incoming Interface VPN
Outgoing Interface Inside
Source Address all
Destination Address Internal
Service ALL
Schedule always
Action Accept
8. Leave all other settings at their default values, and then click OK.

DO NOT REPRINT
© FORTINET
Installing Training Policy Package

You have configured IPsec firewall policies in the Training policy package.
Now, you will install the Training policy package on the managed FortiGate devices.
To install the Training policy package

1. In the FortiManager GUI, for the Training policy package, click IPv4 Policy.
3. Click Next.
4. After the installation is successful, click Finish.
Testing IPsec VPN

Now, you will test the IPsec VPN by pinging the remote subnet IP address from Local-Windows.
To test IPsec VPN

1. On the Local-Windows VM, open a command prompt and ping the remote host 10.0.2.10.
ping 10.0.2.10
2. In the FortiManager GUI, click Policy & Objects > Device Manager.

DO NOT REPRINT
© FORTINET
4. Click Query > IPsec VPN.
You will see the IPsec tunnel is up between the FortiGate devices.

DO NOT REPRINT
© FORTINET
 LAB 7—Diagnostics and Troubleshooting
LAB 7—Diagnostics and Troubleshooting

In this lab, you will perform diagnostics and troubleshooting when installing device-level settings and
importing firewall policies.
Objectives
 Diagnose and troubleshoot issues when installing System Templates
 Diagnose and troubleshoot issues when importing policy packages
Time to Complete
Prerequisites
Before beginning this lab, you must restore the configuration files to the Local-FortiGate, Remote-
FortiGate, and FortiManager.
To restore the FortiGate configuration file on both FortiGate devices

1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254
with the username admin.
3. Click Yes.
4. Go to Dashboard, and then, in the System Information widget, click Restore.
5. Select the option to restore from Local PC, and then click Upload.

DO NOT REPRINT
© FORTINET
6. Browse to Desktop > Resources > FortiManager > Troubleshooting and select Local-
diag.conf.
7. Click OK.
8. Click OK.
The system reboots.
9. After the reboot finishes (you must wait until Local-FortiGate reboots), open a new browser and
log in as admin to the Remote-FortiGate GUI at 10.200.3.1.
10. Repeat the same procedure to restore the system configuration for the Remote-FortiGate but, in
the Troubleshooting folder, select Remote-diag.conf.
11. After the reboot finishes, close both browser tabs.
To restore the FortiManager configuration

1. On the Local-Windows VM, open a browser and log in as admin to the FortiManager GUI at
10.0.1.241.
2. Select root.
3. Select System Settings.
4. In the System Information widget, in the System Configuration field, click the Restore icon.

DO NOT REPRINT
© FORTINET
5. Click Browse.
6. Browse to Desktop > Resources > FortiManager > Troubleshooting and select FMG-
diag.dat
There is no password to enter because the file was not encrypted.
7. Leave the Overwrite current IP, routing and HA settings check box selected.
8. Click OK.
FortiManager reboots.
9. Wait for the FortiManager to reboot, and then log in as admin to the FortiManager GUI at
10.0.1.241.
10. Click root.
12. Go to Advanced > Advanced Settings.

DO NOT REPRINT
© FORTINET
13. For Offline Mode, select Disable.
14. Click Apply.

You will see that the Offline Mode message disappears. At this point, FortiManager can establish
a management connection with the managed devices.

DO NOT REPRINT
© FORTINET
 LAB 7—Diagnostics and Troubleshooting 1 Diagnose and Troubleshoot Install Issues
1 Diagnose and Troubleshoot Install Issues

FortiManager is preconfigured as follows:
 ADOMs are enabled
 ADOM1 is configured for FortiGate firmware version 5.4
 Local-FortiGate and Remote-FortiGate are managed by FortiManager in ADOM1. The
 Remote-FortiGate policy package is not imported.
 The default system template is configured with only the DNS widget
 The default system template is applied to the Local-FortiGate and Remote-FortiGate
In this exercise, you will diagnose and troubleshoot issues that occur when installing configuration
changes to Local-FortiGate and Remote-FortiGate.
Viewing the Installation Preview

Now, you will view the installation preview to learn what device-level configuration changes will be
installed on the FortiGate devices. The objective of this exercise is to verify and troubleshoot to make
sure the correct configuration settings will be installed on the FortiGate devices.
To view the installation preview for Local-FortiGate

1. On the Local-Windows VM, open a browser and log in to the FortiManager GUI at
10.0.1.241 with username student and password fortinet.

DO NOT REPRINT
© FORTINET
4. In the Configuration and Installation Status widget, click Preview.

Notice that default is listed as the System Template, which is pre-assigned to Local-FortiGate.
The installation preview generates.
5. Write down the DNS settings that will be installed on the Local-FortiGate.
Primary: ______________________
Secondary: ______________________
6. Click OK.
To view the installation preview for Remote-FortiGate

1. In the FortiManager GUI, click Remote-FortiGate.

DO NOT REPRINT
© FORTINET
2. In the Configuration and Installation Status widget, click Preview.

3. Write down the DNS settings that will be installed on the Remote-FortiGate.
Primary: ______________________
Secondary: ______________________
4. Click OK.
Stop and Think

The system template was configured with two entries. Why did the Local-FortiGate show
only one DNS entry, but the Remote-FortiGate showed two entries?
Discussion
The Local-FortiGate device was preconfigured with the primary DNS entry
208.91.112.53.When the Local-FortiGate was added to FortiManager, it automatically
updated to the device-level database. To verify, check the current revision history and
search for config system dns.
If you are not able to figure it out, follow the procedure below to view the system template
and DNS settings in the CLI.
Viewing the DNS Configuration

Now, you will view the DNS configuration for the configured system template and compare it with the
device-level database settings for DNS (for both Local-FortiGate and Remote-FortiGate). You will view
the configuration in the CLI.
To view the system template configuration in the CLI

1. On the Local-Windows VM, open PuTTY, and then connect to the FORTIMANAGER saved
session (connect over SSH).
2. Log in as admin and run the following command to view the CLI configuration for the system
template configuration:
# execute fmpolicy print-prov-templates ADOM1 5 1020 15

The output should appear as follows:
Dump all objects for category [system dns] in adom [ADOM1] package
[1020]:
---------------
config system dns
set primary 208.91.112.53

DO NOT REPRINT
© FORTINET
set secondary 208.91.112.52
end
Note: The execute fmpolicy print- command tree allows you to view the CLI
configuration for provisioning templates, ADOM, and the device database on
FortiManager.
The syntax for provisioning templates is:
# execute fmpolicy print-prov-templates <adom> <prov> <package>
<category>|all [<key>|all|list]
You can use the help feature by typing ? to open the command tree syntax.
To view the DNS settings for FortiGates (CLI)

1. In the FORTIMANAGER PuTTY session, run the following command to view the Local-FortiGate
DNS settings in the FortiManager device-level database.
# execute fmpolicy print-device-object ADOM1 Local-FortiGate root 15

Dump all objects for category [system dns] in device [Local-

FortiGate] vdom[root]:
---------------
config system dns
set primary 208.91.112.53
end
Note: The syntax for the device object is:

execute fmpolicy print-device-object <adom> <devname> <vdom>
<category>|all [<key>|all|list]
2. Execute the following command to view the Remote-FortiGate DNS settings in the
FortiManager device-level database.
# execute fmpolicy print-device-object ADOM1 Remote-FortiGate root

15
Dump all objects for category [system dns] in device [Remote-

FortiGate] vdom[root]:
---------------

DO NOT REPRINT
© FORTINET
config system dns
set primary 4.2.2.2
end
Compare the FortiManager system template entries with each FortiGate device. The Local-
FortiGate primary DNS entry matches the default system template primary DNS entry. Because
of that, FortiManager skips the primary DNS entry for the Local-FortiGate, because Local-
FortiGate has already been configured with the same entry.
Installing Device-Level Configuration Changes

Now, you will install device-level configuration changes (system templates) on the managed FortiGate
devices.
To install device-level changes (system templates)

1. In the FortiManager GUI, click Managed FortiGates.
2. Select Local-FortiGate and Remote-FortiGate.
3. In the drop-down list, click Install > Install Wizard.
4. Select Install Device Settings (only), and then click Next.

DO NOT REPRINT
© FORTINET
5. Make sure both devices are selected, and then click Next.
6. For Local-FortiGate, click Preview.

The preview generates.
Optionally, you can download the preview setting.

7. Click Cancel.
8. For Remote-FortiGate, click Preview.
The preview generates.

DO NOT REPRINT
© FORTINET
9. Click Cancel.
10. Make sure both FortiGate devices are selected, and then click Install.
The installation begins.
11. After the installation finishes, click the View Log icon to view and verify what is being installed on
each device.
12. In the Install Log pop-up window, click Close.

13. Click Finish.
The Config Status for both FortiGate devices should be Synchronized.

DO NOT REPRINT
© FORTINET

DO NOT REPRINT
© FORTINET
 LAB 7—Diagnostics and Troubleshooting 2 Troubleshoot Policy Import Issues
2 Troubleshoot Policy Import Issues

First, you will view the policies and objects imported into the ADOM database. The objects share the
common object database for each ADOM and are saved in the ADOM database, which can be shared
or used among different managed FortiGate devices in the same ADOM.
In this exercise, you will diagnose and troubleshoot issues that occur while importing the Remote-
FortiGate policy package.
Viewing the Policy Package and Objects

Now, because the Local-FortiGate policy package is imported into ADOM1, you will view the Local-
FortiGate policy package and objects imported into the ADOM1 database.
To view the policy package and objects for the Local-FortiGate

with the username student and password fortinet.
3. On the left side of the window, expand Local-FortiGate, and then click IPv4 Policy.
You will see the two policies for the Local-FortiGate.

Notice the source address of Test_PC for the Ping_Test firewall policy.
4. On the menu bar, click Object Configurations.
5. On the left side of the window, expand Firewall Objects, and then click Addresses.

DO NOT REPRINT
© FORTINET
6. Review the configuration for the Test_PC firewall address. In the ADOM database, it is set to any
interface based on the configuration imported from the Local-FortiGate.
Reviewing Policies and Objects Locally on the

Remote-FortiGate
You need to import the policies and objects from the Remote-FortiGate. But before importing policies
and objects, you will review the policies and objects locally on the Remote-FortiGate.
To review policies and objects locally on the Remote-FortiGate

1. On the Local-Windows VM, open a browser and log in to the Remote-FortiGate GUI at
10.200.3.1 with the username admin.
4. Hover the mouse over the Test_PC object in the Source column of the Seq.# 1 firewall policy.
You will see that the Test_PC address object is bound to the port6 interface.
5.
Remember, the Test_PC address object is bound to any interface in the ADOM database.
6. Log out of Remote-FortiGate.
Importing a Policy Package

Now, you will import the policies and objects for the Remote-FortiGate into the policy package, and
troubleshoot issues with the policy import.

DO NOT REPRINT
© FORTINET
To import the policy package

1. Return to the FortiManager GUI, click Policy & Objects > Device Manager.
2. Right-click Remote-FortiGate, and then click Import Policy.
3. Click Next.
4. Make sure the policy package name is Remote-FortiGate.
5. Leave all other settings at their default values, and then click Next.
6. Click Next.
7. Click Next.
Did you notice it skipped one firewall policy out of two policies?
8. Click Download Import Report to view the reason for skipping a firewall policy.

DO NOT REPRINT
© FORTINET
9. Open the file (or you can save it for future reference).
Did you notice it failed when importing firewall policy ID # 2(SEQ# 1)?
Stop and Think

The output provides the reason for this policy import failure.
reason=interface(interface binding contradiction. detail: any<-
port6) binding fail)"
What does this error mean? What is the impact? How can you fix this partial policy import
issue?
Discussion
Remember, in the ADOM1 database, the Test_PC firewall address is bound to the any
interface, based on the configuration imported from the Local-FortiGate. On the Remote-
FortiGate, policy ID 2 is using the Test_PC firewall address bound to port6 as the source
address.
This is the expected behavior on FortiManager because it doesn’t allow the same address
object name to bind to different interfaces.
Because FortiManager imported partial policies in the policy package, if you try to make a
change to the policy package and try to install, it will delete the skipped policies and
objects associated with those policies, along with all unused objects.
You must change the Test_PC firewall address binding to the any interface by locally
logging in to the Remote-FortiGate.
10. Close the import report, and then click Finish.

DO NOT REPRINT
© FORTINET
Check the Impact of Partial Policy Import (Optional)

The two procedures below show the impact of making changes to the FortiManager policy package
Remote-FortiGate and then try to install the policy package. It will try to delete policy ID 2 and the
Test_PC address object on the Remote-FortiGate. FortiManager will also try to delete any unused
objects.
If you are now familiar with the behavior, you can skip the following procedures:
 To make configuration changes to the Remote-FortiGate Policy Package (Optional)
 To preview the installation changes (Optional)
To make configuration changes to the Remote-FortiGate Policy Package (Optional)

1. In the FortiManager GUI, click Device Manager > Policy & Objects.
2. On the left side of the window, click Remote-FortiGate, and then click IPv4 Policy.
You will see that the firewall policy with Test_PC as the source address is not imported.
3. Double click the Seq# 1 firewall policy.
4. In the Description field, type Training, and then click OK.
To preview the installation changes (Optional)

1. Ensure IPv4 Policy is selected for the Remote-FortiGate policy package, and then click
Install > Re-install Policy.

DO NOT REPRINT
© FORTINET
2. Click Preview.
3. Notice that it is trying to delete the firewall policy with ID=2 and the Test_PC address object.
Note: When installing a policy package for the first time, FortiManager also deletes all unused
objects.
This is the firewall policy with Test_PC as the source address.

DO NOT REPRINT
© FORTINET
4. In the Install Preview window, click Cancel.

5. Click Cancel.
Fixing a Partial Policy Import Issue

You must change the Test_PC firewall address binding to the any interface by locally logging in to the
Remote-FortiGate.
Then, on FortiManager you will be able to import the policy package for the Remote-FortiGate.
To make local changes on Remote-FortiGate

1. On the Local-Windows VM, open a new browser tab, and then log in to the Remote-FortiGate
GUI at 10.200.3.1 as admin
3. In the warning window, click Yes.
4. Click Policy & Objects > Addresses.

DO NOT REPRINT
© FORTINET
5. Right-click Test_PC, and then select Edit in CLI.
6. Enter the following command in the CLI window:

unset associated-interface
end
7. Close the CLI Console window.

8. Refresh the page.

DO NOT REPRINT
© FORTINET
9. Log out of Remote-FortiGate.
To import the policy package again

1. Return to the FortiManager GUI, click Policy & Objects > Device Manager.
2. On the left side of the window, click Managed FortiGates.
3. Right-click Remote-FortiGate, and then select Import Policy.
4. Click Next.
5. Select the Overwrite check box.
6. Leave all other settings at their default values, and then click Next.
Did you notice that Test_PC appeared as Dynamic Mapping?

DO NOT REPRINT
© FORTINET
FortiManager automatically creates a dynamic mapping of the object with same values. The
interface must has to be the same as the ADOM database.
7. Click Next.
8. You will see both firewall policies are imported this time.
9. Click Finish.

DO NOT REPRINT
© FORTINET
 LAB 8—Advanced Configuration
LAB 8—Advanced Configuration

The learning goals for this lab are to understand the troubleshooting commands used for FortiGuard
Management, and to learn how to use FortiManager to upgrade the firmware on managed FortiGate
devices.
Objectives
 Review the central management configuration on both FortiGate devices
 Understand and run FortiGuard debug commands
 Import the firmware image for FortiGate devices and upgrade from FortiManager
Time to Complete

DO NOT REPRINT
© FORTINET
1 FortiGuard Management
In this exercise, you will review the central management settings on the FortiGate devices. Then, you
will run the CLI commands related to FortiGuard diagnostics on FortiManager to understand
FortiGuard settings on FortiManager.
To review central management settings on both FortiGate devices

1. On the Local-Windows VM, open PuTTY and connect to the LOCAL-FORTIGATE and REMOTE-
FORTIGATE saved session (connect over SSH).
show system central-management

Your output for the Local-FortiGate and Remote-FortiGate devices should look similar to the
following examples:
Local-FortiGate:
Remote FortiGate:
You will see that server-list is configured on the FortiGate devices with the FortiManager
IP address, and the include-default–servers is disabled. This means FortiGate devices

DO NOT REPRINT
© FORTINET
are pointed to FortiManager for its FortiGuard services and access to public FortiGuard servers is
disabled.
Diagnosing FortiGuard Issues

Now, you will run CLI commands on FortiManager to verify the FortiGuard configuration in order to
troubleshoot FortiGuard issues.
To diagnose FortiGuard issues

(connect over SSH).
3. Run the following commands:
diagnose fmupdate view-serverlist fds
You should see that there is only one default server in the list. FortiManager is unable to connect
to the public FDN servers because of unreachability or disabled service. In this lab environment,
communication with the public FortiGuard servers is disabled.
diagnose fmupdate view-serverlist fds
You should see that there is no information on Upullstat, UpullServer, because

FortiManager is not connected to the public FDS, which would provide that information.
diagnose fmupdate dbcontract

DO NOT REPRINT
© FORTINET
FortiManager is operating in a closed network environment and license contracts are uploaded
manually on FortiManager. You should see the contract information, which includes the types of
contracts that the device currently has along with the expiry dates.
Note: The same information can be viewed in the FortiGate GUI in the License Information
widget.
You will also see FortiAnalyzer contract information, which is uploaded manually on FortiManager.
The FortiAnalyzer labs use FortiManager as the local FDS in order to use the IOC features on
FortiAnalyzer.

DO NOT REPRINT
© FORTINET
2 Upgrading FortiGate Firmware Using

FortiManager
You can use FortiManager as your local firmware cache and to upgrade firmware on supported
devices.
In this exercise, you will import the firmware image for FortiGate and then upgrade both FortiGate
devices using FortiManager.
To import and upgrade firmware

2. Click FortiGuard.
3. Click Firmware Images > Import Images.
4. Click Import, and then click Browse.

5. Browse to Desktop > Resources > FortiManager > Advanced-Configuration, and then select
FGT_VM64-v5-build7605-FORTINET.out.
6. Click OK.
You will see that the firmware image has been saved on FortiManager.
7. Click FortiGuard > Device Manager.

8. Click Firmware.
9. Select both FortiGate devices and click Upgrade.

DO NOT REPRINT
© FORTINET
10. In the Upgrade to drop-down list, select FGT_VM64-v5-build7605-FORTINET.out.
11. Click OK.

You should see successful firmware upgrades for both FortiGate devices.
12. Click Close.

13. Optionally, you can open the console connection for the Local-FortiGate and Remote-FortiGate
to see the firmware upgrades.

FortiManager Lab Guide-Online

Загружено:

Сведения о документе

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

FortiManager Lab Guide-Online

Загружено:

Авторское право:

Доступные форматы

DO NOT REPRINT

FortiManager Lab Guide 1

FortiManager Lab Guide

VIRTUAL LAB BASICS ...................................................................................9

Network Topology ...................................................................................................................9

Lab Environment .....................................................................................................................9

System Checker ......................................................................................................................10

Transferring Files to the VM....................................................................................................15

Screen Resolution ...................................................................................................................15

International Keyboards ..........................................................................................................16

Student Tools: View Broadcast and Raise Hand....................................................................16

Troubleshooting Tips ..............................................................................................................17

LAB 1—INITIAL CONFIGURATION .................................................................19

Time to Complete ....................................................................................................................19

1 Examining Initial Configuration ............................................................................................22

Examine Initial Configuration Through the CLI .......................................................................22

Examine Initial Configuration Through the GUI ......................................................................25

2 Enabling FortiAnalyzer Features on FortiManager..............................................................28

LAB 2—ADMINISTRATION AND MANAGEMENT ..............................................30

Time to Complete ....................................................................................................................30

1 Configure Administrative Domain (ADOMs) ........................................................................31

Viewing ADOM Information.....................................................................................................32

Configuring ADOM ..................................................................................................................33

2 Creating and Assigning Administrators ...............................................................................36

Testing Administrator Privileges .............................................................................................37

Restricting Administrator Access Using Trusted Host ............................................................38

Testing the Restricted Administrator Access ..........................................................................39

3 ADOM Locking (Workspace Mode) .....................................................................................41

ADOM Locking (Workspace Mode) ........................................................................................41

4 Backup and Restore ............................................................................................................43

Backing up FortiManager Configuration .................................................................................43

Restore FortiManager Configuration ......................................................................................44

5 Monitoring Alerts and Event Logs ........................................................................................46

Offline Mode ............................................................................................................................46

Viewing Alerts and Event Logs ...............................................................................................47

LAB 3—DEVICE REGISTRATION ...................................................................50

Time to Complete ....................................................................................................................50

1 Configuring System Templates ............................................................................................51

Configuring System Templates ...............................................................................................51

Disabling ADOM Locking (Workspace Mode) ........................................................................53

2 Registering a Device to FortiManager .................................................................................55

Reviewing Central Management Configuration on Local-FortiGate .......................................55

Enabling Real-Time Debug .....................................................................................................56

Adding Local-FortiGate Using the Add Device Wizard ...........................................................56

Viewing the Local-FortiGate Policy Package..........................................................................60

Importing System Template Settings From FortiGate ............................................................62

Adding Remote-FortiGate Using the Add Device Wizard.......................................................64

LAB 4—DEVICE LEVEL CONFIGURATION AND INSTALLATION ........................67

Time to Complete ....................................................................................................................67

1 Understanding Managed Device Status ..............................................................................68

2 Install System Template Changes to Managed Devices .....................................................73

Installing System Templates ...................................................................................................73

Checking Managed Device Status..........................................................................................75

Viewing Pushed Configuration on the FortiGate ....................................................................77

3 Auto Update and Revision History .......................................................................................79

Making Direct Changes on Local-FortiGate ...........................................................................79

Making Direct Changes on Remote-FortiGate .......................................................................80

Viewing Auto Update and Revision History ............................................................................80

Viewing the Install Log ............................................................................................................82

Task Manager .........................................................................................................................84

4 Configuring Device Level Changes .....................................................................................87

Changing Managed FortiGate Interface Settings ...................................................................87

Filtering Devices Based on Their Statuses .............................................................................89

Configuring the Administrator Account ...................................................................................90