FortiManager Student Guide-Online

DO NOT REPRINT
© FORTINET
FortiManager
Student Guide
for FortiManager 5.2.1
DO NOT REPRINT
© FORTINET
FortiManager Student Guide
for FortiManager 5.2.1
Last Updated: 8 April 2015
Fortinet®, FortiGate®, and FortiGuard® are registered trademarks of Fortinet, Inc. in the U.S. and other
jurisdictions, and other Fortinet names herein may also be trademarks, registered or otherwise, of
Fortinet. All other product or company names may be trademarks of their respective owners. Copyright
© 2002 - 2015 Fortinet, Inc. All rights reserved. Contents and terms are subject to change by Fortinet
without prior notice. No part of this publication may be reproduced in any form or by any means or
used to make any derivative such as translation, transformation, or adaptation without permission from
Fortinet, Inc., as stipulated by the United States Copyright Act of 1976.
DO NOT REPRINT
© FORTINET
Table of Contents
VIRTUAL LAB BASICS ...................................................................................6
Topology .............................................................................................................................. 6
Logging In ............................................................................................................................ 7
Disconnections/Timeouts .............................................................................................................................11
Transferring Files to the VM ................................................................................................. 11
Using HTML5 Instead of Java .............................................................................................. 11
Screen Resolution ................................................................................................................ 12
International Keyboards ....................................................................................................... 12
Troubleshooting Tips ............................................................................................................ 13
SYSTEM SETTINGS .......................................................................................15
Lab 1: FortiManager System Settings .................................................................................. 15

Objectives.....................................................................................................................................................15
Time to Complete .........................................................................................................................................15
Exercise 1 FortiManager Initial System Settings .................................................................. 16

Enabling FortiAnalyzer feature set ...............................................................................................................17
Exercise 2 Configuring ADOMs ............................................................................................ 19

Enabling ADOM Locking ..............................................................................................................................21
Exercise 3 Backup and Restore ........................................................................................... 24
DEVICE MANAGER ........................................................................................28
Lab 1: Device Manager ........................................................................................................ 28

Objectives.....................................................................................................................................................28
Time to Complete .........................................................................................................................................28
Exercise 1 Adding FortiGate Devices ................................................................................... 29

Review central management settings on the FortiGate ................................................................................29
Creating Provisioning Templates ..................................................................................................................31
Add FortiGate to FortiManager .....................................................................................................................32
DO NOT REPRINT
© FORTINET
Install Provisioning Templates changes to Managed device ........................................................................38
Auto Update .................................................................................................................................................40
Exercise 2 Configuring Managed Devices ............................................................................ 42

Configuring Managed Devices .....................................................................................................................42
Install Wizard and View Installation History ..................................................................................................45
FortiView ......................................................................................................................................................47
Exercise 3 Scripts................................................................................................................. 48
Scripts ..........................................................................................................................................................48
POLICY & OBJECTS ......................................................................................52
Lab 1: Policy &Objects ......................................................................................................... 52

Objectives.....................................................................................................................................................52
Time to Complete .........................................................................................................................................52
Exercise 1 Import Policy and ADOM Revisions .................................................................... 53

Import Policy.................................................................................................................................................53
ADOM Revisions ..........................................................................................................................................57
Exercise 2 Creating and assigning header policy from Global ADOM.................................. 58
Exercise 3 Creating a common Policy Package for multiple devices ................................... 62

Dynamic Mapping – Objects.........................................................................................................................62
Dynamic Mapping – Interfaces and Zones ...................................................................................................66
Creating common policy package ................................................................................................................70
Install On ......................................................................................................................................................74
Exercise 4 Policy & Device IPsec VPN Configuration .......................................................... 80
ADDITIONAL SYSTEM SETTINGS ....................................................................89
Lab1: Additional System Settings ......................................................................................... 89

Objectives.....................................................................................................................................................89
Time to Complete .........................................................................................................................................89
Exercise 1: FortiGuard troubleshooting commands and firmware upgrade .......................... 90
APPENDIX A: ADDITIONAL RESOURCES........................................................93
APPENDIX B: PRESENTATION SLIDES ...........................................................94
Introduction to FortiManager ................................................................................................ 95
System Settings ................................................................................................................... 122

DO NOT REPRINT
© FORTINET
Device Manager ................................................................................................................... 173
Policy & Objects ................................................................................................................... 233
Additional System Settings ................................................................................................... 292

DO NOT REPRINT  Virtual Lab Basics Topology
© FORTINET
Virtual Lab Basics
In this class, you will use a virtual lab for hands-on exercises. This section explains how to connect to
the lab and its virtual machines. It also shows the topology of the virtual machines in the lab.
Note: If your trainer asks you to use a different lab, such as devices physically located in
your classroom, please ignore this section. This applies only to the virtual lab accessed
through the Internet. If you do not know which lab to use, please ask your trainer.
Topology
port2
10.200.1.241
FortiManager FortiAnalyzer
WIN-LOCAL port1 port1
10.0.1.10 10.0.1.241 10.0.1.210
10.0.1.254/24 port3
port3 10.200.1.210
LOCAL
port2 port1
10.200.2.1/24 10.200.1.1/24
LINUX
10.200.2.254 10.200.1.254
eth2 eth1
eth0
eth4 eth3
10.200.4.254 10.200.3.254
REMOTE
10.200.4.1/24 10.200.3.1/24
port5 port4
WIN-REMOTE
10.0.2.10 port6
10.0.2.254/24
FortiManager Student Guide 6

DO NOT REPRINT  Virtual Lab Basics Logging In
© FORTINET
Logging In
1. Run the System Checker. This will fully verify both:
 compatibility with the virtual lab environment's software, and
 that your computer can connect
It can also diagnose problems with your Java Virtual Machine, firewall, or web proxy.
Use the URL for your location.
North America/South America:
https://Remotelabs.training.fortinet.com/training/syscheck/?location=NAM-West
Europe/Middle East/Africa:
https://Remotelabs.training.fortinet.com/training/syscheck/?location=Europe
Asia/Pacific:
https://Remotelabs.training.fortinet.com/training/syscheck/?location=APAC
If a security confirmation dialog appears, click Run.
If your computer successfully connects to the virtual lab, the result messages for the browser
and network checks will each display a check mark icon. Continue to the next step.

© FORTINET
If a browser test fails, this will affect your ability to access the virtual lab environment. If a network
test fails, this will affect the usability of the virtual lab environment. For solutions, either click the
Support Knowledge Base link or ask your trainer.
2. With the user name and password from your trainer, log into the URL for the virtual lab. Either:
https://Remotelabs.training.fortinet.com/
https://virtual.mclabs.com/
3. If prompted, select the time zone for your location, then click Update.
This ensures that your class schedule is accurate.

© FORTINET
4. Click Enter Lab.
A list of virtual machines that exist in your virtual lab should appear.
From this page, you can access the console of any of your virtual devices by either:
 clicking on the device’s square, or
 selecting System > Open.

© FORTINET
5. Click K2-Win-Student to open a connection to that server.
A new window should open within a few seconds. (Depending on your account’s preferences, the
window may be a Java applet. If this fails, you may need change browser settings to allow Java to
run on this web site. You also may need to review and accept an SSL certificate.)
Depending on the virtual machine, the applet provides access to either the GUI or a text-based
CLI. Connections to Windows machines will use a Remote Desktop-like GUI. The applet
should automatically log in, then display the Windows desktop. For most lab exercises, you will
connect to this VM.

DO NOT REPRINT  Virtual Lab Basics Transferring Files to the VM
© FORTINET
Disconnections/Timeouts
If your computer’s connection with the virtual machine times out or if you are accidentally
disconnected, to regain access, return to the initial window/tab that contains your session’s list of VMs
and open the VM again.
If your session frequently times out or does not connect, ask your instructor.
Transferring Files to the VM

When using the Java applet to connect to a VM, you can drag-and-drop files from your computer to
the VM. For example, if you have a FortiGate configuration file that you want to upload to your lab VM,
you could create it on your computer, then drag it into the Java application window that is connected to
the Windows VM. Usually the destination folder is C:\Uploads.
Alternatively, if you store files in a cloud service such as Dropbox or SugarSync, you can use the web
browser to download them to your VM instead.
Using HTML5 Instead of Java

When you open a VM, your browser may download and use a Java application to connect to the
virtual lab’s VM. This means that Java must be installed, updated, and enabled in your browser.
Alternatively, you can use HTML5 instead. Click the Settings button, then select Use Java Client. Click
Save & Disconnect, then log in again. (To use this preference, your browser must allow cookies.)

DO NOT REPRINT  Virtual Lab Basics Screen Resolution
© FORTINET
When connecting to a VM, your browser should then open a display in a new window or tab.
Screen Resolution
Some Fortinet devices' user interfaces require a minimum screen size.
In the Java client, to configure the screen resolution, click the arrow at the top of the window.
In the HTML 5 client, to configure screen resolution, open the System menu.
International Keyboards
If characters in your language don’t display correctly, keyboard mappings may not be correct.

DO NOT REPRINT  Virtual Lab Basics Troubleshooting Tips
© FORTINET
To solve this in the HTML 5 client, open the Keyboard menu at the top of the window. Choose to either
display an on-screen keyboard, or send text from your computer to the VM's clipboard.
To solve this in the Java client, copy and paste between your computer and the Java applet. This
sends special characters or combinations using the keyboard icon at the top of the applet window.
Troubleshooting Tips
 If the HTML 5 client does not work, try the Java client instead. Remembering this preference
requires that your browser allow cookies.
 Do not connect to the virtual lab environment through a low-bandwidth or high-latency connection,
including VPN tunnels or wireless such as 3G or Wi-Fi. For best performance, use a stable
broadband connection such as a LAN.
 Do not disable or block Java applets. On Mac OS X since early 2014, to improve security, Java
has been disabled by default. In your browser, you must allow Java for this web site. On
Windows, if the Java applet is allowed and successfully downloads, but does not appear to
launch, you can open the Java console while troubleshooting. To do this, open the Control
Panel, click Java, and change the Java console setting to be Show console.
Network firewalls can also block Java executables.
Note: JavaScript is not the same as Java.

DO NOT REPRINT  Virtual Lab Basics Troubleshooting Tips
© FORTINET
 Prepare your computer's settings:

o Disable screen savers
o Change the power saving scheme so that your computer is always on, and does not go to
sleep or hibernate
 If disconnected unexpectedly from any of the virtual machines (or from the virtual lab portal),
please attempt to reconnect. If unable to reconnect, please notify the instructor.
 If during the labs, particularly when reloading configuration files, you see a message similar to the
one shown below, the VM is waiting for a response to the authentication server.
 To retry immediately, go to the console and enter the CLI command:
exec update-now

DO NOT REPRINT  System Settings Lab 1: FortiManager System Settings
© FORTINET
System Settings
Lab 1: FortiManager System Settings
The learning goal for this lab is to familiarize the student with the FortiManager system settings in
order to perform common system settings and maintenance tasks.
Objectives
In this lab, students will perform the following tasks:
 View initial system settings including network and time settings.
 Enable FortiAnalyzer features on FortiManager
 Enable ADOMs and configure new ADOM
 Configure administrator and restricting access to newly created ADOM
 Disabling concurrent ADOM access and enabling ADOM locking
 Backup FortiManager, restore the backup and disable offline mode.
 Read entries in the alert message console and event log.
Time to Complete
Estimated: 30 minutes

© FORTINET
Exercise 1 FortiManager Initial System Settings
1. Access the console of the FortiManager device by clicking on (K3-FMG), enter the username of
admin and leave the password blank then enter the following CLI commands to view the version
and initial system network settings:
get system status
show system interface
show system route

Note the port1 IP address is 10.0.1.241 and the port2 IP address in 10.200.1.241.
The default route is on port2 and the gateway is 10.200.1.254.
2. To test the default route enter the following:
execute ping 4.2.2.2

3. Click on Student Server desktop to launch it and open a web browser and enter the following URL
to access the FortiManager GUI:
https://10.0.1.241
Accept the self-signed certificate.
4. At the login screen, enter the username of admin and leave the password blank. Click Login.
5. Go to System Settings > Network and click All interfaces and Routing Table to examine the
configured interface and routing settings for your FortiManager device.
You can also test connectivity from the GUI by clicking Diagnostic Tools. Enter an internet IP
address for running a ping or traceroute command then click Go to display the results.
6. Check the date and set time to your time zone for your FortiManager device from System
Information widget .
System Settings > Dashboard > System Information widget

© FORTINET
Leave all other settings at their defaults.
Enabling FortiAnalyzer feature set

Now we have viewed the basic networking setting on FortiManager and adjusted time based on your
time zone. We will be enabling FortiAnalyzer features on FortiManager so that it can be used for
logging and reporting once the FortiGate devices are added into FortiManager.
1. Notice the default available tabs on FortiManager. It doesn’t have tabs related to FortiAnalyzer
features.
From the System Information widget, locate FortiAnalyzer Features and enable it.

© FORTINET
Note: Pop-up window will appear with this message:
“Are you sure you want to enable FAZ features? System will reboot to
apply the change”
Click Ok on the pop up.

FortiManager will reboot to initialize FortiAnalyzer features and apply the changes.
2. Log back into the FortiManager with default credentials. Enter the username of admin and leave
the password blank. Click Login.
Notice after enabling FortiAnalyzer features, there are three more tabs — FortiView, Event
Management, and Reports.
3. Connect to both the student (https://10.0.1.254) and Remote (https://10.200.3.1) FortiGate devices
from the same Student Server Desktop and check their system date and set time to your time
zone from System Information Widget in FortiGate Dashboard.
Click OK and again OK to save the changes.

Repeat this step for second FortiGate.

© FORTINET
Exercise 2 Configuring ADOMs
1. From the System Settings tab, go to Dashboard. Under System Information widget, enable
Administrative Domain.
Notice there is no All ADOM tab below Dashboard prior to enabling Administrative Domain.
You will be prompted to logout. Click OK and log in again using the admin account.
2. From System Settings tab, go to All ADOMs on left side pane and Create New.
Name: myADOM
Device Type: FortiGate
Version: 5.2
Mode: Normal

© FORTINET
VPN Management: Policy & Device VPNs
Click OK.
You should observe a list of predefined ADOMs including your new ADOM.
3. Next, create a new admin user for your ADOM. Go to Admin > Administrator and click Create
New.
User Name: student
Type: Local
New Password: 123456
Confirm Password: 123456
Admin Profile: Standard_User
Administrative
Specify: myADOM
Domain:
Remove any other ADOMs and make sure only myADOM is selected.
Leave all other settings at their defaults.
Your configuration should appear as follows:
Click OK.

© FORTINET
4. Log out and log in to FortiManager with your ADOM level account (that you created in previous
step).
You will have fewer tabs and will be limited to the myADOM administrative domain. There is no
System Setting tab and FortiGuard tab.
Enabling ADOM Locking

Now we will be enabling ADOM locking which allows:
 Disable and restrict concurrent ADOM access
 ADOM locking
 Single administrator with read/write access to the ADOM
 All other administrators have read-only access to that ADOM
1. Logout and log back into the FortiManager with default credentials (username admin and leave
the password blank).
Go to System Setting Tab > Dashboard > CLI Console widget. Click in the window to get
connected.
Type the following command and at the bottom, check workspace-mode is set to disabled
get system global
Now set the workspace-mode to normal
config system global
set workspace-mode normal
end
You will get session is invalid and FortiManager logs you out.
2. Login back into the FortiManager with default credentials (username admin and leave the
password blank).
Go to the Device Manager tab and under ADOM dropdown select myADOM from list and lock
the ADOM.

© FORTINET
You will notice the lock status changed from unlocked to green locked state. Hover your mouse to
the right hand pane on the green lock.
It will tell you “This ADOM was locked by admin since (date and time)".
3. Open different browser and login with student account ( User Name: student and Password:
123456)
You will notice the lock status is red and if you hover to the right hand side to red lock, it will tell
you “This ADOM was locked by admin since (date and time)".
Also notice, under Device Manager tab, all options (example Add Device, Add Group etc.) are
grayed out and you cannot make changes in this ADOM, until admin administrator unlocks the
ADOM and student administrator locks it.
4. We will be disabling ADOM locking as in this practical lab every student has dedicated ADOM to
work on.
Go to the browser in which you are logged in with admin administrator and type the following
commands in the CLI Console widget located at System Setting Tab > Dashboard > CLI Console
widget
set workspace-mode disable
press y to continue
end

© FORTINET
It will logout all both administrators (admin and student) to save changes. So prior to disabling
workspace-mode inform all the administrators logged into FortiManager to save their work.

© FORTINET
Exercise 3 Backup and Restore
1. Log in to FortiManager as the admin user.

Go to System Settings > Dashboard and under System Information widget, select Backup next to
System Configuration.
Deselect Encryption and click OK.

Note the location of the backup file and rename this file to: lab1.dat.
2. Go to System Settings > Admin > Administrator. Right click on student and click Delete.
Click OK.
3. Go to System Settings > All ADOMs. Right click on myADOM and click Delete.

© FORTINET
.
Click OK.
4. Go to System Settings > Dashboard. From System Information select Restore next to System
Configuration.
Select your backup file lab1.dat. There is no password to enter because the file was not
encrypted. Leave Overwrite current IP, routing and HA settings and other settings enabled, note
the reference to Offline mode which we look at next.
Click OK. It will reboot the FortiManager

5. When the restore is complete, log in to FortiManager as the admin user. .
You should observe your configuration settings are restored (ADOMs, Users, etc.)
6. Go System Settings > Dashboard > Alert Console widget. You should observe “Restore all
settings” message in the Alert Console widget.
Go System Settings > Dashboard > System Information widget. You should observe that in the
System Information widget that Offline Mode is enabled.

© FORTINET
Note: When offline mode is enabled the service for management

connections to managed FortiGate devices is not running, this is done
on purpose to prevent this device establishing management
connections should you load your backup to another FortiManager for
testing purposes.
We will look at the details of offline mode when we look at the FGFM protocol in a later module.
For now, go to System Settings tab > Advanced > Advanced Settings and disable Offline Mode.
Return to the System Information widget. You will notice Offline Mode field disappears. At this
point the FortiManager can establish a management connection with the managed devices.
7. Go to System Settings > Event Log to view the logs that got generated during this session.
Click on funnel icon next to Sub Type and on the Filter Settings pop up click Enable, and click
System manager event to filter only System manager events.

© FORTINET
Click OK at the bottom.

Now you will have filtered System manager events only. You can download logs, view them in raw
format, or click refresh to refresh logs.

DO NOT REPRINT  Device Manager Lab 1: Device Manager
© FORTINET
Device Manager
Lab 1: Device Manager
In this lab, you will explore the common operations of the device manager in order to centrally manage
FortiGate devices and keep the managed device in sync with the device database on FortiManager.
Objectives
Review central management settings on the FortiGate device
 Create and apply Provisioning Profiles to your managed devices
 Add a device using the add device wizard
 Make and install configuration changes from Device Manager
 Make configuration changes locally on the FortiGate and verify that they are retrieved
automatically by the FortiManager
 Install a large number of managed device changes using scripts
 Identify entries in the Revision History and identify the management action which created that
revision
 Use the status information in the Configuration and Installation Status widget
Time to Complete

© FORTINET
Exercise 1 Adding FortiGate Devices
Review central management settings on the FortiGate

Before adding FortiGate into FortiManager, we will review the central management settings on the
FortiGate.
1. Connect to the CLI of the Student FortiGate device (http://10.0.1.254), using the console or SSH.
2. From the CLI of the student FortiGate device, enter the following command to see the full
configuration information for the central management branch of the configuration:
show full-configuration system central-management

You should observe the following output:
config system central-management
set mode normal
set type fortimanager
set schedule-config-restore enable
set schedule-script-restore enable
set allow-push-configuration enable
set allow-pushd-firmware enable
set allow-Remote-firmware-upgrade enable
set allow-monitor enable
set fmg ''
set fmg-source-ip 0.0.0.0
set fmg-source-ip6 ::
set vdom "root"
config server-list
edit 1
set server-type update rating
set server-address 10.0.1.241
next

© FORTINET
end
set include-default-servers disable
set enc-algorithm default
end
3. Next, enter the following command to see the status information for that branch of the
configuration:
get system central-management

mode : normal
type : fortimanager
schedule-config-restore: enable
schedule-script-restore: enable
allow-push-configuration: enable
allow-pushd-firmware: enable
allow-Remote-firmware-upgrade: enable
allow-monitor : enable
serial-number :
fmg :
fmg-source-ip : 0.0.0.0
fmg-source-ip6 : ::
vdom : root
server-list:
== [ 1 ]
id: 1 server-type: update rating
include-default-servers: disable
enc-algorithm : default
Note in bold the serial-number, which is non-configurable from the FortiGate device. This setting is
set by the FortiManager(s) which are managing this device. In this case, it is empty because we
have not yet added the devices to FortiManager.

© FORTINET
Creating Provisioning Templates
Now we have checked the central management settings on FortiGate, We will be creating Provisioning
Templates on the FortiManager and will apply these later when adding FortiGate to FortiManager.
1. Connect to the GUI of the FortiManager (https://10.0.1.241) as your ADOM user.

Go to Device Manager >select your ADOM
Next, create a provisioning profile which will apply some common settings to your managed
devices. Select the Provisioning Templates tree menu from the lower content pane and edit the
default profile in System Templates.
2. Go to Log Settings by scrolling down and configure it to send logs to the FortiManager by
specifying the port2 address of 10.200.1.241 and change the upload options to Store & Upload
Logs.
Leave other settings as default and scroll to the bottom and select Apply.
3. Close all other widgets so they do not interfere with device settings.

© FORTINET
Add FortiGate to FortiManager

So far we checked central management setting on the FortiGate and created Provisioning Templates,
next we will be adding FortiGate into FortiManager and apply Provisioning Template created earlier.
This helps aid in applying common configuration, when device is first added.
1. You will now add your Student FortiGate device.

From the GUI of the Student FortiGate device (https://10.0.1.254), check that port1 has FMG-
Access enabled in the Administrative Access settings.
2. On the FortiManager, in the Device Manager tab, in myADOM, under Devices & Groups, right-
click on the Managed FortiGates and choose Add Device (or click on Add device).

© FORTINET
3. You will discover the Student FortiGate device and import its configuration using the add device
wizard.
Enter the port1 IP address of the Student FortiGate, 10.200.1.1 and username admin.
If the discovery fails, check if you can ping this address from the FortiManager and re-check the
FMG-Access settings on the FortiGate interface.
When the device is discovered, leave other settings as default click Next.
Add Device: Screenshot below shows default settings for logging and manage FortiAP and
FortiClient. Leave settings at their default and click Next.
FortiManager will create device, retrieves, and checks device status
Templates: Enable your default Provisioning Template (system template) and click Next.

© FORTINET
VDOM: Skipped because VDOMs are not enabled, click Next.

Interface Mapping: Accept the default mappings and accept ‘Add mappings for all unused
interfaces’ and click Next.
Policy: Accept the policy import defaults and click Next.
Object: If Conflict state occurs, leave the default setting “Use value from -> FortiGate.
Click view details to see the configuration difference between FortiGate and FortiManager.
Note the Objects identified, these should be identified as duplicates, new or updating exiting
FortiManager. Click Next.
Import: The current policy and objects are added to a new policy package, at the Import, click
Next.
Summary: View the device summary. Download and view the import report and click Finish to exit
from the Add Device window.
4. The Student FortiGate device should be now listed in Device Manager. Its configuration status will
be Modified because the changes applied in the provisioning profile have yet to be configured
(installed) on the managed device.
Note: Hover the mouse on modified icon and it will display the message.
5. Click on Managed FortiGates, then on Student FortiGate, it will take you to the dashboard of
the device. Under Configuration and Installation Status widget, check Device Settings Status,
it should appear as Modified.

© FORTINET
6. Click on Policy &Objects tab on the top, then go to Objects in the lower content pane, choose
Interface to see the ADOM Interface names that got created when the device was added. These
interfaces are used in policy packages to map firewall policies to interfaces on the firewall.
7. Double click on any port (example port1, port2, port3, etc.) to view the dynamic port mapping
Note the Name field is grayed out which refers to the ADOM Interface created on FortiManager
and below under Dynamic Mapping, it shows port mapping for device.
Example showing Interface Mapping for port1
Note: Do not make any changes; it will cause issues, when using Install wizards.
Click Cancel.
8. Select Policy & Objects and from the Policy Package tree menu, select the policy package
Student that got created when you imported firewall policies from your Student FortiGate device.

© FORTINET
In a later exercise, you will create a new policy package and push this package to the managed
device.
9. Go to the CLI on the Student FortiGate device (10.0.1.254) and enter the following command:

mode : normal
type : fortimanager
schedule-config-restore: enable
schedule-script-restore: enable
allow-push-configuration: enable
allow-pushd-firmware: enable
allow-Remote-firmware-upgrade: enable
allow-monitor : enable
fortimanager-fds-override: disable
serial-number : "FMG-VMXXXXXXXXX"
fmg : 10.200.1.241
fmg-source-ip : 0.0.0.0
vdom : root
server-list:
== [ 1 ]
id: 1 server-type: update rating
include-default-servers: disable
enc-algorithm : default

© FORTINET
Note in bold the FortiManager serial-number (FMG-VMXXXXXXXXX  where XXXXXXXX is the
actual serial no of FortiManager), which is non-configurable from the FortiGate, has now been set
by the FortiManager managing this device. Also, FortiManager IP is set.
10. Go back to FortiManager GUI and add DNS widget in the default System Template.
Click on Device Manager tab > Provisioning Templates (in the lower content pane) > System
Templates >default.
Click Add widget and click on DNS.
Click Close once DNS widget is added.

11. Hover mouse over the bar on the DNS widget and select Import and import settings from the
Student FortiGate device.
Click Ok and then Apply in DNS widget.

You have now imported DNS settings into the default provisioning profile which will be applied to
the other devices you add.

© FORTINET
12. You will now add the Remote FortiGate device.
In the Device Manager tab, in myADOM, right-click on Managed FortiGates and choose Add
Device. Enter the port4 IP address of the Remote FortiGate, 10.200.3.1, and username admin.
Click Cancel.
If the discovery fails with the above message, log into Remote FortiGate (https://10.200.3.1) with
username admin and leave the password blank and check and enable the FMG-Access settings
on the FortiGate interface port4 and if necessary check that you can ping this address from the
FortiManager.
Again try to add Remote FortiGate from FortiManager.
Assign the default system template profile.
Step through all the other Add Device wizard steps accepting the default settings.
13. You will have both devices managed by FortiManager and they will have the Config Status as
Modified because of the changes made from applying the Provisioning Profile during the Add
Device wizard.
Click on Remote or Student under Managed FortiGates, it will take you to the dashboard of
the device. Under Configuration and Installation Status widget, check Device Settings Status, it
should now appear as Modified.
Install Provisioning Templates changes to Managed device

Now we have added and applied provisioning templates to Student and Remote FortiGate’s and
because of that configuration running on FortiManager and FortiGate is different, and config status
is showing Modified for both devices, provisioning templates changes need to be installed to make
devices back in synchronized state.

© FORTINET
1. Select Managed FortiGates in the tree menu and right-click. Select Install and choose Install
Device Settings (only).
Click Next, In Device selection window, ensure both devices are selected then click Next.
2. Select to preview the configuration changes for each device which will be installed on the
managed device and click Close.
Click Next to install.
To check that changes are successful installed you may click on the History icon. Should an
install fail, the history information is useful to identify the stage it failed at.
Click Finish.
The Config Status should now appear Synchronized.

© FORTINET
3. Click on Remote or Student under Managed FortiGates, it will take you to the dashboard of the
device. Under Configuration and Installation Status widget, check Device Settings Status, it should
now appear as Unmodified.
Auto Update
So far we have covered, installing Provisioning Template configuration changes; next we will make
configuration changes locally on the FortiGate and verify that they are retrieved automatically by the
FortiManager.
1. View the configuration changes by connecting to the local GUI on each FortiGate device (Student
https://10.0.1.254 and Remote https://10.200.3.1). When you connect locally to a device managed
by FortiManager you will be presented with a warning because the device is centrally managed.
Choose the option Login Read-Write, and click on Continue on the next pop up. This allow you
to make device level changes which will be backed up when you log out, with the exception of
Firewall Policy changes which must be imported into a new policy package.
2. Go to Log & Report > Log Config > Log Settings and ensure that the IP address of the
FortiManager is set. Make the following changes to both devices:
 For Disk, disable local reports

© FORTINET
 For Send Logs to FortiManager/FortiAnalyzer check that the IP address is 10.200.1.241 and
change the upload option to Realtime.
Click Apply and log out from the FortiGate device.

Repeat this for the second managed device.
3. Return to the Device Manager tab on FortiManager and select one of your devices.
Go to Configuration and Installation Status widget. Locate Total Revisions and select Revision
History.
You should observe three configurations, though you may have more if you have made further
changes.
 Your first Installation should display as Retrieved, indicating that this configuration was taken
from the device’s running configuration, when it got added into the FortiManager.
 Your second installation should display as Installed, indicating that these changes were made
by FortiManager.
 Your third installation should display as AutoUpdate, indicating that these changes were made
locally on the FortiGate and got automatically updated in FortiManager.
1 2 3
4. Click on View Installation History and then click on browse corresponding to ID number of this
installation; you should see the CLI commands sent (which are identical to the installation
previewed earlier) and the FortiGate response.

DO NOT REPRINT  Device Manager Exercise 2 Configuring Managed Devices
© FORTINET
You should observe that the Config Status icon changes after the auto update.
The Config Status informs us that changes made locally were backed up to FortiManager.
Exercise 2 Configuring Managed Devices
Configuring Managed Devices

So far we have covered, making local changes to managed devices and automatic retrieval of
configuration on FortiManager; next we will make configuration changes for managed FortiGate from
FortiManager Device Manager tab.
1. Log in to FortiManager as your ADOM user.
2. Go to Device Manager and from the Managed FortiGates device list, click the name of the
Student FortiGate device to edit its configuration settings. The configuration can be edited
from Menu tab on the right side.
Click on Menu >System>Interface.

© FORTINET
Then right click Interface Member to edit the interface settings.
3. Check the interface IPs and configure the following Access settings for the interfaces for the
Student FortiGate device, as shown in the list below.
Port1 10.200.1.1/24 allow HTTPS, PING, FMG-Access, SSH
Port2 10.200.2.1/24 allow HTTPS, PING, FMG-Access, SSH
Port3 10.0.1.254/24 allow HTTPS, PING, SSH
When you edit the interface with the IP address used by FortiManager to reach that device, the
following warning message displays:

© FORTINET
Click OK to save the changes.

4. Next, we will be adding static route. Click on Menu >Router>Static Route
Click Create New to add the second static route.
Configure the following:
Destination
0.0.0.0/0.0.0.0
IP/Mask:
Gateway: 10.200.2.254
Interface: port2
Distance: 10
Priority: 5
Click OK to save changes.

5. Click on Managed FortiGates, verify that the Config Status for Student FortiGate changed to
Modified.
Click on Student under Managed FortiGates and verify Configuration and Installation Status
widget indicates that the Device Settings Status as Modified.

© FORTINET
Install Wizard and View Installation History

Now we have made configuration changes from FortiManager to managed devices; next we will install
these changes to managed device using Install wizard, and view the View installation history. Also we
will be comparing the revision history using diff feature in the revision history.
1. Click on Install from the top pane and choose Install Device Settings only to install the
configuration changes for the Student FortiGate device and generate a new revision in the revision
history.
The task should complete with status OK. Select Finish, to close the Install window.
2. Once the changes are installed, verify the Configuration and Installation Status widget indicates
that the Configuration Change Status is back to Unmodified.
3. Go to Managed FortiGates >Student. In the Student dashboard under Configuration and
Installation Status widget, click on Revision History and observe the new entry in the table. Note
that this revision was created from an Install operation.
4. Click on Revision History, then select View Installation History and view the install corresponding
to the latest revision ID.

© FORTINET
Select Return to close.

5. Click the Diff icon to view differences between the selected and previous configuration revisions.
6. Click on Diff Only

© FORTINET
Note that the Student device shows Synchronized, as changes were made on FortiManager and
installed to Student FortiGate and Remote FortiGate still shows Auto-updated, as no changes
were made on FortiManager for this device and it still have Auto Update status from our previous
exercise.
FortiView
The FortiManager can be used for logging and reporting as it supports the FortiAnalyzer logging and
reporting features; next we will be viewing the logs from managed devices under FortiView tab.
1. You should also observe that FortiManager is receiving logs from your managed devices.
Go to FortiView > Log View (at the lower content pane) and click on “Traffic” to see the log
messages.

DO NOT REPRINT  Device Manager Exercise 3 Scripts
© FORTINET
Exercise 3 Scripts
Scripts
A script can make many changes to a managed device and are useful for bulk configuration changes
and consistency across multiple managed devices.
You can configure and install scripts from FortiManager to managed devices, in this section of lab
exercise we will be configuring scripts and installing on the managed devices.
1. Next you will make many device changes by using the script feature.
Log in to FortiManager as the admin user. Go to System Settings > Admin > Admin Settings and
enable Show Script. Click Apply.
2. Logout and log back into FortiManager as your ADOM user.
3. Go to Device Manager > myADOM > Script (at the lower content pane) and click Create New.
Create two separate scripts from the student.txt and Remote.txt text files in the
Resources/FortiManager/Scripts folder on the Windows Server desktop. Open each file using
Notepad++ copy the contents to a separate script.
4. In the Advanced Device Filters choose the device that the script applies to and leave all other
settings as default.

© FORTINET
If you notice by default script runs on “Device Database”. Click OK at the bottom to save the script.
5. Run the Student script on the Student FortiGate.

© FORTINET
The Student FortiGate device will now show a status of Modified because the script runs on the
device database (DB) and not directly on the device, unless overridden.
6. Run the Remote script on the Remote FortiGate device.

7. Check the script execution history from the Configuration and Installation Status widget of both
devices. If the script failed to execute discuss with your instructor.
8. Click on browse to view the script ran.

© FORTINET
9. Scroll to the bottom to check that the script ran successfully on the DB.
Click Return and again Return.

The script ran on the device database and not directly on the device, the configuration status of
both devices is now modified.
10. Now perform an Install and chose Install Device Settings (only) to make the changes to both
devices.
View the installation history from the Revision History to see the configuration commands sent to
the device and check the configuration locally.
At this stage the device is unmodified and the config status is synchronized however Policy
Package Status is still showing Imported because script was ran on Device Database and policy
package is not aware of the changes and does not know which firewall polices are installed on the
managed devices. You will look at this in the next section.
11. Log in to FortiManager as the admin user and make a new backup of the FortiManager.
Go to System Settings > Dashboard > System Information and click on Backup. Uncheck
Encryption. Rename the backup to: lab2.dat.
Note: You must factory reset a FortiManager device before restoring a

configuration backup. The FortiManager must be running the same
version of lab2firmware on which the backup was taken.

DO NOT REPRINT  Policy & Objects Lab 1: Policy &Objects
© FORTINET
Policy & Objects
Lab 1: Policy &Objects
In this lab, you will explore the common operations of Policy & Objects in order to centrally manage
FortiGate firewall policies and to managed shard and dynamic objects. The lab looks at configuring
header policies from Global ADOM and assigning to individual policy packages in the ADOM and
installing on the FortiGate device.
Objectives
In this lab you will perform the following tasks:
 Import firewall polices and objects from a managed device and review the imported policy
packages.
 Create ADOM revisions
 Edit firewall policies in policy packages using the right-click menu options.
 Create and assign header policies to policy packages in a ADOM.
 Create a policy package shared across multiple devices.
 Create shared objects and dynamic objects with mapping rules.
 Identify the different policy and object interface mapping types and configure zones mappings.
 Install a policy package and device settings from policy and objects tab.
 Use the where used feature to monitor object usage.
 Create as IPSec VPNs using the Policy & Device VPN mode.
Time to Complete

© FORTINET
Exercise 1 Import Policy and ADOM Revisions
Import Policy
In the previous exercise we learned about auto update and executed scripts which contains
configuration related to policies and objects. Policy Packages are unaware of these changes as scripts
were run on device database which created revision history containing these changes. In order to
reflect and update the policy packages we will run import policy wizard.
1. Log in to FortiManager as your ADOM user.
2. Check the current policy package status of your managed devices in the Device Manager tab.
As the status is Imported you will perform an Import Policy action to import any new firewall
configuration into a new policy package in order to review the changes.
Note: The FortiGate and FortiManager device database are synchronized and
there are no pending changes however the policy package selected may not be
representative of what is installed on the device because of previous auto update
and script execution, which is why the status of the policy package is currently
Imported from the first time when we added the Fortigate’s.
3. Right-click on each device and select Import Policy. This will import firewall policies and objects
into the Policy & Objects tab.
When prompted, rename policy package to Remote_1and Student_1 respectively and choose
Import all objects and not just objects reference in firewall policies.

© FORTINET
If conflicts are detected, accept the default settings from the FortiGate device.
Review the objects to import.

© FORTINET
Download and review the import report.
Note: Download import report is available only on this page; make

sure to download the import report before clicking finish.
Click Finish.
Now, perform an Import Policy on your second managed device, and again select Import all
objects. If conflicts are detected, accept the default settings from the FortiGate device.
Check the current policy package status of your managed devices in the Device Manager tab.
Now it should show new policy package names and refers to the latest imported policy
package.

© FORTINET
4. From the Policy & Objects tab, review the current policy packages and compare the previous and
newly created packages by clicking on them to see the rules contained. You will observe that
there are differences. Student_1 and Remote_1 are the latest policy packages and they represent
what is installed on the firewall.
Policy package: Remote
Policy package: Remote_1
This shows the difference between Remote and Remote_1 policy package. You can compare
Student and Student_1.
5. Next, from Policy & Objects, in the lower content pane under Objects, select an address object
and right click to use the Where used function to check the utilization of the imported address
object.
Click Close.

© FORTINET
ADOM Revisions
It creates a snapshot of the all policy & objects configuration for the ADOM. Now we have imported
policies and objects from both FortiGate devices, we will be creating ADOM revisions which are stored
locally on the FortiManager and useful to compare difference between two revisions or reverting to
previous revision.
1. In Policy & Objects, select ADOM revisions under Tools drop down menu.
Click Create New and name the revision: Initial revision myADOM. Next, enable the option Lock
this revision from auto-deletion.
Click OK to save.
You will notice the lock icon and also name of the admin who created it and date and time.
Click Close.

© FORTINET
Exercise 2 Creating and assigning header policy from
Global ADOM
Now you have imported the policies from the Student and Remote FortiGate devices, you will be
configuring header policy from Global ADOM. This policy package will be assigned and installed to
only Remote_1 and Student_1 policy package.
1. Log in to FortiManager as the admin user. Go to the Policy & Objects tab; from the ADOM drop
down menu select Global.
Click on Policy menu and from the drop down click Header Policy.
2. Configure the following for policy:
Source Interface: any
Source Address: gall
Destination Interface: any
Destination Address: gall
Schedule: galways
Service: gPING
Action: DENY
Leave all other settings to their default values and click OK at the bottom.
Your policy should appear similar to the following:

© FORTINET
3. Click on Assignment tab and then click on Add ADOM and in the Add ADOM dialog box, choose
the following:
ADOMs: myADOM
Specify ADOM to policy package to

Check the box and add the following
exclude:
default, Remote, Student
Your settings should appear similar to the following:

© FORTINET
Click OK at the bottom to save the changes.

4. You will notice the ‘Status’ column is showing ‘Pending Changes’ because it is still not assigned to
the policy package in myADOM. Also under ‘ADOM Policy Packages’ it shows ‘Partial (2/5)’
because there were 5 policy packages in myADOM and we excluded 3 policy packages in the
previous step.
Click on myADOM to select it and then click on Assign Selected.
In the ‘Assign’ pop up window, check the box for “Automatically Install Policies to ADOM devices”.
This option will assign the global policy package to individual policy packages in myADOM and
also install it to the managed devices.
Leave all other settings at their defaults and click on OK.

It should complete with success.
5. Log out and log back into the FortiManager as your ADOM user (User name: student,
Password: 123456).
Go to the Policy & Objects tab; click on Remote_1 or Student_1 policy package and you will

© FORTINET
notice header policy on the top, which is greyed out. Try to edit it by right clicking on this new
policy; you will be not able to edit it as it is global header policy.
6. Log into the Student (https://10.0.1.254) and Remote (https://10.200.3.1) FortiGate devices.
Choose Login Read-Only.
Go to Policy & Objects > Policy > IPv4.
From the windows desktop, open a command prompt and try to ping external host (example
4.2.2.2), you should observe ping fails, because the header policy was configured to block ping.

© FORTINET
Exercise 3 Creating a common Policy Package for
multiple devices
You will now create a single policy package which is shared by multiple devices, as opposed to having
a policy package per device which is the current configuration. You will use the installation target
setting in a firewall policy to managed device level exceptions.
Dynamic Mapping – Objects

As you will be creating common policy package for both FortiGate devices, you will be configuring
dynamic mapping for these object which are used to map a single logical object to a unique definition
per device.
1. Login into the FortiManager as your ADOM user (User name: student, Password: 123456).
2. In the Policy & Objects tab, from the Objects menu, go to Firewall Objects > Address. Click
Create New and select Address.
Address name: myInternal
Type: Subnet / IP Range
IP Range/Subnet: 10.0.0.0/8
This object is configured with a value which can be overridden by enabling dynamic object
configuration in the address object.
3. Now you will create a dynamic mapping rule for the “myInternal” address object for both the
Student and Remote FortiGate devices.
Turn ON Dynamic Mapping and click Create New, pop-up for dynamic mapping will appear.
On Mapped Device, click on “Click to add” and select the Student FortiGate device and click
OK and enter IP Range/Subnet.

© FORTINET
Click OK to save.
Again click on Create New in Dynamic Mapping and select the Remote FortiGate device in
Mapped Device field and enter IP Range/Subnet.
Click OK to save.
Now scroll all the way to the bottom of the address object myInternal and click on OK to save
these changes.
4. Next you will configure ADOM level objects for content inspection.
In Policy & Objects tab, select Display Options in the Tools menu bar and make sure Proxy
Options and SSL/SSH Inspection are enabled under display options. Click Cancel.

© FORTINET
Click Cancel.
5. Under Policy and Objects, in the lower pane of the window under Objects, go to Security Profiles >
AntiVirus Profile.
Create a new profile called web-only.
Now enable virus scan for HTTP as follows:
Inspection Mode: Proxy
Protocol
HTTP: Enable it

© FORTINET
Leave other settings as default and scroll to bottom and click OK.
6. In the Policy & Objects tab, go to Objects > Interface.

Right click on any interface and click on edit to view the current dynamic mappings.
You will notice that interfaces are automatically dynamically mapped when devices were added.
Click Cancel to return to Interface page.

© FORTINET
Dynamic Mapping – Interfaces and Zones
So far you have created dynamic mapping for the objects; next you will be creating zones and
dynamically map these interfaces to zones.
7. Next, you will create new zones from Policy & Objects and map them to interfaces by enabling
Dynamic Mapping.
In the Policy & Objects tab, go to Objects > Interface and click Create New.
Name: Internal
Enable Zone: Enable it
Make sure to check Enable Zone and click OK to save.

Click Create New again to create “External” zone and follow the same step above.
Note: By enabling zone option, it will create an actual zone on the

FortiGate locally when install is performed.
8. Right click on the Internal zone, and click on Edit.

© FORTINET
Now turn ON Dynamic Mapping and click Create New.
On Mapped Device, click on “Click to add” and select the Student FortiGate device and click on
OK.
On the interface, click on “Click to add” and select the port3 and Click OK.
Note: You will get warning message “The new mapping will delete the
old mapping, are you sure to continue”. This is because interfaces
were dynamically mapped when the devices were added into the
FortiManager. Now the FortiManager will delete the old mapping and
add these interfaces to map to the zones.
Click OK and again click OK on the Dynamic Mapping pop up window.

© FORTINET
Again click on Create New in Dynamic Mapping to add Remote FortiGate interface to Internal
zone.
On Mapped Device, click on “Click to add” and select the Remote FortiGate device and click on
OK.
On the interface, click on “Click to add” and select the port6 and Click OK.
Click OK and ignore warning message and click OK on the Dynamic Mapping pop up window.
Now you will have Dynamic mapping for Internal zone.

Now we have created Internal zone and added dynamic interface mapping for both FortiGate
devices.
9. Next, we will be editing External zone and adding dynamic mapping for interfaces on both
FortiGate devices.
Right click on External zone and click Edit.
Now turn ON Dynamic Mapping and click Create New
On Mapped Device, click on “Click to add” and select the Student FortiGate device and click OK.
On the interface, click on “Click to add” and select both interfaces by holding “Shift” key on your
keyboard.
Interface: Port1, Port2
Click OK and again pop up warning message will come up, ignore and click on OK. Again click on
OK.
Select “Block intra-zone traffic” and click on OK.

© FORTINET
Again click on Create New in Dynamic Mapping to add Remote FortiGate interfaces to External
zone.
On Mapped Device, click on “Click to add” and select the Remote FortiGate device and click on
OK.
On the interface, click on “Click to add” and select both interfaces by holding “Shift” key on your
keyboard.
Interface: Port4, Port5
Click OK and again pop up warning message will come up, ignore and click on OK. Again click on
OK.
Select “Block intra-zone traffic” and click on OK.
Now you will have Dynamic mapping for External zone.

You have now created global zones and mapping rules per device.

© FORTINET
Creating common policy package
FortiManager can be used target common policy package to multiple devices.
So far we have created the dynamic mapping for objects and interfaces, now we will be creating
common policy package to target Student and Remote FortiGate.
10. Next, you will now create the policy package.

In the Policy & Objects tab, right-click on the default policy package and select Create New.
Name the new package “training”, deselect Clone Policy Package.
Click Apply.
11. Click on newly created training policy package and you will notice that it automatically got
assigned Global Header Policy. This is because in the previous exercise we assigned
‘myADOM’ for global policy assignment and by default when a new policy package is created it
assigns the global policies to the new package.

© FORTINET
12. Log out and log back with the admin user in the FortiManager and un-assign the training policy
package in the Global ADOM.
Click on Policy & Objects tab > select Global in the ADOM dropdown > click on Assignment >
select myADOM and click on Edit ADOM > add training in the policy package exclude list.

13. Click on myADOM to select it and then click on Assign Selected.
In the ‘Assign’ pop up window, Leave all settings at their defaults and click on OK.
14. Log out and log back with the myADOM user account (User name: student and Password:
123456). You will notice training policy package has no header policy now. Select the training
policy package and right-click the local domain policies area of that package.
Select Create New and create the following policies using the settings shown below:

© FORTINET
Source Interface: Internal
Source Address: myInternal
Destination Interface: External
Destination Address: all
Schedule: always
Service: SSH, DNS
Action: Accept
NAT: Enabled
Click OK at the bottom to save changes.

Policy should appear as:
To create the additional policies, right-click on the existing policy sequence number and select
Create New. Configure the following settings:
Source Interface Internal
Source Address myInternal

© FORTINET
Source User(s) student
Destination Interface External
Destination Address all
Schedule always
Service HTTP, HTTPS
Action Accept
NAT: Enabled
Logging Options: Log All Sessions
Security Profiles Use Standard Security Profiles
Enable Antivirus web-only
Leave all other settings to default and click OK at the bottom to save changes.
15. Using drag and drop to reorder the user identity policy so that it appears first in the list.
16. You will now add the installation targets as both devices.
Select training policy package >Installation; then click on Add.

© FORTINET
In Device/Group click on “Click to add” and select the Student and Remote, click OK at the
bottom.
You will notice the policy package status is greyed out and hover the mouse on “X” and it displays
“Never Installed”, which reflects that we created policy package and added the devices as
installation target but still haven’t installed the changes.
Install On
When you configure installation target, by default all policies within policy package are targeted to all
selected FortiGate devices. You can further restrict the policies within policy package to be targeted to
specific FortiGate Devices using “Install On” feature, which target specific policies within the policy
package to specific selected FortiGate devices in install on column.
17. You will now restrict the user identity policy so that it only installs on the Student FortiGate
device and not both devices which the policy package is selected for.
Click on training policy package and enable Install On column by right-clicking on any of the
column headings and selecting Column Settings.

© FORTINET
You can drag the Install On column to where you want it positioned in the column list.
Next right-click on the Install On field of the user authentication policy and select Add Objects(s).
Select Student and click on OK.
You will notice that authentication policy has installation target set to Student FortiGate.

© FORTINET
18. Now you will be installing training policy package to both the managed devices.
Right-click on the training policy package and select Install Wizard.
Create a revision and enter the revision name: ‘training initial’ and click Next.
Make sure both devices are selected and click Next.
If you see a interface mapping error, go back to the objects >interfaces and check the interface
mappings. When this is done attempt the install again.

© FORTINET
When you have successful validation you may click Preview to view the configuration settings that
will be sent to each device. Select Next to Install.
If either device fails to return a status of OK then review your configuration and try again. If it still
fails, ask your instructor. Select Finish to close the installation window.
The policy package status is updated for both devices in the Device Manager tab.
19. Connect locally to Student FortiGate device with default login credentials and click on Login read-
only on pop-up warning window to review the installed configuration. Check the dynamic address
values, services and firewall policies.
The address objects and firewall policy for the Student FortiGate device appear as follows:
When you connect to the Remote FortiGate device, you will need to authenticate all outgoing http
and https traffic on the Student FortiGate device. This is because of the identity policy. When
prompted for firewall authentication, enter the username ‘student’ and password ‘F0rtinet’. Once
authenticated, you will be presented with FortiGate login page, use default credentials – admin
and no password and click on Login read-only on pop-up warning window to review the installed
configuration
The address objects and firewall policy for the Remote FortiGate device appear as follows:

© FORTINET
20. From the windows desktop, open a command prompt and try to ping external host ( example
4.2.2.2), you should observe ping fails, because the policies on Student FortiGate does not have
ICMP included in the service.
Return to the training policy package and on the seq number 2 policy, right click on the existing
services to add new service object.
From the Add Service pop-up, search and add the ALL_ICMP.
Click OK.
Your policies should appear as below.
Install the modified package using the re-install option, which does not start the wizard.

© FORTINET
Right click on training policy package and select Re-install.
Once install finishes, connect locally to FortiGates (read-only) to ensure the change has been
made. Try to ping external host from the windows desktop command prompt. You should observe
you are able to ping external host.
21. On the FortiManager under Policy & Object tab, click on ADOM Revisions icon in the Tools menu
bar and Edit the last revision.
Set the name to ‘training base package’ and select Lock this revision from auto deletion.
Click OK.
Delete all other packages by right clicking on other packages, select Delete.
Click Close.
You can use this revision to revert changes made to your policy packages and objects in your
ADOM. Remember this does not revert Device Manager level settings.

© FORTINET
Exercise 4 Policy & Device IPsec VPN Configuration
1. Log in to FortiManager as your ADOM admin user.

2. In the Device Manager tab, click on Display Options in the menu bar on the top, Customize Device
Tabs will pop up, scroll down to VPN and turn “ON” IPsec Phase 1 and IPsec Phase 2.
Click OK.
You will be able to view and configure IPsec settings for the managed devices in your ADOM.
3. Select the Student FortiGate device and create IPSec Phase 1 and Phase 2 objects. Check you
have selected the correct device.
Click on Menu > VPN > IPsec Phase 1.
Click Create New and configure the following.
Gateway Name: Remote
Remote Gateway: Static IP Address
IP Address: 10.200.3.1
Local Interface: port1

© FORTINET
Authentication Method: Preshared Key
Pre-shared Key: Fortinet
Click Advanced and set the following:
P1 Proposal
1-Encryption: AES256
Authentication: SHA1
Diffie-Hellman Groups: 5
Dead Peer Detection: Enabled
Leave all other settings as default and click OK at the bottom.

Your IPsec Phase 1 settings should appear as below.
Go to Menu >VPN > IPSec Phase 2 and click Create New and configure the following:
Tunnel Name: P2_Remote
Phase 1: Remote (same name as Phase 1 above)
P2 Proposal
1-Authentication: SHA1
Delete other default Encryption settings
Enable replay detection: Enabled
Enable perfect forward secrecy: Enabled
Diffie-Hellman Group: 5
Autokey Keep Alive: Enabled

© FORTINET
4. Create a new static route for the IPSec VPN with the following details:
Go to Menu > Router > Static Route and click Create New:
Destination IP/Mask: 10.0.2.0/24
Interface: Remote
Click OK.
5. Select the Remote FortiGate device and create IPSec Phase 1 and Phase 2 objects.
Click on Menu > VPN > IPsec Phase 1 and click Create New:
Gateway Name: Student
Remote Gateway: Static IP Address
IP Address: 10.200.1.1
Local Interface: port4

© FORTINET
Authentication Method: Preshared Key
Pre-shared Key: Fortinet
P1 Proposal
Authentication: SHA1
Dead Peer Detection: Enabled

Go to Menu >VPN > IPSec Phase 2 and click Create New:
Tunnel Name: P2_Student
Phase 1: Student (same name as Phase 1 above)
P2 Proposal
1-Authentication: SHA1
Delete other Encryption settings
Enable replay detection: Enabled
Enable perfect forward secrecy: Enabled
Autokey Keep Alive: Enable

6. Create a new static route for the IPSec VPN with the following details:
Go to Menu > Router > Static Route and click Create New:
Destination IP/Mask: 10.0.1.0/24

© FORTINET
Interface: Student
Click OK.
7. Select the Managed FortiGates in the ADOM to refresh the view and note that both devices are
now Modified in Config Status. Hover the mouse on modified icon and it will display the following
message.
“Device configuration has been changed, Please install to apply those changes on remote device”
8. In the Device Manager tab, click on Install icon in the menu bar on the top to install the
configuration changes to both FortiGate devices. Select Install device settings only. Check that
both devices are selected and preview the configuration commands to be sent.
9. Go to the Student and Remote FortiGate device (read-only) and check that the new configuration
objects are in place.
10. On the FortiManager, next you will create interface mapping for the IPsec interfaces and create
firewall policies to and from that interface.
In Policy & Objects tab, go to Objects > Interface and select Create New. Name the new interface
VPN.
Turn ON Dynamic Mapping and click Create New to add interface mapping for the Student
FortiGate.
Mapped Device: Student
Interface: Remote
Click OK.
Again click on Create New in Dynamic Mapping to add the Remote FortiGate interface mapping.
Mapped Device: Remote
Interface: Student
Click OK.
Interface mapping for VPN interface will appear for Student and Remote FortiGate as below.

© FORTINET
Click OK at the bottom to save the changes.
11. In the Policy & Objects tab, go to Objects >Firewall Objects >Address and select Create New
>Address.
Address name: myExternal
Type: Subnet / IP Range
This object is a general internal network address which you will override on each device by means
of a dynamic object configuration.
12. Now you will create a dynamic mapping rule for the “myExternal” address object for both the
Student and Remote FortiGate devices.
Turn ON Dynamic Mapping in “myExternal” address object and click Create New to add dynamic
address mapping for Student FortiGate.
Mapped Device: Student
Click OK.
Again click on Create New in Dynamic Mapping to add Remote FortiGate dynamic address
mapping.
Mapped Device: Remote
Click OK.
Your firewall address dynamic mapping for Student and Remote FortiGate will appear similar as
below.
Click OK at the bottom to save the changes. You will be presented with warning message,

© FORTINET
ignore and click OK. This is because IP/Subnet (10.0.0.0/8) defined for myExternal and myInternal
are same.
13. In the Policy & Objects tab, select the “training” policy package and create the following rules.
Select Policy > Create New and configure the following:
Source Interface: Internal
Source Address: myInternal
Destination Interface: VPN
Destination Address: myExternal
Schedule: Always
Service: ALL
Action: Accept
Now configure the second policy. Select Policy >Create New and configure the following:
Source Interface: VPN
Source Address: myExternal
Destination Interface: Internal

© FORTINET
Destination Address: myInternal
Schedule: Always
Service: ALL
Action: Accept
Your policy package should appear similar to the following:
14. Right click on training policy package and select Install Wizard to install the updated “training”
policy package and create a new revision called “device based IPsec VPN”. Make sure both
FortiGate devices are selected. Preview your configuration changes.
15. Go to Device Manager tab and click on Display Options in the top menu bar. Enable IPsec VPN
under Query.
Click OK.
Select Student or Remote FortiGate under Managed FortiGates and go to Menu > Query >
IPsec VPN.

© FORTINET
If the VPN is down, right click on the VPN and click on Bring Tunnel Up and click on OK.
16. From the Window Server execute a ping to the host 10.0.2.10.
If the ping fails, connect locally to the managed FortiGate devices (read-only) and review the
IPsec configuration. If you find a configuration error locally, go back to FortiManager and make
the correction and install it again.
Log in to FortiManager as the admin user. Take a new backup of the FortiManager. Deselect
Encryption and click OK. Rename the backup to: lab3.dat.

DO NOT REPRINT  Additional System Settings Lab1: Additional System Settings
© FORTINET
Additional System Settings
Lab1: Additional System Settings
The learning goal for this lab is to understand the troubleshooting commands used for FortiGuard
Management and using the FortiManager to upgrade the firmware on managed FortiGate devices
through the FortiManager.
Objectives
In this lab you will perform the following tasks:
 Check the central management configuration on both FortiGate devices.
 Understand and run FortiGuard debug commands.
 Import firmware image for FortiGate devices and upgrade from the FortiManager.
Time to Complete

© FORTINET
Exercise 1: FortiGuard troubleshooting commands and
firmware upgrade
1. Log into Student and Remote FortiGate devices and run the following commands in CLI:
show system central-management
Your output should appear similar to following for Student and Remote FortiGate device:
Student FortiGate
Remote FortiGate
If you notice server-list is configured on the FortiGate devices with the FortiManager IP and also
include-default –servers is disabled, which means FortiGate devices are pointed to FortiManager
for its FortiGuard services and access to public FortiGuard servers is disabled.
2. Log into the FortiManager with admin account and run the following command:
diagnose fmupdate vm-license

You should observe both the FortiGate devices license information.
diagnose fmnetwork interface list

You should observe ‘srv_fgfm’ interface with is the special system point-to-point interface for
the management connections with an IP address 169.254.0.1.

© FORTINET
diagnose fgfm session-list
You should observe the session list which shows managed devices, their connecting IP address
and their link local address (169.254.0.x) along with their uptime for FGFM tunnel.
3. Now we will be importing the new firmware image into the FortiManager from local management
computer and upgrading the FortiGate firmware from the FortiManager.
Go to the FortiGuard tab > Firmware Images > Click on Import Images.
Click Import and then click on Browse.
Go to Resources/FortiManager/Firmware folder on the Windows Server desktop and select

FGT_VM64-v5-build0642-Fortinet firmware image.
Click Open and then click on OK.
You will observe that firmware image has been saved on the FortiManager.
4. Click on Device Manager tab and select myADOM from the ADOM drop down list.
Right click on Managed FortiGates and select Firmware Update.

© FORTINET
Open the console connection to Remote and Student FortiGate to observe the firmware upgrade.
Click on Upgrade Now to upgrade the firmware on both the FortiGate devices.
Click on OK on the firmware upgrade pop up message.
You should observe that firmware upgrade has been accepted
5. On the console connection on Remote and Student FortiGate you should observe firmware
upgrade.

DO NOT REPRINT  Appendix A: Additional Resources
© FORTINET
Appendix A: Additional Resources
Training Services http://training.fortinet.com
Technical Documentation http://help.fortinet.com
Knowledge Base http://kb.fortinet.com
Forums https://forum.fortinet.com/
Customer Service & Support https://support.fortinet.com
FortiGuard Threat Research & Response http://www.fortiguard.com

DO NOT REPRINT  Appendix B: Presentation Slides
© FORTINET
Appendix B: Presentation Slides

DO NOT REPRINT  Introduction to FortiManager
© FORTINET
In this lesson, we will show you FortiManager basics. This includes how FortiManager fits into your
existing network architecture.
FortiManager provides centralized policy-based provisioning, configuration, and update management for
various Fortinet security devices, such as FortiGate (including FortiGate, FortiWiFi, and FortiGate VM),
FortiCarrier, and FortiSwitch devices.

© FORTINET
After completing this lesson, you should have these practical skills that you can use to apply and
integrate FortiManager in your network to manage Fortinet security devices.
Although this lesson introduces the concepts and key features, its objectives are about understanding
and implementing these features.

© FORTINET
In network security world, often we get the challenges for mass provisioning, ongoing configuration
changes, and maintaining, tracking, and auditing the changes. It increases management burden as well
as operation costs.
Why do we need FortiManager in our network?
FortiManager is an integrated platform for the centralized management of products in a Fortinet security
infrastructure. It can act as a key device in your network for diversity of deployment types, growth
flexibility, and reduction of operation costs and provides an efficient way to track and audit changes. It is
primarily designed for medium to large enterprises and managed security service providers.
What can FortiManager do?
• Manage up to 10,000 Fortinet devices / virtual domains (VDOMs) from a single FortiManager
interface.
• Rmeote management for FortiGate (including FortiGate, FortiWiFi, and FortiGate VM), FortiCarrier,
FortiSandbox, and FortiSwitch devices.
• Provide centralized policy-based provisioning.
• Act as a central repository for managed devices’ configuration revision control and auditing.
• Deploy and manage complex mesh and star VPN’s ranging from a few to 1000 or more devices.
• Act as an on-site FortiGuard Distribution Server (FDS) for your managed devices and FortiClient
agents.
• Script and automate device provisioning, policy pushing, etc. with JSON APIs or build custom web
portals with the XML API.

© FORTINET
Now that we know what FortiManager is, let’s identify the key features and feature support for various
Fortinet security products that can be managed by FortiManager.

© FORTINET
Let’s outline the key features of the FortiManager, which can help you to better organize and manage
your network:
Key features of the FortiManager are:
• Configuration revision control and tracking. Your FortiManager device records and maintains the
history of all configuration changes made over time. Revisions can be scheduled for deployment or
rolled back to a previous configuration when needed.
• Centralized management. FortiManager can centrally manage the configurations of multiple devices
from a single console. Configurations can then be built in a central repository and deployed to
multiple devices when required.
• Administrative domains. FortiManager can segregate management of large deployments by grouping
devices into geographic or functional ADOMs.
• Local FortiGuard service provisioning . To reduce network delays and minimize external internet
usage, a FortiManager installation can also act as an on-site FortiGuard Distribution Server (FDS) for
your managed devices.
• Firmware management. FortiManager can centrally manage firmware images and can be scheduled
for firmware upgrade for managed devices.
• Scripting. FortiManager supports Command Line Interface (CLI) or Tool Command Language (TCL)-
based scripts to simplify configuration deployments and can be scheduled.
• Logging and reporting. FortiManager can be used to log traffic from managed devices and generate
SQL-based reports. FortiManager also integrates FortiAnalyzer logging and reporting features.

© FORTINET
FortiManager supports a wide variety of Fortinet security products in terms of management, FortiGuard
updates, logging, and reporting.
Products supported by FortiManager include:
• FortiGate
• FortiCarrier
• FortiAnalyzer
• FortiCache
• FortiClient
• FortiMail
• FortiSandbox
• FortiSwitch ATCA
• FortiWeb
• Syslog

© FORTINET
FortiManager fully supports FortiGate and FortiCarrier for FortiGuard updates and can act as a local
FortiGuard Distribution Server (FDS). You can configure FortiManager as a local FDS to provide
FortiGuard updates to other Fortinet security devices and agents on your network. This table illustrates
the updates are available per platform and version.

© FORTINET
Now that we know FortiManager’s key features, let’s identify the key concepts of FortiManager and
commonalities with FortiAnalyzer.

© FORTINET
FortiManager and FortiAnalyzer products share the same hardware and software platform.
FortiManager can also act as logging and reporting device, but there are logging rate restrictions in
comparison with FortiAnalyzer. It can, however, be used as fully functional logging and reporting device
for low volumes of logs. In case of high log volumes, you can integrate FortiAnalyzer into the network.

© FORTINET
FortiManager has these tabs that are used to implement the key features:
• The Systems Settings tab. This enables the configuration of system settings and monitors the
operation of your FortiManager device.
• The Device Manager tab. This contains all ADOMs and devices. You can create new ADOMs;
device groups; provision and add devices; install device settings; and configure revision control and
tracking.
• The Policy & Objects tab. This contains all of your global and local policy packages and objects that
are applicable to all ADOMs, and installs policy & objects.
• The Fortiguard tab. This deploys your FortiManager device as a private FortiGuard Distribution
Server (FDS). FortiManager synchronizes available updates with the FortiGuard Distribution Network
(FDN) and then provides FortiGuard updates to your managed devices. Using a private FDS provides
a faster connection to your security infrastructure.
When the FortiAnalyzer feature set is enabled on FortiManager, the following tabs appear to provide the
logging and reporting features:
• The FortiView tab. This provides detailed logging information that can be viewed and exported. It
gives the ability to view the logs in real-time and historically.
• The Event Management tab. This enables you to configure event handlers based on the log type and
logging filters. You can select to send the event to an email address, SNMP community, or syslog
server.
• The Reports tab. This provides a detailed SQL-based reporting of managed devices.
Note: The FortiAnalyzer feature set is not available on the FortiManager 100C. This lesson focuses on
centralized management and services, not log storage and reports.

© FORTINET
This slide illustrates the different management layers, which are referred to as “tabs” due of their
presentation in the GUI. The Device Manager is illustrated as a Management Module which covers
revision history / scripting.
Let’s identify the function of each tab:
• System Settings tab enables you to manage and configure system settings, such as network
interfaces, administrators, system time, server settings, widgets, and tabs. You can also perform
maintenance and firmware operations.
• FortiGuard tab enables you to download FortiGuard updates from the FortiGuard Distribution
Network (FDN) and can act as local FortiGuard Distribution Servers (FDS) for managed devices. It
also includes firmware revision management and managed devices firmware can be upgraded from
the FortiManager.
• FortiView, Event Management and Reports tab enables FortiManager to act as a logging, event
handler, and reporting device for various Fortinet security devices. There are some restrictions on
logging and reporting based on logs and supported devices. To confirm the feature available for your
device, check the Release Notes for the firmware running on the FortiManager by logging into
https://support.fortinet.com or http://docs.fortinet.com.
• Policies & Objects tab enables you to centrally manage and configure settings related to policies
rules and objects, such as firewall objects, security profiles, and User & Devices settings that are
managed by the FortiManager unit. Policy package can be imported from managed device and
changes related to policy and objects can be installed to the managed devices.
The next few slides look at device management layers and the Device Manager in further detail.

© FORTINET
FortiManager is a robust system with multiple layers that allows you to effectively manage your Fortinet
security infrastructure. Let’s outline the device management layers on the FortiManager.
• The Global ADOM Layer contains two key pieces: the global object database and all header and
footer policy packages. Header and footer policy packages are used to envelop policies within each
individual ADOM. An example of where this would be used is in a carrier environment, where the
carrier would allow customer traffic to pass through their network, but would not allow the customer to
have access to the carrier’s network infrastructure.
• The ADOM Layer is where the FortiManager manages individual devices or groups of devices. It is
inside this layer where policy packages are created, managed, and installed on managed devices.
Multiple policy packages can be created here. It contains one common object database per ADOM,
which contains information such as addresses, services, and Security Profiles.
• The Device Manager Layer records information on devices that are centrally managed by the
FortiManager device, such as the name and type of device, the specific device model, IP address,
current firmware installed, revision history, and real-time status. Device Manager has a database per
managed device, and device settings are configured here.
The next slide illustrates how these layers are implemented.

© FORTINET
This slide details the management model. Understanding the details of this model is one of the key
objectives of this course.
• In the Global ADOM layer, header and footer policy rules are created. These same policy rules can
be assigned to multiple ADOMs, which can contain multiple policy packages. It eliminates the need to
create the same set of policy rules and objects if required by multiple ADOM policy packages.
• In the ADOM layer, objects share the common object database per ADOM and can be shared among
multiple policy packages within the ADOM. Policy packages can be created or imported from the
managed devices and can be installed on managed devices.
• In the Device Manager layer, configuration specifically related to device settings can be configured
and installed per device. If a configuration change is detected—whether the change is made on the
FortiManager for the managed device or locally—it compares the difference between the current
configuration revision to the changed configuration and creates a new configuration revision on
FortiManager. So whether the configuration change is big or small, FortiManager records it and saves
the full new configuration with the change. This is how FortiManager manages revision control and
administrators can audit or revert to previous revisions if required.

© FORTINET
Now that we have an understanding of the management module and the different layers on
FortiManager, let’s explore ADOMs, the different modes of operation, and how to determine which mode
is right for your network.
Administrative Domains (ADOM) are not enabled by default and only the admin administrator can
enable/disable this feature on the main dashboard on the FortiManager. When you configure ADOMs,
you can choose between two modes: Normal or Backup.
By default, FortiManager ADOMs are in Normal mode. All tabs are available in this mode and the ADOM
is in read/write. This allows you to make changes from FortiManager to the ADOM and managed
devices. Alternatively, changes can be made directly, which automatically updates the revision history.
This allows you to configure settings for managed devices, such as device level settings, device
templates for mass provisioning, policy & objects, and scripts to name a few.
But what if managed device configuration changes need to made directly on the device every single time
and you want to use FortiManager for only revision control and tracking purposes? In this case, you can
configure ADOM in backup mode.
When configured in backup mode, the ADOM is considered Read-Only and the Device Manager tab has
restricted functionality. It can be used to add/delete the device and other functions, such as configuring
and installing, but device levels settings are not available. For the same reason, the Policy & Objects tab
is not available. Changes can be made to managed devices only through scripts on the FortiManager. If
changes are made directly on the managed device, it needs to meet specific conditions to back up the
configuration revision, which are:
• Configuration change and session timeout
• Configuration change and logout
• Configuration change and reboot
• Manual configuration backup from the managed device

© FORTINET
Later, we will discuss ADOM modes in further detail. From now, normal ADOM mode will be used.

© FORTINET
The management tasks for devices in a Fortinet security infrastructure follow this typical life cycle:
1. Deployment: An administrator completes configuration of the Fortinet devices in their network after
initial installation.
2. Monitoring: The administrator monitors the status and health of devices in the security
infrastructure, including resource monitoring and network usage. External threats to your network
infrastructure can be monitored and alerts generated to advise.
3. Maintenance: The administrator performs configuration updates as needed to keep devices up-to-
date.
4. Upgrading: Virus definitions; attack and data leak prevention signatures; web and email filtering
services; and device firmware images are all kept current to provide continuous protection for
devices in the security infrastructure.
FortiManager can help to reduce workload in each of these phases.

© FORTINET
Now we know, what is FortiManager and what it can do, let’s identify the various hardware and virtual
appliances available for FortiManager and compatibility with other Fortinet security products.

© FORTINET
The FortiManager can be deployed and integrated in your network as a physical appliance or virtual
machine (VM).
Physical appliances come with different dimensions and rack mount space; interface types (Gigabit
Ethernet, SPF, SPF+) ; levels of RAID management support, and redundant hot swap power supplies.
Due to the hardware differences, the amount of devices you may support and the amount of logging data
per day is limited by the appliance model.
VMs are designed for VMware ESX / ESXi , Microsoft Hyper-V, and Amazon Web Service (AWS). It has
a stackable license model that also has limits on the number of devices, storage, and data rates for
logging. This model allows you to grow your solution as your environment expands.
The next couple of slides look at the FortiManager maximum values and the VM licensing model.

© FORTINET
As you can see, there are many hardware-based models available for FortiManager. Each model is
multifaceted with different capabilities and feature support. Depending on your network, you can choose
the model that suits your needs.
If you are managing a small network of Fortinet devices, you can choose FortiManager-200D, which is 1
RU rack mount with four Gigabit Ethernet (GE) interfaces and capable of managing a maximum of 30
devices. However, it doesn’t support web portal, Shelf Manager, and Closed Network Mode capabilities
(which will be discussed in detail later in the training).
High security organizations managing fewer than 1000 FortiGate appliances may need to restrict Internet
service from internal FortiGate appliances and need to use a local FortiManager appliance to provide
both license validation and FortiGuard Distribution Network (FDN) updates. In this case, you can look at
FortiManager-1000D, which has six Gigabit Ethernet (GE) and two SFP (Small Form-Factor Pluggable)
interfaces, providing speeds up to 4.25 Gbps (useful for faster distribution of updates to the internal
FortiGate appliances).
Large organizations, such as Managed Service Providers or Managing Retail Networks, would require a
more powerful appliance such as FortiManager- 3900E, capable of managing 10,000 devices. From a
hardware prospective, it has two Gigabit Ethernet interfaces and two SFP + (Small Form-Factor
Pluggable) interfaces, providing speed up to 10 Gbps or higher over fiber. It also supports all RAID levels
and has 15 hard drives of 960 GB capacity each, which are hot swappable. The total storage capacity
varies based upon the RAID level configured. It also has two redundant hot swap power supplies.

© FORTINET
Virtual machines use third-party hardware and the features are license-dependant. For example, the
FMG-VM-Base license is capable of managing up to 10 devices, but doesn’t support a shelf manager.
FMG-VM-U-UG is capable of managing unlimited devices. Performance may vary based on the
hardware resources allocated to FortiManager VM.
Both 32-bit and 64-bit FortiManager VMs exist.

© FORTINET
Number of devices supported, capabilities, and supported features depend upon the license purchased
for FortiManager VM.
When configuring your FortiManager VM, ensure to configure hardware settings as outlined in the table
and consider future expansion.
FortiManager VMs include a free 15-day trial license that includes all features. No activation is required
for the built-in evaluation license. The trial period begins the first time you start the FortiManager VM.
Once the trial expires, functionality is disabled until you upload a license file. To upload a license file, you
first need to register the FortiManager VM with the “license registration code” provided upon license
purchase on the Customer Service & Support site at https://support.fortinet.com/ . This provides you with
the actual license file that you can upload to your FortiManager VM.
For more information, see the FortiManager product data sheet available on the Fortinet website:
http://www.fortinet.com/products/fortimanager/virtualappliances.html

© FORTINET
Although FortiManager can support multiple Fortinet security products and different firmware versions of
these products, it is always good practice to check the Release Notes for specific details on product
integration and support. With the release of new firmware versions of different Fortinet security products,
many new features are integrated and release notes provide important information regarding
compatibility and any interoperability issues.
Release notes are updated as the new firmware version is released and are available at the Fortinet
Technical Documentation web site (http://docs.fortinet.com/) or at the Customer Service & Support portal
(https://support.fortinet.com/).
You can also confirm that a device model or firmware version is supported by the current firmware
version running on FortiManager via this CLI command:
diagnose dvm supported-platforms list

© FORTINET
Now let’s outline some common FortiManager use cases.

© FORTINET
A common FortiManager use case involves large retail customers or distributed enterprises, as they tend
to have many smaller customer premises equipment (CPE) devices in their branches as well as remote
sites and several main sites. These customers benefit from centralized firewall provisioning and
monitoring.
Based on some large scale enterprise deployments, the preference is for a low-touch and plug-and-play
format for the initially deployed FortiGate devices, which would only have a basic "phone home"
configuration loaded via USB or copy & paste from a console port session by the installation technician.
This basic configuration would have enough information to allow the FortiGate devices to contact a
FortiManager, where it would be manually identified by an administrator and added to the appropriate
device group and/or ADOM and then the site-specific full configuration would be pushed down to the
device.

© FORTINET
Another common use case involves Managed Security Service Providers (MSSP). Carriers may have
many high-end firewalls implemented and require strict configuration control, which is achievable by
restricting the configuration from the FortiManager. MSSPs may provide customers with access to virtual
firewalls on a high-end platform or managed customer premises devices. In both cases, they need to
maintain revision control for the customer and optionally provide a portal where customers can view
and/or edit some of their configuration settings.
Another important use case for MSSPs is being able to tell (or report) which firewall or configuration
objects are in use or not in use. Firewall polices change over time and associated objects get substituted
for other new objects, but often administrators want to keep the old objects around in case they need to
revert any changes. But eventually, the unused objects start cluttering up the FortiGate configurations,
so performing periodic clean-ups of these orphan configuration objects is useful for keeping the system
uncluttered and easier to maintain.

© FORTINET
As you can see there, there are different requirements for different types of organizations, such as retail
or Managed Security Service Providers (MSSP). We will cover these topics in detail so you can have the
practical skills necessary to manage devices for diverse organizations.

© FORTINET
This diagram illustrates the three APIs available on FortiManager.
• SDK API – This API was originally designed to allow the creation of web portals or to integrate such a
portal into an existing system.
• JSON API – A new addition in FortiManager 5.0, this API allows you to do many of the same
functions as the FortiManager Web User Interface itself. It allows Managed Security Service
Providers and large enterprises to create customized, branded web portals for policy and object
administration.
• XML API – This API enables you to retrieve information about managed devices, execute scripts to
modify device configurations, and install the modified configurations on the devices. It is designed to
allow for quick provisioning of Administrative Domains, devices, and scripts on a FortiManager.
The FortiManager APIs are a very powerful tool that offers administrative web portals to customers,
automated deployment, and provisioning systems. Fortinet Developer Network (FNDN) provides access
tools, sample code, documentation, and the Fortinet developer community (you must subscribe to the
Fortinet Developer Network). It is the recommended path to learn the portal and is not covered in this
course.

© FORTINET
You should now be able to explain FortiManager; understand key features and key concepts; and
understand the different FortiManager models, firmware versions, and FortiManager APIs.
We showed how FortiManager can manage large number of Fortinet Network Security devices to
improve efficiency and reduce operation cost.

DO NOT REPRINT  System Settings
© FORTINET
In this lesson, we will show you how to set up FortiManager.

© FORTINET
After completing this lesson, you should have these practical skills that will allow you to configure and
administer the FortiManager.

© FORTINET
Although this lesson introduces the concepts and key features, its objectives are about understanding
and implementing these features.

© FORTINET
Before FortiManager can start managing Fortinet security devices, it has to be properly deployed in your
network. This involves identifying your deployment requirements, placing your FortiManager correctly
within your network, connecting the appliance, and selecting a configuration tool to manage and
administer the FortiManager.

© FORTINET
FortiManager uses a wide variety of TCP and UDP ports to perform various tasks. Ports are listed based
on traffic originating from FortiManager and traffic received (listening ports) by FortiManager. Traffic
varies by enabled options and configured ports. Only the most common default ports used by
FortiManager are listed in this table. FortiManager uses standard ports for management such as:
HTTP Port 80 (TCP)

HTTPS Port 443 (TCP)
SSH Port 22 (TCP)
TELNET Port 23 (TCP)
It is always good to know what ports are being used by FortiManager when you are deploying it, as it can
help you to analyze, diagnose, and resolve common FortiManager issues.

© FORTINET
This is an example network topology for deploying FortiManager. You can position the FortiManager just
about anywhere that you position a server or other end point device. It is always best practice to deploy
FortiManager behind the firewall (in this example, the firewall is a FortiGate) and to create a virtual IP on
the firewall for accessing FortiManager from outside of your local network or from the internet. On the
perimeter firewall, allow only relevant ports in the firewall policy for FortiManager as a security
consideration.
However, in the case of an emergency, you need to be able to connect to the console port. As such, it is
best practice to have a management computer directly connected to FortiManager by way of switch.

© FORTINET
Once you remove the FortiManager from the box or deploy a FortiManager VM, what is the next step?
Once your FortiManager is connected, your need to begin the initial configuration. There are two tools
you can use to configure the FortiManager, both for initial configuration and beyond – the Web-based
manager and the CLI.
All physical FortiManager models have a console port. For accessing FortiManager via the console port,
you need to configure the following settings on your terminal emulator program.
Baud Rate: 9600
Data bits:8
Parity: None
Stop bits:1
Flow Control: None
The console port provides CLI access without a network.
• On some models, it’s a serial port. A standard null modem cable (DB9 to DB9) can be used to
connect the serial port to your management computer’s serial port.
• On some models, it’s an RJ-45 port. Access by connecting an RJ45-to-serial cable from your
management computer’s serial port to the RJ45 port on FortiManager.
Each device ships with its appropriate cable.

Serial ports on computers are becoming less common. If your computer doesn’t have one, you can
purchase a USB-to-serial adapter.

© FORTINET
It is important to know the default settings for FortiManager in order to access it. You can find the default
settings in your model-specific QuickStart Guide at:
http://docs.fortinet.com/
By default, port1 on FortiManager has an IPv4 IP of 192.168.1.99/24. It is important to change the

default password for security reasons. A complex password is strongly recommended.
Default credentials to log in are:

Username: admin
Password: <blank>
By default, administrative access protocols are enabled on FortiManager so that you can connect to it
from a management computer. However, you can enable or disable these protocols depending on your
preferred protocols or to restrict access.

© FORTINET
The web-based manager is the graphical user interface (GUI) configuration tool for FortiManager. You
can connect to it locally, by connecting an Ethernet cable directly to the FortiManager, or remotely,
through your network.
What features an administrator has access to upon login is dependant on two factors: the FortiAnalyzer
feature set (which is disabled by default) and the administrator profile of the account. For example, when
the FortiAnalyzer feature set is disabled, the GUI does not display the FortiView, Event Management and
Reports tabs. And if logged in with the Standard_User or Restricted_User administrator profile,
full accesses privileges, like those granted to the Super_User, are not available.
Any configuration changes made using the GUI take effect immediately without rebooting FortiManager
or interrupting service.

© FORTINET
The command line interface (CLI) is the other configuration tool for FortiManager and is accessible both
locally and remotely, just like the GUI. You can execute CLI commands through the CLI Console widget
available in the web-based manager under System Settings > Dashboard or use a terminal emulation
application. The latter requires a separate telnet, SSH, or local console connection.
Again, just like the GUI, the commands available to execute are based on the FortiAnalyzer feature set
(whether enabled /disabled) and the administrator profile of the person who logged in. Note that there
are some settings that are CLI-only: they cannot be performed through the GUI.

© FORTINET
Now that we know the deployment considerations and tools available to configure FortiManager, let’s
start configuring FortiManager’s basic network settings in order to access the device locally or remotely.

© FORTINET
In order to connect to the GUI, you need to
1. Connect port1 of FortiManager to a management computer using an Ethernet cable.

2. Configure the management computer to be on the same subnet as Port1 of FortiManager (IP
192.168.1.<x>, net mask 255.255.255.0, where <x> can be 1 to 254, except 99).
3. Access FortiManager’s Web-based manager by browsing to https://192.168.1.99 in a
supported browser.
4. Type admin in lower case the User Name field, leave the Password field blank, then click Login.
Remember: The default login is publicly available knowledge. Never leave the default password
blank! Before you connect your FortiManager to your overall network, set a complex password.

© FORTINET
Once logged in, you must configure the interface, the primary and secondary DNS server IP addresses,
and the default gateway. While you can perform these tasks through the Web-based manager as well as
the CLI, the Web-based manager will be used for the sake of simplicity.
All initial configuration tasks are performed from the same area of the GUI: System Settings > Network.
On next slide, we will show you how to configure these settings.

© FORTINET
To configure the network settings of the management interface, go to System Settings > Network.
Upon initial logon, the IP/Netmask field is prefilled with the default network settings (default IP/Netmask:
192.168.1.99/24), which is Port 1 designated as Management Interface on the FortiManager device.
Change the IP and, if necessary, netmask, associated with this interface based on your own network.
You can assign IPv4 and IPv6 addresses, which must be static.
Administrative Access allows you to select the administrative protocols you want to support for IPv4 and
IPv6. Any interface that is used to provide administration access to FortiManager requires at least HTTP
or HTTPs for Web-based manager access, or SSH for CLI access. These are enabled by default on Port
1 on FortiManager. Administrative access for IPv4 and IPv6 have been separated, so you can mix and
match the options you want.
Service Access allows you to select the FortiGuard services that are allowed access on this interface.
These include FortiGate updates and web filtering/antispam. By default, all service access is enabled on
port1, and disabled on other ports.
Default Gateway allows you to route internal traffic to another, usually external, network. It is the IP of
the next hop in the network. Setting up the default gateway for port1 will add a default route for port1.
DNS settings for Port 1 on FortiManager is configured with the default FortiGuard DNS servers. You can
change these DNS servers to use your internal DNS servers or public DNS servers, if required.
Additional configurations, such as configuring multiple interfaces or routes, can be configured by clicking
All Interfaces and Routing Table (for Ipv4) or IPv6 Routing Table respectively. Diagnostic tools such as
ping, traceroute, and view logs are available for analyzing and diagnosing basic networking issues for
convenience. Click Apply to save the changes.

© FORTINET
Now that we know how to configure the networking settings for FortiManager, let’s start configuring
administrator accounts and administrator profiles.

© FORTINET
In order to efficiently administer your system, FortiManager comes pre-defined with four default profiles
that you can assign to other administrators. Administrator profiles define administrator privileges. The
four profiles, which are located under System Settings > Admin > Profile, are:
• Super_User: Superuser profiles have all system and device permissions enabled. The Super_User
profile cannot be modified, as this profile is the root profile assigned to the default admin
administrator.
• Standard_User: Standard profiles have no system permissions enabled, but have read/write access
for all device permissions.
• Restricted_User: Restricted profiles have no system permissions enabled, and have read-only
access for all device permissions.
• Package_User: Package profiles have read/write policy package and objects permissions enabled,
and have read-only access for system and other permissions.
All these profiles are System Admin types, which provides with read-write, read-only, and “none” access
to the system and device permissions.
If required for your management requirements, you can double-click Standard_User,

Restricted_User, and/or Package_User to modify the individual privileges of the profile. Note that
Super_User cannot be modified.

© FORTINET
What if you don’t want to provide access to the system and device permissions, but only to few security
profiles settings instead?
To do this, you can configure the “Restricted Admin” profile, which allows a delegated administrator to
manage administrative domain (ADOM) security profiles. You can allow the delegated administrator to
make changes to the web filtering profile, IPS sensors, and application sensors associated with their
ADOM.
To create a new “Restricted Admin” profile, go to System Settings > Admin > Profile > Create New.
• Profile Name: Type a name for this profile. In this example, we named it “Junior_Admin”.
• Type: Select Restricted Admin.
• Permission: Enable permission for Web Filter Profile, Application Sensor, and IPS Sensor.
Note that the web portal is no longer available. It has been replaced by the Restricted Admin type in
FortiManager 5.2. You can still access the web portal content via API services.

© FORTINET
You can customize and configure System Admin and Restricted Admin administrator profile types.
For the System Admin type, you can modify one of the pre-defined profiles or create a custom profile if
needed. Only administrators with full system permissions can modify the administrator profiles.
Depending on the nature of the administrator’s work, access level, or seniority, you can allow them to
view and configure as much, or as little, as required. In this example, we provided read-write access only
for the following Device Manager permissions: Install To Devices and Retrieve Configuration from
Devices. From the Policy & Objects permissions, we provided read-write access only for Policy Package
& Objects. Administrators with this access level can only configure and install these changes, and can
only view devices in the Device Manager tab — they do not have permissions to add or delete devices.
Also this administrator does not have access to System Settings, Administrative Domain, FortiGuard
Center, etc.
For Restricted Admin, you can create a new restricted admin profile to allow the delegated administrator
to make changes to the web filtering profile, IPS sensor, and application sensor associated with their
ADOM.

© FORTINET
The FortiManager system supports remote authentication of administrators using LDAP, RADIUS, and
TACACS+ servers. These configurations are similar to FortiGate remote authentication configuration.
For more information about setting up each server, see the FortiManager Administration Guide.
You can configure these remote authentication servers by clicking System Settings > Admin > Remote
Auth Server. RADIUS, LDAP, TACACS+, and PKI can all be used as a means of verifying the
administrator passwords. To configure two-factor authentication (PKI), you require FortiAuthenticator
and FortiToken.
Once your administrative profiles and remote authentication servers are configured, you can create
administrator accounts. This is performed through System Settings > Admin > Administrator. Click
Create New to create a new account.
• The Type drop-down list allows you to select the type of authentication. Options include LOCAL,
RADIUS, LDAP, TACACS+, or PKI.
• The Admin Profile drop-down box allows you to select the administrator profiles you configured
previously. The profile selected determines the administrator’s permission to FortiManager features.
• System Admin: In this example for “System Admin”, the admin profile selected is
“Standard_User”. This allows the administrator to select and manage multiple Administrative
Domains and policy packages associated with these administrative domains.
• Restricted Admin: In this example for “Restricted Admin”, the admin profile selected is
“Junior_Admin” (see slide “Restricted Administrator Profiles” for details). This allows the
administrator to select and manage a single Administrative Domain and security profiles
associated with this ADOM.
• The Trusted hosts drop-down allows you to control access further by setting up trusted hosts for each
administrator. This restricts administrators to logins from specific IP’s or subnets only. FortiManager
allows you to configure up to ten IPv4 or IPv6 trusted hosts.
Administrator domains will be covered in detail later in this lesson.

© FORTINET
Based on the administrative profile and administrator configuration, you can provide granular access to
FortiManager.
Previously, we limited access for administrators with the System Admin type of administrator profile. As
such, only the Device Manager and Policy & Objects tabs are visible. Also, we allowed read-write for
Install To Devices under the Device Manager tab, which is why the option is enabled, and read-only
access for adding/deleting devices, which is why those tabs are disabled. Accordingly, this administrator
cannot add or delete devices from FortiManager.
When the administrator with the restricted admin administrator profile logs into FortiManager, they have
access to the security profiles that are configured for the account.

© FORTINET
For a simple means of tracking administrator sessions, including who is currently logged in and through
what trusted host, select System Settings > Admin > Administrator. Only the default administrator
account named admin can see the complete administrator list. If you do not have required viewing
permissions, you will not see the administrator list.

© FORTINET
Now let’s look into the more advanced features of administering and managing your FortiManager. This
includes features such as:
• Administrative Domains (ADOMs)

• Backup, Restore, and System Checkpoint
• Offline mode
• Meta fields
• Web Service Definition Language (WSDL)
• Event logs
• Task monitor
• Factory reset of FortiManager

© FORTINET
In order to better manage your network through FortiManager and to get a centralized summary of your
system information and a snapshot of your system resources, use the Dashboard in the GUI.
You can find the dashboard under the System Settings tab. The dashboard widgets include:
• System Information: This displays basic information about the FortiManager system, such as up
time and firmware version. You can also enable or disable Administrative Domains and FortiAnalyzer
features. From this widget you can manually backup the FortiManager configuration and update the
FortiManager firmware to a different release.
• System Resources: This displays the real-time and historical usage status of the CPU, memory, and
hard disk.
• CLI Console: This opens a terminal window that enables you to configure FortiManager using CLI
commands directly from the Web-based manager. This widget is hidden by default.
• License Information: This displays the devices being managed by FortiManager and the maximum
numbers of devices allowed.
• Unit Operation: This displays status and connection information for the ports of FortiManager. It also
enables you to shut down and restart the FortiManager device or reformat a hard disk.
• Alert Message Console: This displays log-based alert messages for both the FortiManager device
itself and connected devices.
The System Settings tab contains many options required to get the system operational. The
FortiManager Administration Guide is the best reference for these settings.

© FORTINET
FortiManager can also act as a logging and reporting device, but there are logging rate restrictions in
comparison to FortiAnalyzer.
The FortiAnalyzer feature set on FortiManager are disabled by default and can be enabled (or disabled)
from the GUI under the System Settings > Dashboard > System Information widget. To use the CLI to
enable or disable it:

set faz-status {enable | disable}
end
When enabling or disabling FortiAnalyzer features, your FortiManager reboots to apply these changes.
Then these tabs will appear:
• FortiView
• Event Management
• Reports

© FORTINET
Now let's look into how you can better administer your network through administrative domains, known
as ADOMs. ADOMs allow the admin administrator to create groupings of devices for administrators to
monitor and manage. For example, administrators can maintain managed devices specific to their
geographic location or business division.
Not only does this make device management more effective, as administrators need only worry about
devices in their ADOM, but it also makes the network more secure, as administrators are restricted to
only those devices which they should have access. The security risk increases as you open up and
expose more of your network.
Administrators who have the Super_User profile have full access to all ADOMs, whereas
administrators with any other profile only have access to those which they are assigned — this can be
one or more. ADOMs are not enabled by default and enabling and configuring the domains can only be
performed by the admin administrator.
This slide introduces the concept of ADOMs. FortiGate devices with multiple VDOMs can be divided
among multiple ADOMs. This is referred to as the advanced mode of ADOMs, which we’ll discuss soon.

© FORTINET
What is the best way to organize managed devices using administrative domains (ADOMs)?
You can organize managed devices into ADOMs to simplify management. You can organize these
devices by:
• Firmware version: You can group all devices with the same firmware version into the same ADOM,
for example if the FortiGate devices are running firmware version 5.0, you can group these devices
into version 5.0 ADOM, if FortiGate devices are running firmware version 5.2, you can group these
devices into version 5.2 ADOM.
• Geographic regions: You can group all devices for a specific geographic region into an ADOM, and
devices for a different region into another ADOM. For example, FortiGate devices in Americas can
grouped into ADOM and FortiGate devices in Europe can grouped into another ADOM.
• Administrators: You can group devices into separate ADOMs and assign to specific administrators.
• Customers: You can group all devices for one customer into an ADOM, and devices for another
customer into another ADOM.
• Device type: You can create a separate ADOM for each device type. Non-FortiGate devices are
automatically located in specific ADOMs for their device type. They cannot be moved to other
ADOMs. For example, FortiGate and FortiCarrier devices cannot be grouped into the same ADOM.
FortiCarrier devices are added to a specific default FortiCarrier ADOM.
• Organizational: You can separate “production” and “test network” FortiGate devices into separate
ADOMs.
When organizing managed FortiGate devices, always start grouping based on the firmware
version running on the FortiGate devices, as command syntax is different in different firmware
versions. For example, if you are grouping based on geographic region and have FortiGate devices
running 4.3 and 5.2 firmware in the same region, create separate ADOMs based on the firmware version
for that geographic region.

© FORTINET
ADOMs are enabled (or disabled) from the dashboard’s System Information widget. Once you change
the ADOM mode you are logged out from FortiManager so the system can reinitialize with the new
settings. The maximum number of ADOMs you can enable varies by FortiManager model.
Once enabled, the Web-based manager navigation changes. Now, you must select the ADOM from the
drop-down list in the toolbar to view device information. The Device Manager, Policy & Objects,
FortiView, Event Management, and Reports tabs are displayed in each ADOM.

© FORTINET
With ADOMs enabled, any administrator with the Super_User profile has access to the All ADOMs
page under the System Settings tab. The All ADOMs page displays all the ADOMs configured on the
device and provides the option to create new ADOMs (which we’ll discuss later). FortiManager has
default ADOMs for all non-FortiGate devices. While you can edit the default ADOMs, you cannot edit the
device type or firmware version of the device. These default ADOMs cannot be deleted, so you can
create a new ADOM if the default options do not meet your requirements.
Note that the list of ADOMs displays alphabetically, with capital letters appearing before lower case. So,
in this example, MYADOM2 comes before myadom1, because MYADOM2 is capitalized, but myadom1
comes after Syslog because “S” is capitalized in Syslog. Global Database will always appear at
the bottom of the list.

© FORTINET
Now we know what ADOMs are for, let's explore ADOM modes of operation.
When you configure ADOMs, you can choose between two modes: Normal or Backup.
By default, FortiManager ADOMs are in Normal mode. All tabs are available in this mode and the ADOM
is read/write. This allows you to make changes from FortiManager to the ADOM and managed devices.
Alternatively, changes can be made directly, which automatically updates the revision history. This
allows you to configure settings for managed devices, such as device level settings, device templates for
mass provisioning, policy & objects, and scripts to name a few.
But what if the managed device configuration changes need to be made directly on the device every
single time and you want to use FortiManager for only revision control and tracking purposes? In this
case, you can configure ADOM in Backup mode.
When configured in Backup mode, the ADOM is considered Read-Only and the Device Manager tab
has restricted functionality. It can be used to add and delete the device as well as other functions, such
as configuring and installing, but the device levels settings are not available. For the same reason, the
Policy & Objects tab is not available. Changes can be made to managed devices only through scripts on
FortiManager. If changes are made directly on the managed device, it needs to meet specific conditions
to back up the configuration revision, which are:
(A) Configuration change and session timeout | (B) Configuration change and logout | (C) Configuration
change and reboot | (D) Manual configuration backup from the managed device
Going forward, Normal ADOM mode will be used in this training.

© FORTINET
If the default list of ADOMs do not fit your requirements, you can create a new one. Click Create New
from System Settings > All ADOMs. The Create ADOM dialog box appears. An important field to note
within the dialog box is Device Type. Here, you must not only select the device type (available device
types: FortiGate or FortiCarrier) from the drop-down list, but you must also select the firmware version
of the device.
As different firmware versions on FortiGate may have different configuration syntax (due to addition of
new features or improving existing features), it is very important to make sure the version selected
matches the FortiGate firmware. For information on supported device firmware version, see the
FortiManager Release Notes.
As discussed in the previous slide, you can choose Normal or Backup mode based on your
requirements. When you configure ADOMs, the default VPN Management mode is Policy & Device
VPNs. When Central VPN Console is selected, the VPN Console menu item appears under the Policy &
Objects tab, which we will cover later in the training.
Normal and Backup mode is available when you configure ADOMs. In both scenarios, a FortiGate with
multiple virtual domains (VDOMs) will be added in the same ADOM. This is Normal ADOM device mode.
What if you are managed security service provider and have VDOMs on FortiGate for different
customers and would like to separate and add these VDOMs in different ADOMs?
You can enable advanced mode, which allows you to assign different VDOMs from the same FortiGate
device to multiple ADOMs. The Advanced Mode setting is applied globally to all ADOMs for FortiGate
and allows you assign different VDOMs from the same FortiGate device to multiple ADOMs . This will
result in a reduced operation mode and more complicated management scenarios. It is
recommended for advanced users only.
To enable Advanced mode, go to System Settings > Advanced > Advanced Settings and change the
selection in the ADOM Mode field.

© FORTINET
Each ADOM is associated with a specific FortiGate firmware version, based on the firmware version of
the devices that are in that ADOM. This version is selected when creating a new ADOM.
What if you have FortiGate devices are running firmware version 4.3 were added in ADOM version 4.3 ,
but now you need to upgrade the FortiGate devices to 5.0? What will be the impact of different device
firmware vs ADOM version?
ADOMs can concurrently manage FortiGate devices running both FortiGate firmware versions - v4.3 and
v5.0, or v5.0 and v5.2, allowing devices running these firmware versions to share a common database.
This allows you to continue to manage an ADOM as normal while upgrading the devices within that
ADOM. It is recommended that this feature be used only to facilitate upgrading to new firmware and that
ADOMs are not regularly run in this mode.
What are the steps you must consider prior to upgrading version 4.3 ADOM to version 5.0?
• Make sure that the FortiManager is upgraded to a version that supports this feature.
• In the ADOM, upgrade all of the FortiGate devices to FortiGate firmware version 5.0, and then
resynchronize all the FortiGate devices
• All of your ADOM objects, including Policy Packages, remain as v4.3. It is because only FortiGate
devices are upgraded to firmware version 5.0, but ADOM version is still 4.3.
In order to upgrade the ADOM, you must be logged in as the admin administrator (Super_User
administator). ADOM can be found under System Settings tab >All ADOMs. Locate the ADOM you
would like to upgrade, right click on ADOM and select Upgrade from the pop-up menu.
If the ADOM has already been upgraded to the latest version, this option will not be available.

© FORTINET
In some scenarios, multiple administrators are responsible for managing devices in the same ADOM.
With the concurrent ADOM access feature, administrators can log into the same ADOM concurrently.
This feature is enabled by default.
But what if multiple administrators try to make changes to devices in the same ADOM at the same time?
This can cause conflicts and chances are one administrator’s changes will be overridden by the other’s.
If this is likely to occur, you can disable concurrent ADOM access from CLI. This allows administrators to
lock their ADOM. The command is:

set workspace-mode normal
end
By default, workspace-mode is set to disabled, which allows concurrent access to ADOMs. Once
workspace-mode is set to normal, it disables concurrent access to ADOMs and allows ADOM locking
(which is covered in next few slides). Furthermore, only a single administrator has read/write access to
the ADOM, while all other administrators have read-only access.
You can also configure workspace-mode to workflow, which allows you to define approval or
notification workflow when creating and installing policy changes. Workflow mode is explained in detail in
the next few slides.

© FORTINET
This diagram example explains when workspace mode is set to normal.
When Admin A locks the ADOM prior to making the changes, the ADOM appears with green lock icon.
Admin A has read-write access and can make changes to the managed device in that ADOM.
For Admin B, that ADOM is presented with a red lock icon, which prevents Admin B from making any
changes. Admin B has read-only access to that ADOM and cannot make changes to managed devices
in that ADOM.
Admin A makes configuration changes to the managed devices and unlocks the ADOM. Admin B now
sees the grey unlocked icon and can lock the ADOM prior to making any changes.
Once Admin B locks the ADOM, the lock icon changed to green. Admin B now has read-write access
and can make changes to managed devices in that ADOM. The next slide shows the locking of an
ADOM on FortiManager.

© FORTINET
In order to disable concurrent access to the ADOM, you need to set workspace-mode to normal.
When workspace is enabled, the Device Manager and Policy & Objects tabs are read-only. You must
lock the ADOM to enable read/write permission to make changes to the ADOM.
There are three lock status which indicate the state of the ADOM:
• Grey lock icon: The ADOM/Policy Package is currently unlocked, and is read/write.
• Green lock icon: The ADOM/Policy Package is locked by you (when logged in as an administrator).
• Red lock icon: The ADOM/Policy Package is locked by another administrator.
ADOM lock can be enabled from either the Device Manager tab or Policy & Object tab. When you lock
an ADOM from any one of these tabs, it locks both tabs for that ADOM and the administrator has full
read-write control over the managed device settings in the Device Manager tab and Policy & Object tab.
Other administrators will have read-only access to your locked ADOM and will have red lock. If another
administrator needs read-write access to your ADOM, you can click Unlock ADOM to unlock.
When the ADOM is locked, any changes made to the device level setting in the Device Manager tab, or
policy and object changes in the Policy & Object tab, require you to perform a save operation prior to
installing these changes.

© FORTINET
Workflow mode is a new global mode to define approval or notification workflow when creating and
installing policy changes. When workflow mode is enabled, the administrator will have a new option on
the admin page to approve or reject workflow requests. Workflow mode is disabled by default and can
only be enabled via the CLI.
This mode introduces three new permissions for Super_Admin administrators:
• Self-approval: The account has rights to approve or deny changes without approvals. The account
cannot approve the changes of others without the approval permission.
• Approval: The account has rights to approve or deny the changes made by others. The account
cannot approve their own changes without the self-approval permission. When workflow mode is
enabled, all administrators with the approval permission will receive notifications by default.
• Change Notification: The administrator is notified via email of all changes made on FortiManager.

© FORTINET
Workflow mode can only be enabled via the CLI:

set workspace-mode {disabled | normal | workflow}
end
Before enabling the workflow mode, you must inform other administrators logged into FortiManager to
save their work, as it will terminate all management sessions to the FortiManager device.
When workspace-mode is set to workflow, the Device Manager tab and Policy & Objects tab are
read-only. You must lock the ADOM to create a new workflow session.

© FORTINET
Once the workflow mode is enabled, you can configure the workflow permissions using the command:
config system admin profile
Workflow approval can be enabled, which is read/write, or disabled, which is Read-Only/None.
• Read/Write: Administrator can create sessions, view diff, approve, and reject sessions.
• Read-Only/None: Administrator can create sessions and view diff only.
Once you have configured the profile with appropriate rights, you need to further configure workflow
approval from the GUI under System Settings > Admin > Workflow Approval.
You need to configure the following for workflow approval:
• ADOM: Select the ADOM on which you would like to apply workflow mode.
• Approval Group #1: Add the administrator who will approve the changes in that ADOM. Optionally,
you can click on green + icon to add more than one administrator to approve the changes.
• Send email notification to: You can also send administrators email notifications when another
administrator has made changes and submitted for approval.
• Mail server: You can also select the mail server configured on FortiManager. A mail server can be
configured under System Settings > Advanced > Mail Server.

© FORTINET
This diagram illustrates workspace mode set to workflow.
When Admin A locks the ADOM, the ADOM appears with green lock icon. Admin A has read-write
access and creates a new session under the Policy & Object tab in that ADOM. Admin A makes
configuration changes to the managed devices and submits the request for approval to Admin B. This
approval submission automatically unlocks the ADOM.
Admin B must have Read/Write permission for Workflow Approve. Admin B locks the ADOM and has
read-write access. Admin B opens the session list and has the option to approve, reject, discard, or view
diff for the changes submitted by Admin A.
The next few slides shows the workflow mode on FortiManager.

© FORTINET
Once you have configured workflow permission, you need to lock the ADOM. This can be done by
clicking the Lock ADOM icon either from the Device Manager tab or the Policy & Objects tab. The lock
icon changes to a locked state and on the automatic pop-up dialog, the Session List window is
displayed.
Click the Create New Session icon, type a name for new session, add comments (optional), and select
OK to start the session.

© FORTINET
After you make your required changes to the policies and objects (adding, editing, or deleting), click the
Session menu. The Sessions menu provides three options:
• Save: You can save your changes and continue working on making more changes in the same
workflow session.
• Submit: Once you are completely done with your changes, you can submit your changes for approval
to the administrator having approval rights for your changes.
• Discard: You can also discard your changes if you are not satisfied and it will leave the ADOM policy
and objects in the original state.
Once you click Submit, a pop-up window appears so you can submit the changes for approval.
Optionally, you can add a comment about your changes and/or attach the configuration change details
that will send an email to the approver. The ADOM returns to an unlocked state. An ADOM revision is
created for the workflow session.

© FORTINET
Once the workflow request is submitted, administrators with the appropriate permissions can approve or
reject the pending request.
The approval administrator must lock the ADOM during the decision process. Once the ADOM is locked,
they can bring up the session list by clicking Sessions > Session List.
Session List shows the administrator who submitted the request and other relevant information such as
date of submission, total requests, and comments by the submitting administrator.
Right-clicking the session provides four options:
• Approve: The session is waiting to be reviewed and approved. If the session is approved, no further
action is required.
• Reject: If the session is rejected, the system sends a notification to the administrator that submitted
the session. The approver administrator has the option to repair the changes. A session that is
rejected must be fixed before the next session can be approved.
• Discard: The approval administrator doesn’t agree with the changes and discards them. No further
action is required.
• View Diff: The approval administrator can view the difference between the original policy package
and changes made by the submitting administrator.

© FORTINET
It is recommended to regularly backup FortiManager to your management PC or central management

server to ensure that, should the system fail, you can quickly get the system back to its
original state with minimal effect on the network. This is, after all, your central management system and
you have invested considerable time and resources in building and maintaining your firewall polices.
You can perform ad-hoc backups from the System Information widget. Click Backup in the System
Configuration field. When you perform a backup from the Web-based manager, encryption is enabled by
default. If you use encryption, you must set a password that is used to both encrypt the backup file and
decrypt upon restoration.
You can also configure scheduled backups from the CLI at regular intervals by running command:
config system backup all-settings

© FORTINET
You can perform a system restore manually from the System Information widget. Click Restore in the
System Configuration field. A Restore pop-up box appears and you can browse to the location where
you saved the backup file you want to restore. If you encrypted the file, you must enter the password in
the Password field.
There are few other options in the Restore pop-up box that are worth discussing.
• Overwrite current IP, routing, and HA settings: By default, this check box is selected. If
FortiManager has an existing configuration, it will overwrite the current IP, routing, and HA settings
based on the configuration file you selected. Uncheck this box if you would like to keep the current
networking configuration of FortiManager. It will still restore the other configurations related to all
device information and Global database information.
• Restore in Offline Mode: By default, this check box is selected and grayed out. You cannot un-
check this box. The restore operation temporarily disables the communication channel between
FortiManager and all managed devices. This is a safety measure in case any devices are being
managed by another FortiManager. To re-enable the communication, go to System Settings >
Advanced > Advanced Settings and disable Offline Mode (we will discuss this soon).
You can also restore the FortiManager configuration from the CLI through the “execute restore
all-settings” command (check the FortiManager CLI Reference Guide for an explanation of these
commands).
When you are restoring a backup file, make sure the firmware version running on FortiManager and the
backup file is the same. FortiManager does not support restoring a configuration backup to a
firmware version that does not match.

© FORTINET
You can create a system checkpoint backup to capture a specific configuration. This backup provides a
history where the FortiManager and FortiGate devices are completely in sync. You should make a
system checkpoint backup before installing new firmware to devices or making a major configuration
change to the network. Should there be a major failure, you can completely revert FortiManager to when
it was in working order. These are, in essence, snapshots of your FortiManager managed network
system.
You can perform a system checkpoint manually from the dashboard’s System Information widget.
Select System Checkpoint in the System Configuration field. Click Create New in the menu bar and in
the pop up dialog box appears, add a comment describing the reason for the system checkpoint.
All the system checkpoints are saved in the system checkpoint table, which provide details such as
when system checkpoint was performed, who was the administrator, and comments by that
administrator. Also it provides a option to revert to a previous checkpoint. When reverting to a system
checkpoint, FortiManager needs to reboot.
System checkpoint is not widely used because it reverts (or make configuration changes to) the
configuration of all managed devices to its previous state. Many administrators prefer to roll back
firewalls on a per-device basis when necessary.

© FORTINET
Enabling Offline Mode (which is disabled by default) shuts down the FGFM protocol (TCP port
541) used to communicate with managed devices. This is a feature you can use to troubleshoot
problems, allowing you to change FortiManager device settings without affecting managed devices.
FortiManager cannot automatically connect to FortiGate if offline mode is enabled.
When you restore the FortiManager configuration backup the system automatically goes into offline
mode. In this mode the FGFM protocol (that is FortiGate FortiManager), which is the name of the
protocol used to manage the device, is shutdown. The protocol runs and listen on TCP port 541 and you
can check by running “diagnose fmnetwork netstat tcp” command in the CLI. When enabled
you cannot manage your devices.
This is useful should you load a backup on a second device for testing purposes. This device will then
not connect back to the FortiGate devices and start managing them.

© FORTINET
Different administrators on FortiManager can manage different FortiGate devices on it. What if, in case
of emergency, you need to contact the administrator who manage the FortiGate device in question?
You can configure metadata fields on FortiManager for these managed devices such as contact email,
contact phone, company/organization and more.
Meta fields enable you and other administrators to include extra information when configuring, adding, or
maintaining FortiGate devices or adding new administrators from FortiManager. This is information is
stored in the device database, but is not sent to the managed FortiGate device.
In order to view and configure the meta fields, go to System Settings > Advanced > Meta Fields. By
default, all the predefined Meta Fields are set with Importance to Optional. You can edit and change the
settings or click Create New to create a new meta field and define the following:
• Object: The object to which this metadata field applies.

• You can select either: System Administrators, Devices, Device Groups, Administrative Domain, Firewall
Addresses, Firewall Address Groups, Firewall Services, Firewall Service Groups, or Firewall Policy.
• If you select System Administrators, the object will apply only to administrators on FortiManager. All other
objects are related to FortiGate devices.
• Name: Type the label to use for the field.
• Length: Select the maximum number of characters allowed for the field from the drop-down list
(20,50, or 255).
• Importance: Select Required to make the field mandatory. Otherwise select Optional.
When the Importance field is set to Required, administrators must supply additional information when
they create a new FortiGate object, such as an administrator account or firewall policy.

© FORTINET
As FortiManager supports APIs (JSON, XML, and SDK), you need the format of the commands in order
to use the APIs.
WSDL files can be downloaded from FortiManager for various types of configurations from System
Settings > Advanced > Advanced Settings. Click Download.
Web services is a standards-based, platform-independent, access method for other hardware and
software APIs. The file itself defines the format of commands the FortiManager will accept, as well as the
response to expect. Using the WSDL file, third-party or custom applications can communicate with the
FortiManager device and operate it or retrieve information just as an administrator would from the Web-
based manager or CLI. You can select multiple types of files when downloading, but if Legacy
Operations is selected, no other options can be selected. These downloaded files can be opened and
viewed in any text editor and can be used with the supported FortiManager APIs.
The FortiManager APIs are a very powerful tool that offers administrative web portals to customers,
automated deployment, and provisioning systems. Fortinet Developer Network (FNDN) provides access
tools, sample code, documentation, and the Fortinet developer community (you must subscribe to the
Fortinet Developer Network). It is the recommended path to learn the portal and is not covered in this
course.

© FORTINET
The logs provide important information about the events that happen on FortiManager when analyzing,
troubleshooting, or investigating technical issues. The logs created by FortiManager are viewable within
the Web-based manager from System Settings > Event Log.
You can apply filters if you need to view specific types of log messages. For example, you can filter on
date, time, administrator, sub type, and messages. To apply a filter, click on any funnel icon and the
Filter Settings pop-up dialog appears where you can apply filter settings.
If the filter is applied to any category, the funnel icon turns green. To clear the filter, you can click Clear
All Filters in Filter Settings or click Clear Filter at the top window pane.
You can also download the logs to a local computer by clicking the Download icon, or view the raw logs
on FortiManager by clicking the Raw Log icon. If you need to refresh the logs to view recent logs click
the Refresh icon.
The event logging for FortiManager has several subtypes, some examples of which are given below. In
this lesson, we will refer to log messages in some tasks. For more detail, you should refer to the
FortiManager Log Message Reference Guide, available on:
http://docs.fortinet.com
System manager event, FG-FM protocol event, Device configuration event, Global database event,
Script manager event, Firewall objects event, Policy console event, and Revision history event.
By default, event log severity is set to “information” level. This can be changed (increased or decreased)
from the “config system locallog disk setting” CLI command in FortiManager.
Information-level log severity provides enough details about the log messages to investigate an issue.
Should you need to work with Fortinet Support, you can increase it to debug level to get more details on
the event logs.

© FORTINET
The task monitor allows you to view the status of all tasks that you have performed. You can refer to this
information to help troubleshoot an installation or other management action error message.
In order to view the tasks, go to System Settings > Task Monitor. You can then select a task category
from the View field drop-down list, or leave the default All.
From the View field drop-down list, you can select the following categories:
• Running: The task is still being processed and a percentage bar appears in the status column.
• Pending: The task is still pending (to being processed).
• Done: The task completed with success
• Error: The task completed, but without success. A red X will appear in the Status column
• Cancelled: The administrator cancelled the task
• Cancelling: The administrator is cancelling the task
• Aborted: The FortiManager system stopped performing this task
• Aborting: The FortiManager system is stopping performing this task
• All: Viewing all types of tasks
You can also click on the expand arrow icon to display the specific actions taken under this task. This is
useful when troubleshooting warnings and errors. You can also run the following CLI command to repair
or reset the task database: diagnose dvm task list <adom> <type>. This command lists task
database information. You can optionally type the name of the ADOM or type all to view tasks from all
ADOMs. Also in the same command you can select the task type that you want to view.
“diagnose dvm task repair” repairs the task database while preserving existing data where
possible. The FortiManager reboots after the repairs. It is not recommended to use very often, as it may
make many changes to the FortiManager database.
“diagnose dvm task reset “ resets the task database to its factory default state. All existing tasks
and the task history will be erased. The FortiManager reboots after the reset.

© FORTINET
If for any reason you need to factory reset the FortiManager, make sure to back up the FortiManager
configuration first. Also, you must connect to FortiManager via the console port, as it will erase the
management IP and routes.
In order to completely erase all the configuration database, you need to reset all settings and format the
disk. This can be done by running the following commands:
execute reset all-settings
execute format <disk | disk-ext4> <RAID level> deep-erase <erase-times>
The reset command resets the FortiManager to its factory default settings and erases all the
configuration on flash, including networking settings, such as IP and routes, and reboots the
FortiManager. However, chances are there might be data on the hard drive on the FortiManager, which
can be deleted by running the format disk command.
The format command erases all device settings/images, VPN & Update Manager databases, and log
data on the FortiManager system’s hard drive. You can also optionally select to perform a secure (deep-
erase) format, which
overwrites the hard disk with random data. You can also specify the number of times to erase the disks.

© FORTINET
These are the topics we covered in this module. Now you should be able to deploy and configure
FortiManager, create administrator accounts, and set up FortiManager.

DO NOT REPRINT  Device Manager
© FORTINET
In this lesson, we will describe the major functions of Device Manager, as well as how to manage a
FortiGate from FortiManager.

© FORTINET
After this lesson, you will have the practical knowledge and skills to manage your FortiGate on
FortiManager, including understanding the key features of Device Manager; describing and configuring
provisioning templates; describing FortiManager’s main wizards; adding FortiGate to FortiManager;
managing access points; configuring device level changes from Device Manager and installing them on
the devices; and understanding revision history and various synchronization behaviors.

© FORTINET
In addition, you should be able to describe the refresh command; manage a FortiGate HA; understand
scripts and device groups; replace a managed FortiGate; and finally, understand chassis management
from FortiManager.

© FORTINET
Before the FortiManager can start managing Fortinet security devices, we need to understand the
functionality of the Device Manager tab, which is used to add new devices, view managed devices,
configure display options, and configure and apply provisioning templates to name a few. let's start
exploring the Device Manager tab on FortiManager.

© FORTINET
In the FortiManager Web-based manager, the Device Manager tab provides a summary view of all your
managed devices. It provides important information such as device name, connectivity, managed device
IP, platform, and logging settings of the managed devices. It also allows you to manage devices at the
device level, for example, FortiGate, FortiCarrier, FortiSandbox, and FortiSwitch to name a few. For non-
FortiGate devices, devices must be managed within their administrative domains (ADOMs), which
requires ADOMs to be enabled.
From the Device Manager tab, you can:
• Perform operations for one or more devices

• Perform device synchronization status and configuration revisions
• Configure device settings, and
• Add new devices as well as install changes to the managed devices
Note that configuration related to the FortiGate firewall policy is not managed here—these configuration
settings are stored in the Policy & Objects tab. We will cover policies and objects in another lesson.

© FORTINET
On all FortiManager Web-based managers, the dashboard, available under the System Settings tab,
provides key information about the system, including device operation and system resources. It also
provides the ability to add (or remove) widgets, allowing you to see only the system information you want
to see.
FortiManager also provides a System dashboard for managed FortiGate devices, which is available
under the Device Manager tab by clicking a managed FortiGate. It provides some of the same
information as the dashboard available from the System Settings tab, such as serial number, HA status,
firmware version, and VM license information, but it is specific to your managed device. It allows you to
enable and disable VDOMs, view session information, database configuration, and connection summary
to name a few.
Unlike the System Settings dashboard, the System dashboard does not have widgets that you can add
or remove. It consists of the System Information widget, License Information widget, Connection
Summary widget, and Configuration and Installation Status widget.

© FORTINET
Similar to the FortiGate Web-based manager, not all available options are visible by default on
FortiManager’s Web-based manager.
Under the Device Manager tab, Display Options allows you to customize the device tabs at the ADOM
level. You can turn on or off tabs related to:
• System
• Router
• WAN Opt. & Cache
• Security Profiles
• VPN
• Wireless
• Query, and
• Report
Instead of turning on each category item individually, you can turn on all items in the category at once by
selecting All On within the respective category. To reset the default items for each category, select Reset
within the respective category. Likewise, you can turn on or reset all categories at once by clicking All On
or Reset located the bottom of the window (instead of within each category).
The options available on the dashboard toolbar varies from device to device depending on the feature
set the device supports.

© FORTINET
The Device Manager tab also includes the Provisioning Templates option in the left menu. This allows
you to create profiles that contain device level settings. These profiles facilitate identical device level
settings across many devices and may be edited and reapplied.
There are five types of templates based on common device settings that are located under Device
Manager > Provisioning Templates, including:
• System Templates: This allows you to create and manage common system level settings for the
managed device. System templates are available in v4.3, v5.0, and v5.2 ADOMs.
• WiFi Templates: This allows you to create and manage SSIDs, Custom AP Profiles, and WIDS
Profiles that can be applied to managed FortiAP devices. Wi-Fi templates are available in v5.0 and
v5.2 ADOMs only.
• Threat Weight Templates: This allows you to create threat weights, which can provide information
by tracking client behavior and reporting on activities that you determine risky or otherwise worth
tracking. When threat weight tracking is enabled, the Log Allowed Traffic setting becomes enabled on
all policies. In FortiOS v5.2, client reputation has been renamed threat weight tracking.
• FortiClient Templates: This allows you to create and manage FortiClient profiles, which can then be
assigned to devices. FortiClient templates are available in v5.0 and v5.2 ADOMs only. In FortiOS
v5.2, endpoint profile has been renamed FortiClient profiles.
• Certificate Templates: This allows you to create Certification Authority (CA) certificate templates,
add devices to them, and then generate certificates for selected devices. Once the CA certificates are
generated and signed, you can install them using the install wizard. Certificate templates are
available in v4.3, v5.0, and v5.2 ADOMs.
Note that the provisioning templates are based on specific ADOM versions, so some settings may not be
available.

© FORTINET
Now that we know the purpose of provisioning templates, let’s explore system templates, which are
located under Device Manager > Provisioning Templates > System Templates.
The System Template page contains one generic profile named ‘default’, which is a subset of model
device configurations and contains the following widgets:
• DNS
• Time Settings
• Alert Email
• Admin Settings
• SNMP
• Replacement Messages
• Log Settings
• FortiGuard
Widgets can be added by clicking Add Widget or can be deleted by clicking X on an individual widget.
Right-clicking the default profile provides these options:
• Create New – Creates a new system template.
• Create From Device – Inherits the system settings of a managed device.
• Assigned Devices. -- Associates devices to a profile or view the list of devices already assigned to a
profile.
For example, DNS server and logging settings can be defined by using a System Templates widget and
applied to devices as they are added to FortiManager or assigned to already managed devices by right-
clicking the template name and selecting Assigned Devices from the menu options. This profile
facilitates identical device level settings across many devices. You can also create these templates from
already managed devices by selecting Create From Device from the right-click menu.
We will be applying system templates when adding FortiGate to FortiManager in the next section of this
presentation.

© FORTINET
The Device Manager tab provides device and installation wizards to aid you in various administrative
and maintenance tasks. Using these tools can help you shorten the amount of time it takes to do many
common tasks.
There are 4 main wizards:
• Add Device is used to add devices to central management and import their configurations.
• Install is used to install configuration changes from Device Manager or Policies & Objects to the
managed devices. It allows you to preview the changes and, if the administrator doesn’t agree with
the changes, cancel and modify them.
• Import policy is used to import interface mapping, policy database, and objects associated with the
managed devices into a policy package under the Policy & Object tab. It runs with the Add Device
wizard by default and may be run at any time from the managed device list.
• Re-install policy is used to perform a quick install of the policy package. It doesn’t give the ability to
preview the changes that will be installed to the managed device.
Both the Import policy and Re-install policy wizards can be called by right-clicking your managed device
in the Device Manager tab.

© FORTINET
There is more than one method you can use to register a supported device with FortiManager. This
section aims to explain the available options, including the previously mentioned Add Device wizard.

© FORTINET
Through the Add Device wizard, you can add a FortiGate device with an existing configuration (which
includes its firewall policies) or add a new FortiGate device. The FortiGate device is usually provisioned
with a “call home” configuration, which is the minimum configuration needed to reach FortiManager (the
central management server). Such configurations are typically installed by a technician and the actual
firewall configuration is done by the administrator in the security/network operations center where the
FortiManager resides.
When a device with an existing configuration is imported, its firewall policies are imported into a new
policy package (which can be renamed). Objects share the common object database per ADOM and are
saved in the ADOM database, which can be shared or used among different managed FortiGate devices
in the same ADOM. It also checks for duplicate or conflicting objects, which we’ll discuss further in the
Policy & Objects lesson.

© FORTINET
Now let’s examine the process of adding a device through the Add Device wizard, located under the
Device Manager tab. During this process, the device configuration items are brought into the
FortiManager database. Once complete, the FortiManager and FortiGate are in sync and configuration
changes can be made from FortiManager.
Within the wizard there are two options for adding a device: Discover and Add Model Device.
The Discover option is used to add an existing device. Here, you must enter the FortiGate device’s login
credentials – IP address, user name, and password.
In order to fully discover the device and add the full configuration, login credentials entered here must
have full read-write access on the FortiGate. This also allows FortiManager to install the configuration
to the managed FortiGate.
You can also check that a device model or firmware version is supported by the current firmware version
running on FortiManager by running the following CLI command on FortiManager:
diagnose dvm supported-platforms list
The Add Model Device option is used to provision a new device that is not online. We’ll show that later.

© FORTINET
In this step, FortiManager probes whether the FortiGate device is reachable and also discovers basic
information about the device, including – IP address, Administrative user name, Device model, Firmware
version (build), Serial number, and High Availability mode.
By default, Import Device Policy & Objects is enabled by default. This option allows FortiManager to add
policies in the policy package and objects in the common shared ADOM database. These objects can be
used by multiple FortiGate devices in the same ADOM. If you de-select this option, then the device and
the device level settings are added to the device database, but the firewall policy configuration is not
imported into Policy & Objects. This can be imported later using the Import policy wizard, which we’ll
discuss in the Policy & Objects lesson.
You can also run the following CLI command on FortiManager to obtain a real-time status of the
FortiGate device being added.
diagnose debug application depmanager 255

diagnose debug enable
Note that the output of this command is very verbose and shows the output from other managed devices
too.
Make sure to disable the debug command by running:
diagnose debug application depmanager 0

diagnose debug disable

© FORTINET
The next step allows you to configure the device that was just discovered. You can configure:
• Name: By default, FortiManager displays the host name of the FortiGate, but you do have the option
of entering a unique name for the device. This name will appear locally in FortiManager only—it does
not affect the host name of the FortiGate. The device name cannot contain spaces or special
characters.
• Logging settings: You need to define the logging permissions and quotas in case you are sending
logs to FortiManager. By default, FortiManager allocates 1000 MB for disk log quota and overwrites
the oldest logs when the allocated disk space is full. Also by default all device permissions are
checked.
• FortiAP and FortiClient settings: There are two available options for managing FortiAP and
FortiClient: Per Device and Centrally. Select Per Device if these will be managed by the respective
FortiGate or Centrally if these will be shared in the ADOM database so that multiple FortiGate devices
can use them.
• Group settings: You can choose to add the device to a device group.

© FORTINET
In the next step, FortiManager checks the addition of the FortiGate device and creates the initial
configuration file. This is the full configuration that contains all used and orphaned objects along with the
firewall policies on the FortiGate. It also checks the support contract, which is useful in the event
FortiManager is used as the local FortiGuard server for the managed FortiGate.
The configuration is saved in the revision history, which will be explained later in this lesson.

© FORTINET
The next step in the wizard is templates. System templates are configured under Provisioning Templates
and are useful if multiple managed FortiGate devices are using the same device level settings (for
example, DNS, SNMP, log, and time settings).
Administrators can configure the system template in advance and apply them to new devices as they are
being added to FortiManager. Templates save time by removing the need to repeat common
configuration settings multiple times.
In this example, we are applying the default system template we configured previously in this lesson.

© FORTINET
If virtual domains (VDOMs) are configured, you are prompted to select the VDOMs you want to import.
The majority of a firewall configuration is specific to the VDOM, therefore each VDOM counts as one
managed device.
FortiManager probes the FortiGate and creates an interface mapping in the ADOM database. When
importing configurations from a device, all enabled interfaces require a mapping.
Add mapping for all unused device interfaces is enabled by default. This creates automatic mapping for
the new interface. As such, the FortiManager administrator does not need to create manual mapping.
You can also rename the ADOM interface mapping. For example, this FortiGate has port1 used as the
ingress network and port2 for the egress network. We can rename port1 as “LAN” and port2 as “WAN” in
the associated text fields. This mapping is local to the FortiManager database and policies can be
viewed on FortiManager from “LAN” to “WAN”, even if the actual interface names are still port1 and
port2.
When adding another FortiGate, which has port4 used for the ingress network and port5 for the egress
network, we can rename them to “LAN” and “WAN” as well.
This is useful in large deployments, where administrators can view and track it easily on FortiManager.

© FORTINET
The next stage of the wizard is Policy. The wizard searches for all policies to import into FortiManager’s
database. Here policies are imported into a new policy package on the Policy & Objects tab.
At this junction, you can choose whether to import all polices or selected policies, and whether to import
only referenced objects or all objects. Import All and Import only policy dependent objects are selected
by default when adding a device.

© FORTINET
The next stage of the wizard is Objects. In this step it searches the FortiGate device for objects to import
and if any conflicts exist, they appear here. You can view additional details as well as download the
conflicts in HTML format by clicking Download Conflict File.
If you click View Detail, you can see the General services category object differences between the
FortiGate and FortiManager database. If you select FortiGate from the Use Value from column, the
FortiManager database gets updated with that value. If you select FortiManager, the next time you install
the configuration from FortiManager to FortiGate it makes those changes to the FortiGate firewall. By
default FortiGate is selected.

© FORTINET
Once the object conflicts are noted/resolved, the wizard searches for the objects to import and updates
the existing FortiManager objects.
The service category selected in the previous slide is the object being updated. FortiManager does not
import duplicate entries in the ADOM database, as those objects already exist in the database.

© FORTINET
The final step in the wizard is Import. Here the firewall policies and objects are imported into
FortiManager.

© FORTINET
Once the import is complete, the wizard provides a summary of the tasks completed. You can also
download the import report, which is only available on this page.
As a best practice, it is recommended that you download the report. The next slide shows the
downloaded import report.

© FORTINET
The import report provides important information, such as which device is imported into which ADOM, as
well as the name of the policy package created.
When configurations are imported, new objects are created, and duplicate and conflicting objects are
detected. These objects and policies are created in the Policy & Objects tab for that ADOM.
Since FortiManager does not import duplicate entries in the ADOM database, if a conflict is detected,
FortiManager updates the object of the device you selected on the Objects step of the wizard and in the
import report it is referred as “update previous object’”
Dynamic objects can also be created, whereby a single object name has different values depending on
which device it is installed.

© FORTINET
As we renamed port1 to LAN and port2 to WAN on the interface mapping step of the wizard, you can
see that on the FortiManager the policy is imported as LAN  WAN. However, on the FortiGate it shows
port1  port2. This is called dynamic mapping: firewall policies created in policy packages refer to
these mappings. When the policy packages are installed, the interface mapping is translated to the local
interfaces on the managed device.
This is useful when installing the same policy package to multiple managed FortiGate devices where
interface mapping is translated to the local interfaces on the managed device. We will cover dynamic
mapping in detail in the Policy & Object lesson.

© FORTINET
As mentioned earlier, the Add Device wizard provides two options to add a device. We just went through
the option of adding an existing device using the Discover option. The second option, Add Model Device,
allows you to add a device that is not yet online. By using this option, you can create the configuration in
advance.
Once the FortiGate is deployed with its basic IP and routing configuration to reach FortiManager, the
device’s full configuration can then be installed. A device model also comes in handy for testing
purposes, when you need to simulate FortiGate devices to test certain internal operations.
Note that with this option, the serial number is mandatory. Once added, the model device shows up
under Device Manager and is represented with letter ‘M’ on the FortiGate icon.

© FORTINET
The registration request can be configured on FortiGate Web-based manager through Admin > Setting.
On the Administrators Settings page, the FortiGate administrator must enter the IP address of the
FortiManager under the Central Management section and click Send Request. A pop-up appears stating
that the management request has been sent to FortiManager. Clicking OK logs you out of FortiGate.
If a FortiGate device is configured to use FortiManager and that device has not been registered with
FortiManager, then it is detected as an Unregistered Device in the Device Manager tab. If ADOMs are
enabled, the device appears in the root ADOM, which is management ADOM of FortiManager. You have
the option of adding or deleting the unregistered device. When you click Add, a pop-up window appears
that allows you to add the FortiGate in a different ADOM (if ADOMs are enabled). If you add an
unregistered device, then you need to run the Import Policy wizard to import the device’s firewall policy
into a new policy package.
Only FortiGate can be added to the root ADOM. For all other supported devices, select a custom ADOM
based on the device type or the pre-configured ADOM specific to the device (for example, FortiMail to
the FortiMail ADOM).
Note that it is possible to configure FortiManager to act as a FortiGuard server and handle requests from
unregistered devices. You can configure unregistered device options from the FortiManager CLI only by
running the following commands:
config system admin setting
set allow_register {enable | disable}
set unreg_dev_opt {add_allow_service | add_no_service}
end
By default, the allow_register setting in the CLI is set to disable. As such, unregistered devices will
appear under the Unregistered Devices left-tree menu. If enabled, an unregistered device will appear as
a registered device under the Managed FortiGates left-tree menu. You still need to run the Import Policy
wizard to import the device’s firewall policy into a new policy package.
The unreg_dev_opt {add_allow_service | add_no_service} command allows you to allow
or deny the FortiGuard update request for unregistered devices respectively.

© FORTINET
You can select to manage FortiAPs per device or centrally from Device Manager > Managed FortiGates.
When managing FortiAP centrally, FortiAP devices are listed in the All FortiAP group in the ADOM. The
All FortiAP group contains thin access points (FortiAP) and thick access points (FortiWiFi).
To manage FortiAP per device, select the FortiGate that is managing the FortiAP and select System >
FortiAP .
To add a FortiAP/FortiWiFi access point, right-click a device and click Create New from the pop-up
menu. Type the FortiAP serial number, the name, and select the profile from All Profile drop-down menu.
The new FortiAP automatically installs to FortiGate. The number of FortiAPs you can install is dependent
on the FortiGate model.
To edit the FortiAP, right-click a device and select Edit from the pop-up menu. The Edit FortiAP dialog
box opens where you can edit the settings related to FortiAP.
The right-click menu also includes options to assign a profile, create new, edit, delete, authorize, de-
authorize, upgrade, restart, refresh, view clients, and view rogue APs.

© FORTINET
FortiManager physical devices or virtual machine (VM) licenses support a limited number of devices,
dependent on the device size or license type. A FortiGate high availability (HA) cluster counts as a single
device as does a virtual domain (VDOM). This is because the bulk of the configuration relates to the
firewall polices and objects, and a device that is in a cluster will not increase the size of that
configuration, as devices in the cluster are running the same configuration. The use of VDOMs would
increase size of the configuration.
For example, if there are two FortiGate’s in an HA cluster (active-active or active-passive), both
FortiGate’s have the same configuration and are counted as one device. However, enabling a VDOM will
increase size of the configuration as each VDOM is logically a separate firewall.

© FORTINET
Now we know the different ways of adding (registering) devices to FortiManager, let’s start using
FortiManager to configure each managed FortiGate.

© FORTINET
To configure registered devices, select the device or VDOM from the Device Manager tab on the Web-
based manager. The device level setting of the managed FortiGate can be viewed and configured from
the Menu drop-down in the toolbar. Most of these settings have a one-to-one correspondence with the
local device configuration.
In this example, we have selected STUDENT-1 FortiGate. Click Menu and from the drop-down select
Router > Static Route. To edit the exiting route, right-click the route. To create a new route, click Create
New.
As you can see, you can view, edit, or create a new static route for the managed FortiGate.
Also if you notice, there are only few options in the Menu drop-down list by default. You can click
Customize to customize device tabs at the device level.

© FORTINET
From the Menu drop-down toolbar, CLI-Only Objects allow you to configure device settings that are
normally available and configured through FortiGate’s command line interface only. Historically on
previous FortiManager firmware versions, if the advanced configuration through CLI needed to be
configured and installed on managed devices, it was done through configuring and running scripts.
Starting on version 5.2.0 and up, you can configure advanced configurations using the CLI-Only Objects
menu option on FortiManager.
Note that the options available vary from device, supported features, and firmware version running on
the managed device.
An advanced CLI-Only Objects menu has been added in the Device Manager and Policy & Objects tabs.

© FORTINET
FortiManager also provides a System dashboard for managed devices, which is available under the
Device Manager tab by clicking a managed FortiGate.
On the device dashboard, under the Configuration and Installation Status widget the main status
indicators are Sync Status, Device Settings Status, and Installation Preview.
• The Sync Status compares the running device configuration with the current version in the revision
history. There are three sync statuses:
• If tagged as “synchronized”, the current revision history configuration entry (whether an install or
retrieve) is synchronized with the running configuration on the FortiGate. In detail, the get sys
mgmt-csum value that was collected after the final revision history entry matches what is on the
FortiGate.
• If the sync status is “Out-of-sync”, the current revision history configuration entry does not match
the running configuration on the FortiGate.
• If the sync status is “Unknown”, the FortiManager system is unable to detect which revision (in
the revision history) is currently running on the device.
Clicking Refresh performs a real-time FortiGate get sys mgmt-csum validation with what is stored in the
current FortiManager revision history entry.
• Device Settings Status provides the status of the device settings. When the device is configured from
the Device Manager, the device database is changed and the device settings status is tagged as
Modified because it doesn’t match the latest revision in the revision history for that device. If the
Device Settings Status is ‘Unmodified then the configuration is in sync with the current revision in the
revision history.
• Installation Preview provides a quick way to check what changed in the device database by clicking
the Installation Preview icon.
We configured a new static route in the Configuring Devices slide, which is why Device Settings Status
is tagged as Modified in this screenshot. By clicking the Installation Preview icon, we can see which
commands will be installed on this FortiGate on the next install. We will be installing these changes in
coming slides, which will create a new revision in the revision history and make the configuration
changes to the device.

© FORTINET
Now that we have learned how to make configuration changes to the managed FortiGate from
FortiManager, and understand the impact of these changes on the Configuration and Installation Status
widget, the next step is to understand the install process.

© FORTINET
The installation process involved FortiManager’s Install wizard. Configuration changes made from the
Device Manager do not take immediate effect—they have to be installed. Until they are installed, the
Device Setting Status remains as Modified.
During installation, you are asked to choose between two different installation types:
• Install Policy Package & Device Settings, or

• Install Device Settings only
This first option allows you to install a specific policy package. Any device-specific settings for devices
associated with the package will also be installed. Optionally, you can also select to create a revision
and schedule the install. We will explore this option further in the Policy & Objects lesson.
The second option allows you to install only device settings for a selected set of devices; policy and
object changes will not be updated from the last install. This option is only available when launching the
Install wizard in the Device Manager tab. The next few slides look at the stages when installing device
settings only.

© FORTINET
This diagram illustrates the installation process to push changes from the Device Manager to a device.
For completeness, Policy & Objects is included too.
When a new configuration is installed, FortiManager compares the difference between the latest revision
history running on the device and the changes made on FortiManager, then creates a new revision in the
revision history. FortiManager then installs these changes on the managed device.

© FORTINET
Now let’s go through the process of installing configuration changes through the Install wizard. During
this process, the device configuration items are installed on the managed device. Once complete, the
FortiManager and FortiGate are in sync and Config Status changes from Modified to Sync.
As we have added a new route to the managed FortiGate, the Config Status is showing as Modified.
There are two ways to launch the Install wizard under the Device Manager tab. If you are using ADOMs,
ensure you select the ADOM from the ADOM drop-down menu.
You can either:
• Click Install in the toolbar menu, or

• Right-click Managed FortiGates under Devices & Groups in the left-tree menu

© FORTINET
Once the Install wizard launches, you must select the option you want to use to install your settings. In
this example, we will select Install Device Settings (only).
This option only installs configuration changes related to device settings that were modified under the
Menu drop-down list for the managed device. This option is only available when launching the Install
wizard in the Device Manager tab. The wizard also provides a comment section when you can add a
comment about the installation for future reference.

© FORTINET
The next step, Device Selection, prompts you to select the device to which you want to install the
changes. If you have made device level changes to multiple devices under the Device Manager tab, you
can select multiple devices to install these changes.

© FORTINET
The next step, Validation, performs a check on the device settings and compares it with the latest
running revision history. Click Preview to view the configuration changes that will be installed on the
managed FortiGate. As a best practice, always preview and verify the changes that will be committed to
the FortiGate.

© FORTINET
After clicking Preview, the Device Installation Preview window appears, which shows you the
configuration changes that will be installed to the managed FortiGate. To download this preview, click
Download. The file is saved in a .txt format.
As a best practice, always preview and verify the changes that will be committed to the FortiGate. In the
case of a conflict, you can click Close and then Cancel to exit the installation. Then you can review and
correct the conflicting configuration under Device Manager and re-launch the install wizard to install the
configuration changes.
In this example, a new static route is added.

© FORTINET
The final step of the Install wizard is the actual install. This screen lists the devices on which
configuration changes were installed and also shows you the progress bar for the installation.
It will also show you if there are any errors or warnings that occurred during the install process.
If the installation fails, the installation history provides an indication of what stage the install failed. You
can also check the installation history for the successful install too.
In this example, the installation was successful and FortiManager created a new revision history for this
install.

© FORTINET
FortiManager maintains a configuration repository to manage device configuration revisions. If the

managed FortiGate device configuration is modified directly from the FortiGate, FortiManager compares
the checksum with the latest revision history to the running configuration on the FortiGate and creates a
new revision history in its repository. It then updates the FortiManager database, which includes device
level settings only (Policy & Objects are updated using the Import Policy wizard, which we will cover in
the Policy & Object lesson. If the changes are made from FortiManager to the managed device, when
performing the install it will compare the checksum with the latest revision history to the FortiManager
database and create a new revision history.
So when a change in the configuration is detected, FortiManager creates a new revision history and tags
it with a version/ID number.

© FORTINET
To view or download your revision history, click Revision History from the Configuration and Installation
Status widget on the System dashboard for your managed device. As mentioned previously, the
Revision History repository stores all configuration revisions for the devices and tags each revision with
a version/ID number. The Installation column details the time and the action that created the revision.
Click the revision ID number in the ID column to view the configuration. You also have the option to
download the configuration as a .txt file on this page. After every Retrieve and Install operation, the
FortiManager stores the FortiGate’s configuration checksum output with the revision history. This is how
the out-of-sync condition is calculated.
You can also compare the difference between the revision histories by clicking the Revision Diff icon. A
pop-up window appears and you can choose to compare it to the previous revision or you can specify
the revision version by choosing Any Revision and selecting the revision number from the drop down list.
It also gives you option to choose ‘Full Content or Diff Only.

© FORTINET
When the installation is done from Device Manager, you can view the commands sent for that revision
ID in View Installation History. Should an installation fail because there is no rollback, this history is
useful because it shows what commands were sent to, and accepted by, the device as well as the
commands that were not accepted.
Clicking the browse icon to view the configuration file that was installed on the device. You can also click
the download icon to download this file in .txt format.

© FORTINET
Revision history also allows you to create a new revision from the device’s running configuration by
clicking the Retrieve button. It checks and compares the configuration on the device and current revision
history on FortiManager. If there is a difference between two, FortiManager creates a new revision
history with a new ID number.
This can be used to re-sync the FortiGate device with the FortiManager device database. However,
when retrieving a configuration, firewall policy changes need to be imported to Policy & Objects.
The Comments column automatically generates a comment if a retrieve operation has been performed.

© FORTINET
By default, all changes made directly on the FortiGate are automatically updated (retrieved) by
FortiManager, which is reflected in Revision History and Config Status for that device in the Device
Manager.
To disable this automatic behavior so as to allow the operator a choice to accept or refuse the automatic
update, the following CLI setting must be changed on FortiManager:
config system admin settings

set auto-update disable
end
If an automatic update occurs, it is no longer possible for FortiManager to be sure the selected policy
package is the same as the running firewall policy. As such, Policy Package Status returns an Out of
Sync error. You can hover your mouse over the red x to read the error message. You must run the
Import Policy wizard on FortiManager to sync the policy package. This is covered in the Policy & Objects
lesson.

© FORTINET
Refreshing a device refreshes the connection between the selected devices and the FortiManager
system. This operation updates the device status and the FortiGate HA cluster member information.
Right-click on the device and click Refresh in the pop-up menu. Alternatively, click the Refresh link from
the Connection Summary widget in the System dashboard of the managed device.

© FORTINET
Directly below Refresh in the pop-up menu is Install Config. This option allows you to perform a quick
installation of device level settings without launching the Install wizard. As such, you cannot preview the
changes prior to committing. Administrators should know the changes prior to performing this action, as
it cannot be cancelled after initiating the process.
If unsure about the changes, administrators are encouraged to use the Install wizard as discussed earlier
in this lesson, as they can preview the changes before committing.

© FORTINET
A FortiGate HA cluster is managed as a single device from FortiManager and has a unique ID. You can
use “diagnose dvm device list” in the CLI to view the device members. FortiManager is unaware
of—and will not verify—FortiGate HA synchronization status. The optional dedicated HA-management
FortiGate per-device interface is for SNMP monitoring only and must not be used for FGFM
management.
FortiGate HA configuration on FortiManager is read-only. It is retrievable and visible but cannot be

modified, nor will it be applied to the FortiGate during installs. This is to avoid overwriting HA
configuration if FortiGate HA roles have changed. FortiGate configuration changes concerning HA
parameters will not modify the checksum (get system mgmt-csum) and will not cause an out-of-sync
situation.

© FORTINET
Now that we have learned how to make configuration changes and install these changes to the managed
FortiGate from FortiManager, the next step is to understand and learn advanced operations such as:
• Scripts
• Device groups
• Replacing a managed FortiGate
• Chassis management

© FORTINET
In FortiManager’s GUI, scripts can be enabled from Display Options in System Settings > Admin >
Admin Settings and configured from Device Manager > ADOM > Script
A script can make many changes to a managed device and are useful for bulk configuration changes
and consistency across multiple managed devices. Scripts can be run in three different ways:
• Device Database: By default, a script can be executed on the device database It is recommend you
run the changes on the device database (default setting), as this allows you to check what
configuration changes you will send to the managed device. Once scripts are run on the device
database you can then install these changes to a managed device using the installation wizard.
• Policy Package, ADOM database: A script can be run here to create ADOM level objects that will be
applied to your managed devices and can then be installed using the installation wizard.
• Remote FortiGate Directly (via CLI): A script can be executed directly on the device and you don’t
need to install these changes using the installation wizard. As the changes are directly installed on
the managed device, no option is provided to verify and check the configuration changes through
FortiManager.
You can also apply Advanced Device Filters such as OS Type, OS Version, and Platform to name a few,
which restricts the scripts to running on managed devices only if it matches the set criteria.
FortiManager supports two types of scripts:
• Command Line Interface (CLI): CLI scripts include only FortiOS CLI commands as they are entered
at the command line prompt on a FortiGate device.
• Tool Command Language (TCL): TCL is a dynamic scripting language that extends the functionality
of CLI scripting. In FortiManager TCL scripts, the first line of the script is “#!” as it is for standard TCL
scripts. Do not include the exit command that normally ends TCL scripts; as it will prevent the script
from running. You are required to be familiar with the TCL language and regular expressions. For
more information on TCL scripts, please refer to the official TCL website:
http://www.tcl.tk
In this lesson, we will be covering CLI scripts only.

© FORTINET
Some common best practices for CLI scripts include:
• Use complete commands. For example, if the full command is “config router static”, do not
use “conf rout stat”, as it will cause the script to fail.
• A comment line starts with the number sign (#) will not execute.
• In the “config system console” CLI setting, disable the “output more” function in the
FortiGate CLI and select “output standard” instead. Otherwise, scripts and other output longer than a
screen length will not execute or display correctly. The command is:
config system console

set output {standard | more}
end

© FORTINET
Once the script has been configured, you can browse to the ADOM script list for the ADOM that contains
the script you would like to run. Select the script, then right-click and select Run from the menu. The
Execute Script dialog box appears, which allows you to select the devices and enable a schedule
(“show_schedule_script” must be set to enable in the “config system admin” settings).
This is helpful if you would like to run the script on a specific schedule, for example, when it would not
interfere with business hours. Uncheck Enable Schedule if you would like to run the script now.
The right-click menu also provides other options, such as create new script, edit, clone, and delete the
existing script. You can also export the existing script by clicking Export, which can be saved on your
local computer in .txt format. Scripts can also be imported as text files from your local computer by
clicking Import.

© FORTINET
To view the script history, go to the device dashboard. Under the Configuration and Installation Status
widget, scroll to Last Script Run and click View History which opens the Script Execution History table.
This table also provides additional information such as name, type, execution time, and status of the
script. Click the Browse icon in the far right column of the table to open the Script History dialog box to
view the script.
The Script Execution History table also allows for re-running the script. Click the Run Script Now icon in
the far right column of the table to re-run the script.

© FORTINET
Device groups can be created in an ADOM. These can be used to simplify a management action by
providing a target that represents multiple devices for firmware upgrades, scripts, and configuration
changes.
To create a new group, go to Device Manager > Select ADOM > Add Groups. From the Add Device
Group dialog box, select the FortiGate device in the left frame and click the forward icon to move to the
device to the right frame. In this example STUDENT-1 and STUDENT-2 are part of GROUP-A.
Executing a script on a group is disabled by default. To enable it, enter this command:
config system admin setting

set show_grouping_script enable
end
Note: To delete a device group, you must delete all devices from it first. Similarly, to delete an
ADOM, you must delete all device groups from it first.

© FORTINET
The serial number is verified before each management connection. In the event of a replaced device, it
is necessary to manually change the serial number in the FortiManager system and re-deploy the
configuration.
In order to change the original FortiGate’s recorded serial number on the FortiManager with new
device’s serial number, you must run the following commands in the CLI:
• diagnose dvm device list – Shows the device name of the original FortiGate. If the
replacement device is already listed as unregistered, then you will need to delete this first. You may
do this from Unregistered Devices in the left tree menu of the Device Manager tab.
• execute device replace sn <device_name> <serialnum> – Adds the serial number of the
replaced FortiGate.
Once the replace command is executed, FortiManager updates the serial number in its database. To
verify, enter:
diagnose dvm device list
Alternatively, you can verify from the System Information widget of FortiGate under Device Manager >
Managed FortiGates.
Log into the replaced FortiGate and send a request to register it with FortiManager. This can be done
from FortiGate under System > Admin > Settings > FortiManager IP/Domain Name.
If connectivity is down initially after updating the serial number, you might need to reclaim the
management tunnel:
execute fgfm reclaim-dev-tunnel <device_name>
The device name is optional. If you run the command without the device name, FortiManager will try to
reclaim tunnels from all managed devices.
Optionally, if you are replacing devices due to a hardware issue, you can change the device password:
execute device replace pw <device_name> <password>

© FORTINET
Some FortiManager systems can work with the Shelf Manager to manage the FortiGate 5000 series
chassis. Shelf Manager runs on the Shelf Management Mezzanine hardware platform included with most
FortiGate chassis. You need to enable chassis management under System Settings > Advanced >
Advanced Settings before you can work with the Shelf Manager through FortiManager.
To add chassis in the FortiManager, go to the Device Manager tab, right-click Managed FortiGates and
select Add under Chassis. This slide and the next slide demonstrate this feature.

© FORTINET
Once you have selected Add under Chassis, the Create Chassis dialog box appears. You need to
provide the following information in order to add chassis to FortiManager:
• Chassis Type: Select the chassis type – Chassis 5050, 5060, 5140 or 5140B.
• IP Address: Type the IP address of the Shelf Manager running on the chassis.
• Authentication Type: Select authentication type – Anonymous, MD5, or Password.
• Admin User: Type the administrator user name.
• Password: Type the administrator password.
• Chassis Slot Assignment: FortiGate, FortiCarrier, or FortiSwitch can be selected on FortiGate 5000
series blade to assign to the slot. You cannot assign FortiGate-5000 series blades to the slot until
after the chassis has been added. For information on assigning slots, you can go to the Fortinet
Document Library (http://docs.fortinet.com) for chassis management and the FortiManager
Administration Guide.
The dashboard for chassis provides the information related to slot number, slot information, current state
of blade, and various other parameters. From the dashboard, information related to Blades, PEM, Fan
Tray, Shelf Manager and SAP can be configured or viewed.

© FORTINET
These are the topics we covered in this lesson. After this lesson, you should be able to :
• Add and install changes to managed devices
• Apply Provisioning Profiles to your managed devices
• Understanding Revision and installation history
• Configure and install scripts
• Replace and reclaim tunnel for managed devices
• Understand chassis management

DO NOT REPRINT  Policy & Objects
© FORTINET
In this lesson, we will examine FortiGate configuration changes that you can apply using
FortiManager’s Policy & Objects tab.

© FORTINET
After completing this lesson, you should have these practical skills that will allow you to manage your
FortiGate on FortiManager. This includes understanding the functionality of the Policy & Objects tab,
such as ADOM-level firewall policies, ADOM revisions, dynamic objects, and installation targets.

© FORTINET
It also includes importing/creating policy packages; installing policy and object settings as well as
device level settings; zones and interface mappings; VPN management; and policy and objects at the
global ADOM level.

© FORTINET
Before FortiManager can start managing policies and objects for managed security devices, we need
to understand the functionality of the Policy & Objects tab, which is used to customize policies within
an organization. Typically, administrators may want to customize access and policies based on factors
such as geography, specific security requirements, or legal requirements. Let's start exploring the
Policy & Objects tab on FortiManager.

© FORTINET
Within a single ADOM, administrators can create multiple policy packages. FortiManager allows you
to customize policy packages per device or VDOM within a specific ADOM, or apply a single policy
package for all devices within an ADOM. These policy packages can be targeted at a single device,
multiple devices, all devices, a single VDOM, multiple VDOMs, or all devices within a single ADOM.
By defining the scope of a policy package, an administrator can modify or edit the policies within that
package and keep other policy packages unchanged. FortiManager helps simplify provisioning of new
devices, ADOMs, or VDOMs by allowing you to copy or clone existing policy packages. You can also
create the ADOM revision, which allows you to maintain a revision of the policy packages, objects,
and VPN console settings in an ADOM, and also configure display options to customize the policy and
objects that are displayed in the Policy & Objects tab.

© FORTINET
Policy packages simplify centralized firewall policy management by providing a useful container for
your firewall ruleset. Policy packages contain firewall policies which, in turn, link to objects defined in
the Policy & Objects tab. Objects share the common object database per ADOM and can be shared
among multiple policy packages within the ADOM.
You may manage a common policy package for many devices within a ADOM or have a separate
policy package for each device. Policy packages allow you to maintain multiple versions of the rule
set. For example, you can clone a policy package prior to making changes, thereby allowing you to
preserve the previous ruleset.
A word of caution: while policy packages allow for multiple versions of a firewall policy ruleset, the
objects referenced in those packages do not have multiple versions—they only use a current value.
For example, let’s say you clone a policy package, add a new rule, and change the value of a shared
object. If you roll back to the previous policy package, you will back out of the rule you added, but not
the modification to the shared object. The only way to achieve that level of rollback is using ADOM
revisions, which take a snapshot of the Policy & Objects database for that ADOM.

© FORTINET
Policy packages are located under Policy & Objects > ADOM > Policy Package.
Within a single ADOM, administrators can create multiple policy packages. FortiManager allows you
to customize policy packages per device or VDOM within a specific ADOM, or apply a single policy
package for multiple devices within an ADOM. By defining the scope of a policy package, an
administrator can modify or edit the policies within that package and keep other policy packages
unchanged. To view the policies in a policy package, click the policy package name to view the
policies contained in that policy package.
In this example, clicking the Student policy package shows the policies in that policy package.

© FORTINET
Objects can be created, modified, or deleted under Policy & Objects > Objects.
All objects within an ADOM are managed by a single database unique to that ADOM. Objects inside
that database include firewall objects, security profiles, users, and devices.
Objects are shared within the ADOM and can be used among multiple policy packages. For example,
a security profile can be created once and attached to multiple policy packages for installation on
multiple FortiGate devices. This simplifies the job of the administrator, as the object only needs to be
created once, but can be used multiple times for multiple FortiGate devices.

© FORTINET
ADOM revision saves the policy package and objects locally on FortiManager and can be created,
edited, and deleted under Policy & Objects > Tools > ADOM Revisions.
To create a new ADOM revision, go to Tools > ADOM Revisions and configure the settings in the
Create New ADOM Revision dialog box that appears. Revisions can be automatically deleted based
on given variables, and individual revisions can be locked to prevent them being automatically
deleted. Click Details for access to the auto-deletion settings.
The ADOM database can be reverted to a particular ADOM revision by right-clicking the revision. As a
word of caution, if you choose to revert to a particular ADOM revision, it will revert all the policy
packages and objects based on that revision. A “revision diff” can be performed between revisions in
the right-click menu.

© FORTINET
The display options can be configured under Policy & Objects > Tools > Display Options.
The Display Options feature allows certain feature options to display in the Web-based manager,
including those under the Policy & Objects tab. Display options are dependent on the ADOM version.
These display options will vary from one ADOM to another.
The most common options are displayed by default and illustrated by a green “ON”. The default option
cannot be turned off. You can turn various options on or off (visible or hidden, respectively) by clicking
the ON or OFF button next to the feature name. You can turn on all of the options in a category by
selecting All On under the category name, or turn on all of the categories on by selecting All On at the
bottom of the window.
Also additional firewall policy types such as NAT64, IPv6, and interface policies can be enabled from
here.

© FORTINET
Now that we understand the functionality of the Policy & Objects tab, the next step is to examine the
various options to configure and manage firewall policies from the Policies & Objects tab.

© FORTINET
Right-click a policy package to access the Policy Package menu or click the Policy Package menu
option directly. We will look at creating and installing policy packages first and then look at other
features, such as policy checking and exporting later.

© FORTINET
Policy folders help you manage your policy packages. You can customize policies based on
organization, geography, specific security requirements, or legal requirements for example, and
organize them into specific policy folders.
You can create a new policy folder by right-clicking the existing policy package or by clicking the
Policy Package menu option directly.
You can create sub-folders within existing policy folders to help you better organize your policy
packages. You can also drag a policy package to a policy folder.

© FORTINET
If the policy package does not contain any policies, you will be presented with a section in the GUI
called local domain polices, which is where you create your rules in your policy package. If your
ADOM receives rules from the global ADOM, which we’ll discuss later, then they are presented
outside of the local domain as header or footer policies.
Select your policy package and click Policy > Create New or right-click the local domain policies area
and click Create New to create your first policy rule.

© FORTINET
You can create a new policy by right-clicking the sequence number of an existing policy or by clicking
the Policy menu directly. When creating a new policy, it can be inserted above or below the existing
policy.
If you have not selected any policy in the policy package, Insert Policy  Above or Below is grayed
out in the menu.
Existing policies can be modified from this menu. We will look at other features such as clone, copy,
cut, and paste later in this training.

© FORTINET
Objects can be added, removed, and edited by right-clicking the objects. If a new service needs to be
added in the policy, right-click the existing object in that column and click Add Object(s). A pop-up
menu appears providing a selection of services. Select the objects that needed to be added and click
OK to save the changes.
In this example, policy has HTTP and HTTPS for services and we added two more services: PING
and POP3. Also notice that when you right-click the existing object in the Service column, a menu
appears that is only applicable to service-related objects. For example, if you want to change the
source interface in the policy, right-click the object under the Source Interface column (port2) to see
the menu related to interfaces.

© FORTINET
Each ADOM is associated with a specific FortiOS version, based on the firmware version of the
devices that are managed in that ADOM. This is the CLI syntax that must be used to configure the
devices. Objects created in the Policy & Objects tab will use the CLI syntax of this version of FortiOS.
This version is selected when creating a new ADOM, but it can be modified if all of the devices within
the ADOM have been updated to the latest FortiOS firmware version.
For example, let’s say an ADOM is running firmware version 5.0 and all the managed devices are
running firmware version 5.0.x. Once all the devices have been upgraded to 5.2.x firmware, you can
upgrade the ADOM to 5.2 by right-clicking that ADOM in System Settings > All ADOMs.
The next slide shows a firewall policy object, one for a 5.0 GA ADOM and one for a 5.2 GA ADOM.

© FORTINET
As you can see, in ForitOS 5.0 GA on the left side, the policy type and subtype can be selected when
creating a new policy or modifying an existing policy.
In version 5.2 GA on the right side, the CLI command syntax has changed and is therefore configured
differently. So it is very important to make sure the FortiGate device is added to an ADOM based on
its specific FortiOS firmware version.

© FORTINET
A policy package has an installation target that can be on one or more devices or VDOMs. Policy
packages may share the same installation target, however only one policy package can be active on a
device/VDOM. The active policy package is listed in the Device Manager tab.
An installation target can be added, edited, or deleted by selecting Policy Package > Installation.
In this example, we are adding three installation targets for a policy package named
CommonPackage. To add a installation target, select the policy package, go to Installation, and click
Add. From the Add Installation Target dialog box, select the devices that you will be targeting for this
policy package. Once added, these devices will show in the Installation Target window. If this new
policy package is installed to the devices, it will show in the Device Manager tab under the Policy
Package Status column. If the installation target is configured, but not yet installed, it will show as
Never Installed in the Policy Package Status column.
Once the policy package is installed, CommonPackage appears as the active policy package for these
devices/VDOMs in the Policy Package Status column.
The next slide shows how a single firewall policy may have fewer targets than the policy package.
This allows a general policy package to be shared by several devices with exceptions per device.

© FORTINET
In the previous slide, we selected an installation target for multiple devices/VDOM’s. You can perform
granular installation targets per rule from the actual policy by right-clicking Installation Target in the
Install On column. This allows you to target devices to be added, removed, or set to default.
In this example, rule 1 has an installation target of BranchOffice(Devtest) and rule 4 an installation
target of HeadOffice. So when the install is performed, rule1 will be installed only on the
BranchOffice(Devtest) device and rule 4 will be installed only on HeadOffice.
Rule 2 and 3 have a default installation target that will be installed on all three devices/VDOM’s.
So by using an installation target, a policy package can be shared among multiple devices and rules
can also be defined per-device from the actual policy. This is helpful in environments where many
devices need to share common policies (with the exception of a few policies that can be targeted per-
device) and eliminate the need for multiple policy packages.

© FORTINET
All objects within an ADOM are managed by a single database unique to that ADOM. Many objects
now include the option to enable dynamic mapping. Dynamic objects are used to map a single logical
object to a unique definition per device. Common features such as addresses, interfaces, virtual IPs,
and IP pools, can be dynamically mapped. Objects and dynamic objects are managed in the lower
frame of the Policy & Objects tab.
A common example is a firewall address. You may have a common name for an address object, but
have a different value depending on which device it is installed.
In this example, the dynamic address object “LocalLan” refers to the internal network address of the
managed firewalls. The object has a default value of 192.168.1.0/24. The mapping rules are defined
per device. On the BranchOffice FortiGate device, the object “LocalLan” refers to 10.10.10.0/24,
whereas on the HeadOffice FortiGate device the same object refers to 10.10.11.0/24. The devices in
the ADOM that do not have dynamic mapping for “LocalLan” will have a default value of
192.168.1.0/24.
To add more devices for dynamic mapping, click Create New in the Dynamic Mapping field. A pop-up
window appears where you can select the device and set the IP range/subnet.
Dynamic objects are represented by a computer icon with an arrow.

© FORTINET
Interface mapping on the Policy & Objects tab dynamically maps to interfaces on the managed device.
Firewall policies created in policy packages refer to these mappings. When the policy packages are
installed, the interface mapping is translated to the local interfaces on the managed device.
Interface mapping defined in the Policy & Objects tab have two types: zone and interface. The type
defines how the rule is translated to the device. If zone is selected, then that zone is created locally on
the FortiGate. If zone is not selected, then it is created as the interface type and the name used has a
one-to-one mapping to an interface configured on the managed device.
In this example, a “DMZ” zone has been created for HeadOffice FortiGate, which includes port8,
port9, and port10. Accordingly, when a policy package is installed, it will create zone “DMZ” with
interfaces port8, port9 and port10 locally on the FortiGate. Also, an “External” interface has been
created, which includes mapping for port1 on HeadOffice FortiGate. When installing the policy
package, it will install a policy for port1 and will not create a zone.
Also in this example, Enable Zone is selected for “DMZ” but not for “External”. This means it will
create a DMZ zone locally on the FortiGate, but for the “External” interface. It just translates the local
interface, which is equivalent to port1.

© FORTINET
Previously, we configured interface mappings. In this example, the policy package HeadOffice was
created with two policies (port3  DMZ and port2  External), and installed to the managed device.
Locally on the FortiGate it created a zone type named DMZ, which include interfaces port8, port9, and
port10. Policy is represented as port3  DMZ.
The interface mapping for “External” was configured as an interface type, which is just a local mapping
for port1 for HeadOffice FortiGate on FortiManager. Locally on the FortiGate the policy is
represented as port2  port1.

© FORTINET
Now that we understand the various options for configuring and managing firewall policies from the
Policies & Objects tab, we will examine the wizards used to manage devices from FortiManager. This
section explains the 2 wizards: Import Policy and Install.

© FORTINET
It is common for the FortiGate device to already have a running configuration. The Import Policy
wizard guides you through importing policies and objects into FortiManager. When you import a
device, you create a new policy package that does not interfere with other packages. However,
objects you import will add to, or update, existing objects. You may want to create a new ADOM
revision prior to an import.
The next few slides step through the various stages of the wizard.
You may run the Import Policy wizard from Device Manager by right-clicking the device, or when first
adding a device using the Add Device wizard. If you promote an unregistered device this does not run
the Import Policy wizard. You will need to run the Import Policy wizard after the device is promoted.

© FORTINET
The first step of the wizard is Interface Map. Interface mappings are created for interfaces configured
on the firewall. This allows the device interfaces to be referenced in policy packages. You can rename
the ADOM interface mapping in this wizard.
In this example, we are renaming port1 to “External” and port2 to “Internal”. Actual policies on the local
FortiGate are on port1 and port2, but locally on the FortiManager they will be referenced as “External”
and “Internal”.
The Add mappings for all unused device interfaces option is enabled by default and creates automatic
mapping for the new interface when enabled. The FortiManager administrator doesn’t need to create
manual mapping if this option is enabled. This is useful in large deployments, where administrators
can map different interfaces to logical interfaces on FortiManager, which helps the administrator to
view and track them easily on FortiManager.

© FORTINET
The next step of the wizard is Policy. Here, the wizard performs a policy search to find all policies in
preparation for import into FortiManager’s database. Policies are imported into a new policy package
on the Policy & Objects tab. When you import, you can choose the folder location and the name of the
new policy package. You may chose to import all firewall policies or select specific ones to import.
Also, you can chose whether to import all configured objects or only those referenced by the current
firewall policies.
Import All and Import only policy dependent objects are selected by default when running the Import
Policy wizard.
In the Policy Selection section, if you choose to import only selective policies into the policy package
and later install policy changes, the policies that were not imported will be deleted locally on the
FortiGate. This is because FortiManager does not have those policies in the policy package. For
example, if there are five policies in total and you select only three to import, on the next install the
missing two policies will be deleted locally from the FortiGate. As a best practice, it is recommended
that all policies are imported.
In the Object Selection section, if you choose to import only policy-dependent objects, the orphan
(unused) objects that are not tied to policies locally on the FortiGate will be deleted on next install. If
you choose to import all objects, then all used and unused objects in the FortiManager ADOM object
database are imported, but it will still delete orphan (unused) objects locally on the FortiGate on next
install. In the latter scenario, as all unused objects are imported into the ADOM object database, they
can be used by referencing the policies on FortiManager and installing to the managed devices.
As a word of caution, if you are managing multiple devices in an ADOM (for example, 500 devices)
and choose Import all objects for all devices, the object database will be too big with all these unused
objects and can be overwhelming for an administrator.

© FORTINET
The next step of the wizard is Object. When importing objects, FortiManager will check its existing
definitions. If you attempt to import an object with the same name as an existing object, then a
duplicate or conflict is detected and some action may be necessary to resolve the conflict. If you
import an address object, where an existing object of the same is already present, then a dynamic
mapping is added and this becomes a dynamic object. If however, you import address groups, their
membership may be different and a new object will need to be created and renamed. FortiManager
can check the membership of groups to see if they have the same membership or not. If not, the
object is indexed and a new instance with different values is created.
Always note the changes that are made as you import a device. Moving from per-device to central
management may require some level of modification to object naming.

© FORTINET
The final step of the wizard is Import. Here the firewall policies and objects are imported into
FortiManager.

© FORTINET
Once the import is complete, the wizard provides a summary of the tasks completed in Download
Import Report. You can also download the import report, which is only available on this page and can
be viewed with any text editor.
As a best practice, it is recommended that you download the report.
The import report provides information about FortiGate, the ADOM name on FortiManager, and the
policy package name.
The report also provides additional information, such as the objects that have been added as new
objects. Existing objects with the same values on the local FortiGate and FortiManager are referred to
as “DUPLICATE”. If the value of an existing object is changed, FortiManager updates that in its
database and shows “update previous object” in the import report.
The option to download the report is only available on this page. As a best practice, it is recommended
to download the import report.

© FORTINET
Once you have made configuration changes to the policy package, the Policy Package Status is
flagged as Modified under the Device Manager. Now let’s go through the process of installing policy
configuration changes through the Install wizard. During this process, the policy and device
configuration items are installed on the managed device. Once complete, FortiManager and FortiGate
are in sync and the Policy Package Status changes from Modified to Installed.
There are multiple ways to launch the installation wizard: under the Device Manager tab as well as the
Policy & Objects tab. If you are using ADOMs, ensure you select the ADOM from the ADOM drop-
down menu first.
From the Device Manager tab:

Right-click Managed FortiGates in the left tree menu under Devices & Groups, or
Click Install from the toolbar menu
By default, Install Device Settings (only) is selected when launching the Install wizard from the Device
Manager tab. Make sure to change it to Install Policy Package & Device Settings.
From the Policy & Object tab:

Right-click the policy package name, or
Click Policy Package from the toolbar menu and select Install
By default, only the Install Policy Package & Device Settings is available when launching the Install
wizard from the Policy & Objects tab. In this example, we will launch the Install wizard through the
Policy & Objects tab.

© FORTINET
The first step in the wizard is What to Install. Here, you are prompted by default to select Install Policy
Package & Device Settings. This installs the policy package and any pending device-level changes.
The policy package you select is displayed and you have the option to create a new ADOM revision
with this install. Note that an ADOM revision is a snapshot of the entire ADOM and not the changes
specific to this policy package.
You can also enable Schedule Install, which allows you to specify the date and time to install the latest
policy package changes. When a scheduled install has been configured and is active, a clock icon
appears beside the policy package name. Select this icon to edit or cancel the schedule. Once the
scheduled install is complete, the icon disappears.
The wizard also provides a comment section where you can optionally add a comment about the
installation for future reference.

© FORTINET
The next step is Device Selection. Here, the wizard displays the devices selected in the installation
target for the specific policy package. However, you may override this by deselecting a device.

© FORTINET
The next step of the wizard is Validation. Here, the wizard checks that the policy package selected is
suitable for the installation targets selected, such as whether the interface mapping reference in the
policy package is configured on the installation targets. If the validation fails, the install will stop.
Prior to the install you may preview the changes. Click Preview to view the configuration changes that
will be installed on the managed FortiGate. You can also click Download to open or save the preview
file in .txt format. As a best practice, always preview and verify the changes that will be committed to
the FortiGate.
If this is the first install you may see many changes, as objects may have been renamed during the
import process and unused objects are removed from the device configuration. If you do not want to
proceed with the install you may cancel the install at this step of the wizard.

© FORTINET
The last step is Install, which is the actual installation. The wizard lists the devices on which
configuration changes were installed and also shows you the progress bar for the install. Any errors or
warnings that occur during installation appear here as well.
If the installation fails, the installation history indicates the stage at which the install failed. You can
also check the installation history for the successful install too.
In this example, the wizard indicates that the configuration changes have been successfully installed
to the FortiGate and that FortiManager has created a new revision history for this install.

© FORTINET
FortiManager also provide a Re-install option. A re-install is the same as the install except there are
no prompts and it doesn’t give the ability to preview the changes that will be installed to the managed
device. It will create a new revision history and apply to all selected installation targets.
You can right-click any policy package to access the menu or select the policy package and click the
Policy Package menu directly.

© FORTINET
Now we have learned how to import policies from the managed devices and install Policies & Objects
configuration changes, the next step is to explore the advanced operations, such as:
• Drag-and-drop to move
• Cut, copy and paste
• Cloning policies and policy folders
• Exporting policies
• Policy check

© FORTINET
You can drag and drop both firewall polices and objects in order to configure your ruleset. As soon as
the firewall polices and objects are moved, the changes are saved to the policy package and the
modified policy package must then be installed to the managed device.
Click “drag and drop.mp4” in the slide to open and play this short video.

© FORTINET
Use the cut and paste options to copy and move policies in the same policy package and between
policy packages.
Policies can be copied and cut using the requisite selection from the menu found by right-clicking the
policy sequence number cell. When pasting a copied or cut policy, the policy can be inserted above or
below the current selected policy. The menu also provides the option to cancel in the event you need
to undo the copy or cut that you just performed.

© FORTINET
You can also clone policies. This function is similar to creating a new policy, but the fields are pre-
populated with the settings of the cloned policy.
To clone a policy, right-click the policy sequence number cell and select Clone from the menu. The
Clone Policy dialog box opens with all of the settings of the original policy. You can edit the settings as
required.
The next slide demonstrates how to create a new policy package by cloning the existing one.

© FORTINET
You can clone a policy package by selecting the policy package and clicking Create New under the
Policy Package menu or alternatively, by right-clicking the policy package and clicking Create New. In
the Create New Policy Package dialog box you can specify a name for the new policy package.
Because it’s a clone, it will also have the same installation target, but this can be edited. The progress
bar indicates the cloning of the policy package.
In this example, the existing policy package “CommonPackage” is cloned and named “Training”. The
newly created policy package has the same installation target for devices as “CommonPackage”.
If you recall, we previously set the installation target for “CommonPackage” to three devices/VDOMs.
So when cloning the policy package, “Training” has the same installation targets.

© FORTINET
You can export polices into CSV format, which can then be imported into Microsoft Office applications.
To export policies, right-click an existing policy package or click the Policy Package menu and select
Export.
Alternatively, you may dump the policy packages in FortiOS CLI format:
execute fmpolicy print-global-database <ADOM_name>
The output from this command can be used in scripting in Device Manager. You can override these
scripts to the ADOM level in order to create many objects. This command is useful for firewall policy
management.

© FORTINET
The Policy Check performs the following checks:
• Duplication, where two objects have identical definitions

• Shadowing, where one object completely shadows another object of the same type
• Overlap, where one object partially overlaps another object of the same type
• Orphaning, where an object has been defined, but has not been used anywhere.
To perform a policy check, right-click an existing policy package and select Policy Check from the
menu. In the Consistency Check dialog box you can select two options:
• Perform Policy Consistency Check: This performs a policy check for consistency and provides
any conflicts that may prevent your devices from passing traffic.
• View Last Policy Consistency Check Result: This allows you to view the results of the most
recent consistency check.
The policy check only provides recommendations on what improvements can be made—it does not
actually perform any changes. It uses an algorithm to evaluate policy objects, based on:
• Source and destination interface policy objects

• Source and destination address policy objects
• Service and schedule policy objects

© FORTINET
In this example, policy ID 3 and 8 are from “Internal -> External” and are completely shadowed. Policy
ID 3 has the source address “all” and the services are set to “HTTP, HTTPS”. Policy ID 8 has the
source address “MyLan” and services are set to “FTP, PING”.
By default, address object “all” has value 0.0.0.0/0.0.0.0, which includes any IP subnet/range, so
address object “MyLan” is shadowed by “all”. These two policies can therefore be combined by adding
all the services into one policy.
Remember, the policy check only provides recommendations on what improvements can be made —
it does not actually perform any changes.

© FORTINET
Now we know how to configure, manage, and install Policy & Object configuration changes, the next
step is to understand the options available when configuring a FortiGate IPsec VPN via FortiManager.
FortiManager has 2 ways to configure FortiGate for IPsec VPN:
• Policy & Device VPNs

• Central VPN Console

© FORTINET
The default VPN management mode is Policy & Device VPNs. In this mode, the IPsec phase 1, phase
2, and routes are configured per device and the firewall policies referencing IPsec interfaces are
created in the policy package. The legacy mode of IPsec VPN configuration, policy-based, is
supported in this management mode.
The VPN configuration settings are disabled (hidden) in Display Options and can be turned on under
Device Manager > Display Options. Once enabled, you can configure the IPsec Phase 1 and Phase 2
setting by selecting your device in Device Manager and clicking Menu > VPN.

© FORTINET
In Policy and Device VPNs, IPsec Phase 1 and IPsec Phase 2 are configured in the same way as
performed locally on the FortiGate. Once the IPsec Phase 1, IPsec Phase 2, and routes are
configured, you can configure the firewall policies for IPsec VPN in the policy package under the
Policy & Objects tab.
As in Policy & Device VPNs, the IPsec Phase 1, IPsec Phase 2, and routes are configured per device.
What if you have hundreds of managed FortiGate devices and need to create VPNs between them?
You can use the Central VPN Console, which allows you to create IPsec Phase 1 and IPsec Phase 2
once and target to multiple devices. Also, FortiManager can create automatic routing for the VPN.
The next few slides demonstrate the Central VPN Console configuration steps.

© FORTINET
When you set VPN Management to Central VPN Console for an ADOM, a VPN console tree menu
appears in the Policy & Objects tab under Policy Package.
If this does not show up, you will need to enable the Show VPN Console option in System Settings >
Admin > Admin Settings.

© FORTINET
There are 3 topologies that you can configure from VPN Console. Choose the topology which suits
your network. Options include:
• Full Meshed: Each gateway has a tunnel to every other gateway.

• Star: Each gateway has one tunnel to a central hub gateway. Each FortiGate is defined as either a
hub or spoke.
• Dial Up: Some gateways, often for mobile users, have dynamic IP addresses and contact the main
gateway to establish a tunnel. Similar to Star topology, VPN gateway is defined as either a hub or a
spoke. Peer options are configured similar to the dial-up tunnel as configured directly on the
FortiGate.
From the Policy & Objects tab select VPN Console and click Create New to create a VPN topology
and define IKE Phase 1 and 2 settings. These Phase 1 and phase 2 settings only need to be
configured once and can be applied to multiple FortiGate devices.
The next few slides demonstrate the configuration steps required for the VPN Console using the full
meshed topology. In it, the phase 2 configuration does not include protected networks, which are
configured when configuring managed or external gateways.

© FORTINET
Once you have selected the VPN topology and configured phase1 and phase2 settings, the next step
is to configure gateways. The settings for configuring gateways are dependent on the VPN topology
selected.
Right-click the name of the VPN topology and click Config Gateways in order to enter the VPN
gateway configuration. Click Create New in order to configure managed and external gateways.
• Managed Gateway refers to an IPsec tunnel to a device that is managed by FortiManager.

• External Gateway refers to an IPsec tunnel to a device that is not managed by FortiManager. In
this configuration, you provision one-side of the VPN, entering parameters that match the remote
peer configuration.

© FORTINET
Once you select Managed Gateway, you need to configure the following:
• Device: Select the managed FortiGate from the drop down list
• Default VPN Interface: Usually it is the egress interface for the device, so that it can communicate
with other FortiGate devices to negotiate IKE information.
• Routing: For managed devices, routing can be configured automatically or manually from Device
Manager. The default option is Automatic, as the device is already managed by FortiManager and
it knows the existing routing table and can add the routes for the IPsec tunnel as a result.
• Protected Subnets: Subnets behind the device to which you would like to allow access over VPN.

© FORTINET
Once you have added all managed and external gateways, you need to add firewall policies. Firewall
policies can be configured in the policy package located under the Policy & Objects tab.
The slide shows VPN policies being added to the HeadOffice and BranchOffice policy packages
referencing the special IPsec interface names (vpnmgr_MyVPN_mesh) used for a full mesh topology.
Install the respective policy package to each managed device. On install, preview the configuration
changes and note the IPsec and routing configuration objects that have been created by the VPN
Console configuration. After the install, these special IPsec interfaces will be created locally on the
FortiGate devices.
There are many limitations with VPN Console, which is why it is not the default method. The main
restriction is that you cannot import an existing VPN configuration and it only supports interface-mode.
That said, interface mode is the preferred IPsec configuration and many organizations are happy to
build a new VPN topology within the console because it standardized the VPN object configuration.

© FORTINET
Now we know the IPsec VPN configuration options on FortiManager, so the next step is to understand
the purpose of the global ADOM.

© FORTINET
Header and footer policies are used to envelop policies within each individual ADOM. These are
typically invisible to users and devices in the ADOM layer. An example of where this would be used is
in a carrier environment, where the carrier would allow customer traffic to pass through their network,
but would not allow the customer to have access to the carrier’s network assets.
This diagram illustrates how global policies and objects are assigned to ADOM policy packages.
The next few slides show how a global header policy is applied to deny all ICMP ping to a public IP
address and assigned to an ADOM.

© FORTINET
Header policies are the policies that are placed at the top of the policy package in the individual
ADOM. Footer policies are the policies that are placed at the bottom of the policy package in the
individual ADOM.
To create a new header or footer policy, click the Policy tab or right-click Local Domain Policies (or the
existing policy in the Global ADOM) and select Header Policy or Footer Policy.

© FORTINET
In this example, we have created a header policy to block ICMP ping to address object “gPingblock”
and service set to “gPiNG” and action as “Deny”. The next step is to assign this policy to one policy
package in an individual ADOM.

© FORTINET
Select the global policy package that you would like to assign and click Assignment > Add ADOM. You
can specify the targeted policy package on the individual ADOM.
In this example, the “default” global policy package is added to the “HeadOffice” policy package in the
“root” ADOM by excluding the other three policy packages in that ADOM. Once the policy package is
added, the status appears as Pending changes, as it is not assigned to the policy package. Under the
ADOM Policy Packages column, it also shows only one policy package is selected out of four
packages available in the “root” ADOM. Assignment can be done by clicking Assign or Assign
Selected.
The Assign option commits the global policy package and used objects to the individual ADOM policy
package.
Assign Selected, on the other hand, gives some more advanced options, including:
• Assign USED Objects Only

• Assign ALL Objects
• Automatically Install Policies to ADOM Devices
Once assigned, the status changes to Up to date.

© FORTINET
Once the global ADOM objects are assigned, it will appear in the Policy & Objects tab for that
particular ADOM. In this example, the header policy is added to the “HeadOffice” policy package in
the “root” ADOM.
Only one global policy package can be assigned to an individual ADOM policy package, and assigning
a new global policy package to same individual ADOM policy package will remove previously
assigned policies. Also, the header and footer policies cannot be edited and moved between the rules
in an individual ADOM policy package.

© FORTINET
To review, these are the topics we covered in this lesson. After this lesson, you should be able to:
• Create ADOM revisions
• Create policy folders and policy packages
• Create policies and firewall objects
• Configure installation targets
• Configure and use dynamic objects
• Understand and configure interface and zone mappings
• Use the Import Policy wizard and Install wizards
• Configure IPsec VPNs
• Understand and use of Global ADOM policies

DO NOT REPRINT  Additional System Operations
© FORTINET
In this lesson, we will explore the additional system settings and features available in FortiManager, such
as:
• FortiManager High Availability (HA)
• FortiGuard Management
• FortiGate-to-FortiManager (FGFM) Management Protocol

© FORTINET
After completing this lesson, you should have these practical skills that will allow you to configure,
manage, and troubleshoot issues on FortiManager. This includes:
• Configuring and deploying FortiManager High Availability (HA)

• Describing the FortiGuard services within FortiManager
• Configuring FortiGate devices to work with a local FortiGuard server, and
• Describing the FortiGate-FortiManager management protocol

© FORTINET
FortiManager High Availability (HA) provides a solution for a key requirement of critical enterprise
management and networking components: enhanced reliability. This section provides a general
description of FortiManager HA, how to configure it, and maintenance procedures.

© FORTINET
A FortiManager HA cluster consists of up five FortiManager devices of the same FortiManager model.
One of the devices in the cluster operates as the primary device and the other devices—up to four—
operate as secondary devices. The HA heartbeat packets use TCP port 5199. FortiManager HA
provides geographic redundancy and each FortiManager has its own IP address.
All changes to the FortiManager database are saved on the primary device, and then these changes are
synchronized to the secondary devices. The FortiManager configuration of the primary device is also
synchronized to the secondary devices (except for the HA parameters).

© FORTINET
FortiManager HA does not support IP takeover where an HA state transition is transparent to

administrators. If a failure of the primary occurs, the administrator must take corrective action to resolve
the problem that may include invoking the state transition. If the primary device fails, the administrator
must do the following in order to bring the FortiManager HA to a working state again:
1. Manually reconfigure one of the secondary devices to become the primary device.
2. Reconfigure all other secondary devices to point to the new primary device.
A reboot is not required when promoting from secondary to primary.
If the secondary FortiManager device fails, the administrator can reconfigure the primary device to
remove the secondary configuration. Alternatively, the administrator can keep the secondary
configuration in the HA settings and once the secondary device comes online it will resynchronize with
the primary.
The primary’s device and policy databases are synchronized with the secondary devices. The cluster
functions as active-passive, however the FortiGuard service can be configured to function as active-
active.
The next few slides review an example configuration where the primary and secondary roles are
configured on two different devices. The peers are identified by their IP address and serial number and
authenticated with a group ID and password. When a device leaves or joins the cluster, the administrator
is prompted for an action.

© FORTINET
To configure the FortiManager High Availability (HA), go to System Settings > HA. From here you can
configure FortiManager devices to start a high availability cluster or you can change the HA configuration
of the cluster.
In the Cluster Setting window, you need to configure the following:
• Operation Mode: By default, operation mode is set to Standalone. Change the mode to Master
(primary) or Slave (secondary) to configure the FortiManager device to be the primary or secondary
device, respectively, in a cluster.
• Peer IP Version: FortiManager supports both IPv4 and IPv6 for HA configuration.
• Peer IP: The IP address of another FortiManager that will act as the secondary (“slave”) device in the
cluster.
• Peer SN: The serial number of another FortiManager that will act as the secondary device in the
cluster. Click the green “+” icon to add the Peer IPs and associated serial numbers of up to four
secondary devices.
• Cluster ID: All members of the HA cluster must have the same group ID. By default, cluster ID is
preconfigured with a value of 1, but can be between 0-64.
• Group Password: The password for the HA cluster. All members of the HA cluster must have the
same group password. The maximum password length is 19 characters.
• Heartbeat Interval: The time in seconds that a cluster member waits between sending heartbeat
packets and expecting to receive a heartbeat packet from the other cluster member. By default, the
heartbeat interval is 5 seconds, but can be set between 1 to 255 seconds.
• Failover Threshold: The maximum number of heartbeat intervals that can occur without response
before FortiManager assumes that the other cluster members have failed. The default failover
threshold is 3. Based on the default settings, the failure detection time is 15 seconds (5 second
heartbeat interval x 3 failovers). The failover threshold range is between 1 and 255.

© FORTINET
In the previous slide, we configured FortiManager to act as the primary (Master) device. To configure the
secondary (Slave) device, go to System Settings > HA. You need to configure the Operating Mode as
Slave from the drop-down menu. Select Peer IP Version and configure the primary FortiManager IP in
the Peer IP field and the primary FortiManager serial number in Peer SN field. You also need to
configure the Cluster ID and Group Password, which should be the same as configured on the primary
FortiManager device.
Once the configuration is complete, primary and secondary FortiManager devices will try to negotiate
and synchronize the data. The primary FortiManager will synchronize its data with all the secondary
devices configured.
The label HA Slave appears on the secondary FortiManager’s GUI.

© FORTINET
Once the FortiManager cluster is configured, you can go to System Settings > HA or the System
Settings > Dashboard > System Information widget to view the current status of the HA cluster. You can
also check the logs from System Settings > Event Log or from the System Settings > Dashboard > Alert
Message Console widget.
Once the FortiManagers form a cluster, a pop-up dialog box appears on the secondary FortiManager. It
states that no device configuration changes are possible from the secondary device and that all changes
to the configuration database can only be made on the primary FortiManager, which will synchronize its
changes to all secondary devices.

© FORTINET
If the secondary FortiManager fails due to a hardware or network issue, the cluster status goes down on
both the primary and secondary devices. On the secondary member it will show it is trying to connect to
the peer, which is the primary device.
On the primary device, the failure is detected after the “Heartbeat Interval” multiplied by the “Failover
Threshold” matches it configured settings. In this example, “Heartbeat Interval” and “Failover Threshold”
are set to the default values, resulting in the failure detection after 15 seconds. The secondary member
will show a “Keepalive Failure” on primary device under System Settings > HA. Also on the primary
FortiManager device, a pop-up dialog box appears that asks, “Unable to contact HA Cluster Unit FMG –
xxxxxxxx. Do you wish to remove this unit from the HA Cluster permanently?”
This pop-up provides two options:
• Clicking Yes results in removing the secondary member configuration from the primary, and if the
secondary member comes online, the primary FortiManager HA configuration needs to be
reconfigured to add the secondary member.
• Clicking No results in the primary FortiManager keeping the secondary configuration in the HA
settings and once the secondary member comes online, it will resynchronize with the primary
FortiManager.
In this example, we selected No so that we don’t need to reconfigure the HA setting on the primary
FortiManager for the secondary member.
The next slide shows the steps to recover and synchronize the secondary FortiManager from the primary
FortiManager when it comes online.

© FORTINET
In the previous slide, we choose not to remove the secondary member from the HA configuration on the
primary device and to resynchronize the data when it comes online.
Once the secondary member is online, the primary FortiManager is alerted with an pop-up box stating
that the secondary member is detected and asks whether you would like to accept and resync this
member with the HA cluster. There are two options to choose from:
• Clicking Yes results in the primary FortiManager accepting and resynchronizing its data with the
secondary FortiManager.
• Clicking No results in the primary FortiManager removing the secondary member HA configuration
from the primary FortiManager and this device is considered a new device. The primary FortiManager
HA configuration needs to be reconfigured to add this new member.
In this example, we selected Yes so that we don’t need to reconfigure the HA setting on the primary
FortiManager for the secondary member, and the primary FortiManager will accept and synchronize its
data with the secondary FortiManager. Once the data is fully synchronized, the status of the secondary
FortiManager on the primary FortiManager appears as a green up arrow.

© FORTINET
The FortiGuard Distribution Network (FDN) provides FortiGuard services for your FortiManager system
as well as its managed FortiGate devices and FortiClient agents. In this section, we will describe and
configure options available on FortiManager related to FortiGuard services, such as:
• Antivirus and IPS

• Web filtering and email filtering
• Package management
• Query server management, and
• Firmware image management
Finally, we will examine how to configure FortiGate devices to work with a local FortiGuard server
(FortiManager).

© FORTINET
FortiManager can function as a local FortiGuard Distribution Server (FDS). It continuously connects to
FDS servers to obtain managed device license information and check firmware availability updates
(unless configured for closed-network operations).
All FortiManager devices can provide antivirus, IPS, vulnerability scanning, and signature updates to
supported devices. Select FortiManager devices can provide web filtering and anti-spam services.
Through the FDS connection, FortiManager can also access firmware updates for its managed devices.
FortiGuard information is not synchronized across a FortiManager cluster. In a cluster, each device
individually downloads and updates their FortiGuard contract information and firmware availability
information. Each cluster member maintains its FortiGuard services and can provide these services
independently, providing an active-active operation.
The Service Access settings need to be configured on FortiManager per interface under System Settings
> Network. FortiManager supports requests from registered (managed) devices and unregistered
(unmanaged). The status of the current connection between the FDN and the FortiManager system can
be disconnected, connected, out-of-sync, or synchronized.
After enabling and configuring the FortiManager system’s built-in FDS, you can configure FortiGate
devices to use FortiManager FortiGuard services.
FortiManager acts as a secondary FortiGuard Distribution Server. All FortiGuard activity is stored in a
rolling log file called the ‘umlog’. The update manager log file (umlog) contains FortiGuard AV/IPS/AS/
WF, firmware manager, licensing requests. This file can be exported via the CLI (diagnose system
export umlog {ftp | sftp} <type> <server> <user> <password> [remote path]
[filename]).
Usage of FortiGuard services on FortiManager may be resource intensive and, moreover, you may
dedicate a FortiManager to this task.
The next few slides show the synchronization and the service status.

© FORTINET
You can configure FortiGuard in the GUI under FortiGuard > Advanced Settings. It provides various
options to configure FortiManager as the local FortiGuard servers. You can enable, disable, and set the
following options:
• Communication with FortiGuard servers
• Antivirus and IPS Service
• Web filter and Email Filter Service
• Server Override Mode
• FortiGuard Antivirus and IPS Settings
• FortiGuard Web Filter and Email Filter Settings
• Override FortiGuard Server
We will explore each of these options in detail in next few slides.

© FORTINET
By default, Disable communication with the FortiGuard Servers is unchecked, which allows
FortiManager to continuously connect to FDS servers to obtain managed device information and sync
packages. Disable this option when FortiManager is used in a closed network. When disabled, the
AV/IPS/license packages must all be updated manually, and are no longer automatically retrieved from
the public FDS server(s).
There are four FortiGuard connection statuses:

• Disconnected: If the FortiManager is not able to connect to the FortiGuard Distribution Network
(FDN). It is identified with a red down arrow.
• Connected: If the FortiManager connection to FDN initially succeeds, but a synchronization
connection has not yet occurred. It is identified with a green up arrow.
• Out of Sync: If the initial FDN connection succeeds, but the built-in FDS is disabled.
• Synchronized: If the built-in FDS is enabled and the FDN packages download successfully.
The Enable Antivirus and IPS Service provide the update services for:
• FortiGate – Antivirus and IPS
• FortiMail – Antivirus and Email filter
• FortiAnalyzer - Vulnerability Scan and Management Support
You can run the following CLI command to force, and get updates from, FDN for antivirus and IPS:
diagnose fmupdate fds-updatenow
You can run the following command to force, and get updates from, FDN for FortiGate web
filtering/spam:
diagnose fmupdate fgd-updatenow

© FORTINET
Once the antivirus and IPS services are in a synchronized state, FortiManager shows available updates
based on the OS version for FortiGate, FortiMail, and FortiAnalyzer. Below are the options available
under Antivirus and IPS service:
• Enable Antivirus and IPS Update Service for FortiGate: Select the OS versions from the table for
updating antivirus and intrusion protection for FortiGate. You can select to download updates for
FortiOS versions 5.0 (5.2, 5.0,), 4.0 (4.3, 4.2, 4.1, 4.0), and 3.0 (MR7, MR6).
• Enable Antivirus and Email Filter Update Service for FortiMail: Select the OS versions from the
table for updating antivirus and email filter for FortiMail. You can select to download updates for
FortiMail OS versions 5.0 (5.1, 5.0), 4.0 (4.1,4.0), and 3.0 (MR5, MR4).
• Enable Vulnerability Scan and Management Support for FortiAnalyzer: Select the OS versions
from the table for Vulnerability Scan and Management Support for FortiAnalyzer. You can select to
download updates for FortiAnalyzer OS versions 5.0 (5.0) and 4.0 (4.3, 4.2, 4.1, 4.0).
You can configure the object version based on the device type and OS version by running the following
CLI command:
config fmupdate device-version
In this example for the FortiGate, it is configured only for version 5.0.
config fmupdate device-version
set fgt 5.0
end
If you notice, the only available updates (Antivirus and IPS) for FortiGate are based on firmware version
5.0. As such, it doesn’t show any updates available for version 4.0 or 3.0. If you have FortiGate devices
running on version 4.0, you can configure to include version 4.0 and FortiManager will get the necessary
updates from the FortiGuard Distribution Network.

© FORTINET
FortiManager needs to communicate with the FortiGuard Distribution Network (FDN) in order to check
and download new database and engines so that it can update the managed FortiGate devices. You can
view the FDS server list that FortiManager is communicating to by running the following CLI command:
diagnose fmupdate fds-serverlist
By default, FortiManager will first attempt to connect to the public FDS server fds1.fortinet.com over TCP
port 443 to download the list of secondary FDS servers from which it will then download AV/IPS
packages.
Settings related to antivirus and IPS are configured under FortiGuard > Advanced Settings and under the
FortiGuard AntiVirus and IPS Settings heading. You can configure the following settings:
• Override server address for FortiGate/FortiMail

• Push update
• Web proxy
• Regular schedule updates
• Other advance settings, such as:
• Log update entries from FDS server
• Log update histories for each FortiGate
In the next few slides we will explore these options in detail.

© FORTINET
When you enable Use Override Server Address for FortiGate/FortiMail, you can override the default IP
address, and port; if you want to use a specific FDN server or specific port that is different from the
default. A good example is if you have a dedicated upstream FortiManager that you use to download
AntiVirus and IPS updates. In this case, you can configure your downstream FortiManager to get the
updates from the dedicated upstream FortiManager by configuring the IP address and port of the
upstream FortiManager. When obtaining the updates from another upstream FortiManager, the port
must be configured as ‘8890’. You can add multiple override server addresses by clicking on the add (+)
icon. The maximum number of override servers allowed is 10.
In this example, before configuring Override Server Address, the FDS server list shows that the
FortiManager will try to communicate with the public FDS. You can view the FDS server list that the
FortiManager is communicating to by running the following command:
diagnose fmupdate fds-serverlist
After enabling Use Override Server Address for FortiGate/FortiMail, we have configured the IP address
and port for an upstream FortiManager (192.168.1.152) and public FDS server (208.91.112.71). The
upstream FortiManager has port 8890 (remember, this must be the port for the upstream FortiManager).
If you run the “diagnose fmupdate fds-serverlist” command again, you will see that the
upstream FortiManager is listed first in the list, followed by the public FDS server (208.91.112.71).
But why it is showing other public FDS servers in the list? What if you want to communicate only with the
configured override servers?
By default, Server Override Mode is set to Loose, which allows FortiManager to fall back to the cached
backup FDS servers if the configured override servers are not available. You can change the Server
Override Mode to Strict which prevents this fallback from occurring.

© FORTINET
When you enable Allow Push Update, the FDN can push update notifications to the FortiManager
system’s built-in FDS when an urgent or critical FortiGuard antivirus or IPS signature update becomes
available. The FortiManager system then immediately downloads the update. When Allow Push Update
is enabled it will override the default IP address and port to which the FDN sends Antivirus and IPS push
announcement messages. For example, if FortiManager is behind a NAT device (configured as private
IP address) and push updates are enabled, the FortiManager system sends its IP address to the FDN,
and this IP address is used by the FDN as the destination for push messages. Because of the
FortiManager private IP address, which is not routable from the FDN, this will cause push updates to fail.
Configure the following along with enabling Allow Push Update:
• IP Address: The external IP or virtual IP of the NAT device.
• Port: The default port is UDP 9443 for FortiGate updates. It is the external port on the NAT device for
which you will configure port forwarding. You can change the port if required.
The FortiManager system will notify the FDN to send push updates to this IP address and port number.
On your NAT device you need to configure the following:
• If you entered a virtual IP address, configure the virtual IP address and port forwarding, and use static
NAT mapping.
• If you entered a port number, configure port forwarding. The destination port must be UDP port 9443,
which is the FortiManager system’s listening port for updates.
The built-in FDS may not receive push updates if the external IP address of any intermediary NAT
device is dynamic (such as an IP address from PPPoE or DHCP). When the NAT device’s external IP
address changes, the FortiManager system’s push IP address configuration becomes out-of-date.
In this example, FortiManager is behind a NAT device and we have enabled Allow Push Update and
configured the IP Address (The egress IP of the NAT device), and Port (9800).
On the NAT device (for example FortiGate), we configured the following:
• The virtual IP address and port forwarding. We also used static NAT mapping. In this example, we
configured virtual IP “FortiManager_VIP” on the NAT device (FortiGate) with port forwarding UDP
9800  UDP9443 and the firewall policy to allow the traffic to FortiManager.

© FORTINET
By default, FortiManager connects to FDN via TCP port 443. When you enable Use Web Proxy, if the
FortiManager system’s built-in FDS connects to the FDN through a web (HTTP or HTTPS) proxy, you
must specify the IP address and port of the proxy server. If the proxy requires authentication, you must
supply the user name and password. You can click Update to immediately connect and receive updates
from the FDN. If the FortiGuard connection status under Antivirus and IPS Service appears as
disconnected, FortiManager is unable to connect through the web proxy.
Keeping the built-in FDS up-to-date is important to provide current FortiGuard update packages and
rating lookups to requesting devices. This is especially true, as new viruses, malware, and spam sources
pop up on a very frequent basis. By enabling Schedule Regular Updates, you are guaranteed to have a
relatively recent version of database updates. A FortiManager system acting as an FDS synchronizes its
local copies of FortiGuard update packages with the FDN when:
• You manually initiate an update request by selecting Update Now.
• It is scheduled to poll or update its local copies of update packages.
• If push updates are enabled (it receives an update notification from the FDN).
If the network is interrupted when FortiManager is downloading a large file, it downloads all files again
when the network resumes. You can configure scheduled updates on an hourly, daily, or weekly
schedule.
Under the Advanced section you can configure the logging for FortiGuard Antivirus and IPS updates.
This includes the FortiManager built-in FDS and any registered FortiGate devices that use the
FortiManager’s FDS.
You can view the logs under System Setting > Event Log. You can also filter logs related to FortiGuard
by enabling filtering on Sub Type and setting it to FortiGuard service event.

© FORTINET
FortiManager needs to communicate with the FortiGuard Distribution Network (FDN) in order to check
and download the new database for web filtering and email filtering.
By default, the FortiManager will first attempt to connect to the public FDS server “guard.fortinet.net”
over TCP port 443 to download the list of secondary FDS servers from which it will then download
databases for web filtering and email filtering. You can verify if the service is enabled by running the
following command:
diagnose fmupdate fgd-service-info
Settings related to web filter and email filter are configured under FortiGuard > Advanced Settings >
FortiGuard Web Filter and Email Filter Settings. The following settings can be configured.
• Override Server Address for FortiClient
• Override Server Address for FortiGate/FortiMail
• Use Web Proxy
• Polling Frequency
• Log Settings
In the next few slides we will explore each of these options in detail.

© FORTINET
You can view the FortiClient server list by running the following command:
diagnose fmupdate fct-serverlist
The FDS server guard.fortinet.net is at the bottom of the list with usually distance of 0.
By default, FortiManager will first attempt to connect to the public FortiClient server forticlient.fortinet.net
over TCP port 443 to download the list of secondary servers from which it will then download the
packages for FortiClient.
When you enable Use Override Server Address for FortiClient, you override the default IP address and
port that the FMG contacts when requesting Antivirus updates for FortiClient from either the public FDS
network or a private upstream FMG. If configured to obtain the updates from another upstream FMG,
then the port must be configured as 8891. You can add multiple override server addresses by clicking on
add (+) icon. The maximum number of override servers allowed is 10.
In this example, before configuring Override Server Address for FortiClient, the FortiClient server list
shows that FortiManager will try to communicate with the public FDS. After enabling Use Override
Server Address for FortiClient, we have configured the IP and port for the upstream FortiManager
(192.168.1.152, port 8891). If you notice by running the “diagnose fmupdate fds-serverlist”
command again, the upstream FortiManager is listed first in the list.
But why it is showing other public FDS servers in the list? What if you want to communicate only with the
configured override servers?
By default, Server Override Mode is set to Loose, which allows FortiManager to fall back to the cached
backup FDS servers if the configured override servers are not available. You can change the Server
Override Mode to Strict which prevents this fallback from occurring.

© FORTINET
Now let’s explore the other FortiGuard web filter and email filter settings:
• Use Override Server Address for FortiGate/FortiMail: Previously, we configured an override

server address in the AntiVirus and IPS Setting. This configuration overrides the server address for
FortiGate/FortiMail for the web filter and email filter database. This setting behaves in same way. If
configured to connect to another upstream FMG, then the port must be 8900. You can add multiple
override server addresses by clicking on add (+) icon. The maximum number of override servers
allowed is 10.
• Use Web Proxy: By default, FortiManager connects to FDN via TCP port 443. If the FortiManager
system’s built-in FDS must connect to the FDN through a web (HTTP or HTTPS) proxy, you must
specify the IP address and port of the proxy server. If the proxy requires authentication, you must
supply the user name and password. You can click Update to immediately connect and receive
updates from the FDN.
• Polling Frequency: You can configure the polling interval in hours and minutes to get updates on the
web filter and email filter database from FDN.
• Log Settings: You can track FortiGuard web filtering and email filtering lookup and non-events
occurring on any registered FortiGate device that uses the FortiManager system’s FDS. Before you
can view lookup and non-event records, you must enable logging for FortiGuard web filtering or email
filter events. You can configure rating queries for FortiGuard Web Filtering, FortiGuard Antispam, and
FortiGuard Anti-virus Query.

© FORTINET
The Override FortiGuard Server (Local FortiManager) section allows you to configure and enable
alternate FortiManager FDS devices, rather than use the local FortiManager system. You can set up to
10 alternate FDS servers, and select what services are used. Let’s examine the settings:
• Additional number of private FortiGuard servers (excluding this one): This configures the list of
private server IPs that can provide FDS and FGD services. These are typically other FortiManager
devices with FortiGuard services enabled, however the list can also contain one or more public
FDS/FGD servers. This list would determine exactly which FDS and FGD servers the FortiGate
would try to contact, unless configured otherwise on the FortiGate device to communicate directly
with the public FDN. When adding a private server, you must include the IP address and time zone.
• Enable AntiVirus and IPS Update Service for Private Server: When one or more private
FortiGuard servers are configured, this option updates antivirus and IPS through this private server
instead of using the default FDN. This will provide the list of configured private server IP addresses to
the FortiGate device as possible servers that it can contact to obtain FDS updates.
• Enable Web Filter and Email Filter Update Service for Private Server: When one or more private
FortiGuard servers are configured, this option updates the web filter and email filter through this
private server instead of using the default FDN. This will provide the list of configured private server
IP addresses to the FortiGate device as possible servers that it can contact to obtain FGD updates.
• Allow FortiGates to Access Public FortiGuard servers when Private Servers are Unavailable:
When one or more private FortiGuard servers are configured, this option sends managed FortiGate
devices to those private servers for FortiGuard updates. Enable this feature to allow those FortiGate
devices to then try to access the public FDN servers if the private servers are unreachable.
You can debug on the FortiManager device by running the following commands:
diagnose fmupdate fds-serverlist  For FortiGuard Antivirus and IPS server list
diagnose fmupdate fgd-serverlist  For FortiGuard Web Filtering and Antispam server list

© FORTINET
The antivirus and IPS signature packages are managed in FortiGuard Management > Package
Management. Packages received from FortiGuard are listed under Receive Status. It displays the
package received, version, size, the “to be deployed” version, and update history for FortiGate, FortiMail,
FortiAnalyzer, and FortiClient.
Click Update History to open the update history page for that package. It shows the update times, the
events that occurred, the status of the updates, and the versions downloaded.
You can change the “to be deployed” version of a received packaged by selecting Change in the To Be
Deployed Version column for the package. The Change Version dialog box that appears allows you to
select an available version from the drop-down list.

© FORTINET
Package Management > Service Status shows a list of all the managed FortiGate devices, their last
update time, and their status.
There are 4 possible statuses:
• Up to Date: The latest package has been received by the FortiGate device.
• Pending: The FortiGate device has an older version of the package due to an acceptable reason
(such as the scheduled update time is pending).
• Problem: The FortiGate device missed the scheduled query, or did not correctly receive the latest
package.
• Unknown: The FortiGate device’s status is not currently known.
Pending updates can also be pushed to the devices, either individually or all at the same time. Select the
device in the list and select Push Pending in the toolbar to push the update to the device. Hovering the
mouse over “Pending” will show the update that is pending. If there are multiple devices showing the
status as pending, you can select Push All Pending in the toolbar to push the update to the devices in
the list.
The list can be refreshed by selecting Refresh in the toolbar.

© FORTINET
The Web Filter and Email Filter databases are managed in FortiGuard Management > Query Server
Management. The databases received from FortiGuard are listed under Receive Status. It displays when
updates are received from the server, the update version, the size of the update, and the update history.
Select Update History to open the update history page for that package. It shows the update times, the
events that occurred, the status of the updates, and the version number and size of the download.

© FORTINET
Under Query Server Management > Query Status, you can see the number of queries made from all
managed devices to the FortiManager device in the graphs. It shows the top ten unrated sites, the top
ten devices, and number of queries made to the FortiManager acting as a local FDS.

© FORTINET
The FortiManager includes a licensing overview page that allows you to view license information for all
managed FortiGate devices. To view the licensing status, go to FortiGuard > Licensing Status.
This page displays:
• Show license expired devices only: Select to display devices with an expired license only.
• Refresh: Select the refresh icon to refresh the information displayed on this page.
• Search: Use the search field to find a specific device in the table.
• Device Name: The device name or host name.
• ADOM: Shows the ADOM information in which the FortiGate device is added.
It will also show the license status and expiration date for FortiGuard Antivirus, IPS, Email Filtering, Web
Filtering, and Support. You can change the order that devices are listed by clicking the column title.
There are 3 icons that display the license status:

• Green: License OK
• Orange: License will expire soon
• Red: License has expired

© FORTINET
Now that we understand the FortiGuard configuration on FortiManager, we can look at the configuration
required on the FortiGate in order to use FortiManager for FortiGuard communication.
You need to configure the following on the FortiGate in order to override the default FDS servers.
config system central-management
set fmg <fmg_ipv4>
set include-default-servers {enable | disable}
config server-list
edit <id>
set server-address <IPv4_addr>
set server-type {rating | update}
end
You need to configure the ‘server-list’ where you define the ‘server-address’, which is usually the IP of
FortiManager. Also, you can define the following in the ‘server-type’ field:
• rating — AV, IPS, or AV-query server
• update — web filter or anti-spam rating server
By default, ‘include-default-servers’ is enabled, which allows the FortiGate to communicate with

the public FortiGuard servers if a private server (configured in server-list are unavailable). You can
enable or disable inclusion of public FortiGuard servers in the override server list.
You can also configure the override default server configuration through FortiManager in Provisioning
Templates > System Templates > FortiGuard widget, which can be assigned to managed devices and
installed to them. The decision to override the default FDS server and use FortiManager is a device level
setting. Remember to enable service access on the FortiManager interface. When first building the
FortiManager service it is recommend to disable service access on the interface level, and enable it
once the service is completed the build process.

© FORTINET
FortiManager can download images from the Fortinet Distribution Network (FDN) or you can upload
firmware images from your management computer. This allows you to change the device firmware
through your FortiManager device.
You can manage the firmware under FortiGuard > Firmware Images. From the Show Models drop-down
list you can select Managed or All.
• Managed: Displays the available firmware images for managed devices.
• All: Displays the available firmware images for all devices.
From the Product drop-down list you can select FortiGate, FortiAnalyzer, FortiManager, FortiAP, or
FortiExtender to view the firmware images related to the product. The following information and settings
are available:
• Model: Shows the device model number that the firmware is applicable to.
• Download: Downloads the firmware image from the FDS if it is available. Once downloaded locally
on FortiManager, it will show the size of the firmware image and you can also click Download
Release Note in the Release Note column to view the release notes for that device for the firmware
selected.
Note: Always check the Release Notes for the proper upgrade path and other important
information before applying a new firmware image to the device. If CLI syntax is not compatible,
those settings cannot be converted to the new configuration file format, and will be reset.
• Preferred Version: Shows the firmware version that you would like to use on the device and it is the
firmware version shown in the Latest Version column. To change your preferred version, you can
click Change to open the Change Version dialog box and then select the desired version from the
drop-down list.
What if you want to use a different firmware version for a device that is not listed the available firmware
list? You can click Import Images to view the firmware import list. You can import the firmware for a
device from your management computer by clicking Import.

© FORTINET
You can upgrade the FortiGate firmware in two ways:
• Per Device: Select the FortiGate device in the Managed FortiGates list and in the System Information
widget click Update in the Firmware Version field.
• Group of Devices: Upgrade the firmware version of all the FortiGate devices in an ADOM (group of
devices if device group has been created) by right-clicking on Managed FortiGates and selecting
Firmware Update from the menu. This option is only available if all the devices in an ADOM or group
have valid firmware downloaded to upgrade. For example, if you have FortiGate 60C and FortiWiFi
60D running on firmware version 5.2.1 and you just downloaded the firmware version 5.2.2 for
FortiGate 60C, the available firmware upgrade list will be empty as FortiManager is not aware of the
new firmware image for FortiWiFi 60D.
FortiManager allows you to upgrade the firmware now or you can schedule the upgrade. Click Schedule
Upgrade to choose the date and time. You can also configure FortiManager to retry in case the first
attempt to upgrade the firmware is unsuccessful (this can be due to network interruptions or FortiGate
unable to communicate with the FortiManager, etc.).

© FORTINET
You can diagnose the issues related to FortiGuard by running diagnose command under ‘diagnose
fmupdate’ tree. From this command branch there are several useful commands for troubleshooting the
FortiGuard functionality. Output from these following commands may help you and Fortinet technical
support to investigate and troubleshoot an issue related to FortiGuard on the FortiManager:
• diagnose fmupdate vm-license  Lists FortiGate VM license information.

• diagnose fmupdate getdevice [fct|fds|fgd|fgc]  List the latest package
information download by the FortiGate/FortiClient via the FortiManager.
• diagnose fmupdate service-restart [fct|fds|fgd|fgc]  Restart the linkd service
for fct, fds, fgd, and fgc
• diagnose fmupdate fds-dbcontract  List the FortiGate license, Antivirus and IPS
information retrieved via the FDS.
• diagnose fmupdate fds-serverlist  List of upstream FDS servers FortiManager is
communicating with for Antivirus and IPS service.
• diagnose fmupdate fds-getobject List downloaded antivirus, IPS and vulnerability
scanner packages.
• diagnose fmupdate fds-updatenow  Update FortiGate AV/IPS immediately from public
FDS servers.
• diagnose fmupdate fgd-dbcontract  List the FortiGate Web Filter and Email Filter
information retrieved via the FDS.
• diagnose fmupdate fgd-serverlist List of upstream FDS servers FortiManager is
communicating with for Web Filter and Email Filter service.
• diagnose fmupdate fgd-updatenow Update FortiGate WF/spam packages immediately
from public FDS servers.
• diagnose fmupdate fgd-url-rating  Rate URL within FMG database.

© FORTINET
FortiManager and FortiGate communicate with each other on the FortiGate-FortiManager (FGFM)
management protocol, which runs on TCP port 541. This section explains the FGFM management
protocol and troubleshooting steps related to the FGFM protocol.

© FORTINET
The FGFM is the communication protocol used between FortiManager and the managed FortiGate
devices. The protocol is SSLv3 based on port TCP 541 and uses the firmware certificates for
authentication of the connection. Being TCP-based, the connection works with port-based NAT, which
allows a NATed FortiGate and FortiManager. Once the management tunnel is configured it can be
established in either direction—by FortiManager or the managed FortiGate device. FortiManager
reserves link level addressing using 169.254.0.0/16 subnet and by running ‘diagnose fmnetwork
interface list’, you can see that FortiManager reserves 169.254.0.1 for itself.
The protocol handles most FortiManager to FortiGate communication, with the exception to FortiGuard
AS/WF queries and IPS/AV updates, which are outside of this protocol.
• AV/IPS uses port TCP 8890 and UDP 9443
• WF/AS uses UDP 53 or 8888

© FORTINET
The management protocol FGFM runs on both FortiGate (fgfmd) and FortiManager (fgfmsd). A keep-
alive message is sent from the FortiGate device and this keep-alive includes the checksum of the
FortiGate configuration, which calculates the synchronization status.
The FortiGate login credentials are only required when discovering the device the first time, or reclaiming
the tunnel. This is to set the serial number. Once this is done, the serial number becomes the basis of
authentication. If the serial number needs to be reset, the command ‘execute fgfm reclaim-dev-
tunnel <optional device name>’ will recover the tunnel using the login credentials. This may be
required when a serial number changes, such as an RMA or a new VM license key.
Note: If the device name is not specified in the ‘execute fgfm reclaim-dev-tunnel
<optional device name>’ command, it will try to reclaim the tunnels from all the managed
devices. It is recommended to specify the device name if only one device tunnel needs to be reclaimed.
The device name can be obtained from running the ‘diagnose dvm device list’ command.
The keep-alive messages including the configuration checksums are sent from the FortiGate at a
configured interval on FortiManager by running the following command:
config system dm
set fgfm-sock-timeout <integer>
set fgfm_keepalive_itvl <integer>
• fgfm-sock-timeout: This is the maximum FortiManager/FortiGate communication socket idle time in
seconds. It ranges from 90 to 1800 (seconds) and the default is configured to 900 seconds.
• fgfm_keepalive_itvl: This is the interval at which the FortiManager will send a keepalive signal to a
FortiGate device to keep the FortiManager/FortiGate communication protocol active. It ranges from
30 to 600 (seconds) and the default is configured to 300 seconds.
Should there be no responses to the keep-alive messages for the duration of the timeout value the
tunnel is torn down and attempted to be re-established by both ends. The FortiGate configuration
rollback time is not impacted by these timer values. It remains at 15 minutes (900s).

© FORTINET
Whenever an install is performed from FortiManager to FortiGate, FortiManager always tries to make
sure it has connectivity with the managed FortiGate. In any case, FortiManager will try to recover the
FGFM tunnel by unsetting the command that caused the FGFM tunnel to go down.
For each install, FortiManager sends the following to the managed FortiGate device:
• The set commands needed to apply the configurations changes.
• The unset commands that would recover the configuration changes.
FortiGate uses the following logic when applying changes:

1. Apply the set commands, using memory only, nothing written to a configuration file.
2. Test the FGFM connection to the FortiManager.
You can run the following commands on the FortiGate to view this output:
diagnose debug enable
diagnose debug application fgfmd 255
To disable and reset the debug, run the following commands:

diagnose debug disable
• If the connection fails to re-establish, FortiGate applies the unset command after 15 minutes (not
configurable and not based on sock timeout values).
• If the connection still remains down, the FortiGate device reboots to recover the previous
configuration from its configuration file.
This final step is optional and can be enabled via the FortiManager CLI (by default it is disabled). The
following settings sends the allow reboot command to FortiGate:
config system dm
set rollback-allow-reboot enable
end

© FORTINET
You can diagnose the issues related to FGFM protocol by running diagnose commands. Output from
these following commands may help you and Fortinet technical support to investigate and troubleshoot
an issue related to FGFM:
• diagnose fmnetwork interface list  This displays the ‘srv_fgfm’ interface with the
special system point-to-point interface for the management connections. This interface has an IP
address of 169.254.0.1. Check that the interface is up and is sending and receiving packets.
• diagnose dvm device list  This displays the registered and unregistered devices in
FortiManager and provides information related to FortiGate devices.
• diagnose fgfm session-list  The displays the reachable and unreachable managed
devices, their connecting IP address, and their link local address.
• diagnose debug application fgfm 255 <optional device_name>  This displays
the messages to and from the managed device. It is recommended to define the device name when
running this debug from FortiManager in order to filter the messages for only that managed device
• execute fgfm reclaim-tunnel <optional device_name>  This forces the tunnel to
re-establish with the device and overwrites FortiManager’s serial number on the FortiGate’s central
management configuration section. The following gets reconfigured on the FortiGate during a
tunnel reclaim:
serial-number <serial number of the FortiManager>
• diagnose sniffer packet xxx 'port 541’  This uses the packet sniffer to view the
FGFM session activity.
• execute top  This views the CPU usage of the FGFMSD process to ensure that it is not
running high. It also shows the CPU and memory usage from other daemons running on
FortiManager.

© FORTINET
After this lesson, you should be able to:

• Configure and deploy FortiManager in high availability.
• Configure FortiGuard services available on FortiManager.
• Configure FortiGate devices to work with the FortiManager acting as a local FortiGuard server.
• Understand and troubleshoot the FortiGate-FortiManager (FGFM) management protocol.

FortiManager Student Guide-Online

Uploaded by

Copyright:

Available Formats

FortiManager Student Guide-Online

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

FortiManager Student Guide-Online

Uploaded by

Copyright:

Available Formats

What are the main topics covered in the document?

What are the main topics covered in the document?

What are some of the troubleshooting steps mentioned for the FGFM protocol?

What are some of the troubleshooting steps mentioned for the FGFM protocol?

DO NOT REPRINT

VIRTUAL LAB BASICS ...................................................................................6

Transferring Files to the VM ................................................................................................. 11

Using HTML5 Instead of Java .............................................................................................. 11

Screen Resolution ................................................................................................................ 12

International Keyboards ....................................................................................................... 12

Troubleshooting Tips ............................................................................................................ 13

SYSTEM SETTINGS .......................................................................................15

Lab 1: FortiManager System Settings .................................................................................. 15

Exercise 1 FortiManager Initial System Settings .................................................................. 16

Exercise 2 Configuring ADOMs ............................................................................................ 19

Exercise 3 Backup and Restore ........................................................................................... 24

DEVICE MANAGER ........................................................................................28

Lab 1: Device Manager ........................................................................................................ 28

Exercise 1 Adding FortiGate Devices ................................................................................... 29

Exercise 2 Configuring Managed Devices ............................................................................ 42

POLICY & OBJECTS ......................................................................................52

Lab 1: Policy &Objects ......................................................................................................... 52

Exercise 1 Import Policy and ADOM Revisions .................................................................... 53

Exercise 2 Creating and assigning header policy from Global ADOM.................................. 58

Exercise 3 Creating a common Policy Package for multiple devices ................................... 62

Exercise 4 Policy & Device IPsec VPN Configuration .......................................................... 80

ADDITIONAL SYSTEM SETTINGS ....................................................................89

Lab1: Additional System Settings ......................................................................................... 89

Exercise 1: FortiGuard troubleshooting commands and firmware upgrade .......................... 90

APPENDIX A: ADDITIONAL RESOURCES........................................................93

APPENDIX B: PRESENTATION SLIDES ...........................................................94

Introduction to FortiManager ................................................................................................ 95

System Settings ................................................................................................................... 122

Policy & Objects ................................................................................................................... 233

Additional System Settings ................................................................................................... 292

FortiManager Student Guide 6

FortiManager Student Guide 7

FortiManager Student Guide 8

FortiManager Student Guide 9

FortiManager Student Guide 10

Transferring Files to the VM

Using HTML5 Instead of Java

FortiManager Student Guide 11

FortiManager Student Guide 12

FortiManager Student Guide 13

 Prepare your computer's settings:

 To retry immediately, go to the console and enter the CLI command:

FortiManager Student Guide 14

FortiManager Student Guide 15

get system status

show system interface

show system route

execute ping 4.2.2.2

FortiManager Student Guide 16

Leave all other settings at their defaults.

Enabling FortiAnalyzer feature set

FortiManager Student Guide 17

Click Ok on the pop up.

Click OK and again OK to save the changes.

FortiManager Student Guide 18