DO NOT REPRINT © FORTINET
FortiManager Lab Guide for FortiManager 5.4.2
Last Updated: 4 May 2017
We would like to acknowledge the following major contributors: Simon Cao and Claudio Capone.

Fortinet®, FortiGate®, and FortiGuard® are registered trademarks of Fortinet, Inc. in the U.S. and other jurisdictions, and other Fortinet names herein may also be trademarks, registered or otherwise, of Fortinet. All other product or company names may be trademarks of their respective owners. Copyright © 2002 - 2017 Fortinet, Inc. All rights reserved. Contents and terms are subject to change by Fortinet without prior notice. No part of this publication may be reproduced in any form or by any means or used to make any derivative such as translation, transformation, or adaptation without permission from Fortinet, Inc., as stipulated by the United States Copyright Act of 1976.
Contents

VIRTUAL LAB BASICS ..... 9
  Network Topology ..... 9
  Lab Environment ..... 9
  System Checker ..... 10
  Logging In ..... 11
  Disconnections/Timeouts ..... 15
  Transferring Files to the VM ..... 15
  Screen Resolution ..... 15
  International Keyboards ..... 16
  Student Tools: View Broadcast and Raise Hand ..... 16
  Troubleshooting Tips ..... 17

LAB 1—INITIAL CONFIGURATION ..... 19
  Objectives ..... 19
  Time to Complete ..... 19
  Prerequisites ..... 19
  1 Examining Initial Configuration ..... 22
    Examine Initial Configuration Through the CLI ..... 22
    Examine Initial Configuration Through the GUI ..... 25
  2 Enabling FortiAnalyzer Features on FortiManager ..... 28

LAB 2—ADMINISTRATION AND MANAGEMENT ..... 30
  Objectives ..... 30
  Time to Complete ..... 30
  1 Configure Administrative Domain (ADOMs) ..... 31
    Enabling ADOMs ..... 31
    Viewing ADOM Information ..... 32
    Configuring ADOM ..... 33
  2 Creating and Assigning Administrators ..... 36
    Testing Administrator Privileges ..... 37
    Restricting Administrator Access Using Trusted Host ..... 38
    Testing the Restricted Administrator Access ..... 39
  3 ADOM Locking (Workspace Mode) ..... 41
    ADOM Locking (Workspace Mode) ..... 41
  4 Backup and Restore ..... 43
    Backing up FortiManager Configuration ..... 43
    Restore FortiManager Configuration ..... 44
  5 Monitoring Alerts and Event Logs ..... 46
    Offline Mode ..... 46
    Viewing Alerts and Event Logs ..... 47

LAB 3—DEVICE REGISTRATION ..... 50
  Objectives ..... 50
  Time to Complete ..... 50
  1 Configuring System Templates ..... 51
    Configuring System Templates ..... 51
    Disabling ADOM Locking (Workspace Mode) ..... 53
  2 Registering a Device to FortiManager ..... 55
    Reviewing Central Management Configuration on Local-FortiGate ..... 55
    Enabling Real-Time Debug ..... 56
    Adding Local-FortiGate Using the Add Device Wizard ..... 56
    Viewing the Local-FortiGate Policy Package ..... 60
    Importing System Template Settings From FortiGate ..... 62
    Adding Remote-FortiGate Using the Add Device Wizard ..... 64

LAB 4—DEVICE LEVEL CONFIGURATION AND INSTALLATION ..... 67
  Objectives ..... 67
  Time to Complete ..... 67
  1 Understanding Managed Device Status ..... 68
  2 Install System Template Changes to Managed Devices ..... 73
    Installing System Templates ..... 73
    Checking Managed Device Status ..... 75
    Viewing Pushed Configuration on the FortiGate ..... 77
  3 Auto Update and Revision History ..... 79
    Making Direct Changes on Local-FortiGate ..... 79
    Making Direct Changes on Remote-FortiGate ..... 80
    Viewing Auto Update and Revision History ..... 80
    Viewing the Install Log ..... 82
    Viewing Auto Update, Revision History, and Install Log for Remote-FortiGate (Optional) ..... 83
    Log View ..... 83
    Task Manager ..... 84
  4 Configuring Device Level Changes ..... 87
    Changing Managed FortiGate Interface Settings ..... 87
    Filtering Devices Based on Their Statuses ..... 89
    Configuring the Administrator Account ..... 90
  5 Installing Configuration Changes ..... 93
    Viewing the Install Preview ..... 93
    Install Wizard ..... 94
    Revision Diff ..... 96
  6 Scripts ..... 100
    Enabling the Script Feature ..... 100
    Configuring Scripts ..... 101
    Running and Installing Scripts ..... 102

LAB 5—POLICY & OBJECTS ..... 106
  Objectives ..... 106
  Time to Complete ..... 106
  1 Import Policy and ADOM Revisions ..... 107
    Import Policy ..... 107
    Creating ADOM Revisions ..... 109
  2 Workflow Mode ..... 111
  3 Creating and Assigning Header Policies in the Global ADOM ..... 121
  4 Creating a Common Policy for Multiple Devices ..... 126
    Dynamic Mappings - Address Objects ..... 126
    Dynamic Mappings - Interfaces and Zones ..... 128
    Creating a Common Policy Package ..... 132
    Configuring an Installation Target and Install On ..... 136

LAB 6—VPN ..... 142
  Objectives ..... 142
  Time to Complete ..... 142
  1 Configuring IPsec VPN ..... 143
    Configuring IPsec Phase I and Phase II ..... 143
    Configuring Static Route ..... 146
    Configuring IPsec Phase I and Phase II ..... 146
    Configuring Static Route ..... 148
    Installing device-level configuration changes ..... 149
    Creating firewall policies for IPsec VPN ..... 151
    Installing Training Policy Package ..... 153
    Testing IPsec VPN ..... 153

LAB 7—DIAGNOSTICS AND TROUBLESHOOTING ..... 155
  Objectives ..... 155
  Time to Complete ..... 155
  Prerequisites ..... 155
  1 Diagnose and Troubleshoot Install Issues ..... 159
    Viewing the Installation Preview ..... 159
    Viewing the DNS Configuration ..... 161
    Installing Device-Level Configuration Changes ..... 163
  2 Troubleshoot Policy Import Issues ..... 167
    Viewing the Policy Package and Objects ..... 167
    Reviewing Policies and Objects Locally on the Remote-FortiGate ..... 168
    Importing a Policy Package ..... 168
    Check the Impact of Partial Policy Import (Optional) ..... 171
    Fixing a Partial Policy Import Issue ..... 173

LAB 8—ADVANCED CONFIGURATION ..... 177
  Objectives ..... 177
  Time to Complete ..... 177
  1 FortiGuard Management ..... 178
    Diagnosing FortiGuard Issues ..... 179
  2 Upgrading FortiGate Firmware Using FortiManager ..... 181
Virtual Lab Basics

In this class, you will use a virtual lab for hands-on exercises. This section explains how to connect to the lab and its virtual machines. It also shows the topology of the virtual machines in the lab.

Note: If your trainer asks you to use a different lab, such as devices physically located in your classroom, ignore this section. It applies only to the virtual lab accessed through the Internet. If you do not know which lab to use, ask your trainer.
Lab Environment

Fortinet's virtual lab for hands-on exercises is hosted in remote datacenters that give each student their own training lab environment, called a point of delivery (PoD).
System Checker
Before starting any class, check that your computer can connect to the remote datacenters. The System Checker verifies that your network connection and your web browser are suitable for connecting to the virtual lab. You do not have to be logged in to the lab portal to run the System Checker.
1. Click the System Checker URL for your region:

   AMER - North and South America:
   https://remotelabs.training.fortinet.com/training/syscheck/?location=NAMWest

   EMEA - Europe, Middle East and Africa:
   https://remotelabs.training.fortinet.com/training/syscheck/?location=Europe

   APAC - Asia and Pacific:
   https://remotelabs.training.fortinet.com/training/syscheck/?location=APAC
If your computer can connect to the virtual lab, the Browser Check and the Network Connection Check each display a check mark icon, and you can proceed to log in. If either test fails:

Browser Check: a failure here affects your ability to access the virtual lab environment.
Network Connection Check: a failure here affects the usability of the virtual lab environment.

For solutions, click the Support Knowledge Base link or ask your trainer.
Logging In
Once you confirm your system can successfully run the labs through System Checker, you can proceed to log in.
1. With the user name and password provided by your trainer, you can either log in from the Login link at the bottom of the System Checker result, or log in at the virtual lab URL provided by your trainer:

   https://remotelabs.training.fortinet.com/
https://virtual.mclabs.com/
2. If prompted, select the time zone for your location, and then click Update. This ensures that your class schedule is accurate.
3. Click Enter Lab.
Your system dashboard appears, listing the virtual machines according to your lab topology.

4. From this page, open a connection to any virtual appliance by doing one of the following:
   - click the device's square (thumbnail), or
   - select Open from the System drop-down list associated with the VM you want to access.
Note: Follow the same procedure to access any of your virtual devices.

A new web browser tab opens, granting you access to the virtual device. When you open a VM, your browser uses HTML5 to connect to it. Depending on the virtual machine you select, the web browser provides access to either a text-based CLI or the GUI.
Connections to the Local-Windows VM use a Remote Desktop-like GUI. The web-based connection should log in automatically and then display the Windows desktop. For most lab exercises, you will connect to this Local-Windows VM.

Disconnections/Timeouts

If your computer's connection with the virtual machine times out, or if you are accidentally disconnected, return to the initial window or tab that contains your session's list of VMs and open the VM again to regain access. If that does not succeed, see the Troubleshooting Tips section of this guide.

Transferring Files to the VM

If you store files in a cloud service such as Dropbox or SugarSync, you can use the web browser to download them to your Local-Windows VM. From there, if required, you can use a web browser to upload them through the GUI of the Fortinet VMs. When connecting to a VM, your browser opens a display in a new applet window.

Screen Resolution

Some Fortinet devices' user interfaces require a minimum screen size. To configure screen resolution in the HTML5 client, open the System menu.
International Keyboards

If characters in your language do not display correctly, the keyboard mapping may be wrong. To fix this, open the Keyboard menu at the top of the tab of any GUI-based VM, and choose to display an on-screen keyboard.

Student Tools: View Broadcast and Raise Hand

Your instructor can broadcast their lab systems so that students can watch an ongoing task in real time. When an instructor begins a broadcast, you receive an alert at the top of all open lab pages. To accept and view the broadcast, either click the notification message or click View Broadcast in the left side panel. If you have a question or an issue, use the Raise Hand tool; your instructor is notified and will assist you.
Troubleshooting Tips

Do not connect to the virtual lab environment through Wi-Fi, 3G, VPN tunnels, or other low-bandwidth or high-latency connections. For best performance, use a stable broadband connection such as a LAN.

Prepare your computer's settings by disabling screen savers and changing the power-saving scheme so that your computer stays on and does not sleep or hibernate.

If you are disconnected unexpectedly from any of the virtual machines (or from the virtual lab portal), try to reconnect. If you cannot reconnect, notify the instructor.

If you cannot connect to a VM, you can force the VM to restart from its icon by clicking System > Power Cycle. This fixes most problems. If that does not solve the problem, revert the VM to its initial state with System > Revert to Initial State.

Note: Reverting to the VM's initial snapshot discards all of your work. Try the other solutions first.
If during the labs, particularly when reloading configuration files, you see a license message similar to the exhibit below, the VM is waiting for a response from the authentication server. To retry immediately, go to the console and enter the CLI command:

exec update-now
Lab 1—Initial Configuration
In this lab, you will examine the network settings of FortiManager from the CLI and GUI. You will also enable the FortiAnalyzer feature set on FortiManager, which can be used for logging and reporting.
Objectives

- Examine initial system settings, including network and time settings
- Enable FortiAnalyzer features on FortiManager

Time to Complete

Estimated: 20 minutes
Prerequisites

Before beginning this lab, you must update the firmware and restore the initial configurations on Local-FortiGate and Remote-FortiGate. This lab environment is also used for FortiGate 5.4.1 training and initializes in a different state than FortiManager 5.4.2 training requires.
1. From the Local-Windows VM, open a browser and log in as admin (blank password) to the Local-FortiGate GUI at 10.0.1.254.
2. Go to the Dashboard, and from the System Information widget, click Update.
3. Click Upload Firmware.
4. Browse to Desktop > Resources > FortiManager > Introduction and select FGT_VM64-v5build1100-FORTINET.out.
5. Click Upgrade. The system reboots.
6. Once rebooted, log in as admin and confirm that the firmware version in the System Information widget shows v5.4.2, build1100 (GA).
7. Open another browser tab and log in as admin (blank password) to the Remote-FortiGate GUI at 10.200.3.1.
8. Repeat the procedure to update the firmware on Remote-FortiGate.
Next, restore the initial configuration on both FortiGates.

1. Return to the Local-FortiGate GUI at 10.0.1.254.
2. Go to the Dashboard, and from the System Information widget, click Restore.
3. Select to restore from Local PC and click Upload.
4. Browse to Desktop > Resources > FortiManager > Introduction and select local-initial5.4.2.conf.
5. Click OK.
6. Click OK. The system reboots.
7. Once rebooted (you must wait until Local-FortiGate has rebooted), return to the Remote-FortiGate GUI at 10.200.3.1.
8. Repeat the same procedure to restore the system configuration on Remote-FortiGate, but select remote-initial-5.4.2.conf from the Introduction folder.
9. Once rebooted, close the browser tabs for both FortiGates.
1 Examining Initial Configuration

FortiManager is preconfigured with initial network settings. In this exercise, you will explore the FortiManager basic configuration settings from the GUI and the CLI.

Examine Initial Configuration Through the CLI

You will start by accessing FortiManager through the CLI to examine the initial configuration.
1. In Local-Windows, open PuTTY and connect to the FORTIMANAGER saved session (connect over SSH).
2. At the login prompt, enter the username admin (all lower case).
3. Enter the following command to display basic status information about FortiManager:

# get system status

   Answer the following from the output:
   - What is the firmware version? Knowing your FortiManager firmware version is important, because it determines which Fortinet products, and which of their firmware versions, FortiManager can manage.
   - What is the administrative domain configuration? By default, administrative domains (ADOMs) are disabled.
   - What is the time zone? The system time on FortiManager and on all registered devices must be synchronized for tunnel negotiation and for logging (if the FortiAnalyzer feature is used).
   - What is the license status? FortiManager requires a valid license to continue managing devices.
4. Enter the following command to display the FortiManager interface configuration:

# show system interface

   Answer the following from the output:
   - What is the IP address of port1? port1 is the management interface, and its IP address is the one you use to reach FortiManager.
   - What administrative access protocols are configured for port1? This helps you troubleshoot access issues. For example, this PuTTY session could not connect if SSH were not enabled.
   - What is configured for service access? If devices are configured to use FortiManager as their local FDS server, service access allows FortiManager to respond to FortiGuard queries from those devices.
   - What is the IP address of port2? According to the network topology diagram, port2 carries the traffic between Remote-FortiGate and FortiManager, so Remote-FortiGate connects to FortiManager using the port2 IP address.
   - What administrative access protocols are configured for port2? An interface that is reachable from outside the management network should allow only the protocols you actually need.
5. Enter the following command to display the DNS settings:

# show system dns

   - What are the primary and secondary DNS settings? By default, FortiManager uses the FortiGuard DNS servers.
6. Enter the following commands to display the NTP settings:

# get system ntp

   - Is NTP enabled? NTP is recommended on FortiManager and on all registered devices so that the FortiGate-FortiManager tunnel establishes correctly.
   - How often does FortiManager synchronize its time with the NTP server?

# show system ntp

   - What server is configured for NTP? By default, Fortinet servers are configured.
7. Enter the following command to display the FortiManager routing configuration:

# show system route

   - What is the gateway route associated with port2? According to the network topology diagram, this IP address is the default route to the Internet.
8. To test basic network connectivity, and to confirm that the default route to the Internet works, ping 8.8.8.8 (a highly available public IP address):

# execute ping 8.8.8.8

   The packets should be transmitted successfully.
9. Close your PuTTY session.
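The questions in steps 3 and 4 can also be answered programmatically. The following Python script is an added example and is not part of this lab guide or of any Fortinet tool: it parses the key/value layout of get system status and the config/edit/set layout of show system interface, reports the firmware version, and flags the findings a reviewer would care about (missing license, ADOMs still disabled, cleartext administrative protocols such as HTTP or Telnet allowed on a port, SSH missing). The two sample outputs embedded in the script are constructed to follow the FortiManager CLI layout, not captured from the lab; the build number, serial number, and the port2 address are assumptions (the guide only gives port1 = 10.0.1.241).

```python
"""Added example (not from the lab guide): parse FortiManager CLI output and
run the checks this exercise asks about. Sample outputs are constructed."""
import re

# Constructed sample of `get system status`. Build and serial are assumed.
SAMPLE_STATUS = """\
Platform Type                   : FMG-VM64
Version                         : v5.4.2-build1151 (GA)
Serial Number                   : FMG-VM0000000000
Hostname                        : FortiManager
Admin Domain Configuration      : Disabled
HA Mode                         : Stand Alone
Current Time                    : Thu May 04 10:00:00 PDT 2017
Time Zone                       : (GMT-8:00) Pacific Time (US & Canada).
License Status                  : Valid
"""

# Constructed sample of `show system interface`. The port2 address is assumed.
SAMPLE_INTERFACES = """\
config system interface
    edit "port1"
        set ip 10.0.1.241 255.255.255.0
        set allowaccess ping https ssh http
        set serviceaccess fgtupdates webfilter-antispam
    next
    edit "port2"
        set ip 10.200.3.241 255.255.255.0
        set allowaccess ping https ssh telnet
        set serviceaccess fgtupdates
    next
end
"""

# Administrative protocols that send credentials in cleartext.
CLEARTEXT_ADMIN = {"http", "telnet"}


def parse_status(text):
    """Turn the `key : value` lines of `get system status` into a dict.
    Split on the first colon only, so timestamps and GMT offsets survive."""
    status = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        status[key.strip()] = value.strip()
    return status


def parse_interfaces(text):
    """Parse `show system interface` into
    {port: {"ip": str, "allowaccess": set, "serviceaccess": set}}."""
    interfaces = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'edit "([^"]+)"', line)
        if m:
            current = m.group(1)
            interfaces[current] = {"ip": None, "allowaccess": set(), "serviceaccess": set()}
            continue
        if line == "next":
            current = None
            continue
        if current is None or not line.startswith("set "):
            continue
        parts = line.split()
        if parts[1] == "ip" and len(parts) >= 3:
            interfaces[current]["ip"] = parts[2]  # drop the netmask
        elif parts[1] in ("allowaccess", "serviceaccess"):
            interfaces[current][parts[1]] = set(parts[2:])
    return interfaces


def firmware_version(status):
    """Return the vX.Y.Z part of the Version line, e.g. 'v5.4.2'."""
    m = re.match(r"(v\d+\.\d+\.\d+)", status.get("Version", ""))
    return m.group(1) if m else None


def audit(status, interfaces):
    """Return the findings a reviewer would raise from this exercise's output."""
    findings = []
    if status.get("License Status") != "Valid":
        findings.append("license: not valid; FortiManager will stop managing devices")
    if status.get("Admin Domain Configuration") == "Disabled":
        findings.append("adom: disabled (default); enable before per-tenant administration")
    for name, iface in sorted(interfaces.items()):
        for proto in sorted(iface["allowaccess"] & CLEARTEXT_ADMIN):
            findings.append(f"{name}: cleartext admin protocol '{proto}' enabled on {iface['ip']}")
        if "ssh" not in iface["allowaccess"]:
            findings.append(f"{name}: ssh not allowed; a PuTTY session to this port would fail")
    return findings


if __name__ == "__main__":
    status = parse_status(SAMPLE_STATUS)
    ifaces = parse_interfaces(SAMPLE_INTERFACES)
    print("firmware:", firmware_version(status))
    for finding in audit(status, ifaces):
        print("-", finding)
```

To use it against a real device, paste the output of the two commands from your PuTTY session in place of the constructed samples. On the samples above, the audit reports that ADOMs are disabled, that HTTP is allowed on port1, and that Telnet is allowed on port2; the license line produces no finding because it is Valid.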
Examine Initial Configuration Through the GUI
You will now log in to the FortiManager device using the GUI to examine initial configuration.
1. From the Local-Windows VM, open a browser and log in as admin to the FortiManager GUI at 10.0.1.241. Accept the self-signed certificate or add a security exception if a security alert appears.

   Note: All the lab exercises were tested with Mozilla Firefox in the Local-Windows VM and Remote-Windows VM. For consistent results, use Firefox in this virtual environment.
2. Click System Settings. The dashboard shows the FortiManager widgets, which display information such as System Information, License Information, System Resources, and more.
3. Examine the System Information and License Information widgets. They display the same information as the CLI command get system status:
   - Firmware version
   - Administrative Domain status
   - System time and time zone
   - License status (VM)
4. From the System Information widget, edit the System Time to view the NTP information.
This displays the same information available from the CLI commands get system ntp and show system ntp.
Note: You will be managing Local-FortiGate and Remote-FortiGate from FortiManager, which are configured with the same time zone and NTP server.
5.
From the left menu, click Network. This page displays information about the port1 management interface, including the IP address, administrative access protocols, service access, and DNS information. This displays the same information available from the CLI commands show system interface and show system dns.
Note: The fgtupdates and fclupdates settings in the CLI are equivalent to FortiGate Updates in the GUI. The webfilter-antispam setting in the CLI is equivalent to Web Filtering in the GUI.
6.
Click All Interfaces to view the configuration of all interfaces.
7.
On the left menu, click Network, and from the main window, click Routing Table. This page displays the network gateway and associated interface. This displays the same information available from the CLI command show system route.
1—Initial Configuration, Exercise 2: Enabling FortiAnalyzer Features on FortiManager
FortiManager can be used as a logging and reporting device by enabling FortiAnalyzer features on FortiManager. Remember that FortiManager has logging rate restrictions compared to FortiAnalyzer. In this exercise, you will enable FortiAnalyzer features on FortiManager, so that FortiManager can be used for logging and reporting once the FortiGate devices are added.
1.
From the Local-Windows VM, open a browser and log in as admin to the FortiManager GUI at 10.0.1.241. Notice the default panes available on FortiManager. It doesn’t have panes related to FortiAnalyzer features.
2.
Click System Settings.
3.
Under the System Information widget, turn on FortiAnalyzer Features.
4.
Click OK. FortiManager will reboot to initialize the FortiAnalyzer features and apply the changes.
5.
Wait for FortiManager to reboot and then log in as admin to the FortiManager GUI at 10.0.1.241.
You will notice that after enabling FortiAnalyzer features, there are more panes related to logging and reporting: FortiView, Log View, Event Management, and Reports.
2—Administration and Management
In this lab, you will configure administrative domains (ADOMs) and an administrator. You will also restrict administrator access based on administrator profile, trusted hosts, and ADOMs. Then, you will enable ADOM locking, which disables concurrent access to the same ADOM. Additionally, the lab will guide you through how to properly back up and restore the FortiManager configuration, view alert messages in the Alert Message Console, and view event logs.
Enable ADOMs and configure a new ADOM
Configure an administrator and restrict access to a newly created ADOM
Enable ADOM locking
Backup FortiManager, restore the backup and disable offline mode
Read entries in the alert message console and view event logs
Estimated: 45 minutes
2—Administration and Management, Exercise 1: Configure Administrative Domain (ADOMs)
ADOMs group devices for administrators to monitor and manage. The purpose of ADOMs is to divide the administration of devices and control (restrict) access. In this exercise, you will enable and configure ADOMs.
ADOMs are not enabled by default and can only be enabled by the admin administrator, or an administrator with the Super_User access profile. You will now enable ADOMs on FortiManager.
1.
From the Local-Windows VM, open a browser and log in as admin to the FortiManager GUI at 10.0.1.241.
2.
Click System Settings. Notice there is no All ADOMs tab below Dashboard prior to enabling Administrative Domain.
3.
Under the System Information widget, turn on Administrative Domain.
4.
Click OK. You will be logged out from FortiManager.
Before creating new ADOMs, you should be aware of what ADOM types are available to you. You will view ADOM information through both the GUI and the CLI.
1.
Log back in as admin to the FortiManager GUI at 10.0.1.241.
2.
Select the root ADOM.
3.
Click System Settings.
4.
From the left menu, click All ADOMs. Note that this page is only available when ADOMs are enabled. This page lists all available ADOMs and lists any devices added to those ADOMs.
5.
Still working from the Local-Windows VM, open PuTTY and connect to the FORTIMANAGER saved session (connect over SSH).
6.
Log in as admin and execute the following command to view what ADOMs are currently enabled on FortiManager and the type of device you can register to each ADOM: Note: The CLI output formatting is easier to read if you maximize your PuTTY window. If you've already executed the command, once the window is maximized, press the up arrow to show the last command you entered and press Enter to re-run it.
# diagnose dvm adom list
As you can see, there are 13 ADOMs that FortiManager supports, each associated with different devices along with their supported firmware versions.
7.
Close your PuTTY session.
When ADOMs are enabled, by default, the FortiManager will create ADOMs based on supported device types. The root ADOM is based on the FortiGate ADOM type. When creating a new ADOM, you must match the device type. For example, if you want to create an ADOM for a FortiGate, you must select FortiGate as the ADOM type. With FortiGate ADOMs specifically, you must also select the firmware version of the FortiGate device. Different firmware versions have different features, and therefore different CLI syntax. Your ADOM setting must match the device's firmware. You will now create and configure a new ADOM.
1.
Still logged in the FortiManager GUI, click All ADOMs.
2.
Click Create New.
3.
Configure the following:
Field    Value
Name     My_ADOM
Type     FortiGate and 5.4
Your configuration should look like this:
4.
Click Select Device. If you had any devices registered to FortiManager, you could select your device and add it to the ADOM at this time. However, in this lab, you have not yet registered any devices, so the list is empty.
5.
Leave other settings at their defaults and click OK. You should observe a list of predefined ADOMs, including your new ADOM.
Tip: You can switch between ADOMs within the GUI. You do not have to log out and log back in. To switch within the GUI, click ADOM in the top right of the GUI. Your administrator privileges determine which ADOMs you have access to.
2—Administration and Management, Exercise 2: Creating and Assigning Administrators
In this lab, you will create an administrative user with restricted access permissions. In an active deployment scenario, having more than one administrative user makes administering the network easier, especially if users are delegated specific administrative roles, or confined to specific areas within the network. In a multi-administrator environment, you also want to ensure every administrator has only those permissions necessary to do their particular job.
1.
From the Local-Windows VM, open a browser and log in as admin to the FortiManager GUI at 10.0.1.241.
2.
Click root.
3.
Click System Settings.
4.
Click Admin > Administrators.
5.
Click Create New.
6.
Configure the following:
Field                    Value
User Name                student
Admin Type               LOCAL
New Password             fortinet
Confirm Password         fortinet
Admin Profile            Standard_User
Administrative Domain    Specify
Click to Select ADOMs…   My_ADOM
Your configuration should look like this:
Note: FortiManager comes preinstalled with four default profiles that you can assign to other administrative users. Alternatively, you can create your own custom profile. In this lab, we have assigned the preconfigured Standard_User profile to the newly created student administrator. The Standard_User profile provides read and write access to all device privileges, but not to the system privileges.
7.
Leave other settings at their defaults and click OK.
8.
Click admin.
9.
Click Log Out.
You will now log in to FortiManager with the newly created administrator (student) and test the administrator privileges.
1.
Log in to the FortiManager GUI at 10.0.1.241 with username student and password fortinet. You will be limited to the My_ADOM administrative domain. Also, there are no System Settings and FortiGuard tabs.
This shows how you can control or restrict administrator access based on administrative profiles and ADOMs.
You will now restrict access to FortiManager by configuring a trusted host for the administrator accounts. Only administrators connecting from a trusted subnet will be able to access the FortiManager.
1.
In the FortiManager GUI, log out of the student account's GUI session.
2.
Log in as admin.
3.
Click root.
4.
Click System Settings.
5.
Go to Admin > Administrators.
6.
Edit the student account.
7.
Turn ON Trusted Hosts.
8.
Set Trusted IPv4 Host 1 to 10.0.1.0/24.
9.
Click OK at the bottom to save the changes.
In this procedure, you will confirm that administrators outside the subnet 10.0.1.0/24 cannot access FortiManager.
1.
From the Remote-Windows VM, open a browser and go to https://10.200.1.241.
2.
Try to log in with username student and password fortinet to the FortiManager GUI. What is the result? Because you are trying to connect from the 10.0.2.10 IP address, your login authentication will fail. This is because you restricted logins to only the source IP addresses in the list of trusted hosts.
Note: The IP address specified in the URL here is not the same as the one used previously, because now the FortiManager is being accessed from a device that is in a different part of the network (see Network Topology). As such, we are now connecting to the port2 interface of the FortiManager device.
3.
Go back to the Local-Windows.
4.
You should still be logged in as admin to the FortiManager GUI. Edit the student account.
5.
Toggle Trusted Host to OFF.
6.
Click OK. This allows the administrative user to log in from any IP and subnet.
7.
Next, switch back to Remote-Windows and attempt to log in to the FortiManager GUI again with username student and password fortinet. This time, you should gain access because we just turned off the requirement to log in from a trusted host.
8.
Log out from FortiManager.
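As an added illustration (not FortiManager's own code), the following Python model shows how the trusted-host restriction from this exercise decides a login: the subnet 10.0.1.0/24 and the Remote-Windows address 10.0.2.10 are the lab's values, while the Local-Windows address 10.0.1.10 and all class and function names are assumptions.

```python
"""Trusted-host check for FortiManager administrator logins.

Added illustration written for this lab; it is not FortiManager's code. It
models only what the exercise above demonstrates: with Trusted Hosts ON, a
login is accepted only when the source address falls inside one of the
configured trusted subnets, and with Trusted Hosts OFF any source is accepted.
Subnet 10.0.1.0/24 and the Remote-Windows address 10.0.2.10 are the lab's
values; the Local-Windows address 10.0.1.10 and all names are assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass
class AdminAccount:
    """Subset of an administrator record relevant to the trusted-host check."""
    username: str
    trusted_hosts_enabled: bool = False
    # Trusted IPv4/IPv6 hosts as CIDR strings, for example "10.0.1.0/24".
    trusted_hosts: List[str] = field(default_factory=list)


def trusted_host_check(account: AdminAccount, source_ip: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for a login attempt from source_ip.

    The credential check is out of scope; only the source-address restriction
    that the lab toggles ON and OFF for the student account is modelled.
    """
    if not account.trusted_hosts_enabled:
        return True, "trusted hosts disabled: any source address accepted"
    src = ip_address(source_ip)
    for cidr in account.trusted_hosts:
        # strict=False tolerates a prefix written with host bits set (10.0.1.10/24).
        net = ip_network(cidr, strict=False)
        if src.version == net.version and src in net:
            return True, f"{src} is inside trusted host {net}"
    return False, f"{src} is not inside any trusted host of {account.username}"


def run_lab_sequence() -> List[Tuple[str, bool]]:
    """Replay the login attempts from the exercise and return the decisions."""
    student = AdminAccount("student", trusted_hosts_enabled=True,
                           trusted_hosts=["10.0.1.0/24"])
    results = []
    # Steps 1-2: Remote-Windows (10.0.2.10) tries to log in; it is refused.
    allowed, _ = trusted_host_check(student, "10.0.2.10")
    results.append(("remote-windows, trusted hosts on", allowed))
    # Local-Windows (assumed address 10.0.1.10) is inside 10.0.1.0/24; accepted.
    allowed, _ = trusted_host_check(student, "10.0.1.10")
    results.append(("local-windows, trusted hosts on", allowed))
    # Steps 4-7: admin toggles Trusted Host OFF; Remote-Windows now succeeds.
    student.trusted_hosts_enabled = False
    allowed, _ = trusted_host_check(student, "10.0.2.10")
    results.append(("remote-windows, trusted hosts off", allowed))
    return results


if __name__ == "__main__":
    for label, allowed in run_lab_sequence():
        print(f"{label}: {'ALLOW' if allowed else 'DENY'}")
```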
2—Administration and Management, Exercise 3: ADOM Locking (Workspace Mode)
By default, multiple administrators can log in to the same ADOM at the same time, which allows concurrent access. This can cause conflicts, however, if two or more administrators try to make changes in the same ADOM at the same time. You will be enabling ADOM locking, which allows:
Disabling concurrent ADOM access
Single administrator with read/write access to the ADOM
All other administrators have read-only access to that ADOM
ADOM locking is configured from the FortiManager CLI only. Before enabling ADOM locking, ensure all FortiManager administrators are notified and asked to save their work on FortiManager, because enabling ADOM locking will terminate all management sessions. You will now be enabling ADOM locking from the FortiManager CLI.
1.
In the Local-Windows, open PuTTY and connect to the FORTIMANAGER saved session (connect over SSH).
2. At the login prompt, enter the username admin (all lower case).
3.
Enter the following commands:
config system global
    set workspace-mode normal
end
4.
From the Local-Windows VM, open a browser and login to the FortiManager GUI at 10.0.1.241 with username student and password fortinet.
5.
Click Lock on the top.
You will notice the lock status changed from unlocked to a green locked state.
6.
From the Remote-Windows VM, open a browser and go to https://10.200.1.241.
7.
Log in as admin to the FortiManager GUI. You will notice the lock status is red for My_ADOM. Hover your mouse over the red lock icon. It will tell you the name of the admin who locked this ADOM, along with the date and time.
8.
Click on My_ADOM.
9.
Click Log Out.
10. Go back to the Local-Windows and log out as student from FortiManager.
Note: If an administrator has locked one or more ADOMs and then logged out of FortiManager, all those ADOMs will be unlocked. In this example, when the student administrator locked My_ADOM and then logged out, FortiManager unlocked My_ADOM.
Caution: Always log out gracefully from FortiManager when ADOM locking is enabled. If a session is not closed gracefully (due to a PC crash or closed browser window), FortiManager will not close the admin session until it times out or the session is deleted. Until this time, the ADOM will remain in a locked state. If this situation arises and you cannot wait for the admin session to time out, then delete the session manually through the GUI or the CLI. From the GUI, click the System Information widget, and then click Current Administrators > Admin Session List.
From CLI:
2—Administration and Management, Exercise 4: Backup and Restore
In this exercise, you will back up the FortiManager configuration. In an active deployment scenario, it is a best practice to back up the device configuration prior to making any configuration changes. If the new configuration does not perform as expected, you can revert to the last known-good configuration. Likewise, during these labs, it is beneficial to have a backup of the initial configuration, should you need to roll back for any reason. Note: FortiManager configuration files are not stored in plain text like FortiGate configuration files. They are stored as .dat files, which can be uncompressed and viewed offline with archive tools such as WinRAR and tar.
You will now back up the FortiManager configuration from the GUI.
1.
From the Local-Windows VM, open a browser and log in as admin to the FortiManager GUI at 10.0.1.241.
2.
Select root.
3.
Click Lock on the top.
4.
Click System Settings.
5.
Go to System Information widget > System Configuration, and then click the backup icon.
6.
Deselect Encryption.
7.
Click OK.
8.
Select Save.
9.
Click OK.
10. Note the location of the backup file and rename this file to: lab2.dat.
11. While still on the FortiManager GUI, go to Admin > Administrator.
12. Right click student and click Delete.
13. Click OK.
There are a few options when restoring a FortiManager configuration:
Overwrite current IP, routing, and HA settings: By default, this option is enabled. If FortiManager has an existing configuration, restoring a backup will overwrite everything, including the current IP, routing, and HA settings. If you disable this option, FortiManager will still restore the configurations related to device information and global database information, but will preserve the basic HA and network settings.
Restore in Offline Mode: By default, this is enabled and grayed out; you cannot disable it. While restoring, FortiManager temporarily disables the communication channel between FortiManager and all managed devices. This is a safety measure in case any of the devices are being managed by another FortiManager. To re-enable the communication, disable Offline Mode.
1.
Still logged in the FortiManager GUI, click Dashboard.
2.
Go to System Information widget > System Configuration, and then click the restore icon.
3.
Click Browse.
4.
Select your backup file lab2.dat.
There is no password to enter because the file was not encrypted.
5.
Leave Overwrite current IP, routing and HA settings enabled.
6.
Click OK. It will reboot FortiManager.
7.
Wait for FortiManager to reboot, and then log in as admin to the FortiManager GUI at 10.0.1.241.
8.
Select root.
9.
Click Lock on the top.
10. Click System Settings.
11. Go to Admin > Administrator. The student administrator account will show there.
12. Log out from FortiManager.
2—Administration and Management, Exercise 5: Monitoring Alerts and Event Logs
In this exercise, you will view the alerts from the alert console widget and view the event logs. You will also configure filter options to locate specific logs. First, you will disable offline mode, which is enabled by default when FortiManager backup is restored.
You will disable offline mode on FortiManager.
1.
From the Local-Windows VM, open a browser and log in as admin to the FortiManager GUI at 10.0.1.241.
2.
Select root.
3.
Click Lock on the top. On the top bar you should observe that FortiManager is in Offline Mode.
4.
Click System Settings.
5.
Go to Advanced > Advanced Settings.
6.
Select Disable for Offline Mode.
7.
Click Apply.
You will notice that the Offline Mode message disappears. At this point, FortiManager can establish a management connection with the managed devices.
You will now view the alerts on the Alert Message Console and logs under Event Logs.
1.
Still logged in the FortiManager GUI, click Dashboard.
2.
Go to the Alert Message Console widget. You should observe that Offline mode is disabled and see Restore all settings messages, along with other alert messages.
3.
Click Event Log on the left-hand menu.
4.
Click Add Filter.
5.
Click Sub Type.
6.
Click System manager event.
7.
Click Go.
Now you will have the filtered system manager events only.
8.
You can download and/or view them in raw format.
9.
Log out of FortiManager.
3—Device Registration
In this lab, you will explore the common operations performed using the device manager. You will use the Device Manager pane to add FortiGate devices.
Create and apply system templates to your managed devices
Review central management settings on the FortiGate device
Add a device using the add device wizard
Estimated: 30 minutes
3—Device Registration, Exercise 1: Configuring System Templates
The system templates on FortiManager can be configured in advance and used to provision common system-level settings to FortiGate devices, either when adding them to FortiManager or on already managed FortiGate devices.
You will be configuring and applying system templates to the FortiGate device when adding it to FortiManager.
1.
From the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with username student and password fortinet.
2.
Click Device Manager.
3.
Click Provisioning Templates.
You will notice that you have read-only access. This is because when ADOM locking is enabled, you must lock the ADOM prior to making configuration changes.
4.
Click Lock on the top to lock My_ADOM.
5.
Under System Templates, click default.
6.
Go to the Log Settings widget and enable Send Logs to FortiAnalyzer/FortiManager.
7.
Configure the following:
Field                      Value
Specify IP Address         Select and type 10.200.1.241 (Note: This is the port2 IP address of FortiManager. Refer to the network topology for details.)
Upload Options             Realtime
Encrypt Log Transmission   Turn ON this option
Your configuration should look like this:
8.
Click Apply.
9.
Close all other widgets by clicking X and then the checkmark symbol.
Your configuration should look like this:
10. Click Save.
Note: When ADOM locking is enabled, you must save the changes in order for them to be copied to the FortiManager database.
11. Click Unlock on the top to unlock My_ADOM.
You will now disable ADOM locking because, in this practical lab, every student has dedicated ADOMs to work on.
Prior to disabling workspace mode, inform all the administrators logged into FortiManager to save their work.
1.
In the Local-Windows, open PuTTY and connect to the FORTIMANAGER saved session (connect over SSH).
2. At the login prompt, enter the username admin (all lower case).
3.
Enter the following commands, answering y at the confirmation prompt:
config system global
    set workspace-mode disabled
end
y
It will log out administrators from FortiManager, to save the changes.
3—Device Registration, Exercise 2: Registering a Device to FortiManager
There are multiple ways to add FortiGate devices to FortiManager. These include:
Use the Add Device wizard
Send a request from FortiGate to FortiManager, and then accept the request from FortiManager
Add multiple devices from the device manager
You will add the FortiGate devices using the Add Device wizard. Note: FMG-Access is enabled on both FortiGate devices on the interface facing FortiManager. It is the communication protocol used between FortiManager and the managed FortiGate devices.
Before adding FortiGate to FortiManager, you will review the central management configuration on Local-FortiGate.
1.
In the Local-Windows, open PuTTY and connect to the LOCAL-FORTIGATE saved session (connect over SSH).
2. At the login prompt, enter the username admin (all lower case).
3.
Enter the following command:
get system central-management
You should observe the following output:
Note: The serial-number is the FortiManager serial number, which is non-configurable from the FortiGate device. This setting is set by FortiManager, which is managing this device. In this case, it is empty because we have not yet added the device to FortiManager.
4.
Close the PuTTY session.
You will now enable real-time debug on FortiManager to view the real-time status when adding FortiGate to FortiManager.
1.
In the Local-Windows, open PuTTY and connect to the FORTIMANAGER saved session (connect over SSH).
2. At the login prompt, enter the username admin (all lower case).
3.
Enter the following commands:
diagnose debug reset
diagnose debug disable
diagnose debug application depmanager 0
diagnose debug application depmanager 255
diagnose debug enable
It is recommended to place this PuTTY session and the FortiManager GUI side-by-side, so that you can view the real-time debugs while adding FortiGate from the FortiManager GUI. Note the output is very verbose and you might have to scroll up or down to review the information. Alternatively, you can save the log file on your desktop and open it using a text editor, such as Notepad++.
Now, you will add Local-FortiGate to FortiManager in My_ADOM using the Add Device wizard, and you will apply the System Template created earlier.
1.
From the Local-Windows VM, open a browser and log into the FortiManager GUI at 10.0.1.241 with username student and password fortinet.
2.
Click Device Manager.
3.
Click Add Device.
4.
In the Add Device wizard, make sure the Discover radio button is selected and configure the following:
Field        Value
IP Address   10.200.1.1 (This is the port1 IP address of FortiGate)
Username     admin
5.
Leave other settings at their default values, and click Next.
6.
Review the discovered device information and compare it with the output from the FortiManager PuTTY session.
7.
You should observe the following:
8.
Hit the up arrow on your keyboard and select these commands to disable the debug. Alternatively, you can enter these commands manually.
diagnose debug application depmanager 0
diagnose debug disable
diagnose debug reset
9.
Close the PuTTY session.
10. Go back to the FortiManager GUI and click Next.
11. Ensure the Name is set to Local-FortiGate.
12. Select default from the drop-down for System Template.
13. Click Next.
14. Click Import Now.
15. Click Next.
16. In the policy package import page, complete the following:
A. Make sure the policy package name is configured as Local-FortiGate.
B. Accept the policy and object import defaults.
C. Click Next.
17. On the conflict page, click View Conflict. This will show you the details of the configuration differences between FortiGate and FortiManager.
18. Leave the default setting of FortiGate in the Use Value From column.
19. Click Next. Note the objects identified. These should be identified as duplicates, new, or updating existing FortiManager objects.
20. Click Next.
21. Click Download Import Report.
22. Open the import report in a text editor such as Notepad++.
Note: The import report download is only available on this page. As a best practice, it is recommended that you download the report and review the important information, such as which device is imported into which ADOM, as well as the name of the policy package created along with the objects imported. FortiManager imports new objects, and updates existing objects based on the option chosen on the conflict page. Duplicate objects are skipped, as FortiManager does not import duplicate entries into the ADOM database.
23. Close the text editor.
24. Click Finish. The Local-FortiGate device should now be listed in Device Manager.
25. In Local-Windows, open PuTTY and connect to the LOCAL-FORTIGATE saved session (connect over SSH).
26. At the login prompt, enter the username admin (all lower case).
27. Enter the following command:
get system central-management
You should observe the following output:
Note: The serial-number is the serial number of FortiManager, which is non-configurable from FortiGate. This has been set by FortiManager, which is managing this device. Also, the FortiManager IP address is set.
28. Close the PuTTY session.
As you have imported the policy and dependent objects for Local-FortiGate, you will be viewing the policy package created for Local-FortiGate.
1.
Still in the FortiManager GUI, click Device Manager and select Policy & Objects.
2.
You will notice that a policy package named Local-FortiGate was created when you imported firewall policies from your Local-FortiGate.
3.
Click Object Configurations at the top.
4.
Click Interface.
5.
Click on the expand arrow for any interface to view the ADOM interface mapping to device-level mappings, which were created when the device was added. These interfaces are used in policy packages to map firewall policies to interfaces on the firewall.
As Local-FortiGate is now added to FortiManager, you will import NTP server settings from Local-FortiGate. These server settings can be used by multiple FortiGate devices using this system template.
1.
Still in the FortiManager GUI, click Policy & Objects and select Device Manager.
2.
Click Provisioning Templates.
3.
Click default.
4.
Click Toggle Widgets and click NTP Server.
5.
Click the import icon.
6.
In the Import NTP Server window, select Local-FortiGate.
7.
Click OK.
You will now add Remote-FortiGate to FortiManager in My_ADOM using the Add Device wizard. You will apply the System Template to Remote-FortiGate. Also, you will import the policies and objects for Remote-FortiGate later in the training.
1.
Still logged in the FortiManager GUI, click Device & Groups.
2.
Click Add Device. Device.
3. In the Add Device wizard, make sure the Discover radio button is selected, and configure the following:

IP Address: 10.200.3.1 (this is the port4 IP address of Remote-FortiGate)
Username: admin
4. Leave the other settings at their defaults and click Next.
5. Click Next.
6. Select default from the System Template drop-down menu.
7. Click Next.
8. Click Import Later.
Remote-FortiGate should now be listed in Device Manager.

Stop and Think: Why is the Policy Package Status for Remote-FortiGate showing Never Installed?

Discussion: When Import Later is chosen in the Add Device wizard, or when an unregistered device is added to FortiManager, the Policy Package Status shows Never Installed because no policy package has yet been created for the newly added FortiGate. You will run the Import Policy wizard later in the training. If you add an unregistered device, you need to run the Import Policy wizard to import the device's firewall policy into a new policy package.
4—Device Level Configuration and Installation
In this lab, you will explore the common operations performed using Device Manager, such as configuring device-level changes, checking managed device statuses, installing configuration changes, and keeping the managed device in sync with the device database on FortiManager.

Objectives
- Understand managed device statuses on FortiManager
- Use the status information in the Configuration and Installation Status widget
- Make and install configuration changes from Device Manager
- Make configuration changes locally on FortiGate and verify that they are retrieved automatically by FortiManager
- Identify entries in the Revision History and the management action that created each new revision
- Install a large number of managed device changes using scripts

Estimated time: 70 minutes
Exercise 1: Understanding Managed Device Status
In this exercise, you will check and learn about the status of FortiGate devices on FortiManager. Depending on the configuration changes, a FortiGate device can have a different Sync Status and Device Settings Status. The Sync Status indicates whether the FortiGate's running configuration matches the latest revision in the revision history. The Device Settings Status indicates whether the configuration stored in the FortiManager device-level database matches the latest revision in the revision history.
1. From the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with username student and password fortinet.
2. Click Device Manager.

Stop and Think: Why does Config Status for the FortiGate devices show Modified?

Discussion: In the last exercise, you applied the system template to both FortiGate devices. The configuration in the FortiManager device-level database now differs from the latest revision history, which changes Config Status to Modified. The provisioning template changes need to be installed to the FortiGate devices to return them to the synchronized state.

3. Click Local-FortiGate in the left-hand menu.
4. Under the Configuration and Installation Status widget, check Device Settings Status; it should appear as Modified.
Stop and Think: If the Device Settings Status is Modified, why is the FortiGate Sync Status still showing Synchronized?
Discussion: The Device Settings Status compares the device-level database configuration with the latest revision history. Applying the system template changed the device-level database configuration, so it goes to the Modified state. The Sync Status compares the latest revision history with the actual FortiGate configuration. Because the latest revision history still matches the FortiGate configuration, the Sync Status remains Synchronized.

5. In Local-Windows, open PuTTY and connect to the FORTIMANAGER saved session (connect over SSH).
6. At the login prompt, enter the username admin (all lower case).
7. Enter the following command to display the device statuses through the CLI:

diagnose dvm device list
The output shows the serial number of the device, the connecting IP address of the device, the firmware version, the name of the device on FortiManager, and the ADOM in which the device is added.

Note: You will see FortiAnalyzer as an unregistered device because FortiAnalyzer is configured to query FortiManager for the threat intelligence database (a FortiAnalyzer feature). This is configured for the FortiAnalyzer labs, which use the same lab environment.

8. Examine the STATUS row of the diagnose dvm device list output for Local-FortiGate and Remote-FortiGate.

Data: db: Modified
What it means: Device-level configuration changes have been made from FortiManager.
Action to take: The FortiManager administrator can install the configuration changes to the managed device to return it to the unmodified state.

Data: conf: in sync
What it means: The latest revision history is in sync with the FortiGate configuration.

Data: cond: pending
What it means: Configuration changes need to be installed.
Action to take: The FortiManager administrator can install the configuration changes to the managed device to return it to the unmodified state.

Data: conn: up
What it means: The FGFM tunnel between FortiManager and FortiGate is up.

9. Close the PuTTY session.
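As an added example (not part of the lab guide or of Fortinet's tooling), the following Python script parses the STATUS lines of diagnose dvm device list output and maps the db, conf, cond and conn fields to the operator action described in the table above. The sample output embedded in the script is constructed for illustration: the field names follow the lab, but the exact column layout, the dev-db spelling and the values out of sync, OK and down are assumptions about a real FortiManager, so adjust the parser if your output differs.

```python
"""Triage managed devices from 'diagnose dvm device list' output.

Added example, not from the lab guide or Fortinet. The STATUS field names
(db, conf, cond, dm, conn) follow the lab's table; the column layout and the
values "out of sync", "OK" and "down" are assumptions about real output.
"""
import re

# Constructed sample output (assumed layout: one device line, then an indented
# "|- STATUS:" line; unregistered devices have no STATUS line).
SAMPLE_OUTPUT = """\
--- There are currently 3 devices/vdoms managed ---
TYPE            OID    SN                HA   IP            NAME              ADOM
fmgfaz-managed  152    FGVM010000000001  -    10.0.1.254    Local-FortiGate   My_ADOM
                |- STATUS: dev-db: modified; conf: in sync; cond: pending; dm: retrieved; conn: up
fmgfaz-managed  153    FGVM010000000002  -    10.200.3.1    Remote-FortiGate  My_ADOM
                |- STATUS: dev-db: not modified; conf: out of sync; cond: OK; dm: installed; conn: down
unregistered    154    FAZVM00000000001  -    10.0.1.210    FortiAnalyzer     -
"""

STATUS_RE = re.compile(r"\|-\s*STATUS:\s*(.*)$")


def parse_status(text):
    """'dev-db: modified; conf: in sync; ...' -> {'db': 'modified', 'conf': 'in sync', ...}"""
    fields = {}
    for item in text.split(";"):
        if ":" not in item:
            continue
        key, value = item.split(":", 1)
        key = key.strip().lower()
        fields["db" if key == "dev-db" else key] = value.strip().lower()
    return fields


def parse_device_list(text):
    """Return one dict per device row, with its STATUS fields (empty if none)."""
    devices, current = [], None
    for line in text.splitlines():
        m = STATUS_RE.search(line)
        if m and current is not None:
            current["status"] = parse_status(m.group(1))
            continue
        parts = line.split()
        # Device rows: TYPE OID SN HA IP NAME ADOM; banner and header lines are skipped.
        if len(parts) >= 7 and parts[1].isdigit():
            current = {"type": parts[0], "sn": parts[2], "ip": parts[4],
                       "name": parts[5], "adom": parts[6], "status": {}}
            devices.append(current)
    return devices


def recommended_actions(status):
    """Map STATUS fields to the operator action from the lab's table."""
    if not status:
        return ["no STATUS line: not a managed device (for example, unregistered)"]
    actions = []
    if status.get("conn") == "down":
        actions.append("FGFM tunnel down: restore connectivity before installing anything")
    if status.get("db") == "modified" or status.get("cond") == "pending":
        actions.append("install device settings from FortiManager (Install Wizard)")
    if status.get("conf") == "out of sync":
        actions.append("running config differs from latest revision: retrieve or wait for auto update, then check Revision Diff")
    return actions or ["no action: device database, revision history and running config agree"]


def triage(text):
    """Device name -> list of recommended actions, for the whole CLI output."""
    return {d["name"]: recommended_actions(d["status"]) for d in parse_device_list(text)}


if __name__ == "__main__":
    for name, actions in triage(SAMPLE_OUTPUT).items():
        print(f"{name}:")
        for action in actions:
            print(f"  - {action}")
```

Pipe the real output in over SSH (for example, `ssh admin@10.0.1.241 "diagnose dvm device list" | python3 triage.py` with the script reading stdin instead of SAMPLE_OUTPUT) to get a per-device to-do list when you manage more devices than the GUI filters comfortably show.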
Exercise 2: Install System Template Changes to Managed Devices
In the previous lab, you added the FortiGate devices to FortiManager and applied the system template. In this exercise, you will install the system template changes to both FortiGate devices, and then log in to each FortiGate locally to view those changes.
You will now install the default system template changes to Local-FortiGate and Remote-FortiGate using the Install Wizard.
1. From the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with username student and password fortinet.
2. Click Device Manager.
3. Click Install > Install Wizard.
4. In the Install Wizard, make sure Install Device Settings (only) is selected and click Next.
5. On the Device Settings page, ensure both FortiGate devices are selected.
6. Click Next.
7. Click Preview for Local-FortiGate.

This shows the changes that will be installed (applied) to the FortiGate device.

8. Click Cancel on the Install Preview page. Optionally, you can also select Preview for Remote-FortiGate.
9. Make sure both FortiGate devices are selected.
10. Click Install.
11. Once the installation is successful, click the View Log icon.
This is the install log, which shows exactly what was installed on the managed device. Here is an example for Local-FortiGate.

12. Click Close.
13. Click Finish.
You will check the managed device status after the install.
1. Still in the FortiManager GUI, check the Config Status. It should now appear as Synchronized.
2. Click Local-FortiGate in the left-hand menu.
3. Under Configuration and Installation Status, you should observe that Device Settings Status is in the Unmodified state.

This means that the FortiGate's device-level database configuration is the same as the latest revision history.

4. In Local-Windows, open PuTTY and connect to the FORTIMANAGER saved session (connect over SSH).
5. At the login prompt, enter the username admin (all lower case).
6. Enter the following command to display device statuses through the CLI:

diagnose dvm device list

You should observe the following in the output for Local-FortiGate and Remote-FortiGate.

The db status is not modified, which means that the FortiGate's device-level database configuration matches the latest revision history. The dm: installed field means that the last management action was an install performed from FortiManager.

7. Enter the following command to display the FGFM tunnel statuses:
diagnose fgfm session-list

This command shows the connecting IP of each managed device, the link-level address assigned by FortiManager, and the uptime of the FGFM tunnel between FortiGate and FortiManager.

8. Close the PuTTY session.
From FortiManager, you have installed the system template configuration on both FortiGate devices. You will now log in to the Local-FortiGate and Remote-FortiGate GUIs to view the configuration installed from FortiManager.
1. In Local-Windows, open a new browser tab and log in as admin to the Local-FortiGate GUI at 10.0.1.254.
2. Click Login Read-Only.

Note: When you connect locally to a device managed by FortiManager, you are presented with a warning message because the device is centrally managed. Use the read-write option locally on FortiGate only when it is absolutely necessary, for example when no FortiManager administrator is available to make the configuration changes and install them to the managed FortiGate devices.
3. Go to Log & Report > Log Settings. You will notice that the Remote Logging and Archiving settings are the same as the default system template entries.
4. Log out of FortiGate.
1. In Local-Windows, open a new browser tab and log in as admin to the Remote-FortiGate GUI at 10.200.3.1.
2. Click Login Read-Only.
3. Go to Log & Report > Log Settings. You will notice that the Remote Logging and Archiving settings are the same as the default system template entries.
4. Log out of FortiGate.
Exercise 3: Auto Update and Revision History
By default, configuration changes made directly on FortiGate are automatically retrieved by FortiManager and recorded in the Revision History. If required, this automatic update behavior can be disabled from the FortiManager CLI under config system admin setting, which lets the FortiManager administrator accept or refuse the configuration changes. In this exercise, you will make configuration changes directly on the FortiGate devices and verify that the changes are retrieved automatically by FortiManager. You will also review the configuration revision histories of the FortiGate devices, including revisions created by auto update and by other actions.
You will now make direct changes on Local-FortiGate.
1. In Local-Windows, open a new browser tab and log in as admin to the Local-FortiGate GUI at 10.0.1.254.
2. Click Login Read-Write.

Note: When you connect locally to a device managed by FortiManager, you are presented with a warning message because the device is centrally managed. Use the read-write option locally on FortiGate only when it is absolutely necessary, for example when no FortiManager administrator is available to make the configuration changes and install them to the managed FortiGate devices.
3. Click Yes.
4. Go to Log & Report > Log Settings.
5. Under Local Log settings, disable Enable Local Reports.
6. Click Apply.
7. Log out of FortiGate.
You will now make the same direct changes on Remote-FortiGate, repeating the steps you performed for Local-FortiGate.
1. In Local-Windows, open a new browser tab and log in as admin to the Remote-FortiGate GUI at 10.200.3.1.
2. Click Login Read-Write.
3. Click Yes.
4. Go to Log & Report > Log Settings.
5. Under Local Log settings, disable Enable Local Reports.
6. Click Apply.
7. Log out of FortiGate.
Now that you have made configuration changes locally on both FortiGate devices, you will view the auto update status on FortiManager and the configuration revision histories created by FortiManager.
1. From the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with username student and password fortinet.
2. Click Device Manager.
3. You will notice that Config Status is now in the Auto-Update state for both FortiGate devices. This confirms that the changes made locally were retrieved and backed up by FortiManager.
1. Click Local-FortiGate.
2. In the Configuration and Installation Status widget, click the Revision History icon.

You should observe three configuration revisions, though you may have more if you have made further changes:
- The first revision's Installation status should display as Retrieved, indicating that this configuration was taken from the device's running configuration when it was added to FortiManager.
- The second revision's Installation status should display as Installed, indicating that these changes were made by FortiManager to the managed device.
- The third revision's Installation status should display as Auto Updated, indicating that these changes were made locally on FortiGate and were automatically retrieved by FortiManager.
When an installation is done from FortiManager, the install log shows the name of the administrator who made the change along with the commands sent by FortiManager. If an installation fails, the install log is useful because it shows which commands were sent to, and accepted by, the managed device, as well as the commands that were rejected.
1. Still on the Configuration Revision History page, select ID 2 and then click View Install Log.

You should see the CLI commands sent by FortiManager (identical to the installation you previewed earlier) and the FortiGate responses.
2. Click Close.
Optionally, you can view the changes made to Remote-FortiGate by following the same steps.

1. Still logged in to the FortiManager GUI, click Remote-FortiGate and follow the steps from Viewing Auto Update and Revision History. For Remote-FortiGate, you will see the NTP settings pushed by FortiManager, based on the NTP settings imported into the default system template from Local-FortiGate.
Because FortiAnalyzer features are enabled on FortiManager, and both FortiGate devices are configured to send logs to FortiManager, you can view the logs for the managed devices under the Log View pane.
1. Still logged in to the FortiManager GUI, click Device Manager and select Log View.
You should see the traffic logs generated by the FortiGate device.
Task Manager provides the status of the tasks you have performed and can be used for troubleshooting various types of issues, such as adding devices, importing, and installing changes from FortiManager. You will now check the entries in Task Manager.
1. Log out of the FortiManager GUI and log back in as admin.
2. Click root.
3. Click System Settings.
4. Click Task Monitor in the left-hand menu.
This shows the tasks performed by all users.
5. Click the drop-down menu for the Install Device entry and click the View Installation Log icon for Local-FortiGate or Remote-FortiGate.
This shows the installation log corresponding to the installation that you performed earlier.

6. Click Close.
Exercise 4: Configuring Device Level Changes
The device-level settings of a managed FortiGate can be viewed and configured from the Device Manager pane. Most of these settings have a one-to-one correlation with the device configuration that you would see if you logged in locally to each FortiGate's GUI or CLI. You will now make configuration changes for the managed FortiGate devices from the Device Manager pane.
If you try to change the managed FortiGate interface used for communicating with FortiManager, FortiManager warns you that this may break communication between FortiManager and FortiGate. If there is a communication disruption between FortiManager and FortiGate during an install, FortiManager attempts to recover the connection, but doing so reverts the installation changes. You will now change the Administrative Access setting of the Remote-FortiGate port4 interface, which is the interface Remote-FortiGate uses to communicate with FortiManager.
1. From the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with username student and password fortinet.
2. Click Device Manager.
3. Click Remote-FortiGate.
4. Click System : Dashboard and then click Interface.
5. Right-click port4 and click Edit.
6. Under Administrative Access, clear the TELNET check box. Telnet carries administrator credentials in cleartext, so removing it from a management-facing interface is a sensible hardening change.
7. Click OK.

When you edit the interface with the IP address that FortiManager uses to reach the managed device, FortiManager displays a warning message.
8. Click OK.
9. Click Managed FortiGates.
Stop and Think: Why is Config Status showing the Modified (recent auto-updated) state for Remote-FortiGate?
Discussion: The Modified status means that a device-level database change has been made for Remote-FortiGate: you changed the interface configuration. The recent auto-updated status in parentheses means that the previous configuration changes were made locally on FortiGate and were auto-updated to FortiManager; you changed the logging settings locally in the previous exercise.
FortiManager allows you to filter devices based on their current status. This is very helpful when you are managing a large number of devices in the same ADOM; based on the status, the FortiManager administrator can take the appropriate action. You can filter device statuses based on:
- Connection
- Device Config (device database status)
- Policy Package (ADOM database status)
You will now filter devices based on their device config and policy package status.
1. Still logged in to the FortiManager GUI, click Managed FortiGates.
2. Click the drop-down arrow on Devices (Device Config Modified) and click Modified.

Only Remote-FortiGate is shown in the Managed FortiGates list.

3. Click the drop-down arrow on Devices (Policy Package Modified) and click Imported.
This time only Local-FortiGate is shown in the Managed FortiGates list.
You will now create a new administrator account for Local-FortiGate on FortiManager.
1. Still in the FortiManager GUI, click Local-FortiGate.
2. Click Display Options.
3. Click Customize.
4. In the System category, click Administrators.
5. Click OK.
6. Click System : Dashboard and then click Administrators.
7. Click Create New.
8. Configure the following:

Administrator: training
Type: Regular
Password: fortinet
Confirm Password: fortinet
Admin Profile: prof_admin

Your configuration should look like this:
9. Leave all other settings at their default values and click OK.
10. Click Managed FortiGates.

You will notice that Config Status has changed to Modified for Local-FortiGate. This is because you made a device-level configuration change for Local-FortiGate by configuring the administrator account.
Exercise 5: Installing Configuration Changes
You have now made configuration changes to the managed devices from FortiManager:
- For Remote-FortiGate, you changed the administrative access on port4
- For Local-FortiGate, you configured a new administrator

You will now install these changes to the managed devices using the Install wizard, and view the installation history. You will also compare the differences between revision history configurations using the Revision Diff feature.

You will first preview the install changes from the Configuration and Installation Status widget.
1. From the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with username student and password fortinet.
2. Click Device Manager.
3. Click Remote-FortiGate.
4. Under the Configuration and Installation Status widget, click Preview.
This shows the device-level configuration changes that will be installed on the managed device when FortiManager performs the device-level install.

Note: The install Preview under the Configuration and Installation Status widget shows only the device-level changes, not the changes related to policies and objects.

5. Click OK. Optionally, you can follow the same procedure to view the install Preview for Local-FortiGate.
You will now install these changes to the managed devices using the Install wizard.
1. Still logged in to the FortiManager GUI, click Install Wizard.
2. Select Install Device Settings (only).
3. Click Next.
4. On the Device Settings page, ensure both FortiGate devices are selected.
5. Click Next.
6. Click Preview for Local-FortiGate.

This shows the changes that will be installed (applied) to the FortiGate device.

7. Click Cancel on the Install Preview page. Optionally, you can also check the Preview for Remote-FortiGate.
8. Make sure both FortiGate devices are selected.
9. Click Install.
10. Once the install is successful, click the View Log icon.
This is the install log, which shows exactly what was installed on the managed device.

11. Click Close on the Install Log page.
12. Click Finish.
13. Click Managed FortiGates.

The Config Status should now be in the Synchronized state.
After every retrieve, auto update, and install operation, FortiManager stores the FortiGate's configuration checksum with the revision history. This is how the out-of-sync condition is detected. Revision Diff is a useful feature for comparing a revision against the previous revision, a specific revision, or the factory default configuration. For the output, you can choose to show the full configuration with the differences highlighted, show only the differences, or capture the differences to a script. You will now compare the differences between the latest revision and the previous revision.
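To make the checksum comparison concrete, here is an added Python model (not FortiManager code, and not from the lab guide) that keeps the three copies of a device configuration the lab refers to, the device-level database, the latest revision history entry and the FortiGate's running configuration, and derives Device Settings Status and Sync Status from checksums of each. The walkthrough replays this lab's sequence: add device, apply template, install, local change, auto update, then a new device-level edit, which is how a device ends up Modified and Synchronized at the same time. SHA-256 of the config text stands in for FortiGate's configuration checksum, the config snippets are illustrative, and the assumption that an auto update also refreshes a clean device database is mine.

```python
"""Model of FortiManager's Device Settings Status and Sync Status.

Added example, not FortiManager code. Three copies of a device's configuration
are tracked, as the lab describes: the device-level database on FortiManager,
the latest revision in the revision history, and the FortiGate's running
configuration. Each status is a checksum comparison between two of them.
SHA-256 of the config text stands in for the FortiGate configuration checksum,
and the config snippets are illustrative.
"""
import hashlib


def checksum(config):
    return hashlib.sha256(config.encode()).hexdigest()


class ManagedDevice:
    def __init__(self, name, running_config):
        self.name = name
        self.running = running_config   # what the FortiGate is actually running
        self.revisions = []             # (action, checksum, config), newest last
        self.device_db = None           # FortiManager's editable device-level copy
        self.add_device()

    def _record(self, action, config):
        self.revisions.append((action, checksum(config), config))

    # Management operations used in this lab
    def add_device(self):
        """Add Device wizard: running config retrieved into revision 1 and the device DB."""
        self._record("Retrieved", self.running)
        self.device_db = self.running

    def edit_device_db(self, new_config):
        """A change from Device Manager or a provisioning template (nothing sent yet)."""
        self.device_db = new_config

    def install(self):
        """Install Wizard: push the device DB to the FortiGate and store a revision."""
        self.running = self.device_db
        self._record("Installed", self.running)

    def local_change(self, new_config):
        """An admin logs in Read-Write on the FortiGate and changes it directly."""
        self.running = new_config

    def auto_update(self):
        """Running checksum no longer matches the latest revision: retrieve it.
        Assumption: the device DB is refreshed too when it had no pending edits."""
        if checksum(self.running) != self.revisions[-1][1]:
            db_clean = self.device_settings_status() == "Unmodified"
            self._record("Auto Updated", self.running)
            if db_clean:
                self.device_db = self.running

    # Statuses shown in the Configuration and Installation Status widget
    def device_settings_status(self):
        """Device DB versus latest revision."""
        return "Unmodified" if checksum(self.device_db) == self.revisions[-1][1] else "Modified"

    def sync_status(self):
        """Latest revision versus running configuration."""
        return "Synchronized" if checksum(self.running) == self.revisions[-1][1] else "Out of Sync"

    def snapshot(self):
        return (self.device_settings_status(), self.sync_status(), self.revisions[-1][0])


def lab_walkthrough():
    """Replay this lab's sequence on one device; returns (device, [(step, snapshot)])."""
    fg = ManagedDevice("Local-FortiGate", "config system global\n    set admintimeout 5\nend\n")
    steps = [("added to FortiManager", fg.snapshot())]
    fg.edit_device_db(fg.device_db + "config system ntp\n    set ntpsync enable\nend\n")
    steps.append(("system template applied", fg.snapshot()))
    fg.install()
    steps.append(("installed from FortiManager", fg.snapshot()))
    fg.local_change(fg.running.replace("set admintimeout 5", "set admintimeout 10"))
    steps.append(("changed locally, not yet retrieved", fg.snapshot()))
    fg.auto_update()
    steps.append(("auto updated", fg.snapshot()))
    fg.edit_device_db(fg.device_db + 'config system admin\n    edit "training"\n    next\nend\n')
    steps.append(("admin added in device DB", fg.snapshot()))
    return fg, steps


if __name__ == "__main__":
    _, steps = lab_walkthrough()
    for step, (db, sync, last) in steps:
        print(f"{step:35} Device Settings: {db:10} Sync: {sync:12} latest revision: {last}")
```

The last two rows of the printout reproduce the revision history you inspected in Exercise 3 (Retrieved, Installed, Auto Updated) and the Modified (recent auto-updated) state from Exercise 4: only the device database moved, so the running configuration still matches the newest revision.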
1. Still logged in to the FortiManager GUI, click Local-FortiGate.
2. Under the Configuration and Installation Status widget, click the Revision History icon.
3. Click ID 4 and click Revision Diff.
4. Select Show Diff Only.
5. Click Apply.

This shows the difference in configuration between the previous revision and the current running revision. Remember, you configured the administrator account for Local-FortiGate.

6. Click Close.
7. Click ID 4 again and click Revision Diff.
8. Select Capture Diff to a Script.
9. Click Apply.
10. Select Save File.
11. Click OK. Note the folder where the file is downloaded.
12. Click Close.
13. Click Close.
14. Click the download icon in Firefox.
15. Right-click the file name and click Open Containing Folder.
16. Open the file using Notepad++.

This shows you the exact CLI syntax of the changes. Using the script feature on FortiManager, this script can be used to configure other FortiGate devices that require the same settings.

17. Close Notepad++.

Caution: This exercise demonstrates capturing a diff in the form of a script. Before using a captured script on other FortiGate devices, make sure that it is valid for them; if required, edit the script first. For example, if you had configured a static route along with the administrator setting, the static route settings might not be valid for other FortiGate devices.
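As an added example (my code, not the lab's or Fortinet's), the Python script below takes a script captured with Capture Diff to a Script and makes it safer to reuse on other devices: it splits the FortiOS CLI into top-level config ... end sections, drops the sections that normally carry per-device values, and flags credential lines for manual review rather than copying an admin password blindly. The embedded captured diff is constructed to resemble this exercise's output plus the static route from the Caution; the DEVICE_SPECIFIC section list and the review markers are assumptions to tune for your own environment. The filtered output stays in the CLI script format that the Scripts exercise imports.

```python
"""Filter a captured Revision Diff script before reusing it on other FortiGates.

Added example, not from the lab guide or Fortinet. Capture Diff to a Script
produces plain FortiOS CLI (config/edit/set/next/end). The sections listed in
DEVICE_SPECIFIC and the REVIEW_MARKERS are assumptions: adjust them per site.
"""

# Constructed sample: what a captured diff might contain (not real lab output).
CAPTURED_DIFF = """\
config system admin
    edit "training"
        set accprofile "prof_admin"
        set password ENC SH2placeholderhash
    next
end
config router static
    edit 1
        set gateway 10.200.3.254
        set device "port4"
    next
end
config system interface
    edit "port4"
        set allowaccess ping https ssh
    next
end
"""

# Top-level sections that normally encode per-device facts (assumption).
DEVICE_SPECIFIC = {"router static", "system interface"}
# Lines to review by hand even inside otherwise portable sections (assumption).
REVIEW_MARKERS = ("set password", "ENC ")


def split_sections(script):
    """Return [(section_name, [lines])] for each top-level config ... end block.

    Nested config blocks (for example under an edit entry) are kept inside
    their parent section; depth counts config/end pairs only.
    """
    sections, depth, current = [], 0, None
    for line in script.splitlines():
        stripped = line.strip()
        if stripped.startswith("config "):
            if depth == 0:
                current = (stripped[len("config "):], [])
                sections.append(current)
            depth += 1
        if current is not None:
            current[1].append(line)
        if stripped == "end":
            depth -= 1
            if depth == 0:
                current = None
    if depth != 0:
        raise ValueError("unbalanced config/end in script")
    return sections


def make_portable(script, device_specific=DEVICE_SPECIFIC):
    """Return (portable_script, dropped_section_names, lines_to_review)."""
    kept, dropped, review = [], [], []
    for name, lines in split_sections(script):
        if name in device_specific:
            dropped.append(name)
            continue
        review.extend(l.strip() for l in lines if any(m in l for m in REVIEW_MARKERS))
        kept.extend(lines)
    return "\n".join(kept) + ("\n" if kept else ""), dropped, review


if __name__ == "__main__":
    portable, dropped, review = make_portable(CAPTURED_DIFF)
    print("dropped sections:", dropped)
    print("review before running elsewhere:", review)
    print(portable)
```

Run it against the file you just saved from Firefox before importing the result under Device Manager > Scripts; anything in the review list should be re-entered per device rather than pushed as captured.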
Exercise 6: Scripts
A script can make many changes to a managed device, and is useful for bulk configuration changes and for consistency across multiple managed devices. You can configure and run scripts from FortiManager against managed devices. Scripts can be run on:
- Device Database (default)
- Policy Package, ADOM Database
- Remote FortiGate Directly (via CLI)

If a script is run on the device database or on the policy package/ADOM database, an install must then be performed to push the changes to the device. In this exercise, you will make many configuration changes using the script feature and install them on the managed devices.

Scripts are hidden by default in the GUI. They can be enabled from Display Options in Admin Settings and configured from Device Manager.
1. From the Local-Windows VM, open a browser and log in as admin to the FortiManager GUI at 10.0.1.241.
2. Select root.
3. Select System Settings.
4. Go to Admin > Admin Settings.
5. Click the drop-down menu for Display Options on GUI and enable Show Scripts.
6. Click Apply.
7. Log out of FortiManager.
You will now configure scripts for the managed devices.
1. From the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with username student and password fortinet.
2. Click Device Manager.
3. Click Scripts.
4. Click More and click Import.
5. In the Script Name field, enter Local.
6. Click Browse.
7. Browse to Desktop > Resources > FortiManager > Device-Config and select LocalScript.
8. Click the drop-down menu for Advanced Filters.
9. Click Device and select Local-FortiGate from the drop-down menu.
10. Click OK.
11. Click More and click Import.
12. In the Script Name field, enter Remote.
13. Click Browse.
14. Browse to Desktop > Resources > FortiManager > Device-Config and select Remote-Script.
15. Click the drop-down menu for Advanced Filters.
16. Click Device and select Remote-FortiGate from the drop-down menu.
17. Click OK.
Because the scripts target the device database, you will first run the scripts against the device database and then install the resulting changes on the managed devices.
1. Still logged in to the FortiManager GUI, right-click Local and click Run Script Now.
2. Select Local-FortiGate and click Run Now at the bottom.
3. Click View Details and then click the View Script Execution History icon. Scroll to the bottom of the script execution window to check that the script ran successfully on the device database.

Note: If needed, you can also view the script execution history later from the Configuration and Installation Status widget or from the Task Monitor.
4. Click Close.
5. Click Close.
6. Right-click Remote and click Run Script Now.
7. Select Remote-FortiGate and click Run Now at the bottom of the page.
8. Click Close.

1. Still logged in to the FortiManager GUI, click Device & Groups.
Stop and Think: Why is the Config Status showing Modified for both FortiGate devices? Why is the Policy Package Status for Local-FortiGate showing Out of Sync, but the Policy Package Status for Remote-FortiGate remains unchanged as Never Installed?
Discussion: The scripts contain configuration changes related to device-level settings and policies. The Config Status is Modified for both FortiGate devices because of the device-level changes. Because the Local-FortiGate policy package was imported when you added the FortiGate, FortiManager detects the policy-level changes and marks the Local-FortiGate Policy Package Status as Out of Sync. For Remote-FortiGate, the policy package was never imported; hence FortiManager cannot compare the differences in the policies.
2. Select Local-FortiGate and Remote-FortiGate, click Install, and then click Install Config.
3. Click OK.
The installation will be successful on both FortiGate devices.
Note: The Install Config option does not provide an install preview or an install log. Use it only if you are absolutely sure about the changes you are trying to install. If needed, you can view the installation history later from the Configuration and Installation Status widget or from the Task Monitor.
4. Click Finish.
LAB 5—Policy & Objects
In this lab, you will explore the common operations of the Policy & Objects pane in order to centrally manage FortiGate firewall policies, and to manage shared and dynamic objects.

- Import firewall policies and objects from a managed device and review the imported policy packages
- Create ADOM revisions
- Use workflow mode to configure and send changes for approval
- Find duplicate objects and merge them, and delete used objects
- Create and assign header policies to policy packages in an ADOM
- Create a policy package shared across multiple devices
- Create shared objects and dynamic objects with mapping rules
- Identify the different policy and object interface mapping types and configure zone mappings
- Install a policy package and device settings from the Policy & Objects pane

Estimated: 70 minutes
LAB 5—Policy & Objects
Exercise 1: Import Policy and ADOM Revisions
In the previous lab, you installed scripts that contain device-level and policy configuration changes. Because the scripts were run on the device database, which created a revision history containing these changes, the policy packages are not updated automatically and need to be imported manually. In this exercise, you will import the policies using the Import Policy wizard in order to reflect the changes and update the policy packages. Additionally, you will create an ADOM revision, which is a snapshot of all the policy and object configurations for an ADOM.
You will now import policies and objects for both managed FortiGate devices.
1. From the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with username student and password fortinet.
2. Click Device Manager.
3. Right-click Local-FortiGate and click Import Policy.
4. Click Next.
5. Rename the Policy Package Name to Local-FortiGate-1.
6. Select Import All Objects.
7. Click Next.
8. Click Next on the conflict page. Review the objects to be imported.
9. Click Next.
10. Click Download Import Report.
11. Select Open with and click OK to review the downloaded import report.
12. Review the import report and close Notepad.
13. Click Finish.
Note: Download Import Report is available only on this page; make sure to download the import report before clicking Finish.
14. Right-click Remote-FortiGate and click Import Policy.
15. Click Next until you reach the Finish page.
16. Click Finish.
17. Click Device Manager and click Policy & Objects.
18. Compare the policies in the Local-FortiGate and Local-FortiGate-1 policy packages by clicking IPv4 Policy on each policy package.
Policy package: Local-FortiGate
Policy package: Local-FortiGate-1
An ADOM revision creates a snapshot of the policy and object configuration for the ADOM. Now that you have imported policies and objects from both FortiGate devices, you will create ADOM revisions, which are stored locally on the FortiManager and are useful for comparing the differences between two revisions, or for reverting to a previous revision.
1. Still logged in to the FortiManager GUI, click ADOM Revisions.
2. Click Create New and name the revision: Initial revision.
3. Enable Lock this revision from auto-deletion.
4. Click OK. You will notice the lock icon, the name of the administrator who created it, and the date and time.
5. Click Close.
LAB 5—Policy & Objects
Exercise 2: Workflow Mode
Workflow mode is used to control the creation, configuration, and installation of policies and objects. It helps to ensure that all changes are reviewed and approved before they are applied. Workflow mode is similar to ADOM locking (workspace mode), but it also allows administrators to submit their configuration changes for approval. The configuration changes are not committed to the FortiManager database until the approval administrator approves them, and only approved configuration changes can be installed on the managed device. In this exercise, you will enable workflow mode and then make configuration changes related to policies and objects. You will send them for approval and, once they are approved, you will install these changes.
1. On the Local-Windows VM, open PuTTY and connect to the FORTIMANAGER saved session (connect over SSH).
2. At the login prompt, enter the username admin (all lower case).
3. Enter the following commands to set the workspace mode to workflow:
    config system global
        set workspace-mode workflow
    end
Note: Before enabling workflow mode, ensure all FortiManager administrators are notified to save their changes and work on the FortiManager, because enabling workflow mode terminates all management sessions.
4. Enter the following commands to configure approval permissions. You are configuring the admin administrator as approver for My_ADOM:
    config system workflow approval-matrix
        edit My_ADOM
            config approver
                edit 1
                    set member admin
                next
            end
        end
5. Close the PuTTY session.
1. From the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with username student and password fortinet.
2. Click Lock at the top to lock the ADOM.
3. Click Policy & Objects.
4. Click Sessions > Session List.
5. Click Create New.
6. In the Session Name field, type Training.
7. Click OK.
8. Click Object Configurations at the top.
9. Click Tools > Find Duplicate Objects.
10. Click Firewall Address. You will notice that LAN and LOCAL_SUBNET have the same configuration. It will also show you other objects that have the same values.
11. Click Merge for the LAN and LOCAL_SUBNET firewall addresses.
12. In the Merge all to drop-down list, select LOCAL_SUBNET.
13. Click Merge.
14. Click Close.
Note: By merging duplicate objects, you reduce the size of the object database, which can otherwise overwhelm the FortiManager administrator with a large number of objects from different FortiGate devices in the same ADOM. You can also delete unused objects from the same Tools menu, if they will not be used in the future.
15. Click Firewall Objects > Addresses.
16. Right-click the LINUX address object and click Delete.
17. Click OK.
18. Click the Where Used icon. This shows you where the object is referenced. It is referenced in the Local-FortiGate-1 policy package, in firewall policy 1, as the destination address.
19. Click Close.
20. Click Delete Anyway.
Caution: FortiManager allows you to delete a used object. Be careful before deleting a used object, as it will be replaced by the none address 0.0.0.0/255.255.255.255. This means any traffic meeting that specific firewall policy will be blocked if there is no catch-all or shadowed policy below it. In this case, the destination address of firewall policy 1 in the Local-FortiGate-1 policy package is replaced by none after the LINUX address object is deleted.
You will test this later in this exercise.
21. Click Save.
22. Click Sessions and click Submit.
23. Click OK. The ADOM unlocks itself after the changes are submitted.
Note: Your changes are still not saved in the FortiManager database because they must be approved by the approval administrator.

1. Log out of FortiManager and log back in as admin.
2. Click My_ADOM.
3. Click Lock.
4. Click Policy & Objects.
5. Click Sessions > Session List.
Note: The session list shows the name of the request made, the user, the date, and the approval status. The approver administrator can approve, reject, or discard a session, or view the differences between two revisions. The approver administrator can also create a session that is sent to a different approval administrator, or can self-approve, based on the workflow approval matrix.
6. Select ID 1 and click Approve.
7. Click OK.
8. Click Continue Without Session.
9. Click Unlock.
10. Log out of FortiManager.
Note: If an administrator has locked ADOMs and logs out of FortiManager, the lock is released and all ADOMs locked by that administrator are unlocked.
Caution: Always log out of FortiManager gracefully when ADOM locking (workspace or workflow) is enabled. If a session is not closed gracefully (PC crash or closed browser window), FortiManager will not close the administrator session until the administrator session times out or the session is deleted. The locked ADOM will remain in the locked state. The session will have to be deleted manually through the GUI or the CLI. In the GUI: System Settings > System Information widget > Current Administrators > Admin Session List.
In the CLI:

1. From the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with username student and password fortinet.
2. Click Lock at the top.
3. Click Policy & Objects.
4. Click Local-FortiGate-1 > IPv4 Policy. You will notice that LINUX is replaced by none.
5. On the Local-Windows VM, open a command prompt in Windows and run a continuous ping to the LINUX address object:
    ping 10.200.1.254 -t
You will notice that the request times out because the firewall policy has the destination LINUX and the action DENY locally on the Local-FortiGate. Screenshot from the Local-FortiGate.
6. Return to the FortiManager GUI and click Install > Install Wizard.
7. Make sure the following are selected:
    Install Policy Package and Device Settings
    Policy Package: Local-FortiGate-1
8. Click Next.
9. Click Next.
10. Click Preview.
11. Press Ctrl+F and search for the following:
    config firewall policy
    LINUX
You will notice that FortiManager is replacing the destination address of firewall policy 1 with none and deleting the LINUX address object. FortiManager will also delete any other unused objects. This is normal, because when you install a policy package for the first time FortiManager deletes all unused objects.
12. Click Cancel in the Install Preview pop-up window.
13. Click Install.
14. After the install is successful, click View Log to view the installation history.
15. Click Close.
16. Click Finish.
17. Go back to the command prompt where you initiated the ping to LINUX. You now get replies because there is a catch-all policy below the BLOCK_LINUX policy: after the installation, LINUX is replaced by none, and the traffic is processed by the seq#2 firewall policy.
18. Close the command prompt.
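The behaviour just observed, as an added example that is not part of the lab guide: a small Python model of FortiGate first-match policy evaluation showing why the BLOCK_LINUX policy stops denying once its destination is replaced by the none address, plus a check that flags such policies before an install. The address values and policy names come from this exercise; the catch-all policy's name, the data structures and the function names are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# FortiOS "none" address object: 0.0.0.0/255.255.255.255. No real destination
# is 0.0.0.0, so a policy whose destination collapses to "none" never matches.
NONE_NAME = "none"


@dataclass
class Policy:
    seq: int        # sequence number; lower sequences are evaluated first
    name: str
    dstaddr: list   # names of the address objects used as destination
    action: str     # "accept" or "deny"


def build_lab_objects():
    """Address objects as the exercise describes them (constructed sample data)."""
    return {
        "LINUX": ip_network("10.200.1.254/32"),   # the object deleted in step 16
        "all": ip_network("0.0.0.0/0"),
        NONE_NAME: ip_network("0.0.0.0/32"),
    }


def build_lab_policies():
    """Local-FortiGate-1 package: BLOCK_LINUX (seq 1) above a catch-all (seq 2).
    The catch-all's name is assumed; the guide only calls it seq#2."""
    return [
        Policy(1, "BLOCK_LINUX", ["LINUX"], "deny"),
        Policy(2, "catch_all", ["all"], "accept"),
    ]


def delete_address_object(objects, policies, name):
    """Mirror FortiManager's Delete Anyway: remove the object and replace every
    policy reference with "none" rather than removing the policy itself."""
    if name not in objects or name == NONE_NAME:
        raise KeyError(name)
    del objects[name]
    for policy in policies:
        policy.dstaddr = [NONE_NAME if a == name else a for a in policy.dstaddr]


def evaluate(policies, objects, dst):
    """First-match evaluation in sequence order; returns (seq, action).
    The implicit deny at the end of a FortiGate policy list is modelled as seq 0."""
    ip = ip_address(dst)
    for policy in sorted(policies, key=lambda p: p.seq):
        if any(ip in objects[a] for a in policy.dstaddr):
            return policy.seq, policy.action
    return 0, "deny"


def policies_referencing_none(policies):
    """Defender check: a policy whose destination became "none" has silently
    stopped matching anything. Review these before installing the package."""
    return [p.name for p in policies if NONE_NAME in p.dstaddr]
```

With the catch-all present the ping to 10.200.1.254 flips from deny (seq 1) to accept (seq 2); without it the same traffic falls through to the implicit deny, which is the case the Caution above describes.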
1. On the Local-Windows VM, open PuTTY and connect to the FORTIMANAGER saved session (connect over SSH).
2. At the login prompt, enter the username admin (all lower case).
3. Enter the following commands, answering y when prompted to confirm:
    config system global
        set workspace-mode disabled
    y
    end
All administrators will be logged out of the FortiManager GUI to save the changes, so before disabling workspace-mode inform all administrators logged in to FortiManager to save their work.
LAB 5—Policy & Objects
Exercise 3: Creating and Assigning Header Policies in the Global ADOM
Header and footer policies are used to envelop the policies in each individual ADOM. The header and footer policies can be created once in the Global ADOM and assigned to multiple policy packages in different ADOMs. In this exercise, you will create a header policy in the global ADOM and assign it to the managed devices in My_ADOM. Then you will install the header policy to the managed devices.
1. On the Local-Windows VM, open a browser and log in as admin to the FortiManager GUI at 10.0.1.241.
2. Select Global Database.
3. Click IPv4 Header Policy.
4. Click Create New.
5. Configure the following:
    Field                  Value
    Name                   Global_Policy
    Incoming Interface     any
    Outgoing Interface     any
    Source Address         gall
    Destination Address    gall
    Service                gPING
    Schedule               galways
    Action                 Deny
Your configuration should look like this:
6. Click OK.

1. Click Assignment.
2. Click Add ADOM.
3. Choose the following:
    Field                                        Value
    ADOMs                                        My_ADOM
    Specify ADOM to policy package to exclude    Check the box and select the following: default, Local-FortiGate
4. Click OK.
5. Click Assign.
The header policy is assigned to the Local-FortiGate-1 and Remote-FortiGate policy packages.
1. Still logged in to the FortiManager GUI, click ADOM: Global Database.
2. Click My_ADOM.
3. Click Local-FortiGate-1 > IPv4 Header Policy to view the assigned header policy. Optionally, you can perform the previous step to view the header policy in the Remote-FortiGate policy package.
4. Click the Local-FortiGate-1 policy package.
5. Click Install > Re-install Policy.
6. Click Preview. The configuration changes that will be installed on the FortiGate are displayed. In this case, the header policy and related objects will be installed.
7. Click Cancel in the Install Preview pop-up window.
8. Click Next.
9. Click Finish.
10. Click the Remote-FortiGate policy package.
11. Click Install > Re-install Policy.
12. Click Next.
13. Click Finish.
14. Log in to the Local-FortiGate (https://10.0.1.254) and Remote-FortiGate (https://10.200.3.1) with the username admin.
15. Click Login Read-Only.
16. Go to Policy & Objects > IPv4 Policy. You should observe the header policy at the top.
17. Log out of both FortiGate devices.
18. On the Local-Windows VM, open a command prompt and try to ping an external host (for example, 4.2.2.2). You should observe that the ping fails, because the header policy was configured to block ping.
19. Close the command prompt.
LAB 5—Policy & Objects
Exercise 4: Creating a Common Policy for Multiple Devices
You will create a single policy package that can be shared by multiple devices, as opposed to having a policy package per device, which is the current configuration. You will use the installation target setting in a firewall policy to target specific policies to specific FortiGate devices.
First, you will configure dynamic mapping for objects, which is used to map a single logical object to a unique definition per device.
1. On the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with username student and password fortinet.
2. Click Policy & Objects.
3. Click Object Configuration.
4. Click Firewall Objects > Addresses.
5. Click Create New > Address.
6. Configure the following:
    Field           Value
    Address Name    Internal
    Type            IP/Netmask
    IP/Netmask      10.0.0.0/8
7. For the Per-Device Mapping, configure the following:
    - Turn on Per-Device Mapping. Click Add.
    - Select Local-FortiGate for the Mapped Device. Type 10.0.1.0/24 for IP/NetMask. Click OK.
    - Click Add again.
    - Select Remote-FortiGate for the Mapped Device. Type 10.0.2.0/24 for IP/NetMask. Click OK.
Your configuration should look like this:
8. Click OK.
You will now create dynamic mappings for interfaces and zones.
1. Still in the FortiManager GUI, click Zone/Interfaces > Interface.
2. Click Create New > Dynamic Interface.
3. In the Name field type Inside.
4. Turn ON the Per-Device Mapping switch and click Add.
5. Configure the following:
    - Select Local-FortiGate for the Mapped Device. Select port3 for the Device Interface. Click OK.
Note: You will get the following warning message: “The new mapping will delete the old mapping, are you sure you want to continue”. This is because the interfaces were dynamically mapped when the devices were added to the FortiManager. Now, FortiManager will delete the old mapping and map these interfaces to the newly created interface.
    - Click OK in the warning pop-up window.
    - Click Add again.
    - Select Remote-FortiGate for the Mapped Device. Select port6 for the Device Interface. Click OK.
    - Click OK on the warning message.
Your configuration should look like this:
6. Click OK.
7. Still in the FortiManager GUI, click Create New > Zone.
8. In the Name field type Outside.
9. Turn ON the Per-Device Mapping switch and click Add.
10. Configure the following:
    - Select Local-FortiGate for the Mapped Device. Select port1, port2 for the Device Interface. Enable Block intra-zone traffic. Click OK.
    - Click OK in the warning pop-up window.
    - Click Add again.
    - Select Remote-FortiGate for the Mapped Device. Select port4, port5 for the Device Interface. Enable Block intra-zone traffic. Click OK.
    - Click OK in the warning message.
Your configuration should look like this:
11. Click OK. You have now created a dynamic interface and zone.
FortiManager can be used to target a common policy package to multiple devices. So far you have created the dynamic mappings for objects and interfaces; now you will create a common policy package to target Local-FortiGate and Remote-FortiGate.
1. Still in the FortiManager GUI, click Policy Package.
2. Click Policy Package > New Package.
3. Name the new policy package Training and click OK.
4. Click Training > IPv4 Header Policy. You will notice that it was automatically assigned the global Header Policy. This is because in the previous exercise you assigned My_ADOM for the global policy assignment and, by default, when a new policy package is created it is assigned the global policies.
5. Log out and log in again as the admin user in FortiManager.
6. Click Global Database.
7. Click Assignment.
8. Select My_ADOM and click Edit ADOM.
9. Add Training to the policy package exclude list.
10. Click OK.
11. Click Assign.
12. Log out of the FortiManager GUI, and log in again with username student and password fortinet.
13. Click Policy & Objects.
14. Click Training. You will notice that the Training policy package no longer has a header policy.
15. Click IPv4 Policy and click Create New.
16. Configure the following:
    Field                  Value
    Name                   For_Local
    Incoming Interface     Inside
    Outgoing Interface     Outside
    Source Address         Internal
    Source User            student
    Destination Address    all
    Service                HTTP, HTTPS, ALL_ICMP
    Schedule               always
    Action                 Accept
    NAT                    Enable the checkbox
    Security Profiles      Enable Use Standard Security Profiles
    AntiVirus Profile      default
17. Click OK.
18. Click Create New to create a second policy and configure the following:
    Field                  Value
    Name                   For_All
    Incoming Interface     Inside
    Outgoing Interface     Outside
    Source Address         Internal
    Destination Address    all
    Service                SSH, DNS
    Schedule               always
    Action                 Accept
    NAT                    Enable the checkbox
19. Click OK. Your configuration should look like this:
A policy package can be targeted to multiple devices. When you configure an installation target, by default all policies in the policy package are targeted to all selected FortiGate devices. You can further restrict the policies in the policy package to specific FortiGate devices by using the Install On feature, which targets specific policies in the policy package to specific selected FortiGate devices in the Install On column.
1. Still logged in to the FortiManager GUI, click Installation Targets for the Training policy package.
2. Click Add.
3. Select Local-FortiGate, Remote-FortiGate and click OK. The Policy Package Status column shows the name of the currently active policy package for these FortiGate devices.
4. Click IPv4 Policy for the Training policy package.
5. Click Column Settings and click Install On. Once added, you can drag the Install On column to where you want it positioned in the column list.
6. For the For_Local policy, click Installation Targets.
7. Select Local-FortiGate.
8. Click OK.
Your policies should look similar to those below.
1. Click Install > Install Wizard.
2. Make sure the following are selected:
    Install Policy Package & Device Settings
    Policy Package: Training
3. Enable Create Revision and name the revision Common Package.
4. Click Next.
5. Make sure both FortiGate devices are selected and click Next.
6. Select both FortiGate devices. If you hover your cursor over the Status column of the FortiGate devices, it shows the name of the previous policy package. Optionally, you can preview the changes before the installation attempt.
7. Make sure both FortiGate devices are selected and click Install.
8. Once the installation is successful, you can click View Log to see the installation history for each FortiGate.
9. Click Close in the Install Log window.
10. Click Finish.
1. Log in to the Local-FortiGate (https://10.0.1.254) with the username admin.
2. Click Login Read-Only.
3. Go to Policy & Objects > IPv4 Policy. You should observe the following:
    - There are two firewall policies based on the Training policy package.
    - The Inside interface is translated to port3 locally on the FortiGate, and the Outside zone is created locally on the FortiGate, as per the dynamic mapping of interfaces and zones.
4. Click Addresses. Internal is translated to 10.0.1.0/24 as per the dynamic mapping of address objects.
5. Click Network > Interfaces. An Outside zone is created with interfaces port1, port2 as per the interface and zone dynamic mappings.
6. Log out of FortiGate.
7. Try to log in to Remote-FortiGate (https://10.200.3.1). Why are you getting an authentication page? This is because of the identity policy on the Local-FortiGate: all outgoing HTTP and HTTPS traffic must be authenticated on the Local-FortiGate device.
8. When prompted for firewall authentication, enter the username student and the password fortinet.
9. Once authenticated, log in to the Remote-FortiGate using admin as the username and no password.
10. Click Login Read-Only.
11. Go to Policy & Objects > IPv4 Policy.
12. You should observe the following:
    - There is only one firewall policy, based on the Training policy package Install On targets.
    - The Inside interface is translated to port6 locally on the FortiGate, and the Outside zone is created locally on the FortiGate, as per the dynamic mapping of interfaces and zones.
Optionally, you can check the interface and zone under Network, and the Internal address object under Addresses.
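Dynamic mapping and Install On, as an added example that is not the guide's or Fortinet's code: a Python model that resolves the Training package per device the way the verification steps above describe, and refuses to render a target that has no mapping for a dynamic interface. The mapping values, policy names and services come from this exercise; the data structures and function names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class DynamicObject:
    """A shared object with an ADOM-level default and per-device mappings."""
    name: str
    default: Optional[object]
    per_device: dict = field(default_factory=dict)

    def resolve(self, device):
        """Per-device mapping wins; otherwise fall back to the default (if any)."""
        return self.per_device.get(device, self.default)


@dataclass
class SharedPolicy:
    name: str
    srcintf: str      # dynamic interface name
    dstintf: str      # dynamic zone name
    srcaddr: str      # dynamic address name
    service: list
    install_on: Optional[set] = None   # None: every installation target


def build_lab_mappings():
    """The mappings configured in this exercise (constructed from the lab steps)."""
    return {
        "Internal": DynamicObject("Internal", "10.0.0.0/8", {
            "Local-FortiGate": "10.0.1.0/24",
            "Remote-FortiGate": "10.0.2.0/24"}),
        "Inside": DynamicObject("Inside", None, {
            "Local-FortiGate": ["port3"],
            "Remote-FortiGate": ["port6"]}),
        "Outside": DynamicObject("Outside", None, {
            "Local-FortiGate": ["port1", "port2"],
            "Remote-FortiGate": ["port4", "port5"]}),
    }


def build_training_package():
    """The two policies of the Training package; only For_Local has Install On set."""
    return [
        SharedPolicy("For_Local", "Inside", "Outside", "Internal",
                     ["HTTP", "HTTPS", "ALL_ICMP"], {"Local-FortiGate"}),
        SharedPolicy("For_All", "Inside", "Outside", "Internal", ["SSH", "DNS"]),
    ]


def render_for_device(package, mappings, targets, device):
    """Build the per-device view an install would generate: only policies whose
    Install On includes the device, with every dynamic object replaced by that
    device's mapping. An unmapped dynamic interface or zone is refused, since
    the FortiGate would have no interface to bind the policy to."""
    if device not in targets:
        raise ValueError(f"{device} is not an installation target of the package")
    rendered = []
    for policy in package:
        if policy.install_on is not None and device not in policy.install_on:
            continue
        resolved = {"name": policy.name, "service": list(policy.service)}
        for attr in ("srcintf", "dstintf", "srcaddr"):
            obj_name = getattr(policy, attr)
            value = mappings[obj_name].resolve(device)
            if value is None:
                raise ValueError(f"{obj_name} has no mapping for {device}")
            resolved[attr] = value
        rendered.append(resolved)
    return rendered


def render_all(package, mappings, targets):
    """Render every installation target; returns {device: [policies]}."""
    return {device: render_for_device(package, mappings, targets, device)
            for device in sorted(targets)}
```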
1. Return to the FortiManager GUI and, under Policy & Objects, click ADOM Revisions.
2. Right-click Common Package and click Lock.
3. Right-click Initial revision and click Delete.
4. Click OK.
5. Click Close. You can use this revision to revert changes made to your policy packages and objects in your ADOM. Remember that this does not revert Device Manager level settings.
LAB 6—VPN
In this lab, you will configure a site-to-site IPsec VPN between Local-FortiGate and Remote-FortiGate using Device Manager.

- Create an IPsec VPN using Device Manager.

Estimated: 20 minutes
LAB 6—VPN
Exercise 1: Configuring IPsec VPN
In this exercise, you will configure a site-to-site IPsec VPN between the managed FortiGate devices.
Now, you will configure IPsec phase I and phase II for Local-FortiGate.
1. On the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with username student and password fortinet.
2. Click Device Manager.
3. Click Tools > Global Display Options.
4. Select the following check boxes:
    - IPsec Phase 1
    - IPsec Phase 2
    - IPsec VPN
5. Click OK.
6. Click Local-FortiGate.
7. Click Display Options.
8. Select Inherit From ADOM.
9. Click OK.
10. Click VPN > IPsec Phase 1.
11. Click Create New.
12. Configure the following values:
    Field                    Value
    Name                     To_Remote
    Remote Gateway           Static IP Address
    IP Address               10.200.3.1
    Local Interface          port1
    Mode                     Main
    Authentication Method    Pre-shared Key
    Pre-shared Key           fortinet (Tip: delete all dots before typing the pre-shared key.)
    Peer Options             Any peer id
13. Click Advanced... (XAUTH, NAT-traversal, DPD).
14. Configure the following values:
    Field                    Value
    P1 Proposal              Encryption AES128, Authentication SHA256 (delete all other entries)
    Diffie-Hellman Groups    5
    Dead Peer Detection      On Idle
15. Leave all other settings at their default values, and then, at the bottom of the page, click OK.
16. Click VPN > IPsec Phase 2.
17. Click Create New.
18. Configure the following values:
    Field          Value
    Tunnel Name    To_Rem_P2
    Phase 1        To_Remote
19. Leave all other settings at their default values, and then, at the bottom of the page, click OK.
Now, you will configure the static route for the IPsec VPN.
1. In the FortiManager GUI, click Router > Static Route.
2. Click Create New > Static Route.
3. Configure the following values:
   Field          Value
   Destination    Subnet 10.0.2.0/24
   Device         To_Remote
4. Leave all other settings at their default values, and then, at the bottom of the page, click OK.
Now, you will configure IPsec phase I and phase II for Remote-FortiGate.
1. In the FortiManager GUI, click Remote-FortiGate.
2. Click VPN > IPsec Phase 1.
3. Click Create New.
4. Configure the following values:
   Field                    Value
   Name                     To_Local
   Remote Gateway           Static IP Address
   IP Address               10.200.1.1
   Local Interface          port4
   Mode                     Main
   Authentication Method    Pre-shared Key
   Pre-shared Key           fortinet (Tip: delete all dots before typing the pre-shared key.)
   Peer Options             Any peer id
5. Click Advanced... (XAUTH, NAT-traversal, DPD).
6. Configure the following values:
   Field                    Value
   P1 Proposal              Encryption AES128, Authentication SHA256 (delete all other entries)
   Diffie-Hellman Groups    5
   Dead Peer Detection      On Idle
7. Leave all other settings at their default values, and then, at the bottom of the page, click OK.
8. Click VPN > IPsec Phase 2.
9. Click Create New.
10. Configure the following values:
    Field          Value
    Tunnel Name    To_Local_P2
    Phase 1        To_Local
11. Leave all other settings at their default values, and then, at the bottom of the page, click OK.
Now, you will configure the static route for the IPsec VPN.
1. In the FortiManager GUI, click Router > Static Route.
2. Click Create New > Static Route.
3. Configure the following values:
   Field          Value
   Destination    Subnet 10.0.1.0/24
   Device         To_Local
4. Leave all other settings at their default values, and then, at the bottom of the page, click OK.
Now, you have configured IPsec phase 1, phase 2, and static routes on both FortiGate devices. Now, you will install these device-level configuration changes on both FortiGate devices.
1. In the FortiManager GUI, click Install Wizard.
2. Select Install Device Settings (only), and then click Next.
3. Make sure both devices are selected, and then click Next.
4. Make sure both devices are selected in the Preview window, and then click Install.
5. Optionally, after the installation is successful, you can view the Install Log.
6. Click Finish.
Now, you will create dynamic interface mapping for virtual IPsec VPN interfaces, so that you can create IPsec firewall policies.
1. In the FortiManager GUI, click Device Manager > Policy & Objects.
2. Click Object Configuration.
3. Click Zone/Interface > Interface.
4. Click Create New > Dynamic Interface.
5. In the Name field, type VPN.
6. Turn on the Per-Device Mapping switch, and then click Add.
7. Configure the following:
   - In the Mapped Device drop-down list, select Local-FortiGate.
   - In the Device Interface drop-down list, select To_Remote.
   - Click OK.
   - Click Add.
   - In the Mapped Device drop-down list, select Remote-FortiGate.
   - In the Device Interface drop-down list, select To_Local.
   - Click OK.
   Your configuration should look like the following example:
8. Click OK.
Now, you will create IPsec VPN firewall policies.
1. In the FortiManager GUI, click Policy Packages.
2. For the Training policy package, click IPv4 Policy.
3. Click Create New to create a new firewall policy.
4. Configure the following values:
   Field                  Value
   Name                   To_IPsec
   Incoming Interface     Inside
   Outgoing Interface     VPN
   Source Address         Internal
   Destination Address    all
   Service                ALL
   Schedule               always
   Action                 Accept
5. Leave all other settings at their default values, and then click OK.
6. Click Create New to create a second new firewall policy.
7. Configure the following values:
   Field                  Value
   Name                   From_IPsec
   Incoming Interface     VPN
   Outgoing Interface     Inside
   Source Address         all
   Destination Address    Internal
   Service                ALL
   Schedule               always
   Action                 Accept
8. Leave all other settings at their default values, and then click OK. Your configuration should look like the following example:
You have configured IPsec firewall policies in the Training policy package. Now, you will install the Training policy package on the managed FortiGate devices.
1. In the FortiManager GUI, for the Training policy package, click IPv4 Policy.
2. Click Install > Re-install Policy.
3. Click Next.
4. After the installation is successful, click Finish.
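The two policies you just installed reference the dynamic interfaces Inside and VPN rather than device ports; at install time FortiManager resolves each dynamic interface through its per-device mapping, which is why one package can serve both FortiGate devices. The Python model below is an added example, not FortiManager's code or output. The VPN mappings (To_Remote on Local-FortiGate, To_Local on Remote-FortiGate) and the Inside mapping to port6 on Local-FortiGate come from this lab; the Inside mapping for Remote-FortiGate is a constructed value, and the rendered FortiOS CLI is only an assumed shape of what the install produces. The check_mappings pre-flight also covers the case the lab does not show: a device that is an install target but has no mapping for a dynamic interface the package uses.

```python
"""Per-device resolution of dynamic interfaces in a policy package.

Added example, not FortiManager code: models the mapping step the install
wizard performs so the result can be compared with the install preview.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PackagePolicy:
    name: str
    srcintf: str
    dstintf: str
    srcaddr: str
    dstaddr: str
    action: str = "accept"


# Dynamic interface name -> {device name: local interface on that device}.
# VPN mappings and the Local-FortiGate Inside mapping are from the lab;
# the Remote-FortiGate Inside mapping is constructed for this example.
DYNAMIC_INTERFACES = {
    "VPN": {"Local-FortiGate": "To_Remote", "Remote-FortiGate": "To_Local"},
    "Inside": {"Local-FortiGate": "port6", "Remote-FortiGate": "port6"},
}

# The two policies added to the Training package in this exercise.
TRAINING_PACKAGE = [
    PackagePolicy("To_IPsec", "Inside", "VPN", "Internal", "all"),
    PackagePolicy("From_IPsec", "VPN", "Inside", "all", "Internal"),
]


class MappingError(ValueError):
    """A dynamic interface has no mapping for the target device; the install would fail there."""


def resolve_interface(name, device, dynamic=DYNAMIC_INTERFACES):
    """Translate a package interface name into the device-local interface name."""
    if name not in dynamic:
        return name  # not a dynamic interface: the name is used as-is
    try:
        return dynamic[name][device]
    except KeyError:
        raise MappingError(f"dynamic interface '{name}' has no mapping for {device}") from None


def check_mappings(package, devices, dynamic=DYNAMIC_INTERFACES):
    """Dynamic interfaces the package uses that lack a mapping, per device.
    An empty dict means every listed device can receive the package."""
    used = sorted({i for p in package for i in (p.srcintf, p.dstintf) if i in dynamic})
    missing = {}
    for dev in devices:
        gaps = [i for i in used if dev not in dynamic[i]]
        if gaps:
            missing[dev] = gaps
    return missing


def resolved_interfaces(package, device):
    """(srcintf, dstintf) per policy name after resolution on the given device."""
    return {p.name: (resolve_interface(p.srcintf, device),
                     resolve_interface(p.dstintf, device)) for p in package}


def render_package(package, device):
    """FortiOS-style CLI for the package on one device (assumed shape of the installed config)."""
    lines = ["config firewall policy"]
    for pol in package:
        lines += [
            "    edit 0",
            f'        set name "{pol.name}"',
            f'        set srcintf "{resolve_interface(pol.srcintf, device)}"',
            f'        set dstintf "{resolve_interface(pol.dstintf, device)}"',
            f'        set srcaddr "{pol.srcaddr}"',
            f'        set dstaddr "{pol.dstaddr}"',
            f"        set action {pol.action}",
            "    next",
        ]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    for dev in ("Local-FortiGate", "Remote-FortiGate"):
        print(f"# {dev}\n{render_package(TRAINING_PACKAGE, dev)}\n")
    # A device with no mappings would be reported before any install is attempted.
    print("missing mappings:", check_mappings(TRAINING_PACKAGE, ["Local-FortiGate", "Branch-FortiGate"]))
```

Running the block prints the resolved policies for both devices; the same policy lands as port6/To_Remote on Local-FortiGate and as port6/To_Local on Remote-FortiGate, which is what the Query > IPsec VPN view and the install preview reflect.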
Now, you will test the IPsec VPN by pinging the remote subnet IP address from Local-Windows.
1. On the Local-Windows VM, open a command prompt and ping the remote host 10.0.2.10:
   ping 10.0.2.10
2. In the FortiManager GUI, click Policy & Objects > Device Manager.
3. Click Local-FortiGate.
4. Click Query > IPsec VPN.
You will see that the IPsec tunnel is up between the FortiGate devices.
LAB 7—Diagnostics and Troubleshooting
In this lab, you will perform diagnostics and troubleshooting when installing device-level settings and importing firewall policies.
- Diagnose and troubleshoot issues when installing System Templates
- Diagnose and troubleshoot issues when importing policy packages
Estimated: 30 minutes
Before beginning this lab, you must restore the configuration files to the Local-FortiGate, Remote-FortiGate, and FortiManager.
1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the username admin.
2. Click Login Read-Write.
3. Click Yes.
4. Go to Dashboard, and then, in the System Information widget, click Restore.
5. Select the option to restore from Local PC, and then click Upload.
6. Browse to Desktop > Resources > FortiManager > Troubleshooting and select Localdiag.conf.
7. Click OK.
8. Click OK. The system reboots.
9. After the reboot finishes (you must wait until Local-FortiGate reboots), open a new browser and log in as admin to the Remote-FortiGate GUI at 10.200.3.1.
10. Repeat the same procedure to restore the system configuration for the Remote-FortiGate but, in the Troubleshooting folder, select Remote-diag.conf.
11. After the reboot finishes, close both browser tabs.
1. On the Local-Windows VM, open a browser and log in as admin to the FortiManager GUI at 10.0.1.241.
2. Select root.
3. Select System Settings.
4. In the System Information widget, in the System Configuration field, click the Restore icon.
5. Click Browse.
6. Browse to Desktop > Resources > FortiManager > Troubleshooting and select FMGdiag.dat. There is no password to enter because the file was not encrypted.
7. Leave the Overwrite current IP, routing and HA settings check box selected.
8. Click OK. FortiManager reboots.
9. Wait for the FortiManager to reboot, and then log in as admin to the FortiManager GUI at 10.0.1.241.
10. Click root.
11. Click System Settings.
12. Go to Advanced > Advanced Settings.
13. For Offline Mode, select Disable.
14. Click Apply. You will see that the Offline Mode message disappears. At this point, FortiManager can establish a management connection with the managed devices.
15. Log out of FortiManager.
1 Diagnose and Troubleshoot Install Issues
FortiManager is preconfigured as follows:
- ADOMs are enabled
- ADOM1 is configured for FortiGate firmware version 5.4
- Local-FortiGate and Remote-FortiGate are managed by FortiManager in ADOM1
- The Remote-FortiGate policy package is not imported
- The default system template is configured with only the DNS widget
- The default system template is applied to the Local-FortiGate and Remote-FortiGate
In this exercise, you will diagnose and troubleshoot issues that occur when installing configuration changes to Local-FortiGate and Remote-FortiGate.
Now, you will view the installation preview to learn what device-level configuration changes will be installed on the FortiGate devices. The objective of this exercise is to verify and troubleshoot to make sure the correct configuration settings will be installed on the FortiGate devices.
1. On the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with username student and password fortinet.
2. Click Device Manager.
3. Click Local-FortiGate.
4. In the Configuration and Installation Status widget, click Preview. Notice that default is listed as the System Template, which is pre-assigned to Local-FortiGate. The installation preview generates.
5. Write down the DNS settings that will be installed on the Local-FortiGate.
   Primary: ______________________
   Secondary: ______________________
6. Click OK.
1. In the FortiManager GUI, click Remote-FortiGate.
2. In the Configuration and Installation Status widget, click Preview.
3. Write down the DNS settings that will be installed on the Remote-FortiGate.
   Primary: ______________________
   Secondary: ______________________
4. Click OK.
Stop and Think
The system template was configured with two entries. Why did the Local-FortiGate show only one DNS entry, but the Remote-FortiGate showed two entries?
Discussion
The Local-FortiGate device was preconfigured with the primary DNS entry 208.91.112.53. When the Local-FortiGate was added to FortiManager, that setting was automatically loaded into the device-level database. To verify, check the current revision history and search for config system dns. If you are not able to figure it out, follow the procedure below to view the system template and DNS settings in the CLI.
Now, you will view the DNS configuration for the configured system template and compare it with the device-level database settings for DNS (for both Local-FortiGate and Remote-FortiGate). You will view the configuration in the CLI.
1. On the Local-Windows VM, open PuTTY, and then connect to the FORTIMANAGER saved session (connect over SSH).
2. Log in as admin and run the following command to view the CLI configuration for the system template:
   # execute fmpolicy print-prov-templates ADOM1 5 1020 15
   The output should appear as follows:
   Dump all objects for category [system dns] in adom [ADOM1] package [1020]:
   ---------------
   config system dns
       set primary 208.91.112.53
       set secondary 208.91.112.52
   end
   Note: The execute fmpolicy print- command tree allows you to view the CLI configuration for provisioning templates, the ADOM, and the device database on FortiManager. The syntax for provisioning templates is:
   # execute fmpolicy print-prov-templates |all [|all|list]
   You can use the help feature by typing ? to open the command tree syntax.
1. In the FORTIMANAGER PuTTY session, run the following command to view the Local-FortiGate DNS settings in the FortiManager device-level database:
   # execute fmpolicy print-device-object ADOM1 Local-FortiGate root 15
   The output should appear as follows:
   Dump all objects for category [system dns] in device [LocalFortiGate] vdom[root]:
   ---------------
   config system dns
       set primary 208.91.112.53
       set secondary 4.2.2.2
   end
   Note: The syntax for the device object is:
   execute fmpolicy print-device-object |all [|all|list]
2. Run the following command to view the Remote-FortiGate DNS settings in the FortiManager device-level database:
   # execute fmpolicy print-device-object ADOM1 Remote-FortiGate root 15
   The output should appear as follows:
   Dump all objects for category [system dns] in device [RemoteFortiGate] vdom[root]:
   ---------------
   config system dns
       set primary 4.2.2.2
       set secondary 8.8.8.8
   end
   Compare the FortiManager system template entries with each FortiGate device. The Local-FortiGate primary DNS entry matches the default system template primary DNS entry. Because of that, FortiManager skips the primary DNS entry for the Local-FortiGate, because Local-FortiGate has already been configured with the same entry.
3. Close the PuTTY session.
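The comparison you just made by hand is the same diff the install preview computes: a template value that already matches the device-level database is skipped, and only the differing values are installed. The Python block below is an added example, not Fortinet's implementation. It parses the three CLI dumps shown above (embedded as constructed strings copied from the lab output), computes the per-device diff, and renders the pending changes as a FortiOS CLI fragment so they can be checked against the Preview window.

```python
"""Model of the install-preview diff between a system template and the device-level database.

Added example, not FortiManager's code: mirrors the behaviour the lab describes,
where settings already equal in the device database are skipped on install.
"""
import re

# Constructed from the 'execute fmpolicy print-*' output shown in this exercise.
TEMPLATE_DUMP = """\
Dump all objects for category [system dns] in adom [ADOM1] package [1020]:
---------------
config system dns
    set primary 208.91.112.53
    set secondary 208.91.112.52
end
"""

DEVICE_DUMPS = {
    "Local-FortiGate": """\
Dump all objects for category [system dns] in device [LocalFortiGate] vdom[root]:
---------------
config system dns
    set primary 208.91.112.53
    set secondary 4.2.2.2
end
""",
    "Remote-FortiGate": """\
Dump all objects for category [system dns] in device [RemoteFortiGate] vdom[root]:
---------------
config system dns
    set primary 4.2.2.2
    set secondary 8.8.8.8
end
""",
}

SET_RE = re.compile(r"^\s*set\s+(\S+)\s+(.+?)\s*$")


def parse_settings(dump):
    """Return {key: value} for every 'set' line inside the config ... end block of a dump."""
    settings = {}
    inside = False
    for line in dump.splitlines():
        stripped = line.strip()
        if stripped.startswith("config "):
            inside = True
            continue
        if stripped == "end":
            inside = False
            continue
        if inside:
            m = SET_RE.match(line)
            if m:
                settings[m.group(1)] = m.group(2)
    return settings


def install_diff(template, device):
    """Settings FortiManager would push: template values that differ from the device database."""
    return {k: v for k, v in template.items() if device.get(k) != v}


def render_install(diff):
    """Render pending changes as FortiOS CLI (empty string when nothing would be installed)."""
    if not diff:
        return ""
    lines = ["config system dns"]
    lines += [f"    set {k} {v}" for k, v in diff.items()]
    lines.append("end")
    return "\n".join(lines)


def preview_all():
    """Per-device diff for every device dump, like running Preview for each managed FortiGate."""
    template = parse_settings(TEMPLATE_DUMP)
    return {name: install_diff(template, parse_settings(dump)) for name, dump in DEVICE_DUMPS.items()}


if __name__ == "__main__":
    for name, diff in preview_all().items():
        print(f"== {name} ==")
        print(render_install(diff) or "(nothing to install)")
```

For Local-FortiGate only the secondary DNS entry is reported, for Remote-FortiGate both entries are, matching what you wrote down from the two previews. The same parse-and-diff approach works for any other category you can dump with execute fmpolicy print-device-object.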
Now, you will install device-level configuration changes (system templates) on the managed FortiGate devices.
1. In the FortiManager GUI, click Managed FortiGates.
2. Select Local-FortiGate and Remote-FortiGate.
3. In the drop-down list, click Install > Install Wizard.
4. Select Install Device Settings (only), and then click Next.
5. Make sure both devices are selected, and then click Next.
6. For Local-FortiGate, click Preview. The preview generates. Optionally, you can download the preview settings.
7. Click Cancel.
8. For Remote-FortiGate, click Preview. The preview generates.
9. Click Cancel.
10. Make sure both FortiGate devices are selected, and then click Install. The installation begins.
11. After the installation finishes, click the View Log icon to view and verify what is being installed on each device.
12. In the Install Log pop-up window, click Close.
13. Click Finish. The Config Status for both FortiGate devices should be Synchronized.
2 Troubleshoot Policy Import Issues
First, you will view the policies and objects imported into the ADOM database. The objects share the common object database for each ADOM and are saved in the ADOM database, which can be shared or used among different managed FortiGate devices in the same ADOM. In this exercise, you will diagnose and troubleshoot issues that occur while importing the Remote-FortiGate policy package.
Now, because the Local-FortiGate policy package is imported into ADOM1, you will view the Local-FortiGate policy package and objects imported into the ADOM1 database.
1. On the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with the username student and password fortinet.
2. Click Policy & Objects.
3. On the left side of the window, expand Local-FortiGate, and then click IPv4 Policy. You will see the two policies for the Local-FortiGate. Notice the source address of Test_PC for the Ping_Test firewall policy.
4. On the menu bar, click Object Configurations.
5. On the left side of the window, expand Firewall Objects, and then click Addresses.
6. Review the configuration for the Test_PC firewall address. In the ADOM database, it is set to any interface, based on the configuration imported from the Local-FortiGate.
You need to import the policies and objects from the Remote-FortiGate. But before importing policies and objects, you will review the policies and objects locally on the Remote-FortiGate.
1. On the Local-Windows VM, open a browser and log in to the Remote-FortiGate GUI at 10.200.3.1 with the username admin.
2. Click Login Read-Only.
3. Go to Policy & Objects > IPv4 Policy.
4. Hover the mouse over the Test_PC object in the Source column of the Seq.# 1 firewall policy. You will see that the Test_PC address object is bound to the port6 interface.
5. Remember, the Test_PC address object is bound to any interface in the ADOM database.
6. Log out of Remote-FortiGate.
Now, you will import the policies and objects for the Remote-FortiGate into the policy package, and troubleshoot issues with the policy import.
1. Return to the FortiManager GUI, and then click Policy & Objects > Device Manager.
2. Right-click Remote-FortiGate, and then click Import Policy.
3. Click Next.
4. Make sure the policy package name is Remote-FortiGate.
5. Leave all other settings at their default values, and then click Next.
6. Click Next.
7. Click Next. Did you notice it skipped one firewall policy out of two policies?
8. Click Download Import Report to view the reason for skipping a firewall policy.
9. Open the file (or you can save it for future reference). Did you notice it failed when importing firewall policy ID # 2 (SEQ# 1)?
Stop and Think
The output provides the reason for this policy import failure:
reason=interface(interface binding contradiction. detail: any
Discussion
Remember, in the ADOM1 database, the Test_PC firewall address is bound to the any interface, based on the configuration imported from the Local-FortiGate. On the Remote-FortiGate, policy ID 2 is using the Test_PC firewall address bound to port6 as the source address. This is the expected behavior on FortiManager because it doesn't allow the same address object name to bind to different interfaces. Because FortiManager imported only part of the policies into the policy package, if you make a change to the policy package and try to install it, FortiManager will delete the skipped policies and the objects associated with those policies, along with all unused objects. You must change the Test_PC firewall address binding to the any interface by locally logging in to the Remote-FortiGate.
10. Close the import report, and then click Finish.
The two procedures below show the impact of making changes to the FortiManager policy package Remote-FortiGate and then trying to install the policy package. It will try to delete policy ID 2 and the Test_PC address object on the Remote-FortiGate. FortiManager will also try to delete any unused objects. If you are already familiar with this behavior, you can skip the following procedures:
To make configuration changes to the Remote-FortiGate policy package (Optional)
1. In the FortiManager GUI, click Device Manager > Policy & Objects.
2. On the left side of the window, click Remote-FortiGate, and then click IPv4 Policy. You will see that the firewall policy with Test_PC as the source address is not imported.
3. Double-click the Seq# 1 firewall policy.
4. In the Description field, type Training, and then click OK.
To preview the installation changes (Optional)
1. Ensure IPv4 Policy is selected for the Remote-FortiGate policy package, and then click Install > Re-install Policy.
2. Click Preview.
3. Notice that it is trying to delete the firewall policy with ID=2 and the Test_PC address object. This is the firewall policy with Test_PC as the source address. Note: When installing a policy package for the first time, FortiManager also deletes all unused objects.
4. In the Install Preview window, click Cancel.
5. Click Cancel.
You must change the Test_PC firewall Test_PC firewall address binding to the any interface any interface by locally logging in to the Remote-FortiGate. Then, on FortiManager you will be able to import the policy package for the Remote-FortiGate.
1. On the Local-Windows VM, open a new browser tab, and then log in to the Remote-FortiGate GUI at 10.200.3.1 as admin.
2. Click Login Read-Write.
3. In the warning window, click Yes.
4. Click Policy & Objects > Addresses.
5. Right-click Test_PC, and then select Edit in CLI.
6. Enter the following commands in the CLI window:
   unset associated-interface
   end
7. Close the CLI Console window.
8. Refresh the page. Your configuration should look like the following example:
9. Log out of Remote-FortiGate.
1. Return to the FortiManager GUI, and then click Policy & Objects > Device Manager.
2. On the left side of the window, click Managed FortiGates.
3. Right-click Remote-FortiGate, and then select Import Policy.
4. Click Next.
5. Select the Overwrite check box.
6. Leave all other settings at their default values, and then click Next. Did you notice that Test_PC appeared as Dynamic Mapping? FortiManager automatically creates a dynamic mapping of the object with the same values; the interface binding must be the same as in the ADOM database.
7. Click Next.
8. You will see that both firewall policies are imported this time.
9. Click Finish.
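Both import runs in this exercise can be reproduced with a small model of the ADOM database: the first import rejects policy ID 2 because Test_PC is bound to port6 on the Remote-FortiGate but to any in ADOM1, and an install of that partial package would remove policy 2 from the device; after associated-interface is unset, the object matches the ADOM entry and the second import keeps it as a per-device dynamic mapping. The Python block below is an added example, not FortiManager's code or data structures. The Test_PC subnet, the second policy's ID (1), and the rule that an object with identical values becomes a dynamic mapping on import are assumptions made for the example; the "interface binding contradiction" wording is taken from the import report above.

```python
"""Model of the FortiManager policy-import outcomes shown in this exercise.

Added example, not FortiManager's code: the ADOM database, import check and
install-preview deletion are modelled only far enough to reproduce the
interface binding contradiction, its install consequence, and the dynamic
mapping created on re-import.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Address:
    name: str
    subnet: str
    interface: str = "any"  # FortiOS 'associated-interface'; 'any' when unset


@dataclass(frozen=True)
class Policy:
    policyid: int
    seq: int
    srcaddr: str


@dataclass
class AdomDB:
    addresses: dict = field(default_factory=dict)     # name -> Address
    dynamic_maps: dict = field(default_factory=dict)  # name -> {device: Address}


@dataclass
class ImportResult:
    imported: list  # policy IDs that made it into the package
    skipped: dict   # policy ID -> reason string from the import report


def binding_conflict(adom, addr):
    """Reason string if 'addr' clashes with an ADOM object of the same name, else None.
    FortiManager does not let one object name bind to different interfaces."""
    existing = adom.addresses.get(addr.name)
    if existing is None or existing.interface == addr.interface:
        return None
    return (f"interface binding contradiction: ADOM '{addr.name}' is bound to "
            f"{existing.interface}, device object is bound to {addr.interface}")


def import_policies(adom, device, addresses, policies):
    """Import a device's policies; a policy whose source address conflicts is skipped.
    An object already in the ADOM with identical values is recorded as a per-device
    dynamic mapping (assumed model of the 'Dynamic Mapping' shown on the second import)."""
    imported, skipped = [], {}
    by_name = {a.name: a for a in addresses}
    for pol in sorted(policies, key=lambda p: p.seq):
        addr = by_name[pol.srcaddr]
        reason = binding_conflict(adom, addr)
        if reason:
            skipped[pol.policyid] = f"policy ID {pol.policyid} (SEQ# {pol.seq}): {reason}"
            continue
        if addr.name in adom.addresses:
            adom.dynamic_maps.setdefault(addr.name, {})[device] = addr
        else:
            adom.addresses[addr.name] = addr
        imported.append(pol.policyid)
    return ImportResult(imported, skipped)


def install_deletions(result, device_policy_ids):
    """Policy IDs an install of the partially imported package would remove from the device:
    everything the device has that the package does not."""
    return sorted(set(device_policy_ids) - set(result.imported))


# Constructed data mirroring the lab (subnet and policy ID 1 are not from the page).
ALL = Address("all", "0.0.0.0 0.0.0.0")
LOCAL_TEST_PC = Address("Test_PC", "10.0.1.10 255.255.255.255")
REMOTE_TEST_PC_BOUND = Address("Test_PC", "10.0.1.10 255.255.255.255", interface="port6")
REMOTE_POLICIES = [Policy(2, 1, "Test_PC"), Policy(1, 2, "all")]


def first_import():
    """Remote-FortiGate imported while Test_PC is still bound to port6."""
    adom = AdomDB(addresses={"all": ALL, "Test_PC": LOCAL_TEST_PC})
    return adom, import_policies(adom, "Remote-FortiGate", [ALL, REMOTE_TEST_PC_BOUND], REMOTE_POLICIES)


def second_import():
    """Same import after 'unset associated-interface' on the Remote-FortiGate."""
    adom = AdomDB(addresses={"all": ALL, "Test_PC": LOCAL_TEST_PC})
    unbound = Address(REMOTE_TEST_PC_BOUND.name, REMOTE_TEST_PC_BOUND.subnet)  # back to 'any'
    return adom, import_policies(adom, "Remote-FortiGate", [ALL, unbound], REMOTE_POLICIES)


if __name__ == "__main__":
    adom, res = first_import()
    print("first import skipped:", res.skipped)
    print("an install of this package would delete policy IDs:", install_deletions(res, [1, 2]))
    adom, res = second_import()
    print("second import imported:", res.imported, "dynamic maps:", sorted(adom.dynamic_maps))
```

The install_deletions result is the part worth checking before any Re-install Policy on a package that imported with skipped entries: it lists exactly the device policies the preview in the optional procedure above shows being deleted.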
LAB 8—Advanced Configuration
The learning goals for this lab are to understand the troubleshooting commands used for FortiGuard Management, and to learn how to use FortiManager to upgrade the firmware on managed FortiGate devices.
- Review the central management configuration on both FortiGate devices
- Understand and run FortiGuard debug commands
- Import the firmware image for FortiGate devices and upgrade from FortiManager
Estimated: 15 minutes
In this exercise, you will review the central management settings on the FortiGate devices. Then, you will run the CLI commands related to FortiGuard diagnostics on FortiManager to understand the FortiGuard settings on FortiManager.
1. On the Local-Windows VM, open PuTTY and connect to the LOCAL-FORTIGATE and REMOTE-FORTIGATE saved sessions (connect over SSH).
2. At the login prompt, enter the username admin (all lower case).
3. Enter the following command:
   show system central-management
   Your output for the Local-FortiGate and Remote-FortiGate devices should look similar to the following examples:
   Local-FortiGate:
   Remote-FortiGate:
You will see that server-list is configured on the FortiGate devices with the FortiManager IP address, and include-default-servers is disabled. This means the FortiGate devices are pointed to FortiManager for FortiGuard services, and access to the public FortiGuard servers is disabled.
Now, you will run CLI commands on FortiManager to verify the FortiGuard configuration in order to troubleshoot FortiGuard issues.
1. On the Local-Windows VM, open PuTTY and connect to the FORTIMANAGER saved session (connect over SSH).
2. At the login prompt, enter the username admin (all lower case).
3. Run the following commands:
   diagnose fmupdate view-serverlist fds
   You should see that there is only one default server in the list. FortiManager is unable to connect to the public FDN servers because they are unreachable or the service is disabled. In this lab environment, communication with the public FortiGuard servers is disabled.
   diagnose fmupdate view-serverlist fds
   You should see that there is no information on Upullstat, UpullServer, because FortiManager is not connected to the public FDS, which would provide that information.
   diagnose fmupdate dbcontract
   FortiManager is operating in a closed network environment, and license contracts are uploaded manually on FortiManager. You should see the contract information, which includes the types of contracts that the device currently has, along with the expiry dates.
   Note: The same information can be viewed in the FortiGate GUI in the License Information widget. You will also see FortiAnalyzer contract information, which is uploaded manually on FortiManager. The FortiAnalyzer labs use FortiManager as the local FDS in order to use the IOC features on FortiAnalyzer.
You can use FortiManager as your local firmware cache and to upgrade firmware on supported devices. In this exercise, you will import the firmware image for FortiGate and then upgrade both FortiGate devices using FortiManager.
1. On the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with username student and password fortinet.
2. Click FortiGuard.
3. Click Firmware Images > Import Images.
4. Click Import, and then click Browse.
5. Browse to Desktop > Resources > FortiManager > Advanced-Configuration, and then select FGT_VM64-v5-build7605-FORTINET.out.
6. Click OK. You will see that the firmware image has been saved on FortiManager.
7. Click FortiGuard > Device Manager.
8. Click Firmware.
9. Select both FortiGate devices and click Upgrade.
10. In the Upgrade to drop-down list, select FGT_VM64-v5-build7605-FORTINET.out.
11. Click OK. You should see successful firmware upgrades for both FortiGate devices.
12. Click Close.
13. Optionally, you can open the console connection for the Local-FortiGate and Remote-FortiGate to see the firmware upgrades.