
DO NOT REPRINT

© FORTINET

FortiManager Lab Guide
for FortiManager 6.2
Fortinet Training
http://www.fortinet.com/training

Fortinet Document Library
http://docs.fortinet.com

Fortinet Knowledge Base
http://kb.fortinet.com

Fortinet Forums
https://forum.fortinet.com

Fortinet Support
https://support.fortinet.com 

FortiGuard Labs
http://www.fortiguard.com

Fortinet Network Security Expert Program (NSE)
https://www.fortinet.com/support-and-training/training/network-security-expert-program.html

Feedback
Email: courseware@fortinet.com

6/27/2019

TABLE OF CONTENTS

Virtual Lab Basics 6
Network Topology 6
Lab Environment 6
Remote Access Test 7
Logging In 8
Disconnections and Timeouts 10
Screen Resolution 10
Sending Special Keys 11
Student Tools 12
Troubleshooting Tips 12
Lab 1: Initial Configuration 15
Exercise 1: Examining the Initial Configuration 17
Examine the Initial Configuration Using the CLI 17
Examine the Initial Configuration Using the GUI 19
Exercise 2: Enabling FortiAnalyzer Features on FortiManager 23
Lab 2: Administration and Management 25
Exercise 1: Configure Administrative Domains (ADOMs) 26
Enable ADOMs 26
View ADOM Information 26
Configure ADOMs 27
Exercise 2: Creating and Assigning Administrators 31
Test Administrator Privileges 33
Restrict Administrator Access Using a Trusted Host 33
Test the Restricted Administrator Access 34
Exercise 3: ADOM Locking (Workspace Mode) 36
ADOM Locking (Workspace Mode) 36
Exercise 4: Backup and Restore 39
Back Up the FortiManager Configuration 39
Restore the FortiManager Configuration 40
Exercise 5: Monitoring Alerts and Event Logs 42
Offline Mode 42
View Alerts and Event Logs 43
Lab 3: Device Registration 45
Exercise 1: Configuring System Templates 46
Configure System Templates 46
Disable ADOM Locking (Workspace Mode) 49
Exercise 2: Registering a Device to FortiManager 50
Review Central Management Configuration on Local-FortiGate 50
Enable Real-Time Debug 51
Add Local-FortiGate Using the Add Device Wizard 51
View the Local-FortiGate Policy Package 55
Import System Template Settings From FortiGate 57
Add Remote-FortiGate Using the Add Device Wizard 59
Lab 4: Device Level Configuration and Installation 62
Exercise 1: Understanding the Managed Device Status 63
Exercise 2: Install System Template Changes to Managed Devices 68
Install System Templates 68
Check Managed Device Status 70
View Pushed Configuration on FortiGate 72
Exercise 3: Auto Update and Revision History 74
Make Direct Changes on Local-FortiGate 74
Make Direct Changes on Remote-FortiGate 75
View Auto Update and Revision History 75
View the Install Log 77
View Auto Update, Revision History, and the Install Log for Remote-FortiGate (Optional) 78
Log View 78
Task Manager 79
Exercise 4: Configuring Device-Level Changes 81
Change Managed FortiGate Interface Settings 81
Filter Devices Based on Status 82
Configure the Administrator Account 83
Exercise 5: Installing Configuration Changes 87
View the Install Preview 87
Install Wizard 88
Revision Diff 91
Exercise 6: Scripts 95
Configure Scripts 95
Run and Install Scripts 97
Lab 5: Policy & Objects 100
Exercise 1: Import Policy 101
Import Policy 101
Create ADOM Revisions 103
Exercise 2: Workflow Mode 105
Exercise 3: Creating a Common Policy for Multiple Devices 115
Dynamic Mappings-Address Objects 115
Dynamic Mappings-Interfaces and Zones 118
Create a Common Policy Package, Installation Target, and Install On 122
Lab 6: SD-WAN and Security Fabric 131
Exercise 1: Configuring SD-WAN 135
Configure SD-WAN 135
Create a Firewall Policy for SD-WAN 138
Install SD-WAN Policy 139
Create a default SD-WAN Static Route on FortiManager and Install the Route 140
Monitor SD-WAN Status 141
Exercise 2: Creating and Assigning Header Policies in the Global ADOM 143
Exercise 3: Configuring the Security Fabric 150
Configure the Security Fabric 150
Authorize All the Security Fabric FortiGate Devices on FortiAnalyzer 152
Lab 7: Diagnostics and Troubleshooting 156
Exercise 1: Diagnose and Troubleshoot Install Issues 159
View the Installation Preview 159
View the DNS Configuration 161
Install Device-Level Configuration Changes 163
Exercise 2: Troubleshoot Policy Import Issues 166
View the Policy Package and Objects 166
Review Policies and Objects Locally on Remote-FortiGate 167
Import a Policy Package 168
Check the Impact of Partial Policy Import (Optional) 170
Fix a Partial Policy Import Issue 172
Retrieve the new configuration from FortiManager 175
Lab 8: Additional Configuration 178
Exercise 1: FortiGuard Management 179
Diagnose FortiGuard Issues 180
Exercise 2: Upgrading FortiGate Firmware Using FortiManager 182
Virtual Lab Basics

In this course, you will use a virtual lab for hands-on exercises. This section explains how to connect to the lab
and its virtual machines. It also shows the topology of the virtual machines in the lab.

If your trainer asks you to use a different lab, such as devices physically located in your
classroom, then ignore this section. This section applies only to the virtual lab
accessed through the Internet. If you do not know which lab to use, please ask your
trainer.

Network Topology

Lab Environment

Fortinet's virtual lab for hands-on exercises is hosted in remote data centers, which give each student their own training lab environment, or point of delivery (PoD).

FortiManager 6.2 Lab Guide 6


Fortinet Technologies Inc.
Remote Access Test

Before starting any course, check that your computer can connect to the remote data center successfully. The remote access test verifies that your network connection and your web browser can support a reliable connection to the virtual lab.

You do not have to be logged in to the lab portal in order to run the remote access test.

To run the remote access test

1. From a browser, access the following URL:
https://use.cloudshare.com/test.mvc

If your computer connects successfully to the virtual lab, you will see the message All tests passed!:

2. Inside the Speed Test box, click Run.

The speed test begins. Once complete, you will get an estimate of your bandwidth and latency. If those estimates are not within the recommended values, you will get an error message:


Logging In

After you run the remote access test to confirm that your system can run the labs successfully, you can proceed to
log in.

You will receive an email from your trainer with an invitation to auto-enroll in the class. The email will contain a
link and a passphrase.

To log in to the remote lab

1. Click the login link provided by your instructor over email.
2. Enter your email address and the class passphrase provided by your trainer over email, and then click Login.
3. Enter your first and last name.
4. Click Register and Login.

Your system dashboard appears, listing the virtual machines (VMs) in your lab topology.

5. To open a VM from the dashboard, do one of the following:

• From the top navigation bar, click a VM's tab.
• From the box of the VM you want to open, click View VM.

Follow the same procedure to access any of your VMs.

When you open a VM, your browser uses HTML5 to connect to it. Depending on the VM you select, the web
browser provides access to either the GUI of a Windows or Linux VM, or the CLI-based console access of a
Fortinet VM.


For most lab exercises, you will connect to a jumpbox VM, which can be either a Windows or a Linux VM. From the jumpbox VM, you will connect over HTTPS and SSH to all other Fortinet VMs in the lab environment.

Disconnections and Timeouts

If your computer’s connection to the VM times out or closes, to regain access, return to the window or tab that
contains the list of VMs for your session, and reopen the VM.

If that fails, see Troubleshooting Tips on page 12.

Screen Resolution

The GUIs of some Fortinet devices require a minimum screen size.

To configure screen resolution in the HTML5 client, use the Resolution drop-down list on the left. You can also
change the color depth:


Sending Special Keys

You can use the Virtual Keyboard panel to either send the Ctrl-Alt-Del combination, or the Windows key:

From the Virtual Keyboard panel, you can also copy text to the guest VM's clipboard:


Student Tools

There are three icons on the left for messaging the instructor, chatting with the class, and requesting assistance:

Troubleshooting Tips

• Do not connect to the virtual lab environment through Wi-Fi, 3G, VPN tunnels, or other low-bandwidth or high-latency connections.
• Prepare your computer's settings by disabling screen savers and changing the power saving scheme so that your computer is always on, and does not go to sleep or hibernate.
• For best performance, use a stable broadband connection, such as a LAN.

• You can run a remote access test from within your lab dashboard. It will measure your bandwidth, latency, and general performance:

• If the connection to any VM or the virtual lab portal closes unexpectedly, try to reconnect. If you can't reconnect, notify the instructor.
• If you can't connect to a VM, on the dashboard, open the VM action menu, and select Reset:

• If that does not solve the access problem, you can try to revert the VM to its initial state. Open the VM action menu, and select Revert:

Reverting to the VM's initial state will undo all of your work. Try other solutions first.


• During the labs, if the VM is waiting for a response from the authentication server, a license message similar to the following example appears:

To expedite the response, enter the following command in the CLI:

execute update-now

Lab 1: Initial Configuration

In this lab, you will examine the network settings on FortiManager using the CLI and the GUI.

You will also enable the FortiAnalyzer feature set on FortiManager, which can be used for logging and reporting.

Objectives
• Examine initial system settings, including network and time settings
• Enable FortiAnalyzer features on FortiManager

Time to Complete
Estimated: 20 minutes

Prerequisites
Before beginning this lab, you must restore a configuration file to Local-FortiGate and Remote-FortiGate.

To restore the Remote-FortiGate configuration file

1. On the Local-Windows VM, open a browser and log in to the Remote-FortiGate GUI at 10.200.3.1 with the username admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.
3. Click Local PC, and then click Upload.
4. Click Desktop > Resources > FortiManager > Introduction, select Remote-Initial.conf, and then click Open.
5. Click OK.
6. Click OK to reboot.

To restore the Local-FortiGate configuration file

1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the username admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.
3. Click Local PC, and then click Upload.
4. Click Desktop > Resources > FortiManager > Introduction, select local-Initial.conf, and then click Open.
5. Click OK.
6. Click OK to reboot.
7. After both FortiGate devices have restarted, close the browser for both of them.

Exercise 1: Examining the Initial Configuration

FortiManager is preconfigured with the initial network settings.

In this exercise, you will explore the FortiManager basic configuration settings on the GUI and CLI.

Examine the Initial Configuration Using the CLI

You will start by accessing FortiManager using the CLI to examine the initial configuration.

To examine the initial configuration using the CLI

1. On the Local-Windows VM, open PuTTY and connect over SSH to the FORTIMANAGER saved session.
2. At the login prompt, enter the username admin and password password.
3. Enter the following command to display basic status information about FortiManager:

CLI Command: # get system status

Data Result:

What is the firmware version?
Knowing your FortiManager firmware version is important because it identifies which Fortinet products, and which of their firmware versions, are supported.

What is the administrative domain (ADOM) configuration?
By default, ADOMs are disabled.

What is the time zone?
It is important that the system time on FortiManager and on all registered devices is synchronized, both for tunnel negotiations and for logging (if the FortiAnalyzer feature set is used).

What is the license status?
To ensure that FortiManager continues to manage devices, a valid license is required.
4. Enter the following command to display information about the FortiManager interface configuration:

CLI Command: # show system interface

Diagnostic Result:

What is the IP for port1?
port1 is the management port, and its address is the IP address of FortiManager.

What administrative access protocols are configured for port1?
This will help you troubleshoot any access issues you may experience. For example, this PuTTY session would not be able to connect without the SSH protocol enabled.

What is configured for the service access?
If devices are configured to use FortiManager as the local FDS server, service access allows FortiManager to respond to FortiGuard queries made by those devices.

What is the IP for port2?
According to the network topology diagram, port2 is the interface through which traffic is routed between Remote-FortiGate and FortiManager. Remote-FortiGate, therefore, will connect to FortiManager using this port2 IP address.

What administrative access protocols are configured for port2?

5. Enter the following command to display DNS setting information:

CLI Command: # show system dns

Diagnostic Result:

What are the primary and secondary DNS settings?
By default, FortiManager uses FortiGuard DNS servers.

6. Enter the following commands to display NTP setting information:

CLI Command: # get system ntp

Diagnostic Result:

Is NTP enabled?
NTP is recommended on FortiManager and on all registered devices for correct FortiGate-FortiManager tunnel establishment.

How often does FortiManager synchronize its time with the NTP server?

CLI Command: # show system ntp

Diagnostic Result:

What server is configured for NTP?
By default, Fortinet servers are configured.

7. Enter the following command to display information about the FortiManager routing configuration:

CLI Command: # show system route

Diagnostic Result:

What is the gateway route associated with port2?
According to the network topology diagram, this IP address is the default route to the Internet.

8. To test basic network connectivity, and to ensure that the default route to the Internet is working, enter the following command to ping 8.8.8.8 (a highly available public IP address):
execute ping 8.8.8.8

Packets should transmit successfully.

9. Close your PuTTY session.

Examine the Initial Configuration Using the GUI

You will now log in to FortiManager using the GUI to examine the initial configuration.

To examine the initial configuration using the GUI

1. On the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with the username admin and password password.

Accept the self-signed certificate or security exemption, if a security alert appears.

All the lab exercises were tested running Mozilla Firefox on the Local-Windows VM
and Remote-Windows VM. To get consistent results, we recommend using Firefox in
this virtual environment.

2. Click System Settings.

The dashboard shows the FortiManager widgets that display information such as System Information,
License Information, System Resources, and more.
3. Examine the System Information and License Information widgets to display the information shown below.
These widgets display the same information as the CLI command get system status:
• Firmware version
• Administrative domain status
• System time and time zone
• License status (VM)
4. Using the System Information widget, edit the System Time to view the NTP information.

This displays the same information as the CLI commands get system ntp and show system ntp.


Local-FortiGate and Remote-FortiGate, which you will manage using FortiManager, are configured with the same time zone and NTP server.

5. On the menu on the left side of the screen, click Network.

This page displays information about the port1 management interface, including the IP address,
administrative access protocols, service access, and DNS information. This displays the same information as
the CLI commands show system interface and show system dns.

The fgtupdates and fclupdates service access options on the CLI are equivalent to FortiGate Updates on the GUI. The webfilter-antispam option on the CLI is equivalent to Web Filtering on the GUI.

6. Click All Interfaces to view the configuration of all interfaces.
7. On the menu on the left side of the screen, click Network, and on the main window, click Routing Table.

This page displays the network gateway and associated interface. This displays the same information as the
CLI command show system route.

Exercise 2: Enabling FortiAnalyzer Features on FortiManager

You can use FortiManager as a logging and reporting device by enabling FortiAnalyzer features on FortiManager.
Remember that FortiManager has logging rate restrictions compared to FortiAnalyzer.

In this exercise, you will enable FortiAnalyzer features on FortiManager so that you can use FortiManager for
logging and reporting after the FortiGate devices are added.

To enable FortiAnalyzer features on FortiManager

1. On the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with the username admin and password password.
Notice the default panes available on FortiManager. It doesn't have panes related to FortiAnalyzer features.
2. Click System Settings.
3. Using the System Information widget, turn on the FortiAnalyzer Features switch.
4. Click OK.
FortiManager will reboot to initialize the FortiAnalyzer features and apply the changes.
5. Wait for FortiManager to reboot, and then log in to the FortiManager GUI at 10.0.1.241 with the username admin and password password.


You will notice that, after enabling FortiAnalyzer features, there are more panes related to logging and reporting: SOC, Log View, Incidents & Events, and Reports.

Lab 2: Administration and Management

In this lab, you will configure administrative domains (ADOMs) and an administrator. You will also restrict
administrator access based on administrator profile, trusted hosts, and ADOMs.

Then, you will enable ADOM locking, which disables concurrent access to the same ADOM.

Additionally, the lab will guide you through how to properly back up and restore a FortiManager configuration,
view alert messages in the Alert Message Console, and view event logs.

Objectives
• Enable ADOMs and configure a new ADOM
• Configure an administrator and restrict access to a newly created ADOM
• Enable ADOM locking
• Back up FortiManager, restore the backup, and disable offline mode
• Read entries in the alert message console and view event logs

Time to Complete
Estimated: 45 minutes

Exercise 1: Configure Administrative Domains (ADOMs)

ADOMs group devices for administrators to monitor and manage. The purpose of ADOMs is to divide the
administration of devices and control (restrict) access.

In this exercise, you will enable and configure ADOMs.

Enable ADOMs

ADOMs are not enabled by default and can be enabled only by the admin administrator, or an administrator with
the Super_User access profile.

You will now enable ADOMs on FortiManager.

To enable ADOMs
1. On the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with the
username admin and password password.
2. Click System Settings.
3. In the System Information widget, turn on Administrative Domain.

4. Click OK.
You will be logged out of FortiManager.

View ADOM Information

Before creating new ADOMs, you should be aware of what ADOM types are available to you. You will view ADOM
information using both the GUI and the CLI.

To view ADOM information

1. Log back in to the FortiManager GUI at 10.0.1.241 with the username admin and password password.
2. Select the root ADOM.

3. Click System Settings.
4. On the menu on the left side of the screen, click All ADOMs.

5. Remaining on the Local-Windows VM, open PuTTY and connect over SSH to the FORTIMANAGER saved
session.
6. At the login prompt, enter the username admin and password password.
7. Enter the following command to view what ADOMs are currently enabled on FortiManager and the type of device
you can register to each ADOM:

The CLI output formatting is easier to read if you maximize your PuTTY window. If
you've already executed the command, once the window is maximized, press the up
arrow to show the last command you entered and click Enter to run the command
again.

# diagnose dvm adom list

As you can see, there are 15 ADOMs that FortiManager supports, each associated with different devices
along with their supported firmware versions.

8. Close your PuTTY session.

Configure ADOMs

By default, when you enable ADOMs, FortiManager will create ADOMs based on supported device types. The
root ADOM is based on the FortiGate ADOM type.

When creating a new ADOM, you must match the device type. For example, if you want to create an ADOM for
FortiGate, you must select FortiGate as the ADOM type. With FortiGate ADOMs specifically, you must also
select the firmware version of the FortiGate device. Different firmware versions have different features, and
therefore different CLI syntax. Your ADOM setting must match the device’s firmware.

You will now create and configure a new ADOM.

To configure ADOMs
1. Remaining logged in to the FortiManager GUI, click All ADOMs.
2. Select the root ADOM, and then click Edit.
3. Confirm that the maximum allowed disk utilization is set to 1000 MB.
By default, when FortiAnalyzer features are enabled, the root ADOM disk utilization is set to 40 GB. This value has been adjusted to 1000 MB for this lab environment.
4. Click OK.
5. Click Create New.
6. Configure the following settings:

Field: Value

Name: My_ADOM
Type: FortiGate and 6.2
Disk Utilization (Maximum Allowed): 1000 MB

Your configuration should look like the following example:


7. Click Select Device.

If you had any devices registered to FortiManager, you could select your device and add it to the ADOM at
this time. However, in this lab, you have not yet registered any devices, so the list is empty.

8. Keep the default values for all other settings and click OK.
You should see a list of predefined ADOMs, including your new ADOM.

You can switch between ADOMs on the GUI. You do not have to log out and log back
in. To switch between ADOMs on the GUI, click ADOM on the upper-right corner of
the GUI. Your administrator privileges determine which ADOMs you have access to.

Exercise 2: Creating and Assigning Administrators

In this exercise, you will create an administrative user with restricted access permissions.

In an active deployment scenario, having more than one administrative user makes administering the network
easier, especially if users are delegated specific administrative roles, or confined to specific areas within the
network. In a multi-administrator environment, you should ensure that every administrator has only those
permissions necessary to do their particular job.

To create and assign administrators

1. On the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with the username admin and password password.
2. Click root.
3. Click System Settings.
4. Click Admin > Administrators.
5. Click Create New.
6. Configure the following settings:

Field: Value

User Name: student
Admin Type: LOCAL
New Password: fortinet
Confirm Password: fortinet
Admin Profile: Standard_User

Administrative Domain: Specify
Click to Select ADOMs…: My_ADOM (select root and remove it to exit the drop-down list)

Your configuration should look like the following example:

FortiManager comes preinstalled with four default profiles that you can assign to other administrative users. Alternatively, you can create your own custom profile.

In this lab, we have assigned the preconfigured Standard_User profile to the newly created student administrator. The Standard_User profile provides read and write access for all device privileges, but not for the system privileges.

7. Keep the default values for all other settings and click OK.
8. Click admin.
9. Click Log Out.

Test Administrator Privileges

You will now log in to FortiManager with the newly created administrator (student) and test the administrator
privileges.

To test administrator privileges

1. Log in to the FortiManager GUI at 10.0.1.241 with the user name student and password fortinet.
You will be limited to the My_ADOM administrative domain.

Also, there are no System Settings or FortiGuard tabs.

The screenshot above shows how you can control or restrict administrator access based on administrator profiles and ADOMs.

Restrict Administrator Access Using a Trusted Host

You will now restrict access to FortiManager by configuring a trusted host for the administrator accounts. Only administrators connecting from a trusted subnet will be able to access FortiManager.

To restrict administrator access

1. On the FortiManager GUI, log out of the student account's GUI session.
2. Log in as admin with username admin and password password.
3. Click root.
4. Click System Settings.
5. Click Admin > Administrators.
6. Edit the student account.


7. Turn on the Trusted Hosts switch.
8. Set Trusted IPv4 Host 1 to 10.0.1.0/24.
9. Click OK at the bottom of the screen to save the changes.

Test the Restricted Administrator Access

In this procedure, you will confirm that administrators outside the subnet 10.0.1.0/24 cannot access
FortiManager.

To test the restricted administrator access

1. On the Remote-Windows VM, open a browser and go to https://10.200.1.241.
2. Try to log in to the FortiManager GUI using the username student and password fortinet.
What is the result?

Because you are trying to connect from the 10.0.2.10 IP address, your login authentication will fail. This is
because you restricted logins to only the source IP addresses in the list of trusted hosts.

The IP address specified in the URL here is not the same as the one used previously,
because now FortiManager is being accessed from a device that is in a different part
of the network (see Network Topology on page 6). Now, you are connecting to the
port2 interface of the FortiManager device.

3. Return to the Local-Windows VM.
4. You should still be logged in to the FortiManager GUI as admin. Edit the student account.
5. Turn off the Trusted Hosts switch.
6. Click OK.
Turning off the Trusted Hosts switch allows the administrative user to log in from any IP address and subnet.

7. Next, return to the Remote-Windows VM and attempt to log in to the FortiManager GUI again using the username
student and password fortinet.
This time, you should gain access because you just turned off the requirement to log in from a trusted host.

8. Log out of FortiManager.
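The trusted-host check you have just exercised, as an added Python model written for this page (it is example code, not FortiManager's implementation and not part of the lab guide). It evaluates a login source address against an account's trusted host list the way the exercise observed it: the Remote-Windows address 10.0.2.10 is refused while Trusted IPv4 Host 1 is 10.0.1.0/24, and accepted once the switch is off. The LAB_ADMINS and LOGIN_ATTEMPTS tables are constructed for the example, and 10.0.1.10 is an assumed address for Local-Windows (the guide only implies it sits inside 10.0.1.0/24). The audit helper at the end goes one step beyond the exercise: it lists every account that can still log in from anywhere.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional

# Constructed sample data for this example (not configuration exported from the lab).
# Trusted hosts per administrator; None models the Trusted Hosts switch turned off.
# The "student" entry is the 10.0.1.0/24 network configured in this exercise.
LAB_ADMINS: Dict[str, Optional[List[str]]] = {
    "admin": None,
    "student": ["10.0.1.0/24"],
}

# Source addresses of the two login attempts. 10.0.2.10 is Remote-Windows, as stated
# in the exercise; 10.0.1.10 is an assumed address for Local-Windows.
LOGIN_ATTEMPTS: Dict[str, str] = {
    "Remote-Windows": "10.0.2.10",
    "Local-Windows": "10.0.1.10",
}


def login_allowed(source_ip: str, trusted_hosts: Optional[Iterable[str]]) -> bool:
    """Return True if a login from source_ip passes the trusted-host check.

    trusted_hosts is None   -> switch turned off, every source address is accepted.
    trusted_hosts is a list -> the source must fall inside at least one listed network.
    A source address that does not parse is rejected (the check fails closed).
    """
    if trusted_hosts is None:
        return True
    try:
        src = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    for entry in trusted_hosts:
        net = ipaddress.ip_network(entry, strict=False)
        # an IPv4 network never matches an IPv6 source, and vice versa
        if src.version == net.version and src in net:
            return True
    return False


def evaluate_attempts(admin: str, attempts: Dict[str, str] = LOGIN_ATTEMPTS) -> Dict[str, bool]:
    """Run every login attempt against one account's trusted hosts."""
    return {vm: login_allowed(ip, LAB_ADMINS[admin]) for vm, ip in attempts.items()}


def unrestricted_admins(admins: Dict[str, Optional[List[str]]] = LAB_ADMINS) -> List[str]:
    """Audit helper: accounts that may log in from any address, either because the
    Trusted Hosts switch is off or because an entry with prefix length 0 covers everything."""
    found = []
    for name, hosts in admins.items():
        if hosts is None or any(
            ipaddress.ip_network(h, strict=False).prefixlen == 0 for h in hosts
        ):
            found.append(name)
    return sorted(found)


if __name__ == "__main__":
    for account in LAB_ADMINS:
        print(account, evaluate_attempts(account))
    print("unrestricted:", unrestricted_admins())
```

Running the block reproduces the exercise: for student, the Remote-Windows attempt is refused and the Local-Windows attempt succeeds; for admin, both succeed. The audit helper reports admin as unrestricted, which is the state the lab leaves the built-in account in; the same logic applied to an exported administrator list is a quick way to find accounts whose trusted hosts were never set.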

Exercise 3: ADOM Locking (Workspace Mode)

By default, multiple administrators can log in to the same ADOM at the same time, which allows concurrent
access. This can cause conflicts, however, if two or more administrators try to make changes in the same ADOM
at same time.

You will enable ADOM locking, which provides:

• Disabling of concurrent ADOM access
• ADOM locking
• Single-administrator access to the ADOM with read/write privileges
• Read-only access to that ADOM for all other administrators

ADOM Locking (Workspace Mode)

ADOM locking is configured using the FortiManager CLI only.

Before enabling ADOM locking, ensure all FortiManager administrators are notified and asked to save their work
on FortiManager because enabling ADOM locking will terminate all management sessions.

Now, you will enable ADOM locking using the FortiManager CLI.

To enable ADOM locking (Workspace Mode)

1. On the Local-Windows VM, open PuTTY and connect over SSH to the FORTIMANAGER saved session.
2. At the login prompt, enter the username admin and password password.
3. Enter the following commands:

config system global
    set workspace-mode normal
end

4. From the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with the
username student and password fortinet.
5. At the top of the screen, click Lock.

You will notice the lock status changed from unlocked to a green locked state.

6. On the Remote-Windows VM, open a browser and go to https://10.200.1.241.
7. Log in to the FortiManager GUI with the username admin and password password.
You will notice the lock status is red for My_ADOM.

8. Hover your mouse over the red lock icon.
It will tell you the name of the administrator who locked this ADOM, along with the date and time.
9. Click admin.
10. Click Log Out.

11. Return to the Local-Windows VM and log out as student from FortiManager.

If an administrator has locked one or more ADOMs and then logged out of
FortiManager, all those ADOMs will be unlocked.

In this example, when the student administrator locked My_ADOM and then
logged out, FortiManager unlocked My_ADOM.

Always log out gracefully from FortiManager when ADOM locking is enabled.

If a session is not closed gracefully (because of a PC crash or closed browser
window), FortiManager will not close the administrator session until it times out or
the session is deleted. Until this time, the ADOM will remain in a locked state.

If this situation arises and you cannot wait for the administrator session to time out,
then delete the session manually using the GUI or the CLI.

On the GUI, click the System Information widget, and then click Current
Administrators > Current Session List.

From the CLI:

Exercise 4: Backup and Restore

In this exercise, you will back up the FortiManager configuration.

In an active deployment scenario, it is a best practice to back up the device configuration before making any
configuration changes. If the new configuration does not perform as expected, you can revert to the last known
good configuration. Likewise, during these labs, it is beneficial to have a backup of the initial configuration, should you
need to revert for any reason.

FortiManager configuration files are not stored in plain text like FortiGate
configuration files. They are stored as .dat files. You can uncompress and view them
offline using archive tools such as WinRAR and tar.

Back Up the FortiManager Configuration

Now, you will back up the FortiManager configuration on the GUI.

To back up FortiManager
1. On the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with the
username admin and password password.
2. Select root.
3. At the top of the screen, click Lock.
4. Click System Settings.
5. In the System Information widget, click System Configuration, and then click the backup icon.

6. Clear the Encryption check box.
7. Click OK.
8. Select Save.
9. Click OK.
10. Note the location of the backup file and rename this file to: lab2.dat.
11. Remaining on the FortiManager GUI, click Admin > Administrators.

12. Right-click student and click Delete.
13. Click OK.

Restore the FortiManager Configuration

You can use the following options when restoring a FortiManager configuration:

• Overwrite current IP, routing, and HA settings: By default, this option is enabled. If FortiManager has an
existing configuration, restoring a backup will overwrite everything, including the current IP, routing, and HA
settings. If you disable this option, FortiManager will still restore the configurations related to device information
and global database information, but will preserve the basic HA and network settings.
• Restore in Offline Mode: By default, this option is enabled and grayed out; you cannot disable it. While restoring,
FortiManager temporarily disables the communication channel between FortiManager and all managed devices.
This is a safety measure in case any of the devices are being managed by another FortiManager. To re-enable the
communication, disable Offline Mode.

To restore FortiManager configuration

1. Remaining logged in to the FortiManager GUI, click Dashboard.

2. In the System Information widget, click System Configuration, and then click the restore icon.

3. Click Browse.
4. Select your backup file lab2.dat.
There is no password to enter because the file was not encrypted.

5. Leave Overwrite current IP, routing and HA settings enabled.

6. Click OK.
FortiManager will reboot.

7. Wait for FortiManager to reboot, then log in to the FortiManager GUI at 10.0.1.241 with the username
admin and password password.
8. Select root.
9. Click Lock at the top of the screen.
10. Click System Settings.
11. Click Admin > Administrators.
The student administrator account is displayed there.

12. Log out of FortiManager.

Exercise 5: Monitoring Alerts and Event Logs

In this exercise, you will view the alerts in the alert console widget and view the event logs. You will also configure
filter options to locate specific logs.

First, you will disable offline mode, which is enabled by default when the FortiManager backup is restored.

Offline Mode

Now, you will disable offline mode on FortiManager.

To disable offline mode

1. On the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with the
username admin and password password.
2. Select root.
3. At the top of the screen, click Lock.
On the top bar, you should observe that FortiManager is in Offline Mode.

4. Click System Settings.
5. Click Advanced > Advanced Settings.
6. Select Disable for Offline Mode.

7. Click Apply.
You will notice that the Offline Mode message disappears. At this point, FortiManager can establish a
management connection with the managed devices.

View Alerts and Event Logs

Now, you will view the alerts on the Alert Message Console and logs under Event Logs.

To view alerts and event logs

1. Remaining logged in to the FortiManager GUI, click Dashboard.
2. Go to the Alert Message Console widget.
You should observe that Offline mode is disabled and see Restore all settings messages, along with
other alert messages.

3. In the menu on the left side of the screen, click Event Log.


4. Click Add Filter.
5. Click Sub Type.
6. Click System manager event.

Now you will see only the filtered system manager events.

7. You can download and view them in raw format.

8. Log out of FortiManager.

Lab 3: Device Registration

In this lab, you will explore the common operations performed using the device manager. You will use the Device
Manager pane to add FortiGate devices.

Objectives
• Create and apply system templates to your managed devices
• Review central management settings on FortiGate
• Add a device using the Add Device wizard

Time to Complete
Estimated: 30 minutes

Exercise 1: Configuring System Templates

You can configure the system templates on FortiManager in advance. You can use system templates to provision
common system-level settings on FortiGate devices when adding them to FortiManager, or on FortiGate devices
that are already managed.

Configure System Templates

You will configure and apply system templates to FortiGate.

To configure system templates

1. On the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with the username
admin and password password.
2. Click root.
3. Click System Settings.
4. Click Admin > Administrators.
5. Edit student and select All ADOMs.

6. Click OK.
7. Click Log Out.
8. Log in to the FortiManager GUI at 10.0.1.241 with user name student and password fortinet.
9. Click My_ADOM.
10. Click Device Manager.
11. Click Provisioning Templates.

You will notice that you have read-only access.

This is because when ADOM locking is enabled, you must lock the ADOM before making configuration
changes.

12. At the top of the screen, click Lock to lock My_ADOM.

13. Under System Templates, click default.

14. In the Log Settings widget, enable Send Logs to FortiAnalyzer/FortiManager.
15. Select This FortiManager and Upload Option Real-time.
16. Enable Encrypt Log Transmission.
Your configuration should look like the following example:

17. Click Apply.
18. Close all other widgets by clicking X and then the check mark symbol.

Your configuration should look like the following example:

19. Click CLI Configurations > log > fortianalyzer > setting.
20. Enable the reliable switch, and then click Apply.

21. Click Save.

When ADOM locking is enabled, you must save the changes in order for them to be
copied to the FortiManager database.

22. At the top of the screen, click Unlock to unlock My_ADOM.

Disable ADOM Locking (Workspace Mode)

Now, you will disable ADOM locking because, in this practical lab, every student has dedicated ADOMs to work
on.

Before disabling workspace mode, inform all the administrators logged in to FortiManager to save their work.

To disable ADOM locking (workspace mode)

1. On the Local-Windows VM, open PuTTY and connect over SSH to the FORTIMANAGER saved session.
2. At the login prompt, enter the username admin and password password.
3. Enter the following commands (answer y at the confirmation prompt):
config system global
set workspace-mode disabled
y
end

This command logs administrators out of FortiManager in order to save the changes.

Exercise 2: Registering a Device to FortiManager

There are multiple ways to add FortiGate devices to FortiManager. These include:

• Use the Add Device wizard
• Send a request from FortiGate to FortiManager, and then accept the request from FortiManager
• Add multiple devices using the Device Manager

You will add the FortiGate devices using the Add Device wizard.

FMG-Access is enabled on both FortiGate devices on the interface facing FortiManager. It is the
communication protocol used between FortiManager and the managed FortiGate devices.

Review Central Management Configuration on Local-FortiGate

Before adding FortiGate to FortiManager, you will review the central management configuration on Local-FortiGate.

To review the central management configuration on Local-FortiGate

1. On the Local-Windows VM, open PuTTY and connect over SSH to the LOCAL-FORTIGATE saved session.
2. At the login prompt, enter the username admin and password password.
3. Enter the following command:
get system central-management

You should observe the following output:

The serial-number is the FortiManager serial number, which you cannot configure
on FortiGate. This setting is set by FortiManager, which is managing this device. In
this case, it is empty because you have not yet added the device to FortiManager.

4. Close the PuTTY session.

Enable Real-Time Debug

Now, you will enable real-time debug on FortiManager to view the real-time status when adding FortiGate to
FortiManager.

To enable real-time debug

1. On the Local-Windows VM, open PuTTY and connect over SSH to the FORTIMANAGER saved session.
2. At the login prompt, enter the username admin (all lower case) and password password.
3. Enter the following commands:
diagnose debug reset
diagnose debug disable
diagnose debug application depmanager 0
diagnose debug application depmanager 255
diagnose debug enable

You should place this PuTTY session and the FortiManager GUI side-by-side so that you can view the real-
time debugs while adding FortiGate on the FortiManager GUI.

The output is verbose and you might have to scroll up or down to review the
information. Alternatively, you can save the log file on your desktop and open it using a
text editor, such as Notepad++.

Add Local-FortiGate Using the Add Device Wizard

Now, you will add Local-FortiGate to FortiManager in My_ADOM using the Add Device wizard, and you will
apply the System Template created earlier.

To add the Local-FortiGate using the Add Device wizard

1. On the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with the username
student and password fortinet.
2. Click My_ADOM.
3. Click Device Manager.
4. Click Add Device.

5. In the Add Device wizard, make sure the Discover radio button is selected and configure the following settings:

Field        Value
IP Address   10.200.1.1 (This is the port1 IP address of FortiGate)
Username     admin
Password     password

6. Click Next.
7. Review the discovered device information and compare it with the output from the FortiManager PuTTY session.
8. You should observe the following:

9. Press the up arrow on your keyboard and select the following commands to disable the debug. Alternatively, you
can enter these commands manually.
diagnose debug application depmanager 0
diagnose debug disable
diagnose debug reset

10. Close the PuTTY session.
11. Return to the FortiManager GUI.
12. Ensure Name is set to Local-FortiGate.
13. In the System Template drop-down list, select default.

14. Click Next.
15. Click Import Now to import policies and objects.
16. On the policy package import page, complete the following:

• Make sure the policy package name is configured as Local-FortiGate_root.
• Accept the policy and object import defaults.

17. Click Next.
18. On the conflict page, click View Conflict.
This will show you the details of the configuration differences between FortiGate and FortiManager.

19. In the Use Value From column, keep the default setting of FortiGate.

20. Click Next.
Note the objects identified. Each is identified as a duplicate, as new, or as an update to an existing
FortiManager object.

21. Click Next.
22. Click Download Import Report.
23. Open the import report in a text editor such as Notepad++.

The download import report is only available on this page. As a best practice, you
should download the report and review the important information, such as which
device is imported into which ADOM, as well as the name of the policy package
created along with objects imported.

FortiManager imports new objects, and updates existing objects based on the option
chosen on the conflict page. The duplicate objects are skipped because FortiManager
does not import duplicate entries into the ADOM database.

24. Close the text editor.
25. Click Finish.
The Local-FortiGate device should now be listed in Device Manager.

26. On the Local-Windows VM, open PuTTY and connect over SSH to the Local-FortiGate saved session.
27. At the login prompt, enter the username admin and password password.
28. Enter the following command:
get system central-management

You should observe the following output:

The serial-number is the serial number of FortiManager, which you cannot
configure on FortiGate. This has been set by FortiManager, which is managing this
device. Also, the FortiManager IP address is set.

29. Close the PuTTY session.

View the Local-FortiGate Policy Package

Because you have imported policy and dependent objects for Local-FortiGate, you will view the policy package
created for Local-FortiGate.

To view the Local-FortiGate policy package
1. Remaining on the FortiManager GUI, click Device Manager and select Policy & Objects.

You will notice that a policy package named Local-FortiGate_root was created when you imported firewall
policies from your Local-FortiGate.

2. At the top of the screen, click Object Configurations.

3. Click Interface.

4. Click the arrow beside any interface to view the mapping of the ADOM interface to the device-level interfaces,
which was created when the device was added.
These interfaces are used in policy packages to map firewall policies to interfaces on the firewall.

Import System Template Settings From FortiGate

Because Local-FortiGate is now added to FortiManager, you will import NTP server settings from Local-FortiGate.
These server settings can be used by multiple FortiGate devices using this system template.

To import System Template settings from FortiGate

1. Remaining on the FortiManager GUI, click Policy & Objects and select Device Manager.
2. Click Provisioning Templates.
3. Click default.

4. Click the Toggle Widgets icon, and then click NTP Server.

5. Click the import icon.

6. On the Import NTP Server window, select Local-FortiGate.

7. Click OK.

Add Remote-FortiGate Using the Add Device Wizard

Now, you will add Remote-FortiGate to FortiManager in My_ADOM using the Add Device Wizard. You will
apply the System Template to Remote-FortiGate.

Also, you will import the policies and objects for Remote-FortiGate later in the training.

To add Remote-FortiGate using the Add Device wizard

1. Remaining logged in on the FortiManager GUI, click Device & Groups.
2. Click Add Device.
3. In the Add Device wizard, make sure the Discover radio button is selected, and configure the following settings:

Field        Value
IP Address   10.200.3.1 (This is the port4 IP address of FortiGate)
Username     admin
Password     password

4. Click Next.
5. In the System Template drop-down list, select default. 

6. Click Next.
7. Click Import Later.

The Remote-FortiGate device should now be listed in Device Manager.

Stop and think!
Why is the FortiGate Policy Package Status showing Never Installed?

When Import Later is chosen in the Add Device wizard, or an unregistered device is added to
FortiManager, the policy package status will show Never Installed because there is still no policy package
created for the newly added FortiGate.

You will run the Import Policy wizard later in this training.

If you add an unregistered device, then you need to run the Import Policy wizard to import the device’s
firewall policy into a new policy package.

Lab 4: Device Level Configuration and Installation

In this lab, you will explore the common operations performed using the device manager, such as configuring
device-level changes, checking managed device statuses, installing configuration changes, and keeping the
managed devices in sync with the device database on FortiManager.

Objectives
• Understand managed device statuses on FortiManager
• Use the status information in the Configuration and Installation Status widget
• Make and install configuration changes using Device Manager
• Make configuration changes locally on FortiGate and verify that they are retrieved automatically by FortiManager
• Identify entries in the Revision History and the management action that created the new revision
• Install a large number of managed device changes using scripts

Time to Complete
Estimated: 70 minutes

Exercise 1: Understanding the Managed Device Status

In this exercise, you will check and learn about the status of FortiGate devices on FortiManager. Depending upon
the configuration changes, a FortiGate device can have a different Sync Status and Device Settings Status.

• The Sync Status indicates whether the FortiGate configuration matches the latest revision history
• The Device Settings Status indicates whether the FortiGate configuration stored in the device-level database
matches the latest running revision history

To check managed device status

1. On the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with the
username student and password fortinet.
2. Click My_ADOM.
3. Click Device Manager.

Stop and think!
Why does Config Status for the FortiGate devices show the status Modified?

In the last exercise, you applied system templates to both FortiGate devices. The configuration running on
the FortiManager device-level database is different from the latest revision history. This changes the
Config Status to Modified. The provisioning template changes need to be installed on the FortiGate
devices to return the devices to the synchronized state.

4. In the menu on the left side of the screen, click Local-FortiGate.

5. In the Configuration and Installation Status widget, check Device Settings Status; it should appear as
Modified.

Stop and think!
If the Device Settings Status is Modified, why is the FortiGate Sync Status still showing as
Synchronized?

The Device Setting Status is the status between the device-level database configuration and the latest
revision history. Applying system templates changes the device-level database configuration, so it enters
the Modified state.

The Sync Status is the status between the latest revision history and the actual FortiGate configuration.
Because the latest revision history is the same as the FortiGate configuration, the Sync Status is in the
Synchronized state.

6. On the Local-Windows VM, open PuTTY and connect over SSH to the FORTIMANAGER saved session.
7. At the login prompt, enter the username admin and password password.
8. Enter the following command to display the device statuses on the CLI.
diagnose dvm device list

The output will show the serial number of the device, the connecting IP address of the device, the firmware
version, the name of the device on FortiManager, and the ADOM on which the device is added.

You will see FortiAnalyzer as an unregistered device because FortiAnalyzer is
configured to query FortiManager for the threat intelligence database (a feature on
FortiAnalyzer). This is configured for the FortiAnalyzer labs, which use the same lab
environment. You may also see unregistered FortiGate devices.

9. Examine the STATUS row of the diagnose dvm device list output for Local-FortiGate and Remote-FortiGate.

Data: dev-db: not modified / template: [modified]default
What that means: Device-level configuration changes made on FortiManager. Note: In the GUI, Device Settings
will show as Modified. However, the CLI shows separate statuses for dev-db and template.
Actions to take: The FortiManager administrator can install configuration changes to the managed device to
return it to the unmodified state.

Data: conf: in sync
What that means: Latest revision history is in sync with the FortiGate configuration.

Data: cond: pending
What that means: Configuration changes need to be installed.
Actions to take: The FortiManager administrator can install configuration changes on the managed device to
return it to the unmodified state.

Data: conn: up
What that means: The FGFM tunnel between FortiManager and FortiGate is open.

10. Close the PuTTY session.
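To see how the CLI fields in the table above combine into the GUI statuses and the actions an administrator takes, here is an added Python example (not Fortinet code) that parses the STATUS rows of diagnose dvm device list output and applies the rules from this exercise; it also reads the dm field (installed/retrieved) that the next exercise refers to. The sample output is constructed to match the field names used in this lab; the column order (TYPE OID SN HA IP NAME ADOM), the placeholder serial numbers, and the "Not Synchronized" label are assumptions, not values from the lab.

```python
"""Parse the STATUS rows of FortiManager's `diagnose dvm device list` output
and map them to the GUI statuses and operator actions described in the lab.

Added example; not Fortinet code. The sample output below is constructed to
match the fields named in the lab (dev-db, template, conf, cond, dm, conn);
real column layout and spacing may differ between builds.
"""
import re

# Constructed sample output (serial numbers are placeholders, not real devices).
SAMPLE_OUTPUT = """\
--- There are currently 2 devices/vdoms managed ---

TYPE            OID  SN                HA  IP           NAME              ADOM     IPS               FIRMWARE
fmgfaz-managed  160  FGVMXXXXXXXXXXX1  -   10.200.1.1   Local-FortiGate   My_ADOM  6.00741 (regular) 6.0 MR2 (0200)
                |- STATUS: dev-db: not modified; template: [modified]default; conf: in sync; cond: pending; dm: retrieved; conn: up
                |- vdom:[3]root flags:0 adom:My_ADOM pkg:[imported]Local-FortiGate_root
fmgfaz-managed  161  FGVMXXXXXXXXXXX2  -   10.200.3.1   Remote-FortiGate  My_ADOM  6.00741 (regular) 6.0 MR2 (0200)
                |- STATUS: dev-db: not modified; conf: in sync; cond: OK; dm: installed; conn: down
                |- vdom:[3]root flags:0 adom:My_ADOM pkg:[never installed]
"""

STATUS_RE = re.compile(r"\|-\s*STATUS:\s*(.*)")


def parse_status_fields(status_text):
    """Turn 'dev-db: not modified; conf: in sync; ...' into a dict."""
    fields = {}
    for item in status_text.split(";"):
        item = item.strip()
        if not item or ":" not in item:
            continue
        key, value = item.split(":", 1)
        fields[key.strip()] = value.strip()
    return fields


def parse_device_list(output):
    """Return one {name, ip, sn, adom, status} dict per managed device.

    A device row is any line whose first token is a managed-device TYPE; the
    '|- STATUS:' line that follows belongs to the most recent device row.
    """
    devices = []
    current = None
    for line in output.splitlines():
        m = STATUS_RE.search(line)
        if m and current is not None:
            current["status"] = parse_status_fields(m.group(1))
            continue
        cols = line.split()
        # Assumed column order from the header: TYPE OID SN HA IP NAME ADOM ...
        if len(cols) >= 7 and cols[0].endswith("-managed"):
            current = {"type": cols[0], "sn": cols[2], "ip": cols[4],
                       "name": cols[5], "adom": cols[6], "status": {}}
            devices.append(current)
    return devices


def interpret(device):
    """Map the CLI status fields to the GUI statuses and actions from the lab table."""
    st = device["status"]
    dev_db_modified = st.get("dev-db", "") != "not modified"
    template_modified = "[modified]" in st.get("template", "")
    actions = []

    # Device Settings Status: device-level DB vs latest revision history.
    # The GUI collapses dev-db and template into a single Modified/Unmodified flag.
    device_settings = "Modified" if (dev_db_modified or template_modified) else "Unmodified"
    if device_settings == "Modified" or st.get("cond") == "pending":
        actions.append("Install device settings to return the device to the unmodified state")

    # Sync Status: latest revision history vs the configuration running on FortiGate.
    sync = "Synchronized" if st.get("conf") == "in sync" else "Not Synchronized"  # label chosen here
    if sync != "Synchronized":
        actions.append("Running config differs from the latest revision; review Revision History before installing")

    if st.get("conn") != "up":
        actions.append("FGFM tunnel is not up; check connectivity before any install")

    return {"name": device["name"], "device_settings": device_settings,
            "sync": sync, "tunnel_up": st.get("conn") == "up",
            "last_action": st.get("dm", "unknown"), "actions": actions}


def report(output=SAMPLE_OUTPUT):
    """Interpret every device in the given CLI output."""
    return [interpret(d) for d in parse_device_list(output)]


if __name__ == "__main__":
    for r in report():
        print(f"{r['name']}: Device Settings={r['device_settings']}, Sync={r['sync']}, "
              f"tunnel_up={r['tunnel_up']}, dm={r['last_action']}")
        for a in r["actions"]:
            print("  -", a)
```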

Exercise 2: Install System Template Changes to Managed Devices

In the previous lab, you added FortiGate devices to FortiManager and applied system templates.

In this exercise, you will install system template changes to both FortiGate devices and then view those changes
locally, by logging in to each FortiGate.

Install System Templates

Now, you will install the default system template changes to Local-FortiGate and Remote-FortiGate using the
Install Wizard.

To install system templates

1. On the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with the
username student and password fortinet.
2. Click My_ADOM.
3. Click Device Manager > Managed Devices.
4. Click Install > Install Wizard.

5. In the Install Wizard, make sure Install Device Settings (only) is selected, and click Next.

6. On the Device Settings page, ensure both FortiGate devices are selected.

7. Click Next.
8. Click Install Preview for the Local-FortiGate.

This will show you the changes that will be installed (applied) to the FortiGate device.

9. Click Close on the Install Preview page.
Optionally, you can also select Install Preview for Remote-FortiGate.

10. Make sure both FortiGate devices are selected.
11. Click Install.
12. Once the installation is successful, click the View Log icon.

This is the install log that shows exactly what is installed on the managed device.

The following image is an example log for Local-FortiGate.

13. Click Close.
14. Click Finish.

Check Managed Device Status

Now, you will check the managed device status after the installation.

To check the managed device status

1. Remaining on the FortiManager GUI, check the Config Status.
It should now appear as Synchronized.

2. In the menu on the left side of the screen, click Local-FortiGate.

3. Under Configuration and Installation Status, you should observe that the Device Settings status is in the
Unmodified state.

This means that FortiGate's device-level database configuration is the same as the latest revision history.

4. On the Local-Windows VM, open PuTTY and connect over SSH to the FORTIMANAGER saved session.
5. At the login prompt, enter the username admin and password password.
6. Enter the following command to display device statuses on the CLI.
diagnose dvm device list

You should observe the following in the output for Local-FortiGate and Remote-FortiGate.

The dev-db status is not modified, which means that FortiGate's device-level database
configuration matches the latest running revision history. The dm: installed field means that the
installation was performed from FortiManager.

7. Enter the following command to display the FGFM tunnel statuses:
diagnose fgfm session-list

You can use this command to view the connecting IP of managed devices, the link-level address assigned by
FortiManager, and the uptime of the FGFM tunnel between FortiGate and FortiManager.

8. Close the PuTTY session.

View Pushed Configuration on FortiGate

Using FortiManager, you have installed the system templates configuration on both FortiGate devices.

Now, you will log in to the Local-FortiGate and Remote-FortiGate GUIs to view the configuration installed using
FortiManager.

To view a pushed configuration on the Local-FortiGate GUI

1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the
username admin and password password.
2. Click Login Read-Only.

When you connect locally to a device managed by FortiManager, you will be presented
with a warning message because the device is centrally managed. Only when it is
absolutely necessary should you use the read-write option locally on FortiGate. An
example might be that a FortiManager administrator is unavailable to make
configuration changes and installations to manage FortiGate devices.

3. Click Log & Report > Log Settings.
You will notice the Remote Logging and Archiving settings are the same as the default system template
entries.

4. Log out of FortiGate.

To view a pushed configuration on the Remote-FortiGate GUI
1. On the Local-Windows VM, open a new browser and log in to the Remote-FortiGate GUI at 10.200.3.1 with
the username admin and password password.
2. Click Login Read-Only.
3. Click Log & Report > Log Settings.
You will notice that the Remote Logging and Archiving settings are the same as the default system
template entries.

4. Log out of FortiGate.

Exercise 3: Auto Update and Revision History

By default, configuration changes made directly on FortiGate are automatically updated (retrieved) by
FortiManager, which is reflected in the Revision History. If required, you can disable the automatic update
behavior on the FortiManager CLI under config system admin settings. This allows the FortiManager
administrator to accept or refuse the configuration changes.

In this lab, you will make configuration changes directly on the FortiGate devices, and verify that the configuration
changes are retrieved automatically by FortiManager.

You will also review the configuration revision histories of FortiGate devices, created by auto update and by other
actions.

Make Direct Changes on Local-FortiGate

Now, you will make direct changes on Local-FortiGate.

To make direct changes on Local-FortiGate


1. On the Local-Windows VM, open a new browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the
username admin and password password.
2. Click Login Read-Write.

When you connect locally to a device managed by FortiManager, you will be presented
with a warning message because the device is centrally managed. Only when it is
absolutely necessary should you use the read-write option locally on FortiGate. An
example might be that a FortiManager administrator is unavailable to make
configuration changes and installations to manage FortiGate devices.

3. Click Yes.
4. Click Log & Report > Log Settings.
5. Turn off the Enable Local Reports switch.

6. Click Apply.
7. Log out of FortiGate.

Make Direct Changes on Remote-FortiGate

Now, you will make direct changes on Remote-FortiGate. You will repeat the same steps for Remote-FortiGate
as you did for Local-FortiGate.

To make direct changes on Remote-FortiGate


1. On the Local-Windows VM, open a browser and log in to the Remote-FortiGate GUI at 10.200.3.1 with the
username admin and password password.
2. Click Login Read-Write.
3. Click Yes.
4. Click Log & Report > Log Settings.
5. In the Local Log settings window, turn off the Enable Local Reports switch.
6. Click Apply.
7. Log out of FortiGate.

View Auto Update and Revision History

As you make the configuration changes locally on both the FortiGate devices, you will now view the auto update
status on FortiManager, and view the configuration revision histories created by FortiManager.

To view auto update


1. On the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with the
username student and password fortinet.
2. Click My_ADOM.
3. Click Device Manager > Managed Devices.
4. You will notice that Config Status is now in the Auto-Update state for both FortiGate devices.
This confirms that the changes made locally were backed up to FortiManager.

To view the revision history


1. Click Local-FortiGate.

2. In the Configuration and Installation Status widget, click the Revision History icon.

You should observe three configurations, though you may have more if you have made further changes:

• Your first Installation status should display as Auto Updated, indicating that these changes were made
locally on FortiGate and were automatically updated in FortiManager.
• Your second Installation status should display as Installed, indicating that these changes were made by
FortiManager on the managed device.
• Your third Installation status should display as Retrieved, indicating that this configuration was taken from
the device’s running configuration when it was added to FortiManager.

View the Install Log

When the installation is done using FortiManager, the install log will show the name of the administrator who
made this change along with the commands sent by FortiManager. If an installation fails, the install log is useful
because it shows what commands were sent to, and accepted by, the managed device, as well as the commands
that were not accepted.

To view the install log


1. Remaining on the Configuration Revision History page, select ID 2 and then click View Install Log.

You should see the CLI commands sent by FortiManager (which are identical to the installation previewed
earlier) and the FortiGate response.

2. Click Close twice to close the Configuration Revision History window.

View Auto Update, Revision History, and the Install Log for Remote-FortiGate
(Optional)

Optionally, you can also view changes made to Remote-FortiGate by following the steps from View Auto Update
and Revision History on page 75.

To view auto update, revision history, and the install log for Remote-FortiGate (Optional)
1. Remaining logged in to the FortiManager GUI, click Remote-FortiGate and follow the steps from View Auto
Update and Revision History on page 75.
For Remote-FortiGate, you will see the NTP settings pushed by FortiManager based on the imported NTP
settings in the default system template from Local-FortiGate.

Log View

As FortiAnalyzer features are enabled on FortiManager, and both FortiGate devices are configured to send logs
to FortiManager, you will view the logs for the managed devices on the Log View pane.

To view logs for Local-FortiGate


1. Remaining logged in to the FortiManager GUI, click Device Manager and select Log View.

You should see the traffic logs generated by the FortiGate device.

Task Manager

The task manager provides the status of the tasks you have performed. You can use it to troubleshoot various
types of issues, such as adding devices, importing policies, and installing changes from FortiManager.

You will now check the entries in Task Manager.

To check Task Manager entries


1. Log out of the FortiManager GUI and log back in to the FortiManager GUI with the username admin and
password password.
2. Click root.
3. Click System Settings.
4. On the menu on the left side of the screen, click Task Monitor.

Task Monitor shows the tasks performed by all the users.

Exercise 4: Configuring Device-Level Changes

You can view and configure device-level settings of the managed FortiGate on the Device Manager pane. Most
of these settings have a one-to-one correlation with the device configuration that you would see if you logged in
locally on each FortiGate’s GUI or CLI.

Now, you will make configuration changes for the managed FortiGate on the Device Manager pane.

Change Managed FortiGate Interface Settings

If you try to change the managed FortiGate interface used for communicating with FortiManager, it will warn you
that this may disrupt the communication between FortiManager and FortiGate. If there is a communication
disruption between FortiManager and FortiGate during an installation, FortiManager will attempt to recover the
connection, but this will revert the installation changes.

Now, you will change the Remote-FortiGate port4 interface Administrative Access setting that is used by
Remote-FortiGate to communicate with FortiManager.

To change the managed FortiGate interface settings


1. On the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with the
username student and password fortinet.
2. Click My_ADOM.
3. Click Device Manager.
4. Click Remote-FortiGate.

5. Click System : Dashboard and then click Interface.

6. Right-click port4, and click Edit.


7. Under Administrative Access, check the FortiTelemetry check box.
8. Click OK.
9. Click Managed Devices.

Stop and think!


Why is Config Status showing the Modified (recent auto-updated) state for Remote-FortiGate?

The Modified status means that the device-level database change has been made to Remote-FortiGate.
You changed the interface configuration.

The status recent auto-updated in parentheses means that the previous configuration changes were made
locally on FortiGate and were auto updated to FortiManager. You changed the logging settings locally in the
previous exercise.

Filter Devices Based on Status

FortiManager allows you to filter devices based on their current status. This is very helpful when you are
managing a large number of devices in the same ADOM. Based on the status, the FortiManager administrator
can take appropriate action.

You can filter device statuses based on:

• Connection
• Device config (device database status)
• Policy package (ADOM database status)

You will now filter devices based on their device config and policy package status.

To filter devices based on status


1. Remaining logged in to the FortiManager GUI, click Managed Devices.

2. In the Devices (Device Config Modified) drop-down list, click Modified.

Only Remote-FortiGate will show in the Managed FortiGates list.

3. In the Devices (Policy Package Modified) drop-down list, click Imported.


This time, only Local-FortiGate will show in the Managed FortiGates list.

Configure the Administrator Account

Now, you will create a new administrator account for Local-FortiGate on FortiManager.

To configure the administrator account


1. Remaining on the FortiManager GUI, click Local-FortiGate.

2. Click Display Options.

3. Click Customize.
4. In the System category, click Administrators.

5. Click OK.
6. Click System : Dashboard and then click Administrators.

7. Click Create New.

8. Configure the following settings:

Field               Value
Administrator       training
Type                Local User
Password            fortinet
Confirm Password    fortinet
Admin Profile       prof_admin

Your configuration should look like the following example:

85 FortiManager 6.2 Lab Guide


Fortinet Technologies Inc.
DO Exercise
NOT4: Configuring
REPRINT Device-Level Changes Configure the Administrator Account

© FORTINET

9. Keep the default values for all other settings and click OK.
10. Click Device & Groups > Managed Devices.

You will notice that Config Status has changed to Modified for Local-FortiGate.

This is because you made a device-level configuration change for Local-FortiGate by configuring the
administrator account.

Exercise 5: Installing Configuration Changes

You have made configuration changes to the managed devices using FortiManager:

• For Remote-FortiGate, you have enabled the FortiTelemetry service on port4
• For Local-FortiGate, you have configured a new administrator

Now, you will install these changes on the managed devices using the Install wizard, and view the installation
history. You will also compare the differences between revision history configurations using the Revision Diff
feature.

View the Install Preview

First, you will preview the installation changes on the Configuration and Installation Status widget.

To view the install preview


1. On the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with the
username student and password fortinet.
2. Click My_ADOM.
3. Click Device Manager.
4. Click Remote-FortiGate.

5. On the Configuration and Installation Status widget, click Preview.

This shows the device-level configuration changes that will be installed on the managed device when
FortiManager performs the device-level install.

The installation preview in the Configuration and Installation Status widget shows
only the preview for the device-level changes, not the changes related to policies and
objects.

6. Click OK.
Optionally, you can follow this same procedure to view the installation preview for Local-FortiGate.

Install Wizard

You will install these changes on the managed devices using the Install wizard.

To install configuration changes on FortiGate using the Install wizard


1. Remaining logged in to the FortiManager GUI, click Install Wizard.

2. Select Install Device Settings (only).

3. Click Next.
4. On the Device Settings page, ensure both FortiGate devices are selected.

5. Click Next.
6. Click Install Preview for Local-FortiGate.

This will show you the changes that will be installed (applied) to FortiGate.

7. Click Close on the Install Preview page.


Optionally, you can also check the Install Preview for Remote-FortiGate.

8. Make sure both FortiGate devices are selected.

9. Click Install.
10. Once the install has completed successfully, click the View Log icon.

This is the install log that shows exactly what is installed on the managed device.

11. Click Close on the Install Log page.


12. Click Finish.
13. Click Managed Devices.

The Config Status should now be in the Synchronized state.

Revision Diff

After every retrieve, auto update, and install operation, FortiManager stores the FortiGate configuration
checksum output with the revision history. This is how the out-of-sync condition is calculated.

Revision Diff is a useful feature for comparing a revision against the previous revision, a specific revision, or
the factory default configuration. For the output, you can choose to show the full configuration with the
differences marked, only the differences, or to capture the differences to a script.

Now, you will compare the differences between the latest revision and the previous revision.

To view the revision differences


1. Remaining logged in to the FortiManager GUI, click Local-FortiGate.

2. Click System Dashboard.

3. In the Configuration and Installation Status widget, click the Revision History icon.

4. Click ID 4 and click Revision Diff.

5. Select Show Diff Only.

6. Click Apply.

This shows the difference in configuration between the previous version and the current running version.

Remember, you configured the FortiAnalyzer settings for both FortiGates.

7. Click Close.
8. Click ID 4 again and click Revision Diff.
9. Select Capture Diff to a Script.

10. Click Apply.


11. Select Save File.
12. Click OK.
Note the folder where it is downloaded.

13. Click Close.

14. Click Close.


15. On the Firefox window, click the download icon.
16. Right-click the file name and click Open Containing Folder.

17. Open the file using Notepad++.

This will show you the exact CLI syntax of the changes. Using the script feature on FortiManager, you can use
this script to configure other FortiGate devices that require the same settings.

18. Close the Notepad++ and Downloads windows.

This demonstrates capturing differences in the form of a script. Make sure the captured script is valid for
the other FortiGate devices before applying it to them. If required, you can edit the script before applying
it to other FortiGate devices.

For example, if you have configured a static route along with the administrator setting, the static route
settings might not be valid for other FortiGate devices.
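To make the Revision Diff idea concrete, here is an added example (not FortiManager code, and not the script the lab downloads) that parses two FortiOS-style configuration snapshots, reports whether they differ (a stand-in for the stored checksum comparison behind the out-of-sync status), and renders only the differences as a CLI script, the way Capture Diff to a Script does. Both snapshots are constructed for this example, and checksum() is an illustration of the comparison, not the real checksum format, which the guide does not show. Note that the generated script carries a delete for a row that disappeared between revisions; that is exactly the kind of change you should review before running the script on a different FortiGate.

```python
"""Diff two FortiOS-style configuration snapshots and render the result as a
CLI script, the idea behind the Revision Diff options "Show Diff Only" and
"Capture Diff to a Script".  Added example, not FortiManager code: both
snapshots are constructed, and checksum() stands in for the device checksum
FortiManager stores, whose real format the guide does not show."""
import hashlib

# Constructed "before" revision: default timeout, an extra "legacy" admin.
OLD_CONFIG = """\
config system global
    set hostname "Local-FortiGate"
    set admintimeout 5
end
config system admin
    edit "legacy"
        set accprofile "prof_admin"
    next
end
"""

# Constructed "after" revision: timeout raised, "training" added, "legacy" gone.
NEW_CONFIG = """\
config system global
    set hostname "Local-FortiGate"
    set admintimeout 10
end
config system admin
    edit "training"
        set accprofile "prof_admin"
    next
end
"""

def parse(text):
    """Flatten config/edit/set/next/end text into {path: {attr: value}}, where
    a path is a tuple of ("config", name) / ("edit", key) pairs."""
    entries, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        word, _, rest = line.partition(" ")
        if word in ("config", "edit"):
            stack.append((word, rest))
            entries.setdefault(tuple(stack), {})
        elif word in ("next", "end"):
            stack.pop()
        elif word == "set":
            attr, _, value = rest.partition(" ")
            entries[tuple(stack)][attr] = value
    return entries

def checksum(entries):
    """Whitespace-independent digest of a parsed config; comparing the stored
    and current digests is what flags a device as out of sync."""
    flat = sorted((path, attr, value) for path, attrs in entries.items()
                  for attr, value in attrs.items())
    return hashlib.sha256(repr(flat).encode()).hexdigest()

def diff(old, new):
    """Return {path: {attr: value}}; value None means "unset", and a path
    mapped to None means the whole edit row was deleted."""
    changes = {}
    for path, attrs in new.items():
        before = old.get(path, {})
        for attr, value in attrs.items():
            if before.get(attr) != value:
                changes.setdefault(path, {})[attr] = value
    for path, attrs in old.items():
        if path not in new:
            if path[-1][0] == "edit":          # row removed in the new revision
                changes[path] = None
            continue
        for attr in attrs:
            if attr not in new[path]:
                changes.setdefault(path, {})[attr] = None
    return changes

def open_block(path):
    return [f"{'    ' * d}{word} {name}" for d, (word, name) in enumerate(path)]

def close_block(path):
    closer = {"config": "end", "edit": "next"}
    return [f"{'    ' * d}{closer[word]}" for d, (word, _) in reversed(list(enumerate(path)))]

def to_script(changes):
    """Render the diff as a CLI script with one block per changed path."""
    lines = []
    for path, attrs in changes.items():
        if attrs is None:                      # delete the row from its parent table
            parent, (_, key) = path[:-1], path[-1]
            lines += open_block(parent) + [f"{'    ' * len(parent)}delete {key}"] + close_block(parent)
        else:
            indent = "    " * len(path)
            body = [f"{indent}unset {attr}" if value is None else f"{indent}set {attr} {value}"
                    for attr, value in attrs.items()]
            lines += open_block(path) + body + close_block(path)
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    old, new = parse(OLD_CONFIG), parse(NEW_CONFIG)
    print("out of sync:", checksum(old) != checksum(new))
    print(to_script(diff(old, new)))
```

Running the block prints `out of sync: True` followed by a script that sets only admintimeout, creates the training row, and deletes the legacy row; the unchanged hostname never appears, which is the "Show Diff Only" view.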

Exercise 6: Scripts

A script can make many changes to a managed device and is useful for bulk configuration changes and
consistency across multiple managed devices. You can configure and install scripts from FortiManager to
managed devices.

Scripts can be run on:

• Device database (default)
• Policy package, ADOM database
• Remote FortiGate directly (using the CLI)

You must perform an installation if a script is run on a device database, policy package, or ADOM database.

In this exercise, you will make many configuration changes by using the script feature, and install them on the
managed devices.

Configure Scripts

Now, you will configure scripts for the managed devices.

To configure scripts
1. On the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with the
username student and password fortinet.
2. Click My_ADOM.
3. Click Device Manager.
4. Click Scripts.

5. Click Import CLI Script.

6. Click Add Files.

7. Click Desktop > Resources > FortiManager > Device-Config and select Local-Script.
8. Click Open, keep the default values for all other settings, and click Import.

9. Click Close.
10. Click Import CLI Script again.

11. Click Add Files.


12. Click Desktop > Resources > FortiManager > Device-Config and select Remote-Script.
13. Click Open, keep the default values for all other settings, and click Import.
14. Click Close.

Run and Install Scripts

Because the scripts target the device database, you will first run the scripts against the device database and
then install the resulting changes on the managed devices.

To run scripts
1. Remaining logged in to the FortiManager GUI, select the Local-Script and click Run Script.

2. Select Local-FortiGate and click Run Now at the bottom.


3. Click View Details and then click the View Script Execution History icon.
Scroll to the bottom of the script execution window to check that the script ran successfully on the device
database.

If needed, you can also view the script execution history later in the Configuration
and Installation Status widget or on the Task Monitor.

4. Click Close.
5. Click Close.
6. Clear the Local-Script check box, select the Remote-Script check box, and then click Run Script.
7. Select Remote-FortiGate and click Run Now at the bottom of the page.
8. Click Close.

To install scripts
1. Remaining logged in to the FortiManager GUI, click Device & Groups > Managed Devices.

Stop and think!


Why is the Config Status showing Modified for both FortiGate devices? If you do not see the Modified
status, refresh the page a few times.

Why is the Policy Package Status for Local-FortiGate showing Out of Sync, but the Policy Package
Status for Remote-FortiGate remains unchanged as Never Installed?

The scripts contain configuration changes related to device-level settings and policies.

The Config Status is Modified for both FortiGate devices because of device-level changes.

Because the Local-FortiGate policy package was imported when you added FortiGate, FortiManager
detects policy-level changes and marks the Local-FortiGate Policy Package Status as Out of Sync.

For Remote-FortiGate, the policy package was never imported; hence FortiManager cannot compare the
differences in the policies.

2. Select Local-FortiGate and Remote-FortiGate and click Install, and then click Quick Install.

3. Click OK.
The installation will be successful on both FortiGate devices.

The Quick Install option does not provide an option for install preview and install
log. You should use it only if you are absolutely sure about the changes you are trying
to install.

4. Click Finish.

Lab 5: Policy & Objects

In this lab, you will explore the common operations of the Policy & Objects pane in order to centrally manage
FortiGate firewall policies, and to manage shared and dynamic objects.

Objectives
• Import firewall policies and objects from a managed device and review the imported policy packages
• Create ADOM revisions
• Use workflow mode to configure and send changes for approval
• Find duplicate objects and merge them, and delete used objects
• Create a policy package shared across multiple devices
• Create shared objects and dynamic objects with mapping rules
• Identify the different policy and object interface mapping types and configure zone mappings
• Install a policy package and device settings on the Policy & Objects pane

Time to Complete
Estimated: 60 minutes

Exercise 1: Import Policy

In the previous lab, you installed scripts that contain device-level and policy configuration changes. Because you
ran the scripts on the device database, which created the revision history containing these changes, the policy
packages are not automatically updated, so you must import them manually.

In this exercise, you will import the policies using the Import Policy wizard so that the policy packages reflect
the current device configuration.

Additionally, you will create an ADOM revision, which is a snapshot of all the policy and object configurations for
an ADOM.

Import Policy

Now, you will import policies and objects for both managed FortiGate devices.

To import policies
1. On the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with the
username student and password fortinet.
2. Click My_ADOM.
3. Click Device Manager.
4. Right-click Local-FortiGate and click Import Policy.

5. Rename Policy Package Name to Local-FortiGate-1.


6. Select Import All Objects.

7. Click Next.
8. Click Next on the conflict page.
Review the objects to be imported.

9. Click Next.
10. Click Download Import Report.
11. Select Open with and click OK to review the download import report.
12. Review the download import report and close the notepad.
13. Click Finish.

Download Import Report is available only on this page; make sure to download the
import report before clicking finish.

14. Right-click the Remote-FortiGate and click Import Policy.


15. Click Next until you reach the Finish page.
16. Click Finish.
17. Click Device Manager and click Policy & Objects.

18. Compare the policies in the Local-FortiGate_root and Local-FortiGate-1 policy packages by clicking IPv4
Policy on each policy package.
Policy package: Local-FortiGate_root:

Policy package: Local-FortiGate-1:

Create ADOM Revisions

An ADOM revision creates a snapshot of the policy and objects configuration for the ADOM. Now that you have
imported policies and objects from both FortiGate devices, you will create ADOM revisions that are stored locally
on the FortiManager and are useful for comparing the differences between two revisions, or reverting to a
previous revision.

To create an ADOM Revision


1. Remaining logged in to the FortiManager GUI, click ADOM Revisions.

2. Click Create New and name the revision: Initial revision.


3. Enable Lock this revision from auto-deletion.

4. Click OK.
You will notice the lock icon, name of the administrator who created it, and the date and time.

5. Click Close.

Exercise 2: Workflow Mode

Workflow mode is used to control the creation, configuration, and installation of policies and objects. It helps to
ensure that all changes are reviewed and approved before they are applied.

Workflow mode is similar to ADOM locking (workspace mode), but it also allows administrators to submit their
configuration changes for approval. The configuration changes are not committed to the FortiManager database
until the approval administrator approves them. Only once they are approved can these configuration changes
be installed on the managed device.

In this exercise, you will enable workflow mode and then make configuration changes related to policies and
objects. You will send them for approval and, once they are approved, you will install these changes.

To enable workflow mode and configure approval permissions


1. On the Local-Windows VM, open PuTTY and connect over SSH to the FORTIMANAGER saved session.
2. At the login prompt, enter the username admin and password password.
3. Enter the following command to enable workflow mode:
config system global
    set workspace-mode workflow
end

Before enabling workflow mode, ensure all FortiManager administrators are notified
to save their work on FortiManager.

This is because enabling workflow mode will terminate all management sessions.

4. Enter the following commands to configure approval permissions. This configures the admin administrator as
the approver for My_ADOM:
config system workflow approval-matrix
    edit My_ADOM
        config approver
            edit 1
                set member admin
            next
        end
    end
end

5. Close the PuTTY session.

To configure policy and objects and send them for approval


1. On the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with the
username student and password fortinet.
2. Click My_ADOM.
3. At the top of the screen, click Lock to lock the ADOM.

4. Click Policy & Objects.


5. Click Sessions > Session List.

6. Click Create New Session.


7. In the Session Name field, type Training.
8. Click OK.
9. At the top of the screen, click Object Configurations.

10. Click Tools > Find Duplicate Objects.

11. Click Firewall Address and Merge for the LOCAL_SUBNET firewall address.

You will notice that both LAN and LOCAL_SUBNET firewall addresses are showing as duplicate objects
because both have the same values. It will also show you other objects that have the same values.

12. In the Merge all to drop-down list, select LOCAL_SUBNET.

13. Click Merge.


14. Click Close.

By merging duplicate objects, you can reduce the size of the object database, which can otherwise overwhelm
the FortiManager administrator with a large number of objects from different FortiGate devices in the same
ADOM. You can also delete unused objects from the same Tools menu if they will not be needed in the future.

15. Click Firewall Objects > Addresses.


16. Right-click the LINUX address object and click Delete.

17. Click OK.


18. Click the Where Used icon.
This will show you where the object is referenced.

It is referenced in the Local-FortiGate-1 policy package in the firewall policy 1 as destination address.

19. Click Close.


20. Click Delete Anyway.

FortiManager allows you to delete a used object. Be careful before deleting a used object, because every
reference to it is replaced by the none address 0.0.0.0/255.255.255.225.

This means that any traffic that previously matched that firewall policy will be blocked if there is no catch-all
or shadowed policy below it. In this case, the destination address of firewall policy 1 in the Local-FortiGate-1
policy package is replaced by none after the LINUX address object is deleted.

You will test this later in this exercise.

21. Click Save.

22. Click Sessions and click Submit.

23. Click OK.


The ADOM will unlock itself after submitting the changes.

Your changes are still not saved in the FortiManager database because they must be
approved by the approval administrator.

To approve the changes


1. Log out of FortiManager and log back in with the username admin and password password.
2. Click My_ADOM.
3. Click Lock.
4. Click Policy & Objects.
5. Click Sessions > Session List.

The session list will show you the name of the request made, user, date, and
approval status.

The approval administrator can approve, reject, discard, or view the differences
between two revisions. The approval administrator can also create a session that can
be sent to a different approval administrator, or can self-approve based on the
workflow approval matrix.

6. Select ID 1 and click Approve.

7. Click OK.
8. Click Continue Without Session.

9. Click Unlock.

10. Log out of FortiManager.

If an administrator who has locked ADOMs logs out of FortiManager, all ADOMs locked by that administrator are
unlocked.

Always log out of FortiManager gracefully when ADOM locking (workspace or workflow mode) is enabled.

If a session is not closed gracefully (for example, a PC crash or a closed browser window), FortiManager will
not close the administrator session until the administrator session times out or the session is deleted. The
locked ADOM will remain in the locked state.

The session will have to be deleted manually on the GUI or the CLI.

In the GUI: System Settings > System Information widget > Current Administrators > Admin Session List.

In the CLI:

To install configuration changes after approval


1. On the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with the
username student and password fortinet.
2. Click My_ADOM.
3. At the top of the screen, click Lock.
4. Click Policy & Objects.
5. Click Local-FortiGate-1 > IPv4 Policy.
You will notice LINUX is replaced by none.

6. On the Local-Windows VM, open a command prompt in Windows and run a continuous ping to the LINUX
address object.
ping 10.200.1.254 -t

You will notice that the request times out, because on Local-FortiGate the firewall policy still has LINUX as its
destination and DENY as its action.

Example from Local-FortiGate:

7. Return to the FortiManager GUI and click Install > Install Wizard.

8. Make sure the following are selected:


- Install Policy Package and Device Settings
- Policy Package: Local-FortiGate-1
9. Click Next.
10. Click Next.
11. Click Install Preview.
12. Press Ctrl+F and search for the following:
- config firewall policy
- LINUX
You will notice FortiManager is replacing the destination address of firewall policy 1 with none and deleting
the LINUX address object.

FortiManager also deletes any other unused objects. This is expected: the first time you install a policy package on a device, FortiManager removes all objects on that device that the package does not reference.

13. Click Close in the Install Preview pop-up window.


14. Click Install.
15. After the installation is successful, click View Log to view the installation history.

16. Click Close.


17. Click Finish.
18. Return to the command prompt where you initiated the ping to LINUX.
You now get replies because a catch-all policy sits below the BLOCK_LINUX policy. After the installation the destination of BLOCK_LINUX is none, so the ping traffic no longer matches it and is processed by the firewall policy at sequence 2.

19. Close the command prompt.

To disable workflow mode


1. On the Local-Windows VM, open PuTTY and connect over SSH to the FORTIMANAGER saved session.
2. At the login prompt, enter the username admin and password password.
3. Enter the following commands.
config system global
set workspace-mode disabled
y
end

All administrators are logged out of the FortiManager GUI when this change is saved. Before you disable workspace mode, tell all administrators logged in to FortiManager to save their work.

Exercise 3: Creating a Common Policy for Multiple Devices

You will create a single policy package that can be shared by multiple devices, as opposed to having a policy
package for each device, which is the current configuration. You will use the installation target setting in a firewall
policy to target specific policies to specific FortiGate devices.

Dynamic Mappings-Address Objects

First, you will configure dynamic mappings for objects that are used to map a single logical object to a unique
definition for each device.

To create dynamic mappings for address objects


1. On the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with the
username student and password fortinet.
2. Click My_ADOM.
3. Click Policy & Objects.
4. Click Object Configurations.

5. Click Firewall Objects > Addresses.


6. Click Create New > Address.
7. Configure the following settings:

Field         Value
Address Name  Internal
Type          Subnet
IP/Netmask    10.0.0.0/8

8. For the Per-Device Mapping, configure the following:

a. Turn on Per-Device Mapping.
b. Click Create New.

c. Select Local-FortiGate for the Mapped Device.


d. Type 10.0.1.0/24 for IP/NetMask.
e. Click OK.

f. Click Create New again.

g. Select Remote-FortiGate for the Mapped Device.


h. Type 10.0.2.0/24 for IP/NetMask.
i. Click OK.

Your configuration should look like the following example:

9. Click OK.

Dynamic Mappings-Interfaces and Zones

Now, you will create dynamic mappings for interfaces and zones.

To create dynamic mappings for interfaces and zones


1. Remaining on the FortiManager GUI, click Zone/Interface > Interface.

2. Click Create New > Dynamic Interface.


3. In the Name field, type Inside.

4. Turn on the Per-Device Mapping switch and click Create New.

5. Configure the following:


a. Select Local-FortiGate for the Mapped Device.
b. Select port3 for the Device Interface.
c. Click OK.

You get the warning "The old mapping will be deleted, are you sure you want to continue?". This is because the device interfaces were dynamically mapped when the devices were added to FortiManager. FortiManager now deletes that old mapping and maps the selected device interface to the dynamic interface you are creating.

d. Click OK in the warning pop-up window.


e. Click Create New again.
f. Select Remote-FortiGate for the Mapped Device.
g. Select port6 for the Device Interface.
h. Click OK.
i. Click OK on the warning message.

Your configuration should look like the following example:

6. Click OK.
7. Remaining on the FortiManager GUI, click Create New > Zone.

8. In the Name field, type Outside.


9. Turn on the Per-Device Mapping switch and click Create New.
10. Configure the following:
a. Select Local-FortiGate for the Mapped Device.
b. Select port1, port2 for the Device Interface.
c. Enable Block intra-zone traffic.
d. Click OK.

e. Click OK in the warning pop-up window.
f. Click Create New again.
g. Select Remote-FortiGate for the Mapped Device.
h. Select port4, port5 for the Device Interface.
i. Enable Block intra-zone traffic.
j. Click OK.

k. Click OK in the warning message.


Your configuration should look like the following example:

11. Click OK.


You have now created a dynamic interface and zone.

Create a Common Policy Package, Installation Target, and Install On

You can use FortiManager to target a common policy package to multiple devices.

So far, you have created the dynamic mapping for objects and interfaces, now you will create a common policy
package to target the Local-FortiGate and Remote-FortiGate.

A policy package can be targeted to multiple devices. When you configure an installation target, by default all policies in the package are installed on all selected FortiGate devices. You can restrict individual policies to specific devices with the Install On feature: the Install On column of a policy lists the devices, among the package's installation targets, that receive that policy.

To create a common policy package


1. Remaining on the FortiManager GUI, click Policy Packages.

2. Click Policy Package > New.

3. Name the new policy package Training and click OK.

To configure an installation target and install on


1. Remaining logged in to the FortiManager GUI, click Installation Targets for the Training policy package.
2. Click Add.

3. Select Local-FortiGate, Remote-FortiGate and click OK.
The Policy Package Status column shows the name of the currently active policy packages for these
FortiGate devices.

4. Click IPv4 Policy for the Training policy package.


5. Click Create New.

6. Configure the following settings:

Field                Value
Name                 For_Local
Incoming Interface   Inside
Outgoing Interface   Outside
Source Address       Internal
Source User          student
Destination Address  all
Service              HTTP, HTTPS, ALL_ICMP
Schedule             always
Action               Accept
NAT                  Enable the checkbox

7. Click OK.
8. Click Create New to create a second policy and configure the following settings:

If you do not see all the interfaces when creating the second policy, make sure to
clear the interface filter when selecting interfaces!

Field                Value
Name                 For_All
Incoming Interface   Inside
Outgoing Interface   Outside
Source Address       Internal
Destination Address  all
Service              SSH, DNS
Schedule             always
Action               Accept
NAT                  Enable the checkbox

9. Click OK.
Your configuration should look like the following example:

10. Click Column Settings and make sure Install On is checked.

Once added, you can drag the Install On column to where you want it positioned in the column list.

11. For the For_Local policy, click Installation Targets.


12. Select Local-FortiGate.
13. Click OK.

Your policies should look similar to the following example:

To install a policy package


1. Return to Policy Packages, click Training > IPv4 Policy, and click Install > Install Wizard.

2. Make sure the following are selected:


- Install Policy Package & Device Settings
- Policy Package: Training
3. Enable Create ADOM Revision and leave the default Revision Name.

4. Click Next.
5. Make sure both FortiGate devices are selected and click Next.
6. Select both FortiGate devices.
If you hover your cursor over the Status column of the FortiGate devices, it will show you the name of the
previous policy package.

Optionally, you can preview the changes before the installation attempt.

7. Make sure both FortiGate devices are selected and click Install.
8. Once the installation is successful, you can click View Log to see the installation history for each FortiGate.

9. Click Close in the Install Log window.


10. Click Finish.

To view configuration changes locally on FortiGate


1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the username admin and password password.
2. Click Login Read-Only.
3. Click Policy & Objects > IPv4 Policy and select By Sequence view.
You should observe the following:

- There are two firewall policies based on the Training policy package.
- The Inside interface is translated to port3 locally on FortiGate, and the Outside zone is created locally on FortiGate, according to the dynamic mapping of interfaces and zones.

4. Click Addresses.
Internal is translated to 10.0.1.0/24, according to the dynamic mapping of address objects.
5. Click Network > Interfaces.
An Outside zone is created with interfaces port1 and port2, according to the dynamic mapping of interfaces and zones.

6. Log out of FortiGate.


7. Try to log in to Remote-FortiGate (https://10.200.3.1).
Why are you getting an authentication page?

This is because of the identity-based policy (For_Local, with source user student) on Local-FortiGate: all outgoing HTTP and HTTPS traffic through Local-FortiGate must now be authenticated.

8. When prompted for firewall authentication, enter the username student and the password fortinet.
9. Once authenticated, log in to Remote-FortiGate with the username admin and password password.
10. Click Login read-only.
11. Click Policy & Objects > IPv4 Policy.
12. You should observe the following:
- There is only one firewall policy based on the Training policy package, because of the Install On targets.
- The Inside interface is translated to port6 locally on FortiGate, and the Outside zone is created locally on FortiGate, according to the dynamic mapping of interfaces and zones.
Optionally, you can check the interface and zone under Network, and Internal address object under
Addresses.
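What the Training package becomes on each device, as an added illustration that is not from the guide: the FortiOS 6.2 CLI objects the install creates, assuming the names, per-device mappings and Install On targets configured in this exercise. Policy IDs are assumptions (FortiManager assigns them at install time), and the # lines are annotations rather than CLI commands. Confirm on each FortiGate with show firewall address Internal, show system zone and show firewall policy.

```fortios
# Local-FortiGate: Internal -> 10.0.1.0/24, Inside -> port3, Outside -> zone over port1 and port2
config firewall address
    edit "Internal"
        set subnet 10.0.1.0 255.255.255.0
    next
end
config system zone
    edit "Outside"
        set intrazone deny
        set interface "port1" "port2"
    next
end
config firewall policy
    edit 1
        set name "For_Local"
        set srcintf "port3"
        set dstintf "Outside"
        set srcaddr "Internal"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "ALL_ICMP"
        set users "student"
        set nat enable
    next
    edit 2
        set name "For_All"
        set srcintf "port3"
        set dstintf "Outside"
        set srcaddr "Internal"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "SSH" "DNS"
        set nat enable
    next
end

# Remote-FortiGate: same package, different mappings. For_Local is not
# installed here because its Install On target is Local-FortiGate only.
config firewall address
    edit "Internal"
        set subnet 10.0.2.0 255.255.255.0
    next
end
config system zone
    edit "Outside"
        set intrazone deny
        set interface "port4" "port5"
    next
end
config firewall policy
    edit 1
        set name "For_All"
        set srcintf "port6"
        set dstintf "Outside"
        set srcaddr "Internal"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "SSH" "DNS"
        set nat enable
    next
end
```

A device that has no per-device mapping receives the object's default definition (10.0.0.0/8 for Internal, as configured at the top of the exercise), so review that default before you add a new device to the installation targets of a shared package.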

To review ADOM revisions


1. Return to the FortiManager GUI and under Policy Packages, click ADOM revisions.

2. Right-click Training revision and click Lock Revision.


3. Right-click Initial revision and click Delete.
4. Click OK.
5. Click Close.
You can use this revision to revert changes made to your policy packages and objects in your ADOM.
Remember, this does not revert Device Manager level settings.

Lab 6: SD-WAN and Security Fabric

In this lab, you will enable and configure SD-WAN, a global header policy, and the Security Fabric.

Objectives
- Create SD-WAN using Device Manager
- Create a global header policy and assign it to a device
- Configure Security Fabric on Local-FortiGate and Remote-FortiGate, add a Security Fabric group to FortiManager, and run and check the security rating

Time to Complete
Estimated: 40 minutes

Prerequisites

Before beginning this lab, you must restore the configuration files to Remote-FortiGate, Local-FortiGate, and FortiManager. It is important to restore the Remote-FortiGate configuration first, followed by the Local-FortiGate configuration and then the FortiManager configuration.

To restore the Remote-FortiGate configuration file


1. On the Local-Windows VM, open a browser and log in to the Remote-FortiGate GUI at 10.200.3.1 with the
username admin and password password.
2. Click Login Read-Write.
3. Click Yes.
4. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.

5. Click Local PC, and then click Upload.
6. Click Desktop > Resources > FortiManager > SD-WAN and Security Fabric, select Remote-sd-wan.conf, and then click Open.
7. Click OK.
8. Click OK to reboot.

To restore the Local-FortiGate configuration file


1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the
username admin and password password.
2. Click Login Read-Write.
3. Click Yes.
4. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.

5. Click Local PC, and then click Upload.


6. Click Desktop > Resources > FortiManager > SD-WAN and Security Fabric, select Local-sd-wan.conf, and then click Open.
7. Click OK to reboot (you must wait until Local-FortiGate reboots).
8. Once Local-FortiGate is rebooted, close the browser for both FortiGate devices.

To restore the FortiManager configuration


1. On the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with the
username admin and password password.
2. Select root.
3. Select System Settings.
4. In the System Information widget, in the System Configuration field, click the Restore icon.

5. Click Browse.
6. Click Desktop > Resources > FortiManager > SD-WAN and Security Fabric and select FMG-sd-wan.dat.
There is no password to enter because the file was not encrypted.

7. Leave the Overwrite current IP, routing and HA settings check box selected.

8. Click OK.
FortiManager reboots.

9. Wait for the FortiManager to reboot, then log in to the FortiManager GUI at 10.0.1.241 with the username
admin and password password.
10. Click root.
11. Click System Settings.
12. Click Advanced > Advanced Settings.

13. Beside Offline Mode, select Disable.

14. Click Apply.


You will see that the Offline Mode message disappears. At this point, FortiManager can establish a
management connection with the managed devices.

15. Log out of FortiManager.

Exercise 1: Configuring SD-WAN

In this exercise, you will configure SD-WAN on FortiManager and push the configuration to Local-FortiGate.

Configure SD-WAN

To configure SD-WAN for Local-FortiGate


1. On the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with the
username admin and password password.
2. Click My_ADOM.
3. Click System Settings > All ADOMs.
4. Edit My_ADOM.
5. Enable SD-WAN and click OK.

6. Click Device Manager > SD-WAN.

7. Click Health-Check Servers > Create New.


8. Configure the following settings:

Field          Value
Name           Remote-Server
Detect Server  10.200.3.1

9. Click OK.
10. Click Interface Members > Create New.
11. Configure the following settings:

Field              Value
Name               port1
Default Interface  port1
Gateway            10.200.1.254

12. Click OK.


13. Repeat the previous steps to add the second interface for SD-WAN using the following settings:

Field              Value
Name               port2
Default Interface  port2
Gateway            10.200.2.254

Your interface members should look like the following example:

14. Click SD-WAN Templates > Create New.


15. Configure the following settings:

Field              Value
Name               SD-WAN
Interface Members  Create New and add both port1 and port2, one at a time

16. Click Create New in Performance SLA.


17. Configure the following settings:

Field            Value
Name             SLA1
Detect Protocol  PING
Detect Server    Remote-Server
Member           port1 and port2
SLA              Create New and accept the default values

18. Keep the default values for all other settings and click OK.

19. Click OK to save the SD-WAN Templates.


20. Click Assigned Devices.
21. Click Create New, select the following in the drop-down list, and click OK:
- Local-FortiGate
- SD-WAN

Create a Firewall Policy for SD-WAN

Now, you will create a SD-WAN firewall policy.

To create firewall policies for SD-WAN


1. On the FortiManager GUI, click Policy & Objects.

2. For the Local-FortiGate policy package, click Installation Targets and add Local-FortiGate.

3. Click IPv4 Policy, and then click Create New to create a new SD-WAN firewall policy.

4. Configure the following settings:

Field                Value
Name                 SD-WAN
Incoming Interface   port3
Outgoing Interface   sd-wan
Source Address       all
Destination Address  all
Service              ALL
Schedule             always
Action               Accept
NAT                  enable

5. Keep the default values for all other settings, and click OK.

Install SD-WAN Policy

You have configured the SD-WAN firewall policy in the Local-FortiGate policy package.

Now, you will install the SD-WAN policy on Local-FortiGate.

To install the SD-WAN policy


1. On the FortiManager GUI, for the Local-FortiGate policy package, click IPv4 Policy.
2. Click Install > Install Wizard.

3. Ensure that Install Policy Package & Device Settings and Local-FortiGate policy package are selected.

4. Click Next.
5. Ensure that Local-FortiGate is selected and click Next.
6. Click Install and Finish.

Create a default SD-WAN Static Route on FortiManager and Install the Route

Now, you will configure the static route for SD-WAN. There are two ways to configure static routes: using Device
Manager or a script. In this lab, you will use a Device Manager method to create and push the default SD-WAN
route to Local-FortiGate.

To create a default SD-WAN static route


1. Click Device Manager > Device & Groups > Local-FortiGate > Router > Static Route.
2. Select the default static route and click Delete.

There must not be any static route that points directly at an SD-WAN member interface (port1). You deleted the existing default route in the previous step; in the following steps you replace it with a default route through the SD-WAN interface on Local-FortiGate.

3. Click Create New to create a SD-WAN Static Route.

4. Select SD-WAN interface from Device and click OK.

5. Click Install Wizard to install the route.


6. Select Install Device Settings (only) and click Next.
7. Click Next, Install and Finish.

Monitor SD-WAN Status

You have installed the SD-WAN configuration on Local-FortiGate.Now, you will check the SD-WAN status on
Local-FortiGate.

To monitor SD-WAN status


1. Log in to Local-FortiGate (https://10.0.1.254) with the username admin and password password.
2. Click Login Read-Only.
3. Click Network > SD-WAN.

You will notice that both port1 and port2 are part of the SD-WAN. Also examine the SD-WAN usage charts.

4. Log out of the Local-FortiGate and FortiManager.
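The same SD-WAN setup expressed as FortiOS 6.2 CLI, added here as an illustration of what the Device Manager steps in this exercise install on Local-FortiGate; it is not text from the guide. The SLA thresholds are assumed values standing in for the defaults the lab accepts, the policy and route IDs are assumptions, and the # lines are annotations rather than commands. Use the two diagnose commands at the end to confirm the member and health-check state instead of relying on the GUI chart alone.

```fortios
# SD-WAN members and health check (Device Manager > SD-WAN template)
config system virtual-wan-link
    set status enable
    config members
        edit 1
            set interface "port1"
            set gateway 10.200.1.254
        next
        edit 2
            set interface "port2"
            set gateway 10.200.2.254
        next
    end
    config health-check
        edit "SLA1"
            set server "10.200.3.1"
            set protocol ping
            set members 1 2
            config sla
                edit 1
                    set latency-threshold 5
                    set jitter-threshold 5
                    set packetloss-threshold 0
                next
            end
        next
    end
end

# Default route through the SD-WAN interface; this replaces the old port1 default route
config router static
    edit 1
        set virtual-wan-link enable
    next
end

# Policy from port3 to the SD-WAN interface (named virtual-wan-link in the 6.2 CLI)
config firewall policy
    edit 1
        set name "SD-WAN"
        set srcintf "port3"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

# Verification on Local-FortiGate: member state, then health-check results per link
diagnose sys virtual-wan-link member
diagnose sys virtual-wan-link health-check
```

If the health check shows a member as dead while the GUI chart still shows traffic, check the member's gateway first: a wrong gateway lets the interface stay up while the probes to 10.200.3.1 never get a reply.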

Exercise 2: Creating and Assigning Header Policies in the
Global ADOM

Header and footer policies are used to envelop the policies in each ADOM. You can create the header and footer
policies once on the global ADOM and assign them to multiple policy packages in the other ADOMs.

In this exercise, you will create the header policy in the global ADOM and assign the header policy to the
managed devices in My_ADOM. Then you will install the header policy on the managed devices.

To create a header policy


1. On the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with the
username admin and password password.
2. Click My_ADOM.
3. Click Device Manager.
4. Click Add Device.
Add the Remote-FortiGate using Discover mode and the following settings:

Field       Value
IP Address  10.200.3.1
User Name   admin
Password    password

5. Click Next, and then click Next again.


6. Click Import Now to import the policy package.
7. Accept the default values and finish importing the policy package.
Your configuration should look like following example:

8. Click My_ADOM.
9. Select Global Database ADOM.

10. Click IPv4 Header Policy.

11. Click Create New.


12. Configure the following settings:

Field                Value
Name                 Global_Policy
Incoming Interface   any
Outgoing Interface   any
Source Address       gall
Destination Address  gall
Service              gPING
Schedule             galways
Action               Deny

Your configuration should look like the following example:

13. Click OK.

To assign a header policy


1. Click Assignment.
2. Click Add ADOM.

3. Configure the following settings:

Field                                      Value
ADOMs                                      My_ADOM
Specify ADOM to policy package to exclude  Check the box and select the following: default

4. Click OK.
5. Click Assign.

The header policy is assigned to the Local-FortiGate and the Remote-FortiGate_root policy packages.

To install a header policy


1. Remaining logged in to the FortiManager GUI, click ADOM: Global Database.

2. Click My_ADOM.
3. Click Local-FortiGate > IPv4 Header Policy to view the assigned header policy.

4. Click Install > Re-install Policy.

5. Click OK.
6. Click Install Preview.
The configuration changes that will be installed on FortiGate will appear. In this case, the header policy and
related objects will be installed.

7. Click Close in the Install Preview pop-up window.


8. Click Next.

9. Click Finish.
10. Click the Remote-FortiGate_root policy package.
11. Click Install > Re-install Policy.

12. Click OK.


13. Click Next.
14. Click Finish.
15. Log in to Local-FortiGate (https://10.0.1.254) and Remote-FortiGate (https://10.200.3.1) with the
username admin and password password.
16. Click Login Read-Only.
17. Click Policy & Objects > IPv4 Policy.
You should observe the header policy at the top.

18. Log out of both FortiGate devices.
19. On the Local-Windows VM, open a command prompt window and try to ping an external host (example
4.2.2.2).
You should observe that the ping fails, because the header policy was configured to block the ping.
20. Close the command prompt.

You can also promote ADOM objects to global objects: right-click any ADOM object and select Promote to Global. Promoted objects can then be used in the Global Database ADOM.
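How the header policy lands on a managed FortiGate, as an added illustration that is not from the guide: the global objects are pushed under their g-prefixed names and the header policy is placed at the top of the sequence, ahead of every policy from the ADOM package, which is why the ping fails even though For_Local permits ALL_ICMP. The object definitions and the policy ID are assumptions, and the # lines are annotations rather than commands.

```fortios
# Global objects arrive with their g-prefixed names (assumed definitions)
config firewall address
    edit "gall"
        set subnet 0.0.0.0 0.0.0.0
    next
end
config firewall service custom
    edit "gPING"
        set protocol ICMP
        set icmptype 8
    next
end
config firewall schedule recurring
    edit "galways"
        set day sunday monday tuesday wednesday thursday friday saturday
    next
end

# The header policy is installed ahead of every policy from the ADOM package,
# so a ping from Local-Windows matches it before For_Local (ALL_ICMP) is reached
config firewall policy
    edit 3
        set name "Global_Policy"
        set srcintf "any"
        set dstintf "any"
        set srcaddr "gall"
        set dstaddr "gall"
        set action deny
        set schedule "galways"
        set service "gPING"
    next
end

# Check the sequence on either FortiGate: Global_Policy must be listed first
show firewall policy
```

Because a header policy is evaluated before anything an ADOM administrator can add, a header deny is the place for controls that no policy package may override; a footer policy, evaluated last, is the place for a catch-all.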

Exercise 3: Configuring the Security Fabric

In this exercise, you will configure the Security Fabric for the Local-FortiGate and Remote-FortiGate devices on
FortiManager.

Configure the Security Fabric

Configure Security Fabric settings on FortiManager for Local-FortiGate and Remote-FortiGate. Then, install the changes.

To configure the Security Fabric for Local-FortiGate and Remote-FortiGate on FortiManager
1. On the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with the
username admin and password password.
2. Click My_ADOM.
3. Click Device Manager > Managed Devices.
4. Click Tools > Global Display Options.

5. Enable Security Fabric, and click OK.

6. Click Managed Devices > Local-FortiGate > System > Interface.

7. Edit port1, enable FortiTelemetry, and click OK.


8. Click System > Security Fabric and configure the following values:

Field                   Value
Enable Security Fabric  Enable
Group name              training
Group password          fortinet

9. Keep the default values for all other settings, and click Apply.
10. Click Remote-FortiGate > System > Interface.
11. Edit port4, enable FortiTelemetry, and click OK.
12. Click System > Security Fabric and configure the following values:

Field                               Value
Enable Security Fabric              Enable
Group name                          training
Group password                      fortinet
Connect to upstream FortiGate       enable
FortiGate IP (root Local-FortiGate) 10.200.1.1
Management IP                       Use WAN IP

13. Click Apply.

To install the Security Fabric for Local-FortiGate and Remote-FortiGate


1. Remaining logged in to the FortiManager GUI, click Install Wizard.
2. Ensure that Install Device Settings (only) is selected and click Next.
3. Ensure that Local-FortiGate and Remote-FortiGate are selected and click Next.
4. Click Install.
5. Click Finish.
6. Log out of both FortiGate devices and FortiManager.

Authorize All the Security Fabric FortiGate Devices on FortiAnalyzer

Now, you will add the FortiAnalyzer settings on the root Local-FortiGate and authorize all the Security Fabric devices on FortiAnalyzer.

To authorize Local-FortiGate and Remote-FortiGate on FortiAnalyzer


1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the username admin and password password.
2. Click Login Read-Write.
3. Click Yes.
4. Click Security Fabric > Settings.
5. In the IP address field, type 10.200.1.210 and click Apply.

6. Click OK to verify the FortiAnalyzer serial number.

A warning appears indicating that FortiGate is not authorized on FortiAnalyzer. You
will authorize Local-FortiGate and Remote-FortiGate from FortiAnalyzer.

FortiAnalyzer settings will be retrieved from the root Local-FortiGate when Remote-
FortiGate connects to root Local-FortiGate.

7. On the Local-Windows VM, open another browser tab, and log in to the FortiAnalyzer GUI at 10.0.1.210, using
the username admin and the password password.
8. Click Device Manager.
9. Click Unauthorized.

Both FortiGate devices appear as unauthorized devices.

10. Select the check boxes beside Local-FortiGate and Remote-FortiGate, and then click Authorize.

11. In the Authorize Device wizard, leave all the Assign New Device Name settings at the default values, and
click OK.
Both devices will be added to the FortiAnalyzer root ADOM. After you refresh your browser a few times, the
Security Fabric group will appear on FortiAnalyzer.

12. Log out of FortiAnalyzer.


13. Return to the Local-FortiGate GUI and refresh the page.
14. Click Security Fabric > Security Rating.
After you refresh your browser a few times, the Security Rating widget appears on FortiGate.

15. Log out of Local-FortiGate.
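The Security Fabric and FortiAnalyzer settings from this exercise in FortiOS 6.2 CLI form, added here for reference; this is not text from the guide. Assumptions: the allowaccess keyword fabric is the CLI name of the FortiTelemetry option, the diagnose commands are the ones used to confirm the upstream and downstream links, and the # lines are annotations rather than commands.

```fortios
# Root (Local-FortiGate): accept FortiTelemetry on port1 and create the fabric group
config system interface
    edit "port1"
        append allowaccess fabric
    next
end
config system csf
    set status enable
    set group-name "training"
    set group-password fortinet
end
# FortiAnalyzer for the fabric; downstream devices retrieve this from the root
config log fortianalyzer setting
    set status enable
    set server "10.200.1.210"
end

# Downstream (Remote-FortiGate): accept FortiTelemetry on port4 and join the root
config system interface
    edit "port4"
        append allowaccess fabric
    next
end
config system csf
    set status enable
    set group-name "training"
    set group-password fortinet
    set upstream-ip 10.200.1.1
end

# Verification: on the root, list joined downstream devices; on the downstream, check the upstream link
diagnose sys csf downstream
diagnose sys csf upstream
```

The group password is what lets a downstream FortiGate join the fabric, so treat it like any other shared secret: the FortiTelemetry listener should only be enabled on the interface that faces the other fabric members, as the lab does with port1 and port4.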

To display the Security Fabric group on FortiManager


1. On the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with username
admin and password password.

2. Click My_ADOM.
3. Click Device Manager > Managed Devices.
4. Right-click Local-FortiGate, and click Refresh Device.

5. Click Close.
After you refresh your browser a few times, the Security Fabric group will appear on FortiManager. Also note
that an asterisk (*) beside the Local-FortiGate device indicates the root FortiGate.

6. Log out of FortiManager.

To access the Security Fabric on FortiManager


1. On the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with username
admin and password password.
2. Click My_ADOM.
3. Click Fabric View.


4. Click Security Rating.

You will see a security rating score for the root FortiGate device.

You cannot use FortiManager to generate Security Fabric ratings. You must use
FortiOS to generate the Security Fabric ratings for a FortiGate Security Fabric group.
Then, you can see the Security Fabric ratings in FortiManager.

Lab 7: Diagnostics and Troubleshooting

In this lab, you will perform diagnostics and troubleshooting when installing device-level settings and importing
firewall policies.

Objectives
• Diagnose and troubleshoot issues when installing System Templates
• Diagnose and troubleshoot issues when importing policy packages

Time to Complete
Estimated: 30 minutes

Prerequisites
Before beginning this lab, you must restore the configuration files to the Remote-FortiGate, Local-FortiGate, and
FortiManager.

To restore the FortiGate configuration file on both FortiGate devices


1. On the Local-Windows VM, open a browser and log in to the Remote-FortiGate GUI at 10.200.3.1 with the
username admin and password password.
2. Click Login Read-Write.
3. Click Yes.
4. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.

5. Click Local PC, and then click Upload.

6. Click Desktop > Resources > FortiManager > Troubleshooting and select Remote-diag.conf.
7. Click OK.
8. Click OK to reboot.
9. Open a new browser tab and log in to the Local-FortiGate GUI at 10.0.1.254 with the username admin and
password password.
10. Repeat the same procedure to restore the system configuration for Local-FortiGate but, in the Troubleshooting
folder, select Local-diag.conf.
11. After the reboot finishes, close both browser tabs.

To restore the FortiManager configuration


1. On the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with the
username admin and password password.
2. Select root.
3. Select System Settings.
4. In the System Information widget, in the System Configuration field, click the Restore icon.

5. Click Browse.
6. Browse to Desktop > Resources > FortiManager > Troubleshooting and select FMG-diag.dat.
There is no password to enter because the file was not encrypted. Outside a lab, encrypt backups when you create
them: a FortiManager backup contains the complete configuration, including the administrator accounts and the
credentials FortiManager uses to connect to managed devices.

7. Leave the Overwrite current IP, routing and HA settings check box selected.

8. Click OK.
FortiManager reboots.

9. Wait for FortiManager to reboot, and then log in as admin to the FortiManager GUI at 10.0.1.241.
10. Click root.
11. Click System Settings.
12. Go to Advanced > Advanced Settings.


13. For Offline Mode, select Disable.

14. Click Apply.


You will see that the Offline Mode message disappears. At this point, FortiManager can establish a
management connection with the managed devices.

15. Log out of FortiManager.

Exercise 1: Diagnose and Troubleshoot Install Issues

FortiManager is preconfigured as follows:

• ADOMs are enabled.
• ADOM1 is configured for FortiGate firmware version 6.2.
• Local-FortiGate and Remote-FortiGate are managed by FortiManager in ADOM1. The Remote-FortiGate policy
package is not imported.
• The default system template is configured with only the DNS widget.
• The default system template is applied to Local-FortiGate and Remote-FortiGate.

In this exercise, you will diagnose and troubleshoot issues that occur when installing configuration changes on
Local-FortiGate and Remote-FortiGate.

View the Installation Preview

Now, you will view the installation preview to learn what device-level configuration changes will be installed on the
FortiGate devices. The objective of this exercise is to verify and troubleshoot to make sure the correct
configuration settings will be installed on the FortiGate devices.

To view the installation preview for Local-FortiGate


1. On the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with the
username student and password fortinet.
2. Click ADOM1.

3. Click Device Manager.
4. Click Local-FortiGate.

5. In the Configuration and Installation Status widget, click Preview.


Notice that default is listed as the System Template, which is preassigned to Local-FortiGate.

The installation preview generates.

6. Write down the DNS settings that will be installed on Local-FortiGate.

Primary:

Secondary:

7. Click OK.

To view the installation preview for Remote-FortiGate
1. On the FortiManager GUI, click Remote-FortiGate.
2. In the Configuration and Installation Status widget, click Preview.
3. Write down the DNS settings that will be installed on Remote-FortiGate.

Primary:

Secondary:

4. Click OK.

Stop and think!


The system template was configured with two entries. Why did Local-FortiGate show only one DNS entry,
but Remote-FortiGate showed two entries?

Local-FortiGate was preconfigured with the primary DNS entry 208.91.112.53. When Local-FortiGate
was added to FortiManager, that setting was retrieved into the device-level database, so the template's
primary entry already matches and is not listed in the preview. To verify, check the current revision history
and search for config system dns.

If you are not able to figure it out, use the following procedure to view the system template and DNS
settings on the CLI.

View the DNS Configuration

Now, you will view the DNS configuration for the configured system template and compare it with the device-level
database settings for DNS (for both Local-FortiGate and Remote-FortiGate). You will view the configuration on
the CLI.

To view the system template configuration in the CLI


1. On the Local-Windows VM, open PuTTY, and then connect over SSH to the FORTIMANAGER saved session.
2. Log in as admin and run the following command to view the CLI configuration for the system template
configuration:

# execute fmpolicy print-prov-templates ADOM1 5 1296 15

The output should appear as follows:


Dump all objects for category [system dns] in adom [ADOM1] package [1296]:
---------------
config system dns
set primary 208.91.112.53
set secondary 208.91.112.52
end

The execute fmpolicy print- command tree allows you to view the CLI
configuration for provisioning templates, ADOMs, and the device database on
FortiManager.

The syntax for provisioning templates is:


# execute fmpolicy print-prov-templates <adom> <prov> <package> <category>|all [<key>|all|list]

You can use the help feature by typing ? to open the command tree syntax.

To view the DNS settings for FortiGate (CLI)


1. In the FORTIMANAGER PuTTY session, run the following command to view the Local-FortiGate DNS settings
in the FortiManager device-level database:

# execute fmpolicy print-device-object ADOM1 Local-FortiGate root 15

The output should appear as follows:


Dump all objects for category [system dns] in device [Local-FortiGate] vdom[root]:
---------------
config system dns
set primary 208.91.112.53
set secondary 4.2.2.2
end

The syntax for the device object is:


# execute fmpolicy print-device-object <adom> <devname> <vdom> <category>|all [<key>|all|list]

2. Run the following command to view the Remote-FortiGate DNS settings in the FortiManager device-level
database:
# execute fmpolicy print-device-object ADOM1 Remote-FortiGate root 15

The output should appear as follows:


Dump all objects for category [system dns] in device [Remote-FortiGate] vdom[root]:
---------------
config system dns
set primary 4.2.2.2
set secondary 8.8.8.8
end

3. Compare the FortiManager system template entries with each FortiGate device.
The Local-FortiGate primary DNS entry matches the default system template primary DNS entry, so FortiManager
skips it: Local-FortiGate is already configured with that value, and only the secondary entry needs to be installed.
Neither Remote-FortiGate entry matches the template, so both entries are installed on Remote-FortiGate.
4. Close the PuTTY session.
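As an added example (not code from the lab guide), the following Python script performs the comparison you just
did by hand. It parses the execute fmpolicy dumps shown above and lists the set lines FortiManager would install on
each device, skipping any setting whose device-level value already matches the template. The three dumps are
reproduced from the outputs above; the skip rule is the lab's explanation restated as code, not FortiManager's own
implementation.

```python
"""Install-delta check for a FortiManager provisioning template.

Added example, not code from the Fortinet lab guide.  It parses the
`execute fmpolicy print-prov-templates` and `print-device-object` dumps
shown in the lab and lists the `set` lines FortiManager would install on
each device.  The skip rule (a setting that already matches the template is
not installed) is the lab's explanation restated as code, not FortiManager's
implementation.
"""

# Dumps reproduced from the lab output (template package 1296, category 15).
TEMPLATE_DUMP = """\
Dump all objects for category [system dns] in adom [ADOM1] package [1296]:
---------------
config system dns
    set primary 208.91.112.53
    set secondary 208.91.112.52
end
"""

LOCAL_DUMP = """\
Dump all objects for category [system dns] in device [Local-FortiGate] vdom[root]:
---------------
config system dns
    set primary 208.91.112.53
    set secondary 4.2.2.2
end
"""

REMOTE_DUMP = """\
Dump all objects for category [system dns] in device [Remote-FortiGate] vdom[root]:
---------------
config system dns
    set primary 4.2.2.2
    set secondary 8.8.8.8
end
"""


def parse_dump(text):
    """Parse a fmpolicy dump into {category: {key: value}}.

    Only `config ... / set ... / end` blocks are read; the "Dump all
    objects" header line and the dashed separator are ignored.
    """
    result = {}
    category = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            category = line[len("config "):]
            result.setdefault(category, {})
        elif line.startswith("set ") and category is not None:
            key, _, value = line[len("set "):].partition(" ")
            result[category][key] = value
        elif line == "end":
            category = None
    return result


def install_delta(template, device):
    """Return {category: {key: (device_value, template_value)}}.

    A key appears only when the device-level database differs from the
    template, which is why Local-FortiGate's matching primary DNS entry is
    absent from the install preview.
    """
    delta = {}
    for category, settings in template.items():
        current = device.get(category, {})
        changed = {key: (current.get(key), value)
                   for key, value in settings.items()
                   if current.get(key) != value}
        if changed:
            delta[category] = changed
    return delta


def render_cli(delta):
    """Render a delta as the FortiOS CLI that would be pushed to the device."""
    lines = []
    for category, changed in delta.items():
        lines.append(f"config {category}")
        lines.extend(f"    set {key} {new}" for key, (_, new) in changed.items())
        lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    template = parse_dump(TEMPLATE_DUMP)
    for name, dump in (("Local-FortiGate", LOCAL_DUMP), ("Remote-FortiGate", REMOTE_DUMP)):
        print(f"== {name} ==")
        print(render_cli(install_delta(template, parse_dump(dump))))
```

Run it as a script to print the install delta for both devices; for Local-FortiGate only the secondary entry is
rendered, for Remote-FortiGate both entries. The parser reads any `config ... / set ... / end` block, so the same
script can compare other system template categories by pasting in their fmpolicy dumps.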

Install Device-Level Configuration Changes

Now, you will install device-level configuration changes (system templates) on the managed FortiGate devices.

To install device-level changes (system templates)


1. On the FortiManager GUI, click Managed Devices.
2. Select Local-FortiGate and Remote-FortiGate.
3. In the drop-down list, click Install > Install Wizard.

4. Select Install Device Settings (only), and then click Next.

5. Make sure both devices are selected, and then click Next.

6. For Local-FortiGate, click Install Preview.


The preview generates.


Optionally, you can download the preview settings for later reference.

7. Click Close.
8. For Remote-FortiGate, click Install Preview.
The preview generates.

9. Click Close.
10. Make sure both FortiGate devices are selected, and then click Install.
The installation begins.

11. After the installation finishes, click the View Log icon to view and verify what is being installed on each device.


12. In the Install Log window, click Close.


13. Click Finish.
The Config Status for both FortiGate devices should be Synchronized.

Exercise 2: Troubleshoot Policy Import Issues

First, you will view the policies and objects imported into the ADOM database. Objects are stored in the shared
object database of the ADOM, so they can be used by any managed FortiGate device in the same ADOM.

In this exercise, you will diagnose and troubleshoot issues that occur while importing the Remote-FortiGate policy
package.

View the Policy Package and Objects

Because the Local-FortiGate policy package is imported into ADOM1, you will view the Local-FortiGate policy
package and objects imported into the ADOM1 database.

To view the policy package and objects for the Local-FortiGate


1. On the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with the
username student and password fortinet.
2. Click ADOM1.
3. Click Policy & Objects.
4. On the left side of the window, expand Local-FortiGate, and then click IPv4 Policy.

You will see the two policies for Local-FortiGate.

Notice the source address of Test_PC for the Ping_Test firewall policy.

5. On the menu bar, click Object Configurations.

6. On the left side of the window, expand Firewall Objects, and then click Addresses.
7. Review the configuration for the Test_PC firewall address. In the ADOM database, it is set to any interface based
on the configuration imported from Local-FortiGate.

Review Policies and Objects Locally on Remote-FortiGate

You need to import the policies and objects from Remote-FortiGate. But before importing policies and objects,
you will review the policies and objects locally on Remote-FortiGate.

To review policies and objects locally on Remote-FortiGate


1. On the Local-Windows VM, open a browser and log in to the Remote-FortiGate GUI at 10.200.3.1 with the
username admin and password password.
2. Click Login Read-Only.
3. Click Policy & Objects > IPv4 Policy.
4. In the Source column of the ID# 2 firewall policy, hover the mouse over the Test_PC address object.
You will see that the Test_PC address object is bound to the port6 interface.

Remember, the Test_PC address object is bound to any interface in the ADOM database.

5. Log out of Remote-FortiGate.

Import a Policy Package

Now, you will import the policies and objects for Remote-FortiGate into a policy package, and troubleshoot
issues with the policy import.

To import the policy package


1. Return to the FortiManager GUI and click Policy & Objects > Device Manager.

2. Right-click Remote-FortiGate, and then click Import Policy.

3. Make sure the policy package name is Remote-FortiGate.


4. Keep the default values for all other settings, and then click Next.
5. Click Next.
6. Click Next.
Did you notice that the policy import skipped one of the two firewall policies and one firewall address object?


7. Click Download Import Report to view the reason for skipping a firewall policy.
8. Open the file (or save it for future reference).

Did you notice the policy import failed when importing firewall policy 2 and Test_PC address object?

Stop and think!
The following output from the import report gives the reason for this policy import failure:

reason=interface(interface binding contradiction. detail: any<-port6) binding fail)"

What does this error mean? What is the impact? How can you fix this partial policy import issue?

Remember, in the ADOM1 database, the Test_PC firewall address is bound to the any interface, based on
the configuration imported from Local-FortiGate. On the Remote-FortiGate, policy ID 2 is using the Test_
PC firewall address bound to port6 as the source address.

This is the expected behavior on FortiManager because it doesn’t allow the same address object name to
bind to different interfaces.

Because FortiManager imported partial policies in the policy package, if you try to make a change to the
policy package and install it, FortiManager will delete the skipped policies and objects associated with
those policies, along with all unused objects.

You must change the Test_PC firewall address binding to the any interface by locally logging in to Remote-
FortiGate.

9. Close the import report, and then click Finish.

Check the Impact of Partial Policy Import (Optional)

The following two procedures show the impact of making changes to the FortiManager policy package Remote-
FortiGate and then trying to install the policy package. FortiManager will try to delete policy ID 2 and the Test_PC
address object on Remote-FortiGate. FortiManager will also try to delete any unused objects.

If you are already familiar with this behavior, you can skip the following procedures:

• To make configuration changes to the Remote-FortiGate Policy Package (Optional)
• To preview the installation changes (Optional)

To make configuration changes to the Remote-FortiGate Policy Package (Optional)


1. On the FortiManager GUI, click Device Manager > Policy & Objects > Policy Packages.

2. On the left side of the window, click Remote-FortiGate, and then click IPv4 Policy.
You will see that the firewall policy with Test_PC as the source address is not imported.

3. Double-click the Seq# 1 firewall policy.


4. In the Comments field, enter Training, and click OK.

To preview the installation changes (Optional)


1. Ensure IPv4 Policy is selected for the Remote-FortiGate policy package, and then click Install > Re-install
Policy.

2. Click OK.
3. Click Install Preview.
4. Notice that FortiManager is trying to delete the firewall policy with ID=2 and the Test_PC address object.

When installing a policy package for the first time, FortiManager also deletes all
unused objects.

This is the firewall policy with Test_PC as the source address.

5. In the Install Preview window, click Close.


6. Click Cancel.

Fix a Partial Policy Import Issue

You must change the Test_PC firewall address binding to the any interface by logging in to Remote-FortiGate
locally, and then retrieve the updated configuration on FortiManager.

Then, on FortiManager you will be able to import the policy package for Remote-FortiGate.

To make local changes on Remote-FortiGate
1. On the Local-Windows VM, open a browser and log in to the Remote-FortiGate GUI at 10.200.3.1 with the
username admin and password password.
2. Click Login Read-Write.
3. In the warning window, click Yes.
4. Click Policy & Objects > Addresses.

5. Right-click Test_PC, and then select Edit in CLI.

6. Enter the following command on the CLI:


unset associated-interface
end


7. Close the CLI Console window.


8. Edit the Test_PC address.
The Interface field should now show any, because the associated interface was unset.

9. Click Cancel.
10. Log out of Remote-FortiGate.

Retrieve the new configuration from FortiManager

Now, you will retrieve the change made to the Remote-FortiGate on the FortiManager.

To retrieve the Remote-FortiGate configuration change on the FortiManager


1. Return to the FortiManager GUI, and click Device Manager > Managed Devices.
2. Click Remote-FortiGate.

3. In the Configuration and Installation Status widget, click the Revision History icon.

4. Click Retrieve Config.
A new revision is created that contains the modified Test_PC address.

5. Click Close to close the View Retrieve task window.
6. Click Close to close the Configuration Revision History window.

To import the policy package again


1. On the FortiManager GUI, click Managed Devices.
2. Right-click Remote-FortiGate, and then select Import Policy.


3. Select the Overwrite check box.

4. Click Next.
5. Keep the default values for all other settings, and then click Next.
Did you notice that Test_PC appeared as Dynamic Mapping?

FortiManager automatically creates a per-device dynamic mapping when an imported object has the same name as
an existing ADOM database object but different values. The interface binding, however, must be the same as in
the ADOM database, which is why the first import failed before the interface was unset.

6. You will see both firewall policies are imported this time.

7. Click Finish.
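As an added example (not code from the lab guide), the following Python model ties together the two behaviors you
observed in this exercise: the interface binding contradiction explained in the Stop and think! box after the first
import, and the Dynamic Mapping shown during the second import. The rules are the lab's explanation restated as
code, not FortiManager's implementation: an address object whose name already exists in the ADOM database with a
different interface binding fails, and every policy that references it is skipped; an object with the same name and
interface but different values is imported as a per-device dynamic mapping. The subnet values and the policy
address fields are constructed sample data.

```python
"""Interface-binding check during a FortiManager policy import.

Added example, not code from the Fortinet lab guide.  It models the import
rules described in the lab: a name clash with a different interface binding
is rejected (and the policies using that object are skipped), a name clash
with the same interface but different values becomes a per-device dynamic
mapping.  This is a simplified model, not FortiManager's implementation.
"""
import copy

# ADOM1 database after the Local-FortiGate import: Test_PC is bound to "any".
# Subnet values are constructed for the example.
ADOM_DB_AFTER_LOCAL_IMPORT = {
    "all": {"interface": "any", "subnet": "0.0.0.0/0", "dynamic_mapping": {}},
    "Test_PC": {"interface": "any", "subnet": "10.0.1.10/32", "dynamic_mapping": {}},
}

# Remote-FortiGate objects before the fix: Test_PC is bound to port6.
REMOTE_ADDRESSES_BEFORE_FIX = [
    {"name": "all", "interface": "any", "subnet": "0.0.0.0/0"},
    {"name": "Test_PC", "interface": "port6", "subnet": "10.0.3.10/32"},
]

# The same objects after `unset associated-interface` on Remote-FortiGate.
REMOTE_ADDRESSES_AFTER_FIX = [
    {"name": "all", "interface": "any", "subnet": "0.0.0.0/0"},
    {"name": "Test_PC", "interface": "any", "subnet": "10.0.3.10/32"},
]

# Remote-FortiGate's two policies; policy ID 2 uses Test_PC as its source.
REMOTE_POLICIES = [
    {"id": 1, "srcaddr": ["all"], "dstaddr": ["all"]},
    {"id": 2, "srcaddr": ["Test_PC"], "dstaddr": ["all"]},
]


def import_address(adom_db, device, obj):
    """Import one address object into adom_db.  Returns (status, reason)."""
    existing = adom_db.get(obj["name"])
    if existing is None:
        adom_db[obj["name"]] = {"interface": obj["interface"],
                                "subnet": obj["subnet"], "dynamic_mapping": {}}
        return "imported", None
    if existing["interface"] != obj["interface"]:
        # Wording modelled on the reason string in the lab's import report.
        reason = ("interface(interface binding contradiction. detail: "
                  f"{existing['interface']}<-{obj['interface']}) binding fail")
        return "failed", reason
    if existing["subnet"] != obj["subnet"]:
        existing["dynamic_mapping"][device] = {"subnet": obj["subnet"]}
        return "dynamic_mapping", None
    return "imported", None


def import_policy_package(adom_db, device, addresses, policies):
    """Import addresses, then policies; a policy referencing a failed object is skipped.

    adom_db itself is left untouched; the updated copy is returned with the report.
    """
    db = copy.deepcopy(adom_db)
    report = {"addresses": {}, "policies": {}}
    failed = {}
    for obj in addresses:
        status, reason = import_address(db, device, obj)
        report["addresses"][obj["name"]] = (status, reason)
        if status == "failed":
            failed[obj["name"]] = reason
    for policy in policies:
        conflicts = [a for a in policy["srcaddr"] + policy["dstaddr"] if a in failed]
        if conflicts:
            report["policies"][policy["id"]] = ("skipped", failed[conflicts[0]])
        else:
            report["policies"][policy["id"]] = ("imported", None)
    return db, report


if __name__ == "__main__":
    for label, addresses in (("before fix", REMOTE_ADDRESSES_BEFORE_FIX),
                             ("after fix", REMOTE_ADDRESSES_AFTER_FIX)):
        _, report = import_policy_package(ADOM_DB_AFTER_LOCAL_IMPORT, "Remote-FortiGate",
                                          addresses, REMOTE_POLICIES)
        print(label, report)
```

Running the script shows the two outcomes side by side: before the fix, Test_PC fails with the binding
contradiction and policy ID 2 is skipped while policy ID 1 imports; after the fix, Test_PC becomes a dynamic
mapping for Remote-FortiGate and both policies import. The model deliberately imports addresses before
policies, which is why the skipped policy carries the address object's reason string in the report.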

Lab 8: Additional Configuration

The learning goals for this lab are to understand the troubleshooting commands used for FortiGuard
Management, and to learn how to use FortiManager to upgrade the firmware on managed FortiGate devices.

Objectives
• Review the central management configuration on both FortiGate devices
• Understand and run FortiGuard debug commands
• Import the firmware image for FortiGate devices and upgrade using FortiManager

Time to Complete
Estimated: 15 minutes

Exercise 1: FortiGuard Management

In this exercise, you will review the central management settings on FortiGate. Then, you will run the CLI
commands related to FortiGuard diagnostics on FortiManager to understand FortiGuard settings on
FortiManager.

To review central management settings on both FortiGate devices


1. On the Local-Windows VM, open PuTTY and connect over SSH to the LOCAL-FORTIGATE and REMOTE-
FORTIGATE saved sessions.
2. At the login prompt, enter the username admin and password password.
3. Enter the following command:
show system central-management

Your outputs for Local-FortiGate and Remote-FortiGate should look similar to the following examples:

Local-FortiGate:

Remote-FortiGate:

You will see that server-list is configured on both FortiGate devices with the FortiManager IP address,
and include-default-servers is disabled. This means the FortiGate devices use FortiManager for their
FortiGuard services, and access to the public FortiGuard servers is disabled.

Diagnose FortiGuard Issues

Now, you will run CLI commands on FortiManager to verify the FortiGuard configuration in order to troubleshoot
FortiGuard issues.

To diagnose FortiGuard issues


1. On the Local-Windows VM, open PuTTY and connect over SSH to the FORTIMANAGER saved session.
2. At the login prompt, enter the username admin and password password.
3. Run the following commands:
diagnose fmupdate view-serverlist fds

You should see that there is only one default server in the list. FortiManager cannot connect to the public
FDN servers when they are unreachable or the service is disabled. In this lab environment, communication with
the public FortiGuard servers is disabled.
diagnose fmupdate update-status fds

You should see that there is no information on Upullstat, UpullServer, because FortiManager is not
connected to the public FDS, which would provide that information.
diagnose fmupdate dbcontract


FortiManager is operating in a closed network environment and license contracts are uploaded manually on
FortiManager. You should see the contract information, which includes the types of contracts the device
currently has along with the expiry dates.

The same information can be viewed on the FortiGate GUI in the License
Information widget.

Exercise 2: Upgrading FortiGate Firmware Using
FortiManager

You can use FortiManager as your local firmware cache and to upgrade firmware on supported devices. Import only
images downloaded from the Fortinet support portal, and compare the image checksum with the one published there
before you import it.

In this exercise, you will import the firmware image for FortiGate and then upgrade both FortiGate devices using
FortiManager.

To import and upgrade firmware


1. On the Local-Windows VM, open a browser and log in to the FortiManager GUI at 10.0.1.241 with the
username admin and password password.
2. Click ADOM1.
3. Click FortiGuard > Firmware Images > Import Images.

4. Click Import, and then click Browse.


5. Click Desktop > Resources > FortiManager > Additional-Configuration, and then select FGT_VM64-v6-
build0909-FORTINET.out.
6. Click OK.
You will see that the firmware image has been saved on FortiManager.

7. Click FortiGuard > Device Manager.


8. Click Firmware.

9. Select both FortiGate devices and click Upgrade.


10. In the Upgrade to drop-down list, select FGT_VM64-v6-build0909-FORTINET.out.

11. Click OK.


12. Click Continue.
The firmware upgrade process may take several minutes; therefore, leave the Upgrade Firmware Task
window open until the progress bar reaches 100%. After a few minutes, you should see successful firmware
upgrades for both FortiGate devices.

13. Click Close.


14. Optionally, you can open the console connection for Local-FortiGate and Remote-FortiGate to see the firmware
upgrades.

No part of this publication may be reproduced in any form or by any means or used to make any
derivative such as translation, transformation, or adaptation without permission from Fortinet Inc.,
as stipulated by the United States Copyright Act of 1976.
Copyright© 2019 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and
actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written
contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations,and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,
transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
