
FortiGuard Management – FortiManager 5.2

FortiGuard Management

The FortiGuard Distribution Network (FDN) provides FortiGuard services for your FortiManager system and its managed devices and FortiClient agents. The FDN is a world-wide network of FortiGuard Distribution Servers (FDS) which update the FortiGuard services on your FortiManager system on a regular basis so that your FortiManager system is protected against the latest threats.

The FortiGuard services available on the FortiManager system include:

  • Antivirus and IPS engines and signatures
  • Web filtering and email filtering rating databases and lookups (select systems)
  • Vulnerability scan and management support for FortiAnalyzer

To view and configure these services, go to FortiGuard > FortiGuard Management > Advanced Settings.

In FortiGuard Management, you can configure the FortiManager system to act as a local FDS, or use a web proxy server to connect to the FDN. A FortiManager system acting as a local FDS synchronizes its FortiGuard service update packages with the FDN, then serves those updates and rating lookup replies to the FortiGate devices on your private network. The local FDS provides a faster connection, reducing Internet connection load and the time required to apply frequent updates, such as antivirus signatures, to many devices.

As an example, you might enable FortiGuard services to FortiGate devices on the built-in FDS, then specify the FortiManager system’s IP address as the override server on your devices. Instead of burdening your Internet connection with all the devices downloading antivirus updates separately, the FortiManager system would use the Internet connection once to download the FortiGate antivirus package update, then redistribute the package to the devices.

FortiGuard Management also includes firmware revision management. To view and configure firmware options, go to FortiGuard Management > Firmware Images. You can download these images from the Customer Service & Support portal to install on your managed devices or on the FortiManager system.

Before you can use your FortiManager system as a local FDS, you must:

  • Register your devices with Fortinet Customer Service & Support and enable the FortiGuard service licenses. See your device documentation for more information on registering your products.
  • If the FortiManager system’s Unregistered Device Options do not allow service to unregistered devices, add your devices to the device list, or change the option to allow service to unregistered devices. For more information, see the FortiManager CLI Reference. For information about FDN service connection attempt handling or adding devices, see Device Manager.
  • Enable and configure the FortiManager system’s built-in FDS. For more information, see Configuring network interfaces.
  • Connect the FortiManager system to the FDN. The FortiManager system must retrieve service update packages from the FDN before it can redistribute them to devices and FortiClient agents on the device list. For more information, see Connecting the built-in FDS to the FDN.
  • Configure each device or FortiClient endpoint to use the FortiManager system’s built-in FDS as its override server. You can do this when adding a FortiGate system. For more information, see Adding a device.

This section contains the following topics:

  • Advanced settings
  • Configuring devices to use the built-in FDS
  • Configuring FortiGuard services
  • Logging events related to FortiGuard services
  • Restoring the URL or antispam database
  • Package management
  • Query server management
  • Firmware images

For information on current security threats, virus and spam sample submission, and FortiGuard service updates available through the FDN, including antivirus, IPS, web filtering, and email filtering, see the FortiGuard Center website, http://www.fortiguard.com/.

Central VPN Console – FortiManager 5.2

Central VPN Console

When Central VPN Console is selected for VPN Management when creating an ADOM, a VPN Console tree menu item will appear in the Policy & Objects tab under Policy Package. You will need to enable the Show VPN Console option in System Settings > Admin > Admin Settings. You can create VPN topologies in this page. Once you have configured a VPN topology and gateway, you can configure the related firewall policies, preview and install. For more information, see Managing policies.

VPN topology

You can create full meshed, star, and dial up VPN topologies. Once you have created the topology, you can create the VPN gateway.

Create VPN Topology

Configure the following settings:

 

Name Type a name for the VPN topology.  
Description Type an optional description.
Topology Select the topology type from the drop-down list. Select one of:

Full Meshed: Each gateway has a tunnel to every other gateway.

Star: Each gateway has one tunnel to a central hub gateway.

Dial up: Some gateways, often mobile users, have dynamic IP addresses and contact the gateway to establish a tunnel.

IKE Profile Define the IKE profile: configure the IKE Phase 1, IKE Phase 2, Advanced, and Authentication settings.
IKE Phase 1 Define the IKE Phase 1 proposal settings.
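The three topology types above differ in which gateway pairs get a tunnel and in which side can name a peer address. The following Python is an added example, not FortiManager code: it enumerates the phase-1 endpoints each topology implies for a set of gateways, and refuses a full mesh that includes a gateway with a dynamic address, since such a gateway cannot be initiated to. Gateway names, addresses, and the function and parameter names are constructed for the example.

```python
"""Enumerate the IPsec tunnel endpoints a Central VPN Console topology implies.

Added example (not FortiManager code). A gateway with a static address is
given as an IP string; a dial-up peer with a dynamic address is given as None.
"""
from itertools import permutations
from typing import Dict, List, Optional, Tuple

# (gateway that carries the phase-1, peer name, peer address or None when the peer dials in)
Tunnel = Tuple[str, str, Optional[str]]


def plan_tunnels(topology: str, gateways: Dict[str, Optional[str]],
                 hub: Optional[str] = None) -> List[Tunnel]:
    """Return one entry per tunnel endpoint, i.e. per phase-1 a gateway must carry."""
    if topology == "full-mesh":
        dynamic = [g for g, ip in gateways.items() if ip is None]
        if dynamic:
            # every gateway must be able to initiate to every other one
            raise ValueError(f"full mesh needs static addresses, dynamic: {dynamic}")
        # each unordered pair yields two endpoints, one per side
        return [(a, b, gateways[b]) for a, b in permutations(gateways, 2)]

    if topology in ("star", "dial-up"):
        if hub is None or hub not in gateways or gateways[hub] is None:
            raise ValueError("star and dial-up topologies need a hub with a static address")
        tunnels: List[Tunnel] = []
        for spoke, spoke_ip in gateways.items():
            if spoke == hub:
                continue
            if topology == "star" and spoke_ip is None:
                raise ValueError(f"star spoke {spoke} needs a static address; use dial-up")
            # the spoke always initiates towards the hub's static address
            tunnels.append((spoke, hub, gateways[hub]))
            # the hub answers the spoke; for a dynamic spoke it cannot pin a peer address
            tunnels.append((hub, spoke, spoke_ip))
        return tunnels

    raise ValueError(f"unknown topology {topology!r}")


def endpoint_count(topology: str, n_gateways: int) -> int:
    """Number of phase-1 definitions the topology needs in total."""
    if topology == "full-mesh":
        return n_gateways * (n_gateways - 1)
    return 2 * (n_gateways - 1)


# Constructed sample gateways (documentation addresses, not real sites).
SITES = {"hq": "203.0.113.1", "branch-a": "198.51.100.10", "branch-b": "198.51.100.20"}
MOBILE = {"hq": "203.0.113.1", "laptop-1": None, "laptop-2": None}

if __name__ == "__main__":
    for topo, gws, hub in (("full-mesh", SITES, None), ("star", SITES, "hq"), ("dial-up", MOBILE, "hq")):
        print(topo)
        for owner, peer, addr in plan_tunnels(topo, gws, hub):
            print(f"  {owner} -> {peer} ({addr or 'dynamic peer'})")
```

Running it shows why a mesh grows quadratically while star and dial-up grow linearly with the number of spokes, and which hub-side phase-1 definitions must accept a dynamic peer.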

Device Configurations – FortiManager 5.2

Device Configurations

The FortiManager system maintains a configuration repository to manage device configuration revisions. After modifying device configurations, you can save them to the FortiManager repository and install the modified configurations to individual devices or device groups. You can also retrieve the current configuration of a device, or revert a device’s configuration to a previous revision.

This section contains the following topics:

  • Checking device configuration status
  • Managing configuration revision history

Checking device configuration status

In the Device Manager tab, when you select a device, you can view that device’s basic information under the device dashboard. You can also check if the current configuration file of the device stored in the FortiManager repository is in sync with the one running on the device.

If you make any configuration changes to a device directly, rather than through the FortiManager system, the configuration on the device and the configuration saved in the FortiManager repository will be out of sync. In this case, you can resynchronize with the device by retrieving the configuration from the device and saving it to the FortiManager repository.

You can use the following procedures when checking device configuration status on a FortiGate, FortiCarrier, or FortiSwitch.

To check the status of a configuration installation on a FortiGate unit:

  1. Go to the Device Manager tab, then select the ADOM and device group.
  2. In the All FortiGate page, select the FortiGate unit whose configuration status you want to check. The device dashboard for that unit is shown in the right content pane.
  3. In the dashboard, locate the Configuration and Installation Status widget.
  4. Verify the status in the Installation Tracking section of the widget.

Configuration and installation status widget


The following information is shown:

Device Profile The device profile associated with the device. Select Change to set this value.
Database Configuration Select View to display the configuration file of the FortiGate unit.
Total Revisions Displays the total number of configuration revisions and the revision history. Select Revision History to view device history.
Sync Status The synchronization status with the FortiManager.

Synchronized: The latest revision is confirmed as running on the device.

Out_of_sync: The configuration file on the device is not synchronized with the FortiManager system.

Unknown: The FortiManager system is unable to detect which revision (in revision history) is currently running on the device.

Select Refresh to update the Installation Status.

Warning Displays any warnings related to configuration and installation status.

None: No warning.

Unknown configuration version running on FortiGate: FortiGate configuration has been changed!: The FortiManager system cannot detect which revision (in Revision History) is currently running on the device.

Unable to detect the FortiGate version: Connectivity error!

Aborted: The FortiManager system cannot access the device.

Installation Tracking  
Device Settings Status Modified: Some configuration on the device has changed since the latest revision in the FortiManager database. Select Save Now to install and save the configuration.

UnModified: All configuration displayed on the device is saved as the latest revision in the FortiManager database.

Installation Preview Select the icon to display, in a new window, the set of commands that will be used in an actual device configuration installation.
Last Installation Last Installation: The FortiManager system sent a configuration to the device at the time and date listed.
Scheduled Installation Scheduled Installation: A new configuration will be installed on the device at the date and time indicated.
Script Status Select Configure to view script execution history.
Last Script Run Displays the date when the last script was run against the managed device.
Scheduled Script Displays the date when the next script is scheduled to run against the managed device.

FortiManager Wizards – FortiManager 5.2

FortiManager Wizards

The FortiManager Device Manager tab provides you with device and installation wizards to aid you in various administrative and maintenance tasks. Using these tools can help you shorten the amount of time it takes to do many common tasks.

FortiManager offers four wizards:

Add device wizard

Discover: The device will be probed using the provided IP address and credentials to determine the model type and other important information.

Add Model Device: The device will be added using the serial number, firmware version, and other explicitly entered information. You can also select to assign a system template to the provisioned device.

Install wizard

Install Policy Package & Device Settings: Install a specific policy package. Any device specific settings for devices associated with the package will also be installed. You can select to create a revision and schedule the install.

Install Device Settings (only): Install only device settings for a selected set of devices; policy and object changes will not be updated from the last install. This option is only available when launching the Install Wizard in the Device Manager tab.

Install Interface Policy (only): Install interface policy only in a selected policy package. Any device specific settings for devices associated with the package will also be installed.

Import policy wizard

Import device

Re-install policy

Re-install Policy Package: You can right-click on the Config Status column icon in the Device Manager tab to perform a quick install of a policy package without launching the Install wizard.

This section describes each wizard and its usage.

Additional configuration options and short-cuts are available using the right-click menu. Right-click the mouse on different navigation panes on the Web-based Manager page to access these options.

Provisioning Templates – FortiManager 5.2

Provisioning Templates

The Provisioning Templates section of the Device Manager tree menu provides configuration options for System templates, WiFi templates, Threat Weight templates, FortiClient templates, and Certificate templates.

Provisioning templates

Select the ADOM from the drop-down list and select Provisioning Templates in the tree menu.

System templates

The System Templates menu allows you to create and manage device profiles. A system template is a subset of a model device configuration. Each device or device group can be linked with a system template. When linked, the selected settings come from the template, not from the Device Manager database.

By default, there is one generic profile defined. System templates are managed in a similar manner to policy packages. You can use the context menus to create new device profiles. You can configure settings in the widget or import settings from a specific device.

Go to the Device Manager tab, then select Provisioning Templates > System Templates > default in the tree menu to configure system templates.

The following widgets and settings are available:

 

System

Widget Description
DNS Primary DNS Server, Secondary DNS Server, Local Domain Name, IPv6 DNS settings.

Configure in the system template or import settings from a specific device. Select Apply to save the setting.

Hover over the widget heading to select the following options:

  • Import: Import DNS settings from a specific device. Select the device in the drop-down list. Select OK to import settings. Select Apply to save the settings.
  • Refresh: Refresh the information displayed in the widget.
  • Close: Close the widget and remove it from the system template.

Time Settings Synchronize with NTP Server and Sync Interval settings. You can select to use the FortiGuard server or specify a custom server.

Configure in the system template or import settings from a specific device.

Select Apply to save the setting.

Hover over the widget heading to select the following options:

  • Import: Import time settings from a specific device. Select the device in the drop-down list. Select OK to import settings. Select Apply to save the settings.
  • Refresh: Refresh the information displayed in the widget.
  • Close: Close the widget and remove it from the system template.

Alert Email SMTP Server settings including server, authentication, SMTP user, and password.

Configure in the system template or import settings from a specific device.

Select Apply to save the setting.

Hover over the widget heading to select the following options:

  • Import: Import alert email settings from a specific device. Select the device in the drop-down list. Select OK to import settings. Select Apply to save the settings.
  • Refresh: Refresh the information displayed in the widget.
  • Close: Close the widget and remove it from the system template.

Admin Settings Web Administration Ports, Timeout Settings, and Web Administration. Configure in the system template and select Apply to save the setting.

Hover over the widget heading to select the following options:

  • Refresh: Refresh the information displayed in the widget.
  • Close: Close the widget and remove it from the system template.

Workflow Mode – FortiManager 5.2

Workflow Mode

Workflow mode is a global mode that adds an approval or notification workflow to the creation and installation of policy and object changes. Workflow mode is enabled via the CLI only. When workflow mode is enabled, an administrator with the appropriate workflow permissions can approve or reject workflow sessions before they are applied to the database.

When you want to start a workflow, go to the Policy & Objects tab, select the ADOM from the drop-down list, lock the ADOM, and select the Create New Session button. You can then proceed to make changes to policies and objects. When you are done making changes, select the Save button and then the Submit button. Once the session is submitted, the lock is released and other administrators may initiate a session.

The session list allows user to view any pending requests for approval or active sessions. The session list displays details of each session and allows you to browse the changes performed for the selected session.

Enable or disable workflow mode

You can enable or disable workflow mode from the CLI only.

To enable or disable workflow mode:

  1. Select the System Settings tab in the navigation pane.
  2. Go to System Settings > Dashboard.
  3. In the CLI Console widget, type the following CLI commands:

config system global
    set workspace-mode {workflow | disabled}
end

  4. The FortiManager session ends and you must log back into the FortiManager system.


When workspace-mode is workflow, the Device Manager tab and Policy & Objects tab are readonly. You must lock the ADOM to create a new workflow session.

Optionally, you can select to enable or disable ADOM lock override. When this feature is enabled, an administrator can select to unlock an ADOM that is locked by another administrator.

To enable or disable ADOM lock override:

  1. Select the System Settings tab in the navigation pane.
  2. Go to System Settings > Dashboard.
  3. In the CLI Console widget, type the following CLI commands:

config system global
    set lock-preempt {enable | disable}
end

Workflow sessions

When you want to start a workflow, go to the Policy & Objects tab, select the ADOM from the drop-down list, lock the ADOM, and select the Create New Session button in the Session List dialog box. Type a name for the session and select OK. You can then proceed to make changes to policy packages and objects. When you are done making changes, select the Save button and then the Submit button in the toolbar. In the Submit for Approval dialog box, type a comment and the notification email address. Once the session is submitted, the lock is released and other administrators may initiate a session.

Administrators with the appropriate permissions can approve or reject any pending requests. When viewing the session list, they can choose any session that is pending and click the Approve or Reject button, and they can add a note to the approval or rejection response. The system sends a notification to the administrator that submitted the session. If the session was approved, no further action is required. If the session was rejected, the submitting administrator must log on and repair their changes. Once they create a session for the repair, they make the repair on top of the last session's changes.

To start a workflow session:

  1. Select the Policy & Objects tab in the navigation pane.
  2. Select the ADOM from the drop-down list.
  3. Select Lock ADOM in the toolbar. The lock icon changes to a locked state and the Session List window is displayed.
  4. Select the Create New Session button, type a name for new session, type optional comments, and select OK to start the session.
  5. Make the required changes to the policy packages and objects and select Sessions > Submit in the toolbar to submit the changes for approval. The Submit for Approval dialog box is displayed.

Enter the following:

Comments Type a comment for the session.
Attach configuration change details Select to attach configuration change details to the email.

 

  6. Select OK to submit the session for approval.

The session is submitted for approval, an email is sent to the approver, and the ADOM is returned to an unlocked state. An ADOM revision is created for the workflow session.

To approve, reject, or repair a workflow session:

  1. Select the Policy & Objects tab in the navigation pane.
  2. Select the ADOM from the drop-down list.
  3. Select Lock ADOM in the toolbar. The lock icon changes to a locked state and the Session List window is displayed. Alternatively, select Sessions > Session List from the toolbar.

The following information is displayed:

ID The session identifier.
Status The session status. One of the following:

Waiting Approval: The session is waiting to be reviewed and approved.

Approved: The workflow session was approved by the approver.

Rejected: The workflow session was rejected by the approver.

Repaired: The rejected workflow session was repaired. When a rejected session is repaired, a new session ID is created for the repaired session.

Name The user defined name that identifies the session.
User The name of the administrator who created the session.
Date Submitted The date and time that the session was submitted for approval.
Comments Select a session in the list to view or add comments to the session. The comments box displays comments from the session creator. The session approver can add comments.
Create New Session Select to create a new workflow session.
Continue Without Session Select to continue without starting a new session. When a new session is not started, all policies and objects are read-only.

Right-clicking on a session in the list opens a pop-up menu with the following options:

Approve Select Approve when the session status is Waiting Approval.
Reject Select Reject when the session status is Waiting Approval. A rejected session must be repaired before the next session in the list can be approved.
Repair Select Repair when the session status is Rejected. A repaired session results in a new session being created for the repair. This session is added after the last session in the list.
View Diff Select View Diff to view the difference between the two revisions. You can select to download the revision in a CSV file to your management computer.

  4. Select Approve, Reject, Repair, or View Diff.
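The rules spread across the procedures above (lock before editing, submit releases the lock, a rejected session blocks approval of the sessions after it, a repair is a new session appended after the last one, and lock-preempt lets one administrator take another's lock) combine into a small state machine. The following Python is an added example, not FortiManager code, that models that state machine in memory so the interaction of the rules can be exercised. The administrator names, the APPROVERS set, the "Editing" state for a session that has not yet been submitted, and the rule that an administrator cannot approve their own session are constructed assumptions for the example; the page does not state them.

```python
"""In-memory model of FortiManager workflow-mode session rules (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Set


class WorkflowError(Exception):
    """Raised when an operation violates the workflow rules."""


@dataclass
class Session:
    id: int
    name: str
    user: str
    status: str = "Editing"          # Editing -> Waiting Approval -> Approved / Rejected -> Repaired
    repair_of: Optional[int] = None  # set on the new session created by a repair


class Adom:
    def __init__(self, name: str, approvers: Set[str], lock_preempt: bool = False):
        self.name = name
        self.approvers = approvers          # admins with workflow approve permission (assumption)
        self.lock_preempt = lock_preempt    # CLI: set lock-preempt enable
        self.locked_by: Optional[str] = None
        self.sessions: List[Session] = []   # in creation order, as in the Session List
        self.revisions: List[int] = []      # one ADOM revision per submitted session
        self._next_id = 1

    def lock(self, admin: str) -> None:
        if self.locked_by not in (None, admin) and not self.lock_preempt:
            raise WorkflowError(f"{self.name} is locked by {self.locked_by}")
        self.locked_by = admin              # with lock-preempt this overrides another admin's lock

    def create_session(self, admin: str, name: str) -> Session:
        if self.locked_by != admin:
            raise WorkflowError("lock the ADOM before creating a session")
        session = Session(self._next_id, name, admin)
        self._next_id += 1
        self.sessions.append(session)
        return session

    def submit(self, admin: str, session: Session) -> None:
        if self.locked_by != admin or session.user != admin or session.status != "Editing":
            raise WorkflowError("only the lock holder can submit their own open session")
        session.status = "Waiting Approval"
        self.revisions.append(session.id)   # an ADOM revision is created for the session
        self.locked_by = None               # submitting releases the lock

    def _check_approver(self, approver: str, session: Session) -> None:
        if approver not in self.approvers:
            raise WorkflowError(f"{approver} lacks workflow approve permission")
        if session.status != "Waiting Approval":
            raise WorkflowError(f"session {session.id} is {session.status}")
        if approver == session.user:        # assumption: separation of duties
            raise WorkflowError("an administrator cannot approve their own session")

    def approve(self, approver: str, session: Session) -> None:
        self._check_approver(approver, session)
        for earlier in self.sessions:       # a rejected session earlier in the list blocks this one
            if earlier is session:
                break
            if earlier.status == "Rejected":
                raise WorkflowError(f"session {earlier.id} must be repaired first")
        session.status = "Approved"

    def reject(self, approver: str, session: Session) -> None:
        self._check_approver(approver, session)
        session.status = "Rejected"

    def repair(self, admin: str, session: Session) -> Session:
        if session.status != "Rejected":
            raise WorkflowError("only rejected sessions can be repaired")
        self.lock(admin)
        new = self.create_session(admin, f"repair of {session.name}")
        new.repair_of = session.id          # the repair is a fresh session after the last one
        session.status = "Repaired"
        return new


def violates(fn, *args) -> bool:
    """True when fn(*args) is refused by the workflow rules."""
    try:
        fn(*args)
    except WorkflowError:
        return True
    return False
```

The blocking rule in approve() is the one worth noticing: once an approver rejects a session, every later session in the list is held until the rejected one is repaired, so a rejected change cannot be silently superseded by a later submission.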

Fortinet Management Theory

Fortinet Management Theory

FortiManager is an integrated platform for the centralized management of products in a Fortinet security infrastructure. A FortiManager provides centralized policy-based provisioning, configuration and update management for FortiGate (including FortiGate, FortiWiFi, and FortiGate VM), FortiCarrier, FortiSwitch, and FortiSandbox devices.

To reduce network delays and minimize external Internet usage, a FortiManager installation can also act as an on-site FortiGuard Distribution Server (FDS) for your managed devices and FortiClient agents to download updates to their virus and attack signatures, and to use the built-in web filtering and email filter services.

The FortiManager scales to manage up to 5,000 devices and virtual domains (VDOMs) from a single FortiManager interface. It is primarily designed for medium to large enterprises and managed security service providers.

Using a FortiManager device as part of an organization’s Fortinet security infrastructure can help minimize both initial deployment costs and ongoing operating expenses. It allows fast device provisioning, detailed revision tracking, and thorough auditing.

Key features of the FortiManager system

Configuration revision control and tracking

Your FortiManager unit records and maintains the history of all configuration changes made over time. Revisions can be scheduled for deployment or rolled back to a previous configuration when needed.

Centralized management

FortiManager can centrally manage the configurations of multiple devices from a single console. Configurations can then be built in a central repository and deployed to multiple devices when required.

Administrative domains

FortiManager can segregate management of large deployments by grouping devices into geographic or functional ADOMs. See Administrative Domains.

Local FortiGuard service provisioning

A FortiGate device can use the FortiManager unit for antivirus, intrusion prevention, web filtering, and email filtering to optimize performance of rating lookups, and definition and signature downloads. See FortiGuard Management.

Firmware management

FortiManager can centrally manage firmware images and schedule managed devices for upgrade.

 

Scripting

FortiManager supports CLI or Tcl based scripts to simplify configuration deployments. See Scripts.

Logging and reporting

FortiManager can also be used to log traffic from managed devices and generate Structured Query Language (SQL) based reports. FortiManager also integrates FortiAnalyzer logging and reporting features.

Fortinet device life cycle management

The management tasks for devices in a Fortinet security infrastructure follow a typical life cycle:

  • Deployment: An administrator completes configuration of the Fortinet devices in their network after initial installation.
  • Monitoring: The administrator monitors the status and health of devices in the security infrastructure, including resource monitoring and network usage. External threats to your network infrastructure can be monitored and alerts generated to advise.
  • Maintenance: The administrator performs configuration updates as needed to keep devices up-to-date.
  • Upgrading: Virus definitions, attack and data leak prevention signatures, web and email filtering services, and device firmware images are all kept current to provide continuous protection for devices in the security infrastructure.

Inside the FortiManager system

FortiManager is a robust system with multiple layers to allow you to effectively manage your Fortinet security infrastructure.

Device Manager tab

The Device Manager tab contains all ADOMs, and devices. You can create new ADOMs, device groups, provision and add devices, install policy packages and device settings. See Device Manager.

Policy & Objects tab

The Policy & Objects tab contains all of your global and local policy packages and objects that are applicable to all ADOMs, and configuration revisions. See Policy & Objects.

System Settings tab

The System Settings tab enables the configuration of system settings and monitors the operation of your FortiManager unit. See System Settings.

 

Inside the FortiManager device manager tab

Global ADOM layer

The global ADOM layer contains two key pieces: the global object database and all header and footer policies.

Header and footer policies are used to envelop policies within each individual ADOM. These are typically invisible to users and devices in the ADOM layer. An example of where this would be used is in a carrier environment, where the carrier would allow customer traffic to pass through their network but would not allow the customer to have access to the carrier’s network assets.

ADOM layer

The ADOM layer is where the FortiManager manages individual devices or groups of devices. It is inside this layer where policy packages and folders are created, managed and installed on managed devices. Multiple policy packages can be created here, and they can easily be copied to other ADOMs to facilitate configuration or provisioning of new devices on the network. The ADOM layer contains one common object database per ADOM, which contains information such as addresses, services, antivirus and attack definitions, and web filtering and email filter.

Device manager layer

The device manager layer records information on devices that are centrally managed by the FortiManager unit, such as the name and type of device, the specific device model, its IP address, the current firmware installed on the unit, the device’s revision history, and its real-time status.