FCP - FortiManager Administrator 7.4 - Study Guide

The FortiManager 7.4 Administrator Study Guide provides comprehensive information on managing Fortinet devices through FortiManager, emphasizing its key features such as centralized management, configuration revision control, and device provisioning. It outlines the initial configuration process, security recommendations, and the use of administrative domains (ADOMs) for organizing devices. The guide also includes details on logging and reporting capabilities, as well as the integration with FortiAnalyzer for enhanced log management.

DO NOT REPRINT

© FORTINET

FortiManager Administrator
Study Guide
FortiManager 7.4
Fortinet Training Institute - Library

https://training.fortinet.com

Fortinet Product Documentation

https://docs.fortinet.com

Fortinet Knowledge Base

https://kb.fortinet.com

Fortinet Fuse User Community

https://fusecommunity.fortinet.com/home

Fortinet Forums

https://forum.fortinet.com

Fortinet Product Support

https://support.fortinet.com

FortiGuard Labs

https://www.fortiguard.com

Fortinet Training Program Information

https://www.fortinet.com/nse-training

Fortinet | Pearson VUE

https://home.pearsonvue.com/fortinet

Fortinet Training Institute Helpdesk (training questions, comments, feedback)

https://helpdesk.training.fortinet.com/support/home

12/18/2023

TABLE OF CONTENTS

01 Introduction and Initial Configuration 4
02 Administration and Management 40
03 Device Registration 81
04 Device-level Configuration and Installation 123
05 Policies and Objects 166
06 Global Database ADOM and Central Management 218
07 Diagnostics and Troubleshooting 237
08 Additional Configuration 288
Introduction and Initial Configuration

DO NOT REPRINT
© FORTINET

In this lesson, you will learn about the key features of FortiManager and how FortiManager fits into your
existing network infrastructure.

FortiManager 7.4 Administrator Study Guide 4

In this lesson, you will learn about the topics shown on this slide.

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in understanding FortiManager key features and concepts, you will be able to
use FortiManager more effectively in your network.

In large enterprises and managed security service providers (MSSPs), the size of the network introduces
challenges that smaller networks don’t have. Some of these challenges include mass provisioning, scheduling
rollout of configuration changes, and maintaining, tracking, and auditing many changes.

FortiManager provides automation-driven centralized management of your Fortinet devices from a single
console. Centralized management through FortiManager can help you to more easily manage many
deployment types with many devices, and to reduce cost of operation.

What can FortiManager do?

• Provision firewall policies across your network
• Act as a central repository for configuration revision control and security audits
• Deploy and manage complex mesh and star IPsec VPNs
• Act as a private FortiGuard Distribution Network (FDN) server for your managed devices
• Automate device provisioning and keep track of policy changes

FortiManager can help you to better organize and manage your network. Key features of FortiManager
include:

• Centralized management: Instead of logging in to hundreds of FortiGate devices individually, you can use
FortiManager to manage them all from a single console.
• ADOMs: FortiManager can group devices into geographic or functional ADOMs, ideal if you have a large
team of network security administrators.
• Configuration revision control: Your FortiManager keeps a history of all configuration changes. You can
schedule FortiManager to deploy a new configuration or revert managed devices to a previous
configuration.
• Local FortiGuard service provisioning: To reduce network delays and minimize internet bandwidth usage,
your managed devices can use FortiManager as a private FortiGuard server.
• Firmware management: FortiManager can schedule firmware upgrades for managed devices.
• Scripting: FortiManager supports CLI-based and Tcl-based scripts to simplify configuration deployments.
• Manager panes (VPN, FortiAP, FortiSwitch, Fabric View): FortiManager management panes simplify the
deployment and administration of VPN, FortiAP, FortiSwitch, and Fabric View.
• Logging and reporting: Managed devices can store logs on FortiManager. From that log data, you can
generate SQL-based reports, because FortiManager has many of the same logging and reporting features
as FortiAnalyzer.
• MEAs: Allow you to enable licensed applications that are released and signed by Fortinet. The applications
are installed and run on FortiManager as Docker containers. Refer to the FortiManager administrator guide
for more details.

FortiManager administrators can use administrative domains (ADOMs) to group devices logically, and then
specify which administrators can manage them. For example, you can create an ADOM for each branch
office, and then restrict administrators to manage devices only on their assigned branches.

ADOMs can be used in two device modes: normal or advanced. When advanced mode is enabled, you can
assign different FortiGate virtual domains (VDOMs) to different ADOMs.

Administrator accounts can be tied to one or more ADOMs and can only manage those devices or VDOMs
that belong to the ADOMs to which they are assigned.

Administrator accounts with the Super_User profile, such as the admin account, can manage all ADOMs and
the devices within them.

You can add and then manage most of the FortiAnalyzer features from FortiManager. This is the
recommended solution for environments with a high volume of logs.

After you add a FortiAnalyzer device, the following panes are enabled automatically on FortiManager:

• FortiView and LogView: Provide visibility of FortiAnalyzer logs
• Incidents & Events: Allows you to manage FortiAnalyzer incidents, events, handlers, and work with the
Threat Hunting tool and Outbreak Alerts, when available
• Reports: Allow you to manage FortiAnalyzer reports

FortiManager can manage multiple FortiAnalyzer devices, but each FortiAnalyzer must be in its own ADOM.
You can add the same FortiAnalyzer device to more than one ADOM. When you do this, the FortiAnalyzer
features and visibility in the ADOM are limited to the logging devices included in that ADOM.

Note that you cannot enable advanced ADOM mode when FortiManager is managing FortiAnalyzer.
Advanced ADOM mode is discussed later in this course.

FortiManager can act as a logging and reporting device for your network when you manually enable
FortiAnalyzer features. Keep in mind that FortiManager requires additional resources (CPU, memory, disk
space) to process and store logs and reports.

Additionally, logging rate restrictions considerably reduce the supported log rates compared to the capabilities
of FortiAnalyzer. For example, the highest log rate FortiManager supports is 150 logs/second. However,
FortiAnalyzer’s lowest supported log rate is 500 logs/second, and it can reach 150,000 logs/second in high-
end models.

Another restriction is that the licensing for FortiAnalyzer features is not stackable. For these reasons, this
solution is feasible only for environments that have a low volume of logs. For example, it could be used for
testing purposes. For high log volumes, you should use a dedicated FortiAnalyzer.

When you enable FortiAnalyzer features, all log and storage settings are configured on FortiManager. This
means that you must specify how much disk space to use, and for how long to store the logs for each ADOM.
You can monitor disk utilization for each ADOM and adjust storage settings for logs, as needed.

If FortiAnalyzer features are enabled, you cannot add FortiAnalyzer to FortiManager. You will also not be able
to configure FortiManager high availability (HA).

Inside FortiManager there are several management layers that are represented as panes in the GUI.

The default panes include:

• Device Manager: To add and authorize devices, create device configuration changes and install device
and policy packages.
• Policy & Objects: To centralize the management of firewall policies, objects, and security profiles,
among others
• VPN Manager: To view and configure IPsec VPN and SSL-VPN settings that you can install to one or more
devices
• AP Manager: To manage FortiAP access points that are controlled by FortiGate devices
• FortiSwitch Manager: To manage FortiSwitch devices that are controlled by FortiGate devices
• Extender Manager: To manage connected FortiExtenders
• Fabric View: To view Security Fabric Ratings of configurations for FortiGate Security Fabric groups, as well
as create fabric connectors
• FortiGuard: To provide FortiGuard services for your FortiManager system and its managed devices and
FortiClient agents
• System Settings: To manage system options for your FortiManager device

Other panes can be added depending on the requirements of your network, for example, when you add
FortiAnalyzer features.

Good job! You now understand FortiManager key features and concepts.

Now, you will learn how to initially configure FortiManager.

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in the initial configuration of FortiManager, you will be able to add
FortiManager to your network and perform basic administrative tasks.

Often, your first consideration is where you should place FortiManager in your network.

Typically, you should deploy FortiManager behind a firewall, such as FortiGate. On the perimeter firewall,
allow only relevant ports in the firewall policy for FortiManager. If administrators or remote FortiGate devices
will make inbound connections to FortiManager from outside your local network, such as from the internet,
create a virtual IP.

To safeguard against losing access if your network is down, connect your management computer directly to
FortiManager or through a switch.

You can operate FortiManager as a local FortiGuard Distribution Service (FDS) server for managed devices
with no internet connectivity.

More complex scenarios may require the use of several FortiManager devices. This slide illustrates two
possible topologies that can be used in such scenarios.

In both examples, only one FortiManager is connected to the internet, and it is the one that downloads the
updates from FortiGuard. There are two modes for distributing those updates to the rest of the devices:

• Cascade mode: The main FortiManager device is connected to the other devices, and they download the
updates directly from it. FortiGate devices can then download the updates from their associated
FortiManager device.
• Air gap mode: Since there is no connection between the main FortiManager device and the rest of the
devices, the downloaded packages must be exported and then imported into the other FortiManager
devices. FortiGate devices can then download the updates from their associated FortiManager.

Knowing which ports FortiManager uses can help you analyze, diagnose, and resolve common network
issues. This is especially true if your FortiManager device is deployed behind a firewall.

FortiManager uses many TCP and UDP ports to perform tasks. The table shown on this slide includes some
of the ports used by FortiManager to manage FortiGate devices. Visit https://docs.fortinet.com for the
complete list of ports.

By default, the standard management ports are:

• HTTP: port 80 (TCP)
• HTTPS: port 443 (TCP)
• SSH: port 22 (TCP)

Your FortiManager manages all your Fortinet network security devices, so it is vital that this device, and its
data, are properly protected.

Here are some security recommendations:

• Deploy your FortiManager in a protected and trusted private network. It should never be deployed directly
on the internet.
• Always use secure connection methods for management: HTTPS for web-based management or SSH for
the CLI. Insecure methods like HTTP are strongly discouraged.
• Use trusted hosts to allow logins only from specific locations.
• If you need to open outside access to the device so that remote devices can connect, open only the
required ports. If you need to open direct login access from the outside, be sure to set up dedicated user
accounts for this purpose.
• Ensure that you use secure, strong passwords, and a password policy to enforce their use. You can enable
and configure the following password policy settings:
  • Minimum Length: Specify the minimum number of characters that a password must contain, from 8 to
  32. The default is 8.
  • Must Contain: Specify the types of characters a password must contain.
  • Admin Password Expires after: Specify the number of days a password is valid for. When the
  time expires, the administrator is prompted to enter a new password.
• Check event logs frequently.
• Configure an external syslog server and an email server for quick notifications.

It is important to know the factory default settings, such as the default username and password, the IP
address of port1, netmask, and default supported management access protocols, so that you can initially
connect and configure FortiManager for your network.

Different FortiManager models have different numbers of ports, but port1 is the management port and will
always have the IP address 192.168.1.99 configured by default.

If you are deploying a FortiManager in the cloud, the management IP address and its assignment depend on
the cloud provider you use.

To log in to the FortiManager GUI for the first time, open a browser and enter the URL
https://<factory default IP address>. After the login screen appears, use the factory default administrator
credentials to log in. The default credentials are the username admin and a blank password.

After you log in for the first time, the FortiManager Setup Wizard is displayed.

When you log in to FortiManager for the first time, the FortiManager Setup wizard displays to help you set up
FortiManager by performing the following actions:

• Register with FortiCare and enable FortiCare single sign-on
• Specify a hostname
• Change your password
• Upgrade the firmware

The FortiManager Setup wizard requires that you complete the Register and SSO with FortiCare step before
you can access the FortiManager appliance or VM. This step requires internet access, unless FortiManager is
operating in a closed network, in which case you must request account entitlement files from Fortinet
Customer Service & Support for devices, and then upload the files using this wizard, or later from the
FortiGuard pane.

When you complete an action, a green check mark displays beside it in the wizard. Once all actions are
configured the wizard no longer displays after you log in to FortiManager.

The initial configuration of FortiManager is very similar to FortiGate. To configure FortiManager for your
network, you must set the IP address and netmask, select supported administrative access protocols, and
specify a default gateway. You can do all of this from the Network page.

Port1, the management interface, has a default IP address and netmask: 192.168.1.99/24. If your
management subnet uses a different subnet, or uses IPv6, change these settings accordingly. The IP address
must be a unique static IP address. Additionally, enter the IP address of the next hop router in Gateway, and
specify your DNS servers. By default, FortiGuard DNS servers are configured in the DNS settings, to help
guarantee connectivity for FortiGuard downloads and queries. However, you can specify a local DNS server
instead.

Service access lets you enable, on each interface, FortiManager's response to requests from managed devices
for FortiGuard services. This includes FortiGate updates and web filtering. By default, all services to
managed devices are enabled on port1 and disabled on the other ports.

ADOMs are not enabled by default and can be enabled (or disabled) only by an administrator that has the
Super_User profile.

After you change the ADOM mode, the system logs you out so that it can reinitialize with the new settings.
When you log in with ADOMs enabled, you must select the ADOM you want to manage from your list of
configured ADOMs. You can easily switch between ADOMs by clicking the ADOM list on the upper-right side
of the GUI.

The maximum number of ADOMs varies by FortiManager physical model or VM license.

With ADOMs enabled, administrators with the Super_User profile have access to the ADOMs page, where all
default ADOMs and custom ADOMs the administrator created appear.

If the default ADOMs do not fit your requirements, you can create your own.

The ADOM type you create must match the device type you are adding later. For example, if you want to
create an ADOM for FortiGate devices, you must select FortiGate as the ADOM type. The exception to this
rule is the Fabric type, which allows you to add FortiGate devices and other types of devices. Additionally,
you must select the firmware version for each new ADOM. This is because different firmware versions have
different features, and therefore may use different CLI syntax. Your ADOM settings must match the device
firmware.

The default ADOM operation mode is Normal. In the Central Management field, you can select VPN to
centrally manage IPsec VPNs for all managed devices in that ADOM. By default, FortiAP and FortiSwitch
central management are selected.

Good job! You now understand how to initially configure FortiManager.

Now, you will examine some of the use cases for FortiManager, based on different organizations.

After completing this section, you should be able to achieve the objective shown on this slide.

By understanding FortiManager use cases, you will be able to see the different ways in which FortiManager is
commonly used in other organizations and, if applicable, employ some of these strategies.

One common FortiManager use case involves large retail customers or distributed enterprises, because they
tend to have many smaller customer premises equipment (CPE) devices in their branches, plus remote sites,
and several main sites. These customers benefit from centralized firewall provisioning and monitoring.

In large-scale enterprise deployments, administrators usually prefer a basic initial configuration that the
installation technician loads through a USB memory stick, or copies and pastes into the console. This basic
configuration allows FortiGate to contact FortiManager, where the administrator can add it to the appropriate
device group or ADOM, and then send the full configuration to that FortiGate.

Another common use case involves MSSPs.

Carriers often have many powerful firewalls and require strict configuration control, which is achievable by
restricting configuration from the FortiManager. MSSPs may subdivide their firewalls into virtual firewalls that
they provide to customers, or they may manage devices on customer premises. In both cases, they need to
maintain configuration revisions for the customer and, optionally, provide a portal where customers can view
or edit some of their settings.

Another important use case for MSSPs is being able to determine (or report) which firewall or configuration
objects are in use or not in use. Firewall policies change over time and associated objects are substituted for
other new objects. However, administrators often want to keep the old objects temporarily, in case they need
to revert changes. Eventually, unused objects clutter the FortiGate configuration, making it harder to
understand and troubleshoot. So, performing periodic clean-ups of these orphan configuration objects is
useful.

FortiManager allows MSSPs to avoid the overhead of perpetual licenses using the Fortinet VM On-Demand
Program with auto-scaling. When an auto-scale event is triggered, the public cloud platform will launch a new
FortiGate-VM and it will appear automatically on FortiManager as an authorized device in the Device
Manager. When a scale-in event occurs, the device will be automatically removed from FortiManager.

As shown on this slide, different organizations may use FortiManager ADOMs and policy packages differently.

In a retail organization, you may have a single ADOM with many FortiGate devices, or multiple ADOMs with
one FortiGate each. In the case of MSSPs, each customer’s FortiGate devices are placed in their dedicated
ADOM.

We will cover these topics in detail so you can have the practical skills necessary to manage devices for
diverse organizations.

The FortiManager JSON API allows you to perform configuration and monitoring operations on a
FortiManager appliance or VM. The JSON API is based on JSON-RPC, a remote procedure call protocol
encoded in JSON. The API allows you to do many of the same tasks as the FortiManager GUI using
FortiPortal or other third-party applications. It allows MSSPs and large enterprises to create customized,
branded web portals for FortiManager administration, without directly logging in to FortiManager. This method
is very useful in an MSSP environment, where many MSSP customers need their own portal to access
FortiManager.

The client must send standard HTTP POST requests to the fixed URL
https://<FortiManagerIP>/jsonrpc. FortiManager must be configured to accept HTTPS requests
and have an administrative user with rpc-permit set to read-write. This is the account that you use for the
initial authentication of your requests.

Within the body of the JSON request, the following methods are supported: get, add, update, delete, set,
move, clone, and exec.

When a client makes an HTTP request, FortiManager responds by returning the requested data in JSON
format. This process is similar to what happens when a web browser requests a web page from a server, and
then the server responds with the web page in HTML format.

The Fortinet Developer Network (FNDN) provides access to tools, sample code, documentation, and the
Fortinet developer community when you subscribe. You can also get more details from the Fortinet document library.

As shown on this table, the API returns an HTTP status code to indicate the status of the request.

This slide shows an example of a login request sent, and the response received. After successfully
authenticating, you receive a session ID in the response that you can use as an authentication token for
subsequent API requests. Notice that the method used in the body is exec.

Although it is not shown on the slide, remember that all requests are sent as a standard HTTP POST
message to https://<FortiManagerIP>/jsonrpc.

The API example on this slide shows a request for the installation targets of the policy package named Packg1,
in the ADOM named ADOM1. Notice that this example uses the get method in the JSON body. The session ID
is included to authenticate the request.

The response shows that the device named FG-BR01 is the target for that policy package.

This slide shows an example of a logout request sent, and the response received.

It is recommended that you always log out after you finish working. If you do not log out, the session stays
active until the configured timeout expires.
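As an added illustration of the login, get, and logout exchange described on the preceding slides (this is not the study guide's or Fortinet's own code): every call is a POST to /jsonrpc, the exec login returns a session ID that later requests carry, and the get for Packg1 in ADOM1 returns FG-BR01. The request URLs (/sys/login/user, /sys/logout, /pm/pkg/adom/<adom>/<pkg>), the "scope member" field, the status codes, and the offline stand-in are assumptions constructed for the demo, not taken from the slides.

```python
import json
import ssl
import urllib.request
from itertools import count
from typing import Any, Callable, Optional

# A transport takes one JSON-RPC request body and returns the parsed JSON reply.
Transport = Callable[[dict], dict]


def https_transport(base_url: str) -> Transport:
    # Real transport: POST every request to https://<FortiManagerIP>/jsonrpc.
    def send(body: dict) -> dict:
        req = urllib.request.Request(
            base_url.rstrip("/") + "/jsonrpc",
            data=json.dumps(body).encode(),
            headers={"Content-Type": "application/json"},
            method="POST",
        )
        # ssl.create_default_context() verifies the server certificate; keep it that way.
        with urllib.request.urlopen(req, context=ssl.create_default_context(), timeout=30) as resp:
            return json.load(resp)
    return send


class FortiManagerRpc:
    def __init__(self, transport: Transport):
        self._send = transport
        self._ids = count(1)  # JSON-RPC request ids, used to match replies
        self.session: Optional[str] = None  # session ID returned by login

    def call(self, method: str, url: str, data: Any = None) -> dict:
        """Send one request (get, exec, ...) and return its first result after checking status."""
        param: dict = {"url": url}
        if data is not None:
            param["data"] = data
        body: dict = {"method": method, "params": [param], "id": next(self._ids)}
        if self.session:  # login is the only call made without a session
            body["session"] = self.session
        reply = self._send(body)
        if reply.get("id") != body["id"]:
            raise RuntimeError("reply id does not match request id")
        result = reply["result"][0]
        status = result.get("status", {})
        if status.get("code", 0) != 0:
            raise RuntimeError(f"{method} {url} failed: {status.get('message')}")
        if reply.get("session"):
            self.session = reply["session"]
        return result

    def login(self, user: str, passwd: str) -> str:
        # Assumed URL. The password travels only in the request body; it is never logged.
        self.call("exec", "/sys/login/user", {"user": user, "passwd": passwd})
        if not self.session:
            raise RuntimeError("login reported success but returned no session ID")
        return self.session

    def install_targets(self, adom: str, package: str) -> list:
        # Assumed URL and field name for a policy package's installation targets.
        result = self.call("get", f"/pm/pkg/adom/{adom}/{package}")
        return [m["name"] for m in result.get("data", {}).get("scope member", [])]

    def logout(self) -> None:
        try:
            self.call("exec", "/sys/logout")  # assumed URL
        finally:
            self.session = None  # never reuse the session after logout, even if it failed


def fake_fortimanager() -> Transport:
    """Constructed offline stand-in for FortiManager; its error codes are invented for this demo."""
    state = {"session": None}

    def reply(rid: int, url: str, code: int, message: str, **extra) -> dict:
        return {"id": rid, "result": [{"status": {"code": code, "message": message}, "url": url, **extra}]}

    def send(body: dict) -> dict:
        rid, url = body["id"], body["params"][0]["url"]
        if url == "/sys/login/user":
            if body["params"][0].get("data") != {"user": "admin", "passwd": "example-only"}:
                return reply(rid, url, -22, "Login fail")
            state["session"] = "constructedSessionToken"
            return {**reply(rid, url, 0, "OK"), "session": state["session"]}
        if state["session"] is None or body.get("session") != state["session"]:
            return reply(rid, url, -11, "No permission for the resource")
        if url == "/pm/pkg/adom/ADOM1/Packg1":
            return reply(rid, url, 0, "OK",
                         data={"name": "Packg1", "scope member": [{"name": "FG-BR01", "vdom": "root"}]})
        if url == "/sys/logout":
            state["session"] = None
            return reply(rid, url, 0, "OK")
        return reply(rid, url, -3, "Object does not exist")
    return send


def demo_session(transport: Transport) -> list:
    """Log in, read Packg1's installation targets in ADOM1, and always log out."""
    fmg = FortiManagerRpc(transport)
    fmg.login("admin", "example-only")
    try:
        return fmg.install_targets("ADOM1", "Packg1")
    finally:
        fmg.logout()
```

Against a real appliance, replace `fake_fortimanager()` with `https_transport("https://<FortiManagerIP>")`; the session is released in `finally` so it does not linger until the idle timeout.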

Congratulations! You have completed this lesson. Now, you will review the objectives that you covered in this
lesson.

This slide shows the objectives covered in this lesson.

By mastering the objectives covered in this lesson, you learned the basics of FortiManager and how to use it
in your network.

Administration and Management

In this lesson, you will learn how to set up and administer FortiManager. You will also learn how to use
features that are critical to day-to-day use, such as ADOM locks, administrative access controls, and
configuration backup and restore.

In this lesson, you will learn about the topics shown on this slide.

After completing this section, you should be able to achieve the objective shown on this slide.

By demonstrating competence in ADOMs, you will be able to organize FortiGate devices effectively within
FortiManager.

When you create or configure ADOMs, you can choose between two operation modes: normal or backup.

By default, ADOMs run in normal operation mode which keeps all management panes available. An ADOM in
normal operation mode is read-write, which allows you to make configuration changes to managed devices
stored in the ADOM database, and then install those changes on managed devices. You can also make
configuration changes to each managed device through the FortiGate CLI or GUI.

You can configure ADOMs in backup operation mode if all configuration changes must be done directly on the
managed devices and you want to use FortiManager only for revision control and tracking purposes.

When in backup operation mode, an ADOM is read-only, and some management options are not available
while others are restricted. For example, in the Device Manager pane, you can add and delete devices, but
the device-level settings are not available for configuration and installation.

In backup operation mode, you can import firewall address and service objects into FortiManager, and
FortiManager stores the objects in the Device Manager database. You can view the objects on the Policy &
Objects pane, but they are not stored in the central database. This lets you maintain a repository of objects
used by all devices in the backup ADOM that is separate from the central database.

To make configuration changes from FortiManager to managed devices while in backup mode, you must use
the script feature. Additionally, if you make changes directly on the managed device, those changes need to
meet specific conditions for the device to send the configuration revision to FortiManager. For example, if you
make a configuration change, and then you log out of or reboot the device, a configuration revision is sent.

An ADOM can work in two device modes: Normal, which is the default mode, and Advanced.

In Normal mode, you cannot assign different FortiGate virtual domains (VDOMs) to different FortiManager
ADOMs.

In Advanced mode, you can assign different VDOMs from the same FortiGate device to different ADOMs.
The system applies this setting globally to all ADOMs. This results in more complex management scenarios,
and it is recommended for advanced users only.

Good job! You now understand ADOMs.

Now, you will examine administrator accounts on FortiManager.


After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in using administrative access controls, you will be able to better safeguard the
administration and management of FortiManager and the managed devices.


You can configure administrator profiles in one of two types: System Admin and Restricted Admin. Only
administrators with full system permissions can modify administrator profiles.

For the System Admin type, you can modify one of the predefined profiles, or create a new custom profile.
Depending on the nature of the administrator’s work, access level, or seniority, you can allow them to view
and configure as much, or as little, as required.

Profiles of the Restricted Admin type allow you to delegate to administrators the management of the web
filter profiles, IPS sensors, and application sensors associated with their ADOM. When a restricted
administrator logs in to FortiManager, they enter Restricted Admin Mode.


Depending on your deployment, you may want to divide FortiManager administrative tasks among multiple
employees by creating additional administrator accounts.

You can control and restrict administrator access using several methods, but the following are the most commonly used:

• ADOMs: Administrators have access to only those ADOMs to which they are assigned.
• Administrative profiles: The level of access is determined by the administrative profile selected. When the
administrators are restricted to specific ADOMs, you can assign different profiles for each ADOM, or the
same profile for all ADOMs.
• Trusted hosts: This option restricts administrators to log in only from specific IP addresses or subnets. The
trusted hosts you define apply to both the GUI and the CLI when accessed through SSH. This feature is
available for IPv4 and IPv6 addresses.


Instead of creating local administrators, where logins are validated by FortiManager, you can configure
external servers to validate your administrator logins. You can use RADIUS, LDAP, TACACS+, and public key
infrastructure (PKI) as means of verifying the administrator credentials.

Additionally, you can configure two-factor authentication using FortiAuthenticator or FortiToken Cloud. Refer to
the FortiManager Administration Guide for more details.


To track administrator user sessions, including who is currently logged in and from which trusted host, click
System Settings > Administrators. Only the default admin account, or administrators with the
Super_User profile, can see the complete administrator list.

To track installation changes made by the FortiManager user, click Log & Report > System Events on the
managed FortiGate device.


Good job! You now understand administrator accounts.

Now, you will examine concurrent administrators on FortiManager.


After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in using ADOM, device, or policy package locking, you will be able to better
safeguard the administration and management of FortiManager and the managed devices.


By default, multiple administrators can access the same ADOM concurrently because workspace-mode is
set to disabled.

Usually this is acceptable, especially if you configured administrator profiles with non-overlapping
permissions. However, in a network with many devices it is still possible for two administrators to change the
same setting, and this should be avoided. The solution for such a scenario is to enable workspace mode.


You can use the CLI or the GUI to enable workspace mode and prevent concurrent ADOM access. This
allows administrators to lock entire ADOMs, as well as specific devices, policy packages and objects.

You have the following three options:

• Workspace (ALL ADOMs): All ADOMs can be locked.
• Workspace (Per-ADOM): Only ADOMs configured for workspace mode can be locked.
• Workflow (ALL ADOMs): In addition to locking ADOMs, this mode is used to ensure that all changes are
reviewed and approved by authorized administrators before they are applied.

Optionally, you can enable Per-Policy Lock, which allows you to lock individual policies.


Enabling workspace mode allows you to lock different items in FortiManager, effectively preventing concurrent
read/write access to any locked item. Only the administrator that initiated the lock has read/write access to
that item, while all other administrators have read-only access.

You can lock entire ADOMs, as well as specific devices, policy packages, objects, and individual policies.

After you make all required configuration changes, you can unlock the item manually. Another way that you
can release the locks is to log out of FortiManager.

When you lock an ADOM, all existing locks on devices and policy packages that you created within that
ADOM are removed. Additionally, if another administrator locked devices or policy packages, you cannot lock
the ADOM that contains those devices or policy packages.


The slide shows an example of the process of working with locked ADOMs when workspace mode is
enabled.

1. Prior to making changes, Admin A locks the ADOM. A closed lock icon with a green background appears.
Admin A now has read/write access and can make changes to the managed devices in that ADOM.
2. During this time, Admin B sees a closed lock icon with a red background on the ADOM. Admin B has
read-only access to that ADOM and cannot make changes.
3. When Admin A finishes making changes, they save the changes and then unlock the ADOM. The icon
changes to an open lock icon. Admin B sees that the ADOM is now available for use.
4. Now, Admin B locks the ADOM, and again the lock icon changes accordingly. Admin B now has read-write
access and can safely make changes without risk of conflicts.


To enable exclusive read/write permission, and make changes to an ADOM, you must lock the ADOM.

You can lock the ADOM in the upper-right corner of the GUI. After you lock the ADOM, you can safely make
changes to the managed device settings, in that ADOM, without worrying about conflicts. If you make changes
to the managed device configuration or policy packages, the changes must be saved prior to attempting to
install them. Other administrators can’t make changes to the ADOM because they have read-only
permissions.

There are three lock status icons:

• Open lock icon: The ADOM is currently unlocked.
• Closed lock icon with green background: The ADOM is locked by you. You can make changes in that
ADOM.
• Closed lock icon with red background: The ADOM is locked by another administrator. You have read-only
access and must wait for the ADOM to be unlocked before you can make changes.
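The locking rules described in this section and in the Admin A / Admin B walkthrough above, modelled as an added example (this is not Fortinet code): one holder per lock, read-only access for everyone else, an ADOM lock that replaces the holder's own device and policy-package locks, an ADOM lock that is refused while another administrator holds item locks inside it, and logout releasing all of an administrator's locks. Names such as "admin_a", "root", "FGT-1" and "pp-default" are constructed for illustration.

```python
"""Model of the workspace-mode locking rules described above (added example,
not Fortinet code). Admin and ADOM names such as "admin_a", "root" and "FGT-1"
are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Optional

# The three lock status icons from the text.
OPEN = "open"            # ADOM unlocked
GREEN = "closed-green"   # locked by me: read/write
RED = "closed-red"       # locked by another administrator: read-only


@dataclass
class Adom:
    name: str
    items: set[str]                      # devices and policy packages in this ADOM
    lock_holder: Optional[str] = None    # administrator holding the ADOM-level lock
    item_locks: dict[str, str] = field(default_factory=dict)  # item -> administrator


class Workspace:
    """Lock table for a FortiManager with workspace mode enabled."""

    def __init__(self) -> None:
        self.adoms: dict[str, Adom] = {}

    def lock_adom(self, admin: str, adom_name: str) -> bool:
        adom = self.adoms[adom_name]
        if adom.lock_holder not in (None, admin):
            return False  # another administrator holds the ADOM (red icon)
        # Rule: an ADOM cannot be locked while another administrator holds
        # locks on devices or policy packages inside it.
        if any(holder != admin for holder in adom.item_locks.values()):
            return False
        # Rule: locking the ADOM removes your own existing item locks in it.
        adom.item_locks.clear()
        adom.lock_holder = admin
        return True

    def lock_item(self, admin: str, adom_name: str, item: str) -> bool:
        adom = self.adoms[adom_name]
        if item not in adom.items:
            raise KeyError(f"{item} is not in ADOM {adom_name}")
        if adom.lock_holder not in (None, admin):
            return False  # the whole ADOM is read-only for this administrator
        if adom.item_locks.get(item, admin) != admin:
            return False  # item already locked by someone else
        adom.item_locks[item] = admin
        return True

    def unlock_adom(self, admin: str, adom_name: str) -> bool:
        adom = self.adoms[adom_name]
        if adom.lock_holder != admin:
            return False  # only the administrator who initiated the lock can release it
        adom.lock_holder = None
        return True

    def logout(self, admin: str) -> int:
        """Logging out releases every lock the administrator holds; returns the count."""
        released = 0
        for adom in self.adoms.values():
            if adom.lock_holder == admin:
                adom.lock_holder = None
                released += 1
            for item in [i for i, h in adom.item_locks.items() if h == admin]:
                del adom.item_locks[item]
                released += 1
        return released

    def can_write(self, admin: str, adom_name: str, item: Optional[str] = None) -> bool:
        """Read/write access is granted only to the holder of a lock covering the target."""
        adom = self.adoms[adom_name]
        if adom.lock_holder is not None:
            return adom.lock_holder == admin
        if item is not None:
            return adom.item_locks.get(item) == admin
        return False  # an unlocked ADOM is not writable under workspace mode

    def icon(self, admin: str, adom_name: str) -> str:
        holder = self.adoms[adom_name].lock_holder
        if holder is None:
            return OPEN
        return GREEN if holder == admin else RED


def walkthrough() -> list[str]:
    """Replays the Admin A / Admin B sequence; returns the icon Admin B sees after each step."""
    ws = Workspace()
    ws.adoms["root"] = Adom("root", {"FGT-1", "pp-default"})  # constructed ADOM
    seen = []
    ws.lock_adom("admin_a", "root")            # 1. Admin A locks the ADOM
    seen.append(ws.icon("admin_b", "root"))    # 2. Admin B sees the red icon
    ws.lock_adom("admin_b", "root")            # refused: Admin B is read-only
    ws.unlock_adom("admin_a", "root")          # 3. Admin A unlocks
    seen.append(ws.icon("admin_b", "root"))    # open lock icon
    ws.lock_adom("admin_b", "root")            # 4. Admin B locks the ADOM
    seen.append(ws.icon("admin_b", "root"))    # green icon
    return seen
```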


Good job! You now understand how you can use workspace mode to handle concurrent administrator
sessions.

Now, you will examine ADOM best practices and troubleshooting.


After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in ADOM best practices and troubleshooting, you will be able to organize and
manage your FortiGate device more effectively within FortiManager.


In FortiManager, each ADOM is associated with a specific firmware version, based on the firmware version of
the devices that are in that ADOM. The firmware version determines the appropriate database schema.

What if you created an ADOM using version 7.2, added FortiGate devices running FortiOS 7.2, but then
needed to upgrade the FortiGate devices to FortiOS 7.4?

Depending on its version, an ADOM can concurrently manage FortiGate devices running different firmware
versions; for example, FortiOS 7.2 and 7.4. Therefore, the devices running those firmware versions can share
a common FortiManager database.

Although multiple FortiOS versions can exist in the same ADOM, some of the features of the newer firmware
version may be restricted if you are using an older ADOM version. This is because the CLI command syntax
for the newer firmware version might have changed because of new features and is, therefore, configured
differently. It is very important to make sure you add a FortiGate device to an ADOM that is based on the same
FortiOS firmware version. You should not add a higher version FortiGate to a lower version ADOM. Also, keep in
mind that upgrading the FortiManager firmware version does not automatically upgrade the version of the
existing ADOMs.

You should use this feature only to facilitate upgrading to new firmware and avoid having ADOMs with mixed
firmware. In the case of having multiple firmware versions, it is recommended to use separate ADOMs
instead.


Before designing your ADOM structure, verify the maximum number of ADOMs and the maximum number of
managed devices that your FortiManager model supports. You can find this information in the License
Information widget, or by using the get system status command.

You should use a scheme that simplifies management. For example, you could organize your devices by:

• Firmware version: You can group all devices with the same firmware version in the same ADOM. For
example, if FortiGate devices are running firmware version 7.4, you can group these devices in a version
7.4 ADOM. This is the recommended method for grouping devices.
• Assigned administrators: You can group devices into separate ADOMs and assign them to specific
administrators.
• Geographic regions: You can group all devices for a specific geographic region into one ADOM.
• Customers: You can create a dedicated ADOM for each customer.
• Organizational needs: You can group devices based on their department or function. For example, you can
create dedicated ADOMs for production, development, and test networks.

When you organize managed FortiGate devices, it is highly recommended that you group them based on their
FortiOS firmware version. This is because valid command syntax varies by firmware version, which affects
script compatibility and other features. For example, if you have FortiGate devices running FortiOS 7.2 and
FortiOS 7.4 firmware in the same region, you should create an ADOM for each firmware version.


You can upgrade the ADOM version before or after updating all devices in that ADOM. However, it is
recommended to upgrade the devices first, and then upgrade the ADOM.

Note: If there are many ADOM revisions, FortiManager requires more system resources, and the ADOM
upgrade can take more time to complete. You will learn about ADOM revisions later in this course.


You can upgrade the ADOM in System Settings > ADOMs. You can upgrade an ADOM to one version
higher at a time. For example, you can upgrade an ADOM running version 7.0 to version 7.2 first, and then
repeat the process to upgrade it to version 7.4.

The upgrade process only updates the selected ADOM’s database. If the ADOM uses Global ADOM
objects, you must upgrade the Global Database ADOM to the same version first; otherwise, you will lose some
of the configuration. You’ll learn more about the global ADOM later in the course.


If you need to upgrade only a few FortiGate devices in an ADOM, you should first upgrade the devices in the
original ADOM, and then move them to a new ADOM that uses a matching firmware version.

Keep in mind that if you move a device from one ADOM to another, policies and objects are not imported into
the new ADOM database. You must run the Import Configuration wizard to import policies and objects into
the ADOM database.

In some scenarios, moving devices from one ADOM to another is not a recommended practice. For example,
if you have configured complex IPsec VPNs with VPN Manager, you will need to reconfigure the VPN settings
after you move the IPsec VPNs from one ADOM to another.


After you register devices, you can move them between ADOMs on the ADOMs page. To move a device, edit the
destination ADOM to which you want to add the device, and then select the device to add to it.


Before an ADOM upgrade, you should install any pending device settings or policy package changes to the
managed devices and get all devices and policy packages synchronized.

Once you have upgraded the devices and the ADOM, you should examine the installation preview. The
Install preview shows you any changes that occurred during the upgrade process. You need to check that
all the changes to be installed are the result of the upgrade process, and make corrections if required.

When you move devices from one ADOM to another ADOM, shared policy packages and objects do not move
to the new ADOM. You will need to import policy packages from managed devices.


Good job! You now understand ADOM best practices and troubleshooting.

Now, you will examine backup and restore on FortiManager.


After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in backup and restore, you will be able to ensure that if there is a severe
hardware failure, you can quickly restore FortiManager to a working state without affecting the network. This
is, after all, your central network management system, and you will probably be investing considerable time
and resources in building and maintaining your firewall policies. So, you will learn how to keep the data safe.


At any time, you can back up the FortiManager configuration in the System Information widget on the GUI.
By default, encryption is enabled when you use the GUI for backups. If you use encryption, you must set a
password that is used to encrypt the backup file. The backup file can’t be restored unless you provide the
same password. Keep in mind that Fortinet Technical Support usually requests the FortiManager backup in
unencrypted format.

The backup contains everything except the logs, FortiGuard cache, and firmware images saved on
FortiManager.

You can also schedule backups at regular intervals using the GUI and the CLI.

After performing backups, you can view the backup history to see all backups performed on the FortiManager.

If changes are made to FortiManager that end up negatively affecting your network, you can restore the
configuration from any of the backups you performed.


You can restore the FortiManager configuration using the GUI or CLI. When you perform a restore,
FortiManager restarts, and the changes take effect.

The two options in the Restore System window are:

• Overwrite current IP, routing and HA settings: By default, this option is enabled. If FortiManager has an
existing configuration, restoring a backup overwrites everything, including the current IP address, routing,
and HA settings. If you disable this option, FortiManager will still restore the configurations related to
device information and global database information but will preserve the current HA and network settings.
• Restore in Offline Mode: By default, this option is enabled and grayed out—you cannot disable it. While
restoring a backup, FortiManager temporarily disables the communication channel between FortiManager
and all managed devices. This is a safety measure in case any devices are being managed by another
FortiManager device.


You can back up the configuration on one FortiManager model and restore this configuration on a different
FortiManager model. This can be useful for:

• Troubleshooting purposes, by restoring the configuration to a different FortiManager model.
• Upgrading FortiManager to a bigger model, because it will preserve your already-configured devices and
task manager database. System settings are not preserved.

The steps required to migrate the configuration are simple. You need to back up the configuration on the first
FortiManager model, and then run the exec migrate all-settings command on the second
FortiManager.

If the original FortiManager has databases from FortiGuard (antivirus, antispam, webfilter, etc.), they will not
be included in the configuration file. After migrating, export the packages from the original FortiManager and
import them to the other FortiManager.

FortiManager supports FTP, SCP, and SFTP protocols to migrate a configuration from one FortiManager
model to another FortiManager model.


By default, offline mode is disabled, allowing FortiManager to manage the devices.

When you perform a configuration restore, FortiManager restarts in offline mode, which effectively disables
the FGFM protocol. You can manually enable or disable offline mode in System Settings > Advanced >
Misc Settings.

When should you enable offline mode? You can enable offline mode manually to troubleshoot problems.
Offline mode allows you to change FortiManager device settings without affecting managed devices. You can
also restore a backup on a second FortiManager for testing purposes. That way, the second FortiManager
cannot automatically connect to your FortiGate devices and start managing them.


If you need to factory reset FortiManager, connect using the console port.

The execute reset all-settings command returns FortiManager to its factory default settings and
reboots FortiManager.

The execute format disk command erases all device settings and images, FortiGuard databases, and
log data on the FortiManager hard drive.

To completely erase all configuration databases, reset all settings, then format the disk.

Formatting the disks only destroys the file system tables. The file contents remain, and attackers could use
forensic tools to recover the data. Failure to overwrite your configuration databases jeopardizes the security of
your entire network. So, if you will be replacing or selling your FortiManager, or replacing the hard disk, you
should use a secure (deep-erase) disk formatting process to overwrite the hard disk with random data.
The deep-erase process usually takes longer to complete and is not necessary in most cases.


Congratulations! You have completed this lesson.

Now, you will review the objectives that you covered in this lesson.


This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned how to set up and administer FortiManager.
You also learned how to use features that are critical for day-to-day use, such as ADOM locks, administrative
access controls, and configuration backup and restore.

Device Registration

In this lesson, you will learn about the primary functions of the device manager, and how to register FortiGate
devices in FortiManager.


In this lesson, you will learn about the topics shown on this slide.


After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in provisioning common settings, you will be able to use FortiManager to
configure common settings for many FortiGate devices.


Provisioning templates allow you to create profiles that contain device-level settings. These templates
facilitate the configuration of identical device-level settings across many devices. You can edit and reapply the
templates as needed. Note that by default, only some of the templates are visible. You can choose which
templates are visible by selecting them under Feature Visibility.

FortiManager includes many templates for commonly encountered scenarios, such as system templates,
IPsec tunnel, SD-WAN, and several more.

The name of each template indicates its purpose. For example, you can use system templates to create and
manage common system-level settings for the managed devices, and SD-WAN templates to configure SD-
WAN for one or more devices. Refer to the FortiManager Administration Guide for more details.

Note that the provisioning templates are based on specific ADOM versions. Because of this, some settings
may not be available.


The System Templates page contains one generic template named default, which is a subset of the model
device configurations and contains several widgets such as DNS, Alert Email, Admin Settings, and several
others.

You can create a new system template and configure the settings in the included widgets, or you can import
the settings from a specific managed device to inherit the system-level settings of that managed device.

You can use the Assign to Device/Group button to associate devices with a template.

Applying these templates to multiple devices within the same ADOM facilitates identical device-level settings
across all those devices.


You can export and import system templates from one ADOM to another ADOM using the CLI. To avoid
unexpected results, both ADOMs should be running the same firmware version.

The first step is to export the system template from the original ADOM with the execute fmprofile
export-profile command, and then you can import that profile into the other ADOM with the execute
fmprofile import-profile command.

An example of these steps is shown on this slide.


Good job! You now understand how to configure provisioning templates to apply common settings to several
devices.

Now, you will learn about device registration methods.


After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in device registration, you will be able to add devices into FortiManager for
management and administration.


Under Device & Groups you can find several device and installation wizards to help you perform
administrative and maintenance tasks. Using these tools can help you shorten the amount of time it takes to
do many common tasks.

There are four main wizards:

• Add Device: Adds devices to central management and imports their configurations.
• Install Wizard: Installs changes to device settings and/or policies to the managed devices. It allows you to
preview the changes and, if the administrator doesn’t agree with the changes, cancel and modify them.
• Import Configuration: Imports interface mapping, policy database, and objects associated with the
managed devices into a policy package under the Policy & Objects pane. You can run it while using the
Add Device wizard and at any time from the managed device list.
• Re-install Policy: Installs the policy package already assigned to the device quickly. It also shows you a
preview of the changes that will be installed on the managed device.
• Quick Install (Device DB): Pushes device configuration from the FortiManager device layer to a FortiGate
device. This operation does not have an installation preview, and you cannot cancel this operation.

You can access these wizards from the top bar in the GUI, or by right-clicking your device under Managed
FortiGate.


There are two ways you can register a device using FortiManager.

The first method involves the FortiManager Add Device wizard. If the device is supported and all the details
of the device are correct, FortiManager registers the device.

The second method involves a request for registration from a supported device. When the FortiManager
administrator receives that request, they accept it (though they can also deny it).


Using the Add Device wizard, you can add a FortiGate device with an existing configuration (which includes
its firewall policies) or add a new FortiGate device that is not yet online. FortiGate is usually provisioned with a
call home configuration, which is the minimum configuration needed to reach FortiManager (the central
management server). Such configurations are typically installed by a technician and the actual firewall
configuration is done by the administrator in the security/network operations center where FortiManager
resides.

This wizard also allows you to add FortiGate HA clusters and devices from a CSV file.

When you import a device that has an existing configuration, you can choose to import the device firewall
policies into a new policy package (which you can rename). Objects share the common object database for
the ADOM. FortiManager saves the objects in the ADOM database, which you can share or use among
different managed FortiGate devices in the same ADOM. FortiManager also checks for duplicate or conflicting
objects.


With the Add Device wizard, the FortiManager administrator proactively initiates and, ultimately, performs
the device registration. This method requires that the administrators know specific details about the device
that they are registering.

You can launch the wizard from the Device & Groups pane by clicking Add Device on the top bar. If you
have enabled ADOMs and want to add the device to a specific ADOM, select that ADOM from the ADOM list
before starting the Add Device wizard.


To use the Add Device wizard and discover mode with the OAuth protocol, you must type in the IP address of
the FortiGate management port, and make sure the Use Legacy Device Login option is disabled. After you
click Next to continue, the following actions occur:

1. FortiManager connects to the online FortiGate device.
2. A window opens to let you log in to FortiGate as part of the authorization process. Note that you must
allow pop-ups for the FortiManager page to be able to continue.
3. When FortiManager connects to FortiGate, it retrieves the FortiOS management IP address and
management port.

Depending on your network topology, it is possible that FortiManager can access the FortiGate management
IP, but the management computer you use cannot. To ensure this method works you must specify a
management IP address and port on FortiOS that can be reached from the management computer you use to
connect to FortiManager.


As an alternative to using the OAuth method, you can use the legacy login for the Add Device wizard with
discover mode. If you are adding a FortiGate running FortiOS 6.4.x or older, you must use the legacy login.

The legacy login method is useful for certain topologies where the management computer used to connect to
FortiManager cannot connect to the FortiGate device.

You use the Use Legacy Device Login option to add an existing device. Here, you must enter the login
credentials for the FortiGate device—IP address, username, and password.

To fully discover the device and add the full configuration, the login credentials that you enter must have full
read-write access on FortiGate. This also allows FortiManager to install the required configuration on the
managed FortiGate.


In this step, FortiManager determines whether the FortiGate device is reachable and discovers basic
information about the device, including IP address, hostname, administrator username, device model,
firmware version (build), serial number, and high-availability mode.

Administrators can apply an existing provisioning template to new devices as they are being added to
FortiManager. Templates save time by removing the need to repeat common configuration settings multiple
times.

In the next step, FortiManager checks the addition of the FortiGate device and creates the initial configuration
file in the revision history. This is the full configuration that contains all used and orphaned objects along with
the firewall policies on FortiGate. It also checks the support contract, which is useful in the event FortiManager
is used as the local FortiGuard server for the managed FortiGate.

There are two options for importing policies and objects:

• Clicking Import Now adds the policies to a new policy package and objects in the common shared ADOM
database. These objects can be used by multiple FortiGate devices in the same ADOM.
• Clicking Import Later adds only the device-level settings to the device database. The firewall policy and
objects are not imported into Policy & Objects. You can import these later using the Import
Configuration wizard.

In the example shown on this slide, the Import Now option is selected.

If you select the option to import now, the wizard searches for all policies to import into the FortiManager
database. In this step, policies are imported into a new policy package under Policy & Objects.

At this point, you can choose whether to import all policies or selected policies, and whether to import only
referenced objects or all objects. By default, the Import All and Import only policy dependent objects
options are selected when adding a device.

FortiManager probes FortiGate and creates interface mappings in the ADOM database. Optionally, you can
apply a normalized name to each interface. In the example on this slide, the FortiGate interfaces port1 and
port3 are renamed to WAN and LAN, respectively. Because the Per-Device mapping option is selected, this
setting applies to this device only. Other devices can have other interfaces mapped to the same normalized
names. This mapping is local to FortiManager at the ADOM level, so you can create policies on FortiManager
that refer to the LAN and WAN interfaces, and those names resolve to different interfaces on other devices.
Keep in mind that ADOM interface names are case sensitive.

Using the Per-Platform mapping option would make all devices of the same model have the same mapping.
For example, all FGT-100F can refer to their port1 as WAN.

Correct interface mappings are useful in large deployments, where administrators can use common names for
ADOM interfaces.

By default, the Add mappings for all unused device interfaces setting is enabled. When enabled, this
setting creates an automatic mapping for all interfaces. As such, the FortiManager administrator does not
need to create manual mappings for them.

Next, the wizard searches the FortiGate device for objects to import and, if any conflicts exist, they appear
here. You can view additional details, as well as download an HTML file listing all the conflicts found in a table.

If you select FortiGate from the Use Value From column, the FortiManager database gets updated with that
value. If you select FortiManager, the next time you install the configuration from FortiManager to FortiGate it
makes those changes to the FortiGate firewall. By default, FortiGate is selected.

After the object conflicts are noted and resolved, the wizard searches for the objects to import. FortiManager
adds new objects and updates the existing FortiManager objects as needed. FortiManager does not import
duplicate entries in the ADOM database.

The final page of the wizard shows a summary of the firewall policies and objects imported into FortiManager.

Optionally, you can download the import report, which is available only on this page. As a best practice, it is
recommended that you download the report.

The import report provides important information, such as which device is imported into which ADOM, as well
as the name of the policy package created along with objects imported. These objects and policies are
created in the Policy & Objects pane for that ADOM.

FortiManager does not import already existing, or duplicate, entries into the ADOM database. If a conflict is
detected, FortiManager updates the object associated with the selected device in the Objects Conflict step of
the wizard. In the import report, the object is referred to as update previous object.

The example on this slide shows entries in an import report for a duplicate object, two new objects, and an
updated object.
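
The object import and the import report entries described above, as an added illustration that is not FortiManager code: identical objects are skipped as duplicates, unknown objects are added as new, and a conflict is resolved by the Use Value From choice (FortiGate updates the ADOM object, FortiManager keeps the ADOM value and the next install pushes it to FortiGate). The object definitions are constructed sample data.

```python
"""Model of the Add Device wizard's object import and import report.

Added illustration (not FortiManager code) of the behaviour described above.
Object names and definitions are constructed sample data.
"""
from __future__ import annotations
from dataclasses import dataclass, field

FORTIGATE, FORTIMANAGER = "FortiGate", "FortiManager"


@dataclass
class ImportResult:
    adom_db: dict[str, dict]                                    # ADOM database after the import
    report: list[tuple[str, str]] = field(default_factory=list)  # (object name, outcome)
    pending_install: list[str] = field(default_factory=list)    # objects FortiGate receives on next install


def import_objects(adom_db: dict, fgt_objects: dict, use_value_from: dict | None = None) -> ImportResult:
    """Merge fgt_objects into a copy of adom_db.

    use_value_from maps a conflicting object name to FortiGate or FortiManager;
    the wizard's default of FortiGate applies to any conflict not listed.
    """
    use_value_from = use_value_from or {}
    res = ImportResult(adom_db=dict(adom_db))
    for name, fgt_def in fgt_objects.items():
        fmg_def = res.adom_db.get(name)
        if fmg_def is None:                       # not in the ADOM database yet
            res.adom_db[name] = fgt_def
            res.report.append((name, "new object"))
        elif fmg_def == fgt_def:                  # already exists with the same definition
            res.report.append((name, "duplicate, not imported"))
        elif use_value_from.get(name, FORTIGATE) == FORTIGATE:
            res.adom_db[name] = fgt_def           # FortiGate value replaces the ADOM object
            res.report.append((name, "update previous object"))
        else:                                     # FortiManager value kept; FortiGate changes on next install
            res.report.append((name, "kept FortiManager value"))
            res.pending_install.append(name)
    return res


# Constructed sample data: the ADOM database and the address objects found on a FortiGate.
ADOM_DB = {
    "all": {"type": "ipmask", "subnet": "0.0.0.0/0"},
    "DMZ_SERVERS": {"type": "ipmask", "subnet": "10.10.20.0/24"},
    "MGMT_HOST": {"type": "ipmask", "subnet": "10.10.1.5/32"},
}
FGT_OBJECTS = {
    "all": {"type": "ipmask", "subnet": "0.0.0.0/0"},             # duplicate
    "DMZ_SERVERS": {"type": "ipmask", "subnet": "10.10.30.0/24"},  # conflict
    "MGMT_HOST": {"type": "ipmask", "subnet": "10.10.1.6/32"},     # conflict
    "VPN_POOL": {"type": "iprange", "start": "10.212.134.200", "end": "10.212.134.210"},  # new
}


def run_example() -> ImportResult:
    """DMZ_SERVERS uses the default (FortiGate); for MGMT_HOST the administrator chose FortiManager."""
    return import_objects(ADOM_DB, FGT_OBJECTS, {"MGMT_HOST": FORTIMANAGER})


if __name__ == "__main__":
    result = run_example()
    for obj, outcome in result.report:
        print(f"{obj:12} {outcome}")
    print("pushed to FortiGate on next install:", result.pending_install)
```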

In the example on this slide, because you renamed port3 to LAN and port1 to WAN in the interface mapping
step of the wizard, the policy shows the custom interface names. However, on FortiGate the policy shows
port1 and port3.

This is called dynamic mapping, and firewall policies created in policy packages refer to these mappings.
When the policy packages are installed, the interface mapping is translated to the local interfaces on the
managed device.

Dynamic mapping is useful when installing the same policy package to multiple managed FortiGate devices,
where the interface mapping is translated to the local interfaces on the managed device.
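
The translation of normalized ADOM interface names into device-local interfaces at install time, as an added illustration that is not FortiManager code: Per-Device mappings take precedence over the Per-Platform mapping for the model, and names are case sensitive. Device names, models and mappings are constructed samples.

```python
"""Per-Device and Per-Platform interface mapping, resolved at install time.

Added illustration (not FortiManager code). Device names, models and the
mapping tables below are constructed sample data.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class ManagedDevice:
    name: str
    platform: str            # device model, e.g. "FortiGate-100F"
    interfaces: set[str]     # interfaces that actually exist on the device


@dataclass
class AdomInterfaceMap:
    per_device: dict[str, dict[str, str]] = field(default_factory=dict)    # name -> {device: intf}
    per_platform: dict[str, dict[str, str]] = field(default_factory=dict)  # name -> {platform: intf}

    def resolve(self, norm_name: str, dev: ManagedDevice) -> str:
        """Return the local interface that norm_name denotes on dev."""
        # Exact-case lookup: "lan" is a different ADOM interface from "LAN".
        local = self.per_device.get(norm_name, {}).get(dev.name)
        if local is None:
            local = self.per_platform.get(norm_name, {}).get(dev.platform)
        if local is None:
            raise LookupError(f"no mapping for {norm_name!r} on {dev.name}")
        if local not in dev.interfaces:
            raise LookupError(f"{norm_name!r} maps to {local!r}, which {dev.name} does not have")
        return local


def translate_policy(policy: dict, dev: ManagedDevice, imap: AdomInterfaceMap) -> dict:
    """Rewrite one policy of the package with the interface names local to dev."""
    out = dict(policy)
    out["srcintf"] = [imap.resolve(n, dev) for n in policy["srcintf"]]
    out["dstintf"] = [imap.resolve(n, dev) for n in policy["dstintf"]]
    return out


# Constructed sample data: Branch-A has Per-Device mappings (port1=WAN, port3=LAN, as in
# the slide); Branch-B relies on the Per-Platform mapping for its model.
IMAP = AdomInterfaceMap(
    per_device={"WAN": {"Branch-A": "port1"}, "LAN": {"Branch-A": "port3"}},
    per_platform={"WAN": {"FortiGate-60F": "wan1"}, "LAN": {"FortiGate-60F": "internal"}},
)
BRANCH_A = ManagedDevice("Branch-A", "FortiGate-100F", {"port1", "port2", "port3"})
BRANCH_B = ManagedDevice("Branch-B", "FortiGate-60F", {"wan1", "wan2", "internal"})
POLICY = {"name": "lan-to-internet", "srcintf": ["LAN"], "dstintf": ["WAN"], "action": "accept"}


def install_preview(devices: list[ManagedDevice]) -> dict[str, dict]:
    """What each device would receive for POLICY: {device name: translated policy}."""
    return {d.name: translate_policy(POLICY, d, IMAP) for d in devices}


if __name__ == "__main__":
    for name, pol in install_preview([BRANCH_A, BRANCH_B]).items():
        print(f"{name}: {pol['srcintf']} -> {pol['dstintf']}")
```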

The second option in the Add Device wizard is Add Model Device, which allows you to add a device that is
not yet online. This option is intended for new FortiGate deployments, where no pre-existing configuration
must be preserved. The configuration you create with this option in FortiManager is associated with the model
device and overwrites the configuration of the FortiGate after it is registered.

You can link to the real device using one of the following two methods:

• Serial Number: The serial number of the device you want to add.
• Pre-shared Key: A unique pre-shared key for each device you want to add. Useful when the exact device
model is not known.

With both options you can select several parameters that will be applied to the managed device once it is
registered.

You can use the GUI and the CLI to send a registration request from FortiGate. Regardless of the device
model option you use, you must configure the central management type as fortimanager, and point to the
IP address of the FortiManager using the command sequence shown on this slide as step 1.

After the first step, if a pre-shared key was used in the model device, FortiGate shows as an unregistered
device in the root ADOM. If the serial number was used, FortiGate shows as an unregistered device in the
ADOM where it was pre-staged.

The second and final step consists of running the execute central-mgmt register-device command
on FortiGate. This command requires the FortiManager serial number and a pre-shared key. The pre-shared
key must match the value used when the device model was added. However, if the model device used the
serial number, you can type any text as the pre-shared key since the device authentication uses the serial
number instead.

If all parameters are correct, the FortiGate device is registered in the ADOM where you configured the device
model.

You can create device blueprints to simplify configuration of certain device settings, including device groups,
configuring pre-run templates, policy packages, provisioning templates, and so on. Once a device blueprint
has been created, it can be selected when adding a model device or when importing multiple model devices
from a CSV file.

Devices that are assigned a blueprint are automatically configured with the settings specified by that blueprint
when they are added to FortiManager.

To initiate a registration request from FortiGate, you must configure the central management settings with the
FortiManager IP address.

After this, a window opens stating that the management request has been sent to FortiManager. Click OK to
open the FortiManager Status window, where you can authorize the FortiGate device if you have the proper
credentials.

The example on this slide shows the configuration in the GUI but you can also use the CLI.

After the request is made from the supported device, it appears under Device Manager > Device & Groups
> Unauthorized Devices on the FortiManager root ADOM.

The FortiManager administrator should review the details of the unauthorized device and, if satisfied,
authorize the device. Note that authorizing a device does not create a policy package automatically. For that
reason, you must run the Import Configuration wizard to import the device firewall policy into a new policy
package.

If ADOMs are enabled, the device appears in the root ADOM by default, and you can authorize FortiGate to
join a different, previously created ADOM.

Optionally, you can enable automatic authorization of unauthorized devices from the FortiManager CLI.

If you need to add multiple FortiGate devices at the same time you can enable Show Add Multiple Button
under System Settings. Once enabled the option becomes available in the More button under Manage
Devices. You can click Add and enter the IP address, username, and password of each FortiGate device that
you want to add.

As when adding an unauthorized device, policy packages are not automatically created. You must
run the Import Configuration wizard to import the devices' firewall policies into a new policy package.

After you register FortiGate devices, they appear on the Device Manager in the ADOM to which they were
added.

Some FortiManager models can work with the Shelf Manager to manage the FortiGate 5000 series chassis.
To do so, you first must enable Chassis Management on System Settings > Advanced > Misc Settings.
After you enable it, you can add the chassis in the default chassis ADOM.

The dashboard for the chassis provides the information related to slot number, slot information, current state
of blade, and various other parameters. On the dashboard, you can view or configure information related to
the blades, power entry modules (PEM), fan tray, shelf manager, and shelf alarm panel (SAP).

FortiManager physical devices or virtual machine (VM) support a limited number of managed devices. That
number depends on the FortiManager model and license.

A FortiGate high availability (HA) cluster counts as a single managed device in FortiManager. This is because
the bulk of the configuration relates to the firewall policies and objects, and devices in the cluster are running
the same configuration.

When using VDOMs, each one counts as one managed device. This is because each VDOM is logically a
separate firewall and has its own configuration.

In the example on this slide, there is a FortiGate cluster with two device members, and another FortiGate with
three VDOMs. This yields a total of four devices managed by FortiManager. Note that in this example the
physical FortiGate is not managed by FortiManager.

A FortiGate HA cluster is managed as a single device from FortiManager, and has a unique ID. You can use
the diagnose dvm device list command on the CLI to view the cluster device members.

FortiManager reports the FortiGate HA synchronization status it receives from the cluster, allowing you to
identify possible network issues. You need to refresh the GUI session to see the most up-to-date status
information.

FortiManager has read-only access to the FortiGate HA configuration. However, you can promote a
secondary cluster member to become the primary from FortiManager.

FortiGate configuration changes concerning HA parameters do not modify the system checksum for
FortiManager (get system mgmt-csum) and do not cause an out-of-sync state.

It is not recommended that FortiGate devices in an HA cluster use the ha-mgmt-interface or the standalone
management VDOMs to establish the FGFM connection since they are designed specifically to manage the
cluster directly.

Good job! You now understand how you can register devices in FortiManager.

Now, you will examine common device discovery issues and how to resolve them.

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in device discovery troubleshooting, you will be able to diagnose and resolve
issues related to device discovery.

The management protocol FGFM runs on both FortiGate (fgfmd) and FortiManager (fgfmsd). FortiManager
and FortiGate create a secure tunnel using TCP port 541. Being TCP-based, the connection works with
port-based NAT, which allows both FortiGate and FortiManager to be behind a NAT device. On the FortiGate
side, you must enable the FMG-Access setting for each interface facing FortiManager.

Once you have configured the management tunnel, it can be established in either direction—by FortiManager
or by the managed FortiGate device. FortiManager uses link-level addressing from the 169.254.0.0/16
subnet for the tunnel. The 169.254.0.1 IP address is reserved for FortiManager and managed devices are
allocated to other IP addresses in the 169.254.0.0/16 range.

A keepalive message is sent from the FortiGate device. The keep-alive message includes the checksum of
the FortiGate configuration, which calculates the synchronization status.

FortiGate login credentials are required when discovering the device for the first time or when reclaiming the
tunnel. The login credentials are used to set the serial number. After the login credentials have been entered,
the serial number becomes the basis of authentication.

There are two steps involved when FortiGate is registering on FortiManager:

1. Discovery: In this step, FortiManager sends a get system status CLI command to obtain the
minimum information about FortiGate.
2. Adding: During this step, complete configuration details of FortiGate are obtained by FortiManager and
FortiGate configuration is stored in the device database.

The secure FGFM tunnel can be initiated by either device, FortiGate or FortiManager, depending on the
registration method used.

If the tunnel is initiated by FortiGate, the device is added to the FortiManager unauthorized device list in the
root ADOM. At this point, it has not been discovered. The complete discovery and add process starts once the
device is authorized.

When FortiManager is discovering and adding FortiGate, it sends several commands to FortiGate to get its
complete information. This slide shows only some of those commands.

To see the complete list of commands, you can run the diagnose debug cli 8 command on FortiGate,
while you add it to FortiManager.

Refer to this basic checklist if FortiManager is having issues discovering FortiGate devices:

• Verify that you have sufficient administrator privileges in FortiManager to add a FortiGate device.
• Verify that offline mode is disabled. Remember that offline mode is enabled after a configuration restore.
• Verify that parameters like credentials, IP address, serial numbers, and pre-shared keys are correct in the
Add Device wizard.
• Verify that FGFM access is enabled on the FortiGate interface facing FortiManager.

Additionally, you can check if the required ports are open in all intermediary devices and run the diagnose
sniffer packet command to examine the traffic sent and received.

Congratulations! You have completed this lesson.

Now, you will review the objectives that you covered in this lesson.

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned about the primary functions of the device
manager, and how to register FortiGate devices in FortiManager.

Device-Level Configuration and Installation

In this lesson, you will learn how to configure device-level changes, understand the status of a managed
FortiGate on FortiManager, and install changes to managed FortiGate devices. You will also learn how to use
the revision history for troubleshooting, and you will learn about the capabilities of scripts and device groups.

In this lesson, you will learn about the topics shown on this slide.

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in understanding FortiGate configuration status and synchronization behavior,
you will be able to diagnose and take action based on the status of FortiGate.

You can configure device-level settings by selecting the desired device under Device & Groups > Managed
FortiGate. The available settings can be managed by selecting them from the toolbar near the top, which
includes tabs to configure network, VPN, and system settings, among others. Most of the settings that you
find here have a one-to-one correlation with the options that you would see if you logged in locally using the
FortiGate GUI or CLI.

As an example, this slide shows how you can create a new static route on the device named ISFW. Keep in
mind that changes made here are not applied to the device automatically, and they must be installed to take
effect. You will learn about this process later in this lesson.

Not all available options are shown by default in the toolbar. To include more options, or to hide the ones you
don’t need, you can click Feature Visibility to select them as shown in the slide. Note that the available
options vary according to the device supported features, and firmware version.

This diagram shows the different statuses a managed FortiGate can have. FortiManager keeps FortiGate
configurations in the revision history. The latest revision history is compared with the FortiGate configuration
to provide the configuration statuses. The latest revision history is also compared with the device-level
database of the FortiGate, which indicates if FortiGate configuration has changed on the FortiManager.

Knowing the overall configuration status of a managed device helps the administrator identify issues and take
appropriate actions from FortiManager:

• Synchronized / Auto-Update: The latest revision history configuration entry (whether an install, retrieve,
or auto-update) is aligned with the configuration on FortiGate.
• Modified: Configurations are modified on FortiManager and not synchronized between FortiManager and
the managed device.
• Out-of-Sync: The latest revision history configuration entry does not match the configuration on the
FortiGate due to configuration changes made locally on FortiGate or a previous partial install failure. It is
recommended that you perform a retrieve from the FortiManager.
• Conflict: If changes are made locally on the FortiGate but are not retrieved, and changes are also
made from FortiManager, the status goes into the Conflict state. Depending on the configuration changes, you
can either retrieve the configuration or install the changes from FortiManager. The Conflict status can also
indicate a failed installation.
• Unknown: The FortiManager is unable to determine the synchronization status because the FortiGate is
not reachable, or due to a partial install failure. It is recommended that you perform a retrieve from the
FortiManager.

On the Device Manager pane, click a managed FortiGate to select it and view its dashboard. You can see the
Config Status field under the Configuration and Installation widget.
The Config Status compares the running device configuration with the current version in the revision history.
There are a few possible sync statuses:
• Synchronized: The current revision history configuration entry (whether an install or retrieve) is
synchronized with the running configuration on the FortiGate.
• Out-of-Sync: The current revision history configuration entry does not match the running configuration on
the FortiGate. It can be caused by failed installation or direct changes made on FortiGate that were not
auto-updated.
• Unknown: The FortiManager system is unable to detect which revision (in the revision history) is currently
running on the device due to a connection issue. The Unknown status can also indicate that you added a
model device, which does not generate a revision.
• Conflict: When an install failed, or the configuration was modified on both FortiManager and the managed
device and not automatically synchronized with FortiManager.

The Config Status indicates the status of the device settings on FortiManager. There are three configuration
statuses:
• Modified: If the device is configured from the Device Manager, the device database is changed and the
device settings status is tagged as Modified, because it doesn’t match the running configuration or latest
revision history for that device. If changes are installed, it puts the device back into the synchronized state.
• Auto-Updated: The configuration changes are made directly on FortiGate, and the device database is
updated automatically.
• Modified (recent auto-updated): Configurations are modified on FortiManager, and configurations
modified on the managed device are automatically synchronized with FortiManager.
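
The statuses described on the previous slides, worked through as an added state model that is not FortiManager code: it tracks the latest revision in the revision history, the running FortiGate configuration (the checksum carried in the FGFM keepalive) and the device database on FortiManager, and derives the status from those three. Checksums are constructed strings, and the install and retrieve behaviour follows the text (an install creates a revision only when the device database differs from the latest revision).

```python
"""State model of the FortiManager configuration statuses described above.

Added illustration, not FortiManager code. Checksums are constructed strings,
not real FortiOS values.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Revision:
    checksum: str
    source: str                 # "add", "install", "retrieve" or "auto-update"


@dataclass
class ManagedFortiGate:
    name: str
    revisions: list[Revision]   # revision history; the last entry is the latest
    device_db: str              # checksum of the device-level settings on FortiManager
    running: str                # checksum last reported by the FortiGate keepalive
    reachable: bool = True
    auto_update: bool = True
    last_install_failed: bool = False

    @property
    def latest(self) -> Revision:
        return self.revisions[-1]

    def edit_on_fortimanager(self, db_checksum: str) -> None:
        """Change made in Device Manager: only the device database changes."""
        self.device_db = db_checksum

    def keepalive(self, running_checksum: str) -> None:
        """Keepalive from FortiGate. With auto-update on, a local change made while
        FortiManager holds no pending edits is absorbed as a new revision."""
        self.reachable = True
        self.running = running_checksum
        if (self.auto_update and running_checksum != self.latest.checksum
                and self.device_db == self.latest.checksum):
            self.revisions.append(Revision(running_checksum, "auto-update"))
            self.device_db = running_checksum

    def install(self, succeed: bool = True) -> None:
        """Install Wizard: a revision is created only if the device DB differs from
        the latest revision; on success FortiGate now runs that revision."""
        if self.device_db != self.latest.checksum:
            self.revisions.append(Revision(self.device_db, "install"))
        self.last_install_failed = not succeed
        if succeed:
            self.running = self.device_db

    def retrieve(self) -> None:
        """Retrieve: the running configuration becomes the latest revision and
        replaces the device database, discarding pending FortiManager edits."""
        self.revisions.append(Revision(self.running, "retrieve"))
        self.device_db = self.running
        self.last_install_failed = False

    def status(self) -> str:
        if not self.reachable:
            return "Unknown"
        if self.last_install_failed:
            return "Conflict"
        fgt_in_sync = self.running == self.latest.checksum
        db_modified = self.device_db != self.latest.checksum
        if fgt_in_sync and not db_modified:
            return "Auto-Update" if self.latest.source == "auto-update" else "Synchronized"
        if fgt_in_sync:
            return "Modified"        # pending FortiManager edits, FortiGate untouched
        if not db_modified:
            return "Out-of-Sync"     # local FortiGate change not yet retrieved
        return "Conflict"            # changes on both sides


def scenario() -> list[str]:
    """Walk ISFW through the common transitions and return the status after each step."""
    fgt = ManagedFortiGate("ISFW", [Revision("c0", "add")], device_db="c0", running="c0")
    out = [fgt.status()]                 # Synchronized: freshly added
    fgt.edit_on_fortimanager("c1")       # new static route in Device Manager
    out.append(fgt.status())             # Modified
    fgt.install()                        # revision c1 created and pushed
    out.append(fgt.status())             # Synchronized
    fgt.auto_update = False
    fgt.keepalive("c2")                  # change made locally on FortiGate
    out.append(fgt.status())             # Out-of-Sync
    fgt.edit_on_fortimanager("c3")       # and another edit on FortiManager
    out.append(fgt.status())             # Conflict
    fgt.retrieve()                       # administrator retrieves from FortiGate
    out.append(fgt.status())             # Synchronized
    fgt.auto_update = True
    fgt.keepalive("c4")                  # local change absorbed automatically
    out.append(fgt.status())             # Auto-Update
    fgt.reachable = False                # FGFM tunnel down
    out.append(fgt.status())             # Unknown
    return out
```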

You can view the changes made to the device database on FortiManager by clicking Install Preview under
the Configuration and Installation widget. The preview includes the exact commands that will be installed
on that FortiGate when the next install is performed.

This slide shows a new static route that will be pushed to FortiGate on the next install. Because a
configuration change was made, but it still hasn’t been installed on the device, the Config Status is tagged as
Modified.

The diagnose dvm device list command provides the list of all devices that are managed by
FortiManager, as well as any unregistered devices. Any registered VDOMs are also listed here. This output
provides information, such as serial number, connecting IP, firmware, HA mode, and status for device-level
settings and policy packages.

The example on this slide shows that the FortiGate configuration is in sync with the latest running revision
history. However, changes have been made in FortiManager to the device-level settings. That is why the CLI
output is showing db:modified and the cond is showing as pending. After you install the changes on
FortiGate, the output displays db: not modified and cond: OK.

Finally, this command also shows whether the FGFM tunnel between FortiGate and FortiManager is up or
down.

You can use the diagnose fgfm session-list command to verify the FGFM tunnel uptime between
FortiManager and FortiGate devices, display the connecting IP addresses of all managed devices, and show
the link-local addresses assigned by FortiManager to FortiGate devices for management traffic.

If you need to re-establish the connection between the selected device and FortiManager, you can use the
Refresh Device option. This operation updates the device status and retrieves basic information about the
managed device, such as serial number, firmware version, support contracts, and FortiGate HA cluster
member information.

You can refresh the connection by selecting the device in the Device Manager and then selecting Refresh
Device from the More drop-down list.

Good job! You now understand the device-level settings and status of the managed devices on FortiManager.

Now, you will learn how to install configuration changes from FortiManager.

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in installing configuration changes, you will successfully make changes to
managed devices through FortiManager.

This slide shows an example of when the configuration status of a managed FortiGate is updated after you
make a change in FortiManager, as well as the process that takes place when you run the Install Wizard to
install those changes.

FortiManager keeps FortiGate configurations in the revision history. The latest revision history is compared
with the FortiGate configuration to provide the configuration status and it is updated if needed.

When a new configuration is installed, FortiManager compares the latest configuration revision with the
changes made on FortiManager. If they are different, FortiManager then creates a new revision and installs
the changes on the managed device.

Configuration changes made from the Device Manager do not take immediate effect—they must be installed.
Until they are installed, the configuration status of the device remains as Modified. The installation process
involves the FortiManager Install Wizard.

During installation, you are asked to choose between two different installation types.

If you choose Install Device Settings (only), the wizard installs only device-level configuration changes
made from FortiManager. If you have made changes to the device-level configuration and policies in the
policy packages, you can choose Install Policy Package & Device Settings, which installs policy package
changes and any device-specific settings. You will learn about policy packages later in this course.

To launch the install wizard, click Install Wizard on the toolbar, or click Install and choose Install Wizard as
shown on this slide.

In the example on the slide, Install Device Settings (only) is selected. Once the installation completes, the
FortiManager and FortiGate will be back in sync, and the Config Status changes from Modified to
Synchronized.

After you choose the installation type, you need to select the device on which you want to install the changes.
If you’ve made device-level changes to multiple devices under the Device Manager, you can select multiple
devices on which to install those changes.

The next step is validation. The Install Wizard checks the device settings and compares them with the latest
running revision history. At this point, you can click Install Preview to view the configuration changes that will
be installed on the managed FortiGate. You can download the preview by clicking Download. The file is
saved in a .txt format.

As a best practice, you should always preview and verify the changes that will be committed to FortiGate. In
the case of a conflict, you can cancel the installation. Then, you can review and correct the conflicting
configuration under Device Manager and relaunch the Install Wizard.

In the example shown on this slide, a new static route has been added.

The final step performed using the Install Wizard is the installation. After the installation is complete, you can
view the Install Log to see the list of devices on which the configuration changes were installed.

The log also shows any errors or warnings that occurred during the installation process. Click View
Installation Log to view the configuration changes installed on the managed FortiGate. If the installation fails,
the install log provides an indication of the stage where the failure occurred.

Optionally, you can download the install log for your records, or to use it as a reference for future installs.

In the example shown on this slide, the installation was successful and FortiManager created a new revision
history for the installation.

The Quick Install (Device DB) option allows you to perform a quick installation of device-level settings
without launching the Install Wizard.

When you use this option, you cannot preview the changes prior to installing them. Administrators should be
certain of the changes made before using this option because the install can’t be cancelled after the process
is initiated.

If unsure about the changes, administrators are encouraged to use the Install Wizard, so that they can
preview the changes before committing them.

Good job! You now understand the steps involved in installing device-level configuration changes.

Now, you will learn about the revision history repository for the managed FortiGate devices on FortiManager.

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in using the configuration revision history, you will be able to diagnose and
troubleshoot common issues related to FortiGate configuration changes.

A new configuration revision is created by many different operations, such as adding a device, installing
changes, retrieving a configuration, or the occurrence of an automatic update.

FortiManager maintains a repository of the configuration revisions associated with its managed devices. This
collection is the configuration revision history and allows the FortiManager administrator to examine
configuration changes between revisions, view the installation history, and view which administrator or
process created the new configuration revision. This is very useful for troubleshooting.

To examine the revision history, select the device and, in the Configuration and Installation widget, you can
view, download, or compare the differences between revisions.

Several important pieces of information are available when you examine the Configuration Revision
History. The Installation and Created by columns provide details about the action, process, and
administrator that created the revision.

You can select any of the revisions to view or download the corresponding configuration revision. This
includes the complete configuration of the managed device, not just the device-level configuration.

You can also compare the differences between versions by clicking Revision Diff. You can compare the
revision history to a previous version, select a specific version, or compare it to the factory default
configuration. You can choose to show the full configuration with differences, or just the differences like the
example on this slide.

The View Install Log option is available only from entries with the value of Installed. This is useful because it
shows which commands were sent to, and accepted by, the device, as well as the commands that were not
accepted if any errors occurred.

For all the options mentioned above, you can choose to download the information to a file. You can use this
file, for example, to create configuration scripts later.
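The following is an added example, not code from the study guide or from FortiManager itself. It shows what the "differences only" view of Revision Diff amounts to: two revisions of a FortiOS-style configuration are flattened into (section path, setting) pairs and only the settings that were added, removed or changed are reported. The two revisions are constructed for this example; revision 6 changes the timezone and adds a second static route.

```python
"""Section-aware diff of two FortiOS-style configuration revisions.

Constructed example, not FortiManager code: it flattens the nested
config/edit/set/next/end structure into {(section path, setting): value}
and reports only what changed, much like choosing to show just the
differences in Revision Diff.
"""
import shlex


def parse_config(text):
    """Flatten a FortiOS-style config into {(path, key): value}."""
    settings = {}
    path = []  # stack of enclosing section and entry names
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        verb, args = tokens[0], tokens[1:]
        if verb == "config":
            path.append(" ".join(args))
        elif verb == "edit":
            path.append(args[0])
            settings[(tuple(path), "__entry__")] = "present"
        elif verb in ("next", "end"):
            path.pop()
        elif verb in ("set", "append"):
            settings[(tuple(path), args[0])] = " ".join(args[1:])
        elif verb == "unset":
            settings[(tuple(path), args[0])] = None
    return settings


def diff_revisions(old_text, new_text):
    """Return added, removed and changed settings as (path, key, old, new)."""
    old, new = parse_config(old_text), parse_config(new_text)
    report = {"added": [], "removed": [], "changed": []}
    for (path, key), value in new.items():
        if (path, key) not in old:
            report["added"].append((path, key, None, value))
        elif old[(path, key)] != value:
            report["changed"].append((path, key, old[(path, key)], value))
    for (path, key), value in old.items():
        if (path, key) not in new:
            report["removed"].append((path, key, value, None))
    return report


def format_report(report):
    """Render the diff in a +/-/~ style, one line per difference."""
    lines = []
    for sign, kind in (("+", "added"), ("-", "removed"), ("~", "changed")):
        for path, key, old, new in report[kind]:
            where = " > ".join(path)
            if key == "__entry__":
                lines.append(f"{sign} {where}")
            elif kind == "changed":
                lines.append(f"{sign} {where}: {key} {old} -> {new}")
            else:
                lines.append(f"{sign} {where}: {key} {new if kind == 'added' else old}")
    return "\n".join(lines)


# Constructed sample revisions (not captured from a real device): revision 6
# changes the timezone and adds static route 2.
REVISION_5 = """
config system global
    set hostname "Local-FortiGate"
    set timezone 12
end
config router static
    edit 1
        set gateway 10.200.1.254
        set device "port1"
    next
end
"""

REVISION_6 = """
config system global
    set hostname "Local-FortiGate"
    set timezone 04
end
config router static
    edit 1
        set gateway 10.200.1.254
        set device "port1"
    next
    edit 2
        set dst 10.0.2.0 255.255.255.0
        set gateway 10.200.1.1
        set device "port1"
    next
end
"""

if __name__ == "__main__":
    print(format_report(diff_revisions(REVISION_5, REVISION_6)))
```

Because the comparison is keyed by section path rather than by line position, a setting that merely moved within the file is not reported as a change, which is the same reason the Revision Diff output is easier to read than a raw text diff of two downloaded revisions.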

If you are not satisfied with the running configuration, there are multiple ways to resolve the configuration
issues. You can:

• Retrieve the configuration of the managed device.
• Modify the configuration directly on the managed device.
• Modify the configuration on FortiManager and then install it to the managed device.
• Revert to a previous working configuration.
• Import previously exported revision files from a local computer.

After every retrieve, auto-update, or revert operation, you must use the Import Configuration tool to ensure
the policy information is also synchronized.

Using the Configuration Revision History window, you can create a new revision that is based on the
current configuration of a managed device. When you click Retrieve Config, FortiManager proceeds to get
the selected device configuration, and then creates a new revision.

This option can be used to resync the FortiGate device with the FortiManager device database. However,
after retrieving the configuration, you must use the Import Configuration wizard to ensure the policy
information is also synchronized.

The Comments column automatically generates a comment if a retrieve operation is performed.

By default, all changes made directly on a managed FortiGate device are automatically updated on
FortiManager and reflected in Revision History and Config Status for that device.

You can use the commands shown on this slide to disable the default automatic update behavior. This allows
the FortiManager administrator to accept or refuse the update.

If an automatic update occurs, it is no longer possible for FortiManager to be sure the selected policy package
is the same as the running firewall policy. To achieve full synchronization, you must run the Import
Configuration tool on FortiManager to sync the policy package.

The green checkmark in the revision history indicates which revision history configuration corresponds to the
device manager database configuration. It is usually the top entry, which is synchronized with the FortiGate
configuration.

A revert operation changes the device database configuration to a previous configuration state. You must
install these reverted changes on FortiGate, which then creates a new revision entry. This new revision is a
copy of the reverted one and in sync with the FortiGate configuration.

You can revert to any previous revision by right-clicking that entry and then clicking Revert. The selected
entry automatically updates the Installation column to Revision Revert. FortiManager also updates the
Comments column with the number of the revision it was reverted from and indicates that a new revision ID
will be generated on install.

Performing a revert operation followed by an installation only reverts device-level changes and does not revert
policy packages. To achieve full synchronization, you must run the Import Configuration tool on
FortiManager to sync the policy package.

Good job! You now understand the purpose of the revision history and how it can be used.

Now, you will learn about scripts and device groups.

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in using scripts, you will be able to make bulk configuration changes to many
managed FortiGate devices. Using device groups, you will be able to administer and manage your FortiGate
devices more effectively and efficiently.

You can use scripts to make configuration changes to a managed device. Scripts are useful for bulk
configuration changes and to keep consistency across multiple devices. FortiManager supports two types of
scripts:

• CLI: includes only FortiOS CLI commands as you would type them at the command line prompt on a
FortiGate device.
• Tcl: a dynamic scripting language that allows for the use of global variables and decision structures. You
must be familiar with the Tcl language and regular expressions to use it. For more information about Tcl
scripts, visit: http://www.tcl.tk

By default, CLI scripts are enabled. To use Tcl scripts, however, they must be enabled with the command
shown on this slide.

Note that Tcl scripts do not run through the FGFM tunnel like CLI scripts do. Tcl scripts use SSH to tunnel
through FGFM and they require SSH authentication to do so. If FortiManager does not use the correct
administrative credentials in the device manager, the Tcl script fails.

CLI scripts use the FGFM tunnel, and the FGFM tunnel is authenticated using the FortiManager and FortiGate
serial numbers.

Although it is not available for the creation of standalone scripts, you can use Jinja scripts when creating CLI
templates. Jinja uses a Python-like syntax and allows you to use FortiManager variables in a CLI template
that you can apply to one or more devices.

In this lesson, you will learn about CLI scripts only.

When creating CLI scripts, follow these best practices:

• Use complete FortiOS CLI commands. Partial syntax can be used; however, it may cause the script to fail.
• A line that starts with the number sign (#) is considered a comment and will not execute.
• In the FortiGate CLI, ensure the console output is set to standard. Otherwise, scripts and other output
longer than a screen in length will not execute or display correctly.

Scripts can be run in three different locations:

• Device Database: By default, a script is executed on the device database. It is recommended that you run
the changes on the device database because this allows you to check what configuration changes are sent
to the managed device. Once scripts are run on the device database, you can then install the changes on a
managed device using the installation wizard.
• Policy Package or ADOM Database: If a script contains changes related to ADOM-level objects and
policies, you can change the default selection to run the script on Policy Package or ADOM Database
instead, and then install the changes using the installation wizard.
• Remote FortiGate Directly (via CLI): A script can be executed directly on the device, and you don’t need
to install the changes using the installation wizard. As the changes are directly installed on the managed
device, no option is provided to check the configuration changes through FortiManager before executing
them.

You can also apply options in Advanced Device Filters, which restrict the script so that it runs only on
managed devices that match the set criteria. For example, you can limit the script to run only on a subset of
the managed devices, or on devices with a specific platform.

Once you’ve configured a script, you can run it manually by selecting Run Script. You can also schedule it to
run at a specific time; for example, outside of business hours. This is useful when you don’t want to interfere
with the production network in the business hours.

To schedule it, right-click the script and then click Schedule Script. Schedules cannot be used on scripts that
must be run on Policy Package or ADOM Database.

The right-click menu also provides other options, such as edit, clone, delete, and export the script. The
exported script can be saved on your local computer in .txt format. Scripts can also be imported as text files
from your local computer.

The script running history is available in the Configuration and Installation Status widget of each managed
device, as well as under System Settings > Task Monitor.

You can also use scripts to get information from the FortiGate device. This type of script usually consists of
only one line that uses a show or get command and should be set to run on Remote FortiGate Directly (via
CLI). Running such a script on the device database, or on the ADOM database, does not provide any useful
information or simply fails with an error.

FortiManager supports dynamic mapping of interfaces and objects so that they can be used with multiple
policy packages. You can configure these dynamic mappings from the FortiManager GUI under the Policy &
Object pane. But what if you need to configure dynamic mapping for hundreds of FortiGate devices for an
address object or interface?

For those cases, you can use scripts that require special CLI syntax. This syntax is understood only by
FortiManager internally and is used to create dynamic mappings. It is a two-part script:

• The top part is the regular FortiOS CLI syntax defining the object.
• The bottom part is special FortiManager CLI syntax that creates the dynamic mapping for the object or
interface defined in the top part.

The table on the slide includes common errors and common causes for the scripts to fail. You can use these
to diagnose and troubleshoot script failure issues.

The common errors and causes for scripts to fail are:

• command parse error: It was not possible to parse this line of your script into a valid FortiGate CLI
command. This is usually caused by misspelled keywords or an incorrect command format.
• unknown action: Generally, this message indicates the previous line of the script was not executed,
causing the following CLI commands to fail to execute properly.
• Device <name> failed-1: This usually means there is a problem with the end of the script. The
<name> is the name of the FortiGate on which the script is executed. If a script has no end statement, or
that line has an error in it, you may see this error message. You may also see this message if the
FortiGate unit is not synchronized with FortiManager.

To resolve these script issues, use the script history to examine which CLI commands are executed, and
which commands are failing to execute.
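The following is an added example, not code from the study guide or from FortiManager. It turns the CLI script best practices from this lesson (complete commands, # comments, properly closed config and edit blocks) into a pre-flight check that can be run on a script before it is executed or scheduled, so that the causes behind the common errors above (a misspelled keyword, a missing end statement) are caught first. The list of accepted FortiOS CLI verbs and the two sample scripts are constructed for this example.

```python
"""Pre-flight check for a FortiManager CLI script.

Constructed example, not FortiManager code. It applies the guide's best
practices mechanically before a script is run or scheduled: comment lines
starting with # are skipped, every config block must be closed by end and
every edit entry by next, and each remaining line must begin with a FortiOS
CLI verb. Findings are (line number, message) pairs.
"""

# FortiOS CLI verbs accepted at the start of a script line (assumed list).
VERBS = {"config", "edit", "set", "unset", "append", "next", "end", "delete",
         "purge", "rename", "clone", "get", "show", "execute", "diagnose"}


def check_cli_script(script):
    """Return a list of (line_no, message) findings; an empty list means clean."""
    findings = []
    stack = []  # open blocks as ("config" | "edit", line_no)
    for no, raw in enumerate(script.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments never execute
        verb = line.split()[0]
        if verb not in VERBS:
            findings.append((no, f"'{verb}' is not a FortiOS CLI verb "
                                 "(likely 'command parse error')"))
            continue
        if verb == "config":
            stack.append(("config", no))
        elif verb == "edit":
            if not stack or stack[-1][0] != "config":
                findings.append((no, "'edit' must appear inside a config block"))
            stack.append(("edit", no))
        elif verb == "next":
            if stack and stack[-1][0] == "edit":
                stack.pop()
            else:
                findings.append((no, "'next' without a matching 'edit'"))
        elif verb == "end":
            if stack and stack[-1][0] == "config":
                stack.pop()
            else:
                findings.append((no, "'end' without a matching 'config'"))
        elif verb in ("set", "unset", "append") and not stack:
            findings.append((no, f"'{verb}' outside any config block"))
    # Anything still open is the classic cause of a script that fails at its end.
    for kind, no in stack:
        findings.append((no, f"'{kind}' block opened here is never closed"))
    return findings


# Constructed sample scripts (not from the guide).
GOOD_SCRIPT = """\
# Set the DNS servers on every targeted device
config system dns
    set primary 10.0.1.10
    set secondary 10.0.1.11
end
"""

BAD_SCRIPT = """\
config firewall address
    edit "Internal"
        sett subnet 10.0.1.0 255.255.255.0
    next
"""

if __name__ == "__main__":
    for name, script in (("good", GOOD_SCRIPT), ("bad", BAD_SCRIPT)):
        print(name, check_cli_script(script) or "OK")
```

A one-line show or get script passes the check unchanged, since it opens no block; the check only flags the structural mistakes that the script history would otherwise reveal after the fact.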

When troubleshooting scripts, you can check the script execution history to see details about the script. This is
available in the Configuration and Installation Status widget of each managed device, as well as under
System Settings > Task Monitor.

Additionally, you can examine details about the script execution using Event Logs.

You can use the execute fmscript <option> command on FortiManager for several operations related
to scripts. The table on this slide shows some of the options available.

The command example shown runs the script with ID 244 on the devices that are members of the group with
ID 245 in the ADOM named My_ADOM. Keep in mind that the script target and where you want to run it must
match. For example, you cannot run a script configured to run on the device database on an ADOM.

You can create device groups in an ADOM to simplify management tasks. For example, you can provide a
target that represents multiple devices for scripts, firmware upgrades, and configuration changes.

You can create a new device group by clicking Device Group > Create New Group and selecting the
devices to be added to this group.

Note that to delete a device group, you must delete all devices from the group first. Similarly, to delete an
ADOM, you must delete all device groups from the ADOM first.

Congratulations! You have completed this lesson.

Now, you will review the objectives that you covered in this lesson.

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned how to configure device-level changes,
understand the status of a managed FortiGate on FortiManager, and install changes to the managed
FortiGate devices. You also learned how to use the revision history for troubleshooting and about the
capabilities of scripts and device groups.

Policies and Objects

In this lesson, you will learn how to manage policies and objects on FortiManager for FortiGate. You will also
learn how to configure policies and objects on FortiManager, and then install them on FortiGate.

In this lesson, you will learn about the topics shown on this slide.

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in understanding, configuring, and using policies and objects, you will be able
to create customized access and policies based on the needs of your organization.

Policy packages simplify centralized firewall policy management by providing a useful container for your
firewall rule set. Policy packages contain firewall policies which, in turn, link to the objects you define on the
Firewall Objects pane. Objects share the common object database for each ADOM. You can share objects
among multiple policy packages in the ADOM.

You can manage a common policy package for many devices in an ADOM, or have a separate policy
package for each device. Policy packages allow you to maintain multiple versions of the rule set. For example,
you can clone a policy package before you make changes, which allows you to preserve the previous rule set.

A word of caution: while policy packages allow for multiple versions of a firewall policy rule set, the objects
referenced in those packages do not have multiple versions—they use only a current value.

For example, say you clone a policy package, add a new rule, and then change the value of a shared object. If
you return to a previous version of the policy package, you will back out of the rule that you added, but not the
modification to the shared object. The only way to return to a previous version of the policy package, including
backing out of the rule that you added and the modification to the shared object, is to use ADOM revisions,
which takes a snapshot of the Policy & Objects database for that ADOM.

In a single ADOM, administrators can create multiple policy packages. FortiManager allows you to customize
the policy packages for each device or VDOM in a specific ADOM, or apply a single policy package for
multiple devices in an ADOM. By defining the scope of a policy package, an administrator can modify or edit
the policies in that package, without changing other policy packages.

All objects in an ADOM are managed by a single database that is unique to that ADOM. Objects inside the
database include firewall objects, security profiles, users, and devices, among others.

Objects are shared in the ADOM and can be used in multiple policy packages. This simplifies the job of the
administrator. For example, you can create a security profile once and attach it to multiple policy packages for
installation on multiple FortiGate devices.

To create or edit existing objects, go to Policy & Objects > Firewall Objects and select the object type from
the top menu of the screen. On this slide, the Addresses tab is selected.

The Feature Visibility window allows you to display specific features on the GUI. The available options
depend on the ADOM version and vary from one ADOM to another.

By default, when you open Feature Visibility, the checkboxes for the most common options are selected.
You can show or hide a feature in Feature Visibility by selecting or clearing the checkbox beside the feature.
You can show all the options in a category by selecting the checkbox beside the category name or show all
the categories by selecting Check All at the bottom of the Feature Visibility window.

You can also enable additional firewall policy types such as NAT64, IPv6, and interface policies in Feature
Visibility.

A policy package has an installation target on one or more devices or VDOMs. Policy packages can share the
same installation target, however, only one policy package can be active on a device or VDOM. The active
policy package is listed on the Device Manager pane.

You can add, edit, or delete an installation target on the Installation Targets pane.

After you add an installation target, it appears in the list of Installation Targets. When you install a newly
assigned policy package on a target, the installation wizard displays a warning message that contains the
name of the previously assigned policy package.

After you install the new policy package, it appears as the active policy package for these devices or VDOMs
on the Device Manager pane, in the Policy Package Status column.

What if you need to share a policy package among many devices, except for only a few policies for specific
FortiGate devices?

You can set granular installation targets per rule in the policy by clicking the Install On column. This allows
you to add or remove target devices for that rule, or set it back to the default.

So, by using an installation target, you can share a policy package among multiple devices, and define rules
per device in the policy. Shared policy packages are helpful in environments where many devices need to
share common policies (except for a few policies that you can target per device) and eliminate the need for
multiple policy packages.

All objects in an ADOM are managed by a single database unique to the ADOM. Many objects now include
the option to enable dynamic mapping. You can use dynamic objects to map a single logical object to a
unique definition per device. You can dynamically map common features such as addresses, interfaces,
virtual IPs, and IP pools. A common example is a firewall address. You may have a common name for an
address object, but have a different value depending on the device it is installed on.

In the example shown on this slide, the dynamic address object Internal refers to the internal network address
of the managed firewalls. The object has a default value of 10.0.0.0/8. The mapping rules are defined per
device. For Remote-FortiGate, the address object Internal refers to 10.0.2.0/24, whereas for Local-
FortiGate the same object refers to 10.0.1.0/24. The devices in the ADOM that do not have dynamic
mapping for Internal have a default value of 10.0.0.0/8.

To add devices for dynamic mapping, select the Per-Device Mapping arrow, and then, in the Per-Device
Mapping section, click Create New. In the pop-up window that opens, select the device and set the IP
range/subnet.

Default normalized interfaces are created when ADOMs are created. Default normalized interfaces contain
several per-platform mapping rules for all FortiGate models.

In the example shown on this slide, interface internal1 is mapped to internal1 for the platforms highlighted.
Default per-platform mapping rules allow you to install policies on FortiGate devices without first creating
custom mapping rules.

You can map normalized interface names to different physical interface names on different FortiGate models.
In the example shown on this slide, the normalized interface named Inside is mapped to port3 for Local-
FortiGate and to port6 for Remote-FortiGate.

You can also select normalized interfaces when you create virtual wire pairs.

In this example, Inside is mapped to port3 on Local-FortiGate. Therefore, after a firewall policy is installed on
the managed FortiGate, the Inside interface will appear as port3.

Outside, however, remains untouched, because it is installed on the device as a zone and the port1 and
port2 interfaces are part of it.

On FortiManager, it is possible to delete a used object. FortiManager will display a warning message stating
that the object is currently used by other firewall policies or objects. To view the references of this object, click
Where Used. However, if you delete a used object, FortiManager will replace it with a none object. The none
object is equal to null, which means any traffic that meets that firewall policy will be blocked, unless there is a
broader policy that still meets the traffic requirement, or a policy defined to allow all traffic (catch all).

You should double-check all references to objects before deleting them, to avoid unintended firewall policy
behavior.

Find Unused Objects is a built-in GUI tool available to administrators to help you locate all unused firewall
objects in the FortiManager ADOM object database. Find Unused Objects searches all types of firewall
objects and displays the results in a pop-up window. You can delete unused objects directly in the Unused
Objects pop-up window. This removes the selected object from the FortiManager ADOM objects database.

Similar to Find Unused Objects, the Find Duplicate Objects tool searches the FortiManager firewall object
database and displays all objects that have duplicate values assigned to them. In the example shown on this
slide, the tool found that the custom service objects FTP, FTP_GET, and FTP_PUT have the same value.
After duplicate objects are found, you can merge those objects, if needed.

Policy Check provides recommendations only on what improvements can be made—it does not perform any
changes. It uses an algorithm to evaluate policy objects based on:
• Source and destination interface policy objects
• Source and destination address policy objects
• Service and schedule policy objects

Policy Check checks for:

• Duplication, where two objects have identical definitions
• Shadowing, where one object completely shadows another object of the same type
• Overlap, where one object partially overlaps another object of the same type
• Orphaning, where an object has been defined, but has not been used anywhere

To perform a policy check, select a policy package, and then, in the Policy Package drop-down list, click
Policy Check. In the Policy Check dialog box, you can select one of the following options:
• Perform Policy Check: This performs a policy check for consistency and provides any conflicts that may
prevent your devices from passing traffic.
• View Last Policy Check Result: This allows you to view the results of the most recent consistency check.

In the example shown on this slide, policy with ID 1 uses a none object in its source field and must be fixed to
allow traffic.

It is important to note that the policy check only provides recommendations on what improvements can be
made—it does not actually make any changes.
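The following is an added example, not the guide's or FortiManager's own Policy Check implementation. It shows the kind of evaluation Policy Check performs: address objects are reduced to IPv4 ranges, each policy to a match space of interfaces, addresses and services, and the package is then searched for duplicate objects, a later policy fully covered (shadowed) by an earlier one, policies that only partially overlap, orphaned objects, and policies left with a none object in an address field. The object names, policies and values are constructed for this example.

```python
"""Policy package consistency check: duplicate objects, shadowed and
overlapping policies, orphaned objects, and policies with a none object.

Constructed example, not FortiManager's Policy Check: address objects are
reduced to integer IPv4 ranges and each policy to a match space of
(source interfaces, destination interfaces, source ranges, destination
ranges, services). A later policy whose whole match space is already
covered by an earlier one is shadowed; one that merely intersects overlaps.
"""
import ipaddress

WILDCARDS = {"any", "ALL"}  # interface "any" and service "ALL" match everything


def to_ranges(definition):
    """'10.0.1.0/24' or '10.0.1.10-10.0.1.20' -> [(first, last)] as integers."""
    if "-" in definition:
        lo, hi = definition.split("-")
        return [(int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi)))]
    net = ipaddress.IPv4Network(definition, strict=False)
    return [(int(net.network_address), int(net.broadcast_address))]


def merge(ranges):
    """Merge integer ranges into sorted, non-overlapping intervals."""
    merged = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(hi, merged[-1][1]))
        else:
            merged.append((lo, hi))
    return merged


def covers(a, b):
    """True if every interval of b lies inside one merged interval of a."""
    merged = merge(a)
    return all(any(lo >= mlo and hi <= mhi for mlo, mhi in merged) for lo, hi in b)


def intersects(a, b):
    return any(lo <= bhi and blo <= hi for lo, hi in a for blo, bhi in b)


def set_covers(a, b):
    return bool(a & WILDCARDS) or b <= a


def set_meets(a, b):
    return bool((a | b) & WILDCARDS) or bool(a & b)


def policy_space(policy, addresses):
    """Expand object names into the concrete match space of a policy."""
    src = [r for n in policy["srcaddr"] for r in addresses.get(n, [])]
    dst = [r for n in policy["dstaddr"] for r in addresses.get(n, [])]
    return (set(policy["srcintf"]), set(policy["dstintf"]), src, dst,
            set(policy["service"]))


def policy_check(addresses, policies):
    """Evaluate policies top-down, as FortiGate does, and report findings."""
    findings = {"duplicate": [], "shadowed": [], "overlap": [],
                "orphaned": [], "none_object": []}
    names = list(addresses)
    for i, x in enumerate(names):
        for y in names[i + 1:]:
            if merge(addresses[x]) == merge(addresses[y]):
                findings["duplicate"].append((x, y))
    used = {n for p in policies for n in p["srcaddr"] + p["dstaddr"]}
    findings["orphaned"] = [n for n in names if n not in used]
    spaces = []
    for p in policies:
        space = policy_space(p, addresses)
        if not space[2] or not space[3]:  # a none object: the policy matches nothing
            findings["none_object"].append(p["id"])
        else:
            spaces.append((p["id"], space))
    for i, (pid_a, a) in enumerate(spaces):
        for pid_b, b in spaces[i + 1:]:  # a is evaluated before b
            full = (set_covers(a[0], b[0]) and set_covers(a[1], b[1]) and
                    covers(a[2], b[2]) and covers(a[3], b[3]) and
                    set_covers(a[4], b[4]))
            partial = (set_meets(a[0], b[0]) and set_meets(a[1], b[1]) and
                       intersects(a[2], b[2]) and intersects(a[3], b[3]) and
                       set_meets(a[4], b[4]))
            if full:
                findings["shadowed"].append((pid_b, pid_a))
            elif partial:
                findings["overlap"].append((pid_a, pid_b))
    return findings


# Constructed ADOM objects and policy package (not from the guide).
ADDRESSES = {name: to_ranges(value) for name, value in {
    "all": "0.0.0.0/0",
    "Internal": "10.0.1.0/24",
    "LAN_Copy": "10.0.1.0/24",        # same value as Internal -> duplicate
    "Servers": "10.0.1.10-10.0.1.20",
    "Guest": "192.168.50.0/24",       # never referenced -> orphaned
}.items()}

POLICIES = [
    {"id": 1, "srcintf": ["port3"], "dstintf": ["port1"], "srcaddr": ["Internal"],
     "dstaddr": ["all"], "service": ["HTTP", "HTTPS"]},
    {"id": 2, "srcintf": ["port3"], "dstintf": ["port1"], "srcaddr": ["Servers"],
     "dstaddr": ["all"], "service": ["HTTPS"]},            # shadowed by 1
    {"id": 3, "srcintf": ["port3", "port5"], "dstintf": ["port1"],
     "srcaddr": ["Servers"], "dstaddr": ["all"], "service": ["HTTPS"]},  # overlaps
    {"id": 4, "srcintf": ["port3"], "dstintf": ["port1"], "srcaddr": ["none"],
     "dstaddr": ["all"], "service": ["ALL"]},              # none object
]

if __name__ == "__main__":
    for kind, items in policy_check(ADDRESSES, POLICIES).items():
        print(f"{kind}: {items}")
```

Like Policy Check, the function only reports; which finding matters depends on intent (a deliberately narrow policy above a broad one is normal, while a shadowed policy that was meant to log or block specific traffic is a real defect), so the results are reviewed by an administrator rather than applied automatically.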

Meta Fields allow administrators to add additional attributes to several types of objects and administrator
accounts. You can make meta fields required or optional. When meta fields are required, administrators must
supply additional information when they create an associated object. For example, if you create a required
meta field for a device object, administrators must define a value for the meta field for all devices.

When you create a new meta field, you must choose a value for the following fields:

• Object: the object type this meta field applies to, such as administrative domain, firewall address group,
firewall policy, central NAT, administrator, and so on.
• Name: the label used for this field.
• Length: the maximum number of characters allowed for the field.
• Importance: whether the field is compulsory or not.
• Status: the availability of the meta field for selection in objects. This option is available only for
non-firewall objects.

Meta fields cannot be used as variables in scripts or provisioning templates. Instead, you can use ADOM-level
metadata variables for that purpose.

The example on this slide shows the creation of a new meta field for firewall policies. The new field is labelled
“Specify Inbound or Outbound” and marked as required.

ADOM-level metadata variables can be used as variables in scripts, templates, firewall address objects, IP
pools, and virtual IPs (VIPs).

Typing $ into an object's field where metadata variables are supported displays the available metadata
variables for selection. Fields that support metadata variables are identified with a magnifying glass icon.

You can configure ADOM-level metadata variables in Policy & Objects > Advanced > Metadata Variables.

By default, metadata variables are only available in the ADOMs in which they were created. However, you can
export them and then import them into another ADOM.

Metadata variables can also be created in the Global Database ADOM. When creating ADOM-level metadata
variables in the Global Database, you can configure per-ADOM mapping to assign specific values to all
devices within an ADOM.

The example on this slide shows the creation of a new metadata variable that refers to the subnet for each
branch, and how the new variable is used in a firewall address object.

The example on this slide shows a metadata variable being referenced in a firewall policy, and how the
variable value is adjusted based on the device the firewall policy is installed to. In this example,
Branch_Subnet is translated to 10.0.1.0/24 for Local-FortiGate. That is, the third octet becomes 1.
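The following is an added example, not code from the study guide or from FortiManager's installer. It models the three per-device mechanisms described in this section together: a dynamic address object with a default value and per-device mappings (Internal), a normalized interface mapped per device or per platform, or kept as a zone (Inside, Outside), and an ADOM metadata variable whose value depends on the target device (Branch_Subnet). The $(name) token syntax, the device Branch3-FortiGate, the platform names and the Branch_LAN object are assumptions for this example; the device names and values for Local-FortiGate and Remote-FortiGate follow the slides.

```python
"""Per-device resolution of dynamic objects, normalized interfaces and
ADOM metadata variables.

Constructed example, not FortiManager's installer. It mimics three mechanisms
from the guide: a dynamic address object carries a default value plus
per-device mappings; a normalized interface maps to a physical port per device
or per platform, or stays a zone name; and a metadata variable is replaced by
the value assigned to the target device. The $(name) token syntax, the third
device and the platform names are assumptions for this example.
"""
import re

# Constructed managed devices with their platform and metadata values.
DEVICES = {
    "Local-FortiGate": {"platform": "FortiGate-VM64",
                        "metadata": {"Branch_Subnet": "10.0.1.0/24"}},
    "Remote-FortiGate": {"platform": "FortiGate-VM64",
                         "metadata": {"Branch_Subnet": "10.0.2.0/24"}},
    "Branch3-FortiGate": {"platform": "FortiGate-60F", "metadata": {}},
}

# Dynamic address objects: default value plus optional per-device mapping.
DYNAMIC_ADDRESSES = {
    "Internal": {"default": "10.0.0.0/8",
                 "per_device": {"Remote-FortiGate": "10.0.2.0/24",
                                "Local-FortiGate": "10.0.1.0/24"}},
    "Branch_LAN": {"default": "$(Branch_Subnet)", "per_device": {}},
}

# Normalized interfaces: per-device mapping wins over per-platform; zones keep their name.
NORMALIZED_INTERFACES = {
    "Inside": {"per_device": {"Local-FortiGate": "port3", "Remote-FortiGate": "port6"},
               "per_platform": {"FortiGate-60F": "internal1"}},
    "Outside": {"zone": True},
}

METADATA_TOKEN = re.compile(r"\$\((\w+)\)")


def substitute_metadata(value, device):
    """Replace $(var) tokens with the metadata values of the target device."""
    meta = DEVICES[device]["metadata"]

    def lookup(match):
        var = match.group(1)
        if var not in meta:
            raise ValueError(f"{device}: metadata variable {var} has no value")
        return meta[var]

    return METADATA_TOKEN.sub(lookup, value)


def resolve_address(name, device):
    """Per-device mapping if present, otherwise the object's default value."""
    obj = DYNAMIC_ADDRESSES[name]
    return substitute_metadata(obj["per_device"].get(device, obj["default"]), device)


def resolve_interface(name, device):
    """Interface name installed on the device for a normalized interface."""
    rule = NORMALIZED_INTERFACES[name]
    if rule.get("zone"):
        return name  # zones are installed under their own name
    if device in rule.get("per_device", {}):
        return rule["per_device"][device]
    platform = DEVICES[device]["platform"]
    if platform in rule.get("per_platform", {}):
        return rule["per_platform"][platform]
    raise ValueError(f"{device}: no mapping for normalized interface {name}")


def install_policy(policy, device):
    """Return the policy as it would be installed on one device."""
    return {
        "srcintf": resolve_interface(policy["srcintf"], device),
        "dstintf": resolve_interface(policy["dstintf"], device),
        "srcaddr": {n: resolve_address(n, device) for n in policy["srcaddr"]},
        "dstaddr": list(policy["dstaddr"]),
    }


# Constructed shared policy referencing the objects above.
POLICY = {"srcintf": "Inside", "dstintf": "Outside",
          "srcaddr": ["Internal", "Branch_LAN"], "dstaddr": ["all"]}

if __name__ == "__main__":
    for device in DEVICES:
        try:
            print(device, install_policy(POLICY, device))
        except ValueError as err:
            print(device, "install would fail:", err)
```

Running the block shows the two behaviours worth remembering from this section: a device without a per-device mapping silently receives the object's default value (Internal becomes 10.0.0.0/8 on Branch3-FortiGate), whereas a metadata variable with no value for the target device has nothing to fall back to, so the install of that policy cannot proceed.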

Good job! You now understand policy and object management.

Now, you will learn about import and install wizards.

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in understanding the options for configuring and managing firewall policies on
the Policy & Objects pane, you will be able to use the Import Configuration wizard and the Install Wizard to
manage devices on FortiManager.

The screen capture at the top of this slide shows the output of the diagnose dvm device list command, in
which the policy package status is Modified while the configuration status is In Sync. This indicates that only
the policy package was modified, not the device-level settings.

The same information is also available on the GUI, as shown in the screen capture on this slide.

After every retrieve, auto-update, and installation operation, FortiManager stores the FortiGate configuration in
the revision history.

The illustration on this slide shows the possible values of the policy package status:
• Imported: A policy package was successfully imported for a managed device.
• Synchronized: Policies and objects are synchronized between FortiManager and the managed device.
• Never Installed: The policy package has never been installed on the managed device (for example, a
package was never created or imported for that device).
• Modified: The policy package was changed on FortiManager and the changes have not yet been pushed to
the managed device.
• Out-of-sync: The latest policy package does not match the policies and objects in the latest revision in
revision history, because of configuration changes made locally on FortiGate or a previous partial
installation failure. Perform a retrieve, and then import the policies into FortiManager.
• Conflict: Policy changes were made locally on FortiGate and not imported into the policy package, and
changes were also made on FortiManager. Depending on the changes, you can either import the policies
from FortiGate or install the changes from FortiManager.
• Unknown: FortiManager is unable to determine the policy package status.

You can resolve most policy status issues by importing a policy package or installing a policy package.
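
Modified, Out-of-sync, and Conflict are three answers to one question: which side changed since the last successful installation? The Python model below, added here as an illustration and not taken from FortiManager's own code, makes that three-way comparison explicit. It fingerprints the package as it was last installed, the package as it is now on FortiManager, and the policies in the latest retrieved revision, then maps the result to the status names used on the slide (Imported and Unknown are not modelled). The sample policies are constructed for the example.

```python
import hashlib
import json

NEVER_INSTALLED = "Never Installed"
SYNCHRONIZED = "Synchronized"
MODIFIED = "Modified"
OUT_OF_SYNC = "Out-of-sync"
CONFLICT = "Conflict"

# Next step for each state, following the guidance on the slide.
RECOMMENDED_ACTION = {
    NEVER_INSTALLED: "install the policy package (import the device's policies first if it has any)",
    SYNCHRONIZED: "nothing to do",
    MODIFIED: "install the policy package to push FortiManager's changes",
    OUT_OF_SYNC: "retrieve the device configuration, then import its policies",
    CONFLICT: "review both sides, then either import from FortiGate or install from FortiManager",
}


def fingerprint(policies):
    """Stable digest of a policy list; key order and whitespace do not affect equality."""
    canonical = json.dumps(policies, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def package_status(installed_snapshot, fmg_package, device_revision):
    """Classify a policy package the way the Device Manager status column does.

    installed_snapshot: the package as it was at the last successful install (None if never)
    fmg_package:        the package as it is now in FortiManager
    device_revision:    the policies in the latest revision retrieved from FortiGate
    """
    if installed_snapshot is None:
        return NEVER_INSTALLED
    base = fingerprint(installed_snapshot)
    fmg_changed = fingerprint(fmg_package) != base
    dev_changed = fingerprint(device_revision) != base
    if fmg_changed and dev_changed:
        return CONFLICT       # edited on both sides since the last install
    if fmg_changed:
        return MODIFIED       # FortiManager is ahead of the device
    if dev_changed:
        return OUT_OF_SYNC    # FortiGate changed locally, or a partial install failed
    return SYNCHRONIZED


# Constructed sample: the same single-policy package seen from three places.
BASE = [{"policyid": 1, "srcintf": ["port2"], "dstintf": ["port1"], "srcaddr": ["LAN"],
         "dstaddr": ["all"], "service": ["HTTPS"], "action": "accept"}]
FMG_EDIT = [dict(BASE[0], service=["HTTPS", "SSH"])]   # edited in the FortiManager package
LOCAL_EDIT = [dict(BASE[0], action="deny")]            # edited on the FortiGate CLI

if __name__ == "__main__":
    cases = (("untouched", BASE, BASE), ("FortiManager edit", FMG_EDIT, BASE),
             ("local FortiGate edit", BASE, LOCAL_EDIT), ("both sides", FMG_EDIT, LOCAL_EDIT))
    for label, fmg, dev in cases:
        state = package_status(BASE, fmg, dev)
        print(f"{label:22} -> {state}: {RECOMMENDED_ACTION[state]}")
```

The point of the snapshot taken at install time is that neither side can be judged on its own: the device revision alone cannot tell you whether a difference was made on FortiGate or is simply a pending FortiManager change.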

It is common for FortiGate to have a running configuration already. The Import Configuration wizard guides
you through importing policies and objects into FortiManager. When you import a device, you create a new
policy package that does not interfere with other packages. However, objects you import will add to, or
update, existing objects. You may want to create a new ADOM revision before performing an import.

If you add an unregistered device to FortiManager, you must run the Import Configuration wizard after
promoting the device.

The next few slides explore the stages that the wizard guides you through.

By default, interface mappings exist for interfaces configured on the firewall. This allows the device interfaces
to be referenced in policy packages. You can rename the ADOM interface mapping in the wizard.

The wizard performs a policy search to find all policies in preparation for import into the FortiManager
database. You can import all firewall policies, or select specific policies to import. If you import only some
policies into the policy package and later install policy changes, the policies that were not imported are deleted
from FortiGate, because FortiManager installs exactly what the package contains and those policies are not in
it.

You can also choose whether to import all configured objects, or only the objects referenced by the current
firewall policies. In either case, the next installation deletes orphan (unused) objects that are not tied to
policies from FortiGate. If you import all objects, however, the unused objects are kept in the FortiManager
ADOM object database, so you can reference them in policies on FortiManager later and install them on the
managed devices.

By default, Import All (for policies) and Import only policy dependent objects are selected when you run the
wizard. As a word of caution, if you manage many devices in an ADOM and select Import all objects for every
device, the object database fills with unused objects, which quickly becomes hard for an administrator to
manage.

After the import is complete, the wizard provides the Policy Import Summary and the Download Import
Report. You can download the import report, which is only available on the Import Device page. You can
view the report using any text editor.

As a best practice, you should download the report.

The import report provides information about FortiGate, the ADOM name on FortiManager, and the policy
package name. It also lists the objects that were added as new objects. Existing objects that have the same
name and value on FortiGate and FortiManager are reported as DUPLICATE. If the value of an existing object
differs, FortiManager updates the object in its database and reports it as "update previous object".

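To make the object-handling rules of the Import Configuration wizard concrete (which objects are skipped, which become new or updated database entries, which are reported as DUPLICATE, and which policies and orphan objects the next install would delete from FortiGate), here is a Python dry-run that follows the semantics stated on the two slides above. It is an added example, not FortiManager's code or its report format; the object and policy names are constructed, and the renaming of conflicting objects that the Install Wizard slide mentions is not modelled.

```python
from dataclasses import dataclass, field


@dataclass
class ImportReport:
    new: list = field(default_factory=list)         # added to the ADOM database
    duplicate: list = field(default_factory=list)   # same name and value already present
    updated: list = field(default_factory=list)     # same name, value changed on FortiGate
    skipped_unused: list = field(default_factory=list)   # not imported (policy-dependent mode)
    objects_deleted_on_next_install: list = field(default_factory=list)
    policies_deleted_on_next_install: list = field(default_factory=list)


def referenced_objects(policies):
    """Every address and service name referenced by the given policies."""
    names = set()
    for pol in policies:
        for key in ("srcaddr", "dstaddr", "service"):
            names.update(pol.get(key, []))
    return names


def import_objects(device_objects, device_policies, adom_db,
                   selected_policy_ids=None, import_all_objects=False):
    """Apply the wizard's object rules to adom_db (mutated in place) and report what happened.

    device_objects:      {name: attributes} as configured on FortiGate
    device_policies:     policy dicts as configured on FortiGate
    adom_db:             {name: attributes} already in the ADOM object database
    selected_policy_ids: policy IDs chosen in the wizard; None means Import All
    import_all_objects:  True for "Import all objects", False for policy-dependent only
    """
    report = ImportReport()
    if selected_policy_ids is None:
        selected = device_policies
    else:
        selected = [p for p in device_policies if p["policyid"] in selected_policy_ids]
        # Policies left out of the package are removed from FortiGate at the next install.
        report.policies_deleted_on_next_install = sorted(
            p["policyid"] for p in device_policies if p["policyid"] not in selected_policy_ids)
    used = referenced_objects(selected)

    for name, attrs in sorted(device_objects.items()):
        if name not in used and not import_all_objects:
            report.skipped_unused.append(name)
        elif name not in adom_db:
            adom_db[name] = dict(attrs)
            report.new.append(name)
        elif adom_db[name] == attrs:
            report.duplicate.append(name)
        else:
            adom_db[name] = dict(attrs)
            report.updated.append(name)
        # Orphans are deleted from FortiGate at the next install in both modes; with
        # "Import all objects" they survive in the ADOM database and can be reused later.
        if name not in used:
            report.objects_deleted_on_next_install.append(name)
    return report


# Constructed sample data (not from a real device or ADOM).
DEVICE_OBJECTS = {
    "LAN": {"type": "ipmask", "subnet": "10.0.1.0/24"},
    "DMZ": {"type": "ipmask", "subnet": "10.0.9.0/24"},
    "Guest_WiFi": {"type": "ipmask", "subnet": "10.0.7.0/24"},
    "Old_Server": {"type": "ipmask", "subnet": "10.0.5.10/32"},   # referenced by no policy
}
DEVICE_POLICIES = [
    {"policyid": 1, "srcaddr": ["LAN", "Guest_WiFi"], "dstaddr": ["all"], "service": ["HTTPS"]},
    {"policyid": 2, "srcaddr": ["DMZ"], "dstaddr": ["all"], "service": ["HTTP"]},
]
ADOM_DB = {
    "LAN": {"type": "ipmask", "subnet": "10.0.1.0/24"},   # identical value -> DUPLICATE
    "DMZ": {"type": "ipmask", "subnet": "10.0.8.0/24"},   # different value -> updated
}

if __name__ == "__main__":
    db = dict(ADOM_DB)
    print(import_objects(DEVICE_OBJECTS, DEVICE_POLICIES, db, selected_policy_ids={1}))
    db = dict(ADOM_DB)
    print(import_objects(DEVICE_OBJECTS, DEVICE_POLICIES, db, import_all_objects=True))
```

Running the first case (only policy 1 selected, policy-dependent objects) shows why the slide warns about partial imports: policy 2 and the objects DMZ and Old_Server would all disappear from the FortiGate at the next install, and DMZ would not even exist in the ADOM database to be re-added.
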
After you make configuration changes to the policy package, the Policy Package Status is flagged as
Modified on the Device Manager pane. There are multiple ways to launch the Install Wizard on the Device
Manager pane, as well as on the Policy & Objects pane. If you are using ADOMs, make sure you select the
ADOM in the ADOM drop-down list first.

Now, you will explore the process of installing policy configuration changes using the Install Wizard. During
this process, the policy and device configuration items are installed on the managed device. After the
installation is complete, FortiManager and FortiGate are in sync and the Policy Package Status changes
from Modified to Installed (Synchronized).

When you select Install Policy Package & Device Settings, the Install Wizard installs the policy package
and any pending device-level changes.

The policy package you select is displayed and you have the option to create a new ADOM revision for this
installation. Note that an ADOM revision is a snapshot of the entire ADOM and not the changes specific to this
policy package.

You can also enable Schedule Install, which allows you to specify the date and time to install the latest policy
package changes.

The next step is Device Selection. In this step, the wizard displays the devices selected in the installation
target for the specific policy package.

The next step in the wizard is validation. In this step, the wizard checks that the policy package selected is
suitable for the installation targets selected, such as whether the interface mapping reference in the policy
package is configured on the installation targets. If the validation fails, the installation will stop.

Before performing the installation, as a best practice, always preview and verify the changes that will be
committed to FortiGate. If this is the first installation, you may see many changes, because objects may have
been renamed during the import process and unused objects removed from the device configuration. If you
don’t want to proceed with the installation, you can cancel the installation at this step in the wizard.

The last step is Install, which performs the actual installation. The wizard lists the devices on which
configuration changes were installed, along with any errors or warnings that occurred during installation. If the
installation fails, the installation history indicates the stage at which it failed; the history also records
successful installations.

FortiManager also provides a Re-install Policy option. A re-installation is the same as an installation except
that there are no prompts; you can still preview the changes that will be installed on the managed device.
Re-install Policy creates a new revision history entry and applies the package to all selected installation targets.

The Re-install Policy option works only after the first policy installation. The option is greyed out or
unavailable if Policy Package Status on the Device Manager pane shows as Never Installed for the
managed device.

Good job! You now understand FortiManager import and install wizards.

Now, you will learn about ADOM revision and database versions.

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in understanding ADOM revisions and database versions, you will understand
their effect on policy and object configurations.

ADOM revisions allow you to save locally in FortiManager snapshots of the policy packages, objects, and
VPN console settings contained in an ADOM.

When you create multiple ADOM revisions, you can view differences between them, or revert to a specific
revision. As a word of caution, if you choose to revert to a specific ADOM revision, you will revert all the policy
packages and objects based on that revision.

FortiManager can delete ADOM revisions automatically based on specified parameters as shown on this
slide. Optionally, you can lock individual revisions to prevent them from being automatically deleted.

Warning: Keep in mind that ADOM revisions can significantly increase the size of the configuration backup.

Each ADOM is associated with a specific FortiOS version, based on the firmware version of the devices that
are managed in that ADOM. The selected version determines the CLI syntax that is used to configure the
devices. Select this version when you create a new ADOM.

It is recommended to update all the FortiGate devices in an ADOM to the latest FortiOS firmware version
before you upgrade the ADOM version.

When you move a device from one ADOM to another, policies and objects (used and unused) don’t move to
the new ADOM.

If you need to move a device from one ADOM to another, run the Import Configuration wizard to import the
policy package into the new ADOM.

What if you need to use unused objects from a previous ADOM in the new ADOM? You can copy objects from
one ADOM to another using the FortiManager CLI.

When FortiGate devices are upgraded, it is best to keep them in the same ADOM and use the ADOM
upgrade. Moving FortiGate devices to a new ADOM introduces additional work and certain complications.
Also, manager panes such as VPN Manager do not move, so the FortiManager administrator must reconfigure
all the VPN configuration for the managed device.

Good job! You now understand ADOM revision and database versions.

Now, you will learn about policy locking and workflow mode.

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in understanding the purpose and use of policy locking and workflow mode on
FortiManager, you will be able to understand how they impact your network.

Policy locking is available in the normal and per-ADOM workspace modes. It allows administrators to work on,
and lock, a single policy package instead of locking the whole ADOM. To use policy locking, workspace mode
must be enabled (workspace-mode set to normal, or to per-adom with the workspace enabled on that ADOM).
You can lock either the whole ADOM or a specific policy package. Policy locking is an extension of ADOM
locking that allows multiple administrators to work on separate policy packages in the same ADOM at the same
time.

In the normal and per-ADOM workspace modes, you can also lock specific devices to make changes to them.
Other administrators are unable to make changes to those devices until you unlock them, log out of
FortiManager, or are forcibly disconnected when another administrator locks the ADOM that the device is in.

Locking an ADOM automatically removes locks on devices and policy packages that you have locked within
that ADOM.

Keep in mind that you cannot lock individual devices if ADOMs are in Advanced mode.

In workspace mode, administrators can lock individual policies, except for policies that belong to a policy
block. If you want to modify a policy, you do not need to lock the entire policy package. After you lock a policy,
a padlock icon appears beside it. Other administrators can then neither modify that policy, nor lock the policy
package that contains it, nor lock the ADOM.

The policy lock is automatically released at administrator timeout, or if the administrator closes a session
gracefully without unlocking the policy package or policy.

Instead of workspaces, you can use workflow mode. As with the other workspace modes, enabling workflow
terminates all management sessions. You must notify other administrators to save their work to prevent any
data loss. You can enable workflow mode on the CLI or GUI.

You can use workflow mode to control the creation, configuration, and installation of several settings.
However, this feature is mostly used to control changes to firewall policies and objects.

Approval is required before changes can be installed on a device. All the modifications made in a workflow
mode session must be discarded or submitted for approval at the end of the session. Sessions that are
rejected can be repaired and resubmitted for approval as new sessions. All sessions must be approved in the
same order in which they were created to prevent any conflicts.

In workflow mode, panes related to FortiGate configuration are read-only at first. To create a new workflow
mode session, you must lock the ADOM first, similar to workspaces.

The graphic on this slide shows how to use workflow mode.

When Admin A locks the ADOM, a green lock icon appears. Admin A has read/write access and creates a
new session on the Policy & Objects pane in the ADOM. Admin A makes configuration changes to the
managed devices and submits the request for approval to Admin B. This approval submission automatically
unlocks the ADOM.

Admin B must have read/write permission for workflow approval. Admin B then locks the ADOM and has
read-write access. Admin B opens the session list and has the option to approve, reject, discard, or view
differences in the changes submitted by Admin A.

An administrator must be part of an approval group, and have rights over the ADOM in which the session was
created, in order to approve a session. Being part of the Super_Admin profile is not enough to approve a
session.

On the Workflow Approval pane, configure the workflow approval matrix using the following values:
• ADOM: Select the ADOM you want to apply workflow mode to.
• Approval Group #1: Add the administrators who will approve the changes in the ADOM.
• Send email notification to: Send administrators email notifications when another administrator makes
changes and submits the changes for approval.
• Mail server: Select the email server that FortiManager will use to send its notifications on the Mail Server
pane.

The administrator must lock the ADOM before they are allowed to create a new session. After the ADOM is
locked, the administrator has the option to create a new session and start making changes to the policy
package. Note that the administrator cannot make any changes to policy packages until they create a new
session.

After you edit firewall policies or objects, click Save to save your session, then submit your changes.
Alternatively, you can click Submit, which saves and submits the changes automatically. You can view a
session diff before submitting the session for approval.

After you submit your changes for approval or have discarded them, the ADOM automatically returns to the
unlocked state.

After the workflow request is submitted, administrators with the appropriate permissions can approve or reject
the pending request.

The approval administrator must lock the ADOM during the decision process. After the ADOM is locked, they
can open the session list. The session list shows the administrator who submitted the request and other
information, such as date of submission, total requests, and comments by the submitting administrator.

The approver administrator has several options available:

• Approve: The session is waiting to be reviewed and approved. If the session is approved, no further action
is required.
• Reject: If the session is rejected, the system sends a notification to the administrator who submitted the
session. The approver administrator has the option to repair the changes. A session that is rejected must
be fixed before the next session can be approved.
• Repair: When a session is rejected, it can be repaired to correct the problems with it.
• Discard: The approval administrator doesn’t agree with the changes and discards them. No further action
is required.
• Revert: A previously approved session can be reverted, which undoes any existing later sessions. This
creates a new session at the top of the session list that is automatically submitted for approval.
• View Diff: The approval administrator can view the differences between the original policy package and
changes made by the submitting administrator.

In the example shown on this slide, the administrator user student submitted the request for approval.
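
The approval rules spread across the last several slides (lock the ADOM before you create a session, submitting releases the lock, approvers must be in the ADOM's approval group regardless of profile, sessions are approved in creation order, and rejected sessions are repaired and resubmitted as new sessions) are easier to reason about as one piece of code. The Python class below is an added model of those rules, not FortiManager's implementation; the administrator names, the approval matrix, and the session state names are assumptions for the example. The permission check worth noticing is can_approve: it tests explicit group membership, so an administrator with the Super_Admin profile but no place in the matrix is refused.

```python
from dataclasses import dataclass
from itertools import count

# Constructed approval matrix: ADOM -> administrators allowed to approve (assumed names).
APPROVAL_GROUPS = {"ADOM2": {"approver-b"}}
# Constructed admin -> profile map; used only for the error message, never for authorization.
PROFILES = {"admin-a": "Super_Admin", "approver-b": "Standard_User", "approver-c": "Super_Admin"}


@dataclass
class Session:
    id: int
    adom: str
    submitted_by: str
    changes: dict
    state: str = "pending"     # pending | approved | rejected | discarded


class Workflow:
    """Minimal model of FortiManager workflow mode: lock, session, submit, approve in order."""

    def __init__(self):
        self._ids = count(1)
        self.sessions = []
        self.locked_by = {}      # adom -> admin currently holding the lock

    def lock(self, adom, admin):
        holder = self.locked_by.get(adom)
        if holder and holder != admin:
            raise PermissionError(f"{adom} is locked by {holder}")
        self.locked_by[adom] = admin

    def submit(self, adom, admin, changes):
        """Create a session with the given changes and submit it; this releases the lock."""
        if self.locked_by.get(adom) != admin:
            raise PermissionError("lock the ADOM before creating a session")
        s = Session(next(self._ids), adom, admin, changes)
        self.sessions.append(s)
        self.locked_by.pop(adom)
        return s

    def can_approve(self, adom, admin):
        # Membership in the ADOM's approval group is the only thing that counts.
        return admin in APPROVAL_GROUPS.get(adom, set())

    def approve(self, session_id, admin):
        s = self._get(session_id)
        if self.locked_by.get(s.adom) != admin:
            raise PermissionError("the approver must lock the ADOM first")
        if not self.can_approve(s.adom, admin):
            raise PermissionError(f"{admin} ({PROFILES.get(admin)}) is not in the approval group of {s.adom}")
        # Sessions are approved in creation order: an earlier pending or rejected session blocks this one.
        blockers = [o.id for o in self.sessions
                    if o.adom == s.adom and o.id < s.id and o.state in ("pending", "rejected")]
        if blockers:
            raise RuntimeError(f"session {s.id} is blocked by unresolved session(s) {blockers}")
        s.state = "approved"
        return s

    def reject(self, session_id, admin):
        s = self._get(session_id)
        if not self.can_approve(s.adom, admin):
            raise PermissionError(f"{admin} is not an approver for {s.adom}")
        s.state = "rejected"
        return s

    def repair(self, session_id, changes):
        """Fix a rejected session; the repaired changes are resubmitted as a new session."""
        s = self._get(session_id)
        if s.state != "rejected":
            raise RuntimeError("only rejected sessions can be repaired")
        s.state = "discarded"
        new = Session(next(self._ids), s.adom, s.submitted_by, changes)
        self.sessions.append(new)
        return new

    def _get(self, session_id):
        return next(s for s in self.sessions if s.id == session_id)


if __name__ == "__main__":
    wf = Workflow()
    wf.lock("ADOM2", "admin-a")
    s1 = wf.submit("ADOM2", "admin-a", {"policy 3": "add SSH to service"})
    print("ADOM2 locked after submit:", "ADOM2" in wf.locked_by)
    wf.lock("ADOM2", "approver-b")
    print("session", s1.id, wf.approve(s1.id, "approver-b").state)
```
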

When a FortiManager session is interrupted, for example when the management computer crashes or you
close the browser with a GUI session still open, that session remains open until the configured system timeout
expires or an administrator deletes it manually. While a session associated with a locked ADOM is interrupted,
other administrators cannot get read-write access to that ADOM until the interrupted session is deleted.

You can delete administrator sessions on the GUI or the CLI, as shown on this slide. After the session is
deleted, the ADOM is unlocked immediately.

Congratulations! You have completed this lesson.

Now, you will review the objectives that you covered in this lesson.

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned how to manage policies and objects on
FortiManager for FortiGate. You also learned how to configure policies and objects on FortiManager, and then
install them on FortiGate.

Global Database ADOM and Central Management

In this lesson, you will learn about the global administrative domain (ADOM), and central management.

In this lesson, you will learn about the topics shown on this slide.

After completing this section, you should be able to achieve the objectives shown on this slide.

Now, you will learn about the global database ADOM and its feature sets.

Global policies and objects allow administrators to push firewall policies to some or all ADOMs. You must
explicitly assign global policy packages to specific ADOMs on which administrators want to install similar
policies.

The illustration on this slide shows that different ADOMs can use separate global policies. When you create a
global policy package, you can choose ADOMs that you want to apply specific policies to. Furthermore, you
can even pick specific policy packages in individual ADOMs that you want to apply the global policies to.

You can create global policy packages based on the type of network environment that you are managing and
apply header or footer policies to meet the security requirements.

You can use header and footer policies to wrap policies in individual ADOMs. An example of where header
and footer policies would be used is in a carrier environment, in which the carrier would allow customer traffic
to pass through their network but would not allow the customer to have access to the carrier network assets.

The illustration on this slide shows how global policies and objects are assigned to ADOM policy packages.

Enter the Global Database ADOM to access the global policy database.

Header policies are the policies located at the top of the policy package in the individual ADOM.

Footer policies are the policies located at the bottom of the policy package in the individual ADOM.

In the example shown on this slide, a header policy blocks Telnet traffic from passing through the managed
firewalls.

The next step is to assign this policy to one policy package in an individual ADOM.

This slide shows the steps to assign a global policy package to an ADOM policy package.

In this example, the default global policy package is added to the ISFW policy package in ADOM2. After
installation, the status changes to Up to date.

Notice that there are several options available when assigning a global policy package, including:
• Assign used objects only
• Assign all objects
• Automatically install policies on ADOM devices

After you assign the global database ADOM objects, they appear on the Policy & Objects pane for that
ADOM. All global objects start with "g" and are edited or deleted in the global database ADOM only.

A word of caution. Never create address objects or security profiles starting with letter “g” on an ADOM
database or directly on the managed devices because this may create conflicts with global database ADOM
objects and cause configuration failure issues.

In the example shown on this slide, the header policy is added to the ISFW device. You can assign only one
global policy package to an individual ADOM policy package. Assigning an additional global policy package to
the same individual ADOM policy package removes previously assigned policies. Also, you cannot edit and
move the header and footer policies between the rules in an individual ADOM policy package.

You must install policy packages on the managed devices for the new rules to work. A header policy is
installed at the top of the list of the firewall rules on the target device.
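
As an added example (not code from the guide or from FortiManager), the following Python assembles the effective rule order for a target device from an assigned global package and an ADOM package, applies the Assign used objects only versus Assign all objects choice, shows that a second assignment replaces the first, and flags ADOM objects that sit in the global "g" namespace the slide warns about. The header policy that blocks Telnet mirrors the earlier slide; the footer policy, the object names, and the package names are constructed.

```python
from dataclasses import dataclass
from typing import Optional

GLOBAL_PREFIX = "g"   # per the slide, every global object name starts with "g"


@dataclass
class GlobalPackage:
    name: str
    header: list   # installed above every ADOM policy
    footer: list   # installed below every ADOM policy
    objects: dict  # global objects, edited or deleted only in the Global Database ADOM


@dataclass
class AdomPackage:
    name: str
    policies: list
    objects: dict
    assigned_global: Optional[GlobalPackage] = None


def referenced_names(policies):
    """Object names (addresses and services) used by a list of policies."""
    return {n for p in policies for k in ("srcaddr", "dstaddr", "service") for n in p.get(k, [])}


def assign_global_package(adom_pkg, global_pkg, used_objects_only=True):
    """Assign a global package to an ADOM package and return the global objects that come with it.

    Only one global package can be assigned to an ADOM package; assigning another replaces
    the previous assignment instead of adding to it.
    """
    adom_pkg.assigned_global = global_pkg
    if used_objects_only:
        wanted = referenced_names(global_pkg.header + global_pkg.footer)
    else:
        wanted = set(global_pkg.objects)
    return {n: global_pkg.objects[n] for n in sorted(wanted) if n in global_pkg.objects}


def name_conflicts(adom_pkg):
    """ADOM-level objects whose names start with the global prefix and may collide with g* objects."""
    return sorted(n for n in adom_pkg.objects if n.startswith(GLOBAL_PREFIX))


def effective_policy_order(adom_pkg):
    """Rule order as installed on a target device: header, then ADOM policies, then footer."""
    g = adom_pkg.assigned_global
    if g is None:
        return list(adom_pkg.policies)
    return list(g.header) + list(adom_pkg.policies) + list(g.footer)


# Constructed sample data. The Telnet header policy follows the slide; the rest is made up.
GLOBAL_DEFAULT = GlobalPackage(
    name="default",
    header=[{"name": "g-block-telnet", "srcaddr": ["g-all"], "dstaddr": ["g-all"],
             "service": ["g-TELNET"], "action": "deny"}],
    footer=[{"name": "g-log-deny", "srcaddr": ["g-all"], "dstaddr": ["g-all"],
             "service": ["g-ALL"], "action": "deny", "logtraffic": "all"}],
    objects={"g-all": {"subnet": "0.0.0.0/0"}, "g-TELNET": {"tcp": 23},
             "g-ALL": {"protocol": "any"}, "g-SSH": {"tcp": 22}},
)
ISFW = AdomPackage(
    name="ISFW",
    policies=[{"name": "lan-to-wan", "srcaddr": ["LAN"], "dstaddr": ["all"],
               "service": ["HTTPS"], "action": "accept"}],
    objects={"LAN": {"subnet": "10.0.1.0/24"}, "guest_wifi": {"subnet": "10.0.7.0/24"}},
)

if __name__ == "__main__":
    pulled = assign_global_package(ISFW, GLOBAL_DEFAULT, used_objects_only=True)
    print("global objects assigned:", sorted(pulled))
    print("rule order on device:", [p["name"] for p in effective_policy_order(ISFW)])
    print("ADOM objects to rename before install:", name_conflicts(ISFW))
```

With Assign used objects only, g-SSH stays in the Global Database because no header or footer policy references it; the ADOM object guest_wifi is reported because its name falls in the namespace the slide reserves for global objects.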

Good job! You now understand the global ADOM.

Now, you will learn about other manager panes and the Security Fabric features available on FortiManager.

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in understanding the Security Fabric and its feature sets, you will be able to
use the Security Fabric effectively in your network.

FortiManager allows you to manage your Fortinet devices centrally using several panes.

VPN Manager: On the VPN Manager pane, you can configure IPsec VPN settings that you can install on
multiple devices. The settings are stored as objects in the objects database. You push the IPsec VPN settings
to one or more devices by installing a policy package. Enabling VPN Manager for an ADOM overrides existing
VPN configurations for managed devices in that ADOM. Mixed-mode VPN allows you to configure VPNs
concurrently through VPN Manager and on the FortiGate device in Device Manager.

AP Manager: The AP Manager pane allows you to manage FortiAP devices that are controlled by FortiGate
devices that are managed by FortiManager. The administrator can use Wi-Fi templates to easily manage and
distribute AP profiles, SSIDs, and wireless intrusion detection system (WIDS) profiles. The administrator can
also monitor all wireless clients and check AP health.

FortiSwitch Manager: The FortiSwitch Manager pane allows you to centrally manage FortiSwitch templates
and VLANs, and monitor FortiSwitch devices that are connected to FortiGate devices. You can configure
multiple templates for specific FortiSwitch platforms and assign them to multiple devices.

Extender Manager: The Extender Manager pane allows you to manage connected FortiExtender devices.
You can use the Extender Manager to create custom templates, SIM profiles, and data plans for up to two
modems.

The Fabric View pane allows you to display the Security Rating reported by managed FortiGate devices.
When FortiManager is managing FortiGate units that are part of a Security Fabric, the option to view the
physical and logical topologies of the fabric becomes available.

From this pane you can also add several types of connectors that allow FortiManager to interact, and use
objects created in other products and platforms, both in the local network and cloud based. Refer to the
FortiManager Administrator Guide for the complete list of connectors available.

FortiManager supports the ability to orchestrate the deployment of FortiGate autoscaling groups (ASG) on
Amazon Web Services (AWS). This allows administrators to use FortiManager as a single pane to deploy all
resources required to implement FortiGate ASG in the public cloud.

The Security Rating feature includes checks that can help you make improvements to your organization’s
network, such as enforce password security, apply recommended login attempt thresholds, encourage two-
factor authentication, and so on. You can view Security Fabric ratings for all FortiGate devices managed by
FortiManager.

The Security Rating page includes the same three scorecards available on FortiGate:

• Security Posture
• Fabric Coverage
• Optimization

These scorecards provide an executive summary of the three largest areas of security focus in the Security
Fabric.

The scorecards show an overall letter grade and breakdown of the performance in subcategories. Clicking a
scorecard drills down to a detailed report of itemized results and compliance recommendations. The point
score represents the net score for all passed and failed items in that area. The report includes the security
controls that were tested against, linking to specific FSBP or PCI compliance policies. You can click the FSBP
and PCI buttons to reference the corresponding standard.

FortiManager recognizes Security Fabric groups of devices and lets you display their fabric topology. You can
click Fabric View > Physical Topology, or Fabric View > Logical Topology to view the full topology. This
view includes shortcuts to any existing security recommendations that redirect you to the Security Rating
pane.

You can also right-click any device in the fabric, and then select Fabric Topology to view its location
relative to other fabric members. This is illustrated on the slide for the ISFW device.

Congratulations! You have completed this lesson.

Now, you will review the objectives that you covered in this lesson.

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned about the global database ADOM, and the
Security Fabric.

Diagnostics and Troubleshooting

In this lesson, you will learn how to diagnose and troubleshoot issues related to FortiManager and managed
devices.

In this lesson, you will learn about the topics shown on this slide.

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in understanding various FortiManager deployment scenarios, keepalive
messages, and how to replace a managed FortiGate device, you will be able to deploy FortiGate devices in
various scenarios and manage FortiGate devices.

In the scenario shown on this slide, FortiManager is operating behind a NAT device. By default, only
FortiManager can discover a new device. If the FGFM tunnel is torn down, only FortiManager tries to
reestablish the FGFM tunnel. This is because, by default, the NATed FortiManager IP address is not
configured on FortiGate central management.

How can FortiGate announce itself to the NATed FortiManager, or try to re-establish the FGFM tunnel if it is
torn down?

You can configure the FortiManager NATed IP address on FortiGate under the central management
configuration. This allows FortiGate to announce itself to FortiManager and try to re-establish the FGFM
tunnel, if it is torn down. Configuring the FortiManager NATed IP address on FortiGate allows both
FortiManager and FortiGate to re-establish the FGFM tunnel. Also, if you configure the FortiManager NATed
IP address under the FortiManager system administrator settings, FortiManager sets this address on
FortiGate during the discovery process.

Additionally, if your FortiManager has an FQDN associated, you can also configure it so FortiGate devices
can use it to announce themselves and reconnect to FortiManager if needed.

In this scenario, FortiGate is operating behind a NAT device. FortiManager can discover FortiGate through the
FortiGate NATed IP address. FortiGate can also announce itself to FortiManager. What if the FGFM tunnel is
interrupted? If the FGFM tunnel is torn down, only FortiGate attempts to re-establish the connection.
FortiManager treats the NATed FortiGate as an unreachable device and doesn’t attempt to reestablish the
FGFM tunnel. However, you can force a one-time connection attempt from FortiManager by clicking the
Refresh Device icon for the managed device under Managed FortiGate in Device Manager.

What if both devices—FortiManager and FortiGate—are behind a NAT device? Then, the FortiGate device is
discovered by FortiManager through the FortiGate NATed IP address. Just like it was in the NATed
FortiManager scenario, the FortiManager NATed IP address in this scenario is not configured under the
FortiGate central management configuration. FortiManager does not attempt to reestablish the FortiGate to
FortiManager (FGFM) tunnel to the FortiGate NATed IP address, if the FGFM tunnel is interrupted. If the
FortiManager NATed IP address is configured on FortiGate under the central management configuration,
FortiGate tries to reestablish the FGFM tunnel, if it is torn down.

Keepalive messages are sent from FortiGate at configured intervals. If there are no responses to the
keepalive messages for the duration of the sock timeout value, the tunnel is torn down and both ends attempt
to reestablish it.

You can configure the timeout and interval by setting the following parameters:

• fgfm-sock-timeout: the maximum FortiManager or FortiGate communication socket idle time, in
seconds
• fgfm_keepalive_itvl: the interval at which the FortiGate sends a keepalive signal to a FortiManager
device to keep the FortiManager or FortiGate communication protocol active

Only the FortiGate devices send keepalive messages to FortiManager, regardless of which device established
the FGFM tunnel. FortiGate includes a configuration checksum in the keepalives to confirm synchronization
as a part of the keepalive message. The IPS version is also included in the messages.

When an installation is performed from FortiManager to FortiGate, FortiManager always tries to ensure
connectivity with the managed FortiGate device. If the connection fails, FortiManager tries to recover the
FGFM tunnel by unsetting the command that caused the tunnel to go down.

For each installation, FortiManager sends the following commands to the managed FortiGate device:
• Set commands, needed to apply the configuration changes
• Unset commands, to recover the configuration changes

When applying changes, FortiGate:
• Applies the set commands in memory only, writing nothing to a configuration file
• Tests the FGFM connection to FortiManager

If the connection fails to reestablish, FortiGate applies the unset command after 15 minutes (not configurable
and not based on sock timeout values). If the connection remains down, and rollback-allow-reboot is
enabled on FortiManager, FortiGate reboots to recover the previous configuration from its configuration file.

FortiManager saves the configuration revisions of a managed device. But what happens if you need to replace
the standalone managed device because of hardware failure or return merchandise authorization (RMA)?

You can replace the faulty standalone device by manually changing the serial number of the faulty device to
the serial number of the replacement device on FortiManager. Then, you redeploy the configuration. The
serial number is verified before each management connection, because the licenses are attached to the
FortiGate serial number. When replacing a FortiGate cluster member, FortiManager learns the new serial
number through the FGFM tunnel.

Note that the replacement FortiGate should not contact FortiManager before the
execute device replace sn <devname> <serial_number> command is run. If it does, you will have to
delete the unregistered device entry before rerunning the command.

To replace the faulty device with the new device, take the following steps:
1. Note the device name of the original FortiGate.
If the replacement device is already listed as unregistered, then you will need to delete it from the
unregistered device list in the root ADOM.
2. Add the serial number of the replacement FortiGate.
After the replace command is executed, FortiManager updates the serial number in its database.
3. Verify that the new device serial number is associated with the faulty device in FortiManager.
You can do this using the CLI or the System Information widget of FortiGate.
4. Send a request from the replacement device to register it with FortiManager.

If connectivity fails after you update the serial number, you might need to reclaim the management tunnel. The
device name is optional. If you run the command without the device name, FortiManager tries to reclaim
tunnels from all managed devices.

Optionally, you can change the device password that you used when you added the device by running the
execute device replace pw <device_name> <password> command.

Good job! You now understand deployment scenarios.

Now, you will learn how to use some diagnostic commands to troubleshoot issues with FortiManager
connectivity and performance.

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in using diagnostics and troubleshooting techniques, you will be able to
manage and maintain the integrity of FortiGate devices in your network.

This slide shows some CLI commands that you can use to troubleshoot FortiManager connectivity and
resource issues.

These commands are similar to the FortiGate commands that you can use to diagnose and troubleshoot
common issues. For example, to view the top running processes you can run execute top. You can use the
execute iotop command to identify system processes with high I/O usage (usually the disk activity). You
can view the crash log entries. If FortiManager is dropping packets or not receiving packets, you can run a
packet capture (sniffer) to help diagnose the reason. You can also test the device reachability and confirm the
status of the FGFM tunnel.

The get system performance command provides summarized information about system resource
usage. The output includes the following resource types:

• CPU: provides an overview of CPU usage information on the system. It shows what type of processes are
using what percentage of the CPU
• Memory: provides total memory available to the unit and how much memory is currently in use
• Hard Disk: provides hard disk usage information, including total disk space available and how much is
in use
• Flash Disk: provides flash disk usage information

Always check the Used row to see resource usage. If resource usage is high, you may experience
issues managing devices from FortiManager. For example, adding devices or installing changes may take a
long time.

The execute top command displays real-time system statistics that are very useful for system monitoring.
The statistics are displayed in rows, as follows:

Row 1: current time, uptime, user sessions, average system load (last minute, 5 minutes, and 15 minutes)
Row 2: total number of processes running, processes actively running, processes sleeping, stopped, in
zombie state
Row 3: CPU usage for user processes, system processes, priority processes, CPU idle, processes waiting for
I/O, hardware irq, software irq, and steal time
Row 4 and Row 5: physical and virtual memory usage, respectively
Row 6: details for each process, including the process ID, user, priority, nice value, virtual memory used,
percent of memory (RAM) used, percent of CPU used, total activity time, state of the process, and name of
the process

When you are troubleshooting issues with high CPU or memory usage, check the overall system resources.
Then check individual processes for high CPU or memory usage.

This is an interactive command, and you can change the format used in its output. For example, you can
change the sorting order, or change the number of tasks displayed. This command includes a help page you
can access by pressing h or Shift+?.
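
As an added example (not code from the study guide or from Fortinet), the following script applies the order the guide recommends, overall resources first and then individual processes, to a captured execute top screen; the capture, the process names in it, and the thresholds are constructed.

```python
"""Triage a captured `execute top` screen: check overall load, CPU and memory
first (rows 1, 3 and 4), then look for individual processes with high CPU or
memory use (row 6 onward).

Added example, not code from the study guide or from Fortinet. The capture is
constructed to follow the row layout the guide describes (procps-style top);
process names and thresholds are assumptions.
"""
import re

# Constructed sample capture (not real FortiManager output).
SAMPLE_TOP = """\
top - 10:42:17 up 12 days,  3:05,  2 users,  load average: 3.85, 2.90, 1.40
Tasks: 142 total,   3 running, 139 sleeping,   0 stopped,   0 zombie
%Cpu(s): 71.2 us, 12.4 sy,  0.0 ni, 14.1 id,  2.0 wa,  0.0 hi,  0.3 si,  0.0 st
KiB Mem : 16318448 total,  1022944 free, 12855216 used,  2440288 buff/cache
KiB Swap:  4194300 total,  4194300 free,        0 used.  2902108 avail Mem

  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
 1843 root      20   0 2419788 1102344  41208 R  68.4  6.8 312:44.10 fgfmsd
 2206 root      20   0 5312880 3955212  18804 S  12.1 24.2  88:10.33 postgres
 1120 root      20   0  412340   20044   9012 S   1.3  0.1   4:02.87 sshd
  975 root      20   0  209916   11208   6904 S   0.0  0.1   0:31.15 syslogd
"""

# Assumed thresholds: tune them for the FortiManager model you run.
OVERALL_CPU_BUSY_PCT = 80.0   # row 3: 100 minus idle
OVERALL_MEM_USED_PCT = 75.0   # row 4: used / total
PROC_CPU_PCT = 50.0           # per-process %CPU worth investigating
PROC_MEM_PCT = 20.0           # per-process %MEM worth investigating


def parse_summary(text):
    """Rows 1, 3 and 4: load averages, overall CPU busy % and memory used %."""
    load = re.search(r"load average:\s*([\d.]+),\s*([\d.]+),\s*([\d.]+)", text)
    idle = re.search(r"([\d.]+)\s*id\b", text)
    mem = re.search(r"Mem\s*:\s*(\d+)\s*total,\s*(\d+)\s*free,\s*(\d+)\s*used", text)
    if not (load and idle and mem):
        raise ValueError("unrecognized top header")
    total, _free, used = (int(x) for x in mem.groups())
    return {
        "load_1m": float(load.group(1)),
        "load_5m": float(load.group(2)),
        "load_15m": float(load.group(3)),
        "cpu_busy_pct": round(100.0 - float(idle.group(1)), 1),
        "mem_used_pct": round(100.0 * used / total, 1),
    }


def parse_processes(text):
    """Process rows as dicts keyed by the column headers, so column order does not matter."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.split()[:1] == ["PID"]:
            headers = line.split()
            break
    else:
        raise ValueError("process table header not found")
    procs = []
    for line in lines[i + 1:]:
        # COMMAND is the last column and may contain spaces, so cap the split.
        fields = line.split(None, len(headers) - 1)
        if len(fields) != len(headers):
            continue
        row = dict(zip(headers, fields))
        row["%CPU"] = float(row["%CPU"])
        row["%MEM"] = float(row["%MEM"])
        procs.append(row)
    return procs


def triage(text):
    """Return (summary, findings); findings is empty for a healthy capture."""
    summary = parse_summary(text)
    findings = []
    if summary["cpu_busy_pct"] >= OVERALL_CPU_BUSY_PCT:
        findings.append("overall CPU busy %.1f%%" % summary["cpu_busy_pct"])
    if summary["mem_used_pct"] >= OVERALL_MEM_USED_PCT:
        findings.append("overall memory used %.1f%%" % summary["mem_used_pct"])
    hogs = [p for p in parse_processes(text)
            if p["%CPU"] >= PROC_CPU_PCT or p["%MEM"] >= PROC_MEM_PCT]
    for p in sorted(hogs, key=lambda p: p["%CPU"], reverse=True):
        findings.append("%s (pid %s): %.1f%% CPU, %.1f%% MEM"
                        % (p["COMMAND"], p["PID"], p["%CPU"], p["%MEM"]))
    return summary, findings


if __name__ == "__main__":
    summary, findings = triage(SAMPLE_TOP)
    print("load averages: %(load_1m)s %(load_5m)s %(load_15m)s" % summary)
    for line in findings:
        print("-", line)
```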

You can use the execute iotop command to identify the specific processes that may be causing high disk
I/O read/writes.

By default, processes are sorted by the highest percentage under the IO> column, but you can change which
column is used to sort them. Press < to move the sorting column to the column on the left of the current one,
and press > to move the sorting column to the right of the current one. The current sorting column is indicated
by the > sign.

The diagnose system print df command displays the file system information on FortiManager. It
shows the file systems currently mounted, as well as their sizes, usage, available space, usage in percentage,
and mount point.

This command can be useful when troubleshooting issues related to disk space utilization.

Some of the common file systems used by FortiManager include:

• /dev/shm is used as shared memory.
• /tmp is the temporary file storage file system.
• /data is the pointer to the flash disk partition.
• /var is used for FortiManager database storage.
• /drive0 is used for FortiAnalyzer archives and the postgres database.
• /Storage is used for FortiAnalyzer log and report storage.

On FortiManager, processes lock and unlock the database. However, they should not remain stuck in the
locked state. There should be no locks on an idle system.

What if FortiManager is taking too long to complete a task? You can use the diagnose dvm proc list
command to identify any process or task that is stuck. A stuck task may prevent other subsequent tasks from
being processed. If a task is taking too long to process, it is listed here.

You can cancel or delete the pending (stuck) task from Task Monitor on the System Settings pane.
Sometimes, Task Monitor does not cancel or delete the stuck or pending tasks from the GUI. In that scenario,
you can run the following CLI commands to cancel or delete them:

• diagnose dvm task repair keeps existing data where possible while repairing the task database.
• diagnose dvm task reset completely removes the logs from the FortiManager task database. All
existing tasks and task history are erased.

Keep in mind that these CLI commands reboot FortiManager after fixing the task database.

You can use the debug commands shown on this slide to troubleshoot issues between FortiManager and
FortiGate. These issues could be related to actions such as adding, deleting, refreshing, auto-updating, and
installing.

Running a debug command shows the output from all other enabled debugs, if they are not disabled or reset.
As a general best practice, and before you run any debug commands, you should always check if any other
debugs are enabled. Always reset the debug level setting before enabling any new debugs.

The example on this slide shows a partial output of the diagnose debug application depmanager
255 command. This command allows you to obtain the real-time status of the FortiGate device being added.

Note that the output of this command is verbose and includes the output from all managed devices.

An ungraceful shutdown on FortiManager can cause corruption to the file system and the internal databases.
This applies to both hardware and virtual machines.

If FortiManager loses power, a message on the console connection advises you to repair the file system.
Information about this and other unexpected events is also found in the Alert Message Console widget and
Event Logs.

Remember, always back up FortiManager prior to repairing the file system.

It is also highly recommended that you connect FortiManager to an uninterruptible power supply (UPS) to
prevent an unexpected shut down.

To ensure database integrity on FortiManager, you should follow these best practices:

• Always gracefully shut down FortiManager. Using a hard shutdown can damage the internal databases.
• If multiple administrators are performing operations on FortiManager, enable ADOM locking to avoid
configuration conflicts.
• Always follow the correct upgrade path. If you don’t, it may cause inconsistencies in the database.
• Make sure all administrators are logged off, and perform database integrity checks before performing a
firmware upgrade.

If you cannot resolve a data integrity issue, you can perform a factory reset on FortiManager, and then restore
the configuration using a good backup.

If you are experiencing unusual behavior on FortiManager, check for issues with database integrity.

Database integrity commands correct any database errors that are found. It is recommended that you perform
a backup before executing database integrity commands. Additionally, it is recommended that all
administrators log out and, if workspace mode is enabled, that all ADOMs are unlocked before you run the
integrity check commands.

Having a backup is helpful when you don't want to keep changes that were made by the integrity commands,
and you need to restore the FortiManager configuration.

As a best practice, configure a scheduled backup of FortiManager. FortiManager automatically runs database
integrity commands prior to a scheduled backup and creates logs. If there are any issues with database
integrity, you must rerun the commands to fix the problem, because scheduled backups do not make the
necessary corrections.

This slide lists several commands that you can use to verify and maintain database integrity.

After executing a database integrity command that performs corrections to the database, you should re-run
the command to verify the proper implementation of those corrections.

In the example on this slide, FortiManager does not find any integrity errors in the device manager databases
or the My_ADOM ADOM database.

If any errors are found, the system displays a message recommending that you perform a backup
before applying any changes to the database.

Good job! You now understand how to diagnose and troubleshoot various issues with FortiManager.

Now, you will learn about troubleshooting device and ADOM databases.

After completing this section, you should be able to achieve the objective shown on this slide.

By demonstrating competence in understanding how to use CLI commands related to device-level and
ADOM-level databases, you will learn how to troubleshoot device-level and ADOM-level issues.

You can verify which templates are applied to which FortiGate device from the Provisioning Templates
pane, or from the individual device Configuration and Installation widget.

In the example on this slide, the default system template is applied to Local-FortiGate and Remote-FortiGate
for DNS settings.

You can use this command to view the CLI configuration of templates and which CLI commands will be
pushed to the managed FortiGate devices.

In the example on this slide, the default system template, indicated by the ID 3547, is configured with primary
and secondary DNS entries. Remember that the default system template is applied to Local-FortiGate and
Remote-FortiGate, as shown on the previous slide.

To find the parameters available for this command, press ? for help.

You can use the execute fmpolicy print-device-database command to export the entire device
configuration to a file, which you can then upload to an FTP, SFTP, or SCP server.

Optionally, you can display the output directly on a CLI session, but the information is extremely verbose, and
you will have to increase the buffer size of your terminal session considerably to make it fit.

The same information is available by clicking the View Full Config button in the Configuration and
Installation widget.

You can use the execute fmpolicy print-device-object command to display the configuration of
objects in managed devices.

This slide shows an example of the DNS settings for the Local-FortiGate device compared to the settings in
the system template applied to that device. In this case, the entries for the secondary DNS do not match. For
this reason, when you install the device-level configuration on Local-FortiGate, the installation skips the
primary DNS entry and installs only the secondary DNS entry.

To find the parameters available for the fmpolicy print-device-object command, press ? for help.

You can also view the policies and objects at the ADOM level, using the commands shown on this slide.

This slide shows an example of how you can use the CLI to compare the configuration in the device database
with the configuration in the ADOM database.

On the left side, at the device level, the firewall policy named For_Local-FortiGate includes FTP in the list of
services allowed.

On the right side, the ADOM database does not include FTP in the list of services allowed in this policy. This
discrepancy indicates that the most recent version of the policy needs to be installed on Local-FortiGate.

Alternatively, for the example on this slide, you can obtain the same information in the GUI by right-clicking the
Local-FortiGate device, and then selecting the Policy Package Diff option. The differences between both
versions of the policy can be examined in the Policy Package Diff window, as shown in the image.

Good job! You now understand how to diagnose and troubleshoot device and ADOM database issues on
FortiManager.

Now, you will learn how to troubleshoot import and installation issues.

After completing this section, you should be able to achieve the objective shown on this slide.

By demonstrating competence in understanding import and installation issues, you will be able to troubleshoot
them if they occur in your network.

In this example, the configuration is correctly retrieved and saved in the revision history; however, the problem
occurs when updating the device database. Usually, issues like this are caused by inconsistent or corrupt
FortiGate configurations.

You can troubleshoot reload failures to see at which stage the configuration is failing to load into the device-
level database.

When you execute the reload failure command, FortiManager connects to FortiGate and downloads its
configuration file. Then, FortiManager performs a reload operation on the device database.

There are two possible outcomes:

• If there are no errors in the FortiGate configuration, the reload is successful, and the device-level database
is updated with the FortiGate configuration. However, note that a new revision history entry is not created.
• If there are errors in the FortiGate configuration, the output of the reload command indicates the point in
the configuration at which the device-level database failed to update.

You can also check the event logs to see if they contain details about the cause of the failure.

When you add a FortiGate device using the Add Device wizard, or import policies using the Import
Configuration wizard, always make sure that the policies and objects are successfully imported.

In the example on this slide, the FortiManager ADOM database has a firewall address object named Test_PC
that is associated with the interface any. However, Remote-FortiGate also has a firewall address object
named Test_PC, but that is associated with the interface port6. This firewall address object is referenced in a
firewall policy on the Remote-FortiGate.

When a policy package was added or imported to Remote-FortiGate, the operation failed to import the firewall
address object Test_PC, as well as the associated firewall policy. The partial output of the import report
shown in the image provides the reason for the failed import.

FortiManager can create a dynamic mapping for an address object if the address object name is the same but
contains a different value locally. However, there is one restriction—the associated interface cannot be
different. This is because, at the ADOM level, this address object might be used by other policy packages,
which might not have the same interfaces.

Examining the event logs in FortiManager can also provide details about the objects that caused the import
failure issue.

After you make configuration changes from FortiManager to the partially imported policy package and attempt
to install it using the installation wizard for Policy & Objects, FortiManager deletes the failed objects and
policies. This is because the policy package is not aware of the missing or failed policies and objects.

There are two ways to fix the problem:

• You can remove the interface binding to make it the same as the FortiManager ADOM object.
• If there is a need to keep the interface binding for FortiGate that is having issues with a partial policy
import, you can rename the address object to a unique name that is not part of the ADOM database.

To use either of these methods, you can run a script from FortiManager using the Remote FortiGate Directly
(via CLI) option, or you can locally log in to FortiGate to make the configuration change.

Note that FortiManager allows you to choose the object either from FortiManager or FortiGate if both have the
same object name without Per-device Mapping.
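
The import rule from the previous slide and the two fixes above, modelled as an added example (not code from the study guide or from Fortinet). Test_PC, port6 and the interface any come from the guide; the subnets, the policy name Allow_Test_PC and the new object name Test_PC_port6 are constructed.

```python
"""Model the import-time rule the guide describes for firewall address objects:
an object whose name already exists in the ADOM with a different value gets a
per-device (dynamic) mapping, but if its associated interface differs the
object fails to import, and every policy that references it fails as well.

Added example, not Fortinet code. Object and interface names follow the guide's
Test_PC scenario; subnets, the policy name and the new object name are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Address:
    name: str
    subnet: str
    interface: str = "any"   # associated interface; "any" means not bound


@dataclass(frozen=True)
class Policy:
    name: str
    srcaddr: tuple           # names of address objects referenced by the policy


def plan_import(adom_objects, device_objects, device_policies):
    """Return (action per device object, names of policies that would fail to import)."""
    adom = {a.name: a for a in adom_objects}
    actions = {}
    for obj in device_objects:
        existing = adom.get(obj.name)
        if existing is None:
            actions[obj.name] = "create"            # new ADOM object
        elif existing == obj:
            actions[obj.name] = "reuse"             # identical, nothing to do
        elif existing.interface != obj.interface:
            # The one restriction: same name but a different associated interface.
            actions[obj.name] = "fail: associated interface %s differs from ADOM %s" % (
                obj.interface, existing.interface)
        else:
            actions[obj.name] = "dynamic mapping"   # same name, different value
    failed_policies = [p.name for p in device_policies
                       if any(actions.get(a, "").startswith("fail") for a in p.srcaddr)]
    return actions, failed_policies


def fix_remove_binding(objects, name):
    """Fix 1 from the guide: drop the interface binding so the object matches the ADOM one."""
    return [Address(o.name, o.subnet, "any") if o.name == name else o for o in objects]


def fix_rename(objects, policies, adom_objects, name, new_name):
    """Fix 2 from the guide: rename the device object to a name the ADOM does not use."""
    if new_name in {a.name for a in adom_objects}:
        raise ValueError("%s already exists in the ADOM database" % new_name)
    objs = [Address(new_name, o.subnet, o.interface) if o.name == name else o
            for o in objects]
    pols = [Policy(p.name, tuple(new_name if a == name else a for a in p.srcaddr))
            for p in policies]
    return objs, pols


# Constructed scenario: the ADOM object is unbound, the device copy is bound to port6.
ADOM_OBJECTS = [Address("Test_PC", "10.0.1.10/32", "any")]
DEVICE_OBJECTS = [Address("Test_PC", "192.168.6.10/32", "port6")]
DEVICE_POLICIES = [Policy("Allow_Test_PC", ("Test_PC",))]


def run_scenarios():
    """Outcome of the initial import and of each fix, keyed by scenario name."""
    initial = plan_import(ADOM_OBJECTS, DEVICE_OBJECTS, DEVICE_POLICIES)
    unbound = plan_import(ADOM_OBJECTS, fix_remove_binding(DEVICE_OBJECTS, "Test_PC"),
                          DEVICE_POLICIES)
    objs, pols = fix_rename(DEVICE_OBJECTS, DEVICE_POLICIES, ADOM_OBJECTS,
                            "Test_PC", "Test_PC_port6")
    renamed = plan_import(ADOM_OBJECTS, objs, pols)
    return {"initial": initial, "remove_binding": unbound, "rename": renamed}


if __name__ == "__main__":
    for label, (actions, failed) in run_scenarios().items():
        print(label, actions, "failed policies:", failed)
```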

When you perform a policy package installation, the copy operation is the first operation that FortiManager
performs, before the actual installation. It is the operation in which FortiManager tries to copy the
ADOM-level objects and policies to the device database. It is the opposite of the import operation.

Copy failure issues are usually caused by having incorrect or missing object dependencies, or invalid
parameters being used when copying from the ADOM database to the device database. The incorrect or
missing object dependencies can be caused by corruption or inconsistencies in the FortiManager database.
Invalid parameters are usually caused by human error.

The View Progress Report section helps you to identify the failing issue.

When a copy failure happens, the device database is restored to its original state, prior to the copy attempt.

Always check View Install Log to see which CLI commands were not executed or accepted by FortiGate.

The following are among the most common reasons for installation failures:

• An ADOM and FortiGate version mismatch, which creates an object using incorrect CLI syntax
• An ADOM upgrade, which modifies existing objects incorrectly, because of database corruption
• Not following the correct order of operation on FortiManager, for example, pushing an SD-WAN policy
without enabling SD-WAN on FortiManager

The example on the slide shows the installation log for the failed installation.

In this case, a new firewall policy named sd-wan was not added (failed) because of an unavailable
virtual-wan-link interface on FortiGate.

In this scenario, the administrator did not follow the correct steps to enable the SD-WAN interface before
pushing the SD-WAN policy, and FortiGate rejected the addition of the SD-WAN firewall policy.

The verification report shows the differences between the configuration that was expected to be installed and
what was installed on the FortiGate device.

Because the virtual-wan-link is not available, a firewall policy was not created on the FortiGate device.

To fix installation failure issues, start by verifying that the FortiGate version is the same as, or supported by,
the ADOM version.

If the FortiGate version is not supported by the ADOM version, or if FortiManager doesn’t support some
FortiGate CLI features, then:

1. Move the FortiGate device to the supported ADOM or use a script to resolve the issue.
2. Perform the installation again in the new ADOM.

If the FortiGate version is supported by the ADOM version, then:

1. Retrieve the FortiGate configuration so that FortiManager updates the device database with the correct
syntax.
2. Make a small device-level change and install it to ensure that there is not a device-database issue.
• If the installation is unsuccessful, check and fix the device-level settings.
• If the installation is successful, check and, if needed, recreate the object or policy.
3. Perform the installation again.

If none of the previous steps fixed the installation failure issues, you can:

1. Create a new ADOM with a version that matches that of the firmware on FortiGate.
2. Move the FortiGate device to the new ADOM.
3. Retrieve the FortiGate configuration and import policy packages.
4. Recreate the object or policy from the FortiManager GUI (if supported), or using a script.
5. Perform the installation again.

Congratulations! You have completed this lesson.

Now, you will review the objectives that you covered in this lesson.

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned how to diagnose and troubleshoot issues
related to FortiManager and managed devices.

Additional Configuration


In this lesson, you will learn how to set up a FortiManager high availability (HA) cluster, and how to use
FortiManager as a local FortiGuard server for your devices.


In this lesson, you will learn about the topics shown on this slide.


After completing this section, you should be able to achieve the objective shown on this slide.

By demonstrating competence in FortiManager HA cluster fundamentals, you will be able to explain how this
FortiManager solution enhances reliability in your network.


A FortiManager HA cluster consists of up to five FortiManager devices of the same FortiManager model and
firmware. One of the devices in the cluster operates as the primary device and the other devices—up to four—
operate as secondary devices.

The HA heartbeat packets use TCP port 5199. FortiManager HA supports geographic redundancy so the
primary unit and secondary units can be in different locations attached to different networks as long as
communication is possible between them (for example, on the internet, on a WAN, or in a private network).

When performing a firmware upgrade on the cluster, always schedule a maintenance window because
upgrading the firmware on the primary FortiManager also upgrades the firmware on all the secondary devices,
and reboots all the devices in the cluster. Administrators may not be able to connect to the GUI until the
upgrade synchronization process is completed. During the upgrade, SSH or telnet connections to the CLI may
also be slow. You can still use the console to connect to the CLI of the primary device.


All changes to the FortiManager database are saved on the primary FortiManager. These changes are then
synchronized with the secondary FortiManager devices. The configuration and device and policy databases of
the primary device are also synchronized with the secondary devices.

There are a few configuration settings, FortiGuard databases, and logs that are not synchronized between the
primary and secondary devices. The FortiGuard databases and packages are downloaded separately, and
each device can provide FortiGuard services to managed devices.

The cluster functions as an active-passive cluster; however, you can configure the cluster members to act as
independent active local FortiGuard servers.


There are two HA failover modes:

1. Manual
2. VRRP (Automatic)

In manual mode, when the primary unit fails, you must manually configure one of the secondary units to
become the primary unit. The new primary unit will keep its IP address. The FortiManager IP address
registered on FortiGate will be automatically changed when the new primary unit is selected.

You don’t need to reboot devices that you promote from secondary to primary.

You can select VRRP to configure automatic failover. When the monitored interface for the
primary FortiManager is unreachable or down, HA automatic failover occurs, and the
secondary FortiManager with the highest priority automatically becomes the primary. This mode requires the
configuration of a virtual IP (VIP) for the cluster, a VRRP interface, priorities for each member, and a
monitored IP.
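As an added illustration, not taken from the study guide, the following FortiManager CLI fragments show one way the cluster and the two failover modes described above could be configured. The cluster ID, password placeholder, IP addresses and serial numbers are constructed placeholders, and the command and attribute names are given as I recall them from the FortiManager 7.x CLI reference, so verify them against the reference for your firmware version. Lines starting with `#` are annotations, not CLI input.

```text
# Primary unit, manual failover mode. Heartbeats between members use TCP port 5199,
# so that port must be reachable between the sites when the cluster is geographically split.
config system ha
    set mode primary
    set clusterid 1
    set password <cluster-password>       # must be identical on every member
    set hb-interval 5                     # seconds between heartbeats (constructed value)
    set hb-lost-threshold 3               # missed heartbeats before a peer is considered down
    config peer
        edit 1
            set ip 192.0.2.12             # secondary unit (constructed address)
            set serial-number FMG-SECONDARY-SN-PLACEHOLDER
            set status enable
        next
    end
end

# Each secondary unit points back at the primary with the same cluster ID and password.
config system ha
    set mode secondary
    set clusterid 1
    set password <cluster-password>
    config peer
        edit 1
            set ip 192.0.2.11             # primary unit (constructed address)
            set serial-number FMG-PRIMARY-SN-PLACEHOLDER
            set status enable
        next
    end
end

# VRRP (automatic) failover: the same settings are added on every member.
# The member with the highest priority whose monitored IP is still reachable becomes primary.
config system ha
    set failover-mode vrrp
    set vip 192.0.2.10                    # cluster VIP that managed devices use (constructed)
    set vrrp-interface port1
    set priority 100                      # use a lower value on the secondaries
    config monitored-ips
        edit 1
            set interface port1
            set ip 192.0.2.1              # address probed from the VRRP interface; unreachable means failover
        next
    end
end
```

In manual mode, failover is the administrator running the equivalent of `set mode primary` on the chosen secondary; no reboot is needed, and the primary then pushes the updated member serial numbers to the managed FortiGate devices, as the next slide describes.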


The managed FortiGate devices are updated by the primary FortiManager with the serial numbers of all
cluster members. Similarly, if you remove a secondary member from the HA configuration, the primary
FortiManager removes the secondary serial number from the central management configuration of FortiGate,
and updates the managed FortiGate devices immediately.


Good job! You now understand how to implement, configure, and troubleshoot an HA cluster.

Now, you will learn about FortiGuard services.


After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in using FortiGuard services on FortiManager, you will be able to use your
FortiManager effectively as a local FDS.


A FortiManager device that is acting as a local FortiGuard server synchronizes the FortiGuard updates and
packages with the public FortiGuard Distribution Network (FDN), and then provides the updates to the
supported devices in your network. The local FortiGuard server reduces the load on the internet connection
and provides a faster connection, which minimizes the time required to apply updates, such as IPS
signatures, to many devices.


FortiManager can function as a local FortiGuard cache unless it is configured for closed-network operation. It
continuously connects to the public FortiGuard servers to obtain managed device license information and to
check for available firmware updates.

In a FortiManager cluster, the FortiGuard information is not synchronized, and each cluster member
individually downloads and is able to provide these services independently.

FortiManager supports requests from registered (managed) and unregistered (unmanaged) devices.

Using FortiGuard services on FortiManager can be resource intensive, so you may need to consider using a
dedicated FortiManager for this task.


FortiGuard services represent the antivirus, IPS, web-filtering, and antispam update services that Fortinet
provides to its clients.

Historically, the antivirus and IPS services have been referred to as the FortiGuard Distribution Servers
(FDS), and the web filter and email filter services as the FortiGuard service.

Currently, the term FortiGuard covers all services; however, specific FortiManager GUI or CLI configuration
sections continue to refer to them using the terminology shown on this slide.


To enable the built-in FortiGuard service, you must enable the service access setting on the FortiManager
interface and enable the FortiGuard services.

You must configure the Service Access settings on FortiManager per interface. This is useful when different
FortiGate devices are communicating with FortiManager on different interfaces. FortiGate devices use
FortiGuard services to query and obtain updates from FortiManager. The FortiGate Updates service is for
antivirus, IPS, and license validation. The Web Filtering service is for web filter and antispam.


The second configuration step is to enable services on FortiManager. By default, communication to the public
FDN is enabled, which allows FortiManager to continuously connect to FDN servers to obtain managed
device information and sync packages. However, you must enable services, such as antivirus and IPS, web
filter, and email filter so that FortiManager can download updates for these services from the public servers.

You can select Servers Located in the US Only to limit communication to FortiGuard servers located in the
USA. Select Global Servers to communicate with servers anywhere.

When you use FortiManager in a closed network, disable communication with FortiGuard. When
communication is disabled, you must upload antivirus, IPS, license packages, web filter, and email filter
databases manually because they are no longer automatically retrieved from the public FortiGuard servers.

During first-time setup, FortiManager is still receiving updates from the public FDN and you should disable
service access at the interface level. This is because FortiManager is still downloading updates and may not
be able to provide accurate ratings or updates to FortiGate. You can enable service access after
FortiManager has downloaded the packages and databases.


The antivirus and IPS services are enabled together and use TCP port 443 to obtain the updates from the
public FortiGuard servers. You can enable updates for the supported products by enabling the firmware
version that you want to download the updates for.

By default, FortiManager first attempts to connect to the public FDS server fds1.fortinet.com through
TCP port 443 to download the list of secondary FDS servers that it will download AV/IPS packages from.


Keeping the built-in FDS up-to-date is important to provide current FDS update packages. By enabling
Schedule Regular Updates, you are guaranteed to have a relatively recent version of signature and package
updates.

A FortiManager system acting as an FDS synchronizes its local copies of FortiGuard update packages with
the FDN when:

• FortiManager is scheduled to poll or update its local copies of update packages
• Push updates are enabled (it receives an update notification from the FDN)

If the network is interrupted when FortiManager is downloading a large file, FortiManager downloads all files
again when the network resumes. You can configure scheduled updates on an hourly, daily, or weekly
schedule.

By default, FortiManager schedules updates every ten minutes because antivirus updates occur frequently.


What if there are important IPS updates available on the public FortiGuard? How can you ensure that
FortiManager always receives new updates?

If you enable Allow Push Update, the FDN can push update notifications to the FortiManager built-in FDS, as
soon as new signature updates are released publicly by FortiGuard. FortiManager then downloads the
updates immediately.

Usually, when you enable push updates, FortiManager sends its IP address to the FDN. FDN uses this IP
address as the destination for push messages.

What if FortiManager is behind a NAT device?

If FortiManager is behind a NAT device, sending its own IP address for push updates causes push updates to
fail, because that private address is not routable from the FDN. You must configure the following:
• On FortiManager, configure the NAT device IP address and port used for push updates. By default, the
port for push updates is UDP 9443, but you can configure a different port number.
• On the NAT device, configure the virtual IP and port that forwards to FortiManager. FortiManager may not
receive push updates if the external IP address of the NAT device changes.

The built-in FDS may not receive push updates if the external IP address of any intermediary NAT device is
dynamic (such as an IP address from PPPoE or DHCP). When the external IP address of the NAT device
changes, the FortiManager push IP address configuration becomes out of date.
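The following FortiManager CLI fragment is an added example, not part of the study guide. It shows the CLI equivalent of the GUI steps described in this section: service access per interface, communication with the public FDN, enabling the services, the polling schedule, and the push-override settings used when FortiManager sits behind a NAT device. The interface name, addresses and schedule values are constructed, and the command and attribute names are given as I recall them from the FortiManager CLI reference, so verify them against the reference for your firmware version. Lines starting with `#` are annotations, not CLI input.

```text
# 1. Service access on the interface that FortiGate devices use to reach FortiManager.
#    Leave this disabled during first-time setup until the packages and databases have downloaded,
#    otherwise FortiGate may receive incomplete ratings or updates.
config system interface
    edit "port2"
        set serviceaccess fgtupdates webfilter-antispam
    next
end

# 2. Communication with the public FDN. In a closed network set this to disable and upload
#    the AV/IPS, license, web filter and email filter packages manually.
config fmupdate publicnetwork
    set status enable
end

# 3. Services to download. Antivirus and IPS are enabled together; web filter and email filter
#    are enabled individually.
config fmupdate service
    set avips enable
    set query-webfilter enable
    set query-antispam enable
end

# 4. Scheduled polling of the FDN (hourly, daily or weekly are also possible);
#    "every" with a time of 00:10 corresponds to the default ten-minute interval.
config fmupdate av-ips update-schedule
    set status enable
    set frequency every
    set time 00:10
end

# 5. Push updates when FortiManager is behind a NAT device: advertise the NAT device's external
#    address and the forwarded port (UDP 9443 by default) instead of the private address.
config fmupdate fds-setting
    config push-override
        set status enable
        set ip 203.0.113.5                # constructed external address of the NAT device
        set port 9443
    end
end
```

On the NAT device itself, a virtual IP that forwards 203.0.113.5 UDP 9443 to the FortiManager interface completes the path; if that external address is assigned dynamically (PPPoE or DHCP), the push-override address goes stale when it changes, which is the failure mode described above.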


The Receive Status displays the package received, latest version, size, to be deployed version, and update
history for the antivirus and IPS signature packages received from FortiGuard.

The Update History shows the update times, the events that occurred, the status of the updates, and the
versions downloaded.

You can also change the version you want to deploy.


There are five main statuses for FortiGate devices configured to receive updates from the FortiManager:

• Up to Date: The latest package has been received by the FortiGate device.
• Never Updated: The device never requested or received the package.
• Pending: The FortiGate device has an older version of the package because of an acceptable reason
(such as the scheduled update time is pending).
• Problem: The FortiGate device missed the scheduled query, or did not correctly receive the latest
package.
• Unknown: The FortiGate device status is not currently known.

You can also push pending updates to the devices, either individually or all at the same time.


You must enable the web filter and email filter services individually. By default, FortiManager first attempts to
connect to the public FortiGuard server over TCP port 443 to download the list of secondary FortiGuard
servers, from which it then downloads the web filter and antispam packages. By default, FortiManager is
scheduled to check for updates every ten minutes.


When you enable web and anti-spam services for the first time, it may take several hours to download and
merge the databases. During this time, you will notice higher I/O wait times and a spike in CPU usage related
to web and email processes on FortiManager.


The web and antispam databases received from FortiGuard are listed under Receive Status. The date and
time updates are received from the server, the update version, the size of the update, and the update history
are also shown. You can click Update History to see more information about individual packages
downloaded.

The Query Status shows the number of queries made from all managed devices to the FortiManager device
that is acting as a local FDS.


The server override setting allows FortiManager to fall back to the other FDN servers if FortiManager is not
able to communicate with one of the configured servers in the override server address list. By default, Server
Override Mode is set to Loose, which is the recommended mode.

You can change the Server Override Mode to Strict, which prevents the fallback from occurring. This setting
allows FortiManager to communicate only with the servers configured in the override server address list.


You can configure the override server addresses for antivirus, IPS, web filter, and email filter for FortiGate,
FortiMail, and FortiClient.

An example of a good situation in which to configure an override server address is if you have a dedicated
upstream FortiManager that you use to download antivirus and IPS updates. In this case, you can configure
your downstream FortiManager to get the updates from the dedicated upstream FortiManager by configuring
the IP address and port used by the upstream FortiManager.


FortiManager tries to obtain updates from the servers configured in the Use Override Server Address for
FortiGate/FortiMail section. Depending on the Server Override Mode configuration, you can restrict
FortiManager to receiving updates from the configured override servers list, or allowing fallback to other public
FDS servers if FortiManager is not able to communicate and receive updates from the configured server list.

In the example shown on this slide, one override server address is configured. The image illustrates how,
when Server Override Mode is set to Strict, FortiManager gets updates only from the server in the list. There
is no fallback to other public servers, even if this configured server is not available.

However, if you set Server Override Mode to Loose, FortiManager first tries to get updates from the
configured server list and, if that server becomes unavailable, falls back to other public FDS servers to get
updates.
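As an added example that is not part of the study guide, the following FortiManager CLI fragment configures the upstream scenario described on the previous slides: a downstream FortiManager that takes antivirus and IPS updates from a dedicated upstream FortiManager, with the override mode deciding whether fallback to the public FDS servers is allowed. The upstream address is constructed, the port is an assumption to verify for your deployment, and the command and attribute names are given as I recall them from the FortiManager CLI reference, so verify them against the reference for your firmware version. Lines starting with `#` are annotations, not CLI input.

```text
# Override server list: the dedicated upstream FortiManager is tried first.
config fmupdate fds-setting
    config server-override
        set status enable
        config servlist
            edit 1
                set ip 198.51.100.20      # upstream FortiManager (constructed address)
                set port 8890             # port the upstream listens on for FDS update requests (assumed; verify)
            next
        end
    end
end

# loose (default): try the list first, then fall back to the public FDS servers if it is unreachable.
# strict: only the listed servers are used; there is no fallback even when they are unavailable.
config fmupdate server-override-status
    set mode loose
end
```

Strict mode is the setting to choose when the downstream FortiManager must never contact the public FDN directly, but it also means a single unreachable upstream stops updates entirely, so pair it with the Receive Status checks described later in this lesson.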


FortiManager includes a licensing overview page that allows you to view license information for all managed
FortiGate devices. You can quickly verify if the FortiGate license has expired or not.


FortiManager can download images from the FDN, or you can upload firmware images from your
management computer that you can then use to change the device firmware using your FortiManager device.

You can view the available firmware based on the supported product type, and filter for all devices or only
managed devices.


You can upgrade the FortiGate firmware in the following ways:

• For each device, using the System Information widget
• For multiple devices, on the Firmware tab in the ADOM. You can upgrade the firmware version of all the
FortiGate devices, selected FortiGate devices, or FortiGate devices in a group.

FortiManager allows you to upgrade the firmware now or schedule the upgrade for later using the Firmware
Templates option.


You can also configure unmanaged FortiGate devices to use FortiManager as a local FDS. For this, you must
configure the server-list in the central-management settings of FortiGate, which include:

• The IP address of FortiManager used as the local FDS for FortiGate devices
• The server type, which can be one or both of the following:

• update — used for antivirus, IPS updates, and FortiGate license verification
• rating — used for web filter or anti-spam rating

By default, the include-default-servers option is enabled, which allows a FortiGate device to
communicate with the public FortiGuard servers if a private server (configured in the server-list) is
unavailable. You can enable or disable the inclusion of public FortiGuard servers in the override server list.


By default, when FortiGate is managed by FortiManager, it uses public FortiGuard servers. This is because
not every organization uses FortiManager for local FDS.

You can configure FortiGate to use FortiManager as a local FDS using one of the following procedures:

• Configure FortiGuard settings in a system template that you can assign to and install on managed devices.
The decision to override the default FDS server and use FortiManager is a device-level setting. Remember
to enable service access settings on the FortiManager interface.
• Configure and install a script that includes the central management settings, including the use of the
default servers, as shown on this slide.
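The FortiGate CLI fragment below is an added example, not the study guide's own slide content, covering both the unmanaged case on the previous slide and the managed case above. It sets the central-management server-list with both server types and keeps the default public servers as a fallback. The FortiManager address is constructed; the `config system central-management` keywords (`type`, `fmg`, `include-default-servers`, `server-list`, `server-type`, `server-address`) are standard FortiOS CLI. Lines starting with `#` are annotations, not CLI input.

```text
# Unmanaged FortiGate: use FortiManager only as a local FDS.
config system central-management
    set type none
    set include-default-servers enable      # fall back to public FortiGuard if the private server is unavailable
    config server-list
        edit 1
            set server-type update rating   # update: AV/IPS packages and license verification; rating: web filter and antispam
            set addr-type ipv4
            set server-address 192.0.2.10   # FortiManager interface with service access enabled (constructed)
        next
    end
end

# Managed FortiGate: the same server-list, installed from FortiManager as a CLI script
# (or via the FortiGuard settings of a system template). Only the type and fmg lines differ.
config system central-management
    set type fortimanager
    set fmg "192.0.2.10"
    set include-default-servers enable
    config server-list
        edit 1
            set server-type update rating
            set addr-type ipv4
            set server-address 192.0.2.10
        next
    end
end
```

Setting `include-default-servers disable` instead pins the FortiGate to the local FDS only, which is appropriate for a closed network but means the device stops receiving updates whenever FortiManager's service access is disabled, for example during a first-time package download.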


The first step you should perform when troubleshooting FortiGuard issues is to verify the configuration on
FortiManager. You should confirm that:

• You can resolve the public FDN servers by domain name. For example, check if you are able to ping
fds1.fortinet.com.
• Communication to the public network and services is enabled on FortiManager.
• The services are enabled on FortiManager.


After you verify the configuration, check if FortiManager is communicating with the upstream FortiGuard
server(s).

If FortiManager is unable to connect to the public FDN servers, only the primary FDN servers appear in the
server list. This can be caused by FortiManager being unreachable, or by disabled services on FortiManager.

After FortiManager connects to the public FDN servers, it downloads the list of secondary FDN servers from
which it downloads the updates and packages.


You can also check the status of the connection to the public FDN. If FortiManager is not able to connect to
the public FDN, or the service is disabled, the UpullStat for the current status is empty, and there is no
information about the date, time, download size, and package.

After FortiManager is able to communicate with the public FDN, FortiManager displays the download size,
package, and IP address of the FDN server that FortiManager is communicating with to download the
updates.

The UpullStat has four main statuses:

• Connected: The FortiManager connection to FDN initially succeeds, but a synchronization connection has
not yet occurred.
• Syncing: The built-in FDS is enabled, and FortiManager is downloading and syncing packages available
on the FDN.
• Synced: The built-in FDS is enabled and the FDN packages download successfully.
• Out-of-sync: The initial FDN connection succeeds, but the built-in FDS is disabled.


FortiGate devices must have valid and active service contracts to receive updates from FortiManager.

You can check the contract information of all FortiGate devices on the FortiManager CLI. An expired or trial
FortiGate license shows as 99, which means FortiGate is unable to receive the updates from FortiManager.


On the FortiGate CLI, you can check the latest update version, when it was last updated, and the contract
information for FortiGate.

You can also run a real-time debug along with the update command, which tries to download the latest
definitions and packages from the FDS server (or configured local FDS server in the central management
configuration).
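As an added example that is not part of the study guide, the following command sequence walks through the FortiGuard troubleshooting checks described in this section in the order the slides give them: name resolution and the FDN server list on FortiManager, the per-device contract status, and then package versions and a live update attempt with real-time debug on FortiGate. The FortiGate commands (`diagnose autoupdate versions`, `diagnose debug application update -1`, `execute update-now`) are standard FortiOS CLI; the FortiManager `diagnose fmupdate` commands are given as I recall them from the FortiManager CLI reference, so verify them for your version. Lines starting with `#` are annotations, not CLI input.

```text
# --- On FortiManager ---
# 1. Can the public FDN be resolved and reached by name?
execute ping fds1.fortinet.com

# 2. Which FDN servers does FortiManager know about? Until the first successful connection
#    only the primary FDN servers appear; the secondary servers are downloaded after that.
#    An empty or primary-only list points at reachability or at disabled services.
diagnose fmupdate view-serverlist fds

# 3. Contract status of the managed devices: a device showing 99 has an expired or trial
#    license and will not receive updates from FortiManager.
diagnose fmupdate dbcontract

# --- On FortiGate ---
# 4. Current package versions, last update time and contract information.
diagnose autoupdate versions

# 5. Real-time debug of the update daemon while forcing an update from the configured
#    FDS server (the local FortiManager if central-management server-list points at it).
diagnose debug application update -1
diagnose debug enable
execute update-now
# ... review the debug output for the server address contacted and the response ...
diagnose debug disable
diagnose debug application update 0
```

Read the debug output for which server the FortiGate contacted: if it is the public FDN rather than the FortiManager address, the override in central-management was not applied (or include-default-servers fallback kicked in because the local FDS was unreachable), which is a configuration problem rather than a FortiGuard problem.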


Congratulations! You have completed this lesson.

Now, you will review the objectives that you covered in this lesson.


This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned about the fundamentals of FortiManager HA
clusters, and how to use FortiManager as a local FortiGuard server for your devices.


No part of this publication may be reproduced in any form or by any means or used to make any
derivative such as translation, transformation, or adaptation without permission from Fortinet Inc.,
as stipulated by the United States Copyright Act of 1976.
Copyright© 2023 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and
actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written
contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations,and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,
transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
