
FCP_FMG_AD-7.4 Additional Configuration

Additional Configuration Detailed Explanation

7.1 FortiManager High Availability (HA)

What is High Availability (HA)?

High Availability (HA) in FortiManager ensures that if one FortiManager fails, another takes over seamlessly. This prevents service interruptions and ensures continuous network management.

Why is HA Important?

  • Prevents downtime – Ensures continuous availability of FortiManager.
  • Automatic failover – If the primary FortiManager goes down, the secondary one takes over automatically.
  • Redundant management – Ensures that policies, configurations, and logs are not lost.

HA Modes in FortiManager

FortiManager supports Active-Passive HA, which includes:

HA Mode          Description
Active-Passive   One primary FortiManager (active) handles management. A secondary FortiManager (passive) takes over if the active unit fails.

Key HA Features:

  • Configuration synchronization between active and passive FortiManagers.
  • Automatic failover in case of hardware failure.
  • Ensures all FortiGate devices remain managed without disruption.

How to Configure FortiManager HA (Active-Passive Mode)

Step 1: Prepare FortiManager Devices
  • You need two or more FortiManager units.
  • Ensure they run the same firmware version.
  • Connect both devices to the same network segment.

Step 2: Configure the Primary (Active) FortiManager
  1. Log in to the FortiManager CLI.
  2. Enter HA configuration mode and apply the settings:

config system ha
set mode a-p
set group-name FMG-HA
set priority 200
set peer-ip <Secondary_FortiManager_IP>
set sync-interface port1
end

Explanation:
  • mode a-p – Sets the HA mode to Active-Passive.
  • group-name – Defines the HA group name; the same name is used on both units.
  • priority – A higher value means higher priority (this unit becomes the primary).
  • peer-ip – IP address of the secondary FortiManager.
  • sync-interface – The interface used for configuration synchronization.

Step 3: Configure the Secondary (Passive) FortiManager
  1. Log in to the secondary FortiManager CLI.
  2. Run the following commands:

config system ha
set mode a-p
set group-name FMG-HA
set priority 100
set peer-ip <Primary_FortiManager_IP>
set sync-interface port1
end

Explanation:
  • The lower priority value (100) makes this unit the backup; the group name and sync interface match the primary, and peer-ip points back at the primary.

Step 4: Verify HA Status
  1. On the primary FortiManager, run:

diagnose system ha status

  2. Expected output:

HA Mode: Active-Passive
Primary: 192.168.1.1
Secondary: 192.168.1.2
Sync Status: Synchronized

  3. If the status shows “Out of Sync”, manually force synchronization:

execute ha synchronize

7.2 SNMP and Monitoring in FortiManager

What is SNMP?

SNMP (Simple Network Management Protocol) allows external monitoring tools to collect FortiManager health and performance data.

Why Use SNMP in FortiManager?

  • Monitor system performance (CPU, memory, storage usage).
  • Receive alerts for policy changes, device disconnects, and errors.
  • Integrate with third-party monitoring tools (e.g., Zabbix, PRTG, SolarWinds).

How to Enable SNMP on FortiManager

Step 1: Enable SNMP Agent
  1. Log in to the FortiManager GUI.
  2. Navigate to System Settings → Network → SNMP Agent.
  3. Click Enable SNMP Agent.
  4. Set the SNMP version (v1, v2c, or v3).

Step 2: Configure SNMP Community
  1. Click Create New SNMP Community.
  2. Set the Community Name (e.g., FMG-SNMP).
  3. Define Allowed Hosts (e.g., 192.168.1.100).
  4. Click Apply.

Step 3: Configure SNMP Traps
  1. Navigate to SNMP Traps.
  2. Enable critical events such as:
  • Device Disconnects
  • Policy Installation Failures
  • License Expiry Warnings
  3. Set the SNMP Trap Server (e.g., 192.168.1.200).
  4. Click Save.

Expected Outcome:

  • FortiManager sends alerts to the SNMP monitoring server.
  • External tools display real-time FortiManager performance metrics.

Verifying SNMP Configuration

  1. On an SNMP server, run:

snmpwalk -v 2c -c FMG-SNMP <FortiManager_IP>

  2. If SNMP is working, you will see output like:

SNMPv2-MIB::sysName.0 = STRING: "FortiManager-HA"
SNMPv2-MIB::sysUpTime.0 = Timeticks: 12345678

7.3 REST API and Automation

What is the FortiManager API?

The FortiManager REST API allows administrators to automate firewall policies, device management, and configuration changes.

Why Use the API?

  • Automates repetitive tasks (e.g., adding firewall rules).
  • Integrates with third-party orchestration tools (e.g., Ansible, Terraform).
  • Reduces manual errors when managing multiple FortiGates.

How to Use the FortiManager API

Step 1: Enable API Access
  1. Log in to the FortiManager GUI.
  2. Navigate to System Settings → Admin Profiles.
  3. Create a new API admin profile with the required permissions.
  4. Set API Key Authentication.
  5. Click Save.

Step 2: Create an API Key
  1. Navigate to System Settings → Administrators.
  2. Click Create API Key.
  3. Copy the API key for later use.

Example: Adding a Firewall Policy via API

Run the following curl command:

curl -k -X POST "https://<FortiManager_IP>/api/v2/cmdb/firewall/policy/" \
-H "Authorization: Bearer <API_KEY>" \
-H "Content-Type: application/json" \
-d '{
  "name": "Allow_Web_Traffic",
  "srcintf": [{"name": "port1"}],
  "dstintf": [{"name": "port2"}],
  "srcaddr": [{"name": "all"}],
  "dstaddr": [{"name": "all"}],
  "service": [{"name": "HTTP"}, {"name": "HTTPS"}],
  "action": "accept"
}'

Expected Outcome:

  • The firewall rule is automatically created without using the GUI.

7.4 Troubleshooting FortiManager HA (High Availability)

1. Checking HA Status

  1. What command is used to check the current HA status in FortiManager?

Answer:

diagnose system ha status

Explanation:

  • Displays HA mode, primary and secondary units, and sync status.
  • Helps verify if FortiManager units are synchronized properly.

2. Forcing HA Synchronization

  1. How can you manually synchronize the secondary FortiManager with the primary?

Answer:

execute ha synchronize

Explanation:

  • Forces the secondary FortiManager to sync with the primary unit.
  • Useful if the sync status shows "Out of Sync".

3. Troubleshooting HA Failover Issues

If the secondary unit is not taking over after a primary failure:

  1. What steps should be taken if FortiManager failover is not working correctly?

Answer:

  1. Verify HA status:

diagnose system ha status

  2. Check that both devices have the correct HA configuration:

show system ha

  3. Ensure the sync interface is correctly set:

diagnose netlink interface list | grep sync

  4. If necessary, force a failover manually:

execute ha failover set 1

  5. Reboot the primary device to test failover.
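
The HA verification in 7.1 (Step 4) and the failover checks in 7.4, as an added Python example that is not from Fortinet or this guide: it parses the status output shape shown above, compares the two units' config system ha blocks for the mismatches that break Active-Passive failover, and maps the sync status to the command the guide gives. The status lines and both config blocks are constructed samples with assumed IP addresses.

```python
import re

# Constructed sample of the 'diagnose system ha status' output shape shown in the guide.
SAMPLE_STATUS = """HA Mode: Active-Passive
Primary: 192.168.1.1
Secondary: 192.168.1.2
Sync Status: Out of Sync
"""

# Constructed 'config system ha' blocks for both units (sample IPs, not real devices).
PRIMARY_CFG = """config system ha
set mode a-p
set group-name FMG-HA
set priority 200
set peer-ip 192.168.1.2
set sync-interface port1
end"""
SECONDARY_CFG = (PRIMARY_CFG.replace("priority 200", "priority 100")
                 .replace("peer-ip 192.168.1.2", "peer-ip 192.168.1.1"))

def parse_ha_status(text):
    """Turn the 'Key: Value' lines of the status output into a dict keyed by lowercase name."""
    pairs = (line.partition(":") for line in text.splitlines())
    return {key.strip().lower(): value.strip() for key, sep, value in pairs if sep}

def parse_ha_config(text):
    """Collect every 'set <name> <value>' line of a config system ha block."""
    return {m.group(1): m.group(2) for m in re.finditer(r"^\s*set\s+(\S+)\s+(.+?)\s*$", text, re.M)}

def check_ha_pair(primary, secondary, primary_ip, secondary_ip):
    """Return the mismatches that typically break A-P failover; an empty list means consistent."""
    findings = []
    if not (primary.get("mode") == secondary.get("mode") == "a-p"):
        findings.append("both units must use mode a-p")
    if primary.get("group-name") != secondary.get("group-name"):
        findings.append("group-name differs between units")
    if int(primary.get("priority", 0)) <= int(secondary.get("priority", 0)):
        findings.append("primary priority must be higher than secondary priority")
    if primary.get("peer-ip") != secondary_ip or secondary.get("peer-ip") != primary_ip:
        findings.append("peer-ip values do not point at each other")
    if primary.get("sync-interface") != secondary.get("sync-interface"):
        findings.append("sync-interface differs between units")
    return findings

def recommended_action(status):
    """Map the sync status to the remediation the guide gives: None when already synchronized."""
    if status.get("sync status", "").lower() == "synchronized":
        return None
    return "execute ha synchronize"
```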

7.5 Troubleshooting SNMP and Monitoring

1. Verifying SNMP Configuration

  1. How can you check if FortiManager’s SNMP service is running?

Answer:

diagnose test application snmpd 1

Explanation:

  • Displays SNMP service status and active connections.
  • Helps verify if SNMP is running correctly.

2. Testing SNMP Connectivity

  1. What command can be used to test if an SNMP server can retrieve data from FortiManager?

Answer:

snmpwalk -v 2c -c <community_name> <FortiManager_IP>

Explanation:

  • Confirms that SNMP is properly configured and accessible.
  • If SNMP is not working, check firewall rules allowing SNMP traffic.

3. Fixing SNMP Trap Issues

  1. What should you check if SNMP traps are not being received by the monitoring system?

Answer:

  1. Verify the SNMP trap configuration:

show system snmp sysinfo

  2. Ensure the SNMP trap destination is correct:

show system snmp community

  3. Check whether SNMP traffic is being blocked by a firewall.
  4. Restart the SNMP service if needed:

execute restart snmpd

7.6 FortiManager API Automation – Troubleshooting and Best Practices

1. Testing API Connectivity

  1. What command can be used to test API access to FortiManager?

Answer:

curl -k -X GET "https://<FortiManager_IP>/api/v2/cmdb/system/status" \
-H "Authorization: Bearer <API_KEY>"

Explanation:

  • Confirms that FortiManager’s API is accessible and returning data.
  • If the request fails, ensure API access is enabled in FortiManager.

2. Troubleshooting API Authentication Errors

  1. What should you check if API authentication fails with an "Unauthorized" error?

Answer:

  1. Verify that the API key is correct and has sufficient permissions.
  2. Check that the API admin account has REST API access enabled.
  3. Ensure that API requests use the correct URL format:

https://<FortiManager_IP>/api/v2/

  4. If using an API token, confirm that it has not expired.

3. Debugging API Errors in FortiManager

  1. How can you enable API debug logs in FortiManager?

Answer:

diagnose debug enable
diagnose debug application restapi -1

Explanation:

  • Provides detailed logs on API requests and responses.
  • Helps troubleshoot failed API requests.
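
The policy creation call in 7.3 and the authentication checklist in 7.6, as an added Python example that is not Fortinet's code: it reuses the endpoint, Bearer header and policy body from the guide's curl command, validates the body before sending, and maps HTTP 401/403 and other failures to the troubleshooting steps listed above. The host is a placeholder, the endpoint path is assumed to be the one the guide shows (check it against your FortiManager version's API reference), and certificate verification is left on instead of using curl's -k.

```python
import json
import urllib.error
import urllib.request

# Assumed endpoint and header layout: taken from the guide's curl example (placeholder host).
BASE_URL = "https://<FortiManager_IP>/api/v2/"

# The policy body from the guide's curl example, constructed here as a dict.
SAMPLE_POLICY = {"name": "Allow_Web_Traffic", "action": "accept",
                 "srcintf": [{"name": "port1"}], "dstintf": [{"name": "port2"}],
                 "srcaddr": [{"name": "all"}], "dstaddr": [{"name": "all"}],
                 "service": [{"name": "HTTP"}, {"name": "HTTPS"}]}

def validate_policy(policy):
    """Reject a malformed body before it is sent; returns a list of problems (empty = ok)."""
    problems = []
    if not policy.get("name"):
        problems.append("name is required")
    if policy.get("action") not in ("accept", "deny"):
        problems.append("action must be accept or deny")
    for field in ("srcintf", "dstintf", "srcaddr", "dstaddr", "service"):
        entries = policy.get(field)
        if not entries or not all(isinstance(e, dict) and e.get("name") for e in entries):
            problems.append(f"{field} must be a non-empty list of {{'name': ...}} objects")
    return problems

def classify_response(status_code):
    """Map the HTTP result to the troubleshooting steps the guide lists for API errors."""
    if status_code in (200, 201):
        return "created"
    if status_code in (401, 403):
        return "unauthorized: check API key and permissions, admin REST access, URL format, token expiry"
    return f"unexpected HTTP {status_code}: enable restapi debug logs on FortiManager"

def create_policy(api_key, policy):
    """POST the policy with a Bearer token; certificate verification stays on (no curl -k)."""
    errors = validate_policy(policy)
    if errors:
        raise ValueError("; ".join(errors))
    req = urllib.request.Request(BASE_URL + "cmdb/firewall/policy/", method="POST",
                                 data=json.dumps(policy).encode(),
                                 headers={"Authorization": f"Bearer {api_key}",
                                          "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return classify_response(resp.status), json.load(resp)
    except urllib.error.HTTPError as err:
        return classify_response(err.code), None
```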

7.7 Best Practices for HA, SNMP, and API Automation

1. FortiManager HA Best Practices

  1. What are best practices for configuring FortiManager HA?

Answer:

  1. Ensure both FortiManager devices are running the same firmware version.

  2. Use a dedicated sync interface for fast failover.

  3. Set different priority values to define the primary and secondary devices.

  4. Regularly test failover to ensure HA is working as expected.

  5. Monitor HA sync status using:

diagnose system ha status

2. SNMP Monitoring Best Practices

  1. What are best practices for SNMP configuration in FortiManager?

Answer:

  1. Use SNMPv3 for better security.

  2. Restrict SNMP access to trusted IP addresses.

  3. Enable SNMP traps for critical events like:

  • Device disconnects
  • Policy installation failures
  • High CPU usage
  4. Test SNMP connectivity using:

snmpwalk -v 2c -c <community_name> <FortiManager_IP>

3. API Automation Best Practices

  1. What are best practices for using the FortiManager API?

Answer:

  1. Use API keys instead of passwords for authentication.

  2. Limit API access to trusted IPs for security.

  3. Use FortiManager logs to monitor API activity:

diagnose debug application restapi -1
  4. Automate repetitive tasks such as:
  • Firewall rule creation
  • Policy deployment
  • Device configuration backup
  5. Test API requests in a sandbox environment before applying them to production.

Frequently Asked Questions

What is the main purpose of FortiManager HA?

Answer:

To provide management-plane redundancy so FortiManager services remain available if the primary unit fails.

Explanation:

FortiManager HA is about keeping the management platform available, not load-balancing policy installs. In an HA cluster, the primary and backup units exchange heartbeat traffic and synchronize the FortiManager database and configuration. The admin guide states that HA heartbeat monitoring and database/configuration synchronization occur between cluster members, and that heartbeat uses TCP port 5199. In exam terms, the key idea is: HA protects centralized management continuity and preserves the management database during failover. A common mistake is confusing FortiManager HA with FortiGate traffic HA. FortiManager HA protects the manager itself; it does not forward user traffic.

What should an administrator verify first when configuring a FortiManager HA cluster?

Answer:

That the participating FortiManager units are configured consistently for HA and can communicate with each other over the required HA links.

Explanation:

The FortiManager admin guide describes HA setup as configuring the primary and backup units for HA, ensuring the units can communicate, then connecting them to their networks and completing the cluster settings. Fortinet’s HA troubleshooting article also notes that HA settings must match across the cluster members. For the exam, the operational takeaway is that HA failures are often caused by mismatched HA settings or broken connectivity between units rather than policy issues. A common trap is jumping straight to device-registration troubleshooting when the HA peers themselves are not correctly synchronized or cannot exchange heartbeat traffic.

Why would an organization configure FortiManager as a local FortiGuard Distribution Server (FDS)?

Answer:

To let FortiManager download FortiGuard updates once and then distribute them to managed devices, reducing Internet dependency and update overhead.

Explanation:

The FortiManager administration guide states that when FortiManager acts as a local FDS, it synchronizes update packages with the FortiGuard Distribution Network and then provides those updates and lookup replies to internal FortiGate devices. The guide also notes that this can reduce Internet connection load and speed frequent update distribution across many devices. This is a classic exam concept because it combines centralized management with centralized update distribution. The mistake candidates make is thinking FortiManager only manages configuration and policy; it can also play a FortiGuard distribution role in the environment.

Can FortiManager be used to configure HA on real FortiGate devices?

Answer:

No. FortiManager can manage HA cluster objects and model HA behavior, but it does not configure HA on real FortiGate devices.

Explanation:

The Fortinet documentation page on configuring model HA cluster members explicitly says you cannot use FortiManager to configure HA on real FortiGate devices. That distinction matters in exam scenarios. FortiManager can add and manage FortiGate HA clusters, track members, and apply device or policy changes to managed clusters, but the actual FortiGate HA formation/configuration is not something you build on real devices from FortiManager. A common exam trap is mixing up “manage an HA cluster in FortiManager” with “create the FortiGate HA relationship from FortiManager.” Those are not the same thing.
