
FCP_FMG_AD-7.4 Administration and Management


Detailed list of FCP_FMG_AD-7.4 knowledge points

Administration and Management Detailed Explanation

1.1 Overview of FortiManager

What is FortiManager?

FortiManager is a centralized network security management solution developed by Fortinet. It provides administrators with a single platform to manage multiple Fortinet security devices, particularly FortiGate firewalls. Instead of configuring each FortiGate manually, FortiManager allows centralized control, saving time, reducing errors, and improving security consistency across the network.

Why Do You Need FortiManager?

Imagine you are managing hundreds of FortiGate firewalls spread across different locations. Configuring each firewall manually would be time-consuming, error-prone, and inefficient. With FortiManager, you can:

  • Apply security policies across multiple firewalls at once.
  • Ensure consistent security settings across all devices.
  • Monitor network activity and generate reports.
  • Backup and restore device configurations to prevent data loss.

Key Features and Benefits

FortiManager offers several features that make it essential for large-scale Fortinet deployments:

  1. Centralized Configuration Management
    • Instead of configuring each firewall separately, administrators can manage security policies, NAT rules, firewall configurations, and objects from a single interface.
    • This ensures consistency across multiple FortiGate devices.
  2. Multi-Domain Administration (ADOMs)
    • ADOMs (Administrative Domains) allow network administrators to segment the network into different administrative areas.
    • Example: A large organization with multiple branches can assign each branch its own ADOM, ensuring that changes in one branch do not affect other branches.
  3. Automated Backup and Revision Control
    • FortiManager automatically saves different versions of device configurations.
    • If a mistake is made or a configuration issue arises, administrators can restore previous settings.
  4. Real-time Monitoring and Logging
    • FortiManager collects logs from all connected devices, providing real-time visibility into network threats, security events, and compliance status.
    • Example: If a firewall detects suspicious activity, FortiManager logs it and can trigger an alert.
  5. Integration with FortiAnalyzer
    • FortiManager can work with FortiAnalyzer, a powerful log management and analytics tool.
    • This integration allows administrators to perform detailed forensic analysis, log correlation, and reporting for enhanced security insights.

1.2 FortiManager Access Methods

Administrators can interact with FortiManager using three primary access methods:

1. Graphical User Interface (GUI)

  • The GUI is a web-based interface that provides an easy-to-use dashboard.

  • It includes the following key sections:

    • Dashboard – Displays system status, device health, and alerts.
    • Device Manager – Allows administrators to register, monitor, and configure FortiGate devices.
    • Policy & Objects – Used to define firewall policies, address groups, services, and security profiles.
    • FortiGuard Services – Manages security services like IPS, Antivirus, and Web Filtering.
    • Log View & Reports – Provides real-time monitoring and historical analysis of network events.
  • How to Access FortiManager GUI:

    1. Open a web browser (Chrome, Firefox, Edge, etc.).
    2. Enter FortiManager’s IP address in the address bar.
    3. Log in using your administrator username and password.
    4. Navigate through the dashboard to manage your network.

2. Command-Line Interface (CLI)

  • CLI provides a text-based command environment for advanced users.

  • It is useful for scripting, troubleshooting, and bulk configuration.

  • Administrators can access the CLI via:

    • SSH (Secure Shell) for remote access.
    • Console (Serial Port) for direct physical access.
  • Common CLI Commands:

    • Check system status:

      get system status
      
    • View registered devices:

      show device
      
    • Restart FortiManager:

      execute reboot
      

3. REST API

  • The REST API (Representational State Transfer Application Programming Interface) allows administrators to automate tasks and integrate FortiManager with third-party applications.

  • It enables bulk configuration changes without manual intervention.

  • Example API request to fetch firewall policies:

    curl -X GET "https://fortimanager-ip/api/v2/cmdb/firewall/policy"
    
  • Why Use the API?

    • Automates repetitive tasks (e.g., adding new firewall rules).
    • Reduces human error.
    • Allows integration with other security tools.

1.3 FortiManager System Administration

1. System Settings Configuration

Administrators must configure basic system settings before using FortiManager effectively.

Hostname and System Time Settings
  • The hostname is the unique identifier for the FortiManager device.

  • System time should be synchronized with NTP (Network Time Protocol) to ensure accurate log timestamps.

  • Example CLI command to configure NTP:

    config system ntp
        set server "pool.ntp.org"
        set syncinterval 60
    end
    
Network Interfaces and IP Address Configuration
  • FortiManager must have a static IP address to be reachable.

  • Interfaces should be assigned to different network zones for security.

  • Configuration example:

    config system interface
        edit "port1"
            set ip 192.168.1.100 255.255.255.0
        next
    end
    
DNS and Routing Settings
  • Configure DNS servers to enable FortiManager to resolve domain names.

  • Static routes should be defined for proper network communication.

  • Example DNS setup:

    config system dns
        set primary 8.8.8.8
        set secondary 8.8.4.4
    end
    

2. Administrator Accounts and Roles

FortiManager supports different administrator roles to enforce security and access control.

Types of Administrator Accounts
  1. Super_Admin
    • Has full access to all features, settings, and ADOMs.
    • Can create new administrators and manage security policies.
  2. Restricted_Admin
    • Has limited access based on role-based permissions.
    • Can only modify assigned policies and devices.
  3. API User
    • A specialized account for automation tasks using REST API.
    • Cannot log into the GUI but can interact with FortiManager through API calls.

3. Role-Based Access Control (RBAC)

  • RBAC allows administrators to define roles with specific permissions.
  • Why is RBAC important?
    • Ensures only authorized users can modify security settings.
    • Limits potential misconfigurations by junior administrators.
  • Example RBAC settings:
    • Read-Only Admin – Can view settings but cannot make changes.
    • Policy Manager – Can modify firewall policies but not system settings.
    • Device Manager – Can register and configure FortiGate devices but not change policies.

4. FortiManager High Availability (HA)

  • HA ensures system reliability by preventing downtime.
  • Active-Passive (A-P) mode: One active unit and one backup unit.
  • Database Synchronization: Ensures configurations are replicated across multiple FortiManager instances.

1.4 FortiManager Overview With Hands-on Examples

Lab Setup for Learning FortiManager

To practice FortiManager administration, you can set up a lab environment using one of the following methods:

Option 1: Use a Fortinet Virtual Machine (VM)
  1. Download FortiManager VM from the Fortinet Support Portal (requires a Fortinet account).
  2. Deploy the FortiManager VM in VMware Workstation, VirtualBox, or ESXi.
  3. Configure a FortiGate device in the same virtual environment to register and manage.
Option 2: Use an Online Fortinet Lab
  • Fortinet provides online training environments for certification courses.
  • Visit Fortinet NSE Training and register for FortiManager Labs.

1. Accessing the FortiManager GUI

Step 1: Log into FortiManager
  1. Open a web browser (Chrome, Firefox, Edge).
  2. Enter the FortiManager IP Address in the browser (e.g., https://192.168.1.100).
  3. Log in using admin credentials.
Step 2: Explore the Dashboard

The Dashboard provides an overview of:

  • System Status (CPU, memory usage, and system uptime).
  • Device Manager (Lists all FortiGate devices).
  • Policy & Objects (Where you manage firewall rules).
  • Log View & Reports (Shows traffic and security events).

[Screenshot: FortiManager Dashboard]

Step 3: Configure System Settings
  1. Go to System Settings → Network.
  2. Set the Hostname (e.g., FortiManager-Training).
  3. Configure the Management IP Address (e.g., 192.168.1.100).
  4. Set DNS Servers (e.g., Google DNS 8.8.8.8).

Lab Exercise:
Try to change the hostname in FortiManager and verify that the new hostname also appears in the CLI.

2. Using FortiManager CLI (Hands-on)

Why use the CLI?

  • The CLI is useful for advanced configurations and troubleshooting.
  • You can access it via SSH or the Console.
How to Access FortiManager CLI
  1. Open PuTTY or any SSH client.

  2. Connect to FortiManager using:

     ssh admin@192.168.1.100

  3. Enter your admin password.
Basic CLI Commands
  1. Check System Status

     get system status

     Expected Output:
     • Displays FortiManager version, serial number, and uptime.

  2. Show Current Network Configuration

     show system interface

     Expected Output:
     • Shows configured interfaces and IP addresses.

  3. Set a Static IP Address

     config system interface
         edit "port1"
             set ip 192.168.1.100 255.255.255.0
             set allowaccess ping http https ssh
         next
     end

     Expected Output:
     • Updates IP address and access permissions.

Lab Exercise:
Try to change the FortiManager IP address and verify it in the GUI and CLI.

3. FortiManager API (Automation Practice)

Why use the API?

  • Allows automation of firewall rule deployment.
  • Helps integrate FortiManager with third-party tools.
Step 1: Enable API Access
  1. Log into FortiManager GUI.
  2. Navigate to System Settings → Admin Settings.
  3. Enable REST API Access.
Step 2: Make an API Request
  • Open a terminal and execute:

    curl -k -X GET "https://192.168.1.100/api/v2/cmdb/firewall/policy"

Expected Output:

  • Returns a list of firewall policies.

Lab Exercise:
Try to create a new API user and retrieve FortiManager policies using an API request.
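The request shown in section 1.2 and in Step 2 above is a plain GET issued with `-k`, which tells curl to skip verification of the FortiManager certificate; outside a throwaway lab the certificate should be verified against the CA that issued it. The following Python script is an added example, not code from this page or from Fortinet: it issues the same GET over a verified TLS connection and then audits the returned policy list for accept rules that allow any source to any destination on any service, or that do not log traffic. The bearer-token header, the `results` key and the policy field names are assumptions modelled on a constructed sample, not documented FortiManager output.

```python
"""Added example: fetch the policy list with TLS verification, then audit it.
Auth header, response layout and field names are assumptions (see lead-in)."""
import json
import ssl
import urllib.request

# Path exactly as the page's curl command shows it.
POLICY_URL = "https://{host}/api/v2/cmdb/firewall/policy"


def fetch_policies(host: str, token: str, cafile: str) -> dict:
    """GET the policy list, verifying the server certificate against cafile.
    Assumed: the API accepts a bearer token (the page shows no auth header)."""
    ctx = ssl.create_default_context(cafile=cafile)  # the opposite of curl -k
    req = urllib.request.Request(
        POLICY_URL.format(host=host),
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return json.load(resp)


def _names(field) -> set:
    """Normalise an address/service list ([{'name': 'all'}] or ['all']) to a set of names."""
    return {m["name"] if isinstance(m, dict) else str(m) for m in field}


def audit_policies(payload: dict) -> list:
    """Return (policyid, reason) pairs for accept rules worth a second look:
    any source to any destination on any service, and rules that do not log traffic."""
    findings = []
    for pol in payload.get("results", []):
        if pol.get("action") != "accept":
            continue
        wide_open = (
            _names(pol.get("srcaddr", [])) == {"all"}
            and _names(pol.get("dstaddr", [])) == {"all"}
            and _names(pol.get("service", [])) == {"ALL"}
        )
        if wide_open:
            findings.append((pol["policyid"], "any-any-any accept"))
        if pol.get("logtraffic", "disable") == "disable":
            findings.append((pol["policyid"], "accept without traffic logging"))
    return findings


# Constructed sample response for the offline run; not real FortiManager output.
SAMPLE = {"results": [
    {"policyid": 1, "name": "lan-to-wan", "srcaddr": [{"name": "LAN_net"}],
     "dstaddr": [{"name": "all"}], "service": [{"name": "HTTPS"}],
     "action": "accept", "logtraffic": "all"},
    {"policyid": 2, "name": "temp-allow-all", "srcaddr": [{"name": "all"}],
     "dstaddr": [{"name": "all"}], "service": [{"name": "ALL"}],
     "action": "accept", "logtraffic": "disable"},
    {"policyid": 3, "name": "block-guest", "srcaddr": [{"name": "Guest_net"}],
     "dstaddr": [{"name": "all"}], "service": [{"name": "ALL"}],
     "action": "deny", "logtraffic": "all"},
]}

if __name__ == "__main__":
    for pid, reason in audit_policies(SAMPLE):
        print(f"policy {pid}: {reason}")
```

Run as-is it audits the constructed SAMPLE; against a live unit, call `fetch_policies(host, token, cafile)` with the CA certificate that signed the FortiManager certificate and pass its result to `audit_policies`.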

1.5 FortiManager User Accounts and Role-Based Access Control (RBAC)

1. Creating Administrator Accounts

  1. Go to System Settings → Administrators.
  2. Click Create New.
  3. Set:
     • Username: security_admin
     • Password: StrongPassword123
     • Administrator Profile: Read-Only
  4. Click OK.

Expected Outcome:

  • A new user with limited permissions is created.

Lab Exercise:
Log out and try logging in with the new administrator account. Check what functions are restricted.

2. Configuring Role-Based Access Control (RBAC)

Why RBAC is Important
  • Ensures only authorized users can modify settings.
  • Protects against accidental or malicious changes.
Example: Creating a Custom Role
  1. Navigate to System Settings → Admin Profiles.
  2. Click Create New and set:
     • Profile Name: Policy_Manager
     • Permissions: Only allow access to Policy & Objects.
  3. Assign this role to a new administrator.

Lab Exercise:
Try creating another administrator with only read access and verify their permissions.

1.6 FortiManager High Availability (HA)

Why Use HA?

  • Ensures failover protection.
  • Prevents downtime if one FortiManager fails.
Step 1: Configure Active-Passive HA
  1. Connect to both FortiManager devices.

  2. On the Primary Device (Active), run:

     config system ha
         set mode a-p
         set group-name "FMG-HA"
         set priority 200
     end

  3. On the Secondary Device (Passive), run:

     config system ha
         set mode a-p
         set group-name "FMG-HA"
         set priority 100
     end

  4. Check HA status:

     diagnose system ha status

Expected Outcome:

  • The Primary device (Active) handles management.
  • If it fails, the Secondary device (Passive) takes over.

Lab Exercise:
Simulate an HA failover by shutting down the Primary device and checking if the Secondary device takes over.

Frequently Asked Questions

What happens when workspace mode is enabled in an ADOM on FortiManager?

Answer:

Changes to the configuration database require locking the ADOM before modifications can be made.

Explanation:

Workspace mode enforces change control in multi-administrator environments. An administrator must lock the ADOM before making policy or object changes. This prevents conflicting edits by other administrators. After modifications, the admin commits the changes, unlocking the ADOM so others can work. Without locking, configuration changes cannot be saved. This ensures database consistency and prevents overwriting changes during collaborative management.

Common mistake:

Candidates assume workspace mode only affects policy installation. It actually controls database editing access before installation.

Demand Score: 72

Exam Relevance Score: 82

Why might an administrator be unable to edit policies inside an ADOM even though they have administrator privileges?

Answer:

The ADOM may already be locked by another administrator.

Explanation:

When workspace mode is active, only the administrator who locks the ADOM can edit policies and objects. Other administrators can view configurations but cannot modify them until the lock is released. This lock ensures that multiple administrators do not create conflicting changes simultaneously. If the lock remains active due to a disconnected session, it may need to be manually released by a super administrator.

Common mistake:

Candidates often assume this issue is related to RBAC permissions rather than ADOM locking.

Demand Score: 65

Exam Relevance Score: 80

Why would an organization deploy multiple ADOMs in FortiManager?

Answer:

To separate management environments for different administrative domains.

Explanation:

Administrative Domains (ADOMs) allow FortiManager to manage multiple groups of devices independently. Each ADOM has its own policy database, objects, administrators, and configuration revisions. Organizations commonly use ADOMs to separate environments such as production vs staging, different customers in MSSP deployments, or regional network segments. This prevents configuration overlap and enforces access control. Administrators assigned to one ADOM cannot modify devices in another unless explicitly permitted.

Common mistake:

Thinking ADOMs only organize devices. They actually isolate entire policy databases and administrative permissions.

Demand Score: 70

Exam Relevance Score: 88

What is the primary purpose of revision history in FortiManager administration?

Answer:

To track configuration changes and allow rollback to previous versions.

Explanation:

FortiManager automatically records configuration revisions whenever changes occur in the management database or when policies are installed. Each revision stores the configuration state at that time. Administrators can compare revisions, identify configuration differences, and revert to a known working state if a change causes issues. Revision history is essential for troubleshooting failed deployments and auditing configuration modifications in large environments.

Common mistake:

Some administrators think revision history only applies after policy installation. It actually tracks changes within the FortiManager database itself.

Demand Score: 63

Exam Relevance Score: 78
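The FAQ answers above on workspace-mode locking and on revision history describe behaviour that is easier to see as a small state machine. The following Python model is an added example, not FortiManager code or its API; the class and method names (Adom, lock, edit, commit, force_unlock, diff, revert, try_lock) are this example's own. It shows that edits are rejected unless the caller holds the ADOM lock, that a second administrator cannot take the lock while it is held, that a commit records a revision and releases the lock, that a stale lock can be released only by a super administrator, and that a rollback is itself a locked change that produces a new revision rather than erasing history.

```python
"""Added example: a model of ADOM workspace locking and revision history.
Names are this example's own, not FortiManager CLI or API identifiers."""
import difflib


class WorkspaceError(Exception):
    """Raised when an operation violates the workspace-mode rules."""


class Adom:
    """One ADOM with workspace mode enabled: edits need the lock, commits make revisions."""

    def __init__(self, name: str, config: dict):
        self.name = name
        self.lock_holder = None           # admin who currently holds the ADOM lock
        self.config = dict(config)        # committed configuration database
        self.pending = None               # uncommitted edits of the lock holder
        self.revisions = [dict(config)]   # revision 0 is the initial state

    def lock(self, admin: str) -> None:
        if self.lock_holder is not None and self.lock_holder != admin:
            raise WorkspaceError(f"{self.name} is locked by {self.lock_holder}")
        self.lock_holder = admin
        self.pending = dict(self.config)

    def edit(self, admin: str, key: str, value: str) -> None:
        if self.lock_holder != admin:
            raise WorkspaceError(f"{admin} must lock {self.name} before editing")
        self.pending[key] = value

    def commit(self, admin: str) -> int:
        """Save pending edits as a new revision, release the lock, return the revision number."""
        if self.lock_holder != admin:
            raise WorkspaceError(f"{admin} does not hold the lock on {self.name}")
        self.config = dict(self.pending)
        self.revisions.append(dict(self.config))
        self.lock_holder, self.pending = None, None
        return len(self.revisions) - 1

    def force_unlock(self, admin: str, is_super_admin: bool) -> None:
        """Release a stale lock (e.g. a disconnected session); super administrators only."""
        if not is_super_admin:
            raise WorkspaceError(f"{admin} may not release another administrator's lock")
        self.lock_holder, self.pending = None, None

    def diff(self, rev_a: int, rev_b: int) -> list:
        """Unified diff between two revisions, one 'key = value' line per setting."""
        a = [f"{k} = {v}" for k, v in sorted(self.revisions[rev_a].items())]
        b = [f"{k} = {v}" for k, v in sorted(self.revisions[rev_b].items())]
        return list(difflib.unified_diff(a, b, f"rev{rev_a}", f"rev{rev_b}", lineterm=""))

    def revert(self, admin: str, rev: int) -> int:
        """Roll back to an earlier revision; this is itself a locked edit plus commit."""
        self.lock(admin)
        self.pending = dict(self.revisions[rev])
        return self.commit(admin)


def try_lock(adom: Adom, admin: str) -> str:
    """Attempt to take the lock; return '' on success or the rejection message."""
    try:
        adom.lock(admin)
        return ""
    except WorkspaceError as err:
        return str(err)


def demo():
    """FAQ scenario: alice edits under lock, bob is blocked, bob later rolls the change back."""
    adom = Adom("Branch_A", {"policy 1 action": "accept", "policy 1 logtraffic": "all"})
    adom.lock("alice")
    adom.edit("alice", "policy 1 logtraffic", "disable")
    try:
        adom.edit("bob", "policy 2 action", "accept")    # bob holds no lock: rejected
        blocked = ""
    except WorkspaceError as err:
        blocked = str(err)
    rev1 = adom.commit("alice")                           # revision 1 saved, lock released
    changed = [line for line in adom.diff(0, rev1)
               if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))]
    rev2 = adom.revert("bob", 0)                          # bob locks, rolls back, revision 2
    return blocked, rev1, changed, rev2, adom.config


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The model deliberately keeps revision 1 after the rollback: reverting writes revision 2 with the old content, so the audit trail of who changed what is preserved, which is the reason the FAQ gives for keeping revision history at all.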
