
FCP_FMG_AD-7.4 Device-Level Configuration and Installation

Device-Level Configuration and Installation Detailed Explanation

3.1 Configuration Management in FortiManager

What is Configuration Management?

Configuration management in FortiManager allows administrators to centrally manage multiple FortiGate firewalls. Instead of configuring each FortiGate manually, you can use FortiManager to push standardized configurations across your network.

Key Features of Configuration Management in FortiManager

  1. Create and Edit Firewall Configurations Centrally
  • Instead of logging into each FortiGate separately, you can modify all settings from FortiManager.
  • This includes interfaces, routing, security policies, and VPN settings.
  2. Use Configuration Templates for Multiple Devices
  • If you have many FortiGate devices, you can create standard templates to apply common settings.
  • This ensures that all devices have consistent configurations.
  3. Track Configuration Changes with Revision History
  • FortiManager keeps a record of all changes made to firewall configurations.
  • You can see who modified what and when.
  4. Rollback to Previous Configurations if Needed
  • If a configuration change causes issues, you can revert to an older version with a single click.

Hands-on Lab: Viewing and Editing Configuration in FortiManager

Step 1: Viewing a FortiGate’s Configuration in FortiManager
  1. Log in to FortiManager GUI.
  2. Navigate to Device Manager.
  3. Click on the FortiGate device you want to manage.
  4. Go to System Settings → Configuration.
  5. Click Retrieve Config to get the latest settings from the device.
Step 2: Editing a Configuration
  1. After retrieving the configuration, go to Policy & Objects.
  2. Modify a setting, for example:
  • Change the default gateway under Network Settings.
  • Modify an existing security policy.
  3. Click Save.
Step 3: Pushing the Configuration to FortiGate
  1. Click Install Wizard.
  2. Select the FortiGate device to apply the changes.
  3. Click Preview Changes to ensure everything is correct.
  4. Click Install to push the new configuration.

Expected Outcome:

  • The new configuration should now be applied to the FortiGate device.
  • If something goes wrong, you can roll back to a previous configuration version.

3.2 Policy Packages and Installations

What is a Policy Package?

A Policy Package in FortiManager is a set of firewall rules, NAT settings, and security profiles that you can apply to FortiGate devices. Instead of configuring rules one by one, you can create a template and apply it to multiple firewalls.

Components of a Policy Package

  1. Firewall Rules – Control traffic flow between networks.
  2. NAT Settings – Define how IP addresses are translated.
  3. Security Profiles – Include antivirus, web filtering, IPS, etc.

Steps to Create and Install a Policy Package

Step 1: Create a Policy Package
  1. Log in to FortiManager.
  2. Navigate to Policy & Objects.
  3. Click Create New → Policy Package.
  4. Enter a name and description for the policy package.
Step 2: Define Firewall Rules
  1. Click Add New Policy.
  2. Define the following settings:
  • Source & Destination networks.
  • Services (e.g., allow HTTP, SSH, etc.).
  • Security Profiles (IPS, Web Filtering, etc.).
  3. Click Save.
Step 3: Assign the Policy Package to a Device
  1. Go to Device Manager.
  2. Select a FortiGate device.
  3. Click Assign Policy Package.
  4. Choose the policy package you created.
  5. Click OK.
Step 4: Preview Changes Before Deployment
  1. Click Install Wizard.
  2. Select the target FortiGate device.
  3. Click Preview Changes.
  • This step ensures you are not overwriting critical settings.
Step 5: Install the Policy Package on the Device
  1. Click Install.
  2. Wait for the installation to complete.
  3. Verify that the new policies are active on the FortiGate device.

Expected Outcome:

  • The new security policies should now be applied to the firewall.
  • The FortiGate device will enforce the new rules and security settings.

3.3 Configuration Synchronization

Why Do We Need Configuration Synchronization?

When managing multiple firewalls, it’s important to keep configurations up to date. FortiManager allows two types of synchronization:

  1. Manual Sync – Admins must manually trigger synchronization.
  2. Automatic Sync – FortiManager periodically updates configurations.

Manual Synchronization Process

Step 1: Check if FortiGate and FortiManager Are Synchronized
  1. Open FortiManager GUI.
  2. Go to Device Manager.
  3. Check the Sync Status next to each device.
  • Green = Synced
  • Red = Out of sync
Step 2: Manually Sync the Configuration
  1. Select the FortiGate device.
  2. Click Retrieve Config.
  3. Click Compare Configurations to see differences.
  4. Click Sync Now to update FortiManager with the latest settings.

Automatic Synchronization Process

  1. Open FortiManager GUI.
  2. Go to System Settings → Auto Sync Settings.
  3. Enable Automatic Sync.
  4. Set the synchronization interval (e.g., every 30 minutes).
  5. Click Save.

Expected Outcome:

  • FortiManager will automatically check for configuration changes and update its database.
  • This ensures that all devices stay updated without manual intervention.

3.4 Troubleshooting Configuration Errors in FortiManager

Even when following best practices, configuration issues can occur. Below are common errors and how to fix them.

Common Configuration Issues and Fixes

Issue | Possible Cause | Solution
Policy package not installing on FortiGate | FortiGate is out of sync with FortiManager | Perform a manual sync before pushing policies
Device appears "Disconnected" in FortiManager | Network issue or FortiGate management IP has changed | Check connectivity and verify correct IP address
Configuration rollback failed | The rollback version is corrupted or incomplete | Try a different backup version
Policy conflict error | Duplicate firewall rules exist | Review and resolve conflicting policies
Auto-sync is not working | Incorrect synchronization settings | Verify that auto-sync is enabled and check logs

How to Troubleshoot Configuration Issues in FortiManager

Step 1: Check the Configuration Status
  1. Log in to FortiManager GUI.
  2. Navigate to Device Manager.
  3. Look for warning icons next to devices.
  4. Click Sync Status to see the latest updates.
Step 2: View FortiGate Configuration Differences
  1. Select the FortiGate device.
  2. Click Compare Configurations.
  3. Review differences between FortiManager and FortiGate.
  4. Click Apply Sync to update.
Step 3: Debug Policy Package Installation

If a policy package fails to install, check logs:

  1. Open FortiManager CLI and run:
diagnose debug application install -1
  2. Check FortiGate logs for errors:
diagnose debug console timestamp enable
diagnose debug application fgfmsd -1
  3. If you see an error, resolve the conflicting rule before retrying the installation.

3.5 Rollback Strategies for Configuration Changes

If a configuration change causes problems, FortiManager allows you to roll back to a previous version.

How to Rollback a Configuration Change

  1. Log in to FortiManager.
  2. Go to Device Manager.
  3. Select the FortiGate device.
  4. Click Revisions → View Configuration History.
  5. Select a previous working configuration.
  6. Click Restore.
  7. Click Install to apply the rollback.

Expected Outcome:

  • The previous configuration is restored, undoing unwanted changes.
  • This is useful when a new update causes network disruptions.

Automating Configuration Backups

FortiManager can automatically create backups before making changes.

Enable Auto-Backup
  1. Open System Settings.
  2. Go to Backup Settings.
  3. Enable Auto-Backup before every change.
  4. Set the backup retention period (e.g., keep last 10 versions).
  5. Click Save.

Why is this important?

  • If an error occurs, you can restore the last working configuration.
  • Prevents accidental misconfigurations from disrupting the network.

3.6 Best Practices for FortiManager Configuration Management

Following best practices reduces errors and improves efficiency.

1. Always Test Configurations Before Deployment

  • Use Preview Changes before installing policies.
  • Avoid pushing changes during business hours.

2. Use Policy Packages to Standardize Configurations

  • Create different policy packages for different locations.
  • Example:
    • Branch Office Policy Package → For remote sites.
    • Data Center Policy Package → For high-security environments.

3. Enable Automatic Synchronization

  • Prevents manual sync errors.
  • Ensures FortiManager always has the latest configurations.

4. Implement Role-Based Access Control (RBAC)

  • Limit access to configuration changes.
  • Example:
    • Junior Admins → Read-only access.
    • Senior Engineers → Can modify configurations.

5. Regularly Audit Firewall Rules

  • Over time, unused rules accumulate.
  • Run:
    diagnose firewall rule list
  • Remove unused firewall policies to improve performance.

3.7 Hands-on Lab: Full Configuration Management Workflow

Scenario: Configure and Deploy a Policy Package

You are an administrator responsible for managing 20 FortiGate devices using FortiManager. You need to:

  1. Create a policy package.
  2. Apply it to multiple devices.
  3. Ensure all devices stay synchronized.

Step 1: Create a New Policy Package

  1. Open FortiManager.
  2. Navigate to Policy & Objects.
  3. Click Create New → Policy Package.
  4. Name it "Branch_Office_Policy".

Step 2: Define Firewall Rules

  1. Click Add New Policy.
  2. Configure:
  • Source: Internal_Network
  • Destination: Internet
  • Service: Allow HTTPS, SSH
  • Security Profile: Enable Antivirus, Web Filtering
  3. Click Save.

Step 3: Assign to Multiple FortiGate Devices

  1. Go to Device Manager.
  2. Select all branch office devices.
  3. Click Assign Policy Package.
  4. Choose Branch_Office_Policy.

Step 4: Deploy the Policy Package

  1. Click Install Wizard.
  2. Select the target devices.
  3. Click Preview Changes to verify settings.
  4. Click Install to apply.

Step 5: Verify Configuration Sync

  1. Open Device Manager.
  2. Check Sync Status (should be green).
  3. Run CLI command:
diagnose sys cmdb status
  4. If "Out of Sync," manually trigger a sync.

Expected Outcome:

  • The new security policies are applied to all branch offices.
  • FortiManager keeps all devices updated and synchronized.

Frequently Asked Questions

What is the difference between the device database and the device configuration in FortiManager?

Answer:

The device database stores the configuration managed by FortiManager, while the device configuration is the actual running configuration on the FortiGate.

Explanation:

FortiManager maintains its own copy of the configuration in the device database. Administrators make changes there before deploying them to the FortiGate. The device configuration refers to the actual configuration currently running on the FortiGate device. If changes are made directly on the FortiGate CLI or GUI, the configurations may become out of sync. Administrators must import or retrieve the configuration to resynchronize the databases.

Common exam trap:

Candidates often assume the device database automatically updates when the firewall configuration changes.

Demand Score: 88

Exam Relevance Score: 92

Why might policy installation fail even though policies were configured correctly in FortiManager?

Answer:

The device database may be out of sync with the FortiGate configuration.

Explanation:

If changes are made directly on the FortiGate device, the configuration stored in FortiManager may no longer match the device configuration. When FortiManager attempts to install policies, it compares the management database with the device configuration. If inconsistencies exist, installation may fail or generate warnings. Administrators must perform a configuration retrieval or import to synchronize the device database before installing policies again.

Common mistake:

Administrators believe installation failures are always policy conflicts rather than database synchronization issues.

Demand Score: 85

Exam Relevance Score: 91

What is the purpose of Install Preview in FortiManager?

Answer:

It shows the configuration changes that will be applied before installation.

Explanation:

Install Preview compares the FortiManager database configuration with the current device configuration and displays the differences. This allows administrators to verify what will change before pushing the configuration to the device. The preview highlights added, modified, or removed configurations. Using Install Preview helps prevent unintended configuration changes and reduces deployment risks.

Common exam trap:

Some candidates think Install Preview validates policy logic. It only displays configuration differences.

Demand Score: 72

Exam Relevance Score: 83
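As an added illustration (not code from this course or from Fortinet) of what Compare Configurations and Install Preview surface, the script below flattens two constructed FortiGate-style CLI configurations and reports what an install from the FortiManager device database would add, modify or remove on the device. The parser, the sample configurations and the "Temp_Allow_All" policy created directly on the FortiGate are all assumptions made for the example.

```python
# Added example, not from the course page or Fortinet: a minimal diff of two
# FortiGate-style CLI configurations, in the spirit of what Compare Configurations
# and Install Preview do between the device database and the running config.

def parse_config(text):
    """Flatten 'config .. / edit .. / set k v / next / end' into {path: value}."""
    settings, path = {}, []
    for parts in (line.split() for line in text.splitlines() if line.strip()):
        if parts[0] in ("config", "edit"):
            path.append(" ".join(parts[1:]).strip('"'))
        elif parts[0] in ("next", "end"):
            path.pop()
        elif parts[0] == "set":
            settings["/".join(path + [parts[1]])] = " ".join(parts[2:])
    return settings

def diff_configs(database, device):
    """What an install would add, change or remove on the device."""
    db, dev = parse_config(database), parse_config(device)
    return {
        "added": {k: db[k] for k in db if k not in dev},
        "removed": {k: dev[k] for k in dev if k not in db},
        "modified": {k: (dev[k], db[k]) for k in db if k in dev and db[k] != dev[k]},
    }

# Constructed device-database copy: policy 1 gained an AV profile and SSH.
DEVICE_DB = """
config firewall policy
    edit 1
        set name "Branch_Web"
        set service "HTTPS" "SSH"
        set av-profile "default"
    next
end
"""

# Constructed running config: someone added policy 2 directly on the FortiGate.
RUNNING = """
config firewall policy
    edit 1
        set name "Branch_Web"
        set service "HTTPS"
    next
    edit 2
        set name "Temp_Allow_All"
    next
end
"""
```

`diff_configs(DEVICE_DB, RUNNING)` lists the out-of-band policy 2 under "removed": an install would wipe it, which is why the page insists on retrieving the configuration before installing, and the diff says nothing about whether any rule is sensible.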

What occurs during a policy installation process?

Answer:

FortiManager pushes configuration changes from its database to the FortiGate device.

Explanation:

When administrators install policies, FortiManager generates a configuration script based on the policy package and device settings stored in its database. This script is then transmitted to the FortiGate device. The device applies the configuration changes and updates its running configuration. Installation ensures that the managed device configuration matches the centralized management database.

Demand Score: 77

Exam Relevance Score: 90

Why is configuration retrieval important in FortiManager?

Answer:

It synchronizes the device configuration with the FortiManager database.

Explanation:

If administrators make changes directly on the FortiGate device, FortiManager's database may become outdated. Performing a configuration retrieval updates the FortiManager database to match the device configuration. This prevents installation conflicts and ensures that FortiManager accurately represents the device's current configuration.

Demand Score: 74

Exam Relevance Score: 88
