FCSS_EFW_AD-7.4 Central management

Detailed list of FCSS_EFW_AD-7.4 knowledge points

Central Management Detailed Explanation

This section provides a detailed walkthrough of Central Management, focusing on FortiManager, FortiAnalyzer, and Security Fabric Integration.

2.1 FortiManager

FortiManager is a centralized management solution for Fortinet devices, including FortiGate. It simplifies configuration, policy management, and device monitoring in complex environments.

2.1.1 Centralized Policy Management

FortiManager allows administrators to create and deploy consistent policies across multiple devices.

Step 1: Create Policy Packages
  • Policy packages are collections of firewall rules, NAT configurations, and security profiles that can be applied to devices or device groups.
  1. Log into FortiManager:
    • Use a web browser to access the FortiManager GUI.
    • Default credentials: Username: admin, Password: (blank); change this password at first login.
  2. Create a New Policy Package:
    • Navigate to Policy & Objects > Policy Packages.
    • Click Create New and define a package name (e.g., Corporate_Policies).
  3. Add Firewall Policies:
    • Within the package, define rules for traffic filtering:
      • Source, destination, services, and actions (e.g., allow, deny).
      • Attach security profiles like antivirus or IPS.
Step 2: Deploy Policies
  1. Select Devices:
    • Map the policy package to a FortiGate device or ADOM (Administrative Domain).
  2. Install Policies:
    • Review changes and click Install to push the policies to selected devices.
  3. Verify Installation:
    • Check the deployment status for errors or conflicts.
Step 3: Use Administrative Domains (ADOMs)
  • ADOMs allow segmentation of devices into logical groups based on function, location, or department.
    • Enable ADOMs in System Settings > Admin Settings.
    • Create ADOMs and assign devices to their respective ADOMs for role-based access control.

2.1.2 Configuration Backups and Rollbacks

FortiManager can schedule regular configuration backups and roll devices back to earlier revisions, which keeps device configurations consistent and supports disaster recovery.

Step 1: Automate Backups
  1. Schedule Backups:
    • Go to Device Manager > Device Settings.
    • Set up a backup schedule for selected devices (e.g., daily, weekly).
  2. Choose Backup Types:
    • Full configuration or incremental changes.
Step 2: Rollback Changes
  • If a misconfiguration occurs, roll back to a previous version:
    • Navigate to Device Manager > Revision History.
    • Select a backup and click Restore.

2.1.3 Script Automation

FortiManager enables administrators to automate repetitive tasks across multiple devices using scripts.

Step 1: Create a CLI Script
  1. Access the Script Manager:

    • Navigate to Scripts in the FortiManager GUI.
    • Click Create New and choose CLI Script.
  2. Write the Script:

    • Example: Configure interface IPs on multiple devices (each entry is closed with next before the table is closed with end):

      config system interface
          edit port1
              set ip 192.168.1.1/24
              set allowaccess ping https ssh
          next
      end

  3. Save and Test:

    • Test the script on a single device before applying it globally.
Step 2: Execute the Script
  1. Select Target Devices:
    • Assign the script to specific devices or groups.
  2. Schedule Execution:
    • Run immediately or set a future execution time.
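An added example, not FortiManager's own tooling, of how a script like the one above can be generated per device from an inventory and validated before it is tested on a single device; the inventory, the device names and the allowed-services list are constructed assumptions.

```python
import ipaddress

# Assumed allow-list for administrative access: no cleartext protocols (http, telnet).
ALLOWED_ACCESS = {"ping", "https", "ssh", "snmp", "fgfm"}

# Constructed inventory: device name -> (interface, address in CIDR notation).
INVENTORY = {
    "FGT-BRANCH-01": ("port1", "192.168.1.1/24"),
    "FGT-BRANCH-02": ("port1", "192.168.2.1/24"),
}

def render_script(iface, cidr, access=("ping", "https", "ssh")):
    """Build the CLI script for one device; raise ValueError rather than emit bad config."""
    ip_if = ipaddress.ip_interface(cidr)  # rejects malformed addresses and prefixes
    net = ip_if.network
    if net.prefixlen < 31 and ip_if.ip in (net.network_address, net.broadcast_address):
        raise ValueError(f"{cidr}: network/broadcast address is not a usable host IP")
    bad = set(access) - ALLOWED_ACCESS
    if bad:
        raise ValueError(f"{iface}: allowaccess services not permitted: {sorted(bad)}")
    return "\n".join([
        "config system interface",
        f'    edit "{iface}"',
        f"        set ip {ip_if.ip} {net.netmask}",
        f"        set allowaccess {' '.join(access)}",
        "    next",
        "end",
    ])

def render_all(inventory):
    """Validate every device first so a single bad entry aborts before any script is pushed."""
    return {name: render_script(iface, cidr) for name, (iface, cidr) in inventory.items()}

def overlapping_subnets(inventory):
    """Cross-device check: two devices sharing a subnet usually means a copy-paste error."""
    nets = [(n, ipaddress.ip_interface(c).network) for n, (_, c) in inventory.items()]
    return [(a, b) for i, (a, na) in enumerate(nets) for b, nb in nets[i + 1:] if na.overlaps(nb)]
```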

2.2 FortiAnalyzer

FortiAnalyzer is a log management and analysis platform that works seamlessly with FortiGate to provide insights into network activity.

2.2.1 Centralized Logging and Analysis

Step 1: Log Collection
  1. Connect FortiGate Devices:

    • On the FortiGate (CLI shown), configure log forwarding to FortiAnalyzer:

      config log fortianalyzer setting
          set status enable
          set server <FortiAnalyzer_IP>
          set source-ip <FortiGate_IP>
      end

  2. Enable Logging on Policies:

    • On FortiGate, ensure firewall policies have logging enabled:

      config firewall policy
          edit 1
              set logtraffic all
          next
      end

Step 2: Use Filters and Queries
  1. Access Logs:
    • In the FortiAnalyzer GUI, navigate to Log View.
  2. Apply Filters:
    • Filter logs by criteria like date, severity, or source IP.
  3. Run Queries:
    • Use the log search query syntax to identify patterns or specific incidents.

2.2.2 Reporting

Step 1: Generate Reports
  1. Access the Reporting Module:
    • Navigate to Reports > All Reports.
  2. Select a Report Template:
    • Use predefined templates for traffic analysis, threat detection, or compliance (e.g., GDPR, PCI-DSS).
  3. Customize Reports:
    • Add or remove sections as needed, such as bandwidth usage or user activity.
Step 2: Schedule Reports
  1. Set Frequency:
    • Schedule reports to generate automatically (daily, weekly, or monthly).
  2. Delivery Options:
    • Send reports via email or download them directly.

2.3 Fabric Integration

FortiManager and FortiAnalyzer can integrate with the Fortinet Security Fabric to provide centralized visibility and coordination across Fortinet devices.

2.3.1 Security Fabric Integration

  1. Enable Security Fabric:

    • On FortiGate, enable the Security Fabric so that other Fortinet products can be linked to it:

      config system csf
          set status enable
      end

  2. View Fabric Topology:

    • In the FortiAnalyzer or FortiManager GUI, navigate to Fabric View to see a visual map of connected devices.

2.3.2 Threat Intelligence Sharing

  1. Enable Threat Feeds:
    • Integrate third-party threat intelligence feeds with FortiAnalyzer.
    • Use dynamic blocklists to enhance security policies.
  2. Automated Responses:
    • Configure Fabric automation rules to respond to detected threats, such as isolating infected hosts.

Central Management (Additional Content)

1. FortiManager – Policy Package Locking and Revision Control

In environments where multiple administrators manage policies and devices, revision control and policy locking ensure consistent configurations and prevent conflicts.

1.1 Policy Package Locking

FortiManager allows you to lock policy packages during editing. This prevents others from modifying the same package simultaneously.

  • When a user opens a package, it becomes “locked” to that user.

  • Others will see it as “locked by [username]” and cannot edit until it’s released.

This is critical in multi-admin setups to avoid overlapping changes or misconfigurations.

1.2 Revision History and Change Management

FortiManager tracks changes to configurations through revision control:

  • Every time a policy package is modified and saved, a new revision is created.

  • You can compare revisions, roll back to previous versions, or create labeled restore points for known-good configurations.

CLI View of Revision History:

      diagnose dvm revision list <device_name>
      diagnose dvm revision diff <device_name> <revision_id_1> <revision_id_2>

This enables effective auditing, troubleshooting, and disaster recovery.
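The comparison a revision diff performs can be illustrated with an added example (not FortiManager's code): it flattens two constructed FortiOS revisions into setting paths, lists what changed, and flags any change that opens cleartext administrative access, which is the kind of check an audit of revision history exists for.

```python
# Constructed "before" revision of a FortiOS fragment; the "after" revision widens port1 admin access and changes logging.
REV_OLD = """\
config system interface
    edit "port1"
        set ip 192.168.1.1 255.255.255.0
        set allowaccess ping https ssh
    next
end
config firewall policy
    edit 1
        set logtraffic utm
    next
end
"""
REV_NEW = REV_OLD.replace("ping https ssh", "ping https ssh http").replace("logtraffic utm", "logtraffic all")

def parse_fortios(text):
    """Flatten config/edit/set/next/end blocks into {'table/entry/key': value}."""
    stack, out = [], {}
    for raw in text.splitlines():
        word, _, rest = raw.strip().partition(" ")
        if word == "config":
            stack.append(("config", rest))
        elif word == "edit":
            stack.append(("edit", rest.strip('"')))
        elif word == "next":
            stack.pop()
        elif word == "end":  # 'end' also closes an entry that was left open
            while stack and stack[-1][0] == "edit":
                stack.pop()
            stack.pop()
        elif word in ("set", "unset"):
            key, _, value = rest.partition(" ")
            out["/".join(n for _, n in stack) + "/" + key] = value if word == "set" else None
    return out
def diff_revisions(old_text, new_text):
    """Return (path, old value, new value) for every setting that differs between revisions."""
    old, new = parse_fortios(old_text), parse_fortios(new_text)
    return [(k, old.get(k), new.get(k)) for k in sorted(old.keys() | new.keys()) if old.get(k) != new.get(k)]
CLEARTEXT_ADMIN = {"http", "telnet"}  # review gate: flag a revision that opens these on an interface
def risky_access_changes(changes):
    """Flag allowaccess changes that add cleartext administrative protocols."""
    flagged = []
    for path, old, new in changes:
        if path.endswith("/allowaccess"):
            added = set((new or "").split()) - set((old or "").split())
            if added & CLEARTEXT_ADMIN:
                flagged.append((path, sorted(added & CLEARTEXT_ADMIN)))
    return flagged
```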

2. FortiAnalyzer – Event Management and Threat Score

FortiAnalyzer offers powerful tools for security event correlation and risk assessment across Fortinet devices.

2.1 Event Handlers

An event handler is a predefined or custom rule that matches specific log patterns or network behaviors.

  • Examples: "Excessive Failed Logins", "Malware Detected", "VPN Tunnel Down"

  • You can configure:

    • Trigger criteria (e.g., severity level)

    • Time window

    • Notification actions (e.g., email alert)

2.2 Threat Score

Threat scores are used to rank incidents by severity and risk, helping prioritize responses.

  • The score is calculated based on:

    • Threat type (e.g., malware, exploit)

    • Source/destination

    • Repetition/frequency

  • Displayed in:

    • Incidents & Events dashboard

    • Threat Map

    • Reports

Threat scores assist security teams in identifying critical events requiring immediate attention.

3. FortiManager’s Role in Security Fabric

In a Fortinet Security Fabric deployment, FortiManager acts as the centralized policy orchestrator, coordinating policy decisions and responses across multiple devices.

3.1 Receiving Fabric Events

FortiManager can receive security events generated within the Fabric, such as:

  • Compromised host detection from FortiAnalyzer

  • Fabric Connector updates (e.g., new IoT device appears)

These events can trigger automated policy changes or administrative alerts.

3.2 Enforcing Coordinated Responses

As part of a Fabric Automation workflow, FortiManager can:

  • Push updated security policies to FortiGate based on Fabric triggers

  • Initiate endpoint quarantine actions by integrating with FortiClient EMS or NAC solutions

  • Collaborate with FortiAnalyzer to log and visualize incident flows

3.3 Visualizing Fabric Topology

In FortiManager’s Fabric View, administrators can:

  • Monitor connected Fortinet devices (e.g., FortiSwitch, FortiAP, FortiClient)

  • View status and health metrics

  • Drill down into device-specific policies and logs

This enhances situational awareness and speeds up response in distributed networks.

Summary

Area                            Key Additions
FortiManager – Policy Locking   Prevents conflicts; enables revision tracking and version control
FortiAnalyzer – Event/Threat    Event handlers trigger actions; threat scores help prioritize response
Security Fabric – FMG Role      Receives Fabric alerts, coordinates responses, integrates via automation

Frequently Asked Questions

Why might a FortiGate device fail to appear in FortiManager for centralized management?

Answer:

The device may not be authorized, or connectivity and administrative settings may not allow FortiManager access.

Explanation:

When integrating FortiGate with FortiManager, the device must first establish communication with the management server. If the FortiGate is not configured with the correct FortiManager IP address or management settings, it will not register properly. Even if the device appears in the pending device list, it must be authorized before management can begin. Firewalls between the devices may also block the management communication ports required for FortiManager connectivity. Administrators should verify connectivity, confirm that the device is authorized, and ensure that management settings are correctly configured on both sides.

Demand Score: 85

Exam Relevance Score: 90

What is the purpose of Fortinet Security Fabric in enterprise networks?

Answer:

Security Fabric integrates multiple Fortinet devices to provide centralized visibility and coordinated threat response.

Explanation:

Security Fabric connects various Fortinet security products such as firewalls, switches, access points, and endpoint protection systems into a unified architecture. This integration allows devices to share threat intelligence, security events, and network information. For example, if malware is detected on one device, other Fabric components can automatically receive indicators of compromise and apply protective actions. Security Fabric also provides centralized monitoring and management through the FortiGate interface, making it easier for administrators to view network topology and security status. This coordinated approach improves visibility and strengthens overall security posture.

Demand Score: 78

Exam Relevance Score: 88

Why might a configuration push from FortiManager fail to apply on a managed FortiGate?

Answer:

The configuration may contain conflicts, unsupported settings, or policy inconsistencies.

Explanation:

When administrators push configuration changes from FortiManager to managed devices, the configuration must match the device capabilities and current settings. If the configuration references interfaces, objects, or policies that do not exist on the FortiGate, the installation may fail. Version mismatches between FortiManager and FortiGate can also cause compatibility problems. Another frequent issue is policy package conflicts or unresolved dependencies between objects. Administrators should review the installation logs in FortiManager to identify the exact cause of the failure and correct the configuration before retrying the installation.

Demand Score: 73

Exam Relevance Score: 87

How does centralized management improve security operations in large networks?

Answer:

Centralized management allows administrators to configure, monitor, and update multiple devices from a single platform.

Explanation:

In large enterprise environments, managing each firewall individually becomes inefficient and increases the risk of configuration inconsistencies. Centralized management platforms such as FortiManager enable administrators to control multiple FortiGate devices from a single interface. Policies, firmware updates, and configuration changes can be deployed simultaneously across many devices. This reduces administrative workload and ensures consistent security policies across the network. Centralized monitoring also improves incident response by providing visibility into events across the entire infrastructure.

Demand Score: 70

Exam Relevance Score: 85
