Administration and Management Flashcards
What to do if you forget admin password
execute migrate
Allows to load a backup of the config
Or format the flash and reload the image (from the BIOS config menu), which erases the system settings, including the administrative accounts
External Authentication of Administrators
Can use external servers: LDAP, RADIUS, TACACS+, and PKI
Must configure server entries for each authentication server in your network
Wildcard Admin
Allows you to authenticate users from one or more groups
Supports LDAP, RADIUS, TACACS+, and GROUP; a group supports multiple auth server types (configured in the CLI)
SAML Admin Authentication
SAML can be enabled across all Security Fabric devices
Allows smooth movement between devices for the admin (SSO)
FAZ can be the identity provider (IdP) or the service provider (SP)
There is also an option to use SSO with a FortiCloud account or its identity and access management (IAM) users. FAZ must be registered under that account
Wildcard admin for SAML
A wildcard SSO admin can be created that will match multiple users with an IdP. If the IdP uses a remote server, such as LDAP, this drastically reduces config requirements. If you don't enable the "Match all users on remote server" wildcard option, then you must create all those users in FAZ
Viewing Admin Event Logs
FAZ audits admin activity. System Settings > Event Logs will show event logs (config changes and logins), including administrator activity.
By default, only available to Super User access
Monitoring Tasks
The Task Monitor page allows you to view admin tasks, as well as the progress and status of those tasks.
By default, only available to Super User access
Monitor FortiGate Admin Logins
Under the System page on FAZ
The Failed Authentication Attempts page shows failed login attempts, and includes the source IP of the login, the login type, interface, protocol used, and number of failed attempts.
The admin logins page shows logins, failed logins, login duration, and configuration changes.
Admin Profiles
Super_User - All system and device privileges enabled
Standard_User - No system privileges, read-write access for devices
Restricted_User - No system privileges, read-only access for devices
ADOMs with FGT VDOMs
Normal: Cannot assign VDOMs from the same FGT to multiple FAZ ADOMs. Must assign the FGT and all of its VDOMs to a single ADOM
Advanced: Can assign VDOMs from the same FGT to multiple FAZ ADOMs. Can use FortiView, Event Management, and Reports functions to analyze data for individual VDOMs
Creating an ADOM
Create new ADOMs if the default ones do not fit requirements. Devices can be registered to their device-specific ADOMs only
Disk quota configured per ADOM
Cannot delete default ADOMs
Cannot delete a custom ADOM if a device is still assigned to it.
command to view ADOMs: # diagnose dvm adom list
ADOM type must match the device type you are planning to add. By default, the ADOM type is set to Fabric for the root ADOM or when creating a new ADOM
Security Fabric ADOM
Can contain all devices in a Security Fabric in the same ADOM
Allows for fast data processing and log correlation
Combines results to be presented in: Reports, FortiView, Incidents & Events, Device Manager, LogView
After a Fabric ADOM is created, it is listed under the Security Fabric section of All ADOMs
When allotted disk space is full:
An automatic alert is generated
Oldest logs are overwritten (Default behavior)
Can stop logging when full using the command:
config system locallog disk setting
set diskfull nolog
end
Disk Quota
Comprised of Analytics logs and Archive Logs
Default Ratio is 30%/70%
% for Reserved Disk Quota and % for allocated
5-20% reserved for system usage and unexpected quota overflow
Only 80-95% is available for allocation to devices
Command to see amount of reserved space on FAZ
diagnose log device
How Raid affects Reserved Disk Quota
It determines the disk size and reserved quota level.
Total Quota Value
Total System Storage - Reserved Space
Allocated Space
Archive Quota + Analytics Quota for all ADOMs
Disk Quota on License Information Widget
It shows values lower than the disk quota
Only reports on the number of logs pushed to FAZ on THAT DAY
Limited to stats gathered by fortilogd daemon
Disk Quota Enforcement Daemons
logfiled - Monitors and enforces log file size, SQL database size, and archive file size; sends commands to the other daemons to process. Checks every two minutes (unless system resources are high) and estimates the space used by the SQL database. If the disk quota is estimated to be above 95%, FAZ removes files as needed until usage is down to 85%
sqlplugind - Enforces the SQL database size
oftpd - Enforces the archive file size
Modify ADOM Disk Quota
diagnose log device
Allocating an insufficient quota can:
prevent you from reaching your log retention objective
cause unnecessary CPU usage enforcing the quota with log deletion and database trims
affect reporting if quota enforcement acts on analytical data before a report is complete
Increasing Disk Space
With FAZ VMs, you can dynamically add more disk space:
1. Power off the VM and add a new virtual disk
2. Start the VM and run execute lvm info to confirm the new disk was detected (it will be labeled as unused)
3. Run execute lvm extend (adds the space of the new disk to the lvm volume)
4. Reboot the VM, and then run the command get system status to see the new disk space available
With hardware FAZ, you must add one or more disks to the device (if using RAID, you must rebuild the RAID array)
System Config Backup contains…
Backups contain system information, the device list, and report information
Does NOT include logs and generated reports
Can only restore to same model and firmware version
If FAZ is a VM, can use VM snapshots