Central Management Flashcards
FortiManager Architecture
FMGR allows you to enable multiple virtual instances known as ADOMs.
When ADOMs are not enabled, you work in the default ADOM named ‘root’, which contains two databases: the Device Layer and the Policy Layer.
When ADOMs are enabled, each has unique functions, such as Scripts, Provisioning Templates, VPN Manager, AP Manager, FortiSwitch Manager, Extender Manager, Fabric View, and FortiAnalyzer capability. The FortiGuard database serves all ADOMs.
Mixing FortiGate versions in ADOMs is permitted, especially for migration purposes, but you should use matching firmware for ADOMs and FGT devices.
Global Database
It stores common objects and policies for use across multiple ADOMs, enabling the creation and management of global security policies, objects, and configurations that can be simultaneously applied to several ADOMs.
The Global ADOM and local ADOMs are compatible for the same version and one higher version.
Global objects and configs in FMGR are prefixed with g-; this prefix is reserved, so custom objects cannot be created with it.
Objects in the Device layer
Although it is possible to configure policies in the device layer, it is not recommended. It is best to restrict configuration here to device settings (Network, VPN, System, and Log & Report). See page 28 in the PDF.
Each FGT has its own device database, which is recorded in the revision history of each firewall.
Changes made here directly affect the FGT.
Objects in the Policy layer
This is where you configure all objects related to firewall policies.
Changes made here depend on the included policy package and are applied only after policy deployment and installation approval.
FMGR Operation: Retrieve
Captures the FGT’s current config and saves it as a new revision, without updating the policy package.
FMGR Operation: Auto-Retrieve
Initiated when a FGT is added to the device layer, capturing any changes made directly on the FGT into its revision history. Auto-retrieve doesn’t update the policy package; an import operation is required for that.
FMGR Operation: Install Device settings
Applies the device layer config to the FGT device, offering a preview before installation so you can review the changes.
FMGR Operation: Quick Install
Similar to Install Device settings, but without a preview. It applies the device layer config to the FGT immediately. Ideal for zero-touch provisioning (ZTP) or when you are confident about the changes.
FMGR Operation: Revert
Chooses an earlier revision from the history for potential import or installation on the FGT. To synchronize the device and policy layers afterward, an import is required.
FMGR Operation: Import
Moves policies from a selected revision in the history into the policy package, which can then be renamed or left with the default name. Care is needed to prevent conflicts, especially with objects sharing the same name in the policy layer.
FMGR Operation: Install policy package
Transfers the policy package from the policy layer to both the device layer and FGT, displaying a step-by-step wizard and installation preview with an option to cancel.
FMGR Operation: Reinstall Policy
Bypasses the wizard because the FGT and policy package are already selected. It offers an installation preview with an option to cancel. Also, reinstall applies not only the policy package settings but also any modifications made directly to the FGT in the device database.
Global Policy Package Installation
Automatically Install Policies to ADOM Devices: the Global ADOM directly installs assigned policy packages on three targets: the policy package in the policy layer, the device database, and the FGT. No additional steps are required; however, this bypasses the install preview.
Assign: starts from the FMGR Global ADOM and updates the policy layer, indicating a modified status. Next, you must install or reinstall the policies to apply them to the device layer and the FGT.
Provisioning Templates
Override the device database and supersede other device layer settings.
Normalized Interface via Policy Layer
Zones, VLANs, and SSIDs.
Set up in VPN Manager, AP Manager, and FortiSwitch Manager
Standardizing FortiGate Interfaces
Use the Normalized Interfaces feature. Available on both the Policy and Device layers.
Two methods:
-Per-platform mapping: applies uniform settings across similar device models.
-Per-device mapping: allows customized configurations for individual devices.
Case Sensitive!
Dynamic Mapping
Interface Mapping
Object Configurations
Metafield values
Metadata variable mapping
Example: a LAN firewall address can be set per-device (see page 37).
Per-Device Mapping Objects
Firewall Objects:
-Addresses
-Services & Service Group
-Virtual IPs & Virtual IP Group
-IPv4 Pool and IPv6 Pool
-Virtual Server & IPv6 Virtual Server
-ZTNA Server & IPv6 ZTNA Server
Security Profiles:
N/A
User & Authentication:
-User Groups
-LDAP Servers
-RADIUS Servers
-TACACS+
-SAML Server
Security Fabric:
-FortiNAC
-Fortinet SSO Agent
Advanced:
-Metadata Variables
-Dynamic Local Certificate
-Dynamic VPN Tunnel
Metadata Integration
The GUI indicates metadata variables with an icon of a magnifying glass containing the $ symbol.
Remote Script Key Points
Executing a script directly on a FortiGate allows automatic synchronization of the device database through auto-retrieve, provided the changes do not involve firewall policy configs. Changes to firewall policies require manual intervention to sync the policy layer.
Device Scripts Key Points
When scripts modify policy settings in the device database, these changes cannot be automatically imported into the policy layer.
Policy Scripts Key Points
Changes do not automatically update the device database and the FortiGate. You must install or reinstall the policy package to apply these changes.
Global Scripts Key Points
Scripts run in the global database require manual action to apply changes to global policies, either through assignment or automatic installation.
All scripts can be written in either CLI or TCL.
Configuring ZTP/LTP
Configure a model device for a FGT before you add it to FMGR. FMGR allows you to add FGT models using either a serial number or a pre-shared key. The FMGR admin configures the model device, and when the real FGT device connects, the auto-link process installs the settings and policies from the model device on it. Once auto-linking completes, the real device is configured, connected to FMGR, and replaces the model device for central management.
ZTP
Zero-touch provisioning: the FGT automatically connects to the WAN or the internet and links to FMGR without any preconfiguration.
LTP
Low-touch provisioning: some initial setup on the FGT is needed, such as network settings and the FMGR location, before it can discover and connect to FMGR.
Pre-Run CLI templates
A feature of ZTP and LTP.
Intended for specific, one-time tasks; they do not remain in the FGT device database after installation.
Create/Assign Template -> Quick Install -> Auto-detach template -> Connect to FMGR -> Install Config
CLI templates
Designed for repeated use; unlike pre-run CLI templates, they do not automatically unassign after the initial setup. Overwrites the device database.
Create/Assign Template -> Install device settings (only) or Quick install (device DB)
Metadata variables are available, with CLI/Jinja compatibility.