Enterprise FW 05-Central Management
Central Management
FortiOS 7.2
© Copyright Fortinet Inc. All rights reserved. Last Modified: January 23, 2024
Objectives
• Examine FortiManager key features
• Explore FortiManager architecture
• Explore Device Manager wizards
• Learn about scripts
• Identify the APIs supported by FortiManager
• Understand the meta fields available on FortiManager
What Is FortiManager?
• Single-pane-of-glass management
• Minimizes both initial costs and ongoing operating expenses for large deployments
• Helps maintain regulatory compliance
• Reduces WAN usage with local FortiGuard cache server
• Provides centralized device management for many Fortinet devices
• Automates mass device provisioning and maintains policies
• Local distribution and control point for firmware and policy updates
• Complex mesh and star IPsec VPN
• Provides logging and reporting
[Diagram: FortiManager distributes policies to FortiGate devices at the Headquarters, Data Center, and Branch Office sites]
Inside FortiManager
[Diagram: FortiManager architecture]
• External interfaces: LDAP / RADIUS / TACACS+ server; FortiGuard Subscription Services (FortiGuard communication protocol); Fortinet Security Devices (JSON / XML APIs, JSON APIs, logging protocol, FortiGate-FortiManager communication protocol)
• Management Module
• ADOM Layer: ADOM 1 and ADOM 2, each holding Objects and Policy Folders
• Device Manager Layer: Device A, Device B, Device C, Device D, each with its own per-device Configuration Revision
• Device-level changes are imported into the ADOM layer; configuration is installed on the managed device
Scripts
• Can make many changes to multiple managed devices
• Can be used to provision FortiGate devices
• Can be used to automate configuration changes
• TCL scripts do not run through the FGFM tunnel like CLI scripts
• TCL scripts use SSH and require SSH authentication to work
Callouts on the TCL script example:
• Saves the output in the script history log
• Runs a program on FortiGate; the program to run is a CLI command
• A new line ends the command
• Wait up to 10 seconds for the command prompt to display "# " before running the command. If the "# " is not displayed after 10 seconds, do not run the command and return an error
#!
set newhostname "NGFW"
FortiManager—API
• An API is a set of rules that allow programs to talk to each other
• The FortiManager API is based on the JSON RPC standard
• Allows MSSPs and large enterprises to create FortiManager self-service web portals
• Using FortiPortal or any other third-party applications
• A RESTful API uses standard HTTP methods (GET, POST, DELETE) to provide interactions between a client and a server
• The following operations are supported by a RESTful API:
[Diagram: the client sends an HTTP request; the server returns a response in XML or JSON format; a JSON example and an XML example are shown]
API—Example (Contd)
• Add the policy package in the ADOM
• The name and type parameters are mandatory to create the policy package
Request (POST to https://<ip address>:<port>/jsonrpc):
{
  "method": "add",
  "params": [
    {
      "data": [
        {
          "name": "Training",
          "type": "pkg"
        }
      ],
      "url": "/pm/pkg/adom/Core"
    }
  ],
  "session": "string",
  "id": 1
}
Response:
{
  "id": 1,
  "result": [
    {
      "status": {
        "code": 0,
        "message": "OK"
      },
      "url": "\/pm\/pkg\/adom\/Core"
    }
  ]
}
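The request/response pair above as a small client-side helper. This is an added example written for this page, not Fortinet's code: it builds the JSON-RPC "add" body for a policy package, refuses to send one that lacks the mandatory name or type, and checks the response's id and status code before trusting it. FMG_HOST and the session value are placeholders, and both sample responses are constructed to match the slide's shape.

```python
"""Build and check FortiManager JSON-RPC "add" calls for a policy package.

Added example; it is not Fortinet's code. It follows the request and
response shapes on the slide. FMG_HOST and the session value are
placeholders; the sample responses are constructed.
"""
import json
import ssl
import urllib.request

FMG_HOST = "fmg.example.invalid:443"   # placeholder for <ip address>:<port>
JSONRPC_PATH = "/jsonrpc"


def build_add_policy_package(adom, name, session, req_id=1, pkg_type="pkg"):
    """Return the JSON-RPC body that adds policy package `name` to ADOM `adom`.

    `name` and `type` are mandatory for a policy package, so an incomplete
    request is refused locally instead of being sent and rejected.
    """
    if not name:
        raise ValueError("policy package 'name' is mandatory")
    if not pkg_type:
        raise ValueError("policy package 'type' is mandatory")
    return {
        "method": "add",
        "params": [
            {
                "data": [{"name": name, "type": pkg_type}],
                "url": f"/pm/pkg/adom/{adom}",
            }
        ],
        "session": session,   # token obtained at login; never hard-code it
        "id": req_id,
    }


def parse_add_result(response_text, expected_id):
    """Check a JSON-RPC response and return the URL(s) of the created object(s).

    Success is status code 0 with message "OK"; any other code, or a
    response id that does not match the request id, raises.
    """
    body = json.loads(response_text)
    if body.get("id") != expected_id:
        raise RuntimeError(f"response id {body.get('id')!r} does not match request id {expected_id!r}")
    urls = []
    for item in body["result"]:
        status = item["status"]
        if status["code"] != 0:
            raise RuntimeError(f"FortiManager returned {status['code']}: {status['message']}")
        urls.append(item["url"])   # json.loads already unescapes "\/" to "/"
    return urls


def send(body):
    """POST a JSON-RPC body to FortiManager over HTTPS with certificate validation.

    Not called in the offline demo below.
    """
    req = urllib.request.Request(
        f"https://{FMG_HOST}{JSONRPC_PATH}",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        return resp.read().decode()


# Constructed sample responses in the shape shown on the slide.
SAMPLE_OK_RESPONSE = r'''{
  "id": 1,
  "result": [
    {"status": {"code": 0, "message": "OK"}, "url": "\/pm\/pkg\/adom\/Core"}
  ]
}'''

SAMPLE_ERROR_RESPONSE = r'''{
  "id": 1,
  "result": [
    {"status": {"code": -1, "message": "constructed error"}, "url": "\/pm\/pkg\/adom\/Core"}
  ]
}'''


if __name__ == "__main__":
    request = build_add_policy_package("Core", "Training", "string")
    print(json.dumps(request, indent=2))
    print("created:", parse_add_result(SAMPLE_OK_RESPONSE, 1))
```

The send() helper keeps TLS certificate validation on by default; a portal that talks to FortiManager should pin or trust the appliance certificate rather than disable verification, and should keep the session token out of source and logs.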
FortiManager—Meta Fields
• Meta Fields
• Allow an administrator to add extra information when they configure, add, or maintain FortiGate devices
• Can be required or optional
• A meta variable is automatically created
• Instead of creating multiple unique objects with the same logical name but different values for each site, an administrator can use meta fields, with fewer objects created in the FortiManager database, to add objects
[Screenshots: System Settings > Advanced > Meta Fields showing system-level meta fields; ADOM-level metadata variables; device mapping to add a value/hostname (a second device mapping to add a value/host name); the metadata variable used in firewall objects; the device hostname changed after installation]
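The shared-object idea above, as an added example that is not Fortinet's code: one firewall object carries a metadata variable reference instead of one object per site, and a per-device mapping supplies the value at install time. The $(name) reference syntax, the meta field definitions, the device names and the values are all constructed here; the pre-install check shows the failure mode a required meta field creates when a device has no mapping for it.

```python
"""Resolve per-device metadata variables in shared firewall objects.

Added example, not Fortinet code. It assumes a $(name) reference syntax
for metadata variables and a per-device mapping table; every meta field,
device, object and value below is constructed.
"""
import re

VAR_RE = re.compile(r"\$\(([A-Za-z0-9_]+)\)")

# Constructed meta field definitions: name -> (required, default value)
META_FIELDS = {
    "site_lan": (True, None),        # required: no default
    "site_tag": (False, "default"),  # optional: falls back to the default
}

# Constructed per-device mapping (meta field -> value for that device)
DEVICE_MAPPING = {
    "FGT-HQ": {"site_lan": "10.1.0.0/24", "site_tag": "hq"},
    "FGT-Branch": {"site_lan": "10.2.0.0/24"},
    "FGT-NewSite": {},   # registered but not yet mapped
}

# One shared object in the database instead of one "Local_LAN" per site
SHARED_OBJECTS = {
    "Local_LAN": {
        "type": "subnet",
        "subnet": "$(site_lan)",
        "comment": "site $(site_tag)",
    },
}


def resolve_value(template, device):
    """Replace every $(name) in `template` with the device's mapped value.

    Required fields with no mapping raise; optional ones use their default.
    """
    mapping = DEVICE_MAPPING.get(device, {})

    def repl(match):
        name = match.group(1)
        if name not in META_FIELDS:
            raise KeyError(f"unknown meta field {name!r} in {template!r}")
        required, default = META_FIELDS[name]
        if name in mapping:
            return mapping[name]
        if required:
            raise ValueError(f"device {device!r} has no mapping for required meta field {name!r}")
        return default

    return VAR_RE.sub(repl, template)


def render_objects(device):
    """Return the shared objects with variables resolved for one device."""
    return {
        obj_name: {k: resolve_value(v, device) if isinstance(v, str) else v
                   for k, v in fields.items()}
        for obj_name, fields in SHARED_OBJECTS.items()
    }


def missing_required(device):
    """Pre-install check: names of required meta fields the device lacks."""
    mapping = DEVICE_MAPPING.get(device, {})
    return [name for name, (required, _) in META_FIELDS.items()
            if required and name not in mapping]


if __name__ == "__main__":
    for dev in DEVICE_MAPPING:
        gap = missing_required(dev)
        if gap:
            print(f"{dev}: cannot install, missing {gap}")
        else:
            print(f"{dev}: {render_objects(dev)}")
```

Running missing_required() for every target before an install is the cheap way to surface an unmapped required field early, rather than discovering it as a failed install on one device in a large batch.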
Lab 5—Central Management
• For each FortiGate:
• Configure the FortiManager IP address
• Register FortiGate on FortiManager
• Import the policy package