00 BAE FortiManager 7.6 Q3 25 - V1.5 - With Challenge

The document outlines a hands-on lab for FortiManager 7.6, scheduled for September 2025 in Buenos Aires, Argentina, detailing various tasks and configurations related to device management and administration. It includes sections on connecting to the lab environment, initial configuration, device registration, policy management, and troubleshooting. The document serves as a comprehensive guide for users to learn and practice using FortiManager features effectively.


I❤FMG 7.6
Hands on Lab

September 2025
Buenos Aires, Argentina

Content
DOCUMENT HISTORY ............................................................................................................................................................ 5
00 – CONNECT TO THE ENVIRONMENT (10 MIN) .................................................................................................................. 6
LAB TOPOLOGY ................................................................................................................................................................................... 6
GETTING STARTED IN THE FNDN LAB ENVIRONMENT ................................................................................................................................. 7
01 INTRODUCTION AND INITIAL CONFIGURATION (30 MIN) ............................................................................................... 10
EXAMINE THE INITIAL CONFIGURATION ................................................................................................................................................... 10
ADJUST DATE AND TIME ..................................................................................................................................................................... 11
CONFIGURE ADOMS ......................................................................................................................................................................... 12
Advanced Mode ADOM ............................................................................................................................................................ 14
Quick Challenge: ....................................................................................................................................................................... 14
FORTIMANAGER AND FORTIANALYZER .................................................................................................................................................. 15
02 ADMINISTRATION AND MANAGEMENT (30 MIN) .......................................................................................................... 17
CREATING ADMINISTRATORS................................................................................................................................................................ 17
WORKSPACE MODE ........................................................................................................................................................................... 18
WORKFLOW MODE ........................................................................................................................................................................... 23
BACKUP AND RESTORE ....................................................................................................................................................................... 28
03 DEVICE REGISTRATION (60 MIN) .................................................................................................................................... 30
REQUEST FROM DEVICE ...................................................................................................................................................................... 30
ADD DEVICE WIZARD ......................................................................................................................................................................... 34
ADD MODEL DEVICE .......................................................................................................................................................................... 37
DEVICE BLUEPRINT ............................................................................................................................................................................ 45
IMPORT MODEL DEVICES FROM A CSV FILE ............................................................................................................................................ 52
DEVICE IN BACKUP MODE ADOM........................................................................................................................................................ 55
OPTIONAL – TABLE/MAP/RING VIEW ................................................................................................................................................... 62
04 DEVICE LEVEL CONFIGURATION AND INSTALLATION (90 MIN) ....................................................................................... 65
MORE ON AUTO-UPDATE AND AUTO-RETRIEVE ....................................................................................................................................... 65
Auto-Update in Backup ADOM ................................................................................................................................................. 65
Auto-Update in Normal ADOM ................................................................................................................................................ 67
Disable Auto-Update ................................................................................................................................................................ 69
MODIFIED ........................................................................................................................................................................................ 71
OUT OF SYNC.................................................................................................................................................................................... 74
CONFLICT ......................................................................................................................................................................................... 74
Challenge - Conflict................................................................................................................................................................... 75
INSTALLING SYSTEM TEMPLATE CHANGES ON MANAGED DEVICES .............................................................................................................. 76
CONFIGURING DEVICE LEVEL CHANGES .................................................................................................................................................. 81
DEVICE MANAGER SCRIPTS.................................................................................................................................................................. 85
CHALLENGE – SD-WAN TEMPLATE ...................................................................................................................................................... 92
SD-WAN Monitor ...................................................................................................................................................................... 92
Common Template with disparate sites ................................................................................................................................... 93
05 POLICIES AND OBJECTS (90 MIN).................................................................................................................................... 95
POLICY PACKAGES.............................................................................................................................................................................. 95

More on CLI configurations .................................................................................................................................................... 104
Common Policy Packages ....................................................................................................................................................... 108
Challenge - Common Policy .................................................................................................................................................... 111
POLICY PACKAGE SCRIPTS.................................................................................................................................................................. 112
OBJECTS AND DYNAMIC OBJECTS........................................................................................................................................................ 116
Solving Conflicts ..................................................................................................................................................................... 123
POLICY BLOCK................................................................................................................................................................................. 127
USING METADATA VARIABLES............................................................................................................................................................ 130
ADOM REVISIONS .......................................................................................................................................................................... 135
SD-WAN MANAGEMENT (30 MIN) .................................................................................................................................... 136
06 GLOBAL DATABASE ADOM AND CENTRAL MANAGEMENT (30 MIN) ............................................................................ 141
GLOBAL OBJECTS ............................................................................................................................................................................. 141
HEADER AND FOOTER POLICIES .......................................................................................................................................................... 141
CENTRAL MANAGEMENT .................................................................................................................................................................. 146
Fabric View - Topology ........................................................................................................................................................... 146
Fabric View – Security Rating ................................................................................................................................................. 150
07 DIAGNOSTICS AND TROUBLESHOOTING (30 MIN) ....................................................................................................... 151
BREAK THE FGFM PROTOCOL COMMUNICATION ..................................................................................................................................... 151
Rollback-allow-reboot ............................................................................................................................................................ 154
08 ADDITIONAL CONFIGURATIONS (20 MIN) .................................................................................................................... 155
UPGRADE FORTIGATE FIRMWARE USING FORTIMANAGER ...................................................................................................................... 155
09 SD-WAN CHALLENGE (90 MIN) ..................................................................................................................................... 157
NETWORK TOPOLOGY ...................................................................................................................................................................... 157
OBJECTIVE...................................................................................................................................................................................... 157
WINNING CONDITIONS ..................................................................................................................................................................... 157
SUMMARY: .................................................................................................................................................................................... 158
HINTS............................................................................................................................................................................................ 159
Overlay Template Hint 1: ....................................................................................................................................................... 159
Overlay Template Hint 2: ....................................................................................................................................................... 160
Policy Hint 3:........................................................................................................................................................................... 160
Policy Hint 4:........................................................................................................................................................................... 161
Check the VPN Monitor .......................................................................................................................................................... 161
Routing Hint 5: ....................................................................................................................................................................... 162
SD-WAN Strategy Hint 6: ........................................................................................................................................................ 162
APPENDIX ......................................................................................................................................................................... 163
CONFIGURATION SCRIPTS .................................................................................................................................................................. 163
Site1-1 .................................................................................................................................................................................... 163
Site1-2 .................................................................................................................................................................................... 163
Site1-H1 .................................................................................................................................................................................. 164
Site1-H2 .................................................................................................................................................................................. 165
Site2-1 .................................................................................................................................................................................... 165
Site2-H1 .................................................................................................................................................................................. 166
FORTIMANAGER GUIDES .................................................................................................................................................................. 166
JINJA DOCUMENTATION WIKI ............................................................................................................................................................ 166
Jinja Orchestrator ................................................................................................................................................................... 167

Document History

Date Version Changes Changed by


June 25, 2025 1.0 Document creation Mariano Tomaz
August 12, 2025 1.2 Document update Mariano Tomaz
August 20, 2025 1.3 Document update Hernán Müller
August 29, 2025 1.5 Document update Mariano Tomaz

NOTE: This document is inspired by the FortiManager 7.6 official admin guides and trainings.

00 – Connect to the environment (10 min)

LAB Topology

The topology diagram includes the following main components:


• FortiManager 7.6.3 build3492 (Feature)
• 6x FortiGate VM, FortiOS version 7.6.3 build3510 (GA)

Getting Started in the FNDN Lab Environment
The lab leader will provide you with a passphrase for the individual lab environments. The same
passphrase is used for everyone, but FortiDemo will provide access only to your personal lab
environment.

➔ Using a Web Browser, access the CSE Lab at: https://fndn.fortinet.net/cse


➔ Fill in the information requested including the passphrase provided by your instructor, then respond
to the reCAPTCHA prompts and click Sign In.

Note: After signing in, you will see the details of your lab. Keep this page open in a browser tab as an
easy reference to your Training Instance and to the administrative login IDs and passwords for the
different infrastructure components in your lab.

Note: This lab uses self-signed certificates from the lab certificate authority. Expect to see certificate
warnings when connecting.

➔ Test the connectivity to FortiManager by clicking the HTTPs button in the main instance page

➔ And login to FortiManager

➔ Select the root ADOM

➔ Verify that the FortiManager Firmware version is 7.6.3

➔ Check the Device Manager → Device & Groups menu. You should see the unauthorized devices. Don't
change anything yet.

Important Note: if you don't see all the devices, don't worry; check the Training Instance tab in your
browser and login (GUI) to the missing device to confirm that the VM is working.
• If the device is UP and running, ignore it in FortiManager for now. You will add all devices in the
following sections.
• If the missing device is NOT UP and running, talk to the proctor.

01 Introduction and Initial Configuration (30 min)

Examine the initial configuration


In this section we will inspect the FortiManager configuration, configure two ADOMs and see how to
enable or disable FortiAnalyzer features in FortiManager.

➔ Login to FortiManager and open the CLI window

➔ Check the output of the following commands


o get system status
o show system interface
o show system dns
o get system ntp
o show system ntp
o show system route

➔ Try to answer the following questions


o What's the uptime?
o Which admin access protocols are configured in each port?
o Is NTP enabled?

➔ Test Internet connectivity

➔ Now check the same information using the GUI, go to:


o Dashboard → System Information
o Dashboard → License Information
o System Settings → Network

Adjust Date and Time
Adjust FortiManager date and time
➔ Go to Dashboard → System Information widget and edit the System Time

➔ Select the right Time Zone and NTP parameters → click OK

➔ Refresh the FortiManager GUI and check the results.

Configure ADOMS
ADOMs group devices for administrators to monitor and manage. The purpose of ADOMs is to divide
the administration of devices and control (restrict) access.

➔ ADOM functionality is already enabled in this lab.


o You can verify in Dashboard → System Information
o Or by navigating to System Settings → ADOMs and see the ADOMs that FortiManager
currently supports and the type of device you can register to each ADOM

o You can view the same information from the CLI using the following command:
▪ diagnose dvm adom list

➔ In the System Settings → ADOMs menu, click +Create New button to add a new ADOM

➔ Explore the options and create a new ADOM with the following characteristics:
o Name: BAE_FMG
o FortiGate 7.6
o Normal Mode
o Disable FortiAP and FortiSwitch management
➔ Check the rest of the options for Data Policy, Disk Utilization quota, Time Zone and DNS.
o This is a LAB environment; you don't really need to keep a quota for the ADOM.
o Where is the advanced ADOM mode setting?

➔ Click OK to create the ADOM

➔ Switch to the new ADOM by clicking the ADOM button

➔ Select the new ADOM and you will be placed automatically in the new ADOM: BAE_FMG

➔ Now browse to Device Manager → Device & Groups and confirm the ADOM is empty

Advanced Mode ADOM


In Normal mode, you cannot assign FortiGate VDOMs to different ADOMs. The FortiGate unit can only
be added to a single ADOM. In Advanced mode, you can assign a VDOM from a single device to a
different ADOM. This allows you to analyze data for individual VDOMs, but will result in more
complicated management scenarios. It is recommended only for advanced users.

➔ ADOM Advanced mode setting is in System Settings → Advanced → Misc Settings page
o Do not enable it; we will not use Advanced mode in this lab.

Quick Challenge:
➔ Create a new ADOM in Backup Mode. You will use it later.

FortiManager and FortiAnalyzer

➔ Did you notice that you already have FortiView, Log View, Incidents and Reports in FortiManager
menu?

➔ Browse to Dashboard and check the bottom of the System Information widget
o Notice FortiAnalyzer features are enabled on FortiManager

You can use FortiManager as a logging and reporting device by manually enabling FortiAnalyzer
features on FortiManager

➔ OPTIONAL: If you want, you can Click on the slider and disable FortiAnalyzer features in
FortiManager.
o We won't use any FAZ feature in the lab.
o This will restart FortiManager.

➔ After FortiManager restarts, check the System Information again to verify that the FortiAnalyzer
features have been disabled.

02 Administration and Management (30 min)

Creating Administrators
You will create an administrator with restricted access permissions. We will use it later in the
Workspace and Workflow labs.

➔ Login to FortiManager and jump to BAE_FMG ADOM → System Settings → Administrators →


Admin Profiles

➔ Edit the Standard_User profile to check the privileges; don't make any changes.


o If you want, you can create a new profile.
o What's the difference between the Standard User and the Super User profiles?

➔ Then go to System Settings → Administrators → +Create New → Administrator

➔ Create a new user administrator with the following characteristics:

o Use any username and password you like
o Admin type Local
o Only allow it to access the new ADOMs created in the previous section
o Select the Standard_User profile

That's it! We will test this new admin in the following exercises.

Workspace Mode
Workspace mode disables concurrent read/write access to the ADOM.

➔ Login to FortiManager with admin privileges, then go to System Settings → Advanced →


Workspace
o Enable Workspace (ALL ADOMs)
o Enable Per-Policy Lock

This enables Workspace mode in all ADOMs.

➔ Click Apply and OK
o You will be logged out

➔ Login using the new user administrator.

➔ Enter the new ADOM: BAE_FMG (notice the padlock icon)

➔ Go to Device Manager → Device and Groups and check the upper menu to see if you can Add
Devices or create Device Groups or even run the Install Wizard.

➔ As you can see, everything is disabled.

➔ Lock the ADOM by clicking the padlock icon next to the ADOM name

➔ This will lock the ADOM

➔ Now, check the menu again to see if you can add devices or groups.
o The menus are enabled now

➔ Also, leave the current FortiManager session open and then:


o Open a new browser window in incognito and login with the admin user administrator (you
can copy the IP:port from the current session and paste into the incognito window)
o Select the ADOM: BAE_FMG (notice the padlock icon)

➔ Check the status of the ADOM

➔ Try to add a new Device from Device Manager → Devices and Groups
o What happens?

➔ Then browse to Dashboard → System Information → click the Icon next to Current
Administrators to check the Admin Session List

Remember: an ADOM with Workspace mode enabled will be read-only until you lock it.

➔ Log out from all FMG sessions

Now we will try per-ADOM Workspace mode.


➔ Login to FortiManager with admin privileges, then go to System Settings → Advanced →
Workspace
o Enable Workspace (Per-ADOM)
o Enable Per-Policy Lock

Enabling Workspace per-ADOM allows you to select which ADOMs have Workspace mode enabled.

➔ Click Apply

➔ Next, browse System Settings → ADOMs and edit the new ADOM: BAE_FMG to enable
Workspace in that ADOM

➔ Click OK

➔ Login again with the second administrator user.


o Notice that you can only lock the BAE_FMG ADOM with Workspace mode
o You cannot lock the rest.

➔ Lock the ADOM and test the locking like the previous exercise using both admins

Remember: In Workspace mode you can lock a device, a policy package, an individual policy, an
object or a Policy Block. You can test this in the next sections after we add devices and policies.
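The lock, edit, commit and unlock sequence that Workspace mode enforces, shown through the FortiManager JSON-RPC API as an added example (not part of the lab document). The host, the operator credentials and the LAB_NET address object are assumed lab values; the API URLs are the documented ones for login, workspace lock/commit/unlock and firewall address objects, but check them against your FortiManager version.

```python
"""
Workspace-mode change through the FortiManager JSON-RPC API (added example).

Mirrors the GUI exercise: in Workspace mode the ADOM is read-only until the
session locks it, the change is then saved (committed) and the lock released
so other administrators can work. Host, credentials and the address object
are assumed lab values.
"""
import json
import ssl
import urllib.request

FMG_HOST = "192.168.0.15"   # assumed: FortiManager IP used in the lab
ADOM = "BAE_FMG"            # the ADOM created in section 01


def rpc(method, url, data=None, session=None, req_id=1):
    """Build one JSON-RPC request body in the shape FortiManager expects."""
    param = {"url": url}
    if data is not None:
        param["data"] = data
    body = {"id": req_id, "method": method, "params": [param]}
    if session is not None:
        body["session"] = session
    return body


def workspace_change_sequence(session, adom, address):
    """
    Ordered requests for a Workspace-mode edit: lock -> add -> commit -> unlock.
    Sent without the lock, the 'add' is rejected because the ADOM is read-only
    for this session, which is what the lab shows in the GUI.
    """
    return [
        rpc("exec", f"/dvmdb/adom/{adom}/workspace/lock", session=session, req_id=1),
        rpc("add", f"/pm/config/adom/{adom}/obj/firewall/address",
            data=address, session=session, req_id=2),
        rpc("exec", f"/dvmdb/adom/{adom}/workspace/commit", session=session, req_id=3),
        rpc("exec", f"/dvmdb/adom/{adom}/workspace/unlock", session=session, req_id=4),
    ]


def rpc_ok(response):
    """True when the first result carries status code 0 (FortiManager success)."""
    results = response.get("result", [])
    return bool(results) and results[0].get("status", {}).get("code") == 0


def send(body, opener):
    """POST one request body to the JSON-RPC endpoint and return the parsed reply."""
    req = urllib.request.Request(
        f"https://{FMG_HOST}/jsonrpc",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
    )
    with opener.open(req, timeout=30) as resp:
        return json.loads(resp.read())


def main():
    # The lab uses self-signed certificates; skipping verification is only acceptable there.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    opener = urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))

    login = send(rpc("exec", "/sys/login/user",
                     data={"user": "operator", "passwd": "CHANGE-ME"}), opener)
    if not rpc_ok(login):
        raise SystemExit(f"login failed: {login}")
    session = login["session"]

    address = {"name": "LAB_NET", "type": "ipmask",
               "subnet": ["10.10.10.0", "255.255.255.0"]}   # constructed sample object
    try:
        for body in workspace_change_sequence(session, ADOM, address):
            resp = send(body, opener)
            print(body["params"][0]["url"], "->", resp["result"][0]["status"])
            if not rpc_ok(resp):
                # Never leave the ADOM locked for everyone else; release it and stop.
                send(rpc("exec", f"/dvmdb/adom/{ADOM}/workspace/unlock",
                         session=session), opener)
                break
    finally:
        send(rpc("exec", "/sys/logout", session=session), opener)


if __name__ == "__main__":
    main()
```

Run it once with the operator account while the admin session from the exercise holds the lock, and the first request fails exactly as the GUI does.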

Workflow Mode
Workflow mode is used to control the creation, configuration, and installation of policies and objects. It
helps to ensure all changes are reviewed and approved before they are applied.
When workflow mode is enabled, the ADOM must be locked, and a session must be started before
policy or object changes can be made in an ADOM. Workflow approvals must be configured for an
ADOM before any sessions can be started in it.

➔ Login into FortiManager with admin


o browse to System Settings → Advanced → Workspace → click Workflow (ALL ADOMs)

➔ In the Workflow Approvals section, click +Create New


o Configure the New Approval Matrix for the ADOM: BAE_FMG
o Only select the ADOM and the Approval Group. No need for email notifications now.

➔ Click OK and Apply

➔ Login to FMG using the second administrator/operator


o Navigate to Policy and Objects → Firewall Objects

➔ Lock the ADOM to enable configurations.


o The Session List window will pop up

➔ Note: If the Session List is not shown, you can also go to Sessions → Session List

➔ And click Create New Session

➔ Complete the Session Name and comments and click OK


➔ Now make some changes
o For example, you can create a new Address Object

➔ When you are done, save the changes using the Save button
o You can save and continue as many times as you need

➔ Once you are done, click Sessions → View Diff

➔ Check the Revision Diffs and click Close

➔ Then click Sessions → Submit


o And click OK

➔ The changes need approval before installing, login as admin, lock the ADOM and check the
Sessions
o You can Approve, Reject, Repair, Discard or Revert the session

➔ Select the session and View Diff.
o Check the Details and CLI Diff

➔ Finally, Approve the Session.

➔ You can now see the changes in the FW Objects configuration

➔ Don't forget to disable Workflow Mode

Backup and Restore

➔ Login to FMG and go to Dashboard → System Information → Click the backup icon in the
System Configuration section

➔ In the Backup Now section, type a password and click OK

➔ Select the local folder to store the backup and wait for the download to complete

➔ Make a change to the FortiManager: remove an ADOM or the new user.

➔ Then go back to Dashboard → System Information → Click the Restore icon in the System
Configuration section
o Complete the File location and password and restore the System

➔ Verify the changes are restored.

➔ If you selected to Restore in Offline mode, jump to System Settings → Advanced → Misc
Settings and disable Offline Mode

Remember: Backups contain everything except logs, FortiGuard Cache and firmware saved on
FortiManager.

03 Device Registration (60 min)

In this section we are going to try the different Device Registration options: initiated from the device,
initiated from FortiManager, and their alternatives.

Request from Device


To initiate a registration request from FortiGate you must configure the central management settings
with the FortiManager IP address. In this exercise we are going to add site1-1 to FMG in the new
ADOM: BAE_FMG

➔ Switch to the root ADOM and browse to Device Manager → Device & Groups → Unauthorized
Devices
o You should see a list of 6 devices with their serial numbers and IP Address like the following
capture (in your environment the serial numbers will be different)

Think: Do you know why and how these devices are being shown in FMG?
Answer: These devices are already preconfigured with the FortiManager IP address and they started a
request process. However, this request is not completed.

We are going to properly register site1-1 using this method.

➔ Open the main instance tab in your browser and connect to site1-1

➔ Login to site1-1 and open the CLI >_


o type the following commands:

get system central-management
show system central-management

➔ You should see something like this

This means that the Central Management Settings have been pre-configured with the IP address of the
FortiManager.

All you must do next is authorize the device in FortiManager. But before you authorize site1-1 in FMG, it
is important to accept the FortiManager serial number from the FortiGate side.

➔ Still in site1-1 FortiGate, go to Security Fabric → Fabric Connectors

➔ Click the Central Management card and Edit

➔ A pop-up should appear to Accept the FortiManager Serial Number

➔ Click OK in the confirmation pop-up

➔ Close the slide-in window (we will authorize from FortiManager)

➔ You will be logged out from FortiGate.

➔ Next, Go back to FortiManager → root ADOM → Device Manager → Devices and Groups →
Unauthorized Devices
o Select site1-1 and click the Authorize button

➔ Select the ADOM BAE_FMG the FortiGate belongs to and click OK.
o Do not assign any Policy Package or Template.

➔ Wait for the Device Authorization to complete and click Close

➔ Switch to the ADOM BAE_FMG and check the device status.


o Check the Config Status, it should be Synchronized

➔ Login again to site1-1 FortiGate, you will notice the following message:

➔ Login in Read-Only mode. You should always enter the devices in Read-Only mode when using
FMG.

Congrats! You have added your first Device in FortiManager! In the following exercises we will explore
different ways to add devices.

Add Device Wizard


To initiate a registration request from FortiManager you can use the Add Device Wizard. The Wizard
adds devices to central management and imports their configurations. In this exercise we are going to
add site1-2 to FMG in the ADOM BAE_FMG.

➔ First, login to the site1-2 FortiGate from the main instance page

➔ Open the CLI and remove the Central-Management configuration.


site1-2 # show system central-management
config system central-management
set type none
end

site1-2 #

➔ Or use the GUI → Security Fabric → Fabric Connectors → Central Management → Disabled

➔ Check site1-2 FortiGate management interface configuration (port10)
o Notice the IP address and Admin Access. FMG-Access should be enabled (it is the GUI name for fgfm in set allowaccess; FortiManager-initiated discovery needs it on the interface it connects to).

➔ Now, login into FortiManager and enter the ADOM BAE_FMG → Device Manager → Device and
Groups
o Click Add Device in the upper menu and select Discover Device

➔ Enter the IP address from site1-2 and enable Legacy Login.
o Use the credentials admin/Fortinet

➔ Click Next and wait for the device to be discovered and examine the information
o Do not change anything or assign any template
o Click Next

➔ Wait until the process is completed and click Import Later

➔ The new device will be shown in the Managed FortiGate section
o And the Config Status should also be Synchronized

Add Model Device


Model Device allows you to add devices that are not yet online, for zero-touch provisioning (ZTP). In
this exercise we are going to add site1-H1 to FMG in the ADOM BAE_FMG.

➔ Login to Site1-H1 and check the Central-Management configuration


site1-H1 # show system central-management
config system central-management
set type fortimanager
set fmg "192.168.0.15"
end

➔ Open port10 configuration and write down the IP address. Also, check FMG-Access is enabled.

➔ Also, take note of the serial number, you are going to need it soon.

site1-H1 # get system status | grep Serial


Serial-Number: FGVM02TM25007892

site1-H1 #

➔ IMPORTANT: backup site1-H1 configuration.


o Go to Admin → Configuration → Backup and save a copy of the configuration to the local
PC.
o Also, go to Admin → Configuration → Revisions and save a local Revision change.

➔ Shutdown site1-H1

➔ Go to FortiManager and switch to the root ADOM.
o Make sure site1-H1 is not in the Unauthorized Devices list. Delete it if necessary.

➔ Go back to the BAE_FMG ADOM and browse to → Device Manager → Device and Groups
o Click → Add Device → Add Model Device

➔ Complete the Model Device Name and Serial Number


o Select the right Device Model and port provision
o Disable Automatically Link to Real Device

➔ Click Next and wait for the Wizard to complete.
o Then click Finish.

➔ You will have a new Model Device in the list of Managed FortiGate window, like the following
screenshot (your serial number will be different)
o Notice the differences between the Model Device and the previously added Devices

Model devices are used to store configuration for a device that is not yet online and not yet connected
to the network.

➔ Right-click on site1-H1 and select Edit

➔ Complete the Admin User and Password and click OK

➔ Open the Lab Dashboard from the main tab.

➔ You will enter the FortiPOC Dashboard.

➔ Search for site1-H1 in the Device list and notice the status Shut Off

➔ Click Action → Power On

➔ Wait until the pop up says Task Completed and then click Close

➔ Give it a minute for the VM to power on.
o You will see a Ready for Auto-link status in FortiManager

➔ Hover over the warning sign and click on Auto-Link now

➔ Wait for the auto-link process to complete

➔ You will see a conflict Status after the auto-link, but the site1-H1 should be up

➔ We have a Conflict because, during the auto-link, FortiManager wiped the device's previous configuration, so the running configuration no longer matches the FMG DB (both the Device DB and the Remote Device Config have been modified).
o We can manually sync now.
o Select site1-H1 from the Managed FortiGate section and search the Dashboard Summary
→ Configuration and Installation widget

➔ Click on the Revision History Icon

➔ And then Retrieve Config

➔ Wait until the process is complete and click Finish, then Close

➔ Back to Device and Groups → Managed FortiGate and check the Device List
o site1-H1 should be Synchronized

We have just simulated part of the ZTP process:


➔ First, we created a model device while the device was shut down
➔ Then, when the device was powered on, it connected to FortiManager via its own Central
Management configuration (request from device). This part is usually done via FortiCloud.
➔ Then, the auto-link process linked the model device with the real device, and we synchronized
the configurations. We can add templates here to finish the configuration process. We will do it
later.

Challenge: Answer the following questions


➔ Do you know why the hostname shows the serial number for site1-H1 and not for the rest?
➔ What happened to site1-H1's original configuration?
➔ In which scenario would you use the model device method of adding devices?

Device Blueprint
Device blueprints can be used when adding model devices to simplify configuration of certain device
settings, including device groups, configuring pre-run templates, policy packages, provisioning
templates, and more. In this exercise we are going to add site1-H2 to FMG in the BAE_FMG ADOM
using a Blueprint.

➔ IMPORTANT: First, backup site1-H2 configuration.

➔ Then, login to FortiManager and create a new Device Group from Device Manager → Device &
Groups → Device Group → + Create a New Group

➔ Type a Group Name and select OK

➔ The new Group should be empty

➔ Next, we are going to create a new System template to apply to the Blueprint. We will cover
templates in the next sections, but for now we need a basic template.
o Go to Device Manager → Provisioning Templates → System Templates

➔ Click More → Import

➔ Type a new Template Name and select the site1-1 device.


o Click OK
o This will create a new System Template based on site1-1 current configuration

➔ You will have a new System Template and since it is based on site1-1, it is already assigned to
site1-1.
o The important thing here to note is that it is only assigned to site1-1.

➔ Right click and Edit the new System Template

➔ Remove the Host Name field in the template. Leave it blank and click OK.

➔ Now we will create a Device Blueprint that automatically assigns the new System Template and the
new Device Group to Model Devices.
o Go back to Device Manager → Managed FortiGate
o Click the arrow next to Add Device and select Device Blueprint

➔ Click on + Create New

➔ And complete all the parameters for the New Blueprint


o Name, Device Model, Auto Link, Device Group and Template
o Click OK when done

➔ You should see something like this in the Device Blueprint window, then click Close

➔ Next, we are going to add Site1-H2 as a Model Device


o Go to Add Device and select Add Model Device
o Complete the parameters for site1-H2 like we did in the previous exercise; the difference is that now we select a Blueprint, like the following screenshot (your serial number will be different), and click Next
o Just like in the previous exercise, you must first remove site1-H2 from the unauthorized device list in the root ADOM.

➔ Wait for the process to complete and click Finish

➔ Edit site1-H2 to set the admin password

➔ Reboot/Power-on site1-H2 and wait a minute or two for the VM to come back on

➔ After a moment, you will notice site1-H2 in the Modified state and the site connected (green arrow); the Config Status will not be in sync until the auto-link has completed.

➔ If you get a Last Try Failed status, you probably have the wrong Blueprint! Fix it and start over

➔ Once Auto-Link is completed; retrieve site1-H2 configuration like we did in previous exercise to
synchronize the device.

➔ Check which Device Group site1-H2 belongs to

➔ Finally, browse to Provisioning Templates → System Templates and see if site1-H2 has been
assigned the new System Template.

Import Model Devices from a CSV file
In this exercise we are going to add site2-1 and site2-H1 to FMG in the new ADOM (BAE_FMG) using a
CSV file, model device and Blueprint.

➔ First, we create the CSV file. Instead of creating a file from scratch, we will create a new one from
FortiManager
o Open the Device Blueprint window

➔ Select the Blueprint and click Generate CSV

➔ Select the prefix FGVM02 to use for generating the serial number and click OK

➔ Save the file add_device_with_blueprint_FGT_VM_KVM.csv to your desktop.

➔ Open the newly generated CSV file and add the site2-1 and site2-H1 serial numbers and names.
o Your serial numbers are different

➔ Jump to the root ADOM and remove the devices from the unauthorized list. You cannot add new
devices if the serial number is already present in any other ADOM

➔ Switch to BAE_FMG ADOM and select Device Manager → Add Device → Import Model Devices
from CSV File

➔ Upload/Drag the CSV file

➔ Wait for the serial numbers to be added, it should look like this:

➔ Click Next and wait for the process to complete, then Finish

➔ Again, both devices will be added. Edit both site2-1 and site2-H1 to add the admin password

➔ Reboot both devices and complete the process.


o Don't forget to back up the configuration
o Retrieve the configurations to synchronize the devices with FortiManager

➔ After retrieving site2-1 and site2-H1 configuration, the device table should look like this:

Questions:
• Did you notice the hostname differences between the devices? Why do some devices show hostnames and others serial numbers?
• Why is site1-1's Config Status Modified?

Device in Backup Mode ADOM


When creating an ADOM in Backup Mode, the ADOM is considered Read Only: you cannot make changes to the ADOM or its managed devices from FortiManager. Changes are made via scripts, or directly on the device's GUI/CLI. Revisions are sent to the FortiManager when specific conditions are met:

• Configuration change and session timeout


• Configuration change and log out
• Configuration change and reboot
• Manual configuration backup from the managed device.

In this section, we are moving site1-1 to the backup ADOM to test these conditions.

➔ Browse to System Settings → ADOMs and edit the Backup Mode ADOM

➔ Click on Select Device to move devices to this ADOM

➔ Select site1-1 and click OK

➔ And OK again on the ADOM page


o Now site1-1 has been moved from the normal ADOM to the backup ADOM.

➔ Switch to the Backup ADOM and select Device Manager → Devices and Groups

➔ Select site1-1 from the Managed Fortigate menu


o Do you notice any differences?
o You no longer have the configuration menus like Network, CLI Configurations, etc.

➔ Login to site1-1 GUI and check if you can access read-only mode or read-write mode.

➔ As you can see, site1-1 Central Management is working in Configuration Backup Mode

➔ Jump to FortiManager → BackUp Mode ADOM → Device Manager → Managed FortiGate


o Check the status of the device Configuration
▪ It should be Synchronized or Auto-Update
o We will see this in the next section, but keep in mind that in backup ADOM mode changes
can be done running scripts from FortiManager or directly from the devices GUI/CLI
o And we can retrieve the configuration manually from the device into FortiManager

➔ First, go to site1-1 Dashboard. You will notice that the widgets are also different in a BackUP
ADOM.
o From the Configuration Revision History, click the Retrieve Config button to create a new
revision from the device configuration.

➔ Click on one of the Revision IDs and click View Config


o Check the timezone configuration, use the search function

➔ Now switch to site1-1 GUI and change the timezone configuration directly from the device

➔ Do not logout from site1-1 GUI

➔ Switch to FortiManager → Device Manager → Managed FortiGate and check site1-1


configuration status

➔ Now logout from site1-1 GUI

➔ Again, switch to FortiManager → Device Manager → Managed FortiGate and check site1-1
configuration status
o Out of Sync... Why???
o It should have been updated based on the conditions explained at the beginning of this test.

For a device in a Backup Mode ADOM to upload its configuration automatically, fcp-cfg-service must be enabled on FortiManager. This allows the FortiGate to upload its configuration to the FortiManager, creating backups and revisions in the designated ADOM.
➔ Open FortiManager CLI

➔ And type the following commands


config system global
set fcp-cfg-service enable
end

➔ Now, go to site1-1 GUI and change the timezone again (for example, back to the original value).

➔ Click Apply, but don’t logout from site1-1 GUI

➔ Check FortiManager → Device Manager → And verify site1-1 is still Out of Sync

➔ Then logout from site1-1 GUI

➔ And check again FortiManager. Now site1-1 is synchronized

➔ Check the latest Revision Configuration to verify the changes

➔ This last test confirms the conditions in which a device configuration is updated in a BackUp ADOM.
Revisions are sent to the FortiManager when specific conditions are met:
• Configuration change and session timeout
• Configuration change and log out
• Configuration change and reboot
• Manual configuration backup from the managed device.

Optional – Table/Map/Ring View
You can arrange the devices in a map for a visual representation of the network.

➔ Go to Device Manager → Device & Groups → Managed Fortigates → Select Map View from the
dropdown menu
o Use the Normal ADOM: BAE_FMG

➔ You will see something like the next screenshot.


o Click on each device mini-map on the right to drag and drop the device on the map or enter
the location coordinates

➔ Select each device from the list and drag/drop the device on the map to the right.
o Have fun with it!
o Click Close, to exit

➔ Place each device in its own location:

➔ Now select Ring View from the drop-down menu and see what happens!
o Select One by One in the menu. It will circle through all devices

➔ You can always go back to Table View.

04 Device Level Configuration and Installation (90 min)
In previous sections we used the Device Manager pane to add and authorize devices for management by FortiManager. You can also use the Device Manager pane to make device configuration changes, to install device and policy package changes to managed devices, and to monitor managed devices.

We are also going to explore the different Configuration Status values a device can show, to understand what's going on in FMG and how to avoid conflicts.

Remember! The device configuration state should always be Synchronized. This means that the latest
revision is confirmed as running on the device.

More on Auto-Update and auto-retrieve


When a change is made on FortiGate, but the change is not initiated by a FortiManager installation
operation, FortiGate automatically sends the configuration changes to FortiManager.
The auto-retrieve operation is only invoked if FortiGate fails to initiate an auto-update operation. When
FortiManager detects a change on FortiGate, it automatically retrieves the full configuration.

Auto-Update in Backup ADOM


In the previous section we already tested that, in a Backup ADOM, you need to enable fcp-cfg-service in FortiManager if you want configuration changes made from the device GUI to Auto-Update. If you don't enable fcp-cfg-service, you can still update manually by retrieving the configuration.

This is important because you can use the revision to track the changes in FortiGate configurations

➔ Switch to the Backup ADOM and select the site1-1 device.


o The Config Status should be in the Synchronized or Auto-Update state. Hover the mouse
over the check symbol to see the details

➔ Now click site1-1 and check the Configuration Revision History Widget

➔ Select the latest revision ID and select View Config icon
o You can view, search and download the current Device configuration

➔ Hit Close and go back to the Configuration Revision History


o Select the latest ID again and this time click Revision Diff

➔ You can compare the different configuration revisions.


o Select Previous Version and Show Diff Only, then click Apply

➔ Review the Configuration Comparison. Does it make sense according to the latest changes in the
device?

➔ Try the options at the bottom of the slide window.

Auto-Update in Normal ADOM


In a Normal ADOM you don't need to enable anything for auto-update to work. It is already enabled by default.

➔ Now we are going to test the auto-update actions in a normal ADOM


o Move site1-1 to the normal ADOM BAE_FMG

➔ Switch to ADOM BAE_FMG and verify all devices are ok.

➔ Remove/Unassign the System Template from all devices.


o Click the Assign to device/Group and remove all devices from the list

➔ In the Managed FortiGate window, check all devices are Synchronized or Auto-Update

➔ Login to site1-1 GUI in Read-Write Mode and create a simple firewall policy

➔ Check FortiManager again for the Config Status of site1-1. It should be Auto-Update.
o If it is in Modified State, wait a minute. It should Auto-Update.

➔ Check the revision Diff with Previous version


o You should see the changes in the Firewall Policies.

Disable Auto-Update
The auto-update operation is enabled by default. To disable auto-update and allow the administrator to
accept or refuse updates, use the following CLI commands:

config system admin setting


set auto-update disable
end

➔ Continuing from the previous exercise, we are going to test disabling the auto-update operation in FortiManager.
o Log in to the FortiManager CLI and apply the commands shown above
➔ Login to site1-1 GUI in Read-Write mode and delete the previously configured firewall policy

➔ Switch to FortiManager and update the device table.


o Site1-1 is Out of Sync

➔ Now you can choose to either install or retrieve the configuration

➔ Don't forget to enable auto-update again!

config system admin setting


set auto-update enable
end

Modified
You can change the Device Level DB directly from FMG. This is done from the Device Manager menu.
The Modified status means that configurations are modified on FortiManager and not synchronized
between FortiManager and the managed device. For example, you made a device-level database
change, and after this you must Install the Changes via Install Wizard.

➔ Browse to FMG → Device Manager → Devices & Groups → Managed Fortigate → site1-1
o Select System → Settings from the upper menu

➔ Search for the timezone option in the Advanced Options section

➔ Change the timezone to any timezone you like


o Click Apply

➔ Go back to the Devices Table and check the Config Status. It should be Modified.

➔ This means that the Device DB has been Modified, and it's different from both the latest revision in the history and the remote device config.

➔ If you check site1-1 GUI → System → Settings, you will see the Time Zone hasn't changed.

➔ To install this, go to FMG → Device Manager and run the Install Wizard
o This will install the changes to site1-1 and updates the Revision History

➔ Install Device Settings (only)

➔ Check the Install Preview

➔ And select Install when you are ready


o Wait for the Wizard to finish

➔ Verify the Configuration Status again. It should be synchronized.

Out of Sync
This means that the configuration file on the device is not synchronized with the FortiManager system.

➔ We saw the Out of Sync Status in the Backup ADOM exercise when you make changes to the
FortiGate device and the FortiManager is not updated.
o We also already saw this when you disabled the Auto-Update.

Just remember, every time you see a device configuration Out of Sync, you have to choose either to
retrieve the configuration or install the device DB configuration.

Conflict
Conflict happens when an install failed, or when the configuration was modified on both FortiManager and the managed device and the device change was not auto-synced to FortiManager.

➔ We have already seen the conflict Status after the auto-link in the Add Model Device exercise.

Challenge - Conflict

➔ We will try to create a Conflict by disabling auto-update again and making changes in both Device
Level and Remote Device Config

➔ Disable Auto-Update

config system admin setting


set auto-update disable
end

➔ Make simple changes in both Device Manager and site1-1 GUI


o Check the Config Status in FortiManager. It should be in Conflict

➔ Enable Auto-Update and solve the conflict!

config system admin setting


set auto-update enable
end

We can also get Conflict status even with Auto-Update enabled. If the change from FortiGate is a
device level setting, the policy layer status in FortiManager remains unchanged. If the change from
FortiGate is a policy level setting, the policy layer status in FortiManager might change to Conflict
status. It is highly recommended to always modify settings on FortiManager and not on FortiGate.

Repeat after me:


It is highly recommended to always modify settings on FortiManager and not on FortiGate.
🙂

Installing System Template Changes on Managed Devices
In this exercise, we are going to use a single System Template to set some general parameters that
apply to all devices.

➔ Edit the System Template


o Browse to Device Manager → Provisioning Templates → Select System Template and
click on Edit

➔ Locate the Time Zone section and set it to any value you like

➔ Remove any Geographic Coordinate you may have.

➔ Also, scroll down to Log Settings and configure to send the logs to This FortiManager

➔ Now assign the template to all devices

➔ Browse to Device & Groups → Managed Fortigate and check the configuration Status

The Configuration Status is in Modified state because we have changed the Device Level DB by
applying a Template, but the remote devices are not updated.

➔ Device configuration and/or provisioning templates have been changed, please run the Install
Wizard to apply changes to remote device.
o Click the Install Wizard button and select Install Device Settings (only)

➔ Follow the Wizard. And check the Install Preview to verify the changes

➔ Click install when you are ready and wait for the Wizard to Finish.

➔ All devices should be Synchronized

➔ Also check the Provisioning Templates column in the Managed FortiGate table

➔ Now, login to site1-1 GUI in Read-Write Mode, and change the timezone like we did before
o Change the current Time Zone setting to any other value you like
o Click Apply to save the changes

➔ Go back to FMG → Device Manager → Managed FortiGate and check site1-1 Config Status
o Site1-1 shows Auto-Update
o If the Status is Out of Sync, just wait for a minute to change.

➔ Browse to Managed Fortigate → site1-1 → System Settings menu to see what timezone its
shown in the Device DB
o It should be the same we just set via the GUI

➔ And check the Revision History to compare the new auto updated revision against the Previous
Version
o Show Diff Only

➔ Everything seems fine, right?


o The changes in the GUI were automatically updated into the Device DB and the Revision
History shows the changes.
o The Configuration Status is synchronized because the Device Level DB is in sync with the
Remote Device Configuration.

➔ What's going to happen if I run the Install Wizard again to Install Device Settings?
o Try it now
o Check the install Preview and complete the Wizard

➔ What happened to the Time Zone in the FortiGate device, the Device DB and Revision History?
o Verify all configurations

Remember: Provisioning Templates are a way to indirectly modify the Device DB and they take
precedence over the Device DB settings for that Template.

Configuring Device Level Changes


We can use Device Manager to make changes to a device's configuration.

➔ Login to site-1-1 GUI in READ ONLY mode and check the interfaces table.
o Notice the Administrative access column for port1. Only PING is enabled.

➔ Go to FMG → Device Manager → Managed Fortigate → site1-1 → Network Interfaces


o You should see the same as the GUI

➔ Edit port1 and enable Administrative Access HTTPS, HTTP and SSH (lab only: port1 is the Internet-facing interface on site1-1, so in production you would not expose HTTP or SSH there; the Scripts exercise removes them again)

➔ Click OK and check the configuration Status


o It should be Modified because the Device DB has changed, but not the Remote Device
Config.

➔ You can verify that site1-1's configuration hasn't changed yet by refreshing the browser GUI.

➔ Now, run the Install Wizard to apply the changes.


o Check the Preview

➔ Refresh site1-1 GUI again to see the changes

Let's try another change in the Device DB to test the behavior when a template is applied.

➔ Still in site1-1 GUI, browse to System → Setting and check the timezone value we set in the
previous exercise.

➔ Go to FMG → Device Manager → Device & Groups → site1-1 → System Setting and change the
timezone again to any value
o Then click Apply

➔ Like the previous exercise, site1-1 Config status is Modified. So, we run the Install Wizard to apply
the changes.

➔ Check the Install Preview
o Why is there no preview?

➔ Finish the Wizard

➔ Check site1-1 GUI and site1-1 Device DB Configuration again.


o What happened?
o Why didn't the configuration change?

Quick Challenge: Fix the Devices groups and arrange them in a better way.

➔ We currently have site1-H2, site2-1 and site2-H1 in the same device group (HUBs). Reorganize all
devices in a different structure that makes more sense. See the following screenshot for an
example.

➔ Now apply different System Templates to different Device Groups

➔ Finally, unassign the System templates. What happens with the remote device configuration?

Remember: Removing a Template does not remove the configuration from the remote device. If you
need to unset configuration from a Template, then keep the Template assigned to the device and edit
the Template to remove the configuration you want.

Device Manager Scripts


Scripts allow you to automate and simplify bulk changes.

➔ We are going to use scripts to make bulk changes to devices. One simple way of creating Scripts is
using the revision history.

➔ Go to Device Manager → Device & Groups → Managed FortiGate → select site1-1 and check
the revision history
o Show the Diff Only with the previous version. You should have the latest changes from the
previous exercise.

➔ Select the Save Diff as Script button at the bottom and save the script to your local computer.

➔ Open the script with a Notepad and check the contents.


config system interface
edit "port1"
set allowaccess https ping ssh http
next
end

➔ Edit the Script to add fgfm to the allowaccess list


config system interface
edit "port1"
set allowaccess https ping ssh http fgfm
next
end

➔ Next, browse to Device Manager → Scripts and select + Create New

➔ Complete the Script options to apply the commands we took from the revision history to all devices.
o Use the following screenshot as reference

➔ Make sure to Run the script on Device Database and click OK.

➔ Select the Script and click Run Script

➔ Next select the entries to run the script in the devices or groups you want.
o And click Run Now

➔ Review and Confirm with OK
o Close after the Script is completed

➔ Now browse to Device Manager → Managed FortiGate → and check the devices table Config
Status:

➔ This confirms that the Script modified the devices DBs, and now we need to apply the Changes to
Sync the configurations.
o Run the Install Wizard and check the install preview before applying the changes.

➔ Edit the Script to remove HTTP, PING and SSH from the allowaccess options.
o Also change it to run the script on the Remote FortiGate Directly (via CLI). In this mode the commands are sent over the FGFM tunnel to the device instead of being written to the Device DB, so the Device DB is brought back in line afterwards by auto-update/auto-retrieve.
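The edited script should end up like the following. This is an added example (not the lab's own file): the comments explain the two run modes and why fgfm is kept; FortiManager scripts accept lines starting with # as comments.

```fortios
# Device Manager script, second version (edited copy of the Save Diff as Script output).
# First run: "Device Database" mode, which only changes the Device DB and leaves the
# devices in Modified state until the Install Wizard pushes the change.
# Second run: "Remote FortiGate Directly (via CLI)" mode, which sends these lines over
# the FGFM tunnel to the FortiGate; the Device DB is then updated by auto-update.
config system interface
    edit "port1"
        # keep https for the admin GUI and fgfm so FortiManager-initiated
        # connections (discovery, retrieve) still work; http, ping and ssh are dropped
        set allowaccess https fgfm
    next
end
```

Whichever mode you pick, check the Config Status afterwards: Device DB mode leaves Modified until you install, while direct mode should show Auto-Update and then Synchronized once FortiManager has retrieved the new configuration.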

➔ Run the Script in all Devices from Region2 or any other group you have.

➔ Validate and click OK

➔ Close when done

➔ Check the devices. Everything should be in sync.

➔ You can verify the local device configuration by logging in to the devices' GUI and looking at the configuration. Also, check the configuration revision history in FMG.

➔ You can also browse the Configuration and Installation Widget and see the Script Status
o It is in Device Manager → Devices & Groups → Managed FortiGate → Select a device
→ Dashboard: Summary → Config and Installation widget

➔ Click on Script Running History button to see the details

Remember: After running scripts, the same rules apply for resolving synchronization Config Status.

Challenge – SD-WAN Template


➔ Create an SD-WAN Template for site1-1 and site1-2
o They both have port1 and port2 connected to Internet
o Create a simple SD-WAN template to enable SD-WAN on both interfaces
o Have a Health Check to test DNS and ping connectivity to Internet
o Create an SD-WAN strategy (rule) for Internet traffic
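One way to check your template result is to compare it with what FortiManager installs on the FortiGate. The following is an added example (not the lab's solution and not FortiManager output) of the FortiOS 7.x CLI that a template with these settings would produce on site1-1; the health-check server 8.8.8.8, the object names and the use of the default virtual-wan-link zone are assumptions.

```fortios
# Added example: FortiOS 7.x CLI for a two-member SD-WAN with ping and DNS health
# checks and one priority-based rule for Internet traffic. Names and the server
# address are assumptions; in FMG these lines come from the SD-WAN template.
config system sdwan
    set status enable
    config members
        edit 1
            set interface "port1"
        next
        edit 2
            set interface "port2"
        next
    end
    config health-check
        edit "Internet-ping"
            set server "8.8.8.8"
            set protocol ping
            set members 1 2
        next
        edit "Internet-dns"
            set server "8.8.8.8"
            set protocol dns
            set members 1 2
        next
    end
    config service
        edit 1
            set name "Internet"
            # priority mode steers to the member with the best health-check result
            set mode priority
            set dst "all"
            set health-check "Internet-ping"
            set priority-members 1 2
        next
    end
end
# Traffic only enters SD-WAN through a route and a firewall policy that reference
# the zone (default name virtual-wan-link); these are outside the SD-WAN template.
config router static
    edit 1
        set sdwan-zone "virtual-wan-link"
    next
end
```

Two things to keep in mind when building the template: an interface cannot become an SD-WAN member while it is still referenced by existing policies or static routes, and on site2-1 only member 1 (port1) should be installed, which is what the per-device installation target in the template controls.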

SD-WAN Monitor
➔ You should be able to see the SD-WAN status in Device Manager → Monitors → SD-WAN
Monitor

➔ You should be able to drill down on one site and see the Health Check details and SD-WAN History
View

Common Template with disparate sites


➔ Now, add site2-1 to the same SD-WAN Template, but keep in mind that site2-1 only has one Internet connection, which is connected to port1.
o Use the same SD-WAN Template for all 3 devices
o site1-1 and site1-2 have two SD-WAN members (port1 and port2)
o site2-1 has one SD-WAN member (port1)
o site2-1 port2 is not an SD-WAN member

Do not use different templates for the sites!

Hint1:
Use a single SD-WAN Template, check inside the template for the installation target column.

Hint2:

05 Policies and Objects (90 min)

Policy Packages
Policy & Objects enables you to centrally manage policies and any objects used by those policies for
devices that are managed by the FortiManager.
All changes related to policies and objects should be made on the FortiManager Policy Database, and
not on the remote managed devices.

➔ In FortiManager, go to Device Manager → Device & Groups → Managed FortiGate to see the
Table View
o Right Click on site1-1 and select Import Configuration
o This will import all the policies and objects from the remote device and create a Policy
Package in FortiManager assigned to the remote device.

➔ Select Import Policy Package

➔ In the second step, leave all options by default

➔ Resolve any conflicts and click Next

➔ Check the summary and click Finish

➔ Check the Device Table View and search for the Policy Package Status column

➔ Now, browse to Policy & Objects → Policy Packages → and select site1-1
o Notice the Firewall Policy and Installation Targets sections

➔ Run the Install Wizard and select Install Policy Package & device Settings
o We do this as a sanity measure to see if there is some configuration left to synchronize
o Do not Create an ADOM Revision

➔ As you can see, there was some configuration to purge/set to fully synchronize the remote site with
FMG.

➔ Now site1-1 is fully synchronized to FMG (Device DB, Revision History, Policy Package and
Provisioning Template)

➔ Login to site1-1 GUI in READ-ONLY mode and check the Firewall Policies
o Navigate the GUI Policy & Objects → Firewall Policy → select by Sequence
o Only the implicit rule is present

➔ Go back to FMG → Policy & Objects → Policy Packages → site1-1 → Firewall Policy
o You will see the same as the local GUI

➔ Create a new Firewall Policy in FMG. Click on + Create New button

➔ And complete the New Policy. Make it simple, like the following screenshot

➔ Run the Install Wizard to push the new Policy to site1-1

➔ Check the Install Preview to review the changes

➔ After the Wizard is completed, jump to site1-1 GUI to verify the installation of the new policy

➔ In FMG → Device Manager → Device & Groups → Managed FortiGate → check the device table
for site1-1. It should be synchronized.

➔ Now, let's try to remove the policy directly from site1-1 GUI.

➔ From site1-1 GUI, change login to Read-Write

➔ Next, Go to → Policy & Objects → Firewall Policy and delete the new policy

➔ Go back to FMG → Device Manager → Managed Fortigate → And see the device table for site1-1
Config Status
o It will show as Auto-Update
o If you see Out-of-Sync, wait for a few seconds until it updates

➔ Go to Policy & Objects → Policy Packages → site1-1 → Firewall Policy

➔ Take a look at what you see…

Question:
Why do you still see the Firewall Policy in the FMG Policy Package?
Why does the device show as Auto-Update in Device Manager?

➔ Browse to FMG → Device Manager → Device & Groups → Managed FortiGate → Select site1-1
o Click on CLI configurations
o In this section we can see site1-1 full Device DB

➔ Use the search function or browse through the configuration tree to find the Firewall Policy section
of the configuration.

As you can see, there are no firewall configurations in site1-1 Device DB in FMG, which is why you see
site1-1 is synchronized in Device Manager Table View.
Policy & Objects is a separate objects database that is shared among multiple devices. When a device
auto-updates its configuration, it only updates its Device DB in Device Manager.

➔ If we run the installation Wizard again, we can push the policy again.
o We must run the Wizard from the Policy Package and Device Settings level

➔ After the Wizard is completed. Check site1-1 cli configurations again.

o Now you see the Firewall Policy back in Device DB
o And of course, the policy is back to site1-1 GUI because it was installed by the wizard.

More on CLI configurations

➔ Did you know that you can use CLI configurations to create a Firewall Policy from Device Manager,
without using Policy & Objects?
o Browse to Device Manager → Device & Groups → Managed FortiGate → select site1-2 →
CLI Configurations
o Search for policy in the search field

➔ Click on + Create New and complete the slide in window for the new policy configuration

➔ Select the following options:
o Action: deny
o Srcaddr: all
o Dstaddr: all
o Srcintf: any
o Dstintf: any
o Service: ALL_UDP
o Schedule: always
o Logtraffic: all

➔ Click OK

➔ Now check the Device Table, and verify that site1-2 has Config Status Modified

o This is because we just modified the Device DB

➔ Login to site1-2 GUI in Read-Only Mode to check the new Firewall Policy is not present. We only
modified the FMG site1-2 Device DB.

➔ And there is no Policy Package assigned to site1-2 yet.

➔ Run the Install Wizard to push the new Firewall Policy to site1-2.
o Run the Wizard from Install Device Settings (only).
o Do you understand why only Device Settings is enough here?

➔ Check the Install Preview for site1-2 and complete the Wizard.
o Site1-2 Config Status will be in Sync again

➔ Check site1-2 GUI again to verify the new Firewall Policy has been installed


➔ In FMG, Import site1-2 configuration to create a Policy Package for site1-2, like we did for site1-1

➔ After importing the configuration, the sites will look like this in the Table View

➔ Check the new Policy Package in Policy & Objects → Policy Packages → select site1-2
o Notice the FW Policy created from CLI Configuration has been imported.

➔ Run the Install Wizard from the Policy Package level just to make sure everything is installed.
o Check the installation Preview if you are curious, some objects might be synchronized.

Common Policy Packages


We are going to use a Common Policy Package for multiple devices.

➔ First, let's clean the current Policy Package configuration by removing the deny_icmp and the
deny_udp policies from both Policy Packages

➔ Run the install Wizard to remove the FW Policies from site1-1 and site1-2.
o You must run the Wizard twice. One for every Policy Package

➔ Now that the policies are clean, edit site1-1 Policy Package to rename it to something more general
and click OK

➔ Delete site1-2 from the installation target of site1-2 Policy Package

➔ And then Delete site1-2 Policy Package

➔ Go to the new Policy Package (Branches) and add site1-2 to the Installation Targets.
o Now both site1-1 and site1-2 will use the same Policy Package

➔ Check the Device Status from Device Manager Table View

➔ Run the install Wizard for the new Policy Package.
o Even though the Package looks unchanged, we removed policies from the old Packages, so we need
to run the Wizard again to synchronize everything.

Challenge - Common Policy


➔ Using only the common Policy Package (Branches) create new Firewall Policies in a way that:
o Site1-1 and site1-2 deny all ICMP traffic
o Site1-2 only also deny all UDP traffic
o You must use only one Policy Package
o Verify the results logging into the devices GUIs in Read-Only mode

➔ Try to solve the Challenge without using the Hint

Hint:

Policy Package Scripts


We can use Scripts to add Firewall Objects or Firewall Policies in FMG

➔ Browse to Device Manager → Scripts and create two new Scripts, one for the Firewall Objects and
another for the Firewall Policies
o Make sure you select the option to Run the Script on Policy Package or ADOM DB

➔ For the FW Objects Script, configure the following

config firewall address


edit "test123"
set type fqdn
set fqdn "test123.com"
next
end

➔ For the FW Policy Script, configure the following

config firewall policy


edit 99
set name "deny_ftp"
set srcintf "any"
set dstintf "any"
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "FTP"
set logtraffic all
next
end

➔ Before running the Scripts, go to Policy & Objects → Firewall Objects → and search for an object
named test123

➔ Now go back to Device Manager → Scripts → and run the fw_objects_script

➔ Select the Policy Package you want to run the Script

➔ Once completed, click Close and search for the Firewall Objects again

➔ Now, for the FW Policy we can run the Script like before, or we can do it from the Policy Package
menu.
o Right Click on the Firewall Policy menu in the Branches Policy Package and select Run
Script

➔ Select the Script and click Run Now

➔ Wait until the script finishes successfully and click Close

➔ You should see the new Firewall Policy in the Policy Package

➔ We need to Run the Installation Wizard to apply the new Firewall Policy.
o Notice the Policy Package has been modified

➔ Run the Wizard

Objects and Dynamic Objects


All policy objects within an ADOM are managed by a single database unique to that ADOM, for
example: Firewall Objects and Security Profiles. Some objects include the option to enable dynamic
mapping to map a single logical object to a unique definition based on the device or platform, for
example Interface Mappings also called Normalized Interface.

Remember, Policy & Objects uses a different DB than the ones in Device Manager (Device DB), so all
objects must be defined in the Policy & Object DB to be used in Policy Packages, this includes device
Interfaces via the Normalized Interface Dynamic Object.

➔ Browse to Device Manager → Managed FortiGate → Select site1-H1 → Select the Network: Interfaces tab

➔ Click on + Create New → Interface

➔ And create a new loopback Interface.
o Name: loopback1
o IP address: 1.1.1.1/32
o Administrative Access: PING

➔ Run the Install Wizard to push the configuration to the Device

➔ And then right-click site1-H1 from the Table View and Import Configuration to import and create the
policy package.

➔ Now Import Configuration for site1-H2 too.

➔ After Importing both Policy Packages, create a loopback interface in site1-H2.
o Name: loopback2
o IP address: 2.2.2.2/32
o Administrative Access: PING

➔ Run the Install Wizard for everything we just did.

➔ Let's pause for a moment to think about something:
Do you understand why we are running the Install Wizard for both site1-H1 and site1-H2?
• In site1-H1 we didn't change the Device DB, we just imported the configuration to create
the Policy Package. Running the Wizard is necessary because we just imported the Policy
Package, and the first time we do this it might be necessary to synchronize any Object from the
Policy & Object DB to the remote device. The Wizard will not install anything new from the
Device DB in Device Manager, only from the Policy & Objects DB.
• In site1-H2 we added a loopback2 interface, so we changed the Device DB and also, we
imported the Policy Package. So, we need to push the new loopback interface along with any
Object from the Policy & Object DB.

➔ Now, browse to Device Manager → Managed FortiGate → select site1-H1 → click on Network:
Interfaces
o Search for the new loopback in the interfaces table.
o Pay attention to the Normalized Interface column.

As you can see, the loopback1 interface has already been normalized to an object called loopback1

➔ Do the same for site1-H2 device


o Search for the new loopback in the interfaces table

Why is loopback2 not normalized?

This is normal and depends on the way we do things in FMG. Some wizards automatically normalize
interfaces, but the interface must already exist on the device before the normalization can happen
during the task. For example, during the Import Configuration task to import the Policy Package, you
might notice that there is an option to map the interfaces, and it is enabled by default.

This is what made the difference in this scenario.

If you did the SD-WAN template challenge you will notice that the SD-WAN Zones are not normalized,
however if you run the Overlay Template Wizard, it will normalize the zones automatically.

➔ Let's fix the normalization for site1-H2 loopback2. There are different ways to do this, but the
important thing is to understand the concept.
o Go to the menu Policy & Objects → Normalized Interface
o Here you can see all the Dynamic Interface Objects and their mappings
o Search for the object loopback in the search field

As you can see, there is only one dynamic Object with the name loopback1, and it is already mapped to
interface/Zone loopback1

➔ Select the loopback1 Object and click Edit

➔ Since this is a dynamic object and the mapping will take different values, we are going to use a
more generic name.
o Change the name from loopback1 to loopback.
o Then Click on Per-Device Mapping → + Create New

➔ And create the new mapping for site1-H2

➔ It should look like this

➔ Now check the mappings for both site1-H1 and site1-H2 from Device Manager → Interface table

Question: Why do the devices already show as synchronized when we didn't run any Install Wizard?

Objects and Dynamic Objects only exist in Policy & Objects DB. FortiManager will translate into CLI the
Object and mappings configuration to the remote device during the Install Wizard. In the previous
exercise we only changed the name of the Object and mapping, and there is no need to send any CLI
command to devices.

Try running the Install Wizard anyway, and then …

➔ Create a new Firewall Policy for site1-H1 or site1-H2 that includes the new loopback interface
as incoming or outgoing interface
o What happened with loopback1 and loopback2
o Does it make sense?

Solving Conflicts
Be careful when creating Objects, because not all of them have Per-Device Mappings, for example the
Security Profiles. This can cause Conflicts when we try to import a working device into FortiManager.
Some conflicts can be fixed during imports; others need configuration changes.

We are using the site2-1 device, because it doesn't have a Policy Package yet.

➔ Login to Site2-1 GUI in Read-Write mode


o Create a new Firewall Address with the following configuration:

config firewall address
edit "test123"
set type fqdn
set fqdn "*.test123.com"
next
end

This FW Address Object is slightly different than the one in FortiManager Policy & Object that we
created earlier. This will create a device mapping during policy import.

➔ We are also going to make changes to a Default Security Profile


o Still in site2-1 GUI go to Security Profiles → Antivirus → and Edit the default AV profile

➔ Change the default AV profile configuration like disabling Inspected Protocols, and click OK

➔ Since we generally import used policies and object, we are going to create a new Firewall Policy
that uses the test123 object and the default AV Profile
o Go to site2-1 GUI Policy and Objects → Firewall Policy and create the policy using the
screenshots as reference.

➔ Go back to FMG → Device Manager → Device & Groups → Managed FortiGates → Select site2-
1 from table view
o Import Configuration (Policy Package) from site2-1
o And check the conflicts (View Conflicts)

➔ FMG is detecting that the default AV Profile is different between the new site and the one in the
Policy & Object DB. This could be dangerous because the AV Profile Object doesn't allow per-
device mappings, and if you select "Use Values From FortiGate" it will affect every device using
that profile in FMG.

➔ If we select "Use Value from FortiManager" we will impact the new device only.
o Maybe the safest choice is using the Value from FortiManager, but be careful because it's not the
default choice.

➔ After resolving the conflict and clicking Next, you will find the following dynamic mapping

The Firewall Address Object "test123" is a dynamic object, which means it allows dynamic mapping.


The import process automatically created a mapping to avoid conflicts.

➔ Complete the Import Policy task

➔ Browse to Policy & Objects → Firewall Objects → search for "test" and click to Edit the object
o You will see the dynamic mapping in the Per-Device Mapping section

Ask yourself: Do we need to run the Install Wizard? Why?

The answer is yes! For two reasons: first, we just imported the policy package from site2-1 and we
usually need to run the Install Wizard to synchronize all FMG Objects to the remote Device. Second, we
just imported the policy package and we chose to ignore the AV profile and use the FortiManager one
to resolve the conflict. So it is necessary to run the Install Wizard to push the AV profile to the remote
Device.

➔ Do it now, run the Install Wizard and check site2-1 AV default Profile to verify it has changed.

Policy Block
Policy Blocks are created to store multiple policies that can be appended to a Policy Package during
Policy creation or editing. This way the administrator can add multiple policies at once.

➔ Show Policy Blocks by going to Policy & Objects → select Tools from the upper menu → Click on
Feature Visibility

➔ Select Policy Block and click OK

➔ Browse to Policy Packages → Policy Blocks → and click + Create New
o Type the name: infra_policy_block

➔ Browse inside the Policy Block and create a new Firewall Policy
o For example, block Botnet-C&C.Server, telnet and any other service you want

➔ The Policy Block will look like this:

➔ Move to site2-1 Policy Package → Firewall Policy, right click on a firewall entry and select Insert
Policy Block Above

➔ Choose the Policy to insert and click OK

➔ The resulting site2-1 Firewall Policy will look like this

➔ What's next? You guessed it: run the Install Wizard…
o Check the Preview, notice how the Wizard installs the FW Objects used in the FW policies and
also moves the old entries…

Using Metadata Variables
Metadata variables are dynamic properties that can be used in various templates, scripts, and objects in
FortiManager. In a metadata variable, you can specify a property value for individual devices, device
groups, or all devices in an ADOM.

We will assign variables per device and per device group. So first, make sure you have your devices
organized by region.

➔ Organize your devices by region (if you haven't done it already)

➔ Next, browse to Policy & Objects → Advanced → Metadata Variables

➔ Click + Create New to create a new Variable
o Variable Name: site_id
o No default Value
o Create Per-Device Mappings for all the lab devices

➔ Create two more Variables for Region1 and Region2


o Create per Device Group mapping

➔ The list of variables will look like this:

➔ Now go to Provisioning Templates and Edit the System Template for Region1
o Find the Host Name field and type the following value: site$(site_region1)-$(site_id)

➔ Do the same for the System Template for Region2
o Use Host Name value: site$(site_region2)-$(site_id)

➔ Assign the System Templates


o System_Template_Region1 assign to Device Group Region1
o System_Template_Region2 assign to Device Group Region2

➔ Before running the Install Wizard, check the Device Table View
o Notice the inconsistent hostnames

➔ Run the Install Wizard.
o Check the Previews

➔ And the resulting Table View will look like this

➔ If you need to adjust a variable mapping, you can right click on any device and select Edit Variable
Mapping from the menu

ADOM Revisions
ADOM revision history allows you to maintain a revision of the policy packages, objects, and VPN
console settings in an ADOM.

➔ Browse to Policy & Objects → Select ADOM Revisions from the upper menu

➔ Click on + Create New

➔ Type a Name and click OK

➔ You can select the Settings button at the bottom of the page to set the Auto-Delete settings

➔ And Edit the new ADOM to set the Lock from auto deletion.

➔ You can also select a revision to View Revision Diff and Restore it

SD-WAN Management (30 min)


SD-WAN Manager menu groups together all relevant SD-WAN related configurations under new
sections: Network, Templates, Overlay Orchestration, and Rules.

We are going to enable the new SD-WAN Management Feature. But First, back up your FortiManager,
like we did in the first section.

➔ Go to Dashboard → System Information → Select Backup

➔ Type a password and click OK
o Save the back up on your local computer.

➔ Now, we can enable SD-WAN Manager feature.


o Go to System Settings → Advanced → Misc Settings
o Enable Show SD-WAN Manager
o Click Apply

➔ Now the Left Menu has changed, and we see SD-WAN Manager. However, the sub-menus are
empty

➔ We need to select which devices will be managed by SD-WAN Manager
o Go to Table View and Edit site1-1, site1-2 and site2-1 to enable Managed by SD-WAN
Manager

➔ Now go back to SD-WAN Manager → Devices and you will see the sites are now visible from here
too.

➔ Change to the Monitor Tab to verify all information is correct

➔ The SD-WAN Manager → Templates menu shows all related templates except SD-WAN and
System Templates

➔ The SD-WAN Manager → Rules menu shows the SD-WAN Template

➔ The SD-WAN Manager → Overlay Orchestration menu shows the Overlay Template Wizard.

Questions:
• What happened with the traditional menus?
• In which scenarios would you use the SD-WAN Manager?
• Would you put site1-H1 and site1-H2 in the SD-WAN Manager? Why?

06 Global Database ADOM and Central Management (30 min)

Global Objects

➔ Go to Global Database ADOM → Policy and Objects → Firewall Objects → select the Services
Tab

➔ Select + Create New → Service → and complete the information for the QUIC protocol.
o Use Name: gquic
o Protocol: UDP
o Port: 443

This created a Global Object for the QUIC protocol

Header and Footer Policies

➔ Go to Global Database ADOM → Policy and Objects → Firewall Header Policy

➔ Create a new Header Policy blocking the QUIC protocol

➔ Go to Global Database ADOM → Policy and Objects → Firewall Footer Policy

➔ Create a new Footer Policy blocking the SMTP protocol

➔ Last, go to Assignment to add the ADOMs to which the Header and Footer policies apply.
o Assign to All Policy Packages

➔ Right Click the ADOM and select Assign

➔ Select the options to Assign and click Start to Assign

➔ Click Finish when complete

➔ The Policy Package should show Up to Date now

➔ To install the Header and Footer Policies, switch to the Normal ADOM and go to Policy & Objects
o Select Policy Packages and you will notice the menus have changed, to include the new
Header and Footer policies in all Packages.

➔ The Device Table View in Device Manager shows all devices have modified policy packages, which
means we have to install all Packages to apply the new Header and Footer policies.

➔ Run the Install Wizard from Policy Packages & Device Settings for all packages.
o Check the Install Previews to see what commands are being sent to the remote devices.

➔ Login to one of the devices GUI in READ ONLY MODE to check the results.

Questions:
• How would you use Header and Footer policies?
• What's the difference between Header/Footer policies and Policy Blocks?

Central Management

Fabric View - Topology


You can see the Security Fabric topology in the FortiManager GUI, in the Fabric View menu.

➔ You need to enable Security Fabric to see the Topology in Fabric View.
o We are going to enable Security Fabric in Region2 sites only.

➔ Disable Automatic Firmware Upgrade in the Region2 System Template


o And Install the changes

➔ Then go to Device Manager → Managed FortiGate → select site2-1 → go to CLI Configurations
and set it as Fabric Root with the following configuration
o Search for csf in the search field to easily find the correct section.

Here is the cli for reference


config system csf
set status enable
set group-name "BAE_FMG"
set downstream-access enable
set downstream-accprofile "super_admin"
end

➔ Then go to Network Tab and enable Fabric in port10

➔ Run the Install Wizard and check the preview to verify the changes

➔ After this, you will start seeing the Fabric Topology in FortiManager → Fabric View → Physical
Topology and Logical Topology

➔ Now we are adding site2-H1 to the Fabric
o Go to Device Manager → Device & Groups → site2-H2 → select CLI Configurations Tab
o Search for csf

This is the CLI for reference


config system csf
set status enable
set saml-configuration-sync local
set downstream-access enable
set downstream-accprofile "super_admin"
set upstream "192.168.0.33"
end

➔ Do not enable Security Fabric in site2-H1 port10

➔ If you see an IPAM error during installation, it's because there is a conflict in the LAN pool after
enabling Security Fabric. Just remove all pools and roles.

➔ You will have to authorize it from site2-1

➔ You should see both site2-1 and site2-H1 as members of the Fabric
o Go to the Table View in Device & Groups

➔ Finally, the Fabric View → Physical/Logical Topology will show the new added device

Fabric View – Security Rating
Nothing to change here, you use this section to review the Security Ratings from all devices

➔ Navigate to Fabric View → Security Rating and explore the Security Controls and Vulnerability
sections for All FortiGate or individual devices

07 Diagnostics and Troubleshooting (30 min)

Break the fgfm protocol communication


The objective of this section is to intentionally install a configuration change that breaks fgfm protocol
communication between FortiGate and FortiManager and see how the system reacts and recovers from
this situation.
This is to test the Recovery Logic that occurs when the remote device loses communication with
FortiManager after a configuration change.

➔ First, browse to Device Manager → Managed FortiGate → select site1-1 → Network:Interfaces


o Select and Edit port10
o Please take note of the original IP Address so you can revert this change later.
o Change the IP address to 7.7.7.7/255.255.255.0

➔ Click OK to edit the device DB


o Do NOT run the Install Wizard yet!

➔ Then, login into FortiPOC portal


o Lab Dashboard from the lab tab

➔ Search for the site1-1 FortiGate
o Open the site1-1 console (web-based console emulation)

➔ Login into the site1-1 FortiGate.


o Execute these commands:
diagnose debug cli 8
diagnose debug enable

➔ Now install the Device Settings on site1-1


o You will see the installation process stop at 35%

➔ Review the site1-1 console


o Note: Use the keys Shift+PageUp and Shift+PageDown to scroll through the console.
o You will see the installation commands sent from FortiManager.

➔ Wait 15 minutes for FortiGate to reverse the installation changes.
o Note: The FortiManager installation process will fail
o After 15 minutes you will see the following message in the Wizard

➔ Check the progress Report

➔ Then, review the site1-1 console


o You will notice the reverse commands executed from FortiGate itself to restore the original
configuration.
o It might take a couple minutes to see the rollback commands

➔ In about 1 minute, you will see the FortiGate connected to FortiManager again and the Config
Status of site1-1 in Modified state.
o From Device Manager, set the correct IP address in port10 and Install the changes.

Rollback-allow-reboot
The default behavior for FortiGate is to apply the set commands, test the FGFM connection and, if the
connection fails, apply the unset commands after 15 minutes.

We can add a second recovery step, to make FortiGate reboot and recover from the previous
configuration revision. For this to work, FortiManager must have the following configuration:

config system dm
set rollback-allow-reboot enable
end

Due to time constraints, we are not doing this lab, just keep in mind that you have this option available
for FortiGate recovery.

08 Additional Configurations (20 min)

In this section we are going to upgrade a FortiGate using FortiManager

Upgrade FortiGate Firmware Using FortiManager

➔ FortiManager will inform you every time there is an upgrade available.


o You can see this from the Table View

➔ Browse to Device Manager → Firmware Templates

➔ Click + Create New


o Complete the Name and Upgrade Details

➔ Complete the Install Window (Schedule) and Upgrade Options

➔ Once the Template is completed, Assign to device/device groups


o Select any Region2 device or group
o It will look like this:

➔ Check the More drop-down menu, for additional actions

➔ You don't need to run it now, just explore the options

09 SD-WAN Challenge (90 min)

In this section we are going to build a complete and functional SD-WAN network using everything we
learned in this lab.

A few hints will be offered to guide you, but we are not providing a detailed step-by-step process to build
this SD-WAN network. You should be able to do it using what we learned so far.

Network Topology

Objective

The main objectives are:


• Restore the underlay communication in the lab
• Use the overlay template to build the SD-WAN overlay
• Create Policy Packages for the device groups
• Create an SD-WAN strategy
• Test connectivity between client devices

Winning conditions

• You must have ping connectivity between site1-1 client and site1-H1 client.
• The SD-WAN strategy should work, tested with the WAN Simulator.

Summary:

Notice that each device has two Internet connections (port1 and port2), one MPLS (private) connection
(port4), and a connection to the LAN/Client side (port5); however, most of the devices lost their
configuration during the model device registration. So before starting the labs, you must restore the
interface IP address configuration and routing.

➔ You already have all devices registered in ADOM BAE_FMG


➔ Remove all policy packages and templates from all devices
➔ Run the scripts found in the Appendix to restore the device configurations.
➔ Use the Overlay Template to create the overlay.
o You can use the Overlay Template for Region1 only. Don't use it for Region2.
o If you enable SD-WAN Manager, you can find the Overlay Template Wizard in the SD-
WAN Manager → Overlay Orchestration menu

➔ Create new Policy Packages for all devices. Remember that IPSEC tunnels do not come up unless
there is a Security Policy applied.
➔ Fix the routing strategy and check client connectivity
➔ Use the wan_simulator to test the SD-WAN strategy

Try to complete the challenge without using the following hints.

Hints

Overlay Template Hint 1:

Overlay Template Hint 2:
You must set the IPSEC gateways manually in the IPSEC Template for Branches.
Do you know why?

Policy Hint 3:
Import all policy packages and make sure you normalize/map all interfaces, especially the SD-WAN
Zones.
Fix all conflicts and install all policies after import, to make sure everything is synchronized.
Take your time to make sure everything is synchronized. You can leave each device with its own Policy
Package at this time. You can move to common policies later.

Policy Hint 4:
Remember, you must have security policies for the IPSEC tunnels to come up.
You must allow traffic to the loopback interfaces for the SD-WAN Health check and between LAN
interfaces.

Check the VPN Monitor

Routing Hint 5:
Check the routing table of all devices and fix any missing subnet.

SD-WAN Strategy Hint 6:

Appendix

Configuration Scripts

Site1-1
config system interface
edit "port1"
set vdom "root"
set mode dhcp
set allowaccess ping
set type physical
set snmp-index 1
next
edit "port2"
set vdom "root"
set mode dhcp
set allowaccess ping
set type physical
set snmp-index 2
next
edit "port3"
set vdom "root"
set type physical
set snmp-index 3
next
edit "port4"
set vdom "root"
set mode dhcp
set allowaccess ping
set type physical
set snmp-index 4
set defaultgw disable
next
edit "port5"
set vdom "root"
set ip 10.0.1.1 255.255.255.0
set allowaccess ping
set type physical
set snmp-index 5
next
edit "port6"
set vdom "root"
set ip 10.0.101.1 255.255.255.0
set allowaccess ping
set type physical
set snmp-index 6
next
end

Site1-2
config system interface
edit "port1"
set vdom "root"
set mode dhcp
set allowaccess ping
set type physical
set snmp-index 1
next
edit "port2"
set vdom "root"
set mode dhcp
set allowaccess ping
set type physical
set snmp-index 2
next
edit "port3"
set vdom "root"
set type physical
set snmp-index 3
next
edit "port4"
set vdom "root"
set mode dhcp
set allowaccess ping
set type physical
set snmp-index 4
set defaultgw disable
next
edit "port5"
set vdom "root"
set ip 10.0.2.1 255.255.255.0
set allowaccess ping
set type physical
set snmp-index 5
next
edit "port6"
set vdom "root"
set ip 10.0.102.1 255.255.255.0
set allowaccess ping
set type physical
set snmp-index 6
next
end

Site1-H1
config system interface
edit "port1"
set vdom "root"
set mode dhcp
set allowaccess ping
set type physical
set snmp-index 1
next
edit "port2"
set vdom "root"
set mode dhcp
set allowaccess ping
set type physical
set snmp-index 2
next
edit "port3"
set vdom "root"
set type physical
set snmp-index 3
next
edit "port4"
set vdom "root"
set mode dhcp
set allowaccess ping
set type physical
set snmp-index 4
set defaultgw disable
next
edit "port5"
set vdom "root"
set ip 10.1.0.1 255.255.255.0
set allowaccess ping
set type physical
set snmp-index 5
next
edit "port6"
set vdom "root"
set ip 10.101.0.1 255.255.255.0
set allowaccess ping
set type physical
set snmp-index 6
next
edit "port7"
set vdom "root"
set ip 10.12.0.1 255.255.255.0
set allowaccess ping
set type physical
set snmp-index 7
next
end

Site1-H2
config system interface
edit "port1"
set vdom "root"
set mode dhcp
set allowaccess ping
set type physical
set snmp-index 1
next
edit "port2"
set vdom "root"
set mode dhcp
set allowaccess ping
set type physical
set snmp-index 2
next
edit "port3"
set vdom "root"
set type physical
set snmp-index 3
next
edit "port4"
set vdom "root"
set mode dhcp
set allowaccess ping
set type physical
set snmp-index 4
set defaultgw disable
next
edit "port5"
set vdom "root"
set ip 10.2.0.1 255.255.255.0
set allowaccess ping
set type physical
set snmp-index 5
next
edit "port6"
set vdom "root"
set ip 10.102.0.1 255.255.255.0
set allowaccess ping
set type physical
set snmp-index 6
next
end

Site2-1
config system interface
edit "port1"
set vdom "root"
set mode dhcp
set allowaccess ping
set type physical
set snmp-index 1
next
edit "port2"
set vdom "root"
set mode dhcp
set allowaccess ping
set type physical
set snmp-index 2
next
edit "port3"
set vdom "root"
set type physical
set snmp-index 3
next
edit "port4"
set vdom "root"
set mode dhcp
set allowaccess ping
set type physical
set snmp-index 4
set defaultgw disable
next
edit "port5"
set vdom "root"
set ip 10.4.1.1 255.255.255.0
set allowaccess ping
set type physical
set snmp-index 5
next
edit "port6"
set vdom "root"
set ip 10.4.101.1 255.255.255.0
set allowaccess ping
set type physical
set snmp-index 6
next
end

Site2-H1
config system interface
edit "port1"
set vdom "root"
set mode dhcp
set allowaccess ping
set type physical
set snmp-index 1
next
edit "port2"
set vdom "root"
set mode dhcp
set allowaccess ping
set type physical
set snmp-index 2
next
edit "port3"
set vdom "root"
set type physical
set snmp-index 3
next
edit "port4"
set vdom "root"
set mode dhcp
set allowaccess ping
set type physical
set snmp-index 4
set defaultgw disable
next
edit "port5"
set vdom "root"
set ip 10.4.0.1 255.255.255.0
set allowaccess ping
set type physical
set snmp-index 5
next
edit "port6"
set vdom "root"
set ip 10.104.0.1 255.255.255.0
set allowaccess ping
set type physical
set snmp-index 6
next
end
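The Appendix scripts all share the same flat FortiOS CLI layout, and the SD-WAN challenge depends on two properties of them: the MPLS port (port4) must not learn a default route via DHCP, and the static LAN subnets must not overlap between sites. The following script is an added example (not part of the lab or any Fortinet tool) that parses blocks in that layout and checks both properties; the "bad" site it embeds is a constructed example, the other two are excerpts of the Site1-1 and Site1-2 scripts above.

```python
"""Parse and sanity-check FortiOS ``config system interface`` scripts.

Added example for this lab (not Fortinet code). It parses CLI text in the
same flat layout as the Appendix scripts and reports two conditions that
would break the SD-WAN challenge before the scripts are pushed from
Device Manager.
"""
import ipaddress
import shlex


def parse_fortios_config(text):
    """Return {table_name: {entry_name: {attribute: [values]}}}.

    Handles the flat config / edit / set / next / end layout used by the
    Appendix scripts; nested config blocks inside an edit are rejected.
    """
    tables = {}
    table = entry = None
    for raw in text.splitlines():
        tokens = shlex.split(raw)          # keeps quoted names like "port1"
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            if table is not None:
                raise ValueError("nested config blocks are not supported")
            table = " ".join(args)         # e.g. "system interface"
            tables.setdefault(table, {})
        elif cmd == "edit":
            entry = args[0]
            tables[table].setdefault(entry, {})
        elif cmd == "set":
            tables[table][entry][args[0]] = args[1:]   # "set ip A M" -> [A, M]
        elif cmd == "next":
            entry = None
        elif cmd == "end":
            table = None
        else:
            raise ValueError(f"unexpected CLI command: {cmd}")
    return tables


def check_site_interfaces(sites, mpls_port="port4"):
    """sites maps a site name to its interface script; returns a list of findings.

    Assumptions (from the lab topology): port4 is the private MPLS link and
    must carry "set defaultgw disable" when it uses DHCP, and every static
    subnet must be unique across sites so the LAN clients can reach each other.
    """
    findings = []
    seen = []                              # (network, site, port) for static IPs
    for site, text in sites.items():
        ifaces = parse_fortios_config(text).get("system interface", {})
        mpls = ifaces.get(mpls_port, {})
        if mpls.get("mode") == ["dhcp"] and mpls.get("defaultgw") != ["disable"]:
            findings.append(f"{site}: {mpls_port} (MPLS) would install a DHCP default route")
        for port, attrs in ifaces.items():
            if "ip" not in attrs:
                continue
            net = ipaddress.ip_interface("/".join(attrs["ip"])).network
            for other_net, other_site, other_port in seen:
                if other_site != site and net.overlaps(other_net):
                    findings.append(f"{site}: {port} {net} overlaps {other_site} {other_port} {other_net}")
            seen.append((net, site, port))
    return findings


# Excerpts of the Site1-1 and Site1-2 Appendix scripts (port4 and port5 only).
SITE1_1 = """config system interface
edit "port4"
set vdom "root"
set mode dhcp
set allowaccess ping
set type physical
set snmp-index 4
set defaultgw disable
next
edit "port5"
set vdom "root"
set ip 10.0.1.1 255.255.255.0
set allowaccess ping
set type physical
set snmp-index 5
next
end
"""
SITE1_2 = SITE1_1.replace("10.0.1.1", "10.0.2.1")

# Constructed broken site: port4 lacks "defaultgw disable" and port5 reuses site1-1's LAN.
BAD_SITE = SITE1_1.replace("set defaultgw disable\n", "")

if __name__ == "__main__":
    for finding in check_site_interfaces({"site1-1": SITE1_1, "site1-2": SITE1_2, "site-bad": BAD_SITE}):
        print(finding)
```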

FortiManager Guides
https://docs.fortinet.com/product/fortimanager/7.6
https://training.fortinet.com/local/staticpage/view.php?page=library_fortimanager-administrator

Jinja Documentation Wiki


https://github.com/fortinet-solutions-cse/sdwan-advpn-reference/wiki
Jinja Orchestrator
https://github.com/fortinet-solutions-cse/sdwan-advpn-reference/wiki/01-Basic-Operation
