NSE 5 FortiManager 6.2
How to delete an admin session in the CLI
1) Diagnose sys admin-session list 2) look for session_id 3) diagnose sys admin-session kill *session_id*
What 5 things will cause fortimanager to create a revision history
1) fortigate is added to fortimanager 2) device changes are installed 3) fortigate configuration is retrieved from fortimanager 4) a local change on fortigate causes an auto update 5) you revert to a previous revision and install changes
Steps to the import policy wizard
1) interface mapping 2) import policies and rename package
Steps to install wizard (4)
1) select either device settings only or device settings and policy package 2) device selection 3) validation (preview) 4) install
If the FGFM connection fails to reestablish after ____ min when you apply a change to the FG, what does FM do
15 min. It applies the unset commands
What is the link level address that fortimanager assigns to the fortigate for FGFM and why does it?
169.254.x.x is a link level address assigned for the management traffic for the FGFM tunnel
Port used for firmware image download, antivirus, IPS, web filtering, anti-spam updates from fortimanager to fortiguard Distribution servers
443
How many total devices can be in a FM HA cluster
5
How often are configuration and revision differences of managed devices checked and sent to FM
5 seconds
In backup ADOM mode, what is the only way fortimanager can make changes to a managed device
A script
Dynamic object
A single object name has different values depending on which device it is installed
Super_user
Access to all device and system permissions
Which management panes are available in normal ADOM mode
All of them
Set commands
Apply configuration changes
What must you specify when you configure sdwan
At least two interfaces and no policies associated with member interfaces
For command diagnose debug crashlog read where is the most recent crash log listed
At the bottom
Device manager changes on managed devices are _______on fortimanager in normal ADOM mode
Auto updated
Where should fortimanager be deployed
Behind a firewall on a trusted private network
Two type of scripts you can run
CLI Command line interface TCL tool command language
What type of scripts are supported on fortimanager
CLI and TCL
What are the advantages of security fabric on fortimanager
Can view network topology and important security ratings for each device
If an installation fail where can you look to see what stage the failure occurred in
Check the install log that's provided by the install wizard
What should you review after you upgrade a device or ADOM
Check the installation preview to identify if the changes caused by the upgrade are acceptable
Config system admin setting Set mgmt-addr <fmg NATed IP>
Configures the FM NATed IP so that FM sets this address on the fortigate during the discovery process, so the fortigate can announce itself and reestablish the FGFM tunnel
Workspace mode workflow
Controls the creation, configuration, and installation of firewall policies and objects. Approval is required before any changes can be installed on a device. All modifications in a session must be sent for approval
What other options are there other than assigning the default admin profiles to admin accounts
Create your own admin profile and assign it to the account. Edit the default profiles and assign them to the admin account
Header and footer policy rules
Created in the global ADOM layer of the management layer. Envelops each ADOM's policy and can be applied to multiple ADOMs that require the same policies and objects instead of maintaining multiple copies among the different ADOMs
What log levels are there
Debug Information Notification Warning Error Critical Alert Emergency
What level should you increase the log level to if you need to work with fortinet technical support and where can you increase it
Debug level CLI
What are the FM administrator profiles for
Define administrative permissions and are required for each admin account
To delete an ADOM what must you do first
Delete all device groups first
To delete a device group what do you do first
Delete all devices from it
Where will the global policy packages appear once assigned
Depending on whether it's a header or footer, but they will be on the local fortigate's policy and object pane
How to access sdwan configuration setup (which pane)
Device manager >sdwan
What does the crash log display
Device name and firmware, application process name, and signal information (indicates why it crashed)
Command to check HA status
Diagnose HA stats
How can you watch real time status in the CLI of a fortigate device being added to FM (command that could be beneficial in identifying issues with device registration)
Diagnose debug application depmanager 255 Diagnose debug enable
Real time debug command for script execution
Diagnose debug application depmanager 255 Diagnose debug enable
Debug command on FG and FM to debug the FGFM tunnel keepalives
Diagnose debug application fgfmd 255 Diagnose debug enable
Command to run debug on HA
Diagnose debug application ha 255 Diagnose debug enable
Command to see crash logs
Diagnose debug crashlog read
Command to disable debug output
Diagnose debug disable
List the database integrity check commands
Diagnose dvm check-integrity Diagnose cdb check ADOM-integrity Diagnose cdb check ADOM-revision Diagnose cdb check policy-packages Diagnose cdb check update-devinfo
Command to get device ID for a managed device
Diagnose dvm device list
Command to force HA FM cluster resync
Diagnose ha force-resync
Packet sniffer command
Diagnose sniffer packet <interface> <filter> <verbose> <count> <time stamp>
What command can be used to sniffer the FGFM protocol communication between FM and FG devices
Diagnose sniffer packet any "port 541"
Command that may be useful in troubleshooting disk related issues
Diagnose system print df (disk format)
Command to troubleshoot reload failure
Diagnose test deploymanager reloadconf <device ID> Will show what stage the configuration is failing to update the device level database
What is workspace mode and elements to it
Disables concurrent ADOM access and adds ADOM locking. Read/write access for the locker, read only for the lockee. If enabled you cannot make changes to devices until you lock it
What are the two options for adding a device in the add device wizard
Discover Add model device
What are the two general steps that fortigate goes through when it is added to FM
Discovery Adding
Object import step of the device registration
Displays objects being imported from fortigate to FM. Shows updates to the existing FM objects and new objects to import. Also displays duplicates but does not import them
In what formats can you view logs
Download Raw log Historical log
Reasons to configure FM as a local fortiguard server
Downloads all antivirus, ips packages, web filter, and email filter databases then updates the fortigates Reduces internet connection load
When do you apply system templates to devices
During registration
Where are all the revisions stored and how can you distinguish different revisions
Each revision gets an ID and they are stored in the revision repository
How do you move a registered device from one ADOM to another
Edit the destination ADOM in the system settings > all ADOMS > and add the new device under "select device"
If the NATed FM IP is configured on the fortigate, who can establish the FGFM tunnel if it's torn down
Either FM or fortigate
How can you add a VDOM to a device under device manager
Either go to the device system dashboard or click managed devices and right click the device and click add vdom
What is the "restore in offline mode" setting when restoring a FM backup
Enabled by default and can't be disabled. Makes it so the communication channel between FM and the managed devices is temporarily disabled as a safety measure (in other words FM disables the FGFM protocol)
Policy lock
Enables you to lock a policy package for editing instead of the whole ADOM
By default, what is enabled when you backup FM on the GUI
Encryption
Even though objects aren't copied from one ADOM to another what command can you use to copy objects from one ADOM to another
Execute fmpolicy copy-ADOM-object
Command to test device reachability from FM
Execute ping <fortigate ip> Execute ssh <fortigate ip>
what protocol is used to send configuration and revision differences of managed devices to FM
FGFM
Which devices can discover each other and which can reestablish the FGFM tunnel when the fortigate is behind a NATed device
FM can discover the fortigate through the NATed IP and fortigate can announce itself to FM
What two things are required for FM to manage devices (has to do with what the devices are connected to)
FM can manage any device connected to its interfaces. Static route: configure a static route on an interface so fortimanager can manage devices not directly connected
What is chassis management for
FM can work with the shelf monitor in the fortigate data center 5000 series chassis and monitor the security and network blades within
Configuration status - unknown
FM is unable to determine the synch status because fortigate is not reachable or there was a partial install failure
If you disable the auto update feature for local config changes on the fortigate, what won't be possible that will need to be done manually each time an update occurs
FM will no longer be able to tell if the policy package is the same, so it will return an out of sync error. You must run the import policy wizard
True or false a super_admin profile can approve changes for workspace workflow mode
False
True or false: an admin can only be assigned to one ADOM
False
True or false: fortimanager is aware of the HA clusters synch status
False
True or false: nested policy folders are not supported
False
True or false: you can't cancel an installation once it starts in the install wizard
False
True or false: you can't delete used objects
False
True or false: you can schedule FM backups on the GUI
False you can schedule in the CLI
True or false: in the install policy wizard you can schedule the install under the install device settings only
False you can under install policy package and device settings though
True or false- you can move header and footer policy packages assigned to an ADOM
False you can't
If a FG dies and you need to replace it you need to redo the whole discovery process again true or false
False you just replace the serial number manually with the serial number of the new one
True or false, security fabric ratings don't need to be enabled on the FortiOS before managing them in fortimanager
False you must generate the ratings before you can view the information in fortiOS
Which FGFM process runs on fortigate
Fgfmd
Which FGFM process runs on fortimanager
Fgfmsd
What objects are included in the ADOM database
Firewall objects Security profiles Users Devices
Import summary step of device registration
Firewall policies and objects are imported into FM. You can also download a report
What references dynamic interfaces and why should you use them
Firewall policies created in packages will reference the dynamic interfaces. Use them so FM knows how to apply the policies to each device
What is contained in policy packages
Firewall policies that link to the objects you define
What needs to match when restoring a FM back up file
Firmware version and model
How should you secure your FM hard drive if you plan on replacing it ?
Format the drive and use deep erase to overwrite with random data
What happens when you enable fortianalyzer features in the system settings dashboard
Fortianalyzer panes will be visible on the dashboard
What two things are required to configure two factor authentication with FM
Fortiauthenticator and FortiToken
When you use the discover option in the add device wizard what information is required
Fortigate IP Admin username and password with full read/write access
What is not synchronized between FMs in HA cluster
Fortiguard databases and logs Config settings for interface, HA, SNMP, routes, fortianalyzer
How is the FGFM tunnel authenticated
Fortimanager and fortigate SNs
Which statement about fortianalyzer features on fortimanager is true Fortimanager does not support the reports Fortimanager has logging rate restrictions as compared to fortianalyzer
Fortimanager has logging rate restrictions as compared to fortianalyzer
What does a policy package status of unknown indicate
Fortimanager is unable to determine the policy package status
What is visible on the system settings dashboard
Fortimanager system information such as name, SN, platform type, firmware, configuration, uptime, license information, number of devices managed by fortimanager, system resources (ram cpu disk usage)
Commands to retrieve IPS signature info on a fortigate (3)
Get ips rule status Get ips decoder status Get application name status
Command to check hard disk changes on fortigate
Get mgmt-data status
Command to display how often FM synchs it's time with NTP server
Get system NTP
How can you check the cluster members in a FM HA from the fortigate
Get system central-management Shows all the FM serial numbers
What command does FM run on the fortigate during the discovery process
Get system status
What are the three management layers (GAD)
Global ADOM layer ADOM Layer Device manager layer
Which of the following are included in the fortimanager backup Logs and firmware images Global databases and all devices
Global databases and all devices
How are global objects identified
Global objects start with a "g" (gall, gtelnet)
How can you track installation changes from a FM user
Go to log and report > system events on the managed fortigate device
How would you check the script history on a device
Go to the device dashboard and under script status click history
If you don't see a device that you want to install policy changes on what should you do
Go to the policy packages and add the device as an installation target
What are the three workspace mode lock colors
Gray=unlocked Green=locked by you Red=locked by user
How can you tell which revision the device is using currently
Green check mark
Where will a global header and footer policy appear in a fortigates firewall policy page
Header- top Footer- last
Policy folders
Help you manage policy packages so they can be organized based on your needs (organization, geography, security, legal requirements)
What issues would cause a failed reload
If the fortigate has inconsistent or corrupt configuration possibly from not following the upgrade path
Why would you as an approval admin discard a submitted session
If you don't agree with the changes
Import now vs import later options in the add device wizard
Import now- policy package is created and objects are added in the common ADOM database Import later - no policy package or objects are added. But they can be imported later using the import policy wizard
After you migrate a device from one ADOM to another what do you need to do
Import policy package and objects through the import wizard
After you import is complete in the import policy wizard what is that last thing displayed
Import summary and download import report
Policy package statuses (7)
Imported, Installed, Never installed, Modified, Out of sync, Conflict, Unknown
How can you resolve most policy status issues
Importing a policy package or installing a policy package
What two options do you have for importing objects in the import policy wizard
Importing all Import only used objects
import policy wizard
Imports policies and objects from the fortigate to fortimanager
What does the import policy wizard do
Imports policies and objects into fortimanager from a device and creates a new policy package
Where are provisioning templates stored
In the ADOMS global object database
How can you apply changes to a managed device (several options)
In the FM ADOM GUI, then apply changes to the specified managed devices Directly on the managed device via the CLI offered in FM
How to access the global policy database
In the global database ADOM
Install device settings only
Install only device settings for a select set of devices Policy and object settings are not installed
To create or edit a firewall policy what should you select
Ipv4
What is the main benefit of creating an sdwan using fortimanager
It allows creating an SDWAN for multiple fortigate devices
What is the main benefit of the policy locking feature
It allows locking a single policy package instead of a whole ADOM
What does the match all feature do when configuring an admin with a remote authentication server
It allows you to authenticate all users configured on a remote server
How does fortimanager determine if the sync status of a managed device is out of sync
It compares the current revision history with the fortigate configuration
What is the synch status and where can you view it
It compares the running device configuration with the current version in the revision history. Can be viewed on the device dashboard
What is the point of offline mode (basically why does the FGFM protocol need to be disabled) and when would you use it (2)
It enables you to change FM device settings without affecting the managed devices, or load a backup on a second FM for testing. That way the second FM cannot automatically connect to your FG devices and start managing them
What is the create revision option when installing policy package and device settings in the install wizard
It is an ADOM revision that creates a snapshot of the entire ADOM and not the changes to the specific policy, in case you need to revert
Describe the physical configuration of fortimanager
It is made up of layers represented as panes in the GUI.
What does the FGFM-sock-timeout command do
It sets the idle timeout setting for communication between FM and FG
What happens to the device settings status if you execute a script using the remote fortigate directly(via CLI) option
It will be tagged as auto-updated
What happens if you assign more than 1 global policy package to an individual adom
It will remove the previously assigned policies
Why should all devices in an ADOM be on the same firmware version
It's best to organize by device type then firmware version because the different firmware versions have different CLI syntax, which could affect script compatibility and other features
What two APIs are available on FM
JSON (java script object notation) XML (extensible markup language)
What can you use if you want to use APIs to monitor your system or to set or get data using third party devices
JSON and XML APIs
JSON API
JavaScript object notation API allows you to do many of the same tasks as the GUI and allows MSSPs and enterprises to create customized and branded web portals for policy and object administration
What can you filter through the logs data
Level Administrator Subtype Messages
How are sdwan rules evaluated
Like firewall policies from top to bottom
How to approve a session in workflow mode
Lock ADOM Under policy and objects session tab decide to approve, reject, discard, review diff
What do processes do to the database when they are using objects (kind of like what you do for ADOMS)
Lock and unlock the database
How can you prevent revisions from auto deletion
Lock them in the revisions tab
What will remove the lock on a device or policy package
Locking the ADOM
What fortianalyzer panes will be visible once the fortianalyzer features is enabled in the GUI or CLI
Log view Incidents and events Reports SOC
Fgdups
Main fortiguard process Responsible for database merging and consolidating smaller delta files into larger files
How to enable security fabric in FM
Managed devices Tools Global display options Security fabric
Device settings status - modified
Means the device level settings changed on fortimanager and changes need to be installed on the device to go back to unmodified
Common Cause for the script execution error- command parse error Common solution
Misspelled keyword or incorrect command format Check the script output
If you make configuration changes to a policy what will the policy package status be
Modified
Until changes are installed, the device setting status remains ______
Modified
If you are not satisfied with a devices configuration how can you change it
Modify on FM and install change to device Modify on the managed device and retrieve it from FM Revert to a previous config Import the fortigate configuration from a local computer
What to do if install failed because fortigate is not supported by ADOM version
Move fortigate to supported ADOM Perform install again
Objects can be used in only 1 or multiple policy packages?
Multiple
Unset commands
Needed to remove configuration changes
Is it recommended to move devices from one ADOM to another
No
What is the default ADOM mode
Normal
Why would you see a lot of changes on the first install you perform
Objects will be renamed during the import process and any unused objects will be removed so there could be a lot
Where can you enable/disable administrative domain and fortianalyzer features
On the system settings dashboard
What is recommended on the perimeter firewall when deploying fortimanager
Only allow the necessary ports in the firewall policy that allows access to fortimanager
If the fortigate is behind a NATed IP and the FGFM tunnel gets torn down which devices can re establish it
Only fortigate will attempt to reestablish the connection, if you configure the FM IP with the command config system central-management / set fmg <fmg IP address>. You still need to configure the fortigate with the FM IP. FM treats the device as unreachable and won't automatically attempt to reestablish the connection. You can manually attempt the connection from FM by clicking the refresh icon in the connection summary widget for the managed device in device manager
What color will the map icon be if the device configuration status or policy package configuration is out of sync or if there is no policy imported or no policy package installed
Orange
What are the four preinstalled default profiles that can be assigned to administrative users
Package_user Restricted_user Standard_user Super_user
Global ADOM layer
Part of the management layer. Contains the global object database and all the header and footer policy packages which envelop each ADOM's policies. Here you create header and footer policy rules that can be assigned to multiple ADOMs that require the same policies and objects
If configuration status is unknown what should you do
Perform a retrieve
When the configuration status is out of sync what is recommended to update the revision history
Perform a retrieve from FM
If script is run on the device database or policy package (ADOM database) what must you do after
Perform an install
How to ensure database integrity
Perform graceful shut downs Enable ADOM locking to avoid change conflicts Make sure everyone is logged off before performing firmware upgrades
Two options when performing policy check
Perform policy check View last policy check results
Header policy
Placed at the top of the policy package in the individual ADOMS
Footer policy
Placed at the bottom of the policy package in the individual ADOMs
How can you ensure that even if your network is down you will still have access to fortimanager
Plug a management computer directly into fortimanager or connect through a switch
What is not moved when you move a device from one ADOM to another
Policies and objects
How would you create an object to be added to the ADOM database for use in the policy packages
Policy & objects Left hand side under firewall objects
What are not imported into the ADOM database when a device is moved from one ADOM to another and how can you import them once the device moves over
Policy and objects Run the import policy wizard to import policy and objects into the ADOM database
Where is the only place to create sessions for workspace mode workflow
Policy and objects pane
Which database can the schedule script not run on
Policy package and ADOM database
Common cause for the script execution error - unknown action And common solution
Previous line of the script was not executed Check the script output
Backup ADOM mode
Purpose is to backup configuration changes made directly on the managed devices
When you enable fortianalyzer features on FM what will the device or VM do
Reboot
What color will the map icon be if there is an error status, the copy had failed, installation has failed or device is hard down
Red
What must be done to the device before it moves ADOMS (besides upgrading if the other ADOM is a higher version)
Register the device
Trusted hosts for administrative users
Restricts admins to logins from specific IPs or subnets
What does a config revert in the revision history do
Reverts the device database (device level settings) to a previous revision but will not revert policies and objects
How do you lock a device or policy package
Right click and click lock
Reinstall policy option
Same installation except there are no prompts and you can preview changes
Requirements for FM HA
Same model and firmware
What MUST you do before making changes and then trying to install them within an ADOM
Save
How do you submit a session in workflow mode
Save the session Under session in policy and object pane click submit
Where can you check if the scripts were run successfully (3)
Script history Task monitor Event log
Where can you re run scripts
Script history table
Where can you monitor SDWAN interfaces and traffic status
Sdwan monitor on device manager pane
What is the security rating feature
Security checks that can help you secure your organization's network. Checks include things such as password security, recommended login attempt thresholds, and encouraging two factor authentication
How do you configure the fortigate with the FMs IP in the GUI and what happens after you apply the settings
Security fabric > settings > central management. You will be logged out of the fortigate
Where can you customize a fortigates device level settings and how can you edit the tabs to your specifications
Select the device and use display options to customize the toolbar tabs with system, router, WAN, security profiles, VPN, query, CLI configurations etc
Purpose of cloning a policy or package and how to
Select the policy or package and under policy package click clone Could be used if you need to create a new policy package and only change a few values
FGFM-sock-time-out
Sent in a keep alive message by the FG. It is the maximum FM or FG communication socket idle time in seconds
FGFM_keepalive_itvl
Sent in the keep alive FGFM messages. It is the interval at which the FG will send keepalive signals to a FM to keep the FGFM protocol active
When replacing a standalone device you must manually change the _______and redeploy_____
Serial number configuration
What command script is only beneficial when run on the remote fortigate directly via CLI
Show commands to get device information
Command to display DNS server addresses
Show system dns
Command to display the network interface configuration such as configured ports and associated IP addresses as well as the enabled admin access protocols
Show system interface
Command to display automatic time setting using a NTP server
Show system ntp
Command to display static routing table entries on the FM device
Show system route
What is the revision history install log
Shows the name of the admin who made the change and what commands were sent to the device (almost like the install preview). Will also show where an install failed
What must be created in order for sdwan member interfaces to route/pass traffic
Static route and firewall policy
What three options are under the "sessions" tab for workflow mode
Submit Discard View diff
What user profile is required to enable ADOMs
Super_prof
Which of the following statements are true regarding scheduled backups of fortimanager Supports FTP SCP SFTP can be configured using the CLI and GUI
Supports FTP SCP SFTP
Protocol and port number for HA heartbeat
TCP 5199
Ports used for remote management of a fortigate device
TCP 541 TCP542(ipv6)
Listening port for antivirus and IPS updates for forticlient
TCP 80
Listening port for web services
TCP 8080
Listening port for fortiguard antivirus or IPS update request from a fortigate device
TCP 8890
What two views can you view devices on the device manager dashboard
Table and map view
ADOM revisions
Takes a snapshot of the policy & objects database for an ADOM so you can revert back to the original version if needed
Why is it crucial to match the ADOM version to the devices that will be in it
The ADOM version determines the CLI syntax used to configure the devices
Which device sends the keepalive messages for the FGFM tunnel
The FG
What is the basis of authentication between the fortigate and fortimanager after the fortigates login credentials are provided and the fortigate is moved from unmanaged to managed
The SN
What should be the same for all FM members when configuring HA
The cluster ID and group password
Device level settings status - auto updated
The configuration changes are made directly on the fortigate and have automatically updated the device database
What is the first operation FM performs when you perform a policy package install
The copy operation where FM tries to copy the ADOM level object or policy to the device database
Where should you add a chassis if enabled
The default chassis ADOM
What kind of information is displayed in the task monitor
The ID and source of the task, a description, the admin performing the task, the status (fail or success) and the time/date
Installation target
The intended device or devices for a policy package to be installed on
Give an example of a dynamically mapped firewall address
The logical ip on fortimanager is 192.168.1.0 but it is mapped to 10.10.10.0 on local fortigate and 10.10.11.0 on remote fortigate
What is the call home configuration
The minimum configuration needed on the fortigate in order for FM to be able to communicate with the device
To complete the addition of a new device in the discover option of the add device wizard what else do you need to provide (2 are optional)
The name of the fortigate Description System template
While you can clone a policy package, what does not get cloned that is used within a policy package
The objects
If you back up FM from the GUI what must you provide when restoring the backup
The password for encryption
What happens if you don't import all policies and later install a policy change through fortimanager
The policies that weren't added will be deleted
Where can you check what devices a provisioning template is applied to
The provisioning template tab next to the template "assigned to" The devices configuration and installation status widget next to system template
What fortigate is crucial to add as a managed device if you want to add an existing security fabric to fortimanager
The root fortigate
What is required to import a system template from one ADOM to another
The same adom firmware
When a management connection is requested, what is verified on the FG
The serial number
What is the ADOM type (2)
The types of devices that will be stored in the ADOM: FortiCarrier, FortiGate
Once devices are registered where can you find them
They appear in device manager in the ADOM they were added
What does a green check mark mean next to an admins name
They are logged in
What does no check mark mean next to an admins name
They are logged out
What are the FG FGFM keep alive messages and what are contained in them
They are messages sent from fortigate at configured intervals to the FM. They contain the configuration checksum and IPS version of the fortigate device. The messages include: FGFM-sock-time-out, the max FM or FG communication socket idle time in seconds; FGFM_keepalive_itvl, the interval at which the FG will send a keepalive signal to a FM device to keep the FM/FG communication protocol active
Purpose of fortimanager logs and where you can view them
They provide troubleshooting information about events that happen on FM. Found under System Settings > Event Log
Normal ADOM mode
This mode provides full access to make configuration changes from FM to ADOMs and managed devices
How else can FM validate admin logins besides locally
Through an external server such as LDAP, RADIUS, TACACS+, PKI
How do you enable FGFM access on fortigate
On the FortiGate interface facing FortiManager, by enabling FMG-Access under administrative access
How is the synchronized status calculated
By comparing revision checksums
Heartbeat interval
Time in seconds that a cluster member waits between sending heartbeat packets and expecting a packet from another member
What is the purpose of ADOMs on FortiManager? Options: (a) To enable FortiManager as a local FortiGuard distribution server (b) To divide administration of devices and restrict administrator access
(b) To divide administration of devices and restrict administrator access
Purpose of dynamic objects
To map a single logical object to a unique definition per device
Why should the ADOM version match the fortigate firmware version
To minimize CLI syntax issues between fortigate and fortimanager
What is the purpose of the global ADOM on FM
To push common policies (header and footer policies) and global objects to selected ADOMs
What is the # diagnose dvm device list command used for
To view individual cluster members on the HA cluster
How can you find unused objects
Tools > find unused objects
Where can you change ADOMs
Top right corner of GUI by your name
Five FortiGuard statuses
Up to date, Never updated, Pending, Problem, Unknown
If the value of an object is changed when you import a device policy, what will the import report show as the object type (as opposed to duplicate, new object, and so on)?
Update previous object
What is the sequence of upgrading an existing ADOM
Upgrade all the devices in the ADOM first and then the ADOM
Which of the following steps is the best practice after a FortiGate firmware upgrade? Options: (a) Push the policy package and run a script to update objects (b) Upgrade the ADOM and retrieve the configuration
(b) Upgrade the ADOM and retrieve the configuration
If you had an ADOM with version 5.4 devices and needed to upgrade only a few to 6.0 how would you do that since the 5.4 ADOM doesn't support 6.0
Upgrade the devices and then move them to a 6.0 ADOM
Three basic rules to prevent CLI scripts from failing (3)
1) Use complete FortiOS syntax instead of the short version 2) Don't start a command with #, or it won't execute 3) Ensure console output on the FortiGate CLI is set to standard
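A pre-flight check for the first two rules above, written as an added example (not FortiManager code or anything from the NSE course): it flags lines that start with `#` (treated as comments, so never executed; the TCL `#!` marker is the one exception) and abbreviated keywords. The `ABBREVIATIONS` table and `SAMPLE_SCRIPT` are constructed assumptions for illustration, not an official list; the third rule, console output set to standard, is a device-side setting that a script lint cannot see.

```python
"""Pre-flight lint for a FortiManager CLI script (added example, not
FortiManager code).  Checks rule 1 (full FortiOS syntax) and rule 2 (no
line starting with '#').  ABBREVIATIONS and SAMPLE_SCRIPT are assumed
sample data; extend the table for your own environment."""
import re

# Assumed short forms that FortiOS accepts interactively but that a
# CLI script pushed through FortiManager should spell out in full.
ABBREVIATIONS = {
    "conf": "config", "sys": "system", "glob": "global", "int": "interface",
    "fw": "firewall", "pol": "policy", "addr": "address",
}


def lint_cli_script(script):
    """Return [(line_no, message), ...] for every rule violation found."""
    issues = []
    for no, raw in enumerate(script.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        # Rule 2: '#' marks a comment, so the line is silently skipped.
        # '#!' is the TCL script marker and is the only allowed exception.
        if line.startswith("#") and not line.startswith("#!"):
            issues.append((no, "starts with '#' and will not execute"))
            continue
        tokens = re.split(r"\s+", line)
        head = tokens[0].lower()
        head = ABBREVIATIONS.get(head, head)
        # Rule 1: check every keyword of a 'config' line, but only the
        # leading keyword of other lines, because 'set'/'edit' values
        # are free text and may legitimately contain short words.
        to_check = tokens if head == "config" else tokens[:1]
        for tok in to_check:
            full = ABBREVIATIONS.get(tok.lower())
            if full:
                issues.append((no, f"abbreviated keyword '{tok}', use '{full}'"))
    return issues


# Constructed sample: a comment line and abbreviated keywords, then a clean block.
SAMPLE_SCRIPT = """\
# hostname and DNS for branch firewalls
conf sys global
    set hostname branch-fw-01
end
config system dns
    set primary 10.0.0.53
end
"""

if __name__ == "__main__":
    for line_no, msg in lint_cli_script(SAMPLE_SCRIPT):
        print(f"line {line_no}: {msg}")
```

Run it against a script before scheduling it: the first line of the sample would be dropped as a comment, and `conf sys global` would be rejected, while the `config system dns` block passes.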
What can you do in the provisioning templates section of device manager
Use the default or create a custom template for system, threat weight, or certificates and assign them to devices within a single ADOM to create identical device-level settings across managed devices
How can you sort through the task monitor for running, pending, cancelling, or aborting tasks?
Use the filter at the top
What should you do once you move a device from one ADOM to another?
Use the import policy wizard
If you want to use web services to monitor your system what should you use
The WSDL file, available under the advanced settings
WSDL
Web Services Description Language. A standards-based, platform-independent access method for hardware and software APIs. The file you download defines the format of the commands FortiManager will accept and the expected responses
FGD
Web filter and email filter
Policy and object step of the FM device registration
The wizard searches for all policies to import into the FM database and into a new policy package under the Policy & Objects pane. You can name the new package and decide whether you want all or only some of the policies and objects to be imported.
Which of the following statements is true regarding workflow mode? Options: (a) Workflow mode is enabled only on the FM CLI (b) Workflow sessions can be created by locking an individual policy package
(a) Workflow mode is enabled only on the FM CLI
Can you create multiple versions of a policy package in case you need to revert back to the old policies ?
Yes
If you have configured IPSec VPNs with VPN manager and move the managed device to a different ADOM will the VPNs need to be reconfigured
Yes
If you make configuration changes directly on a managed device, through the CLI or GUI, what happens within FM? Does FM document the changes made even though it was directly on the device?
Yes, a local change on the device will trigger the managed device to automatically update the FortiGate revision history on FM
What is the main purpose of using APIs on FM
You can manage a FM device using third party hardware and software
System provision template
Create and manage common system-level settings for managed devices
Threat weight provisioning template
Create threat weights that track client behavior and report on behaviors you deem risky
Changes from the Policy & Objects pane are made to the ______
ADOM database (ADOM-level database); they reach the device database only when the policy package is installed
Changes made from the device manager pane are made to the_______
device database
Command to export system template from an ADOM
execute fmprofile export-profile <ADOM name> <profile name> <output file name>
Steps to import provisioning template from one ADOM to another
1) execute fmprofile export-profile <ADOM name> <profile name> <output file name> 2) execute fmprofile import-profile <ADOM name> <profile name> <full path of exported file>
Each ADOM is associated with a specific ___________
firmware version
Where do you back up FM
On the System Settings dashboard, in the System Information widget next to System Configuration
Listening port for HA heartbeat (fortimanager HA cluster)
TCP 5199
What is the management module represented as in the GUI
the device manager pane
Why is an HA cluster counted as one device in FM
they share the same configuration
What should you do instead of moving a device from one ADOM to another
upgrade the device then upgrade the ADOM
What is each disk partition used for in FM? /dev/shm, /tmp, /data, /var, /drive0, /storage
/dev/shm - shared memory; /tmp - temporary file storage; /data - flash disk; /var - FM database storage; /drive0 - FortiAnalyzer archives; /storage - FortiAnalyzer log and report storage
How many devices does an HA cluster and an individual VDOM count as in device manager
1
How many global policy packages can be assigned to an individual ADOM
1
How many policy packages can a device use
1
What are the default management port, IP, protocols, and password?
Port 1; 192.168.1.99/24; ping, HTTPS, HTTP, SSH; username admin with a blank password
What two methods can register a device in Fm
1) The device registration wizard 2) Request registration on the device
Requirements for sdwan configuration on fortigate (4)
1) At least two member interfaces 2) Interfaces should not be referenced by any other configuration 3) Interfaces must be physical, aggregate, VLAN, or IPsec interfaces 4) Only one SD-WAN interface per VDOM
How to assign a global policy package to an ADOM (8)
1) Go to the global ADOM database 2) Select the policy package you want to assign 3) Click Assignment 4) Add ADOM 5) Choose the ADOMs to add 6) Exclude any of the ADOM's policies that you don't want the global policy package applied to 7) Click OK 8) The status will be pending, so click Assign to finalize
Install wizard steps
1) Select one of the two install types 2) Select the device(s) to install on 3) Validation - the install wizard checks the device settings and compares them with the latest revision history 4) Preview changes 5) Installation
If there is an HA synch failure what four things can you do to resolve
1) Run the packet sniffer on port 5199 2) Check alert messages and event logs for HA errors (System Settings > Dashboard, System Settings > Event Log) 3) Run the debug on the HA daemon on all members (diagnose debug application ha 255, then diagnose debug enable) 4) Check for any pending sync data
Steps to create workflow approval group (4)
1) Select the ADOM that the group applies to 2) Add the admins who can approve changes 3) Select which email address to send notifications to 4) Select a mail server, configured on the Mail Server pane, that will be used to send the notifications
How do you start a new session in workflow mode (3)
1) Select and lock the ADOM 2) Open the session list on the Policy & Objects pane 3) Create a new session
What verbosity levels does FM support for the packet sniffer
1,2,3
Verbosity 1,2,3
1 - packet headers only; 2 - packet headers and IP data; 3 - packet headers and Ethernet data (MAC addresses)
What are 4 ways to modify or define configuration for device level database
1. Assign a provisioning template 2. Using the device manager GUI 3. Using CLI scripts on the device database 4. Using revision history
What does the initial configuration of fortimanager involve
1. Choosing a management interface (default: port 1) 2. Setting an IP address on the management subnet or private network where FM will reside 3. Choosing administrative access protocols 4. Enabling/disabling service access for FortiGuard update requests and web filtering requests from managed devices on that interface 5. Default gateway 6. Primary and secondary DNS servers
Four stages of the fortinet device management life cycle
1. Deployment - the admin configures the Fortinet devices 2. Monitoring - the admin monitors the status and health of the devices 3. Maintenance - the admin performs configuration updates to maintain the devices 4. Upgrading - virus definitions, attack and DLP signatures, web and email filtering databases, and firmware images are kept up to date
Steps to replace a managed device (5)
1. Note the original FortiGate device name (use diagnose dvm device list) 2. Update the serial number of the replaced FortiGate: execute device replace <devname> <new serial number> 3. Verify that FM updated the serial number in the database 4. Send a registration request from the replacement FortiGate 5. If the connection is down after updating the serial number, you may need to reclaim the management tunnel: execute fgfm reclaim-dev-tunnel <optional device name>
What are the 4 ADOM version types and which OS versions are supported in each?
5.4 ADOM - 5.4 and 5.6; 5.6 ADOM - 5.6 and 6.0; 6.0 ADOM - 6.0 only; 6.2 ADOM - 6.0 and 6.2
The same ADOM can manage different firmware versions if fortigate devices run:
5.4 and 5.6
Which port is used between FortiManager and FortiGate for IPv4 remote configuration management of FortiGate devices? Options: (a) TCP 541 (b) TCP 514
(a) TCP 541
What is sent from the fortigate to the fortimanager so FM knows the fortigate is online and configuration hasn't changed
A keep alive message containing the checksum of the fortigate configuration
Which one of the following statements is correct regarding a policy package? Options: (a) A policy package can have multiple installation targets in an ADOM (b) There can be only one policy package per ADOM
(a) A policy package can have multiple installation targets in an ADOM
What is the Pending Module Data value in the HA cluster status?
A value in that column means there are updates that still must be synced to the secondary devices. The value should be 0, which means synchronization is working
What should be assigned to the fortimanager if admins will be making in bound connections to the fortimanager over the internet
A virtual IP
An admin configured a new firewall policy on FortiManager and has not yet pushed the changes to the managed FortiGate. In which database will the configuration be saved? Options: (a) ADOM-level database (b) Device-level database
(a) ADOM-level database
What database are policies and objects stored in
ADOM level database
Which statement about a large MSSP using FM is true? Options: (a) Each customer must have a dedicated FM device (b) ADOMs can be used to separate customers
(b) ADOMs can be used to separate customers
How can you configure the FM HA cluster
Active-passive; the members can also be configured to act as independent local FortiGuard servers
Four main wizards in device manager
Add device, Install wizard, Import policy, Re-install policy
What is used to link an offline device to fortimanager (2)
Add model device in the Add Device wizard, using the FortiGate serial number or a pre-shared key
What kind of features can you dynamically map
Addresses, interfaces, virtual IPs, IP pools, etc.
What does the common object database for ADOMS contain
Addresses, services, security profiles, etc.
Add device wizard
Adds devices to central management and imports their configurations; this includes importing the policies and objects on the device
How can you control and restrict administrator access in FM (3)
Admin profiles, ADOMs, trusted hosts
When is a policy lock automatically released?
On admin timeout, or if the session is closed without unlocking the policy package
When do you import the policies into a new policy package when adding devices? Before, during, or after authorization?
After
When and how can you upgrade ADOM versions
After all devices in the ADOM are upgraded: System Settings > All ADOMs > right-click the ADOM
What links does sdwan support
Aggregate, VLAN, IPsec, physical
Global policies and objects are shared among______
All ADOMs
What is synchronized to the secondary FMs in HA cluster
All device configurations, all revisions, and the device and policy databases
What happens if you revert to an old ADOM revision
All policy packages and objects will be reverted to that revision
When controlling administrative access through ADOMS on the admins user settings what three options do you have?
Allow access to all ADOMs; allow access to all ADOMs except ____; allow access to only specific ADOMs
Sdwan template
Allows you to add SD-WAN components to a single template to apply to your devices. You can add interface members, performance SLAs, and SD-WAN rules
Sdwan rules
Allow you to configure which traffic you want to route through which interface based on latency, jitter, or packet loss
What is a provisioning template in device manager
Allow you to create profiles that contain device-level settings such as DNS and NTP server information and admin and SNMP settings. These templates can be applied across many devices to give them identical device settings
What are dynamic objects and per device mapping
They allow you to map a single logical object (on FM) to a unique definition per device. The object has a common value in FM, but when it is used it maps to a device-specific value, so one object can be used with multiple devices and still match each device's own value. In short, it lets you use one object for multiple devices instead of creating the same type of object for each device
System admin type (when creating a new admin profile)
Allows more options and granularity when choosing permissions. You can configure it so the admin can do as much or as little as their job requires. Examples include: ADOM (read/write, read, none), FortiGuard Center, Device Manager, terminal access, SD-WAN, Policy & Objects, lock/unlock domain
Restricted admin type (when creating a new admin profile)
Allows the admin to make changes only to the web filter profile, application filter, or IPS sensor associated with their ADOM
What is the display options feature used for in policy and objects
Allows you to show or hide specific features in the GUI
What is the quick install option
Allows you to perform a quick install of device-level settings without launching the wizard. It does not allow you to preview changes or cancel the process once initiated
What should you do before running a new debug and why
Always reset the debug level so you don't see output from debugs still running in the background: diagnose debug reset
Cause of a failed install
An ADOM and fortigate version mismatch
In workflow mode you notice there are several sessions needing approval. You try to approve one but the action is denied. Why might this be? (Think about which option during review, on the submitting admin's side, would cause this)
An admin submitted a session and you rejected it. They have not yet submitted a repair, so you cannot approve any other sessions submitted by them until the rejected one is repaired
Who can see the complete admins list
An admin with super_user or the default admin
Which of the following statements about copy failed is true? Options: (a) An operation that fails to copy the device database from the revision history (b) An operation that fails to copy the ADOM-level policy or object to the device database
(b) An operation that fails to copy the ADOM-level policy or object to the device database
Failed reload
An operation that fails to update the device-level database from the revision history database
In the scripts section what does advanced filters do
Limits the script so that it only executes on devices that match the specified criteria
What is the OID for in the diagnose dvm device list command
An object ID used to reference the device in CLI commands
FDS
Antivirus and ips
Purpose of admin profiles
Applied to admin users; used to specify permissions within the given ADOM or ADOMs
When FM applies configuration changes to the FG how does it apply them so it can recover if the FGFM tunnel goes down
It applies them in FortiGate memory without saving the configuration, then checks that the FGFM tunnel is still up before the change is kept
If you have hundreds of policies and need to search for a specific one what should you do
Apply a filter in the search field
In workspace workflow mode what options does an admin have to decide what to do with changes submitted for approval (4)
Approve Reject Discard View changes
After you create a header policy what do you do next to apply it
Assign the policy to a policy package in an individual ADOM
What should you do before running database integrity commands (2)
Back up the configuration; unlock all ADOMs
When backing up FM on the system dashboard, what will and won't be backed up
Backs up: all devices, the global database, the flash configuration. Does not back up: logs, FortiGuard objects, firmware images
How do you migrate a backup from one FM to another FM? (2 steps)
1) Back up the original FM 2) On the CLI of the second FM run: execute migrate all-settings {ftp | scp | sftp} <server> <filepath> <user> <password>
Default implicit sdwan rule
Balances traffic among all available interface members
What does an administrator need to do to be able to approve session changes for workspace workflow mode
Become part of an approval group under System Settings > Admin > Workflow Approval
What does the FGFM daemon run on fortigate or fortimanager?
Both: fgfmd on the FortiGate, fgfmsd on the FortiManager
When neither device is behind NAT which device will reestablish the FGFM tunnel when it is torn down
Both of them will try
Similarities and Difference between fortianalyzer and fortimanager
Both run on the same hardware and software platform, and both can be used for logging and reporting. FortiManager has a limit on log rates and cannot log as much as FortiAnalyzer, because it needs its system resources for other features such as configuration management
Find unused objects GUI tool
A built-in tool to help admins locate any firewall objects in the database that aren't being used, and delete them
How is the administration of devices divided
By ADOM
How do you identify the root fortigate in fortimanager security fabric
By an asterisk (*) at the end of the root FortiGate's name
How can you restrict an admin's access to only a few ADOMs on FortiManager?
By assigning ADOMs to the admin's account
How to see the CLI commands that will be pushed to a FG device by a specific provisioning template
CLI command: execute fmpolicy print-prov-templates <ADOM> <template type #> <package> <category>
Operational Difference between TCL and CLI script on FM
CLI scripts run over the FGFM tunnel; TCL scripts use SSH
If secondary FM member fails what do you do
Reconfigure the primary device to remove the peer ID of the failed secondary, or leave the configuration in place for when the device comes back online
What Is the the CLI only objects menu in device manager and policy & objects pane for and how do you enable it
It can be enabled in display options and allows you to configure device settings that are normally only visible in the CLI. Examples include antivirus, DNS filter, FTP proxy, WAF, and IPS
What questions should you ask if FortiManager and FortiGate cannot discover each other?
Can they contact each other? Does the FM admin have sufficient privileges to add the FG? Is FM in offline mode? Is TCP 541 between FM and FG blocked? Are the IP and credentials correct? Is FMG-Access disabled on the interface? Is the FG in the unauthorized device list?
What can you do if a task is suspended and holding up other pending tasks
Cancel or delete
Explain the command diagnose sniffer packet any "host 192.168.1.99 and port 541" 1 5 1
Capture on any interface the packets to or from host 192.168.1.99 on port 541, with verbosity 1 (packet headers only), stopping after 5 packets, with local timestamps
What can an unexpected shutdown do to FM
Cause filesystem and database corruption
What are the default groupings of ADOMS on the ALL ADOM management page
Centralized management, backup mode, other device types
Key features of fortimanager (CCALLSPFF)
Centralized management; configuration revision control and tracking; ADOMs; local FortiGuard service; logging and reporting; scripting; pane managers (VPN, FortiAP, FortiSwitch, and Fabric View); FortiMeter (Fortinet VM on demand); firmware management
How to check for failures when performing imports or installations
Check the logs; they will tell you why it failed
Retrieve config in the revision history button
Checks the current configuration on the device and compares it to the revision history. If there is a difference, it updates the FortiManager revision repository
If you do not see the security fabric group name after configuring the security fabric, what should you do when looking at the device manager
Click refresh
What information does the revision history display
Configuration, install log, revision difference, who the revision was created by, and what type of installation it was (retrieved or installed)
If you configure backup ADOM mode, what specific events (4) must occur in order for config revisions made directly on the managed devices to be sent back to FM?
Config change followed by session timeout; config change followed by logout; config change followed by reboot; manual config backup from the managed device
Command to enable automatic registration of an unauthorized device in Fm
config system admin setting
    set allow_register {enable | disable}
end
Command to enable TCL scripting
config system admin setting
    set show_tcl_script enable
end
Command to disable automatic updates from fortigate to FM
config system admin setting
    set auto-update disable
end
CLI command to schedule FM backups
config system backup all-settings
    set status {enable | disable}
    set server <IPv4 address or FQDN>
    set protocol {ftp | scp | sftp}
end
How do you configure fortigate to use FM as a FDS server
config system central-management
    config server-list
        edit 1
            set server-type update rating
            set server-address <FM IP>
        next
    end
    set include-default-servers {enable | disable}
end
(enable: fall back to the public FDS if FM is unavailable; disable: use only the FM FDS)
Command to configure the FortiGate with the FM IP so it can announce itself to FM when the FortiGate is behind a NAT device, or when FM (version 6.0 and earlier) is behind a NAT device
config system central-management
    set fmg <FM IP>
end
If you use the preshared key to register a device with fortimanager what do you need to configure on the fortigate
config system central-management
    set type fortimanager
    set fmg <FM IP>
end
execute central-mgmt register-device <FM serial number> <FM registration password>
If you use the SN to register a device with FM what needs to be configured on the fortigate
config system central-management
    set type fortimanager
    set fmg <FortiManager IP>
end
Command to set console output to standard
config system console
    set output standard
end
Command to configure fgfm-sock-timeout and fgfm_keepalive_itvl (set on FM under config system dm; the FG sends the keepalives at that interval)
config system dm
    set fgfm-sock-timeout <seconds>
    set fgfm_keepalive_itvl <seconds>
end
FM command to reboot the FG and restore config file if the FGFM tunnel goes down and won't restore
config system dm
    set rollback-allow-reboot enable
end
Enable ADOM in CLI command
config system global
    set adom-status {enable | disable}
end
Command to enable workspace workflow mode
config system global
    set workspace-mode workflow
end
How do you disable concurrent access to the same ADOM?
config system global
    set workspace-mode normal
end
(normal enables workspace mode, in which an admin must lock an ADOM before editing it; disabled is the default and allows concurrent access)
Use case for a backup ADOM
Configuration changes will be made directly on the devices and you want to use FM to track changes and control revisions
When configuring sdwan in fortimanager what two things do you set up first (hint something to do with the link is one)
Configure Health check servers Create interface members
How do you finalize the security fabric settings (after installing to the devices)
Configure fortianalyzer settings on the root fortigate and authorize all devices
How can fortigate announce itself to a NATed FM or try and reestablish the FGFM tunnel
Configure the NATed FM IP on the FortiGate with the command:
config system central-management
    set fmg <FM NATed IP>
end
If FM is behind a NAT device what is recommended to configure
Configure the NATed IP of FM on FM itself:
config system admin setting
    set mgmt-addr <FM NATed IP>
end
config system central-management / set fmg <FM NATed IP>
Configures the FortiGate with the FM NATed IP so that the FortiGate can announce itself to FM and re-establish the FGFM tunnel
Global adom
Contains global objects and header and footer policies
What is the global object database for the global ADOM layer
Database of global objects such as addresses, services, and security profiles that can be shared across multiple ADOMS
Security recommendations for deploying fortimanager
Deploy it behind a firewall on a trusted private network, not on the internet; use secure communication methods only (HTTPS and SSH); configure trusted hosts; use secure passwords and a password policy so that only strong passwords can be used
What three ways can scripts be run, and which is the default?
On the device database (default); on the policy package / ADOM database; on the remote FortiGate directly
What does the device settings status Modified indicate?
Device-level configuration changes have been made on FortiManager for the managed device and have not yet been installed
You run diagnose dvm device list and see pkg: modified cond: ok. What does this indicate?
Device-level settings are unchanged (config status is synchronized), but the policy package has been modified on FortiManager
Steps to configure root fortigate for security fabric settings on FM
Device Manager > System: Security Fabric > enable Security Fabric > configure a group name > configure a password for the group
How to configure downstream fortigates for the security fabric in FM
Device Manager > System: Security Fabric > same group name as the root > same group password > Connect to upstream FortiGate > configure the upstream FortiGate IP (FortiGate IP or management IP)
What two ways can you access the install wizard
Device Manager; Policy & Objects
Where is the import policy wizard
Device Manager > Managed Devices > select the device > Import Policy
What are some options in deciding which devices go into which ADOM?
Device type (FortiGate, FortiManager, FortiWeb); firmware version (5.6, 6.2); geographic region; customer; administrator; organizational aspect (test network, production network)
What can't you change in the default ADOMs
Device type or firmware version
What device can you add to a device group
Devices in the same ADOM
Describe map view and how you can add devices to the map
Devices appear on Google Maps. You enter the device location manually in the device location settings, or drag the device to the correct position. Map view indicates the status of each device by color
Command to enable the debug output before specifying the debug
diagnose debug enable
What are the two CLI commands for debugging ADOM upgrade issues
diagnose debug enable, then diagnose debug service cbd 255
How do you reset debug level on fortigate
diagnose debug reset
Command that lists all devices or VDOMs, managed and unregistered. It also shows serial numbers, IPs, firmware, HA mode, and the status of the device-level settings and the policy package. Hint: dvm = device manager
diagnose dvm device list
Command to see device members of an HA cluster
diagnose dvm device list
Command to check for unexpected locked processes
diagnose dvm lock
Command to check for any stuck processes/tasks so they don't hold up other processes
diagnose dvm proc list
Command to list the status of FGFM tunnels for all managed devices (connecting IP, uptime, link-level address)
diagnose fgfm session-list
What command script syntax is special for fortimanager
Dynamic mappings for objects and interfaces
TCL
A dynamic scripting language that extends the functionality of CLI scripting. The first line of the script is #!
1st step to create an SDWAN using fortimanager
Enable SD-WAN management in the ADOM: System Settings > All ADOMs > select the ADOM > Central Management > SD-WAN
ADOM
Enables the admin to create groupings of devices (or VDOMs) to monitor and manage. They can be used to separate devices based on geographic location, functionality, or customer. The purpose is to segment and control administrator access.
Which command is useful when troubleshooting ADOM-level issues? Options: (a) execute fmpolicy print-device-object (b) execute fmpolicy print-adom-database
(b) execute fmpolicy print-adom-database
Command to display the entire ADOM database with all policy packages and objects
execute fmpolicy print-adom-database <ADOM>
Command to display firewall policies contained in a specific policy package in the adom
execute fmpolicy print-adom-package <ADOM> <package> <category>
Command to display firewall policies on a managed device
execute fmpolicy print-adom-package <ADOM> <package> <category>
CLI command to view the whole configuration of a managed device (including any device level changes but not including system template changes)
execute fmpolicy print-device-database <ADOM> <device name>
Command to import system template profile to a second ADOM
execute fmprofile import-profile <ADOM name> <profile name> <full path of exported file>
Command to clean script schedule for all non existing devices
execute fmscript clean-sched
Command to copy scripts between ADOMs
execute fmscript copy
Command to import a script into FortiManager
execute fmscript import
Command to list scripts in adoms
execute fmscript list <ADOM name>
Command to show a run script log for a device
execute fmscript showlog <device name>
Command to format the disk and erase all device settings, images, FortiGuard databases, and log data on FortiManager's hard drive. Bonus: what can you add to keep the files left on the hard drive from being recovered by forensic tools?
execute format {disk | disk-ext4} <RAID-level> deep-erase <erase-count> (deep-erase overwrites the files on the hard disk with random data the specified number of times)
Command to display processes responsible for high i/o usage
execute iotop
If you are experiencing communication issues between FM and fortigate what command should you execute first
execute ping
Tests the network connection between FM and another network device
execute ping
Command to reset all FM configuration except interface and routing configurations
execute reset all-except-ip
Command to reset all settings and return FM to factory default
execute reset all-settings
Command to perform a graceful shutdown
execute shutdown
Command to determine if FGFM tunnel is up
execute ssh <FortiGate FGFM IP>
Command to test reachability of FM port 541 from the device
execute telnet <FortiManager IP> 541
Command to see processes with high resource utilization
execute top
What should you not include at the end of a TCL script that will prevent the script from running
exit
Explain how FM behind NAT, FG behind NAT, and both Behind NAT work with discovery and tunnel reestablishment
FM behind NAT: only FM can discover the FG, and only FM can re-establish the tunnel, unless you configure the FG with the NATed FM IP or configure FM to send its own NATed IP to the FG during discovery. FG behind NAT: FM can discover the FortiGate through the FG's NATed IP, and the FortiGate can announce itself if the FM IP is configured on the FG; if the tunnel is torn down, only the FG can re-establish it. Both behind NAT: FM can discover the FG through the FG's NATed IP, the FG can announce itself if the NATed FM IP is configured in its central-management settings, and only the FG can re-establish the tunnel, and only if the FM IP is configured on it.
What happens in the object conflicts step of device registration
FM checks for object conflicts or duplicates between FM and fortigate and allows you to view details and pick if you want to use the value from FM or fortigate
How does fortimanager know when the fortigate configuration changes
FM compares the configuration stored in the revision history to the configuration on the fortigate (using checksums). It also uses statuses so it knows what action to take
What if both FM and FG are behind a NATed device? Who can discover/announce? And what if the FGFM tunnel goes down
FM discovers the fortigate through the fortigate NATed IP, but FM cannot re-establish the connection if the tunnel goes down. If the fortimanager IP is configured on the fortigate with config system central-management / set fmg <fmg NATed ip>, then the fortigate will try to re-establish the FGFM connection if it is down
What type of commands does FM send to FG to make configuration changes (think of syntax)
FM sends set and unset commands to the fortigate when making configuration changes
Describe the recovery logic of the FGFM tunnel and what FM does to ensure the connection remains established when making configuration changes to the fortigate
FM sends set and unset commands to the fortigate when making configuration changes. If a set command is sent and the FGFM tunnel goes down, FM will try to recover the tunnel by unsetting the command that made it go down
What happens when you import a device into FM with an existing configuration
FM will import the FortiGate's firewall policies into a new policy package and save the objects into the ADOM database
In order for fortigate to communicate with fortimanager what needs to be enabled on the fortimanager facing interface
FMG-Access
What FM panes are visible in the GUI
Fabric view, Device manager, Policy & objects, AP manager, VPN manager, FortiSwitch manager, FortiGuard, SOC, System settings
What are the four manager planes available on fortimanager
Fabric view, VPN manager, AP manager, FortiSwitch manager
Where can you view the security fabric ratings on FM
Fabric view pane
Where can you view the security fabric topology (2 spots two different panes)
1) Fabric view pane, physical or logical topology tab 2) Device manager pane: right-click the security fabric group or device and click fabric topology
Which of the following is true regarding system templates: (a) they facilitate identical device-level settings across many devices; (b) you can use them to install a common policy package across multiple devices
They facilitate identical device-level settings across many devices
True or false: policy check will allow you to make changes
False
True or false: you can't move system template profiles between ADOMs
False
True or false: when creating an ADOM of a fortigate type, the firmware version you specify for the ADOM does not need to match the version on the fortigate devices you add to the ADOM
False it needs to match the managed devices you add
True or false: even though you should make changes on the primary you can make changes on a secondary FM in HA
False, it will not let you if it is a secondary (slave) member
True or false A user must start the session then lock the ADOM in workflow mode
False, you must lock the ADOM and then create the session
True or false: you must create separate objects for each policy package
False objects can be shared between multiple policy packages in the same ADOM
True or false: all the management panes are available in backup ADOM mode
False only a few of them are
True or false: when you import address and service objects into a backup ADOM they are stored in the central database
False they are stored in the device manager database
True or false: you can only create one policy package per device
False you can create a package that applies to multiple devices
How can you force-establish a connection from FM to a fortigate when the FGFM tunnel goes down and the fortigate is behind a NAT device
Go to Device manager, select the device, go to the connection summary widget and click refresh
If you see a device sitting in the unauthorized section of device manager in fortimanager, who initiated the request, fortigate or FM
Fortigate
When fortimanager is behind a NATed device how does device discovery work and what happens if the FGFM tunnel goes down (by default)
Fortimanager can only discover the fortigate and the fortigate cannot announce itself to FM. Also, only FM can establish the FGFM tunnel if it is torn down; the fortigate will not be able to re-establish it
What is a useful feature that can help admins revert to previous revisions of a configuration or audit configuration changes
Fortimanager will detect configuration changes made locally or within fortimanager and compare the previous and updated versions which will then be logged
Which way is the FGFM tunnel initiated
Fortimanager, during the discovery/add process; fortigate, if a management request is sent by the fortigate
What needs to be enabled on any interfaces facing a downstream or upstream fortigate for the security fabric
Fortitelemetry
What is the device settings status and where can you access it
Found under the configuration and installation widget on the device dashboard (under synch status) and it indicates the status of the device settings on fortimanager
Command to see overall resource utilization
Get system performance
Command that displays the serial number, firmware version, ADOM status, HA status
Get system status
Command to check current status including serial number firmware ADOM and HA status
Get system status
What command does FM run on the FG during the discovery and add process
get system status; get system interface; get system interface physical; get hardware status; get mgmt-data status; config system central-management / set type fortimanager / unset serial-number / set serial-number "xxxxxxx" / set fmg "fmg IP" / end; get ips rule status; get ips decoder status; get application name status
What standard management ports does fortimanager use
HTTP 80, HTTPS 443, SSH 22
What do fortiguard services entail
IPS, antivirus, web filter and email filter
Which of the following features is available in the restricted admin profile: (a) device registration; (b) IPS sensor
IPS sensor
Import policy wizard
Import interface mapping, policy database, and objects associated with the managed devices into a policy package under the policy and objects pane
Where would you find ADOM revisions
In the policy and objects tab
Where does fortimanager store fortigate configurations (remember the picture)
In the revision history
Downfall of having a lot of ADOM revisions
Increases the size of configuration backups
What does the import policy report show
Information about the fortigate: ADOM name on FM, policy package name, objects added
By default what is the FM log setting severity set to
Informational
Install policy package and device settings option
Install a selected policy package and any device specific settings for devices are also installed
Before upgrading an ADOM what should you do? (Hint: pending installations)
Install any pending device settings or policy package changes. After installation, make sure the policy package and configurations are all synchronized
Install wizard
Install configuration changes from device manager or policies & objects to the managed devices. It also allows you to preview the changes before applying them
Which option should you select when installing policy package changes
Install policy package and device settings
What are the two installation types for the install wizard
1) Install policy package and device settings 2) Install device settings only
Once you add a Vdom to a managed device what do you need to do to finalize the change
Install the Changes to the managed device
Installation target per policy purpose and how you select devices
Installation targets let you apply the whole policy package to all devices (installation targets), while per-policy targets let you install a single policy on only a selected device, in case some policies are needed on all devices and one policy is needed on only one of them. To select a specific device, or all installation targets, go to the IPv4 policy package and scroll to the "install on" column to select devices or all
When fortimanager and fortigate are in sync what will the policy package status be
Installed
Examples of device level settings
Interface, DHCP server, HA, SNMP, FortiGuard, static routes, OSPF, DNS, admin settings, CA certificates, policy routes, BGP, IPsec
Difference between dynamic interface and zone mapping
An interface will map one-to-one on the managed device, while a zone will be created locally on the fortigate
What Does FM discover about the device when you use the discover option in the add device wizard
IP, hostname, SN, model, firmware version, HA status, admin user name
Which statement is true regarding locking an ADOM: (a) it automatically removes locks on devices and policy packages; (b) other admins have read/write access
It automatically removes locks on devices and policy packages
How does fortimanager reduce wan usage
It can act as local fortiguard server to prevent fortigate from downloading updates over the internet
When a new configuration is installed, what does fortimanager do (installation process)
It compares the latest revision history running on the device with the changes made on fortimanager. Creates a new revision in the revision history and installs the changes on the managed device
What is the requirement for importing a configuration to FM from a local computer
It must be a configuration file downloaded from fortimanager
What is the limitation to the auto update feature that notifies FM of revision changes
It will only update device manager changes and not policy and object changes
If after 15 min and the unset command the FGFM tunnel still stays down what does Fm do to FG if the rollback-allow-reboot command is enabled on FM
It will reboot the FG and the FG will recover the previous configuration from its configuration file
What happens if your browsers crashes or pc dies while your ADOM is locked
It will remain locked until the admin's session expires or until the session is deleted
You configure the FM NATed ip on the fortigate and the fortigate won't announce itself to FM, FM is version 6.0 why won't the fortigate announce itself
It won't work if FM is version 6.0 or higher. You need to configure the NATed FM IP in the FM system admin settings so it is set on the fortigate during discovery
What is used for the management traffic tunneled between fortigate and fortimanager
Link level addressing 169.254.0.0/16 subnet
What are the steps FM goes through in registering a new device
1) Login 2) Discovery 3) Import options (now or later) 4) Policy and object import 5) Interface mapping 6) Object conflicts 7) Object import 8) Import summary
FM FortiGuard server override modes
Loose: the default; allows fallback to the other public FDN servers if FM can't communicate with the servers specified in the list (usually other HA members). Strict: FM can access only the configured override servers
How are fortigates distributed among ADOMS in a MSSP (managed security service provider) use case
MSSP will manage and rent out fortigates. Each customer will get their own ADOM with read only access
Fgdlink
Main fortiguard process responsible for downloading the web filter and email filter databases
Fgdsrv
Main fortiguard process that serves fortigate and forticlient web filter and email filter requests
What is one way to avoid concurrent changes in an ADOM besides disabling workspace-mode
Make sure the admins that have access to the ADOM don't have overlapping permissions
Describe a use case for implementing FM
Management of a large corporate network with many remote sites and several hubs and data centers that have firewall policies or objects common to many sites
Interface mapping step of device registration
Maps the device interface to the ADOM interface in order to create references for these interfaces in the FM database
HA failover threshold
Maximum number of heartbeat intervals that can occur without a response before FM assumes the member is down
Health check servers (SdWAN)
Mechanism for detecting when a link along the path is down or degraded (periodically sends probes through each member link to a server that acts as a beacon); basically the link health monitor on the fortigate
What is the default setting for concurrent ADOM access
Multiple admins can login to the same ADOM at the same time
When replacing a fortigate cluster member do you need to manually change the FG serial number
No it will be relearned through the FGFM tunnel
Difference between quick install and installation wizard
No option to preview changes or cancel the install once it starts
After you add a root fortigate to FM that is part of a security fabric do you need to add all other fortigates?
No, they will all be added to unmanaged devices automatically if the security fabric is set up correctly
If you delete a used object what will it be replaced with in the firewall policies
The none object (null); any traffic that matches the firewall policy will be blocked
What workspace mode does policy lock work in conjunction with
Normal
Two ADOM device modes
Normal (default) and advanced
Two modes when creating an ADOM
Normal and backup
What workspace mode is policy lock available in
Normal only
What would cause an inconsistent or corrupt fortigate configuration
Not following the upgrade path
What does the diagnose ha force-resync command do differently on the primary vs a secondary FM cluster member
On the primary it forces a full sync with all cluster members; on a secondary it resyncs only that secondary
Whether you choose to import all objects or only objects tied to a firewall policy, the system will delete ____ that are not tied to policies in the next installation
Orphaned objects
Device manager layer
Part of the management layer. Records information on devices that are centrally managed by fortimanager, such as the name, type, model, IP, firmware, revision history and real-time status
ADOM layer
Part of the management layer. Where policy packages are created, managed, and installed on devices and device groups. Contains one common object database for each ADOM
When FM is discovering a new device in the add device wizard, what is it retrieving from the device?
Policies and objects to create the device database; initializes the configuration database; retrieves the configuration; retrieves the FortiGuard support contract; retrieves the HA configuration
What happens if auto push is enabled in the ADOM creation settings
Policy packages and device settings will be installed to offline devices when they come back online
What is the main benefit of the re install policy option
Policy push with fewer steps for a quick policy change
Common cause for the execute script error- device <name> failed -1 And common solution
Problem with the end of the script (no end statement), or the fortigate is not in sync with fortimanager. Check the script output, add an end statement, and resync the fortigate by retrieving its configuration
What permissions are in backup ADOM mode
Read only
What permissions do you have over the fortigate HA in fortimanager from the Gui
Read only
Restricted_user
Read only access for all device permissions and no system permissions
What permissions are for normal ADOM mode
Read/write
Standard_user
Read/write access to device permission but no system permissions
Package_user
Read/write access to policy packages and objects; read-only access to system and device permissions
How to use find and replace under ipv4 policy
Right-click the object, then Find and replace
How do you revert to a previous revision and what do you need to do afterwards
Right click the revision in the revision history and click revert. Afterwards you will need to install the revision to the device.
You created a firewall policy but forgot to add an object to the source what can you do
Right click the source and click add object
What configuration setting for fortigate is part of a device-level database on fortimanager: (a) routing; (b) firewall policies
Routing
What are the two options for executing scripts
Run now or schedule
When running a database integrity check command what are you advised to do if the command makes a change or correction to a database
Run the command again
When you authorize an unauthorized device in FM what do you need to do in order to import the devices policy's into a policy package
Run the import policy wizard
When you link the model device to the real device, what are the two methods you could use
Serial number and preshared key
What commands should you use to check if your having resource issues
Show system resource: shows overall system resources. Execute top: shows top process resources so you can see which processes are hogging resources
Find duplicate objects
Similar to find unused objects in that it searches fortimanager firewall object database and displays all objects with duplicate values and allows you to merge them together
Three types of policy filter searches and what are each
Simple search: highlights any policy that matches the string you entered. Column filter: allows you to search for values by column (source, destination, action, users, etc.). Find and replace: lets you find and replace objects used in the policies
What is fortimanager
Single pane of glass management; minimizes cost of large deployments; reduces WAN usage with a local cache server; provides centralized device management for Fortinet devices; automated mass device provisioning and policy management; provides logging and reporting
What does the chassis dashboard tell you and what can you configure
Slot number, slot information, current blade state; configure blade information, PEM, fan tray, shelf manager, SAP
When you are having resource issues what kind of issues may you experience
Slowness in managing devices from FM; adding devices or installing changes may be slow
Why does the admin username and password you provide in the discover option of the add device wizard need to be read/write
So FM can fully discover the device and add the full configuration. Write access will allow FM to install configurations to the fortigate
What is the purpose of creating a device group in device manager and what is a use case
So you can run an operation on multiple devices instead of one (install device changes, run scripts on multiple devices). Useful when upgrading firmware
Three possible synch statuses
Synchronized, out-of-sync, unknown
Three types of provisioning templates
System, threat weight, certificate
After security fabric is enabled where can you configure security fabric settings
System > security fabric settings
How can you delete administrator sessions in the GUI (say ADOM gets locked accidentally)
System settings > system information widget > current administrators button (far right) > admin session list > delete
Event subtypes
System manager, FGFM protocol, device configuration, deployment manager, real-time monitor, log and report manager, firmware manager, FortiManager manager, debug IO log, device manager, web service, FortiAnalyzer, log daemon, FIPS CC device manager
Where do you configure FM HA
System settings
How do you create a new ADOM
System settings > All ADOMs > Create new
Where can you check HA status (3)
1) System settings > HA 2) System settings > dashboard > system information widget 3) CLI with the command diagnose ha stats
Where can you enable the "show add multiple button" and what does it do
System settings > admin > admin settings It will allow you to authorize several devices at once
How to manually enable offline mode
System settings > advanced > advanced settings
Where is chassis management enabled
System settings > advanced > advanced settings
Where can you monitor the status of tasks you or other admins have performed
System settings > task monitor
Where do you enable ADOMs
System settings under system information
If you display an installation preview from the device dashboard, it will display the device-level configuration with two exceptions:
System templates and ADOM configuration changes
Listening port for web GUI or JSON API
TCP 443
What port is used for FM to obtain updates from FDN
TCP 443
Listening and destination ports for fortimanager in cascade mode
TCP 8891, 8900, 8901
When you upgrade an ADOM which two places can you check the status/ and or see a log entry
Task monitor or the CLI
How to unlock a process
Task monitor under system settings pane. Cancel or delete the process/task
What is included in the import report when registering a device
Tells which device was imported into which ADOM, as well as the policy package that was created and all the objects imported.
Device setting status - unmodified
The fortigate config in the device level database is in synch with the current revision in the revision history (no changes to the device database and nothing to install)
Configuration status - pending / modified
The fortigate configuration is different from fortimanager and is pending an install in order to return to an unmodified state
Configuration status- synchronized / not modified /auto update
The latest revision history (whether install retrieve or auto update) is aligned with the configuration on the fortigate
Configuration status - out of sync
The latest revision history does not match the fortigate due to configuration changes made locally on the fortigate or partial install failure
Which statement about the global ADOM layer is true The same policy can be assigned to multiple ADOMs Global ADOM rules automatically installed on managed fortigate devices
The same policy can be assigned to multiple ADOMs
How does the performance sla and sdwan rules connect?
The SD-WAN rules that choose which interface to use are based on the SLAs configured for checking latency, jitter and packet loss
True or false, the ADOM layer consists of a common object database so that the devices in the ADOM have access to the same objects and policy packages
True
True or false. Each ha cluster member must have a unique IP
True
True or false. The ADOM will automatically return to the unlocked state once a session is submitted in workflow mode
True
True or false. You only need to upgrade the firmware on the primary FM in an HA cluster
True
True or false: the FM system stores tasks in a separate task database instead of the global database
True
True or false: the task monitor is restored when you do a FM config backup and restore
True
True or false: the trusted hosts you define for an admin user apply to both the GUI and CLI when accessed through SSH
True
True or false: when importing a device with existing configuration FM will check for duplicate or conflicting objects so they are not imported into the object database
True
True or false: you can add and delete devices in backup ADOM mode
True
True or false: you can apply OR or NOT conditions to the search in the IPv4 policy filters
True
True or false: you can download install preview as a .txt
True
True or false: you can lock devices and policy packages too
True
True or false: you can assign individual VDOMs to different ADOMs even if they are logically assigned to the same physical device
True
What happens if there are no responses to the FG keepalive messages from FM for the sock timeout value
Tunnel is torn down and one or both ends will try to reestablish depending on if one of them is behind NAT or not
Port used for DNS lookup
UDP 53
Listening port for fortiguard anti spam or web filtering rating lookup from a forticlient or fortigate
UDP 53 or 8888
Listening port for fortiguard antivirus and ips updates
UDP 9443
Port used for syslog
UDP 514
Where do unauthorized devices requesting registration appear in FM
Under device manager in the root ADOM
Policy check and where to perform
Under the policy package. Provides recommendations on what improvements can be made to the firewall policies in order to reduce unnecessary policies, combine policies that shadow each other, combine duplicate policies, and remove policies that have orphaned objects. Does not make any changes; it just evaluates the policy package
How to check if there is pending data for HA that needs to be synced
Under the pending module data on the dashboard, or use the command diagnose ha stats
Interface mapping and where to create one
Under zone/interface. Dynamically maps a logical interface to the physical interface on the managed device. Useful when the devices have different interface names but the same purpose
What are the three device setting statuses
Unmodified, modified, auto updated
If you made config changes locally on the managed device, what do you do to import the new device-level settings and policies (2)
Use retrieve config for the device level settings and then use the import policies in the policy and objects pane.
Once you configure all the security fabric settings what do you need to do to apply the settings to the devices
Use the install wizard and select install device settings only to apply to both root and any downstream fortigates
Header and footer policies
Used to wrap policies in each individual adom
Use for packet sniffer
Useful for troubleshooting connectivity and traffic related issues
Why does FM retrieve the support contract during device registration
Useful in case the FM acts as the local fortiguard server for the managed fortigate
What can be enabled in central management ADOM settings and what do they allow you to do
VPN: centrally manage IPsec VPNs for all managed devices in that ADOM; FortiSwitch; FortiAP; SD-WAN: manage SD-WAN for all managed devices in that ADOM
What is the maximum number of ADOMS supported
Varies by fortigate model or VM license
What does the fabric view pane allow you to do
View security fabric ratings of configurations for fortigate security fabric groups
When is a new revision history created
When Fm configuration is installed to fortigate or fortigate is locally updated
Configuration status - conflict
When changes are made locally on the fortigate and Fm does not perform a retrieve and then changes are made on FM too
How do you add per device mapping
When creating an object turn on "per device mapping"
What is the installation preview on the device manager device dashboard under the configuration and installation statuses widget
When device settings status is set to modified you can preview the installation (the exact commands) that will be installed/pushed to the fortigate
When should an admin use event logs at debug level
When investigating an FM issue with technical support
When should an admin consider using workspace mode
When multiple admins require access to the same devices and could potentially make changes to the same settings at the same time
when would you not be able to lock an individual device (hint: mode)
When the ADOMs are in advanced mode
When would you use the add model device in the add device wizard
When the device is not online yet
What does refreshing the connection with a device do? (Can be done on device dashboard)
When you refresh you attempt to establish the connection between the selected device and fortimanager. It retrieves basic information such as SN, firmware, support contracts and HA member information
What is the overwrite current IP, routing, and HA settings option when restoring a FM backup
When you restore the backup all of these settings will be overwritten by the back up. If you disabled this setting FM will still restore the configurations related to device information and global database information but will preserve HA and network settings
When are database integrity checks run automatically
When you schedule configuration backups
If you lock a device or policy package, when will another admin be able to make changes to them
1) When you unlock it 2) When you log out of FM 3) If they lock the ADOM, which will forcibly disconnect you and unlock the device
Will the managed fortigates know if there is a FM HA cluster
Yes FM will update fortigates central management configuration with the serial numbers of all cluster members
Does fortimanager support the security fabric
Yes it can see all devices that are part of the same security fabric and lets you manage them as one device. It also lets you see your topology map and will update if it changes
When you authorize a device it will initially appear in the root ADOM. Can you authorize it to a custom ADOM instead?
Yes it will give you the option to select the ADOM when authorizing
What happens immediately after you enable ADOMs
You are logged out so the system can reinitialize the settings
You are trying to create a new ADOM but do not see the ALL ADOMS settings. What could be the problem
You are not super_user
Describe advanced ADOM device mode and a use case
You can assign VDOMs on the same device to different ADOMs. Could be used if you are an MSSP/MSP and have different customers' VDOMs on the same device
What is the main benefit of exporting a template from one ADOM to another
You can use the same template across devices in multiple ADOMs without much effort
Describe normal ADOM device mode
You cannot assign different fortigate VDOMS to different FM ADOMs
Purpose of dynamic interface mapping
You map the local fortigate interfaces to the local ADOM interfaces so that FM can be aware what interfaces are being used for what. This comes in handy when applying policy packages to multiple devices. If multiple devices are using different ports, and the ports are dynamically mapped in the ADOM then FM will know what ports to apply policies to even if devices have a different set up.
What happens if the primary FM fails in a cluster
You must manually configure one of the secondary devices to become primary and then configure the other secondary to point to the new primary
Certificate provisioning template
Allows you to create CA templates, add devices to them, and generate certificates for selected devices. Once you generate and sign the certificates you can install them with the install wizard
What does enabling service access do during initial configurations of FM
Allows FM to respond to requests from managed devices for FortiGuard updates and web filtering on the chosen interface
XML API
Allows you to retrieve information about managed devices, execute scripts to modify device configurations, and install the configuration on the devices
What information is recorded in the device manager layer for managed devices on fortimanager
name, type, model, IP, firmware, revision history, real time status
How do you apply sdwan to a device in FM
When creating an SD-WAN under device manager > SD-WAN > assigned devices, select the devices, select the SD-WAN template, and map the ports