NSE 5 FortiManager 6.2


How to delete an admin session in the CLI

1) diagnose sys admin-session list; 2) look for the session_id; 3) diagnose sys admin-session kill <session_id>

What 5 things will cause fortimanager to create a revision history

1) fortigate is added to fortimanager; 2) device changes are installed; 3) fortigate configuration is retrieved from fortimanager; 4) a local change on fortigate causes an auto update; 5) you revert to a previous revision and install changes

Steps to the import policy wizard

1) interface mapping; 2) import policies and rename package

Steps to install wizard (4)

1) select either device settings only or device settings and policy package; 2) device selection; 3) validation (preview); 4) install

If the FGFM connection fails to reestablish after ____ min when you apply a change to the FG, what does FM do

15 min. It applies the unset commands

What is the link level address that fortimanager assigns to the fortigate for FGFM and why does it?

169.254.x.x is a link level address assigned for the management traffic for the FGFM tunnel

Port used for firmware image download, antivirus, IPS, web filtering, anti-spam updates from fortimanager to fortiguard Distribution servers

443

How many total devices can be in a FM HA cluster

5

How often are configuration and revision differences of managed devices checked and sent to FM

5 seconds

In backup ADOM mode, what is the only way fortimanager can make changes to a managed device

A script

Dynamic object

A single object name has different values depending on which device it is installed on

Super_user

Access to all device and system permissions

Which management panes are available in normal ADOM mode

All of them

Set commands

Apply configuration changes

What must you specify when you configure sdwan

At least two interfaces and no policies associated with member interfaces

For the command diagnose debug crashlog read, where is the most recent crash log listed

At the bottom

Device manager changes on managed devices are _______on fortimanager in normal ADOM mode

Auto updated

Where should fortimanager be deployed

Behind a firewall on a trusted private network

Two types of scripts you can run

CLI (command line interface); TCL (tool command language)

What type of scripts are supported on fortimanager

CLI and TCL

What are the advantages of security fabric on fortimanager

Can view network topology and important security ratings for each device

If an installation fails, where can you look to see what stage the failure occurred in

Check the install log that's provided by the install wizard

What should you review after you upgrade a device or ADOM

Check the installation preview to identify if the changes caused by the upgrade are acceptable

config system admin setting; set mgmt-addr <fmg NATed IP>

Configures the FM NATed IP so that FM sets this address on the fortigate during the discovery process, so the fortigate can announce itself and reestablish the FGFM tunnel

Workspace mode workflow

Controls the creation, configuration, and installation of firewall policies and objects. Approval is required before any changes can be installed on a device. All modifications in a session must be sent for approval

What other options are there other than assigning the default admin profiles to admin accounts

Create your own admin profile and assign it to the account; or edit the default profiles and assign them to the admin account

Header and footer policy rules

Created in the global ADOM layer of the management layer. They envelop each ADOM's policies and can be applied to multiple ADOMs that require the same policies and objects, instead of maintaining multiple copies among the different ADOMs

What log levels are there

Debug, Information, Notification, Warning, Error, Critical, Alert, Emergency

What level should you increase the log level to if you need to work with Fortinet technical support, and where can you increase it

Debug level; in the CLI

What are the FM administrator profiles for

Define administrative permissions and are required for each admin account

To delete an ADOM what must you do first

Delete all device groups first

To delete a device group what do you do first

Delete all devices from it

Where will the global policy packages appear once assigned

Depending on whether it's a header or footer, but they will be in the local fortigate's policy and objects pane

How to access sdwan configuration setup (which pane)

Device manager > sdwan

What does the crash log display

Device name and firmware; application process name and signal information (indicates why it crashed)

Command to check HA status

diagnose ha stats

How can you watch real time status in the CLI of a fortigate device being added to FM (command that could be beneficial in identifying issues with device registration)

diagnose debug application depmanager 255; diagnose debug enable

Real time debug command for script execution

diagnose debug application depmanager 255; diagnose debug enable

Debug command on FG and FM to debug the FGFM tunnel keepalives

diagnose debug application fgfmd 255; diagnose debug enable

Command to run debug on HA

diagnose debug application ha 255; diagnose debug enable

Command to see crash logs

diagnose debug crashlog read

Command to disable debug output

diagnose debug disable

List the database integrity check commands

diagnose dvm check-integrity; diagnose cdb check adom-integrity; diagnose cdb check adom-revision; diagnose cdb check policy-packages; diagnose cdb check update-devinfo

Command to get device ID for a managed device

diagnose dvm device list

Command to force HA FM cluster resync

diagnose ha force-resync

Packet sniffer command

diagnose sniffer packet <interface> <filter> <verbose> <count> <time stamp>

What command can be used to sniff the FGFM protocol communication between FM and FG devices

diagnose sniffer packet any "port 541"

Command that may be useful in troubleshooting disk related issues

diagnose system print df (disk format)

Command to troubleshoot reload failure

diagnose test deploymanager reloadconf <device ID>; will show at what stage the configuration is failing to update the device-level database

What is workspace mode and what are its elements

Disables concurrent ADOM access and adds ADOM locking. Read/write access for the locker; read-only for the lockee. If enabled, you cannot make changes to devices until you lock the ADOM

What are the two options for adding a device in the add device wizard

Discover; add model device

What are the two general steps that fortigate goes through when it is added to FM

Discovery; adding

Object import step of the device registration

Displays objects being imported from fortigate to FM. Shows updates to the existing FM objects and new objects to import. Also displays duplicates, but does not import them

In what formats can you view logs

Download; raw log; historical log

Reasons to configure FM as a local fortiguard server

Downloads all antivirus, IPS packages, web filter, and email filter databases, then updates the fortigates. Reduces internet connection load

When do you apply system templates to devices

During registration

Where are all the revisions stored and how can you distinguish different revisions

Each revision gets an ID and they are stored in the revision repository

How do you move a registered device from one ADOM to another

Edit the destination ADOM in system settings > all ADOMs and add the new device under "select device"

If the NATed FM IP is configured on the fortigate, who can establish the FGFM tunnel if it's torn down

Either FM or fortigate

How can you add a VDOM to a device under device manager

Either go to the device system dashboard, or click managed devices, right-click the device and click add VDOM

What is the "restore in offline mode" setting when restoring a FM backup

Enabled by default and can't be disabled. Makes it so the communication channel between FM and the managed devices is temporarily disabled as a safety measure (in other words, FM disables the FGFM protocol)

Policy lock

Enables you to lock a policy package for editing instead of the whole ADOM

By default, what is enabled when you backup FM on the GUI

Encryption

Even though objects aren't copied from one ADOM to another, what command can you use to copy objects from one ADOM to another

execute fmpolicy copy-adom-object

Command to test device reachability from FM

execute ping <fortigate ip>; execute ssh <fortigate ip>

What protocol is used to send configuration and revision differences of managed devices to FM

FGFM

Which devices can discover each other and which can reestablish the FGFM tunnel when the fortigate is behind a NATed device

FM can discover the fortigate through the NATed IP and fortigate can announce itself to FM

What two things are required for FM to manage devices (has to do with what the devices are connected to)

FM can manage any device connected to its interfaces; static route: configure a static route on an interface so fortigate can manage devices not directly connected

What is chassis management for

FM can work with the shelf monitor in the fortigate data center 5000 series chassis and monitor the security and network blades within

Configuration status - unknown

FM is unable to determine the sync status because the fortigate is not reachable or there was a partial install failure

If you disable the auto-update feature for local config changes on the fortigate, what won't be possible that will need to be done manually each time an update occurs

FM will no longer be able to tell if the policy package is the same, so it will return an out-of-sync error. You must run the import policy wizard

True or false: a super_admin profile can approve changes for workspace workflow mode

False

True or false: an admin can only be assigned to one ADOM

False

True or false: fortimanager is aware of the HA cluster's sync status

False

True or false: nested policy folders are not supported

False

True or false: you can't cancel an installation once it starts in the install wizard

False

True or false: you can't delete used objects

False

True or false: you can schedule FM backups on the GUI

False, you can schedule in the CLI

True or false: in the install policy wizard you can schedule the install under the install device settings only

False, you can under install policy package and device settings though

True or false: you can move header and footer policy packages assigned to an ADOM

False, you can't

If a FG dies and you need to replace it, you need to redo the whole discovery process again: true or false

False, you just replace the serial number manually with the serial number of the new one

True or false: security fabric ratings don't need to be enabled on FortiOS before managing them in fortimanager

False, you must generate the ratings before you can view the information in FortiOS

Which FGFM process runs on fortigate

fgfmd

Which FGFM process runs on fortimanager

fgfmsd

What objects are included in the ADOM database

Firewall objects; security profiles; users; devices

Import summary step of device registration

Firewall policies and objects are imported into FM. You can also download a report

What references dynamic interfaces and why should you use them

Firewall policies created in packages will reference the dynamic interfaces. Use them so FM knows how to apply the policies to each device

What is contained in policy packages

Firewall policies that link to the objects you define

What needs to match when restoring a FM back up file

Firmware version and model

How should you secure your FM hard drive if you plan on replacing it?

Format the drive and use deep erase to overwrite with random data

What happens when you enable fortianalyzer features in the system settings dashboard

Fortianalyzer panes will be visible on the dashboard

What two things are required to configure two factor authentication with FM

Fortiauthenticator and FortiToken

When you use the discover option in the add device wizard what information is required

Fortigate IP; admin username and password with full read/write access

What is not synchronized between FMs in HA cluster

Fortiguard databases and logs; config settings for interface, HA, SNMP, routes, fortianalyzer

How is the FGFM tunnel authenticated

Fortimanager and fortigate SNs

Which statement about fortianalyzer features on fortimanager is true: fortimanager does not support the reports; fortimanager has logging rate restrictions as compared to fortianalyzer

Fortimanager has logging rate restrictions as compared to fortianalyzer

What does a policy package status of unknown indicate

Fortimanager is unable to determine the policy package status

What is visible on the system settings dashboard

Fortimanager system information such as name, SN, platform type, firmware, configuration, uptime, license information, number of devices managed by fortimanager, and system resources (RAM, CPU, disk usage)

Commands to retrieve IPS signature info on a fortigate (3)

get ips rule status; get ips decoder status; get application name status

Command to check hard disk changes on fortigate

get mgmt-data status

Command to display how often FM syncs its time with the NTP server

get system ntp

How can you check the cluster members in a FM HA from the fortigate

get system central-management (shows all the FM serial numbers)

What command does FM run on the fortigate during the discovery process

get system status

What are the three management layers (GAD)

Global ADOM layer; ADOM layer; device manager layer

Which of the following are included in the fortimanager backup: logs and firmware images; global databases and all devices

Global databases and all devices

How are global objects identified

Global objects start with a "g", e.g. gall, gtelnet

How can you track installation changes from a FM user

Go to log and report > system events on the managed fortigate device

How would you check the script history on a device

Go to the device dashboard and under script status click history

If you don't see a device that you want to install policy changes on what should you do

Go to the policy packages and add the device as an installation target

What are the three workspace mode lock colors

Gray = unlocked; green = locked by you; red = locked by another user

How can you tell which revision the device is using currently

Green check mark

Where will a global header and footer policy appear in a fortigate's firewall policy page

Header: top; footer: last

Policy folders

Help you manage policy packages so they can be organized based on your needs (organization, geography, security, legal requirements)

What issues would cause a failed reload

If the fortigate has an inconsistent or corrupt configuration, possibly from not following the upgrade path

Why would you as an approval admin discard a submitted session

If you don't agree with the changes

Import now vs import later options in the add device wizard

Import now: a policy package is created and objects are added to the common ADOM database. Import later: no policy package or objects are added, but they can be imported later using the import policy wizard

After you migrate a device from one ADOM to another what do you need to do

Import policy package and objects through the import wizard

After the import is complete in the import policy wizard, what is the last thing displayed

Import summary and download import report

Policy package statuses (7)

Imported; installed; never installed; modified; out of sync; conflict; unknown

How can you resolve most policy status issues

Importing a policy package or installing a policy package

What two options do you have for importing objects in the import policy wizard

Import all; import only used objects

Import policy wizard

Imports policies and objects from the fortigate to fortimanager

What does the import policy wizard do

Imports policies and objects into fortimanager from a device and creates a new policy package

Where are provisioning templates stored

In the ADOM's global object database

How can you apply changes to a managed device (several options)

In the FM ADOM GUI, then apply changes to the specified managed devices; directly on the managed device via the CLI offered in FM

How to access the global policy database

In the global database ADOM

Install device settings only

Installs only device settings for a select set of devices; policy and object settings are not installed

To create or edit a firewall policy what should you select

IPv4

What is the main benefit of creating an sdwan using fortimanager

It allows creating an SDWAN for multiple fortigate devices

What is the main benefit of the policy locking feature

It allows locking a single policy package instead of a whole ADOM

What does the match all feature do when configuring an admin with a remote authentication server

It allows you to authenticate all users configured on a remote server

How does fortimanager determine the sync status, i.e. whether a managed device is out of sync

It compares the current revision history with the fortigate configuration

What is the sync status and where can you view it

It compares the running device configuration with the current version in the revision history. Can be viewed on the device dashboard

What is the point of offline mode (basically, why does the FGFM protocol need to be disabled) and when would you use it (2)

It enables you to change FM device settings without affecting the managed devices, or to load a backup on a second FM for testing. That way the second FM cannot automatically connect to your FG devices and start managing them

What is the create revision option when installing policy package and device settings in the install wizard

It is an ADOM revision that creates a snapshot of the entire ADOM, not just the changes to the specific policy, in case you need to revert

Describe the physical configuration of fortimanager

It is made up of layers represented as panes in the GUI.

What does the FGFM-sock-timeout command do

It sets the idle timeout setting for communication between FM and FG

What happens to the device settings status if you execute a script using the remote fortigate directly (via CLI) option

It will be tagged as auto-updated

What happens if you assign more than 1 global policy package to an individual adom

It will remove the previously assigned policies

Why should all devices in an ADOM be on the same firmware version

It's best to organize by device type then firmware version, because different firmware versions have different CLI syntax, which could affect script compatibility and other features

What two APIs are available on FM

JSON (JavaScript object notation); XML (extensible markup language)

What can you use if you want to use APIs to monitor your system or to set or get data using third party devices

JSON and XML APIs

JSON API

JavaScript object notation API; allows you to do many of the same tasks as the GUI and allows MSSPs and enterprises to create customized and branded web portals for policy and object administration

What can you filter the log data by

Level; administrator; subtype; messages

How are sdwan rules evaluated

Like firewall policies from top to bottom

How to approve a session in workflow mode

Lock the ADOM; under the policy and objects session tab decide to approve, reject, discard, or review diff

What do processes do to the database when they are using objects (kind of like what you do for ADOMs)

Lock and unlock the database

How can you prevent revisions from auto deletion

Lock them in the revisions tab

What will remove the lock on a device or policy package

Locking the ADOM

What fortianalyzer panes will be visible once the fortianalyzer features are enabled in the GUI or CLI

Log view; incidents and events; reports; SOC

Fgdups

Main fortiguard process; responsible for database merging and consolidating smaller delta files into larger files

How to enable security fabric in FM

Managed devices > tools > global display options > security fabric

Device settings status - modified

Means the device-level settings changed on fortimanager and the changes need to be installed on the device to go back to unmodified

Common cause for the script execution error "command parse error", and common solution

Misspelled keyword or incorrect command format; check the script output

If you make configuration changes to a policy what will the policy package status be

Modified

Until changes are installed, the device setting status remains ______

Modified

If you are not satisfied with a device's configuration, how can you change it

Modify on FM and install the change to the device; modify on the managed device and retrieve it from FM; revert to a previous config; import the fortigate configuration from a local computer

What to do if the install failed because the fortigate is not supported by the ADOM version

Move the fortigate to a supported ADOM; perform the install again

Can objects be used in only 1 policy package or in multiple policy packages?

Multiple

Unset commands

Needed to remove configuration changes

Is it recommended to move devices from one ADOM to another

No

What is the default ADOM mode

Normal

Why would you see a lot of changes on the first install you perform

Objects will be renamed during the import process and any unused objects will be removed, so there could be a lot

Where can you enable/disable administrative domain and fortianalyzer features

On the system settings dashboard

What is recommended on the perimeter firewall when deploying fortimanager

Only allow the necessary ports in the firewall policy that allows access to fortimanager

If the fortigate is behind a NATed IP and the FGFM tunnel gets torn down, which devices can re-establish it

Only the fortigate will attempt to re-establish the connection, if you configure the FM IP with: config system central-management; set fmg <fmg IP address>. You still need to configure the fortigate with the FM IP. FM treats the device as unreachable and won't automatically attempt to reestablish the connection. You can manually attempt the connection from FM by clicking the refresh icon in the connection summary widget for the managed device in device manager

What color will the map icon be if the device configuration status or policy package configuration is out of sync, or if there is no policy imported or no policy package installed

Orange

What are the four preinstalled default profiles that can be assigned to administrative users

Package_user; Restricted_user; Standard_user; Super_user

Global ADOM layer

Part of the management layer. Contains the global object database and all the header and footer policy packages, which envelop each ADOM's policies. Here you create header and footer policy rules that can be assigned to multiple ADOMs that require the same policies and objects

If configuration status is unknown what should you do

Perform a retrieve

When the configuration status is out of sync what is recommended to update the revision history

Perform a retrieve from FM

If a script is run on the device database or policy package (ADOM database), what must you do after

Perform an install

How to ensure database integrity

Perform graceful shutdowns; enable ADOM locking to avoid change conflicts; make sure everyone is logged off before performing firmware upgrades

Two options when performing policy check

Perform policy check; view last policy check results

Header policy

Placed at the top of the policy package in the individual ADOMs

Footer policy

Placed at the bottom of the policy package in the individual ADOM

How can you ensure that even if your network is down you will still have access to fortimanager

Plug a management computer directly into fortimanager or connect through a switch

What is not moved when you move a device from one ADOM to another

Policies and objects

How would you create an object to be added to the ADOM database for use in the policy packages

Policy & objects pane, left-hand side under firewall objects

What are not imported into the ADOM database when a device is moved from one ADOM to another and how can you import them once the device moves over

Policies and objects; run the import policy wizard to import policies and objects into the ADOM database

Where is the only place to create sessions for workspace mode workflow

Policy and objects pane

Which databases can a scheduled script not run on

Policy package and ADOM database

Common cause for the script execution error "unknown action", and common solution

Previous line of the script was not executed; check the script output

Backup ADOM mode

Purpose is to back up configuration changes made directly on the managed devices

When you enable fortianalyzer features on FM, what will the device or VM do

Reboot

What color will the map icon be if there is an error status, the copy has failed, installation has failed, or the device is hard down

Red

What must be done to the device before it moves ADOMs (besides upgrading if the other ADOM is a higher version)

Register the device

Trusted hosts for administrative users

Restricts admins to logins from specific IPs or subnets

What does a config revert in the revision history do

Reverts the device database (device-level settings) to a previous revision but will not revert policies and objects

How do you lock a device or policy package

Right-click and click lock

Reinstall policy option

Same installation except there are no prompts and you can preview changes

Requirements for FM HA

Same model and firmware

What MUST you do before making changes and then trying to install them within an ADOM

Save

How do you submit a session in workflow mode

Save the session; under session in the policy and objects pane click submit

Where can you check if the scripts were run successfully (3)

Script history; task monitor; event log

Where can you re run scripts

Script history table

Where can you monitor SDWAN interfaces and traffic status

Sdwan monitor on device manager pane

What is the security rating feature

Security checks that can help you secure your organization's network. Checks include things such as password security, recommended login attempt thresholds, and encouraging two-factor authentication

How do you configure the fortigate with the FM's IP in the GUI, and what happens after you apply the settings

Security fabric > settings > central management. You will be logged out of the fortigate

Where can you customize a fortigate's device-level settings and how can you edit the tabs to your specifications

Select the device and use display options to customize the toolbar tabs with system, router, WAN, security profiles, VPN, query, CLI configurations etc

Purpose of cloning a policy or package and how to

Select the policy or package and under policy package click clone. Could be used if you need to create a new policy package and only change a few values

FGFM-sock-time-out

Sent in a keepalive message by the FG. It is the maximum FM or FG communication socket idle time in seconds

FGFM_keepalive_itvl

Sent in the FGFM keepalive messages. It is the interval at which the FG sends keepalive signals to FM to keep the FGFM protocol active

When replacing a standalone device you must manually change the _______and redeploy_____

Serial number; configuration

What command script is only beneficial when run on the remote fortigate directly via CLI

Show commands to get device information

Command to display DNS server addresses

show system dns

Command to display the network interface configuration such as configured ports and associated IP addresses as well as the enabled admin access protocols

show system interface

Command to display automatic time setting using a NTP server

show system ntp

Command to display static routing table entries on the FM device

show system route

What is the revision history install log

Shows the name of the admin who made the change and what commands were sent to the device (almost like the install preview); will also show where an install failed

What must be created in order for sdwan member interfaces to route/pass traffic

Static route and firewall policy

What three options are under the "sessions" tab for workflow mode

Submit; discard; view diff

What user profile is required to enable ADOMs

Super_prof

Which of the following statements are true regarding scheduled backups of fortimanager: supports FTP, SCP, SFTP; can be configured using the CLI and GUI

Supports FTP, SCP, SFTP

Protocol and port number for HA heartbeat

TCP 5199

Ports used for remote management of a fortigate device

TCP 541; TCP 542 (IPv6)

Listening port for antivirus and IPS updates for forticlient

TCP 80

Listening port for web services

TCP 8080

Listening port for fortiguard antivirus or IPS update request from a fortigate device

TCP 8890

In what two views can you view devices on the device manager dashboard

Table and map view

ADOM revisions

Takes a snapshot of the policy & objects database for an ADOM so you can revert back to the original version if needed

Why is it crucial to match the ADOM version to the devices that will be in it

The ADOM version determines the CLI syntax used to configure the devices

Which device sends the keepalive messages for the FGFM tunnel

The FG

What is the basis of authentication between the fortigate and fortimanager after the fortigate's login credentials are provided and the fortigate is moved from unmanaged to managed

The SN

What should be the same for all FM members when configuring HA

The cluster ID and group password

Device level settings status - auto updated

The configuration changes are made directly on the fortigate and have automatically updated the device database

What is the first operation FM performs when you perform a policy package install

The copy operation where FM tries to copy the ADOM level object or policy to the device database

Where should you add a chassis if enabled

The default chassis ADOM

What kind of information is displayed in the task monitor

The ID and source of the task, a description, the admin performing the task, the status (fail or success) and the time/date

Installation target

The intended device or devices for a policy package to be installed on

Give an example of a dynamically mapped firewall address

The logical ip on fortimanager is 192.168.1.0 but it is mapped to 10.10.10.0 on local fortigate and 10.10.11.0 on remote fortigate

What is the call home configuration

The minimum configuration needed on the fortigate in order for FM to be able to communicate with the device

To complete the addition of a new device in the discover option of the add device wizard what else do you need to provide (2 are optional)

The name of the fortigate; description; system template

While you can clone a policy package, what does not get cloned that is used within a policy package

The objects

If you back up FM from the GUI what must you provide when restoring the backup

The password for encryption

What happens if you don't import all policies and later install a policy change through fortimanager

The policies that weren't added will be deleted

Where can you check what devices a provisioning template is applied to

The provisioning template tab, next to the template under "assigned to"; the device's configuration and installation status widget next to system template

What fortigate is crucial to add as a managed device if you want to add an existing security fabric to fortimanager

The root fortigate

What is required to import a system template from one ADOM to another

The same ADOM firmware

When a management connection is requested, what is verified on the FG

The serial number

What is the ADOM type (2)

The types of devices that will be stored in the ADOM: FortiCarrier; FortiGate

Once devices are registered, where can you find them

They appear in device manager in the ADOM they were added to

What does a green check mark mean next to an admin's name

They are logged in

What does no check mark mean next to an admins name

They are logged out

What are the FG FGFM keep alive messages and what are contained in them

They are messages sent from the fortigate at configured intervals to the FM. They contain the configuration checksum and IPS version of the fortigate device. The related settings are: fgfm-sock-timeout - the maximum FM/FG communication socket idle time in seconds; fgfm_keepalive_itvl - the interval at which the FG sends a keepalive to the FM to keep the FM/FG communication protocol active

Purpose of fortimanager logs and where you can view them

They provide troubleshooting information about events that happen on FM Found in system settings > event log type

Normal ADOM mode

This mode provides full access to make configuration changes from FM to Adoms and managed devices

How else can FM validate admin logins besides locally

Through an external server such as LDAP, RADIUS, TACACS+, PKI

How do you enable FGFM access on fortigate

Through fortigate interfaces

How is the synchronized status calculated

Through revision checksum

Heartbeat interval

Time in seconds that a cluster member waits between sending heartbeat packets and expecting a packet from another member

What is the purpose of ADOMS on fortimanager: to enable fortimanager as a local fortiguard distribution server, or to divide administration of devices and restrict administrator access

To divide administration of devices and restrict administrator access

Purpose of dynamic objects

To map a single logical object to a unique definition per device

Why should the ADOM version match the fortigate firmware version

To minimize CLI syntax issues between fortigate and fortimanager

What is the purpose of the global ADOM on FM

To push similar firewall policies universally to selected ADOMs

What is the # diagnose dvm device list command used for

To view individual cluster members on the HA cluster

How can you find unused objects

Tools > find unused objects

Where can you change ADOMs

Top right corner of GUI by your name

Five fortiguard statuses

Up to date; Never updated; Pending; Problem; Unknown

If the value of an object is changed when you import a device policy, what will show in the import report for the type of object (i.e. duplicate, new object, ...)

Update previous object

What is the sequence of upgrading an existing ADOM

Upgrade all the devices in the ADOM first and then the ADOM

Which of the following steps are the best practices after a fortigate firmware upgrade: push policy package and run script to update objects, or upgrade the ADOMs and retrieve configuration

Upgrade the ADOM and retrieve configuration

If you had an ADOM with version 5.4 devices and needed to upgrade only a few to 6.0, how would you do that, since the 5.4 ADOM doesn't support 6.0

Upgrade the devices and then move them to a 6.0 ADOM

Three basic rules to prevent CLI scripts from failing (3)

Use complete FortiOS syntax instead of the short version; don't start a command with # or it won't execute; ensure console output on the fortigate CLI is set to standard

What can you do in the provisioning templates section of device manager

Use the default or create a custom template for system, threat weight, or certificates and assign them to devices within a single ADOM to create identical device level settings among managed devices

How can you sort through the task monitor for running, pending, cancelling, or aborting tasks?

Use the filter at the top

What should you do once you move a device from one ADOM to another

Use the import policy wizard

If you want to use web services to monitor your system what should you use

WSDL in the advanced settings

WSDL

Web Services Description Language. A standards-based, platform-independent access method for hardware and software APIs. The file that you download defines the format of commands the fortimanager will accept and the expected responses

FGD

Web filter and email filter

Policy and object step of the FM device registration

Wizard searches for all policies to import into the FM database and into a new policy package under the policy & objects pane. You can name the new package and decide if you want all or some of the policy and objects to be imported.

Which of the following statements is true regarding workflow mode: workflow mode is enabled only on the FM CLI, or workflow sessions can be created by locking an individual policy package

Workflow mode is enabled only on the FM CLI

Can you create multiple versions of a policy package in case you need to revert back to the old policies ?

Yes

If you have configured IPSec VPNs with VPN manager and move the managed device to a different ADOM will the VPNs need to be reconfigured

Yes

If you make configuration changes directly on a managed device, through the CLI or GUI, what happens within FM? Does FM document the changes made even though it was directly on the device?

Yes, a change made locally on the device will trigger the managed device to automatically update the fortigate revision history on FM

What is the main purpose of using APIs on FM

You can manage a FM device using third party hardware and software

System provision template

create and manage common system level settings for the managed device

Threat weight provisioning template

create threat weights which will track client behavior and report on behaviors you deem risky

Changes from the policy & objects pane are made to the ______

device database

Changes made from the device manager pane are made to the_______

device database

Command to export system template from an ADOM

execute fmprofile export-profile <ADOM name> <profile name> <output file name>

Steps to import provisioning template from one ADOM to another

execute fmprofile export-profile <ADOM name> <profile name> <output file name>; execute fmprofile import-profile <ADOM name> <profile name> <full path of exported file>

Each ADOM is associated with a specific ___________

firmware version

Where do you back up FM

on the system settings dashboard next to system configuration

Listening port for HA heartbeat (fortimanager HA cluster)

tcp 5199

What is the management module represented as in the GUI

the device manager pane

Why is an HA cluster counted as one device in FM

they share the same configuration

What should you do instead of moving a device from one ADOM to another

upgrade the device then upgrade the ADOM

What is each disk partition used for in FM: /dev/shm, /tmp, /data, /var, /drive0, /storage

/dev/shm - shared memory; /tmp - temporary file storage; /data - flash disk; /var - FM database storage; /drive0 - fortianalyzer archives; /storage - fortianalyzer log and report storage

How many devices does an HA cluster and an individual VDOM count as in device manager

1

How many global policy packages can be assigned to an individual ADOM

1

How many policy packages can a device use

1

What is the default management port, IP, protocols, and password

Port 1; 192.168.1.99/24; ping, HTTPS, HTTP, SSH; username admin, password blank

What two methods can register a device in FM

1) The device registration wizard 2) Request registration on the device

Requirements for sdwan configuration on fortigate (4)

1) at least two member interfaces 2) interfaces should not be referenced by any other configuration 3) interfaces must be physical, aggregate, VLAN, or IPsec interfaces 4) only one sdwan interface per VDOM

How to assign a global policy package to an ADOM (8)

1) go to the global ADOM database 2) select the policy package you want to assign 3) click assignment 4) add ADOM 5) choose the ADOMS to add 6) exclude any of the ADOM's policies that you don't want to apply the global policy package to 7) click OK 8) status will be pending, so click assign to finalize

Install wizard steps

1) select one of the two install types 2) select the device/s to install on 3) validation - install wizard checks device settings and compares with latest revision history 4) preview changes 5) installation

If there is an HA sync failure, what four things can you do to resolve it

1) use the packet sniffer on port 5199 2) check alert messages and event logs for HA errors (system settings > dashboard, system settings > event log) 3) run the debug command on the HA daemon on all members (diagnose debug application ha 255; diagnose debug enable) 4) check for any pending synced data

Steps to create workflow approval group (4)

1) Select the ADOM that the group applies to 2) Add the admins who can approve changes 3) Select which email to send notifications to 4) Select a mail server, on the mail server pane, that will be used to send the notifications

How do you start a new session in workflow mode (3)

1) Select and lock the ADOM 2) Open the session list on the policy & objects pane 3) Create a new session

What verbosity levels does FM support for the packet sniffer

1,2,3

Verbosity 1,2,3

1 - packet headers only; 2 - packet headers and IP data; 3 - packet headers and Ethernet data (MACs)

What are 4 ways to modify or define configuration for device level database

1. Assign a provisioning template 2. Using the device manager GUI 3. Using CLI scripts on the device database 4. Using revision history

What does the initial configuration of fortimanager involve

1. Choosing a management interface (default 1) 2. Setting an IP address for your management subnet, or within the private network where FM will reside 3. Choosing administrative access protocols 4. Enabling/disabling service access for fortiguard update requests and web filtering requests from managed devices on that interface 5. Default gateway 6. Primary and secondary DNS server

Four stages of the fortinet device management life cycle

1. Deployment - the admin configures the fortinet devices 2. Monitoring - the admin monitors the status and health of the devices 3. Maintenance - the admin performs config updates to maintain the devices 4. Upgrading - virus definitions, attack and DLP signatures, web and email filtering, and firmware images can be kept up to date

Steps to replace a managed device (5)

1. Note the original fortigate device name (use the command diagnose dvm device list) 2. Update the serial number of the replaced fortigate (execute device replace <devname> <new serial number>) 3. Verify that FM updated the serial number in the DB 4. Send a registration request from the replaced fortigate 5. If the connection is down after updating the serial number, you may need to reclaim the management tunnel (execute fgfm reclaim-dev-tunnel <optional device name>)

What are the 4 ADOM version types and which OS versions are supported in each

5.4 - 5.4 & 5.6; 5.6 - 5.6 & 6.0; 6.0 - 6.0; 6.2 - 6.0 & 6.2

The same ADOM can manage different firmware versions if fortigate devices run:

5.4 and 5.6

Which port is used between fortimanager and fortigate for IPv4 remote configuration management of fortigate devices: TCP 541 or TCP 514

541

What is sent from the fortigate to the fortimanager so FM knows the fortigate is online and configuration hasn't changed

A keep alive message containing the checksum of the fortigate configuration

Which one of the following statements is correct regarding a policy package: a policy package can have multiple installation targets in an ADOM, or there can be only one policy package per ADOM

A policy package can have multiple installation targets in an ADOM

What is the pending module data value for HA cluster status

A value under that column means there are updates that must be synced to the secondary devices. The value should be 0, which means synchronization is working

What should be assigned to the fortimanager if admins will be making inbound connections to the fortimanager over the internet

A virtual IP

An admin configured a new firewall policy on fortimanager and has not yet pushed the changes to the managed fortigate. In which database will the configuration be saved: ADOM level database or device level database

ADOM level database

What database are policies and objects stored in

ADOM level database

Which statement about a large MSSP using FM is true: each customer must have a dedicated FM device, or ADOMS can be used to separate customers

ADOMS can be used to separate customers

How can you configure the FM HA cluster

Active-passive, or configure members to act as independent local fortiguard servers

Four main wizards in device manager

Add device; install wizard; import policy; re-install policy

What is used to link an offline device to fortimanager (2)

Add model device in the add device wizard: fortigate SN or pre-shared key

What kind of features can you dynamically map

Addresses, interfaces, virtual IPs, IP pools, etc.

What does the common object database for ADOMS contain

Addresses, services, security profiles, etc.

Add device wizard

Adds devices to central management and imports their configs: this includes importing policies and objects on the device

How can you control and restrict administrator access in FM (3)

Admin profile; ADOMS; trusted hosts

When is a policy lock automatically released

Admin timeout or if the session is closed without unlocking the policy package

When do you import the policies into a new policy package when adding devices? Before, during, or after authorization

After

When and how can you upgrade ADOM versions

After all devices in the ADOM are upgraded; System > all ADOMS > right click

What links does sdwan support

Aggregate, VLAN, IPsec, physical

Global policies and objects are shared among______

All ADOMS

What is synchronized to the secondary FMs in HA cluster

All device configs; all revisions; device and policy databases

What happens if you revert to an old ADOM revision

All policy packages and objects will be reverted to that revision

When controlling administrative access through ADOMS on the admins user settings what three options do you have?

Allow access to all ADOMS; allow access to all ADOMS except ____; allow access to only specific ADOMs

Sdwan template

Allows you to add sdwan components to a single template to apply to your devices. You can add interface members, performance SLAs, and sdwan rules

Sdwan rules

Allow you to configure which traffic you want to route through which interface, based on latency, jitter, or packet loss

What is a provisioning template in device manager

Allows you to create profiles that contain device level settings such as DNS and NTP server information, and admin and SNMP settings. These templates can be applied across many devices to facilitate identical device settings

What are dynamic objects and per device mapping

Allow you to map a single logical object (on FM) to a unique definition per device. There is a common value in FM, but when used it maps to a unique value per device, so that you can use it with multiple devices and it will match the device-specific value for each. Basically, this allows you to use one object for multiple devices instead of making the same type of object for each device

System admin type (when creating a new admin profile)

Allows more options and granularity when choosing permissions. You can configure it so the admin can do as much or as little work as their job requires. Some examples include: ADOM - read/write, read, none; fortiguard center; device manager; terminal access; sdwan; policy and objects; lock/unlock domain

Restricted admin type (when creating a new admin profile)

Allows the admin to make changes to the web filter profile or application filter or IPS sensor associated with their ADOM

What is the display options feature used for in policy and objects

Allows you to display specific features in the GUI; you can show or hide the features you want

What is the quick install option

Allows you to perform a quick install of device level settings without launching the wizard. Does not allow you to preview changes or cancel the process once initiated

What should you do before running a new debug and why

Always reset the debug level so you don't view logs from debugs running in the background: diagnose debug reset

Cause of a failed install

An ADOM and fortigate version mismatch

In workflow mode you notice there are several sessions needing approval. You try to approve one but the action is denied. Why might this be? (Think about what option during review would cause this; it would be on the side of the admin who submitted it)

An admin submitted a session and you rejected it. They have still not submitted repairs, so you cannot approve any others submitted by them until it is repaired

Who can see the complete admins list

An admin with super_user or the default admin

Which of the following statements about copy failed is true: an operation that fails to copy the device database from the revision history, or an operation that fails to copy the ADOM level policy or object to the device database

An operation that fails to copy the ADOM level policy or object to the device database

Failed reload

An operation that fails to update the device level database from the revision history database.

In the scripts section what does advanced filters do

Filters so that the script only executes on devices that match the specified criteria

What is the OID for in the diagnose dvm device list command

An object ID used to reference the device in CLI commands

FDS

Antivirus and IPS

Purpose of admin profiles

Applied to admin users; used to specify permissions within the given ADOM or ADOMS

When FM applies configuration changes to the FG how does it apply them so it can recover if the FGFM tunnel goes down

Applies them to FG memory without saving to the configuration, and then checks the tunnel connection to see that it hasn't changed

If you have hundreds of policies and need to search for a specific one what should you do

Apply a filter in the search field

In workspace workflow mode what options does an admin have to decide what to do with changes submitted for approval (4)

Approve; reject; discard; view changes

After you create a header policy what do you do next to apply it

Assign the policy to a policy package in an individual ADOM

What should you do before running database integrity commands (2)

Back up the config; unlock all ADOMs

When backing up FM on the system dashboard, what will and won't be backed up

Backs up: all devices, global database, flash configuration. Does not back up: logs, fortiguard objects, firmware images

How do you migrate one FM backup to another FM (2 steps)

Back up the original FM. On the CLI of the second FM, run the command: execute migrate all-settings <ftp | scp | sftp> <server> <filepath> <user> <password>

Default implicit sdwan rule

Balances traffic among all available interface members

What does an administrator need to do to be able to approve session changes for workspace workflow mode

Become a part of an approval group under system settings > admin> workflow approval

What does the FGFM daemon run on fortigate or fortimanager?

Both: fortigate fgfmd, fortimanager fgfmsd

When neither device is behind NAT which device will reestablish the FGFM tunnel when it is torn down

Both of them will try

Similarities and differences between fortianalyzer and fortimanager

Both run on the same hardware and software platform, and both can be used for logging and reporting. Fortimanager has a limit on the log rates and can't log as much as fortianalyzer; it needs to use system resources for its other features, such as configuration management

Find unused objects GUI tool

Built in to help admins locate any firewall objects in the database that aren't being used and allows you to delete them

How is the administration of devices divided

By ADOM

How do you identify the root fortigate in fortimanager security fabric

By an asterisk * at the end of the root fortigate

How can you restrict an admin's access to only a few ADOMS on fortimanager

By assigning ADOMS to the admin's account

How to see the CLI commands that will be pushed to a FG device by a specific provisioning template

CLI command: execute fmpolicy print-prov-templates <ADOM> <template type #> <package> <category>

Operational Difference between TCL and CLI script on FM

CLI script runs via the FGFM tunnel and TCL uses SSH

If secondary FM member fails what do you do

Reconfigure the primary device to remove the peer ID of the failed secondary, or leave the configuration for when the device comes back online

What is the CLI only objects menu in the device manager and policy & objects panes for, and how do you enable it

Can be enabled in display options and allows you to configure device settings that are normally only visible in the CLI. Some include: antivirus, DNS filter, FTP proxy, WAF, IPS

What questions should you ask if fortimanager and fortigate cannot discover each other

Can they contact each other? Does the FM admin have sufficient privileges to add the FG? Is FM in offline mode? Is TCP 541 between FM and FG blocked? Are the IP and credentials correct? Is FGFM access on the interface disabled? Is the FG in the unauthorized device list?

What can you do if a task is suspended and holding up other pending tasks

Cancel or delete

Explain the command diagnose sniffer packet any "host 192.168.1.99 and port 541" 1 5 1

Capture packets on any interface with host 192.168.1.99 on port 541, with verbosity 1 (packet headers only), a count of 5, and the local timestamp

What can an unexpected shutdown do to FM

Cause filesystem and database corruption

What are the default groupings of ADOMS on the ALL ADOM management page

Centralized management; backup mode; other device types

Key features of fortimanager (CCALLSPFF)

Centralized management; Configuration revision control and tracking; ADOMS; Local fortiguard service; Logging and reporting; Scripting; Pane managers - VPN, FortiAP, FortiSwitch and Fabric View; Fortimeter - fortinet VM on demand; Firmware management

How to check for failures when performing imports or installations

Check the logs and it will tell you why it failed

Retrieve config in the revision history button

Checks the current configuration on a device and compares to revision history. If there is a difference it updates fortimanager revision repository

If you do not see the security fabric group name after configuring the security fabric, what should you do when looking at the device manager

Click refresh

What information does the revision history display

Config; install log; revision difference; who the revision was created by; what type of installation (retrieved or installed)

If you configure backup ADOM mode, what specific requirements (4) must be met in order for config revisions, made directly on the managed devices, to be sent back to FM

Config change and session timeout; config change and logout; config change and reboot; manual config backup from the managed device

Command to enable automatic registration of an unauthorized device in FM

config system admin setting; set allow_register enable/disable

Command to enable TCL scripting

config system admin setting; set show_tcl_script enable

Command to disable automatic updates from fortigate to FM

config system admin setting; set auto-update disable; end

CLI command to schedule FM backups

config system backup all-settings; set status enable/disable; set server <IPv4 address | FQDN>; set protocol ftp | scp | sftp

How do you configure fortigate to use FM as a FDS server

config system central-management; config server-list; edit 1; set server-type update rating; set server-address <FM IP>; next; end; set include-default-servers enable/disable (enable: use public FDS if FM is unavailable; disable: use only FM FDS)

Command to configure fortigate with FM IP so it can announce itself to FM when it's behind a NAT device or if a FM version 6.0 and before is behind a NATed device

config system central-management; set fmg <fmg IP>

If you use the preshared key to register a device with fortimanager what do you need to configure on the fortigate

config system central-management; set type fortimanager; set fmg <FM ip>; end; execute central-mgmt register-device <fmg-serial#> <fmg-register-passwd>

If you use the SN to register a device with FM what needs to be configured on the fortigate

config system central-management; set type fortimanager; set fmg <fortimanager IP>; end

Command to set console output to standard

config system console; set output standard; end

Command to configure fgfm-sock-timeout and fgfm_keepalive_itvl on FG

config system dm; set fgfm-sock-timeout [number in seconds]; set fgfm_keepalive_itvl [number in seconds]

FM command to reboot the FG and restore config file if the FGFM tunnel goes down and won't restore

config system dm; set rollback-allow-reboot enable; end

Enable ADOM in CLI command

config system global; set adom-status enable/disable; end

Command to enable workspace workflow mode

config system global; set workspace-mode workflow; end

How to disable concurrent access to the same ADOM

config system global; set workspace-mode disabled; end

Use case for a backup ADOM

Configuration changes will be made directly on the devices and you want to use FM to track changes and control revisions

When configuring sdwan in fortimanager what two things do you set up first (hint something to do with the link is one)

Configure health check servers; create interface members

How do you finalize the security fabric settings (after installing to the devices)

Configure fortianalyzer settings on the root fortigate and authorize all devices

How can fortigate announce itself to a NATed FM or try and reestablish the FGFM tunnel

Configure the NATed FM IP on the fortigate with the commands: config system central-management; set fmg <FMG_NATed IP>

If FM is behind a NAT device what is recommended to configure

Configure the NATed IP of FM with set mgmt-addr under config system admin setting

config system central-management; set fmg <FMG NATed IP>

Configures the fortigate with the FM NATed IP so that the fortigate can announce itself to the FM and reestablish the FGFM tunnel

Global adom

Contains global objects and header and footer policies

What is the global object database for the global ADOM layer

Database of global objects such as addresses, services, and security profiles that can be shared across multiple ADOMS

Security recommendations for deploying fortimanager

Deploy behind a firewall on a trusted private network and not on the internet; use secure communication methods (HTTPS and SSH) only; configure trusted hosts; secure passwords and use a password policy to ensure only a strong password can be used

What three ways can scripts be run, and which is the default

Device database (default); policy package / ADOM database; remote fortigate directly

What does the device settings status "modified" indicate

Device level configuration changes are made on fortimanager for the managed device

You run the command diagnose dvm device list and see pkg: modified, cond: ok. What does this indicate

Device level settings stayed the same (config status is synchronized) and the policy package was modified on fortimanager

Steps to configure root fortigate for security fabric settings on FM

Device manager > System: Security fabric; enable security fabric; configure a group name; configure a password for the group

How to configure downstream fortigates for the security fabric in FM

Device manager > System: security fabric; same group name as root; same password as group; connect to upstream fortigate; configure the upstream fortigate IP (fortigate IP / management IP)

What two ways can you access the install wizard

Device manager; policy and objects

Where is the import policy wizard

Device manager > managed devices > select device > import policy

What are some options in deciding which devices go into which ADOM?

Device type (fortigate, fortimanager, fortiweb); firmware version (5.6, 6.2); geographic region; customer; administrator; organizational aspect (test network, production network)

What can't you change in the default ADOMs

Device type or firmware version

What device can you add to a device group

Devices in the same ADOM

Describe map view and how you can add devices to the map

Devices will appear on Google Maps. You enter the location of the device manually, in device location settings, or drag the device to the accurate position. Map view will indicate the status of the device by color

Command to enable the debug output before specifying the debug

diagnose debug enable

What are the two CLI commands for debugging ADOM upgrade issues

diagnose debug enable; diagnose debug service cbd 255

How do you reset debug level on fortigate

diagnose debug reset

Command that provides the list of all devices or VDOMS for managed and unregistered devices. It also provides SNs, IPs, firmware, HA mode, and statuses for device level and policy package. Hint: dvm = device manager

diagnose dvm device list

Command to see device members of an HA cluster

diagnose dvm device list

Command to check for unexpected locked processes

diagnose dvm lock

Command to check for any stuck processes/tasks so they don't hold up other processes

diagnose dvm proc list

Command to list the status of FGFM tunnels for all managed devices (connecting IP, uptime, link-level address)

diagnose fgfm session-list

What command script syntax is special for fortimanager

Dynamic mappings for objects and interfaces

TCL

Dynamic scripting language that extends functionality of CLI scripting. First line of the script is #!

1st step to create an SDWAN using fortimanager

Enable sdwan management in the ADOM: System settings > all ADOMS > select ADOM > central management > sdwan

ADOM

Enables the admin to create groupings of devices (or VDOMS) to monitor and manage. They can be configured to separate based on geographic location or functionality (or customers). The purpose is to segment and control administrator access.

Which command is useful when troubleshooting ADOM level issues: execute fmpolicy print-device-object or execute fmpolicy print-adom-database

execute fmpolicy print-adom-database

Command to display the entire ADOM database with all policy packages and objects

execute fmpolicy print-adom-database <ADOM>

Command to display firewall policies contained in a specific policy package in the adom

execute fmpolicy print-adom-package <ADOM> <package> <category>

Command to display firewall policies on a managed device

execute fmpolicy print-adom-package <ADOM> <package> <category>

CLI command to view the whole configuration of a managed device (including any device level changes but not including system template changes)

execute fmpolicy print-device-database <ADOM> <device name>

Command to import system template profile to a second ADOM

execute fmprofile import-profile <ADOM name> <profile name> <full path of exported file>

Command to clean the script schedule for all non-existing devices

execute fmscript clean-sched

Command to copy scripts between ADOMs

execute fmscript copy

Command to import a script from fortimanager

execute fmscript import

Command to list scripts in an ADOM

execute fmscript list <ADOM name>

Command to show a run script log for a device

execute fmscript showlog <devicename>

Command to format the disk and erase all device settings and images, fortiguard databases, and log data on fortimanager's hard drive. Bonus: what can you add to secure the files left on the hard drive from being accessed by forensic tools

execute format {disk | disk-ext4} <RAID-level> deep-erase <erase-count> (will overwrite the files on the hard disk with random data the specified number of times)

Command to display processes responsible for high i/o usage

execute iotop

If you are experiencing communication issues between FM and fortigate what command should you execute first

execute ping

Tests the network connection between FM and another network device

execute ping

Command to reset all FM configuration except interface and routing configurations

execute reset all-except-ip

Command to reset all settings and return FM to factory default

execute reset all-settings

Command to perform a graceful shutdown

Execute shutdown

Command to determine if FGFM tunnel is up

Execute ssh <fortigate FGFM IP>

Command to test FM port 541 reachability from a device

Execute telnet <fortimanager ip> 541

Command to see processes with high resource utilization

Execute top

What should you not include at the end of a TCL script that will prevent the script from running

Exit

Explain how FM behind NAT, FG behind NAT, and both Behind NAT work with discovery and tunnel reestablishment

FM behind NAT: only FM can discover the FG and only FM can reestablish the connection, unless you configure the FG with the NATed FM IP or configure FM to set its own NATed IP on the FG during the discovery process. FG behind NAT: FM can discover the fortigate with the FG NATed IP, and the fortigate can announce itself when you configure the FMG IP on the FG; if the tunnel goes down, only the FG can reestablish it. Both behind NAT: FM can discover the FG through the FG NATed IP, the FG can also announce itself with the NATed FMG IP configured in its central-management setting, and only the FG can reestablish the tunnel if the FM IP is configured.

What happens in the object conflicts step of device registration

FM checks for object conflicts or duplicates between FM and fortigate and allows you to view details and pick if you want to use the value from FM or fortigate

How does fortimanager know when the fortigate configuration changes

FM compares the configuration stored in the revision history to the configuration on the fortigate (using checksums). It also uses statuses so it knows what action to take.

What if both FM and FG are behind a NATed device? Who can discover/announce? And what if the FGFM tunnel goes down

FM discovers the fortigate through the fortigate NATed IP, but FM cannot reestablish the connection if the tunnel goes down. If the fortimanager IP is configured on the fortigate with "config system central-management / set fmg <fmg NATed ip>", then the fortigate will try to reestablish the FGFM connection if it is down.

What type of commands does Fm send to FG to make configuration changes (think of syntax )

FM sends set and unset commands to the fortigate when making configuration changes

Describe the recovery logic of the FGFM tunnel and what FM does to ensure the connection remains established when making configuration changes to the fortigate

FM sends set and unset commands to the fortigate when making configuration changes. If a set command is sent and the FGFM tunnel goes down, FM will try to recover the tunnel by unsetting the command that made it go down.

What happens when you import a device into FM with an existing configuration

FM will import the fortigate's firewall policies into a new policy package and save the objects into the ADOM database

In order for fortigate to communicate with fortimanager what needs to be enabled on the fortimanager facing interface

FMG-Access

What FM panes are visible in the GUI

Fabric view, Device manager, Policy & objects, AP manager, VPN manager, FortiSwitch manager, Fortiguard, SOC, System settings

What are the four manager planes available on fortimanager

Fabric view, VPN manager, AP manager, FortiSwitch manager

Where can you view the security fabric ratings on FM

Fabric view pane

Where can you view the security fabric topology (2 spots two different panes)

Fabric view pane > physical or logical topology tab; Device manager pane > right-click the security fabric group or device and click fabric topology

Which of the following is true regarding system templates: (a) they facilitate identical device-level settings across many devices; (b) you can use them to install a common policy package across multiple devices

They facilitate identical device-level settings across many devices

True or false: policy check will allow you to make changes

False

True or false: you can't move system template profiles between ADOMs

False

True or false: when creating an ADOM of a fortigate type, the firmware version you specify for the ADOM does not need to match the version on the fortigate devices you add to the ADOM

False, it needs to match the version of the managed devices you add

True or false: even though you should make changes on the primary you can make changes on a secondary FM in HA

False, it will not let you if it is a slave (secondary)

True or false A user must start the session then lock the ADOM in workflow mode

False, you must lock the ADOM first and then create the session

True or false: you must create separate objects for each policy package

False, objects can be shared between multiple policy packages in the same ADOM

True or false: all the management panes are available in backup ADOM mode

False, only a few of them are

True or false: when you import address and service objects into a backup ADOM they are stored in the central database

False, they are stored in the device manager database

True or false: you can only create one policy package per device

False, you can create a package that applies to multiple devices

How can you force a connection from FM to a fortigate when the FGFM tunnel goes down and the fortigate is behind a NAT device

Go to device manager > select the device > go to the connection summary widget > click refresh

If you see a device sitting in the unauthorized section of device manager in fortimanager, who initiated the request, fortigate or FM

Fortigate

When fortimanager is behind a NATed device how does device discovery work and what happens if the FGFM tunnel goes down (by default)

Only fortimanager can discover the fortigate; the fortigate cannot announce itself to FM. Also, only FM can establish the FGFM tunnel if it is torn down; the fortigate will not be able to try to reestablish it.

What is a useful feature that can help admins revert to previous revisions of a configuration or audit configuration changes

Revision history: fortimanager will detect configuration changes made locally or within fortimanager and compare the previous and updated versions, which are then logged

Which way is the FGFM tunnel initiated

Fortimanager, during the discovery/add process; fortigate, if a management request is sent by the fortigate

What needs to be enabled on any interfaces facing a downstream or upstream fortigate for the security fabric

Fortitelemetry

What is the device settings status and where can you access it

Found under the configuration and installation widget on the device dashboard (under sync status); it indicates the status of the device settings on fortimanager

Command to see overall resource utilization

Get system performance

Command that displays the serial number, firmware version, ADOM status, HA status

Get system status

Command to check current status including serial number firmware ADOM and HA status

Get system status

What command does FM run on the FG during the discovery and add process

get system status; get system interface; get system interface physical; get hardware status; get mgmt-data status; config system central-management / set type fortimanager / unset serial-number / set serial-number "xxxxxxx" / set fmg "fmg IP" / end; get ips rule status; get ips decoder status; get application name status

What standard management ports does fortimanager use

HTTP 80, HTTPS 443, SSH 22

What do fortiguard services entail

IPS, antivirus, web filter, and email filter

Which of the following features is available in the restricted admin profile: device registration, or IPS sensor

IPS sensor

Import policy wizard

Imports the interface mapping, policy database, and objects associated with the managed devices into a policy package under the policy and objects pane

Where would you find ADOM revisions

In the policy and objects tab

Where does fortimanager store fortigate configurations (remember the picture)

In the revision history

Downfall of having a lot of ADOM revisions

Increases the size of configuration backups

What does the import policy report show

Information about the fortigate, the ADOM name on FM, the policy package name, and the objects added

By default what is the FM log setting severity set to

Informational

Install policy package and device settings option

Installs the selected policy package; any device-specific settings for the devices are also installed

Before upgrading an ADOM what should you do? (Hint: pending installations)

Install any pending device settings or policy package changes. After installation, make sure the policy packages and configurations are all synchronized.

Install wizard

Installs configuration changes from device manager or policy & objects to the managed devices. It also allows you to preview the changes before applying them.

Which option should you select when installing policy package changes

Install policy package and device settings

What are the two installation types for the install wizard

Install policy package and device settings; install device settings only

Once you add a Vdom to a managed device what do you need to do to finalize the change

Install the changes to the managed device

Installation target per policy purpose and how you select devices

Installation targets allow you to apply all policies in a package to all devices (the installation targets), while the per-policy setting lets you install a single policy on only a selected device, in case you have some policies needed on all devices and one policy needed on only one of them. To select which device, or all installation targets, go to the IPv4 policy in the policy package and scroll to "install on" to select specific devices or all.

When fortimanager and fortigate are in sync what will the policy package status be

Installed

Examples of device level settings

Interface, DHCP server, HA, SNMP, fortiguard, static routes, OSPF, DNS, admin settings, CA certificates, policy routes, BGP, IPsec

Difference between dynamic interface and zone mapping

An interface will map one-to-one to an interface on the managed device, while a zone will be created locally on the fortigate

What Does FM discover about the device when you use the discover option in the add device wizard

IP, hostname, SN, model, firmware version, HA status, admin user name

Which statement is true regarding locking an ADOM: (a) it automatically removes locks on devices and policy packages; (b) other admins have read/write access

It automatically removes locks on devices and policy packages

How does fortimanager reduce wan usage

It can act as local fortiguard server to prevent fortigate from downloading updates over the internet

When a new configuration is installed, what does fortimanager do (installation process)

It compares the latest revision in the revision history (the one running on the device) with the changes made on fortimanager, creates a new revision in the revision history, and installs the changes on the managed device

What is the requirement for importing a configuration to FM from a local computer

It must be a configuration file downloaded from fortimanager

What is the limitation to the auto update feature that notifies FM of revision changes

It will only update device manager changes and not policy and object changes

If after 15 min and the unset command the FGFM tunnel still stays down, what does FM do to the FG if the rollback-allow-reboot command is enabled on FM

It will reboot the FG, and the FG will recover the previous configuration from its configuration file

What happens if your browser crashes or your PC dies while your ADOM is locked

It will remain locked until the admin's session expires or until the session is deleted

You configure the FM NATed IP on the fortigate, but the fortigate won't announce itself to FM. FM is version 6.0. Why won't the fortigate announce itself?

It won't work if FM is version 6.0 or higher. You need to configure the NATed FM IP in the FM system admin settings so it is set on the fortigate during discovery.

What is used for the management traffic tunneled between fortigate and fortimanager

Link level addressing 169.254.0.0/16 subnet

What are the steps FM goes through in registering a new device

Login, discovery, import options (now or later), policy and object import, interface mapping, object conflicts, object import, import summary

FM fortiguard server override modes

Loose: the default; allows fallback to the other public FDN servers if FM can't communicate with the servers specified in the list (usually other HA members). Strict: FM can access only the configured override servers.

How are fortigates distributed among ADOMS in a MSSP (managed security service provider) use case

The MSSP manages and rents out fortigates. Each customer gets their own ADOM with read-only access.

Fgdlink

Main fortiguard process responsible for downloading the web filter and email filter databases

Fgdsrv

Main fortiguard process that serves fortigate and forticlient web filter and email filter requests

What is one way to avoid concurrent changes in an ADOM besides disabling workspace-mode

Make sure the admins that have access to the ADOM don't have overlapping permissions

Describe a use case for implementing FM

Management of a large corporate network with many remote sites and several hubs and data centers that have firewall policies or objects common to many sites

Interface mapping step of device registration

Maps the device interface to the ADOM interface in order to create references for these interfaces in the FM database

HA failover threshold

Maximum number of heartbeat intervals that can occur without a response before FM assumes the member is down

Health check servers (SdWAN)

Mechanism for detecting when a link along the path has stopped or degraded (periodically sends probe signals through each member link to a server that acts as a beacon); basically the link health monitor on the fortigate

What is the default setting for concurrent ADOM access

Multiple admins can log in to the same ADOM at the same time

When replacing a fortigate cluster member do you need to manually change the FG serial number

No, it will be relearned through the FGFM tunnel

Difference between quick install and installation wizard

Quick install has no option to preview changes or cancel the install once it starts

After you add a root fortigate to FM that is part of a security fabric do you need to add all other fortigates?

No, they will all be added to unmanaged devices automatically if the security fabric is set up correctly

If you delete a used object what will it be replaced with in the firewall policies

The none object (null); any traffic that matches the firewall policy will be blocked

What workspace mode does policy lock work in conjunction with

Normal

Two ADOM device modes

Normal (default) and advanced

Two modes when creating an ADOM

Normal and backup

What workspace mode is policy lock available in

Normal only

What would cause an inconsistent or corrupt fortigate configuration

Not following the upgrade path

What is the difference between running the diagnose ha force-resync command on the primary vs. on a secondary FM cluster member

On the primary, it forces a full sync with all cluster members; on a secondary, it resyncs only that secondary

Whether you choose to import all objects or only objects tied to a firewall policy, the system will delete ____ that are not tied to policies in the next installation

Orphaned objects

Device manager layer

Part of the management layer. Records information on devices that are centrally managed by fortimanager, such as name, type, model, IP, firmware, revision history, and real-time status.

ADOM layer

Part of the management layer. Where policy packages are created, managed, and installed on devices and device groups. Contains one common object database for each ADOM.

When FM is discovering a new device in the add device wizard, what is it retrieving from the device?

Policies and objects to create the device database; initializes the configuration database; retrieves the configuration; retrieves the fortiguard support contract; retrieves the HA configuration

What happens if auto push is enabled in the ADOM creation settings

Policy packages and device settings will be installed to offline devices when they come back online

What is the main benefit of the re install policy option

Policy push with fewer steps, for a quick policy change

Common cause for the execute script error "device <name> failed -1", and the common solution

A problem with the end of the script (no end statement), or the fortigate is not in sync with fortimanager. Check the script output and add an end statement; resync the fortigate by retrieving its configuration.

What permissions are in backup ADOM mode

Read only

What permissions do you have over the fortigate HA in fortimanager from the Gui

Read only

Restricted_user

Read-only access for all device permissions and no system permissions

What permissions are for normal ADOM mode

Read/write

Standard_user

Read/write access to device permissions but no system permissions

Package_user

Read/write access to policy packages and objects; read-only access to system and device permissions

How to use find and replace under ipv4 policy

Right-click the object > find and replace

How do you revert to a previous revision and what do you need to do afterwards

Right-click the revision in the revision history and click revert. Afterwards you will need to install the revision to the device.

You created a firewall policy but forgot to add an object to the source what can you do

Right-click the source and click add object

What configuration setting for fortigate is part of the device-level database on fortimanager: routing, or firewall policies

Routing

What are the two options for executing scripts

Run now or schedule

When running a database integrity check command what are you advised to do if the command makes a change or correction to a database

Run the command again

When you authorize an unauthorized device in FM, what do you need to do in order to import the device's policies into a policy package

Run the import policy wizard

When you link the model device to the real device, what are the two methods you could use

Serial number and preshared key

What commands should you use to check if you're having resource issues

Show system resource: shows overall system resources. Execute top: shows top process resources so you can see which processes are hogging resources.

Find duplicate objects

Similar to find unused objects, in that it searches the fortimanager firewall object database; it displays all objects with duplicate values and allows you to merge them together

Three types of policy filter searches, and what each does

Simple search: highlights any policy that matches the string you entered. Column filter: allows you to search for values by column (source, destination, action, users, etc.). Find and replace: lets you find and replace objects used in the policies.

What is fortimanager

Single-pane-of-glass management; minimizes the cost of large deployments; reduces WAN usage with a local cache server; provides centralized device management for Fortinet devices; automated mass device provisioning and policy management; provides logging and reporting

What does the chassis dashboard tell you and what can you configure

Slot number, slot information, current blade state; you can configure blade information, PEM, fan tray, shelf manager, SAP

When you are having resource issues what kind of issues may you experience

Slowness in managing devices from FM; adding devices or installing changes may be slow

Why does the admin username and password you provide in the discover option of the add device wizard need to be read/write

So FM can fully discover the device and add the full configuration. Write access allows FM to install configurations to the fortigate.

What is the purpose of creating a device group in device manager and what is a use case

So you can run an operation on multiple devices instead of one (install device changes, run scripts on multiple devices). Useful when upgrading firmware.

Three possible sync statuses

Synchronized, out-of-sync, unknown

Three types of provisioning templates

System, threat weight, certificate

After security fabric is enabled where can you configure security fabric settings

System > security fabric settings

How can you delete administrator sessions in the GUI (say ADOM gets locked accidentally)

System settings > system information widget > current administrators button (far right) > admin session list > delete

Event subtypes

System manager, FGFM protocol, device configuration, deployment manager, real-time monitor, log and report manager, firmware manager, fortimanager manager, debug IO log, device manager, web service, fortianalyzer, log daemon, FIPS CC, device manager

Where do you configure FM HA

System settings

How do you create a new ADOM

System settings > all ADOMs > create new

Where can you check HA status (3)

System settings > HA; system settings > dashboard > system information widget; CLI with the command diagnose ha stats

Where can you enable the "show add multiple button" and what does it do

System settings > admin > admin settings. It allows you to authorize several devices at once.

How to manually enable offline mode

System settings > advanced > advanced settings

Where is chassis management enabled

System settings > advanced > advanced settings

Where can you monitor the status of tasks you or other admins have performed

System settings > task monitor

Where do you enable ADOMs

System settings under system information

If you display an installation preview from the device dashboard, it displays the device-level configuration, with two exceptions:

System templates, ADOM configuration changes

Listening port for web GUI or JSON API

TCP 443

What port is used for FM to obtain updates from FDN

TCP 443

Listening and destination ports for fortimanager in cascade mode

TCP 8891, 8900, 8901

When you upgrade an ADOM, which two places can you check the status and/or see a log entry

Task monitor or the CLI

How to unlock a process

Task monitor under the system settings pane; cancel or delete the process/task

What is included in the import report when registering a device

Tells which device was imported into which ADOM, as well as the policy package that was created and all the objects imported

Device setting status - unmodified

The fortigate config in the device-level database is in sync with the current revision in the revision history (no changes to the device database and nothing to install)

Configuration status - pending / modified

The fortigate configuration is different from fortimanager's and is pending an install in order to return to an unmodified state

Configuration status- synchronized / not modified /auto update

The latest revision in the revision history (whether from an install, retrieve, or auto update) is aligned with the configuration on the fortigate

Configuration status - out of sync

The latest revision in the revision history does not match the fortigate, due to configuration changes made locally on the fortigate or a partial install failure

Which statement about the global ADOM layer is true: (a) the same policy can be assigned to multiple ADOMs; (b) global ADOM rules are automatically installed on managed fortigate devices

The same policy can be assigned to multiple ADOMs

How are performance SLAs and SD-WAN rules connected?

The SD-WAN rules that choose which interface to use are based on the SLAs configured for checking latency, jitter, and packet loss

True or false, the ADOM layer consists of a common object database so that the devices in the ADOM have access to the same objects and policy packages

True

True or false: each HA cluster member must have a unique IP

True

True or false: the ADOM will automatically return to the unlocked state once a session is submitted in workflow mode

True

True or false: you only need to upgrade the firmware on the primary FM in an HA cluster

True

True or false: the FM system stores tasks in a separate task database instead of the global database

True

True or false: the task monitor is restored when you do a FM config backup and restore

True

True or false: the trusted hosts you define for an admin user apply to both the GUI and CLI when accessed through SSH

True

True or false: when importing a device with existing configuration FM will check for duplicate or conflicting objects so they are not imported into the object database

True

True or false: you can add and delete devices in backup ADOM mode

True

True or false: you can apply OR or NOT conditions to the search in the IPv4 policy filters

True

True or false: you can download install preview as a .txt

True

True or false: you can lock devices and policy packages too

True

True or false: you can assign individual VDOMs to different ADOMs even if they belong to the same physical device

True

What happens if there are no responses to the FG keepalive messages from FM for the socket timeout value

The tunnel is torn down and one or both ends will try to reestablish it, depending on whether one of them is behind NAT

Port used for DNS lookup

UDP 53

Listening port for fortiguard anti-spam or web filtering rating lookups from a forticlient or fortigate

UDP 53 or 8888

Listening port for fortiguard antivirus and ips updates

UDP 9443

Port used for syslog

UDP 514

Where do unauthorized devices requesting registration appear in FM

Under device manager in the root ADOM

Policy check, and where to perform it

Under the policy package. Provides recommendations on what improvements can be made to the firewall policies in order to reduce unnecessary policies, combine policies that shadow each other, combine duplicate policies, and remove policies that have orphaned objects. It does not make any changes; it just evaluates the policy package.

How to check if there is pending data for HA that needs to be synced

Under the pending module data on the dashboard, or use the command diagnose ha stats

Interface mapping and where to create one

Under zone/interface. Dynamically maps a logical interface to the physical interface on the managed device. Useful when the devices have different interface names but the same purpose.

What are the three device setting statuses

Unmodified, modified, auto updated

If you made config changes locally on the managed device, what do you do to import the new device-level settings and policies (2)

Use retrieve config for the device-level settings, and then use import policies in the policy and objects pane

Once you configure all the security fabric settings what do you need to do to apply the settings to the devices

Use the install wizard and select install device settings only to apply to both root and any downstream fortigates

Header and footer policies

Used to wrap policies in each individual ADOM

Use of the packet sniffer

Useful for troubleshooting connectivity and traffic-related issues

Why does FM retrieve the support contract during device registration

Useful in case the FM acts as the local fortiguard server for the managed fortigate

What can be enabled in central management ADOM settings and what do they allow you to do

VPN: centrally manage IPsec VPNs for all managed devices in that ADOM; FortiSwitch; FortiAP; SD-WAN: manage SD-WAN for all managed devices in that ADOM

What is the maximum number of ADOMs supported

It varies by fortimanager model or VM license

What does the fabric view pane allow you to do

View security fabric ratings of configurations for fortigate security fabric groups

When is a new revision history created

When the FM configuration is installed to the fortigate or the fortigate is locally updated

Configuration status - conflict

When changes are made locally on the fortigate, FM does not perform a retrieve, and then changes are made on FM too

How do you add per device mapping

When creating an object turn on "per device mapping"

What is the installation preview on the device manager device dashboard in the configuration and installation status widget

When the device settings status is modified, you can preview the installation (the exact commands) that will be installed/pushed to the fortigate

When should an admin use event logs at debug level

When investigating an FM issue with technical support

When should an admin consider using workspace mode

When multiple admins require access to the same devices and could potentially make changes to the same settings at the same time

When would you not be able to lock an individual device (hint: mode)

When the ADOMs are in advanced mode

When would you use the add model device in the add device wizard

When the device is not online yet

What does refreshing the connection with a device do? (Can be done on device dashboard)

When you refresh, FM attempts to establish the connection between the selected device and fortimanager. It retrieves basic information such as the SN, firmware, support contracts, and HA member information.

What is the "overwrite current IP, routing, and HA settings" option when restoring an FM backup

When you restore the backup, all of these settings will be overwritten by the backup. If you disable this setting, FM will still restore the configuration related to device information and the global database but will preserve the HA and network settings.

When are database integrity checks run automatically

When you schedule configuration backups

If you lock a device or policy package, when will another admin be able to make changes to them

When you unlock it; when you log out of FM; if they lock the ADOM, it will forcibly disconnect you and unlock the device

Will the managed fortigates know if there is a FM HA cluster

Yes, FM will update the fortigate's central management configuration with the serial numbers of all cluster members

Does fortimanager support the security fabric

Yes, it can see all devices that are part of the same security fabric and lets you manage them as one device. It also lets you see your topology map, which updates if the topology changes.

When you authorize a device it will initially appear in the root ADOM. Can you authorize it to a custom ADOM instead?

Yes, it gives you the option to select the ADOM when authorizing

What happens immediately after you enable ADOMs

You are logged out so the system can reinitialize the settings

You are trying to create a new ADOM but do not see the all ADOMs setting. What could be the problem?

You are not super_user

Describe advanced ADOM device mode and a use case

You can assign VDOMs on the same device to different ADOMs. This could be used if you are an MSSP/MSP and have different customers' VDOMs on the same device.

What is the main benefit of exporting a template from one ADOM to another

You can use the same template across devices in multiple ADOMs without much effort

Describe normal ADOM device mode

You cannot assign different fortigate VDOMS to different FM ADOMs

Purpose of dynamic interface mapping

You map the local fortigate interfaces to the ADOM interfaces so that FM is aware of which interfaces are used for what. This comes in handy when applying policy packages to multiple devices: if the devices use different ports, and the ports are dynamically mapped in the ADOM, FM will know which ports to apply policies to even if the devices have a different setup.

What happens if the primary FM fails in a cluster

You must manually configure one of the secondary devices to become the primary, and then configure the other secondaries to point to the new primary

Certificate provisioning template

Allows you to create CA templates, add devices to them, and generate certificates for the selected devices. Once you generate and sign the certificates, you can install them with the install wizard.

What does enabling service access do during initial configurations of FM

Allows FM to respond to requests from managed devices for fortiguard updates and web filtering on the chosen interface

XML API

Allows you to retrieve information about managed devices, execute scripts to modify device configurations, and install the configuration on the devices

What information is recorded in the device manager layer for managed devices on fortimanager

Name, type, model, IP, firmware, revision history, real-time status

How do you apply SD-WAN to a device in FM

When creating an SD-WAN template, go to device manager > SD-WAN > assigned devices, select the devices, select the SD-WAN template, and map the ports
