241 - fortimanager - managing devices.pdf
Post on 05-Nov-2015
-
Managing Devices
-
Adding Devices
Device is identified and its configuration imported into the device database
Organize devices into groups to simplify management
Secure exchange of information between devices and the FortiManager system
-
Adding Device from FortiGate Unit
Used when the FortiManager system is on a public network, but the FortiGate unit is behind a firewall
FortiGate unit will be listed in the FortiManager system as an unregistered device
Complete the process in FortiManager Web Config
-
Adding Devices
Add a single device or add multiple devices at the same time
Auto Discover default for adding multiple devices
Unregistered devices have already been discovered
Only need to add the unregistered device to registered device list
-
FortiGate to FortiManager (FGFM) Protocol
Discovery of devices is done in the one direction in which the devices can locate one another (devices behind a firewall)
Communication channel created using the FGFM protocol to secure the transfer
Internal link IP addresses used (link local addressing)
FortiGate units maintain a list of trusted FortiManager devices
-
FortiGate to FortiManager (FGFM) Protocol
Designed for FortiGate and FortiManager deployment scenarios
(especially where NAT is used)
FortiManager system is on public internet, FortiGate unit is behind NAT
FortiGate unit is on public internet, FortiManager system is behind NAT
Both FortiManager system and FortiGate unit have routable IP addresses
Mixed scenario from the above
-
FortiGate to FortiManager (FGFM) Protocol
On FortiGate unit: get system central-management
status: enable
mode: normal
type: fortimanager
schedule-config-restore: enable
schedule-script-restore: enable
allow-push-configuration: enable
allow-push-firmware: enable
allow-remote-firmware-upgrade: enable
allow-monitor: enable
serial-number: "FMG-3K2404200056"
fmg: 172.18.3.36
fmg-source-ip: 0.0.0.0
vdom: root
enc-algorithm: default
-
FortiGate to FortiManager (FGFM) Protocol
On FortiManager unit:
diagnose debug enable
diagnose fgfm session-list
Session List
device()ip(0.0.0.0)tunnel(0.0.0.0)uptime:
device(FGT60C3G10004267)ip(172.20.181.12)tunnel(169.254.0.2)uptime:Mon Aug 29 09:35:22 2011
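The session-list output above can be parsed and sanity-checked from a monitoring host: every registered device should have a tunnel address in the link-local range the slides mention, and every device you expect to be managed should have a session. This Python is an added example, not code from the slides or from Fortinet; the sample lines are constructed from the slide plus two made-up serials, and the 169.254.0.0/16 tunnel range is an assumption drawn from the slide's link-local note.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Line shape of "diagnose fgfm session-list" as shown on the slide. The first
# entry (empty device, 0.0.0.0) is the listening socket, not a device tunnel.
SESSION_RE = re.compile(
    r"device\((?P<device>[^)]*)\)ip\((?P<ip>[^)]*)\)"
    r"tunnel\((?P<tunnel>[^)]*)\)uptime:(?P<uptime>.*)$"
)
# Assumed from the slide's "link local addressing" note, not a documented constant.
FGFM_LINK_LOCAL = ip_network("169.254.0.0/16")


def parse_session_list(text):
    """Return one dict per registered device tunnel; the listener line is skipped."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.search(line.strip())
        if not m or not m.group("device"):
            continue
        sessions.append({
            "device": m.group("device"),
            "peer_ip": ip_address(m.group("ip")),
            "tunnel_ip": ip_address(m.group("tunnel")),
            # "uptime" is the time the tunnel came up, e.g. "Mon Aug 29 09:35:22 2011"
            "since": datetime.strptime(m.group("uptime").strip(), "%a %b %d %H:%M:%S %Y"),
        })
    return sessions


def check_sessions(sessions, expected_devices):
    """Flag tunnels outside the link-local range and expected devices with no session."""
    findings, seen = [], set()
    for s in sessions:
        seen.add(s["device"])
        if s["tunnel_ip"] not in FGFM_LINK_LOCAL:
            findings.append(f"{s['device']}: tunnel {s['tunnel_ip']} not in {FGFM_LINK_LOCAL}")
    for dev in sorted(set(expected_devices) - seen):
        findings.append(f"{dev}: no FGFM session (unreachable or not yet registered)")
    return findings


# Constructed sample: the slide's two lines plus one made-up device with a bad tunnel.
SAMPLE = """Session List
device()ip(0.0.0.0)tunnel(0.0.0.0)uptime:
device(FGT60C3G10004267)ip(172.20.181.12)tunnel(169.254.0.2)uptime:Mon Aug 29 09:35:22 2011
device(FGTEXAMPLE0000002)ip(10.0.0.5)tunnel(10.0.0.5)uptime:Tue Aug 30 10:00:00 2011
"""

if __name__ == "__main__":
    expected = ["FGT60C3G10004267", "FGTEXAMPLE0000002", "FGTEXAMPLE0000003"]
    for finding in check_sessions(parse_session_list(SAMPLE), expected):
        print(finding)
```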
-
FortiGate to FortiManager (FGFM) Protocol
Debugging the FortiGate-to-FortiManager communication protocol
On FortiManager device:
  diag deb application fgfmsd 255
  diag sniff packet xxx 'port 541'
  diag fgfm session-list
  diag fgfm object-list
  diag fmnetwork interface list
On FortiGate unit:
  diag deb appl fgfmd -1
  diag sniff packet xxx 'port 541'
-
FortiGate to FortiManager (FGFM) Protocol
diagnose fmnetwork interface list
svr_fgfm  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:169.254.0.1  P-t-P:169.254.0.1  Mask:255.255.0.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:35133 errors:0 dropped:0 overruns:0 frame:0
          TX packets:34866 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:8578867 (8.1 MiB)  TX bytes:3642787 (3.4 MiB)
-
Configuring Devices
Devices configured using Device Manager
Configuration interface similar to the FortiGate Web Config
Configuration changes saved and can be applied to all/selected devices
-
Configuration Status
-
Configuration Status
-
Installing Configuration Changes
-
Installing Configuration Changes
-
Monitoring Tasks
-
Revision History Device Manager
View configuration file
Rename and add comments
Retrieve current device config as a new revision and load into the device database
Import a device configuration file
Diff
Revert
Delete
-
Revision History Device Manager
From the CLI the Revision History can be queried with execute dmserver:
  delrev (delete all revisions)
  revlist (show revision list of specified device)
  showconfig (display configuration of specified device)
  showdev (display devices)
  showrev (show revision configuration)
-
Device Configuration Objects
Configurable policy and device settings represented by objects
Provides a centralized location where configurations and settings can be identified and copied to the Device Database
-
Device Configuration Objects
-
Dynamic Objects in GMS Mode
Objects that may vary from one device to another can be configured as dynamic objects and mapped to individual devices
Interfaces
Firewall addresses
Dynamic NAT configuration
Dynamic objects selected when policies created in Policy Console
No dynamic objects in EMS mode