FortiManager

Reset:

exe reset all-settings

exe reset all-except-ip        !! keep interface and routing configuration

exe format {disk} deep-erase

ADOM (Administrative Domain):
 used to divide administration of devices and to control (restrict) administrator access


ADOM Mode:
Normal: full access to make changes from FortiManager to the ADOM and its managed devices
Backup: changes are always made directly on the managed device; on FMG, only scripts can be used to push changes.

Device Manager changes made on managed devices are auto-updated into the FMG revision history
   Device Manager changes only, no Policy & Object changes.


ADOM device mode:
Normal: a FortiGate (FG) belongs to a single ADOM
Advanced: different VDOMs from the same FG can be assigned to different ADOMs

Group devices into ADOMs by device type, then by FortiOS version, then by other criteria.

new IPS Admin   (CLI only)

Workspace mode

Disables concurrent ADOM access.
An admin can lock an ADOM, a device, or a policy package.
Only one admin has Read/Write access to the locked object; others have read-only access.

When workspace mode is enabled, Device Manager and Policy & Objects are read-only. You must lock the ADOM, a device, or a policy package before you can make any changes.

Per-ADOM workspace mode is enabled in the ADOM settings.

Moving devices to a different ADOM does not update the policies and objects in the ADOM database. You must import policies and objects into a new ADOM.

Policy change is made on FG:
Config Status: Auto-Updated  (the change is not reflected in the GUI Policy Package, but a new (current) revision appears in revision history)
Policy Package Status: Out of Sync

Policy change is made on FM:
Config Status: Synchronized  (no change)
Policy Package Status: Modified

Device setting change is made on FM:
Config Status: Modified
Policy Package Status: Synchronized (Installed)

Device setting change is made on FG:
Config Status: Auto-Updated  (FM GUI info gets updated). If the device setting comes from a Provisioning Template, Install will overwrite the change made on FG.
Policy Package Status: Synchronized (Installed)

Device setting change is made on both FM and FG:
Config Status: Modified (recent Auto-Updated)
Policy Package Status: Synchronized (Installed)

Either a device setting change or a policy change on FG sets the FM Config Status to "Auto-Updated".
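The status rules above behave like a small state machine. The following Python model is an added example (not Fortinet code) that encodes them so a sequence of events can be replayed to predict what Device Manager will show. The event names are mine; so are two assumptions the notes do not spell out: that a successful install clears pending changes on both sides (Config Status back to Synchronized), and that a revert counts as an FMG-side change (which is why the notes list Config Status as Modified afterwards).

```python
"""Model of FortiManager per-device status transitions (added example, not Fortinet code).

Encodes the Config Status / Policy Package Status rules from the notes above.
Assumptions (not from the notes): install clears pending changes on both sides,
and revert is treated as an FMG-side change.
"""
from dataclasses import dataclass

SYNC, AUTO, MOD = "Synchronized", "Auto-Updated", "Modified"
MOD_AUTO = "Modified (recent Auto-Updated)"
OUT_OF_SYNC, UNKNOWN = "Out of Sync", "Unknown"


@dataclass
class DeviceStatus:
    fm_pending: bool = False   # device-level change made on FMG, not yet installed
    fg_pending: bool = False   # change made directly on the FortiGate (auto-updated into FMG)
    package: str = SYNC        # Policy Package Status as shown in FMG

    @property
    def config(self) -> str:
        """Config Status, derived from which side holds un-installed changes."""
        if self.fm_pending and self.fg_pending:
            return MOD_AUTO
        if self.fm_pending:
            return MOD
        if self.fg_pending:
            return AUTO
        return SYNC

    def apply(self, event: str) -> "DeviceStatus":
        if event == "policy_change_fg":
            self.fg_pending = True          # FG-side change: Config Status -> Auto-Updated
            self.package = OUT_OF_SYNC
        elif event == "policy_change_fm":
            self.package = MOD              # Config Status unchanged
        elif event == "device_change_fm":
            self.fm_pending = True          # Package status unchanged
        elif event == "device_change_fg":
            self.fg_pending = True          # Package status unchanged
        elif event == "retrieve":
            self.package = UNKNOWN          # notes only give the package effect
        elif event == "revert":
            # Assumption: FMG now holds a revision that differs from the device
            self.fm_pending, self.fg_pending = True, False
            self.package = UNKNOWN
        elif event == "install":
            # Assumption: install pushes the FMG copy and clears both sides
            self.fm_pending = self.fg_pending = False
            self.package = SYNC
        else:
            raise ValueError(f"unknown event {event!r}")
        return self


def run(events):
    """Replay a list of events from a synchronized start; return (Config, Package)."""
    state = DeviceStatus()
    for event in events:
        state.apply(event)
    return state.config, state.package


if __name__ == "__main__":
    for seq in (["policy_change_fg"], ["device_change_fm", "device_change_fg"],
                ["retrieve"], ["revert"], ["policy_change_fg", "install"]):
        print(seq, "->", run(seq))
```

Replaying `["device_change_fm", "device_change_fg"]` reproduces the "Modified (recent Auto-Updated)" case, and `["policy_change_fg", "install"]` shows why an install is the only event in the notes that brings both statuses back to Synchronized.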

FGFM daemon:

FortiGate: fgfmd
FortiManager: fgfmsd

TCP/541
The FortiGate needs FMG-Access (fgfm) enabled in allowaccess on the interface facing FortiManager.
169.254.0.0/24 is used for the FGFM tunnels; 169.254.0.1 is FortiManager.
The device serial number is used for tunnel authentication.

diag dvm device list
diag fgfm session-list
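A quick way to check the allowaccess prerequisite from a FortiGate configuration backup, as an added example that is not part of the notes: the script below parses the `config system interface` section of a FortiOS config and lists which interfaces permit FGFM. The config excerpt is constructed for the example; the `set allowaccess ... fgfm` syntax is the real FortiOS keyword for FMG-Access.

```python
"""Audit a FortiOS config backup for interfaces that allow the FGFM tunnel
(added example, not Fortinet code). Only 'config system interface' is parsed."""
import re

# Constructed sample FortiOS config excerpt (not taken from any real device)
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping https ssh fgfm
    next
    edit "port2"
        set ip 10.0.1.1 255.255.255.0
        set allowaccess ping https
    next
    edit "port3"
        set ip 10.0.2.1 255.255.255.0
    next
end
"""

EDIT_RE = re.compile(r'^\s*edit\s+"([^"]+)"\s*$')
ALLOW_RE = re.compile(r'^\s*set\s+allowaccess\s+(.*?)\s*$')


def parse_allowaccess(config_text: str) -> dict:
    """Return {interface_name: set of allowaccess keywords} for each interface."""
    result = {}
    in_section = False
    current = None
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped == "config system interface":
            in_section = True
            continue
        if not in_section:
            continue
        if stripped == "end":          # end of the interface section
            break
        m = EDIT_RE.match(line)
        if m:                          # start of one interface entry
            current = m.group(1)
            result[current] = set()    # no allowaccess line means nothing allowed
            continue
        if stripped == "next":         # end of the current interface entry
            current = None
            continue
        m = ALLOW_RE.match(line)
        if m and current is not None:
            result[current] = set(m.group(1).split())
    return result


def fgfm_audit(config_text: str):
    """Split interfaces into those that accept FGFM (fgfm in allowaccess) and those that do not."""
    access = parse_allowaccess(config_text)
    allows = sorted(name for name, kw in access.items() if "fgfm" in kw)
    denies = sorted(name for name, kw in access.items() if "fgfm" not in kw)
    return allows, denies


if __name__ == "__main__":
    allows, denies = fgfm_audit(SAMPLE_CONFIG)
    print("FGFM allowed on:", allows)
    print("FGFM blocked on:", denies)
```

Run it against a real `show full-configuration` export and confirm that the interface routed toward FortiManager appears in the allowed list; if it does not, `diag fgfm session-list` on the FortiManager side will never show the device.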

Retrieve Config

  • Purpose: Downloads the current running or startup configuration from the FortiGate device.
  • Scope: Retrieves the full device configuration (system settings, interfaces, policies, etc.).
  • Use Case: Typically used to view or back up the current configuration without affecting the policy package.
  • Does Not Update: The policy package or objects in FortiManager.
  • Policy Package Status: changes to Unknown; installing the policy package sets it back to Synchronized.

Import Configuration

  • Purpose: Imports the FortiGate configuration into FortiManager and creates or updates a policy package.
  • Scope: Parses the retrieved config and maps it to FortiManager’s policy and object database.
  • Use Case: Used when you want FortiManager to take over management of a FortiGate or sync changes made directly on the FortiGate.
  • Updates: The policy package, objects, and mappings in FortiManager.


Revert config:

This step only affects the device-level configuration. The policy package is not updated yet.

Config Status: Modified
Policy Package Status: Unknown