Adding Fortinet FortiManager Devices

TOS Aurora monitors FortiManager devices for revision changes. When you add a FortiManager device to TOS Aurora, you can select the devices and virtual domains (VDOMs) managed by the FortiManager that you want TOS Aurora to monitor by periodic polling.

By default, Fortinet devices define an "all" object that represents "any". Do not modify or rename this object; changes to it may cause Provisioning to the device to fail.

Process Overview

To monitor a Fortinet FortiManager device (and its managed devices) in TOS Aurora, you must complete the following procedures:

  1. Add the Fortinet FortiManager device to TOS Aurora.

  2. Import the domains and/or devices managed by the Fortinet FortiManager device.

    When you select the Administrative Domains (ADOMs) and managed devices of the Fortinet FortiManager device that TOS Aurora should monitor, if you have configured Advanced monitoring mode, you can also select the Collect dynamic topology information option.

  3. Edit the configuration of a managed FortiManager firewall device, including enabling or disabling the option to Collect dynamic topology information.

    If you currently monitor your firewalls as standalone devices and now want to monitor them through the FortiManager device that manages them, add the FortiManager device and its firewalls as a new device and then disable the standalone firewalls (see Status). You can still select the disabled standalone devices in the device tree to see their historical device data. When that historical data is no longer needed, remove the standalone firewall devices from TOS Aurora.

After you add the FortiManager and its managed devices, you can monitor the managed devices the same as when you add the managed devices directly to TOS Aurora. In addition, you can:

  • View and compare in graphical format the policy packages on the FortiManager device according to their administrative domains (ADOMs), including those that are not installed on a firewall device
  • View the global object database on the FortiManager device
  • Create New Revision and Advanced Change reports for the policy packages on the FortiManager device

TOS Aurora and the monitored devices must be synchronized to the correct date and time, either manually or automatically (for example, with NTP); otherwise revision timestamps and log correlation will be wrong. We recommend that you also configure the devices to resolve DNS queries.

To help you organize the information for your devices, you can use the device information worksheet.

Prerequisites

Read/Write Permissions

  • A device user created on the FortiManager for TOS Aurora, with Read/Write permissions for all information on the FortiManager device.

  • JSON API (RPC) access for that user with read-write permission.

    You can configure these permissions either in the FortiManager command line interface or in the user interface for the device.

Setting Permissions using the Command Line Interface

To grant the TOS Aurora user read-write access over the JSON API, in the FortiManager command line interface run the following (the rpc-permit setting is what controls that user's JSON API access; it is separate from the admin profile assigned to the user):

config system admin user
edit <username configured in TOS>
set rpc-permit read-write
end

Setting Permissions in FortiManager Interface

To configure Read/Write permissions for a FortiManager device, in the device user interface:

  1. Log into the device and select System Settings.

  2. In the navigation pane, select Admin > Profile.

  3. Create/Edit the device profile that is associated with a Tufin Orchestration Suite user account.

  4. Select Read-Write for all the profile settings.

Update the FortiManager List of Trusted Hosts

Trusted hosts are defined per FortiManager admin user. If you have enabled the Trusted Hosts setting for the user that TOS Aurora authenticates with, you must add the IP address of the TOS Aurora host (or of the TOS Aurora cluster that will monitor the device) to that user's trusted hosts; otherwise the FortiManager rejects the connection and certificate retrieval and communication fail.
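The following Python script is an added example written for this page; it is not Tufin or Fortinet code. It checks, before you add the device, that the FortiManager user TOS Aurora will use has rpc-permit set to read-write and that the TOS Aurora address is allowed by that user's trusted hosts. It assumes the FortiManager JSON API shape noted in the docstring (POST to `/jsonrpc`, `exec /sys/login/user`, `get /cli/global/system/admin/user/<userid>`, `exec /sys/logout`, and `rpc-permit` plus `trusthost1`..`trusthost10` fields on the user record); field encodings differ between FortiManager releases, so confirm them against yours. The sample user record is constructed for the demonstration, not captured from a device.

```python
"""Preflight check of the FortiManager admin user that TOS Aurora will use.

Added example, not part of the Tufin documentation or of either product.
Assumed FortiManager JSON API shape (verify against your release):
  endpoint:  POST https://<fortimanager>/jsonrpc
  login:     exec /sys/login/user      data={"user": ..., "passwd": ...}
  lookup:    get  /cli/global/system/admin/user/<userid>
  logout:    exec /sys/logout
  the user record carries "rpc-permit" (none|read|read-write) and
  "trusthost1".."trusthost10" as "ip mask" strings or [ip, mask] lists.
"""
import ipaddress
import json
import ssl
import urllib.request

TRUSTHOST_FIELDS = [f"trusthost{i}" for i in range(1, 11)]


def build_request(method, url, rpc_id, session=None, data=None):
    """Build one FortiManager JSON-RPC request body."""
    param = {"url": url}
    if data is not None:
        param["data"] = data
    body = {"id": rpc_id, "method": method, "params": [param]}
    if session is not None:
        body["session"] = session
    return body


def _parse_trusthost(value):
    """Normalise a trusthost field to an IPv4Network, or None if absent/unparseable."""
    if not value:
        return None
    parts = value.split() if isinstance(value, str) else list(value)
    if len(parts) != 2:
        return None
    return ipaddress.IPv4Network(f"{parts[0]}/{parts[1]}", strict=False)


def evaluate_admin_user(user_record, tos_aurora_ip):
    """Return a list of findings; an empty list means the user is ready for TOS Aurora.

    user_record is the "data" object returned for /cli/global/system/admin/user/<userid>.
    """
    findings = []
    permit = str(user_record.get("rpc-permit", "none"))
    if permit != "read-write":
        findings.append(f"rpc-permit is '{permit}', must be 'read-write' (set rpc-permit read-write)")

    networks = [n for n in (_parse_trusthost(user_record.get(f)) for f in TRUSTHOST_FIELDS) if n]
    # 0.0.0.0 0.0.0.0 is the default ("any host"). Once any specific trusted host is set,
    # the remaining all-zero entries are ignored, so only the specific ones restrict access.
    restricted = [n for n in networks if n.prefixlen != 0]
    if restricted:
        tos = ipaddress.IPv4Address(tos_aurora_ip)
        if not any(tos in n for n in restricted):
            allowed = [str(n) for n in restricted]
            findings.append(f"{tos_aurora_ip} is not covered by any trusthost entry {allowed}")
    return findings


def fetch_admin_user(host, api_user, api_passwd, userid, verify_tls=True):
    """Log in, read the admin user record, log out; returns the user record dict."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab use only; production FortiManagers should present a SAN-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    endpoint = f"https://{host}/jsonrpc"

    def call(body):
        req = urllib.request.Request(endpoint, data=json.dumps(body).encode(),
                                     headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return json.load(resp)

    login = call(build_request("exec", "/sys/login/user", 1,
                               data={"user": api_user, "passwd": api_passwd}))
    session = login["session"]
    try:
        reply = call(build_request("get", f"/cli/global/system/admin/user/{userid}", 2, session=session))
        result = reply["result"][0]
        if result["status"]["code"] != 0:
            raise RuntimeError(result["status"]["message"])
        return result["data"]
    finally:
        call(build_request("exec", "/sys/logout", 3, session=session))


# Constructed sample record (not captured from a real device): the user still has the
# default rpc-permit, and its only specific trusted host excludes the TOS Aurora address.
SAMPLE_USER = {
    "userid": "tos-aurora",
    "rpc-permit": "none",
    "trusthost1": "10.10.20.0 255.255.255.0",
    "trusthost2": ["0.0.0.0", "0.0.0.0"],
}

if __name__ == "__main__":
    for finding in evaluate_admin_user(SAMPLE_USER, "10.10.30.5"):
        print("FAIL:", finding)
```

Against a live FortiManager, replace the sample record with `fetch_admin_user("<fortimanager>", "<admin>", "<password>", "<tos user>")`; the evaluation logic is the same. The check reads the user record only, so a read-only admin account is enough to run it.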

Add a SAN Signed Certificate to the FortiManager Device

See Adding SAN Signed Certificates to FortiManager Devices.

Monitor a FortiManager Device

  1. In TOS Aurora, go to Monitoring > Manage Devices.

  2. Select the appropriate device type:

    Add FortiManager

  3. Configure the device settings:

    • Name for Display

    • Domain: Available only if you have configured your system for managing multi-domains and All Domains is currently selected. Select the domain to which to add the device. The Domain can only be entered when adding a device; to change the Domain, you must migrate the device.

    • Get revisions from:

      • IP Address: Enter the IP address of the FortiManager device.

    • ST server: In a distributed deployment, select which TOS Aurora cluster monitors this device.

  4. Click Next.

  5. Configure the TOS Aurora connection to the FortiManager device, according to the parameters required by the device. To use a vault server that contains access credentials, select Use Vault and select the server. For more information, see Configuring a Vault Server.

  6. Enter the authentication details needed to connect to the FortiManager device.

    • Username and password: Enter the device username and password

    • Enable password: Enter the password to give TOS Aurora elevated privileges on the device

    • Connection configuration: Select whether to use SSH (preferred) or Telnet. Telnet sends credentials and configuration in cleartext, so use it only where SSH is unavailable. To use default settings (recommended in most cases), leave the Port number blank.
      The device must be configured to use SSH version 2. For Advanced management, the connection type is JSON API over HTTPS.

    • Port number: Leave empty to use the default port (port 443 for Advanced management)

  7. Click Next.
  8. In Monitoring Settings, do one of the following:

    • To use real-time monitoring and timing settings from the Timing page, select Default.

    Otherwise, select Custom and configure the monitoring mode and settings.

    • Real-Time Monitoring: Applies only if syslogs (Configuring Devices to Send Logs) are configured. Select Custom settings and configure:

      • 'Save policy' interval: When a Save Policy event is followed within this time interval by an Install Policy event for the same policy, TOS Aurora tries to combine the two events into a single revision. The default value is 60 seconds.

      • 'Install policy' interval: When two or more Install Policy events for the same policy occur within this time interval, TOS Aurora combines the events into a single Install Policy revision (Default: 60 seconds)
      • Automatic fetch frequency: How often (in minutes) TOS Aurora automatically fetches the configuration, independently of syslog-triggered revisions

    • Periodic Polling: Select Custom settings and configure the Polling frequency, which determines how often TOS Aurora fetches the configuration from each device.

      If you select 1 day, you can then select the exact time (hour and minute) for the daily polling.

  9. Click Next and then click Save.

    The FortiManager device now appears in the Monitored Devices tree.

  10. To complete the configuration, do one of the following:

    • Click Done.

    • Click Import Managed Devices (or Import Administrative Domains and Managed Devices/Import Device Groups and Managed Devices if available), select all the managed devices to be added, and click Save or Import.

      To import managed devices later, you can select the device and click Import Managed Devices (or Import Administrative Domains and Managed Devices/Import Device Groups and Managed Devices if available).

    • Add another device.

Topology options to collect routing information for building the network Interactive Map are configured when you import managed devices.

Import the Domains or Devices Managed by the FortiManager Device

  1. Select the FortiManager device from the device tree.
  2. Click Import Administrative Domains and Managed Devices.

  3. From the list of devices managed by the FortiManager device, select the devices to import.
  4. Configure the Topology options:

    • Enable Topology: Collects routing information for building the network Interactive Map.

    • Collect dynamic topology information: Select this when dynamic addressing (DHCP) or routing protocols (OSPF and BGP) are in use. This option is available only if you have configured Advanced monitoring mode.

  5. Configure the Usage Tracking options:

    • Enable Tracking of Rule Usage - Monitor last hit information for rules in the managed devices being imported.
    • Enable Tracking of Application and User Usage - Monitor last hit information for applications and users in the managed devices being imported.
  6. Click Import.
  7. Do one of the following:

    • Click Reset to update the list of managed devices.
    • Click Done to return to the device tree.

      The managed devices appear under the FortiManager device in the device tree.

For TOS Aurora to show full accountability details (who made the policy changes and when the changes were made) and rule and object usage, you must also configure the device to send syslogs.

Edit the Dynamic Topology Settings for Devices

Use this procedure to configure a Fortinet FortiManager device to retrieve Dynamic Topology information for its managed devices in TOS Aurora.

  1. Select the Fortinet FortiManager device from the device tree.
  2. Click Collect Dynamic Routing Information and click Collect.

    Collect dynamic topology information is enabled for all the managed devices.

    For Fortinet FortiManager devices, dynamic topology information is retrieved for Administrative Domains (ADOMs) from version 5.4 and above.

How Do I Get Here?

In SecureTrack, go to Monitoring > Manage Devices.