Monitoring Fortinet FortiManager Devices

TOS Aurora monitors FortiManager devices for revision changes. When you add a FortiManager device to TOS Aurora, you can select the devices and virtual domains (VDOMs) managed by the FortiManager that you want TOS Aurora to monitor by periodic polling.

By default, Fortinet devices define an "all" object that represents "any". Changing this object may cause Provisioning to fail on the device.

To see which TOS features are supported for your device, review the feature support table.

Process Overview

To monitor a Fortinet FortiManager device (and its managed devices) in TOS Aurora, you must complete the following procedures:

  1. Add the Fortinet FortiManager device to TOS Aurora.

  2. Import the domains and/or devices managed by the Fortinet FortiManager device.

    When you select the Administrative Domains (ADOMs) and devices managed by the Fortinet FortiManager device, if you have configured Advanced monitoring mode, you can also select the Collect dynamic topology information option.

  3. Edit the configuration of a managed FortiManager firewall device, including enabling or disabling the option to Collect dynamic topology information.

    If you currently monitor your firewalls as standalone devices and you now want to monitor them through the FortiManager device that manages them, add the FortiManager device and its firewalls as a new device and then disable your standalone firewalls (see Status). You can select the standalone devices from the device tree to see their historical device data. When the device data of the standalone firewalls is obsolete, you can remove the standalone firewall devices from TOS Aurora.

After you add the FortiManager and its managed devices, you can monitor the managed devices the same as when you add the managed devices directly to TOS Aurora. In addition, you can:

  • View and compare in graphical format the policy packages on the FortiManager device according to their administrative domains (ADOMs), including those that are not installed on a firewall device
  • View the global object database on the FortiManager device
  • Create New Revision and Advanced Change reports for the policy packages on the FortiManager device

TOS Aurora and the monitored devices must be synchronized with the correct date and time, either manually or automatically. We recommend that you also configure the devices to resolve DNS queries.

Prerequisites

Read/Write Permissions

  • JSON API access with read/write permission

  • Create a device user with Read/Write permissions for all information on the FortiManager device.

    You can configure these permissions either in the FortiManager command line interface or in the user interface for the device.

Setting Permissions using the Command Line Interface

To configure Read/Write permissions for the FortiManager device, in the FortiManager command line interface run:

config system admin user
    edit <username configured in TOS>
        set rpc-permit read-write
end

Setting Permissions in FortiManager Interface

To configure Read/Write permissions for a FortiManager device, in the device user interface:

  1. Log into the device and select System Settings.

  2. In the navigation pane, select Admin > Profile.

  3. Create/Edit the device profile that is associated with a Tufin Orchestration Suite user account.

  4. Select Read-Write for all the profile settings.
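As an added preflight check (example code, not from Tufin or Fortinet), the script below logs in to the FortiManager JSON API with the account created for TOS Aurora and reports whether the JSON API permission configured above is actually in place. It assumes FortiManager's JSON-RPC endpoint `/jsonrpc` and its `/sys/login/user` call, and treats status code -11 ("No permission for the resource") as the sign that rpc-permit was not granted; the sample reply at the bottom is constructed.

```python
"""Preflight check (added example, not Tufin's or Fortinet's code): confirm that the
admin user created for TOS Aurora can log in to the FortiManager JSON API."""
import json
import ssl
import urllib.request

JSONRPC_PATH = "/jsonrpc"      # FortiManager JSON-RPC endpoint
NO_PERMISSION = -11            # status code seen when the admin has no JSON API permission


def build_login_request(user: str, passwd: str, req_id: int = 1) -> dict:
    """JSON-RPC body for the /sys/login/user call."""
    return {
        "id": req_id,
        "method": "exec",
        "params": [{"url": "/sys/login/user",
                    "data": {"user": user, "passwd": passwd}}],
    }


def classify_login_response(resp: dict) -> str:
    """Map a login reply to 'ok', 'no-rpc-permission' or 'login-failed'.

    Status code 0 plus a session token means the account may use the API.
    Code -11 ('No permission for the resource') is what you see when the
    admin exists but rpc-permit was never set; anything else is treated as
    a failed login (bad password, locked account, untrusted host, ...).
    """
    result = resp.get("result") or [{}]
    code = result[0].get("status", {}).get("code")
    if code == 0 and resp.get("session"):
        return "ok"
    if code == NO_PERMISSION:
        return "no-rpc-permission"
    return "login-failed"


def check_rpc_permission(host: str, user: str, passwd: str) -> str:
    """POST the login call to https://<host>/jsonrpc (certificate verified) and classify it."""
    body = json.dumps(build_login_request(user, passwd)).encode()
    req = urllib.request.Request(f"https://{host}{JSONRPC_PATH}", data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ssl.create_default_context(),
                                timeout=15) as r:
        return classify_login_response(json.load(r))


# Constructed sample reply, shaped like FortiManager's answer when the admin
# exists but rpc-permit was never set.
SAMPLE_DENIED = {"id": 1, "result": [{"status": {"code": -11,
                 "message": "No permission for the resource"},
                 "url": "/sys/login/user"}]}
```

Run `check_rpc_permission("<fortimanager-ip>", "<tos user>", "<password>")` from the TOS Aurora host so the call also exercises the Trusted Hosts setting described below.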

Update the FortiManager List of Trusted Hosts

If you have enabled the Trusted Hosts setting in FortiManager, you will need to add the IP address of the TOS Aurora host to enable certificate retrieval and communication.

Add a SAN Signed Certificate to the FortiManager Device

See Adding SAN Signed Certificates to FortiManager Devices.

Add a Device

  1. Select Fortinet > FortiManager:

    Add FortiManager

  2. Configure the device settings:

    • Name for Display

    • Domain: Available only if you have configured your system for multi-domain management and All Domains is currently selected. Select the domain to which to add the device. The Domain can only be set when adding a device; to change it, you must migrate the device.

    • Get revisions from:

      • IP Address: Enter the IP address of the FortiManager device.

    • ST server: In a distributed deployment, select which TOS Aurora cluster monitors this device (not shown in image)

  3. Click Next.

  4. Configure the TOS Aurora connection to the FortiManager device, according to the parameters required by the device. To use a vault server that contains access credentials, select Use Vault and select the server. For more information, see Configuring a Vault Server.

  5. Enter the authentication details needed to connect to the FortiManager device.

    • Username and password: Enter the device username and password

    • Enable password: Enter the password to give TOS Aurora elevated privileges on the device

    • Connection configuration: Select whether to use SSH (preferred) or Telnet. To use default settings (recommended in most cases), leave the Port number blank.
      The device must be configured to use SSH version 2. For Advanced management, the connection type is JSON API.

    • Port number: Leave empty to use the default port (port 443 for Advanced management)

  6. Click Next.

  7. In Monitoring Settings, do one of the following:

    • To use real-time monitoring and timing settings from the Timing page, select Default.

    • Otherwise, select Custom and configure the monitoring mode and settings:

      • Real-Time Monitoring: Applies only if syslogs (Configuring Devices to Send Logs) are configured. Select Custom settings and configure:

        • 'Save policy' interval: When a Save Policy event is followed within this time interval by an Install Policy event for the same policy, TOS Aurora tries to combine the two events into a single revision. The default value is 60 seconds.

        • 'Install policy' interval: When two or more Install Policy events for the same policy occur within this time interval, TOS Aurora combines the events into a single Install Policy revision. The default value is 60 seconds.

        • Automatic fetch frequency: Frequency (in minutes) for automatic fetch.

      • Periodic Polling: Select Custom settings and configure the Polling frequency, which is how often TOS Aurora fetches the configuration from each device.

        If you select 1 day, you can then select the exact time (hour and minute) for the daily polling.

  8. Click Next and then click Save.

    The FortiManager device now appears in the Monitored Devices tree.

  9. To complete the configuration, do one of the following:

    • Click Done.

    • Click Import Managed Devices (or Import Administrative Domains and Managed Devices/Import Device Groups and Managed Devices if available), select all the managed devices to be added, and click Save or Import.

      To import managed devices later, you can select the device and click Import Managed Devices (or Import Administrative Domains and Managed Devices/Import Device Groups and Managed Devices if available).

    • Add another device.

Topology options to collect routing information for building the network Interactive Map are configured when you import managed devices.
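To make the 'Save policy' and 'Install policy' intervals in step 7 concrete, the following Python is an added illustration (not TOS Aurora's own code) of how a stream of Save/Install events for the same policy is folded into revisions under the rules stated there; the Event and Revision types and the sample events are constructed for the example.

```python
"""Illustration (added example, not TOS Aurora's own code) of the 'Save policy' and
'Install policy' intervals: how Save/Install syslog events are folded into revisions."""
from dataclasses import dataclass, field

@dataclass
class Event:
    ts: float        # event time in seconds (constructed for the example)
    policy: str      # policy package name
    kind: str        # "save" or "install"

@dataclass
class Revision:
    policy: str
    events: list = field(default_factory=list)

def combine_events(events, save_interval=60, install_interval=60):
    """Return the revisions created for a stream of Save/Install events.

    Rules as described on the page:
      * a Save followed within save_interval by an Install of the same
        policy is combined with it into one revision;
      * Installs of the same policy within install_interval of each other
        are combined into one Install revision.
    A Save that is never followed by an Install stays a revision of its own.
    """
    revisions = []
    open_rev = {}                    # policy -> revision still accepting events
    for ev in sorted(events, key=lambda e: e.ts):
        rev = open_rev.get(ev.policy)
        if rev is not None and ev.kind == "install":
            last = rev.events[-1]
            window = save_interval if last.kind == "save" else install_interval
            if ev.ts - last.ts <= window:
                rev.events.append(ev)
                continue
        rev = Revision(ev.policy, [ev])  # outside the window: start a new revision
        revisions.append(rev)
        open_rev[ev.policy] = rev
    return revisions

# Constructed sample: one Save and three Installs of pkgA, one lone Save of pkgB.
SAMPLE = [Event(0, "pkgA", "save"), Event(30, "pkgA", "install"),
          Event(70, "pkgA", "install"), Event(200, "pkgA", "install"),
          Event(10, "pkgB", "save")]

if __name__ == "__main__":
    for r in combine_events(SAMPLE):
        print(r.policy, [(e.ts, e.kind) for e in r.events])
```

With the default 60-second intervals the sample yields three revisions: pkgA's Save plus the two Installs that follow within the windows, pkgB's lone Save, and pkgA's late Install at 200 seconds.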

Configure a Monitored Device

After you add a device, further configuration options are available.

Options vary depending on your environment.

Example

  • Edit configuration: Use the wizard to modify selected device settings. See Add a Device in this topic.

  • Delete this device: Type yes to confirm that you want to delete the device.

  • Import Administrative Domains and Managed Devices

  • Migrate (ST servers): Available in distributed deployments. Select the server where the device will be monitored and click Migrate.

  • Migrate (Domains): Available in multi-domain deployments. Select the domain where the device will be monitored and click Migrate.

  • Collect Dynamic Routing Information: Initiates retrieval of the dynamic routing information for all the firewalls managed by this device. You can manually change the collection configuration for each firewall later.

How Do I Get Here?

SecureTrack > Monitoring > Manage Devices