article by Jetse Smeyers, Fortinet Presales at Exclusive Networks
Both FortiManager and FortiAnalyzer have been core components for quite some time, whether you are deploying a Security Fabric or an SD-WAN design, or simply want to manage and monitor multiple devices from a single console. While minor releases are still being added to the 7.0 branch (we are now at 7.0.4), the new 7.2 major release is already around the corner. The 7.2 branch has been available in beta since February and has recently been released for download through the Fortinet support portal. Our engineers had the opportunity to try the new version in a live lab environment during the latest European Xperts Summit, held at the end of June.
Here are some of their key findings concerning the youngest child in the family of FortiManager and FortiAnalyzer releases:
FortiManager: SD-WAN overlay templates
The SD-WAN orchestrator has been deprecated. This management extension on FortiManager allowed you to configure, manage and monitor FortiGates in an SD-WAN network. Unfortunately, granularity was not one of the strengths of this MEA (Management Extension Application), and in the field we noticed that the "normal" SD-WAN templates and CLI scripts were used instead of this extra application. Fortinet has therefore chosen a different path and introduced SD-WAN overlay templates. We must say that the naming is a bit misleading: what they call a "template" is actually a wizard. First, you have to make sure the underlay is properly configured. Then the SD-WAN overlay template can be used to sprinkle the SD-WAN magic over your install base and create the overlays and rules. The experience is very similar to using the IPsec VPN wizard on a FortiGate. We noticed that the templates offer quite some granularity in terms of BGP configuration, route maps and network advertisements. BGP is peered from a loopback interface, which is now the best practice: one BGP session per hub survives the failure of an individual overlay link, so a link failover no longer tears down a session and triggers a burst of BGP updates.
FortiManager: Device blueprints
In FortiManager 7.2.0, you can create device blueprints to simplify the configuration of certain device settings, including device groups, pre-run templates, policy packages, provisioning templates and more. Once a device blueprint has been created, it can be selected when adding a model device or when importing multiple model devices from a CSV file. Think of it as a package that simplifies the zero (or low) touch provisioning process: per device model, you select which firmware version should be used, to which device group or folder the FortiGate needs to be added, and which pre-run CLI templates, provisioning templates and policy package should be assigned. Also nice to know: it should now be possible to export and import templates, although this feature was not yet fully functional when we tested the beta release.
FortiManager: CLI template enhancements
You probably already knew that you can use Jinja templates to add logical flows (conditions and loops) to your pre-run and post-run CLI templates. Now you can also make use of validation and preview checks, which is especially handy when you are using metadata. When you import a CLI template it gets validated, and you are given the details needed to fix any error. We did a test with a CLI template that used variables which were not yet defined as metafields, and got an error that allowed us to create the missing metafields during the upload process. Other enhancements for CLI template troubleshooting include line numbering and a detailed error report with the line number, the template name and the reason for the installation failure. You can now also define meta variables at the ADOM level instead of having to define those fields system-wide, and you can use these metadata variables in firewall object configurations.
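To make the import-time validation described above concrete, here is an added example (not FortiManager code, and not from the original article) of the kind of check a practitioner can run locally before uploading a template. It scans a constructed pre-run CLI template for metafield references in both the `$(name)` meta-variable syntax and Jinja's `{{ }}` / `{% %}` delimiters, reports each reference to a metafield that is not defined in the ADOM together with its line number, lists the metafields to create, and substitutes the `$(name)` references with one device's values so that a device without a value for a defined metafield is caught as well. The template, the metafield names and the device values are all constructed samples; Jinja control flow is only validated here, not rendered, because FortiManager renders it itself at install time.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Reference syntaxes handled (assumed to mirror FortiManager's $(name) meta
# variables and Jinja's expression/statement delimiters; this is an offline
# pre-check, not a Jinja renderer).
META_REF = re.compile(r"\$\(([A-Za-z_]\w*)\)")
JINJA_EXPR = re.compile(r"\{\{\s*([A-Za-z_]\w*)")
JINJA_STMT = re.compile(r"\{%\s*(if|elif|for)\s+(.*?)\s*%\}")
IDENT = re.compile(r"[A-Za-z_]\w*")
JINJA_KEYWORDS = {"and", "or", "not", "in", "is", "defined",
                  "none", "true", "false", "None", "True", "False"}


@dataclass(frozen=True)
class Reference:
    line: int    # 1-based line number, as the 7.2 error report shows it
    name: str    # metafield name referenced
    syntax: str  # "meta" for $(name), "jinja" for {{ }} / {% %}


def find_references(template: str) -> list[Reference]:
    """Return every variable reference in the template with its line number.
    Jinja for-loop variables count as locally defined from the loop onwards."""
    refs: list[Reference] = []
    loop_locals: set[str] = set()
    for lineno, line in enumerate(template.splitlines(), start=1):
        for name in META_REF.findall(line):
            refs.append(Reference(lineno, name, "meta"))
        for kind, expr in JINJA_STMT.findall(line):
            if kind == "for":
                target, _, expr = expr.partition(" in ")
                loop_locals.update(IDENT.findall(target))
            for name in IDENT.findall(expr):
                if name not in JINJA_KEYWORDS and name not in loop_locals:
                    refs.append(Reference(lineno, name, "jinja"))
        for name in JINJA_EXPR.findall(line):
            if name not in loop_locals:
                refs.append(Reference(lineno, name, "jinja"))
    return refs


def validate_template(template: str, defined_metafields: set[str]) -> list[str]:
    """Mimic the import-time check: one message per undefined reference."""
    return [f"line {r.line}: undefined metafield '{r.name}' ({r.syntax} reference)"
            for r in find_references(template) if r.name not in defined_metafields]


def missing_metafields(template: str, defined_metafields: set[str]) -> set[str]:
    """The metafields you would have to create during the upload."""
    return {r.name for r in find_references(template)} - defined_metafields


def render_meta_variables(template: str, device_values: dict[str, str]) -> str:
    """Substitute $(name) references with one device's metafield values.
    A defined metafield with no value on this device raises ValueError, so
    the gap is found before an install is pushed to the FortiGate."""
    def substitute(match: re.Match) -> str:
        name = match.group(1)
        if name not in device_values:
            raise ValueError(f"metafield '{name}' has no value for this device")
        return device_values[name]
    return META_REF.sub(substitute, template)


# Constructed sample pre-run template for branch FortiGates (not real data).
SAMPLE_TEMPLATE = """\
config system global
    set hostname $(hostname)
end
config system interface
    edit "wan1"
        set ip $(wan1_ip) $(wan1_mask)
    next
{% if lte_backup %}
    edit "wan2"
        set mode dhcp
    next
{% endif %}
end
config router static
{% for gw in default_gateways %}
    edit 0
        set gateway {{ gw }}
        set device "wan1"
    next
{% endfor %}
end
"""

if __name__ == "__main__":
    # Metafields assumed to exist at ADOM level; default_gateways is missing.
    adom_metafields = {"hostname", "wan1_ip", "wan1_mask", "lte_backup"}
    for message in validate_template(SAMPLE_TEMPLATE, adom_metafields):
        print(message)
    print("create before upload:", missing_metafields(SAMPLE_TEMPLATE, adom_metafields))
    branch01 = {"hostname": "FGT-BR01", "wan1_ip": "203.0.113.10",
                "wan1_mask": "255.255.255.0", "lte_backup": "1"}
    print(render_meta_variables(SAMPLE_TEMPLATE, branch01))
```

Running the script reports `default_gateways` as undefined on line 15 of the sample, which is the same kind of pointer the 7.2 error report gives you, and shows the template rendered for one branch device. Pointing `validate_template` at the real set of ADOM metafields exported from your FortiManager turns this into a pre-commit check for a templates repository.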
FortiAnalyzer: Device groups and added dashboards
A minor change, but one that can be really handy: you can now create device groups on FortiAnalyzer. These device groups can then be used as filters in Log View, FortiView, event handlers and Reports. Staying with the GUI enhancements, you will also find some new dashboards. There is one for ZTNA, which gives visibility into the device tags, posture checks and the number of blocked and allowed connections. An IoT dashboard has also been added to give visibility into what is being used on the network (this requires the IoT detection license on your FortiGates). It should also be able to detect anomalies, although we do not yet know exactly what to expect from this feature. Lastly, the SD-WAN dashboard now shows information about the ADVPN shortcuts together with the MOS scores, and there is a new dashboard that gives you insight into the global statistics of the event logs.
FortiAnalyzer: FortiSOC module and added reporting features
In the FortiSOC module (which has been included in the subscription licenses for quite some time), you will discover some new event handlers: reconnaissance event detection, shadow IT event detection, a whole range of NOC event detections (such as link failure, HA events, wireless and switch events) and an IOC trigger on the local traffic of a FortiGate. If you include these in your playbooks, you will from 7.2 onwards be able to automatically post incident change notices to the ServiceNow table thanks to the new ServiceNow connector. In terms of reporting, you will find a new rich text editor to edit the layout of your reports. It makes it easier to add tables, images and links, and to format text according to your needs. You will also be able to export reports in JSON format besides the existing HTML, PDF, XML and CSV options.
FortiManager and FortiAnalyzer: System level enhancements
This section covers some minor changes to the common system. On FortiManager, for example, you now have automatic failover capabilities for HA set-ups: a failover can be triggered when a monitored interface goes down, instead of only when the system as a whole becomes unstable. Furthermore, you can now use VLANs directly on the ports of both FortiAnalyzer and FortiManager, and FortiManager now also supports link aggregation. Lastly, we noticed that French has been added as a management language.

Altogether, we do not think there are any groundbreaking features in the new release, although some of them will prove very useful for easing day-to-day management. There are of course plenty more features than the ones we described here, but the additions above were the ones that stood out the most for us. For a full overview of all the new features, consult https://docs.fortinet.com/document/fortimanager/7.2.0/new-features/ and https://docs.fortinet.com/document/fortianalyzer/7.2.0/new-features/.
And to wrap up, we will end with a small but very important disclaimer: while the 7.2 releases are now available, we do not recommend introducing them in production yet. Just like a good wine, new Fortinet releases get better with time. Enjoy playing with the new features!