FortiManager
Policy and Objects
FortiManager 6.4
© Copyright Fortinet Inc. All rights reserved. Last Modified: 5 April 2023
Lesson Overview
Policy and Objects Management
Import and Install Wizards
ADOM Revision and Database Versions
Policy Locking and Workflow Mode
Policy and Objects Management
Objectives
• Describe policy workflow
• Create policy packages and objects
• Create installation targets for policies and policy packages
• Configure dynamic objects
• Use the policy check feature
• Clone a policy package
Overview
• You can perform the following tasks in each ADOM:
• Create or customize policy package(s) for each device or VDOM
• Create policy folders
• Point a policy package at a single device, multiple devices, all devices, a single VDOM, multiple
VDOMs, or all devices in a single ADOM
• Create objects that can be shared among policy packages in an ADOM
• Copy or clone existing policy packages
• Configure dynamic objects
• Configure display options
• Configure ADOM revisions
Policy Workflow
Diagram: two layers per ADOM (shown for ADOM 1 and ADOM 2)
• ADOM layer: the Objects and the Policy Package shared by the devices in the ADOM
• Device Manager layer: Device 1 and Device 2, each with its own Configuration Revision (per device)
• Downward arrow: install on managed device; upward arrow: import/retrieve managed device configuration
Policy Packages
• ADOM > Policy & Objects > Policy Packages
• Create firewall policies in policy packages
• Displays all the policy packages for the ADOM
• Expand the policy package name, and then click Firewall Policy to view the policies it contains
(Screenshot: showing policies for the Local-FortiGate policy package)
Object Configurations
• ADOM > Policy & Objects > Object Configuration
• Firewall policies in policy packages refer to objects defined in the ADOM database
Display Options
• Policy & Objects > Display Options
• You can customize display options to view or hide available tabs on the Policy &
Objects pane on FortiManager
Policy Folders
• Manage and organize your policy packages
• Allows nesting of policy folders
(Screenshot: Policy & Objects > Policy Packages, showing a policy folder, a nested policy folder, and the policy packages inside each)
Creating and Modifying Firewall Policies
• In Policy & Objects > Policy Packages, select a policy package and then Firewall Policy
• You can:
• Create new policy
• Insert above or below existing policy
• Clone, cut, copy, and paste
• Move policy up or down
• Enable and disable policy
• Delete policy
(Screenshot: right-click the Seq# of an existing policy to open this menu)
Adding and Removing Objects
• Click the column (for example, Source or Destination) to open the object list
• Objects already used in the policy are highlighted in yellow
• You can add or remove objects from the populated list
Policy Search and Filter
• Use the search field to search or filter policies for matching rules or objects
• Three types:
• Simple search (default): highlights the searched string in the matching policies
• Column filter: you can add multiple filters; switch between search types by clicking the column filter icon
• Find and Replace
Installation Target
• Policy Package > Installation Targets (listed under the name of the policy package)
• Target one or more devices or VDOMs
• If a target was previously assigned to another policy package, the Install wizard shows a warning message with the name of the previously assigned policy package
Installation Target—Per Policy
• Per-rule installation targets allow per-device exceptions for a shared policy package
• The Install On column allows you to target devices to add, remove, or set to defaults
• Click the Install On column of a policy to select devices
(Screenshot: one policy targeting all devices, another targeting individual devices)
Dynamic Objects
• Configure dynamic object mappings at the device level
• Devices without a mapping are mapped to the default subnet defined on the object
(Screenshot: one mapping for Remote-FortiGate, one mapping for Local-FortiGate)
Interface Mapping
• Defines mapping rules for interfaces
• Interfaces are mapped per-device and/or per platform
• When the normalized interface is used in a policy, the per-device mappings have
higher priority than per-platform mappings
Object Configurations > Normalized Interface
Example: Firewall Policy
• Policy view of interfaces and zones on FortiManager: LAN is mapped to port3, WAN is mapped to port1
• Policy view of interfaces and zones on the managed FortiGate: the Trusted zone includes port5 and port6
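The two mapping rules above (a dynamic address falls back to its default definition for devices without a per-device mapping; a per-device interface mapping outranks a per-platform one) are easy to get wrong when reading a shared policy package, so here is an added example that resolves an ADOM rule to its per-device form. This is illustration code, not FortiManager's own resolver; the device names, platform name, subnets and port names are constructed sample data, and the `render_policy` function and the `Device` type are assumptions of the example.

```python
"""Resolve ADOM-level dynamic objects and normalized interfaces to a device view.

Added example, not Fortinet code. It follows the rules stated on the slides:
a dynamic address object falls back to its default subnet for devices that
have no per-device mapping, and a normalized interface prefers a per-device
mapping over a per-platform one. Device names, platform names and subnets are
constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class DynamicAddress:
    name: str
    default_subnet: str                              # used by devices without a mapping
    per_device: dict = field(default_factory=dict)   # device name -> subnet

    def resolve(self, device: str) -> str:
        return self.per_device.get(device, self.default_subnet)


@dataclass
class NormalizedInterface:
    name: str
    per_platform: dict = field(default_factory=dict)  # platform -> physical interface
    per_device: dict = field(default_factory=dict)    # device name -> physical interface

    def resolve(self, device: str, platform: str) -> Optional[str]:
        # Per-device mappings have higher priority than per-platform mappings.
        if device in self.per_device:
            return self.per_device[device]
        return self.per_platform.get(platform)


@dataclass
class Device:
    name: str
    platform: str


def render_policy(policy: dict, device: Device, addrs: dict, ifaces: dict) -> dict:
    """Return the device-specific view of one ADOM policy, the way an install
    resolves it. A normalized interface with no mapping for this device is an
    error rather than a silent miss: the rule would otherwise bind to no port."""
    rendered = dict(policy)
    for key in ("srcintf", "dstintf"):
        mapped = ifaces[policy[key]].resolve(device.name, device.platform)
        if mapped is None:
            raise ValueError(f"{policy[key]} has no interface mapping for {device.name}")
        rendered[key] = mapped
    for key in ("srcaddr", "dstaddr"):
        obj = addrs.get(policy[key])
        # Static objects (for example 'all') are left as they are.
        rendered[key] = obj.resolve(device.name) if obj else policy[key]
    return rendered


def sample_adom():
    """Constructed ADOM contents: one dynamic address, two normalized interfaces, one rule."""
    addrs = {
        "LOCAL_SUBNET": DynamicAddress("LOCAL_SUBNET", "10.0.1.0/24",
                                       per_device={"Remote-FortiGate": "10.0.2.0/24"}),
    }
    ifaces = {
        "LAN": NormalizedInterface("LAN", per_platform={"FortiGate-VM64": "port2"},
                                   per_device={"Local-FortiGate": "port3"}),
        "WAN": NormalizedInterface("WAN", per_platform={"FortiGate-VM64": "port1"}),
    }
    policy = {"name": "lan-to-wan", "srcintf": "LAN", "dstintf": "WAN",
              "srcaddr": "LOCAL_SUBNET", "dstaddr": "all", "action": "accept"}
    return addrs, ifaces, policy


if __name__ == "__main__":
    addrs, ifaces, policy = sample_adom()
    for dev in (Device("Local-FortiGate", "FortiGate-VM64"),
                Device("Remote-FortiGate", "FortiGate-VM64")):
        print(dev.name, render_policy(policy, dev, addrs, ifaces))
```

Running it shows the same ADOM rule landing on port3 with 10.0.1.0/24 on Local-FortiGate (per-device interface mapping, default subnet) and on port2 with 10.0.2.0/24 on Remote-FortiGate (per-platform interface mapping, per-device subnet). A device on a platform with no mapping raises, which is the situation the Import Policy wizard's automatic interface mapping option is there to prevent.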
Used Objects
• You can delete a used object
• You can view where the object is used before deleting it
• However, if you delete an object that is referenced in a firewall policy, FortiManager replaces it with the none object
• The none object matches no traffic (it is the equivalent of null), so the policy stops matching; traffic that the policy used to allow is then blocked by later rules or the implicit deny. Check where an object is used before deleting it.
Find Unused Objects
• A built-in GUI tool helps administrators identify unused firewall objects
• The Find Unused Objects tool displays all the firewall objects that are currently unused (for example, addresses, services, virtual IPs, IP pools, and so on)
• You can delete unused objects directly in the Unused Objects pop-up window
Duplicate Objects
• The Find Duplicate Objects tool can help you locate duplicate firewall objects
• You can merge duplicate objects
Policy Check
• Checks the policy package for consistency problems and conflicting or redundant rules
• Helps you optimize firewall rules, which can reduce the size of the policy package database
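The four object and policy hygiene tools on the preceding slides (deleting a used object, Find Unused Objects, Find Duplicate Objects and Policy Check) are easier to reason about with a concrete package, so here is an added example that runs equivalent offline checks over a small constructed package. It is not FortiManager's implementation; the object and rule data, the choice of which duplicate name to keep, and the "earlier rule fully covers later rule" shadowing criterion are assumptions of the example.

```python
"""Offline checks over a policy package (added example, not FortiManager's own
Policy Check). Models the tools on the slides: find unused objects, find and
merge duplicate objects, detect rules shadowed by an earlier rule, and show
what deleting a still-referenced object does. All data is constructed."""
import copy
import ipaddress
from collections import defaultdict

# Constructed ADOM object database: name -> (type, definition)
OBJECTS = {
    "all":           ("address", "0.0.0.0/0"),
    "none":          ("address", "0.0.0.0/32"),   # predefined; matches no traffic
    "LOCAL_SUBNET":  ("address", "10.0.1.0/24"),
    "LAN_NET":       ("address", "10.0.1.0/24"),  # duplicate of LOCAL_SUBNET
    "REMOTE_SUBNET": ("address", "10.0.2.0/24"),
    "OLD_SERVER":    ("address", "10.0.9.9/32"),  # referenced by no policy
    "HTTPS":         ("service", "tcp/443"),
    "ALL_TCP":       ("service", "tcp/1-65535"),
}

# Constructed policy package, in sequence order.
POLICIES = [
    {"seq": 1, "srcaddr": "LOCAL_SUBNET", "dstaddr": "all", "service": "ALL_TCP", "action": "accept"},
    {"seq": 2, "srcaddr": "LAN_NET", "dstaddr": "all", "service": "HTTPS", "action": "accept"},
    {"seq": 3, "srcaddr": "REMOTE_SUBNET", "dstaddr": "LOCAL_SUBNET", "service": "HTTPS", "action": "accept"},
]

REF_FIELDS = ("srcaddr", "dstaddr", "service")


def sample_package():
    """Fresh copies, so callers can mutate freely."""
    return copy.deepcopy(OBJECTS), copy.deepcopy(POLICIES)


def find_unused(objects, policies):
    used = {p[f] for p in policies for f in REF_FIELDS}
    return sorted(n for n in objects if n not in used and n not in ("all", "none"))


def find_duplicates(objects):
    by_def = defaultdict(list)
    for name, (typ, definition) in objects.items():
        by_def[(typ, definition)].append(name)
    return [sorted(names) for names in by_def.values() if len(names) > 1]


def merge_duplicates(objects, policies):
    """Keep the first name of each duplicate group and rewrite references to it."""
    rename = {}
    for group in find_duplicates(objects):
        keep, *drop = group
        for d in drop:
            rename[d] = keep
            del objects[d]
    for p in policies:
        for f in REF_FIELDS:
            p[f] = rename.get(p[f], p[f])
    return rename


def delete_object(objects, policies, name):
    """Deleting a referenced address replaces it with 'none': the rule matches nothing."""
    del objects[name]
    for p in policies:
        for f in ("srcaddr", "dstaddr"):
            if p[f] == name:
                p[f] = "none"


def _net(objects, name):
    return ipaddress.ip_network(objects[name][1])


def _svc_covers(objects, outer, inner):
    proto_o, ports_o = objects[outer][1].split("/")
    proto_i, ports_i = objects[inner][1].split("/")
    if proto_o != proto_i:
        return False
    lo_o, _, hi_o = ports_o.partition("-")
    lo_i, _, hi_i = ports_i.partition("-")
    return int(lo_o) <= int(lo_i) and int(hi_i or lo_i) <= int(hi_o or lo_o)


def find_shadowed(objects, policies):
    """(later_seq, earlier_seq) pairs where the earlier rule's source, destination
    and service all cover the later rule, so the later rule can never match."""
    shadowed = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if (_net(objects, later["srcaddr"]).subnet_of(_net(objects, earlier["srcaddr"]))
                    and _net(objects, later["dstaddr"]).subnet_of(_net(objects, earlier["dstaddr"]))
                    and _svc_covers(objects, earlier["service"], later["service"])):
                shadowed.append((later["seq"], earlier["seq"]))
                break
    return shadowed
```

On the sample data, rule 2 is shadowed by rule 1 even though they use differently named source objects, because the duplicate check shows both names carry the same subnet; merging the duplicates first makes that visible in the rule text as well. Deleting the surviving address afterwards turns rules 1 and 2 into rules that match nothing, which is the failure mode the Used Objects slide warns about.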
Cloning an Existing Policy Package
• The clone initially has the same installation target as the original
• You can modify the installation target later
• Warning: you should not point more than one policy package at the same target, because that increases the chance of user error
(Screenshot: the original and the cloned policy package listed with the same installation target)
Knowledge Check
1. What is the purpose of dynamic objects?
A. To merge duplicate objects automatically
B. To map a single logical object to a unique definition per device
2. Which one of the following statements is correct regarding a policy package?
A. A policy package can have multiple installation targets in an ADOM
B. There can be only one policy package per ADOM
Lesson Progress
Policy and Objects Management
Import and Install Wizards
ADOM Revision and Database Versions
Policy Locking and Workflow Mode
Import and Install Wizards
Objectives
• Interpret the status of a device on FortiManager
• Use the Import Policy wizard
• Use the Install wizard
• Use the Re-install wizard
Status of Policy Package on FortiManager
Policy package status values:
• Imported
• Installed
• Never Installed
• Modified
• Out-of-sync
• Conflict
• Unknown
The admin can take action based on the status: Install to push changes to the device, or Import Policy to bring policy changes made on the device into FortiManager.
Diagram: the Device Manager pane holds the device-level DB and the revision history DB; the Policy & Objects pane holds the ADOM-level DB. Install pushes from FortiManager to the FortiGate; Import Policy, Retrieve, and Auto Update bring the FortiGate configuration back into FortiManager.
Policy Package Status
FMG-VM64 # diagnose dvm device list
--- There are currently 3 devices/vdoms managed ---
...
TYPE OID SN HA IP NAME ADOM IPS
fmgfaz enabled 160 FGVM010000065036 - 10.200.3.1 Remote-FortiGate root 6.00741
(regular) |- STATUS: dev-db: not modified; conf: in sync; cond: OK; dm: installed; conn: up
|- vdom:[3]root flags:0 adom:root pkg:[modified]Remote-FortiGate
...
--- End device list ---
Device Manager > Managed Devices
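The `diagnose dvm device list` output above packs three different sync states into one listing: the device-level DB (`dev-db`), the running configuration versus FortiManager's copy (`conf`), and the per-VDOM policy package status (`pkg:[...]`). As an added example, not a Fortinet tool, here is a parser that turns that listing into a drift report. The first device follows the slide; the second device, its serial and IP are constructed to show an out-of-sync case, and the regular expressions assume the column layout shown above.

```python
"""Parse 'diagnose dvm device list' output and flag devices whose running
configuration or policy package has drifted from what FortiManager holds.
Added example, not a Fortinet tool; the sample is constructed from the format
on the slide (the second device is invented for illustration)."""
import re

SAMPLE_OUTPUT = """--- There are currently 2 devices/vdoms managed ---

TYPE            OID     SN               HA      IP              NAME              ADOM    IPS
fmgfaz enabled  160     FGVM010000065036 -       10.200.3.1      Remote-FortiGate  root    6.00741
     (regular)  |- STATUS: dev-db: not modified; conf: in sync; cond: OK; dm: installed; conn: up
                |- vdom:[3]root flags:0 adom:root pkg:[modified]Remote-FortiGate
fmgfaz enabled  161     FGVM010000065037 -       10.200.1.1      Local-FortiGate   root    6.00741
     (regular)  |- STATUS: dev-db: modified; conf: out of sync; cond: OK; dm: installed; conn: up
                |- vdom:[3]root flags:0 adom:root pkg:[never installed]Local-FortiGate
--- End device list ---
"""

# Device header: TYPE (one or two words) OID SN HA IP NAME ADOM IPS
DEV_RE = re.compile(
    r"^(?P<type>\S+(?: \S+)?)\s+(?P<oid>\d+)\s+(?P<sn>\S+)\s+(?P<ha>\S+)\s+"
    r"(?P<ip>\S+)\s+(?P<name>\S+)\s+(?P<adom>\S+)\s+(?P<ips>\S+)\s*$")
STATUS_RE = re.compile(r"STATUS:\s*(?P<fields>.+)$")
VDOM_RE = re.compile(
    r"vdom:\[(?P<oid>\d+)\](?P<vdom>\S+)\s+flags:(?P<flags>\d+)\s+adom:(?P<adom>\S+)\s+"
    r"pkg:\[(?P<pkg_status>[^\]]*)\](?P<pkg>\S+)")


def parse_dvm_list(text):
    """One dict per device: header fields, a 'status' dict and a 'vdoms' list."""
    devices = []
    for line in text.splitlines():
        m = DEV_RE.match(line.strip())
        if m:
            devices.append({**m.groupdict(), "status": {}, "vdoms": []})
            continue
        if not devices:
            continue                      # banner lines before the first device
        m = STATUS_RE.search(line)
        if m:
            for item in m.group("fields").split(";"):
                key, _, value = item.partition(":")
                if key.strip():
                    devices[-1]["status"][key.strip()] = value.strip()
            continue
        m = VDOM_RE.search(line)
        if m:
            devices[-1]["vdoms"].append(m.groupdict())
    return devices


def drift_report(devices):
    """(device, reason) for every condition an admin should act on before trusting
    that the policy on the box equals the policy in the ADOM."""
    findings = []
    for d in devices:
        st = d["status"]
        if st.get("conn") != "up":
            findings.append((d["name"], f"management connection is {st.get('conn', '?')}"))
        if st.get("conf") != "in sync":
            findings.append((d["name"], f"device config is {st.get('conf', '?')} with FortiManager"))
        if st.get("dev-db") == "modified":
            findings.append((d["name"], "device-level DB has changes not yet installed"))
        for v in d["vdoms"]:
            if v["pkg_status"] not in ("installed", "imported"):
                findings.append((d["name"],
                                 f"vdom {v['vdom']}: policy package {v['pkg']} is {v['pkg_status']}"))
    return findings


if __name__ == "__main__":
    for name, reason in drift_report(parse_dvm_list(SAMPLE_OUTPUT)):
        print(f"{name}: {reason}")
```

The point of separating the three states is that they call for different actions: a `modified` package is fixed by Install, a device whose `conf` is out of sync needs Retrieve or Import Policy (and an investigation into who changed the box directly), and a `never installed` package means FortiManager has never been the source of truth for that VDOM.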
Import Policy Wizard
• Device Manager > Managed Devices
• Select the FortiGate device, and then click Import Policy
• Creates a new policy package, or can overwrite an existing one, and imports objects
• Imported objects are added to the ADOM object database
(Screenshot: two ways to open the Import Policy wizard)
Import Policy Wizard—Interface Map and Policy
• Maps each device interface to an ADOM interface, creating a reference for the interfaces in the FortiManager database
• Creates a policy package in Policy & Objects > Policy Packages
• Note: by default, the Add mappings for all unused device interfaces checkbox is selected and creates an automatic mapping for each new interface. The FortiManager administrator does not need to create a manual mapping when this option is enabled, which is very useful in large deployments.
(Screenshot: interface mapping step)
Import Policy Wizard—Summary
• Imports objects into ADOM database, policies into policy package
• You can save import report in .txt format
Start to import config from device(Local-FortiGate) vdom(root) to adom(root), package(Local-FortiGate)
"application list",SUCCESS,"(name=wifi-default, oid=2459, update previous object)"
...
"authentication setting",SUCCESS,"(name=, oid=3393, new object)"
...
"firewall address",SKIPPED,"(name=all, oid=2264, DUPLICATE)"
"firewall address",SKIPPED,"(name=none, oid=2265, DUPLICATE)"
"firewall address",SUCCESS,"(name=REMOTE_ETH1, oid=2266, new object)"
"firewall address",SUCCESS,"(name=REMOTE_SUBNET, oid=2267, new object)"
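The import report above is worth reading line by line rather than just checking for errors: a `SKIPPED ... DUPLICATE` entry means the ADOM already had an object with that name and the device's definition was not taken, while `update previous object` means an object that other policy packages may reference was replaced by the device's version. As an added example, not a Fortinet tool, here is a parser for the report format shown, with the sample embedded from the slide's lines (header joined onto one line). The helper names are the example's own.

```python
"""Parse a FortiManager Import Policy report (.txt) and pull out the entries a
reviewer cares about. Added example, not Fortinet code. The sample text is the
report excerpt shown on the slide."""
import csv
import io
import re
from collections import Counter

SAMPLE_REPORT = """Start to import config from device(Local-FortiGate) vdom(root) to adom(root), package(Local-FortiGate)
"application list",SUCCESS,"(name=wifi-default, oid=2459, update previous object)"
"authentication setting",SUCCESS,"(name=, oid=3393, new object)"
"firewall address",SKIPPED,"(name=all, oid=2264, DUPLICATE)"
"firewall address",SKIPPED,"(name=none, oid=2265, DUPLICATE)"
"firewall address",SUCCESS,"(name=REMOTE_ETH1, oid=2266, new object)"
"firewall address",SUCCESS,"(name=REMOTE_SUBNET, oid=2267, new object)"
"""

DETAIL_RE = re.compile(r"^\((?P<body>.*)\)$")


def parse_import_report(text):
    """One dict per CSV-style result line; the free-text header is ignored."""
    rows = []
    for fields in csv.reader(io.StringIO(text)):
        if len(fields) != 3:
            continue
        category, result, detail = fields
        m = DETAIL_RE.match(detail.strip())
        parts = [p.strip() for p in m.group("body").split(",")] if m else []
        info = {"category": category, "result": result, "name": "", "oid": None, "note": ""}
        for part in parts:
            key, sep, value = part.partition("=")
            if sep and key == "name":
                info["name"] = value
            elif sep and key == "oid":
                info["oid"] = int(value)
            elif not sep:
                info["note"] = part           # e.g. 'new object', 'DUPLICATE'
        rows.append(info)
    return rows


def summarize(rows):
    """Counts per (category, result, note), the shape of a one-screen review."""
    return dict(Counter((r["category"], r["result"], r["note"]) for r in rows))


def overwritten_objects(rows):
    """Objects whose ADOM copy was replaced by the device's definition; every other
    policy package referencing them now carries the new definition."""
    return [r["name"] for r in rows if r["note"] == "update previous object"]


def duplicate_skips(rows):
    """Objects kept as already defined in the ADOM, so the device's version was
    not imported; confirm the two definitions actually agree."""
    return [r["name"] for r in rows if r["note"] == "DUPLICATE"]


if __name__ == "__main__":
    rows = parse_import_report(SAMPLE_REPORT)
    for key, count in sorted(summarize(rows).items()):
        print(count, *key)
    print("overwritten:", overwritten_objects(rows))
    print("duplicates kept from ADOM:", duplicate_skips(rows))
```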
Install Wizard
• Multiple ways to launch:
• On the Device Manager pane
• On the Policy & Objects pane
• If you make configuration changes to a policy package, the policy package status changes to Modified; install to apply the changes to the remote device
(Screenshot: two ways to launch the Install wizard in Device Manager)
Install Wizard—What to Install
• Install Policy Package & Device Settings allows administrators to install the policy package and device settings changes
• The Install wizard also provides the options to:
• Select a policy package
• Select the device(s) to install the changes on
• Create a configuration revision
• Schedule the push to the remote device
Install Wizard—Validation
• Verifies the policy and device settings that will be installed and prepares a preview (for example, updating a source address or deleting unused objects on the device)
• Indicates which device(s) the changes were installed on and the installation status
Re-Install
• Same as the Install wizard without prompts, but provides an option to preview the installation
• Available on the Policy & Objects pane and on the Device Manager pane
• Clicking Next installs the policy package
Knowledge Check
1. What does a policy package status of Unknown indicate?
A. FortiManager is unable to determine the policy package status.
B. The policy package was never installed from FortiManager.
2. What is the main benefit of the Re-install Policy option?
A. Policy push with fewer steps for quick policy change
B. Can schedule policy push
Lesson Progress
Policy and Objects Management
Import and Install Wizards
ADOM Revision and Database Versions
Policy Locking and Workflow Mode
ADOM Revision and Database Versions
Objectives
• Describe the purpose of ADOM revisions
• Identify the database version of an ADOM
• Understand how it affects the policy and objects configurations
ADOM Revisions
• Policy & Objects > ADOM Revisions
• Creates a snapshot of all policy and object configurations for the ADOM
• Settings provides access to the auto-deletion setting
• You can lock revisions to prevent auto-deletion
• Warning: ADOM revisions can significantly increase the size of the configuration backup
Version of the ADOM Database
• The ADOM database version determines which FortiOS CLI syntax is valid for the policies and objects in that ADOM, so it should match the firmware version of the managed devices
Moving FortiGate From One ADOM to Another
• Considerations before moving devices:
• Policies and objects don't move to the new ADOM
• If using a shared policy package, it is not moved to the new ADOM
• Unused objects don't move from one ADOM to another
• When FortiGate devices are upgraded, it is best to keep them in the same ADOM and use ADOM upgrade
• After moving the devices:
• Import a policy package
• You can use the CLI to import unused objects if needed:
execute fmpolicy copy-adom-object
Knowledge Check
1. What is the sequence of upgrading an existing ADOM?
A. Upgrade all the devices in the ADOM first and then the ADOM
B. Upgrade the ADOM first and then all the devices in the ADOM
2. Why should the ADOM version match the FortiGate firmware version?
A. To minimize CLI syntax issues between FortiGate and FortiManager
B. To keep the FortiGate licenses up to date
Lesson Progress
Policy and Objects Management
Import and Install Wizards
ADOM Revision and Database Versions
Policy Locking and Workflow Mode
Policy Locking and Workflow Mode
Objectives
• Describe the purpose of, and when to use:
• Policy locking
• Workflow mode
Policy Lock—Workspace Normal Mode
• Allows administrators to lock a single policy package instead of the whole ADOM
• Works in conjunction with workspace-mode normal:
config system global
set workspace-mode normal
end
• Locks only a policy package, not the entire object database
• You can edit the locked policy package in a private workspace
• Multiple administrators can lock and work on separate policy packages at the same time
• The policy lock is released automatically at administrator timeout, or if the session is closed gracefully without unlocking the policy package
(Screenshot: the ADOM remains unlocked while the policy package is locked)
Workflow Mode
• Another global mode that works together with ADOM locking
• Sessions can be created only on the Policy & Objects pane
• Controls the creation, configuration, and installation of firewall policies and objects
• Approval is required before changes can be installed on a device
• Modifications made during a workflow session must be discarded or submitted to the workflow approval administrator at the end of the workflow session
• Rejected sessions can be repaired and resubmitted as new sessions for approval
• The Policy & Objects panes are initially read-only until an ADOM is locked
• Enable workflow mode from the GUI (System Settings > Admin > Workspace) or from the CLI:
config system global
set workspace-mode workflow
end
How to Use Workflow Mode
1. Admin A locks the ADOM and gains read-write access, creates a new session, and changes policies and objects.
2. Admin A submits the request for approval to Admin B, which unlocks the ADOM.
3. Admin B now locks the ADOM and has read-write access. Admin B opens the session list and can approve, reject, or discard the session, or view its diff.
Workflow Permissions
• An administrator must be part of an approval group before they can approve a session
• This applies regardless of which administrator profile the administrator account uses
• The administrator also needs access to the ADOM in which the session was created in order to approve it
• On the GUI, the approval matrix must be configured before workflow sessions are allowed
Creating a New Workflow Session
• To start a session in workflow mode:
• Select and lock the ADOM
• Open the session list on the Policy & Objects pane
• Create a new session
Submitting Workflow Sessions
• Save the session, then submit the changes, or select Submit to automatically save and submit the changes
• Session changes are discarded if the administrator logs out without saving them
• Saved sessions can be worked on at a later time
• The Sessions button has three options:
• View Diff
• Submit
• Discard
• After submitting changes for approval, the ADOM returns to the unlocked state
Approving, Rejecting, or Repairing Workflow Sessions
• To approve a session, the administrator:
• Must have the rights required to approve a session
• Must lock the ADOM in which the changes were made
• Opens the Session List
• Four options for the approval administrator:
• Approve
• Reject
• Discard
• View Diff
• Rejected sessions can be resubmitted with the proposed changes
(Screenshot: the session list shows the administrator, fortinet, who submitted the request)
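The workflow slides from How to Use Workflow Mode through Approving, Rejecting, or Repairing Workflow Sessions describe a small state machine with several invariants that are easy to miss: editing requires the ADOM lock, submitting releases it, approval requires the approver to hold the lock and to be in an approval group with access to the ADOM (an administrator profile alone is not enough), and a rejected session is repaired by submitting a new one. As an added example, not FortiManager code, here is a model that enforces those rules; the class and method names, the approval-group name, the administrator names and the change descriptions are all constructed.

```python
"""Model of the FortiManager workflow-mode lifecycle described on the slides.
Added example, not Fortinet code. Enforces: lock before editing, submit
releases the lock, approval needs the lock plus approval-group membership and
ADOM access, and a rejected session is repaired by submitting a new one.
Administrators, groups and change descriptions are constructed sample data."""
from dataclasses import dataclass, field


class WorkflowError(Exception):
    pass


@dataclass
class Admin:
    name: str
    adoms: set                                   # ADOMs the account may access
    approval_groups: set = field(default_factory=set)


@dataclass
class Session:
    sid: int
    owner: str
    changes: list
    state: str = "saved"    # saved -> submitted -> approved | rejected | discarded


class Adom:
    def __init__(self, name, approval_group):
        self.name = name
        self.approval_group = approval_group     # group allowed to approve here
        self.locked_by = None
        self.sessions = {}
        self.installed = []                      # approved changes, ready to install
        self._next_sid = 1

    def lock(self, admin):
        if self.locked_by not in (None, admin.name):
            raise WorkflowError(f"{self.name} is locked by {self.locked_by}")
        if self.name not in admin.adoms:
            raise WorkflowError(f"{admin.name} has no access to {self.name}")
        self.locked_by = admin.name

    def unlock(self, admin):
        if self.locked_by == admin.name:
            self.locked_by = None

    def new_session(self, admin, changes):
        if self.locked_by != admin.name:
            raise WorkflowError("lock the ADOM before creating a session")
        session = Session(self._next_sid, admin.name, list(changes))
        self._next_sid += 1
        self.sessions[session.sid] = session
        return session

    def submit(self, admin, sid):
        session = self.sessions[sid]
        if session.owner != admin.name or self.locked_by != admin.name:
            raise WorkflowError("only the lock holder who owns the session can submit")
        session.state = "submitted"
        self.locked_by = None                    # submitting for approval unlocks the ADOM
        return session

    def can_approve(self, admin):
        return self.approval_group in admin.approval_groups and self.name in admin.adoms

    def decide(self, admin, sid, decision):
        session = self.sessions[sid]
        if session.state != "submitted":
            raise WorkflowError(f"session {sid} is {session.state}, not awaiting approval")
        if self.locked_by != admin.name:
            raise WorkflowError("the approver must lock the ADOM first")
        if not self.can_approve(admin):
            raise WorkflowError(f"{admin.name} is not in approval group {self.approval_group}")
        if decision == "approve":
            session.state = "approved"
            self.installed.extend(session.changes)
        elif decision in ("reject", "discard"):
            session.state = decision + "ed"
        else:
            raise WorkflowError("decision must be approve, reject or discard")
        return session

    def diff(self, sid):
        return list(self.sessions[sid].changes)
```

A Super_User profile without approval-group membership cannot approve (the `admin_c` case in the test), which matches the permissions slide; and because the rejected session stays rejected, the repair path is a new session with the corrected changes rather than an edit of the old one.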
Locked ADOMs
• If a session is not closed gracefully (PC crash or closed browser window), FortiManager will not close the admin session, and the ADOM stays locked
• The session has to be deleted manually on the GUI (select the previous session and click Delete) or on the CLI, using the session_id to end the previous session:
FMG-VM64 # diagnose sys admin-session list
*** entry 1 ***
session_id: 6671 (seq: 0)
username: admin
admin template: admin
from: GUI(10.0.1.10) (type 1)
profile: Super_User (type 3)
adom: root
session length: 1308 (seconds)
idle: 284 (seconds)
...
FMG-VM64 # diagnose sys admin-session kill 6671
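When an ADOM is stuck because of an ungracefully closed session, the risk in the manual cleanup above is killing the wrong session (your own, or a colleague's live one). As an added example, not a Fortinet tool, here is a parser for the `diagnose sys admin-session list` format shown that picks the sessions worth killing: those idle past a threshold, and older duplicate sessions of the same administrator in the same ADOM, which is what a crashed browser leaves behind once the admin logs in again. The first entry follows the slide; the second is constructed, and the assumption that a higher session_id is the newer session is the example's own.

```python
"""Find stale FortiManager admin sessions that may still hold an ADOM lock.

Added example, not a Fortinet tool. Parses the 'diagnose sys admin-session
list' format shown on the slide and flags sessions to kill: ones idle beyond
a threshold, and superseded sessions of the same administrator in the same
ADOM. The second entry is constructed for illustration."""
import re

SAMPLE_LISTING = """*** entry 1 ***
session_id: 6671 (seq: 0)
username: admin
admin template: admin
from: GUI(10.0.1.10) (type 1)
profile: Super_User (type 3)
adom: root
session length: 1308 (seconds)
idle: 284 (seconds)

*** entry 2 ***
session_id: 6690 (seq: 0)
username: admin
admin template: admin
from: GUI(10.0.1.10) (type 1)
profile: Super_User (type 3)
adom: root
session length: 41 (seconds)
idle: 3 (seconds)
"""

ENTRY_RE = re.compile(r"^\*\*\* entry \d+ \*\*\*$")
FIELD_RE = re.compile(r"^(?P<key>[\w ]+?):\s*(?P<value>.*)$")
INT_RE = re.compile(r"^(\d+)")


def parse_sessions(text):
    """One dict per entry; session_id, idle and session length become integers."""
    sessions, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if ENTRY_RE.match(line):
            current = {}
            sessions.append(current)
            continue
        m = FIELD_RE.match(line)
        if current is None or not m:
            continue
        key, value = m.group("key"), m.group("value")
        if key in ("session_id", "idle", "session length"):
            value = int(INT_RE.match(value).group(1))   # drop '(seq: 0)' / '(seconds)'
        current[key] = value
    return sessions


def stale_sessions(sessions, my_session_id, idle_threshold=900):
    """(session_id, username, adom, reason) for sessions worth killing.
    The caller's own session is never included. Assumption: within one
    (username, adom) pair the highest session_id is the live login."""
    newest = {}
    for s in sessions:
        key = (s["username"], s["adom"])
        if key not in newest or s["session_id"] > newest[key]["session_id"]:
            newest[key] = s
    victims = []
    for s in sessions:
        if s["session_id"] == my_session_id:
            continue
        live = newest[(s["username"], s["adom"])]
        reason = None
        if s["idle"] >= idle_threshold:
            reason = f"idle {s['idle']}s"
        elif live is not s:
            reason = f"superseded by session {live['session_id']}"
        if reason:
            victims.append((s["session_id"], s["username"], s["adom"], reason))
    return victims


def kill_commands(victims):
    """CLI lines to paste, one per stale session."""
    return [f"diagnose sys admin-session kill {sid}" for sid, _, _, _ in victims]


if __name__ == "__main__":
    found = parse_sessions(SAMPLE_LISTING)
    for cmd in kill_commands(stale_sessions(found, my_session_id=6690)):
        print(cmd)
```

Run from the new login (session 6690 in the sample), the script proposes killing only 6671, the session the crashed browser left behind; run from 6671 it proposes nothing, because the other session is both newer and active.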
Knowledge Check
1. Which of the following statements is true regarding workflow mode?
A. Workflow sessions that are rejected can be repaired and resubmitted for approval as new
sessions.
B. Workflow sessions can be created by locking an individual policy package.
2. What is the main benefit of the policy locking feature?
A. It allows locking a single policy package instead of the whole ADOM.
B. It allows locking multiple firewall policies in a policy package.
Lesson Progress
Policy and Objects Management
Import and Install Wizards
ADOM Revision and Database Versions
Policy Locking and Workflow Mode
Review
✓ Configuring firewall policies and objects
✓ Installation targets
✓ Dynamic objects
✓ Interface and zone mappings
✓ Importing firewall policies and objects
✓ Understand ADOM revisions
✓ Differences between the Install and Re-install wizards
✓ Policy check