FortiManager 05 Policy
FortiManager 6.4
© Copyright Fortinet Inc. All rights reserved. Last Modified: 5 April 2023
Lesson Overview
Policy Workflow
(Diagram: the ADOM layer, with ADOM 1 and ADOM 2 each holding their own objects)
Object Configurations
• ADOM > Policy & Objects > Object Configuration
• Firewall policies in policy packages refer to objects defined in the ADOM database
Display Options
• Policy & Objects > Display Options
• You can customize display options to view or hide available tabs on the Policy & Objects pane on FortiManager
Policy Folders
• Manage and organize your policy packages
• Allows nesting of policy folders
Creating and Modifying Firewall Policies
• In Policy & Objects > Policy Packages, select Firewall Policy
• Right-click the Seq# of an existing policy; you can:
  • Create a new policy
  • Insert above or below an existing policy
  • Clone, cut, copy, and paste
  • Move a policy up or down
  • Enable and disable a policy
  • Delete a policy
Adding and Removing Objects
• Click a column in the policy to add or remove objects
• Objects already used in the policy are highlighted in yellow
Policy Search and Filter
• Use the search field to search or filter policies for matching rules or objects
• Three types:
  • Simple search (default)
  • Column filter
  • Find and Replace
(Screenshots: simple search highlights the searched string; column filter search can add multiple filters)
Installation Target
• Policy Package > Installation Targets
• Target one or more devices or VDOMs previously assigned
• The Install wizard provides a warning message with the name of the policy package previously assigned
Installation Target—Per Policy
• Per-rule installation targets allow per-device exceptions for a shared policy package
• The Install On column allows you to target devices to add, remove, or set to defaults
(Screenshots: the Install On column shows one policy targeting all devices and one targeting individual devices; click the Install On column to select devices)
Dynamic Objects
• Configure dynamic object mappings at the device level
Interface Mapping
• Defines mapping rules for interfaces
• Interfaces are mapped per-device and/or per-platform
• When the normalized interface is used in a policy, the per-device mappings have higher priority than per-platform mappings
Example: Firewall Policy
• Policy view of Interface and Zone on FortiManager
Find Unused Objects
• A built-in GUI tool can help administrators identify unused firewall objects
• The Find Unused Objects tool displays all the firewall objects that are currently unused
  • Example: address, service, virtual IP, IP pool, and so on
• Delete unused objects directly in the Unused Objects pop-up window
Duplicate Objects
• The Find Duplicate Objects tool can help you locate duplicate firewall objects
• You can merge duplicate objects
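The two clean-up tools above (Find Unused Objects and Find Duplicate Objects) both work from the same data: the ADOM object database and the policies that reference it. As an added example, not FortiManager code, this reproduces both checks over a constructed address table and policy package, and shows which policies a Merge of the duplicates would rewrite.

```python
# Added example (not FortiManager code): report unused and duplicate address
# objects in a constructed ADOM object database and policy package.
from collections import defaultdict

# Constructed sample ADOM address objects: name -> (type, value)
ADDRESSES = {
    "LAN_10.0.1.0": ("subnet", "10.0.1.0/24"),
    "Branch_LAN":   ("subnet", "10.0.1.0/24"),   # same definition, other name
    "DMZ_Web":      ("subnet", "10.0.2.0/24"),
    "Old_Server":   ("ipmask", "192.0.2.10/32"), # referenced by no policy
    "Partner_FQDN": ("fqdn",   "partner.example.com"),
}

# Constructed sample policy package ("all" is a built-in, not in the ADOM DB)
POLICIES = [
    {"seq": 1, "srcaddr": ["LAN_10.0.1.0"], "dstaddr": ["DMZ_Web"]},
    {"seq": 2, "srcaddr": ["Branch_LAN"],   "dstaddr": ["Partner_FQDN"]},
    {"seq": 3, "srcaddr": ["all"],          "dstaddr": ["DMZ_Web"]},
]

def referenced_objects(policies):
    """Names used in any srcaddr/dstaddr field of the package."""
    used = set()
    for pol in policies:
        used.update(pol["srcaddr"])
        used.update(pol["dstaddr"])
    return used

def find_unused(addresses, policies):
    """Objects in the ADOM database that no policy references (Find Unused Objects)."""
    return sorted(set(addresses) - referenced_objects(policies))

def find_duplicates(addresses):
    """Group names whose (type, value) definition is identical (Find Duplicate Objects)."""
    by_def = defaultdict(list)
    for name, definition in addresses.items():
        by_def[definition].append(name)
    return {d: sorted(n) for d, n in by_def.items() if len(n) > 1}

def merge_plan(addresses, policies):
    """Map each duplicate to the first name in its group and list the policies a Merge touches."""
    plan = {}
    for names in find_duplicates(addresses).values():
        keep, *drop = names
        for d in drop:
            plan[d] = keep
    touched = sorted(p["seq"] for p in policies
                     if any(n in plan for n in p["srcaddr"] + p["dstaddr"]))
    return plan, touched
```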
Policy Check
• Looks for consistency and conflicts in the policy package
• Helps you to optimize firewall rules to potentially reduce the size of the policy package database
Cloning an Existing Policy Package
• The clone initially has the same installation target as the original
• You can modify the installation target later
Warning: You should not point more than one policy package at a target because that increases the chance of user error
Knowledge Check
1. What is the purpose of dynamic objects?
A. To merge duplicate objects automatically
B. To map a single logical object to a unique definition per device
Lesson Progress
(Diagram: Device Manager, Policy & Objects, Install, ADOM-level DB, Import Policy, Retrieve, Auto Update)
Policy Package Status
Import Policy Wizard
• Device Manager > Managed Devices
• Select the FortiGate device, and then click Import Policy
• Creates a new policy package, or can override an existing one, and imports objects
• Imported objects are added to the ADOM object database
(Screenshot: the interface mapping step of the wizard)
Import Policy Wizard—Summary
• Imports objects into the ADOM database, and policies into the policy package
(Screenshots: two ways to launch the Install Wizard in Device Manager; when the policy package configuration has been changed, click Install to apply the changes to the remote device)
Install Wizard—What to Install
• Install Policy Package & Device Settings allows administrators to install the policy package and device settings changes
• The Install Wizard also provides the options to:
  • Create a configuration revision
  • Schedule the push to the remote device
Install Wizard—Validation
• Verifies the policy and device settings that will be installed and prepares a preview
• Indicates which device(s) the changes were installed on and the installation status
(Screenshot: the validation preview, including the deletion of unused objects)
Re-Install
• Same as the Install Wizard without prompts, but provides an option to preview the installation
• Available on the Policy & Objects pane
Knowledge Check
1. What does a policy package status of Unknown indicate?
A. FortiManager is unable to determine the policy package status.
B. The policy package was never installed from FortiManager.
Lesson Progress
Version of the ADOM Database
• Database version refers to valid syntax for that FortiOS version
Moving FortiGate From One ADOM to Another
• Considerations before moving devices:
  • Policies and objects don't move to the new ADOM
  • If using a shared policy package, it is not moved to the new ADOM
  • Unused objects don't move from one ADOM to another
• When FortiGate devices are upgraded, it is best to keep them in the same ADOM and use ADOM upgrade
Knowledge Check
1. What is the sequence of upgrading an existing ADOM?
A. Upgrade all the devices in the ADOM first and then the ADOM
B. Upgrade the ADOM first and then all the devices in the ADOM
2. Why should the ADOM version match the FortiGate firmware version?
A. To minimize CLI syntax issues between FortiGate and FortiManager
B. To keep the FortiGate licenses up to date
Lesson Progress
Workflow Mode
• Sessions can be created only on the Policy & Objects pane
• Another global mode that works together with ADOM locking
• Controls the creation, configuration, and installation of firewall policies and objects
• Approval is required before changes can be installed on a device
• Modifications made during a workflow session must be discarded or submitted to the workflow approval administrator at the end of the workflow session
• Rejected sessions can be repaired and resubmitted as new sessions for approval
• These panes are initially read-only until an ADOM is locked
(Screenshots: enable workflow mode from the CLI or GUI)
How to Use Workflow Mode
(Diagram: Admin A and Admin B working on the same ADOM)
1. Lock (read/write): Admin A locks the ADOM and gains read-write access, creates a new session, and changes policy and objects.
2. Submit (unlocks ADOM): Admin A changes the configuration and submits a request for approval to Admin B, which unlocks the ADOM.
Workflow Permissions
• An administrator must be part of an approval group before they can approve a session
  • Regardless of which administrator profile the administrator account is part of
  • The administrator will also need to have access to the ADOM in which the session was created in order to approve it
• On the GUI, the approval matrix must be configured before workflow sessions are allowed
Creating a New Workflow Session
• To start a session in workflow mode:
  • Select and lock the ADOM
  • Open the session list on the Policy & Objects pane
  • Create a new session
Submitting Workflow Sessions
• Save the session, then submit changes, or select Submit to automatically save and submit changes
• Session changes are discarded if the administrator logs out without saving them
• Saved sessions can be worked on at a later time
• The Sessions button has three options:
  • View Diff
  • Submit
  • Discard
• You can view a session diff
• After submitting changes for approval, the ADOM returns to the unlocked state
Approving, Rejecting, or Repairing Workflow Sessions
• To approve a session:
  • The administrator must have the appropriate rights required to approve a session
  • Must lock the ADOM in which the changes were made
  • Open the Session List
• Four options for the approval administrator:
  • Approve
  • Reject
  • Discard
  • View Diff
• Rejected sessions can be resubmitted with proposed changes
(Screenshot: the session list shows the administrator who submitted the request)
Locked ADOMs
• If a session is not closed gracefully (PC crash or closed browser window), FortiManager will not close the admin session
• The session will have to be deleted manually on the GUI or CLI
• CLI: list the admin sessions, then use the session_id to end the previous session:
FMG-VM64 # diagnose sys admin-session list
*** entry 1 ***
session_id: 6671 (seq: 0)
username: admin
admin template: admin
from: GUI(10.0.1.10) (type 1)
profile: Super_User (type 3)
adom: root
session length: 1308 (seconds)
idle: 284 (seconds)
...
FMG-VM64 # diagnose sys admin-session kill 6671
• GUI: select the previous session and click Delete
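Finding the leftover session by eye is easy with one entry, but the listing grows with every admin logged in. As an added example, not FortiManager code, this parses the text format of diagnose sys admin-session list shown above (the first entry is the one on the slide, the second is constructed) and picks the session of a given admin on a given ADOM that has been idle longer than a threshold, then builds the matching kill command; the idle threshold is an assumed operator choice.

```python
# Added example (not FortiManager code): parse "diagnose sys admin-session list"
# output (format as shown above; second entry constructed) and pick stale sessions.
import re

SAMPLE_OUTPUT = """\
*** entry 1 ***
session_id: 6671 (seq: 0)
username: admin
admin template: admin
from: GUI(10.0.1.10) (type 1)
profile: Super_User (type 3)
adom: root
session length: 1308 (seconds)
idle: 284 (seconds)
*** entry 2 ***
session_id: 6690 (seq: 0)
username: admin
admin template: admin
from: GUI(10.0.1.10) (type 1)
profile: Super_User (type 3)
adom: root
session length: 95 (seconds)
idle: 12 (seconds)
"""
ENTRY_RE = re.compile(r"^\*\*\* entry \d+ \*\*\*$", re.M)

def parse_sessions(text):
    """Split the listing into one dict per entry; numeric fields become ints."""
    sessions = []
    for chunk in ENTRY_RE.split(text)[1:]:
        entry = {}
        for line in chunk.strip().splitlines():
            key, _, value = line.partition(":")
            # keep the leading number of "6671 (seq: 0)" / "284 (seconds)", else the text
            m = re.match(r"\s*(\d+)", value)
            entry[key.strip()] = int(m.group(1)) if m else value.strip()
        sessions.append(entry)
    return sessions

def stale_sessions(text, username, adom, idle_threshold):
    """This admin's sessions on the ADOM idle past the threshold (the leftover lock holder)."""
    return [s for s in parse_sessions(text)
            if s["username"] == username and s["adom"] == adom
            and s["idle"] > idle_threshold]

def kill_commands(text, username, adom, idle_threshold=600):
    """CLI lines an operator would run on FortiManager, one per stale session."""
    return [f"diagnose sys admin-session kill {s['session_id']}"
            for s in stale_sessions(text, username, adom, idle_threshold)]
```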
Knowledge Check
1. Which of the following statements is true regarding workflow mode?
A. Workflow sessions that are rejected can be repaired and resubmitted for approval as new
sessions.
B. Workflow sessions can be created by locking an individual policy package.
Lesson Progress