aagrafi
Contributor II

Maintaining a common policy package

Hello,

Can we combine two (or more) policy packages in the same FG or group of FGs with FMG? My ultimate goal is to have the following functionality in the FMG, regarding the security policy management:

a. Have a common policy package for a group of FGs on my network and

b. Selectively add firewall policy lines to some FGs in the group.

 

I remember in FMG 5.2 that we could do that by using different device-targets per firewall policy line, but I don't see this in 5.6.

 

I hope I was clear in explaining my requirement. I consider this requirement very important for FMG, because otherwise we are forced to use different policy package per FG device.

 

Thanks

Andreas

 

neonbit
Valued Contributor

You can still select which policies get installed on which FortiGates using 5.6. By default the column is not shown; to show it, select Column Settings > Install On.

 

Once done you can see another column added where the default value is 'Installation Targets'.

 

You can now select which policies get installed on which FGTs. I'd recommend creating sections in your policies for easier management if possible. A section like 'Policies for all firewalls', 'FGT1 policies', 'FGT2 policies', etc.

 


jsanders
New Contributor

We use ADOMs and Header Policies for this. However, we've been discouraged more than once from using Global Objects and header/footer policies, as FTNT doesn't prefer us to use those. Rumor has it b/c Global elements add so much complexity during upgrades and migrations. Could be total hearsay.

 

Would be very nice if there was a "device-targets" column or something like that.

chall_FTNT

jsanders wrote:

we've been discouraged more than once from using Global Objects and header/footer policies as FTNT doesn't prefer us use those. Rumor has it b/c Global elements add so much complexity during upgrades and migrations.

Jsanders, I am sorry that you received that impression from Fortinet. On behalf of the TAC, I can say that we have no hesitation in the use of global policy packages.

 

Special Case Scenario:

Complications with global policy package assign/unassign can arise if global objects are subsequently used in ADOM-level policies, but we are investigating the possibility of giving the global level full visibility into global object use across all ADOMs. But if you do not use global objects when building policies at the ADOM level, you won't run into that complication.

 

Andreas,

We don't have any automated way of combining policy packages. But you can copy & paste policies from one policy package to another in order to manually build a merged policy package.

Chris Hall
Fortinet Technical Support

aagrafi

Thanks neonbit, I think this answers my question.

jsanders

chall - I should clarify as I've given the wrong impression. We were never discouraged from using Global Objects and/or Policies, but discouraged from using Global Objects at the ADOM level in Local Policy Packages. This was a commonplace usage in our previous firewall solution, so not having that full capability was something we needed to adjust to. I apologize for the confusion.

 

Also, this is AWESOME to know that there is an Install On column. We had no idea that column existed! This is great news. Thanks everyone!

chall_FTNT

> discouraged from using Global Objects at the ADOM level in Local Policy Packages.

 

My point is that I am not sure you should have been discouraged. However, it is important to be aware that complications can arise if those objects are at some later time deleted from the global level.

Chris Hall
Fortinet Technical Support