Using FortiManager to Manage FortiGate Firewall Policies – Part 1 – Dynamic Interfaces

This is the beginning of a three part series to explain how to use the FortiManager to manage firewall policies on the FortiGate.

FortiManager gets a bad rap from many of its users. Sure, it has its fair share of shortcomings, but once you understand the design principles behind it, it does its job quite well. The key to having it perform as expected is using it the way it was intended to be used. As with most products, if you stray from that, your mileage may vary.

The value of FortiManager is clearly evident in a distributed firewall environment where FortiGates are deployed at multiple sites within your enterprise. Typically, the firewalls at these sites should have similar security policies so that a consistent posture is enforced across the environment. This article explains how to use FortiManager to manage the firewall policies on multiple FortiGate firewalls. Using it in this manner should increase operational efficiency when managing FortiGates.

Overview

FortiManager is a management platform that manages all aspects of the FortiGate firewalls. It is intended to serve as a centralized repository of the configurations and policies that are used to instruct the FortiGate on how to implement its network and security enforcement. Its placement allows for fundamental management of FortiGate functions such as firmware upgrades, installing firewall policies and much more.

Figure. – Screenshot of a typical FortiManager/FortiGate Topology

While FortiManager can manage a myriad of FortiGate features, it has a stand-out capability when managing the firewall policy. The key to this is its centralized database, which allows objects to be re-used among FortiGates that share common settings. In addition, it allows those settings to be replicated across multiple FortiGates in parallel, which expedites policy updates over the fleet of firewalls.

To manage the firewall policies, the FortiManager has a section dedicated to objects and policies.

Figure. – Screenshot of the policy and objects header in FortiManager

Objects

Objects are the components that are combined to create policies in FortiManager. These consist of addresses, services, intrusion prevention profiles, etc. These pieces are typically specific to the firewall they are applied to. For example, an address object called “n-inside” can be used to define the network that is behind the firewall.

Figure. – Screenshot of “n-inside” address object in FortiManager

These objects combined are used to describe how to enforce the security in the form of a policy.

Policies

Policies are a collection of rules composed of objects. These are the fundamental instruments used to effect security enforcement on network traffic flowing through the FortiGate. For example, if you were to create an IPv4 firewall rule, you would combine the following objects:

  • Interface
  • Address
  • Service
  • Schedule

Figure. – Screenshot of objects within firewall policy in FortiManager

It is common to see the same type of policies used across multiple firewalls to ensure consistent security enforcement across an organization. For example, if you were the administrator of a health care organization with multiple doctor’s offices, each of those offices may need access to the same resource (such as a centralized healthcare database at the organization’s headquarters).

Figure. – Screenshot of the distributed site topology

However, the devices at each doctor’s office will have IP addresses that are unique to that site. Without dynamic objects, you would need a separate policy for each FortiGate that references the IP address specific to that site. With three sites, that equates to three separate policies that differ only in the objects they reference, even though the rules are the same. Luckily, FortiManager has dynamic objects that let you simplify this so that one policy can serve different firewalls.

Dynamic Objects

Dynamic objects are one of the most powerful tools of the FortiManager. In their simplest form, they are logical objects that can be used to substitute values specific to a firewall at “apply time” of the firewall policy. There are a few types of dynamic objects supported on the FortiManager. The most common types are:

  • Dynamic Interfaces
  • Dynamic Firewall Objects

Dynamic Interfaces

Dynamic interfaces have a specific use case that allows you to leverage the same policy over different FortiGate platforms. For example, let’s say you have two doctor’s offices, site 1 with a 100 Mbps connection and site 2 with a 500 Mbps connection. Based on these speeds, you install a FortiGate 60E-POE at site 1 and a FortiGate 300E at site 2.

Figure. – Screenshot of the port layout on a FortiGate 60E-POE
Figure. – Screenshot of the port layout on a FortiGate 300E

At site 1, you use the WAN1 port on the FortiGate 60E-POE to connect to the Internet. At site 2, you use port1 on the FortiGate 300E (since it does not have a WAN1 port) to connect to the Internet. Without dynamic objects, you could not share the same firewall policy across these two devices, because the FortiGate uses the interface name as part of the policy definition.

There is likely a workaround for this using zones on the firewall; zones have shortcomings of their own, however, which are beyond the scope of this article.

Through the use of dynamic objects, you can create a “logical” interface that maps each device-specific interface to a common name. You then use that logical interface (instead of the device-specific interface) within the firewall rule definition, and FortiManager substitutes the correct value for each device at the “apply time” of the policy.

Creating Dynamic Interfaces

The dynamic interfaces are created in the FortiManager. In this case, you can create an interface called “outside” which will be referenced as the interface that is used to connect the firewalls to the Internet. The procedure to accomplish this is as follows:

1. In the FortiManager, log in as an administrative user

Figure. – Screenshot of the FortiManager logon screen

2. Click on “Policy & Objects”

Figure. – Screenshot of the Policy & Objects selection in FortiManager

3. Click on “Object Configurations”

Figure. – Screenshot of the FortiManager navigation panel

4. Click on “Zone/Interface | Interface”

Figure. – Screenshot of the FortiManager navigation panel

5. Click “Create New | Dynamic Interface”

Figure. – Screenshot of the dynamic interface creation

6. Fill in the name with the value “outside” | Click “OK”

Figure. – Screenshot of the dynamic interface dialog creation

Assigning Dynamic Interface

Please note, since I do not have access to a FortiGate 60E-POE and FortiGate 300E, I will be using virtual FortiGates to simulate this functionality. In this case, the site-1 FortiGate will use port3 for its Internet connectivity and the site-2 FortiGate will use port4.

Once the dynamic interface has been created, it can be assigned to the FortiGates. To accomplish this, follow the procedure below:

Site-1 FortiGate

1. In the FortiManager, log in as an administrative user

Figure. – Screenshot of the FortiManager logon screen

2. Click on “Policy & Objects”

Figure. – Screenshot of the Policy & Objects selection in FortiManager

3. Click on “Object Configurations”

Figure. – Screenshot of the FortiManager navigation panel

4. Click on “Zone/Interface | Interface”

Figure. – Screenshot of the FortiManager navigation panel

5. Click the “outside” interface | Click “Edit”

Figure. – Screenshot of the dynamic objects section in FortiManager

6. Toggle on “Per-Device Mapping” | Click “Create New”

Figure. – Screenshot of Dynamic Interface dialog

7. In the “Per-Device Mapping” dialog box, Select “site-1” (or your FortiGate) from the “Mapped Device” drop-down | Select “port3” (or your FortiGate’s physical interface) from the “Device Interface” drop-down | Click “OK”

Figure. – Screenshot of per-device mapping dialog

8. Click “OK” to confirm the settings

Figure. – Screenshot of the dynamic interface dialog

Site-2 FortiGate

1. In the FortiManager, log in as an administrative user

Figure. – Screenshot of the FortiManager logon screen

2. Click on “Policy & Objects”

Figure. – Screenshot of the Policy & Objects selection in FortiManager

3. Click on “Object Configurations”

Figure. – Screenshot of the FortiManager navigation panel

4. Click on “Zone/Interface | Interface”

Figure. – Screenshot of the FortiManager navigation panel

5. Click the “outside” interface | Click “Edit”

Figure. – Screenshot of the dynamic objects section in FortiManager

6. Toggle on “Per-Device Mapping” | Click “Create New”

Figure. – Screenshot of Dynamic Interface dialog

7. In the “Per-Device Mapping” dialog box, Select “site-2” (or your FortiGate) from the “Mapped Device” drop-down | Select “port4” (or your FortiGate’s physical interface) from the “Device Interface” drop-down | Click “OK”

Figure. – Screenshot of per-device mapping dialog

8. Click “OK” to confirm the settings

Figure. – Screenshot of Dynamic Interface dialog
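The two procedures above (creating the “outside” dynamic interface and assigning it a per-device mapping), together with the install-time substitution described under Dynamic Interfaces, as an added example in Python. This is not code from the original article or from Fortinet; it builds the equivalent FortiManager JSON-RPC requests, models the substitution FortiManager performs when the policy is installed, and adds the pre-install check a practitioner wants: every install target must have a mapping, or the install fails. Assumed, and to be verified against your FortiManager version: the ADOM name “root”, the hostname fmg.example.net, and the object field names (single-intf, dynamic_mapping, _scope, local-intf), which follow the JSON-RPC schema of recent FortiManager releases.

```python
"""Dynamic interface "outside" via the FortiManager JSON-RPC API (added example).

Assumptions (not from the article): ADOM "root", host fmg.example.net,
and the field names single-intf / dynamic_mapping / _scope / local-intf,
which should be checked against your FortiManager release.
"""
import json
import ssl
import urllib.request

FMG_URL = "https://fmg.example.net/jsonrpc"  # assumption: hostname
ADOM = "root"                                 # assumption: ADOM name


def login_request(user, password, req_id=1):
    """JSON-RPC body that opens a session; the reply carries a 'session' token."""
    return {
        "id": req_id,
        "method": "exec",
        "params": [{"url": "/sys/login/user",
                    "data": {"user": user, "passwd": password}}],
    }


def dynamic_interface_request(session, name, mappings, req_id=2):
    """Create logical interface `name` with one per-device mapping per
    (device, vdom) -> physical interface, mirroring the GUI steps."""
    return {
        "id": req_id,
        "session": session,
        "method": "add",
        "params": [{
            "url": f"/pm/config/adom/{ADOM}/obj/dynamic/interface",
            "data": {
                "name": name,
                "single-intf": "enable",
                "dynamic_mapping": [
                    {"_scope": [{"name": dev, "vdom": vdom}],
                     "local-intf": [intf]}
                    for (dev, vdom), intf in mappings.items()
                ],
            },
        }],
    }


def resolve(mappings, device, vdom="root"):
    """Model of the install-time substitution: the logical name becomes the
    physical interface mapped for this device.  A device without a mapping
    is exactly the case that makes a policy install fail, so raise."""
    try:
        return mappings[(device, vdom)]
    except KeyError:
        raise LookupError(f"no mapping for {device}/{vdom}") from None


def missing_mappings(mappings, install_targets, vdom="root"):
    """Pre-install check: list every install target that lacks a mapping."""
    return [d for d in install_targets if (d, vdom) not in mappings]


def call(body, verify_tls=True):
    """Send one JSON-RPC body to FortiManager (network; not run offline).
    Keep TLS verification on; disable only against a lab box."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(
        FMG_URL, data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


# Constructed sample matching the article's lab: site-1 uses port3, site-2 port4.
OUTSIDE = {("site-1", "root"): "port3", ("site-2", "root"): "port4"}

if __name__ == "__main__":
    print(json.dumps(dynamic_interface_request("<session>", "outside", OUTSIDE),
                     indent=2))
    print(resolve(OUTSIDE, "site-1"), resolve(OUTSIDE, "site-2"))
    print(missing_mappings(OUTSIDE, ["site-1", "site-2", "site-3"]))
```

To run it for real, send `login_request(...)` with `call()`, take `session` from the reply, and pass it to `dynamic_interface_request(...)`. Use a dedicated API administrator with a profile scoped to the ADOM rather than the built-in admin, and run `missing_mappings()` over the policy package's install targets before every install; a target that appears in the list is one the install will reject.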

After completing the steps above, the dynamic interface called “outside” can be referenced in the policies defined within FortiManager, and at install time FortiManager substitutes port3 on the site-1 FortiGate and port4 on the site-2 FortiGate. This should explain the benefits of leveraging the dynamic interface functionality within FortiManager. The next article in this series will focus on the use of dynamic firewall objects in FortiManager.

I hope this helps. Please leave any questions or thoughts in the comments section below.
