This is the second installment of the three part series about using the FortiManager to manage the firewall policy of FortiGates. Review the first article about dynamic interfaces as a precursor to this one.
Dynamic Firewall Objects
Dynamic firewall objects have a specific use case: they let you reference the same logical object on multiple firewalls even though each firewall has site-specific settings. As with Dynamic Interfaces, the FortiManager substitutes the value for that specific firewall at “apply time” for a policy. While this is most commonly used for addresses, it can also be leveraged for NAT objects, authentication objects and much more.
Dynamic Addresses
Dynamic addresses are the most commonly used dynamic firewall object. This is because distributed firewalls typically use the same logical name for the network behind an interface, while each firewall has a unique address range for that network.
For example, in the screenshot below, each firewall has an object called “n-inside”.

Site 1 has an address of 192.168.10.0/24, Site 2 has an address of 192.168.20.0/24 and Site 3 has an address of 192.168.30.0/24. Without dynamic address objects, the FortiGate administrator would need to maintain three separate policies. However, since dynamic objects can be created on the FortiManager, n-inside can be defined as a logical reference whose value is replaced with the device-specific network address at apply time.
Creating Dynamic Address Object
To create a dynamic address object, follow the procedure below:
1. In the FortiManager, log in as an administrative user

2. Click on “Policy & Objects”

3. Click on “Object Configurations”

4. Click “Firewall Objects | Addresses”

5. Click “Create New | Address”

6. Set Address name to “n-inside” | Set IP/netmask to “0.1.1.1/255.255.255.255” | Click “OK”
The reason for setting the IP/Netmask to an intentionally invalid value is so that you can easily audit the firewalls for any device on which the per-device mapping has not been set: a firewall that still carries 0.1.1.1/255.255.255.255 is one that received the default rather than a mapping.

7. Observe the newly created address object
Please note: The FortiManager has an indicator of whether or not the address object has “per-device mapping” assigned within the object.

Create Site-1 Dynamic Address Object
1. In the FortiManager, log in as an administrative user

2. Click on “Policy & Objects”

3. Click on “Object Configurations”

4. Click “Firewall Objects | Addresses”

5. Click the “n-inside” object | Click “Edit”

6. Toggle on “Per-Device Mapping” | Click “Create New”

7. Select “site-1” from the drop-down in the Mapped Device field | Set the applicable IP/Netmask (192.168.10.0/255.255.255.0) | Click “OK”

8. Observe the new entry for the per-device mapping | Click “OK”

9. Observe the n-inside address
Please note: The icon of the n-inside object has changed to indicate it is now a dynamic object and a per-device mapping has been set within the object.

Create Site-2 Dynamic Address Object
1. In the FortiManager, log in as an administrative user

2. Click on “Policy & Objects”

3. Click on “Object Configurations”

4. Click “Firewall Objects | Addresses”

5. Click the “n-inside” object | Click “Edit”

6. Click “Create New”

7. Select “site-2” from the drop-down in the Mapped Device field | Set the applicable IP/Netmask (192.168.20.0/255.255.255.0) | Click “OK”

8. Observe the new entry for the per-device mapping | Click “OK”

9. Observe the n-inside address
Please note: The icon of the n-inside object has changed to indicate it is now a dynamic object and a per-device mapping has been set within the object.
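The apply-time substitution and the audit for missing mappings described above, as an added example that is not part of the original article: the object model, device names and the missing site-3 mapping are constructed, and the rendered CLI text mirrors the FortiOS config firewall address block.

```python
import ipaddress

# Intentionally invalid default used in step 6 so unmapped devices stand out.
UNMAPPED_SENTINEL = ipaddress.ip_network("0.1.1.1/255.255.255.255")


class DynamicAddress:
    """Constructed model of a FortiManager address object with per-device mappings."""

    def __init__(self, name, default):
        self.name = name
        self.default = ipaddress.ip_network(default)
        self.mappings = {}  # device name -> network for that device

    def map_device(self, device, subnet):
        """Equivalent of adding a per-device mapping entry in the GUI."""
        self.mappings[device] = ipaddress.ip_network(subnet)

    def resolve(self, device):
        """Value substituted at apply time: the mapping if present, else the default."""
        return self.mappings.get(device, self.default)

    def render_cli(self, device):
        """FortiOS-style CLI the device ends up with after the policy is installed."""
        net = self.resolve(device)
        return (
            "config firewall address\n"
            f'    edit "{self.name}"\n'
            f"        set subnet {net.network_address} {net.netmask}\n"
            "    next\n"
            "end"
        )


def audit_unmapped(obj, devices):
    """Devices that would receive the sentinel, i.e. whose per-device mapping is missing."""
    return [d for d in devices if obj.resolve(d) == UNMAPPED_SENTINEL]


def build_example():
    """n-inside as created above: mapped for site-1 and site-2, not yet for site-3."""
    n_inside = DynamicAddress("n-inside", "0.1.1.1/255.255.255.255")
    n_inside.map_device("site-1", "192.168.10.0/255.255.255.0")
    n_inside.map_device("site-2", "192.168.20.0/255.255.255.0")
    return n_inside


if __name__ == "__main__":
    obj = build_example()
    for device in ("site-1", "site-2", "site-3"):
        print(device, "->", obj.resolve(device))
    print("missing mapping:", audit_unmapped(obj, ["site-1", "site-2", "site-3"]))
```

Running it shows site-3 resolving to the sentinel, which is exactly the condition the audit in step 6 is designed to catch before a policy is installed with a meaningless address.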

Other Dynamic Objects
Although dynamic address objects are the most popular type of dynamic object within the FortiManager, there are many other firewall objects that support per-device mapping.
Address Group
The dynamic address group allows you to set per-device mapping members in a group based on the specific firewall they are being applied to.

Virtual IPs
The dynamic Virtual IP allows you to set all destination NAT settings pertaining to the virtual IP on a per-device mapping.

IP Pool
The IP pool allows you to set all source NAT settings pertaining to the IP Pool on a per-device mapping.

Virtual Server
The Virtual Server allows you to set all load-balancing settings pertaining to the Virtual Server on a per-device mapping.

Fortinet Single Sign-On Agent
The Fortinet Single Sign-On Agent object allows you to set all Fortinet Single Sign-On parameters on a per-device mapping.

Authentication Servers
LDAP, RADIUS, and TACACS+ servers all support setting their individual settings on a per-device mapping.

Local Certificate
Local certificates allow you to set a certificate specific to a FortiGate firewall on a per-device mapping.

This concludes the second article on using the FortiManager's dynamic firewall objects to simplify the management of firewall policy on the FortiGate. Please review the final installment, which brings together all of the components necessary to leverage the FortiManager to its full potential in managing FortiGate firewall policy.
I hope this helps!