Using FortiManager to Manage FortiGate Firewall Policies – Part 2 – Dynamic Objects

This is the second installment of the three part series about using the FortiManager to manage the firewall policy of FortiGates. Review the first article about dynamic interfaces as a precursor to this one.

Dynamic Firewall Objects

Dynamic firewall objects have a specific use case that allows you to leverage the same logical object on multiple firewalls although each firewall may have site-specific settings. As similar with Dynamic Interfaces, the FortiManager will substitute a value for that specific firewall at “apply time” for a policy. While this is most commonly used for addresses, it can also be leveraged for NAT objects, authentication objects and much more.

Dynamic Addresses

Dynamic addresses are the most commonly used dynamic firewall object. The reason for this is due to the nature of distributed firewalls typically having the same logical name for a network behind its interface, but has unique addresses for that network.

For example, in the screenshot below, each firewall has an object called “n-inside”.

Figure. – Screenshot of distributed firewall topology

Site 1 has an address of 192.168.10.0/24, Site 2 has an address of 192.168.20.0/24 and Site 3 has an address of 192.168.30.0/24. Without the use of dynamic address objects, the FortiGate administrator would need to maintain three separate policies. However, since dynamic objects can be created on the FortiManager, the n-inside can be defined as a logical reference that will have the device specific network address substituted for the value at apply time.

Creating Dynamic Address Object

To create a dynamic address object, follow the procedure below:

1. In the FortiManager, log in as an administrative user

Figure. – Screenshot of the FortiManager logon screen

2. Click on “Policy & Objects”

Figure. – Screenshot of the Policy & Objects selection in FortiManager

3. Click on “Object Configurations”

Figure. – Screenshot of the FortiManager navigation panel

4. Click “Firewall Objects | Addresses”

Figure. – Screenshot of the Firewall Objects navigation panel

5. Click “Create New | Address”

Figure. – Screenshot of the create new address setting in FortiManager

6. Set Address name to “n-inside” | Set IP/netmask to “0.1.1.1/255.255.255.255” | Click “OK”

The reason for setting the IP/Netmask to an inaccurate value is so that you can easily run an audit against the firewalls in the event that the per-device mapping is not set.

Figure. – Screenshot of the “Create New Address” dialog box

7. Observe the newly created address object

Please note: The FortiManager has an indicator of whether or not the address object has “per-device mapping” assigned within the object.

Figure. – Screenshot of the address objects listing in FortiManager

Create Site-1 Dynamic Address Object

1. In the FortiManager, log in as an administrative user

Figure. – Screenshot of the FortiManager logon screen

2. Click on “Policy & Objects”

Figure. – Screenshot of the Policy & Objects selection in FortiManager

3. Click on “Object Configurations”

Figure. – Screenshot of the FortiManager navigation panel

4. Click “Firewall Objects | Addresses”

Figure. – Screenshot of the Firewall Objects navigation panel

5. Click the “n-inside” object | Click “Edit”

Figure. – Screenshot of the address objects in FortiManager

6. Toggle on the “Per-Mapping Device” | Click “Create New”

Figure. – Screenshot of the Edit Address dialog in FortiManager

7. Select “site-1” from the drop-down in the Mapped Device field | Set the applicable IP/Netmask (192.168.10.0/255.255.255.0) | Click “OK”

Figure. – Screenshot of the per-device mapping address dialog box

8. Observe the new entry for the per-device mapping | Click “OK”

Figure. – Screenshot of the edit address dialog in FortiManager

9. Observe the n-inside address

Please note: The icon of the n-inside object has changed to indicate it is now a dynamic object and a per-device mapping has been set within the object.

Figure. – Screenshot of the address object listing in FortiManager

Create Site-2 Dynamic Address Object

1. In the FortiManager, log in as an administrative user

Figure. – Screenshot of the FortiManager logon screen

2. Click on “Policy & Objects”

Figure. – Screenshot of the Policy & Objects selection in FortiManager

3. Click on “Object Configurations”

Figure. – Screenshot of the FortiManager navigation panel

4. Click “Firewall Objects | Addresses”

Figure. – Screenshot of the Firewall Objects navigation panel

5. Click the “n-inside” object | Click “Edit”

This image has an empty alt attribute; its file name is image-54.png
Figure. – Screenshot of the address objects in FortiManager

6. Click “Create New”

Figure. – Screenshot of the Edit Address dialog in FortiManager

7. Select “site-2” from the drop-down in the Mapped Device field | Set the applicable IP/Netmask (192.168.20.0/255.255.255.0) | Click “OK”

Figure. – Screenshot of the per-device mapping address dialog box

8. Observe the new entry for the per-device mapping | Click “OK”

Figure. – Screenshot of the edit address dialog in FortiManager

9. Observe the n-inside address

Please note: The icon of the n-inside object has changed to indicate it is now a dynamic object and a per-device mapping has been set within the object.

Figure. – Screenshot of the address object listing in FortiManager

Other Dynamic Objects

Although dynamic address objects are the most popular type of dynamic object within the FortiManager, there are many other firewall objects that support per-device mapping.

Address Group

The dynamic address group allows you to set per-device mapping members in a group based on the specific firewall they are being applied to.

Figure. – Screenshot of the per-device mapping for Address Groups

Virtual IPs

The dynamic Virtual IP allows you to set all destination NAT settings pertaining to the virtual IP on a per-device mapping.

Figure. – Screenshot of the per-device mapping for Virtual IPs

IP Pool

The IP pool allows you to set all source NAT settings pertaining to the IP Pool on a per-device mapping.

Figure. – Screenshot of the per-device mapping for IP Pools

Virtual Server

The Virtual Server allows you to set all load-balancing settings pertaining to the Virtual Server on a per-device mapping.

Figure. – Screenshot of the per-device mapping for Virtual Server

Fortinet Single Sign-On Agent

The Fortinet Single Sign-On allows you to set all Fortinet Single Sign On parameters on a per-device mapping.

Figure. – Screenshot of the per-device mapping for Fortinet Single Sign On

Authentication Servers

LDAP, RADIUS, and TACACS+ all support allowing you set their individual settings on a per-device mapping.

Figure. – Screenshot of the per-device mapping for LDAP Server
Figure. – Screenshot of the per-device mapping for RADIUS Server
Figure. – Screenshot of the per-device mapping for TACACS+

Local Certificate

Local certificate supports allowing you to set a certificate specific to a FortiGate firewall on a per-device mapping.

Figure. – Screenshot of the per-device mapping for Local Certificate

This concludes the second article regarding using the FortiManager to leverage the dynamic firewall objects to simplify the management of firewall policy on the FortiGate. Please review the final installment article to bring all of the components together necessary to leverage the FortiManager to its maximum potential in managing FortiGate firewall policy.

I hope this helps!

5 1 vote
Article Rating
Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments