This is the third (and final) installment in the three-part series on managing FortiGate firewalls with the FortiManager. Please review the previous articles on dynamic interfaces and dynamic firewall objects, as they provide the supporting information needed for this article.
The policy package is a collection of policies in the FortiGate which defines how to enforce security constraints on traffic passing through the firewall. As mentioned in the post about dynamic interfaces, a policy is a collection of rules composed of objects. The FortiManager can manage the following policies for the FortiGate:
- Virtual Wire Pair
- Traffic Shaping
There are IPv6 versions of each of the policies above as well.
For the remainder of this article, the IPv4 Policy will be the main focus.
The key benefit of using the FortiManager is the ability to re-use objects and templates. This is especially important in a distributed firewall deployment where multiple FortiGates can share the same policies. But what about the case when the policies are only “similar”?
For example, extending the topology from the previous post, we add a web server at site 2, as reflected in the diagram below:
According to this diagram, site 1, site 2 and site 3 all need the same level of access to the resource at HQ. However, only site 2 needs an inbound firewall rule to allow access to the web server. To accommodate this, the Installation Target feature of the FortiManager can be utilized.
The installation target allows the same policy package to be applied to multiple FortiGates while selectively choosing which rules are applied to which FortiGate.
Assigning the FortiGate to the Policy Package
Before an Installation Target can be used, the FortiGate must be assigned to the policy package. Follow the procedure below to accomplish this task:
1. In the FortiManager, log in as an administrative user
2. Click on “Policy & Objects”
3. Locate the policy package (“Dynamic-Policy”) | Select “Installation Targets” | Click Add
4. In the “Add Installation Targets” dialog box | Select the FortiGates to assign to the policy package | Click “OK”
5. Validate the FortiGate listed under the Installation Targets for the policy package.
Best Practice: Use Device Groups as the installation target instead of the firewall itself. The reason behind this is that if you ever need to remove the FortiGate from the FortiManager, doing so will not remove the Installation Target reference from the policy package.
Assigning Installation Targets with the Policy Package
After the FortiGate has been assigned to the policy package within the FortiManager, an individual rule within the policy can be applied to a specific FortiGate. This requires the “Installation Target” field within the policy package to be exposed; follow the procedure below:
1. In the FortiManager, log in as an administrative user
2. Click on “Policy & Objects”
3. Expand the policy package | Click “IPv4 Policy”
4. If no policy exists, click “Create New” to add a rule to the policy package
5. Create the firewall rule that is specific to one FortiGate and is to be applied via the Installation Target
6. Go to the “Install On” column | Right-Click “Installation Target” | Click “Add Object(s)”
Please note: Depending on the resolution of your screen, you may need to scroll to the right in order to see the “Install On” column in the policy
7. In the “Add Object” dialog box, select the firewall [site-2] (or device group) that the rule applies to | Click “OK”:
8. Observe that the “Install On” is set for the correct device in the rule
Single Policy – Multiple FortiGates
The goal of this series of articles was to increase your efficiency by leveraging the FortiManager to manage multiple FortiGates via a single policy package. Dynamic interfaces, dynamic objects and installation targets are the tools that make this possible, and this section uses all three to demonstrate the use case.
The remainder of these steps builds on the information in the previous articles.
The topology is a simple representation of a distributed firewall deployment where multiple sites have similar policies. As a visual reminder, see the image below:
Applying the Policy Package
In the previous articles, we have created a “Dynamic-Policy” policy package and assigned multiple FortiGates to the policy as its installation target. Here’s a quick reminder of where this is set from the FortiManager:
Adding Rule to Policy
Within the IPv4 policy, there is already a rule that is specific to the site-2 FortiGate.
However, a rule to apply to all FortiGates is still needed. To accomplish this, we add a rule that allows the n-inside network to access the h-hqserver as shown in the screenshot below:
This policy references dynamic interfaces in the source and destination interface fields. It also references a dynamic firewall address object in the source address field. These allow the values specific to each FortiGate to be substituted when the policy is installed. The resultant policy is listed below:
Please note: The “Install On” column shows “Installation Targets” as its default value. When this value is set, the rule is applicable to all FortiGates that are specified in the Installation Targets of the policy package.
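To make the interaction of the three features concrete, here is an added example that is not code from the original article, from FortiManager or from Fortinet: a small Python model that resolves a policy package per device the way this series describes, dropping rules whose “Install On” scope excludes the device and substituting the per-device dynamic interface and address mappings. The device names, interfaces and n-inside subnets are the ones stated in this series; the site-2 inside interface (port2), the h-hqserver and h-site2_server addresses and the rule names are assumptions. The model also enforces the prerequisite from the “Assigning the FortiGate to the Policy Package” section: a rule may only be scoped to a device that is an installation target of the package.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Rule:
    name: str
    srcintf: str
    dstintf: str
    srcaddr: List[str]
    dstaddr: List[str]
    # None means "Installation Targets" (the package default): install on every
    # device assigned to the package. A list narrows the rule to those devices.
    install_on: Optional[List[str]] = None


@dataclass
class PolicyPackage:
    name: str
    installation_targets: List[str]
    rules: List[Rule]


# Dynamic interfaces: normalized name -> {device: physical interface}.
# site-1 values and site-2 "outside" are from the article; site-2 "inside" = port2 is assumed.
DYNAMIC_INTERFACES: Dict[str, Dict[str, str]] = {
    "inside": {"site-1": "port2", "site-2": "port2"},
    "outside": {"site-1": "port3", "site-2": "port4"},
}

# Dynamic address objects: object name -> {device: per-device value} (from the article).
DYNAMIC_ADDRESSES: Dict[str, Dict[str, str]] = {
    "n-inside": {"site-1": "192.168.10.0/24", "site-2": "192.168.20.0/24"},
}

# Static objects, identical on every device. The addresses are constructed for this example.
STATIC_ADDRESSES: Dict[str, str] = {
    "all": "0.0.0.0/0",
    "h-hqserver": "10.0.0.10/32",           # assumed HQ server address
    "h-site2_server": "192.168.20.10/32",   # assumed site-2 web server address
}


class ResolveError(Exception):
    """Raised when the package cannot be resolved for a device."""


def resolve_interface(name: str, device: str) -> str:
    mapping = DYNAMIC_INTERFACES.get(name)
    if mapping is None:
        return name  # a plain interface name is pushed unchanged
    if device not in mapping:
        raise ResolveError(f"dynamic interface {name!r} has no mapping for {device!r}")
    return mapping[device]


def resolve_address(name: str, device: str) -> str:
    if name in DYNAMIC_ADDRESSES:
        mapping = DYNAMIC_ADDRESSES[name]
        if device not in mapping:
            raise ResolveError(f"dynamic address {name!r} has no mapping for {device!r}")
        return mapping[device]
    if name in STATIC_ADDRESSES:
        return STATIC_ADDRESSES[name]
    raise ResolveError(f"unknown address object {name!r}")


def validate_package(pkg: PolicyPackage) -> None:
    """A rule may only be scoped to devices that are installation targets of the package."""
    for rule in pkg.rules:
        for device in rule.install_on or []:
            if device not in pkg.installation_targets:
                raise ResolveError(f"rule {rule.name!r} is scoped to {device!r}, which is not "
                                   f"an installation target of package {pkg.name!r}")


def resolve_package(pkg: PolicyPackage, device: str):
    """Return (rules, address_objects) that installing pkg would produce on device."""
    validate_package(pkg)
    if device not in pkg.installation_targets:
        raise ResolveError(f"{device!r} is not an installation target of {pkg.name!r}")
    rules, addresses = [], {}
    for rule in pkg.rules:
        scope = rule.install_on if rule.install_on is not None else pkg.installation_targets
        if device not in scope:
            continue  # rule is scoped to other devices: not installed here
        rules.append({
            "name": rule.name,
            "srcintf": resolve_interface(rule.srcintf, device),
            "dstintf": resolve_interface(rule.dstintf, device),
            "srcaddr": list(rule.srcaddr),
            "dstaddr": list(rule.dstaddr),
        })
        # Only objects referenced by a rule installed on this device are pushed to it.
        for obj in rule.srcaddr + rule.dstaddr:
            addresses[obj] = resolve_address(obj, device)
    return rules, addresses


# The "Dynamic-Policy" package from the article: a site-2-only inbound rule and a
# rule for all installation targets from n-inside to h-hqserver. Rule names are assumed.
DYNAMIC_POLICY = PolicyPackage(
    name="Dynamic-Policy",
    installation_targets=["site-1", "site-2"],
    rules=[
        Rule("site2-web-inbound", "outside", "inside", ["all"], ["h-site2_server"], install_on=["site-2"]),
        Rule("to-hq", "inside", "outside", ["n-inside"], ["h-hqserver"]),
    ],
)
```

Calling `resolve_package(DYNAMIC_POLICY, "site-1")` yields a single rule on port2/port3 with n-inside as 192.168.10.0/24 and no h-site2_server object, while `"site-2"` yields both rules with port4 substituted and n-inside as 192.168.20.0/24, which is exactly what the validation later in this article looks for on each firewall.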
Applying Policy Package to FortiGate
Once the policy has been configured from the FortiManager, it is ready to be applied to the FortiGates. To do this, you can follow the procedure below:
1. From the “Policy & Objects” | “Policy Packages” page | Click “Install | Install Wizard”
2. In the “Install Wizard” dialog box | Select “Install Policy Package & Device Settings” | Choose the correct policy package from the drop-down | Click “Next”
3. In the “Install Wizard – Policy Package…” dialog box | Ensure all applicable FortiGates are selected | Click “Next”
4. In the “Install Wizard – Policy Package…” dialog make sure there are no errors in the policy check | Ensure that the applicable FortiGates are selected | Click “Install”
5. In the “Install Wizard – Policy Package…” dialog box, check that the policy was applied successfully with no errors | Click “Finish”
At this point, the same policy package has been applied to both FortiGates from the FortiManager.
Now that the same policy has been applied to both FortiGates, it is important to validate that the settings that are unique to each firewall are indeed set correctly.
The first point of validation is to confirm that the FortiManager shows the correct policy package is applied to each FortiGate. The quickest and easiest way to confirm this is via the “Device Manager | Device & Groups” page.
Once you have confirmed that the correct policy is applied from the FortiManager, you can proceed with validating at each corresponding FortiGate that the policy is set correctly.
The first FortiGate in this example is site-1 which should only have a single rule applied to it.
As shown in the screenshot above, the FortiManager applied the settings that are specific to this FortiGate. Specifically, the policy is defined between the inside interface “port2” and the outside interface “port3”. We also confirm that a single rule is applied in the outbound direction that allows the hosts behind the FortiGate to access the resources at HQ. The last item to confirm in this section is the network assigned to the “n-inside” address object. See the screenshot below for this assignment:
As shown above, the n-inside address object is correctly set to the network “192.168.10.0/24” as defined in the topology above.
The second FortiGate in this example is Site-2. We should see that it has two different rules applied to it.
As shown in the screenshot above, not only do you see that this FortiGate has two rules assigned to it, but it also references a different outside interface of “port4”. This shows that the dynamic interface reference in the FortiManager correctly substituted the proper interface during the application of the policy package. Lastly, you just need to confirm that the address object for “n-inside” reflects “192.168.20.0/24” as defined in the diagram at the beginning of this article.
Please note: The h-site2_server object was not present on site-1 FortiGate because the rule that references it was not installed on site-1 FortiGate.
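The per-device checks above can be scripted against the FortiGate's own `show firewall policy` and `show firewall address` output. The following is an added example, not code from the article or from Fortinet: a parser for that CLI format and a check that each site received the expected rule count and outside interface, that n-inside carries that site's subnet, and that site-1 did not receive the h-site2_server object. The CLI output embedded below is constructed to match the values this article reports; the h-site2_server address and the rule names are assumptions, and the parser handles only flat config blocks (no config nested inside an edit).

```python
import shlex
from ipaddress import ip_network

# Constructed FortiGate "show" output for site-1, matching what the article reports:
# one rule, port2 -> port3, and n-inside = 192.168.10.0/24.
SITE1_SHOW = """\
config firewall address
    edit "n-inside"
        set subnet 192.168.10.0 255.255.255.0
    next
end
config firewall policy
    edit 1
        set name "to-hq"
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "n-inside"
        set dstaddr "h-hqserver"
    next
end
"""

# Constructed output for site-2: two rules, outside interface port4,
# n-inside = 192.168.20.0/24, and the h-site2_server object (its address is assumed).
SITE2_SHOW = """\
config firewall address
    edit "n-inside"
        set subnet 192.168.20.0 255.255.255.0
    next
    edit "h-site2_server"
        set subnet 192.168.20.10 255.255.255.255
    next
end
config firewall policy
    edit 1
        set name "site2-web-inbound"
        set srcintf "port4"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "h-site2_server"
    next
    edit 2
        set name "to-hq"
        set srcintf "port2"
        set dstintf "port4"
        set srcaddr "n-inside"
        set dstaddr "h-hqserver"
    next
end
"""

# What each device must look like after the install, per the article's topology.
EXPECTED = {
    "site-1": {"rules": 1, "outside": "port3", "n-inside": "192.168.10.0/24", "absent": ["h-site2_server"]},
    "site-2": {"rules": 2, "outside": "port4", "n-inside": "192.168.20.0/24", "absent": []},
}


def parse_fortigate_show(text):
    """Parse flat 'show' output (config/edit/set/next/end) into {table: {entry: {key: [values]}}}."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        parts = shlex.split(raw)  # handles the quoted names FortiOS prints
        if not parts:
            continue
        if parts[0] == "config":
            table = tables.setdefault(" ".join(parts[1:]), {})
        elif parts[0] == "edit" and table is not None:
            entry = table.setdefault(parts[1], {})
        elif parts[0] == "set" and entry is not None:
            entry[parts[1]] = parts[2:]  # multi-valued fields stay as lists
        elif parts[0] == "next":
            entry = None
        elif parts[0] == "end":
            table, entry = None, None
    return tables


def validate_device(name, show_output, expected):
    """Return a list of findings; an empty list means the device matches expectations."""
    cfg = parse_fortigate_show(show_output)
    policies = cfg.get("firewall policy", {})
    addresses = cfg.get("firewall address", {})
    findings = []
    if len(policies) != expected["rules"]:
        findings.append(f"{name}: expected {expected['rules']} rules, found {len(policies)}")
    # The rule to HQ must leave via this site's outside interface (dynamic interface check).
    hq = [p for p in policies.values() if "h-hqserver" in p.get("dstaddr", [])]
    if len(hq) != 1:
        findings.append(f"{name}: expected exactly one rule to h-hqserver, found {len(hq)}")
    elif hq[0].get("dstintf") != [expected["outside"]]:
        findings.append(f"{name}: HQ rule dstintf {hq[0].get('dstintf')} != {expected['outside']!r}")
    # The dynamic address object must carry this site's subnet (dynamic object check).
    subnet = addresses.get("n-inside", {}).get("subnet")
    actual = str(ip_network("/".join(subnet), strict=False)) if subnet else None
    if actual != expected["n-inside"]:
        findings.append(f"{name}: n-inside is {actual}, expected {expected['n-inside']}")
    # Objects referenced only by rules scoped to other devices must not be present.
    for obj in expected["absent"]:
        if obj in addresses:
            findings.append(f"{name}: object {obj!r} should not be present")
    return findings
```

Run `validate_device("site-1", SITE1_SHOW, EXPECTED["site-1"])` and the site-2 equivalent; both return an empty list for the constructed output, while a site-2 configuration that received the site-1 subnet for n-inside (the symptom of a missing or wrong dynamic mapping) produces a single finding naming that object.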
As you can see, the correct value has been substituted on the Site-2 FortiGate. This concludes this three-part series on managing your firewalls with the FortiManager. Hopefully this information was helpful. Please leave a comment below with your thoughts.
Hi Jonathan, Thank you very much for your time in making this article. This article has given me a lot of information about FTM. I have a question for you. Let’s say I have 1000 FortiGates already imported/connected into the FortiManager and each of the devices has its own policy package imported into the FortiManager. My requirement is to add a single firewall rule on all 1000 FortiGate devices to allow Local-LAN to access a new service on the HQ end without deleting the already available firewall rules on all the 1000 FortiGates. Is that possible with the combination of…