Using FortiManager to Manage FortiGate Firewall Policies – Part 3 – Single Policy for Multiple FortiGates

This is the third (and final) installment in the three part series regarding managing FortiGate firewalls with the FortiManager. Please review the previous articles on dynamic interfaces and dynamic firewall objects to provide the supporting information necessary for this article.

Policy Package

The policy package is a collection of policies in the FortiGate which defines how to enforce security constraints on traffic passing through the firewall. As mentioned in the post about dynamic interfaces, a policy is a collection of rules composed of objects. The FortiManager can manage the following policies for the FortiGate:

  • IPv4
  • Virtual Wire Pair
  • Proxy
  • Interface
  • Local-In
  • Traffic Shaping

There are IPv6 versions of each of the policies above as well.

Figure. – Screenshot of the listing of policies included in FortiManager Policy Package

For the remainder of this article, the IPv4 Policy will be the main focus.

Managing Policies

The key benefit of using the FortiManager is to leverage the capabilities of object re-use and templates. This is especially important in a distributed firewall deployment where multiple FortiGates can share the same policies. But what about the case when the policies are “similar”.

For example, in the previous example referenced in the previous post, we add a web-server at site 2 as reflected in the diagram below:

Figure. – Diagram of topology containing one off firewall rule for Site 2

According to this diagram, site 1, site 2 and site 3 all need the same level of access to access the resource at HQ. However, only site 2 only has a need for a firewall rule to allow an inbound firewall rule to allow access to the web server. To accommodate this, the Installation Target feature of the Fortimanager can be utilized.

Installation Targets

The installation target allows the same policy package to be applied to multiple FortiGates and selectively choose which rule to apply the FortiGate.

Assigning the FortiGate to the Policy Package

Before an Installation Target can be used, the FortiGate must be assigned to the policy package. Follow the procedure below to accomplish this task:

1. In the FortiManager, log in as an administrative user

Figure. – Screenshot of the FortiManager logon screen

2. Click on “Policy & Objects”

Figure. – Screenshot of the Policy & Objects selection in FortiManager

3. Locate the policy package (“Dynamic-Policy”) | Select “Installation Targets” | Click Add

Figure. – Screenshot of the Policy Package in FortiManager

4. In the “Add Installation Targets” dialog box | Select the FortiGates to assign to the policy package | Click “OK”

Figure. – Screenshot of the Add Installation Targets dialog

5. Validate the FortiGate listed under the Installation Targets for the policy package.

Figure. – Screenshot of the Installation Targets applied to the policy package

Best Practice: It is a best practice to use Device Groups as the installation target instead of the firewall itself. The reason behind this is that if you ever need to remove the FortiGate from FortiManager, it will not remove the Installation Target reference from the policy package.

Assigning Installation Targets with the Policy Package

After the FortiGate has been assigned to the policy package within the FortiManager, an individual rule within the policy can be applied to a specific FortiGate. To do this, the “Installation Target” field within the policy package needs to be exposed. To do this, follow the procedure below:

1. In the FortiManager, log in as an administrative user

Figure. – Screenshot of the FortiManager logon screen

2. Click on “Policy & Objects”

Figure. – Screenshot of the Policy & Objects selection in FortiManager

3. Expand the policy package | Click “IPv4 Policy”

Figure. – Screenshot of the IPv4 Policy within the Policy Package

4. If no policy exists, click “Create New” to add a rule to the policy package

Figure. – Scerenshot of the “Create New”

5. Create a firewall rule specific to applied via the Installation Target

Figure. – Screenshot of the creation of the firewall rule in FortiManager

6. Go to the “Install On” column | Right-Click “Installation Target” | Click ” Add Object(s)”

Figure. – Screenshot of the Install On column in FortiManager policy package

Please note: Depending on the resolution of your screen, you may need to scroll to the right in order to see the “Install On” column in the policy

7. In the “Add Object” dialog box, select the firewall [site-2] (or device group) that the rule applies to| Click “OK”:

Figure. – Screenshot of the Add Object(s) dialog box

8. Observe that the “Install On” is set for the correct device in the rule

Figure. – Screenshot of policy with Install On set

Single Policy – Multiple FortiGates

The goal in this series of articles were to increase your efficiencies by leveraging the FortiManager to manage multiple FortiGates via a single policy package. To do this, the tools of dynamic interfaces, dynamic objects and installation targets can be leveraged to accomplish this task. This section will leverage all of these tools to demonstrate this use case.

The remainder of these steps will be built off the information in the previous articles.

The Topology

The topology is a simple representation of a distributed firewall deployment where there are multiple sites that have similar policies. As a reminder of visual representation, see the image below:

Figure. – Diagram of topology containing one off firewall rule for Site 2

Applying the Policy Package

In the previous articles, we have created a “Dynamic-Policy” policy package and assigned multiple FortiGates to the policy as its installation target. Here’s a quick reminder of where this is set from the FortiManager:

Figure. – Screenshot of the Installation Targets for the policy package

Adding Rule to Policy

Within the IPv4 policy, there is a rule that exists that is specific to the site-2 FortiGate.

Figure. – Screenshot of policy with firewall rule specific to site-2

However, a rule to apply to all FortiGates is still needed. To accomplish this, we add a rule that allows the n-inside network to access the h-hqserver as shown in the screenshot below:

Figure. – Screenshot of the firewall policy referencing dynamic objects

This policy references dynamic interfaces in the source and destination interface fields. It also references dynamic firewall address objects in the source address fields. These allow the fields specific to the FortiGates to be substituted during the application of these policies. Below is the resultant policy listed below:

Figure. – Screenshot of the policy

Please note: The “Install On” column will show “Installation Targets” as its value as its default value. When this value is set, this rule is applicable to all FortiGates that are specified in the Installation Targets of the policy package.

Applying Policy Package to FortiGate

Once the policy has been configured from the FortiManager, it is ready to be applied to the FortiGates. To do this, you can follow the procedure below:

1. From the “Policy & Objects” | “Policy Packages” page | Click “Install | Install Wizard”

Figure. – Screenshot of the Policy & Objects install action

2. In the “Install Wizard” dialog box | Select “Install Policy Package & Device Settings” | Choose the correct policy package from the drop-down | Click “Next”

Figure. – Screenshot of the Install Wizard for policy and configuration dialog box

3. In the “Install Wizard – Policy Package…” dialog box | Ensure all applicable FortiGates are selected | Click “Next”

Figure. – Screenshot of the Install Wizard dialog box with FortiGates selected

4. In the “Install Wizard – Policy Package…” dialog make sure there are no errors in the policy check | Ensure that the applicable FortiGates are selected | Click “Install”

Figure. – Screenshot of the Policy Package dialog showing no errors on policy check

5. In the “Install Wizard – Policy Package…” dialog box, check that the policy was applied successfully with no errors | Click “Finish”

At this point, the same policy package has been applied to both FortiGates from the FortiManager.

Validation

Now that the same policy has been applied to both FortiGates, it is important to validate that the settings that are unique to each firewall are indeed set correctly.

FortiManager

The first point of validation is to confirm that the FortiManager shows the correct policy package is applied to each FortiGate. The quickest and easiest way to confirm this is via the “Device Manager | Device & Groups” page.

Figure. – Screenshot from the Device Manager showing policy packages applied to FortiGates

Once you have confirmed that the correct policy is applied from the FortiManager, you can proceed with validating at each corresponding FortiGate that the policy is set correctly.

Site-1 FortiGate

The first FortiGate in this example is site-1 which should only have a single rule applied to it.

Figure. – Screenshot of the site-1 FortiGate with one rule in its policy

As shown in the screenshot above, we see that the FortiManager applied the settings that are specific to this FortiGate. Specifically, we see that the policy is defined between the inside interface of “port2” going outside using the interface of “port3”. We also confirm that there is a single rule being applied in the outbound direction that allows the hosts behind the FortiGate to access the resources at HQ. The last part to confirm in this section is the IP address it has assigned to the “n-inside” address object. See the screenshot below for this assignment:

Figure. – Screenshot of site-1 FortiGate highlighting the n-inside address object

As shown above, the n-inside address object is correctly set to the network “192.168.10.0/24” as defined in the topology above.

Site-2 FortiGate

The second FortiGate in this example is Site-2. We should see that it has two different rules applied to it.

Figure. – Screenshot of the site-2 FortiGate with two rules in its policy

As shown in the screenshot above, not only do you see that this FortiGate has two rules assigned to it, but it also references a different outside interface of “port4”. This shows that the dynamic interface reference in the FortiManager correctly substituted the proper interface during the application of the policy package. Lastly, you just need to confirm that the address object for “n-inside” reflects “192.168.20.0/24” as defined in the diagram at the beginning of this article.

Figure. – Screenshot of the site-2 FortiGate address objects

Please note: The h-site2_server object was not present on site-1 FortiGate because the rule that references it was not installed on site-1 FortiGate.

As you can see, the correct value has been substituted on the Site-2 FortiGate. This concludes this three part series on managing your firewalls with the FortiManager. Hopefully this information was helpful. Please leave a comment below with your thoughts.

5 1 vote
Article Rating
Subscribe
Notify of
guest
1 Comment
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
Azhar

Hi Jonathan, Thank you very much for your time in making this article. This article has given me a lot of information about FTM. I have a question for you. let’s say I have 1000 FortiGates already imported/connected into the FortiManager and each of the device has it’s own policy package imported into the FortiManager. My requirement is to add a single firewall rule on all 1000 FortiGate devices to allow Local-LAN to access a new service on the HQ end without deleting the already available firewall rules on all the 1000 FortiGate. is that possible with the combination of… Read more »