insurgent3
New Member
April 24, 2021
Question

Best practices for policy package design

What is the best way to create a generic policy package that applies to multiple sites but still allows each site to have its own custom configs as well, without causing conflicts in FortiManager?

 

For example, I'd like a policy package that has our standard firewall template, but then each site will have its own private /21 10.x.x.x network, custom VPN tunnels, port forward rules, 1:1 NATs, etc. I've tried this, but it's been difficult to keep FortiManager from giving warnings about modified configs and being out of sync.

 

Any design tips on this? I'm a Cisco guy, and learning the FortiGates has been nice; looking forward to implementing a solid Fortinet setup.

1 reply

SankaraNarayanan_S
New Member
April 25, 2021

To answer the first part of your question:

 

Assumptions for a good generic access policy design from FortiManager; please make sure the below are constant:

  1. Ensure sub-interface selection, VLAN ID and VLAN name are finalized; this is a prerequisite for the creation of the dynamic interface mapping used in FortiManager access policies.
  2. Ensure destination address and destination-specific ports are constant.
  3. Ensure the firewall device model selection is constant across regions.

Note:

  • Source address can vary based on VLAN or sub-interfaces.
SankaraNarayanan_S
New Member
April 25, 2021

To answer the second part of your question:

The conflict shown on FortiManager:

Please ensure all device and access policy deployment changes are performed from FortiManager only, so as to avoid conflicts.

     

Also, please answer the below:

Is this conflict error shown in Device Manager or on the access policy package in FortiManager?

     

sw2090
SuperUser
April 27, 2021

I do it this way here with 21 sites:

     

All FGTs are in FortiManager in an ADOM.

All FGTs in the ADOM use the same default policy package, so there are no FGT-specific policy packages.

If I need some policy to be deployed to only specific FGTs, I set those as installation target(s) for the policy.

     

Just the device config is FGT-specific (except for the things that can be set in a provisioning template in FGT).

Things I need in more than one ADOM (like web filter profiles) are in the global ADOM in FMG.

     

FMG will not show live conflicts during configuration, but it will prompt you upon deploying device config or a policy package.

     

Once FGTs are in FMG, you should not change or create anything directly on them that is in the policy package, since FMG deployment will overwrite that.

If you change device config directly on an FGT that is in FMG, make sure to perform a retrieve config in FMG before you deploy anything to that FGT from within FMG!

     

Works fine here so far...
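The design the two replies above describe (one shared policy package; per-site differences expressed as dynamic interface and address mappings; a retrieve before installing to any FortiGate that was changed locally) can be seen concretely as the FortiManager JSON-RPC payloads it produces. The following is an added example, not code from the thread, from Fortinet or from FortiManager itself: it builds those payloads offline as plain Python dicts and filters a device list for the out-of-sync devices that need a retrieve first. The ADOM name, device names, /21 prefixes and port names are constructed sample data, and the URL paths and field names (`pm/config/.../obj/dynamic/interface`, `obj/firewall/address`, `dynamic_mapping`, `_scope`, `conf_status`) are my understanding of the FortiManager JSON-RPC API and should be checked against the API reference for your FMG version before use.

```python
"""
Added example (not from the thread): the "one generic package, per-site
specifics via dynamic mappings" design as FortiManager JSON-RPC payloads,
built offline as dicts.

Assumptions (verify against your FMG version's API reference):
  - URL paths and field names follow the FortiManager JSON-RPC API as I
    understand it (pm/config for ADOM objects, dvmdb for device state).
  - ADOM, device, network and port names below are constructed sample data.
"""
import json

ADOM = "branches"  # hypothetical ADOM name

# Constructed sample: site -> (FMG device name, site's private /21, LAN port)
SITES = {
    "siteA": ("FGT-SiteA", "10.1.0.0/21", "port2"),
    "siteB": ("FGT-SiteB", "10.1.8.0/21", "internal"),
}


def cidr_to_mask(cidr):
    """'10.1.8.0/21' -> ['10.1.8.0', '255.255.248.0'], the ipmask form FMG expects."""
    ip, bits = cidr.split("/")
    mask_int = (0xFFFFFFFF << (32 - int(bits))) & 0xFFFFFFFF
    mask = ".".join(str((mask_int >> s) & 0xFF) for s in (24, 16, 8, 0))
    return [ip, mask]


def scope(device, vdom="root"):
    """Per-device scope entry used inside a dynamic_mapping element."""
    return [{"name": device, "vdom": vdom}]


def build_lan_interface(sites, name="LAN"):
    """Normalized (dynamic) interface: policies reference one name, and each
    device maps it to its own physical port, so no per-site policy is needed."""
    return {
        "name": name,
        "single-intf": "enable",
        "dynamic_mapping": [
            {"_scope": scope(dev), "local-intf": [port]}
            for dev, _net, port in sites.values()
        ],
    }


def build_lan_address(sites, name="LAN_NET"):
    """Address object with a default subnet plus a per-device override, so a
    shared 'LAN_NET -> WAN' policy resolves to each site's own /21 at install."""
    return {
        "name": name,
        "type": "ipmask",
        "subnet": ["10.0.0.0", "255.0.0.0"],  # used only where no mapping matches
        "dynamic_mapping": [
            {"_scope": scope(dev), "type": "ipmask", "subnet": cidr_to_mask(net)}
            for dev, net, _port in sites.values()
        ],
    }


def rpc(method, url, data, req_id=1):
    """Wrap a payload in the JSON-RPC envelope FMG's /jsonrpc endpoint takes."""
    return {"method": method, "params": [{"url": url, "data": data}], "id": req_id}


def devices_needing_retrieve(dvmdb_devices):
    """Given records as returned by GET /dvmdb/adom/<adom>/device, list the
    devices whose running config drifted from FMG (conf_status 'outofsync').
    Install to these only after a 'retrieve config', as the reply above says."""
    return sorted(d["name"] for d in dvmdb_devices if d.get("conf_status") == "outofsync")


if __name__ == "__main__":
    base = f"/pm/config/adom/{ADOM}/obj"
    print(json.dumps(rpc("add", f"{base}/dynamic/interface", build_lan_interface(SITES)), indent=2))
    print(json.dumps(rpc("add", f"{base}/firewall/address", build_lan_address(SITES), 2), indent=2))
    # Constructed sample of a dvmdb device listing: SiteB was edited on the box.
    sample_devices = [
        {"name": "FGT-SiteA", "conf_status": "insync"},
        {"name": "FGT-SiteB", "conf_status": "outofsync"},
    ]
    print("retrieve before install:", devices_needing_retrieve(sample_devices))
```

The point of the two `dynamic_mapping` lists is that every site-specific value lives on the object, not on the policy, so the package stays identical across the ADOM and a policy that is genuinely site-only is handled with installation targets rather than a second package. The `devices_needing_retrieve` filter is the pre-install check implied by the "retrieve config first" advice; anything it returns should be retrieved (or the local change reverted) before an install overwrites it.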