FortiManager 6.0.4

Forum|Forum|7 years ago
April 22, 2019
1 reply
4108 views

Hello,

Wondering if anyone has a good way for dealing with policies that may exist only on a single FortiGate target in policy package? I have two clusters, which can share a common policy package. I have it set up for one and I have been building the extra policies that are on the second cluster. Problem is, the interface for the required policies only exist on one set of FortiGates. Wondering how some of you may have gotten around this issue. I have seen some thread talking about using loopback interfaces to map to. That doesn't seem to be working on the Fortigates right now, regardless. Tickets opened for that. That method seems a little dirty. I like the possibility of having a common policy for the organization. It's just that there are a handful of rules that differ. I don't know why Fortinet doesn't have a per device on the rules themselves, just like objects and mappings. Would make it simpler if I could select this policy is only mapped to a single device. Any advice is appreciated.

Thanks

ergotherego

New Member

Create a dummy interface. If loopback's don't work, try a sub-interface going to a bogus VLAN.

In our case, all interfaces are zoned. So I identified an unused physical interface, created dummy sub-interfaces under that, and then put those into zones using the proper names. If you don't use zones, should just be able to create a named sub-interface matching what the other firewall uses (or just map appropriately in FMG).

cyaneshAuthor

New Member

Thank you. Creating an empty vlan interface off an unused port seemed to do that trick. Seems really dirty to me with the rule set. This was the last real step to fully integrating the two sites. Honestly, I don't know why Fortinet doesn't create a per-device mapping for rules, just like they have with just about everything else. That way I can say on those handful of rules, you only apply here. And FMG will ensure the right objects/interfaces exists for that one FG. So, one thing I didn't ask you may know...I am doing this ahead of time so when I add my second cluster, I can flip it's installation policy package and the extra rules are prebuilt. IF it was already in this policy package, what would happen if I created the rule? Right now I am creating it with the current FG and no mapping for the interface. What would happen if there was at least one with the mapping? From what I can tell online, it would be the same result. But just wanted to make sure I am not shooting my own foot off.

Again, thanks.

ergotherego

New Member

cyanesh wrote:
What would happen if there was at least one with the mapping?

Depends on if that firewall contains references to that interface.

If you just map it, and the Policy Package you push down has no references to that interface, there will be no change. This is because interfaces themselves are device-level settings. If however, you actually created zones (mapped inside of FMG or not) and these were not referenced by a PP or other settings, FMG will want to purge them since it treats zones as policy-level objects. A zone that has no references is not needed sayeth the FMG, and will be deleted. In that case, I have created dummy rules against the dummy zones to hold them down.

I would probably just create the mapping dynamic interface mapping inside of FMG now, since it shouldn't hurt anything.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded