
debabratamajhi
New Contributor

Best practice approach to manage FortiGate with FortiManager

Hello

How to manage more than 150 FWs with a global policy template for most of the FWs, and use a 'per FW policy' only when a FW has some specificity, with a best practice approach through FortiManager?

The FWs are located across different locations.

Like two ADOMs, one for the global policy and one for the per-FW policy. Seeking help and ideas.


Do we need any Fortinet tool to manage compliance in terms of security threats and other services in FortiGate firewalls?

Thanks in advance

RobertEvans
New Contributor III

An ADOM is an administrative domain, or a logical grouping of firewalls; for single-VDOM firewalls you would typically have one firewall per ADOM.

If you are a single enterprise, you could have one ADOM, or if you want to split up by business unit you can; it's up to you.

As for policy management, you would have a global policy for standard configuration items that apply to all firewalls, such as:
 standard ACLs
 standard global firewall config items
 standard connectors (TACACS, LDAP, RADIUS, etc.)
 standard AV and web profiles
 any enterprise- or MSP-wide firewall policies

These would be the header or footer policies applied uniformly to all 150. You would then define your local policy package that applies only to that firewall, e.g. site-specific firewall policies, ACLs, objects, etc.

In general, some operational discipline is needed for a team to effectively use FortiManager. It's a great tool, but the team should make as many changes as they can on the FMGR side and push them to the firewall, vs. making firewall-local changes and having to import the config and deal with policy package conflicts.

The goal is central management: you can define your general security policies in one location and push them to your appliances, as well as have a single reference for per-firewall configurations.

For multi-VDOM firewalls, VDOM -> ADOM mapping is possible as well.

-Rob
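The layering Rob describes (global header policies, then the firewall's own local package, then global footer policies, evaluated first match wins) is easy to get wrong when a site-specific rule sits below a global one that already decides the same traffic. The script below is an added example, not FortiManager's own API or CLI and not code from the thread: it models the effective policy package for one firewall out of a global template plus an optional local package, answers "which rule decides this flow", and flags local rules that a global header rule has already shadowed. All firewall names, subnets and rule names are constructed sample data.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    name: str
    src: str       # source CIDR
    dst: str       # destination CIDR
    service: str   # "any" or a single service such as "tcp/443"
    action: str    # "accept" or "deny"
    scope: str     # "global-header", "local" or "global-footer"


# Constructed sample data: the global template every firewall receives.
GLOBAL_HEADER: List[Policy] = [
    # central management jump hosts may SSH anywhere
    Policy("hdr-allow-mgmt", "10.0.0.0/24", "0.0.0.0/0", "tcp/22", "accept", "global-header"),
    # telnet is denied enterprise-wide before any local rule is considered
    Policy("hdr-deny-telnet", "0.0.0.0/0", "0.0.0.0/0", "tcp/23", "deny", "global-header"),
]
GLOBAL_FOOTER: List[Policy] = [
    Policy("ftr-deny-all", "0.0.0.0/0", "0.0.0.0/0", "any", "deny", "global-footer"),
]

# Constructed sample data: only firewalls with site specifics get a local package;
# every other firewall in the fleet is managed by the global template alone.
LOCAL_PACKAGES: Dict[str, List[Policy]] = {
    "fw-branch-01": [
        Policy("lan-to-web", "192.168.1.0/24", "0.0.0.0/0", "tcp/443", "accept", "local"),
        # a site admin's legacy exception: never reachable because of hdr-deny-telnet
        Policy("lan-telnet-legacy", "192.168.1.0/24", "192.168.1.50/32", "tcp/23", "accept", "local"),
    ],
}


def effective_package_for(fw_name: str) -> List[Policy]:
    """Header rules, then the firewall's local package (if any), then footer rules."""
    return GLOBAL_HEADER + LOCAL_PACKAGES.get(fw_name, []) + GLOBAL_FOOTER


def _matches(p: Policy, src_ip: str, dst_ip: str, service: str) -> bool:
    return (ip_address(src_ip) in ip_network(p.src)
            and ip_address(dst_ip) in ip_network(p.dst)
            and p.service in ("any", service))


def first_match(package: List[Policy], src_ip: str, dst_ip: str, service: str) -> Optional[Policy]:
    """Return the rule that decides the flow under first-match evaluation, or None."""
    for p in package:
        if _matches(p, src_ip, dst_ip, service):
            return p
    return None


def covers(outer: Policy, inner: Policy) -> bool:
    """True if every flow `inner` could match is already matched by `outer`."""
    return (ip_network(inner.src).subnet_of(ip_network(outer.src))
            and ip_network(inner.dst).subnet_of(ip_network(outer.dst))
            and outer.service in ("any", inner.service))


def shadowed_policies(package: List[Policy]) -> List[Tuple[str, str]]:
    """(shadowed rule, earlier rule that covers it) pairs; such rules never take effect."""
    found = []
    for i, p in enumerate(package):
        for earlier in package[:i]:
            if covers(earlier, p):
                found.append((p.name, earlier.name))
                break
    return found


if __name__ == "__main__":
    for fw in ("fw-branch-01", "fw-branch-77"):   # the second has no local package
        pkg = effective_package_for(fw)
        print(fw, "->", [f"{p.scope}:{p.name}" for p in pkg])
        for shadowed, by in shadowed_policies(pkg):
            print(f"  WARNING: local rule {shadowed} is shadowed by {by}")
    pkg = effective_package_for("fw-branch-01")
    print(first_match(pkg, "192.168.1.10", "192.168.1.50", "tcp/23").name)   # hdr-deny-telnet
```

Running the shadowing check before pushing a package is the kind of FMGR-side discipline the answer calls for: the conflict shows up centrally, rather than as a mystery when a site reports that its exception "doesn't work".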