FortiManager
FortiManager supports network operations use cases for centralized management, best practices compliance, and workflow automation to provide better protection against breaches.
cborgato_FTNT
Description
This article describes how to use Workflow mode.
It provides a quick review of Workflow terms and a worked example using the ‘auto-approve’ method, in which the same administrator submits and approves the session.

Solution
WorkFlow Introduction.

Work Flow mode.


Workflow mode is used to control the creation, configuration, and installation of policies and objects.
It helps to ensure all changes are reviewed and approved before they are applied.
When workflow mode is enabled, the ADOM has to be locked and a session has to be started before policy, object, or device changes can be made in that ADOM.
Workflow approvals have to be configured for an ADOM before any sessions can be started in it.
Workflow applies to the ADOM-level database only.

Note.
Depending on the admin profile assigned to the administrator, the account may be allowed to make changes, to approve or reject sessions, both, or neither.
Once the required changes have been made, the session can either be discarded and the changes deleted, or it can be submitted for approval.
The session can also be saved and continued later, but no new sessions can be created until the saved session has been submitted or discarded.

Work Flow mode Approval.

When a session is submitted for approval, email messages are sent to the approvers, who can then approve or reject the changes directly from the email message.
Sessions can also be approved or rejected by the approvers from within the ADOM itself.
If one approver from each approval group approves the changes, then another email message is sent, and the changes are implemented.
If any of the approvers reject the changes, then the session can be repaired and resubmitted as a new session, or discarded.
When a session is discarded, all later sessions are also discarded.
After multiple sessions have been approved, a previous session can be reverted to, undoing all the later sessions.
The changes made in a session can be viewed at any time from the session list in the ADOM by selecting View Diff.
The ADOM does not have to be locked to view the differences.

This case's particularity (the ‘auto-approve’ method).
The same administrator approves what they modified and submitted themselves.
The goal is to catch common mistakes and cosmetic errors by forcing the administrator to review the same group of changes (the session diff) a second time before it is installed.
Note that this gives no separation of duties: one account can submit and approve any change. It is a self-review aid, not a substitute for an approval matrix with a second administrator.

Note.
This article does not explain how to configure workflow mode.

Work Flow Session State.

Starting a workflow session.

1) Log in to FortiManager and ensure that you are in the correct ADOM.
2) Go to Policy & Objects.
3) Select 'Lock' in the banner. The padlock icon changes to a locked state and the ADOM is locked.
4) If it does not open automatically after locking, from the Sessions menu select 'Session List'. The Session List dialog box opens.
5) Select 'Create New Session'.






Apply Modification.

1) For example, clone a policy in the policy package.

Note.
The workspace is still locked and the 'Save' button is red (the session has unsaved changes).





Continue a saved Session.

1) Ensure to be in the correct ADOM.
2) Go to Policy & Objects and lock the ADOM.
3) If it does not open automatically, go to Sessions -> Session List. The 'Session List' dialog box opens.
4) Select ‘Continue Session In Progress’ to continue the session.





Discard Session.

A session can be discarded at any time before it is approved.
A session cannot be recovered after it is discarded.

Note.
When a session is discarded, all sessions after it in the session list will also be discarded.





To discard saved, submitted, or rejected sessions.

1) Ensure to be in the correct ADOM.
2) Go to Policy & Objects and lock the ADOM.
3) Go to Sessions -> Session List. The 'Session List' dialog box opens.
4) Select the session that is to be discarded, then select 'Discard'.
5) Select 'OK' in the Discard Session pop-up.



Submitting a Session.

When all the required changes have been made, the session can be submitted for approval.
A session has to be open to be submitted for approval.
When the session is submitted, email messages are sent to all of the approvers and other administrators defined in the approval matrix (see Workflow approval), and the ADOM is automatically unlocked.




Approving or rejecting a session.

Sessions can be approved or rejected by the members of the approval groups either directly from the email message that is generated when the session is submitted, or from the session list.
A session that has been rejected has to be repaired or discarded before the next session can be approved.
When a session is approved or rejected, new email messages are sent out.

To approve/reject a session from the session list.


1) Log in as the same administrator (the ‘auto-approve’ case) and ensure you are in the correct ADOM.
2) Go to Policy & Objects and lock the ADOM.
3) Go to Sessions -> Session List. The 'Session List' dialog box opens
4) Select a session that can be approved.





5) Optionally, select 'View Diff' to review the changes before approving or rejecting them.




6) Select 'Approve' or 'Reject'.
Enter a comment in the Approve/Reject Session pop-up, then select 'OK'.

To approve/reject a session from the email message.


1) If the configuration changes HTML file is attached to the email message, open the file to review the changes.
2) Select 'Approve this request' or 'Reject this request' to approve or reject the request.
Alternatively, select 'Login FortiManager to process this request' to log in to FortiManager and approve or reject the session from the session list.

A web page will open showing the basic information, approval matrix, and session log for the session, highlighting whether the session was approved or rejected.
A new email message will also be sent containing the same information.

3) On the last line of the session log on the web page, select 'Click here to add comments' to add a comment about why the session was approved or rejected.

Note.
This is not covered in detail in this article.

Repairing a rejected session.

When a session is rejected, it can be repaired to correct the problems with it.

To repair a workflow session.

1) Log in as (or stay logged in as) the same administrator and ensure you are in the correct ADOM.
2) Go to Policy & Objects and lock the ADOM.
3) Go to Sessions -> Session List. The 'Session List' dialog box opens.
4) Select a rejected session, then select 'Repair'.





5) The rejected session can now be modified and then saved, submitted, or discarded again.

Reverting a session.

A session can be reverted to after later sessions have been submitted or approved.
If the reverting session is approved, it undoes all the changes made by the later sessions; those later sessions have to be approved before the reverting session can be approved.
It is still possible to revert to any of those later sessions afterwards without losing their changes.
When a session is reverted to, a new session is created and automatically submitted for approval.





To revert a workflow session.

1) Log in as (or stay logged in as) the same administrator and ensure you are in the correct ADOM.
2) Go to Policy & Objects and lock the ADOM.
3) Go to Sessions -> Session List. The Session List dialog box opens
4) Select the session to revert to (for example, the previously approved session), then select 'Revert'.

Install Approved Changes.

Once a session has been approved, the administrator can install the changes to the FortiGate.
Before installing, check 'Config Status' and 'Policy Package Status' for the target device.




1) Log in as (or stay logged in as) the same administrator and ensure you are in the correct ADOM.
2) Go to Policy & Objects and lock the ADOM.
3) Go to Install -> Install Wizard.





4) Select 'Install Policy Package & Device Settings', add a comment, then select 'Next' and 'Next' again.





5) [optional] Review the 'Install Preview' and/or the policy package changes before installing.





6) Select 'Install'.
7) [optional] View the install History and/or Log.
8) Select 'Finish'.
Check 'Config Status' and 'Policy Package Status' again to confirm that the install succeeded.
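The whole ‘auto-approve’ cycle described in this article, driven over the FortiManager JSON-RPC API instead of the GUI, as an added example (not code from the article or from Fortinet). It locks the ADOM, starts a session, applies a change, saves and submits, locks again and approves as the same administrator, installs the policy package and unlocks, and it unlocks the ADOM if any step fails so the workspace is not left locked behind. The /workspace and /workflow URLs, the 'desc' comment key, the reply fields 'sessionid' and 'task', and the data keys of the 'clone' call are written from memory of the API and are assumptions to verify against the API reference for your FortiManager version; host, credentials, ADOM, package and device names are placeholders, and FakeFortiManager is a constructed offline stand-in so the sequence can be run without a FortiManager.

```python
"""FortiManager workflow 'auto-approve' cycle over JSON-RPC (added example, not Fortinet code).

ASSUMPTIONS: the /workspace and /workflow URLs, the 'desc' key, the reply fields
'sessionid' and 'task', and the 'clone' data keys are recalled from the FortiManager
JSON-RPC API and must be checked against the API reference for your version.
"""
import json
import ssl
import urllib.request
from typing import Callable, List, Optional, Tuple

JsonRpcSender = Callable[[dict], dict]   # takes a JSON-RPC body, returns the parsed reply


class FmgError(RuntimeError):
    """Raised when FortiManager answers with a non-zero status code."""


class FmgWorkflowClient:
    def __init__(self, send: JsonRpcSender, adom: str):
        self.send, self.adom, self._id = send, adom, 0
        self.token: Optional[str] = None

    def call(self, method: str, url: str, data: Optional[dict] = None) -> dict:
        """One JSON-RPC request; raises FmgError unless result[0].status.code == 0."""
        self._id += 1
        param = {"url": url} if data is None else {"url": url, "data": data}
        body = {"id": self._id, "method": method, "params": [param]}
        if self.token:
            body["session"] = self.token
        reply = self.send(body)
        status = reply["result"][0]["status"]
        if status["code"] != 0:
            raise FmgError(f"{method} {url}: {status.get('message')} (code {status['code']})")
        return reply

    def login(self, user: str, passwd: str) -> None:
        self.token = self.call("exec", "/sys/login/user", {"user": user, "passwd": passwd})["session"]

    def lock(self) -> None:
        self.call("exec", f"/dvmdb/adom/{self.adom}/workspace/lock")

    def unlock(self) -> None:
        self.call("exec", f"/dvmdb/adom/{self.adom}/workspace/unlock")

    def auto_approve_cycle(self, change: Callable[["FmgWorkflowClient"], None],
                           comment: str, pkg: str, device: str, vdom: str) -> Tuple[int, int]:
        """Lock, start session, change, save, submit, re-lock, approve, install. Returns (session id, task id)."""
        wf = f"/dvmdb/adom/{self.adom}/workflow"
        self.lock()                                   # 'Starting a workflow session', step 3
        try:
            sid = self.call("exec", f"{wf}/start")["result"][0]["data"]["sessionid"]  # assumed field
            change(self)                              # the edit under review, e.g. clone a policy
            self.call("exec", f"{wf}/save")
            self.call("exec", f"{wf}/submit", {"desc": comment})
        except Exception:
            self.unlock()                             # never leave the ADOM locked after a failure
            raise
        # Submitting unlocks the ADOM; the (same) approver locks again, reviews the diff, approves.
        self.lock()
        try:
            self.call("exec", f"{wf}/approve/{sid}", {"desc": "diff reviewed by submitter"})
            task = self.call("exec", "/securityconsole/install/package",
                             {"adom": self.adom, "pkg": pkg,
                              "scope": [{"name": device, "vdom": vdom}]})["result"][0]["data"]["task"]
        finally:
            self.unlock()                             # in production, poll /task/task/<task> first
        return sid, task


def https_sender(host: str) -> JsonRpcSender:
    """Real transport: POST to https://<host>/jsonrpc with certificate verification left on."""
    ctx = ssl.create_default_context()

    def send(body: dict) -> dict:
        req = urllib.request.Request(f"https://{host}/jsonrpc", data=json.dumps(body).encode(),
                                     headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return json.load(resp)
    return send


class FakeFortiManager:
    """Constructed offline stand-in: records each URL and answers like a healthy FortiManager.
    fail_url makes that one URL return a non-zero status, to exercise the cleanup path."""
    def __init__(self, fail_url: str = ""):
        self.urls: List[str] = []
        self.fail_url = fail_url

    def __call__(self, body: dict) -> dict:
        url = body["params"][0]["url"]
        self.urls.append(url)
        if url == self.fail_url:
            return {"result": [{"status": {"code": -3, "message": "Object does not exist"}}]}
        data = {"sessionid": 7} if url.endswith("/workflow/start") else {"task": 42}
        return {"session": "constructed-token",
                "result": [{"status": {"code": 0, "message": "OK"}, "data": data}]}


def clone_policy(client: FmgWorkflowClient) -> None:
    """The change under review: 'clone' is a JSON-RPC method; the data keys are an assumption."""
    client.call("clone", f"/pm/config/adom/{client.adom}/pkg/default/firewall/policy/1",
                {"name": "policy-1-copy"})


def run_demo(fail_url: str = "") -> Tuple[Optional[Tuple[int, int]], List[str]]:
    """Runs the cycle against the fake; returns ((session id, task id) or None on error, URLs in order)."""
    fake = FakeFortiManager(fail_url)
    client = FmgWorkflowClient(fake, "root")
    client.login("admin", "constructed-password")
    try:
        return client.auto_approve_cycle(clone_policy, "clone policy 1", "default", "FGT-LAB", "root"), fake.urls
    except FmgError:
        return None, fake.urls


if __name__ == "__main__":
    print(run_demo())
```

Running the file prints the ordered request list produced against the fake; for a real unit, pass `https_sender("fmg.example.com")` instead of the fake and poll `/task/task/<task id>` until the install task finishes before unlocking the ADOM.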




FlowChart Summary with WorkFlow mode on Policy Package.





Related Articles

Technical Tip: Unable to import policy when enabling workflow mode

Technical Tip: How to use WorkFlow mode using ‘auto-approve’ method with scripts

Technical Tip: How to rollback using WorkFlow mode with ‘auto-approve’ method
