FortiManager
FortiManager supports network operations use cases for centralized management, best practices compliance, and workflow automation to provide better protection against breaches.
Alan_
Staff
Article Id 426746

 

Description

This article describes what Policy Blocks are and how to use them within the global policy packages.

Scope

FortiManager.

Solution

A Policy Block is essentially a set of policies, particularly useful when there are multiple Policy Packages that may have different Firewall Policies but share a common set of them.

Any changes made to a Policy Block are inherited by every Policy Package to which the Policy Block is appended.

 

Policy Blocks are a hidden feature and must be enabled under Feature Visibility:
Policy & Objects -> Policy Packages -> Tools -> Feature Visibility.

 

Once done, the Policy Blocks menu shows up in the Global Database ADOM.

 

Policy Block enabled.

 

How to use Policy Blocks:

Policy Blocks consist of two different sets of firewall policies: Firewall Header Policies and Firewall Footer Policies.

 

Policy Block example, with Header and Footer Firewall Policies configured.

 

These two sets are independent and can be assigned separately to a Global Policy Package. For example, it is possible to apply only the Firewall Header Policy set of a Policy Block to a Global Policy Package.

 

On the "All_customer_blocks" Global Policy Package, only the Firewall Header Policies of the Policy Block called "Protocols to block" are applied.

 

On the Firewall Footer Policy, a different set of Footer Policies is applied, which belongs to the Policy Block called "Private traffic to negate".

 

The next step is to assign the Global Policy Package to a Local ADOM.

 

Important note: the Global Database ADOM and local ADOMs:

 

Step 1:

Select the Global Policy Package Assignment section, then select Add ADOM.

 

A Global Policy Package must be assigned to an ADOM.

 

It is possible to assign the Global Policy Package:

  • To every Policy Package.
  • To every Policy Package, except the specified ones.
  • To the specified Policy Packages, which is the option chosen in the example.

 

The Global Policy Package is now assigned to a Policy Package and its status is "Up to date".

 

This assignment procedure must be repeated whenever a Policy Block is appended to or removed from a Global Policy Package: the Global Policy Package must be reassigned to synchronize the status.

 

Step 2:

To synchronize the new changes, click on Action and follow the instructions to assign the Global Policy Package to the needed Policy Packages (in the example, the SPOKES Policy Package in the SD-WAN ADOM).

 

Notice the "Pending change" status. Firewall Policies are not synchronized on the "SPOKES" Policy Package at this time, even though the Global Policy Package was already assigned to it previously.

 

Once done, the status changes to 'Up to date', and the new Firewall Policies show up on the Policy Package in local ADOM.

 

Notice the status has changed to "Up to date".

 

Install the policies on the firewall:

To push the Firewall Policies to the FortiGates, use the Install Wizard with the option Install Policy Package.

 

Known Issues:

In a scenario where a Policy Block is appended to two or more Global Policy Packages, which are in turn assigned to two or more Local Policy Packages of the same Local ADOM, the Header or Footer Firewall Policies of the Policy Block are not added to the Local Policy Package associated with the Global Policy Package whose assignment was done in the second step (Step 2).

 

A symptom of the problem is that in the Second Global Policy Package Assignment Page, the Status of the Assignment remains 'Up to Date' after a Policy Block is appended or removed.

 

The problem is tracked with the bug id 1244194 and is solved starting from the firmware release v7.4.9, v7.6.6, and v8.0.1.

 

Related documents: