Fortinet Forum
Toshi_Esumi
Esteemed Contributor II

Dynamic (per-device) Policies in FMG

Our FortiManager (FMG) is running 6.4.7. We encountered a situation where we had to add one VIP policy at only one location/FGT (so far) of this customer while all other policies (60+ of them) are the same as at other locations.

I kind of know the answer already but I have to ask, because the option I'm currently thinking of is to clone the current policy package, change the name, and then add a VIP policy with VIP objects, which is not so smart because every time we need to add/change one thing in any of the other policies, we have to remember to make the same change in this policy package as well.

And similar cases might grow when we add more of this retail-chain customer's locations (so far 100+, but expected to grow much bigger) and the number of policy packages would grow.

So, I want to ask if I can somehow add one policy only for one location/FGT in one policy package.

Thanks,

Toshi

1 Solution
amouawad
Staff

The FortiManager allows you to select the installation target for an individual policy rule (as well as for the entire policy package).

If you scroll to the right you'll see the installation target column in the policies. You can select this and change from 'Installation Targets' to an individual FortiGate. If you can't see the column, select Column Settings and enable it there.

So in the below example, the first policy will be installed to the devices specified in my policy package installation targets (i.e. all spokes), but my second policy will only be installed to the Branch1 firewall.

[Screenshot: 2022-03-03_11-08.png]

3 REPLIES
Toshi_Esumi
Esteemed Contributor II

I didn't know that. I quite thoroughly read the FMG admin guide originally when we deployed, but I didn't notice this feature existed.

Thanks,

Toshi

Toshi_Esumi
Esteemed Contributor II

I just tested this with three test FGTs in an ADOM. Of course it works as intended, but the GUI to select devices in the entire group is a little unintuitive, so it took me some time to understand what those tool icons at the bottom were for.
I also found a page of the admin guide I must have overlooked or ignored when I read through. There is not much explanation about the GUI details.
https://docs.fortinet.com/document/fortimanager/6.4.6/administration-guide/478072/install-policies-o...

Toshi