Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

Best practices for policy package design

What is the best way to create a generic policy package that applies to multiple sites but still allows each site have their own custom configs as well without causing conflicts in Fortimanager?


For example I'd like a policy package that has our standard firewall template but then each site will have its own private /21 10.x.x.x network, custom vpn tunnels, port forwards rules, 1:1 nats, etc. I've tried this but it's been difficult to keep FortiManager from giving warnings about modified configs and being out of sync.


Any design tips on this? I'm a Cisco guy and learning the fortigates has been nice, looking forward to implementing a solid fortinet setup.

New Contributor

To answer the first part of your question:


Assumptions for a best generic access policies design from forti manager please make sure the below are constant:

  • Ensure Sub Interface selection. VLAN ID, VLAN name are finalized, this is a pre-request required for the creation of Dynamic Interface mapping used on forti manager access policies.
  •  Ensure Destination address and Destination Specific ports needs to be constant.
  • Ensure Firewall Device model selection is constant across region.[/ol]


  • Source address can vary based on VLAN or sub-interfaces.[/ul]
  • SankaraNarayanan_S

    To answer the second part of your question

    The conflict is shown on the Forti manager:

    Please ensure all device & access policies deployment changes are performed from the 

    Forti manager only such that it could prevent to avoid conflicts.


    Also please answer below :

    Is this conflict error shown on the Device manager or on the access policy package on the fortimanager ?



    I do here this way with 21 Sites:


    All FGT are in FortiManager in an ADOM.

    All FGt in adom use the same default policy package so there is no FGT specific policy packages.

    If I need some policy to be deployed to only specific FGT I set those as installation target(s) for the policy.


    Just Device config is FGT specific (execpt from the thingys that can be set in provisioning template in FGT).

    Things I need in more than one adom (like Webfilter profiles) are in global adom in FMG.


    FMG will not show live conflicts during configuration but it will prompt you upon deploying device config or policy package.


    Once FGt are in FMG you should not change or create anything directly on them that is in policy package since FMG deployment will overwrite that.

    If you change device config directly on  a FGT that is in FMG make sure to perform a retrieve config in FMG before you deploy anything to that FGT from within FMG!


    Works fine here so far...


    "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

    -- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

    Select Forum Responses to become Knowledge Articles!

    Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

    Top Kudoed Authors