ac1
Contributor II

Create shared policy to two different FGT

Hi,

I have imported 2 FGTs with their policy packages into one ADOM. The policies and other settings were already configured.

In this scenario there are 2 different policy packages, one per FGT. The physical interfaces or zones of the FGTs have different names from each other.

How do I configure a single shared policy for web navigation for both?

1 Solution
aagrafi
Contributor II

Hi,

 

Select one of these two packages as the master package. In this package you have to do two things:

1. Go to "Installation targets" and add both FortiGates as targets (one FG should already be a target).

2. Go to "Object configurations" and create interface mappings for all interfaces used in policies on both FGs. An interface mapping should look like:

FMG interface object A <-> FG-1 interface X

FMG interface object A <-> FG-2 interface Y

FMG interface object B <-> FG-1 interface XX

FMG interface object B <-> FG-2 interface YY

and so on...

(2b. You might also need address object mappings or other mappings as well, for example if one address object has a different value on one FG than on the other.)

When you have finished all this, you'll have a single policy package with both FGs as installation targets and interface mappings for all interfaces of all FGs. Any change you make in this policy package will be installed to both FGs during installation.

You must remember this: having a single policy package for many FGs is very good practice, but you need to keep order in many things: the naming convention, maintaining a common policy for all FGs, the addressing, etc. If you cannot maintain this order, you'll end up with a complex and impossible-to-manage policy package.

 

Cheers
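An added example, not from the thread or from Fortinet, that checks the two steps above before an install: every FMG interface object used by a policy in the master package must have a mapping for each installation target, otherwise the package is not installable on that FG. Device names, interface names and the data layout are constructed for illustration.

```python
from collections import defaultdict

# Constructed FMG interface objects and their per-device mappings (step 2).
INTERFACE_MAPPINGS = {
    "lan": {"FG-1": "internal", "FG-2": "port2"},
    "wan": {"FG-1": "wan1", "FG-2": "port1"},
    "dmz": {"FG-1": "dmz"},  # FG-2 mapping deliberately missing
}

# Constructed policies of the master package. They reference FMG interface
# objects, never device-local interface names.
POLICIES = [
    {"name": "web-navigation", "srcintf": ["lan"], "dstintf": ["wan"]},
    {"name": "dmz-out", "srcintf": ["dmz"], "dstintf": ["wan"]},
]

INSTALL_TARGETS = ["FG-1", "FG-2"]  # step 1: both FGs as targets


def interfaces_in_use(policies):
    """Set of FMG interface objects referenced by any policy."""
    used = set()
    for p in policies:
        used.update(p["srcintf"])
        used.update(p["dstintf"])
    return used


def missing_mappings(policies, mappings, targets):
    """{device: [unmapped objects]} per target; empty dict means installable."""
    missing = defaultdict(list)
    for intf in sorted(interfaces_in_use(policies)):
        for dev in targets:
            if dev not in mappings.get(intf, {}):
                missing[dev].append(intf)
    return dict(missing)


def resolved_policies(policies, mappings, device):
    """Policies as one device receives them: FMG objects replaced by its
    local interface names. Raises KeyError if a mapping is missing."""
    return [
        {"name": p["name"],
         "srcintf": [mappings[i][device] for i in p["srcintf"]],
         "dstintf": [mappings[i][device] for i in p["dstintf"]]}
        for p in policies
    ]


if __name__ == "__main__":
    print(missing_mappings(POLICIES, INTERFACE_MAPPINGS, INSTALL_TARGETS))
    print(resolved_policies(POLICIES, INTERFACE_MAPPINGS, "FG-1"))
```

Run it against an export of your own package and mapping table before pushing to a second FG; the same check extends to address objects with per-device mappings (2b).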


sw2090
SuperUser

I use the default policy package for this. It is deployed to all our FGTs, so all have the same policies (at least if they match the installation target(s) of the policy). So I just need dynamic objects/interfaces with corresponding mappings per device. Some objects I also maintain in the global ADOM's default policy package.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams