Our FortiManager (FMG) is running 6.4.7. We encountered a situation where we had to add one VIP policy at only one location/FGT (so far) of this customer, while all other policies (60+ of them) are the same as at other locations.
I kind of know the answer already, but I have to ask because the option I'm currently thinking of is to clone the current policy package, change the name, then add a VIP policy with VIP objects, which is not so smart because every time we need to add/change one thing in any of the other policies, we have to remember to make the same change in this policy package as well.
And similar cases might grow when we add more of this retail-chain customer's locations (so far 100+, but expected to grow much bigger), and the number of policy packages would grow.
So, I want to ask if I can somehow add one policy only for one location/FGT in one policy package.
Thanks,
Toshi
The FortiManager allows you to select the installation target for an individual policy rule (as well as for the entire policy package).
If you scroll to the right, you'll see the installation target column in the policies. You can select this and change from 'Installation Targets' to an individual FortiGate. If you can't see the column, select Column Settings and enable it there.
So in the below example, the first policy will be installed to the devices specified in my policy package installation targets (i.e. all spokes), but my second policy will only be installed to the Branch1 firewall.
Created on 03-02-2022 04:30 PM Edited on 03-02-2022 04:31 PM
I didn't know that. I read the FMG admin guide quite thoroughly originally when we deployed, but I didn't notice this feature existed.
Thanks,
Toshi
I just tested this with three test FGTs in an ADOM. Of course it works as intended, but the GUI to select devices in the entire group is a little unintuitive, so it took me some time to understand what those tool icons at the bottom were for.
I also found a page of the admin guide I must have overlooked or ignored when I read through. There is not much explanation about the GUI detail.
https://docs.fortinet.com/document/fortimanager/6.4.6/administration-guide/478072/install-policies-o...
Toshi