How to use global database webfilters in ADOMs?

FlavioB · ‎03-15-2019

Hi there.

Anybody can help understanding how to use the global database for webfilter profiles?

I want to have some sort of "repository" in the global database, where I store my different webfilter profiles. Then I'd like to be able to pick/use them in the policy packages in each individual ADOM.

Is this possible? If so, how?

Thanks,

Flavio.

rowan_kaag · ‎07-02-2019

Tested in FMG 6.0.4, 3 ADOM's: root (6.0), test (6.0), Global Database (6.0)

- Create profile in Global Database

- Go to Policy Packages -> Assignment (might need to add it via 'Tools > Display Options')

- Add ADOM -> Status will be 'Pending Changes' (in our case, might be due to Workflow-mode)

- Choose desired assignment, we went for 'Assign ALL Objects'

- Profit from Global Database profiles in all assigned ADOM's

MSSP Security Engineer

View solution in original post

chall_FTNT · ‎03-15-2019

You have to Assign a global policy package. Click on "Assign Selected" and check the "Assign all objects" option to copy profiles to the target ADOMs.

Chris Hall
Fortinet Technical Support

FlavioB · ‎03-20-2019

Hi.

This is not working, or at least not like I'd wish it to work.

I would like to only copy the objects (wf profiles, for example). It does not work, unless I create some header and/or footer policies which use the objects I want to have in the ADOMs.

Or do you know a trick to achieve my goal without those annoying footer/header policies?

Also: when a global object is pushed into an ADOM, it is editable in that ADOM - which is completely agains the concept of using global objects!

gabyrossi · ‎03-20-2019

I think that to do what you need you have to use mapping objects.

regards

FlavioB · ‎03-20-2019

gabyrossi wrote:
I think that to do what you need you have to use mapping objects.

regards

Hi Gaby. Can you explain?

F.

gabyrossi · ‎03-21-2019

Hi, I misunderstood. To apply UTM profiles in different devices / adom you use footer / header policies. And assign it to the ADOM you want If I find another way, I'll comment again.

The Fortimanager guide says very briefly:

The global ADOM layer contains two key pieces: the global object database and all header and footer policies. Header and footer policies are used to envelop policies within each individual ADOM. These are typically invisible to users and devices in the ADOM layer. An example of where this would be used is in a carrier environment, where the carrier would allow customer traffic to pass through their network but would not allow the customer to have access to the carrier’s network assets.

FlavioB · ‎03-21-2019

Hi Gaby - thanks.

This is exactly what I do not want - having to use policies to just inject global ADOM objects into all other ADOMs... and in FMG 6.2 this is also not (yet) implemented! :(

F.

rowan_kaag · ‎07-02-2019

Tested in FMG 6.0.4, 3 ADOM's: root (6.0), test (6.0), Global Database (6.0)

- Create profile in Global Database

- Go to Policy Packages -> Assignment (might need to add it via 'Tools > Display Options')

- Add ADOM -> Status will be 'Pending Changes' (in our case, might be due to Workflow-mode)

- Choose desired assignment, we went for 'Assign ALL Objects'

- Profit from Global Database profiles in all assigned ADOM's

MSSP Security Engineer

FlavioB · ‎07-08-2019

rowan.kaag wrote:
Tested in FMG 6.0.4, 3 ADOM's: root (6.0), test (6.0), Global Database (6.0)

Hi Rowan - thanks, you're right! I've tested it with FMG 6.0.5 and it works indeed!

Fortinet TAC has not told me this (and I was already using 6.0.4) :(

I saw this feature presented on FMG 6.2.0 and so I thought it would only be available on the newer FMG version...

Thanks,

Flavio.

How to use global database webfilters in ADOMs?

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website