atos_network
New Contributor

Implicit policy remediation with help of FAZ reporting

Hello,

 

I have a FortiGate with an implicit allow all policy:

ANY srcintf to ANY dstintf with ALL sources to ALL dest and ALL services.

I am looking for a way to leverage FortiAnalyzer to extract unique connections, and based on that create explicit firewall policies above.

Any ideas on how to use the reporting feature in FAZ?

 

Thank you!

Cosmin

vraev
Staff

Hi,
The reports are made to summarize. Instead use the LogView and Download option there.

Best,

V.R.
Debbie_FTNT
Staff

Hey atos_network,

I'm not sure what FortiGate firmware version you have, but you could check out the Learn Mode option (this requires both FortiAnalyzer AND FortiManager):

- If the FortiGate (or specific VDOM) is in NGFW mode (policy-based instead of profile-based), then you can enable the learn mode in policies
- this essentially allows all traffic and monitors everything
- this feeds logs to FortiAnalyzer
- FortiManager Policy Analyzer collects the logs from FortiAnalyzer to provide analysis and policy recommendations

Learn Mode on FortiGate:
https://docs.fortinet.com/document/fortigate/7.4.6/administration-guide/243446/ngfw-policy#Introduce...

If you don't have a FortiManager, depending on your FortiGate firmware version (and if it has disk logging and reporting enabled), you should be able to generate a 'Learning Report' locally.

 

Is this at least in the direction you're looking for advice?

 

Regarding reporting on FortiAnalyzer, in principle FortiAnalyzer CAN provide an overview of whatever is logged on the FortiGate. The question is what you mean with 'unique connections'.
You could simply create a report that shows you every single traffic session, or a report that shows you unique source/destination IPs and how many sessions each saw, or you could use one of the webfilter/bandwidth reports to get an overview of what domains saw the most traffic, etc.
A more detailed outline of what you want to see on the report would be helpful :)

 

Cheers,

Debbie

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
atos_network

Hello,

Thank you for your reply.

I will look into the FAZ-FM-FG combination for Learn Mode option, that sounds like the automatic way to do what I am trying to achieve.

Basically I am looking to extract rows with 3-tuple (srcip/dstip/dstport) from the policy.
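As an added illustration of the manual route suggested earlier in the thread (download the raw traffic logs from FortiAnalyzer Log View rather than a summarized report), here is a small Python script that reduces exported FortiGate forward-traffic log lines to the unique srcip/dstip/dstport rows asked for above, with the IP protocol and a session count added so each row maps onto a service object. This is example code, not a Fortinet tool; the log lines are constructed samples, and it assumes the catch-all allow policy logs as policyid=0 (adjust the parameter if yours logs a different id).

```python
import re
from collections import Counter

# Constructed sample of FortiGate forward-traffic log lines in the key=value
# format that FortiAnalyzer Log View exports. All addresses are made up.
SAMPLE_LOG = """\
date=2024-05-01 time=10:00:01 type="traffic" subtype="forward" srcip=10.1.1.20 srcport=51000 srcintf="port1" dstip=10.2.2.10 dstport=443 dstintf="port2" proto=6 action="accept" policyid=0 service="HTTPS"
date=2024-05-01 time=10:00:05 type="traffic" subtype="forward" srcip=10.1.1.20 srcport=51002 srcintf="port1" dstip=10.2.2.10 dstport=443 dstintf="port2" proto=6 action="accept" policyid=0 service="HTTPS"
date=2024-05-01 time=10:00:09 type="traffic" subtype="forward" srcip=10.1.1.21 srcport=40000 srcintf="port1" dstip=10.2.2.53 dstport=53 dstintf="port2" proto=17 action="accept" policyid=0 service="DNS"
date=2024-05-01 time=10:00:12 type="traffic" subtype="forward" srcip=10.1.1.22 srcport=40100 srcintf="port1" dstip=10.2.2.10 dstport=22 dstintf="port2" proto=6 action="deny" policyid=5 service="SSH"
date=2024-05-01 time=10:00:15 type="traffic" subtype="local" srcip=10.1.1.20 srcport=40200 srcintf="port1" dstip=10.1.1.1 dstport=443 dstintf="unknown-0" proto=6 action="accept" policyid=0 service="HTTPS"
"""

# Matches key=value pairs where the value is either a quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_line(line):
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields

def unique_tuples(log_text, policyid="0"):
    """Count sessions per (srcip, dstip, proto, dstport) for forwarded traffic
    accepted by the given policy id. Assumption: the catch-all allow policy
    logs as policyid=0. Local (to-device) traffic and denied sessions are
    skipped because they do not need an explicit forwarding policy."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if f.get("type") != "traffic" or f.get("subtype") != "forward":
            continue
        if f.get("action") != "accept" or f.get("policyid") != policyid:
            continue
        counts[(f["srcip"], f["dstip"], f["proto"], f["dstport"])] += 1
    return counts

if __name__ == "__main__":
    # Each printed row is one candidate explicit policy (or address/service pair).
    for (src, dst, proto, port), n in sorted(unique_tuples(SAMPLE_LOG).items()):
        print(f"{src:15} -> {dst:15} proto={proto:3} dport={port:5} sessions={n}")
```

Run it against a real export with `unique_tuples(open("traffic.log").read())`; the session count helps decide which rows deserve a dedicated policy and which are one-off noise.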
