Support Forum
rc179
New Contributor

Web filter changes via FortiManager

I want to set all the categories in one group to Block. That isn't difficult as long as all the firewalls are using the exact same web policy name and all the other category settings are identical across all the firewalls. BUT, even where the policies are named the same, the category settings differ, and some firewalls have many more policies than others.

I can look up the category numbers that make up the group and set them based on that if it helps. And I can write a CLI script that will do all I need for the default policies.

The problem comes when the firewall has many more, or differently named, policies. Is there any kind of command line wildcard that would apply my change to all web policies? Or maybe there is a better approach? Going through each firewall individually would be a solid week of work and wouldn't give me anything I can add to FortiManager for future use.

Any ideas?

distillednetwork
Contributor III

When you say "some firewalls have many more policies than others", are you talking about firewall policies or security profiles?

For FortiManager to be an effective tool, you will need to standardize security profiles so they can be reused across many different policy packages and firewalls.

You could create a script in FMG that can be reused later, but depending on the number of policy packages/ADOMs you have, you may still find yourself running it many times.

[screenshot: fmg-script.png]

I think the best approach is still to try to standardize on policies across the locations if possible.

rc179

Policies or profiles, well both actually.

I do have a standard that most of our commercial clients get, then there is another standard for our Gov clients, and that is broken down to basically 3 standards: dept-A, dept-B, and other. But even then there are individual departments with widely varying approaches to who gets what access. I wish I could just say "everyone gets this". In the end I can make a number of groups but nothing close to a global standard.

I already use scripts like you show, but that means many scripts.

What I was hoping for was a script that would query the web profile names and store them as a list of variables, then use those variables in an edit "variable-x" command, thus applying all the changes to all the profiles, known or unknown.

But it doesn't look like this is possible.

distillednetwork
Contributor III

You can create a meta field (System Settings > Advanced > Meta Fields) for the webfilter. Then for each unit, you can put the webfilter profile name in this field. The meta field can then be used in a CLI script as long as you are pushing the script to the device database instead of the policy package.

It should run this way; then you would have to do an install of the device database settings to the device. The only downfall to this is that since it is pushed from the device database, the policy package is probably going to become out of sync and you would need to re-import that to sync it up again. I have not tried it so I am not 100% sure.
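
As an added illustration of the meta-field approach described in this reply (example config, not code from the thread or from Fortinet's documentation): a FortiManager CLI script, run against the Device Database, that references a per-device meta field via the FortiManager metadata-variable syntax $(...). The meta field name webfilter_profile, the filter entry IDs and the category IDs are assumptions/placeholders chosen for this example.

```fortios
# Added example: FortiManager CLI script targeting the Device Database.
# $(webfilter_profile) is a FortiManager metadata variable; on each managed
# device it expands to the value stored in the assumed meta field
# "webfilter_profile", so one script edits a differently named profile per unit.
# Category IDs 11 and 12 and filter IDs 101/102 are placeholders: substitute the
# FortiGuard category IDs that make up the group you want to block.
config webfilter profile
    edit "$(webfilter_profile)"
        config ftgd-wf
            config filters
                edit 101
                    set category 11
                    set action block
                next
                edit 102
                    set category 12
                    set action block
                next
            end
        end
    next
end
```

Devices that have no value set for the meta field will fail the edit rather than fall back to a default, so check the script execution log per device after the run.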
