Policy and Objects – FortiManager 5.2

Policy

This section describes how to create a new IPv4 policy.

The following instructions are specific to FortiOS v5.2 ADOMs. For information on creating policies in v5.0 ADOMs, see the FortiOS Handbook, available in the Fortinet Document Library.

To create a new IPv4 policy:

  1. Select the ADOM from the drop-down list in the toolbar.
  2. Select the policy package where you will be creating the new policy from the tree menu.
  3. Right-click on the sequence number of a current policy, or in an empty area of the content pane, and select Create New from the menu.
  4. If you are creating a global policy, select Create New > Header Policy or Create New > Footer Policy. The Create New Policy dialog box opens.
Create new policy
  5. Enter the following information:

 

Source Interface: Select the source interface. Select the add icon to add multiple values for this field. Select the remove icon to remove values.

Source Address: Select to add source addresses or address groups. Select the add icon to add multiple values for this field. Select the remove icon to remove values. Addresses and address groups can also be created by selecting Create New in the dialog box. See Create a new object for more information.

Source User(s): Select source users. Select the add icon to add multiple values for this field. Select the remove icon to remove values. This option is only available if the Action is set to ACCEPT or DENY.

Source Group(s): Select source groups. Select the add icon to add multiple values for this field. Select the remove icon to remove values. This option is only available if the Action is set to ACCEPT or DENY.

Source Device Type: Select device types. Select the add icon to add multiple values for this field. Select the remove icon to remove values. This option is only available if the Action is set to ACCEPT or DENY.

Destination Interface: Select the destination interface. Select the add icon to add multiple values for this field. Select the remove icon to remove values.

Destination Address: Select to add destination addresses or address groups. Select the add icon to add multiple values for this field. Select the remove icon to remove values. Addresses, address groups, virtual IPs, and virtual IP groups can also be created by selecting Create New in the dialog box. See Create a new object for more information.

Schedule: Select a schedule or schedules for the policy. Schedules (one-time, recurring, and schedule group) can also be created by selecting Create New in the dialog box. See Create a new object for more information.

 

Service: Select services or service groups for the policy. Select the add icon to add multiple values for this field. Select the remove icon to remove values. Services and service groups can also be created by selecting Create New in the dialog box. See Create a new object for more information.

Action: Select an action for the policy to take: ACCEPT, DENY, or IPSEC.

NAT: Select to enable NAT. If enabled, select Use Destination Interface Address (with or without Fixed Port) or Dynamic IP Pool (select the pool from the list, or create a new pool). This option is only available if the Action is set to ACCEPT.

Compliant with Endpoint Profile: Select to enforce compliance with the FortiClient Profile. This option is only available when a device type has been added to the Source Device Type field.

Logging Options: Select one of the following options: No Log, Log Security Events, or Log All Sessions. You can also select to generate logs when the session starts and to capture packets. This option is only available if the Action is set to ACCEPT.

Log Violation Traffic: Select to log violation traffic. This option is only available if the Action is set to DENY.

Enable Web Cache: Select to enable web cache. This option is only available if the Action is set to ACCEPT.

Enable WAN Optimization: Select to enable WAN optimization. If enabled, select active or passive from the drop-down list, and select a profile to use for the optimization. This option is only available if the Action is set to ACCEPT.

Certificate: Select the certificate from the drop-down list. This option is only available if the Action is set to ACCEPT.

Customize Authentication Messages: Select the authentication message from the drop-down list. This option is only available if the Action is set to ACCEPT.

Resolve User Names Using FSSO Agent: Select to enable this feature. This option is only available if the Action is set to ACCEPT.

Enable Disclaimer: Select to enable the disclaimer, and type the redirect URL. This option is only available if the Action is set to ACCEPT.

 

VPN Tunnel: Select the VPN from the drop-down list. Select to allow traffic to be initiated from the remote site. This option is only available if the Action is set to IPSEC.

Security Profiles: These options are only available if the Action is set to ACCEPT or IPSEC.

Enable AntiVirus: Select to enable antivirus and select the profile from the drop-down list.
Enable Web Filter: Select to enable Web Filter and select the profile from the drop-down list.
Enable Application Control: Select to enable Application Control and select the profile from the drop-down list.
Enable IPS: Select to enable IPS and select the profile from the drop-down list.
Enable Email Filter: Select to enable Email Filter and select the profile from the drop-down list.
Enable DLP Sensor: Select to enable DLP Sensor and select the profile from the drop-down list.
Enable VoIP: Select to enable VoIP and select the profile from the drop-down list.
Enable ICAP: Select to enable ICAP and select the profile from the drop-down list.
Enable SSL/SSH Inspection: This feature is enabled by default. Select the profile from the drop-down list.
Proxy Options: Select to enable Proxy Options and select the profile from the drop-down list. This option is only available when Web Filter, Email Filter, or DLP Sensor is enabled.

Traffic Shaping: Select to enable traffic shaping and select the traffic shaper object from the drop-down list. These options are only available if the Action is set to ACCEPT or IPSEC.

Reverse Direction Traffic Shaping: Select to enable reverse direction traffic shaping and select the traffic shaper object from the drop-down list.
Per-IP Traffic Shaping: Select to enable per-IP traffic shaping and select the traffic shaper object from the drop-down list. This option is only available if the Action is set to ACCEPT or IPSEC.

Tags: View the tags currently applied to the policy and add new tags.

 

Comments: Type a comment.

Advanced Options: For more information on the advanced options, see the FortiOS CLI Reference. The available options depend on the policy action.

auth-path: Enable or disable authentication-based routing.
auth-redirect-addr: HTTP-to-HTTPS redirect address for firewall authentication.
auto-asic-offload: Enable or disable ASIC offloading of the policy's traffic.
captive-portal-exempt: Enable or disable exemption from the captive portal.
custom-log-fields: Select the custom log fields from the drop-down list.
diffserv-forward: Enable or disable applying the differentiated services code point (DSCP) value to the DSCP field of forward (original) traffic.
diffserv-reverse: Enable or disable applying the DSCP value to the DSCP field of reverse (reply) traffic. If enabled, also configure diffservcode-rev.
diffservcode-forward: Type the DSCP value that the FortiGate unit will apply to the field of originating (forward) packets. The value is 6 bits binary. The valid range is 000000-111111.
diffservcode-rev: Type the DSCP value that the FortiGate unit will apply to the field of reply (reverse) packets. The value is 6 bits binary. The valid range is 000000-111111.
fall-through-unauthenticated: Enable to allow an unauthenticated user to skip authentication rules and possibly match another policy.
fsso-agent-for-ntlm: Select the FSSO agent for NTLM from the drop-down list.
log-unmatched-traffic: Enable or disable logging of dropped traffic for identity-based policies.
match-vip: Enable or disable matching of DNATed packets.
natip: Type the NAT IP address in the text field.
ntlm-enabled-browsers: Type a value in the text field.
ntlm-guest: Enable or disable NTLM guest access.
permit-any-host: Enable to accept UDP packets from any host.
permit-stun-host: Enable to accept UDP packets from any STUN host.
profile-type: Select the profile type from the drop-down list.
rtp-addr: Select the RTP address from the drop-down list.
rtp-nat: Enable to apply source NAT to RTP packets received by the firewall policy.
schedule-timeout: Enable to force the session to end when the policy schedule end time is reached.
send-deny-packet: Enable to send a packet in reply to denied TCP, UDP, or ICMP traffic.
session-ttl: Type a value for the session time-to-live (TTL) from 300 to 604800, or type 0 for no limit.
tcp-mss-receiver: Type a value for the receiver's TCP MSS.
tcp-mss-sender: Type a value for the sender's TCP MSS.
timeout-send-rst: Enable sending a TCP reset when an application session times out.
transaction-based: Enable or disable this feature.
vlan-cos-fwd: Type the VLAN forward direction user priority.
vlan-cos-rev: Type the VLAN reverse direction user priority.
wccp: Enable or disable Web Cache Communication Protocol (WCCP).
webcache-https: Enable or disable web cache for HTTPS.
  6. Select OK to create the policy. You can select to enable or disable the policy in the right-click menu. When disabled, a disabled icon is displayed in the # column to the left of the number.
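The field dependencies and value ranges listed in the steps above (which options the dialog offers only for ACCEPT, DENY or IPSEC; Proxy Options requiring Web Filter, Email Filter or DLP Sensor; the 6-bit diffservcode values; the session-ttl range) are the kind of constraints worth checking mechanically when reviewing a policy package before it is installed. The following Python linter is an added example, not FortiManager or Fortinet code: it represents each policy as a plain dict whose snake_case keys (`source_users`, `nat`, `logging`, `session_ttl`, `security_profiles`, and so on) and the `SAMPLE_PACKAGE` data are assumptions made for this example, and its final check, which flags ACCEPT policies whose logging option is No Log, is an audit rule assumed here rather than a requirement stated on the page.

```python
import re

ACTIONS = ("ACCEPT", "DENY", "IPSEC")
LOG_OPTIONS = ("No Log", "Log Security Events", "Log All Sessions")

# Field -> actions under which the dialog box offers the field.
# Keys are this example's own snake_case names for the dialog-box fields (assumed).
ACTION_DEPENDENT = {
    "source_users": {"ACCEPT", "DENY"},
    "source_groups": {"ACCEPT", "DENY"},
    "source_device_type": {"ACCEPT", "DENY"},
    "nat": {"ACCEPT"},
    "logging": {"ACCEPT"},
    "log_violation_traffic": {"DENY"},
    "web_cache": {"ACCEPT"},
    "wan_optimization": {"ACCEPT"},
    "certificate": {"ACCEPT"},
    "disclaimer": {"ACCEPT"},
    "vpn_tunnel": {"IPSEC"},
    "security_profiles": {"ACCEPT", "IPSEC"},
    "traffic_shaping": {"ACCEPT", "IPSEC"},
}
# Security profiles whose presence makes the Proxy Options field available.
PROXY_TRIGGERS = ("web_filter", "email_filter", "dlp_sensor")
# diffservcode-forward / diffservcode-rev take a 6-digit binary DSCP value.
DSCP_RE = re.compile(r"^[01]{6}$")


def _is_set(policy, field):
    """True when the field is present with a non-empty value."""
    return policy.get(field) not in (None, False, "", [], {})


def lint_policy(policy):
    """Return a list of findings for one policy dict; an empty list means clean."""
    findings = []
    action = policy.get("action")
    if action not in ACTIONS:
        return ["action must be one of %s, got %r" % ("/".join(ACTIONS), action)]

    # Options the dialog only offers for certain actions.
    for field, allowed in ACTION_DEPENDENT.items():
        if _is_set(policy, field) and action not in allowed:
            findings.append("%s is only available when action is %s"
                            % (field, "/".join(sorted(allowed))))

    if _is_set(policy, "logging") and policy["logging"] not in LOG_OPTIONS:
        findings.append("logging must be one of %s" % "/".join(LOG_OPTIONS))

    if _is_set(policy, "compliant_with_endpoint_profile") and \
            not _is_set(policy, "source_device_type"):
        findings.append("compliant_with_endpoint_profile requires source_device_type")

    profiles = policy.get("security_profiles") or {}
    if profiles.get("proxy_options") and not any(profiles.get(k) for k in PROXY_TRIGGERS):
        findings.append("proxy_options requires web_filter, email_filter or dlp_sensor")

    # Advanced (CLI) options with stated value constraints.
    for key in ("diffservcode_forward", "diffservcode_rev"):
        if _is_set(policy, key) and not DSCP_RE.match(str(policy[key])):
            findings.append("%s must be 6 binary digits (000000-111111)" % key)
    if policy.get("diffserv_reverse") and not _is_set(policy, "diffservcode_rev"):
        findings.append("diffserv_reverse requires diffservcode_rev")

    ttl = policy.get("session_ttl")
    if ttl is not None and not (ttl == 0 or 300 <= ttl <= 604800):
        findings.append("session_ttl must be 0 or 300-604800")

    # Assumed audit rule (not a page requirement): permitted traffic should be logged.
    if action == "ACCEPT" and policy.get("logging", "No Log") == "No Log":
        findings.append("audit: ACCEPT policy generates no logs")

    return findings


def lint_package(policies):
    """Lint a whole package; returns {policy id: findings} for policies with findings."""
    report = {}
    for policy in policies:
        findings = lint_policy(policy)
        if findings:
            report[policy["id"]] = findings
    return report


# Constructed sample package for this example (not real policies).
SAMPLE_PACKAGE = [
    {"id": 1, "action": "ACCEPT", "source_interface": ["port1"],
     "destination_interface": ["port2"], "nat": True, "logging": "Log All Sessions",
     "session_ttl": 3600, "diffserv_forward": True, "diffservcode_forward": "101110"},
    {"id": 2, "action": "DENY", "nat": True, "log_violation_traffic": True,
     "logging": "Log Security Events"},
    {"id": 3, "action": "ACCEPT", "session_ttl": 120, "diffserv_reverse": True,
     "diffservcode_rev": "12",
     "security_profiles": {"proxy_options": True, "ips": "default"}},
    {"id": 4, "action": "IPSEC", "vpn_tunnel": "to-branch",
     "security_profiles": {"antivirus": "default"}},
]

if __name__ == "__main__":
    for pid, findings in sorted(lint_package(SAMPLE_PACKAGE).items()):
        for finding in findings:
            print("policy %d: %s" % (pid, finding))
```

Run it directly to print the findings for the constructed sample (policies 1 and 4 are clean; 2 and 3 are not), or call `lint_package()` on policies exported from your own package after mapping their fields to the same keys; a clean package returns an empty dict.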

This entry was posted in Administration Guides, FortiManager.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

9 thoughts on “Policy and Objects – FortiManager 5.2”

  1. Richard Lopez

    Question about ADOMs. In previous versions of FortiOS, 4.3 or maybe earlier, when you had multiple devices under an ADOM the policies and objects were clearly separated per device being managed. With the newer FortiOS it seems as though there is overlapping, and my policies and objects seem to be cross-contaminated between devices. What is your perspective on this and/or a workaround? Thank you in advance – Richard
    1. Mike Post author

      I always keep my devices separated by firmware version: ADOM 4.3, ADOM 5.2, ADOM 5.4, etc., to keep things nice and neat.
  2. simbhu

    I have an issue deleting the v4.2 ADOMs from FMG v5.2; I get the error below.

    Some ADOM(s) were not deleted successfully because they are not empty

    But those ADOMs are not used anywhere. How do I find out where they are used?

    No admin accounts have access to the ADOM, and there is no policy package for the ADOM.
    1. Mike Post author

      Usually it experiences this issue because something somewhere is still referencing it, whether that item is a policy package, as you mentioned, or a group, etc.
  3. Thierry

    Hi Mike,

    We use FortiManager v5.4.1-build1082 160629 (GA) FMG-VM64 but we can't drag and drop within the rule base (drag and drop from the object side does work). I have seen an instruction video where they lock the ADOM, but that feature is also non-existent in our GUI.

    Do you have any idea what this could be? I did not see any issues on this subject on the Fortinet site. We have upgraded from an older version of FM.

    Kind regards, and thanks for this great support site; I look here first!
      1. Thierry

        Not sure (I was not involved and there is no change history), but I did find this in the “alert message console”:

        Upgrade image from v5.2.7-build0757-160408(GA) to v5.4.1-build1082-160629
  4. linaab

    Hello,

    HELP!! We have multiple firewalls we would like to upload to our FortiManager in the same ADOM.

    The problem is that some objects have the same names but different IP addresses. I read that the only solution is mapping the objects. If we do so we will have to do it manually on every object (more than ~200), which is not an option for me. Can you please help me with this problem?
