Policy and Objects – FortiManager 5.2

Policy package lock status

The following options are available:

Lock ADOM | Unlock ADOM Select to lock or unlock the ADOM.
Sessions Select to access the sessions menu. Select to save, submit, or discard changes made during the session.
Policy Package Select to access the policy package menu. The menu options are the same as the the right-click menu options.
Policy Select to create a new policy.
Tools Select and then select either ADOM Revisions or Display Options from the menu. ADOM Revisions is not available when the ADOM is locked.
Collapse All | Expand

All

Select to collapse or expand all policies.

About policies

FortiManager provides administrators the ability to customize policies within their organization as they see fit. Typically, administrators may want to customize access and policies based on factors such as geography, specific security requirements, or legal requirements.

About policies

Within a single ADOM, administrators can create multiple policy packages. FortiManager provides you the ability to customize policy packages per device or VDOM within a specific ADOM, or to apply a single policy package for all devices within an ADOM. These policy packages can be targeted at a single device, multiple devices, all devices, a single VDOM, multiple VDOMs, or all devices within a single ADOM. By defining the scope of a policy package, an administrator can modify or edit the policies within that package and keep other policy packages unchanged.

FortiManager can help simplify provisioning of new devices, ADOMs, or VDOMs by allowing you to copy or clone existing policy packages.

Policy theory

Security policies control all traffic attempting to pass through a unit between interfaces, zones, and VLAN subinterfaces.

Security policies are instructions that units use to decide connection acceptance and packet processing for traffic attempting to pass through. When the firewall receives a connection packet, it analyzes the packet’s source address, destination address, and service (by port number), and attempts to locate a security policy matching the packet.

Security policies can contain many instructions for the unit to follow when it receives matching packets. Some instructions are required, such as whether to drop or accept and process the packets, while other instructions, such as logging and authentication, are optional.

Policy instructions may include Network Address Translation (NAT), or Port Address Translation (PAT), or they can use virtual IPs or IP pools to translate source and destination IP addresses and port numbers.

Policy instructions may also include Security Profiles, which can specify application-layer inspection and other protocolspecific protection and logging, as well as IPS inspection at the transport layer.

You configure security policies to define which sessions will match the policy and what actions the device will perform with packets from matching sessions.

Sessions are matched to a security policy by considering these features of both the packet and policy:

  • Policy Type and Subtype l Incoming Interface l Source Address l Outgoing Interface l Destination Address l Schedule and time of the session’s initiation l Service and the packet’s port numbers.

If the initial packet matches the security policy, the device performs the configured action and any other configured options on all packets in the session.

Packet handling actions can be ACCEPT, DENY, IPSEC, or SSL-VPN.

  • ACCEPT policy actions permit communication sessions, and may optionally include other packet processing instructions, such as requiring authentication to use the policy, or specifying one or more Security Profiles to apply features such as virus scanning to packets in the session. An ACCEPT policy can also apply interface-mode IPsec VPN traffic if either the selected source or destination interface is an IPsec virtual interface. l DENY policy actions block communication sessions, and you can optionally log the denied traffic. If no security policy matches the traffic, the packets are dropped, therefore it is not required to configure a DENY security policy in Policy workflow

denied traffic, also called “violation traffic”.

  • IPSEC and SSL VPN policy actions apply a tunnel mode IPsec VPN or SSL VPN tunnel, respectively, and may optionally apply NAT and allow traffic for one or both directions. If permitted by the firewall encryption policy, a tunnel may be initiated automatically whenever a packet matching the policy arrives on the specified network interface, destined for the local private network.

Create security policies based on traffic flow. For example, in a policy for POP3, where the email server is outside of the internal network, traffic should be from an internal interface to an external interface rather than the other way around. It is typically the user on the network requesting email content from the email server and thus the originator of the open connection is on the internal port, not the external one of the email server. This is also important to remember when viewing log messages, as the source and destination of the packets can seem backwards.

This entry was posted in Administration Guides, FortiManager and tagged , , on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

9 thoughts on “Policy and Objects – FortiManager 5.2

  1. Richard Lopez

    Question about ADOMs. In previous versions of FortiOS 4.3 maybe earlier. When you had multiple devices under an ADOM the policies and objects were clearly separated per device being managed. With the newer FortiOS it seems as though there is overlapping and my policies and objects seem to be cross contaminated between devices. What is your perspective on this and/or work around? Thank you in advance – Richard

    Reply
    1. Mike Post author

      I always keep my devices separated by Firmware version. ADOM 4.3 ADOM 5.2 ADOM 5.4 etc to keep things nice and neat.

      Reply
  2. simbhu

    I have an issue for deleting the V4.2 ADOMs from FMG V5.2 getting the below error.

    Some ADOM(s) were not deleted successfully because they are not empty

    But those ADOMs are not used anywhere. How to find out where it is used?

    No admin accounts having access to the ADOM, No policy package for the ADOM.

    Reply
    1. Mike Post author

      Usually, it experiences this issue because something somewhere is still referencing it. Whether that item be a policy package as you mentioned before or a group etc.

      Reply
  3. Thierry

    Hi Mike,

    We use fortimanager v5.4.1-build1082 160629 (GA) FMG-VM64 but we cant drag and drop within the rule base. (drag en drop from the object side plain does work) I have seen a instruction video were they lock the adom but also that future is non exsistent in our GUI.

    You have any idea what this could be ? I did not see any issues on this subject on the fortinet site. We have upgraded from a older version FM.

    kind regards and thanks for this great support site, i look here first!

    Reply
      1. Thierry

        Not sure ( I was not involved and there is no change history) but i did found this in the “alert message console”

        Upgrade image from v5.2.7-build0757-160408(GA) to v5.4.1-build1082-160629

        Reply
  4. linaab

    Hello,

    HELP !! we have multiple firewalls we would like to upload on our Fortimanager in the same ADOM.

    The problem is that some objects have the same names but different IPs adresses. i read that the only solution is mapping the objects. if we do so we will have to it manually on every object (more than ~200) which is not an option for me. Can you please help me with this problem ?

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.