
Workflow Mode – FortiManager 5.2

Workflow Mode

Workflow mode is a new global mode that defines an approval or notification workflow for creating and installing policy or object changes. Workflow mode is enabled via the CLI only. When workflow mode is enabled, an administrator with the appropriate workflow permissions can approve or reject workflow sessions before they are applied to the database.

When you want to start a workflow, go to the Policy & Objects tab, select the ADOM from the drop-down list, lock the ADOM, and select the Create New Session button. You can then proceed to make changes to policies and objects. When you are done making changes, select the Save button and then the Submit button. Once the session is submitted, the lock is released and other administrators may initiate a session.

The session list allows users to view any pending requests for approval or active sessions. The session list displays details of each session and allows you to browse the changes performed for the selected session.

Enable or disable workflow mode

You can enable or disable workflow mode from the CLI only.

To enable or disable workflow mode:

  1. Select the System Settings tab in the navigation pane.
  2. Go to System Settings > Dashboard.
  3. In the CLI Console widget type the following CLI command lines:

     config system global
       set workspace-mode {workflow | disabled}
     end

  4. The FortiManager session will end and you must log back into the FortiManager system.


When workspace-mode is workflow, the Device Manager tab and Policy & Objects tab are read-only. You must lock the ADOM to create a new workflow session.

Optionally, you can select to enable or disable ADOM lock override. When this feature is enabled, an administrator can select to unlock an ADOM that is locked by another administrator.

To enable or disable ADOM lock override:

  1. Select the System Settings tab in the navigation pane.
  2. Go to System Settings > Dashboard.
  3. In the CLI Console widget type the following CLI command lines:

     config system global
       set lock-preempt {enable | disable}
     end
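One way to verify the two settings above from a saved `config system global` excerpt, as an added example that is not part of the FortiManager guide. The expected values (workflow mode on, ADOM lock override off), the function names, and the sample text are assumptions constructed for illustration.

```python
import re

# Assumed policy for this example (not stated by the guide): changes must go
# through workflow approval, and one administrator must not be able to unlock
# an ADOM that another administrator has locked.
EXPECTED = {"workspace-mode": "workflow", "lock-preempt": "disable"}

# Constructed sample of saved CLI text, not taken from a real device.
# The second block is a placeholder showing that settings outside
# "config system global" are ignored.
SAMPLE_CONFIG = """\
config system global
    set hostname "FMG-LAB"
    set workspace-mode workflow
    set lock-preempt enable
end
config example placeholder
    set workspace-mode disabled
end
"""


def parse_system_global(text):
    """Return the 'set' key/value pairs found inside 'config system global'."""
    settings, inside = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config system global":
            inside = True
        elif inside and line == "end":
            inside = False
        elif inside:
            m = re.match(r"set\s+(\S+)\s+(.+)$", line)
            if m:
                settings[m.group(1)] = m.group(2).strip().strip('"')
    return settings


def audit_change_control(text):
    """Return (key, found, expected) for each setting that differs from EXPECTED."""
    settings = parse_system_global(text)
    # found is None when the key is absent; confirm the effective value on the device.
    return [(k, settings.get(k), v) for k, v in EXPECTED.items() if settings.get(k) != v]


if __name__ == "__main__":
    for key, found, expected in audit_change_control(SAMPLE_CONFIG):
        print(f"{key}: found {found!r}, expected {expected!r}")
```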

Workflow sessions

When you want to start a workflow, go to the Policy & Objects tab, select the ADOM from the drop-down list, lock the ADOM, and select the Create New Session button in the Session List dialog box. Type a name for the session and select OK. You can then proceed to make changes to policy packages and objects. When you are done making changes, select the Save button and then the Submit button in the toolbar. In the Submit for Approval dialog box, type a comment and the notification email. Once the session is submitted, the lock is released and other administrators may initiate a session.

Administrators with the appropriate permissions can approve or reject any pending requests. When viewing the session list, they can choose any sessions that are pending and click the approve/reject buttons. They can add a note to the approval/rejection response. The system will send a notification to the administrator that submitted the session. If the session was approved, no further action is required. If the session was rejected, the administrator will need to log on and repair their changes. Once they create a session, the administrator will make their repair on top of the last session changes.

To start a workflow session:

  1. Select the Policy & Objects tab in the navigation pane.
  2. Select the ADOM from the drop-down list.
  3. Select Lock ADOM in the toolbar. The lock icon changes to a locked state and the Session List window is displayed.
  4. Select the Create New Session button, type a name for new session, type optional comments, and select OK to start the session.
  5. Make the required changes to Policy Package and Objects and select Sessions > Submit in the toolbar to submit changes for approval. The Submit for Approval dialog box is displayed.

Enter the following:

Comments   Type a comment for the session.
Attach configuration change details   Select to attach configuration change details to the email.

  6. Select OK to submit the session for approval.

The session is submitted for approval, an email is sent to the approver, and the ADOM is returned to an unlocked state. An ADOM revision is created for the workflow session.

To approve, reject, or repair a workflow session:

  1. Select the Policy & Objects tab in the navigation pane.
  2. Select the ADOM from the drop-down list.
  3. Select Lock ADOM in the toolbar. The lock icon changes to a locked state and the Session List window is displayed. Alternatively, select Sessions > Session List from the toolbar.

The following information is displayed:

ID   The session identifier.
Status   The session status. One of the following:

Waiting Approval: The session is waiting to be reviewed and approved.

Approved: The workflow session was approved by the approver.

Rejected: The workflow session was rejected by the approver.

Repaired: The rejected workflow session was repaired. When a rejected session is repaired, a new session ID is created for this repaired session.

Name   The user-defined name to identify the session.
User   The name of the administrator who created the session.
Date Submitted   The date and time that the session was submitted for approval.
Comments   Select a policy in the list to view or add comments to the session. The comments box displays comments from the session creator. The session approver can add comments.
Create New Session   Select to create a new workflow session.
Continue Without Session   Select to continue without starting a new session. When a new session is not started, all policy and objects are read-only.

Right-clicking on a session in the list opens a pop-up menu with the following options:

Approve   Select Approve when the session status is Waiting Approval.
Reject   Select Reject when the session status is Waiting Approval. A rejected session must be repaired before the next session in the list can be approved.
Repair   Select Repair when the session status is Rejected. A repaired session results in a new session being created for the repair. This session is added after the last session in the list.
View Diff   Select View Diff to view the difference between the two revisions. You can select to download the revision in a CSV file to your management computer.

  4. Select to Approve, Reject, Repair, or View Diff.