DO NOT REPRINT

FORTINET

Policy & Objects

In this lesson, we will examine FortiGate configuration changes that you can apply using
FortiManager's Policy & Objects tab.

After completing this lesson, you should have these practical skills that will allow you to manage your
FortiGate on FortiManager. This includes understanding the functionality of the Policy & Objects tab,
such as ADOM-level firewall policies, ADOM revisions, dynamic objects, and installation targets.

It also includes importing/creating policy packages; installing policy and object settings as well as
device level settings; zones and interface mappings; VPN management; and policy and objects at the
global ADOM level.

Before FortiManager can start managing policies and objects for managed security devices, we need
to understand the functionality of the Policy & Objects tab, which is used to customize policies within
an organization. Typically, administrators may want to customize access and policies based on factors
such as geography, specific security requirements, or legal requirements. Let's start exploring the
Policy & Objects tab on FortiManager.

Within a single ADOM, administrators can create multiple policy packages. FortiManager allows you
to customize policy packages per device or VDOM within a specific ADOM, or apply a single policy
package for all devices within an ADOM. These policy packages can be targeted at a single device,
multiple devices, all devices, a single VDOM, multiple VDOMs, or all devices within a single ADOM.
By defining the scope of a policy package, an administrator can modify or edit the policies within that
package and keep other policy packages unchanged. FortiManager helps simplify provisioning of new
devices, ADOMs, or VDOMs by allowing you to copy or clone existing policy packages. You can also
create the ADOM revision, which allows you to maintain a revision of the policy packages, objects,
and VPN console settings in an ADOM, and also configure display options to customize the policy and
objects that are displayed in the Policy & Objects tab.

Policy packages simplify centralized firewall policy management by providing a useful container for
your firewall ruleset. Policy packages contain firewall policies which, in turn, link to objects defined in
the Policy & Objects tab. Objects share the common object database per ADOM and can be shared
among multiple policy packages within the ADOM.
You may manage a common policy package for many devices within an ADOM or have a separate
policy package for each device. Policy packages allow you to maintain multiple versions of the rule
set. For example, you can clone a policy package prior to making changes, thereby allowing you to
preserve the previous ruleset.
A word of caution: while policy packages allow for multiple versions of a firewall policy ruleset, the
objects referenced in those packages do not have multiple versions; they only use a current value.
For example, let's say you clone a policy package, add a new rule, and change the value of a shared
object. If you roll back to the previous policy package, you will back out of the rule you added, but not
the modification to the shared object. The only way to achieve that level of rollback is using ADOM
revisions, which take a snapshot of the Policy & Objects database for that ADOM.

Policy packages are located under Policy & Objects > ADOM > Policy Package.
Within a single ADOM, administrators can create multiple policy packages. FortiManager allows you
to customize policy packages per device or VDOM within a specific ADOM, or apply a single policy
package for multiple devices within an ADOM. By defining the scope of a policy package, an
administrator can modify or edit the policies within that package and keep other policy packages
unchanged. To view the policies in a policy package, click the policy package name.
In this example, clicking the Student policy package shows the policies in that policy package.

Objects can be created, modified, or deleted under Policy & Objects > Objects.
All objects within an ADOM are managed by a single database unique to that ADOM. Objects inside
that database include firewall objects, security profiles, users, and devices.
Objects are shared within the ADOM and can be used among multiple policy packages. For example,
a security profile can be created once and attached to multiple policy packages for installation on
multiple FortiGate devices. This simplifies the job of the administrator, as the object only needs to be
created once, but can be used multiple times for multiple FortiGate devices.

ADOM revision saves the policy package and objects locally on FortiManager and can be created,
edited, and deleted under Policy & Objects > Tools > ADOM Revisions.
To create a new ADOM revision, go to Tools > ADOM Revisions and configure the settings in the
Create New ADOM Revision dialog box that appears. Revisions can be automatically deleted based
on given variables, and individual revisions can be locked to prevent them from being automatically
deleted. Click Details for access to the auto-deletion settings.
The ADOM database can be reverted to a particular ADOM revision by right-clicking the revision. As a
word of caution, if you choose to revert to a particular ADOM revision, it will revert all the policy
packages and objects based on that revision. A revision diff can be performed between revisions in
the right-click menu.

The display options can be configured under Policy & Objects > Tools > Display Options.
The Display Options feature allows certain feature options to display in the Web-based manager,
including those under the Policy & Objects tab. Display options are dependent on the ADOM version.
These display options will vary from one ADOM to another.
The most common options are displayed by default and illustrated by a green ON. The default option
cannot be turned off. You can turn various options on or off (visible or hidden, respectively) by clicking
the ON or OFF button next to the feature name. You can turn on all of the options in a category by
selecting All On under the category name, or turn all of the categories on by selecting All On at the
bottom of the window.
Also, additional firewall policy types such as NAT64, IPv6, and interface policies can be enabled from
here.

Now that we understand the functionality of the Policy & Objects tab, the next step is to examine the
various options to configure and manage firewall policies from the Policy & Objects tab.

Right-click a policy package to access the Policy Package menu or click the Policy Package menu
option directly. We will look at creating and installing policy packages first and then look at other
features, such as policy checking and exporting later.

Policy folders help you manage your policy packages. You can customize policies based on
organization, geography, specific security requirements, or legal requirements, for example, and
organize them into specific policy folders.
You can create a new policy folder by right-clicking the existing policy package or by clicking the
Policy Package menu option directly.
You can create sub-folders within existing policy folders to help you better organize your policy
packages. You can also drag a policy package to a policy folder.

If the policy package does not contain any policies, you will be presented with a section in the GUI
called local domain policies, which is where you create your rules in your policy package. If your
ADOM receives rules from the global ADOM, which we'll discuss later, then they are presented
outside of the local domain as header or footer policies.
Select your policy package and click Policy > Create New or right-click the local domain policies area
and click Create New to create your first policy rule.

You can create a new policy by right-clicking the sequence number of an existing policy or by clicking
the Policy menu directly. When creating a new policy, it can be inserted above or below the existing
policy.
If you have not selected any policy in the policy package, Insert Policy Above or Below is grayed
out in the menu.
Existing policies can be modified from this menu. We will look at other features such as clone, copy,
cut, and paste later in this training.

Objects can be added, removed, and edited by right-clicking the objects. If a new service needs to be
added in the policy, right-click the existing object in that column and click Add Object(s). A pop-up
menu appears providing a selection of services. Select the objects that need to be added and click
OK to save the changes.
In this example, the policy has HTTP and HTTPS for services and we added two more services: PING
and POP3. Also notice that when you right-click the existing object in the Service column, a menu
appears that is only applicable to service-related objects. For example, if you want to change the
source interface in the policy, right-click the object under the Source Interface column (port2) to see
the menu related to interfaces.

Each ADOM is associated with a specific FortiOS version, based on the firmware version of the
devices that are managed in that ADOM. This determines the CLI syntax that must be used to configure
the devices. Objects created in the Policy & Objects tab will use the CLI syntax of this version of FortiOS.
This version is selected when creating a new ADOM, but it can be modified if all of the devices within
the ADOM have been updated to the latest FortiOS firmware version.
For example, let's say an ADOM is running firmware version 5.0 and all the managed devices are
running firmware version 5.0.x. Once all the devices have been upgraded to 5.2.x firmware, you can
upgrade the ADOM to 5.2 by right-clicking that ADOM in System Settings > All ADOMs.
The next slide shows a firewall policy object, one for a 5.0 GA ADOM and one for a 5.2 GA ADOM.

As you can see, in FortiOS 5.0 GA on the left side, the policy type and subtype can be selected when
creating a new policy or modifying an existing policy.
In version 5.2 GA on the right side, the CLI command syntax has changed and is therefore configured
differently. So it is very important to make sure the FortiGate device is added to an ADOM based on
its specific FortiOS firmware version.

A policy package has an installation target that can be one or more devices or VDOMs. Policy
packages may share the same installation target; however, only one policy package can be active on a
device/VDOM. The active policy package is listed in the Device Manager tab.
An installation target can be added, edited, or deleted by selecting Policy Package > Installation.
In this example, we are adding three installation targets for a policy package named
CommonPackage. To add an installation target, select the policy package, go to Installation, and click
Add. From the Add Installation Target dialog box, select the devices that you will be targeting for this
policy package. Once added, these devices will show in the Installation Target window. If this new
policy package is installed to the devices, it will show in the Device Manager tab under the Policy
Package Status column. If the installation target is configured, but not yet installed, it will show as
Never Installed in the Policy Package Status column.
Once the policy package is installed, CommonPackage appears as the active policy package for these
devices/VDOMs in the Policy Package Status column.
The next slide shows how a single firewall policy may have fewer targets than the policy package.
This allows a general policy package to be shared by several devices with exceptions per device.

In the previous slide, we selected an installation target for multiple devices/VDOMs. You can perform
granular installation targets per rule from the actual policy by right-clicking Installation Target in the
Install On column. This allows you to target devices to be added, removed, or set to default.
In this example, rule 1 has an installation target of BranchOffice(Devtest) and rule 4 an installation
target of HeadOffice. So when the install is performed, rule 1 will be installed only on the
BranchOffice(Devtest) device and rule 4 will be installed only on HeadOffice.
Rules 2 and 3 have the default installation target and will be installed on all three devices/VDOMs.
So by using an installation target, a policy package can be shared among multiple devices and rules
can also be defined per-device from the actual policy. This is helpful in environments where many
devices need to share common policies (with the exception of a few policies that can be targeted
per-device) and eliminates the need for multiple policy packages.

All objects within an ADOM are managed by a single database unique to that ADOM. Many objects
now include the option to enable dynamic mapping. Dynamic objects are used to map a single logical
object to a unique definition per device. Common features such as addresses, interfaces, virtual IPs,
and IP pools, can be dynamically mapped. Objects and dynamic objects are managed in the lower
frame of the Policy & Objects tab.
A common example is a firewall address. You may have a common name for an address object, but
have a different value depending on which device it is installed.
In this example, the dynamic address object LocalLan refers to the internal network address of the
managed firewalls. The object has a default value of 192.168.1.0/24. The mapping rules are defined
per device. On the BranchOffice FortiGate device, the object LocalLan refers to 10.10.10.0/24,
whereas on the HeadOffice FortiGate device the same object refers to 10.10.11.0/24. The devices in
the ADOM that do not have dynamic mapping for LocalLan will have a default value of
192.168.1.0/24.
To add more devices for dynamic mapping, click Create New in the Dynamic Mapping field. A pop-up
window appears where you can select the device and set the IP range/subnet.
Dynamic objects are represented by a computer icon with an arrow.

Interface mapping on the Policy & Objects tab dynamically maps to interfaces on the managed device.
Firewall policies created in policy packages refer to these mappings. When the policy packages are
installed, the interface mapping is translated to the local interfaces on the managed device.
Interface mapping defined in the Policy & Objects tab has two types: zone and interface. The type
defines how the rule is translated to the device. If zone is selected, then that zone is created locally on
the FortiGate. If zone is not selected, then it is created as the interface type and the name used has a
one-to-one mapping to an interface configured on the managed device.
In this example, a DMZ zone has been created for HeadOffice FortiGate, which includes port8,
port9, and port10. Accordingly, when a policy package is installed, it will create zone DMZ with
interfaces port8, port9 and port10 locally on the FortiGate. Also, an External interface has been
created, which includes mapping for port1 on HeadOffice FortiGate. When installing the policy
package, it will install a policy for port1 and will not create a zone.
Also in this example, Enable Zone is selected for DMZ but not for External. This means a DMZ zone is
created locally on the FortiGate, but no zone is created for External; the External mapping just
translates to the local interface, which is port1.

Previously, we configured interface mappings. In this example, the policy package HeadOffice was
created with two policies (port3 -> DMZ and port2 -> External), and installed to the managed device.
Locally on the FortiGate it created a zone type named DMZ, which includes interfaces port8, port9, and
port10. The policy is represented as port3 -> DMZ.
The interface mapping for External was configured as an interface type, which is just a local mapping
for port1 for the HeadOffice FortiGate on FortiManager. Locally on the FortiGate the policy is
represented as port2 -> port1.
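The three mechanisms described above (per-rule installation targets, dynamic address objects with a default value and per-device mappings, and interface mappings of type zone or interface) all act at install time, when a shared policy package is turned into per-device configuration. The following Python model is an added example and is not FortiManager code: it resolves a constructed package for each installation target and applies the same check the Install wizard's Validation step performs, namely that every interface a rule references is mapped on every device the rule will land on. The device names, interface names, subnets, and rules are constructed for the example.

```python
"""Resolve a FortiManager-style policy package per installation target.

Added example, not FortiManager's code. It models dynamic address objects
(default value plus per-device mappings), interface mappings of type zone or
interface, and per-rule installation targets. All names are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class DynamicAddress:
    name: str
    default: str                                    # used where no mapping exists
    per_device: dict = field(default_factory=dict)  # device -> subnet

    def resolve(self, device):
        return self.per_device.get(device, self.default)


@dataclass
class InterfaceMapping:
    name: str
    members: dict            # device -> list of local interface names
    zone: bool = False       # True: a zone with this name is created on the device


@dataclass
class Rule:
    seq: int
    srcintf: str
    dstintf: str
    srcaddr: str
    dstaddr: str
    services: list
    install_on: list = None  # None = package default, i.e. every target


def rules_for(device, package_targets, rules):
    """Rules that reach a device: the rule's own target if set, else the package's."""
    return [r for r in rules
            if device in (r.install_on if r.install_on is not None else package_targets)]


def validate(package_targets, rules, mappings):
    """Mirror the Install wizard's Validation step: each interface a rule
    references must be mapped on every device the rule is installed on, and an
    interface-type mapping must be one-to-one. Returns (device, message) pairs."""
    errors = []
    for dev in package_targets:
        for r in rules_for(dev, package_targets, rules):
            for name in (r.srcintf, r.dstintf):
                m = mappings.get(name)
                if m is None or dev not in m.members:
                    errors.append((dev, f"rule {r.seq}: mapping {name} not configured"))
                elif not m.zone and len(m.members[dev]) != 1:
                    errors.append((dev, f"rule {r.seq}: mapping {name} is not one-to-one"))
    return errors


def render(device, package_targets, rules, addresses, mappings):
    """Return (zones, resolved rules) for one device. Zone-type mappings keep
    their logical name and create a zone; interface-type mappings are replaced
    by the device's local interface; dynamic addresses take their device value."""
    errors = [msg for dev, msg in validate(package_targets, rules, mappings) if dev == device]
    if errors:
        raise ValueError("; ".join(errors))
    zones = [{"name": m.name, "interface": m.members[device]}
             for m in mappings.values() if m.zone and device in m.members]

    def local(name):
        m = mappings[name]
        return m.name if m.zone else m.members[device][0]

    resolved = [{"seq": r.seq,
                 "srcintf": local(r.srcintf), "dstintf": local(r.dstintf),
                 "srcaddr": addresses[r.srcaddr].resolve(device),
                 "dstaddr": addresses[r.dstaddr].resolve(device),
                 "service": r.services}
                for r in rules_for(device, package_targets, rules)]
    return zones, resolved


# Constructed package: three installation targets, as in the lesson's example.
TARGETS = ["BranchOffice", "HeadOffice", "Devtest"]
ADDRESSES = {
    "LocalLan": DynamicAddress("LocalLan", "192.168.1.0/24",
                               {"BranchOffice": "10.10.10.0/24", "HeadOffice": "10.10.11.0/24"}),
    "all": DynamicAddress("all", "0.0.0.0/0"),
}
MAPPINGS = {
    "Internal": InterfaceMapping("Internal", {"BranchOffice": ["port2"], "HeadOffice": ["port3"],
                                              "Devtest": ["port2"]}),
    "External": InterfaceMapping("External", {"BranchOffice": ["port1"], "HeadOffice": ["port1"],
                                              "Devtest": ["port1"]}),
    "DMZ": InterfaceMapping("DMZ", {"HeadOffice": ["port8", "port9", "port10"]}, zone=True),
}
RULES = [
    Rule(1, "Internal", "External", "LocalLan", "all", ["HTTP", "HTTPS"], install_on=["BranchOffice"]),
    Rule(2, "Internal", "External", "LocalLan", "all", ["DNS"]),
    Rule(3, "Internal", "DMZ", "LocalLan", "all", ["HTTPS"], install_on=["HeadOffice"]),
    Rule(4, "External", "Internal", "all", "LocalLan", ["PING"]),
]

if __name__ == "__main__":
    print("validation errors:", validate(TARGETS, RULES, MAPPINGS))
    for dev in TARGETS:
        print(dev, render(dev, TARGETS, RULES, ADDRESSES, MAPPINGS))
```

Rule 3 is safe only because its installation target is limited to HeadOffice; adding the same Internal to DMZ rule with the package default target makes `validate` report BranchOffice and Devtest, which is the situation the wizard stops on. Devtest has no LocalLan mapping, so it receives the object's default value.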

Now that we understand the various options for configuring and managing firewall policies from the
Policy & Objects tab, we will examine the wizards used to manage devices from FortiManager. This
section explains the two wizards: Import Policy and Install.

It is common for the FortiGate device to already have a running configuration. The Import Policy
wizard guides you through importing policies and objects into FortiManager. When you import a
device, you create a new policy package that does not interfere with other packages. However,
objects you import will add to, or update, existing objects. You may want to create a new ADOM
revision prior to an import.
The next few slides step through the various stages of the wizard.
You may run the Import Policy wizard from Device Manager by right-clicking the device, or when first
adding a device using the Add Device wizard. If you promote an unregistered device this does not run
the Import Policy wizard. You will need to run the Import Policy wizard after the device is promoted.

The first step of the wizard is Interface Map. Interface mappings are created for interfaces configured
on the firewall. This allows the device interfaces to be referenced in policy packages. You can rename
the ADOM interface mapping in this wizard.
In this example, we are renaming port1 to External and port2 to Internal. Actual policies on the local
FortiGate are on port1 and port2, but locally on the FortiManager they will be referenced as External
and Internal.
The Add mappings for all unused device interfaces option is enabled by default and creates automatic
mapping for the new interface when enabled. The FortiManager administrator doesn't need to create
manual mapping if this option is enabled. This is useful in large deployments, where administrators
can map different interfaces to logical interfaces on FortiManager, which helps the administrator to
view and track them easily on FortiManager.

The next step of the wizard is Policy. Here, the wizard performs a policy search to find all policies in
preparation for import into FortiManager's database. Policies are imported into a new policy package
on the Policy & Objects tab. When you import, you can choose the folder location and the name of the
new policy package. You may choose to import all firewall policies or select specific ones to import.
Also, you can choose whether to import all configured objects or only those referenced by the current
firewall policies.
Import All and Import only policy dependent objects are selected by default when running the Import
Policy wizard.
In the Policy Selection section, if you choose to import only selective policies into the policy package
and later install policy changes, the policies that were not imported will be deleted locally on the
FortiGate. This is because FortiManager does not have those policies in the policy package. For
example, if there are five policies in total and you select only three to import, on the next install the
missing two policies will be deleted locally from the FortiGate. As a best practice, it is recommended
that all policies are imported.
In the Object Selection section, if you choose to import only policy-dependent objects, the orphan
(unused) objects that are not tied to policies locally on the FortiGate will be deleted on next install. If
you choose to import all objects, then all used and unused objects in the FortiManager ADOM object
database are imported, but it will still delete orphan (unused) objects locally on the FortiGate on next
install. In the latter scenario, as all unused objects are imported into the ADOM object database, they
can be used by referencing the policies on FortiManager and installing to the managed devices.
As a word of caution, if you are managing multiple devices in an ADOM (for example, 500 devices)
and choose Import all objects for all devices, the object database will be too big with all these unused
objects and can be overwhelming for an administrator.

The next step of the wizard is Object. When importing objects, FortiManager will check its existing
definitions. If you attempt to import an object with the same name as an existing object, then a
duplicate or conflict is detected and some action may be necessary to resolve the conflict. If you
import an address object where an existing object of the same name is already present, then a dynamic
mapping is added and this becomes a dynamic object. If, however, you import address groups, their
membership may be different and a new object will need to be created and renamed. FortiManager
can check the membership of groups to see if they have the same membership or not. If not, the
object is indexed and a new instance with different values is created.
Always note the changes that are made as you import a device. Moving from per-device to central
management may require some level of modification to object naming.
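To make the conflict handling above concrete, here is an added Python model (not FortiManager's code) of merging the objects imported from one device into an ADOM object database: an unknown name is added, an identical object is reported as DUPLICATE, an address with the same name but a different subnet gains a per-device dynamic mapping, and a group with a different membership is kept as a separately indexed copy whose new name the imported policies must then reference. The `<name>_<n>` suffix and the wording of the report entries are assumptions, and the database contents and imported objects are constructed.

```python
"""Merge objects imported from one FortiGate into an ADOM object database.

Added example, not FortiManager's code. The "<name>_<n>" suffix and the report
wording are assumptions; every object below is constructed.
"""
from copy import deepcopy


def same_value(existing, obj):
    """Groups compare as sets of members; addresses compare their subnet."""
    if obj["type"] == "addrgrp":
        return set(existing["value"]) == set(obj["value"])
    return existing["value"] == obj["value"]


def next_index(db, name):
    """First free indexed name: Servers_1, Servers_2, ..."""
    n = 1
    while f"{name}_{n}" in db:
        n += 1
    return f"{name}_{n}"


def merge_import(db, device, imported):
    """Merge `imported` ({name: {"type", "value"}}) found on `device` into `db`
    ({name: {"type", "value", "mappings"}}) in place.
    Returns (report, renames): report lists (name, action) like an import
    report; renames maps an imported name to the name the imported policies
    must reference instead."""
    report, renames = [], {}
    for name, obj in imported.items():
        existing = db.get(name)
        if existing is None:
            db[name] = {"type": obj["type"], "value": obj["value"], "mappings": {}}
            report.append((name, "new"))
        elif existing["type"] == obj["type"] and same_value(existing, obj):
            report.append((name, "DUPLICATE"))
        elif obj["type"] == "address" and existing["type"] == "address":
            # Same name, different subnet: the object becomes dynamic, with a
            # mapping for this device; its default value is left unchanged.
            existing["mappings"][device] = obj["value"]
            report.append((name, f"dynamic mapping added for {device}"))
        else:
            # Different membership (or a different type): keep both objects by
            # storing the imported one under an indexed name.
            new_name = next_index(db, name)
            db[new_name] = {"type": obj["type"], "value": obj["value"], "mappings": {}}
            renames[name] = new_name
            report.append((name, f"renamed to {new_name}"))
    return report, renames


def rewrite_policy_refs(policies, renames):
    """Apply the renames to the address fields of the imported policies."""
    out = []
    for p in policies:
        q = dict(p)
        for fld in ("srcaddr", "dstaddr"):
            q[fld] = [renames.get(n, n) for n in p[fld]]
        out.append(q)
    return out


# Constructed ADOM database, as it might look after importing HeadOffice ...
ADOM_DB = {
    "all": {"type": "address", "value": "0.0.0.0/0", "mappings": {}},
    "LocalLan": {"type": "address", "value": "10.10.11.0/24", "mappings": {}},
    "web1": {"type": "address", "value": "10.10.11.10/32", "mappings": {}},
    "db1": {"type": "address", "value": "10.10.11.20/32", "mappings": {}},
    "Servers": {"type": "addrgrp", "value": ["web1", "db1"], "mappings": {}},
    "Servers_1": {"type": "addrgrp", "value": ["web1"], "mappings": {}},
}
# ... and the objects and one policy found on BranchOffice (constructed).
IMPORTED = {
    "LocalLan": {"type": "address", "value": "10.10.10.0/24"},
    "web1": {"type": "address", "value": "10.10.11.10/32"},
    "mail1": {"type": "address", "value": "10.10.10.25/32"},
    "Servers": {"type": "addrgrp", "value": ["web1", "mail1"]},
}
IMPORTED_POLICIES = [{"id": 1, "srcaddr": ["LocalLan"], "dstaddr": ["Servers"]}]


def run_example(device="BranchOffice"):
    """Run the merge on a fresh copy of the constructed database."""
    db = deepcopy(ADOM_DB)
    report, renames = merge_import(db, device, IMPORTED)
    return db, report, renames, rewrite_policy_refs(IMPORTED_POLICIES, renames)


if __name__ == "__main__":
    _, report, _, policies = run_example()
    for name, action in report:
        print(f"{name}: {action}")
    print(policies)
```

Because Servers_1 already exists, the imported Servers group lands as Servers_2, which is exactly the kind of renaming the import report records and that you should read before installing.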

The final step of the wizard is Import. Here the firewall policies and objects are imported into
FortiManager.

Once the import is complete, the wizard provides a summary of the tasks completed in Download
Import Report. You can also download the import report, which can be viewed with any text editor.
The import report provides information about the FortiGate, the ADOM name on FortiManager, and the
policy package name.
The report also provides additional information, such as the objects that have been added as new
objects. Existing objects with the same values on the local FortiGate and FortiManager are referred to
as DUPLICATE. If the value of an existing object is changed, FortiManager updates that in its
database and shows update previous object in the import report.
The option to download the report is only available on this page. As a best practice, it is recommended
that you download the import report.

Once you have made configuration changes to the policy package, the Policy Package Status is
flagged as Modified under the Device Manager. Now let's go through the process of installing policy
configuration changes through the Install wizard. During this process, the policy and device
configuration items are installed on the managed device. Once complete, FortiManager and FortiGate
are in sync and the Policy Package Status changes from Modified to Installed.
There are multiple ways to launch the installation wizard: under the Device Manager tab as well as the
Policy & Objects tab. If you are using ADOMs, ensure you select the ADOM from the ADOM dropdown menu first.
From the Device Manager tab:
Right-click Managed FortiGates in the left tree menu under Devices & Groups, or
Click Install from the toolbar menu
By default, Install Device Settings (only) is selected when launching the Install wizard from the Device
Manager tab. Make sure to change it to Install Policy Package & Device Settings.
From the Policy & Objects tab:
Right-click the policy package name, or
Click Policy Package from the toolbar menu and select Install
By default, only the Install Policy Package & Device Settings is available when launching the Install
wizard from the Policy & Objects tab. In this example, we will launch the Install wizard through the
Policy & Objects tab.

The first step in the wizard is What to Install. Here, you are prompted by default to select Install Policy
Package & Device Settings. This installs the policy package and any pending device-level changes.
The policy package you select is displayed and you have the option to create a new ADOM revision
with this install. Note that an ADOM revision is a snapshot of the entire ADOM and not the changes
specific to this policy package.
You can also enable Schedule Install, which allows you to specify the date and time to install the latest
policy package changes. When a scheduled install has been configured and is active, a clock icon
appears beside the policy package name. Select this icon to edit or cancel the schedule. Once the
scheduled install is complete, the icon disappears.
The wizard also provides a comment section where you can optionally add a comment about the
installation for future reference.

The next step is Device Selection. Here, the wizard displays the devices selected in the installation
target for the specific policy package. However, you may override this by deselecting a device.

The next step of the wizard is Validation. Here, the wizard checks that the policy package selected is
suitable for the installation targets selected, such as whether the interface mapping reference in the
policy package is configured on the installation targets. If the validation fails, the install will stop.
Prior to the install you may preview the changes. Click Preview to view the configuration changes that
will be installed on the managed FortiGate. You can also click Download to open or save the preview
file in .txt format. As a best practice, always preview and verify the changes that will be committed to
the FortiGate.
If this is the first install you may see many changes, as objects may have been renamed during the
import process and unused objects are removed from the device configuration. If you do not want to
proceed with the install you may cancel the install at this step of the wizard.

The last step is Install, which is the actual installation. The wizard lists the devices on which
configuration changes were installed and also shows you the progress bar for the install. Any errors or
warnings that occur during installation appear here as well.
If the installation fails, the installation history indicates the stage at which the install failed. You can
also check the installation history for successful installs.
In this example, the wizard indicates that the configuration changes have been successfully installed
to the FortiGate and that FortiManager has created a new revision history for this install.

FortiManager also provides a Re-install option. A re-install is the same as the install except there are
no prompts and it doesn't give you the ability to preview the changes that will be installed to the managed
device. It will create a new revision history and apply to all selected installation targets.
You can right-click any policy package to access the menu or select the policy package and click the
Policy Package menu directly.

Now that we have learned how to import policies from the managed devices and install Policy & Objects
configuration changes, the next step is to explore the advanced operations, such as:

Drag-and-drop to move
Cut, copy and paste
Cloning policies and policy folders
Exporting policies
Policy check

You can drag and drop both firewall policies and objects in order to configure your ruleset. As soon as
the firewall policies and objects are moved, the changes are saved to the policy package and the
modified policy package must then be installed to the managed device.
Click drag and drop.mp4 in the slide to open and play this short video.

Use the cut and paste options to copy and move policies in the same policy package and between
policy packages.
Policies can be copied and cut using the requisite selection from the menu found by right-clicking the
policy sequence number cell. When pasting a copied or cut policy, the policy can be inserted above or
below the current selected policy. The menu also provides the option to cancel in the event you need
to undo the copy or cut that you just performed.

You can also clone policies. This function is similar to creating a new policy, but the fields are
pre-populated with the settings of the cloned policy.
To clone a policy, right-click the policy sequence number cell and select Clone from the menu. The
Clone Policy dialog box opens with all of the settings of the original policy. You can edit the settings as
required.
The next slide demonstrates how to create a new policy package by cloning the existing one.

You can clone a policy package by selecting the policy package and clicking Create New under the
Policy Package menu or alternatively, by right-clicking the policy package and clicking Create New. In
the Create New Policy Package dialog box you can specify a name for the new policy package.
Because it's a clone, it will also have the same installation target, but this can be edited. The progress
bar indicates the cloning of the policy package.
In this example, the existing policy package CommonPackage is cloned and named Training. The
newly created policy package has the same installation target for devices as CommonPackage.
If you recall, we previously set the installation target for CommonPackage to three devices/VDOMs.
So when cloning the policy package, Training has the same installation targets.

You can export policies into CSV format, which can then be imported into Microsoft Office applications.
To export policies, right-click an existing policy package or click the Policy Package menu and select
Export.
Alternatively, you may dump the policy packages in FortiOS CLI format:
execute fmpolicy print-global-database <ADOM_name>
The output from this command can be used in scripting in Device Manager. You can override these
scripts to the ADOM level in order to create many objects. This command is useful for firewall policy
management.

The Policy Check performs the following checks:

Duplication, where two objects have identical definitions
Shadowing, where one object completely shadows another object of the same type
Overlap, where one object partially overlaps another object of the same type
Orphaning, where an object has been defined, but has not been used anywhere

To perform a policy check, right-click an existing policy package and select Policy Check from the
menu. In the Consistency Check dialog box you can select two options:
Perform Policy Consistency Check: This performs a policy check for consistency and provides
any conflicts that may prevent your devices from passing traffic.
View Last Policy Consistency Check Result: This allows you to view the results of the most
recent consistency check.
The policy check only provides recommendations on what improvements can be made; it does not
actually perform any changes. It uses an algorithm to evaluate policy objects, based on:
Source and destination interface policy objects
Source and destination address policy objects
Service and schedule policy objects

In this example, policies 3 and 8 both go from Internal -> External and are completely shadowed. Policy
ID 3 has the source address all and the services set to HTTP, HTTPS. Policy ID 8 has the
source address MyLan and the services set to FTP, PING.
By default, the address object all has the value 0.0.0.0/0.0.0.0, which includes any IP subnet/range, so
the address object MyLan is shadowed by all. These two policies can therefore be combined by adding
all the services into one policy.
Remember, the policy check only provides recommendations on what improvements can be made;
it does not actually perform any changes.
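To make the four check categories and the top-down comparison concrete, here is an added, illustrative checker (not FortiManager's own algorithm) run over a constructed Internal -> External package; the address and service object tables, the policy IDs and the subnet values are all hypothetical, and schedules are left out for brevity.

```python
import ipaddress
from collections import namedtuple

# Constructed address and service object tables (hypothetical, not from the slides).
ADDRESSES = {
    "all": ipaddress.ip_network("0.0.0.0/0"),      # FortiGate default all = 0.0.0.0/0.0.0.0
    "MyLan": ipaddress.ip_network("10.0.1.0/24"),
    "Servers": ipaddress.ip_network("10.0.2.0/24"),
    "Unused": ipaddress.ip_network("10.0.9.0/24"),  # referenced by no policy -> orphan
}
SERVICES = {"HTTP": {("tcp", 80)}, "HTTPS": {("tcp", 443)}, "FTP": {("tcp", 21)}}
# One policy: id, interface pair, address object names and service object names.
Policy = namedtuple("Policy", "pid srcintf dstintf srcaddr dstaddr services")

def svc_ports(names):
    """Expand service object names to the (proto, port) tuples they cover."""
    return set().union(*(SERVICES[n] for n in names))

def relation(earlier, later):
    """Classify 'later' against 'earlier': duplicate, shadowed, overlap or None.
    Interface pairs must match exactly; addresses and services are compared as sets."""
    if (earlier.srcintf, earlier.dstintf) != (later.srcintf, later.dstintf):
        return None
    src_e, src_l = ADDRESSES[earlier.srcaddr], ADDRESSES[later.srcaddr]
    dst_e, dst_l = ADDRESSES[earlier.dstaddr], ADDRESSES[later.dstaddr]
    svc_e, svc_l = svc_ports(earlier.services), svc_ports(later.services)
    if (src_e, dst_e, svc_e) == (src_l, dst_l, svc_l):
        return "duplicate"
    if src_l.subnet_of(src_e) and dst_l.subnet_of(dst_e) and svc_l <= svc_e:
        return "shadowed"   # first match wins, so 'later' can never be hit
    if src_l.overlaps(src_e) and dst_l.overlaps(dst_e) and svc_l & svc_e:
        return "overlap"    # part of later's traffic is consumed by earlier
    return None

def policy_check(policies):
    """Walk the package top-down and return (finding, subject, reference) tuples."""
    findings = [(rel, later.pid, earlier.pid)
                for i, later in enumerate(policies)
                for earlier in policies[:i]
                if (rel := relation(earlier, later))]
    used = {p.srcaddr for p in policies} | {p.dstaddr for p in policies}
    findings += [("orphaned", name, None) for name in ADDRESSES if name not in used]
    return findings

SAMPLE_POLICIES = [  # constructed Internal -> External package
    Policy(1, "Internal", "External", "MyLan", "all", {"HTTP", "HTTPS"}),
    Policy(2, "Internal", "External", "MyLan", "all", {"HTTP", "HTTPS"}),
    Policy(3, "Internal", "External", "all", "all", {"HTTP", "FTP"}),
    Policy(4, "Internal", "External", "Servers", "all", {"FTP"}),
]
```

Running policy_check(SAMPLE_POLICIES) reports policy 2 as a duplicate of 1, policy 3 as overlapping 1 and 2, policy 4 as shadowed by 3, and the address object Unused as orphaned; like the real Policy Check, it only reports and changes nothing.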

Now that we know how to configure, manage, and install Policy & Object configuration changes, the next
step is to understand the options available when configuring a FortiGate IPsec VPN through FortiManager.
FortiManager has two ways to configure FortiGate for IPsec VPN:
Policy & Device VPNs
Central VPN Console

The default VPN management mode is Policy & Device VPNs. In this mode, the IPsec phase 1, phase
2, and routes are configured per device and the firewall policies referencing IPsec interfaces are
created in the policy package. The legacy mode of IPsec VPN configuration, policy-based, is
supported in this management mode.
The VPN configuration settings are disabled (hidden) by default in Display Options and can be turned on under
Device Manager > Display Options. Once enabled, you can configure the IPsec Phase 1 and Phase 2
settings by selecting your device in Device Manager and clicking Menu > VPN.

In Policy & Device VPNs, IPsec Phase 1 and IPsec Phase 2 are configured in the same way as they
would be locally on the FortiGate. Once the IPsec Phase 1, IPsec Phase 2, and routes are
configured, you can configure the firewall policies for the IPsec VPN in the policy package under the
Policy & Objects tab.
In Policy & Device VPNs, the IPsec Phase 1, IPsec Phase 2, and routes are configured per device.
What if you have hundreds of managed FortiGate devices and need to create VPNs between them?
You can use the Central VPN Console, which allows you to create IPsec Phase 1 and IPsec Phase 2
once and target multiple devices. FortiManager can also create the routing for the VPN automatically.
The next few slides demonstrate the Central VPN Console configuration steps.

When you set VPN Management to Central VPN Console for an ADOM, a VPN console tree menu
appears in the Policy & Objects tab under Policy Package.
If this does not show up, you will need to enable the Show VPN Console option in System Settings >
Admin > Admin Settings.

There are three topologies that you can configure from the VPN Console. Choose the topology that suits
your network. The options are:
Full Meshed: Each gateway has a tunnel to every other gateway.
Star: Each gateway has one tunnel to a central hub gateway. Each FortiGate is defined as either a
hub or a spoke.
Dial Up: Some gateways, often for mobile users, have dynamic IP addresses and contact the main
gateway to establish a tunnel. As in the Star topology, each VPN gateway is defined as either a hub or a
spoke. Peer options are configured in the same way as a dial-up tunnel configured directly on the
FortiGate.
From the Policy & Objects tab, select VPN Console and click Create New to create a VPN topology
and define the IKE Phase 1 and Phase 2 settings. These Phase 1 and Phase 2 settings only need to be
configured once and can be applied to multiple FortiGate devices.
The next few slides demonstrate the configuration steps required for the VPN Console using the full
meshed topology. In it, the Phase 2 configuration does not include protected networks, which are
configured when you configure the managed or external gateways.

Once you have selected the VPN topology and configured the Phase 1 and Phase 2 settings, the next step
is to configure gateways. The settings for configuring gateways depend on the VPN topology
selected.
Right-click the name of the VPN topology and click Config Gateways to enter the VPN
gateway configuration. Click Create New to configure managed and external gateways.
Managed Gateway refers to an IPsec tunnel to a device that is managed by FortiManager.
External Gateway refers to an IPsec tunnel to a device that is not managed by FortiManager. In
this configuration, you provision one side of the VPN, entering parameters that match the remote
peer configuration.

Once you select Managed Gateway, you need to configure the following:
Device: Select the managed FortiGate from the drop-down list.
Default VPN Interface: Usually the egress interface of the device, so that it can communicate
with the other FortiGate devices to negotiate IKE.
Routing: For managed devices, routing can be configured automatically or manually from Device
Manager. The default option is Automatic: because the device is already managed by FortiManager,
FortiManager knows its existing routing table and can add the routes for the IPsec tunnel accordingly.
Protected Subnets: Subnets behind the device to which you want to allow access over the VPN.

Once you have added all managed and external gateways, you need to add firewall policies. Firewall
policies can be configured in the policy package located under the Policy & Objects tab.
The slide shows VPN policies being added to the HeadOffice and BranchOffice policy packages
referencing the special IPsec interface names (vpnmgr_MyVPN_mesh) used for a full mesh topology.
Install the respective policy package to each managed device. On install, preview the configuration
changes and note the IPsec and routing configuration objects that have been created by the VPN
Console configuration. After the install, these special IPsec interfaces will be created locally on the
FortiGate devices.
There are many limitations with the VPN Console, which is why it is not the default method. The main
restriction is that you cannot import an existing VPN configuration, and it only supports interface mode.
That said, interface mode is the preferred IPsec configuration, and many organizations are happy to
build a new VPN topology within the console because it standardizes the VPN object configuration.

Now that we know the IPsec VPN configuration options on FortiManager, the next step is to understand
the purpose of the global ADOM.

Header and footer policies are used to envelop the policies within each individual ADOM. They are
typically invisible to users and devices at the ADOM layer. An example of where this would be used is
a carrier environment, where the carrier allows customer traffic to pass through its network
but does not allow the customer to access the carrier's network assets.
This diagram illustrates how global policies and objects are assigned to ADOM policy packages.
The next few slides show how a global header policy that denies all ICMP ping to a public IP
address is created and assigned to an ADOM.

Header policies are the policies that are placed at the top of the policy package in the individual
ADOM. Footer policies are the policies that are placed at the bottom of the policy package in the
individual ADOM.
To create a new header or footer policy, click the Policy tab or right-click Local Domain Policies (or the
existing policy in the Global ADOM) and select Header Policy or Footer Policy.

In this example, we have created a header policy to block ICMP ping, with the address object gPingblock,
the service set to gPiNG, and the action set to Deny. The next step is to assign this policy to one policy
package in an individual ADOM.

Select the global policy package that you would like to assign and click Assignment > Add ADOM. You
can specify the targeted policy package in the individual ADOM.
In this example, the default global policy package is added to the HeadOffice policy package in the
root ADOM by excluding the other three policy packages in that ADOM. Once the policy package is
added, the status appears as Pending changes, because it is not yet assigned to the policy package. Under the
ADOM Policy Packages column, it also shows that only one policy package is selected out of the four
packages available in the root ADOM. Assignment is done by clicking Assign or Assign
Selected.
The Assign option commits the global policy package and the objects it uses to the individual ADOM policy
package.
Assign Selected, on the other hand, offers some more advanced options, including:
Assign USED Objects Only
Assign ALL Objects
Automatically Install Policies to ADOM Devices
Once assigned, the status changes to Up to date.

Once the global ADOM objects are assigned, they appear in the Policy & Objects tab for that
particular ADOM. In this example, the header policy is added to the HeadOffice policy package in
the root ADOM.
Only one global policy package can be assigned to an individual ADOM policy package, and assigning
a new global policy package to the same individual ADOM policy package removes the previously
assigned policies. Also, the header and footer policies cannot be edited or moved between the rules
in an individual ADOM policy package.

To review, these are the topics we covered in this lesson. After this lesson, you should be able to:
Create ADOM revisions
Create policy folders and policy packages
Create policies and firewall objects
Configure installation targets
Configure and use dynamic objects
Understand and configure interface and zone mappings
Use the Import Policy wizard and the Install wizards
Configure IPsec VPNs
Understand and use global ADOM policies
