Support for FortiOS Next Generation Firewall VDOM Implementations
FortiManager now supports FortiOS Next Generation Firewall (NGFW) VDOM implementations.
To configure NGFW VDOM implementation:
- Change the ngfw-mode from profile-based to policy-based:
    FGT60E4Q16030265 (vdom) # edit policy
    current vf=policy:1

    FGT60E4Q16030265 (policy) # config sys settings

    FGT60E4Q16030265 (settings) # show
    config system settings
        set ngfw-mode policy-based
    end

    FGT60E4Q16030265 (profile) # config system settings

    FGT60E4Q16030265 (settings) # set ngfw-mode
- In the policy-based NGFW mode, configure the new firewall policy and security policy:
    config firewall consolidated policy
        edit 1
            set name "1"
            set uuid 272900ec-9f6f-51e9-ca7a-c3ca7250921d
            set srcintf "internal5"
            set dstintf "internal6"
            set srcaddr4 "all"
            set dstaddr4 "all"
            set service "ALL"
        next
    end
    config firewall security-policy
        edit 1
            set uuid f50fd6da-9eab-51e9-1065-7b37a4a17268
            set name "2"
            set srcintf "internal5"
            set dstintf "internal6"
            set srcaddr4 "all"
            set dstaddr4 "all"
            set enforce-default-app-port disable
            set service "ALL"
            set action accept
            set schedule "always"
            set logtraffic-start enable
            set av-profile "g-default"
            set emailfilter-profile "default"
            set dlp-sensor "Content_Archive"
            set ips-sensor "default"
            set application 36481
            set app-category 28
            set url-category 64
        next
    end
- Import the FortiGate/VDOM policy into FortiManager. The imported policy package keeps the same ngfw-mode setting and contains the same firewall policies and security policies.
- Create a new policy package that supports a different NGFW mode.
- Policy blocks have the same support. A policy package can only add policy blocks that are in the same NGFW mode. After a policy block has been added to a policy package, the NGFW mode of both the package and the block cannot be changed.
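As an added example (not Fortinet's own code and not FortiManager's import logic), the following Python parses a VDOM's FortiOS CLI configuration and flags firewall tables that belong to the other NGFW mode, which is the consistency that the import and policy-block rules above rely on. The sample configuration and the mapping of tables to modes are assumptions based on the page's example.

```python
# Constructed sample VDOM config in FortiOS CLI syntax (not captured from a real device).
SAMPLE_POLICY_BASED = """\
config system settings
    set ngfw-mode policy-based
end
config firewall consolidated policy
    edit 1
        set srcintf "internal5"
        set dstintf "internal6"
    next
end
config firewall security-policy
    edit 1
        set action accept
        set ips-sensor "default"
    next
end
"""

# Assumption drawn from the page's example: each of these tables belongs to one NGFW mode.
POLICY_BASED_TABLES = {"firewall consolidated policy", "firewall security-policy"}
PROFILE_BASED_TABLES = {"firewall policy"}

def parse_config(text):
    """Parse FortiOS config/edit/set/next/end blocks into {table: {entry: {key: value}}}."""
    tables, stack = {}, []          # stack holds [table_name, current_entry] per nesting level
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append([line[7:], None])
            tables.setdefault(line[7:], {})
        elif line.startswith("edit "):
            stack[-1][1] = line[5:].strip('"')
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            table, entry = stack[-1]
            tables[table].setdefault(entry, {})[key] = value.strip('"')
        elif line == "next":
            stack[-1][1] = None
        elif line == "end":
            stack.pop()
    return tables

def check_ngfw_consistency(text):
    """Return tables that hold entries but belong to the other NGFW mode (empty = consistent)."""
    tables = parse_config(text)
    mode = tables.get("system settings", {}).get(None, {}).get("ngfw-mode", "profile-based")
    foreign = PROFILE_BASED_TABLES if mode == "policy-based" else POLICY_BASED_TABLES
    return sorted(t for t in foreign if tables.get(t))
```

Running the check against a VDOM export before importing it into FortiManager shows whether the policy tables match the ngfw-mode the resulting policy package will inherit.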