
Administration Guide

Creating policies based on logged traffic

When FortiManager has a managed FortiAnalyzer device, administrators can create new policies based on Policy Hit traffic in FortiView using the policy creation wizard. This feature is only available when FortiAnalyzer is added to FortiManager as a managed device; it is not supported on a FortiManager with FortiAnalyzer features enabled.

To create policies from policy hits:
  1. Add a managed FortiAnalyzer to FortiManager. See Add FortiAnalyzer or FortiAnalyzer BigData.

  2. Go to FortiView > Traffic > Policy Hits.

  3. Create a new policy from the Policy Hits table or from the Log View drilldown view, after which the policy creation wizard opens.

    1. Policy Hits table: Right-click on a policy hit in the table, and click Create Policy.

    2. Log View drilldown: Double-click a log in the Policy Hits table to drill down to Log View, and click Create Policy.

  4. In the wizard, you can explore policy elements using text filters and Group By categorization.

  5. Select one or more entries in the log table, and click Create.

  6. In the Add Policies & Policy Template dialog, configure your policy options, and then click Next:

    Add Policies By

    Select one of the following options for adding the policy:

    • Create New Policy Block: Policies are added to a new Policy Block. When this option is selected, you must enter a name for the Policy Block or use the default name provided.
    • Add to Existing Policy Block: Policies are added to an existing Policy Block. Select the existing Policy Block from the Policy Block dropdown menu.
    • Insert Before Package Policy: Policies are inserted above the package policy they originated from.

    Policy Block Visibility

    The Policy Block feature must be enabled in Policy & Objects > Feature Visibility in order to manage Policy Blocks in the GUI.

    This field is displayed when the Add Policies By setting is configured to Create New Policy Block or Add to Existing Policy Block, and the Policy Block feature visibility is not enabled in the ADOM.

    Enable this setting to enable Policy Block feature visibility for the current ADOM. Disable this setting (default) to leave Policy Block visibility disabled.

    Policy Type

    Displays the type of policy that will be created.

    Use Interface From

    Select where the Incoming Interface and Outgoing Interface are from:

    • Traffic Log
    • Policy
    • Custom

    Schedule

    Displays the schedule.

    Action

    Displays the policy action.

    Update Template

    Manually update the policy template by clicking Open Edit Page.

  7. In the Preview Objects dialog, review the objects that will be used by the policy, and then click Next. Objects will be automatically created if FortiManager cannot find a match in the current ADOM.

  8. In the Preview Policies dialog, review the policies that will be created, and then click Next.

  9. Click Next to generate the policies. The results of the policy creation wizard are displayed.

    Once created, policies can be viewed in Policy & Objects.
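The wizard above groups policy hits, lets you choose where the interfaces come from (Traffic Log, Policy or Custom), and reuses existing objects or creates new ones when no match exists in the ADOM. The following script is an added illustration of that workflow, not FortiManager code: it takes FortiGate-style key=value traffic log lines, groups the hits into candidate policies and resolves address objects. The field names srcintf, dstintf, srcip, dstip, service, policyid and action are assumed from the traffic log format; the log lines, object names, policy IDs and the `auto_<ip>` naming scheme are constructed for the example.

```python
"""Added illustration (not FortiManager code): turn traffic log policy hits
into candidate policy definitions, mirroring the wizard's steps of grouping
hits, choosing where interfaces come from, and matching or creating objects.

Assumes FortiGate-style key=value traffic log lines with the fields
srcintf, dstintf, srcip, dstip, service, policyid and action. All log
lines, object names and policy IDs below are constructed sample data.
"""
import re

# Constructed sample traffic logs: three hits on policy 5, one on policy 9.
SAMPLE_LOGS = [
    'date=2024-01-01 time=10:00:01 srcintf="port1" dstintf="port2" srcip=10.1.1.10 dstip=192.0.2.20 service="HTTPS" policyid=5 action="accept"',
    'date=2024-01-01 time=10:00:02 srcintf="port1" dstintf="port2" srcip=10.1.1.11 dstip=192.0.2.20 service="HTTPS" policyid=5 action="accept"',
    'date=2024-01-01 time=10:00:03 srcintf="port1" dstintf="port2" srcip=10.1.1.10 dstip=192.0.2.21 service="DNS" policyid=5 action="accept"',
    'date=2024-01-01 time=10:00:04 srcintf="port3" dstintf="port2" srcip=10.2.2.5 dstip=192.0.2.20 service="HTTPS" policyid=9 action="deny"',
]

# key=value or key="value with spaces"
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log_line(line):
    """Parse one key=value log line into a dict of string fields."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def pick_interfaces(rec, interface_from, policy_interfaces=None, custom=None):
    """Mirror the 'Use Interface From' choice: traffic_log, policy or custom.

    policy_interfaces maps policy ID -> (srcintf, dstintf) of the hit policy;
    custom is a fixed (srcintf, dstintf) pair chosen by the operator.
    """
    if interface_from == "traffic_log":
        return rec["srcintf"], rec["dstintf"]
    if interface_from == "policy":
        return policy_interfaces[rec["policyid"]]
    if interface_from == "custom":
        return custom
    raise ValueError(f"unknown interface source: {interface_from}")


def resolve_address_objects(ips, existing):
    """Reuse an existing address object for each IP, otherwise create one.

    existing maps object name -> IP (the objects already in the ADOM).
    Returns (object names in IP order, dict of newly created objects).
    """
    by_ip = {ip: name for name, ip in existing.items()}
    names, created = [], {}
    for ip in sorted(ips):
        if ip in by_ip:
            names.append(by_ip[ip])
        else:
            name = f"auto_{ip}"  # hypothetical naming scheme for new objects
            created[name] = ip
            names.append(name)
    return names, created


def build_candidates(lines, existing_addresses, interface_from="traffic_log",
                     policy_interfaces=None, custom=None):
    """Group hits by (srcintf, dstintf, policyid, action) into candidate
    policies and collect the address objects that would have to be created."""
    groups = {}
    for line in lines:
        rec = parse_log_line(line)
        srcintf, dstintf = pick_interfaces(rec, interface_from,
                                           policy_interfaces, custom)
        key = (srcintf, dstintf, rec["policyid"], rec["action"])
        g = groups.setdefault(key, {"srcips": set(), "dstips": set(),
                                    "services": set()})
        g["srcips"].add(rec["srcip"])
        g["dstips"].add(rec["dstip"])
        g["services"].add(rec["service"])

    candidates, created = [], {}
    # Present candidates in policy-ID order so they line up with the package.
    for key in sorted(groups, key=lambda k: (int(k[2]), k[0], k[1])):
        srcintf, dstintf, policyid, action = key
        g = groups[key]
        src_names, new_src = resolve_address_objects(g["srcips"], existing_addresses)
        dst_names, new_dst = resolve_address_objects(g["dstips"], existing_addresses)
        created.update(new_src)
        created.update(new_dst)
        candidates.append({
            "policyid": policyid, "action": action,
            "srcintf": srcintf, "dstintf": dstintf,
            "srcaddr": src_names, "dstaddr": dst_names,
            "services": sorted(g["services"]),
        })
    return candidates, created


if __name__ == "__main__":
    # Only one address object exists already; the rest will be "created".
    cands, new_objects = build_candidates(SAMPLE_LOGS, {"web-server": "192.0.2.20"})
    for c in cands:
        print(c)
    print("objects to create:", new_objects)
```

Reviewing the `created` dict before committing anything is the script's counterpart of the Preview Objects step: every entry in it is an object the ADOM does not have yet, and a long list of one-off `auto_<ip>` addresses usually means the hits should be grouped more coarsely (or an existing subnet object reused) rather than turned into policies as-is.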

To view policy details from Log View:
  1. Go to Log View.

  2. Click a policy ID number in the Policy ID column.

    A new window opens displaying the full policy details.

To view logs filtered by policy UUID:
  1. Go to Policy & Objects > Policy Packages.

  2. Right-click on a policy UUID in the UUID column, and click View Log in the context menu.

    A new window opens displaying logs filtered by the selected policy UUID.
