Introduction

This section introduces FortiPolicy and provides an overview of how FortiPolicy facilitates application security using the Fortinet Security Fabric.

This section covers the following topics:

Intent-based cybersecurity

The cybersecurity landscape is filled with threats. Networks of all types face challenges in gaining visibility into, and understanding of, appropriate communications versus possible threats. Implementing zero-trust concepts such as “least privilege” segmentation and microsegmentation policies is paramount in limiting the impact of a possible breach on the network. Network administrators require tools that enable them to automate and enforce intent-based cybersecurity.

FortiPolicy delivers comprehensive and consistent controls to protect on-premises data centers and OT environments, their applications, and their data. It leverages agentless machine-learning (ML) technology and, through the Fortinet Security Fabric, enforces intent with a comprehensive set of controls including microsegmentation, firewalling, and more.

This powerful, agentless, ML platform enhances the microsegmentation and intent-based networking segmentation capabilities of the Security Fabric. It enables end-to-end visibility and connection-mapping of north-south and east-west traffic flows for on-premises data centers. FortiPolicy then applies ML to provide context to these workflows, enabling it to suggest security policies to the Security Fabric.

Data-center administrators are then able to learn relationships among workloads and applications and make decisions to allow or block that communication. These machine-learning-enabled policies can be automated, which reduces complexity and improves efficiency in their implementation. This process of discovery, security, and automation offers a truly adaptive solution to protect your most sensitive assets. FortiPolicy meshes seamlessly into the Security Fabric and is integrated into all layers of the infrastructure.

FortiPolicy microservices-based adaptive security

FortiPolicy software-defined security is deployed into your Security Fabric. FortiPolicy provides uniquely intelligent and extremely high levels of automated security policy orchestration. These data-aware services discover and monitor entire infrastructure network topologies, protocols, applications, security policies, and active workloads, and they can protect active workloads across your Security Fabric.

By providing complete, centralized visibility into your fabric, FortiPolicy software-based security delivers the next generation of data center protection.

FortiPolicy enables organizations to natively and automatically segment and secure workloads, providing visibility, policy management, and enforcement at scale. Organizations can implement on-demand security policies based on the following:

  • Microsegmentation: Application-aware access control; security enforcement between workloads even on the same subnet

  • Flows: East/west

Primary components and containerized microservices

The following table lists the primary components and containerized microservices in FortiPolicy, including usage descriptions and links to more detailed information.

Software component or microservice

Usage

FortiPolicy software

FortiPolicy software OVF (VMware)

Continuous discovery

Following initial discovery with a simple Infrastructure Connector configuration, FortiPolicy’s continuous discovery continues to identify all changes throughout your Security Fabric. The FortiPolicy factory then automatically updates protections for all infrastructure objects that FortiPolicy is configured to protect. FortiPolicy technology also visualizes the continuous discovery results in a map view (available from the FortiPolicy maps).

Connection discovery

Automated policy generation secures your environments by having FortiPolicy discover, analyze, and organize all connections and workloads into application groups for you, with security policy recommendations for connections between those groups.

Connection discovery is distinct from FortiPolicy’s infrastructure-asset discovery and continuous discovery technologies. Following connection discovery, FortiPolicy proposes security groupings of applications, with suggested ACLs for implementation between the proposed application groups and policy granularity down to the tier level. You can verify, modify, and test the grouping, policy proposals, and compliance before deploying and enforcing security policies with microsegmentation.

FortiPolicy fabric connector

The FortiPolicy fabric connector connects to a Security Fabric for fabric provisioning information exchange and security orchestration as part of FortiPolicy continuous discovery and continuous monitoring.

FortiPolicy resource group

A resource group is a collection of workloads or networks, proposed by FortiPolicy, that share identical security requirements. It is also sometimes referred to as an application tier. The automated policy generation feature proposes application tiers as the sources and destinations in its proposed ACL rules.

FortiPolicy data plane

The data plane is where security policy is enforced. The scope of a data plane is to observe and propose policies specific to a VDOM.

Automated Policy Generation

A FortiPolicy option that has FortiPolicy discover, analyze, and organize all connections and workloads in your infrastructures into application groups for you, with security policy recommendations for connections between those groups.

FortiPolicy access control (ACL)

An access control policy (ACL) is an ordered set of rules that govern the ability of workloads to make connections. FortiPolicy provides dynamic grouping of ACLs for granular security of segments and microsegments. Assigning an ACL policy to a fabric connector is required; this allows you to create ACLs between workloads in different data planes.
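As an added illustration (constructed example code, not FortiPolicy’s own code or rule format), the following Python model captures the semantics described on this page: application tiers as rule sources and destinations, ordered first-match evaluation with an implicit deny, enforcement between workloads that share a subnet, and a check that rejects any rule touching the management network. All tier names and addresses are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample: application tiers (resource groups) as named sets of
# workload addresses or networks. "app" and "batch" share one subnet.
TIERS = {
    "web":   ["10.0.1.0/24"],
    "app":   ["10.0.2.10"],
    "batch": ["10.0.2.11"],
    "db":    ["10.0.3.5"],
    "mgmt":  ["10.0.100.5"],
}
# Constructed management network; the page states no ACLs are allowed on it.
MGMT_NET = ip_network("10.0.100.0/24")

@dataclass(frozen=True)
class Rule:
    src: str      # source tier name
    dst: str      # destination tier name
    port: int     # destination TCP port
    action: str   # "allow" or "deny"

def in_tier(addr: str, tier: str) -> bool:
    """True if the workload address belongs to any network of the tier."""
    ip = ip_address(addr)
    return any(ip in ip_network(net) for net in TIERS[tier])

def validate(rules: list) -> bool:
    """Reject any rule whose source or destination tier overlaps the
    management network, mirroring the documented restriction."""
    for r in rules:
        for tier in (r.src, r.dst):
            if any(ip_network(n).overlaps(MGMT_NET) for n in TIERS[tier]):
                raise ValueError(f"{r} references the management network")
    return True

def evaluate(rules: list, src_ip: str, dst_ip: str, port: int) -> str:
    """Ordered first-match evaluation: the first rule whose tiers and port
    match decides; anything not explicitly allowed is denied (least
    privilege). Tier membership, not subnet, decides, so two workloads on
    the same subnet are still separated."""
    for r in rules:
        if r.port == port and in_tier(src_ip, r.src) and in_tier(dst_ip, r.dst):
            return r.action
    return "deny"
```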

FortiPolicy management plane

The management plane is needed for communicating between FortiPolicy services and the management console, and to connect to the outside world for software updates and so on.

Note: No ACLs are allowed on the FortiPolicy management network.
