
Setting up Policy Generation


Automated Policy Generation provides the automated discovery of connections, tiers, applications, and network services.

To set up Policy Generation:
  1. In FortiPolicy, go to Workspace > Applications.

  2. In the Action Steps pane, click SETUP POLICY GENERATION.

  3. For the Security Policy Set dropdown list, keep the default setting of Discover.

  4. From the Access Control Policy dropdown list, select Default ACL Policy.

  5. Select the checkbox for the Fortinet Security Fabric.

  6. Click Next.

  7. Enter any public IP addresses that you want to be analyzed as part of the network you are securing.

  8. Click Next.

  9. If you do not want all workloads and subnets defined in the Scope and Public IPs tabs to be examined, create filters for which workloads and subnets to include and exclude.

  10. Click Next.

  11. Policy Generation examines the names of all workloads. If your workload naming convention follows one of the supported delimiter-based or positional formats and encodes any of the data shown on the Names tab (application, deployment environment, or tier function), Policy Generation can automatically label your applications, their tiers, and the sources and destinations in the policy rules. If your naming convention does not fit the supported formats, or you prefer to name the proposed applications and tiers manually, select None of these fit my configuration.

  12. Click Next.

  13. If you selected Tags on the Names tab, FortiPolicy derives tags from the workload naming convention used for existing applications, deployment environments, and tier functions. If you want to add more tags for applications, deployment environments, and tier functions, enter the value and full name for each tag.

  14. Click Next to go through the three tag groups and then to the Services tab.

  15. Review the list of standard network services that interconnect your workloads. Edit or add any services in your network that use nonstandard ports and protocols. Delete any services not used in your network.


    Extremely important: An accurate list of network services allows FortiPolicy to identify all common network services and to distinguish between business application tiers and service tiers.

  16. Click DONE.

    During Policy Generation, FortiPolicy gathers data on your network, learns its interconnections, and begins to propose security policies. The default connection discovery time is 2 hours. After additional analysis time, the proposed applications are listed in the Applications page.

For the next steps of FortiPolicy configuration, see the FortiPolicy Automated Policy Generation Guide.

Troubleshooting discovery

During discovery, you can view the real-time progression of infrastructure discovery events from the FortiPolicy Workspace > Logs > Jobs page and then troubleshoot any issues.

Click the “i” information icon at the beginning of a Job row in the Jobs table to display any error details.

FortiPolicy discovers the data necessary for Policy Generation by connecting FortiPolicy data planes to the FortiGate and FortiSwitch devices in the Security Fabric. FortiPolicy discovers the Security Fabric endpoints and subscribes to them to receive traffic logs from the FortiGate devices and flow exports from the FortiSwitch units. FortiGate and FortiSwitch devices limit the number of data collectors that can subscribe to receive this data (in FortiOS 7.0.x, four syslog data collectors for traffic logs and one data collector for flow export). If FortiPolicy tries to subscribe to a device that is already at its limit, data discovery fails.

If connection discovery fails, FortiPolicy displays a red fault icon in the header bar, and the discovery status is shown as FAILED under the Ended tab on the Workspace > Logs > Jobs page. Without connection data, FortiPolicy cannot generate valid proposals. A common cause of discovery failure is that a device has reached its limit of subscribed clients.

To solve this problem, the FortiPolicy administrator must go to any oversubscribed FortiGate or FortiSwitch devices and remove an existing subscribed client. Then, the administrator can return to FortiPolicy, go to Configuration > Data Planes, click the vertical ellipsis menu at the left side of the page, and select Sync for each data plane to register it with its Fortinet devices. After synchronizing the data planes, the Ended tab on the Jobs page should show a status of PASSED for discovery.

You can also check the following settings if you are having trouble with connection discovery:

  • Go to Configuration > Security Fabric and verify that the icon under Security Fabric Connection Status is green, which indicates that the connection is active.

  • Before you created the data planes, the FortiPolicy fabric connector on each FortiGate device where a data plane is created needed configuration write access. Confirm that the connector entry, keyed by the FortiPolicy serial number, has write access enabled and uses the super_admin profile:

    config system csf
        config fabric-connector
            edit <FortiPolicy_serial_number>
                set configuration-write-access enable
                set accprofile super_admin
            next
        end
    end

    Because super_admin is the full-access profile, this setting gives FortiPolicy the same write access to the FortiGate configuration as a super administrator; treat the FortiPolicy appliance and its administrator accounts as critical assets.

  • Go to Workspace > Logs > Jobs and check for errors in discovering the Security Fabric.

    • If there are compatibility errors, make certain that you are using FortiOS 7.0.6.

    • In the root FortiGate device, go to Network > Interfaces, select the WAN port, and click Edit. Make certain that the Security Fabric Connection checkbox is selected.

  • Go to Workspace > Logs > Jobs and check for any errors from when you created the data planes.

    • For each FortiGate device in the Security Fabric, go to Security Fabric > Fabric Connectors, right-click Security Fabric Setup, and select Edit. Check that Allow downstream device REST API access is enabled and that the management port is set to 8013.

    • Check that traffic logging is enabled on the firewall policies that carry the workload traffic, with set logtraffic (for example, set logtraffic all) under config firewall policy in the FortiOS CLI. A policy with logtraffic disabled produces no traffic logs, so the connections it carries are invisible to discovery.

  • Check that proxy ARP is configured on the primary NAC segment interface of the FortiGate devices. For example:

    config system proxy-arp
        edit 1
            set interface "nac_segment"
            set ip 10.255.13.2
            set end-ip 10.255.13.5
        next
    end
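As an added example (not FortiPolicy or FortiOS code), the following Python script runs the fabric-connector, logtraffic and proxy-ARP checks from the list above offline, against FortiGate CLI output you have saved (show system csf, show firewall policy, show system proxy-arp). It parses the config/edit/set/next/end structure itself and needs only the standard library. The serial number FPVM00EXAMPLE01, the policy IDs, the interface name and the addresses in the embedded sample are constructed for the example; point the script at your own saved output and your own FortiPolicy serial number.

```python
"""Offline pre-flight check of the FortiGate-side settings FortiPolicy discovery needs.
Added example, not FortiPolicy or FortiOS code; feed it saved CLI output such as
`show system csf`, `show firewall policy` and `show system proxy-arp`."""
import ipaddress
import shlex
from typing import Any, Dict, List

# Constructed sample in FortiOS CLI syntax; the serial number, policy IDs,
# interface name and addresses are illustrative only.
SAMPLE_CONFIG = """\
config system csf
    config fabric-connector
        edit "FPVM00EXAMPLE01"
            set configuration-write-access enable
            set accprofile "super_admin"
        next
    end
end
config firewall policy
    edit 1
        set logtraffic all
    next
    edit 2
        set logtraffic disable
    next
end
config system proxy-arp
    edit 1
        set interface "nac_segment"
        set ip 10.255.13.2
        set end-ip 10.255.13.5
    next
end
"""


def parse_fortios_config(text: str) -> Dict[str, Any]:
    """Parse config/edit/set/next/end text into nested dicts: 'config a b' and
    'edit k' open a level keyed 'a b' / k, 'set k v' stores v (a list when
    several values follow), and 'next' / 'end' close the current level."""
    root: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = [root]
    for raw in text.splitlines():
        words = shlex.split(raw.strip())
        if not words:
            continue
        kw, args = words[0], words[1:]
        if kw == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif kw == "set" and len(args) >= 2:
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif kw in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def fabric_connector_ok(cfg: Dict[str, Any], serial: str) -> bool:
    """True when FortiPolicy's connector entry has configuration write access
    and the super_admin profile, as the checklist above requires."""
    entry = cfg.get("system csf", {}).get("fabric-connector", {}).get(serial, {})
    return (entry.get("configuration-write-access") == "enable"
            and entry.get("accprofile") == "super_admin")


def policies_not_logging_traffic(cfg: Dict[str, Any]) -> List[str]:
    """IDs of firewall policies with logtraffic disabled; FortiPolicy learns
    connections from traffic logs, so these policies are blind spots."""
    policies = cfg.get("firewall policy", {})
    return [pid for pid, p in policies.items() if p.get("logtraffic") == "disable"]


def proxy_arp_covers(cfg: Dict[str, Any], interface: str, ip: str) -> bool:
    """True when a proxy-arp entry on `interface` spans `ip` (no end-ip,
    or end-ip 0.0.0.0, means the entry covers a single address)."""
    target = ipaddress.ip_address(ip)
    for entry in cfg.get("system proxy-arp", {}).values():
        if entry.get("interface") != interface or "ip" not in entry:
            continue
        start = ipaddress.ip_address(entry["ip"])
        end_raw = entry.get("end-ip", "0.0.0.0")
        end = start if end_raw == "0.0.0.0" else ipaddress.ip_address(end_raw)
        if start <= target <= end:
            return True
    return False


def preflight(text: str, serial: str, nac_if: str, probe_ip: str) -> Dict[str, Any]:
    """Run all three checks over one device's saved configuration."""
    cfg = parse_fortios_config(text)
    return {
        "fabric_connector_ok": fabric_connector_ok(cfg, serial),
        "policies_not_logging": policies_not_logging_traffic(cfg),
        "proxy_arp_ok": proxy_arp_covers(cfg, nac_if, probe_ip),
    }


if __name__ == "__main__":
    print(preflight(SAMPLE_CONFIG, "FPVM00EXAMPLE01", "nac_segment", "10.255.13.3"))
```

Run it once per FortiGate in the Security Fabric before you select Sync on the data planes: a False under fabric_connector_ok or proxy_arp_ok points at the corresponding checklist item, and any policy ID listed under policies_not_logging will never feed traffic logs to FortiPolicy and should be fixed with set logtraffic all (or utm) before discovery is repeated.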
