Fortinet black logo

Automated Policy Generation Guide

Home FortiPolicy 7.2.2 Automated Policy Generation Guide
7.2.2
7.2.3
7.2.2
7.2.0

Assigning tiers

Assigning tiers

In some cases, Policy Generation may group two or more separate applications together, if they talk to each other. The Assign Tiers panel lets you divide such a proposal into separate application proposals.

In other cases, Policy Generation may propose two applications, but you think of them as being one bigger application. The Assign Tiers panel lets you merge them together.

Divide Proposal Example:

Your Scheduling and Inventory applications each have their own web servers and business logic servers, but they share the same database, and both are connected to the Internet.

The logic severs in Scheduling need to talk with the logic severs in Inventory. They operate together in your Production environment, but you manage them as separate applications.

To identify and control traffic for each application, as well as the traffic between applications, you want to group the servers into tiers and name the tiers and their applications appropriately.

Take the following actions:

  1. Examine the tiers in the proposed Application Details page and determine that the tiers belong to more than one application.

  2. On the toolbar, under Actions, click the Assign Tiers icon button to display the Assign Tiers panel.

  3. If the New Proposal panel is not open, click . Enter the Application Name and Environment, Inventory / Production, and click SAVE.

  4. Click the Inventory Web tier, a workload tier.

  5. In the tier table header, Assigned Proposal dropdown, click Inventory / Production. The tier moves into the new Inventory / Production proposal.

  6. Subnet tiers, like Any IP Address, are children of the workload tiers they connect to. They move where their parent moves. A copy of Any IP Address moves to the new proposal.

  7. Click the Inventory Logic tier, another workload tier. In the Assigned Proposal dropdown, again click Inventory /Production. The logic tier moves to the new proposal.

  8. Workload tiers only belong to one application, but they may talk to tiers in other applications.

  9. The database workload tier can be left in Scheduling, moved to Inventory, or click again to assign it to an application all by itself.

  10. Click SAVE at the bottom of the panel. Policy Generation will divide the original proposal into two applications with the appropriate interapplication connections.

  11. Now approve and deploy the two applications separately.

Merge Proposals Example:

Your Sales Accounting and Revenue Recognition applications are managed by the same team and work closely together. You think of them as one big application, even though they run on different sets of servers. Based on its initial setup and discovered data, Policy Generation proposed them as two separate applications.

You want to group all the tiers together in one application and manage their security as one application.

Take the following actions:

  1. From the Applications table or topology, click the proposal with the smallest number of tiers: Revenue Recognition.

  2. In its resulting Application Details page, on the toolbar under Actions, click the Assign Tiers icon button to display the Assign Tiers panel.

  3. The other application that you want to merge may already appear in the panel. If not, and if the New Proposal panel is not open already, click ADD APPLICATION.

  4. Enter the Application Name and Environment, Sales Accounting / Production, and click SAVE.

  5. Click a workload tier in Revenue Recognition.

  6. In the tier table header, Assigned Proposal dropdown, click Sales Accounting / Production. The workload tier and any child subnet tiers will move into Sales Accounting / Production.

  7. Repeat steps 5 and 6 until all the tiers are moved into Sales Accounting / Production.

  8. Click SAVE at the bottom of the panel. Policy Generation will merge all the tiers into one application proposal.

  9. Now approve and deploy Sales Accounting / Production as one application.

Previous
Next

Assigning tiers

In some cases, Policy Generation may group two or more separate applications together, if they talk to each other. The Assign Tiers panel lets you divide such a proposal into separate application proposals.

In other cases, Policy Generation may propose two applications, but you think of them as being one bigger application. The Assign Tiers panel lets you merge them together.

Divide Proposal Example:

Your Scheduling and Inventory applications each have their own web servers and business logic servers, but they share the same database, and both are connected to the Internet.

The logic severs in Scheduling need to talk with the logic severs in Inventory. They operate together in your Production environment, but you manage them as separate applications.

To identify and control traffic for each application, as well as the traffic between applications, you want to group the servers into tiers and name the tiers and their applications appropriately.

Take the following actions:

  1. Examine the tiers in the proposed Application Details page and determine that the tiers belong to more than one application.

  2. On the toolbar, under Actions, click the Assign Tiers icon button to display the Assign Tiers panel.

  3. If the New Proposal panel is not open, click . Enter the Application Name and Environment, Inventory / Production, and click SAVE.

  4. Click the Inventory Web tier, a workload tier.

  5. In the tier table header, Assigned Proposal dropdown, click Inventory / Production. The tier moves into the new Inventory / Production proposal.

  6. Subnet tiers, like Any IP Address, are children of the workload tiers they connect to. They move where their parent moves. A copy of Any IP Address moves to the new proposal.

  7. Click the Inventory Logic tier, another workload tier. In the Assigned Proposal dropdown, again click Inventory /Production. The logic tier moves to the new proposal.

  8. Workload tiers only belong to one application, but they may talk to tiers in other applications.

  9. The database workload tier can be left in Scheduling, moved to Inventory, or click again to assign it to an application all by itself.

  10. Click SAVE at the bottom of the panel. Policy Generation will divide the original proposal into two applications with the appropriate interapplication connections.

  11. Now approve and deploy the two applications separately.

Merge Proposals Example:

Your Sales Accounting and Revenue Recognition applications are managed by the same team and work closely together. You think of them as one big application, even though they run on different sets of servers. Based on its initial setup and discovered data, Policy Generation proposed them as two separate applications.

You want to group all the tiers together in one application and manage their security as one application.

Take the following actions:

  1. From the Applications table or topology, click the proposal with the smallest number of tiers: Revenue Recognition.

  2. In its resulting Application Details page, on the toolbar under Actions, click the Assign Tiers icon button to display the Assign Tiers panel.

  3. The other application that you want to merge may already appear in the panel. If not, and if the New Proposal panel is not open already, click ADD APPLICATION.

  4. Enter the Application Name and Environment, Sales Accounting / Production, and click SAVE.

  5. Click a workload tier in Revenue Recognition.

  6. In the tier table header, Assigned Proposal dropdown, click Sales Accounting / Production. The workload tier and any child subnet tiers will move into Sales Accounting / Production.

  7. Repeat steps 5 and 6 until all the tiers are moved into Sales Accounting / Production.

  8. Click SAVE at the bottom of the panel. Policy Generation will merge all the tiers into one application proposal.

  9. Now approve and deploy Sales Accounting / Production as one application.

Previous
Next