Administration Guide

Configuring FortiPolicy

FortiPolicy can be added to the Security Fabric. When FortiPolicy joins the Security Fabric and is authorized in the Security Fabric widget, it appears in the Fabric topology pages. A FortiGate can grant permission to FortiPolicy to perform firewall address and policy changes.

FortiPolicy requires REST API access to FortiGate.

To add FortiPolicy to the Security Fabric in the GUI:
  1. In FortiOS, ensure that FortiGate is prepared to add FortiPolicy to the Security Fabric. See Preparing FortiGate for supported Security Fabric devices.

  2. (Optional) In FortiOS, configure pre-authorization of FortiPolicy to enable the device to join the Security Fabric as soon as it connects. See Configuring pre-authorization of supported Security Fabric devices.

  3. In FortiPolicy, edit the Security Fabric settings.

    FortiPolicy instructions are included for convenience. For the latest FortiPolicy instructions, see the FortiPolicy Administration Guide.

    1. Go to Configuration > Security Fabric and select Edit current security fabric settings.

    2. Enter the root FortiGate's IP address.

    3. Set the Port (the default is 8013).

    4. Select a FortiPolicy security policy.

    5. Click UPDATE. The connection status is Not Connected (Authorization Pending).

  4. In FortiOS, authorize FortiPolicy. See Authorizing supported connectors.

    If FortiPolicy is pre-authorized, you can skip this step.

  5. In FortiPolicy, refresh the Configuration > Security Fabric page, and verify that the connection status is Connected (Authorized).

  6. In FortiOS, grant FortiPolicy write access permission in the CLI:

    config system csf
        config fabric-connector
            edit "FPLVM1TM23000000"
                set configuration-write-access enable
            next
        end
    end

  7. Go to Security Fabric > Physical Topology or Security Fabric > Logical Topology to view more information.

    Physical topology view:

    Logical topology view:
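Because configuration-write-access lets a connector push address and policy changes to the FortiGate, it is worth auditing which fabric connectors hold it. The following Python script is an added example, not Fortinet code: it parses a saved "config system csf" block in the CLI format shown above and lists the connectors with write access enabled. The second connector and its serial are constructed placeholders.

```python
# Added example (not Fortinet code): audit a FortiOS "config system csf"
# block and report which fabric connectors have configuration-write-access
# enabled, i.e. which connectors may push firewall address/policy changes.
from typing import Dict, List, Optional

# Constructed sample: the connector from the page plus a hypothetical second
# connector (placeholder serial) that has not been granted write access.
SAMPLE_CSF = """
config system csf
    set status enable
    config fabric-connector
        edit "FPLVM1TM23000000"
            set configuration-write-access enable
        next
        edit "FPL-PLACEHOLDER-0002"
            set configuration-write-access disable
        next
    end
end
"""

def parse_fabric_connectors(text: str) -> Dict[str, Dict[str, str]]:
    """Return {serial: {setting: value}} for each entry under
    'config fabric-connector', tracking config/edit/next/end nesting."""
    connectors: Dict[str, Dict[str, str]] = {}
    path: List[str] = []                     # stack of open "config" tables
    current: Optional[Dict[str, str]] = None  # settings of the open "edit"
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            path.append(line.split(None, 1)[1])
        elif line.startswith("edit "):
            name = line.split(None, 1)[1].strip('"')
            if path and path[-1] == "fabric-connector":
                current = connectors.setdefault(name, {})
        elif line.startswith("set ") and current is not None:
            parts = line.split(None, 2)       # set <key> <value>
            if len(parts) == 3:
                current[parts[1]] = parts[2].strip('"')
        elif line == "next":
            current = None
        elif line == "end" and path:
            path.pop()
    return connectors

def connectors_with_write_access(text: str) -> List[str]:
    """Serials whose configuration-write-access is set to enable."""
    return sorted(s for s, cfg in parse_fabric_connectors(text).items()
                  if cfg.get("configuration-write-access") == "enable")

if __name__ == "__main__":
    print(connectors_with_write_access(SAMPLE_CSF))  # ['FPLVM1TM23000000']
```

Feed it the output of "show system csf" saved from the root FortiGate to review write grants during a change audit.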

To deploy firewall policies from FortiPolicy to the root FortiGate:
  1. Create a policy in FortiPolicy (see Customizing policies in the FortiPolicy Administration Guide).

    In this example, a default security policy rule called PC71O_External_2 is created. Since FortiPolicy is integrated in the Security Fabric, it uses the REST API to push the static policy, dynamic firewall objects, and service objects to the root FortiGate.

  2. In FortiOS, go to Policy & Objects > Firewall Policy to view the policy named PC71O_External_2.

  3. Go to Policy & Objects > Addresses to view the dynamic firewall address associated with the policy (FPLVM1TM23000000_Oth_Default_PC71).

  4. Go to Policy & Objects > Services to view the service objects associated with the policy (seg_DNS_UDP, seg_UDP_443, seg_HTTPS, and seg_TCP_8013).
