FortiOS NGFW mode supported

FortiManager 6.2 policy package now supports the policy-based Next Generation Firewall (NGFW) mode that is available with FortiOS 6.2.1 and later.

To configure NGFW mode in a FortiManager 6.2 ADOM:
  1. On FortiGate, change ngfw-mode from the default profile-based to policy-based using the following CLI commands:

    FGT60E4Q16030265 (vdom) # edit policy
    current vf=policy:1
    FGT60E4Q16030265 (policy) # config sys settings
    FGT60E4Q16030265 (settings) #
    FGT60E4Q16030265 (settings) # show
    config system settings
        set ngfw-mode policy-based
    end
    FGT60E4Q16030265 (profile) # config system settings
    FGT60E4Q16030265 (settings) # set ngfw-mode
    profile-based    Application and web-filtering are configured using profiles applied to policy entries.
    policy-based     Application and web-filtering are configured as policy match conditions.

  2. In policy-based NGFW mode on FortiGate, use the new Firewall Policy and Security Policy, as in the following CLI examples:

    Firewall Policy:

    FGT60E4Q16030265 (vdom) # edit policy
    current vf=policy:1
    FGT60E4Q16030265 (policy) # config sys settings
    FGT60E4Q16030265 (settings) #
    FGT60E4Q16030265 (settings) # show
    config system settings
        set ngfw-mode policy-based
    end

    FGT60E4Q16030265 (profile) # config system settings
    FGT60E4Q16030265 (settings) # set ngfw-mode
    profile-based    Application and web-filtering are configured using profiles applied to policy entries.
    policy-based     Application and web-filtering are configured as policy match conditions.

    Security Policy:

    config firewall security-policy
        edit 1
            set uuid f50fd6da-9eab-51e9-1065-7b37a4a17268
            set name "2"
            set srcintf "internal5"
            set dstintf "internal6"
            set srcaddr4 "all"
            set dstaddr4 "all"
            set enforce-default-app-port disable
            set service "ALL"
            set action accept
            set schedule "always"
            set logtraffic-start enable
            set av-profile "g-default"
            set emailfilter-profile "default"
            set dlp-sensor "Content_Archive"
            set ips-sensor "default"
            set application 36481
            set app-category 28
            set url-category 64
        next
    end

  3. After you import this FortiGate/VDOM policy to FortiManager, the imported policy package settings have the same ngfw-mode configuration, as well as the same firewall policies and security policies.

  4. When creating new policy packages, the different NGFW modes are supported.

  5. Policy blocks have the same support. A policy package can only add a policy block with the same mode. After the policy block is added, neither the policy package nor the policy block can change mode.
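
A review check for the settings and security policy shown in steps 1 and 2, as an added example that is not Fortinet's code: it parses a saved configuration, reads ngfw-mode, and lists accept security policies that deserve a second look before the package is imported or installed. The function names, the review criteria, and the assumption of flat (non-nested) config blocks belong to this example.

```python
import shlex

# Constructed sample, trimmed from the settings and security policy shown in steps 1 and 2.
SAMPLE = """\
config system settings
    set ngfw-mode policy-based
end
config firewall security-policy
    edit 1
        set srcaddr4 "all"
        set dstaddr4 "all"
        set enforce-default-app-port disable
        set service "ALL"
        set action accept
        set application 36481
    next
end
"""

def parse_config(text):
    """Parse flat (non-nested) config blocks into {section: {entry_id: {key: [values]}}}."""
    sections, section, entry = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("config "):
            sections.setdefault((section := line[len("config "):]), {})
        elif line.startswith("edit "):
            entry = line[len("edit "):].strip('"')
        elif line.startswith("set ") and section:
            key, *values = shlex.split(line)[1:]
            sections[section].setdefault(entry, {})[key] = values
        elif line in ("next", "end"):  # "next" closes an entry, "end" closes the section
            entry, section = None, (section if line == "next" else None)
    return sections

def ngfw_mode(sections):  # the page gives profile-based as the default
    return sections.get("system settings", {}).get(None, {}).get("ngfw-mode", ["profile-based"])[0]

def audit(sections):
    """Return (policy_id, finding) pairs; the review criteria are assumptions of this example."""
    findings = []
    for pid, p in sections.get("firewall security-policy", {}).items():
        if ngfw_mode(sections) != "policy-based" or p.get("action") != ["accept"]:
            continue
        if not any(k in p for k in ("application", "app-category", "url-category")):
            findings.append((pid, "accept without application or URL match"))
        if p.get("enforce-default-app-port") == ["disable"]:
            findings.append((pid, "default application port not enforced"))
        if (p.get("srcaddr4"), p.get("dstaddr4"), p.get("service")) == (["all"], ["all"], ["ALL"]):
            findings.append((pid, "any source, destination and service"))
    return findings
```

Calling `audit(parse_config(SAMPLE))` returns two findings for policy 1; a configuration left in profile-based mode returns none, because the security-policy table only applies in policy-based mode.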
