Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • New Features

    Home FortiManager 6.2.1 New Features
    6.2.1
    7.6.0
    7.4.0
    7.2.0
    7.0.0
    6.4.0
    6.2.7
    6.2.3
    6.2.2
    6.2.1
    6.2.0

    FortiOS NGFW mode supported

    FortiOS NGFW mode supported

    FortiManager 6.2 policy package now supports the policy-based Next Generation Firewall (NGFW) mode that is available with FortiOS 6.2.1 and later.

    To configure NGFW mode in a FortiManager 6.2 ADOM:
    1. On FortiGate, change ngfw-mode from default profile based to policy-based using the following command line: 
      FGT60E4Q16030265 (vdom) # edit policy
					current vf=policy:1
					FGT60E4Q16030265 (policy) # config sys settings
					FGT60E4Q16030265 (settings) #
					FGT60E4Q16030265 (settings) # show
					config system settings
					set ngfw-mode policy-based
					end
					FGT60E4Q16030265 (profile) # config system settings
					FGT60E4Q16030265 (settings) # set ngfw-mode
					profile-based    Application and web-filtering are configured using profiles applied to policy entries.
					policy-based     Application and web-filtering are configured as policy match conditions.
    2. In the policy-based NGFW mode on FortiGate, use the new Firewall Policy and Security Policy as below CLI examples:

      Firewall Policy:

      FGT60E4Q16030265 (vdom) # edit policy
					current vf=policy:1
					FGT60E4Q16030265 (policy) # config sys settings
					FGT60E4Q16030265 (settings) #
					FGT60E4Q16030265 (settings) # show
					config system settings
					set ngfw-mode policy-based
					end

					FGT60E4Q16030265 (profile) # config system settings
					FGT60E4Q16030265 (settings) # set ngfw-mode
					profile-based    Application and web-filtering are configured using profiles applied to policy entries.
					policy-based     Application and web-filtering are configured as policy match conditions.

      Security Policy:

      config firewall security-policy
					edit 1
					set uuid f50fd6da-9eab-51e9-1065-7b37a4a17268
					set name "2"
					set srcintf "internal5"
					set dstintf "internal6"
					set srcaddr4 "all"
					set dstaddr4 "all"
					set enforce-default-app-port disable
					set service "ALL"
					set action accept
					set schedule "always"
					set logtraffic-start enable
					set av-profile "g-default"
					set emailfilter-profile "default"
					set dlp-sensor "Content_Archive"
					set ips-sensor "default"
					set application 36481
					set app-category 28
					set url-category 64
					next
				end

    3. After importing this FortiGate/VDOM policy to FortiManager, imported policy package settings has same ngfw-mode configuration, and also has the same firewall policies, and security policies.

    4. For creating new policy packages, there is support for different NGFW modes.

    5. Policy block also has same support. And policy package can only add policy block with same mode. After adding, both policy package and policy block cannot change mode.

    Previous
    Next

    FortiOS NGFW mode supported

    FortiOS NGFW mode supported

    FortiManager 6.2 policy package now supports the policy-based Next Generation Firewall (NGFW) mode that is available with FortiOS 6.2.1 and later.

    To configure NGFW mode in a FortiManager 6.2 ADOM:
    1. On FortiGate, change ngfw-mode from default profile based to policy-based using the following command line: 
      FGT60E4Q16030265 (vdom) # edit policy
					current vf=policy:1
					FGT60E4Q16030265 (policy) # config sys settings
					FGT60E4Q16030265 (settings) #
					FGT60E4Q16030265 (settings) # show
					config system settings
					set ngfw-mode policy-based
					end
					FGT60E4Q16030265 (profile) # config system settings
					FGT60E4Q16030265 (settings) # set ngfw-mode
					profile-based    Application and web-filtering are configured using profiles applied to policy entries.
					policy-based     Application and web-filtering are configured as policy match conditions.
    2. In the policy-based NGFW mode on FortiGate, use the new Firewall Policy and Security Policy as below CLI examples:

      Firewall Policy:

      FGT60E4Q16030265 (vdom) # edit policy
					current vf=policy:1
					FGT60E4Q16030265 (policy) # config sys settings
					FGT60E4Q16030265 (settings) #
					FGT60E4Q16030265 (settings) # show
					config system settings
					set ngfw-mode policy-based
					end

					FGT60E4Q16030265 (profile) # config system settings
					FGT60E4Q16030265 (settings) # set ngfw-mode
					profile-based    Application and web-filtering are configured using profiles applied to policy entries.
					policy-based     Application and web-filtering are configured as policy match conditions.

      Security Policy:

      config firewall security-policy
					edit 1
					set uuid f50fd6da-9eab-51e9-1065-7b37a4a17268
					set name "2"
					set srcintf "internal5"
					set dstintf "internal6"
					set srcaddr4 "all"
					set dstaddr4 "all"
					set enforce-default-app-port disable
					set service "ALL"
					set action accept
					set schedule "always"
					set logtraffic-start enable
					set av-profile "g-default"
					set emailfilter-profile "default"
					set dlp-sensor "Content_Archive"
					set ips-sensor "default"
					set application 36481
					set app-category 28
					set url-category 64
					next
				end

    3. After importing this FortiGate/VDOM policy to FortiManager, imported policy package settings has same ngfw-mode configuration, and also has the same firewall policies, and security policies.

    4. For creating new policy packages, there is support for different NGFW modes.

    5. Policy block also has same support. And policy package can only add policy block with same mode. After adding, both policy package and policy block cannot change mode.

    Previous
    Next