Fortinet Document Library

Version:

Version:

Version:


Table of Contents

New Features

Download PDF
Copy Link

New management extension - Policy Analyzer 7.0.2

This feature adds the Policy Analyzer application as a management extension application (MEA).

Policy Analyzer MEA is an automated tool with a wizard. It works with Security Policies in learning mode from a managed FortiGate to analyze logs sent to FortiAnalyzer. Based on the analyzed traffic, administrators can choose to automatically create a policy block to:

  • Block malicious traffic
  • Allowed learned traffic - permissive mode
  • Allowed learned traffic - restricted mode

A policy block is automatically created and inserted in the policy package, and the policy package is installed to the target FortiGate.

Policy Analyzer MEA is included with FortiManager and does not require a license.

By default, Policy Analyzer is disabled. You can enable Policy Analyzer by using the GUI or the CLI.

For information about minimum system resources recommended for FortiManager when using Policy Analyzer, see the FortiManager Release Notes.

For information about using Policy Analyzer, see the Policy Analyzer Administration Guide.

The following CLI commands are available for Policy Analyzer:

  • config system docker
  • diagnose docker status
  • diagnose docker upgrade policyanalyzer

This topic contains the following sections:

Enabling Policy Analyzer MEA

To enable Policy Analyzer MEA by using the GUI:
  1. On FortiManager, ensure you are logged in by using an administrator account that is assigned a Super_User profile.
  2. Go to Management Extensions, and click Policy Analyzer.

    A confirmation dialog box is displayed.

  3. In the confirmation dialog box, click OK.

    As long as FortiManager has access to the Internet, Policy Analyzer MEA is downloaded from the Fortinet registry (registry.fortinet.com). A progress bar displays under the Policy Analyzer tile.

    After Policy Analyzer is downloaded, the Policy Analyzer tile is available.

  4. Click Policy Analyzer.

    Policy Analyzer opens.

  5. Prepare to use Policy Analyzer MEA.

Preparing to use Policy Analyzer MEA

Before you can use Policy Analyzer MEA, you must complete some configuration on FortiGate, FortiAnalyzer, and FortiManager.

To prepare to use Policy Analyzer:
  1. On FortiGate, complete the following configuration:
    1. Set NFGW to policy-based.
    2. Configure a Security Policy with Learning Mode enabled.
    3. Enable logging to FortiAnalyzer.

    For details, see Policy Analyzer Administration Guide > Configuring FortiGate.

  2. On FortiAnalyzer, complete the following configuration:
    1. Authorize logging from FortiGate.
    2. Ensure that the administrative account has JSON API access set to a minimum of READ to enable API communication between the products.

    For details, see Policy Analyzer Administration Guide > Configuring FortiAnalyzer.

  3. On FortiManager, add the FortiGate for management.

    For details, see Policy Analyzer Administration Guide > Configuring FortiManager.

Using Policy Analyzer MEA

After you have prepared to use Policy Analyzer MEA, you are ready to use the following Policy Analyzer MEA modes to create policies:

New management extension - Policy Analyzer 7.0.2

This feature adds the Policy Analyzer application as a management extension application (MEA).

Policy Analyzer MEA is an automated tool with a wizard. It works with Security Policies in learning mode from a managed FortiGate to analyze logs sent to FortiAnalyzer. Based on the analyzed traffic, administrators can choose to automatically create a policy block to:

  • Block malicious traffic
  • Allowed learned traffic - permissive mode
  • Allowed learned traffic - restricted mode

A policy block is automatically created and inserted in the policy package, and the policy package is installed to the target FortiGate.

Policy Analyzer MEA is included with FortiManager and does not require a license.

By default, Policy Analyzer is disabled. You can enable Policy Analyzer by using the GUI or the CLI.

For information about minimum system resources recommended for FortiManager when using Policy Analyzer, see the FortiManager Release Notes.

For information about using Policy Analyzer, see the Policy Analyzer Administration Guide.

The following CLI commands are available for Policy Analyzer:

  • config system docker
  • diagnose docker status
  • diagnose docker upgrade policyanalyzer

This topic contains the following sections:

Enabling Policy Analyzer MEA

To enable Policy Analyzer MEA by using the GUI:
  1. On FortiManager, ensure you are logged in by using an administrator account that is assigned a Super_User profile.
  2. Go to Management Extensions, and click Policy Analyzer.

    A confirmation dialog box is displayed.

  3. In the confirmation dialog box, click OK.

    As long as FortiManager has access to the Internet, Policy Analyzer MEA is downloaded from the Fortinet registry (registry.fortinet.com). A progress bar displays under the Policy Analyzer tile.

    After Policy Analyzer is downloaded, the Policy Analyzer tile is available.

  4. Click Policy Analyzer.

    Policy Analyzer opens.

  5. Prepare to use Policy Analyzer MEA.

Preparing to use Policy Analyzer MEA

Before you can use Policy Analyzer MEA, you must complete some configuration on FortiGate, FortiAnalyzer, and FortiManager.

To prepare to use Policy Analyzer:
  1. On FortiGate, complete the following configuration:
    1. Set NFGW to policy-based.
    2. Configure a Security Policy with Learning Mode enabled.
    3. Enable logging to FortiAnalyzer.

    For details, see Policy Analyzer Administration Guide > Configuring FortiGate.

  2. On FortiAnalyzer, complete the following configuration:
    1. Authorize logging from FortiGate.
    2. Ensure that the administrative account has JSON API access set to a minimum of READ to enable API communication between the products.

    For details, see Policy Analyzer Administration Guide > Configuring FortiAnalyzer.

  3. On FortiManager, add the FortiGate for management.

    For details, see Policy Analyzer Administration Guide > Configuring FortiManager.

Using Policy Analyzer MEA

After you have prepared to use Policy Analyzer MEA, you are ready to use the following Policy Analyzer MEA modes to create policies: