Fortinet white logo
Fortinet white logo

Allowing learned traffic with permissive mode

Allowing learned traffic with permissive mode

This example describes how to use the Policy Analyzer MEA wizard to create a policy block and an implicit policy. During the wizard, you must choose whether to configure the implicit policy to deny or allow all traffic.

You can use the Allow Learned Traffic - Permissive Mode setting to combine and allow traffic learned from different users and their detected applications. This method is based on Least Common Multiple concept. The wizard automatically creates a policy block with one policy to allow this traffic, and the policy block is followed by an implicit deny or allow policy. The policy block is inserted in the policy package above the Security Policy with Learn Mode enabled, and the updated policy package is automatically installed to the device.

Note

Only good, learned traffic is allowed. The malware and high-risk traffic is filtered out first.

To allow learned traffic with permissive mode:
  1. Open Policy Analyzer MEA to access the first step in the wizard.

    Policy Analyzer opens, and the first pane of the wizard is displayed. The name of the first pane is 1. Select One device.

  2. On the 1. Select One device pane, select a FortiGate.

    Option

    Description

    DeviceSelect a managed FortiGate that uses a Security Policy with Learn Mode enabled.
    Policy packageAfter selecting a FortiGate, the policy package for the selected FortiGate is displayed.
    FortiAnalyzer statusDisplays whether logging from FortiGate to FortiAnalyzer is enabled.
    FortiAnalyzer IPAfter selecting a FortiGate, the IP address for the FortiAnalyzer that is receiving logs from the selected FortiGate is displayed.
  3. On the 1. Select One device pane, complete the following options to validate credentials for FortiAnalyzer and select a date range of logs to analyze, and then click Next.

    Option

    Description

    FortiAnalyzer username

    Type the username for the administrator account for FortiAnalyzer.

    The administrator account must have JSON API set to a minimum of Read. See also Configuring FortiAnalyzer.

    FortiAnalyzer passwordType the password for the administrator account.
    Validate CredentialsAfter typing in the FortiAnalyzer username and password, click Validate Credentials to authenticate access to the logs on FortiAnalyzer.
    FortiAnalyzer ADOM

    Available after you validate the username and password for FortiAnalyzer.

    Select the ADOM on FortiAnalyzer that contains the logs for the selected FortiGate.

    Log date range

    Available after you validate the username and password for FortiAnalyzer.

    Click the calendar icon to select a date range of logs for analysis.

    Policy Analyzer MEA needs to access online logs indexed in the FortiAnalyzer SQL database. Policy Analyzer MEA cannot analyze archived logs. For more information, see the FortiAnalyzer 7.0.2 Administration Guide.

    The 2. Select Learning-Mode Policies pane is displayed.

  4. On the 2. Select Learning-Mode Policies pane, select a Security Policy with Learn Mode enabled, and click Next.

    Policies are available for selection when they have Learn Mode enabled and have hit counts.

    The 3. Select One Policy Mode pane is displayed.

  5. On the 3. Select One Policy Mode pane, select Allow Learned Traffic - Permissive Mode, and click Next.

    The Review Discovered Traffic pane is displayed.

  6. On the Review Discovered Traffic pane, review discovered traffic, and then click Next.

    In the following example, the Top Applications tab shows the high-risk applications in the logs. Click the Top Users, Top Web Categories, and Top Threats tabs to review traffic on each tab.

    The Create Policy Block pane is displayed.

  7. On the Create Policy Block pane, choose one of the following settings for the implicit policy, and click OK:

    Option

    Description

    Deny Any - AnySelect to deny traffic on all source and destination ports.
    Permit Any - AnySelect to permit traffic on all source and destination ports.
  8. In the confirmation dialog box, click OK.

    Policy Analyzer MEA automatically creates the policy block, inserts the policy block in to the policy package, and the policy package is installed to the FortiGate.

  9. Go to Policy & Objects > Policy Packages > Security Policy to view the policy block created by Policy Analyzer MEA.

    The policy block and implicit policy are added above the rules in the policy package.

Allowing learned traffic with permissive mode

Allowing learned traffic with permissive mode

This example describes how to use the Policy Analyzer MEA wizard to create a policy block and an implicit policy. During the wizard, you must choose whether to configure the implicit policy to deny or allow all traffic.

You can use the Allow Learned Traffic - Permissive Mode setting to combine and allow traffic learned from different users and their detected applications. This method is based on Least Common Multiple concept. The wizard automatically creates a policy block with one policy to allow this traffic, and the policy block is followed by an implicit deny or allow policy. The policy block is inserted in the policy package above the Security Policy with Learn Mode enabled, and the updated policy package is automatically installed to the device.

Note

Only good, learned traffic is allowed. The malware and high-risk traffic is filtered out first.

To allow learned traffic with permissive mode:
  1. Open Policy Analyzer MEA to access the first step in the wizard.

    Policy Analyzer opens, and the first pane of the wizard is displayed. The name of the first pane is 1. Select One device.

  2. On the 1. Select One device pane, select a FortiGate.

    Option

    Description

    DeviceSelect a managed FortiGate that uses a Security Policy with Learn Mode enabled.
    Policy packageAfter selecting a FortiGate, the policy package for the selected FortiGate is displayed.
    FortiAnalyzer statusDisplays whether logging from FortiGate to FortiAnalyzer is enabled.
    FortiAnalyzer IPAfter selecting a FortiGate, the IP address for the FortiAnalyzer that is receiving logs from the selected FortiGate is displayed.
  3. On the 1. Select One device pane, complete the following options to validate credentials for FortiAnalyzer and select a date range of logs to analyze, and then click Next.

    Option

    Description

    FortiAnalyzer username

    Type the username for the administrator account for FortiAnalyzer.

    The administrator account must have JSON API set to a minimum of Read. See also Configuring FortiAnalyzer.

    FortiAnalyzer passwordType the password for the administrator account.
    Validate CredentialsAfter typing in the FortiAnalyzer username and password, click Validate Credentials to authenticate access to the logs on FortiAnalyzer.
    FortiAnalyzer ADOM

    Available after you validate the username and password for FortiAnalyzer.

    Select the ADOM on FortiAnalyzer that contains the logs for the selected FortiGate.

    Log date range

    Available after you validate the username and password for FortiAnalyzer.

    Click the calendar icon to select a date range of logs for analysis.

    Policy Analyzer MEA needs to access online logs indexed in the FortiAnalyzer SQL database. Policy Analyzer MEA cannot analyze archived logs. For more information, see the FortiAnalyzer 7.0.2 Administration Guide.

    The 2. Select Learning-Mode Policies pane is displayed.

  4. On the 2. Select Learning-Mode Policies pane, select a Security Policy with Learn Mode enabled, and click Next.

    Policies are available for selection when they have Learn Mode enabled and have hit counts.

    The 3. Select One Policy Mode pane is displayed.

  5. On the 3. Select One Policy Mode pane, select Allow Learned Traffic - Permissive Mode, and click Next.

    The Review Discovered Traffic pane is displayed.

  6. On the Review Discovered Traffic pane, review discovered traffic, and then click Next.

    In the following example, the Top Applications tab shows the high-risk applications in the logs. Click the Top Users, Top Web Categories, and Top Threats tabs to review traffic on each tab.

    The Create Policy Block pane is displayed.

  7. On the Create Policy Block pane, choose one of the following settings for the implicit policy, and click OK:

    Option

    Description

    Deny Any - AnySelect to deny traffic on all source and destination ports.
    Permit Any - AnySelect to permit traffic on all source and destination ports.
  8. In the confirmation dialog box, click OK.

    Policy Analyzer MEA automatically creates the policy block, inserts the policy block in to the policy package, and the policy package is installed to the FortiGate.

  9. Go to Policy & Objects > Policy Packages > Security Policy to view the policy block created by Policy Analyzer MEA.

    The policy block and implicit policy are added above the rules in the policy package.