Fortinet Document Library

Version:


Table of Contents

7.0.2
Download PDF
Copy Link

Configuring FortiGate

FortiGate must be configured with a Security Policy that has Learn Mode enabled. The Security Policy allows all services from all source and destination ports and logs all traffic for analysis. Learn Mode uses a special prefix in the policymode and profile fields in traffic and UTM logs for use by FortiAnalyzer and Policy Analyzer MEA. After configuring FortiGate, allow the device to run for several days to capture traffic in logs.

The following FortiGate limitations apply when Learn Mode is enabled in a Security Policy:

  • Only interfaces with device-identification enable can be used as source interfaces in a Security Policy with Learn Mode enabled.
  • Incoming and outgoing interfaces do not support any.
  • Internet service is not supported.
  • NAT46 and NAT64 are not supported.
  • Users and groups are not supported.
  • Some negate options are not supported.

The logs are sent to FortiAnalyzer, and then used by Policy Analyzer MEA to learn about the traffic needs of the FortiGate.

Following is an overview of how to configure FortiGate:

  1. Set NGFW to policy-based. See Setting NGFW to policy-based.
  2. Configure a Security Policy with Learn Mode enabled.
  3. Enable logging to FortiAnalyzer. See Enabling logging to FortiAnalyzer.

Although this section describes how to use FortiOS to configure FortiGate, you can also use FortiManager to configure FortiGate for Policy Analyzer MEA.

Setting NGFW to policy-based

On the FortiGate, NGFW must be set to policy-based.

To set NGFW to policy-based:
  1. Go to System > Settings.
  2. Set NGFW Mode to Policy-based, and click Apply.

Configuring a Security Policy with Learn Mode enabled (7.2)

On the FortiGate, a Security Policy must be configured with Learn Mode enabled to provide the information that Policy Analyzer MEA requires to analyze traffic in logs.

Starting with FortiOS 7.2.0, you can enable Learn Mode in the GUI. In earlier releases of FortiOS, you must use the CLI to enable learning-mode after creating a Security Profile.

config firewall security-policy

edit <policy name>

set learning-mode enable

end

To configure a Security Policy with Learn Mode enabled:
  1. Enable advanced policy options.
    1. Go to System > Feature Visibility.
    2. In the Additional Features column, toggle on Policy Advanced Options, and click Apply.

      Advanced policy options are enabled.

  2. Create a Security Policy.
    1. Go to Policy & Objects > Security Policy, and click Create New.
    2. Set the following options:

      Name

      Type a name, such as Learning Policy.

      Policy Mode

      Select Learn Mode.

      Incoming Interface

      Select a port.

      Outgoing Interface

      Select a port.

    3. Click OK.

      A Security Policy is created.

    A Security Policy with Learn Mode enabled automatically sets the action for all Security Policies to Monitor Only.

Configuring a Security Policy with Learn Mode enabled (7.0)

On the FortiGate, a Security Policy must be configured with Learn Mode enabled to provide the information that Policy Analyzer MEA requires to analyze traffic in logs.

To configure a Security Policy with Learn Mode enabled:
  1. Enable advanced policy options.
    1. Go to System > Feature Visibility.
    2. In the Additional Features column, toggle on Policy Advanced Options, and click Apply.

      Advanced policy options are enabled.

  2. Create a Security Policy.
    1. Go to Policy & Objects > Security Policy, and click Create New.
    2. Set the following options:

      Name

      Type a name, such as Learning Policy.

      Incoming Interface

      Select a port.

      Outgoing Interface

      Select a port.

      Source

      Select all.

      Destination

      Select all.

    3. Use the default settings for the remaining options, and click OK.

      A Security Policy is created.

  3. Edit the Security Policy to enable learning-mode by using the CLI.

    config firewall security-policy

    edit <policy name>

    set learning-mode enable

    end

    A Security Policy with Learn Mode enabled automatically sets the action for all Security Policies to Monitor Only.

Enabling logging to FortiAnalyzer

FortiGate must be configured to send logs to FortiAnalyzer. Policy Analyzer MEA will retrieve log data from FortiAnalyzer.

To enable logging to FortiAnalyzer:
  1. In FortiAnalyzer, configure the authorization address and port.
    1. Go to System Settings > Admin > Admin Settings.
    2. In the Fabric Authorization section, enter an Authorization Address and Authorization Port. FortiOS uses this information to access the FortiAnalyzer login screen.
  2. In FortiOS, go to Security Fabric > Fabric Connectors, and double-click the FortiAnalyzer Logging card.
  3. In the Server box, type the FortiAnalyzer IP, and click OK. The FortiAnalyzer Status (in the right-side gutter) is Unauthorized.
  4. Click Authorize. You are redirected to a login screen.
  5. Enter the username and password, and click Login.
  6. Select Approve, and click OK to authorize the FortiGate.
  7. In FortiOS, refresh the FortiAnalyzer Logging page. The FortiAnalyzer Status is Authorized.
  8. In FortiAnalyzer, go to FortiView > Applications & Websites > Top Applications to view log details.

    The following example identifies top applications and whether the risk level for the application is High, Medium, or Elevated.

Configuring FortiGate

FortiGate must be configured with a Security Policy that has Learn Mode enabled. The Security Policy allows all services from all source and destination ports and logs all traffic for analysis. Learn Mode uses a special prefix in the policymode and profile fields in traffic and UTM logs for use by FortiAnalyzer and Policy Analyzer MEA. After configuring FortiGate, allow the device to run for several days to capture traffic in logs.

The following FortiGate limitations apply when Learn Mode is enabled in a Security Policy:

  • Only interfaces with device-identification enable can be used as source interfaces in a Security Policy with Learn Mode enabled.
  • Incoming and outgoing interfaces do not support any.
  • Internet service is not supported.
  • NAT46 and NAT64 are not supported.
  • Users and groups are not supported.
  • Some negate options are not supported.

The logs are sent to FortiAnalyzer, and then used by Policy Analyzer MEA to learn about the traffic needs of the FortiGate.

Following is an overview of how to configure FortiGate:

  1. Set NGFW to policy-based. See Setting NGFW to policy-based.
  2. Configure a Security Policy with Learn Mode enabled.
  3. Enable logging to FortiAnalyzer. See Enabling logging to FortiAnalyzer.

Although this section describes how to use FortiOS to configure FortiGate, you can also use FortiManager to configure FortiGate for Policy Analyzer MEA.

Setting NGFW to policy-based

On the FortiGate, NGFW must be set to policy-based.

To set NGFW to policy-based:
  1. Go to System > Settings.
  2. Set NGFW Mode to Policy-based, and click Apply.

Configuring a Security Policy with Learn Mode enabled (7.2)

On the FortiGate, a Security Policy must be configured with Learn Mode enabled to provide the information that Policy Analyzer MEA requires to analyze traffic in logs.

Starting with FortiOS 7.2.0, you can enable Learn Mode in the GUI. In earlier releases of FortiOS, you must use the CLI to enable learning-mode after creating a Security Profile.

config firewall security-policy

edit <policy name>

set learning-mode enable

end

To configure a Security Policy with Learn Mode enabled:
  1. Enable advanced policy options.
    1. Go to System > Feature Visibility.
    2. In the Additional Features column, toggle on Policy Advanced Options, and click Apply.

      Advanced policy options are enabled.

  2. Create a Security Policy.
    1. Go to Policy & Objects > Security Policy, and click Create New.
    2. Set the following options:

      Name

      Type a name, such as Learning Policy.

      Policy Mode

      Select Learn Mode.

      Incoming Interface

      Select a port.

      Outgoing Interface

      Select a port.

    3. Click OK.

      A Security Policy is created.

    A Security Policy with Learn Mode enabled automatically sets the action for all Security Policies to Monitor Only.

Configuring a Security Policy with Learn Mode enabled (7.0)

On the FortiGate, a Security Policy must be configured with Learn Mode enabled to provide the information that Policy Analyzer MEA requires to analyze traffic in logs.

To configure a Security Policy with Learn Mode enabled:
  1. Enable advanced policy options.
    1. Go to System > Feature Visibility.
    2. In the Additional Features column, toggle on Policy Advanced Options, and click Apply.

      Advanced policy options are enabled.

  2. Create a Security Policy.
    1. Go to Policy & Objects > Security Policy, and click Create New.
    2. Set the following options:

      Name

      Type a name, such as Learning Policy.

      Incoming Interface

      Select a port.

      Outgoing Interface

      Select a port.

      Source

      Select all.

      Destination

      Select all.

    3. Use the default settings for the remaining options, and click OK.

      A Security Policy is created.

  3. Edit the Security Policy to enable learning-mode by using the CLI.

    config firewall security-policy

    edit <policy name>

    set learning-mode enable

    end

    A Security Policy with Learn Mode enabled automatically sets the action for all Security Policies to Monitor Only.

Enabling logging to FortiAnalyzer

FortiGate must be configured to send logs to FortiAnalyzer. Policy Analyzer MEA will retrieve log data from FortiAnalyzer.

To enable logging to FortiAnalyzer:
  1. In FortiAnalyzer, configure the authorization address and port.
    1. Go to System Settings > Admin > Admin Settings.
    2. In the Fabric Authorization section, enter an Authorization Address and Authorization Port. FortiOS uses this information to access the FortiAnalyzer login screen.
  2. In FortiOS, go to Security Fabric > Fabric Connectors, and double-click the FortiAnalyzer Logging card.
  3. In the Server box, type the FortiAnalyzer IP, and click OK. The FortiAnalyzer Status (in the right-side gutter) is Unauthorized.
  4. Click Authorize. You are redirected to a login screen.
  5. Enter the username and password, and click Login.
  6. Select Approve, and click OK to authorize the FortiGate.
  7. In FortiOS, refresh the FortiAnalyzer Logging page. The FortiAnalyzer Status is Authorized.
  8. In FortiAnalyzer, go to FortiView > Applications & Websites > Top Applications to view log details.

    The following example identifies top applications and whether the risk level for the application is High, Medium, or Elevated.