Fortinet white logo
Fortinet white logo

Key concepts

Key concepts

This section describes the following key concepts for using Policy Analyzer MEA:

Device and logging requirements

FortiGate must have NGFW set to policy-based and be configured to use a Security Policy with Learn Mode enabled. FortiGate must also send the logs to FortiAnalyzer. Allow the Security Policy to run for several days to generate traffic for analysis.

FortiGate must be managed by FortiManager in a version 7.0 or later ADOM, with a synchronized configuration status. FortiManager must have Policy Analyzer MEA enabled.

FortiManager must be able to communicate with FortiAnalyzer by its IP address, and the FortiManager administrator requires valid FortiAnalyzer credentials to authorize access to the logs.

Policy Analyzer wizard process

In Policy Analyzer MEA, you use a wizard to identify what FortiGate, FortiAnalyzer, and Security Policy to use for traffic analysis. Policy Analyzer MEA analyzes the traffic, and presents you with several options to handle the traffic. You choose an option, and Policy Analyzer MEA automatically creates a policy block. Policy Analyzer MEA also works with FortiManager to automatically insert the policy block into the Security Policy, and install the updated policy package to FortiGate.

Note

You cannot edit the policy block in Policy Analyzer MEA. However after the policy block is automatically installed to the FortiGate, you can edit the policy block on the FortiManager > Policy & Objects pane, and then install the changes to FortiGate.

Types of policies generated by Policy Analyzer wizard

When using Policy Analyzer MEA wizard, you can choose one of the following modes:

  • Block malicious traffic
  • Allowed learned traffic - permissive mode
  • Allowed learned traffic - restricted mode
Note

Both Allow learned traffic modes also generate an implicit policy, and you must specify whether the implicit policy accepts or denies all traffic.

After you choose a mode, Policy Analyzer MEA automatically generates policies based on the selected mode. The following table summarizes the modes:

Mode

Description

Implicit Policy Generated?

Block malicious traffic

When the Policy Analyzer MEA wizard detects malware and applications rated high-risk, you can select the Block Malicious Traffic mode to create a policy block that will block the traffic on the FortiGate. Even though malicious traffic is leaned on a specific port, the policy block generated by Policy Analyzer MEA will block malicious traffic on all FortiGate interfaces.

No
Allowed learned traffic - permissive mode

You can use the Allow Learned Traffic - Permissive Mode setting to combine and allow traffic learned from different users and their detected applications. This method is based on Least Common Multiple concept. The wizard automatically creates a policy block with one policy to allow this traffic, and the policy block is followed by an implicit deny or allow policy. The policy block is inserted in the policy package above the Security Policy with Learn Mode enabled, and the updated policy package is automatically installed to the device.

Yes, and you choose whether the implicit policy denies or allows all traffic.

Allowed learned traffic - restricted mode

You can use the Allow Learned Traffic - Restricted Mode setting to allow the traffic learned for each user with their specific applications only. This method is based on Largest Common Denominator concept. The Policy Analyzer wizard automatically creates a policy block with one policy for each distinctive user, and the policy block is followed by an implicit deny or allow policy. The policy block is inserted in the policy package above the Security Policy with Learn Mode enabled, and the updated policy package is automatically installed to the device.

Yes, and you choose whether the implicit policy denies or allows all traffic.

Key concepts

Key concepts

This section describes the following key concepts for using Policy Analyzer MEA:

Device and logging requirements

FortiGate must have NGFW set to policy-based and be configured to use a Security Policy with Learn Mode enabled. FortiGate must also send the logs to FortiAnalyzer. Allow the Security Policy to run for several days to generate traffic for analysis.

FortiGate must be managed by FortiManager in a version 7.0 or later ADOM, with a synchronized configuration status. FortiManager must have Policy Analyzer MEA enabled.

FortiManager must be able to communicate with FortiAnalyzer by its IP address, and the FortiManager administrator requires valid FortiAnalyzer credentials to authorize access to the logs.

Policy Analyzer wizard process

In Policy Analyzer MEA, you use a wizard to identify what FortiGate, FortiAnalyzer, and Security Policy to use for traffic analysis. Policy Analyzer MEA analyzes the traffic, and presents you with several options to handle the traffic. You choose an option, and Policy Analyzer MEA automatically creates a policy block. Policy Analyzer MEA also works with FortiManager to automatically insert the policy block into the Security Policy, and install the updated policy package to FortiGate.

Note

You cannot edit the policy block in Policy Analyzer MEA. However after the policy block is automatically installed to the FortiGate, you can edit the policy block on the FortiManager > Policy & Objects pane, and then install the changes to FortiGate.

Types of policies generated by Policy Analyzer wizard

When using Policy Analyzer MEA wizard, you can choose one of the following modes:

  • Block malicious traffic
  • Allowed learned traffic - permissive mode
  • Allowed learned traffic - restricted mode
Note

Both Allow learned traffic modes also generate an implicit policy, and you must specify whether the implicit policy accepts or denies all traffic.

After you choose a mode, Policy Analyzer MEA automatically generates policies based on the selected mode. The following table summarizes the modes:

Mode

Description

Implicit Policy Generated?

Block malicious traffic

When the Policy Analyzer MEA wizard detects malware and applications rated high-risk, you can select the Block Malicious Traffic mode to create a policy block that will block the traffic on the FortiGate. Even though malicious traffic is leaned on a specific port, the policy block generated by Policy Analyzer MEA will block malicious traffic on all FortiGate interfaces.

No
Allowed learned traffic - permissive mode

You can use the Allow Learned Traffic - Permissive Mode setting to combine and allow traffic learned from different users and their detected applications. This method is based on Least Common Multiple concept. The wizard automatically creates a policy block with one policy to allow this traffic, and the policy block is followed by an implicit deny or allow policy. The policy block is inserted in the policy package above the Security Policy with Learn Mode enabled, and the updated policy package is automatically installed to the device.

Yes, and you choose whether the implicit policy denies or allows all traffic.

Allowed learned traffic - restricted mode

You can use the Allow Learned Traffic - Restricted Mode setting to allow the traffic learned for each user with their specific applications only. This method is based on Largest Common Denominator concept. The Policy Analyzer wizard automatically creates a policy block with one policy for each distinctive user, and the policy block is followed by an implicit deny or allow policy. The policy block is inserted in the policy package above the Security Policy with Learn Mode enabled, and the updated policy package is automatically installed to the device.

Yes, and you choose whether the implicit policy denies or allows all traffic.