Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Policy Analyzer 1.0.0 Beta Administration Guide

    Home FortiManager 7.6.0 Policy Analyzer 1.0.0 Beta Administration Guide
    7.6.0
    7.6.0
    7.4.0
    7.2.0
    7.0.2

    Configuring FortiGate

    Configuring FortiGate

    FortiGate must be configured with a Security Policy that has Learn Mode enabled. The Security Policy allows all services from all source and destination ports and logs all traffic for analysis. Learn Mode uses a special prefix in the policymode and profile fields in traffic and UTM logs for use by FortiAnalyzer and Policy Analyzer MEA. After configuring FortiGate, allow the device to run for several days to capture traffic in logs.

    The following FortiGate limitations apply when Learn Mode is enabled in a Security Policy:

    • Only interfaces with device-identification enable can be used as source interfaces in a Security Policy with Learn Mode enabled.
    • Incoming and outgoing interfaces do not support any.
    • Internet service is not supported.
    • NAT46 and NAT64 are not supported.
    • Users and groups are not supported.
    • Some negate options are not supported.

    The logs are sent to FortiAnalyzer, and then used by Policy Analyzer MEA to learn about the traffic needs of the FortiGate.

    Following is an overview of how to configure FortiGate:

    1. Set NGFW to policy-based. See Setting NGFW to policy-based.
    2. Configure a Security Policy with Learn Mode enabled.
    3. Enable logging to FortiAnalyzer. See Enabling logging to FortiAnalyzer.

    Although this section describes how to use FortiOS to configure FortiGate, you can also use FortiManager to configure FortiGate for Policy Analyzer MEA.

    Setting NGFW to policy-based

    On the FortiGate, NGFW must be set to policy-based.

    To set NGFW to policy-based:
    1. Go to System > Settings.
    2. Set NGFW Mode to Policy-based, and click Apply.

    Configuring a Security Policy with Learn Mode enabled (7.2)

    On the FortiGate, a Security Policy must be configured with Learn Mode enabled to provide the information that Policy Analyzer MEA requires to analyze traffic in logs.

    Starting with FortiOS 7.2.0, you can enable Learn Mode in the GUI. In earlier releases of FortiOS, you must use the CLI to enable learning-mode after creating a Security Profile.

    config firewall security-policy

    edit <policy name>

    set learning-mode enable

    end

    To configure a Security Policy with Learn Mode enabled:
    1. Enable advanced policy options.
      1. Go to System > Feature Visibility.
      2. In the Additional Features column, toggle on Policy Advanced Options, and click Apply.

        Advanced policy options are enabled.

    2. Create a Security Policy.
      1. Go to Policy & Objects > Security Policy, and click Create New.
      2. Set the following options:

        Name

        Type a name, such as Learning Policy.

        Policy Mode

        Select Learn Mode.

        Incoming Interface

        		Select a port.

        Outgoing Interface

        		Select a port.

      3. Click OK.

        A Security Policy is created.

      A Security Policy with Learn Mode enabled automatically sets the action for all Security Policies to Monitor Only.

    Configuring a Security Policy with Learn Mode enabled (7.0)

    On the FortiGate, a Security Policy must be configured with Learn Mode enabled to provide the information that Policy Analyzer MEA requires to analyze traffic in logs.

    To configure a Security Policy with Learn Mode enabled:
    1. Enable advanced policy options.
      1. Go to System > Feature Visibility.
      2. In the Additional Features column, toggle on Policy Advanced Options, and click Apply.

        Advanced policy options are enabled.

    2. Create a Security Policy.
      1. Go to Policy & Objects > Security Policy, and click Create New.
      2. Set the following options:

        Name

        Type a name, such as Learning Policy.

        Incoming Interface

        		Select a port.

        Outgoing Interface

        		Select a port.

        Source

        Select all.

        Destination

        Select all.

      3. Use the default settings for the remaining options, and click OK.

        A Security Policy is created.

    3. Edit the Security Policy to enable learning-mode by using the CLI.

      config firewall security-policy

      edit <policy name>

      set learning-mode enable

      end

      A Security Policy with Learn Mode enabled automatically sets the action for all Security Policies to Monitor Only.

    Enabling logging to FortiAnalyzer

    FortiGate must be configured to send logs to FortiAnalyzer. Policy Analyzer MEA will retrieve log data from FortiAnalyzer.

    To enable logging to FortiAnalyzer:
    1. In FortiAnalyzer, configure the authorization address and port.
      1. Go to System Settings > Admin > Admin Settings.
      2. In the Fabric Authorization section, enter an Authorization Address and Authorization Port. FortiOS uses this information to access the FortiAnalyzer login screen.
    2. In FortiOS, go to Security Fabric > Fabric Connectors, and double-click the FortiAnalyzer Logging card.
    3. In the Server box, type the FortiAnalyzer IP, and click OK. The FortiAnalyzer Status (in the right-side gutter) is Unauthorized.
    4. Click Authorize. You are redirected to a login screen.
    5. Enter the username and password, and click Login.
    6. Select Approve, and click OK to authorize the FortiGate.
    7. In FortiOS, refresh the FortiAnalyzer Logging page. The FortiAnalyzer Status is Authorized.
    8. In FortiAnalyzer, go to FortiView > Applications & Websites > Top Applications to view log details.

      The following example identifies top applications and whether the risk level for the application is High, Medium, or Elevated.

    Previous
    Next

    Configuring FortiGate

    Configuring FortiGate

    FortiGate must be configured with a Security Policy that has Learn Mode enabled. The Security Policy allows all services from all source and destination ports and logs all traffic for analysis. Learn Mode uses a special prefix in the policymode and profile fields in traffic and UTM logs for use by FortiAnalyzer and Policy Analyzer MEA. After configuring FortiGate, allow the device to run for several days to capture traffic in logs.

    The following FortiGate limitations apply when Learn Mode is enabled in a Security Policy:

    • Only interfaces with device-identification enable can be used as source interfaces in a Security Policy with Learn Mode enabled.
    • Incoming and outgoing interfaces do not support any.
    • Internet service is not supported.
    • NAT46 and NAT64 are not supported.
    • Users and groups are not supported.
    • Some negate options are not supported.

    The logs are sent to FortiAnalyzer, and then used by Policy Analyzer MEA to learn about the traffic needs of the FortiGate.

    Following is an overview of how to configure FortiGate:

    1. Set NGFW to policy-based. See Setting NGFW to policy-based.
    2. Configure a Security Policy with Learn Mode enabled.
    3. Enable logging to FortiAnalyzer. See Enabling logging to FortiAnalyzer.

    Although this section describes how to use FortiOS to configure FortiGate, you can also use FortiManager to configure FortiGate for Policy Analyzer MEA.

    Setting NGFW to policy-based

    On the FortiGate, NGFW must be set to policy-based.

    To set NGFW to policy-based:
    1. Go to System > Settings.
    2. Set NGFW Mode to Policy-based, and click Apply.

    Configuring a Security Policy with Learn Mode enabled (7.2)

    On the FortiGate, a Security Policy must be configured with Learn Mode enabled to provide the information that Policy Analyzer MEA requires to analyze traffic in logs.

    Starting with FortiOS 7.2.0, you can enable Learn Mode in the GUI. In earlier releases of FortiOS, you must use the CLI to enable learning-mode after creating a Security Profile.

    config firewall security-policy

    edit <policy name>

    set learning-mode enable

    end

    To configure a Security Policy with Learn Mode enabled:
    1. Enable advanced policy options.
      1. Go to System > Feature Visibility.
      2. In the Additional Features column, toggle on Policy Advanced Options, and click Apply.

        Advanced policy options are enabled.

    2. Create a Security Policy.
      1. Go to Policy & Objects > Security Policy, and click Create New.
      2. Set the following options:

        Name

        Type a name, such as Learning Policy.

        Policy Mode

        Select Learn Mode.

        Incoming Interface

        		Select a port.

        Outgoing Interface

        		Select a port.

      3. Click OK.

        A Security Policy is created.

      A Security Policy with Learn Mode enabled automatically sets the action for all Security Policies to Monitor Only.

    Configuring a Security Policy with Learn Mode enabled (7.0)

    On the FortiGate, a Security Policy must be configured with Learn Mode enabled to provide the information that Policy Analyzer MEA requires to analyze traffic in logs.

    To configure a Security Policy with Learn Mode enabled:
    1. Enable advanced policy options.
      1. Go to System > Feature Visibility.
      2. In the Additional Features column, toggle on Policy Advanced Options, and click Apply.

        Advanced policy options are enabled.

    2. Create a Security Policy.
      1. Go to Policy & Objects > Security Policy, and click Create New.
      2. Set the following options:

        Name

        Type a name, such as Learning Policy.

        Incoming Interface

        		Select a port.

        Outgoing Interface

        		Select a port.

        Source

        Select all.

        Destination

        Select all.

      3. Use the default settings for the remaining options, and click OK.

        A Security Policy is created.

    3. Edit the Security Policy to enable learning-mode by using the CLI.

      config firewall security-policy

      edit <policy name>

      set learning-mode enable

      end

      A Security Policy with Learn Mode enabled automatically sets the action for all Security Policies to Monitor Only.

    Enabling logging to FortiAnalyzer

    FortiGate must be configured to send logs to FortiAnalyzer. Policy Analyzer MEA will retrieve log data from FortiAnalyzer.

    To enable logging to FortiAnalyzer:
    1. In FortiAnalyzer, configure the authorization address and port.
      1. Go to System Settings > Admin > Admin Settings.
      2. In the Fabric Authorization section, enter an Authorization Address and Authorization Port. FortiOS uses this information to access the FortiAnalyzer login screen.
    2. In FortiOS, go to Security Fabric > Fabric Connectors, and double-click the FortiAnalyzer Logging card.
    3. In the Server box, type the FortiAnalyzer IP, and click OK. The FortiAnalyzer Status (in the right-side gutter) is Unauthorized.
    4. Click Authorize. You are redirected to a login screen.
    5. Enter the username and password, and click Login.
    6. Select Approve, and click OK to authorize the FortiGate.
    7. In FortiOS, refresh the FortiAnalyzer Logging page. The FortiAnalyzer Status is Authorized.
    8. In FortiAnalyzer, go to FortiView > Applications & Websites > Top Applications to view log details.

      The following example identifies top applications and whether the risk level for the application is High, Medium, or Elevated.

    Previous
    Next