Allowing learned traffic with restrictive mode
This example describes how to use the Policy Analyzer MEA wizard to create a policy block and an implicit policy. During the wizard, you must choose whether to configure the implicit policy to deny or allow all traffic.
You can use the Allow Learned Traffic - Restricted Mode setting to allow the traffic learned for each user with their specific applications only. This method is based on Largest Common Denominator concept. The Policy Analyzer wizard automatically creates a policy block with one policy for each distinctive user, and the policy block is followed by an implicit deny or allow policy. The policy block is inserted in the policy package above the Security Policy with Learn Mode enabled, and the updated policy package is automatically installed to the device.
Only good, learned traffic is allowed. The malware and high-risk traffic is filtered out first. |
To allow learned traffic with restrictive mode:
- Open Policy Analyzer MEA to access the first step in the wizard.
Policy Analyzer opens, and the first pane of the wizard is displayed. The name of the first pane is 1. Select One device.
- On the 1. Select One device pane, select a FortiGate.
Option
Description
Device Select a managed FortiGate that uses a Security Policy with Learn Mode enabled. Policy package After selecting a FortiGate, the policy package for the selected FortiGate is displayed. FortiAnalyzer status Displays whether logging from FortiGate to FortiAnalyzer is enabled. FortiAnalyzer IP After selecting a FortiGate, the IP address for the FortiAnalyzer that is receiving logs from the selected FortiGate is displayed. - On the 1. Select One device pane, complete the following options to validate credentials for FortiAnalyzer and select a date range of logs to analyze, and then click Next.
Option
Description
FortiAnalyzer username Type the username for the administrator account for FortiAnalyzer.
The administrator account must have JSON API set to a minimum of Read. See also Configuring FortiAnalyzer.
FortiAnalyzer password Type the password for the administrator account. Validate Credentials After typing in the FortiAnalyzer username and password, click Validate Credentials to authenticate access to the logs on FortiAnalyzer. FortiAnalyzer ADOM Available after you validate the username and password for FortiAnalyzer.
Select the ADOM on FortiAnalyzer that contains the logs for the selected FortiGate.
Log date range
Available after you validate the username and password for FortiAnalyzer.
Click the calendar icon to select a date range of logs for analysis.
Policy Analyzer MEA needs to access online logs indexed in the FortiAnalyzer SQL database. Policy Analyzer MEA cannot analyze archived logs. For more information, see the FortiAnalyzer 7.0.2 Administration Guide.
The 2. Select Learning-Mode Policies pane is displayed.
- On the 2. Select Learning-Mode Policies pane, select a Security Policy with Learn Mode enabled, and click Next.
Policies are available for selection when they have Learn Mode enabled and have hit counts.
The 3. Select One Policy Mode pane is displayed.
- On the 3. Select One Policy Mode pane, select Allow Learned Traffic - Restricted Mode, and click Next.
The Review Discovered Traffic pane is displayed.
- On the Review Discovered Traffic pane, review discovered traffic, and then click Next.
In the following example, the Top Applications tab shows the high-risk applications in the logs. Click the Top Users, Top Web Categories, and Top Threats tabs to review traffic on those tabs.
The Create Policy Block pane is displayed.
- On the Create Policy Block pane, choose one of the following settings for the implicit policy, and click OK:
Option
Description
Deny Any - Any Select to deny traffic on all source and destination ports. Permit Any - Any Select to permit traffic on all source and destination ports. A confirmation dialog box is displayed.
- In the confirmation dialog box, click OK.
Policy Analyzer MEA automatically creates the policy block, inserts the policy block in to the policy package, and the policy package is installed to the FortiGate.
- Go to Policy & Objects > Policy Packages > Security Policy to view the policy block created by Policy Analyzer MEA.
The policy block and implicit policy are added above the rules in the policy package.