Administration Guide

Using Policy Blocks versus Global Policy Packages

The use of Policy Blocks over Global Policy Packages simplifies the process of upgrading your ADOMs in order to use policy features or objects introduced in later versions.

To upgrade a Global Database ADOM with Global Header and Footer policies, all of the local ADOMs that the Global Policy Package is assigned to must first be upgraded to the same version or one version higher than the desired Global Database ADOM version.

For example, to upgrade the Global Database ADOM to version 7.0, all of the local ADOMs and their managed devices making use of the Global Policy Package must be on version 7.0 or 7.2 before upgrading the Global Database ADOM. For more information, see Global database version.

In cases where some of the local ADOMs cannot be upgraded to a later version (for example, they include FortiGate devices that are unsupported on later versions), the Global Database ADOM cannot be upgraded.
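
The version rule above can be checked against an ADOM inventory before attempting the Global Database ADOM upgrade. This is an added example, not code from the Fortinet guide or from FortiManager; the release ordering, field names and sample inventory are constructed assumptions.

```python
# Added example: pre-upgrade check for a Global Database ADOM.
# RELEASES is an assumed ordering of ADOM versions; adjust it to your deployment.
RELEASES = ["6.4", "7.0", "7.2", "7.4"]

def train(version):
    """Reduce '7.0.12' or '7.0' to the 'major.minor' ADOM version."""
    return ".".join(version.split(".")[:2])

def allowed_versions(target):
    """Target version plus the next one up, per the rule in this guide."""
    i = RELEASES.index(target)
    return set(RELEASES[i:i + 2])

def global_upgrade_blockers(target, adoms):
    """Return {adom_name: [reasons]} for ADOMs that block the upgrade."""
    ok = allowed_versions(target)
    blockers = {}
    for adom in adoms:
        if not adom["global_package_assigned"]:
            continue  # ADOMs without the Global Policy Package are not constrained
        reasons = []
        if train(adom["version"]) not in ok:
            reasons.append(f"ADOM is on {adom['version']}")
        for name, fw in adom["devices"].items():
            if train(fw) not in ok:
                reasons.append(f"device {name} is on {fw}")
        if reasons:
            blockers[adom["name"]] = reasons
    return blockers

# Constructed sample inventory (hypothetical names and versions, not real data).
SAMPLE_ADOMS = [
    {"name": "branch-east", "version": "7.0", "global_package_assigned": True,
     "devices": {"fgt-e1": "7.0.12"}},
    {"name": "branch-west", "version": "6.4", "global_package_assigned": True,
     "devices": {"fgt-w1": "6.4.14"}},
    {"name": "lab", "version": "6.4", "global_package_assigned": False,
     "devices": {"fgt-lab": "6.4.9"}},
    {"name": "dc-core", "version": "7.2", "global_package_assigned": True,
     "devices": {"fgt-dc1": "7.2.8"}},
]

if __name__ == "__main__":
    for adom, reasons in global_upgrade_blockers("7.0", SAMPLE_ADOMS).items():
        print(f"{adom}: " + "; ".join(reasons))
```

An ADOM that appears in the result and cannot itself be upgraded is the case where the Global Database ADOM stays blocked.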

Policy Blocks store multiple policies so they can be appended to a local Policy Package together to simplify the administration of a large number of policies. Because local Policy Blocks are configured per-ADOM, you only need to update the local ADOM where the Policy Blocks are stored. This means you don't need to worry about other ADOMs which may not be upgradable.

Policy Blocks are also supported in the Global Database ADOM; however, using Global Policy Blocks introduces the same upgrade limitations that exist when using Global Header and Footer Policies.

Example of upgrading the Global Database ADOM with Global Policy Packages:
  1. Upgrade each local ADOM and its managed devices to the same version as, or a higher version than, the desired Global Database ADOM version.
  2. Upgrade the Global Database ADOM version.
  3. Edit the Global Header and Footer policies.
  4. Re-assign the policies to the relevant ADOMs and then install the changes to your managed devices.

Example of upgrading local ADOMs with Policy Blocks:
  1. Upgrade your local ADOM and its managed devices to the desired version.
  2. Edit the policies included in the Policy Block as desired.
  3. Install the changes to your managed devices.

To limit who is able to edit Policy Blocks, you can enable role-based access control settings for Policy and Objects in the desired ADOM. See Role-based access control for Policy Blocks.

Migrating Global Policies to local Policy Blocks

Direct migration of Global Header and Footer policies to local Policy Blocks is not currently supported. To migrate Global Header and Footer policies from the Global Database ADOM into local Policy Blocks, you must manually recreate the policies in the local ADOM and then group them into a Policy Block. See Creating policies and Creating Policy Blocks.
