Grouping

The Grouping page has two tabs:

  • Groups

    The goal of grouping is to collect infrastructure workloads that share similar security requirements into defined groups.

  • Insertion staging

    FortiPolicy organizes all grouping configurations in the Insertion Staging tab for you. When you click COMMIT ALL CHANGES, the insertion changes are deployed to the data planes, and segmentation or microsegmentation takes place.

Groups

Resource groups are discovered workloads or subnets with members selected according to their shared or similar security requirements. When workloads enter or leave your environment, the resource groups are automatically updated to reflect the changes.

You can use resource groups as sources and destinations in ACL rules or as filters in Setup Policy Generation.

Deployed application tiers are also resource groups, and they too will appear in the Resource Groups table. Tiers can also respond dynamically to changes in the workload members of your Security Fabric. If new workloads appear and you have used FortiPolicy API endpoints to tag those workloads, they will automatically join any existing tiers with that tag set, and the tier’s ACL rules will be applied to the new workload tier members.

There are two types of resource groups:

  • Dynamic resource groups

    When FortiPolicy discovers a workload that meets a resource group membership rule, FortiPolicy will dynamically segment or microsegment the port group, thus protecting the workloads.

  • Static resource groups

    The FortiPolicy administrator determines where and when to perform segmentation and microsegmentation.

The two types of resource groups can be combined as necessary. For example: an administrator can set up FortiPolicy to perform continuous monitoring and dynamic insertions in inline microsegmentation mode for every resource group, except for a specified set of networks that are configured with No Insertion.

Microsegmentation, segmentation, and ACL rules are defined per resource group.

Security controls (threat prevention, malware, and URL filtering) are collected into security policy sets and then applied to resource groups after grouping and insertion. ACL rules are applied to resource groups; security policy sets are bound to resource groups; and the security policy sets are enacted during segmentation and microsegmentation in a deployed data plane.

You can create a new resource group or edit, copy, or delete existing resource groups.

FortiPolicy provides a dynamic accounting of all workloads discovered in the infrastructure. As resource group assignments are configured, you can track your progress using this accounting bar at the top of the page.

All workloads from all infrastructures are displayed when the Groups page loads. By default, 50 rows are displayed. To adjust the number of rows displayed, select the number of rows from the Items Per Page dropdown list at the bottom of the Groups page.

To create a dynamic resource group:
  1. Go to Workspace > Grouping > Groups.

  2. Click the + icon in the upper right corner of the Groups page.

  3. In the Add Resource Group dialog, enter a name and description for the new group.

    The name and description might describe the role of this group as a particular tier of a production instance of a particular application in your network. Enter a name that will help you choose this resource group when you are creating ACL rules.

  4. Use the Membership Rules options to create logical filters to define groups of workloads or IP addresses. The membership of resource groups is not static. When there are changes in your environment, membership is adjusted automatically, based on your rules.

    Use the Category filter to select one of the following categories:

    • Workload Name

      Select this category if you want to explicitly create a static list of the workloads in the resource group, or if your naming convention corresponds to the security-related role of each workload.

    • Port Group/Subnet

      Select this category if all workloads on a port group perform exactly the same role.

    • Subnet

      Select this category if you are specifying endpoints outside the examined network, and no Workloads table is presented.

    • FortiPolicy Tag

      This category is not supported in FortiPolicy 7.2.0.

    • Native Tag

      This category is not supported in FortiPolicy 7.2.0.

  5. Select an operator and enter a value:

    • is specifies matching the exact name

    • contains specifies matching all names with the entered value in any position

    • begins with specifies matching all names that begin with the entered value

  6. Create as many rules as you need to define all the members of the resource group.

    Click the plus sign in the Membership Rules area to create another filter setting rule.

  7. Select the Enable checkbox to select the type of insertion and then click Microsegment, Segment, or No Insertion.

    See Segmentation versus microsegmentation for details.

  8. Click PREVIEW to see if your rules return all the current members of the resource group you are defining. Edit the rules as necessary and click PREVIEW again until you are satisfied. If new members that meet these rules arise in the future, they will automatically be included in the resource group and will automatically receive the configurations and protections you have assigned to the group.

  9. Click SAVE.

    Any resource group with Segment or Microsegment insertion is sent to the Insertion Staging page to await your further insertion action. View the configured resource groups in the Insertion Staging page and then commit the insertion changes by clicking COMMIT ALL CHANGES.

To create a static resource group:
  1. Go to the Workspace > Grouping > Groups page, click the vertical ellipsis in one of the rows, and select Edit.

  2. Enter the values in the fields for the members of the resource group.

  3. Click the plus sign to add another row.

  4. Click SAVE.

Segmentation versus microsegmentation

Insertion is the process of configuring the Security Fabric to monitor and regulate an application’s traffic. You have three insertion choices:

  • Segment—Segmentation puts a firewall around an application tier or resource group. When the security policies are enforced on the FortiGate device, the FortiGate device monitors and controls all traffic among tiers. Traffic within tiers is not monitored or controlled by the FortiGate device. Segmentation is less secure than microsegmentation, but your system will perform better.

  • Microsegment—Microsegmentation secures each workload, even workloads on the same subnet or in the same application tier or resource group. When the security policies are enforced on the FortiGate device, the FortiGate device monitors and controls all traffic among workloads. Microsegmentation is more secure than segmentation, but your system's performance will be slower because more traffic is being examined.

  • No Insertion—This setting prevents segmentation and microsegmentation on the workloads within the resource group. The No Insertion option is the default insertion setting for a new resource group.

Note

Subnet service applications are a special case. If you use an outside service for DNS, NTP, and so on, Policy Generation will propose these services as applications with tiers that are only IP addresses on one or more subnets and not as workloads within your managed network. These subnet service applications can be approved and deployed, but they cannot be segmented, microsegmented, tested, or secured. They are only secured to the extent that the workload tiers they connect to directly are segmented, microsegmented, tested, and secured. After they are deployed, they are marked as stage 3, and there are no further actions to take on them in FortiPolicy, except to view their details and delete them if you are no longer using them.

If the insertion type of one resource group overlaps with a different insertion type from another resource group on the same port group, the setting with the highest priority prevails and determines the insertion type for that port group.

Priority   Description
First      Microsegmentation has the first priority.
Second     Segmentation has the second priority.
Third      No Insertion has the third priority and applies when no other insertion mode preempts it.
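The following added example (not FortiPolicy's own code) models the membership rules from the "To create a dynamic resource group" procedure and the insertion priority from the table above. The workload inventory, port group names, subnets and group definitions are constructed; it assumes that a workload joins a group when any one of its rules matches, and that a Subnet rule is a CIDR match on the workload's IP address.

```python
"""Model of FortiPolicy resource-group membership rules and insertion priority.
Added illustration only; the inventory and groups below are constructed."""
from ipaddress import ip_address, ip_network

# Constructed inventory: (workload name, port group, IP address)
WORKLOADS = [
    ("web-prod-01", "pg-web", "10.1.1.11"),
    ("web-prod-02", "pg-web", "10.1.1.12"),
    ("db-prod-01", "pg-db", "10.1.2.21"),
    ("legacy-app", "pg-legacy", "10.9.0.5"),
]

# The three operators described on the page: exact, substring and prefix match.
OPERATORS = {
    "is": lambda actual, value: actual == value,
    "contains": lambda actual, value: value in actual,
    "begins with": lambda actual, value: actual.startswith(value),
}

# Priority when insertion types overlap on a port group (lower number wins).
PRIORITY = {"Microsegment": 1, "Segment": 2, "No Insertion": 3}

def matches(rule, workload):
    """Evaluate one (category, operator, value) rule against one workload."""
    category, operator, value = rule
    name, port_group, ip = workload
    if category == "Workload Name":
        return OPERATORS[operator](name, value)
    if category == "Port Group/Subnet":
        return OPERATORS[operator](port_group, value)
    if category == "Subnet":  # assumed CIDR match; the operator is ignored
        return ip_address(ip) in ip_network(value, strict=False)
    raise ValueError(f"unsupported category: {category}")

def group_members(rules, workloads=WORKLOADS):
    """Names of workloads matching ANY rule (assumed OR semantics across rules)."""
    return [w[0] for w in workloads if any(matches(r, w) for r in rules)]

def effective_insertion(groups, workloads=WORKLOADS):
    """Per port group, the highest-priority insertion mode among all groups
    that have a member on it: Microsegment beats Segment beats No Insertion."""
    by_port_group = {}
    for rules, mode in groups.values():
        members = set(group_members(rules, workloads))
        for name, port_group, _ in workloads:
            if name not in members:
                continue
            current = by_port_group.get(port_group)
            if current is None or PRIORITY[mode] < PRIORITY[current]:
                by_port_group[port_group] = mode
    return by_port_group

# Constructed groups: name -> (membership rules, insertion type)
EXAMPLE_GROUPS = {
    "prod-web": ([("Workload Name", "begins with", "web-prod")], "Microsegment"),
    "all-prod": ([("Workload Name", "contains", "prod")], "Segment"),
    "legacy-net": ([("Subnet", "is", "10.9.0.0/24")], "No Insertion"),
}
```

Running `effective_insertion(EXAMPLE_GROUPS)` shows pg-web resolved to Microsegment even though the broader all-prod group asks for Segment, which is the overlap case the table describes.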

When you create resource groups, the object itself is created immediately. However, any insertion actions specified are saved into Insertion Staging so that you can carefully review network changes and pick when you want to commit batch processing of those changes.

Troubleshooting: Job tracking

To see the real-time progress of a job, go to Workspace > Logs > Jobs and click Running.

To see jobs that have completed, go to Workspace > Logs > Jobs and click Ended.

Insertion staging

After reviewing all insertion actions, click COMMIT ALL CHANGES. This will queue multiple jobs to run, which will configure each affected data plane to support the insertion actions you have specified.

After the data planes are configured, they will automatically respond dynamically to changes in your Security Fabric and enforce your security policy assignments.