7.2.2

Policy Generation advanced settings

With the guidance of Fortinet support, you can change some default settings. Go to Workspace > Applications > Edit Setup (or Setup Policy Generation) > Scope. Select the Advanced Settings link in the upper right corner of the page. The Advanced Settings dialog appears.

Discover Connections

This is set to RUN when you finish the Setup Policy Generation wizard. If you anticipate network disruptions or you want to stop Policy Generation from learning for a period, you can manually stop discovery. To manually stop connection discovery:

  1. Click the checkbox to set it to STOP.

  2. Click CLOSE on the Policy Generation Advanced Settings dialog.

  3. Click the SAVE and CLOSE buttons on the setup wizard.

  4. To manually RUN again, repeat these same three steps, setting Discover Connections to RUN.

Discovery Cycle Duration

The default duration of each discovery cycle is two hours. Policy Generation needs this time to listen to all the workload-to-workload connections. It then takes additional time to learn by analyzing the data and to make its proposals. Typically, you should let Policy Generation run through many two-hour cycles, until it is no longer discovering many new unique connections. However, for demonstration purposes, an advanced user might shorten the discovery cycle to its minimum duration of 15 minutes.
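The "no longer discovering many new unique connections" criterion can be checked offline from per-cycle connection lists. The sketch below is an added example, not Fortinet code; the `(source, destination, port)` tuples are constructed sample data and do not reflect the EXPORT JSON schema, and the function names and the `max_new` / `quiet_cycles` parameters are hypothetical.

```python
from typing import Iterable, Optional

# Assumed record shape: (source workload, destination workload, port).
Conn = tuple[str, str, int]

def new_unique_per_cycle(cycles: list[Iterable[Conn]]) -> list[int]:
    """Count the connections in each cycle that no earlier cycle observed."""
    seen: set[Conn] = set()
    counts: list[int] = []
    for observed in cycles:
        fresh = set(observed) - seen
        counts.append(len(fresh))
        seen |= fresh
    return counts

def settled_after(counts: list[int], max_new: int = 0,
                  quiet_cycles: int = 2) -> Optional[int]:
    """Return the 1-based cycle that completes `quiet_cycles` consecutive
    cycles with at most `max_new` new connections each, else None."""
    streak = 0
    for cycle_no, new in enumerate(counts, start=1):
        streak = streak + 1 if new <= max_new else 0
        if streak >= quiet_cycles:
            return cycle_no
    return None

# Constructed sample: six discovery cycles; a batch job first appears in cycle 4.
CYCLES = [
    [("web-1", "app-1", 8080), ("app-1", "db-1", 5432)],
    [("web-1", "app-1", 8080), ("web-2", "app-1", 8080), ("app-1", "db-1", 5432)],
    [("web-2", "app-1", 8080), ("app-1", "db-1", 5432)],
    [("web-1", "app-1", 8080), ("batch-1", "db-1", 5432)],
    [("web-1", "app-1", 8080)],
    [("app-1", "db-1", 5432), ("batch-1", "db-1", 5432)],
]

if __name__ == "__main__":
    counts = new_unique_per_cycle(CYCLES)
    print("new unique connections per cycle:", counts)
    print("settled (2 quiet cycles):", settled_after(counts))
    # Stopping after a single quiet cycle would miss the batch job in cycle 4.
    print("settled (1 quiet cycle):", settled_after(counts, quiet_cycles=1))
```

Requiring more than one quiet cycle matters for workloads that only talk periodically, such as scheduled jobs; a proposal approved before they appear will not include their connections.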

Grouping Rules

Most users will benefit from the default grouping rules setting, which groups by function and by connections. In this way, the system can distinguish between the different types of tiers and the different applications. Some users only want to group certain types of assets, for example, grouping all databases. To group your workloads into functional groups only, deselect the default checkbox: Also group by the connections that each workload makes.

Similarity Index

The 91% default similarity setting has worked well for most users.

If you find that this setting creates groups that include many workloads that should not be included, deselect the checkbox and set the similarity setting a little higher.

If you find that this setting creates groups that do not include all the workloads they should, deselect the checkbox and set the similarity setting a little lower.
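To see why raising the threshold splits groups and lowering it merges them, the following added example groups constructed workloads by the overlap of their connection profiles. It is an illustration only, not Fortinet's algorithm: the page does not document how similarity is computed, so Jaccard similarity and the greedy grouping rule are assumptions, and all workload names and ports are made up.

```python
def jaccard(a: frozenset, b: frozenset) -> float:
    """Share of connection targets two workloads have in common."""
    union = a | b
    return len(a & b) / len(union) if union else 1.0

def group_workloads(profiles: dict, threshold: float) -> list:
    """Greedy grouping: a workload joins the first group in which it is at
    least `threshold` similar to every member, else it starts a new group."""
    groups: list = []
    for name in sorted(profiles):
        for members in groups:
            if all(jaccard(profiles[name], profiles[m]) >= threshold
                   for m in members):
                members.append(name)
                break
        else:
            groups.append([name])
    return groups

# Constructed profiles: each entry is a (peer, port) the workload connects to.
INFRA = frozenset({("dns", 53), ("ntp", 123), ("log", 514),
                   ("auth", 389), ("mon", 9100)})
WEB = INFRA | {("app", 8080), ("app", 8443), ("cache", 6379),
               ("cache", 11211), ("proxy", 3128), ("mq", 5672),
               ("cfg", 8500)}
PROFILES = {
    "web-1": WEB,
    "web-2": WEB,
    "web-3": WEB | {("backup", 873)},                   # one extra target
    "web-4": (WEB - {("cfg", 8500)}) | {("cdn", 443)},  # one swapped target
    "db-1": INFRA | {("replica", 5432), ("san", 3260), ("vault", 8200)},
}

if __name__ == "__main__":
    for threshold in (0.91, 0.75, 0.30):
        print(f"{threshold:.2f}", group_workloads(PROFILES, threshold))
```

With this sample data, 0.91 leaves `web-4` outside the web group (a group that does not include everything it should), 0.75 pulls it in, and 0.30 also absorbs `db-1` because of shared infrastructure traffic (a group that includes workloads it should not).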

If you do not make any edits while connection discovery is happening, then you can make these adjustments afterward, and the proposals will be recomputed at the end of the next discovery cycle.

If you have started to approve and deploy applications but you are not happy with the results, you can DELETE ALL deployed applications. You can delete individual deployed applications that you are not happy with from the Applications table. Then adjust the similarity index. The next data analysis will continue at the new similarity setting.

The above Advanced Settings actions on the left side of the panel will take effect upon selecting CLOSE and then selecting Next or SAVE.

Data File

The EXPORT JSON button will download a file of all the connections and proposal data that Policy Generation has accumulated. Fortinet support might request this data to help you.

Deployed Applications

The DELETE ALL button will remove all the applications that were deployed to the FortiGate using Policy Generation in case you want to start over again. This action will take effect upon selecting the YES button on the confirmation dialog.

Reset

The PURGE DATA button will leave any deployed applications in place but will delete existing connection data and proposals and will set connection discovery to RUN. This action will take effect upon selecting the YES button on the confirmation dialog.
