7.2.2

Setting up Policy Generation

Policy Generation will discover all the traffic between all the workloads and endpoints in the network. Using that data, Policy Generation will automatically organize your workloads into proposed applications, application tiers, and ACL rules. The more you complete on the setup page form, the more work Policy Generation can do for you. The six tabs let you specify:

  • Scope: Where to look for connections and how to process the data.

  • Filters: Logical rules to limit the scope specified on tabs 1 and 2.

  • Services: The names of Common Network Service applications that support networks and the ports and protocols they use. Identification of network services is crucial to deriving the optimal set of business applications.

  • Names: Your workload naming convention so the system can name applications, tiers, and deployment environments for you.

  • Tags: How to name Applications, Application Tiers, and Deployment Environments and how to tag workloads.

Select the information icons on each tab to view detailed instructions.

When all five of the setup tabs are completed as best you can, click DONE on the SERVICES tab.

Click the Setup Policy Generation button in the Action Steps panel on the right side of the Workspace > Applications page to fill out the form on the wizard and start the setup process.

Scope

Here you specify from where and how Policy Generation should gather data on the connections with and between workloads and where to store the policy rules that will result from your review and deployment of the automated policy proposals.

  • Public IP Addresses: Enter any public IP addresses that you want to be analyzed as part of the security fabric.

This completes the first page of Setup Policy Generation. When finished, select the Save & Next button or the Filters tab.

Filters

Policy Generation will examine all workloads defined on the Scope tab, unless you add one or more filters.

Add Include filters to specify which of the defined workloads and subnets to examine. This is a way to narrow the scope.

To further narrow the scope, add Exclude filters to specify which of the defined or included workloads and subnets should NOT be examined.

When finished, select the Save & Next button or the Services tab.

Services

It is vitally important to help Policy Generation identify all Common Network Service applications, like DNS and NTP, that tend to interconnect all the Business Application tiers in your environment.

The Services page presents a list of many of the most common such services with their standard names, ports, and protocols. If your network uses nonstandard ports and protocols for any of the listed services, you need to edit each such service to include all its ports and protocols.

Add any custom services in your network that are not already on the standard list.

In this way, Policy Generation will be able to better distinguish between the following:

  • Business application tiers that are connecting within a business application or to other business applications

  • Service tiers that are speaking to each other and to most of the business application tiers

Names

Policy Generation proposes names for application workload tiers based on the following:

  1. Function: For example, Web, Database, Application Logic

  2. Environment: For example, Production, Development, Testing

  3. Application Name: For example, CRM, Accounting.

If applicable, select one of the two naming convention patterns that best fits your workload naming configuration.

If your workload names do not provide any of these three data values in a pattern that Policy Generation can read, select the None encoded radio button.

FortiGates do not currently support a native tagging system.

When finished, select the Save & Next button or the Tags tab.

Tags

Policy Generation uses its own Key/Value tags to identify the membership of workloads in applications, tiers, deployment environments, and their functions. FortiPolicy groups workloads by their function and connections. It proposes applications, tiers, and policy rules that support the examined traffic.

On this page there are three sub-tabs, one for each of these three categories of data.

If your naming convention provided Policy Generation with Application Name data, you will see the values for all your applications pre-populated in double columns on the first of the three sub-tabs.

If all your users are comfortable using the strings in your naming convention, you do not need to change anything. Many companies have so many applications that some users will not know all the application tag values. You can help those users by supplying full names as well as briefer tag values.

For any data that cannot be derived from your naming convention, manually enter the Tag Values and Full Names you will use to identify your applications, deployment environments, and functions.

Each tier is typically defined by a set of three workload tags. For example:

  Tag Key          Values   Full Name
  SX_Application   Acnt     Accounting Software
                   Inv      Inventory Management
  SX_Environment   Prod     Production
                   Test     Test
                   Dev      Development
  SX_Tier          Web      Web
                   Logic    Business Logic
                   DB       Database

If your workload naming convention provides any of this data in a supported format, Policy Generation will automatically read all the workload names and populate the Tags forms. All you might want to do is edit the Full Names for each of the tag values. If you do, the Full Names will be used in dropdowns and table labels instead of the typical brief naming convention values.

For any data that cannot be derived from your naming convention, on each of the three sub-tabs you can enter the Tag Values and Full Names you will use to identify your applications, deployment environments, and tier functions.
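The following is an added example, not FortiPolicy code, illustrating both the Services and the Names/Tags steps: it derives the three SX_* tags from a workload naming convention, then sorts a constructed connection list into business tier rules, Common Network Service flows (DNS, NTP), and connections left for manual review. The name pattern <app>-<env>-<tier>-<nn>, the service list subset, and the sample connections are assumptions made for illustration.

```python
"""Added example, not FortiPolicy code: derive the page's SX_* tags from a
workload naming convention, then sort constructed connections into business
tier rules and Common Network Service flows. Pattern <app>-<env>-<tier>-<nn>
is an assumption made for illustration."""
import re
from collections import defaultdict
# Tag values and Full Names, as in the example table above.
FULL_NAMES = {
    "SX_Application": {"Acnt": "Accounting Software", "Inv": "Inventory Management"},
    "SX_Environment": {"Prod": "Production", "Test": "Test", "Dev": "Development"},
    "SX_Tier": {"Web": "Web", "Logic": "Business Logic", "DB": "Database"},
}
SERVICES = {(53, "udp"): "DNS", (53, "tcp"): "DNS", (123, "udp"): "NTP"}  # constructed subset
NAME_RE = re.compile(r"^(?P<app>[A-Za-z]+)-(?P<env>[A-Za-z]+)-(?P<tier>[A-Za-z]+)-\d+$")

def tags_from_name(name):
    """SX_* tags for a workload name, or None when the name is not encoded in the
    pattern ('None encoded') or uses a value the Tags forms do not list."""
    m = NAME_RE.match(name)
    if not m:
        return None
    tags = {"SX_Application": m["app"], "SX_Environment": m["env"], "SX_Tier": m["tier"]}
    return tags if all(v in FULL_NAMES[k] for k, v in tags.items()) else None

def tier_label(tags):
    """Full-name label, e.g. 'Accounting Software/Production/Web'."""
    return "/".join(FULL_NAMES[k][tags[k]] for k in ("SX_Application", "SX_Environment", "SX_Tier"))

def propose_rules(connections):
    """connections: (src_name, dst_name, dst_port, proto). Returns (business, service,
    unclassified); the dicts map (source tier, destination) to the port/proto set seen.
    Service flows are keyed by service name so DNS/NTP chatter is not folded into tiers."""
    business, service, unclassified = defaultdict(set), defaultdict(set), []
    for src, dst, port, proto in connections:
        s, d, svc = tags_from_name(src), tags_from_name(dst), SERVICES.get((port, proto))
        if s is None or (svc is None and d is None):
            unclassified.append((src, dst, f"{port}/{proto}"))  # left for manual review
        elif svc:
            service[(tier_label(s), svc)].add(f"{port}/{proto}")
        else:
            business[(tier_label(s), tier_label(d))].add(f"{port}/{proto}")
    return dict(business), dict(service), unclassified

CONNECTIONS = [  # constructed sample connections, not real traffic
    ("Acnt-Prod-Web-01", "Acnt-Prod-Logic-01", 8080, "tcp"),
    ("Acnt-Prod-Logic-01", "Acnt-Prod-DB-01", 5432, "tcp"),
    ("Acnt-Prod-Web-01", "ns1", 53, "udp"),          # DNS to an unnamed resolver
    ("Acnt-Prod-DB-01", "ntp1", 123, "udp"),         # NTP to an unnamed time source
    ("legacy-box", "Acnt-Prod-DB-01", 5432, "tcp"),  # source not in the convention
]
```

Without the DNS and NTP entries in SERVICES, the flows to ns1 and ntp1 would land in the unclassified list instead of being recognized as service traffic, which is the reason the Services tab asks for every nonstandard port.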

If you have completed all the other tabs in the Setup Policy Generation wizard, select Save & Done to submit any edits, close the wizard, and return to the Applications main page, where you will see that connection discovery has started.
