Saturday, April 5, 2014

FortiManager - Import Policy from Device

Why do I need this?

Sometimes it is easier to make a change locally on the FortiGate. In my case, I want to create an “ftp-proxy” rule on the FortiGate because it seems that the rule causes a problem when installed to the device if it is implemented on FortiManager.

Step by Step

First, lock the ADOM. In workspace mode this gives you exclusive write access to the ADOM while you work, so another administrator cannot install or change the same policy package half-way through the procedure.

Then, right-click on the device and select “Import Policy”.

Then, select the VDOM where the change was made and skip the rest. Place the policy in a new TEMP POLICY PACKAGE so that it doesn't get mixed up with our existing POLICY PACKAGE. To save space, I won't show the screenshot of every screen. I just click Next through to the end and click “Skip Remaining”.

After that, we can change it the way we like.

If you have created new objects locally on the FortiGate VDOM, they will be imported at this step. Review them before copying the rule into production, so that duplicates of objects that already exist in the ADOM are not carried over with it.

Now, rule #5 is imported as I wanted.

From the temporary POLICY PACKAGE “VUFG1_VUWF101”, I just need to copy & paste it into my production POLICY PACKAGE “VU-WEBFILTER-PACKAGE”.

Clean up steps

Now, we need to clean up a few things.

First, move the VDOM back to the production POLICY PACKAGE. A VDOM is installed from whichever package it is assigned to, so leaving it on the temporary package would mean the next install pushes the temporary package instead of production.

Click on Policy & Objects -> YOUR TEMPORARY POLICY PACKAGE -> ‘Install’ tab -> right-click on your VDOM, then Edit.

Select the VDOMs that will use this POLICY PACKAGE.

Remove the VDOM from this temporary POLICY PACKAGE.

And it will be removed from the list.

Check the production POLICY PACKAGE's ‘Install’ tab; the VDOM should now be listed there.

Push to device

Now, the next step is to click on SAVE and then push the revised POLICY PACKAGE to the VDOMs using the “Install Wizard”. Use the wizard's Install Preview to confirm that only the rule you copied is about to change on the device before you push.

Then, on the Device tab, it should display “SYNCHRONIZED”.

The last step is simply to unlock the ADOM that was locked at the start.
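The same procedure (lock the ADOM, import the VDOM's policy into a temporary package, give the VDOM back to the production package, save, install, confirm the device is synchronized, unlock) can be driven through FortiManager's JSON-RPC API instead of the GUI. The script below is an added example and is not code from the original post or from Fortinet. It assumes a device named "VUFG1" with VDOM "VUWF101" (inferred from the temporary package name, and therefore an assumption), the endpoint URLs and field names are my reading of the JSON-RPC API and must be checked against the API reference for your FortiManager version, and the `FakeFortiManager` is a constructed offline stand-in so the script runs without a real unit. Copying the wanted rule from the temporary package into production is deliberately left as the manual review step, exactly as in the walkthrough.

```python
from typing import Any, Callable, Dict, List, Optional

# Added example (not Fortinet's code). Endpoint URLs and field names are my
# reading of the FortiManager JSON-RPC API: verify them against your version.
# `post` is injected so the workflow runs against a real unit (wrap
# requests.post("https://<fmg>/jsonrpc", json=...)) or the offline fake below.
Post = Callable[[Dict[str, Any]], Dict[str, Any]]


class FmgError(RuntimeError):
    """Raised when FortiManager answers with a non-zero status code."""


class FmgSession:
    def __init__(self, post: Post, session: str) -> None:
        self.post, self.session, self.req_id = post, session, 0

    def call(self, method: str, url: str, data: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
        self.req_id += 1
        params: Dict[str, Any] = {"url": url}
        if data is not None:
            params["data"] = data
        reply = self.post({"id": self.req_id, "method": method,
                           "params": [params], "session": self.session})
        result = reply["result"][0]
        status = result.get("status", {})
        if status.get("code", 0) != 0:
            raise FmgError(f"{method} {url}: {status.get('message')} (code {status.get('code')})")
        return result


def wait_for_task(fmg: FmgSession, task_id: int, max_polls: int) -> Dict[str, Any]:
    """Poll the install task until it reports 100% or an error state."""
    for _ in range(max_polls):
        task = fmg.call("get", f"/task/task/{task_id}")["data"]
        if task.get("state") == "error":
            raise FmgError(f"install task {task_id} failed: {task.get('line')}")
        if task.get("percent") == 100:
            return task
    raise FmgError(f"install task {task_id} did not finish after {max_polls} polls")


def sync_rule_from_device(fmg: FmgSession, adom: str, device: str, vdom: str,
                          temp_pkg: str, prod_pkg: str, max_polls: int = 30) -> Dict[str, Any]:
    base = f"/dvmdb/adom/{adom}"
    # Step 1: take the ADOM workspace lock. If another admin holds it this raises
    # before the try block, so we never touch the ADOM and never unlock a lock
    # that is not ours.
    fmg.call("exec", f"{base}/workspace/lock")
    try:
        # Step 2: "Import Policy" for one VDOM into a fresh temporary package, so
        # the device-local rule and any new local objects stay out of production.
        fmg.call("exec", "/securityconsole/import/dev/objs", {
            "adom": adom, "name": device, "vdom": vdom, "dst_name": temp_pkg,
            "import_action": "do", "if_all_objs": "none", "if_all_policy": "disable"})
        # (Manual review step: copy the wanted rule from temp_pkg into prod_pkg.)
        # Step 3 (clean-up): assign the VDOM back to production, clear the temp package.
        fmg.call("set", f"/pm/pkg/adom/{adom}/{prod_pkg}",
                 {"name": prod_pkg, "scope member": [{"name": device, "vdom": vdom}]})
        fmg.call("set", f"/pm/pkg/adom/{adom}/{temp_pkg}", {"name": temp_pkg, "scope member": []})
        # Step 4: SAVE (commit the workspace), then push the production package.
        fmg.call("exec", f"{base}/workspace/commit")
        task_id = fmg.call("exec", "/securityconsole/install/package", {
            "adom": adom, "pkg": prod_pkg, "scope": [{"name": device, "vdom": vdom}]})["data"]["task"]
        task = wait_for_task(fmg, task_id, max_polls)
        # Step 5: only consider the job done once the device reports SYNCHRONIZED.
        conf = fmg.call("get", f"{base}/device/{device}")["data"].get("conf_status")
        if conf != "insync":
            raise FmgError(f"{device} reports conf_status={conf!r} after install")
        return {"task": task_id, "percent": task["percent"], "conf_status": conf}
    finally:
        fmg.call("exec", f"{base}/workspace/unlock")


class FakeFortiManager:
    """Constructed offline stand-in: records requests and returns canned replies.
    Status codes and task fields here are illustrative, not real unit output."""

    def __init__(self, locked_by_other: bool = False, polls_to_finish: int = 2) -> None:
        self.locked_by_other, self.polls_to_finish = locked_by_other, polls_to_finish
        self.polls, self.calls = 0, []  # type: int, List[str]

    def __call__(self, req: Dict[str, Any]) -> Dict[str, Any]:
        url = req["params"][0]["url"]
        self.calls.append(f"{req['method']} {url}")
        ok: Dict[str, Any] = {"status": {"code": 0, "message": "OK"}, "url": url}
        if url.endswith("/workspace/lock") and self.locked_by_other:
            ok["status"] = {"code": -6, "message": "Used"}  # simulated: held by another admin
        elif url == "/securityconsole/install/package":
            ok["data"] = {"task": 42}
        elif url.startswith("/task/task/"):
            self.polls += 1
            ok["data"] = {"percent": 100 if self.polls >= self.polls_to_finish else 50, "state": "running"}
        elif "/dvmdb/" in url and "/device/" in url:
            ok["data"] = {"conf_status": "insync"}
        return {"id": req["id"], "result": [ok]}


ARGS = ("root", "VUFG1", "VUWF101", "VUFG1_VUWF101", "VU-WEBFILTER-PACKAGE")  # assumed names


def demo_happy_path() -> Dict[str, Any]:
    fake = FakeFortiManager()
    result = sync_rule_from_device(FmgSession(fake, "sess-1"), *ARGS)
    return {"result": result, "calls": fake.calls}


def demo_lock_held() -> Dict[str, Any]:
    fake = FakeFortiManager(locked_by_other=True)
    try:
        sync_rule_from_device(FmgSession(fake, "sess-1"), *ARGS)
        return {"error": None, "calls": fake.calls}
    except FmgError as exc:
        return {"error": str(exc), "calls": fake.calls}


if __name__ == "__main__":
    print(demo_happy_path())
    print(demo_lock_held())
```

The two things worth copying from this into any real automation are the `try`/`finally` around the unlock, so an ADOM is never left locked after a failed install, and the lock call sitting outside the `try`, so a lock held by someone else is reported as an error rather than silently released out from under them.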