05. Policy And Objects Flashcards
What is the limitation of objects used in multiple policy versions?
While policy packages allow for multiple versions of a firewall policy rule set, the objects referenced in those packages do not have multiple versions—they use only a current value.
How to restore old object values?
The only way to return to a previous version of the policy package, including backing out of the rule that you added and the modification to the shared object, is to use ADOM revisions, which takes a snapshot of the Policy & Objects database for that ADOM.
How are all objects in an ADOM managed?
All objects in an ADOM are managed by a single database that is unique to that ADOM. Objects inside the database include firewall objects, security profiles, users, and devices.
Dynamic object mapping
You can use dynamic objects to map a single logical object to a unique definition per device.
You can dynamically map:
- addresses
- interfaces
- virtual IPs
- IP pools
A common example is a firewall address. You may have a common name for an address object, but have a different value depending on the device it is installed on.
How to add devices to dynamic mapping?
Turn on the Per-Device Mapping switch, and then, in the Per-Device Mapping section, click Create New. In the pop-up window that opens, select the device and set the IP range/subnet.
What is a normalized interface?
Default normalized interfaces are created when ADOMs are created. Default normalized interfaces contain a number of per-platform mapping rules for all FortiGate models.
You can map normalized interface names to different physical interface names on different FortiGate models.
You can also select normalized interfaces when you create virtual wire pairs.
What happens when you delete an object that is used in a policy?
FMG replaces it with the none object.
The none object is equal to null, which means any traffic that matches that firewall policy will be blocked.
What is possible to do with duplicate objects?
Duplicate objects can be merged.
Policy Check
Provides recommendations only on what improvements can be made—it does not perform any changes.
Policy Check checks for:
- Duplication, where two objects have identical definitions
- Shadowing, where one object completely shadows another object of the same type
- Overlap, where one object partially overlaps another object of the same type
- Orphaning, where an object has been defined, but has not been used anywhere
What is the installation target of a cloned policy?
Because the policy package is a clone, it will have the same installation target as the original policy package, but you can edit this.
Warning: You should not point more than one policy package at a target because that increases the chance of user error.
What is the purpose of dynamic objects?
A. To merge duplicates automatically
B. To map a single logical object to a unique definition per device
B. To map a single logical object to a unique definition per device
Which statement about policy packages is true?
A. A policy package may have multiple installation targets in an ADOM
B. There can be only one policy package per ADOM
A. A policy package may have multiple installation targets in an ADOM
Statuses of policy packages
- Imported: Indicates that a policy package was successfully imported for a managed device.
- Synchronized: Indicates that policies and objects are synchronized between FortiManager and the managed device.
- Never Installed: Policy package was never created, hence it was never imported for a managed device.
- Modified: Policy package configuration is changed on FortiManager and the changes have not yet been pushed to the managed device.
- Out-of-sync: The latest policy package does not match the policies and objects configuration on the latest revision history because of configuration changes made locally on FortiGate or a previous partial installation failure. You should perform a retrieve, and then import policies from FortiManager.
- Conflict: If you make policy configuration changes locally on FortiGate and don’t import the changes into the policy package, and you also made the changes on FortiManager, the status enters conflict state. Depending on the configuration changes, you can either import a policy package or install the changes from FortiManager.
- Unknown: FortiManager is unable to determine the policy package status.
Re-install
A re-installation is the same as an installation, except that there are no prompts and it provides the ability to preview the changes that will be installed on the managed device.
Re-install Policy creates a new revision history and applies it to all selected installation targets.
What does a policy package status of Unknown indicate?
A. FMG is not able to determine policy package status
B. The policy package was never installed from FMG
A. FMG is not able to determine policy package status