05. Policy And Objects Flashcards

1
Q

What is the limitation of objects used in multiple policy versions?

A

While policy packages allow for multiple versions of a firewall policy rule set, the objects referenced in those packages do not have multiple versions: they use only a current value.

2
Q

How to restore old object values?

A

The only way to return to a previous version of the policy package, including backing out of the rule that you added and the modification to the shared object, is to use ADOM revisions, which takes a snapshot of the Policy & Objects database for that ADOM.

3
Q

How are all objects in an ADOM managed?

A

All objects in an ADOM are managed by a single database that is unique to that ADOM. Objects inside the database include firewall objects, security profiles, users, and devices.

4
Q

Dynamic object mapping

A

You can use dynamic objects to map a single logical object to a unique definition per device.
You can dynamically map:
- addresses
- interfaces
- virtual IPs
- IP pools.
A common example is a firewall address. You may have a common name for an address object, but have a different value depending on the device it is installed on.

5
Q

How to add devices to a dynamic mapping

A

Turn on the Per-Device Mapping switch, and then, in the Per-Device Mapping section, click Create New. In the pop-up window that opens, select the device and set the IP range/subnet.

6
Q

What is a normalized interface?

A

Default normalized interfaces are created when ADOMs are created. Default normalized interfaces contain a number of per-platform mapping rules for all FortiGate models.

You can map normalized interface names to different physical interface names on different FortiGate models.

You can also select normalized interfaces when you create virtual wire pairs.

7
Q

What happens when you delete an object that is used in a policy?

A

FMG replaces it with the none object.

The none object is equal to null, which means any traffic that meets that firewall policy will be blocked.

8
Q

What can be done with duplicate objects?

A

Duplicate objects can be merged.

9
Q

Policy Check

A

Policy Check provides recommendations only on what improvements can be made; it does not perform any changes.

Policy Check checks for:
• Duplication, where two objects have identical definitions
• Shadowing, where one object completely shadows another object of the same type
• Overlap, where one object partially overlaps another object of the same type
• Orphaning, where an object has been defined, but has not been used anywhere

10
Q

What is the installation target of a cloned policy package?

A

Because the policy package is a clone, it will have the same installation target as the original policy package, but you can edit this.

Warning: You should not point more than one policy package at a target because that increases the chance of user error.

11
Q

What is the purpose of dynamic objects?

A. To merge duplicates automatically
B. To map a single logical object to a unique definition per device

A

B. To map a single logical object to a unique definition per device

12
Q

Which statement about policy packages is true?

A. A policy package may have multiple installation targets in an ADOM
B. There can be only one policy package per ADOM

A

A. A policy package may have multiple installation targets in an ADOM

13
Q

Statuses of policy packages

A
  • Imported: Indicates that a policy package was successfully imported for a managed device.
  • Synchronized: Indicates that policies and objects are synchronized between FortiManager and the managed device.
  • Never Installed: The policy package was never created, hence it was never imported for a managed device.
  • Modified: The policy package configuration is changed on FortiManager and the changes have not yet been pushed to the managed device.
  • Out-of-sync: The latest policy package does not match the policies and objects configuration in the latest revision history because of configuration changes made locally on FortiGate or a previous partial installation failure. You should perform a retrieve, and then import policies from FortiManager.
  • Conflict: If you make policy configuration changes locally on FortiGate and don't import the changes into the policy package, and you also made changes on FortiManager, the status enters the conflict state. Depending on the configuration changes, you can either import a policy package or install the changes from FortiManager.
  • Unknown: FortiManager is unable to determine the policy package status.
14
Q

Re-install

A

A re-installation is the same as an installation, except there are no prompts and it provides the ability to preview the changes that will be installed on the managed device.
The Re-install Policy option creates a new revision history and applies it to all selected installation targets.

15
Q

What does a policy package status of Unknown indicate?

A. FMG is not able to determine the policy package status
B. The policy package was never installed from FMG

A

A. FMG is not able to determine the policy package status

16
Q

What is the main benefit of the Re-install option?

A. It can push a policy with fewer steps for a quick policy change
B. It can schedule a policy push

A

A. It can push a policy with fewer steps for a quick policy change

17
Q

ADOM revision

A

ADOM revision saves the policy package and objects locally on FortiManager.

18
Q

How do ADOM revisions influence config backups?

A

ADOM revisions can significantly increase the size of the configuration backup.

19
Q

What happens to policies and objects when you move a device from one ADOM to another?

A

When you move a device from one ADOM to another, policies and objects (used and unused) don't move to the new ADOM.
If you need to move a device from one ADOM to another, run the import policy wizard to import the policy package into the new ADOM.

20
Q

CLI command to import unused objects after a device move to a new ADOM

A

execute fmpolicy copy-adom-object

21
Q

Recommended sequence for upgrading an existing ADOM

A. Upgrade all devices in the ADOM, then upgrade the ADOM to the new version
B. Upgrade the ADOM first, then the devices in the ADOM

A

A. Upgrade all devices in the ADOM, then upgrade the ADOM to the new version

22
Q

Why should the ADOM version match the FGT FortiOS version?

A. To minimize CLI syntax issues between FGT and FMG
B. To keep FGT licenses up to date

A

A. To minimize CLI syntax issues between FGT and FMG

23
Q

Where is policy locking available?

A

Policy locking is available in workspace normal mode only.

24
Q

When is a policy lock released?

A

When the admin session times out or is gracefully closed without unlocking the policy package or policy.

25
Q

When can an admin not lock an individual policy?

A

You cannot lock an individual policy when the policy is used in a policy block.

26
Q

What are the features of Workflow mode

A

Approval is required before changes can be installed on a device.
All the modifications made in a workflow mode session must be discarded or submitted for approval at the end of the session.
Sessions that are rejected can be repaired and resubmitted for approval as new sessions.
All sessions must be approved in the same order in which they were created to prevent any conflicts.

In workflow mode, panes related to FortiGate configuration are read-only at first.

27
Q

How to enable workflow mode

A

From the GUI:
System Settings > Admin > Workspace > Workflow

From the CLI:
config system global
    set workspace-mode workflow
end

28
Q

Workflow permissions

A

It doesn't matter what profile is assigned to the admin.
The admin must be defined as an approver before they can approve changes.
On the GUI, the approval matrix must be completed to allow the admin to approve changes:
1. Select the ADOM
2. Add the admin to Approval Group #1
3. Under Send email notification to, select the admin who receives notifications when changes are made
4. Under Mail Server, select the mail server that will send the notifications

29
Q

How to create a new workflow session

A
  1. Lock the ADOM
  2. Open the session list from Policy & Objects > Policy Packages > Session List
  3. Click Create New

30
Q

Steps to submit a workflow session

A
  1. Save the session
  2. From the Sessions drop-down, select Submit (the other options are View Diff and Discard)
  3. After Submit, the ADOM automatically returns to the unlocked state

31
Q

Steps to approve a workflow session

A
  1. Lock the ADOM
  2. Open the session list
  3. Select the session
  4. Choose one of:
    • Approve
    • Reject: the approver administrator has the option to repair the changes. A session that is rejected must be fixed before the next session can be approved
    • Discard
    • View Diff

32
Q

How to delete a session

A

If the admin didn't log out gracefully, the session must be deleted before the next one can be created, or the session must time out.

Delete administrator sessions on the GUI or CLI.

GUI:
1. Select the ADOM
2. Open System Settings
3. Open the admin session list from the System Information widget
4. Delete the required session

CLI:
diagnose system admin-session list
Look for the session_id value in the output.

diagnose system admin-session kill {session_id}

33
Q

Which statement about workflow mode is true?

A. Workflow sessions that are rejected can be repaired and resubmitted for approval as new sessions
B. A workflow session can be created by locking an individual policy package

A

A. Workflow sessions that are rejected can be repaired and resubmitted for approval as new sessions

34
Q

What is the main benefit of the policy locking feature?

A. It allows locking a single policy package instead of locking the entire ADOM
B. It allows locking multiple firewall policies in a policy package

A

A. It allows locking a single policy instead of locking the entire ADOM

35
Q

Which has higher priority: per-device mapping or per-platform mapping?

A

When a normalized interface is used in a policy, per-device mapping has higher priority than per-platform mapping.

36
Q

Is it possible to copy policy between different policy packages?

A

Yes. You can copy a policy from one policy package to another policy package within the same ADOM.