Tuesday, 1 September 2015

How-to: Configure a workflow in FortiManager to enforce change management policies

The FortiManager allows you to enforce change management policies so that while junior members are able to make configuration changes, they will not be applied until management approves them.

This blog will go through the steps on how-to set this up.

Firstly workflow mode is disabled by default on FMG so we'll need to enable this via the CLI using the following command:

config system global
set workspace-mode workflow
end




This will log you out of the FMG. Once we log back in we can see there's a new 'Lock ADOM' button available to us which we'll use later.


For now we want to configure which administrators have the permission to approve configuration changes. To do this goto System Settings > Admin > Workflow Approval. Click 'Create New' then select the ADOM and the admin/group that you want to have approval permission. Optionally you can also add an email notification so that your change managers will automatically receive an email alert when a change request has been made.


In this example we're going to use an account named 'junior' who has permission to create policies but not approve them. The user 'admin' has full access and is able to approve policy that can be applied.

First login with the junior account:




Now we goto Policy & Objects and click on 'Lock ADOM':





Next we click on 'Create New Session'. From here we can enter the change name and comments. You can enter change request numbers here for reference. Click OK to save.



Now we can begin making our changes to config. Once you've finished making changes select Session > Submit:



Now enter a message for the change manager:


Once this is done we can log out of the junior account and login with the admin account:


Now we goto Policy & Objects and click on 'Lock ADOM' like we did before.

This time we can see the existing session awaiting approval (watch icon). Clicking on it lets us see the comment history. Right clicking the change will give us the option to approve, reject, discard and view the difference between the current config and the proposed changes.


Click on 'View Diff' to bring up the changes. We can click on 'Details' to view the exact changes that are being requested:


Once we're happy with the changes, go back to the session list, right click the session and select 'Approve'. Enter a comment if you'd like:


Once saved we can now see a green icon next to the config showing that it's been approved



Lastly goto Device Manager and we should see that 'Policy Package Status' is orange meaning that there's a change difference between the config on the FGT and the FMG. To push the FMG changes to the FGT we need to right click the firewall and select 'Re-install Policy'

 
We should now see healthy green under 'Policy Package Status' which means the config on the FGT is synced with the FMG!






No comments: