Fortinet

FortiGate (standalone)

Access Requests
  • Manual target selection
  • Device object selection

Modify Group
  • Create/modify group

Add Access
  • Risk Analysis
  • Designer
  • Verifier
  • Authorization and documentation
  • Auto close

Remove Access
  • Verifier

Decommission Network Object
  • Impact Analysis
  • Verifier

Rule Recertification
  • Update metadata

FortiManager Advanced (managing FortiGate)

Advanced means that the device management mode for the device in SecureTrack is set to Advanced management.

Access Requests
  • Manual target selection
  • Device object selection
  • User Identity (supported for user groups but not for FSSO groups)

Modify Group
  • Designer
  • Syntax-based change
  • Provisioning + Committing
  • Provisioning + Committing in automatic step
  • Create/modify group

Add Access
  • Risk Analysis
  • Verifier
  • Designer
  • Provisioning + Committing
  • Provisioning + Committing in automatic step
  • Authorization and documentation
  • Auto close

Remove Access
  • Auto close
  • Verifier (topology mode only)
  • Designer
  • Provisioning
  • Provisioning in automatic step

Decommission Network Object
  • Impact Analysis
  • Designer
  • Provisioning + Committing
  • Verifier
  • Authorization and documentation

Clone Network Object Policy
  • Designer
  • Provisioning (or) Provisioning + Committing
  • Verifier

Rule Decommission
  • Designer
  • Provisioning + Committing
  • Provisioning + Committing in automatic step
  • Verifier
  • Authorization and documentation
  • Auto close

Rule Modification
  • Provisioning + Committing
  • Provisioning + Committing in automatic step

Rule Recertification
  • Update metadata

Notes for FortiManager Advanced:

  • In SecureChange, you can leverage automation tools, such as target selection, Verifier, and Designer to automate access requests that contain FQDNs.

  • In SecureTrack, there is visibility for FQDNs in security rules and change tracking, assessment, path analysis, and matching rules.

  • You can define the default for Security Profile Group (ContentID) in stconf. Once these profiles are set, Designer for Access Request will create new rules accordingly. For details, see Configuring Log Forwarding and Security Profile Groups.

  • “Dynamic assignment” and “Skip this step if” options do not list targets when topology is disabled.

    Workaround: Enter these targets manually, using free text.

  • Fortinet FortiManager Web Filters are supported.

  • New objects in a Rule Modification workflow can only be created on the policy where the rule is located. It is not possible to create a global object in a hierarchical environment and add the object to a rule on a sibling policy.

  • In a Rule Modification workflow there is no zone validation for Fortinet FortiManager devices. While it is possible for a request to include adding objects from address books or adding zones to rules on other zones, validation will fail on provisioning.

  • Access Requests support IPv6 objects, including Designer recommendations and Provisioning.

  • Designer gives priority to service objects that have a default timeout set in the firewall.