Fortinet

FortiGate (non-management device)

Dashboard Widgets

General (General overview of the system)

Cleanup (Summary of the number of rules that are disabled, fully shadowed, or have not been hit in the past year)

USP Compliance (The number of rules with violations, according to their severity level)

Audit (The number of rules with expired access or whose access will expire within the next month)

Recent Changes (Rules and devices with changes in the past 30 days)

Browsers

Rule Viewer (see Rule Viewer)

Object Lookup (see Object Lookup)

USP Viewer (see USP Viewer)

USP Alert Manager Viewer (see USP Alerts Manager)

USP Exceptions Viewer (see USP Exceptions)

Changes (see Change Browser)

Cleanup (see Cleanup Browser)

Device Viewer (see Device Viewer)

Change Management

Rule and Object Usage Report (Displays statistics for most-used, least-used, and unused rules and objects)

Change Management (Policy and Side-by-Side policy change comparison in the Compare tab, Comparison report, and New Revision report)

Full Accountability (Details of the revision, including who made the revision and when)

Display IPv6 objects

Graphical Policy (Policies are displayed in SecureTrack as they are shown in the vendor's management software)

Real-time Monitoring (Automatically fetches policy information from the device at regular intervals)

Create SecureChange ticket from Rule Viewer for:

  • Rule Decommission (Removes selected rules from supported devices)

Automatic Policy Generation (APG) (Analyzes firewall logs to determine actual business practices, and creates an optimized rulebase that limits traffic allowance to traffic actually used in the organization)

Topology

Static Topology

Dynamic Topology

Calculate impact of VPN policies

Offline Analysis

Not supported when the device is configured for high availability

FortiManager Advanced (managing FortiGate)

Advanced means that the device management mode in SecureTrack is set to Advanced management

Dashboard Widgets

General (General overview of the system)

Cleanup (Summary of the number of rules that are disabled, fully shadowed, or have not been hit in the past year)

USP Compliance (The number of rules with violations, according to their severity level)

Audit (The number of rules with expired access or whose access will expire within the next month)

Recent Changes (Rules and devices with changes in the past 30 days)

Browsers

Rule Viewer (see Rule Viewer)

Object Lookup (see Object Lookup)

USP Viewer (see USP Viewer)

USP Alert Manager Viewer (see USP Alerts Manager)

USP Exceptions Viewer (see USP Exceptions)

Changes (see Change Browser)

Cleanup (see Cleanup Browser)

Device Viewer (see Device Viewer)

Change Management

Rule and Object Usage Report (Displays statistics for most-used, least-used, and unused rules and objects)

Change Management (Policy and Side-by-Side policy change comparison in the Compare tab, Comparison report, and New Revision report)

Full Accountability (Details of the revision, including who made the revision and when)

Display IPv6 objects, routes, and interfaces

Graphical Policy (Policies are displayed in SecureTrack as they are shown in the vendor's management software)

Change Window (see View and Update a Change Window)

Real-time Monitoring (Automatically fetches policy information from the device at regular intervals)

Create SecureChange ticket from Rule Viewer for:

  • Rule Decommission (Removes selected rules from supported devices)

  • Rule Modification (Receives rules from the Rule Viewer and lets you create a ticket in SecureChange for a handler to update firewall rules for supported devices)

  • Rule Recertification (Used to document and verify the need for a rule)

Automatic Policy Generation (APG) (Analyzes firewall logs to determine actual business practices, and creates an optimized rulebase that limits traffic allowance to traffic actually used in the organization)

Global configuration visibility

Topology

Static Topology

Dynamic Topology

Calculate impact of NAT rules

IPv6 routes

Path analysis with IPv6 addresses in source and destination

SD-WAN: Supported for FortiManager 7.0 and later. The SD-WAN rules must be created using the SD-WAN templates and the ADOM version must be 7.0 or later.

Connectivity via VPN

User Identity (Supported for user groups but not FSSO groups)

Notes for FortiManager Advanced (5.4 or later):

  • API for fetching dynamic topology is not supported for ADOM 5.2 and earlier.

  • These features are not supported: Regulations report, Risks, Policy Analysis, dynamic objects (treated as static objects with "default" as their value)

  • Support for the "Collect dynamic topology information" feature when dynamic addressing (DHCP) or routing protocols (OSPF and BGP) are in use.

  • Support for Fortinet FortiManager Web Filters.

  • For Fortinet FortiManager Global Rules that are assigned to ADOM policies, the following features are not supported:

    • Automatic Policy Generator (APG)

    • Last hit for rules in Rule Viewer

    • Rule and object usage

  • If you have IPv6 policies and upgrade to FortiManager 6.4 from an earlier version, all IPv6 policies will be deleted and recreated. In SecureTrack, it will appear as a diff in the Change Report.

  • Destination NAT using Services as optional filters is not currently supported.

  • Source NAT is not supported for FortiManager 6.4 and earlier with policy-based policies that do not have the Central NAT check box selected.

  • Calculating the impact of Central NAT rules is supported for FortiManager 6.0.5 and later.

  • Virtual routing and forwarding information is part of the firewall revision and is supported in the Topology Map.

  • In Fortinet scripts, rule names must be enclosed in quotation marks. For example: "Escalation Rule"