FortiGate
ssriswadpong
Staff
Article Id 192367

Description

 

This article explains why security profiles such as AV, Web Filter, Email Filter and File Filter are missing on a newly created firewall policy after the upgrade to v6.4.x.

 



Solution


Starting from FortiOS v6.2, Inspection mode is configured per firewall policy. You can enable Flow-based or Proxy-based Inspection Mode on a firewall policy.

From FortiOS v6.4, a new enhancement also allows Flow-based or Proxy-based inspection mode to be chosen on individual security profiles.

Select the appropriate feature set option (flow-based or proxy-based) on the security profile, based on the inspection mode chosen in the firewall policy.



If flow-based inspection mode is chosen on a newly created firewall policy, it is advisable to select the Flow-based feature set on the security profile so that the profile can be enabled in that firewall policy. For a firewall policy in proxy-based inspection mode, select the Proxy-based feature set.

Note:
If FortiGate converted a security profile to the Proxy-based feature set during the firmware upgrade to v6.4.x, that profile will not be available or visible for use on Flow-based firewall policies. In such cases, create a new security profile with the flow-based feature set and apply it to the Flow-based firewall policy.

To learn how FortiGate converts the feature set of security profiles on the existing firewall policies post upgrade from v6.2.x to v6.4.x, please refer to the release notes.

https://docs.fortinet.com/document/fortigate/6.4.0/new-features/857402/security-profiles-enhancement...

Upgrade support.


Upgrading from 6.2.x to 6.4.0 causes the following changes to security profiles.

| Upgrade scenario | Result after upgrade |
| --- | --- |
| Profile was assigned exclusively to flow-based firewall policies in 6.2.x. | feature-set = flow |
| Profile was assigned exclusively to proxy-based firewall policies in 6.2.x. | feature-set = proxy |
| Profile was assigned to both flow-based and proxy-based firewall policies in 6.2.x. | feature-set = proxy |
| Profile was not assigned to any firewall policies in 6.2.x. | feature-set = flow |
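
The upgrade table above can be applied to a 6.2.x configuration backup before upgrading, to list the profiles that flow-based policies use and that will become proxy-only. This is an added example, not Fortinet code: the function names and the sample are constructed here, and it assumes policies reference `av-profile` / `webfilter-profile` directly (no profile groups) and that a policy without an `inspection-mode` line is flow-based.

```python
from collections import defaultdict

# Profile config sections and the firewall-policy key referencing each (subset, extend as needed).
SECTIONS = {"antivirus profile": "av-profile", "webfilter profile": "webfilter-profile"}

def walk(text):
    """Yield (section, entry, key, value) for edit/set lines directly under a top-level config."""
    stack, entry = [], None
    for tok in map(str.strip, text.splitlines()):
        parts = tok.split(None, 2)
        if tok.startswith("config "):
            stack.append(tok[7:])
        elif tok == "end" and stack:
            stack.pop()
        elif len(stack) == 1 and tok.startswith("edit "):
            entry = tok[5:].strip('"')
            yield stack[0], entry, None, None
        elif len(stack) == 1 and len(parts) == 3 and parts[0] == "set":
            yield stack[0], entry, parts[1], parts[2].strip('"')

def predict(text):
    """Map (policy key, profile name) -> (feature-set after upgrade, 6.2.x modes using it)."""
    used_by, policies = {}, defaultdict(dict)
    for section, entry, key, value in walk(text):
        if section in SECTIONS and key is None:
            used_by[(SECTIONS[section], entry)] = set()   # defined, possibly unassigned
        elif section == "firewall policy" and key:
            policies[entry][key] = value
    for settings in policies.values():
        mode = settings.get("inspection-mode", "flow")    # assumption: flow when not shown
        for key in SECTIONS.values():
            if key in settings:
                used_by.setdefault((key, settings[key]), set()).add(mode)
    # Upgrade table: any proxy-based policy using the profile gives proxy, otherwise flow.
    return {p: ("proxy" if "proxy" in m else "flow", sorted(m)) for p, m in used_by.items()}

def needs_flow_copy(text):
    """Profiles used by flow-based policies that the upgrade converts to proxy."""
    return sorted(p for p, (fs, m) in predict(text).items() if fs == "proxy" and "flow" in m)

# Constructed sample in the style of a 6.2.x configuration backup (not from a real device).
SAMPLE = "\n".join([
    'config antivirus profile', 'edit "av-shared"', 'next', 'edit "av-unused"', 'next', 'end',
    'config webfilter profile', 'edit "wf-flow"', 'next', 'end',
    'config firewall policy',
    'edit 1', 'set av-profile "av-shared"', 'set webfilter-profile "wf-flow"', 'next',
    'edit 2', 'set inspection-mode proxy', 'set av-profile "av-shared"', 'next', 'end',
])
```

Each profile returned by `needs_flow_copy` is a candidate for the new flow-based copy described in the note above.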