FortiGate
gmanea, Staff
Article Id 195816

Description

 

This article describes common behaviors and sets expectations when choosing between profile-based and policy-based NGFW operation.

This is one of the first decisions to make when setting up the FortiGate.
The behavior described here is what to expect when converting a policy-based unit to profile-based operation, or the other way around.
Ideally, this conversion is planned in advance and is not performed on a production unit.


Solution

 

Profile-based (traditional, default).
Each policy has its own set of profiles, which gives more flexibility in customization.

 
Note.
Security profile groups can be used (see the policy ID#2 above: Security Profiles 'GRP').
They have to be configured, enabled, and applied from the CLI.
There is no option to enable them from the GUI.
 
# config firewall profile-group
    edit test-group
        set profile-protocol-options default    <- Add members to the group: one 'set' line per profile type.
    next
end
 
On a policy, the group can be referenced only after utm-status is set to 'enable':
# config firewall policy
    edit <policy-id>
        set utm-status enable
        set profile-type group
        set profile-group <group-name>
    next
end
 
Related document:
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/44682/security-profile-groups

Policy-based (newer mode; allows access to applications and URL categories directly in policies; operates only in flow-based mode).
Easier access to applications or URL categories (avoids the separate customization and application of different Application Control and Web Filter profiles); less customizable; does not allow changing the policy or operation mode to proxy-based.
 
Because the approach is similar to other vendors' firewalls, it is preferred for a faster configuration migration from a different device to FortiGate, but it may become harder to manage as the number of policies grows. Note that all traffic is inspected by the IPS engine even if no security profile or web filter is applied, so higher utilization is expected. No proxy-based inspection mode is available.
 
 
Important Note.
(Conversion from default).
GUI warning: Changing to policy-based mode will remove all firewall IPv4 and IPv6 policies and Central SNAT will be enabled.

The Cookbook wrongly mentions a conversion: 'Switching from profile-based to policy-based mode converts your policies to policy-based. To avoid issues, create a new VDOM for the policy-based mode.' There is no conversion: all the policies are deleted.
 
Some of the results:
IPv4 policy - no longer visible in the GUI or CLI. All existing policies are deleted.
Security policy - becomes the default way to apply security profiles. Central SNAT is enabled by default.
SSL Inspection & Authentication - this is where SSL inspection is applied per source/destination interfaces and services (less granular than per policy).
 
The default inspection mode is flow; the mode cannot be changed to proxy-based per policy.

(Reverting to default).
GUI warning: Changing to profile-based mode will remove all firewall and security policies.

Central SNAT remains enabled by default, and the Central SNAT policies are not deleted. Central SNAT can be disabled manually; the system then hides and skips the central-snat policies. They are kept under '# config firewall central-snat-map' and are restored if/when Central SNAT is enabled again.
 
# config system settings
    set central-nat disable
end
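As an added example (not Fortinet's code and not part of this article), the script below parses a FortiOS configuration backup in the config/edit/set/next/end text format and reports, before a mode switch is attempted, what the conversion or revert described above would delete or keep, and which policies reference a security profile group (the 'set profile-type group' usage from the profile-based section). The sample backup is constructed, the interface and object names are placeholders, and the parser's handling of the format (nested scopes, quoted values) is an assumption made for this audit rather than a reference implementation.

```python
"""Pre-change audit of a FortiOS configuration backup (added example).

Parses the config/edit/set/next/end text format of a FortiGate backup and
reports what switching between profile-based and policy-based NGFW mode
would delete or keep, following the behaviour described in this article.
"""

# Constructed sample backup, not taken from a real device; interface and
# object names are placeholders.
SAMPLE_CONFIG = """\
config system settings
    set ngfw-mode profile-based
    set central-nat disable
end
config firewall profile-group
    edit "test-group"
        set profile-protocol-options "default"
    next
end
config firewall policy
    edit 1
        set name "lan-to-wan"
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set utm-status enable
        set profile-type group
        set profile-group "test-group"
    next
    edit 2
        set name "dmz-to-wan"
        set srcintf "port3"
        set dstintf "port1"
        set action accept
    next
end
config firewall central-snat-map
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set nat-ippool "pool1"
    next
end
"""


def parse_fortios(text):
    """Return nested dicts: table -> entry id -> {key: value}.

    Tables without 'edit' entries (e.g. 'system settings') hold their
    'set' keys directly; a 'config' block nested inside an entry becomes
    a sub-dict of that entry. This is a simplification sufficient for
    the audit, not a full FortiOS config grammar.
    """
    tables = {}
    stack = []  # currently open config/edit scopes, innermost last
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            parent = stack[-1] if stack else tables
            stack.append(parent.setdefault(line[7:], {}))
        elif line.startswith("edit "):
            entry_id = line[5:].strip().strip('"')
            stack.append(stack[-1].setdefault(entry_id, {}))
        elif line.startswith("set "):
            parts = line.split(None, 2)
            stack[-1][parts[1]] = parts[2].strip().strip('"') if len(parts) > 2 else ""
        elif line in ("next", "end"):
            stack.pop()
        # 'unset' and other keywords are irrelevant for this audit
    return tables


def audit_mode_switch(tables):
    """Describe what a switch of ngfw-mode would delete or keep."""
    settings = tables.get("system settings", {})
    mode = settings.get("ngfw-mode", "profile-based")  # FortiOS default mode
    policies = tables.get("firewall policy", {})
    security_policies = tables.get("firewall security-policy", {})
    snat_rules = tables.get("firewall central-snat-map", {})
    # Policies that depend on a security profile group (CLI-only feature)
    group_users = sorted((pid for pid, p in policies.items()
                          if p.get("profile-type") == "group"), key=int)
    if mode == "profile-based":
        target = "policy-based"
        # GUI warning: all IPv4/IPv6 policies removed, Central SNAT enabled
        deleted = {"firewall policy": len(policies)}
    else:
        target = "profile-based"
        # GUI warning: all firewall and security policies removed
        deleted = {"firewall policy": len(policies),
                   "firewall security-policy": len(security_policies)}
    return {
        "current_mode": mode,
        "target_mode": target,
        "deleted": deleted,
        # central-snat-map entries survive either direction of the switch
        "kept": {"firewall central-snat-map": len(snat_rules)},
        "policies_using_profile_group": group_users,
        # Central SNAT is enabled by the conversion and stays enabled on revert
        "central_nat_after": "enable",
    }


if __name__ == "__main__":
    for key, value in audit_mode_switch(parse_fortios(SAMPLE_CONFIG)).items():
        print(f"{key}: {value}")
```

Run it against an exported backup (replace SAMPLE_CONFIG with the file contents) to get a count of the policies that the GUI warning says will be removed, so the rule set can be re-created or the change moved to a fresh VDOM before touching a production unit.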
 
Note.
The Central SNAT table only controls the NAT.
To allow a specific flow of traffic, a Security policy must still be configured.

Related document:
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/978598/profile-based-ngfw-vs-policy-base...