FortiOS 5.6 Beta 2 NGFW Policy

NGFW policy mode is going to make a lot of engineers smile from ear to ear. There are many new features coming in 5.6, including a much improved Security Fabric (with audit capabilities), dashboard tweaks, and source and destination NAT on the same policy. The one feature I have been adamantly requesting from Fortinet over the past few years is NGFW-style policy. Check out the video below where I go into detail!


This entry was posted in FortiGate, FortiOS, FortiOS 5.6.

About Mike

Michael Pruett, CISSP, has a wide range of cyber-security and network engineering expertise. A major pet peeve of Michael's is the plethora of vendors that resell hardware but have zero engineering knowledge, resulting in the wrong hardware or configuration being deployed. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. He owns PacketLlama.Com (Fortinet hardware sales) and Office Of The CISO, LLC (cybersecurity consulting firm).

6 thoughts on “FortiOS 5.6 Beta 2 NGFW Policy”

  1. jon

    Are you able to now block specific file types by URL category? Like I want to allow EXEs to come from windowsupdate.com, but I want to block EXEs coming from facebook or other social media sites…

    Reply
    1. Mike Post author

      I will look and see when I’m back at my lab. I know you can set a hard block at the top for web categories in general. Haven’t tried to do the exception by file type though.

      Reply
  2. matt

    I don’t like that you have to choose one or the other, at all. There are some FW policies where I’d like to select a profile so that I can allow several categories, block some, have static URL filters, etc. for a single subnet or user group. So I want to block all Social Media, except Facebook. I can do that with a profile. But with NGFW policy mode you can’t do that in a single rule – you have to select a category to block or allow, period. So I’d have to create one profile that says allow Facebook, then create another that blocks all the other Social Media.

    With the web filtering, you can NOT do URL filtering in policy mode, not that I’ve seen. So if you have 1000 rules where only ONE needs a static URL blocked or allowed, you can’t run policy mode.

    Also, once you get into policy mode, the Web Filtering and App Control configs go away, so under Web Filtering it says “Custom Category 1”… how do you configure what’s in that custom category??? There’s no Web Filtering configuration under Security Profiles. CLI?

    Reply
    1. Mike Post author

      They basically had to re-write the OS to read a packet differently for NGFW mode. It has to allow just enough packets to identify the app before it can proceed. I understand where you are coming from though and that would be awesome to see.

      Reply
  3. matt

    You also have to choose between deep inspection and cert inspection for everything in policy mode. So you can’t have a policy for a group of managed desktops with deep inspection, then a policy for your BYOD devices running cert inspection. I assume the road map is to be able to use both policy and profile modes simultaneously, which would be the ultimate in flexibility and granularity… but it’s just not there yet.

    Reply
    1. Mike Post author

      I could see someone using device type for the source or perhaps reserved IP addresses for the DPI machines and then applying the inspection to that policy specifically.

      Reply
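As an added example (not from the post or from any of the commenters) of what matt describes in comments 2 and 3 and what Mike suggests in reply: a profile-based FortiOS 5.6 configuration that blocks the Social Networking category but allows Facebook through a static URL filter, then applies that same profile with deep inspection to a reserved managed-desktop range and with certificate inspection to a BYOD range. Interface names, subnets, policy IDs, profile names and the FortiGuard category number 37 are assumptions for illustration; check the category number against the FortiGuard category list on your own unit before deploying. Static URL filter entries are evaluated before the FortiGuard category rating, so the allow entry takes precedence over the category block.

```fortios
# Added example, not the post's own configuration. Interfaces, subnets,
# names and the category number 37 (assumed: Social Networking) are
# illustrative assumptions; verify them against your own unit.

# Static URL filter: explicit allow for facebook.com. URL filter entries are
# checked before the FortiGuard category rating, so this wins over the block
# in the profile below. A "simple" match covers the host and its subdomains,
# but not Facebook's separate CDN domains.
config webfilter urlfilter
    edit 1
        set name "allow-facebook"
        config entries
            edit 1
                set url "facebook.com"
                set type simple
                set action allow
            next
        end
    next
end

# Web filter profile: consult the URL filter table first, then block the
# Social Networking category for everything the table did not allow.
config webfilter profile
    edit "social-block-allow-fb"
        config web
            set urlfilter-table 1
        end
        config ftgd-wf
            config filters
                edit 1
                    set category 37
                    set action block
                next
            end
        end
    next
end

# Address objects: reserved addresses for the managed desktops that get
# deep inspection, and a separate range for BYOD clients.
config firewall address
    edit "managed-desktops"
        set subnet 10.0.10.0 255.255.255.0
    next
    edit "byod-clients"
        set subnet 10.0.20.0 255.255.255.0
    next
end

# Two profile-based policies, each with its own SSL/SSH inspection profile.
# This per-policy split is what policy (NGFW) mode does not allow, since
# there the inspection profile is chosen once for the whole VDOM.
config firewall policy
    edit 10
        set name "managed-deep-inspection"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "managed-desktops"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set webfilter-profile "social-block-allow-fb"
        set logtraffic all
        set nat enable
    next
    edit 11
        set name "byod-cert-inspection"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "byod-clients"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "social-block-allow-fb"
        set logtraffic all
        set nat enable
    next
end
```

Policy order matters: the managed-desktop policy is listed first so that a host in the reserved range never falls through to the certificate-inspection rule. Deep inspection on policy 10 also requires the FortiGate's CA certificate to be trusted on those managed desktops, or every HTTPS site will raise a certificate warning.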
