Security profile groups
It may seem counterintuitive to have a topic on security profile groups in the Firewall Chapter/Handbook when there is already a chapter/handbook on Security Profiles, but there are reasons:
- Security profile groups are used exclusively in the configuration of a firewall policy, which is described in the Firewall Chapter/Handbook.
- The CLI commands for creating and using security profile groups are in the firewall configuration context of the command line structure of settings.
The purpose of security profile groups is the same as that of other groups such as Address, Service, and VIP groups: they save time and effort in the administration of the FortiGate when there are many policies with a similar pattern of Security Profile use. In a fairly basic network setup with a handful of policies it may not seem worth the effort to set up groups of security profiles, but in a large, complex configuration with hundreds of policies, many of which use the same security profiles, groups can save real effort and help prevent an important profile from being left out of a policy. As an added benefit, when it comes time to add or change the profiles for the policies that use a Security Profile Group, the change only has to be made to the group, not to each policy.
The most difficult part about using security profile groups is making them visible in the GUI.
Making security profile groups visible in the GUI
By default, Security Profile Groups are not visible in the GUI. Neither the ability to assign one to a policy nor the ability to configure the members of a group is available by default. You will not find an option to enable Security Profile Groups under System > Feature Visibility either. Instead, they only become visible in the GUI once one has been created and assigned to a policy. This must be done the first time through the CLI, using the following syntax:
```
config system settings
    set gui-dynamic-profile-display enable
end
```
Step 1 – Create a security profile group:
Enter the command: config firewall profile-group
Use the edit command to give a name to and create a new Security Profile Group
(profile-group) # edit test-group
Configure the members of the group by setting the name of the desired profile in the field for the related profile/sensor/list. The options are:
| Field | Value |
|---|---|
| av-profile | Name of an existing Antivirus profile. |
| webfilter-profile | Name of an existing Web filter profile. |
| dnsfilter-profile | Name of an existing DNS filter profile. |
| spamfilter-profile | Name of an existing Spam filter profile. |
| dlp-sensor | Name of an existing DLP sensor. |
| ips-sensor | Name of an existing IPS sensor. |
| application-list | Name of an existing Application list. |
| voip-profile | Name of an existing VoIP profile. |
| icap-profile | Name of an existing ICAP profile. |
| waf-profile | Name of an existing Web application firewall profile. |
| profile-protocol-options | Name of an existing Protocol options profile. |
| ssl-ssh-profile | Name of an existing SSL SSH profile. |
```
set av-profile default
set profile-protocol-options default
```
Note that the protocol options profile is mandatory: if the group is committed without `set profile-protocol-options`, the CLI rejects it with:
```
node_check_object fail! for profile-protocol-options Attribute 'profile-protocol-options' MUST be set.
Command fail. Return code -56
```
Step 2 – Add a security profile group to a policy
Now that there is a group to add to a policy, we can configure a policy to use a Security Profile group. This is also done in the CLI.
In the following example, only the commands necessary to enable and select a Security Profile group are listed.
```
config firewall policy
    edit 0
        set utm-status enable
        set profile-type group
        set profile-group test-group
    next
end
```
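The two steps above are easy to get wrong at scale: a group committed without a protocol options profile is rejected, and a policy that names a non-existent group is a silent gap in inspection. The following Python model, added here as an example and not Fortinet's own code, renders the `profile-group` and `firewall policy` CLI blocks from Steps 1 and 2, checks the same constraint the CLI enforces (profile-protocol-options must be set) before anything is pushed to a device, and answers the change-review question "which policies inherit an edit to this group?". Only the field names listed in the table above are used; the class names, `build_script` and `policies_using` are this example's own, and the sample group and policy IDs are constructed.

```python
"""Model FortiGate security profile groups and the policies that use them.

Added example (not Fortinet's code): builds the CLI text for the profile-group
and firewall-policy objects described above and validates, offline, the
constraint the CLI itself enforces (profile-protocol-options MUST be set).
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Member slots of `config firewall profile-group` (the table above).
GROUP_FIELDS = (
    "av-profile", "webfilter-profile", "dnsfilter-profile", "spamfilter-profile",
    "dlp-sensor", "ips-sensor", "application-list", "voip-profile",
    "icap-profile", "waf-profile", "profile-protocol-options", "ssl-ssh-profile",
)
# Taken from the CLI error quoted above; assumption: it is the only hard requirement.
REQUIRED_FIELDS = ("profile-protocol-options",)


@dataclass
class ProfileGroup:
    name: str
    members: Dict[str, str] = field(default_factory=dict)  # field -> profile name

    def validate(self) -> List[str]:
        """Return the problems that would make the CLI reject this group (empty = OK)."""
        problems = [f"{self.name}: unknown field {k!r}"
                    for k in self.members if k not in GROUP_FIELDS]
        problems += [f"{self.name}: attribute {k!r} MUST be set"
                     for k in REQUIRED_FIELDS if k not in self.members]
        return problems

    def to_cli(self) -> str:
        lines = ["config firewall profile-group", f"    edit {self.name}"]
        lines += [f"        set {k} {v}" for k, v in self.members.items()]
        return "\n".join(lines + ["    next", "end"])


@dataclass
class Policy:
    policy_id: int   # 0 lets the FortiGate allocate the next free ID
    group: str       # profile group the policy applies

    def to_cli(self) -> str:
        # Only the statements that switch the policy to group mode (Step 2).
        return "\n".join([
            "config firewall policy",
            f"    edit {self.policy_id}",
            "        set utm-status enable",
            "        set profile-type group",
            f"        set profile-group {self.group}",
            "    next",
            "end",
        ])


def build_script(groups: List[ProfileGroup], policies: List[Policy]) -> str:
    """Validate every object, then return one CLI script: groups first, then policies."""
    problems = [p for g in groups for p in g.validate()]
    known = {g.name for g in groups}
    problems += [f"policy {p.policy_id}: profile group {p.group!r} does not exist"
                 for p in policies if p.group not in known]
    if problems:
        raise ValueError("; ".join(problems))
    return "\n".join([g.to_cli() for g in groups] + [p.to_cli() for p in policies])


def policies_using(group_name: str, policies: List[Policy]) -> List[int]:
    """Change review helper: IDs of the policies that inherit an edit to this group."""
    return sorted(p.policy_id for p in policies if p.group == group_name)


if __name__ == "__main__":
    # Constructed sample: one group shared by three policies.
    group = ProfileGroup("test-group", {"av-profile": "default",
                                         "profile-protocol-options": "default"})
    pols = [Policy(10, "test-group"), Policy(11, "test-group"), Policy(12, "test-group")]
    print(build_script([group], pols))
    print("policies affected by a change to test-group:", policies_using("test-group", pols))
```

Run it to see the generated script; the ordering (groups before policies) matters because a policy's `set profile-group` fails if the group does not exist yet, which is also why `build_script` rejects dangling references up front.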
Step 3 – The appearance in the GUI of the security profile group configuration features
- Under Security Profiles there is a menu item called Profile Groups that can be used to create new and edit existing profile groups.
- In the Edit Policy window for IPv4 and IPv6 policies there is a Use Security Profile Group field to enable or disable the use of the groups.
- In that window, profile groups can be created or edited by clicking on the appropriate icons next to, or in, the drop-down menu.
- In the policy listing window there is a Security Profiles column.
- Right or left clicking on the icon for the group brings up editing options either via a slide out window or a drop down menu, respectively.