Policy Introduction – Profile-based NGFW vs policy-based NGFW – FortiOS 6.2

Profile-based NGFW vs policy-based NGFW

From version 5.6, we added a new policy mode called Next Generation Firewall (NGFW). This mode is only available when the VDOM inspection-mode is flow. This model is divided into two working modes — profile-based and policybased. Profile-based NGFW is the traditional mode where a user needs to create an AV/web/IPS profile which is applied to the policy.

Policy-based mode is new. In this mode, users can add applications and web filtering categories directly to a policy without having to first create and configure Application Control or Web Filtering profiles. If a URL category is set, the applications that are added to the policy must be within the browser-based technology category. NGFW is per VDOM setting. This means users can operate their FortiGate or individual VDOMs on their FortiGate in NGFW policy-based mode when they select flow-based inspection.

Switching NGFW mode from profile-based to policy-based converts your profile-based security policies to policy-based security policies. If you don’t want this to happen or you just want to experiment with policy-based NGFW mode, consider creating a new VDOM for policy-based NGFW mode. You can also backup your configuration before switching modes.

NGFW policy-based firewall policies might have unintended consequences to the passing or blocking of traffic. For example, if you add new firewall policies that are designed to DENY social media traffic based on applications or URLs, having a traditional “catch all” firewall policy to DENY all other traffic at the bottom of the firewall policy list may have the unintended consequence of blocking legitimate traffic. Also note that NGFW policy-based mode applies the NAT settings from matching Central SNAT policies. If you don’t already have a Central SNAT policy in place, you must create one.

After version 6.2, we removed the inspection-mode from VDOM to firewall policy, and the default inspection-mode is flow so we can change NGFW mode from profile-based (default) to policy-based directly in the VDOM’s System > Settings.

To enable policy-based NGFW mode using the GUI:

You can operate your FortiGate or individual VDOMs in Next Generation Firewall (NGFW) policy mode.

  1. Go to System > Settings.
  2. In NGFW Mode, select Policy-based.
  3. In SSL/SSH Inspection, select the SSL/SSH inspection mode to be applied to all policies.

To enable policy-based NGFW mode using the CLI:

config system settings set ngfw-mode {profile-based | policy-based} end


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

This entry was posted in Administration Guides, FortiGate, FortiOS 6.2 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

4 thoughts on “Policy Introduction – Profile-based NGFW vs policy-based NGFW – FortiOS 6.2

  1. Jon

    If you were to get a new Fortigate today which NGFW mode would you use? My 60E is in profile based mode and whilst I’m happy with it, I am confused as to what the benefits would be if i were to change to policy based.

    Reply
  2. Donovan

    I like Jon am a little confused at why I would choose policy-based over profile-based. I’m looking at this now in 6.4.4 and I don’t see the benefit. I’m sure the answer is probably about use case, but I’m not seeing the bigger picture I guess. Can you explain why someone would use this? I’ve personally never been a fan of Central-NAT, which this forces you to use AND it feels a little like it’s a different way of doing things just because. I’m sure I’m just not grasping the things completely.

    Reply
  3. Esam

    Actually, we have purchased a brand new 601E, and we are thinking about applying policy based mode for the options that it provides in security policies. In the other hand I have the following observations:
    – Is D-NAT supported in policy mode?
    – I think profile mode is more granular and customizable in terms or NATing

    Reply
    1. Mike Post author

      Policy mode is growing on me. My comfort and familiarity still leans profile mode though. Fortinet needs to tweak a few things to make policy mode a little more refined (behave more like Palo) in order for me to make the switch full time.

      Reply

Leave a Reply to Mike Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.