Technical Tip: How to identify firewall and security policies in a policy based NGFW mode
| Description | This article describes how to identify the firewall and security policies in a policy-based NGFW mode |
| Scope | FortiGate |
| Solution | Profile-based NGFW mode FortiGates are more common than policy-based ones. A few operations that are routine on a profile-based NGFW mode FortiGate are more difficult to perform on a policy-based one. On a profile-based FortiGate, any change that needs to be made to a policy itself is done by right-clicking the policy -> Edit in CLI.
However, policy-based NGFW FortiGates work a bit differently. The layout is shown in the picture below:
One of the challenges on a policy-based NGFW mode firewall is disabling hardware acceleration. This can add confusion for users accustomed to profile-based mode, where the usual step is to identify the firewall policy that needs advanced troubleshooting, right-click the policy -> Edit in CLI, and issue the command 'set auto-asic-offload disable'.
NPU offload cannot be turned off in a firewall security policy:
When the diagnostic command for the interesting traffic is issued, the output shows policy_id=2 and ngwfid=3. 'ngwfid' refers to the security policy, while 'policy_id' refers to the SSL Inspection & Authentication policy.
Under the SSL Inspection & Authentication policies, there are two policies configured:
Because policy_id refers to the SSL Inspection & Authentication policy, which is a firewall policy, offload can be disabled for it:
The result: offload is disabled.
More information regarding the NGFW policy can be found in the document below: |
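The identification step above, as an added example that is not part of the original article: a small Python helper that pulls policy_id and ngwfid out of a session entry and emits the offload-disable CLI for the firewall policy only, since the security policy (ngwfid) does not support it. The session excerpt is constructed, not real device output; the field spellings follow the article.

```python
import re
from typing import Dict, Optional

# Constructed excerpt of a session entry from a policy-based NGFW FortiGate
# (not real device output). Field names follow the article: 'policy_id' is the
# SSL Inspection & Authentication (firewall) policy, 'ngwfid' the security policy.
SAMPLE_SESSION = """\
session info: proto=6 proto_state=01 duration=12 expire=3588 timeout=3600
hook=post dir=org act=snat 192.0.2.10:51000->198.51.100.20:443(203.0.113.5:51000)
misc=0 policy_id=2 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
ngwfid=3
"""

_ID_FIELDS = ("policy_id", "ngwfid")


def parse_session_ids(session_text: str) -> Dict[str, Optional[int]]:
    """Extract policy_id and ngwfid from a session entry; a missing field is None."""
    ids: Dict[str, Optional[int]] = {}
    for field in _ID_FIELDS:
        match = re.search(rf"\b{field}=(\d+)\b", session_text)
        ids[field] = int(match.group(1)) if match else None
    return ids


def offload_disable_commands(session_text: str) -> str:
    """Return the CLI that disables NPU offload for this session's traffic.

    Only the firewall policy (policy_id) accepts 'set auto-asic-offload disable';
    the security policy (ngwfid) does not, so it is deliberately never used here.
    """
    policy_id = parse_session_ids(session_text)["policy_id"]
    if policy_id is None:
        raise ValueError("session entry has no policy_id; offload cannot be disabled")
    return (
        "config firewall policy\n"
        f"    edit {policy_id}\n"
        "        set auto-asic-offload disable\n"
        "    next\n"
        "end"
    )


if __name__ == "__main__":
    print(parse_session_ids(SAMPLE_SESSION))
    print(offload_disable_commands(SAMPLE_SESSION))
```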