Atul_S
Staff & Editor
May 12, 2022

Technical Tip: How to use security profile groups

Description

This article describes how to create a security profile group and apply it in a firewall policy.

Scope

FortiGate and FortiProxy.

Solution

A FortiGate can operate in either of two NGFW modes. In profile-based mode (the traditional approach), the individual UTM profiles are defined and then applied directly to a policy (an IPv4 firewall policy or a proxy policy). In policy-based mode, the security policy section is complemented by separate Central NAT, SSL inspection and authentication policies, which gives more granular control. In both modes, consolidating profiles into a profile group is convenient: it gives administrators more control and saves configuration time.

These profile groups also assist in implementing specific network design and access methods depending upon the security posture of the company.

For example:

  • Enterprise-level business groups with extensive segmentation in terms of Layer 3 devices/VDOMs, all of whose traffic terminates on the perimeter firewall.
  • More granular handling of SD-WAN traffic arriving from multiple branches.
  • College/school environments, where a large number of students makes the network more exposed to security breaches.

As illustrated below:

[Image: Atul_S_0-1652337128575.png]

By default, the security profile group option is not visible in the GUI; it must be enabled from the CLI.

Before v6.4:

config system settings
    set gui-dynamic-profile-display enable
end

v6.4 and later:

config system settings
    set gui-security-profile-group enable
end

Once the above step is done, the option for the profile group will be visible as below.

[Image: Atul_S_1-1652337206136.png]

After this, simply enable the profile group under the desired firewall policy as below:

[Image: Atul_S_2-1652337237359.png]

Checking the configuration of security profile groups from the GUI and CLI:

GUI:

[Image: profile group.png]

CLI:

FG # config firewall profile-group

FG (profile-group) # edit "TEST"

FG (TEST) # show
config firewall profile-group
    edit "TEST"
        set av-profile "default"
        set webfilter-profile "default"
        set ips-sensor "default"
        set application-list "default"
    next
end

Notes:

  • Security Profile Groups are not available in FortiOS v7.4.9 (FortiGate only). The feature is reintroduced in FortiOS v7.6.0 and later.
  • In FortiOS v7.4.9, Security Profile Groups may still be visible on existing firewall policies that were created previously; however, they cannot be selected or added to newly created firewall policies. See Technical Tip: Security profile groups no longer available after an upgrade to v7.4.9.
  • From the CLI, it is not possible to observe the configuration of the SSL/SSH Inspection profile and Protocol Options when the default configuration of these profiles is in use, which can be confusing.

Once these profiles have been cloned or modified, they are shown in the CLI output:

[Image: modified.png]

FG # config firewall profile-group

FG (profile-group) # edit "TEST"

FG (TEST) # show
config firewall profile-group
    edit "TEST"
        set profile-protocol-options "Clone of default" --->
        set ssl-ssh-profile "Clone of certificate-inspection" --->
        set av-profile "default"
        set webfilter-profile "default"
        set ips-sensor "default"
        set application-list "default"
    next
end
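As an added example (not code from the original article), the full CLI equivalent of the GUI steps above on a FortiOS 7.x unit: enabling the option, building the group with the SSL/SSH inspection and protocol-options profiles pinned explicitly so they appear in the CLI, and attaching the group to a policy. The group name "BRANCH-USERS", interfaces port2/port1, policy ID 10 and the two pre-existing clones are assumptions.

```fortios
# Added example (not from the original article): FortiOS 7.x CLI equivalent of the
# GUI steps above. Assumed names: group "BRANCH-USERS", interfaces port2 (LAN)
# and port1 (WAN), policy ID 10, and the two clones from the screenshot above.

# 1. Make the group selectable in the GUI (v6.4 and later; per-VDOM setting).
config system settings
    set gui-security-profile-group enable
end

# 2. Build the group. Pin SSL/SSH inspection and protocol options to the cloned
#    profiles so that "show" lists them instead of silently using the defaults.
config firewall profile-group
    edit "BRANCH-USERS"
        set av-profile "default"
        set webfilter-profile "default"
        set ips-sensor "default"
        set application-list "default"
        set ssl-ssh-profile "Clone of certificate-inspection"
        set profile-protocol-options "Clone of default"
    next
end

# 3. Attach the group to a policy. "profile-type group" replaces the per-policy
#    profile settings with a single reference to the group.
config firewall policy
    edit 10
        set name "LAN-to-WAN-UTM"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set profile-type group
        set profile-group "BRANCH-USERS"
        set logtraffic all
        set nat enable
    next
end

# 4. Verify that the group now lists all six profiles explicitly.
config firewall profile-group
    edit "BRANCH-USERS"
        show
    next
end
```

From any configuration context, `show full-configuration` also prints attributes that `show` omits because they still hold their default values, which is the quickest way to confirm which SSL/SSH inspection and protocol-options profiles a group actually uses.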