Skip to main content
gmanea
Staff
gmanea
Staff
March 9, 2021

Technical Tip: Profile-based policies vs Policy-based policies

  • March 9, 2021
  • 0 replies
  • 15206 views

Description

 

This article describes common behaviors and sets better expectations when choosing between profile-based and policy-based operations.

This is one of the first decisions to make when setting up the FortiGate. This expected behavior will be found when converting the policy-based unit to a profile-based operation, or the other way around.

 

Ideally, this conversion has to be planned in advance and not be performed on a production unit.

 

Scope

 

FortiGate.

Solution

 

  1. Profile-based (traditional, default).

Each policy will have its own set of profiles. More flexibility in customization.

 
Note:
Security profile groups can be used (see above policy ID#2:  Security Profiles 'GRP').
It has to be configured, enabled, and used from the CLI.
There is no option to enable from the GUI.
 
config firewall profile-group
    edit test-group    <- Add members to the group: set profile-protocol-options default.
end
 
On a policy, it can be used only after the utm-status is 'enable'.
 
    set utm-status enable
    set profile-type group
    set profile-group #name#
 
Related document:
Cookbook: Security Profile Groups
  1. Policy-based (newer mode; allows access to applications and URL categories directly in policies; operates only in flow-based mode).
Easier access to applications or URL categories (avoiding separate customization and application of different App Control and Webfilter profiles; less customizable; does not allow changing the policy or operation mode to proxy-based mode).
 
Due to the similarities in approach to other vendors’ firewalls, it is preferred for a faster config migration from a different device to FortiGate, but it may become more difficult to manage as the number of policies grows. It is important to note that all the traffic will be inspected by IPSEngine even if no security-profiles or web-filter is applied. So, higher utilization is expected. No proxy-based inspection mode is available.
 
 
  1. Converting from default to NGFW policy-based, important notes:
GUI warning: Changing to policy-based mode will remove all firewall IPv4 and IPv6 policies, and Central SNAT will be enabled.

The v6 cookbook 'Profile-based NGFW vs policy-based NGFW' incorrectly mentions a conversion:
'Switching from profile-based to policy-based mode converts your policies to policy-based. To avoid issues, create a new VDOM for the policy-based mode'.
There is no conversion. All the policies are deleted.
 
Some of the results:
IPv4 policy: It will not be visible in the GUI or CLI anymore. All existing policies were deleted.
Security policy: It will become the default way to apply security profiles. The inspection-mode is flow; it cannot be changed the mode to proxy-based per policy.
SSL Inspection & Authentication: SSL inspection is applied per source/destination interfaces and services (less granular than per policy).
Central SNAT: Enabled and cannot be disabled. NAT is performed according to the Central SNAT policies.
 
For traffic to pass in policy-based mode, it must match both a Security Policy and an SSL Inspection & Authentication Policy. A basic SSL Inspection & Authentication Policy is created by default.

If the FortiGate is situated on a NAT boundary, such as between a private network and public Internet, a Central SNAT policy is required for outbound traffic.
 
  1. Reverting from NGFW policy-based to profile-based, important notes:
GUI warning: Changing to profile-based mode will remove all firewall and security policies.

Depending on how the configuration was originally applied, Central SNAT may be initially enabled or disabled when setting NGFW mode to profile-based from policy-based. Any existing Central SNAT policies are not deleted, but they do not apply if central-nat is disabled.
 
The central-snat policies are kept under 'config firewall central-snat-map' and only used if central-SNAT is enabled. For best results, specify the desired central-nat setting after changing to profile-based mode.
 
system_settings.PNG
 
config system settings

    set ngfw-mode profile-based
Changing to profile-based mode will remove all firewall policy/security-policy in this VDOM
Do you want to continue? (y/n)y

    set central-nat { enable | disable }
end
 
  1. The difference in the firewall policy path structure.
  1. In policy-based mode:

‘Security Policy’ has its configuration path = ...ng/firewall/policy/security-policy/standard

In CLI, it is represented by CLI 'config firewall security-policy'.

 8.png
 
'SSL Inspection and Authentication' has its configuration path = ...ng/firewall/policy/policy/standard.
In CLI, it is represented by CLI 'config firewall policy'.
 
9.png
 
10.png

 

  1. In profile-based mode.
After changing the mode (to profile-based), only the CLI option 'config firewall policy' is available, representing ‘Firewall policy’.
 
11.png

 

Refresh the GUI (no need to reboot/restart the Firewall) to see the change.
‘Firewall policy’ has its configuration path = ...ng/firewall/policy/policy/standard.

 

 

12.png

 

    Terms & ConditionsAccessibility statement