Solution
FortiGates support two modes for Next Generation Firewall (NGFW) functionality, which in-turn impact how security inspection and policy matching operate:
- NGFW profile-based mode is the default mode, where security profiles (such as Antivirus, Web Filter, Application Control, etc.) are created and then attached to Firewall Policies.
- Notably, Firewall Policies must be matched first (via Source/Destination IP and Service port matching) before security inspection is executed (i.e., match a policy and then apply inspection based on the assigned profiles).
- NGFW policy-based mode is an alternative mode where traffic always undergoes flow-based inspection during session setup (via the IPS Engine's Policy Match Engine, or PME). Because inspection is always taking place, NGFW policy-mode FortiGates can utilize Application- and URL Category-based matching directly in Security Policies.
- The FortiGate can scan traffic to determine what Application signature and/or FortiGuard URL Category it belongs to, then it can use that information to determine which Security Policy should match to this traffic. Once the Security Policy is matched, follow-up inspection can take place (such as IPS, Antivirus, File Filtering, etc.).
This functionality serves as a notable advantage for NGFW policy-based mode, where it becomes possible to have more granular policy matching, though at the slight cost of slower policy matching (the FortiGate must allow some traffic through so that it can scan, identify, and subsequently take action on that traffic). For example, an administrator could create Security Policies for traffic matching the Microsoft.Teams and Zoom Application signatures, rather than needing to whitelist based on IP ranges, FQDNs, and network ports. Note as well that this functionality does not require the administrator to apply a Web Filter profile to the Security Policy.
Note that blocked sessions are currently not re-evaluated after Security Policy changes. This is by design in this mode: changing the action from 'deny' to 'allow' will not affect an already-blocked session as long as it remains in the kernel session table.
To change the FortiGate's NGFW mode use the following command:
config system settings
set ngfw-mode [profile-based | policy-based]
end
Note: changing the mode on an existing FortiGate/VDOM will result in all existing policies being deleted/removed, as the policy structure is significantly different between the two modes. It may also be necessary to log out and log back in to the FortiGate GUI to reflect the new mode's layout.
Once in NGFW policy-based mode, navigate to Policy & Objects -> Security Policy, then select Create New. In the policy creation page, the options for Application and URL category will be present.

Important: take note of the following notable behaviors/limitations for these filtering options:
- Adding Application- and/or URL category-based filtering to Security Policies implicitly enables the functionality within the IPS Engine PME (i.e., adding Application filtering implicitly enables Application Control, adding URL categories enables Web Filter lookups to FortiGuard). Keep this in mind from a licensing/feature-usage standpoint, particularly for Web Filtering since it requires an active license to make category rating requests to FortiGuard.
- Certain Applications will not be available for usage in Security Policies due to a limitation called ngfw-max-scan-range. In these cases, an error message stating 'Application XXXXX is incompatible with NGFW Policy mode due to large scan-range detection requirements' will be produced for .
- When combining URL categories with Application filtering, the list of allowed Applications becomes limited to those that support HTTP (TCP/80) and HTTPS (TCP/443) web traffic. The GUI will warn of 'Invalid entries' when URL categories are added to Security Policies that have non-web Application signatures, and it will also prevent administrators from selecting those signatures for new policies (e.g., disallowed Applications will be hidden):

- When using Application and URL category filtering, the order of Security Policies can have an impact on how exactly the FortiGate will handle the traffic and log it. This occurs because the PME is dynamically scanning traffic to match Security Policies and can therefore be impacted by scan times and Security Policy priority order. Some examples of this are documented in the following KB articles:
- URL Category groups are supported in Security Policies as of FortiOS 7.2.0 and later (see also: Allow web filter category groups to be selected in NGFW policies).
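As an added illustration (not configuration from the original article), the Teams/Zoom and URL-category cases above expressed as FortiOS CLI configuration for policy-based mode. The interface names and the Application and URL-category IDs in angle brackets are placeholders that must be replaced with values from the FortiGate's own signature and category lists; the separate `config firewall policy` entry (the SSL Inspection & Authentication policy of policy-based mode) is assumed to supply the SSL inspection that category rating of HTTPS traffic relies on.

```text
config system settings
    set ngfw-mode policy-based
end
# SSL Inspection & Authentication policy: decides how HTTPS is
# inspected so that FortiGuard URL categories can be rated.
config firewall policy
    edit 1
        set name "Inspect-LAN-to-WAN"
        set srcintf "<lan-interface>"
        set dstintf "<wan-interface>"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
        set action accept
        set ssl-ssh-profile "certificate-inspection"
    next
end
# Security Policies are evaluated top-down: the Application-based policy
# sits above the broader category-based one; unmatched traffic is denied.
config firewall security-policy
    edit 1
        set name "Allow-Teams-Zoom"
        set srcintf "<lan-interface>"
        set dstintf "<wan-interface>"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
        set action accept
        set application <Microsoft.Teams-ID> <Zoom-ID>
        set logtraffic all
    next
    edit 2
        set name "Allow-Business-Web"
        set srcintf "<lan-interface>"
        set dstintf "<wan-interface>"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTP" "HTTPS"
        set schedule "always"
        set action accept
        set url-category <category-ID>
        set ips-sensor "default"
        set av-profile "default"
        set logtraffic all
    next
end
```

Policy 2 is restricted to HTTP/HTTPS because, as noted above, combining URL categories with Application filtering only makes sense for web traffic; follow-up IPS and Antivirus inspection is attached to the matched policy.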
Related documents:
Technical Tip: Profile-based policies vs Policy-based policies
FortiGate Admin Guide - NGFW policy
To capture the PME debug output to verify the reason for the block: diagnose ips pme debug
Troubleshooting Tip: IPS engine new debug commands