Atul_S (Staff)
Article Id 211837
Description: This article describes how to create a security profile group and apply it in a firewall policy.
Scope: FortiGate and FortiProxy.
Solution

A FortiGate can operate in one of two NGFW modes. In Profile-based NGFW mode, the traditional approach, the different UTM profiles are created and defined first and then applied directly to the policy (either a firewall IPv4 policy or a proxy policy). In Policy-based NGFW mode, Central NAT, SSL inspection and authentication are handled in their own policy sections alongside the normal security policy section, which gives more granular control. In both modes, consolidating the profiles into a profile group is very handy: it gives the administrator more control and saves time.

These profile groups also help to implement a specific network design and access method, depending on the security posture of the company.

For example:

  • In enterprise-level business groups where the degree of segmentation in terms of Layer 3 devices/VDOMs is quite high, and their traffic terminates on the perimeter firewall
  • Where more granular handling of SD-WAN traffic flows from multiple branches is required
  • In a college/school environment where the number of students is high and they are more prone to security breaches

As illustrated below:

[Image: Atul_S_0-1652337128575.png]

By default, the security profile group option is not visible in the GUI; it must be enabled from the CLI.

Before v6.4:

config system settings
    set gui-dynamic-profile-display enable
end

v6.4 and later:

config system settings
    set gui-security-profile-group enable
end

Once the above step is done, the profile group option is visible in the policy as shown below.

[Image: Atul_S_1-1652337206136.png]

After this, simply enable the profile group under the desired firewall policy as shown below:

[Image: Atul_S_2-1652337237359.png]

The configuration of a security profile group can be checked from the GUI and from the CLI.

GUI:

[Image: profile group.png]

CLI:

FG # config firewall profile-group

FG (profile-group) # edit "TEST"

FG (TEST) # show
config firewall profile-group
    edit "TEST"
        set av-profile "default"
        set webfilter-profile "default"
        set ips-sensor "default"
        set application-list "default"
    next
end

Note:

From the CLI, the SSL/SSH Inspection profile and Protocol Options cannot be observed in the profile group while the default configuration of these profiles is in use, because the show command omits settings that are still at their default value. This can lead to confusion.

Once these profiles have been cloned or modified, they appear in the CLI output.

[Image: modified.png]

FG # config firewall profile-group

FG (profile-group) # edit "TEST"

FG (TEST) # show
config firewall profile-group
    edit "TEST"
        set profile-protocol-options "Clone of default" --->
        set ssl-ssh-profile "Clone of certificate-inspection" --->
        set av-profile "default"
        set webfilter-profile "default"
        set ips-sensor "default"
        set application-list "default"
    next
end
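As an added example (not part of the article or of FortiOS), a small Python checker that parses show output in the form above and reports two things an administrator would want to catch: profile groups whose SSL/SSH Inspection and Protocol Options entries are not displayed because the defaults are in use (the confusion described in the note), and firewall policies bound to a profile group name that does not exist. The CLONED group and the two policy entries in the sample are constructed for illustration; the policy binding is assumed to use "set profile-type group" and "set profile-group".

```python
# Constructed sample 'show' output (not from a live device), modelled on the article.
SAMPLE_CONFIG = """
config firewall profile-group
    edit "TEST"
        set av-profile "default"
        set ips-sensor "default"
    next
    edit "CLONED"
        set ssl-ssh-profile "Clone of certificate-inspection"
    next
end
config firewall policy
    edit 1
        set profile-type group
        set profile-group "TEST"
    next
    edit 2
        set profile-type group
        set profile-group "MISSING"
    next
end
"""

# Settings that 'show' leaves out while the default profile is in use.
SHOW_OMITS_WHEN_DEFAULT = ("ssl-ssh-profile", "profile-protocol-options")

def parse_sections(config: str) -> dict:
    """Parse config/edit/set/next/end text into {section: {entry: {key: value}}}."""
    sections, section, entry = {}, None, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("config "):
            sections.setdefault((section := line[7:]), {})
        elif line.startswith("edit ") and section:
            sections[section][(entry := line[5:].strip('"'))] = {}
        elif line.startswith("set ") and section and entry:
            key, _, value = line[4:].partition(" ")
            sections[section][entry][key] = value.strip('"')
        elif line in ("next", "end"):
            section, entry = (section if line == "next" else None), None
    return sections

def audit(config: str) -> list:
    """Flag groups relying on unseen defaults and policies bound to unknown groups."""
    cfg = parse_sections(config)
    groups = cfg.get("firewall profile-group", {})
    findings = [f"group {g}: {k} not shown, default profile in use"
                for g, s in groups.items() for k in SHOW_OMITS_WHEN_DEFAULT if k not in s]
    for pid, s in cfg.get("firewall policy", {}).items():
        if s.get("profile-type") == "group" and s.get("profile-group") not in groups:
            findings.append(f"policy {pid}: unknown profile group {s['profile-group']}")
    return findings
```

Running audit(SAMPLE_CONFIG) reports both omitted entries for TEST, only the Protocol Options entry for CLONED, and the dangling reference in policy 2.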