FortiGate
Atul_S
Staff
Article Id 211837
Description This article describes the method to create and implement a security profile group inside the policy.
Scope FortiGate.
Solution

Whether the firewall is operating in profile-based NGFW mode (the traditional approach: define the individual UTM profiles and apply them directly to the policy, either a firewall IPv4 policy or a proxy policy) or in policy-based NGFW mode (which gives more granular control, with central NAT, SSL inspection and authentication policies in addition to the normal security policy section), consolidating the profiles into a profile group is very handy: it gives the administrator more control and saves time.

These profile groups also assist in implementing specific network design and access methods depending upon the security posture of the company.

For example, in enterprise environments where segmentation into many Layer 3 devices/VDOMs is high and their traffic terminates on the perimeter firewall, in designs with granular SD-WAN traffic flows from multiple branches, or in a college/school environment where the number of students is high and security breaches are more likely, the security posture metric in terms of UTM profiles plays a major role.

As illustrated below:

[Screenshot: Atul_S_0-1652337128575.png]

The way to configure this is as below:

By default, the security profile group option is not visible in the GUI, and there is no switch to activate it under System > Feature Visibility.

The feature therefore has to be enabled from the CLI first.

Prior to FortiOS 6.4:

# config system settings
    set gui-dynamic-profile-display enable
end

FortiOS 6.4 and later:

# config system settings
    set gui-security-profile-group enable
end

Once the above step is done, the Security Profile Group option becomes visible in the GUI, as shown below.

This also makes it easier to build the individual UTM profiles according to a predefined threat matrix chart:

[Screenshot: Atul_S_1-1652337206136.png]


After this, simply enable the profile group under the desired security policy, as below:

[Screenshot: Atul_S_2-1652337237359.png]
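The same procedure carried out entirely in the FortiOS CLI, as an added example that is not part of the original article: enable the option on FortiOS 6.4 or later, build a profile group from the firewall's built-in default profiles, and reference the group from a policy instead of listing each profile individually. The group name "Corp-UTM", the policy ID 10, the policy name and the interface names port1/port2 are assumptions chosen for illustration; the firewall profile-group object and the profile-type/profile-group policy settings are the standard FortiOS CLI objects for this feature. Lines beginning with # here are explanatory comments, not the CLI prompt shown in the article.

```text
# Step 1: make the Security Profile Group option visible in the GUI (FortiOS 6.4 and later)
config system settings
    set gui-security-profile-group enable
end

# Step 2: create the profile group from the built-in default profiles
#         ("Corp-UTM" is an assumed, illustrative group name)
config firewall profile-group
    edit "Corp-UTM"
        set av-profile "default"
        set webfilter-profile "default"
        set ips-sensor "default"
        set application-list "default"
        set ssl-ssh-profile "certificate-inspection"
        set profile-protocol-options "default"
    next
end

# Step 3: reference the group from the firewall policy; profile-type must be
#         switched to group before profile-group is accepted
#         (policy ID 10, the policy name and port1/port2 are assumed values)
config firewall policy
    edit 10
        set name "LAN-to-Internet"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set profile-type group
        set profile-group "Corp-UTM"
        set logtraffic all
        set nat enable
    next
end
```

To confirm the result, `show firewall policy 10` should list `set profile-type group` and `set profile-group "Corp-UTM"` rather than the individual profile lines. On a unit with VDOMs enabled, both `config system settings` and the firewall objects are per-VDOM, so enter the relevant VDOM (`config vdom`, `edit <name>`) before running the commands.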