FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
pjang
Staff & Editor
Article Id 414300
Description


This article provides lists of KB articles, documentation, and other resources related to Next-Generation Firewall (NGFW) policy-based mode on the FortiGate. It has been organized into several categories, including:

  • Documentation & Basic Guidance
  • Troubleshooting NGFW Policy-based Mode
  • Known Behaviors
  • Feature Differences with NGFW Policy-based vs. Profile-based Mode


Scope


FortiGate; NGFW policy-based mode


Solution


The FortiGate supports two NGFW operational modes that can be set on a per-VDOM basis (or globally, for FortiGates not using multiple VDOMs). The main difference between them is how the FortiGate evaluates traffic to match it against firewall policies.


The default mode is NGFW profile-based mode, which has the following key characteristics regarding policy assessment:

  • Administrators authorize/manage traffic flows using Firewall Policies.
  • Firewall Policies are matched based on network session tuples (Source/Destination IP, ports, and protocol).
  • Security inspection is handled by creating inspection profiles and assigning them to Firewall Policies. Notably, security inspection only occurs after a Firewall Policy is matched, and traffic matching a Firewall Policy with no assigned inspection profile does not undergo any inspection.
  • Central SNAT may optionally be enabled; otherwise, NAT is handled on a per-Firewall Policy basis.


The alternative mode (which this KB article focuses on) is NGFW policy-based mode. This mode has some notable differences compared to the profile-based mode:

  • Traffic flow assessment is separated from a single stage (Firewall Policies) into two stages:
    • SSL Inspection & Authentication Policies are largely similar to Firewall Policies (including offering policy-specific options such as TCP MSS adjustments and disabling auto-asic-offload), but a key difference is that the only inspection profile that can be set here is the SSL inspection profile (certificate-inspection, deep-inspection, etc.).
    • Security Policies handle all other security inspection profiles (Antivirus, Web Filter, etc.). A notable advantage of Security Policies is that they can match traffic based on the detected Application and/or URL category, in addition to the network session tuple. Security Policy assessment is handled by the Policy Match Engine, a sub-component of the IPS Engine that is only present when using NGFW policy-based mode.
      • Note that Application Control profiles no longer exist and Web Filter profiles no longer handle category-based filtering (since their functionality is handled directly in Security Policies).
  • All traffic is inspected in a flow-only manner by the IPS Engine; there are no proxy-based features available in this mode.
  • Central SNAT is always enabled in this mode (no option to disable).


The key advantage of NGFW policy-based mode is that flow-based IPS Engine inspection is integrated into the policy assessment process (as opposed to occurring after a policy is matched). Since inspection begins at an earlier point in the process, administrators can define policies that handle specific Applications, or web traffic destined for particular URL categories, at a more granular level. For example, administrators might create policies that allow traffic specifically detected as belonging to Zoom or Microsoft.Teams, rather than needing to filter based on the IP ranges and FQDNs associated with those services.
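The two-stage structure described above, as an added example that is not from this KB article: a minimal FortiOS CLI configuration for a VDOM in NGFW policy-based mode, with one SSL Inspection & Authentication policy, the mandatory Central SNAT map, and one Security Policy that allows only traffic detected as Zoom or Microsoft Teams. The interface names (port1, port2), the profile names, and the <ZOOM_APP_ID>/<TEAMS_APP_ID> placeholders are assumptions; the exact keys available vary by FortiOS version.

```text
# Added example, not the KB's own config; interface/profile names and the app-ID placeholders are assumptions.
# 1. Switch the VDOM to NGFW policy-based mode; Central SNAT becomes mandatory.
config system settings
    set ngfw-mode policy-based
end
# 2. Stage one: SSL Inspection & Authentication policy. Only the session tuple
#    and the SSL inspection profile are evaluated here; no AV, Web Filter or IPS.
config firewall policy
    edit 1
        set name "LAN-to-WAN-ssl-inspect"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
        set action accept
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
    next
end
# 3. Central SNAT map: per-policy NAT does not exist in this mode.
config firewall central-snat-map
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set orig-addr "all"
        set dst-addr "all"
        set nat enable
    next
end
# 4. Stage two: Security Policy, evaluated by the Policy Match Engine on the
#    detected application as well as the tuple. <ZOOM_APP_ID> and <TEAMS_APP_ID>
#    are placeholders for the numeric application signature IDs on the unit.
config firewall security-policy
    edit 1
        set name "Allow-Zoom-Teams"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
        set action accept
        set application <ZOOM_APP_ID> <TEAMS_APP_ID>
        set av-profile "default"
        set logtraffic all
    next
end
```

Because the Security Policy matches on the detected application, sessions are let through by stage one and then held by the Policy Match Engine until enough of the flow has been seen to identify the application, which is the behavior the troubleshooting articles below describe.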


For more information on NGFW policy-based mode, including explanations of expected behaviors, as well as guidance for configuration and troubleshooting, refer to the following list of resources:


Documentation & Basic Guidance

  • FortiGate Admin Guide - NGFW Policy
    Admin Guide entry providing an overview of NGFW policy-based mode.
  • Technical Tip: Implement Basic policy for Policy Based NGFW Mode
    Describes how to implement a basic policy set for NGFW policy-based mode.
  • Technical Tip: How to block URL Category and Application in NGFW policy-based mode
    Describes how FortiGuard URL Category- and Application-based filtering works when operating in NGFW policy-based mode.
  • Technical Tip: Enabling Application Control and Web Filter logs in NGFW policy-based mode
    Describes how traffic logging works on the FortiGate when running in NGFW policy-based mode, including when and where Application and URL category rating information will be logged.
  • Technical Tip: Web filter profiles in NGFW policy mode
    Describes how to configure a Web Filter profile in NGFW policy-based mode, with a walkthrough for applying the Web Filter profile to a Security Policy.
  • Technical Tip: Category Filtering missing under Web Filter security profile when in NGFW policy-base...
    Describes the expected behavior that the FortiGuard Category-Based Filter option is missing from the Web Filter profile while the FortiGate is in NGFW policy-based mode.
  • Technical Tip: Supported security profiles in policy-based NGFW mode
    Discusses the security inspection profiles that are available in NGFW policy-based mode (compared to profile-based mode).
  • Technical Tip: Support for dynamic addresses to security-policy in NGFW Policy mode
    Discusses support for dynamic address objects (such as those that use external connectors) in NGFW Security Policies.
  • Technical Tip: Configuring NAT46/NAT64 with NGFW Policy-Mode enabled (FortiOS 7.0.1 and later)
    Discusses changes to how FortiOS 7.0 and later implement NAT46/NAT64 and offers guidance on how to configure it while in NGFW policy-based mode.
  • Technical Tip: How to configure port forwarding/Virtual IPs when using NGFW policy-based mode
    Discusses how to configure port forwarding/Virtual IPs for NGFW policy-based mode.
  • Technical Tip: How to configure FortiClient IPSec to FortiGate in NGFW Mode: policy-based.
    Describes how to configure dialup IPsec VPNs for FortiClient on an NGFW policy-based mode FortiGate.


Troubleshooting NGFW Policy-based Mode

  • Technical Tip: Basic command for investigating firewall policy based mode traffic
    Discusses basic commands for investigating traffic flows in NGFW policy-based mode.
  • Technical Tip: How to check NGFW policy matching
    Discusses how policy matching works in NGFW policy-based mode, as well as how to verify which policies are being matched for a given traffic flow.
  • Technical Tip: Troubleshooting port forwarding/Virtual IPs when using NGFW policy-based mode
    Discusses troubleshooting port forwarding/Virtual IPs for NGFW policy-based mode.
  • Troubleshooting Tip: VIP troubleshooting in Policy-Based Mode (NGFW)
    Provides a step-by-step guide on how to verify and troubleshoot a VIP in NGFW policy-based mode.
  • Technical Tip: SSL VPN user authentication issue when firewall is in NGFW policy-based mode
    Discusses common issues with SSL VPN connection and authentication when the FortiGate is in NGFW policy-based mode.


Known Behaviors

  • Technical Tip: NGFW policy-mode may intermittently issue TCP RST for blocked connection rather than ...
    Discusses how the order of Security Policies (especially when mixing Application- and URL Category-based matching) can result in web traffic being denied with a TCP RST rather than the expected block page.
  • Troubleshooting Tip: Incompatibilities with NGFW Policy mode due to large scan-range detection requ...
    Discusses an expected behavior where certain Application signatures cannot be used in Security Policies because they exceed the non-configurable scan-range setting ('Application XXXXX is incompatible with NGFW Policy mode due to large scan-range detection requirements').
  • Troubleshooting Tip: NGFW Security Policies can generate Web Rating error logs if Application polic...
    Discusses a known behavior where the FortiGate (in a certain Security Policy scenario) may generate logs indicating that traffic is blocked by Web Filtering when it is in fact allowed through.


Feature Differences with NGFW Policy-based vs. Profile-based Mode

  • Technical Tip: Profile-based policies vs Policy-based policies
    Describes common behaviors and sets better expectations when choosing between profile-based and policy-based operation (especially when planning conversions or new deployments).
  • Technical Tip: Unable to use http-redirect option under virtual server configuration when NGFW poli...
    Discusses the http-redirect option and how it is not available when using NGFW policy-based mode.