Description
This article describes the behavior of each NGFW mode and sets realistic expectations when choosing between profile-based and policy-based operation.
The NGFW mode is one of the first decisions to make when setting up a FortiGate. The behavior described here is what to expect when converting a unit from policy-based to profile-based operation, or the other way around.
The conversion should be planned in advance and not performed on a production unit, because switching the mode deletes the existing policies rather than converting them.
Scope
FortiGate.
Solution
Profile-based (traditional mode, the default).
Each firewall policy references its own set of security profiles (antivirus, web filter, application control, IPS, and so on). This gives the most flexibility in customization, since every policy can carry a different combination of profiles.
Note.
Security profile groups can also be used (in the screenshot above, policy ID 2 references the security profile group 'GRP' under Security Profiles).
A profile group must be created, enabled and assigned from the CLI; there is no option to do this from the GUI.
config firewall profile-group
    edit "test-group"
        set profile-protocol-options "default"
    end
Add the other members (av-profile, webfilter-profile, ips-sensor, application-list, ssl-ssh-profile, ...) to the group the same way. In a firewall policy, the group can be referenced only after utm-status is enabled:
config firewall policy
    edit 2
        set utm-status enable
        set profile-type group
        set profile-group "test-group"
    end
Related document:
Cookbook: Security Profile Groups
Policy-based (newer mode; applications and URL categories are selected directly in the policy; operates only in flow-based inspection mode).
Applications and URL categories are easier to apply, because there is no need to build and assign separate Application Control and Web Filter profiles for each policy. The trade-off is less customization, and neither the policy nor the VDOM can be switched to proxy-based inspection.
Because the approach is similar to other vendors' firewalls, policy-based mode is often preferred for a faster configuration migration from another device to FortiGate, but it can become harder to manage as the number of policies grows. Note that all traffic is inspected by the IPS engine even when no security profile or web filter is applied, so higher CPU utilization is expected. No proxy-based inspection mode is available.
Converting from the default (profile-based) mode to NGFW policy-based mode, important notes:
GUI warning: Changing to policy-based mode will remove all firewall IPv4 and IPv6 policies and Central SNAT will be enabled.
To avoid issues, create a new VDOM for the policy-based mode instead of converting a VDOM that already carries policies.
There is no conversion of existing policies. All of them are deleted.
Some of the results:
IPv4 policy - the IPv4 Policy page is no longer available and all existing IPv4 and IPv6 policies are deleted (in the CLI, entries under 'config firewall policy' now represent the SSL Inspection & Authentication policies).
Security policy - becomes the only way to apply security profiles. The inspection mode is flow; it cannot be changed to proxy-based per policy.
SSL Inspection & Authentication - SSL inspection is applied per source/destination interface and service, which is less granular than the per-policy SSL/SSH profile of profile-based mode.
Central SNAT - enabled and cannot be disabled. NAT is performed according to the Central SNAT policies, not per firewall policy.
For traffic to pass in policy-based mode, it must match both a Security Policy and a SSL Inspection & Authentication Policy. A basic SSL Inspection & Authentication Policy is created by default.
If the FortiGate is situated on a NAT boundary such as between a private network and public Internet, a Central SNAT policy is required for outbound traffic.
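The following worked example, added here and not taken from the original article, shows the minimum set of objects needed for LAN-to-Internet traffic after the switch to policy-based mode: the mode change itself, a Security Policy that selects applications and URL categories directly, and the Central SNAT entry that the default-created SSL Inspection & Authentication policy does not provide. The interface names port2 (LAN) and port1 (WAN), the policy names, and the application and URL category IDs are assumptions for illustration; the real category IDs on a given firmware are listed by typing the set command followed by '?' in the CLI.

```fortios
# Added example (not from the original article).
# Run this in a dedicated VDOM: the mode change deletes every firewall
# policy and security policy in the VDOM it is applied to.
# Assumptions: LAN on port2, WAN on port1; category IDs below are
# illustrative, verify them with 'set app-category ?' and 'set url-category ?'.
config system settings
    set ngfw-mode policy-based
end
# Answer 'y' to the prompt:
# Changing to policy-based mode will remove all firewall policy/security-policy
# in this VDOM. Do you want to continue? (y/n)

# 1. Security Policy: applications and URL categories are selected here
#    directly, without separate Application Control or Web Filter profiles.
#    Inspection is flow-based; there is no per-policy proxy option.
config firewall security-policy
    edit 1
        set name "LAN-web-out"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set app-category 2 6
        set url-category 37 52
        set logtraffic all
    next
end

# 2. SSL Inspection & Authentication: a default entry already exists after
#    the mode change and matches this traffic, so nothing is added here.
#    It is matched on interfaces and services only, not per security policy.

# 3. Central SNAT: mandatory in policy-based mode because 'set nat enable'
#    no longer exists on the policy. Without a matching entry, traffic from
#    the LAN is forwarded to the Internet with its private source address.
config firewall central-snat-map
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set orig-addr "all"
        set dst-addr "all"
        set nat enable
    next
end

# Verify the three pieces that a session must match.
show firewall security-policy
show firewall policy
show firewall central-snat-map
```

A session that hits the Security Policy but no Central SNAT entry is still accepted and logged as allowed, so a missing NAT rule shows up as outbound connections that never get a reply rather than as a policy deny; checking the translated source address in the session list (diagnose sys session list) is the quickest confirmation that the Central SNAT entry is being applied.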
Reverting from NGFW policy-based to profile-based, important notes:
GUI warning: Changing to profile-based mode will remove all firewall and security policies.
Depending on how the configuration was originally applied, Central SNAT may end up either enabled or disabled after switching from policy-based to profile-based mode. Existing Central SNAT policies are not deleted: they stay under 'config firewall central-snat-map' but are only used while central-nat is enabled. For predictable results, set central-nat explicitly right after changing the mode:
config system settings
    set ngfw-mode profile-based
Changing to profile-based mode will remove all firewall policy/security-policy in this VDOM
Do you want to continue? (y/n)y
    set central-nat { enable | disable }
end