We want to enable deep inspection for different SaaS applications for different users. This is really painful from a firewall perspective, because it does not provide the granularity that was possible in profile mode, where we could have different SSL inspection policies on a per-rule basis, which is clearly not possible in the policy-based NGFW mode.
Then you shouldn't use NGFW mode maybe?
The use case for NGFW mode would most likely be an enterprise that wants to deep inspect everything and only defines exemptions for what not to scan. That is how it is built, and this can be done. You can still use the exempt function in your deep inspection profile to choose what to scan and what not...
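The "inspect everything, exempt the rest" approach described above looks like this in the FortiOS CLI. This is an added illustration, not configuration posted by either participant: the profile name `deep-inspection` is the FortiGate default profile, the address object `internal-banking-portal` is a constructed placeholder, and the FortiGuard category number is an assumption that should be checked against the category list of the running firmware.

```fortios
# Added example: exemptions inside a deep-inspection SSL/SSH profile.
# Lines starting with '#' are annotations for the reader, not CLI commands.
config firewall ssl-ssh-profile
    edit "deep-inspection"
        # Full (deep) inspection stays enabled for HTTPS on port 443;
        # only the entries in the exempt list below bypass it.
        config https
            set ports 443
            set status deep-inspection
        end
        config ssl-exempt
            # Entry 1: bypass inspection for a whole FortiGuard web category
            # (the category id is an assumption; verify it on your firmware).
            edit 1
                set type fortiguard-category
                set fortiguard-category 31
            next
            # Entry 2: bypass inspection for one destination address object
            # ("internal-banking-portal" is a constructed placeholder name).
            edit 2
                set type address
                set address "internal-banking-portal"
            next
        end
    next
end
```

The trade-off this makes visible is the one the thread is arguing about: the exempt list lives in the profile, so it applies everywhere that profile is used, and it can only describe destinations (categories, addresses, FQDNs), not users. Every exemption is a blind spot for the firewall, so each entry should be justified and reviewed, and the inspection logs should be checked to confirm that exempted traffic really is the traffic you intended to skip.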
Not sure why you mentioned there are only a few minor issues with 5.6 NGFW mode.
I did mention that there are minor issues with 5.6.3 (meaning standard policy mode!!)... Look in my earlier postings, where I clearly state that NGFW firewall mode in 5.6.3 is more like a tech preview and, in my opinion, not built for production right now...
This mode sets the device in flow mode and doesn't allow DLP to be set, either from the GUI or even from the CLI. DLP is not visible in the feature visibility section under System either.
URL filtering would work, but there are no logs for it; how useful do you think that is to use?
The application lookup goes all the way until the deny rule, even though the application is matched in another rule. This bug has been present since 5.6, all the way up to the new 6.0 release as well.
With these limitations and bugs, the policy-based NGFW mode is clearly not usable at all. Hence I mentioned it's a release that one should stay away from. If I am wrong, then please correct me.
I never said that one should use NGFW firewall mode. And I don't understand why you do use it... I am sure no one from Fortinet told you to do so, and an experienced system integrator would also try not to put this into production... You are using a tech-preview feature and therefore blaming the whole release for not being production ready, and here I totally disagree with you, because things work in the traditional mode (be it proxy or flow) as they should (with minor issues to be fixed...).