Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Pany
New Contributor

Created on ‎09-24-2019 01:07 AM

Grouping for Policy and security profiles

We have many policy and security profile need to manage, please add grouping feature in both feature.

13086
0 Kudos
5 REPLIES 5
Toshi_Esumi
SuperUser
SuperUser

Created on ‎09-24-2019 09:20 AM

At least security profile grouping feature already exists under "config firewall profile-group".

10151
0 Kudos
Pany
New Contributor
In response to Toshi_Esumi

Created on ‎09-24-2019 07:18 PM

I can not found "config firewall profile-group" on my firewall, only can search some result online can enable on CLI, but after Enable, no any change on my firewall, please help.

Feature.JPG
Preview file
106 KB
10151
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to Pany

Created on ‎09-24-2019 07:31 PM

Follow this to enable it in GUI. Then "Profile Groups" sub-menu shows up under "Security Profiles" menu.

https://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-firewall/Concepts%20-%20Firewall/Mak...

Be aware that "config sys settings" is per vdom config, in case your in multi-vdom environment.

10151
0 Kudos
ede_pfau
SuperUser
SuperUser
In response to Toshi_Esumi

Created on ‎09-25-2019 10:37 AM

Depending on the version of FortiOS, sometimes you need to put in the group commands in CLI in one policy before it shows up in the GUI.

I've even had the case where I knew I had inserted the CLI commands and it never showed in the GUI.

Example:

config firewall profile-group
    edit "win_clients"
        set av-profile "scan"
        set dnsfilter-profile "default"
        set ips-sensor "anti-ransom"
        set application-list "block-botnet&P2P"
        set profile-protocol-options "custom-default"
        set ssl-ssh-profile "my_certificate-inspection"
    next
end
config firewall policy
    edit 3
        set srcintf "WLAN-Gast"
        set dstintf "wan1"
        set srcaddr "WLAN-Gast"
        set dstaddr "all"
        set action accept
        set schedule "workinghours"
        set service "Gast-Services"
        set utm-status enable
        set profile-type group
        set profile-group "win_clients"
        set nat enable
    next
end

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
10151
0 Kudos
KPS
New Contributor III

Created on ‎09-25-2019 02:42 PM

There are already "sequences" for policies, but I totally agree: groups, chains, etc. would help a lot for larger rule-sets.

10151
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.