Support Forum
Raker
New Contributor

Policy based vs. Profile Based Questions
Hello Fortinet Community,
I'm delving into the configurations of Fortinet and am in need of your expertise. Here are some areas where I’m looking for guidance:

Preference for Policy-Based Mode: My preference leans towards the policy-based mode for the following reasons:

  • It aligns with the methodologies of other firewall manufacturers.
  • Application-Based Firewall implementation seems most straightforward in this mode.
  • It simplifies management by integrating individual NAT rulebooks.
I would love to hear your thoughts on this and any nuances in logging capabilities that might differ from other modes.

Log Management in Different Rule Sets: A crucial area I'm struggling with is understanding where exactly on the FortiGate I can view logs from different rule sets. How can I efficiently troubleshoot the rulebook if I can't easily correlate the logs with their respective rule sets? Any insights into navigating the log system for better rule set management would be immensely helpful.

Sequence of SSL Authentication vs. Security Rule Processing: I'm also trying to understand the sequence in which the SSL authentication and security rulebooks are processed. Is there a standard procedure in which one is prioritized over the other? Understanding this sequencing could significantly impact how I configure and troubleshoot my settings.

Thank you for your time and insights. Your advice and experiences will be invaluable in enhancing my understanding of these topics.
Best regards,

2 REPLIES
AEK
Honored Contributor II

Hello

I configured a few FG in policy mode and I found the following limitations.

  • Policy based mode supports fewer application signatures than profile based mode
  • In policy based mode you have only Central NAT, while in profile based you can use Central NAT or in-policy NAT
  • As far as I remember, WAF is not available in policy based mode (please double check)
AEK
srajeswaran
Staff

I always felt profile based is easy to manage. When the number of policies is high, using the profiles makes it easier to apply changes to groups of policies using the same profiles.

Regarding logs matching specific rules, right click on the policy name and use "show matching logs".


Regarding the SSL authentication part, do you mean the authentication on firewall policies and the UTM/IPS profiles processing order? Ideally the authentication check should happen first to confirm the policy match, and then the additional inspections take place.

Regards,

Suraj
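The GUI's "show matching logs" does the policy-to-log correlation on the box itself. When traffic logs are exported to syslog or FortiAnalyzer, the same correlation can be done offline on the `policyid` / `policyname` fields that FortiGate writes into each traffic record. The script below is an added example, not code from the original thread or from Fortinet: it parses the space-separated `key=value` log format (quoted values allowed), filters to `type="traffic"`, groups records by the matching policy, and can pull out every line that hit one policy ID. The sample log lines are constructed for the example; policy IDs, names and addresses are placeholders, and the assumption that `policyid=0` denotes the implicit deny policy is the author's.

```python
"""Correlate exported FortiGate traffic logs with the firewall policy that matched them.

Added example (not the forum's or Fortinet's code). Works on plain key=value
log lines as written to syslog; adjust the field names if your log profile differs.
"""
import re
from collections import defaultdict

# One key=value token: the value is either a double-quoted string (may contain
# spaces) or a bare run of non-whitespace characters.
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Constructed sample records (placeholder addresses and policy names).
SAMPLE_LOGS = [
    'date=2024-01-15 time=10:00:01 logid="0000000013" type="traffic" subtype="forward" '
    'level="notice" srcip=10.0.0.5 dstip=10.1.0.8 dstport=443 policyid=3 '
    'policyname="LAN_to_DMZ" action="accept"',
    'date=2024-01-15 time=10:00:02 logid="0000000013" type="traffic" subtype="forward" '
    'level="notice" srcip=10.0.0.9 dstip=10.1.0.8 dstport=22 policyid=3 '
    'policyname="LAN_to_DMZ" action="accept"',
    'date=2024-01-15 time=10:00:03 logid="0000000013" type="traffic" subtype="forward" '
    'level="notice" srcip=10.0.0.7 dstip=203.0.113.10 dstport=25 policyid=0 action="deny"',
    # A UTM record: carries policyid too, but is not a traffic record and is skipped below.
    'date=2024-01-15 time=10:00:04 logid="0000000020" type="utm" subtype="ips" '
    'level="warning" srcip=10.0.0.5 dstip=10.1.0.8 policyid=3 action="dropped"',
    'date=2024-01-15 time=10:00:05 logid="0000000013" type="traffic" subtype="forward" '
    'level="notice" srcip=10.0.0.5 dstip=10.1.0.8 dstport=443 policyid=7 '
    'policyname="LAN_to_DMZ_web" action="accept"',
]


def parse_fortigate_log(line):
    """Return a dict of fields from one key=value FortiGate log line."""
    fields = {}
    for m in _KV_RE.finditer(line):
        key = m.group(1)
        # group(3) is the unquoted content of a quoted value, group(4) a bare value
        fields[key] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def logs_for_policy(lines, policy_id):
    """Offline equivalent of 'show matching logs': traffic records for one policy ID."""
    wanted = str(policy_id)
    return [
        line for line in lines
        if (f := parse_fortigate_log(line)).get("type") == "traffic"
        and f.get("policyid") == wanted
    ]


def summarize_by_policy(lines):
    """Group traffic records by policy ID: hit count, action counts, policy name."""
    summary = defaultdict(lambda: {"name": None, "hits": 0, "actions": defaultdict(int)})
    for line in lines:
        f = parse_fortigate_log(line)
        if f.get("type") != "traffic":
            continue
        # Assumption: policyid=0 is the implicit deny policy, which has no policyname.
        pid = f.get("policyid", "0")
        entry = summary[pid]
        entry["hits"] += 1
        entry["actions"][f.get("action", "unknown")] += 1
        if f.get("policyname"):
            entry["name"] = f["policyname"]
    return {
        pid: {"name": e["name"], "hits": e["hits"], "actions": dict(e["actions"])}
        for pid, e in summary.items()
    }


if __name__ == "__main__":
    for pid, e in sorted(summarize_by_policy(SAMPLE_LOGS).items(), key=lambda kv: int(kv[0])):
        label = e["name"] or "(implicit deny)"
        print(f"policy {pid:>3} {label:<20} hits={e['hits']} actions={e['actions']}")
```

Running the script on the constructed sample prints one line per policy; policies that never appear in the summary but exist in the rulebook are the ones worth checking for shadowing or for never matching. Denies attributed to `policyid=0` show what the implicit deny is catching and are the usual starting point when a rule appears not to fire.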

