Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

Profile Based vs Policy Based in 2024

Hi everyone,

I'm seeking some advice regarding the use of policy mode in FortiGate. Coming from a background of Cisco and Checkpoint environments, I'm quite familiar with their systems, but relatively new to FortiGate. I've come across several discussions suggesting that one should stay away from policy mode due to potential bugs. Can anyone share their experiences or insights about this? Is policy mode a viable option, or should it be avoided? Any advice or perspectives, especially from those who have transitioned from Cisco or Checkpoint, would be greatly appreciated!

Also, do you use central SNAT or no :)


router login 192.168.l.l

Hi Bart

I integrated many FortiGates in both profile based mode and policy based mode and both worked fine in critical production.

Below I can give you some comparison that may interest you.

  • In policy based mode you define Applications and Web Categories directly in the policy
  • Policy based mode supports fewer application signatures than profile based mode (I'd say it supports about 90 to 95% of the total)
  • In policy based mode you have only Central NAT, while in profile based you can use Central SNAT or in-policy NAT
  • As far as I remember the WAF is not available in policy based mode

That said, personally I prefer and recommend profile based mode.


Regarding Central SNAT, I generally enable it even in profile based mode, because I am more comfortable with central management & NAT rules.

Note that some NAT operations can be done with Central SNAT but are difficult or even probably not available in non-central mode (sorry I don't remember the operations). I also know that some other operations available in non-central mode are not possible in central SNAT (e.g.: NAT by service), but it was never an issue for me.

Top Kudoed Authors