Security profile groups
You can create security profile groups, which allow you to group different security profile settings together. You can then configure the profile group as part of a policy.
This topic covers the following use cases:
- Security profile groups for VPN users
- Security profile groups for SWG users
- Security profile groups for agentless ZTNA users
Security profile groups for VPN users
For example, consider the RemoteHomeOffice-AllowFortinet example policy from Adding policies to perform granular firewall actions and inspection, which allows remote employees (members of the Remote-Home-Office VPN user group) to access *.fortinet.com. Consider that you also want to monitor these employees' access to Cloud/IT applications using Application Control With Inline-CASB, while disabling Application Control With Inline-CASB for all other employees. You can achieve this by creating a new security profile group with the desired Application Control With Inline-CASB settings, and configuring this profile group as part of the RemoteHomeOffice-AllowFortinet policy. Application Control With Inline-CASB remains disabled for policies that have another security profile group applied.
The following steps configure the described scenario.
To create a security profile group and configure it in a VPN policy:
- Go to Configuration > Security. By default, the Internet Access tab is selected in the top right corner.
  If you have configured secure private access, you can select between the Internet Access and Private Access tabs to choose which traffic the security profile group applies to.
  Currently, when a security profile group is configured for Private Access, it applies to private access traffic in both directions, that is, in both the To hubs and the From hubs directions.
- From the Profile Group dropdown list in the top right corner, click Create.
- In the Name field, enter the desired name. This example uses "Cloud IT" as the group name.
- In the Initial Configuration field, do one of the following:
  - Select Default to configure the new group with the same settings as the default security profile group.
  - Select Based On to configure the new group with the same settings as an existing non-default security profile group. From the dropdown list, select the desired group.
- Click OK.
- Enable Application Control With Inline-CASB so that it monitors employees' access to Cloud/IT applications. By default, once enabled, Application Control With Inline-CASB monitors access to Cloud/IT applications.
- Configure the profile group in a VPN policy:
  - Go to Configuration > Policies.
  - Select the RemoteHomeOffice-AllowFortinet policy.
  - In the Profile Group field, select Specify. From the dropdown list, select Cloud IT. The Profile Group field is only available for policies where the Action is configured as Accept.
  - Click OK.
Security profile groups for SWG users
For SWG users, the process for configuring a security profile group and policy is similar to the process for configuring these settings for VPN users.
The only difference is that the following steps are required if SSO authentication is used for SWG users:
- You must configure SSL inspection (see Configure SSL), ensuring that Deep Inspection is selected.
- You must download the CA certificate and install it on endpoints. See Installing a certificate for deep inspection mode.
Prerequisites and considerations
Prerequisites
For SWG SSO users, at least one SWG policy using SSO authentication must have deep inspection enabled in the configured security profile group, because SSO authentication requires deep inspection to work. The following restrictions apply:
- Any traffic from SWG SSO users that is destined for hosts or URL categories defined as deep inspection exemptions does not work.
- You must not configure SWG policies using SSO authentication with certificate inspection.
- If a SWG policy requires certificate inspection, you must not configure SSO authentication in that policy.
Considerations
SSO authentication is strongly recommended for SWG users.
Security profile groups for agentless ZTNA users
For agentless ZTNA users, the process for configuring a security profile group and policy is similar to the process for configuring these settings for SWG users, without the need to install a certificate for deep inspection.
For agentless ZTNA users, you must ensure that in Configuration > Security, you select the Private Access tab in the top right corner. Only Private Access security profile groups are selectable from within agentless ZTNA application policies.
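The rules spread across this topic (a profile group only takes effect on Accept policies, SWG policies using SSO need a group with deep inspection rather than certificate inspection, and agentless ZTNA policies can only use Private Access groups) are easy to violate when several administrators edit policies. The following added example, which is not FortiSASE code or its API, models a policy set as plain Python data and lints it against those rules; it also resolves which profile group, and therefore which Application Control With Inline-CASB setting, applies to a given user group and destination, reproducing the Remote-Home-Office scenario above. The classes, field names and the sample configuration are all constructed for this illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Optional

# Hypothetical data model for the illustration (not FortiSASE's own schema).
@dataclass(frozen=True)
class ProfileGroup:
    name: str
    scope: str                    # "internet_access" or "private_access"
    ssl_inspection: str           # "none", "certificate" or "deep"
    app_control_inline_casb: bool = False

@dataclass(frozen=True)
class Policy:
    name: str
    kind: str                     # "vpn", "swg" or "ztna"
    action: str                   # "accept" or "deny"
    user_groups: tuple
    destinations: tuple = ("*",)  # glob patterns matched against the destination host
    profile_group: Optional[str] = None   # None means the default profile group
    sso_auth: bool = False

DEFAULT_GROUP = "default"

def check_config(groups, policies):
    """Lint policies against the rules in this topic; returns (policy name, message) pairs."""
    by_name = {g.name: g for g in groups}
    findings = []
    for p in policies:
        if p.action != "accept" and p.profile_group is not None:
            findings.append((p.name, "a profile group is only applied when the action is Accept"))
            continue
        group = by_name.get(p.profile_group or DEFAULT_GROUP)
        if group is None:
            findings.append((p.name, f"unknown profile group {p.profile_group!r}"))
            continue
        if p.kind == "swg" and p.sso_auth and group.ssl_inspection != "deep":
            findings.append((p.name, "SWG SSO authentication requires deep inspection, group uses "
                             + group.ssl_inspection))
        if p.kind == "ztna" and group.scope != "private_access":
            findings.append((p.name, "agentless ZTNA policies can only use Private Access profile groups"))
    return findings

def effective_group(groups, policies, user_group, host, kind="vpn"):
    """The first Accept policy of this kind that matches the user group and host
    decides the profile group; unmatched traffic falls back to the default group.
    Real policy matching considers more criteria; this models only these two."""
    by_name = {g.name: g for g in groups}
    for p in policies:
        if (p.kind == kind and p.action == "accept" and user_group in p.user_groups
                and any(fnmatch(host, pattern) for pattern in p.destinations)):
            return by_name[p.profile_group or DEFAULT_GROUP]
    return by_name[DEFAULT_GROUP]

# Constructed sample configuration, mirroring the scenario in this topic.
GROUPS = (
    ProfileGroup(DEFAULT_GROUP, "internet_access", "certificate"),
    ProfileGroup("Cloud IT", "internet_access", "deep", app_control_inline_casb=True),
    ProfileGroup("Private Apps", "private_access", "deep"),
)
POLICIES = (
    Policy("RemoteHomeOffice-AllowFortinet", "vpn", "accept", ("Remote-Home-Office",),
           destinations=("*.fortinet.com",), profile_group="Cloud IT"),
    Policy("AllEmployees-Internet", "vpn", "accept", ("All-Employees", "Remote-Home-Office")),
    # Misconfigured: SSO on SWG, but the default group only does certificate inspection.
    Policy("SWG-SSO-Web", "swg", "accept", ("All-Employees",), sso_auth=True),
    # Misconfigured: an Internet Access group on an agentless ZTNA policy.
    Policy("ZTNA-Intranet", "ztna", "accept", ("All-Employees",), profile_group=DEFAULT_GROUP),
    # Misconfigured: a profile group on a Deny policy has no effect.
    Policy("Block-Contractors", "vpn", "deny", ("Contractors",), profile_group="Cloud IT"),
)

if __name__ == "__main__":
    for name, message in check_config(GROUPS, POLICIES):
        print(f"{name}: {message}")
    g = effective_group(GROUPS, POLICIES, "Remote-Home-Office", "www.fortinet.com")
    print(f"Remote-Home-Office -> www.fortinet.com uses {g.name!r}, "
          f"Inline-CASB monitoring={g.app_control_inline_casb}")
```

Running the script reports the three misconfigured policies and shows that only Remote-Home-Office traffic to *.fortinet.com picks up the Cloud IT group, while the same users' other traffic and all other employees stay on the default group with Application Control With Inline-CASB disabled.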