NGFW policy mode
You can operate your FortiGate or individual VDOMs in Next Generation Firewall (NGFW) Policy Mode.
You can enable NGFW policy mode by going to System > Settings, setting the Inspection mode to Flow-based and setting the NGFW mode to Policy-based. When you select NGFW policy-based mode, you also select the SSL/SSH Inspection mode that is applied to all policies.
Flow-based inspection with profile-based NGFW mode is the default.
Or use the following CLI commands:
config system settings
    set inspection-mode flow
    set ngfw-mode {profile-based | policy-based}
end
NGFW policy mode and NAT
If your FortiGate is operating in NAT mode, rather than enabling source NAT in individual NGFW policies you go to Policy & Objects > Central SNAT and add source NAT policies that apply to all matching traffic. In many cases you may only need one SNAT policy for each interface pair. For example, if you allow users on the internal network (connected to port1) to browse the Internet (connected to port2) you can add a port1 to port2 Central SNAT policy similar to the following:
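The CLI equivalent of such a port1 to port2 Central SNAT policy, added here as an illustration rather than taken from the page's own figure. The entry ID, the interface roles (port1 internal, port2 Internet) and the use of the "all" address object for the original and destination ranges are assumptions; in practice narrow orig-addr to the internal subnet object so that only the intended sources are translated.

```fortios
config firewall central-snat-map
    edit 1
        # Internal clients arriving on port1 and leaving via port2 (assumed roles)
        set srcintf "port1"
        set dstintf "port2"
        # Match all original source and destination addresses (assumption;
        # restrict orig-addr to the internal subnet object in a real deployment)
        set orig-addr "all"
        set dst-addr "all"
        # Translate the source to the port2 interface address; with no IP pool
        # specified the outgoing interface IP is used
        set nat enable
    next
end
```

Because Central SNAT entries are evaluated independently of the security policies, one entry per interface pair is usually enough; the NGFW security policies then only decide what is allowed, not how it is translated.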
Application control in NGFW policy mode
You configure Application Control simply by adding individual applications to security policies. You can set the action to accept or deny to allow or block the applications.
Web filtering in NGFW mode
You configure Web Filter by adding URL categories to security policies. You can set the action to accept or deny to allow or block traffic to those URL categories.
Other NGFW policy mode options
You can combine both application control and web filtering in the same NGFW policy mode policy. If the policy accepts applications or URL categories, you can also apply Antivirus, DNS Filtering, and IPS profiles to it, as well as logging and policy learning mode.
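An added CLI example, not from the page or from Fortinet documentation, showing the combination described above: a deny policy that blocks one URL category and an accept policy that allows selected applications and categories with Antivirus, DNS Filter and IPS profiles and logging applied. The policy names and IDs are assumptions, the numeric application and URL category values are placeholders (0) that must be replaced with real IDs from the FortiGuard application and category lists, the "default" profile names are the ones a FortiGate ships with, and the learning-mode option is assumed to be available on the security policy in the running FortiOS version. SSL/SSH inspection is not set per policy because, in NGFW policy-based mode, it is selected once for the VDOM.

```fortios
config firewall security-policy
    # Policy 1: block one URL category outright (evaluated first)
    edit 1
        set name "block-category"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        # PLACEHOLDER: replace 0 with the numeric FortiGuard URL category ID to block
        set url-category 0
        set action deny
        # Log denied sessions so blocks are visible in the forward traffic log
        set logtraffic all
    next
    # Policy 2: allow listed applications and categories with full profile inspection
    edit 2
        set name "allow-web-apps"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        # PLACEHOLDER: replace 0 with the numeric application ID(s) to allow
        set application 0
        # PLACEHOLDER: replace 0 with the numeric URL category ID(s) to allow
        set url-category 0
        set action accept
        # Additional inspection applied only because the action is accept
        set av-profile "default"
        set dnsfilter-profile "default"
        set ips-sensor "default"
        # Log all sessions, not only security events
        set logtraffic all
        # Assumed option: learn the applications in use before tightening the list
        set learning-mode enable
    next
end
```

Because policies are matched top down, keep the deny entry above the accept entry; anything that matches neither falls through to the implicit deny, so review the forward traffic log after enabling learning mode before narrowing the application list.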