
Handbook

6.0.0

Making security profile groups visible

By default, Security Profile Groups are not visible in the GUI. Neither the ability to assign one to a policy nor the ability to configure the members of a group is available by default. You will not find the option to enable Security Profile Groups under System > Feature Visibility either. Instead, they only become visible in the GUI once one has been created and assigned to a policy. This must be done the first time through the CLI using the following syntax:

config system settings
    set gui-dynamic-profile-display enable
end

Step 1 - Create a security profile group:

Enter the command:

config firewall profile-group

Use the edit command to name and create a new Security Profile Group:

(profile-group) # edit test-group

Configure the members of the group by setting the name of the desired profile in the field for the related profile/sensor/list. The options are:

  • av-profile: Name of an existing Antivirus profile.
  • webfilter-profile: Name of an existing Web filter profile.
  • dnsfilter-profile: Name of an existing DNS filter profile.
  • spamfilter-profile: Name of an existing Spam filter profile.
  • dlp-sensor: Name of an existing DLP sensor.
  • ips-sensor: Name of an existing IPS sensor.
  • application-list: Name of an existing Application list.
  • voip-profile: Name of an existing VoIP profile.
  • icap-profile: Name of an existing ICAP profile.
  • waf-profile: Name of an existing Web application firewall profile.
  • profile-protocol-options: Name of an existing Protocol options profile.
  • ssl-ssh-profile: Name of an existing SSL SSH profile.

Example:

config firewall profile-group
    edit test-group
        set av-profile default
        set profile-protocol-options default
    next
end

Always set the profile-protocol-options setting before attempting to save the profile group. If this is not set, you will get the error:

node_check_object fail! for profile-protocol-options
Attribute 'profile-protocol-options' MUST be set.
Command fail. Return code -56

Step 2 - Add a security profile group to a policy

Now that there is a group to add to a policy, we can configure a policy to use a Security Profile Group. This is also done in the CLI.

In the following example, only the commands necessary to enable and select a Security Profile Group are listed.

config firewall policy
    edit 0
        set utm-status enable
        set profile-type group
        set profile-group test-group
end

Step 3 - The appearance in the GUI of the security profile group configuration features
  • Under Security Profiles there is a menu item called Profile Groups that can be used to create new profile groups and edit existing ones.
  • In the Edit Policy window for IPv4 and IPv6 policies there is a Use Security Profile Group field to enable or disable the use of the groups.
    • In the window, profile groups can be created or edited by clicking on the appropriate icons next to or in the drop-down menu.
  • In the policy listing window there is a Security Profiles column.
    • Right-clicking or left-clicking on the icon for the group brings up editing options via a slide-out window or a drop-down menu, respectively.
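
A CLI script can be checked against the two constraints from Steps 1 and 2 before it is pasted into the device: every profile group must set profile-protocol-options, and every policy with profile-type group must name a group that exists. The following is an added example, not Fortinet code; the function names and the sample configuration are constructed for illustration, and it assumes a flat, single-VDOM script that defines the groups it references.

```python
SAMPLE = """\
config firewall profile-group
    edit "test-group"
        set av-profile "default"
        set profile-protocol-options "default"
    next
    edit "no-proto"
        set ips-sensor "default"
    next
end
config firewall policy
    edit 1
        set profile-type group
        set profile-group "test-group"
    next
    edit 2
        set profile-type group
        set profile-group "missing-group"
    next
end
"""  # constructed sample in FortiOS CLI syntax, not taken from a real device

def parse_tables(text):  # returns {config path: {entry name: {option: value}}}
    tables, path, entry, depth = {}, None, "", 0
    for line in map(str.strip, text.splitlines()):
        word, _, rest = line.partition(" ")
        if word == "config":
            depth += 1          # nested config blocks are tracked but not parsed
            if depth == 1:
                path, entry = rest, ""
        elif word == "end":
            depth -= 1
        elif depth == 1 and word == "edit":
            entry = rest.strip('"')
            tables.setdefault(path, {}).setdefault(entry, {})
        elif depth == 1 and word == "set":
            key, _, value = rest.partition(" ")
            tables.setdefault(path, {}).setdefault(entry, {})[key] = value.strip('"')
    return tables

def audit(text):
    """Flag groups lacking profile-protocol-options and policies naming undefined groups."""
    tables = parse_tables(text)
    groups = tables.get("firewall profile-group", {})
    findings = [f"group {g}: profile-protocol-options not set"
                for g, opts in groups.items() if "profile-protocol-options" not in opts]
    for pid, opts in tables.get("firewall policy", {}).items():
        ref = opts.get("profile-group")
        if opts.get("profile-type") == "group" and ref not in groups:
            findings.append(f"policy {pid}: profile-group {ref} is not defined")
    return findings
print("\n".join(audit(SAMPLE)))
```

A group flagged here is one the device would reject with the "Return code -56" error shown in Step 1.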
