Handbook

Making security profile groups visible

6.0.0
By default, Security Profile Groups are not visible in the GUI: neither the option to assign one to a policy nor the option to configure the members of a group is available. You will not find an option to enable Security Profile Groups under System > Feature Visibility either. Instead, they become visible in the GUI only once one has been created and assigned to a policy. The first time, this must be done through the CLI using the following syntax:

    config system settings
        set gui-dynamic-profile-display enable
    end

Step 1 - Create a security profile group:

Enter the command:

config firewall profile-group

Use the edit command to name and create a new Security Profile Group:

(profile-group) # edit test-group

Configure the members of the group by setting the name of the desired profile in the field for the related profile/sensor/list. The options are:

  • av-profile: Name of an existing Antivirus profile.
  • webfilter-profile: Name of an existing Web filter profile.
  • dnsfilter-profile: Name of an existing DNS filter profile.
  • spamfilter-profile: Name of an existing Spam filter profile.
  • dlp-sensor: Name of an existing DLP sensor.
  • ips-sensor: Name of an existing IPS sensor.
  • application-list: Name of an existing Application list.
  • voip-profile: Name of an existing VoIP profile.
  • icap-profile: Name of an existing ICAP profile.
  • waf-profile: Name of an existing Web application firewall profile.
  • profile-protocol-options: Name of an existing Protocol options profile.
  • ssl-ssh-profile: Name of an existing SSL SSH profile.

Example:

    config firewall profile-group
        edit test-group
            set av-profile default
            set profile-protocol-options default
    end

Always set the profile-protocol-options setting before attempting to save the profile group. If this is not set, you will get the error:

    node_check_object fail! for profile-protocol-options
    Attribute 'profile-protocol-options' MUST be set.
    Command fail. Return code -56

Step 2 - Add a security profile group to a policy

Now that there is a group to add to a policy, we can configure a policy to use a Security Profile Group. This is also done in the CLI.

In the following example, only the commands necessary to enable the use of a Security Profile Group and to select one are listed.

    config firewall policy
        edit 0
            set utm-status enable
            set profile-type group
            set profile-group test-group
    end

Step 3 - The appearance in the GUI of the security profile group configuration features
  • Under Security Profiles there is a menu item called Profile Groups that can be used to create new and edit existing profile groups.
  • In the Edit Policy window for IPv4 and IPv6 policies there is a Use Security Profile Group field to enable or disable the use of the groups.
    • In the window, profile groups can be created or edited by clicking on the appropriate icons next to or in the drop-down menu.
  • In the policy listing window there is a Security Profiles column.
    • Right or left clicking on the icon for the group brings up editing options either via a slide out window or a drop down menu, respectively.
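
A pre-flight check for a draft CLI script covering Steps 1 and 2, as an added example that is not part of the Fortinet documentation: it flags a profile group saved without profile-protocol-options (the cause of the error quoted above) and a policy that uses profile-type group without utm-status enable or with a group the draft never defines. The draft text and the function names are constructed for illustration, and the parser assumes flat config/edit/set blocks in which every referenced group is defined in the same draft.

```python
import shlex

# Constructed draft CLI script in the page's syntax; names are illustrative.
DRAFT = """
config firewall profile-group
    edit test-group
        set av-profile default
    next
end
config firewall policy
    edit 0
        set profile-type group
        set profile-group other-group
    next
end
"""

def parse_tables(text):
    """Return {table: {entry: {setting: value}}} for flat config/edit/set blocks."""
    tables, table, entry = {}, None, None
    for line in text.splitlines():
        words = shlex.split(line)  # handles quoted names such as "my group"
        if not words:
            continue
        verb, args = words[0], words[1:]
        if verb == "config":
            table = tables.setdefault(" ".join(args), {})
        elif verb == "edit" and table is not None:
            entry = table.setdefault(args[0], {})
        elif verb == "set" and entry is not None:
            entry[args[0]] = " ".join(args[1:])
        elif verb == "end":  # "next" needs no action: the next edit replaces entry
            table = entry = None
    return tables

def lint(text):
    """List deviations from the page's Step 1 and Step 2."""
    tables = parse_tables(text)
    groups = tables.get("firewall profile-group", {})
    problems = [f"group {name}: profile-protocol-options not set"
                for name, g in groups.items() if "profile-protocol-options" not in g]
    for pid, pol in tables.get("firewall policy", {}).items():
        if pol.get("profile-type") == "group":
            if pol.get("utm-status") != "enable":
                problems.append(f"policy {pid}: utm-status not enabled")
            if pol.get("profile-group") not in groups:
                problems.append(f"policy {pid}: profile-group {pol.get('profile-group')} not defined")
    return problems
```

Calling lint(DRAFT) returns three findings for the constructed draft; a draft that follows the page's two examples returns an empty list.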