Making security profile groups visible
By default, Security Profile Groups are not visible in the GUI: neither the option to assign one to a policy nor the option to configure the members of a group is available. You will not find the option to enable Security Profile Groups under System > Feature Visibility either. Instead, they only become visible in the GUI once one has been created and assigned to a policy. This must be done the first time through the CLI using the following syntax:
config system settings
set gui-dynamic-profile-display enable
end
Step 1 - Create a security profile group:
Enter the command:
config firewall profile-group
Use the edit command to name and create a new Security Profile Group:
(profile-group) # edit test-group
Configure the members of the group by setting the name of the desired profile in the field for the related profile/sensor/list. The options are:

| Option | Description |
|---|---|
| av-profile | Name of an existing Antivirus profile. |
| webfilter-profile | Name of an existing Web filter profile. |
| dnsfilter-profile | Name of an existing DNS filter profile. |
| spamfilter-profile | Name of an existing Spam filter profile. |
| dlp-sensor | Name of an existing DLP sensor. |
| ips-sensor | Name of an existing IPS sensor. |
| application-list | Name of an existing Application list. |
| voip-profile | Name of an existing VoIP profile. |
| icap-profile | Name of an existing ICAP profile. |
| waf-profile | Name of an existing Web application firewall profile. |
| profile-protocol-options | Name of an existing Protocol options profile. |
| ssl-ssh-profile | Name of an existing SSL SSH profile. |

Example:
config firewall profile-group
edit test-group
set av-profile default
set profile-protocol-options default
next
end
Always set profile-protocol-options. If it is not set, the command fails with the following error:
node_check_object fail! for profile-protocol-options
Attribute 'profile-protocol-options' MUST be set.
Command fail. Return code -56
Step 2 - Add a security profile group to a policy
Now that there is a group to add to a policy, we can configure a policy to use a Security Profile Group. This is also done in the CLI.
In the following example, only the commands necessary to enable and select a Security Profile Group are listed.
config firewall policy
edit 0
set utm-status enable
set profile-type group
set profile-group test-group
end
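A pre-flight check for a change script like the ones in Steps 1 and 2, as an added example (not Fortinet code and not part of the original page): it flags policies that select a profile group which is undefined in the script or which lacks profile-protocol-options. It assumes flat config/edit/set blocks with every setting written out explicitly and balanced quotes; the function names and the sample text are constructed for illustration.

```python
import shlex
# Constructed sample in the style of this page's CLI examples (not from a real device).
SAMPLE = """
config firewall profile-group
edit test-group
set av-profile default
set profile-protocol-options default
next
edit web-only
set webfilter-profile default
next
end
config firewall policy
edit 1
set profile-type group
set profile-group test-group
next
edit 2
set profile-type group
set profile-group web-only
next
end
"""

def parse_tables(text):
    """Parse flat config/edit/set blocks into {table: {entry: {field: value}}}."""
    tables, table, entry = {}, None, None
    for line in text.splitlines():
        tok = shlex.split(line) or [""]
        if tok[0] == "config":
            table, entry = tables.setdefault(" ".join(tok[1:]), {}), None
        elif tok[0] == "edit" and len(tok) > 1 and table is not None:
            entry = table.setdefault(tok[1], {})
        elif tok[0] == "set" and len(tok) > 1 and entry is not None:
            entry[tok[1]] = " ".join(tok[2:])
    return tables

def audit(text):
    """Return (policy_id, finding) pairs for policies that select a profile group."""
    tables = parse_tables(text)
    groups, findings = tables.get("firewall profile-group", {}), []
    for pid, pol in tables.get("firewall policy", {}).items():
        name = pol.get("profile-group")
        if pol.get("profile-type") != "group":
            continue
        if name not in groups:
            findings.append((pid, f"undefined profile group {name!r}"))
        elif "profile-protocol-options" not in groups[name]:
            findings.append((pid, f"group {name!r} lacks profile-protocol-options"))
    return findings
```

Calling `audit(SAMPLE)` reports policy 2, whose group `web-only` would be rejected by the CLI with return code -56.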
Step 3 - The appearance in the GUI of the security profile group configuration features
- Under Security Profiles there is a menu item called Profile Groups that can be used to create new and edit existing profile groups.
- In the Edit Policy window for IPv4 and IPv6 policies there is a Use Security Profile Group field to enable or disable the use of the groups.
- In that window, profile groups can be created or edited by clicking on the appropriate icons next to or in the drop-down menu.
- In the policy listing window there is a Security Profiles column.
- Right or left clicking on the icon for the group brings up editing options either via a slide out window or a drop down menu, respectively.