Fortinet Document Library

Version:


Table of Contents

New Features

6.2.1
Download PDF
Copy Link

NGFW policy mode

NGFW policy-based mode allows applications and URL categories to be used directly in security policies, without requiring web filter or application control profiles.

In policy-based mode:

  • Central NAT is always enabled.
  • Pre-match rules are defined separately from security policies, and define broader rules, such as SSL inspection and user authentication.

Security policies work with firewall (or consolidated) policies to inspect traffic. To allow traffic from a specific user or user group, both firewall and security policies must be configured. Traffic will match the firewall policy first. If the traffic is allowed, packets are sent to the IPS engine for application, URL category, user, and user group match, and then, if enabled, UTM inspection (antivirus, IPS, DLP, and email filter) is performed.

Firewall policies are used to pre-match traffic before sending the packets to the IPS engine.

  • There is no schedule or action options; traffic matching the policy is always redirected to the IPS engine.
  • SSL Inspection, formerly configured in the VDOM settings, is configured in a firewall policy.
  • Users and user groups that require authentication must be configured in a firewall policy.

Security policies work with firewall policies to inspect traffic.

  • Applications and URL categories can be configured directly in the policy.
  • Users and user groups that require authentication must also be configured in a security policy.
  • The available actions are Accept or Deny.
  • The Service option can be used to enforce the standard port for the selected applications. See NGFW policy mode application default service for details.
  • UTM inspection is configured in a security policy.

To configure policies for Facebook and Gmail access is the CLI:
  1. Configure a firewall policy:
    config firewall consolidated policy
        edit 1
            set name "Policy-1"
            set uuid b740d418-8ed3-51e9-5a7b-114e99ab6370
            set srcintf "port18"
            set dstintf "port17"
            set srcaddr4 "all"
            set dstaddr4 "all"
            set service "ALL"
            set ssl-ssh-profile "new-deep-inspection"
            set groups "Dev" "HR" "QA" "SYS"
        next
    end
  2. Configure security policies:
    config firewall security-policy
        edit 2
            set uuid 364594a2-8ef1-51e9-86f9-32db9c2634b6
            set name "allow-QA-Facebook"
            set srcintf "port18"
            set dstintf "port17"
            set srcaddr4 "all"
            set dstaddr4 "all"
            set action accept
            set schedule "always"
            set application 15832
            set groups "Dev" "QA"
        next
        edit 4
            set uuid a2035210-8ef1-51e9-8b28-5a87b2cabcfa
            set name "allow-QA-Email"
            set srcintf "port18"
            set dstintf "port17"
            set srcaddr4 "all"
            set dstaddr4 "all"
            set action accept
            set schedule "always"
            set url-category 23
            set groups "QA"
        next
    end

Logs

In the application control and web filter logs, securityid maps to the security policy ID.

Application control log:

date=2019-06-17 time=16:35:47 logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="vd1" eventtime=1560814547702405829 tz="-0700" appid=15832 user="Jack" group="QA" srcip=10.1.100.102 dstip=157.240.3.29 srcport=56572 dstport=443 srcintf="port18" srcintfrole="undefined" dstintf="port17" dstintfrole="undefined" proto=6 service="P2P" direction="incoming" policyid=1 sessionid=42445 appcat="Social.Media" app="Facebook" action="pass" hostname="external-sea1-1.xx.fbcdn.net" incidentserialno=1419629662 url="/" securityid=2 msg="Social.Media: Facebook," apprisk="medium" scertcname="*.facebook.com" scertissuer="DigiCert SHA2 High Assurance Server CA"

Web filter log:

date=2019-06-17 time=16:42:41 logid="0317013312" type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="vd1" eventtime=1560814961418114836 tz="-0700" policyid=4 sessionid=43201 user="Jack" group="QA" srcip=10.1.100.102 srcport=56668 srcintf="port18" srcintfrole="undefined" dstip=172.217.3.165 dstport=443 dstintf="port17" dstintfrole="undefined" proto=6 service="HTTPS" hostname="mail.google.com" action="passthrough" reqtype="direct" url="/" sentbyte=709 rcvdbyte=0 direction="outgoing" msg="URL belongs to an allowed category in policy" method="domain" cat=23 catdesc="Web-based Email" securityid=4

Traffic logs:

date=2019-06-17 time=16:35:53 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vd1" eventtime=1560814553778525154 tz="-0700" srcip=10.1.100.102 srcport=56572 srcintf="port18" srcintfrole="undefined" dstip=157.240.3.29 dstport=443 dstintf="port17" dstintfrole="undefined" poluuid="b740d418-8ed3-51e9-5a7b-114e99ab6370" sessionid=42445 proto=6 action="server-rst" user="Jack" group="QA" policyid=1 policytype="consolidated" centralnatid=1 service="HTTPS" dstcountry="United States" srccountry="Reserved" trandisp="snat" transip=172.16.200.2 transport=56572 duration=6 sentbyte=276 rcvdbyte=745 sentpkt=5 rcvdpkt=11 appid=15832 app="Facebook" appcat="Social.Media" apprisk="medium" utmaction="allow" countapp=1 utmref=65531-294

2: date=2019-06-17 time=16:47:45 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vd1" eventtime=1560815265058557636 tz="-0700" srcip=10.1.100.102 srcport=56668 srcintf="port18" srcintfrole="undefined" dstip=172.217.3.165 dstport=443 dstintf="port17" dstintfrole="undefined" poluuid="b740d418-8ed3-51e9-5a7b-114e99ab6370" sessionid=43201 proto=6 action="timeout" user="Jack" group="QA" policyid=1 policytype="consolidated" centralnatid=1 service="HTTPS" dstcountry="United States" srccountry="Reserved" trandisp="snat" transip=172.16.200.2 transport=56668 duration=303 sentbyte=406 rcvdbyte=384 sentpkt=4 rcvdpkt=4 appcat="unscanned" utmaction="allow" countweb=1 utmref=65531-3486

NGFW policy mode

NGFW policy-based mode allows applications and URL categories to be used directly in security policies, without requiring web filter or application control profiles.

In policy-based mode:

  • Central NAT is always enabled.
  • Pre-match rules are defined separately from security policies, and define broader rules, such as SSL inspection and user authentication.

Security policies work with firewall (or consolidated) policies to inspect traffic. To allow traffic from a specific user or user group, both firewall and security policies must be configured. Traffic will match the firewall policy first. If the traffic is allowed, packets are sent to the IPS engine for application, URL category, user, and user group match, and then, if enabled, UTM inspection (antivirus, IPS, DLP, and email filter) is performed.

Firewall policies are used to pre-match traffic before sending the packets to the IPS engine.

  • There is no schedule or action options; traffic matching the policy is always redirected to the IPS engine.
  • SSL Inspection, formerly configured in the VDOM settings, is configured in a firewall policy.
  • Users and user groups that require authentication must be configured in a firewall policy.

Security policies work with firewall policies to inspect traffic.

  • Applications and URL categories can be configured directly in the policy.
  • Users and user groups that require authentication must also be configured in a security policy.
  • The available actions are Accept or Deny.
  • The Service option can be used to enforce the standard port for the selected applications. See NGFW policy mode application default service for details.
  • UTM inspection is configured in a security policy.

To configure policies for Facebook and Gmail access is the CLI:
  1. Configure a firewall policy:
    config firewall consolidated policy
        edit 1
            set name "Policy-1"
            set uuid b740d418-8ed3-51e9-5a7b-114e99ab6370
            set srcintf "port18"
            set dstintf "port17"
            set srcaddr4 "all"
            set dstaddr4 "all"
            set service "ALL"
            set ssl-ssh-profile "new-deep-inspection"
            set groups "Dev" "HR" "QA" "SYS"
        next
    end
  2. Configure security policies:
    config firewall security-policy
        edit 2
            set uuid 364594a2-8ef1-51e9-86f9-32db9c2634b6
            set name "allow-QA-Facebook"
            set srcintf "port18"
            set dstintf "port17"
            set srcaddr4 "all"
            set dstaddr4 "all"
            set action accept
            set schedule "always"
            set application 15832
            set groups "Dev" "QA"
        next
        edit 4
            set uuid a2035210-8ef1-51e9-8b28-5a87b2cabcfa
            set name "allow-QA-Email"
            set srcintf "port18"
            set dstintf "port17"
            set srcaddr4 "all"
            set dstaddr4 "all"
            set action accept
            set schedule "always"
            set url-category 23
            set groups "QA"
        next
    end

Logs

In the application control and web filter logs, securityid maps to the security policy ID.

Application control log:

date=2019-06-17 time=16:35:47 logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="vd1" eventtime=1560814547702405829 tz="-0700" appid=15832 user="Jack" group="QA" srcip=10.1.100.102 dstip=157.240.3.29 srcport=56572 dstport=443 srcintf="port18" srcintfrole="undefined" dstintf="port17" dstintfrole="undefined" proto=6 service="P2P" direction="incoming" policyid=1 sessionid=42445 appcat="Social.Media" app="Facebook" action="pass" hostname="external-sea1-1.xx.fbcdn.net" incidentserialno=1419629662 url="/" securityid=2 msg="Social.Media: Facebook," apprisk="medium" scertcname="*.facebook.com" scertissuer="DigiCert SHA2 High Assurance Server CA"

Web filter log:

date=2019-06-17 time=16:42:41 logid="0317013312" type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="vd1" eventtime=1560814961418114836 tz="-0700" policyid=4 sessionid=43201 user="Jack" group="QA" srcip=10.1.100.102 srcport=56668 srcintf="port18" srcintfrole="undefined" dstip=172.217.3.165 dstport=443 dstintf="port17" dstintfrole="undefined" proto=6 service="HTTPS" hostname="mail.google.com" action="passthrough" reqtype="direct" url="/" sentbyte=709 rcvdbyte=0 direction="outgoing" msg="URL belongs to an allowed category in policy" method="domain" cat=23 catdesc="Web-based Email" securityid=4

Traffic logs:

date=2019-06-17 time=16:35:53 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vd1" eventtime=1560814553778525154 tz="-0700" srcip=10.1.100.102 srcport=56572 srcintf="port18" srcintfrole="undefined" dstip=157.240.3.29 dstport=443 dstintf="port17" dstintfrole="undefined" poluuid="b740d418-8ed3-51e9-5a7b-114e99ab6370" sessionid=42445 proto=6 action="server-rst" user="Jack" group="QA" policyid=1 policytype="consolidated" centralnatid=1 service="HTTPS" dstcountry="United States" srccountry="Reserved" trandisp="snat" transip=172.16.200.2 transport=56572 duration=6 sentbyte=276 rcvdbyte=745 sentpkt=5 rcvdpkt=11 appid=15832 app="Facebook" appcat="Social.Media" apprisk="medium" utmaction="allow" countapp=1 utmref=65531-294

2: date=2019-06-17 time=16:47:45 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vd1" eventtime=1560815265058557636 tz="-0700" srcip=10.1.100.102 srcport=56668 srcintf="port18" srcintfrole="undefined" dstip=172.217.3.165 dstport=443 dstintf="port17" dstintfrole="undefined" poluuid="b740d418-8ed3-51e9-5a7b-114e99ab6370" sessionid=43201 proto=6 action="timeout" user="Jack" group="QA" policyid=1 policytype="consolidated" centralnatid=1 service="HTTPS" dstcountry="United States" srccountry="Reserved" trandisp="snat" transip=172.16.200.2 transport=56668 duration=303 sentbyte=406 rcvdbyte=384 sentpkt=4 rcvdpkt=4 appcat="unscanned" utmaction="allow" countweb=1 utmref=65531-3486