Fortinet Document Library
Security profiles

Security profiles define what to inspect in the traffic that the FortiGate is passing. When traffic matches the profile, it is either allowed, blocked, or monitored (allowed and logged).

The protection that a profile provides, and the information that it monitors, can be configured to your requirements, but increased inspection uses more of the FortiGate's resources. Assess the traffic that your policies match, and then apply the necessary level of protection. You might consider implementing denial of service (DoS) security policies to detect and drop illegitimate traffic before it reaches the more resource-intensive security profiles (see Denial of service for more information).

Security profiles can use flow or proxy mode inspection. Apply flow mode inspection to policies that prioritize traffic throughput, and proxy mode when thoroughness is more important than performance. Under normal traffic conditions, the throughput difference between the two modes is insignificant. For resource optimization, using one mode uniformly across all of the policies is recommended.

Each security profile generates its own log type that contains some log fields that are not present in other logs. This can be important when reviewing or analyzing the logs to assess or troubleshoot user traffic. For example, if no web filtering is applied, then you will not have insight or control of users' browsing information.
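As an added example (not part of the Fortinet documentation), the parser below reads FortiGate-style key=value log lines and reports which fields appear in only one log type, which is the practical consequence of the paragraph above: without a given profile, those fields never reach your SIEM. The sample lines are constructed for illustration; device names, addresses and signature names are invented.

```python
"""Compare the fields carried by each FortiGate log type (traffic vs. UTM subtypes)."""
import re
from collections import defaultdict

# Constructed sample lines in FortiGate's key=value syslog layout. All values
# (device name, addresses, signature name) are invented for this example.
SAMPLE_LOGS = [
    'date=2024-01-10 time=10:01:02 devname="edge-fgt" type="traffic" subtype="forward" '
    'level="notice" srcip=10.0.0.5 srcport=51000 dstip=203.0.113.10 dstport=443 proto=6 '
    'action="accept" policyid=7 service="HTTPS" sentbyte=1200 rcvdbyte=8800 utmaction="block"',
    'date=2024-01-10 time=10:01:03 devname="edge-fgt" type="utm" subtype="webfilter" '
    'eventtype="ftgd_blk" level="warning" srcip=10.0.0.5 dstip=203.0.113.10 policyid=7 '
    'action="blocked" hostname="example.test" url="/login" catdesc="Malicious Websites" '
    'profile="default"',
    'date=2024-01-10 time=10:02:11 devname="edge-fgt" type="utm" subtype="virus" '
    'eventtype="infected" level="warning" srcip=10.0.0.8 dstip=198.51.100.7 policyid=7 '
    'action="blocked" filename="invoice.pdf" virus="EICAR_TEST_FILE" profile="default"',
    'date=2024-01-10 time=10:03:40 devname="edge-fgt" type="utm" subtype="ips" '
    'eventtype="signature" level="alert" srcip=192.0.2.44 dstip=10.0.0.20 policyid=3 '
    'action="dropped" attack="Placeholder.Signature.Name" severity="high" profile="default"',
]

# One key=value pair: the value is either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log(line):
    """Return one log line as a dict, stripping the quotes from quoted values."""
    rec = {}
    for key, raw in KV_RE.findall(line):
        rec[key] = raw[1:-1] if raw.startswith('"') else raw
    return rec


def fields_by_type(lines):
    """Map (type, subtype) -> set of field names observed in that log type."""
    fields = defaultdict(set)
    for rec in map(parse_log, lines):
        fields[(rec.get("type"), rec.get("subtype"))].update(rec)
    return fields


def unique_fields(lines):
    """Fields seen in exactly one log type: the visibility lost if that profile is not applied."""
    by_type = fields_by_type(lines)
    seen_in = defaultdict(int)
    for names in by_type.values():
        for name in names:
            seen_in[name] += 1
    return {t: sorted(n for n in names if seen_in[n] == 1) for t, names in by_type.items()}


if __name__ == "__main__":
    for log_type, names in unique_fields(SAMPLE_LOGS).items():
        print(log_type, names)
```

Common fields such as srcip, dstip and policyid are what let you join a UTM record back to its traffic log; the fields this reports per subtype (catdesc, virus, attack, and so on) exist only because the corresponding profile was applied.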

The following table lists some basic examples of how a security profile could be used on an edge FortiGate, where inbound traffic goes from the internet to an internal resource using a VIP, and outbound traffic goes from your network to an internet resource:

Security profile / Inbound traffic / Outbound traffic

Antivirus
  Inbound traffic: Protect external resources from malware, such as HTTP PUT requests or FTP uploads.
  Outbound traffic: Scan requested user traffic for malware.

Web filter
  Inbound traffic: Not usually applied to inbound traffic.
  Outbound traffic: Monitor and block user web traffic based on categories and domains.

Video filter
  Inbound traffic: Not usually applied to inbound traffic.
  Outbound traffic: Monitor and restrict YouTube videos based on categories or channels.

DNS filter
  Inbound traffic: Not usually applied to inbound traffic.
  Outbound traffic: Monitor and filter DNS lookups based on domain ratings. Block requests for known compromised domains.

Application control
  Inbound traffic: Make sure that specific protocols are used to access specific ports. For example, only allow SSH traffic to be sent and received over port 22.
  Outbound traffic: Monitor and filter applications on any port.

Intrusion prevention
  Inbound traffic: Protect external services from known exploits and protocol anomalies.
  Outbound traffic: Block connections to botnet sites.

File filter
  Inbound traffic: Prevent uploading files based on the file type and the protocol that is used.
  Outbound traffic: Prevent downloading files based on the file type and the protocol that is used.

Email filter
  Inbound traffic: Perform spam detection and filtering. Prevent specific IP addresses or subnets from sending and receiving email messages.
  Outbound traffic: Block messages that contain specific words.

Data leak prevention
  Inbound traffic: Prevent sensitive data from entering your network.
  Outbound traffic: Prevent sensitive data, such as credit card numbers or SSNs, from leaving your network.

VoIP
  Inbound traffic: Allow SIP and SCCP traffic, and protect your network from SIP- and SCCP-based attacks.
  Outbound traffic: Secure clients that are connecting to external SIP servers.

ICAP
  Inbound traffic: Offload tasks to separate, specialized servers.
  Outbound traffic: Offload tasks to separate, specialized servers.

Web application firewall
  Inbound traffic: Detect and block known web application attacks, such as SQL injection, XSS, and known exploits.
  Outbound traffic: Not usually applied to outbound traffic.
