Profile-based NGFW vs policy-based NGFW

Profile-based next-generation firewall (NGFW) mode is the traditional mode where you create a profile (antivirus, web filter, and so on) and then apply the profile to a policy.

In policy-based NGFW mode, you allow applications and URL categories to be used directly in security policies, without requiring web filter or application control profiles.

In policy-based mode:

  • Central NAT is always enabled. If no Central SNAT policy exists, you must create one. See Central SNAT for more information.
  • Pre-match rules are defined separately from security policies, and define broader rules, such as SSL inspection and user authentication.

If your FortiGate operates in NAT mode, rather than enabling source NAT in individual NGFW policies, go to Policy & Objects > Central SNAT and add source NAT policies that apply to all matching traffic. In many cases, you may only need one SNAT policy for each interface pair.

The NGFW mode is set per VDOM, and it is only available when the VDOM inspection mode is flow-based. You can operate your entire FortiGate or individual VDOMs in NGFW policy mode.


Switching from profile-based to policy-based mode converts your policies to policy-based. To avoid issues, you could create a new VDOM for the policy-based mode. We recommend backing up your configuration before switching modes. See Configuration backups for information.

Enabling policy-based NGFW mode

To enable policy-based NGFW mode without VDOMs in the GUI:
  1. Go to System > Settings.
  2. In NGFW Mode, select Policy-based.
  3. Click Apply.
To enable policy-based NGFW mode with VDOMs in the GUI:
  1. Go to System > VDOM .
  2. Double-click a VDOM to edit the settings.
  3. In NGFW Mod