Fortinet white logo
Fortinet white logo

Administration Guide

Profile-based NGFW vs policy-based NGFW

Profile-based NGFW vs policy-based NGFW

Profile-based next-generation firewall (NGFW) mode is the traditional mode where you create a profile (antivirus, web filter, and so on) and then apply the profile to a policy.

In policy-based NGFW mode, you allow applications and URL categories to be used directly in security policies, without requiring web filter or application control profiles.

In policy-based mode:

  • Central NAT is always enabled. If no Central SNAT policy exists, you must create one. See Central SNAT for more information.
  • Pre-match rules are defined separately from security policies, and define broader rules, such as SSL inspection and user authentication.
  • The IPsec wizard is not supported.

If your FortiGate operates in NAT mode, rather than enabling source NAT in individual NGFW policies, go to Policy & Objects > Central SNAT and add source NAT policies that apply to all matching traffic. In many cases, you may only need one SNAT policy for each interface pair.

The NGFW mode is set per VDOM, and it is only available when the VDOM inspection mode is flow-based. You can operate your entire FortiGate or individual VDOMs in NGFW policy mode.

Enabling policy-based NGFW mode

To enable policy-based NGFW mode without VDOMs in the GUI:
  1. Go to System > Settings.
  2. In NGFW Mode, select Policy-based.
  3. Click Apply.
To enable policy-based NGFW mode with VDOMs in the GUI:
  1. Go to System > VDOM .
  2. Double-click a VDOM to edit the settings.
  3. In NGFW Mode, select Policy-based.
  4. Click OK.
To enable policy-based NGFW mode without VDOMs in the CLI:
config system settings
    set ngfw-mode policy-based
end
To enable policy-based NGFW mode with VDOMs in the CLI:
config vdom
    edit <vdom>
        config system settings
            set ngfw-mode policy-based
        end
    next
end

Security and SSL Inspection & Authentication policies

Security policies work with SSL Inspection & Authentication policies to inspect traffic. To allow traffic from a specific user or user group, both Security and SSL Inspection & Authentication policies must be configured. A default SSL Inspection & Authentication policy with the certificate-inspection SSL Inspection profile is preconfigured. Traffic will match the SSL Inspection & Authentication policy first. If the traffic is allowed, packets are sent to the IPS engine for application, URL category, user, and user group match, and then, if enabled, UTM inspection (antivirus, IPS, DLP, and email filter) is performed.

SSL Inspection & Authentication policies are used to pre-match traffic before sending the packets to the IPS engine:

  • There are no schedule or action options; traffic matching the policy is always redirected to the IPS engine.
  • SSL inspection, formerly configured in the VDOM settings, is configured in an SSL Inspection & Authentication policy.
  • Users and user groups that require authentication must be configured in an SSL Inspection & Authentication policy.

Security policies work with SSL Inspection & Authentication policies to inspect traffic:

  • Applications and URL categories can be configured directly in the policy.
  • Users and user groups that require authentication must also be configured in a security policy.
  • The available actions are Accept or Deny.
  • The Service option can be used to enforce the standard port for the selected applications. See NGFW policy mode application default service for details.
  • UTM inspection is configured in a security policy.

To configure policies for Facebook and Gmail access in the CLI:
  1. Configure an SSL Inspection & Authentication policy:
    config firewall policy
        edit 1
            set name "Policy-1"
            set srcintf "port18"
            set dstintf "port17"
            set srcaddr "all"
            set dstaddr "all"
            set service "ALL"
            set ssl-ssh-profile "new-deep-inspection"
            set groups "Dev" "HR" "QA" "SYS"
        next
    end
  2. Configure security policies:
    config firewall security-policy
        edit 2
            set name "allow-QA-Facebook"
            set srcintf "port18"
            set dstintf "port17"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set application 15832
            set groups "Dev" "QA"
        next
        edit 4
            set name "allow-QA-Email"
            set srcintf "port18"
            set dstintf "port17"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set url-category 23
            set groups "QA"
        next
    end
Logs

In the application control and web filter logs, securityid maps to the security policy ID.

Application control log:

date=2019-06-17 time=16:35:47 logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="vd1" eventtime=1560814547702405829 tz="-0700" appid=15832 user="Jack" group="QA" srcip=10.1.100.102 dstip=157.240.3.29 srcport=56572 dstport=443 srcintf="port18" srcintfrole="undefined" dstintf="port17" dstintfrole="undefined" proto=6 service="P2P" direction="incoming" policyid=1 sessionid=42445 appcat="Social.Media" app="Facebook" action="pass" hostname="external-sea1-1.xx.fbcdn.net" incidentserialno=1419629662 url="/" securityid=2 msg="Social.Media: Facebook," apprisk="medium" scertcname="*.facebook.com" scertissuer="DigiCert SHA2 High Assurance Server CA"

Web filter log:

date=2019-06-17 time=16:42:41 logid="0317013312" type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="vd1" eventtime=1560814961418114836 tz="-0700" policyid=4 sessionid=43201 user="Jack" group="QA" srcip=10.1.100.102 srcport=56668 srcintf="port18" srcintfrole="undefined" dstip=172.217.3.165 dstport=443 dstintf="port17" dstintfrole="undefined" proto=6 service="HTTPS" hostname="mail.google.com" action="passthrough" reqtype="direct" url="/" sentbyte=709 rcvdbyte=0 direction="outgoing" msg="URL belongs to an allowed category in policy" method="domain" cat=23 catdesc="Web-based Email" securityid=4

Traffic logs:

date=2019-06-17 time=16:35:53 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vd1" eventtime=1560814553778525154 tz="-0700" srcip=10.1.100.102 srcport=56572 srcintf="port18" srcintfrole="undefined" dstip=157.240.3.29 dstport=443 dstintf="port17" dstintfrole="undefined" poluuid="b740d418-8ed3-51e9-5a7b-114e99ab6370" sessionid=42445 proto=6 action="server-rst" user="Jack" group="QA" policyid=1 policytype="consolidated" centralnatid=1 service="HTTPS" dstcountry="United States" srccountry="Reserved" trandisp="snat" transip=172.16.200.2 transport=56572 duration=6 sentbyte=276 rcvdbyte=745 sentpkt=5 rcvdpkt=11 appid=15832 app="Facebook" appcat="Social.Media" apprisk="medium" utmaction="allow" countapp=1 utmref=65531-294

2: date=2019-06-17 time=16:47:45 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vd1" eventtime=1560815265058557636 tz="-0700" srcip=10.1.100.102 srcport=56668 srcintf="port18" srcintfrole="undefined" dstip=172.217.3.165 dstport=443 dstintf="port17" dstintfrole="undefined" poluuid="b740d418-8ed3-51e9-5a7b-114e99ab6370" sessionid=43201 proto=6 action="timeout" user="Jack" group="QA" policyid=1 policytype="consolidated" centralnatid=1 service="HTTPS" dstcountry="United States" srccountry="Reserved" trandisp="snat" transip=172.16.200.2 transport=56668 duration=303 sentbyte=406 rcvdbyte=384 sentpkt=4 rcvdpkt=4 appcat="unscanned" utmaction="allow" countweb=1 utmref=65531-3486

Other NGFW policy-based mode options

You can combine Application Control and Web Filter in the same NGFW mode policy.

The following security profiles can be used in NGFW policy-based mode:

  • AntiVirus
  • Web Filter
  • Intrusion Prevention
  • File Filter
  • Email Filter

Logging can also be enabled in security policies.

Profile-based NGFW vs policy-based NGFW

Profile-based NGFW vs policy-based NGFW

Profile-based next-generation firewall (NGFW) mode is the traditional mode where you create a profile (antivirus, web filter, and so on) and then apply the profile to a policy.

In policy-based NGFW mode, you allow applications and URL categories to be used directly in security policies, without requiring web filter or application control profiles.

In policy-based mode:

  • Central NAT is always enabled. If no Central SNAT policy exists, you must create one. See Central SNAT for more information.
  • Pre-match rules are defined separately from security policies, and define broader rules, such as SSL inspection and user authentication.
  • The IPsec wizard is not supported.

If your FortiGate operates in NAT mode, rather than enabling source NAT in individual NGFW policies, go to Policy & Objects > Central SNAT and add source NAT policies that apply to all matching traffic. In many cases, you may only need one SNAT policy for each interface pair.

The NGFW mode is set per VDOM, and it is only available when the VDOM inspection mode is flow-based. You can operate your entire FortiGate or individual VDOMs in NGFW policy mode.

Enabling policy-based NGFW mode

To enable policy-based NGFW mode without VDOMs in the GUI:
  1. Go to System > Settings.
  2. In NGFW Mode, select Policy-based.
  3. Click Apply.
To enable policy-based NGFW mode with VDOMs in the GUI:
  1. Go to System > VDOM .
  2. Double-click a VDOM to edit the settings.
  3. In NGFW Mode, select Policy-based.
  4. Click OK.
To enable policy-based NGFW mode without VDOMs in the CLI:
config system settings
    set ngfw-mode policy-based
end
To enable policy-based NGFW mode with VDOMs in the CLI:
config vdom
    edit <vdom>
        config system settings
            set ngfw-mode policy-based
        end
    next
end

Security and SSL Inspection & Authentication policies

Security policies work with SSL Inspection & Authentication policies to inspect traffic. To allow traffic from a specific user or user group, both Security and SSL Inspection & Authentication policies must be configured. A default SSL Inspection & Authentication policy with the certificate-inspection SSL Inspection profile is preconfigured. Traffic will match the SSL Inspection & Authentication policy first. If the traffic is allowed, packets are sent to the IPS engine for application, URL category, user, and user group match, and then, if enabled, UTM inspection (antivirus, IPS, DLP, and email filter) is performed.

SSL Inspection & Authentication policies are used to pre-match traffic before sending the packets to the IPS engine:

  • There are no schedule or action options; traffic matching the policy is always redirected to the IPS engine.
  • SSL inspection, formerly configured in the VDOM settings, is configured in an SSL Inspection & Authentication policy.
  • Users and user groups that require authentication must be configured in an SSL Inspection & Authentication policy.

Security policies work with SSL Inspection & Authentication policies to inspect traffic:

  • Applications and URL categories can be configured directly in the policy.
  • Users and user groups that require authentication must also be configured in a security policy.
  • The available actions are Accept or Deny.
  • The Service option can be used to enforce the standard port for the selected applications. See NGFW policy mode application default service for details.
  • UTM inspection is configured in a security policy.

To configure policies for Facebook and Gmail access in the CLI:
  1. Configure an SSL Inspection & Authentication policy:
    config firewall policy
        edit 1
            set name "Policy-1"
            set srcintf "port18"
            set dstintf "port17"
            set srcaddr "all"
            set dstaddr "all"
            set service "ALL"
            set ssl-ssh-profile "new-deep-inspection"
            set groups "Dev" "HR" "QA" "SYS"
        next
    end
  2. Configure security policies:
    config firewall security-policy
        edit 2
            set name "allow-QA-Facebook"
            set srcintf "port18"
            set dstintf "port17"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set application 15832
            set groups "Dev" "QA"
        next
        edit 4
            set name "allow-QA-Email"
            set srcintf "port18"
            set dstintf "port17"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set url-category 23
            set groups "QA"
        next
    end
Logs

In the application control and web filter logs, securityid maps to the security policy ID.

Application control log:

date=2019-06-17 time=16:35:47 logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="vd1" eventtime=1560814547702405829 tz="-0700" appid=15832 user="Jack" group="QA" srcip=10.1.100.102 dstip=157.240.3.29 srcport=56572 dstport=443 srcintf="port18" srcintfrole="undefined" dstintf="port17" dstintfrole="undefined" proto=6 service="P2P" direction="incoming" policyid=1 sessionid=42445 appcat="Social.Media" app="Facebook" action="pass" hostname="external-sea1-1.xx.fbcdn.net" incidentserialno=1419629662 url="/" securityid=2 msg="Social.Media: Facebook," apprisk="medium" scertcname="*.facebook.com" scertissuer="DigiCert SHA2 High Assurance Server CA"

Web filter log:

date=2019-06-17 time=16:42:41 logid="0317013312" type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="vd1" eventtime=1560814961418114836 tz="-0700" policyid=4 sessionid=43201 user="Jack" group="QA" srcip=10.1.100.102 srcport=56668 srcintf="port18" srcintfrole="undefined" dstip=172.217.3.165 dstport=443 dstintf="port17" dstintfrole="undefined" proto=6 service="HTTPS" hostname="mail.google.com" action="passthrough" reqtype="direct" url="/" sentbyte=709 rcvdbyte=0 direction="outgoing" msg="URL belongs to an allowed category in policy" method="domain" cat=23 catdesc="Web-based Email" securityid=4

Traffic logs:

date=2019-06-17 time=16:35:53 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vd1" eventtime=1560814553778525154 tz="-0700" srcip=10.1.100.102 srcport=56572 srcintf="port18" srcintfrole="undefined" dstip=157.240.3.29 dstport=443 dstintf="port17" dstintfrole="undefined" poluuid="b740d418-8ed3-51e9-5a7b-114e99ab6370" sessionid=42445 proto=6 action="server-rst" user="Jack" group="QA" policyid=1 policytype="consolidated" centralnatid=1 service="HTTPS" dstcountry="United States" srccountry="Reserved" trandisp="snat" transip=172.16.200.2 transport=56572 duration=6 sentbyte=276 rcvdbyte=745 sentpkt=5 rcvdpkt=11 appid=15832 app="Facebook" appcat="Social.Media" apprisk="medium" utmaction="allow" countapp=1 utmref=65531-294

2: date=2019-06-17 time=16:47:45 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vd1" eventtime=1560815265058557636 tz="-0700" srcip=10.1.100.102 srcport=56668 srcintf="port18" srcintfrole="undefined" dstip=172.217.3.165 dstport=443 dstintf="port17" dstintfrole="undefined" poluuid="b740d418-8ed3-51e9-5a7b-114e99ab6370" sessionid=43201 proto=6 action="timeout" user="Jack" group="QA" policyid=1 policytype="consolidated" centralnatid=1 service="HTTPS" dstcountry="United States" srccountry="Reserved" trandisp="snat" transip=172.16.200.2 transport=56668 duration=303 sentbyte=406 rcvdbyte=384 sentpkt=4 rcvdpkt=4 appcat="unscanned" utmaction="allow" countweb=1 utmref=65531-3486

Other NGFW policy-based mode options

You can combine Application Control and Web Filter in the same NGFW mode policy.

The following security profiles can be used in NGFW policy-based mode:

  • AntiVirus
  • Web Filter
  • Intrusion Prevention
  • File Filter
  • Email Filter

Logging can also be enabled in security policies.