Fortinet white logo
Fortinet white logo

Administration Guide

Profile groups

Profile groups

Security profiles can be organized into groups. They are useful when there are multiple policies that use the same security profiles, helping save time and preventing missing profiles when configuring policies. When changes need to be made, only the group has to be changed and not the individual policies.

By default, Security Profiles > Profile Groups is not visible in the GUI. It can only be enabled using the CLI.

To show profile groups in the GUI:
config system settings
    set gui-security-profile-group enable
end
To configure a profile group in the GUI:
  1. Go to Security Profiles > Profile Groups and click Create New.

  2. Enter a name for the group.

  3. Enable the required profile types and select the profile that will be included in the group.

    A Protocol Option must be selected.

  4. Click OK.

To configure a profile group in the CLI:
config firewall profile-group
    edit <name>
        set application-list <string>
        set av-profile <string>
        set casb-profile <string> 
        set cifs-profile <string>
        set diameter-filter-profile <string>
        set dlp-profile <string>
        set dnsfilter-profile <string>
        set emailfilter-profile <string>
        set file-filter-profile <string>
        set icap-profile <string>
        set ips-sensor <string>
        set profile-protocol-options <string>
        set sctp-filter-profile <string>
        set ssh-filter-profile <string>
        set ssl-ssh-profile <string>
        set videofilter-profile <string>
        set virtual-patch-profile <string>
        set voip-profile <string>
        set waf-profile <string>
        set webfilter-profile <string>
    next
end

application-list <string>

Name of an existing application list.

av-profile <string>

Name of an existing antivirus profile.

casb-profile <string>

Name of an existing CASB profile.

cifs-profile <string>

Name of an existing CIFS profile.

diameter-filter-profile <string>

Name of an existing Diameter filter profile.

dlp-profile <string>

Name of an existing DLP profile.

dnsfilter-profile <string>

Name of an existing DNS filter profile.

emailfilter-profile <string>

Name of an existing email filter profile.

file-filter-profile <string>

Name of an existing file-filter profile.

icap-profile <string>

Name of an existing ICAP profile.

ips-sensor <string>

Name of an existing IPS sensor profile.

profile-protocol-options <string>

Name of an existing protocol options profile (default = default).

sctp-filter-profile <string>

Name of an existing SCTP filter profile.

ssh-filter-profile <string>

Name of an existing SSH filter profile.

ssl-ssh-profile <string>

Name of an existing SSL SSH profile (default = certificate-inspection).

videofilter-profile <string>

Name of an existing video filter profile.

virtual-patch-profile <string>

Name of an existing virtual-patch profile.

voip-profile <string>

Name of an existing VOIP profile.

waf-profile <string>

Name of an existing WAF profile.

webfilter-profile <string>

Name of an existing web filter profile.

To use the profile group in a policy in the GUI:
  1. Go to Policy & Objects > Firewall Policy and edit an existing policy or create a new one.

  2. In the Security Profiles section, enable Use Security Profile Group and select a group.

    No individual profiles can be selected if using a profile group.

  3. Click OK.

To use the profile group in a policy in the CLI:
config firewall policy
    edit <policyid>
        set name <string>
        set srcintf <interface(s)>
        set dstintf <interface(s)>
        set action {accept | deny | ipsec}
        set srcaddr <address(es)>
        set dstaddr <address(es)>
        set schedule <schedule>
        set service <service(s)>
        set utm-status enable
        set profile-type group
        set profile-group <group>
    next
end

Profile groups

Profile groups

Security profiles can be organized into groups. They are useful when there are multiple policies that use the same security profiles, helping save time and preventing missing profiles when configuring policies. When changes need to be made, only the group has to be changed and not the individual policies.

By default, Security Profiles > Profile Groups is not visible in the GUI. It can only be enabled using the CLI.

To show profile groups in the GUI:
config system settings
    set gui-security-profile-group enable
end
To configure a profile group in the GUI:
  1. Go to Security Profiles > Profile Groups and click Create New.

  2. Enter a name for the group.

  3. Enable the required profile types and select the profile that will be included in the group.

    A Protocol Option must be selected.

  4. Click OK.

To configure a profile group in the CLI:
config firewall profile-group
    edit <name>
        set application-list <string>
        set av-profile <string>
        set casb-profile <string> 
        set cifs-profile <string>
        set diameter-filter-profile <string>
        set dlp-profile <string>
        set dnsfilter-profile <string>
        set emailfilter-profile <string>
        set file-filter-profile <string>
        set icap-profile <string>
        set ips-sensor <string>
        set profile-protocol-options <string>
        set sctp-filter-profile <string>
        set ssh-filter-profile <string>
        set ssl-ssh-profile <string>
        set videofilter-profile <string>
        set virtual-patch-profile <string>
        set voip-profile <string>
        set waf-profile <string>
        set webfilter-profile <string>
    next
end

application-list <string>

Name of an existing application list.

av-profile <string>

Name of an existing antivirus profile.

casb-profile <string>

Name of an existing CASB profile.

cifs-profile <string>

Name of an existing CIFS profile.

diameter-filter-profile <string>

Name of an existing Diameter filter profile.

dlp-profile <string>

Name of an existing DLP profile.

dnsfilter-profile <string>

Name of an existing DNS filter profile.

emailfilter-profile <string>

Name of an existing email filter profile.

file-filter-profile <string>

Name of an existing file-filter profile.

icap-profile <string>

Name of an existing ICAP profile.

ips-sensor <string>

Name of an existing IPS sensor profile.

profile-protocol-options <string>

Name of an existing protocol options profile (default = default).

sctp-filter-profile <string>

Name of an existing SCTP filter profile.

ssh-filter-profile <string>

Name of an existing SSH filter profile.

ssl-ssh-profile <string>

Name of an existing SSL SSH profile (default = certificate-inspection).

videofilter-profile <string>

Name of an existing video filter profile.

virtual-patch-profile <string>

Name of an existing virtual-patch profile.

voip-profile <string>

Name of an existing VOIP profile.

waf-profile <string>

Name of an existing WAF profile.

webfilter-profile <string>

Name of an existing web filter profile.

To use the profile group in a policy in the GUI:
  1. Go to Policy & Objects > Firewall Policy and edit an existing policy or create a new one.

  2. In the Security Profiles section, enable Use Security Profile Group and select a group.

    No individual profiles can be selected if using a profile group.

  3. Click OK.

To use the profile group in a policy in the CLI:
config firewall policy
    edit <policyid>
        set name <string>
        set srcintf <interface(s)>
        set dstintf <interface(s)>
        set action {accept | deny | ipsec}
        set srcaddr <address(es)>
        set dstaddr <address(es)>
        set schedule <schedule>
        set service <service(s)>
        set utm-status enable
        set profile-type group
        set profile-group <group>
    next
end