Configuring a security profile group and applying it to a policy

You can create security profile groups, which allow you to group different security profile settings together. You can then configure the profile group as part of a policy.

For example, consider the RemoteHomeOffice-AllowFortinet example policy above, which allows remote employees (members of the Remote-Home-Office VPN user group) to access *.fortinet.com. Consider that you also want to monitor these employees' access to Cloud/IT applications using Application Control, while disabling Application Control for all other employees. You can achieve this by creating a new security profile group with the desired Application Control settings, and configuring this profile group as part of the RemoteHomeOffice-AllowFortinet policy. Application Control remains disabled for policies that have another security profile group applied.

The following provides steps for configuring the described scenario.

Note

This scenario assumes that Application Control is disabled for policies that have another security profile group applied. Therefore, before proceeding with the following steps, you must disable Application Control on the default profile group if you followed the steps in Configuring Application Control.

This example assumes that the Remote-Home-Office VPN user group has already been created and that one or more of your users have been added to it using the steps in Defining a user group of Entra ID SAML SSO users.

Note

For proper group matching, ensure that you follow the steps in Defining a user group of Entra ID SAML SSO users and specify group IDs in the Remote Groups section of the Create New User Group and Edit User Group dialogs. You should not specify group IDs using the SAML Group Matching option in Configuration > VPN User SSO > Configure Service Provider.

To create a security profile group and configure it in a policy:
  1. Go to Configuration > Security.
  2. From the Profile Group dropdown list in the top right corner, click Create.
  3. In the Name field, enter the desired name. This example uses "Cloud IT" as the group name.
  4. In the Initial Configuration field, do one of the following:
    1. Select Basic to configure the new group with basic security settings (File Filter, Data Leak Prevention, and Application Control disabled, while the other features are enabled).
    2. Select Based On to configure the new group with the same settings as an existing security profile group. From the dropdown list, select the desired group.
  5. Click OK.
  6. Enable Application Control. By default, once enabled, Application Control monitors access to Cloud/IT applications, which is the behavior this scenario requires.
  7. Configure the profile group in a policy:
    1. Go to Configuration > Traffic > Policies.
    2. Select the RemoteHomeOffice-AllowFortinet policy.
    3. In the Profile Group field, select Specify. From the dropdown list, select Cloud IT. The Profile Group field is only available for policies where the Action is configured as Accept.
    4. Click OK.
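The effect of the steps above is easier to reason about as a small model of how a policy resolves its profile group. The following is an added illustration written for this page, not FortiSASE code and not its API. It assumes (these are not stated on the page) that policies are evaluated top-down with the first match winning, that a policy with no explicit profile group inherits the default group, and that the "AllEmployees-AllowWeb" policy and the `lint` helper are constructed for the example. It also encodes the two rules the page does state: a profile group applies only to policies whose Action is Accept, and Application Control stays disabled for traffic handled by any policy that uses another profile group.

```python
"""Model of profile-group resolution for FortiSASE-style policies.

Added example, not the product's own code. Assumptions (labelled here and in
the lead-in): top-down first-match policy evaluation; a policy whose
profile_group is None inherits the default group; profile groups only apply
to Accept policies.
"""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Optional


@dataclass
class ProfileGroup:
    name: str
    application_control: bool  # other profile features are omitted for brevity


@dataclass
class Policy:
    name: str
    user_groups: frozenset      # empty set means "any user"
    destinations: tuple         # glob patterns such as "*.fortinet.com"
    action: str                 # "accept" or "deny"
    profile_group: Optional[str] = None  # None -> inherit the default group


@dataclass
class Flow:
    user_groups: frozenset
    host: str


def matches(policy: Policy, flow: Flow) -> bool:
    """Policy matches when the user is in one of its groups and the host fits."""
    if policy.user_groups and not (policy.user_groups & flow.user_groups):
        return False
    return any(fnmatch(flow.host, pattern) for pattern in policy.destinations)


def resolve_profile_group(policy, groups, default_name):
    """Profile groups only exist on Accept policies; denied traffic is not inspected."""
    if policy.action != "accept":
        return None
    return groups[policy.profile_group or default_name]


def evaluate(flow, policies, groups, default_name):
    """Return the matching policy, its action, and whether App Control applies."""
    for policy in policies:  # assumed: first match wins
        if matches(policy, flow):
            pg = resolve_profile_group(policy, groups, default_name)
            return {"policy": policy.name, "action": policy.action,
                    "application_control": bool(pg and pg.application_control)}
    return {"policy": None, "action": "deny", "application_control": False}


def lint(policies, groups, default_name):
    """Check the preconditions the page's note relies on; returns a list of issues."""
    issues = []
    if groups[default_name].application_control:
        issues.append(f"default group '{default_name}' still has Application Control enabled")
    for p in policies:
        if p.profile_group and p.profile_group not in groups:
            issues.append(f"{p.name}: unknown profile group '{p.profile_group}'")
        if p.action != "accept" and p.profile_group:
            issues.append(f"{p.name}: profile group on a non-Accept policy has no effect")
    return issues


# Constructed sample configuration mirroring the scenario on this page.
GROUPS = {
    "default": ProfileGroup("default", application_control=False),
    "Cloud IT": ProfileGroup("Cloud IT", application_control=True),
}
POLICIES = [
    Policy("RemoteHomeOffice-AllowFortinet", frozenset({"Remote-Home-Office"}),
           ("*.fortinet.com",), "accept", "Cloud IT"),
    Policy("AllEmployees-AllowWeb", frozenset(), ("*",), "accept"),  # constructed catch-all
]

if __name__ == "__main__":
    for issue in lint(POLICIES, GROUPS, "default"):
        print("config issue:", issue)
    remote = Flow(frozenset({"Remote-Home-Office"}), "docs.fortinet.com")
    other = Flow(frozenset({"Sales"}), "docs.fortinet.com")
    print(evaluate(remote, POLICIES, GROUPS, "default"))
    print(evaluate(other, POLICIES, GROUPS, "default"))
```

Running `lint` before `evaluate` is the useful habit here: if the default profile group still has Application Control enabled (for example because the steps in Configuring Application Control were followed earlier), the "only remote employees are monitored" outcome silently fails even though the Cloud IT group and the policy binding are correct.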