Configuring security profiles and SWG policies

FortiSASE has a default security profile configured, which is applied to the Allow-All Secure Web Gateway (SWG) policy. When all users, sources, and destinations require the same scanning and protection, maintaining only one default security profile suffices. However, if different users, sources, or destinations require different protection, create different profile groups for each group of users.

The default SWG policies block any traffic destined for Botnet and C&C servers but allow the rest. Consider your user base and design your SWG policies carefully. FortiSASE matches policies from top down, so add more restrictive policies at the top and less restrictive policies at the bottom.

To configure a new security profile:

1. Go to Configuration > Security.
2. On the top-right, click the dropdown list beside Profile Group, then click Create.
3. In the Create Profile Group slide-in, enter a name for the new profile.
4. In Initial Configuration, select whether to use a basic initial configuration or base the profile on an existing profile.
5. Click OK.
6. On the top-right, click the dropdown list again, and select your newly created profile.
7. Edit the profile as desired. See Security for details.

To create an SWG policy:

1. Go to Configuration > SWG Policies.
2. Click Create.
3. Configure the SWG policy:
   1. In the Name field, enter the desired policy name.
   2. For Action, select ACCEPT.
   3. In the Source field, specify source subnet(s) as desired.
   4. In the User field, specify the user group used for your remote users.
   5. In the Destination field, specify destination subnet(s) as desired.
   6. In the Profile Group field, specify the profile that you created.
   7. In the Log Allow Traffic field, select All Sessions.
4. Click OK.
5. Move the new policy above the Allow-All policy.