Configuring security profiles and policies

FortiSASE ships with a default security profile, which is applied by the Allow-All VPN policy. When all users, sources, and destinations require the same scanning and protection, maintaining only that default profile suffices. However, if different users, sources, or destinations require different protection, create a separate profile group for each set of users and reference it from its own policy.

The default VPN policies block any traffic destined for Botnet and C&C servers and allow everything else. Consider your user base and design your VPN policies carefully. FortiSASE evaluates policies from the top down and applies the first one that matches, so place more restrictive (more specific) policies above less restrictive ones. A specific policy placed below Allow-All is never reached, because Allow-All already matches the traffic.

To configure a new security profile:
  1. Go to Configuration > Security.
  2. On the top-right, click the dropdown list beside Profile Group, then click Create.
  3. In the Create Profile Group slide-in, enter a name for the new profile.
  4. In Initial Configuration, select whether to use a basic initial configuration or base the profile on an existing profile.
  5. Click OK.
  6. On the top-right, click the dropdown list again, and select your newly created profile.
  7. Edit the profile as desired. See Security for details.
To create a VPN policy:
  1. Go to Configuration > Policies.
  2. Click Create.
  3. Configure the VPN policy:
    1. In the Name field, enter the desired policy name.
    2. For Source Scope, select VPN Users.
    3. For Action, select ACCEPT.
    4. In the Source field, specify source subnet(s) as desired.
    5. In the User field, specify the user group used for your remote users.
    6. In the Destination field, specify destination subnet(s) as desired.
    7. In the Profile Group field, specify the profile that you created.
    8. In the Log Allow Traffic field, select All Sessions. This logs every session the policy accepts, not only those that trigger a security event, which gives you the traffic visibility needed for investigation at the cost of higher log volume.
  4. Click OK.
  5. Move the new policy above the Allow-All policy. If you leave it below Allow-All, the Allow-All policy matches first and the new policy, together with its profile group, is never applied.
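The ordering rule behind step 5 is easy to get wrong in a long policy list. The following is an added example, written for this page and not FortiSASE code: a small Python model of top-down, first-match policy evaluation with constructed sample policies (the subnets are documentation ranges, and the policy, group and profile names are made up), plus a shadow check that flags any policy an earlier, broader policy will always pre-empt.

```python
"""Model of top-down, first-match VPN policy evaluation.

Added example, not FortiSASE code: it reproduces the matching rule the page
describes (first matching policy wins) so you can see why a specific policy
left below Allow-All never fires. All names and subnets are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional
import ipaddress


@dataclass
class Policy:
    name: str
    action: str                                      # "ACCEPT" or "DENY"
    source: list = field(default_factory=list)       # source CIDRs; empty = any
    users: set = field(default_factory=set)          # user groups; empty = any
    destination: list = field(default_factory=list)  # destination CIDRs; empty = any
    profile_group: Optional[str] = None              # security profile applied on ACCEPT
    log_allow: str = "Security Events"               # "All Sessions" logs every allowed session


def _addr_in(addr: str, cidrs: list) -> bool:
    """True if addr falls in any CIDR, or if the policy field is 'any' (empty)."""
    if not cidrs:
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


def matches(p: Policy, src: str, group: str, dst: str) -> bool:
    return (_addr_in(src, p.source)
            and (not p.users or group in p.users)
            and _addr_in(dst, p.destination))


def evaluate(policies: list, src: str, group: str, dst: str) -> Optional[Policy]:
    """Walk the list top-down and return the first matching policy (None = implicit deny)."""
    for p in policies:
        if matches(p, src, group, dst):
            return p
    return None


def _cidrs_covered(inner: list, outer: list) -> bool:
    """True if every CIDR in `inner` lies inside some CIDR in `outer` ('any' covers all)."""
    if not outer:
        return True
    if not inner:
        return False
    return all(any(ipaddress.ip_network(i).subnet_of(ipaddress.ip_network(o))
                   for o in outer) for i in inner)


def shadowed(policies: list) -> list:
    """Names of policies that can never match because an earlier policy is at least as broad."""
    out = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            users_covered = not earlier.users or (bool(later.users) and later.users <= earlier.users)
            if (_cidrs_covered(later.source, earlier.source)
                    and users_covered
                    and _cidrs_covered(later.destination, earlier.destination)):
                out.append(later.name)
                break
    return out


# Constructed sample policies (hypothetical names; documentation address ranges).
BLOCK_BOTNET = Policy("Block-Botnet-CC", "DENY", destination=["198.51.100.0/24"])
CONTRACTORS = Policy("Contractors-Finance", "ACCEPT", users={"contractors"},
                     destination=["10.20.0.0/16"], profile_group="contractor-strict",
                     log_allow="All Sessions")
ALLOW_ALL = Policy("Allow-All", "ACCEPT", profile_group="default")

WRONG_ORDER = [BLOCK_BOTNET, ALLOW_ALL, CONTRACTORS]  # new policy left below Allow-All
RIGHT_ORDER = [BLOCK_BOTNET, CONTRACTORS, ALLOW_ALL]  # step 5 applied: moved above Allow-All


def which_policy(order: list, src: str, group: str, dst: str) -> tuple:
    """(policy name, action, profile group) chosen for one flow under a given ordering."""
    p = evaluate(order, src, group, dst)
    return (p.name, p.action, p.profile_group) if p else ("implicit-deny", "DENY", None)


if __name__ == "__main__":
    flow = ("10.1.1.5", "contractors", "10.20.3.4")
    print("wrong order:", which_policy(WRONG_ORDER, *flow), "shadowed:", shadowed(WRONG_ORDER))
    print("right order:", which_policy(RIGHT_ORDER, *flow), "shadowed:", shadowed(RIGHT_ORDER))
    print("botnet dest:", which_policy(RIGHT_ORDER, "10.1.1.5", "employees", "198.51.100.7"))
```

With the new policy below Allow-All, a contractor reaching the finance subnet is accepted by Allow-All with the default profile group, and the shadow check reports Contractors-Finance as unreachable; with the policy moved up, the same flow gets the contractor-strict profile and nothing is shadowed. Run the shadow check whenever you reorder the list, not just after creating a policy.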