Profile-based NGFW vs policy-based NGFW

Profile-based next-generation firewall (NGFW) mode is the traditional mode where you create a profile (antivirus, web filter, and so on) and then apply the profile to a policy.

In policy-based NGFW mode, applications and URL categories are used directly in security policies, without web filter or application control profiles.

In policy-based mode:

  • Central NAT is always enabled. If no Central SNAT policy exists, you must create one. See Central SNAT for more information.
  • Pre-match rules are defined separately from security policies, and define broader rules, such as SSL inspection and user authentication.

If your FortiGate operates in NAT mode, rather than enabling source NAT in individual NGFW policies, go to Policy & Objects > Central SNAT and add source NAT policies that apply to all matching traffic. In many cases, you may only need one SNAT policy for each interface pair.

The NGFW mode is set per VDOM, and it is only available when the VDOM inspection mode is flow-based. You can operate your entire FortiGate or individual VDOMs in NGFW policy mode.

Note

Switching a VDOM from profile-based to policy-based mode converts its existing policies to policy-based. To avoid conversion issues, you can instead create a new VDOM for policy-based mode. We recommend backing up your configuration before switching modes. See Configuration backups for information.

Enabling policy-based NGFW mode

To enable policy-based NGFW mode without VDOMs in the GUI:
  1. Go to System > Settings.
  2. In NGFW Mode, select Policy-based.
  3. Click Apply.
To enable policy-based NGFW mode with VDOMs in the GUI:
  1. Go to System > VDOM.
  2. Double-click a VDOM to edit the settings.
  3. In NGFW Mode, select Policy-based.
  4. Click OK.
To enable policy-based NGFW mode without VDOMs in the CLI:
config system settings
    set ngfw-mode {profile-based | policy-based}
end
To enable policy-based NGFW mode with VDOMs in the CLI:
config vdom
    edit <vdom>
        config system settings
            set ngfw-mode policy-based
        end
    next
end

Security and firewall policies

Security policies work with firewall (or consolidated) policies to inspect traffic. To allow traffic from a specific user or user group, both a firewall policy and a security policy must be configured. Traffic is matched against the firewall policy first. If the firewall policy allows it, the packets are sent to the IPS engine, which matches the application, URL category, user, and user group against the security policies and then, if enabled, performs UTM inspection (antivirus, IPS, DLP, and email filter).

Firewall policies are used to pre-match traffic before sending the packets to the IPS engine:

  • There are no schedule or action options; traffic matching the policy is always redirected to the IPS engine.
  • SSL inspection, formerly configured in the VDOM settings, is configured in a firewall policy.
  • Users and user groups that require authentication must be configured in a firewall policy.

Security policies work with firewall policies to inspect traffic:

  • Applications and URL categories can be configured directly in the policy.
  • Users and user groups that require authentication must also be configured in a security policy.
  • The available actions are Accept or Deny.
  • The Service option can be used to enforce the standard port for the selected applications. See NGFW policy mode application default service for details.
  • UTM inspection is configured in a security policy.

To configure policies for Facebook and Gmail access in the CLI:
  1. Configure a firewall policy:
    config firewall consolidated policy
        edit 1
            set name "Policy-1"
            set uuid b740d418-8ed3-51e9-5a7b-114e99ab6370
            set srcintf "port18"
            set dstintf "port17"
            set srcaddr4 "all"
            set dstaddr4 "all"
            set service "ALL"
            set ssl-ssh-profile "new-deep-inspection"
            set groups "Dev" "HR" "QA" "SYS"
        next
    end
  2. Configure security policies:
    config firewall security-policy
        edit 2
            set uuid 364594a2-8ef1-51e9-86f9-32db9c2634b6
            set name "allow-QA-Facebook"
            set srcintf "port18"
            set dstintf "port17"
            set srcaddr4 "all"
            set dstaddr4 "all"
            set action accept
            set schedule "always"
            set application 15832
            set groups "Dev" "QA"
        next
        edit 4
            set uuid a2035210-8ef1-51e9-8b28-5a87b2cabcfa
            set name "allow-QA-Email"
            set srcintf "port18"
            set dstintf "port17"
            set srcaddr4 "all"
            set dstaddr4 "all"
            set action accept
            set schedule "always"
            set url-category 23
            set groups "QA"
        next
    end
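
The two-tier match described above, as an added example (not code from the original page or from Fortinet): a small Python model that applies the page's CLI policies in the order the page states, firewall (consolidated) policy first, then security policy inside the IPS engine. Interfaces, groups, application ID 15832 and URL category 23 are taken from the CLI example; addresses and service are left out because they are "all"/"ALL". It assumes that a session matching no policy at either tier is denied, and that a security policy with no application or URL category listed matches on interfaces and group alone; both rules are assumptions for this model, not something this page states.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Simplified model of NGFW policy-based matching as this page describes it:
# 1. the firewall (consolidated) policy pre-matches on interfaces and
#    authenticated user groups and hands the packets to the IPS engine;
# 2. the IPS engine matches a security policy on application / URL category
#    and group, and applies that policy's action (accept or deny).
# Assumption (not stated on this page): no match at either tier means deny.

@dataclass(frozen=True)
class FirewallPolicy:
    policyid: int
    srcintf: str
    dstintf: str
    groups: FrozenSet[str] = frozenset()      # empty: no authentication required

@dataclass(frozen=True)
class SecurityPolicy:
    securityid: int
    name: str
    srcintf: str
    dstintf: str
    action: str                                # "accept" or "deny"
    groups: FrozenSet[str] = frozenset()
    applications: FrozenSet[int] = frozenset()    # application IDs, e.g. 15832
    url_categories: FrozenSet[int] = frozenset()  # URL category IDs, e.g. 23

@dataclass(frozen=True)
class Session:
    srcintf: str
    dstintf: str
    group: Optional[str]          # group the user authenticated into; None if none
    appid: Optional[int] = None
    url_category: Optional[int] = None

# Policies from the CLI example above (srcaddr4/dstaddr4 "all" and service "ALL" omitted).
FIREWALL_POLICIES = [
    FirewallPolicy(1, "port18", "port17", frozenset({"Dev", "HR", "QA", "SYS"})),
]
SECURITY_POLICIES = [
    SecurityPolicy(2, "allow-QA-Facebook", "port18", "port17", "accept",
                   groups=frozenset({"Dev", "QA"}), applications=frozenset({15832})),
    SecurityPolicy(4, "allow-QA-Email", "port18", "port17", "accept",
                   groups=frozenset({"QA"}), url_categories=frozenset({23})),
]

def _group_ok(required: FrozenSet[str], group: Optional[str]) -> bool:
    return not required or group in required

def match_firewall(session: Session, policies=FIREWALL_POLICIES) -> Optional[FirewallPolicy]:
    """Tier 1: first firewall policy whose interface pair and groups match."""
    for p in policies:
        if (p.srcintf, p.dstintf) == (session.srcintf, session.dstintf) and _group_ok(p.groups, session.group):
            return p
    return None

def match_security(session: Session, policies=SECURITY_POLICIES) -> Optional[SecurityPolicy]:
    """Tier 2: first security policy matching interfaces, group and app or category."""
    for p in policies:
        if (p.srcintf, p.dstintf) != (session.srcintf, session.dstintf):
            continue
        if not _group_ok(p.groups, session.group):
            continue
        if not p.applications and not p.url_categories:
            return p   # assumption: no app/category configured means any traffic matches
        if session.appid in p.applications or session.url_category in p.url_categories:
            return p
    return None

def decide(session: Session) -> Tuple[str, Optional[int], Optional[int]]:
    """Return (action, policyid, securityid), the IDs the page's logs report."""
    fw = match_firewall(session)
    if fw is None:
        return ("deny", None, None)
    sec = match_security(session)
    if sec is None:
        return ("deny", fw.policyid, None)
    return (sec.action, fw.policyid, sec.securityid)

if __name__ == "__main__":
    cases = [
        ("QA -> Facebook", Session("port18", "port17", "QA", appid=15832)),
        ("Dev -> Facebook", Session("port18", "port17", "Dev", appid=15832)),
        ("Dev -> web-based email", Session("port18", "port17", "Dev", url_category=23)),
        ("HR -> Facebook", Session("port18", "port17", "HR", appid=15832)),
        ("unauthenticated -> Facebook", Session("port18", "port17", None, appid=15832)),
    ]
    for label, s in cases:
        print(f"{label:30s} -> {decide(s)}")
```

Running it shows why a group must appear in both tiers: HR is allowed by the firewall policy but reaches neither security policy, so its Facebook session is denied (policyid 1, no securityid), while Dev gets Facebook through securityid 2 but not web-based email, which is QA-only.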
Logs

In the application control and web filter logs, securityid is the ID of the security policy that matched. The traffic log does not carry securityid; it reports the firewall (consolidated) policy as policyid with policytype="consolidated", together with the central SNAT policy that was applied (centralnatid, trandisp, transip). Because these logs share the same vd and sessionid, a session's traffic log can be joined to its UTM logs to see which policy matched at each tier.

Application control log:

date=2019-06-17 time=16:35:47 logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="vd1" eventtime=1560814547702405829 tz="-0700" appid=15832 user="Jack" group="QA" srcip=10.1.100.102 dstip=157.240.3.29 srcport=56572 dstport=443 srcintf="port18" srcintfrole="undefined" dstintf="port17" dstintfrole="undefined" proto=6 service="P2P" direction="incoming" policyid=1 sessionid=42445 appcat="Social.Media" app="Facebook" action="pass" hostname="external-sea1-1.xx.fbcdn.net" incidentserialno=1419629662 url="/" securityid=2 msg="Social.Media: Facebook," apprisk="medium" scertcname="*.facebook.com" scertissuer="DigiCert SHA2 High Assurance Server CA"

Web filter log:

date=2019-06-17 time=16:42:41 logid="0317013312" type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="vd1" eventtime=1560814961418114836 tz="-0700" policyid=4 sessionid=43201 user="Jack" group="QA" srcip=10.1.100.102 srcport=56668 srcintf="port18" srcintfrole="undefined" dstip=172.217.3.165 dstport=443 dstintf="port17" dstintfrole="undefined" proto=6 service="HTTPS" hostname="mail.google.com" action="passthrough" reqtype="direct" url="/" sentbyte=709 rcvdbyte=0 direction="outgoing" msg="URL belongs to an allowed category in policy" method="domain" cat=23 catdesc="Web-based Email" securityid=4

Traffic logs:

date=2019-06-17 time=16:35:53 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vd1" eventtime=1560814553778525154 tz="-0700" srcip=10.1.100.102 srcport=56572 srcintf="port18" srcintfrole="undefined" dstip=157.240.3.29 dstport=443 dstintf="port17" dstintfrole="undefined" poluuid="b740d418-8ed3-51e9-5a7b-114e99ab6370" sessionid=42445 proto=6 action="server-rst" user="Jack" group="QA" policyid=1 policytype="consolidated" centralnatid=1 service="HTTPS" dstcountry="United States" srccountry="Reserved" trandisp="snat" transip=172.16.200.2 transport=56572 duration=6 sentbyte=276 rcvdbyte=745 sentpkt=5 rcvdpkt=11 appid=15832 app="Facebook" appcat="Social.Media" apprisk="medium" utmaction="allow" countapp=1 utmref=65531-294

date=2019-06-17 time=16:47:45 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vd1" eventtime=1560815265058557636 tz="-0700" srcip=10.1.100.102 srcport=56668 srcintf="port18" srcintfrole="undefined" dstip=172.217.3.165 dstport=443 dstintf="port17" dstintfrole="undefined" poluuid="b740d418-8ed3-51e9-5a7b-114e99ab6370" sessionid=43201 proto=6 action="timeout" user="Jack" group="QA" policyid=1 policytype="consolidated" centralnatid=1 service="HTTPS" dstcountry="United States" srccountry="Reserved" trandisp="snat" transip=172.16.200.2 transport=56668 duration=303 sentbyte=406 rcvdbyte=384 sentpkt=4 rcvdpkt=4 appcat="unscanned" utmaction="allow" countweb=1 utmref=65531-3486
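
A worked example for reading these logs, added here and not part of the original page or of Fortinet's own tooling: it parses the FortiGate key=value log format (including quoted values that contain spaces), joins each session's UTM logs to its traffic log on vd and sessionid so that the firewall policy (policyid with policytype="consolidated", plus centralnatid and transip from the traffic log) sits next to the security policy (securityid from the UTM logs), and then checks each cited securityid against the security policies in the CLI example above. The sample lines are trimmed from the logs shown on this page; the final "HR" line is constructed to produce a finding. SECURITY_POLICIES, parse_fortigate_log, correlate_sessions and audit_sessions are names chosen for this example.

```python
import re
from collections import defaultdict

# FortiGate logs are space-separated key=value pairs; values that contain spaces
# are double-quoted, e.g. scertissuer="DigiCert SHA2 High Assurance Server CA".
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')

# Security policies from the CLI example above: securityid -> (name, permitted groups).
SECURITY_POLICIES = {
    2: ("allow-QA-Facebook", {"Dev", "QA"}),
    4: ("allow-QA-Email", {"QA"}),
}

def parse_fortigate_log(line):
    """Parse one FortiGate log line into a dict; quotes are stripped from values."""
    rec = {}
    for key, raw in _KV.findall(line):
        rec[key] = raw[1:-1] if len(raw) >= 2 and raw[0] == raw[-1] == '"' else raw
    return rec

def correlate_sessions(lines):
    """Group logs by (vd, sessionid). The traffic log supplies the firewall
    (consolidated) policy and central NAT data; each UTM log supplies the
    securityid of the security policy that matched inside the IPS engine."""
    sessions = defaultdict(lambda: {
        "firewall_policyid": None, "policytype": None, "centralnatid": None,
        "transip": None, "securityids": set(), "user": None, "group": None, "utm": [],
    })
    for line in lines:
        rec = parse_fortigate_log(line)
        if "sessionid" not in rec:
            continue
        s = sessions[(rec.get("vd"), rec["sessionid"])]
        s["user"] = rec.get("user", s["user"])
        s["group"] = rec.get("group", s["group"])
        if rec.get("type") == "traffic":
            s["firewall_policyid"] = int(rec["policyid"])
            s["policytype"] = rec.get("policytype")
            s["centralnatid"] = int(rec["centralnatid"]) if "centralnatid" in rec else None
            s["transip"] = rec.get("transip")
        elif rec.get("type") == "utm" and "securityid" in rec:
            s["securityids"].add(int(rec["securityid"]))
            s["utm"].append((rec.get("subtype"), rec.get("app") or rec.get("catdesc"), rec.get("action")))
    return dict(sessions)

def audit_sessions(sessions, policies=SECURITY_POLICIES):
    """Flag UTM hits that cite a securityid absent from the running config, or
    whose user group is not one the cited security policy permits."""
    findings = []
    for (vd, sid), s in sessions.items():
        for securityid in s["securityids"]:
            if securityid not in policies:
                findings.append((vd, sid, f"unknown securityid {securityid}"))
                continue
            name, groups = policies[securityid]
            if s["group"] not in groups:
                findings.append((vd, sid, f"group {s['group']!r} not permitted by {name}"))
    return findings

# Sample lines trimmed from the logs shown on this page (only the fields used here).
SAMPLE_LOGS = [
    'date=2019-06-17 time=16:35:47 logid="1059028704" type="utm" subtype="app-ctrl" vd="vd1" appid=15832 user="Jack" group="QA" srcip=10.1.100.102 dstip=157.240.3.29 policyid=1 sessionid=42445 app="Facebook" action="pass" securityid=2 scertissuer="DigiCert SHA2 High Assurance Server CA"',
    'date=2019-06-17 time=16:42:41 logid="0317013312" type="utm" subtype="webfilter" vd="vd1" policyid=4 sessionid=43201 user="Jack" group="QA" action="passthrough" msg="URL belongs to an allowed category in policy" cat=23 catdesc="Web-based Email" securityid=4',
    'date=2019-06-17 time=16:35:53 logid="0000000013" type="traffic" subtype="forward" vd="vd1" poluuid="b740d418-8ed3-51e9-5a7b-114e99ab6370" sessionid=42445 action="server-rst" user="Jack" group="QA" policyid=1 policytype="consolidated" centralnatid=1 trandisp="snat" transip=172.16.200.2 app="Facebook" utmaction="allow" utmref=65531-294',
    'date=2019-06-17 time=16:47:45 logid="0000000013" type="traffic" subtype="forward" vd="vd1" poluuid="b740d418-8ed3-51e9-5a7b-114e99ab6370" sessionid=43201 action="timeout" user="Jack" group="QA" policyid=1 policytype="consolidated" centralnatid=1 trandisp="snat" transip=172.16.200.2 appcat="unscanned" utmaction="allow" utmref=65531-3486',
]
# Constructed line (not from the page): an HR user logged against securityid 4, which only permits QA.
ANOMALOUS_LOG = 'date=2019-06-17 time=16:50:00 logid="0317013312" type="utm" subtype="webfilter" vd="vd1" sessionid=99999 user="Pat" group="HR" action="passthrough" cat=23 catdesc="Web-based Email" securityid=4'

if __name__ == "__main__":
    sessions = correlate_sessions(SAMPLE_LOGS + [ANOMALOUS_LOG])
    for key, s in sessions.items():
        print(key, "policyid", s["firewall_policyid"], "securityids", sorted(s["securityids"]), s["group"], s["utm"])
    print("findings:", audit_sessions(sessions))
```

The join is only meaningful within one VDOM, which is why the key includes vd as well as sessionid; session IDs are reused over time, so a production version should also bound the join by eventtime.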

Other NGFW policy-based mode options

You can combine Application Control and Web Filter in the same NGFW mode policy. If the policy accepts applications or URL categories, you can also apply AntiVirus, DNS Filter, IPS profiles, and logging options.