Security Profiles enhancements

Feature set option

To more clearly show the features specific to proxy-based mode, use the new Feature set option to select Flow-based or Proxy-based. When you select Flow-based or Proxy-based, only the features for that mode are available.

The following pages have the Feature set option:

  • Security Profiles > AntiVirus
  • Security Profiles > Web Filter
  • Security Profiles > Email Filter
  • Security Profiles > Data Leak (CLI only)
  • Policy & Objects > Protocol Options

Example of the Feature set option in Security Profiles > AntiVirus:

If you select Proxy-based, a red P icon indicates the proxy-only features.

When you configure firewall policies:

  • If the inspection mode is flow-based, dropdown menus only display profiles with flow-based feature sets.
  • If the inspection mode is proxy-based, dropdown menus display profiles with flow-based or proxy-based feature sets.

If a flow-based inspection policy has a proxy-based profile assigned, a warning icon and tooltip inform you that proxy features do not work in a flow-based policy. This warning also appears when you use the CLI to assign security profiles.

Upgrade support

Upgrading from 6.2.x to 6.4.0 causes the following changes to security profiles.

Upgrade scenario                                                                      Result after upgrade
Profile was assigned exclusively to flow-based firewall policies in 6.2.x.            feature-set = flow
Profile was assigned exclusively to proxy-based firewall policies in 6.2.x.           feature-set = proxy
Profile was assigned to both flow-based and proxy-based firewall policies in 6.2.x.   feature-set = proxy
Profile was not assigned to any firewall policies in 6.2.x.                           feature-set = flow
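As an added example (not Fortinet's code and not part of this page), the following Python script applies the two rules above to a constructed configuration dump: it flags proxy-based profiles attached to flow-based policies (the case that produces the warning), and predicts the feature-set each profile receives under the upgrade mapping in the table. The sample configuration, the firewall policy attribute names listed in PROFILE_ATTRS (av-profile, webfilter-profile, emailfilter-profile, dlp-sensor, profile-protocol-options) and the assumed default inspection-mode of flow are the example's own assumptions.

```python
"""Audit a FortiOS 6.4 config dump for feature-set mismatches.
Added example, not Fortinet code; applies the feature-set rules this page states."""
import shlex

# Constructed sample, not a real device dump. Policy 2 is flow-based but
# uses a proxy feature-set AV profile: the warning case the page describes.
SAMPLE_CONFIG = """\
config antivirus profile
    edit "av-flow"
        set feature-set flow
    next
    edit "av-proxy"
        set feature-set proxy
        config http
            set emulator enable
        end
    next
    edit "av-unused"
        set feature-set flow
    next
end
config firewall policy
    edit 1
        set inspection-mode proxy
        set av-profile "av-proxy"
    next
    edit 2
        set inspection-mode flow
        set av-profile "av-proxy"
    next
    edit 3
        set inspection-mode flow
        set av-profile "av-flow"
    next
end
"""

# Policy attribute -> config table holding the referenced profile (assumed names).
PROFILE_ATTRS = {
    "av-profile": "antivirus profile",
    "webfilter-profile": "webfilter profile",
    "emailfilter-profile": "emailfilter profile",
    "dlp-sensor": "dlp sensor",
    "profile-protocol-options": "firewall profile-protocol-options",
}

def parse_config(text):
    """Parse into {table: {entry: {key: value}}}; sub-blocks inside an entry
    (e.g. 'config http' in an AV profile) are skipped, keeping top-level sets."""
    tables, table, entry, depth = {}, None, None, 0
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        cmd = tokens[0]
        if cmd == "config":
            if table is None:
                table = " ".join(tokens[1:])
                tables.setdefault(table, {})
            else:
                depth += 1  # nested sub-block inside an entry
        elif cmd == "edit" and depth == 0:
            entry = tokens[1]
            tables[table].setdefault(entry, {})
        elif cmd == "set" and depth == 0 and entry is not None:
            tables[table][entry][tokens[1]] = " ".join(tokens[2:])
        elif cmd == "next" and depth == 0:
            entry = None
        elif cmd == "end":
            if depth:
                depth -= 1
            else:
                table = None
    return tables

def find_mismatches(tables):
    """(policy, attribute, profile) for every proxy profile on a flow policy."""
    issues = []
    for policy, attrs in tables.get("firewall policy", {}).items():
        if attrs.get("inspection-mode", "flow") != "flow":  # assumed default: flow
            continue
        for attr, table in PROFILE_ATTRS.items():
            name = attrs.get(attr)
            if name and tables.get(table, {}).get(name, {}).get("feature-set") == "proxy":
                issues.append((policy, attr, name))
    return issues

def upgrade_feature_set(tables):
    """6.2.x -> 6.4.0 rule from the page: referenced by any proxy-based policy
    -> proxy; referenced only by flow-based policies, or unused -> flow."""
    modes = {}  # (table, profile) -> inspection modes of referencing policies
    for attrs in tables.get("firewall policy", {}).values():
        for attr, table in PROFILE_ATTRS.items():
            if attr in attrs:
                modes.setdefault((table, attrs[attr]), set()).add(
                    attrs.get("inspection-mode", "flow"))
    return {(t, n): "proxy" if "proxy" in modes.get((t, n), ()) else "flow"
            for t, entries in tables.items() if t != "firewall policy"
            for n in entries}
```

Run find_mismatches(parse_config(SAMPLE_CONFIG)) to list the policies that would show the warning icon, and upgrade_feature_set on a 6.2.x dump to see which profiles will come out of the upgrade with feature-set proxy; those are the profiles whose proxy-only features silently stop applying on any flow-based policy that still references them.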

Configure security profiles using CLI

To configure the Antivirus security profile using the CLI:
config antivirus profile
    edit new-av-profile
        set comment <string>
        set feature-set {flow | proxy}
        set ftgd-analytics {disable | suspicious | everything}
        ...
    next
end

See Configure Antivirus profiles in the FortiOS CLI Reference for more information.

To configure the Web Filter security profile using the CLI:
config webfilter profile
    edit "new-wf-profile"
        set comment <string>
        set feature-set {flow | proxy}
        ...
        config ftgd-wf
            unset options
            config filters
                ...
            end
        end
    next
end

See Configure Web filter profiles in the FortiOS CLI Reference for more information.

To configure the Email Filter security profile using the CLI:
config emailfilter profile
    edit "new-ef-profile"
        set comment <string>
        set feature-set {flow | proxy}
        ...
    next
end

See Configure Email filter profiles in the FortiOS CLI Reference for more information.

To configure the DLP security profile using the CLI:
config dlp sensor
    edit "new-dlp-profile"
        set comment <string>
        set feature-set {flow | proxy}
        ...
    next
end

See Configure DLP sensors in the FortiOS CLI Reference for more information.

To configure Protocol Options in Policy & Objects using the CLI:
config firewall profile-protocol-options
    edit "new-protocol-options"
        set feature-set {flow | proxy}
        config http
            set ports 80
            unset options
            unset post-lang
        end
        config ftp
            set ports 21
            set options splice
        end
        config imap
            set ports 143
            set options fragmail
        end
        ...
    next
end

See Configure protocol options in the FortiOS CLI Reference for more information.

Antivirus profiles use hybrid scanning as default

In flow-based Antivirus profiles, the scan-mode option is removed. Flow-based Antivirus profiles use the default hybrid scanning method to process traffic. Legacy mode is available for diagnostics only.

Tooltip

When upgrading from 6.2.x to 6.4.0, Antivirus profiles assigned to flow-based firewall policies only operate in the default hybrid mode regardless of the previous scan-mode setting.

In CLI, scan-mode options are only available for proxy-based Antivirus profiles. The scan-mode options are not available for flow-based Antivirus profiles.

config antivirus profile
    edit "new-av-profile"
        set comment ''
        set replacemsg-group ''
        set feature-set proxy
        set mobile-malware-db enable
        config http
            unset options
            unset archive-block
            unset archive-log
            set emulator enable
            set outbreak-prevention disabled
        end
        ...
        set av-virus-log enable
        set av-block-log enable
        set extended-log disable
        set scan-mode default
    next
end

set ?
    comment              Comment.
    replacemsg-group     Replacement message group customized for this profile.
    feature-set          Flow/proxy feature set.
    mobile-malware-db    Enable/disable using the mobile malware signature database.
    av-virus-log         Enable/disable AntiVirus logging.
    av-block-log         Enable/disable logging for AntiVirus file blocking.
    extended-log         Enable/disable extended logging for antivirus.
    scan-mode            Choose between default scan mode and legacy scan mode.

Diagnostics

The following diagnostic commands are meant for troubleshooting only.

diagnose ips av mode ?
    hybrid    Enable/disable hybrid scan mode.
    show      Show status of hybrid scan mode.
To check flow-based AV scan mode status:
diagnose ips av mode show
    Flow-av hybrid scan: Enabled
    Flow-av hybrid scan: Enabled
    Flow-av hybrid scan: Enabled
    Flow-av hybrid scan: Enabled
To disable hybrid scan for flow-based AV and enable full scan:
Caution

This command does not persist over a reboot. Flow-av hybrid scan is enabled by default.

diagnose ips av mode hybrid disable

diagnose ips av mode show
    Flow-av hybrid scan: Disabled
    Flow-av hybrid scan: Disabled
    Flow-av hybrid scan: Disabled
    Flow-av hybrid scan: Disabled
To enable hybrid scan for flow-based AV and disable full scan, returning to the default:
diagnose ips av mode hybrid enable

diagnose ips av mode show
    Flow-av hybrid scan: Enabled
    Flow-av hybrid scan: Enabled
    Flow-av hybrid scan: Enabled
    Flow-av hybrid scan: Enabled