NGFW Policy mode is going to make a bunch of engineers smile ear to ear. There are a lot of cool features coming in 5.6, including a much improved Security Fabric (with audit capabilities), dashboard tweaks, source and destination NAT on the same policy, etc. The one feature I have been adamantly submitting to Fortinet over the past few years has been NGFW style policy. Check out the video below where I go into detail!
Are you able to now block specific file types by URL category? Like I want to allow EXEs to come from windowsupdate.com, but I want to block EXEs coming from facebook or other social media sites…
I will look and see when I’m back at my lab. I know you can set a hard block at the top for web categories in general. Haven’t tried to do the exception by file type though.
I don’t like that you have to choose one or the other, at all. There are some FW policies where I’d like to select a profile so that I can allow several categories, block some, have static URL filters, etc. for a single subnet or user group. So I want to block all Social Media, except Facebook. I can do that with a profile. But with NGFW policy mode you can’t do that in a single rule – you have to select a category to block or allow, period. So I’d have to create one profile that says allow Facebook, then create another that blocks all the other Social Media. With the web filtering, you can NOT do URL filtering in policy mode, not that I’ve seen. So if you have 1000 rules where only ONE needs a static URL blocked or allowed, you can’t run policy mode. Also, once you get into policy mode, the Web Filtering and App Control configs go away, so under Web Filtering it says “Custom Category 1”… how do you configure what’s in that custom category??? There’s no Web Filtering configuration under Security Profiles. CLI?
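The comment above asks how a custom web category gets populated once the GUI no longer exposes it. The following is an added configuration example, not part of the original post or any commenter's reply, and not verified against 5.6 policy mode specifically: it assumes the FortiOS CLI tables `webfilter ftgd-local-cat` (defines a local category and its numeric id) and `webfilter ftgd-local-rating` (maps a URL to that id) are available, and that the category name "custom1" and id 140 are arbitrary values chosen for illustration.

```fortios
# Added example (assumption: FortiOS CLI, names and ids are illustrative)
# 1. Define a local category that the NGFW policy can reference by name.
config webfilter ftgd-local-cat
    edit "custom1"
        set id 140
    next
end

# 2. Rate a specific URL into that local category. Any policy that blocks
#    or allows "custom1" then applies to this URL, which is the closest
#    policy-mode equivalent of a static URL filter entry.
config webfilter ftgd-local-rating
    edit "www.example.com"
        set rating 140
    next
end
```

Check the result from the CLI with `diagnose webfilter fortiguard cache dump` or by rating the URL from a test client, since a local rating only takes effect for traffic that is actually subject to FortiGuard web category inspection on the matching policy.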
They basically had to re-write the OS to read a packet differently for NGFW mode. It has to allow just enough packets to identify the app before it can proceed. I understand where you are coming from though and that would be awesome to see.
You also have to choose between deep inspection and cert inspection for everything in policy mode. So you can’t have a policy for a group of managed desktops with deep inspection, then a policy for your BYOD devices running cert inspection. I assume the road map is to be able to use both policy and profile modes simultaneously, which would be the ultimate in flexibility and granularity… but it’s just not there yet.
I could see someone using device type for the source or perhaps reserved IP addresses for the DPI machines and then applying the inspection to that policy specifically.