Security profile groups

Security profile groups

It may seem counter intuitive to have a topic on security profile groups in the Firewall Chapter/Handbook when there is already a chapter/handbook on Security Profiles, but there are reasons.

  • Security profile groups are used exclusively in the configuration of a firewall policy, which is described in the Firewall Chapter/Handbook.
  • The CLI commands for creating and using security profile groups are in the firewall configuration context of the command line structure of settings.

The purpose of security profile groups is just the same as other groups such as Address, Service, and VIP groups. They are used to save time and effort in the administration of the FortiGate when there are a lot of policies with a similar pattern of Security Profile use. In a fairly basic network setup with a handful of policies it doesn’t seem like it would be worth the effort to set up groups of security profiles but if you have a large complex configuration with hundreds of policies where many of them use the same security profiles it can definitely save some effort and help prevent missing adding an important profile from a policy. As an added benefit, when it comes time to add or change the profiles for the policies that use the Security Profile Groups, the changes only have to be made to the group, not each policy.

The most difficult part about using security profile groups is making them visible in the GUI.

Making security profile groups visible in the GUI

By default, the Security Profile Groups are not visible in the GUI. Neither the ability to assign one to a policy nor the ability to configure the members of a group are available by default. You will not find the option to enable Security Profile Groups under System > Feature Visibility either. Instead, they only become visible in the GUI once one has been created and assigned to a policy. This must be done the first time through the CLI using the following syntax:

config system settings set gui-dynamic-profile-display enable

end

Step 1 – Create a security profile group:

Enter the command: config firewall profile-group

Use the edit command to give a name to and create a new Security Profile Group

(profile-group) # edit test-group

Configure the members of the group by setting the name of the desired profile in the field for the related profile/sensor/list. The options are:

av-profile Name of an existing Antivirus profile.
webfilter-profile Name of an existing Web filter profile.
dnsfilter-profile Name of an existing DNS filter profile.
spamfilter-profile Name of an existing Spam filter profile.
dlp-sensor Name of an existing DLP sensor.
ips-sensor Name of an existing IPS sensor.
application-list Name of an existing Application list.
voip-profile Name of an existing VoIP profile.
icap-profile Name of an existing ICAP profile.
waf-profile Name of an existing Web application firewall profile.
profile-protocoloptions Name of an existing Protocol options profile.
ssl-ssh-profile Name of an existing SSL SSH profile.

Example:

set av-profile default

set profile-plrotocol-options default

node_check_object fail! for profile-protocol-options Attribute ‘profile-protocol-options’ MUST be set.

Command fail. Return code -56

Step 2 – Add a security profile to a policy

Now that there is group to add to a policy we can configure a policy to allow the use of a Security Policy group. This is also done in the CLI.

In the following example only the command necessary to enable the use and pick of a Security Policy group have been listed.

config firewall policy edit 0 set utm-status enable set profile-type group set profile-group test-group

Step 3 – The appearance in the GUI of the security profile group configuration features

  • Under Security Profiles there is a menu item called Profile Groups that can be used to create new and edit existing profile groups.
  • In the Edit Policy window for IPv4 and IPv6 policies there is a Use Security Profile Group field to enable or disable the use of the groups.
  • In the window, policy groups can be created or edited by clicking on the appropriate icons next to or in the drop down menu l In the policy listing window there is a Security Profiles column.
  • Right or left clicking on the icon for the group brings up editing options either via a slide out window or a drop down menu, respectively.
This entry was posted in Administration Guides, FortiGate on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.