Other Security Profiles considerations
The following topics are included in this section:
- Profile Groups
- Security Profiles and Virtual domains (VDOMs)
- Conserve mode
- SSL content scanning and inspection
- Monitoring Security Profiles activity
- Using wildcards and Perl regular expressions
- Monitor interface reference
Profile Groups
One of the options when adding Security Profiles to policies is the Profile Groups feature. This works much the same way as an address group or a service group: you assign a selection of Security Profiles to the group and then assign the group to a policy. This is very convenient in an environment with a large number of policies because, instead of deciding which Security Profiles to use each time you create a policy, you can maintain a small selection of Profile Groups and assign one of them to every policy. If changes need to be made, rather than editing each policy individually you only have to change the group, and the changes automatically propagate to all of the policies that use the Profile Group. This makes Security Profiles administration simpler to implement, simpler to administer, and simpler to keep track of which Security Profiles features are assigned to which policies.
To refine the application of Security Profiles even further, you can use Profile Groups in combination with identity-based policies and user groups, so that a common set of Security Profiles is assigned depending on which user group a person belongs to. A good example of this would be a school environment. Staff and students are going to have significantly different permissions and restrictions. Staff will be allowed access to websites that children are not (Web Filter). Staff will be allowed to transmit certain data under certain circumstances, while students cannot transmit that type of data at all (DLP). Staff might have access to applications for communicating with colleagues in real time, while students might be denied social networking access to keep them from being distracted from their studies (Application Control). There are a number of permutations and possibilities that are made simpler and easier to administer by using these features together.
Creating a new group
Security profiles that can be grouped
When setting up a Profile Group you can assign any combination of the following profile types to the group:
- AntiVirus
- Web Filter
- Application Control
- IPS
- Email Filter
- DLP Sensor
- VoIP
- ICAP
Because the Security profiles depend on one, whenever you assign a Security profile to a policy you must also assign a Proxy Option profile.
Using the Web-based Manager
To keep the interface simpler and less cluttered, some firmware versions by default display only a default profile for each of the profile types and a default Profile Group. Going into the Admin Settings section and enabling the display of Multiple Security Profiles also enables the option to have multiple Profile Groups in the Web-based Manager.
- Go to Security Profiles –> Profile Group –> Profile Group
- Select Create New
- Give the New Profile group a name.
- Select the Security Profiles.
  - Use the check-boxes to determine whether or not a particular Security profile will be assigned.
  - Use the drop-down menu to determine which Security profile will be used.
- Select a Proxy Option profile.
The Default Proxy Option Profile will be added by default if another profile is not selected.
- Select OK.
Using the CLI
In the CLI enter the commands:
config firewall profile-group
    edit <profile_group_name>
        set profile-protocol-options <protocol_options_name>
        set av-profile <name_of_av-profile>
        set webfilter-profile <name_of_webfilter-profile>
        set spamfilter-profile <name_of_spamfilter-profile>
        set dlp-sensor <name_of_dlp-sensor>
        set ips-sensor <name_of_ips-sensor>
        set application-list <name_of_application-list>
        set voip-profile <name_of_voip-profile>
        set icap-profile <name_of_icap-profile>
        set deep-inspection-options <name_of_deep-inspection-options>
    next
end
Adding a Profile Group to a policy
Using the CLI
- Go to the Firewall policy with which you wish to associate the Profile Group.
- For an Address Firewall policy:
    config firewall policy
        edit <policyID>
- For an Identity based policy:
    config firewall policy
        edit <policyID>
            config identity-based-policy
                edit <policy_id>
- To assign a Profile Group to a security policy, add the following settings to the policy configuration:
    set utm-status enable
    set profile-type group
    set profile-group <name of the profile group>
    end
When adding a Profile Group to a policy there are 2 potential points of confusion:
- Depending on your interpretation, there may be some confusion on the profile-type setting.
  - group indicates the use of a profile group.
  - single indicates the use of individual Security profiles.
- In the CLI, the context, or placement in the “syntax tree” of configuration settings, can make some options available or unavailable depending on other settings.
In an Address Policy you only have to go down 2 “levels” to have the options for configuring the Profile Groups available.
When an Identity policy is being used the Profile Group options are not available at the same level. You have to go down a further 2 levels, to inside the Authentication rule that is nested within the overall umbrella of the Firewall Policy. This is where the Profile Group settings will be available to you.
Security Profiles and Virtual domains (VDOMs)
If you enable virtual domains (VDOMs) on your FortiGate unit, all Security Profiles configuration is limited to the VDOM in which you configure it.
While configuration is not shared, the various databases used by Security Profiles features are shared. The FortiGuard antivirus and IPS databases and database updates are shared. The FortiGuard web filter and spam filter features contact the FortiGuard distribution network and access the same information when checking email for spam and web site categories and classification.
Conserve mode
FortiGate units perform all Security Profiles processing in physical RAM. Since each model has a limited amount of memory, conserve mode is activated when the remaining free memory is nearly exhausted or the AV proxy has reached the maximum number of sessions it can service. While conserve mode is active, the AV proxy does not accept new sessions.
The AV proxy
Most content inspection the FortiGate unit performs requires that the files, email messages, URLs, and web pages be buffered and examined as a whole. The AV proxy performs this function, and because it may be buffering many files at the same time, it uses a significant amount of memory. Conserve mode is designed to prevent all the component features of the FortiGate unit from trying to use more memory than it has. Because the AV proxy uses so much memory, conserve mode effectively disables it in most circumstances. As a result, the content inspection features that use the AV proxy are also disabled in conserve mode.
All of the Security Profiles features use the AV proxy with the exception of IPS, application control, DoS as well as flow-based antivirus, DLP, and web filter scanning. These features continue to operate normally when the FortiGate unit enters conserve mode.
Entering and exiting conserve mode
A FortiGate unit will enter conserve mode because it is nearly out of physical memory, or because the AV proxy has reached the maximum number of sessions it can service. The memory threshold that triggers conserve mode varies by model, but it is about 20% free memory. When memory use rises to the point where less than 20% of the physical memory is free, the FortiGate unit enters conserve mode.
The FortiGate unit will leave conserve mode only when the available physical memory exceeds about 30%. When exiting conserve mode, all new sessions configured to be scanned with features requiring the AV proxy will be scanned as normal, with the exception of a unit configured with the one-shot option.
Conserve mode effects
What happens when the FortiGate unit enters conserve mode depends on how you have av-failopen configured. There are four options:
off
The off setting forces the FortiGate unit to stop all traffic that is configured for content inspection by Security Profiles features that use the AV proxy. New sessions are not allowed but current sessions continue to be processed normally unless they request more memory. Sessions requesting more memory are terminated.
For example, if a security policy is configured to use antivirus scanning, the traffic it permits is blocked while in conserve mode. A policy with IPS scanning enabled continues as normal. A policy with both IPS and antivirus scanning is blocked because antivirus scanning requires the AV proxy.
Use the off setting when security is more important than a loss of access while the problem is rectified.
pass
The pass setting allows traffic to bypass the AV proxy and continue to its destination. Since the traffic is bypassing the proxy, no Security Profiles scanning that requires the AV proxy is performed. Security Profiles scanning that does not require the AV proxy continues normally.
Use the pass setting when access is more important than security while the problem is rectified.
Pass is the default setting.
one-shot
The one-shot setting is similar to pass in that traffic is allowed when conserve mode is active. The difference is that a system configured for one-shot will force new sessions to bypass the AV proxy even after it leaves conserve mode. The FortiGate unit resumes use of the AV proxy only when the av-failopen setting is changed or the unit is restarted.
idledrop
The idledrop setting will recover memory and session space by terminating all the sessions associated with the host that has the most sessions open. The FortiGate may force this session termination a number of times, until enough memory is available to allow it to leave conserve mode.
The idledrop setting is primarily designed for situations in which malware may continue to open sessions until the AV proxy cannot accept more new sessions, triggering conserve mode. If your FortiGate unit is operating near capacity, this setting could cause the termination of valid sessions. Use this option with caution.
Configuring the av-failopen command
You can configure the av-failopen command using the CLI.
config system global
    set av-failopen {off | pass | one-shot | idledrop}
end
The default setting is pass.
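Both CLI procedures on this page, attaching a Profile Group to a policy (utm-status, profile-type and profile-group) and choosing the av-failopen conserve-mode behaviour, are easy to get wrong across a large configuration. As an added example, not code from the Fortinet documentation, the following Python audit parses a constructed FortiOS-style config dump, flags policies whose profile-type is group but whose profile-group is missing or never defined, and reports whether the configured av-failopen value lets traffic bypass the AV proxy in conserve mode. The parser, the sample config and the function names are this example's own assumptions.

```python
import shlex
# Constructed sample FortiOS-style config (not from a real unit): policy 2 names a
# profile group that is never defined, and av-failopen keeps the default "pass".
SAMPLE_CONFIG = """
config system global
    set av-failopen pass
end
config firewall profile-group
    edit "staff-group"
        set profile-protocol-options "default"
    next
end
config firewall policy
    edit 1
        set utm-status enable
        set profile-type group
        set profile-group "staff-group"
    next
    edit 2
        set utm-status enable
        set profile-type group
        set profile-group "student-group"
    next
end
"""

def parse_fortios(text):
    """Nest config/edit/set/next/end lines into dicts keyed by table or edit name."""
    node, stack = {}, []
    for parts in filter(None, map(shlex.split, text.splitlines())):
        kw, args = parts[0], parts[1:]
        if kw in ("config", "edit"):   # open a child table or entry
            stack.append(node)
            node = node.setdefault(" ".join(args), {})
        elif kw == "set":              # attribute on the current entry
            node[args[0]] = " ".join(args[1:])
        elif kw in ("next", "end"):    # close it
            node = stack.pop()
    return node                        # back at the root after the final end

def dangling_profile_groups(cfg):
    """IDs of group-type policies whose profile-group is unset or not defined."""
    groups = cfg.get("firewall profile-group", {})
    return [pid for pid, pol in cfg.get("firewall policy", {}).items()
            if pol.get("utm-status") == "enable"
            and pol.get("profile-type") == "group"
            and pol.get("profile-group") not in groups]

def conserve_mode_bypasses_av_proxy(cfg):
    """True when av-failopen (default pass) lets traffic skip the AV proxy in conserve mode."""
    return cfg.get("system global", {}).get("av-failopen", "pass") in ("pass", "one-shot")
```

Run it against a `show full-configuration` dump to spot policies that will pass traffic unscanned because their group reference is broken, and to confirm whether conserve mode on that unit fails open or closed.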