FortiGate Profile Vs Policy Based Mode

  • Published: 9 Jul 2024
  • I get asked frequently what the main differentiation is between profile based and policy based mode on the FortiGate. I always explain it that Policy based mode is the Palo style of doing things while the profile based mode is the original FortiGate style of doing things.
    Either way, they both provide great functionality with various pros and cons for each.
    Buy Hardware: bit.ly/2QZVeqh
    Get Consulting: bit.ly/36FinSU
    My Other Projects:
    Office Of The CISO: bit.ly/3HGMH1o
    Packet Llama: bit.ly/3SEX3H4
    ###### SOCIAL LINKS ######
    Twitter: bit.ly/2WXiRAv
    Facebook: bit.ly/3eigz4D
    Instagram: bit.ly/3cZneAz
    ######################

Comments • 44

  • @FortinetGuru
    @FortinetGuru 4 years ago

    What are your favorite things about Profile Mode? What about Policy Mode? Comment Below!

  • @michaelrunyon383
    @michaelrunyon383 4 years ago +14

    Great content, as always! A good follow up might be flow-based vs proxy inspection. Thanks for all the hard work you put into these videos. Keep 'em coming!

  • @swmitchell76
    @swmitchell76 A year ago +1

    Thanks for spending time to make a great video (clear and easy to understand). I'm doing my NSE4... this was EXACTLY what I was looking for. :)

  • @khavydigitallife
    @khavydigitallife 4 years ago +1

    Profile-Based was easier than Policy-Based for deployment. I will test on Policy-Based. Thanks for creating videos.

  • @brylleflores8855
    @brylleflores8855 4 years ago +1

    Thank you for always giving up useful info.
    More power, FortiGuru

  • @RaviChinasamy
    @RaviChinasamy 4 years ago +1

    Learned firewalling myself on profile mode and since then it has always been my preferred mode on FortiGate. Really short but sweet video, mate. Keep it up! 👍

  • @MrBarto95
    @MrBarto95 4 years ago

    Thanks for the video, I'm testing the policy based mode now 😉

  • @DannyMaas
    @DannyMaas 4 years ago

    Coming from profile based, policy based takes a bit of getting used to. Central NAT has its own perks and downsides. Great video again. Thanks!

  • @kmcgaughmohr
    @kmcgaughmohr A year ago

    Thanks for the easy explanation. Working on the NSE4. Some of Fortinet's NSE4 content is more complicated than it needs to be.

  • @sameerudeen710
    @sameerudeen710 4 years ago

    Thank you

  • @larshartmann3818
    @larshartmann3818 A year ago

    Hey Mike, I wonder if you could make a video for an "initial setup" of a FortiGate doing policy mode?

  • @FrankFiene
    @FrankFiene 2 years ago

    I've started right away with Policy Mode and changed to Profile Mode for a training (the trainer was a profile one).
    I must say, I like the idea of using Firewall Policies on an Application basis, rather than applying an Application filter to a Firewall Policy.
    I think I will go back to Policy Mode again. ;-)

  • @UnifiedMessenger
    @UnifiedMessenger 2 years ago +3

    We started a month ago with Fortinet by purchasing a FortiGate 81F (running FortiOS 7.01 GA at the moment). As Policy-mode looked very nice we put our FortiGate in Policy-mode. That turned out to be a big mistake! Although Policy-mode works very nicely, it turned out (after contacting Fortinet Support) that spam filtering is NOT possible in Policy-mode because Policy-mode works flow-based and the spam filter only works proxy-based (in Policy-mode you cannot select a feature set, it simply isn't there anymore; on the CLI it is not possible anymore either). Serious? Yes, unfortunately this is serious. According to Fortinet Support we have two options: switch NGFW mode back to Profile-mode, or leave it in Policy-mode and issue an NFR (New Feature Request) to (hopefully) get it working in future firmware updates. Yes people, it is a feature, not a bug... I expected more from one of the market leaders and am very disappointed.

    • @UnifiedMessenger
      @UnifiedMessenger 2 years ago +5

      Yesterday (11/08/2021) I had a chat with an engineer from Fortinet. It turned out that Policy-mode is not developed anymore because customer adoption and use seem to be minimal. Also, all documentation is written from a Profile-based point of view. So the advice is not to enable Policy-mode anymore. So we are forced to switch back to Profile-mode and reconfigure the FortiGate, because all rules will be deleted when switching back.

    • @joshuagrimm435
      @joshuagrimm435 2 years ago

      @@UnifiedMessenger I ran into an issue when attempting to move over to Policy mode (in a "test" VDOM). Firewall is on version 6.4.7. When defining policies and adding applications to the policy, I get the following error: "Application xxxxx is incompatible with NGFW Policy mode due to large scan-range detection requirements." (where xxxxx varies based on the application(s) I am attempting to add).
      Fortinet advised me that: "The error message is expected behavior. Per internal engineering ticket 651019, this error message is to notify the user that the given application they're trying to set for the security policy cannot be detected due to its large scan range.
      If they must detect this app, for now they would need to use profile-based mode instead of policy-based mode."
      Seriously, Fortinet?!!!

    • @Traumatree
      @Traumatree 2 years ago +1

      @@UnifiedMessenger Wow, thx for the tip Arjan. I was looking into the WAF capabilities of the FG and also at switching to policy-based for better inspection, but I will refrain from that. It seems the best mode is still proxy-based (in the policy itself), and then you can use the WAF profiles. Oh well!

  • @ndloh
    @ndloh 4 years ago

    Still using Profile Mode, as right now the FortiOS is still 6.0.9.
    But I can see that sometimes policy mode does better if you apply the same things to different interfaces; then this can be easy.
    I hope to see more info about SSL inspection.
    Thanks for sharing

    • @FortinetGuru
      @FortinetGuru 4 years ago

      No problem. I am in the process of transitioning over to Policy mode on my lab. Once I verify everything I will probably run all production that way. It just makes sense for the way my brain thinks about things.

  • @HansaGBB
    @HansaGBB 2 years ago

    I have a question. Looks like the only advantage of Policy Based mode is that it has application filtering included in the policy. But we have an application filtering profile option in the Profile Based mode too right? So what's the difference? Is the Policy Based mode's app filtering better or something?

  • @tovarasultau
    @tovarasultau 4 years ago

    Have you used FortiGate as a proxy server? I have a client of mine who has a FortiGate behind a MikroTik router. The FortiGate is in transparent mode and I cannot filter P2P traffic for the VPN users which come through the MikroTik router. Maybe you can help with an idea on this. I was thinking of migrating the OpenVPN from the MikroTik to the FortiGate, or just forwarding the OpenVPN ports to the FortiGate.

    • @FortinetGuru
      @FortinetGuru 4 years ago

      I have had deployments where the FortiGate operated as a proxy server for folks on site and off

  • @mentalsite7833
    @mentalsite7833 4 years ago

    Please make a video on SSL VPN vs IPsec VPN

  • @Zorsla0605981
    @Zorsla0605981 A year ago

    Hello everybody, I am Zoran and I come from Belgrade, Serbia. I am new in the FortiGate world; can somebody tell me what Central SNAT is and what the goal of it is? Right now I have four FortiGate devices: one of them is model 101E and the other three are 81E. Those devices currently work in Profile-based mode, and I need to change to Policy-based mode. What is the direction for that, what do I need to do first? Can somebody help me with that?

  • @th0mps0n7
    @th0mps0n7 4 years ago +1

    Can switching to policy based mode from profile based be done anytime, or is it a one-time option that must be selected upon VDOM creation? Can I migrate, or do I have to recreate all policies from scratch?

    • @FortinetGuru
      @FortinetGuru 4 years ago

      You can do it anytime.

    • @th0mps0n7
      @th0mps0n7 4 years ago

      @@FortinetGuru Tested in the lab and all policies went away, so not a simple hot cut...

  • @adgiant4364
    @adgiant4364 4 years ago

    Can you have both Profile & Policy based running at the same time? What would be the pro/cons of that?

    • @FortinetGuru
      @FortinetGuru 4 years ago

      It is one or the other

    • @pete2375
      @pete2375 4 years ago +1

      Selecting profile / policy mode is done on a per-VDOM basis, so you (probably) could run both if you needed to.

    • @FortinetGuru
      @FortinetGuru 4 years ago

      Yeah. I took the question as on a single VDOM. Pete is right, you can do it per VDOM. You could make it work using multiple VDOMs, though the configuration may be a little cumbersome.

    • @pete2375
      @pete2375 4 years ago

      Yeah, as with so many things in life, just because you can, doesn't mean that you should. 😀
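A FortiOS CLI fragment, added here as an illustration and not taken from the video or from any commenter, showing what the two points made in this thread and in th0mps0n7's thread above look like in configuration: the NGFW mode is a per-VDOM setting, so one VDOM can be policy-based while another stays profile-based, and switching a VDOM's mode discards that VDOM's existing firewall policies, so the running config is exported first. The VDOM names `lab` and `prod`, the backup file name and the TFTP server address are constructed placeholders; `config system settings` / `set ngfw-mode` and `execute backup config tftp` are FortiOS CLI as I know it, to be checked against the CLI reference for the release in use.

```fortios
# Added example: per-VDOM NGFW mode selection on a FortiGate with VDOMs enabled.
# VDOM names, file name and TFTP address are constructed placeholders.

# 1. Export the running configuration before touching the mode. The thread above
#    reports that all firewall policies in the VDOM are removed by the mode change,
#    so this backup is the only way to recover or re-derive them.
config global
    execute backup config tftp before-policy-mode.conf 192.0.2.10
end

# 2. Put only the lab VDOM into policy-based mode. Policies are recreated from
#    scratch afterwards, with applications and URL categories referenced on the
#    security policy itself rather than through attached profiles.
config vdom
    edit lab
        config system settings
            set ngfw-mode policy-based
        end
    next
end

# 3. The production VDOM is untouched and keeps the default profile-based mode,
#    where application, IPS, AV and web filter control is applied as profiles
#    on firewall policies. Both modes now run on the same chassis.
config vdom
    edit prod
        config system settings
            set ngfw-mode profile-based
        end
    next
end
```

The practical sequence for a migration is therefore: backup, record the policy set from the old VDOM, change `ngfw-mode` in a test VDOM first (as joshuagrimm435 did above), rebuild the policies there, and only then decide whether production VDOMs follow.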

  • @elamateurtube
    @elamateurtube 2 years ago

    Hey guru, is it possible to use policy based security rules while using the global Profile Based mode in settings?

    • @FortinetGuru
      @FortinetGuru 2 years ago

      Have to choose one or the other

    • @elamateurtube
      @elamateurtube 2 years ago

      @@FortinetGuru Got it. But if you choose "the old one" globally in settings, you aren't able to use policy based on individual policy rules? Ty man

  • @brinian1
    @brinian1 3 years ago

    Does it support LDAP authentication?

  • @danielhimler6308
    @danielhimler6308 4 years ago +1

    To me policy based mode is not usable as long as Fortinet is not able to manage PAT in Central SNAT based on destination port, e.g. to always use a dedicated IP for SMTP or DNS connections. Every other firewall I know of is able to do this. I couldn't believe it when I saw that Fortinet misses here. So profile based mode will be the way to go for me...

    • @FortinetGuru
      @FortinetGuru 4 years ago

      Fortinet misses a lot these days.

    • @Traumatree
      @Traumatree 2 years ago

      Yes, this too was surprising to me as you always need to specify IPs for anything and you can't wildcard based on port for traffic interception.

  • @enotspe
    @enotspe 4 years ago

    + policy mode (if it worked)