Pany
New Contributor

Grouping for Policy and security profiles

We have many policies and security profiles to manage; please add a grouping feature for both.

Toshi_Esumi
Esteemed Contributor III

At least security profile grouping feature already exists under "config firewall profile-group".

Pany

I cannot find "config firewall profile-group" on my firewall. I could only find some results online saying it can be enabled in the CLI, but after enabling it, nothing changed on my firewall. Please help.

Toshi_Esumi
Esteemed Contributor III

Follow this to enable it in the GUI. Then the "Profile Groups" sub-menu shows up under the "Security Profiles" menu.

https://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-firewall/Concepts%20-%20Firewall/Mak...

Be aware that "config sys settings" is a per-vdom config, in case you're in a multi-vdom environment.

ede_pfau
Esteemed Contributor III

Depending on the version of FortiOS, sometimes you need to put in the group commands in CLI in one policy before it shows up in the GUI.

I've even had the case where I knew I had inserted the CLI commands and it never showed in the GUI.

Example:

config firewall profile-group
    edit "win_clients"
        set av-profile "scan"
        set dnsfilter-profile "default"
        set ips-sensor "anti-ransom"
        set application-list "block-botnet&P2P"
        set profile-protocol-options "custom-default"
        set ssl-ssh-profile "my_certificate-inspection"
    next
end
config firewall policy
    edit 3
        set srcintf "WLAN-Gast"
        set dstintf "wan1"
        set srcaddr "WLAN-Gast"
        set dstaddr "all"
        set action accept
        set schedule "workinghours"
        set service "Gast-Services"
        set utm-status enable
        set profile-type group
        set profile-group "win_clients"
        set nat enable
    next
end


Ede

"Kernel panic: Aiee, killing interrupt handler!"
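
Added example (not part of any post in this thread, and not Fortinet code): a small Python check over a saved configuration that reports policies set to "profile-type group" whose "profile-group" is not defined, or that lack "set utm-status enable" as used in the example above. It assumes flat config/edit/set blocks without nested tables; the sample text, including policy 4 and the group name "linux_clients", is constructed.

```python
import shlex

# Constructed sample: trimmed from the post above, plus a hypothetical policy 4.
SAMPLE = '''
config firewall profile-group
    edit "win_clients"
        set av-profile "scan"
    next
end
config firewall policy
    edit 3
        set utm-status enable
        set profile-type group
        set profile-group "win_clients"
    next
    edit 4
        set profile-type group
        set profile-group "linux_clients"
    next
end
'''

def parse_tables(text):
    # Returns {table path: {entry name: {key: value}}}; nested tables are not handled.
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        tok = shlex.split(raw) or [""]
        if tok[0] == "config":
            table = tables.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "edit" and table is not None:
            entry = table.setdefault(tok[1], {})
        elif tok[0] == "set" and entry is not None:
            entry[tok[1]] = " ".join(tok[2:])
        elif tok[0] in ("next", "end"):
            entry = None
    return tables

def audit_policies(text):
    # Maps policy id -> problem, only for policies that use "profile-type group".
    tables = parse_tables(text)
    groups, findings = tables.get("firewall profile-group", {}), {}
    for pid, p in tables.get("firewall policy", {}).items():
        if p.get("profile-type") == "group":
            name = p.get("profile-group")
            if name not in groups:
                findings[pid] = "undefined profile-group"
            elif p.get("utm-status") != "enable":
                findings[pid] = "utm-status not enabled"
    return findings
```

Calling audit_policies() on the text of a configuration backup returns an empty dict when every group-type policy points at a defined group with UTM enabled.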
KPS
New Contributor III

There are already "sequences" for policies, but I totally agree: groups, chains, etc. would help a lot for larger rule-sets.
