Handbook

6.0.0
Security profile groups

It may seem counterintuitive to have a topic on security profile groups in the Firewall Chapter/Handbook when there is already a chapter/handbook on Security Profiles, but there are reasons:

  • Security profile groups are used exclusively in the configuration of a firewall policy, which is described in the Firewall Chapter/Handbook.
  • The CLI commands for creating and using security profile groups are in the firewall configuration context of the command line structure of settings.

Security profile groups serve the same purpose as other groups, such as Address, Service, and VIP groups: they save time and effort in administering the FortiGate when many policies follow a similar pattern of security profile use. In a fairly basic network setup with a handful of policies, setting up groups of security profiles may not seem worth the effort. In a large, complex configuration with hundreds of policies, many of which use the same security profiles, groups can save effort and help prevent an important profile from being left off a policy. As an added benefit, when it comes time to add or change the profiles for the policies that use a security profile group, the change only has to be made to the group, not to each policy.

The most difficult part about using security profile groups is making them visible in the GUI.
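The audit below is an added example, not Fortinet code: it scans a firewall policy export for profile sets repeated across policies (candidates for a profile group) and for policies that carry only part of such a set, the "missed profile" case described above. The sample config is constructed, the function names are hypothetical, and only the FortiOS policy settings `av-profile`, `webfilter-profile`, `ips-sensor`, `application-list`, `profile-type` and `profile-group` are assumed.

```python
import re
from collections import defaultdict

# Profile settings a policy can set individually or inherit from a profile group.
PROFILE_KEYS = ("av-profile", "webfilter-profile", "ips-sensor", "application-list")

# Constructed sample in the style of `show firewall policy` output (not from the page).
SAMPLE = """
config firewall policy
    edit 1
        set av-profile "default"
        set ips-sensor "default"
    next
    edit 2
        set av-profile "default"
    next
    edit 3
        set av-profile "default"
        set ips-sensor "default"
    next
    edit 4
        set profile-type group
        set profile-group "web-egress"
    next
end
"""

def parse_policies(text):
    """Return {policy_id: {setting: value}} for each `edit N` block."""
    policies, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"edit (\d+)", line):
            current = policies.setdefault(int(m.group(1)), {})
        elif line == "next":
            current = None
        elif current is not None and (m := re.fullmatch(r"set (\S+) (.+)", line)):
            current[m.group(1)] = m.group(2).strip('"')
    return policies

def audit(policies):
    """Return (repeated profile sets -> policy IDs, policy ID -> settings it lacks)."""
    by_set = defaultdict(list)
    for pid, cfg in policies.items():
        if cfg.get("profile-type") != "group":  # skip policies already using a group
            by_set[frozenset((k, cfg[k]) for k in PROFILE_KEYS if k in cfg)].append(pid)
    shared = {s: ids for s, ids in by_set.items() if s and len(ids) > 1}
    gaps = {pid: sorted(k for k, _ in full - s) for s, ids in by_set.items()
            for full in shared if s and s < full for pid in ids}
    return shared, gaps
```

On the sample, policies 1 and 3 share one profile set, and policy 2 is reported as lacking `ips-sensor` relative to that set.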