Security profiles

Security profiles define what to inspect in the traffic that the FortiGate is passing. When traffic matches the profile, it is either allowed, blocked, or monitored (allowed and logged).

The protection that a profile provides, and the information that it monitors, can be configured to your requirements, but increased inspection uses more of the FortiGate's resources. Assess which traffic your policies match, and then apply the necessary level of protection. You might consider implementing denial of service (DoS) security policies to detect and drop illegitimate traffic before it reaches the more resource-intensive security profiles (see Denial of service for more information).

Security profiles can use flow or proxy mode inspection. Apply flow mode inspection to policies that prioritize traffic throughput, and proxy mode when thoroughness is more important than performance. Under normal traffic conditions, the throughput difference between the two modes is insignificant. For resource optimization, using one mode uniformly across all of the policies is recommended.

Each security profile generates its own log type that contains some log fields that are not present in other logs. This can be important when reviewing or analyzing the logs to assess or troubleshoot user traffic. For example, if no web filtering is applied, then you will not have insight or control of users' browsing information.

The following table lists some basic examples of how a security profile could be used on an edge FortiGate, where inbound traffic goes from the internet to an internal resource using a VIP, and outbound traffic goes from your network to an internet resource:

Security profile | Inbound traffic | Outbound traffic
--- | --- | ---
Antivirus (1) | Protect external resources from malware, such as HTTP PUT requests or FTP uploads. | Scan requested user traffic for malware.
Web filter | Not usually applied to inbound traffic. | Monitor and block user web traffic based on categories and domains.
Video filter | Not usually applied to inbound traffic. | Monitor and restrict YouTube videos based on categories or channels.
DNS filter | Not usually applied to inbound traffic. | Monitor and filter DNS lookups based on domain ratings. Block requests for known compromised domains.
Application control | Make sure that specific protocols are used to access specific ports. For example, only allow SSH traffic to be sent and received over port 22. | Monitor and filter applications on any port.
Intrusion prevention | Protect external services from known exploits and protocol anomalies. | Block connections to botnet sites.
File filter | Prevent uploading files based on the file type and the protocol that is used. | Prevent downloading files based on the file type and the protocol that is used.
Email filter | Perform spam detection and filtering. | Prevent specific IP addresses or subnets from sending and receiving email messages. Block messages that contain specific words.
Data leak prevention | Prevent sensitive data from entering your network. | Prevent sensitive data, such as credit card numbers or SSNs, from leaving your network.
VoIP | Allow SIP and SCCP traffic, and protect your network from SIP and SCCP based attacks. | Secure clients that are connecting to external SIP servers.
ICAP | Offload tasks to separate, specialized servers. | Offload tasks to separate, specialized servers.
Web application firewall | Detect and block known web application attacks, such as SQL injection, XSS, and known exploits. | Not usually applied to outbound traffic.

(1) Antivirus profiles can submit files to FortiSandbox for further inspection. This enables the detection of zero-day malware, and threat intelligence that is learned from submitted malicious and suspicious files supplements the FortiGate's antivirus database and protection with the Inline Block feature (see Understanding Inline Block feature).

Opened ports for Authentication Override in Web Filter Replacement Messages

When a firewall policy is configured with a web filter, antivirus, application control, or another UTM security profile, the policy may open one or more of ports 8008, 8010, 8015, or 8020 for authentication override and for retrieving the data used in replacement messages, depending on the inspection mode.

When such a port is open and you try to access it over HTTP, you may observe one of the following behaviors:

  • FortiGate replies and then redirects to the port with a block message.

  • FortiGate sends a TCP RST to close the connection.

  • FortiGate doesn’t respond.

  • FortiGate does a TCP 3-way handshake, then sends a FIN to close the connection.

Traffic does not leak through the policy. However, in some scenarios, such as scanning the FortiGate for open ports as part of a PCI compliance test, the open port may cause the test case to fail.

To work around the issue, you can close the above ports by doing the following:

config webfilter fortiguard
    set close-ports enable
end

Note: when close-ports is enabled:

  • FortiGuard web filter actions Warning and Authenticate in proxy and flow inspection mode will not work.

  • The Allow users to override blocked categories option will not work.

  • The replacement message will not display the Fortinet logo.

FortiGuard and Local URL Filter blocking will not be affected.

When VDOMs are enabled, edit the setting in the global configuration:

config global
    config webfilter fortiguard
        set close-ports enable
    end
end

For application control, use the following to disable replacement messages and, with them, the use of port 8008:

config application list
    edit <list>
        set app-replacemsg disable
    next
end

If moving the override ports to high ephemeral ports is acceptable instead of closing them, the ports can be changed as follows:

  • Default:

    config webfilter fortiguard
        set ovrd-auth-port-http 8008
        set ovrd-auth-port-https 8010
        set ovrd-auth-port-https-flow 8015
        set ovrd-auth-port-warning 8020
    end

  • Update:

    config webfilter fortiguard
        set ovrd-auth-port-http <high port>
        set ovrd-auth-port-https <high port>
        set ovrd-auth-port-https-flow <high port>
        set ovrd-auth-port-warning <high port>
    end
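After applying close-ports (or moving the ports), a practitioner will want to confirm from the scanner's side that the four override ports no longer answer. The following is an added example, not Fortinet's code or any part of this documentation: it TCP-connects to each port on a FortiGate address you supply, sends a minimal HTTP request, and reports which of the behaviors listed above it observed (refused, no response, RST, FIN, or an HTTP block page). The address is an assumption you pass in; the port-to-setting mapping comes from the page.

```python
import socket

# Override / replacement-message ports named on the page, keyed by the
# "config webfilter fortiguard" setting that controls each one.
OVERRIDE_PORTS = {
    8008: "ovrd-auth-port-http",
    8010: "ovrd-auth-port-https",
    8015: "ovrd-auth-port-https-flow",
    8020: "ovrd-auth-port-warning",
}

def classify(event, reply=b""):
    """Map a probe outcome onto the behaviours the page lists for these ports."""
    fixed = {
        "refused": "closed: RST to SYN (close-ports in effect)",
        "unreachable": "no response to SYN (dropped or filtered)",
        "reset": "open: handshake completed, then TCP RST",
        "eof": "open: handshake completed, then FIN without data",
        "silent": "open: handshake completed, no reply before timeout",
    }
    if event in fixed:
        return fixed[event]
    if reply.startswith(b"HTTP/"):
        return "open: HTTP reply (block page or redirect)"
    return "open: non-HTTP reply"

def probe(host, port, timeout=3.0):
    """TCP-connect one port and send a minimal HTTP request, as a PCI scanner would."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return classify("refused")
        except OSError:                      # connect timeout, no route, ...
            return classify("unreachable")
        try:
            s.sendall(b"GET / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
            reply = s.recv(512)
        except (ConnectionResetError, BrokenPipeError):
            return classify("reset")
        except OSError:                      # recv timeout: open but silent
            return classify("silent")
        return classify("eof" if reply == b"" else "data", reply)

def audit(host, ports=OVERRIDE_PORTS, timeout=3.0):
    """Probe every override port; after close-ports, none should report 'open'."""
    return {port: probe(host, port, timeout) for port in ports}
```

Run audit("<fortigate-address>") from the host the compliance scanner uses, so that the result reflects the same policy path the scanner will take.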
