Security Profiles are critical for protecting your network from various threats. Below is a step-by-step guide for each aspect of Security Profiles.
Web filtering allows administrators to control access to web content by blocking malicious or inappropriate websites.
Category-Based Filtering:
FortiGate uses FortiGuard services to classify websites into categories (e.g., Gambling, Social Media, Malware).
Steps to enable:
```
config webfilter profile
    edit <profile_name>                      # e.g., Office_Web_Filter
        config ftgd-wf
            config filters
                edit 1
                    set category <category_id>   # e.g., 52 (Gambling)
                    set action block
                next
            end
        end
    next
end
```
URL Filtering:
Block or allow specific URLs or patterns. The URL filter table is then referenced from the web filter profile with set urlfilter-table 1 under config web:
```
config webfilter urlfilter
    edit 1
        set name "Blocked_URLs"
        config entries
            edit 1
                set url <website_URL>   # e.g., www.example.com
                set type wildcard       # match partial URLs
                set action block
            next
        end
    next
end
```
Inspection Mode (Flow-Based or Proxy-Based):
Flow-based inspection scans traffic as it passes and is faster; proxy-based inspection buffers content for deeper analysis (see the flow vs. proxy comparison later in this guide). Configure the mode:
```
config webfilter profile
    edit <profile_name>
        set inspection-mode <flow|proxy>   # FortiOS 6.0 syntax
    next
end
```
In FortiOS 6.2 and later the inspection mode is selected on the firewall policy (set inspection-mode under config firewall policy), and from 6.4 the profile declares set feature-set <flow|proxy> instead.
Application Control identifies and manages applications on the network, even if they use non-standard ports.
Enable Application Control:
Create a new profile and enable deep application inspection, which identifies applications by signature rather than by port:
```
config application list
    edit <profile_name>   # e.g., App_Control_Profile
        set deep-app-inspection enable
    next
end
```
Block or Allow Specific Applications:
FortiGate uses a signature database to identify applications like Skype or BitTorrent.
```
config application list
    edit <profile_name>
        config entries
            edit 1
                set category <category_id>   # numeric category ID, e.g., the Social.Media category
                set action block
            next
        end
    next
end
```
Restrict specific features of an application (e.g., file sharing in Skype):
```
config application custom
    edit <app_signature_name>
        set protocol TCP
        set port 443
        set action deny
    next
end
```
The IPS module detects and prevents exploitation of vulnerabilities in real-time.
Enable IPS in a Security Profile:
Apply an existing IPS profile to a firewall policy (utm-status must be enabled on the policy, otherwise the sensor is ignored):
```
config firewall policy
    edit 1
        set utm-status enable
        set ips-sensor <sensor_name>   # e.g., Default
    next
end
```
Update IPS Database:
Ensure the IPS signature database is updated regularly:
```
execute update-now
```
Create custom signatures for unique threats using the FortiGate custom signature syntax (F-SBID), then add the signature to the IPS sensor referenced by the policy:
```
config ips custom
    edit <signature_name>
        set signature "F-SBID( --name \"Custom.Alert\"; --protocol tcp; --pattern \"malicious_string\"; --no_case; )"
        set action block
        set log enable
    next
end
```
SSL/SSH Inspection decrypts encrypted traffic (SSL/TLS or SSH) for threat inspection.
Enable SSL Inspection:
Create an SSL/SSH inspection profile with deep inspection on HTTPS:
```
config firewall ssl-ssh-profile
    edit <profile_name>
        config https
            set ports 443
            set status deep-inspection   # decrypt, inspect, and re-sign with the FortiGate CA
        end
        set server-cert-mode re-sign
    next
end
```
Apply the Profile to a Firewall Policy:
Attach the inspection profile to the relevant policy:
```
config firewall policy
    edit 1
        set ssl-ssh-profile <profile_name>
    next
end
```
Import or Generate Certificates:
Deep inspection re-signs server certificates with a CA held by the FortiGate (the built-in Fortinet_CA_SSL by default). Clients must trust that CA, so export it and install it in their trusted root certificate store, or generate your own CA certificate on the FortiGate:
```
config vpn certificate local
    edit <certificate_name>
        set key-size 2048
        set common-name <FortiGate>
    next
end
```
FortiGate provides robust antivirus and anti-malware capabilities to detect and prevent threats in traffic.
Enable FortiSandbox:
Forward suspicious files to FortiSandbox for deeper inspection:
```
config system fortisandbox
    set status enable
    set server <FortiSandbox_IP>
end
config antivirus profile
    edit <profile_name>
        set inspection-mode proxy       # 'set feature-set proxy' in FortiOS 6.4 and later
        set ftgd-analytics suspicious   # FortiOS 6.x: forward files flagged as suspicious
    next
end
```
Monitor FortiSandbox Results: verdicts for forwarded files are returned to the FortiGate and appear in its antivirus logs.
DLP identifies and prevents unauthorized transmission of sensitive data.
Enable DLP Profile:
Define a DLP sensor (it is applied to firewall policies with set dlp-sensor):
```
config dlp sensor
    edit <sensor_name>
        config filter
            edit 1
                set name "Credit Card Numbers"
                set proto http-post smtp   # protocols the filter applies to
                set filter-by credit-card
                set action block
            next
        end
    next
end
```
Customize Patterns:
Add custom patterns for proprietary data:
```
config dlp sensor
    edit <sensor_name>
        config filter
            edit 2
                set name "Custom Pattern"
                set proto http-post smtp
                set filter-by regexp
                set regexp "Confidential|Internal Only"
                set action block
            next
        end
    next
end
```
Threshold Configuration:
Block or log based on predefined thresholds:
```
config dlp sensor
    edit <sensor_name>
        set threshold 100   # Block after 100 matches
    next
end
```
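To see what the two filters above actually match, here is an added Python simulation of the sensor (not FortiOS code): the credit-card filter pairs a digit-run regex with a Luhn check so that arbitrary 16-digit strings are not blocked, the custom filter uses the regex from the sensor, and the match threshold decides between log and block. How FortiOS itself validates card numbers is not documented here, so the Luhn step and the threshold semantics are this example's assumptions; the sample messages are constructed.

```python
"""Simulate the DLP sensor filters above (added example, not FortiOS code)."""
import re

PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")        # 13-19 digits, optional separators
CUSTOM_RE = re.compile(r"Confidential|Internal Only")  # custom pattern from the sensor above

def luhn_ok(digits):
    """Luhn checksum (assumed here); most random digit runs that a bare regex flags fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(text):
    """Return candidate card numbers (separators stripped) that pass the Luhn check."""
    digits = (re.sub(r"[ -]", "", m.group()) for m in PAN_RE.finditer(text))
    return [d for d in digits if luhn_ok(d)]

# Mirrors 'config filter' entries 1 and 2 of the sensor: (filter name, matcher).
FILTERS = (("Credit Card Numbers", find_card_numbers), ("Custom Pattern", CUSTOM_RE.findall))

def dlp_scan(message, threshold=1):
    """Return (action, matches): 'block' once matches reach the threshold, 'log' below it, else 'pass'."""
    matches = [(name, hit) for name, matcher in FILTERS for hit in matcher(message)]
    if not matches:
        return ("pass", [])
    return ("block" if len(matches) >= threshold else "log", matches)
```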
Enable Alerts:
Notify administrators of violations. The SMTP server is defined under config system email-server and the recipients under config alertemail setting:
```
config system email-server
    set server <SMTP_Server_IP>
    set reply-to <Email_Address>
end
config alertemail setting
    set username <Email_Address>
    set mailto1 <Admin_Email>
end
```
While Security Profiles such as Web Filter, Application Control, Antivirus, and IPS are configured independently, they only take effect when applied to a firewall policy. Understanding how this binding works is essential for both deployment and exam success.
Profiles define what to inspect, but firewall policies define when and how to inspect.
Without linking a Security Profile to a policy, it has no effect.
Frequently tested on the exam (e.g., “Which command applies an IPS sensor to a policy?”).
```
config firewall policy
    edit 1
        set name "Secure_Internet_Access"
        set srcintf "port3"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set webfilter-profile "Office_Web_Filter"
        set application-list "App_Control_Profile"
        set antivirus-profile "AV_Profile"
        set ips-sensor "Default"
        set ssl-ssh-profile "SSL_Inspect_Profile"
        set logtraffic all
        set nat enable
    next
end
```
Each set ...-profile command binds a profile to the policy, and set utm-status enable activates the bound profiles so that traffic matching the policy is inspected for threats or violations.
Enabling logging within Security Profiles is crucial for visibility, analysis, and compliance. FortiAnalyzer and other monitoring tools rely on this data for reporting and alerting.
Without logging, blocked or inspected events are invisible.
Logging supports forensic analysis and helps troubleshoot policies.
Frequently assessed on the exam in context of FortiAnalyzer or event detection.
Web Filtering (log all visited URLs):
```
config webfilter profile
    edit "Office_Web_Filter"
        set log-all-url enable
    next
end
```
Application Control (log application usage or blocking):
```
config application list
    edit "App_Control_Profile"
        config entries
            edit 1
                set application <app_id>   # numeric signature ID of the application, e.g., Skype
                set action block
                set log enable
            next
        end
    next
end
```
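The profile-binding rules above and the logging requirement can be checked offline against saved 'show firewall policy' output. The following Python script is an added example, not FortiOS or Fortinet code: it parses the policy blocks and flags accept policies with unbound profiles, profiles configured without utm-status enable, no SSL/SSH profile, or logging disabled. The sample configuration is constructed; policy 1 mirrors the policy in this guide and policy 2 is deliberately mis-bound.

```python
"""Audit FortiOS 'show firewall policy' output for profile-binding and logging gaps (added example)."""
import shlex

PROFILE_KEYS = ("webfilter-profile", "application-list", "antivirus-profile", "ips-sensor")

# Constructed sample: policy 1 mirrors the policy in this guide, policy 2 is mis-bound.
SAMPLE_CONFIG = """
config firewall policy
    edit 1
        set action accept
        set utm-status enable
        set webfilter-profile "Office_Web_Filter"
        set application-list "App_Control_Profile"
        set antivirus-profile "AV_Profile"
        set ips-sensor "Default"
        set ssl-ssh-profile "SSL_Inspect_Profile"
        set logtraffic all
    next
    edit 2
        set action accept
        set webfilter-profile "Office_Web_Filter"
        set logtraffic disable
    next
end
"""

def parse_policies(text):
    """Return {policy_id: {key: [values]}} for each edit block under 'config firewall policy'."""
    policies, current, in_policy = {}, None, False
    for raw in text.splitlines():
        tokens = shlex.split(raw) or [""]
        if tokens[:3] == ["config", "firewall", "policy"]:
            in_policy = True
        elif in_policy and tokens[0] == "edit":
            current = policies.setdefault(tokens[1], {})
        elif in_policy and tokens[0] == "set" and current is not None:
            current[tokens[1]] = tokens[2:]  # multi-value keys keep every token
        elif tokens[0] in ("next", "end"):
            current, in_policy = None, in_policy and tokens[0] != "end"
    return policies

def audit_policy(policy):
    """Return findings for one parsed policy; deny policies bind no profiles and get none."""
    if policy.get("action", ["deny"])[0] != "accept":
        return []
    bound = [k for k in PROFILE_KEYS if k in policy]
    findings = ["unbound: " + k for k in PROFILE_KEYS if k not in policy]
    if bound and policy.get("utm-status", ["disable"])[0] != "enable":
        findings.append("utm-status not enabled: bound profiles are inactive")
    if bound and "ssl-ssh-profile" not in policy:
        findings.append("no ssl-ssh-profile: encrypted traffic bypasses the profiles")
    if policy.get("logtraffic", ["utm"])[0] == "disable":  # 'utm' is the FortiOS default
        findings.append("logtraffic disable: inspected events are not logged")
    return findings
```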
Different Security Profiles operate in either flow-based or proxy-based modes, or both. Knowing which mode supports what is frequently tested, especially with regard to deep inspection or performance needs.
Proxy mode provides full content buffering and advanced inspection but uses more resources.
Flow mode is faster and lightweight, suitable for high-throughput networks.
Some features are only available in proxy mode (e.g., full SSL inspection).
| Profile Type | Flow Mode Support | Proxy Mode Support | Notes |
|---|---|---|---|
| Web Filter | Y | Y | Proxy enables deeper content analysis |
| Application Control | Y | N | Works only in flow mode |
| Antivirus | Y | Y | Proxy offers full file scanning |
| IPS | Y | N | Designed as flow-based for inline performance |
| SSL Inspection | Y | Y | Proxy supports full SSL decryption and re-encrypt |
FortiGuard Services provide real-time threat intelligence and updates for Security Profiles such as Web Filter, IPS, and Antivirus.
Without updated signatures, profiles cannot detect new threats.
Misconfigured or disconnected FortiGuard results in reduced protection.
Common exam questions involve updating failure consequences or CLI triggers.
Enable and configure FortiGuard services:
```
config system fortiguard
    set webfilter-force-off disable
    set antispam-force-off disable
    set update-server-location automatic
end
```
Manually trigger updates:
```
execute update-now
```
This forces the FortiGate to contact FortiGuard and download the latest signatures.
While CLI is the primary exam focus, GUI-based questions may appear, often referencing menu paths or screenshots.
Web Filter: Security Profiles > Web Filter > Create New
Attach Profile to Policy: Policy & Objects > IPv4 Policy > Edit > Security Profiles Tab
Antivirus, IPS, etc.:
Located under Security Profiles menu for profile creation and assignment.
Understanding where to find and apply settings in the GUI strengthens exam readiness and practical use.
| Topic | Why It Matters | Example or CLI Support |
|---|---|---|
| Profile Binding to Policy | Profiles must be linked to policies to be effective | set webfilter-profile, etc. |
| Logging in Profiles | Enables visibility and FortiAnalyzer analysis | set log-all-url, set log enable |
| Flow vs. Proxy Mode | Impacts inspection depth and performance | Know which profiles support which modes |
| FortiGuard Update Mechanism | Ensures up-to-date protection; required for many features | execute update-now |
| GUI Path Awareness | May be asked in GUI image-based questions | Security Profiles > Web Filter, etc. |
Why do users see certificate warnings after enabling SSL deep inspection on FortiGate?
The firewall presents its own certificate to decrypt HTTPS traffic, which may not be trusted by client devices.
SSL deep inspection allows FortiGate to decrypt encrypted HTTPS traffic so security profiles such as antivirus, IPS, and web filtering can inspect the content. To accomplish this, the firewall intercepts the TLS session and generates a new certificate signed by its own certificate authority. If the client device does not trust the FortiGate CA certificate, the browser displays a security warning. To resolve this issue, administrators must install the FortiGate CA certificate in the trusted root certificate store of client devices. Without this step, users will continue to receive certificate warnings when accessing encrypted websites.
Demand Score: 90
Exam Relevance Score: 92
Why might IPS block legitimate traffic in a FortiGate deployment?
False positives occur when IPS signatures incorrectly identify legitimate traffic as malicious.
Intrusion Prevention System (IPS) signatures detect patterns associated with known attacks. However, some signatures may match legitimate traffic patterns, resulting in false positives. This can cause applications or services to be blocked unexpectedly. Administrators should review IPS logs to identify the triggered signature and determine whether it represents a real threat. If the traffic is legitimate, the signature can be disabled or modified within the IPS profile. Proper tuning of IPS profiles helps balance security protection with network usability.
Demand Score: 80
Exam Relevance Score: 87
Why is SSL inspection considered critical for modern network security?
Because a large portion of internet traffic is encrypted and cannot be inspected without decryption.
Most web applications and services use HTTPS encryption to protect data privacy. While encryption improves security, it also hides malicious content from traditional security inspection methods. Without SSL inspection, threats such as malware downloads, command-and-control communication, and data exfiltration can occur inside encrypted sessions. SSL inspection allows the firewall to decrypt traffic, analyze it using security profiles, and then re-encrypt it before forwarding it to the destination. This capability enables comprehensive threat detection while maintaining secure communications.
Demand Score: 77
Exam Relevance Score: 90
What advantage is gained by combining web filtering and application control in a firewall policy?
It provides multiple layers of security enforcement for both websites and application behavior.
Web filtering categorizes websites and blocks or allows access based on content categories such as social media, malware sites, or adult content. Application control identifies specific applications regardless of the port or protocol used. When these two security profiles are applied together, the firewall can enforce policies that control both web destinations and application usage. This layered approach improves security visibility and helps enforce organizational policies regarding acceptable network usage.
Demand Score: 73
Exam Relevance Score: 86
What is the role of security profiles in FortiGate firewall policies?
Security profiles provide advanced threat protection beyond basic firewall filtering.
Traditional firewall policies control traffic based on IP addresses, ports, and protocols. Security profiles extend this capability by inspecting traffic for threats and enforcing content policies. Examples include antivirus scanning, IPS detection, web filtering, application control, and SSL inspection. When attached to a firewall policy, these profiles analyze traffic that matches the policy and apply security rules accordingly. This allows FortiGate devices to function as next-generation firewalls that provide deep security inspection and threat prevention.
Demand Score: 71
Exam Relevance Score: 88