What's the difference between "firewall policies" and "security profiles" on FortiGate?

Clarifying the difference between some popular FortiGate terms.

💡
This is part of an on-going series in cybersecurity foundations. Check the cyber 101 article tag index from time to time for more content.

For today's topic, I'd like to clarify the differences between "firewall policies" and "security profiles" on FortiGates. I often hear these terms used interchangeably, and that's not quite correct. Let's break it down...

Firewall policies (sometimes called "security policies") determine what traffic is allowed to pass through the FortiGate device. Think of firewall policies as traffic directors -- they decide whether a specific flow of network traffic is allowed or denied.

Firewall policies are primarily focused on the "who, what, where, when" of the data that's trying to go through. I mentioned this in another article, but some examples of objects used for matching include:

  • Source address
  • Destination address
  • Services (ports and protocols)
  • Schedule

That's all well and good, but what about security profiles? How are they different?

Security profiles go deeper. They are inspection engines that run within a firewall policy once a flow has been provisionally allowed. They define what to look for during deeper inspection and analysis: things like threats, vulnerabilities, and compliance violations. Examples of security profiles include:

  • Antivirus (AV)
  • Web Filtering
  • Intrusion Prevention System (IPS)
  • Application Control
  • DNS Filter
  • Etc.

OK, but this raises a question: why would the firewall wait until the traffic has been provisionally allowed before inspecting it? One reason: efficiency. Deep analysis of network traffic is resource intensive. If the firewall can cheaply block or dismiss some traffic before doing anything intensive, it saves time and CPU cycles.
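To make the two concepts concrete, here is an added FortiOS CLI example (my own illustration, not configuration from this article or from Fortinet's documentation) that ties the "who, what, where, when" matching objects from the list above to the security profiles listed afterwards. The interface names (port1, port2), the 10.0.10.0/24 subnet, the object names and the use of the built-in "default" profiles are assumptions chosen for illustration; substitute your own.

```fortios
# Added example, not from the article. Address object: the "who/where" part of the match.
config firewall address
    edit "LAN-Users"
        set subnet 10.0.10.0 255.255.255.0
    next
end

# Added example. Recurring schedule: the "when" part of the match.
config firewall schedule recurring
    edit "Business-Hours"
        set day monday tuesday wednesday thursday friday
        set start 08:00
        set end 18:00
    next
end

# Added example. The firewall policy itself.
# Everything down to "set action" decides whether a flow is allowed at all.
# The utm-status and *-profile lines attach security profiles, which only
# inspect traffic this policy has already accepted.
config firewall policy
    edit 10
        set name "LAN-to-Internet-Web"
        set srcintf "port2"                # assumed LAN-side interface
        set dstintf "port1"                # assumed WAN-side interface
        set srcaddr "LAN-Users"            # who
        set dstaddr "all"                  # where
        set service "HTTP" "HTTPS"         # what (ports and protocols)
        set schedule "Business-Hours"      # when
        set action accept
        set nat enable
        set utm-status enable              # turn on security-profile inspection
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"           # Antivirus
        set webfilter-profile "default"    # Web Filtering
        set ips-sensor "default"           # Intrusion Prevention
        set application-list "default"     # Application Control
        set dnsfilter-profile "default"    # DNS Filter
        set logtraffic all                 # log both allowed and UTM-blocked sessions
    next
end
```

Note that the profile settings only make sense on a policy whose action is accept: a deny policy drops the flow at the matching stage, so there is nothing left for AV, web filtering or IPS to inspect, which is exactly the ordering described above. Setting logtraffic to all is worth doing on inspected policies so that sessions the profiles block (rather than the policy) still show up in the logs.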

💡
I'm describing the general flow in high-level terms. Technically speaking though, FortiGates have some optimized flows and parallel-processing logic at deeper parts in the workflow/architecture. That's a little out of scope for this article so let's save that topic for another day.

Sometimes analogies can help. Let's consider something like airport security. Firewall policies are like the initial boarding pass check. The agent confirms that you have a valid ticket for a specific flight, that your destination is allowed, and that you're at the correct terminal. If any of those pre-checks fails, there's no need to proceed further. Security profiles are like the security checkpoint after the boarding pass check. At this point in the journey, preliminary access looks fine, so now your belongings are inspected (x-rayed, etc.) for anything of concern.

For more information on the topic, check out these resources:

Firewall policy | Administration Guide
Security Profiles | Administration Guide
Address objects | Administration Guide