FortiGate NGFW Modes

Author

Piotr Kaluzny

Head Instructor

Nov 8, 2024

Fortinet’s FortiGate firewall offers a feature called NGFW mode (Next-Generation Firewall mode), designed to make Firewall Policy administration more flexible and intuitive by offering advanced control options. There are two FortiGate NGFW modes available – administrators can choose between Profile-based and Policy-based modes, each with distinct configurations and capabilities.

To control the NGFW mode, go to System -> Settings and search for “System Operation Settings”:

Setting the NGFW Mode

Profile-based NGFW Mode

Profile-based mode is the traditional, widely used mode on FortiGate firewalls. In this mode, security features are set up as separate profiles — such as antivirus, web filtering, and application control — which are then applied to firewall policies (rules) as needed. Key characteristics of the Profile-based mode are as follows:

  • Security Profiles: Each security profile (like web filtering or antivirus) is created independently and linked to specific firewall policies. This setup keeps all security profile configuration separate from the policy definitions:
Security Profiles in Profile-based mode

  • NAT: Profile-based mode provides a lot of flexibility with NAT configurations. Administrators can choose between the traditional FortiOS NAT implementation (per firewall policy rule) and Central NAT (dedicated NAT policy table), depending on their personal preferences or the company’s security policy.
Firewall policy rule settings in Profile-based mode

  • Traffic Inspection Modes: Profile-based mode supports both Flow-based and Proxy-based traffic inspection in a granular fashion – per firewall policy rule. Flow-based inspection checks the traffic flow in real time and is generally faster, while proxy-based inspection allows more in-depth analysis but requires more processing power.
  • URL Category Filtering: Web Filter profiles in this mode control URL categories, allowing fine-grained access control for specific types of web content:
Web Filtering Profile in Profile-based mode

Policy-based NGFW Mode

Policy-based mode, introduced as a streamlined option, simplifies policy management by allowing administrators to directly apply some security features within each firewall policy, without the need for defining all security settings outside a given rule. This mode is often beneficial for organizations migrating from other firewall platforms or seeking more intuitive, centralized policy control. Key characteristics of the Policy-based mode are as follows:

  • Security Profiles: In Policy-based mode, Application Control and Web Filtering can be added directly to the security policy itself, without setting up separate security profiles. This means URL Categories and Application rules are defined at the policy level: the Application Control option disappears from the Security Profiles section, and although a Web Filter profile can still be attached, it offers limited options (note: all other profiles are *still* defined separately from the policy):
Firewall policy rule settings in Policy-based mode

Security Profiles in Policy-based mode

Web Filtering Profile in the Policy-based mode

  • Pre-Match Rules: SSL Inspection and Authentication settings are configured separately from the main security policies. This separation adds flexibility but requires that traffic match both a security policy and an SSL inspection/authentication policy to be allowed.
FortiGate Pre-Rules SSL Inspection and Authentication menu

  • NAT: Policy-based mode works exclusively with Central NAT (it enables it automatically), streamlining NAT policies but limiting some of the flexibility available in Profile-based mode.
FortiGate Central NAT menu

  • Traffic Inspection Modes: Deep inspection capabilities seem to be limited, since Proxy mode cannot be selected. The default Inspection Mode is Flow-based.
  • Other: In Policy-based mode, applications are allowed only on their default ports unless otherwise specified. Traffic on non-standard ports is blocked by default, with violations logged for security monitoring. Also, this mode allows administrators to run a given policy in “Learn Mode”, which effectively monitors and logs the traffic matching the rule for further analysis.
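The same intent expressed in both modes as FortiOS CLI, as an added example that is not from the original post. It assumes interface names port1/port2, the built-in profile names, and FortiOS 6.2+ CLI keywords (exact keywords vary by version); the <CATEGORY-ID> placeholders stand for application/URL category IDs looked up on your own unit, and lines starting with # are annotations.

```fortios
# Profile-based mode (the FortiOS default): profiles are separate objects referenced by
# the rule, and inspection mode plus NAT are chosen per firewall policy.
config firewall policy
    edit 10
        set name "lan-to-wan-profiles"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set action accept
        set inspection-mode proxy
        set nat enable
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "default"
        set application-list "default"
        set logtraffic all
    next
end

# Policy-based mode: application and URL-category criteria sit in the security policy
# itself; Central NAT is switched on automatically, so source NAT comes from
# 'config firewall central-snat-map', and SSL inspection/authentication is a separate
# pre-match entry under 'config firewall policy' (with ssl-ssh-profile) that the
# traffic must also match. Changing ngfw-mode affects existing policies; test it
# outside production first.
config system settings
    set ngfw-mode policy-based
end
config firewall security-policy
    edit 1
        set name "lan-to-wan-web"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set action accept
        set app-category <CATEGORY-ID>
        set url-category <CATEGORY-ID>
        set enforce-default-app-port enable
        set learning-mode disable
        set logtraffic all
    next
end
```

Setting learning-mode to enable turns the rule into the monitor-and-log “Learn Mode” described above, which is useful for baselining a policy before enforcing it.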

What NGFW mode should I choose?

The choice between NGFW modes depends mostly on personal administrative preferences and/or network deployment scenario:

  • Profile-based mode is ideal for environments requiring advanced customization, flexibility in inspection modes, and granular control over security profiles. It’s also beneficial for organizations with complex NAT needs and… some people say it is just less buggy 😊
  • Policy-based mode offers simplicity and is suited for those who want centralized NAT and easier policy management. It’s particularly helpful for organizations with simpler networks or for teams migrating from other firewall systems where Policy-based approaches are common.

Relevant Training

Check out our Traffic Control with FortiGate video series to learn more about FortiGate NGFW modes and other Firewall Policy related topics.

Overall, FortiGate’s NGFW mode options provide versatility to fit various network security demands, allowing administrators to tailor their firewall policies to balance between usability, performance, and security control.
