NGFW policy-based mode


You can operate your FortiGate or individual VDOMs on your FortiGate in Next Generation Firewall (NGFW) policy-based mode when you select flow-based inspection. In the new FortiOS 5.6 NGFW policy-based mode, you can add applications and web filtering categories directly to a policy without having to first create and configure Application Control or Web Filtering profiles. If a URL category is set, the applications that are added to the policy must be within the browser-based technology category.

Switching NGFW mode from Profile-based to Policy-based converts your profile-based security policies to Policy-based security policies. If you don’t want this to happen, or you just want to experiment with Policy-based NGFW mode, consider creating a new VDOM for Policy-based NGFW mode. You could also back up your configuration before switching modes.

NGFW policy-based firewall policies may have unintended consequences for the passing or blocking of traffic. For example, if you add new firewall policies that are designed to DENY social media traffic based on applications or URLs, having a traditional “catch all” firewall policy to DENY all other traffic at the bottom of the firewall policy list may have the unintended consequence of blocking legitimate traffic.

NGFW policy-based mode applies the NAT settings from matching Central SNAT policies. If you don’t already have a Central SNAT policy in place, you will have to create one.

This recipe demonstrates a basic configuration of blocking Facebook using the new NGFW policy-based mode.

1. Configuring your FortiGate for NGFW policy-based mode

Go to the System > Settings page and scroll down to Operations Settings. Select Flow-based Inspection Mode.

Select Policy-based as the NGFW mode.

Select an SSL/SSH Inspection certificate.


2. Creating a Central SNAT Policy

Under Policy & Objects, go to Central SNAT and select Create New.

Set Incoming Interface to the local network interface. Set Outgoing Interface to your Internet-facing interface.

Set IP Pool Configuration to Use Outgoing Interface Address and Protocol to ANY.


3. Creating an IPv4 policy to block Facebook

Go to Policy & Objects > IPv4 and create a new policy.

Set Incoming Interface to the local network interface. Set Outgoing Interface to your Internet-facing interface.


Under Application, click on the plus sign. Type Facebook in the search field.



Add all the Facebook applications to the policy. Set the Action to DENY.

Enable Log Violation Traffic to see results later. You can disable this feature later to conserve network resources.

4. Ordering the policy table

Go to Policy & Objects > IPv4 Policy to view the policy table.

For traffic to match the intended policy, the table must be arranged so that the more specific policies are located at the top, above the general ones.


To rearrange the policies, select the column on the far left (in the example, Seq.#) and drag the policy to the desired position.
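The same four steps expressed in the FortiOS CLI, as an added example that is not part of the original recipe. Interface names "internal" and "wan1", policy IDs 1 and 2, and the placeholder `<facebook-app-ids>` are assumptions; the command syntax is as I recall it for FortiOS 5.6, so verify it against your firmware's CLI reference.

```fortios
# 1. Flow inspection, NGFW policy-based mode, and the VDOM-level SSL/SSH
#    inspection profile (policy-based mode sets it here, not per policy).
#    "certificate-inspection" is a built-in profile name.
config system settings
    set inspection-mode flow
    set ngfw-mode policy-based
    set ssl-ssh-profile "certificate-inspection"
end

# 2. Central SNAT policy. Leaving nat-ippool unset is the CLI form of
#    "Use Outgoing Interface Address"; protocol 0 is ANY.
config firewall central-snat-map
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set orig-addr "all"
        set dst-addr "all"
        set protocol 0
    next
end

# 3. Deny policy that carries the applications directly, with no
#    Application Control profile. Replace <facebook-app-ids> with the
#    numeric signature IDs the GUI's Application selector lists for
#    "Facebook" (space-separated). "logtraffic all" on a deny policy is
#    the CLI form of Log Violation Traffic.
config firewall policy
    edit 2
        set name "Block-Facebook"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set application <facebook-app-ids>
        set logtraffic all
    next
    # 4. Ordering: the specific deny policy must sit above the general
    #    allow policy (assumed to be policy ID 1), or it never matches.
    move 2 before 1
end
```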

5. Results

Browse to Facebook. Your connection will time out.

Go to FortiView > Threats.

You can see the traffic blocked by the firewall policy.


For further reading, check out What’s New in FortiOS 5.6 and Central SNAT in the FortiOS 5.6 Handbook.

Judith Haney

Technical Writer at Fortinet
Judith Haney is a Technical Writer on the FortiOS technical documentation team. She graduated with honours from Algonquin College's Technical Writer program in September 2014. In a previous lifetime, Judith earned degrees in Mathematics (B.S.) and French literature (M.A.).
NGFW profile-based mode operates like the standard flow mode under FortiOS 5.4.