FortiGate Deep Inspection Security Profiles
Slide 1: Introduction to Security Profiles
Security Profiles are a set of advanced security features used in firewalls to inspect, monitor, and control network traffic. They provide an additional layer of protection by detecting and blocking cyber threats such as malware, viruses, ransomware, phishing attacks, and unauthorized access attempts. Security profiles analyze traffic at the application, content, and user levels to ensure that only safe and legitimate data passes through the network.
By applying security profiles to firewall policies, organizations can enhance their overall security posture, protect sensitive data, enforce security policies, and reduce the risk of cyberattacks. Security profiles are commonly used in enterprise networks, data centers, educational institutions, healthcare organizations, and financial institutions to maintain a secure and compliant environment.
Slide 2: Types of Security Profiles
- Antivirus Profile – Scans network traffic, files, and downloads to detect and block viruses, worms, trojans, and ransomware before they can infect systems and compromise business operations.
- Anti-Spyware Profile – Identifies and prevents spyware, keyloggers, botnets, and command-and-control communications that attackers use to steal sensitive information and gain unauthorized access.
- Vulnerability Protection Profile – Protects against known software vulnerabilities, exploits, buffer overflow attacks, and intrusion attempts by inspecting network traffic for malicious patterns and signatures.
- URL Filtering Profile – Controls user access to websites by blocking malicious, phishing, gambling, adult, or other inappropriate content that could introduce security risks to the organization.
- DNS Security Profile – Detects and blocks connections to malicious domains, prevents DNS tunneling attacks, and stops users from accessing known command-and-control servers used by cybercriminals.
- File Blocking Profile – Restricts the transfer of high-risk file types such as executable files, scripts, and unauthorized documents to reduce the risk of malware infections and data leaks.
- Data Filtering Profile – Monitors and prevents sensitive information such as customer records, financial data, passwords, and confidential documents from leaving the organization without authorization.
- SSL/TLS Inspection Profile – Decrypts and inspects encrypted traffic to identify hidden malware, phishing attempts, and other threats that may bypass traditional security controls.
Slide 3 - Antivirus (AV)
Antivirus (AV) is a security profile that scans, detects, blocks, and removes viruses, malware, trojans, worms, ransomware, and other malicious software before they can infect systems or compromise network security. It continuously monitors files, applications, email attachments, and network traffic to identify known threats using signature-based detection and advanced threat analysis techniques.
By inspecting incoming and outgoing traffic, an Antivirus profile helps prevent malware infections, protects sensitive data, and reduces the risk of system downtime caused by cyberattacks. In enterprise environments, Antivirus security profiles are commonly deployed on firewalls, endpoints, servers, and email gateways to provide real-time protection against evolving threats.
Key Functions of Antivirus (AV):
- Detects and Blocks Malware – Identifies viruses, trojans, worms, spyware, and other malicious software before they can infect systems or spread across the network.
- Provides Real-Time Protection – Continuously monitors files, applications, and network activity to stop threats immediately when they are detected.
- Scans Files and Email Attachments – Examines downloaded files, shared documents, and email attachments to prevent malware from entering the organization.
- Prevents Ransomware Attacks – Detects and blocks ransomware before it can encrypt files, disrupt operations, or demand payment from victims.
- Quarantines and Removes Threats – Automatically isolates infected files and removes malicious content to protect devices and sensitive business data
Example:
If an employee downloads an infected file from the internet, the Antivirus profile scans the file, detects the malware signature, and blocks or quarantine
Slide 4 - Web Filter
Web Filtering is a security profile that monitors, controls, and restricts access to websites based on predefined security policies and content categories. It helps organizations protect users from malicious websites, phishing attacks, malware downloads, and inappropriate online content by allowing or blocking access to specific web categories.
Web filtering analyzes web traffic in real time and enforces browsing policies to ensure employees access only safe and business-relevant websites. It improves security, enhances productivity, and helps organizations comply with regulatory requirements.
Key Functions of Web Filtering:
- Blocks Malicious Websites – Prevents users from accessing websites known to distribute malware, ransomware, spyware, or other cyber threats.
- Protects Against Phishing Attacks – Detects and blocks fraudulent websites designed to steal usernames, passwords, financial information, and sensitive data.
- Controls Access to Web Content – Restricts access to non-business-related or inappropriate websites such as gambling, adult content, and high-risk categories.
- Enforces Browsing Policies – Applies organizational internet usage policies to ensure secure and productive web access.
- Monitors and Logs User Activity – Tracks website usage and generates reports to improve visibility, compliance, and security management.
Example:
If an employee clicks on a phishing link in an email, the Web Filtering profile identifies the malicious website category and blocks access before the user can enter credentials or download harmful content.
Slide 5 - DNS Filter
DNS Filtering is a security profile that protects users and networks by inspecting DNS requests and blocking access to malicious, phishing, malware, and unauthorized domains before a connection is established. It acts as the first line of defense by preventing users from reaching harmful websites and command-and-control servers used by cybercriminals.
DNS filtering helps organizations improve security, enforce internet usage policies, and reduce the risk of malware infections, data breaches, and phishing attacks.
Key Functions of DNS Filtering:
- Blocks Malicious Domains – Prevents users from accessing known malware, ransomware, and phishing websites.
- Stops Command-and-Control Communication – Blocks infected devices from communicating with attacker-controlled servers.
- Prevents DNS-Based Attacks – Detects and blocks suspicious DNS queries, tunneling, and other DNS-related threats.
- Enforces Internet Usage Policies – Restricts access to unauthorized or inappropriate websites based on organizational policies.
- Provides Real-Time Threat Protection – Uses continuously updated threat intelligence to identify and block newly discovered malicious domains.
Example:
If a user clicks a malicious phishing link, the DNS Filtering profile checks the domain against threat intelligence databases and blocks the DNS request before the website can load, preventing credential theft and malware infection.
Slide 6 - Content Filtering
Content Filtering is a security profile that monitors and controls the transfer of files and sensitive information across the network. It helps organizations prevent data leakage, block unauthorized file transfers, and enforce security policies by inspecting web traffic, email attachments, and file uploads/downloads.
Key Functions of Content Filtering:
- Blocks Unauthorized File Types – Restricts the transfer of high-risk files such as .exe, .bat, .vbs, .zip, .rar, and other executable files that may contain malware.
- Controls Document Sharing – Monitors and filters sensitive document formats such as .pdf, .doc, .docx, .xls, and .xlsx to prevent unauthorized data sharing.
- Manages Media File Transfers – Allows or blocks media files such as .mp3, .mp4, .wav, and .avi based on organizational policies.
- Prevents Data Leakage – Detects and blocks confidential information from being transmitted outside the organization.
- Enforces Security Policies – Ensures only approved file types and content can be uploaded, downloaded, or shared.
Example:
A company may block .exe files to prevent malware infections, allow .pdf files for business documents, and restrict .mp3 downloads to reduce bandwidth usage and improve productivity.
Slide 7 - Application Control
Application Control is a security profile that identifies, monitors, and controls the applications running on a network. Instead of relying only on ports and protocols, it recognizes specific applications and allows organizations to permit, restrict, prioritize, or block them based on security and business requirements.
Application Control helps prevent unauthorized application usage, reduces security risks, improves productivity, and ensures that network resources are used for legitimate business purposes.
Key Functions of Application Control:
- Identifies Network Applications – Detects applications such as Facebook, YouTube, WhatsApp, Zoom, BitTorrent, and Microsoft Teams regardless of the port being used.
- Blocks Unauthorized Applications – Prevents the use of high-risk, non-business, or potentially dangerous applications that may introduce security threats.
- Controls Application Usage – Allows, blocks, or limits applications based on users, groups, departments, or security policies.
- Reduces Security Risks – Prevents malware, unauthorized remote-access tools, and risky applications from compromising the network.
- Optimizes Network Performance – Prioritizes business-critical applications while limiting bandwidth-intensive applications such as video streaming and file-sharing services.
Example:
A company may allow Microsoft Teams, Zoom, and Office 365 for business communication, while blocking BitTorrent, unauthorized remote-access tools, online gaming applications, and non-business streaming services to improve security and productivity.
OR
Application Control is a Layer 7 (Application Layer) security profile that identifies, monitors, and controls applications running across the network. Unlike traditional firewalls that rely on ports and protocols, Application Control performs Layer 7 protocol filtering to recognize the actual application being used, even when it uses common ports such as HTTP (80) or HTTPS (443).
This enables organizations to enforce granular security policies, block unauthorized applications, and ensure that network resources are used only for legitimate business purposes.
Key Functions of Application Control:
- Layer 7 Protocol Filtering – Inspects application-layer traffic to identify and control applications regardless of ports, protocols, or encryption methods.
- Identifies Network Applications – Detects applications such as Facebook, YouTube, WhatsApp, Zoom, Microsoft Teams, Dropbox, and BitTorrent.
- Blocks Unauthorized Applications – Prevents the use of risky, non-business, or potentially malicious applications.
- Controls User and Application Access – Allows, denies, or restricts applications based on users, groups, departments, or security policies.
- Optimizes Network Performance – Prioritizes business-critical applications while limiting bandwidth-heavy applications such as streaming and file sharing.
Example:
Even if a user accesses YouTube over HTTPS (port 443), Application Control using Layer 7 protocol filtering can identify the traffic as YouTube and apply the organization’s security policy to allow, restrict, or block it. This provides much greater visibility and control than traditional port-based filtering.
Slide 8 - IPS (Intrusion Prevention System)
Intrusion Prevention System (IPS) is a security profile that continuously monitors and analyzes network traffic to detect and block malicious activities, cyberattacks, and exploit attempts in real time. IPS uses threat signatures, behavioral analysis, and vulnerability protection techniques to identify suspicious traffic before it reaches servers, applications, or end-user devices.
By actively preventing attacks, IPS helps organizations protect their networks from hackers, malware, ransomware, denial-of-service attacks, and known software vulnerabilities.
Key Functions of IPS:
- Detects and Blocks Network Attacks – Identifies malicious traffic patterns and prevents cyberattacks before they can compromise systems.
- Prevents Exploit Attempts – Protects vulnerable applications and operating systems from known exploits and security weaknesses.
- Stops Malware and Ransomware Delivery – Detects malicious payloads and blocks them before they reach endpoints or servers.
- Provides Real-Time Threat Prevention – Continuously inspects network traffic and automatically blocks suspicious activities.
- Protects Critical Business Systems – Safeguards servers, databases, applications, and user devices from unauthorized access and attacks.
Example:
If a hacker attempts an SQL Injection attack against a web application, the IPS detects the malicious payload within the network traffic and blocks the connection before the attack reaches the server, preventing unauthorized access to sensitive data.
Common Attacks Blocked by IPS (Intrusion Prevention System):
- SQL Injection (SQLi) – Blocks attempts to manipulate database queries and steal sensitive information.
- Cross-Site Scripting (XSS) – Prevents attackers from injecting malicious scripts into web applications.
- Remote Code Execution (RCE) – Stops attackers from executing unauthorized commands on servers.
- Buffer Overflow Attacks – Prevents exploits targeting software vulnerabilities to gain system access.
- Denial-of-Service (DoS/DDoS) Attacks – Detects and mitigates traffic floods designed to disrupt services.
- Brute Force Attacks – Blocks repeated login attempts used to guess passwords.
- Port Scanning and Network Reconnaissance – Detects attackers probing the network for open ports and vulnerabilities.
- Malware and Ransomware Exploits – Prevents malicious payloads from reaching endpoints and servers.
- SMB and Windows Exploits – Blocks attacks targeting Windows file-sharing services and operating system vulnerabilities.
- DNS Attacks – Detects and prevents malicious DNS requests and tunneling activities.
- Command and Control (C2) Traffic – Stops infected devices from communicating with attacker-controlled servers.
- Web Application Attacks – Protects websites and applications from known exploitation techniques.
- SSH and RDP Attack Attempts – Detects unauthorized remote access and password-guessing attacks.
- Zero-Day Exploit Behavior – Identifies suspicious behavior patterns associated with previously unknown threats.
- Botnet Activity – Detects and blocks compromised devices attempting to participate in botnet operations.
Real Examples:
- A hacker sends an SQL Injection request to a banking website to steal customer data. IPS detects the malicious query and blocks it instantly.
- An attacker launches a Brute Force Attack against a company’s VPN login portal. IPS identifies repeated failed login attempts and blocks the attacker’s IP address.
- A ransomware exploit attempts to spread through a vulnerable Windows server. IPS detects the exploit signature and prevents the malicious traffic from reaching the server.
- An attacker performs a Port Scan to discover open services on the network. IPS detects the reconnaissance activity and blocks further scanning attempts.
- A compromised computer tries to connect to a botnet Command-and-Control (C2) server. IPS identifies the malicious communication and blocks the connection before data can be exfiltrated.
Slide 9 - SSL/SSH Inspection
SSL/SSH Inspection is a security profile that decrypts, analyzes, and re-encrypts encrypted traffic to detect threats hidden inside SSL/TLS (HTTPS) and SSH communications. Since most modern web traffic is encrypted, cybercriminals often use encrypted channels to deliver malware, ransomware, phishing content, and command-and-control traffic. SSL/SSH Inspection allows security devices to inspect this traffic and apply security policies before it reaches users or servers.
Key Functions of SSL/SSH Inspection:
- Decrypts Encrypted Traffic – Inspects HTTPS (SSL/TLS) and SSH traffic that would otherwise be hidden from security controls.
- Detects Malware and Ransomware – Identifies malicious files, payloads, and threats embedded within encrypted connections.
- Prevents Phishing Attacks – Blocks access to phishing websites and fraudulent content delivered over HTTPS.
- Enables Layer 7 Security Inspection – Allows Antivirus, IPS, Application Control, Web Filtering, and Content Filtering to inspect encrypted traffic.
- Monitors SSH Connections – Detects unauthorized SSH access, SSH tunneling, and suspicious remote administration activities.
Real Examples:
- An employee visits an HTTPS website that unknowingly hosts malware. SSL Inspection decrypts the traffic, detects the malicious file, and blocks the download before infection occurs.
- A phishing website uses HTTPS encryption to appear legitimate. SSL Inspection analyzes the encrypted session and prevents users from accessing the fraudulent site.
- A compromised device attempts to communicate with a hacker’s Command-and-Control (C2) server over HTTPS. SSL Inspection detects the malicious communication and blocks the connection.
- An attacker uses SSH tunneling to bypass security controls and access internal resources. SSH Inspection identifies the unauthorized tunnel and terminates the session.
SSL/SSH Inspection Example (Company Employee):
A company employee receives an email containing a link to an HTTPS website that appears legitimate. Because the website uses SSL encryption, the malicious content is hidden from normal network monitoring.
With SSL Inspection enabled, the firewall decrypts the HTTPS traffic, scans the website content, and detects malware embedded in the download. The firewall immediately blocks the connection and prevents the employee’s computer from becoming infected.
Short Example:
“An employee downloads a file from an HTTPS website. SSL Inspection decrypts the traffic, detects malware inside the encrypted download, and blocks the threat before it reaches the employee’s device.“
Slide 10 - Anti-Spam
Anti-Spam is a security profile that detects, filters, and blocks unwanted, fraudulent, and malicious emails before they reach users’ inboxes. It protects organizations from spam emails, phishing attacks, malware delivery, business email compromise (BEC), and other email-based threats that can lead to data breaches and financial losses.
By analyzing email content, sender reputation, attachments, links, and email behavior, Anti-Spam solutions help ensure that only legitimate emails are delivered to employees.
Key Functions of Anti-Spam:
- Blocks Spam Emails – Prevents unwanted bulk emails from reaching user inboxes.
- Detects Phishing Attempts – Identifies fraudulent emails designed to steal passwords, banking information, and sensitive data.
- Filters Malicious Attachments – Scans email attachments for malware, ransomware, viruses, and other threats.
- Blocks Suspicious Links – Detects and prevents access to malicious websites linked within emails.
- Protects Against Email Fraud – Helps prevent spoofing, impersonation, and business email compromise (BEC) attacks.
Company Employee Example:
An employee receives an email that appears to be from the company’s bank, asking them to click a link and verify their account details. The Anti-Spam system analyzes the sender, detects phishing indicators, and blocks the email before it reaches the employee’s inbox, preventing credential theft.
Another Example:
An attacker sends a fake invoice containing a malicious .exe attachment. The Anti-Spam system scans the attachment, identifies it as malicious, and quarantines the email before the employee can open it.
Slide 10 - Data Loss Prevention (DLP)
Data Loss Prevention (DLP) is a security profile that monitors, detects, and prevents sensitive information from being shared, transferred, or accessed without authorization. DLP helps organizations protect confidential data such as customer information, financial records, intellectual property, employee data, and business documents from accidental or intentional leakage.
By inspecting emails, web uploads, cloud applications, USB devices, and file transfers, DLP ensures that sensitive information remains secure and compliant with organizational policies and regulatory requirements.
Key Functions of Data Loss Prevention (DLP):
- Prevents Sensitive Data Leakage – Detects and blocks unauthorized transmission of confidential information.
- Monitors Data Transfers – Inspects emails, web uploads, cloud storage, and file-sharing activities for sensitive content.
- Protects Customer and Financial Data – Prevents exposure of account numbers, credit card details, personal information, and financial records.
- Controls File Sharing – Restricts the transfer of sensitive files to unauthorized users, devices, or external services.
- Supports Compliance Requirements – Helps organizations meet data protection regulations and security standards.
Company Employee Example:
An employee attempts to email a confidential customer database to a personal Gmail account. The DLP system detects sensitive customer information within the attachment and automatically blocks the email, preventing a potential data breach.
Another Example:
An employee tries to upload a company financial report to a personal cloud storage service such as Google Drive or Dropbox. The DLP solution identifies the confidential content and prevents the upload according to company security policies.
Data Loss Prevention (DLP):
DLP policies inspect outbound traffic and can block file uploads containing sensitive data or specific file types.
Example DLP Rules:
- Block uploads of .pdf, .docx, .xlsx, .csv files to external websites.
- Prevent users from uploading confidential company documents to Google Drive, Dropbox, or personal email accounts.
- Block uploads containing customer information, bank account details, or financial records.
- Restrict file sharing to approved business applications only.
- Generate alerts when users attempt to upload sensitive data.
Result: When a user tries to upload a PDF, Excel, or Word document to any website, the firewall detects the upload and blocks it according to the security policy
Slide 11 - Sandboxing
Sandboxing is an advanced security technology that analyzes suspicious or unknown files in an isolated virtual environment before they are allowed into the network. The sandbox safely executes files and observes their behavior to determine whether they contain malware, ransomware, spyware, or other malicious code.
Unlike traditional antivirus solutions that rely on known signatures, sandboxing can detect zero-day threats, advanced malware, and previously unseen attacks by analyzing how a file behaves when executed.
Key Functions of Sandboxing:
- Analyzes Unknown Files – Examines files that have not been previously identified as safe or malicious.
- Detects Zero-Day Threats – Identifies new and unknown malware that traditional antivirus may miss.
- Prevents Ransomware Infections – Detects ransomware behavior before the file reaches users or servers.
- Monitors File Behavior – Observes actions such as file modifications, registry changes, process creation, and network connections.
- Provides Advanced Threat Protection – Blocks sophisticated attacks before they can compromise the organization.
Company Employee Example:
An employee receives an email with a PDF attachment. Although the file appears legitimate, it contains hidden malware. The sandbox opens the PDF in a secure virtual environment, detects malicious behavior, and blocks the file before it reaches the employee’s computer.
Another Example:
A user downloads an unknown .exe file from the internet. The firewall sends the file to the sandbox for analysis. The sandbox detects that the file attempts to encrypt documents and contact a malicious server. The file is identified as ransomware and blocked immediately.
Short Definition
“Sandboxing is a security technology that executes suspicious files in an isolated environment to detect and block malware, ransomware, and zero-day threats before they can affect the network.“
Slide 11 - Firewall Policy
A Firewall Policy is a set of security rules that determines whether network traffic should be allowed, denied, or inspected when passing through a firewall. These rules control communication between users, devices, applications, and networks to protect the organization from unauthorized access and cyber threats.
Firewall policies are based on criteria such as source address, destination address, user identity, application, service, port, protocol, and security profiles. When traffic matches a policy, the firewall applies the configured action and security controls.
Key Functions of a Firewall Policy:
- Allow Legitimate Traffic – Permits authorized users and applications to access required resources.
- Block Unauthorized Access – Prevents unwanted or malicious connections from entering the network.
- Apply Security Profiles – Uses Antivirus, IPS, Web Filtering, DNS Filtering, and other protections on traffic.
- Control Application Usage – Allows or blocks specific applications based on company policies.
- Log and Monitor Activity – Records network events for security monitoring and auditing.
Company Network Firewall Policy Example:
A company may create a firewall policy that allows employees to access only approved business websites and internet services while blocking all other unnecessary or unauthorized traffic. For example, employees can browse work-related websites, use email services, and access cloud applications required for their jobs. At the same time, the firewall blocks social media platforms, online gaming, peer-to-peer file sharing, unauthorized remote access tools, and other non-business applications.
The firewall can also apply security profiles such as Antivirus, IPS, Web Filtering, DNS Security, and Application Control to inspect all internet traffic and protect users from malware, phishing attacks, ransomware, and malicious websites. By allowing only required internet access and blocking everything else, the company reduces security risks, improves employee productivity, conserves bandwidth, and ensures compliance with organizational security policies.
Simple Definition:
“A Firewall Policy is a rule that controls how network traffic is allowed, blocked, inspected, and logged to protect an organization’s network and data.“
How Firewall Policy Works
A firewall policy works in a rule-based order system where each incoming or outgoing network traffic is checked against a list of security rules from top to bottom. When a user tries to access a website or application, the data packet first enters the firewall, and then the firewall starts comparing it with the defined policies.
Each rule is checked one by one in sequence. If the traffic matches a rule, the firewall immediately applies the action defined in that rule, such as allow or block, and stops further checking. If the traffic does not match the first rule, it moves to the next rule and continues this process until a match is found.
This behavior is called “first match wins”, meaning the first matching rule decides whether the traffic is allowed or denied. If no rule matches the traffic, the firewall applies the default rule, which is usually set to block all unknown or unauthorized traffic.
For example, if Rule 1 allows Microsoft 365 traffic and a user accesses it, the firewall allows it immediately. If a user tries to access a blocked social media site and no allow rule matches, the firewall continues checking until it reaches a block rule or the default deny rule, and then blocks the traffic.
In summary, firewall policies work step by step from top to bottom, and the first matching rule determines whether the traffic is allowed or blocked.