FortiGate Security Profiles Explained: Web Filtering, Antivirus, and App Control
Picture this. Your firewall policies are working perfectly. Traffic flows where it should. Users can access what they need.
Everything seems fine.
But then, someone in your organization downloads ransomware through a legitimate website.
Or maybe you discover during an audit that users have been accessing prohibited content for months.
The problem here isn't your firewall policies; those only control where traffic can go. The real issue is that nothing is inspecting what actually travels inside that traffic.
This is why security profiles transform your FortiGate from a traffic cop into an actual security platform.
Today we're building on our firewall policies blog series and exploring three profiles that determine whether you're protecting your organization or just shuffling packets around.
Let’s take a closer look.
SSL Inspection Basics
Here's an uncomfortable truth. Most web traffic is encrypted, and without decryption your FortiGate is blind to threats hiding in HTTPS.
When you enable SSL/TLS inspection under Security Profiles > SSL/SSH Inspection, your FortiGate decrypts traffic, inspects it against your security profiles, then re-encrypts it before forwarding.
The tradeoff, of course, is CPU overhead, which brings us to a critical decision point: does every policy need every profile applied?
The short answer is no. Internet-bound user traffic merits full inspection, while internal server traffic needs a lighter touch. Match your inspection depth to actual risk.
Web Filtering Basics
Here’s how to get started:
Navigate to Security Profiles > Web Filter and create a profile.
FortiGuard's database covers billions of websites across categories like malware, phishing, gambling, social networking, streaming media, file sharing.
The beauty of category-based filtering is automatic protection. Whenever new malicious sites start appearing, FortiGuard identifies them and your FortiGate blocks them without manual updates.
But note that categories are broad. For instance, if you block "Social Networking," you will stop both Facebook and LinkedIn.
The solution is precision layering: block social media broadly, then create exceptions for linkedin.com and twitter.com, which business development needs.
Features Worth Considering
- SafeSearch Enforcement forces Google, Bing, and YouTube into restricted modes. Completely transparent to users, but explicit content gets filtered automatically.
- Video filtering prevents bandwidth problems without being draconian: block streaming categories, or throttle bandwidth instead of blocking outright.
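As an added example (not from the original post), here is the FortiOS 7.x CLI equivalent of the profile described above: FortiGuard categories for malicious sites, phishing, gambling, streaming media and social networking are blocked, a URL filter table carves out the two business exceptions, and SafeSearch is enforced. The profile and table names are assumptions; the category IDs are taken from the FortiGuard web filter category list and should be confirmed against the category list on your own unit. The `#` lines are explanatory comments, not CLI input.

```fortios
# URL filter table. It is evaluated before FortiGuard category lookup,
# so these entries are the exceptions to the Social Networking block.
config webfilter urlfilter
    edit 1
        set name "business-social-exceptions"
        config entries
            edit 1
                set url "linkedin.com"
                set type simple
                # allow: passes the URL filter and skips the category block;
                # unlike exempt, antivirus still scans the session
                set action allow
            next
            edit 2
                set url "twitter.com"
                set type simple
                set action allow
            next
        end
    next
end

config webfilter profile
    edit "wf-standard-users"
        set comment "Standard users: block risk categories and social media, with business exceptions"
        config web
            set urlfilter-table 1
            # SafeSearch for Google/Bing/YouTube, enforced by URL rewrite and request header
            set safe-search url header
            set youtube-restrict strict
        end
        config ftgd-wf
            config filters
                edit 1
                    set category 26
                    # 26 = Malicious Websites (confirm ID on your unit)
                    set action block
                next
                edit 2
                    set category 61
                    # 61 = Phishing
                    set action block
                next
                edit 3
                    set category 11
                    # 11 = Gambling
                    set action block
                next
                edit 4
                    set category 25
                    # 25 = Streaming Media and Download
                    set action block
                next
                edit 5
                    set category 37
                    # 37 = Social Networking; linkedin.com and twitter.com bypass this via the URL filter
                    set action block
                next
            end
        end
    next
end
```

Attach the profile to a policy with `set webfilter-profile "wf-standard-users"` (with `set utm-status enable` and an SSL/SSH inspection profile, otherwise HTTPS categories are only matched on the certificate's SNI). If the streaming block is too blunt, change entry 4 to `set action monitor` and apply a traffic shaping policy to that category instead, which matches the throttle option above.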
Antivirus Basics
Network-level antivirus stops threats before they reach endpoints. By the time malware hits endpoint antivirus, it's already on your network.
To get going, navigate to Security Profiles > Antivirus and choose your scanning mode:
- Flow-based inspection is fast and lightweight; it scans traffic as it flows, without buffering. Perfect for high-throughput environments.
- Proxy-based inspection buffers complete files for deep analysis including heuristics. Higher CPU cost but maximum protection.
Most organizations use flow-based for standard traffic, proxy-based for high-risk scenarios like external email attachments and guest network downloads.
Key Protocols to Scan
For this one, enable scanning across every relevant protocol:
- SMTP/POP3/IMAP for email (it’s a top malware vector, so definitely non-negotiable)
- FTP to prevent malware uploads/downloads
- SMB to protect file shares and stop ransomware spread
- HTTP/HTTPS for web traffic
Yes, this does increase CPU load but it is generally far more affordable than incident response costs.
Also, enable archive scanning with reasonable limits. For example: 10MB max size, 3-level recursion to prevent "archive bombs" from overwhelming resources.
You can also turn on outbreak prevention to catch zero-day threats before confirmed signatures exist.
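The antivirus settings from this section, written out as an added FortiOS 7.x CLI example (not the post's own configuration): a flow-based profile for standard traffic and a proxy-based one for high-risk paths, both scanning every protocol listed above with outbreak prevention on, plus the protocol options profile that holds the archive limits, since archive size and nesting limits live in protocol options rather than in the antivirus profile. The profile names are assumptions; the `#` lines are explanatory comments.

```fortios
# Flow-based profile for everyday user traffic: scans in-line, no buffering.
config antivirus profile
    edit "av-standard-users"
        set comment "Flow-based AV for standard internet traffic"
        set feature-set flow
        config http
            set av-scan block
            set outbreak-prevention block
        end
        config ftp
            set av-scan block
            set outbreak-prevention block
        end
        config smtp
            set av-scan block
            set outbreak-prevention block
        end
        config pop3
            set av-scan block
            set outbreak-prevention block
        end
        config imap
            set av-scan block
            set outbreak-prevention block
        end
        # cifs is the SMB scanner: covers file shares and ransomware spread
        config cifs
            set av-scan block
            set outbreak-prevention block
        end
        # also apply outbreak prevention to files inside archives
        set outbreak-prevention-archive-scan enable
    next
    # Proxy-based profile for high-risk paths (external mail attachments, guest
    # downloads): buffers whole files so heuristics can run; costs more CPU.
    # Policies using it need "set inspection-mode proxy".
    edit "av-highrisk-proxy"
        set comment "Proxy-based AV for mail attachments and guest downloads"
        set feature-set proxy
        config http
            set av-scan block
            set outbreak-prevention block
        end
        config smtp
            set av-scan block
            set outbreak-prevention block
        end
        config imap
            set av-scan block
            set outbreak-prevention block
        end
        config pop3
            set av-scan block
            set outbreak-prevention block
        end
        set outbreak-prevention-archive-scan enable
    next
end

# Archive limits: 10 MB uncompressed, 3 nesting levels. Archives beyond these
# bounds are not expanded further, which is what stops an archive bomb from
# consuming the scanner.
config firewall profile-protocol-options
    edit "proto-standard-users"
        config http
            set ports 80
            set oversize-limit 10
            set uncompressed-oversize-limit 10
            set uncompressed-nest-limit 3
        end
        config smtp
            set ports 25
            set oversize-limit 10
            set uncompressed-oversize-limit 10
            set uncompressed-nest-limit 3
        end
        config ftp
            set ports 21
            set oversize-limit 10
            set uncompressed-oversize-limit 10
            set uncompressed-nest-limit 3
        end
    next
end
```

Reference both objects from the policy: `set av-profile "av-standard-users"` and `set profile-protocol-options "proto-standard-users"`. The same three limit lines apply to the imap, pop3 and cifs sections of the protocol options profile, omitted here only for length; the values are in MB and levels respectively, matching the 10MB / 3-level recommendation above.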
Controlling Apps Beyond Port
You might have noticed that applications don't respect ports anymore. For instance, when BitTorrent ports are blocked, users switch to web-based clients over port 443. Similarly for Facebook, which can be accessed through proxy sites.
To deal with this, navigate to Security Profiles > Application Control.
Application signatures identify traffic by behavioral characteristics such as packet patterns, protocol behaviors, and encryption characteristics. This way, Skype looks like Skype regardless of port.
Your firewall policy says "allow HTTPS." Your application control profile says "within that HTTPS, block Facebook, allow Salesforce, monitor Dropbox."
- Start with category-based controls: block the P2P, Proxy.Avoidance, and Game categories entirely.
- Monitor Cloud IT, Remote Access, and File Transfer, because they mix legitimate tools with risks. Then add specific overrides, such as blocking File.Transfer but allowing sanctioned box.com and dropbox.com.
Recommended Actions
- Monitor logs traffic without blocking, which is essential for understanding actual usage before making decisions.
- Block all "Critical" risk applications automatically, like known malware vectors. Monitor or block "High" risk based on business needs.
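The application control profile from the two lists above, as an added FortiOS 7.x CLI example (not the post's own configuration). It blocks the P2P, Proxy and Game categories, blocks Critical-risk applications, monitors High-risk ones, and shows the override pattern: the sanctioned storage applications are passed by an entry placed before the block on their category. In the application list the post's "File Transfer" tier is the Storage.Backup category, which is where Dropbox and Box are classified. The list name is an assumption, the category IDs are the values the CLI offers for `set category` and should be checked with `?` on your unit, and `<box-app-id>` / `<dropbox-app-id>` are placeholders for the application IDs shown in the GUI signature list. In the CLI, the GUI's "Monitor" action is `set action pass` with logging left enabled. The `#` lines are explanatory comments.

```fortios
config application list
    edit "app-standard-users"
        set comment "Block abusive categories, tier the rest by risk, log everything else"
        set deep-app-inspection enable
        # Known applications that match no entry are passed but logged, so the
        # monitor phase shows real usage before anything further is blocked.
        set other-application-action pass
        set other-application-log enable
        set unknown-application-action pass
        set unknown-application-log enable
        config entries
            # Entries are matched in order: the sanctioned-app exception must
            # come before the category that would otherwise block it.
            edit 1
                set application <box-app-id> <dropbox-app-id>
                set action pass
            next
            edit 2
                # 22 = Storage.Backup (the post's "File Transfer" tier)
                set category 22
                set action block
            next
            edit 3
                # 2 = P2P, 6 = Proxy, 8 = Game
                set category 2 6 8
                set action block
            next
            edit 4
                # risk 5 = Critical: known malware vectors, always blocked
                set risk 5
                set action block
            next
            edit 5
                # risk 4 = High: monitored first, tighten after reviewing logs
                set risk 4
                set action pass
            next
            edit 6
                # 30 = Cloud.IT, 7 = Remote.Access: monitor only
                set category 30 7
                set action pass
            next
        end
    next
end
```

Attach it with `set application-list "app-standard-users"` on a policy that has `set utm-status enable` and an SSL/SSH inspection profile; without decryption, applications inside HTTPS are identified far less reliably. After a monitoring period, promote entry 5 to `set action block` for the High-risk applications the logs show no business use for.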
Putting It All Together: Maintain, Monitor, and Optimize
Once your security profiles are configured, the real strength comes from layering them effectively.
Use Security Profile Groups to apply consistent protection across policies. Create a group such as “Internet-Standard-Users” that includes Web Filter, Antivirus, Application Control, and SSL Inspection.
Apply this group to user internet policies with a single click. Any updates you make to the group automatically apply to all linked policies, ensuring consistent security at scale.
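An added FortiOS 7.x CLI example (not the post's own configuration) tying the profile group idea together with the inspection-depth decision from the SSL Inspection section: one group for internet-bound users with the built-in `deep-inspection` profile, a second, lighter group for traffic to internal servers with `certificate-inspection` only, and the two policies that consume them. The profile names inside the groups, the interface names and the address objects are assumptions; `deep-inspection` and `certificate-inspection` are FortiOS built-in SSL/SSH profiles. The `#` lines are explanatory comments.

```fortios
config firewall profile-group
    # Full stack for users going to the internet: decrypt, then filter, scan, control apps
    edit "Internet-Standard-Users"
        set ssl-ssh-profile "deep-inspection"
        set webfilter-profile "wf-standard-users"
        set av-profile "av-standard-users"
        set application-list "app-standard-users"
        set profile-protocol-options "default"
    next
    # Lighter touch for internal server traffic: no web filter, certificate
    # inspection only (no decryption, so far lower CPU cost)
    edit "Internal-Servers"
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "av-standard-users"
        set application-list "app-standard-users"
        set profile-protocol-options "default"
    next
end

config firewall policy
    edit 10
        set name "Users-to-Internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "LAN-Users"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        # profile-type group: the policy follows the group, so a change to the
        # group reaches every policy that references it
        set utm-status enable
        set profile-type group
        set profile-group "Internet-Standard-Users"
        set logtraffic all
    next
    edit 11
        set name "Users-to-Internal-Servers"
        set srcintf "internal"
        set dstintf "dmz"
        set srcaddr "LAN-Users"
        set dstaddr "DMZ-Servers"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set profile-type group
        set profile-group "Internal-Servers"
        # log only sessions where a security profile fired
        set logtraffic utm
    next
end
```

Deep inspection on policy 10 requires the FortiGate's CA certificate to be trusted by the user endpoints, otherwise every HTTPS site shows a certificate warning; that is part of sizing the rollout, not an optional step. Watch System > Dashboard > System Resources after enabling it, since this is the policy that carries the decryption cost.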
Keep an eye on System > Dashboard > System Resources to monitor performance.
If CPU usage regularly exceeds 80%, it’s time to optimize configurations or consider a hardware upgrade. SSL inspection is resource-intensive but critical; attackers rely on organizations disabling it to save CPU cycles. Always size your hardware to handle decryption at your network’s throughput.
Also, avoid common missteps. For instance:
- Don’t enable every profile everywhere; for example, internal server traffic doesn’t need web filtering.
- Start with monitor mode to understand normal behavior before blocking.
- Review your logs regularly to catch recurring malicious activity, and reassess your profiles quarterly to keep pace with evolving threats and changing business needs.
The Bottom Line
Firewall policies control where traffic goes. Security profiles control what's inside that traffic. Without both, you're just moving packets around.
Effective security isn't about blocking everything, it's about intelligent filtering that stops real threats while enabling legitimate operations.
Ready to implement FortiGate security profiles properly?
Metron's integration service ensures your security infrastructure operates as unified protection.
If you are looking to strengthen your security ecosystem connect with us at connect@metronlabs.com. Our team would be happy to assist!