So what is the way to go? Profile based or policy based mode?
I set up a new 120g in policy based mode and I finally figured it out…
But am having a couple issues with application control.
Can’t find a psiphon proxy signature to block
99% of people are running profile. I’d run profile.
I did a couple of projects last year migrating Cisco and Palo Alto configs to policy mode. While I think this should be the default mode, sadly Fortinet hasn’t really improved on it. Many things are different, like Palo Alto you can’t apply profiles to policies; you are basically forced to use applications and URL categories on the policy level, vs. other vendors who let you control applications on policies but still let you apply various profiles. SSL decryption is also a pain to troubleshoot. Finding support from TAC on policy mode is also difficult; once you do, it’s a knowledgeable person, but it’s tough to find a person.
In short, like others have said, stick to profile mode; the support from the community and TAC is great. Except for proper application control on each policy, you can accomplish pretty much everything in profile mode.
I started with Policy Based NGFW because it seemed to be more intuitive.
All other FortiPeople convinced me to use Profile Based NGFW mode because of available support and documentation. So I changed to Profile Based.
Interesting, because in the YouTube video I watched comparing the two, the tech said it’s 2023, just use policy mode.
But I agree with you… Will switch it over
I learned the policy based mode is like the “Palo Alto mode”. So if you switched from Palo Alto and you’re a god in these, choose policy based mode.
For a newbie maybe it’s a question of which to use. Most of us have been dealing with Fortinets since 5.0 or earlier though. Policy mode has existed since back then for Sonicwall and PAN users to try to simulate a PAN / Sonicwall, but has had very little development. And when it comes out of the box, it’s in profile mode. That should tell you something about what Fortinet thinks everyone should be running.
Even then…stay profile mode and do it the right way…especially since 99% of anyone that uses Fortinet does profile, so make it easy on yourself and learn the new method so that the majority of documentation and the community aligns with your mode of operation.