
FortiGate UTM and Security Profiles: Antivirus, IPS, Web Filtering

Sora Yazılım Team

FortiGate UTM security profiles are modules added to firewall policies to scan traffic for threats: antivirus, IPS, web filtering, application control, DNS filtering, and file filtering. Once a profile is attached to a policy, it applies automatically to that traffic.

What Are UTM and Security Profiles?

UTM (Unified Threat Management) is the approach of consolidating multiple security functions in one device; on FortiGate these functions are added as 'security profiles' to firewall policies and scan traffic as it passes.

A security profile does nothing on its own; to take effect it must be assigned to a firewall policy. When the policy permits traffic with an accept action, the attached profiles inspect that same traffic for threats.

FortiGate offers two scanning approaches: flow-based inspection scans packets in the flow with low latency; proxy-based inspection buffers content and analyzes it more deeply. The choice balances security depth against performance.

Before attaching profiles to a rule, you must design the rule itself correctly; see our firewall policy management guide.
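As an added example (not configuration from the original post), the FortiOS CLI below shows a narrow LAN-to-WAN web policy with UTM profiles attached and the scan mode chosen per policy. It assumes FortiOS 6.2 or later (inspection-mode is set on the policy), that the interfaces "internal" and "wan1" exist, and that the built-in "default" and "deep-inspection" profiles are present.

```fortios
# Added example, not from the original post. Assumes FortiOS 6.2+ and that
# the named interfaces and the built-in "default" profiles exist on the unit.
config firewall policy
    edit 10
        set name "LAN-web-out"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        # Profiles only inspect traffic the policy accepts
        set action accept
        set schedule "always"
        # Scope the rule to the traffic these profiles are meant for
        set service "HTTP" "HTTPS"
        # proxy = buffered, deeper content analysis; flow = lower latency
        set inspection-mode proxy
        # Without utm-status the profiles below are ignored
        set utm-status enable
        # Required so antivirus/IPS/web filter can see HTTPS content
        set ssl-ssh-profile "deep-inspection"
        set av-profile "default"
        set ips-sensor "default"
        set webfilter-profile "default"
        set application-list "default"
        # file-filter-profile is available from FortiOS 6.4
        set file-filter-profile "default"
        # DNS filtering is deliberately omitted here: it belongs on the
        # policy that carries DNS traffic, not on a web-only rule
        # Log all sessions so blocked/allowed UTM events can be reviewed
        set logtraffic all
        set nat enable
    next
end
```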

Core UTM Security Profiles

Core profiles comprise antivirus (malware), IPS (intrusion prevention), web filtering (URL category), application control (app recognition), and DNS filtering (domain reputation).

Each profile addresses a different threat layer. Using them together provides defense in depth.

Profile               Function
Antivirus             Detects malware in files and streams
IPS                   Blocks known exploit and attack signatures
Web Filter            Controls web access by URL category
Application Control   Recognizes and restricts applications
DNS Filter            Blocks malicious/unwanted domains
File Filter           Controls transfers by file type

These profiles should be used with logging to see which traffic is blocked and why; see logging and monitoring with FortiAnalyzer.

SSL/TLS Inspection and Encrypted Traffic

SSL inspection is critical because most web traffic is encrypted; FortiGate provides two levels of control: certificate inspection, which examines only the handshake, and deep inspection, which decrypts the content itself.

Certificate inspection only looks at certificate/SNI data and does not open content, offering limited control. Deep inspection lets FortiGate decrypt, scan, and re-encrypt traffic, enabling antivirus/IPS to work on encrypted content too.

Deep inspection requires distributing FortiGate's CA certificate to clients; otherwise users get certificate warnings. For privacy and compliance, some categories (e.g., healthcare, banking) may be exempt from inspection.

When encrypted traffic is not scanned, the effectiveness of profiles such as antivirus and IPS drops significantly; that is why an SSL inspection strategy is integral to UTM design.
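The following added example (not from the original post) defines a custom deep-inspection profile that exempts the privacy-sensitive categories mentioned above and names the CA whose certificate must be distributed to clients. It assumes FortiOS 6.x and that the FortiGuard category IDs 31 (Finance and Banking) and 33 (Health and Wellness) match those shown under the built-in "deep-inspection" profile on your firmware; verify them on the unit before relying on them.

```fortios
# Added example, not from the original post. Assumes FortiOS 6.x; the
# category IDs are assumed to match the built-in deep-inspection profile,
# check them on your unit before use.
config firewall ssl-ssh-profile
    edit "corp-deep-inspection"
        set comment "Deep inspection, banking and health exempt"
        # CA used to re-sign server certificates. Its certificate must be
        # installed on every client, otherwise each inspected site shows a
        # certificate warning.
        set caname "Fortinet_CA_SSL"
        set untrusted-caname "Fortinet_CA_Untrusted"
        config https
            set ports 443
            set status deep-inspection
        end
        # Category exemptions: these sites get certificate inspection only,
        # so antivirus/IPS do not see their content (privacy/compliance)
        config ssl-exempt
            edit 1
                set type fortiguard-category
                set fortiguard-category 31
            next
            edit 2
                set type fortiguard-category
                set fortiguard-category 33
            next
        end
    next
end
```

Attach the profile to a policy with `set ssl-ssh-profile "corp-deep-inspection"`; any policy still using certificate inspection leaves its antivirus and IPS profiles blind to HTTPS content.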

FortiGuard Dependency

FortiGuard is the threat-intelligence service that keeps UTM profiles current; antivirus signatures, IPS signatures, and web/DNS categories are updated through this subscription.

If antivirus and IPS signatures are not continuously updated, protection against new threats weakens quickly. Likewise, web and DNS filtering depend on the FortiGuard category database.

We detail which profile requires which subscription and the license planning in our FortiGuard subscriptions guide.

Best Practices in UTM Configuration

Best practices are to apply profiles only to the policies that need them, use deep inspection deliberately, monitor performance, and review profile logs regularly.

  • Attach each profile to narrow, purpose-fit policies.
  • Use deep inspection on encrypted traffic where possible.
  • Balance flow/proxy mode by workload for performance.
  • Tune the IPS signature set to your environment; disable unneeded signatures.
  • Review profile logs regularly and weed out false positives.

To manage performance drops with UTM enabled, see our performance optimization guide, and for overall architecture our what is FortiGate guide.

Frequently Asked Questions

Does a UTM profile work on its own?

No. A security profile only takes effect when assigned to a firewall policy. When the policy permits traffic, the attached profiles scan that traffic.

What is the difference between flow-based and proxy-based inspection?

Flow-based inspection scans packets in the flow with low latency; proxy-based inspection buffers content for deeper analysis but uses more resources.

What is needed to scan encrypted traffic?

SSL/TLS deep inspection is required. FortiGate's CA certificate must be distributed to clients; otherwise users see certificate warnings.

Which profiles require a FortiGuard subscription?

Antivirus and IPS signatures and the web and DNS category databases are updated via a FortiGuard subscription. Without it, these profiles cannot stay current.

What does application control do?

Application control recognizes applications (e.g., messaging, file sharing) independent of port and lets you monitor, restrict, or block them.

Should I add every profile to every policy?

No. Apply profiles only to the relevant traffic. Attaching unnecessary profiles lowers performance and increases the risk of false positives.

Conclusion

FortiGate UTM security profiles provide multi-layered defense from antivirus to IPS and web filtering. With the right scan mode, effective SSL inspection, and current FortiGuard subscriptions, these profiles deliver real protection.

To tune your UTM profiles to your organization's risk profile, talk to the Sora Yazılım security team.
