FortiOS 5.6 Online Help Link FortiOS 5.4 Online Help Link FortiOS 5.2 Online Help Link FortiOS 5.0 Online Help Link

Home > Online Help

Policy Learning Mode

Learning mode for Firewall policies (310544 365727)

The learning mode feature is a quick and easy method for setting a policy to allow everything but to log it all so that it can later be used to determine what restrictions and protections should be applied. The objective is to monitor the traffic not act upon it while in Learning mode.

Once the Learn action is enabled, functions produce hard coded profiles that will be enabled on the policy. The following profiles are set up:

  • AntiVirus (av-profile)
  • Web Filter ( webfilter-profile)
  • Anti Spam( spamfilter-profile )
  • Data Leak Prevention (dlp-sensor )
  • Intrusion Protection (ips-sensor )
  • Application Control (application-list )
  • Proxy Options (profile-protocol-options)
note icon
  • These UTM profiles are all using Flow mode
  • SSL inspection is always disable for the Learn option
  • These profiles are static and cannot be edited.

Profiles that are not being used are:

  • DNS Filter (Does not have a Flow mode)
  • Web Application Firewall(Does not have a Flow mode)
  • CASI(Almost all signatures in CASI require SSL deep inspection. Without SSL inspection, turning on CASI serves little purpose)

The ability to allow policies to be set to a learning mode is enabled on a per VDOM basis.

config system settings

set gui-policy-learning [enable | disable]


Once the feature is enabled on the VDOM, Learn is an available Action option when editing a policy.

caution icon Because this feature requires a minimum level of logging capabilities, it is only available on FortiGates with hard drives. Smaller models may not be able to use this feature.

Once the Learning policy has been running for a sufficient time to collect needed information a report can be looked at by going to Log & Report > Learning Report.

The Report can be either a Full Report or a Report Summary

The time frame of the report can be 5 minutes, 1 hour, or 24 hours.

The Learning Report includes:

Deployment Methodology

  • Test Details
  • Start time
  • End time
  • Model
  • Firmware
  • Policy List

Executive Summary

  • Total Attacks Detected
  • Top Application Category
  • Top Web Category
  • Top Web Domain
  • Top Host by Bandwidth
  • Host with Highest Session Count

Security and Threat Prevention

  • High Risk Applications
  • Application Vulnerability Exploits
  • Malware, botnets and Spyware/Adware
  • At-Risk Devices and Hosts

User Productivity

  • Application Usage
  • Top Application Categories
  • Top Social Media Applications
  • Top Video/Audio Streaming Applications
  • Top Peer to Peer Applications
  • Top Gaming Applications
  • Web Usage
  • Top Web Categories
  • Top Web Applications
  • Top Web Domains