sebastan_bach
New Member
March 23, 2016
Solved

Mix of Flow & Proxy mode Security Profile


Hi,

I am finding the new 5.4 documentation a little confusing, so I am not sure whether we can use a mix of security profiles in flow & proxy mode. For example, we would like to use App Control and IPS in flow mode but web filtering & AV scanning in proxy mode, for maximum security.

Is this configuration supported?

Kindly let me know.

Regards

Sebastan

Best answer by tanr

There is some good information in the 5.4 documentation on Parallel Path Processing (Life of a Packet).

Specifically, the UTM/NGFW flows for:

  • Flow based, which is *only* flow: http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-life-of-packet-54/lop-packet-flow-flow.htm
  • Proxy based, which can include a mix of proxy and flow: http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-life-of-packet-54/lop-packet-flow-proxy.htm

Each time the proxy diagram includes the "IPS Engine" block, (I think) it is representing a copy of almost the entire diagram from the flow-based UTM, though with the SSL Inspection decryption being done by the proxy engine instead of the flow one. So it is definitely more resource intensive.

I'd really like to see how that diagram changes with, for instance, a FortiGate in proxy mode and a security policy that uses flow-mode AntiVirus, flow-mode Web Filter, App Control (flow-mode only), IPS (flow-mode only) and SSL Inspection. Is the proxy engine still being used to decrypt and encrypt the SSL in that case, even though nothing else is using it? Or do I still have the extra cost of the proxy engine encrypting and decrypting in this situation?


    sebastan_bach
    New Member
    April 4, 2016

    Hi Team,

    Any confirmation on the same?

    Regards

    Sebastan

    borderland
    New Member
    April 4, 2016

    I inadvertently had mine set up with mixed modes and it caused weird issues. Some sites would not load or would have problems, and one Android phone could not get Office 365 email. Once all modules were the same, everything worked fine.

    sebastan_bach
    New Member
    April 6, 2016

    Thanks for your feedback. So practically, based on your experience, I feel that although it's supported, it's not recommended.

    Regards

    Sebastan

    AndreaSoliva
    New Member
    April 12, 2016

    Hi

    Actually, I do not know if it helps you, but to avoid confusion here is my view and some official details:

    - From my perspective I would always use proxy mode because it is the state of the art. Some of the UTM features cannot be in proxy mode; for example, IPS and Application Control can only be used in flow mode, which makes sense from a technology point of view.

    The important thing to know is the following: if you use a mix of security profiles in one policy, meaning flow and proxy mode, the mode changes to flow for each UTM feature that supports both modes. Example: if you use AV in proxy mode and Web Filter in flow mode in one policy, FortiOS changes the Web Filter to flow mode in the background as well, even though the security profile is in proxy mode.

    This behaviour is described in the document "Life of a Packet" (http://docs.fortinet.com/d/fortigate-life-of-a-packet-5.4). This document also describes which UTM features support which mode, etc. This behaviour applies to FortiOS 5.x, not only 5.4.

    Hope this helps

    Have fun

    Andrea

    boneyard
    Valued Contributor
    August 14, 2016

    @Andrea

    I don't quite understand that remark for 5.4, especially since there you designate the whole FortiGate or VDOM to either flow or proxy. So you can't even select a flow AV profile and a proxy Web Filter profile, right?

    As for the remark on it switching to flow, could you please point out the exact place in any document? I'm aware of the behaviour but have a hard time finding the documentation.

    Thank you

    tanr
    New Member
    August 14, 2016

    @Andrea

    I'd like to get more clarification on this as well.

    The "Life of a Packet" PDF that you linked to above says on page 21:

    "Packets initially encounter the IPS engine, which uses the same steps described in UTM/NGFW packet flow: flow-based inspection on page 19 to apply single-pass IPS, Application Control and CASI if configured in the firewall policy accepting the traffic. The packets are then sent to the FortiOS UTM/NGFW proxy for proxy-based inspection."

    This seems to imply that the flow-based profiles run first, then hand off to the proxy-based profiles. The diagram on page 22 shows this.

    @boneyard

    Regarding not being able to select a flow AV profile for a VDOM in proxy mode:

    With 5.4.0 (haven't tried 5.4.1) I could use the CLI to create a flow AV profile and set it to be used for a specific policy, even though the VDOM is set to proxy. The flow AV profile then shows up in the GUI for that policy and appears to work. However, you can't do this in the (5.4.0) GUI. Also, the only FGT crash I ran into occurred while I had the flow-based AV profile set on an active policy with the (root) VDOM in proxy mode.
    With 5.4.0 (haven't tried 5.4.1) I could use the CLI to create an AV flow profile and set it to be used for a specific policy, even though the VDOM is set to proxy.  The flow AV profile then shows up in the GUI for that policy and appears to work.  However, you can't do this in the (5.4.0) GUI.  Also, the only FGT crash I ran into occurred while I had the flow based AV profile set on an active policy with the (root) VDOM in proxy mode.