kogia
New Member
September 23, 2013
Question

Security Profiles Precedence

  • September 23, 2013
  • 7 replies
  • 20897 views
Hello FortiCommunity, I would like to know if application control has precedence over Web filter. Consider the following scenario: Policy with web filter which blocks www.facebook.com & also application control sensor which blocks Facebook. Will there be a disclaimer from Web filter or the application control will simply block the packets?

    7 replies

    Devendra_Palan
    New Member
    October 15, 2013
    Hi Kogia, your web filter will simply block facebook.com.
    kelv1n
    New Member
    August 15, 2015

    I believe this is wrong. The Application Control will execute first, so packets will likely just be blocked. Got a similar issue myself!

    emnoc
    New Member
    August 15, 2015

    In this case I believe app-control will hit first, but diag debug flow is your friend.

    vjoshi_FTNT
    Staff
    Staff
    August 24, 2015

    First would be web filtering. The logic is: say we have a URL exempted on the web filter; you will see that it exempts all the scanning.

    Also, for a URL which is blocked in the first place, scanning for all the application control signatures makes no sense.

    Only if the URL is allowed is it worth scanning it with all the signatures for that URL.

    emnoc
    New Member
    August 24, 2015

    Are we 100% sure on that?

    What if the URL wasn't categorized to begin with (yes, or was in the wrong category)? (Assuming no manual or static entries were included in the web filter?)

    We know that in the flow or life of the packet, it has to look at the layer 3 route, policy, and security profile to determine what we inspect, but if you had app-control and URL filtering and used a mask URL, I think app-control would be the final trump.

    http://docs-legacy.fortinet.com/fos50hlp/50/index.html#page/FortiOS%25205.0%2520Help/life_of_packet.170.11.html#ww1064381

    vjoshi_FTNT
    Staff
    Staff
    August 31, 2015

    My understanding was wrong.

    The correct flow of the UTM sequence is:

    IPS > App Control > Email Filtering > Web Filtering > AV

    mramon79
    New Member
    September 10, 2015

    Hi,

    The FortiGate documents about traffic flow indicate that the web filter acts before application control... but this is only true in firewall mode; if you use the FortiGate in explicit proxy mode, application control goes first.

    I opened a ticket with support and, after showing them I was completely right, I suggested modifying the official documentation, but I think they are not going to do that.

    Regards

    FortiAdam
    New Member
    October 19, 2015

    @mramon79 shared some important info to keep in mind for this topic. Here is the latest "life of a packet" document from Fortinet, but I'm guessing they didn't include his suggested edits. http://docs.fortinet.com/...igate-life-of-a-packet

    kcerb
    New Member
    February 22, 2016