pepso
New Member
December 9, 2020
Question

What does flow-based inspection do with packets?

  • December 9, 2020
  • 1 reply
  • 10250 views

Hi all,

FYI: I am new here, and this is my first post on this forum. I am preparing for NSE4 and one thing is unclear to me.

I really need to understand how FTG handles packets in flow-based mode. The Fortinet documentation is not clear and

a) in one place claims that FTG doesn't buffer packets and only forwards them

b) in another section of the same PDF claims that it forwards them to the client (without any delay) but buffers them at the same time.

The documentation is the course for the NSE4 exam.

a) The flow-based inspection mode examines the file as it passes through FortiGate => without any buffering.

  • As each packet arrives, it is processed and forwarded without waiting for the complete file or web page.
  • Packets are analyzed and forwarded as they are received.
  • Original traffic is not altered. Therefore, advanced features that modify content, such as safe search enforcement, are not supported.

versus

b) As you can see on this slide,

  • the client sends a request and starts receiving packets immediately from the server
  • FortiGate also caches those packets at the same time. When the last packet arrives, FortiGate caches it and puts it on hold.
  • Then, it sends the whole cached file to the IPS engine, where rule match is checked, and after that it is passed to the AV engine for scanning.
  • If the AV scan does not detect any viruses, and the result comes back clean, the last cached packet is regenerated and delivered to the client. However, if a virus is found, the last packet is dropped. Even if the client has received most of the file, the file will be truncated and the client will not be able to open a truncated file.

Thank you for the explanation.

    pepso

    • 1 reply

      lobstercreed
      New Member
      December 9, 2020

Looks pretty straightforward to me. It simultaneously buffers and forwards. So the client experiences no delay, as the buffering only serves to allow the AV scanning to see the whole file at once. I'm not sure it can be explained much better, honestly.

pepso (Author)
      New Member
      December 10, 2020

      lobstercreed wrote:

Looks pretty straightforward to me. It simultaneously buffers and forwards. So the client experiences no delay, as the buffering only serves to allow the AV scanning to see the whole file at once. I'm not sure it can be explained much better, honestly.

      https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/659145/flow-mode-inspection-default-mode

The very first sentence: "When a firewall policy's inspection mode is set to flow, traffic flowing through the policy will not be buffered by the FortiGate."

I also thought (all the time) that packets are simultaneously buffered and forwarded, but now I am not sure.

      lobstercreed
      New Member
      December 10, 2020

You're overthinking it. Read this: https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/969330/proxy-mode-inspection

At a high level, the two inspection modes are different in the sense that one buffers (without sending the packets on to the client until it has completed inspection) while the other does not (it immediately sends packets on to the client). Yes, technically they both buffer to perform A/V inspection, but as observed from the client side one does not buffer while the other does.
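As an added illustration (not code from this thread or from Fortinet), here is a toy Python model of what the client observes under the two behaviours described in the quoted course slide (b) and in the last reply: flow mode forwards and caches every packet at once and only holds the final one, proxy mode holds everything until the scan finishes. The AV engine is a constructed stand-in that flags a marker string, and the packet lists are constructed sample data.

```python
"""Toy model of client-visible behaviour for FortiGate flow vs proxy inspection.
Constructed illustration for this thread, not Fortinet code."""
from typing import Callable, List, Tuple

Scanner = Callable[[bytes], bool]  # True when the reassembled content is malicious

# Constructed stand-in for the AV engine: flags any file containing this marker.
MARKER = b"EICAR-TEST"


def toy_av_scan(content: bytes) -> bool:
    return MARKER in content


def flow_mode(packets: List[bytes], scan: Scanner = toy_av_scan) -> Tuple[List[bytes], str]:
    """Flow-based: each packet is forwarded the moment it arrives AND cached; only the
    last packet is held until the whole cached file has been scanned."""
    if not packets:
        return [], "empty"
    delivered: List[bytes] = []
    cache = bytearray()
    for pkt in packets[:-1]:
        delivered.append(pkt)  # forwarded immediately: no delay visible to the client
        cache += pkt           # cached at the same time for the IPS/AV engines
    last = packets[-1]
    cache += last              # last packet cached and put on hold
    if scan(bytes(cache)):     # whole-file scan: a marker split across packets is still caught
        return delivered, "last packet dropped: file truncated"
    delivered.append(last)     # regenerated and released after a clean verdict
    return delivered, "clean"


def proxy_mode(packets: List[bytes], scan: Scanner = toy_av_scan) -> Tuple[List[bytes], str]:
    """Proxy-based: nothing is sent to the client until the whole file is buffered and scanned."""
    if not packets:
        return [], "empty"
    if scan(b"".join(packets)):
        return [], "blocked: nothing delivered"
    return list(packets), "clean"


def demo() -> None:
    clean = [b"HTTP/1.1 200 OK\r\n\r\n", b"hello ", b"world"]
    infected = [b"HTTP/1.1 200 OK\r\n\r\n", b"EICAR-", b"TEST payload"]  # marker spans two packets
    for name, mode in (("flow", flow_mode), ("proxy", proxy_mode)):
        for label, pkts in (("clean", clean), ("infected", infected)):
            got, verdict = mode(pkts)
            print(f"{name:5} {label:8}: client received {len(got)}/{len(pkts)} packets, {verdict}")
```

Call `demo()` to print both modes side by side; in flow mode the infected transfer reaches the client minus its last packet, in proxy mode nothing reaches it at all.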