ssudhakar
Staff

Description
This article describes the changes in the inspection mode in policies and UTM profiles from version 6.0 to 6.2.

Solution
In version 6.0:

- The inspection mode is set per VDOM.

- UTM profiles can be set in flow or proxy mode.

- When applying UTM profiles, the user can mix and match UTM profiles with different inspection modes (flow/proxy) within the same firewall policy. This caused unexpected behavior when upgrading to 6.2.

In version 6.2, changes were made to the inspection mode settings:

- The inspection mode is set per policy.

- If the UTM profiles on a policy have mixed inspection modes, and at least one of them was in proxy mode on 6.0, the policy's inspection mode is set to 'proxy' after the upgrade to 6.2.
• Example: If the AV profile is set to proxy and the Web Filter profile is set to flow, the policy's inspection mode is set to 'proxy' after the upgrade to 6.2.

- If all UTM profiles assigned to the policy were in flow mode on 6.0, the policy's inspection mode is automatically set to 'flow' after the upgrade to 6.2; likewise, if all were in proxy mode, it is set to 'proxy'.

- If UTM was disabled or no UTM profile was assigned on 6.0, the policy's inspection mode is set to 'flow' (the default) after the upgrade to 6.2.

- After the upgrade to 6.2, some websites may show certificate errors. There are two workarounds for this issue:
• Change the policy inspection mode from proxy to flow.
• Set 'invalid-server-cert allow' in the SSL/SSH 'certificate-inspection' profile, as in the example below:
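The CLI for both workarounds, added here as an illustration rather than taken from the original article (its example image did not survive). Policy ID 1 is a constructed value, and the `config https` location of the setting and the per-policy `set inspection-mode` option are assumed from the FortiOS 6.2 CLI:

```text
# Workaround 1: switch the affected policy from proxy to flow inspection
# (policy ID 1 is a constructed example; use the ID of the affected policy)
config firewall policy
    edit 1
        set inspection-mode flow
    next
end

# Workaround 2: keep proxy inspection, but stop blocking servers whose
# certificate fails validation (location under 'config https' is assumed)
config firewall ssl-ssh-profile
    edit "certificate-inspection"
        config https
            set invalid-server-cert allow
        end
    next
end

# Check which inspection mode each policy ended up with after the upgrade
show full-configuration firewall policy | grep inspection-mode
```

With workaround 2 the FortiGate no longer blocks sessions to servers presenting an invalid certificate, so workaround 1, or applying the changed profile only to the affected policy, keeps the change narrower.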
Related Articles

Technical Tip: Changes to security profiles