Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
sselvam
Staff
Staff

Created on ‎05-13-2020 03:23 AM Edited on ‎08-06-2025 07:35 AM By Moderator

Article Id 193983

Technical Tip: Changing the inspection mode of the firewall

Description

 

This article describes how to change the inspection mode of the firewall. The FortiGate firewall can operate in two different modes: flow mode and proxy mode.

 
  • Proxy-based: the proxy-based inspection involves buffering traffic and examining it as a whole before determining an action. The process of having the entire dataset to analyze allows for the examination of more data points than the flow-based approach.
  • Flow-based: the flow-based inspection method examines the data packets as they pass through the FortiGate without any buffering.  Each packet that arrives is processed and forwarded without waiting for the complete file or web page.
 
Scope
 
FortiGate.


Solution

 

V6.2 to v7.0.x.

 

From GUI:

To control the FortiGate's security profile inspection mode per policy, select 'Flow-based' or 'Proxy-based' modes from IPv4 Policy -> Edit (a particular policy).


 
From the CLI: 
Use the command below to change the inspection mode:
 
config firewall policy
    edit # (ID of the policy)
       set inspection-mode <flow or proxy>  
end
 
V7.2.4+:
After upgrading Firmware 7.2.4, some devices cannot see inspection mode on GUI.
 Inspection mode.png

 

By default, the inspection mode of the new firewall policy is set to Flow Based. To have this option to be available in GUI, enter the following commands in CLI:

 

config system global
    set proxy-and-explicit-proxy enable
end


config system settings
    set gui-proxy-inspection enable

end

 

 

Also, from CLIUse the command below to change the inspection mode to proxy mode:

 

config firewall policy

    edit <firewall policy ID>

           set inspection-mode proxy

end

 
Once these changes are performed, the inspection mode in GUI will be shown:

 

Inspection mode 1.png

 

This is an expected behavior, and this feature is placed for a reason.

 

It is possible to review this document for the new feature enhancement of v7.2.4:

New features or enhancements.

 

It is also possible to change the inspection-mode of Security Profiles such as AntiVirus and Web Filter to match the inspection-mode of the firewall policy. 

 

Antivirus.PNG

 

web filter proxy.PNG

 

Example in the CLI: 

 

config antivirus profile
    edit <name>

 

        set feature-set flow/proxy 

end 

 

config webfilter profile
    edit <name>

        set feature-set flow/proxy 

end 

 

Note:
When the firewall is running in NGFW policy-based mode, the operational mode is limited to 'flow', with no possible option to change to 'proxy'.
When the VDOMs are enabled on the firewall, there will not be any option available to change the firewall mode globally it has to be changed per VDOM.
 
Special Note:
Starting from v7.4.4, Proxy-related features are no longer supported in FortiOS. This change affects models 30G, 40F, 50G, 60E, 60F, 80E, and 90E series devices, including their variants (FortiWifi, FortiGate-3G4G, FortiGate-5G, FortiGate-POE), as well as the FortiGate-Rugged 60F (2 GB versions only).
 
Refer to this document for more information: Proxy-related features not supported on FortiGate 2 GB RAM models.
 
65334
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.