Description

This article describes how to change the inspection mode of the firewall. The FortiGate firewall can operate in two different modes: flow mode and proxy mode.

• Proxy-based: the proxy-based inspection involves buffering traffic and examining it as a whole before determining an action. The process of having the whole of the data to analyze allows for the examination of more data points than the flow-based.
• Flow-based: the flow-based inspection method examines the data packets as they pass through the FortiGate without any buffering.  Each packet that arrives is processed and forwarded without waiting for the complete file or web page.

Solution

V6.0:

From GUI:

To control the FortiGate's security profile inspection mode in FortiOS, select 'Flow-based' or 'Proxy-based' modes from System -> Settings.

    set inspection-mode <flow or proxy>
end

Use the below command to change the inspection mode when the VDOMs are enabled:

config vdom
    edit <vdom>
        config system settings
            set ngfw-mode <policy-based | profile-based>
        end
    next
end

V6.2 to v7.0.x.

From GUI:

To control the FortiGate's security profile inspection mode per policy, select 'Flow-based' or 'Proxy-based' modes from IPv4 Policy -> Edit (a particular policy).

V7.2.4+:

After upgrading Firmware 7.2.4, some devices cannot see inspection mode on GUI.

 

 

By default, the inspection mode of the new firewall policy is set to Flow Based. To have this option to be available in GUI, enter the following commands in CLI:

 

config system global
    set proxy-and-explicit-proxy enable
end

config system settings
    set gui-proxy-inspection enable

end

 

 

Also from CLI. Use the below command to change the inspection mode to proxy mode:

 

config firewall policy

    edit <firewall policy ID>

           set inspection-mode proxy

end

 

Once these changes are performed, the inspection mode in GUI will be shown:

 

 

This is an expected behavior, and this feature is placed for a reason.

 

It is possible to review this document for the new feature enhancement of v7.2.4:

New features or enhancements

 

Note:

When the firewall is running in NGFW policy-based mode, the operational mode is limited to 'flow', with no possible option to change to 'proxy'.

When the VDOMs are enabled on the firewall, there will not be any option available to change the firewall mode globally it has to be changed per VDOM.

 

Special Note:

Starting from v7.4.4, Proxy-related features are no longer supported in FortiOS. This change affects models 30G, 40F, 50G, 60E, 60F, 80E, and 90E series devices, including their variants (FortiWifi, FortiGate-3G4G, FortiGate-5G, FortiGate-POE), as well as the FortiGate-Rugged 60F (2 GB versions only).

 

Related document:

Profile based NGFW vs policy-based NGFW