pradeepb
Staff
Article Id 191526
Description
This article describes the effects of changing the FortiGate's inspection mode between flow mode and proxy mode.

Solution
Proxy-based: Proxy-based inspection buffers the traffic and examines it as a whole before determining an action.
Having all of the data available for analysis allows more data points to be examined than with flow-based inspection.

Flow-based: Flow-based inspection examines the file as it passes through the FortiGate unit, without any buffering.
As each packet of the traffic arrives, it is processed and forwarded without waiting for the complete file or web page.

Changing from Flow mode to Proxy mode:
Changing from flow mode to proxy mode may slightly increase memory and CPU usage, because proxy-mode inspection buffers packets for inspection while flow-based inspection inspects packets on the fly.
This does not cause any impact, as it is a minimal, expected increase in resource utilization.


Proxy mode also changes how UTM profiles inspect traffic on the policies they are applied to: all files are buffered and then inspected, whereas in flow-based mode each incoming packet is inspected as it reaches the FortiGate.
There is no impact on working policies, however.

Changing from Proxy mode to Flow mode:
When the mode is changed to flow-based inspection, all proxy-mode profiles are converted to flow mode and proxy settings are removed.
In addition, proxy-mode-only features (for example, Web Application Profile) are removed from the GUI.

Note:
Up to FortiOS 6.0.x, the inspection mode can only be changed globally or per VDOM.
Without VDOMs, the change applies to all traffic passing through the FortiGate; if it is made on a specific VDOM, it applies to all traffic handled by that VDOM.

In 6.2.x and 6.4.x, the inspection mode is set per policy, which allows a more flexible setup across different policies.
Changing the inspection mode on a policy therefore applies only to the traffic handled by that policy.

Check the feature list for the respective version to learn more about the features supported in proxy and flow mode.
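
An added example (not Fortinet's code and not part of the original article): a Python script that lists each firewall policy's inspection mode in a 6.2+ style configuration backup and flags proxy-mode policies that use a proxy-only profile, which is what a switch to flow mode would remove. The sample configuration is constructed; treating a policy with no explicit `inspection-mode` line as flow mode, and the selection of profile keys reported, are assumptions.

```python
import re

# Constructed excerpt in the style of a FortiOS 6.2+ configuration backup.
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set name "web-out"
        set inspection-mode proxy
        set utm-status enable
        set av-profile "default"
        set waf-profile "default"
    next
    edit 2
        set name "dns-out"
        set utm-status enable
        set av-profile "default"
    next
end
"""

# Assumed selection of security-profile keys to report on.
PROFILE_KEYS = ("av-profile", "webfilter-profile", "ips-sensor",
                "application-list", "waf-profile")
# Web Application Profile is the proxy-only feature the article names.
PROXY_ONLY_KEYS = {"waf-profile"}

def audit_policies(config_text):
    """Return one dict per firewall policy with its inspection mode and profiles."""
    policies, current, in_section = [], None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config firewall policy":
            in_section = True
        elif in_section and current is None and line == "end":
            in_section = False
        elif in_section and (m := re.fullmatch(r"edit (\d+)", line)):
            # Assumption: no explicit inspection-mode line means flow mode.
            current = {"id": int(m.group(1)), "name": "",
                       "inspection-mode": "flow", "profiles": {}}
        elif current is not None and line == "next":
            current["proxy_only"] = sorted(PROXY_ONLY_KEYS.intersection(current["profiles"]))
            policies.append(current)
            current = None
        elif current is not None and (m := re.fullmatch(r'set (\S+) "?([^"]*)"?', line)):
            key, value = m.groups()
            if key in ("name", "inspection-mode"):
                current[key] = value
            elif key in PROFILE_KEYS:
                current["profiles"][key] = value
    return policies
```

A policy whose `proxy_only` list is non-empty is one to review before its inspection mode is changed to flow.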

Related Articles

Technical Tip: Changing the inspection mode of the firewall

Technical Tip: How to set policy, protocol and UTM to flow base or proxy based
