FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 203732
Description This article describes the differences between these concepts and how they are reflected on the operation of a FortiGate, or on its resource usage.

Proxy = by definition, is the authority to represent someone else.

This definition is very close to the operation of Explicit Proxy or Transparent Proxy.


In this context, the FortiGate will forward the traffic on behalf of someone else (in the networking context that means IP and MAC address).
What is the difference between proxy and NAT? one may ask. The main difference is that NAT only changes the IP header (Layer 3/4) and no change or check is done in the content, or application level (Layer 7).


Explicit proxy vs Transparent Proxy.

Explicit proxy
needs to be explicitly configured in the host browser / Internet options, or the configuration to be received in form of a .pac file (that for example, instructs the host to send specific traffic to a proxy, and other traffic to bypass the proxy).


The transparent proxy operates almost like explicit proxy but it is not visible to the host (no host-config needed), and is designed to proxy all the traffic that is received.


Both of these modes are resource-demanding, because the traffic needs to be decrypted, altered, and re-encrypted, in order to properly change the content at the Application level. As opposed to regular NAT which only changes the packet headers to accommodate a change of networks: private to public, without altering the payload.


Which means that network units operating as Proxy need to have dedicated processors, or be specifically designed to perform this operation.


The complete range of FortiGate firewalls is able to perform the explicit proxy function through the OS.

However, the speed and bandwidth is reduced on those units that lack a powerful processor to help with the load (CP8/CP9) – mentioning here the low-end series (under 200 Series).


The correct size of the FortiGate that is expected to be used as Explicit proxy needs to be established in advance with a Fortinet Distributor or Sales Representative.

Changing the usage of a FortiGate from a regular NAT firewall to an Explicit proxy may result in high resource usage or conserve mode, and reduced bandwidth if not properly sized.


NGFW proxy-mode is an inspection mode that can be changed in the firewall policy. The choice you have at policy level is between flow-mode and proxy-mode.

The differences between these modes are described here.


How is this related to 'proxy'? Well, in NGFW proxy-mode, the firewall is reassembling the packets, (can decrypt them if set with deep-inspection profile), and is able to inspect the traffic at the application level, thus performing better when it is needed to recognize threats, or specific traffic (AV, App Control, DLP, ICAP, WAF).


The resource usage is not as high as running an Explicit/Transparent Proxy because there is no need to perform changes inside the payload, but it is slightly higher than the same policy in flow-based mode.