FortiGate
Abin_FTNT
Staff
Article Id 196780

Description

 

This article describes why no replacement message is generated for application control when the same firewall policy applies application control together with a web filter in proxy mode.

Application control works only in flow-based mode, while the web filter can be proxy-based or flow-based. When the web filter is proxy-based, the proxy performs SSL inspection and sends the decoded data to IPS for application control.
 
Scope
 
FortiGate.


Solution

 

Configure the web filter in flow-based mode instead of proxy-based mode. When the web filter is flow-based, its traffic is processed together with AppCtrl inside the IPS engine, including SSL inspection.
 
config webfilter profile
    edit <profile name>
        set inspection-mode flow-based
    next
end
 

Note:

The command to change the inspection mode is different in higher versions.


Related article:

Technical Tip: Changing inspection mode