Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
fjulianom
New Contributor III

About inspection modes on FortiGate

Hi community,

 

I know the inspection mode is how FortiGate scans the traffic in a firewall policy. Flow-based is like looking at the TCP flow or taking snapshots of the traffic, and in proxy-based mode FortiGate intercepts the traffic like a man-in-the-middle scenario. But why do I have to define flow-based or proxy-based mode in the firewall policy if after that I also have to define flow-based or proxy-based mode in a security profile, e.g. antivirus or web filtering? It is like I am configuring the same thing twice?

 

Regards,

Julián

4 REPLIES
jangelis
Staff

Hello Julián,

Yes, it seems you must configure the profile twice, but the reason is that the features available in flow mode might be different from those available in proxy mode.

And after you select the mode of your choice, you should not be able to select the profiles for the other mode.

Regards,

Jakub

Jakub Angelis
fjulianom
New Contributor III

Hi,

 

I know the features are different, but it makes no sense to configure the same thing in different sections. In other words, what does “inspection mode proxy-based” mean? And what does “antivirus profile proxy-based” mean? And what’s the difference between them?

 

Regards,

Julian

jangelis

Hello,

I will try to put it a different way.

Generally, when you are setting up a policy (a firewall rule), you have some expectation of what inspections should be there and what should be filtered.

Let's take an example where you want to use the Antivirus with CDR.

This is exclusive to proxy mode.

So you set up the AV profile for use in proxy inspection mode with CDR turned on.

Then you create a policy for such traffic and you know you need to use the proxy inspection mode in order to be able to use the configured AV profile.

You cannot use an AV profile in proxy mode in a policy that is configured in flow inspection mode, and vice versa.

 

Regards,

Jakub

Jakub Angelis
fjulianom
New Contributor III

Hi,

 

I agree, then why isn’t this done automatically? Why does the inspection mode configuration exist? I mean, it should be that if you configure a firewall policy with proxy-based AV, the firewall policy would be set to proxy-based inspection automatically. If you configure a firewall policy with proxy-based web filtering, the firewall policy would be set to proxy-based inspection automatically. If you configure a firewall policy with app control (which is always flow-based), the firewall policy would be set to flow-based inspection automatically. If you configure a firewall policy with flow-based AV (because fewer features are enough for you), the firewall policy would be set to flow-based inspection automatically, and so on.

Having two points to configure the same thing is more difficult and can lead to mistakes (e.g. an AV profile in proxy mode in a policy configured in flow inspection mode, as you said).

 

Best regards,

Julian
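
The mismatch discussed in this thread (a proxy-mode AV profile referenced from a flow-mode policy) can be checked for in a configuration backup. The following is an added example, not part of the original posts and not Fortinet code: it assumes the FortiOS CLI keywords `inspection-mode` on a firewall policy and `feature-set` on a profile, assumes both default to flow when absent, and runs on a constructed config excerpt. It treats any difference between the two modes as a mismatch, following the rule as stated in the reply above.

```python
import shlex

# Constructed FortiOS-style excerpt (sample data, not from the thread).
SAMPLE = """
config antivirus profile
    edit "av-cdr"
        set feature-set proxy
    next
end
config firewall policy
    edit 1
        set inspection-mode proxy
        set av-profile "av-cdr"
    next
    edit 2
        set inspection-mode flow
        set av-profile "av-cdr"
    next
end
"""

PROFILE_REFS = {"av-profile": "antivirus profile", "webfilter-profile": "webfilter profile"}

def parse(text):
    """Return {section: {entry: {key: value}}} for top-level config blocks only."""
    tree, section, entry, depth = {}, None, None, 0
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] == "config":
            depth += 1
            if depth == 1:
                section = " ".join(tok[1:])
                tree.setdefault(section, {})
        elif tok[0] == "end":
            depth -= 1
        elif depth == 1 and tok[0] == "edit":
            entry = tree[section].setdefault(tok[1], {})
        elif depth == 1 and tok[0] == "set" and entry is not None:
            entry[tok[1]] = " ".join(tok[2:])
        elif depth == 1 and tok[0] == "next":
            entry = None
    return tree

def mismatches(tree):
    """Return (policy, keyword, profile, profile_mode, policy_mode) where modes differ."""
    out = []
    for pid, pol in tree.get("firewall policy", {}).items():
        pol_mode = pol.get("inspection-mode", "flow")  # assumed default
        for key, sect in PROFILE_REFS.items():
            mode = tree.get(sect, {}).get(pol.get(key), {}).get("feature-set", "flow")
            if key in pol and mode != pol_mode:
                out.append((pid, key, pol[key], mode, pol_mode))
    return out
```

Calling `mismatches(parse(SAMPLE))` reports policy 2, whose flow inspection mode does not match the proxy feature set of `av-cdr`.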