Fortinet Forum
fjulianom
New Contributor III

Inspection modes and security profiles

Hi community,


I know the inspection mode is how FortiGate scans the traffic in a firewall policy. Flow-based is like looking at the TCP flow or taking snapshots of the traffic, and in proxy-based mode FortiGate intercepts the traffic like a man-in-the-middle scenario.

But how is the inspection mode related to security profiles? Can you configure a firewall policy in flow-based inspection mode and apply a proxy-based AV security profile? Or can you configure a firewall policy in proxy-based inspection mode and apply a flow-based web filtering profile?


Regards,

Julián

fjulianom
New Contributor III

Hi guys,


Any idea?


Regards,

Julián

Anonymous
Not applicable

Hello,

As per your query, if you add a flow-based inspection profile to a proxy-based policy, you will see a warning sign on the policy saying that some of the features will not work, or that the security profile needs to be configured as proxy-based, or based upon the inspection mode.
So to answer your question: yes, you can configure a firewall policy in proxy-based inspection mode and apply a flow-based web filtering profile. However, the inspection might not work the way it should.

fjulianom
New Contributor III

Hi Mohit,


Ok, I understand. But my actual question is: why do you need to set a flow-based or proxy-based inspection mode on the policy if you can set a flow-based or proxy-based web filtering (for example) profile? It seems you are setting the same thing twice. It seems they are the same. You are actually setting the inspection mode in the security profile. For me, setting the inspection mode is redundant since you choose the mode when you configure the security profile. Or am I missing something?


Regards,

Julian

Debbie_FTNT

Hey fjulianom,

The proxy/flow-mode inspection is per policy, I believe, because different processes will handle the inspection (and security profiles) based on that setting.

This policy setting decides which overall process takes responsibility for the packet/inspection, and loads the corresponding AV/IPS/webfilter/etc. modules.

There is a fixed order in which the traffic is inspected, and the first decision needs to be proxy- or flow-based inspection, before the packet(s) are checked against the different profiles.


The profiles have different inspection options because some underlying settings in the profile may depend on the inspection mode, like inspecting MAPI in the AntiVirus settings.

-> That is also why you get warnings when having a mismatch between policy inspection and UTM profile inspection mode.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
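A quick way to spot the policy/profile mismatch Debbie describes in a configuration backup, as an added example that is not from the thread or from Fortinet: it assumes the FortiOS 6.2+ CLI layout, where the firewall policy carries `inspection-mode` and each UTM profile carries `feature-set flow|proxy`, and runs over a small constructed config excerpt.

```python
from collections import defaultdict

# Constructed FortiOS-style excerpt, not taken from the thread. Assumed 6.2+ syntax:
# the policy has `inspection-mode`, each UTM profile has `feature-set flow|proxy`.
SAMPLE_CONFIG = """
config antivirus profile
    edit "av-proxy"
        set feature-set proxy
    next
end
config webfilter profile
    edit "wf-flow"
        set feature-set flow
    next
end
config firewall policy
    edit 1
        set inspection-mode flow
        set av-profile "av-proxy"
        set webfilter-profile "wf-flow"
    next
end
"""
# Policy attribute -> config table that defines the referenced profile.
PROFILE_TABLES = {"av-profile": "antivirus profile", "webfilter-profile": "webfilter profile"}

def parse_config(text):
    # Returns {table: {entry: {key: value}}} from a flat FortiOS config dump.
    tables, table, entry = defaultdict(dict), None, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("config "):
            table = line[7:]
        elif line.startswith("edit "):
            entry = line[5:].strip('"')
            tables[table][entry] = {}
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            tables[table][entry][key] = value.strip('"')
        elif line in ("next", "end"):   # leave the entry, and the table on "end"
            entry, table = None, (None if line == "end" else table)
    return tables

def find_mismatches(text):
    # Lists (policy, attr, profile, policy_mode, profile_mode) where the modes differ.
    cfg, hits = parse_config(text), []
    for pid, pol in cfg.get("firewall policy", {}).items():
        pmode = pol.get("inspection-mode", "flow")  # flow is the FortiOS default
        for attr, table in PROFILE_TABLES.items():
            name = pol.get(attr)
            if name is not None:
                fmode = cfg.get(table, {}).get(name, {}).get("feature-set", "flow")
                if fmode != pmode:
                    hits.append((pid, attr, name, pmode, fmode))
    return hits
```

On the sample, policy 1 is flow-based but references the proxy-based AV profile, so it is reported; the flow-based web filter matches and is not.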
fjulianom

Hi Debbie,


Ok, understood. I was configuring a FortiGate on v5.2.x just yesterday and realized that in this version the inspection mode is set under the security profiles:


https://community.fortinet.com/t5/FortiGate/Technical-Tip-Changing-inspection-mode/ta-p/189750


In this version you configure the inspection mode just once, which is clearer and simpler! What a pity this configuration setting has changed...


Regards,

Julián

Debbie_FTNT

Hey Julián,

I believe the changes to how the inspection mode is set were due to the fact that in 5.2 (and earlier versions) it could only be set in the profiles; there are known performance issues if profiles with different inspection modes are set in the same policy, so FortiOS moved to setting the inspection mode for the entire unit/per VDOM (6.0) and then per policy.

It does make it a bit trickier to understand the logic behind it, I agree :)

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++