Hi community,
I know the inspection mode is how FortiGate scans the traffic in a firewall policy. Flow-based is like looking at the TCP flow or taking snapshots of the traffic, and in proxy-based mode FortiGate intercepts the traffic like a man-in-the-middle scenario. But why do I have to define flow-based or proxy-based mode in the firewall policy if after that I also have to define flow-based or proxy-based mode in a security profile, e.g. antivirus or web filtering? It is like I am configuring the same thing twice?
Regards,
Julián
Hello Julián,
Yes, it seems you must configure the profile twice, but the reason is that the features available in flow mode might be different from those available in proxy mode.
And after you select the mode of your choice, you should not be able to select the profiles for the other mode.
Regards,
Jakub
Hi,
I know the features are different, but it makes no sense to configure the same thing in different sections. In other words, what does “inspection mode proxy-based” mean? And what does “antivirus profile proxy-based” mean? And what’s the difference between them?
Regards,
Julian
Hello,
I will try to put it in a different way.
Generally, when you are setting up a policy (a firewall rule), you have some expectation of what inspections should be there and what should be filtered.
Let's take an example where you want to use the Antivirus with CDR.
This is exclusive to proxy-mode.
So you set up the AV profile for use in proxy inspection mode with CDR turned on.
Then you create a policy for such traffic and you know you need to use the proxy inspection mode, in order to be able to use the configured AV profile.
You cannot use an AV profile in proxy in a policy that is configured in flow inspection mode, and vice versa.
Regards,
Jakub
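The pairing rule described in the reply above can be checked offline against a configuration backup. The following is an added example, not part of the thread and not Fortinet code: it assumes the FortiOS CLI keys `set inspection-mode` (firewall policy) and `set feature-set` (antivirus and web filter profiles), assumes that an omitted value means the default `flow`, and runs on a constructed config excerpt.

```python
import re

# Constructed sample (not from the thread): FortiOS-style CLI excerpt.
SAMPLE = """
config antivirus profile
    edit "av-cdr"
        set feature-set proxy
        config http
            set content-disarm enable
        end
    next
end
config firewall policy
    edit 1
        set inspection-mode proxy
        set av-profile "av-cdr"
    next
    edit 2
        set inspection-mode flow
        set av-profile "av-cdr"
    next
end
"""
# Policy key -> config section holding the referenced profile.
REFS = {"av-profile": "antivirus profile", "webfilter-profile": "webfilter profile"}

def parse(text):
    """Return {section: {entry: {key: value}}}; nested config blocks are skipped."""
    out, section, entry, depth = {}, None, None, 0
    for line in text.splitlines():
        tok = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
        if not tok:
            continue
        if tok[0] == "config":
            depth += 1
            if depth == 1:
                section, entry = out.setdefault(" ".join(tok[1:]), {}), None
        elif tok[0] == "end":
            depth -= 1
        elif depth == 1 and tok[0] == "edit" and len(tok) > 1:
            entry = section.setdefault(tok[1], {})
        elif depth == 1 and tok[0] == "set" and entry is not None and len(tok) > 2:
            entry[tok[1]] = tok[2]
    return out

def mismatches(text):
    """List (policy id, policy mode, profile key, profile name, profile feature set)."""
    cfg, found = parse(text), []
    for pid, pol in cfg.get("firewall policy", {}).items():
        mode = pol.get("inspection-mode", "flow")  # assumed default: flow
        for key, section in REFS.items():
            prof = cfg.get(section, {}).get(pol.get(key))
            if prof is not None and prof.get("feature-set", "flow") != mode:
                found.append((pid, mode, key, pol[key], prof.get("feature-set", "flow")))
    return found
```

Here `mismatches(SAMPLE)` reports policy 2, which is set to flow inspection but references the proxy-only `av-cdr` profile.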
Created on 02-04-2022 03:15 PM Edited on 02-06-2022 11:44 PM
Hi,
I agree, then why isn’t this done automatically? Why does the inspection mode configuration exist? I mean, it should be, if you configure a firewall policy with proxy-based AV the firewall policy would be set to proxy-based inspection automatically. If you configure a firewall policy with proxy-based web filtering the firewall policy would be set to proxy-based inspection automatically. If you configure a firewall policy with app control (which is always flow-based) the firewall policy would be set to flow-based inspection automatically. If you configure a firewall policy with flow-based AV (because the fewer features are enough for you) the firewall policy would be set to flow-based inspection automatically, and so on.
Having two points to configure the same thing is more difficult and can lead to mistakes (e.g. AV profile in proxy in a policy configured in flow inspection mode as you said).
Best regards,
Julian
Copyright 2024 Fortinet, Inc. All Rights Reserved.