You didn't mention what firmware you're running or what security services you're using. The answer really depends on your configuration.
It's worth noting that Inspection mode in FortiOS 6.4 and later is no longer a global setting but instead is a per-policy setting, so you can technically use both simultaneously, switching, mixing and matching as needed.
Assuming you're running FortiOS 6.2 or earlier, Inspection mode differences are covered in detail here:
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/721410/about-inspection-modes
Going from Flow Mode to Proxy mode is generally safe because Proxy Mode supports all of the Flow mode inspection policies (see second link). Generally, the only downside is that it will reduce the performance of your FortiGate a bit. The more policies and security filtering you're doing, the bigger the impact will be.
Going from Proxy Mode to Flow mode is trickier. Flow mode doesn't support features like ICAP inspection or Web Application Firewall, and only partially supports e-mail inspection (spam), so if you were already using these features they could get disabled by switching from Proxy to Flow.
Changing the inspection mode on 6.2 or earlier interrupts traffic.
If you upgrade to 6.4+ (obviously this interrupts traffic), you can change the inspection mode of a policy with minimal disruption (e.g. just change the mode of the policy, or clone the policy, switch the mode on the copy, then move the copy above the original policy).
Russ
NSE7
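As an added example (not part of the original answer, and not Fortinet code): a pre-change check that scans a configuration backup for firewall policies referencing the profile types the answer says flow mode drops or only partly supports. The setting names (`icap-profile`, `waf-profile`, `emailfilter-profile`, `spamfilter-profile`) are assumed FortiOS policy keywords, and the sample config is constructed.

```python
import re

# Settings the answer says are lost (ICAP, WAF) or only partly kept (e-mail/spam)
# when moving from proxy to flow. Names assume FortiOS CLI policy syntax.
AT_RISK = {
    "icap-profile": "not supported in flow mode",
    "waf-profile": "not supported in flow mode",
    "emailfilter-profile": "partially supported in flow mode",
    "spamfilter-profile": "partially supported in flow mode",  # assumed older name
}

# Constructed sample backup excerpt; policy and profile names are made up.
SAMPLE_CONFIG = """
config firewall policy
    edit 1
        set name "web-out"
        set waf-profile "portal-waf"
    next
    edit 2
        set emailfilter-profile "spam-basic"
        set icap-profile "dlp-icap"
    next
    edit 3
        set av-profile "default"
    next
end
"""

def audit_flow_switch(config_text):
    """Map policy id -> [(setting, profile, reason)] for at-risk policies."""
    findings, policy_id, in_block = {}, None, False
    for line in (raw.strip() for raw in config_text.splitlines()):
        if line == "config firewall policy":
            in_block = True
        elif not in_block:
            continue  # ignore everything outside the policy table
        elif line == "end":
            in_block = False
        elif m := re.fullmatch(r"edit (\d+)", line):
            policy_id = int(m.group(1))
        elif m := re.fullmatch(r'set (\S+) "?([^"]*)"?', line):
            if policy_id is not None and m.group(1) in AT_RISK:
                hit = (m.group(1), m.group(2), AT_RISK[m.group(1)])
                findings.setdefault(policy_id, []).append(hit)
    return findings

if __name__ == "__main__":
    for pid, hits in audit_flow_switch(SAMPLE_CONFIG).items():
        print(f"policy {pid}:", hits)
```

An empty result means no policy in the backup references those profile types; any hit is a policy to review before switching it to flow mode.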
In theory, there is no problem. But as a precaution, I advise that, in case of HA, you break the HA and make the change. In case of a problem, just switch traffic to the second box.
NSE-4