Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
JeffreyMik
New Contributor

Created on ‎04-09-2024 06:30 AM

Flow-based and proxy-based inspection explanation needed

Hello,

 

I have a number of questions regarding flow and proxy-based inspection on the Fortigate firewall. As far as I understand, the inspection modes can be set at both the policy and security profile levels (for some profiles).

 

1. Why should I opt for flow-based inspection within a policy, instead of proxy-based?

 

2. Why is it possible to set flow-based inspection at the policy level and then set a proxy-based inspection at the security profile level and add t his profile to the flow-based policy?

 

3. Which SSL inspection (Certificate inspection / DPI) should be used for the specific security profiles?

 

I've done some research on the various inspection possibilities, but it's still not clear to me how it works. Does anyone have tips and/or answers to my questions?

 


Thank you in advance,

 

Jeffrey

2312
0 Kudos
5 REPLIES 5
hbac
Staff
Staff

Created on ‎04-09-2024 06:49 AM

Hi @JeffreyMik,

 

Please refer to the admin guide: https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/721410/inspection-modes

 

Regards, 

2293
ozkanaltas
Valued Contributor III

Created on ‎04-09-2024 06:56 AM Edited on ‎04-09-2024 06:59 AM

Hello @JeffreyMik ,

 

1- Flow mode uses less resources rather than proxy mode. Because of that, my choice is flow mode. 

2-You can't use different types of policy and security profiles together. If you select proxy mode in the security profile you should enable proxy mode in policy.

3-You can use SSL deep-inspection for web filters, AV,ips, etc.. In summary, you need to use deep-inspection, if traffic uses SSL encryption. 

 

These images explain clearly the differenties between proxy mode and flow mode. 

 

Flow ModeFlow ModeProxy ModeProxy Mode

 

 

If you wan to get more information about flow and proxy-based inspection mode, you can review these articles and also you can find a lot of discussion in the community. 

 

 

https://docs.fortinet.com/document/fortigate/6.4.0/administration-guide/922096/inspection-mode-featu...

 

https://docs.fortinet.com/document/fortigate/6.4.0/administration-guide/659145/flow-mode-inspection-...

 

 

https://docs.fortinet.com/document/fortigate/6.4.0/administration-guide/969330/proxy-mode-inspection

 

 

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
2287
JeffreyMik
New Contributor
In response to ozkanaltas

Created on ‎04-10-2024 12:55 AM

So for my understanding. When I configure my policy using flow-based inspection and I configure an antivirus profile with flow-based, I need to use deep-packet inspection in order to inspect SSL-encrypted traffic?

And when I use flow-based, packets are checked packet-by-packet and when a vulnerability is found by the Fortigate, the connection gets closed between the server and the client?

Is it true that no replacement message can't be shown to the client when using flow-based inspection, because the Fortigate isn't in between the host and the server as shown in your proxy-based picture? 

2205
0 Kudos
akumar02
Staff
Staff

Created on ‎04-09-2024 07:00 AM

Hello Jeffrey,

 

Flow-based inspection takes a snapshot of content packets and uses pattern matching to identify security threats in the content.

Proxy-based inspection reconstructs content that passes through the FortiGate and inspects the content for security threats.

 

Ref: https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/721410/about-inspection-modes#:~:text=F....

 

This Forum post is also useful:

https://community.fortinet.com/t5/Support-Forum/Proxy-based-vs-Flow-based-Inspection-Mode-for-Web-Fi...

 

The default mode is Flow mode in Fortigate policies and Proxy mode can be used if you are using any proxy options. (e.g. Proxy policy)

Differences between SSL Certificate Inspection and Full SSL Inspection

 

https://community.fortinet.com/t5/FortiGate/Technical-Note-Differences-between-SSL-Certificate-Inspe...

 

........

Arun

Best Regards,
. . . . . . . . . . . . . . . . . . . . . . . .
Arun Kumar | TAC Engineer II
FORTINET TAC - America EAST
NSE Certified: 1,2,3,4,5,7
Office Hours: 9AM-6PM EST (Tue-Sat)
Contact: https://fortinet.com/support-and-training/support/contact.html
Community Forum: https://community.fortinet.com
# Is there anything Fortinet could have assisted with further, better, or differently?
# Simply request a Manager follow-up
2284
Maerre
Contributor

Created on ‎04-10-2024 01:05 AM

Hi,

 

here you can find all your answers:

 

https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/721410/about-inspection-modes

2201
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.