Hello,
I have a number of questions regarding flow and proxy-based inspection on the Fortigate firewall. As far as I understand, the inspection modes can be set at both the policy and security profile levels (for some profiles).
1. Why should I opt for flow-based inspection within a policy, instead of proxy-based?
2. Why is it possible to set flow-based inspection at the policy level and then set a proxy-based inspection at the security profile level and add this profile to the flow-based policy?
3. Which SSL inspection (Certificate inspection / DPI) should be used for the specific security profiles?
I've done some research on the various inspection possibilities, but it's still not clear to me how it works. Does anyone have tips and/or answers to my questions?
Thank you in advance,
Jeffrey
Hi @JeffreyMik,
Please refer to the admin guide: https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/721410/inspection-modes
Regards,
Hello @JeffreyMik ,
1- Flow mode uses fewer resources than proxy mode. Because of that, my choice is flow mode.
2- You can't use different types of policy and security profiles together. If you select proxy mode in the security profile, you should enable proxy mode in the policy.
3- You can use SSL deep inspection for web filters, AV, IPS, etc. In summary, you need to use deep inspection if the traffic uses SSL encryption.
These images clearly explain the differences between proxy mode and flow mode.
If you want more information about the flow- and proxy-based inspection modes, you can review these articles, and you can also find a lot of discussion in the community.
https://docs.fortinet.com/document/fortigate/6.4.0/administration-guide/969330/proxy-mode-inspection
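To make the pairing described in answers 1 to 3 concrete, here is an added configuration example in FortiOS CLI syntax (6.4/7.x). It is not taken from the reply above or from Fortinet's documentation; the interface names port1/port2, the policy IDs 10 and 20 and the profile names av-flow and av-proxy are placeholders I chose. The SSL/SSH profiles certificate-inspection and deep-inspection are the built-in ones that ship with FortiOS. The first policy is flow-based with a flow-mode antivirus profile and certificate inspection; the second is proxy-based with a proxy-mode antivirus profile and deep inspection, which is the combination the reply recommends when encrypted traffic must actually be scanned.

```fortios
# Added example, FortiOS 6.4/7.x syntax. port1/port2, policy IDs 10 and 20,
# and the profile names av-flow / av-proxy are placeholders, not real objects.

# Antivirus profiles: feature-set selects flow or proxy mode on the profile
# (6.4 and later; 6.2 used "set inspection-mode" on the profile instead).
config antivirus profile
    edit "av-flow"
        set comment "Flow-mode AV, usable on a flow-based policy"
        set feature-set flow
        config http
            set av-scan block
        end
    next
    edit "av-proxy"
        set comment "Proxy-mode AV, requires a proxy-based policy"
        set feature-set proxy
        config http
            set av-scan block
        end
    next
end

config firewall policy
    # Policy 10: flow-based (the default mode). Only flow-mode profiles
    # attach here, as the reply above states. With certificate-inspection the
    # FortiGate only sees the TLS handshake (SNI, server certificate), so the
    # AV profile cannot scan the encrypted HTTP body.
    edit 10
        set name "flow-av-certinspect"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode flow
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "av-flow"
        set logtraffic all
        set nat enable
    next
    # Policy 20: proxy-based with deep inspection. The FortiGate terminates the
    # TLS session and re-signs the server certificate with its own CA, so the
    # decrypted content reaches the proxy-mode AV profile and a replacement
    # page can be served on a block.
    edit 20
        set name "proxy-av-deepinspect"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set av-profile "av-proxy"
        set logtraffic all
        set nat enable
    next
end
```

Two practical checks before relying on policy 20: deep inspection only works cleanly if the CA certificate the FortiGate uses for re-signing is installed as trusted on every client behind port1, otherwise browsers will show certificate warnings for every HTTPS site; and applications that pin their server certificate will fail under deep inspection, so those destinations are normally exempted in the SSL/SSH profile rather than scanned.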
So, for my understanding: when I configure my policy using flow-based inspection and I configure an antivirus profile with flow-based inspection, I need to use deep packet inspection in order to inspect SSL-encrypted traffic?
And when I use flow-based inspection, packets are checked packet by packet, and when a vulnerability is found by the FortiGate, the connection between the server and the client gets closed?
Is it true that no replacement message can be shown to the client when using flow-based inspection, because the FortiGate isn't in between the host and the server, as shown in your proxy-based picture?
Hello Jeffrey,
Flow-based inspection takes a snapshot of content packets and uses pattern matching to identify security threats in the content.
Proxy-based inspection reconstructs content that passes through the FortiGate and inspects the content for security threats.
This Forum post is also useful:
The default mode is Flow mode in Fortigate policies and Proxy mode can be used if you are using any proxy options. (e.g. Proxy policy)
Differences between SSL Certificate Inspection and Full SSL Inspection
........
Arun
Hi,
here you can find all your answers:
https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/721410/about-inspection-modes
Copyright 2024 Fortinet, Inc. All Rights Reserved.