Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
JeffreyMik
New Contributor

Flow-based and proxy-based inspection explanation needed

Hello,

 

I have a number of questions regarding flow and proxy-based inspection on the Fortigate firewall. As far as I understand, the inspection modes can be set at both the policy and security profile levels (for some profiles).

 

1. Why should I opt for flow-based inspection within a policy, instead of proxy-based?

 

2. Why is it possible to set flow-based inspection at the policy level and then set a proxy-based inspection at the security profile level and add t his profile to the flow-based policy?

 

3. Which SSL inspection (Certificate inspection / DPI) should be used for the specific security profiles?

 

I've done some research on the various inspection possibilities, but it's still not clear to me how it works. Does anyone have tips and/or answers to my questions?

 


Thank you in advance,

 

Jeffrey

5 REPLIES 5
hbac
Staff
Staff
ozkanaltas
Valued Contributor III

Hello @JeffreyMik ,

 

1- Flow mode uses less resources rather than proxy mode. Because of that, my choice is flow mode. 

2-You can't use different types of policy and security profiles together. If you select proxy mode in the security profile you should enable proxy mode in policy.

3-You can use SSL deep-inspection for web filters, AV,ips, etc.. In summary, you need to use deep-inspection, if traffic uses SSL encryption. 

 

These images explain clearly the differenties between proxy mode and flow mode. 

 

Flow ModeFlow ModeProxy ModeProxy Mode

 

 

If you wan to get more information about flow and proxy-based inspection mode, you can review these articles and also you can find a lot of discussion in the community. 

 

 

https://docs.fortinet.com/document/fortigate/6.4.0/administration-guide/922096/inspection-mode-featu...

 

https://docs.fortinet.com/document/fortigate/6.4.0/administration-guide/659145/flow-mode-inspection-...

 

 

https://docs.fortinet.com/document/fortigate/6.4.0/administration-guide/969330/proxy-mode-inspection

 

 

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
JeffreyMik

So for my understanding. When I configure my policy using flow-based inspection and I configure an antivirus profile with flow-based, I need to use deep-packet inspection in order to inspect SSL-encrypted traffic?

And when I use flow-based, packets are checked packet-by-packet and when a vulnerability is found by the Fortigate, the connection gets closed between the server and the client?

Is it true that no replacement message can't be shown to the client when using flow-based inspection, because the Fortigate isn't in between the host and the server as shown in your proxy-based picture? 

akumar02
Staff
Staff

Hello Jeffrey,

 

Flow-based inspection takes a snapshot of content packets and uses pattern matching to identify security threats in the content.

Proxy-based inspection reconstructs content that passes through the FortiGate and inspects the content for security threats.

 

Ref: https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/721410/about-inspection-modes#:~:text=F....

 

This Forum post is also useful:

https://community.fortinet.com/t5/Support-Forum/Proxy-based-vs-Flow-based-Inspection-Mode-for-Web-Fi...

 

The default mode is Flow mode in Fortigate policies and Proxy mode can be used if you are using any proxy options. (e.g. Proxy policy)

Differences between SSL Certificate Inspection and Full SSL Inspection

 

https://community.fortinet.com/t5/FortiGate/Technical-Note-Differences-between-SSL-Certificate-Inspe...

 

........

Arun

Best Regards,
. . . . . . . . . . . . . . . . . . . . . . . .
Arun Kumar | TAC Engineer II
FORTINET TAC - America EAST
NSE Certified: FCA, FCF, FCP-NS, FCSS-NS
Office Hours: 9AM-6PM EST (Tue-Sat)
Contact: https://fortinet.com/support-and-training/support/contact.html
Community Forum: https://community.fortinet.com
# Is there anything Fortinet could have assisted with further, better, or differently?
# Simply request a Manager follow-up
Maerre
Contributor

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors