usmansa1
New Contributor II

Flow based inspection packet snapshot ?

Hi,

While studying flow-based inspection, I read that the FGT takes a snapshot of the packet. I am confused about what the snapshot of the packet is, and how the packet is processed using flow-based inspection.

Because taking a snapshot means taking a copy of the packet, and the copy of the packet is buffered, and the whole traffic stream needs to be captured to match against the signature, so how is this mode efficient?

What I read is that the FGT takes the snapshot of the packet, compares it against the pre-existing signature database and holds the last packet. Now this approach may be valid for TCP, because TCP always sends the connection termination request, but UDP doesn't send a connection termination request, so the last packet may not be known. Therefore, in the case of UDP, how does the FGT realize that this is the last packet in the stream?

amrit
Staff

1. What is a packet snapshot in FortiGate?

A packet snapshot is nothing but inspecting random packets from the payload. When a firewall policy's inspection mode is set to flow, traffic flowing through the policy will not be buffered by the FortiGate. https://docs.fortinet.com/document/fortigate/7.4.4/administration-guide/659145/flow-mode-inspection-...

 

2. How the firewall tracks UDP packets

Even though UDP is a stateless protocol, FortiGate still keeps track of 2 different 'states'.

State                 Value
UDP Reply not seen    0
UDP Reply seen        1

UDP time to live (TTL) / expire timer is 180 seconds by default.

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-FortiGate-session-table-information/...

 

Amritpal Singh
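To make the two UDP states and the expire timer from the reply above concrete, here is an added example (not FortiGate code, and not from this thread) that models a minimal UDP session table: a flow is created in state 0 when the first datagram is seen, moves to state 1 once a packet arrives in the reverse direction, and is removed when the expire timer lapses with no further traffic. The session key, the `UdpSessionTable` class and the constructed DNS-style packet trace in `demo()` are assumptions for illustration; only the state values and the 180-second default come from the reply.

```python
from dataclasses import dataclass

# Default UDP expire timer quoted in the reply above (seconds)
UDP_EXPIRE_SECONDS = 180

# State values as listed in the reply's table
UDP_REPLY_NOT_SEEN = 0
UDP_REPLY_SEEN = 1


@dataclass
class UdpSession:
    state: int            # 0 = reply not seen, 1 = reply seen
    originator: tuple     # (ip, port) that sent the first datagram
    expires_at: float     # absolute time at which the entry is dropped


class UdpSessionTable:
    """Toy session table keyed by the two endpoints of a UDP flow.
    The key is direction-independent so both sides of the exchange
    land on the same entry (assumed design, for illustration only)."""

    def __init__(self, ttl: float = UDP_EXPIRE_SECONDS):
        self.ttl = ttl
        self.sessions: dict[tuple, UdpSession] = {}

    @staticmethod
    def key(src: str, sport: int, dst: str, dport: int) -> tuple:
        a, b = (src, sport), (dst, dport)
        return (a, b) if a <= b else (b, a)

    def expire(self, now: float) -> int:
        """Drop every session whose timer has lapsed; return how many were dropped."""
        expired = [k for k, s in self.sessions.items() if s.expires_at <= now]
        for k in expired:
            del self.sessions[k]
        return len(expired)

    def handle(self, now: float, src: str, sport: int, dst: str, dport: int) -> int:
        """Process one datagram observed at time `now`; return the session state afterwards."""
        self.expire(now)
        k = self.key(src, sport, dst, dport)
        s = self.sessions.get(k)
        if s is None:
            # First datagram of the flow: create the entry in state 0
            self.sessions[k] = UdpSession(UDP_REPLY_NOT_SEEN, (src, sport), now + self.ttl)
            return UDP_REPLY_NOT_SEEN
        if s.state == UDP_REPLY_NOT_SEEN and (src, sport) != s.originator:
            # Traffic from the other endpoint: the reply has now been seen
            s.state = UDP_REPLY_SEEN
        # Any packet on the flow refreshes the expire timer
        s.expires_at = now + self.ttl
        return s.state


def demo():
    """Constructed trace: a client DNS query, the server's answer, a second
    query inside the timer, then 180 s of silence."""
    table = UdpSessionTable()
    client = ("192.0.2.10", 51000)      # constructed sample addresses
    server = ("198.51.100.53", 53)
    states = [
        table.handle(0.0, *client, *server),     # query  -> state 0
        table.handle(0.2, *server, *client),     # answer -> state 1
        table.handle(100.0, *client, *server),   # new query, same flow -> stays 1
    ]
    active_before = len(table.sessions)          # one tracked flow
    expired = table.expire(100.0 + UDP_EXPIRE_SECONDS)  # timer lapsed
    return states, active_before, expired, len(table.sessions)


if __name__ == "__main__":
    print(demo())
```

The point of the model is the answer to the original question: the firewall never needs to recognise a "last" UDP packet. The entry simply lives until the expire timer runs out, and every packet on the flow pushes that timer forward.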
usmansa1
New Contributor II

Hey mate, thanks for answering the question, but then another question comes to my mind: for example, if an attack vector comes in and the packets are encrypted, then how will flow-based inspection detect it, because those packets are encrypted and the only visible information is layer 3?

amrit
Staff

We recommend using deep inspection for SSL-encrypted traffic: https://docs.fortinet.com/document/fortigate/7.4.4/administration-guide/122078/deep-inspection

Amritpal Singh