Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Jeff_Roback
Contributor

Flow vs proxy based UTM best practices

I'm curious what people are doing / finding in terms of flow based vs. proxy based antivirus at this point. 

 

I noticed in the 5.6.3 release notes that for new installs they're hiding the option for proxy based services from the GUI and you have to go to the CLI to even turn it on.  But I'm wondering if this is a marketing thing about driving people who do performance tests to use it in flow mode... or if they truly think most customers should be using flow mode at this point.  

 

The documentation hedges the bets a bit by implying that if you really really need good protection you should probably use proxy mode but otherwise flow mode is just super.

 

I tried out flow mode when it first came out and had really bad results... so I'm a bit hesitant at this point.   I know it's a completely rewritten feature at this point... but  overall I'm wondering what the tradeoff is for performance/security/lack of problems for proxy vs. flow.

 

Anyone have any experience they can share?

 

Thanks!

Jeff Roback

Jeff Roback
12 REPLIES 12
tanr
Valued Contributor II

The docs for 5.4 and 5.6 explicitly state that Web Filter in flow mode can't block youtube searches. 5.4 docs: http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-security-profiles-54/Inspection%20Mod....  5.6 docs: http://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-security-profiles/Inspection%20Modes/...

 

Which FortiOS version are you running?

 

I changed a 5.4.x 300D from proxy to flow, then back again, but that was a testing scenario, not production, and quite a while back.  Before you jump into this, I would definitely read through the docs for security profiles inspection modes, and the Parallel Path Processing / Life of a Packet section to get a feel for what will change.

terry_miesse

We've been able to block Facebook (and most other social sites) successfully in proxy mode.  The key for us was to turn on SSL handshake checking, since all of these sites have gone to HTTPS.  It doesn't do a full MITM on the https session, it just checks the hostname portion of the certificate that the server uses to negotiate TLS to see if it maps to a blocked category.

forti_ogg
New Contributor

According to this doc, blocking facebook should work fine in both proxy and flow:

http://cookbook.fortinet.com/blocking-facebook-56/

We're running FortiOs 5.6.3

 

And we'we tried whats in the doc, and it doesn't work. You'll bypass it as long as you use an android mobile device with chrome browser.

 

If you try to access facebook from a computer, the firewall will block you. But not from a phone...

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors