I'm curious what people are doing / finding in terms of flow based vs. proxy based antivirus at this point.
I noticed in the 5.6.3 release notes that for new installs they're hiding the option for proxy based services from the GUI and you have to go to the CLI to even turn it on. But I'm wondering if this is a marketing thing about driving people who do performance tests to use it in flow mode... or if they truly think most customers should be using flow mode at this point.
The documentation hedges the bets a bit by implying that if you really really need good protection you should probably use proxy mode but otherwise flow mode is just super.
I tried out flow mode when it first came out and had really bad results... so I'm a bit hesitant at this point. I know it's a completely rewritten feature at this point... but overall I'm wondering what the tradeoff is for performance/security/lack of problems for proxy vs. flow.
Anyone have any experience they can share?
Thanks!
Jeff Roback
The docs for 5.4 and 5.6 explicitly state that Web Filter in flow mode can't block youtube searches. 5.4 docs: http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-security-profiles-54/Inspection%20Mod.... 5.6 docs: http://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-security-profiles/Inspection%20Modes/...
Which FortiOS version are you running?
I changed a 5.4.x 300D from proxy to flow, then back again, but that was a testing scenario, not production, and quite a while back. Before you jump into this, I would definitely read through the docs for security profiles inspection modes, and the Parallel Path Processing / Life of a Packet section to get a feel for what will change.
We've been able to block Facebook (and most other social sites) successfully in proxy mode. The key for us was to turn on SSL handshake checking, since all of these sites have gone to HTTPS. It doesn't do a full MITM on the https session, it just checks the hostname portion of the certificate that the server uses to negotiate TLS to see if it maps to a blocked category.
According to this doc, blocking Facebook should work fine in both proxy and flow:
http://cookbook.fortinet.com/blocking-facebook-56/
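The hostname check described a couple of posts up (look at the name in the TLS handshake instead of decrypting the session), as an added illustration that is not FortiOS code and not from anyone in this thread: it parses the server_name (SNI) extension from a ClientHello, matches the name and its parent domains against a blocked-category table, and reports the case where no SNI is present so the decision has to fall back to the server certificate. The category table and the ClientHello builder are constructed for the example; treating the SNI as the first place the hostname is visible is my assumption about how such a check is ordered.

```python
import struct

BLOCKED_DOMAINS = {"facebook.com": "social", "fbcdn.net": "social"}  # constructed


def extract_sni(record):
    """Return the SNI host_name from a TLS ClientHello record, or None."""
    if len(record) < 5 or record[0] != 0x16:          # content type: handshake
        return None
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not body or body[0] != 0x01:                   # handshake type: ClientHello
        return None
    p = 4 + 2 + 32                                    # hs header, version, random
    p += 1 + body[p]                                  # session id
    p += 2 + struct.unpack("!H", body[p:p + 2])[0]    # cipher suites
    p += 1 + body[p]                                  # compression methods
    if p + 2 > len(body):
        return None                                   # no extensions block at all
    ext_end = p + 2 + struct.unpack("!H", body[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", body[p:p + 4])
        p += 4
        if etype == 0:   # server_name: list len(2), name type(1), name len(2), name
            name_len = struct.unpack("!H", body[p + 3:p + 5])[0]
            return body[p + 5:p + 5 + name_len].decode("ascii", "replace")
        p += elen
    return None


def category_for(host):
    """Match the host or any parent domain (not a substring) against the table."""
    labels = host.lower().rstrip(".").split(".")
    parents = (".".join(labels[i:]) for i in range(len(labels)))
    return next((BLOCKED_DOMAINS[d] for d in parents if d in BLOCKED_DOMAINS), None)


def decide(record):
    """'block:<category>', 'allow', or 'no-sni' (fall back to the server cert)."""
    host = extract_sni(record)
    cat = category_for(host) if host else None
    return "no-sni" if host is None else f"block:{cat}" if cat else "allow"


def build_client_hello(host):
    """Constructed minimal TLS 1.2 ClientHello record, used only for testing."""
    name = (host or "").encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni if host is not None else b""
    hello = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
             + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

A client that omits the SNI, or a connection that is not a TLS handshake at all, lands in the "no-sni" bucket, which is exactly the traffic a name-only check cannot classify on its own.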
We're running FortiOS 5.6.3
And we've tried what's in the doc, and it doesn't work. You'll bypass it as long as you use an Android mobile device with the Chrome browser.
If you try to access Facebook from a computer, the firewall will block you. But not from a phone...