FortiGate Inspection mode used on the policy
Hello,
I am very new to FortiGate and I am studying for the Network Security Certification.
I have the following question, for which I am not able to confirm my answer on the internet.
FortiGate - version 7.4.3
Say I configure a Firewall rule with:
- Inspection Mode as: Flow-based
- In the same Rule I add security profile >> Antivirus >> In the antivirus profile, feature set is configured as Proxy based.
Does the above mean that the firewall rule will now use proxy-based mode for all the traffic?
Thanks for your assistance.
Aaron Olguin
Hello @aolguin ,
If you configure proxy-based on an antivirus profile, you can't use this profile with a flow-based policy. They should match.
If you create a proxy-based policy, yes, all traffic matched by the rule will be processed in proxy mode.
NSE 4-5-6-7 OT Sec - ENT FW
Hello @ozkanaltas
Thank you for the reply. That is what I thought, but unfortunately the FortiGate allows it:
I am using a FortiGate 60F, version v7.4.3 build2573
I have the following:
for the antivirus profile
Maybe a bug then?
But the question remains on the scenario above: does that mean that inspection mode is using flow-based or proxy-based (as overridden by the antivirus profile)?
Thanks,
Aaron Olguin
Hello @aolguin ,
In my opinion, this is related to the default profile. If you create a custom profile, you will see that you can't use this profile with a non-matching policy.
In my lab, I also tried that scenario. I think the policy resumes working in flow mode, because the antivirus profile warned me.
Some features (MAPI, SSH, CDR) need proxy mode in the antivirus profile. If you resume with this configuration, these features will not work.
NSE 4-5-6-7 OT Sec - ENT FW
Thank you. Indeed, with a custom antivirus profile I see we cannot mix inspection mode and feature set under security profiles. They have to match.
Now it makes sense.
Note: this behavior on the default profile was confusing!
So that means your policy will remain in flow-mode and it just will not use proxy features that are configured in the used AV profile.
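
An added example, not part of any post in this thread: a small audit over a FortiOS-style configuration dump that lists flow-mode policies referencing an antivirus profile whose feature set is proxy, the combination discussed above. The sample config is constructed, and treating an unset `inspection-mode` or `feature-set` as `flow` is an assumption.

```python
# Constructed FortiOS-style excerpt; policy IDs and contents are made up.
SAMPLE_CONFIG = """
config antivirus profile
    edit "default"
        set feature-set proxy
    next
end
config firewall policy
    edit 1
        set inspection-mode flow
        set av-profile "default"
    next
    edit 2
        set inspection-mode proxy
        set av-profile "default"
    next
end
"""

def parse_table(config, table):
    """Return {entry: {setting: value}} for one top-level 'config <table>' block."""
    entries, current, inside = {}, None, False
    for line in map(str.strip, config.splitlines()):
        if line == f"config {table}":
            inside = True
        elif not inside:
            continue
        elif line.startswith("edit "):
            current = line[5:].strip('"')
            entries[current] = {}
        elif line == "next":
            current = None
        elif line == "end" and current is None:
            break  # end of the table itself, not of a nested block
        elif current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            entries[current][key] = value.strip('"')
    return entries

def flow_policies_with_proxy_av(config):
    """(policy ID, AV profile) pairs where a flow-mode policy uses a proxy feature-set profile."""
    profiles = parse_table(config, "antivirus profile")
    hits = []
    for pid, pol in parse_table(config, "firewall policy").items():
        mode = pol.get("inspection-mode", "flow")  # assumed default when unset
        av = profiles.get(pol.get("av-profile"), {})
        if mode == "flow" and av.get("feature-set", "flow") == "proxy":
            hits.append((pid, pol["av-profile"]))
    return hits
```

Each pair returned is a policy where the proxy-only antivirus features named in the thread (MAPI, SSH, CDR) would not be applied.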