Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
aolguin
New Contributor II

FortiGate Inspection mode used on the policy

Hello,

 

I am very new to FortiGate and I am studying for the Network Security Certification.  

I have the following question, which I am not able to confirm my answer on the internet. 

FortiGate - version 7.4.3

 

Say I configure a Firewall rule with:

  • Inspection Mode as: Flow-based 
  • In the same Rule I add security profile >> Antivirus >> In the antivirus profile, feature set is configured as Proxy based. 

Does the above means that now the firewall rule will use Proxy-based mode for all the traffic? 

 

Thanks for your assistance. 

Aaron Olguin 

 

 

 

1 Solution
ozkanaltas
Valued Contributor III

Hello @aolguin ,

 

In my opinion, this is related to the default profile. If you create a custom profile you will see can't use this profile with a not-matched policy. 

 

In my lab, I tried also that scenario. I think policy resumes working with flow mode. Because the antivirus profile warned me.

 

image.png

 

Some features (MAPI, SSH, CDR) need to proxy mode in the antivirus profile. If you resume with this configuration, these features will not work. 

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW

View solution in original post

If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
5 REPLIES 5
ozkanaltas
Valued Contributor III

Hello @aolguin ,

 

If you configure a proxy based on an antivirus profile, you can't use this profile with a flow-based policy. They should match. 

 

If you create a proxy-based policy. Yes, your matched all traffic with the rule, will processed in proxy mode.

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
aolguin
New Contributor II

Hello @ozkanaltas 

 

Thank you for the reply. That is what I thought, but unfortunately the FortiGate allows it:

I am using a FortiGate 60F, version v7.4.3 build2573 

I have the following: 

image.png

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

for the antivirus profile 

image.png

 

 

 

 

 

Maybe a bug then?

But questions remains on the scenario above, does that mean that inspection mode is using Flow-based or proxy-based (as override by Antivirus profile)? 

 

Thanks,

Aaron Olguin 

ozkanaltas
Valued Contributor III

Hello @aolguin ,

 

In my opinion, this is related to the default profile. If you create a custom profile you will see can't use this profile with a not-matched policy. 

 

In my lab, I tried also that scenario. I think policy resumes working with flow mode. Because the antivirus profile warned me.

 

image.png

 

Some features (MAPI, SSH, CDR) need to proxy mode in the antivirus profile. If you resume with this configuration, these features will not work. 

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
aolguin
New Contributor II

Thank you, indeed with a custom antivirus profile I see we cannot mix, inspection mode and feature set under security profiles. They have to match 

Now it make sense. 

 

Note: this behavior on the default profile was confusing !  

AEK

So that means your policy will remain in flow-mode and it just will not use proxy features that are configured in the used AV profile.

AEK
AEK
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors