Hi Experts
Please answer my query below.
I found that neither flow-based nor proxy-based inspection terminates the session in the firewall; it shows that in flow mode it checks packet by packet and in proxy mode it checks a bunch of packets at a time. My question is: how does SSL inspection work without terminating the session in the firewall the way the BIG-IP F5 full proxy does?
Hi,
Inspection (once the traffic is decrypted) on a device in flow-based inspection mode is always performed by the IPS engine, which works only in flow-based inspection mode. Inspection on a device in proxy-based inspection mode is performed by a proxy (AV, Web Filtering, etc.) or by the IPS engine: Application Control and IPS are scanned by the IPS engine, which always works in flow-based inspection mode, even on a FG that works in proxy-based inspection mode.
It means a device in flow-based inspection mode can perform inspection only in flow mode.
A device that works in proxy-based inspection mode performs inspection in proxy mode, and only inspection performed by the IPS engine is done in flow-based mode (IPS, App Control).
SSL decryption - interesting question indeed. It looks like the decryption in flow and proxy inspection mode is performed (initiated) by different processes, but in the end, in both cases, it is offloaded to the CP.
Proxy based:
“The packets are then sent to the FortiOS UTM/NGFW proxy for proxy-based inspection. The proxy first determines if the traffic is SSL traffic that should be decrypted for SSL inspection. SSL traffic to be inspected is decrypted by the proxy. SSL decryption is offloaded to and accelerated by CP8 or CP9 processors.”
“Decrypted SSL traffic is sent to the IPS engine (where IPS and Application Control can be applied) before re-entering the proxy where actual proxy-based inspection is applied to the decrypted SSL traffic. Once decrypted SSL traffic has been inspected it is re-encrypted and forwarded to its destination. SSL encryption is offloaded to and accelerated by CP8 or CP9 processors. If a threat is found the proxy can block the threat and replace it with a replacement message.”
Flow based:
"Before flow-based inspection can be applied the IPS engine uses a series of decoders to determine the appropriate security modules to be applied depending on the protocol of the packet and on policy settings. In addition, if SSL inspection is configured, the IPS engine also decrypts SSL packets. SSL decryption is offloaded and accelerated by CP8 or CP9 processors."
Source:
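As an added example (not from the original post or Fortinet's documentation), the two pipelines the answer describes expressed as FortiOS firewall policies, assuming FortiOS 6.2+ syntax where inspection-mode is set per policy: policy 10 runs in proxy mode, policy 11 in flow mode, and both reference the built-in deep-inspection SSL profile so the decrypted stream actually reaches the IPS engine. Interface names, policy IDs and the profile choices are assumptions.

```fortios
# Added example (assumed FortiOS 6.2+ syntax); interface names, policy IDs and
# the referenced profiles are assumptions for illustration.
config firewall policy
    # Proxy-mode policy: the proxy decrypts TLS (offloaded to CP), hands the
    # cleartext to the IPS engine (IPS / Application Control), then applies
    # proxy-based AV and web filtering before re-encrypting.
    edit 10
        set name "https-out-proxy"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set inspection-mode proxy
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set av-profile "default"
        set webfilter-profile "default"
        set ips-sensor "default"
        set application-list "default"
        set logtraffic all
        set nat enable
    next
    # Flow-mode policy: the IPS engine itself decrypts TLS (again CP-offloaded)
    # and its decoders select the flow-based modules; AV and web filtering run
    # flow-based here, so no proxy is involved.
    edit 11
        set name "https-out-flow"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set inspection-mode flow
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set av-profile "default"
        set webfilter-profile "default"
        set ips-sensor "default"
        set application-list "default"
        set logtraffic all
        set nat enable
    next
end
```

If the built-in certificate-inspection profile is referenced instead of deep-inspection, only the server certificate is examined and the payload is never decrypted, so in either mode the IPS engine and proxies see ciphertext only.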
Copyright 2024 Fortinet, Inc. All Rights Reserved.