Support Forum
Muhammad_Umer
New Contributor

Inspection Mode

Dear guys, I need help.

My firewall is in proxy-mode inspection. I just want to change some of my IPv4 policies from proxy mode to flow mode. This is only possible through the CLI. Can you guide me to the exact syntax of the commands needed to perform this task?

Ashik_Sheik
Contributor II

To control your FortiGate's security profile inspection mode in FortiOS 5.6, you can select Flow-based or Proxy inspection modes from System > Settings. Having control over flow and proxy mode is helpful if you want to ensure that only flow inspection mode is used.

In most cases proxy mode is preferred because more security profile features are available along with more configuration options for these individual features. Some implementations, however, may require all security profile scanning to only use flow mode. In this case, you can set your FortiGate to flow mode knowing that proxy mode inspection will not be used.

CLI syntax

The following CLI commands can be used to configure the inspection and policy modes:

config system settings
    set inspection-mode {proxy | flow}
    set policy-mode {standard | ngfw}
end

Regds,

Ashik
Muhammad_Umer

I had also studied this whole article.

You did not get my point.

I said that I just want to change a single IPv4 policy, not the whole inspection mode from proxy to flow-based.

Example: I have policies 1-20, and I just want to change the inspection mode of policy 10 from proxy to flow mode. How can I do so?

 

Thank you.

tanr
Valued Contributor II

In general Fortinet hasn't recommended mixing proxy and flow profiles (at least in one policy), though it was possible, at least in 5.4.x.  Here's a discussion of this: https://forum.fortinet.com/tm.aspx?m=135666.  My guess is that it's a case they don't fully test.

 

Toshi_Esumi

tanr,

Did you happen to figure out whether this big conversation about 5.4 still applies to 5.6, and then to 6.0?

Toshi

Ashik_Sheik

Hi,

Proxy-based inspection mode is recommended for deep packet inspection.

For AV, the CLI syntax is as follows:

config antivirus profile
    edit AV-Flow
        set inspection-mode flow-based
    next
end

Likewise, you can set the other security filters as well.

 

Regds,

Ashik
tanr
Valued Contributor II

Hi Toshi,

No, I haven't gotten official or unofficial word on this yet.

Under 5.6.5 I briefly tried running the policies I had used for testing mixed proxy and flow. They didn't break, but I didn't leave them running long enough to call that a valid test. My guess would be that we're still in a similar state, where it works but might not have been fully tested.

That said, per https://docs.fortinet.com/uploaded/files/4287/fortigate-parallel-life-60.pdf IPS is still only flow, and AV and Web Filter will be Proxy if you're in proxy inspection mode, so we're getting some mixed by default. From that document:

"IPS and Application Control are only applied using flow-based inspection. Web Filtering, DLP and Antivirus can also be applied using proxy-based inspection."
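As an added example (not code from any poster in this thread or from Fortinet), here is a Python check for the concern tanr raises about mixing proxy and flow profiles inside one policy. It parses a constructed FortiOS configuration dump written in the 5.4-style syntax Ashik shows above (`set inspection-mode flow-based` on an antivirus profile; the same key on a webfilter profile is assumed), treats the global `inspection-mode` under `config system settings` as the default for any profile that does not set its own (an assumption, not something the thread confirms), treats IPS sensors and application lists as flow-only per the document tanr quotes, and lists the policies whose AV and web filter profiles disagree on proxy versus flow. All profile names, policy IDs and the config text itself are constructed sample data.

```python
import shlex

# Constructed sample: a FortiOS 5.4-style config dump (not a real device export).
SAMPLE_CONFIG = """
config system settings
    set inspection-mode proxy
end
config antivirus profile
    edit "AV-Flow"
        set inspection-mode flow-based
    next
    edit "AV-Proxy"
        set inspection-mode proxy
    next
    edit "AV-Default"
        set comment "no inspection-mode line: assumed to follow the global setting"
    next
end
config webfilter profile
    edit "WF-Flow"
        set inspection-mode flow-based
    next
    edit "WF-Proxy"
        set inspection-mode proxy
    next
end
config ips sensor
    edit "default"
    next
end
config firewall policy
    edit 10
        set name "mixed-av-flow-wf-proxy"
        set av-profile "AV-Flow"
        set webfilter-profile "WF-Proxy"
        set ips-sensor "default"
    next
    edit 11
        set name "all-proxy"
        set av-profile "AV-Proxy"
        set webfilter-profile "WF-Proxy"
    next
    edit 12
        set name "flow-av-only"
        set av-profile "AV-Flow"
        set ips-sensor "default"
    next
    edit 13
        set name "inherits-global-proxy-plus-flow-wf"
        set av-profile "AV-Default"
        set webfilter-profile "WF-Flow"
    next
end
"""

# Policy attributes that reference profiles able to run in either mode (the quoted
# 6.0 document: Web Filtering and Antivirus "can also be applied using proxy"),
# mapped to the config section holding that profile type.
DUAL_MODE = {"av-profile": "antivirus profile", "webfilter-profile": "webfilter profile"}
# Flow-only engines regardless of profile or global setting (IPS, application control).
FLOW_ONLY = ("ips-sensor", "application-list")


def parse_fortios(text):
    """Parse config/edit/set/next/end lines into {section: {entry_id: {key: [values]}}}.
    Table-less sections (e.g. 'system settings') store their keys under '_global'."""
    tree, path, entry = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cmd, *args = shlex.split(line)      # handles the quoted names FortiOS emits
        sec = " ".join(path)
        if cmd == "config":                  # nested configs just extend the path
            path.append(" ".join(args))
            entry.append(None)
            tree.setdefault(" ".join(path), {})
        elif cmd == "edit":
            entry[-1] = args[0]
            tree[sec].setdefault(args[0], {})
        elif cmd == "set":
            eid = entry[-1] if entry[-1] is not None else "_global"
            tree[sec].setdefault(eid, {})[args[0]] = args[1:]
        elif cmd == "next":
            entry[-1] = None
        elif cmd == "end":
            path.pop()
            entry.pop()
        # 'unset' and anything else is irrelevant to this check and ignored
    return tree


def global_mode(tree):
    """Global inspection mode from 'config system settings'; 'proxy' if absent."""
    return tree.get("system settings", {}).get("_global", {}).get("inspection-mode", ["proxy"])[0]


def profile_mode(tree, section, name, default):
    """Normalise 'flow'/'flow-based' to 'flow', anything else to 'proxy'."""
    mode = tree.get(section, {}).get(name, {}).get("inspection-mode", [default])[0]
    return "flow" if mode.startswith("flow") else "proxy"


def policy_modes(tree):
    """{policy_id: {profile_attr: 'flow'|'proxy'}} for every policy using profiles."""
    default, out = global_mode(tree), {}
    for pid, attrs in tree.get("firewall policy", {}).items():
        modes = {k: profile_mode(tree, sec, attrs[k][0], default) for k, sec in DUAL_MODE.items() if k in attrs}
        modes.update({k: "flow" for k in FLOW_ONLY if k in attrs})
        if modes:
            out[pid] = modes
    return out


def mixed_policies(tree):
    """IDs of policies whose AV and web filter profiles disagree on proxy vs flow."""
    return sorted((pid for pid, m in policy_modes(tree).items()
                   if len({v for k, v in m.items() if k in DUAL_MODE}) > 1), key=int)


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    for pid, modes in policy_modes(cfg).items():
        print(pid, modes)
    print("mixed AV/WF policies:", mixed_policies(cfg))
```

Policies that only pair a flow AV profile with an IPS sensor are not flagged, since IPS is flow-only and that combination is exactly the "some mixed by default" case tanr describes; the flag is reserved for the AV-versus-web-filter disagreement the thread warns about. Run it against `show full-configuration` output saved to a file by replacing `SAMPLE_CONFIG` with the file contents.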
