Hi,
I am finding the new 5.4 documentation little confusing. So I am not sure if can we use mix of security profiles in flow & proxy mode. Like we would like to use App-Control,IPS in Flow mode but web-filtering & AV scanning in proxy mode for maximum security.
Is this configuration supported.
Kindly please let me know.
Regards
Sebastan
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
There is some good information in the 5.4 documentation on Parallel Path Processing (Life of a Packet).
Specifically, the UTM/NGFW flows for:
[ul]Each time the proxy diagram includes the "IPS Engine" block, (I think) it is representing a copy of almost the entire diagram from the flow-based UTM, though with the SSL Inspection decryption being done by the proxy engine, instead of the flow one. So definitely more resource intensive.
I'd really like to see how that diagram changes with, for instance, a FortiGate in Proxy mode and a security policy that uses flow-mode AntiVirus, flow-mode Web Filter, App Control (flow-mode only), IPS (flow-mode only) and SSL Inspection. Is the proxy engine still being used to decrypt and encrypt the SSL in that case, even though nothing else is using it? Or do I still have the extra cost of the proxy engine encrypting and decrypting in this situation.
Hi Team,
Any confirmation on the same.
Regards
Sebastan
I inadvertently had mine setup with mixed modes and it cause weird issues. Some sites would not load, or would have problems, had one android phone that could not get office 365 email. once all modules were the same everything worked fine.
Thanks for your feedback. So practically based on your experience I feel though it's supported but not recommended.
Regards
Sebastan
Hi
actually I do not know if it helps you but to have no confiusion here me view and some official details:
- From my perspective I would use always proxy mode because it is the comment of the art. Some of the UTM can not be proxy mode because as an example IPS and Application Control can only be used in flow mode which makes sense from technology point of view.
The question and important to know is following: If you use in one policy a mix of security profiles meaning flow and proxy mode the mode would change for this UTM feature to flow if the UTM feature is supporting both modes. Example: If you use AV in proxy and WebFilter in flow in one Policy the FortiOS changes in the background the WebFilter also in flow mode even the security profile is in proxy mode.
This behaviour is described in the document "Life of a Packet" (http://docs.fortinet.com/d/fortigate-life-of-a-packet-5.4). In this document is also described what UTM is supporting which mode etc. This behaviour is for FortiOS 5.x and not only 5.4.
hope this helps
have fun
Andrea
@Andrea
i don't quite understand that remark for 5.4, specially there you designate the whole FortiGate or VDOM to either flow or proxy. so you can't even select a AV flow provide and a proxy Webfilter profile right?
as for the remark on it switching to flow, could you please point out the exact place in any document, im aware of the behaviour but have a hard time finding the documentation.
thank you
@Andrea
I'd like to get more clarification on this as well.
The "Life of a Packet" PDF that you linked to above says on page 21:
"Packets initially encounter the IPS engine, which uses the same steps described in UTM/NGFW packet flow: flow-based inspection on page 19 to apply single-pass IPS, Application Control and CASI if configured in the firewall policy accepting the traffic. The packets are then sent to the FortiOS UTM/NGFW proxy for proxy-based inspection."
This seems to imply that the flow based profiles run, then hand off to the proxy based profiles. The diagram on page 22 shows this.
@boneyard
Regarding not being able to select an AV flow profile for a VDOM in proxy mode:
With 5.4.0 (haven't tried 5.4.1) I could use the CLI to create an AV flow profile and set it to be used for a specific policy, even though the VDOM is set to proxy. The flow AV profile then shows up in the GUI for that policy and appears to work. However, you can't do this in the (5.4.0) GUI. Also, the only FGT crash I ran into occurred while I had the flow based AV profile set on an active policy with the (root) VDOM in proxy mode.
I just run my FortiGates in Proxy mode. In 5.4.x you can set the whole device to proxy or flow. Proxy gives you substantially more options for your UTM. I have had instances where it caused some weird issues though.
Mike Pruett
For reference, from the 5.4.1 documentation:
Flow Only
[ul]Proxy Only
[ul]Flow and Proxy Versions
[ul]
One thing I'm still confused about is using CASI, when the FGT is in proxy mode. From the documentation:
Unfortunately CASI does not work when using Proxy-based profiles for AV or Web filtering for example. Make sure to only use Flow-based profiles in combination with CASI on a specific policy.
This implies that to use CASI, I can't use the DNS filter for that policy, which seems problematic since that can catch a lot. Similarly, I can't add AV or Web Filter profiles from the GUI, since they default to proxy mode. Supposedly, I can create, edit, and add flow based AV or Web Filter profiles from the CLI, though. Because of the way policies are evaluated, I can't (as far as I know) break a policy into two policies so I can do CASI in one and use the proxy based profiles in the other.
Has anybody used CASI in 5.4.0 or 5.4.1, when their FGT (or the VDOM) is set in proxy mode? How did it go?
Hi, Basically the idea of not to mix both flow and proxy mode is to reduce the load on the device. When you have mixed config with both flow and proxy, the traffic has to be redirected back and forth between kernel <=> proxy, kernel <=> IPS, proxy <=> IPS which will spike the CPU indirectly causing performance issues. This is more evident on a low end device.
Cheers!
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1692 | |
1087 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.