Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
pepso
New Contributor

What flow-based inspection do with packets?

Hi all,

 

FYI : I am new here, and this is my 1st post on this forum. I am preparing for NSE4 and one thing is unclear for me.

 

I rly need to understand how is FTG handling packets in flow-base mode. FORTINET documentation is not clear and

a) once claims that FTG doesn't buffer packets and only forward it

b) and in the same pdf in another section claims that it forward to client (without any delay) but at the same time buffer it.

 

Documentation is course for NSE4 exam.

 

 

a)  The flow-based inspection mode examines the file as it passes through FortiGate =>  without any buffering.

[ul]
  • As each packet arrives, it is processed and forwarded without waiting for the complete file or web page.

           Packets are analyzed and forwarded as they are received.

    Original traffic is not altered. Therefore, advanced features that modify content, such as safe search enforcement, are not supported.

    versus

    b)

    As you can see on this slide,

     the client sends a request and starts receiving packets immediately from server
  • FortiGate also caches those packets at the same time When the last packet arrives, FortiGate caches it and puts it on hold.
  • Then, it sends the whole cached file to the IPS engine where rule match is checked and passed to the AV engine for scanning after that.
  • If the AV scan does not detect any viruses, and the result comes back clean, the last cached packet is regenerated and delivered to the client.However, if a virus is found, the last packet is dropped. Even if the client has received most of the file, the file will be truncated and the client will be not able to open a truncated file[/ul]

     

    Thank you for explanation.

    pepso

  • 3 REPLIES 3
    lobstercreed
    Valued Contributor

    Looks pretty straight forward to me.  It simultaneously buffers and forwards.  So the client experiences no delay as the buffering only serves to allow the AV scanning to see the whole file at once.  I'm not sure it can be explained much better honestly.

    pepso

    lobstercreed wrote:

    Looks pretty straight forward to me.  It simultaneously buffers and forwards.  So the client experiences no delay as the buffering only serves to allow the AV scanning to see the whole file at once.  I'm not sure it can be explained much better honestly.

    https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/659145/flow-mode-inspection-default-mode

    very first sentence ..."When a firewall policy’s inspection mode is set to flow, traffic flowing through the policy will not be buffered by the FortiGate. "

     

    I also thought (all the time) that packets are simultaneously buffered and forwarded, but now I am not sure.

    lobstercreed
    Valued Contributor

    You're overthinking it.  Read this: https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/969330/proxy-mode-inspection

     

    At a high level, the two inspection modes are different in the sense that one buffers (without sending the packets on to the client until it has completed inspection) while the other does not (it immediately sends packets on to the client).  Yes, technically they both buffer to perform A/V inspection, but as observed from the client side one does not buffer while the other does.

    Announcements

    Select Forum Responses to become Knowledge Articles!

    Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

    Labels
    Top Kudoed Authors