Hello All, could anyone tell me that why I enable AV profile on policy, but two other options (Proxy Options and SSL Inspection) are also be enabled ? Thanks.
Here is my FortiGate setting:
FortiOS: 5.6.4
Solved! Go to Solution.
Proxy Options label in GUI are mapped in CLI to: config firewall profile-protocol-options
SSL Inspection label in GUI are mapped to CLI: config firewall ssl-ssh-profile
I think the GUI Proxy Options label are confusing. The CLI labels are more accurate.
The 2 configs are used by both flow-based and proxy-based utm profiles. Both contains different/important layer 7 protocols options so are required by either flow/proxy-based utm(s) to handle each protocol. Flow-based utm are handled by ipsengine daemon. Proxy-based utm are handled by wad daemon. As far as I know, not recommended to mix both utm profile modes (proxy vs flow) because the packet from kernel would be copied twice to different daemon queues. The resulting setup are also more complicated due to more ipc, etc.
Can verify a session if its packet is being forward to ipsengine or wad daemon by doing 'diag sys session list' in CLI. Then check field state= for either bits: ndr or redir. ndr is forward packet to ipsengine. redir forward packet to proxy wad. See for more info: http://kb.fortinet.com/kb....do?externalId=FD30042
Proxy Options label in GUI are mapped in CLI to: config firewall profile-protocol-options
SSL Inspection label in GUI are mapped to CLI: config firewall ssl-ssh-profile
I think the GUI Proxy Options label are confusing. The CLI labels are more accurate.
The 2 configs are used by both flow-based and proxy-based utm profiles. Both contains different/important layer 7 protocols options so are required by either flow/proxy-based utm(s) to handle each protocol. Flow-based utm are handled by ipsengine daemon. Proxy-based utm are handled by wad daemon. As far as I know, not recommended to mix both utm profile modes (proxy vs flow) because the packet from kernel would be copied twice to different daemon queues. The resulting setup are also more complicated due to more ipc, etc.
Can verify a session if its packet is being forward to ipsengine or wad daemon by doing 'diag sys session list' in CLI. Then check field state= for either bits: ndr or redir. ndr is forward packet to ipsengine. redir forward packet to proxy wad. See for more info: http://kb.fortinet.com/kb....do?externalId=FD30042
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.