aolguin
New Contributor II

FortiGate Inspection mode used on the policy

Hello,

I am very new to FortiGate and I am studying for the Network Security Certification.

I have the following question, which I am not able to confirm my answer on the internet. 

FortiGate - version 7.4.3

Say I configure a Firewall rule with:

  • Inspection Mode as: Flow-based 
  • In the same Rule I add security profile >> Antivirus >> In the antivirus profile, feature set is configured as Proxy based. 

Does the above mean that now the firewall rule will use Proxy-based mode for all the traffic?

Thanks for your assistance.

Aaron Olguin

ozkanaltas
Contributor III

Hello @aolguin,

If you configure a proxy based on an antivirus profile, you can't use this profile with a flow-based policy. They should match.

If you create a proxy-based policy, yes, all traffic matched by the rule will be processed in proxy mode.

aolguin
New Contributor II

Hello @ozkanaltas

Thank you for the reply. That is what I thought, but unfortunately the FortiGate allows it:

I am using a FortiGate 60F, version v7.4.3 build2573

I have the following:

[image.png]

for the antivirus profile

[image.png]

Maybe a bug then?

But the question remains on the scenario above: does that mean that inspection mode is using Flow-based or proxy-based (as overridden by the Antivirus profile)?

Thanks,

Aaron Olguin

ozkanaltas (accepted solution)

Hello @aolguin,

In my opinion, this is related to the default profile. If you create a custom profile, you will see that you can't use this profile with a non-matching policy.

In my lab, I also tried that scenario. I think the policy resumes working with flow mode, because the antivirus profile warned me.

[image.png]

Some features (MAPI, SSH, CDR) need proxy mode in the antivirus profile. If you resume with this configuration, these features will not work.

aolguin
New Contributor II

Thank you, indeed with a custom antivirus profile I see we cannot mix inspection mode and feature set under security profiles. They have to match.

Now it makes sense.

Note: this behavior on the default profile was confusing!

AEK

So that means your policy will remain in flow-mode and it just will not use proxy features that are configured in the used AV profile.

AEK
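
The mismatch discussed in this thread can be checked for offline in a saved configuration. The script below is an added example, not part of the thread and not Fortinet tooling; the config excerpt is constructed, and the script assumes the FortiOS CLI keys `inspection-mode`, `feature-set` and `av-profile`, with both modes defaulting to flow when the line is absent.

```python
# Added example: list flow-mode policies that reference a proxy feature-set AV profile.
SAMPLE = """\
config antivirus profile
    edit "default"
        set feature-set proxy
        config http
            set av-scan block
        end
    next
end
config firewall policy
    edit 1
        set inspection-mode proxy
        set av-profile "default"
    next
    edit 2
        set av-profile "default"
    next
end
"""  # constructed excerpt, not taken from the thread's FortiGate

def parse_table(config, table):
    """Return {entry: {key: value}} for the top-level 'set' lines of one config table."""
    entries, depth, current, active = {}, 0, None, False
    for line in map(str.strip, config.splitlines()):
        if line.startswith("config "):
            depth += 1
            if depth == 1:
                active = line == f"config {table}"
        elif line == "end":
            depth -= 1
        elif active and depth == 1 and line.startswith("edit "):
            current = entries.setdefault(line[5:].strip('"'), {})
        elif active and depth == 1 and current is not None:
            parts = line.split(None, 2)  # nested 'config ...' blocks sit at depth 2 and are skipped
            if len(parts) == 3 and parts[0] == "set":
                current[parts[1]] = parts[2].strip('"')
    return entries

def flow_policies_with_proxy_av(config):
    """Return (policy_id, av_profile) pairs where proxy-only AV features would not apply."""
    profiles = parse_table(config, "antivirus profile")
    hits = []
    for pid, pol in parse_table(config, "firewall policy").items():
        av = pol.get("av-profile")
        mode = pol.get("inspection-mode", "flow")  # assumption: absent means flow
        if av and mode == "flow" and profiles.get(av, {}).get("feature-set", "flow") == "proxy":
            hits.append((pid, av))
    return hits
```

Each pair returned is a policy that stays in flow mode while its antivirus profile expects proxy mode, which is the case where the proxy-only features mentioned above (MAPI, SSH, CDR) would not run.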