Inspection modes
This topic briefly discusses proxy and flow-based inspection modes. See Security profiles and different modes for more details on flow vs. proxy inspection modes on your FortiGate.
Proxy-based inspection
Proxy-based inspection involves buffering traffic and examining it as a whole before determining an action. The process of having the whole of the data to analyze allows for the examination of more points of data than the flow-based or DNS methods.
The advantage of a proxy-based method is that the inspection can be more thorough than the other methods, yielding fewer false positive or negative results in the data analysis.
Flow-based inspection
The flow-based inspection method examines the file as it passes through the FortiGate unit without any buffering. As each packet of the traffic arrives it is processed and forwarded without waiting for the complete file or web page.
The advantage of the flow-based method is that the user sees a faster response time for HTTP requests and there is less chance of a time-out error due to the server at the other end responding slowly.
The disadvantages of this method are: (1) there is a higher probability of a false positive or negative in the analysis of the data; and, (2) a number of security features that can be used in the proxy-based method are not available in the flow-based inspection method. There are also fewer actions available based on the categorization of the website by FortiGuard services.
In flow mode, Web Filter profiles only include flow-mode features. Web filtering is still done with the same engines and to the same accuracy, but some inspection options are limited or not available in flow mode.
Configuring Web Filter profiles in flow-mode is different depending on the NGFW mode selected.