Inspection mode
To control your FortiGate's security profile inspection mode in FortiOS 6.0, you can select Flow-based or Proxy inspection modes from System > Settings. Having control over flow and proxy mode is helpful if you want to ensure that only flow inspection mode is used.
In most cases proxy mode is preferred because more security profile features are available along with more configuration options for these individual features. Some implementations, however, may require all security profile scanning to only use flow mode. In this case, you can set your FortiGate to flow mode knowing that proxy mode inspection will not be used.
To set the FortiGate to one of these modes (or to any of the other available operating modes), go to System > Settings and change the Inspection Mode and NGFW Mode.
NGFW mode simplifies applying application control and web filtering to traffic by allowing you to add applications and web filtering profiles directly to policies.
Transparent proxy allows you to apply web authentication to HTTP traffic without using the explicit proxy.
Changing inspection and policy modes
To change inspection modes, go to System > Settings. You can select Flow-based or Proxy inspection modes.
NGFW mode
When you select Flow-based as the Inspection Mode, you have the option to select an NGFW Mode. In NGFW Profile-based mode, you configure Application Control and Web-Filtering profiles in Security Profiles and then apply them to a policy.
In Policy-based mode, you add applications and web filtering profiles directly to a policy without having to first create and configure Application Control or Web Filtering profiles.
When you change to Flow-based inspection, all proxy mode profiles are converted to flow mode, and proxy settings are removed. In addition, proxy-mode only features (for example, Web Application Profile) are removed from the GUI.
If your FortiGate has multiple VDOMs, you can set the inspection mode independently for each VDOM. Go to System > VDOM. Click Edit for the VDOM you want to change and select the Inspection Mode.
CLI syntax
You can use the following CLI command to configure NGFW mode:
config system settings
    set inspection-mode flow
    set ngfw-mode {profile-based | policy-based}
    set ssl-ssh-profile "certificate-inspection"
end
Security profile features mapped to inspection mode
The table below lists FortiOS security profile features and shows whether they are available in flow-based or proxy-based inspection modes.
Security Profile Feature | Flow-based inspection | Proxy-based inspection
---|---|---
AntiVirus | x | x
Web Filter | x | x
DNS Filter | x | x
Application Control | x | x
Intrusion Protection | x | x
Anti-Spam | | x
Data Leak Protection | | x
VoIP | x | x
ICAP | | x
Web Application Firewall | | x
FortiClient Profiles | x | x
Proxy Options | x | x
SSL Inspection | x | x
SSH Inspection | | x
Web Rating Overrides | x | x
Web Profile Overrides | | x
From the GUI, you can only configure antivirus and web filter security profiles in proxy mode. From the CLI, you can configure flow-based antivirus profiles, web filter profiles, and DLP profiles and they will appear on the GUI and include their inspection mode setting. Flow-based profiles created when in flow mode are still available when you switch to proxy mode.
In flow mode, antivirus and web filter profiles only include flow-mode features. Web filtering and virus scanning are still done with the same engines and to the same accuracy, but some inspection options are limited or not available in flow mode. Application control, intrusion protection, and FortiClient profiles are not affected when switching between flow and proxy mode.
Even though VoIP profiles are not available from the GUI in flow mode, the FortiGate can process VoIP traffic. In this case the appropriate session helper is used (for example, the SIP session helper).
Setting flow or proxy mode doesn't change the settings available from the CLI. However, when in flow mode you can't save security profiles that are set to proxy mode.
You can also add proxy-only security profiles to firewall policies from the CLI. So, for example, you can add a VoIP profile to a security policy that accepts VoIP traffic. This practice isn't recommended because the setting will not be visible from the GUI.
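Because a proxy-only profile attached from the CLI in a flow-mode VDOM is not shown in the GUI, the only reliable way to find such policies is to read the configuration itself. The following script is an added example (not Fortinet code) that walks a FortiOS config backup, records the inspection-mode of each VDOM, and lists every firewall policy in a flow-mode VDOM that still references a profile type the mapping table above marks as proxy-only. The sample backup is constructed and simplified, and the policy option names (spamfilter-profile, dlp-sensor, icap-profile, waf-profile, ssh-filter-profile) are assumptions based on FortiOS 6.x syntax that you should check against your own build.

```python
import re

# Features the FortiOS 6.0 mapping table marks as proxy-only, keyed by the
# firewall-policy option that attaches each profile type. The option names are
# assumptions based on FortiOS 6.x syntax; check them against your build.
PROXY_ONLY_POLICY_OPTIONS = {
    "spamfilter-profile": "Anti-Spam",
    "dlp-sensor": "Data Leak Protection",
    "icap-profile": "ICAP",
    "waf-profile": "Web Application Firewall",
    "ssh-filter-profile": "SSH Inspection",
}

# Constructed, simplified config backup: two VDOMs, one in flow mode and one
# in proxy mode. Real backups carry many more sections around these.
SAMPLE_CONFIG = """\
config vdom
edit root
config system settings
    set inspection-mode flow
    set ngfw-mode profile-based
end
config firewall policy
    edit 1
        set name "lan-to-wan"
        set av-profile "default"
        set webfilter-profile "default"
    next
    edit 2
        set name "mail-out"
        set spamfilter-profile "default"
        set dlp-sensor "default"
    next
end
next
edit dmz
config system settings
    set inspection-mode proxy
end
config firewall policy
    edit 3
        set name "web-publish"
        set waf-profile "default"
    next
end
next
end
"""


def parse_config(text):
    """Walk a FortiOS config dump line by line.

    Returns ({vdom: inspection-mode}, [policy]) where each policy is a dict
    holding its VDOM, policy id and the 'set' options found inside it.
    """
    modes = {}
    policies = []
    stack = []        # names of the 'config ...' sections currently open
    vdom = "root"     # FortiOS uses 'root' when VDOMs are not enabled
    policy = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            stack.append(line[len("config "):])
        elif line == "end":
            stack.pop()
        elif line.startswith("edit "):
            name = line[len("edit "):].strip('"')
            if stack and stack[-1] == "vdom":
                vdom = name
            elif stack and stack[-1] == "firewall policy":
                policy = {"vdom": vdom, "id": name, "options": {}}
        elif line == "next":
            if policy is not None and stack and stack[-1] == "firewall policy":
                policies.append(policy)
                policy = None
        elif line.startswith("set "):
            m = re.match(r"set (\S+) (.+)", line)
            if not m:
                continue
            key, value = m.group(1), m.group(2).strip('"')
            if stack and stack[-1] == "system settings" and key == "inspection-mode":
                modes[vdom] = value
            elif policy is not None:
                policy["options"][key] = value
    return modes, policies


def find_mode_mismatches(text):
    """Return (vdom, policy id, feature, profile) for every proxy-only profile
    attached to a policy whose VDOM runs flow-based inspection."""
    modes, policies = parse_config(text)
    findings = []
    for pol in policies:
        # FortiOS 6.0 defaults to proxy mode when inspection-mode is unset
        if modes.get(pol["vdom"], "proxy") != "flow":
            continue
        for option, feature in PROXY_ONLY_POLICY_OPTIONS.items():
            if option in pol["options"]:
                findings.append((pol["vdom"], pol["id"], feature, pol["options"][option]))
    return findings


if __name__ == "__main__":
    for vdom, pid, feature, profile in find_mode_mismatches(SAMPLE_CONFIG):
        print(f"VDOM {vdom} policy {pid}: {feature} profile '{profile}' is proxy-only "
              f"but the VDOM is in flow mode (not shown in the GUI)")
```

Run it against a `show full-configuration` or backup file instead of SAMPLE_CONFIG to get the same report for a live unit; on the constructed sample it reports policy 2 in the root VDOM twice (Anti-Spam and DLP) and stays silent on the dmz VDOM, which is in proxy mode.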
Proxy mode and flow mode antivirus and web filter profile options
The following tables list the antivirus and web filter profile options available in proxy and flow modes.
Antivirus features in proxy and flow mode
Feature | Proxy | Flow
---|---|---
Scan Mode (Quick or Full) | | x
Detect viruses (Block or Monitor) | x | x
Inspected protocols | x | (all relevant protocols are inspected)
Inspection Options | x | x (not available for quick scan mode)
Treat Windows Executables in Email Attachments as Viruses | x | x
Send Files to FortiSandbox Appliance for Inspection | x | x
Use FortiSandbox Database | x | x
Include Mobile Malware Protection | x | x
Web filter features in proxy and flow mode
Feature | Proxy | Flow
---|---|---
FortiGuard category based filter | x | x (show, allow, monitor, block)
Category Usage Quota | x |
Allow users to override blocked categories (on some models) | x |
Search Engines | x |
Search Engines: Enforce 'Safe Search' on Google, Yahoo!, Bing, Yandex | x |
Search Engines: Restrict YouTube Access | x |
Search Engines: Log all search keywords | x |
Static URL Filter | x | x
Static URL Filter: Block invalid URLs | x |
Static URL Filter: URL Filter | x | x
Static URL Filter: Block malicious URLs discovered by FortiSandbox | x | x
Static URL Filter: Web Content Filter | x | x
Rating Options | x | x
Rating Options: Allow websites when a rating error occurs | x | x
Rating Options: Rate URLs by domain and IP Address | x | x
Rating Options: Block HTTP redirects by rating | x |
Rating Options: Rate images by URL | x |
Proxy Options | x |
Proxy Options: Restrict Google account usage to specific domains | x |
Proxy Options: Provide details for blocked HTTP 4xx and 5xx errors | x |
Proxy Options: HTTP POST Action | x |
Proxy Options: Remove Java Applets | x |
Proxy Options: Remove ActiveX | x |
Proxy Options: Remove Cookies | x |
Proxy Options: Filter Per-User Block/Allowlist | x |