Cookbook

Doc ID: fed12558-14f5-11e9-b86b-00505692583a:366651

Inspection mode per policy

Inspection mode is configured on a per-policy basis in NGFW mode, which gives you more flexibility when setting up different policies: each policy can use the mode that suits the traffic it matches.

When configuring an IPv4 or IPv6 policy, you can select a Flow-based or Proxy-based Inspection Mode. The default setting is Flow-based.

To configure inspection mode in a policy:
  1. Go to Policy & Objects > IPv4 Policy or IPv6 Policy.
  2. Create a new policy, or edit an existing policy.
  3. Configure the policy as needed. Note the following behaviour:
    1. If you change the Inspection Mode to Proxy-based, the Proxy HTTP(S) traffic option is displayed.
    2. In the Security Profiles section, if no security profiles are enabled, the default SSL Inspection is no-inspection.
    3. In the Security Profiles section, if you enable any security profile, the SSL Inspection changes to certificate-inspection, which reads the server certificate without decrypting the session so the profiles can identify TLS traffic.

To see the inspection mode changes using the CLI:
config firewall policy
    edit 1
        set uuid 05d88354-4817-51e9-7494-06cb70accbf0
        set srcintf "wan2"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set nat enable
    next
end
To see the HTTP and SSH policy redirect settings (which hand matching HTTP(S) and SSH sessions to proxy policies) when inspection mode is set to proxy, use the CLI:
config firewall policy
    edit 1
        set uuid 05d88354-4817-51e9-7494-06cb70accbf0
        set srcintf "wan2"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set http-policy-redirect enable
        set ssh-policy-redirect enable
        set nat enable
    next
end
To see the SSL/SSH inspection profile, including its default value of no-inspection, use show full-configuration. Plain show omits settings that are still at their default, which is why ssl-ssh-profile does not appear in the output above:
config firewall policy
    edit 1
        show full-configuration | grep ssl-ssh-profile
            set ssl-ssh-profile "no-inspection"
    next
end
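As an added example (not part of the Fortinet page and not Fortinet code), the following Python script parses the config firewall policy section of a show or show full-configuration dump and reports, per policy, the inspection mode, the SSL/SSH inspection profile and the security profiles the policy references. It then flags policies that reference a profile while ssl-ssh-profile is still no-inspection or utm-status is not enabled. The automatic switch to certificate-inspection described above is GUI behaviour and is not applied when a policy is written from the CLI or an automation tool, which is the case this check is for. The text in SAMPLE_CONFIG is constructed; the PROFILE_KEYS list and the audit rules are the editor's own assumptions about what is worth flagging, not a Fortinet rule.

```python
"""Audit per-policy inspection settings from FortiOS `config firewall policy` output.
Sample input is constructed for this example; the audit rules are the editor's own."""
import re
from dataclasses import dataclass, field

# Policy settings that reference a security profile (FortiOS 6.2 names; assumed list).
PROFILE_KEYS = ("av-profile", "webfilter-profile", "dnsfilter-profile", "ips-sensor",
                "application-list", "dlp-sensor", "emailfilter-profile", "ssh-filter-profile")

# Constructed `show` output. Policy 1: proxy mode, profiles, certificate inspection.
# Policy 2: plain flow policy. Policy 3: references an IPS sensor but was never
# given utm-status or an SSL/SSH profile, so the sensor cannot inspect TLS.
SAMPLE_CONFIG = """
config firewall policy
    edit 1
        set srcintf "wan2"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set http-policy-redirect enable
        set ssh-policy-redirect enable
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set webfilter-profile "default"
        set nat enable
    next
    edit 2
        set srcintf "port2"
        set dstintf "port1"
        set av-profile ''
    next
    edit 3
        set srcintf "port3"
        set dstintf "port1"
        set ips-sensor "default"
    next
end
"""


@dataclass
class Policy:
    policy_id: str
    settings: dict = field(default_factory=dict)

    def get(self, key, default=""):
        return self.settings.get(key, default)

    @property
    def inspection_mode(self):
        return self.get("inspection-mode", "flow")  # plain `show` omits the default, flow

    @property
    def ssl_ssh_profile(self):
        return self.get("ssl-ssh-profile", "no-inspection")  # default SSL/SSH profile

    @property
    def enabled_profiles(self):
        return [k for k in PROFILE_KEYS if self.get(k)]


def parse_policies(config_text):
    """Return a Policy for each `edit N` inside the `config firewall policy` block."""
    policies, current, in_section = [], None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config firewall policy":
            in_section = True
        elif not in_section:
            continue
        elif line == "end":
            break
        elif m := re.match(r"^edit\s+(\d+)$", line):
            current = Policy(m.group(1))
            policies.append(current)
        elif line == "next":
            current = None
        elif current is not None and (m := re.match(r"^set\s+(\S+)\s+(.*)$", line)):
            # Drop quoting; `show full-configuration` prints unset strings as ''.
            current.settings[m.group(1)] = m.group(2).replace('"', "").replace("'", "").strip()
    return policies


def audit(policies):
    """Return (policy_id, finding) for policies whose referenced profiles will not inspect."""
    findings = []
    for p in policies:
        if not p.enabled_profiles:
            continue
        if p.get("utm-status", "disable") != "enable":
            findings.append((p.policy_id, "profiles referenced but utm-status is not enabled"))
        if p.ssl_ssh_profile == "no-inspection":
            findings.append((p.policy_id, "ssl-ssh-profile is no-inspection; %s will not see TLS"
                             % ", ".join(p.enabled_profiles)))
    return findings


if __name__ == "__main__":
    for p in parse_policies(SAMPLE_CONFIG):
        print(p.policy_id, p.inspection_mode, p.ssl_ssh_profile, p.enabled_profiles)
    for policy_id, finding in audit(parse_policies(SAMPLE_CONFIG)):
        print("policy", policy_id + ":", finding)
```

To run it against a real unit, paste the output of show full-configuration for config firewall policy into SAMPLE_CONFIG or read it from a file; using show full-configuration rather than show makes the defaults explicit, though the parser treats a missing inspection-mode or ssl-ssh-profile as the default anyway.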
