A FortiGate inspects network traffic from the IP layer up through the application layer of the TCP/IP stack. The FortiGate uses security policies to do this inspection. Inspection steps depend on the FortiGate hardware such as whether the FortiGate has network processors like the NP6 and content processors like the CP8 and CP9. It also depends on the Unified Threat Management (UTM)/Next Generation Firewall (NGFW) inspection mode (flow-based or proxy-based).
Before FortiOS 6.2.0, the inspection mode is based on the FortiGate or VDOM.
In FortiOS 6.2.0 and higher, the inspection mode is based on the security policy so you can set a different inspection mode for each security policy.
This guide describes what happens to a packet as it travels through a FortiGate running FortiOS 6.4 and higher.
The FortiGate performs the following types of security inspection:
- Kernel-based stateful inspection, that provides individual packet-based security within a basic session state.
- Flow-based inspection, that takes a snapshot of content packets and uses pattern matching to identify security threats in the content.
- Proxy-based inspection, that reconstructs content passing through the FortiGate and inspects the content for security threats.
Each inspection component plays a role in the processing of a packet as it traverses the FortiGate en route to its destination.
This guide contains the following sections:
- Parallel Path Processing introduces the concept of Parallel Path Processing.
- Packet flow ingress and egress: FortiGates without network processor offloading describes the overall packet flow through a FortiGate with no network offloading (NP) hardware.
- Packet flow: NP6 and NP6lite sessions similar to the previous section, the first packet in a new session that can be offloaded is processed in much the same way as on a FortiGate with no network processors.
- Packet flow: NP6 and NP6lite offloaded session describes the much simpler packet flow for a packet from an offloaded session.
- UTM/NGFW packet flow: flow-based inspection describes how single pass UTM/NGFW processing occurs in a flow-based firewall policy.
- UTM/NGFW packet flow: proxy-based inspection describes how UTM/NGFW processing occurs in a proxy-based firewall policy.
- UTM/NGFW packet flow: explicit web proxy describes how Explicit web proxy processing occurs.
- Comparison of inspection types shows how different security functions map to different inspection types.