In a proxy-based policy, the TCP connection is proxied by the FortiGate. A TCP 3-way handshake can be established with the client even though the server did not complete the handshake.
This option uses IPS to handle the initial TCP 3-way handshake. It rebuilds the sockets and redirects the session back to proxy only when the handshake with the server is established.
config firewall ssl-ssh-profile edit "test" config https set ports 443 set status certificate-inspection set proxy-after-tcp-handshake enable end ..... next end
config firewall profile-protocol-options edit "test" config http set ports 80 set proxy-after-tcp-handshake enable unset options unset post-lang end .... next end