Administration Guide

Inspection mode per policy

Inspection mode is configured on a per-policy basis in NGFW mode. This gives you more flexibility when setting up different policies.

When configuring a firewall policy, you can select a Flow-based or Proxy-based Inspection Mode. The default setting is Flow-based.

To configure inspection mode in a policy:
  1. Go to Policy & Objects > Firewall Policy.
  2. Create a new policy, or edit an existing policy.
  3. Configure the policy as needed.
    1. If you change the Inspection Mode to Proxy-based, the Proxy HTTP(S) traffic option displays.

    2. In the Security Profiles section, if no security profiles are enabled, the default SSL Inspection is no-inspection.
    3. In the Security Profiles section, if you enable any security profile, the SSL Inspection changes to certificate-inspection.

To see the inspection mode changes using the CLI:
config firewall policy
    edit 1
        set srcintf "wan2"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set nat enable
    next
end
To see the HTTP and SSH policy redirect settings when inspection mode is set to proxy using the CLI:
config firewall policy
    edit 1
        set srcintf "wan2"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set http-policy-redirect enable
        set ssh-policy-redirect enable
        set nat enable
    next
end
To see that the default SSL/SSH inspection profile is set to no-inspection using the CLI:
config firewall policy
    edit 1
        show fu | grep ssl-ssh-profile
        set ssl-ssh-profile "no-inspection"
    next
end
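The GUI behaviour described above (flow-based by default, proxy-specific redirect options, and SSL inspection moving from no-inspection to certificate-inspection once a security profile is enabled) only applies when policies are edited in the GUI; policies created or changed from the CLI or by automation can end up with a security profile attached but ssl-ssh-profile still at no-inspection. The following Python script is an added audit example, not Fortinet code: it parses a config firewall policy dump in the same format as the CLI output on this page and reports each policy's inspection mode, SSL/SSH profile and redirect settings, flagging any policy whose settings do not match what the GUI would have produced. The sample config text is constructed for the example, and the setting names utm-status and av-profile are assumed here to be the settings that indicate an enabled security profile.

```python
import re
from typing import Dict, List, Union

# Constructed sample config dump (not from a real device). Policy 1 matches the
# proxy-mode example on this page; policy 2 has a security profile enabled while
# ssl-ssh-profile is still no-inspection, which the GUI would not produce.
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set srcintf "wan2"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set http-policy-redirect enable
        set ssh-policy-redirect enable
        set ssl-ssh-profile "no-inspection"
        set nat enable
    next
    edit 2
        set srcintf "wan2"
        set dstintf "wan1"
        set inspection-mode flow
        set utm-status enable
        set av-profile "default"
        set ssl-ssh-profile "no-inspection"
    next
    edit 3
        set inspection-mode flow
        set ssl-ssh-profile "no-inspection"
    next
end
"""

SET_RE = re.compile(r'^\s*set\s+(\S+)\s+(.*)$')
# Assumed names of settings whose presence means a security profile is enabled.
PROFILE_KEYS = ("av-profile", "webfilter-profile", "ips-sensor",
                "application-list", "dnsfilter-profile")

Settings = Dict[str, Union[str, List[str]]]


def parse_policies(config_text: str) -> Dict[int, Settings]:
    """Parse a 'config firewall policy' block into {policy_id: {setting: value}}."""
    policies: Dict[int, Settings] = {}
    current = None
    in_block = False
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped == "config firewall policy":
            in_block = True
            continue
        if not in_block:
            continue
        if stripped.startswith("edit "):
            current = int(stripped.split()[1])
            policies[current] = {}
        elif stripped == "next":
            current = None
        elif stripped == "end":
            in_block = False
        elif current is not None:
            m = SET_RE.match(line)
            if m:
                key, raw = m.group(1), m.group(2).strip()
                # Strip quotes; keep multi-value settings (e.g. several interfaces) as a list.
                values = [v.strip('"') for v in re.findall(r'"[^"]*"|\S+', raw)]
                policies[current][key] = values[0] if len(values) == 1 else values
    return policies


def audit_policies(policies: Dict[int, Settings]) -> Dict[int, List[str]]:
    """Return {policy_id: [findings]} for policies whose SSL/redirect settings
    do not match the GUI defaults described on the page."""
    findings: Dict[int, List[str]] = {}
    for pid, s in policies.items():
        mode = s.get("inspection-mode", "flow")  # flow-based is the documented default
        ssl = s.get("ssl-ssh-profile", "no-inspection")
        profile_on = s.get("utm-status") == "enable" or any(k in s for k in PROFILE_KEYS)
        issues = []
        if profile_on and ssl == "no-inspection":
            issues.append("security profile enabled but ssl-ssh-profile is no-inspection "
                          "(GUI would have set certificate-inspection)")
        if mode != "proxy" and any(s.get(k) == "enable"
                                   for k in ("http-policy-redirect", "ssh-policy-redirect")):
            issues.append("policy redirect enabled on a non-proxy policy")
        if issues:
            findings[pid] = issues
    return findings


if __name__ == "__main__":
    parsed = parse_policies(SAMPLE_CONFIG)
    for pid, s in parsed.items():
        print(f"policy {pid}: mode={s.get('inspection-mode', 'flow')} "
              f"ssl-ssh-profile={s.get('ssl-ssh-profile', 'no-inspection')}")
    for pid, issues in audit_policies(parsed).items():
        for issue in issues:
            print(f"policy {pid}: {issue}")
```

Feed it the output of show firewall policy (or show full-configuration firewall policy, which also prints settings left at their defaults) saved from the CLI; policies are reported in the order they appear in the dump.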
