
Administration Guide

Proxy mode inspection

When a firewall policy’s inspection mode is set to proxy, traffic flowing through the policy will be buffered by the FortiGate for inspection. This means that the packets for a file, email message, or web page will be held by the FortiGate until the entire payload is inspected for violations (virus, spam, or malicious web links). After FortiOS finishes the inspection, the payload is either released to the destination (if the traffic is clean) or dropped and replaced with a replacement message (if the traffic contains violations).

To optimize inspection, the policy can be configured to block or ignore files or messages that exceed a certain size. To prevent the receiving end user from timing out, you can apply client comforting. This allows small portions of the payload to be sent while it is undergoing inspection.
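The following FortiOS CLI configuration is an added example, not part of the original guide, showing how the two settings described above are expressed: a protocol options profile that enables client comforting and oversize blocking for HTTP (with the oversize limit in MB), attached to a firewall policy whose inspection mode is set to proxy. The profile name, policy name, interface names and the use of the built-in "default" antivirus and "certificate-inspection" SSL/SSH profiles are assumptions chosen for the example; substitute the objects that exist on your unit. Without `oversize` in the `set options` list, files above `oversize-limit` are passed through uninspected rather than blocked, so check which behaviour you intend before leaving it out.

```text
config firewall profile-protocol-options
    edit "proxy-inspection-options"            # assumed profile name
        config http
            set ports 80
            # clientcomfort: trickle data to the client during inspection
            # oversize: block (rather than pass) files above oversize-limit
            set options clientcomfort oversize
            set comfort-interval 10            # seconds between comfort bytes
            set comfort-amount 1               # bytes sent per interval
            set oversize-limit 10              # MB; larger files are blocked
        end
    next
end

config firewall policy
    edit 0                                     # 0 = next free policy ID
        set name "lan-to-wan-proxy"            # assumed policy name
        set srcintf "port2"                    # assumed internal interface
        set dstintf "port1"                    # assumed WAN interface
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set inspection-mode proxy              # buffer and inspect full payload
        set utm-status enable
        set profile-protocol-options "proxy-inspection-options"
        set av-profile "default"
        set ssl-ssh-profile "certificate-inspection"
        set nat enable
    next
end
```

After applying the configuration, confirm the policy shows proxy inspection with `show firewall policy` and verify that a download larger than the configured limit is replaced with the FortiGate replacement message rather than delivered.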

Proxy-based antivirus scanning uses either in-process or stream-based scanning to streamline inspection. For more information, see Proxy mode stream-based scanning.

Proxy mode provides some security profile capabilities that are not available to flow-based scanning:

  • Video Filter

  • Inline CASB

  • Web Application Firewall (WAF)

  • Content Disarm and Reconstruction (CDR)

  • Web quota

  • Sandbox Inline Scanning

For a complete list, see Inspection mode feature comparison.

Some features are exclusively proxy-based:

  • SSL Offloading

  • Explicit Web Proxy

  • ZTNA

Verify the capabilities that you need when deciding between proxy-based and flow-based policies. Applying the same scan mode in all your policies also helps optimize performance.

FortiOS supports the Zstandard (ZSTD) compression algorithm for web content. FortiOS can use proxy-based policies to decode ZSTD-encoded web content, scan it, and forward the web content to a browser. Then the web content can be passed to the user or blocked from the user based on UTM profile settings, ensuring a seamless and secure browsing experience.

This feature is not supported on FortiGate models with 2 GB RAM or less. See Proxy-related features not supported on FortiGate 2 GB RAM models for more information.
