7.2.0

UTM packet flow: proxy-based inspection

When a FortiProxy unit is configured for proxy-based inspection, packets initially encounter the IPS engine, which applies single-pass IPS and Application Control if configured in the firewall policy accepting the traffic.

The packets are then sent to the FortiProxy UTM/NGFW proxy for proxy-based inspection. The proxy first determines if the traffic is SSL traffic that should be decrypted for SSL inspection. SSL traffic to be inspected is decrypted by the proxy. SSL decryption is offloaded to and accelerated by CP8 or CP9 processors.

Proxy-based inspection extracts and caches content, such as files and web pages, from content sessions and inspects the cached content for threats. Content inspection happens in the following order:

  1. DLP

  2. Anti-Spam

  3. Web Filtering

  4. ICAP

  5. Antivirus and Image Analyzer

  6. Web caching and WAN optimization

If no threat is found, the proxy relays the content to its destination. If a threat is found, the proxy can block the threat and replace it with a replacement message.

Decrypted SSL traffic is sent to the IPS engine (where IPS and Application Control can be applied) before reentering the proxy, where the actual proxy-based inspection is applied to the decrypted SSL traffic. After decrypted SSL traffic has been inspected, it is re-encrypted and forwarded to its destination. SSL encryption is offloaded to and accelerated by CP8 or CP9 processors. If a threat is found, the proxy can block the threat and replace it with a replacement message.

ICAP intercepts HTTP and HTTPS traffic and forwards it to an ICAP server. The FortiProxy unit is the surrogate, or “middle-man”: it carries the ICAP responses from the ICAP server to the ICAP client, the ICAP client then responds, and the FortiProxy unit determines the action that should be taken based on these ICAP responses and requests.
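As an added example (not FortiProxy code), the following Python shows the decision a surrogate makes from an ICAP (RFC 3507) response: a 204 means relay the original HTTP response unchanged, a 200 means relay the encapsulated replacement response (after undoing the chunked encoding ICAP requires for bodies), and the `fail_open` knob for ICAP server errors is an assumed policy choice that the page does not specify. All sample messages are constructed.

```python
def parse_encapsulated(value):
    """'res-hdr=0, res-body=51' -> {'res-hdr': 0, 'res-body': 51}"""
    pairs = (item.strip().partition("=") for item in value.split(",") if item.strip())
    return {name: int(offset) for name, _, offset in pairs}

def dechunk(data):
    """Decode the HTTP chunked encoding ICAP requires for encapsulated bodies."""
    body = bytearray()
    while data:
        size_line, _, data = data.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)  # drop chunk extensions
        if size == 0:
            break
        body += data[:size]
        data = data[size + 2:]  # skip chunk payload and its trailing CRLF
    return bytes(body)

def parse_icap_response(raw):
    """Split an ICAP response into (status code, header dict, encapsulated bytes)."""
    head, _, encapsulated = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status_line.split(" ")[1]), headers, encapsulated

def decide_action(icap_raw, original_response, fail_open=False):
    """Return (action, HTTP response bytes to relay). fail_open is an assumed
    policy knob for ICAP server errors; the page does not specify it."""
    status, headers, enc = parse_icap_response(icap_raw)
    if status == 204:  # RFC 3507: no modification needed, relay the original
        return "relay_original", original_response
    if status == 200:  # server returned a modified or replacement HTTP response
        offsets = parse_encapsulated(headers.get("encapsulated", ""))
        hdr, body = offsets["res-hdr"], offsets.get("res-body")
        if body is None:  # headers only, no encapsulated body
            return "replace", enc[hdr:]
        return "replace", enc[hdr:body] + dechunk(enc[body:])
    return ("relay_original", original_response) if fail_open else ("block", None)

# Constructed sample messages, not captured from a real FortiProxy or ICAP server.
ORIGINAL_HTTP = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"
ICAP_204 = b"ICAP/1.0 204 No modifications needed\r\nEncapsulated: null-body=0\r\n\r\n"
_BLOCK_HDR = b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"
_BLOCK_PAGE = b"<html>Blocked by policy</html>"
ICAP_200_BLOCK = (b"ICAP/1.0 200 OK\r\nEncapsulated: res-hdr=0, res-body=%d\r\n\r\n" % len(_BLOCK_HDR)
                  + _BLOCK_HDR + b"%x\r\n" % len(_BLOCK_PAGE) + _BLOCK_PAGE + b"\r\n0\r\n\r\n")
ICAP_500 = b"ICAP/1.0 500 Server error\r\n\r\n"
```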