FortiProxy 7.2.0

UTM packet flow: explicit web proxy

If the explicit web proxy is enabled on a FortiProxy unit, proxy-based inspection occurs. One or more interfaces configured to listen for web browser sessions on the configured explicit web proxy port (by default 8080) accept all HTTP and HTTPS sessions on the explicit proxy port that match an explicit web proxy policy.

Plain-text explicit web proxy HTTP traffic passes in parallel to both the IPS engine and the explicit web proxy for content scanning. The IPS engine applies IPS and application control scanning. The explicit web proxy applies DLP, web filtering, and antivirus scanning.

If neither the IPS engine nor the explicit proxy detects a security threat, the FortiProxy unit relays the content to a destination interface. If either the IPS engine or the explicit proxy detects a threat, the FortiProxy unit can block the threat and replace it with a replacement message.

Encrypted explicit web proxy HTTPS traffic passes to the explicit web proxy for decryption. Decrypted traffic once again passes in parallel to the IPS engine and the explicit web proxy for content scanning.

If neither the IPS engine nor the explicit proxy detects a security threat, the explicit proxy re-encrypts the traffic and the FortiProxy unit relays the content to its destination. If either the IPS engine or the explicit proxy detects a threat, the FortiProxy unit can block the threat and replace it with a replacement message. The explicit proxy offloads HTTPS decryption and encryption to CP8 or CP9 processors.

The FortiProxy unit routes explicit web proxy sessions through the unit to a destination interface. Before a session leaves the exiting interface, the explicit web proxy changes the source address of the session packets to the IP address of the exiting interface. A FortiProxy unit operating in transparent mode changes the source address to the transparent mode management IP address instead. You can also configure the explicit web proxy to keep the original client IP address.
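The flow described above, as an added illustrative model rather than FortiProxy code: a session is accepted only on the explicit proxy port with a matching policy, HTTPS is decrypted before scanning, either engine's verdict is enough to block, and the source address is rewritten according to the unit's mode. The signatures, addresses, XOR "cipher", and the precedence of the keep-original-IP option over transparent mode are constructed assumptions.

```python
from dataclasses import dataclass

EXPLICIT_PROXY_PORT = 8080  # default explicit web proxy port

@dataclass
class Session:
    client_ip: str
    dst_port: int        # port the browser connected to on the FortiProxy
    scheme: str          # "http" or "https"
    body: bytes          # content as received (ciphertext for https)
    policy_match: bool = True

@dataclass
class ProxyConfig:
    transparent_mode: bool = False
    keep_original_ip: bool = False
    egress_ip: str = "203.0.113.1"   # constructed exiting-interface address
    mgmt_ip: str = "192.0.2.10"      # constructed transparent-mode management IP

# Constructed stand-ins: IPS engine = IPS + application control;
# explicit proxy = DLP, web filtering, antivirus.
IPS_SIGNATURES = (b"<script>evil", b"shell.exe")
PROXY_BLOCKLIST = (b"CONFIDENTIAL", b"EICAR")

def ips_engine(plaintext: bytes) -> bool:
    return any(sig in plaintext for sig in IPS_SIGNATURES)

def explicit_proxy_scan(plaintext: bytes) -> bool:
    return any(tok in plaintext for tok in PROXY_BLOCKLIST)

def decrypt(data: bytes) -> bytes:
    # Placeholder for TLS decryption (offloaded to CP8/CP9 on the real unit).
    return bytes(b ^ 0x5A for b in data)

def encrypt(data: bytes) -> bytes:
    return bytes(b ^ 0x5A for b in data)  # same involution, re-encrypts

def handle(session: Session, cfg: ProxyConfig):
    """Return (verdict, egress source IP, payload) for one session."""
    if session.dst_port != EXPLICIT_PROXY_PORT or not session.policy_match:
        return ("not_proxied", session.client_ip, session.body)
    plain = decrypt(session.body) if session.scheme == "https" else session.body
    # Both engines see the same plaintext; a threat from either blocks it.
    if ips_engine(plain) or explicit_proxy_scan(plain):
        return ("blocked", None, b"replacement message")
    out = encrypt(plain) if session.scheme == "https" else plain
    if cfg.keep_original_ip:
        src = session.client_ip
    else:
        src = cfg.mgmt_ip if cfg.transparent_mode else cfg.egress_ip
    return ("relayed", src, out)
```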
