Security Profiles - Inspection Modes

This document provides information about configuring various security profiles on FortiGate devices, including inspection modes (flow-based vs proxy-based), antivirus, web filtering, DNS filtering, application control, intrusion prevention, file filtering, email filtering, data leak prevention, VoIP, ICAP, web application firewalling, and SSL/SSH inspection. It describes the differences between flow-based and proxy-based inspection, listing which features each security profile supports in each mode.


Security Profiles

This section contains information about configuring FortiGate security features, including:

• Inspection modes
• Antivirus
• Web filter
• DNS filter
• Application control
• Intrusion prevention
• File filter
• Email filter
• Data leak prevention
• VoIP solutions
• ICAP
• Web application firewall
• SSL & SSH Inspection
• Custom signatures
• Overrides

If you are unable to view a security profile feature, go to System > Feature Visibility to enable it.
Inspection modes

FortiOS supports flow-based and proxy-based inspection in firewall policies. You can select the inspection mode when configuring a policy.

Flow-based inspection takes a snapshot of content packets and uses pattern matching to identify security threats in the content.

Proxy-based inspection reconstructs content that passes through the FortiGate and inspects the content for security threats.

Certain security profiles allow users to display flow-based or proxy-based feature sets.

The following topics provide information about inspection modes for various security profile features:

• Flow mode inspection (default mode)
• Proxy mode inspection
• Inspection mode feature comparison

Flow mode inspection (default mode)

When a firewall policy's inspection mode is set to flow, traffic flowing through the policy will not be buffered by the FortiGate. Unlike proxy mode, the content payload passing through the policy will be inspected on a packet-by-packet basis, with the very last packet held by the FortiGate until the scan returns a verdict. If a violation is detected in the traffic, a reset packet is issued to the receiver, which terminates the connection and prevents the payload from being sent successfully.

Flow-based inspection identifies and blocks security threats in real time. All applicable flow-based security modules are applied simultaneously in a single pass, using Direct Filter Approach (DFA) pattern matching to identify possible attacks or threats. Pattern matching is offloaded to and accelerated by CP8 or CP9 processors.

Flow-based inspection typically requires lower processing resources than proxy-based inspection and does not change packets unless a threat is found and packets are blocked.

Use case

It is recommended to apply flow inspection to policies that prioritize traffic throughput, such as those allowing connections to a streaming or file server.

For example, you have an application server that accepts connections from users for a daily quiz show app, HQ. Each HQ session sees 500,000+ participants, and speed is very important because participants have less than 10 seconds to answer the quiz show questions.

In this scenario, a flow inspection policy is recommended to prioritize throughput. The success of the application depends on providing reliable service for large numbers of concurrent users. The policy would include an IPS sensor to protect the server from external DoS attacks.

Proxy mode inspection

When a firewall policy's inspection mode is set to proxy, traffic flowing through the policy will be buffered by the FortiGate for inspection. This means that the packets for a file, email message, or web page will be held by the FortiGate until the entire payload is inspected for violations (virus, spam, or malicious web links). After FortiOS finishes the inspection, the payload is either released to the destination (if the traffic is clean) or dropped and replaced with a replacement message (if the traffic contains violations).

To optimize inspection, the policy can be configured to block or ignore files or messages that exceed a certain size. To prevent the receiving end user from timing out, you can apply client comforting. This allows small portions of the payload to be sent while it is undergoing inspection.

Proxy mode provides the most thorough inspection of the traffic; however, its thoroughness sacrifices performance, making its throughput slower than that of a flow mode policy. Under normal traffic circumstances, the throughput difference between a proxy-based and flow-based policy is not significant.

Use case 1

Your organization deals with sensitive data on a regular basis, and a data leak would significantly harm your business. At the same time, you wish to protect your employees from malicious content, such as viruses and phishing emails, which could be used to gain access to your network and the sensitive data on your systems.

In this scenario, a proxy inspection policy is recommended to prioritize network security. You want traffic inspection to be as thorough as possible to avoid any data leaks from exiting the LAN and any malicious content from entering it. The policy would include antivirus, DLP, web, and email filters all operating in proxy mode.

Use case 2

You have a corporate mail server in your domain that is used by your employees for everyday business activities. You want to protect your employees from phishing emails and viruses. At the same time, you also want to protect your web servers from external attacks.

In this scenario, a proxy inspection policy is recommended to prioritize the safety of employee emails. Applying the antivirus and email filter in this mode allows you to filter out any malware and spam emails received by the mail servers via SMTP or MAPI. An IPS sensor would be used to prevent DoS attacks on the mail servers.

Inspection mode feature comparison

The following table shows which UTM profiles can be configured on a flow mode or proxy mode inspection policy. Some UTM profiles are hidden in the GUI and can only be configured using the CLI. To configure profiles in a firewall policy in the CLI, enable the utm-status setting.

Some profiles might have feature differences between flow-based and proxy-based inspection. From the GUI and CLI, you can set the Feature set option to Flow-based or Proxy-based to display only the settings for that mode.
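As an added example (not from the Fortinet document), the FortiOS CLI that turns the flow use case and proxy use case 1 above into firewall policies, with the utm-status and Feature set options just described. The interface, address and profile names are assumptions, and the option names are those of the FortiOS 6.4/7.0 CLI.

```text
# Added example, not part of the Fortinet document. FortiOS CLI for the flow and
# proxy use cases above. Interface, address and profile names are constructed
# placeholders. Option names follow the FortiOS 6.4/7.0 CLI reference; the DLP
# option in particular is renamed in later releases, so check your release.

# Flow mode: throughput first, IPS sensor only (quiz-app server use case).
config firewall policy
    edit 1
        set name "hq-quiz-inbound"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "hq-app-server"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set inspection-mode flow
        set utm-status enable
        set ips-sensor "protect-servers"
        set ssl-ssh-profile "certificate-inspection"
    next
    # Proxy mode: thoroughness first; AV, DLP, web and email filters (use case 1).
    edit 2
        set name "lan-outbound-proxy"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "lan-users"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "SMTP" "IMAP" "POP3"
        set inspection-mode proxy
        set utm-status enable
        set av-profile "proxy-av"
        set webfilter-profile "proxy-web"
        set emailfilter-profile "proxy-email"
        set dlp-sensor "sensitive-data"
        set profile-protocol-options "default"
        set ssl-ssh-profile "deep-inspection"
    next
end

# Feature set option: show only the proxy-mode settings of the AV profile above.
config antivirus profile
    edit "proxy-av"
        set feature-set proxy
    next
end
```

The profiles referenced by name (the IPS sensor, AV, web, email and DLP profiles) must exist before the policy edit is committed, and utm-status must be enabled before any profile option is accepted.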

UTM Profile                  Flow Mode Inspection Policy   Proxy Mode Inspection Policy  Feature set option
                             GUI        CLI                GUI        CLI
AntiVirus                    Yes        Yes                Yes        Yes                GUI/CLI
Web Filter                   Yes        Yes                Yes        Yes                GUI/CLI
DNS Filter                   Yes        Yes                Yes        Yes                N/A
Application Control          Yes        Yes                Yes        Yes                N/A
Intrusion Prevention System  Yes        Yes                Yes        Yes                N/A
File Filter                  Yes        Yes                Yes        Yes                GUI/CLI
Email Filter                 Yes        Yes                Yes        Yes                GUI/CLI
Data Leak Prevention         No         Yes                No         Yes                CLI
VoIP                         Yes        Yes                Yes        Yes                N/A
ICAP                         No         No                 Yes        Yes                N/A
Web Application Firewall     No         No                 Yes        Yes                N/A
SSL/SSH Inspection           Yes        Yes                Yes        Yes                N/A

The following sections outline differences between flow-based and proxy-based inspection for a security profile.

Feature comparison between AntiVirus inspection modes

The following tables indicate which AntiVirus features are supported by their designated scan modes.

Part 1

                    Replacement   Content   Mobile    Virus      Sandbox      NAC
                    Message       Disarm    Malware   Outbreak   Inspection   Quarantine
Proxy               Yes           Yes       Yes       Yes        Yes          Yes
Flow (hybrid scan)  Yes*          No        Yes       Limited    Yes          Yes

*IPS Engine caches the URL and a replacement message is presented after the second attempt.

Part 2

                    Archive    Emulator   Client       Infection    Heuristics   Treat EXE
                    Blocking              Comforting   Quarantine                as Virus
Proxy               Yes        Yes        Yes          Yes (1)      Yes          Yes (2)
Flow (hybrid scan)  Yes        Yes        No           Limited      Yes          Yes (2)

1. Only available on FortiGate models with HDD or when FortiAnalyzer or FortiGate Cloud is connected and enabled.
2. Only applies to inspection on IMAP, POP3, SMTP, and MAPI protocols.
Feature comparison between Web Filter inspection modes

The following table indicates which Web Filter features are supported by their designated inspection modes.

        FortiGuard        Category   Override     Search    Static   Rating   Proxy         Web
        Category-Based    Usage      Blocked      Engines   URL      Option   Option        Profile
        Filter                       Categories             Filter                          Override
Proxy   Yes               Yes        Yes          Yes       Yes      Yes      Yes           Yes
Flow    Yes (1)           No         Yes (2)      No        Yes      Yes      Limited (3)   No

1. Local Category and Remote Category filters do not support the warning and authenticate actions.
2. Local Category and Remote Category filters cannot be overridden.
3. Only HTTP POST Action is supported.

Feature comparison between Email Filter inspection modes

The following tables indicate which Email Filters are supported by the specified inspection modes for local filtering and FortiGuard-assisted filtering.

Local Filtering   Banned   Block/Allow   HELO/EHLO   Return Address   DNSBL/ORBL   MIME Header
                  Word     List          DNS Check   DNS Check        Check        Check
                  Check
Proxy             Yes      Yes           Yes         Yes              Yes          Yes
Flow              Yes      Yes           No          No               No           Yes

FortiGuard-Assisted   Phishing    Anti-Spam    Submit Spam     Spam Email   Spam
Filtering             URL Check   Block List   to FortiGuard   Checksum     URL Check
                                  Check                        Check
Proxy                 Yes         Yes          Yes             Yes          Yes
Flow                  No          No           No              No           No

Feature comparison between DLP inspection modes

The following table indicates which DLP filters are supported by their designated inspection modes.

        Credit Card   SSN      Regex    File-Type   File-Pattern   Fingerprint   Watermark   Encrypted   File-Size
        Filter        Filter   Filter   Filter      Filter         Filter        Filter      Filter      Filter
Proxy   Yes           Yes      Yes      Yes         Yes            Yes           Yes         Yes         Yes
Flow    Yes           Yes      Yes      Yes         Yes            No            No          Yes         Yes*

*File-size filtering only works if the file size is present in the protocol exchange.
