- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Mix of Flow & Proxy mode Security Profile
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Mix of Flow & Proxy mode Security Profile
Hi,
I am finding the new 5.4 documentation little confusing. So I am not sure if can we use mix of security profiles in flow & proxy mode. Like we would like to use App-Control,IPS in Flow mode but web-filtering & AV scanning in proxy mode for maximum security.
Is this configuration supported.
Kindly please let me know.
Regards
Sebastan
Solved! Go to Solution.
Labels:
- Labels:
-
5.4
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There is some good information in the 5.4 documentation on Parallel Path Processing (Life of a Packet).
Specifically, the UTM/NGFW flows for:
[ul]Each time the proxy diagram includes the "IPS Engine" block, (I think) it is representing a copy of almost the entire diagram from the flow-based UTM, though with the SSL Inspection decryption being done by the proxy engine, instead of the flow one. So definitely more resource intensive.
I'd really like to see how that diagram changes with, for instance, a FortiGate in Proxy mode and a security policy that uses flow-mode AntiVirus, flow-mode Web Filter, App Control (flow-mode only), IPS (flow-mode only) and SSL Inspection. Is the proxy engine still being used to decrypt and encrypt the SSL in that case, even though nothing else is using it? Or do I still have the extra cost of the proxy engine encrypting and decrypting in this situation.
27 REPLIES 27
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Team,
Any confirmation on the same.
Regards
Sebastan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I inadvertently had mine setup with mixed modes and it cause weird issues. Some sites would not load, or would have problems, had one android phone that could not get office 365 email. once all modules were the same everything worked fine.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your feedback. So practically based on your experience I feel though it's supported but not recommended.
Regards
Sebastan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
actually I do not know if it helps you but to have no confiusion here me view and some official details:
- From my perspective I would use always proxy mode because it is the comment of the art. Some of the UTM can not be proxy mode because as an example IPS and Application Control can only be used in flow mode which makes sense from technology point of view.
The question and important to know is following: If you use in one policy a mix of security profiles meaning flow and proxy mode the mode would change for this UTM feature to flow if the UTM feature is supporting both modes. Example: If you use AV in proxy and WebFilter in flow in one Policy the FortiOS changes in the background the WebFilter also in flow mode even the security profile is in proxy mode.
This behaviour is described in the document "Life of a Packet" (http://docs.fortinet.com/d/fortigate-life-of-a-packet-5.4). In this document is also described what UTM is supporting which mode etc. This behaviour is for FortiOS 5.x and not only 5.4.
hope this helps
have fun
Andrea
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Andrea
i don't quite understand that remark for 5.4, specially there you designate the whole FortiGate or VDOM to either flow or proxy. so you can't even select a AV flow provide and a proxy Webfilter profile right?
as for the remark on it switching to flow, could you please point out the exact place in any document, im aware of the behaviour but have a hard time finding the documentation.
thank you
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Andrea
I'd like to get more clarification on this as well.
The "Life of a Packet" PDF that you linked to above says on page 21:
"Packets initially encounter the IPS engine, which uses the same steps described in UTM/NGFW packet flow: flow-based inspection on page 19 to apply single-pass IPS, Application Control and CASI if configured in the firewall policy accepting the traffic. The packets are then sent to the FortiOS UTM/NGFW proxy for proxy-based inspection."
This seems to imply that the flow based profiles run, then hand off to the proxy based profiles. The diagram on page 22 shows this.
@boneyard
Regarding not being able to select an AV flow profile for a VDOM in proxy mode:
With 5.4.0 (haven't tried 5.4.1) I could use the CLI to create an AV flow profile and set it to be used for a specific policy, even though the VDOM is set to proxy. The flow AV profile then shows up in the GUI for that policy and appears to work. However, you can't do this in the (5.4.0) GUI. Also, the only FGT crash I ran into occurred while I had the flow based AV profile set on an active policy with the (root) VDOM in proxy mode.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I just run my FortiGates in Proxy mode. In 5.4.x you can set the whole device to proxy or flow. Proxy gives you substantially more options for your UTM. I have had instances where it caused some weird issues though.
Mike Pruett
Mike Pruett
Fortinet GURU | Fortinet Training Videos
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For reference, from the 5.4.1 documentation:
Flow Only
[ul]Proxy Only
[ul]Flow and Proxy Versions
[ul]
One thing I'm still confused about is using CASI, when the FGT is in proxy mode. From the documentation:
Unfortunately CASI does not work when using Proxy-based profiles for AV or Web filtering for example. Make sure to only use Flow-based profiles in combination with CASI on a specific policy.
This implies that to use CASI, I can't use the DNS filter for that policy, which seems problematic since that can catch a lot. Similarly, I can't add AV or Web Filter profiles from the GUI, since they default to proxy mode. Supposedly, I can create, edit, and add flow based AV or Web Filter profiles from the CLI, though. Because of the way policies are evaluated, I can't (as far as I know) break a policy into two policies so I can do CASI in one and use the proxy based profiles in the other.
Has anybody used CASI in 5.4.0 or 5.4.1, when their FGT (or the VDOM) is set in proxy mode? How did it go?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, Basically the idea of not to mix both flow and proxy mode is to reduce the load on the device. When you have mixed config with both flow and proxy, the traffic has to be redirected back and forth between kernel <=> proxy, kernel <=> IPS, proxy <=> IPS which will spike the CPU indirectly causing performance issues. This is more evident on a low end device.
Cheers!
Related Posts
- Issues with activating proxy mode in... 83 Views
- Fortigate SSLVPN with DUO MFA -... 94 Views
- FortiGate Inspection mode used on the... 207 Views
- ZTNA not working. Help please. 301 Views
- FortiEMS/FortiClient - VPN Tunnel with Multiple... 264 Views
Labels
-
FortiGate
6,538 -
FortiClient
1,304 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
242 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
Customer Service
70 -
FortiToken
69 -
4.0MR3
64 -
SSL-VPN
60 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
Firewall policy
24 -
SD-WAN
24 -
FortiConnect
23 -
FortiWAN
22 -
FortiConverter
21 -
VLAN
20 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiAuthenticator
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
SSL SSH inspection
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
Schedule
1 -
4.0MR1
1 -
SDN connector
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
FortiPAM
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
FortiManager-VM
1 -
Zone
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.