Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
LiaoYuRuei
New Contributor

Created on ‎07-02-2018 02:02 AM

Why enable AV also enable proxy and ssl inspection?

Hello All, could anyone tell me that why I enable AV profile on policy, but two other options (Proxy Options and SSL Inspection) are also be enabled ? Thanks.

 

Here is my FortiGate setting:

FortiOS: 5.6.4

 

 

Preview file
89 KB
4356
0 Kudos
1 Solution
darwin_FTNT
Staff
Staff

Created on ‎07-09-2018 08:18 PM

Proxy Options label in GUI are mapped in CLI to: config firewall profile-protocol-options

SSL Inspection label in GUI are mapped to CLI: config firewall ssl-ssh-profile

 

I think the GUI Proxy Options label are confusing.  The CLI labels are more accurate.

 

The 2 configs are used by both flow-based and proxy-based utm profiles.  Both contains different/important layer 7 protocols options so are required by either flow/proxy-based utm(s) to handle each protocol.  Flow-based utm are handled by ipsengine daemon.  Proxy-based utm are handled by wad daemon. As far as I know, not recommended to mix both utm profile modes (proxy vs flow) because the packet from kernel would be copied twice to different daemon queues.  The resulting setup are also more complicated due to more ipc, etc.

 

Can verify a session if its packet is being forward to ipsengine or wad daemon by doing 'diag sys session list' in CLI.  Then check field state= for either bits: ndr or redir.  ndr is forward packet to ipsengine. redir forward packet to proxy wad.  See for more info:  http://kb.fortinet.com/kb....do?externalId=FD30042

View solution in original post

1148
0 Kudos
1 REPLY 1
darwin_FTNT
Staff
Staff

Created on ‎07-09-2018 08:18 PM

Proxy Options label in GUI are mapped in CLI to: config firewall profile-protocol-options

SSL Inspection label in GUI are mapped to CLI: config firewall ssl-ssh-profile

 

I think the GUI Proxy Options label are confusing.  The CLI labels are more accurate.

 

The 2 configs are used by both flow-based and proxy-based utm profiles.  Both contains different/important layer 7 protocols options so are required by either flow/proxy-based utm(s) to handle each protocol.  Flow-based utm are handled by ipsengine daemon.  Proxy-based utm are handled by wad daemon. As far as I know, not recommended to mix both utm profile modes (proxy vs flow) because the packet from kernel would be copied twice to different daemon queues.  The resulting setup are also more complicated due to more ipc, etc.

 

Can verify a session if its packet is being forward to ipsengine or wad daemon by doing 'diag sys session list' in CLI.  Then check field state= for either bits: ndr or redir.  ndr is forward packet to ipsengine. redir forward packet to proxy wad.  See for more info:  http://kb.fortinet.com/kb....do?externalId=FD30042

1149
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.