What flow-based inspection do with packets?

pepso · ‎12-09-2020

Hi all,

FYI : I am new here, and this is my 1st post on this forum. I am preparing for NSE4 and one thing is unclear for me.

I rly need to understand how is FTG handling packets in flow-base mode. FORTINET documentation is not clear and

a) once claims that FTG doesn't buffer packets and only forward it

b) and in the same pdf in another section claims that it forward to client (without any delay) but at the same time buffer it.

Documentation is course for NSE4 exam.

a) The flow-based inspection mode examines the file as it passes through FortiGate => without any buffering.

[ul]

As each packet arrives, it is processed and forwarded without waiting for the complete file or web page.

Packets are analyzed and forwarded as they are received.

Original traffic is not altered. Therefore, advanced features that modify content, such as safe search enforcement, are not supported.

versus

b)

As you can see on this slide,

the client sends a request and starts receiving packets immediately from server

FortiGate also caches those packets at the same time When the last packet arrives, FortiGate caches it and puts it on hold.

Then, it sends the whole cached file to the IPS engine where rule match is checked and passed to the AV engine for scanning after that.

If the AV scan does not detect any viruses, and the result comes back clean, the last cached packet is regenerated and delivered to the client.However, if a virus is found, the last packet is dropped. Even if the client has received most of the file, the file will be truncated and the client will be not able to open a truncated file[/ul]

Thank you for explanation.

pepso

lobstercreed · ‎12-09-2020

Looks pretty straight forward to me. It simultaneously buffers and forwards. So the client experiences no delay as the buffering only serves to allow the AV scanning to see the whole file at once. I'm not sure it can be explained much better honestly.

pepso · ‎12-10-2020

lobstercreed wrote:
Looks pretty straight forward to me. It simultaneously buffers and forwards. So the client experiences no delay as the buffering only serves to allow the AV scanning to see the whole file at once. I'm not sure it can be explained much better honestly.

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/659145/flow-mode-inspection-default-mode

very first sentence ..."When a firewall policy’s inspection mode is set to flow, traffic flowing through the policy will not be buffered by the FortiGate. "

I also thought (all the time) that packets are simultaneously buffered and forwarded, but now I am not sure.

lobstercreed · ‎12-10-2020

You're overthinking it. Read this: https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/969330/proxy-mode-inspection

At a high level, the two inspection modes are different in the sense that one buffers (without sending the packets on to the client until it has completed inspection) while the other does not (it immediately sends packets on to the client). Yes, technically they both buffer to perform A/V inspection, but as observed from the client side one does not buffer while the other does.