Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
vishal
New Contributor

Changing inspection mode

Hello All, I have Fortigate 1100 series firewall in my organisation whose inspection mode is flow base and I want to change to proxy mode. Need to know what are the precaution need to take before proceeding so that there will be minimal disruption in my network
1 Solution
TecnetRuss

You didn't mention what firmware you're running or what security services you're using.  The answer really depends on your configuration.

 

It's worth noting that Inspection mode in FortiOS 6.4 and later is no longer a global setting but instead is a per-policy setting, so you can technically use both simultaneously, switching, mixing and matching as needed.

 

Assuming you're running FortiOS 6.2 or earlier, Inspection mode differences are covered in detail here:

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/721410/about-inspection-modes

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/922096/inspection-mode-feature-compariso...

 

Going from Flow Mode to Proxy mode is generally safe because Proxy Mode supports all of the Flow mode inspection policies (see second link).  Generally, the only downside is that it will reduce the performance of your FortiGate a bit.  The more polices and security filtering you're doing the bigger the impact will be.

 

Going from Proxy Mode to Flow mode is trickier.  Flow mode doesn't support features like ICAP inspection or Web Application firewall, and only partially supports e-mail inspection (spam), so if you were already using these features they could get disabled by switching from Proxy to Flow.

 

Changing the inspection mode on 6.2 or earlier interrupts traffic.

 

If you upgrade to 6.4+ (obviously this interrupts traffic), you can change the inspection mode of a policy with minimal disruption (e.g. just change the mode of the policy, or clone the policy, switch the mode on the copy, then move the copy above the original policy).

 

Russ

NSE7

 

View solution in original post

5 REPLIES 5
vishal
New Contributor

Please help
jorge_americo

In theory, there is no problem. But as a precaution, I advise you that in case of HA, break the HA, and make the change. In case of a problem, just switch traffic to the second box.

NSE-4

NSE-4
vishal

Ok..but my device is standalone. Would I able to change mode without interrupting the traffic
TecnetRuss

You didn't mention what firmware you're running or what security services you're using.  The answer really depends on your configuration.

 

It's worth noting that Inspection mode in FortiOS 6.4 and later is no longer a global setting but instead is a per-policy setting, so you can technically use both simultaneously, switching, mixing and matching as needed.

 

Assuming you're running FortiOS 6.2 or earlier, Inspection mode differences are covered in detail here:

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/721410/about-inspection-modes

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/922096/inspection-mode-feature-compariso...

 

Going from Flow Mode to Proxy mode is generally safe because Proxy Mode supports all of the Flow mode inspection policies (see second link).  Generally, the only downside is that it will reduce the performance of your FortiGate a bit.  The more polices and security filtering you're doing the bigger the impact will be.

 

Going from Proxy Mode to Flow mode is trickier.  Flow mode doesn't support features like ICAP inspection or Web Application firewall, and only partially supports e-mail inspection (spam), so if you were already using these features they could get disabled by switching from Proxy to Flow.

 

Changing the inspection mode on 6.2 or earlier interrupts traffic.

 

If you upgrade to 6.4+ (obviously this interrupts traffic), you can change the inspection mode of a policy with minimal disruption (e.g. just change the mode of the policy, or clone the policy, switch the mode on the copy, then move the copy above the original policy).

 

Russ

NSE7

 

vishal

My firmware is 6.6.4 so I think that would not be much effect on my traffic flow. Thanks man for your suc a beautiful explanation
Labels
Top Kudoed Authors