Understanding FortiGate Inspection Modes: A Comprehensive Guide to Flow-Based vs. Proxy-Based Security
In the realm of network security, the FortiGate next-generation firewall from Fortinet stands as a formidable guardian. A critical, yet often misunderstood, aspect of its configuration is the inspection mode. This setting dictates how the firewall scrutinizes traffic for threats, striking a balance between security depth and network performance.
This guide synthesizes information from official Fortinet documentation, community knowledge bases, and expert analyses to provide a complete picture of FortiGate inspection modes, helping you make informed decisions for your network environment.
What are FortiGate Inspection Modes?
At its core, the inspection mode determines the method a FortiGate uses to process and analyze traffic against security profiles (like Antivirus, Web Filter, and IPS). FortiOS primarily supports two distinct modes: flow-based and proxy-based. You can select the desired mode when configuring a firewall policy, allowing for granular control over different types of traffic.
Flow-Based Inspection: The Performance Optimizer
Flow-based inspection is the default mode on many FortiGate models and is designed for speed and efficiency. Think of it as a "single-pass" scanner.
- How it works: It examines data packets as they pass through the FortiGate without significant buffering or delay. It uses a direct filter approach (DFA) for pattern matching to identify threats on the fly.
- Traffic Flow: The FortiGate acts as a streamlined forwarder. It establishes a single TCP connection between the client and the server, forwarding packets immediately upon arrival. The three-way handshake occurs directly between the endpoints through the firewall.
- Resource Profile: This method requires fewer processing resources, making it ideal for high-throughput scenarios where performance is paramount.
Proxy-Based Inspection: The Security Specialist
Proxy-based inspection takes a more thorough, "buffered" approach to security. It reconstructs the content passing through the FortiGate before making a security decision.
- How it works: The FortiGate terminates the client's connection and acts as a full proxy. It receives the entire file or web page, buffers it, and inspects the complete dataset for threats before forwarding it to the destination.
- Traffic Flow: This creates two separate TCP connections: one from the client to the FortiGate, and another from the FortiGate to the server. The handshake with the server only occurs after the client's connection is fully established.
- Resource Profile: While this method provides a higher level of threat protection and can examine more data points, it adds latency and consumes more memory and processing power.
Inspection Mode Comparison: A Side-by-Side Look
To better understand the practical differences, the following table summarizes the key characteristics of each mode based on the gathered information.
| Feature | Flow-Based Inspection | Proxy-Based Inspection |
|---|---|---|
| Primary Focus | Performance and throughput | Security depth and inspection thoroughness |
| Inspection Method | "Snapshot" of packets, pattern matching on the fly | Reconstructs and buffers full content for analysis |
| Traffic Handling | Single TCP connection between endpoints, immediate forwarding | Two TCP connections (client <-> FG <-> server), full content buffered |
| Resource Usage | Lower CPU/memory, more efficient | Higher CPU/memory, more resource-intensive |
| Latency | Low latency, minimal delay added | Adds latency due to buffering and reconstruction |
| Ideal Use Case | High-throughput traffic (streaming, file servers), NGFW policy-based mode | Critical traffic where security is paramount (data leakage prevention, sensitive transactions) |
Key Considerations and Configuration
Configuring and managing these modes involves several important technical details gathered from the sources.
1. Per-Policy Flexibility
Inspection mode is configured per firewall policy. This allows a single FortiGate to use flow-based inspection for a user's general web browsing (to prioritize performance) while applying proxy-based inspection to a policy governing traffic to a sensitive finance server. You can set this in the GUI under a policy's edit view or via the CLI: config firewall policy → set inspection-mode {flow | proxy}.
2. Matching Security Profiles
For a security profile to function correctly, its own inspection mode must match the mode of the firewall policy it is applied to. For example, an Antivirus profile must have its feature-set configured to match the policy's inspection-mode (e.g., set feature-set flow for a flow-based policy). This can be configured in the CLI for profiles like antivirus and web filter.
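The profile/policy mismatch described above (and revisited in the FAQ on switching from proxy to flow mode) is easy to miss in a large config export because FortiOS omits default values: a policy with no inspection-mode line is flow-based, and a profile with no feature-set line is flow-based. The following checker is an added example, not Fortinet's tooling; it parses a constructed FortiOS-style config dump (sample only, not from the page) and reports every antivirus or web filter profile whose feature-set does not match the inspection-mode of the policy that references it.

```python
# Constructed sample FortiOS config (not from the page); policy 2 has no inspection-mode line because FortiOS omits defaults (flow).
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set inspection-mode proxy
        set av-profile "av-proxy"
    next
    edit 2
        set av-profile "av-proxy"
    next
end
config antivirus profile
    edit "av-proxy"
        set feature-set proxy
    next
end
"""
# Policy setting -> config table whose entries carry the feature-set that must match.
PROFILE_KEYS = {"av-profile": "antivirus profile", "webfilter-profile": "webfilter profile"}

def parse_config(text):
    """Parse a FortiOS config dump into {table: {entry: {setting: value}}}."""
    tables, stack, entry = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            entry = entry if stack else None  # new top-level table: no current entry
            stack.append(line[7:])
            tables.setdefault(stack[0], {})
        elif line == "end":
            stack.pop()
        elif line.startswith("edit ") and len(stack) == 1:  # nested blocks (e.g. "config http") are skipped
            entry = line[5:].strip('"')
            tables[stack[0]][entry] = {}
        elif line.startswith("set ") and len(stack) == 1 and entry is not None:
            key, _, value = line[4:].partition(" ")
            tables[stack[0]][entry][key] = value.strip('"')
    return tables

def find_mismatches(text):
    """Return (policy id, setting, profile, policy mode, profile mode) per mismatch."""
    cfg, problems = parse_config(text), []
    for pid, policy in cfg.get("firewall policy", {}).items():
        mode = policy.get("inspection-mode", "flow")  # FortiOS default is flow
        for key, table in PROFILE_KEYS.items():
            name = policy.get(key)  # None when the policy carries no such profile
            fs = cfg.get(table, {}).get(name, {}).get("feature-set", "flow")
            if name and fs != mode:
                problems.append((pid, key, name, mode, fs))
    return problems
```

Run it against a full `show full-configuration` export after a mode change: policy 2 above is flagged because it is flow-based (by default) but references a proxy feature-set antivirus profile.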
3. GUI Visibility and Global Settings
Depending on the FortiOS version, the option to select inspection mode in the GUI might not be visible by default.
- For versions 7.2.4 and later, you may need to enable proxy features globally to see the inspection mode option in the GUI. This is done via CLI commands:
  config system global
      set proxy-and-explicit-proxy enable
  end
  config system settings
      set gui-proxy-inspection enable
  end
- This design is intentional: it streamlines the GUI for environments that do not use proxy-based features.
4. Special Scenarios and Limitations
- NGFW Policy-Based Mode: When the FortiGate is running in NGFW (Next-Generation Firewall) policy-based mode, the operational inspection mode is limited to flow-based only. It cannot be changed to proxy.
- VDOMs: If Virtual Domains (VDOMs) are enabled, the inspection mode cannot be set globally; it must be configured per VDOM.
- Hardware Limitations: Starting with FortiOS 7.4.4, proxy-related features are no longer supported on lower-end FortiGate models with only 2 GB of RAM (e.g., 40F, 60F, 80E series). Administrators of these devices must use flow-based inspection.
5. Performance Impact Without UTM
It is crucial to note that the performance difference between flow and proxy modes is most pronounced when UTM/NGFW features are enabled. For traffic that simply matches a policy without any security profiles applied, the traffic is handled directly by the FortiOS kernel through "stateful inspection" and does not incur the overhead of either UTM inspection engine. Therefore, switching from proxy to flow mode may yield little to no performance gain for basic firewall policies, SSL VPN, or IPsec traffic that does not use UTM profiles.
Frequently Asked Questions (FAQ)
What is the main difference between flow-based and proxy-based inspection?
The main difference lies in how traffic is processed. Flow-based inspects packets as they pass through, prioritizing speed and low latency. Proxy-based buffers and reconstructs the full content for a deeper, more thorough inspection, which provides higher security but adds latency.
Which inspection mode should I use?
It depends on your priorities. Use flow-based for traffic where performance is critical, such as video streaming, large file downloads, or general internet access. Use proxy-based for traffic involving sensitive data, financial transactions, or where the highest level of threat detection is required, such as email or file transfers for critical servers.
Can I use both flow-based and proxy-based inspection on the same FortiGate?
Yes, absolutely. Inspection mode is configured per firewall policy. This allows you to apply flow-based mode to some policies and proxy-based mode to others, giving you maximum flexibility to balance security and performance across different types of traffic.
How do I change the inspection mode on my FortiGate?
You can change it when editing an IPv4 or IPv6 firewall policy. In the GUI, look for the "Inspection Mode" dropdown (if visible). You can also use the CLI: enter config firewall policy, edit the policy ID, and use the command set inspection-mode {flow | proxy}. Ensure that any security profiles applied to the policy have their feature-set configured to match.
Will switching from proxy to flow mode break my existing configuration?
The transition itself is typically transparent, as the configuration for services like SSL VPN and IPsec resides in the policies. However, you must ensure that the inspection mode of your security profiles (Antivirus, Web Filter, etc.) is changed to match the new policy mode. If they don't match, the profiles may not apply correctly, or traffic could be blocked. It's a best practice to plan the change and verify profile settings.
My FortiGate is a low-end model (e.g., 60F). Can I use proxy-based inspection?
It depends on your FortiOS version and the specific model's RAM. Starting from FortiOS 7.4.4, proxy-based features are not supported on FortiGate models with only 2 GB of RAM (this includes many 30G, 40F, 60F, and 80E series devices). You must use flow-based inspection on these platforms. Always check the latest Fortinet documentation for your specific model and firmware.
Why can't I see the "Inspection Mode" option in my FortiGate GUI?
This is common in newer firmware versions (7.2.4+), where the option is hidden by default. You need to enable it via the CLI with the following commands:
config system global
    set proxy-and-explicit-proxy enable
end
config system settings
    set gui-proxy-inspection enable
end
After running these, the option should appear in your firewall policies.
Conclusion
Understanding FortiGate inspection modes is essential for optimizing both security and network performance. Flow-based mode offers speed and efficiency, making it suitable for most general traffic. Proxy-based mode provides a deeper level of inspection for critical assets where security cannot be compromised. By configuring these modes per policy and aligning them with the appropriate security profiles, administrators can fine-tune their FortiGate deployment to meet the specific needs of their organization. Always consult the official Fortinet documentation for your specific hardware and firmware version to understand any platform-specific limitations or features.