FortiGate Flow vs. Proxy based inspection

Traffic can be UTM inspected on the FortiGate either flow-based or proxy-based. Both inspection modes have advantages and disadvantages. Therefore it is very important to use the right inspection mode for the concerning purpose.

Flow based inspection

  • Default inspection mode
  • Uses single-pass direct filter approach (DFA) pattern matching to identify possible attacks or threats
  • File is scanned on a flow basis as it passes through FortiGate
  • Requires fewer processing resources
  • Provides faster scanning

If you sniff a flow based session, you can see this behaviour:

FGT # diag sniffer packet any 'host' 4
# The FortiGate receives the SYN packet from the client ...
0.000000 lan in -> syn 1706835036
# ... and sends the packet directly further to the Webserver.
0.000051 wan out -> syn 1706835036
# The webserver sends it's SYN/ACK packet which is also directly forwarded to the Client.
0.007561 wan in -> syn 187701112 ack 1706835037
0.007577 lan out -> syn 187701112 ack 1706835037
# The last packet of the TCP handshake is the ACK packet, which is also forwarded to the Webserver immediately.
0.008548 lan in -> ack 187701113
0.008566 wan out -> ack 187701113

Proxy based inspection

  • More thorough inspection
  • Adds latency
  • Complete content is scanned
  • Two TCP connections (From client to FortiGate acting as proxy server / From FortiGate to server)
  • Communication is terminated on Layer 4
  • More resource intensive
  • Provides a higher level of threat protection

If you sniff a flow based session, you can see this behaviour:

FGT # diag sniffer packet any 'host' 4
# The FortiGate receives the SYN packet from the client ...
0.000000 lan in -> syn 2610810331
# ... and answers directly with a SYN/ACK packet to establish the session between Client and FortiGate.
0.000049 lan out -> syn 3433523664 ack 2610810332
# As soon as the FortiGate receives the ACK packet from the client, ...
0.000131 lan in -> ack 3433523665
# ... the FortiGate contacts the Webserver by sending a SYN packet to establish the TCP connection.
0.001407 wan out -> syn 2081136307
# While the FortiGate waits for the first answer (SYN/ACK packet) from the server, it already receives traffic of this session from the Client.
0.001713 lan in -> psh 2610810332 ack 3433523665
0.001722 lan out -> ack 2610810933
# Underneath, the FortiGate finished the handshake with the Webserver and establishes the connection between FortiGate and Webserver.
0.009107 wan in -> syn 266185062 ack 2081136308
0.009123 wan out -> ack 266185063

Traffic, matching policies that do not use Flow- or Proxy based inspection or no UTM inspection at all

… are handled from the FortiOS kernel and the process is called “stateful inspection”. Since the traffic is not sent to the IPS Engine (for flow based inspection) or the WAD daemon (for proxy based inspection), this mode uses fewer system ressources.

Which inspection mode to choose

Flow-based inspection takes a snapshot of content packets and uses pattern matching to identify security threats in the content.

Flow inspection is recommended for policies that prioritize traffic throughput, such as allowing connections to a streaming or file server.

Proxy-based inspection reconstructs content passing through the FortiGate and inspects the content for security threats.

Because proxy mode provides the most thorough inspection, it is recommended that you use proxy inspection for policies where preventing data leakage or malicious content is critical.

Each inspection mode plays a role in processing traffic as it travels to its destination. While both modes provide significant security, proxy-based provides more feature configuration options, while flow-based is designed to optimize performance.

Information Sources

The content of this article is derived from several Fortinet information sources linked below:

FortiGate Administrator (FCP) and Fortinet Enterprise Firewall (FCSS) courseware.


Leave a Reply

Your email address will not be published. Required fields are marked *