Fortinet black logo

Handbook

Security profiles and different modes

6.0.0
Copy Link
Copy Doc ID 4afb0436-a998-11e9-81a4-00505692583a:149549
Download PDF

Security profiles and different modes

In flow mode, antivirus and web filter profiles only include flow-mode features. Web filtering and virus scanning are still done with the same engines and to the same accuracy, but some inspection options are limited or not available in flow mode. Application control, intrusion protection, and FortiClient profiles are not affected when switching between flow and proxy mode.

Application control uses flow-based inspection; if you apply an additional security profile to your traffic that is proxy-based, the connection will simply timeout rather than display the warning, or replacement, message. However, Application Control will still function.

Even though VoIP profiles are not available from the GUI in flow mode, the FortiGate can process VoIP traffic. In this case the appropriate session helper is used (for example, the SIP session helper).

Setting flow or proxy mode doesn't change the settings available from the CLI. However, when in flow mode you can't save security profiles that are set to proxy mode.

You can also add proxy-only security profiles to firewall policies from the CLI. So, for example, you can add a VoIP profile to a security policy that accepts VoIP traffic. This practice isn't recommended because the setting will not be visible from the GUI.

If you set flow-based to use external servers for FortiWeb and FortiMail you must use the CLI to set a Web Application Firewall profile or Anti-Spam profile to external mode and add the Web Application Firewall profile or AntiSpam profile to a firewall policy.

Proxy mode and flow mode antivirus and web filter profile options

The following tables list the antivirus and web filter profile options available in proxy and flow modes.

Antivirus features in proxy and flow mode

Feature

Proxy

Flow

Scan Mode (Quick or Full)

no

yes

Detect viruses (Block or Monitor)

yes

yes

Inspected protocols

yes

no (all relevant protocols are inspected)

Inspection Options

yes

yes (not available for quick scan mode)

Treat Windows Executables in Email Attachments as Viruses

yes

yes

Send Files to FortiSandbox Appliance for Inspection

yes

yes

Use FortiSandbox Database

yes

yes

Include Mobile Malware Protection

yes

yes

Web filter features in proxy and flow mode

Feature

Proxy Flow

FortiGuard category based filter

yes

yes (show, allow, monitor, block)

Category Usage Quota

yes

no

Allow users to override blocked categories (on some models)

yes

no

Search Engines

yes

no

Enforce 'Safe Search' on Google, Yahoo!, Bing, Yandex

yes

no

Restrict YouTube Access

yes

no

Log all search keywords

yes

no

Static URL Filter

yes

yes

Block invalid URLs

yes

no

URL Filter

yes

yes

Block malicious URLs discovered by FortiSandbox

yes

yes

Web Content Filter

yes

yes

Rating Options

yes

yes

Allow websites when a rating error occurs

yes

yes

Rate URLs by domain and IP Address

yes

yes

Block HTTP redirects by rating

yes

no

Rate images by URL

yes

no

Proxy Options

yes

no

Restrict Google account usage to specific domains

yes

no

Provide details for blocked HTTP 4xx and 5xx errors

yes

no

HTTP POST Action

yes

no

Remove Java Applets

yes

no

Remove ActiveX

yes

no

Remove Cookies

yes

no

Filter Per-User block/allowlist

yes

no

Security profiles and different modes

In flow mode, antivirus and web filter profiles only include flow-mode features. Web filtering and virus scanning are still done with the same engines and to the same accuracy, but some inspection options are limited or not available in flow mode. Application control, intrusion protection, and FortiClient profiles are not affected when switching between flow and proxy mode.

Application control uses flow-based inspection; if you apply an additional security profile to your traffic that is proxy-based, the connection will simply timeout rather than display the warning, or replacement, message. However, Application Control will still function.

Even though VoIP profiles are not available from the GUI in flow mode, the FortiGate can process VoIP traffic. In this case the appropriate session helper is used (for example, the SIP session helper).

Setting flow or proxy mode doesn't change the settings available from the CLI. However, when in flow mode you can't save security profiles that are set to proxy mode.

You can also add proxy-only security profiles to firewall policies from the CLI. So, for example, you can add a VoIP profile to a security policy that accepts VoIP traffic. This practice isn't recommended because the setting will not be visible from the GUI.

If you set flow-based to use external servers for FortiWeb and FortiMail you must use the CLI to set a Web Application Firewall profile or Anti-Spam profile to external mode and add the Web Application Firewall profile or AntiSpam profile to a firewall policy.

Proxy mode and flow mode antivirus and web filter profile options

The following tables list the antivirus and web filter profile options available in proxy and flow modes.

Antivirus features in proxy and flow mode

Feature

Proxy

Flow

Scan Mode (Quick or Full)

no

yes

Detect viruses (Block or Monitor)

yes

yes

Inspected protocols

yes

no (all relevant protocols are inspected)

Inspection Options

yes

yes (not available for quick scan mode)

Treat Windows Executables in Email Attachments as Viruses

yes

yes

Send Files to FortiSandbox Appliance for Inspection

yes

yes

Use FortiSandbox Database

yes

yes

Include Mobile Malware Protection

yes

yes

Web filter features in proxy and flow mode

Feature

Proxy Flow

FortiGuard category based filter

yes

yes (show, allow, monitor, block)

Category Usage Quota

yes

no

Allow users to override blocked categories (on some models)

yes

no

Search Engines

yes

no

Enforce 'Safe Search' on Google, Yahoo!, Bing, Yandex

yes

no

Restrict YouTube Access

yes

no

Log all search keywords

yes

no

Static URL Filter

yes

yes

Block invalid URLs

yes

no

URL Filter

yes

yes

Block malicious URLs discovered by FortiSandbox

yes

yes

Web Content Filter

yes

yes

Rating Options

yes

yes

Allow websites when a rating error occurs

yes

yes

Rate URLs by domain and IP Address

yes

yes

Block HTTP redirects by rating

yes

no

Rate images by URL

yes

no

Proxy Options

yes

no

Restrict Google account usage to specific domains

yes

no

Provide details for blocked HTTP 4xx and 5xx errors

yes

no

HTTP POST Action

yes

no

Remove Java Applets

yes

no

Remove ActiveX

yes

no

Remove Cookies

yes

no

Filter Per-User block/allowlist

yes

no