Inspection mode feature comparison
The following table shows which UTM profile can be configured on a flow mode or proxy mode inspection policy.
Some UTM profiles are hidden in the GUI and can only be configured using the CLI. To configure profiles in a firewall policy in CLI, enable the utm-status
setting.
Some profiles might have feature differences between flow-based and proxy-based Inspection. From the GUI and CLI, you can set the Feature set option to be Flow-based or Proxy-based to display only the settings for that mode.
|
Flow Mode Inspection Policy |
Proxy Mode Inspection Policy |
Feature set option |
||
---|---|---|---|---|---|
UTM Profile |
GUI |
CLI |
GUI |
CLI |
|
AntiVirus |
Yes |
Yes |
Yes |
Yes |
GUI/CLI |
Web Filter |
Yes |
Yes |
Yes |
Yes |
GUI/CLI |
DNS Filter |
Yes |
Yes |
Yes |
Yes |
N/A |
Application Control |
Yes |
Yes |
Yes |
Yes |
N/A |
Intrusion Prevention System |
Yes |
Yes |
Yes |
Yes |
N/A |
Email Filter |
Yes |
Yes |
Yes |
Yes |
GUI/CLI |
Data Leak Prevention |
No |
Yes |
No |
Yes |
CLI |
VoIP |
Yes |
Yes |
Yes |
Yes |
N/A |
ICAP |
No |
No |
Yes |
Yes |
N/A |
Web Application Firewall |
No |
No |
Yes |
Yes |
N/A |
SSL/SSH Inspection |
Yes |
Yes |
Yes |
Yes |
CLI |
The following sections outline differences between flow-based and proxy-based inspection for a security profile.
Feature comparison between AntiVirus inspection modes
The following table indicates which AntiVirus features are supported by their designated scan modes.
Part1 |
Replacement Message |
Content Disarm |
Mobile Malware |
Virus Outbreak |
Sandbox Inspection |
NAC Quarantine |
---|---|---|---|---|---|---|
Proxy |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Flow (hybrid scan) |
Yes* |
No |
Yes |
Limited |
Yes |
Yes |
*IPS Engine caches the URL and a replacement message is presented after the second attempt.
Part 2 |
Archive Blocking |
Emulator |
Client Comforting |
Infection Quarantine |
Heuristics |
Treat EXE as Virus |
---|---|---|---|---|---|---|
Proxy |
Yes |
Yes |
Yes |
Yes (1) |
Yes |
Yes (2) |
Flow (hybrid scan) |
Yes |
Yes |
No |
Limited |
Yes |
Yes (2) |
- Only available on FortiGate models with HDD or when FortiAnalyzer or FortiGate Cloud is connected and enabled.
- Only applies to inspection on IMAP, POP3, SMTP, and MAPI protocols.
Feature comparison between Web Filter inspection modes
The following table indicates which Web Filter features are supported by their designated inspection modes.
|
FortiGuard Category-Based Filter |
Category Usage Quota |
Override Blocked Categories |
File Filter |
Search Engines |
Static URL Filter |
Rating Option |
Proxy Option |
Web Profile Override |
---|---|---|---|---|---|---|---|---|---|
Proxy |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Flow |
Yes (1) |
No |
Yes (2) |
No |
No |
Yes |
Yes |
Limited (3) |
No |
- Local Category and Remote Category filters do not support the warning and authenticate actions.
- Local Category and Remote Category filters cannot be overridden.
- Only HTTP POST Action is supported.
Feature comparison between Email Filter inspection modes
The following tables indicate which Email Filters are supported by the specified inspection modes for local filtering and FortiGuard-assisted filtering.
Local Filtering |
Banned Word Check |
Block/Allow List |
HELO/ EHLO DNS Check |
Return Address DNS Check |
DNSBL/ ORBL Check |
MIME Header Check |
File Filter |
---|---|---|---|---|---|---|---|
Proxy |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Flow |
Yes |
Yes |
No |
No |
No |
Yes |
No |
FortiGuard-Assisted Filtering |
Phishing URL Check |
Anti-Spam Block List Check |
Submit Spam to FortiGuard |
Spam Email Checksum Check |
Spam URL Check |
---|---|---|---|---|---|
Proxy |
Yes |
Yes |
Yes |
Yes |
Yes |
Flow |
No |
No |
No |
No |
No |
Feature comparison between DLP inspection modes
The following table indicates which DLP filters are supported by their designated inspection modes.
|
Credit Card Filter |
SSN Filter |
Regex Filter |
File-Type Filter |
File-Pattern Filter |
Fingerprint Filter |
Watermark Filter |
Encrypted Filter |
File-Size Filter |
---|---|---|---|---|---|---|---|---|---|
Proxy |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Flow |
Yes |
Yes |
Yes |
Yes |
Yes |
No |
No |
Yes |
Yes* |
*File-size filtering only works if file size is present in the protocol exchange.