Proxy mode inspection
When a firewall policy's inspection mode is set to proxy, traffic flowing through the policy is buffered by the FortiGate for inspection. This means that the packets for a file, email message, or web page are held by the FortiGate until the entire payload has been inspected for violations (viruses, spam, or malicious web links). After FortiOS finishes the inspection, the payload is either released to the destination (if the traffic is clean) or dropped and a replacement message is sent instead (if the traffic contains violations).
To optimize inspection, the policy can be configured to block or ignore files or messages that exceed a certain size. To prevent the receiving end user from timing out, you can apply client comforting. This allows small portions of the payload to be sent while it is undergoing inspection.
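As an added example (not from this page or Fortinet's own documentation), the CLI below shows a proxy-mode policy together with the protocol options behind the oversize and client comforting behaviour described above. The interface, profile and policy names and the numeric limits are constructed, and the option keys are assumed from the FortiOS CLI rather than taken from this page.

```fortios
# Added example; names and limits are constructed, option keys are assumed.
config firewall profile-protocol-options
    edit "proxy-av-options"
        config http
            set ports 80
            set status enable
            # "oversize": block files above oversize-limit instead of
            # buffering them in full; omit it to let them pass unscanned.
            # "clientcomfort": trickle a few bytes to the client while the
            # payload is still being scanned so the browser does not time out.
            set options clientcomfort oversize
            # Seconds between comfort bytes, and bytes sent each interval.
            set comfort-interval 10
            set comfort-amount 1
            # Size threshold (MB) that triggers the oversize action.
            set oversize-limit 10
        end
    next
end

config firewall policy
    edit 0
        set name "proxy-web-out"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        # Proxy mode: the FortiGate holds the whole payload until the scan
        # completes, which is why the comfort settings above matter.
        set inspection-mode proxy
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set profile-protocol-options "proxy-av-options"
        set nat enable
    next
end
```

Lowering oversize-limit reduces memory held per session but means larger downloads are either blocked or passed without scanning, depending on whether "oversize" is set in options.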
In proxy-based antivirus scanning, certain techniques are used to streamline scanning with either in-process or stream-based scanning. For more information, see Proxy mode stream-based scanning.
Proxy mode provides some security profile capabilities that are not available to flow-based scanning:

- Video Filter
- Web Application Firewall (WAF)
- Content Disarm and Reconstruction (CDR)
- Web quota
For a complete list, see Inspection mode feature comparison.
Some features are exclusively proxy-based:

- SSL Offloading
- Explicit Web Proxy
- ZTNA
Verify the capabilities that you need when deciding between a proxy-based and a flow-based policy. Using the same inspection mode in all of your policies also helps optimize performance.