
Administration Guide

Inspection mode feature comparison

The following table shows which UTM profile can be configured on a flow mode or proxy mode inspection policy.

Some UTM profiles are hidden in the GUI and can only be configured using the CLI. To configure profiles in a firewall policy in the CLI, enable the utm-status setting.

Some profiles might have feature differences between flow-based and proxy-based inspection. From the GUI and CLI, you can set the Feature set option to Flow-based or Proxy-based to display only the settings for that mode.

| UTM Profile | Flow Mode Inspection Policy (GUI) | Flow Mode Inspection Policy (CLI) | Proxy Mode Inspection Policy (GUI) | Proxy Mode Inspection Policy (CLI) | Feature set option |
|---|---|---|---|---|---|
| AntiVirus | Yes | Yes | Yes | Yes | GUI/CLI |
| Web Filter | Yes | Yes | Yes | Yes | GUI/CLI |
| Video Filter | No | No | Yes | Yes | N/A |
| DNS Filter | Yes | Yes | Yes | Yes | N/A |
| Application Control | Yes | Yes | Yes | Yes | N/A |
| Inline CASB | No | No | Yes | Yes | N/A |
| Intrusion Prevention System | Yes | Yes | Yes | Yes | N/A |
| File Filter | Yes | Yes | Yes | Yes | GUI/CLI |
| Email Filter | Yes | Yes | Yes | Yes | GUI/CLI |
| VoIP | Yes | Yes | Yes | Yes | N/A |
| ICAP | No | No | Yes | Yes | N/A |
| Web Application Firewall | No | No | Yes | Yes | N/A |
| Data Loss Prevention | No | Yes | Yes | Yes | CLI |
| Virtual Patching | Yes | Yes | Yes | Yes | N/A |
| SSL/SSH Inspection | Yes | Yes | Yes | Yes | N/A |
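The following added example (not part of the Fortinet guide) parses a firewall policy block from a configuration backup and lists, for each proxy mode policy, the profiles it references that the table above shows as unavailable on flow mode policies, so they can be reviewed before an inspection mode change. The sample configuration is constructed, the function names are hypothetical, and the policy keywords (inspection-mode, videofilter-profile, casb-profile, icap-profile, waf-profile) are assumed FortiOS CLI names that do not appear on this page.

```python
import re

# Policy keywords for the profiles the table marks "No" on flow mode policies.
# Assumption: FortiOS firewall-policy keyword names, not taken from the page.
PROXY_ONLY = {"videofilter-profile": "Video Filter", "casb-profile": "Inline CASB",
              "icap-profile": "ICAP", "waf-profile": "Web Application Firewall"}

# Constructed sample in "show firewall policy" layout, not from a real device.
SAMPLE = """\
config firewall policy
    edit 1
        set utm-status enable
        set inspection-mode proxy
        set av-profile "default"
        set waf-profile "web-servers"
        set icap-profile "dlp-icap"
    next
    edit 2
        set utm-status enable
        set av-profile "default"
    next
    edit 3
        set utm-status enable
        set inspection-mode proxy
        set ips-sensor "default"
    next
end
"""

def parse_policies(text):
    """Return {policy_id: {keyword: value}} for the firewall policy block."""
    policies, current, inside = {}, None, False
    for tok in (line.strip() for line in text.splitlines()):
        if tok in ("config firewall policy", "end"):
            inside = tok != "end"
        elif inside and (m := re.fullmatch(r"edit (\d+)", tok)):
            current = policies.setdefault(int(m.group(1)), {})
        elif inside and current is not None and (m := re.fullmatch(r"set (\S+) (.+)", tok)):
            current[m.group(1)] = m.group(2).strip('"')
    return policies

def flow_migration_impact(text):
    """Map each proxy mode policy to the proxy-only profiles it references."""
    impact = {}
    for pid, cfg in parse_policies(text).items():
        # Assumption: an absent inspection-mode line means the flow default.
        if cfg.get("inspection-mode", "flow") == "proxy":
            impact[pid] = {PROXY_ONLY[k]: v for k, v in cfg.items() if k in PROXY_ONLY}
    return impact
```

An empty result for a policy, as for policy 3 in the sample, means it references none of the proxy-only profiles in the table.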

The following sections outline differences between flow-based and proxy-based inspection for a security profile.

Feature comparison between Antivirus inspection modes

The following table indicates which Antivirus features are supported by their designated scan modes.

Part 1

|  | Replacement Message | Content Disarm | Mobile Malware | Virus Outbreak | Sandbox Post-Transfer Scanning | Sandbox Inline Scanning | NAC Quarantine |
|---|---|---|---|---|---|---|---|
| Proxy | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Flow | Yes* | No | Yes | Yes | Yes | No | Yes |

*IPS Engine caches the URL and a replacement message is presented after the second attempt.

Part 2

|  | Archive Blocking | Emulator | Client Comforting | Infection Quarantine | Heuristics | Treat EXE as Virus |
|---|---|---|---|---|---|---|
| Proxy | Yes | Yes | Yes | Yes (1) | Yes | Yes (2) |
| Flow | Yes | Yes | No | Yes | Yes | Yes (2) |

  1. Only available on FortiGate models with HDD or when FortiAnalyzer or FortiGate Cloud is connected and enabled.
  2. Only applies to inspection on IMAP, POP3, SMTP, and MAPI protocols.

Part 3

|  | External Blocklist | EMS Threat Feed | AI/ML Based Detection | FortiNDR Inline Detection |
|---|---|---|---|---|
| Proxy | Yes | Yes | Yes | Yes |
| Flow | Yes | Yes | Yes | No |

Feature comparison between Web Filter inspection modes

The following table indicates which Web Filter features are supported by their designated inspection modes.

|  | FortiGuard Category-Based Filter | Category Usage Quota | Override Blocked Categories | Search Engines | Static URL Filter | Rating Option | Proxy Option | Web Profile Override |
|---|---|---|---|---|---|---|---|---|
| Proxy | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Flow | Yes (1) | No | Yes (2) | No | Yes | Yes | Limited (3) | No |

  1. Local Category and Remote Category filters do not support the warning and authenticate actions.
  2. Local Category and Remote Category filters cannot be overridden.
  3. Only HTTP POST Action is supported.

Feature comparison between Email Filter inspection modes

The following tables indicate which Email Filters are supported by the specified inspection modes for local filtering and FortiGuard-assisted filtering.

Local Filtering

|  | Banned Word Check | Block/Allow List | HELO/EHLO DNS Check | Return Address DNS Check | DNSBL/ORBL Check | MIME Header Check |
|---|---|---|---|---|---|---|
| Proxy | Yes | Yes | Yes | Yes | Yes | Yes |
| Flow | Yes | Yes | No | No | No | Yes |

FortiGuard-Assisted Filtering

|  | Phishing URL Check | Anti-Spam Block List Check | Submit Spam to FortiGuard | Spam Email Checksum Check | Spam URL Check |
|---|---|---|---|---|---|
| Proxy | Yes | Yes | Yes | Yes | Yes |
| Flow | No | No | No | No | No |

Feature comparison between DLP inspection modes

The following table indicates which DLP filters are supported by their designated inspection modes.

|  | Credit Card Filter | SSN Filter | Regex Filter | File-Type Filter | File-Pattern Filter | Fingerprint Filter | Watermark Filter | Encrypted Filter | File-Size Filter |
|---|---|---|---|---|---|---|---|---|---|
| Proxy | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Flow | Yes | Yes | Yes | Yes | Yes | No | No | Yes | Yes* |

*File-size filtering only works if file size is present in the protocol exchange.

Proxy feature visibility in the GUI for entry-level models

Note

All entry-level models have ZTNA, proxy, explicit proxy, WANOpt, and web cache disabled by default. See "To enable proxy features on entry-level platforms" for more information.

The gui-proxy-inspection setting under config system settings is enabled on most models except for entry-level platforms with 2 GB of RAM or less. When this setting is disabled:

  • Proxy-based only profiles such as ICAP, Web Application Firewall, Video Filter, and Zero Trust Network Access are disabled (grayed out) on the System > Feature Visibility page.

  • The Feature set field is disabled on UTM profiles. Only flow-based features are shown.

    Example AV profile:

  • Firewall policy pages do not have an option to select a Flow-based or Proxy-based inspection mode.

  • Proxy-based UTM profiles cannot be selected within policy configurations or other areas.

Note the following exceptions:

  • If the proxy feature set is enabled from the CLI or carried over from upgrading, it can be displayed in the GUI.

  • If proxy-based inspection mode is enabled from the CLI or carried over from upgrading, it can be displayed in GUI firewall policy pages.

    Example AV profile being edited from the New Policy page after upgrading:

To enable proxy features on entry-level platforms:
config system global
    set proxy-and-explicit-proxy enable
end
config system settings
    set gui-proxy-inspection enable
end
