Inspection mode feature comparison
The following table shows which UTM profiles can be configured on a flow mode or proxy mode inspection policy.
Some UTM profiles are hidden in the GUI and can only be configured using the CLI. To configure profiles in a firewall policy in the CLI, enable the utm-status setting.
Some profiles might have feature differences between flow-based and proxy-based inspection. From the GUI and CLI, you can set the Feature set option to be Flow-based or Proxy-based to display only the settings for that mode.
| UTM Profile | Flow Mode Inspection Policy: GUI | Flow Mode Inspection Policy: CLI | Proxy Mode Inspection Policy: GUI | Proxy Mode Inspection Policy: CLI | Feature set option |
|---|---|---|---|---|---|
| AntiVirus | Yes | Yes | Yes | Yes | GUI/CLI |
| Web Filter | Yes | Yes | Yes | Yes | GUI/CLI |
| Video Filter | No | No | Yes | Yes | N/A |
| DNS Filter | Yes | Yes | Yes | Yes | N/A |
| Application Control | Yes | Yes | Yes | Yes | N/A |
| Inline CASB | No | No | Yes | Yes | N/A |
| Intrusion Prevention System | Yes | Yes | Yes | Yes | N/A |
| File Filter | Yes | Yes | Yes | Yes | GUI/CLI |
| Email Filter | Yes | Yes | Yes | Yes | GUI/CLI |
| VoIP | Yes | Yes | Yes | Yes | N/A |
| ICAP | No | No | Yes | Yes | N/A |
| Web Application Firewall | No | No | Yes | Yes | N/A |
| Data Loss Prevention | No | Yes | Yes | Yes | CLI |
| Virtual Patching | Yes | Yes | Yes | Yes | N/A |
| SSL/SSH Inspection | Yes | Yes | Yes | Yes | N/A |
The following sections outline differences between flow-based and proxy-based inspection for a security profile.
Feature comparison between Antivirus inspection modes
The following table indicates which Antivirus features are supported by their designated scan modes.
| Part 1 | Replacement Message | Content Disarm | Mobile Malware | Virus Outbreak | Sandbox Post-Transfer Scanning | Sandbox Inline Scanning | NAC Quarantine |
|---|---|---|---|---|---|---|---|
| Proxy | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Flow | Yes* | No | Yes | Yes | Yes | No | Yes |

*IPS Engine caches the URL and a replacement message is presented after the second attempt.
| Part 2 | Archive Blocking | Emulator | Client Comforting | Infection Quarantine | Heuristics | Treat EXE as Virus |
|---|---|---|---|---|---|---|
| Proxy | Yes | Yes | Yes | Yes (1) | Yes | Yes (2) |
| Flow | Yes | Yes | No | Yes | Yes | Yes (2) |

1. Only available on FortiGate models with HDD or when FortiAnalyzer or FortiGate Cloud is connected and enabled.
2. Only applies to inspection on IMAP, POP3, SMTP, and MAPI protocols.
| Part 3 | External Blocklist | EMS Threat Feed | AI/ML Based Detection | FortiNDR Inline Detection |
|---|---|---|---|---|
| Proxy | Yes | Yes | Yes | Yes |
| Flow | Yes | Yes | Yes | No |
Feature comparison between Web Filter inspection modes
The following table indicates which Web Filter features are supported by their designated inspection modes.
| | FortiGuard Category-Based Filter | Category Usage Quota | Override Blocked Categories | Search Engines | Static URL Filter | Rating Option | Proxy Option | Web Profile Override |
|---|---|---|---|---|---|---|---|---|
| Proxy | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Flow | Yes (1) | No | Yes (2) | No | Yes | Yes | Limited (3) | No |

1. Local Category and Remote Category filters do not support the warning and authenticate actions.
2. Local Category and Remote Category filters cannot be overridden.
3. Only HTTP POST Action is supported.
Feature comparison between Email Filter inspection modes
The following tables indicate which Email Filters are supported by the specified inspection modes for local filtering and FortiGuard-assisted filtering.
| Local Filtering | Banned Word Check | Block/Allow List | HELO/EHLO DNS Check | Return Address DNS Check | DNSBL/ORBL Check | MIME Header Check |
|---|---|---|---|---|---|---|
| Proxy | Yes | Yes | Yes | Yes | Yes | Yes |
| Flow | Yes | Yes | No | No | No | Yes |

| FortiGuard-Assisted Filtering | Phishing URL Check | Anti-Spam Block List Check | Submit Spam to FortiGuard | Spam Email Checksum Check | Spam URL Check |
|---|---|---|---|---|---|
| Proxy | Yes | Yes | Yes | Yes | Yes |
| Flow | No | No | No | No | No |
Feature comparison between DLP inspection modes
The following table indicates which DLP filters are supported by their designated inspection modes.
| | Credit Card Filter | SSN Filter | Regex Filter | File-Type Filter | File-Pattern Filter | Fingerprint Filter | Watermark Filter | Encrypted Filter | File-Size Filter |
|---|---|---|---|---|---|---|---|---|---|
| Proxy | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Flow | Yes | Yes | Yes | Yes | Yes | No | No | Yes | Yes* |

*File-size filtering only works if file size is present in the protocol exchange.
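
The following is an added example, not part of the original documentation: a Python audit that applies the flow-mode "No" entries from the Antivirus, Web Filter, Email Filter, and DLP tables above to a configuration backup and reports, per firewall policy, which profile features are unavailable. The policy IDs and profile names in the sample are constructed, and the script assumes a policy with no inspection-mode line uses flow mode.

```python
import re

# Features the tables above list as "No" for flow mode, keyed by the
# firewall-policy setting that attaches the corresponding profile.
FLOW_GAPS = {
    "av-profile": ["Content Disarm", "Sandbox Inline Scanning",
                   "Client Comforting", "FortiNDR Inline Detection"],
    "webfilter-profile": ["Category Usage Quota", "Search Engines",
                          "Web Profile Override"],
    "emailfilter-profile": ["HELO/EHLO DNS Check", "Return Address DNS Check",
                            "DNSBL/ORBL Check", "all FortiGuard-assisted checks"],
    "dlp-profile": ["Fingerprint Filter", "Watermark Filter"],
}

# Constructed sample backup excerpt (policy IDs and profile names are made up).
SAMPLE = """\
config firewall policy
    edit 1
        set utm-status enable
        set av-profile "av-strict"
        set emailfilter-profile "mail-in"
    next
    edit 2
        set utm-status enable
        set inspection-mode proxy
        set av-profile "av-strict"
    next
end
"""

def flow_mode_gaps(config_text):
    """Return {policy_id: {profile_setting: [unsupported features]}} for
    policies that inspect in flow mode (assumed when inspection-mode is unset)."""
    section = re.search(r"^config firewall policy\n(.*?)^end$", config_text, re.S | re.M)
    report = {}
    if not section:
        return report
    for pid, body in re.findall(r"^\s+edit (\d+)\n(.*?)^\s+next$", section.group(1), re.S | re.M):
        settings = dict(re.findall(r"^\s+set (\S+) (.+)$", body, re.M))
        if settings.get("inspection-mode", "flow") != "flow":
            continue  # proxy-mode policy: every listed feature is supported
        gaps = {k: v for k, v in FLOW_GAPS.items() if k in settings}
        if gaps:
            report[int(pid)] = gaps
    return report

if __name__ == "__main__":
    for pid, gaps in flow_mode_gaps(SAMPLE).items():
        for setting, features in gaps.items():
            print(f"policy {pid}: {setting} in flow mode lacks {', '.join(features)}")
```
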
Proxy feature visibility in the GUI for entry-level models
All entry-level models have ZTNA, proxy, explicit proxy, WANOpt, and web cache disabled by default. See "To enable proxy features on entry-level platforms" below for more information.
The gui-proxy-inspection setting under config system settings is enabled on most models except for entry-level platforms with 2 GB of RAM or less. When this setting is disabled:
- Proxy-based only profiles such as ICAP, Web Application Firewall, Video Filter, and Zero Trust Network Access are disabled (grayed out) on the System > Feature Visibility page.
- The Feature set field is disabled on UTM profiles. Only flow-based features are shown.
  Example AV profile:
- Firewall policy pages do not have an option to select a Flow-based or Proxy-based inspection mode.
- Proxy-based UTM profiles cannot be selected within policy configurations or other areas.

Note the following exceptions:
- If the proxy feature set is enabled from the CLI or carried over from upgrading, it can be displayed in the GUI.
- If proxy-based inspection mode is enabled from the CLI or carried over from upgrading, it can be displayed in GUI firewall policy pages.
Example AV profile being edited from the New Policy page after upgrading:
To enable proxy features on entry-level platforms:

    config system global
        set proxy-and-explicit-proxy enable
    end
    config system settings
        set gui-proxy-inspection enable
    end