Author Archives: Mike

About Mike

Michael Pruett, CISSP, has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge, resulting in the wrong hardware or configuration being deployed, is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. He owns PacketLlama.Com (Fortinet hardware sales) and Office Of The CISO, LLC (cybersecurity consulting firm).

Inspection mode differences for Web Filter

This section identifies the behavioral differences between Web Filter operating in flow and proxy inspection.

Feature comparison between Web Filter inspection modes

The following table indicates which Web Filter features are supported by their designated inspection modes.

Feature                            Proxy   Flow
FortiGuard Category-Based Filter   Yes     Yes (1)
Category Usage Quota               Yes     No
Override Blocked Categories        Yes     Yes (2)
File Filter                        Yes     No
Search Engines                     Yes     No
Static URL Filter                  Yes     Yes
Rating Option                      Yes     Yes
Proxy Option                       Yes     No
  1. Local Category and Remote Category filters do not support the warning and authenticate actions.
  2. Local Category and Remote Category filters cannot be overridden.

Configuring DNS Servers On A FortiGate To Split DNS Traffic Out

FortiGate Split DNS

Use Case: A client has multiple branches that are spread out geographically. These locations use a central domain controller for Active Directory-driven resources, but need to use local Google DNS servers for local resolution of content delivery networks and similar content. All branches connect to a headquarters location on the other side of the country (or a similarly wide distance from the local branch). The local branch does not want its users to go across the country for services that are available locally.

Inspection mode differences for Email Filter

This section identifies the behavioral differences between Email Filter operating in flow and proxy inspection.

Feature comparison between Email Filter inspection modes

The following table indicates which Email Filters are supported by their designated inspection modes.

Protocol   Proxy   Flow
SMTP       Yes     Yes
POP3       Yes     Yes
IMAP       Yes     Yes
MAPI       Yes     No

Feature comparison between Email Filter inspection modes

The following tables indicate which Email Filters are supported by the specified inspection modes for local filtering and FortiGuard-assisted filtering.

Local Filtering              Proxy   Flow
Banned Word Check            Yes     Yes
Black/White List             Yes     No
HELO/EHLO DNS Check          Yes     No
Return Address DNS Check     Yes     No
DNSBL/ORBL Check             Yes     No
MIME Header Check            Yes     Yes
File Filter                  Yes     No

FortiGuard-Assisted Filtering   Proxy   Flow
Phishing URL Check              Yes     No
Anti-Spam Black List Check      Yes     No
Submit Spam to FortiGuard       Yes     No
Spam Email Checksum Check       Yes     No
Spam URL Check                  Yes     No

Inspection mode differences for Data Leak Prevention

This section identifies the behavioral differences between Data Leak Prevention (DLP) operating in flow and proxy inspection.

Feature comparison between DLP inspection modes

The following table indicates which DLP filters are supported by their designated inspection modes.

Filter                Proxy   Flow
Credit Card Filter    Yes     Yes
SSN Filter            Yes     Yes
Regex Filter          Yes     Yes
File-Type Filter      Yes     No
File-Pattern Filter   Yes     Yes
Fingerprint Filter    Yes     No
Watermark Filter      Yes     No
Encrypted Filter      Yes     Yes
File-Size Filter      Yes     Yes*

* File-size filtering only works if the file size is present in the protocol exchange.

Protocol comparison between DLP inspection modes

The following table indicates which protocols can be inspected by DLP based on the specified inspection modes.

Protocol   Proxy   Flow
HTTP       Yes     Yes
FTP        Yes     Yes
IMAP       Yes     Yes
POP3       Yes     Yes
SMTP       Yes     Yes
NNTP       Yes     No
MAPI       Yes     No
CIFS       No      No

Inspection mode differences for Antivirus

This section identifies the behavioral differences between Antivirus operating in flow and proxy inspection.

Feature comparison between Antivirus inspection modes

The following table indicates which Antivirus features are supported by their designated scan modes.

Feature                Proxy     Flow Full Mode   Flow Quick Mode
Replacement Message    Yes       Yes*             Yes*
Content Disarm         Yes       No               No
Mobile Malware         Yes       Yes              No
Virus Outbreak         Yes       Yes              No
Sandbox Inspection     Yes       Yes              Yes
NAC Quarantine         Yes       Yes              Yes
Archive Blocking       Yes       Yes              No
Emulator               Yes       Yes              No
Client Comforting      Yes       No               No
Infection Quarantine   Yes (1)   Yes (1)          No
Heuristics             Yes       Yes              No
Treat EXE as Virus     Yes (2)   Yes (2)          No

* The IPS Engine caches the URL, and the replacement message is presented only after the second attempt.
  1. Only available on FortiGate models with an HDD, or when FortiAnalyzer or FortiCloud is connected and enabled.
  2. Only applies to inspection of the IMAP, POP3, SMTP, and MAPI protocols.

Protocol comparison between Antivirus inspection modes

The following table indicates which protocols can be inspected by the designated Antivirus scan modes.

Protocol   Proxy   Flow Full Mode   Flow Quick Mode
HTTP       Yes     Yes              Yes
FTP        Yes     Yes              Yes
IMAP       Yes     Yes              Yes
POP3       Yes     Yes              Yes
SMTP       Yes     Yes              Yes
NNTP       Yes     No               No
MAPI       Yes     No               No
CIFS       Yes*    Yes              Yes

* Proxy mode Antivirus inspection on the CIFS protocol has the following limitations:

  • Cannot detect infections within archive files
  • Cannot detect oversized files
  • Will block special archive types by default
  • IPv6 is not supported yet (at the time of FOS v6.2.0 GA)

Other Antivirus differences between inspection modes

Flow Quick mode uses a separate pre-filtering database for malware detection as opposed to the full AV signature database that Flow Full and Proxy mode inspection use.

Proxy mode uses pre-scanning and stream-based scanning for HTTP traffic. This allows archive files that exceed the oversize limit to be uncompressed and scanned for infections.

Inspection mode feature comparison

The following table shows which UTM profile can be configured on a flow mode or proxy mode inspection policy. Remember that some UTM profiles are hidden in the GUI, but can be configured by using the FortiOS CLI.

UTM Profile                   Flow Mode Inspection Policy   Proxy Mode Inspection Policy
                              GUI        CLI                GUI        CLI
Antivirus                     Yes (2)    Yes (2)            Yes        Yes
Application Control           Yes        Yes                Yes        Yes
CIFS Inspection               No         No                 No (1)     Yes
Data Leak Prevention          No         Yes (3)            Yes        Yes
DNS Filter                    Yes        Yes                Yes        Yes
Email Filter                  No         Yes (4)            Yes        Yes
ICAP                          No         No                 Yes        Yes
Intrusion Prevention System   Yes        Yes                Yes        Yes
SSL/SSH Inspection            Yes        Yes                Yes        Yes
VoIP                          No         No                 Yes        Yes
Web Filter                    Yes (5)    Yes (5)            Yes        Yes
Web Application Firewall      No         No                 Yes        Yes
  1. CIFS inspection cannot be configured via the GUI.
  2. Some Antivirus features are not supported in flow mode inspection. See Inspection mode differences for Antivirus above.
  3. Some Data Leak Prevention features are not supported in flow mode inspection. See Inspection mode differences for Data Leak Prevention above.
  4. Some Email Filter features are not supported in flow mode inspection. See Inspection mode differences for Email Filter above.
  5. Some Web Filter features are not supported in flow mode inspection. See Inspection mode differences for Web Filter above.

Proxy mode inspection

When a firewall policy's inspection mode is set to proxy, traffic flowing through the policy will be buffered by the FortiGate for inspection. This means that the packets for a file, email message, or web page will be held by the FortiGate until the entire payload is inspected for violations (virus, spam, or malicious web links). After FortiOS has finished the inspection, the payload is either released to the destination (if the traffic is clean) or dropped and replaced with a replacement message (if the traffic contains violations).

To optimize inspection, the policy can be configured to block or ignore files or messages that exceed a certain size. To prevent the receiving end user from timing out, client comforting can be applied, which allows small portions of the payload to be sent while it is undergoing inspection.

Proxy mode provides the most thorough inspection of the traffic; however, its thoroughness sacrifices performance, making its throughput slower than that of a flow-mode policy. Under normal traffic circumstances, the throughput difference between a proxy-based and flow-based policy is not significant.

Flow mode inspection (default mode)

When a firewall policy’s inspection mode is set to flow, traffic flowing through the policy will not be buffered by the FortiGate. Unlike proxy mode, the content payload passing through the policy will be inspected on a packet by packet basis with the very last packet held by the FortiGate until the scan returns a verdict. If a violation is detected in the traffic, a reset packet is issued to the receiver, which terminates the connection, and prevents the payload from being sent successfully.

Because of this method, flow mode inspection cannot be as thorough as proxy mode inspection and will have some feature limitations. For example, flow mode inspection determines a file's size by identifying the file size information in the protocol exchange. If a file's size is not present in the protocol exchange, the file's size cannot be identified. In that case the flow-based policy will automatically block or pass the file (based on the configuration), regardless of whether the file is actually within the configured size limit.

The objective of flow-based policy is to optimize performance and increase throughput. Although it is not as thorough as a proxy-based policy, flow mode inspection is still very reliable.
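The following CLI fragment is an added illustration, not code from this page or from Fortinet documentation. It ties together the three behaviours described above: the antivirus scan mode that separates Flow Full from Flow Quick in the comparison tables, the oversize block-or-pass setting and client comforting from the proxy mode section, and the flow mode edge case where the file size is missing from the protocol exchange. All object names and policy IDs are assumptions; the syntax follows the FortiOS 6.2 CLI (the release the CIFS footnote references), where `scan-mode` lives in the antivirus profile and `inspection-mode` on the firewall policy, and later releases renamed some of these options.

```fortios
# Added illustration; names "av-full", "av-quick", "proxy-opts" and policy IDs
# 10/11 are assumptions, not values from the page.

# Antivirus profiles for the scan modes compared above. On a flow-mode policy
# the profile selects Full (whole signature database, archive blocking,
# emulator, heuristics, EXE-as-virus) or Quick (pre-filter database only,
# none of those checks, replacement message only on the second attempt).
config antivirus profile
    edit "av-full"
        set scan-mode full
    next
    edit "av-quick"
        set scan-mode quick
    next
end

# Protocol options. With "oversize" set, HTTP files above the 10 MB limit are
# blocked instead of being passed unscanned (omit "oversize" to pass them).
# This is the block-or-pass setting that decides a file's fate in flow mode
# when no size (for example no Content-Length) is present in the exchange.
# "clientcomfort" trickles 1 byte every 10 seconds to the client while proxy
# mode holds the full payload for scanning, so the browser does not time out.
config firewall profile-protocol-options
    edit "proxy-opts"
        config http
            set ports 80
            set options clientcomfort oversize
            set comfort-interval 10
            set comfort-amount 1
            set oversize-limit 10
            set uncompressed-oversize-limit 10
            set uncompressed-nest-limit 12
        end
    next
end

config firewall policy
    # Proxy-mode policy: whole payload buffered and scanned before release,
    # giving the full feature set (content disarm, client comforting, MAPI).
    edit 10
        set name "lan-wan-proxy"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set utm-status enable
        set av-profile "av-full"
        set ssl-ssh-profile "certificate-inspection"
        set profile-protocol-options "proxy-opts"
        set nat enable
    next
    # Flow-mode twin (the default mode): packet-by-packet scanning, last
    # packet held for the verdict, reset sent to the receiver on a violation.
    # Quick mode trades the archive, emulator and heuristic checks for
    # throughput; change av-profile to "av-full" to keep them.
    edit 11
        set name "lan-wan-flow-quick"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode flow
        set utm-status enable
        set av-profile "av-quick"
        set ssl-ssh-profile "certificate-inspection"
        set profile-protocol-options "proxy-opts"
        set nat enable
    next
end
```

One thing worth checking after applying a layout like this: the feature comparison tables above show that a profile attached to a flow-mode policy silently loses the features marked "No" for that mode, so a flow policy referencing a profile with content disarm or client comforting settings will accept the configuration but not apply them. Confirm the per-release option names against the CLI reference for the firmware actually deployed, since `scan-mode` and the `oversize` option were reworked after 6.2.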