What's the difference between flow-based and proxy-based inspection modes in Fortigate firewalls?
A brief walk-through of the different inspection modes for Fortigate.
Fortigate firewalls have a couple different techniques for analyzing raw network data: Flow-based inspection mode and proxy-based inspection mode. Depending on what features and functionality the firewall needs to perform, one approach might have more benefits than another. For a full feature-by-feature breakdown, check out the docs here. In the meantime though, here's the short version...
Flow-based inspection mode (default)
Flow-based inspection mode is usually default and that's because it has a lot of speed advantages. In this mode, the firewall will examine individual pieces of data while they are traversing the wire. As long as the firewall doesn't see anything malicious with a given packet, it lets those (seemingly) clean chunks of data continue on to the intended destination. At any point, if the firewall identifies a threat, it will halt the session and prevent the rest of the data from going through.
- Pros:
- From a user perspective, this type of analysis seems faster. That's because the client software (e.g. web browser, etc) doesn't have to wait for the firewall to receive the full payload before some the pending data trickles through.
- Cons:
- This inspection mode potentially consumes more resources because data is transmitted at the same time as parallel inspection.
- There are certain protocol use cases and workflows that this mode doesn't support (see below).
Proxy Inspection Mode
In contrast, Proxy inspection mode is much more traditional. It holds (buffers) the whole file and then performs the scanning/analysis once it has all of the data. If a malicious file is found, no malicious packets ever leave the firewall.
- Pros:
- This type of inspection is potentially resource efficient because the firewall doesn't have to do as much activity in parallel.
- This technique has broader protocol support. For example, proxy inspection mode supports MAPI and SSH protocol inspection. See the full comparison matrix here for details.
- Because the firewall can get all of the data before sending any of it on, it can theoretically help with sanitizing data ("content disarm and reconstruction")
- Similar to above, because the firewall can get all of the data before sending any of it on, it can also use other features like FortiNDR to inspect files.
- Cons:
- From a user perspective, it seems to take longer to get data.
- Depending on the client application and miscellaneous firewall settings, client apps could timeout.
Which inspection mode is the best choice?
So naturally all of this begs the question: "which one should an admin use?"
It ultimately comes down to priorities:
- If security is the top priority, proxy inspection mode could be a better fit. It offers more functionality and is required for some features.
- If performance is a top priority, flow-based inspection mode might be a better fit. It still offers some decent inspection benefits but not ALL of the bells and whistles. Keep in mind though that the performance gains can vary depending on what other features and workflows are in play.
For more information, check out the following articles and resources:
