Individual Security Profile considerations
In flow mode, AntiVirus and Web Filter profiles only include flow-mode features. Web filtering and virus scanning are still done with the same engines and to the same accuracy, but some inspection options are limited or not available in flow mode. Application control, intrusion protection, and FortiClient profiles are not affected when switching between flow and proxy mode.
Application control uses flow-based inspection; if you apply an additional security profile to your traffic that is proxy-based, the connection will simply timeout rather than display the warning, or replacement, message. However, Application Control will still function.
|CASI does not work when using Proxy-based profiles for AV or Web filtering. Make sure to only use flow-based profiles in combination with CASI on a specific policy.|
Even though VoIP profiles are not available from the GUI in flow mode, the FortiGate can process VoIP traffic. In this case the appropriate session helper is used (for example, the SIP session helper).
Setting flow or proxy mode doesn't change the settings available from the CLI. However, when in flow mode you can't save security profiles that are set to proxy mode.
You can also add proxy-only security profiles to firewall policies from the CLI. So, for example, you can add a VoIP profile to a security policy that accepts VoIP traffic. This practice isn't recommended because the setting will not be visible from the GUI.
If you set flow-based to use external servers for FortiWeb and FortiMail you must use the CLI to set a Web Application Firewall profile or Anti-Spam profile to external mode and add the Web Application Firewall profile or AntiSpam profile to a firewall policy.
Proxy mode and flow mode antivirus and web filter profile options
The following tables list the antivirus and web filter profile options available in proxy and flow modes.
Antivirus features in proxy and flow mode
|Scan Mode (Quick or Full)||no||yes|
|Detect viruses (Block or Monitor)||yes||yes|
|Inspected protocols||yes||no (all relevant protocols are inspected)|
|Inspection Options||yes||yes (not available for quick scan mode)|
|Treat Windows Executables in Email Attachments as Viruses||yes||yes|
|Send Files to FortiSandbox Appliance for Inspection||yes||yes|
|Use FortiSandbox Database||yes||yes|
|Include Mobile Malware Protection||yes||yes|
Web Filter features in proxy and flow mode
|FortiGuard category based filter||yes||yes (show, allow, monitor, block)|
|Category Usage Quota||yes||no|
|Allow users to override blocked categories (on some models)||yes||no|
|Enforce 'Safe Search' on Google, Yahoo!, Bing, Yandex||yes||no|
|Restrict YouTube Access||yes||no|
|Log all search keywords||yes||no|
|Static URL Filter||yes||yes|
|Block invalid URLs||yes||no|
|Block malicious URLs discovered by FortiSandbox||yes||yes|
|Web Content Filter||yes||yes|
|Allow websites when a rating error occurs||yes||yes|
|Rate URLs by domain and IP Address||yes||yes|
|Block HTTP redirects by rating||yes||no|
|Rate images by URL||yes||no|
|Restrict Google account usage to specific domains||yes||no|
|Provide details for blocked HTTP 4xx and 5xx errors||yes||no|
|HTTP POST Action||yes||no|
|Remove Java Applets||yes||no|
|Filter Per-User Black/White List||yes||no|