With flow inspection (also called flow-based inspection), the FortiGate unit samples multiple packets in a session and multiple sessions, and uses a pattern matching engine to determine the kind of activity that the session is performing and to identify possible attacks or viruses. For example, if application control is operating, flow inspection can sample network traffic and identify the application that is generating the activity. Flow inspection using IPS samples network traffic and determines if the traffic constitutes an attack. Flow inspection can also be used for antivirus protection, web filtering, and data leak protection (DLP). Flow inspection occurs as the data is passing from its source to its destination. Flow inspection identifies and blocks security threats in real time as they are identified.

Flow inspection typically requires less processing than proxy inspection, and therefore flow antivirus, web filtering, and DLP inspection performance can be better than proxy inspection performance. However, some threats can only be detected when a complete copy of the payload (for example a complete email attachment) is obtained so, proxy inspection tends to be more accurate and complete than flow inspection.