Inspection Modes

This topic briefly discusses proxy and flow-based inspection modes. For more information on flow vs. proxy inspection modes on your FortiGate and how they impact web filtering, see Individual Security Profile considerations in the Inspection Modes section.


Proxy-based inspection involves buffering traffic and examining it as a whole before determining an action. The process of having the whole of the data to analyze allows for the examination of more points of data than the flow-based or DNS methods.

The advantage of a proxy-based method is that the inspection can be more thorough than the other methods, yielding fewer false positive or negative results in the data analysis.


The flow-based inspection method examines the file as it passes through the FortiGate unit without any buffering. As each packet of the traffic arrives it is processed and forwarded without waiting for the complete file or web page.

The advantage of the flow-based method is that the user sees a faster response time for HTTP requests and there is less chance of a time-out error due to the server at the other end responding slowly.

The disadvantages of this method are: (1) there is a higher probability of a false positive or negative in the analysis of the data; and, (2) a number of security features that can be used in the proxy-based method are not available in the flow-based inspection method. There are also fewer actions available based on the categorization of the website by FortiGuard services.

note icon See What's New in FortiOS 5.4 and Individual Security Profile Considerations in the Inspection Modes section for more details on flow vs. proxy inspection modes on your FortiGate.