Changing the FortiGate's inspection mode to flow or proxy

You can select Flow or Proxy Inspection Mode from the System Information dashboard widget to control your FortiGate's security profile inspection mode. Having control over flow and proxy mode is helpful if you want to be sure that only flow inspection mode is used (and that proxy inspection mode is not used).

Switching to Flow Inspection Mode also turns off WAN Optimization, Web Caching, the Explicit Web Proxy, and the Explicit FTP Proxy making sure that no proxying can occur.

In most cases proxy mode is preferred because more security profile features are available and more configuration options for these individual features are available. Some implementations; however, may require all security profile scanning to only use flow mode. In this case, you can set your FortiGate to flow mode knowing that proxy mode inspection will not be used.

If you select flow-based to use external servers for FortiWeb and FortiMail you must use the CLI to set a Web Application Firewall profile or Anti-Spam profile to external mode and add the Web Application Firewall profile or Anti-Spam profile to a firewall policy.

Changing between proxy and flow mode

Proxy mode is enabled by default and you change to flow mode by changing the Inspection Mode on the System Information dashboard widget.

When you select Flow-based you are reminded that all proxy mode profiles are converted to flow mode, removing any proxy settings. As well proxy-mode only features (for example, Web Application Profile) are removed from the GUI.

In addition, selecting Flow-based inspection will cause the Explicit Web Proxy and Explicit FTP Proxy features to be removed from the GUI and the CLI. This includes Explicit Proxy firewall policies.

When you select Flow-based you can only configure Virtual Servers (under Policy & Objects > Virtual Servers) with Type set to HTTP, TCP, UDP, or IP.

If required, you can change back to proxy mode through the System Information dashboard widget.

If your FortiGate has multiple VDOMs, you can set the inspection mode independently for each VDOM. Use the top left dropdown menu to go to Global > System > VDOM. Click Edit for the VDOM you wish to change and select the Inspection Mode.

Security profile features mapped to inspection mode

The table below lists FortiOS security profile features and shows whether they are available in flow-based or proxy-based inspection modes.

note icon The DNS Filter security profile feature is only available for proxy-based inspection in FortiOS versions 5.4.0 and 5.4.1. It is available for both proxy-based and flow-based inspection in FortiOS versions 5.4.2 and above.


Security Profile Feature Flow-based inspection Proxy-based inspection
AntiVirus x


Web Filter x x
DNS Filter x x
Application Control x x
Cloud Access Security Inspection x x
Intrusion Protection x x
Anti-Spam   x
Data Leak Protection   x
VoIP   x
ICAP   x
Web Application Firewall   x
FortiClient Profiles x x
Proxy Options   x
SSL/SSH Inspection x x
Web Rating Overrides x x
Web Profile Overrides   x

From the GUI, you can only configure antivirus and web filter security profiles in proxy mode. From the CLI you can configure flow-based antivirus profiles, web filter profiles and DLP profiles and they will appear on the GUI and include their inspection mode setting. Also, flow-based profiles created when in flow mode are still available when you switch to proxy mode.

In flow mode, antivirus and web filter profiles only include flow-mode features. Web filtering and virus scanning is still done with the same engines and to the same accuracy, but some inspection options are limited or not available in flow mode. Application control, intrusion protection, and FortiClient profiles are not affected when switching between flow and proxy mode.

note icon CASI does not work when using proxy-based profiles for AV or Web filtering. Make sure to only use flow-based profiles in combination with CASI on a specific policy.

Even though VoIP profiles are not available from the GUI in flow mode, the FortiGate can process VoIP traffic. In this case the appropriate session helper is used (for example, the SIP session helper).

Setting flow or proxy mode doesn't change the settings available from the CLI. However, when in flow mode you can't save security profiles that are set to proxy mode.

You can also add proxy-only security profiles to firewall policies from the CLI. So, for example, you can add a VoIP profile to a security policy that accepts VoIP traffic. This practice isn't recommended because the setting will not be visible from the GUI.

Proxy mode and flow mode antivirus and web filter profile options

The following tables list the antivirus and web filter profile options available in proxy and flow modes.

Antivirus features in proxy and flow mode

Feature Proxy Flow
Scan Mode (Quick or Full) no yes
Detect viruses (Block or Monitor) yes yes
Inspected protocols yes no (all relevant protocols are inspected)
Inspection Options yes yes (not available for quick scan mode)
Treat Windows Executables in Email Attachments as Viruses yes yes
Send Files to FortiSandbox Appliance for Inspection yes yes
Use FortiSandbox Database yes yes
Include Mobile Malware Protection yes yes

Web Filter features in proxy and flow mode

  Feature Proxy Flow
FortiGuard category based filter yes yes (show, allow, monitor, block)
Category Usage Quota yes no
Allow users to override blocked categories (on some models) yes no
Search Engines
yes no
  Enforce 'Safe Search' on Google, Yahoo!, Bing, Yandex yes no
Restrict YouTube Access yes no
Log all search keywords yes no
Static URL Filter yes yes
  Block invalid URLs yes no
URL Filter yes yes
Block malicious URLs discovered by FortiSandbox yes yes
Web Content Filter yes yes
Rating Options yes yes
  Allow websites when a rating error occurs yes yes
Rate URLs by domain and IP Address yes yes
Block HTTP redirects by rating yes no
Rate images by URL yes no
Proxy Options yes no
  Restrict Google account usage to specific domains yes no
Provide details for blocked HTTP 4xx and 5xx errors yes no
HTTP POST Action yes no
Remove Java Applets yes no
Remove ActiveX yes no
Remove Cookies yes no
Filter Per-User Black/White List yes no