Inspecting traffic content using flow-based inspection

Facebooktwittergoogle_plusredditpinterestlinkedinFacebooktwittergoogle_plusredditpinterestlinkedin

In this recipe, you will set your FortiGate’s inspection mode to use flow-based scanning. You will then apply flow-based antivirus scanning to network traffic.

FortiGates can inspect traffic in proxy mode or flow mode. Proxy mode, the default, uses a proxy to look for threats.  Proxy mode is usually preferred because, compared to flow mode, it offers more control and an improved user experience. In addition, some security profiles are only available in proxy mode, such as DNS filter, AntiSpam, DLP, and VoIP.

In some cases, however, you may want to use flow mode. For example, some traffic may not be compatible with proxy mode or you may want to avoid using proxy mode for performance reasons.

1. Changing from proxy to flow mode

Go to Dashboard and locate the System Information widget. If the Inspection Mode is set to the proxy (the default), click on [Change] and select Flow-based.
The System Information widget shows that flow-based inspection is set.
 

2. Configuring the AntiVirus profile

Go to Security Profiles > AntiVirus. By default, the GUI only shows flow-based inspection options.

When configuring flow-based virus scanning FortiOS 5.4 allows you to now choose between Quick and Full mode.

Full mode is the same as flow-based scanning in FortiOS 5.2. Quick mode uses a compact antivirus database and advanced techniques to improve performance.

 3. Enabling AntiVirus in a policy

Go to Policy & Objects > IPv4 Policy and edit the policy for outgoing traffic. Under Security Profiles, enable the AntiVirus profile.

4. Results

To test the AV scanning, go to www.eicar.org and attempt to download a test file. The browser will display a message denying permission to download the file.

 

For further reading, check out Changing the FortiGate’s inspection mode to flow or proxy  and AntiVirus sections in the FortiOS 5.4 Handbook.

Judith Haney

Judith Haney

Technical Writer at Fortinet
Judith Haney is a Technical Writer on the FortiOS technical documentation team. She graduated with honours from Algonquin College's Technical Writer program in September 2014. In a previous lifetime, Judith earned degrees in Mathematics (B.S.) and French literature (M.A.).
Judith Haney

Latest posts by Judith Haney (see all)

  • Was this helpful?
  • Yes   No
Flow mode uses in-line IPS inspection instead of proxying.
If you are working with VDOMs enabled, go to System > VDOM and click Edit for the VDOM you want to change and select the Inspection Mode you would like to use.
Files can only be sent to FortiSandbox for inspection while in Full scan mode Flow-based virus scanning.