FortiGate SSL Inspection vs Proxy/Flow-Based (NSE4)
Hey guys,
The difference between proxy/flow-based and the SSL inspection profile is confusing me a lot, even after a discussion with Claude and OpenAI.
SSL Inspection Profile = tells FortiGate how to handle TLS/SSL encryption.
- Certificate inspection = FortiGate only reads the certificate and packet header. Checks: is the certificate legitimate? Is it revoked? Who issued it? Does the domain match? No decryption of actual traffic content.
- Full SSL inspection = FortiGate acts as a man-in-the-middle. Decrypts traffic, inspects content, re-encrypts, forwards. Creates 2 TLS sessions (client↔FortiGate and FortiGate↔server) so it can see inside the encrypted tunnel.
Proxy/Flow = tells FortiGate how to handle the traffic buffer AFTER and DURING decryption.
- Flow-based = FortiGate forwards packets to the client while simultaneously copying them to the antivirus engine (for all UTM?). The last packet is held until the scan completes. If a virus is found → connection reset, file arrives truncated/incomplete at the client.
- Proxy-based = FortiGate creates 2 TCP sessions and buffers the entire payload before sending anything to the client. Once fully buffered and scanned → either forwards clean content or sends a block replacement message. Client never receives a partial file. True?
All UTM profiles are always full inspection mode. (except for 2)
I don't know why it's still not clear for me.
I think I'm confusing proxy-based and full SSL inspection.
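To make the flow-based vs proxy-based distinction concrete, here is a small Python model of the two delivery behaviours exactly as the post describes them (stream packets and hold the last one, versus buffer everything and then forward or block). This is an added example, not Fortinet code and not a description of the real FortiGate engine: the scanner, the malware marker, the packet size and the replacement page are all constructed stand-ins, and the only thing it demonstrates is what the client ends up holding in each mode.

```python
"""Toy model of flow-based vs proxy-based antivirus delivery.

Added example (not Fortinet code). It mirrors only the post's description:
flow mode forwards packets as they arrive and withholds the last one until the
scan verdict; proxy mode buffers the whole object first. Everything below
(signature, packet size, block page) is a constructed stand-in.
"""

# Constructed detection signature: any payload containing it counts as malicious.
MALWARE_MARKER = b"<<CONSTRUCTED-MALWARE-MARKER>>"

# Constructed replacement message a proxy-based profile hands the client
# instead of the blocked content.
BLOCK_REPLACEMENT = b"<html>Blocked by antivirus profile (constructed page)</html>"


def scan(data: bytes) -> bool:
    """Stand-in for the AV engine: True when the constructed marker is present."""
    return MALWARE_MARKER in data


def split_into_packets(payload: bytes, size: int) -> list[bytes]:
    """Chop a payload into fixed-size chunks standing in for TCP segments."""
    return [payload[i:i + size] for i in range(0, len(payload), size)]


def flow_based_deliver(payload: bytes, packet_size: int = 8) -> tuple[bytes, str]:
    """Flow mode: every packet except the last is forwarded to the client
    immediately while a copy accumulates in the scanner. The last packet is
    held until the verdict; on detection the session is reset, so the client
    is left with a truncated object.

    Returns (bytes the client received, "clean" | "reset").
    """
    packets = split_into_packets(payload, packet_size)
    client_received = b""
    scanner_copy = b""
    for index, packet in enumerate(packets):
        scanner_copy += packet              # copy handed to the AV engine
        is_last = index == len(packets) - 1
        if not is_last:
            client_received += packet       # forwarded without waiting
            continue
        # Last packet: withhold it until the scan of the whole object completes.
        if scan(scanner_copy):
            return client_received, "reset"  # truncated file at the client
        client_received += packet
    return client_received, "clean"


def proxy_based_deliver(payload: bytes, packet_size: int = 8) -> tuple[bytes, str]:
    """Proxy mode: buffer the whole object, scan it, then send either the
    complete clean content or the replacement message. The client never
    receives a partial file.

    Returns (bytes the client received, "clean" | "blocked").
    """
    buffered = b"".join(split_into_packets(payload, packet_size))
    if scan(buffered):
        return BLOCK_REPLACEMENT, "blocked"
    return buffered, "clean"


if __name__ == "__main__":
    # Constructed sample objects: one clean, one carrying the marker.
    clean_file = b"0123456789ABCDEFGHIJ"
    infected_file = b"header:" + MALWARE_MARKER + b"tail"
    for name, obj in (("clean", clean_file), ("infected", infected_file)):
        data, status = flow_based_deliver(obj)
        print(f"flow  {name:8} -> {status:7} client got {len(data)}/{len(obj)} bytes")
        data, status = proxy_based_deliver(obj)
        print(f"proxy {name:8} -> {status:7} client got {len(data)} bytes")
```

Running it shows the asymmetry the post is asking about: for the infected object, flow mode hands the client all but the final packet before resetting (a truncated file), while proxy mode delivers nothing of the original and sends the replacement page instead. For the clean object both modes deliver the full content; the difference is only in when the client starts receiving it.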