Description
This article explains why, after upgrading to firmware 6.4.0, a firewall policy shows a warning sign with the message 'The flow-mode policy is using proxy-mode feature set. Proxy feature will not work in flow policy'.
Solution
A feature set option is introduced in firmware version 6.4.0 as part of the security profile enhancements, and it is present in a few security profiles.
Feature set option
To more clearly show the features specific to proxy-based mode, use the feature set option to select Flow-based or Proxy-based.
When Flow-based or Proxy-based is selected, only the features for that mode are available.
The following pages have the Feature set option:
1) Security Profiles -> AntiVirus.
2) Security Profiles -> Web Filter.
3) Security Profiles -> Email Filter.
4) Security Profiles -> Data Leak (CLI only).
5) Policy & Objects -> Protocol Options.
Example of the Feature set option in Security Profiles -> AntiVirus.

If Proxy-based is selected, a red P icon indicates the proxy-only features.

When firewall policies are configured:
1) If the inspection mode is flow-based, dropdown menus only display profiles with flow-based feature sets.
2) If the inspection mode is proxy-based, dropdown menus display profiles with flow-based or proxy-based feature sets.
If a flow-based inspection policy has a proxy-based profile assigned, a warning icon and tooltip inform that proxy features do not work in a flow-based policy.
This warning also appears when the CLI is used to assign security profiles.

Upgrade support.
Upgrading from 6.2.x to 6.4.0 causes the following changes to security profiles.

Configure security profiles from CLI.
To configure the anti virus security profile from CLI:
(vdom1)# config antivirus profile
(profile) edit new-av-profile
(new-av-profile) set ?
comment <----- Comment.
replacemsg-group <----- Replacement message group customized for this profile.
feature-set <----- Flow/proxy feature set.
mobile-malware-db <----- Enable/disable using the mobile malware signature database.
av-virus-log <----- Enable/disable AntiVirus logging.
av-block-log <----- Enable/disable logging for AntiVirus file blocking.
extended-log <----- Enable/disable extended logging for antivirus.
(new-av-profile) set feature-set ?
flow <----- Flow feature set.
proxy <----- Proxy feature set.
(new-av-profile) set feature-set proxy
(new-av-profile) # show
# config antivirus profile
edit "new-av-profile"
set feature-set proxy
next
end
To configure the Web Filter security profile from CLI:
(vdom1)# config webfilter profile
(profile) edit new-wf-profile
(new-wf-profile) set ?
comment <----- Optional comments.
feature-set <----- Flow/proxy feature set.
replacemsg-group <----- Replacement message group.
options <----- Options.
...
(new-wf-profile) set feature-set ?
flow <----- Flow feature set.
proxy <----- Proxy feature set.
(new-wf-profile) set feature-set proxy
(new-wf-profile) # show
# config webfilter profile
edit "new-wf-profile"
set feature-set proxy
# config ftgd-wf
unset options
# config filters
...
end
end
next
end
To configure the Email Filter security profile from CLI:
(vdom1) # config emailfilter profile
(profile) edit new-ef-profile
(new-ef-profile) set ?
comment <----- Comment.
feature-set <----- Flow/proxy feature set.
replacemsg-group <----- Replacement message group.
spam-log <----- Enable/disable spam logging for email filtering.
spam-log-fortiguard-response <----- Enable/disable logging FortiGuard spam response.
spam-filtering <----- Enable/disable spam filtering.
external <----- Enable/disable external Email inspection.
options <----- Options.
spam-bword-threshold <----- Spam banned word threshold.
spam-bword-table <----- Anti-spam banned word table ID.
spam-bwl-table <----- Anti-spam black/white list table ID.
spam-mheader-table <----- Anti-spam MIME header table ID.
spam-rbl-table <----- Anti-spam DNSBL table ID.
spam-iptrust-table <----- Anti-spam IP trust table ID.
(new-ef-profile) set feature-set ?
flow <----- Flow feature set.
proxy <----- Proxy feature set.
(new-ef-profile) set feature-set proxy
(new-ef-profile) # show
# config emailfilter profile
edit "new-ef-profile"
set feature-set proxy
next
end
To configure the DLP security profile from CLI:
FGT_NAT (vdom1) # config dlp sensor
FGT_NAT (sensor) edit new-dlp-profile
FGT_NAT (new-dlp-profile) set ?
comment <----- Comment.
feature-set <----- Flow/proxy feature set.
replacemsg-group <----- Replacement message group used by this DLP sensor.
dlp-log <----- Enable/disable DLP logging.
extended-log <----- Enable/disable extended logging for data leak prevention.
nac-quar-log <----- Enable/disable NAC quarantine logging.
full-archive-proto <----- Protocols to always content archive.
summary-proto <----- Protocols to always log summary.
(new-dlp-profile) set feature-set ?
flow <----- Flow feature set.
proxy <----- Proxy feature set.
(new-dlp-profile) set feature-set proxy
(new-dlp-profile) # show
# config dlp sensor
edit "new-dlp-profile"
set feature-set proxy
next
end
To configure Protocol Options in Policy & Objects from CLI:
(vdom1) # config firewall profile-protocol-options
(profile-protocol~ons) edit new-protocol-options
FGT_NAT (new-protocol-options) set ?
comment <----- Optional comments.
feature-set <----- Flow/proxy feature set.
replacemsg-group <----- Name of the replacement message group to be used.
oversize-log <----- Enable/disable logging for antivirus oversize file blocking.
switching-protocols-log <----- Enable/disable logging for HTTP/HTTPS switching protocols.
rpc-over-http <----- Enable/disable inspection of RPC over HTTP.
(new-protocol-options) set feature-set ?
flow <----- Flow feature set.
proxy <----- Proxy feature set.
(new-protocol-options) set feature-set proxy
FGT_NAT (new-protocol-options) # show
# config firewall profile-protocol-options
edit "new-protocol-options"
set feature-set proxy
# config http
set ports 80
unset options
unset post-lang
end
# config ftp
set ports 21
set options splice
end
# config imap
set ports 143
set options fragmail
end
...
next
end
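The policy-assignment rule described earlier (a proxy feature-set profile attached to a flow-based policy triggers the warning) and the CLI output in this section can be combined into an offline check. The following Python script is an added example, not Fortinet code and not part of this article: it parses a constructed configuration dump written in the config/edit/set/next/end syntax shown above and reports every flow-mode policy that references a profile with set feature-set proxy. The firewall policy attribute names (inspection-mode, av-profile, webfilter-profile, emailfilter-profile, dlp-sensor, profile-protocol-options) and the assumption that a policy without an explicit inspection-mode is flow-based are taken from FortiOS CLI syntax and are not shown on this page.

```python
"""Offline audit for the 6.4.0 feature-set mismatch: a flow-mode firewall policy
that references a profile whose feature-set is proxy. Added example, not Fortinet
code. The policy keys used below (inspection-mode, av-profile, ...) are assumed
from FortiOS CLI syntax and do not appear in the article itself."""
from collections import defaultdict

# Profile tables that carry the feature-set option (listed in the article) and
# the firewall policy attribute that references each one (assumed key names).
PROFILE_TABLES = {
    "antivirus profile": "av-profile",
    "webfilter profile": "webfilter-profile",
    "emailfilter profile": "emailfilter-profile",
    "dlp sensor": "dlp-sensor",
    "firewall profile-protocol-options": "profile-protocol-options",
}

# Constructed sample dump: two proxy profiles, one flow profile, three policies.
SAMPLE_CONFIG = """\
config antivirus profile
    edit "new-av-profile"
        set feature-set proxy
    next
    edit "flow-av"
        set feature-set flow
    next
end
config webfilter profile
    edit "new-wf-profile"
        set feature-set proxy
    next
end
config firewall policy
    edit 1
        set name "lan-to-wan"
        set inspection-mode flow
        set av-profile "new-av-profile"
        set webfilter-profile "new-wf-profile"
    next
    edit 2
        set name "proxy-policy"
        set inspection-mode proxy
        set av-profile "new-av-profile"
    next
    edit 3
        set name "default-mode"
        set av-profile "flow-av"
    next
end
"""


def parse_config(text):
    """Parse config/edit/set/next/end text into {table: {entry: {key: value}}}.

    Only top-level tables are recorded; sub-tables nested inside an entry
    (such as 'config http' under profile-protocol-options) are skipped by
    tracking the nesting depth."""
    tables = defaultdict(dict)
    stack = []      # enclosing 'config' table names
    entry = None    # (table, entry_name) currently being edited
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])
        elif line.startswith("edit ") and len(stack) == 1:
            name = line[len("edit "):].strip('"')
            entry = (stack[0], name)
            tables[stack[0]][name] = {}
        elif line.startswith("set ") and entry and len(stack) == 1:
            key, _, value = line[len("set "):].partition(" ")
            tables[entry[0]][entry[1]][key] = value.strip('"')
        elif line == "next" and len(stack) == 1:
            entry = None
        elif line == "end" and stack:
            stack.pop()
    return tables


def find_mismatches(tables):
    """Return (policy_id, attribute, profile_name) for every flow-mode policy
    attribute that points at a proxy feature-set profile, i.e. the condition
    behind the 6.4.0 warning described in the article."""
    findings = []
    for pid, policy in tables.get("firewall policy", {}).items():
        # Assumption: a policy with no inspection-mode attribute is flow-based.
        if policy.get("inspection-mode", "flow") != "flow":
            continue
        for table, attr in PROFILE_TABLES.items():
            pname = policy.get(attr)
            if not pname:
                continue
            profile = tables.get(table, {}).get(pname, {})
            if profile.get("feature-set") == "proxy":
                findings.append((pid, attr, pname))
    return findings


if __name__ == "__main__":
    for pid, attr, pname in find_mismatches(parse_config(SAMPLE_CONFIG)):
        print(f"policy {pid}: {attr} '{pname}' is proxy feature-set in a flow-mode policy")
```

Run against a real `show full-configuration` export by replacing SAMPLE_CONFIG with the file contents; each finding corresponds to a policy that carries the GUI warning, where the proxy-only features of that profile are silently not applied.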