An administrator builds a firewall policy that references a web filter profile set to proxy-based inspection, while the policy itself has its inspection mode left at flow-based. When traffic matches the policy, how does FortiGate handle the web filter profile's proxy-based inspection?
- A. FortiGate applies the web filter profile using proxy-based inspection regardless of the policy inspection mode, because the profile setting takes precedence.
- B. FortiGate blocks all traffic on the policy until the inspection modes of the policy and the profile are made to match.
- C. FortiGate raises a configuration error and refuses to save the policy until the profile is changed to flow-based.
- D. FortiGate silently converts the profile to flow-based inspection and applies the web filter using flow-based logic for that policy. (Correct)
Why A is wrong: This is tempting because it assumes the profile's own inspection mode wins, but the policy inspection mode governs how security profiles run, so a flow-based policy cannot execute a proxy-based profile as proxy.
Why B is wrong: This sounds cautious and secure, but FortiGate does not fail closed on a mode mismatch; it reconciles the profile to the policy mode rather than dropping traffic.
Why C is wrong: This is plausible because some mismatches are blocked at save time, but a web filter profile can be referenced by either policy mode, so the configuration commits without error.
Why D is correct: When the policy is in flow mode, FortiGate runs the web filter profile in flow-based mode, so any proxy-only behaviour in the profile is applied using the flow-based equivalent.