caunon
Staff
March 23, 2025

Troubleshooting Tip: The av-mem-limit feature does not work properly when setting 'set av-failopen pass' in FortiGate

Description

This article describes how to handle the situation where the av-mem-limit feature does not work properly when 'set av-failopen pass' is configured on FortiGate v7.4.4.

Scope

FortiGate v7.4.4.

Solution
  1. On the FortiGate unit, configure the av-mem-limit feature:

config ips global
    set av-mem-limit xx
end

where xx is an integer value from 10 to 50.


  2. Configure av-failopen with the 'pass' option as follows:

config system global
    set av-failopen pass
end

Option 'pass': new sessions bypass AV scanning. AV scanning resumes when the FortiGate exits conserve mode.


  3. With this combination, the av-mem-limit feature does not work: the limit configured in step 1 has no effect while 'set av-failopen pass' is in place.

To fix:

 

  1. Workaround (temporary fix):

Configure av-failopen to be 'off' or 'one-shot'.

config system global
    set av-failopen <off or one-shot>
end

The 'off' option: new sessions are dropped, but currently active sessions continue to be processed.
The 'one-shot' option: the antivirus system is bypassed when memory is low.

 

  2. Permanent fix:

Upgrade the FortiGate firmware to v7.4.6, v7.6.1, or later.
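As an added audit example (not part of this article and not Fortinet's own tooling): a Python script that scans a `show full-configuration` text dump for the combination described above (av-mem-limit configured together with av-failopen pass) and, when a config-version header is present, reports whether the firmware is below the fix versions named in the permanent fix. The sample config, the helper names and the assumption that the `#config-version=` header carries the firmware version as MODEL-x.y.z-... are constructed for this example.

```python
import re
# Constructed sample of the relevant sections of a `show full-configuration` dump.
SAMPLE_CONFIG = """\
#config-version=FGT60F-7.4.4-FW-build2662-240514:opmode=0:vdom=0
config system global
    set hostname "fw-edge-1"
    set av-failopen pass
end
config ips global
    set av-mem-limit 30
end
"""

# Fix versions stated in the article, keyed by release branch (assumption: every
# earlier build on these two branches is treated as affected).
FIXED_IN = {(7, 4): (7, 4, 6), (7, 6): (7, 6, 1)}

def parse_setting(config, section, key):
    """Value of `set <key>` inside `config <section> ... end`, or None.
    Stops at the first column-0 `end`, so indented sub-blocks are skipped over."""
    block = re.search(rf"^config {re.escape(section)}\n(.*?)^end", config, re.S | re.M)
    if not block:
        return None
    m = re.search(rf"^\s*set {re.escape(key)} (\S+)", block.group(1), re.M)
    return m.group(1) if m else None

def parse_version(config):
    """(major, minor, patch) from the #config-version header, or None."""
    m = re.search(r"^#config-version=\S+?-(\d+)\.(\d+)\.(\d+)-", config, re.M)
    return tuple(int(x) for x in m.groups()) if m else None

def below_fix(version):
    """True when the branch has a listed fix version and `version` is older."""
    fix = FIXED_IN.get(version[:2]) if version else None
    return fix is not None and version < fix

def audit(config):
    """Findings for the av-mem-limit / av-failopen pass combination (empty = clean)."""
    findings = []
    mem_limit = parse_setting(config, "ips global", "av-mem-limit")
    if mem_limit is not None and parse_setting(config, "system global", "av-failopen") == "pass":
        findings.append(f"av-mem-limit {mem_limit} has no effect with av-failopen pass; "
                        "set av-failopen off or one-shot")
        version = parse_version(config)
        if below_fix(version):  # only meaningful when the header was parsed
            findings.append("firmware %d.%d.%d is below the fix version; upgrade to "
                            "v7.4.6 / v7.6.1 or later" % version)
    return findings
```

Run `audit()` over the output of `show full-configuration` saved from each unit; two findings on the sample above, none once av-failopen is switched to off or one-shot.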