hexe
New Member
September 8, 2014
Solved

Flow Mode versus Proxy Mode

  • September 8, 2014
  • 12 replies
  • 57358 views
When Anti-malware is deployed in Flow Mode (versus Proxy Mode), what happens to the detection rate?
  • It dramatically decreases
  • It decreases slightly
  • It stays the same
  • It increases
    Best answer by AndreaSoliva

    Hi all

    It is for sure a document which does not give all answers, but some will be answered.

    My favourite mode is still proxy mode, which means as long as I do not have any performance issue I would use proxy mode. If you have problems with performance I would change to flow.

    Search in Google for the following file:

    Fortios-scanning-of-archive-compressed-files

    You will find a Fortinet document Fortios-scanning-of-archive-compressed-files.pdf. As mentioned, it gives some answers to some of the stuff discussed here.

    have fun....

    Andrea

    12 replies

    hklb
    Visitor III
    September 8, 2014
    Hello,
    flow-based: faster, but less secure
    proxy: slower, but more secure (as the name suggests, the flow is proxied; this way the client isn't directly connected to the server, and the FortiGate has the entire file to do the security scan).
    For best performance, use the same mode for all your scans (AS, IPS, AV, ...).
    Baptiste
    New Member
    September 8, 2014
    Hmm, this is a question for NSE1 quiz, not sure this is the good place for this post (and for your first post)....
    Baptiste
    New Member
    September 8, 2014
    And Hello, .... Thanks ... You're Welcome
    vanc
    New Member
    September 16, 2014
    With FOS 5.2.1, flow-based AV now uses the same AV engine for virus scanning. Security-wise, it's comparable with proxy. In general a flow-based solution is faster, but provides a smaller feature set than proxy.
    Holy
    New Member
    September 25, 2014
    Can someone explain how it should work for 5.2.0/1? Fortinet says you now have the speed of flow-based and the security of proxy-based. If that's functioning properly, then it is a huge performance boost, because as you know from the data sheet, there is (depending on model) a huge difference between proxy and flow-based AV throughput. I don't really get how they did it.
    Christopher_McMullan
    Staff
    September 25, 2014
    Haha, if we told you that...
    Adrian_Buckley_FTNT
    Staff
    September 25, 2014
    What makes proxy mode slow is not the act of AV scanning the file. It's the act of being a proxy and all that middle-man work: handshaking, buffering, making sure the TCP session for both sides is in the proper state ... I could go on. Flow-based AV in 5.0 used a separate AV engine linked to IPS, the idea being that the speed came from how IPS scanning itself works. 5.2 uses the proxy scan engine (HEY, memory resources are saved because there is no longer a totally separate AV database to download). It does this by buffering the file in memory (not on the wire) and sending it to the AV engine when it detects end of file. So speed-wise the only delay is holding onto that last packet. AV is clean, the last packet gets sent, memory is flushed. Unless the file is something messy like multiple nested archives or an unknown compression format, the act of scanning the file itself takes very little time.
    storaid
    New Member
    October 2, 2014
    Hi, I have a question.. now for v5.2.1, does the flow mode provide the same accuracy for security as proxy mode??
    Adrian_Buckley_FTNT
    Staff
    October 2, 2014
    That really depends on the nature of the inaccuracy in the first place. Flow mode still looks at the data as a stream. So if it can't properly identify the beginning and end of a file transfer, then the new format for the AV scanning won't make any difference. Improved accuracy will come from looking at a file as a whole, rather than in chunks. Proxy-based inspection doesn't suffer from that because it's in the middle doing the exchange with both sides, so it knows exactly where the beginning and end are.
    Nihas
    New Member
    October 9, 2014
    Hi, I have a question. How does the uncompressed file size impact an antivirus scan? I believe that in 5.2 both proxy and flow use file buffering to scan. By default the uncompressed size limit is 12MB; does that mean the FG will bypass all files which are larger than 12 MB? I am always getting the "File reached uncompressed size limit" warning. Q1. What is the optimal uncompressed size limit? Q2. How can we effectively scan all files which pass through the FG?
    ede_pfau
    SuperUser
    October 9, 2014
    Answers: yes, files are scanned up to the limit and bypassed or blocked if larger (if their size is not known in advance), or bypassed/blocked entirely if larger and their size is known. The rationale behind this: size matters for malware spreading. The smaller the file, the more attempted infections. Or less cost. A survey of viruses in the wild showed that there are negligible numbers of (known) specimens larger than 2-3 MB. Setting the limit higher will only waste resources. Compare the risk of encountering an oversize infected file to the risk of not recognizing a virus at all. Q1: 2-3 MB. Q2: you can't. There is a limit to every resource. I've heard of mail bombs the size of a CD. Most probably your (mail) provider will refuse to transfer really large files. You may of course use flow mode, which inherently is independent of file size. If you do that then please use the advanced flow mode in FOS 5.2.1 for higher detection rates. Still, if archives are encountered, flow mode has to revert to proxy mode in order to unpack the load (or sort of, FTN SEs would like to bash me for this). Clearly, just my 2 cents.
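    The two mechanisms described in this thread (Adrian's account of flow-mode AV buffering the file in memory and holding only the last packet until the verdict, and ede_pfau's account of the oversize limit being applied differently when the size is known in advance versus discovered mid-stream) can be simulated in a few lines. The following is an added illustration, not FortiGate code: the AV engine, verdict names, chunk sizes and the "pass"/"block" oversize actions are all constructed for the example, and no real FortiOS internals are modelled.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed stand-in for an AV engine: flags any buffer containing the marker.
MALWARE_MARKER = b"EICAR-TEST"

def toy_av_engine(data: bytes) -> bool:
    """Verdict on the whole buffered file (constructed check, not a real engine)."""
    return MALWARE_MARKER in data

@dataclass
class FlowScanner:
    oversize_limit: int                       # like the profile's uncompressed size limit
    oversize_action: str = "pass"             # "pass" or "block" for oversize files
    engine: Callable[[bytes], bool] = toy_av_engine

    def inspect(self, chunks: List[bytes], declared_size: Optional[int] = None) -> Tuple[str, bytes]:
        """Return (verdict, bytes_forwarded_to_client).

        Every chunk except the most recent one is forwarded immediately; a copy is
        buffered in memory and scanned once at end of file. The last chunk is only
        released after a clean verdict, so an infected file is cut short by one chunk.
        """
        if declared_size is not None and declared_size > self.oversize_limit:
            # Size known in advance (e.g. a length header): decide before buffering.
            if self.oversize_action == "block":
                return "oversize-blocked", b""
            return "oversize-passed", b"".join(chunks)
        buffer, forwarded, held = bytearray(), bytearray(), b""
        oversize = False
        for chunk in chunks:
            if oversize:
                forwarded += chunk            # scanning abandoned, stream flows through
                continue
            forwarded += held                 # release the previously held packet
            held, buffer = chunk, buffer + chunk
            if len(buffer) > self.oversize_limit:
                # Size unknown: scanned up to the limit, then bypassed or blocked.
                oversize = True
                if self.oversize_action == "block":
                    return "oversize-blocked", bytes(forwarded)
                forwarded += held
                held = b""
        if oversize:
            return "oversize-passed", bytes(forwarded)
        if self.engine(bytes(buffer)):
            return "infected-blocked", bytes(forwarded)   # last packet never sent
        return "clean", bytes(forwarded + held)
```

    Note what the infected case returns: everything except the final chunk had already been delivered to the client before the verdict, which is the trade-off behind the "only delay is holding onto that last packet" design.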
    Nihas
    New Member
    October 9, 2014
    Excellent .. Thanks!

    ede_pfau wrote:
    Still, if archives are encountered, flow mode has to revert to proxy mode in order to unpack the load

    Actually I am using a flow-based AV profile everywhere. And I am getting the uncompressed file reached message quite often.

    ede_pfau wrote:
    flow mode has to revert to proxy mode in order to unpack the load

    Does that mean the flow mode will not scan any archived files? And if we want to, do we have to use the proxy one? Am I understanding this correctly? Or were you saying that even if we use flow mode, it will automatically revert to proxy while scanning archived files? Thanks a lot! :)
    ede_pfau
    SuperUser
    October 9, 2014
    Now, I haven't been involved with development, but from what I've heard from SEs the file will be "buffered" in memory in flow mode. For me, that is quite the same as a proxy but faster. There is an end to RAM in any FortiGate, so the oversize limit still holds. Flow mode has been enhanced a lot in v5.2.1. Now even archives are scanned after unpacking in memory. Having this obstacle removed, I tend to prefer flow mode for performance reasons. If the FGT is running 5.2.1, that is.
    Jeff_Roback
    New Member
    November 17, 2014
    ede_pfau wrote:
    Flow mode has been enhanced a lot in v5.2.1. Now even archives are scanned after unpacking in memory. Having this obstacle removed I tend to prefer flow mode for performance reasons. If the FGT is running 5.2.1, that is.

    We deployed flow mode briefly in 5.2.0 but immediately found certain websites stopped working. No errors were given at the client browser or in the fortigate... the websites just wouldn't respond. Didn't do extensive troubleshooting... just switched back to proxy and all was fine again. Were there any known issues around this that were resolved in 5.2.1? If not I'm kinda hesitant to try it again.

    vanc
    New Member
    November 19, 2014
    Jeff Roback wrote:

    ede_pfau wrote:
    Flow mode has been enhanced a lot in v5.2.1. Now even archives are scanned after unpacking in memory. Having this obstacle removed I tend to prefer flow mode for performance reasons. If the FGT is running 5.2.1, that is.

    We deployed flow mode briefly in 5.2.0 but immediately found certain websites stopped working. No errors were given at the client browser or in the fortigate... the websites just wouldn't respond. Didn't do extensive troubleshooting... just switched back to proxy and all was fine again. Were there any known issues around this that were resolved in 5.2.1? If not I'm kinda hesitant to try it again.

    I can confirm there are a bunch of bugs in flow AV in 5.2.1, fixed in 5.2.2 which was released today. Bugs include a memory leak and a file descriptor leak which may lead to unresponsiveness.

    So far, I'm running 5.2.2 and it's working just fine.