fjulianom
Explorer II
January 7, 2022
Question

FortiGate Flow-based AV scanning mode

  • January 7, 2022
  • 3 replies
  • 6119 views

Hi guys,

I have been away from Fortinet for some time, and the last time I saw FortiGate was version 5.4 more or less. At the time, AV scanning had proxy-based mode and flow-based mode, and the latter in turn had full scan and quick scan, each one with its advantages and disadvantages. Now that I am back with FortiGate, I see there are proxy-based mode and flow-based mode, and the flow-based mode is just that; there are no full scan or quick scan submodes, and I think this is from FortiOS 6.2. Is that right? If there is only just flow-based mode, is it like the old full scan mode or like the old quick scan mode? Thanks in advance.


Regards,

Julián

3 replies

slautenschlager
Staff
January 7, 2022

Hi Julian,

This is still configurable on 6.2 and beyond:

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/100953/inspection-mode-differences-for-antivirus

Is this what you were looking for?

Cheers,


Steffen

fjulianom (Author)
Explorer II
January 7, 2022

Hi Steffen,

Yes, it seems it is still the same. But I don't find that document for FortiOS 7. The following snapshot is from a FortiGate v7.0.3 (FortiGate demo), and you can see that under Flow-based AV you can't choose between full scan or quick scan:

[Screenshot attached: fjulianom_0-1641560507746.png]


Regards,

Julián

slautenschlager
Staff
January 7, 2022

Dear Julian,

Understood. I checked a little bit and also don't find it documented when this was removed or what the default scanning mode is at the moment, so I would suggest raising a ticket with TAC in case you want to investigate this further.

Cheers, Steffen

fjulianom (Author)
Explorer II
January 10, 2022

Hi,

I think TAC is more focused on actual incidents than theoretical questions. I investigated a little bit more and found that the AV scanning has changed a lot since v5.4. Now you have two options for AV scanning: proxy-based or flow-based mode (the default is flow). For proxy-based AV mode you can choose between the default (stream-based scanning) or legacy submodes. For flow-based AV mode you can't choose between the default or legacy submodes; it uses a hybrid of the two scan submodes. The documents are attached:

https://docs.fortinet.com/document/fortigate/7.0.1/administration-guide/836396/antivirus

https://docs.fortinet.com/document/fortigate/7.0.0/cli-reference/532620/config-antivirus-profile

https://docs.fortinet.com/document/fortigate/7.0.0/new-features/017521/stream-based-antivirus-scan-in-proxy-mode-for-ftp-sftp-and-scp

https://docs.fortinet.com/document/fortigate/7.0.1/administration-guide/872942/proxy-mode-stream-based-scanning


Regards,

Julián
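As an added example (not configuration from the thread or from Fortinet's documentation), here is how the two modes described above look in the FortiOS 7.0 CLI: `scan-mode` is only offered once `feature-set proxy` is selected, and a flow profile has no such option. The profile names, the policy ID 10 and the use of the built-in `certificate-inspection` SSL profile are assumptions.

```fortios
# Added example, not from the thread. Profile names and policy ID are placeholders.
config antivirus profile
    edit "av-proxy-legacy"
        set feature-set proxy
        # Only valid under feature-set proxy:
        #   default = stream-based scanning (7.0 behaviour)
        #   legacy  = the earlier, non-streaming proxy scan
        set scan-mode legacy
    next
    edit "av-flow"
        set feature-set flow
        # No "set scan-mode" here: flow-based AV has no submode since 6.4
    next
end

# Bind each profile to a policy whose inspection mode matches its feature set.
# Policy 10 is assumed to exist already; only the UTM-related lines are shown.
config firewall policy
    edit 10
        set inspection-mode proxy
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "av-proxy-legacy"
    next
end

# Check: the flow profile's full configuration contains no scan-mode line,
# while the proxy profile shows "set scan-mode legacy".
show full-configuration antivirus profile av-flow
show full-configuration antivirus profile av-proxy-legacy
```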

AlexC-FTNT
Staff
January 10, 2022

Perfectly right, and correctly documented:


"Starting from 6.4.0, the scan mode option is no longer available for flow-based AV.

This means that AV no longer exclusively uses the default or legacy scan modes when handling traffic on flow-based firewall policies."

Basically, there are only flow- and proxy-mode, making everything simpler.