jrpayne
New Member
August 28, 2014
Question

Protocol Options

Hello All, I am looking for the location in the GUI to edit protocol options and have not been able to locate it. I have recently upgraded to 5.2 and it appears a lot of stuff has changed or moved. I get notifications about downloads that file limit is exceeded and it categorizes that event as subtype of virus?? Makes no sense to me. I only want notification emails when a virus signature gets a hit. Anyone have any ideas about why this may be behaving like this? I just don't understand how a file size (which I suppose I will need to change) would trigger an event with a subtype of "virus".

    20 replies

    Warren_Olson_FTNT
    Staff
    August 28, 2014
    The file size piece can be annoying but basically it's letting you know it couldn't scan the file for viruses because the file size was larger than your settings are set for. Vast majority of viruses are under 1MB so this can be verbose at times. The protocol options you are looking for are listed under "proxy options" under the Policy header in 5.2. However if you wish to change the max file size option for AV scanning it's located in the CLI:
      config antivirus service http    (or other protocols)
        set uncompsizelimit 15    (default is 10)
      end
    jrpayne (Author)
    New Member
    August 29, 2014
    I follow what you are saying. It would be nice if they told you the size of the file that it was skipping the scanning process on. I am not so sure I care about what it doesn't scan because of a size limitation being that I also have an enterprise antivirus solution. I will give you an example. I feel pretty confident that my AV signature updates are not virus laden. However, I get a notification that it did not scan them. That gets to be a lot of emails. So is the solution to somehow exempt an IP from where the signatures come or something different? Does that make sense?
    Warren_Olson_FTNT
    Staff
    August 29, 2014
    jrpayne, Are you doing email notifications from the FortiGate or from FortiAnalyzer? From the FortiGate you can filter out the logging of these oversize messages entirely if you want:
      conf log disk filter
        set oversized disable
      end
    Hope that helps.
    jrpayne (Author)
    New Member
    August 29, 2014
    Oh really? That is awesome to know. I will certainly give that a shot. I should still continue to receive AV signature hit notifications, correct?
    Warren_Olson_FTNT
    Staff
    August 29, 2014
    Yes, this should only affect the oversized log messages. One thing you'll find with FortiOS is the option you want very likely exists, it's just not in the GUI... I guess if they put every possible option in the GUI it would be unusable though.
    jrpayne (Author)
    New Member
    August 29, 2014
    Tried that command and it did not seem to be valid.
    Dave_Hall
    New Member
    August 29, 2014
    According to the 5.2 CLI ref guide, the command should work, unless logging is enabled/directed to another device.
    jrpayne (Author)
    New Member
    August 29, 2014
      FG300B3909601246 # config log fortianalyzer
      filter     Filters for FortiAnalyzer.
      setting    Global FortiAnalyzer settings.
      FG300B3909601246 # config log fortianalyzer filter
      FG300B3909601246 (filter) # set
      severity                 Lowest severity level to log.
      forward-traffic          Enable/disable log through traffic messages.
      local-traffic            Enable/disable log local in or out traffic messages.
      multicast-traffic        Enable/disable log multicast traffic messages.
      sniffer-traffic          Enable/disable log sniffer traffic messages.
      anomaly                  Enable/disable log anomaly messages.
      netscan-discovery        Enable/disable log netscan discovery events.
      netscan-vulnerability    Enable/disable log netscan vulnerability events.
      voip                     Enable/disable log VoIP messages.
      dlp-archive              Enable/disable log DLP archive.
      FG300B3909601246 (filter) # set
    These are the options that I get when trying to run either of these.
    netmin
    New Member
    August 29, 2014
    In the GUI there's a checkbox in the proxy options profile "Log oversized" - this is why the AV oversize messages are logged. In the CLI it should be (example: "default" profile):
      config firewall profile-protocol-options
        edit "default"
          set oversize-log disable
        next
      end
    In the profile-protocol options there are also individual (http/ftp/...) values for oversize-limit (default 10MB).
    Dave_Hall
    New Member
    August 29, 2014
    It seems logging filter settings in 5.0 (which I have installed on this test unit) are different than on 5.2. What netmin has posted is more in line with 4.0 MR3 (which I am more familiar with). I do know a lot of logging options do not (and will not) show up (even with "show full-configuration") unless logging to "that device" is enabled. I can only assume you have enabled logging to the FortiAnalyzer.
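
An added example, not from any post in this thread: rather than dropping oversize events entirely, a log consumer can alert per event only on signature hits and summarise unscanned files per server. The log lines are constructed, and the field names (`subtype`, `eventtype`, `dstip`, `virus`) and the values `infected`/`oversize` are assumptions about the log format.

```python
import re
from collections import Counter

# Constructed sample lines in key=value log style. Field names and the
# eventtype values "infected"/"oversize" are assumptions, not from the thread.
SAMPLE_LOGS = [
    'type=utm subtype=virus eventtype=oversize srcip=10.0.0.5 dstip=203.0.113.10 msg="Size limit is exceeded."',
    'type=utm subtype=virus eventtype=infected srcip=10.0.0.9 dstip=198.51.100.7 virus="EICAR_TEST_FILE" msg="File is infected."',
    'type=traffic subtype=forward srcip=10.0.0.5 dstip=203.0.113.10 action=accept',
    'type=utm subtype=virus eventtype=oversize srcip=10.0.0.6 dstip=203.0.113.10 msg="Size limit is exceeded."',
    'type=utm subtype=virus eventtype=oversize srcip=10.0.0.9 dstip=198.51.100.7 msg="Size limit is exceeded."',
]

# key=value, where the value is either "quoted text" or a bare token
KV = re.compile(r'([\w-]+)=(?:"([^"]*)"|(\S*))')


def parse_line(line):
    """Split one log line into a dict, honouring quoted values."""
    return {key: quoted if quoted else bare
            for key, quoted, bare in KV.findall(line)}


def triage(lines):
    """Return (alerts, oversize_by_server).

    alerts: every subtype=virus event that is not an oversize notice, so an
            unrecognised eventtype still raises an alert instead of vanishing.
    oversize_by_server: count of files that skipped scanning, per dstip,
            suitable for a periodic digest instead of one email per file.
    """
    alerts, oversize = [], Counter()
    for line in lines:
        event = parse_line(line)
        if event.get("subtype") != "virus":
            continue  # not an antivirus event at all
        if event.get("eventtype") == "oversize":
            oversize[event.get("dstip", "unknown")] += 1
        else:
            alerts.append(event)
    return alerts, oversize


if __name__ == "__main__":
    hits, skipped = triage(SAMPLE_LOGS)
    for hit in hits:
        print("ALERT:", hit.get("virus", "?"), hit.get("srcip"), "<-", hit.get("dstip"))
    for server, count in skipped.most_common():
        print(f"digest: {count} unscanned oversize file(s) from {server}")
```

The digest keeps the record that files bypassed scanning, which a blanket oversize-log disable would discard.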