Ali7h
Visitor III
May 21, 2026
Solved

Questions Regarding Flow-Based Antivirus Processing and Architecture

  • May 21, 2026
  • 2 replies
  • 74 views

Hi,

I would like to ask for some clarification regarding Flow-Based Antivirus behavior and architecture on FortiGate.

I reviewed the Administration Guide and several technical documents, but I could not find detailed explanations for some internal Flow AV processing behaviors.

I would highly appreciate it if you could clarify the following points or provide any related technical documentation, KB articles, technical tips, or architecture references.

  1. In Flow-Based Antivirus mode, is there still a file size limit / oversize handling mechanism similar to Proxy-Based AV, or is the oversize behavior only applicable to Proxy mode?
  2. In Flow mode, when scanning large files, does FortiGate bypass scanning after reaching a specific internal threshold, or can it continue scanning regardless of file size?
  3. Does Flow-Based Antivirus use the same Antivirus databases (Normal / Extended / Extreme) as Proxy-Based AV, or does Flow mode use a different AV engine/database architecture?
  4. If Flow mode does not fully buffer files like Proxy mode, how does the AV engine process files internally?
    • Is scanning performed chunk-by-chunk?
    • Does it use partial buffering/reassembly?
    • Is detection primarily signature-based, IPS-engine-assisted, heuristic-based, or stream-pattern matching?
  5. Are there any technical references that explain:
    • Flow AV internal architecture
    • IPS engine interaction with Flow AV
    • stream-based scanning logic
    • buffer handling/reassembly mechanisms
    • limitations and design differences between Flow and Proxy AV

I am trying to understand the internal processing logic and architecture differences between Flow-Based and Proxy-Based Antivirus in greater technical depth.

Any detailed explanation or internal/public technical references would be greatly appreciated.

Best answer by Sheikh

Hello @Ali7h
 

  1. In Flow-Based Antivirus mode, is there still a file size limit / oversize handling mechanism similar to Proxy-Based AV, or is the oversize behavior only applicable to Proxy mode?
    1. Yes. Flow-Based AV still has scan limits (file size, decompression, memory), but handling is stream-based rather than full-file buffering like Proxy mode.
  2. In Flow mode, when scanning large files, does FortiGate bypass scanning after reaching a specific internal threshold, or can it continue scanning regardless of file size?
    1. Flow AV cannot scan indefinitely. After internal thresholds are reached, FortiGate may stop AV scanning and allow the session to continue.
  3. Does Flow-Based Antivirus use the same Antivirus databases (Normal / Extended / Extreme) as Proxy-Based AV, or does Flow mode use a different AV engine/database architecture?
    1. Flow AV and Proxy AV generally use the same FortiGuard AV databases (Normal / Extended / Extreme). The main difference is the inspection architecture.
  4. If Flow mode does not fully buffer files like Proxy mode, how does the AV engine process files internally?
    1. Flow AV uses stream-based inspection with partial buffering and TCP stream reassembly instead of fully buffering the entire file.
    2. Flow AV processes traffic as a stream using the IPS engine, performing incremental inspection with partial buffering and protocol-aware stream reassembly. Yes. Flow AV scans data incrementally in stream chunks/sliding windows instead of waiting for the entire file. Flow mode performs TCP stream reassembly and partial object buffering only as needed for inspection. Flow AV uses a combination of signature-based detection, IPS-engine-assisted inspection, heuristic analysis, and stream-pattern matching.

Fortinet Administration Guides, FortiGuard AV/IPS documentation, and Fortinet KB articles explain flow vs. proxy inspection, IPS engine interaction, stream scanning logic, and architectural limitations/design differences.

 

For more details, please check these documentation links.
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/721410/about-inspection-modes
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/659145/flow-mode-inspection-default-mode

https://docs.fortinet.com/document/fortigate/8.0.0/administration-guide/969330/proxy-mode-inspection
https://docs.fortinet.com/document/fortigate/7.0.0/administration-guide/922096/inspection-mode-feature-comparison
 

regards,

 

Sheikh
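As an added illustration (not FortiGate code and not part of the answer above), the Python toy model below contrasts the two architectures the reply describes: a proxy-style scanner that buffers the whole object before matching, and a flow-style scanner that matches chunk by chunk, keeps only a short tail of the previous chunk so a pattern split across a chunk boundary is still seen, and stops scanning once a byte budget is exhausted and lets the rest of the stream pass. The chunk size, overlap length, byte budget and signature patterns are all constructed assumptions for the demonstration; a real engine uses protocol-aware reassembly and far richer signature formats.

```python
"""Toy model of flow-style (stream, partial buffering) versus proxy-style
(full-buffer) signature scanning.  Added illustration only; the constants,
patterns and sizes below are constructed and are not FortiGate internals."""
from dataclasses import dataclass, field

# Constructed toy byte patterns standing in for AV signatures.
SIGNATURES = {
    "toy.sig.A": b"MALICIOUS_MARKER",
    "toy.sig.B": b"BAD_PAYLOAD_XYZ",
}

# Constructed sample "files".  STRADDLE places the 16-byte pattern at offset
# 11 so that, with 16-byte chunks, it is split across the first two chunks.
STRADDLE = b"A" * 11 + SIGNATURES["toy.sig.A"] + b"B" * 20
BIG = b"X" * 100 + SIGNATURES["toy.sig.A"]   # pattern arrives only after 100 bytes


@dataclass
class ScanResult:
    verdict: str                       # "clean", "blocked" or "bypassed"
    matches: list = field(default_factory=list)
    bytes_scanned: int = 0


def chunked(data: bytes, size: int) -> list:
    """Split a byte string into fixed-size chunks (stands in for TCP segments)."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def proxy_scan(data: bytes, oversize_limit: int) -> ScanResult:
    """Proxy-style: buffer the whole object, then scan it once.
    An object above the limit is not buffered at all (oversize handling);
    here it is passed through and reported as 'bypassed'."""
    if len(data) > oversize_limit:
        return ScanResult("bypassed", [], 0)
    matches = [name for name, pat in SIGNATURES.items() if pat in data]
    return ScanResult("blocked" if matches else "clean", matches, len(data))


def flow_scan(chunks: list, oversize_limit: int, keep_overlap: bool = True) -> ScanResult:
    """Flow-style: scan each chunk as it arrives.  To catch a pattern that
    straddles a boundary, keep the last (longest_signature - 1) bytes of the
    previous chunk and prepend them to the next one (partial buffering).
    Once the byte budget is exhausted, stop scanning and let the remainder
    of the stream pass, mirroring the threshold behaviour described above."""
    longest = max(len(p) for p in SIGNATURES.values())
    overlap = longest - 1 if keep_overlap else 0
    tail = b""
    scanned = 0
    matches: list = []
    for chunk in chunks:
        if scanned >= oversize_limit:
            # Budget exhausted with data still arriving: scanning stops here.
            return ScanResult("bypassed", matches, scanned)
        window = tail + chunk
        for name, pat in SIGNATURES.items():
            if pat in window and name not in matches:
                matches.append(name)
        scanned += len(chunk)
        if matches:
            return ScanResult("blocked", matches, scanned)   # stop at first hit
        tail = window[-overlap:] if overlap else b""
    return ScanResult("clean", matches, scanned)


if __name__ == "__main__":
    print("proxy, straddle :", proxy_scan(STRADDLE, 10_000))
    print("flow,  straddle :", flow_scan(chunked(STRADDLE, 16), 10_000))
    print("flow, no overlap:", flow_scan(chunked(STRADDLE, 16), 10_000, keep_overlap=False))
    print("flow,  oversize :", flow_scan(chunked(BIG, 16), 64))
    print("proxy, oversize :", proxy_scan(BIG, 64))
```

The `keep_overlap=False` run misses the straddling pattern, which is the reason a stream scanner needs some reassembly or partial buffering at all. The `bypassed` verdict on the oversized stream is the point to watch in production: whatever the real engine's threshold is, a defender wants that outcome logged and the oversize policy (pass or block) chosen deliberately rather than left at a default.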

 

 

2 replies

Jean-Philippe_P
Staff & Editor
May 27, 2026

Hello,

 

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible. 

 

Regards,

Jean-Philippe - Fortinet Community Team
Sheikh
Staff
May 27, 2026

