FortiGate
kyozloveyou_FTNT
Article Id 288655
Description This article explains the antivirus scan modes used by flow-based inspection.
Scope FortiGate v6.4 and above.
Solution

As per the document:

Security Profiles enhancements

 

Starting from FortiOS 6.4, the antivirus scan mode option (default or legacy) is no longer available for flow-based antivirus profiles. For proxy-based profiles it can still be set from the CLI.

Flow-based antivirus therefore runs in a hybrid mode: the IPS engine decides per file whether to use the default (stream-based) scan or the legacy scan, based on criteria such as the file, the protocol, and the security features enabled.

 

Running the command below lists the flow-based antivirus statistics for each IPS engine process:

diag test application ipsmonitor 24

The output shows one block per IPS engine PID:

 

pid: 19497 from 20230706-06:46:11 to 20231211-10:01:07
av_failopen: enabled
FlowAV mmap : 0
FlowAV file open : 0
FlowAV timeout : 0
FlowAV req success : 596779
FlowAV req fail : 0
FlowAV req retry success : 0
FlowAV req retry fail : 0
FlowAV bypassed scan : 0
FlowAV buffer scan : 0
FlowAV file scan : 0
FlowAV interface file open : 17900271
FlowAV interface file close : 17900271
FlowAV ignored files : 13560 <----- Files skipped by the scanner.
FlowAV legacy scan : 596779 <----- Number of legacy (whole-file) scans.
FlowAV default scan : 16091142 <----- Number of default (stream-based) scans.
FlowAV buffer allocation fail : 0
FlowAV buffer reallocation : 15714891
FlowAV buffer reallocation fail: 0
FlowAV queue count: 0 retry_count: 0

 

To estimate how many files a given IPS engine PID is currently holding in shared memory, use the formula below:

Files in memory = FlowAV interface file open - FlowAV interface file close.

 

If too many files accumulate in shared memory, the FortiGate may enter conserve mode.

This happens because a legacy antivirus scan can only examine a file once it has finished transferring over the network, so the file is held in shared memory until the transfer completes.
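As an added example (not part of the original article and not a Fortinet tool), the script below parses the output of `diag test application ipsmonitor 24` as quoted above, applies the files-in-memory formula to each IPS engine PID, and reports the share of legacy scans so the trend can be watched before conserve mode is reached. The sample text is a constructed copy of the counters shown in this article, and the alert threshold `max_files_in_memory` is an assumed value, not a Fortinet recommendation.

```python
import re

# Constructed sample: a copy of the `diag test application ipsmonitor 24`
# block quoted in the article, used here as offline input. Real output
# contains one such block per IPS engine process.
SAMPLE_OUTPUT = """\
pid: 19497 from 20230706-06:46:11 to 20231211-10:01:07
av_failopen: enabled
FlowAV mmap : 0
FlowAV file open : 0
FlowAV timeout : 0
FlowAV req success : 596779
FlowAV req fail : 0
FlowAV req retry success : 0
FlowAV req retry fail : 0
FlowAV bypassed scan : 0
FlowAV buffer scan : 0
FlowAV file scan : 0
FlowAV interface file open : 17900271
FlowAV interface file close : 17900271
FlowAV ignored files : 13560
FlowAV legacy scan : 596779
FlowAV default scan : 16091142
FlowAV buffer allocation fail : 0
FlowAV buffer reallocation : 15714891
FlowAV buffer reallocation fail: 0
FlowAV queue count: 0 retry_count: 0
"""

PID_RE = re.compile(r"^pid:\s*(\d+)")
# Counter name up to the first colon (lazy, so trailing spaces are excluded),
# then the first integer after it.
COUNTER_RE = re.compile(r"^(FlowAV [^:]+?)\s*:\s*(\d+)")


def parse_ipsmonitor(text):
    """Return {pid: {counter_name: value}} for every engine block in the output."""
    engines = {}
    current = None
    for line in text.splitlines():
        m = PID_RE.match(line)
        if m:
            current = int(m.group(1))  # a new "pid:" line starts a new engine block
            engines[current] = {}
            continue
        if current is None:
            continue
        m = COUNTER_RE.match(line)
        if m:
            engines[current][m.group(1).strip()] = int(m.group(2))
    return engines


def summarize(counters):
    """Derive the numbers the article describes from one engine's counters."""
    opened = counters.get("FlowAV interface file open", 0)
    closed = counters.get("FlowAV interface file close", 0)
    legacy = counters.get("FlowAV legacy scan", 0)
    default = counters.get("FlowAV default scan", 0)
    scanned = legacy + default
    return {
        "files_in_memory": opened - closed,  # the article's formula
        "legacy_scans": legacy,
        "default_scans": default,
        "legacy_ratio": (legacy / scanned) if scanned else 0.0,
    }


def check_engines(text, max_files_in_memory=1000):
    """Summarize every engine and flag those holding more files than the
    assumed threshold (an example value, not a Fortinet recommendation)."""
    report = {}
    for pid, counters in parse_ipsmonitor(text).items():
        summary = summarize(counters)
        summary["over_threshold"] = summary["files_in_memory"] > max_files_in_memory
        report[pid] = summary
    return report


if __name__ == "__main__":
    for pid, s in check_engines(SAMPLE_OUTPUT).items():
        print(f"pid {pid}: files in memory={s['files_in_memory']} "
              f"legacy={s['legacy_scans']} default={s['default_scans']} "
              f"legacy share={s['legacy_ratio']:.2%} alert={s['over_threshold']}")
```

Feed it the saved output of the diagnostic command; a rising `files_in_memory` value for one PID, or a legacy share that grows after a feature such as content disarm is enabled, is the signal to revisit the checklist in the next section.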

 

To reduce the number of legacy scans, make sure that:

  1. The following features are disabled: AV engine AI scan, DLP, quarantine, FortiGuard outbreak prevention, external block list, EMS threat feed, and content disarm.
  2. The oversize-limit in the protocol options profile is reduced:

 

config firewall profile-protocol-options
    edit <profile>
        config <protocol>
            set oversize-limit <size>
            set uncompressed-oversize-limit <size>
        end
    next
end

 

  3. File transfer speed is increased. If most scanned files come from the Internet, consider upgrading the Internet link: the faster a file transfers, the shorter the time it stays in shared memory.
  4. sync-session-ttl is disabled in the IPS global settings:

config ips global
    set sync-session-ttl disable
end

This allows the FortiGate to free the file from shared memory once the IPS session expires, after 5 minutes.

 

Related article:

Technical Tip: Explaining IPS 'sync-session-ttl'