FortiGate
skaneria
Staff
Article Id 193325

Description


This article describes why, after upgrading to firmware 6.4.0, a firewall policy shows a warning sign with the message 'The flow-mode policy is using proxy-mode feature set'.
In general, proxy-based and flow-based features should not be mixed in a firewall policy.

A proxy feature will not work in a flow-based policy. Strictly referring to AV: if the policy is in proxy mode, the AV profile used in it must also be in proxy mode ('set feature-set proxy').
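As an added example (not part of this article and not FortiOS code), the following Python script audits a FortiOS configuration backup for exactly this mismatch: flow-mode policies that reference an antivirus profile whose feature-set is proxy. The configuration excerpt is constructed, and the script assumes that an unset inspection-mode and an unset feature-set both mean flow.

```python
# Constructed FortiOS-style config excerpt (not captured from a real unit).
# Policy 1 is flow-mode (the default when inspection-mode is unset) yet uses a
# proxy feature-set AV profile, the pairing the warning flags; policy 2 is fine.
SAMPLE_CONFIG = """\
config antivirus profile
    edit "av-proxy"
        set feature-set proxy
        set scan-mode default
    next
end
config firewall policy
    edit 1
        set av-profile "av-proxy"
    next
    edit 2
        set inspection-mode proxy
        set av-profile "av-proxy"
    next
end
"""

def parse_table(config, table):
    """{entry: {key: value}} for one top-level 'config <table>' block."""
    body = config.partition(f"config {table}\n")[2]   # "" if the table is absent
    entries, current, depth = {}, None, 0
    for line in (raw.strip() for raw in body.splitlines()):
        if line.startswith("config "):
            depth += 1                  # entering a nested sub-table (config http)
        elif line == "end":
            if depth == 0:
                break                   # end of the table we were reading
            depth -= 1
        elif depth == 0 and line.startswith("edit "):
            current = line[5:].strip('"')
            entries[current] = {}
        elif depth == 0 and line.startswith("set ") and current:
            key, _, value = line[4:].partition(" ")
            entries[current][key] = value.strip('"')
    return entries

def find_mismatches(config):
    """Ids of flow-mode policies (unset inspection-mode = flow) whose AV profile
    has feature-set proxy (assumption: an unset feature-set means flow)."""
    profiles = parse_table(config, "antivirus profile")
    policies = parse_table(config, "firewall policy")
    return [pid for pid, pol in policies.items()
            if pol.get("inspection-mode", "flow") == "flow"
            and profiles.get(pol.get("av-profile"), {})
                       .get("feature-set", "flow") == "proxy"]
```

Run find_mismatches over a full backup to list the policies to review before, or after, the upgrade.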

 

Scope

 

FortiGate.

Solution


Antivirus profiles use hybrid scanning by default.

In flow-based antivirus profiles, the scan-mode option is removed.
Flow-based antivirus profiles use the default hybrid scanning method to process traffic.
Legacy mode is available for diagnostic purposes only.

Using legacy mode in policies may cause unwanted high memory usage and can even push the unit into conserve mode.

Note

In FortiOS 6.2, the AV profile could be configured with 'scan-mode default' or 'scan-mode legacy'.

When upgrading from 6.2.x to 6.4.0, antivirus profiles assigned to flow-based firewall policies only operate in the default hybrid mode, regardless of the previous scan-mode setting.

From the CLI, scan-mode options are available only for proxy-based antivirus profiles; they are not available for flow-based antivirus profiles.

 

config antivirus profile
    edit "new-av-profile"
        set comment ''
        set replacemsg-group ''
        set feature-set proxy
        set mobile-malware-db enable
        config http
            unset options
            unset archive-block
            unset archive-log
            set emulator enable
            set outbreak-prevention disabled
        end
        ...
        set av-virus-log enable
        set av-block-log enable
        set extended-log disable
        set scan-mode default
    next
end



set ?
comment              <----- Comment.
replacemsg-group     <----- Replacement message group customized for this profile.
feature-set          <----- Flow/proxy feature set.
mobile-malware-db    <----- Enable/disable using the mobile malware signature database.
av-virus-log         <----- Enable/disable antivirus logging.
av-block-log         <----- Enable/disable logging for antivirus file blocking.
extended-log         <----- Enable/disable extended logging for antivirus.
scan-mode            <----- Choose between default scan mode and legacy scan mode.

 

Diagnostics.
The following diagnostic commands are meant for troubleshooting only.

 

diagnose ips av mode ?
    hybrid           <----- Enable/disable hybrid scan mode.
    show             <----- Show status of hybrid scan mode.


To check the flow-based AV scan mode status:

 

diagnose ips av mode show
    Flow-av hybrid scan: Enabled
    Flow-av hybrid scan: Enabled
    Flow-av hybrid scan: Enabled
    Flow-av hybrid scan: Enabled

 

To disable hybrid scan for flow-based AV and enable full scan:

Note.
This command does not persist across a reboot.
If no AV profile is applied to any policy, the 'diagnose ips av mode show' command reports a Disabled status.
Flow-av hybrid scan is enabled by default.

diagnose ips av mode hybrid disable
diagnose ips av mode show

    Flow-av hybrid scan: Disabled
    Flow-av hybrid scan: Disabled
    Flow-av hybrid scan: Disabled
    Flow-av hybrid scan: Disabled

 

To enable hybrid scan for flow-based AV and disable full scan, returning to the default:

 

diagnose ips av mode hybrid enable
diagnose ips av mode show

    Flow-av hybrid scan: Enabled
    Flow-av hybrid scan: Enabled
    Flow-av hybrid scan: Enabled
    Flow-av hybrid scan: Enabled