FortiGate
xshkurti
Staff
Article Id 393776
Description: This article describes how FortiGate, configured in Policy-Mode, behaves when downloading the EICAR file.
Scope: FortiOS Policy-Mode.
Solution

FortiGate FortiOS operates in 2 different modes: Profile-Mode and Policy-Mode.

Profile mode is the traditional FortiOS method: security profiles (such as antivirus and web filter) are created first and then applied to firewall policies. Policy mode lets these security actions be defined directly within the policies, without preconfigured profiles.

 

  • Profile mode:
    Use when the deployment needs fine-grained control over security features, has a large number of policies, or is migrating from a traditional firewall approach.
     
  • Policy mode:
    Use when the goal is to simplify policy management, especially when migrating from firewalls with application-based rules or when URL categories need to be used directly in policies.

 

There is a fundamental difference in how profile and policy modes operate.

 

Regarding antivirus and IPS scanning, in profile mode FortiOS matches incoming packets against a few basic static conditions (source/destination IP and port, schedule, and so on). These are all known from the first packet, and they decide which firewall policy, and therefore which security profiles, apply.

That allows antivirus scanning to start from the very first byte of the session.

 

In policy mode, IPS first has to detect which application generated the traffic (Facebook, YouTube, ChatGPT, and so on), and only after the application is identified does it select and apply the policy.
Some bytes always pass through before that point, because FortiGate needs to observe how the client and server establish the connection and start the conversation.

 

Each signature tells IPS how many bytes it needs to inspect before that signature can no longer match.
For example, Google.Search, Google.Maps, and Google.YouTube are hard to tell apart at first, because all of them initially talk to the very same Google front-end server.

 

There is a strict limit: no signature can request more than 4 KB of data, so it is expected that FortiGate may not decide on the policy before that much data has passed.

 

As the EICAR test file is only 68 bytes long, it is downloaded well before FortiGate can determine that the traffic is not one of the applications in the configuration. This means that for a FortiGate in policy mode, the EICAR test file may not be the best way to test firewall behavior, and antivirus/IPS may allow the test file through.
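The following simulation is an added example, not Fortinet code, and it models only the timing behavior the article describes: in profile mode the antivirus engine sees the response from byte 0, while in policy mode the application-control engine first consumes bytes (never more than the 4 KB ceiling) to classify the application, and only then is the security policy with its AV profile applied. The number of bytes the constructed "signatures" need to classify a flow, the assumption that bytes consumed before the decision were already forwarded unscanned, and the sample response bodies are all constructed for illustration. It also goes beyond the article's single case by showing that a larger download with the same content near its end is caught once the 4 KB decision point is reached.

```python
"""Simulation of inspection timing in profile mode vs. NGFW policy mode.

Added example (not Fortinet code). Every byte count below other than the
68-byte EICAR string and the 4 KB signature ceiling is a constructed assumption.
"""

from dataclasses import dataclass

# Public EICAR antivirus test string, 68 bytes long and harmless by design.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Hard ceiling the article mentions: no signature may request more than 4 KB.
APP_SIGNATURE_LIMIT = 4096


@dataclass
class Outcome:
    forwarded_unscanned: int  # bytes delivered to the client before AV engaged
    scanned: int              # bytes the AV engine actually inspected
    blocked: bool             # whether the download was stopped


def av_scan(data: bytes) -> bool:
    """Stand-in for the antivirus engine: flag the payload if the EICAR
    string is present in the bytes the engine was given."""
    return EICAR in data


def profile_mode(response: bytes) -> Outcome:
    """Static conditions (src/dst IP, port, schedule) select the policy at
    once, so the AV profile applies from the first byte of the response."""
    return Outcome(0, len(response), av_scan(response))


def policy_mode(response: bytes, bytes_needed_to_classify: int) -> Outcome:
    """Application control must classify the flow before a security policy
    (and its AV profile) is chosen. bytes_needed_to_classify is a constructed
    stand-in for how much payload the app signatures require; the engine never
    waits for more than APP_SIGNATURE_LIMIT bytes, and it cannot wait for bytes
    the response does not contain."""
    decision_point = min(bytes_needed_to_classify, APP_SIGNATURE_LIMIT, len(response))
    # Simplifying assumption: everything up to the decision point has already
    # been forwarded to the client and is never seen by the AV engine.
    already_forwarded = response[:decision_point]
    remainder = response[decision_point:]
    return Outcome(len(already_forwarded), len(remainder), av_scan(remainder))


def compare(response: bytes, bytes_needed_to_classify: int) -> dict:
    """Run both modes on the same response body and return the two outcomes."""
    return {
        "profile": profile_mode(response),
        "policy": policy_mode(response, bytes_needed_to_classify),
    }


if __name__ == "__main__":
    # Constructed sample downloads: the bare 68-byte EICAR file, and a larger
    # body (8 KB of filler) with the same test string at the end.
    samples = [
        ("eicar.txt", EICAR),
        ("large-download", b"A" * 8192 + EICAR),
    ]
    # Assume the signatures need the full 4 KB to rule out the configured apps,
    # as in the Google.Search / Google.Maps / Google.YouTube case in the article.
    for label, body in samples:
        for mode, out in compare(body, 4096).items():
            print(f"{label:15} {mode:8} forwarded_unscanned={out.forwarded_unscanned:5d} "
                  f"scanned={out.scanned:5d} blocked={out.blocked}")
```

Running the script shows the bare EICAR file passing in policy mode (all 68 bytes are forwarded before the decision point) while profile mode blocks it, and the larger body being blocked in both modes because 4 KB of filler still leaves the test string inside the scanned remainder. Even an early classification does not help the tiny file: with a decision point at byte 40, the AV engine only ever sees the tail of the string.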

 

Example:

Firewall in Policy mode:

 

config system settings
    set ngfw-mode policy-based
end

 

Antivirus profile: 

 

config antivirus profile
    edit "TEST-AV"
        config http
            set av-scan block
            set outbreak-prevention block
            set quarantine enable
        end
        config ftp
            set av-scan block
            set outbreak-prevention block
            set quarantine enable
        end
        config imap
            set av-scan block
            set outbreak-prevention block
            set quarantine enable
            set executables virus
        end
        config pop3
            set av-scan block
            set outbreak-prevention block
            set quarantine enable
            set executables virus
        end
        config smtp
            set av-scan block
            set outbreak-prevention block
            set quarantine enable
            set executables virus
        end
        config cifs
            set av-scan block
            set outbreak-prevention block
            set quarantine enable
        end
        set ems-threat-feed enable
        set extended-log enable
    next
end

 

Firewall policy with antivirus and IPS enabled:

 

config firewall security-policy
    edit 1
        set name "BlockEICAR"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set logtraffic all
        set av-profile "TEST-AV"
    next
end

 

Normal NAT configured through the Central-SNAT section:

 

config firewall central-snat-map
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set orig-addr "all"
        set dst-addr "all"
    next
end

 

SSL Inspection profile applied:

 

config firewall policy
    edit 2
        set name "Deep-SSL-Inspection"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set ssl-ssh-profile "deep-inspection"
    next
end

 

Note: The FortiGate CA SSL certificate must be installed in the client's trusted root certificate authority store, otherwise deep inspection produces certificate warnings on the endpoint.

 

  1. Download the FortiGate_CA_SSL certificate:

[Image: Certificate-downloaded.png]

  2. Install the downloaded certificate on the Windows machine:

[Image: Install-certificate.png]

 

What is observed from the end user:

 

[Image: eicar-downloaded.png]

 

The EICAR text file is downloaded by the end user.

When the operation mode is changed from policy to profile mode, the behavior also changes:

 

Firewall Policy:

 

config firewall policy
    edit 1
        set name "BlockEICAR"
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set av-profile "TEST-AV"
        set logtraffic all
        set nat enable
    next
end

 

What is observed from the end user:

 

[Image: eicar-blocked.png]

 

Keep in mind that changing the operation mode from policy to profile, or vice versa, deletes all firewall policies. Do this with caution, and always back up the current configuration before proceeding with the change.