Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
caunon
Staff
Staff

Created on ‎03-23-2025 04:49 PM

Article Id 384010

Technical Tip: The av-mem-limit feature doesn’t work properly when setting “set av-failopen pass” in FortiGate.

Description

This article describes the situation where the av-mem-limit feature doesn’t work properly when setting “av-failopen pass” in FortiGate v7.4.4. 
Scope

FortiGate v7.4.4
Solution
  1. At FortiGate unit, configure the av-mem-limit feature:

 

config ips global

set av-mem-limit xx

end

 

xx is an integer value from <10> to <50>.

 

  1. Configure av-failopen with the pass as follows:

config system global

set av-failopen pass

end

 

  1. The av-mem-limit feature does not work with the setting 'set av-failopen pass'.

To fix:

 

  1. For a workaround with a temporary fix:

Configure av-failopen to be 'off' or 'one-shot'.

 

config system global

set av-failopen yy

end

 

yy is off or one-shot.

 

  1. For a permanent fix:

It is necessary to upgrade FortiGate firmware version to be v7.4.6, v7.6.1, or above.
183
0 Kudos
Suggest New Article
Article Feedback
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.