Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Not applicable

Flow-based Antivirus

In the new version of FortiGate, 4.0 MR2, you can now use a new alternative form of anti-virus: Flow Antivirus (IPS-antivirus). The flow-based antivirus feature is not an antivirus enhancement, but rather a way to detect malware using IPS. Has someone already used it? What are the recommendations for using it? How do you configure it? Does it replace the classical form of scanning? What problems and shortcomings can be found?
12 REPLIES
discoveryit
New Contributor

Someone has already used? What are some recommendations to use? how to configure? is whether to replace the classical form scanning? what problems and shortcomings can be found? < Message edited by roms -- 6/11/2010 12:38:48 PM >
UTM - Antivirus - Database - Click Flow-Based.... it does the rest.
FCNSP

OK, this is known; I'm just trying to figure out, before making the switch, how well it works and whether anybody is experienced with this method of scanning.
discoveryit
New Contributor

It's so new I would doubt many people have used it. From the description it should help us with the malware issues everyone is having. I would just enable it and see how it works for you...
FCNSP
laf
New Contributor II

Flow-based AV is a technique Fortinet borrowed from competitors; it is a FASTER method than the proxy AV Fortinet uses, but it has its known drawbacks.

The most expensive and scarce resource for man is time; paradoxically, it's infinite.
cgofish23
New Contributor

Anyone know which FGTs support this? Looking at our 111C, I'm not seeing it as an option....
edsouza_FTNT

The following models I see support Flow-based AV as of 4.2.1:
FGT_80C
FGT_80CM
FWF_80CM
FWF_81CM
FGT_200B (and POE)
FGT_620B (and DC)
FGT_1240B
TopJimmy
New Contributor

blurb from the UTM MR2 documentation on page 44
If your FortiGate unit supports flow-based antivirus scanning, you can choose to select it instead of proxy-based antivirus scanning. Flow-based antivirus scanning uses the FortiGate IPS engine to examine network traffic for viruses, worms, trojans, and malware, without the need to buffer the file being checked. The advantages of flow-based scanning include faster scanning and no maximum file size. Flow-based scanning doesn’t require the file be buffered so it is scanned as it passes through the FortiGate unit, packet-by-packet. This eliminates the maximum file size limit and the client begins receiving the file data immediately. The trade-off for these advantages is that flow-based scans detect a smaller number of infections. Viruses in documents, packed files, and some archives are less likely to be detected because the scanner can only examine a small portion of the file at any moment. Note however that your choice of flow-based or proxy-based scans only affects antivirus scans. Although you enable file filtering in the antivirus profile, it requires that files be proxied. Therefore, if you enable both flow-based antivirus scanning and file filtering, files will not be proxied for antivirus scans, but they will be proxied for file filtering.
and page 46
The flow-based database is a subset of the extreme database. Flow-based scans cannot detect polymorphic and packed-file viruses, so those signatures are not included in the flow-based database.
-TJ
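As an added illustration of the trade-off the documentation excerpt above describes (this is not code from the thread or from Fortinet): a toy proxy-style scanner that buffers the whole file, enforces a buffer limit and can unpack a gzip archive before matching, beside a toy flow-style scanner that only ever holds the current packet plus a short tail of the previous one. The signature string, packet size, buffer limit and sample files are all constructed placeholders, and the example is a generalisation of the packet-by-packet behaviour the excerpt states, not FortiOS's actual engine.

```python
import gzip
import zlib

# Constructed placeholder standing in for an AV signature (not a real signature).
SIGNATURE = b"CONSTRUCTED-TEST-PATTERN-0001"

GZIP_MAGIC = b"\x1f\x8b"


def proxy_scan(file_bytes: bytes, signatures, max_size: int) -> str:
    """Proxy-style scan: the whole file is buffered before matching.
    Returns 'infected', 'clean' or 'oversize'."""
    if len(file_bytes) > max_size:
        # Buffering implies a size limit; what happens to oversize files
        # is a policy decision, so the scanner only reports the condition.
        return "oversize"
    views = [file_bytes]
    if file_bytes.startswith(GZIP_MAGIC):
        try:
            # Having the complete file lets the scanner unpack the archive
            # and match against the decompressed content as well.
            views.append(gzip.decompress(file_bytes))
        except (OSError, zlib.error, EOFError):
            pass
    for view in views:
        if any(sig in view for sig in signatures):
            return "infected"
    return "clean"


def flow_scan(packets, signatures) -> str:
    """Flow-style scan: each packet is examined as it passes. Only the last
    (longest signature - 1) bytes of the previous packet are retained, so a
    pattern split across two packets is still seen, but nothing is buffered
    and compressed content stays opaque."""
    keep = max(len(s) for s in signatures) - 1
    tail = b""
    for pkt in packets:
        window = tail + pkt
        if any(sig in window for sig in signatures):
            return "infected"
        tail = window[-keep:] if keep else b""
    return "clean"


def split_into_packets(data: bytes, mtu: int):
    """Chop a byte string into fixed-size packets (constructed traffic)."""
    return [data[i:i + mtu] for i in range(0, len(data), mtu)]


def compare(file_bytes: bytes, mtu: int = 64, max_size: int = 10_000) -> dict:
    """Run both scanners over the same file and report their verdicts."""
    return {
        "proxy": proxy_scan(file_bytes, [SIGNATURE], max_size),
        "flow": flow_scan(split_into_packets(file_bytes, mtu), [SIGNATURE]),
    }


# Constructed sample files
PLAIN = b"A" * 100 + SIGNATURE + b"B" * 100   # pattern straddles a packet boundary at mtu=64
PACKED = gzip.compress(PLAIN)                  # same content inside a gzip archive
HUGE = b"C" * 20_000 + SIGNATURE               # larger than the proxy buffer limit

if __name__ == "__main__":
    for name, blob in [("plain", PLAIN), ("packed", PACKED), ("huge", HUGE)]:
        print(name, compare(blob))
```

Running it shows the three cases the excerpt talks about: both scanners catch the plain file even though the pattern crosses a packet boundary, only the proxy scanner catches the same pattern once it is inside a gzip archive, and only the flow scanner catches it in a file that exceeds the proxy buffer limit.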
Carl_Wallmark
Valued Contributor

And the best thing is that you can choose what antivirus db you want per firewall policy :)

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
david1

ORIGINAL: Selective
And the best thing is that you can choose what antivirus db you want per firewall policy :)
How are you achieving this? On my 620B running 4.0 MR2P1 the Virus DB option looks to be set per VDOM. Thanks, David