Fortinet Forum
fjulianom
FortiGate Flow-based AV scanning mode

Hi guys,


I have been away from Fortinet for some time, and the last time I saw FortiGate was version 5.4 more or less. At the time, AV scanning had proxy-based mode and flow-based mode, and the latter in turn had full scan and quick scan, each one with its advantages and disadvantages. Now that I am back with FortiGate, I see there are proxy-based mode and flow-based mode, and the flow-based mode is just that: there are no full scan or quick scan submodes, and I think this is from FortiOS 6.2. Is that right? If there is only flow-based mode, is it like the old full scan mode or like the old quick scan mode? Thanks in advance.


Regards,

Julián

slautenschlager

Hi Julian,

This is still configurable on 6.2 and beyond:

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/100953/inspection-mode-differences-for-a...

Is this what you were looking for?

Cheers,


Steffen

NSE 4/5/7
fjulianom

Hi Steffen,


Yes, it seems it is still the same. But I don't find that document for FortiOS 7. The following snapshot is for a FortiGate v7.0.3 (FortiGate demo) and you can see under Flow-based AV you can't choose between full scan or quick scan:


[attached screenshot: fjulianom_0-1641560507746.png, the antivirus profile page of a FortiGate v7.0.3 demo unit]


Regards,

Julián

slautenschlager

Dear Julian,


Understood. I checked a little bit and also don't find it documented when this was removed or what the default scanning mode is at the moment, so I would suggest raising a ticket with TAC in case you want to investigate this further.


Cheers, Steffen

NSE 4/5/7
fjulianom

Hi,


I think TAC is more focused on actual incidents than theoretical questions. I investigated a little bit more and found that the AV scanning has changed a lot from v5.4. Now you have two options for AV scanning: proxy-based or flow-based mode (default is flow). For proxy-based AV mode you can choose between the default (stream-based scanning) or legacy submodes. For flow-based AV mode you can't choose between the default or legacy submodes; it uses a hybrid of the two scan submodes. Attached are the documents:


https://docs.fortinet.com/document/fortigate/7.0.1/administration-guide/836396/antivirus

https://docs.fortinet.com/document/fortigate/7.0.0/cli-reference/532620/config-antivirus-profile

https://docs.fortinet.com/document/fortigate/7.0.0/new-features/017521/stream-based-antivirus-scan-i...

https://docs.fortinet.com/document/fortigate/7.0.1/administration-guide/872942/proxy-mode-stream-bas...


Regards,

Julián
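A practical follow-up to the post above, added here as an example and not part of the thread or of any Fortinet tool: when auditing a configuration backup it helps to see at a glance which antivirus profiles are flow-based (and therefore have no scan-mode submode at all) and which are proxy-based with the default (stream-based) or legacy submode. The script parses the `config antivirus profile` block of an exported FortiGate configuration and classifies each profile. The keyword names `feature-set` and `scan-mode` are assumed from the 7.0 CLI reference linked in the post; the sample configuration embedded below is constructed for this example, and the "default feature-set is flow" assumption follows the post.

```python
"""Audit FortiOS antivirus profiles in an exported configuration (added example).

Parses the `config antivirus profile` table of a FortiGate configuration backup
and reports, per profile, whether it is flow-based (no scan-mode submode; hybrid
scanning as described in the thread) or proxy-based (scan-mode default, i.e.
stream-based, or legacy). Keyword names follow the 7.0 CLI reference linked above
and are an assumption of this example, not verified against a live unit.
"""
import re
from typing import Dict, List

# Constructed sample configuration for this example (not a real backup).
SAMPLE_CONFIG = """\
config antivirus profile
    edit "av-flow"
        set comment "Flow-based profile, no scan-mode submode available"
        set feature-set flow
        config http
            set av-scan block
        end
    next
    edit "av-proxy-stream"
        set comment "Proxy-based, default (stream-based) scanning"
        set feature-set proxy
        set scan-mode default
        config http
            set av-scan block
        end
    next
    edit "av-proxy-legacy"
        set feature-set proxy
        set scan-mode legacy
    next
end
config firewall policy
    edit 1
        set name "lan-to-wan"
    next
end
"""


def parse_av_profiles(config_text: str) -> Dict[str, Dict[str, str]]:
    """Return {profile name: {top-level 'set' key: value}} for the AV profile table.

    Only top-level settings of each profile are collected; nested sub-tables
    (config http ... end) are tracked by depth and skipped.
    """
    profiles: Dict[str, Dict[str, str]] = {}
    in_av_table = False
    current = None
    depth = 0  # nesting depth of sub-tables inside the current profile
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_av_table:
            if line == "config antivirus profile":
                in_av_table = True
            continue
        if current is None:
            if line == "end":          # closes the antivirus profile table
                break
            m = re.match(r'edit\s+"?([^"]+)"?$', line)
            if m:
                current = m.group(1)
                profiles[current] = {}
            continue
        if line.startswith("config "):
            depth += 1
        elif line == "end":
            depth -= 1
        elif line == "next" and depth == 0:
            current = None             # end of this profile entry
        elif depth == 0:
            m = re.match(r"set\s+(\S+)\s+(.*)$", line)
            if m:
                profiles[current][m.group(1)] = m.group(2).strip('"')
    return profiles


def classify(profile: Dict[str, str]) -> str:
    """Describe the effective scanning mode of one parsed profile."""
    # Assumption from the thread: if feature-set is not set, the default is flow.
    feature_set = profile.get("feature-set", "flow")
    if feature_set == "flow":
        note = " (scan-mode setting present but not applicable)" if "scan-mode" in profile else ""
        return "flow-based, hybrid scanning, no submode" + note
    mode = profile.get("scan-mode", "default")
    label = "stream-based" if mode == "default" else "legacy"
    return f"proxy-based, scan-mode {mode} ({label})"


def audit(config_text: str) -> List[str]:
    """One line per AV profile: name and effective scanning mode."""
    return [f"{name}: {classify(p)}" for name, p in parse_av_profiles(config_text).items()]


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG):
        print(line)
```

Run it against a full configuration backup by reading the file into `audit()`; profiles that appear as flow-based are the ones where, as the post explains, the old full/quick (later default/legacy) choice no longer exists.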

AlexC-FTNT

Perfectly right, and correctly documented:


"Starting from 6.4.0, the scan mode option is no longer available for flow-based AV.

This means that AV no longer exclusively uses the default or legacy scan modes when handling traffic on flow-based firewall policies."


Basically, there is only flow mode and proxy mode, making everything simpler.


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -