Nicolas_Marengo
New Contributor

Antivirus change from Proxy-based to Flow-Based

My cluster of 2 x Fortigate 60C hits 100% very, very often. One of the many changes I'm making is reducing the amount of logging and UTM being done and applying them to traffic a bit more specifically. I have also changed most of the UTM from proxy to flow-based. But when trying to change the Antivirus, it says: "Value conflicts with system settings". I cannot find the system settings anywhere... Can anyone help? Thanks, Nico
Nicolas_Marengo
New Contributor

.... So when trying to do the same change over the CLI, the error is more descriptive.
==========
fgt60c_ha_1 (default) # set inspection-mode flow-based
failed! profile used by policy settings!
node_check_object fail! for inspection-mode flow-based
value parse error before ' flow-based'
Command fail. Return code -7
==========
After removing the antivirus from ALL the policies I can now change it to flow-based. Thing is... it's not being applied to any policy now until I re-add it.... Pain in the a$$
Nicolas_Marengo
New Contributor

Having said that... it cannot be added back into the policies, so I'm not sure what the expected behavior is for this.
ssu_FTNT
Staff

Due to limited storage space, the 60C supports proxy or flow mode, but not both at the same time. In my practice, if you want to change from proxy to flow:
1. Make sure no policy in any VDOM has an AV profile.
2. Change the AV default-db setting to normal.
3. Change or create a new AV profile in flow mode.
4. Do a manual DB update with exe update-now.
5. Apply the AV profile to the policies again, and you are good to go.
Sean_Toomey_FTNT

I would update to version 5.2, as there are major improvements to flow UTM since 5.0. Ensure that all of your UTM protections are in flow. IPS and AppCtrl just use the IPS engine, but Email Filtering, Web Filtering, Antivirus and DLP all need to be in flow mode. If any are in proxy mode you will end up using the proxy again. Hope that helps. Cheers!
-- Sean Toomey, CISSP FCNSP Consulting Security Engineer (CSE) FORTINET— High Performance Network Security
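The CLI sequence below is an added example and is not from any post in this thread; it strings together the five steps ssu_FTNT lists above and the check Sean Toomey's reply implies (every policy must end up referencing only flow-mode profiles). It assumes a unit without VDOMs enabled, a policy with ID 1, and an AV profile named "av-flow"; substitute your own. On a unit with VDOMs, the antivirus settings and the update live under config global and the policy edits under each config vdom, and step 1 has to be repeated per VDOM. Checking the web filter, email filter and DLP profiles referenced by the same policies for their flow-mode setting is part of the same job, but their exact keywords vary by FortiOS version and are not shown here.

```text
# --- Step 1: find and clear every policy that still references an AV profile.
# The inspection-mode change is refused ("profile used by policy settings")
# while any policy does, so list them first. Policy ID 1 is an assumption.
show firewall policy | grep av-profile
config firewall policy
    edit 1
        unset av-profile
    next
end

# --- Step 2: switch the AV database to "normal" (the flow-mode set).
config antivirus settings
    set default-db normal
end

# --- Step 3: create (or edit) the AV profile in flow mode. "av-flow" is an
# assumed name; editing the existing profile instead works the same way.
config antivirus profile
    edit "av-flow"
        set inspection-mode flow-based
    next
end

# --- Step 4: pull the signature set that matches the new database setting.
execute update-now

# --- Step 5: attach the profile again and confirm it took.
config firewall policy
    edit 1
        set av-profile "av-flow"
    next
end
show firewall policy | grep av-profile
```

The two show ... | grep lines are the check worth keeping: the first should return nothing before you attempt the mode change, and the second should list the flow-mode profile on every policy that had AV before.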
Istvan_Takacs_FTNT

Hi Nicholas, 60Cs also don't have built-in CPs/SPs (FortiASIC content/security processors) to off-load scanning from the main CPU. If you want to stay on the safe side and protect your network from nasty viruses, but also have proper performance at the same time, it might be time to upgrade to a device that can handle both scanning and other firewall duties at the same time. The smallest device that comes with a dedicated CP8 processor is the Fortigate 100D. If you follow all the previous advice and you are still having issues with the load, then it might simply be a matter of having so much traffic passing through your cluster that the hardware can't handle it anymore, and time to look into the upgrade option. 100Ds also come with a dual-core CPU, which would help with other traffic processing, too.
Mika

Also, which version are you running? There might be some improvements in the latest FortiOS.
Pre&post sales technical engineer Whitegold Solutions - Exclusive Networks ANZ
dasilva13
New Contributor

I will have to agree with Istvan. I have many 60Cs out in the field, and the 100D, with its dedicated processor, handles UTM MUCH MUCH better in my opinion. We are hit and miss with the lower-end models and always try to push at least the 100D model.
sebastan_bach

I hope FG will document the device models with the CP version that comes with the device.

Regards

Sebastan
