Download Problem
Hi Guys,
I am working for one R&D organization. Here we are using 2 FortiGate 610B in HA mode. I have enabled Antivirus and IPS in the protection profile. I have enabled this protection profile in a policy.
My antivirus settings are as follows:
Enabled virus scan in HTTP, FTP, IMAP, POP3 & IMAP
Enabled comfort clients for HTTP & FTP with interval 10 sec and amount 100 bytes; oversized file/email is pass for a threshold of 500Mb for HTTP & FTP; the remaining settings are default
and IPS has all default settings.
My problem is that whenever we download any file, it takes too much time to download. After a long time it downloads immediately. But I don't know why it is taking so much time. Please help me.
The file is downloaded to the firewall first, scanned for viruses and other stuff there, and then forwarded to your client.
If you want to change this, you can either:
- reduce the comfort client interval (and/or let a larger amount of bytes pass through) or
- switch to AV scanning in flow-based mode (as of FortiOS 4.0 MR2) (scans the stream, so it doesn't fully decompose the traffic before scanning)
The latter is the fastest, but I wouldn't recommend it because chances are higher that you miss a virus.
Willem
__________________________________
FCNSP (Fortinet Certified Network Security Professional)
Hi,
this is due to a gross misconfiguration of the AV threshold.
The size limit is not only the setting which triggers the "oversize" warning in the log. It determines up to which filesize content is AV scanned. The reasoning behind this is that malware is mass replicated only in small files. The percentage of infected files drops to 0.1% for filesizes of 2 MB or more. (There is a paper on the analysis of infected files vs. filesize somewhere, I can't remember it at the moment.)
Sometimes the filesize is known in advance, sometimes not (e.g. streams). So, the FG will scan up to the threshold, and if nothing is found, will pass the file/stream unscanned. All files below the threshold are scanned in total.
So, with your setting of 500 MB, 100% of your incoming data is scanned, which takes a toll on latency and CPU load.
1. Recommended setting for the threshold is 2 or 3 MB. You won't gain anything beyond this size; on the contrary, you'll waste a lot of system resources.
2. I would cancel client comforting altogether for security reasons. If the WAN connection is fast enough this won't make a big difference in latency.
If the 620B wasn't such a great piece of hardware you would have noticed far earlier.
Ede Kernel panic: Aiee, killing interrupt handler!
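The trade-off discussed in the replies above, as an added example that is not part of any post and is not FortiOS code: a simplified Python model of buffer-then-scan AV with an oversize threshold and client comforting. The 1 MB/s link, the sample file sizes, and all names in the code are assumptions; file size is taken as known in advance and scan time itself is ignored.

```python
# Added illustration: a simplified model, NOT FortiOS code.
# Assumptions: file size known up front, scan time ignored,
# oversize action is "pass" as in the original post.
from dataclasses import dataclass

MB = 1024 * 1024


@dataclass
class AvProfile:
    oversize_threshold: int      # bytes; larger files pass unscanned
    comfort_interval_s: int = 0  # 0 means client comforting is off
    comfort_amount: int = 0      # bytes trickled to the client per interval


def simulate(file_size, link_bytes_per_s, profile):
    """Model one download through a buffering (proxy-mode) AV scanner."""
    if file_size > profile.oversize_threshold:
        # Over the threshold: streamed straight through, never scanned.
        return {"scanned": False, "stall_s": 0.0, "pre_verdict_bytes": 0}
    # At or under the threshold: the whole file is buffered on the firewall,
    # so the client stalls for the full transfer time before the verdict.
    stall_s = file_size / link_bytes_per_s
    trickled = 0
    if profile.comfort_interval_s > 0:
        ticks = int(stall_s // profile.comfort_interval_s)
        trickled = min(file_size, ticks * profile.comfort_amount)
    # Trickled bytes reach the client before any scan verdict exists.
    return {"scanned": True, "stall_s": stall_s, "pre_verdict_bytes": trickled}


def compare(file_sizes, link_bytes_per_s, profiles):
    """Total stall time, files scanned and pre-verdict bytes per profile."""
    out = {}
    for name, prof in profiles.items():
        runs = [simulate(s, link_bytes_per_s, prof) for s in file_sizes]
        out[name] = {
            "total_stall_s": sum(r["stall_s"] for r in runs),
            "files_scanned": sum(r["scanned"] for r in runs),
            "pre_verdict_bytes": sum(r["pre_verdict_bytes"] for r in runs),
        }
    return out


PROFILES = {
    "as_posted": AvProfile(500 * MB, comfort_interval_s=10, comfort_amount=100),
    "suggested": AvProfile(2 * MB),  # 2 MB threshold, comforting off
}
SAMPLE_SIZES = [1 * MB, 50 * MB, 200 * MB]  # constructed sample downloads

if __name__ == "__main__":
    for name, totals in compare(SAMPLE_SIZES, 1 * MB, PROFILES).items():
        print(name, totals)
```

In this model the posted settings stall the client for the whole transfer of every file while releasing a few hundred bytes ahead of the verdict, which matches the "long wait, then it downloads immediately" symptom in the question.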
If you search for the term "oversize" in the forums, you'll get several old threads on this topic, e.g.
https://forum.fortinet.com/FindPost/62620
https://forum.fortinet.com/FindPost/65772
https://forum.fortinet.com/FindPost/68318
Basically, they dwell on the reasoning behind the 'oversize' setting and the logged event it causes.
Ede Kernel panic: Aiee, killing interrupt handler!
