Flow-based antivirus scanning order with deepflow
Hello!
I am trying to understand "Flow-based antivirus scanning order" - https://help.fortinet.com/fos60hlp/60/Content/FortiOS/fortigate-security-profiles/Antivirus/Antiviru...
"The following figure illustrates the antivirus scanning order when using flow-based scanning (i.e. the flow-based database). The antivirus scan takes place before any other antivirus-related scan. If file filter is not enabled, the file is not buffered."
but at the same time:
"FortiOS 5.2 introduced a new type of flow-based AV scanning, that is sometimes called deepflow or deep flow, and that takes a hybrid approach where content packets are buffered while simultaneously being sent to their destination. When all of the file's packets have been collected and buffered, but before the final packet is delivered, the buffered file is scanned." - https://help.fortinet.com/fos60hlp/60/Content/FortiOS/fortigate-security-profiles/Inspection%20Modes/antivirus_scanning_modes.htm
I think that the figure that illustrates the flow-based antivirus scanning order MUST have a BUFFERING STAGE before the AV scanning stage, as in the proxy-based antivirus scanning order ....
So, my question -- where is the correct scheme for the flow-based AV scanning order using deepflow?
