Hi guys,
I have been away from Fortinet for some time, and the last time I saw FortiGate was version 5.4, more or less. At the time, AV scanning had proxy-based mode and flow-based mode, and the latter in turn had full scan and quick scan, each one with its advantages and disadvantages. Now that I am back with FortiGate, I see there are proxy-based mode and flow-based mode, and the flow-based mode is just that: there are no full scan or quick scan submodes, and I think this is from FortiOS 6.2. Is that right? If there is only flow-based mode, is it like the old full scan mode or like the old quick scan mode? Thanks in advance.
Regards,
Julián
Hi Julian,
This is still configurable on 6.2 and beyond:
Is this what you were looking for?
Cheers,
Steffen
Hi Steffen,
Yes, it seems it is still the same. But I don't find that document for FortiOS 7. The following snapshot is for a FortiGate v7.0.3 (FortiGate demo) and you can see under Flow-based AV you can't choose between full scan or quick scan:
Regards,
Julián
Dear Julian,
Understood. I checked a little bit and also can't find documentation of when it was removed or what the default scanning mode is at the moment, so I would suggest raising a ticket with TAC in case you want to investigate this further.
Cheers, Steffen
Hi,
I think TAC is more focused on actual incidents than theoretical questions. I investigated a little bit more and found that AV scanning has changed a lot since v5.4. Now you have two options for AV scanning: proxy-based or flow-based mode (default is flow). For proxy-based AV mode you can choose between the default (stream-based scanning) and legacy submodes. For flow-based AV mode you can't choose between the default and legacy submodes; it uses a hybrid of the two scan submodes. The documents are attached:
https://docs.fortinet.com/document/fortigate/7.0.1/administration-guide/836396/antivirus
https://docs.fortinet.com/document/fortigate/7.0.0/cli-reference/532620/config-antivirus-profile
Regards,
Julián
Perfectly right, and correctly documented:
"Starting from 6.4.0, the scan mode option is no longer available for flow-based AV.
This means that AV no longer exclusively uses the default or legacy scan modes when handling traffic on flow-based firewall policies."
Basically, there is only flow and proxy mode, making everything simpler.