Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
cmberry
New Contributor

Interface Setup

If my internal network uses only 1 port on the back of my 200B, is there any reason to use one of the switch ports vs a dedicated port? I am using MR2 Patch 2 on a 200B. I am having a few issues where a web page or download will lose its connection for about 1 second, and this happens all throughout the day and causes all sorts of issues. I do have a support ticket open on it, but I am looking to get opinions of whether my configuration could be causing some of the issues. Would there be an advantage to replace the internal network currently using the “switch” interface with for example “Port 14” with alias of “Internal”? The firewall comes with 192.168.1.99 preconfigured on the switch interface, so I kept it. What are your thoughts? My current setup looks like this: (Network>Interfaces)
rwpatterson
Valued Contributor III

I have taken my protection profiles apart piece by piece until I have found what the problem is. A pain, I agree, but at least I can get some of the benefits and just bypass the part that's failing.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
cmberry
New Contributor

ORIGINAL: rwpatterson I have taken my protection profiles apart piece by piece until I have found what the problem is. A pain, I agree, but at least I can get some of the benefits and just bypass the part that's failing.
Yup, I have attempted to do that, but I need to try again. Do you know if there is a delay between adding/removing a feature and when the firewall starts implementing the change? Meaning, do I need to wait seconds or minutes between each change to test the results?
ede_pfau
SuperUser

The effect is immediate. Some features are session based, so if you don't start a new session you won't see any changes. HTTP is a nice protocol in that respect. Did you look into the timeout settings of your browsers, Firefox and IE? There are some, but it depends on the version, too.

Ede


"Kernel panic: Aiee, killing interrupt handler!"
cmberry
New Contributor

Is anyone using 4.2.2 who can confirm or deny that they are seeing this problem often? Since there are no other threads on this yet, I feel a little crazy. But maybe it's because most people here aren't dumb enough to roll out 4.2.2 in a production environment? Also, can anyone tell me if AV Engine 3.00013 (Updated 2009-08-13) is the latest? 8.13.2009 seems old, but everything else on my unit is very recent.
abelio

Hi,
ORIGINAL: cmberry But maybe it's because most people here aren't dumb enough to roll out 4.2.2 in a production environment?
I'm running 4.2.2 in production environments, not on a 200B though, but on a couple of 310B in A-P HA and on 50/51B units. How did you perform the 4.2.2 loading? Using an upgrade process? All my 4.2.2 issues went away after flash formatting and reloading one 'fresh' 4.2.2 image. That's my personal experience only, not general advice obviously.
Also, can anyone tell me if AV Engine 3.00013 (Updated 2009-08-13) is the latest? 8.13.2009 seems old, but everything else on my unit as very recent.
Use the CLI command "get system fortiguard-service status" to get actual values about your installed engine versions and AV/attack definitions.

regards / Abel
TopJimmy

ORIGINAL: cmberry Also, can anyone tell me if AV Engine 3.00013 (Updated 2009-08-13) is the latest? 8.13.2009 seems old, but everything else on my unit is very recent.
I'm running 4.1.7 on my cluster of 800's (A-P) and I show version 3.013 for the AV Engine. Checking the "What's New" page (updated daily I think) at FortiGuard, it shows this:

Fortinet Antivirus Definition Update 12.403
Release Time: Wed Sep 29 08:22:19 PDT 2010
FortiGate 2.50 (engine 2.006)
FortiGate 2.80 (engine 3.003)
FortiGate_US 2.80 (engine 2.006)
FortiGate 3.00 (engine 3.010)
FortiGate 4.00 (engine 3.013)
FortiClient (engine 4.133)
FortiMail 2.00 (engine 2.91)
FortiMail 3.00 (engine 3.24)
FortiMail 4.00 (engine 3.120)

Check it here: http://www.fortiguard.com/antivirus/whatsnew.html Looks like that is the latest version for the engine on FGTs regardless of the 4.0 build number.
-TJ
cmberry
New Contributor

ORIGINAL: abelio How did you perform the 4.2.2 loading? Using an upgrade process? All my 4.2.2 issues went away after flash formatting and reloading one 'fresh' 4.2.2 image. That's my personal experience only, not general advice obviously.
**** EDIT: I spoke too soon, my downloads are still broken. When my firewall gets the slightest bit busy, like CPU and RAM near 20%, the issue starts showing up.... ******

I did get to 4.2.2 from an upgrade path of 4.1.x and 4.0.x before that. I downloaded a fresh 4.2.2 firmware, checked the MD5 (it was correct), then downloaded and installed Tftpd32, so I could format and put on a clean 4.2.2 per your suggestion. But before I did that, I switched out the Time Warner cable modem with a new (but same model) cable modem. Before I could test to see if that worked, my firewall did a push update to new AV def, 12.00351 (Updated 2010-09-14 via Push Update). Then at about the same time Fortinet actually called me and we played around a bit. Long story short, my downloads *SEEM* to be working now. Don't really know which thing I did fixed the issue, but whatever glitch I was having seems to have gone away. Wish I could pinpoint it for anyone else having the issues... Happy I don't have to format and flash via TFTP. :-) The biggest thing I did with tech support was disable "strict blocking", then re-enable it for both HTTP & HTTPS. Don't know what for, but I'm working again for now. Thanks for all the suggestions and help in this matter.
cmberry
New Contributor

I wanted to update this thread with the progress I have made on this issue, in case anyone else is seeing failed downloads. After having a ticket open for just over a month, I got the call today to confirm it is a BUG. Bug ID 0131322. I thought there was some part of the Fortinet site that shows all bugs and the details, but I was chatting with support today, and they said it is an internal-only site, so let me give you the details of the bug from my point of view.

After turning all UTM features off, and adding them back one at a time, and waiting at least 24 hours between each feature being added, it was conclusively proven to be the Email Filter. Once the tech and I were 95% sure it was only within email, we tried removing all settings, and it then looked to be only within POP3, although I am not 100% sure on that point, since I only have POP3 and SMTP, no IMAP. I then did rotations of email filter on/off in blocks of 24 hours, and proved it to be email filter 100% for me. Simple fact was, with email filter enabled on the policy, downloads failed ~99% of the time. Email filter off = everything was fine.

This may seem odd to you, since email filter should have nothing to do with HTTP/HTTPS downloads. Which is what the tech thought too, and probably why the ticket was open for so long. With email filter on, the AV filter obviously looks at emails, so you could argue that it's actually in the AV filter, but with the AV filter alone being on, you don't see the failed downloads and general choking of the firewall throughput. I am told the problem is with something called the "proxy worker" in conjunction with email scanning of POP3 email. The proxy worker crashes with 4.2.2 (and I am also pretty sure it affects 4.2.1), and this brief interruption causes downloads to fail, web pages to not load, and a variety of other brief but troublesome issues. So, at this point I am very happy to have a probable bug ID, which means at some point in the future I would imagine a bug fix.
Without email filtering on, I have infected and malicious emails pouring into inboxes for about 30 workers, fun fun!
ede_pfau
SuperUser

Thanks for the update on this issue. Just a thought: could you set up a second VDOM to only process POP3, to have it AV scanned? Transparent mode, just 2 interfaces, one policy, one protection profile. Might be worth the trouble instead of having no AV on mail at all.

Ede


"Kernel panic: Aiee, killing interrupt handler!"
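Ede's transparent-mode VDOM idea, sketched as a FortiOS 4.0 MR2 CLI configuration. This is an added example, not configuration from this thread or from Fortinet: the VDOM name mail-tp, the interface pair port13/port14, the management IP, the profile name mail-av and the use of the built-in "default" protocol-options profile are all assumptions. 4.0 MR2 replaced protection profiles with per-feature UTM profiles, so the policy references an antivirus profile rather than a protection profile; check each keyword against the CLI reference for the exact build in use.

```text
# --- global scope: enable VDOMs and hand two physical ports to the new VDOM ---
# Assumption: port13 and port14 are free ports on the 200B; the POP3 path
# (client segment on one side, route to the mail server on the other) must
# physically pass through this pair, since a transparent VDOM is a bridge.
config system global
    set vdom-admin enable
end

config vdom
    edit mail-tp
    next
end

config global
    config system interface
        edit port13
            set vdom mail-tp
        next
        edit port14
            set vdom mail-tp
        next
    end
end

# --- VDOM scope: transparent mode, one AV profile, one POP3-only policy ---
config vdom
    edit mail-tp
        config system settings
            set opmode transparent
            # Assumed management address on the bridged segment.
            set manageip 192.168.1.98/255.255.255.0
        end

        config antivirus profile
            edit mail-av
                config pop3
                    set options scan
                end
            next
        end

        config firewall policy
            edit 1
                set srcintf port13
                set dstintf port14
                set srcaddr all
                set dstaddr all
                set action accept
                set schedule always
                set service POP3
                set utm-status enable
                set av-profile mail-av
                set profile-protocol-options default
            next
        end
    next
end
```

Only POP3 is accepted by the single policy, so nothing else is proxied inside mail-tp; HTTP/HTTPS stay on the root VDOM with email filtering left off there, which is the separation Ede proposes. Whether a proxy-worker crash inside mail-tp leaves the root VDOM's downloads untouched is not established anywhere in this thread; the fragment only shows the wiring, and the failure mode still has to be re-tested (for example with the same 24-hour on/off rotation cmberry used) once the VDOM is in place.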