I have been away from Fortinet for some time, and the last time I saw FortiGate was version 5.4, more or less. At the time, AV scanning had proxy-based mode and flow-based mode, and the latter in turn had full scan and quick scan, each one with its advantages and disadvantages. Now that I am back with FortiGate, I see there are proxy-based mode and flow-based mode, and the flow-based mode is just that: there are no full scan or quick scan submodes, and I think this is from FortiOS 6.2. Is that right? If there is only just flow-based mode, is it like the old full scan mode or like the old quick scan mode? Thanks in advance.
Yes, it seems it is still the same. But I don't find that document for FortiOS 7. The following snapshot is for a FortiGate v7.0.3 (FortiGate demo) and you can see under Flow-based AV you can't choose between full scan or quick scan:
Understood. I checked a little bit and also can't find documentation of when it was removed and what the default scanning mode is at the moment, so I would suggest raising a ticket with TAC in case you want to investigate this further.
I think TAC is more focused on actual incidents than theoretical questions. I investigated a little bit more and found that the AV scanning has changed a lot from v5.4. Now you have two options for AV scanning: proxy-based or flow-based modes (default is flow). For proxy-based AV mode you can choose between the default (stream-based scanning) or legacy submodes. For flow-based AV mode you can't choose between the default or legacy submodes; it uses a hybrid of the two scan submodes. Attached the documents: