In this recipe, you will set your FortiGate’s inspection mode to use flow-based scanning. You will then apply flow-based antivirus scanning to network traffic.
FortiGates can inspect traffic in proxy mode or flow mode. Proxy mode, the default, uses a proxy to look for threats. Proxy mode is usually preferred because, compared to flow mode, it offers more control and an improved user experience. In addition, some security profiles are only available in proxy mode, such as DNS filter, AntiSpam, DLP, and VoIP.
In some cases, however, you may want to use flow mode. Flow mode uses in-line IPS inspection instead of proxying. For example, some traffic may not be compatible with proxy mode or you may want to avoid using proxy mode for performance reasons.
Go to Dashboard and locate the System Information widget. If the Inspection Mode is set to the proxy (the default), click on [Change] and select Flow-based. If you are working with VDOMs enabled, go to System > VDOM and click Edit for the VDOM you want to change and select the Inspection Mode you would like to use.
The System Information widget shows that flow-based inspection is set.
Go to Security Profiles > AntiVirus. By default, the GUI only shows flow-based inspection options.
When configuring flow-based virus scanning FortiOS 5.4 allows you to now choose between Quick and Full mode.
Full mode is the same as flow-based scanning in FortiOS 5.2. Quick mode uses a compact antivirus database and advanced techniques to improve performance. Files can only be sent to FortiSandbox for inspection while in Full scan mode Flow-based virus scanning.
Go to Policy & Objects > IPv4 Policy and edit the policy for outgoing traffic. Under Security Profiles, enable the AntiVirus profile.
To test the AV scanning, go to www.eicar.org and attempt to download a test file. The browser will display a message denying permission to download the file.
For further reading, check out Changing the FortiGate’s inspection mode to flow or proxy and AntiVirus sections in the FortiOS 5.4 Handbook.