
Administration Guide

Proxy mode stream-based scanning

Stream-based scanning provides the following AV improvements over legacy scan mode:

  • Archive files (ZIP, GZIP, BZIP2, TAR, ISO) that exceed the oversize limit are uncompressed and scanned for infections.
  • The contents of large archive files are scanned without having to buffer the entire file.
  • Small files are scanned locally by the WAD daemon if only AV scanning is needed in the policy.
  • File filtering on HTTP/HTTPS is handled locally by the WAD daemon.

This means that the overall memory usage is optimized when an archive file is scanned, and better security is achieved by scanning archives that would otherwise be bypassed.

However, stream-based scanning has limitations on the more complex features that it can scan. For the following features, traffic will be automatically handed off to the scanunit daemon for scanning (as in the case of legacy mode):

  • Heuristic AV scan
  • DLP
  • Quarantine
  • FortiGuard outbreak prevention and external block list
  • Content disarm

To configure the scan mode:
config antivirus profile
    edit <name>
        set feature-set proxy 
        ...
        set scan-mode {default | legacy}
    next
end

TCP windows

Some file transfer applications can negotiate large TCP windows. For example, WinSCP can negotiate an initial TCP window size of about 2GB.

The TCP window options can be used to prevent overly large initial TCP window sizes, helping to avoid channel flow control issues. They also allow stream-based scanning's flow control to stop a peer from sending more data than the policy's configured oversize limit allows.

To configure TCP window size options:
config firewall profile-protocol-options
    edit <string>
        config {ftp | ssh}
            ...
            set stream-based-uncompressed-limit <integer>
            set tcp-window-type {system | static | dynamic}
            set tcp-window-size <integer>
            set tcp-window-minimum <integer>
            set tcp-window-maximum <integer>
            ...
        end
    next
end

{ftp | ssh}

  • ftp: Configure FTP protocol options.

  • ssh: Configure SFTP and SCP protocol options.

stream-based-uncompressed-limit <integer>

The maximum uncompressed data size, in MB, that stream-based scanning will inspect (default = 0, which means unlimited).

Stream-based uncompression is used only under certain conditions.

tcp-window-type {system | static | dynamic}

The TCP window type to use for this protocol.

  • system: Use the system default TCP window size for this protocol (default).

  • static: Manually specify the TCP window size.

  • dynamic: Vary the TCP window size based on available memory within the limits configured in tcp‑window‑minimum and tcp‑window‑maximum.

tcp-window-size <integer>

The TCP static window size (65536 - 33554432, default = 262144).

This option is only available when tcp‑window‑type is static.

tcp-window-minimum <integer>

The minimum TCP dynamic window size (65536 - 1048576, default = 131072).

This option is only available when tcp‑window‑type is dynamic.

tcp-window-maximum <integer>

The maximum TCP dynamic window size (1048576 - 33554432, default = 8388608).

This option is only available when tcp‑window‑type is dynamic.
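The following is a complete worked configuration that ties the two sections above together, added here as an example and not taken from the original page: an antivirus profile in proxy mode with stream-based scanning, a protocol options profile that caps the SSH and FTP TCP windows below the oversize limit, and a firewall policy that applies both. The profile names, policy ID, interface names, the 10 MB oversize limit, the 100 MB uncompressed limit and the per-protocol `av-scan` syntax (FortiOS 7.x style) are assumptions for illustration.

```text
# Added example, not from the original page. Names, IDs, interfaces and limits are assumed.

# 1. AV profile: proxy feature set with stream-based scanning (scan-mode default).
config antivirus profile
    edit "av-stream"
        set feature-set proxy
        set scan-mode default
        config ftp
            set av-scan block      # assumed 7.x syntax; enables AV on FTP
        end
        config ssh
            set av-scan block      # assumed 7.x syntax; enables AV on SFTP/SCP
        end
    next
end

# 2. Protocol options: bound the TCP window so a peer cannot push more
#    unacknowledged data than the oversize limit before the proxy can react.
config firewall profile-protocol-options
    edit "proto-stream"
        config ssh
            set options oversize                      # block files over oversize-limit
            set oversize-limit 10                     # MB (assumed value)
            set stream-based-uncompressed-limit 100   # MB of uncompressed data to scan (assumed)
            set tcp-window-type dynamic               # size window from available memory ...
            set tcp-window-minimum 131072             # ... never below 128 KiB
            set tcp-window-maximum 1048576            # ... never above 1 MiB, well under 10 MB
        end
        config ftp
            set options oversize
            set oversize-limit 10
            set tcp-window-type static                # fixed window regardless of memory
            set tcp-window-size 262144                # 256 KiB
        end
    next
end

# 3. Policy: proxy inspection is required for stream-based scanning; SSH deep
#    inspection (the built-in "deep-inspection" profile) is required to see SFTP/SCP payloads.
config firewall policy
    edit 10
        set name "sftp-ftp-out-scan"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "SSH" "FTP"
        set inspection-mode proxy
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set av-profile "av-stream"
        set profile-protocol-options "proto-stream"
    next
end

# 4. Verify the stored values (tcp-window-size is not shown for ssh because the
#    type is dynamic; tcp-window-minimum/maximum are not shown for ftp because it is static).
show firewall profile-protocol-options proto-stream
```

The dynamic maximum of 1 MiB for SSH is deliberately far below the 10 MB oversize limit: with WinSCP-style initial windows of about 2 GB, the peer could otherwise have most of an oversized file in flight before the proxy's flow control could stop it. The static 256 KiB window for FTP is the documented default value and trades a little throughput for predictable memory use per session.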
