Fortinet white logo
Fortinet white logo

Administration Guide

Proxy mode stream-based scanning

Proxy mode stream-based scanning

In proxy mode, AV scanning is processed as follows:

Can the file be scanned by in-process scan?
  • This is determined by the WAD daemon.

  • In-process scan can be used for simple AV configurations to quickly scan a file without handing it off to another process.

  • The following, more complex feature sets cannot be processed by in-process scan:

    • AV engine AI scan
    • DLP
    • Quarantine
    • FortiGuard outbreak prevention, external block list, and EMS threat feed
    • Content disarm
Scan mode?
  • To configure the scan mode:

    config antivirus profile
        edit <name>
            set feature-set proxy 
            set scan-mode {default | legacy}
        next
    end

    default

    Enable stream-based scanning (default).

    legacy

    Disable stream-based scanning.

Is AV engine AI scan enabled?
  • When enabled, supported files (such as EXE, PDF, and MS Office) are forwarded to the scanunit scan.
  • AV engine AI scan is enabled by default. To disable it:
    config antivirus settings
        set machine-learning-detection disable
    end
Is the file supported by stream-based scan?
  • Stream-based scan supports the following archive file types: ZIP, GZIP, BZIP2, TAR, and ISO (ISO 9660).

  • In FortiOS 7.0, stream-based scan is supported in HTTP(S), FTP(S), and SCP/SFTP.

  • In FortiOS 6.4 and 6.2, stream-based scan is only supported in HTTP(S).

  • Stream-based scan does not support HTTP POST.

  • Stream-based scan is not supported when the following features are enabled:

    • DLP

    • Quarantine

    • FortiGuard outbreak prevention, external block list, and EMS threat feed

    • Content Disarm

  • If a file is not supported, it is buffered and sent to scanunit for scanning.

Is the file an oversized archive file?
  • An oversized archive file is a compressed file that is oversized according to the following setting:

    config firewall profile-protocol-options
        edit <profile>
            config <protocol>
                set oversize-limit <size>
            end
        next
    end
    
  • If the file is not oversized, it is buffered and sent to scanunit for scanning.

Notes

Stream-based scans:

  • Are performed with no oversize limits on a best effort basis.

  • Can inspect the contents of large archive files without buffering the entire file.

  • Decompress and scan the entire archive.

  • Can cache infected scan results and clean the scan results (this is enabled by default):

    config antivirus settings set cache-infection-result enable set cache-clean-result enable end

Legacy scan mode:

  • Used to disable stream-based scanning for troubleshooting purposes.

  • Limited by the oversize and uncompressed-oversize limits:

    config firewall profile-protocol-options
        edit <profile>
            config <protocol>
                set oversize-limit <size>
                set uncompressed-oversize-limit <size>
            end
        next
    end
    

TCP windows

Some file transfer applications can negotiate large TCP windows. For example, WinSCP can negotiate an initial TCP window size of about 2 GB.

The TCP window options can be used to prevent overly large initial TCP window sizes, helping avoid channel flow control issues. It allows stream‑based scan's flow control to limit peers from sending data that exceeds a policy's configured oversize limit.

To configure TCP window size options:
config firewall profile-protocol-options
    edit <string>
        config {http | ftp | ssh | cifs}
            set stream-based-uncompressed-limit <integer>
            set tcp-window-type {auto-tuning | system | static | dynamic}
            set tcp-window-size <integer>
            set tcp-window-minimum <integer>
            set tcp-window-maximum <integer>
        end
    next
end

{http | ftp | ssh | cifs}

  • http: Configure HTTP protocol options.

  • ftp: Configure FTP protocol options.

  • ssh: Configure SFTP and SCP protocol options.

  • cifs: Configure CIFS protocol options.

stream-based-uncompressed-limit <integer>

The maximum stream-based uncompressed data size that will be scanned, in MB (default = 0 (unlimited)).

Stream-based uncompression used only under certain conditions.).

tcp-window-type {auto-tuning | system | static | dynamic}

The TCP window type to use for this protocol.

  • auto-tuning: Allow the system to auto-tune TCP window size (default).

  • system: Use the system default TCP window size for this protocol.

  • static: Manually specify the TCP window size.

  • dynamic: Vary the TCP window size based on available memory within the limits configured in tcp‑window‑minimum and tcp‑window‑maximum.

tcp-window-size <integer>

The TCP static window size (65536 - 33554432, default = 262144).

This option is only available when tcp‑window‑type is static.

tcp-window-minimum <integer>

The minimum TCP dynamic window size (65536 - 1048576, default = 131072).

This option is only available when tcp‑window‑type is dynamic.

tcp-window-maximum <integer>

The maximum TCP dynamic window size (1048576 - 33554432, default = 8388608).

This option is only available when tcp‑window‑type is dynamic.

Proxy mode stream-based scanning

Proxy mode stream-based scanning

In proxy mode, AV scanning is processed as follows:

Can the file be scanned by in-process scan?
  • This is determined by the WAD daemon.

  • In-process scan can be used for simple AV configurations to quickly scan a file without handing it off to another process.

  • The following, more complex feature sets cannot be processed by in-process scan:

    • AV engine AI scan
    • DLP
    • Quarantine
    • FortiGuard outbreak prevention, external block list, and EMS threat feed
    • Content disarm
Scan mode?
  • To configure the scan mode:

    config antivirus profile
        edit <name>
            set feature-set proxy 
            set scan-mode {default | legacy}
        next
    end

    default

    Enable stream-based scanning (default).

    legacy

    Disable stream-based scanning.

Is AV engine AI scan enabled?
  • When enabled, supported files (such as EXE, PDF, and MS Office) are forwarded to the scanunit scan.
  • AV engine AI scan is enabled by default. To disable it:
    config antivirus settings
        set machine-learning-detection disable
    end
Is the file supported by stream-based scan?
  • Stream-based scan supports the following archive file types: ZIP, GZIP, BZIP2, TAR, and ISO (ISO 9660).

  • In FortiOS 7.0, stream-based scan is supported in HTTP(S), FTP(S), and SCP/SFTP.

  • In FortiOS 6.4 and 6.2, stream-based scan is only supported in HTTP(S).

  • Stream-based scan does not support HTTP POST.

  • Stream-based scan is not supported when the following features are enabled:

    • DLP

    • Quarantine

    • FortiGuard outbreak prevention, external block list, and EMS threat feed

    • Content Disarm

  • If a file is not supported, it is buffered and sent to scanunit for scanning.

Is the file an oversized archive file?
  • An oversized archive file is a compressed file that is oversized according to the following setting:

    config firewall profile-protocol-options
        edit <profile>
            config <protocol>
                set oversize-limit <size>
            end
        next
    end
    
  • If the file is not oversized, it is buffered and sent to scanunit for scanning.

Notes

Stream-based scans:

  • Are performed with no oversize limits on a best effort basis.

  • Can inspect the contents of large archive files without buffering the entire file.

  • Decompress and scan the entire archive.

  • Can cache infected scan results and clean the scan results (this is enabled by default):

    config antivirus settings set cache-infection-result enable set cache-clean-result enable end

Legacy scan mode:

  • Used to disable stream-based scanning for troubleshooting purposes.

  • Limited by the oversize and uncompressed-oversize limits:

    config firewall profile-protocol-options
        edit <profile>
            config <protocol>
                set oversize-limit <size>
                set uncompressed-oversize-limit <size>
            end
        next
    end
    

TCP windows

Some file transfer applications can negotiate large TCP windows. For example, WinSCP can negotiate an initial TCP window size of about 2 GB.

The TCP window options can be used to prevent overly large initial TCP window sizes, helping avoid channel flow control issues. It allows stream‑based scan's flow control to limit peers from sending data that exceeds a policy's configured oversize limit.

To configure TCP window size options:
config firewall profile-protocol-options
    edit <string>
        config {http | ftp | ssh | cifs}
            set stream-based-uncompressed-limit <integer>
            set tcp-window-type {auto-tuning | system | static | dynamic}
            set tcp-window-size <integer>
            set tcp-window-minimum <integer>
            set tcp-window-maximum <integer>
        end
    next
end

{http | ftp | ssh | cifs}

  • http: Configure HTTP protocol options.

  • ftp: Configure FTP protocol options.

  • ssh: Configure SFTP and SCP protocol options.

  • cifs: Configure CIFS protocol options.

stream-based-uncompressed-limit <integer>

The maximum stream-based uncompressed data size that will be scanned, in MB (default = 0 (unlimited)).

Stream-based uncompression used only under certain conditions.).

tcp-window-type {auto-tuning | system | static | dynamic}

The TCP window type to use for this protocol.

  • auto-tuning: Allow the system to auto-tune TCP window size (default).

  • system: Use the system default TCP window size for this protocol.

  • static: Manually specify the TCP window size.

  • dynamic: Vary the TCP window size based on available memory within the limits configured in tcp‑window‑minimum and tcp‑window‑maximum.

tcp-window-size <integer>

The TCP static window size (65536 - 33554432, default = 262144).

This option is only available when tcp‑window‑type is static.

tcp-window-minimum <integer>

The minimum TCP dynamic window size (65536 - 1048576, default = 131072).

This option is only available when tcp‑window‑type is dynamic.

tcp-window-maximum <integer>

The maximum TCP dynamic window size (1048576 - 33554432, default = 8388608).

This option is only available when tcp‑window‑type is dynamic.