大萝卜's blog

   bu.cublog.cn
Antivirus failopen and optimization

FortiGate Antivirus Firewalls not only provide real-time virus threat response, but also have the flexibility to block files by type, block grayware or malware, and apply heuristics to traffic to detect emerging threats. See the FortiGate Administration Guide and the FortiGate CLI Guide for more information about FortiGate antivirus options.

This document describes antivirus failover and optimization features supported by FortiOS v2.80 MR8 and greater on the FortiGate 300A, 400, 400A, 500, 500A, 800, 800F, 1000, 3000, 3600, 4000 and 5000 series models.

Earlier maintenance releases of FortiOS v2.80 support failover and optimization on the FortiGate-3000, 3600, 4000, and 5000 series.

Using optimization and failsafes applied to the antivirus engines ensures continuous operation and virus protection.

Antivirus failopen

What is antivirus failopen?

Antivirus failopen is a safeguard feature that determines the behavior of the FortiGate antivirus system if it becomes overloaded in high traffic. The antivirus system operates in one of two modes, depending on available memory. If the free memory is greater than 30% of the total memory, the system is in non-conserve mode. If the free memory drops to less than 20% of the total memory, the system enters conserve mode. The system does not return to non-conserve mode until the free memory once again reaches 30% or more of the total memory.

There are three options for antivirus failopen.

  • off: If the FortiGate unit enters conserve mode, the antivirus system stops accepting new AV sessions.
  • one-shot: If the FortiGate unit enters conserve mode, all subsequent connections bypass the antivirus system. The administrator must change antivirus failopen to off or pass to restart antivirus scanning.
  • pass: Default setting. If the system enters conserve mode, connections bypass the antivirus system until the system enters non-conserve mode again.

There are currently 3 "events" that are passed to each proxy to tell the FortiGate unit to operate in fail-open mode:

  • The system is low on memory and has entered conserve mode.
  • The connection pool at the individual proxy is empty.
  • Both conditions exist at the same time.

In the tables, B = connection blocked, P = connection passed. With the first condition, low memory, the av-failopen setting is applied; see Table 1. The default for this setting is pass.

Table 1: av-failopen

                off   one-shot   pass
low memory      B     P          P

With the second condition (proxy connection pool reaches zero), the action depends on the av-failopen-session setting. There are two settings, enable and disable (default).

  • If av-failopen-session is enabled and the proxy connection pool reaches zero, the protocol reverts to the av-failopen setting, which is applied as in Table 1.
  • If av-failopen-session is disabled, all sessions are blocked for that proxy, regardless of the av-failopen setting. See Table 2.

Table 2: av-failopen-session

                off   one-shot   pass
enable          B     P          P
disable         B     B          B

Note: Each proxy calculates the size of its connection pool at startup, based on the installed memory of the FortiGate unit. On the FGT5001SX product, for example, when 2G of memory is installed, each proxy can handle around 9500 connections.

In the third scenario, both low memory and the connection pool reaching zero, the protocol reverts to the av-failopen setting and reacts accordingly; see Table 1.
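The following is an added model of the decision logic described above (it is not Fortinet code; the class and method names are my own). It encodes the 20%/30% conserve-mode hysteresis, the one-shot latch, and Tables 1 and 2, so the combined effect of av-failopen and av-failopen-session on a new connection can be checked for a given memory and connection-pool state.

```python
"""Model of the FortiGate antivirus failopen decision (added example, not Fortinet code)."""
from dataclasses import dataclass

CONSERVE_ENTER = 20.0  # free memory (% of total) below which conserve mode starts
CONSERVE_EXIT = 30.0   # free memory (%) at or above which non-conserve mode resumes


@dataclass
class AvState:
    av_failopen: str = "pass"           # off | one-shot | pass (default: pass)
    av_failopen_session: bool = False   # disabled by default
    conserve_mode: bool = False
    one_shot_tripped: bool = False      # set once conserve mode is hit under one-shot

    def update_memory(self, free_pct: float) -> bool:
        """Apply the hysteresis: enter at <20% free, leave only at >=30% free."""
        if not self.conserve_mode and free_pct < CONSERVE_ENTER:
            self.conserve_mode = True
        elif self.conserve_mode and free_pct >= CONSERVE_EXIT:
            self.conserve_mode = False
        if self.conserve_mode and self.av_failopen == "one-shot":
            # one-shot: bypass persists until the admin changes av-failopen
            self.one_shot_tripped = True
        return self.conserve_mode

    def table1(self) -> str:
        """Table 1 (av-failopen): off blocks; one-shot and pass bypass scanning."""
        return "B" if self.av_failopen == "off" else "P"

    def decide(self, pool_empty: bool) -> str:
        """Outcome for a new connection: 'B' blocked, 'P' passed unscanned, 'S' scanned."""
        low_mem = self.conserve_mode or self.one_shot_tripped
        if pool_empty and not low_mem:
            # Condition 2 alone: Table 2, i.e. block unless av-failopen-session is enabled
            return self.table1() if self.av_failopen_session else "B"
        if low_mem:
            # Condition 1 alone, or condition 3 (both): the av-failopen setting applies
            return self.table1()
        return "S"
```

Note that with av-failopen set to pass (the default), a unit in conserve mode forwards traffic without scanning, so alerting on conserve-mode log messages matters as much as the setting itself.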

When to use antivirus failopen

Use antivirus failopen if virus scanning is enabled and the FortiGate unit is handling large amounts of network traffic.

Use the one-shot option if you want to manually re-enable virus scanning after the unit enters conserve mode. Use the pass option if you want the FortiGate unit to automatically change from conserve to non-conserve mode and back based on the available free memory. You can enable logging and alert email to receive notification each time the FortiGate antivirus system enters conserve or non-conserve mode. See the FortiGate Administration Guide for configuration procedures and the FortiGate Log Message Reference Guide for log message descriptions.

How to configure antivirus failopen

Antivirus failopen is only available through the command line interface (CLI).

To enable antivirus failopen

  1. Log in to the FortiGate unit CLI.
  2. Enter the following command with the desired option.

    config system global
        set av-failopen {off | one-shot | pass}
    end

  3. Enter get system global to confirm the settings.

How to configure antivirus failopen session

Antivirus failopen session is only available through the command line interface (CLI).

To enable antivirus failopen session

  1. Log in to the FortiGate unit CLI.
  2. Enter the following command with the desired option.

    config system global
        set av-failopen-session {enable | disable}
    end

  3. Enter get system global to confirm the settings.

Optimize antivirus

What is optimize antivirus?

The optimize feature configures CPU settings to ensure efficient operation of the FortiGate unit for either antivirus scanning or straight throughput traffic. When optimize is set to antivirus, the FortiGate unit uses symmetric multiprocessing to spread the antivirus tasks to several CPUs, making scanning faster.

Note: These procedures are only available on the FortiGate-1000 and higher.

There are two options for optimize.

  • antivirus: The FortiGate unit spreads the antivirus scanning tasks across several CPUs (symmetric multiprocessing).
  • throughput: Default setting. The FortiGate unit uses a single CPU to process traffic.

When to use optimize antivirus

Use optimize antivirus if virus scanning is enabled and the FortiGate unit is handling large amounts of network traffic.

Use optimize antivirus in conjunction with antivirus failopen to ensure maximum efficiency and safeguard against system crashes if the system does become overloaded because of high traffic.

How to configure optimize antivirus

Optimize is only available through the command line interface (CLI).

To enable optimize antivirus

  1. Log in to the FortiGate unit CLI.
  2. Enter

    config system global
        set optimize antivirus
    end

    The following warning appears:

    This operation will reboot the system if the setting changes!
    Do you want to continue? (y/n)

  3. Type y.

    The system reboots.

  4. Log back in to the CLI and enter get system global to confirm the settings.

    Note: If you get the following message when you enter the optimize command, then this command is not available on the FortiGate unit:

    System has already been optimized for both antivirus and throughput. Command fail. Return code -56

To restore a configuration including optimize antivirus

If you are restoring a backed up configuration to the FortiGate unit, you must manually enable optimize antivirus through the CLI, even if the backup already includes this command.

After restoring the configuration, follow steps 1 through 4 above to enable optimize antivirus.

Posted: 2006-12-20, last modified: 2007-03-07 09:45. Viewed 1714 times, 0 comments.
