In this recipe, you will set your FortiGate’s inspection mode to use flow-based scanning. You will then apply flow-based antivirus scanning to network traffic.
FortiGates can inspect traffic in proxy mode or flow mode. Proxy mode, the default, uses a proxy to look for threats. Proxy mode is usually preferred because, compared to flow mode, it offers more control and an improved user experience. In addition, some security profiles are only available in proxy mode, such as DNS filter, AntiSpam, DLP, and VoIP.
In some cases, however, you may want to use flow mode. For example, some traffic may not be compatible with proxy mode or you may want to avoid using proxy mode for performance reasons.
1. Changing from proxy to flow mode |
|
| Go to Dashboard and locate the System Information widget. If the Inspection Mode is set to the proxy (the default), click on [Change] and select Flow-based. |  |
| The System Information widget shows that flow-based inspection is set. |  |
2. Configuring the AntiVirus profile |
|
|
Go to Security Profiles > AntiVirus. By default, the GUI only shows flow-based inspection options. When configuring flow-based virus scanning FortiOS 5.4 allows you to now choose between Quick and Full mode. |
 |
|
Full mode is the same as flow-based scanning in FortiOS 5.2. Quick mode uses a compact antivirus database and advanced techniques to improve performance. |
|
3. Enabling AntiVirus in a policy |
|
| Go to Policy & Objects > IPv4 Policy and edit the policy for outgoing traffic. Under Security Profiles, enable the AntiVirus profile. |  |
4. Results |
|
|
To test the AV scanning, go to www.eicar.org and attempt to download a test file. The browser will display a message denying permission to download the file.
|
 |
For further reading, check out Changing the FortiGate’s inspection mode to flow or proxy and AntiVirus sections in the FortiOS 5.4 Handbook.
The post Inspecting traffic content using flow-based inspection appeared first on Fortinet Cookbook.