
DO NOT REPRINT

FORTINET

Antivirus & Conserve Mode

In this lesson, we will show you how to use antivirus scanning on a FortiGate.
Since antivirus scanning is one of the features that, depending on your configuration
and chosen signature database, can use significant RAM, we will also show you how
to resolve conserve mode.


After completing this lesson, you should have these practical skills. Not only will you
be able to configure antivirus, but you should have a better understanding of how
virus scanning works, along with knowledge of some tools to help you optimize
memory usage on your FortiGate.


How old are viruses? In 1949, John von Neumann gave lectures at the University of
Illinois about what he called self-replicating automata. On ARPANET, the precursor
to the Internet, the first virus, named Creeper, was detected in 1971.
Since then, malicious software has evolved into many types. Technically, although
we often refer to all malware as viruses, not every piece of unwanted software
behaves like a virus: malware is not always self-replicating, and sometimes users
willingly install it. To include viruses, worms, Trojans, spyware and all others, we now
use the term malware.
Malware can be divided into 2 major types:
viruses, which infect the computer and spread on their own (generally via an exploit),
such as Flash ad banners whose binaries contain buffer overflow code
grayware, which requires some kind of user interaction but convinces the user that the
benefit outweighs the cost, such as browser toolbars that also track the user's
activity and insert their own ads into web pages


Within the category of viruses, there are 2 important subtypes:
Trojans, such as Zeus, which, like the literary Trojan horse, trick users into letting down their
defenses and installing them, and then often use the network to spread via email or
instant message.
Worms, such as Conficker and Code Red, which spread by connecting to open ports on
the network and exploiting misconfigurations or other vulnerabilities in those
daemons.
A Trojan can infect the same host multiple times, but that happens when another
copy arrives from an external source. The local copy of the software does not try to
re-infect the computer.
Are all viruses malicious? By definition, yes. But some white hat hackers and
academics have written beneficial worm-like software. It spreads via the same
exploits, but then cleans infections and/or patches the host. For example, Creeper
was followed by Reaper, which removed Creeper from infected systems.


Regardless of how the virus spreads, once installed, a virus is malicious in some way.
What makes it malicious? Its behavior. (This is one of the reasons, by the way, that
security analysts use sandboxing such as FortiSandbox to discover new viruses.
Looking at which C functions a virus contains, for example, cannot find all viruses.
A forensics lab must see which functions actually execute, and what the effects are.)
Most people are familiar with spyware, adware, and rootkits. Malware could also be:
Ransomware, such as the CryptoLocker worm, is fairly new. The software holds the
computer hostage, often encrypting critical user data with a password or secret key,
until the victim pays the extortionist.
Key loggers record keystrokes and return them to a remote location, including
administrator logins and personal email addresses for executives.
Mass mailers transform computers into open relay mail servers for the botnet, often
managed via remote command and control, sending spam for hire. These are often
operated by organized crime syndicates.


Just as viruses have evolved many vectors for spreading, they also have evolved
many techniques for evading antivirus engines and manual analysis.
Viruses can encrypt their payloads, or change the exact code. As a result, when
comparing a signature to the binary sample, the two aren't an exact, bit-by-bit match.
So in order to detect the virus, the engine must be able to either:
match flexibly, or
ignore the changeable parts of the code, and match only based on the polymorphic
or metamorphic engine.


Now that you know some different ways that viruses spread and evade detection,
what are some methods that FortiGate uses to find and block them?


At the host level, host-based antivirus software such as FortiClient helps. But host-based
antivirus can't be installed on routers. Guest Wi-Fi networks and ISP
customers also might not have antivirus software installed. So how can you protect
them? And how can you protect your own network from these botnets?
The solution is to implement antivirus in your network security on your FortiGate.
Just as viruses have many ways to try to avoid detection, FortiGate has
many techniques that it can use to detect them. Let's explain each method.


The first, fastest, simplest way to detect malware is if it exactly matches a signature.
Grayware is not technically a virus; remember, it is often bundled with innocuous
software, but it does have unwanted side effects, so it is categorized as malware.
Often, grayware can be detected this way, with a simple FortiGuard Antivirus
signature.
But for the reasons we just described, viruses usually cannot be detected this way.


What is another way that FortiGate can use to detect viruses? It can look for
attributes that viruses usually have; in other words, it can apply heuristics.
Heuristics are based on probability, so they increase the possibility of false positives,
but they also can detect zero-day viruses: viruses that are new and unknown, for
which no signature exists yet. That is the tradeoff. If your network is a frequent
target for virus writers, enabling heuristics may be worth the performance cost,
because it can help you to detect a virus before the outbreak begins.
By default, when the antivirus scan's heuristic engine detects a virus-like
characteristic, it will log the file as suspicious but will not block it. Suspicious files
can be treated differently from a positive match with a virus or grayware signature:
you can choose whether to block or allow suspicious files.
When should you disable heuristic blocking, versus configuring the antivirus scan to only
log detections?
Windows operating system updates often modify the registry. However, viruses often do this,
too. So, for example, you might configure heuristic scans to only log for Windows
updates, but block suspicious behavior in all other connections.


Remember, if the antivirus scan's heuristic engine finds a suspicious file, it may not
always be a virus. So you might want to configure a separate action for it, or a
separate policy where heuristics is disabled for connections that you know will trigger
false positives.
To configure the action that FortiGate will take if the scan finds a suspicious file, use
these CLI commands.


What if heuristics is too uncertain? What if you need a more sophisticated, more
certain way to detect malware, and to find zero-day viruses?
You can integrate your antivirus scans with FortiSandbox. For environments that
require more iron-clad certainty, FortiSandbox executes the file within a protected
environment, then examines the effects of the software to see if it is dangerous.
For example, let's say you have 2 files. Both alter the system registry, and are
therefore suspicious. One is a driver installation, whose behavior is normal, but the
second file installs a virus that connects to a botnet command and control server.
Sandboxing would reveal the difference. Then, you can submit a sample of the new
virus to FortiGuard security researchers, and quickly receive and deploy a
FortiGuard Antivirus or IPS update to defend your network against this new threat.


In order for FortiGate to sandbox files, it must be able to send them to either a
FortiSandbox device or a FortiCloud sandboxing account.
What is the primary difference between the two?
FortiCloud has limits imposed on the amount of data that can be transmitted. Each
account has a quota.
FortiSandbox limitations vary by the model's capabilities.
On FortiSandbox, you also must configure it to accept input from your FortiGate or
FortiMail.


Whether you use FortiSandbox to discover new viruses, or one is discovered by your
own security team, the next step is to develop a signature to detect it so that your
FortiGates can begin to block it.
New viruses can be submitted to FortiGuard's security research team manually or
automatically, via FortiSandbox or FortiCloud Sandbox.
If you want to submit a new virus manually, go to the FortiGuard web site. Upload the
file for scanning. If the virus does not currently exist in any of the FortiGuard
Antivirus databases, the web site will report it as being "clean". You will then have
the option to submit the sample to FortiGuard analysts. They will develop a signature
for it, as well as engine modifications (if necessary), and this will be in the next
update that your FortiGate and FortiMail devices download from FortiGuard.
In addition to protecting your own network, this obviously also helps to ensure that
others' networks won't be infected either. By being part of a united security
community, you can help to stop botnets from growing into large threats. This has
benefits for you, and not just your neighbors. If your neighbors aren't infected, your
network won't need to spend as much CPU, RAM, and bandwidth on fighting spam,
worms, DDoS attacks, and other threats.


Now that we've discussed the types of scans, let's talk about the engines that use
them. They don't behave the same way.
FortiGate has traditional proxies, which break up each session into particular states
that it analyzes, but it can also analyze traffic as a more continuous packet flow.
Let's discuss how to choose between those two types of engine.


One of the factors when choosing an antivirus engine is speed. Software that is
installed on endpoints, such as FortiClient, can usually schedule scans for later, pause
the current scan, or scan only with spare CPU cycles when the computer is idle. In
other words, time is not a factor.
But on a network device, this is not possible.
FortiGate must scan quickly to avoid a session or connection timeout. FortiGate will
allow up to 30 seconds for a scan to complete. If it takes longer than that, then a
process called a watchdog terminates the scan, and allows the traffic to pass. Also,
FortiGate creates an event log saying that scanunit crashed with a Signal 14. It's
not a real crash (it's not abnormal behavior, exactly), but because the scan is
terminated before completing, from the software's perspective that's technically a
crash, so the event log records it as one.
As you can see, speed is an important factor in network antivirus scans. With that in
mind, let's consider the two engines.


Depending on the protocol, FortiGate may be able to use either:
an implicit proxy, or
an explicit proxy, that is, a proxy that clients must indicate they want to use.
Usually, you'll use an implicit proxy. Clients connect through the proxy's IP, not to
it. As long as traffic is routed through FortiGate, the proxy transparently intercepts that
traffic, without configuring the clients.
Each proxy parses that protocol's commands. Traffic usually must arrive on the
expected port, and conform to the specification. (A proxy cannot scan a protocol that
it does not listen for, or understand.) For example, in an SMTP session, an SMTP
proxy knows each valid stage: the client uses the MAIL FROM: command to specify
the sender, RCPT TO: for the recipient, DATA for the message, etc. When scanning
for viruses, the SMTP proxy knows that the DATA command carries the part that may
contain a virus payload, and passes that data to a scanunitd child process.
Especially for larger files, this can add noticeable latency: FortiGate must buffer the
entire file (or wait until the oversize limit is reached) before scanning. So if your
file limit is large, consider the setting Comfort Clients. While buffering the file, the
proxy will slowly retransmit some data until it can complete the buffer and finish the
scan. This prevents a connection or session timeout. What's the disadvantage? Very
small viruses in the first bytes could infect the client before the scan result is
available. Disable client comforting if very high security is required.


What is another way to reduce latency? Use the flow-based engine instead.
It doesn't analyze sessions in discrete protocol stages. The flow-based engine scans
the packets as a continuous stream, looking for viral payloads regardless of
surrounding protocol details. Depending on your model, some flow-based operations
may be performed by a specialized FortiASIC chip, further improving performance.
But flow-based scans can't support all features that proxy-based scans can.
The flow-based engine doesn't operate according to the rules of the protocol. This
means that even if the scan later detects a virus, the flow-based engine may have
already forwarded packets where it should have inserted a block message. So the
client may think it is a network error, and try again. Also, much like a proxy with client
comforting enabled, the flow-based engine forwards packets at the same time as
scanning the payload. The result? The client may already have received most of a
virus by the time that the scan drops the connection. As with client comforting, if
your environment requires very high security, you may want to avoid this option.
Regardless of which engine you use, the scan techniques will give similar detection
rates. How can you choose between the scan engines? If performance is your top
priority, then flow-based is more appropriate. If security is your priority, proxy-based
with client comforting disabled is more appropriate.


Both engines buffer up to your specified file size limit. The default is 10 MB. It's large
enough for most files except movies. If your FortiGate model has more RAM,
though, you may be able to increase this threshold.
Without a limit, very large files could exhaust scan memory. So this threshold
balances risk vs. performance. Is this tradeoff unique to FortiGate, or to a specific
model? No. Regardless of vendor or model, you must make a choice. This is due to
the difference between scans in theory, which have no limits, and scans on real-world
devices, which have finite RAM. In order to detect 100% of malware regardless of file
size, a firewall would need infinitely large RAM, something that no device has in the
real world.
Most viruses are very small. So, percentage-wise (unless many viruses are Trojans
appended to the very end of a large file), changing this value doesn't impact security
very much. This table shows a typical tradeoff. You can see that even with a 5 MB
threshold, only 0.14% of spyware passes through. But after billions of packets,
several hosts may require disinfection.


So what is the recommended buffer limit? It varies by model and configuration.
Adjust oversize for your unique network for optimal performance. A smaller buffer
minimizes proxy latency and (for both engines) RAM usage, but may allow
viruses to pass through undetected. With a buffer that's too large, clients may
notice transmission timeouts. Balance the two.
If you aren't sure how large of a buffer you need, temporarily enable oversize-log to
see whether oversized files are frequent, and whether the large files are important to allow.
Files that are too large for the maximum buffer size cannot be completely scanned.
And the default is to allow such files to pass. This is because large files are often
harmless, and many networks have antivirus software installed on endpoints, so this
minimizes unnecessary help desk calls. But if you require a very secure
environment, or if your endpoints have no antivirus software, you can change this
setting on a per-protocol basis so that FortiGate blocks oversized files.
If oversized files are blocked, then your endpoints are safe. You won't need the logs
about oversize files for forensics. So you may be able to improve performance
slightly by disabling oversize-log.


Relatedly, large files are often compressed. From the scan's perspective, this is light
encryption: it won't match signatures. So FortiGate must decompress the file in order
to scan it.
When decompressing, FortiGate must first identify the compression algorithm. Some
archive types can be correctly identified using only the header. Also, FortiGate must
check whether the file is password-protected. If the archive is protected with a
password, FortiGate can't decompress it, and therefore can't scan it.
FortiGate then decompresses files into RAM. Just like other large files, this buffer
has a maximum size: uncompress-oversize-limit. Increasing this limit may decrease
performance, but allows you to scan larger compressed files.
If an archive is nested (for example, if an attacker is trying to circumvent your scans
by putting a ZIP file inside a ZIP file), FortiGate will try to undo all layers of
compression. By default, FortiGate will attempt to uncompress and scan up to 12
layers deep, but you can configure it to scan up to 100 layers deep. Often, you
shouldn't increase this setting, though. It increases RAM usage, and if a file is
repeatedly compressed more than 12 times, it is almost always a virus anyway.
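The buffer limit, oversize action, oversize logging, client comforting and decompression limits described on the last three slides all live in one protocol options profile. The following FortiOS CLI fragment is an added example, not from the original course material; it assumes FortiOS 5.x keyword spellings (oversize-limit, uncompressed-oversize-limit, uncompressed-nest-limit, options oversize), a profile name "av-proxy-strict" chosen here, and that lines starting with # are treated as comments, so verify each keyword against the CLI reference for your firmware.

```fortios
config firewall profile-protocol-options
    edit "av-proxy-strict"
        # Log oversized files while you are still sizing the buffer. Turn this off
        # later if you decide to block oversized files: the log adds little then.
        set oversize-log enable
        config http
            # Scan HTTP on the standard port and a common alternate port.
            set ports 80 8080
            # "oversize" blocks files larger than oversize-limit instead of passing
            # them (the default). "clientcomfort" is deliberately left out, because
            # comforting sends unscanned bytes to the client before the verdict.
            set options oversize
            # Buffer limit in MB (default 10). Raise it only if the model has spare RAM.
            set oversize-limit 10
            # Limits for archives expanded into RAM: size in MB and nesting depth.
            # Keep the depth at the default 12; deeper nesting is itself suspicious.
            set uncompressed-oversize-limit 10
            set uncompressed-nest-limit 12
        end
        config smtp
            set ports 25
            set options oversize
            set oversize-limit 10
            set uncompressed-oversize-limit 10
            set uncompressed-nest-limit 12
        end
    next
end
```

If you keep the default of passing oversized files, leave oversize-log enabled so that the files that bypassed scanning remain visible for forensics.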


Let's review briefly.
If the buffer is full, the antivirus scan has a simple behavior. FortiGate will, depending
on your setting, either block or pass the file.
Since FortiGate doesn't have the entire file, it would be impossible to determine
whether or not the file contains a virus.


If the file has been completely transmitted, that is, FortiGate reaches the byte that
marks the end of the file (EoF), then FortiGate decompresses the file (if applicable)
and uses these scans, in this order.
The virus scan is first, because the results have high certainty and the computations
are fast. Heuristics, which are less certain, are applied last.


If you consider all of the settings together, this is the complete decision tree that
FortiGate uses for antivirus scans.


When an attacker releases a new virus into the wild, as with all antivirus software,
your FortiGate must be updated with a matching signature so that it can detect it.
Most organizations don't have the personnel to dedicate to writing antivirus
signatures, 24 hours a day, 7 days a week. Even if you do, it is usually beneficial to
share security knowledge and workload. A FortiGuard Antivirus service contract
provides your FortiGate with access to the latest signatures and detection engines
from Fortinet's security research team.


You can update your FortiGate's antivirus signatures and engines via either push,
pull, or both methods. (If temporary packet loss, for example, interferes with the push
method, also enabling pull as a backup method helps to ensure that your FortiGate
will not miss any updates.)
Regardless of which method you select, virus scanning must be enabled in at least
one firewall policy. Otherwise, FortiGate will not download any updates.
Alternatively, you can download packages from the Fortinet Technical Support web
site, and then manually upload them to your FortiGate.


diagnose autoupdate status shows your automatic update options, just like
System > Config > FortiGuard does on the GUI.


It's worth noting that there is an additional feature of the FortiGuard Antivirus service:
when FortiGate detects connections from infected computers to a botnet's command
and control servers (sometimes this is an IRC channel, or sometimes a
darknet web server), FortiGate can block those connections. The setting is in the
antivirus profile.
The FortiGuard security research team compiles and maintains a list of known botnet
command and control server IP addresses. FortiGate downloads this via FortiGuard
Antivirus and IPS updates.


Multiple FortiGuard Antivirus databases exist. Support varies by FortiGate model.
All FortiGate devices have the regular database, which only contains signatures for
viruses that are in the wild, that is, viruses detected in recent months or submitted
by Fortinet users and partners. It is the smallest database, and therefore results in
the fastest scans, but does not detect all known viruses.
Some models support the extended database, which also detects viruses that have not
been detected for some time. Vulnerable platforms are still common, and/or these
viruses could be an issue later due to portable hard disks, periodic connectivity, and
other reasons.
The most powerful models and FortiClient support the extreme database. It is
intended for high security environments, and detects all known viruses, including those for
legacy operating systems such as DOS, Windows 3.x, Windows 95, Windows 98, and so
on.


Via the CLI, you can choose which database your FortiGate will use.


Once you have chosen an antivirus database, in order to use antivirus scans, you'll
also need to configure an antivirus profile. These profiles contain settings for the
inspection mode (that is, the proxy-based or flow-based engine), and define what
FortiGate should do if it detects an infected file.
Proxy options also specify the proxies' listening port numbers for various
unencrypted protocols. You can scan HTTP, for example, even if the connection
doesn't occur on the IANA standard TCP port 80.
But what about encrypted protocols? Encryption is a popular method for attackers to
circumvent security. So as you would expect, FortiGate can scan encrypted
protocols. But that isn't configured here.
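The heuristic action (the CLI commands the suspicious-file slide refers to), the database choice and the antivirus profile from this slide, collected into one FortiOS CLI fragment. This is an added example, not course material; it assumes FortiOS 5.x keywords (config antivirus heuristic, default-db, inspection-mode, av-block-log, av-virus-log), a model that supports the extended database, a profile name "av-strict" chosen here, and # comment lines, so check each keyword against your firmware's CLI reference.

```fortios
config antivirus heuristic
    # pass (the default) logs suspicious files without blocking them,
    # block stops them, disable turns heuristics off entirely.
    # Use a separate firewall policy and profile for sources that trigger
    # false positives (for example Windows update traffic) rather than
    # weakening this global setting.
    set mode block
end
config antivirus settings
    # normal = regular in-the-wild database (every model); extended and extreme
    # need a model with enough RAM. Grayware is detected by plain signatures.
    set default-db extended
    set grayware enable
end
config antivirus profile
    edit "av-strict"
        # proxy holds the whole file until the verdict is known; flow-based
        # forwards while scanning, which trades certainty for speed.
        set inspection-mode proxy
        # Log both blocked-file events and virus detections so empty logs
        # really mean "nothing found" rather than "nothing recorded".
        set av-block-log enable
        set av-virus-log enable
        config http
            set options scan
        end
        config smtp
            set options scan
        end
    next
end
```

The profile only takes effect once a firewall policy selects it, which is also what allows FortiGuard signature downloads to proceed.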


For secure protocols (HTTPS, FTPS, etc.), the proxies are configured in a different
profile type: the so-called SSL inspection profiles.
Encrypted protocols can be inspected to a greater or lesser extent, depending on
what you select.
SSL Certificate inspection only validates certificate information, such as the issuing
CA. This type cannot inspect the contents of the traffic, which are inside the
encrypted payload.
Full SSL Inspection validates the certificate, but also decrypts the payloads for
antivirus scanning. Because this method uses an authorized man-in-the-middle
(MITM) attack, clients will detect the inspection. Users may need to either override
the SSL validation failure, or install your CA certificate.
Certificate-based inspection is described in detail in another lesson.


Virus scanning statistics can be found on the FortiGate dashboard, on the Advanced
Threat Protection Statistics widget.
If your FortiGate is submitting files for sandboxing, then it keeps statistics about the
number of files submitted, and the results of those scans. These statistics are
separate from files that are scanned locally on the FortiGate.


When the antivirus scan detects a virus, by default, it creates a log about what virus
was detected, and by which method. It also provides a link to more information on
the FortiGuard web site.


If the antivirus logs are empty, this doesn't mean your network has no outbreak.
Earlier, we showed how FortiGate can pass a file if it is too large for scan buffers, is
password-encrypted, or has too many layers of nested compression. Logging can be disabled
for those. We also explained the flow-based engine, and client comforting by the
proxy-based engine. Even if FortiGate detected a virus and reset the connection,
some or all of the virus could have been transmitted before then. And when choosing
an antivirus database, we said that if you trade some security for better performance,
some viruses may pass through. We also explained zero-day exploits.
If any of that happens, how can you submit a sample of a suspected virus, or get
information on how to disinfect those hosts?
Visit the FortiGuard web site, http://www.fortiguard.com.
In the example here, this antivirus signature is only in the extended database for
FortiClient. What does this mean? Unless you have a FortiGate model that can use
the extreme database, and you have enabled it, your firewall would not have been
able to detect that specific virus. If you have vulnerable Android hosts, and
FortiClient was installed, they would have been safe. But if they were not protected,
you would need to apply the recommended action to disinfect them.


If your antivirus scans are not functioning as you expect, where should you begin
troubleshooting?
Verify that FortiGuard updates are enabled, and that you have selected antivirus
profiles in your firewall policies. Updates won't occur if there is no firewall policy that
uses them, and antivirus scans won't occur unless a firewall policy applies them.
If automatic updates are enabled, the next thing to examine is whether those
scheduled update requests are succeeding. For that, use the command diagnose
autoupdate version.
It shows details about the antivirus engine and databases, IPS engine and
definitions, geography-to-IP mappings database, and other features.
It also shows your FortiGuard contract status (FortiGate won't be able to download
updates if it's not authorized) and when the last update was attempted, and
succeeded.


Both manual and automatic updates to FortiGuard packages trigger FortiGate to
check if the version is newer. If the version available is equal to or less than the
version installed, then to prevent accidental downgrades, it will not apply the update.
To turn off the version check, you can use this command with the enable flag. If a
specific signature is causing false positives, you can use this command to
temporarily disable the version check, and revert the database. After you have
resolved the issue with Fortinet Technical Support, make sure to run this command
again, but with the disable flag instead.


If your FortiGate's RAM usage is high, the next thing to examine is the event log.
Look for messages about conserve mode. Conserve mode occurs when FortiGate
does not have enough RAM available to properly handle traffic.
UTM such as antivirus does not need to be enabled for conserve mode to occur, but
UTM inspection does increase memory usage beyond simple firewall policies. In
other words, conserve mode is more likely when antivirus or IPS is enabled. You
can determine whether antivirus is using much of the memory by running the
command diagnose sys top.
There are a few categories of RAM conservation. Let's show the difference.


Kernel conservation mode is when FortiOS itself does not have enough
memory available. There's no single cause, but it could be processes
simultaneously opening too many files, too much information on the stack, etc.
System conservation mode indicates a lack of RAM for processes and daemons
such as miglogd. The threshold is whenever the overall memory usage reaches
about 80%. Once triggered, FortiGate will not exit this mode until memory usage has
dropped by 10%, to approximately 70%.
Proxy conservation mode is when the transparent UTM proxy runs out of available
sockets. The maximum number of proxied connections varies by model.
In kernel conservation, the behavior is not configurable. It is a critical lack of RAM.
But behavior for system and proxy RAM conservation is configurable. Let's see the
settings that you can use.


av-failopen is the CLI setting that controls FortiGate's behavior while it is in system
conserve mode.
Depending on your configuration and traffic types, each option may be more or less
effective at freeing RAM.


If av-failopen-session is enabled, then FortiGate will act according to the av-failopen
setting. Otherwise, by default, it will block new sessions until RAM becomes
available.


During kernel conservation mode, FortiGate attempts to reclaim memory that is not
in use.
In an operating system, when a process releases memory, it is not immediately
reclaimed. There is a garbage collector memory daemon that periodically finds
unused pointers. As part of this process, FortiGate drops any sessions that the proxy
considers idle.
While FortiGate is in this type of conserve mode, all new sessions will pass through
the FortiGate without any UTM inspection, because the operating system does not
have enough memory to do so.


Because logging itself requires some RAM, depending on the type of conserve
mode, log messages may not always immediately appear. Kernel conserve mode
especially may not appear easily.
Creating a log entry takes up memory. While in conserve mode, your FortiGate's
operating system is doing everything possible to prevent RAM usage from
increasing. Trying to create a log entry while conserve mode is active would be
counterproductive.
If your FortiGate is in one of the three conserve modes, how can you correct it?


This shows the shared memory diagnostic. It indicates what type of conserve mode
(if any) your FortiGate is in. It also provides a quick summary of how much shared
memory is being used on your FortiGate.
The antivirus database is one of the things on your FortiGate that uses shared
memory, so if this is very high, you can try to solve the problem by switching from the
extended signature database to the regular database, for example.
Notice that this command doesn't show kernel conserve mode, however. How can
you determine how much kernel memory is used?


diagnose firewall iprope state has a section right at the beginning with an entry for
av_break.
Normally, the av_break option will be pass/off. But if FortiGate is currently in kernel
conserve mode, this command will show av_break=pass/pass. If this is very
common, and you've checked your configuration, you may need to examine the
traffic levels and protocol types. Your network may have grown or changed in
important ways, and need a more powerful model capable of supporting the added
or changed traffic.
Much of the other output of this command is dictated by the settings for av-failopen
and av-failopen-session, and will change based on the configured options.
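The conserve mode settings and checks from the last few slides, assembled as an added example rather than course material: the weak av-failopen choice beside a stricter one, followed by the diagnostics used to see which conserve mode (if any) is active. It assumes FortiOS 5.x keywords, that diagnose hardware sysinfo shm is the shared memory diagnostic the slide refers to, and that # lines are comments; confirm them against your firmware's CLI reference.

```fortios
# Weak setting: while in system conserve mode, every new session is passed
# with no antivirus inspection at all, so an outbreak under load goes unseen.
config system global
    set av-failopen-session enable
    set av-failopen pass
end

# Stricter setting: reclaim RAM by dropping sessions the proxy considers idle,
# and keep inspecting the rest. "off" instead blocks new sessions until RAM
# is available, and "one-shot" lets only the current session through unscanned.
# Kernel conserve mode is not affected by either value.
config system global
    set av-failopen-session enable
    set av-failopen idledrop
end

# Checks, in the order the slides suggest:
# which processes hold memory (press q to leave the interactive view),
diagnose sys top
# whether shared memory has tripped system or proxy conserve mode, and how
# much of it the antivirus database is consuming,
diagnose hardware sysinfo shm
# and av_break, where pass/pass means kernel conserve mode is active.
diagnose firewall iprope state | grep av_break
```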


To review what we discussed, here is a list. We showed:
Some different malware terminology and what it means
The different types of scanning that can be enabled on a FortiGate
Sandboxing and how it can be used
Blocking botnet connections
The difference between proxy-based and flow-based virus scanning
The different antivirus databases
The behavior of oversized files
The order of operations within the virus scanning engine
How to handle an undetected piece of malware
Some details about virus scanning of encrypted traffic
How to read virus detection logs
What conserve mode is
Some of the memory diagnostics that are available on a FortiGate
