FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Andy_G
Staff
Staff
Article Id 196816

Description

 

This article describes the maximum allowed file size for virus scanning on FortiGates in v6,v7.0,v7.2

Changing the maximum allowed file size.

On mid- to low-end FortiGates, the maximum file size for scanning in memory (maximum oversize threshold) is 10% of FortiGate's RAM.
The remaining RAM is reserved for system use. FortiGates automatically calculates the maximum oversized threshold for virus scanning.

On Fortiproxy try to keep the maximum over-size limit in MBs but not in GBs as PFX is not designed to buffer the GBs of data in a single session.
 
On VM the oversize maximum memory threshold is calculated based on VM platform memory. In most cases default 10Mb size is enough to scan a single session if the maximum over-size limit in GBs or higher then issues like file blocking, and rerunning empty pages of URLs may occur.

It is possible to display the maximum oversize threshold of a unit from the CLI, by entering 'set oversize-limit ?'.
As an example of a FortiGate-60D model with 1839 MB of total RAM:
 
config firewall profile-protocol-options
    edit [profile]
        config [service]
            set oversize-limit ?
           [value] maximum scannable filesize (min: 1MB, max: 183MB)

   Where:

[service] is FTP, HTTP, im, IMAP, nntp, mapi, pop3, or SMTP.
[profile] could be a custom profile, or the default one.

Proxy options provide the possibility to apply a maximum in-memory file size that will be scanned, in megabytes, for each of the network protocols (FTP, HTTP, im, IMAP, nntp, mapi, POP3, or SMTP) in the profile.

In FortiOS versions up to 5.2.0 inclusive, for FortiGates that support SSL, a maximum file size can be configured for HTTPS, imaps, pop3s, SMTPS, and FTPS. In FortiOS v5.2.1.
However, HTTP and HTTPS settings are combined with HTTP, SMTP with SMTP, etc.
This means the global antivirus settings specifically for HTTPS, imaps, pop3s, SMTPS, and FTPS are no longer in place in FortiOS v5.2.1.

If the file is larger than the oversize-limit, the file is passed or blocked, depending on whether 'oversize' is a selected [service] option (See example below).

When 'oversize' is a configured option, files that are over the file size limit are blocked.

In the following example, the threshold is configured to block files larger than 3 MB.
 
  1. Go to Policy ('Policy & Objects' in FortiOS v5.2) -> Policy -> Proxy Options.
  2. Edit the default or select.' Create New to add a new one.
  3. Scroll down to the 'Common Options' section and place a check in the box next to 'BlockOversized File/Email'.
  4. The subline 'Threshold (MB)' will appear with a value field. Enter 3 (see Fig.1).
  5. Select 'OK' or 'Apply'.

agodwin_KB10734_KB10734.bmp


To make the previous configuration via CLI, perform the change for all:

config firewall profile-protocol-options
    edit [profile]
        config [service]
            set options oversize
            set oversize-limit 3
 
Where:

[service] FTP, HTTP, im, IMAP, nntp, mapi, pop3, SMTP, HTTPS, imaps, pop3s, SMTPS, or FTPS.
[profile] could be a custom profile, or the default one.

It is a recommended best practice to reduce the Oversize Threshold settings if the FortiGate shows continuously high memory usage.
The recommended value is 1-3 MB depending on the FortiGate, number of concurrent sessions, and memory usage.

It is possible to consider reducing the Oversize Threshold for a FortiGate that persistently and frequently enters conserve mode as it may be under-scaled for the type of network flows that are being scanned by it.

Changing the uncompressed file size limit (scan buffer size).

From the FortiOS v4.3, v5.0, and v5.2.0 CLI, it is possible to use the 'config antivirus service' command to control the maximum file size that can be buffered before virus scanning.
Files bigger than this value are passed without scanning.
 
Note however that archived files are first extracted before being compared to the scan buffer size. Likewise, email attachments are decoded before the FortiGate determines if it can fit in the scan buffer.

In FortiOS versions up to 5.2.0 inclusive, for FortiGates that support SSL, the maximum file size can be configured for HTTPS, imaps, POP3S, SMTPS, and FTPS.
In FortiOS v5.2.1 however, HTTP and HTTPS settings are combined with HTTP, SMTP with SMTPS, etc.
 
This means the global antivirus settings specifically for HTTPS, imaps, pop3s, SMTPS, and FTPS are no longer in place in FortiOS v5.2.1.

It is possible to set the uncompressed file size limit for each service as follows.

In FortiOS v4.3, v5.0 and v5.2.0.

config antivirus service [service]
    set uncompsizelimit [MB_integer]
end

In FortiOS v5.2.1.

config firewall profile-protocol-options
    edit [profile]
        config [service]
            set uncompressed-oversize-limit [MB_integer]
end
 
Where:
 
[service] FTP, HTTP, im, imap, nntp, mapi, POP3, SMTP, HTTPS, imaps, pop3s, SMTPS, or FTPS.
[profile] could be a custom profile, or the default one.
[MB_integer] can be from 0 to the maximum oversize threshold. Enter 'set uncompsizelimit?' to display the buffer size range for the FortiGate.
The default [MB_integer] is 10MB.

Changing the compressed file nesting level (archive scan depth).

From the FortiOS v4.3, v5.0, and v5.2.0 CLI, it is possible to use the 'config antivirus service' command to control the number of compression levels that FortiOS will open before virus scanning the resulting uncompressed file.
 
It is possible to set the number of levels for each service.
In FortiOS versions up to 5.2.0 inclusive, for FortiGates that support SSL, the maximum file size can be configured for HTTPS, imaps, POP3S, SMTPS, and FTPS.
 
In FortiOS v5.2.1 however, HTTP and HTTPS settings are combined with HTTP, SMTP with SMTPS, etc.
This means the global antivirus settings specifically for HTTPS, imaps, POP3S, SMTPS, and FTPS are no longer in place in FortiOS v5.2.1.

FortiOS v4.3, v5.0 and v5.2.0.

config antivirus service [service]
    set uncompnestlimit [depth_integer]
end

In FortiOS v5.2.1.

config firewall profile-protocol-options
    edit [profile]
        config [service]
            set set uncompressed-nest-limit [depth_integer]
end
 
Where:

[service] FTP, HTTP, im, IMAP, nntp, mapi, pop3, SMTP, HTTPS, IMAPS, POP3S, SMTPS, or FTPS.
[profile] could be a custom profile, or the default one.
[depth_integer] can be from 2 to 100. The default [depth_integer] is 12. A file with more compression levels than [depth_integer] is passed through without being virus-scanned.

The attached document is related to maximum oversized threshold values in v2.80 and v3.