FortiGate
akawade
Staff
Article Id 195806

Description


This article provides information on a particular system event that can be seen.

 

Scope

 

FortiGate.

Solution


If an AV profile is applied in a policy, some random websites can be blocked and the system event below can be observed for the traffic:

'Scanunit failed due to internal error: Content decode failed'

The error can be due to HTTP inspection being enabled in the AV profile.
Some web traffic uses a random port rather than only port 80, so traffic using that port is blocked when HTTP is enabled.

To avoid this, HTTP has to be disabled in the AV profile.
Run the commands below in the AV profile that has been applied in the policy:

 

config antivirus profile
    edit <antivirus profile name>
        config http
            set av-optimize disable
        end
    next
end

 

  • Monitor the web traffic and re-check the system event. The error should be resolved.
  • Apart from this, check the AV engine with the command below and make sure that the unit has an AV engine later than 6.130. Upgrade the AV engine if required.

 

diag autoupdate versions

 

  • This was a known behavior/bug that is resolved in 6.2.2. If the FortiGate firmware version is below 6.2.2, plan to upgrade the unit to 6.2.2 or later.
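The re-check step above can be scripted against exported event logs. This is an added example, not part of the original article or Fortinet code. It assumes logs exported as key=value text lines; the function names, the sample lines and the change time are constructed for illustration.

```python
import re
from datetime import datetime

# Event text quoted in this article.
SCANUNIT_MSG = "Scanunit failed due to internal error: Content decode failed"

# key=value pairs; a value is either "quoted" (may contain spaces) or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Return one exported log line as a dict of field name -> value."""
    rec = {}
    for key, val in KV_RE.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]  # strip the surrounding quotes
        rec[key] = val
    return rec


def count_decode_failures(lines, change_time):
    """Count the scanunit event before and after the profile change."""
    counts = {"before": 0, "after": 0}
    for line in lines:
        rec = parse_line(line)
        if SCANUNIT_MSG not in rec.get("msg", ""):
            continue
        try:
            stamp = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        except (KeyError, ValueError):
            continue  # no usable timestamp on this line
        counts["before" if stamp < change_time else "after"] += 1
    return counts


# Constructed sample lines, not captured from a real unit. Only date, time and
# msg are read; the field layout is an assumption about the export format.
SAMPLE_LOG = [
    'date=2019-11-04 time=09:12:01 type="event" subtype="system" msg="' + SCANUNIT_MSG + '"',
    'date=2019-11-04 time=09:40:17 type="event" subtype="system" msg="' + SCANUNIT_MSG + '"',
    'date=2019-11-04 time=09:55:30 type="event" subtype="system" msg="Constructed unrelated event"',
    'date=2019-11-04 time=10:20:45 type="event" subtype="system" msg="Constructed unrelated event"',
]

if __name__ == "__main__":
    # Hypothetical time at which the AV profile change was committed.
    print(count_decode_failures(SAMPLE_LOG, datetime(2019, 11, 4, 10, 0, 0)))
```

A non-zero "after" count means the event is still being logged after the change, in which case the AV engine and firmware checks in this article are the next things to verify.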

Note:

The option 'set av-optimize' has been removed from the CLI in 6.2.2 and above:
Configure AntiVirus profiles.