Friday, 25 August 2017

Fortigate Optimize AV (Fail-Open and Fail-Open session)

1 - Antivirus failopen

1.1 - Introduction

Dealing with high traffic volume may cause the following two problems:
  • Running in conserve mode due to low system memory
  • Proxy connection pool has no free connections

The first problem deals with low memory situations. The antivirus system operates in one of two modes, conserve mode and non-conserve mode, depending on the available memory of the whole FortiGate unit. If the free memory is greater than 30% of the total memory, the system is in non-conserve mode. If the free memory drops below 20% of the total memory, the system enters conserve mode. The system does not go back to non-conserve mode until the free memory once again reaches 30% or more of the total memory.

The second problem deals with connection pools; here the av-failopen feature works at a localized level and affects a single proxy. If a FortiGate unit receives large volumes of traffic on a specific proxy, the unit may exceed that proxy's connection pool limit. If the number of free connections within a proxy connection pool reaches zero, av-failopen is applied to that specific proxy only. Each proxy calculates the size of its connection pool at start-up, based on the available memory of the FortiGate. On the FGT5001SX product, for example, when 2G of memory is installed and available, each proxy can theoretically handle around 9500 connections. In fact, the installed 2G of memory is shared with the OS and other programs, so when the proxy starts the available memory is always less than 2G.

If either situation occurs, or if both conditions co-exist, the antivirus failopen feature resolves the problem.

Antivirus failopen is a safeguard feature that determines the behavior of the FortiGate antivirus system if it becomes overloaded in high traffic. The feature is configurable in the CLI only. The command set av-failopen has the following three options:

off: If the FortiGate unit enters conserve mode, the antivirus system stops accepting new AV sessions but continues to process current active sessions.

one-shot: If the FortiGate unit enters conserve mode, all subsequent connections bypass the antivirus system, but current active sessions continue to be processed. One-shot is similar to pass but does not automatically turn off once the condition that caused av-failopen has stopped.
WARNING: With the one-shot option, no content filtering of the traffic is done (except perhaps IPS). The data stream could contain malicious content.

pass: Default setting. If the system enters conserve mode, connections bypass the antivirus system until the system enters non-conserve mode again. Current active sessions continue to be processed.
WARNING: With the pass option, no content filtering of the traffic is done (except perhaps IPS). The data stream could contain malicious content.

    1.2 - How antivirus failopen works

There are currently two conditions that can cause the FortiGate unit to operate in failopen mode:
  • The system is low on memory and has entered conserve mode.
  • The individual proxy pool is full (no free connections are available).

In the tables, B = connection blocked, P = connection passed.

With the first condition, low memory, the av-failopen setting is applied; see Table 1. The default for this setting is pass.

Table 1: av-failopen

    av-failopen       off   one-shot   pass
    new connection    B     P          P

With the second condition (the individual proxy pool is full), the action depends on the av-failopen-session setting. There are two settings, enabled and disabled (default).
  • If av-failopen-session is enabled and the free connections in the proxy connection pool reach zero, that proxy reverts to the av-failopen setting as in Table 1.
  • If av-failopen-session is disabled, all sessions are blocked for that proxy, regardless of the av-failopen setting. See Table 2.

Table 2: av-failopen-session

    av-failopen               off   one-shot   pass
    av-failopen-session
      disable                 B     B          B

In the event that both conditions exist at the same time, the av-failopen setting overrides the av-failopen-session setting. For example:

The HTTPS connection pool reaches capacity and the av-failopen-session setting is enabled. The HTTPS proxy reverts to the av-failopen setting and behaves according to Table 1. No other proxies are affected and the FortiGate unit does not enter conserve mode. The traffic to the FortiGate unit continues to increase and the free memory drops below the 20% threshold. The FortiGate unit automatically enters conserve mode and the av-failopen-session setting is overridden. All proxies are now affected by the av-failopen setting (see Table 1) regardless of the av-failopen-session setting.
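To make the decision logic of sections 1.1 and 1.2 concrete, here is an added Python model of it. This is example code written for this post, not FortiGate code and not from the original documentation; the class and function names (FailopenModel, update_memory, new_connection, scenario_from_section_1_2) are this example's own, it tracks a single proxy, and the value 'S' is this example's label for a connection that is scanned normally (the page's tables only define B and P). The 20% / 30% thresholds, the two tables and the one-shot latching behaviour are taken from the text above.

```python
# Added example: a small model of the FortiGate antivirus fail-open decision
# logic described in sections 1.1 and 1.2. It is not FortiGate code; the class
# and function names are this example's own. It tracks one proxy (the page
# says a full pool affects only that proxy, while conserve mode affects all).
from dataclasses import dataclass

CONSERVE_ENTER_PCT = 20.0  # free memory below this: the unit enters conserve mode
CONSERVE_EXIT_PCT = 30.0   # free memory at or above this: back to non-conserve mode

AV_FAILOPEN_OPTIONS = ("off", "one-shot", "pass")
AV_FAILOPEN_SESSION_OPTIONS = ("enable", "disable")


@dataclass
class FailopenModel:
    av_failopen: str = "pass"             # set av-failopen {off | one-shot | pass}
    av_failopen_session: str = "disable"  # set av-failopen-session {enable | disable}
    conserve_mode: bool = False
    one_shot_latched: bool = False        # one-shot keeps bypassing after the trigger clears

    def __post_init__(self) -> None:
        if self.av_failopen not in AV_FAILOPEN_OPTIONS:
            raise ValueError(f"unknown av-failopen option: {self.av_failopen}")
        if self.av_failopen_session not in AV_FAILOPEN_SESSION_OPTIONS:
            raise ValueError(f"unknown av-failopen-session option: {self.av_failopen_session}")

    def update_memory(self, free_pct: float) -> bool:
        """Apply the 20% / 30% hysteresis and return whether conserve mode is active."""
        if not self.conserve_mode and free_pct < CONSERVE_ENTER_PCT:
            self.conserve_mode = True
        elif self.conserve_mode and free_pct >= CONSERVE_EXIT_PCT:
            self.conserve_mode = False
        return self.conserve_mode

    def _table1(self) -> str:
        """Table 1: off -> B (blocked), one-shot -> P, pass -> P (passed unscanned)."""
        if self.av_failopen == "off":
            return "B"
        if self.av_failopen == "one-shot":
            self.one_shot_latched = True  # does not turn off automatically
        return "P"

    def new_connection(self, proxy_free_connections: int) -> str:
        """Decide the fate of a new connection on the modelled proxy.

        Returns 'B' (blocked) or 'P' (passed without AV scanning) as in the
        page's tables, or 'S' (this example's label for a normally scanned
        connection when neither fail-open condition holds).
        """
        if self.one_shot_latched:
            return "P"
        if self.conserve_mode:            # condition 1 overrides av-failopen-session
            return self._table1()
        if proxy_free_connections <= 0:   # condition 2: this proxy's pool is exhausted
            if self.av_failopen_session == "enable":
                return self._table1()     # Table 2 with session enabled: revert to Table 1
            return "B"                    # Table 2, disable row: always blocked
        return "S"


def scenario_from_section_1_2() -> list:
    """Walk the section 1.2 example (pass + session enable) and return each decision."""
    m = FailopenModel(av_failopen="pass", av_failopen_session="enable")
    trace = []
    trace.append(m.new_connection(proxy_free_connections=12))  # normal load: scanned
    trace.append(m.new_connection(proxy_free_connections=0))   # HTTPS pool full: Table 1, pass -> P
    m.update_memory(free_pct=19.0)                              # below 20%: conserve mode
    trace.append(m.new_connection(proxy_free_connections=12))  # every proxy follows Table 1 -> P
    m.update_memory(free_pct=25.0)                              # still conserve: exit needs >= 30%
    trace.append(m.new_connection(proxy_free_connections=12))
    m.update_memory(free_pct=31.0)                              # back to non-conserve mode
    trace.append(m.new_connection(proxy_free_connections=12))  # scanned again
    return trace


if __name__ == "__main__":
    print(scenario_from_section_1_2())  # ['S', 'P', 'P', 'P', 'S']
```

The point worth noticing when running it: with pass or one-shot, every 'P' in the trace is traffic that crossed the unit without antivirus inspection, and with one-shot the bypass persists even after free memory climbs back above 30%, so a monitoring rule that only watches the conserve-mode flag will miss the window during which scanning is off.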

    1.3 - How to configure antivirus failopen

Antivirus failopen is only available through the command line interface (CLI).

To enable antivirus failopen:
1. Log in to the FortiGate unit CLI.
2. Enter the following command with the desired option:
    config system global
        set av-failopen {off | one-shot | pass}
    end
3. Enter get system global to confirm the settings.

1.4 - How to configure antivirus failopen session

Antivirus failopen session is only available through the command line interface (CLI).

To enable antivirus failopen session:
1. Log in to the FortiGate unit CLI.
2. Enter the following command with the desired option:
    config system global
        set av-failopen-session {enable | disable}
    end
3. Enter get system global to confirm the settings.

      2 - Optimize antivirus

The optimize feature configures CPU settings to ensure efficient operation of the FortiGate unit for either antivirus scanning or straight throughput traffic. When optimize is set to antivirus, the FortiGate unit uses symmetric multiprocessing to spread the antivirus tasks across several CPUs, making scanning faster.

Note: These procedures are only available for the FortiGate-1000 and higher.

There are two options for optimize:

antivirus: The FortiGate unit spreads the antivirus scanning tasks across several CPUs (symmetric multiprocessing).
throughput: Default setting. The FortiGate unit uses a single CPU to process traffic.

      2.1 - When to use optimize antivirus

      Use optimize antivirus in conjunction with antivirus failopen to ensure maximum efficiency and safeguard against system crashes if the system does become overloaded because of high traffic.

      2.2 - How to configure optimize antivirus

Optimize is only available through the command line interface (CLI).

To enable optimize antivirus:
1. Log in to the FortiGate unit CLI.
2. Enter:
    config system global
        set optimize {antivirus | throughput}
   The following warning appears:
    This change will reboot the system.
    If you don't want it to be changed, type "abort"
3. Type end. The system reboots.
4. Log back in to the CLI and enter get system global to confirm the settings.

Note: If you get the following message when you enter the optimize command, then this command is not available on the FortiGate unit:
    command parse error before 'optimize' command fail. return code -61

To restore a configuration including optimize antivirus:
If you are restoring a backed-up configuration to the FortiGate unit, you must manually enable optimize antivirus through the CLI, even if the backup already includes this command. After restoring the configuration, follow steps 1 through 4 above to enable optimize antivirus.