What does the command set av-failopen-session control in FortiGate?

The command set av-failopen-session in FortiGate is crucial for managing how the firewall handles sessions when there are antivirus (AV) feature failures. When set to enable fail open, sessions are allowed to continue even when there is an issue with the antivirus feature, which is especially important for ensuring that legitimate traffic is not disrupted due to temporary AV failures. Conversely, if fail open is not enabled, the firewall could drop sessions that are being processed by the antivirus engine, potentially resulting in service disruption for users.

This command provides fine control over the behavior of the firewall during AV issues, allowing for operational resilience. This is particularly beneficial in environments where continuous uptime and availability of services are essential, as it prevents blocking traffic when the antivirus functionality is temporarily impaired. By enabling fail open, organizations can maintain a level of service continuity while addressing any underlying AV issues.