Enabling AntiVirus scanning

Enabling AntiVirus scanning

Antivirus scanning is configured in an AntiVirus profile, but it is enabled in a firewall policy. Once the use of an antivirus profile is enabled and selected in one or more firewall policies, all the traffic controlled by those firewall policies will be scanned according to the settings in that profile.

In the Feature section found by going to System > Feature Select, you can enable or disable 2 aspects of the Antivirus Profile.

1. Antivirus will determine if the option to use Antivirus profiles is available.

2. Multiple Security Profiles will determine if you can configure any Antivirus profiles beyond the default profile. The Feature section can sometimes be misunderstood as to its actual effect. The enabling or disabling of a feature in this section refers to its visibility within the GUI, not whether or not the feature’s functionality will work.

If you were to disable the Antivirus Profile feature it would disappear from the GUI but not the CLI and configuration file. Since the functionality of the FortiGate unit is based on the contents of the config file any profile referred to by the policy in the configuration will be acted upon. The Feature section is primarily for keeping the GUI clean and uncluttered by features that are not being used by the administrators.

As the use of antivirus these days is practically a minimum standard for security protection the question left to decide is whether or not you wish to use multiple profiles in your configuration.

 

Antivirus profiles

From Security Profiles > AntiVirus you can edit existing profiles or create and configure new antivirus profiles that can then be applied to firewall policies. A profile is specific configuration information that defines how the traffic within a firewall policy is examined and what action may be taken based on the examination.

You can create multiple antivirus profiles for different antivirus scanning requirements. For example, you create an antivirus profile that specifies only virus scanning for POP3 which you then apply to the out-going firewall policy that is designed for users getting their email from the mail server. You can also choose specific protocols, such as HTTP, that will be scanned and if blocked, archived by the unit. This option is available only in the CLI.

Whether the mode of the antivirus detection is proxy-based or flow-based is also set within the profile.

 

Enable Antivirus steps – GUI based

1. Go to Security Profiles > AntiVirus.

2. Choose whether you want to edit an existing profile or create a new one.

  • The default profile will be the one displayed by default.
  • If you are going to edit an existing profile, selecting it can be done by either using the drop down menu in the upper right hand corner of the window or by selecting the List icon (the furthest right of the 3 icons in the upper right of the window, if resembles a page with some lines on it), and then selecting the profile you want to edit from the list.
  • If you need to create a new profile you can either select the Create New icon (a plus sign within a circle) or select the List icon and then select the Create New link in the upper left of the window that appears.

3. If you are creating a new profile, write a name for it in the Name field.

4. For the Detect Viruses field, select either Block to prevent infected files from passing throughout the FortiGate or Monitor to allow infected files to pass through the FortiGate but to record instances of infection.

5. Under Inspected Protocols, enable the protocols you wish to be blocked or monitored.

6. Under Inspection Options, you may enable the following: Treat Windows Executables in Email Attachments as Viruses and Include Mobile Malware Protection.

You may also enable the following options if you have a FortiCloud account active on your FortiGate: Send Files to FortiSandbox Cloud for Inspection and Use FortiSandbox Database.

Furthermore, files can only be sent to FortiSandbox for inspection while in Full mode Flow-based virus scanning.

7. Select OK.

8. Add the Antivirus profile to a firewall security policy.

To view Mobile Malware license and version information, go to System > FortiGuard. In the LicensInformation table, under the AntiVirus heading, find Mobile Malware Definitions.

 

Enable Antivirus steps – CLI based

You need to configure the scan option for each type of traffic you want scanned.

1. Configure the Antivirus profile

config antivirus profile edit “default”

set comment “scan and delete virus” set replacemsg-group ”

set scan-botnet-connections block set ftgd-analytics suspicious config http

set options scan end

config ftp

set options scan end

config imap

set options scan end

config pop3

set options scan end

config smtp

set options scan end

config nntp

set options scan end

config smb

set options scan end

end

2. Add the Antivirus profile to the Fortigate firewall security policy. When using the CLI, you will need to know the policy ID number.

config firewall policy

edit <policy ID number>

set av-profile default

set profile-protocol-options default end


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.