FortiOS 6 – AntiVirus

Testing your antivirus configuration

You have configured your FortiGate unit to stop viruses, but you’d like to confirm your settings are correct. Even if you have a real virus, it would be dangerous to use for this purpose. An incorrect configuration will allow the virus to infect your network.

To solve this problem, the European Institute of Computer Anti-virus Research has developed a test file that allows you to test your antivirus configuration. The EICAR test file is not a virus. It cannot infect computers, nor can it spread or cause any damage. It’s a very small file that contains a sequence of characters. Your FortiGate unit recognizes the EICAR test file as a virus so you can safely test your FortiGate unit antivirus configuration.

Go to http://www.fortiguard.com/antivirus/eicartest.html to download the test file (eicar.com) or the test file in a ZIP archive (eicar.zip).

If the antivirus profile applied to the security policy that allows you access to the Web is configured to scan HTTP traffic for viruses, any attempt to download the test file will be blocked. This indicates that you are protected.

Example scenarios

The following examples provide sample antivirus configuration scenarios.

Configuring simple default AntiVirus profile

If performance is not a real concern and the FortiGate’s resources are not being stretched, it is perfectly reasonable to create one AntiVirus profile that covers the range of uses found in your environment. This example is one possible default configuration.

Context:

  • This is an edited default profile and will be used on all security policies l It will need to scan for malware on all available protocols.

 

  • Malware, botnets, and grayware should be blocked l The inspection method should be flow-based l A current FortiCloud account is available

Creating the profile – GUI

  1. In the following fields, enter the settings shown in the screenshot.
  2. Select Apply.
  3. Enable grayware scanning through the CLI.

config antivirus settings

set grayware enable

end

Creating the profile – CLI

  1. Enter the CLI by one of the following methods:

l SSH through a terminal emulator l CLI Console access l FortiExplorer’s CLI mode

  1. Enter the following commands:

config antivirus profile

edit default

set comment “scan and delete virus” set inspection-mode flow-based set scan-botnet-connections block set ftgd-analytics suspicious config http

set options scan

end

config ftp set options scan

end

config imap set options scan

end

config pop3 set options scan

end

config smtp set options scan

end

config nntp set options scan

end

config smb set options scan

end end

  1. Enable grayware scanning config antivirus settings set grayware enable end

Setting up a basic proxy-based AntiVirus profile for email traffic

Small offices, whether they are small companies, home offices, or satellite offices, often have very simple needs. This example details how to enable antivirus protection on a FortiGate unit located in a satellite office.

Context:

  • The satellite office does not have an internal email server. To send and retrieve email, the employees connect to an external mail server.
  • There is a specific firewall security profile that handles the email traffic from the Internet to the mail server. The only traffic on this policy will be POP3 and IMAP and SMTP
  • The company policy is to block viruses and connections to botnets.
  • The FortiGate unit is a small model and the Internet bandwidth is limited so the policy is to not submit files to the FortiSandbox.

Creating the profile – GUI

  1. In the following fields, enter the settings shown below:
Name email-av
Comments Scans email traffic from Internet for malware
Detect Viruses Block
Inspected Protocols all checked (HTTP, SMTP, POP3, IMAP, MAPI, and FTP).
Content Disarm and Reconstruction checked (optional) – used to remove exploitable content and replace it with content that is known to be safe.

For more information, see Content Disarm and Reconstruction (CDR)

Original File Destination Destination to which files will be sent for inspection: FortiSandbox, File Quarantine, or Discard.
Treat Windows Executables in Email Attachments as Viruses checked – also optionally decide whether or not to submit files matching particular types and/or file name patterns.
Send Files to FortiSandbox Appliance for Inspection checked (All Supported Files).
Use Virus Outbreak Prevention Database checked – used to preempt outbreaks before AV Signatures are created.
Use FortiSandbox Database checked – supplements the AV Signature database.
  1. Select Apply.

Creating the profile – CLI

  1. Enter the CLI by one of the following methods:

l SSH through a terminal emulator l CLI Console widget l FortiExplorer’s CLI mode

  1. Enter the following commands:

config antivirus profile edit “email-av” set comment “Scans email traffic from Internet for malware” set inspection-mode proxy config content-disarm set original-file-destination {fortisandbox | quarantine | discard} set …

config <protocol> set options scan

end end

  1. Additionally, if you wish to only send those files to FortiSandbox that heuristics determines as suspicious, enter the following (only available via the CLI):

config antivirus profile edit “email-av” set ftgd-analytics suspicious

end

For more information on how to strip content from various content types from documents (hyperlinks, linked objects, embedded objects, JavaScript code), see Content Disarm and Reconstruction (CDR) and the FortiOS 6.0 CLI Reference.

Adding the profile to a policy

In this scenario the following assumptions will be made:

  • The policy that the profile is going to be added to is an IPv4 policy. l The ID number of the policy is 11.
  • The AntiVirus profile being added will be the “default” profile l The SSL/SSH Inspection profile used will be the “default” profile

Adding the profile – GUI

  1. Go to Policy & Objects > IPv4 Policy.
  2. Use your preferred method of finding a policy. l If the ID column is available you can use that.

l You can also choose based on your knowledge of the parameters of the policy l Select the policy with ID value of 11

  1. In the Edit Policy window, go to the Security Profiles section
  2. Turn ON AntiVirus, and in the drop down menu for the field, select default
  3. If the AntiVirus profile is proxy-based the Proxy Options field and drop down menu will be revealed.
  4. The SSL/SSH Inspection field will automatically be set to ON and one of the profiles will need to be selected from the drop down menu. In this case default is selected.
  5. The log options will depend on your requirements and resources but to verify that everything is working properly, it is a good idea to turn ON logging of All Sessions after setting up a new profile and after giving some time for logs to accumulate
  6. Turn on Antivirus.
  7. Select an antivirus profile.
  8. Select OK to save the security policy.

Adding the profile – CLI

To select the antivirus profile in a security policy — CLI

config firewall policy edit 11 set utm-status enable set profile-protocol-options default set av-profile basic_antivirus

end


Having trouble configuring your Fortinet hardware or have some questions you need answered? Ask your questions in the comments below!!! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Don't Forget To Buy Your Fortinet Hardware From The Fortinet GURU

Leave a Reply

Name *
Email *
Website

This site uses Akismet to reduce spam. Learn how your comment data is processed.