FortiGuard Web Filtering Service

FortiGuard Web Filter is a managed web filtering solution available by subscription from Fortinet. FortiGuard Web Filter enhances the web filtering features supplied with your FortiGate unit by sorting billions of web pages into a wide range of categories users can allow or block. The FortiGate unit accesses the nearest FortiGuard Web Filter Service Point to determine the category of a requested web page, and then applies the security policy configured for that user or interface.

FortiGuard Web Filter includes over 45 million individual ratings of web sites that apply to more than two billion pages. Pages are sorted and rated into several dozen categories administrators can allow or block. Categories may be added or updated as the Internet evolves. To make configuration simpler, you can also choose to allow or block entire groups of categories. Blocked pages are replaced with a message indicating that the page is not accessible according to the Internet usage policy.

FortiGuard Web Filter ratings are performed by a combination of proprietary methods including text analysis, exploitation of the web structure, and human raters. Users can notify the FortiGuard Web Filter Service Points if they feel a web page is not categorized correctly, so that the service can update the categories in a timely fashion.

Before you begin to use the FortiGuard Web Filter options you should verify that you have a valid subscription to the service for your FortiGate firewall.

 

FortiGuard Web Filter and your FortiGate unit

When FortiGuard Web Filter is enabled in a web filter profile, the setting is applied to all firewall policies that use this profile. When a request for a web page appears in traffic controlled by one of these firewall policies, the URL is sent to the nearest FortiGuard server. The URL category is returned. If the category is blocked, the FortiGate unit provides a replacement message in place of the requested page. If the category is not blocked, the page request is sent to the requested URL as normal.

 

FortiGuard Web Filter Actions

The Possible Actions are:

  • Allow permits access to the sites within the category.
  • Block prevents access to sites within the category. Users attempting to access a blocked site will receive a replacement message explaining that access to the site is blocked.
  • Monitor permits and logs access to sites in the category. You may also enable user quotas when enabling the monitor action.
  • Warning presents the user with a message, allowing them to continue if they choose.
  • Authenticate requires a user to authenticate with the FortiGate unit before being allowed access to the category or category group.
  • Disable prevents that category, and all sub-categories, from inspection. This permits access to the sites within the category.

 

The choices of actions available will depend on the mode of inspection.

  • Proxy – Allow, Block, Monitor, Warning, Authenticate and Disable.
  • Flow-based – Allow, Block & Monitor.
  • DNS – Allow, Block & Monitor.

 

 

FortiGuard Web Filtering categories

The following tables identify each web filtering category (organized by group) along with associated category IDs. For a complete description of each web filtering category, visit http://www.fortiguard.com/webfilter.

 

Potentially Liable

ID  Category
1   Drug Abuse
3   Hacking
4   Illegal or Unethical
5   Discrimination
6   Explicit Violence
12  Extremist Groups
59  Proxy Avoidance
62  Plagiarism
83  Child Abuse

Adult/Mature Content

ID  Category
2   Alternative Beliefs
7   Abortion
8   Other Adult Materials
9   Advocacy Organizations
11  Gambling
13  Nudity and Risque
14  Pornography
15  Dating
16  Weapons (Sales)
57  Marijuana
63  Sex Education
64  Alcohol
65  Tobacco
66  Lingerie and Swimsuit
67  Sports Hunting and War Games

Bandwidth Consuming

ID  Category
19  Freeware and Software Downloads
24  File Sharing and Storage
25  Streaming Media and Download
72  Peer-to-peer File Sharing
75  Internet Radio and TV
76  Internet Telephony

Security Risk

ID  Category
26  Malicious Websites
61  Phishing
86  Spam URLs
88  Dynamic DNS

General Interest – Personal

ID  Category
17  Advertising
18  Brokerage and Trading
20  Games
23  Web-based Email
28  Entertainment
29  Arts and Culture
30  Education
33  Health and Wellness
34  Job Search
35  Medicine
36  News and Media
37  Social Networking
38  Political Organizations
39  Reference
40  Global Religion
42  Shopping
44  Society and Lifestyles
46  Sports
47  Travel
48  Personal Vehicles
54  Dynamic Content
55  Meaningless Content
58  Folklore
68  Web Chat
69  Instant Messaging
70  Newsgroups and Message Boards
71  Digital Postcards
77  Child Education
78  Real Estate
79  Restaurant and Dining
80  Personal Websites and Blogs
82  Content Servers
85  Domain Parking
87  Personal Privacy
89  Auction

General Interest – Business

ID  Category
31  Finance and Banking
41  Search Engines and Portals
43  General Organizations
49  Business
50  Information and Computer Security
51  Government and Legal Organizations
52  Information Technology
53  Armed Forces
56  Web Hosting
81  Secure Websites
84  Web-based Applications

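The action list and category tables above, worked through as an added Python example (not FortiOS code or code from this page): it resolves the action a web filter profile applies to a URL from its FortiGuard category, lets a category-level action override its group's action, treats a group set to Disable as uninspected, and rejects actions that flow-based or DNS mode does not offer. The profile layout, the override rule and all names are assumptions, and only a subset of the categories is included.

```python
"""Resolving a FortiGuard Web Filter action for a rated URL.

Added illustration, not FortiOS code. The category IDs, group names and
per-mode action lists come from the tables and lists on this page (only a
subset of categories is included); the profile layout, the rule that a
category-level action overrides its group's action, and all names are
assumptions made for this example.
"""
from dataclasses import dataclass, field

# Subset of the FortiGuard category table above: category ID -> (name, group).
CATEGORIES = {
    3: ("Hacking", "Potentially Liable"),
    59: ("Proxy Avoidance", "Potentially Liable"),
    14: ("Pornography", "Adult/Mature Content"),
    26: ("Malicious Websites", "Security Risk"),
    61: ("Phishing", "Security Risk"),
    88: ("Dynamic DNS", "Security Risk"),
    37: ("Social Networking", "General Interest - Personal"),
    41: ("Search Engines and Portals", "General Interest - Business"),
}

# Actions available in each inspection mode, from the list on this page.
ACTIONS_BY_MODE = {
    "proxy": {"allow", "block", "monitor", "warning", "authenticate", "disable"},
    "flow-based": {"allow", "block", "monitor"},
    "dns": {"allow", "block", "monitor"},
}


@dataclass
class WebFilterProfile:
    mode: str
    group_actions: dict = field(default_factory=dict)     # group name -> action
    category_actions: dict = field(default_factory=dict)  # category ID -> action

    def validate(self):
        """Reject actions that the profile's inspection mode does not offer."""
        if self.mode not in ACTIONS_BY_MODE:
            raise ValueError(f"unknown inspection mode {self.mode!r}")
        allowed = ACTIONS_BY_MODE[self.mode]
        for scope, table in (("group", self.group_actions),
                             ("category", self.category_actions)):
            for key, action in table.items():
                if action not in allowed:
                    raise ValueError(
                        f"{action!r} on {scope} {key!r} is not available in {self.mode} mode")
        return True


@dataclass
class Decision:
    category: str
    action: str
    permit: bool      # may the request proceed?
    log: bool         # is the visit logged (monitor)?
    inspected: bool   # False when the category or its group was set to Disable


def resolve(profile, category_id):
    """Decide what happens to one URL whose FortiGuard rating is category_id.

    An explicit category action wins over the group action (assumption).
    A group set to 'disable' skips inspection for every category in it,
    which permits access, as the action list above describes.
    """
    name, group = CATEGORIES[category_id]
    if category_id in profile.category_actions:
        action = profile.category_actions[category_id]
    else:
        action = profile.group_actions.get(group, "allow")
    if action == "disable":
        return Decision(name, action, permit=True, log=False, inspected=False)
    return Decision(name, action, permit=(action != "block"),
                    log=(action == "monitor"), inspected=True)


if __name__ == "__main__":
    # Constructed profile: block everything rated Security Risk, log the
    # Potentially Liable group, leave business sites uninspected, and block
    # Proxy Avoidance explicitly even though its group is only monitored.
    p = WebFilterProfile("proxy",
                         group_actions={"Security Risk": "block",
                                        "Potentially Liable": "monitor",
                                        "General Interest - Business": "disable"},
                         category_actions={59: "block"})
    p.validate()
    for cid in (61, 3, 59, 41, 37):
        print(cid, resolve(p, cid))
```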
FortiGuard Web Filter usage quotas

In addition to using category and classification blocks and overrides to limit user access to URLs, you can set a daily timed access quota by category, category group, or classification. Quotas allow access for a specified length of time, calculated separately for each user. Quotas are reset every day at midnight.

Users must authenticate with the FortiGate unit. The quota is applied to each user individually so the FortiGate must be able to identify each user. One way to do this is to configure a security policy using the identity based policy feature. Apply the web filter profile in which you have configured FortiGuard Web Filter and FortiGuard Web Filter quotas to such a security policy.

The use of FortiGuard Web Filter quotas requires that users authenticate to gain web access. The quotas are ignored if applied to a security policy in which user authentication is not required.

Editing the web filter profile resets the quota timers for all users.

When a user first attempts to access a URL, they’re prompted to authenticate with the FortiGate unit. When they provide their user name and password, the FortiGate unit recognizes them, determines their quota allowances, and monitors their web use. The category and classification of each page they visit is checked and the FortiGate unit adjusts the user’s remaining available quota for the category or classification.

 

Quota hierarchy

You can apply quotas to categories and category groups. Only one quota per user can be active at any one time. The one used depends on how you configure the FortiGuard Web Filter.

When a user visits a URL, the FortiGate unit queries the FortiGuard servers for the category of the URL. From highest to lowest, the relative priority of the quotas is:

1. Category

2. Category group
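The quota rules described in this section and the one before it, modelled as an added Python example (not FortiOS code or code from this page): quotas are counted per authenticated user, a category quota outranks a category-group quota, counters reset at midnight, editing the profile resets every user's timers, and a session without user authentication is not subject to quotas. The class, its method names and the minute-based accounting are assumptions; the category-to-group mapping is a small subset of the table above.

```python
"""Per-user FortiGuard Web Filter quota bookkeeping.

Added illustration, not FortiOS code. It applies the rules stated on this
page: quotas count per authenticated user, reset at midnight, a category
quota outranks a category-group quota, editing the profile resets all
timers, and traffic without user authentication is not subject to quotas.
The class, its method names and the minute-based accounting are assumptions;
the category-to-group mapping is a small subset of the table above.
"""
from datetime import datetime

# Subset of the FortiGuard category table: category ID -> group name.
CATEGORY_GROUP = {
    37: "General Interest - Personal",   # Social Networking
    25: "Bandwidth Consuming",           # Streaming Media and Download
    76: "Bandwidth Consuming",           # Internet Telephony
    41: "General Interest - Business",   # Search Engines and Portals
}


class QuotaTracker:
    def __init__(self, category_quotas, group_quotas):
        self.category_quotas = category_quotas  # category ID -> minutes per day
        self.group_quotas = group_quotas        # group name -> minutes per day
        self._used = {}                         # (user, quota key) -> minutes used today
        self._day = None                        # calendar day the counters belong to

    def _quota_for(self, category_id):
        """Pick the one quota that applies: category first, then its group."""
        if category_id in self.category_quotas:
            return ("category", category_id), self.category_quotas[category_id]
        group = CATEGORY_GROUP[category_id]
        if group in self.group_quotas:
            return ("group", group), self.group_quotas[group]
        return None, None

    def _roll_day(self, now):
        """Quotas are reset every day at midnight."""
        if self._day != now.date():
            self._day = now.date()
            self._used.clear()

    def profile_edited(self):
        """Editing the web filter profile resets the quota timers for all users."""
        self._used.clear()

    def check(self, user, category_id, minutes, now):
        """Charge `minutes` of browsing in category_id to `user` at time `now`.

        Returns (permitted, remaining_minutes). remaining_minutes is None when
        no quota applies. user=None stands for a session with no user
        authentication, to which quotas are not applied (the page says they
        are ignored in that case).
        """
        self._roll_day(now)
        if user is None:
            return True, None
        key, limit = self._quota_for(category_id)
        if key is None:
            return True, None
        used = self._used.get((user, key), 0)
        if used >= limit:
            return False, 0
        used = min(limit, used + minutes)   # a session may run the quota down to zero
        self._used[(user, key)] = used
        return True, limit - used


if __name__ == "__main__":
    # Constructed quotas: 30 min/day of Social Networking for each user, and
    # 60 min/day for the whole Bandwidth Consuming group.
    q = QuotaTracker(category_quotas={37: 30}, group_quotas={"Bandwidth Consuming": 60})
    t0 = datetime(2024, 1, 1, 9, 0)
    print(q.check("alice", 37, 20, t0))   # (True, 10)
    print(q.check("alice", 25, 45, t0))   # (True, 15)
    print(q.check("alice", 76, 30, t0))   # (True, 0): same group quota
    print(q.check("alice", 76, 1, t0))    # (False, 0)
```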


Web filter

This section describes FortiGate web filtering for HTTP traffic. The three main parts of the web filtering function, the Web Content Filter, the URL Filter, and the FortiGuard Web Filtering Service interact with each other to provide maximum control over what the Internet user can view as well as protection to your network from many Internet content threats. Web Content Filter blocks web pages containing words or patterns that you specify. URL filtering uses URLs and URL patterns to block or exempt web pages from specific sources. FortiGuard Web Filtering provides many additional categories you can use to filter web traffic.

 

The following topics are included in this section:

  • Web filter concepts
  • Inspection Modes
  • FortiGuard Web Filtering Service
  • Overriding FortiGuard website categorization
  • SafeSearch
  • YouTube Education Filter
  • Static URL Filter
  • Web content filter
  • Advanced web filter configurations
  • Configuring Web Filter Profiles
  • Web filtering example

 

Web filter concepts

Web filtering is a means of controlling the content that an Internet user is able to view. With the popularity of web applications, the need to monitor and control web access is becoming a key component of secure content management systems that employ antivirus, web filtering, and messaging security. Important reasons for controlling web content include:

  • lost productivity because employees are accessing the web for non-business reasons
  • network congestion — when valuable bandwidth is used for non-business purposes, legitimate business applications suffer
  • loss or exposure of confidential information through chat sites, non-approved email systems, instant messaging, and peer-to-peer file sharing
  • increased exposure to web-based threats as employees surf non-business-related web sites
  • legal liability when employees access/download inappropriate and offensive material
  • copyright infringement caused by employees downloading and/or distributing copyrighted material.

 

As the number and severity of threats increase on the World Wide Web, the risk potential increases within a company’s network as well. Casual non-business related web surfing has caused many businesses countless hours of legal litigation as hostile environments have been created by employees who download and view offensive content. Web-based attacks and threats are also becoming increasingly sophisticated. Threats and web-based applications that cause additional problems for corporations include:

  • spyware/grayware
  • phishing
  • pharming
  • instant messaging
  • peer-to-peer file sharing
  • streaming media
  • blended network attacks.

 

Spyware, also known as grayware, is a type of computer program that attaches itself to a user’s operating system. It does this without the user’s consent or knowledge. It usually ends up on a computer because of something the user does such as clicking on a button in a pop-up window. Spyware can track the user’s Internet usage, cause unwanted pop-up windows, and even direct the user to a host web site. For further information, visit the FortiGuard Center.

Some of the most common ways of grayware infection include:

  • downloading shareware, freeware, or other forms of file-sharing services
  • clicking on pop-up advertising
  • visiting legitimate web sites infected with grayware.

Phishing is the term used to describe attacks that use web technology to trick users into revealing personal or financial information. Phishing attacks use web sites and email that claim to be from legitimate financial institutions to trick the viewer into believing that they are legitimate. Although phishing is initiated by spam email, getting the user to access the attacker’s web site is always the next step.

Pharming is a next generation threat that is designed to identify and extract financial, and other key pieces of information for identity theft. Pharming is much more dangerous than phishing because it is designed to be completely hidden from the end user. Unlike phishing attacks that send out spam email requiring the user to click to a fraudulent URL, pharming attacks require no action from the user outside of their regular web surfing activities. Pharming attacks succeed by redirecting users from legitimate web sites to similar fraudulent web sites that have been created to look and feel like the authentic web site.

Instant messaging presents a number of problems. Instant messaging can be used to infect computers with spyware and viruses. Phishing attacks can be made using instant messaging. There is also a danger that employees may use instant messaging to release sensitive information to an outsider.

Peer-to-peer (P2P) networks are used for file sharing, and such files may contain viruses. Peer-to-peer applications take up valuable network resources and may lower employee productivity, and they also have legal implications when copyrighted or sensitive company material is downloaded.

Streaming media is a method of delivering multimedia, usually in the form of audio or video to Internet users. Viewing streaming media impacts legitimate business by using valuable bandwidth.

Blended network threats are rising and the sophistication of network threats is increasing with each new attack. Attackers learn from each previous successful attack and enhance and update attack code to become more dangerous and fast spreading. Blended attacks use a combination of methods to spread and cause damage. Using virus or network worm techniques combined with known system vulnerabilities, blended threats can quickly spread through email, web sites, and Trojan applications. Examples of blended threats include Nimda, Code Red, Slammer, and Blaster. Blended attacks can be designed to perform different types of attacks, which include disrupting network services, destroying or stealing information, and installing stealthy backdoor applications to grant remote access.

 

Different ways of controlling access

The methods available for monitoring and controlling Internet access range from manual and educational methods to fully automated systems designed to scan, inspect, rate and control web activity.

Common web access control mechanisms include:

  • establishing and implementing a well-written usage policy in the organization on proper Internet, email, and computer conduct
  • installing monitoring tools that record and report on Internet usage
  • implementing policy-based tools that capture, rate, and block URLs.

The final method is the focus of this topic. The following information shows how the filters interact and how to use them to your advantage.

 

Order of web filtering

The FortiGate unit applies web filters in a specific order:

1. URL filter

2. FortiGuard Web Filter

3. web content filter

4. web script filter

5. antivirus scanning.

If you have blocked a FortiGuard Web Filter category but want certain users to have access to URLs within that pattern, you can use the Override within the FortiGuard Web Filter. This will allow you to specify which users have access to which blocked URLs and how long they have that access. For example, if you want a user to be able to access www.example.com for one hour, you can use the override to set up the exemption. Any user listed in an override must fill out an online authentication form that is presented when they try to access a blocked URL before the FortiGate unit will grant access to it.

If you have blocked a FortiGuard Web Filter category but want users within a specific Web Filter profile to have access to URLs within that pattern, you can use the following CLI command to override (this override has no timeout affiliated with it):

 

CLI Syntax:

config webfilter profile
    edit <profile>
        config web
            set whitelist exempt-av exempt-dlp exempt-rangeblock extended-log-others
        end
    next
end

 

This command will set a Web Filter profile that exempts AV, DLP, RangeBlock, and supports extended log by FortiGuard whitelist.

 

Inspection Modes

 

 

Proxy

Proxy-based inspection involves buffering the traffic and examining it as a whole before determining an action. Having the whole of the data to analyze allows this method to consider more points of data than the flow-based or DNS methods.

The advantage of a proxy-based method is that the inspection can be more thorough than the other methods, resulting in fewer false positive or negative results in the analysis of the data.

 

Flow-based

The Flow-based inspection method examines the file as it passes through the FortiGate unit without any buffering. As each packet of the traffic arrives it is processed and forwarded without waiting for the complete file or web page.

The advantage of the flow-based method is that the user sees a faster response time for HTTP requests and there is less chance of a time-out error due to the server at the other end responding slowly.

The disadvantages of this method are that there is a higher probability of a false positive or negative in the analysis of the data and that a number of points of analysis that can be used in the proxy-based method are not available in the flow-based inspection method. There are also fewer actions available to choose from based on the categorization of the website by FortiGuard services.

 

DNS

The DNS inspection method uses the same categories as the FortiGuard Service. It is lightweight in terms of resource usage because it doesn’t involve any proxy-based or flow-based inspection.

A DNS request is typically the first part of any new session to a new website. This inspection method takes advantage of that and places the results of the categorization of websites right on the FortiGuard DNS servers. When the FortiGate resolves a URL, in addition to the IP address of the website it also receives a domain rating.

In the same way that the flow-based inspection method has fewer filters and points of analysis than the proxy-based inspection method, DNS has fewer settings still. All of its inspection is based on the IP address, the domain name and the rating provided by the FortiGuard DNS server.

If the DNS mode is chosen, the additional setting of a DNS action must be chosen. The options are:

  • Block – The traffic will be blocked and the session dropped.
  • Redirect – The session will be redirected to a message page indicating to the user what is happening.

Testing your antivirus configuration

You have configured your FortiGate unit to stop viruses, but you’d like to confirm your settings are correct. Even if you have a real virus, it would be dangerous to use for this purpose. An incorrect configuration will allow the virus to infect your network.

To solve this problem, the European Institute of Computer Anti-virus Research has developed a test file that allows you to test your antivirus configuration. The EICAR test file is not a virus. It cannot infect computers, nor can it spread or cause any damage. It is a very small file that contains a sequence of characters. Your FortiGate unit recognizes the EICAR test file as a virus, so you can safely test your FortiGate unit antivirus configuration.

Go to http://www.fortiguard.com/antivirus/eicartest.html to download the test file (eicar.com) or the test file in a ZIP archive (eicar.zip).

If the antivirus profile applied to the security policy that allows you access to the Web is configured to scan HTTP traffic for viruses, any attempt to download the test file will be blocked. This indicates that you are protected.

 

Example Scenarios

The following examples provide sample antivirus configuration scenarios.

 

Configuring simple default antivirus profile

The Antivirus function is so straightforward and widely used that many users just create one default profile and use it on all of the applicable firewall policies. If performance is not a real concern and the unit’s resources are not being stretched, it is perfectly reasonable to create one profile that covers the range of uses found in your environment. This example is one possible default configuration.

 

Context:

  • This is an edited default profile and will be used on all security policies
  • It will need to scan for malware on all available protocols.
  • Malware, botnets, and grayware should be blocked
  • The inspection method should be flow-based
  • A current FortiCloud account is available

 

Creating the profile – GUI

1. In the following fields, enter the indicated values or selections:

Name                                        default
Comments                                    Scans all traffic from Internet for malware
Inspection Mode                             Flow-based
Detect Virus                                Block
Send Files to FortiSandbox for Inspection   checked
  • Suspicious Files Only                   checked
Detect Connections to Botnet C&C Servers    checked
  • Block                                   checked

2. Check the appropriate protocols:

 

Protocol   Virus Scan and Block
HTTP       checked
SMTP       checked
POP3       checked
IMAP       checked
MAPI       checked
FTP        checked
NNTP       checked

 

3. Select Apply.

4. Enable grayware scanning:

config antivirus settings
    set grayware enable
end

 

Creating the profile – CLI

1. Enter the CLI by one of the following methods:

  • SSH through a terminal emulator
  • CLI Console widget
  • FortiExplorer’s CLI mode

2. Enter the following commands:

config antivirus profile
    edit default
        set comment "scan and delete virus"
        set inspection-mode flow-based
        set scan-botnet-connections block
        set ftgd-analytics suspicious
        config http
            set options scan
        end
        config ftp
            set options scan
        end
        config imap
            set options scan
        end
        config pop3
            set options scan
        end
        config smtp
            set options scan
        end
        config nntp
            set options scan
        end
        config smb
            set options scan
        end
    next
end

3. Enable grayware scanning:

config antivirus settings
    set grayware enable
end

 

Setting up a basic proxy-based Antivirus profile for email traffic

Small offices, whether they are small companies, home offices, or satellite offices, often have very simple needs. This example details how to enable antivirus protection on a FortiGate unit located in a satellite office.

 

Context:

  • The satellite office does not have an internal email server. To send and retrieve email, the employees connect to an external mail server.
  • There is a specific firewall security policy that handles the email traffic from the Internet to the mail server. The only traffic on this policy will be POP3, IMAP, and SMTP.
  • The company policy is to block viruses and connections to botnets.
  • The FortiGate unit is a small model and the Internet bandwidth is limited so the policy is to not submit files to the FortiSandbox.

 

Creating the profile – GUI

1. In the following fields, enter the indicated values or selections:

Name                                        email-av
Comments                                    Scans email traffic from Internet for malware
Inspection Mode                             Proxy
Detect Virus                                Block
Send Files to FortiSandbox for Inspection   checked
  • Suspicious Files Only                   checked
Detect Connections to Botnet C&C Servers    checked
  • Block                                   checked

2. Check the appropriate protocols:

 

Protocol   Virus Scan and Block
HTTP       checked
SMTP       checked
POP3       checked
IMAP       checked
MAPI       checked
FTP        checked
NNTP       checked


3. Select Apply.

 

Creating the profile – CLI

1. Enter the CLI by one of the following methods:

  • SSH through a terminal emulator
  • CLI Console widget
  • FortiExplorer’s CLI mode

2. Enter the following commands:

config antivirus profile
    edit "email-av"
        set comment "Scans email traffic from Internet for malware"
        set inspection-mode proxy
        config imap
            set options scan
        end
        config pop3
            set options scan
        end
        config smtp
            set options scan
        end
    next
end

 

Adding the profile to a policy

In this scenario the following assumptions will be made:

  • The policy that the profile is going to be added to is an IPv4 policy.
  • The ID number of the policy is 11.
  • The Antivirus profile being added will be the “default” profile
  • The SSL/SSH Inspection profile used will be the “default” profile

 

FortiClient enforcement has been moved from the Policy page to Network > Interfaces, so that FortiClient registration is enforced on a desired LAN interface rather than in a policy.

 

Adding the profile – GUI

1. Go to Policy & Objects > IPv4 Policy.

2. Use your preferred method of finding a policy.

  • If the ID column is available you can use that.
  • You can also choose based on your knowledge of the parameters of the policy
  • Select the policy with ID value of 11

3. In the Edit Policy window, go to the Security Profiles section

4. Turn ON AntiVirus, and in the drop down menu for the field, select default

5. If the AntiVirus profile is proxy-based the Proxy Options field and drop down menu will be revealed.

6. The SSL/SSH Inspection field will automatically be set to ON and one of the profiles will need to be selected from the drop down menu. In this case default is selected.

7. The log options will depend on your requirements and resources, but to verify that everything is working properly it is a good idea to turn ON logging of All Sessions after setting up a new profile, and then give the logs some time to accumulate.

8. Turn on Antivirus.

9. Select an antivirus profile.

10. Select OK to save the security policy.

 

Adding the profile – CLI

To select the antivirus profile in a security policy — CLI

config firewall policy
    edit 11
        set utm-status enable
        set profile-protocol-options default
        set av-profile default
    next
end

 

Block files larger than 8 MB

Set proxy options profile to block files larger than 8 MB

1. Go to Security Profiles > Proxy Options.

2. Edit the default or select Create New to add a new one.

3. Scroll down to the Common Options section and place a check in the box next to Block Oversized File/Email.

4. The sub line Threshold (MB) will appear with a value field. Enter 8.

5. Select OK or Apply.

The proxy options profile is configured, but to block files, you must select it in the firewall policies handling the traffic that contains the files you want blocked.

 

To select the Proxy Options profile in a security policy

1. Go to Policy & Objects > IPv4 Policy (or IPv6 Policy, depending).

2. Edit or create a security policy.

3. Select a proxy-based security profile. You will know that there is a proxy component to the Security Profile because when a Security Profile is Proxy based the Proxy Options field will be visible (for example, select an Antivirus profile that includes proxy scanning).

4. Beside Proxy Options, select the name of the proxy options profile configured above.

5. Select OK to save the security policy.

6. Once you complete these steps, any files in the traffic subject to Security Profile scanning handled by this policy that are larger than 8 MB will be blocked. If you have multiple firewall policies, examine each to determine if you want to apply similar file blocking to them as well.


Enabling AntiVirus scanning

Antivirus scanning is configured in an AntiVirus profile, but it is enabled in a firewall policy. Once the use of an antivirus profile is enabled and selected in one or more firewall policies, all the traffic controlled by those firewall policies will be scanned according to the settings in that profile.

In the Feature section, found by going to System > Feature Select, you can enable or disable two aspects of the Antivirus Profile.

1. Antivirus will determine if the option to use Antivirus profiles is available.

2. Multiple Security Profiles will determine if you can configure any Antivirus profiles beyond the default profile.

The Feature section can sometimes be misunderstood as to its actual effect. The enabling or disabling of a feature in this section refers to its visibility within the GUI, not whether or not the feature’s functionality will work.

If you were to disable the Antivirus Profile feature it would disappear from the GUI but not the CLI and configuration file. Since the functionality of the FortiGate unit is based on the contents of the config file any profile referred to by the policy in the configuration will be acted upon. The Feature section is primarily for keeping the GUI clean and uncluttered by features that are not being used by the administrators.

As the use of antivirus these days is practically a minimum standard for security protection the question left to decide is whether or not you wish to use multiple profiles in your configuration.

 

Antivirus profiles

From Security Profiles > AntiVirus you can edit existing profiles or create and configure new antivirus profiles that can then be applied to firewall policies. A profile is specific configuration information that defines how the traffic within a firewall policy is examined and what action may be taken based on the examination.

You can create multiple antivirus profiles for different antivirus scanning requirements. For example, you create an antivirus profile that specifies only virus scanning for POP3 which you then apply to the out-going firewall policy that is designed for users getting their email from the mail server. You can also choose specific protocols, such as HTTP, that will be scanned and if blocked, archived by the unit. This option is available only in the CLI.

Whether the mode of the antivirus detection is proxy-based or flow-based is also set within the profile.

 

Enable Antivirus steps – GUI based

1. Go to Security Profiles > AntiVirus.

2. Choose whether you want to edit an existing profile or create a new one.

  • The default profile will be the one displayed by default.
  • If you are going to edit an existing profile, selecting it can be done by either using the drop down menu in the upper right hand corner of the window or by selecting the List icon (the furthest right of the 3 icons in the upper right of the window; it resembles a page with some lines on it), and then selecting the profile you want to edit from the list.
  • If you need to create a new profile you can either select the Create New icon (a plus sign within a circle) or select the List icon and then select the Create New link in the upper left of the window that appears.

3. If you are creating a new profile, write a name for it in the Name field.

4. For the Detect Viruses field, select either Block to prevent infected files from passing through the FortiGate or Monitor to allow infected files to pass through the FortiGate but to record instances of infection.

5. Under Inspected Protocols, enable the protocols you wish to be blocked or monitored.

6. Under Inspection Options, you may enable the following: Treat Windows Executables in Email Attachments as Viruses and Include Mobile Malware Protection.

You may also enable the following options if you have a FortiCloud account active on your FortiGate: Send Files to FortiSandbox Cloud for Inspection and Use FortiSandbox Database.

Note that files can only be sent to FortiSandbox for inspection when flow-based virus scanning is in Full mode.

7. Select OK.

8. Add the Antivirus profile to a firewall security policy.

To view Mobile Malware license and version information, go to System > FortiGuard. In the License Information table, under the AntiVirus heading, find Mobile Malware Definitions.

 

Enable Antivirus steps – CLI based

You need to configure the scan option for each type of traffic you want scanned.

1. Configure the Antivirus profile

config antivirus profile
    edit "default"
        set comment "scan and delete virus"
        set replacemsg-group ''
        set scan-botnet-connections block
        set ftgd-analytics suspicious
        config http
            set options scan
        end
        config ftp
            set options scan
        end
        config imap
            set options scan
        end
        config pop3
            set options scan
        end
        config smtp
            set options scan
        end
        config nntp
            set options scan
        end
        config smb
            set options scan
        end
    end

2. Add the Antivirus profile to the FortiGate firewall security policy. When using the CLI, you will need to know the policy ID number.

config firewall policy
    edit <policy ID number>
        set av-profile default
        set profile-protocol-options default
    end


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Antivirus concepts


The word “antivirus” refers to a group of features that are designed to prevent unwanted and potentially malicious files from entering your network. These features all work in different ways, which include checking for a file size, name, or type, or for the presence of a virus or grayware signature.

The antivirus scanning routines your FortiGate unit uses are designed to share access to the network traffic. This way, each individual feature does not have to examine the network traffic as a separate operation, and the overhead is reduced significantly. For example, if you enable file filtering and virus scanning, the resources used to complete these tasks are only slightly greater than enabling virus scanning alone. Two features do not require twice the resources.

Antivirus scanning examines files for viruses, worms, trojans, and other malware. The antivirus scan engine has a database of virus signatures it uses to identify infections. If the scanner finds a signature in a file, it determines that the file is infected and takes the appropriate action.

 

Malware Threats

 

Viruses

Viruses are self-replicating code that installs copies of itself into other programs, data files, or the boot sectors of storage devices. Viruses often carry a "payload" that performs some undesirable function. These functions include, but are not limited to:

  • Stealing drive space
  • Stealing CPU cycles
  • Accessing private information
  • Corrupting data
  • Digital defacement or vandalism
  • Spamming contact lists

 

Worms

A worm is a piece of standalone computer code that replicates itself in order to spread to other computers. It normally uses a computer network to spread, exploiting security vulnerabilities on the target computer or network to propagate. Unlike a virus, it does not attach itself to an existing file. Even if there is no payload, worms consume resources such as bandwidth and storage space simply through the act of replication.

 

Trojan horses

A Trojan horse, or Trojan, is malware that is defined by its delivery method. Through social engineering or some other method, the code is installed on a system by a valid user of that system, and as with the original Trojan horse there is something more than advertised within the software. Trojans, unlike worms or viruses, are generally not self-replicating. The most common payload of a Trojan is a "backdoor" control mechanism to the system on which it is installed.

 

Ransomware

Ransomware is a type of malware that, as the name implies, holds the system to ransom until a payment of some kind is made. It does this by restricting the legitimate owner's access to the system, either by encrypting files or by locking the system. Usually, a message of some kind is displayed with the demands. Upon payment, a utility or key may be sent to the user to unlock the system, although there is no guarantee that it will be.

 

Scareware

Scareware comes in two main flavours. The first tries to convince users that their computer is infected with some non-existent malware, scaring them into purchasing the author's virus removal utility. The utility is either nonfunctional or some additional form of malware.

The second form tries to convince users that their computer has been or is being used for an illegal act, such as being part of a botnet or storing child pornography. Again, the objective is to scare the user into paying to cure something that is not really there.

 

Spyware

Spyware is used by its authors to collect information about users and their computers without the users' knowledge. The end result can be as benign as better-targeted ads, or as criminal as keyloggers designed to record the account IDs and passwords of bank accounts and forward them to the authors.

 

Adware

Adware is not malware per se. It is merely software that produces advertisements in order to generate revenue for its author. While many people find this inconvenient or irritating, it is not malware, and as such it is not blocked by the antivirus scanner for being adware. This does not mean that software with adware built into it will not be blocked if it also contains malware.

 

Botnets

A botnet is a network of Internet-connected computers that have been covertly usurped to forward transmissions to other computers on the Internet on behalf of a "master". These transmissions can be merely annoying, such as spam, or they can critically impact a target, as when used to launch a Distributed Denial of Service (DDoS) attack.

Any such computer is referred to as a zombie – in effect, a computer “robot” or “bot” that serves the wishes of some master spam or virus originator. Most computers compromised in this way are home-based.

According to a report from Russian-based Kaspersky Labs, botnets — not spam, viruses, or worms — currently pose the biggest threat to the Internet. A report from Symantec came to a similar conclusion.

 

Phishing

Phishing is a social engineering technique that is used to obtain sensitive and confidential information by masquerading as a communication from a trusted entity such as a well known institution, company, or website. Usually, the malware is not in the communication itself but in the links within the communication.

 

Grayware

Grayware programs are unsolicited software programs installed on computers, often without the user’s consent or knowledge. Grayware programs are generally considered an annoyance, but they can also cause system performance problems or be used for malicious purposes.

 

Scanning Modes

FortiOS has two different modes of scanning for malware. The reason for the different modes is the trade-off between performance and granularity. In just about everything relating to security there is a constant balancing act: as you increase the level of security and comprehensiveness, there is by necessity a decrease in convenience, performance, or both. The extra processing needed to scan for more threats requires more resources, and resources are a finite supply on the hardware. Granularity can sometimes be used to mitigate the performance impact by scanning only a smaller subset of traffic, but this is only recommended when that smaller subset is the only traffic going through the firewall.

If the traffic on the device is light, the impact on performance will hardly be noticeable, but if the unit is working close to capacity and a lot of files are coming through, there may be a noticeable decline in performance.

While both modes offer significant security, Proxy-based is weighted towards being more thorough and easily configurable, while Flow-based is designed to optimize performance.

 

Proxy

The most thorough scan requires that the FortiGate unit have the whole file for the scanning procedure. To achieve this, the antivirus proxy buffers the file as it arrives. Once the transmission is complete, the virus scanner examines the file. If no infection is present, it is sent to the destination. If an infection is present, a replacement message is sent to the destination instead.

During the buffering and scanning procedure, the client must wait. With a default configuration, the file is released to the client only after it is scanned. You can enable client comforting in the Proxy Options profile to feed the client a trickle of data to prevent them from thinking the transfer is stalled, and possibly cancelling the download.

Buffering the entire file allows the FortiGate unit to eliminate the danger of missing an infection due to fragmentation because the file is reassembled before examination. Archives can also be expanded and the contents scanned, even if archives are nested.

Since the FortiGate unit has a limited amount of memory, files larger than a certain size do not fit within the memory buffer. The default buffer size is 10 MB. You can use the uncompsizelimit CLI command (uncompressed-oversize-limit in the profile-protocol-options profile on newer firmware) to adjust the size of this memory buffer.

Files larger than the buffer are passed to the destination without scanning. You can use the Oversize File/Email setting to block files larger than the antivirus buffer if allowing files that are too large to be scanned is an unacceptable security risk.

 

Flowbased

If your FortiGate unit supports flow-based antivirus scanning, you can select it instead of proxy-based antivirus scanning. The way flow-based antivirus works changed significantly starting with firmware version 5.2.

As the packets of a file come into the FortiGate unit, a copy of each packet is cached locally before the packet is allowed to pass through to the recipient. When the last packet of the file arrives, it is also cached but put on hold. The entire cached file is then delivered to the antivirus engine for a full scan, just as it would be with the proxy-based method, using whatever antivirus database has been configured.

If the file is determined to be infected with malware, the last packet is dropped and the session is reset. Without all of the packets, the file cannot be assembled by the recipient. When a file is downloaded over an HTTP connection (or HTTPS, if SSL inspection is enabled), the flow-based feature remembers the last virus result, so any subsequent attempt to download the same file is answered directly with the appropriate blocked message, without the file being downloaded again.

Because the same engine is used as in the proxy-based method, the detection rate is the same for both methods. From the end user's standpoint, the download proceeds at full speed until the last packet, then there is a slight delay for the scan; after the determination is made only one packet has to be sent from the firewall to the recipient, so the overall transfer is faster than with the proxy-based method. Note that all but the last packet of an infected file have already reached the recipient by the time the verdict is made: the file cannot be completed, but its partial content is on the client.

Another advantage of the flow-based method is that the scanning process does not change the packets as they pass through the FortiGate unit, while proxy-based scanning can change packet details such as sequence numbers. The changes made by proxy-based scanning do not affect most networks.
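The following Python model is added here as an illustration of the two modes described above; it is not FortiOS code. It shows what reaches the client for a constructed infected file and a clean one: proxy mode buffers and releases nothing until the verdict, flow mode forwards every packet except the last and keeps a per-URL verdict cache. The signature marker, packet contents and URL are made up for the example.

```python
from typing import Dict, List

# Constructed stand-in for the signature database: a file is "infected"
# if the reassembled bytes contain this marker.
SIGNATURES = [b"EVIL-SIGNATURE"]


def scan(file_bytes: bytes) -> bool:
    """Return True if the fully reassembled file matches any signature."""
    return any(sig in file_bytes for sig in SIGNATURES)


class ProxyInspector:
    """Proxy mode: buffer the whole object, scan it, then release or replace it."""

    def __init__(self, buffer_limit: int, block_oversized: bool = False) -> None:
        self.buffer_limit = buffer_limit        # models the oversize threshold
        self.block_oversized = block_oversized  # models Block Oversized File/Email

    def transfer(self, packets: List[bytes]) -> Dict[str, object]:
        data = b"".join(packets)
        if len(data) > self.buffer_limit:
            if self.block_oversized:
                return {"verdict": "blocked-oversized", "client_received": b""}
            return {"verdict": "passed-unscanned", "client_received": data}
        if scan(data):
            # The client never sees file data, only the replacement message.
            return {"verdict": "infected", "client_received": b"",
                    "replacement_message": True}
        return {"verdict": "clean", "client_received": data}


class FlowInspector:
    """Flow mode: forward each packet as it arrives, hold only the last one,
    scan the cached copy, and drop the last packet and reset the session if
    the file is infected. The verdict is remembered per URL."""

    def __init__(self) -> None:
        self.url_cache: Dict[str, str] = {}

    def transfer(self, url: str, packets: List[bytes]) -> Dict[str, object]:
        if self.url_cache.get(url) == "infected":
            # Known-bad URL: blocked up front, nothing is downloaded again.
            return {"verdict": "blocked-cached", "client_received": b"",
                    "replacement_message": True}
        if not packets:
            return {"verdict": "clean", "client_received": b"", "session_reset": False}
        cached = bytearray()
        delivered = bytearray()
        for pkt in packets[:-1]:
            cached += pkt
            delivered += pkt  # forwarded immediately, before any verdict exists
        last = packets[-1]
        cached += last        # cached but held back
        if scan(bytes(cached)):
            self.url_cache[url] = "infected"
            return {"verdict": "infected", "client_received": bytes(delivered),
                    "session_reset": True}
        delivered += last
        return {"verdict": "clean", "client_received": bytes(delivered),
                "session_reset": False}
```

Because flow mode scans the reassembled cache rather than individual packets, a signature split across two packets is still caught; what differs between the modes is only how much of the file the client already holds when the verdict arrives.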

Additionally, when configuring flow-based virus scanning you can now choose between Quick and Full scan mode. Full mode is the same as flow-based scanning in FortiOS 5.2. Quick mode uses a compact antivirus database and advanced techniques to improve performance. Use the following command to enable quick or full mode in an antivirus profile:

config antivirus profile
    edit <profile>
        set scan-mode [quick | full]
    end

 

Antivirus scanning order

The antivirus scanning function includes various modules and engines that perform separate tasks.

 

Proxy-based antivirus scanning order

The following figure illustrates the antivirus scanning order when using proxy-based scanning. The first check for oversized files/email is to determine whether the file exceeds the configured size threshold. The uncompsizelimit check is to determine if the file can be buffered for file type and antivirus scanning. If the file is too large for the buffer, it is allowed to pass without being scanned. For more information, see the config antivirus service command. The antivirus scan includes scanning for viruses, as well as for grayware and heuristics if they are enabled.

File filtering includes file pattern and file type scans which are applied at different stages in the antivirus process.

 

Antivirus scanning order when using the normal, extended, or extreme database

If a file fails any of the tasks of the antivirus scan, no further scans are performed. For example, if the file fakefile.EXE is recognized as a blocked file pattern, the FortiGate unit will send the end user a replacement message, and delete or quarantine the file. The unit will not perform virus scan, grayware, heuristics, and file type scans because the previous checks have already determined that the file is a threat and have dealt with it.

 

Flow-based antivirus scanning order

The following figure illustrates the antivirus scanning order when using flow-based scanning (i.e. the flow-based database). The antivirus scan takes place before any other antivirus-related scan. If file filter is not enabled, the file is not buffered. The antivirus scan includes scanning for viruses, as well as for grayware and heuristics if they are enabled.

 

Figure (flattened in this copy): antivirus scanning order. The diagram starts with FTP, NNTP, SMTP, POP3, IMAP or HTTP traffic and passes it through the scanning stage and the antivirus profile filtering stage, which decides whether the file or message is buffered. In the buffering stage the diagram shows, in order, the oversized threshold checking stage, the pattern matching stage, the uncompsizelimit threshold checking stage and the type matching stage, after which the file or email is either blocked or passed to the next process.

 

Antivirus databases

The antivirus scanning engine relies on a database of virus signatures to detail the unique attributes of each infection. The antivirus scan searches for these signatures, and when one is discovered, the FortiGate unit determines the file is infected and takes action.

All FortiGate units have the normal antivirus signature database but some models have additional databases you can select for use. Which you choose depends on your network and security needs.

Normal     Includes viruses currently spreading as determined by the FortiGuard Global Security Research Team. These viruses are the greatest threat. The Normal database is the default selection and it is available on every FortiGate unit.

Extended   Includes the normal database in addition to recent viruses that are no longer active. These viruses may have been spreading within the last year but have since nearly or completely disappeared.

Extreme    Includes the extended database in addition to a large collection of 'zoo' viruses. These are viruses that have not spread in a long time and are largely dormant today. Some zoo viruses may rely on operating systems and hardware that are no longer widely used.

If your FortiGate unit supports extended, extreme, or flow-based virus database definitions, you can select the virus database most suited to your needs.

If you require the most comprehensive antivirus protection, enable the extended virus database. The additional coverage comes at a cost, however, because the extra processing requires additional resources.

 

To change the antivirus database

Use the CLI to run the following commands:

config antivirus settings
    set default-db extended
end

 

Antivirus techniques

The first three antivirus features work in sequence to efficiently scan incoming files and offer your network optimum antivirus protection. The first two features have specific functions, the third, heuristics, protects against new, or previously unknown virus threats.

To ensure that your system is providing the most protection available, all virus definitions and signatures are updated regularly through the FortiGuard antivirus services. These updates can be scheduled as often as on an hourly basis. To configure this feature, go to System > FortiGuard. Under AntiVirus & IPS Scanning, enable Schedule Updates. From here you can set the updates to occur on a consistent weekly, daily, or even hourly basis.

 

Virus scan

If the file passes the file pattern scan, the FortiGate unit applies a virus scan to it. The virus definitions are kept up-to-date through the FortiGuard Distribution Network (FDN).

 

Grayware protection

If the file passes the virus scan, it can be checked for grayware.

Grayware scanning is an optional function and must be enabled in the CLI if grayware is to be detected along with other malware. Grayware cannot be scanned for on its own: although it is performed as a separate step, antivirus scanning must be enabled as well.

To enable grayware detection enter the following in the CLI:

config antivirus settings
    set grayware enable
end

 

To disable grayware detection enter the following in the CLI:

config antivirus settings
    set grayware disable
end

Grayware signatures are kept up to date in the same manner as the antivirus definitions.

 

Heuristics

After an incoming file has passed the grayware scan, it is subjected to the heuristics scan. The FortiGate heuristic antivirus engine, if enabled, performs tests on the file to detect virus-like behavior or known virus indicators. In this way, heuristic scanning may detect new viruses, but may also produce some false positive results. You configure heuristics from the CLI.

To set heuristics, enter the following in the CLI:

 

config antivirus heuristic
    set mode {pass | block | disable}
end

  • “block” enables heuristics and any files determined to be malware are blocked from entering the network.
  • “pass” enables heuristics but any files determined to be malware are still allowed to pass through to the recipient.
  • “disable” turns off heuristics.

 

FortiGuard Antivirus

The FortiGuard Antivirus services are included in the regular FortiGuard subscription and include automatic updates of antivirus engines and definitions as well as a DNS black list (DNSBL) through the FortiGuard Distribution Network (FDN).

Current information about your subscription and version numbers can be found at System > FortiGuard. This page will also allow the configuration of connections to the FortiGuard Center and how often to check for updates to the antivirus files.

 

FortiGuard Botnet protection

Protection from having your system being controlled by a botnet is achieved by detecting and blocking connection attempts to known botnets. This feature also includes connections to known phishing sites. The FortiGuard database includes a constantly updated database of known Command and Control (C&C) sites that Botnet clients attempt to connect to, as well as a database of phishing URLs.

To enable Botnet and phishing protection in a DNS Filter profile, enable Block DNS requests to known botnet C&C.

The latest Botnet database is available from FortiGuard. To see the version of the database and display its contents, go to System > FortiGuard > Botnet Definitions. You can also block, monitor, or allow outgoing connections to Botnet sites for each FortiGate interface.

Both the DNS Filter security profile and Botnet protection feature are only available for proxy-based inspection.

 

Quarantine / Source IP ban

As of FortiOS 5.2, quarantine was a place where traffic content was held in storage where it could not interact with the network or system. This was removed, but the term quarantine was kept to describe keeping selected source IPs from interacting with the network and protected systems. This source IP ban is kept in the kernel rather than in any specific application engine and can be queried by APIs. The features that can use the APIs to access and use the banned source IP addresses are antivirus, DLP, DoS and IPS. Both IPv4 and IPv6 addresses are covered by this feature.

 

To configure the antivirus profile to add the source IP address of an infected file to the quarantine or list of banned source IP addresses edit the Antivirus profile, in the CLI as follows:

 

config antivirus profile
    edit <name of profile>
        config nac-quar
            set infected quar-src-ip
            set expiry 5m
        end
    end

 

If the quar-src-ip action is used, the additional variable expiry becomes available. This variable determines how long the source IP address will be banned. In the CLI the option is called expiry and the duration is in the format <###d##h##m>. The maximum days value is 364, the maximum hours value is 23 and the maximum minutes value is 59. The default is 5 minutes.
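The following Python helper is an added example, not part of the page or of FortiOS, for validating an expiry value against the documented format and limits before it is pushed to a device (for example from a provisioning script), and for rendering the nac-quar fragment shown above with that validated value. The component order d, h, m and the 364d/23h/59m maxima are taken from the page; treating a value with no components as malformed is this example's own choice.

```python
import re

# Documented limits for the quar-src-ip expiry value (<###d##h##m>).
MAX_DAYS, MAX_HOURS, MAX_MINUTES = 364, 23, 59
DEFAULT_EXPIRY = "5m"

# Components are optional but must appear in d, h, m order.
_EXPIRY_RE = re.compile(r"^(?:(\d{1,3})d)?(?:(\d{1,2})h)?(?:(\d{1,2})m)?$")


def parse_expiry(value: str = DEFAULT_EXPIRY) -> int:
    """Return the ban duration in seconds for an expiry string such as
    '5m', '2h30m' or '1d12h'. Raises ValueError on malformed input or on a
    component outside the documented range."""
    m = _EXPIRY_RE.match(value.strip())
    if m is None or not any(m.groups()):
        raise ValueError(f"malformed expiry {value!r}; expected <###d##h##m>")
    days, hours, minutes = (int(g) if g is not None else 0 for g in m.groups())
    for name, got, limit in (("days", days, MAX_DAYS),
                             ("hours", hours, MAX_HOURS),
                             ("minutes", minutes, MAX_MINUTES)):
        if got > limit:
            raise ValueError(f"{name} value {got} exceeds maximum {limit}")
    return days * 86400 + hours * 3600 + minutes * 60


def is_valid_expiry(value: str) -> bool:
    """Boolean form of parse_expiry for callers that only need a yes/no."""
    try:
        parse_expiry(value)
        return True
    except ValueError:
        return False


def nac_quar_cli(profile: str, expiry: str = DEFAULT_EXPIRY) -> str:
    """Render the nac-quar CLI fragment with a validated expiry value."""
    parse_expiry(expiry)  # fail here rather than at the device prompt
    return "\n".join([
        "config antivirus profile",
        f'    edit "{profile}"',
        "        config nac-quar",
        "            set infected quar-src-ip",
        f"            set expiry {expiry}",
        "        end",
        "    end",
    ])
```

The regex rejects a value such as 1h2d (wrong component order) or 100h (too many digits) outright, and the range check rejects 365d, 24h and 60m, so a script cannot push a value the device would refuse.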

 

FortiSandbox

Not every piece of malware has a signature yet. This is especially true of new malware and new variations on existing malware. FortiOS can upload suspicious files to FortiSandbox where the file will be executed and the resulting behavior analyzed for risk. If the file exhibits risky behavior or is found to contain a virus, a new virus signature is created and added to the FortiGuard antivirus signature database. The next time your FortiGate unit updates its antivirus database it will have the new signature.

A file is considered suspicious if it does not contain a known virus and if it has some suspicious characteristics. The suspicious characteristics can change depending on the current threat climate and other factors. Fortinet optimizes how files are uploaded as required.

To configure an Antivirus profile to enable the use of the FortiSandbox check the checkbox next to Send Files to FortiSandbox Cloud for Inspection — this requires you have a FortiCloud account active.

Sending files to the FortiSandbox Cloud does not block files that it uploads. Instead they are used to improve how quickly new threats can be discovered and signatures created for them and added to the FortiGuard antivirus database.

The Advanced Threat Protection dashboard widget shows the number of files that your FortiGate unit has uploaded or submitted to FortiSandbox. To see more information regarding the version of the database and display its contents, go to System > External Security Devices.

 

Client Comforting

When proxy-based antivirus scanning is enabled, the FortiGate unit buffers files as they are downloaded. Once the entire file is captured, the FortiGate unit scans it. If no infection is found, the file is sent along to the client. The client initiates the file transfer and nothing happens until the FortiGate finds the file clean, and releases it. Users can be impatient, and if the file is large or the download slow, they may cancel the download, not realizing that the transfer is in progress.

The client comforting feature solves this problem by allowing a trickle of data to flow to the client so they can see the file is being transferred. The default client comforting transfer rate sends one byte of data to the client every ten seconds. This slow transfer continues while the FortiGate unit buffers the file and scans it. If the file is infection-free, it is released and the client will receive the remainder of the transfer at full speed. If the file is infected, the FortiGate unit caches the URL and drops the connection. The client does not receive any notification of what happened because the download to the client had already started. Instead, the download stops and the user is left with a partially downloaded file.

If the user tries to download the same file again within a short period of time, the cached URL is matched and the download is blocked. The client receives the Infection cache message replacement message as a notification that the download has been blocked. The number of URLs in the cache is limited by the size of the cache.

Client comforting can send unscanned and therefore potentially infected content to the client. You should only enable client comforting if you are prepared to accept this risk. Keeping the client comforting interval high and the amount low will reduce the amount of potentially infected data that is downloaded.

Client comforting is available for HTTP and FTP traffic. If your FortiGate unit supports SSL content scanning and inspection, you can also configure client comforting for HTTPS and FTPS traffic.

 

Enable and configure client comforting

1. Go to Security Profiles > Proxy Options.

2. Select a Proxy Options profile and choose Edit, or select Create New to make a new one.

3. Scroll down to the Common Options section and check the box next to Comfort Clients. This will set the option on all of the applicable protocols. The ability to set this feature on a protocol-by-protocol basis exists in the CLI.

4. Select OK or Apply to save the changes.

5. Select this Proxy Options profile in any security policy for it to take effect on all traffic handled by the policy. The default values for Interval and Amount are 10 and 1, respectively. This means that when client comforting takes effect, 1 byte of the file is sent to the client every 10 seconds. You can change these values to vary the amount and frequency of the data transferred by client comforting.

 

Oversized files and emails

Downloaded files can range from a few kilobytes to multiple gigabytes. The problem is that a FortiGate does not have the memory to buffer a large number of large files being downloaded at the same time. Imagine the memory required for a team of developers all downloading the latest Linux distribution at once, on top of the normal requirements of the firewall. Everything would grind to a halt if the FortiGate tried to hold each of those gigabyte-plus files in memory. For some peace of mind, malware is less often delivered in files that large than in a single-megabyte download, so the exposure is somewhat limited, but files over the threshold pass through unscanned, so you will probably want the endpoint antivirus software to scan those large files after they have been downloaded.

Therefore a threshold must be set to prevent the resources of the system from becoming overloaded. By default the threshold is 10 MB. Any files larger than the threshold will not be scanned for malware. With a maximum file size threshold in place, it must now be determined what is to be done with the files that are larger than threshold. There are only 2 choices; either the file is passed through without being scanned for malware or the file is blocked. The default action for oversized files is to pass them through.

If you wish to block the downloading of files over the threshold, this can be set within the Proxy Option profile found at Security Profiles > Proxy Options, under Common Options.

Check Block Oversized File/Email.

This will reveal an additional option, Threshold (MB). The threshold of the files is set based upon the protocol being used to transfer the file. In the CLI and configuration file, the threshold variable is found in each of the protocol sections within the profile. Changing the value in this field will change the oversize-limit value for all of the protocols.

 

If you wish to change the oversize-limit value on all of the protocols covered in a Proxy Option profile you have two options.

1. You can go into the CLI and change the value manually within each of the protocol sections.

2. You can use the GUI to temporarily block oversized files, and when configuring it change the threshold to the new value that you want. Apply this setting. Then go back to the profile and turn off the block setting. If you now go into the CLI you will find that the configuration file has retained the new oversize-limit value.

The settings can be found in the CLI by going to:

config firewall profile-protocol-options
    edit <the name of the profile>

 

Archive scan depth

The antivirus scanner will open archives and scan the files inside. Archives within other archives, or nested archives, are also scanned to a default depth of twelve nestings. You can adjust the number of nested archives to which the FortiGate unit will scan with the uncompressed-nest-limit CLI command. Further, the limit is configured separately for each traffic type.

 

Configuring archive scan depth

For example, this CLI command sets the archive scan depth for SMTP traffic to 5. That is, archives within archives will be scanned five levels deep.

config firewall profile-protocol-options
    edit "default"
        config smtp
            set uncompressed-nest-limit 5
        end
    end

You can set the nesting limit from 2 to 100.

 

Scan buffer size

When checking files for viruses, there is a maximum file size that can be buffered. Files larger than this size are passed without scanning. The default size for all FortiGate models is 10 megabytes.

Archived files are extracted and email attachments are decoded before the FortiGate unit determines if they can fit in the scan buffer. For example, a 7 megabyte ZIP file containing a 12 megabyte EXE file will be passed without scanning with the default buffer size. Although the archive would fit within the buffer, the uncompressed file size will not.

 

Configuring the uncompression buffer

In this example, the uncompressed-oversize-limit CLI command is used to change the scan buffer size to 20 megabytes for files found in HTTP traffic:

config firewall profile-protocol-options
    edit "default"
        config http
            set uncompressed-oversize-limit 20
        end
    end

The maximum buffer size varies by model. Enter set uncompressed-oversize-limit ? to display the buffer size range for your FortiGate unit.
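The two limits above (uncompressed-nest-limit under "Archive scan depth" and uncompressed-oversize-limit under "Scan buffer size"), together with the oversize threshold from "Oversized files and emails", decide whether a given file is ever scanned. The Python below is an added example, not FortiOS code, that inspects a ZIP file the way those checks are described: it reports the deepest nesting level opened and the largest extracted member, and returns the verdict the page describes (pass unscanned, block oversized, or scan). Treating the outer archive as depth 1 and not opening an archive deeper than the nest limit is this example's own reading of the limit; the test inputs are constructed with the helper in the block.

```python
import io
import zipfile

MB = 1024 * 1024


def build_nested_zip(payload: bytes, levels: int, name: str = "payload.exe") -> bytes:
    """Wrap payload in `levels` nested ZIP archives (constructed test input)."""
    data, member = payload, name
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(member, data)
        data, member = buf.getvalue(), f"level{i + 1}.zip"
    return data


def _walk(data: bytes, depth: int, nest_limit: int, stats: dict) -> None:
    # Assumption: depth 1 is the outer archive; an archive deeper than
    # nest_limit is not opened, so its contents are never inspected.
    if depth > nest_limit:
        stats["nesting_exceeds_limit"] = True
        return
    stats["max_depth"] = max(stats["max_depth"], depth)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = zf.read(info)
            # Use the bytes actually extracted, not the size declared in the
            # central directory, so a lying header cannot shrink the estimate.
            stats["max_uncompressed"] = max(stats["max_uncompressed"], len(member))
            if zipfile.is_zipfile(io.BytesIO(member)):
                _walk(member, depth + 1, nest_limit, stats)


def inspect_archive(data: bytes, nest_limit: int = 12) -> dict:
    """Report the deepest archive level opened and the largest extracted member."""
    stats = {"max_depth": 0, "max_uncompressed": len(data),
             "nesting_exceeds_limit": False}
    if zipfile.is_zipfile(io.BytesIO(data)):
        _walk(data, 1, nest_limit, stats)
    return stats


def scan_verdict(data: bytes, *, oversize_limit: int = 10 * MB,
                 uncompressed_oversize_limit: int = 10 * MB,
                 nest_limit: int = 12, block_oversized: bool = False) -> str:
    """Model the proxy-mode size checks: oversize threshold first, then
    whether the extracted content fits the scan buffer."""
    if len(data) > oversize_limit:
        return "blocked-oversized" if block_oversized else "passed-unscanned"
    stats = inspect_archive(data, nest_limit)
    if stats["max_uncompressed"] > uncompressed_oversize_limit:
        return "passed-unscanned"  # extracted content will not fit the buffer
    return "scanned"
```

Run against a small ZIP that expands to more than the buffer (the 7 MB ZIP with a 12 MB EXE from the text, scaled down in the test), the verdict is passed-unscanned even though the archive itself is well under the oversize threshold; that is the gap a practitioner closes with endpoint scanning or a larger uncompressed-oversize-limit.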

 

Windows file sharing (CIFS)

FortiOS supports virus scanning of Windows file sharing traffic. This includes CIFS, SMB, and SAMBA traffic. This feature is applied by enabling SMB scanning in an antivirus profile and then adding this profile to a security policy that accepts CIFS traffic. CIFS virus scanning is available only through flow-based antivirus scanning.

FortiOS flow-based virus scanning can detect the same number of viruses in CIFS/SMB/SAMBA traffic as it can for all supported content protocols.

Note the following about CIFS/SMB/SAMBA virus scanning:

  • Some newer versions of Samba clients and SMB2 can spread one file across multiple sessions, which prevents some viruses from being detected when this occurs.
  • Enabling CIFS/SMB/SAMBA virus scanning can affect FortiGate performance.
  • SMB2 is a newer version of SMB that was first partially implemented in Windows Vista.
  • SMB2 is supported by Windows Vista or later, partly supported by Samba 3.5 and fully supported by Samba 3.6.
  • SMB 2.2 was introduced with Windows 8 (where it was renamed SMB 3.0).
  • Most clients still use SMB (version 1) as their default setting.

 

Configuring CIFS/SMB/SAMBA virus scanning

Use the following command to enable CIFS/SMB/SAMBA virus scanning in an antivirus profile:

config antivirus profile
    edit <smb-profile>
        config smb
            set options scan
        end
    end

Then add this antivirus profile to a security policy that accepts the traffic to be virus scanned. In the security policy the service can be set to ANY, SAMBA, or SMB.

config firewall policy
    edit 0
        set service ANY
        set utm-status enable
        set av-profile <smb-profile>
    end



AntiVirus

This section describes how to configure the antivirus options. From an antivirus profile you can configure the FortiGate unit to apply antivirus protection to HTTP, FTP, IMAP, POP3, SMTP, and NNTP sessions. If your FortiGate unit supports SSL content scanning and inspection, you can also configure antivirus protection for HTTPS, IMAPS, POP3S, SMTPS, and FTPS sessions.

In many cases you can just customize the default antivirus profile and apply it to the security policy that accepts the traffic to be virus scanned. You can also create custom antivirus profiles if you want to apply different types of virus protection to different traffic.

 

The following topics are included in this section:

  • Antivirus concepts
  • Enabling AntiVirus scanning
  • Testing your antivirus configuration
  • Example Scenarios


Security Profiles/lists/sensors

A profile is a group of settings that you can apply to one or more firewall policies. Each Security Profile feature is enabled and configured in a profile, list, or sensor. These are then selected in a security policy and the settings apply to all traffic matching the policy. For example, if you create an antivirus profile that enables antivirus scanning of HTTP traffic, and select the antivirus profile in the security policy that allows your users to access the World Wide Web, all of their web browsing traffic will be scanned for viruses.

Because you can use profiles in more than one security policy, you can configure one profile for the traffic types handled by a set of firewall policies requiring identical protection levels and types, rather than repeatedly configuring those same profile settings for each individual security policy.

For example, while traffic between trusted and untrusted networks might need strict protection, traffic between trusted internal addresses might need moderate protection. To provide the different levels of protection, you might configure two separate sets of profiles: one for traffic between trusted networks, and one for traffic between trusted and untrusted networks.



Security Profiles components

 

AntiVirus

Your FortiGate unit stores a virus signature database that can identify more than 15,000 individual viruses. FortiGate models that support additional virus databases are able to identify hundreds of thousands of viruses. With a FortiGuard AntiVirus subscription, the signature databases are updated whenever a new threat is discovered.

AntiVirus also includes file filtering. When you specify files by type or by file name, the FortiGate unit will stop the matching files from reaching your users.

FortiGate units with a hard drive, or units configured to use a FortiAnalyzer unit, can store infected and blocked files so that you can examine them later.

 

Web Filter

Web filtering includes a number of features you can use to protect or limit your users’ activity on the web. FortiGuard Web Filtering is a subscription service that allows you to limit access to web sites. More than 60 million web sites and two billion web pages are rated by category. You can choose to allow or block each of the 77 categories.

URL filtering can block your network users from access to URLs that you specify.

Web content filtering can restrict access to web pages based on words and phrases appearing on the web page itself. You can build lists of words and phrases, each with a score. When a web content list is selected in a web filter profile, you can specify a threshold. If a user attempts to load a web page and the total score of the listed words and phrases found on the page exceeds the threshold, the web page is blocked.
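As an added illustration of the score and threshold rule (this is not code from the FortiOS handbook, and it does not claim to reproduce the FortiGate's internal matching), the following scores constructed HTML pages against a small word list and applies a threshold the way the paragraph describes. Markup, scripts, style blocks and comments are stripped before matching, so a phrase split by a tag or a line break still counts while text a user never sees does not. Whether a real FortiGate adds a pattern's score once or once per occurrence is not stated on this page, so per-occurrence counting is an option that defaults to off.

```python
"""Web content filter scoring, as an added illustration of the score/threshold rule."""
import html
import re


def visible_text(page: str) -> str:
    """Reduce an HTML page to the text a reader sees: drop script/style blocks,
    tags and comments, decode entities, and collapse whitespace so that a phrase
    split by a tag or a line break still reads as one phrase."""
    page = re.sub(r"(?is)<(script|style)\b.*?</\1\s*>", " ", page)
    page = re.sub(r"(?s)<[^>]*>", " ", page)
    return " ".join(html.unescape(page).split())


def score_page(page: str, patterns: dict, count_occurrences: bool = False) -> tuple:
    """Sum the scores of the listed words and phrases found in the page (case-insensitive).

    Each matching pattern contributes its score once. With count_occurrences=True
    (an assumption about repeated words, not something the page states) every
    occurrence adds the score again. Returns (total, matched_patterns).
    """
    text = visible_text(page).lower()
    total, matched = 0, []
    for pattern, score in patterns.items():
        hits = text.count(pattern.lower())
        if hits:
            total += score * (hits if count_occurrences else 1)
            matched.append(pattern)
    return total, matched


def decide(page: str, patterns: dict, threshold: int) -> tuple:
    """Block only when the total strictly exceeds the threshold, as the text says."""
    total, matched = score_page(page, patterns)
    return ("block" if total > threshold else "allow", total, matched)


# Constructed word list and pages (not real traffic or a real FortiGate list).
PATTERNS = {"casino": 40, "free spins": 30, "poker": 20}
THRESHOLD = 50
PAGE_BLOCK = ("<html><head><title>Lucky</title><style>p{color:red}</style></head>"
              "<body><h1>Online CASINO</h1><p>Get your free\n<b>spins</b> today &amp; play poker.</p>"
              "</body></html>")
# 'casino' appears here only in a comment and a script, which a reader never sees.
PAGE_ALLOW = ("<html><body><p>Poker strategy articles.</p><!-- casino --><script>var s='casino';</script>"
              "</body></html>")
# Scores exactly 50: equal to the threshold, so not blocked.
PAGE_EDGE = "<html><body><p>Free spins and poker nightly.</p></body></html>"

if __name__ == "__main__":
    for name, page in (("block", PAGE_BLOCK), ("allow", PAGE_ALLOW), ("edge", PAGE_EDGE)):
        print(name, decide(page, PATTERNS, THRESHOLD))
```

The edge page is the case worth remembering when tuning a list: a total equal to the threshold is allowed, so set the threshold one below the lowest combination you intend to block.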

 

DNS Filter

Application Control

Although you can block the use of some applications by blocking the ports they use for communications, many applications do not use standard ports to communicate. Application control can detect the network traffic of more than 1000 applications, improving your control over application communication.

 

Intrusion Protection

The FortiGate Intrusion Protection System (IPS) protects your network against hacking and other attempts to exploit vulnerabilities of your systems. More than 3,000 signatures are able to detect exploits against various operating systems, host types, protocols, and applications. These exploits can be stopped before they reach your internal network.

You can also write custom signatures, tailored to your network.

 

AntiSpam

FortiGuard Anti-Spam is a subscription service that includes an IP address black list, a URL black list, and an email checksum database. These resources are updated whenever new spam messages are received, so you do not need to maintain any lists or databases to ensure accurate spam detection.

You can use your own IP address lists and email address lists to allow or deny addresses, based on your own needs and circumstances.

 

Data Leak Prevention

Data Leak Prevention (DLP) allows you to define the format of sensitive data. The FortiGate unit can then monitor network traffic and stop sensitive information from leaving your network. Rules for U.S. social security numbers, Canadian social insurance numbers, as well as Visa, Mastercard, and American Express card numbers are included.
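To show what a rule for "the format of sensitive data" looks like in practice, the following added example (not FortiGate's built-in rules, whose matching details this page does not describe) finds Visa, Mastercard and American Express numbers, U.S. social security numbers and Canadian social insurance numbers in constructed sample text. Digit strings that merely look like such numbers are the main source of DLP false positives, so each candidate must also pass a format check: the Luhn checksum for cards and SINs, and the never-issued area/group/serial values for SSNs.

```python
"""Sensitive-data detection with format checks, as an added DLP illustration."""
import re

# Candidate card numbers: 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# U.S. SSN in its dashed form only, to avoid matching arbitrary 9-digit numbers.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")
# Canadian SIN: three groups of three digits.
SIN_RE = re.compile(r"(?<!\d)\d{3}[ -]?\d{3}[ -]?\d{3}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used by payment card numbers and Canadian SINs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def card_brand(digits: str):
    """Issuer by prefix and length; only the brands the page names are recognised."""
    n = len(digits)
    if digits.startswith("4") and n in (13, 16, 19):
        return "Visa"
    if n == 15 and digits[:2] in ("34", "37"):
        return "American Express"
    if n == 16 and (51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720):
        return "Mastercard"
    return None


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000, 666 or 900-999, group 00, serial 0000."""
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")


def find_sensitive(text: str) -> list:
    """Return (kind, matched_text) for every candidate that passes its format check."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        brand = card_brand(digits)
        if brand and luhn_ok(digits):
            hits.append((brand, m.group()))
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            hits.append(("US SSN", m.group()))
    for m in SIN_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            hits.append(("Canadian SIN", m.group()))
    return hits


# Constructed sample text. The card and SIN values are the public test numbers;
# line 4 is a Visa-shaped number with a bad checksum, and 000-12-3456 is an
# impossible SSN, so neither should be reported.
SAMPLE = """\
customer=alice card=4111 1111 1111 1111 exp=12/27
customer=bob card=5500 0000 0000 0004
customer=carol card=3782 822463 10005
invoice=4111 1111 1111 1112 total=19.99
ssn=123-45-6789 bad_ssn=000-12-3456
sin=046 454 286 order=123456789012
"""

if __name__ == "__main__":
    for kind, value in find_sensitive(SAMPLE):
        print(f"{kind:18} {value}")
```

The order of checks matters for tuning: a regex alone would flag the bad-checksum invoice number and the impossible SSN, which is the noise that makes operators loosen a DLP rule until it stops catching real leaks.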

 

VoIP

The Session Initiation Protocol (SIP) is an IETF application layer signaling protocol used for establishing, conducting, and terminating multiuser multimedia sessions over TCP/IP networks using any media. SIP is often used for Voice over IP (VoIP) calls but can be used for establishing streaming communication between end points.

For more information, see VoIP Solutions: SIP.

 

ICAP

ICAP (Internet Content Adaptation Protocol) lets the FortiGate hand HTTP requests and responses to a separate ICAP server for processing, for example additional content scanning by a third-party product. Offloading that work to the ICAP server keeps the FortiGate's own resources available for its other inspection tasks and helps it maintain the best level of performance possible.

 

FortiClient Profiles

FortiClient is a comprehensive endpoint security solution that extends Fortinet's Advanced Threat Protection (ATP) to end-user devices. FortiClient 5.4.0 adds two notable capabilities for the detection of Advanced Persistent Threats (APT): Botnet Command and Control (C&C) communications detection and FortiSandbox integration (Windows only).

For more information, see FortiClient 5.4.0 Administration Guide.

 

Proxy Options

Proxy Options includes features you can configure for when your FortiGate is operating in proxy mode, including protocol port mapping, block oversized files/emails, and other web and email options.

 

SSL Inspection

SSL Inspection (otherwise known as Deep Inspection) is used to scan HTTPS traffic in the same way that HTTP traffic can be scanned. The FortiGate terminates the client's encrypted session itself, presenting the client with a server certificate that it has re-signed using its own CA certificate, decrypts and inspects the traffic, and then re-encrypts it on a second session to the intended destination. Clients must therefore trust the FortiGate's CA certificate, or every inspected site will produce certificate warnings.

Individual Deep Inspection profiles can be created, depending on the requirements of the policy. Depending on the profile, you can:

  • Configure which CA certificate will be used to re-sign the server certificates presented to clients for the decrypted sessions
  • Configure which SSL protocols will be inspected
  • Configure which ports will be associated with which SSL protocols for inspection
  • Configure whether or not to allow invalid SSL certificates (because the client only ever sees the FortiGate's re-signed certificate, allowing invalid certificates here means the client can no longer detect that the real server's certificate was invalid)
  • Configure whether or not SSH traffic will be inspected
