Tag Archives: Testing your antivirus configuration fortinet

Testing your antivirus configuration

Testing your antivirus configuration

You have configured your FortiGate unit to stop viruses, but you’d like to confirm your settings are correct. Even if you have a real virus, it would be dangerous to use for this purpose. An incorrect configuration will allow the virus to infect your network.

To solve this problem, the European Institute of Computer Anti-virus Research has developed a test file that allows you to test your antivirus configuration. The EICAR test file is not a virus. It can not infect computers, nor can it spread or cause any damage. It’s a very small file that contains a sequence of characters. Your FortiGate unit recognizes the EICAR test file as a virus so you can safely test your FortiGate unit antivirus configuration.

Go to http://www.fortiguard.com/antivirus/eicartest.html to download the test file (eicar.com) or the test file in a ZIP archive (eicar.zip).

If the antivirus profile applied to the security policy that allows you access to the Web is configured to scan HTTP traffic for viruses, any attempt to download the test file will be blocked. This indicates that you are protected.

 

Example Scenarios

The following examples provide a sample antivirus configuration scenarios.

 

Configuring simple default antivirus profile

The Antivirus function is so straight forward and widely used that many users just create one default profile and use that on all of the applicable firewall policies. If performance is not a real concern and the unit’s resources are not being stretched, it is perfectly reasonable to create one profile that covers the range of uses found in your environment. This example is one possible default configuration.

 

Context:

  • This is an edited default profile and will be used on all security policies
  • It will need to scan for malware on all available protocols.
  • Malware, botnets, and grayware should be blocked
  • The inspection method should be flow-based
  • A current FortiCloud account is available

 

Creating the profile – GUI

1. In the following fields, enter the indicated values or selections:

Name                                           default

Comments                                  Scans all traffic from Internet for malware

Inspection Mode                       Flow-based

Detect Virus                               Block

Send Files to FortiSandbox for Inspection checked

  • Suspicious Files Only         checked

Detect Connections to Bot- net C&C Servers checked

  • Block                                      checked

2. Check the appropriate protocols:

 

Protocol                                   Virus Scan and Block
 

HTTP                                           checked

SMTP                                          checked
POP3                                           checked
IMAP                                           checked
MAPI                                           checked
FTP                                             checked
NNTP                                          checked

 

3. Select Apply.

4. Enable grayware scanning

config antivirus settings set grayware enable

end

 

Creating the profile – CLI

1. Enter the CLI by one of the following methods:

  • SSH through a terminal emulator
  • CLI Console widget
  • FortiExplorer’s CLI mode

2. Enter the following commands:

config antivirus profile edit default

set comment “scan and delete virus” set inspection-mode flow-based

set scan-botnet-connections block set ftgd-analytics suspicious config http

set options scan end

config ftp

set options scan end

config imap

set options scan end

config pop3

set options scan end

config smtp

set options scan end

config nntp

set options scan end

config smb

set options scan end

end

3. Enable grayware scanning

config antivirus settings set grayware enable

end

 

Setting up a basic proxy-based Antivirus profile for email traffic

Small offices, whether they are small companies, home offices, or satellite offices, often have very simple needs. This example details how to enable antivirus protection on a FortiGate unit located in a satellite office.

 

Context:

  • The satellite office does not have an internal email server. To send and retrieve email, the employees connect to an external mail server.
  • There is a specific firewall security profile that handles the email traffic from the Internet to the mail server. The only traffic on this policy will be POP3 and IMAP and SMTP
  • The company policy is to block viruses and connections to botnets.
  • The FortiGate unit is a small model and the Internet bandwidth is limited so the policy is to not submit files to the FortiSandbox.

 

Creating the profile – GUI

1. In the following fields, enter the indicated values or selections:

Name                                           email-av

Comments                                  Scans email traffic from Internet for malware

Inspection Mode                       Proxy

Detect Virus                               Block

Send Files to FortiSandbox for Inspection checked

  • Suspicious Files Only         checked

 

Detect Connections to Bot- net C&C Servers checked

  • Block                                      checked

2. Check the appropriate protocols:

 

Protocol                                   Virus Scan and Block
 

HTTP                                           checked

SMTP                                          checked
POP3                                           checked
IMAP                                           checked
MAPI                                           checked
FTP                                             checked
NNTP                                          checked


3
. Select Apply.

 

Creating the profile – CLI

1. Enter the CLI by one of the following methods:

  • SSH through a terminal emulator
  • CLI Console widget
  • FortiExplorer’s CLI mode

2. Enter the following commands:

Config antivirus profile edit “email-av”

set comment “Scans email traffic from Internet for malware” set inspection-mode proxy

config imap

set options scan end

config pop3

set options scan end

config smtp

set options scan end

end

 

Adding the profile to a policy

In this scenario the following assumptions will be made:

  • The policy that the profile is going to be added to is an IPv4 policy.
  • The ID number of the policy is 11.
  • The Antivirus profile being added will be the “default” profile
  • The SSL/SSH Inspection profile used will be the “default” profile

 

FortiClient enforcement has been moved from the Policy page to Networ> Interfaces to enforce FortiClient registration on a desired LAN interface rather than a policy.

 

Adding the profile – GUI

1. Go to Policy & Objects > IPv4 Policy.

2. Use your preferred method of finding a policy.

  • If the ID column is available you can use that.
  • You can also choose based on your knowledge of the parameters of the policy
  • Select the policy with ID value of 11

3. In the Edit Policy window, go to the Security Profiles section

4. Turn ON AntiVirus, and in the drop down menu for the field, select default

5. If the AntiVirus profile is proxy-based the Proxy Options field and drop down menu will be revealed.

6. The SSL/SSH Inspection field will automatically be set to ON and one of the profiles will need to be selected from the drop down menu. In this case default is selected.

7. The log options will depend on your requirements and resources but to verify that everything is working properly, it is a good idea to turn ON logging of All Sessions after setting up a new profile and after giving some time for logs to accumulate

8. Turn on Antivirus.

9. Select an antivirus profile.

10. Select OK to save the security policy.

 

Adding the profile – CLI

To select the antivirus profile in a security policy — CLI

config firewall policy edit 11

set utm-status enable

set profile-protocol-options default set av-profile basic_antivirus

end

 

Block files larger than 8 MB

Set proxy options profile to block files larger than 8 MB

1. Go to Security Profiles > Proxy Options.

2. Edit the default or select Create New to add a new one.

3. Scroll down to the common Options Section and place a check in the box next to BlockOversized File/Email

4. The sub line Threshold (MB) will appear with a value field. Enter 8.

5. Select OK or Apply.

The proxy options profile is configured, but to block files, you must select it in the firewall policies handling the traffic that contains the files you want blocked.

 

To select the Proxy Options profile in a security policy

1. Go to Policy & Objects > IPv4 Policy (or IPv6 Policy, depending).

2. Edit or create a security policy.

3. Select a proxy-based security profile. You will know that there is a proxy component to the Security Profile because when a Security Profile is Proxy based the Proxy Options field will be visible (for example, select an Antivirus profile that includes proxy scanning).

4. Beside Proxy Options select the name of the MTU proxy options protocol.

5. Select OK to save the security policy.

6. Once you complete these steps, any files in the traffic subject to Security Profile scanning handled by this policy that are larger than 8MB will be blocked. If you have multiple firewall policies, examine each to determine if you want to apply similar file blocking the them as well.