FortiOS 5.6 Online Help Link FortiOS 5.4 Online Help Link FortiOS 5.2 Online Help Link FortiOS 5.0 Online Help Link

Home > Online Help

> Chapter 25 - Security Profiles > AntiVirus > Example scenarios

Example scenarios

The following examples provide a sample antivirus configuration scenarios.

Configuring simple default AntiVirus profile

The Antivirus function is so straightforward and widely used that many users just create one default profile and use that on all of the applicable firewall policies. If performance is not a real concern and the unit’s resources are not being stretched, it is perfectly reasonable to create one profile that covers the range of uses found in your environment. This example is one possible default configuration.

Context:

  • This is an edited default profile and will be used on all security policies
  • It will need to scan for malware on all available protocols.
  • Malware, botnets, and grayware should be blocked
  • The inspection method should be flow-based
  • A current FortiCloud account is available

Creating the profile - GUI

  1. In the following fields, enter the indicated values or selections:
Name default
Comments Scans all traffic from Internet for malware
Inspection Mode Flow-based
Detect Virus Block
Send Files to FortiSandbox for Inspection checked
•   Suspicious Files Only checked (not applicable in FortiOS 5.4.1 and later)
Detect Connections to Botnet C&C Servers checked
•   Block checked
  1. Check the appropriate protocols:
Inspected Protocols Virus Scan and Block
HTTP checked
SMTP checked
POP3 checked
IMAP checked
MAPI checked
FTP checked
NNTP checked
  1. Select Apply.
  2. Enable grayware scanning

config antivirus settings

set grayware enable

end

Creating the profile - CLI

  1. Enter the CLI by one of the following methods:
  • SSH through a terminal emulator
  • CLI Console widget
  • FortiExplorer’s CLI mode
  1. Enter the following commands:

config antivirus profile

edit default

set comment "scan and delete virus"

set inspection-mode flow-based

set scan-botnet-connections block

set ftgd-analytics suspicious

config http

set options scan

end

config ftp

set options scan

end

config imap

set options scan

end

config pop3

set options scan

end

config smtp

set options scan

end

config nntp

set options scan

end

config smb

set options scan

end

end

 

  1. Enable grayware scanning

config antivirus settings

set grayware enable

end

Setting up a basic proxy-based AntiVirus profile for email traffic

Small offices, whether they are small companies, home offices, or satellite offices, often have very simple needs. This example details how to enable antivirus protection on a FortiGate unit located in a satellite office.

Context:

  • The satellite office does not have an internal email server. To send and retrieve email, the employees connect to an external mail server.
  • There is a specific firewall security profile that handles the email traffic from the Internet to the mail server. The only traffic on this policy will be POP3 and IMAP and SMTP
  • The company policy is to block viruses and connections to botnets.
  • The FortiGate unit is a small model and the Internet bandwidth is limited so the policy is to not submit files to the FortiSandbox.

Creating the profile - GUI

  1. In the following fields, enter the indicated values or selections:
Name email-av
Comments Scans email traffic from Internet for malware
Inspection Mode Proxy
Detect Virus Block
Send Files to FortiSandbox for Inspection checked
•   Suspicious Files Only checked
Detect Connections to Botnet C&C Servers checked
•   Block checked
  1. Check the appropriate protocols:
Inspected Protocols Virus Scan and Block
HTTP checked
SMTP checked
POP3 checked
IMAP checked
MAPI checked
FTP checked
NNTP checked
  1. Select Apply.

Creating the profile - CLI

  1. Enter the CLI by one of the following methods:
  • SSH through a terminal emulator
  • CLI Console widget
  • FortiExplorer’s CLI mode
  1. Enter the following commands:

Config antivirus profile

edit "email-av"

set comment "Scans email traffic from Internet for malware"

set inspection-mode proxy

config imap

set options scan

end

config pop3

set options scan

end

config smtp

set options scan

end

end

Adding the profile to a policy

In this scenario the following assumptions will be made:

  • The policy that the profile is going to be added to is an IPv4 policy.
  • The ID number of the policy is 11.
  • The AntiVirus profile being added will be the "default" profile
  • The SSL/SSH Inspection profile used will be the "default" profile
note icon FortiClient enforcement has been moved from the Policy page to Network > Interfaces to enforce FortiClient registration on a desired LAN interface rather than a policy.

Adding the profile - GUI

  1. Go to Policy & Objects > IPv4 Policy.
  2. Use your preferred method of finding a policy.
  • If the ID column is available you can use that.
  • You can also choose based on your knowledge of the parameters of the policy
  • Select the policy with ID value of 11
  1. In the Edit Policy window, go to the Security Profiles section
  2. Turn ON AntiVirus, and in the drop down menu for the field, select default
  3. If the AntiVirus profile is proxy-based the Proxy Options field and drop down menu will be revealed.
  4. The SSL/SSH Inspection field will automatically be set to ON and one of the profiles will need to be selected from the drop down menu. In this case default is selected.
  5. The log options will depend on your requirements and resources but to verify that everything is working properly, it is a good idea to turn ON logging of All Sessions after setting up a new profile and after giving some time for logs to accumulate
  6. Turn on Antivirus.
  7. Select an antivirus profile.
  8. Select OK to save the security policy.

Adding the profile - CLI

To select the antivirus profile in a security policy — CLI

config firewall policy

edit 11

set utm-status enable

set profile-protocol-options default

set av-profile basic_antivirus

end

Block files larger than 8 MB

Set proxy options profile to block files larger than 8 MB

  1. Go to Security Profiles > Proxy Options.
  2. Edit the default or select Create New to add a new one.
  3. Scroll down to the common Options Section and place a check in the box next to BlockOversized File/Email
  4. The sub line Threshold (MB) will appear with a value field. Enter 8.
  5. Select OK or Apply.

The proxy options profile is configured, but to block files, you must select it in the firewall policies handling the traffic that contains the files you want blocked.

To select the Proxy Options profile in a security policy

  1. Go to Policy & Objects > IPv4 Policy (or IPv6 Policy, depending).
  2. Edit or create a security policy.
  3. Select a proxy-based security profile. You will know that there is a proxy component to the Security Profile because when a Security Profile is Proxy based the Proxy Options field will be visible (for example, select an Antivirus profile that includes proxy scanning).
  4. Beside Proxy Options select the name of the MTU proxy options protocol.
  5. Select OK to save the security policy.
  6. Once you complete these steps, any files in the traffic subject to Security Profile scanning handled by this policy that are larger than 8MB will be blocked. If you have multiple firewall policies, examine each to determine if you want to apply similar file blocking the them as well.