Enabling AntiVirus scanning
Antivirus scanning is configured in an antivirus profile, but it is enabled in a firewall policy. Once the use of an antivirus profile is enabled and selected in one or more firewall policies, all the traffic controlled by those firewall policies will be scanned according to the settings in that profile.
In the Features section, found under System > Config > Features, you can enable or disable two aspects of the Antivirus profile.
- Antivirus will determine if the option to use Antivirus profiles is available.
- Multiple Security Profiles will determine if you can configure any Antivirus profiles beyond the default profile.
The Features section is sometimes misunderstood as to its actual effect. Enabling or disabling a feature in this section controls only its visibility within the GUI, not whether the feature's functionality works. If you were to disable the Antivirus Profile feature it would disappear from the GUI, but not from the CLI or the configuration file. Since the behaviour of the FortiGate unit is based on the contents of the config file, any profile referred to by a policy in the configuration will still be acted upon. The Features section is primarily for keeping the GUI clean and uncluttered by features that the administrators are not using.
As the use of antivirus is these days practically a minimum standard for security protection, the question left to decide is whether or not you wish to use multiple profiles in your configuration.
Antivirus profiles
From Security Profiles > Antivirus you can edit existing profiles or create and configure new antivirus profiles that can then be applied to firewall policies. A profile is specific configuration information that defines how the traffic within a firewall policy is examined and what action may be taken based on the examination.
You can create multiple antivirus profiles for different antivirus scanning requirements. For example, you might create an antivirus profile that specifies virus scanning only for POP3, which you then apply to the outgoing firewall policy designed for users retrieving their email from the mail server. You can also choose specific protocols, such as HTTP, that will be scanned and, if blocked, archived by the unit. This option is available only in the CLI.
Whether the mode of the antivirus detection is proxy-based or flow-based is also set within the profile.
Enable Antivirus steps - GUI based
- Go to Security Profiles > AntiVirus.
- Choose whether you want to edit an existing profile or create a new one.
- The default profile will be the one displayed by default.
- If you are going to edit an existing profile, select it either by using the drop-down menu in the upper right-hand corner of the window or by selecting the List icon (the rightmost of the 3 icons in the upper right of the window; it resembles a page with some lines on it), and then selecting the profile you want to edit from the list.
- If you need to create a new profile you can either select the Create New icon (a plus sign within a circle) or select the List icon and then select the Create New link in the upper left of the window that appears.
- If you are creating a new profile, write a name for it in the Name field.
- Add or edit the Comments fields to more clearly describe the function.
- Select the Inspection Mode.
- For the Detect Viruses field, select either Block to prevent infected files from passing through the FortiGate, or Monitor to allow infected files to pass through the FortiGate but record each instance of infection.
- If you have a FortiCloud account, you can select Send Files to FortiGuard Sandbox for Inspection (requires a FortiCloud account).
- You can select whether to send All Files to the Sandbox or Suspicious Files Only.
- If you wish to use the Botnet feature, you can select Detect Connections to Botnet C&C Servers.
- As with virus detection, you can select whether to Block or Monitor the files that contain botnet or phishing connections.
- Select OK or Apply.
- Add the Antivirus profile to a firewall security policy.
Enable Antivirus steps - CLI based
You need to configure the scan option for each type of traffic you want scanned.
- Configure the Antivirus profile
config antivirus profile
    edit "default"
        set comment "scan and delete virus"
        set replacemsg-group ''
        set scan-botnet-connections block
        set ftgd-analytics suspicious
        config http
            set options scan
        end
        config ftp
            set options scan
        end
        config imap
            set options scan
        end
        config pop3
            set options scan
        end
        config smtp
            set options scan
        end
        config nntp
            set options scan
        end
        config smb
            set options scan
        end
    end
- Add the Antivirus profile to the FortiGate firewall security policy. When using the CLI, you will need to know the policy ID number.
config firewall policy
    edit <policy ID number>
        set utm-status enable
        set av-profile default
        set profile-protocol-options default
    end
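Because the configuration file, not GUI visibility, decides what the unit enforces, a quick audit of a configuration backup answers the question "which policies actually scan what?". The following is an added example, not Fortinet's code: it parses the config/edit/set/next/end format shown above and reports, for each firewall policy, the antivirus profile it references, whether that profile is in force, and which protocol tables in the profile have scanning enabled. It assumes a policy's utm-status must be enable for its av-profile to take effect (a setting the steps above do not show), and the sample configuration is constructed.

```python
import shlex

# Constructed statements in the order they appear in a configuration backup.
SAMPLE_CONFIG = "\n".join([
    "config antivirus profile",
    '  edit "default"', "    config http", "      set options scan", "    end",
    "    config pop3", "      set options scan", "    end", "  next",
    '  edit "pop3-only"', "    config pop3", "      set options scan", "    end", "  next",
    "end",
    "config firewall policy",
    "  edit 1", "    set utm-status enable", '    set av-profile "default"', "  next",
    "  edit 2", '    set av-profile "pop3-only"', "  next",   # profile set, UTM off
    "  edit 3", "    set utm-status enable", "  next",        # UTM on, no profile
    "end",
])

def parse_fortios(text):
    """Turn FortiOS config/edit/set/next/end text into nested dicts: a
    'config' or 'edit' opens a dict, 'set' stores its values as a list."""
    root = {}
    stack = [("config", root)]                       # (frame kind, node)
    for raw in text.splitlines():
        words = shlex.split(raw)
        if not words:
            continue
        kw, args = words[0], words[1:]
        if kw in ("config", "edit"):
            stack.append((kw, stack[-1][1].setdefault(" ".join(args), {})))
        elif kw == "set":
            stack[-1][1][args[0]] = args[1:]
        elif kw == "next":
            stack.pop()
        elif kw == "end":                            # also closes an open edit
            while stack.pop()[0] != "config":
                pass
    return root

def av_coverage(config):
    """Per firewall policy: referenced AV profile, whether it is in force
    (assumes utm-status must be enable) and which protocols it scans."""
    profiles = config.get("antivirus profile", {})
    report = {}
    for pol_id, pol in config.get("firewall policy", {}).items():
        name = pol.get("av-profile", [None])[0]
        active = name is not None and pol.get("utm-status", []) == ["enable"]
        scans = []
        if active:
            for proto, sub in profiles.get(name, {}).items():
                if isinstance(sub, dict) and "scan" in sub.get("options", []):
                    scans.append(proto)
        report[pol_id] = {"profile": name, "active": active, "scans": sorted(scans)}
    return report
```

Run against a real backup, any policy reported with a profile but active False, or with an empty scans list, is passing traffic unscanned despite what the GUI suggests.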