Enabling AntiVirus scanning

Antivirus scanning is configured in an antivirus profile, but it is enabled in a firewall policy. Once the use of an antivirus profile is enabled and selected in one or more firewall policies, all the traffic controlled by those firewall policies will be scanned according to the settings in that profile.

In the Feature section, found by going to System > Config > Features, you can enable or disable two aspects of the Antivirus Profile.

  1. Antivirus will determine if the option to use Antivirus profiles is available.
  2. Multiple Security Profiles will determine if you can configure any Antivirus profiles beyond the default profile.

The actual effect of the Feature section is sometimes misunderstood. Enabling or disabling a feature in this section controls its visibility within the GUI, not whether the feature's functionality works. If you were to disable the Antivirus Profile feature, it would disappear from the GUI but not from the CLI or the configuration file. Because the functionality of the FortiGate unit is based on the contents of the config file, any profile referred to by a policy in the configuration will be acted upon. The Feature section is primarily for keeping the GUI clean and uncluttered by features that the administrators are not using.

As the use of antivirus these days is practically a minimum standard for security protection, the question left to decide is whether or not you wish to use multiple profiles in your configuration.

Antivirus profiles

From Security Profiles > Antivirus you can edit existing profiles or create and configure new antivirus profiles that can then be applied to firewall policies. A profile is specific configuration information that defines how the traffic within a firewall policy is examined and what action may be taken based on the examination.

You can create multiple antivirus profiles for different antivirus scanning requirements. For example, you can create an antivirus profile that specifies only virus scanning for POP3, which you then apply to the out-going firewall policy that is designed for users getting their email from the mail server. You can also choose specific protocols, such as HTTP, that will be scanned and, if blocked, archived by the unit. This option is available only in the CLI.

Whether the mode of the antivirus detection is proxy-based or flow-based is also set within the profile.

Enable Antivirus steps - GUI based

  1. Go to Security Profiles > AntiVirus.
  2. Choose whether you want to edit an existing profile or create a new one.
     • The default profile will be the one displayed by default.
     • If you are going to edit an existing profile, you can select it either by using the drop-down menu in the upper right-hand corner of the window or by selecting the List icon (the furthest right of the 3 icons in the upper right of the window; it resembles a page with some lines on it) and then selecting the profile you want to edit from the list.
     • If you need to create a new profile, you can either select the Create New icon (a plus sign within a circle) or select the List icon and then select the Create New link in the upper left of the window that appears.
  3. If you are creating a new profile, write a name for it in the Name field.
  4. Add or edit the Comments field to more clearly describe the function.
  5. Select the Inspection Mode.
  6. For the Detect Viruses field, select either Block to prevent infected files from passing through the FortiGate or Monitor to allow infected files to pass through the FortiGate but to record instances of infection.
  7. If you have a FortiCloud account, you can select Send Files to FortiGuard Sandbox for Inspection (Requires FortiCloud account).
     • You can select whether to send All Files to the Sandbox or Suspicious Files Only.
  8. If you wish to use the Botnet feature, you can select Detect Connections to Botnet C&C Servers.
     • Just like with the viruses, you can select whether to Block or Monitor the files that contain botnet or phishing connections.
  9. Select OK or Apply.
  10. Add the Antivirus profile to a firewall security policy.

Enable Antivirus steps - CLI based

You need to configure the scan option for each type of traffic you want scanned.

  1. Configure the Antivirus profile

      config antivirus profile
          edit "default"
              set comment "scan and delete virus"
              set replacemsg-group ''
              set scan-botnet-connections block
              set ftgd-analytics suspicious
              config http
                  set options scan
              end
              config ftp
                  set options scan
              end
              config imap
                  set options scan
              end
              config pop3
                  set options scan
              end
              config smtp
                  set options scan
              end
              config nntp
                  set options scan
              end
              config smb
                  set options scan
              end
      end

  2. Add the Antivirus profile to the FortiGate firewall security policy. When using the CLI, you will need to know the policy ID number.

      config firewall policy
          edit <policy ID number>
              set av-profile default
              set profile-protocol-options default
      end
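
Because the unit acts on the configuration file rather than on what the GUI shows, and scanning applies only to traffic in policies that reference a profile, a configuration backup can be checked offline for policies that are not scanned. The following is an added example, not Fortinet code: the names parse, audit and SAMPLE are this example's own, and it assumes a backup in which every statement sits on one line.

```python
import shlex

# Constructed sample in the CLI syntax shown above; not a real device backup.
SAMPLE = """
config antivirus profile
edit "default"
config http
set options scan
end
config pop3
set options scan
end
end
config firewall policy
edit 1
set av-profile "default"
next
edit 2
set comments "no antivirus profile referenced"
end
"""

def parse(text):
    """Turn config/edit/set/next/end nesting into nested dicts."""
    root = {}
    stack = [("config", root)]
    for line in text.splitlines():
        tok = shlex.split(line)
        if tok[:1] in (["config"], ["edit"]):
            stack.append((tok[0], stack[-1][1].setdefault(" ".join(tok[1:]), {})))
        elif tok[:1] == ["set"]:
            stack[-1][1][tok[1]] = " ".join(tok[2:])
        elif tok[:1] in (["next"], ["end"]):
            if tok[0] == "end" and stack[-1][0] == "edit":
                stack.pop()  # "end" typed inside an edit closes the edit too
            stack.pop()
    return root

def audit(cfg):
    """Policy ID -> protocols its AV profile scans (None: no usable profile)."""
    profiles, report = cfg.get("antivirus profile", {}), {}
    for pid, pol in cfg.get("firewall policy", {}).items():
        prof = profiles.get(pol.get("av-profile"))
        report[pid] = None if prof is None else sorted(
            p for p, v in prof.items()
            if isinstance(v, dict) and "scan" in v.get("options", "").split())
    return report
```

Calling audit(parse(text)) on a backup returns, for each policy ID, the list of protocols its profile scans, or None when the policy has no av-profile or names one that is not defined.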