Testing your antivirus configuration
You have configured your FortiGate unit to stop viruses, but you’d like to confirm your settings are correct. Even if you have a real virus, it would be dangerous to use for this purpose. An incorrect configuration will allow the virus to infect your network.
To solve this problem, the European Institute of Computer Anti-virus Research has developed a test file that allows you to test your antivirus configuration. The EICAR test file is not a virus. It can not infect computers, nor can it spread or cause any damage. It’s a very small file that contains a sequence of characters. Your FortiGate unit recognizes the EICAR test file as a virus so you can safely test your FortiGate unit antivirus configuration.
Go to http://www.fortiguard.com/antivirus/eicartest.html to download the test file (eicar.com) or the test file in a ZIP archive (eicar.zip).
If the antivirus profile applied to the security policy that allows you access to the Web is configured to scan HTTP traffic for viruses, any attempt to download the test file will be blocked. This indicates that you are protected.
Example Scenarios
The following examples provide a sample antivirus configuration scenarios.
Configuring simple default antivirus profile
The Antivirus function is so straight forward and widely used that many users just create one default profile and use that on all of the applicable firewall policies. If performance is not a real concern and the unit’s resources are not being stretched, it is perfectly reasonable to create one profile that covers the range of uses found in your environment. This example is one possible default configuration.
Context:
- This is an edited default profile and will be used on all security policies
- It will need to scan for malware on all available protocols.
- Malware, botnets, and grayware should be blocked
- The inspection method should be flow-based
- A current FortiCloud account is available
Creating the profile – GUI
1. In the following fields, enter the indicated values or selections:
Name default
Comments Scans all traffic from Internet for malware
Inspection Mode Flow-based
Detect Virus Block
Send Files to FortiSandbox for Inspection checked
- Suspicious Files Only checked
Detect Connections to Bot- net C&C Servers checked
- Block checked
2. Check the appropriate protocols:
| Protocol Virus Scan and Block |
|
HTTP checked |
| SMTP checked |
| POP3 checked |
| IMAP checked |
| MAPI checked |
| FTP checked |
| NNTP checked |
3. Select Apply.
4. Enable grayware scanning
config antivirus settings set grayware enable
end
Creating the profile – CLI
1. Enter the CLI by one of the following methods:
- SSH through a terminal emulator
- CLI Console widget
- FortiExplorer’s CLI mode
2. Enter the following commands:
config antivirus profile edit default
set comment “scan and delete virus” set inspection-mode flow-based
set scan-botnet-connections block set ftgd-analytics suspicious config http
set options scan end
config ftp
set options scan end
config imap
set options scan end
config pop3
set options scan end
config smtp
set options scan end
config nntp
set options scan end
config smb
set options scan end
end
3. Enable grayware scanning
config antivirus settings set grayware enable
end
Setting up a basic proxy-based Antivirus profile for email traffic
Small offices, whether they are small companies, home offices, or satellite offices, often have very simple needs. This example details how to enable antivirus protection on a FortiGate unit located in a satellite office.
Context:
- The satellite office does not have an internal email server. To send and retrieve email, the employees connect to an external mail server.
- There is a specific firewall security profile that handles the email traffic from the Internet to the mail server. The only traffic on this policy will be POP3 and IMAP and SMTP
- The company policy is to block viruses and connections to botnets.
- The FortiGate unit is a small model and the Internet bandwidth is limited so the policy is to not submit files to the FortiSandbox.
Creating the profile – GUI
1. In the following fields, enter the indicated values or selections:
Name email-av
Comments Scans email traffic from Internet for malware
Inspection Mode Proxy
Detect Virus Block
Send Files to FortiSandbox for Inspection checked
- Suspicious Files Only checked
Detect Connections to Bot- net C&C Servers checked
- Block checked
2. Check the appropriate protocols:
| Protocol Virus Scan and Block |
|
HTTP checked |
| SMTP checked |
| POP3 checked |
| IMAP checked |
| MAPI checked |
| FTP checked |
| NNTP checked |
3. Select Apply.
Creating the profile – CLI
1. Enter the CLI by one of the following methods:
- SSH through a terminal emulator
- CLI Console widget
- FortiExplorer’s CLI mode
2. Enter the following commands:
Config antivirus profile edit “email-av”
set comment “Scans email traffic from Internet for malware” set inspection-mode proxy
config imap
set options scan end
config pop3
set options scan end
config smtp
set options scan end
end
Adding the profile to a policy
In this scenario the following assumptions will be made:
- The policy that the profile is going to be added to is an IPv4 policy.
- The ID number of the policy is 11.
- The Antivirus profile being added will be the “default” profile
- The SSL/SSH Inspection profile used will be the “default” profile
FortiClient enforcement has been moved from the Policy page to Network > Interfaces to enforce FortiClient registration on a desired LAN interface rather than a policy.
Adding the profile – GUI
1. Go to Policy & Objects > IPv4 Policy.
2. Use your preferred method of finding a policy.
- If the ID column is available you can use that.
- You can also choose based on your knowledge of the parameters of the policy
- Select the policy with ID value of 11
3. In the Edit Policy window, go to the Security Profiles section
4. Turn ON AntiVirus, and in the drop down menu for the field, select default
5. If the AntiVirus profile is proxy-based the Proxy Options field and drop down menu will be revealed.
6. The SSL/SSH Inspection field will automatically be set to ON and one of the profiles will need to be selected from the drop down menu. In this case default is selected.
7. The log options will depend on your requirements and resources but to verify that everything is working properly, it is a good idea to turn ON logging of All Sessions after setting up a new profile and after giving some time for logs to accumulate
8. Turn on Antivirus.
9. Select an antivirus profile.
10. Select OK to save the security policy.
Adding the profile – CLI
To select the antivirus profile in a security policy — CLI
config firewall policy edit 11
set utm-status enable
set profile-protocol-options default set av-profile basic_antivirus
end
Block files larger than 8 MB
Set proxy options profile to block files larger than 8 MB
1. Go to Security Profiles > Proxy Options.
2. Edit the default or select Create New to add a new one.
3. Scroll down to the common Options Section and place a check in the box next to BlockOversized File/Email
4. The sub line Threshold (MB) will appear with a value field. Enter 8.
5. Select OK or Apply.
The proxy options profile is configured, but to block files, you must select it in the firewall policies handling the traffic that contains the files you want blocked.
To select the Proxy Options profile in a security policy
1. Go to Policy & Objects > IPv4 Policy (or IPv6 Policy, depending).
2. Edit or create a security policy.
3. Select a proxy-based security profile. You will know that there is a proxy component to the Security Profile because when a Security Profile is Proxy based the Proxy Options field will be visible (for example, select an Antivirus profile that includes proxy scanning).
4. Beside Proxy Options select the name of the MTU proxy options protocol.
5. Select OK to save the security policy.
6. Once you complete these steps, any files in the traffic subject to Security Profile scanning handled by this policy that are larger than 8MB will be blocked. If you have multiple firewall policies, examine each to determine if you want to apply similar file blocking the them as well.