Handbook

6.0.0

Enabling scanning

Antivirus scanning is configured in an AntiVirus profile, but it is enabled in a firewall policy. Once the use of an AntiVirus profile is enabled and selected in one or more firewall policies, all the traffic controlled by those firewall policies will be scanned according to the settings in that profile.

By going to System > Feature Visibility, you can enable or disable two aspects of the AntiVirus Profile.

  1. AntiVirus will determine if the option to use AntiVirus profiles is available.
  2. Multiple Security Profiles will determine if you can configure any AntiVirus profiles beyond the default profile.

The use of antivirus protection is a minimum standard for security protection. The question left to decide is whether or not you wish to use multiple profiles in your configuration.

From Security Profiles > AntiVirus you can edit existing profiles or create and configure new antivirus profiles that can then be applied to firewall policies. A profile is specific configuration information that defines how the traffic within a firewall policy is examined and what action may be taken based on the examination.

The configuration of the antivirus profile depends on whether the inspection mode is proxy-based or flow-based. You select the inspection mode by going to the System > Settings page. The FortiGate's inspection mode is also displayed on the unit's Dashboard in the System Information widget.

The discussion of the differences in antivirus scanning modes explains how this scanning works in proxy- and flow-based inspection, as well as in different versions of FortiOS 5.x.

Enabling AntiVirus in Proxy-mode - GUI

  1. Go to Security Profiles > AntiVirus.
  2. Choose whether you want to edit an existing profile or create a new one.
    • The default profile will be the one displayed by default.
    • If you are going to edit an existing profile, select it either from the drop-down menu in the upper right-hand corner of the window or by selecting the List icon (the furthest right of the three icons in the upper right of the window; it resembles a page with some lines on it) and then selecting the profile you want to edit from the list.
    • If you need to create a new profile you can either select the Create New icon (a plus sign within a circle) or select the List icon and then select the Create New link in the upper left of the window that appears.
  3. If you are creating a new profile, write a name for it in the Name field.
  4. For the Detect Viruses field, select either Block to prevent infected files from passing through the FortiGate, or Monitor to allow infected files to pass through the FortiGate but record each instance of infection.
  5. Under Inspected Protocols, enable the protocols you wish to be blocked or monitored.
  6. Under APT Protection Options, you may enable the following: Content Disarm and Reconstruction, Treat Windows Executables in Email Attachments as Viruses and Send Files to FortiSandbox Cloud for Inspection, and Use Virus Outbreak Prevention Database.

    FortiSandbox options are only available if you have a FortiCloud account active on your FortiGate.

  7. Select Apply.
  8. Add the AntiVirus profile to a firewall security policy.

To view Mobile Malware license and version information, go to System > FortiGuard and locate the Mobile Malware section in the License Information table.

Content Disarm and Reconstruction (CDR)

Content Disarm and Reconstruction (CDR) is used to remove exploitable content and replace it with content that is known to be safe. As the files are processed through an enabled Proxy-based AntiVirus profile, content that is deemed malicious or unsafe is replaced with content that will allow the traffic to continue, but not put the recipient at risk.

Content that can be scanned includes PDF and Microsoft Office files leaving the network on CDR-supported protocols (HTTP web download, SMTP email send, IMAP/POP3 email retrieval—MAPI is not supported).

This feature will work without FortiSandbox configured, but only if you wish to discard the original file. If FortiSandbox is configured and it responds that the file is clean, it will pass the content unmodified.

Note: This feature will not work if splice or client-comfort are enabled under profile-protocol-options for SMTP.

CDR does not alter documents in an HTTP POST, and is not designed to strip content leaving the network for HTTP. It only works on HTTP GET.

Syntax

The use of CDR is enabled or disabled separately for each protocol in the profile. Note that all CDR commands are only available when you set the profile's inspection-mode to proxy.

    config antivirus profile
        edit <name>
            set inspection-mode proxy
            config <protocol>
                set options scan
                set content-disarm {enable | disable}
            end
        next
    end

Note: You must ensure that set options scan is configured. If set options av-monitor is configured for a protocol, it enables the detect-only option (see below) and CDR will not occur for that protocol.

Enabling and disabling CDR is specific to each protocol, but the granular configuration of which types of content the CDR engine rewrites is set per AntiVirus profile. The settings within the config content-disarm context apply to all of the CDR-enabled protocols.

    config antivirus profile
        edit <name>
            config content-disarm
                set original-file-destination {fortisandbox | quarantine | discard}
                set office-macro {enable | disable}
                set office-hylink {enable | disable}
                set office-linked {enable | disable}
                set office-embed {enable | disable}
                set pdf-javacode {enable | disable}
                set pdf-embedfile {enable | disable}
                set pdf-act-gotor {enable | disable}
                set pdf-act-launch {enable | disable}
                set pdf-act-uri {enable | disable}
                set pdf-act-sound {enable | disable}
                set pdf-act-movie {enable | disable}
                set pdf-act-java {enable | disable}
                set pdf-act-form {enable | disable}
                set cover-page {enable | disable}
                set detect-only {enable | disable}
            end
        next
    end

Where:

  original-file-destination
    Selects the destination to which the original files are sent (fortisandbox, quarantine or discard). Note that, once you enable content-disarm under a protocol, you are warned that all original files will be discarded. To be able to retrieve the original files, you must set an original-file-destination for this profile.

  office-macro
    Enables/disables stripping of macros in Microsoft Office documents.

  office-hylink
    Enables/disables stripping of hyperlinks in Microsoft Office documents.

  office-linked
    Enables/disables stripping of linked objects in Microsoft Office documents.

  office-embed
    Enables/disables stripping of embedded objects in Microsoft Office documents.

  pdf-javacode
    Enables/disables stripping of JavaScript code in PDF documents.

  pdf-embedfile
    Enables/disables stripping of embedded files in PDF documents.

  pdf-act-gotor
    Enables/disables stripping of links to other PDFs in PDF documents.

  pdf-act-launch
    Enables/disables stripping of links to external applications in PDF documents.

  pdf-act-uri
    Enables/disables stripping of links to URI resources in PDF documents.

  pdf-act-sound
    Enables/disables stripping of embedded sound files in PDF documents.

  pdf-act-movie
    Enables/disables stripping of embedded movies in PDF documents.

  pdf-act-java
    Enables/disables stripping of actions that execute JavaScript code in PDF documents.

  pdf-act-form
    Enables/disables stripping of actions that submit data to other targets in PDF documents.

  cover-page
    Enables/disables inserting a cover page into the disarmed document.

  detect-only
    Enables/disables detect-only mode: disarmable files are detected and logged, but their content is not altered.

When the antivirus profile detects suspicious content and strips it, a new page is inserted at the start of the document with a message that reads "This file has been cleaned of potential threats".

You can set cover-page disable (see above) if you do not want a cover page appended to any disarmed content.

FortiGuard virus outbreak prevention

FortiGuard virus outbreak prevention uses checksums to filter files in order to detect and stop fast-moving virus outbreaks. It usually takes at least a few hours for FortiGuard to develop and push signatures, and a virus outbreak can do a lot of damage within that period; matching on hash values of probable virus files has proven effective at closing that gap.

Enable this feature under Security Profiles > AntiVirus > Use Virus Outbreak Prevention Database. Note that this feature requires a license, which you can obtain through System > FortiGuard > Outbreak Prevention.

Syntax

Note that outbreak-prevention is only available when options is set to scan:

    config antivirus profile
        edit <name>
            config <protocol>
                set options scan
                set outbreak-prevention {disabled | files | full-archive}
            end
        next
    ...

where full-archive analyzes files including the contents of archives, as opposed to files which does not include the contents of archives.
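The files versus full-archive distinction, shown as an added example rather than Fortinet's engine or code: a lookup of file hashes against a blocklist, where only full-archive mode also hashes the members of a zip (recursing into nested zips). The blocklist, the sample bytes, the zip contents and the nesting cap are constructed assumptions for illustration.

```python
"""Files vs full-archive lookup for hash-based outbreak prevention.
Added example, not Fortinet's engine: the blocklist, the sample bytes and the
nesting cap are constructed assumptions for illustration."""
import hashlib
import io
import zipfile
from typing import Dict, List, Set

# Assumed cap on nested archives, so a deeply nested zip cannot exhaust the scanner.
MAX_NESTING = 4


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for a file seen in an outbreak, and the checksum list built from it.
OUTBREAK_SAMPLE = b"MZ this stands in for a known-bad executable (constructed sample)\n"
BLOCKLIST: Set[str] = {sha256(OUTBREAK_SAMPLE)}


def build_zip(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory zip archive from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def find_hits(data: bytes, mode: str, blocklist: Set[str] = BLOCKLIST,
              path: str = "", depth: int = 0) -> List[str]:
    """Return the paths of blocklisted objects found in data.

    mode 'disabled'     never matches;
    mode 'files'        hashes only the object as transmitted, so a listed file
                        wrapped in a zip is not seen;
    mode 'full-archive' also hashes every member of a zip, recursing into
                        nested zips up to MAX_NESTING levels.
    """
    if mode not in ("disabled", "files", "full-archive"):
        raise ValueError(f"unknown outbreak-prevention mode: {mode}")
    if mode == "disabled":
        return []
    hits: List[str] = []
    if sha256(data) in blocklist:
        hits.append(path or "<file>")
    if mode == "full-archive" and depth < MAX_NESTING and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member_path = f"{path}/{info.filename}" if path else info.filename
                hits.extend(find_hits(zf.read(info), mode, blocklist, member_path, depth + 1))
    return hits


# Constructed inputs: the bare sample, the sample inside a zip, and that zip inside another zip.
PLAIN = OUTBREAK_SAMPLE
ARCHIVED = build_zip({"invoice.exe": OUTBREAK_SAMPLE, "readme.txt": b"nothing to see here\n"})
NESTED = build_zip({"inner.zip": ARCHIVED})

if __name__ == "__main__":
    for label, blob in (("plain", PLAIN), ("zip", ARCHIVED), ("nested zip", NESTED)):
        for mode in ("disabled", "files", "full-archive"):
            print(f"{label:10s} {mode:13s} -> {find_hits(blob, mode)}")
```

Running the block prints the hit list for each combination: the bare sample is caught in both files and full-archive mode, while the zipped and double-zipped copies are only caught in full-archive mode. The depth cap is the practitioner's caveat: archive recursion has to be bounded, or an attacker-supplied archive can cost the scanner far more work than the file is worth.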

Enabling AntiVirus in Flow-mode - GUI

  1. Go to Security Profiles > AntiVirus.
  2. Choose whether you want to edit an existing profile or create a new one.
    • The default profile will be the one displayed by default.
    • If you are going to edit an existing profile, select it either from the drop-down menu in the upper right-hand corner of the window or by selecting the List icon (the furthest right of the three icons in the upper right of the window; it resembles a page with some lines on it) and then selecting the profile you want to edit from the list.
    • If you need to create a new profile you can either select the Create New icon (a plus sign within a circle) or select the List icon and then select the Create New link in the upper left of the window that appears.
  3. If you are creating a new profile, write a name for it in the Name field.
  4. Select Quick or Full Scan Mode (see the discussion of the differences in antivirus scanning modes for more information).
  5. For the Detect Viruses field, select either Block to prevent infected files from passing through the FortiGate, or Monitor to allow infected files to pass through the FortiGate but record each instance of infection.
  6. Under Inspected Protocols, enable the protocols you wish to be blocked or monitored.
  7. Under Inspection Options, you may enable the following: Treat Windows Executables in Email Attachments as Viruses and Include Mobile Malware Protection.

    Note: You may also enable the following options if you have a FortiCloud account active on your FortiGate: Send Files to FortiSandbox Cloud for Inspection and Use FortiSandbox Database.

  8. Select OK or Apply.
  9. Add the AntiVirus profile to a firewall security policy.

Enabling AntiVirus - CLI

Configure the scan option for each type of traffic you want scanned.

  1. Configure the AntiVirus profile:

    config antivirus profile
        edit <profile_name>
            set comment "scan and delete virus"
            set replacemsg-group ''
            set scan-botnet-connections block
            set ftgd-analytics suspicious
            config http
                set options scan
            end
            config ftp
                set options scan
            end
            config imap
                set options scan
            end
            config pop3
                set options scan
            end
            config smtp
                set options scan
            end
            config nntp
                set options scan
            end
            config smb
                set options scan
            end
        next
    end

  2. Add the AntiVirus profile to the FortiGate firewall security policy. When using the CLI, you will need to know the policy ID number.

    config firewall policy
        edit <policy ID number>
            set av-profile <profile_name>
            set profile-protocol-options default
        next
    end
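A configuration check covering both the CDR syntax section above and this CLI procedure, added here as an example and not Fortinet code: it parses FortiOS-style config text into nested dicts and reports the prerequisites this page states (inspection-mode proxy, set options scan rather than av-monitor on each CDR-enabled protocol, an original-file-destination so originals are not silently discarded, and every policy referencing an AntiVirus profile that exists). The sample config is constructed, with two deliberate problems; the parser and the finding strings are hypothetical tooling, and the location of the SMTP splice/client-comfort setting under profile-protocol-options is an assumption to verify on your own unit.

```python
"""Lint FortiOS-style config text for the CDR and AV-policy prerequisites
stated on this page.  Added example, not Fortinet code: the CLI keywords are
the page's own; the parser and the checks are hypothetical tooling."""
from typing import Dict, List

# Constructed sample config with two deliberate problems: SMTP uses av-monitor
# (which forces detect-only) and the protocol options enable splice for SMTP.
# The profile-protocol-options lines are an assumption about where the
# splice/client-comfort setting lives; verify the path on your own unit.
SAMPLE_CONFIG = """\
config antivirus profile
    edit "av-cdr"
        set inspection-mode proxy
        config http
            set options scan
            set content-disarm enable
        end
        config smtp
            set options av-monitor
            set content-disarm enable
        end
        config content-disarm
            set original-file-destination quarantine
            set office-macro enable
            set pdf-javacode enable
        end
    next
end
config firewall profile-protocol-options
    edit "default"
        config smtp
            set options splice
        end
    next
end
config firewall policy
    edit 7
        set av-profile "av-cdr"
        set profile-protocol-options "default"
    next
end
"""


def parse_fortios(text: str) -> Dict:
    """Turn config/edit/set/next/end lines into nested dicts.
    'set' values are stored as token lists; 'config X' and 'edit Y' open a
    child dict keyed by X or Y; 'next' and 'end' close the current level."""
    root: Dict = {}
    stack: List[Dict] = [root]
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        kw = parts[0]
        if kw in ("config", "edit"):
            key = " ".join(parts[1:]).strip('"')
            stack.append(stack[-1].setdefault(key, {}))
        elif kw == "set" and len(parts) >= 2:
            stack[-1][parts[1]] = [p.strip('"') for p in parts[2:]]
        elif kw in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def lint(text: str) -> List[str]:
    """Return one finding per prerequisite the config violates."""
    cfg = parse_fortios(text)
    findings: List[str] = []
    profiles = cfg.get("antivirus profile", {})
    for name, prof in profiles.items():
        # Protocol sub-configs (http, smtp, ...) that have CDR switched on.
        cdr_protos = [p for p, sub in prof.items()
                      if isinstance(sub, dict) and sub.get("content-disarm") == ["enable"]]
        if not cdr_protos:
            continue
        if prof.get("inspection-mode") != ["proxy"]:
            findings.append(f"{name}: content-disarm requires 'set inspection-mode proxy'")
        for p in cdr_protos:
            if prof[p].get("options") != ["scan"]:
                findings.append(f"{name}/{p}: content-disarm needs 'set options scan' "
                                "(av-monitor turns on detect-only, so nothing is disarmed)")
        dest = prof.get("content-disarm", {}).get("original-file-destination", ["discard"])
        if dest == ["discard"]:
            findings.append(f"{name}: original files are discarded; set "
                            "original-file-destination quarantine or fortisandbox to keep them")
        if "smtp" in cdr_protos:
            # Assumption: splice / client-comfort appear as 'set options ...' under
            # 'config smtp' of profile-protocol-options.
            for ppo_name, ppo in cfg.get("firewall profile-protocol-options", {}).items():
                bad = {"splice", "client-comfort"} & set(ppo.get("smtp", {}).get("options", []))
                if bad:
                    findings.append(f"profile-protocol-options {ppo_name}: smtp "
                                    f"{'/'.join(sorted(bad))} enabled, CDR will not run on SMTP")
    for pid, pol in cfg.get("firewall policy", {}).items():
        av = pol.get("av-profile")
        if av is None:
            findings.append(f"policy {pid}: no av-profile, traffic on this policy is not scanned")
        elif av[0] not in profiles:
            findings.append(f"policy {pid}: av-profile {av[0]!r} does not exist")
    return findings


if __name__ == "__main__":
    for line in lint(SAMPLE_CONFIG) or ["no findings"]:
        print(line)
```

Run against the constructed sample it reports the av-monitor problem on SMTP and the splice setting; change the SMTP protocol to set options scan and drop the splice line and it reports nothing. The same parser can be pointed at a full show output exported from a unit, since it ignores any keyword it does not know.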

Overriding the AV engine file scan timeout

Overriding the AV engine file scan timeout allows the FortiGate to scan files as large as 4GB without breaking the scan.

Override the large file scan timeout value in seconds (30 - 3600). Zero is the default value and is used to disable this command. When disabled, the daemon adjusts the large file scan timeout based on the file size.

Syntax

config antivirus settings

set override-timeout 0

end
