Handbook

6.0.0

Examples

The following examples provide sample antivirus configuration scenarios.

Configuring simple default AntiVirus profile

If performance is not a real concern and the FortiGate’s resources are not being stretched, it is perfectly reasonable to create one AntiVirus profile that covers the range of uses found in your environment. This example is one possible default configuration.

Context:

  • This is an edited default profile and will be used on all security policies
  • It will need to scan for malware on all available protocols.
  • Malware, botnets, and grayware should be blocked
  • The inspection method should be flow-based
  • A current FortiCloud account is available

Creating the profile - GUI

  1. In the following fields, enter the settings shown in the screenshot.
  2. Select Apply.
  3. Enable grayware scanning through the CLI.

    config antivirus settings
        set grayware enable
    end

Creating the profile - CLI

  1. Enter the CLI by one of the following methods:
    • SSH through a terminal emulator
    • CLI Console access
    • FortiExplorer’s CLI mode
  2. Enter the following commands:

    config antivirus profile
        edit default
            set comment "scan and delete virus"
            set inspection-mode flow-based
            set scan-botnet-connections block
            set ftgd-analytics suspicious
            config http
                set options scan
            end
            config ftp
                set options scan
            end
            config imap
                set options scan
            end
            config pop3
                set options scan
            end
            config smtp
                set options scan
            end
            config nntp
                set options scan
            end
            config smb
                set options scan
            end
        end

  3. Enable grayware scanning:

    config antivirus settings
        set grayware enable
    end

Setting up a basic proxy-based AntiVirus profile for email traffic

Small offices, whether they are small companies, home offices, or satellite offices, often have very simple needs. This example details how to enable antivirus protection on a FortiGate unit located in a satellite office.

Context:

  • The satellite office does not have an internal email server. To send and retrieve email, the employees connect to an external mail server.
  • There is a specific firewall security policy that handles the email traffic from the Internet to the mail server. The only traffic on this policy will be POP3, IMAP, and SMTP.
  • The company policy is to block viruses and connections to botnets.
  • The FortiGate unit is a small model and the Internet bandwidth is limited so the policy is to not submit files to the FortiSandbox.

Creating the profile - GUI

  1. In the following fields, enter the settings shown below:

    Name: email-av

    Comments: Scans email traffic from Internet for malware

    Detect Viruses: Block

    Inspected Protocols: all checked (HTTP, SMTP, POP3, IMAP, MAPI, and FTP).

    Content Disarm and Reconstruction: checked (optional) - used to remove exploitable content and replace it with content that is known to be safe. For more information, see Content Disarm and Reconstruction (CDR).

    Original File Destination: destination to which files will be sent for inspection: FortiSandbox, File Quarantine, or Discard.

    Treat Windows Executables in Email Attachments as Viruses: checked - also optionally decide whether or not to submit files matching particular types and/or file name patterns.

    Send Files to FortiSandbox Appliance for Inspection: checked (All Supported Files).

    Use Virus Outbreak Prevention Database: checked - used to preempt outbreaks before AV signatures are created.

    Use FortiSandbox Database: checked - supplements the AV signature database.

  2. Select Apply.

Creating the profile - CLI

  1. Enter the CLI by one of the following methods:
    • SSH through a terminal emulator
    • CLI Console widget
    • FortiExplorer’s CLI mode
  2. Enter the following commands:

    config antivirus profile
        edit "email-av"
            set comment "Scans email traffic from Internet for malware"
            set inspection-mode proxy
            config content-disarm
                set original-file-destination {fortisandbox | quarantine | discard}
                set ...
            end
            config <protocol>
                set options scan
            end
        end

  3. Additionally, if you wish to send to FortiSandbox only those files that heuristics determine to be suspicious, enter the following (only available via the CLI):

    config antivirus profile
        edit "email-av"
            set ftgd-analytics suspicious
        end

For more information on how to strip various content types (hyperlinks, linked objects, embedded objects, JavaScript code) from documents, see Content Disarm and Reconstruction (CDR) and the FortiOS 6.0 CLI Reference.
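The following is an added example, not part of the handbook, that assembles the email-av scenario into one complete configuration using only the commands shown on this page: proxy inspection, botnet connections blocked, scanning limited to the three mail protocols named in the context, and no ftgd-analytics line because the office policy is not to submit files to FortiSandbox. It assumes the mail traffic is handled by firewall policy ID 11 and the default proxy options profile, reusing the values from the policy example later on this page.

```text
config antivirus profile
    edit "email-av"
        set comment "Scans email traffic from Internet for malware"
        set inspection-mode proxy
        set scan-botnet-connections block
        config imap
            set options scan
        end
        config pop3
            set options scan
        end
        config smtp
            set options scan
        end
    next
end

config firewall policy
    edit 11
        set utm-status enable
        set profile-protocol-options default
        set av-profile "email-av"
    next
end
```

With logging of all sessions enabled on policy 11 for a trial period, the AntiVirus log should show only IMAP, POP3 and SMTP sessions being scanned and no FortiSandbox submissions, which confirms the profile matches the stated policy.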

Adding the profile to a policy

In this scenario the following assumptions will be made:

  • The policy that the profile is going to be added to is an IPv4 policy.
  • The ID number of the policy is 11.
  • The AntiVirus profile being added will be the "default" profile
  • The SSL/SSH Inspection profile used will be the "default" profile

Note: FortiClient enforcement has been moved from the Policy page to Network > Interfaces to enforce FortiClient registration on a desired LAN interface rather than on a policy.

Adding the profile - GUI

  1. Go to Policy & Objects > IPv4 Policy.
  2. Use your preferred method of finding a policy.
    • If the ID column is available you can use that.
    • You can also choose based on your knowledge of the parameters of the policy
    • Select the policy with ID value of 11
  3. In the Edit Policy window, go to the Security Profiles section
  4. Turn ON AntiVirus, and in the drop down menu for the field, select default
  5. If the AntiVirus profile is proxy-based the Proxy Options field and drop down menu will be revealed.
  6. The SSL/SSH Inspection field will automatically be set to ON and one of the profiles will need to be selected from the drop down menu. In this case default is selected.
  7. The log options will depend on your requirements and resources, but to verify that everything is working properly it is a good idea to turn ON logging of All Sessions after setting up a new profile and to review the logs after giving them some time to accumulate.
  8. Turn on Antivirus.
  9. Select an antivirus profile.
  10. Select OK to save the security policy.

Adding the profile - CLI

To select the antivirus profile in a security policy — CLI

    config firewall policy
        edit 11
            set utm-status enable
            set profile-protocol-options default
            set av-profile default
        end

Block files larger than 8 MB

Set proxy options profile to block files larger than 8 MB

  1. Go to Security Profiles > Proxy Options.
  2. Edit the default or select Create New to add a new one.
  3. Scroll down to the Common Options section and place a check in the box next to Block Oversized File/Email.
  4. The sub-line Threshold (MB) will appear with a value field. Enter 8.
  5. Select OK or Apply.

    The proxy options profile is configured, but to block files, you must select it in the firewall policies handling the traffic that contains the files you want blocked.

To select the Proxy Options profile in a security policy

  1. Go to Policy & Objects > IPv4 Policy (or IPv6 Policy, depending).
  2. Edit or create a security policy.
  3. Select a proxy-based security profile. When a security profile is proxy-based, the Proxy Options field becomes visible (for example, select an AntiVirus profile that includes proxy scanning).
  4. Beside Proxy Options, select the name of the proxy options profile you configured above.
  5. Select OK to save the security policy.
  6. Once you complete these steps, any files larger than 8 MB in traffic subject to security profile scanning on this policy will be blocked. If you have multiple firewall policies, examine each to determine whether you want to apply similar file blocking to them as well.
