Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiGate / FortiOS 6.4.3 Administration Guide
    6.4.3
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0

    Content disarm and reconstruction for antivirus

    Content disarm and reconstruction for antivirus

    Content disarm and reconstruction (CDR) allows the FortiGate to sanitize Microsoft Office documents and PDF files by removing active content, such as hyperlinks, embedded media, javascript, macros, and so on (disarm) from the files without affecting the integrity of its textual content (reconstruction). It allows network admins to protect their users from malicious document files.

    • CDR can be performed on Microsoft Office document and PDF files, including those that are in ZIP archives.
    • CDR is supported on HTTP, SMTP, POP3, IMAP. SMTP splice and client-comfort mode are not supported.
    • CDR does not support flow-based inspection modes.
    • Local disk CDR quarantine can be used on FortiGate models that contain a hard disk or disks.

    Files processed by CDR can have the original copy quarantined on the FortiGate, allowing administrators to observe them. The original copies can also be obtained in the event of a false positive.

    Network topology example

    Configuring the feature

    In order to configure antivirus to work with CDR, you must enable CDR on your antivirus profile, set the quarantine location, and then fine-tune the CDR detection parameters.

    To enable CDR on your antivirus profile:
    1. Go to Security Profiles > AntiVirus.
    2. Edit an antivirus profile, or create a new one.
    3. Enable the toggle for Content Disarm and Reconstruction under APT Protection Options.

    To set a quarantine location:
    1. Go to Security Profiles > AntiVirus.
    2. Edit an antivirus profile, or create a new one.
    3. Select a quarantine location from the available options: Discard, File Quarantine, or FortiSandbox.
      DiscardThe default setting, which discards the original document file.
      File QuarantineSaves the original document file to disk (if possible) or a connected FortiAnalyzer based on the FortiGate's log settings, visible through Config Global > Config Log FortiAnalyzer Setting.
      FortiSandboxSaves the original document file to a connected FortiSandbox.
    4. Click Apply.
    To fine-tune CDR detection parameters in the CLI:
    • Select which active content to detect/process:

      By default, all active office and PDF content types are enabled. To fine-tune CDR to ignore certain content, you must disable that particular content parameter. The example below configures the CDR to ignore Microsoft Office macros.

      config antivirus profile 
    edit av
        config content-disarm
            set office-macro disable
        end
    next
end
    • Detect but do not modify active content:

      By default, CDR will disarm any detected documents containing active content. To prevent CDR from disarming documents, you can set it to operate in detect-only mode. To do this, the option detect-only must be enabled.

      config antivirus profile 
    edit av
        config content-disarm 
            set detect-only enable
        end
    next
end
    • Disable the CDR cover page:

      By default, a cover page will be attached to the file's content when the file has been processed by CDR. To disable the cover page, the cover-page parameter needs to be disabled.

      config antivirus profile 
    edit av
        config content-disarm 
            set cover-page disable
        end
    next
end
    Previous
    Next

    Content disarm and reconstruction for antivirus

    Content disarm and reconstruction for antivirus

    Content disarm and reconstruction (CDR) allows the FortiGate to sanitize Microsoft Office documents and PDF files by removing active content, such as hyperlinks, embedded media, javascript, macros, and so on (disarm) from the files without affecting the integrity of its textual content (reconstruction). It allows network admins to protect their users from malicious document files.

    • CDR can be performed on Microsoft Office document and PDF files, including those that are in ZIP archives.
    • CDR is supported on HTTP, SMTP, POP3, IMAP. SMTP splice and client-comfort mode are not supported.
    • CDR does not support flow-based inspection modes.
    • Local disk CDR quarantine can be used on FortiGate models that contain a hard disk or disks.

    Files processed by CDR can have the original copy quarantined on the FortiGate, allowing administrators to observe them. The original copies can also be obtained in the event of a false positive.

    Network topology example

    Configuring the feature

    In order to configure antivirus to work with CDR, you must enable CDR on your antivirus profile, set the quarantine location, and then fine-tune the CDR detection parameters.

    To enable CDR on your antivirus profile:
    1. Go to Security Profiles > AntiVirus.
    2. Edit an antivirus profile, or create a new one.
    3. Enable the toggle for Content Disarm and Reconstruction under APT Protection Options.

    To set a quarantine location:
    1. Go to Security Profiles > AntiVirus.
    2. Edit an antivirus profile, or create a new one.
    3. Select a quarantine location from the available options: Discard, File Quarantine, or FortiSandbox.
      DiscardThe default setting, which discards the original document file.
      File QuarantineSaves the original document file to disk (if possible) or a connected FortiAnalyzer based on the FortiGate's log settings, visible through Config Global > Config Log FortiAnalyzer Setting.
      FortiSandboxSaves the original document file to a connected FortiSandbox.
    4. Click Apply.
    To fine-tune CDR detection parameters in the CLI:
    • Select which active content to detect/process:

      By default, all active office and PDF content types are enabled. To fine-tune CDR to ignore certain content, you must disable that particular content parameter. The example below configures the CDR to ignore Microsoft Office macros.

      config antivirus profile 
    edit av
        config content-disarm
            set office-macro disable
        end
    next
end
    • Detect but do not modify active content:

      By default, CDR will disarm any detected documents containing active content. To prevent CDR from disarming documents, you can set it to operate in detect-only mode. To do this, the option detect-only must be enabled.

      config antivirus profile 
    edit av
        config content-disarm 
            set detect-only enable
        end
    next
end
    • Disable the CDR cover page:

      By default, a cover page will be attached to the file's content when the file has been processed by CDR. To disable the cover page, the cover-page parameter needs to be disabled.

      config antivirus profile 
    edit av
        config content-disarm 
            set cover-page disable
        end
    next
end
    Previous
    Next