Fortinet white logo
Fortinet white logo

Administration Guide

Using FortiAI inline scanning with antivirus

Using FortiAI inline scanning with antivirus

FortiAI can be used with antivirus profiles in proxy inspection mode (flow mode is currently not supported). FortiAI inspects high-risk files and issues a verdict to the firewall based on how close the file features match those of malware. When enabled, FortiAI can log, block, ignore, or monitor (allow) the file based on the verdict.

Note

A licensed FortiAI appliance with version 1.5.1 or later is required to use this feature.

To configure FortiAI inline inspection with an AV profile:
  1. Configure FortiAI to join a Security Fabric in FortiOS (see Configuring FortiAI).

  2. In the FortiAI CLI, enable inline inspection:
    config system fortiai
        set status enable
    end
  3. Configure an AV profile in FortiOS to use inline inspection and block detected infections:
    config antivirus profile
        edit "av"
            set feature-set proxy
            config http
                set fortiai block
            end
            config ftp
                set fortiai block
            end
            config imap
                set fortiai block
            end
            config pop3
                set fortiai block
            end
            config smtp
                set fortiai block
            end
            config mapi
                set fortiai block
            end
            config nntp
                set fortiai block
            end
            config cifs
                set fortiai block
            end
            config ssh
                set fortiai block
            end
        next
    end
  4. Add the AV profile to a firewall policy. When potential infections are blocked by FortiAI inline inspection, a replacement message appears (FortiAI Block Page, see Replacement messages for more information). An infection blocked over HTTP looks similar to the following:

Sample log
date=2021-04-29 time=15:12:07 eventtime=1619734327633022960 tz="-0700" logid="0209008221" type="utm" subtype="virus" eventtype="fortiai" level="notice" vd="vdom1" policyid=1 msg="Detected by FortiAI." action="monitored" service="HTTP" sessionid=13312 srcip=10.1.100.221 dstip=172.16.200.224 srcport=50792 dstport=80 srcintf="wan2" srcintfrole="wan" dstintf="wan1" dstintfrole="wan" proto=6 direction="incoming" filename="detected_samples.zip" quarskip="File-was-not-quarantined" virus="MSIL/Kryptik.KVH!tr" dtype="FortiAI" ref="http://www.fortinet.com/ve?vn=MSIL%2FKryptik.KVH%21tr" virusid=0 url="http://172.16.200.224/avengine_ai/detected_samples.zip" profile="av" agent="curl/7.68.0" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"

FortiAI inline inspection with other AV inspection methods

The following inspection logic applies when FortiAI inline inspection is enabled simultaneously with other AV inspection methods. The AV engine inspection and its verdict always takes precedence because of performance. The actual behavior depends on which inspected protocol is used.

HTTP, FTP, SSH, and CIFS protocols:
  1. AV engine scan; AV database and FortiSandbox database (if applicable).
    1. FortiAI inline inspection occurs simultaneously.
  2. AV engine machine learning detection for WinPE PUPs (potentially unwanted programs).
    1. FortiAI inline inspection occurs simultaneously.
  3. Outbreak prevention and external hash list resources.
    1. FortiAI inline inspection occurs simultaneously.
Note

If any AV inspection method returns an infected verdict, the FortiAI inspection is aborted.

POP3, IMAP, SMTP, NNTP, and MAPI protocols:
  1. AV engine scan; AV database and FortiSandbox database (if applicable).
  2. AV engine machine learning detection for WinPE PUPs (potentially unwanted programs).
    1. FortiAI inline inspection occurs simultaneously.
  3. Outbreak prevention and external hash list resources.
    1. FortiAI inline inspection occurs simultaneously.
Tooltip

In an AV profile, use set fortiai-error-action {log-only | block | ignore} to configure the action to take if FortiAI encounters an error.

Accepted file types

The following file types are sent to FortiAI for inline inspection:

7Z

ARJ

BZIP

BZIP2

CAB

ELF

GZIP

HTML

JS

LZH

LZW

MS Office documents (XML and non-XML)

PDF

RAR

RTF

TAR

VBA

VBS

WinPE (EXE)

XZ

ZIP

Using FortiAI inline scanning with antivirus

Using FortiAI inline scanning with antivirus

FortiAI can be used with antivirus profiles in proxy inspection mode (flow mode is currently not supported). FortiAI inspects high-risk files and issues a verdict to the firewall based on how close the file features match those of malware. When enabled, FortiAI can log, block, ignore, or monitor (allow) the file based on the verdict.

Note

A licensed FortiAI appliance with version 1.5.1 or later is required to use this feature.

To configure FortiAI inline inspection with an AV profile:
  1. Configure FortiAI to join a Security Fabric in FortiOS (see Configuring FortiAI).

  2. In the FortiAI CLI, enable inline inspection:
    config system fortiai
        set status enable
    end
  3. Configure an AV profile in FortiOS to use inline inspection and block detected infections:
    config antivirus profile
        edit "av"
            set feature-set proxy
            config http
                set fortiai block
            end
            config ftp
                set fortiai block
            end
            config imap
                set fortiai block
            end
            config pop3
                set fortiai block
            end
            config smtp
                set fortiai block
            end
            config mapi
                set fortiai block
            end
            config nntp
                set fortiai block
            end
            config cifs
                set fortiai block
            end
            config ssh
                set fortiai block
            end
        next
    end
  4. Add the AV profile to a firewall policy. When potential infections are blocked by FortiAI inline inspection, a replacement message appears (FortiAI Block Page, see Replacement messages for more information). An infection blocked over HTTP looks similar to the following:

Sample log
date=2021-04-29 time=15:12:07 eventtime=1619734327633022960 tz="-0700" logid="0209008221" type="utm" subtype="virus" eventtype="fortiai" level="notice" vd="vdom1" policyid=1 msg="Detected by FortiAI." action="monitored" service="HTTP" sessionid=13312 srcip=10.1.100.221 dstip=172.16.200.224 srcport=50792 dstport=80 srcintf="wan2" srcintfrole="wan" dstintf="wan1" dstintfrole="wan" proto=6 direction="incoming" filename="detected_samples.zip" quarskip="File-was-not-quarantined" virus="MSIL/Kryptik.KVH!tr" dtype="FortiAI" ref="http://www.fortinet.com/ve?vn=MSIL%2FKryptik.KVH%21tr" virusid=0 url="http://172.16.200.224/avengine_ai/detected_samples.zip" profile="av" agent="curl/7.68.0" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"

FortiAI inline inspection with other AV inspection methods

The following inspection logic applies when FortiAI inline inspection is enabled simultaneously with other AV inspection methods. The AV engine inspection and its verdict always takes precedence because of performance. The actual behavior depends on which inspected protocol is used.

HTTP, FTP, SSH, and CIFS protocols:
  1. AV engine scan; AV database and FortiSandbox database (if applicable).
    1. FortiAI inline inspection occurs simultaneously.
  2. AV engine machine learning detection for WinPE PUPs (potentially unwanted programs).
    1. FortiAI inline inspection occurs simultaneously.
  3. Outbreak prevention and external hash list resources.
    1. FortiAI inline inspection occurs simultaneously.
Note

If any AV inspection method returns an infected verdict, the FortiAI inspection is aborted.

POP3, IMAP, SMTP, NNTP, and MAPI protocols:
  1. AV engine scan; AV database and FortiSandbox database (if applicable).
  2. AV engine machine learning detection for WinPE PUPs (potentially unwanted programs).
    1. FortiAI inline inspection occurs simultaneously.
  3. Outbreak prevention and external hash list resources.
    1. FortiAI inline inspection occurs simultaneously.
Tooltip

In an AV profile, use set fortiai-error-action {log-only | block | ignore} to configure the action to take if FortiAI encounters an error.

Accepted file types

The following file types are sent to FortiAI for inline inspection:

7Z

ARJ

BZIP

BZIP2

CAB

ELF

GZIP

HTML

JS

LZH

LZW

MS Office documents (XML and non-XML)

PDF

RAR

RTF

TAR

VBA

VBS

WinPE (EXE)

XZ

ZIP