
After completing this document, you will be able to achieve these objectives:

1- Understand why you should use antivirus protection
2- Explain how FortiGate antivirus works to block malware
3- Configure a FortiGate antivirus profile in flow-based and proxy-based inspection mode
4- Configure protocol options
5- Log and monitor antivirus events
6- Troubleshoot common antivirus issues and apply best practices


Malware & Antivirus
Risk of Malware:
Keeping malware out of your network is key to securing your organization. Cyber criminals
use malware to:
• Cause data breaches
• Extort money
• Steal intellectual property
• Disrupt business and destroy systems

FortiGuard Labs: a FortiGate with a valid antivirus license downloads antivirus
signature database updates from the FortiGuard servers.
FortiGate Antivirus Scanning:
FortiGate uses several techniques to detect viruses:
• Antivirus scan (signature-based): detects known malware and is the first, fastest, and
simplest technique. FortiGate detects files that are an exact match for a signature in the
FortiGuard antivirus database.
• Grayware scan: detects unsolicited programs, known as grayware, that were installed
without the user's knowledge or consent. Grayware is not technically a virus, but it causes
unwanted behavior, so FortiGate treats it as malware. FortiGate usually detects grayware
using a FortiGuard grayware signature.
• Machine learning/artificial intelligence scan: uses machine learning and artificial
intelligence techniques to detect zero-day malware that is new, unknown, and has no
matching signature yet. Because this type of scan is based on probability, it increases the
chance of false positives. By default, when this scan flags a file as a new virus, FortiGate
logs the file as suspicious but does not block it. You can choose whether to block or allow
suspicious files.
Antivirus Inspection Mode
Antivirus can operate in flow-based or proxy-based inspection mode.
Flow-based inspection mode
IPS Engine:
In flow-based mode, the IPS engine is responsible for IPS and the protocol decoders, as
well as application control, flow-based antivirus protection, web filtering, and email
filtering.

Packet Flow

Flow-based inspection uses a hybrid of the two scanning modes that were previously
selectable:
• the default scanning mode, which enhances the scanning of nested archive files without
buffering the container archive file
• the legacy scanning mode, which buffers the full container and then scans it
Starting from FortiOS 6.4.0, the scan-mode option is no longer available for flow-based
antivirus. Antivirus on flow-based firewall policies no longer uses exclusively the default or
the legacy mode; it uses a hybrid of the two.

In flow-based mode, the client sends a request and starts receiving packets immediately,
but FortiGate caches those packets at the same time. When the last packet arrives,
FortiGate caches it and puts it on hold. The IPS engine then extracts the payload of the
last packet, assembles the whole file, and sends it to the antivirus engine for scanning. If
the scan comes back clean, the last cached packet is regenerated and delivered to the
client. If a virus is found, FortiGate resets the connection and does not send the last piece
of the file. Although the receiver got most of the file content, the file is truncated and
therefore cannot be opened.
The IPS engine also caches the URL of the infected file, so that on a second attempt to
transmit the same file, the IPS engine sends a block replacement message to the client
instead of scanning the file again. In practice, the first download of an infected file ends
in a reset connection and a truncated file, not a block page; the block page only appears
on the retry.
Because the file is scanned while it is being transmitted, flow-based mode consumes more
CPU cycles than proxy-based mode. Depending on the FortiGate model, some operations
can be offloaded to SPUs to improve performance.

* Note that:
Flow-based inspection mode does not allow the profile to inspect MAPI or SSH traffic.
Configuration

Flow-based inspection mode is the default mode. Its configuration consists of two steps:
• Create an antivirus profile, selecting the protocols to inspect and the action FortiGate
takes when it detects an infected file: Block or Monitor. FortiOS includes two preloaded
antivirus profiles, default and wifi-default. You can customize these profiles or create
your own to inspect specific protocols.
• Apply the flow-based antivirus profile to a firewall policy.


Proxy-based inspection mode

Packet Flow

In proxy inspection mode, the client sends a request and FortiGate buffers the whole file,
then sends it to the antivirus engine for scanning. If the file is clean, FortiGate starts
transmitting it to the client. If a virus is found, no packets are delivered to the client and
the proxy sends the block replacement message instead. Because FortiGate has to buffer
the whole file before scanning, scanning takes longer, and from the client's point of view
nothing arrives until the scan finishes, so the client may terminate the connection for lack
of data.
Client Comforting:
This feature is supported only in proxy mode.
You can configure client comforting for HTTP and FTP from the config firewall
profile-protocol-options command tree. It lets the proxy slowly transmit some data until it
can complete the buffer and finish the scan, which prevents a connection or session
timeout. Because FortiGate is already transmitting packets to the client, no block
replacement message appears on the first attempt. The data sent before the scan completes
does reach the client, so client comforting trades some protection for usability; keep it
disabled where security is the priority.

stream-based scanning:
Proxy inspection also allows stream-based scanning, which is enabled by default.
Stream-based scanning handles large archive files by decompressing, extracting, and
scanning them at the same time. This optimizes memory use and conserves resources on the
FortiGate. Viruses are detected even if they are in the middle or toward the end of these
large files.
In FortiOS 7.0, stream-based scanning is supported for HTTP(S), FTP(S), and SCP/SFTP.

Stream-based scanning provides the following antivirus improvements:
• Archive files (ZIP, GZIP, BZIP2, TAR, ISO) that exceed the oversize limit are
uncompressed and scanned for infections.
• The contents of large archive files are scanned without buffering the entire file.
Configuration

1. Create an antivirus profile, selecting the protocols to inspect and the action FortiGate
takes when it detects an infected file: Block or Monitor.
Proxy-based inspection mode is applied when you set Feature set to Proxy-based.
On low-end platforms, this option only appears on the GUI after you enable it with the
CLI command:
config system settings
set gui-proxy-inspection enable
end
The gui-proxy-inspection setting under config system settings is enabled by default on most
models, but not on entry-level platforms with 2 GB of RAM or less. When this setting is
disabled, the firewall policy pages do not offer a choice between flow-based and proxy-based
inspection mode.
Go to Security Profiles > AntiVirus and click Create New, then configure the profile
(feature set, inspected protocols, and action).
2. Apply the proxy-based antivirus profile to a firewall policy. In the policy, you must set
Inspection Mode to Proxy-based.
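Both configuration procedures above (flow-based and proxy-based) come down to the same two objects: an antivirus profile with a feature set and a per-protocol action, and a firewall policy whose inspection mode matches the profile. The following Python is an added example, not code from the page or from Fortinet, that builds those two objects as FortiOS REST API (cmdb) request bodies and can push them. It assumes the FortiOS 7.x cmdb JSON keys mirror the CLI keywords used on this page (feature-set, av-scan, scan-mode, inspection-mode, utm-status, av-profile, ssl-ssh-profile), that you have a REST API admin token, and uses placeholder host and interface names.

```python
"""Build (and optionally push) a FortiGate antivirus profile plus a firewall
policy that applies it, via the FortiOS REST cmdb API.
Added example; not Fortinet code. Field names are assumed to mirror the CLI."""
import json
import ssl
import urllib.request

# Protocols an antivirus profile can inspect in either mode, and the two
# protocols the page says only proxy mode can inspect.
FLOW_PROTOCOLS = ("http", "ftp", "imap", "pop3", "smtp", "cifs")
PROXY_ONLY = ("mapi", "ssh")


def build_av_profile(name, feature_set="flow", action="block",
                     protocols=FLOW_PROTOCOLS, scan_mode="default"):
    """Body for POST /api/v2/cmdb/antivirus/profile ('config antivirus profile').

    feature_set: 'flow' or 'proxy'. action: 'block' or 'monitor', applied as
    'set av-scan <action>' under each listed protocol. scan_mode only matters
    for proxy ('default' = stream-based, 'legacy' = buffer the whole file)."""
    if feature_set not in ("flow", "proxy"):
        raise ValueError("feature-set must be 'flow' or 'proxy'")
    if action not in ("block", "monitor"):
        raise ValueError("av-scan action must be 'block' or 'monitor'")
    not_allowed = [p for p in protocols if p in PROXY_ONLY and feature_set == "flow"]
    if not_allowed:
        raise ValueError(f"{not_allowed} cannot be inspected by a flow-based profile")
    body = {"name": name, "feature-set": feature_set,
            "comment": f"{feature_set}-based AV, {action} on detection"}
    for proto in protocols:
        body[proto] = {"av-scan": action}
    if feature_set == "proxy":
        body["scan-mode"] = scan_mode
    return body


def build_policy(name, srcintf, dstintf, av_profile, inspection_mode,
                 ssl_ssh_profile="deep-inspection"):
    """Body for POST /api/v2/cmdb/firewall/policy with the AV profile applied.

    inspection_mode must equal the profile's feature-set. utm-status must be
    'enable' or the av-profile is ignored, and encrypted protocols are only
    scanned when the SSL/SSH profile performs deep inspection."""
    if inspection_mode not in ("flow", "proxy"):
        raise ValueError("inspection-mode must be 'flow' or 'proxy'")
    return {
        "name": name, "status": "enable", "action": "accept",
        "srcintf": [{"name": srcintf}], "dstintf": [{"name": dstintf}],
        "srcaddr": [{"name": "all"}], "dstaddr": [{"name": "all"}],
        "service": [{"name": "ALL"}], "schedule": "always",
        "inspection-mode": inspection_mode,
        "utm-status": "enable",
        "av-profile": av_profile,
        "ssl-ssh-profile": ssl_ssh_profile,
        "logtraffic": "all",
        "nat": "enable",
    }


def push(host, token, path, body, verify_tls=True):
    """POST one cmdb object (e.g. path='antivirus/profile'); returns the JSON reply.
    Network call; authenticates with a REST API admin token as a Bearer token."""
    req = urllib.request.Request(
        f"https://{host}/api/v2/cmdb/{path}", method="POST",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    ctx = ssl.create_default_context()
    if not verify_tls:                      # lab units with self-signed certs only
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Proxy-based profile that also covers the proxy-only protocols, and a matching policy.
    profile = build_av_profile("av-proxy-block", feature_set="proxy",
                               protocols=FLOW_PROTOCOLS + PROXY_ONLY)
    policy = build_policy("lan-to-wan-av", "port2", "port1",
                          profile["name"], inspection_mode="proxy")
    print(json.dumps(profile, indent=1))
    print(json.dumps(policy, indent=1))
    # Order matters: the profile must exist before a policy references it.
    # push("192.0.2.1", "<api-token>", "antivirus/profile", profile)
    # push("192.0.2.1", "<api-token>", "firewall/policy", policy)
```

A policy created this way is appended at the bottom of the policy list, so an earlier policy matching the same traffic will still win; move it into position after creation, exactly as you would for a policy created in the GUI.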

3. Verify the Configuration

https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/315155/testing-an-antivirus-profile

Example 1: EICAR test file

EICAR hosts anti-malware test files, which are available to download
from https://www.eicar.org/download-anti-malware-testfile.

Example 2: AI sample file

FortiGuard provides several sample files to test the AV configuration on the
FortiGate, which are available to download from
https://www.fortiguard.com/sample-files.

Example 3: VO sample file

To test the AV profile with the VO sample file:
1- On the PC, go to the FortiGuard website and download the VO sample file.
2- The download attempt is blocked by the FortiGate's default AV profile,
and a block page appears in the PC's browser.
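The EICAR test (Example 1) is easy to misread when the policy is flow-based: as described in the packet flow section, the first download attempt ends with a reset connection and a truncated file, and the block page only appears on the retry, whereas proxy mode returns the block page immediately. The Python below is an added example, not from the page or from EICAR or Fortinet, that writes the EICAR test file for hosting on a test server and classifies what a client actually received (complete file, truncated file, or block page) by comparing it with the published EICAR content. The EICAR string and its SHA-256 are published by eicar.org; the string is assembled from two halves only so this source file is not itself flagged by a desktop scanner. It assumes the FortiGate block page is served as an HTML document, as the page says a block page appears in the browser.

```python
"""Generate the EICAR test file and classify a client-side download result.
Added example; not page, EICAR or Fortinet code."""
import hashlib
import http.client
import urllib.error
import urllib.request

# EICAR standard test string (68 bytes), from eicar.org, joined at run time.
_EICAR_PARTS = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-",
                b"ANTIVIRUS-TEST-FILE!$H+H*")
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"


def eicar_bytes():
    return b"".join(_EICAR_PARTS)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def write_eicar(path):
    """Write the test file to host on a plain HTTP server behind the FortiGate."""
    with open(path, "wb") as f:
        f.write(eicar_bytes())
    return path


def classify_download(body):
    """Classify the bytes a client received when fetching the test file.

    'not-scanned'  : the complete EICAR file arrived; AV did not act. Check the
                     profile, the policy's utm-status and the SSL inspection profile.
    'blocked-page' : an HTML replacement message arrived (proxy mode, or flow
                     mode on a repeat request for a cached URL).
    'truncated'    : a prefix of the file arrived and the rest was withheld
                     (flow mode, first request: connection reset before the last segment).
    'unknown'      : none of the above."""
    if sha256_hex(body) == EICAR_SHA256:
        return "not-scanned"
    if body.lstrip()[:1] == b"<":                 # assumption: block page is HTML
        return "blocked-page"
    full = eicar_bytes()
    if len(body) < len(full) and full.startswith(body):
        return "truncated"
    return "unknown"


def fetch_and_classify(url, timeout=20):
    """Download url from a client behind the FortiGate and classify the result.
    Network call; not exercised by the offline checks."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify_download(resp.read())
    except http.client.IncompleteRead as e:      # flow mode: reset mid-transfer
        return classify_download(e.partial)
    except urllib.error.HTTPError as e:          # block page with a non-200 status
        return classify_download(e.read())
    except (urllib.error.URLError, OSError):
        return "truncated"                       # reset before any body arrived


if __name__ == "__main__":
    write_eicar("eicar.com")
    print("sha256 ok:", sha256_hex(eicar_bytes()) == EICAR_SHA256)
    # print(fetch_and_classify("http://203.0.113.5/eicar.com"))   # run twice in flow mode
```

Run the fetch twice in flow mode: the first call should report "truncated" and the second "blocked-page"; only "not-scanned" means the antivirus profile is not being applied. Downloading the sample over HTTPS additionally requires the policy's SSL/SSH inspection profile to do deep inspection, otherwise the result is "not-scanned" regardless of the antivirus profile.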

4. Monitor Antivirus Protection

* Note that:
Unlike flow-based antivirus, where the scan-mode option was removed in 6.4.0, proxy mode
keeps the scan-mode option, which can be toggled between default and legacy.
• To configure the scan mode:
config antivirus profile
edit <name>
set feature-set proxy
set scan-mode {default | legacy}
next
end

default   Enable stream-based scanning (default).
legacy    Disable stream-based scanning.

After choosing Proxy-based:

• You can use client comforting in this mode.
• You can use stream-based scanning in this mode.
• Unlike flow-based inspection mode, proxy-based inspection mode allows the profile to
inspect MAPI and SSH traffic, and to sanitize Microsoft Office documents and PDF files
using the content disarm and reconstruction (CDR) feature. It can also send high-risk
files to FortiNDR for inspection.
Protocol comparison between antivirus inspection modes

Feature comparison between Antivirus inspection modes


Inspection Mode Use Cases
Databases:
The antivirus scanning engine uses a virus signatures database to record the unique
attributes of each infection. The antivirus scan searches for these signatures and when
one is discovered, the FortiGate determines if the file is infected and takes action.
All FortiGates have the normal antivirus signature database. Some models have additional
databases that you can use. The database you use depends on your network and security
needs, and on your FortiGate model.
The extended virus definitions database is the default setting and provides comprehensive
antivirus protection. Entry-level and some mid-range FortiGates cannot support the
extreme database. The FortiGate 300D is the lowest model that supports the extreme
database. All VMs support the extreme database.

To change the antivirus database:

config antivirus settings
set use-extreme-db {enable | disable}
end
Regardless of the inspection mode you use, both modes use the full antivirus database
(extended or extreme, depending on the use-extreme-db setting and the FortiGate model),
and the scan techniques give similar detection rates.

How do you choose between the inspection modes? If security is your priority, proxy
inspection mode, with client comforting disabled, is more appropriate. If performance is
your top priority, flow inspection mode is more appropriate.

Flow inspection mode:   priority on traffic throughput
Proxy inspection mode:  priority on network security
Antivirus Logs
Logging is an important part of managing a secure network. When you enable logging, you
can find antivirus details in three places:

1. Log & Report > Security Events. When the antivirus scan detects a virus, by default, it
creates a log about what virus was detected, as well as the action, policy ID, antivirus profile
name, and detection type. It also provides a link to more information on the FortiGuard
website.
When you enable oversized files logging, a log entry is also created with the details including
the message “Size limit is exceeded”.

2. Log & Report > Forward Traffic. You can also view log details on the Forward Traffic log
page, where firewall policies record traffic activity. You’ll find a summary of the traffic on
which FortiGate applied an antivirus action in the corresponding security details.
3. Dashboard > Security. You can also use the Security dashboard to view relevant
information regarding threats to your network. The security dashboard organizes
information into source and destination and allows you to drill down with session logs
details. For the Advanced Threat Protection Statistics, you can add the corresponding widget
on the dashboard for monitoring purposes.
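The Security Events and Forward Traffic views above show the same fields (virus name, action, policy ID, profile name, detection type) that arrive in exported syslog. When logs are shipped to a SIEM, the useful check is not the count of detections but which detections were not blocked: events from a monitor-only profile and oversized files passed through unscanned. The Python below is an added example, not page or Fortinet code, that parses FortiOS key=value log lines and reports those gaps. The sample lines are constructed in the FortiOS syslog style, with only the fields discussed on this page; real logs carry many more fields, and the field values (action names, event types) should be checked against your own logs before relying on them.

```python
"""Parse FortiGate antivirus log lines (type=utm subtype=virus) and flag
detections that reached the client unblocked. Added example; not Fortinet code."""
import re
from collections import Counter

# Constructed sample: a blocked detection, a monitor-only detection, an oversized
# file passed through unscanned, and one unrelated traffic log to be filtered out.
SAMPLE_LOGS = """\
date=2024-03-05 time=10:15:02 type="utm" subtype="virus" eventtype="infected" level="warning" vd="root" msg="File is infected." action="blocked" service="HTTP" srcip=10.0.1.10 dstip=203.0.113.5 srcport=51234 dstport=80 policyid=1 filename="eicar.com" virus="EICAR_TEST_FILE" dtype="Virus" profile="default"
date=2024-03-05 time=10:16:40 type="utm" subtype="virus" eventtype="infected" level="warning" vd="root" msg="File is infected." action="monitored" service="SMTP" srcip=10.0.1.20 dstip=198.51.100.9 srcport=40211 dstport=25 policyid=7 filename="invoice.zip" virus="EICAR_TEST_FILE" dtype="Virus" profile="av-monitor-only"
date=2024-03-05 time=10:18:03 type="utm" subtype="virus" eventtype="oversize" level="notice" vd="root" msg="Size limit is exceeded." action="passthrough" service="HTTP" srcip=10.0.1.10 dstip=203.0.113.5 srcport=51300 dstport=80 policyid=1 filename="big.iso" profile="default"
date=2024-03-05 time=10:18:04 type="traffic" subtype="forward" level="notice" vd="root" action="accept" srcip=10.0.1.10 dstip=203.0.113.5 policyid=1
"""

# key=value pairs; values are either double-quoted (may contain spaces and '=')
# or a bare run of non-space characters.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Return the fields of one FortiOS log line as a dict of strings."""
    fields = {}
    for m in _KV.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def av_events(text):
    """Yield only antivirus events from raw log text."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.get("type") == "utm" and ev.get("subtype") == "virus":
            yield ev


def summarize(text):
    """Return (counts, gaps): detections per (virus, action), and a list of
    (label, policyid, filename, detail) for events the client still received."""
    counts = Counter()
    gaps = []
    for ev in av_events(text):
        if ev.get("eventtype") == "oversize":
            counts[("oversize", ev.get("action", "?"))] += 1
            gaps.append(("oversize", ev.get("policyid"), ev.get("filename"), ev.get("msg")))
            continue
        virus = ev.get("virus", "?")
        counts[(virus, ev.get("action", "?"))] += 1
        if ev.get("action") != "blocked":
            gaps.append((virus, ev.get("policyid"), ev.get("filename"),
                         f"profile={ev.get('profile')} action={ev.get('action')}"))
    return counts, gaps


if __name__ == "__main__":
    counts, gaps = summarize(SAMPLE_LOGS)
    for (name, action), n in sorted(counts.items()):
        print(f"{n:4d}  {name:<20} {action}")
    print("\nReached the client:")
    for label, policyid, filename, detail in gaps:
        print(f"  policy {policyid}: {label} {filename} ({detail})")
```

An oversized file that passes through unscanned is only visible if oversized-file logging is enabled, as the section above notes; a monitor-only profile on a production policy is the most common reason a "detected" virus still reached a mailbox.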
Troubleshooting Common Antivirus Issues
Viruses are constantly evolving and you must have the latest antivirus definitions version to
ensure correct protection.
With a valid license, FortiGate checks regularly for updates. If an antivirus profile is applied
on at least one firewall policy, you can also force an update of the antivirus definitions
database with the CLI command execute update-av:
FGT # execute update-av

1. If you are having issues with the antivirus license or FortiGuard updates, start
troubleshooting with basic connectivity tests. Most of the time, issues related to updates
are caused by connectivity problems with FortiGuard servers. You can do the following to
handle common antivirus issues:
• Make sure that FortiGate has a stable internet connection and can resolve DNS
(update.fortinet.net).
• If there is another firewall between FortiGate and the internet, make sure TCP port 443 is
open and traffic is allowed from and to the FortiGate device.
• If you continue to see issues with the update, run the real-time debug command to
identify the problem, then disable debugging when you are done:

FGT# diagnose debug enable
FGT# diagnose debug application update -1
FGT# execute update-av
FGT# diagnose debug disable
2. What if you have a valid connection and updated database, and you are still having
issues catching viruses? Start troubleshooting for basic configuration errors. Most of the
time, issues are caused by misconfiguration on the device. You can do the following to
verify:
• Make sure that the correct antivirus profile is applied on the right firewall policy, and
that the policy actually has security profiles (UTM) enabled.
• Make sure that the right protocol ports are configured in the protocol options profile
when the inspection mode is proxy-based.
• Make sure that you are using the correct antivirus profile and SSL/SSH inspection profile
on all firewall policies. For encrypted protocols, you must select deep inspection;
certificate inspection does not decrypt the payload, so nothing inside it is scanned.
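The configuration checks above are easy to run by hand on one policy and easy to miss across fifty. The Python below is an added example, not page or Fortinet code, that applies them to the policy and antivirus-profile lists as exported from the FortiGate. It assumes the input is the "results" arrays returned by GET /api/v2/cmdb/firewall/policy and GET /api/v2/cmdb/antivirus/profile, whose keys mirror the CLI keywords; the sample data is constructed. Treating only the built-in deep-inspection profile as full decryption is a simplification: if you use custom SSL/SSH profiles with deep inspection, add their names to DEEP_INSPECTION_PROFILES.

```python
"""Audit FortiGate policies for antivirus misconfigurations: no profile, profile
ignored because utm-status is off, feature-set/inspection-mode mismatch, no deep
inspection for encrypted traffic, and profiles that scan nothing.
Added example; not Fortinet code. Input shape assumed to mirror cmdb JSON."""

AV_PROTOCOLS = ("http", "ftp", "imap", "pop3", "smtp", "mapi", "cifs", "ssh", "nntp")
DEEP_INSPECTION_PROFILES = {"deep-inspection"}   # add custom deep-inspection profiles here

# Constructed sample of the two cmdb GET responses, trimmed to the relevant keys.
AV_PROFILES = [
    {"name": "av-flow-block", "feature-set": "flow",
     "http": {"av-scan": "block"}, "smtp": {"av-scan": "block"}},
    {"name": "av-proxy-block", "feature-set": "proxy", "scan-mode": "default",
     "http": {"av-scan": "block"}, "mapi": {"av-scan": "block"}},
    {"name": "av-empty", "feature-set": "flow", "http": {"av-scan": "disable"}},
]
POLICIES = [
    {"policyid": 1, "name": "lan-out-ok", "action": "accept", "utm-status": "enable",
     "inspection-mode": "flow", "av-profile": "av-flow-block",
     "ssl-ssh-profile": "deep-inspection"},
    {"policyid": 2, "name": "utm-off", "action": "accept", "utm-status": "disable",
     "inspection-mode": "flow", "av-profile": "av-flow-block",
     "ssl-ssh-profile": "deep-inspection"},
    {"policyid": 3, "name": "mode-mismatch", "action": "accept", "utm-status": "enable",
     "inspection-mode": "flow", "av-profile": "av-proxy-block",
     "ssl-ssh-profile": "deep-inspection"},
    {"policyid": 4, "name": "cert-only", "action": "accept", "utm-status": "enable",
     "inspection-mode": "proxy", "av-profile": "av-proxy-block",
     "ssl-ssh-profile": "certificate-inspection"},
    {"policyid": 5, "name": "no-av", "action": "accept", "utm-status": "enable",
     "inspection-mode": "flow", "av-profile": "", "ssl-ssh-profile": "no-inspection"},
    {"policyid": 6, "name": "scans-nothing", "action": "accept", "utm-status": "enable",
     "inspection-mode": "flow", "av-profile": "av-empty",
     "ssl-ssh-profile": "deep-inspection"},
    {"policyid": 7, "name": "deny-all", "action": "deny"},
]


def scanned_protocols(profile):
    """Protocols whose av-scan is block or monitor in this profile."""
    return [p for p in AV_PROTOCOLS
            if profile.get(p, {}).get("av-scan", "disable") != "disable"]


def audit(policies, profiles):
    """Return a list of (policyid, finding) tuples; an empty list means no issues."""
    by_name = {p["name"]: p for p in profiles}
    findings = []
    for pol in policies:
        pid = pol.get("policyid")
        if pol.get("action") != "accept":
            continue                                  # AV only applies to accepted traffic
        name = pol.get("av-profile") or ""
        if not name:
            findings.append((pid, "no antivirus profile applied"))
            continue
        if pol.get("utm-status") != "enable":
            findings.append((pid, f"av-profile {name!r} is set but utm-status is not "
                                  "enable, so the profile is ignored"))
        prof = by_name.get(name)
        if prof is None:
            findings.append((pid, f"av-profile {name!r} does not exist"))
            continue
        if prof.get("feature-set") != pol.get("inspection-mode"):
            findings.append((pid, f"profile feature-set {prof.get('feature-set')!r} does "
                                  f"not match policy inspection-mode "
                                  f"{pol.get('inspection-mode')!r}"))
        if not scanned_protocols(prof):
            findings.append((pid, f"profile {name!r} has av-scan disabled for every protocol"))
        if pol.get("ssl-ssh-profile") not in DEEP_INSPECTION_PROFILES:
            findings.append((pid, f"ssl-ssh-profile {pol.get('ssl-ssh-profile')!r}: "
                                  "encrypted traffic is not decrypted, so it is not scanned"))
    return findings


if __name__ == "__main__":
    for pid, finding in audit(POLICIES, AV_PROFILES):
        print(f"policy {pid}: {finding}")
```

Policy 3 is the case the GUI normally prevents but an API or scripted change can produce: a proxy feature-set profile referenced from a flow-mode policy. Policy 4 is the quiet one: everything looks enabled, but with certificate inspection an HTTPS download of the EICAR file arrives intact.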
3. To troubleshoot further common antivirus issues, you can check information provided
by the following commands:
• get system performance status:
Displays statistics for the last one minute.
• diagnose antivirus database-info:
Displays current antivirus database information.
• diagnose autoupdate versions:
Displays current antivirus engine and signature versions.
• diagnose antivirus test "get scantime":
Displays scan times for infected files.
