
DO NOT REPRINT

© FORTINET
Lab 9: Antivirus

In this lab, you will configure, use, and monitor antivirus scanning on Local-FortiGate in both flow-based and
proxy-based inspection modes.

Objectives
- Configure antivirus scanning in both flow-based and proxy inspection modes.
- Understand FortiGate antivirus scanning behavior.
- Scan multiple protocols.
- Read and understand antivirus logs.

Time to Complete
Estimated: 20 minutes

Prerequisites
Before beginning this lab, you must restore a configuration file to Local-FortiGate.

To restore the FortiGate configuration file


1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user
name admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.

3. Click Local PC, and then click Upload.


4. Click Desktop > Resources > FortiGate-Security > Antivirus > local-AV-flow-based.conf, and then
click Open.
5. Click OK.
6. Click OK to reboot.

FortiGate Security 6.0 Lab Guide 149


Fortinet Technologies Inc.
Exercise 1: Using Antivirus Scanning in Flow-Based
Inspection Mode

There are two antivirus scanning modes in flow-based inspection mode:

- Quick scan uses a compact antivirus database and is faster because it does not buffer the file in
memory.
- Full scan uses the full antivirus database. It buffers the file locally while transmitting it to the end client at
the same time. Everything is transmitted except the last packet, which is delayed until the whole buffered file
has been sent to the antivirus engine and scanned.

In this exercise, you will use antivirus in flow-based inspection mode to understand how FortiGate performs
antivirus scanning. You will use full-scan mode with and without deep inspection, and observe the behavior of
antivirus scanning in each case, to understand the importance of performing full SSL (deep) inspection.

Configure the Antivirus Profile in Flow-Based Inspection Mode

By default, the FortiGate inspection mode is set to flow-based, so all the security profiles will also be set to flow-
based inspection mode. In this procedure, you will verify the antivirus profile settings, and apply the antivirus
profile to a firewall policy.

To view the current FortiGate inspection mode


1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user
name admin and password password.
2. Click System > Settings.
3. At the bottom of the page, verify that Inspection Mode is set to Flow-based, and that NGFW Mode is set to
Profile-based.

Review the Flow-Based Antivirus Profile

Now that you've verified that the inspection mode is set to flow-based, you will review the antivirus profile to view
the settings.

To review the flow-based antivirus profile


1. Continuing on the Local-FortiGate GUI, click Security Profiles > AntiVirus.
2. Review the default antivirus profile.

Because the inspection mode is set to flow-based, by default, all the security profiles
will be set to flow-based as well.

Enable the Antivirus Profile on a Firewall Policy

Now that you have reviewed the antivirus profile, you must enable the antivirus profile on your firewall policy.
After you enable the antivirus profile on a firewall policy, it can scan for viruses and generate logs (based on
configured log settings).

Take the Expert Challenge!

On the Local-FortiGate GUI (10.0.1.254), complete the following:

- Edit the Full_Access firewall policy and enable the default antivirus profile.
- Use the certificate-inspection profile for SSL inspection.

If you require assistance, or to verify your work, use the step-by-step instructions that follow.

After you complete the challenge, see Test the Antivirus Configuration, later in this exercise.

To enable the antivirus profile on a firewall policy


1. Continuing on the Local-FortiGate GUI, click Policy & Objects > IPv4 Policy.
2. Right-click the ID column for the Full_Access firewall policy and click Edit.
3. Under the Security Profiles section, enable AntiVirus, and select default from the drop-down menu.
4. In the SSL/SSH Inspection drop-down menu, keep the default certificate-inspection profile.

When you select an antivirus profile, SSL/SSH Inspection is enabled by default. You
can't disable it, but you can select any preconfigured SSL/SSH inspection profile in the
associated drop-down menu. You will use the certificate-inspection profile for this
section of the lab. Note that certificate-inspection examines only the unencrypted TLS
handshake (the server certificate and SNI); the encrypted payload is not decrypted, so
antivirus cannot scan HTTPS downloads with this profile.

5. Keep the default values for the remaining settings, and then click OK to save the changes.

Test the Antivirus Configuration

In this procedure, you will download the EICAR test file to your Local-Windows VM. The EICAR test file is a
harmless, industry-standard file that antivirus vendors agree to detect as if it were malware, so you can test
detection without using a real virus. The file consists of the following 68 characters (optionally followed by
whitespace):
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
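The detail that matters for the rest of this exercise is what makes a file count as the EICAR test file at all. The following Python is an added example, not part of the Fortinet lab guide: it builds the test file from the two halves of the signature (so that a scanner indexing the script does not flag the script itself) and implements the EICAR definition as a check, so you can see that a truncated copy, or one with a replacement message appended, no longer qualifies. It uses no FortiGate API; the function names are the example's own.

```python
"""EICAR test file: build one, and check whether a blob of bytes still counts as one."""

# The 68-byte EICAR signature, assembled from two halves so that a scanner
# indexing this source file does not itself flag it. Raw strings keep the
# backslash in the first half literal.
_EICAR_PART_1 = r"X5O!P%@AP[4\PZX54(P^)7CC)7}"
_EICAR_PART_2 = r"$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR_SIGNATURE = (_EICAR_PART_1 + _EICAR_PART_2).encode("ascii")

# Per the EICAR specification, the signature may only be followed by these
# whitespace characters (space, tab, CR, LF, CTRL-Z), and the whole file may
# not exceed 128 bytes.
_ALLOWED_TRAILING = frozenset(b" \t\r\n\x1a")
MAX_EICAR_LENGTH = 128


def is_eicar_test_file(data: bytes) -> bool:
    """True only for byte strings that meet the EICAR definition exactly.

    A file that is truncated, has anything but whitespace appended (for example an
    HTML replacement message), or grows beyond 128 bytes is *not* an EICAR test file,
    and a specification-compliant scanner is not required to detect it.
    """
    if len(data) > MAX_EICAR_LENGTH or not data.startswith(EICAR_SIGNATURE):
        return False
    return all(b in _ALLOWED_TRAILING for b in data[len(EICAR_SIGNATURE):])


def build_eicar_file(trailing: bytes = b"\r\n") -> bytes:
    """Return the contents of a valid EICAR test file: signature plus optional trailing whitespace."""
    data = EICAR_SIGNATURE + trailing
    if not is_eicar_test_file(data):
        raise ValueError("trailing bytes would make this an invalid EICAR file")
    return data


if __name__ == "__main__":
    sample = build_eicar_file()
    print(len(EICAR_SIGNATURE), "byte signature; valid test file:", is_eicar_test_file(sample))
    print("truncated copy still detected:", is_eicar_test_file(sample[:-3]))
```

Keep this in mind when you open the truncated download later in the exercise: what lands on the desktop is not an EICAR file any more, which is why a local scanner may ignore it.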

To test the antivirus configuration


1. Continuing on the Local-Windows VM, open a new web browser tab and access the following website:

http://eicar.org

2. In the upper-right corner of the EICAR webpage, click DOWNLOAD ANTI MALWARE TESTFILE.
3. Click the Download link on the left.
4. In the Download area using the standard protocol http section, download any EICAR sample file.

FortiGate should block the download attempt and, instead of the file, return an HTTP virus replacement
message. FortiGate shows this replacement message whenever it blocks or quarantines an infected file.

Test an alternate download method

In this section, you will test the flow-based antivirus configuration using the Save Link As method to download
the EICAR text file.

To test the antivirus configuration
1. Continuing on the Local-Windows VM, open a new web browser tab and go to the following website:

http://eicar.org

2. On the EICAR website, in the upper-right corner of the page, click DOWNLOAD ANTI MALWARE TESTFILE.
3. Click the Download link on the left.
4. In the Download area using the standard protocol http section, right-click eicar.com.txt and select Save
Link As.

5. Change the download location to Desktop, and then click Save.


You should see the file you downloaded on the desktop. Why was the download allowed?

6. On your desktop, right-click the downloaded eicar.com.txt file, and click Edit with Notepad++ to open the file
you downloaded.
Is the content of the file what it's supposed to be?

Stop and think!

Remember, you are using flow-based inspection mode. With this method, the client sends a request and
starts receiving packets immediately, while FortiGate buffers a copy of those same packets.

When the last packet arrives, FortiGate buffers it and puts it on hold. It then passes the whole buffered file
to the IPS engine, which checks it against its rules and hands it to the antivirus engine for scanning. If the
antivirus scan does not detect any virus and the result comes back clean, the last buffered packet is
regenerated and delivered to the client.

However, if a virus is found, the last packet is dropped. Even though the client has already received most of
the file, the file is truncated, so it cannot be used as intended (a truncated executable or archive will not
open). FortiGate injects the block message into the partially downloaded file, which is why a file appears on
the desktop, and why you can still open it in a text editor and read the replacement message at the end.

7. Delete the downloaded eicar.com.txt file from the Desktop.

View the Antivirus Logs

The purpose of logs is to help you monitor your network traffic, locate problems, establish baselines, and make
adjustments to network security, if necessary.

To view the antivirus logs


1. Return to your browser where you are logged in to the Local-FortiGate GUI, and click Log & Report > Forward
Traffic. You may need to remove any log filters you have set.
2. Locate the antivirus log message and double-click it.
The Details tab shows forward traffic log information along with the action taken.

3. Select the Security tab to view security logs, which provide information more specific to security events, such as
file name, virus or botnet, and reference.
4. To view antivirus security logs, click Log & Report > AntiVirus.

The AntiVirus section is not displayed until at least one antivirus log exists; FortiGate adds
the AntiVirus section after the first such log is created. If the AntiVirus menu item does not
display in the GUI, refresh your browser or log out of the FortiGate GUI and log back in
again.

5. Click Dashboard > Main.


6. Scroll to the bottom of the page, and in the bottom right, click the settings icon.
7. Click Add Widget and add the Advanced Threat Protection Statistics widget to view the summary statistics
of the antivirus activity.

8. Click Close.

The Advanced Threat Protection Statistics widget provides statistics about the number of files submitted
and the results of those scans.

The Advanced Threat Protection Statistics widget displays malware statistics
stored on the device by the antivirus process. Statistics on the widget can be cleared
by formatting the log disk.

Enable SSL Inspection on a Firewall Policy

So far, you have tested unencrypted traffic for antivirus scanning. For FortiGate to inspect encrypted
traffic, you must enable deep inspection on the firewall policy. With deep inspection, FortiGate decrypts the
SSL/TLS session, inspects the content, and re-encrypts it toward its destination, presenting the client a
certificate signed by the FortiGate CA. Technically this is the same position a man-in-the-middle (MITM)
attacker would occupy, which is why the FortiGate CA certificate must be trusted by the clients.

Take the Expert Challenge!

- On Local-Windows, test the configuration by downloading the eicar.com file using HTTPS without
enabling the deep-inspection profile on the Full_Access firewall policy.
- Configure Local-FortiGate to scan secure protocols by enabling SSL/SSH Inspection using the
deep-inspection profile on the Full_Access firewall policy.
- Test the configuration by downloading the eicar.com file using HTTPS.

If you require assistance, or to verify your work, use the step-by-step instructions that follow.

To test antivirus scanning without SSL Inspection enabled on the firewall policy
1. Continuing on the Local-Windows VM, open a web browser and go to the following website:

http://eicar.org

2. On the EICAR webpage, click DOWNLOAD ANTI MALWARE TESTFILE.


3. Click the Download link that appears on the left side.
4. In the Download area using the secure, SSL enabled protocol https section, download the eicar.com sample
file.

FortiGate should not block the file. With certificate-inspection, the HTTPS payload is never decrypted, so there
is nothing for the antivirus engine to scan.

To enable and test the SSL inspection profile on a firewall policy


1. Return to your browser tab where you are logged in to the Local-FortiGate GUI, and click Policy & Objects >
IPv4 Policy.
2. Right-click the ID column for the Full_Access firewall policy and click Edit.
3. Under the Security Profiles section, in the SSL/SSH Inspection drop-down menu, select deep-inspection.
4. Keep the remaining default settings, and then click OK to save the changes.
5. On the EICAR web page, in the Download area using the secure, SSL enabled protocol https section, try
to download the same eicar.com file again.

If the FortiGate self-signed, full-inspection CA certificate is not installed in the browser,
end users will see a certificate warning message. In this environment, the FortiGate
self-signed SSL inspection certificate is installed in the browser.

FortiGate should block the download and replace it with a message. If it doesn't, you may need to clear your
cache. In Firefox, click History > Clear Recent History > Everything.

Exercise 2: Configuring Proxy-Based Antivirus Scanning

In proxy-based inspection mode, each protocol's proxy buffers the entire file (or up to the configured oversize
limit) and scans it before forwarding anything. The client must wait for the scan to finish before it receives
either the file or a replacement message.

In this exercise, you will configure antivirus scanning in proxy-based inspection mode, including associated
security features, such as proxy options with deep-inspection. Then, you will apply antivirus scanning to the
firewall policy. Finally, you will view the logs and summary information for the antivirus activity.

Change the FortiGate Inspection Mode

By default, flow-based inspection mode is enabled on FortiGate. You will change the inspection mode from flow-
based to proxy-based.

To change the FortiGate inspection mode


1. On the Local-Windows VM, open PuTTY and connect over SSH to the LOCAL-FORTIGATE saved session.
2. At the login prompt, enter the user name admin and password password.
3. Enter the following commands to change from Flow-based to Proxy inspection mode:
config system settings
set inspection-mode proxy
end
4. Open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user name admin and password
password.
5. Click System > Settings to verify that the Inspection Mode is now set to Proxy.

Changing from one inspection mode to another will result in the conversion of profiles
and removal or addition of security features, based on the selected mode.

Review the Antivirus Profile in Proxy-Based Inspection Mode

Now that you've changed the inspection mode to proxy-based, you will view the antivirus profile to see the
changes.

To review the antivirus profile in proxy-based inspection mode


1. Continuing on the Local-FortiGate GUI, click Dashboard > Main.
In the System Information widget, you will notice that the Mode is set to NAT (Proxy-based).

If you do not see the mode set to NAT (Proxy-based) in the System Information
widget, refresh your browser.

2. Click Security Profiles > AntiVirus, and select the default antivirus profile.
3. Verify that Detect Viruses is set to Block and, in the Inspected Protocols section, make sure the FTP switch is
turned on.
This profile defines the behavior for virus scanning on the traffic that matches policies using that profile.

Enable the Antivirus Profile on a Firewall Policy

Now that the antivirus profile is configured, you must enable the antivirus profile on the firewall policy. After you
enable the antivirus profile on a firewall policy, it can scan for viruses and generate logs (based on configured log
settings).

To enable an antivirus profile on a firewall policy


1. Continuing on the Local-FortiGate GUI, click Policy & Objects > IPv4 Policy.
2. Right-click the ID column for the Full_Access firewall policy and click Edit.
3. Under the Security Profiles section, verify that the default profile for AntiVirus is applied.

When you select an antivirus profile, Proxy Options and SSL/SSH Inspection are
automatically enabled. You can't disable Proxy Options or SSL/SSH Inspection,
but you can select any preconfigured profiles in the Proxy Options and SSL/SSH
Inspection drop-down menus.

4. Beside the Proxy Options profile, click the pencil icon to view the profile on the firewall policy tab.
Alternatively, click Security Profiles > Proxy Options to see the default proxy options profile selected in
the firewall policy.

This profile specifies how FortiGate's proxies pick up each protocol, including the ports on which they listen
for it. For example, the FTP listening port is set to port 21.

Test the Proxy-Based Antivirus Profile

Now, you will test the proxy-based antivirus profile using FTP file transfer.

Take the Expert Challenge!

- On the Local-Windows VM desktop, use the FileZilla FTP client to connect to the Linux preconfigured
profile under Site Manager.
- Leave the username and password fields empty.
- Download the eicar.com file from the FTP server.
- View the relevant logs on the Local-FortiGate GUI, and identify the action taken as a result of the
scanning.

If you require assistance, or to verify your work, the step-by-step instructions are provided below.

To test the antivirus configuration


1. Continuing on the Local-Windows VM, open the FileZilla FTP client software from the desktop.
2. Click the Site Manager icon in the upper-left corner and select the Linux site.

3. On the Remote site side of the application (right), right-click the eicar.com file, and then select Download.

The client should display an error message that the server aborted the connection. FortiGate sends the
replacement message as a server response.

In proxy-based inspection mode, FortiGate buffers the file to scan the content before
sending the file or a replacement message to the client.

4. Close the FileZilla FTP client.
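To make the difference between the two modes concrete, here is an added Python model (example code written for this page, not FortiGate's implementation or Fortinet's lab material) of the behavior described in the Stop and think! box in Exercise 1 and in the note above: flow-based full scan forwards every packet except the last while buffering a copy, then either releases the held packet or replaces it with a block message; proxy-based scanning buffers the whole file and releases nothing until the scan is done. The scanner, packet size, payloads and block message text are all constructed for the example.

```python
"""Model of how a flow-based full scan and a proxy-based scan deliver a file that
contains a detected signature. Constructed example, not FortiGate code."""
from dataclasses import dataclass, field
from typing import Callable, List

Scanner = Callable[[bytes], bool]  # returns True when the buffered content is malicious

# Marker the toy scanner looks for; the real EICAR string is longer, this substring is enough here.
EICAR_MARKER = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"

# Stand-in for the replacement message FortiGate injects (wording constructed for the example).
BLOCK_MESSAGE = b"<html>High Security Alert: the file was blocked by the antivirus engine.</html>"


def eicar_scanner(data: bytes) -> bool:
    """Toy antivirus engine: flags any buffer containing the EICAR marker."""
    return EICAR_MARKER in data


@dataclass
class ClientView:
    """What the downloading client ends up with."""
    received: bytearray = field(default_factory=bytearray)
    server_aborted: bool = False  # proxy mode: transfer closed with the replacement message


def split_packets(payload: bytes, packet_size: int) -> List[bytes]:
    """Cut the server response into fixed-size packets (the last one may be shorter)."""
    return [payload[i:i + packet_size] for i in range(0, len(payload), packet_size)]


def flow_full_scan(payload: bytes, packet_size: int, scanner: Scanner) -> ClientView:
    """Flow-based full scan: every packet except the last is forwarded immediately
    while also being buffered; the last packet is held until the whole buffer has
    been scanned, then either released or replaced by the block message."""
    client = ClientView()
    packets = split_packets(payload, packet_size)
    if not packets:
        return client
    buffered = bytearray()
    for pkt in packets[:-1]:
        buffered += pkt
        client.received += pkt           # client already has this before the scan finishes
    last = packets[-1]
    buffered += last                     # held back, not forwarded yet
    if scanner(bytes(buffered)):
        client.received += BLOCK_MESSAGE  # last packet dropped; the file is truncated
    else:
        client.received += last           # clean: regenerate and deliver the last packet
    return client


def proxy_scan(payload: bytes, scanner: Scanner) -> ClientView:
    """Proxy-based scan: the whole file is buffered and scanned first; the client
    receives either the complete file or only the replacement message."""
    client = ClientView()
    if scanner(payload):
        client.server_aborted = True
        client.received += BLOCK_MESSAGE
    else:
        client.received += payload
    return client


# Constructed payloads: a clean text file and one carrying the marker in the middle.
CLEAN_FILE = b"Quarterly report, nothing to see here. " * 3
INFECTED_FILE = b"header " * 5 + EICAR_MARKER + b" trailer " * 5


if __name__ == "__main__":
    flow = flow_full_scan(INFECTED_FILE, packet_size=40, scanner=eicar_scanner)
    proxy = proxy_scan(INFECTED_FILE, eicar_scanner)
    print("flow mode: client got", len(flow.received) - len(BLOCK_MESSAGE), "of",
          len(INFECTED_FILE), "file bytes, then the block message")
    print("proxy mode: client got", len(proxy.received) - len(BLOCK_MESSAGE),
          "file bytes; transfer aborted:", proxy.server_aborted)
```

Run it and look at what the flow-mode client holds: everything up to the last packet, including the signature itself, followed by the replacement message. Flow-based full scan prevents the client from receiving a usable file, but it does not prevent most of the malicious bytes from reaching the host; proxy mode trades the added latency the exercise describes for not leaking any of the file.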

View the Antivirus Logs

Now, you will check and confirm the logs for the test you just performed.

To view the antivirus logs


1. Return to your browser tab where you are logged in to the Local-FortiGate GUI, and click Log & Report >
Forward Traffic.
2. Locate the antivirus log message generated when you tried to download the file over FTP, and double-click the
log entry to view the details.


The Details tab shows forward traffic log information along with the action taken.

3. To view security log information, do one of the following:

- Select the Security tab. This includes information more specific to the security event, such as file name,
virus/botnet, reference, and so on.
- Click Log & Report > AntiVirus.
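Both log procedures above (the flow-based HTTP test in Exercise 1 and the FTP test here) rely on the same two records: a UTM log of subtype virus that carries the file name, virus name and action, and the forward traffic log for the session, whose UTM action shows the block. The following Python is an added example, not Fortinet's tooling: it parses FortiGate-style key=value log lines into dictionaries and produces the per-service summary you would otherwise read off the AntiVirus view. The sample lines are constructed for this example; the field names follow FortiGate conventions, but the addresses, times and message text are made up, and a real export (from Log & Report or a syslog collector) carries many more fields.

```python
"""Parse FortiGate-style key=value antivirus log lines and summarise what was blocked."""
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# key=value pairs; values are either double-quoted (may contain spaces and \" escapes) or bare.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample lines modelled on FortiGate's log format. Field names follow
# FortiGate conventions (type, subtype, action, service, filename, virus, utmaction);
# the addresses, times and message text are made up for this example.
SAMPLE_LOGS = [
    'date=2019-03-11 time=10:21:33 type="utm" subtype="virus" eventtype="infected" level="warning" '
    'vd="root" policyid=1 srcip=10.0.1.10 dstip=192.0.2.10 service="HTTP" profile="default" '
    'action="blocked" filename="eicar.com.txt" virus="EICAR_TEST_FILE" msg="File is infected."',
    'date=2019-03-11 time=10:21:33 type="traffic" subtype="forward" level="notice" vd="root" '
    'policyid=1 srcip=10.0.1.10 dstip=192.0.2.10 service="HTTP" action="accept" utmaction="block" countav=1',
    'date=2019-03-11 time=10:35:02 type="utm" subtype="virus" eventtype="infected" level="warning" '
    'vd="root" policyid=1 srcip=10.0.1.10 dstip=192.0.2.20 service="FTP" profile="default" '
    'action="blocked" filename="eicar.com" virus="EICAR_TEST_FILE" msg="File is infected."',
    'date=2019-03-11 time=10:36:45 type="traffic" subtype="forward" level="notice" vd="root" '
    'policyid=1 srcip=10.0.1.10 dstip=192.0.2.30 service="HTTPS" action="accept" utmaction="allow"',
]


def parse_log_line(line: str) -> Dict[str, str]:
    """Turn one key=value log line into a dict, removing quotes and unescaping \\" inside values."""
    fields: Dict[str, str] = {}
    for key, raw in _KV_RE.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def antivirus_events(lines: Iterable[str]) -> List[Dict[str, str]]:
    """The security log entries the AntiVirus view shows: UTM logs with subtype virus."""
    return [f for f in map(parse_log_line, lines)
            if f.get("type") == "utm" and f.get("subtype") == "virus"]


def blocked_by_service(events: Iterable[Dict[str, str]]) -> Dict[Tuple[str, str], int]:
    """Count antivirus events per (service, action), e.g. what was blocked over HTTP versus FTP."""
    return dict(Counter((e.get("service", "?"), e.get("action", "?")) for e in events))


def sessions_with_utm_block(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Forward traffic logs whose session had a UTM block, the action the Details tab reports."""
    return [f for f in map(parse_log_line, lines)
            if f.get("type") == "traffic" and f.get("utmaction") == "block"]


if __name__ == "__main__":
    events = antivirus_events(SAMPLE_LOGS)
    for e in events:
        print(f'{e["service"]:<5} {e["action"]:<8} {e["filename"]:<14} {e["virus"]}')
    print(blocked_by_service(events))
    print(len(sessions_with_utm_block(SAMPLE_LOGS)), "session(s) with a UTM block")
```

Pointing the same functions at a raw log export after a configuration change lets you confirm that HTTPS downloads now appear with action blocked, rather than inferring it from what the browser displays.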
