FortiGate Security 7.2 Study Guide-Online-10

Uploaded by prueba phish

Antivirus

DO NOT REPRINT
© FORTINET

Before FortiGate devices can start scanning traffic for malware, you need to apply the antivirus profile, the
protocol options, and SSL/SSH inspection profiles on the firewall policy.

In full SSL inspection level, FortiGate terminates the SSL/TLS handshake at its own interface, before it
reaches the server. When certificates and private keys are exchanged, it is with FortiGate and not the server.
Next, FortiGate starts a second connection with the server.

Because traffic is unencrypted while passing between its interfaces, FortiGate can inspect the contents and
look for matches with the antivirus signature database, before it re-encrypts the packet and forwards it.

For these reasons, full SSL inspection level is the only choice that allows antivirus to be effective.


For antivirus scanning in proxy-based inspection mode (with client comforting disabled), the block
replacement page is displayed immediately when a virus is detected.

For flow-based inspection mode scanning, if a virus is detected at the start of the stream, the block
replacement page is displayed at the first attempt. If a virus is detected after a few packets have been
transmitted, the block replacement page is not displayed. However, FortiGate caches the URL and can
display the replacement page immediately, on the second attempt.

Note that if deep inspection is enabled, all HTTPS-based applications also display the block replacement
message.

The block page includes the following:


• File name
• Virus name
• Website host and URL
• User name and group (if authentication is enabled)
• Link to FortiGuard Encyclopedia—which provides analysis, recommended actions (if any), and detection
availability

You can go directly to the FortiGuard website to view information about other malware, and scan, submit, or
do both, with a sample of a suspected malware.


If you enable logging, you can find details on the AntiVirus log page under Security Events.

When the antivirus scan detects a virus, by default, it creates a log about what virus was detected, as well as
the action, policy ID, antivirus profile name, and detection type. It also provides a link to more information on
the FortiGuard website.

You can also view log details on the Forward Traffic log page, where firewall policies record traffic activity.
You’ll also find a summary of the traffic on which FortiGate applied an antivirus action.
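The log details described above (virus name, action, policy ID, profile name, detection type) arrive as key=value fields in FortiGate's syslog-style records. The following is an added example, not code from the study guide or from Fortinet: a small parser that splits such lines into fields, keeps only the antivirus events, and summarizes which policies and profiles produced detections and which detections were only monitored rather than blocked. The sample lines are constructed, and the field names used (type, subtype, virus, dtype, profile, policyid, action, srcip) are assumed from the common FortiOS UTM log layout.

```python
import re
from collections import Counter

# Constructed sample records, not real device output. They follow the key=value
# layout of FortiGate logs; field names are assumed from that layout, values are invented.
SAMPLE_LOGS = [
    'date=2024-01-15 time=10:01:02 type="utm" subtype="virus" eventtype="infected" '
    'srcip=10.0.1.25 dstip=203.0.113.10 service="HTTPS" policyid=5 profile="default" '
    'action="blocked" virus="EICAR_TEST_FILE" dtype="Virus" filename="eicar.com" '
    'url="https://example.test/eicar.com"',
    'date=2024-01-15 time=10:03:44 type="utm" subtype="virus" eventtype="infected" '
    'srcip=10.0.1.31 dstip=203.0.113.22 service="HTTP" policyid=5 profile="default" '
    'action="monitored" virus="Sample/Constructed.A" dtype="Virus" filename="setup.exe" '
    'url="http://example.test/dl/setup.exe"',
    'date=2024-01-15 time=10:05:10 type="utm" subtype="virus" eventtype="infected" '
    'srcip=10.0.2.7 dstip=203.0.113.22 service="SMTP" policyid=9 profile="mail-av" '
    'action="blocked" virus="Sample/Constructed.A" dtype="Virus" filename="invoice.zip"',
    # A forward-traffic record: it mentions the UTM action but is not an antivirus event.
    'date=2024-01-15 time=10:06:00 type="traffic" subtype="forward" srcip=10.0.1.25 '
    'dstip=203.0.113.10 policyid=5 action="accept" utmaction="block"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log(line):
    """Split one key=value log line into a dict, stripping quotes around values."""
    fields = {}
    for key, value in _KV.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def virus_events(lines):
    """Keep only antivirus events (type=utm, subtype=virus)."""
    events = [parse_log(line) for line in lines]
    return [e for e in events if e.get("type") == "utm" and e.get("subtype") == "virus"]


def summarize(lines):
    """Count detections per (policy, profile) and per virus; list detections not blocked."""
    events = virus_events(lines)
    per_policy = Counter((e["policyid"], e["profile"]) for e in events)
    per_virus = Counter(e["virus"] for e in events)
    # Anything with an action other than "blocked" reached the client and deserves follow-up.
    not_blocked = [(e["srcip"], e["virus"]) for e in events if e["action"] != "blocked"]
    return {"per_policy": dict(per_policy), "per_virus": dict(per_virus), "not_blocked": not_blocked}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOGS).items():
        print(key, value)
```

The `not_blocked` list is the part worth watching in practice: a detection that was only monitored means the antivirus profile on that policy is set to monitor rather than block, which the best practices later in this lesson tell you to verify on every internet-facing policy.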


Good job! You now understand antivirus configuration.

Now, you will learn about some antivirus best practices.


After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in antivirus best practices, you will be able to configure an effective antivirus
solution.


The following are some best practices to follow when configuring antivirus scanning for use on FortiOS:
• Enable antivirus scanning on all internet traffic. This includes internal to external firewall policies, and any
VIP firewall policies.
• Use deep-inspection instead of certificate-based inspection, to ensure that full content inspection is
performed.
• Use FortiSandbox for protection against new viruses.
• Do not increase the maximum file size to be scanned, unless there is good reason, or you need to do so in
order to meet a network requirement.


Logging is an important part of managing a secure network. Enable logging for oversized files so that if there
are files that are not scanned, you can be aware of it. Also, ensure that security events logging is enabled on
all firewall policies using security profiles. Use the standalone dashboards to view relevant information
regarding threats to your network. The standalone dashboard organizes information into network segments
and breaks it down into various categories.


The FortiGate main CPU is responsible for performing UTM/NGFW inspection on the network traffic.
FortiGate models that have specialized chips can offload inspection tasks to enhance performance while
providing the same level of protection. FortiGate devices that support the NTurbo feature can offload
UTM/NGFW sessions to network processors. NTurbo creates a special data path to redirect traffic from the
ingress interface to the IPS engine, and from the IPS engine to the egress interface. This can improve
performance by accelerating antivirus inspection, without sacrificing security.


FortiGate models that have CP8 or CP9 content processors can offload flow-based pattern matching to CP8
or CP9 processors. When CP acceleration is enabled, flow-based pattern databases are compiled and
downloaded to the content processors from the IPS engine and IPS database. This reduces load on the
FortiGate CPU because flow-based pattern matching requests are redirected to the CP hardware. Before
flow-based inspection is applied to the traffic, the IPS engine uses a series of decoders to determine the
appropriate security modules that can be used, depending on the protocol of the packet and policy settings. In
addition, if SSL inspection is configured, the IPS engine also decrypts SSL packets. SSL decryption is also
offloaded and accelerated by CP8 or CP9 processors.


Good job! You now understand antivirus best practices.

Now, you will learn about antivirus troubleshooting.


After completing this section, you should be able to troubleshoot common issues with antivirus.

By demonstrating competence in troubleshooting common antivirus issues, you will be able to configure and
maintain an effective antivirus solution.


If you are having issues with the antivirus license or FortiGuard updates, start troubleshooting with basic
connectivity tests. Most of the time, issues related to updates are caused by connectivity problems with
FortiGuard servers. You can perform the following to handle common antivirus issues:
• Make sure that FortiGate has a stable internet connection and can resolve DNS (update.fortinet.net).
• If there is another firewall between FortiGate and the internet, make sure TCP port 443 is open and traffic
is allowed from and to the FortiGate device.
• Force FortiGate to check for new virus updates using the CLI command: execute update-av.
• Verify that the FortiGate device is registered and has a valid antivirus service contract.


What if FortiGate shows a valid license but the antivirus database is out of date?

Check the current database version installed on your FortiGate and compare the version number with the
current release on the FortiGuard website. FortiGate may not update the antivirus database if it is not being
used (applied on a firewall policy). Make sure the antivirus profile is applied on at least one firewall policy. If
you continue to see issues with the update, run the real-time debug command to identify the problem.


What if you have a valid contract and an updated database, and you are still having issues catching viruses?
Start troubleshooting for basic configuration errors. Most of the time, issues are caused by misconfiguration
on the device. You can verify the configuration as follows:
• Make sure that the correct antivirus profile is applied on the right firewall policy.
• Make sure that you are using the same antivirus profile and SSL/SSH inspection on all internet connection
firewall policies.
• Add and use the Advanced Threat Protection Statistics widget to get the latest virus statistics from the unit.

These are some of the commands that can be used to retrieve information and troubleshoot antivirus issues:
• get system performance status: Displays statistics for the last one minute.
• diagnose antivirus database-info: Displays current antivirus database information.
• diagnose autoupdate versions: Displays current antivirus engine and signature versions.
• diagnose antivirus test "get scantime": Displays scan times for infected files.
• execute update-av: Forces FortiGate to check for antivirus updates from the FortiGuard server.


Congratulations! You have completed this lesson.

Now, you will review the objectives that you covered in this lesson.


This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned how to use FortiGate features and functions to
protect your network against viruses.


Intrusion Prevention and Denial of Service


In this lesson, you will learn how to use FortiGate to protect your network against intrusions and denial of
service (DoS) attacks.


In this lesson, you will learn about the topics shown on this slide.


After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in intrusion prevention systems (IPS), you should be able to implement an
effective IPS solution to protect your network from intrusion.


It’s important to understand the difference between an anomaly and an exploit. It’s also important to know
which FortiGate features offer protection against each of these types of threats.

Exploits are known attacks, with known patterns that can be matched by IPS, web application firewall (WAF),
or antivirus signatures.

Anomalies are unusual behaviors in the network, such as higher-than-usual CPU usage or network traffic.
Anomalies must be detected and monitored (and, in some cases, blocked or mitigated) because they can be
the symptoms of a new, never-seen-before attack. Anomalies are usually better detected by behavioral
analysis, such as rate-based IPS signatures, DoS policies, and protocol constraints inspection.


IPS on FortiGate uses signature databases to detect known attacks. Protocol decoders can also detect
network errors and protocol anomalies.

The IPS engine is responsible for most of the features shown in this lesson: IPS and protocol decoders. It’s
also responsible for application control, flow-based antivirus protection, web filtering, and email filtering.


How does the IPS engine determine if a packet contains an attack or anomaly?

Protocol decoders parse each packet according to the protocol specifications. Some protocol decoders
require a port number specification (configured on the CLI), but usually, the protocol is automatically detected.
If the traffic doesn’t conform to the specification—if, for example, it sends malformed or invalid commands to
your servers—then the protocol decoder detects the error.


By default, an initial set of IPS signatures is included in each FortiGate firmware release. FortiGuard updates
the IPS signature database with new signatures. That way, IPS remains effective against new exploits. Unless
a protocol specification or RFC changes (which doesn’t happen very often), protocol decoders are rarely
updated. The IPS engine itself changes more frequently, but still not often.

The FortiGuard IPS service updates the IPS signatures most often. The FortiGuard research team identifies
and builds new signatures, just like antivirus signatures. So, if your FortiGuard Services contract expires, you
can still use IPS. However, just like antivirus scans, IPS scans become increasingly ineffective the longer the
signatures are not updated—old signatures won’t defend against new attacks.

The default auto-update schedule for FortiGuard packages has been updated. Previously, the frequency was
a recurring random interval within two hours. Starting in FortiOS 7.0, the frequency is automatic, and the
update interval is calculated based on the model and the percentage of valid subscriptions. The update interval is
within one hour.

For example, an FG-501E has 78% valid contracts. Based on this device model, FortiOS calculates the
update schedule to be every 10 minutes. You can verify the system event logs, which are generated
approximately every 10 minutes.

IPS is a FortiGuard subscription, and includes a botnet signature database. The botnet IP database is part of
the ISDB updates. The botnet domains database is part of the AV updates, and only the botnet signatures
require the FortiGuard IPS license subscription.


The IPS signature database is divided into the regular and extended databases. The regular signature
database contains signatures for common attacks whose signatures cause rare or no false positives. It's a
smaller database, and its default action is to block the detected attack.

The extended signature database contains additional signatures for attacks that cause a significant
performance impact, or don’t support blocking because of their nature. In fact, because of its size, the
extended database is not available for FortiGate models with a smaller disk or RAM. But, for high-security
networks, you might be required to enable the extended signatures database.


After FortiGate downloads a FortiGuard IPS package, new signatures appear in the signature list. When
configuring FortiGate, you can change the Action setting for each sensor that uses a signature.

The default action setting is often correct, except in the following cases:
• Your software vendor releases a security patch. Continuing to scan for exploits wastes FortiGate
resources.
• Your network has a custom application with traffic that inadvertently triggers an IPS signature. You can
disable the setting until you notify Fortinet so that the FortiGuard team can modify the signature to avoid
false positives.


There are two ways to add predefined signatures to an IPS sensor. One way is to select the signatures
individually. After you select a signature in the list, the signature is added to the sensor with its default action.
Then, you can right-click the signature and change the action.

The second way to add a signature to a sensor is using filters. FortiGate adds all the signatures that match
the filters.

The purpose of the IPS feature is to protect the inside of the network from outside threats.


You can also add rate-based signatures to block specific traffic when the threshold is exceeded during the
configured time period. You should apply rate-based signatures only to protocols you actually use. Then,
configure Duration to block malicious clients for extended periods. This saves system resources and can
discourage a repeat attack. FortiGate does not track statistics for that client while it is temporarily blocklisted.
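The behaviour described above (a threshold of matches within a time period, a block Duration for the offending client, and no statistics kept for that client while it is blocklisted) is easiest to reason about as a sliding-window counter. The following is an added example written for this page, not Fortinet code and not how the IPS engine is implemented internally: it models one rate-based signature with a constructed threshold, period and duration, and returns the action taken for each event so the timing can be checked.

```python
from collections import defaultdict, deque


class RateBasedSignature:
    """Model of one rate-based IPS signature (illustrative, not the FortiOS engine).

    A client that exceeds `threshold` matches within any `period` seconds is
    blocked for `duration` seconds. While blocked, its traffic is dropped and
    no match statistics are recorded for it.
    """

    def __init__(self, threshold, period, duration):
        self.threshold = threshold      # matches allowed inside the window
        self.period = period            # window length in seconds
        self.duration = duration        # block length in seconds
        self._hits = defaultdict(deque)  # client -> timestamps of recent matches
        self._blocked_until = {}         # client -> time at which the block expires

    def is_blocked(self, client, now):
        until = self._blocked_until.get(client)
        if until is None:
            return False
        if now < until:
            return True
        del self._blocked_until[client]  # block expired; the client starts clean
        return False

    def observe(self, client, now):
        """Record one signature match from `client` at time `now`; return the action."""
        if self.is_blocked(client, now):
            return "drop"                # blocklisted: dropped without tracking statistics
        hits = self._hits[client]
        hits.append(now)
        # Forget matches older than the window so the count reflects `period` only.
        while hits and now - hits[0] > self.period:
            hits.popleft()
        if len(hits) > self.threshold:
            self._blocked_until[client] = now + self.duration
            hits.clear()
            return "block"               # threshold exceeded: start the block
        return "pass"


def run_events(signature, events):
    """Feed (client, timestamp) pairs in order; return (client, timestamp, action) triples."""
    return [(client, t, signature.observe(client, t)) for client, t in events]


if __name__ == "__main__":
    # Constructed event stream: one client bursts, the other stays under the rate.
    sig = RateBasedSignature(threshold=3, period=10, duration=60)
    events = [("10.0.1.5", 0), ("10.0.1.6", 0), ("10.0.1.5", 1), ("10.0.1.5", 2),
              ("10.0.1.5", 3), ("10.0.1.6", 20), ("10.0.1.5", 30), ("10.0.1.6", 40),
              ("10.0.1.5", 70)]
    for row in run_events(sig, events):
        print(row)
```

With threshold 3 and a 10-second period, the fourth match at t=3 trips the block; the match at t=30 is dropped without being counted, and at t=70 the 60-second block has expired, so the client is evaluated afresh. A long Duration therefore costs nothing in tracking state, which is why the guide recommends it.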


When the IPS engine compares traffic with the signatures in each filter, order matters. The rules are similar to
firewall policy matching; the engine evaluates the filters and signatures at the top of the list first, and applies
the first match. The engine skips subsequent filters.

So, position the most likely matching filters, or signatures, at the top of the list. Avoid making too many filters,
because this increases evaluations and CPU usage. Also, avoid making very large signature groups in each
filter, which increase RAM usage.

In the event of a false-positive outbreak, you can add the triggered signature as an individual signature and
set the action to Monitor. This allows you to monitor the signature events using IPS logs, while investigating
the false-positive issue.


Sometimes it is necessary to exempt specific source or destination IP addresses from specific signatures.
This feature is useful during false-positive outbreaks. You can temporarily bypass affected endpoints until you
investigate and correct the false-positive issue.

You can configure IP exemptions on individual signatures only. Each signature can have multiple exemptions.


When you create a new entry to add signatures or filters, you can select the action by clicking Action.

Select Allow to allow traffic to continue to its destination. Select Monitor to allow traffic to continue to its
destination and log the activity. Select Block to silently drop traffic matching any of the signatures included in
the entry. Select Reset to generate a TCP RST packet whenever the signature is triggered. Select Default to
use the default action of the signatures.

Quarantine allows you to quarantine the attacker’s IP address for a set duration. You can set the quarantine
duration to any number of days, hours, or minutes.

If you enable Packet logging, FortiGate saves a copy of the packet that matches the signature.


IPS signature filter options include the CVE pattern. The CVE pattern option allows you to filter IPS signatures
based on CVE IDs or with a CVE wildcard, ensuring that any signatures tagged with that CVE are
automatically included.
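The last few slides describe how an IPS sensor is evaluated: entries are checked top-down and the first match wins; an entry is either an individual signature (which can carry IP exemptions) or a filter (by severity, target, or CVE pattern with a wildcard); and the entry's action can be Allow, Monitor, Block, Default or a quarantine. The following is an added example that puts those rules together in one evaluator. It is illustrative code written for this page, not Fortinet's engine, and it assumes a constructed signature catalogue with invented names and CVE IDs, and that traffic matching an exemption on an individual signature entry is allowed for that signature.

```python
import fnmatch
import ipaddress

# Constructed signature catalogue (not FortiGuard data). Names, severities,
# targets and CVE tags are invented for the example.
SIGNATURES = {
    "Web.Server.Example.Overflow": {"severity": "critical", "target": "server",
                                    "cve": ["CVE-0000-1111"], "default": "block"},
    "Web.Client.Example.Script":   {"severity": "high", "target": "client",
                                    "cve": ["CVE-0000-2222"], "default": "allow"},
    "Legacy.Service.Exploit":      {"severity": "medium", "target": "server",
                                    "cve": ["CVE-0000-3333"], "default": "block"},
    "Custom.App.Heartbeat":        {"severity": "low", "target": "server",
                                    "cve": [], "default": "allow"},
}

# Sensor entries in evaluation order. A constructed configuration:
#   1. an individual signature moved to the top during a false-positive
#      investigation, set to monitor, with the affected subnet exempted;
#   2. a filter using a CVE wildcard, blocking and quarantining the source;
#   3. a broad filter that keeps each signature's default action.
SENSOR = [
    {"signature": "Legacy.Service.Exploit", "action": "monitor",
     "exempt": [("10.0.5.0/24", "0.0.0.0/0")]},          # (source net, destination net)
    {"filter": {"cve": "CVE-0000-1*"}, "action": "block", "quarantine_minutes": 30},
    {"filter": {"severity": ["medium", "high", "critical"], "target": ["server"]},
     "action": "default"},
]


def _ip_in(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def filter_matches(flt, sig):
    """Every criterion present in the filter must hold for the signature."""
    if "severity" in flt and sig["severity"] not in flt["severity"]:
        return False
    if "target" in flt and sig["target"] not in flt["target"]:
        return False
    if "cve" in flt and not any(fnmatch.fnmatch(c, flt["cve"]) for c in sig["cve"]):
        return False
    return True


def entry_matches(entry, name, sig):
    if "signature" in entry:
        return entry["signature"] == name
    return filter_matches(entry["filter"], sig)


def evaluate(sensor, event):
    """Return the action for one triggered signature; first matching entry wins."""
    name = event["signature"]
    sig = SIGNATURES[name]
    for index, entry in enumerate(sensor):
        if not entry_matches(entry, name, sig):
            continue
        # IP exemptions exist only on individual-signature entries.
        for src_net, dst_net in entry.get("exempt", []):
            if _ip_in(event["src"], src_net) and _ip_in(event["dst"], dst_net):
                return {"action": "allow", "entry": index, "reason": "ip exemption",
                        "quarantine_minutes": 0}
        action = sig["default"] if entry["action"] == "default" else entry["action"]
        return {"action": action, "entry": index, "reason": "first match",
                "quarantine_minutes": entry.get("quarantine_minutes", 0)}
    # No entry covers this signature: the sensor does not act on it.
    return {"action": "allow", "entry": None, "reason": "no entry matched",
            "quarantine_minutes": 0}


if __name__ == "__main__":
    for ev in [{"signature": "Legacy.Service.Exploit", "src": "10.0.5.7", "dst": "10.0.1.10"},
               {"signature": "Legacy.Service.Exploit", "src": "10.0.6.7", "dst": "10.0.1.10"},
               {"signature": "Web.Server.Example.Overflow", "src": "198.51.100.5", "dst": "10.0.1.10"},
               {"signature": "Web.Client.Example.Script", "src": "10.0.1.20", "dst": "198.51.100.9"}]:
        print(ev["signature"], "->", evaluate(SENSOR, ev))
```

Two things the evaluation order makes visible: the client-side signature falls through every entry because the broad filter only covers server-side targets, so it is never acted on by this sensor (a gap the Log Allowed Traffic / All Sessions setting discussed later would help you notice), and the monitor entry has to sit above the filters, or the filter's block action would win first.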


Since the botnet database is part of the FortiGuard IPS contract, administrators can enable scanning of botnet
connections to maximize their internal security. You enable botnet scanning on the IPS profile that you apply to
the firewall policy. You can also enable scanning of botnet connections using the CLI.

There are three possible actions for botnet and C&C:


• Disable: Do not scan connections to botnet servers
• Block: Block connections to botnet servers
• Monitor: Log connections to botnet servers


To apply an IPS sensor, you must enable IPS and then select the sensor in a firewall policy. By default,
FortiGate logs all security events. This means you can see any traffic that is being blocked by IPS.

If you think some traffic should be blocked but is passing through the policy, you should change the Log
Allowed Traffic method to All Sessions. This will log all traffic processed by that firewall policy, and not just
the traffic that is blocked by the security profiles. This can help you in identifying false negative events.


If you enabled security events logging in the firewall policies that apply IPS, you can view the logged events
on the Security Events pane on the Log & Report page. You can view the logs by clicking Intrusion
Prevention.

You should review IPS logs frequently. The logs are an invaluable source of information about the kinds of
attacks that are being targeted at your network. This helps you develop action plans and focus on specific
events, for example, patching a critical vulnerability.


Good job! You now understand the IPS on FortiGate.

Now, you will learn about DoS.


After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in Denial of Service (DoS), you should be able to protect your network from
common DoS attacks.
