LAB 07 Antivirus

Fortigate Labs 7.4

Lab 7: Antivirus

Contents
Lab 7: Antivirus (p. 3)
  Objectives (p. 3)
Exercise 1: Configuring Flow-Based Antivirus Scanning (p. 4)
  Configure the Antivirus Profile Inspection Mode (p. 4)
  Enable the Antivirus Profile on a Firewall Policy (p. 6)
  Test the Flow-Based Antivirus Profile (p. 6)
  View the Antivirus Logs (p. 7)
  To view the security logs (p. 8)
Exercise 2: Using Antivirus Scanning in Proxy-Based Inspection Mode (p. 9)
  Change the Inspection Mode in an Antivirus Profile (p. 9)
  Change the Inspection Mode in a Firewall Policy (p. 10)
  Test the Antivirus Configuration (p. 11)
  Test an Alternate Download Method (p. 12)
  View the Antivirus Logs (p. 13)
  Enable SSL Inspection in a Firewall Policy (p. 14)
  Review the Antivirus History (p. 15)
  To verify the antivirus definitions status (p. 16)

Lab 7: Antivirus
In this lab, you will examine how to configure, use, and monitor antivirus scanning on Local-FortiGate in both
flow-based and proxy-based inspection modes.

Objectives
• Configure antivirus scanning in both flow-based and proxy-based inspection modes

• Understand FortiGate antivirus scanning behavior

• Scan multiple protocols

• Read and understand antivirus logs

Time to Complete

Estimated: 30 minutes

Exercise 1: Configuring Flow-Based Antivirus Scanning
In this exercise, you will configure a firewall policy with an antivirus profile in flow-based inspection mode.
Next, you will perform a test to download a file located on an FTP server. Finally, you will view the logs and
summary information related to the antivirus scanning.

Configure the Antivirus Profile Inspection Mode

You will verify that the antivirus profile has FTP enabled as an inspected protocol and that the flow-based
feature set is selected.

To verify the antivirus profile


1. Connect to the Local-FortiGate GUI, and then log in with the username admin and password password.

2. Click Security Profiles > AntiVirus.

3. Right-click the default antivirus profile, and then click Edit.

4. In the Inspected Protocols section, verify that FTP is enabled.

Stop and think!

Why is the Feature set field not available?

On low-end platforms, the Feature set field appears in the GUI only after you enable
the gui-proxy-inspection setting from the CLI (under config system settings).

5. Connect to the Local-FortiGate CLI, and then log in with the username admin and password password.

6. Enter the following commands:

config system settings
    set gui-proxy-inspection enable
end

7. Continuing on the Local-FortiGate GUI, in the upper-right corner, click admin, and then click Logout.

8. Log in with the username admin and password password.

9. Click Security Profiles > AntiVirus.

10. Right-click the default antivirus profile, and then click Edit.

11. In the Feature set field, verify that Flow-based is selected.

12. Click OK.

Enable the Antivirus Profile on a Firewall Policy
By default, flow-based inspection mode is enabled on the FortiGate firewall policy. You will configure the
antivirus profile in the firewall policy.

To configure the firewall policy with the antivirus profile


1. Continuing on the Local-FortiGate GUI, click Policy & Objects > Firewall Policy.

2. Double-click the Full_Access policy to edit it.

3. In the Inspection Mode field, verify that Flow-based is selected.

4. In the Security Profiles section, enable AntiVirus, and then select default.

5. Keep the default values for the remaining settings, and then click OK to save the changes.

Test the Flow-Based Antivirus Profile


You will test the flow-based antivirus profile using FTP.

To test the antivirus configuration


1. On the Local-Client VM, on the desktop, open the FileZilla FTP client software.

2. In the upper-left corner, click the Site Manager icon, and then select Linux.

3. In the Remote site section, right-click the eicar.com file, and then select Download.

The client should display an error message that the server terminated the connection. FortiGate sends the
replacement message as a server response.

In flow-based inspection mode, FortiGate does not buffer traffic flowing through
the policy. If FortiGate detects a violation in the traffic, it sends a reset packet to
the receiver, which terminates the connection, and prevents the payload from
being sent successfully.

4. Close the FileZilla FTP client.


View the Antivirus Logs
The purpose of logs is to help you monitor your network traffic, locate problems, establish baselines, and make
adjustments to network security, if necessary. You will view the antivirus logs.

To view the forward logs


1. Continuing on the Local-FortiGate GUI, click Log & Report > Forward Traffic.

2. Locate the antivirus log message from when you tried to access the file using FTP, and then double-click
the log entry to view the details.

The Details tab shows forward traffic log information, along with the action taken.

3. Click Security.

The Security tab shows virus information.

To view the security logs
1. Continuing on the Local-FortiGate GUI, click Log & Report > Security Events > AntiVirus.

To view the logs, you may need to clear the filters in the search bar and increase
the time frame to 1 hour.

2. Locate the antivirus log message from when you tried to access the file using FTP, and then double-click
the log entry to view the security details.

Exercise 2: Using Antivirus Scanning in Proxy-Based Inspection Mode
In this exercise, you will examine how to use antivirus in proxy-based inspection mode to understand how
FortiGate performs antivirus scanning. You will observe the behavior of antivirus scanning, with and without
deep inspection, to understand the importance of performing full-content inspection.

Change the Inspection Mode in an Antivirus Profile


You will change the inspection mode in the default antivirus profile, which is applied to the firewall policy, to
inspect traffic.

To change the inspection mode in an antivirus profile


1. Connect to the Local-FortiGate GUI, and then log in with the username admin and password password.

2. Click Security Profiles > AntiVirus.

3. Right-click the default antivirus profile, and then click Edit.

4. In the Feature set field, select Proxy-based.

5. Click OK.

Change the Inspection Mode in a Firewall Policy
Inspection mode is configured on a per-policy basis on FortiGate. You will change the inspection mode from
flow-based to proxy-based.

Take the Expert Challenge!

On the Local-FortiGate GUI, complete the following:

• Edit the Full_Access firewall policy, and change the Inspection Mode to Proxy-based.

• Enable the default antivirus profile.

• Use the certificate-inspection profile for SSL inspection.

If you require assistance, or to verify your work, use the step-by-step instructions
that follow.

After you complete the challenge, see Test the Antivirus Configuration on page 1.

To change the inspection mode in a firewall policy

1. Continuing on the Local-FortiGate GUI, click Policy & Objects > Firewall Policy.

2. Double-click the Full_Access policy to edit it.

3. In the Inspection Mode field, select Proxy-based.

4. In the Protocol Options field, verify that the default profile is selected.

5. In the Security Profiles section, in the AntiVirus field, verify that the default profile is selected.

6. In the SSL Inspection field, keep the default certificate-inspection profile.

The Protocol Options profile provides the required settings to hold traffic in
proxy while the inspection process is carried out. The default profile is
preconfigured to follow the standardized parameters for the common protocols
used in networking.

SSL Inspection selects the certificate-inspection profile by default. You can
select any preconfigured SSL inspection profile in the associated field.

7. Keep the default values for the remaining settings, and then click OK to save the changes.

Test the Antivirus Configuration
You will download the EICAR test file to your Local-Client VM. The EICAR test file is an industry-standard,
harmless file that antivirus engines are designed to detect as if it were a virus, so you can test detection
without causing damage. The file contains the following characters:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

To test the antivirus configuration


1. On the Local-Client VM, open a browser, and then access the following website:

http://10.200.1.254/test_av.html

2. In the Download area section, download any EICAR sample file.

FortiGate should block the download attempt, and insert a replacement message similar to the following
example:

Stop and think!

Why can FortiGate display a replacement message?

In proxy-based inspection mode, the file is buffered. If a virus is detected,
FortiGate can then replace the file with a message that provides security
information.

Test an Alternate Download Method
You will test the proxy-based antivirus configuration using the Save Link As method to download the EICAR text
file.

To test the antivirus configuration


1. On the Local-Client VM, open a new browser tab, and then go to the following website:

http://10.200.1.254/test_av.html

2. In the Download area section, right-click eicar.com.txt, and then select Save Link As.

3. Change the download location to Desktop, and then click Save.

You should see the file you downloaded on the desktop. Why was the download allowed?

4. On your desktop, right-click the eicar.com.txt downloaded file, click Open With Other Application,
click Notepad++, click Select to open the file you downloaded, and then scroll to read the bottom of
the text file.

Is the content of the file what it is supposed to be?

Stop and think!

Remember, you are using proxy-based inspection mode. When a firewall policy
inspection mode is set to proxy, traffic flowing through the policy is buffered by
FortiGate for inspection. This means that FortiGate holds the packets for a file,
email, or web page until the entire payload is inspected for violations (virus,
spam, or malicious web links). After FortiOS has finished the inspection,
FortiGate either releases the payload to the destination (if traffic is clean) or
drops and replaces it with a message (if the traffic contains violations). FortiGate
injects the block message into the partially downloaded file. The client can use
Notepad to open and view the file.

5. Close Notepad++.

6. Delete the downloaded eicar.com.txt file from the desktop.

View the Antivirus Logs
You will check and confirm the logs for the tests you just performed.

To view the antivirus logs


1. Continuing on the Local-FortiGate GUI, click Log & Report > Forward Traffic.

You may need to remove any log filter in the search bar and increase the time frame.

2. Locate the antivirus log message, and then double-click it.

The Details tab shows forward traffic log information, along with the action taken.

3. Select the Security tab to view security logs.

Security logs provide information that is more specific to security events, such as filename, virus or botnet, and
reference.

4. Click Log & Report > Security Events > AntiVirus to view antivirus security logs.

The logs should be similar to the following example:

You can click Details to view more virus information related to an antivirus log
entry.

Enable SSL Inspection in a Firewall Policy
So far, you have tested unencrypted traffic for antivirus scanning. In order for FortiGate to inspect the encrypted
traffic, you must enable deep inspection in the firewall policy. After you enable this feature, FortiGate can
inspect SSL traffic using a technique similar to a man-in-the-middle (MITM) attack.

Take the Expert Challenge!

• On Local-Client, test the configuration by downloading the eicar.com file
using HTTPS, without enabling the deep-inspection profile in the Full
Access firewall policy.

• Configure Local-FortiGate to scan secure protocols by enabling SSL
Inspection, using the deep-inspection profile in the Full Access firewall policy.

• Test the configuration by downloading the eicar.com file using HTTPS.

If you require assistance, or to verify your work, use the step-by-step instructions
that follow.

After you complete the challenge, see Review the Antivirus History on page 1.

To test antivirus scanning without SSL inspection enabled in the firewall policy
1. On the Local-Client VM, open a browser, and then go to the following website:

https://10.200.1.254/test_av.html

2. Click Advanced.

3. Click Accept the Risk and Continue.

4. In the Download area section, download the eicar.com sample file.

FortiGate should not block the file, because you did not enable full SSL inspection: with the
certificate-inspection profile, FortiGate examines only the TLS handshake, so the encrypted payload is never scanned.

5. On the Local-Client VM, close the browser.

To enable and test the SSL inspection profile in a firewall policy


1. Return to the Local-FortiGate GUI, and then click Policy & Objects > Firewall Policy.

2. Double-click the Full Access firewall policy to edit it.

3. In the Security Profiles section, in the SSL Inspection field, select deep-inspection.

4. Keep the remaining default settings, and then click OK to save the changes.

5. Click OK to confirm.

6. On the Local-Client VM, open a browser, and then go to the same website:

https://10.200.1.254/test_av.html

7. In the Download area section, try to download the same eicar.com file again.

If the FortiGate self-signed full-inspection certificate is not installed in the
browser, end users will see a certificate warning message. In this environment,
the FortiGate self-signed SSL inspection certificate is installed in the browser. If
the block page does not appear after 2 minutes, close all browser tabs, and then
restart the browser.

You may also need to clear your cache. In Firefox, click Settings > Privacy &
Security. Scroll to History, click Clear History, and then ensure the time range
to clear is set to Everything. Click OK.

FortiGate should block the download and replace it with a message.
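An added way to check, from the Local-Client VM, all three outcomes the lab has you observe by hand: the flow-based connection reset in Exercise 1, the proxy-based replacement or injected block message in Exercise 2, and the intact EICAR delivery over HTTPS before deep inspection is enabled. This is example code written for this page, not part of the lab or of FortiOS; it assumes the FortiGate replacement message is an HTML page, that the file URL is taken from the test page's Download area, and that the FortiGate deep-inspection CA is trusted by Python's default SSL context.

```python
"""Classify what Local-Client received when it requested the EICAR sample
through Local-FortiGate. Added example for this lab, not Fortinet code."""
import sys
import urllib.error
import urllib.request

# EICAR test string exactly as printed in the lab (harmless by design).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Assumption: FortiGate's replacement message is an HTML page, so HTML markup
# in the body is taken to be the block message.
HTML_MARKERS = (b"<html", b"<!doctype", b"<body")


def classify(body):
    """Map a received body (None = connection reset) to an outcome name."""
    if body is None:
        return "reset"                  # flow-based: RST, payload never delivered
    has_html = any(m in body.lower() for m in HTML_MARKERS)
    if EICAR in body:
        # Signature arrived intact: the payload was not scanned (for example,
        # HTTPS with certificate-inspection only).
        return "delivered"
    if has_html and EICAR[:16] in body:
        # Proxy mode, Save Link As: block message injected into the partial file.
        return "truncated_with_message"
    if has_html:
        return "replaced"               # proxy mode: whole file replaced by page
    return "truncated"                  # partial payload, no message


def fetch_and_classify(url, timeout=10):
    """Download url through the FortiGate and classify what came back.
    Assumes the FortiGate deep-inspection CA is trusted by Python's default
    SSL context when url uses https."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify(resp.read())
    except ConnectionResetError:
        return classify(None)
    except urllib.error.HTTPError as exc:
        # A replacement page may be served with a non-2xx status.
        return classify(exc.read())
    except urllib.error.URLError as exc:
        if isinstance(exc.reason, ConnectionResetError):
            return classify(None)
        return "error: %s" % exc.reason


if __name__ == "__main__":
    # Usage: python3 av_check.py <URL of an EICAR file from the lab's Download area>
    print(fetch_and_classify(sys.argv[1]))
```

Run it once with the http:// link and once with the https:// link before and after switching the policy to deep-inspection; the printed outcome should move from "delivered" to "replaced".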

Review the Antivirus History


You will check the security history and the virus definition status.

To view the security history


1. Continuing on the Local-FortiGate GUI, click Dashboard > Security > Top Threats by Threat Level.

The graph should be similar to the following example:

You can click Drill down to view more details about a specific threat.

To verify the antivirus definitions status
1. Connect over SSH to Local-FortiGate.

2. Log in with the username admin and password password.

3. Enter the following commands:

diagnose debug application update -1
diagnose debug enable
execute update-av

After a few seconds, the output should include information similar to the following example:

The output confirms that the device has the latest antivirus packages for correct
protection.

4. Enter the following commands:

diagnose debug disable
diagnose debug application update 0

5. Log out of the SSH session and Local-FortiGate GUI.
