Fortigate How-To: Anti Virus

It is essential that the firewall is deployed the way it is supposed to be. Surprisingly, there are often cases where the firewall is deployed with just a couple of simple policies and is not used for its real purpose. I once had a conversation with a solution architect at a big security company, and he mentioned that the biggest problem with firewall deployments today is misconfiguration (which then leads the admin to criticise the vendor) rather than the vendor's firewall functionality.

This time, I will add the antivirus function to the policy.


Before AntiVirus is deployed

The most popular way to test the antivirus function of your network is EICAR. You can download the pseudo (not harmful) test file from here.

You can download 8 files there, and ideally all of them should trigger some kind of antivirus system. At least both “eicar.com” files, the one over http and the one over https, should be blocked by your firewall. Should either of them download successfully, most likely the firewall is not configured correctly. In my case (no antivirus configured on the firewall), all of the files were blocked by Windows Defender. In other words, all of the files were downloaded (at least) onto the client PC, and malware can do anything if the clients' antivirus is not updated, or is not good enough to block that particular malware.


Add AntiVirus on policy

Security Profiles > AntiVirus

I use the built-in “default” profile this time.


Policy & Objects > IPv4 Policy

Add the AntiVirus profile to the policy.

That’s all. Once configured, when you download the eicar file, the firewall should show a web page like the following:

It is tedious to test all the files; instead there is a Fortinet URL to test it automatically. Once you click “Run All Tests”, it tries all 18 cases, each of which uses a different compression algorithm.
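Both checks above (the eight EICAR downloads, and the compressed variants the Fortinet test page exercises) come down to one question: did the test file actually reach the client? The script below is an added example, not code from the original post or from Fortinet. It classifies each download as DELIVERED (the EICAR string is present, plain or inside a zip or a zip-in-a-zip, so the firewall's antivirus did not catch it), BLOCKED (an HTML replacement page or an error status came back instead) or UNKNOWN. The URL list is an assumption about the EICAR download site; the core classification works on bytes, so it can also be run on files already saved on the client.

```python
"""Check whether EICAR test downloads got past the firewall's antivirus.

Added example for the FortiGate how-to above; not part of the original post.
The EICAR string is a public, harmless antivirus test pattern.
"""
import io
import zipfile
from urllib.error import HTTPError, URLError
from urllib.request import urlopen

# Split into two literals only so this source file itself does not contain
# the contiguous test string and trip a desktop scanner while editing.
EICAR = (
    r"X5O!P%@AP[4\PZX54(P^)7CC)7}$"
    r"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
).encode()

# Assumed test set (hostname and file names are an assumption about the EICAR
# site): plain file, .txt variant, zipped, doubly zipped; over http and https.
EICAR_URLS = [
    f"{scheme}://secure.eicar.org/{name}"
    for scheme in ("http", "https")
    for name in ("eicar.com", "eicar.com.txt", "eicar_com.zip", "eicarcom2.zip")
]


def build_zip(member_name: str, member_data: bytes) -> bytes:
    """Construct a one-member zip archive in memory (used for offline tests)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, member_data)
    return buf.getvalue()


def contains_eicar(data: bytes, depth: int = 3) -> bool:
    """True if the EICAR string is in data, including inside nested zips.

    depth bounds the recursion so a deliberately deep archive cannot make the
    checker run forever; the firewall has the same problem, which is why the
    Fortinet test page exercises many compression variants.
    """
    if EICAR in data:
        return True
    if depth > 0 and data[:2] == b"PK":          # zip local-file-header magic
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(contains_eicar(zf.read(n), depth - 1) for n in zf.namelist())
        except zipfile.BadZipFile:
            return False
    return False


def classify(status: int, body: bytes) -> str:
    """DELIVERED: test file reached the client, the AV profile is not effective.
    BLOCKED: the download was replaced or refused, which is what we want.
    UNKNOWN: neither; inspect by hand."""
    if contains_eicar(body):
        return "DELIVERED"
    if status >= 400 or b"<html" in body.lower():
        return "BLOCKED"            # FortiGate serves an HTML replacement page
    return "UNKNOWN"


def check_url(url: str, timeout: float = 10.0) -> str:
    """Fetch one test URL from the client side and classify the result."""
    try:
        with urlopen(url, timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except HTTPError as exc:
        return classify(exc.code, exc.read())
    except URLError:
        return "BLOCKED"            # connection refused/reset counts as blocked


if __name__ == "__main__":
    for url in EICAR_URLS:
        print(f"{check_url(url):9s} {url}")
```

Run it from a client behind the firewall before and after adding the AntiVirus profile; every line should change from DELIVERED to BLOCKED. A practical caveat: the firewall can only see inside HTTPS downloads when the policy uses SSL deep inspection, so with certificate inspection only the https lines will stay DELIVERED even though the http ones are blocked.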