Technical Tip: Configuration and operation of the AV scanning splice option
Description
In FortiOS v4.0 MR3 the Antivirus splice option is available for the following protocols: FTP, FTPS, SMTP, SMTPS, and NNTP.
This article explains how to configure the splice options and describes how the functionality operates with the various protocols.
Scope
FortiOS v4.0 MR3 Splice option.
Solution
To configure the splice options:
1. Connect to the CLI of the FortiGate and create a 'firewall profile-protocol-options' profile as shown below:

    FGT50B3G11601684 (root) # config firewall profile-protocol-options
    FGT50B3G11601684 (profile-protoc~l) # edit
    *name    profile name
    default
    FGT50B3G11601684 (profile-protoc~l) # edit test
    new entry 'test' added
    FGT50B3G11601684 (test) #

2. Select the protocol to be used with the Antivirus splice option:

    FGT50B3G11601684 (test) # config ftp
    FGT50B3G11601684 (ftp) #

3. As an example, to enable the splice option for ftp:

    FGT50B3G11601684 (ftp) # set options
    clientcomfort         prevent client timeout
    no-content-summary    disable monitoring of content information from dashboard
    oversize              block oversized file/email
    splice                enable splice mode
    FGT50B3G11601684 (ftp) # set options splice
    FGT50B3G11601684 (ftp) # end

The option is now enabled. The same principle applies for configuring the other protocols: FTPS, SMTP, SMTPS and NNTP.
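To check which profiles have splice set after making the change above, the following added example (not Fortinet code) reads the 'firewall profile-protocol-options' section of a configuration backup and reports splice per protocol. The function name and the sample text are constructed for illustration; it assumes the usual nested config/edit/next/end backup layout and reports None when a protocol block has no explicit 'set options' line, since values left at their defaults are not written to a backup.

```python
SPLICE_PROTOCOLS = ("ftp", "ftps", "smtp", "smtps", "nntp")
# Constructed sample laid out like a FortiOS configuration backup.
SAMPLE_CONFIG = """\
config firewall profile-protocol-options
    edit "default"
        config ftp
            set options clientcomfort
        end
        config smtp
            set options splice
        end
    next
    edit "test"
        config ftp
            set options clientcomfort splice
        end
        config ftps
        end
    next
end
"""

def splice_report(config_text):
    """Map profile -> protocol -> True/False, or None when no explicit options line."""
    report, in_section, in_sub = {}, False, False
    profile = protocol = None
    for line in (raw.strip() for raw in config_text.splitlines()):
        if line == "config firewall profile-protocol-options":
            in_section = True
        elif not in_section:
            continue
        elif line.startswith("edit ") and not in_sub:
            profile = line[5:].strip().strip('"')
            report[profile] = {}
        elif line.startswith("config ") and profile is not None:
            in_sub, name = True, line.split()[1]
            protocol = name if name in SPLICE_PROTOCOLS else None
            if protocol:
                report[profile][protocol] = None
        elif line.startswith("set options ") and protocol:
            report[profile][protocol] = "splice" in line.split()[2:]
        elif line == "next" and not in_sub:
            profile = None
        elif line == "end":
            if in_sub:
                in_sub, protocol = False, None
            else:
                in_section, profile = False, None
    return report
```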
Operation of AV Scanning when splice is enabled.
For FTP, FTPS, and NNTP:
Antivirus simultaneously scans a file and sends it to the recipient. If the FortiGate unit detects a virus it will prematurely terminate the connection.
For SMTP and SMTPS:
Antivirus simultaneously scans a message and sends it to the recipient. If the FortiGate unit detects a virus, it prematurely terminates the connection and returns an error message to the sender listing the virus and the infected filename. Splice is selected when scan is selected.
With streaming mode enabled, select either Spam Action (Tagged or Discard) for SMTP spam. When streaming mode is disabled for SMTP, infected attachments are removed and the email is forwarded without the attachment to the SMTP server for delivery to the recipient. Throughput is higher when streaming mode is enabled.
