mbrowndcm
New Member
March 1, 2011
Question

Applying UTM policies correctly

  • March 1, 2011
  • 9 replies
  • 11925 views
Hello,
After reviewing the UTM Guide document, I am still lacking the simple understanding of how to apply the Firewall policy to provide UTM scanning. Intuitively, I would assume the following example would work:
1) Create a policy and assign it Sequence number 1.
2) Assign source interface to any
3) Assign source address to all
4) Destination will be our internal1 interface (which is our user LAN)
5) Destination address is an address range that is the subnet of our user LAN
6) Action is ACCEPT
7) UTM is enabled for AntiVirus and IPS
This policy doesn't appear to get any hits. Should the source and destination interface(s) be configured differently?
Thanks,
Matt Brown

    9 replies

    ede_pfau
    SuperUser
    March 1, 2011
    Hi,
    the big picture is like this:
    - traffic originates at interfaces.
    - interfaces can be physical ports, VLAN ports or VPN tunnel ends.
    - whether traffic can flow into other interfaces is determined by a rule / rule set called policy.
    So, policies connect interfaces.
    Best practices:
    - be as specific as you can when you spell out a policy: which interface is the source? (NOT 'any'!) which interface is the target? which addresses are meant on each interface? (ALL at a pinch) which services are meant? which kind of UTM filtering do I want (if any)?
    The 'any' construct is FortiOS specific and IMHO dreadful. I have yet to see an example where you couldn't solve a problem without using it. The downside of using 'any' is that traffic might be affected that you might not have thought of when writing the policy. You should try to avoid it if possible.
    That being said, your points 1) to 7) make up a valid policy, except for 1) "assign a sequence ID". You don't need one - there is an implicit hierarchy of policies given by their position in the list of policies, i.e. top-down.
    Be aware that allowing traffic does not suffice to make it flow. Routing is equally important as it logically connects separate networks.
    HTH.
    mbrowndcm (Author)
    New Member
    March 1, 2011
    Thanks for your response. I am not concerned with your opinion on writing "correct" policies. I am concerned with how to properly implement UTM in a policy. I have created a separate policy for UTM filtering that passes traffic through (ACCEPT). Since it is at the top of the list (aka sequence position 1), it will pass it down to the next policy in sequence (the second one in the list), etc.
    Allow me to rephrase my question: Here is the info
    1) Create a policy and assign it Sequence number 1.
    2) Assign source interface to any (inspecting traffic ingress on any interface == protecting all the interfaces from each other)
    3) Assign source address to all (inspecting traffic ingress from any ip address == protecting all subnets from each other)
    4) Destination will be our internal1 interface (qualifying the destination interface)
    5) Destination address is an address range that is the subnet of our user LAN (qualifying the destination subnet)
    6) Action is ACCEPT
    7) UTM is enabled for AntiVirus and IPS
    I am not getting any hits on this UTM policy. What am I doing wrong? It may be that since the firewall is stateful, that traffic never hits the UTM policy as it is already allowed via the statefulness of a connection with the source of internal1 [as there's a policy internal1>any = ACCEPT]. Should this be the firewall policy where I apply the UTM policy?
    Thanks,
    Matt
    [edit] On page 63 of the UTM Guide the following is stated: "When an antivirus profile is selected in a firewall policy, its settings are applied to all the traffic the firewall policy handles." I'm guessing that I am correct in my assumption that I must apply the UTM policies to the policy that initiates the connection, even if the traffic being inspected is coming ingress on another interface than this policy. I will test. Additionally, protocol options must be applied. Alright, I lied before... I didn't read the UTM guide through.
    ede_pfau
    SuperUser
    March 1, 2011
    OK I guess I see your situation now. Wasn't too accustomed to the 'any' interface. As soon as you use the 'any' interface anywhere your policy table switches into global view. From there it can be difficult to trace the sequence of policies a packet goes through. Get rid of the 'any' interface and choose 'segmented view' for the policies. There you have policies grouped according to interface pairs. Within a policy group traffic traverses top to down. BUT it will only pass down to the next policy if traffic doesn't match. In reality you don't have that many interfaces with incoming traffic - usually it's only WAN1. For the sake of testing the concept put the real interface name into the policy and test. To help you in debugging you can switch on the 'hits' column in the policy table (Column Settings). It shows # of hits and amount of data passed by each policy. BTW please mention your FortiOS version.
    mbrowndcm (Author)
    New Member
    March 1, 2011
    Thanks Ede. I have no problem using global view to administer my policies, as I've added several columns that make it quite easy to pinpoint all the concerning information: "Seq. No.," "ID," "From [interface]," "To [interface]," "Source [ip addr]," "Destination [ip addr]," "Action," "Status," "NAT."
    I am using: 4.00 MR2 build 5400.
    I've gained a greater understanding, but I do have to test my assumption. That UTM policies trigger packet inspection, qualified by a firewall policy... for which, since the firewall is treated as stateful (when a TCP session traverses a firewall policy, then incoming traffic is allowed back without hitting any policy), that the UTM policy must be applied to the policy that allows this conversation to start. To test this theory, an example of a policy would be:
    src: internal1
    src ip addr: any
    dst: wan1
    dst ip addr: any
    UTM policy: anti-virus
    A host behind internal1 could then test the anti-virus policy by utilizing: http://www.fortiguard.com/antivirus/eicartest.html
    Alternately, to test the other theory (that the firewall will inspect all traffic whether or not it has been statefully established as "safe" aka requested traffic), a policy would be:
    src: wan1
    src ip addr: any
    dst: internal1
    dst ip addr: any
    UTM policy: anti-virus
    A host behind internal1 could then test the anti-virus policy by utilizing: http://www.fortiguard.com/antivirus/eicartest.html
    For reference, note that each of these UTM policies must also have qualified traffic using protocol options in the firewall policy for at least HTTP, and the anti-virus protocol scanning options must also be set for at least HTTP. Note the same is true for IPS with the relevant info: "EICAR.AV.Test.File.Download" is the signature. Logging is accessed Log&Report > Log Access > Attack
    [edit] The first test (src: internal1) failed. The second test (src: wan1) failed.
    ede_pfau
    SuperUser
    March 2, 2011
    Policies decide whether the source can establish a session to the destination. Once the session is entered into the session table both traffic flowing forward and reverse which belongs to this session is inspected by the UTM feature. So, in your first scenario internal->wan the EICAR test file should have triggered the AV. There must be something else responsible for this, your AV just isn't working at the moment. The policy for wan->internal will only work if someone on the internet would originate traffic towards your internal private network. That will never happen as traffic from private networks is not forwarded by ISPs.
    mbrowndcm (Author)
    New Member
    March 2, 2011
    Thanks again Ede. Okay, so I am correct in my second assumption... that UTM is activated on traffic originating through a policy (as in the first policy mention, src: internal1). How do I debug the anti-virus and IPS (since I am using both on the current internal1>wan1 policy)? My config is as follows:
        set srcintf "internal1"
        set dstintf "wan1"
        set srcaddr "any"
        set dstaddr "all"
        set rtp-nat disable
        set action accept
        set status enable
        set utm-status enable
        set ippool disable
        set central-nat disable
        set session-ttl 0
        set wccp disable
        set disclaimer disable
        set natip 0.0.0.0 0.0.0.0
        set match-vip disable
        set diffserv-forward disable
        set diffserv-reverse disable
        set tcp-mss-sender 0
        set tcp-mss-receiver 0
        set comments ''
        set endpoint-check disable
        set label ''
        set identity-based disable
        set schedule "always"
        set service "ANY"
        set profile-type single
        set av-profile "Antivirus all protocols"
        set webfilter-profile ''
        set spamfilter-profile ''
        set ips-sensor "all_default"
        set dlp-sensor ''
        set application-list ''
        set voip-profile ''
        set profile-protocol-options "protocol_restrict"
        set logtraffic disable
        set traffic-shaper ''
        set per-ip-shaper ''
        set nat enable
        set fixedport disable

    config antivirus profile
        edit "Antivirus all protocols"
            config http
                set options scan quarantine
            end
            config https
                set options scan
            end
            config ftp
                set options scan
            end
            config imap
                set options scan
            end
            config imaps
                set options scan
            end
            config pop3
                set options scan
            end
            config pop3s
                set options scan
            end
            config smtp
                set options scan
            end
            config smtps
                set options scan
            end
            config nntp
                set options scan
            end
            config im
                set options scan
            end
            set av-virus-log enable
        next
    end

    config ips sensor
        edit "all_default"
            set comment "all predefined signatures with default setting"
            config filter
                edit "1"
                next
            end
        next
    end

        edit "protocol_restrict"
            config http
                set inspect-all enable
                set options clientcomfort no-content-summary
                set comfort-interval 2
                set comfort-amount 2
                unset post-lang
            end
            config https
                set port 443
                set options no-content-summary
                unset post-lang
            end
            config ftp
                set inspect-all enable
                set options clientcomfort no-content-summary
                set comfort-interval 2
                set comfort-amount 2
                unset post-lang
            end
            config imap
                set port 143
                set options fragmail no-content-summary
            end
            config imaps
                set port 993
                set options fragmail no-content-summary
            end
            config pop3
                set port 110
                set options fragmail no-content-summary
            end
            config pop3s
                set port 995
                set options fragmail no-content-summary
            end
            config smtp
                set port 25
                set options fragmail no-content-summary
            end
            config smtps
                set port 465
                set options fragmail no-content-summary
            end
            config nntp
                set port 119
                set options no-content-summary
            end
        next
    What looks wrong?
    ede_pfau
    SuperUser
    March 2, 2011
    Nothing really looks wrong with your config. The only thing I have in addition, in the "config antivirus profile", "edit <name>" is this: "set av-block-log enable" but that isn't why. Are you sure traffic hits the policy at all (check by means of the counter)?
    mbrowndcm (Author)
    New Member
    March 2, 2011
    Yes. I see the count is very high. In fact, this is our User LAN access to the internet (specifically). I have opened a case with support, but any more input is appreciated.
    RH2
    New Member
    November 14, 2011
    You have to turn on logging allowed traffic too.
        set profile-protocol-options "protocol_restrict"
        set logtraffic disable
        set traffic-shaper ''
        set per-ip-shaper ''
        set nat enable
        set fixedport disable
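A small config audit, added here as an example and not code from the thread or from Fortinet: it parses the nested config/edit/set/next/end CLI format mbrowndcm pasted and flags a policy whose UTM settings cannot take effect (no profile referenced, no protocol options, or, as the last reply points out, logtraffic left disabled). The sample config is constructed.

```python
import shlex
# Constructed sample in the thread's CLI shape (trimmed); logtraffic is left disabled.
SAMPLE_CONFIG = """
config firewall policy
    edit 1
        set srcintf "internal1"
        set dstintf "wan1"
        set action accept
        set utm-status enable
        set av-profile "Antivirus all protocols"
        set profile-protocol-options "protocol_restrict"
        set logtraffic disable
    next
end
"""

def parse(text):
    # Nested dicts: {table: {entry: {setting: [values]}}}
    root = cur = {}
    stack = []
    for line in text.splitlines():
        tok = shlex.split(line)            # handles the CLI's quoted names
        if not tok: continue
        if tok[0] in ("config", "edit"):   # open a table, or one entry in it
            stack.append(cur)
            cur = cur.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "set":
            cur[tok[1]] = tok[2:]
        elif tok[0] == "unset":
            cur.pop(tok[1], None)
        elif tok[0] in ("next", "end"):    # close the entry / table
            cur = stack.pop() if stack else root
    return root

def _names(policy, key):
    return [v for v in policy.get(key, []) if v]   # '' = empty profile reference

def audit_policy(policy):
    if policy.get("action") != ["accept"]:
        return []                                   # UTM only applies to accepted traffic
    if policy.get("utm-status") != ["enable"]:
        return ["utm-status disabled: av-profile/ips-sensor are not applied"]
    findings = []
    if not (_names(policy, "av-profile") or _names(policy, "ips-sensor")):
        findings.append("utm-status enabled but no av-profile or ips-sensor referenced")
    if not _names(policy, "profile-protocol-options"):
        findings.append("no profile-protocol-options referenced")
    if policy.get("logtraffic") != ["enable"]:
        findings.append("logtraffic disabled: allowed traffic is not logged")
    return findings
```

Feed it the output of `show firewall policy` and run `audit_policy` over each entry of `parse(text)["firewall policy"]`.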