This article describes how to receive CDR logs on FortiAnalyzer and how to troubleshoot the CDR configuration on FortiGate.

Definition:

Content Disarm and Reconstruction (CDR) is a security technique used to mitigate the risk of file-based attacks by sanitizing and reconstructing potentially malicious content. CDR works by removing or neutralizing potentially harmful elements from files while preserving the overall functionality and usability of the content.

The main objective of CDR is to neutralize or eliminate any embedded threats within files, such as malware, exploits, or malicious code, by removing or disabling them. This process involves analyzing the file's structure, inspecting its components, and applying various techniques to sanitize the content.

Once the potentially malicious components are disarmed, the file is reconstructed to ensure its functionality is preserved. This reconstruction process aims to maintain the file's intended purpose and behavior while eliminating any hidden threats or vulnerabilities.

This article will use an example environment.

Network diagram of the setup environment:

• User A sends an email that contains malicious files to user B in the network. An SMTP server has been configured in this scenario to send emails.
• The FortiGate CDR engine will fully inspect and analyze file content at a granular level, then disarm and reconstruct it before sending it to user B.
• A log is generated by FortiGate and sent to the FortiAnalyzer.

In this example, FortiAnalyzer is used to receive the disarmed file content. Content that can be scanned includes PDF and Microsoft Office files leaving the network on CDR-supported protocols.

This article does not cover the case of a FortiSandbox appliance as the original file destination, where the original file could be archived and can be retrieved if necessary. The FortiGate embedded CDR engine is used.

Solution: 

Step 1: Configure CDR in FortiGate.

In the aim of receiving CDR logs on FortiAnalyzer, it is first necessary to configure CDR in FortiGate.

The CDR engine will use the AV security profile(s) and the protocol option mentioned in the proxy-based policy to fully inspect and analyze file content at a granular level.

Step 2: Connect FortiGate to send logs to FortiAnalyzer.

1. 1Navigate to Log & Report -> Log Settings.
2. Enable syslog or FortiAnalyzer log settings by configuring the following parameters: Set the 'Status' to 'Enable' to enable log sending.
3. Specify the IP address or hostname of the FortiAnalyzer (FAZ) server in the 'Remote Server' or 'Server Settings' field.
4. Configure the desired log options such as log format, log level, and log types according to requirements.

Step 3: How to see the CDR logs and download the reconstructed and disarmed files on FortiAnalyzer.

To view and download Content Disarm and Reconstruction (CDR) logs on a FortiAnalyzer (FAZ), follow these steps:

1. Select Log View -> Traffic > Security Profiles > Antivirus.
2. CDR logs contain generally the file where the content has been disarmed and reconstructed.
3. Select a specific log entry to view more details about the CDR event. The log details will typically include information such as the source and destination IP addresses, file name, action taken (for example: sanitized, blocked), and any additional information provided by the CDR engine.

4. Select the specific CDR log entry that contains the file to download.
5. Look for an option or icon that represents file download or attachment.

6. Select the download option or icon to initiate the file download process and follow the prompts to save the disarmed and reconstructed file to the local system.

Step 4: Troubleshooting on FortiGate.

1. If the CDR feature is not visible in the GUI:

• Confirm that the Inspection Mode is set to 'proxy' under System -> Settings (in FortiGates versions before v7.0).
• Additionally, check that the Antivirus profile inspection mode is set to 'proxy' using the CLI console:

config antivirus profile

    edit default

        set inspection-mode proxy

    next

end

2. Error messages and/or conflicts.

If an error message is received when attempting to enable Content Disarm and Reconstruction on the AntiVirus profile, check the Proxy Options settings in the CLI Console and disable splice and clientcomfort on CDR-supported protocols:

config firewall profile-protocol-options

    edit default

        config smtp

        unset options splice

    next

        config HTTP

        unset options clientcomfort

    next

        end

end

Confirm the Antivirus profile’s protocol settings under config antivirus profile:

Ensure that 'set options scan' is enabled on CDR-supported protocols.

If 'set options av-monitor' is configured on a CDR-supported protocol, it overrides the config content-disarm detect-only setting (and CDR will not occur).

If the CDR configuration is correctly applied to the relevant traffic but the disarmed file is not being stored locally on the FortiAnalyzer, the following CLI command can be executed on the FortiAnalyzer:

execute log device permissions <device_id> <permission> {enable | disable}

The following options are available:

• all: All permissions (can be used for CDR).
• logs: Log permission.
• content: Content permission.
• quar: Quarantine permission.
• IPS: IPS permission (can be used for CDR).

Related article:

Troubleshooting Tip: FortiGate to FortiAnalyzer connectivity