FortiGate
ebrlima, Staff
Article Id 417143
Description

This article describes how administrators can configure FortiGate to automatically add IP addresses that hosted infected files to an address group to be used in a Firewall Rule.

Scope

FortiOS.
Solution

Introduction:

Whenever a user on a network protected by FortiGate downloads a file through a policy with Antivirus inspection enabled, the file is inspected, and if a known virus is found, the connection is blocked (if the profile is configured to do so).

If another user visits the same website and tries to download the same file, the file has to go through Antivirus inspection again before the infected file is blocked.

This inspection consumes FortiGate resources, which are finite and whose usage should always be optimized.

If that second user's traffic passes through a different firewall policy without an Antivirus profile, the download of the infected file succeeds.

To avoid wasting resources on inspecting traffic that is already known to be malicious, the administrator can automate the addition of the destination address to a firewall address group, which can then be used as the destination or source of a firewall policy with the deny action.

This way, after the Antivirus detects a malicious file the first time, other users will no longer be able to reach the IP address from which the virus was downloaded. Here are the steps to achieve this goal:

Note:

The steps described below assume that FortiGate is configured with Antivirus profiles applied to firewall policies, with the 'Block' action defined:

(screenshot: av-action-block.png)

Create an automation action of CLI Script type:

This script takes the dstip field from an Antivirus log message and uses it to create an address object and add it to an address group:

(screenshot: auto-action-script.png)

config system automation-action
    edit "block-virus-source"
        set action-type cli-script
        set script "config firewall address
    edit Virus-Source%%log.dstip%%
        set color 6
        set subnet %%log.dstip%%/32
    next
end
config firewall addrgrp
    edit virus_source
        append member Virus-Source%%log.dstip%%
    next
end"
        set accprofile "super_admin"
    next
end

Create an automation stitch that uses the previously created action, triggered by the 'Virus Logs' event:

(screenshot: auto-action-script.png)

config system automation-stitch
    edit "block-virus-sources"
        set trigger "Virus Logs"
            config actions
                edit 1
                    set action "block-virus-source"
                    set required enable
                next
            end
        next
    end

Create a firewall policy that uses the address group populated by the 'block-virus-source' script as its destination, with the deny action:

(screenshot: firewall-policy.png)

config firewall policy
    edit 0
        set srcintf "LAN"
        set dstintf "WAN"
        set srcaddr "LAN_Address"
        set dstaddr "virus_source"
        set schedule "always"
        set service "ALL"
        set status enable
        set action deny
        set logtraffic all
    next
end
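As an added illustration that is not part of this article or of FortiOS, the Python below shows what the stitch does with the action's script body: it parses a constructed antivirus log line in FortiOS key=value format, substitutes the %%log.dstip%% macro, and rejects input the /32 template cannot handle. The sample log line, the parser and the IPv4 check are assumptions about the log format, not the FortiGate implementation.

```python
import ipaddress
import re

# Constructed sample of a FortiGate antivirus log (key=value format, abbreviated).
SAMPLE_LOG = ('date=2024-01-01 time=10:00:00 type="utm" subtype="virus" '
              'eventtype="infected" action="blocked" srcip=10.1.1.20 '
              'dstip=203.0.113.45 virus="EICAR_TEST_FILE" filename="eicar.com"')

# The CLI script body of the automation action above, with its %%log.<field>%% macros.
SCRIPT_TEMPLATE = """config firewall address
    edit Virus-Source%%log.dstip%%
        set color 6
        set subnet %%log.dstip%%/32
    next
end
config firewall addrgrp
    edit virus_source
        append member Virus-Source%%log.dstip%%
    next
end"""

_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')   # key=value or key="quoted value"
_MACRO = re.compile(r'%%log\.(\w+)%%')        # %%log.field%% macro

def parse_log(line):
    """Parse a FortiOS key=value log line into a dict (quoted values unquoted)."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in _KV.finditer(line)}

def render_script(template, log):
    """Substitute %%log.field%% macros with values from the parsed log.
    Refuses a log that lacks a referenced field, or whose dstip is not an
    IPv4 host, since the template hard-codes a /32 address object."""
    def sub(m):
        field = m.group(1)
        if field not in log:
            raise KeyError(f"log has no field '{field}'")
        return log[field]
    if 'dstip' in log:
        if ipaddress.ip_address(log['dstip']).version != 4:
            raise ValueError("dstip is not IPv4; a /32 address object would be wrong")
    return _MACRO.sub(sub, template)

if __name__ == "__main__":
    print(render_script(SCRIPT_TEMPLATE, parse_log(SAMPLE_LOG)))
```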

When a virus is detected in the traffic flow, the destination IP address is added to the address group:

(screenshot: log.png)

(screenshot: addr-grp.png)

The Automation Stitch was executed twice:

(screenshot: automation-stitch.png)