FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
pjang
Staff
Staff

Description

 

The intent of this article is to assist administrators with locating Outbreak Prevention-specific AntiVirus logs based on what is reported in the Advanced Threat Prevention (ATP) Statistics widget.

 

As a reference, the Advanced Threat Prevention (ATP) Statistics widget on the FortiGate Dashboard shows a summary of results for AntiVirus scans, including:

 

- The number of scanned files

- How many were malicious/suspicious/clean

- How many files were detected using external services, such as the FortiGuard Outbreak Prevention service, External Malware Block Lists, and EMS Threat Feeds.

 

pjang_0-1650484922824.png

 

 

As of FortiOS 7.2.0 and earlier, the ATP Statistics widget does not directly link to corresponding AntiVirus logs, so an administrator must search the event logs manually for the related Outbreak Prevention logs.

 

Scope

 

FortiOS 7.2 and earlier.

 

Solution

 

First, AntiVirus-specific logs can be found in the following locations in the FortiOS Web UI :

 

- FortiOS 7.2: Log & Report -> Security Events -> AntiVirus.

- FortiOS 7.0 and earlier: Log & Report -> AntiVirus.

 

The following are a list of useful Log Fields and known-associated values that can be used with the log filter to assist an administrator in locating Outbreak Prevention-related AntiVirus logs :

 

Event Type ('eventtype'): outbreak-prevention.

Log ID ('logid'): 0204008202.

Detection Type ('dtype'): outbreak-prevention.

Message ('msg'): Blocked by Virus Outbreak Prevention service.

 

Further information on Outbreak Prevention-related log entries can be found here :

 

8202 - MESGID_AVQUERY_WARNING

8203 - MESGID_AVQUERY_NOTIF

 

For reference, the following is a sample of an Outbreak Prevention log in the GUI, as well as the same entry in the CLI/text log format :

 

outbreak_gui_1.png

 

outbreak_gui_2.png

 

outbreak_cli_1.png

 

As a final note, keep the following in mind when checking for AntiVirus logs:

 

- The ATP Statistics Widget is updated as the AntiVirus processes on the FortiGate scan files; it does not appear to use existing logs when generating these statistics.

- This can result in potential inconsistencies between the event count presented by the ATP Statistics widget vs. the actual number of log entries if the log facility being checked (i.e. FortiGate Cloud, FortiAnalyzer, Disk, etc.,) has deleted/overwritten old logs due to storage space and/or logging volume constraints.

 

Related articles:

Technical Tip: Displaying logs via FortiGate's CLI

FortiOS 6.2 Cookbook - FortiGuard outbreak prevention for antivirus
FortiOS 7.0 Administration Guide - FortiGuard outbreak prevention

Contributors