abarushka
Staff
Article Id 191179

Description

 
This article describes how to configure antivirus quarantine to save infected files to the FortiGate disk (or send them to FortiAnalyzer).
 
Scope
 
Any supported version of FortiGate.


Solution

 
Notes:
  • Make sure that the "Quarantine" option is enabled in the GUI:

    Go to Security Profiles -> AntiVirus and edit the AV profile. If it is necessary to create a new AV profile, ensure that at least one protocol is enabled in the AV profile for inspection. The AntiVirus Scan and Quarantine options must be enabled:

 


 

  • FortiGate must have an internal HDD in order to be able to save virus files to disk. By default, these are deleted. It is also possible to choose to send them to FortiAnalyzer, if the unit is configured and present in the network.
  • If memory is chosen as a location for logs, it is not possible to download the quarantined files.
 
Configure an antivirus quarantine and antivirus profile from the CLI:
 
 
config antivirus quarantine
    set destination disk
    set quarantine-quota <size in MB>
end

Other values for destination:
    NULL             Files that would be quarantined are deleted (default value)
    FortiAnalyzer    FortiAnalyzer

config antivirus profile
    edit <AV profile name>
        config <required protocol: >
            set options scan quarantine
        end
end
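
To confirm from a configuration backup that both settings above are in place, the following added example (not from the original article or from Fortinet) parses the config/edit/set syntax and reports a NULL quarantine destination or a protocol section that scans without quarantining. The sample configuration, the profile name and the protocol names in it are constructed assumptions.

```python
# Constructed sample in FortiGate backup syntax (not from a real device).
# The protocol names "http" and "smtp" are assumptions for illustration.
SAMPLE = """
config antivirus quarantine
    set destination disk
end
config antivirus profile
    edit "av-web"
        config http
            set options scan quarantine
        end
        config smtp
            set options scan
        end
    next
end
"""

def parse(text):
    """Turn nested config/edit/set/next/end lines into nested dicts."""
    stack = [("root", {})]
    for raw in text.splitlines():
        # Blank lines yield an empty command and fall through every branch.
        cmd, *args = raw.replace('"', "").split() or [""]
        if cmd in ("config", "edit") and args:
            child = stack[-1][1].setdefault(" ".join(args), {})
            stack.append((cmd, child))
        elif cmd == "set" and args:
            stack[-1][1][args[0]] = args[1:]
        elif cmd == "next" and stack[-1][0] == "edit":
            stack.pop()
        elif cmd == "end":
            # "end" typed inside an edit also closes the enclosing config.
            while len(stack) > 1 and stack.pop()[0] != "config":
                pass
    return stack[0][1]

def audit(cfg):
    """Return findings for settings that stop infected files being kept."""
    findings = []
    # Per the article, NULL (delete) is the default when nothing is set.
    dest = cfg.get("antivirus quarantine", {}).get("destination", ["NULL"])[0]
    if dest.upper() == "NULL":
        findings.append("quarantine destination NULL: infected files are deleted")
    for name, prof in cfg.get("antivirus profile", {}).items():
        for proto, settings in prof.items():
            opts = settings.get("options", []) if isinstance(settings, dict) else []
            if "scan" in opts and "quarantine" not in opts:
                findings.append(f"{name}/{proto}: scan without quarantine")
    return findings
```

Calling `audit(parse(SAMPLE))` flags the `smtp` section of the sample profile, which scans but does not quarantine.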
 
 
Related documents: