FortiGate
abarushka
Staff
Article Id 191179

Description

 
This article describes how to configure antivirus quarantine to save the infected files to the FortiGate disk (or send to FortiAnalyzer).
 
Scope
 
Any supported version of FortiGate.


Solution

 
Notes:
  • Make sure that the 'Quarantine' option is enabled in the GUI:

    Go to Security Profiles -> Antivirus and edit the antivirus profile. If a new antivirus profile has to be created, ensure that at least one protocol is enabled for inspection in it. Both the Antivirus Scan and Quarantine options must be enabled.

 

  • To save virus files to disk, FortiGate must have either an internal physical drive or a provisioned FortiGate-VM log disk. By default, files are deleted. It is also possible to send files to FortiAnalyzer if a FortiAnalyzer unit is configured and present in the network.
  • If memory is chosen as the location for logs, it is not possible to download the quarantined files.
 
Configure an antivirus quarantine and antivirus profile from the CLI:
 
config antivirus quarantine
    set destination disk
    set quarantine-quota <size in MB>
end

Other values accepted by 'set destination':
    NULL             Files that would be quarantined are deleted (default value)
    FortiAnalyzer    FortiAnalyzer
 
config antivirus profile
    edit <AV profile name>
        config <required protocol: >
            set options scan quarantine
        end
end
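 
A check for the two settings above, as an added example that is not Fortinet code: it reads the text of a configuration backup and reports a NULL quarantine destination and any protocol that scans without quarantining. It assumes the 'set options scan quarantine' syntax shown in this article; the function names and the sample configuration are constructed for illustration.

```python
# Constructed sample in the CLI syntax shown in this article (not from a real device).
SAMPLE = """\
config antivirus quarantine
    set destination NULL
end
config antivirus profile
    edit "av-web"
        config http
            set options scan quarantine
        end
        config ftp
            set options scan
        end
    next
end
"""

def parse_settings(config_text):
    """Yield (path, key, values) per 'set' line; path = enclosing block names."""
    stack = []  # (kind, name) pairs, kind is "config" or "edit"
    for raw in config_text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] in ("config", "edit"):
            stack.append((tok[0], " ".join(tok[1:]).strip('"')))
        elif tok[0] == "next" and stack and stack[-1][0] == "edit":
            stack.pop()
        elif tok[0] == "end" and stack:
            if stack[-1][0] == "edit":  # 'end' without 'next' also closes the entry
                stack.pop()
            if stack:
                stack.pop()
        elif tok[0] == "set" and len(tok) >= 3:
            yield [name for _, name in stack], tok[1], tok[2:]

def audit_quarantine(config_text):
    """Return findings for settings that stop infected files from being kept."""
    findings = []
    destination = "NULL"  # default per the article: files are deleted
    for path, key, values in parse_settings(config_text):
        if path[-1:] == ["antivirus quarantine"] and key == "destination":
            destination = values[0]
        elif len(path) >= 3 and path[-3] == "antivirus profile" and key == "options":
            if "scan" in values and "quarantine" not in values:
                findings.append(f"profile {path[-2]}, {path[-1]}: scan without quarantine")
    if destination == "NULL":
        findings.append("quarantine destination NULL: infected files are deleted")
    return findings
```

Calling audit_quarantine(SAMPLE) returns one finding for the ftp protocol of profile av-web and one for the NULL destination; an empty list means both settings match this article.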
 
To download the quarantined files, navigate in the GUI to Log & Report -> Security Events -> Antivirus.
 
It is not possible to download quarantined files from Log & Report -> Forward Traffic in the GUI.
 