Description
This article describes how to test antivirus log generation on FortiGate.
Scope
FortiGate.
Solution
There may be cases where FortiGate generates no antivirus logs. In that case, verify that the FortiGate Antivirus signatures are working properly using the following method.
Use deep inspection in the internet-facing policy and ensure the certificate is installed on the user's machine.
Go to the EICAR malware test file download page to generate antivirus traffic.
Go to the Download area using the secure, SSL-enabled protocol HTTPS and select eicar.com.
The AntiVirus block page should appear.
If there are no entries in the Antivirus logs, it indicates that the Antivirus has not detected any infected files. The command 'diagnose log test' can be used to generate a sample test log for all categories of logs, including AV logs.
Note:
On the Antivirus profile used on the respective firewall policy, the following entries must also be added:
config antivirus profile
    edit <profile_name_of_av>
        set av-virus-log enable    <----- Enable/disable antivirus logging.
        set av-block-log enable    <----- Enable/disable logging for antivirus file blocking.
        set extended-log enable    <----- Enable/disable extended logging for antivirus.
    next
end
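To confirm these three settings across every profile at once, the following added example (not Fortinet code) audits the text output of 'show full-configuration antivirus profile' saved from the CLI. The sample output, profile names and function names are constructed for illustration.

```python
import shlex

# Settings the note above requires on the AV profile.
REQUIRED = ("av-virus-log", "av-block-log", "extended-log")

# Constructed sample of 'show full-configuration antivirus profile' output.
SAMPLE = '''\
config antivirus profile
    edit "default"
        set av-virus-log enable
        set av-block-log enable
        set extended-log disable
        config http
            set av-scan block
        end
    next
    edit "internet-av"
        set av-virus-log enable
        set av-block-log enable
        set extended-log enable
    next
end
'''

def parse_profiles(text):
    """Return {profile: {setting: value}} using profile-level 'set' lines only."""
    profiles, current, depth = {}, None, 0
    for raw in text.splitlines():
        # Drop KB-style '<-----' annotations, then honour quoted names.
        words = shlex.split(raw.split("<-----")[0])
        if not words:
            continue
        if words[0] == "config":
            depth += 1            # depth 2+ is a nested block such as 'config http'
        elif words[0] == "end":
            depth -= 1
        elif words[0] == "edit" and depth == 1 and len(words) > 1:
            current = words[1]
            profiles[current] = {}
        elif words[0] == "next" and depth == 1:
            current = None
        elif words[0] == "set" and depth == 1 and current and len(words) >= 3:
            profiles[current][words[1]] = words[2]
    return profiles

def missing_av_logging(text):
    """Return {profile: [required settings not set to 'enable']}."""
    found = {n: [k for k in REQUIRED if s.get(k) != "enable"]
             for n, s in parse_profiles(text).items()}
    return {n: bad for n, bad in found.items() if bad}
```

A profile that appears in the result needs the listed settings enabled before repeating the EICAR download test.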