sjoshi
Staff
Article Id 257020

Description

This article describes how to test antivirus log generation on FortiGate.

Scope

FortiGate.

Solution

There may be cases where FortiGate generates no logs. In this case, ensure the FortiGate Antivirus signatures are working properly using the following method.

  1. Configure the Antivirus profile with the HTTP protocol enabled (in this article, HTTP traffic will be tested). The Antivirus profile mode must match the inspection mode setting (proxy or flow) in the associated firewall policy.
  2. Use deep inspection in the internet-facing policy and ensure the certificate is installed on the user's machine.
  3. Go to the following website to generate antivirus traffic: https://www.eicar.org/download-anti-malware-testfile/.
  4. Go to the Download area using the secure, SSL-enabled protocol HTTPS and select eicar.com.
  5. The AntiVirus block page should appear.
  6. Antivirus logs should be visible in FortiGate.
  7. If no log is generated, make sure that Web Filter and Application Control are disabled in the policy so that the Antivirus log shows up.
  8. If there are no entries in the AntiVirus logs, it indicates that the Antivirus has not detected any infected files.
  9. If Antivirus logs are empty, run the command 'diag log test'; after a few minutes, Antivirus logs should start to populate.
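Where the logs are forwarded to syslog or exported from the CLI, the presence of the test detection can be checked programmatically. The following is an added example, not part of the article or of Fortinet's tooling: a small parser for FortiGate's key=value log format run over constructed sample lines (the IP addresses, logid and URL field are placeholders assumed for the example).

```python
"""Checker for FortiGate key=value log lines (added example, not from the article).

FortiGate emits logs as space-separated key=value pairs with double-quoted
string values. The sample lines below are constructed for this example; the
IP addresses and logid are placeholders, not values from a real unit.
"""
import re

# key=value where the value is either a double-quoted string or a bare token
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line):
    """Parse one FortiGate log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def antivirus_events(lines):
    """Return the parsed entries that are UTM antivirus events (type=utm, subtype=virus)."""
    records = (parse_fortigate_log(line) for line in lines)
    return [r for r in records if r.get("type") == "utm" and r.get("subtype") == "virus"]


def detection_blocked(events, virus_name="EICAR_TEST_FILE"):
    """True if some antivirus event names the expected test detection and was blocked."""
    return any(e.get("virus") == virus_name and e.get("action") == "blocked"
               for e in events)


# Constructed sample: one ordinary traffic log (must be ignored) and one
# antivirus block log for the EICAR download described in the article.
SAMPLE_LOGS = [
    'date=2023-06-01 time=10:00:00 type="traffic" subtype="forward" srcip=10.0.0.5 '
    'dstip=192.0.2.20 dstport=443 service="HTTPS" action="accept"',
    'date=2023-06-01 time=10:00:01 logid="PLACEHOLDER_LOGID" type="utm" subtype="virus" '
    'eventtype="infected" level="warning" srcip=10.0.0.5 dstip=203.0.113.10 dstport=443 '
    'service="HTTPS" profile="default" action="blocked" virus="EICAR_TEST_FILE" '
    'filename="eicar.com" url="https://secure.eicar.org/eicar.com" msg="File is infected."',
]

if __name__ == "__main__":
    events = antivirus_events(SAMPLE_LOGS)
    print(f"{len(events)} antivirus event(s); test file blocked: {detection_blocked(events)}")
```

If the checker finds traffic logs for the download but no entry with type="utm" and subtype="virus", the troubleshooting steps above (profile mode, deep inspection, competing UTM features, 'diag log test') are the places to look.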


Note:

On the Antivirus profile used on the respective firewall policy, the following entries must also be added:

config antivirus profile
    edit <profile_name_of_av>
        set av-virus-log enable
        set av-block-log enable
        set extended-log enable
    next
end