Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
zoriax
Contributor

FortiGate Antivirus is blocking but not logging

Hi everyone,

 

Very strange behaviour with FortiGate and AntiVirus in firewall rule. I have sometime my traffic blocked by AntiVirus but I can't see anything in logs.

 

In my Forward Traffic logs, I can see sometimes a value in result, sometimes not. When Result is green and has traffic, AntiVirus is disabled and request correctly pass. When Result is empty, traffic is blocked and AntiVirus is enabled on policy.

zoriax_0-1650533079162.png

 

If I looked inside AntiVirus logs, the are empty. My AntiVirus configuration is here : 

 

zoriax_1-1650533271572.png

 

I tried to disabled one by one each part of AntiVirus configuration but no change. The request is working only if I disabled AntiVirus in firewall rule.

 

I've mistaken somewhere or is it a bug ? If a virus is detected, why I don't have any log ? For me it looks like an AntiVirus engine bug...

 

Maybe you have more tools to debug this behaviour :)

 

Thanks for your help

12 REPLIES 12
AlexC-FTNT
Staff
Staff

If you don't see any logs, why do you think it is blocked by the AV?

And where do you look for AV logs? You can find the AV logs in the dedicated Antivirus section of Log & Report (not in Forward traffic) if logging is enabled in policy. 


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
zoriax
Contributor

Hi ! 

 

I suspected the AV beacause if I disabled it form my policy, here : 

zoriax_0-1650534195811.png

My request is correctyl forwarded. If I changed it to : 

zoriax_1-1650534222577.png

My request is not working correctly.

 

My AntiVirus logs are totally empty... 

AlexC-FTNT

Once again, this is not a proof of a log problem. The traffic may be blocked by a wrongly configured AV (or maybe a bug). Make sure that AV profile mode is consistent with the policy operation mode (proxy-mode). Also, check that the FortiOS version you are running is up to date (6.4.8 / 7.0.5) to eliminate possible bugs.


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
zoriax
Contributor

For me the problem seems to be related to AV more than log... Or something strange in AV that is not logged (a bug maybe...)

 

If I follow you, I need to pass my policy to Proxy-baded inspection if I wanted to user AV in profile ? I'm a bit confuse about that... 

 

Thanks for your return.

AlexC-FTNT
Staff
Staff

Yes. In flow-based mode only IPS and Webfilter work correctly.

For other inspection profiles, the policy must to be in proxy-based mode to offer proper results. 


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
Jirka1

Hi Alex,

what exactly do you mean by: "Yes. In flow-based mode only IPS and Webfilter work correctly. For other inspection profiles, the policy must be in proxy-based mode to offer proper results."

 

Does this mean that, for example, application control or antivirus does not work in Flow mode? Or is their functionality reduced? How do I understand that?

Thank you.

Jirka1_0-1650561560697.png

 



Jirka

AlexC-FTNT

You may get some false positive identifications in flow-based mode, or impossible to block the stream/connection after a positive identification.

AV/AppControl works on 'best effort' basis since the packets are not buffered (proxied).

Surely, flow-based inspection is 'lighter' on resource usage.


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
zoriax
Contributor

As I can see in version 7.0.5, AntiVirus seems to work correctly with the 2 types : 

 

zoriax_0-1650544145578.png

 

But I tried proxy-mode in my firewall rule and it works now correctly...

 

So your recommandation is to always set proxy-based when AV is needed ?

 

zoriax
Contributor

Just to clarify the configuraiton of Policy and AV I can set : 

  • Flow-based / Proxy-based in Policies
  • Flow-based / Proxy-based in AntiVirus

If I understand correctly I must set Proxy-Based in policies and I can choose inspection in AV right ?