Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Not applicable

AV scanning kills HTTP traffic

I recently had an issue with port 80 traffic being stopped by a push update that also updated the AV engine. My experience is related here. According to Skyhigh, this was a known issue with the AV sigs and the AV engine that affected v2.5 MR9. His advice at that time was to upgrade to MR10. We did and the problem went away. Now, we are on v2.8 MR5 and having the same problem again - just started at ~0900 hrs EDT 10-18-2004. We can ping via DNS name and it will resolve and respond. However, that same site will not come up in Internet Explorer. To troubleshoot this, we have disabled AV scanning and intrusion detection on the outbound and found that when on, the issue is present; when AV is off, the issue goes away. Has anyone else seen this issue?
22 REPLIES
Not applicable

Can't sniff the v2.5 MR10 anymore as I have upgraded to v2.8 MR5.
gbaharoff
New Contributor

We have seen this on various models and FortiOS versions from 2.50 to 2.80 MR5. We noticed it with IPS and AV enabled in combination or not. Configuring an internal DNS server for your workstations to use seems to take care of the problem.
Greg Baharoff Fortinet Certified System Engineer MTBW Services, Inc. 327 E Ridgeville Blvd 154 Mount Airy MD 21771 301-829-5925
Not applicable

Hello, I am seeing this problem as well. The HTTP traffic stops when virus scanning HTTP, as well as "file block". It took me forever to find out what was going on. I finally disabled the virus checking and file block on the profile and the traffic came through again. We have our own DNS server and the workstations are pointed to it, so that does not fix the problem per Pasdargent's tip, if I read it correctly. OT: Not to rape this thread, but can somebody give me a clue as to why the content filtering does the same thing as this virus issue, meaning, if I enable filtering, no traffic will come through to the machines, no logging, nothing. If I enable "Web content block" it does the same thing. I am almost hairless on this one..
Not applicable

Configuring an internal DNS server for your workstations to use seems to take care of the problem
Sorry about that misquote, Pasdargent. I was meaning to quote the Fortinet engineer, gbaharoff, in that the DNS issue is *not* the problem. It does seem to point to the anti-virus updates. I am on a 200 @ 2.8 rev5. There seems to be some really flaky stuff happening on this IOS. This is the first time I have used a Fortinet device, and from what I have seen and read on these forums about this happening in the past, it is looking like this problem could hit at any time, which is not too pleasing. It really gives a false sense of security.
Not applicable

We have internal DNS as well so we are very similar in our situations, indeed.
Not applicable

I posted this earlier but I found the problem on my end. Here is what I had posted.. "I found the problem, at least on my end.. Hit me late last night. The problem is that I had WCCP redirecting from a Cisco router to a Cisco cache engine, and when the content filtering, etc. was turned on within the Fortinet 200 device, it was getting redirected to the cache engine and stopping! Turn off WCCP on the redirecting router and all is good. Even the virus scanning works again. Hope this helps some of you guys.. One last thing, I am using the Fortinet in transparent mode."
Not applicable

Chaps, I've just replaced an FG-1000 running 2.5 MR10 with an FG-3600 running 2.8 MR5 ... and that's when the problems started. All our users here have to go through our web caching service (load balanced squid servers). Basically, for our web caches I've had to disable IDS (AV still running). This seems to cure 99.95% of the problems we've been having. There are some sites that seem to have problems (that don't show up in the logs) with AV enabled, so for them I've configured our client auto-proxy configuration file to point them to another web cache that has IDS on and AV off!!! and that works as well. Now we've just got some FTP funnies that seem to be AV related. Alex
Not applicable

I had a case where an IPS configuration resulted in corrupted files when downloading them through the web. FortiGate IPS has some badly written signatures (in my case MS.GDIPlus.JPEG.BufferOverflow.a and b), which is the well known signature for malformed JPEGs executing code on some MS machines. By comparing it with Cisco IDS and by examining the sites the JPEGs were originating from, we concluded that it was a false positive (Cisco IDS and AV on the PC did not think a JPEG from a DELL's site had a JPEG buffer overflow). Unfortunately the client had configured the signature to drop session as an action. This led to corrupted files (as the signature was triggered when downloading zip files). So think again before enabling drop session on signatures belonging to web-misc, web-client etc. groups, as they could lead to bad HTTP traffic.
Not applicable

Hi All, I faced the same issue: whenever I tried to enable Antivirus Port Scan on the FortiGate-50A unit, I couldn't surf the internet. It blocked HTTP requests. I was running v2.5 firmware. After I upgraded the firmware to v280-build292, it solved the problem! :-P Hope it helps those who are facing the same issue! Junhan
Not applicable

There is nothing called "Antivirus Port Scan". Probably you mean IPS (anomaly) port scanning. If you have a proxy, it is common (on most IDS) to mismatch the connections of your proxy as a port scan. As the proxy uses sequential high ports (3506, 3507, 3508...) to connect to port 80 of other sites, that can easily be triggered as a port scan from other sites to your proxy. Normally you create exceptions for some IPs so the IDS ignores them for port scan (or other signatures). For now you cannot create exceptions on a FortiGate.
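A small model of the false positive described in the reply above, added here as an example and not code from the thread or from any Fortinet product: a naive flow-based port-scan detector counts the return traffic to a proxy's sequential high ports as a scan, while a detector that tracks who initiated the connection and honours an exception list does not. All hosts, ports and flow records are constructed.

```python
# Added example: why a proxy's sequential source ports look like a port scan
# to a naive detector, and two ways a detector avoids that (direction tracking,
# exception list). All addresses and flows are constructed test data.
from collections import defaultdict

PROXY = "10.0.0.5"          # constructed: the web proxy / cache
WEBSITE = "203.0.113.10"    # constructed: a remote site on port 80
SCANNER = "198.51.100.7"    # constructed: a host really probing the proxy
THRESHOLD = 10              # distinct destination ports per (src, dst) pair

# Flow record: (src_ip, src_port, dst_ip, dst_port, src_initiated)
def proxy_flows(n):
    """The proxy opens n connections from sequential high ports to WEBSITE:80;
    each reply flow comes back from port 80 to one of those high ports."""
    flows = []
    for i in range(n):
        sport = 3506 + i
        flows.append((PROXY, sport, WEBSITE, 80, True))    # proxy -> site
        flows.append((WEBSITE, 80, PROXY, sport, False))   # site -> proxy (reply)
    return flows

def scan_flows(n):
    """A genuine scan: one host initiating connections to n ports on the proxy."""
    return [(SCANNER, 40000 + i, PROXY, 1 + i, True) for i in range(n)]

def naive_detect(flows):
    """Flag any (src, dst) pair that touches THRESHOLD distinct destination ports,
    ignoring which side opened the connection. The reply flows from WEBSITE to the
    proxy's ports 3506, 3507, 3508... are counted as WEBSITE scanning the proxy."""
    ports = defaultdict(set)
    for src, _sp, dst, dp, _init in flows:
        ports[(src, dst)].add(dp)
    return sorted(k for k, v in ports.items() if len(v) >= THRESHOLD)

def directional_detect(flows, exceptions=()):
    """Only count connections the source itself initiated (so reply traffic never
    looks like a scan) and skip sources on the exception list, which is what the
    reply above says most IDS products let you configure for a proxy."""
    ports = defaultdict(set)
    for src, _sp, dst, dp, initiated in flows:
        if not initiated or src in exceptions:
            continue
        ports[(src, dst)].add(dp)
    return sorted(k for k, v in ports.items() if len(v) >= THRESHOLD)

if __name__ == "__main__":
    sample = proxy_flows(20) + scan_flows(20)
    print("naive:      ", naive_detect(sample))       # proxy reply traffic flagged too
    print("directional:", directional_detect(sample)) # only the real scanner
```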