Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
GTNman
New Contributor

Anti-Virus not catching infected HTTPS traffic.

I just went over to eicar.org to download the test malware files to see if my Fortigate 100a would pick them up as dangerous. Well, it worked perfectly on the regular Port 80 traffic, but anything over Port 443 secure would download just fine without warning. Is there something that needs to be set for the Fortigate to pick up the HTTPS traffic?
UkWizard
New Contributor

HTTPS cannot be antivirus checked, as it's encrypted between the browser and the webserver. There are few devices that can do this, and they are mostly proxy servers which are expensive. This is why the Fortinet is not a replacement for desktop AV software...
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
Not applicable

Yup... same thing for me when I went to eicar.org. HTTPS traffic can't be scanned; but I think I heard somewhere that capability might be added into the FortiGate? Or maybe it was something to do with SSL VPN and the FortiOS that's not out yet. UkWizard is correct in saying the Firewall should not be used as a desktop AV replacement; if anything it should be used as an additional layer of security in your existing setup. If you need desktop AV, I would highly recommend Kaspersky Labs; I am on my 3rd year using their products and am very impressed.
laf
New Contributor II

Off-topic: What Kaspersky product do you use? How's the licensing? Do they update your software, too? (I mean the product engine, or by adding other functionalities over the years).

The most expensive and scarce resource for man is time; paradoxically, it's infinite.
Victor
New Contributor III

The FortiGate is an HTTP proxy. How do you think it inspects the packets? If you look at the processes, thhtpd is the proxy process. To inspect encrypted traffic where you do not have the keys you have to do a man-in-the-middle attack, and that is a little trickier, not to mention the ethical considerations. Finjan I believe has a product that does this, and there are others. I suspect that Fortinet will be forced to follow the same path.
laf
New Contributor II

Yesterday I tested HTTPS scanning on another vendor's product, gateway Protect, and I was impressed by the results. Then I immediately had contact with Fortinet and I can confirm Victor's sayings: in v4.0, which will hit us in about 5-6 months, they promised to introduce this feature. I'm just curious if they'll implement it on small equipment like the 110C or simply start with the 310B.

The most expensive and scarce resource for man is time; paradoxically, it's infinite.
MasterBratac
Contributor

I wonder how this should work ... HTTPS is encrypted traffic ... how is it possible that it could be scanned?
romanr
Valued Contributor

I wonder how this should work ... HTTPS is encrypted traffic ... how is it possible that it could be scanned?
These devices start a "man-in-the-middle" attack -> they give away their own certificate (!!!!) and start their own SSL session to the server: Client <-https-> security device <-https-> ssl-website. The problem with that is that you totally lose control of the other point's certificate!!! This is a problem by design, which will give us some grey hair in future ;)! Especially when Fortigate offers this feature as well....
MasterBratac
Contributor

That means ... each HTTPS website shows up in the web browser with a Fortinet certificate? And every time a user accesses an HTTPS website he has to click away all those certificate error messages? That's not good ...
romanr
Valued Contributor

ORIGINAL: MasterBratac That means ... each HTTPS website shows up in the web browser with a Fortinet certificate? And every time a user accesses an HTTPS website he has to click away all those certificate error messages? That's not good ...
Yes -> It'll be that way in FortiOS 4. You will be able to install a corporate cert which is then trusted! As I heard, there will also be a whitelist of HTTPS servers (via webfilter service???), which will not get scanned, and so the authenticity of the servers will remain as usual, but no AV&IPS then....! cheers, roman
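A small client-side check for the setup romanr describes (corporate inspection CA plus a no-inspect whitelist), added here as an example and not code from the thread or from Fortinet: it looks at who signed the certificate the browser actually receives and flags whitelisted hosts that are nevertheless being intercepted. The CA name and host list are assumptions.

```python
"""Classify a TLS connection as direct or intercepted by an inspecting
middlebox, based on the issuer of the leaf certificate the client sees."""
import socket
import ssl

# Assumed name of the corporate CA that clients trust for inspection.
INSPECTION_CAS = {"Example Corp TLS Inspection CA"}
# Assumed hosts that policy says must never be inspected (the whitelist).
NO_INSPECT_HOSTS = {"bank.example", "payroll.example"}


def rdn_value(name, key):
    """Extract one attribute (e.g. commonName) from a getpeercert() name:
    a tuple of RDNs, each RDN a tuple of (type, value) pairs."""
    for rdn in name:
        for attr_type, value in rdn:
            if attr_type == key:
                return value
    return None


def classify(host, cert, inspection_cas=INSPECTION_CAS,
             no_inspect_hosts=NO_INSPECT_HOSTS):
    """Return 'direct', 'inspected' or 'policy-violation'.

    cert is the dict shape returned by ssl.SSLSocket.getpeercert()."""
    issuer_cn = rdn_value(cert.get("issuer", ()), "commonName")
    intercepted = issuer_cn in inspection_cas
    if host in no_inspect_hosts:
        # Whitelisted host: we must be seeing the origin server's own cert.
        return "policy-violation" if intercepted else "direct"
    return "inspected" if intercepted else "direct"


def probe(host, port=443, timeout=5.0):
    """Open a verified TLS session and return the leaf certificate as this
    client sees it, i.e. after any middlebox has re-signed it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys
    for h in sys.argv[1:]:
        print(h, classify(h, probe(h)))
```

Run it from a client behind the gateway with the hostnames you expect to be exempt; a "policy-violation" means the whitelist is not doing what the policy claims.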