Hi,
I have attached an Antivirus filter to the policy and am trying to test whether the filter is applied correctly by downloading the http://www.eicar.org/download/eicar_com.zip file, but it looks like the file is being downloaded without any issue. Below is the sample configuration. I tried both proxy and flow-based configurations but no luck. I am using FG version 5.2.1. Please advise what could be the issue. I remember it was working with 5.0.x with the same configuration.
config antivirus profile
    edit "DEFAULT"
        set comment "DEFAULT"
        set inspection-mode proxy
        set scan-botnet-connections disable
        config http
            set options scan
        end
        config ftp
            set options scan
        end
        config imap
            set options scan
        end
        config pop3
            set options scan
        end
        config smtp
            set options scan
        end
        config mapi
            set options scan
        end
    next
end
What proxy options profile are you using on the policy? And is it matching the right policy? Maybe we could create a test rule restricted to the one host as a source.
Regards, Chris McMullan Fortinet Ottawa
Hi Chris,
I configured AV with both proxy and flow-based inspection modes. I could see that the right policy is matching and the corresponding traffic logs are also generated.
Thanks,
Pratik
Christopher McMullan_FTNT wrote: What proxy options profile are you using on the policy? And is it matching the right policy? Maybe we could create a test rule restricted to the one host as a source.
You should see the replacement page if downloading the eicar file via HTTP (*.txt, *.com, *.zip). But, by default, HTTPS AV scanning is not enabled. So if you download from the lower row (using HTTPS) then only your OS-based antivirus software will alert you (you do have local AV software, don't you?).
Hi Ede,
I am downloading the file using wget and here is the output below. It uses the HTTP protocol and not HTTPS to download the file. I confirmed it by monitoring the traffic in Wireshark as well.
wget --bind-address=10.51.4.1 wget http://www.eicar.org/download/eicar_com.zip
--2015-01-16 07:37:28--  http://www.eicar.org/download/eicar_com.zip
Resolving www.eicar.org... 188.40.238.250
Connecting to www.eicar.org|188.40.238.250|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 184 [application/octet-stream]
Saving to: “eicar_com.zip.20”

100%[=======================================================================================================================================================================================>] 184 --.-K/s in 0s

2015-01-16 07:37:28 (11.4 MB/s) - “eicar_com.zip.20” saved [184/184]

FINISHED --2015-01-16 07:37:28-- Downloaded: 1 files, 184 in 0s (11.4 MB/s)
ede_pfau wrote: You should see the replacement page if downloading the eicar file via HTTP (*.txt, *.com, *.zip). But, by default HTTPS AV scanning is not enabled. So if you download from the lower row (using HTTPS) then only your OS based antivirus software will alert you (you do have local AV software, don't you?).
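The wget test above can be repeated in a form that classifies the outcome rather than just saving whatever arrives. The following is an added example, not code from the thread or from Fortinet: it fetches the same URL the poster used, over HTTP and then HTTPS, and reports whether the archive came through untouched (AV did not act), whether the firewall served an HTML replacement page instead, or whether the request was blocked outright. Only EICAR_URL is taken from the thread; the classification rules, the 68-byte member size and the function names are assumptions. The offline helper builds a harmless placeholder archive so the classifier can be exercised without the real test file.

```python
"""Repeat the EICAR download test from the thread and classify the outcome.

Added example: not code from the thread or from Fortinet. Only EICAR_URL comes
from the thread; everything else is an assumption made for this example.
"""
import io
import urllib.error
import urllib.request
import zipfile

EICAR_URL = "http://www.eicar.org/download/eicar_com.zip"  # URL used in the thread
EICAR_FILE_LEN = 68  # documented length of the eicar.com test file inside the zip


def classify_response(status, content_type, body):
    """Map one HTTP response to 'delivered', 'replacement_page', 'blocked' or 'unknown'.

    delivered        - a zip holding a 68-byte eicar.com arrived, so AV did not act
    replacement_page - HTTP 200 with an HTML body: the firewall's block page
    blocked          - no response at all, or a non-200 status
    unknown          - 200 with a payload that is neither HTML nor the expected zip
    """
    if status != 200:
        return "blocked"
    if "text/html" in (content_type or "").lower():
        return "replacement_page"
    try:
        with zipfile.ZipFile(io.BytesIO(body)) as zf:
            for info in zf.infolist():
                if info.filename.lower().endswith("eicar.com") and info.file_size == EICAR_FILE_LEN:
                    return "delivered"
    except zipfile.BadZipFile:
        pass
    return "unknown"


def fetch(url, timeout=10):
    """Return (status, content_type, body); a transport failure yields (None, None, b'')."""
    req = urllib.request.Request(url, headers={"User-Agent": "av-profile-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Content-Type"), resp.read()
    except urllib.error.HTTPError as err:
        # the block page may also arrive with a non-200 status; keep its headers and body
        return err.code, err.headers.get("Content-Type"), err.read()
    except (urllib.error.URLError, OSError):
        return None, None, b""


def build_placeholder_zip():
    """Constructed stand-in for eicar_com.zip, for offline testing only.

    The member is 68 bytes of 'X', not the real EICAR signature, so this archive
    will not trigger any scanner; it exists only to exercise classify_response.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("eicar.com", "X" * EICAR_FILE_LEN)
    return buf.getvalue()


def run_check(urls=(EICAR_URL, EICAR_URL.replace("http://", "https://", 1))):
    """Fetch each URL and return {url: verdict}."""
    return {url: classify_response(*fetch(url)) for url in urls}


if __name__ == "__main__":
    for url, verdict in run_check().items():
        print(f"{verdict:17} {url}")
```

Run it from the client behind the firewall. A 'delivered' verdict on the HTTP URL is the symptom described in this thread; a 'delivered' verdict on the HTTPS URL is the expected result unless SSL inspection is enabled, and once it is, the request will fail certificate verification (reported here as 'blocked') until the firewall's CA is trusted by the client.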
Is it possible you haven't assigned the AV profile to the firewall policy, or better yet the traffic doesn't match that profile? Looking for simple answers since this is a very basic test...if you want to attach your policy for review please do.
Hi,
I can confirm that I have attached the AV profile to the firewall policy and the same firewall policy is hit. I could also see the generated traffic logs in the database. Below is the configuration for the antivirus profile, and attached is the traffic log information in CSV format.
fw01 (root) # show antivirus profile DEFAULT
config antivirus profile
    edit "DEFAULT"
        set comment "DEFAULT"
        set inspection-mode proxy
        set scan-botnet-connections disable
        config http
            set options scan
        end
        config ftp
            set options scan
        end
        config imap
            set options scan
        end
        config pop3
            set options scan
        end
        config smtp
            set options scan
        end
        config mapi
            set options scan
        end
    next
end
Warren_Olson_FTNT wrote: Is it possible you haven't assigned the AV profile to the firewall policy, or better yet the traffic doesn't match that profile? Looking for simple answers since this is a very basic test...if you want to attach your policy for review please do.
The log shows that the FGT recognized that the packet was "Not.Scanned".
Could you post the proxy options profile in place on the policy as well, and indicate if the policy also has a webfilter profile?
If the webfilter profile has a URL filter, I'm wondering if the list contains any exemptions.
show firewall policy x
show firewall profile-protocol-options default //--or the appropriate name here, in place of 'default'
Regards, Chris McMullan Fortinet Ottawa
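When several profiles are in play, it helps to audit the CLI output mechanically instead of reading it by eye. The following is an added example, not code from the thread or from Fortinet: a small parser for the config / edit / set / unset / next / end grammar visible in the show output above, plus a check that every protocol section of the antivirus profile actually carries the scan option. SAMPLE is the poster's DEFAULT profile copied in as constructed input; the function names are assumptions. The same parser can be fed the output of show firewall profile-protocol-options <name> to read per-protocol settings such as the oversize limit mentioned later in the thread, but which keys that profile carries is not shown here and is not assumed.

```python
"""Parse FortiOS CLI 'show' output and audit an antivirus profile offline.

Added example, not from the thread or from Fortinet. The parser understands only
the nested config/edit/set/unset/next/end grammar seen in the thread; SAMPLE is
the thread's DEFAULT profile, included as constructed input.
"""
import shlex

SAMPLE = """\
config antivirus profile
    edit "DEFAULT"
        set comment "DEFAULT"
        set inspection-mode proxy
        set scan-botnet-connections disable
        config http
            set options scan
        end
        config ftp
            set options scan
        end
        config imap
            set options scan
        end
        config pop3
            set options scan
        end
        config smtp
            set options scan
        end
        config mapi
            set options scan
        end
    next
end
"""

AV_PROTOCOLS = ("http", "ftp", "imap", "pop3", "smtp", "mapi")


def parse_fortios(text):
    """Turn nested config/edit blocks into nested dicts; 'set k v...' becomes k -> [v...]."""
    root = {}
    stack = [root]  # innermost open block is last
    for line in text.splitlines():
        tokens = shlex.split(line.strip())  # honours the quotes around "DEFAULT"
        if not tokens:
            continue
        keyword = tokens[0]
        if keyword in ("config", "edit"):
            node = stack[-1].setdefault(" ".join(tokens[1:]), {})
            stack.append(node)
        elif keyword in ("next", "end"):
            if len(stack) > 1:
                stack.pop()
        elif keyword == "set" and len(tokens) >= 2:
            stack[-1][tokens[1]] = tokens[2:]
        elif keyword == "unset" and len(tokens) >= 2:
            stack[-1].pop(tokens[1], None)
        # anything else (a CLI prompt line, for instance) is ignored
    return root


def audit_av_profile(cfg, name="DEFAULT"):
    """Return a list of findings; an empty list means every protocol has 'scan' enabled."""
    profile = cfg.get("antivirus profile", {}).get(name)
    if profile is None:
        return [f"profile {name} not found"]
    findings = []
    for proto in AV_PROTOCOLS:
        options = profile.get(proto, {}).get("options", [])
        if "scan" not in options:
            findings.append(f"{proto}: 'scan' not in options ({options or 'unset'})")
    return findings


def inspection_mode(cfg, name="DEFAULT"):
    """Report the profile's inspection-mode so it can be compared with the policy's mode."""
    profile = cfg.get("antivirus profile", {}).get(name, {})
    return profile.get("inspection-mode", ["proxy"])[0]


if __name__ == "__main__":
    parsed = parse_fortios(SAMPLE)
    print("inspection-mode:", inspection_mode(parsed))
    print("findings:", audit_av_profile(parsed) or "none - profile scans all six protocols")
```

On the thread's own profile the audit returns no findings, which matches what the posters concluded: the profile itself is fine, so the 'Not.Scanned' result has to come from the policy, the proxy options profile or the traffic not reaching the proxy at all.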
Yes, I could see that the packet is not scanned.
The policy has a webfilter profile configured with the porn/security threat categories blocked. URL and content filters are not configured.
Christopher McMullan_FTNT wrote: The log shows that the FGT recognized that the packet was "Not.Scanned".
Could you post the proxy options profile in place on the policy as well, and indicate if the policy also has a webfilter profile?
If the webfilter profile has a URL filter, I'm wondering if the list contains any exemptions.
show firewall policy x
show firewall profile-protocol-options default //--or the appropriate name here, in place of 'default'
Did you check the file size compared to the configured oversized threshold size?