Hi everyone,
Very strange behaviour with FortiGate and AntiVirus in a firewall rule. My traffic is sometimes blocked by AntiVirus, but I can't see anything in the logs.
In my Forward Traffic logs, I sometimes see a value in Result, sometimes not. When Result is green and shows traffic, AntiVirus is disabled and the request passes correctly. When Result is empty, the traffic is blocked and AntiVirus is enabled on the policy.
If I look in the AntiVirus logs, they are empty. My AntiVirus configuration is here:
I tried disabling each part of the AntiVirus configuration one by one, but nothing changed. The request only works if I disable AntiVirus in the firewall rule.
Have I made a mistake somewhere, or is it a bug? If a virus is detected, why don't I have any log? To me it looks like an AntiVirus engine bug...
Maybe you have more tools to debug this behaviour :)
Thanks for your help
If you don't see any logs, why do you think it is blocked by the AV?
And where do you look for the AV logs? You can find the AV logs in the dedicated AntiVirus section of Log & Report (not in Forward Traffic) if logging is enabled in the policy.
Hi !
I suspected the AV because if I disable it in my policy, here:
my request is correctly forwarded. If I change it to:
my request does not work correctly.
My AntiVirus logs are totally empty...
Once again, this is not proof of a logging problem. The traffic may be blocked by a wrongly configured AV (or maybe a bug). Make sure that the AV profile mode is consistent with the policy operation mode (proxy mode). Also, check that the FortiOS version you are running is up to date (6.4.8 / 7.0.5) to eliminate possible bugs.
To me the problem seems to be related to the AV more than to logging... Or something strange in the AV that is not logged (maybe a bug...)
If I follow you, I need to switch my policy to proxy-based inspection if I want to use AV in the profile? I'm a bit confused about that...
Thanks for your reply.
Yes. In flow-based mode only IPS and Webfilter work correctly.
For other inspection profiles, the policy must be in proxy-based mode to give proper results.
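The configuration Alex recommends, as an added example that is not part of any post in this thread: a FortiOS 7.0.x CLI fragment that puts the policy in proxy-based inspection, attaches an AV profile whose feature set is also proxy, and turns on the logging needed to actually see AV verdicts, followed by the CLI commands to read the AV log and trace a single client. Policy ID 1, the interface and address names, the profile name "av-proxy", the client address 192.0.2.10 and the log category number are assumptions and must be adapted to the real policy.

```text
# Added example (not from the thread). FortiOS 7.0.x CLI; names and IDs are placeholders.

# 1. AV profile: the feature set must be consistent with the policy's inspection mode.
#    A "feature-set proxy" profile cannot be selected on a flow-mode policy.
config antivirus profile
    edit "av-proxy"
        set comment "proxy-based AV, block and log"
        set feature-set proxy
        config http
            set av-scan block
        end
        config ftp
            set av-scan block
        end
        set av-block-log enable
    next
end

# 2. Firewall policy: proxy-based inspection, UTM enabled, all sessions logged.
#    The default "logtraffic utm" only writes a forward-traffic entry for sessions
#    that trigger a UTM event, so use "all" while troubleshooting.
config firewall policy
    edit 1
        set name "lan-to-internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "av-proxy"
        set logtraffic all
        set nat enable
    next
end

# 3. Read the AV log from the CLI (same data as Log & Report > AntiVirus in the GUI).
#    Category 2 is the antivirus category as the editor recalls it; confirm with the
#    CLI help on your firmware before relying on it.
execute log filter reset
execute log filter category 2
execute log display

# 4. If the session is still dropped with no AV entry, trace one client through
#    the forwarding path to see which module drops it.
diagnose debug flow filter addr 192.0.2.10
diagnose debug flow trace start 50
diagnose debug enable
# ... reproduce the request, then stop the trace:
diagnose debug disable
diagnose debug reset
```

Apply the profile before the policy, since the policy references it by name; the GUI will refuse to pair a proxy feature-set profile with a flow-mode policy, which is the inconsistency the reply above warns about.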
Created on 04-21-2022 10:15 AM Edited on 04-21-2022 10:19 AM
Hi Alex,
what exactly do you mean by: "Yes. In flow-based mode only IPS and Webfilter work correctly. For other inspection profiles, the policy must be in proxy-based mode to offer proper results."
Does this mean that, for example, application control or antivirus does not work in flow mode? Or is their functionality reduced? How should I understand that?
Thank you.
Jirka
Created on 04-22-2022 01:39 AM Edited on 04-22-2022 01:40 AM
You may get some false positive identifications in flow-based mode, or it may be impossible to block the stream/connection after a positive identification.
AV/AppControl works on a 'best effort' basis since the packets are not buffered (proxied).
Certainly, flow-based inspection is 'lighter' on resource usage.
As far as I can see in version 7.0.5, AntiVirus seems to work correctly with both types:
But I tried proxy mode in my firewall rule and now it works correctly...
So your recommendation is to always set proxy-based inspection when AV is needed?
Just to clarify the configuration of the policy and AV, I can set:
If I understand correctly, I must set proxy-based in the policies and I can choose the inspection in the AV profile, right?