FortiGate heuristic scanning on 600E in monitor mode

dbaddorf · ‎11-19-2020

Hello!

I have a customer with a pair or 600E's that I'd like to configure to do heuristic scanning in monitor mode and check the logs.

The only helpful documentation that I can find is the following: https://kb.fortinet.com/kb/documentLink.do?externalID=FD48939

If I had a smaller model, then I'm assuming I could just do:

# config antivirus heuristic set mode pass

But since I have a 600E, do I need to also configure the "set drop_heuristic" and/or the "set store_heuristic" commands? I'm not quite sure what the purpose of these commands are for - especially if I don't want to do any quarantining.

Finally, I'd like to see the results of any heuristic scans. Would I search for virus="unknown" in the syslog output? Can anyone confirm? Or is there another way to see what the results of what the heuristic scans caught?

I appreciate any input on the subject!

dbaddorf · ‎12-15-2020

Ok, after opening a case w/ FortiNet, I got my answers:

[ol]

The "set drop_heuristic" defines what heuristic viruses to drop (based on protocol).

The "set store_heuristic" defines what heuristic viruses to save in quarantine (based on protocol).

Neither the "set drop_heuristic" nor the "set store_heuristic" are applicable when "config antivirus heuristic" is configured for "set mode pass". It is only applicable when configured for "set mode block".

The log output (Log & Report - AntiVirus or Syslog) will show virus="unknown" (see https://kb.fortinet.com/kb/documentLink.do?externalID=11227)[/ol]

FortiGate heuristic scanning on 600E in monitor mode

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website