Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
jrpayne
New Contributor

Created on ‎08-28-2014 11:01 AM

Protocol Options

Hello All, I am looking for the location in the gui to edit protocol options and have not been able to locate it. I have recently upgraded to 5.2 and it appear a lot of stuff has changed or moved. I get notifications about downloads that file limit is exceeded and it categorizes that event as subtype of virus?? Makes no sense to me. I only want notification emails when a virus signature gets a hit. Anyone have any ideas about why this my be behaving like this? I just don' t understand how a file size (which I suppose I will need o change) would trigger an event with a subtype of " virus" .
25646
0 Kudos
20 REPLIES 20
Dave_Hall
Honored Contributor

Created on ‎08-29-2014 02:18 PM

It seems logging filter settings in 5.0 (which I have installed on this test unit) is different than on 5.2. What netmin has posted is more in line with 4.0. MR3 (which I am more familiar with). I do know a lot of logging options do not (and will not) show up (even with " show full-configuration" ) unless logging to " that device" is enabled. I can only assume you have enabled logging to the FortiAnalyzer.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
3799
0 Kudos
Dave_Hall
Honored Contributor

Created on ‎08-29-2014 02:29 PM

What netmin has posted is more in line with 4.0. MR3 (which I am more familiar with).
Under 4.0. MR3, that section looks like this... 
 config firewall profile-protocol-options
     edit " default" 
         set comment " all default services" 
             config http
                 set port 80 
                 set options clientcomfort
                 set comfort-amount 100
                 unset post-lang
                 set oversize-limit 5
             end
             config https
                 set port 443 
                 unset options
             end
             config ftp
                 set port 21 
                 set options no-content-summary splice
                 set oversize-limit 5
             end
             config imap
                 set port 143 
                 set options fragmail no-content-summary
                 set oversize-limit 5
             end
             config pop3
                 set port 110 
                 set options fragmail no-content-summary
                 set oversize-limit 5
             end
             config smtp
                 set port 25 
                 set options fragmail no-content-summary splice
                 set oversize-limit 5
             end
             config nntp
                 set port 119 
                 set options no-content-summary splice
                 set oversize-limit 5
             end
             config im
                 unset options
                 set oversize-limit 5
             end
     next
 end
Under 5.0, tried to edit " default" and add " set oversize-log disable" but just gives me an error. Only options I can set under " default" is 
 (default) # set 
 comment             comment
 replacemsg-group    Replacement message group.
 extended-utm-log    Enable/disable detailed UTM log messages.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
3821
0 Kudos
netmin
Contributor II

Created on ‎08-29-2014 02:56 PM

Here a 5.2 version: 
 FGT (default) # show full-configuration 
 
 config firewall profile-protocol-options
     edit " default" 
         set comment " all default services" 
         set replacemsg-group ' ' 
         set oversize-log disable
         set switching-protocols-log disable
             config http
                 set ports 80
                 set status enable
                 set inspect-all disable
                 set options clientcomfort no-content-summary
                 set comfort-interval 10
                 set comfort-amount 1
                 unset post-lang
                 set fortinet-bar disable
                 set streaming-content-bypass enable
                 set switching-protocols bypass
                 set oversize-limit 10
                 set retry-count 0
             end
             config ftp
                 set ports 21
                 set status enable
                 set inspect-all disable
                 set options clientcomfort no-content-summary splice
                 set comfort-interval 10
                 set comfort-amount 1
                 set oversize-limit 10
             end
             config imap
                 set ports 143
                 set status enable
 
                 set inspect-all disable
                 set options fragmail
                 set oversize-limit 10
             end
             config mapi
                 set ports 135
                 set status enable
                 set options fragmail no-content-summary
                 set oversize-limit 10
             end
             config pop3
                 set ports 110
                 set status enable
                 set inspect-all disable
                 set options fragmail no-content-summary
                 set oversize-limit 10
             end
             config smtp
                 set ports 25
                 set status enable
                 set inspect-all disable
                 set options fragmail no-content-summary splice
                 set oversize-limit 10
                 set server-busy disable
             end
             config nntp
                 set ports 119
                 set status enable
                 set inspect-all disable
                 set options no-content-summary splice
                 set oversize-limit 10
             end
 
             config dns
                 set ports 53
                 set status enable
             end
             config mail-signature
                 set status disable
                 set signature ' ' 
             end
     next
 end
 
 and a screenshot:
Preview file
49 KB
3820
0 Kudos
jrpayne
New Contributor

Created on ‎08-29-2014 03:53 PM

The box you have noted here is not checked on my FG. I was hoping that was the issue but no dice on that one. :(
3820
0 Kudos
jrpayne
New Contributor

Created on ‎08-29-2014 04:04 PM

I used the " config firewall profile-protocol-options edit " default" ' set oversize-log disable . We shall see if that does the trick. I will let you know. I really appreciate your time and answers. Thank you folks.
3820
0 Kudos
jrpayne
New Contributor

Created on ‎09-02-2014 04:04 AM

Well I went in and ran that command and I am still getting those messages. So I don' t know what else there could be to change.
3821
0 Kudos
netmin
Contributor II

Created on ‎09-02-2014 11:26 AM

The ' default' profile was meant as an example of course (in case you are using multiple/different proxy option profiles). Other areas that could be checked: are you using a DLP sensor? What logging options are used in the AV profile? Could you also post an anonymized log entry? It was already asked - is the email sent by your FGT or a FortiAnalyzer event setting?
3821
0 Kudos
jrpayne
New Contributor

Created on ‎09-02-2014 12:20 PM

The notification is being sent by the FG. The only event setup in the FAZ is a high memory event. The notifications look like this when they come to me in an email. " Message meets Alert condition File Block Detected: iR3245_Series_HTML PC_02262014.exe Protocol: HTTP Source IP: ************* Destination IP: ************** Email Address From: Email Address To: date=2014-09-02 time=15:12:23 devname=*********** devid=************** logid=************ type=utm subtype=virus eventtype=oversize level=notice vd=" root" msg=" Size limit is exceeded." action=passthrough service=HTTP sessionid=54608523 srcip=************* dstip=************** srcport=3828 dstport=80 proto=6 direction=incoming filename=" iR3245_Series_HTML PC_02262014.exe" url=" http://downloads.canon.com/navilp/iR3245_Series_HTML%20PC_02262014.exe" profile=" Forsyth Protocol Options" user=" guest" group=" SSO_Guest_Users" agent=" Mozilla/4.0" DLP sensor is turned off. I looked in the AV profile and I do not see any logging options listed there. I am going to look once more.
3821
0 Kudos
jrpayne
New Contributor

Created on ‎09-02-2014 12:23 PM

These are the AV options from the CLI FG300B3909601246 (**********) # get name : ************* comment : replacemsg-group : inspection-mode : flow-based scan-botnet-connections: block ftgd-analytics : disable http: options : scan quarantine archive-block : archive-log : ftp: options : scan quarantine archive-block : archive-log : imap: options : scan quarantine archive-block : archive-log : pop3: options : scan quarantine archive-block : archive-log : smtp: options : scan quarantine --More-- archive-block : archive-log : nntp: options : archive-block : archive-log : smb: options : archive-block : archive-log : nac-quar: infected : quar-src-ip expiry : 364d23h59m log : disable av-virus-log : enable av-block-log : enable
3821
0 Kudos
netmin
Contributor II

Created on ‎09-02-2014 01:13 PM

profile=" Forsyth Protocol Options"
- this one has oversize logging disabled as well?
3821
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.