Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
jrpayne
New Contributor

Protocol Options

Hello All, I am looking for the location in the GUI to edit protocol options and have not been able to locate it. I have recently upgraded to 5.2 and it appears a lot of stuff has changed or moved. I get notifications about downloads that the file limit is exceeded and it categorizes that event as a subtype of virus?? Makes no sense to me. I only want notification emails when a virus signature gets a hit. Anyone have any ideas about why this may be behaving like this? I just don't understand how a file size (which I suppose I will need to change) would trigger an event with a subtype of "virus".
Dave_Hall
Honored Contributor

It seems logging filter settings in 5.0 (which I have installed on this test unit) are different than on 5.2. What netmin has posted is more in line with 4.0 MR3 (which I am more familiar with). I do know a lot of logging options do not (and will not) show up (even with "show full-configuration") unless logging to "that device" is enabled. I can only assume you have enabled logging to the FortiAnalyzer.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Dave_Hall
Honored Contributor

What netmin has posted is more in line with 4.0 MR3 (which I am more familiar with).
Under 4.0 MR3, that section looks like this...
 config firewall profile-protocol-options
     edit "default"
         set comment "all default services"
             config http
                 set port 80
                 set options clientcomfort
                 set comfort-amount 100
                 unset post-lang
                 set oversize-limit 5
             end
             config https
                 set port 443
                 unset options
             end
             config ftp
                 set port 21
                 set options no-content-summary splice
                 set oversize-limit 5
             end
             config imap
                 set port 143
                 set options fragmail no-content-summary
                 set oversize-limit 5
             end
             config pop3
                 set port 110
                 set options fragmail no-content-summary
                 set oversize-limit 5
             end
             config smtp
                 set port 25
                 set options fragmail no-content-summary splice
                 set oversize-limit 5
             end
             config nntp
                 set port 119
                 set options no-content-summary splice
                 set oversize-limit 5
             end
             config im
                 unset options
                 set oversize-limit 5
             end
     next
 end
 
Under 5.0, I tried to edit "default" and add "set oversize-log disable" but it just gives me an error. The only options I can set under "default" are
 (default) # set 
 comment             comment
 replacemsg-group    Replacement message group.
 extended-utm-log    Enable/disable detailed UTM log messages.
 

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
netmin
Contributor II

Here is a 5.2 version:
 FGT (default) # show full-configuration

 config firewall profile-protocol-options
     edit "default"
         set comment "all default services"
         set replacemsg-group ''
         set oversize-log disable
         set switching-protocols-log disable
             config http
                 set ports 80
                 set status enable
                 set inspect-all disable
                 set options clientcomfort no-content-summary
                 set comfort-interval 10
                 set comfort-amount 1
                 unset post-lang
                 set fortinet-bar disable
                 set streaming-content-bypass enable
                 set switching-protocols bypass
                 set oversize-limit 10
                 set retry-count 0
             end
             config ftp
                 set ports 21
                 set status enable
                 set inspect-all disable
                 set options clientcomfort no-content-summary splice
                 set comfort-interval 10
                 set comfort-amount 1
                 set oversize-limit 10
             end
             config imap
                 set ports 143
                 set status enable
                 set inspect-all disable
                 set options fragmail
                 set oversize-limit 10
             end
             config mapi
                 set ports 135
                 set status enable
                 set options fragmail no-content-summary
                 set oversize-limit 10
             end
             config pop3
                 set ports 110
                 set status enable
                 set inspect-all disable
                 set options fragmail no-content-summary
                 set oversize-limit 10
             end
             config smtp
                 set ports 25
                 set status enable
                 set inspect-all disable
                 set options fragmail no-content-summary splice
                 set oversize-limit 10
                 set server-busy disable
             end
             config nntp
                 set ports 119
                 set status enable
                 set inspect-all disable
                 set options no-content-summary splice
                 set oversize-limit 10
             end
             config dns
                 set ports 53
                 set status enable
             end
             config mail-signature
                 set status disable
                 set signature ''
             end
     next
 end
 
 and a screenshot:
 
 
 
jrpayne
New Contributor

The box you have noted here is not checked on my FG. I was hoping that was the issue but no dice on that one. :(
jrpayne
New Contributor

I used config firewall profile-protocol-options, edit "default", set oversize-log disable. We shall see if that does the trick. I will let you know. I really appreciate your time and answers. Thank you folks.
jrpayne
New Contributor

Well I went in and ran that command and I am still getting those messages. So I don't know what else there could be to change.
netmin
Contributor II

The 'default' profile was meant as an example of course (in case you are using multiple/different proxy option profiles). Other areas that could be checked: are you using a DLP sensor? What logging options are used in the AV profile? Could you also post an anonymized log entry? It was already asked - is the email sent by your FGT or a FortiAnalyzer event setting?
jrpayne
New Contributor

The notification is being sent by the FG. The only event setup in the FAZ is a high memory event. The notifications look like this when they come to me in an email.

Message meets Alert condition File Block Detected: iR3245_Series_HTML PC_02262014.exe Protocol: HTTP Source IP: ************* Destination IP: ************** Email Address From: Email Address To:
date=2014-09-02 time=15:12:23 devname=*********** devid=************** logid=************ type=utm subtype=virus eventtype=oversize level=notice vd="root" msg="Size limit is exceeded." action=passthrough service=HTTP sessionid=54608523 srcip=************* dstip=************** srcport=3828 dstport=80 proto=6 direction=incoming filename="iR3245_Series_HTML PC_02262014.exe" url="http://downloads.canon.com/navilp/iR3245_Series_HTML%20PC_02262014.exe" profile="Forsyth Protocol Options" user="guest" group="SSO_Guest_Users" agent="Mozilla/4.0"

DLP sensor is turned off. I looked in the AV profile and I do not see any logging options listed there. I am going to look once more.
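An added example, not from this thread or from Fortinet: a small Python parser for the FortiOS key=value log format of the entry above, plus a filter that shows why an alert rule keyed on type=utm subtype=virus also fires on the oversize event. The first sample line mirrors the posted entry with the masked values replaced by obvious placeholders; the second is a constructed signature-hit line, and its eventtype=infected value is an assumption about the FortiOS field, not something shown in the thread. The parser keeps the space inside the quoted filename, which is the case a naive split on whitespace would break.

```python
import re
from typing import Dict, List

# One key=value token of a FortiOS log line. Values are either double-quoted
# (and may then contain spaces, as in filename="... HTML PC_...exe") or bare.
_KV_RE = re.compile(r'(\w[\w-]*)=(?:"([^"]*)"|(\S*))')

# Constructed sample lines. The first mirrors the oversize event quoted in the
# thread with placeholder device/log ids and RFC 5737 addresses; the second is
# an invented signature-hit line (eventtype=infected is an ASSUMPTION about
# the FortiOS field value, not something shown in the thread).
SAMPLE_LOGS: List[str] = [
    'date=2014-09-02 time=15:12:23 devname="FGT-PLACEHOLDER" devid="DEVID-PLACEHOLDER" '
    'logid="LOGID-PLACEHOLDER" type=utm subtype=virus eventtype=oversize level=notice '
    'vd="root" msg="Size limit is exceeded." action=passthrough service=HTTP '
    'sessionid=54608523 srcip=192.0.2.10 dstip=198.51.100.20 srcport=3828 dstport=80 '
    'proto=6 direction=incoming filename="iR3245_Series_HTML PC_02262014.exe" '
    'url="http://downloads.canon.com/navilp/iR3245_Series_HTML%20PC_02262014.exe" '
    'profile="Forsyth Protocol Options" user="guest" group="SSO_Guest_Users" agent="Mozilla/4.0"',
    'date=2014-09-02 time=15:20:01 devname="FGT-PLACEHOLDER" devid="DEVID-PLACEHOLDER" '
    'logid="LOGID-PLACEHOLDER" type=utm subtype=virus eventtype=infected level=warning '
    'vd="root" msg="File is infected." action=blocked service=HTTP sessionid=54608600 '
    'srcip=192.0.2.10 dstip=198.51.100.30 srcport=3840 dstport=80 proto=6 '
    'direction=incoming filename="sample.exe" virus="CONSTRUCTED-TEST-SIGNATURE" '
    'profile="AV-PLACEHOLDER" user="guest" group="SSO_Guest_Users" agent="Mozilla/4.0"',
]


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Split a FortiOS key=value log line into a dict (surrounding quotes stripped)."""
    fields: Dict[str, str] = {}
    for match in _KV_RE.finditer(line):
        key, quoted, bare = match.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def is_signature_hit(fields: Dict[str, str]) -> bool:
    """True only for an antivirus signature match.

    The thread's notification keyed on type=utm subtype=virus, which also
    covers eventtype=oversize (a size-limit event, not a detection). Keying
    on eventtype separates the two. ASSUMPTION: a signature match is logged
    with eventtype=infected.
    """
    return (
        fields.get("type") == "utm"
        and fields.get("subtype") == "virus"
        and fields.get("eventtype") == "infected"
    )


def select_alerts(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed entries an email alert should fire on."""
    return [f for f in map(parse_fortigate_log, lines) if is_signature_hit(f)]


if __name__ == "__main__":
    for entry in map(parse_fortigate_log, SAMPLE_LOGS):
        verdict = "ALERT" if is_signature_hit(entry) else "suppress"
        print(f'{verdict:8} eventtype={entry["eventtype"]:9} msg="{entry["msg"]}"')
```

Run as-is it prints "suppress" for the oversize line and "ALERT" for the constructed infected line. The same split applies on the FortiGate side: the oversize-log setting in the protocol options profile controls whether the oversize event is logged at all, while the AV profile's av-virus-log controls the signature-hit events, so turning off oversize-log on the profile the log names (here "Forsyth Protocol Options") is the check netmin is asking about.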
jrpayne
New Contributor

These are the AV options from the CLI

FG300B3909601246 (**********) # get
name                : *************
comment             :
replacemsg-group    :
inspection-mode     : flow-based
scan-botnet-connections: block
ftgd-analytics      : disable
http:
    options         : scan quarantine
    archive-block   :
    archive-log     :
ftp:
    options         : scan quarantine
    archive-block   :
    archive-log     :
imap:
    options         : scan quarantine
    archive-block   :
    archive-log     :
pop3:
    options         : scan quarantine
    archive-block   :
    archive-log     :
smtp:
    options         : scan quarantine
--More--
    archive-block   :
    archive-log     :
nntp:
    options         :
    archive-block   :
    archive-log     :
smb:
    options         :
    archive-block   :
    archive-log     :
nac-quar:
    infected        : quar-src-ip
    expiry          : 364d23h59m
    log             : disable
av-virus-log        : enable
av-block-log        : enable
netmin
Contributor II

profile="Forsyth Protocol Options"
- this one has oversize logging disabled as well?