FortiGate Antivirus is blocking but not logging
Hi everyone,
Very strange behaviour with FortiGate and AntiVirus in a firewall rule. Sometimes my traffic is blocked by AntiVirus but I can't see anything in the logs.
In my Forward Traffic logs, I can sometimes see a value in Result, sometimes not. When Result is green and has traffic, AntiVirus is disabled and the request passes correctly. When Result is empty, traffic is blocked and AntiVirus is enabled on the policy.
If I look inside the AntiVirus logs, they are empty. My AntiVirus configuration is here:
I tried disabling each part of the AntiVirus configuration one by one, but no change. The request only works if I disable AntiVirus in the firewall rule.
Have I made a mistake somewhere, or is it a bug? If a virus is detected, why don't I have any log? To me it looks like an AntiVirus engine bug...
Maybe you have more tools to debug this behaviour :)
Thanks for your help
Labels: FortiGate
If you don't see any logs, why do you think it is blocked by the AV?
And where do you look for AV logs? You can find the AV logs in the dedicated Antivirus section of Log & Report (not in Forward traffic) if logging is enabled in policy.
- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
Hi!
I suspected the AV because if I disable it in my policy, here:
My request is correctly forwarded. If I change it to:
My request is not working correctly.
My AntiVirus logs are totally empty...
Once again, this is not a proof of a log problem. The traffic may be blocked by a wrongly configured AV (or maybe a bug). Make sure that AV profile mode is consistent with the policy operation mode (proxy-mode). Also, check that the FortiOS version you are running is up to date (6.4.8 / 7.0.5) to eliminate possible bugs.
- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
For me the problem seems to be related to AV more than to logging... Or something strange in AV that is not logged (a bug maybe...)
If I follow you, I need to switch my policy to proxy-based inspection if I want to use AV in the profile? I'm a bit confused about that...
Thanks for your reply.
Yes. In flow-based mode only IPS and Webfilter work correctly.
For other inspection profiles, the policy must be in proxy-based mode to offer proper results.
- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
Created on ‎04-21-2022 10:15 AM Edited on ‎04-21-2022 10:19 AM
Hi Alex,
what exactly do you mean by: "Yes. In flow-based mode only IPS and Webfilter work correctly. For other inspection profiles, the policy must be in proxy-based mode to offer proper results."
Does this mean that, for example, application control or antivirus does not work in Flow mode? Or is their functionality reduced? How do I understand that?
Thank you.
Jirka
Created on ‎04-22-2022 01:39 AM Edited on ‎04-22-2022 01:40 AM
You may get some false positive identifications in flow-based mode, or it may be impossible to block the stream/connection after a positive identification.
AV/AppControl works on 'best effort' basis since the packets are not buffered (proxied).
Surely, flow-based inspection is 'lighter' on resource usage.
- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
As I can see in version 7.0.5, AntiVirus seems to work correctly with both types:
But I tried proxy mode in my firewall rule and it now works correctly...
So your recommendation is to always set proxy-based when AV is needed?
Just to clarify the configuration of Policy and AV I can set:
- Flow-based / Proxy-based in Policies
- Flow-based / Proxy-based in AntiVirus
If I understand correctly I must set Proxy-based in policies and I can choose the inspection mode in AV, right?
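As an added illustration that is not part of this thread (no screenshots from the posters are reproduced here), the FortiOS CLI fragment below shows the mismatch the replies describe, a flow-based policy carrying an AV profile, next to a consistent proxy-based setup with UTM logging turned on so AV events actually land in Log & Report > AntiVirus. Policy ID 10, the profile name "av-proxy" and the 6.4/7.0-style `feature-set` keyword are assumptions for the example; lines starting with `#` are annotations.

```text
# --- Mismatched (what the thread describes): flow-based policy + AV profile ---
config antivirus profile
    edit "av-proxy"
        set feature-set proxy            # profile built for proxy inspection
    next
end
config firewall policy
    edit 10
        set inspection-mode flow         # policy inspects flow-based
        set utm-status enable
        set av-profile "av-proxy"        # AV mode does not match the policy mode
        set logtraffic utm               # logs only UTM events
    next
end

# --- Consistent: proxy-based policy, matching AV profile, full logging ---
config antivirus profile
    edit "av-proxy"
        set feature-set proxy
    next
end
config firewall policy
    edit 10
        set inspection-mode proxy        # policy mode now matches the AV profile
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "av-proxy"
        set logtraffic all               # sessions and UTM events both logged
    next
end
```

With `logtraffic all` on the policy, a blocked transfer shows up both as a Forward Traffic entry and as an AntiVirus event, which is the first thing to check before concluding the AV engine is failing silently.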
