Tuesday, August 15, 2017

howto validate that your fortigate AVprofile is working

When you have enabled AV ( AntiVirus ) scan enable on a fortigate, you should  test against any one of the EICAR  test files.

1st here's the default AV profile on a typical firewall.

When the  AVprofile has detected a  virus it will throw a similar  formatted log_message

You can test both HTTP and HTTPS when you have  ssl-inspection enabled.


Note, this is a sure way to  test that your ssl-inspection is also working  btw

If you have  NO ssl-inspection profile enable, the fortigate-firewall will let you  download the  EICAR  test.file over  a secure protocol like  HTTPs with no warning. Here's a source for  text and zip or double-zip files.


e.g ( with no ssl-inspection  the EICAR  test file  was downloaded )

Security  best practice mandate you should have AV enabled and  ssl-inspection profile for protecting local lan users if end-point  protection has not been installed.

Here's how a firewall policy will look like from the  CLI  & that's enabled for  AV-profile and with SSL inspections.

A feedback page will  be displayed  to the end-user who hit's the policy and a simple link provided  if he/she want to  investigate what and why  the content was blocked in regards to AV.

( https test EICAR  file  source )


If your using the fortigate as an explicit -proxy, please ensure you have AVprofiles in use and in  proxy-mode.


Ken Felix

NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=

        /  \

No comments:

Post a Comment