Tuesday, May 8, 2018

AV with https inspection fortiOS

In this blog post I will show you how simple it is to enable AntiVirus (AV) with TLS inspection. In this case we will use the EICAR test files and observe the block action when my machine tries to download the AV test file.

The first thing you need is an SSL/SSH inspection profile. This profile is then applied to the firewall policy.

This policy #8 has an AV profile attached, using the default AV profile that ships with every Fortinet NGFW appliance.

NOTE: The SSL/SSH profile "NEWSSH" was crafted for my HTTPS deep inspection.

Now with these two combined, we have AV inspection and SSL/TLS inspection. The FortiGate intercepts the web client (browser) connection, injects itself as the issuer in the certificate chain, and on the back end inspects the decrypted HTTP traffic.

A typical AntiVirus UTM log entry is then generated.

Yes, it's that simple to enable AV protection for web browsers. For regular HTTP (non-secure) traffic the same principle applies without the need for an SSL/SSH inspection profile; the AV profile just needs HTTP enabled as an inspected service.
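The two pieces described above, written out as FortiOS CLI. This is an added example and not the configuration from the original post; the profile name "NEWSSH", policy ID 8 and the "default" AV profile come from the post, while the interface names "internal" and "wan1" and the policy name are assumptions for a typical LAN-to-WAN setup.

```fortios
# SSL/SSH inspection profile used for HTTPS deep inspection.
# The FortiGate re-signs server certificates with the CA named in
# "caname", which is why the browser sees the FortiGate as issuer.
config firewall ssl-ssh-profile
    edit "NEWSSH"
        set comment "HTTPS deep inspection for AV"
        set server-cert-mode re-sign
        set caname "Fortinet_CA_SSL"
        config https
            set ports 443
            set status deep-inspection
        end
    next
end

# Firewall policy #8: AV profile plus the deep-inspection profile.
# "utm-status enable" is required, otherwise the security profiles
# listed on the policy are ignored even though they are set.
config firewall policy
    edit 8
        set name "LAN-to-WAN-AV"        ; assumed name
        set srcintf "internal"          ; assumed interface
        set dstintf "wan1"              ; assumed interface
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set av-profile "default"
        set ssl-ssh-profile "NEWSSH"
        set logtraffic all
    next
end
```

Clients must trust the CA named in `caname` (export it from the FortiGate certificate store and install it in the client trust store), or every intercepted HTTPS site will raise a certificate warning before the AV block page is ever reached. Downloading the EICAR test file over HTTPS through this policy should then produce the AV block and the UTM log entry shown in the post.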

NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
        /  \
