Tuesday, August 15, 2017

How to validate that your FortiGate AV profile is working

When you have enabled AV (AntiVirus) scanning on a FortiGate, you should test it against one of the EICAR test files.

First, here's the default AV profile on a typical firewall.

When the AV profile has detected a virus, it will throw a log message formatted similar to this:



You can test both HTTP and HTTPS when you have ssl-inspection enabled.

Note: this is also a sure way to test that your ssl-inspection is working, btw.



If you have NO ssl-inspection profile enabled, the FortiGate firewall will let you download the EICAR test file over a secure protocol like HTTPS with no warning. Here's a source for the text, zip and double-zip files.

http://www.rexswain.com/eicar.html




e.g. (with no ssl-inspection, the EICAR test file was downloaded)





Security best practice mandates that you have AV enabled and an ssl-inspection profile in place to protect local LAN users, especially where endpoint protection has not been installed.






Here's how a firewall policy that has an AV profile and SSL inspection enabled looks from the CLI.

A feedback page will be displayed to the end user who hits the policy, with a simple link provided if he/she wants to investigate what content was blocked and why, in regards to AV.



(HTTPS test EICAR file source)

https://secure.eicar.org/eicar.com
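The HTTP and HTTPS checks described above, as an added shell script (mine, not the post's or Fortinet's): it fetches each URL through the firewall, looks for the EICAR marker in whatever comes back, and prints a BLOCKED or DELIVERED verdict per URL. curl being installed, and the optional PROXY variable for the explicit-proxy case, are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or from Fortinet: pull the EICAR
# test file through the FortiGate and report, per URL, whether the AV profile
# stopped it. Assumptions of mine: curl is installed; if PROXY is set (e.g.
# PROXY=http://10.0.0.1:8080, a made-up address) curl goes via the explicit proxy.

# A fragment of the EICAR string: enough to recognise the file in a response
# body without this script carrying the full signature itself.
EICAR_MARKER='EICAR-STANDARD-ANTIVIRUS-TEST-FILE'

# Returns 0 when the body in file $1 still carries the test file (AV did NOT
# block it), 1 when it does not (blocked, replaced by the feedback page, or empty).
eicar_marker_present() {
    grep -q "$EICAR_MARKER" "$1" 2>/dev/null
}

# Fetches one URL, prints "BLOCKED http=<code> <url>" or "DELIVERED ...".
# Returns 0 for BLOCKED, 1 for DELIVERED.
check_eicar_url() {
    url=$1
    body=$(mktemp)
    # -sS: quiet but report errors; -k: tolerate the FortiGate resigning CA
    # when the test host does not trust it yet; status 000 when the connection fails.
    status=$(curl -sS -k ${PROXY:+--proxy "$PROXY"} -o "$body" \
                  -w '%{http_code}' "$url") || status=000
    if eicar_marker_present "$body"; then
        rc=1; verdict=DELIVERED
    else
        rc=0; verdict=BLOCKED
    fi
    printf '%s http=%s %s\n' "$verdict" "$status" "$url"
    rm -f "$body"
    return $rc
}

# Runs the check over several URLs and returns the number that were delivered.
# DELIVERED on the https URL but BLOCKED on the http one means AV is working
# but ssl-inspection is not applied to the policy the client is hitting.
run_eicar_checks() {
    failures=0
    for u in "$@"; do
        check_eicar_url "$u" || failures=$((failures + 1))
    done
    echo "$failures URL(s) delivered the test file"
    return $failures
}

# Usage: run_eicar_checks https://secure.eicar.org/eicar.com <http URL from the
# rexswain page>   (pass direct file URLs, not the HTML index page)
```

Pass the direct file links only; the rexswain HTML page itself prints the EICAR string, so fetching it would show as DELIVERED even when the firewall blocks the actual file.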


If you're using the FortiGate as an explicit proxy, please ensure you have AV profiles in use and in proxy mode.

Example:



Ken Felix

NSE (Network Security Expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 

        /  \
