Fortinet Antivirus Protection Installation and Configuration Guide

FortiGate-50A Installation and Configuration Guide Version 2.50

Antivirus protection

You can enable antivirus protection in firewall policies. You can select a content profile that controls how the antivirus protection behaves. Content profiles control the type of traffic protected (HTTP, FTP, IMAP, POP3, SMTP), the type of antivirus protection and the treatment of fragmented email and oversized files or email.

This chapter describes:

•General configuration steps

•Antivirus scanning

•File blocking

•Blocking oversized files and emails

•Exempting fragmented email from blocking

•Viewing the virus list

General configuration steps

Configuring antivirus protection involves the following general steps.

1Select antivirus protection options in a new or existing content profile. See “Adding content profiles” on page 167.

2Select the Anti-Virus & Web filter option in firewall policies that allow web (HTTP), FTP, and email (IMAP, POP3, and SMTP) connections through the FortiGate unit. Select a content profile that provides the antivirus protection options that you want to apply to a policy. See “Adding content profiles to policies” on page 169.

3Configure antivirus protection settings to control how the FortiGate unit applies antivirus protection to the web, FTP, and email traffic allowed by policies. See:

•“Antivirus scanning” on page 226,

•“File blocking” on page 227,

•“Blocking oversized files and emails” on page 228,

•“Exempting fragmented email from blocking” on page 228.

4Configure the messages that users receive when the FortiGate unit blocks or deletes an infected file. See “Replacement messages” on page 133.

5Configure the FortiGate unit to send an alert email when it blocks or deletes an infected file. See “Configuring alert email” in the Logging and Message Reference Guide.

Note: For information about receiving virus log messages, see “Configuring logging”, and for information about log message content and format, see “Virus log messages” in the Logging Configuration and Reference Guide

FortiGate-50A Installation and Configuration Guide

225

Image 225

Fortinet 50A user manual Antivirus protection, General configuration steps, 225

Contents

February Installation and Configuration Guide Regulatory Compliance Trademarks Table of Contents Transparent mode installation Virus and attack definitions updates and registration Network configuration Firewall configuration 137 Users and authentication 171 Pptp and L2TP VPN 203 Antivirus protection 225 Glossary 259 Index 263 Contents NAT/Route mode NAT/Route mode and Transparent modeTransparent mode Introduction Document conventions Comments on Fortinet technical documentation Fortinet documentation Customer service and technical support Getting started Mounting Package contents Connecting to the web-based manager Powering onEnvironmental specifications To power on the FortiGate-50A unit To connect to the web-based manager Connecting to the command line interface CLI To connect to the CLI Bits per second Data bits ParityStop bits Flow control Factory default Dhcp configuration Factory default FortiGate configuration settings Factory default NAT/Route mode network configuration Factory default Transparent mode network configurationFactory default firewall configuration Service Factory default firewall configuration RecurringAuthentication Content Factory default content profiles Strict content profileStrict content profile Options Web content profile Scan content profileScan content profile Options Web content profile Options Planning the FortiGate configuration Unfiltered content profileUnfiltered content profile Options Setup wizard Configuration options CLI FortiGate model maximum values matrix Signatures Antivirus file Block patterns Web filter Next steps Next steps Getting started NAT/Route mode installation Preparing to configure NAT/Route mode Changing the default configurationInternal servers Advanced NAT/Route mode settings Using the setup wizardStarting the setup wizard Reconnecting to the web-based manager Configuring the FortiGate unit to operate in NAT/Route mode Using the command line interfaceConfiguring NAT/Route mode IP addresses Example Connecting the FortiGate unit to your networks FortiGate-50A ExternalInternal Completing the configuration Configuring your networksSetting the date and time Changing antivirus protection Registering your FortiGate unit Configuring virus and attack definition updates Completing the configuration Preparing to configure Transparent mode Transparent mode installationTransparent mode settings Administrator Password DNS Settings Go to System Status Changing to Transparent mode Configure the Transparent mode default gateway Configuring the Transparent mode management IP address Connecting the FortiGate unit to your networks Enabling antivirus protection Registering your FortiGateGo to Firewall Policy Int-Ext Default routes and static routes Transparent mode configuration examples Default route to an external network General configuration steps CLI configuration steps Web-based manager example configuration stepsGo to System Network Management Go to System Network Routing DMZ Set system route number 1 dst 24.102.233.5 255.255.255.0 gw1 Example static route to an internal destination Set system route number 1 dst 172.16.1.11 255.255.255.0 gw1 System status System status Changing the FortiGate host name Firmware upgrade procedures Procedure DescriptionChanging the FortiGate firmware To change the FortiGate host name Go to System Status Upgrading the firmware using the CLI Upgrading the firmware using the web-based managerTo upgrade the firmware using the web-based manager To upgrade the firmware using the CLI Execute ping Reverting to a previous firmware version Reverting to a previous firmware version using the CLI To revert to a previous firmware version using the CLI To install firmware from a system reboot Press any key to enter configuration menu Restoring the previous configuration Testing a new firmware image before installing itTo test a new firmware image Save as Default firmware/Run image without savingD/R Manual attack definition updates Manual virus definition updatesTo update the antivirus definitions manually To update the attack definitions manually Restoring system settings Backing up system settingsDisplaying the FortiGate serial number Displaying the FortiGate up time Restoring system settings to factory defaults Changing to Transparent modeTo change to Transparent mode Go to System Status To change to NAT/Route mode Go to System Status Changing to NAT/Route modeRestarting the FortiGate unit Shutting down the FortiGate unit System status Viewing CPU and memory statusTo view CPU and memory status Go to System Status Monitor CPU and memory status monitor Viewing sessions and network status Sessions and network status monitor Viewing virus and intrusions status To view the session list Go to System Status Session Session list Example session list Protocol Session list Updating antivirus and attack definitions Virus and attack definitions updates and registration Go to System Update Connecting to the FortiResponse Distribution NetworkVersion Expiry date Last update attempt Last update status To make sure the FortiGate unit can connect to the FDN Manually initiating antivirus and attack definitions updates Configuring update logging Scheduling updatesEnabling scheduled updates To configure update logging Go to Log&Report Log Setting Adding an override server To add an override server Go to System Update Enabling scheduled updates through a proxy server Enabling push updates Push updates when FortiGate IP addresses change Enabling push updatesEnabling push updates through a NAT device To enable push updates Go to System Update Example network topology Push updates through a NAT device Example push updates through a NAT device General procedure To configure the FortiGate NAT device Schedule Always Service ANY Action AcceptAdding a firewall policy for the port forwarding virtual IP Registering FortiGate units Example push update configuration FortiCare Service Contracts Registering the FortiGate unit Updating registration information Recovering a lost Fortinet support password Viewing the list of registered FortiGate units Adding or changing a FortiCare Support Contract number Registering a new FortiGate unit Changing your contact information or security question Changing your Fortinet support password Downloading virus and attack definition updates Downloading virus and attack definitions updates Registering a FortiGate unit after an RMA Registering a FortiGate unit after an RMA Configuring interfaces Network configuration Configuring an interface with a manual IP address Changing the administrative status of an interfaceTo stop an interface that is administratively up Viewing the interface list Connecting Configuring an interface for DhcpInitializing Connected Adding a secondary IP address to an interface Configuring an interface for PPPoE Adding a ping server to an interface Controlling administrative access to an interface Changing the MTU size to improve network performance Configuring traffic logging for connections to an interface Configuring the management interface in Transparent mode Adding a default route Configuring routingAdding DNS server IP addresses 100 101 Adding destination-based routes to the routing table Adding routes in Transparent mode Configuring the routing table102 103 Policy routing Policy routing command syntax Configuring Dhcp servicesConfiguring a Dhcp relay agent 104 Adding a Dhcp server to an interface Configuring a Dhcp serverAdding scopes to a Dhcp server 105 106 Adding a reserve IP to a Dhcp serverScope Name IP Pool Configuring the modem interface Viewing a Dhcp server dynamic IP list107 Configuring modem settings Connecting a modem to the FortiGate unitTo configure modem settings Go to System Network Modem 108 Disconnecting the modem Connecting to a dialup account109 To connect to a dialup account Go to System Network Modem Standalone mode configuration Backup mode configurationTo configure backup mode Go to System Network Modem Viewing modem status To operate in standalone mode Go to System Network Modem Adding firewall policies for modem connections111 112 RIP configuration RIP settings113 Invalid HolddownFlush 115 Configuring RIP for FortiGate interfaces 116 Adding a RIP filter list Adding RIP filters117 To add a RIP filter list Go to System RIP Filter Assigning a RIP filter list to the incoming filter Assigning a RIP filter list to the neighbors filter 119 Assigning a RIP filter list to the outgoing filter 120 Setting system date and time System configurationTo set the date and time Go to System Config Time 121 To set the Auth timeout Go to System Config Options To set the system idle timeout Go to System Config OptionsChanging system options 122 Adding and editing administrator accounts Modifying the Dead Gateway Detection settings123 Editing administrator accounts Adding new administrator accountsTo add an administrator account Go to System Config Admin 124 Configuring Snmp To edit an administrator account Go to System Config Admin125 Configuring FortiGate Snmp support Configuring the FortiGate unit for Snmp monitoringConfiguring Snmp access to an interface Configuring Snmp community settings 127 System NameSystem Location 128 FortiGate MIBs General FortiGate traps FortiGate trapsSystem traps 129 130 Firewall configuration System configuration and statusUsers and authentication configuration 131 132 Replacement messages Customizing replacement messages133 134 Customizing alert emails Nids event 135 Critical event 136 137 Firewall configuration Default firewall configuration Addresses138 Content profiles ServicesSchedules 139 140 Adding firewall policies 141 Action Traffic Shaping VPN Tunnel142 Dynamic IP Pool Fixed Port Anti-Virus & Web filter Authentication143 Maximum Bandwidth Traffic Priority Log Traffic Configuring policy listsComments 144 Policy matching in detail Changing the order of policies in a policy list145 Enabling and disabling policies AddressesDisabling policies Enabling policies Adding addresses 147To add an address Go to Firewall Address Deleting addresses Editing addressesOrganizing addresses into address groups 148 Services Predefined services149 GRE 150 Ldap 151 152 Adding custom TCP and UDP services Adding custom IP services Adding custom Icmp servicesGrouping services 153 154 Schedules Creating one-time schedules Creating recurring schedules155 156 Adding schedules to policies Virtual IPs 157To add a schedule to a policy Go to Firewall Policy 158 Adding static NAT virtual IPsTo add a static NAT virtual IP Go to Firewall Virtual IP Virtual IP External Interface examples Description Internal 159 Adding port forwarding virtual IPs Adding a port forwarding virtual IP 160 Adding policies with virtual IPs IP pools161 To add a policy with a virtual IP Go to Firewall Policy IP Pools for firewall policies that use fixed ports Adding an IP poolIP pools and dynamic NAT 162 IP/MAC binding 163Go to Firewall IP/MAC Binding Static IP/MAC 164 Configuring IP/MAC binding for packets going to the firewall Viewing the dynamic IP/MAC list Adding IP/MAC addressesEnabling IP/MAC binding 165 166 Content profiles Adding content profiles Default content profilesTo add a content profile Go to Firewall Content Profile 167 Oversized File/Email Pass Fragmented Email 168 Adding content profiles to policies To add a content profile to a policy Go to Firewall Policy169 170 171 Users and authentication Adding user names and configuring authentication Setting authentication timeoutAdding user names and configuring authentication To set authentication timeout Go to System Config Options 173 Deleting user names from the internal database Adding Radius servers Configuring Radius supportDeleting Radius servers 174 Adding Ldap servers Configuring Ldap support175 To add an Ldap server Go to User Ldap Deleting Ldap servers 176To delete an Ldap server Go to User Ldap Adding user groups Configuring user groups177 To add a user group Go to User User Group Deleting user groups 178To delete a user group Go to User User Group 179 IPSec VPN Manual Keys Key managementAutoIKE with pre-shared keys AutoIKE with certificates Manual key IPSec VPNs General configuration steps for a manual key VPNAdding a manual key VPN tunnel 181 182 AutoIKE IPSec VPNsAES128 AES192 Adding a phase 1 configuration for an AutoIKE VPN General configuration steps for an AutoIKE VPNTo create an AutoIKE VPN configuration To add a phase 1 configuration Go to VPN Ipsec Phase 184 Remote Gateway Static IP AddressRemote Gateway Dialup User Configuring advanced options To configure phase 1 advanced options185 186 187 Adding a phase 1 configuration Standard options Adding a phase 2 configuration for an AutoIKE VPN To add a phase 2 configuration Go to VPN Ipsec Phase188 189 Use selectors from policyUse wildcard selectors Obtaining a signed local certificate Managing digital certificatesGenerating the certificate request 190 191 Key TypeKey Size Importing the signed local certificate Downloading the certificate requestObtaining CA certificates 192 Configuring encrypt policies Importing CA certificates193 Adding a destination address Adding a source address194 To add a source address Go to Firewall Address Adding an encrypt policy 195To add an encrypt policy Go to Firewall Policy 196 IPSec VPN concentrators VPN concentrator hub general configuration steps To create a VPN concentrator configuration197 Adding a VPN concentrator 198Source InternalAll Destination VPN spoke address Action VPN spoke general configuration steps To create a VPN spoke configuration199 200 VPN TunnelPolicies To view VPN tunnel status Go to VPN Ipsec Phase Monitoring and Troubleshooting VPNsViewing VPN tunnel status Viewing dialup VPN connection status 202 Testing a VPN Configuring the FortiGate unit as a Pptp gateway Configuring PptpPptp and L2TP VPN 203 To add a source address 204 To add a source address group 205To add a destination address To add a firewall policy Configuring a Windows 98 client for Pptp 206To connect to the Pptp VPN Configuring a Windows 2000 client for Pptp Configuring a Windows XP client for Pptp207 To configure the VPN connection 208Select Properties Security Configuring L2TP Configuring the FortiGate unit as an L2TP gateway209 To add source addresses 210 211 Configuring a Windows 2000 client for L2TP To disable IPSec 212To connect to the L2TP VPN 213 Configuring a Windows XP client for L2TP 214 Network Intrusion Detection System Nids Detecting attacks215 Selecting the interfaces to monitor Configuring checksum verificationDisabling monitoring interfaces 216 Viewing the signature list Viewing attack descriptions217 Disabling Nids attack signatures Adding user-defined signatures218 219 Downloading the user-defined signature list Preventing attacks To enable Nids attack prevention Go to Nids PreventionEnabling Nids attack prevention Enabling Nids attack prevention signatures 221 Setting signature threshold values Logging attack messages to the attack log Logging attacksReducing the number of Nids attack log and email messages Automatic message reduction 223 Manual message reduction 224 General configuration steps Antivirus protection225 Antivirus scanning 226To scan FortiGate firewall traffic for viruses Blocking files in firewall traffic File blockingAdding file patterns to block 227 Blocking oversized files and emails Configuring limits for oversized files and emailExempting fragmented email from blocking 228 To view the virus list Go to Anti-Virus Config Virus List Viewing the virus list229 230 231 Web filtering Go to Web Filter Content Block Content blockingAdding words and phrases to the Banned Word list 232 Backing up the Banned Word list Clearing the Banned Word listRestoring the Banned Word list 233 Example Banned Word List text file 234 URL blocking Configuring FortiGate Web URL blockingAdding URLs to the Web URL block list 235 Downloading the Web URL block list Clearing the Web URL block listUploading a URL block list 236 Configuring FortiGate Web pattern blocking 237To upload a URL block list Installing a Cerberian license key Configuring Cerberian URL filteringAdding a Cerberian user 238 About the default group and policy Configuring Cerberian web filterTo configure Cerberian web filtering Enabling Cerberian URL filtering Enabling script filtering Script filteringSelecting script filter options 240 Adding URLs to the URL Exempt list Exempt URL list241 Go to Web Filter URL Exempt Downloading the URL Exempt List Uploading a URL Exempt List242 243 244 245 Email filter Email banned word list Adding words and phrases to the email banned word list246 Downloading the email banned word list Uploading the email banned word list247 Adding address patterns to the email block list Email block listDownloading the email block list 248 Uploading an email block list Email exempt list249 To upload the email block list Adding a subject tag To add a subject tag Go to Email Filter ConfigAdding address patterns to the email exempt list 250 Recording logs Logging and reportingRecording logs on a remote computer 251 252 Recording logs on a NetIQ WebTrends server Filtering log messages To filter log entries Go to Log&Report Log SettingLog message levels 253 254 Configuring traffic logging Enabling traffic logging Configuring traffic filter settingsEnabling traffic logging for an interface Enabling traffic logging for a firewall policy Destination IP Address Destination Netmask Service Adding traffic filter entries256 Adding alert email addresses Configuring alert email257 To add a DNS server Go to System Network DNS Testing alert email Enabling alert email258 259 Glossary 260 261 262 263 Index Index 264 DNS 265 Http 266 NAT 267 268 RMA 269 TCP 270 VPN 271 272