Fortinet FortiGate-800 Antivirus protection

FortiGate-800 Installation and Configuration Guide Version 2.50

FortiGate-800 Installation and Configuration Guide 279

Antivirus protection

You can enable antivirus protection in firewall policies. You can select a content profile

that controls how the antivirus protection behaves. Content profiles control the type of

traffic protected (HTTP, FTP, IMAP, POP3, SMTP), the type of antivirus protection and

the treatment of fragmented email and oversized files or email.

This chapter describes:

•General configuration steps

•Antivirus scanning

•File blocking

•Quarantine

•Blocking oversized files and emails

•Exempting fragmented email from blocking

•Viewing the virus list

General configuration steps

Configuring antivirus protection involves the following general steps.

1Select antivirus protection options in a new or existing content profile. See “Adding

content profiles” on page 219.

2Select the Anti-Virus & Web filter option in firewall policies that allow web (HTTP),

FTP, and email (IMAP, POP3, and SMTP) connections through the FortiGate unit.

Select a content profile that provides the antivirus protection options that you want to

apply to a policy. See “Adding content profiles to policies” on page221.

3Configure antivirus protection settings to control how the FortiGate unit applies

antivirus protection to the web, FTP, and email traffic allowed by policies. See:

•“Antivirus scanning” on page 280,

•“File blocking” on page 281,

•“Blocking oversized files and emails” on page 286,

•“Exempting fragmented email from blocking” on page 287.

4Configure file quarantine settings to control the quarantining of infected or blocked

files by traffic type, age, and file size. See “Configuring quarantine options” on

page 285.

5Configure the messages that users receive when the FortiGate unit blocks or deletes

an infected file. See “Replacement messages” on page 181.

Contents

Main Page Table of Contents 4 Page 6 Virus and attack definitions updates and registration................................... 117 Page 8 Page 10 Network Intrusion Detection System (NIDS) ................................................... 269 12 Page Page Introduction Antivirus protection Web content filtering Email filtering Firewall 18 NAT/Route mode Transparent mode VLANs and virtual domains Network intrusion detection VPN High availability 20 Secure installation, configuration, and management Web-based manager Command line interface Logging and reporting Document conventions Fortinet documentation Comments on Fortinet technical documentation Customer service and technical support Page Getting started 26 Package contents Mounting Dimensions Weight Power requirements Powering on Connecting to the web-based manager Connecting to the command line interface (CLI) 30 Factory default FortiGate configuration settings Factory default NAT/Route mode network configuration Factory default Transparent mode network configuration 32 Factory default firewall configuration The factory default firewall configuration is the same in NAT/Route and Transparent mode. Factory default content profiles Strict content profile 34 Scan content profile Web content profile Unfiltered content profile 36 Planning the FortiGate configuration NAT/Route mode NAT/Route mode with multiple external network connections Transparent mode 38 Configuration options Setup wizard CLI Front keypad and LCD FortiGate model maximum values matrix Next steps NAT/Route mode installation Preparing to configure NAT/Route mode 42 Advanced NAT/Route mode settings DMZ and user-defined interfaces Using the setup wizard Starting the setup wizard Reconnecting to the web-based manager 44 Using the front control buttons and LCD Using the command line interface Configuring the FortiGate unit to operate in NAT/Route mode Configuring NAT/Route mode IP addresses Page Connecting the FortiGate unit to your networks FortiGate-800 Configuring your networks FortiGate-800 Completing the configuration Configuring the DMZ interface Configuring interfaces 1 to 4 Setting the date and time Changing antivirus protection Configuration example: Multiple connections to the Internet Configuring ping servers External Port3 ISP1 ISP2 Internet FortiGate-800 52 Using the CLI Destination-based routing examples Primary and backup links to the Internet Using the CLI Load sharing Load sharing and primary and secondary connections Page Policy routing examples Routing traffic from internal subnets to different external networks Routing a service to an external network 56 Firewall policy example Adding a redundant default policy Adding more firewall policies Page Page Transparent mode installation Preparing to configure Transparent mode 60 Using the setup wizard Changing to Transparent mode using the web-based manager Starting the setup wizard Reconnecting to the web-based manager Using the front control buttons and LCD Using the command line interface Changing to Transparent mode using the CLI 62 Configuring the Transparent mode management IP address Completing the configuration Setting the date and time Enabling antivirus protection Registering your FortiGate unit Configuring virus and attack definition updates Connecting the FortiGate unit to your networks Transparent mode configuration examples FortiGate-800 Default routes and static routes Example default route to an external network Internal Network DMZ FortiGate-800 Internet Example static route to an external destination Internal Network DMZ FortiGate-800 Internet Example static route to an internal destination DMZ FortiGate-800 Internal Network A Internal Network B Internet Page Page High availability 74 Configuring an HA cluster Configuring FortiGate units for HA operation Page 76 Connecting the cluster Page 78 Adding a new FortiGate unit to a functioning cluster Managing an HA cluster Configuring cluster interface monitoring 80 Viewing the status of cluster members Monitoring cluster members Page 82 Viewing cluster sessions Viewing and managing cluster log messages Monitoring cluster units for failover Viewing cluster communication sessions Managing individual cluster units 84 Changing cluster unit host names Synchronizing the cluster configuration 86 Upgrading firmware Replacing a FortiGate unit after failover Advanced HA options Selecting a FortiGate unit as a permanent primary unit 88 Configuring the priority of each FortiGate unit in the cluster Configuring weighted-round-robin weights Active-Active cluster packet flow NAT/Route mode packet flow Configuring switches to work with a NAT/Route mode cluster Transparent mode packet flow Page System status Changing the FortiGate host name Changing the FortiGate firmware Upgrading to a new firmware version Upgrading the firmware using the web-based manager Upgrading the firmware using the CLI 96 Reverting to a previous firmware version Reverting to a previous firmware version using the web-based manager Reverting to a previous firmware version using the CLI Page Installing firmware images from a system reboot using the CLI Page Restoring the previous configuration Testing a new firmware image before installing it Page Installing and using a backup firmware image Installing a backup firmware image Page Switching to the backup firmware image 106 Switching back to the default firmware image Manual virus definition updates Manual attack definition updates Displaying the FortiGate serial number Displaying the FortiGate up time Displaying log hard disk status Backing up system settings Restoring system settings Restoring system settings to factory defaults Changing to Transparent mode Changing to NAT/Route mode Restarting the FortiGate unit Shutting down the FortiGate unit System status Viewing CPU and memory status 112 Viewing sessions and network status Viewing virus and intrusions status Session list Each line of the session list displays the following information. Page Virus and attack definitions updates and registration Updating antivirus and attack definitions 118 Connecting to the FortiResponse Distribution Network Manually initiating antivirus and attack definitions updates 120 Configuring update logging Scheduling updates Enabling scheduled updates Adding an override server 122 Enabling scheduled updates through a proxy server Enabling push updates Enabling push updates Push updates when FortiGate IP addresses change 124 Enabling push updates through a NAT device Example: push updates through a NAT device Internet FortiGate-800 Internal Network FortiGate-300 NAT Device 126 Adding a port forwarding virtual IP to the FortiGate NAT device Adding a firewall policy for the port forwarding virtual IP Configuring the FortiGate unit with an override push IP and port Registering FortiGate units FortiCare Service Contracts 130 Registering the FortiGate unit Updating registration information 132 Recovering a lost Fortinet support password Viewing the list of registered FortiGate units Registering a new FortiGate unit Adding or changing a FortiCare Support Contract number 134 Changing your Fortinet support password Changing your contact information or security question Downloading virus and attack definitions updates Registering a FortiGate unit after an RMA Network configuration Configuring zones 138 Adding zones Deleting zones Configuring interfaces Viewing the interface list Changing the administrative status of an interface Adding an interface to a zone 140 Configuring an interface with a manual IP address Configuring an interface for DHCP Configuring an interface for PPPoE 142 Adding a secondary IP address to an interface Adding a ping server to an interface Controlling administrative access to an interface 144 Changing the MTU size to improve network performance Configuring traffic logging for connections to an interface Configuring the management interface in Transparent mode VLAN overview 146 VLANs in NAT/Route mode Rules for VLAN IDs Rules for VLAN IP addresses Adding VLAN subinterfaces Virtual domains in Transparent mode Page Virtual domain properties Configuring a virtual domain Adding a virtual domain 150 Adding VLAN subinterfaces to a virtual domain Adding zones to virtual domains Page 152 Adding firewall policies for virtual domains Adding addresses for virtual domains Adding firewall policies for virtual domains Deleting virtual domains Adding DNS server IP addresses Configuring routing 154 Adding a default route Adding destination-based routes to the routing table Adding routes in Transparent mode 156 Configuring the routing table Policy routing Policy routing command syntax Configuring DHCP services 158 Configuring a DHCP relay agent Configuring a DHCP server Adding a DHCP server to an interface Adding scopes to a DHCP server Page 160 Adding a reserve IP to a DHCP server Viewing a DHCP server dynamic IP list RIP configuration RIP settings 6Select Apply to save the changes. Configuring RIP for FortiGate interfaces 4Select OK to save the RIP configuration for the selected interface. Adding RIP filters Adding a RIP filter list 166 Assigning a RIP filter list to the neighbors filter Assigning a RIP filter list to the incoming filter Page Page System configuration Setting system date and time Changing system options Modifying the Dead Gateway Detection settings 172 Adding and editing administrator accounts Adding new administrator accounts Editing administrator accounts Configuring SNMP 174 Configuring the FortiGate unit for SNMP monitoring Configuring FortiGate SNMP support Configuring SNMP access to an interface Configuring SNMP community settings 4Select Apply. 176 FortiGate MIBs FortiGate traps System traps General FortiGate traps Page Fortinet MIB fields Firewall configuration System configuration and status Page Logging and reporting configuration Replacement messages 182 Customizing replacement messages Customizing alert emails Critical event Firewall configuration Default firewall configuration Interfaces VLAN subinterfaces Zones 188 Addresses Services Schedules Content profiles Adding firewall policies Page Destination Schedule Service Action 192 NAT VPN Tunnel Traffic Shaping Authentication Anti-Virus & Web filter Page Configuring policy lists Policy matching in detail 196 Changing the order of policies in a policy list Enabling and disabling policies Disabling policies Enabling policies Addresses Adding addresses 198 Editing addresses Deleting addresses Organizing addresses into address groups 200 Services Predefined services Page Page Adding custom TCP and UDP services 204 Adding custom ICMP services Adding custom IP services Grouping services Schedules 206 Creating one-time schedules Creating recurring schedules 208 Adding schedules to policies Virtual IPs Adding static NAT virtual IPs 210 Adding port forwarding virtual IPs Page 212 Adding policies with virtual IPs IP pools Adding an IP pool 214 IP Pools for firewall policies that use fixed ports IP pools and dynamic NAT IP/MAC binding Configuring IP/MAC binding for packets going through the firewall 216 Configuring IP/MAC binding for packets going to the firewall Adding IP/MAC addresses Viewing the dynamic IP/MAC list Enabling IP/MAC binding Content profiles Default content profiles Adding content profiles 6Enable the email filter protection options that you want. 7Enable the fragmented email and oversized file and email options that you want. 8Select OK. Adding content profiles to policies Page Users and authentication 224 Setting authentication timeout Adding user names and configuring authentication Adding user names and configuring authentication Deleting user names from the internal database 226 Configuring RADIUS support Adding RADIUS servers Deleting RADIUS servers Configuring LDAP support Adding LDAP servers 228 Deleting LDAP servers Configuring user groups Adding user groups 230 Deleting user groups IPSec VPN 232 Key management Manual Keys Automatic Internet Key Exchange (AutoIKE) with pre-shared keys or certificates AutoIKE with pre-shared keys AutoIKE with certificates Manual key IPSec VPNs General configuration steps for a manual key VPN Adding a manual key VPN tunnel Page AutoIKE IPSec VPNs General configuration steps for an AutoIKE VPN Adding a phase 1 configuration for an AutoIKE VPN Page Configuring advanced options 4Optionally, configure NAT Traversal. 6Select OK to save the phase 1 parameters. Page 240 Adding a phase 2 configuration for an AutoIKE VPN Page 242 Managing digital certificates Obtaining a signed local certificate Generating the certificate request Page 244 Downloading the certificate request Importing the signed local certificate Backing up and restoring the local certificate and private key Obtaining CA certificates Configuring encrypt policies 246 Adding a source address Adding a destination address Adding an encrypt policy Page IPSec VPN concentrators 250 VPN concentrator (hub) general configuration steps Adding a VPN concentrator 252 VPN spoke general configuration steps Redundant IPSec VPNs 254 Configuring redundant IPSec VPNs Monitoring and Troubleshooting VPNs Viewing VPN tunnel status Viewing dialup VPN connection status 256 Testing a VPN PPTP and L2TP VPN Configuring PPTP 258 Configuring the FortiGate unit as a PPTP gateway Page 260 Configuring a Windows 98 client for PPTP Configuring a Windows 2000 client for PPTP Configuring a Windows XP client for PPTP Page Configuring L2TP Configuring the FortiGate unit as an L2TP gateway Page Configuring a Windows 2000 client for L2TP Page Configuring a Windows XP client for L2TP Page Network Intrusion Detection System (NIDS) Detecting attacks 270 Selecting the interfaces to monitor Disabling monitoring interfaces Configuring checksum verification Viewing the signature list Viewing attack descriptions 272 Disabling NIDS attack signatures Adding user-defined signatures Downloading the user-defined signature list 274 Preventing attacks Enabling NIDS attack prevention Enabling NIDS attack prevention signatures Setting signature threshold values 276 Logging attacks Logging attack messages to the attack log Reducing the number of NIDS attack log and email messages Automatic message reduction Manual message reduction Page Antivirus protection Antivirus scanning File blocking 282 Blocking files in firewall traffic Adding file patterns to block Quarantine Quarantining infected files Quarantining blocked files 284 Viewing the quarantine list Sorting the quarantine list Filtering the quarantine list Deleting files from the quarantine list Downloading quarantined files Configuring quarantine options 286 Blocking oversized files and emails Configuring limits for oversized files and email Exempting fragmented email from blocking Viewing the virus list Page Web filtering 290 Content blocking Adding words and phrases to the Banned Word list Clearing the Banned Word list 292 Backing up the Banned Word list Restoring the Banned Word list URL blocking Configuring FortiGate Web URL blocking Adding URLs to the Web URL block list 294 Clearing the Web URL block list Downloading the Web URL block list Uploading a URL block list 296 Configuring FortiGate Web pattern blocking Configuring Cerberian URL filtering Installing a Cerberian license key Adding a Cerberian user Configuring Cerberian web filter About the default group and policy 298 Enabling Cerberian URL filtering Script filtering Enabling script filtering Selecting script filter options 300 Exempt URL list Adding URLs to the URL Exempt list Downloading the URL Exempt List Uploading a URL Exempt List Page Email filter 304 Email banned word list Adding words and phrases to the email banned word list Downloading the email banned word list Uploading the email banned word list 306 Email block list Adding address patterns to the email block list Downloading the email block list Uploading an email block list Email exempt list 308 Adding address patterns to the email exempt list Adding a subject tag Logging and reporting Recording logs 310 Recording logs on a remote computer Recording logs on a NetIQ WebTrends server Recording logs on the FortiGate hard disk 312 Recording logs in system memory Log message levels Filtering log messages Configuring traffic logging Enabling traffic logging Enabling traffic logging for an interface Enabling traffic logging for a VLAN subinterface Enabling traffic logging for a firewall policy 316 Configuring traffic filter settings Adding traffic filter entries Viewing logs saved to memory Viewing logs 318 Searching logs Viewing and managing logs saved to the hard disk Viewing logs Searching logs 320 Downloading a log file to the management computer Deleting all messages from an active log Deleting a saved log file Configuring alert email Adding alert email addresses Testing alert email 322 Enabling alert email Glossary Page Page Page Index A 328 B C D E F 330 G H I J K L M 332 N O P Q R S Page T U V 336 W Z