Antivirus protection, 279 | Fortinet FortiGate-800 guide

FortiGate-800 Installation and Configuration Guide Version 2.50

Antivirus protection

You can enable antivirus protection in firewall policies. You can select a content profile that controls how the antivirus protection behaves. Content profiles control the type of traffic protected (HTTP, FTP, IMAP, POP3, SMTP), the type of antivirus protection and the treatment of fragmented email and oversized files or email.

This chapter describes:

•General configuration steps

•Antivirus scanning

•File blocking

•Quarantine

•Blocking oversized files and emails

•Exempting fragmented email from blocking

•Viewing the virus list

General configuration steps

Configuring antivirus protection involves the following general steps.

1Select antivirus protection options in a new or existing content profile. See “Adding content profiles” on page 219.

2Select the Anti-Virus & Web filter option in firewall policies that allow web (HTTP), FTP, and email (IMAP, POP3, and SMTP) connections through the FortiGate unit. Select a content profile that provides the antivirus protection options that you want to apply to a policy. See “Adding content profiles to policies” on page 221.

3Configure antivirus protection settings to control how the FortiGate unit applies antivirus protection to the web, FTP, and email traffic allowed by policies. See:

•“Antivirus scanning” on page 280,

•“File blocking” on page 281,

•“Blocking oversized files and emails” on page 286,

•“Exempting fragmented email from blocking” on page 287.

4Configure file quarantine settings to control the quarantining of infected or blocked files by traffic type, age, and file size. See “Configuring quarantine options” on page 285.

5Configure the messages that users receive when the FortiGate unit blocks or deletes an infected file. See “Replacement messages” on page 181.

FortiGate-800 Installation and Configuration Guide

279

Image 279

Fortinet FortiGate-800 manual Antivirus protection, General configuration steps, 279

Contents

January 15 Installation and Configuration Guide Regulatory Compliance Trademarks Table of Contents NAT/Route mode installation High availability Virus and attack definitions updates and registration 117 Network configuration 137 System configuration 169 Users and authentication 223 IPSec VPN 231 Network Intrusion Detection System Nids 269 Email filter 303 Glossary 323 Index 327 Contents Flexibility demanded by large enterprises Introduction Antivirus protection Web content filtering Firewall Email filtering Network intrusion detection NAT/Route modeTransparent mode VLANs and virtual domains High availability VPN Web-based manager Secure installation, configuration, and management Logging and reporting Command line interface Fortinet documentation Document conventions Comments on Fortinet technical documentation Customer service and technical support Customer service and technical support Getting started Mounting Package contents To power on the FortiGate-800 unit Powering onPower requirements Environmental specifications To connect to the web-based manager Connecting to the web-based manager Stop bits Flow control Connecting to the command line interface CLITo connect to the CLI Bits per second 9600 Data bits Parity Internal interface Factory default FortiGate configuration settingsFactory default NAT/Route mode network configuration Account Factory default Transparent mode network configuration Factory default firewall configuration Strict content profile Factory default content profiles Scan content profile Strict content profile OptionsScan content profile Options Unfiltered content profile Options Web content profileUnfiltered content profile Web content profile Options Example NAT/Route mode network configuration Planning the FortiGate configuration Example NAT/Route multiple internet connection configuration NAT/Route mode with multiple external network connections Setup wizard Configuration options Front keypad and LCD FortiGate model maximum values matrix Signatures Antivirus file Block patterns Web filter Next steps Preparing to configure NAT/Route mode NAT/Route mode installation Advanced NAT/Route mode settings Advanced FortiGate NAT/Route mode settingsDhcp server DMZ and user-defined interfaces Using the setup wizardStarting the setup wizard Reconnecting to the web-based manager Configuring NAT/Route mode IP addresses Using the front control buttons and LCDUsing the command line interface Configuring the FortiGate unit to operate in NAT/Route mode Set system interface external mode static ip 204.23.1.5 To connect the FortiGate unit running in NAT/Route mode Connecting the FortiGate unit to your networks To connect to FortiGate-800 user-defined interfaces FortiGate-800 External Example FortiGate-800 user-defined interface connections Configuring your networks Setting the date and time Completing the configurationConfiguring the DMZ interface Configuring interfaces 1 to Configuration example Multiple connections to the Internet Configuring virus and attack definition updatesRegistering your FortiGate unit Internal Configuring ping servers Go to System Network Routing Table Using the CLIPrimary and backup links to the Internet Destination-based routing examples Load sharing and primary and secondary connections Load sharing Routing table should have routes arranged as shown in Table To add the routes using the CLI Policy routing examples Routing a service to an external network Adding more firewall policies Adding a redundant default policyDestination DMZAll Schedule Always Service Firewall policy example Restricting access to a single Internet connection Configuration example Multiple connections to the Internet DNS Settings Transparent mode installationPreparing to configure Transparent mode Transparent mode settings Administrator Password Go to System Status Changing to Transparent mode using the web-based manager Operation mode Transparent Changing to Transparent mode using the CLI Configuring the Transparent mode management IP address Configure the Transparent mode default gatewayEnabling antivirus protection Connecting the FortiGate unit to your networks FortiGate-800 Transparent mode configuration examples Example default route to an external network Default routes and static routes Default route to an external network General configuration steps Go to System Network Management Web-based manager example configuration stepsCLI configuration steps Example static route to an external destination DMZ Example static route to an internal destination FortiGate-800 Set system route number 1 dst 172.16.1.11 255.255.255.0 gw1 Transparent mode configuration examples High availability Go to System Config HA Configuring an HA clusterConfiguring FortiGate units for HA operation To configure a FortiGate unit for HA operation Least Connection Weighted Round RobinNone Hub Example Active-Active HA configuration Connecting the cluster To connect the cluster HA network configuration Managing an HA cluster Adding a new FortiGate unit to a functioning clusterTo add a new unit to the cluster Configuring cluster interface monitoring Monitoring cluster members Viewing the status of cluster members Example cluster CPU, memory, and hard disk display To set the update frequency Viewing and managing cluster log messages Viewing cluster sessions Monitoring cluster units for failover Viewing cluster communication sessionsManaging individual cluster units Changing cluster unit host names To manage a cluster unitTo set the host name of each cluster member Keyword Description Synchronizing the cluster configuration Upgrading firmware To select a permanent primary unit Advanced HA optionsReplacing a FortiGate unit after failover Selecting a FortiGate unit as a permanent primary unit To set the priority of each FortiGate unit in a cluster Configuring weighted-round-robin weights Active-active HA packet flow Active-Active cluster packet flow NAT/Route mode packet flow Transparent mode packet flow Active-Active cluster packet flow System status System status To change the FortiGate host name Go to System Status Firmware upgrade procedures Procedure DescriptionChanging the FortiGate host name Changing the FortiGate firmware To upgrade the firmware using the CLI Upgrading the firmware using the web-based managerUpgrading the firmware using the CLI To upgrade the firmware using the web-based manager Execute ping Reverting to a previous firmware version Reverting to a previous firmware version using the CLI To revert to a previous firmware version using the CLI To install firmware from a system reboot 100 Press any key to enter configuration menu Restoring the previous configuration Testing a new firmware image before installing it101 To test a new firmware image 102 Installing and using a backup firmware image Installing a backup firmware image103 104 To install a backup firmware image Switching to the backup firmware image To switch to the backup firmware image105 To update the antivirus definitions manually Manual virus definition updatesSwitching back to the default firmware image To switch back to the default firmware image 107 Manual attack definition updatesTo update the attack definitions manually Displaying the FortiGate serial number Displaying log hard disk status Backing up system settingsRestoring system settings Displaying the FortiGate up time 109 Restoring system settings to factory defaultsChanging to Transparent mode To change to Transparent mode Go to System Status Shutting down the FortiGate unit Changing to NAT/Route modeTo change to NAT/Route mode Go to System Status Restarting the FortiGate unit To view CPU and memory status Go to System Status Monitor System statusViewing CPU and memory status 111 CPU and memory status monitor Viewing sessions and network status 113 Viewing virus and intrusions status To view the session list Go to System Status Session Session list Protocol 115 116 Virus and attack definitions updates and registration Updating antivirus and attack definitions117 To make sure the FortiGate unit can connect to the FDN Connecting to the FortiResponse Distribution NetworkGo to System Update Version Expiry date Last update attempt Last update status 119 Manually initiating antivirus and attack definitions updates 120 Scheduling updatesConfiguring update logging Enabling scheduled updates To add an override server Go to System Update Adding an override server121 Enabling push updates Enabling scheduled updates through a proxy server122 123 Enabling push updatesPush updates when FortiGate IP addresses change To enable push updates Go to System Update Enabling push updates through a NAT device Example push updates through a NAT device124 125 General procedure 126 127 To configure the FortiGate NAT deviceSchedule Always Service ANY Action Accept Adding a firewall policy for the port forwarding virtual IP 128 Registering FortiGate units 129 FortiCare Service Contracts 130 Registering the FortiGate unit 131 Updating registration information Recovering a lost Fortinet support password Viewing the list of registered FortiGate units132 Registering a new FortiGate unit Adding or changing a FortiCare Support Contract number133 Changing your Fortinet support password Changing your contact information or security question134 135 Downloading virus and attack definitions updates 136 Registering a FortiGate unit after an RMA Network configuration Configuring zones137 138 Configuring interfacesAdding zones Deleting zones 139 Changing the administrative status of an interfaceViewing the interface list Adding an interface to a zone Configuring an interface with a manual IP address Configuring an interface for Dhcp140 141 Configuring an interface for PPPoE Adding a secondary IP address to an interface Adding a ping server to an interface142 143 Controlling administrative access to an interface 144 Configuring traffic logging for connections to an interfaceConfiguring the management interface in Transparent mode Changing the MTU size to improve network performance 145 Vlan overview 146 VLANs in NAT/Route modeRules for Vlan IDs Rules for Vlan IP addresses To add Vlan subinterfaces Go to System Network Interface Virtual domains in Transparent modeAdding Vlan subinterfaces 147 FortiGate unit with two virtual domains 148 149 Configuring a virtual domainVirtual domain properties Adding a virtual domain Adding Vlan subinterfaces to a virtual domain Adding zones to virtual domains150 To add a zone to a virtual domain Go to System Network Zone 151 Go to Firewall Address Adding firewall policies for virtual domainsAdding addresses for virtual domains 152 153 Configuring routingAdding DNS server IP addresses Deleting virtual domains 154 Adding a default routeTo add a default route Go to System Network Routing Table Adding destination-based routes to the routing table 155 Adding routes in Transparent mode Configuring the routing table Policy routing156 Configuring Dhcp services Policy routing command syntax157 Adding scopes to a Dhcp server Configuring a Dhcp relay agentConfiguring a Dhcp server Adding a Dhcp server to an interface To add a scope to a Dhcp server Go to System Network Dhcp 159 Selected scope Adding a reserve IP to a Dhcp serverViewing a Dhcp server dynamic IP list 160 RIP configuration RIP settings161 Flush 162Invalid Holddown 163 Configuring RIP for FortiGate interfaces 164 Example RIP configuration for an internal interface To add a RIP filter list Go to System RIP Filter Adding RIP filtersAdding a RIP filter list 165 Assigning a RIP filter list to the neighbors filter Assigning a RIP filter list to the incoming filter166 167 Assigning a RIP filter list to the outgoing filter 168 169 System configurationSetting system date and time To set the date and time Go to System Config Time 170 To set the system idle timeout Go to System Config OptionsTo set the Auth timeout Go to System Config Options Changing system options 171 Modifying the Dead Gateway Detection settings 172 Adding and editing administrator accountsAdding new administrator accounts To add an administrator account Go to System Config Admin 173 Configuring SnmpEditing administrator accounts To edit an administrator account Go to System Config Admin Configuring Snmp community settings Configuring the FortiGate unit for Snmp monitoringConfiguring FortiGate Snmp support Configuring Snmp access to an interface 175 System NameSystem Location 176 FortiGate MIBs 177 FortiGate trapsGeneral FortiGate traps System traps Logging traps VPN trapsNids traps Antivirus traps 179 System configuration and statusFirewall configuration Fortinet MIB fields 180 Replacement messages Logging and reporting configuration181 182 Customizing replacement messages Customizing alert emails 183Alert email message sections Alert email message sections 184 185 Firewall configuration 186 Default firewall configuration 187 InterfacesVlan subinterfaces Zones Schedules ServicesDefault addresses Interface Address Description Addresses To add a firewall policy Go to Firewall Policy Content profilesAdding firewall policies 189 Firewall policy options Source190 Action ServiceDestination Schedule Dynamic IP Pool Fixed Port VPN TunnelTraffic Shaping 192 Maximum Bandwidth Traffic Priority AuthenticationAnti-Virus & Web filter 193 Log Traffic Comments194 Configuring policy lists Policy matching in detail195 Enabling policies Changing the order of policies in a policy listEnabling and disabling policies Disabling policies To add an address Go to Firewall Address AddressesAdding addresses 197 Editing addresses 198To edit an address Go to Firewall Address To delete an address Go to Firewall Address Deleting addressesOrganizing addresses into address groups 199 Services Predefined services200 GRE 201 Ldap 202 203 Adding custom TCP and UDP services 204 Adding custom Icmp servicesAdding custom IP services Grouping services 205 Schedules 206 Creating one-time schedules 207 Creating recurring schedules To add a schedule to a policy Go to Firewall Policy Virtual IPsAdding schedules to policies 208 Virtual IP External Interface examples Description Internal Adding static NAT virtual IPs209 To add a static NAT virtual IP Go to Firewall Virtual IP 210 Adding port forwarding virtual IPs 211 Adding policies with virtual IPs 212To add a policy with a virtual IP Go to Firewall Policy To add an IP pool Go to Firewall IP Pool IP poolsAdding an IP pool 213 214 IP/MAC bindingIP Pools for firewall policies that use fixed ports IP pools and dynamic NAT Go to Firewall IP/MAC Binding Static IP/MAC 215 216 Adding IP/MAC addresses Viewing the dynamic IP/MAC list Enabling IP/MAC binding217 218 Content profiles 219 Default content profilesAdding content profiles To add a content profile Go to Firewall Content Profile Oversized File/Email Pass Fragmented Email 220 Adding content profiles to policies To add a content profile to a policy Go to Firewall Policy221 222 223 Users and authentication To set authentication timeout Go to System Config Options Setting authentication timeoutAdding user names and configuring authentication Adding user names and configuring authentication 225 Deleting user names from the internal database 226 Configuring Radius supportAdding Radius servers Deleting Radius servers To add an Ldap server Go to User Ldap Configuring Ldap supportAdding Ldap servers 227 Deleting Ldap servers 228To delete an Ldap server Go to User Ldap To add a user group Go to User User Group Configuring user groupsAdding user groups 229 Deleting user groups 230To delete a user group Go to User User Group 231 IPSec VPN AutoIKE with certificates Key managementManual Keys AutoIKE with pre-shared keys 233 General configuration steps for a manual key VPNManual key IPSec VPNs Adding a manual key VPN tunnel AES256 234AES128 AES192 235 General configuration steps for an AutoIKE VPNAdding a phase 1 configuration for an AutoIKE VPN AutoIKE IPSec VPNs 236 Remote Gateway Static IP AddressRemote Gateway Dialup User Configuring advanced options To configure phase 1 advanced options237 238 239 Adding a phase 1 configuration Standard options Adding a phase 2 configuration for an AutoIKE VPN To add a phase 2 configuration Go to VPN Ipsec Phase240 241 Use selectors from policyUse wildcard selectors 242 Managing digital certificatesObtaining a signed local certificate Generating the certificate request 243 Key TypeKey Size Downloading the certificate request Importing the signed local certificate244 245 Configuring encrypt policiesObtaining CA certificates Importing CA certificates Adding a source address 246To add a source address Go to Firewall Address To add a destination address Go to Firewall Address Adding a destination addressAdding an encrypt policy 247 248 249 IPSec VPN concentrators VPN concentrator hub general configuration steps To create a VPN concentrator configuration250 251 Adding a VPN concentrator VPN spoke general configuration steps To create a VPN spoke configuration252 253 Redundant IPSec VPNs Configuring redundant IPSec VPNs To configure a redundant IPSec VPN254 Viewing dialup VPN connection status Monitoring and Troubleshooting VPNsTo view VPN tunnel status Go to VPN Ipsec Phase Viewing VPN tunnel status 256 Testing a VPN Configuring Pptp Pptp and L2TP VPN257 To add a source address Configuring the FortiGate unit as a Pptp gateway258 To add users and user groups To add a firewall policy 259To add a source address group To add a destination address 260 Configuring a Windows 98 client for Pptp To connect to the Pptp VPN Configuring a Windows 2000 client for PptpConfiguring a Windows XP client for Pptp 261 To configure the VPN connection 262Select Properties Security Configuring L2TP Configuring the FortiGate unit as an L2TP gateway263 To add source addresses 264 265 Configuring a Windows 2000 client for L2TP To disable IPSec 266To connect to the L2TP VPN 267 Configuring a Windows XP client for L2TP 268 Network Intrusion Detection System Nids Detecting attacks269 270 Configuring checksum verificationSelecting the interfaces to monitor Disabling monitoring interfaces Viewing the signature list Viewing attack descriptions271 Disabling Nids attack signatures Adding user-defined signatures272 273 Downloading the user-defined signature list Enabling Nids attack prevention signatures To enable Nids attack prevention Go to Nids PreventionPreventing attacks Enabling Nids attack prevention 275 Setting signature threshold values Automatic message reduction Logging attacksLogging attack messages to the attack log Reducing the number of Nids attack log and email messages 277 Manual message reduction 278 General configuration steps Antivirus protection279 Antivirus scanning 280To scan FortiGate firewall traffic for viruses 281 File blocking To block files in firewall traffic Blocking files in firewall trafficAdding file patterns to block 282 283 QuarantineQuarantining infected files Quarantining blocked files To view the quarantine list Go to Anti-Virus Quarantine Viewing the quarantine listSorting the quarantine list 284 Downloading quarantined files Configuring quarantine optionsFiltering the quarantine list Deleting files from the quarantine list Configuring limits for oversized files and email Blocking oversized files and emails286 287 To view the virus list Go to Anti-Virus Config Virus ListExempting fragmented email from blocking Viewing the virus list 288 289 Web filtering 290 Content blockingGo to Web Filter Content Block Adding words and phrases to the Banned Word list 291 Clearing the Banned Word list Backing up the Banned Word list Restoring the Banned Word list292 293 Configuring FortiGate Web URL blockingURL blocking Adding URLs to the Web URL block list 294 Clearing the Web URL block list To upload a URL block list Downloading the Web URL block listUploading a URL block list 295 Configuring Cerberian URL filtering Configuring FortiGate Web pattern blocking296 Adding a Cerberian user Installing a Cerberian license keyConfiguring Cerberian web filter About the default group and policy To configure Cerberian web filtering Enabling Cerberian URL filtering298 299 Script filteringEnabling script filtering Selecting script filter options Go to Web Filter URLExempt Exempt URL listAdding URLs to the URL Exempt list 300 Go to Web Filter URL Exempt Downloading the URL Exempt ListUploading a URL Exempt List 301 302 303 Email filter Email banned word list Adding words and phrases to the email banned word list304 Downloading the email banned word list Uploading the email banned word list305 306 Email block listAdding address patterns to the email block list Downloading the email block list To upload the email block list Email exempt listUploading an email block list 307 308 To add a subject tag Go to Email Filter ConfigAdding a subject tag Adding address patterns to the email exempt list Logging and reporting Recording logs309 Recording logs on a remote computer Recording logs on a NetIQ WebTrends server310 Option Recording logs on the FortiGate hard disk311 Overwrite Recording logs in system memory Log message levels312 To filter log entries Go to Log&Report Log Setting Filtering log messages313 314 Configuring traffic logging Enabling traffic logging for a firewall policy Enabling traffic loggingEnabling traffic logging for an interface Enabling traffic logging for a Vlan subinterface Resolve IP Configuring traffic filter settingsAdding traffic filter entries 316 317 Destination IP Address Destination Netmask ServiceViewing logs saved to memory Viewing logs Keyword Viewing and managing logs saved to the hard diskSearching logs 318 To view the active or saved logs Go to Log&Report Logging 319 320 Downloading a log file to the management computerDeleting all messages from an active log Deleting a saved log file 321 Configuring alert emailTesting alert email Adding alert email addresses 322 Enabling alert email 323 Glossary 324 325 326 327 Index Index 328 Dialup Pptp 329 Http 330 Ldap 331 332 Pptp dialup connection 333 334 TCP 335 Vlan 336