Introduction
Fortinet’s FortiGate firewall includes an integrated antivirus engine as part of its security capabilities. FortiGate Antivirus provides protection against viruses, malware, ransomware, and zero-day threats for networks. It leverages technologies such as flow-based inspection, proxy-based inspection, cloud-based analysis with FortiSandbox, and the FortiGuard antivirus service to detect threats.
Implementing antivirus at the network layer is an important element of an organization’s cybersecurity strategy. Antivirus inspection at the gateway firewall can detect threats before they enter the network and spread to devices. Additionally, central management of antivirus from a firewall consolidates administration and policy deployment. Overall, FortiGate Antivirus offers robust threat detection to safeguard networks with low latency impact.
FortiOS Antivirus Features
FortiOS, the operating system of FortiGate firewalls, contains extensive antivirus capabilities:
Flow-based and Proxy-based Antivirus
FortiGate firewalls perform antivirus inspection in flow-based and proxy-based modes. Flow-based scanning analyzes network traffic transparently without proxying sessions. Proxy-based scanning proxies traffic so content can be fully decoded before inspection.
Administrators can configure custom policies determining which traffic goes through each mode for optimal performance and security. Proxy-based inspection offers the highest detection rate but also consumes the most resources.
Preconfigured Antivirus Profiles
FortiOS comes preconfigured with default profiles for antivirus inspection including default and wifi-default profiles. These contain optimal settings for networks and wireless access points. Additionally, administrators can fully customize profiles to match an organization’s requirements.
Customizable Inspection Rules
Within antivirus profiles, administrators have granular control to tailor security policies. Settings can be configured for:
- Inspection of protocols such as HTTP, FTP, SMTP, and more
- File size limits for scanning
- Blocking, monitoring, or allowing infected code
- Removal of viruses via heuristics
- Analysis with FortiSandbox
- Protection from botnet communication and callbacks
FortiSandbox Integration
FortiGate integrates with the FortiSandbox appliance, Fortinet’s advanced threat analysis sandbox. Suspicious files traversing FortiGate are sent to FortiSandbox for deeper inspection using techniques like emulation and behavioral analysis. The FortiSandbox database provides an added layer of cloud-based protection.
FortiNDR Inline Scanning
FortiGate also integrates with FortiNDR, Fortinet’s network detection and response platform. This allows for inline scanning of network traffic by the FortiNDR threat intelligence database in addition to FortiOS antivirus capabilities.
Exempt List
For files that generate false positives, FortiGate allows creating an antivirus exempt list to exclude files from scanning based on checksum. This prevents repetitive quarantining of clean files.
Quarantined File Download
Any files or code quarantined by antivirus inspection can be conveniently downloaded by administrators in password-protected archive format for review and analysis.
Profile Testing
Within FortiOS, administrators can upload samples of malware to securely test if an antivirus profile properly catches threats as intended. This verifies efficacy before deploying the profile into production.
FortiGuard Antivirus Service
Central to FortiGate's antivirus capabilities is the FortiGuard antivirus service. This cloud-based service from Fortinet provides continuous updates that protect networks from the latest threats:
Broad Protection
FortiGuard offers broad protection against malware, viruses, Trojans, worms, spyware, botnets, ransomware, and zero-day attacks that may bypass traditional signature-based detection. The FortiGuard team closely monitors the global threat landscape for emerging attacks.
Content Pattern Recognition
Using proprietary algorithms and data science models such as the patented Content Pattern Recognition Language (CPRL), FortiGuard identifies new threats extremely quickly, often within seconds of an outbreak. This allows protections to be deployed immediately to FortiGate firewalls globally.
Machine Learning and Signatures
The FortiGuard antivirus service uses machine learning techniques along with traditional signatures to catch threats. The combined approach ensures maximum detection of both known and unknown malware. Signatures remain essential for recognizing variants of known malware families.
Sandbox Integration
FortiGuard pairs with integrated FortiSandbox sandboxing, so FortiGate is backed by analysis on both sides: network files can be inspected by multiple analytics systems simultaneously for thorough coverage.
Broad Platform Support
FortiGuard supplies threat intelligence for Fortinet products across the entire digital attack surface including firewalls, web applications, email, endpoints, servers and more. This allows coherent security policies across IT, OT and converged environments.
Endpoint Protection
Fortinet also offers FortiClient endpoint software leveraging the same FortiGuard threat intelligence as FortiGate firewalls. Teams can deploy antivirus with matching detection profiles across networks for harmonized cross-product protection.
FortiOS Antivirus Inspection Modes
FortiOS antivirus protection utilizes two primary inspection modes:
Protocol Comparison
Below are key differences between flow-based and proxy-based inspection:
| Criteria | Flow-based | Proxy-based |
|---|---|---|
| Performance impact | Lower | Higher |
| Latency added | Minimal | Increased |
| Detection rate | Moderate | Maximum |
| Supports SSL inspection | No | Yes |
| How traffic is processed | Transparent, non-proxying | Proxied, content decoded before inspection |
Protocol Support
FortiGate antivirus scans the following protocols:
- HTTP, HTTPS
- FTP, FTPS
- SMTP, SMTPS
- POP3, POP3S
- IMAP, IMAPS
- MAPI over HTTP
- CIFS
- SSH
- NNTP, NNTPS
Additionally, proxy-based inspection can be applied to user-defined applications and protocols for customized security.
FortiGate Antivirus Configuration
Fortinet allows extensive customization of antivirus profiles deployed to FortiGate firewall policies including:
AI-based Malware Detection
Machine learning and artificial intelligence can be enabled to detect malware patterns beyond traditional signatures. This analysis goes deeper, examining code frequency, injection, encryption, obfuscation, and polymorphism.
Antivirus Testing
Within FortiOS, sample malware files from Fortinet's repository can be downloaded to test FortiGate's integrated antivirus scanner against new threats. The system provides a report with the detection result to guide profile tuning.
FortiOS Best Practices
Follow these guidelines when enabling FortiGate antivirus for optimal security and performance:
Maintain FortiGate
Always ensure antivirus signatures and firmware remain up to date on FortiGate so the latest threats are caught with high efficacy. Schedule regular automated FortiGuard updates along with system vulnerability scans.
Select Necessary Protocols
Only enable antivirus scanning on the required protocols instead of blanket-enabling inspection of all traffic. Start with the highest-risk protocols, such as HTTP and SMTP, then expand as needed. This prevents the performance decline caused by unnecessary scanning.
Consider File Size Limits
Set conservative file size limits, between 2 and 10 MB maximum, on antivirus inspection rules. This reduces the performance degradation of scanning extremely large files while maintaining safety. Video streaming and backups may be exempted from antivirus inspection entirely.
Monitor Quarantines
Review FortiGate's quarantined files regularly to understand the threats targeting the organization and to identify false positives to add to the exempt list. Quarantined malware can be submitted to FortiGuard as new samples to improve detection.
Tune Logging
Avoid logging every single antivirus event, which can quickly consume storage space. Focus logs on critical-severity detections, using traffic filters to capture the incidents you need. Forward logs to a SIEM for correlation and dashboarding.
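As an added example (not Fortinet's code), the Python below triages FortiGate antivirus log lines in the key=value syslog style the firewall emits: it drops non-antivirus records before forwarding, counts detections per virus and checksum, flags detections the profile only monitored, and surfaces checksums seen repeatedly for quarantine review or exempt-list consideration. The field names follow FortiGate's log format; the sample lines, IPs, hashes and virus names are constructed placeholders.

```python
"""Triage FortiGate antivirus logs: an added example, not Fortinet code.
Sample lines are constructed to mimic FortiGate's key=value syslog format;
the IPs, hashes and virus names are placeholders."""
import re
from collections import Counter, defaultdict

# One key=value pair; the value is either "quoted" (may contain spaces) or bare.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

SAMPLE_LOGS = [  # constructed sample lines
    'date=2024-01-10 time=09:01:02 type="utm" subtype="virus" level="warning" srcip=10.1.1.20 '
    'service="HTTP" action="blocked" virus="EICAR_TEST_FILE" filename="eicar.com" checksum="HASH-A-PLACEHOLDER"',
    'date=2024-01-10 time=09:03:40 type="utm" subtype="virus" level="warning" srcip=10.1.1.21 '
    'service="HTTP" action="blocked" virus="EICAR_TEST_FILE" filename="eicar.com" checksum="HASH-A-PLACEHOLDER"',
    'date=2024-01-10 time=09:10:11 type="utm" subtype="virus" level="warning" srcip=10.1.1.22 '
    'service="SMTP" action="monitored" virus="Constructed/Sample.A" filename="quarterly report.exe" checksum="HASH-B-PLACEHOLDER"',
    'date=2024-01-10 time=09:10:12 type="traffic" subtype="forward" level="notice" srcip=10.1.1.22 '
    'service="SMTP" action="accept"',
]

def parse_fortigate_log(line):
    """Parse one key=value line into a dict, unquoting quoted values."""
    fields = {}
    for key, raw in _KV.findall(line):
        fields[key] = raw[1:-1].replace('\\"', '"') if raw.startswith('"') else raw
    return fields

def triage(lines, min_repeats=2):
    """Keep only antivirus detections and summarize what needs a human decision."""
    counts = Counter()          # (virus, checksum) -> number of detections
    sources = defaultdict(set)  # checksum -> internal hosts that hit it
    unblocked = []              # detections the profile only monitored, not blocked
    for line in lines:
        ev = parse_fortigate_log(line)
        if ev.get("type") != "utm" or ev.get("subtype") != "virus":
            continue            # traffic/event logs: don't forward these to the SIEM
        csum = ev.get("checksum", "?")
        counts[(ev.get("virus", "?"), csum)] += 1
        sources[csum].add(ev.get("srcip", "?"))
        if ev.get("action") != "blocked":
            unblocked.append((ev.get("filename", "?"), ev.get("action", "?")))
    # A checksum seen repeatedly is either a spreading sample or a false positive
    # that belongs on the exempt list; both call for a quarantine review.
    repeats = {c: sorted(hosts) for c, hosts in sources.items()
               if sum(n for (_, cc), n in counts.items() if cc == c) >= min_repeats}
    return {"detections": sum(counts.values()), "counts": counts,
            "unblocked": unblocked, "repeats": repeats}
```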
Minimize Inspection
Only enable security inspections such as antivirus, IPS, and application control where they are explicitly needed, rather than on all traffic. This minimizes resource usage while still allowing masking (NGFW mode) for positive security models and zero-trust segmentation.
Consolidate Alerts
Set threshold counts and time windows, along with event suppression rules, to reduce repetitive alerts from the same infection vector. Alert storm protection is available in FortiOS 6.0 and above. Funnel alerts into reliable monitoring and response workflows.
Schedule Updates
Configure scheduled updates from FortiGuard servers so that new antivirus definitions are applied automatically as Fortinet releases them to counter fresh threats. Include a secondary update server for high availability.
Maintain Firmware
Stay current on FortiOS firmware updates, which may bring antivirus detection improvements along with critical security patches and stability fixes. Test releases in a staging environment first, then progress to production.
Enable Services
Confirm that the FortiGuard antivirus and IPS services are enabled in the Fortinet support portal with valid licenses, so the FortiGate receives the full threat definitions from Fortinet's research labs as updates emerge.
Conclusion
FortiGate firewalls include industry-leading antivirus inspection that integrates multiple technologies, such as cloud analytics, sandboxing and machine learning, to protect against malware threats targeting the network edge. Centralized control from FortiOS also simplifies policy administration and response workflows. With customizable profiles and extensive protocol support matching modern application traffic, FortiGate antivirus keeps organizations secure through proactive threat prevention. IT teams are advised to follow the best practices above and tune configurations to balance performance and security within their networks.