FortiGate Antivirus

Introduction

Fortinet’s FortiGate firewall includes an integrated antivirus engine as part of its security capabilities. FortiGate Antivirus provides protection against viruses, malware, ransomware, and zero-day threats for networks. It leverages technologies such as flow-based inspection, proxy-based inspection, cloud-based analysis with FortiSandbox, and the FortiGuard antivirus service to detect threats.

Implementing antivirus at the network layer is an important element of an organization’s cybersecurity strategy. Antivirus inspection at the gateway firewall can detect threats before they enter the network and spread to devices. Additionally, central management of antivirus from a firewall consolidates administration and policy deployment. Overall, FortiGate Antivirus offers robust threat detection to safeguard networks with low latency impact.

FortiOS Antivirus Features

FortiOS, the operating system of FortiGate firewalls, contains extensive antivirus capabilities:

Flow-based and Proxy-based Antivirus

FortiGate firewalls perform antivirus inspection in flow-based and proxy-based modes. Flow-based scanning analyzes network traffic transparently without proxying sessions. Proxy-based scanning proxies traffic so content can be fully decoded before inspection.

Administrators can configure custom policies determining which traffic goes through each mode for optimal performance and security. Proxy-based inspection offers the highest detection rate but also consumes the most resources.

Preconfigured Antivirus Profiles

FortiOS comes preconfigured with default profiles for antivirus inspection including default and wifi-default profiles. These contain optimal settings for networks and wireless access points. Additionally, administrators can fully customize profiles to match an organization’s requirements.

Customizable Inspection Rules

Within antivirus profiles, administrators have granular control to tailor security policies. Settings can be configured for:

  • Inspection of protocols such as HTTP, FTP, SMTP, and more
  • File size limits for scanning
  • Blocking, monitoring, or allowing infected code
  • Removal of viruses via heuristics
  • Analysis with FortiSandbox
  • Protection from botnet communication and callbacks

FortiSandbox Integration

FortiGate integrates with the FortiSandbox appliance, Fortinet’s advanced threat analysis sandbox. Suspicious files traversing FortiGate are sent to FortiSandbox for deeper inspection using techniques like emulation and behavioral analysis. The FortiSandbox database provides an added layer of cloud-based protection.

FortiNDR Inline Scanning

FortiGate also integrates with FortiNDR, Fortinet’s network detection and response platform. This allows for inline scanning of network traffic by the FortiNDR threat intelligence database in addition to FortiOS antivirus capabilities.

Exempt List

For files that generate false positives, FortiGate allows creating an antivirus exempt list to exclude files from scanning based on checksum. This prevents repetitive quarantining of clean files.

Quarantined File Download

Any files or code quarantined by antivirus inspection can be conveniently downloaded by administrators in password-protected archive format for review and analysis.

Profile Testing

Within FortiOS, administrators can upload samples of malware to securely test if an antivirus profile properly catches threats as intended. This verifies efficacy before deploying the profile into production.

FortiGuard Antivirus Service

Central to FortiGate's antivirus capabilities is the FortiGuard antivirus service. This cloud-based service from Fortinet provides continuous updates that protect networks from the latest threats:

Broad Protection

FortiGuard offers broad protection against malware, viruses, Trojans, worms, spyware, botnets, ransomware, and zero-day attacks that may bypass traditional signature-based detection. The FortiGuard team closely monitors the global threat landscape for emerging attacks.

Content Pattern Recognition

Using proprietary algorithms and data science models like patented Content Pattern Recognition Language (CPRL), FortiGuard identifies new threats extremely quickly, often within seconds of outbreak. This allows immediate protections to be deployed to FortiGate firewalls globally.

Machine Learning and Signatures

The FortiGuard antivirus service uses machine learning techniques along with traditional signatures to catch threats. The combined approach ensures maximum detection of both known and unknown malware. Signatures remain essential for recognizing variants of known malware families.

Sandbox Integration

FortiGuard threat intelligence pairs with integrated FortiSandbox sandboxing, so FortiGate is backed by analysis on both sides. Network files can be inspected by multiple analytics systems simultaneously for uncompromising security.

Broad Platform Support

FortiGuard supplies threat intelligence for Fortinet products across the entire digital attack surface including firewalls, web applications, email, endpoints, servers and more. This allows coherent security policies across IT, OT and converged environments.

Endpoint Protection

Fortinet also offers FortiClient endpoint software leveraging the same FortiGuard threat intelligence as FortiGate firewalls. Teams can deploy antivirus with matching detection profiles across networks for harmonized cross-product protection.

FortiOS Antivirus Inspection Modes

FortiOS antivirus protection utilizes two primary inspection modes:

Protocol Comparison

Below are key differences between flow-based and proxy-based inspection:

Criteria                 | Flow-based             | Proxy-based
-------------------------|------------------------|-----------------------
Performance impact       | Lower                  | Higher
Latency added            | Minimal                | Increased
Detection rate           | Moderate               | Maximum
Supports SSL inspection  | No                     | Yes
How traffic is processed | Transparent, non-proxy | Proxy, decodes content

Protocol Support

FortiGate antivirus scans the following protocols:

  • HTTP, HTTPS
  • FTP, FTPS
  • SMTP, SMTPS
  • POP3, POP3S
  • IMAP, IMAPS
  • MAPI over HTTP
  • CIFS
  • SSH
  • NNTP, NNTPS

Additionally, proxy-based inspection can be applied to user-defined applications and protocols for customized security.

FortiGate Antivirus Configuration

Fortinet allows extensive customization of antivirus profiles deployed to FortiGate firewall policies including:

AI-based Malware Detection

Machine learning and artificial intelligence can be enabled to detect malware patterns beyond traditional signatures. This probes deeper into a file, analyzing code frequency, injections, encryption, obfuscation and polymorphism.

Antivirus Testing

Within FortiOS, sample malware files from Fortinet’s repository can be downloaded to test FortiGate’s integrated antivirus scanner against new threats. The system will provide a report with the detection result for profile tuning.

FortiOS Best Practices

Follow these guidelines when enabling FortiGate antivirus for optimal security and performance:

Maintain FortiGate

Always ensure antivirus signatures and firmware remain updated on FortiGate to catch the latest threats with high efficacy. Schedule regular automated FortiGuard updates along with system vulnerability scans.

Select Necessary Protocols

Only enable antivirus scanning on the required protocols instead of blanket-enabling inspection of all traffic. Start with the highest-risk protocols, such as HTTP and SMTP, then expand accordingly. This prevents the performance decline caused by unnecessary scanning.

Consider File Size Limits

Set conservative file size limits of 2 to 10 MB maximum on antivirus inspection rules. This reduces the performance degradation of scanning extremely large files while maintaining safety. Video streaming and backups may be exempted from antivirus inspection entirely.

Monitor Quarantines

Review FortiGate's quarantined files regularly to understand the threats targeting the network and to identify false positives to add to the exempt list. Quarantined malware can be submitted to FortiGuard as new samples to improve detections.

Tune Logging

Avoid logging every single antivirus event, which can quickly consume storage space. Focus logs on critical-severity detections, using traffic filters to capture the incidents that are required. Forward logs to a SIEM for correlation and dashboarding.

Minimize Inspection

Only enable security inspections like antivirus, IPS, and application control where explicitly needed instead of on all traffic. This minimizes resource usage while still allowing NGFW policy mode for positive security models and zero-trust segmentation.

Consolidate Alerts

Set threshold counts and time durations along with event suppression rules to reduce repetitive alerts from the same infection vector. Alert storm protection is available in FortiOS 6.0 and above. Funnel alerts into reliable monitoring and response workflows.
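The quarantine review, log tuning and alert consolidation practices above, as an added Python example that is not part of the original article or of FortiOS: it parses FortiGate-style key=value virus log lines (constructed samples, not captured from a device; the field names follow FortiGate's virus log format, the values are made up), collapses repeat hits from the same source and virus into one counted alert, keeps only the severities worth forwarding, and summarizes detections per checksum for exempt-list review. The 300-second window and the crlevel values treated as critical are assumptions to be tuned per environment.

```python
import re
from datetime import datetime

# Constructed sample lines in FortiGate key=value syslog style (illustrative, not captured from a device).
SAMPLE_LOGS = [
    'date=2024-05-01 time=10:00:01 type="utm" subtype="virus" eventtype="infected" action="blocked" service="HTTP" srcip=10.1.100.11 dstip=203.0.113.5 filename="invoice.exe" virus="EICAR_TEST_FILE" checksum="c9af1a05" crlevel="critical"',
    'date=2024-05-01 time=10:01:30 type="utm" subtype="virus" eventtype="infected" action="blocked" service="HTTP" srcip=10.1.100.11 dstip=203.0.113.5 filename="invoice.exe" virus="EICAR_TEST_FILE" checksum="c9af1a05" crlevel="critical"',
    'date=2024-05-01 time=10:09:00 type="utm" subtype="virus" eventtype="infected" action="blocked" service="HTTP" srcip=10.1.100.11 dstip=203.0.113.5 filename="invoice.exe" virus="EICAR_TEST_FILE" checksum="c9af1a05" crlevel="critical"',
    'date=2024-05-01 time=10:02:15 type="utm" subtype="virus" eventtype="infected" action="monitored" service="SMTP" srcip=10.1.100.42 dstip=198.51.100.9 filename="report.pdf" virus="Adware/Generic" checksum="7f3e22b0" crlevel="low"',
    'date=2024-05-01 time=10:03:00 type="traffic" subtype="forward" action="accept" srcip=10.1.100.42 dstip=198.51.100.9',
]

# key=value pairs: the value is either a double-quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Split one key=value log line into a dict; quoted values lose their quotes."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}

def virus_events(lines):
    """Keep only antivirus detections (type=utm, subtype=virus), ordered by timestamp."""
    events = [ev for ev in map(parse_line, lines) if ev.get("type") == "utm" and ev.get("subtype") == "virus"]
    for ev in events:
        ev["ts"] = datetime.strptime(ev["date"] + " " + ev["time"], "%Y-%m-%d %H:%M:%S")
    return sorted(events, key=lambda ev: ev["ts"])

def consolidate(events, window_s=300):
    """One alert per (srcip, virus) per window, carrying a repeat count instead of a fresh alert per hit."""
    alerts, open_by_key = [], {}
    for ev in events:
        key = (ev["srcip"], ev["virus"])
        current = open_by_key.get(key)
        if current and (ev["ts"] - current["first_ts"]).total_seconds() < window_s:
            current["count"] += 1  # same infection vector inside the window: suppress, just count it
            continue
        current = {"srcip": ev["srcip"], "virus": ev["virus"], "crlevel": ev.get("crlevel"), "first_ts": ev["ts"], "count": 1}
        alerts.append(current)
        open_by_key[key] = current
    return alerts

def critical_only(alerts, levels=("critical", "high")):
    """Logging tuned to severity: forward only the levels worth a SIEM incident."""
    return [a for a in alerts if a["crlevel"] in levels]

def quarantine_review(events):
    """Group detections by file checksum so each quarantined file is reviewed once; a cleared checksum goes on the exempt list."""
    summary = {}
    for ev in events:
        entry = summary.setdefault(ev["checksum"], {"virus": ev["virus"], "hits": 0, "hosts": set()})
        entry["hits"] += 1
        entry["hosts"].add(ev["srcip"])
    return summary
```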

Schedule Updates

Configure scheduled updates from FortiGuard servers so that new antivirus definitions are delivered automatically as Fortinet releases them to counter fresh threats. Include a secondary update server for high availability.

Maintain Firmware

Stay current on FortiOS firmware updates, which may bring antivirus detection improvements along with critical security patches and stability fixes. Test releases in staging environments first, then progress to production.

Enable Services

Confirm FortiGuard antivirus and IPS services are enabled in the Fortinet support portal with valid licenses for full threat definitions from Fortinet’s research labs as updates emerge.

Conclusion

FortiGate firewalls include industry-leading antivirus inspection integrating multiple technologies like cloud analytics, sandboxing and machine learning to protect against malware threats targeting the network edge. Centralized control from FortiOS also simplifies policy administration and response workflows. With customizable profiles and extensive protocol support matching modern application traffic, FortiGate antivirus keeps organizations secure through proactive threat prevention. IT teams are advised to follow best practices and tune configurations for optimal efficacy, balancing performance and security within their networks.