Creating an AV profile

To use the anti-virus service module, you must configure AV profiles, either from the GUI or from the Console. Once created, AV profiles can be included in advanced virtual server profiles that use the HTTP, HTTPS, or SMTP protocol. For more information, refer to Configuring virtual servers.

Configure AV profiles from the GUI

To configure an AV profile from the GUI:

  1. Click Network Security > Anti Virus.
  2. Select the Profile tab.
  3. Click the Create New button.
  4. Make the entries or selections as described in AV profile configuration.
  5. Click Save when done.

AV profile configuration

Settings Description
Name

A unique name for the AV profile.

An AV profile name can contain up to 63 alphanumeric characters.

Comments

A brief description of the profile.

A description can be up to 1024 alphanumeric characters long.

Uncomp Size Limit

The maximum size in MB of the memory buffer used to temporarily decompress files.

The default is 2 MB. Valid values range from 1 to 2000 MB.

Uncomp Nest Limit

The maximum number of nested compression levels that the system will decompress.

The default is 2. Valid values range from 2 to 100.

Scan Bzip2

Scan archives compressed with the bzip2 algorithm.

This is disabled by default.

Streaming Content Bypass

Enable or disable bypassing of streaming content (rather than buffering it).

This is enabled by default.

Oversize Limit

The maximum in-memory file size in KB to be scanned.

The default is 1024 KB. Valid values range from 1 to 12000000 KB.

Note: For AV files larger than 1000 KB, the device memory must be larger than 32 GB to support the scan.

Oversize

Select one of the options for the system to handle over-sized files:

  • Bypass — Ignore oversized files.
  • Log — Log and block oversized files.
  • Block — Block oversized files.

The default option is Bypass.

Options

Select an option for the system to handle infected files:

  • AV Monitor — Block and log infected files.
  • Quarantine — Quarantine and log infected files.

The default is AV Monitor.

Emulator

Enable or disable the Win32 Emulator.

This is disabled by default to improve throughput.

FSA Analytics

Select an option for submitting files to FortiSandbox.

  • Disable—No file is submitted.
  • Suspicious—Only suspicious files are submitted.
  • All—All files are submitted.

The default is Disable.

Analytics Max Upload

The maximum file size in KB allowed to upload to FortiSandbox.

The default is 1024 KB. Valid values range from 1 to 2048 KB.

Analytics DB

Enable or disable supplementing the AV signature databases with the FortiSandbox signature database.

This is disabled by default.

AV Virus Log

Enable or disable logging for anti-virus scanning.

This is enabled by default.

Note that FortiADC currently imposes no restriction on the types of files that can be uploaded for AV analysis or evaluation. When scanning files for viruses, it makes no distinction between viruses and Trojans, and submits all suspicious files to FortiSandbox for evaluation. A log is generated whenever a file is uploaded to FortiSandbox.

Configure AV profiles from the Console

To configure an AV profile from the Console, execute the following commands:

config security antivirus profile
  edit <name_str>
    set comment <var-string>
    set uncomp-size-limit <limit_int>
    set uncomp-nest-limit <limit_int>
    set scan-bzip2 {enable | disable}
    set streaming-content-bypass {enable | disable}
    set oversize-limit <size_int>
    set oversize {bypass | log | block}
    set options {avmonitor | quarantine}
    set emulator {enable | disable}
    set fsa-analytics {disable | suspicious | everything}
    set analytics-max-upload <integer>
    set analytics-db {disable | enable}
    set av-virus-log {enable | disable}
end
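The following Python script is an added example, not Fortinet code. It audits exported AV profile blocks against the ranges and defaults in the settings table above and reports values outside the valid range, plus settings that leave content unscanned or unlogged. The names `parse_profiles`, `audit`, `COVERAGE_GAPS` and the sample profile names are assumptions, and the choice of which settings count as coverage gaps is a reviewer's checklist rather than a vendor recommendation.

```python
DEFAULTS = {  # defaults from the settings table (only the audited keys)
    "uncomp-size-limit": "2", "uncomp-nest-limit": "2", "oversize-limit": "1024",
    "analytics-max-upload": "1024", "oversize": "bypass", "scan-bzip2": "disable",
    "streaming-content-bypass": "enable", "av-virus-log": "enable",
}
RANGES = {"uncomp-size-limit": (1, 2000), "uncomp-nest-limit": (2, 100),
          "oversize-limit": (1, 12000000), "analytics-max-upload": (1, 2048)}
# Values that leave content unscanned or unlogged (checklist is an assumption).
COVERAGE_GAPS = {
    ("oversize", "bypass"): "files above oversize-limit are ignored",
    ("scan-bzip2", "disable"): "bzip2 archives are not scanned",
    ("streaming-content-bypass", "enable"): "streaming content is bypassed, not buffered",
    ("av-virus-log", "disable"): "AV scanning is not logged",
}

def parse_profiles(text):
    """Return {profile: {key: value}} from edit/set lines, unset keys at default."""
    profiles, current = {}, None
    for line in text.splitlines():
        tokens = line.split(maxsplit=2)
        if len(tokens) >= 2 and tokens[0] == "edit":
            current = profiles.setdefault(tokens[1].strip('"'), dict(DEFAULTS))
        elif len(tokens) == 3 and tokens[0] == "set" and current is not None:
            current[tokens[1]] = tokens[2].strip().strip('"')
    return profiles

def audit(text):
    """Return sorted (profile, key, message) findings for every profile in text."""
    findings = []
    for name, cfg in parse_profiles(text).items():
        for key, (lo, hi) in RANGES.items():
            if not (cfg[key].isdigit() and lo <= int(cfg[key]) <= hi):
                findings.append((name, key, f"{cfg[key]!r} outside {lo}-{hi}"))
        for (key, bad), why in COVERAGE_GAPS.items():
            if cfg[key] == bad:
                findings.append((name, key, why))
    return sorted(findings)

# Constructed sample: one profile left at defaults, one tightened but with a bad range.
SAMPLE = """config security antivirus profile
edit default-like
end
config security antivirus profile
edit strict
set scan-bzip2 enable
set streaming-content-bypass disable
set oversize block
set uncomp-nest-limit 150
end"""
```

Calling `audit(SAMPLE)` shows that a profile left at defaults has three coverage gaps, while the tightened profile is flagged only for its out-of-range nesting limit.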
