
Statistics

This feature adds a statistics counter for flow-based AV scanning, and exposes the same AV statistics through SNMP.

Two CLI commands are added to show and clear the AV statistics:

    diagnose ips av stats show
    diagnose ips av stats clear

This example uses the following topology:

To check flow AV statistics:
  1. Create an AV profile:

    config antivirus profile
        edit "av-test"
            config http
                set options scan avmonitor
            end
            config ftp
                set options scan quarantine
            end
        next
    end

  2. Enable the profile on a firewall policy:

    config firewall policy
        edit 1
            set name "policy1"
            set srcintf "port2"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set fsso disable
            set av-profile "av-test"
            set ssl-ssh-profile "custom-deep-inspection"
            set nat enable
        next
    end

  3. On the client PC, download the EICAR Standard Anti-Virus Test File via HTTP.
  4. Check the AV statistics on the FortiGate. Because the HTTP action is set to avmonitor (monitor only), only the HTTP virus detected counter increases by 1 and HTTP virus blocked stays at 0:

    diagnose ips av stats show
    AV stats:
    HTTP virus detected: 1
    HTTP virus blocked: 0
    SMTP virus detected: 0
    SMTP virus blocked: 0
    POP3 virus detected: 0
    POP3 virus blocked: 0
    IMAP virus detected: 0
    IMAP virus blocked: 0
    NNTP virus detected: 0
    NNTP virus blocked: 0
    FTP virus detected: 0
    FTP virus blocked: 0
    SMB virus detected: 0
    SMB virus blocked: 0

  5. On the client PC, download the EICAR file via FTP.
  6. Check the AV statistics on the FortiGate. Because the FTP action is set to quarantine, both the FTP virus detected and FTP virus blocked counters increase by 1:

    diagnose ips av stats show
    AV stats:
    HTTP virus detected: 1
    HTTP virus blocked: 0
    SMTP virus detected: 0
    SMTP virus blocked: 0
    POP3 virus detected: 0
    POP3 virus blocked: 0
    IMAP virus detected: 0
    IMAP virus blocked: 0
    NNTP virus detected: 0
    NNTP virus blocked: 0
    FTP virus detected: 1
    FTP virus blocked: 1
    SMB virus detected: 0
    SMB virus blocked: 0

  7. Check the AV statistics using snmpwalk. The first two columns are the totals across all protocols (2 detected, 1 blocked), followed by the per-protocol counters:

    root:~# snmpwalk -c public -v 1 10.1.100.6 1.3.6.1.4.1.12356.101.8.2.1.1
    iso.3.6.1.4.1.12356.101.8.2.1.1.1.1 = Counter32: 2 (fgAvVirusDetected)
    iso.3.6.1.4.1.12356.101.8.2.1.1.2.1 = Counter32: 1 (fgAvVirusBlocked)
    iso.3.6.1.4.1.12356.101.8.2.1.1.3.1 = Counter32: 1 (fgAvHTTPVirusDetected)
    iso.3.6.1.4.1.12356.101.8.2.1.1.4.1 = Counter32: 0
    iso.3.6.1.4.1.12356.101.8.2.1.1.5.1 = Counter32: 0
    iso.3.6.1.4.1.12356.101.8.2.1.1.6.1 = Counter32: 0
    iso.3.6.1.4.1.12356.101.8.2.1.1.7.1 = Counter32: 0
    iso.3.6.1.4.1.12356.101.8.2.1.1.8.1 = Counter32: 0
    iso.3.6.1.4.1.12356.101.8.2.1.1.9.1 = Counter32: 0
    iso.3.6.1.4.1.12356.101.8.2.1.1.10.1 = Counter32: 0
    iso.3.6.1.4.1.12356.101.8.2.1.1.11.1 = Counter32: 1 (fgAvFTPVirusDetected)
    iso.3.6.1.4.1.12356.101.8.2.1.1.12.1 = Counter32: 1 (fgAvFTPVirusBlocked)
    iso.3.6.1.4.1.12356.101.8.2.1.1.13.1 = Counter32: 0
    iso.3.6.1.4.1.12356.101.8.2.1.1.14.1 = Counter32: 0
    iso.3.6.1.4.1.12356.101.8.2.1.1.15.1 = Counter32: 0
    iso.3.6.1.4.1.12356.101.8.2.1.1.16.1 = Counter32: 0
    iso.3.6.1.4.1.12356.101.8.2.1.1.17.1 = Counter32: 0
    iso.3.6.1.4.1.12356.101.8.2.1.1.18.1 = Counter32: 0
    iso.3.6.1.4.1.12356.101.8.2.1.1.19.1 = Counter32: 0
    iso.3.6.1.4.1.12356.101.8.2.1.1.20.1 = Counter32: 0
    iso.3.6.1.4.1.12356.101.8.2.1.1.21.1 = Counter32: 0
    iso.3.6.1.4.1.12356.101.8.2.1.1.22.1 = Counter32: 0

  8. Optionally, reset the AV statistics to zero:

    diagnose ips av stats clear
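The procedure above reads the same counters twice, once from the CLI and once over SNMP. The following script is an added example (not Fortinet code and not part of this page) that parses both outputs, checks that the SNMP totals and the named per-protocol columns agree with the CLI, and lists protocols where detections are counted but not blocked, which is what an avmonitor action produces. It maps only the OID columns that this page labels (fgAvVirusDetected, fgAvVirusBlocked, fgAvHTTPVirusDetected, fgAvFTPVirusDetected, fgAvFTPVirusBlocked); the unlabelled columns are parsed but not named. The sample CLI and snmpwalk text is constructed to match the results shown in steps 6 and 7.

```python
"""Cross-check FortiGate flow-AV counters from the CLI and from SNMP.

Added example, not Fortinet's code. It parses `diagnose ips av stats show`
output and the snmpwalk of the fgAvStats table, then verifies the two views
agree and reports protocols whose detections are not being blocked.
"""
import re

# Base OID of the AV statistics table walked in step 7 of the page.
FG_AV_STATS_PREFIX = "1.3.6.1.4.1.12356.101.8.2.1.1"

# Column index -> (protocol or "ALL", counter). Only columns named on the
# page are mapped; other columns are parsed but deliberately left unnamed.
NAMED_COLUMNS = {
    1: ("ALL", "detected"),   # fgAvVirusDetected
    2: ("ALL", "blocked"),    # fgAvVirusBlocked
    3: ("HTTP", "detected"),  # fgAvHTTPVirusDetected
    11: ("FTP", "detected"),  # fgAvFTPVirusDetected
    12: ("FTP", "blocked"),   # fgAvFTPVirusBlocked
}

# Constructed sample: CLI output after the HTTP (avmonitor) and FTP (quarantine) tests.
CLI_SAMPLE = """\
AV stats:
HTTP virus detected: 1
HTTP virus blocked: 0
SMTP virus detected: 0
SMTP virus blocked: 0
POP3 virus detected: 0
POP3 virus blocked: 0
IMAP virus detected: 0
IMAP virus blocked: 0
NNTP virus detected: 0
NNTP virus blocked: 0
FTP virus detected: 1
FTP virus blocked: 1
SMB virus detected: 0
SMB virus blocked: 0
"""

# Constructed sample: the labelled rows of the snmpwalk from the same state.
SNMP_SAMPLE = """\
iso.3.6.1.4.1.12356.101.8.2.1.1.1.1 = Counter32: 2 (fgAvVirusDetected)
iso.3.6.1.4.1.12356.101.8.2.1.1.2.1 = Counter32: 1 (fgAvVirusBlocked)
iso.3.6.1.4.1.12356.101.8.2.1.1.3.1 = Counter32: 1 (fgAvHTTPVirusDetected)
iso.3.6.1.4.1.12356.101.8.2.1.1.4.1 = Counter32: 0
iso.3.6.1.4.1.12356.101.8.2.1.1.11.1 = Counter32: 1 (fgAvFTPVirusDetected)
iso.3.6.1.4.1.12356.101.8.2.1.1.12.1 = Counter32: 1 (fgAvFTPVirusBlocked)
"""

CLI_LINE = re.compile(r"^(\w+) virus (detected|blocked):\s*(\d+)$")
# Accepts both the default "iso." prefix and the numeric ".1." prefix from `snmpwalk -On`.
SNMP_LINE = re.compile(r"^(?:iso|\.?1)((?:\.\d+)+)\s*=\s*Counter32:\s*(\d+)")


def parse_cli_stats(text):
    """Return {protocol: {"detected": n, "blocked": n}} from the CLI output."""
    stats = {}
    for line in text.splitlines():
        m = CLI_LINE.match(line.strip())
        if m:
            proto, kind, value = m.groups()
            stats.setdefault(proto, {})[kind] = int(value)
    return stats


def parse_snmp_walk(text):
    """Return {column_index: value} for rows under the fgAvStats table OID."""
    columns = {}
    for line in text.splitlines():
        m = SNMP_LINE.match(line.strip())
        if not m:
            continue
        oid = "1" + m.group(1)  # normalise "iso." to a numeric OID
        if not oid.startswith(FG_AV_STATS_PREFIX + "."):
            continue
        suffix = oid[len(FG_AV_STATS_PREFIX) + 1:]  # "<column>.<row>"
        columns[int(suffix.split(".")[0])] = int(m.group(2))
    return columns


def cross_check(cli, snmp):
    """Return mismatch descriptions for every named SNMP column; [] means the views agree."""
    totals = {
        "detected": sum(v.get("detected", 0) for v in cli.values()),
        "blocked": sum(v.get("blocked", 0) for v in cli.values()),
    }
    mismatches = []
    for column, (proto, kind) in sorted(NAMED_COLUMNS.items()):
        expected = totals[kind] if proto == "ALL" else cli.get(proto, {}).get(kind, 0)
        actual = snmp.get(column)
        if actual != expected:
            mismatches.append(f"column {column} ({proto} {kind}): SNMP={actual} CLI={expected}")
    return mismatches


def monitor_only_protocols(cli):
    """Protocols with more detections than blocks, i.e. a monitor-only AV action."""
    return sorted(p for p, v in cli.items() if v.get("detected", 0) > v.get("blocked", 0))


if __name__ == "__main__":
    cli = parse_cli_stats(CLI_SAMPLE)
    snmp = parse_snmp_walk(SNMP_SAMPLE)
    for line in cross_check(cli, snmp) or ["CLI and SNMP AV counters agree"]:
        print(line)
    for proto in monitor_only_protocols(cli):
        print(f"{proto}: detections are counted but not blocked (monitor-only action)")
```

Run it against a real device by pasting the two command outputs in place of the constructed samples; `cross_check` returning a non-empty list after `diagnose ips av stats clear` on one side but not a fresh walk on the other is the expected sign that the two readings were taken at different times.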
