Checking flow antivirus statistics

This feature provides a check of flow-mode antivirus statistics on the CLI, and an SNMP API for retrieving the same AV statistics.

Two CLI commands are used to show and clear the antivirus statistics:

diagnose ips av stats show

diagnose ips av stats clear

This example uses the following topology:

To check flow antivirus statistics:
  1. Create an antivirus profile:
    config antivirus profile
        edit "av-test"
            config http
                set options scan avmonitor
            end
            config ftp
                set options scan quarantine
            end
        next
    end
  2. Enable the profile on a firewall policy:
    config firewall policy
        edit 1
            set name "policy1"
            set srcintf "port2"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set fsso disable
            set av-profile "av-test"
            set ssl-ssh-profile "custom-deep-inspection"
            set nat enable
        next
    end
  3. On the client PC, download the EICAR Standard Anti-Virus Test File via HTTP.
  4. Check the antivirus statistics on the FortiGate. Because the HTTP action is monitor, the HTTP virus detected counter increases by 1 while HTTP virus blocked stays at 0 (the file is logged, not blocked):
    # diagnose ips av stats show
    AV stats:
    HTTP virus detected: 1
    HTTP virus blocked: 0
    SMTP virus detected: 0
    SMTP virus blocked: 0
    POP3 virus detected: 0
    POP3 virus blocked: 0
    IMAP virus detected: 0
    IMAP virus blocked: 0
    NNTP virus detected: 0
    NNTP virus blocked: 0
    FTP virus detected: 0
    FTP virus blocked: 0
    SMB virus detected: 0
    SMB virus blocked: 0
  5. On the client PC, download the EICAR file via FTP.
  6. Check the antivirus statistics on the FortiGate. Because the FTP action is quarantine, both FTP virus detected and FTP virus blocked increase by 1:
    # diagnose ips av stats show
    AV stats:
    HTTP virus detected: 1
    HTTP virus blocked: 0
    SMTP virus detected: 0
    SMTP virus blocked: 0
    POP3 virus detected: 0
    POP3 virus blocked: 0
    IMAP virus detected: 0
    IMAP virus blocked: 0
    NNTP virus detected: 0
    NNTP virus blocked: 0
    FTP virus detected: 1
    FTP virus blocked: 1
    SMB virus detected: 0
    SMB virus blocked: 0
  7. Check the antivirus statistics using snmpwalk:
    root:~# snmpwalk -c public -v 1 10.1.100.6 1.3.6.1.4.1.12356.101.8.2.1.1
    iso.3.6.1.4.1.12356.101.8.2.1.1.1.1 = Counter32: 2  (fgAvVirusDetected)
    iso.3.6.1.4.1.12356.101.8.2.1.1.2.1 = Counter32: 1  (fgAvVirusBlocked)
    iso.3.6.1.4.1.12356.101.8.2.1.1.3.1 = Counter32: 1  (fgAvHTTPVirusDetected)
    iso.3.6.1.4.1.12356.101.8.2.1.1.4.1 = Counter32: 0
    iso.3.6.1.4.1.12356.101.8.2.1.1.5.1 = Counter32: 0
    iso.3.6.1.4.1.12356.101.8.2.1.1.6.1 = Counter32: 0
    iso.3.6.1.4.1.12356.101.8.2.1.1.7.1 = Counter32: 0
    iso.3.6.1.4.1.12356.101.8.2.1.1.8.1 = Counter32: 0
    iso.3.6.1.4.1.12356.101.8.2.1.1.9.1 = Counter32: 0
    iso.3.6.1.4.1.12356.101.8.2.1.1.10.1 = Counter32: 0
    iso.3.6.1.4.1.12356.101.8.2.1.1.11.1 = Counter32: 1  (fgAvFTPVirusDetected)
    iso.3.6.1.4.1.12356.101.8.2.1.1.12.1 = Counter32: 1  (fgAvFTPVirusBlocked)
    iso.3.6.1.4.1.12356.101.8.2.1.1.13.1 = Counter32: 0
    iso.3.6.1.4.1.12356.101.8.2.1.1.14.1 = Counter32: 0
    iso.3.6.1.4.1.12356.101.8.2.1.1.15.1 = Counter32: 0
    iso.3.6.1.4.1.12356.101.8.2.1.1.16.1 = Counter32: 0
    iso.3.6.1.4.1.12356.101.8.2.1.1.17.1 = Counter32: 0
    iso.3.6.1.4.1.12356.101.8.2.1.1.18.1 = Counter32: 0
    iso.3.6.1.4.1.12356.101.8.2.1.1.19.1 = Counter32: 0
    iso.3.6.1.4.1.12356.101.8.2.1.1.20.1 = Counter32: 0
    iso.3.6.1.4.1.12356.101.8.2.1.1.21.1 = Counter32: 0
    iso.3.6.1.4.1.12356.101.8.2.1.1.22.1 = Counter32: 0
  8. Optionally, reset the antivirus statistics to zero:
    diagnose ips av stats clear
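The counters above are cumulative until they are cleared, so a monitoring job needs to diff snapshots and sanity-check the CLI and SNMP views against each other. The following script is an added example, not Fortinet's code: it parses the `diagnose ips av stats show` and snmpwalk listings from this procedure (embedded as constructed samples), reports which counters grew between step 4 and step 6, and checks that the global SNMP counters equal the sum of the per-protocol CLI counters, that no protocol blocks more than it detects, and that the SNMP columns this page labels (indices 1, 2, 3, 11 and 12) agree with their CLI counterparts. Unlabeled column indices are kept as bare numbers rather than guessed.

```python
"""Parse and cross-check FortiGate flow antivirus statistics (added example)."""
import re

# Constructed sample: CLI output after the HTTP download (step 4).
CLI_AFTER_HTTP = """\
AV stats:
HTTP virus detected: 1
HTTP virus blocked: 0
SMTP virus detected: 0
SMTP virus blocked: 0
POP3 virus detected: 0
POP3 virus blocked: 0
IMAP virus detected: 0
IMAP virus blocked: 0
NNTP virus detected: 0
NNTP virus blocked: 0
FTP virus detected: 0
FTP virus blocked: 0
SMB virus detected: 0
SMB virus blocked: 0
"""

# Constructed sample: CLI output after the FTP download (step 6); only the
# FTP counters differ from the snapshot above.
CLI_AFTER_FTP = CLI_AFTER_HTTP.replace(
    "FTP virus detected: 0\nFTP virus blocked: 0",
    "FTP virus detected: 1\nFTP virus blocked: 1")

# Constructed sample: snmpwalk output from step 7, trimmed to a few rows. The
# trailing annotations are kept as the page shows them; the parser skips them.
SNMP_WALK = """\
root:~# snmpwalk -c public -v 1 10.1.100.6 1.3.6.1.4.1.12356.101.8.2.1.1
iso.3.6.1.4.1.12356.101.8.2.1.1.1.1 = Counter32: 2  (fgAvVirusDetected)
iso.3.6.1.4.1.12356.101.8.2.1.1.2.1 = Counter32: 1  (fgAvVirusBlocked)
iso.3.6.1.4.1.12356.101.8.2.1.1.3.1 = Counter32: 1  (fgAvHTTPVirusDetected)
iso.3.6.1.4.1.12356.101.8.2.1.1.4.1 = Counter32: 0
iso.3.6.1.4.1.12356.101.8.2.1.1.11.1 = Counter32: 1  (fgAvFTPVirusDetected)
iso.3.6.1.4.1.12356.101.8.2.1.1.12.1 = Counter32: 1  (fgAvFTPVirusBlocked)
"""

# Only the column indices the page labels are mapped to MIB names; any other
# index is kept as a bare number (assumption: the rest are not guessed here).
LABELED_OIDS = {1: "fgAvVirusDetected", 2: "fgAvVirusBlocked",
                3: "fgAvHTTPVirusDetected",
                11: "fgAvFTPVirusDetected", 12: "fgAvFTPVirusBlocked"}
SNMP_TO_CLI = {"fgAvHTTPVirusDetected": ("HTTP", "detected"),
               "fgAvFTPVirusDetected": ("FTP", "detected"),
               "fgAvFTPVirusBlocked": ("FTP", "blocked")}

CLI_LINE = re.compile(r"^(\w+) virus (detected|blocked):\s*(\d+)$")
SNMP_LINE = re.compile(r"\.12356\.101\.8\.2\.1\.1\.(\d+)\.1 = Counter32: (\d+)")


def parse_cli(text):
    """Map (protocol, 'detected'|'blocked') -> count from 'diagnose ips av stats show'."""
    stats = {}
    for line in text.splitlines():
        m = CLI_LINE.match(line.strip())
        if m:
            stats[(m.group(1), m.group(2))] = int(m.group(3))
    return stats


def parse_snmp(text):
    """Map MIB name (or bare column index) -> Counter32 value from an snmpwalk."""
    counters = {}
    for line in text.splitlines():
        m = SNMP_LINE.search(line)
        if m:
            idx = int(m.group(1))
            counters[LABELED_OIDS.get(idx, idx)] = int(m.group(2))
    return counters


def counter_deltas(before, after):
    """Counters are cumulative until 'diagnose ips av stats clear'; report growth."""
    return {k: after[k] - before.get(k, 0)
            for k in after if after[k] != before.get(k, 0)}


def check_consistency(cli, snmp):
    """Return a list of discrepancies between a CLI snapshot and the SNMP view."""
    problems = []
    totals = {"detected": 0, "blocked": 0}
    for (_proto, kind), value in cli.items():
        totals[kind] += value
    # Global SNMP counters must equal the sum of the per-protocol CLI counters.
    for name, kind in (("fgAvVirusDetected", "detected"), ("fgAvVirusBlocked", "blocked")):
        if snmp.get(name) != totals[kind]:
            problems.append(f"{name}={snmp.get(name)} but CLI {kind} total={totals[kind]}")
    # A protocol cannot block more files than it detected.
    for proto in sorted({p for p, _ in cli}):
        if cli.get((proto, "blocked"), 0) > cli.get((proto, "detected"), 0):
            problems.append(f"{proto}: blocked exceeds detected")
    # Labeled per-protocol SNMP columns must match their CLI counterparts.
    for name, key in SNMP_TO_CLI.items():
        if name in snmp and snmp[name] != cli.get(key):
            problems.append(f"{name}={snmp[name]} but CLI {key}={cli.get(key)}")
    return problems


if __name__ == "__main__":
    before, after = parse_cli(CLI_AFTER_HTTP), parse_cli(CLI_AFTER_FTP)
    print("grew between step 4 and step 6:", counter_deltas(before, after))
    print("discrepancies:", check_consistency(after, parse_snmp(SNMP_WALK)) or "none")
```

Run against the page's own numbers, the delta reports the FTP detected and blocked counters growing by one each, and the consistency check is clean; feeding it the step 4 snapshot instead flags that fgAvVirusDetected (2) no longer matches the CLI total (1), which is the kind of drift a poller should alert on after someone runs `diagnose ips av stats clear` between samples.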
