FortiAI inline blocking and integration with an AV profile 7.0.1

This enhancement allows FortiAI to be used with antivirus profiles in proxy inspection mode (flow mode is currently not supported). FortiAI inspects high-risk files and issues a verdict to the firewall based on how close the file features match those of malware. When enabled, FortiAI can log, block, ignore, or monitor (allow) the file based on the verdict.

A licensed FortiAI appliance with version 1.5.1 or later is required to use this feature.

To configure FortiAI inline inspection with an AV profile:

Enable the Security Fabric and configure the interface to allow other Security Fabric devices to join (see Configuring the root FortiGate and downstream FortiGates in the FortiOS Administration Guide).
Install the FortiAI appliance and activate the product with a valid license (see Registering products in the Asset Management Guide). A license file is provided after the product is registered.
In FortiAI, go to System > FortiGuard and verify that the pre-trained models (engines) are up to date. Refer to the FortiGuard website for the latest FortiAI ANN versions.
Configure and authorize the FortiGate in the FortiAI GUI to join the Security Fabric:
1. Go to Security Fabric > Fabric Connectors and double-click the connector card.
2. Click the toggle to Enable Security Fabric.
3. Enter the FortiGate Root IP address and the FortiAI IP address.
4. Click OK. The FortiAI is now authorized.
Authorize the FortiAI in FortiOS:
1. Go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
2. In the topology tree, click the highlighted FortiAI serial number and select Authorize.
3. Click Accept to verify the device certificate.

In the CLI, enable FortiAI inline inspection:

config system fortiai
    set status enable
end

Configure an AV profile to use inline inspection and block detected infections:

config antivirus profile
    edit "av"
        set feature-set proxy
        config http
            set fortiai block
        end
        config ftp
            set fortiai block
        end
        config imap
            set fortiai block
        end
        config pop3
            set fortiai block
        end
        config smtp
            set fortiai block
        end
        config mapi
            set fortiai block
        end
        config nntp
            set fortiai block
        end
        config cifs
            set fortiai block
        end
        config ssh
            set fortiai block
        end
    next
end

Add the AV profile to a firewall policy. When potential infections are blocked by FortiAI inline inspection, a replacement message appears (FortiAI Block Page, see Replacement messages for more information). An infection blocked over HTTP looks similar to the following:

Sample log

date=2021-04-29 time=15:12:07 eventtime=1619734327633022960 tz="-0700" logid="0209008221" type="utm" subtype="virus" eventtype="fortiai" level="notice" vd="vdom1" policyid=1 msg="Detected by FortiAI." action="monitored" service="HTTP" sessionid=13312 srcip=10.1.100.221 dstip=172.16.200.224 srcport=50792 dstport=80 srcintf="wan2" srcintfrole="wan" dstintf="wan1" dstintfrole="wan" proto=6 direction="incoming" filename="detected_samples.zip" quarskip="File-was-not-quarantined" virus="MSIL/Kryptik.KVH!tr" dtype="FortiAI" ref="http://www.fortinet.com/ve?vn=MSIL%2FKryptik.KVH%21tr" virusid=0 url="http://172.16.200.224/avengine_ai/detected_samples.zip" profile="av" agent="curl/7.68.0" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"

FortiAI inline inspection with other AV inspection methods

The following inspection logic applies when FortiAI inline inspection is enabled simultaneously with other AV inspection methods. The AV engine inspection and its verdict always takes precedence because of performance. The actual behavior depends on which inspected protocol is used.

HTTP, FTP, SSH, and CIFS protocols:

AV engine scan; AV database and FortiSandbox database (if applicable).
1. FortiAI inline inspection occurs simultaneously.
AV engine machine learning detection for WinPE PUPs (potentially unwanted programs).
1. FortiAI inline inspection occurs simultaneously.
Outbreak prevention and external hash list resources.
1. FortiAI inline inspection occurs simultaneously.

If any AV inspection method returns an infected verdict, the FortiAI inspection is aborted.

POP3, IMAP, SMTP, NNTP, and MAPI protocols:

AV engine scan; AV database and FortiSandbox database (if applicable).
AV engine machine learning detection for WinPE PUPs (potentially unwanted programs).
1. FortiAI inline inspection occurs simultaneously.
Outbreak prevention and external hash list resources.
1. FortiAI inline inspection occurs simultaneously.

In an AV profile, use set fortiai-error-action {log-only | block | ignore} to configure the action to take if FortiAI encounters an error.

Accepted file types

The following file types are sent to FortiAI for inline inspection:

ARJ

BZIP

BZIP2

CAB

ELF

GZIP

HTML

LZH

LZW

MS Office documents (XML and non-XML)

PDF

RAR

RTF

TAR

VBA

VBS

WinPE (EXE)

ZIP

FortiAI inline blocking and integration with an AV profile 7.0.1

A licensed FortiAI appliance with version 1.5.1 or later is required to use this feature.

To configure FortiAI inline inspection with an AV profile:

Enable the Security Fabric and configure the interface to allow other Security Fabric devices to join (see Configuring the root FortiGate and downstream FortiGates in the FortiOS Administration Guide).
Install the FortiAI appliance and activate the product with a valid license (see Registering products in the Asset Management Guide). A license file is provided after the product is registered.
In FortiAI, go to System > FortiGuard and verify that the pre-trained models (engines) are up to date. Refer to the FortiGuard website for the latest FortiAI ANN versions.
Configure and authorize the FortiGate in the FortiAI GUI to join the Security Fabric:
1. Go to Security Fabric > Fabric Connectors and double-click the connector card.
2. Click the toggle to Enable Security Fabric.
3. Enter the FortiGate Root IP address and the FortiAI IP address.
4. Click OK. The FortiAI is now authorized.
Authorize the FortiAI in FortiOS:
1. Go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
2. In the topology tree, click the highlighted FortiAI serial number and select Authorize.
3. Click Accept to verify the device certificate.

In the CLI, enable FortiAI inline inspection:

config system fortiai
    set status enable
end

Configure an AV profile to use inline inspection and block detected infections:

config antivirus profile
    edit "av"
        set feature-set proxy
        config http
            set fortiai block
        end
        config ftp
            set fortiai block
        end
        config imap
            set fortiai block
        end
        config pop3
            set fortiai block
        end
        config smtp
            set fortiai block
        end
        config mapi
            set fortiai block
        end
        config nntp
            set fortiai block
        end
        config cifs
            set fortiai block
        end
        config ssh
            set fortiai block
        end
    next
end

Add the AV profile to a firewall policy. When potential infections are blocked by FortiAI inline inspection, a replacement message appears (FortiAI Block Page, see Replacement messages for more information). An infection blocked over HTTP looks similar to the following:

Sample log

date=2021-04-29 time=15:12:07 eventtime=1619734327633022960 tz="-0700" logid="0209008221" type="utm" subtype="virus" eventtype="fortiai" level="notice" vd="vdom1" policyid=1 msg="Detected by FortiAI." action="monitored" service="HTTP" sessionid=13312 srcip=10.1.100.221 dstip=172.16.200.224 srcport=50792 dstport=80 srcintf="wan2" srcintfrole="wan" dstintf="wan1" dstintfrole="wan" proto=6 direction="incoming" filename="detected_samples.zip" quarskip="File-was-not-quarantined" virus="MSIL/Kryptik.KVH!tr" dtype="FortiAI" ref="http://www.fortinet.com/ve?vn=MSIL%2FKryptik.KVH%21tr" virusid=0 url="http://172.16.200.224/avengine_ai/detected_samples.zip" profile="av" agent="curl/7.68.0" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"

FortiAI inline inspection with other AV inspection methods

HTTP, FTP, SSH, and CIFS protocols:

AV engine scan; AV database and FortiSandbox database (if applicable).
1. FortiAI inline inspection occurs simultaneously.
AV engine machine learning detection for WinPE PUPs (potentially unwanted programs).
1. FortiAI inline inspection occurs simultaneously.
Outbreak prevention and external hash list resources.
1. FortiAI inline inspection occurs simultaneously.

If any AV inspection method returns an infected verdict, the FortiAI inspection is aborted.

POP3, IMAP, SMTP, NNTP, and MAPI protocols:

AV engine scan; AV database and FortiSandbox database (if applicable).
AV engine machine learning detection for WinPE PUPs (potentially unwanted programs).
1. FortiAI inline inspection occurs simultaneously.
Outbreak prevention and external hash list resources.
1. FortiAI inline inspection occurs simultaneously.

In an AV profile, use set fortiai-error-action {log-only | block | ignore} to configure the action to take if FortiAI encounters an error.

Accepted file types

The following file types are sent to FortiAI for inline inspection:

ARJ

BZIP

BZIP2

CAB

ELF

GZIP

HTML

LZH

LZW

MS Office documents (XML and non-XML)

PDF

RAR

RTF

TAR

VBA

VBS

WinPE (EXE)

ZIP

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

New Features

FortiAI inline blocking and integration with an AV profile 7.0.1

FortiAI inline blocking and integration with an AV profile 7.0.1

To configure FortiAI inline inspection with an AV profile:

Sample log

FortiAI inline inspection with other AV inspection methods

HTTP, FTP, SSH, and CIFS protocols:

POP3, IMAP, SMTP, NNTP, and MAPI protocols:

Accepted file types

FortiAI inline blocking and integration with an AV profile 7.0.1

FortiAI inline blocking and integration with an AV profile 7.0.1

To configure FortiAI inline inspection with an AV profile:

Sample log

FortiAI inline inspection with other AV inspection methods