UTM scanning on TCP forwarding access proxy traffic 7.0.4
UTM scanning and deep inspection are supported for multiple protocols in a ZTNA TCP forwarding access proxy. In addition to HTTP and HTTPS, the mail protocols (SMTP, IMAP, and POP3) and file sharing protocols (SMB and CIFS) are supported.
Examples
This topology is used in the following four examples. For detailed instructions regarding configuring a TCP forwarding access proxy (TFAP), ZTNA rules (proxy policy), and ZTNA connection rules (FortiClient), refer to ZTNA TCP forwarding access proxy example in the FortiOS Administration Guide.
AV scanning for normal POP3, IMAP, and SMTP traffic
To configure AV scanning for normal POP3, IMAP, and SMTP traffic:
- In FortiClient, add ZTNA connection rules for the email server IP and POP3, IMAP, and SMTP ports.
- In FortiOS, configure the ZTNA TCP forwarding server to add the email server address and enable AV profile scanning in the ZTNA rules.
- On the client PC, open the Outlook app and send emails with attachments containing virus-infected files.
- The ZTNA rule on the FortiGate blocks the email send/receive traffic and generates AV logs.
Sample logs
4: date=2022-01-13 time=16:13:04 eventtime=1642119184944916750 tz="-0800" logid="0211008194" type="utm" subtype="virus" eventtype="infected" level="warning" vd="vdom1" policyid=1 poluuid="325d4516-74a8-51ec-db9b-a5511f9a7842" policytype="proxy-policy" msg="MIME header detected to have a virus and blocked." action="attachment-removed" service="POP3" sessionid=49481 srcip=10.1.100.44 dstip=172.16.200.55 srcport=62056 dstport=110 srccountry="Reserved" dstcountry="Reserved" srcintf="port21" srcintfrole="undefined" dstintf="vdom1" dstintfrole="undefined" srcuuid="0f6255fa-742c-51ec-90fa-53966ea2dfeb" proto=6 direction="incoming" fctuid="90281C4D7C1B41AAB795DD870177BDAE" unauthuser="qa" unauthusersource="forticlient" srcdomain="releaseqa.fortinet.com" filename="eicar.exe" quarskip="Quarantine-disabled" virus="EICAR_TEST_FILE" viruscat="Virus" dtype="av-engine" ref="http://www.fortinet.com/ve?vn=EICAR_TEST_FILE" virusid=2172 profile="test-av" from="testpc3@qa.fortinet.com" to="testpc3@qa.fortinet.com" recipient="testpc3" subject="ZTNA av01" attachment="yes" analyticscksum="e39ed6986b7df43e394a71357929e3a2e5b72fa0d170246b47cb7fb6675eda3d" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"
5: date=2022-01-13 time=15:32:46 eventtime=1642116766716926977 tz="-0800" logid="0211008194" type="utm" subtype="virus" eventtype="infected" level="warning" vd="vdom1" policyid=1 poluuid="325d4516-74a8-51ec-db9b-a5511f9a7842" policytype="proxy-policy" msg="MIME header detected to have a virus and blocked." action="attachment-removed" service="IMAP" sessionid=43017 srcip=10.1.100.44 dstip=172.16.200.55 srcport=61563 dstport=143 srccountry="Reserved" dstcountry="Reserved" srcintf="port21" srcintfrole="undefined" dstintf="vdom1" dstintfrole="undefined" srcuuid="0f6255fa-742c-51ec-90fa-53966ea2dfeb" proto=6 direction="outgoing" fctuid="90281C4D7C1B41AAB795DD870177BDAE" unauthuser="qa" unauthusersource="forticlient" srcdomain="releaseqa.fortinet.com" filename="eicar.exe" quarskip="Quarantine-disabled" virus="EICAR_TEST_FILE" viruscat="Virus" dtype="av-engine" ref="http://www.fortinet.com/ve?vn=EICAR_TEST_FILE" virusid=2172 profile="test-av" from="testpc3@qa.fortinet.com" to="testpc3@qa.fortinet.com" recipient="\"testpc3\"" subject="ZTNA av testing" attachment="yes" analyticscksum="e39ed6986b7df43e394a71357929e3a2e5b72fa0d170246b47cb7fb6675eda3d" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"
6: date=2022-01-13 time=15:32:44 eventtime=1642116764260408431 tz="-0800" logid="0211008194" type="utm" subtype="virus" eventtype="infected" level="warning" vd="vdom1" policyid=1 poluuid="325d4516-74a8-51ec-db9b-a5511f9a7842" policytype="proxy-policy" msg="MIME header detected to have a virus and blocked." action="blocked" service="SMTP" sessionid=43006 srcip=10.1.100.44 dstip=172.16.200.55 srcport=61559 dstport=25 srccountry="Reserved" dstcountry="Reserved" srcintf="port21" srcintfrole="undefined" dstintf="vdom1" dstintfrole="undefined" srcuuid="0f6255fa-742c-51ec-90fa-53966ea2dfeb" proto=6 direction="outgoing" fctuid="90281C4D7C1B41AAB795DD870177BDAE" unauthuser="qa" unauthusersource="forticlient" srcdomain="releaseqa.fortinet.com" filename="eicar.exe" quarskip="Quarantine-disabled" virus="EICAR_TEST_FILE" viruscat="Virus" dtype="av-engine" ref="http://www.fortinet.com/ve?vn=EICAR_TEST_FILE" virusid=2172 profile="test-av" from="testpc3@qa.fortinet.com" to="testpc3@qa.fortinet.com" sender="testpc3@qa.fortinet.com" recipient="testpc3@qa.fortinet.com" subject="ZTNA av testing" attachment="yes" analyticscksum="e39ed6986b7df43e394a71357929e3a2e5b72fa0d170246b47cb7fb6675eda3d" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"
AV deep scanning for SSL encrypted POP3S, IMAPS, and SMTPS traffic
To configure AV deep scanning for SSL encrypted POP3S, IMAPS, and SMTPS traffic:
- In FortiClient, add ZTNA connection rules for the email server IP and POP3S, IMAPS, and SMTPS ports.
- In FortiOS, configure the ZTNA TCP forwarding server to add the email server address and enable AV profile scanning in the ZTNA rules.
- On the client PC, open the Outlook app and send emails with attachments containing virus-infected files.
- The ZTNA rule on the FortiGate blocks the email send/receive traffic and generates AV logs.
Sample logs
1: date=2022-01-13 time=16:43:57 eventtime=1642121036970794477 tz="-0800" logid="0211008194" type="utm" subtype="virus" eventtype="infected" level="warning" vd="vdom1" policyid=1 poluuid="325d4516-74a8-51ec-db9b-a5511f9a7842" policytype="proxy-policy" msg="MIME header detected to have a virus and blocked." action="attachment-removed" service="IMAPS" sessionid=54283 srcip=10.1.100.44 dstip=172.16.200.55 srcport=62142 dstport=143 srccountry="Reserved" dstcountry="Reserved" srcintf="port21" srcintfrole="undefined" dstintf="vdom1" dstintfrole="undefined" srcuuid="0f6255fa-742c-51ec-90fa-53966ea2dfeb" proto=6 direction="outgoing" fctuid="90281C4D7C1B41AAB795DD870177BDAE" unauthuser="qa" unauthusersource="forticlient" srcdomain="releaseqa.fortinet.com" filename="eicar.exe" quarskip="Quarantine-disabled" virus="EICAR_TEST_FILE" viruscat="Virus" dtype="av-engine" ref="http://www.fortinet.com/ve?vn=EICAR_TEST_FILE" virusid=2172 profile="test-av" from="testpc3@qa.fortinet.com" to="testpc3@qa.fortinet.com" recipient="\"testpc3\"" subject="ZTNA ssl port av test" attachment="yes" analyticscksum="e39ed6986b7df43e394a71357929e3a2e5b72fa0d170246b47cb7fb6675eda3d" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"
2: date=2022-01-13 time=16:43:54 eventtime=1642121034843926858 tz="-0800" logid="0211008194" type="utm" subtype="virus" eventtype="infected" level="warning" vd="vdom1" policyid=1 poluuid="325d4516-74a8-51ec-db9b-a5511f9a7842" policytype="proxy-policy" msg="MIME header detected to have a virus and blocked." action="blocked" service="SMTPS" sessionid=54276 srcip=10.1.100.44 dstip=172.16.200.55 srcport=62140 dstport=25 srccountry="Reserved" dstcountry="Reserved" srcintf="port21" srcintfrole="undefined" dstintf="vdom1" dstintfrole="undefined" srcuuid="0f6255fa-742c-51ec-90fa-53966ea2dfeb" proto=6 direction="outgoing" fctuid="90281C4D7C1B41AAB795DD870177BDAE" unauthuser="qa" unauthusersource="forticlient" srcdomain="releaseqa.fortinet.com" filename="eicar.exe" quarskip="Quarantine-disabled" virus="EICAR_TEST_FILE" viruscat="Virus" dtype="av-engine" ref="http://www.fortinet.com/ve?vn=EICAR_TEST_FILE" virusid=2172 profile="test-av" from="testpc3@qa.fortinet.com" to="testpc3@qa.fortinet.com" sender="testpc3@qa.fortinet.com" recipient="testpc3@qa.fortinet.com" subject="ZTNA ssl port av test" attachment="yes" analyticscksum="e39ed6986b7df43e394a71357929e3a2e5b72fa0d170246b47cb7fb6675eda3d" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"
3: date=2022-01-13 time=16:35:47 eventtime=1642120547940825448 tz="-0800" logid="0211008194" type="utm" subtype="virus" eventtype="infected" level="warning" vd="vdom1" policyid=1 poluuid="325d4516-74a8-51ec-db9b-a5511f9a7842" policytype="proxy-policy" msg="MIME header detected to have a virus and blocked." action="attachment-removed" service="POP3S" sessionid=52986 srcip=10.1.100.44 dstip=172.16.200.55 srcport=62114 dstport=995 srccountry="Reserved" dstcountry="Reserved" srcintf="port21" srcintfrole="undefined" dstintf="vdom1" dstintfrole="undefined" srcuuid="0f6255fa-742c-51ec-90fa-53966ea2dfeb" proto=6 direction="incoming" fctuid="90281C4D7C1B41AAB795DD870177BDAE" unauthuser="qa" unauthusersource="forticlient" srcdomain="releaseqa.fortinet.com" filename="eicar.com" quarskip="Quarantine-disabled" virus="EICAR_TEST_FILE" viruscat="Virus" dtype="av-engine" ref="http://www.fortinet.com/ve?vn=EICAR_TEST_FILE" virusid=2172 profile="test-av" from="testpc3@qa.fortinet.com" to="testpc3@qa.fortinet.com" recipient="testpc3" subject="Hayder virus " attachment="yes" analyticscksum="275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"
AV scanning for SMB service traffic
To configure AV scanning for SMB service traffic:
- In FortiClient, add ZTNA connection rules for the SMB file sharing server IP and ports.
- In FortiOS, configure the ZTNA TCP forwarding server to add the SMB server address and enable AV profile scanning in the ZTNA rules.
- On the client PC, upload and download virus-infected files to and from the SMB server.
- The ZTNA rule on the FortiGate blocks the SMB file upload/download traffic and generates AV logs.
Sample logs
1: date=2022-01-13 time=18:59:47 eventtime=1642129187739702864 tz="-0800" logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" vd="root" policyid=1 poluuid="c6c33072-aa18-51eb-5fe7-cfc4055b0e7d" policytype="proxy-policy" msg="File is infected." action="blocked" service="SMB" sessionid=403485 srcip=192.168.4.119 dstip=172.16.100.80 srcport=58569 dstport=445 srccountry="Reserved" dstcountry="Reserved" srcintf="port4" srcintfrole="undefined" dstintf="root" dstintfrole="undefined" srcuuid="88a8d5b0-4f66-51eb-26a7-cfcffb04b300" proto=6 direction="outgoing" fctuid="C7F3ACD19E174AADBB96B2DCF3B75D52" unauthuser="fosqa" unauthusersource="forticlient" filename="eicar.gz" quarskip="Quarantine-disabled" virus="EICAR_TEST_FILE" viruscat="Virus" dtype="av-engine" ref="http://www.fortinet.com/ve?vn=EICAR_TEST_FILE" virusid=2172 profile="test-av" analyticscksum="59ec794669c00c9de24539aa5f53ab2e61a63ff2517c1a7fa1f9ac2298678a77" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"
2: date=2022-01-13 time=18:59:47 eventtime=1642129187713723634 tz="-0800" logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" vd="root" policyid=1 poluuid="c6c33072-aa18-51eb-5fe7-cfc4055b0e7d" policytype="proxy-policy" msg="File is infected." action="blocked" service="SMB" sessionid=403485 srcip=192.168.4.119 dstip=172.16.100.80 srcport=58569 dstport=445 srccountry="Reserved" dstcountry="Reserved" srcintf="port4" srcintfrole="undefined" dstintf="root" dstintfrole="undefined" srcuuid="88a8d5b0-4f66-51eb-26a7-cfcffb04b300" proto=6 direction="outgoing" fctuid="C7F3ACD19E174AADBB96B2DCF3B75D52" unauthuser="fosqa" unauthusersource="forticlient" filename="eicar.tar" quarskip="Quarantine-disabled" virus="EICAR_TEST_FILE" viruscat="Virus" dtype="av-engine" ref="http://www.fortinet.com/ve?vn=EICAR_TEST_FILE" virusid=2172 profile="test-av" analyticscksum="b3c821df29abc46336495d604903bb13a99ce750bc61fab14491af7682e9663e" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"
File filter scanning for CIFS service traffic
To configure file filter scanning for CIFS service traffic:
- In FortiClient, add ZTNA connection rules for the CIFS server IP and port.
- In FortiOS, configure the ZTNA TCP forwarding server to add the CIFS server address and enable file filter profile scanning in the ZTNA rules.
- On the client PC, upload and download predefined file types (such as .EXE) to and from the CIFS server.
- The ZTNA rule on the FortiGate blocks the CIFS file upload/download traffic and generates file filter logs.
Sample logs
1: date=2022-01-13 time=18:23:40 eventtime=1642127020332998536 tz="-0800" logid="1900064000" type="utm" subtype="file-filter" eventtype="file-filter" level="warning" vd="root" policyid=1 poluuid="c6c33072-aa18-51eb-5fe7-cfc4055b0e7d" policytype="proxy-policy" sessionid=395500 srcip=192.168.4.119 srcport=58456 srccountry="Reserved" srcintf="port4" srcintfrole="undefined" srcuuid="88a8d5b0-4f66-51eb-26a7-cfcffb04b300" dstip=172.16.100.80 dstport=445 dstcountry="Reserved" dstintf="root" dstintfrole="undefined" proto=6 service="CIFS" profile="test_file_filter" direction="outgoing" action="blocked" filtername="file01" sharename="\\\\172.16.100.80\\Swap-1day" pathname="fhou" filename="winrar-x64-601.exe" filesize=524288 filetype="exe" msg="File was blocked by file filter." fctuid="C7F3ACD19E174AADBB96B2DCF3B75D52" unauthuser="fosqa" unauthusersource="forticlient"
2: date=2022-01-13 time=18:23:01 eventtime=1642126981266143580 tz="-0800" logid="1900064001" type="utm" subtype="file-filter" eventtype="file-filter" level="notice" vd="root" policyid=1 poluuid="c6c33072-aa18-51eb-5fe7-cfc4055b0e7d" policytype="proxy-policy" sessionid=395500 srcip=192.168.4.119 srcport=58456 srccountry="Reserved" srcintf="port4" srcintfrole="undefined" srcuuid="88a8d5b0-4f66-51eb-26a7-cfcffb04b300" dstip=172.16.100.80 dstport=445 dstcountry="Reserved" dstintf="root" dstintfrole="undefined" proto=6 service="CIFS" profile="test_file_filter" direction="incoming" action="passthrough" filtername="file01" sharename="\\\\172.16.100.80\\Swap-1day" pathname="fhou" filename="winrar-x64-601.exe" filesize=32768 filetype="exe" msg="File was detected by file filter." fctuid="C7F3ACD19E174AADBB96B2DCF3B75D52" unauthuser="fosqa" unauthusersource="forticlient"
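The records above are all in the FortiOS key=value log format, and each of the four examples produces the same handful of fields an analyst triages on (service, action, user, filename, signature or file type, share path). The following Python is an added example, not code from the FortiOS documentation or from Fortinet: it parses records of that format (including values with escaped quotes such as recipient="\"testpc3\"" and backslash-escaped UNC share paths), classifies each AV and file filter record as blocked or detect-only, and reduces a batch of records to a triage table. The sample records embedded in it are constructed, shortened versions modeled on the page's logs; the function names and the verdict labels are this example's own.

```python
import re
from collections import Counter

# One key=value token of a FortiOS log record. The value is either a
# double-quoted string in which '"' and '\' are backslash-escaped
# (recipient="\"testpc3\"", sharename="\\\\host\\share") or a bare word.
_TOKEN = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample records (hypothetical, modeled on the page's logs and
# shortened to the fields used below). The leading "N:" mimics CLI log output.
SAMPLE_LOGS = [
    r'4: date=2022-01-13 time=16:13:04 logid="0211008194" type="utm" subtype="virus" eventtype="infected" level="warning" policytype="proxy-policy" msg="MIME header detected to have a virus and blocked." action="attachment-removed" service="POP3" srcip=10.1.100.44 dstip=172.16.200.55 dstport=110 direction="incoming" unauthuser="qa" unauthusersource="forticlient" filename="eicar.exe" virus="EICAR_TEST_FILE" recipient="\"testpc3\"" subject="ZTNA av01"',
    r'6: date=2022-01-13 time=15:32:44 logid="0211008194" type="utm" subtype="virus" eventtype="infected" level="warning" policytype="proxy-policy" msg="MIME header detected to have a virus and blocked." action="blocked" service="SMTP" srcip=10.1.100.44 dstip=172.16.200.55 dstport=25 direction="outgoing" unauthuser="qa" unauthusersource="forticlient" filename="eicar.exe" virus="EICAR_TEST_FILE" ref="http://www.fortinet.com/ve?vn=EICAR_TEST_FILE" recipient="testpc3@qa.fortinet.com" subject="ZTNA av testing"',
    r'1: date=2022-01-13 time=18:59:47 logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" policytype="proxy-policy" msg="File is infected." action="blocked" service="SMB" srcip=192.168.4.119 dstip=172.16.100.80 dstport=445 direction="outgoing" unauthuser="fosqa" unauthusersource="forticlient" filename="eicar.gz" virus="EICAR_TEST_FILE"',
    r'1: date=2022-01-13 time=18:23:40 logid="1900064000" type="utm" subtype="file-filter" eventtype="file-filter" level="warning" policytype="proxy-policy" service="CIFS" profile="test_file_filter" direction="outgoing" action="blocked" filtername="file01" sharename="\\\\172.16.100.80\\Swap-1day" pathname="fhou" filename="winrar-x64-601.exe" filesize=524288 filetype="exe" msg="File was blocked by file filter." unauthuser="fosqa" srcip=192.168.4.119 dstip=172.16.100.80 dstport=445',
    r'2: date=2022-01-13 time=18:23:01 logid="1900064001" type="utm" subtype="file-filter" eventtype="file-filter" level="notice" policytype="proxy-policy" service="CIFS" profile="test_file_filter" direction="incoming" action="passthrough" filtername="file01" sharename="\\\\172.16.100.80\\Swap-1day" pathname="fhou" filename="winrar-x64-601.exe" filesize=32768 filetype="exe" msg="File was detected by file filter." unauthuser="fosqa" srcip=192.168.4.119 dstip=172.16.100.80 dstport=445',
]


def parse_fortios_log(line):
    """Parse one FortiOS key=value log record into a dict of strings.

    A leading record index such as '4: ' is dropped, quoted values are
    unquoted and unescaped, bare values (IPs, ports, ids) are kept as text.
    """
    line = re.sub(r'^\s*\d+:\s*', '', line.strip())
    fields = {}
    for key, raw in _TOKEN.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            fields[key] = re.sub(r'\\(.)', r'\1', raw[1:-1])  # \" -> ", \\ -> \
        else:
            fields[key] = raw
    return fields


def classify(fields):
    """Map a UTM record to a verdict label (this example's own labels):
    'av-blocked', 'av-detected', 'filefilter-blocked', 'filefilter-detected',
    or None for records that are not UTM events.

    For AV, both 'attachment-removed' (mail) and 'blocked' (SMTP, SMB) mean the
    payload did not reach its destination; anything else is treated as
    detect-only. For file filter, only 'blocked' stops the transfer.
    """
    if fields.get('type') != 'utm':
        return None
    action = fields.get('action', '')
    subtype = fields.get('subtype')
    if subtype == 'virus':
        return 'av-blocked' if action in ('blocked', 'attachment-removed') else 'av-detected'
    if subtype == 'file-filter':
        return 'filefilter-blocked' if action == 'blocked' else 'filefilter-detected'
    return None


def triage(lines):
    """Reduce raw records to the fields needed to triage ZTNA proxy UTM events."""
    rows = []
    for line in lines:
        f = parse_fortios_log(line)
        verdict = classify(f)
        if verdict is None:
            continue
        rows.append({
            'time': f.get('date', '') + ' ' + f.get('time', ''),
            'user': f.get('unauthuser', '?'),   # user identity supplied by FortiClient
            'src': f.get('srcip', '?'),
            'dst': f"{f.get('dstip', '?')}:{f.get('dstport', '?')}",
            'service': f.get('service', '?'),
            'direction': f.get('direction', '?'),
            'verdict': verdict,
            'file': f.get('filename', '?'),
            # AV records carry the signature name, file filter records the file type
            'indicator': f.get('virus') or f.get('filetype', '?'),
            'share': f.get('sharename', ''),
        })
    return rows


def verdict_counts(rows):
    """Count events per (service, verdict), e.g. as input to an alert threshold."""
    return Counter((r['service'], r['verdict']) for r in rows)


if __name__ == '__main__':
    rows = triage(SAMPLE_LOGS)
    for r in rows:
        print(f"{r['time']} {r['user']:6} {r['service']:5} {r['direction']:8} "
              f"{r['verdict']:19} {r['file']} ({r['indicator']}) {r['share']}")
    print(dict(verdict_counts(rows)))
```

The parser is the part worth keeping: a naive split on spaces or on `=` breaks on the `msg` text, on the `ref` URL (which contains `=`), and on the escaped recipient and UNC share values seen in the records above. Note that a CIFS file filter record with action="passthrough" and level="notice" is a detection only; if the rule is expected to block, that row is the one to look at.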