Administration Guide

Checking flow antivirus statistics

Two CLI commands are used for the antivirus statistics:

  • diagnose ips av stats show

  • diagnose ips av stats clear

SNMP uses an API to get the antivirus statistics.

To check flow antivirus statistics:
  1. Create an antivirus profile:
    config antivirus profile
        edit "av-test"
            config http
                set av-scan monitor
            end
            config ftp
                set av-scan block
                set quarantine enable
            end
        next
    end
  2. Enable the profile in a firewall policy:
    config firewall policy
        edit 1
            set name "policy1"
            set srcintf "port2"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set fsso disable
            set av-profile "av-test"
            set ssl-ssh-profile "custom-deep-inspection"
            set nat enable
        next
    end
  3. On the client PC, download the EICAR Standard Anti-Virus Test File via HTTP.
  4. Check the antivirus statistics on the FortiGate. Since the action is set to monitor for HTTP, HTTP virus detected increases by 1:
    # diagnose ips av stats show
    AV stats:
    HTTP virus detected: 1
    HTTP virus blocked: 0
    SMTP virus detected: 0
    SMTP virus blocked: 0
    POP3 virus detected: 0
    POP3 virus blocked: 0
    IMAP virus detected: 0
    IMAP virus blocked: 0
    NNTP virus detected: 0
    NNTP virus blocked: 0
    FTP virus detected: 0
    FTP virus blocked: 0
    SMB virus detected: 0
    SMB virus blocked: 0
  5. On the client PC, download the EICAR file via FTP.
  6. Check the antivirus statistics on the FortiGate. Since quarantine is enabled for FTP, FTP virus detected and FTP virus blocked increase by 1:
    # diagnose ips av stats show
    AV stats:
    HTTP virus detected: 1
    HTTP virus blocked: 0
    SMTP virus detected: 0
    SMTP virus blocked: 0
    POP3 virus detected: 0
    POP3 virus blocked: 0
    IMAP virus detected: 0
    IMAP virus blocked: 0
    NNTP virus detected: 0
    NNTP virus blocked: 0
    FTP virus detected: 1
    FTP virus blocked: 1
    SMB virus detected: 0
    SMB virus blocked: 0
  7. Check the antivirus statistics using an SNMP walk:
    root:~# snmpwalk -c public -v 1 10.1.100.6 1.3.6.1.4.1.12356.101.8.2.1.1
    iso.3.6.1.4.1.12356.101.8.2.1.1.1.1 = Counter32: 2  (fgAvVirusDetected)
    iso.3.6.1.4.1.12356.101.8.2.1.1.2.1 = Counter32: 1  (fgAvVirusBlocked)
    iso.3.6.1.4.1.12356.101.8.2.1.1.3.1 = Counter32: 1  (fgAvHTTPVirusDetected)
    iso.3.6.1.4.1.12356.101.8.2.1.1.4.1 = Counter32: 0
    iso.3.6.1.4.1.12356.101.8.2.1.1.5.1 = Counter32: 0
    iso.3.6.1.4.1.12356.101.8.2.1.1.6.1 = Counter32: 0
    iso.3.6.1.4.1.12356.101.8.2.1.1.7.1 = Counter32: 0
    iso.3.6.1.4.1.12356.101.8.2.1.1.8.1 = Counter32: 0
    iso.3.6.1.4.1.12356.101.8.2.1.1.9.1 = Counter32: 0
    iso.3.6.1.4.1.12356.101.8.2.1.1.10.1 = Counter32: 0
    iso.3.6.1.4.1.12356.101.8.2.1.1.11.1 = Counter32: 1  (fgAvFTPVirusDetected)
    iso.3.6.1.4.1.12356.101.8.2.1.1.12.1 = Counter32: 1  (fgAvFTPVirusBlocked)
    iso.3.6.1.4.1.12356.101.8.2.1.1.13.1 = Counter32: 0
    iso.3.6.1.4.1.12356.101.8.2.1.1.14.1 = Counter32: 0
    iso.3.6.1.4.1.12356.101.8.2.1.1.15.1 = Counter32: 0
    iso.3.6.1.4.1.12356.101.8.2.1.1.16.1 = Counter32: 0
    iso.3.6.1.4.1.12356.101.8.2.1.1.17.1 = Counter32: 0
    iso.3.6.1.4.1.12356.101.8.2.1.1.18.1 = Counter32: 0
    iso.3.6.1.4.1.12356.101.8.2.1.1.19.1 = Counter32: 0
    iso.3.6.1.4.1.12356.101.8.2.1.1.20.1 = Counter32: 0
    iso.3.6.1.4.1.12356.101.8.2.1.1.21.1 = Counter32: 0
    iso.3.6.1.4.1.12356.101.8.2.1.1.22.1 = Counter32: 0
  8. Optionally, reset the antivirus statistics to zero:
    # diagnose ips av stats clear
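As an added monitoring example (not part of Fortinet's documentation), the following Python parses both the `diagnose ips av stats show` output and the snmpwalk rows shown above, computes which counters grew between two polls, and flags the protocols whose blocked count rose. The sample inputs are constructed from the page's output, and the column-to-name mapping covers only the OIDs the page labels; every other column gets a placeholder name.

```python
import re
# Constructed samples in the format of the page's two "diagnose ips av stats show" runs.
CLI_BEFORE = """AV stats:
HTTP virus detected: 1
HTTP virus blocked: 0
FTP virus detected: 0
FTP virus blocked: 0"""
CLI_AFTER = """AV stats:
HTTP virus detected: 1
HTTP virus blocked: 0
FTP virus detected: 1
FTP virus blocked: 1"""
# Constructed snmpwalk rows in the page's format. The "(fgAv...)" labels on the page are
# hand-added annotations, not snmpwalk output, so rows are keyed by OID column instead.
SNMP_WALK = """iso.3.6.1.4.1.12356.101.8.2.1.1.1.1 = Counter32: 2
iso.3.6.1.4.1.12356.101.8.2.1.1.2.1 = Counter32: 1
iso.3.6.1.4.1.12356.101.8.2.1.1.3.1 = Counter32: 1
iso.3.6.1.4.1.12356.101.8.2.1.1.4.1 = Counter32: 0
iso.3.6.1.4.1.12356.101.8.2.1.1.11.1 = Counter32: 1
iso.3.6.1.4.1.12356.101.8.2.1.1.12.1 = Counter32: 1"""
# Columns the page names under fgAvStatsTable; unnamed columns get a numeric placeholder.
OID_NAMES = {1: "fgAvVirusDetected", 2: "fgAvVirusBlocked", 3: "fgAvHTTPVirusDetected",
             11: "fgAvFTPVirusDetected", 12: "fgAvFTPVirusBlocked"}
CLI_RE = re.compile(r"^(?P<key>[A-Z0-9]+ virus (?:detected|blocked)):\s*(?P<n>\d+)$")
OID_RE = re.compile(r"^(?:iso|1)\.3\.6\.1\.4\.1\.12356\.101\.8\.2\.1\.1\.(?P<col>\d+)\.\d+"
                    r"\s*=\s*Counter32:\s*(?P<n>\d+)")

def parse_cli_stats(text):
    """Map 'HTTP virus detected' -> count from 'diagnose ips av stats show' output."""
    matches = (CLI_RE.match(line.strip()) for line in text.splitlines())
    return {m["key"]: int(m["n"]) for m in matches if m}

def parse_snmp_walk(text):
    """Map fgAvStatsTable column name -> Counter32 value from an snmpwalk of the AV subtree."""
    matches = (OID_RE.match(line.strip()) for line in text.splitlines())
    return {OID_NAMES.get(int(m["col"]), f"fgAvStats.col{m['col']}"): int(m["n"])
            for m in matches if m}

def counter_delta(before, after):
    """Counters that grew between two polls; a drop means 'stats clear' or a Counter32 wrap."""
    delta = {}
    for key, now in after.items():
        prev = before.get(key, 0)
        change = now - prev if now >= prev else now  # after a reset, count from zero
        if change:
            delta[key] = change
    return delta

def new_blocks(delta):
    """Keys whose 'blocked' counter rose: in monitor mode 'detected' rises but the file was delivered."""
    return sorted(k for k in delta if k.lower().endswith("blocked"))
```

Poll either source on a schedule, keep the previous parse as `before`, and alert on whatever `new_blocks` returns; the `detected` counters alone also rise for traffic that was only monitored.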
