Administration Guide

FortiGate inline blocking (FOS 7.0.1 and higher)

You can configure FortiGate to integrate with FortiNDR using inline blocking. In FortiOS 7.0.1 and later, the AV profile can send files to FortiNDR for rapid inspection and a verdict. FortiGate temporarily holds the user session until FortiNDR returns a clean or malicious verdict, and then decides whether the user is allowed to download the file.

This provides more security than integrated mode, where the user can download the file immediately while a copy is sent to FortiNDR (and FortiSandbox) for inspection. With inline blocking, the download is withheld until the verdict arrives.

To configure FortiGate AV profile inline blocking:
  1. Configure FortiGate and FortiNDR Security Fabric pairing using the Security Fabric Connector. For details, see Fabric Connectors.

    This is needed for authentication between the two devices before file submission begins.

  2. When pairing is complete, verify that FortiNDR appears in the FortiGate topology with the FortiNDR icon in the legend.

  3. Configure the FortiGate AV profile using the following CLI commands. Inline blocking requires the proxy feature set.
    config system fortindr
        set status enable
    end
    config antivirus profile
        edit fai                   << profile name
            set feature-set proxy
            config http            << or another protocol such as FTP, SMTP, IMAP, CIFS, etc.
                set fortindr block << or monitor
            end
        next
    end
  4. Apply this AV profile in the FortiOS NGFW policy. Because the profile uses the proxy feature set, the policy must use proxy-based inspection mode.

    Both FortiGate Antivirus logs and FortiNDR logs and reports show corresponding log entries.
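The following is a complete configuration that ties the steps above together, written here as an added example rather than configuration taken from this page or from Fortinet. The profile name fndr-inline, the policy ID 10, the interface names port1 and port2, and the use of the built-in deep-inspection SSL/SSH profile are assumptions. It enables the FortiNDR connector, builds a proxy-based AV profile that runs the local AV engine and FortiNDR inline blocking for HTTP, FTP and SMTP, sets the error action so that a FortiNDR outage fails closed, and applies the profile in a proxy-mode firewall policy with deep inspection so that files carried inside HTTPS are decrypted and extracted.

```fortios
# Added example, not from the page. Lines beginning with # are ignored by the
# FortiOS CLI when pasted. Run this after Security Fabric pairing is complete.
config system fortindr
    set status enable
end

# Proxy-based AV profile; "fndr-inline" is an assumed name.
config antivirus profile
    edit "fndr-inline"
        set comment "Local AV engine plus FortiNDR inline blocking"
        set feature-set proxy
        # What to do when FortiNDR returns an error or cannot be reached:
        # block = fail closed, log-only = allow and log, ignore = allow silently.
        set fortindr-error-action block
        config http
            set av-scan block
            set fortindr block
        end
        config ftp
            set av-scan block
            set fortindr block
        end
        # Monitor rather than block on outbound mail: verdicts are logged,
        # delivery is not interrupted.
        config smtp
            set av-scan block
            set fortindr monitor
        end
    next
end

# Proxy-mode policy; interface names, policy ID and addresses are assumptions.
# The built-in "deep-inspection" profile decrypts TLS so that files inside
# HTTPS can be extracted; "certificate-inspection" alone would not.
config firewall policy
    edit 10
        set name "lan-to-internet-fndr"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "FTP" "SMTP" "SMTPS"
        set inspection-mode proxy
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set av-profile "fndr-inline"
        set logtraffic all
        set nat enable
    next
end

# Confirm the connector setting took effect.
show system fortindr
```

Setting fortindr-error-action to block means that if the connection to FortiNDR times out, downloads of accepted file types are held rather than released. If availability matters more than fail-closed behaviour for a given segment, use log-only instead, and watch the FortiGate Antivirus logs for the corresponding error entries.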

Tips for using FortiNDR inline blocking

  • Similar to the FortiGate AV profile, a browser replacement message is displayed if a virus is found.

    In FortiOS, the message is called FortiNDR block page, and is a customizable HTML page.

  • For encrypted traffic such as HTTPS, an SSL/SSH inspection profile that performs deep inspection (not certificate inspection only) must be applied to the FortiGate policy so that the session is decrypted and files can be extracted from the encrypted protocol.
  • The maximum file size is determined by both FortiGate and FortiNDR. FortiNDR supports a default maximum file size of 200MB. In FortiNDR the maximum file size can be adjusted with the following CLI command:

    execute file-size-threshold

  • If a network connectivity issue causes the connection between FortiGate and FortiNDR to time out, FortiGate and user download operations resume after connectivity is restored. While FortiNDR is returning errors, the fortindr-error-action setting in the AV profile (see below) determines whether affected files are logged, blocked, or ignored.
  • When FortiNDR is connected to the Security Fabric, you can configure a malware widget in the FortiOS Dashboard.

    Go to Dashboard > Status > Add Widget > Fabric Device to display the detected attack scenarios.

FortiNDR inline inspection with other AV inspection methods

The following inspection logic applies when FortiNDR inline inspection is enabled at the same time as other AV inspection methods. The AV engine inspection and its verdict always take precedence, for performance reasons. The actual behavior depends on which protocol is inspected.

HTTP, FTP, SSH, and CIFS protocols:
  1. AV engine scan; AV database and FortiSandbox database (if applicable).
    • FortiNDR inline inspection occurs simultaneously.
  2. AV engine machine learning detection for WinPE PUPs (potentially unwanted programs).
    • FortiNDR inline inspection occurs simultaneously.
  3. Outbreak prevention and external hash list resources.
    • FortiNDR inline inspection occurs simultaneously.
Note

If any AV inspection method returns an infected verdict, the FortiNDR inspection is aborted.

POP3, IMAP, SMTP, NNTP, and MAPI protocols:
  1. AV engine scan; AV database and FortiSandbox database (if applicable).
  2. AV engine machine learning detection for WinPE PUPs (potentially unwanted programs).
    • FortiNDR inline inspection occurs simultaneously.
  3. Outbreak prevention and external hash list resources.
    • FortiNDR inline inspection occurs simultaneously.
Note

In an AV profile, use set fortindr-error-action {log-only | block | ignore} to configure the action to take if FortiNDR encounters an error.

Accepted file types

The following file types are sent to FortiNDR for inline inspection:

  • 7Z
  • ARJ
  • BZIP
  • BZIP2
  • CAB
  • ELF
  • GZIP
  • HTML
  • JS
  • LZH
  • LZW
  • MS Office documents (XML and non-XML)
  • PDF
  • RAR
  • RTF
  • TAR
  • VBA
  • VBS
  • WinPE (EXE)
  • XZ
  • ZIP
