Fortinet white logo
Fortinet white logo

Administration Guide

Starting a malware test

Starting a malware test

The Malware case sends files with HTTP/FTP/SMTP/IMAP/POP3/SMB protocol and detects viruses in files. Malware Strike packs are provided and refreshed regularly by FortiGuard updates.

Different tests can be run depending on the FortiGuard malware object group configuration (based on OS type, malware type e.g. ransomware, created date).
To start a malware test:
  1. In Security testing, expand Malware and click malware.
  2. Click Create New.
  3. Configure the network or select a network template. See Using network configuration templates for how to create a network template.
  4. Select a Certificate Group, if applicable.
  5. Click OK.
  6. Configure the test case options described below.
  7. Click Start to run the test case.

FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

malware test case options

Settings Guidelines
Basic Information
Name Specify the case name, or just use the default. The name appears in the list of test cases.
Ping Server Timeout If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600.
NOTE: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.
Number of Samples Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120.

Script Config

Select the script that will run before/after the test. To create a script, see Using script object templates.

Steady Duration Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.
Stopping Status in Second The maximum time out in seconds allotted for FortiTester to close all TCP connections after the test finishes.

DNS Host Group

Select the DNS host group to look up the IP address of a domain name. To create a DNS host group, see Creating DNS host group.

DUT Monitor

Select to monitor a FortiGate device under test (DUT). If selected, you can monitor the DUT from the DUT Monitor tab on the management interface. To create a DUT monitoring, see Using DUT monitoring.

Network Settings
If you have selected a network config template, the network settings automatically inherit the configurations in the template. See Using network configuration templates for the description of network settings.
Load

Loops

Number of times to send the attacks. 0 means as many as possible.

HTTP Request Time Out An HTTP request timeout occurs when an HTTP request is issued, but no data is responded back from the server within a certain time (in seconds). The timeout usually indicates an overwhelmed server or reverse proxy, or an outage of the back-end transactions processing servers. FortiTester will reset the connection upon timeout.
Delay The period that FortiTester will wait until it sends the next web application attack.
Client Profile
Protocol Level Select HTTP version. If you select different HTTP versions for client and server, HTTP 1.1 will backward compatibility with HTTP 1.0.
Keep Alive Enable to add keepalive header.
Only available when HTTP 1.0 is selected in Protocol Level.
Request Header The HTTP header of the request packet. Click the Add button to specify more headers. Wild card is supported.
Client Close Mode Select the connection close method: 3Way_Fin or Reset.
Piggyback Get Requests If enabled, this means an acknowledgment is sent on the data frame, not in an individual frame. Otherwise, it sends an ACK frame individually. This feature only works with get/post requests.
Source Port Range Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.
IP Change Algorithm/Port Change Algorithm Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001. The Random option selects an IP address or port in the range randomly.
Server Profile
Protocol Level Select HTTP version. If you select different HTTP versions for client and server, HTTP 1.1 will backward compatibility with HTTP 1.0.
Keep Alive Enable to add keepalive header.
Only available when HTTP 1.0 is selected in Protocol Level.
Response Header The HTTP header of the response packet. Click the Add button to specify more headers.
Case Server Port The server port where the test case traffic arrives.
Client/Server TCP Options

TCP Receive Window

The receive window in which you want the TCP stack to send TCP segments. The receive window informs the peer how many bytes of data the stack is currently able to receive. The supplied value is used in all segments sent by the stack. The valid range is 0 to 65535.

Delayed Acks

Select to cause the TCP stack to implement the Delayed ACK strategy, which attempts to minimize the transmission of zero-payload ACK packets. Acknowledgments will be deferred and should be piggybacked on top of valid data packets. If successfully deferred, these acknowledgments are free, in the sense that they consume no additional bandwidth.

Delayed Ack Timeout

If you select Delayed ACKs, use this timeout value to specify the maximum time the TCP stack waits to defer ACK transmission. If this timer expires, the stack transmits a zero-payload acknowledgment.

Timestamps Option

Select to add a TCP time stamp to each TCP segment.

Enable Push Flag

Select to set the TCP PSH (push) flag in all TCP packets. This flag causes buffered data to be pushed to the receiving application. If deselected, the PSH flag is not set in any TCP packet.

SACK Option

Select to enable TCP Selective Acknowledgment Options(SACK).

Enable TCP Keepalive

Select to enable TCP Keep-alive Timer.

Keepalive Timeout

If you enable TCP Keepalive, use this timeout value to specify the maximum time to send your peer a keep-alive probe packet

Keepalive Probes

Probes If you enable TCP Keepalive, use this value to specify the maximum probes to detect the broken connection.

Override Internal Timeout Calculation

Select to override the TCP stack calculation of the retransmission timeout value.

Retransmission Timeout

If you select Override Internal Timeout Calculation, use this value for the first transmission of a particular data or control packet; it is doubled for each subsequent retransmission.

Retries

The number of times a timed-out packet is retransmitted before aborting further retransmission. If the client does not receive a response after the configured number of retries have been attempted, the error is logged in the results. CSV file as a TCP timeout when a SYN or FIN is sent, and no SYN/ACK or FIN/ACK from the server is received.

FinACK Timer

This value measures the amount of time that a SimUser waits after it finishes its actions and before it directly breaks all of its TCP connections (that is, the time to wait to receive the LAST_ACK message for a FIN request). A value of 0 disables the timer.

Note: Setting this timer can adversely affect TCP performance.

Client/Server Network

Network MTU The maximum transmission unit size.
TFTP Block Size Specify a Block Size. The default is 512 bytes.
Network MSS The maximum segment size. If MSS is bigger than the MTU, IP fragmentation will be triggered conditionally.
IP Option DSCP Provide quality of service (QoS).
Action

Malware File Group

Select an existing malware file from the list or click Manage Group to upload new files.

Starting a malware test

Starting a malware test

The Malware case sends files with HTTP/FTP/SMTP/IMAP/POP3/SMB protocol and detects viruses in files. Malware Strike packs are provided and refreshed regularly by FortiGuard updates.

Different tests can be run depending on the FortiGuard malware object group configuration (based on OS type, malware type e.g. ransomware, created date).
To start a malware test:
  1. In Security testing, expand Malware and click malware.
  2. Click Create New.
  3. Configure the network or select a network template. See Using network configuration templates for how to create a network template.
  4. Select a Certificate Group, if applicable.
  5. Click OK.
  6. Configure the test case options described below.
  7. Click Start to run the test case.

FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

malware test case options

Settings Guidelines
Basic Information
Name Specify the case name, or just use the default. The name appears in the list of test cases.
Ping Server Timeout If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600.
NOTE: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.
Number of Samples Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120.

Script Config

Select the script that will run before/after the test. To create a script, see Using script object templates.

Steady Duration Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.
Stopping Status in Second The maximum time out in seconds allotted for FortiTester to close all TCP connections after the test finishes.

DNS Host Group

Select the DNS host group to look up the IP address of a domain name. To create a DNS host group, see Creating DNS host group.

DUT Monitor

Select to monitor a FortiGate device under test (DUT). If selected, you can monitor the DUT from the DUT Monitor tab on the management interface. To create a DUT monitoring, see Using DUT monitoring.

Network Settings
If you have selected a network config template, the network settings automatically inherit the configurations in the template. See Using network configuration templates for the description of network settings.
Load

Loops

Number of times to send the attacks. 0 means as many as possible.

HTTP Request Time Out An HTTP request timeout occurs when an HTTP request is issued, but no data is responded back from the server within a certain time (in seconds). The timeout usually indicates an overwhelmed server or reverse proxy, or an outage of the back-end transactions processing servers. FortiTester will reset the connection upon timeout.
Delay The period that FortiTester will wait until it sends the next web application attack.
Client Profile
Protocol Level Select HTTP version. If you select different HTTP versions for client and server, HTTP 1.1 will backward compatibility with HTTP 1.0.
Keep Alive Enable to add keepalive header.
Only available when HTTP 1.0 is selected in Protocol Level.
Request Header The HTTP header of the request packet. Click the Add button to specify more headers. Wild card is supported.
Client Close Mode Select the connection close method: 3Way_Fin or Reset.
Piggyback Get Requests If enabled, this means an acknowledgment is sent on the data frame, not in an individual frame. Otherwise, it sends an ACK frame individually. This feature only works with get/post requests.
Source Port Range Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.
IP Change Algorithm/Port Change Algorithm Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001. The Random option selects an IP address or port in the range randomly.
Server Profile
Protocol Level Select HTTP version. If you select different HTTP versions for client and server, HTTP 1.1 will backward compatibility with HTTP 1.0.
Keep Alive Enable to add keepalive header.
Only available when HTTP 1.0 is selected in Protocol Level.
Response Header The HTTP header of the response packet. Click the Add button to specify more headers.
Case Server Port The server port where the test case traffic arrives.
Client/Server TCP Options

TCP Receive Window

The receive window in which you want the TCP stack to send TCP segments. The receive window informs the peer how many bytes of data the stack is currently able to receive. The supplied value is used in all segments sent by the stack. The valid range is 0 to 65535.

Delayed Acks

Select to cause the TCP stack to implement the Delayed ACK strategy, which attempts to minimize the transmission of zero-payload ACK packets. Acknowledgments will be deferred and should be piggybacked on top of valid data packets. If successfully deferred, these acknowledgments are free, in the sense that they consume no additional bandwidth.

Delayed Ack Timeout

If you select Delayed ACKs, use this timeout value to specify the maximum time the TCP stack waits to defer ACK transmission. If this timer expires, the stack transmits a zero-payload acknowledgment.

Timestamps Option

Select to add a TCP time stamp to each TCP segment.

Enable Push Flag

Select to set the TCP PSH (push) flag in all TCP packets. This flag causes buffered data to be pushed to the receiving application. If deselected, the PSH flag is not set in any TCP packet.

SACK Option

Select to enable TCP Selective Acknowledgment Options(SACK).

Enable TCP Keepalive

Select to enable TCP Keep-alive Timer.

Keepalive Timeout

If you enable TCP Keepalive, use this timeout value to specify the maximum time to send your peer a keep-alive probe packet

Keepalive Probes

Probes If you enable TCP Keepalive, use this value to specify the maximum probes to detect the broken connection.

Override Internal Timeout Calculation

Select to override the TCP stack calculation of the retransmission timeout value.

Retransmission Timeout

If you select Override Internal Timeout Calculation, use this value for the first transmission of a particular data or control packet; it is doubled for each subsequent retransmission.

Retries

The number of times a timed-out packet is retransmitted before aborting further retransmission. If the client does not receive a response after the configured number of retries have been attempted, the error is logged in the results. CSV file as a TCP timeout when a SYN or FIN is sent, and no SYN/ACK or FIN/ACK from the server is received.

FinACK Timer

This value measures the amount of time that a SimUser waits after it finishes its actions and before it directly breaks all of its TCP connections (that is, the time to wait to receive the LAST_ACK message for a FIN request). A value of 0 disables the timer.

Note: Setting this timer can adversely affect TCP performance.

Client/Server Network

Network MTU The maximum transmission unit size.
TFTP Block Size Specify a Block Size. The default is 512 bytes.
Network MSS The maximum segment size. If MSS is bigger than the MTU, IP fragmentation will be triggered conditionally.
IP Option DSCP Provide quality of service (QoS).
Action

Malware File Group

Select an existing malware file from the list or click Manage Group to upload new files.