7. Fortinet Getting Started v6.0. Antivirus and IPS

Greetings! Welcome to the seventh lesson of the Fortinet Getting Started course. In the last lesson we introduced security profiles such as Web Filtering, Application Control and HTTPS inspection. In this lesson we continue with security profiles: first the theory behind the antivirus and the intrusion prevention system (IPS), then the configuration of both profiles in practice.

Let’s start with the antivirus. First, the techniques FortiGate uses to detect malware:
Signature scanning is the simplest and fastest method. It detects files that exactly match a signature in the antivirus database, so it only finds malware that FortiGuard has already analysed.
Grayware scanning detects unwanted programs that are installed without the user’s knowledge or consent. Technically these programs are not viruses: they usually come bundled with legitimate software, but once installed they change the system in ways the user did not ask for, which is why they are treated as malware. They are detected with dedicated grayware signatures from the FortiGuard research database.
Heuristic scanning is probabilistic: it looks for attributes typical of malicious code rather than for exact matches, so it can detect zero-day malware (new samples that have not been analysed yet and for which no signature exists) at the cost of occasional false positives. Heuristic scanning is disabled by default and can only be enabled from the CLI.
When all three techniques are enabled, FortiGate applies them in this order: signature scan, grayware scan, heuristic scan.

FortiGate can use one of several antivirus signature databases, depending on the task:

  • Normal – available on all FortiGate models. It contains signatures for malware seen in the wild in recent months. It is the smallest database, so scanning with it is the fastest, but it does not cover all known malware.
  • Extended – supported by most FortiGate models. It adds signatures for malware that is no longer actively spreading but to which many platforms are still vulnerable, and which may therefore resurface.
  • Extreme – intended for environments that require the highest level of security. It covers all known malware, including samples that target obsolete operating systems and are no longer in circulation. This database is not supported on all FortiGate models.

There is also a compact signature database used for quick scanning; we will come back to it a little later.

Antivirus databases can be updated in several ways.
The first is Push Update: FortiGuard notifies the FortiGate as soon as a new database is released, and the FortiGate downloads it immediately. This suits environments that need a high level of security, because urgent updates arrive without waiting for the next poll.
The second is a schedule: the FortiGate polls FortiGuard every hour, every day or every week, at a time of your choosing.
The two methods can be used together.
Keep in mind that the FortiGate only downloads antivirus updates when an antivirus profile is applied to at least one firewall policy. Otherwise, the updates are skipped.
Finally, you can download the update packages from the Fortinet Support portal and upload them to the FortiGate manually.
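
The FortiOS 6.0 CLI equivalent of what the two sections above describe (database selection, grayware and heuristic scanning, and the push and scheduled update methods), as an added example that is not part of the original article. It assumes a model that supports the extended database and a valid FortiGuard contract; the hourly schedule and the choice of `block` for heuristics are assumptions, and later FortiOS releases renamed some of these commands.

```text
# Added example, FortiOS 6.0 CLI (not from the original article).
# Assumes a model that supports the extended database and a valid
# FortiGuard antivirus contract. Lines starting with # are comments.

# 1. Signature database and grayware scan (global settings, not per profile)
config antivirus settings
    set default-db extended
    set grayware enable
end

# 2. Heuristic scan: only configurable here, not in the GUI.
#    block = drop files flagged by heuristics, pass = log only, disable = off
config antivirus heuristic
    set mode block
end

# 3. Push updates: FortiGuard notifies the unit when a release is published
config system autoupdate push-update
    set status enable
end

# 4. Scheduled pull as a fallback; frequency "every" with time 01:00
#    means once an hour (daily and weekly are the other options)
config system autoupdate schedule
    set status enable
    set frequency every
    set time 01:00
end

# 5. Show the installed engine and database versions, then force an update
diagnose autoupdate versions
execute update-av
```

`set default-db extreme` is rejected on models that do not carry that database, so the command itself is the quickest way to find out whether your platform supports it. Remember the caveat above: until an antivirus profile is attached to a firewall policy, `diagnose autoupdate versions` will keep showing the old antivirus definition version even though push and schedule are enabled.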

Now the scan modes. There are three: Full Mode in flow-based inspection, Quick Mode in flow-based inspection, and Full Mode in proxy inspection. Let’s start with Full Mode in flow-based inspection.
Suppose a user downloads a file. The client sends the request and the server starts sending the packets that make up the file. FortiGate forwards each packet to the client immediately, but also keeps a copy of it in a buffer. When the last packet arrives, FortiGate holds it back and scans the complete file from the buffer. If the file is clean, the last packet is released and the download completes. If malware is detected, FortiGate drops the last packet and resets the connection, so the client is left with an incomplete download.

The second flow-based mode is Quick Mode. It uses the compact signature database, which contains fewer signatures than the regular one, and has several limitations compared with Full Mode:

  • it cannot submit files to the sandbox;
  • it cannot use heuristic analysis;
  • it cannot use the mobile malware signature package;
  • some entry-level models do not support it.

Quick Mode still checks traffic for viruses, worms, trojans and other malware, but without buffering the file. This gives better throughput at the cost of a lower detection rate.

In proxy inspection the only scan mode is Full Mode. FortiGate first buffers the entire file (unless it exceeds the configured oversize limit), and the client receives nothing until the scan has finished. If malware is found, the client is immediately shown a replacement message instead of the file. Because the whole file is buffered before it is scanned, a large download can take a while, and the client application may time out and drop the connection before the file arrives; FortiGate’s client comforting option, which trickles a few bytes to the client while the scan runs, exists to mitigate exactly this.

The comparison table in the figure below will help you choose the scan mode for your task. Configuring and verifying the antivirus profile is shown in practice in the video at the end of the article.
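
The three scan modes as FortiOS 6.0 antivirus profiles, plus the oversize and client-comforting settings that the proxy-mode caveat above refers to, as an added example that is not part of the original article or of the video. The profile names, the 10 MB limit, the comfort values and policy ID 1 are assumptions. In 6.0 the inspection mode is set per VDOM (`config system settings`, `set inspection-mode`), and only profiles whose mode matches the VDOM are offered in the GUI.

```text
# Added example, FortiOS 6.0 CLI (not from the original article).
# Profile names, the 10 MB limit, comfort values and policy ID 1 are
# assumptions. The VDOM inspection mode (config system settings,
# set inspection-mode {proxy | flow}) must match the profile used.

config antivirus profile
    edit "av-flow-full"
        set comment "Flow-based full mode: file buffered, last packet held until the scan finishes"
        set inspection-mode flow-based
        set scan-mode full
        set av-virus-log enable
        set av-block-log enable
        config http
            set options scan
        end
        config ftp
            set options scan
        end
        config smtp
            set options scan
        end
    next
    edit "av-flow-quick"
        set comment "Flow-based quick mode: compact database, no buffering, no sandbox, no heuristics"
        set inspection-mode flow-based
        set scan-mode quick
        config http
            set options scan
        end
    next
    edit "av-proxy"
        set comment "Proxy mode: whole file held, client waits, replacement message on detection"
        set inspection-mode proxy
        config http
            set options scan
        end
    next
end

# Proxy-mode protocol options: "oversize" blocks files above the limit
# instead of passing them unscanned; clientcomfort sends 1 byte every
# 10 s so the client does not time out while a large file is scanned
config firewall profile-protocol-options
    edit "default"
        config http
            set oversize-limit 10
            set options clientcomfort oversize
            set comfort-interval 10
            set comfort-amount 1
        end
    next
end

# Attach the profile to a policy; without this the AV database is not
# even updated. Certificate inspection only exposes the HTTPS host name;
# scanning HTTPS bodies needs the deep-inspection SSL profile.
config firewall policy
    edit 1
        set utm-status enable
        set av-profile "av-flow-full"
        set profile-protocol-options "default"
        set ssl-ssh-profile "certificate-inspection"
    next
end
```

To verify, download the EICAR test file (eicar.org) over plain HTTP from a client behind policy 1: with `av-flow-full` the download stalls and is reset, with `av-proxy` the browser shows the replacement page, and in both cases an antivirus log entry appears under Log & Report. Switch the policy to `av-flow-quick` and repeat to see the difference in behaviour; on an entry-level model that does not support quick mode, `set scan-mode quick` is rejected when you enter it.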

Let’s move on to the second part of the lesson, the intrusion prevention system. Before studying IPS you need to understand the difference between exploits and anomalies, and which FortiGate mechanisms protect against each.
Exploits are known attacks with specific patterns that can be detected with IPS, WAF or antivirus signatures.
Anomalies are unusual network behaviour, for example an unusually high volume of traffic or higher than usual CPU consumption. Anomalies deserve attention because they can be the first sign of a new, not yet analysed attack. They are detected through behavioural analysis, that is, rate-based signatures and DoS policies.
So, FortiGate IPS uses signature databases to detect known attacks, and rate-based signatures and DoS policies to detect anomalies.

An initial set of IPS signatures ships with every FortiOS release, and FortiGate receives new signatures through FortiGuard updates, which are published frequently, so IPS stays effective against new exploits.
One point that applies to both IPS and antivirus: when the license expires, the FortiGate keeps using the last signatures it received, but it can no longer download new ones. Running without a license is therefore highly undesirable, because old signatures will not protect you against new attacks.
The IPS signature databases are divided into regular and extended. The regular database contains signatures for common attacks that rarely or never cause false positives; the predefined action for most of them is block.
The extended database adds signatures for attacks that have a significant impact on system performance or that cannot be blocked because of their nature. Because of its size it is not available on FortiGate models with little disk or RAM, but highly secured environments may require it.
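
Both detection mechanisms described above in FortiOS 6.0 CLI, as an added example that is not part of the original article or of the video: a signature-based IPS sensor with one plain entry and one rate-based entry, a DoS policy for anomalies, and the database selection. The sensor name, the thresholds, the interface name "wan1" and policy ID 1 are assumptions; the anomaly names and their default thresholds are FortiOS built-ins.

```text
# Added example, FortiOS 6.0 CLI (not from the original article).
# Sensor name, thresholds, interface "wan1" and policy ID 1 are assumptions.

# Which IPS database to load (extended is rejected on small models)
config ips global
    set database extended
end

config ips sensor
    edit "protect-servers"
        set comment "Known exploits by signature; repeated medium hits by rate"
        config entries
            # Entry 1: block every high/critical server-side signature on first hit
            edit 1
                set location server
                set severity high critical
                set status enable
                set log enable
                set log-packet enable
                set action block
            next
            # Entry 2: medium-severity signatures are only blocked when one
            # source IP triggers them 20 times within 60 s (rate-based);
            # that source is then quarantined as the attacker
            edit 2
                set location server
                set severity medium
                set status enable
                set log enable
                set action block
                set rate-count 20
                set rate-duration 60
                set rate-mode periodical
                set rate-track src-ip
                set quarantine attacker
            next
        end
    next
end

# Anomalies (floods, scans) are not signatures: a DoS policy on the
# ingress interface handles them, and it is evaluated before the
# firewall policy. Thresholds are packets per second.
config firewall DoS-policy
    edit 1
        set interface "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        config anomaly
            edit "tcp_syn_flood"
                set status enable
                set log enable
                set action block
                set threshold 2000
            next
            edit "tcp_port_scan"
                set status enable
                set log enable
                set action block
                set threshold 1000
            next
        end
    next
end

# Attach the sensor to the policy that carries the traffic
config firewall policy
    edit 1
        set utm-status enable
        set ips-sensor "protect-servers"
    next
end

# Anomaly counters, useful right after a test scan against wan1
diagnose ips anomaly list
```

Entry order matters: a packet is matched against entries from the top, so keep the broad block entry first and the rate-based entry after it; with `rate-mode periodical` the counter is reset every `rate-duration`, while `continuous` keeps the action in place once the threshold has been crossed. The DoS policy is the right place for floods and scans because it costs far less than signature matching and drops the traffic before the session table and the firewall policy are consulted.
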
IPS configuration and health checks are also discussed in the video below.

In the next lesson, we will consider working with users. In order not to miss it, stay tuned for updates on the following channels:
