FortiGate
Jonathan_Body_FTNT
Article Id 198001

Description

 

In FortiOS v4.0 MR3 the Antivirus splice option is available for the following protocols: FTP, FTPS, SMTP, SMTPS, and NNTP.


This article explains how to configure the splice options and describes how the functionality operates with the various protocols.


Scope

 

FortiOS v4.0 MR3 Splice option.


Solution

 
To configure the splice options:

1. Connect to the CLI of the FortiGate and create a 'firewall profile-protocol-options' profile as shown below:
FGT50B3G11601684 (root) # config firewall profile-protocol-options
FGT50B3G11601684 (profile-protoc~l) # edit
*name    profile name
default
FGT50B3G11601684 (profile-protoc~l) # edit test
new entry 'test' added
FGT50B3G11601684 (test) #
2. Select the protocol to be used with the Antivirus splice option:
FGT50B3G11601684 (test) # config ftp
FGT50B3G11601684 (ftp) #
3. As an example, to enable the splice option for ftp:
FGT50B3G11601684 (ftp) # set options
clientcomfort         prevent client timeout
no-content-summary    disable monitoring of content information from dashboard
oversize              block oversized file/email
splice                enable splice mode
FGT50B3G11601684 (ftp) # set options splice
FGT50B3G11601684 (ftp) # end
The option is now enabled.  The same principle applies for configuring the other protocols: FTPS, SMTP, SMTPS and NNTP.


Operation of AV Scanning when splice is enabled.

For FTP, FTPS, and NNTP:
Antivirus simultaneously scans a file and sends it to the recipient.  If the FortiGate unit detects a virus it will prematurely terminate the connection.
For SMTP and SMTPS:
Antivirus simultaneously scans a message and sends it to the recipient.  If the FortiGate unit detects a virus, it prematurely terminates the connection and returns an error message to the sender listing the virus and the infected filename.  Splice is selected when scan is selected.
With streaming mode enabled, select either Spam Action (Tagged or Discard) for SMTP spam.  When streaming mode is disabled for SMTP, infected attachments are removed and the email is forwarded without the attachment to the SMTP server for delivery to the recipient.  Throughput is higher when streaming mode is enabled.
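
To review which protocol-options profiles already have splice set for each of the five protocols, the following added example (not Fortinet code and not part of the original article) parses a configuration dump and reports the setting per profile and protocol. It assumes the dump uses the nested config/edit/next/end layout of FortiGate 'show' output; the sample text, the function name splice_report and the option values in the sample are constructed for illustration.

```python
SPLICE_PROTOCOLS = ("ftp", "ftps", "smtp", "smtps", "nntp")  # protocols the article lists

# Constructed sample in the assumed layout of a FortiGate 'show' dump (not from the article).
SAMPLE_CONFIG = '''\
config firewall profile-protocol-options
    edit "default"
        config ftp
            set options clientcomfort
        end
        config smtp
            set options oversize splice
        end
    next
    edit "test"
        config ftp
            set options splice
        end
    next
end
config firewall policy
    edit 1
        set profile-protocol-options "test"
    next
end
'''

def splice_report(config_text):
    """Return {profile: {protocol: bool}}; True means 'splice' is in that protocol's options."""
    report, stack, profile = {}, [], None   # stack holds the open "config ..." sections
    for raw in config_text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        head, args = tokens[0], tokens[1:]
        in_ppo = stack[:1] == ["firewall profile-protocol-options"]
        if head == "config":
            stack.append(" ".join(args))
        elif head == "end" and stack:
            stack.pop()
        elif head == "edit" and in_ppo and len(stack) == 1:
            profile = " ".join(args).strip('"')
            report[profile] = dict.fromkeys(SPLICE_PROTOCOLS, False)
        elif head == "next" and len(stack) == 1:
            profile = None
        elif (head == "set" and in_ppo and len(stack) == 2 and profile
              and stack[1] in SPLICE_PROTOCOLS and args[:1] == ["options"]):
            report[profile][stack[1]] = "splice" in args[1:]
    return report
```

A protocol with no 'set options' line in the dump is reported as False, so a False result means splice was not found in the file rather than that the unit's running default was checked.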