Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
mcdsweet98
New Contributor

Fortigate Antivirus Not updated

Hi there,

I have a Fortigate 310B firewall running but the Antivirus is listed as expired as per below. I am having difficulty uploading the image, so I am going to illustrate how it looks here:

Fortiguard Subscription Services

Antivirus        Expired [renew]

- AV Definitions 14.00000 (Updated 2011-08-24 via Manual Update) [update]

- AV Engine  4.00392 (Updated 2012-02-09 via Manual Update)

1) What does this actually mean? I believe the antivirus should be updated since Fortigate is running on its own operating system, FortiOS.

2) Does the antivirus definition update require a separate license to run? The reason I was given was that the license purchased was for the firewall feature only, so I would like to verify whether there is such a thing.

3) If an antivirus update is to be performed, when is the best time to implement the update? I believe it should have some impact on network performance and speed, so I reckon it should be done after office hours, but would like to get your opinion.

Thank you.

1 Solution
Dave_Hall
Honored Contributor

mcdsweet98 wrote:

I was just curious, since I am very new with Fortigate products, what did you mean by "fgt" devices?

fgt=Fortigate; other terms used on these forums are faz=FortiAnalyzer; fmr=FortiManager. Those are the big 3 terms, but I'm sure someone will jump in and add more.

Since you are new to Fortigate/Fortinet, you may want to check out the following links:

Fortinet Support Portal documents
http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD32312

Getting Started (link for 5.2 firmware)
http://docs.fortinet.com/uploaded/files/1987/fortigate-getting-started-52.pdf

FortiGate cookbook
http://docs.fortinet.com/fortigate/cookbook

FortiOS Handbook - Best Practices
http://docs.fortinet.com/d/fortigate-best-practices

FortiOS Handbook - Install and System Admin (link is for 5.0 firmware)
http://docs.fortinet.com/uploaded/files/1087/fortigate-install-system-admin-50.pdf

Fortinet's YouTube page
https://www.youtube.com/user/SecureNetworks
or
http://video.fortinet.com/

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
8 REPLIES
emnoc
Esteemed Contributor III

Well, the subscription for AV has expired, so you need a new subscription license. Read more about this here:

http://www.fortinet.com/technology/network-threat-response-fortiguard.html

I'll try to answer some of the concerns & questions:

The impact of the update is minor during any of the updates.

Any time is okay for manual update execution, and the unit will perform auto updates, which is recommended so that you stay fresh with current threats. (If a new threat comes out, you want to be aware of it.)

btw; there's no such thing as a firewall features license outside of additional vdoms and forticlients.

PCNSE
NSE
StrongSwan
mcdsweet98
New Contributor

Hi Emnoc,

Thank you for the great insight. Seems like it's a necessity to have the antivirus subscription. I did a check against the SANS Institute's Fortigate best practices paper, page 34, and it did say antivirus needs to be updated.

Link:

http://www.giac.org/paper/gsna/178/fortigate-60-firewall-security-audit-auditors-perspective/106725

If the impact is minimal, as you said, then there shouldn't be any problem having it updated during office hours.

So I guess this antivirus definition update is definitely something a company needs to have, otherwise FortiOS will not be secured. It's like having a server with Microsoft Windows 2008 but without any antivirus inside. Correct me if I am wrong.

Dave_Hall
Honored Contributor

mcdsweet98 wrote:

[...] I did a check against SANS institute's Fortigate best practices paper Page 34, and it did say antivirus needs to be updated.

Link : http://www.giac.org/paper/gsna/178/fortigate-60-firewall-security-audit-auditors-perspective/106725

Keep in mind that the paper is almost 10 years old, performed on older Fortigate firmware from that time period. While the information is still true/valid today, I would imagine you will want to review more current/modern best security practices.

[...] It's like having a Server with Microsoft Windows 2008 but without any antivirus inside. Correct me if I am wrong.

I recall an old story back in the old 3.5/4.0 days on how Microsoft wanted to sell their new server product to the US DoD, but needed to get a certain colored security book certified and the only way they could do it was what largely amounts to locking the server in a closet, taking away the monitor/keyboard and disconnecting it from any network. People would later add to the story, "turning on the power to the server was not allowed."

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Dave_Hall
Honored Contributor

Welcome to the forums.

AntiVirus updates require an active support contract; you can log into the support.fortinet.com site and view what entitlements are active on your Fortigate. If AntiVirus is not covered or has expired, you could try to manually download the AntiVirus definition files from the Download drop-down menu and choose FortiGuard Service Updates. The site should show the registered Fortigates on your account -- whether or not it will show Fortigates with inactive antivirus subscriptions I do not know.

We schedule FortiGuard updates during the night or early morning -- although it only takes minutes for updates, the process tends to send our smaller fgt devices into 100% CPU usage, thus triggering snmp trap events and support calls (which is sort of a big deal if you manage 40-50+ fgt devices).

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
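
The two practices Dave describes above, checking what the unit is entitled to and pushing the FortiGuard pull into a quiet window so the CPU spike does not trip SNMP alarms during business hours, can be done from the FortiOS CLI. The following is an added example, not code from the thread or from Fortinet's documentation; it assumes a FortiOS release that has the `config system autoupdate schedule` tree, `diagnose autoupdate versions` and `execute update-av` (exact syntax varies between firmware trains, so verify against the CLI reference for the build on your 310B). The `#` lines are annotations, not CLI input.

```fortios
# Added example (not from the thread): pull FortiGuard AV/IPS updates
# in an off-hours window instead of whenever the unit happens to poll.
config system autoupdate schedule
    set status enable
    set frequency daily
    # "60" in the minutes field asks the unit to pick a random minute
    # within that hour, which spreads the load when many units share
    # the same window (useful for the 40-50+ device fleet Dave mentions)
    set time 02:60
end

# Show the AV engine / definition versions the unit is running and the
# contract expiry for each service. An expired AV line here matches the
# "Expired" flag the original poster sees in the GUI and explains why the
# definitions stopped moving past 14.00000.
diagnose autoupdate versions

# Force an immediate AV definition pull once the contract is renewed,
# e.g. when you want to confirm the fix. This is the same short CPU spike
# Dave describes, so on small units run it in the quiet window as well.
execute update-av
```

Run `diagnose autoupdate versions` again after the forced update: the definition version and "last update" timestamp should move forward, and the expiry date should show the renewed contract. If they do not, the contract has not been registered against this serial number on support.fortinet.com, which is the first thing to check before suspecting connectivity to FortiGuard.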
mcdsweet98

Hi Dave

Thanks for the heads up. I reckon you're a Fortigate user based on your description above. I was just curious, since I am very new with Fortigate products, what did you mean by "fgt" devices?


mcdsweet98
New Contributor

Hi Dave,

Thanks for the great input on the cookbook and other guides. Looks like the antivirus update is definitely a good practice to enable. I will highlight this to the management. By the way what is the difference between AV definitions and AV engine?

I also have one concern: although our Fortigate firewall is equipped with IPS capabilities, should we also update the IPS engine and definitions, given that we have our own IPS from McAfee?

Thanks again for the great help.

mcdsweet98
New Contributor

Hi Dave,

Would like to seek your expertise on this: the administrator of the Fortigate device responded as below when we queried why the device did not have the latest antivirus definition. Does running the antivirus and updating it reduce network speeds by 20-50%? That's a huge number! We do have additional controls in the environment, however I would like to gauge from your experience whether it does clog the network. I believe updating the antivirus can be done after office hours, but how about running the antivirus, if the below statement is correct?

"We agreed with the term 'another layer of defense'. Yes, indeed IT security had applied a defense in depth approach within the security perimeter. But to consider your suggestion, we have to take into account the detrimental impact they can have on network performance, e.g. scanning incoming traffic for viruses alone can reduce network speeds by 20-50%. Enabling IPS and other security features reduces performance even further."
