FortiOS 6.0 Security: Content Disarm and Reconstruction (CDR)

In this recipe you will configure the default AntiVirus security profile to include a new FortiOS 6.0 feature: Content Disarm and Reconstruction (CDR). You will apply this security profile to the Internet access policy so that exploitable content leaving the network is stripped from documents and replaced with content that is known to be safe.

In the example, we will use FortiSandbox as the original file destination, where the original file is archived and can be retrieved if necessary. The CDR feature works without FortiSandbox configured, but only if you wish to discard the original file.

Content that can be scanned includes PDF and Microsoft Office files leaving the network on CDR-supported protocols* (for more information, refer to the Security Profiles handbook).

Note that the FortiGate must be in Proxy inspection mode for CDR to function.

PREP 5 mins      COOK 5 min      TOTAL 10 mins

1. Setting the system inspection mode

Go to System > Settings and set System Operation Settings > Inspection Mode to Proxy.

2. Testing FortiSandbox connectivity

On the FortiGate, go to Security Fabric > Settings and enable Sandbox Inspection.

Select your FortiSandbox type and Server address.

Confirm that the service is available by selecting Test connectivity.

The Status should read “Service is online.”

3. Enabling Content Disarm and Reconstruction

Go to Security Profiles > AntiVirus.

Under APT Protection Options, enable Content Disarm and Reconstruction and select the Original File Destination.

If you enable FortiSandbox as the file destination, original files caught by the AntiVirus profile are archived on the FortiSandbox. The FortiSandbox administrator can retrieve the original files, but only for a short time.

If you enable either File Quarantine or Discard as the file destination, original files caught by the AntiVirus profile are lost. Only the disarmed content is made available.

4. Configuring the Internet access policy

Go to Policy & Objects > IPv4 Policy and Edit the Internet access policy.

Under Security Profiles, enable the default AntiVirus profile. Proxy Options and SSL Inspection are automatically enabled.

5. Results

As the AntiVirus profile scans files using CDR, it replaces content that is deemed malicious or unsafe with content that will allow the traffic to continue but not put the recipient at risk.

CDR appends a new cover page to the malicious/unsafe content that includes a replacement message.

If you wish to disable the cover page, enter the following commands in the CLI Console:

config antivirus profile
  edit default
    config content-disarm
      set cover-page disable
  end
end

6. Troubleshooting

The feature is not visible in the GUI

Confirm that the Inspection Mode is set to Proxy under System > Settings.

Also check that the AntiVirus profile inspection mode is set to proxy using the CLI Console:

config antivirus profile
  edit default
    set inspection-mode proxy
  next
end

Error messages and/or conflicts

If you receive an error message when attempting to enable Content Disarm and Reconstruction on the AntiVirus profile, check the Proxy Options settings in the CLI Console and disable splice and clientcomfort on CDR-supported protocols:

config firewall profile-protocol-options
  edit default
    config smtp
      unset options splice
    next
    config http
      unset options clientcomfort
    next
  end
end

You should also confirm the AntiVirus profile’s protocol settings under config antivirus profile:

• ensure that set options scan is enabled on CDR-supported protocols
• if set options av-monitor is configured on a CDR-supported protocol , it overrides the config content-disarm detect-only setting (and CDR will not occur)

The FortiSandbox service is unreachable

If testing the FortiSandbox connectivity returns a “Service is unreachable” error message, then you may need to authorize the FortiGate on the FortiSandbox.

On the FortiSandbox, go to Scan Input > Device and edit the entry for the FortiGate.

Under Permissions & Policy, enable Authorized.