Content Disarm and Reconstruction (CDR)

In this recipe you will configure the default AntiVirus security profile to include a new FortiOS 6.0 feature: Content Disarm and Reconstruction (CDR). You will apply this security profile to the Internet access policy so that exploitable content leaving the network is stripped from documents and replaced with content that is known to be safe.

In the example, we will use FortiSandbox as the original file destination, where the original file is archived and can be retrieved if necessary. The CDR feature works without FortiSandbox configured, but only if you wish to discard the original file.

Content that can be scanned includes PDF and Microsoft Office files leaving the network on CDR-supported protocols (for more information, refer to the Security Profiles handbook).

Note that the FortiGate must be in Proxy inspection mode for CDR to function.

PREP 5 mins COOK 5 min TOTAL 10 mins

1. Setting the system inspection mode
Go to System > Settings and set System Operation Settings > Inspection Mode to Proxy.
2. Testing FortiSandbox connectivity
On the FortiGate, go to Security Fabric > Settings and enable Sandbox Inspection. Select your FortiSandbox type and Server address.
Confirm that the service is available by selecting Test connectivity. The Status should read “Service is online.”
3. Enabling Content Disarm and Reconstruction
Go to Security Profiles > AntiVirus. Under APT Protection Options, enable Content Disarm and Reconstruction and select the Original File Destination.
If you enable FortiSandbox as the file destination, original files caught by the AntiVirus profile are archived on the FortiSandbox. The FortiSandbox administrator can retrieve the original files, but only for a short time. If you enable either File Quarantine or Discard as the file destination, original files caught by the AntiVirus profile are lost. Only the disarmed content is made available.
4. Configuring the Internet access policy
Go to Policy & Objects > IPv4 Policy and Edit the Internet access policy. Under Security Profiles, enable the default AntiVirus profile. Proxy Options and SSL Inspection are automatically enabled.
5. Results
As the AntiVirus profile scans files using CDR, it replaces content that is deemed malicious or unsafe with content that will allow the traffic to continue but not put the recipient at risk.
CDR appends a new cover page to the malicious/unsafe content that includes a replacement message.
If you wish to disable the cover page, enter the following commands in the CLI Console: config antivirus profile edit default config content-disarm set cover-page disable end end
6. Troubleshooting
The feature is not visible in the GUI Confirm that the Inspection Mode is set to Proxy under System > Settings. Also check that the AntiVirus profile inspection mode is set to proxy using the CLI Console: config antivirus profile edit default set inspection-mode proxy next end
Error messages and/or conflicts If you receive an error message when attempting to enable Content Disarm and Reconstruction on the AntiVirus profile, check the Proxy Options settings in the CLI Console and disable `splice` and `clientcomfort` on CDR-supported protocols: config firewall profile-protocol-options edit default config smtp unset options splice next config http unset options clientcomfort next end end You should also confirm the AntiVirus profile’s protocol settings under `config antivirus profile`: ensure that `set options scan` is enabled on CDR-supported protocols if `set options av-monitor` is configured on a CDR-supported protocol , it overrides the `config content-disarm detect-only` setting (and CDR will not occur)
The FortiSandbox service is unreachable If testing the FortiSandbox connectivity returns a “Service is unreachable” error message, then you may need to authorize the FortiGate on the FortiSandbox. On the FortiSandbox, go to Scan Input > Device and edit the entry for the FortiGate.
Under Permissions & Policy, enable Authorized.