Use the Antivirus Profiles page to configure how the firewall scans the defined traffic for viruses. Set the applications that should be inspected for viruses and the action to take when a virus is detected. The default profile inspects all of the listed protocol decoders for viruses, generates alerts for Simple Mail Transfer Protocol (SMTP), Internet Message Access Protocol (IMAP), and Post Office Protocol Version 3 (POP3), and takes the default action for other applications (alert or deny), depending on the type of virus detected. The profile is then attached to a Security policy, which determines which traffic traversing specific zones is inspected.
Customized profiles can be used to minimize antivirus inspection for traffic between trusted security zones, and to maximize the inspection of traffic received from untrusted zones, such as the Internet, as well as the traffic sent to highly sensitive destinations, such as server farms.
To add a new Antivirus profile, select Add and enter the following settings.
| Antivirus Profile Setting | Description |
|---|---|
| Name | Enter a profile name (up to 31 characters). This name appears in the list of antivirus profiles when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, periods, and underscores. |
| Description | Enter a description for the profile (up to 255 characters). |
| Shared | Select this option if you want the profile to be available to: every virtual system (vsys) on a multi-vsys firewall (if you clear this selection, the profile will be available only to the Virtual System selected in the Objects tab); every device group on Panorama (if you clear this selection, the profile will be available only to the Device Group selected in the Objects tab). |
| Disable override (Panorama only) | Select this option if you want to prevent administrators from creating local copies of the profile in descendant device groups by overriding its inherited values. This selection is cleared by default, which means overriding is enabled. |
| Antivirus tab | Allows you to specify the action for the different types of traffic, such as ftp and http. |
| Packet Capture | Select this option if you want to capture identified packets. |
| Decoders and Actions | For each type of traffic that you want to inspect for viruses, select an action from the drop-down. You can define different actions for standard antivirus signatures (Action column) and antivirus signatures that WildFire generates (WildFire Action column). Antivirus content updates are released daily, while WildFire content updates (including antivirus signatures) are released every five minutes as new threats are detected. This means that standard antivirus signatures undergo a longer testing period before release than WildFire antivirus signatures. Because of this, you can choose to enforce different actions for standard antivirus signatures and those generated by WildFire; for example, set alerts for WildFire antivirus signatures instead of blocking them. See Actions in Security Profiles and Custom Objects for a description of each action. |
| Applications Exceptions and Actions | The Applications Exception table allows you to define applications that will not be inspected. For example, to block all HTTP traffic except for a specific application, you can define an antivirus profile for which the application is an exception. Block is the action for the HTTP decoder, and Allow is the exception for the application. For each application exception, select the action to be taken when the threat is detected. For a list of actions, see Actions in Security Profiles and Custom Objects. To find an application, start typing the application name in the text box. A matching list of applications is displayed, and you can make a selection. |
| Virus Exception | Use the Virus Exceptions tab to define a list of threats that will be ignored by the antivirus profile. |
| Threat ID | To add specific threats that you want to ignore, enter one Threat ID at a time and click Add. Threat IDs are presented as part of the threat log information. Refer to Monitor > Logs. |
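
The following is an added example, not part of the original documentation and not vendor code: a Python review of one antivirus profile against the settings in the table above. It lists decoders whose Action or WildFire Action does not block, along with every application exception and virus exception. The XML element layout, the action values, and the sample profile are constructed assumptions and may need adjusting to match a real exported configuration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample profile. The element layout is an assumption modeled on
# an exported firewall configuration; adjust the paths to match your export.
SAMPLE_PROFILE = """
<entry name="untrust-inbound-av">
  <description>Inbound traffic from the Internet zone</description>
  <decoder>
    <entry name="http"><action>reset-both</action><wildfire-action>alert</wildfire-action></entry>
    <entry name="smtp"><action>alert</action><wildfire-action>alert</wildfire-action></entry>
    <entry name="ftp"><action>reset-both</action><wildfire-action>reset-both</wildfire-action></entry>
  </decoder>
  <application><entry name="example-app"><action>allow</action></entry></application>
  <threat-exception><entry name="100001"/></threat-exception>
</entry>
"""

# Name rule from the table: letters, numbers, spaces, hyphens, periods, underscores; max 31.
NAME_RE = re.compile(r"[A-Za-z0-9 ._-]{1,31}")
NON_BLOCKING = {"allow", "alert"}  # actions that let the file through


def audit_profile(xml_text):
    """Return (category, detail) findings for one profile, for human review."""
    root = ET.fromstring(xml_text)
    findings = []
    name = root.get("name", "")
    if not NAME_RE.fullmatch(name):
        findings.append(("name", f"{name!r} breaks the 31-character/charset rule"))
    if len(root.findtext("description", "")) > 255:
        findings.append(("description", "longer than 255 characters"))
    # Standard (Action) and WildFire (WildFire Action) columns are checked separately.
    for dec in root.findall("decoder/entry"):
        for col in ("action", "wildfire-action"):
            value = dec.findtext(col, "default")
            if value in NON_BLOCKING:
                findings.append((col, f"{dec.get('name')}: {value} does not block"))
    for app in root.findall("application/entry"):
        findings.append(("app-exception", f"{app.get('name')}: {app.findtext('action')}"))
    for threat in root.findall("threat-exception/entry"):
        findings.append(("virus-exception", f"Threat ID {threat.get('name')} is ignored"))
    return findings


if __name__ == "__main__":
    for category, detail in audit_profile(SAMPLE_PROFILE):
        print(f"{category:16} {detail}")
```

A non-blocking WildFire Action is reported for review only, since alerting on WildFire signatures while blocking on standard signatures is a choice the table describes.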
