Fortinet Exam FCSS_SASE_AD-23 Topic 4 Question 22 Discussion

Based on the provided exhibits and the configuration details, the reason why users are still able to download the eicar.com-zip file despite having an antivirus profile applied is due to the Web Filter allowing the traffic. Here is the step-by-step detailed explanation:

Web Filtering Logs Analysis:

The logs show that the traffic to the destination port 443 (which is HTTPS) is allowed and the security event triggered is Web Filter.

The log details indicate that the URL belongs to an allowed category in the policy and thus, the traffic is permitted by the Web Filter.

Security Profile Group Configuration:

The Web Filter with Inline-CASB section indicates that the site www.eicar.org is being monitored (93 occurrences) and not blocked.

Since the Web Filter is set to allow traffic from this site, the antivirus profile will not block it because the Web Filter decision takes precedence.

Antivirus Profile Configuration:

Although the antivirus profile is configured, the logs do not show any antivirus actions being triggered. This indicates that the web filter is overriding the antivirus action.

Policy Configuration:

The policy named 'Web Traffic' shows that it has logging enabled and is set to accept traffic.

The profile group 'SIA' applied to this policy includes both Web Filter and Antivirus settings. However, since the Web Filter is allowing the traffic, the antivirus profile does not get the chance to inspect it.

FortiGate Security 7.2 Study Guide: Provides details on the precedence of web filtering over antivirus in security profiles.

Fortinet Knowledge Base: Detailed explanation of web filtering and antivirus profiles interaction.