SSL content scanning and inspection

If your FortiGate model supports SSL content scanning and inspection, you can apply antivirus scanning, web filtering, FortiGuard Web Filtering, and email filtering to encrypted traffic. You can also apply DLP and DLP archiving to HTTPS, IMAPS, POP3S, and SMTPS traffic. To perform SSL content scanning and inspection, the FortiGate unit does the following:

• intercepts and decrypts HTTPS, IMAPS, POP3S, SMTPS, and FTPS sessions between clients and servers (FortiGate SSL acceleration speeds up decryption)
• applies content inspection to decrypted content, including:
• HTTPS, IMAPS, POP3S, and SMTPS Antivirus, DLP, and DLP archiving
• HTTPS web filtering and FortiGuard web filtering
• IMAPS, POP3S, and SMTPS email filtering
• encrypts the sessions and forwards them to their destinations.

Figure 13:FortiGate SSL content scanning and inspection packet flow

Setting up certificates to avoid client warnings

To use SSL content scanning and inspection, you need to set up and use a certificate that supports it. FortiGate SSL content scanning and inspection intercepts the SSL keys that are passed between clients and servers during SSL session handshakes and then substitutes spoofed keys. Two encrypted SSL sessions are set up, one between the client and the FortiGate unit, and a second one between the FortiGate unit and the server. Inside the FortiGate unit the packets are decrypted.

While the SSL sessions are being set up, the client and server communicate in clear text to exchange SSL session keys. The session keys are based on the client and server certificates. The FortiGate SSL decrypt/encrypt process intercepts these keys and uses a built-in signing CA certificate named Fortinet_CA_SSLProxy to create keys to send to the client and the server. This signing CA certificate is used only by the SSL decrypt/encrypt process. The SSL decrypt/encrypt process then sets up encrypted SSL sessions with the client and server and uses these keys to decrypt the SSL traffic to apply content scanning and inspection.

Some client programs (for example, web browsers) can detect this key replacement and will display a security warning message. The traffic is still encrypted and secure, but the security warning indicates that a key substitution has occurred.

You can stop these security warnings by importing the signing CA certificate used by the server into the FortiGate unit SSL content scanning and inspection configuration. Then the FortiGate unit creates keys that appear to come from the server and not the FortiGate unit.

You can replace the default signing CA certificate, Fortinet_CA_SSLProxy, with another signing CA certificate. To do this, you need the signing CA certificate file, the CA certificate key file, and the CA certificate password.

To add a signing CA certificate for SSL content scanning and inspection

1. Obtain a copy of the signing CA certificate file, the CA certificate key file, and the password for the CA certificate.
2. Go to S ystem > Certificates > Local Certificates and select Import.
3. Set Type to Certificate.
4. For Certificate file, use the Browse button to select the signing CA certificate file.
5. For Key file, use the Browse button to select the CA certificate key file.
6. Enter the CA certificate Password.
7. Select OK.

The CA certificate is added to the Local Certificates list. In this example the signing CA certificate name is Example_CA. This name comes from the certificate file and key file name. If you want the certificate to have a different name, change these file names.

8. Add the imported signing CA certificate to the SSL content scanning and inspection configuration. Use the following CLI command if the certificate name is Example_CA. config firewall ssl setting set caname Example_CA

end

The Example_CA signing CA certificate will now be used by SSL content scanning and inspection for establishing encrypted SSL sessions.

SSL content scanning and inspection settings

If SSL content scanning and inspection is available on your FortiGate unit, you can configure SSL settings. The following table provides an overview of the options available and where to find further instruction:

Table 11: SSL content scanning and inspection settings

Setting	Description
Predefined firewall services	The IMAPS, POP3S and SMTPS predefined services. You can select these services in a security policy and a DoS policy.
Protocol recognition	The TCP port numbers that the FortiGate unit inspects for HTTPS, IMAPS, POP3S, and SMTPS. Go to Policy > Policy > Proxy Options. Add or edit a Proxy Options profile, configure HTTPS, IMAPS, POP3S, SMTPS, and FTPS. Using Proxy Options, you can also configure the FortiGate unit to perform URL filtering of HTTPS or to use SSL content scanning and inspection to decrypt HTTPS so that the FortiGate unit can also apply antivirus and DLP content inspection and DLP archiving to HTTPS. Using SSL content scanning and inspection to decrypt HTTPS also allows you to apply more web filtering and FortiGuard Web Filtering options to HTTPS. To enable full SSL content scanning of web filtering, select Enable Deep Scanning under HTTPS in the Proxy Options profile.
Antivirus	Antivirus options including virus scanning and file filtering for HTTPS, IMAPS, POP3S, and SMTPS. Go to AntiVirus > Profile. Add or edit a profile and configure Virus Scan for HTTPS, IMAPS, POP3S, and SMTPS.
Antivirus quarantine	Antivirus quarantine options to quarantine files in HTTPS, IMAPS, POP3S, SMTPS, and FTPS sessions. Go to Security Profiles > AntiVirus > Quarantine. You can quarantine infected files, suspicious files, and blocked files found in HTTPS, IMAPS, POP3S, SMTPS, and FTPS sessions.
Web filtering	Web filtering options for HTTPS: •      Web Content Filter •      Web URL Filter •      ActiveX Filter •      Cookie Filter •      Java Applet Filter •      Web Resume Download Block •      Block invalid URLs Go to Security Profiles > Web Filter > Profile. Add or edit a web filter profile and configure web filtering for HTTPS.

Table 11:SSL content scanning and inspection settings  (continued)

Setting	Description
FortiGuard Web Filtering	FortiGuard Web Filtering options for HTTPS: •      Enable FortiGuard Web Filtering •      Enable FortiGuard Web Filtering Overrides •      Provide Details for Blocked HTTP 4xx and 5xx Errors •      Rate Images by URL (Blocked images will be replaced with blanks) •      Allow Websites When a Rating Error Occurs •      Strict Blocking •      Rate URLs by Domain and IP Address •      Block HTTP Redirects by Rating Go to  Security Profiles > Web Filter > Profile. Add or edit a profile and configure FortiGuard Web Filtering for HTTPS.
Email filtering	Email filtering options for IMAPS, POP3S, and SMTPS: •      FortiGuard Email Filtering IP Address Check, URL check, E-mail Checksum Check, and Spam Submission •      IP Address BWL Check •      E-mail Address BWL Check •      Return S-mail DNS Check •      Banned Word Check •      Spam Action •      Tag Location •      Tag Format Go to Security Profiles > Email Filter > Profile. Add or edit a profile and configure email filtering for IMAPS, POP3S, and SMTPS.
Data Leak Prevention	DLP for HTTPS, IMAPS, POP3S, and SMTPS. To apply DLP, follow the steps below: •      Go to Security Profiles > Data Leak Prevention > Sensor, create a new DLP sensor or edit an existing one and then add any combination of the DLP advanced rules, DLP compound rules, file filters, a Regular Expressions, and file size limits to a DLP sensor. •      Go to Policy > Policy > Proxy Options. Add or edit a profile and select Enable Deep Scan under HTTPS. •      Go to Policy > Policy > Policy, edit the required policy, enable DLP Sensor and select the DLP sensor. •      Go to Policy > Policy > Policy, edit the required policy, enable Proxy Options and select a profile that has Enable Deep Scan selected under HTTPS. Note: If no Proxy Options profile is selected, or if Enable Deep Scan is not selected within the Proxy Options profile, DLP rules cannot inspect HTTPS.

Table 11:SSL content scanning and inspection settings  (continued)

Setting	Description
DLP archiving	DLP archiving for HTTPS, IMAPS, POP3S, and SMTPS. Add DLP Rules for the protocol to be archived.
Monitor DLP content information on the system dashboard	DLP archive information on the Log and Archive Statistics widget on the system dashboard for HTTPS, IMAPS, POP3S, and SMTPS. Go to Policy > Policy > Proxy Options. Add or edit a profile. For each protocol you want monitored on the dashboard, enable Monitor Content Information for Dashboard. These options display meta-information on the Statistics dashboard widget.

Exeptions

Periodically, you will come across situations were SSL and certificates will interfer with the smooth operation of an application or website. For instance, there is a popular application called Dropbox that does not work when deep SSL inspection is enabled. The reason for this is that the trusted certificate authority that is recognised by Dropbox is imbedded in the software and Dropbox cannot be reconfigured to recognise the FortiGate certificates that are used when deep SSL inspection is implimented.

One way to by-pass the deep inspection for Dropbox is to add dropbox.com to a local category in webfiltering and add that local category to the ftgd-wf-ssl-exempt list in the webfilter profile. This way any connections with dropbox.com will be exempt from deep SSL inspection.

Whenever an exception is found, the reason that it causes an issue will have to be determined in order to figure out a way to accommodate that application or website.

Monitoring Security Profiles activity

The first two steps in monitoring  activity covered by Security profiles is make sure that logging is enabled on the FortiGate and that the policies are configured to collect those logs as traffic goes through them.

Check the Logging and Reporting handbook for configuration of such details as to whether the logs are stored locally on a disk or in memory, or use a remote service of some kind such as a FortiAnalyzer or SNMP server. The important thing is that the storing of logs is taking place somewhere. This is configured by going to Log & Report > Log Config > Log Setting. If you are going to log locally you will also have to enable logging locally in the CLI.

The next step is to get the firewall policies to collect traffic logs.  In the configuration of policies there are 3 logging options:

• No log
• Log Security events
• Log all Sessions

Make sure that either Log Security events or Log all sessions is selected.

There are two ways to view the Security Profiles activity based on the collected logs. The first gives you an overview based on a sampling of logs over time. This is good for spotting trends and giving you an idea of the overall impact of a type of Security Profiles threat. For instance you can see if you are a lot of your users are trying to get to sites that you have blocked or which email protocol is receiving the most blocked email.

 

Go to Security Profiles > Monitor. From here you can choose information from the differnt types of Security profile that you have running.

From the AV Monitor, you can see information relating to the Antivirus Profile.

• What are the Top Viruses coming through the FortiGate unit, listing:
• Virus name,
• Last time it was detected
• A count of how many times it was detected.

From the Web Monitor you can find information relating to Web filtering. You can choose:

• Report by FortiGuard Webfilter Category
• Top blocked Categories (pie chart and graph)
• Total blocked requests
• Report by Webfilter Technicue
• Pie chart of requests (allowed, etc.)
• Blocked Requests (Bar chart)
• Spam
• Banned Word
• Virus Archive
• FortiGuard
• URL Filter
• Fragmented
• DLP

From the Application Monitor you can get an idea of which applications are being used over your network and who is using them by looking at the charts:

• Top Application by Bandwidth
• Top Applications by Session Count
• Top IP/User for…

From the Intrusion Monitor you can determine what are the Top Attacks against your network. The report will list:

• Attack Name
• Last time the attack was detected
• A count of how many times the attack was used

From the Email Monitor

• Total Emails (pie chart)
• Blocked Emails, broken down by
• Protocol used
• Reason/technique used to block

From the Archive & Data Leak Monitor you can see what is the:

• Top DLP usage by policy
• Total Dropped Archives

From the FortiGuard Quota you can monitor the status of quotas by seeing which ones are in effect listing:

• User name
• Webfilter Profile
• Used Quota

The second way to look at the logs of the Security Profiles activity is to look at the individual logs. This is useful for trouble shooting and verification of what is being tracked and how because individual log display more information about what happened to the traffic in question.

To look at the logs go to Log and Report > Traffic Log > Forward Traffic and search for individual logged events. In order to see just the Security Profiles based events you may have to first display a column that relates to Security Profiles such as Security Action, Security Event or Security Sub type. Once the appropriate column is displayed in the log window you can then filter based on the criteria that you are searching on.  For instance if you were looking for examples of where your DLP profile stopped some traffic  from getting out you could go to the Security event column and then filter for the event “dlp”. The log page will now only display dlp events. You could not further refine your filter until you were only looking at the logs that relate to the events they you are trying to track.

Configuring packet logging options

You can use a number of CLI commands to further configure packet logging.

Limiting memory use

When logging to memory, you can define the maximum amount of memory used to store logged packets.

config ips settings set packet-log-memory 256

end

The acceptable range is from 64 to 8192 kilobytes. This command affects only logging to memory.

Limiting disk use

When logging to the FortiGate unit internal hard disk, you can define the maximum amount of space used to store logged packets.

config ips settings set ips-packet-quota 256

end

The acceptable range is from 0 to 4294967295 megabytes. This command affects only logging to disk.

Configuring how many packets are captured

Since the packet containing the signature is sometimes not sufficient to troubleshoot a problem, you can specify how many packets are captured before and after the packet containing the IPS signature match.

config ips settings packet-log-history packet-log-post-attack end

The packet-log-history command specifies how many packets are captured before and including the one in which the IPS signature is detected. If the value is more than 1, the packet containing the signature is saved in the packet log, as well as those preceding it, with the total number of logged packets equalling the packet-log-history setting. For example, if packet-log-history is set to 7, the FortiGate unit will save the packet containing the IPS signature match and the six before it.

The acceptable range for packet-log-history is from 1 to 255. The default is 1.

Setting packet-log-history to a value larger than 1 can affect the performance of the FortiGate unit because network traffic must be buffered. The performance penalty depends on the model, the setting, and the traffic load.

The packet-log-post-attack command specifies how many packets are logged after the one in which the IPS signature is detected. For example, if packet-log-post-attack is set to 10, the FortiGate unit will save the ten packets following the one containing the IPS signature match.

The acceptable range for packet-log-post-attack is from 0 to 255. The default is 0.

Using wildcards and Perl regular expressions

Many Security Profiles feature list entries can include wildcards or Perl regular expressions.

For more information about using Perl regular expressions, see http://perldoc.perl.org/perlretut.html.

Regular expression vs. wildcard match pattern

A wildcard character is a special character that represents one or more other characters. The most commonly used wildcard characters are the asterisk (*), which typically represents zero or more characters in a string of characters, and the question mark (?), which typically represents any one character.

In Perl regular expressions, the ‘.’ character refers to any single character. It is similar to the ‘?’ character in wildcard match pattern. As a result:

• com not only matches example.com but also examplea.com, exampleb.com, examplec.com, and so on.

To add a question mark (?) character to a regular expression from the FortiGate CLI, enter

Ctrl+V followed by ?. To add a single backslash character (\) to a regular expression from the CLI you must add precede it with another backslash character. For example, example\\.com.

To match a special character such as ‘.’ and ‘*’ use the escape character ‘\’. For example:

• To match example.com, the regular expression should be: example\.com

In Perl regular expressions, ‘*’ means match 0 or more times of the character before it, not 0 or more times of any character. For example:

• exam*.com matches exammmm.com but does not match example.com

To match any character 0 or more times, use ‘.*’ where ‘.’ means any character and the ‘*’ means 0 or more times. For example, the wildcard match pattern exam*.com should therefore be exam.*\.com.

Word boundary

In Perl regular expressions, the pattern does not have an implicit word boundary. For example, the regular expression “test” not only matches the word “test” but also any word that contains “test” such as “atest”, “mytest”, “testimony”, “atestb”. The notation “\b” specifies the word boundary. To match exactly the word “test”, the expression should be \btest\b.

Case sensitivity

Regular expression pattern matching is case sensitive in the web and Email Filter filters. To make a word or phrase case insensitive, use the regular expression /i. For example, /bad language/i will block all instances of “bad language”, regardless of case.

Perl regular expression formats

T able 12 lists and describes some example Perl regular expressions.

Table 12:Perl regular expr ession formats

Expression	Matches
abc	“abc” (the exact character sequence, but anywhere in the string)
^abc	“abc” at the beginning of the string
abc$	“abc” at the end of the string
a|b	Either “a” or “b”
^abc|abc$	The string “abc” at the beginning or at the end of the string
ab{2,4}c	“a” followed by two, three or four “b”s followed by a “c”
ab{2,}c	“a” followed by at least two “b”s followed by a “c”
ab*c	“a” followed by any number (zero or more) of “b”s followed by a “c”
ab+c	“a” followed by one or more b’s followed by a c
ab?c	“a” followed by an optional “b” followed by a” c”; that is, either “abc” or ”ac”
a.c	“a” followed by any single character (not newline) followed by a” c “
a\.c	“a.c” exactly
[abc]	Any one of “a”, “b” and “c”
[Aa]bc	Either of “Abc” and “abc”
[abc]+	Any (nonempty) string of “a”s, “b”s and “c”s (such as “a”, “abba”, ”acbabcacaa”)
[^abc]+	Any (nonempty) string which does not contain any of “a”, “b”, and “c” (such as “defg”)
\d\d	Any two decimal digits, such as 42; same as \d{2}
/i	Makes the pattern case insensitive. For example, /bad language/i blocks any instance of bad language regardless of case.

Table 12:Perl regular expression formats (continued)

\w+	A “word”: A nonempty sequence of alphanumeric characters and low lines (underscores), such as foo and 12bar8 and foo_1
100\s*mk	The strings “100” and “mk” optionally separated by any amount of white space (spaces, tabs, newlines)
abc\b	“abc” when followed by a word boundary (for example, in “abc!” but not in “abcd”)
perl\B	“perl” when not followed by a word boundary (for example, in “perlert” but not in “perl stuff”)
\x	Tells the regular expression parser to ignore white space that is neither preceded by a backslash character nor within a character class. Use this to break up a regular expression into (slightly) more readable parts.
/x	Used to add regular expressions within other text. If the first character in a pattern is forward slash ‘/’, the ‘/’ is treated as the delimiter. The pattern must contain a second ‘/’. The pattern between ‘/’ will be taken as a regular expressions, and anything after the second ‘/’ will be parsed as a list of regular expression options (‘i’, ‘x’, etc). An error occurs if the second ‘/’ is missing. In regular expressions, the leading and trailing space is treated as part of the regular expression.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!