Security Profiles (AV, Web Filtering etc.)

Blocking Skype using CLI options for improved detection

If you want to identify or block Skype sessions, use the following CLI command with your FortiGate’s public

IP address to improve detection (FortiOS 4.3.12+ and 5.0.2+):

config ips global

set skype-client-public-ipaddr 198.51.100.0,203.0.113.0 end

Note that the above syntax is configured using multiple public IP addresses, where a single public IP address may suffice depending on your network configuration.

 

 

Email filter

Spam is a common means by which attacks are delivered. Users often open email attachments they should not, and infect their own machine.

  • Enable email filtering at the network edge for all types of email traffic.
  • Use FortiClient endpoint IPS scanning for protection against threats that get into your network.
  • Subscribe to the FortiGuard AntiSpam Service.

 

URL filtering

Best practices for URL filtering can be divided into four categories: flow-based versus proxy based filtering; local category/rating feature; URL filter ‘Exempt’ action; and Deep Scan.

 

Flowbased versus proxy-based

Try to avoid mixing flow-based and proxy-based features in the same profile if you are not using IPS or Application Control.

 

Local category/rating feature

Local categories and local rating features consume a large amount of CPU resources, so use this features as little as possible. It is better to use Local categories instead of using the ‘override’ feature, since the ‘override’ feature is more complicated and more difficult to troubleshoot.

 

URL filter ‘Exempt’ action

When using the URL filter ‘Exempt’ option, all scans (including antivirus) are bypassed by default, so use this option only for trusted sites.

 

Configuration notes: You need to configure ‘Exempt’ actions in the URL filter if you want to bypass the FortiGuard Web Filter.You can configure which particular inspection(s) you want to bypass using the set exempt command in config webfilter urlfilter.

 

Deep Scan

The ‘Deep Scan’ feature is much heavier on resources than ‘HTTPS URL Scan Only’. Deep Scan is much more accurate, since many sites (such as various Google applications) cannot be scanned separately without deep scanning enabled.

Note: If you configre Deep Scan in the SSL profile and then configure ‘Enable HTTPS URL Scan Only’ in the web filter profile, then Deep Scan is not performed.

 

Web filtering

FortiGuard Web Filtering can help stop infections from malware sites and help prevent communication if an infection occurs.

  • Enable FortiGuard Web Filtering at the network edge.
  • Install the FortiClient application and use FortiGuard Web Filtering on any systems that bypass your FortiGate unit.
  • Block categories such as Pornography, Malware, Spyware, and Phishing. These categories are more likely to be dangerous

 

Patch management

When vulnerabilities are discovered in software, the software vendors release updates that fix these problems. Keeping your software and operating system up-to-date is a vital step to prevent infection and defend against attacks.

  • Follow the latest advisories and reports on the FortiGuard webpage.
  • Apply updates to all software as the updates become available.
  • FortiGuard Vulnerability Management can help identify security weaknesses in your network. This subscription service is available through FortiScan and FortiAnalyzer units.
  • Apply firmware updates to your FortiGate unit as they are released.
  • Subscribe to FortiGuard AntiVirus and IPS services, so that AntiVirus and IPS scanning engines are automatically updated when new version are released.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Ask your questions in the comments below!!! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Don't Forget To Buy Your Fortinet Hardware From The Fortinet GURU

2 thoughts on “Security Profiles (AV, Web Filtering etc.)

  1. Could you help me with the following?
    About the security profiles, if on a firewall policy one or all of the profiles are disabled, does this mean that the Fortigate will drop the packet?
    I know that whatever is not explicity allowed is automatically categorised as deny, but I wasn’t sure if this also meant the same for disabled security profiles.

    • You mean if you have security profiles created but not applied to a policy? If that is the case, as long as they aren’t applied to a policy the policy will operate in standard firewall format.

Leave a Reply

Name *
Email *
Website

This site uses Akismet to reduce spam. Learn how your comment data is processed.