Category Archives: FortiOS 6

FortiOS 6 – ICAP Support

ICAP support

ICAP is the acronym for Internet Content Adaptation Protocol. The purpose of the feature is to offload work that would normally take place on the firewall to a separate server specifically set up for the specialized processing of the incoming traffic. This takes some of the resource strain off of the FortiGate firewall leaving it to concentrate its resources on things that only it can do.

Offloading value-added services from Web servers to ICAP servers allows those same web servers to be scaled according to raw HTTP throughput versus having to handle these extra tasks.

ICAP servers are focused on a specific function, for example:

l Ad insertion l Virus scanning l Content translation l HTTP header or URL manipulation l Language translation l Content filtering

The following topics are included in this section:

The protocol

Offloading using ICAP

Configuring ICAP

Example ICAP sequence

Example ICAP scenario

The protocol

ICAP is an Application layer protocol; its specifications are set out in RFC 3507. It is, in essence, a lightweight protocol for executing a “remote procedure call” on HTTP messages and is a member of the member of the TCP/IP suite of protocols.

The default TCP that is assigned to it is 1344. Its purpose is to support HTTP content adaptation by providing simple object-based content vectoring for HTTP services. ICAP is usually used to implement virus scanning and content filters in transparent HTTP proxy caches. Content adaptation refers to performing the particular value added service, or content manipulation, for an associated client request/response.

Essentially it allows an ICAP client, in this case the FortiGate firewall, to pass HTTP messages to an ICAP server like a remote procedure call for the purposes of some sort of transformation or other processing adaptation. Once the ICAP server has finished processing the content, the modified content is sent back to the client.

The messages going back and forth between the client and server are typically HTTP requests or HTTP responses. While ICAP is a request/response protocol similar in semantics and usage to HTTP/1.1 it is not HTTP nor does it run over HTTP, as such it cannot be treated as if it were HTTP. For instance, ICAP messages can not be forwarded by HTTP surrogates.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Pages: 1 2 3

FortiOS 6 – FortiClient Compliance Profiles

1 Reply

FortiClient Compliance Profiles

This section describes the FortiClient Compliance Profiles endpoint protection features and configuration.

FortiClient Compliance Profiles are used primarily to make sure connected devices are compliant with Endpoint Control and to protect against vulnerabilities. Both Endpoint Vulnerability Scan on Client and System compliance are enabled by default, while other settings are disabled by default. This allows FortiClient to work as part of a Security Fabric.

FortiClient Profiles was renamed FortiClient Compliance Profiles to clarify that this profile only creates “compliance rules” and cannot be used to “provision FortiClient endpoints”.

You must first enable this feature. Go to System > Feature Visibility and enable Endpoint Control. This will reveal the Security Profiles > FortiClient Compliance menu item.

The following topics are included in this section:

Endpoint protection overview

Configuring endpoint protection

Configuring endpoint registration over a VPN

Assigning FortiClient Profiles using Microsoft AD user groups

Modifying the endpoint protection replacement messages Monitoring endpoints

Endpoint protection overview

Endpoint Protection enforces the use of up-to-date FortiClient Endpoint Security software on endpoints (workstation computers and mobile devices). It pushes a FortiClient profile to the FortiClient application, specifying security settings, including:

Real-time antivirus protection – on or off l FortiClient web category filtering based on web filters defined in a FortiGate Web Filter profile
FortiClient Application Control (application firewall) using application sensors defined in the FortiGate Application Control profile

The FortiClient profile can also:

Create VPN configurations l Install CA certificates l Upload logs to FortiAnalyzer or FortiManager l Enable use of FortiManager for client software/signature update l Enable a dashboard banner l Enable client-based logging while on-net l Output a mobile configuration profile (.mobileconfig file for iOS) Endpoint protection overview

User experience

When using a web browser, the user of a non-compliant endpoint receives a replacement message HTML page from the FortiGate unit. The message explains that the user needs to install FortiClient Endpoint Security and provides a link to do so. The user cannot continue until the FortiClient software is installed.

For information about modifying the replacement message, see Modifying the endpoint protection replacement messages on page 195.

Default FortiClient non-compliance message for Windows

After installing FortiClient Endpoint Security, you will receive an invitation to register with the FortiGate unit. If you accept the invitation, the FortiClient profile is sent to the device’s FortiClient application. Now the device is compliant and can connect to the network. FortiClient Endpoint Security registered with a FortiGate unit does not need to be separately licensed with FortiGuard.

The FortiGate unit can also register endpoints connecting over the Internet through a VPN. See Configuring endpoint registration over a VPN on page 191.

Licensing and FortiGate endpoint registration limits

To view the number of endpoints that are registered and the total that can be registered, go to Dashboard. Under Licenses, find FortiClient. You will see text like “4 /10”. This means that there are four registered endpoints and a total of ten are allowed.

When the registration limit is reached, the next FortiClient-compatible device will not be able to register with the FortiGate unit. A message appears in the FortiClient application. The FortiClient profile is not sent to client and the client cannot connect through the FortiGate unit.

For all FortiGate models, the maximum number of registered endpoints is ten. For all models except 20C, you can purchase an endpoint license to increase this capacity:

To add an endpoint license – GUI

Go to Dashboard.
In the Licenses widget, click on FortiClient, select Enter License.
Enter the license key in the window that sllides in from the right, and select OK.

Maximum registered endpoints with endpoint license

FortiClient endpoint licenses for FortiOS 5.6.0 can be purchased in multiples of 100. There is a maximum client limit based on the FortiGate’s model. FortiCare enforces the maximum limits when the customer is applying the license to a model.

If you are using the ten free licenses for FortiClient, support is provided on the Fortinet Forum (forum.fortinet.com). Phone support is only available for paid licenses.

Model(s)	Maximum Client Limit
VM00	200
FGT/FWF 30 to 90 series	200
FGT 100 to 400 series	600
FGT 500 to 900 series, VM01, VM02	2,000
FGT 1000 to 2900 series	20,000
FGT 3000 to 3600 series, VM04	50,000
FGT 3700D and above, VM08 and above	100,000

Older FortiClient SKUs will still be valid and can be applied to FortiOS 5.4 and 5.6.

Pages: 1 2 3 4 5

FortiOS 6 – Proxy options

Leave a reply

Proxy options

Certain inspections defined in security profiles require that the traffic be held in proxy while the inspection is carried out. When a security profile requiring the use of a proxy is enabled in a policy, the Proxy Options field is displayed. The Proxy Options define the parameters of how the traffic will be processed and to what level the traffic will be processed. There can be multiple security profiles of a single type. There can also be a number of unique Proxy Option profiles. As the requirements for a policy differ from one policy to the next, a different Proxy Option profile for each individual policy can be configured or one profile can be repeatedly applied.

The Proxy Options refer to the handling of the following protocols:

l HTTP l SMTP l POP3 l IMAP l FTP l NNTP l MAPI l DNS

The configuration for each of these protocols is handled separately.

The use of different proxy profiles and profile options

Just like other components of the FortiGate, different Proxy Option profiles can be configured to allow for granular control of the FortiGate. In the case of the Proxy Option profiles the thing that you will want to focus on is the matching up of the correct profile to a firewall policy that is using the appropriate protocols. If you are creating a Proxy Option profile that is designed for policies that control SMTP traffic into your network you only want to configure the settings that apply to SMTP. You do not need or want to configure the HTTP components.

Proxy Options profile components

Highlighted below are certain features available in the Proxy Options security profile.

Log Oversized Files

This setting enables logging of the occurrence of oversized files being processed. It does not change how they are processed. It only enables the FortiGate unit to log that they were either blocked or allowed through. A common practice is to allow larger files through without antivirus processing. This allows you to get an idea of how often this happens and decide on whether or not to alter the settings relating to the treatment of oversized files.

The setting of the threshold for oversized files and emails is found on theSecurity Profiles > Proxy Options page under Common Options.

RPC over HTTP

FortiGate units with firmware version 5.4 and higher support RPC over HTTP. This protocol is used by the

Microsoft Exchange Server to perform virus scanning of Microsoft Exchange Server email that uses RPC over HTTP. To enable this feature, go to Security Profiles > Proxy Options and enable RPC over HTTP.

Protocol Port Mapping

To optimize the resources of the unit, the mapping and inspection of protocols can be enabled or disabled.

Each of the protocols listed in the GUI has a commonly used default TCP port, however, the port used by the protocols can be individually modified. It can also be set to inspect any port with flowing traffic for that particular protocol. The headers of the packets indicate which protocol generated the packet.

Comfort Clients

When proxy-based antivirus scanning is enabled, the FortiGate unit buffers files as they are downloaded. Once the entire file is captured, the FortiGate unit begins scanning the file. During the buffering and scanning procedure, the user must wait. After the scan is completed, if no infection is found, the file is sent to the next step in the process flow. If the file is a large one this part of the process can take some time. In some cases enough time that some users may get impatient and cancel the download.

The Comfort Clients feature mitigates this potential issue by feeding a trickle of data while waiting for the scan to complete. The user then knows that processing is taking place and that there hasn’t been a failure in the transmission. The slow transfer rate continues until the antivirus scan is complete. Once the file has been successfully scanned and found to be clean of any viruses, the transfer will proceed at full speed.

If there is evidence of an infection, the FortiGate unit caches the URL and drops the connection. The client does not receive any notification of what happened because the download to the client had already started. Instead, the download stops and the user is left with a partially downloaded file. If the user tries to download the same file again within a short period of time, the cached URL is matched and the download is blocked. A notification that the download has been blocked is displayed. The number of URLs in the cache is limited by the size of the cache.

Client comforting is available for HTTP and FTP traffic. If your FortiGate unit supports SSL content scanning and inspection, you can also configure client comforting for HTTPS and FTPS traffic.

Buffering the entire file allows the FortiGate unit to eliminate the danger of missing an infection due to fragmentation because the file is reassembled before examination. Client comforting can send unscanned and therefore potentially infected content to the client. You should only enable client comforting if you are prepared to accept this risk. Keeping the client comforting interval high and the amount low will reduce the amount of potentially infected data that is downloaded.

Block Oversized File/Email

This feature is related to antivirus scanning. The FortiGate unit has a finite amount of resources that can be used to buffer and scan a file. If a large file such as an ISO image or video file was to be downloaded this could overwhelm or exceed the memory of the FortiGate, especially if there were other large files being downloaded at the same time. For this reason, the treatment of large files needs to be addressed.

A threshold is assigned to identify an oversize file or email. This can be set at any size from 1 MB to 10 MB. Any file or email over this threshold will not be processed by policies applying the Antivirus security profile.

It should be noted that in terms of probability that malware is more likely to be found in smaller files than in larger files. A number of administrators take this into account when they lower the default threshold so as to lessen the impact on memory if they see the FortiGate unit going into conserve mode on a regular basis.

Chunked Bypass

The HTTP section allows the enabling of Chunked Bypass. This refers to the mechanism in version 1.1 of HTTP that allows a web server to start sending chunks of dynamically generated output in response to a request before actually knowing the actual size of the content. Where dynamically generated content is concerned, enabling this feature means that there is a faster initial response to HTTP requests. From a security stand point, enabling this feature means that the content will not be held in the proxy as an entire file before proceeding.

Allow Fragmented Messages

The specifications of RFC 2046 allow for the breaking up of emails and sending the fragments in parallel to be rebuilt and read at the other end by the mail server. It was originally designed to increase the performance over slower connections where larger email messages were involved. It will depend on your mail configuration if this is even possible for your network but outside of Microsoft Outlook and Outlook Express, not many email clients are set up to break up messages like this. The drawback of this feature is that if malware is broken up between multiple fragments of the message the risk is run that it will not be detected by some antivirus configurations because the code may not all be present at the same time to identify.

Append Email Signature

The Append Email Signature feature ensures that all of the emails going out of a particular network has the appropriate signature or corporate message, for example. These appended emails do not replace existing signatures.

Examples could include things like:

l Without prior approval the email should not be forwarded. l Please be environmentally friendly and don’t print out emails l For questions regarding the purchasing of our products please call…

It can be anything that the organization would like as long as it is in text format. The use of this feature usually works best in an environment where there is some standardization of what goes into the personal signatures of the senders so that there is no duplication or contradiction of information in the signatures.

FortiOS 6 – Data leak prevention

Leave a reply

Data leak prevention

The FortiGate data leak prevention (DLP) system allows you to prevent sensitive data from leaving your network. When you define sensitive data patterns, data matching these patterns will be blocked, or logged and allowed, when passing through the FortiGate unit. You configure the DLP system by creating individual filters based on file type, file size, a regular expression, an advanced rule, or a compound rule, in a DLP sensor and assign the sensor to a security policy.

Although the primary use of the DLP feature is to stop sensitive data from leaving your network, it can also be used to prevent unwanted data from entering your network and to archive some or all of the content passing through the FortiGate unit.

This section describes how to configure the DLP settings. DLP can only be configured for FortiGate units in proxybased inspection.

The following topics are included:

l Data leak prevention concepts l Enable data leak prevention l Creating or editing a DLP sensor l DLP archiving l DLP examples

Data leak prevention concepts

Data leak prevention examines network traffic for data patterns you define through the use of the GUI and CLI commands. The DLP feature is broken down into a number of parts. Note, DLP is not available in flow-based inspection.

DLP sensor

A DLP sensor is a package of filters. To use DLP, you must enable it in a security policy and select the DLP sensor to use. The traffic controlled by the security policy will be searched for the patterns defined in the filters contained in the DLP sensor. Matching traffic will be passed or blocked according to how you configured the filters.

DLP filter

Each DLP sensor has one or more filters configured within it. Filters can examine traffic for known files using DLP fingerprints, for files of a particular type or name, for files larger than a specified size, for data matching a specified regular expression, or for traffic matching an advanced rule or compound rule.

DLP filter actions

You can configure the action taken when a match is detected. The actions include:

l Allow l Log Only l Block l Quarantine IP address

Log Only is enabled by default.

Allow

No action is taken even if the patterns specified in the filter are matched.

Log Only

The FortiGate unit will take no action on network traffic matching a rule with this action. The filter match is logged, however. Other matching filters in the same sensor may still operate on matching traffic.

Block

Traffic matching a filter with the block action will not be delivered. The matching message or download is replaced with the data leak prevention replacement message.

Quarantine IP Address/ Source IP ban

Starting in FortiOS 5.2, the quarantine, as a place where traffic content was held in storage so it couldn’t interact with the network or system, was removed. The term quarantine was kept to describe preventing selected source IPs from interacting with the network and protected systems. This source IP ban is kept in the kernel rather than in any specific application engine and can be queried by APIs. The features that can use the APIs to access and use the banned source IP addresses are antivirus, DLP, DoS and IPS. Both IPv4 and IPv6 version are included in this feature.

If the quarantine-ip action is used, the additional variable of expiry time will become available. This variable determines for how long the source IP address will be blocked. In the GUI it is shown as a field before minutes. In the CLI the option is called expiry and the duration is in the format <###d##h##m>. The maximum days value is 364. The maximum hour value is 23 and the maximum minute value is 59. The default is 5 minutes.

If a DLP sensor has contains a DLP filter with action set to Allow certain files and another DLP filter with action set to Block those same files, then the order of the filters within that sensor will determine which action is taken first.

Configuring using the CLI

To configure the DLP sensor to add the source IP address of the sender of a protected file to the quarantine or list of banned source IP addresses edit the DLP Filter, use these CLI commands:

config dlp sensor edit <sensor name> config filter edit <id number of filter> set action quarantine-ip set expiry 5m end end

Data leak prevention concepts

Preconfigured sensors

A number of preconfigured sensors are provided with your FortiGate unit. These can be edited to more closely match your needs.

Two of the preconfigured sensors with filters ready for you to enable are:

Credit-Card – This sensor logs the traffic, both files and messages, that contain credit card numbers in the formats used by American Express, MasterCard and Visa.
SSN-Sensor – This sensor logs the traffic, both files and messages, that contain Social Security Numbers with the exception of those that are WebEx invitation emails.

DLP document fingerprinting

One of the DLP techniques to detect sensitive data is fingerprinting (also called document fingerprinting). Most DLP techniques rely on you providing a characteristic of the file you want to detect, whether it’s the file type, the file name, or part of the file contents. Fingerprinting is different in that you provide the file itself. The FortiGate unit then generates a checksum fingerprint and stores it. The FortiGate unit generates a fingerprint for all files detected in network traffic, and it is compared to all of the fingerprints stored in its fingerprint database. If a match is found, the configured action is taken.

The document fingerprint feature requires a FortiGate unit with internal storage.

Any type of file can be detected by DLP fingerprinting and fingerprints can be saved for each revision of your files as they are updated. To use fingerprinting you:

l select the documents to be fingerprinted l add fingerprinting filters to DLP sensors l add the sensors to firewall policies that accept the traffic to which to apply fingerprinting.

Fingerprinting

Fingerprint scanning allows you to create a library of files for the FortiGate unit to examine. It will create checksum fingerprints so each file can be easily identified. Then, when files appear in network traffic, the FortiGate will generate a checksum fingerprint and compare it to those in the fingerprint database. A match triggers the configured action.

You must configure a document source or uploaded documents to the FortiGate unit for fingerprint scanning to work.

Fingerprinted documents

The FortiGate unit must have access to the documents for which it generates fingerprints.

Configuring the document source

To configure a DLP fingerprint document source in FortiOS 5.6.0, you must use CLI commands.

config dlp fp-doc-source edit <name_str> set name <string> set server-type {smb} set server <string>

set period {none | daily | weekly | monthly} set vdom {mgmt | current} set scan-subdirectories {enable | disable} set remove-deleted {enable | disable} set keep-modified {enable | disable} set username <string> set password <password> set file-path <string> set file-pattern <string> set sensitivity <string> set tod-hour <integer> set tod-min <integer>

set weekday {sunday | monday | tuesday | wednesday | thursday | friday | saturday} set date <integer>

end

Configuring a DLP fingerprint sensor

To configure a DLP fingerprint sensor in FortiOS 5.6.0, you must use CLI commands.

config dlp sensor edit <sensor name> config filter edit <id number of filter> set proto {smtp | pop3 | imap http-get | http-post | ftp | nntp | mapi} set filter-by fingerprint

set fp-sensitivity { critical | private | warning}

set action {allow | log-only | block | ban | quarantine-ip | quarantineport}

end

Once you have set the document source and configured the DLP sensor for fingerprinting, add the DLP sensor to the applicable firewall policy. This can be done through the GUI.

File size

This filter-type checks for files exceeding a configured size. All files larger than the specified size are subject to the configured action. The value of the field is measured in kilobytes (KB).

Data leak prevention concepts

DLP filtering by specific file types

File filters use file filter lists to examine network traffic for files that match either file names or file types. For example, you can create a file filter list that will find files called secret.* and also all JPEG graphic files. You can create multiple file filter lists and use them in filters in multiple DLP sensors as required.

Specify File Types is a DLP option that allows you to block files based on their file name or their type.

File types are a means of filtering based on examination of the file contents, regardless of the file name. If you block the file type Archive (zip), all zip archives are blocked even if they are renamed with a different file extension. The FortiGate examines the file contents to determine what type of file it is and then acts accordingly.
File Name patterns are a means of filtering based purely on the names of files. They may include wildcards (*). For example, blocking *.scr will stop all files with an .scr file extension, which is commonly used for Windows screen saver files. Files trying to pass themselves off as Windows screen saver files by adopting the file-naming convention will also be stopped.
Files can specify the full or partial file name, the full or partial file extension, or any combination. File pattern entries are not case sensitive. For example, adding *.exe to the file pattern list also blocks any files ending with .exe. l Files are compared to the enabled file patterns from top to bottom, in list order.

Pages: 1 2 3 4

FortiOS 6 – Intrusion prevention

Leave a reply

Intrusion prevention

The FortiOS Intrusion Prevention System (IPS) combines signature detection and prevention with low latency and excellent reliability. With intrusion protection, you can create multiple IPS sensors, each containing a complete configuration based on signatures. Then, you can apply any IPS sensor to any security policy.

This section describes how to configure the FortiOS Intrusion Prevention settings.

This Handbook chapter includes Inside FortiOS: Intrusion Prevention System providing readers an overview of the features and benefits of key FortiOS 5.6 components. For readers needing to delve into greater detail, we provide the following:

IPS concepts

Enabling IPS scanning

IPS processing in an HA cluster

Configure IPS options

Enabling IPS packet logging

Other IPS examples

IPS concepts

The FortiOS Intrusion Prevention System (IPS) protects your network from outside attacks. Your FortiGate unit has two techniques to deal with these attacks: anomaly- and signature-based defense.

Anomaly-based defense

Anomaly-based defense is used when network traffic itself is used as a weapon. A host can be flooded with far more traffic than it can handle, making the host inaccessible. The most common example is the denial of service (DoS) attack, in which an attacker directs a large number of computers to attempt normal access of the target system. If enough access attempts are made, the target is overwhelmed and unable to service genuine users. The attacker does not gain access to the target system, but it is not accessible to anyone else.

The FortiGate DoS feature will block traffic above a certain threshold from the attacker and allow connections from other legitimate users. The DoS policy configuration can be found in the Firewall chapter of the Handbook.

Access control lists in DoS Policies

This feature allows you to define a list of IPs/subnets/ranges in a DoS policy, and block those IPs from sending any traffic, by way of an ACL (access control list). The ACL looks similar to a firewall policy, but only checks source IP, destination IP, destination port, and protocol. To configure in the GUI, go to Policy & Objects > IPv4 Access Control List and create a new policy. Enter the incoming interface, the source address, the destination address, the services impacted, and, optionally, enter a comment.

CLI Syntax

config firewall acl edit 1

IPS concepts

set interface “port1” set srcaddr “google-drive” set dstaddr “all” set service “ALL”

end

Signature-based defense

Signature-based defense is used against known attacks or vulnerability exploits. These often involve an attacker attempting to gain access to your network. The attacker must communicate with the host in an attempt to gain access and this communication will include particular commands or sequences of commands and variables. The IPS signatures include these command sequences, allowing the FortiGate unit to detect and stop the attack.

Signatures

IPS signatures are the basis of signature-based intrusion prevention. Every attack can be reduced to a particular string of commands or a sequence of commands and variables. Signatures include this information so your FortiGate unit knows what to look for in network traffic.

Signatures also include characteristics about the attack they describe. These characteristics include the network protocol in which the attack will appear, the vulnerable operating system, and the vulnerable application.

To view the complete list of signatures, go to Security Profiles > Intrusion Prevention, and select View IPS Signatures. This will include the predefined signatures and any custom signatures that you may have created.

With the release of FortiOS 5.6, the IPS signatures list page shows which IPS package is currently deployed.

Users can also change their IPS package by hovering over the information icon next to the IPS package name. Text will appear that links directly to the FortiGate’s System > FortiGuard page from the IPS Signatures list page.

Protocol decoders

Before examining network traffic for attacks, the IPS engine uses protocol decoders to identify each protocol appearing in the traffic. Attacks are protocol-specific, so your FortiGate unit conserves resources by looking for attacks only in the protocols used to transmit them. For example, the FortiGate unit will only examine HTTP traffic for the presence of a signature describing an HTTP attack.

IPS engine

Once the protocol decoders separate the network traffic by protocol, the IPS engine examines the network traffic for the attack signatures.

IPS sensors

The IPS engine does not examine network traffic for all signatures. You must first create an IPS sensor and specify which signatures are included. Add signatures to sensors individually using signature entries, or in groups using IPS filters.

To view the IPS sensors, go to Security Profiles > Intrusion Prevention.

You can group signatures into IPS sensors for easy selection when applying to firewall policies. You can define signatures for specific types of traffic in separate IPS sensors, and then select those sensors in profiles designed to handle that type of traffic. For example, you can specify all of the web-server related signatures in an IPS

IPS concepts

sensor, and that sensor can then be applied to a firewall policy that controls all of the traffic to and from a web server protected by the unit.

The FortiGuard Service periodically updates the pre-defined signatures, with signatures added to counter new threats. Since the signatures included in filters are defined by specifying signature attributes, new signatures matching existing filter specifications will automatically be included in those filters. For example, if you have a filter that includes all signatures for the Windows operating system, your filter will automatically incorporate new Windows signatures as they are added.

Each IPS sensor consists of two parts: filters and overrides. Overrides are always checked before filters.

Each filter consists of a number of signatures attributes. All of the signatures with those attributes, and only those attributes, are checked against traffic when the filter is run. If multiple filters are defined in an IPS Sensor, they are checked against the traffic one at a time, from top to bottom. If a match is found, the unit takes the appropriate action and stops further checking.

A signature override can modify the behavior of a signature specified in a filter. A signature override can also add a signature not specified in the sensor’s filters. Custom signatures are included in an IPS sensor using overrides.

The signatures in the overrides are first compared to network traffic. If the IPS sensor does not find any matches, it then compares the signatures in each filter to network traffic, one filter at a time, from top to bottom. If no signature matches are found, the IPS sensor allows the network traffic.

The signatures included in the filter are only those matching every attribute specified. When created, a new filter has every attribute set to all which causes every signature to be included in the filter. If the severity is changed to high, and the target is changed to server, the filter includes only signatures checking for high priority attacks targeted at servers.

IPS filters

IPS sensors contain one or more IPS filters. A filter is a collection of signature attributes that you specify. The signatures that have all of the attributes specified in a filter are included in the IPS filter.

For example, if your FortiGate unit protects a Linux server running the Apache web server software, you could create a new filter to protect it. By setting OS to Linux, and Application to Apache, the filter will include only the signatures that apply to both Linux and Apache. If you wanted to scan for all the Linux signatures and all the Apache signatures, you would create two filters, one for each.

To view the filters in an IPS sensor, go to Security Profiles > Intrusion Prevention, select the IPS sensor containing the filters you want to view, and select Edit.

Custom/predefined signature entries

Signature entries allow you to add an individual custom or predefined IPS signature. If you need only one signature, adding a signature entry to an IPS sensor is the easiest way. Signature entries are also the only way to include custom signatures in an IPS sensor.

Another use for signature entries is to change the settings of individual signatures that are already included in a filter within the same IPS sensor. Add a signature entry with the required settings above the filter, and the signature entry will take priority.

Policies

To use an IPS sensor, you must select it in a security policy or an interface policy. An IPS sensor that it not selected in a policy will have no effect on network traffic.

Enabling IPS scanning

IPS is most often configured as part of a security policy. Unless stated otherwise, discussion of IPS sensor use will be in regards to firewall policies in this document.

Session timers for IPS sessions

A session time-to-live (TTL) timer for IPS sessions is available to reduce synchronization problems between the FortiOS Kernel and IPS, and to reduce IPS memory usage. The timeout values can be customized.

Pages: 1 2 3 4 5 6 7

FortiOS 6 – Anti-spam filter

Leave a reply

Anti-spam filter

This section describes how to configure FortiGate email filtering for IMAP, POP3, and SMTP email. Email filtering includes both spam filtering and filtering for any words or files you want to disallow in email messages. If your FortiGate unit supports SSL content scanning and inspection, you can also configure spam filtering for IMAPS, POP3S, and SMTPS email traffic.

The Anti-Spam security profile is only available when operating the FortiGate in proxy-based inspection.

The following topics are included in this section:

Anti-spam concepts

Anti-spam techniques

Configuring Anti-spam

Order of spam filtering

Spam actions

Anti-spam examples

Anti-spam concepts

You can configure the FortiGate unit to manage unsolicited commercial email by detecting and identifying spam messages from known or suspected spam servers.

The FortiGuard Anti-Spam service uses both a sender IP reputation database and a spam signature database, along with sophisticated spam filtering tools, to detect and block a wide range of spam messages. Using FortiGuard Anti-Spam profile settings, you can opt to filter with IP address checking, URL checking, email checksum checking, detection of phishing URLs in email, and spam submission. Updates to the IP reputation and spam signature databases are provided continuously via the global FortiGuard Distribution Network.

At the FortiGuard Anti-Spam service page on the FortiGuard Labs website, you can find out whether an IP address is blacklisted in the FortiGuard Anti-Spam IP reputation database, or whether a URL or email address is in the signature database.

Anti-spam techniques

The FortiGate unit has a number of techniques available to help detect spam. Some use the FortiGuard AntiSpam service and require a subscription. The remainder use your DNS servers or use lists that you must maintain.

Black white list

These are the types of black white lists available. They include:

IP/Netmask

The FortiGate unit compares the IP address of the client delivering the email to the addresses in the IP address techniques

black / white list specified in the email filter profile. If a match is found, the FortiGate unit will take the action configured for the matching black / white list entry against all delivered email.

The default setting of the smtp-spamhdrip CLI command is disable. If enabled, the FortiGate unit will check all the IP addresses in the header of SMTP email against the specified IP address black / white list.

Email Wildcard

The FortiGate unit compares the sender email address, as shown in the message header and envelope MAIL FROM, to the pattern in the patterned field. The wildcard symbol is used in the place of characters in the address that may vary from the pattern. If a match is found, the FortiGate unit will take the action configured for the matching black / white list entry. l Email Regular Expression

The FortiGate unit compares the sender email address, as shown in the message envelope MAIL FROM, to the pattern in the patterned field. The regular expression that can be used is much more sophisticated than a simple wildcard variable. If a match is found, the FortiGate unit will take the action configured for the matching black/white list entry.

Pattern

The pattern field is for entering the identifying information that will enable the filter to correctly identify the email messages.

If the type is IP/Netmask the filter will be an IP address with a subnet mask.
If the type is Email Wildcard the filter will be an email address with a wildcard symbol in place of the variable characters. For example *.example.com or fred@*.com.
If the type is Email Regular Expression, regular expression can be used to create a more granular filter for email addresses. For example, ^[_a-z0-9-]+(\.[_a-z0-9-]+)*@(example|xmple|examp).(com|org|net) could be used filter based on a number of combinations of email domain names. Action
Tag

If this is the selected action, the email will be allowed through but it will be tagged with an indicator that clearly marks the email as spam. l Pass

If this is the selected action, the email will be allowed to go through to its destination on the assumption that the message is not spam.

Discard

If this is the selected action, the email will be dropped at the before reaching its destination. Status

Indicates whether this particular list is enabled or disabled.

Banned word check

When you enable banned word checking, your FortiGate unit will examine the email message for words appearing in the banned word list specified in the Anti-Spam profile. If the total score of the banned word discovered in the email message exceeds the threshold value set in the Anti-Spam profile, your FortiGate unit will treat the message as spam.

When determining the banned word score total for an email message, each banned word score is added once no matter how many times the word appears in the message. Use the command config spamfilter bword to Anti-spam techniques

add an email banned word list. Use the command config spamfilter profile to add a banned word list to an Anti-Spam profile.

How content is evaluated

Every time the banned word filter detects a pattern in an email message, it adds the pattern score to the sum of scores for the message. You set this score when you create a new pattern to block content. The score can be any number from zero to 99999. Higher scores indicate more offensive content. When the total score equals or exceeds the threshold, the email message is considered as spam and treated according to the spam action configured in the email filter profile. The score for each pattern is counted only once, even if that pattern appears many times in the email message. The default score for banned word patterns is 10 and the default threshold is 10. This means that by default, an email message is blocked by a single match.

A pattern can be part of a word, a whole word, or a phrase. Multiple words entered as a pattern are treated as a phrase. The phrase must appear as entered to match. You can also use wildcards or regular expressions to have a pattern match multiple words or phrases.

For example, the FortiGate unit scans an email message that contains only this sentence: “The score for each word or phrase is counted only once, even if that word or phrase appears many times in the email message.”

Banned word pattern	Pattern type	Assigned score	Score added to the sum for the entire page	Comment
word	Wildcard	20	20	The pattern appears twice but multiple occurrences are only counted once.
word phrase	Wildcard	20	0	Although each word in the phrase appears in the message, the words do not appear together as they do in the pattern. There are no matches.
word*phrase	Wildcard	20	20	The wildcard represents any number of any character. A match occurs as long as “word” appears before “phrase” regardless of what is in between them.
mail*age	Wildcard	20	20	Since the wildcard character can represent any characters, this pattern is a match because “email message” appears in the message.

In this example, the message is treated as spam if the banned word threshold is set to 60 or less.

Adding words to a banned word list

When you enter a word, set the Pattern-type to wildcards or regular expressions.

Wildcard uses an asterisk (“*”) to match any number of any character. For example, re* will match all words starting with “re”.

Regular expression uses Perl regular expression syntax. See http://perldoc.perl.org/perlretut.html for detailed information about using Perl regular expressions.

techniques

Pages: 1 2 3 4 5

FortiOS 6 – Application Control

2 Replies

Application control

Using the Application Control Security Profiles feature, your FortiGate unit can detect and take action against network traffic depending on the application generating the traffic. Based on FortiGate Intrusion Protection protocol decoders, application control is a user-friendly and powerful way to use Intrusion Protection features to log and manage the behavior of application traffic passing through the FortiGate unit. Application control uses IPS protocol decoders that can analyze network traffic to detect application traffic even if the traffic uses nonstandard ports or protocols. Application control supports detection for traffic using HTTP protocol (versions 1.0, 1.1, and 2.0).

The FortiGate unit can recognize the network traffic generated by a large number of applications. You can create application control sensors that specify the action to take with the traffic of the applications you need to manage and the network on which they are active, and then add application control sensors to the firewall policies that control the network traffic you need to monitor.

Fortinet is constantly adding to the list of applications detected through maintenance of the FortiGuard Application Control Database. This database is part of the FortiGuard Intrusion Protection System Database because intrusion protection protocol decoders are used for application control and both of these databases have the same version number.

Cloud Access Security Inspection (CASI) is merged with Application Control resulting in changes to the GUI and the CLI.

You can identify the version of the application control database installed on your unit by going to the Licenses widget on the Dashboard and hovering over the IPS & Application Control line; the status, expiry date, and version will be displayed. Additionally, you can see the complete list of applications supported by FortiGuard Application Control on the FortiGuard site or http://fortiguard.com/appcontrol. This web page lists all of the supported applications. You can select any application name to see details about the application.

Application Control is a standard part of any FortiCare support contract and the database for Application Control signatures is separate from the IPS database. However, botnet application signatures are still part of the IPS signature database since these are more closely related with security issues and less about application detection.

This Handbook chapter includes Inside FortiOS: Application Control and provides readers an overview of the features and benefits of key FortiOS 5.6 components. For readers needing to delve into greater detail, we provide the following topics:

Application control concepts

Enabling application control in profile-based modes

Application control actions Application considerations

Application control monitor

Application control examples

Application control concepts

You can control network traffic generally by the source or destination address, or by the port, the quantity or similar attributes of the traffic itself in the security policy. If you want to control the flow of traffic from a specific application, these methods may not be sufficient to precisely define the traffic. To address this problem, the application control feature examines the traffic itself for signatures unique to the application generating it. Application control does not require knowledge of any server addresses or ports. The FortiGate unit includes signatures for over 2,000 applications, services, and protocols.

Updated and new application signatures are delivered to your FortiGate unit as part of your FortiGuard Application Control Service subscription, which is a free service. Fortinet is constantly increasing the number of applications that this feature can detect by adding applications to the FortiGuard Application Control Database. Because intrusion protection protocol decoders are used for application control, the application control database is part of the FortiGuard Intrusion Protection System Database. Both of these databases have the same version number.

You can find the version of the application control database installed on your unit by going to the Licenses widget on the Dashboard and hovering over the IPS& Application Control line; the status, expiry date, and version will be displayed.

To see the complete list of applications supported by FortiGuard Application Control go to the FortiGuard site or http://fortiguard.com/appcontrol. This web page lists all of the supported applications. You can select any application name to see details about the application.

Pages: 1 2 3 4

FortiOS 6 – DNS Filter

Leave a reply

DNS filter

You can configure DNS web filtering to allow, block, or monitor access to web content according to FortiGuard categories. When DNS web filtering is enabled, your FortiGate must use the FortiGuard DNS service for DNS lookups. DNS lookup requests sent to the FortiGuard DNS service return with an IP address and a domain rating that includes the FortiGuard category of the web page.

If that FortiGuard category is set to block, the result of the DNS lookup is not returned to the requester. If the category is set to redirect, then the address returned to the requester points at a FortiGuard redirect page.

You can also allow or monitor access based on FortiGuard category.

Blocking DNS requests to known botnet command & control addresses

FortiGuard maintains a database containing a list of known botnet command and control (C&C) addresses. This database is updated dynamically and stored on the FortiGate and requires a valid FortiGuard AntiVirus subscription.

When you block DNS requests to known botnet C&C addresses, using IPS, DNS lookups are checked against the botnet C&C database. All matching DNS lookups are blocked. Matching uses a reverse prefix match, so all subdomains are also blocked.

To enable this feature, go to Security Profiles > DNS Filter, and enable Block DNS requests to known botnet C&C.

Static Domain Filter

The DNS Static Domain Filter allows you to block, exempt, or monitor DNS requests by using IPS to look inside DNS packets and match the domain being looked up with the domains on the static URL filter list. If there is a match the DNS request can be blocked, exempted, monitored, or allowed.

If blocked, the DNS request is blocked and so the user cannot look up the address and connect to the site.

If exempted, access to the site is allowed even if another method is used to block it.

CLI commands

l Rename webfilter-sdns-server-ip and webfilter-sdns-server-port:

config system fortiguard set sdns-server-ip x.x.x.x set sdns-server-port 53

end l Configure DNS domain filter lists in order to decide access for specific domains:

config dnsfilter domain-filter edit {id} set id {integer} set name {string} set comment {string} config entries edit {id}

DNS

set id {integer} set domain {string} set type {simple | regex | wildcard} set action {block | allow | monitor} set status {enable | disable}

end

config dnsfilter profile edit “dns_profile1″ set comment ” config domain-filter set domain-filter-table <id>

set external-blocklist [addr1] [addr2] [addr3]

end config ftgd-dns config filters

edit 1 set category 49 set action block set log enable

next edit 2 set category 71 set action monitor set log enable

end

set log-all-url disable set block-action redirect set redirect-portal 0.0.0.0 set block-botnet enable

end l Configure DNS profile in a firewall policy:

config firewall policy edit 1 set srcintf “any” set dstintf “any” set srcaddr “all” set dstaddr “all” set action accept set schedule “always” set service “FTP” set utm-status enable set dnsfilter-profile “dns_profile1” set profile-protocol-options “default”

set nat enable

next end

Configure DNS profile in profile group:

config firewall profile-group edit “pgrp1” set dnsfilter-profile “dns_profile1” set profile-protocol-options “default”

end

DNS profile supports safe search

Users can take advantage of pre-defined DNS filter rules to edit DNS profiles and provide safe search for Google, Bing, and YouTube.

To add safe search to a DNS profile – GUI

Go to Security Profiles > DNS Filter.
Edit the default filter or create a new one.
Enable Enforce ‘Safe Search’ on Google, Bing, YouTube.
Select Strict or Moderate level for Restrict YouTube Access.

To add safe search to a DNS profile – CLI

config dnsfilter profile edit “default” set safe-search enable

set youtube-restrict {strict | moderate} (only available if safe-search enabled)

end

FortiGuard botnet protection

Preventing botnets from controlling your system is achieved by detecting and blocking connection attempts to known botnets. This feature also blocks connections to known phishing sites. The FortiGuard database is continually updated with addresses of known Command and Control (C&C) sites that botnet clients attempt to connect to, as well as a addresses of known phishing URLs.

To enable botnet and phishing protection in a DNS Filter profile, enable Block DNS requests to known botnet C&C.

The latest botnet database is available from FortiGuard. To see the version of the database and display its contents, go to System > FortiGuard > AntiVirus and view the lists for Botnet IPs and Botnet Domains.

You can block, monitor, or allow outgoing connections to botnet sites for each FortiGate interface.