Traffic Shaping Policies


New Traffic Shaper Policy Configuration Method (269943)

Previously, traffic shapers were configured in Policy & Objects > Objects > Traffic Shapers and then applied in security policies under Policy & Objects > Policy > IPv4. In FortiOS 5.4, traffic shapers are configured in a new traffic shaping section in Policy & Objects > Traffic Shapers.

The way that traffic shapers are applied to policies has changed significantly in 5.4, because there is now a dedicated section for traffic shaping policies in Policy & Objects > Traffic Shaping Policy. In the new traffic shaping policies, you must ensure that the Matching Criteria is the same as that of the security policy or policies you want to apply shaping to.

Traffic shaper matching is also now supported on the following criteria:

  • Source (Address, Local Users, Groups)
  • Destination (Address, FQDN, URL or category)
  • Service (General, Web Access, File Access, Email and Network services, Authentication, Remote Access, Tunneling, VoIP, Messaging and other Applications, Web Proxy)
  • Application
  • Application Category
  • URL Category


Creating Application Control Shapers

Application Control Shapers were previously configured in the Security Profiles > Application Control section, but for simplicity they are now consolidated in the same section as the other two types of traffic shapers: Shared and Per-IP.

To create an Application Control Shaper, you must first enable application control at the policy level, in Policy & Objects > Policy > [IPv4 or IPv6]. Then, you can create a matching application-based traffic shaping policy that will apply to it, in the new Traffic Shaping section under Policy & Objects > Traffic Shaping Policy.

New attributes added to “firewall shaping-policy” (277030) (275431)

The two new attributes are status and url-category. The status attribute sets whether the policy is enabled or disabled. When url-category is set to 0, the shaping policy applies to sessions that have no URL rating, i.e. sessions to which no web filtering is applied.

Syntax:

config firewall shaping-policy
    edit 1
        set status enable
        set url-category [category ID number]
    next
end

New button added to “Clone” Shapers

You can now easily create a copy of an existing shaper by selecting the shaper and clicking the Clone button.



Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

The Fortinet NSE Program Is Still Broken

Had to vent. I get the privilege of sitting for my NSE5 soon. (It goes to 8, and I have recently made certifications outside of my CISSP CE work a priority.) Well, I’m technically an NSE 4 right now thanks to my grandfathered FCNSP. It doesn’t expire for a few months. I was under the impression that my NSE5 would re-up the requirements of the lower certs. Apparently, this isn’t the case. Fortinet really needs to get their stuff together when it comes to their certification program. If they want it to be right, they should seriously hire me to consult for them in that regard.

Also, they need more than ONE guy running the certification department. It shouldn’t take a month to verify your standings and credentials in order to schedule testing for advancement.



Extended-UTM-Log Enable Error

I received the following question through my consulting form:

Question: When configuring an application list and setting “extended-utm-log”, I got the following error:

burgfg01 (list) $ edit “RogersStandard”
new entry ‘RogersStandard’ added

set extended-utm-log enable
burgfg01 (RogersStandard) $ set extended-utm-log enable

command parse error before ‘extended-utm-log’
Command fail. Return code -61
———

Please advise.
Thanks

Answer: Chances are the user is running FortiOS 5.2 or later, which no longer has the extended-utm-log option.



Fortinet Acquires AccelOps

In case you didn’t know already, Fortinet has bought, or acquired, or whatever we want to call it, AccelOps. Here is an excerpt from their blog post.

One of the biggest security challenges organizations face is being able to see enough of the network to identify today’s most advanced, multi-vector threats. Ideally, you need to be able to see across the distributed network, including cloud deployments and devices from multiple network and security vendors, correlate detected local activity with global threat intelligence and expected behaviors, and coordinate a response across the entire portfolio of installed security solutions.

This becomes increasingly challenging as networks continue to expand beyond the perimeter and embrace increasing numbers of devices and applications. As the network expands, the attack surface naturally expands with it. At the same time, new threats are targeting this distributed network architecture. Mobility, IoT, virtualization, big data, and the cloud aren’t only transforming businesses. They are being specifically targeted, which is a game changer for security as well. For example, it is estimated that by 2020 over 25% of attacks on enterprises will involve IoT.

If you are interested in reading more please CLICK HERE



A Wrap Up Of HITB Amsterdam 2016 Conference

23 May 2016 marked the first day of the annual security conference organized by Hack In the Box. As usual, the event took place in Amsterdam, Netherlands. This year I had the privilege to attend. HITB is one of the top-notch technical conferences, where elite security researchers from around the world gather to share their research. Not to mention that it is also a great place to hang out with these people to exchange ideas offstage. There were so many great talks in this conference. I am pleased to share a couple of talks here that I feel were particularly interesting.

One of my favorite, and most anticipated, talks was Go Speed Tracer: Guided Fuzzing, presented by Richard Johnson. Richard is an expert in fuzzing technology, with a particular emphasis on optimizing the performance of traditional fuzzers so that they scale. Of course, traditional fuzzing methodologies, such as dumb fuzzing, which uses simple sample-based mutation, still work in most cases. However, they are often limited to discovering minor security issues and eventually bottleneck, a problem many security researchers run into when writing their own fuzzer. Feedback-driven fuzzing is an evolutionary fuzzing methodology, made possible by the introduction of American Fuzzy Lop (AFL), that increases the coverage a fuzzer achieves, thereby increasing the chances of discovering more security issues, or even severe security vulnerabilities. After thoroughly studying various open source fuzzers like AFL, Richard shed some light on how to build your own high-performance guided fuzzer using existing binary instrumentation technologies like Pin, DynamoRIO, and DynInst. He also gave a couple of demos comparing the performance overhead of Pin and DynamoRIO, which showed that DynamoRIO seems to outperform Pin in terms of binary code instrumentation. Unfortunately, he wasn’t able to demo AFL with full support for Windows binaries, along with hardware tracing using Intel Processor Trace via a Windows driver, as the prototype has not been completed yet. Nevertheless, it was an inspirational talk for researchers who are interested in developing their own fuzzer.
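As an added illustration of why feedback-driven fuzzing beats dumb mutation (constructed for this write-up; not the talk's code and not AFL's), a toy coverage-guided loop in Python: the target checks a made-up 4-byte header one byte at a time, the guided loop keeps any input that reaches a branch it has not seen before, and the dumb loop only ever mutates the seed. MAGIC, target, mutate and fuzz are all hypothetical names.

```python
import random

# Toy target standing in for a file parser: a 4-byte magic header checked one
# byte at a time, then a deeper condition. Each comparison is its own branch,
# so a coverage-guided fuzzer can make progress byte by byte, while a dumb
# mutator has to guess the whole header in a single mutation.
MAGIC = b"HITB"  # constructed header, not a real file format

def target(data: bytes, coverage: set) -> bool:
    """Run the target on data, recording branch ids in coverage.
    Returns True when the deep 'bug' path is reached."""
    coverage.add("entry")
    if len(data) <= len(MAGIC):
        coverage.add("too_short")
        return False
    for i, expected in enumerate(MAGIC):
        if data[i] != expected:
            coverage.add(f"magic_fail_{i}")
            return False
        coverage.add(f"magic_ok_{i}")
    if data[len(MAGIC)] > 0x7F:        # only reachable after the full header
        coverage.add("bug")
        return True
    coverage.add("no_bug")
    return False

def mutate(data: bytes, rng: random.Random) -> bytes:
    """Same dumb mutation for both strategies: overwrite one random byte."""
    buf = bytearray(data)
    buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)

def fuzz(guided: bool, iterations: int, seed: int = 1):
    """Return the iteration at which the bug path was hit, or None.
    guided=True keeps every input that hits a not-yet-seen branch and
    mutates the newest such input next (a simplified AFL-style queue);
    guided=False always mutates the original seed input."""
    rng = random.Random(seed)           # seeded so runs are reproducible
    corpus = [bytes(5)]                 # all-zero 5-byte seed input
    seen = set()
    for it in range(1, iterations + 1):
        child = mutate(corpus[-1], rng)
        cov = set()
        if target(child, cov):
            return it
        if guided and not cov <= seen:  # feedback: a new edge was discovered
            seen |= cov
            corpus.append(child)
    return None
```

With the seeded RNG the guided run reaches the bug path in a few thousand iterations, whereas the dumb run, which can only ever differ from the seed in one byte, never does.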

Click Here To Continue Reading



FortiClient Monitoring and Quarantine


FortiClient monitoring and quarantine is currently only supported by FortiClient 5.4 for Windows.

FortiSandbox uses a single signature to identify tens of thousands of variations of viral code. A FortiSandbox can send frequent, dynamic signature updates to a FortiGate and FortiClient, which allows files to be blocked before they are sent to the FortiSandbox.

With FortiSandbox, FortiClient, and FortiGate integration, you can configure a FortiGate to send files to FortiSandbox for scanning.

When FortiSandbox determines that a file is infected, it notifies the FortiGate of this event. Then, from FortiView, the FortiGate administrator can take action to quarantine the endpoint that downloaded the infected file.

To support this, FortiClient now supports host-level quarantine, which cuts off all other network traffic from the endpoint directly, preventing it from infecting or scanning the local network.

When a device is under quarantine, FortiClient cannot be shut down or uninstalled. A user is also unable to unregister from the FortiGate that quarantined them, or to register to another FortiGate unit.

Alternatively, FortiGate can release the file to the client before receiving the FortiSandbox scan results, and then have FortiClient quarantine the device once the scan results are available, if required.



Pushing signatures to AntiVirus


When a FortiSandbox discovers a malicious file, it can create a signature that is sent to the FortiGate, to supplement the AntiVirus signature database. This signature can be used to block that file from entering the network again, and to prevent duplicates of the file being sent to the FortiSandbox in the future. This feature is enabled in an AntiVirus profile.

CLI Syntax

config antivirus profile
    edit "default"
        set ftgd-analytics {everything | suspicious}
        set analytics-db {enable | disable}
    next
end

Files blocked by a FortiSandbox signature can be viewed and filtered for in the FortiSandbox dashboard.

In FortiOS 5.4 Beta 2, the URL feature is only available for proxy-based Web Filter profiles.

Information on the current database for both malware signatures and blocked URLs can be found by going to System > External Security Devices.




FortiSandbox Integration


The following improvements have been made to how sandboxing, using either a FortiSandbox Appliance or FortiCloud Sandboxing, integrates with a FortiGate unit.

See the Cookbook recipe Sandboxing with FortiSandbox and FortiClient.

Connecting to a FortiSandbox

1. Go to System > External Security Devices and select Enable Sandbox Inspection.

2. Select either FortiSandbox Appliance or FortiSandbox Cloud.

3. If you select FortiSandbox Appliance, add the Server IP address.

4. Select Test Connectivity to verify that you can connect to FortiSandbox.

5. Then edit an AntiVirus profile by going to Security Profiles > AntiVirus and selecting Send Filter to FortiSandbox Appliance for Inspection.

6. You can also choose to send Suspicious Files, Executable files, or all supported files.

7. Select Use FortiSandbox Database to add signatures for suspicious files found by FortiSandbox to your FortiGate antivirus signature database.

8. Then select this AntiVirus profile in a firewall policy to send files in traffic accepted by the firewall policy to FortiSandbox.

9. You can also go to Security Profiles > Web Filter and select Block malicious URLs discovered by FortiSandbox.

Pushing malicious URLs to Web Filtering

The malicious URL database contains all malicious URLs active in the last month. The FortiSandbox can add the URLs where any malicious files originated to a URL filter, to block these files from being downloaded again from that URL.

This feature is enabled in a Web Filter profile under Security Profiles > Web Filter > Block malicious URLs discovered by FortiSandbox.

CLI Syntax

config webfilter profile
    edit <profile>
        config web
            set blacklist [enable | disable]
            …
        end
    next
end

Files blocked by a FortiSandbox signature can be viewed and filtered for in the FortiSandbox dashboard. Information on the current database for both malware signatures and blocked URLs can be found by going to System > External Security Devices.

FortiSandbox Dashboard in FortiView

The FortiSandbox dashboard is available from FortiView > FortiSandbox. The dashboard shows all samples submitted for sandboxing. Information on the dashboard can be filtered by checksum, file name, result, source, status, and user name. Each entry also offers a drilldown view to show more details about a particular sample.

