Web Application Firewall

1 Reply

Web Application Firewall

Go to Security Profiles > Web Application Firewall. From here you can customize the default Web Application Firewall profile, or create new profiles, to protect against a variety of web-based threats. Web Application Firewall profiles can be created with a variety of options (Signatures and Constraints), similar to other security profiles.

You can set the Web Application Firewall to use an External Security Device, such as FortiWeb, by setting

Inspection Device to External.

Web Application Firewall

Selecting External in the Web Application Firewall profile adds the following configuration to the CLI:

config waf profile edit default

set external enable end

You must add the Web Application Firewall profile to a firewall policy in order for that traffic to be offloaded to the

External Security Device for processing.

If your FortiGate or VDOM Inspection mode is set to flow-based you must use the CLI to set a Web Application Firewall profile to external mode and add the Web Applic- ation Firewall profile to a firewall policy.

 

FortiMail

1 Reply

FortiMail

To be able to offload Anti-Spam processing to a FortiMail device you should.

1. Go to System > Feature Select and turn on AntiSpam Filter.

2. Go to System > External Security Devices, enable SMTP Service – FortiMail and add the IP address of your FortiMail device.

3. Go to Security Profiles > Anti-Spam and edit an Anti-Spam profile and set Inspection Device to External.

4. Go to Policy & Objects > IPv4 Policy, add or edit a Firewall policy, enable AntiSpam and select the profile for which you set Inspection Device to External.

When you add this Anti-Spam profile to a firewall policy, email traffic accepted by the policy is offloaded to the

FortiMail device for processing.

If your FortiGate or VDOM inspection mode is set to flow-based you must use the CLI to set an Anti-Spam profile to external mode and add the Anti-Spam profile to a fire- wall policy.

Enabling FortiMail on the External Security Devices page adds the following configuration to the CLI:

config system wccp set service-id 52

set router-id 5.5.5.5 (the IP address of the FortiGate interface that communicates with the FortiMail)

set group address 0.0.0.0

set server-list 5.5.5.65 255.255.255.255 (the IP address of the FortiMail)

set authentication disable set forward-method GRE

set return-method GRE

set assignment-method HASH

end

 

Selecting External in the Anti-Spam profile adds the following configuration to the CLI:

config spamfilter profile edit default

set external enable end

FortiCache

Leave a reply

FortiCache

To be able to offload Web Caching to a FortiCache device you should:

1. Go to System > External Security Devices, enable HTTP Service, select FortiCache and add the IP address of your FortiCache device.

2. Go to Policy & Objects > IPv4 Policy, add or edit a firewall policy and select Web Cache.

When you add web caching to a firewall policy, web traffic accepted by the policy is offloaded to the FortiCache device for processing.

Enabling FortiCache on the External Security Devices page adds the following configuration to the CLI:

config system wccp set service-id 51

set router-id 5.5.5.5 (the IP address of the FortiGate interface that communicates with the FortiCache)

set group address 0.0.0.0

set server-list 5.5.5.45 255.255.255.255 (the IP address of the FortiCache)

set authentication disable set forward-method GRE

set return-method GRE

set assignment-method HASH

end

FortiWeb

1 Reply

FortiWeb

To be able to offload HTTP inspection to a FortiWeb device you should:

1. Go to System > External Security Devices, enable HTTP Service, select FortiWeb and add the IP address of your FortiCache device.

2. Go to Policy & Objects > IPv4 Policy, add or edit a firewall policy and select Web Application Firewall. When you add Web Application Firewall to a firewall policy, web traffic accepted by the policy is offloaded to the FortiWeb device for processing.

Enabling FortiWeb on the External Security Devices page adds the following configuration to the CLI:

config system wccp set service-id 51

set router-id 5.5.5.5 (the IP address of the FortiGate interface that communicates with the FortiWeb)

set group address 0.0.0.0

set server-list 5.5.5.25 255.255.255.255 (the IP address of the FortiWeb)

set authentication disable set forward-method GRE

set return-method GRE

set assignment-method HASH

end

External Security Devices

Leave a reply

External Security Devices

External Security Devices can be configured as means to offload processes to other devices, such as a FortiWeb, FortiCache, or FortiMail. Example processes could include HTTP inspection, web caching, and anti-spam.

Fortinet External Security Devices

To configure such a device, go to System > External Security Devices.

DNS Filter

Leave a reply

DNS Filter

Blocking DNS requests to known Botnet C&C addresses

A new FortiGuard database contains a list of known Botnet C&C addresses. This database is updated

dynamically and stored on the FortiGate. This database is covered by FortiGuard web filter licensing, so you must have a FortiGuard web filtering license to use this feature.

When you block DNS requests to known Botnet C&C addresses, using IPS, DNS lookups are checked against the Botnet C&C database. All matching DNS lookups are blocked. Matching uses a reverse prefix match, so all sub- domains are also blocked.

To enable blocking of DNS requests to known Botnet C&C addresses, go to Security Profiles > DNS Filter, and enable Block DNS requests to known botnet C&C.

Static URL filter

The DNS inspection profile static URL filter allows you to block, exempt, or monitor DNS requests by using IPS to look inside DNS packets and match the domain being looked up with the domains on the static URL filter list. If there is a match the DNS request can be blocked, exempted, monitored, or allowed.

If blocked, the DNS request is blocked and so the user cannot look up the address and connect to the site. If exempted, access to the site is allowed even if another method is used to block it.

DNSbased web filtering

This feature is similar to the FortiGuard DNS web filtering available in FortiOS 5.2. You can configure DNS web filtering to allow, block, or monitor access to web content according to FortiGuard categories. When DNS web filtering is enabled, your FortiGate must use the FortiGuard DNS service for DNS lookups. DNS lookup requests sent to the FortiGuard DNS service return with an IP address and a domain rating that includes the FortiGuard category of the web page.

If that FortiGuard category is set to block, the result of the DNS lookup is not returned to the requester. If the category is set to redirect, then the address returned to the requester points at a FortiGuard redirect page.

You can also allow access or monitor access based on FortiGuard category.

CLI commands

Rename webfilter-sdns-server-ip and webfilter-sdns-server-port:

config system fortiguard

set sdns-server-ip x.x.x.x set sdns-server-port 53

end

Configure DNS URL filter:

config dnsfilter urlfilter edit 1

set name “url1″ set comment ”

config entries edit 1

set url “www.google.com” set type simple

set action block set status enable

next edit 2

set url “www.yahoo.com” set type simple

set action monitor set status enable

next edit 3

set url “www.foritnet.com” set type simple

set action allow set status enable

next end

next end

Configure DNS filter profile:

config dnsfilter profile edit “dns_profile1″

set comment ” config urlfilter

set urlfilter-table 1

end

config ftgd-dns config filters

edit 1

set category 49 set action block set log enable

next edit 2

set category 71

set action monitor set log enable

next end

end

set log-all-url disable set block-action redirect set redirect-portal 0.0.0.0 set block-botnet enable

next end

Configure DNS profile in a firewall policy:

config firewall policy edit 1

set srcintf “any” set dstintf “any” set srcaddr “all” set dstaddr “all” set action accept

set schedule “always” set service “FTP”

set utm-status enable

set dnsfilter-profile “dns_profile1” set profile-protocol-options “default” set nat enable

next end

Configure DNS profile in profile group:

config firewall profile-group edit “pgrp1”

set dnsfilter-profile “dns_profile1” set profile-protocol-options “default”

next end

 

Editing CASI profiles

Leave a reply

Editing CASI profiles

The CASI profile application list consists of the Application Name, Category, and Action. A default

CASI profile exists, with the option to create custom profiles. For each CASI profile application, the user has the option to Allow, Block, or Monitor the selected cloud application. The following image demonstrates the ability to Allow, Block, or Monitor YouTube using CASI:editing CASI

When the user drills down into a selected cloud application, the following options are available (depending on the type of service):

lFor business services, such as Salesforce and Zoho:

Option to allow, block, or monitor file download/upload and login.

For collaboration services, such as Google.Docs and Webex:

Option to allow, block, or monitor file access/download/upload and login.

For web email services, such as Gmail and Outlook:

Option to allow, block, or monitor attachment download/upload, chat, read/send message.

For general interst services, such as Amazon, Google, and Bing:

Option to allow, block, or monitor login, search phase, and file download/upload.

For social media services, such as Facebook, Twitter, and Instagram:

Option to allow, block, or monitor chat, file download/upload, post, login.

For storage backup services, such as Dropbox, iCloud, and Amazon Cloud Drive:

Option to allow, block, or monitor file access/download/upload and login.

For video/audio services, such as YouTube, Netflix, and Hulu:

Option to allow, block, or monitor channel access, video access/play/upload, and login.

 

 

CLI Syntax

 

configure application casi profile edit “profile name”

set comment “comment”

set replacemsg-group “xxxx”

set app-replacemsg [enable|disable]

configure entries edit

set application “app name”

 

 

 

 

 

 

 

 

 

next end

set action [block|pass]

set log [enable|disable]

next edit 2

 

 

configure firewall policy edit “1”

set casi-profile “profile name” next

end

 

config firewall sniffer edit 1

set casi-profile-status [enable|disable]

set casi-profile “sniffer-profile” next

end

 

config firewall interface-policy edit 1

set casi-profile-status [enable|disable]

set casi-profile “2” next

end

Cloud Access Security Inspection (CASI)

1 Reply

Cloud Access Security Inspection (CASI)

This feature introduces a new security profile called Cloud Access Security Inspection (CASI) that provides support for fine-grained control on popular cloud applications, such as YouTube, Dropbox, Baidu, and Amazon. The CASI profile is applied on a policy much like any other security profile.

Unfortunately CASI does not work when using Proxy-based profiles for AV or Web fil- tering for example.

Make sure to only use Flow-based profiles in combination with CASI on a specific policy.

CASI

For this feature, Deep Inspection of Cloud Applications (set deep-app-inspection [enable|disable]) has been moved out of the Application Control security profile options.

You will find the Cloud Access Security Inspection feature under Security Profiles > Cloud Access Security

Inspection, but you must first enable it in the Feature store under System > Feature Select > CASI.