Client Reputation
The security scan types available on FortiGate units are varied and tailored to detect specific attacks. However, sometimes user/client behavior can increase the risk of attack or infection. For example, if one of your network clients receives email viruses on a daily basis while no other clients receive these attachments, extra measures may be required to protect the client, or a discussion with the user about this issue may be worthwhile.
Before you can decide on a course of action, you need to know that the problem is occurring. Client reputation can provide this information by tracking client behavior and reporting on activities that you determine are risky or otherwise noteworthy.
To learn how to enable and customize Client Reputation on your FortiGate go to the following FortiGate Cookbook video:
Summary of the Client Reputation features
Activities you can track include:
- Bad Connection Attempts: Typical bot behavior is to attempt connections to hosts that do not exist on the Internet, because the bot's command-and-control host must constantly change to evade law enforcement and antivirus vendors. Bad connection attempts are tracked by:
  - Lookups for a DNS name that does not exist.
  - Connection attempts to an IP address that has no route.
  - HTTP 404 errors.
  - Packets that are blocked by security policies.
- Intrusion protection: Attack detected. The effect on reputation increases with severity of attack. A subscription to FortiGuard IPS updates is required.
- Malware protection: Malware detected. This requires a subscription to FortiGuard Antivirus updates.
- Web activity: Visit to web site in risky categories, including Potentially Liable, Adult/Mature Content, Bandwidth Consuming and Security Risk. A subscription to FortiGuard Web Filtering is required.
- Application protection: Client uses software in risky categories, including Botnet, P2P, Proxy, and Games applications. A subscription to FortiGuard IPS updates is required.
- Geographical locations that clients are communicating with. Access to the FortiGuard geographic database and a valid Fortinet support contract is required.
You can configure how severely each type of tracked activity will impact the reputation of the client in a sliding scale of Low, Medium, High or Critical. You can also choose to ignore an activity by setting it to Off. When an activity is turned off, it will have no effect on reputation.
You can enable client reputation tracking for your FortiGate unit by going to Security Profiles > Client Reputation > Threat Level Definition. Turning on client reputation tracking turns on traffic logging for all security policies, for all DoS policies and for all sniffer policies. While client reputation is enabled, logging cannot be turned off for these policies. Traffic logging must be enabled for data to be added to the client reputation database.
Client reputation only highlights risky activity; it does not include tools to stop it. When you uncover risky behavior that you are concerned about, you can take additional action to stop it. That action could include adding more restrictive security policies to block the activity or increasing Security Profiles protection. You can also take other measures outside your FortiGate unit to stop the activity.
To support client reputation your FortiGate unit must be registered, have a valid support contract and be licensed for FortiGuard antivirus, IPS and Web Filtering.
After client reputation is turned on, the FortiGate unit tracks recent behavior using a sliding window and displays current data for this window. The client reputation monitor displays clients and their activities in charts ordered according to how risky the behavior exhibited by the client is.
Client Reputation data is stored in traffic log messages in the newly added client reputation fields (crscore and craction). When you enable client reputation, either Log Security Events or Log all Sessions is enabled in all security policies. Log Security Events records traffic log messages for Security Profile sessions and Log all Sessions records traffic logs for all sessions. When Client Reputation is enabled you cannot select No Log in a security policy. Using the client reputation data in log messages, you can configure FortiAnalyzer to produce a client reputation report.
Enabling client reputation can affect system performance if you were not previously using traffic logging.
This chapter describes:
- Applying client reputation monitoring to your network
- Viewing client reputation results
- Setting the client reputation profile/definition
- Expanding client reputation to include more types of behavior
- Client reputation execute commands
- Client reputation diagnose commands
Applying client reputation monitoring to your network
Client reputation monitoring is applied to network traffic by going to Security Profiles > Client Reputation > Threat Level Definition, turning on Client Reputation Tracking, and selecting Apply.
You can then either change the client reputation profile used by your FortiGate unit or accept the default profile. The client reputation profile indicates how risky you consider different types of client behavior to be. See “Setting the client reputation profile/definition” on page 21 for details.
Viewing client reputation results
To view Client Reputation results go to Security Profiles > Client Reputation > Reputation Score to view the client reputation monitor. The monitor displays information about risky behavior as it was found. You can drill down into individual items to get more information about the behavior found and the client that caused it.
The client reputation monitor updates every 2 minutes. You can also select Refresh to manually update the display.
Select Reset to clear all client reputation data and restart the reporting window.
Figure 1 shows example client reputation results with activity from different IP addresses that matched the kinds of traffic to be monitored according to the client reputation profile. You can see the IP address or name of each client and the amount of risky activity detected. The list at the bottom of the display shows more information about each device. The device information is gathered by enabling device monitoring, which you do by going to User & Device > Device > Device Definition.
Figure 1: Example client reputation results
You can select any of the bars in the graph to view information for each time the risky behavior was detected during the past 7 days (or whatever the Client Reputation window is). Information for each event detected includes the date and time the event was detected, the destination address, the application, and the client reputation score.
Changing the client reputation reporting window and database size
By default, client reputation reports on activity for the last seven days. You can change this reporting window using the following command:
config client-reputation profile
    set window-size <interval_int>
end
Where <interval_int> is the reporting window in days. Range 1 to 30 days, default 7 days.
Enter the following command to set the client reputation report size:
config client-reputation profile
    set max-rep-db-size <size>
end
Where <size> is from 10 to 2000 MBytes (2 GBytes). The default size is 100 MBytes.
Client reputation data update and maintenance intervals
Client reputation updates its database every 2 minutes by querying the log database for client reputation information. This means that data displayed in the client reputation monitor is very current, at the most 2 minutes old.
Client reputation includes a data maintenance routine that runs every 12 hours to perform maintenance functions on the client reputation database. This routine:
- Checks the number of tracked hosts. If the number is at the maximum of 5000, the maintenance routine removes the oldest ten percent (500) of hosts from the list. If the number is less than the maximum, nothing changes.
- Deletes any reputation data associated with a host that is not in the tracking list (usually this only occurs if hosts are removed).
- Deletes any reputation data that is older than the current time minus the window-size in days.
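The following Python script is an added illustration, not FortiGate code, of the data path described above and under “Client Reputation data is stored in traffic log messages”: reputation events are read from traffic log messages that carry the crscore and craction fields, data older than the window-size is discarded, and the tracked-host list is capped with the oldest ten percent evicted when full. Only the crscore and craction field names come from this page; the other field names follow the FortiOS key=value log convention, the craction values and every sample log line are constructed for the example, and the choice to treat “oldest hosts” as the least recently active ones is an assumption.

```python
"""Sliding-window client reputation aggregator fed from FortiGate-style traffic logs.

Added example, not FortiGate code. crscore/craction are the field names from the
page; other field names follow the FortiOS key=value log convention (assumption),
and every sample line below is constructed rather than captured from a unit.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import shlex

MAX_HOSTS = 5000        # tracked-host maximum stated on the page
EVICT_FRACTION = 0.10   # oldest ten percent removed when the list is full
EXAMPLE_NOW = datetime(2013, 5, 8, 12, 0, 0)   # "current time" for the sample run

# Constructed sample traffic log lines (craction values are placeholders).
SAMPLE_LOGS = [
    'date=2013-05-01 time=09:00:00 srcip=10.1.1.10 dstip=203.0.113.5 action=accept crscore=5 craction=262144',
    'date=2013-05-06 time=10:00:00 srcip=10.1.1.10 dstip=198.51.100.7 action=deny crscore=30 craction=131072',
    'date=2013-05-07 time=11:00:00 srcip=10.1.1.20 dstip=192.0.2.9 action=deny crscore=50 craction=131072',
    'date=2013-05-07 time=11:05:00 srcip=10.1.1.20 dstip=192.0.2.9 action=deny crscore=50 craction=131072',
    # No crscore field: an ordinary session that never reaches the reputation DB.
    'date=2013-05-08 time=08:00:00 srcip=10.1.1.30 dstip=203.0.113.8 action=accept',
    # Quoted value containing a space, to show the key=value parser copes with it.
    'date=2013-05-08 time=09:00:00 srcip=10.1.1.10 dstip=203.0.113.5 msg="blocked url" crscore=10 craction=262144',
]


def parse_log_line(line):
    """Split a key=value log line into a dict; shlex keeps quoted values intact."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition('=')
        if sep:
            fields[key] = value
    return fields


class ReputationDB:
    def __init__(self, window_days=7, max_hosts=MAX_HOSTS):
        self.window = timedelta(days=window_days)   # the window-size setting
        self.max_hosts = max_hosts
        self.events = defaultdict(list)              # srcip -> [(timestamp, crscore, craction)]

    def ingest(self, line):
        """Add one log message; returns True only if it carried reputation data."""
        f = parse_log_line(line)
        if 'crscore' not in f or 'srcip' not in f:
            return False
        ts = datetime.strptime(f['date'] + ' ' + f['time'], '%Y-%m-%d %H:%M:%S')
        self.events[f['srcip']].append((ts, int(f['crscore']), f.get('craction', '')))
        return True

    def maintain(self, now):
        """The 12-hourly maintenance routine; returns (hosts_evicted, events_dropped)."""
        evicted = 0
        if len(self.events) >= self.max_hosts:
            # Assumption: "oldest" hosts are the least recently active ones.
            by_last_seen = sorted(self.events, key=lambda ip: max(e[0] for e in self.events[ip]))
            for ip in by_last_seen[:int(self.max_hosts * EVICT_FRACTION)]:
                del self.events[ip]
                evicted += 1
        dropped = 0
        cutoff = now - self.window
        for ip in list(self.events):
            kept = [e for e in self.events[ip] if e[0] >= cutoff]
            dropped += len(self.events[ip]) - len(kept)
            if kept:
                self.events[ip] = kept
            else:
                del self.events[ip]   # nothing left inside the window: stop tracking the host
        return evicted, dropped

    def host_summary(self, ip):
        """Like 'execute client-reputation host-summary': IP, total entries, total score."""
        evs = self.events.get(ip, [])
        return {'ip': ip, 'entries': len(evs), 'score': sum(s for _, s, _ in evs)}

    def top_n(self, n):
        """Like 'execute client-reputation topN': riskiest clients first."""
        ranked = sorted(self.events, key=lambda ip: -self.host_summary(ip)['score'])
        return [self.host_summary(ip) for ip in ranked[:n]]


def build_sample_db(window_days=7):
    db = ReputationDB(window_days=window_days)
    for line in SAMPLE_LOGS:
        db.ingest(line)
    return db


if __name__ == '__main__':
    db = build_sample_db()
    print('before maintenance:', db.top_n(5))
    print('maintenance removed (hosts, events):', db.maintain(EXAMPLE_NOW))
    print('after maintenance: ', db.top_n(5))
```

The sample run drops the 2013-05-01 09:00 event for 10.1.1.10, which falls just outside the seven-day window measured from EXAMPLE_NOW, so that client's score goes from 45 to 40 while 10.1.1.20 stays on top with 100; the line without crscore is ignored entirely, matching the page's point that only log messages carrying the reputation fields feed the database.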
Setting the client reputation profile/definition
Configure the client reputation profile by going to Security Profiles > Client Reputation > Threat Level Definition. You configure one client reputation profile for all of the activity monitored by the FortiGate unit. The profile sets the risk levels for the types of behavior that client reputation monitors. You can set the risk to off, low, medium, high and critical for the following types of behavior:
- Application Protection
  - Botnet applications
  - P2P applications
  - Proxy applications
  - Games applications
- Intrusion protection (IPS)
  - Critical severity attack detected
  - High severity attack detected
  - Medium severity attack detected
  - Low severity attack detected
  - Informational severity attack detected
- Malware Protection
  - Malware detected
  - Botnet connection detected
- Packet based inspection
  - Blocked by firewall policy
  - Failed connection attempts
- Web Activity
  - All blocked URLs
  - Visit to security risk sites
  - Visit to potentially liable sites
  - Visit to adult/mature content sites
  - Visit to bandwidth consuming sites
Figure 2: Default client reputation profile
To configure the profile, decide how risky or dangerous each type of behavior is to your network and rate it accordingly. The higher you rate a type of behavior, the more visible clients engaging in that behavior become in the client reputation monitor, and the more easily you can detect it.
For example, if you consider malware a high risk for your network, you can set the client reputation profile for malware to high or critical (as it is in the default client reputation profile). Then, whenever any amount of malware is detected, clients that originated the malware will be very visible in the client reputation monitor.
Set the risk to off for types of activity that you do not want client reputation to report on. This does not reduce the performance requirements or the amount of data gathered by client reputation, just the report output.
You can change a profile setting at any time and data that has already been collected will be used.
It is normally not necessary to change the Risk Level Values but it can be done if you need to alter the relative importance of the risk settings.
Expanding client reputation to include more types of behavior
You can use the following command to change the client reputation profile from the CLI so that it reports on additional settings:
config client-reputation profile
In addition to the settings configurable from the web-based manager, you can also set the following options:
- geolocation, to enable reporting on connections to and from different countries (geographical locations). For example, use the following command to indicate that you consider communication with Aruba to be medium risk:
config client-reputation profile
    config geolocation
        edit 0
            set country AW
            set level medium
        end
end
- url-block-detected, to report on connections blocked by web filtering. Use the following command to enable reporting about blocked URLs and set the risk level to medium:
config client-reputation profile
    set url-block-detected medium
end
From the CLI you can also configure client reputation to report on more FortiGuard web filtering categories and more types of applications. For example, to report on social network activity (application control category 23):
config client-reputation profile
    config application
        edit 0
            set category 23
            set level medium
        end
end
To report on the local web filtering category (category 22):
config client-reputation profile
    config web
        edit 0
            set group 22
            set level medium
        end
end
Client reputation execute commands
The execute client-reputation command includes the following options:
- erase, deletes all client reputation data.
- host-count, lists the clients that started sessions recorded by client reputation.
- host-detail, for a specified client’s IP address, displays the client reputation traffic log messages saved for that client.
- host-summary, for a specified client’s IP address, displays the client’s IP address, total entries, and total score.
- purge, deletes all data from the client reputation database.
- topN, displays the top N clients identified by client reputation.
Client reputation diagnose commands
The diagnose client-reputation command includes the following options:
- convert-timestamp, converts a client reputation database timestamp to a date and time.
- test-all, adds log messages from multiple sources to the client reputation database for testing.
- test-app, adds application control log messages to the client reputation database for testing.
- test-ips, adds Intrusion Protection log messages to the client reputation database for testing.
- test-webfilter, adds webfilter log messages to the client reputation database for testing.
Would X.509 v3 certificates affect network connectivity should you attempt to use URLs instead of IP addresses for the commonName?
Depends on the domain and DNS configurations at your deployment.
If all profiles are enabled, which will be performed? In parallel or in sequence?
If all are on the same policy, they are done in sequence.