FortiOS 6 – Other security profiles considerations

Other security profiles considerations

The following topics are included in this section:

  • Security profiles and Virtual Domains (VDOMs) l Conserve mode
  • Using wildcards and Perl regular expressions l CPU allocation and tuning commands to survive reboot

Global security profiles across Virtual domains (VDOMs)

Previously, if you enabled virtual domains (VDOMs) on your FortiGate unit, any Security Profiles configuration was limited to the VDOM in which you configured it.

Now Security Profiles can be configured globally across multiple VDOMs. In many VDOM environments, some or all profiles may be commonly-shared, for example an MSSP with “parental controls” configured will most likely have the same Web Filtering and Application Control profiles per VDOM.

Global profiles are configured under Global > Security Profiles in the GUI or under the following config global commands in the CLI:

l antivirus profile l application list l dlp sensor l ips sensor l webfilter profile

The name for any global profile must start with “g-” for identification. Global profiles are available as read-only for VDOM-level administrators and can only be edited or deleted from within the global settings.

Each security feature has at least one default global profile, available for all VDOMs.

Both Global security profile configuration and the various databases used by Security Profiles features are shared. The FortiGuard antivirus and IPS databases and updates to the databases are shared. The FortiGuard web filter and spam filter features access the FortiGuard distribution network and read the same information when checking email for spam and web site categories and classification.

Conserve mode

FortiGate units perform all Security Profiles processing in physical RAM. Since each model has a limited amount of memory, conserve mode is activated when the remaining free memory is nearly exhausted or the AV proxy has reached the maximum number of sessions it can service. While conserve mode is active, the AV proxy does not accept new sessions.

A warning will appear in the top bar of the FortiGate, regardless of which page in the FortiGate GUI you are on.

Conserve mode

The AV proxy

Most content inspection the FortiGate unit performs requires that the files, email messages, URLs, and web pages be buffered and examined as a whole. The AV proxy performs this function, and because it may be buffering many files at the same time, it uses a significant amount of memory. Conserve mode is designed to prevent all the component features of the FortiGate unit from trying to use more memory than it has. Because the AV proxy uses so much memory, conserve mode effectively disables it in most circumstances. As a result, the content inspection features that use the AV proxy are also disabled in conserve mode.

All of the Security Profiles features use the AV proxy with the exception of IPS, application control, DoS as well as flow-based antivirus, DLP, and web filter scanning. These features continue to operate normally when the FortiGate unit enters conserve mode.

Entering and exiting conserve mode

A FortiGate unit will enter conserve mode because it is nearly out of physical memory, or because the AV proxy has reached the maximum number of sessions it can service. The memory threshold that triggers conserve mode varies by model, but it is about 20% free memory. When memory use rises to the point where less than 20% of the physical memory is free, the FortiGate unit enters conserve mode.

The FortiGate unit will leave conserve mode only when the available physical memory exceeds about 30%. When exiting conserve mode, all new sessions configured to be scanned with features requiring the AV proxy will be scanned as normal, with the exception of a unit configured with the one-shot option.

Conserve mode effects

What happens when the FortiGate unit enters conserve mode depends on how you have av-failopen configured. There are four options:

off

The off setting forces the FortiGate unit to stop all traffic that is configured for content inspection by Security Profiles features that use the AV proxy. New sessions are not allowed but current sessions continue to be processed normally unless they request more memory. Sessions requesting more memory are terminated.

For example, if a security policy is configured to use antivirus scanning, the traffic it permits is blocked while in conserve mode. A policy with IPS scanning enabled continues as normal. A policy with both IPS and antivirus scanning is blocked because antivirus scanning requires the AV proxy.

Use the off setting when security is more important than a loss of access while the problem is rectified.

pass

The pass setting allows traffic to bypass the AV proxy and continue to its destination. Since the traffic is bypassing the proxy, no Security Profiles scanning that requires the AV proxy is performed. Security Profiles scanning that does not require the AV proxy continues normally.

Use the pass setting when access is more important than security while the problem is rectified.

Pass is the default setting.

Using wildcards and Perl regular expressions

one-shot

The one-shot setting is similar to pass in that traffic is allowed when conserve mode is active. The difference is that a system configured for one-shot will force new sessions to bypass the AV proxy even after it leaves conserve mode. The FortiGate unit resumes use of the AV proxy only when the av-failopen setting is changed or the unit is restarted.

idledrop

The idledrop setting will recover memory and session space by terminating all the sessions associated with the host that has the most sessions open. The FortiGate may force this session termination a number of times, until enough memory is available to allow it to leave conserve mode.

The idledrop setting is primarily designed for situations in which malware may continue to open sessions until the AV proxy cannot accept more new sessions, triggering conserve mode. If your FortiGate unit is operating near capacity, this setting could cause the termination of valid sessions. Use this option with caution.

Configuring the av-failopen command

You can configure the av-failopen command using the CLI.

config system global set av-failopen {off | pass | one-shot | idledrop}

end

The default setting is pass.

Using wildcards and Perl regular expressions

Many Security Profiles feature list entries can include wildcards or Perl regular expressions.

For more information about using Perl regular expressions, see http://perldoc.perl.org/perlretut.html.

Regular expression vs. wildcard match pattern

A wildcard character is a special character that represents one or more other characters. The most commonly used wildcard characters are the asterisk (*), which typically represents zero or more characters in a string of characters, and the question mark (?), which typically represents any one character.

In Perl regular expressions, the ‘.’ character refers to any single character. It is similar to the ‘?’ character in wildcard match pattern. As a result: l example.com not only matches example.com but also examplea.com, exampleb.com, examplec.com, and so on.

To add a question mark (?) character to a regular expression from the FortiGate CLI, enter Ctrl+V followed by ?. To add a single backslash character (\) to a regular expression from the CLI you must add precede it with another backslash character. For example, example\\.com.

To match a special character such as ‘.’ and ‘*’ use the escape character ‘\’. For example:

  • To match example.com, the regular expression should be: example\.com

Using wildcards and Perl regular expressions

In Perl regular expressions, ‘*’ means match 0 or more times of the character before it, not 0 or more times of any character. For example:

  • exam*.com matches exammmm.com but does not match example.com

To match any character 0 or more times, use ‘.*’ where ‘.’ means any character and the ‘*’ means 0 or more times. For example, the wildcard match pattern exam*.com should be exam.*\.com.

Word boundary

In Perl regular expressions, the pattern does not have an implicit word boundary. For example, the regular expression “test” not only matches the word “test” but also any word that contains “test” such as “atest”, “mytest”, “testimony”, “atestb”. The notation “\b” specifies the word boundary. To match exactly the word “test”, the expression should be \btest\b.

Case sensitivity

Regular expression pattern matching is case sensitive in the web and Email Filter filters. To make a word or phrase case insensitive, use the regular expression /i. For example, /bad language/i will block all instances of “bad language”, regardless of case.

Perl regular expression formats

The following table lists and describes some example Perl regular expressions.

Perl regular expression formats

Expression Matches
abc “abc” (the exact character sequence, but anywhere in the string)
^abc “abc” at the beginning of the string
abc$ “abc” at the end of the string
a|b Either “a” or “b”
^abc|abc$ The string “abc” at the beginning or at the end of the string
ab{2,4}c “a” followed by two, three or four “b”s followed by a “c”
ab{2,}c “a” followed by at least two “b”s followed by a “c”
ab*c “a” followed by any number (zero or more) of “b”s followed by a “c”
ab+c “a” followed by one or more b’s followed by a c
ab?c “a” followed by an optional “b” followed by a” c”; that is, either “abc” or ”ac”
a.c “a” followed by any single character (not newline) followed by a” c “

Using wildcards and Perl regular expressions

Expression Matches
a\.c “a.c” exactly
[abc] Any one of “a”, “b” and “c”
[Aa]bc Either of “Abc” and “abc”
[abc]+ Any (nonempty) string of “a”s, “b”s and “c”s (such as “a”, “abba”, ”acbabcacaa”)
[^abc]+ Any (nonempty) string which does not contain any of “a”, “b”, and “c” (such as “defg”)
\d\d Any two decimal digits, such as 42; same as \d{2}
/i Makes the pattern case insensitive. For example, /bad language/i blocks any instance of bad language regardless of case.
\w+ A “word”: A nonempty sequence of alphanumeric characters and low lines (underscores), such as foo and 12bar8 and foo_1
100\s*mk The strings “100” and “mk” optionally separated by any amount of white space (spaces, tabs, newlines)
abc\b “abc” when followed by a word boundary (for example, in “abc!” but not in “abcd”)
perl\B “perl” when not followed by a word boundary (for example, in “perlert” but not in “perl stuff”)
\x Tells the regular expression parser to ignore white space that is neither preceded by a backslash character nor within a character class. Use this to break up a regular expression into (slightly) more readable parts.
/x Used to add regular expressions within other text. If the first character in a pattern is forward slash ‘/’, the ‘/’ is treated as the delimiter. The pattern must contain a second ‘/’. The pattern between ‘/’ will be taken as a regular expressions, and anything after the second ‘/’ will be parsed as a list of regular expression options (‘i’, ‘x’, etc). An error occurs if the second ‘/’ is missing. In regular expressions, the leading and trailing space is treated as part of the regular expression.

Examples of regular expressions

Block any word in a phrase

/block|any|word/

Block purposely misspelled words

Spammers often insert other characters between the letters of a word to fool spam blocking software.

/^.*v.*i.*a.*g.*r.*o.*$/i

/cr[eéèêë][\+\-\*=<>\.\,;!\?%&§@\^°\$£€\{\}()\[\]\|\\_01]dit/i

Control how sessions are distributed to Fortinet processes

Block common spam phrases

The following phrases are some examples of common phrases found in spam messages.

/try it for free/i

/student loans/i

/you’re already approved/i

/special[\+\-\*=<>\.\,;!\?%&~#§@\^°\$£€\{\}()\[\]\|\\_1]offer/i

Control how sessions are distributed to Fortinet processes

Previously, the explicit web proxy balanced the client to a specific WAD daemon based only on the source IP.

There are cases where customers use another explicit proxy in front of the FortiGate. With such a design, the FortiGate can see the traffic originating from only one IP address (or a small set of IP addresses) and utilize only one (or a small number) of WAD processes.

This new feature modifies the wad-worker balancing algorithm to also use the source port in addition to source IP when distributing the client to a specific WAD daemon. With this in place, even the connections from one IP address will be balanced over all the WAD processes. This also avoids the degraded performance results for the cases where customers are testing the FortiGate as the explicit webproxy to replace Bluecoats, but don’t want to remove Bluecoats from the network for the PoC.

Syntax

config system global set wad-source-affinity {enable | disable}

end

This feature is enabled by default. Disabling this option results in some features to be unsupported. IP-based user authentication, disclaimer messages, security profile override, authentication cookies, MAPI scanning, and some video caches such as Youtube are not supported.

CPU allocation and tuning commands to survive reboot

CPU affinity, whereby a process will execute on a specific CPU, can be changed so it survives a reboot.

CLI syntax:

config system global set av-affinity set ips-affinity set miglog-affinity

end av-affinity: Affinity setting for AV scanning (64-bit hexadecimal value in the format of xxxxxxxx_xxxxxxxx).

ips-affinity: Affinity setting for IPS (64-bit hexadecimal value in the format of xxxxxxxx_xxxxxxxx; allowed CPUs must be less than total number of IPS engine daemons). This option is only available if the FortiGate includes NP6 processors and support NTurbo. miglog-affinity: Affinity setting for logging (64-bit hexadecimal value in the format of xxxxxxxx_xxxxxxxx).

Excluding industrial IP signatures

Excluding industrial IP signatures

To reduce performance impacts caused by industrial IP signatures, the admin can choose to exclude the industrial signatures when they are loaded by IPS; the industrial signatures then become inactive as a result. The following CLI command has been restored for this purpose.

Syntax

config ips global set exclude-signatures {none | industrial} end

This entry was posted in Administration Guides, FortiOS 6 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.