Author Archives: Mike

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. Vendors that resell hardware but have no engineering knowledge, so that the wrong hardware or configuration ends up deployed, are a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. He owns PacketLlama.Com (Fortinet hardware sales) and Office Of The CISO, LLC (a cybersecurity consulting firm).

Advanced Filters 1


Block malicious URLs discovered by FortiSandbox

To use this feature, you must be registered to a FortiSandbox and be connected to it.

This feature blocks malicious URLs that FortiSandbox finds.

To enable this feature in the GUI:

  1. Go to Security Profiles > Web Filter and go to the Static URL Filter section.
  2. Enable Block malicious URLs discovered by FortiSandbox.

To enable this feature in the CLI:

config webfilter profile
    edit "webfilter"
        config web
            set blacklist enable
        end
    next
end

Allow websites when a rating error occurs

If you don’t have a FortiGuard license but you have enabled services that need a FortiGuard license, such as FortiGuard filter, then you’ll get a rating error message.

Use this setting to allow access to websites that return a rating error from the FortiGuard Web Filter service.

To enable this feature in the GUI:

  1. Go to Security Profiles > Web Filter and go to the Rating Options section.
  2. Enable Allow websites when a rating error occurs.

To enable this feature in the CLI:

config webfilter profile
    edit "webfilter"
        config ftgd-wf
            set options error-allow
        end
    next
end

Rate URLs by domain and IP address

By default, FortiGate sends only the URL's domain name to FortiGuard for rating. If you enable this feature, FortiGate always sends both the URL domain name and the TCP/IP packet's IP address (except for private IP addresses) to FortiGuard for rating.

The FortiGuard server might return different categories for the IP address and for the URL domain. If they differ, FortiGate uses the rating weight of the IP address category or the domain name category to determine the rating result and decision. This rating weight is hard-coded in FortiGate.

For example, if www.irs.gov is spoofed to resolve to a Google IP address, FortiGate sends both the IP address and the domain name to FortiGuard for rating and receives two different ratings: search engine and portals, which belongs to the Google IP address, and government and legal organizations, which belongs to www.irs.gov. Because search engine and portals has a higher weight than government and legal organizations, this traffic is rated as search engine and portals and not as government and legal organizations.

To enable this feature in the GUI:

  1. Go to Security Profiles > Web Filter and go to the Rating Options section.
  2. Enable Rate URLs by domain and IP address.

To enable this feature in the CLI:

config webfilter profile
    edit "webfilter"
        config ftgd-wf
            set options rate-server-ip
        end
    next
end

Block invalid URLs

Use this feature to block websites when their SSL certificate CN field does not contain a valid domain name.

For example, this option blocks URLs that contain spaces. If there is a space in the URL, it must be written as: http://www.example.com/space%20here.html.

To enable this feature in the GUI:

  1. Go to Security Profiles > Web Filter and go to the Static URL Filter section.
  2. Enable Block invalid URLs.

To enable this feature in the CLI:

config webfilter profile
    edit "webfilter"
        set options block-invalid-url
    next
end

Rate images by URL

This feature enables FortiGate to retrieve ratings for individual images in addition to websites. Images in a blocked category are not displayed even if they are part of a site in an allowed category. Blocked images are replaced with blank placeholders. These image file types are rated: GIF, JPEG, PNG, BMP, and TIFF.

This feature requires a valid FortiGuard license, otherwise rating errors will occur. By default, this feature is enabled.

For example, if the Other Adult Materials category is blocked but Rate images by URL is not yet enabled, an image in that category is still displayed. After enabling Rate images by URL, images in the Other Adult Materials category are blocked and replaced with blank placeholders.

To enable this feature in the GUI:

  1. Go to Security Profiles > Web Filter and go to the Rating Options section.
  2. Enable Rate images by URL.

To enable this feature in the CLI:

config webfilter profile
    edit "webfilter"
        config ftgd-wf
            unset options
            set rate-image-urls enable
        end
    next
end

Web content filter of webfilter


You can control access to web content by blocking web pages containing specific words or patterns. This helps to prevent access to pages with questionable material. You can specify words, phrases, patterns, wildcards and Perl regular expressions to match content on web pages. You can use multiple web content filter lists and select the best web content filter list for each web filter profile.

Pattern type

When you have created the web filter content list, you need to add web content patterns to it. There are two types of patterns: wildcard and regular expression.

Wildcard

Use the wildcard setting to block or exempt one word or text strings of up to 80 characters. You can also use wildcard symbols such as ? or * to represent one or more characters. For example, a wildcard expression forti*.com matches fortinet.com and forticare.com. The * represents any character appearing any number of times.

Regular expression

Use the regular expression setting to block or exempt patterns written as Perl regular expressions, which use some of the same symbols as wildcard expressions but with different meanings. In a regular expression, * applies to the character before it and matches that character repeated any number of times. For example, forti*.com matches fortiii.com but not fortinet.com or fortiice.com. In this case, * stands for i appearing any number of times.

The maximum number of web content patterns in a list is 5000.

Content evaluation

The web content filter feature scans the content of every web page that is accepted by a security policy. The system administrator can specify banned words and phrases and attach a numerical value, or score, to the importance of those words and phrases. When the web content filter scan detects banned content, it adds the scores of banned words and phrases found on that page. If the sum is higher than a threshold set in the web filter profile, FortiGate blocks the page.

The default score for web content filter is 10 and the default threshold is 10. This means that by default, a web page is blocked by a single match.

Banned words or phrases are evaluated according to the following rules:

  • The score for each word or phrase is counted only once, even if that word or phrase appears many times in the web page.
  • The score for any word in a phrase without quotation marks is counted.
  • The score for a phrase in quotation marks is counted only if it appears exactly as written.

Sample of applying banned pattern rules

The following table is an example of how rules are applied to the contents of a web page. For example, a web page contains only this sentence:

The score for each word or phrase is counted only once, even if that word or phrase appears many times in the web page.

Banned pattern | Assigned score | Score added to the sum for the entire page | Threshold score | Comment
word | 20 | 20 | 20 | Appears twice but only counted once. Web page is blocked.
word phrase | 20 | 40 | 20 | Each word appears twice but only counted once, giving a total score of 40. Web page is blocked.
word sentence | 20 | 20 | 20 | "word" appears twice and "sentence" does not appear, but since any word in a phrase without quotation marks is counted, the score for this pattern is 20. Web page is blocked.
"word sentence" | 20 | 0 | 20 | This phrase does not appear exactly as written. Web page is allowed.
"word or phrase" | 20 | 20 | 20 | This phrase appears twice but is counted only once. Web page is blocked.
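The scoring rules above, reimplemented as an added Python example (not FortiOS code) that reproduces the table row by row. The sample page text is the documentation's example sentence embedded as a constant; whole-word, case-insensitive matching and "blocked when the sum reaches the threshold" are assumptions drawn from the defaults stated above.

```python
import re

# Constructed sample page: the single sentence the documentation's table evaluates.
SAMPLE_PAGE = (
    "The score for each word or phrase is counted only once, even if that "
    "word or phrase appears many times in the web page."
)


def _present(term, text):
    """True if term occurs in text as whole words, case-insensitively (assumption)."""
    return re.search(r"\b" + re.escape(term) + r"\b", text, re.IGNORECASE) is not None


def pattern_score(pattern, score, text):
    """Score one banned pattern contributes to a page, per the documented rules:
    a pattern in quotation marks counts (once) only if it appears exactly as
    written; an unquoted pattern counts each of its words that appears, once
    per word, no matter how many times that word occurs on the page."""
    if len(pattern) >= 2 and pattern[0] == '"' and pattern[-1] == '"':
        return score if _present(pattern[1:-1], text) else 0
    words = dict.fromkeys(pattern.split())  # de-duplicate words, keep order
    return sum(score for w in words if _present(w, text))


def evaluate_page(text, banned, threshold):
    """Sum the scores of all banned patterns and decide whether the page is
    blocked. The page is blocked when the sum reaches the threshold, which is
    why the defaults (score 10, threshold 10) block on a single match."""
    breakdown = {p: pattern_score(p, s, text) for p, s in banned.items()}
    total = sum(breakdown.values())
    return total, total >= threshold, breakdown


def main():
    # Reproduce the documentation's table: one pattern per row, threshold 20.
    for pattern in ["word", "word phrase", "word sentence",
                    '"word sentence"', '"word or phrase"']:
        total, blocked, _ = evaluate_page(SAMPLE_PAGE, {pattern: 20}, 20)
        print(f"{pattern:18} score={total:3} -> {'blocked' if blocked else 'allowed'}")


if __name__ == "__main__":
    main()
```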

Sample configuration

To configure web content filter in the GUI:

  1. Go to Security Profiles > Web Filter and go to the Static URL Filter section.
  2. Enable Content Filter to display its options.
  3. Select Create New to display the content filter options.
  4. For Pattern Type, select Regular Expression and enter fortinet in the Pattern field.
    • Leave Language as Western.
    • Set Action to Block.
    • Set Status to Enable.
  5. Select OK to see the updated Static URL Filter section.
  6. Validate the configuration by visiting a website with the word fortinet, for example, www.fortinet.com. The website is blocked and a replacement page displays.

To configure web content filter in the CLI:

  1. Create a content table:

config webfilter content
    edit 1                              <-- the id of this content table
        set name "webfilter"
        config entries
            edit "fortinet"             <-- the banned word
                set pattern-type regexp <-- the type is regular expression
                set status enable
                set lang western
                set score 10            <-- the score for this word is 10
                set action block
            next
        end
    next
end

  2. Attach the content table to the webfilter profile:

config webfilter profile
    edit "webfilter"
        config web
            set bword-threshold 10      <-- the threshold is 10
            set bword-table 1           <-- the id of the content table created in the previous step
        end
        config ftgd-wf
            unset options
        end
    next
end

Quota of webfilter


In addition to using category and classification blocks and overrides to limit user access to URLs, you can set a daily quota by category, category group, or classification. Quotas allow access for a specified length of time or a specific amount of bandwidth, and are calculated separately for each user. Quotas are reset every day at midnight.

Quotas can be set only for the actions of Monitor, Warning, or Authenticate. When the quota is reached, the traffic is blocked and the replacement page displays.

Sample topology

Sample configuration of setting a quota

This example shows setting a time quota for a category, for example, the Education category.

To configure a quota in the GUI:

  1. Go to Security Profiles > Web Filter and go to the FortiGuard category based filter section.
  2. Open the General Interest - Personal section by selecting the + icon beside it.
  3. Select Education and then select Monitor.
  4. In the Category Usage Quota section, select Create New.
  5. In the right pane, select the Category field and then select Education.
  6. For the Quota Type, select Time and set the Total quota to 5 minute(s).
  7. Select OK and the Category Usage Quota section displays the quota.
  8. Validate the configuration by visiting a website in the Education category, for example https://www.harvard.edu/. You can view websites in the Education category.
  9. Check the used and remaining quota in Monitor > FortiGuard Quota.
  10. When the quota reaches its limit, traffic is blocked and the replacement page displays.

To configure a quota in the CLI:

config webfilter profile
    edit "webfilter"
        config ftgd-wf
            unset options
            config filters
                edit 1
                    set category 30     <-- the id of the Education category
                next
            end
            config quota
                edit 1
                    set category 30
                    set type time
                    set duration 5m
                next
            end
        end
    next
end

FortiGuard filter of webfilter


To use this service, you must have a valid subscription on your FortiGate.

FortiGuard filter enhances the web filtering features supplied with your FortiGate unit by sorting billions of web pages into a wide range of categories that users can allow or block.

FortiGuard web filtering services include over 45 million individual website ratings that apply to more than two billion pages. When FortiGuard filter is enabled in a webfilter profile that is applied to firewall policies, and a request for a web page appears in traffic controlled by one of those policies, the URL is sent to the nearest FortiGuard server and the URL category (rating) is returned. If the category is blocked, the FortiGate shows a replacement message in place of the requested page. If the category is not blocked, the page request is sent to the requested URL as normal.

FortiGuard webfilter action

You can select one of the following FortiGuard webfilter actions:

FortiGuard webfilter action | Description
Allow | Permit access to the sites in the category.
Block | Prevent access to the sites in the category. Users trying to access a blocked site see a replacement message indicating the site is blocked.
Monitor | Permits and logs access to sites in the category. You can enable user quotas when you enable this action.
Warning | Displays a message to the user allowing them to continue if they choose.
Authenticate | Requires the user to authenticate with the FortiGate before allowing access to the category or category group.

FortiGuard webfilter categories

FortiGuard has many webfilter categories including two local categories and a special remote category. For more information on the different categories, see the table below.

FortiGuard webfilter category | Where to find more information
All URL categories | https://fortiguard.com/webfilter/categories
Remote category | See External resources for webfilter.

The priority of categories is local category > external category > FortiGuard built-in category. If a URL is configured as a local category, it only follows the behavior of local category and not external or FortiGuard built-in category.

Sample configuration of blocking a web category

This example shows blocking a website based on its category (rating), for example, information technology.

To block a category in the GUI:

  1. Go to Security Profiles > Web Filter and go to the FortiGuard category based filter section.
  2. Open the General Interest - Business section by clicking the + icon beside it.
  3. Select Information Technology and then select Block.

To block a category in the CLI:

config webfilter profile
    edit "webfilter"
        config ftgd-wf
            unset options
            config filters
                edit 1
                    set category 52     <-- the pre-set id of the "Information Technology" category
                    set action block    <-- set action to block
                next
            end
        end
    next
end

To validate that you have blocked a category:

  1. Go to a website belonging to the blocked category, for example, www.fortinet.com, and you see a blocked page and the category that is blocked.

To view the log of a blocked website in the GUI:

  1. Go to Log & Report > Web Filter.

To view the log of a blocked website in the CLI:

FGT52E-NAT-WF # execute log filter category utm-webfilter

FGT52E-NAT-WF # execute log display

1: date=2019-04-22 time=13:46:25 logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="vdom1" eventtime=1555965984972459609 policyid=1 sessionid=659263 srcip=10.1.200.15 srcport=49234 srcintf="wan2" srcintfrole="wan" dstip=54.183.57.55 dstport=80 dstintf="wan1" dstintfrole="wan" proto=6 service="HTTP" hostname="www.fortinet.com" profile="webfilter" action="blocked" reqtype="direct" url="/" sentbyte=386 rcvdbyte=0 direction="outgoing" msg="URL belongs to a denied category in policy" method="domain" cat=52 catdesc="Information Technology"

Sample configuration of issuing a warning

This example shows issuing a warning when a user visits a website based on its category (rating), for example, information technology.

To configure a warning in the GUI:

  1. Go to Security Profiles > Web Filter and go to the FortiGuard category based filter section.
  2. Open the General Interest - Business section by clicking the + icon beside it.
  3. Select Information Technology and then select Warning.
  4. Set the Warning Interval, which is how long after the user chooses to continue the warning page appears again.

To configure a warning in the CLI:

config webfilter profile
    edit "webfilter"
        config ftgd-wf
            unset options
            config filters
                edit 1
                    set category 52
                    set action warning  <-- set action to warning
                next
            end
        end
    next
end

To validate that you have configured the warning:

  1. Go to a website belonging to the selected category, for example, www.fortinet.com, and you see a warning page where you can choose to Proceed or Go Back.

Sample configuration of authenticating a web category

This example shows authenticating a website based on its category (rating), for example, information technology.

To authenticate a category in the GUI:

  1. Go to Security Profiles > Web Filter and go to the FortiGuard category based filter section.
  2. Open the General Interest - Business section by clicking the + icon beside it.
  3. Select Information Technology and then select Authenticate.
  4. Set the Warning Interval, which is how long after a successful authentication the authentication page appears again.
  5. Click the + icon beside Selected User Group and select a user group. You must have a valid user group to use this feature.

To authenticate a category in the CLI:

config webfilter profile
    edit "webfilter"
        config ftgd-wf
            unset options
            config filters
                edit 1
                    set category 52
                    set action authenticate         <-- set the action to authenticate
                    set auth-usr-grp "local_group"  <-- the user group that must authenticate
                next
            end
        end
    next
end

To validate that you have configured authentication:

  1. Go to a website belonging to the selected category, for example, www.fortinet.com. First, you see a warning page where you can choose to Proceed or Go Back.
  2. Click Proceed to check that the authentication page appears.
  3. Enter the username and password of the user group you selected, and click Continue.

If the credentials are correct, the traffic is allowed through.

Sample customization of the replacement page

When the FortiGuard webfilter action is Block, Warning, or Authenticate, there is a Customize option for you to customize the replacement page.

To customize the replacement page:

  1. Go to Security Profiles > Web Filter and go to the FortiGuard category based filter section.
  2. Right-click the item and select Customize.
  3. A pane appears in which you can customize the page.

URL filter of webfilter


URL filter is also called static URL filter. By adding specific URLs with patterns containing text and regular expressions, FortiGate can allow, block, exempt, and monitor web pages matching any specified URLs or patterns, and can display a replacement message instead.

Sample topology

Create URL filter

You can create a URL filter using the GUI or CLI. After creating the URL filter, attach it to a webfilter profile.

To create URL filter in the GUI:

  1. Go to Security Profiles > Web Filter and go to the Static URL Filter section.
  2. Enable URL Filter.
  3. Under URL Filter, select Create New to display the New URL Filter pane. Choose a URL filter type and a URL filter action:

URL Filter Type | Description
Simple | FortiGate tries to strictly match the full string. For example, if you enter www.facebook.com in the URL field, it only matches traffic with www.facebook.com. It won't match facebook.com or message.facebook.com. When FortiGate finds a match, it performs the selected URL Action.
Regular Expression or Wildcard | FortiGate tries to match the pattern based on the rules of regular expressions or wildcards. For example, if you enter *fa* in the URL field, it matches all content that contains fa, such as www.facebook.com, message.facebook.com, fast.com, etc. When FortiGate finds a match, it performs the selected URL Action.

For more information, see the URL Filter expressions technical note at https://kb.fortinet.com/kb/documentLink.do?externalID=FD37057.

URL Filter Action | Description
Block | Denies or blocks attempts to access any URL matching the URL pattern. FortiGate displays a replacement message.
Allow | The traffic is passed to the remaining FortiGuard webfilters, web content filters, web script filters, antivirus proxy operations, and DLP proxy operations. If the URL does not appear in the URL list, the traffic is permitted.
Monitor | The traffic is processed the same way as the Allow action. For the Monitor action, a log message is generated each time a matching traffic pattern is established.
Exempt | The traffic is allowed to bypass the remaining FortiGuard webfilters, web content filters, web script filters, antivirus scanning, and DLP proxy operations.

  4. For example, enter *facebook.com, select Wildcard and Block, and select OK.

After creating the URL filter, attach it to a webfilter profile.
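To make the Simple, Wildcard and Regular Expression filter types concrete (and the different meaning of * under wildcards versus regular expressions described in the web content filter section), here is an added Python example, not FortiGate code, that evaluates the hosts from those examples under each type. Case-insensitive, whole-string wildcard matching is an assumption of this example; the FortiOS matcher's exact rules are in the technical note linked above.

```python
import re


def _wildcard_to_regex(pattern):
    """Translate a wildcard pattern (* = any run of characters, ? = exactly one
    character) into an anchored regular expression."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return "^" + "".join(parts) + "$"


def url_matches(target, pattern, filter_type):
    """Does target (a host name or URL) match pattern under the given type?
    simple   - strict, whole-string comparison
    wildcard - * and ? expanded, the whole string must match
    regex    - Perl-style expression, may match anywhere in the string
    Case-insensitive matching is an assumption of this example."""
    if filter_type == "simple":
        return target.casefold() == pattern.casefold()
    if filter_type == "wildcard":
        return re.match(_wildcard_to_regex(pattern), target, re.IGNORECASE) is not None
    if filter_type == "regex":
        return re.search(pattern, target, re.IGNORECASE) is not None
    raise ValueError(f"unknown URL filter type: {filter_type}")


def matching_hosts(hosts, pattern, filter_type):
    """Return the hosts from the list that the pattern would act on."""
    return [h for h in hosts if url_matches(h, pattern, filter_type)]


# Constructed host list built from the examples in this page.
HOSTS = ["www.facebook.com", "facebook.com", "message.facebook.com", "fast.com",
         "fortinet.com", "forticare.com", "fortiii.com", "fortiice.com"]

if __name__ == "__main__":
    for pattern, ftype in [("www.facebook.com", "simple"), ("*fa*", "wildcard"),
                           ("*facebook.com", "wildcard"), ("forti*.com", "wildcard"),
                           ("forti*.com", "regex")]:
        print(f"{ftype:8} {pattern:18} -> {matching_hosts(HOSTS, pattern, ftype)}")
```

Note that the same text forti*.com selects four hosts as a wildcard but only fortiii.com as a regular expression, so a filter type mismatch silently widens or narrows what the entry blocks.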

Create URL filter using CLI

To create and enable a URL filter using the CLI, create the URL filter and then attach it to a webfilter profile. The CLI commands below show the full configuration of creating a URL filter.

config webfilter urlfilter
    edit {id}
        # Configure URL filter lists.
        set name {string}                     Name of URL filter list. size[35]
        config entries
            edit {id}
                # URL filter entries.
                set url {string}              URL to be filtered. size[511]
                set type {simple | regex | wildcard}   Filter type (simple, regex, or wildcard).
                    simple      Simple URL string.
                    regex       Regular expression URL string.
                    wildcard    Wildcard URL string.
                set action {exempt | block | allow | monitor}   Action to take for URL filter matches.
                    exempt      Exempt matches.
                    block       Block matches.
                    allow       Allow matches (no log).
                    monitor     Allow matches (with log).
                set status {enable | disable}   Enable/disable this URL filter.
                set exempt {option}           If action is set to exempt, select the security profile operations that exempt URLs skip. Separate multiple options with a space.
                    av                    AntiVirus scanning.
                    web-content           Web filter content matching.
                    activex-java-cookie   ActiveX, Java, and cookie filtering.
                    dlp                   DLP scanning.
                    fortiguard            FortiGuard web filtering.
                    range-block           Range block feature.
                    pass                  Pass single connection from all.
                    all                   Exempt from all security profiles.
                set referrer-host {string}    Referrer host name. size[255]
            next
        end
    next
end

To create URL filter to filter Facebook using the CLI:

config webfilter urlfilter
    edit 1
        set name "webfilter"
        config entries
            edit 1
                set url "*facebook.com"
                set type wildcard
                set action block
            next
        end
    next
end

To attach the URL filter to a webfilter profile:

config webfilter profile
    edit "webfilter"                <-- the name of the webfilter profile
        config web
            set urlfilter-table 1   <-- the URL filter created with ID number 1
        end
        config ftgd-wf
            unset options
        end
    next
end

Attach webfilter profile to the firewall policy

After you have created the URL filter and attached it to a webfilter profile, you must attach the profile to a firewall policy.

To attach a webfilter profile to a firewall policy using the GUI:

  1. Go to Policy & Objects > IPv4 Policy.
  2. Edit the policy on which you want to enable the web filter.
  3. In the Security Profiles section, enable Web Filter and select the profile you created.

To attach a webfilter profile to a firewall policy using the CLI:

config firewall policy
    edit 1
        set name "WF"
        set uuid b725a4d4-5be5-51e9-43fa-6d4e67d56bad
        set srcintf "wan2"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set logtraffic all
        set webfilter-profile "webfilter"    <-- attach the webfilter profile you just created
        set profile-protocol-options "protocol"
        set ssl-ssh-profile "protocols"
        set nat enable
    next
end

Validate the URL filter results

Validate the URL filter results by going to a blocked website. For example, when you go to the Facebook website, you see the replacement message.

To customize the URL web page blocked message:

  1. Go to System > Replacement Messages.
  2. Go to the Security section and select URL Block Page.
  3. Set up a custom message for blocked pages.

To check webfilter logs in the GUI:

  1. Go to Log & Report > Web Filter.
  2. If there are too many log entries, click Add Filter and select Event Type > urlfilter to display only the logs generated by the URL filter.

To check webfilter logs in the CLI:

FGT52E-NAT-WF # execute log filter category utm-webfilter

FGT52E-NAT-WF # execute log display

1: date=2019-04-22 time=11:48:43 logid="0315012544" type="utm" subtype="webfilter" eventtype="urlfilter" level="warning" vd="vdom1" eventtime=1555958923322174610 urlfilteridx=0 urlsource="Local URLfilter Block" policyid=1 sessionid=649063 srcip=10.1.200.15 srcport=50472 srcintf="wan2" srcintfrole="wan" dstip=157.240.18.35 dstport=443 dstintf="wan1" dstintfrole="wan" proto=6 service="HTTPS" hostname="www.facebook.com" profile="webfilter" actionn="blocked" reqtype="direct" url="/" sentbyte=1171 rcvdbyte=141 direction="outgoing" msg="URL was blocked because it is in the URL filter list" crscore=30 craction=8 crlevel="high"
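To triage the blocked-URL records shown in the two CLI log outputs on this page (the FortiGuard category block and the static URL filter block), here is an added Python example, not a Fortinet tool, that parses the key=value format and summarises which filter produced each block. The sample records are constructed from the lines above with their quotes straightened and some fields dropped, plus an invented allowed request (placeholder ids) for contrast.

```python
import re
from collections import Counter

# Constructed sample records modelled on this page's utm-webfilter log lines.
# The third line (an allowed request, placeholder logid/sessionid) is invented.
SAMPLE_LOGS = [
    'date=2019-04-22 time=13:46:25 logid="0316013056" type="utm" subtype="webfilter" '
    'eventtype="ftgd_blk" level="warning" vd="vdom1" policyid=1 sessionid=659263 '
    'srcip=10.1.200.15 srcport=49234 dstip=54.183.57.55 dstport=80 proto=6 '
    'service="HTTP" hostname="www.fortinet.com" profile="webfilter" action="blocked" '
    'url="/" msg="URL belongs to a denied category in policy" method="domain" '
    'cat=52 catdesc="Information Technology"',
    'date=2019-04-22 time=11:48:43 logid="0315012544" type="utm" subtype="webfilter" '
    'eventtype="urlfilter" level="warning" vd="vdom1" urlfilteridx=0 '
    'urlsource="Local URLfilter Block" policyid=1 sessionid=649063 '
    'srcip=10.1.200.15 srcport=50472 dstip=157.240.18.35 dstport=443 proto=6 '
    'service="HTTPS" hostname="www.facebook.com" profile="webfilter" action="blocked" '
    'url="/" msg="URL was blocked because it is in the URL filter list" '
    'crscore=30 craction=8 crlevel="high"',
    'date=2019-04-22 time=11:50:01 logid="0000000000" type="utm" subtype="webfilter" '
    'eventtype="ftgd_allow" level="notice" vd="vdom1" policyid=1 sessionid=0 '
    'srcip=10.1.200.16 srcport=50480 dstip=192.0.2.10 dstport=443 proto=6 '
    'service="HTTPS" hostname="www.example.com" profile="webfilter" '
    'action="passthrough" url="/" msg="URL belongs to an allowed category in policy" '
    'method="domain" cat=52 catdesc="Information Technology"',
]

# key=value pairs: a value is either "quoted, may contain spaces" or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fgt_log(line):
    """Parse one FortiOS log line into a dict of string fields."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def blocked_web_events(lines):
    """Return the webfilter records with action=blocked, reduced to the fields
    an analyst triages on: when, who, which host, which filter fired and why."""
    keep = ("date", "time", "srcip", "hostname", "eventtype", "msg", "catdesc")
    events = []
    for line in lines:
        rec = parse_fgt_log(line)
        if rec.get("subtype") == "webfilter" and rec.get("action") == "blocked":
            events.append({k: rec.get(k) for k in keep})
    return events


def blocks_by_filter(lines):
    """Count blocks per eventtype: ftgd_blk is a FortiGuard category block,
    urlfilter a static URL filter hit (the two validations shown on this page)."""
    return Counter(e["eventtype"] for e in blocked_web_events(lines))


if __name__ == "__main__":
    for event in blocked_web_events(SAMPLE_LOGS):
        print(event)
    print(dict(blocks_by_filter(SAMPLE_LOGS)))
```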

Introduction to Web Filter


Web filtering is a means of controlling the content that an internet user is able to view. With the increased popularity of web applications, the need to monitor and control web access is becoming a key component of secure content management systems that employ antivirus, web filtering, and messaging security.

This topic provides a general introduction to the Web Filter security profile. Additional information, such as the GUI and CLI configurations, can be found in subsequent topics.

Web Filter Configuration

Web Filter configuration can be separated into the following parts: Web Filter profile configuration and Web Filter profile overrides.

There are five components to Web Filter configuration:

  • URL filter: Block, allow, exempt, or monitor traffic by URL.
  • FortiGuard filter: With a FortiGuard license, you can get the rating of a URL. Action can be taken against the packet based on its rating.
  • Content filter: Block or exempt traffic by checking its content.
  • File filter: Log or block a file based on its file type (e.g. ZIP, MP3, PNG).
  • Advanced filter

There are two different ways to override web filtering behavior based on FortiGuard categorization of websites:

  • Using alternate categories: Web rating overrides. This method manually assigns a specific website to a different Fortinet category or a locally created category.
  • Using alternate profiles: For traffic passing through the FortiGate unit under identity-based policies with a web filtering profile, configured users or IP addresses can be given an alternative Web Filter profile to use when attempting to access blocked websites.

AppCtrl protocol enforcement check


Protocol enforcement allows you to configure networking services (e.g. FTP, HTTP, HTTPS) on known ports (e.g. 21, 80, 443). For protocols which are not whitelisted under select ports, the IPS engine performs the violation action to block, allow, or monitor that traffic.

This feature acts upon the following two scenarios:

  • When one protocol dissector confirms the service of network traffic, protocol enforcement can check whether the confirmed service is whitelisted under the server port. If it is not, then the traffic is considered a violation and IPS can take the action specified by config (e.g. block).
  • When there is no confirmed service for the network traffic, the traffic is considered a service violation if IPS dissectors rule out all of the services enforced under its server port.

CLI configuration

In an applicable profile, a default-network-service list can be created to associate well known ports with accepted services.

To setup protocol enforcement in the CLI:

config application list
    edit "protocol-GUI"
        set other-application-log enable
        set control-default-network-services {enable | disable}   # Enable/disable enforcement of protocols over select ports
        config default-network-services
            # Default network service entries
            edit 1
                set port 80             # Port number, an integer value from 0 to 65535
                set services http       # Network protocols: http, ssh, telnet, ftp, dns, smtp, pop3, imap, snmp, nntp and https
            next
            edit 2
                set port 53
                set services dns
                set violation-action {pass | monitor | block}   # Pass, or log, or block when non-DNS traffic runs over port 53
            next
        end
    next
end

GUI Configuration

A new table is displayed when the Network Protocol Enforcement toggle is set to the On position. Enforced entries can be created, edited, or deleted to configure network services on certain ports and determine the violation action.

To setup protocol enforcement in the GUI:

  1. Go to Security Profiles > Application Control.
  2. Enable Network Protocol Enforcement.
  3. Click Create New.
  4. In the New Default Network Service window:
    1. Enter a Port
    2. Select the Enforced protocols.
    3. Choose the Violation action.
    4. Select OK.

AppCtrl port enforcement check


Most networking applications run on specific ports. For example, SSH runs on port 22, and Facebook runs on ports 80 and 443.

If the default network service is enabled in the application control profile, a port enforcement check is done at the application profile level, and any detected application signatures running on the non-standard TCP/IP port are blocked.

This means that each application allowed by the app control sensor is only run on its default port.

To set port enforcement check in the CLI:

config application list
    edit "default_port"
        set enforce-default-app-port {enable | disable}
            disable     Disable default application port enforcement.
            enable      Enable default application port enforcement.
        config entries
            edit 1
                set application 15896
                set action pass
            next
        end
    next
end

For example, when applying the above appctrl sensor, FTP traffic with the standard port (port 21) is allowed, while the non-standard port (port 2121) is blocked.
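The two protocol enforcement scenarios described in the previous section and the default-port check described here, as an added Python example that is not the IPS engine's code. The enforcement table follows the CLI example (ports 80 and 53, with an extra monitor entry on 443 added for this example), and the application names and default ports are illustrative assumptions rather than FortiGuard signature ids.

```python
# Default network service table modelled on the protocol enforcement CLI example:
# server port -> (services enforced on that port, violation action).
DEFAULT_NETWORK_SERVICES = {
    80: ({"http"}, "block"),
    53: ({"dns"}, "block"),
    443: ({"https"}, "monitor"),   # extra entry, added for this example
}

# Default ports per application, as the port enforcement section describes
# (SSH on 22, FTP on 21). Names are illustrative, not FortiGuard signature ids.
DEFAULT_APP_PORTS = {
    "ssh": {22},
    "ftp": {21},
    "http": {80},
}


def protocol_enforcement_action(server_port, confirmed=None, ruled_out=(),
                                table=DEFAULT_NETWORK_SERVICES):
    """Decide the action for a flow on server_port.
    Scenario 1: a dissector confirmed the service; it is a violation unless that
    service is whitelisted for the port.
    Scenario 2: nothing confirmed yet; it is a violation only once the dissectors
    have ruled out every service enforced on the port.
    Returns 'pass' when the port is not enforced or no violation is found."""
    if server_port not in table:
        return "pass"
    allowed, action = table[server_port]
    if confirmed is not None:
        return "pass" if confirmed in allowed else action
    return action if allowed <= set(ruled_out) else "pass"


def port_enforcement_action(app, server_port, enforce=True,
                            sensor_action="pass", defaults=DEFAULT_APP_PORTS):
    """Apply the sensor's own action first, then the default-port check: with
    enforce-default-app-port enabled, an application the sensor allows is still
    blocked when it is seen on a port other than its default."""
    if sensor_action == "block":
        return "block"
    if enforce and app in defaults and server_port not in defaults[app]:
        return "block"
    return sensor_action


if __name__ == "__main__":
    print(protocol_enforcement_action(80, confirmed="http"))    # pass
    print(protocol_enforcement_action(80, confirmed="ssh"))     # block
    print(protocol_enforcement_action(53, ruled_out={"dns"}))   # block
    print(protocol_enforcement_action(53, ruled_out=set()))     # pass
    print(port_enforcement_action("ftp", 21))                   # pass
    print(port_enforcement_action("ftp", 2121))                 # block
```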