Tag Archives: how to do tcpdump on fortigate

Other Security Profiles Considerations – Fortinet FortiGate

Other Security Profiles considerations

The following topics are included in this section:

  • Profile Groups
  • Security Profiles and Virtual domains (VDOMs)
  • Conserve mode
  • SSL content scanning and inspection
  • Monitoring Security Profiles activity
  • Using wildcards and Perl regular expressions
  • Monitor interface reference

Profile Groups

One of the options when adding Security profiles to policies is the use of the Profile Groups feature. This works much the same way as an address group or a service group. You assign a selection of Security profiles to the Group and assign the group to a policy. This can be very convenient in an environment that has a large number of policies because instead of deciding each time you make a policy which Security profiles are going to be used you can have a small selection of Profile groups and every policy is assigned one of those groups. If changes need to be make, rather than going into each policy to make individual changes you only have to make changes to the group and the changes automatically propagate through to all of the policies that are using the Profile Group. It makes Security Profiles administration much simpler to implement, simpler to administrate and simpler to remember what Security Profiles features are being assigned to policies.

To refine the application of Security Profiles even further you can use the Profile Group in combination with Identity based policies and User Groups so that depending upon which User group a person belongs to that can be assigned a common set of Security profiles. A good example of this would a school environment. Staff and students are going to have significantly different permissions and restrictions associated with them. Staff will be allow access to websites that children are not (Web Filter). Staff will be allowed to transmit certain data under certain circumstances while students cannot transmit that type of data at all (DLP). Staff might have access to applications to communicate with colleagues in real time while students might be denied social networking access to get them from being distracted from their studies (Application Control). There are a number of permutations and possibilities made simpler and easier to administrate using these features together.

Page 160

Creating a new group

Security profiles that can be grouped

When setting up a Profile Group you can assign to a group, or not as you want, the following Profile types:

  • AntiVirus
  • Web Filter
  • Application Control
  • IPS
  • Email Filter
  • DLP Sensor
  • VoIP
  • ICAP

Because the Security profiles need to use one, if you are assigning a Security profile to a policy you must assign a Proxy Option profile.

Using the Web-based Manager

To keep the interface simpler and less cluttered, by default, some versions of the firmware only display a default profile for each of the profile types and a default Profile Group. By going into the Admin Settings section and enabling the display of Multiple Security Profiles the option to have multiple Profile Groups in the Web Based Manager is also enabled.

  1. Go to Security Profiles –> Profile Group –> Profile Group
  2. Select Create New
  3. Give the New Profile group a name.
  4. Select the Security Profiles.
    1. Use the check-boxes to determine whether or not a particular Security profile will be assigned.
    2. Use the drop-down menu to determine which Security profile will be used.
    3. Select a Proxy Option profile.

The Default Proxy Option Profile will be added by default if another profile is not selected.

  1. Select OK.

Using the CLI

In the CLI enter the commands:

config firewall profile-group

edit <profile_group_name>

set profile-protocol-options <protocol_options_name> set av-profile <name_of_av-profile> set webfilter-profile <name_of_webfilter-profile> set spamfilter-profile <name_of_spamfilter-profile> set dlp-sensor <name_of_dlp-sensor> set ips-sensor <name_of_ips-sensor> set application-list <name_of_application-list> set voip-profile <name_of_voip-profile> set icap-profile <name_of_icap-profile> set deep-inspection-options <name_of_deep-inspection-options> next

end

Adding a Profile Group to a policy

Using the CLI

  1. Go to the Firewall policy that you wish to associate the Profile Group
    1. For an Address Firewall policy: config firewall policy edit <policyID>
    2. For an Identity based policy

config firewall policy

edit <policyID>

config identity-based-policy

edit <policy_id>

  1. To assign a Profile Group to a security policy the following additional settings need to be added to the policy configuration. set utm-status enable set profile-type group set profile-group <name of the profile group> end

When adding a Profile Group to a policy there are 2 potential points of confusion:

  1. Depending on your interpretation, there may be some confusion on the profile-type setting.
    • group indicates the use of a profile group.
    • single indicates the use of individual Security profiles.
  2. In the CLI, the context, or placement in the “syntax tree” of configuration settings, can make some options available or unavailable depending on other settings.

In an Address Policy you only have to go down 2 “levels” to have the options for configuring the Profile Groups available.

When an Identity policy is being used the Profile Group options are not available at the same level. You have to go down a further 2 levels, to inside the Authentication rule that is nested within the overall umbrella of the Firewall Policy. This is where the Profile Group settings will be available to you.

Security Profiles and Virtual domains (VDOMs)

If you enable virtual domains (VDOMs) on your FortiGate unit, all Security Profiles configuration is limited to the VDOM in which you configure it.

While configuration is not shared, the various databases used by Security Profiles features are shared. The FortiGuard antivirus and IPS databases and database updates are shared. The FortiGuard web filter and spam filter features contact the FortiGuard distribution network and access the same information when checking email for spam and web site categories and classification.

Conserve mode

FortiGate units perform all Security Profiles processing in physical RAM. Since each model has a limited amount of memory, conserve mode is activated when the remaining free memory is nearly exhausted or the AV proxy has reached the maximum number of sessions it can service. While conserve mode is active, the AV proxy does not accept new sessions.

The AV proxy

Most content inspection the FortiGate unit performs requires that the files, email messages, URLs, and web pages be buffered and examined as a whole. The AV proxy performs this function, and because it may be buffering many files at the same time, it uses a significant amount of memory. Conserve mode is designed to prevent all the component features of the FortiGate unit from trying to use more memory than it has. Because the AV proxy uses so much memory, conserve mode effectively disables it in most circumstances. As a result, the content inspection features that use the AV proxy are also disabled in conserve mode.

All of the Security Profiles features use the AV proxy with the exception of IPS, application control, DoS as well as flow-based antivirus, DLP, and web filter scanning. These features continue to operate normally when the FortiGate unit enters conserve mode.

Entering and exiting conserve mode

A FortiGate unit will enter conserve mode because it is nearly out of physical memory, or because the AV proxy has reached the maximum number of sessions it can service. The memory threshold that triggers conserve mode varies by model, but it is about 20% free memory. When memory use rises to the point where less than 20% of the physical memory is free, the FortiGate unit enters conserve mode.

The FortiGate unit will leave conserve mode only when the available physical memory exceeds about 30%. When exiting conserve mode, all new sessions configured to be scanned with features requiring the AV proxy will be scanned as normal, with the exception of a unit configured with the one-shot option.

Conserve mode effects

What happens when the FortiGate unit enters conserve mode depends on how you have av-failopen configured. There are four options:

off

The off setting forces the FortiGate unit to stop all traffic that is configured for content inspection by Security Profiles features that use the AV proxy. New sessions are not allowed but current sessions continue to be processed normally unless they request more memory. Sessions requesting more memory are terminated.

For example, if a security policy is configured to use antivirus scanning, the traffic it permits is blocked while in conserve mode. A policy with IPS scanning enabled continues as normal. A policy with both IPS and antivirus scanning is blocked because antivirus scanning requires the AV proxy.

Use the off setting when security is more important than a loss of access while the problem is rectified.

pass

The pass setting allows traffic to bypass the AV proxy and continue to its destination. Since the traffic is bypassing the proxy, no Security Profiles scanning that requires the AV proxy is performed. Security Profiles scanning that does not require the AV proxy continues normally.

Use the pass setting when access is more important than security while the problem is rectified.

Pass is the default setting.

one-shot

The one-shot setting is similar to pass in that traffic is allowed when conserve mode is active. The difference is that a system configured for one-shot will force new sessions to bypass the AV proxy even after it leaves conserve mode. The FortiGate unit resumes use of the AV proxy only when the av-failopen setting is changed or the unit is restarted.

idledrop

The idledrop setting will recover memory and session space by terminating all the sessions associated with the host that has the most sessions open. The FortiGate may force this session termination a number of times, until enough memory is available to allow it to leave conserve mode.

The idledrop setting is primarily designed for situations in which malware may continue to open sessions until the AV proxy cannot accept more new sessions, triggering conserve mode. If your FortiGate unit is operating near capacity, this setting could cause the termination of valid sessions. Use this option with caution.

Configuring the av-failopen command

You can configure the av-failopen command using the CLI.

config system global set av-failopen {off | pass | one-shot | idledrop}

end

The default setting is pass.

ICAP – Fortinet FortiGate

ICAP

ICAP is the acronym for Internet Content Adaptation Protocol The purpose of the feature is to off load work that would normally take place on the firewall to a separate server specifically set up for the specialized processing of the incoming traffic. This takes some of the resource strain off of the FortiGate firewall leaving it to concentrate its resources on things that only it can do.

Off-loading value-added services from Web servers to ICAP servers allows those same web servers to be scaled according to raw HTTP throughput versus having to handle these extra tasks.

ICAP servers are focused on a specific function, for example:

  • Ad insertion
  • Virus scanning
  • Content translation
  • HTTP header or URL manipulation
  • Language translation
  • The Protocol
  • Offloading using ICAP
  • Configuration Settings
  • Example ICAP sequence
  • Example Scenerio

The Protocol

The protocol is a lightweight member of the TCP/IP suite of protocols. It is an Application layer protocol and its specifications are set out in RFC 3507. The default TCP that is assigned to it is 1344. Its purpose is to support HTTP content adaptation by providing simple object-based content vectoring for HTTP services. ICAP is usually used to implement virus scanning and content filters in transparent HTTP proxy caches. Content Adaptation refers to performing the particular value added service, or content manipulation, for an associated client request/response.

Essentially it allows an ICAP client, in this case the FortiGate firewall, to pass HTTP messages to an ICAP server like a remote procedure call for the purposes of some sort of transformation or other processing adaptation. Once the ICAP server has finished processing the the content, the modified content is sent back to the client.

The messages going back and forth between the client and server are typically HTTP requests or HTTP responses. While ICAP is a request/response protocol similar in semantics and usage

Page 155

to HTTP/1.1 it is not HTTP nor does it run over HTTP, as such it cannot be treated as if it were HTTP. For instance ICAP messages can not be forwarded by HTTP surrogates.

Offloading using ICAP

If you enable ICAP in a security policy, HTTP traffic intercepted by the policy is transferred to an ICAP server in the ICAP profile added to the policy. Responses from the ICAP server are returned to the FortiGate unit which forwards them to an HTTP client or server.

You can offload HTTP responses or HTTP requests (or both) to the same or different ICAP servers.

If the FortiGate unit supports HTTPS inspection, HTTPS traffic intercepted by a policy that includes an ICAP profile is also offloaded to the ICAP server in the same way as HTTP traffic.

When configuring ICAP on the FortiGate unit, you must configure an ICAP profile that contains the ICAP server information; this profile is then applied to a security policy.

Configuration Settings

There are 2 sections where ICAP is configured:

Servers

The available settings to be configured regarding the profile are

IP Type (in the GUI) or  IP address version ( in the CLI)

The options for this field in the GUI are 2 radio buttons labelled “IPv4” and “IPv4”. In the CLI the approach is slightly different. There is a field “ip-version” that can be set to “4” or “6”.

IP address

depending on whether you’ve set the IP version to 4 or 6 will determine the format that the content of this field will be set into. In the GUI it looks like the same field with a different format but in the CLI it is actually 2 different fields named “ip-address” and ip6-address.

Maximum Connections

This value refers to the maximum number of concurrent connections that can be made to the ICAP server. The default setting is 100. This setting can only be configured in the CLI.

The syntax is:

config icap server edit <icap_server_name> set max-connections <integer> end

Port

this is the TCP port used for the ICAP traffic. The range can be from 1 to 65535. The default value is 1344.

Profiles

Enable Request Processing

Enabling this setting allows the ICAP server to process request messages.

If enabled this setting will also require:

  • Server – This is the name of the ICAP server. It is chosen from the drop down menu in the field. The servers are configure in the Security Profiles > ICAP > Server section.
  • Path – This is the path on the server to the processing compent. For instance if the Windows share name was “Processes” and the directory within the share was “Content-Filter” the path would be “/Processes/Content-Filter/”
  • On Failure – There are 2 options. You can choose by the use of radio buttons either Error or Bypass.

Enable Response Processing

Enabling this setting allows the ICAP server to process response messages.

If enabled this setting will also require:

  • Server – This is the name of the ICAP server. It is chosen from the drop down menu in the field. The servers are configure in the Security Profiles > ICAP > Server section.
  • Path – This is the path on the server to the processing compent. For instance if the Windows share name was “Processes” and the directory within the share was “Content-Filter” the path would be “/Processes/Content-Filter/”

On Failure – There are 2 options. You can choose by the use of radio buttons either Error or Bypass.

Enable Streaming Media Bypass

Enabling this setting allows streaming media to ignore offloading to the ICAP server.

Example ICAP sequence

This example is for an ICAP server performing web URL filtering on HTTP requests

  1. A user opens a web browser and sends an HTTP request to connect to a web server.
  2. The FortiGate unit intercepts the HTTP request and forwards it to an ICAP server.
  3. The ICAP server receives the request and determines if the request is for URL that should be blocked or allowed.
    • If the URL should be blocked the ICAP server sends a response to the FortiGate unit. The FortiGate unit returns this response to the user’s web browser. This response could be a message informing the user that their request was blocked.
    • If the URL should be allowed the ICAP server sends a request to the FortiGate unit. The FortiGate unit forwards the request to the web server that the user originally attempted to connect to.
    • When configuring ICAP on the FortiGate unit, you must configure an ICAP profile that contains the ICAP server information; this profile is then applied to a security policy.

Example Scenerio

Information relavent to the following example:

  • The ICAP server is designed to do proprietary content filtering specific to the organization so it will have to receive the messages and sent back appropriate responses.
  • The content filter is a required security precaution so it if the message cannot be processed it is not allowed through.
  • Resources on both the Fortigate and the ICAP server are considerable so the maximum connections setting will set at a double the default value to analyse the impact on performance.
  • The ICAP server’s IP address is 172.16.100. 55.
  • The path to the processing component is “/proprietary_code/content-filter/”.
  • Streaming media is not something that the filter considers, but is allowed through the policy so processing it would be a waste of resources.
  • The ICAP profile is to be added to an existing firewall policy.
  • It is assumed that the display of the policies has already been configured to show the column “ID”.
  1. Enter the following to configure the ICAP server:

Go to Security Profiles > ICAP > Server.

Use the following values:

Name content-filtration-server4
IP Type 4
IP Address 172.16.100.55
Port 1344

Use the CLI to set the max-connections value.

config icap server edit content-filtration-server4 set max-connections 200 end

  1. Enter the following to configure the ICAP profile to then apply to a security policy:

Use the following values:

Name Prop-Content-Filtration
Enable Request Processing enable
Server content-filtration-server4
Path /proprietary_code/content-filter/
On Failure Error
Enable Response Processing enable
Server content-filtration-server4
Path /proprietary_code/content-filter/
On Failure Error

Enable Streaming Media Bypass enable

  1. Apply the ICAP profile to policy:

The purposes of this particular ICAP profile is to filter the content of the traffic coming through the firewall via policy ID#17

  1. Go to Policy > Policy >
  2. Open the existing policy ID# 17 for editing.
  3. Go to the section Security Profiles.
  4. Select the button next to ICAP so that it indicates that it’s status is ON.
  5. Select the field with the profile name and use the drop down menu to select Prop-Content-Filtration.
  6. Select OK.

 

Application Control – Fortinet FortiGate

Application control

Using the application control Security Profile feature, your FortiGate unit can detect and take action against network traffic depending on the application generating the traffic. Based on FortiGate Intrusion Protection protocol decoders, application control is a user-friendly and powerful way to use Intrusion Protection features to log and manage the behavior of application traffic passing through the FortiGate unit. Application control uses IPS protocol decoders that can analyze network traffic to detect application traffic even if the traffic uses non-standard ports or protocols.

The FortiGate unit can recognize the network traffic generated by a large number of applications. You can create application control sensors that specify the action to take with the traffic of the applications you need to manage and the network on which they are active, and then add application control sensors to the firewall policies that control the network traffic you need to monitor.

Fortinet is constantly increasing the list of applications that application control can detect by adding applications to the FortiGuard Application Control Database. Because intrusion protection protocol decoders are used for application control, the application control database is part of the FortiGuard Intrusion Protection System Database and both of these databases have the same version number.

You can find the version of the application control database that is installed on your unit, by going to the License Information dashboard widget and find IPS Definitions version.

You can go to the FortiGuard Application Control List to see the complete list of applications supported by FortiGuard. This web page lists all of the supported applications. You can select any application name to see details about the application.

If you enable virtual domains (VDOMs) on the Fortinet unit, you need to configure application control separately for each virtual domain.

The following topics are included in this section:

  • Application control concepts
  • Application considerations
  • Application traffic shaping
  • Application control monitor
  • Enable application control
  • Application control examples

Application control concepts

You can control network traffic generally by the source or destination address, or by the port, the quantity or similar attributes of the traffic itself in the security policy. If you want to control the flow of traffic from a specific application, these methods may not be sufficient to precisely define the traffic. To address this problem, the application control feature examines the traffic itself for signatures unique to the application generating it. Application control does not require knowledge of any server addresses or ports. The FortiGate unit includes signatures for over 1000 applications, services, and protocols.

Updated and new application signatures are delivered to your FortiGate unit as part of your

FortiGuard Application Control Service subscription. Fortinet is constantly increasing the

Page 143

number of applications that application control can detect by adding applications to the FortiGuard Application Control Database. Because intrusion protection protocol decoders are used for application control, the application control database is part of the FortiGuard Intrusion Protection System Database and both of these databases have the same version number.

To view the version of the application control database installed on your FortiGate unit, go to the License Information dashboard widget and find the IPS Definitions version.

To see the complete list of applications supported by FortiGuard Application Control go to the FortiGuard Application Control List. This web page lists all of the supported applications. You can select any application name to see details about the application.

Application considerations

Some applications behave differently from most others. You should be aware of these differences before using application control to regulate their use.

Automatically allowing basic applications

A common practice is to block applications by category, because the alternative is to list each specific traffic on an individual basis. While listing the applications individually gives a great deal of granularity it does tend to allow for missing some of them. On the other hand, blocking by category has the drawback of blocking some traffic that was not intended to be blocked.

There are a number of basic applications that you may want to be allowed on a default basis. For example, DNS. If you were to block the category Network Services you would end up blocking your web browsing, unless your users are members of a very limited group that do their web browsing by using IP addresses instead of URLs. Without DNS the systems will not be able to resolve URLs into IP addresses.

Using a set of options in the CLI the FortiGate unit can be configured to automatically allow the following types of traffic, regardless of whether or not their category is blocked:

  • DNS
  • ICMP
  • Generic HTTP Web browsing
  • Generic SSL communications

Syntax

config application list edit appcontrol set options allow-dns allow-icmp allow-http allow-ssl

end

As the example indicates, DNS is vitally important to multiple other types of traffic so by default it is set to be allowed, however the other settings must be specifically enabled.

IM applications

The Application Control function for a number of IM application is not in the Web Based Manager, in the CLI of the FortiGate unit. These applications are:

  • AIM
  • ICQ
  • MSN
  • Yahoo

These applications are controlled by either permitting or denying the users from logging in to the service. Individual IM accounts are configured as to whether or not they are permitted and then there is a global policy for how to action unknown users, by the application, and whether to add the user to the black list or the white list.

The configuration details for these settings can be found in the CLI Reference guide under the heading of imp2p.

Skype

Based on the NAT firewall type, Skype takes advantage of several NAT firewall traversal methods, such as STUN (Simple Traversal of UDP through NAT), ICE (Interactive Connectivity Establishment) and TURN (Traversal Using Relay NAT), to make the connection.

The Skype client may try to log in with either UDP or TCP, on different ports, especially well-known service ports, such as HTTP (80) and HTTPS (443), because these ports are normally allowed in firewall settings. A client who has previously logged in successfully could start with the known good approach, then fall back on another approach if the known one fails.

The Skype client could also employ Connection Relay. This means if a reachable host is already connected to the Skype network, other clients can connect through this host. This makes any connected host not only a client but also a relay server.

Data Leak Prevention – Fortinet FortiGate

Data leak prevention

The FortiGate data leak prevention (DLP) system allows you to prevent sensitive data from leaving your network. When you define sensitive data patterns, data matching these patterns will be blocked, or logged and allowed, when passing through the FortiGate unit. You configure the DLP system by creating individual filters based on file type, file size, a regular expression, an advanced rule, or a compound rule, in a DLP sensor and assign the sensor to a security policy.

Although the primary use of the DLP feature is to stop sensitive data from leaving your network, it can also be used to prevent unwanted data from entering your network and to archive some or all of the content passing through the FortiGate unit.

This section describes how to configure the DLP settings.

The following topics are included:

  • Data leak prevention concepts
  • Enable data leak prevention
  • Fingerprint
  • File filter
  • DLP archiving
  • DLP examples

Data leak prevention concepts

Data leak prevention examines network traffic for data patterns you specify. You define whatever patterns you want the FortiGate unit to look for in network traffic. The DLP feature is broken down into a number of parts.

DLP sensor

A DLP sensor is a package of filters. To use DLP, you must enable it in a security policy and select the DLP sensor to use. The traffic controlled by the security policy will be searched for the patterns defined in the filters contained in the DLP sensor. Matching traffic will be passed or blocked according to how you configured the filters.

DLP filter

Each DLP sensor has one or more filters configured within it. Filters can examine traffic for known files using DLP fingerprints, for files of a particular type or name, for files larger than a specified size, for data matching a specified regular expression, or for traffic matching an advanced rule or compound rule.

Page 121

You can configure the action taken when a match is detected. The actions include:

  • None
  • Log Only,
  • Block
  • Quarantine User,
  • Quarantine IP address
  • Quarantine Interface

Log Only is enabled by default.

Fingerprint

Fingerprint scanning allows you to create a library of files for the FortiGate unit to examine. It will create checksum fingerprints so each file can be easily identified. Then, when files appear in network traffic, the FortiGate will generate a checksum fingerprint and compare it to those in the fingerprint database. A match triggers the configured action.

File filter

File filters use file filter lists to examine network traffic for files that match either file names or file types. For example, you can create a file filter list that will find files called secret.* and also all JPEG graphic files. You can create multiple file filter lists and use them in filters in multiple DLP sensors as required.

File size

This filter-type checks for files exceeding a configured size. All files larger than the specified size are subject to the configured action.

Regular expression

The FortiGate unit checks network traffic for the regular expression specified in a regular expression filter. The regular expression library used by Fortinet is a variation of a library called PCRE (Perl Compatible Regular Expressions). A number of these filters can be added to a sensor making a sort of ‘dictionary’ subset within the sensor.

Some other, more limited DLP implementations, use a list of words in a text file to define what words are searched for. While the format used here is slightly different than what some people are used to, the resulting effect is similar. Each Regular Expression filter can be thought of as a more versatile word to be searched against. In this dictionary (or sensor), the list of words is not limited to just predefined words. It can include expressions that can accommodate complex variations on those words and even target phrases. Another advantage of the individual filter model of this dictionary over the list is that each word can be assigned its own action, making this implementation much more granular.

Watermark

Watermarking is essentially marking files with a digital pattern to mark the file as being proprietary to a specific company. Fortinet has a utility that will apply a digital watermark to files. The utility adds a small (approx. 100 byte) pattern to the file that is recognised by the DLP Watermark filter. the pattern is invisible to the end user.

When watermarking a file it should be verified that the pattern matches up to a category found on the FortiGate firewall. For example, if you are going to watermark a file with the sensitivity

 

level of “Secret” you should verify that “Secret” is a sensitivity level that has been assigned in the FortiGate unit.

Software Versions

Before planning on using watermarking software it is always best to verify that the software will work with your OS. Currently the utility was only available for the Linux and Windows operating systems.

The Linux version can be found in one of 3 command line executable programs.

  • watermark_linux_amd64
  • watermark_linux_arm
  • watermark_linux_x86

The Windows version is part of the FortiExplorer software.

File types

The Watermark tool does not work with every file type. The following file types are supported by the watermark tool:

  • .txt
  • .pdf
  • .doc
  • .xls
  • .ppt
  • .docx
  • .pptx • .xlsx

Currently the DLP only works with Fortinet’s watermarking software.

Using the FortiExplorer Watermark tool

The FortiExplorer software can be downloaded from the Fortinet Support Site.

  1. Choose whether to “Apply Watermark To:”
  • Select File • Entire Directory
  1. Fill in the fields:
    1. Select File

This Field has a browse icon next to it which will allow the user to browse to and select a single file or directory to apply the water mark to.

  1. Sensitivity Level

This field is a drop down menu that lists the available sensitivity levels that the FortiGate can scan for

  1. Identifier

This is a unique identifier string of characters to identify the company that the document belongs to.

  1. Output Directory

This Field has a browse icon next to it which will allow the user to browse to a directory where the altered file will be placed. If the output directory is the same as the source directory the original file will be overwritten. If the output directory is different than the source directory then the watermarked version of the file will be place there and the unaltered original will be left in the source directory.

  1. Select Apply Watermark to start the process.

You should get output in the window similar to this:

> fortinet-watermark-win.exe -v -f “C:\Users\TestUser\Documents\test document.txt” -i “123456ABC” -l “Private” -o “C:\Users\TestUser\Watermarked Documents”     Creating watermark. Pattern:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=identifier=123456ABC sensitivity=Private=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

–> ‘C:\Users\TestUser\Documents\test document.txt’

Inserted watermark size 231

——————————————————–

1 file(s) processed. (success = 1, failure = 0)

Installation of the watermark utility on Linux

Add the watermark file to a location on the system that is in the $PATH.

To see what the path is use the command echo $PATH

Example results:

/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/ga mes for example you could move or copy the file to the :/bin directory.

Permissions on the watermark file:

Check the existing permissions:

The command in Linux for listing file along with the permissions is: ls -l

Run the check to see if the permission status. The results may be something along these lines:

-rw-r–r– 1 root root 2053868 Jan 10 11:44 watermark

You will see that in this case it has no executable permissions To change the permissions on the watermark file:

It will be assume for this command that the utility is in the bin directory and that you have ownership level access.

chmod o+x /bin/watermark

To verify the change: ls -l wa* -rw-r–r-x 1 root root 2053868 Jan 10 11:44 watermark

You can see how the x for executable has been added to the permissions for the others group.

Syntax of the Watermark utility

The tool is executed in a Linux environment by passing in files or directories of files to insert a watermark.

USAGE:

watermark <options> -f <file name> -i <identifier> -l <sensitivity level> watermark <options> -d <directory> -i <identifier> -l <sensitivity level>

Options:

-h print help

-v verbose information

-I inplace watermarking (don’t copy file)

-o output directory

-e encode <to non-readable>

-a add additional watermark (by default replaces watermarks existing watermarks)

-D delete all watermarks

Using the watermark utility

Now if you are in your home directory and you want to watermark a file in the Documents directory you could plan out the command like this: watermark [because that is the executable to be used]

-v [so that you can get as much feedback as possible]

-I [because you don’t want a new file you just want to watermark the existing one]

-f [because you only want to change the one file not the entire directory] filename.pdf [the name of the file]

-i 123456 [to set the identifier to 123456 – this is a required setting

-l Private [to set the sensitivity level to “Private”]

Now at the command prompt enter all of these components in order:

watermark -v -I -f filename.pdf -i 12345 -l Private Creating watermark.  Pattern:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=identifier=12345 sensitivity=Private=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Watermarking file: ‘filename.pdf’

Inserted watermark size 148

Web filter – Fortinet FortiGate

Web filter

This section describes FortiGate web filtering for HTTP traffic. The three main parts of the web filtering function, the Web Content Filter, the URL Filter, and the FortiGuard Web Filtering Service interact with each other to provide maximum control over what the Internet user can view as well as protection to your network from many Internet content threats. Web Content Filter blocks web pages containing words or patterns that you specify. URL filtering uses URLs and URL patterns to block or exempt web pages from specific sources. FortiGuard Web Filtering provides many additional categories you can use to filter web traffic.

This section describes the Web Content Filter and URL Filter functions. For information on FortiGuard Web Filtering, see “FortiGuard W eb Filter” on page 133 The following topics are included in this section:

  • Web filter concepts
  • Inspections Modes
  • FortiGuard Web Filtering Service
  • Overriding FortiGuard website categorization
  • SafeSearch
  • YouTube Education Filter
  • Web Site Filter
  • Web content filter
  • Advanced web filter configurations
  • Working with the Interface
  • Web filtering example

Web filter concepts

Web filtering is a means of controlling the content that an Internet user is able to view. With the popularity of web applications, the need to monitor and control web access is becoming a key component of secure content management systems that employ antivirus, web filtering, and messaging security. Important reasons for controlling web content include:

  • lost productivity because employees are accessing the web for non-business reasons
  • network congestion — when valuable bandwidth is used for non-business purposes, legitimate business applications suffer
  • loss or exposure of confidential information through chat sites, non-approved email systems, instant messaging, and peer-to-peer file sharing
  • increased exposure to web-based threats as employees surf non-business-related web sites
  • legal liability when employees access/download inappropriate and offensive material
  • copyright infringement caused by employees downloading and/or distributing copyrighted material.

As the number and severity of threats increase on the World Wide Web, the risk potential increases within a company’s network as well. Casual non-business related web surfing has caused many businesses countless hours of legal litigation as hostile environments have been created by employees who download and view offensive content. Web-based attacks and

Page 84

threats are also becoming increasingly sophisticated. Threats and web-based applications that cause additional problems for corporations include:

  • spyware/grayware
  • phishing
  • pharming
  • instant messaging
  • peer-to-peer file sharing
  • streaming media
  • blended network attacks.

Spyware, also known as grayware, is a type of computer program that attaches itself to a user’s operating system. It does this without the user’s consent or knowledge. It usually ends up on a computer because of something the user does such as clicking on a button in a pop-up window. Spyware can track the user’s Internet usage, cause unwanted pop-up windows, and even direct the user to a host web site. For further information, visit the FortiGuard Center.

Some of the most common ways of grayware infection include:

  • downloading shareware, freeware, or other forms of file-sharing services
  • clicking on pop-up advertising
  • visiting legitimate web sites infected with grayware.

Phishing is the term used to describe attacks that use web technology to trick users into revealing personal or financial information. Phishing attacks use web sites and email that claim to be from legitimate financial institutions to trick the viewer into believing that they are legitimate. Although phishing is initiated by spam email, getting the user to access the attacker’s web site is always the next step.

Pharming is a next generation threat that is designed to identify and extract financial, and other key pieces of information for identity theft. Pharming is much more dangerous than phishing because it is designed to be completely hidden from the end user. Unlike phishing attacks that send out spam email requiring the user to click to a fraudulent URL, pharming attacks require no action from the user outside of their regular web surfing activities. Pharming attacks succeed by redirecting users from legitimate web sites to similar fraudulent web sites that have been created to look and feel like the authentic web site.

Instant messaging presents a number of problems. Instant messaging can be used to infect computers with spyware and viruses. Phishing attacks can be made using instant messaging. There is also a danger that employees may use instant messaging to release sensitive information to an outsider.

Peer-to-peer (P2P) networks are used for file sharing. Such files may contain viruses. Peer-to-peer applications take up valuable network resources and may lower employee productivity but also have legal implications with the downloading of copyrighted or sensitive company material.

Streaming media is a method of delivering multimedia, usually in the form of audio or video to Internet users. Viewing streaming media impacts legitimate business by using valuable bandwidth.

Blended network threats are rising and the sophistication of network threats is increasing with each new attack. Attackers learn from each previous successful attack and enhance and update attack code to become more dangerous and fast spreading. Blended attacks use a combination of methods to spread and cause damage. Using virus or network worm techniques combined with known system vulnerabilities, blended threats can quickly spread through email, web sites, and Trojan applications. Examples of blended threats include Nimda, Code Red, Slammer, and Blaster. Blended attacks can be designed to perform different types of attacks, which include disrupting network services, destroying or stealing information, and installing stealthy backdoor applications to grant remote access.

Different ways of controlling access

The methods available for monitoring and controlling Internet access range from manual and educational methods to fully automated systems designed to scan, inspect, rate and control web activity.

Common web access control mechanisms include:

  • establishing and implementing a well-written usage policy in the organization on proper Internet, email, and computer conduct
  • installing monitoring tools that record and report on Internet usage
  • implementing policy-based tools that capture, rate, and block URLs.

The final method is the focus of this topic. The following information shows how the filters interact and how to use them to your advantage.

Order of web filtering

The FortiGate unit applies web filters in a specific order:

  1. URL filter
  2. FortiGuard Web Filter
  3. web content filter
  4. web script filter
  5. antivirus scanning.

If you have blocked a FortiGuard Web Filter category but want certain users to have access to URLs within that pattern, you can use the Override within the FortiGuard Web Filter. This will allow you to specify which users have access to which blocked URLs and how long they have that access. For example, if you want a user to be able to access www.example.com for one hour, you can use the override to set up the exemption. Any user listed in an override must fill out an online authentication form that is presented when they try to access a blocked URL before the FortiGate unit will grant access to it. For more information, see “FortiGuard Web  Filter” on page 133.

Inspections Modes

Proxy

Proxy-based inspection involves buffering the traffic and examining it as a whole before determining an action. The process of having the whole of the data to analyze allow this process to include more points of data to analyze than the flow-based or DNS methods.

The advantage of a proxy-based method is that the inspection can be more thorough than the other methods, resulting in fewer false positive or negative results in the analysis of the data.

Flow-based

The Flow-based inspection method examines the file as it passes through the FortiGate unit without any buffering. As each packet of the traffic arrives it is process and forwarded without waiting for the complete file or web page, etc.

The advantage of the flow-based method is that the user sees a faster response time for HTTP requests and there is less chance of a time-out error due to the server at the other end responding slowly.

The disadvantages of this method are that there is a higher probability of a false positive or negative in the analysis of the data and that a number of points of analysis that can be used in the proxy-based method are not available in the flow-based inspection method. There is also fewer actions available to choose from based on the categorization of the website by FortiGuard services.

DNS

The DNS inspection method uses the same categories as the FortiGuard Service. It is lightweight in terms of resource usage because it doesn’t involve any proxy-based or flow-based inspection.

A DNS request is typically the first part of any new session to a new website. This inspection method takes advantage of that and places the results of the categorization of websites right on the FortiGuard DNS servers. When the FortiGate resolves a URL, in addition to the IP address of the website it also receives a domain rating.

In the same way that the flow-based inspection method had fewer filters and points of analysis than the proxy-based inspection method, DNS has fewer settings still. All of its inspection is based on the IP address, the domain name and the rating provided by the FortiGuard DNS server.

FortiGuard Web Filtering Service

FortiGuard Web Filter is a managed web filtering solution available by subscription from Fortinet. FortiGuard Web Filter enhances the web filtering features supplied with your FortiGate unit by sorting billions of web pages into a wide range of categories users can allow or block. The FortiGate unit accesses the nearest FortiGuard Web Filter Service Point to determine the category of a requested web page, and then applies the security policy configured for that user or interface.

FortiGuard Web Filter includes over 45 million individual ratings of web sites that apply to more than two billion pages. Pages are sorted and rated into several dozen categories administrators can allow or block. Categories may be added or updated as the Internet evolves. To make configuration simpler, you can also choose to allow or block entire groups of categories. Blocked pages are replaced with a message indicating that the page is not accessible according to the Internet usage policy.

FortiGuard Web Filter ratings are performed by a combination of proprietary methods including text analysis, exploitation of the web structure, and human raters. Users can notify the FortiGuard Web Filter Service Points if they feel a web page is not categorized correctly, so that the service can update the categories in a timely fashion.

Before you begin to use the FortiGuard Web Filter options you should verify that you have a valid subscription to the service for your FortiGate firewall.

FortiGuard Web Filter and your FortiGate unit

When FortiGuard Web Filter is enabled in a web filter profile, the setting is applied to all firewall policies that use this profile. When a request for a web page appears in traffic controlled by one of these firewall policies, the URL is sent to the nearest FortiGuard server. The URL category is returned. If the category is blocked, the FortiGate unit provides a replacement message in place of the requested page. If the category is not blocked, the page request is sent to the requested URL as normal.

Figure 12:Webfiltering flowchart

Custom Application & IPS Signatures

Custom Application & IPS Signatures

Creating a custom IPS signature

The FortiGate predefined signatures cover common attacks. If you use an unusual or specialized application or an uncommon platform, add custom signatures based on the security alerts released by the application and platform vendors.

You can add or edit custom signatures using the web-based manager or the CLI.

To create a custom signature

  1. Go to Security Profiles > Intrusion Protection > IPS Signatues.
  2. Select Create New to add a new custom signature.
  3. Enter a Name for the custom signature.
  4. Enter the Signature. For information about completing this field, see “Custom signature syntax and keywords”.
  5. Select OK.

Custom signature syntax and keywords

All custom signatures follow a particular syntax. Each begins with a header and is followed by one or more keywords. The syntax and keywords are detailed in the next two topics.

Custom signature syntax

A custom signature definition is limited to a maximum length of 512 characters. A definition can be a single line or span multiple lines connected by a backslash (\) at the end of each line.

A custom signature definition begins with a header, followed by a set of keyword/value pairs enclosed by parenthesis [( )]. The keyword and value pairs are separated by a semi colon (;) and consist of a keyword and a value separated by a space. The basic format of a definition is

HEADER (KEYWORD VALUE;)

You can use as many keyword/value pairs as required within the 512 character limit. To configure a custom signature, go to Security Profiles > Intrusion Protection > IPS Signatues, select Create New and enter the data directly into the Signature field, following the guidance in the next topics.

T able 1 shows the valid characters and basic structure. For details about each keyword and its associated values, see “Custom signature keywor ds” on page 76.

Page 74

Table 1: Valid syntax for custom signatur e fields

Field Valid Characters Usage
HEADER F-SBID The header for an attack definition signature. Each custom signature must begin with this header.
KEYWORD Each keyword must start with a pair of dashes (–), and consist of a string of 1 to 19 characters.

Normally, keywords are an English word or English words connected by an underscore (_). Keywords are case insensitive.

The keyword is used to identify a parameter. See “Custom signature keywords” on  page 76

for tables of supported keywords.

VALUE Double quotes (“) must be used around the value if it contains a space and/or a semicolon (;).

If the value is NULL, the space between the KEYWORD and VALUE can be omitted.

Values are case sensitive.

Note: If double quotes are used for quoting the value, the double quotes are not considered as part of the value string.

The value is set specifically for a parameter identified by a keyword.

Custom signature keywords

Table 2: Information keywords

Keyword and value Description
–attack_id

<id_int>;

Use this optional value to identify the signature. It cannot be  the same value as any other custom rules. If an attack ID is not specified, the FortiGate automatically assigns an attack ID to the signature. If you are using VDOMs, custom signatures appear only in the VDOM in which you create them. You can use the same attack ID for signatures in different VDOMs.

An attack ID you assign must be between 1000 and 9999.

Example:

–attack_id 1234;

–name <name_str>; Enter the name of the rule. A rule name must be unique. If you are using VDOMs, custom signatures appear only in the VDOM in which you create them. You can use the same rule name for signatures in different VDOMs.

The name you assign must be a string greater than 0 and less than 64 characters in length.

Example:

–name “Buffer_Overflow”;

Table 3: Session keywords

Keyword and value Description
–flow

{from_client[,reversed] |  from_server[,reversed] |  bi_direction };

Specify the traffic direction and state to be inspected. They can be used for all IP traffic.

Example:

–sr c_port 41523; –flow bi_direction;

The signature checks traffic to and fr om port 41523.

If you enable “quarantine attacker”, the optional reversed keyword allows you to change the side of the connection to be quarantined when the signature is detected.

For example, a custom signature written to detect a brute-force log in attack is triggered when “Login Failed” is detected from_server more than 10 times in 5 seconds. If the attacker is quarantined, it is the server that is quarantined in this instance. Adding reversed corrects this problem and quarantines the actual attacker.

Previous FortiOS versions used to_client and to_server values. These are now deprecated, but still function for backwards compatibility.

–service {HTTP |

T ELNET | FTP | DNS |

S MTP | POP3 | IMAP |

S NMP | RADIUS | LDAP |

MSSQL | RPC | SIP |

H 323 | NBSS | DCERPC |

SSH | SSL};

Specify the protocol type to be inspected.

This keyword allows you to specify the traffic type by protocol rather than by port. If the decoder has the capability to identify the protocol on any port, the signature can be used to detect the attack no matter what port the service is running on. Currently, HTTP, SIP, SSL, and SSH protocols can be identified on any port based on the content.

Table 4: UDP header keywords

Keyword and Value Description
–dst_port

[!]{<port_int> |

:<port_int> |  <port_int>: |

<port_int>:<port_int>};

Specify the destination port number.

You can specify a single port or port range:

•      <port_int> is a single port.

•      :<port_int> includes the specified port and all lower numbered ports.

•      <port_int>: includes the specified port and all higher numbered ports.

•      <port_int>:<port_int> includes the two specified ports and all ports in between.

–src_port

[!]{<port_int> |

Specify the source port number.

You can specify a single port or port range:

:<port_int> |  <port_int>: |

<port_int>:<port_int>};

•      <port_int> is a single port.

•      :<port_int> includes the specified port and all lower numbered ports.

•      <port_int>: includes the specified port and all higher numbered ports.

•      <port_int>:<port_int> includes the two specified ports and all ports in between.

Table 5: ICMP keywords

Keyword and Value Usage
–icmp_code <code_int>; Specify the ICMP code to match.
–icmp_id <id_int>; Check for the specified ICMP ID value.
–icmp_seq <seq_int>; Check for the specified ICMP sequence value.
–icmp_type <type_int>; Specify the ICMP type to match.

Table 6: Other keywor ds

Keyword and Value Description
 –data_size {<size_int> |

<<size_int> |  ><size_int> |

<port_int><><port_int>};

Test the packet payload size. With data_size specified, packet reassembly is turned off automatically. So a signature with data_size and only_stream values set is wrong.

•      <size_int> is a particular packet size.

•      <<size_int> is a packet smaller than the specified size.

•      ><size_int> is a packet larger than the specified size.

•      <size_int><><size_int> is a packet within the range between the specified sizes.

–data_at <offset_int>[, relative]; Verify that the payload has data at a specified offset, optionally looking for data relative to the end of the previous content match.
–rate

<matches_int>,<time_int>;

Instead of generating log entries every time the signature is detected, use this keyword to generate a log entry only if the signature is detected a specified number of times within a specified time period.

•      <matches_int> is the number of times a signature must be detected.

•      <time_int> is the length of time in which the signature must be detected, in seconds.

For example, if a custom signature detects a pattern, a log entry will be created every time the signature is detected. If –rate 100,10; is added to the signature, a log entry will be created if the signature is detected 100 times in the previous 10 seconds.

Use this command with –track to further limit log entries to when the specified number of detections occur within a certain time period involving the same source or destination address rather than all addresses.

–rpc_num <app_int>[,

<ver_int> | *][,

<proc_int> | *>];

Check for RPC application, version, and procedure numbers in SUNRPC CALL requests. The * wildcard can be used for version and procedure numbers.

 

Table 6: Other keywords (continued)

Keyword and Value Description
–same_ip; Check that the source and the destination have the same IP addresses.
–track {client | server}[,block_int]; When used with –rate, this keyword narrows the custom signature rate totals to individual addresses.

•      client has the FortiGate unit maintain a separate count of signature matches for each source address.

•      server has the FortiGate unit maintain a separate count of signature matches for each destination address.

•      block_int has the FortiGate unit block connections for the specified number of seconds, from the client or to the server, depending on which is specified.

For example, if –rate 100,10 is added to the signature, a log entry will be created if the signature is detected 100 times in the previous 10 seconds. The FortiGate unit maintains a single total, regardless of source and destination address.

If the same custom signature also includes

–track client; matches are totalled separately for each source address. A log entry is added when the signature is detected 100 times in 10 seconds within traffic from the same source address.

The –track keyword can also be used without –rate. If an integer is specified, the client or server will be blocked for the specified number of seconds every time the signature is detected.