Configuration guideline for Fortinet Fortigate Firewall - Mitigate Instant Security Check Tests
High Level Test Overview - Matching Features
High Level View of Licensing and Required Features for Mitigation:
Browser Security - Local Browser Configuration - https://support.google.com/chrome/answer/95472?co=GENIE.Platform%3DDesktop&hl=en
Network Access Protection - NGFW
Block access to adult website - Web Filtering
Block websites in embargoed countries - Geo IP
Block access to anonymizing websites - Web Filtering
Cross-Site Scripting Scanning Attempt via http, get - IPS
Cross-Site Scripting Scanning Attempt via https, get - IPS
JS Cryptojacking via http, get - IPS
JS Cryptojacking via https, get - IPS
SQL Injection in GET request via http - IPS
SQL Injection in GET request via https - IPS
Data Encryption - Local Browser Configuration and HTTPS Inspection
Certificate Validation
Broken Cryptography
Domain Security Policies
SSL inspection
Online Privacy - Local Browser Configuration - Do Not Track option - https://support.google.com/chrome/answer/114836?co=GENIE.Platform%3DDesktop&hl=en
Malware Protection - NGTP
Download EICAR file via http - AntiVirus
Download EICAR file via https - AntiVirus + SSLi
Download EICAR text file via http - AntiVirus
Download EICAR text file via https - AntiVirus + SSLi
Download EICAR text file inside zip via http - AntiVirus
Download EICAR text file inside zip via https - AntiVirus + SSLi
Download EICAR file zipped 2 times via http - AntiVirus
Download EICAR file zipped 2 times via https - AntiVirus + SSLi
Download EICAR file zipped 5 times via http - AntiVirus
Download EICAR file zipped 5 times via https - AntiVirus + SSLi
Download EICAR file zipped with '123456' password via http - AntiVirus
Download EICAR file zipped with '123456' password via https - AntiVirus + SSLi
Download EICAR file zipped with 'password' password via http - AntiVirus
Download EICAR file zipped with 'password' password via https - AntiVirus + SSLi
Data Protection - DLP (CLI only after 6.2.2)
SSN codes leak via https - DLP + SSLi
SSN codes leak via http - DLP
Local Country SSN code leak via https - DLP + SSLi
Local Country SSN code leak via http - DLP
Credit card numbers leak via https - DLP + SSLi
Credit card numbers leak via http - DLP
Source code (C) leak via https - DLP + SSLi
Source code (C) leak via http - DLP
SSH private key leak via https - DLP + SSLi
SSH private key leak via http - DLP
Not all protections are covered by the default configuration or signatures!
For the SSL/HTTPS tests you need HTTPS Inspection configured.
Configuration for Fortinet Fortigate
Set up a basic installation following the documentation here.
Make sure to activate the features according to the mapping at the beginning of the article, as follows:
You need to make sure the license includes both the Web Filtering/Application Control and the Threat Prevention functions.
To have the checks work for HTTPS websites, HTTPS Inspection must be configured first.
References:
About: https://inside.fortinet.com/doku.php?id=fortigate:about_ssl_inspection
Admin Guide: https://docs2.fortinet.com/document/fortigate/6.4.2/administration-guide/929997/ssl-ssh-inspection
Select the Gateway and Navigate to the Security Profiles > SSL/SSH Inspection tab. Select deep-inspection profile and create a Clone. Rename this to the deep-inspection-custom profile.
Select and Edit the profile and make sure to Block Untrusted Certificates and to inspect at least the HTTPS protocol. Also enable Exceptions in order to avoid issues with update services.
Make sure to export the CA certificate by clicking the Download link. You can also import a certificate from your own CA, but it must be able to create and sign other certificates (a CA certificate). Import the downloaded certificate into either the AD Trusted Root store or each local host's Trusted Root certificate store.
For Chrome/Mozilla the procedure is a bit different and will be discussed in a dedicated article.
Once HTTPS Inspection is active you can check any HTTPS Site’s certificate when passing the Security Gateway. It should look like it was signed by the CA of the Fortigate Firewall.
Inspection Certificate versus Original Certificate.
Mitigation for Specific Tests
Network Access Protection - NGFW
Data Encryption
Online Privacy
Malware Protection
It is also possible that, even though AV and IPS are working properly and the network is secured, the EICAR test file used by the test is still allowed. For the test to report it as dropped, set the action of the EICAR signature in the IPS profile to Block. Details are in the screenshots below.
Data Protection
Data Loss Prevention Feature
Reference: https://docs.fortinet.com/document/fortigate/6.0.0/cli-reference/781717/dlp-filepattern
KB: https://kb.fortinet.com/kb/documentLink.do?externalID=FD46641
This entry has been removed from the GUI. All of the configuration must be done from the CLI.
fg-vm # config dlp sensor
fg-vm # edit dlp_custom
fg-vm (dlp_custom) # show
config dlp sensor
    edit "dlp_custom"
        set comment "created for matching SSN and PCI DSS"
        config filter
            edit 1
                set name "SSN"
                set type message
                set proto http-post
                set filter-by ssn
                set action block
            next
            edit 2
                set name "PCI"
                set type message
                set proto http-post
                set action block
            next
            edit 3
                set name "SSN_LOCAL"
                set proto http-post
                set filter-by regexp
                set regexp "[1-8]\d{2}(0[1-9]|1[0-2])(0[1-9]|[12]\d|3[01])(0[1-9]|[1-4]\d|5[0-2]|99)\d{4}"
                set action block
            next
        end
        set extended-log enable
    next
end
config firewall policy
    edit 1
        set name "OUTBOUND"
        set uuid 151e4378-fc4b-51ea-f670-d968b3d77611
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "deep-inspection-custom"
        set av-profile "default"
        set webfilter-profile "Clone of default"
        set dnsfilter-profile "default"
        set dlp-sensor "dlp_custom"
        set file-filter-profile "Test"
        set ips-sensor "high_security"
        set application-list "default"
        set nat enable
    next
end
SSN codes leak via https
SSN codes leak via http
config filter
    edit 1
        set name "SSN"
        set type message
        set proto http-post
        set filter-by ssn
        set action block
    next
Local Country SSN code leak via https
Local Country SSN code leak via http
edit 3
    set name "SSN_LOCAL"
    set proto http-post
    set filter-by regexp
    set regexp "[1-8]\d{2}(0[1-9]|1[0-2])(0[1-9]|[12]\d|3[01])(0[1-9]|[1-4]\d|5[0-2]|99)\d{4}"
    set action block
next
When entering a regex, make sure to enclose it in quote marks and to escape special characters.
The test sends more than one SSN in a single request, which is why the ^ and $ anchors were taken out of the regex.
Credit card numbers leak via https
Credit card numbers leak via http
edit 2
    set name "PCI"
    set type message
    set proto http-post
    set action block
next
No filter-by line appears here because show prints only non-default values; this entry relies on the sensor's default credit-card matcher. Use show full-configuration to confirm the effective value.
Source code (C) leak via https
Source code (C) leak via http
Not mitigated by default, as Fortinet does not provide a source code filter. The payload sent by the test is:
'#include <iostream.h>\r\n#include "functions.h"\r\nint main(){\r\nprint_hello();\r\ncout << endl;\r\ncout << "The factorial of 5 is " << factorial(5) << endl;\r\nreturn 0;\r\n}\r\n',description: 'Source code (C)',
Example of a simple regex that matches C include directives:
edit 5
    set name "CCODE"
    set proto http-post
    set filter-by regexp
    set regexp "((#){1}include(\ ){1}[<\"]{1}[a-z]+(\.h){1}[>\"]{1})+"
    set action block
next
A regex specific to the payload above has to be defined; this one only keys on the #include lines (the quotes inside the character classes are escaped so they do not terminate the CLI string, and the dot before h is escaped so it matches a literal dot).
SSH private key leak via https
SSH private key leak via http
edit 4
    set name "PKEY"
    set proto http-post
    set filter-by regexp
    set regexp "(-){5}BEGIN\ RSA\ PRIVATE\ KEY(-){5}(.*){1}(-){5}END\ RSA\ PRIVATE\ KEY(-){5}"
    set action block
next
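The SSN_LOCAL, CCODE and PKEY regexps above are easy to get subtly wrong, so it pays to run them against the kind of POST bodies the tests send before committing them on the appliance. The following Python harness is an added example, not part of this article or of FortiOS; it assumes Python's re engine approximates the FortiGate regex engine closely enough for a sanity check, and every sample body is constructed. It also exercises the PEM edge case: a private key spans several lines, so the (.*) in PKEY only bridges the BEGIN and END markers when '.' is allowed to cross line breaks.

```python
import re

# Patterns taken from the dlp_custom filters on this page (SSN_LOCAL, CCODE,
# PKEY) as Python raw strings. In CCODE the dot before "h" is escaped so it
# matches a literal '.' rather than any character. Assumption: Python's re
# engine is close enough to the FortiGate engine for a pre-deployment check;
# always confirm the final behaviour on the appliance itself.
DLP_FILTERS = {
    "SSN_LOCAL": r"[1-8]\d{2}(0[1-9]|1[0-2])(0[1-9]|[12]\d|3[01])(0[1-9]|[1-4]\d|5[0-2]|99)\d{4}",
    "CCODE": r"((#){1}include(\ ){1}[<\"]{1}[a-z]+(\.h){1}[>\"]{1})+",
    "PKEY": r"(-){5}BEGIN\ RSA\ PRIVATE\ KEY(-){5}(.*){1}(-){5}END\ RSA\ PRIVATE\ KEY(-){5}",
}


def count_hits(filter_name: str, body: str, dot_matches_newline: bool = True) -> int:
    """Return how many times the named filter's regexp matches in a POST body.

    dot_matches_newline controls whether '.' crosses line breaks (re.DOTALL).
    A PEM private key spans several lines, so PKEY's '(.*)' only bridges the
    BEGIN and END markers when it does; verify what the appliance does here.
    """
    flags = re.DOTALL if dot_matches_newline else 0
    return sum(1 for _ in re.finditer(DLP_FILTERS[filter_name], body, flags))


def firing_filters(body: str) -> list:
    """Names of the filters whose regexp would match this body, in sensor order."""
    return [name for name in DLP_FILTERS if count_hits(name, body) > 0]


# Constructed sample POST bodies (not real data).
SSN_BODY = "ids: 5901231430001 and 1850615501234"  # two 13-digit codes, no ^$ anchors
C_BODY = '#include <iostream.h>\r\n#include "functions.h"\r\nint main(){\r\nreturn 0;\r\n}\r\n'
PEM_BODY = ("-----BEGIN RSA PRIVATE KEY-----\n"
            "MIIEconstructedNOTAREALKEYxxxx\n"
            "-----END RSA PRIVATE KEY-----\n")
CLEAN_BODY = "invoice 4901332430001 paid; int main() { return 0; }"  # month 13: no SSN

if __name__ == "__main__":
    for label, body in [("ssn", SSN_BODY), ("c", C_BODY), ("pem", PEM_BODY), ("clean", CLEAN_BODY)]:
        print(f"{label:>5}: {firing_filters(body)}")
```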