Sunday, May 1, 2022

FortiGate Application Control

The FortiGate can recognize network traffic generated by a large number of applications. Application Control sensors specify what action to take with the application traffic. Application Control uses IPS protocol decoders that can analyze network traffic to detect application traffic, even if the traffic uses non-standard ports or protocols. Application control supports traffic detection using the HTTP protocol (versions 1.0, 1.1, and 2.0).

To configure the FortiGate Application Control, go to Security Profiles > Application Control > Create New.

Notice there are several default Application Control Profiles.


Type a Name: BLOCK_SOCIAL_MEDIA > under Social Media > select Block.

Click OK.


The next step is to apply the Application Control Profile in a Firewall Policy. Go to Policy & Objects > Firewall Policy > select FG_LAN_INTERNET (Policy ID 1).

Go under Security Profiles.

Enable (toggle) Application Control > select BLOCK_SOCIAL_MEDIA > click OK.


I tried to access facebook.com from 172.16.1.100 (Windows 7 VM), but it only timed out. There was an Application Blocked error when I tried instagram.com and twitter.com.



To view Application Control logs, go to Log & Report > Application Control.


Notice the logs with Application Name: Twitter and Facebook have Action: block.


You can use the Add Filter to only display Action: block.

Select a log > click Details.





Friday, April 1, 2022

FortiGate Web Filtering (Static URL)

You can look up which Web Category a website falls under using the FortiGuard Web Filter tool. In the example, I looked up youtube.com, and it is under the Category: Streaming Media and Download.


To configure a Static URL Filter, go to Security Profiles > Web Filter > Create New.


Notice there are system default profiles created.


Type a Name: LAB_URL_FILTER > enable URL filter (toggle) > click Create New.

Type URL: *.facebook.com > select Type: Wildcard > select Action: Block > click OK.

Create Static URL Filter for cisco.com and youtube.com > click OK.
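To see what a static URL filter table will and will not catch before it goes into a policy, the following Python snippet (an added example, not FortiGate code or anything from the original post) re-creates the three entries above as a small filter table and evaluates candidate URLs against it. The matching rules are assumptions for the example: entries are checked top to bottom with the first match deciding, Wildcard patterns use fnmatch-style `*`/`?` matching on the hostname, and Regular Expression patterns use Python `re` on the hostname. The extra `tiktok.com` regex entry is constructed for the example and is not part of the post.

```python
import fnmatch
import re
from urllib.parse import urlsplit

# Constructed filter table modelled on the post's entries. Order matters:
# the first matching entry decides (assumed evaluation order for this example).
URL_FILTER = [
    {"url": "*.facebook.com", "type": "wildcard", "action": "block"},
    {"url": "*.cisco.com", "type": "wildcard", "action": "block"},
    {"url": "*.youtube.com", "type": "wildcard", "action": "block"},
    # Extra constructed entry showing the regex type catching the bare domain too.
    {"url": r"(^|\.)tiktok\.com$", "type": "regex", "action": "block"},
]


def host_of(url):
    """Return the lowercase hostname of a URL; a bare hostname is accepted as well."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def entry_matches(entry, url):
    """True when the filter entry's pattern matches the URL's hostname."""
    host = host_of(url)
    pattern = entry["url"].lower()
    kind = entry["type"]
    if kind == "wildcard":
        # fnmatch semantics: '*' matches any run of characters, '?' one character
        return fnmatch.fnmatchcase(host, pattern)
    if kind == "regex":
        return re.search(pattern, host) is not None
    raise ValueError(f"unknown filter type {kind!r}")


def evaluate(url, filters=URL_FILTER):
    """Return (action, matched_pattern); ('allow', None) when no entry matches."""
    for entry in filters:
        if entry_matches(entry, url):
            return entry["action"], entry["url"]
    return "allow", None


if __name__ == "__main__":
    for candidate in ["https://www.facebook.com/login", "facebook.com",
                      "https://WWW.Youtube.com/watch", "m.tiktok.com",
                      "https://www.example.org/"]:
        print(f"{candidate:35} -> {evaluate(candidate)}")
```

One thing the run makes visible: with the fnmatch semantics assumed here, `*.facebook.com` matches `www.facebook.com` but not the bare `facebook.com`, whereas the regex form matches both. Whether the FortiGate treats the wildcard the same way is exactly what the Web Filter log (Action: blocked or passthrough for the bare domain) will tell you once the profile is in a policy.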


The next step is to apply the Web Filter Profile in a Firewall Policy. Go to Policy & Objects > Firewall Policy > select FG_LAN_INTERNET > click Edit (or just double-click).

Go under Security Profiles.

Under Security Profiles > enable Web Filter (toggle) > select LAB_URL_FILTER > click OK.


I tried to access the websites from 172.16.1.100 (Windows 7 VM) but got a Web Page Blocked error.



To view the FortiGate Web Filter logs, go to Log & Report > Web Filter.

Select a log > click Details.


Notice the Action: blocked and Web Filter Profile Name: LAB_URL_FILTER were applied to the HTTP traffic.
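The GUI filter on Action: block shown in both the Application Control and Web Filter log sections is easy to reproduce offline against exported logs. The following Python script is an added example, not part of the original post or of FortiOS: it tokenizes FortiGate's key=value syslog format (values either double-quoted or bare), keeps the UTM records whose action is a block, and counts them per profile and application or hostname. The sample log lines are constructed for the example and modelled on the app-ctrl and webfilter records the posts describe; note that app-ctrl logs write `action="block"` while webfilter logs write `action="blocked"`, so a filter that checks only one spelling misses half the picture.

```python
import re
from collections import Counter

# One FortiGate log field: key=value, where value is double-quoted (may contain
# spaces and escaped quotes) or a bare token without whitespace.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log_line(line):
    """Parse one FortiGate key=value log line into a dict of string fields."""
    fields = {}
    for key, raw in _KV.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1]
        fields[key] = raw
    return fields


# Constructed sample records (addresses, ports and timestamps are made up).
SAMPLE_LOGS = """\
date=2022-05-01 time=10:15:02 type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" level="warning" vd="root" srcip=172.16.1.100 dstip=203.0.113.10 srcport=51234 dstport=443 proto=6 service="HTTPS" policyid=1 profile="BLOCK_SOCIAL_MEDIA" app="Twitter" appcat="Social.Media" action="block" hostname="twitter.com"
date=2022-05-01 time=10:15:09 type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" level="warning" vd="root" srcip=172.16.1.100 dstip=203.0.113.11 srcport=51240 dstport=443 proto=6 service="HTTPS" policyid=1 profile="BLOCK_SOCIAL_MEDIA" app="Facebook" appcat="Social.Media" action="block" hostname="www.facebook.com"
date=2022-05-01 time=10:16:30 type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" level="information" vd="root" srcip=172.16.1.100 dstip=203.0.113.12 srcport=51250 dstport=443 proto=6 service="HTTPS" policyid=1 profile="BLOCK_SOCIAL_MEDIA" app="Microsoft.Update" appcat="Update" action="pass" hostname="update.microsoft.com"
date=2022-04-01 time=09:02:11 type="utm" subtype="webfilter" eventtype="urlfilter" level="warning" vd="root" srcip=172.16.1.100 dstip=203.0.113.20 srcport=50111 dstport=80 proto=6 service="HTTP" policyid=1 profile="LAB_URL_FILTER" action="blocked" hostname="www.youtube.com" url="/" msg="URL was blocked because it is in the URL filter list"
date=2022-04-01 time=09:03:45 type="utm" subtype="webfilter" eventtype="urlfilter" level="notice" vd="root" srcip=172.16.1.100 dstip=203.0.113.21 srcport=50120 dstport=80 proto=6 service="HTTP" policyid=1 profile="LAB_URL_FILTER" action="passthrough" hostname="example.org" url="/"
"""

# app-ctrl records say "block", webfilter records say "blocked".
BLOCK_ACTIONS = {"block", "blocked"}


def blocked_events(text):
    """Yield parsed UTM records whose action is a block, in file order."""
    for line in text.splitlines():
        rec = parse_log_line(line)
        if rec.get("type") == "utm" and rec.get("action") in BLOCK_ACTIONS:
            yield rec


def block_summary(text):
    """Count blocks per (subtype, profile, app or hostname) to see what each profile catches."""
    counts = Counter()
    for rec in blocked_events(text):
        what = rec.get("app") or rec.get("hostname", "?")
        counts[(rec.get("subtype", "?"), rec.get("profile", "?"), what)] += 1
    return counts


if __name__ == "__main__":
    for (subtype, profile, what), n in sorted(block_summary(SAMPLE_LOGS).items()):
        print(f"{subtype:10} {profile:20} {what:20} {n}")
```

Point the script at a log export instead of `SAMPLE_LOGS` and the summary becomes a quick check that a newly applied profile is blocking what you expect and nothing else (a `pass` or `passthrough` line for a site you meant to block is the thing to look for).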



Friday, March 4, 2022

FortiGate SSL/TLS Inspection

SSL (TLS) deep inspection on outbound traffic allows the FortiGate to inspect encrypted Internet-bound traffic and apply Security Profiles (UTM). The FortiGate acts as a Man-In-The-Middle: it decrypts the session, applies Security Profiles such as Antivirus, Web Filter and Application Control, and re-encrypts the traffic toward the client with a certificate signed by its own CA.


To configure SSL Inspection, go to Security Profiles > SSL/SSH Inspection.


Notice there are default inspection profiles created. Select custom-deep-inspection > click Edit (or just double-click).

Under Common Options > select Invalid SSL certificates: Allow > click OK. Allow means sessions to servers with expired, self-signed or untrusted certificates are no longer dropped by the FortiGate; that is convenient in a lab but removes part of the protection the inspection is meant to give.


The next step is to enable SSL Inspection in a Firewall Policy. Go to Policy & Objects > Firewall Policy > select FG_LAN_INTERNET > click Edit (or just double-click).

Under Security Profiles > select SSL Inspection: custom-deep-inspection > click OK.


Notice there's a warning near the SSL Inspection. Hover to view it.

I tried to access https://www.cnn.com but was presented with a warning: There is a problem with this website's security certificate.

The FortiGate includes a system default SSL CA certificate called Fortinet_CA_SSL, which is used to re-sign server certificates during full SSL inspection. You can avoid the web browser certificate warning by downloading the Fortinet_CA_SSL certificate and installing it as a trusted root CA on your machine.


To download the FortiGate SSL certificate, go to System > Certificates > select Fortinet_CA_SSL > click View Details.



Click Download > Save File.

To install the Fortinet_CA_SSL in Internet Explorer, go to Tools > Internet Options > Content > Certificates.

Under Trusted Root Certificate Authorities > click Import.

Run the Certificate Import Wizard > click Next.

Browse for the Fortinet_CA_SSL.cert > click Next.

Select the default Place all certificates in the following store: Personal > click Next.

Click Finish.

Click Yes.

Click OK.

Select the newly installed Fortinet SSL certificate > click View.




I accessed https://www.cnn.com again, but this time no certificate error was presented.

To view FortiGate logs, go to Log & Report > Forward Traffic.

Notice the log with the Application Name: SSL.

Select the SSL log > click Details.