Shadow IT discovery

FortiCASB provides features for shadow IT discovery. By integrating with FortiGate and FortiAnalyzer, FortiCASB gives users a concrete, organization-wide overview of all sanctioned and unsanctioned cloud applications. Furthermore, FortiCASB calculates a risk score for each application and gives users the ability to control application usage.

FortiCASB's Shadow IT discovery helps users enhance the security of their cloud application environment with the following features:

  • Unsanctioned Application Discovery—FortiCASB uses logs from FortiGate and FortiAnalyzer as well as its own discovery process to deliver a comprehensive view of risk and usage of cloud applications.
  • Cloud Risk Score—FortiCASB generates a cloud risk score for each cloud application. This score is calculated using many factors, such as but not limited to: user numbers, size of the company, multi-factor authentication support, and service hosting location. These factors are used to generate scores in multiple criteria, which are then aggregated into one final score. Users can prioritize these criteria to match their needs.
  • Access Control—Users can block or monitor certain applications using FortiCASB and FortiGate.
  • Data Correlation—FortiCASB uses data from FortiGate and FortiAnalyzer, as well as its own data to define and identify riskier activities.

Configuration and requirements

Shadow IT discovery requires a FortiGate or FortiAnalyzer policy.

Configuration details depend on your specific setup requirements. See the scenarios below, and find the one which best suits your needs.

Scenario 1: You want to receive logs from FortiGate.
Scenario 2: You want to receive logs from FortiGate, but it is already providing logs to another device.
Scenario 3: You want to receive logs from FortiAnalyzer.
  • See FortiAnalyzer configuration. Then, follow the instructions under FortiCASB configuration as needed.

FortiGate configuration

  1. Go to Security Profiles > SSL/SSH Inspection.
  2. Create a new SSL/SSH inspection profile called deep-test.
  3. Configure the profile as shown in the screenshot.
  4. Go to Security Profiles > Application Control.
  5. Set all categories to Monitor.
  6. Under Options, enable Allow and Log DNS Traffic and Replacement Messages for HTTP-based Applications.
  7. Check the settings against the screenshot for your version (FortiGate 5.6 or FortiGate 5.4).
  8. Go to Security Profiles > Cloud Access Security Inspection.
  9. Under the Action column, set all actions to Monitor.
  10. Go to Policy & Objects > IPv4 Policy.
  11. Create a new policy named Shadow-IT.
  12. Configure the policy as shown in the screenshot.
  13. Configure Security Profiles:
    1. To use access control, select the Web Filter profile that contains the URL filter set.
    2. Enable Application Control so that FortiCASB can track how many cloud applications are visited.
    3. To correlate log data with FortiCASB data, make sure Application Control is enabled and set SSL/SSH Inspection to deep-test.
  14. NOTE: On FortiGate 5.4, leave CASI at the default.
  15. Enable Log Allowed Traffic and select either Security Events or All Sessions.

Log configuration using FortiGate GUI

  1. Go to Log & Report > Log Settings.
  2. Enable Send Logs to FortiAnalyzer/FortiManager.
  3. For IP Address, enter the FortiCASB receiver's IP address. The receiver IP address is shown when you press the Device button on the FortiCASB Shadow IT dashboard, and is one of the following:

     Global Users: 34.212.87.235 or 52.27.136.156
     EU Users: 34.254.217.50 or 52.18.7.98

  4. Enter the IP address into the appropriate section of the FortiGate UI, then click Test Connectivity.

Log configuration using FortiGate CLI

  1. Log in to the FortiGate CLI.
  2. Configure the log settings for the second FortiAnalyzer device on the FortiGate:

     config log fortianalyzer2 setting
         set status enable
         set server <FortiCASB server IP>
         set enc-algorithm high-medium
         set upload-option realtime
         set reliable enable
     end

  3. Configure the log filter to forward only application-ctrl logs:

     config log fortianalyzer2 filter
         set filter-type include
         set filter "logid(1059028704)"
     end

  4. Test the connection with the following CLI command:

     execute log fortianalyzer test-connectivity 2

If the connection is successful, the FortiGate returns the following:

     Registration: registered
     Connection: allow

Otherwise, the FortiGate returns an error code.
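As an added example (not part of the Fortinet page and not FortiCASB or FortiOS code), the following Python script reproduces what the `logid(1059028704)` include filter configured above does to a stream of FortiGate log lines: only application-control records reach the FortiCASB receiver, and the cloud applications and host names FortiCASB can discover are read from those records. The sample log lines are constructed for this example, and accepting a comma-separated ID list inside `logid(...)` is an assumption; the page itself shows a single ID.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample lines in FortiOS key=value log format (not captured
# from a real device). Only the app-ctrl records carry logid 1059028704.
SAMPLE_LOGS = [
    'date=2020-06-30 time=10:15:02 logid="1059028704" type="utm" subtype="app-ctrl" '
    'eventtype="app-ctrl-all" srcip=10.0.1.25 dstip=203.0.113.10 app="Dropbox" '
    'appcat="Storage.Backup" action="pass" hostname="www.dropbox.com"',
    'date=2020-06-30 time=10:15:03 logid="0000000013" type="traffic" subtype="forward" '
    'srcip=10.0.1.25 dstip=203.0.113.10 action="accept" sentbyte=1200 rcvdbyte=5400',
    'date=2020-06-30 time=10:15:07 logid="1059028704" type="utm" subtype="app-ctrl" '
    'eventtype="app-ctrl-all" srcip=10.0.1.40 dstip=198.51.100.7 app="WeTransfer" '
    'appcat="Storage.Backup" action="pass" hostname="wetransfer.com"',
]

# One key=value pair; quoted values may contain spaces and escaped quotes.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_fortios_log(line: str) -> Dict[str, str]:
    """Parse one FortiOS log line into a dict, stripping surrounding quotes."""
    fields: Dict[str, str] = {}
    for key, raw in _KV.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields

def parse_logid_filter(expr: str) -> Set[str]:
    """Read the log IDs out of a filter string such as 'logid(1059028704)'.
    A comma-separated list is accepted here as an assumption about the syntax."""
    match = re.fullmatch(r'logid\(([\d\s,]+)\)', expr.strip())
    if not match:
        raise ValueError(f"unsupported filter expression: {expr!r}")
    return {part.strip() for part in match.group(1).split(",") if part.strip()}

def apply_include_filter(lines: List[str], filter_expr: str) -> List[Dict[str, str]]:
    """Keep only records whose logid the include filter names (filter-type include)."""
    allowed = parse_logid_filter(filter_expr)
    return [rec for rec in map(parse_fortios_log, lines) if rec.get("logid") in allowed]

def discovered_apps(records: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Distinct (application, hostname) pairs visible in the forwarded records."""
    return sorted({(r["app"], r["hostname"]) for r in records if "app" in r})

if __name__ == "__main__":
    forwarded = apply_include_filter(SAMPLE_LOGS, 'logid(1059028704)')
    print(f"{len(forwarded)} of {len(SAMPLE_LOGS)} records forwarded")
    for app, host in discovered_apps(forwarded):
        print(f"  {app:<12} {host}")
```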

FortiAnalyzer configuration

  1. Give your FortiAnalyzer a public IPv4 address. Make sure this IP address and the appropriate TCP port (default 443) can be reached from the external network over the internet.
  2. Finish steps 1-12 of the FortiGate configuration.
  3. Use the following commands to grant the admin user read-write RPC permission:

     config system admin user
         edit admin
             set rpc-permit read-write
         end

FortiCASB configuration

  1. Choose the device type to connect.
    1. Click the Device button, located on the top right, from the Shadow IT dashboard.
    2. Choose either FortiGate or FortiAnalyzer.
  2. Enter the device DevID.
    1. If the DevID is for FortiGate, fill in the other fields.
    2. If the DevID is for FortiAnalyzer, fill in the other fields, then select the FortiGate device(s) to add.

Using Shadow IT discovery

Access control

After analyzing an application using FortiCASB, users can use FortiGate's Web Filter to block or monitor the application.

  1. Use FortiCASB to get the host name of the traffic to be controlled.
  2. On the FortiGate device, go to Security Profiles > Web Filter.
  3. Under Static URL Filter, choose the URL filter.
  4. Click Create to add a new URL filter.
  5. Choose a Type.
  6. Choose an Action.
  7. Set Status to Enable.
  8. Click OK.

Shadow IT Dashboard

Usage of unsanctioned cloud applications

All unsanctioned cloud applications are given a ranking based on the risk score, the number of users, and volume of use. FortiCASB uses that data to pinpoint and display the applications, clients, and sessions that are most at risk. FortiCASB also displays the percentage of risky applications, clients, and sessions using pie charts.

File insight

File insight shows the total number of sanctioned cloud applications the organization is using, the total number of users, and the total number of files stored in each cloud application.

Application list

The application list displays all applications monitored by FortiCASB. Filter the list using the time range box on the top right, the risk score slider on the top left, and the category checkboxes on the left.

Click a specific application to display detailed information regarding the application.
