Version:

Version:

Version:

Version:


Table of Contents

Online Help

Customized Risk Assessment Policy Setup

FortiCWP also allows you to create the customized risk assessment policies. To access customized risk assessment policies, please go to Policy > Risk Assessment > Customized tab. There are two steps to setup a configured risk assessment policy. First step is to setup a code pattern, and the second step is to use the code pattern to setup a customized policy.

Step 1: Setup Code Pattern

Go to Policy > Risk Assessment > Customized tab, in Code Pattern, click on +Add New to setup a new code pattern.

Here are some characteristics of a code pattern:

  • A code pattern is a block of Python 3 codes.
  • A code pattern has a name which will not be modified after the code pattern is created.
  • A code pattern has three statuses: PENDING,APPROVED, ERROR. When a code pattern is in PENDING or APPROVED status, the code pattern can not be edited. A code pattern is editable only if the code pattern’s status is ERROR. When a code pattern is in APPROVED status, the code pattern can be bound to a customize risk assessment policy. One a customized risk assessment policy can only be associated with one code pattern.

The code pattern creation page has two fields: Code Name and a block of Python 3 codes.

The code name can only contain decimal digits, lower- or upper-case alphabetic characters, and spaces. And the length of the code name must be between 1 and 100 characters in length.

The Python codes can not contain more than 100000 characters, including comments.

When you write Python 3 codes, you must define a function run with a parameter aws, it looks like below:

def run(aws):

#here add codes for function run

The parameter 'aws' is a proxy of AWS python API boto3.

You can get a client just like you use boto3, such as iam = aws.client('iam').

So far, We only support iam, s3, ec2, es, rds, elb. And only some methods of the originals.

 

iam:

list_users ,

list_roles,

list_groups,

list_policies,

list_groups_for_user,

list_attached_user_policies,

list_attached_group_policies,

list_attached_role_policies,

list_user_policies,

list_group_policies,

list_role_policies,

get_user_policy,

get_group_policy,

get_role_policy,

get_policy,

get_policy_version

s3:

list_buckets,

get_bucket_location,

get_bucket_policy,

get_bucket_tagging,

get_bucket_acl

ec2:

describe_security_groups

es:

list_domain_names,

describe_elasticsearch_domains

rds:

describe_db_instances,

describe_db_snapshots,

describe_db_snapshot_attributes,

list_tags_for_resource,

describe_db_cluster_snapshots,

describe_db_cluster_snapshot_attributes

elb:

describe_load_balancers

 

All supported methods have the same parameters as boto3. For more information, see https://boto3.readthedocs.io/en/latest/reference/services/index.html.

 

You can also use these methods below:

def diff_days_date_and_now(date)

Get the number of days between a specific date and current date

 

def parse_json(data)

Parse a string of json

 

def dumps_to_json(data)

Generate a string of json from an object data

 

def decode_escapes(data)

Html escapes

 

def match_regex_insensitive(value, pattern)

Match value by a regex, insensitive

 

def match_regex_sensitive(value, pattern)

Match value by a regex, sensitive

 

def match_regex_sensitive_search(value, pattern)

Search by a regex, sensitive

 

def set_region(region_name)

Set a AWS region.

You can call it for setting AWS region, if a region is needed. This method must be called outside of the run function.

def get_region()

Get the AWS region setted previously

 

def set_aws_access_key_id(aws_access_key_id)

def get_aws_access_key_id()

def set_aws_secret_access_key(aws_secret_access_key)

def get_aws_secret_access_key()

def set_aws_session_token(aws_session_token)

def get_aws_session_token()

 

def set_data(*args, **kwargs)

Save the data you want to save when checking a resource.

 

def fail(message, resource_id)

A check is done, and the result is fail.

 

def warn(message, resource_id)

A check is done, and the result is fail.

 

def success(message, resource_id)

A check is done, and the result is success.

 

def error(message, resource_id)

A check is done, and the result is error

 

def error_user(message)

def error_sys(message)

 

In the block of Python 3 codes, you can define multiple functions, but you must make sure no function name is the same as any of the above functions.

After you code, you can test your grammar to check if it meets our criteria by using the Test button.

Save the code pattern by clicking the Save button. The status is PENDING after the code pattern is saved. The status will be modified to APPROVED automatically after you run the code.

Cancel the code pattern creation using the Close button.

Here is an example of code pattern on checking the AWS security group:

#Please click Enter to start...

set_region('us-east-1')

def run(aws):

conditions = {

"ip_to_check": "0.0.0.0/0"

}

ec2 = aws.client('ec2')

instances_info = ec2.describe_instances()

info = instances_info['Reservations']

for rf in info:

instance_list = rf['Instances']

for ec2_instance in instance_list:

instance_id = ec2_instance['InstanceId']

security_groups = ec2_instance['SecurityGroups']

for sg in security_groups:

result = ec2.describe_security_groups(GroupIds=[sg['GroupId']])

for group_info in result["SecurityGroups"]:

ip_egress = group_info['IpPermissionsEgress'][0]

ip_range = ip_egress['IpRanges'][0]

ip_to_check = ip_range['CidrIp']

if ip_to_check == conditions["ip_to_check"]:

fail(message="Instance {} does not allow 0.0.0.0/0".format(instance_id),resource_id=group_info['GroupName'])

else:

success(message="No issue")

 

Step 2 - Setup Customized Risk Assessment Policy

A customized risk assessment policy is a policy that is associated with a code pattern, make sure the code pattern is setup already before setting up the customized risk assessment policy.

Go to Policy > Risk Assessment > Customized tab, in Customized Risk Assessment Policy, click on +Add New to setup a customized risk assessment policy. Then a new window will prompt you to enter the parameters.

Name — Only contains decimal digits, lower-case or upper-case alphabetic characters, and spaces. Be sure to use no more than 100 characters .

Apply to account — Choose the account which the policy will be applying to.

Severity Level — Pick a severity level associated with the policy.

Description— Enter a brief description in less than 200 characters.

Code Pattern— You must choose an available code pattern to create a customized risk assessment policy. If there is no available code pattern, you must create one.

Click Add Customized Policy to complete adding the policy; to cancel, click Cancel button.

Here is an example of customized risk assessment policy. The name of the code pattern bound to the customized risk assessment policy is under Code Pattern Column.

 

To setup notification to receive policy triggered alerts, refer to .

 

 

 

 

 

Customized Risk Assessment Policy Setup

FortiCWP also allows you to create the customized risk assessment policies. To access customized risk assessment policies, please go to Policy > Risk Assessment > Customized tab. There are two steps to setup a configured risk assessment policy. First step is to setup a code pattern, and the second step is to use the code pattern to setup a customized policy.

Step 1: Setup Code Pattern

Go to Policy > Risk Assessment > Customized tab, in Code Pattern, click on +Add New to setup a new code pattern.

Here are some characteristics of a code pattern:

  • A code pattern is a block of Python 3 codes.
  • A code pattern has a name which will not be modified after the code pattern is created.
  • A code pattern has three statuses: PENDING,APPROVED, ERROR. When a code pattern is in PENDING or APPROVED status, the code pattern can not be edited. A code pattern is editable only if the code pattern’s status is ERROR. When a code pattern is in APPROVED status, the code pattern can be bound to a customize risk assessment policy. One a customized risk assessment policy can only be associated with one code pattern.

The code pattern creation page has two fields: Code Name and a block of Python 3 codes.

The code name can only contain decimal digits, lower- or upper-case alphabetic characters, and spaces. And the length of the code name must be between 1 and 100 characters in length.

The Python codes can not contain more than 100000 characters, including comments.

When you write Python 3 codes, you must define a function run with a parameter aws, it looks like below:

def run(aws):

#here add codes for function run

The parameter 'aws' is a proxy of AWS python API boto3.

You can get a client just like you use boto3, such as iam = aws.client('iam').

So far, We only support iam, s3, ec2, es, rds, elb. And only some methods of the originals.

 

iam:

list_users ,

list_roles,

list_groups,

list_policies,

list_groups_for_user,

list_attached_user_policies,

list_attached_group_policies,

list_attached_role_policies,

list_user_policies,

list_group_policies,

list_role_policies,

get_user_policy,

get_group_policy,

get_role_policy,

get_policy,

get_policy_version

s3:

list_buckets,

get_bucket_location,

get_bucket_policy,

get_bucket_tagging,

get_bucket_acl

ec2:

describe_security_groups

es:

list_domain_names,

describe_elasticsearch_domains

rds:

describe_db_instances,

describe_db_snapshots,

describe_db_snapshot_attributes,

list_tags_for_resource,

describe_db_cluster_snapshots,

describe_db_cluster_snapshot_attributes

elb:

describe_load_balancers

 

All supported methods have the same parameters as boto3. For more information, see https://boto3.readthedocs.io/en/latest/reference/services/index.html.

 

You can also use these methods below:

def diff_days_date_and_now(date)

Get the number of days between a specific date and current date

 

def parse_json(data)

Parse a string of json

 

def dumps_to_json(data)

Generate a string of json from an object data

 

def decode_escapes(data)

Html escapes

 

def match_regex_insensitive(value, pattern)

Match value by a regex, insensitive

 

def match_regex_sensitive(value, pattern)

Match value by a regex, sensitive

 

def match_regex_sensitive_search(value, pattern)

Search by a regex, sensitive

 

def set_region(region_name)

Set a AWS region.

You can call it for setting AWS region, if a region is needed. This method must be called outside of the run function.

def get_region()

Get the AWS region setted previously

 

def set_aws_access_key_id(aws_access_key_id)

def get_aws_access_key_id()

def set_aws_secret_access_key(aws_secret_access_key)

def get_aws_secret_access_key()

def set_aws_session_token(aws_session_token)

def get_aws_session_token()

 

def set_data(*args, **kwargs)

Save the data you want to save when checking a resource.

 

def fail(message, resource_id)

A check is done, and the result is fail.

 

def warn(message, resource_id)

A check is done, and the result is fail.

 

def success(message, resource_id)

A check is done, and the result is success.

 

def error(message, resource_id)

A check is done, and the result is error

 

def error_user(message)

def error_sys(message)

 

In the block of Python 3 codes, you can define multiple functions, but you must make sure no function name is the same as any of the above functions.

After you code, you can test your grammar to check if it meets our criteria by using the Test button.

Save the code pattern by clicking the Save button. The status is PENDING after the code pattern is saved. The status will be modified to APPROVED automatically after you run the code.

Cancel the code pattern creation using the Close button.

Here is an example of code pattern on checking the AWS security group:

#Please click Enter to start...

set_region('us-east-1')

def run(aws):

conditions = {

"ip_to_check": "0.0.0.0/0"

}

ec2 = aws.client('ec2')

instances_info = ec2.describe_instances()

info = instances_info['Reservations']

for rf in info:

instance_list = rf['Instances']

for ec2_instance in instance_list:

instance_id = ec2_instance['InstanceId']

security_groups = ec2_instance['SecurityGroups']

for sg in security_groups:

result = ec2.describe_security_groups(GroupIds=[sg['GroupId']])

for group_info in result["SecurityGroups"]:

ip_egress = group_info['IpPermissionsEgress'][0]

ip_range = ip_egress['IpRanges'][0]

ip_to_check = ip_range['CidrIp']

if ip_to_check == conditions["ip_to_check"]:

fail(message="Instance {} does not allow 0.0.0.0/0".format(instance_id),resource_id=group_info['GroupName'])

else:

success(message="No issue")

 

Step 2 - Setup Customized Risk Assessment Policy

A customized risk assessment policy is a policy that is associated with a code pattern, make sure the code pattern is setup already before setting up the customized risk assessment policy.

Go to Policy > Risk Assessment > Customized tab, in Customized Risk Assessment Policy, click on +Add New to setup a customized risk assessment policy. Then a new window will prompt you to enter the parameters.

Name — Only contains decimal digits, lower-case or upper-case alphabetic characters, and spaces. Be sure to use no more than 100 characters .

Apply to account — Choose the account which the policy will be applying to.

Severity Level — Pick a severity level associated with the policy.

Description— Enter a brief description in less than 200 characters.

Code Pattern— You must choose an available code pattern to create a customized risk assessment policy. If there is no available code pattern, you must create one.

Click Add Customized Policy to complete adding the policy; to cancel, click Cancel button.

Here is an example of customized risk assessment policy. The name of the code pattern bound to the customized risk assessment policy is under Code Pattern Column.

 

To setup notification to receive policy triggered alerts, refer to .