
URL certificate blacklist


URL certificate blacklist

As a growing amount of malware uses SSL in an attempt to bypass IPS, maintaining a fingerprint-based certificate blacklist is useful for blocking botnet communication that relies on SSL.

This feature adds a dynamic package that is distributed by FortiGuard as part of the Web Filtering service. It is enabled by default in the SSL/SSH profiles and is controlled per profile by the `set block-blacklisted-certificates enable` setting (the command that was highlighted in bold in the original formatting). Because the match is made on the certificate fingerprint seen in the handshake, the setting appears in both the certificate-inspection and deep-inspection profiles, as shown in context in the following CLI output:

config vdom
    edit <vdom>
        config firewall ssl-ssh-profile
            edit "certificate-inspection"
                set comment "Read-only SSL handshake inspection profile."
                config ssl
                    set inspect-all disable
                end
                config https
                    set ports 443
                    set status certificate-inspection
                    set invalid-server-cert block
                    set untrusted-server-cert allow
                    set sni-server-cert-check enable
                end
                config ftps
                    set status disable
                    set invalid-server-cert block
                    set untrusted-server-cert allow
                end
                config imaps
                    set status disable
                    set invalid-server-cert block
                    set untrusted-server-cert allow
                end
                config pop3s
                    set status disable
                    set invalid-server-cert block
                    set untrusted-server-cert allow
                end
                config smtps
                    set status disable
                    set invalid-server-cert block
                    set untrusted-server-cert allow
                end
                config ssh
                    set ports 22
                    set status disable
                    set inspect-all disable
                    set unsupported-version bypass
                    set ssh-tun-policy-check disable
                    set ssh-algorithm compatible
                end
                set block-blacklisted-certificates enable  
                set caname "Fortinet_CA_SSL"
                set ssl-anomalies-log enable
            next
            edit "deep-inspection"
                set comment "Read-only deep inspection profile."
                config ssl
                    set inspect-all disable
                end
                config https
                    set ports 443
                    set status deep-inspection
                    set client-cert-request bypass
                    set unsupported-ssl bypass
                    set invalid-server-cert block
                    set untrusted-server-cert allow
                    set sni-server-cert-check enable
                end
                config ftps
                    set ports 990
                    set status deep-inspection
                    set client-cert-request bypass
                    set unsupported-ssl bypass
                    set invalid-server-cert block
                    set untrusted-server-cert allow
                end
                config imaps
                    set ports 993
                    set status deep-inspection
                    set client-cert-request inspect
                    set unsupported-ssl bypass
                    set invalid-server-cert block
                    set untrusted-server-cert allow
                end
                config pop3s
                    set ports 995
                    set status deep-inspection
                    set client-cert-request inspect
                    set unsupported-ssl bypass
                    set invalid-server-cert block
                    set untrusted-server-cert allow
                end
                config smtps
                    set ports 465
                    set status deep-inspection
                    set client-cert-request inspect
                    set unsupported-ssl bypass
                    set invalid-server-cert block
                    set untrusted-server-cert allow
                end
                config ssh
                    set ports 22
                    set status disable
                    set inspect-all disable
                    set unsupported-version bypass
                    set ssh-tun-policy-check disable
                    set ssh-algorithm compatible
                end
                set whitelist disable
                set block-blacklisted-certificates enable 
                config ssl-exempt
                    edit 1
                        set type fortiguard-category
                        set fortiguard-category 31
                    next
                    edit 2
                        set type fortiguard-category
                        set fortiguard-category 33
                    next
                    edit 3
                        set type wildcard-fqdn
                        set wildcard-fqdn "g-adobe"
                    next
                    edit 4
                        set type wildcard-fqdn
                        set wildcard-fqdn "g-Adobe Login"
                    next
                    edit 5
                        set type wildcard-fqdn
                        set wildcard-fqdn "g-android"
                    next
                    edit 6
                        set type wildcard-fqdn
                        set wildcard-fqdn "g-apple"
                    next
                    edit 7
                        set type wildcard-fqdn
                        set wildcard-fqdn "g-appstore"
                    next
                    edit 8
                        set type wildcard-fqdn
                        set wildcard-fqdn "g-auth.gfx.ms"
                    next
                    edit 9
                        set type wildcard-fqdn
                        set wildcard-fqdn "g-citrix"
                    next
                    edit 10
                        set type wildcard-fqdn
                        set wildcard-fqdn "g-dropbox.com"
                    next
                    edit 11
                        set type wildcard-fqdn
                        set wildcard-fqdn "g-eease"
                    next
                    edit 12
                        set type wildcard-fqdn
                        set wildcard-fqdn "g-firefox update server"
                    next
                    edit 13
                        set type wildcard-fqdn
                        set wildcard-fqdn "g-fortinet"
                    next
                    edit 14
                        set type wildcard-fqdn
                        set wildcard-fqdn "g-googleapis.com"
                    next
                    edit 15
                        set type wildcard-fqdn
                        set wildcard-fqdn "g-google-drive"
                    next
                    edit 16
                        set type wildcard-fqdn
                        set wildcard-fqdn "g-google-play2"
                    next
                    edit 17
                        set type wildcard-fqdn
                        set wildcard-fqdn "g-google-play3"
                    next
                    edit 18
                        set type wildcard-fqdn
                        set wildcard-fqdn "g-Gotomeeting"
                    next
                    edit 19
                        set type wildcard-fqdn
                        set wildcard-fqdn "g-icloud"
                    next
                    edit 20
                        set type wildcard-fqdn
                        set wildcard-fqdn "g-itunes"
                    next
                    edit 21
                        set type wildcard-fqdn
                        set wildcard-fqdn "g-microsoft"
                    next
                    edit 22
                        set type wildcard-fqdn
                        set wildcard-fqdn "g-skype"
                    next
                    edit 23
                        set type wildcard-fqdn
                        set wildcard-fqdn "g-softwareupdate.vmware.com"
                    next
                    edit 24
                        set type wildcard-fqdn
                        set wildcard-fqdn "g-verisign"
                    next
                    edit 25
                        set type wildcard-fqdn
                        set wildcard-fqdn "g-Windows update 2"
                    next
                    edit 26
                        set type wildcard-fqdn
                        set wildcard-fqdn "g-live.com"
                    next
                    edit 27
                        set type wildcard-fqdn
                        set wildcard-fqdn "g-google-play"
                    next
                    edit 28
                        set type wildcard-fqdn
                        set wildcard-fqdn "g-update.microsoft.com"
                    next
                    edit 29
                        set type wildcard-fqdn
                        set wildcard-fqdn "g-swscan.apple.com"
                    next
                    edit 30
                        set type wildcard-fqdn
                        set wildcard-fqdn "g-autoupdate.opera.com"
                    next
                end
                set server-cert-mode re-sign
                set caname "Fortinet_CA_SSL"
                set untrusted-caname "Fortinet_CA_Untrusted"
                set ssl-anomalies-log enable
                set ssl-exemptions-log disable
                set rpc-over-https disable
                set mapi-over-https disable
                set use-ssl-server disable
            next
        end
    next
end

URL certificate blacklist

As a growing amount of malware uses SSL in an attempt to bypass IPS, maintaining a fingerprint-based certificate blacklist is useful for blocking botnet communication that relies on SSL.

This feature adds a dynamic package that is distributed by FortiGuard as part of the Web Filtering service. It is enabled by default in the SSL/SSH profiles and is controlled per profile by the `set block-blacklisted-certificates enable` setting (the command that was highlighted in bold in the original formatting). Because the match is made on the certificate fingerprint seen in the handshake, the setting appears in both the certificate-inspection and deep-inspection profiles, as shown in context in the following CLI output:

config vdom
    edit <vdom>
        config firewall ssl-ssh-profile
            edit "certificate-inspection"
                set comment "Read-only SSL handshake inspection profile."
                config ssl
                    set inspect-all disable
                end
                config https
                    set ports 443
                    set status certificate-inspection
                    set invalid-server-cert block
                    set untrusted-server-cert allow
                    set sni-server-cert-check enable
                end
                config ftps
                    set status disable
                    set invalid-server-cert block
                    set untrusted-server-cert allow
                end
                config imaps
                    set status disable
                    set invalid-server-cert block
                    set untrusted-server-cert allow
                end
                config pop3s
                    set status disable
                    set invalid-server-cert block
                    set untrusted-server-cert allow
                end
                config smtps
                    set status disable
                    set invalid-server-cert block
                    set untrusted-server-cert allow
                end
                config ssh
                    set ports 22
                    set status disable
                    set inspect-all disable
                    set unsupported-version bypass
                    set ssh-tun-policy-check disable
                    set ssh-algorithm compatible
                end
                set block-blacklisted-certificates enable  
                set caname "Fortinet_CA_SSL"
                set ssl-anomalies-log enable
            next
            edit "deep-inspection"
                set comment "Read-only deep inspection profile."
                config ssl
                    set inspect-all disable
                end
                config https
                    set ports 443
                    set status deep-inspection
                    set client-cert-request bypass
                    set unsupported-ssl bypass
                    set invalid-server-cert block
                    set untrusted-server-cert allow
                    set sni-server-cert-check enable
                end
                config ftps
                    set ports 990
                    set status deep-inspection
                    set client-cert-request bypass
                    set unsupported-ssl bypass
                    set invalid-server-cert block
                    set untrusted-server-cert allow
                end
                config imaps
                    set ports 993
                    set status deep-inspection
                    set client-cert-request inspect
                    set unsupported-ssl bypass
                    set invalid-server-cert block
                    set untrusted-server-cert allow
                end
                config pop3s
                    set ports 995
                    set status deep-inspection
                    set client-cert-request inspect
                    set unsupported-ssl bypass
                    set invalid-server-cert block
                    set untrusted-server-cert allow
                end
                config smtps
                    set ports 465
                    set status deep-inspection
                    set client-cert-request inspect
                    set unsupported-ssl bypass
                    set invalid-server-cert block
                    set untrusted-server-cert allow
                end
                config ssh
                    set ports 22
                    set status disable
                    set inspect-all disable
                    set unsupported-version bypass
                    set ssh-tun-policy-check disable
                    set ssh-algorithm compatible
                end
                set whitelist disable
                set block-blacklisted-certificates enable 
                config ssl-exempt
                    edit 1
                        set type fortiguard-category
                        set fortiguard-category 31
                    next
                    edit 2
                        set type fortiguard-category
                        set fortiguard-category 33
                    next
                    edit 3
                        set type wildcard-fqdn
                        set wildcard-fqdn "g-adobe"
                    next
                    edit 4
                        set type wildcard-fqdn
                        set wildcard-fqdn "g-Adobe Login"
                    next
                    edit 5
                        set type wildcard-fqdn
                        set wildcard-fqdn "g-android"
                    next
                    edit 6
                        set type wildcard-fqdn
                        set wildcard-fqdn "g-apple"
                    next
                    edit 7
                        set type wildcard-fqdn
                        set wildcard-fqdn "g-appstore"
                    next
                    edit 8
                        set type wildcard-fqdn
                        set wildcard-fqdn "g-auth.gfx.ms"
                    next
                    edit 9
                        set type wildcard-fqdn
                        set wildcard-fqdn "g-citrix"
                    next
                    edit 10
                        set type wildcard-fqdn
                        set wildcard-fqdn "g-dropbox.com"
                    next
                    edit 11
                        set type wildcard-fqdn
                        set wildcard-fqdn "g-eease"
                    next
                    edit 12
                        set type wildcard-fqdn
                        set wildcard-fqdn "g-firefox update server"
                    next
                    edit 13
                        set type wildcard-fqdn
                        set wildcard-fqdn "g-fortinet"
                    next
                    edit 14
                        set type wildcard-fqdn
                        set wildcard-fqdn "g-googleapis.com"
                    next
                    edit 15
                        set type wildcard-fqdn
                        set wildcard-fqdn "g-google-drive"
                    next
                    edit 16
                        set type wildcard-fqdn
                        set wildcard-fqdn "g-google-play2"
                    next
                    edit 17
                        set type wildcard-fqdn
                        set wildcard-fqdn "g-google-play3"
                    next
                    edit 18
                        set type wildcard-fqdn
                        set wildcard-fqdn "g-Gotomeeting"
                    next
                    edit 19
                        set type wildcard-fqdn
                        set wildcard-fqdn "g-icloud"
                    next
                    edit 20
                        set type wildcard-fqdn
                        set wildcard-fqdn "g-itunes"
                    next
                    edit 21
                        set type wildcard-fqdn
                        set wildcard-fqdn "g-microsoft"
                    next
                    edit 22
                        set type wildcard-fqdn
                        set wildcard-fqdn "g-skype"
                    next
                    edit 23
                        set type wildcard-fqdn
                        set wildcard-fqdn "g-softwareupdate.vmware.com"
                    next
                    edit 24
                        set type wildcard-fqdn
                        set wildcard-fqdn "g-verisign"
                    next
                    edit 25
                        set type wildcard-fqdn
                        set wildcard-fqdn "g-Windows update 2"
                    next
                    edit 26
                        set type wildcard-fqdn
                        set wildcard-fqdn "g-live.com"
                    next
                    edit 27
                        set type wildcard-fqdn
                        set wildcard-fqdn "g-google-play"
                    next
                    edit 28
                        set type wildcard-fqdn
                        set wildcard-fqdn "g-update.microsoft.com"
                    next
                    edit 29
                        set type wildcard-fqdn
                        set wildcard-fqdn "g-swscan.apple.com"
                    next
                    edit 30
                        set type wildcard-fqdn
                        set wildcard-fqdn "g-autoupdate.opera.com"
                    next
                end
                set server-cert-mode re-sign
                set caname "Fortinet_CA_SSL"
                set untrusted-caname "Fortinet_CA_Untrusted"
                set ssl-anomalies-log enable
                set ssl-exemptions-log disable
                set rpc-over-https disable
                set mapi-over-https disable
                set use-ssl-server disable
            next
        end
    next
end