Security profiles
Security profiles define what to inspect in the traffic that the FortiGate is passing. When traffic matches the profile, it is either allowed, blocked, or monitored (allowed and logged).
The protection that a profile provides, and the information that it monitors, can be configured to your requirements, but increased inspection uses more of the FortiGate's resources. Assess your policies' traffic matching, and then apply the necessary level of protection. You might consider implementing denial of service (DoS) security policies to detect and drop illegitimate traffic before it reaches the more resource-intensive security profiles (see Denial of service for more information).
Security profiles can use flow or proxy mode inspection. Apply flow mode inspection to policies that prioritize traffic throughput, and proxy mode when thoroughness is more important than performance. Under normal traffic conditions, the throughput difference between the two modes is insignificant. For resource optimization, using one mode uniformly across all of the policies is recommended.
Each security profile generates its own log type that contains some log fields that are not present in other logs. This can be important when reviewing or analyzing the logs to assess or troubleshoot user traffic. For example, if no web filtering is applied, then you will not have insight or control of users' browsing information.
The following table lists some basic examples of how a security profile could be used on an edge FortiGate, where inbound traffic goes from the internet to an internal resource using a VIP, and outbound traffic goes from your network to an internet resource:
Security profile | Inbound traffic | Outbound traffic
---|---|---
Antivirus¹ | Protect external resources from malware, such as HTTP PUT requests or FTP uploads. | Scan requested user traffic for malware.
Web filter | Not usually applied to inbound traffic. | Monitor and block user web traffic based on categories and domains.
Video filter | Not usually applied to inbound traffic. | Monitor and restrict YouTube videos based on categories or channels.
DNS filter | Not usually applied to inbound traffic. | Monitor and filter DNS lookups based on domain ratings. Block requests for known compromised domains.
Application control | Make sure that specific protocols are used to access specific ports. For example, only allow SSH traffic to be sent and received over port 22. | Monitor and filter applications on any port.
Intrusion prevention | Protect external services from known exploits and protocol anomalies. | Block connections to botnet sites.
File filter | Prevent uploading files based on the file type and the protocol that is used. | Prevent downloading files based on the file type and the protocol that is used.
Email filter | Perform spam detection and filtering. | Prevent specific IP addresses or subnets from sending and receiving email messages. Block messages that contain specific words.
Data leak prevention | Prevent sensitive data from entering your network. | Prevent sensitive data, such as credit card numbers or SSNs, from leaving your network.
VoIP | Allow SIP and SCCP traffic, and protect your network from SIP and SCCP based attacks. | Secure clients that are connecting to external SIP servers.
ICAP | Offload tasks to separate, specialized servers. | Offload tasks to separate, specialized servers.
Web application firewall | Detect and block known web application attacks, such as SQL injection, XSS, and known exploits. | Not usually applied to outbound traffic.
¹ Antivirus profiles can submit files to FortiSandbox for further inspection. This enables the detection of zero-day malware, and threat intelligence that is learned from submitted malicious and suspicious files supplements the FortiGate’s antivirus database and protection.
Opened ports for Authentication Override in Web Filter Replacement Messages
When a firewall policy is configured with a web filter, AV or application control, or other UTM security profiles, the policy may open up one or more of ports 8008, 8010, 8015 or 8020 for authentication override and data retrieval for replacement messages, depending on the inspection mode.
When a port is open and you try to access the port on HTTP, this may result in the following behavior:
- FortiGate replies and then redirects to the port with a block message.
- FortiGate sends a TCP RST to close the connection.
- FortiGate doesn’t respond.
- FortiGate does a TCP 3-way handshake, then sends a FIN to close the connection.
Traffic does not leak through the policy. However, in some scenarios such as testing the FortiGate for open ports against PCI compliance, this may result in failure of the test case.
To work around the issue, you can close the above ports by doing the following:
```
config webfilter fortiguard
    set close-ports enable
end
```

When close-ports is enabled, FortiGuard and Local URL Filter blocking will not be affected.
When VDOM is enabled, edit the settings in global:
```
config global
    config webfilter fortiguard
        set close-ports enable
    end
end
```
In the case of Application Control, use the following to disable the use of replacement messages and port 8008:
```
config application list
    edit <list>
        set app-replacemsg disable
    next
end
```
If it is acceptable to simply change the ports to a high ephemeral port, the override ports can be changed from here:
- Default:

  ```
  config webfilter fortiguard
      set ovrd-auth-port-http 8008
      set ovrd-auth-port-https 8010
      set ovrd-auth-port-https-flow 8015
      set ovrd-auth-port-warning 8020
  end
  ```

- Update:

  ```
  config webfilter fortiguard
      set ovrd-auth-port-http <high port>
      set ovrd-auth-port-https <high port>
      set ovrd-auth-port-https-flow <high port>
      set ovrd-auth-port-warning <high port>
  end
  ```
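As an added example (not Fortinet's code), the following Python script parses a FortiOS-style config fragment and reports which of the override ports above are still in use: close-ports not enabled with an ovrd-auth-port left at its default, or an application list with app-replacemsg still enabled. The sample configs are constructed, and treating a missing app-replacemsg as enabled is an assumption.

```python
# Added example (not Fortinet code): audit a FortiOS config fragment for the
# authentication override / replacement-message ports described above.
DEFAULT_OVRD_PORTS = {"ovrd-auth-port-http": 8008, "ovrd-auth-port-https": 8010,
                      "ovrd-auth-port-https-flow": 8015, "ovrd-auth-port-warning": 8020}

def parse_fortios(text):
    """Parse FortiOS config/edit/set/next/end syntax into nested dicts."""
    root, stack = {}, []
    cur = root
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] in ("config", "edit"):       # open a nested scope
            stack.append(cur)
            cur = cur.setdefault(" ".join(tok[1:]).strip('"'), {})
        elif tok[0] == "set":
            cur[tok[1]] = " ".join(tok[2:]).strip('"')
        elif tok[0] in ("next", "end"):        # close the current scope
            cur = stack.pop()
    return root

def audit_override_ports(text):
    """Return findings for ports still open; [] means all are closed or moved."""
    cfg = parse_fortios(text)
    scope = cfg.get("global", cfg)             # under 'config global' when VDOMs are enabled
    fg = scope.get("webfilter fortiguard", {})
    findings = []
    if fg.get("close-ports") != "enable":
        for name, default in DEFAULT_OVRD_PORTS.items():
            port = int(fg.get(name, default))  # an unset option keeps its default
            if port == default:
                findings.append(f"{name} still on default port {port}: enable close-ports or move it to a high port")
    # Assumption: app-replacemsg counts as enabled unless explicitly disabled.
    for name, entry in cfg.get("application list", {}).items():
        if entry.get("app-replacemsg", "enable") != "disable":
            findings.append(f"application list '{name}': app-replacemsg enabled, port 8008 in use")
    return findings

# Constructed sample configs, not taken from a real device.
SAMPLE_OPEN = """config webfilter fortiguard
    set ovrd-auth-port-http 8008
end
config application list
    edit "default"
        set app-replacemsg enable
    next
end"""
SAMPLE_CLOSED = """config webfilter fortiguard
    set close-ports enable
end"""
```

Run `audit_override_ports` over a `show webfilter fortiguard` and `show application list` export to get a list of findings to fix before a PCI port test.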