Enhance web filter antiphishing profile
The following enhancements have been made to the antiphishing profile:
- Allow username and password field patterns to be fetched from FortiGuard.
- Add DNS support for domain controller IP fetching.
- Add support to specify a source IP or port for the fetching domain controller.
- Add LDAP server as a credential source (only the OpenLDAP server is supported).
- Block or log valid usernames regardless of password match.
- Add literal custom patterns type for username and password.
- Add support for Active Directory Lightweight Directory Services (AD LDS).
|
In previous versions of FortiOS, the domain controller for antiphishing is configured under |
Configuration examples
To update the antiphish pattern database:
- Go to System > FortiGuard and in the right-side pane, click Update Licenses & Definitions Now.
- Enter the following in the CLI:
# diagnose autoupdate versions ... AntiPhish Pattern DB --------- Version: 1.00002 Contract Expiry Date: n/a Last Updated using manual update on Sun Nov 22 10:31:00 2020 Last Update Attempt: Tue Jan 12 16:54:06 2021 Result: No Updates
To enable DNS service lookup:
config user domain-controller
edit "win2016"
set ad-mode ds
set dns-srv-lookup enable
set hostname "win2016"
set username "replicate"
set password **********
set domain-name "SMB2016.LAB"
next
end
To specify the source IP and port for the fetching domain controller:
config user domain-controller
edit "win2016"
set ad-mode ds
set hostname "win2016"
set username "replicate"
set password **********
set ip-address 172.18.52.188
set source-ip-address 172.16.100.1
set source-port 2000
set domain-name "SMB2016.LAB"
next
end
To use an LDAP server as a credential store:
- Configure the LDAP server:
config user ldap edit "openldap" set server "172.18.60.214" set cnid "cn" set dn "dc=qafsso,dc=com" set type regular set username "cn=Manager,dc=qafsso,dc=com" set password ********** set antiphish enable set password-attr "userPassword" next end - Configure the web filter profile:
config webfilter profile edit "webfilter" set feature-set proxy config ftgd-wf unset options config filters edit 1 set action block next end end config antiphish set status enable config inspection-entries edit "cat34" set fortiguard-category 34 set action block next end set authentication ldap set ldap "openldap" end set log-all-url enable next end
To configure username-only credential matching:
config webfilter profile
edit "webfilter"
set feature-set proxy
config ftgd-wf
unset options
...
end
config antiphish
set status enable
set check-username-only enable
config inspection-entries
edit "cat34"
set fortiguard-category 34
set action block
next
end
set domain-controller "win2016"
end
set log-all-url enable
next
end
To configure different custom pattern types for usernames and passwords:
config webfilter profile
edit "webfilter"
set feature-set proxy
config ftgd-wf
unset options
...
end
config antiphish
set status enable
config inspection-entries
edit "cat34"
set fortiguard-category 34
set action block
next
end
config custom-patterns
edit "qwer"
set type literal
next
edit "[0-6]Dat*"
next
edit "dauw9"
set category password
set type literal
next
edit "[0-5]foo[1-4]"
set category password
next
end
set domain-controller "win2016"
end
set log-all-url enable
next
end
In this example, the qwer and dauw9 entries use the literal type, while [0-6]Dat* and [0-5]foo[1-4] use the default regex type.
To configure Active Directory in LDS mode:
config user domain-controller
edit "win2016adlds"
set hostname "win2016adlds"
set username "foo"
set password **********
set ip-address 192.168.10.9
set domain-name "adlds.local"
set ad-mode lds
set adlds-dn "CN=adlds1part1,DC=ADLDS,DC=COM"
set adlds-ip-address 192.168.10.9
set adlds-port 3890
next
end