Fortinet Document Library

Version:


Table of Contents

New Features

7.0.0
Download PDF
Copy Link

Enhance web filter antiphishing profile

The following enhancements have been made to the antiphishing profile:

  • Allow username and password field patterns to be fetched from FortiGuard.
  • Add DNS support for domain controller IP fetching.
  • Add support to specify a source IP or port for the fetching domain controller.
  • Add LDAP server as a credential source (only the OpenLDAP server is supported).
  • Block or log valid usernames regardless of password match.
  • Add literal custom patterns type for username and password.
  • Add support for Active Directory Lightweight Directory Services (AD LDS).
Note

In previous versions of FortiOS, the domain controller for antiphishing is configured under config credential-store domain-controller. Starting in 7.0.0, it is configured under config user domain-controller.

Configuration examples

To update the antiphish pattern database:
  1. Go to System > FortiGuard and in the right-side pane, click Update Licenses & Definitions Now.
  2. Enter the following in the CLI:
    # diagnose autoupdate versions
    ...
    AntiPhish Pattern DB
    ---------
    Version: 1.00002
    Contract Expiry Date: n/a
    Last Updated using manual update on Sun Nov 22 10:31:00 2020
    Last Update Attempt: Tue Jan 12 16:54:06 2021
    Result: No Updates
To enable DNS service lookup:
config user domain-controller
    edit "win2016"
        set ad-mode ds
        set dns-srv-lookup enable
        set hostname "win2016"
        set username "replicate"
        set password **********
        set domain-name "SMB2016.LAB"
    next
end
To specify the source IP and port for the fetching domain controller:
config user domain-controller
    edit "win2016"
        set ad-mode ds	
        set hostname "win2016"
        set username "replicate"
        set password **********
        set ip-address 172.18.52.188
        set source-ip-address 172.16.100.1
        set source-port 2000
        set domain-name "SMB2016.LAB"

    next
end
To use an LDAP server as a credential store:
  1. Configure the LDAP server:
    config user ldap
        edit "openldap"
            set server "172.18.60.214"
            set cnid "cn"
            set dn "dc=qafsso,dc=com"
            set type regular
            set username "cn=Manager,dc=qafsso,dc=com"
            set password **********
            set antiphish enable
            set password-attr "userPassword"
        next
    end
    
  2. Configure the web filter profile:
    config webfilter profile
        edit "webfilter"
            set feature-set proxy
            config ftgd-wf
                unset options
                config filters
                    edit 1
                        set action block
                    next
                end
            end
            config antiphish
                set status enable
                config inspection-entries
                    edit "cat34"
                        set fortiguard-category 34
                        set action block
                    next
                end
                set authentication ldap
                set ldap "openldap"
            end
            set log-all-url enable
        next
    end
To configure username-only credential matching:
config webfilter profile
    edit "webfilter"
        set feature-set proxy
        config ftgd-wf
            unset options
            ...
        end
        config antiphish
            set status enable
            set check-username-only enable
            config inspection-entries
                edit "cat34"
                    set fortiguard-category 34
                    set action block
                next
            end
            set domain-controller "win2016"
        end
        set log-all-url enable
    next
end
To configure different custom pattern types for usernames and passwords:
config webfilter profile
    edit "webfilter"
        set feature-set proxy
        config ftgd-wf
            unset options
            ...
        end
        config antiphish
            set status enable
            config inspection-entries
                edit "cat34"
                    set fortiguard-category 34
                    set action block
                next
            end
            config custom-patterns
                edit "qwer"
                    set type literal
                next
                edit "[0-6]Dat*"
                next
                edit "dauw9"
                    set category password
                    set type literal
                next
                edit "[0-5]foo[1-4]"
                    set category password
                next
            end
            set domain-controller "win2016"
        end
        set log-all-url enable
    next
end

In this example, the qwer and dauw9 entries use the literal type, while [0-6]Dat* and [0-5]foo[1-4] use the default regex type.

To configure Active Directory in LDS mode:
config user domain-controller
    edit "win2016adlds"
        set hostname "win2016adlds"
        set username "foo"
        set password **********
        set ip-address 192.168.10.9
        set domain-name "adlds.local"
        set ad-mode lds
        set adlds-dn "CN=adlds1part1,DC=ADLDS,DC=COM"
        set adlds-ip-address 192.168.10.9
        set adlds-port 3890
    next
end

Enhance web filter antiphishing profile

The following enhancements have been made to the antiphishing profile:

  • Allow username and password field patterns to be fetched from FortiGuard.
  • Add DNS support for domain controller IP fetching.
  • Add support to specify a source IP or port for the fetching domain controller.
  • Add LDAP server as a credential source (only the OpenLDAP server is supported).
  • Block or log valid usernames regardless of password match.
  • Add literal custom patterns type for username and password.
  • Add support for Active Directory Lightweight Directory Services (AD LDS).
Note

In previous versions of FortiOS, the domain controller for antiphishing is configured under config credential-store domain-controller. Starting in 7.0.0, it is configured under config user domain-controller.

Configuration examples

To update the antiphish pattern database:
  1. Go to System > FortiGuard and in the right-side pane, click Update Licenses & Definitions Now.
  2. Enter the following in the CLI:
    # diagnose autoupdate versions
    ...
    AntiPhish Pattern DB
    ---------
    Version: 1.00002
    Contract Expiry Date: n/a
    Last Updated using manual update on Sun Nov 22 10:31:00 2020
    Last Update Attempt: Tue Jan 12 16:54:06 2021
    Result: No Updates
To enable DNS service lookup:
config user domain-controller
    edit "win2016"
        set ad-mode ds
        set dns-srv-lookup enable
        set hostname "win2016"
        set username "replicate"
        set password **********
        set domain-name "SMB2016.LAB"
    next
end
To specify the source IP and port for the fetching domain controller:
config user domain-controller
    edit "win2016"
        set ad-mode ds	
        set hostname "win2016"
        set username "replicate"
        set password **********
        set ip-address 172.18.52.188
        set source-ip-address 172.16.100.1
        set source-port 2000
        set domain-name "SMB2016.LAB"

    next
end
To use an LDAP server as a credential store:
  1. Configure the LDAP server:
    config user ldap
        edit "openldap"
            set server "172.18.60.214"
            set cnid "cn"
            set dn "dc=qafsso,dc=com"
            set type regular
            set username "cn=Manager,dc=qafsso,dc=com"
            set password **********
            set antiphish enable
            set password-attr "userPassword"
        next
    end
    
  2. Configure the web filter profile:
    config webfilter profile
        edit "webfilter"
            set feature-set proxy
            config ftgd-wf
                unset options
                config filters
                    edit 1
                        set action block
                    next
                end
            end
            config antiphish
                set status enable
                config inspection-entries
                    edit "cat34"
                        set fortiguard-category 34
                        set action block
                    next
                end
                set authentication ldap
                set ldap "openldap"
            end
            set log-all-url enable
        next
    end
To configure username-only credential matching:
config webfilter profile
    edit "webfilter"
        set feature-set proxy
        config ftgd-wf
            unset options
            ...
        end
        config antiphish
            set status enable
            set check-username-only enable
            config inspection-entries
                edit "cat34"
                    set fortiguard-category 34
                    set action block
                next
            end
            set domain-controller "win2016"
        end
        set log-all-url enable
    next
end
To configure different custom pattern types for usernames and passwords:
config webfilter profile
    edit "webfilter"
        set feature-set proxy
        config ftgd-wf
            unset options
            ...
        end
        config antiphish
            set status enable
            config inspection-entries
                edit "cat34"
                    set fortiguard-category 34
                    set action block
                next
            end
            config custom-patterns
                edit "qwer"
                    set type literal
                next
                edit "[0-6]Dat*"
                next
                edit "dauw9"
                    set category password
                    set type literal
                next
                edit "[0-5]foo[1-4]"
                    set category password
                next
            end
            set domain-controller "win2016"
        end
        set log-all-url enable
    next
end

In this example, the qwer and dauw9 entries use the literal type, while [0-6]Dat* and [0-5]foo[1-4] use the default regex type.

To configure Active Directory in LDS mode:
config user domain-controller
    edit "win2016adlds"
        set hostname "win2016adlds"
        set username "foo"
        set password **********
        set ip-address 192.168.10.9
        set domain-name "adlds.local"
        set ad-mode lds
        set adlds-dn "CN=adlds1part1,DC=ADLDS,DC=COM"
        set adlds-ip-address 192.168.10.9
        set adlds-port 3890
    next
end