Credential phishing prevention

When credential phishing prevention is enabled, the FortiGate scans for corporate credentials submitted to external websites and compares them to sensitive credentials stored in the corporate domain controller. Based on the configured antiphishing rules in proxy mode web filter profiles, the FortiGate will block the URL or alert the user if the credentials match ones that are stored on the corporate domain controller.

  • The corporate domain controller must be configured on the FortiGate (under config user domain-controller) before the antiphishing profile can reference it.
  • Credentials can be matched based on sAMAccountName, user principal name (UPN), or down-level logon name.
  • The antiphishing profile defines the corporate domain controller, antiphishing check option, default action if no rules match, antiphishing status, and so on.
  • Inspection entries in the profile define what action occurs when the submission request matches the specified FortiGuard categories.
  • The profile scans for pre-defined and custom username and password fields in the HTTP request, such as username, auth, and password. You can evaluate custom fields by configuring custom patterns.
  • The URL filter defines individual URLs to which the antiphishing action (block or log) is applied when the submission request matches one of them.

Web-based URL filter actions and FortiGuard category-based filtering have higher priority than antiphishing URL filter actions and FortiGuard filtering:

  • If a request is blocked by the web-based URL filter or FortiGuard filter, there is no further antiphishing scanning. Antiphishing scanning only happens after the web-based URL filters and FortiGuard filters allow the traffic.
  • If a submission matches an entry in the URL filter table that has an antiphishing action, the defined action is taken. No further FortiGuard category-based rules are applied.
  • Like firewall rules, the URL filter table and FortiGuard category-based antiphishing rules use a top-down priority. The rule that matches first is the one that is used.

In this example, URLs that match FortiGuard category 37 (social networking) will be blocked and other categories will be logged.
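The decision order described above (ordinary web filter and FortiGuard blocks first, then URL filter entries with an antiphishing action, then FortiGuard category inspection entries top-down, then the default action), together with the credential-field extraction and the sAMAccountName / UPN / down-level logon name matching from the earlier list, as an added Python model. This is example code written for this page, not FortiGate code: the account table standing in for the domain controller, the field names, the sample POST bodies, the URL filter entries and every category number other than 37 are constructed assumptions, and `evaluate` only models the documented priority rules.

```python
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs

# Constructed stand-in for the corporate domain controller. A FortiGate checks
# the submitted credentials against the configured DC; a dict plays that role
# here so the example runs offline. "corpserver" is the assumed NetBIOS name.
CORP_DOMAINS = {"corpserver.local", "corpserver"}
CORP_ACCOUNTS = {"jdoe": "Winter2024!", "asmith": "Spring2024!"}  # constructed

# Pre-defined username/password field names (assumed list for this example).
PREDEFINED_USER_FIELDS = {"username", "user", "login", "auth", "email"}
PREDEFINED_PASS_FIELDS = {"password", "passwd", "pass"}


def normalize_username(value: str):
    """Split a sAMAccountName, UPN (user@domain) or down-level logon name
    (DOMAIN\\user) into (domain_or_None, account), both lower-cased."""
    v = value.strip()
    if "@" in v:
        acct, _, dom = v.partition("@")
        return dom.lower(), acct.lower()
    if "\\" in v:
        dom, _, acct = v.partition("\\")
        return dom.lower(), acct.lower()
    return None, v.lower()


def is_corporate_credential(username: str, password: str) -> bool:
    """Stand-in for the DC comparison: the domain (if one is given) must be
    corporate, the account must exist and the password must match."""
    dom, acct = normalize_username(username)
    if dom is not None and dom not in CORP_DOMAINS:
        return False
    return CORP_ACCOUNTS.get(acct) == password


@dataclass
class UrlFilterEntry:
    url: str                                 # matched as a substring of the request URL
    web_action: Optional[str] = None         # ordinary web filter action, e.g. "block"
    antiphish_action: Optional[str] = None   # "block" or "log"


@dataclass
class InspectionEntry:
    fortiguard_category: int
    action: str                              # "block" or "log"


@dataclass
class AntiphishProfile:
    default_action: str                      # applied when no inspection entry matches
    url_filter: list = field(default_factory=list)           # evaluated top-down
    inspection_entries: list = field(default_factory=list)   # evaluated top-down
    blocked_categories: set = field(default_factory=set)     # ordinary FortiGuard blocks
    custom_user_patterns: list = field(default_factory=list) # regexes on field names
    custom_pass_patterns: list = field(default_factory=list)


def extract_credentials(body: str, profile: AntiphishProfile):
    """Return (username, password) from a form-encoded POST body, using the
    pre-defined field names plus the profile's custom patterns, or None."""
    form = parse_qs(body)

    def pick(names, patterns):
        for key, values in form.items():
            if key.lower() in names or any(re.fullmatch(p, key, re.I) for p in patterns):
                return values[0]
        return None

    user = pick(PREDEFINED_USER_FIELDS, profile.custom_user_patterns)
    pwd = pick(PREDEFINED_PASS_FIELDS, profile.custom_pass_patterns)
    return None if user is None or pwd is None else (user, pwd)


def evaluate(profile: AntiphishProfile, url: str, category: int, body: str) -> str:
    """Verdict for one HTTP submission, in the documented priority order."""
    # 1. Web-based URL filter / FortiGuard block: no antiphishing scan at all.
    if category in profile.blocked_categories or any(
        e.url in url and e.web_action == "block" for e in profile.url_filter
    ):
        return "web-filter-block"
    # 2. No credential fields, or credentials that are not corporate: nothing to do.
    creds = extract_credentials(body, profile)
    if creds is None or not is_corporate_credential(*creds):
        return "allow"
    # 3. A matching URL filter entry with an antiphishing action wins over categories.
    for e in profile.url_filter:
        if e.url in url and e.antiphish_action:
            return "antiphish-" + e.antiphish_action
    # 4. FortiGuard category inspection entries, first match wins.
    for ie in profile.inspection_entries:
        if ie.fortiguard_category == category:
            return "antiphish-" + ie.action
    # 5. Profile default action.
    return "antiphish-" + profile.default_action


# Profile mirroring the page's example: category 37 blocked, everything else logged.
EXAMPLE_PROFILE = AntiphishProfile(
    default_action="log",
    url_filter=[
        UrlFilterEntry("malware.example", web_action="block"),          # assumed
        UrlFilterEntry("partner-portal.example", antiphish_action="log"),  # assumed
    ],
    inspection_entries=[InspectionEntry(37, "block")],
    custom_user_patterns=[r"acct_?id"],
)

if __name__ == "__main__":
    post = "username=CORPSERVER%5Cjdoe&password=Winter2024%21&remember=1"  # constructed
    print(evaluate(EXAMPLE_PROFILE, "https://social.example/login", 37, post))
```

Running the block prints `antiphish-block`, because the down-level name CORPSERVER\jdoe resolves to a corporate account with the right password and the site is in category 37. The same submission to a site in any other category falls through to the profile default and is only logged, while a submission to a URL the ordinary web filter already blocks is never scanned for credentials at all.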

To configure credential phishing prevention:
  1. Configure the corporate domain controller:
    config user domain-controller
        edit "win2016"
            set hostname "win2016"
            set domain-name "corpserver.local"
            set username "Administrator"
            set password **********
            set ip <server_ip>