
Administration Guide

Additional antiphishing settings

Additional antiphishing settings

The following settings are available for antiphishing:

Configuration examples

To enable DNS SRV record lookup for the domain controller:
config user domain-controller
    edit "win2016"
        set ad-mode ds
        set dns-srv-lookup enable
        set hostname "win2016"
        set username "replicate"
        set password **********
        set domain-name "SMB2016.LAB"
    next
end
To specify the source IP address and port that the FortiGate uses when fetching from the domain controller:
config user domain-controller
    edit "win2016"
        set ad-mode ds	
        set hostname "win2016"
        set username "replicate"
        set password **********
        set ip-address 172.18.52.188
        set source-ip-address 172.16.100.1
        set source-port 2000
        set domain-name "SMB2016.LAB"

    next
end
To use an LDAP server as a credential store:
  1. Configure the LDAP server:

    config user ldap
        edit "openldap"
            set server "172.18.60.214"
            set cnid "cn"
            set dn "dc=qafsso,dc=com"
            set type regular
            set username "cn=Manager,dc=qafsso,dc=com"
            set password **********
            set antiphish enable
            set password-attr "userPassword"
        next
    end
    
  2. Configure the web filter profile:

    config webfilter profile
        edit "webfilter"
            set feature-set proxy
            config ftgd-wf
                unset options
                config filters
                    edit 1
                        set action block
                    next
                end
            end
            config antiphish
                set status enable
                config inspection-entries
                    edit "cat34"
                        set fortiguard-category 34
                        set action block
                    next
                end
                set authentication ldap
                set ldap "openldap"
            end
            set log-all-url enable
        next
    end
To configure username-only credential matching:
config webfilter profile
    edit "webfilter"
        set feature-set proxy
        config ftgd-wf
            unset options
            ...
        end
        config antiphish
            set status enable
            set check-username-only enable
            config inspection-entries
                edit "cat34"
                    set fortiguard-category 34
                    set action block
                next
            end
            set domain-controller "win2016"
        end
        set log-all-url enable
    next
end
To configure different custom pattern types for usernames and passwords:
config webfilter profile
    edit "webfilter"
        set feature-set proxy
        config ftgd-wf
            unset options
            ...
        end
        config antiphish
            set status enable
            config inspection-entries
                edit "cat34"
                    set fortiguard-category 34
                    set action block
                next
            end
            config custom-patterns
                edit "qwer"
                    set type literal
                next
                edit "[0-6]Dat*"
                next
                edit "dauw9"
                    set category password
                    set type literal
                next
                edit "[0-5]foo[1-4]"
                    set category password
                next
            end
            set domain-controller "win2016"
        end
        set log-all-url enable
    next
end

In this example, the qwer and dauw9 entries are matched literally (set type literal), while [0-6]Dat* and [0-5]foo[1-4] use the default type, regex. The dauw9 and [0-5]foo[1-4] entries are assigned to the password category; the other two entries keep the default category.

To configure Active Directory in LDS mode:
config user domain-controller
    edit "win2016adlds"
        set hostname "win2016adlds"
        set username "foo"
        set password **********
        set ip-address 192.168.10.9
        set domain-name "adlds.local"
        set ad-mode lds
        set adlds-dn "CN=adlds1part1,DC=ADLDS,DC=COM"
        set adlds-ip-address 192.168.10.9
        set adlds-port 3890
    next
end

Additional antiphishing settings

The following settings are available for antiphishing:

Configuration examples

To enable DNS SRV record lookup for the domain controller:
config user domain-controller
    edit "win2016"
        set ad-mode ds
        set dns-srv-lookup enable
        set hostname "win2016"
        set username "replicate"
        set password **********
        set domain-name "SMB2016.LAB"
    next
end
To specify the source IP address and port that the FortiGate uses when fetching from the domain controller:
config user domain-controller
    edit "win2016"
        set ad-mode ds	
        set hostname "win2016"
        set username "replicate"
        set password **********
        set ip-address 172.18.52.188
        set source-ip-address 172.16.100.1
        set source-port 2000
        set domain-name "SMB2016.LAB"

    next
end
To use an LDAP server as a credential store:
  1. Configure the LDAP server:

    config user ldap
        edit "openldap"
            set server "172.18.60.214"
            set cnid "cn"
            set dn "dc=qafsso,dc=com"
            set type regular
            set username "cn=Manager,dc=qafsso,dc=com"
            set password **********
            set antiphish enable
            set password-attr "userPassword"
        next
    end
    
  2. Configure the web filter profile:

    config webfilter profile
        edit "webfilter"
            set feature-set proxy
            config ftgd-wf
                unset options
                config filters
                    edit 1
                        set action block
                    next
                end
            end
            config antiphish
                set status enable
                config inspection-entries
                    edit "cat34"
                        set fortiguard-category 34
                        set action block
                    next
                end
                set authentication ldap
                set ldap "openldap"
            end
            set log-all-url enable
        next
    end
To configure username-only credential matching:
config webfilter profile
    edit "webfilter"
        set feature-set proxy
        config ftgd-wf
            unset options
            ...
        end
        config antiphish
            set status enable
            set check-username-only enable
            config inspection-entries
                edit "cat34"
                    set fortiguard-category 34
                    set action block
                next
            end
            set domain-controller "win2016"
        end
        set log-all-url enable
    next
end
To configure different custom pattern types for usernames and passwords:
config webfilter profile
    edit "webfilter"
        set feature-set proxy
        config ftgd-wf
            unset options
            ...
        end
        config antiphish
            set status enable
            config inspection-entries
                edit "cat34"
                    set fortiguard-category 34
                    set action block
                next
            end
            config custom-patterns
                edit "qwer"
                    set type literal
                next
                edit "[0-6]Dat*"
                next
                edit "dauw9"
                    set category password
                    set type literal
                next
                edit "[0-5]foo[1-4]"
                    set category password
                next
            end
            set domain-controller "win2016"
        end
        set log-all-url enable
    next
end

In this example, the qwer and dauw9 entries are matched literally (set type literal), while [0-6]Dat* and [0-5]foo[1-4] use the default type, regex. The dauw9 and [0-5]foo[1-4] entries are assigned to the password category; the other two entries keep the default category.

To configure Active Directory in LDS mode:
config user domain-controller
    edit "win2016adlds"
        set hostname "win2016adlds"
        set username "foo"
        set password **********
        set ip-address 192.168.10.9
        set domain-name "adlds.local"
        set ad-mode lds
        set adlds-dn "CN=adlds1part1,DC=ADLDS,DC=COM"
        set adlds-ip-address 192.168.10.9
        set adlds-port 3890
    next
end