Inline CASB

The inline CASB security profile enables the FortiGate to perform granular control over SaaS applications directly on firewall policies. The supported controls include:

Control	Description
Privilege control	Specify the action to apply to user activities per application such as upload, download, share, delete, log in, and so on.
Safe search	On SaaS applications that support searching, enable and select the level of safe search.
Tenant control	Allow only users belonging to specific domains to access the SaaS application.
UTM bypass	For each user activity, bypass further UTM scanning any of the following security profiles: Antivirus DLP File filter Video filter Web filter

Administrators can customize their own SaaS applications, matching conditions, and custom controls and actions.

A firewall policy must use proxy-based inspection with a deep inspection SSL profile to apply the inline CASB profile and scan the traffic payload.

Inline CASB can be applied to a firewall policy or a proxy policy.

The Inline-CASB Application Definitions entitlement is licensed under the basic firmware and updates contract. To view the entitlement information, go to System > FortiGuard and expand the Firmware & General Updates section in the License Information table.

To enable inline CASB security profiles in the GUI:

1. Go to System > Feature Visibility.

2. Enable Inline-CASB in the Security Features section.

3. Click Apply.

Example 1: privilege control

In this example, logging in to Microsoft Outlook is blocked by the privilege control settings in the inline CASB profile.

To configure an inline CASB profile with privilege control in the GUI:

1. Configure the inline CASB profile:

   1. Go to Security Profiles > Inline-CASB and click Create new.

   2. Enter a Name, such as outlook_test.

   3. In the SaaS Applications table, click Create new. The Create SaaS Application Rules pane opens.

   4. Set the Application to microsoft-outlook, then click Next.

      

   5. Enable Logging.

   6. In the Privilege Control table, select login and from the Set Action dropdown, select Block.

      

   7. Click OK.

2. Configure the firewall policy:

   1. Go to Policy & Objects > Firewall Policy. Edit an existing policy, or create a new one.

   2. Set the Inspection Mode to Proxy-based.

   3. In the Security Profiles section, enable Inline-CASB and select the outlook_test profile.

   4. Set the SSL Inspection profile to one that uses deep inspection.

   5. Configure the other settings as needed.

   6. Click OK.

To configure an inline CASB profile with privilege control in the CLI:

1. Configure the inline CASB profile:

   config casb profile
       edit "outlook_test"
           config saas-application
               edit "microsoft-outlook"
                   config access-rule
                       edit "microsoft-outlook-login"
                           set action block
                       next
                   end
               next
           end
       next
   end

2. Configure the firewall policy:

   config firewall policy
       edit 6
           set name "casb_test"
           set srcintf "port1"
           set dstintf "port3"
           set action accept
           set srcaddr "all"
           set dstaddr "all"
           set schedule "always"
           set service "ALL"
           set utm-status enable
           set inspection-mode proxy
           set ssl-ssh-profile "ssl"
           set casb-profile "outlook_test"
           set nat enable
       next
   end

To test the configuration:

1. Open a browser and attempt to access the Outlook login page.

2. The traffic is blocked by the firewall policy. The browser displays a replacement message: Blocked by Inline CASB Control.

   

Sample log:

1: date=2023-08-18 time=16:59:32 eventtime=1692403171962221884 tz="-0700" logid="2500010000" type="utm" subtype="casb" eventtype="casb" level="warning" vd="vdom1" msg="CASB access was blocked because it contained banned activity." policyid=6 sessionid=63635 srcip=10.1.100.195 dstip=20.190.190.130 srcport=61013 dstport=443 srcintf="port1" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" proto=6 action="block" profile="outlook_test" saasapp="microsoft-outlook" useractivity="microsoft-outlook-login" activitycategory="activity-control"

Example 2: safe search

In this example, safe search is configured for Google in the inline CASB profile.

To configure an inline CASB profile with safe search in the GUI:

1. Configure the inline CASB profile:

   1. Go to Security Profiles > Inline-CASB and click Create new.

   2. Enter a Name, such as google_test.

   3. In the SaaS Applications table, click Create new. The Create SaaS Application Rules pane opens.

   4. Set the Application to google, then click Next.

      

   5. Enable Safe search.

      

   6. Click OK.

2. Configure the firewall policy:

   1. Go to Policy & Objects > Firewall Policy. Edit an existing policy, or create a new one.

   2. Set the Inspection Mode to Proxy-based.

   3. In the Security Profiles section, enable Inline-CASB and select the google_test profile.

   4. Set the SSL Inspection profile to one that uses deep inspection.

   5. Configure the other settings as needed.

   6. Click OK.

To configure an inline CASB profile with safe search in the CLI:

1. Configure the inline CASB profile:

   config casb profile
       edit "google_test"
           config saas-application
               edit "google"
                   set safe-search enable
                   set safe-search-control "strict"
               next
           end
       next
   end

2. Configure the firewall policy:

   config firewall policy
       edit 7
           set name "casb_test_google"
           set srcintf "port1"
           set dstintf "port3"
           set action accept
           set srcaddr "all"
           set dstaddr "all"
           set schedule "always"
           set service "ALL"
           set utm-status enable
           set inspection-mode proxy
           set ssl-ssh-profile "ssl"
           set casb-profile "google_test"
           set nat enable
       next
   end

To test the configuration:

1. Open a browser and attempt to search in Google for content that is considered mature or explicit.

2. The sensitive content is filtered out in the search results.

Sample log:

1: date=2023-08-18 time=17:01:36 eventtime=1692403295962385271 tz="-0700" logid="2500010002" type="utm" subtype="casb" eventtype="casb" level="information" vd="vdom1" msg="CASB access was monitored because it contained activity." policyid=7 sessionid=63774 srcip=10.1.100.195 dstip=142.250.217.98 srcport=61065 dstport=443 srcintf="port1" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" proto=6 action="monitor" profile="google_test" saasapp="google" useractivity="google-safe-search" activitycategory="safe-search-control"

Example 3: tenant control

In this example, tenant control is configured for Microsoft in the inline CASB profile for the fortinet-us.com domain.

To configure an inline CASB profile with tenant control in the GUI:

1. Configure the inline CASB profile:

   1. Go to Security Profiles > Inline-CASB and click Create new.

   2. Enter a Name, such as microsoft_test.

   3. In the SaaS Applications table, click Create new. The Create SaaS Application Rules pane opens.

   4. Set the Application to microsoft, then click Next.

      

   5. Enable Tenant control. Click the + and enter fortinet-us.com.

      

   6. Click OK.

2. Configure the firewall policy:

   1. Go to Policy & Objects > Firewall Policy. Edit an existing policy, or create a new one.

   2. Set the Inspection Mode to Proxy-based.

   3. In the Security Profiles section, enable Inline-CASB and select the microsoft_test profile.

   4. Set the SSL Inspection profile to one that uses deep inspection.

   5. Configure the other settings as needed.

   6. Click OK.

To configure an inline CASB profile with tenant control in the CLI:

1. Configure the inline CASB profile:

   config casb profile
       edit "microsoft_test"
           config saas-application
               edit "microsoft"
                   set tenant-control enable
                   set tenant-control-tenants "fortinet-us.com"
               next
           end
       next
   end

2. Configure the firewall policy:

   config firewall policy
       edit 8
           set name "casb_test_microsoft"
           set srcintf "port1"
           set dstintf "port3"
           set action accept
           set srcaddr "all"
           set dstaddr "all"
           set schedule "always"
           set service "ALL"
           set utm-status enable
           set inspection-mode proxy
           set ssl-ssh-profile "ssl"
           set casb-profile "microsoft_test"
           set nat enable
       next
   end

To test the configuration:

1. Open a browser and attempt to log in to Microsoft Office 365 with a fortinet-us.com account.

2. Since the domain is valid, the user can log in successfully.

   

3. Attempt to log in to Microsoft Office 365 with another account with a different domain.

4. The domain is invalid. The user is unable to log in, and an error message appears: Your network administrator has blocked access.

   

Sample log:

1: date=2023-08-18 time=17:09:25 eventtime=1692403765238967943 tz="-0700" logid="2500010002" type="utm" subtype="casb" eventtype="casb" level="information" vd="vdom1" msg="CASB access was monitored because it contained activity." policyid=8 sessionid=65108 srcip=10.1.100.195 dstip=20.189.173.15 srcport=61912 dstport=443 srcintf="port1" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" proto=6 action="monitor" profile="microsoft_test" saasapp="microsoft" useractivity="ms-tenant-control" activitycategory="tenant-control"

Example 4: UTM bypass

In this example, UTM bypass is configured for Dropbox file downloading in the inline CASB profile.

To configure an inline CASB profile with UTM bypass in the GUI:

1. Configure the inline CASB profile:

   1. Go to Security Profiles > Inline-CASB and click Create new.

   2. Enter a Name, such as dropbox_test.

   3. In the SaaS Applications table, click Create new. The Create SaaS Application Rules pane opens.

   4. Set the Application to dropbox, then click Next.

      

   5. Enable Logging.

   6. In the Privilege Control table, select download-file and from the Set Action dropdown, select Bypass.

      

      The Bypass UTM Profile(s) pane opens.

   7. Click the + and set Profile(s) to File Filter.

      

   8. Click OK to save the bypass UTM profile.

   9. Click OK to save the inline CASB profile

2. Configure the firewall policy:

   1. Go to Policy & Objects > Firewall Policy. Edit an existing policy, or create a new one.

   2. Set the Inspection Mode to Proxy-based.

   3. In the Security Profiles section, enable Inline-CASB and select the dropbox_test profile.

   4. Set the SSL Inspection profile to one that uses deep inspection.

   5. Configure the other settings as needed.

   6. Click OK.

To configure an inline CASB profile with UTM bypass in the CLI:

1. Configure the inline CASB profile:

   config casb profile
       edit "dropbox_test"
           config saas-application
               edit "dropbox"
                   config access-rule
                       edit "dropbox-download-file"
                           set bypass file-filter
                           set action bypass
                       next
                   end
               next
           end
       next
   end

2. Configure the firewall policy:

   config firewall policy
       edit 9
           set name "casb_test_dropbox"
           set srcintf "port1"
           set dstintf "port3"
           set action accept
           set srcaddr "all"
           set dstaddr "all"
           set schedule "always"
           set service "ALL"
           set utm-status enable
           set inspection-mode proxy
           set ssl-ssh-profile "ssl"
           set casb-profile "dropbox_test"
           set nat enable
       next
   end

To test the configuration:

1. Open a browser and log in to Dropbox.

2. Attempt to download a file, such as a PDF. The download is successful.

Sample log:

1: date=2023-08-18 time=17:15:29 eventtime=1692404129378193492 tz="-0700" logid="2500010001" type="utm" subtype="casb" eventtype="casb" level="information" vd="vdom1" msg="CASB access was allowed although it contained activity." policyid=9 sessionid=65452 srcip=10.1.100.195 dstip=162.125.1.15 srcport=62110 dstport=443 srcintf="port1" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" proto=6 action="bypass" profile="dropbox_test" saasapp="dropbox" useractivity="dropbox-download-file" activitycategory="activity-control"

Example 5: customized SaaS application and user activity

In this example, a custom SaaS application is created (pc4) with a custom user action. When a user accesses pc4.qa.fortinet.com/virus, they are redirected to pc4.qa.fortinet.com/testweb/testweb.htm.

To configure a customized inline CASB profile in the GUI:

1. Configure the inline CASB profile:

   1. Go to Security Profiles > Inline-CASB and click Create new.

   2. Enter a Name, such as custom_test.

   3. In the SaaS Applications table, click Create new. The Create SaaS Application Rules pane opens.

   4. In the Application dropdown, click the + to create a custom entry. The Create Inline-CASB SaaS Application pane opens.

   5. Enter the Name (pc4) and Domains (pc4.qa.fortinet.com), then click OK.

      

   6. Select pc4 and click Next.

   7. Configure the custom control and action:

      1. In the Custom Controls table, Create new. The Create Custom Control pane opens.

      2. Enter a Name, such as pc4-virus_test_replace.

      3. Set Apply when HTTP packet matches to All of the following.

      4. Enable URL path and enter /virus.

         

      5. In the Application-Defined Controls table, Create new. The Create Custom Control Action pane opens.

      6. Enter a Name, such as virus_replace_operation.

      7. Set the Control Type to Edit URL path.

      8. Set the Action to Replace path with value.

      9. Set the Path to /virus.

      10. Set the Value to /testweb/testweb.html.

          

      11. Click OK to save the custom action.

      12. Click OK to save the custom control.

   8. Click OK to save the application rule.

   9. Click OK to save the inline CASB profile.

2. Configure the firewall policy:

   1. Go to Policy & Objects > Firewall Policy. Edit an existing policy, or create a new one.

   2. Set the Inspection Mode to Proxy-based.

   3. In the Security Profiles section, enable Inline-CASB and select the custom_test profile.

   4. Set the SSL Inspection profile to one that uses deep inspection.

   5. Configure the other settings as needed.

   6. Click OK.

To configure a customized inline CASB profile in the CLI:

1. Configure the CASB SaaS application:

   config casb saas-application
       edit "pc4"
           set domains "pc4.qa.fortinet.com"
       next
   end

2. Configure the CASB user activity:

   config casb user-activity
       edit "pc4-virus_test_replace"
           set application "pc4"
           set category other
           config match
               edit 1
                   config rules
                       edit 1
                           set type path
                           set match-value "/virus"
                       next
                   end
               next
           end
           config control-options
               edit "virus_replace_operation"
                   config operations
                       edit "virus_replace_operation"
                           set target path
                           set action replace
                           set search-key "/virus"
                           set values "/testweb/testweb.html"
                       next
                   end
               next
           end
       next
   end

3. Configure the inline CASB profile:

   config casb profile
       edit "custom_test"
           config saas-application
               edit "pc4"
                   config custom-control
                       edit "pc4-virus_test_replace"
                           config option
                               edit "virus_replace_operation"
                               next
                           end
                       next
                   end
               next
           end
       next
   end

4. Configure the firewall policy:

   config firewall policy
       edit 10
           set name "casb_test_custom"
           set srcintf "port1"
           set dstintf "port3"
           set action accept
           set srcaddr "all"
           set dstaddr "all"
           set schedule "always"
           set service "ALL"
           set utm-status enable
           set inspection-mode proxy
           set ssl-ssh-profile "ssl"
           set casb-profile "custom_test"
           set nat enable
       next
   end

To test the configuration:

1. Open a browser and go to pc4.qa.fortinet.com/virus.

2. Access is redirected to pc4.qa.fortinet.com/testweb/testweb.htm.

   

Sample log:

1: date=2023-08-21 time=08:31:06 eventtime=1692631866382806917 tz="-0700" logid="2500010001" type="utm" subtype="casb" eventtype="casb" level="information" vd="vdom1" msg="CASB access was allowed although it contained activity." policyid=10 sessionid=3139 srcip=10.1.100.195 dstip=172.16.200.44 srcport=56774 dstport=80 srcintf="port1" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" proto=6 url="http://pc4.qa.fortinet.com/testweb/testweb.html" action="bypass" profile="custom_test" saasapp="pc4" useractivity="pc4-virus_test_replace" activitycategory="other"