NSE7_EFW-7.2 Security profiles

Detailed list of NSE7_EFW-7.2 knowledge points

Security Profiles Detailed Explanation

Security Profiles are essential for FortiGate’s role as a Unified Threat Management (UTM) device. These profiles allow you to identify, filter, and block threats before they affect your network.

3.1 Web Filtering

Web Filtering controls access to websites by categorizing them or blocking specific URLs, protecting users from inappropriate or malicious content.

3.1.1 URL Categorization

  • What it Does:

    • FortiGuard’s database categorizes websites into predefined groups (e.g., Social Media, Gambling, Malicious Sites).
    • Administrators can allow or block traffic based on these categories.
  • How to Configure:

    • In the GUI:

      1. Go to Security Profiles > Web Filter.
      2. Create or edit a Web Filter profile.
      3. Under FortiGuard Categories, select categories to allow or block (e.g., block "Malicious Websites").
    • Example CLI:

      config webfilter profile
          edit "example-profile"
              config ftgd-wf
                  config filters
                      edit 1
                          # 52 represents a specific FortiGuard category ID
                          set category 52
                          set action block
                      next
                  end
              end
          next
      end

3.1.2 HTTPS Traffic Scanning

  • Why It’s Important:

    • Most modern web traffic is encrypted (HTTPS). Without SSL inspection, FortiGate cannot analyze this traffic, potentially missing threats.
  • How to Configure SSL Inspection:

    • Enable SSL inspection on the firewall policy that uses your Web Filter profile:
      1. Go to Security Profiles > SSL/SSH Inspection.
      2. Select a pre-defined profile or create a custom profile.
      3. Deploy the FortiGate CA certificate to user devices so that decrypted and re-signed sessions are trusted.

3.1.3 Custom URL Filtering

  • When to Use:

    • For blocking or allowing specific websites that don’t fall neatly into FortiGuard’s predefined categories.
  • How to Configure:

    • Example: block example.com with a URL filter table, then reference that table from the Web Filter profile ("set urlfilter-table 1" under "config web"):

      config webfilter urlfilter
          edit 1
              set name "block-example"
              config entries
                  edit 1
                      set url "example.com"
                      set type simple
                      set action block
                  next
              end
          next
      end

3.2 Intrusion Prevention System (IPS)

IPS is used to detect and block attacks by analyzing traffic for known vulnerabilities and exploits.

3.2.1 IPS Signatures

  • Predefined Signatures:

    • FortiGuard provides an extensive database of known attack patterns (e.g., SQL Injection, Buffer Overflow).
  • Custom Signatures:

    • Create custom rules to detect specific patterns unique to your environment.

    • Example:

      config ips custom
          edit "custom-signature"
              # FortiOS custom signatures use the F-SBID syntax, not Snort rule syntax
              set signature "F-SBID( --name \"Custom.Malicious.Pattern\"; --protocol tcp; --service HTTP; --flow from_client; --pattern \"/malicious-pattern\"; --no_case; )"
              set action block
              set log enable
          next
      end

3.2.2 Deep Packet Inspection (DPI)

  • What DPI Does:
    • Analyzes application-layer traffic to detect threats beyond basic protocol analysis.
  • How to Enable:
    • Enable IPS in a Security Policy:
      1. Go to Policy & Objects > IPv4 Policy.
      2. Create/Edit a policy and attach the IPS profile.

3.3 Application Control

Application Control helps identify and manage application traffic, ensuring proper use of bandwidth and resources.

3.3.1 Application Identification

  • What it Does:
    • Detects applications (e.g., Facebook, Dropbox) based on behavior and traffic patterns.
  • How to Configure:
    • Enable Application Control in a Security Policy:
      1. Go to Security Profiles > Application Control.
      2. Select or create a profile.
      3. Add applications or categories to allow/block.

3.3.2 Bandwidth Prioritization

  • Why It’s Useful:
    • Ensures critical applications (e.g., VoIP, Video Conferencing) receive priority bandwidth.
  • How to Configure:
    • Use Shaping Policies under Application Control:
      • Define traffic priorities using QoS settings.

3.4 Antivirus and DNS Filtering

These features protect against malicious files and domains.

3.4.1 Antivirus Features

  • Real-Time Scanning:

    • Inspects files in transit for viruses and malware.
  • Static Analysis:

    • Scans files for malicious signatures before they are downloaded.
  • How to Configure:

    1. Go to Security Profiles > Antivirus.
    2. Create or edit an Antivirus profile.
    3. Enable features like Real-Time Scan or Archive Scanning.
    4. Attach the Antivirus profile to a policy.
  • Quarantine Example CLI:

    config antivirus quarantine
        # Quarantine needs a local disk (or a FortiAnalyzer) as its destination
        set destination disk
        set store-infected http smtp pop3 imap
    end

3.4.2 DNS Filtering

  • What It Does:

    • Blocks access to malicious domains before the connection is established.
  • How to Configure:

    • Use FortiGuard DNS Filtering:

      1. Go to Security Profiles > DNS Filter.
      2. Create a profile and enable FortiGuard Category Filtering.
    • CLI Example:

      config dnsfilter profile
          edit "dns-block-malicious"
              set block-botnet enable
          next
      end
      

Practical Example Workflow

Here’s how Security Profiles might be applied in a real-world scenario:

  1. Web Filtering:
    • Block access to gambling and malicious sites.
  2. IPS:
    • Enable a default IPS profile to detect common network attacks.
  3. Application Control:
    • Limit access to social media applications during work hours.
  4. Antivirus:
    • Scan all downloaded files and quarantine suspicious ones.
  5. DNS Filtering:
    • Block known botnet domains.

Why Security Profiles Are Important

Security Profiles are FortiGate’s primary defense against modern threats. By combining Web Filtering, IPS, Application Control, and DNS Filtering, you create a layered security strategy. Start by enabling default profiles, then customize them as you gain familiarity with your network’s needs.

Security Profiles (Additional Content)

1. Email Filtering

What It Does:

Email filtering is used to protect inbound and outbound email traffic against:

  • Spam
  • Malware attachments
  • Phishing attempts
  • Impersonation attacks

FortiGate supports email filtering via FortiGuard Antispam, combined with basic DLP and antivirus scanning for email protocols (SMTP, POP3, IMAP).

How to Configure Email Filtering:

Create or edit an email filter profile and enable spam filtering:

config emailfilter profile
    edit "email-security"
        set spam-filtering enable
        # FortiGuard IP and URL checks plus DNS-based blocklists
        set options spamfsip spamfsurl spamrbl
        # The spam action is set per protocol
        config smtp
            set action discard
        end
    next
end

You can also:

  • Use FortiGuard DNS-based and IP-based blocklists (RBLs/ORBLs).
  • Tag suspected spam instead of discarding.
  • Configure additional filters such as banned file types or subject keywords.

Key Use Cases:

  • Blocking phishing campaigns targeting user credentials.
  • Preventing malicious attachments from reaching inboxes.
  • Tagging or redirecting promotional/spam content.

Exam Tip:

Expect scenario questions on:

  • Recognizing spam actions (discard, tag, quarantine).
  • Integration with mail relays.
  • Protocols protected by email filtering.

2. Data Loss Prevention (DLP)

What It Does:

DLP is a security mechanism that prevents sensitive or confidential data from leaving the organization’s network unintentionally or maliciously.

Common Use Cases:

  • Blocking credit card or personal identification numbers via email.
  • Preventing unauthorized uploads of confidential documents.
  • Enforcing compliance with regulations (e.g., PCI-DSS, HIPAA, GDPR).

How to Configure a Basic DLP Rule:

Example: Block credit card number patterns over SMTP. The example below uses the sensor/filter model of FortiOS 7.0 and earlier; FortiOS 7.2 reorganizes DLP into dlp dictionary, dlp sensor and dlp profile objects, and the firewall policy then references "set dlp-profile" instead of "set dlp-sensor".

config dlp sensor
    edit "Block-CC"
        config filter
            edit 1
                set name "visa-pan"
                set type message
                set proto smtp
                set filter-by regexp
                # Visa card pattern: 13 or 16 digits starting with 4
                set regexp "4[0-9]{12}(?:[0-9]{3})?"
                set action block
            next
        end
    next
end

After defining a sensor, apply it to a firewall policy:

config firewall policy
    edit 10
        set srcintf "port1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "SMTP"
        # Security profiles only apply when UTM is enabled on the policy
        set utm-status enable
        set dlp-sensor "Block-CC"
    next
end

DLP Matching Options:

  • File types (e.g., .docx, .pdf)
  • Regular expressions (credit card, ID numbers)
  • File fingerprinting (for document control)
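As an added check that is not part of the page's configuration or Fortinet's code, this Python snippet runs the Visa regex from the DLP example over a constructed message and shows why a checksum is worth pairing with it: the bare pattern also fires on any 13- or 16-digit run that starts with 4, and it misses numbers typed with spaces or dashes. The function names and sample text are mine.

```python
import re

# The Visa pattern from the DLP sensor above: 13 or 16 digits starting with 4.
VISA_PATTERN = re.compile(r"4[0-9]{12}(?:[0-9]{3})?")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str, require_luhn: bool = True) -> list:
    """Return candidate Visa PANs found in a message body.

    Spaces and dashes between digits are stripped first, because the sensor
    regex only matches contiguous digits and would miss '4111 1111 1111 1111'.
    """
    normalised = re.sub(r"(?<=\d)[ -](?=\d)", "", text)
    hits = VISA_PATTERN.findall(normalised)
    if require_luhn:
        hits = [h for h in hits if luhn_valid(h)]
    return hits


# Constructed sample message, not real customer data.
SAMPLE_BODY = (
    "Order 4111 1111 1111 1111 confirmed.\n"        # valid Visa test number
    "Ticket ref 4000000000000001 is still open.\n"  # 16 digits, fails Luhn
    "Call 4155551212 for support.\n"                # 10 digits, no match
)

if __name__ == "__main__":
    print("regex only :", find_card_numbers(SAMPLE_BODY, require_luhn=False))
    print("regex+Luhn :", find_card_numbers(SAMPLE_BODY))
```

FortiOS also offers a built-in credit-card match type, which is generally preferable to a hand-written regex for exactly this reason.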

3. SSL Inspection – Modes and Configuration

Why SSL Inspection Matters:

Today, over 90% of internet traffic is encrypted via HTTPS. Without SSL inspection, FortiGate cannot inspect payloads, leaving malware, C2 traffic, or data leaks hidden inside SSL tunnels.

FortiGate offers three SSL Inspection Modes:

1. Certificate Inspection (Basic Mode):

  • Does not decrypt traffic
  • Only inspects SSL/TLS handshake
  • Faster but limited visibility
  • Detects basic issues like expired or untrusted certificates

2. Deep SSL Inspection (Full Decryption):

  • Decrypts full SSL traffic
  • Enables full inspection by Antivirus, IPS, Web Filter, Application Control
  • Requires deployment of the FortiGate CA certificate to all client devices
  • May break applications using certificate pinning

3. No Inspection:

  • All SSL traffic is passed without inspection
  • Not recommended except for specific trusted traffic (e.g., banking apps)

How to Configure Deep SSL Inspection:

config firewall ssl-ssh-profile
    edit "Deep-Inspection"
        # Re-sign server certificates with the FortiGate's built-in CA
        set server-cert-mode re-sign
        set caname "Fortinet_CA_SSL"
        config https
            set ports 443
            set status deep-inspection
            set expired-server-cert block
            set untrusted-server-cert block
        end
    next
end

Apply the profile in a firewall policy (the SSL/SSH profile only takes effect when at least one other security profile is enabled on the same policy):

config firewall policy
    edit 3
        set utm-status enable
        set ssl-ssh-profile "Deep-Inspection"
    next
end

Best Practices:

  • Deploy FortiGate’s CA certificate to endpoints to avoid browser warnings.
  • Whitelist applications that break under decryption.
  • Use certificate inspection for high-privacy apps (e.g., banking) where decryption is inappropriate.

Quick Comparison Table

Feature         | Purpose                                      | Config Interface             | Exam Notes
----------------|----------------------------------------------|------------------------------|---------------------------------
Email Filtering | Protects email from spam, phishing, malware  | emailfilter profile          | Often tested in phishing cases
DLP             | Prevents sensitive data from leaving network | dlp sensor + firewall policy | Regex-based content detection
SSL Inspection  | Enables payload visibility in HTTPS traffic  | ssl-ssh-profile              | Key concept in threat prevention

Frequently Asked Questions

Why do users start getting certificate errors after I enable proxy-based UTM profiles or deep SSL inspection?

Answer:

Because the firewall is now actively decrypting and re-signing sessions, so trust and certificate-chain issues become visible to clients.

Explanation:

This is one of the most common real-world security-profile questions. Community posts show admins enabling proxy-based or full inspection and then seeing client certificate warnings almost immediately. That behavior is expected unless endpoints trust the FortiGate-issued inspection certificate. Fortinet’s SSL troubleshooting guidance also notes that certificate retrieval or validation failures can block sessions during inspection. The practical rule is simple: once you decrypt traffic, the firewall effectively becomes an interception point for TLS. If clients do not trust the inspection CA, or the server-side certificate chain is incomplete or problematic, users will see breakage. On the exam, the key is not to answer “disable inspection.” The better answer is to understand the inspection method, deploy the right trusted CA to clients, and validate the server certificate chain before blaming web filtering or routing.

Demand Score: 83

Exam Relevance Score: 91

Why are the inspected protocols missing in the Antivirus security profile, and why do I get an undefined error?

Answer:

That symptom usually indicates a GUI/profile handling problem or build-specific issue, not that antivirus inspection logic has disappeared entirely.

Explanation:

A Fortinet community thread from early 2025 shows admins unable to see protocol options or edit existing AV profiles because of an undefined error. In troubleshooting terms, that means you should separate GUI rendering problems from actual profile-engine behavior. First confirm whether the issue reproduces across browsers and admin accounts. Then verify whether it appeared after a firmware change and whether the profile can still be inspected or modified through alternate methods. The exam lesson is pattern recognition: when a security-profile screen behaves abnormally, do not immediately assume policy order or traffic flow is the root cause. Sometimes the management interface is the problem, and the correct next step is version-aware troubleshooting rather than redesigning the policy package. This kind of question rewards engineers who distinguish configuration semantics from presentation-layer issues.

Demand Score: 75

Exam Relevance Score: 72

Why do blocked sessions sometimes show the application only as “SSL,” and how should I think about SSL inspection best practice?

Answer:

Because without deeper decryption and inspection, FortiGate may only classify the encrypted wrapper, not the real application inside it.

Explanation:

Two recurring demand signals line up here: admins asking why logs show only “SSL,” and others asking when deeper SSL inspection is worth the operational cost. Community discussion explains the core idea well: if traffic remains encrypted, visibility into the actual payload and app identity is limited. That is why application control may appear coarse or generic unless the traffic is decrypted or otherwise identifiable. The tradeoff is operational: deeper inspection improves visibility and enforcement, but it also introduces certificate trust, compatibility, and exception-management overhead. For the exam, the strong answer is balanced: use inspection where the security value justifies it, understand what certificate inspection cannot reveal, and do not expect precise application identification from traffic you choose not to decrypt. That is a much better answer than treating inspection as universally “on” or universally “off.”

Demand Score: 71

Exam Relevance Score: 86
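As an added illustration (not from the page or from Fortinet), this Python snippet parses constructed FortiGate traffic-log lines and measures how much port-443 traffic was classified only as the SSL wrapper versus a real application, which is the visibility gap the answer above describes. The functions and sample lines are mine; the field names follow FortiGate's standard key=value log format.

```python
import re
from collections import Counter

# FortiGate logs are key=value pairs; values containing spaces are double-quoted.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log_line(line: str) -> dict:
    """Turn one FortiGate log line into a dict of field -> value."""
    return {key: (quoted if quoted else bare) for key, quoted, bare in KV.findall(line)}


def ssl_visibility(lines) -> dict:
    """Count port-443 traffic sessions by how far application control could see.

    app="SSL" means only the encrypted wrapper was classified (the usual result
    without deep inspection); any other app name means the real application
    inside the tunnel was identified.
    """
    seen = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec.get("type") != "traffic" or rec.get("dstport") != "443":
            continue
        seen["wrapper_only" if rec.get("app") == "SSL" else "identified"] += 1
    total = seen["wrapper_only"] + seen["identified"]
    return {
        "identified": seen["identified"],
        "wrapper_only": seen["wrapper_only"],
        "wrapper_only_pct": round(100.0 * seen["wrapper_only"] / total, 1) if total else 0.0,
    }


# Constructed sample lines, not real logs; field names follow FortiGate's key=value format.
SAMPLE_LOGS = [
    'type="traffic" subtype="forward" srcip=10.0.0.5 dstip=203.0.113.10 dstport=443 action="accept" app="SSL" appcat="Network.Service"',
    'type="traffic" subtype="forward" srcip=10.0.0.6 dstip=203.0.113.11 dstport=443 action="accept" app="Dropbox" appcat="Storage.Backup"',
    'type="traffic" subtype="forward" srcip=10.0.0.7 dstip=203.0.113.12 dstport=443 action="deny" app="SSL" appcat="Network.Service"',
    'type="traffic" subtype="forward" srcip=10.0.0.8 dstip=203.0.113.13 dstport=80 action="accept" app="HTTP.BROWSER" appcat="Web.Client"',
    'type="utm" subtype="webfilter" srcip=10.0.0.5 dstip=203.0.113.10 dstport=443 action="blocked" catdesc="Malicious Websites"',
]

if __name__ == "__main__":
    print(ssl_visibility(SAMPLE_LOGS))
```

A high wrapper-only share on a policy that is supposed to enforce application control is the signal that the policy is running certificate inspection or no inspection, not deep inspection.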
