Technical Tip: AI driven credential phishing prevention
Description
This article describes the AI-driven feature that prevents credential phishing by scanning submission traffic against the sensitive corporate network credentials stored in the corporate domain controller.
Solution
When credential phishing prevention is enabled, the FortiGate scans user names and passwords in submission traffic to external URLs against the sensitive corporate network credentials stored in the corporate domain controller.
Based on the configured antiphishing rules in proxy mode web filter profiles, the FortiGate will block the URL or alert the user.
Credential phishing prevention includes the following components:
- The antiphishing profile that defines the corporate network credentials stored in the domain controller, antiphishing check option, default action if no rules match, antiphishing status, and so on.
- The antiphishing table that defines specific URLs and what antiphishing action (block, log, exempt) should be taken when the URL submission request matches.
- The FortiGuard category-based antiphishing rule that defines what action will occur if the submission request matches a FortiGuard category.
- The antiphishing table and FortiGuard category-based antiphishing rule behave differently from the urlfilter and FortiGuard filter:
  - If a request is blocked by the urlfilter or FortiGuard filter, no further antiphishing scanning takes place.
  - Antiphishing scanning occurs only after the local urlfilter and FortiGuard filter allow the traffic. If a submission matches the antiphishing table, the defined action is taken and no further FortiGuard category-based rules are applied.
  - Similar to firewall rules, the antiphishing table and FortiGuard category-based antiphishing rule use top-down priority. Whichever rule matches first is the one that is used.
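The evaluation order above can be hard to keep straight, so here is a small Python model of it (an added example, not FortiOS code or Fortinet's implementation). The rule values mirror the configuration used later in this article; the credential set is a constructed stand-in for the domain controller lookup, and the assumption that only submissions carrying corporate credentials are acted on follows from the article's premise.

```python
"""Model of the FortiGate antiphishing decision order (added example)."""
from dataclasses import dataclass

# Constructed stand-in for the corporate credentials held by the domain
# controller; on a real FortiGate this lookup is done against the DC.
CORPORATE_CREDS = {("alice", "Winter2024!")}

# Antiphishing table (a urlfilter list with antiphish enabled): URL -> action.
ANTIPHISH_TABLE = {"www.example.com": "block"}

# FortiGuard category-based rules, evaluated top-down; first match wins.
# "all" is the wildcard entry used by the article's "inspect-others" rule.
CATEGORY_RULES = [(37, "block"), ("all", "log")]

# Profile default-action when no category rule matches.
DEFAULT_ACTION = "block"


@dataclass
class Submission:
    url: str
    fortiguard_category: int
    username: str
    password: str
    blocked_by_webfilter: bool = False  # verdict of urlfilter / FortiGuard filter


def antiphish_decision(s: Submission) -> str:
    # 1. A request already blocked by the urlfilter or FortiGuard filter is
    #    never antiphishing-scanned.
    if s.blocked_by_webfilter:
        return "blocked-by-webfilter"
    # 2. Only submissions that carry corporate credentials trigger an action.
    if (s.username, s.password) not in CORPORATE_CREDS:
        return "allow"
    # 3. An antiphishing-table match is final; category rules are skipped.
    if s.url in ANTIPHISH_TABLE:
        return ANTIPHISH_TABLE[s.url]
    # 4. Otherwise the first matching category rule decides.
    for category, action in CATEGORY_RULES:
        if category == "all" or category == s.fortiguard_category:
            return action
    # 5. Nothing matched: fall back to the profile's default action.
    return DEFAULT_ACTION
```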
To configure credential phishing prevention:
1) Configure the antiphishing profile, which includes the FortiGuard category rule. In this example, URLs that match FortiGuard category 37 (social networking) will be blocked and other categories will be logged.
# config webfilter profile
    edit "<profile-name>"
        ...
        config web
            ...
        end
        config antiphish
            set status enable
            set domain-controller "win2016"
            set default-action block
            set check-uri enable
            set check-basic-auth enable
            set max-body-len 65536
            config inspection-entries
                edit "inspect-37"
                    set fortiguard-category 37
                    set action block
                next
                edit "inspect-others"
                    set fortiguard-category all
                    set action log
                next
            end
            config custom-patterns
                edit "customer-name"
                    set category username
                next
                edit "customer-passwd"
                    set category password
                next
            end
        end
        ...
        set web-antiphishing-log enable
    next
end
Besides the built-in user name and password keyword patterns, additional keyword patterns can be configured under config custom-patterns.
2) Add the antiphishing attribute to the urlfilter table:
# config webfilter urlfilter
    edit 1
        set name "antiphish-table"
        set antiphish enable
        config entries
            edit 1
                set url "www.example.com"
                set type simple
                set antiphish-action block
                set status enable
                set referrer-host ''
            next
        end
    next
end
3) Add the antiphishing table to the webfilter profile.
The antiphish-table references a urlfilter table with the antiphish attribute enabled. The urlfilter-table and antiphish-table cannot refer to the same list number:
# config webfilter profile
    edit "<profile-name>"
        config web
            set urlfilter-table 4
            set antiphish-table 1
        end
        ...
    next
end
