Description
This article describes how to configure credential phishing prevention.
Scope
FortiGate, v6.2, 6.4, 7.0, 7.2.
Solution
When credential phishing prevention is enabled, the FortiGate scans for corporate credentials submitted to external websites and compares them against the credentials held on the corporate domain controller.
Based on the anti-phishing rules configured in proxy-mode web filter profiles, the FortiGate blocks the URL or alerts the user when the submitted credentials match those stored on the domain controller.
To configure credential phishing prevention:
config credential-store domain-controller
    edit "win2016"
        set domain-name "corpserver.local"
        set username "Administrator"
        set password ENC password
        set ip <server_ip>
    next
end
The domain controller entry name has to be the hostname of the DC (win2016 in the example). Both the hostname and the domain name are case-sensitive.
v6.2.x and v6.4.x:
config credential-store domain-controller
    edit "win-2016"
        set ad-mode ds <- Depends upon the Active Directory configuration.
        set hostname "WIN-703SCUQNK4V" <- Computer name; must match the server name and is case-sensitive.
        set username "administrator"
        set password ENC Mzc7EHSErnksdOmIcJSk4XqaPs5huYfbKfqbX09rmgGp1IGx8UDvFCBXNFrbfrDwhyqC8nENo94PBf00q5cqKCd/BRtj1igxl68Bpw0zFgpYDH2y6avt8JYOmM3Urj5dMJ8CjAkrkSLFa3EgHMqW6vbMuqeVKqgKtKXtDV1TT3rM2/E+7DbaV8qX8UFnjbVb12GSMA==
        set ip-address 90.0.0.2 <- IP of the domain controller.
        set domain-name "mango-jazz.local"
    next
end
config user ldap
    edit "90.0.0.2"
        set server "90.0.0.2"
        set cnid "SAMAccountName"
        set dn "dc=mango-jazz,dc=local"
        set type regular
        set username "mango-jazz\\administrator"
        set password ENC MTAwNPlwRLfBrqmgQXXVg+1NiYbq51zyoCUCbeyNWv2VGVOwUvTjROPmbJkjZ0Rf4jQEFAfD6XdVdUabi8or8TWwqqB0d/telVFxSQSCuSbSGn62z7l7IuG4YryNMXlBYVdmlSc/XVhGy8UUHlp1kVxN10ibQfoGN5kN8KqjzBXVrvuLNygc0pD34CrxO0+RQUWkCA==
        set antiphish enable <- antiphish is disabled by default; enable it only when this LDAP server is used as the authentication server.
        set password-attr "userPassword"
    next
end
config webfilter profile
    edit "<profile-name>"
        set feature-set proxy
        ...
        config web
            ...
        end
        config antiphish
            set status enable
            set domain-controller "win2016"
            set default-action block
            set check-uri enable
            set check-basic-auth enable
            set max-body-len 65536
            config inspection-entries
                edit "inspect-37"
                    set fortiguard-category 37
                    set action block
                next
                edit "inspect-others"
                    set fortiguard-category all
                    set action log
                next
            end
            config custom-patterns
                edit "customer-name"
                    set category username
                next
                edit "customer-passwd"
                    set category password
                next
            end
        end
        ...
        set web-antiphishing-log enable
    next
end
In the above example, credential submissions to sites in FortiGuard category 37 are blocked by the anti-phishing scan, while submissions to sites in all other categories are allowed and logged.
A URL filter table can also carry a per-URL anti-phishing action; attach the table to the profile with urlfilter-table:
config webfilter urlfilter
    edit 1
        set name "antiphish-table"
        config entries
            edit 1
                set url "www.example.com"
                set type simple
                set antiphish-action block
                set status enable
                set referrer-host ''
            next
        end
    next
end
config webfilter profile
    edit "<profile-name>"
        config web
            set urlfilter-table 1
        end
        ...
    next
end
Custom patterns are defined under the profile's antiphish table:
config webfilter profile
    edit "<profile-name>"
        config antiphish
            config custom-patterns
                edit "customer-name"
                    set category username
                next
                edit "customer-passwd"
                    set category password
                next
            end
        end
    next
end
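The steps above touch several tables (credential store, LDAP server, web filter profile with its antiphish sub-table, URL filter), and the pieces that are easy to leave out are the ones the text calls out: the proxy feature set, the 'end' that closes each table, and 'set antiphish enable' on the LDAP server. The following Python script is an added example and is not Fortinet code: it parses a FortiOS-style configuration excerpt (the config/edit/set/next/end nesting shown above) and compares the anti-phishing settings with the values the article uses. The sample configuration embedded in it is constructed for the demonstration and deliberately pairs a weak profile with a hardened one; an unterminated table is reported as a parse error.

```python
"""Lint credential-phishing-prevention settings in a FortiOS config excerpt.
Added example, not Fortinet code: parses the config/edit/set/next/end nesting and
compares the anti-phishing settings with the values the article uses."""
import shlex

# Constructed sample: 'weak-profile' departs from the article's settings,
# 'hardened-profile' follows them, and the LDAP entry lacks 'set antiphish enable'.
SAMPLE_CONFIG = r'''config user ldap
    edit "90.0.0.2"
        set username "mango-jazz\\administrator"
        set password-attr "userPassword"
    next
end
config webfilter profile
    edit "weak-profile"
        set feature-set flow
        config antiphish
            set default-action log
        end
    next
    edit "hardened-profile"
        set feature-set proxy
        config antiphish
            set status enable
            set domain-controller "win2016"
            set default-action block
            set check-basic-auth enable
        end
        set web-antiphishing-log enable
    next
end
'''
# 'config antiphish' settings the article sets, with the values it uses.
EXPECTED_ANTIPHISH = {"status": "enable", "default-action": "block", "check-basic-auth": "enable"}

def _node():
    return {"set": {}, "config": {}, "edit": {}}

def _parse(node, tokens, i, terminator):
    """Fill node from tokens[i:] up to terminator ('end'/'next'); return next index."""
    while i < len(tokens):
        cmd, args = tokens[i][0], tokens[i][1:]
        i += 1
        if cmd == terminator:
            return i
        if cmd == "config":                       # a table or sub-table
            child = _node()
            i = _parse(child, tokens, i, "end")
            node["config"][" ".join(args)] = child
        elif cmd == "edit":                       # one entry of a table
            child = _node()
            i = _parse(child, tokens, i, "next")
            node["edit"][args[0] if args else ""] = child
        elif cmd == "set":
            node["set"][args[0]] = args[1:]
        else:
            raise ValueError(f"unexpected keyword {cmd!r}")
    if terminator is not None:                    # e.g. a 'next' with no closing 'end'
        raise ValueError(f"unterminated block: missing {terminator!r}")
    return i

def parse_fortios(text):
    """Parse a FortiOS config excerpt into nested {'set', 'config', 'edit'} dicts."""
    tokens = [t for t in (shlex.split(line) for line in text.splitlines()) if t]
    root = _node()
    _parse(root, tokens, 0, None)
    return root

def _value(node, key, default=""):
    return (node["set"].get(key) or [default])[0]

def lint_antiphish(root):
    """Return {'profile <name>' or 'ldap <name>': [findings]}; an empty list means OK."""
    out = {}
    for name, prof in root["config"].get("webfilter profile", _node())["edit"].items():
        issues = []
        if _value(prof, "feature-set") != "proxy":
            issues.append("feature-set is not 'proxy'; anti-phishing rules apply to proxy-mode profiles")
        ap = prof["config"].get("antiphish")
        if ap is None:
            issues.append("no 'config antiphish' block")
        else:
            issues += [f"antiphish {k}={_value(ap, k, '<unset>')}, article uses {v}"
                       for k, v in EXPECTED_ANTIPHISH.items() if _value(ap, k) != v]
            if not _value(ap, "domain-controller"):
                issues.append("antiphish domain-controller not set")
        if _value(prof, "web-antiphishing-log") != "enable":
            issues.append("web-antiphishing-log is not enabled (the article enables it)")
        out[f"profile {name}"] = issues
    for name, srv in root["config"].get("user ldap", _node())["edit"].items():
        issues = []
        if _value(srv, "antiphish", "disable") != "enable":
            issues.append("antiphish disabled (the default); enable it when this server is the authentication server")
        if not _value(srv, "password-attr"):
            issues.append("password-attr not set")
        out[f"ldap {name}"] = issues
    return out

if __name__ == "__main__":
    for name, issues in lint_antiphish(parse_fortios(SAMPLE_CONFIG)).items():
        print(f"{name}: " + ("OK" if not issues else "\n  - ".join([""] + issues)))
```

The parser only knows the four keywords that appear in the article's configuration, which is enough for output copied from 'show' on these tables; anything else raises so that a pasted excerpt is not silently misread.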
Troubleshooting:
WAD debugs can be run to verify the anti-phishing process. For HTTPS websites, SSL deep inspection must be enabled and the FortiGate's SSL inspection CA certificate must be installed (trusted) on the end-host machines to avoid certificate errors.
diagnose debug reset
diagnose wad debug display pid enable
diagnose wad debug enable level verbose
diagnose wad debug enable category antiphish
diagnose debug enable
Sample debug output:
[I]2023-04-14 11:40:20.349211 [p:1851][s:2593][r:515] wad_http_url_filter_check_local:3383 hreq=0x7fa6184e9c38 prof=default host=example.com(93.184.216.34) vd=root id=0 rate=0
[I]2023-04-14 11:40:20.349219 [p:1851][s:2593][r:515] wad_url_filter_local_request:906 hreq=0x7fa6184e9c38 wfp=0x7fa61d012378 ssl_url_chk=1 acion=allow: >>
[V]2023-04-14 11:40:20.349221 [p:1851][s:2593][r:515] wad_url_fetch_cate2:1505 host=example.com ip=93.184.216.34
[I]2023-04-14 11:40:20.349230 [p:1851][s:2593][r:515] wad_url_cate_dump_req_ctx:243 (fetch-done): req/wfp=1/1 cate: cate=255 webf=255 sslexempt=255 url/ip=0/0 done: bal=0,local/user/cache/ftgd=1/1/1/1 matched[url]: block/allow/user=0/0/0 ftgd=0 sub=1 log=0 invalid=0
[I]2023-04-14 11:40:20.349236 [p:1851][s:2593][r:515] wad_url_choose_cate:2163 cate=52 (ftgd) url-cates=[52,]; url=[ # 52,],ip=[ # 56,]; conf webfilter 'default':[96,98,99,64,65,66,67,83,86,88,90,91,52,57,59,61,62,63,0,1,2,3,4]
[I]2023-04-14 11:40:20.349241 [p:1851][s:2593][r:515] wad_url_filter_dump_result:223 wad_url_filter_check_url_filter_on_result(dump) id=0 state=done type=req_http has_cat=1[52] log=1 result: id=0 log=1 cate=52(0/0) flags=00000000 action=ftgd-monitor warn_domain=0 warn_session=0
[V]2023-04-14 11:40:20.349272 [p:1851][s:2593][r:515] wad_url_filter_proc_http_result:2259 hreq=0x7fa6184e9c38 id=0 wsp=0x7fa61b920228 wfp=0x7fa61d012378
[V]2023-04-14 11:40:20.349274 [p:1851][s:2593][r:515] wad_url_filter_log_result:2386 url_req=0x7fa61878ab08 result=1 log=1 type=ftgd_monitor lasttype=none
[V]2023-04-14 11:40:20.349275 [p:1851][s:2593][r:515] wad_url_filter_log:1954 http req=0x7fa6184e9c38 action=0 type=ftgd_monitor keyword=0/0 search_log=0/0
[V]2023-04-14 11:40:20.349821 [p:1851][s:2593][r:515] wad_tcp_port_out_read_block:1005 tcp_port 0x7fa61b7c6b38 fd=107 on=0 n_out_block=1~>0 in(/out)_shutdown=0/0 closed=0 state=2.
[V]2023-04-14 11:40:20.349824 [p:1851][s:2593][r:515] wad_tcp_port_transport_read_block:960 tcp_port 0x7fa61b7c6b38 fd=107 on=0 n_out_block=1~>0 in(/out)_shutdown=0/0 closed=0 events=0x0.
[V]2023-04-14 11:40:20.349825 [p:1851][s:2593][r:515] wad_tcp_port_transport_read_block:992 sock 107 read_block removed, turn on readability.
[V]2023-04-14 11:40:20.349827 [p:1851][s:2593][r:515] wad_http_msg_strm_resume:1088 strm resumed, execute=wad_http_clt_read_req_line is_clt=1
[V]2023-04-14 11:40:20.349829 [p:1851][s:2593][r:515] wad_http_decide_antiphish:95 Performing proper check
[I]2023-04-14 11:40:20.349831 [p:1851][s:2593][r:515] wad_url_filter_cancel:667 type=0 req=0x7fa6184e9c38 url_req=0x7fa61878ab08 id=0
[I]2023-04-14 11:40:20.349833 [p:1851][s:2593][r:515] wad_http_req_proc_waf:1309 req=0x7fa6184e9c38 ssl.deep_scan=0 proto=1 exempt=0 waf=(nil) body_len=0 ua=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 Edg/112.0.1722.39 skip_scan=0
[V]2023-04-14 11:40:20.349835 [p:1851][s:2593][r:515] wad_mem_c_malloc:138 size 27112 exceeds max_elm_size (18396); not using bucket
[V]2023-04-14 11:40:20.349838 [p:1851][s:2593][r:515] wad_tcp_port_out_read_block:1005 tcp_port 0x7fa61b7c6b38 fd=107 on=1 n_out_block=0~>1 in(/out)_shutdown=0/0 closed=0 state=2.
[V]2023-04-14 11:40:20.349839 [p:1851][s:2593][r:515] wad_tcp_port_transport_read_block:960 tcp_port 0x7fa61b7c6b38 fd=107 on=1 n_out_block=0~>1 in(/out)_shutdown=0/0 closed=0 events=0x1.
[V]2023-04-14 11:40:20.349839 [p:1851][s:2593][r:515] wad_tcp_port_transport_read_block:974 sock 107 read_block enforced, turn off readability.
[V]2023-04-14 11:40:20.349840 [p:1851][s:2593][r:515] wad_http_msg_strm_pause:1065 strm paused, flag=0x2 is_clt=1
[V]2023-04-14 11:40:20.349840 [p:1851][s:2593][r:515] wad_http_req_proc_antiphish:8239 Antiphish configured for req=0x7fa6184e9c38. HTTP method=0. Body_len=0
[V]2023-04-14 11:40:20.349858 [p:1851][s:2593][r:515] wad_antiphish_find_matches:537 Found credentials while parsing req=0x7fa6184e9c38 Password count=1 Users: "jessie" "jessie"
[I]2023-04-14 11:40:20.349861 [p:1851][s:2593][r:515] wad_auth_get_credentials:354 Got request to fetch credentials with type 1 principal jessie
[V]2023-04-14 11:40:20.349862 [p:1851][s:2593][r:515] wad_auth_cred_cache_internal_lookup:434 Found principal 'jessie' in cache
[V]2023-04-14 11:40:20.349889 [p:1851][s:2593][r:515] wad_auth_get_credentials:369 Cred cache hit for type 1 principal jessie
[V]2023-04-14 11:40:20.349890 [p:1851][s:2593][r:515] wad_antiphish_request_done:180 Credentials for req=0x7fa6184e9c38 Result=Match Action=BLOCK
[I]2023-04-14 11:40:20.349909 [p:1851][s:2593][r:515] __wad_http_build_replmsg_resp:705 Generating replacement message. Antiphish matched credentials repmsg_id 70
[V]2023-04-14 11:40:20.349912 [p:1851][s:2593][r:515] wad_mem_c_malloc:138 size 32770 exceeds max_elm_size (18396); not using bucket
For Gmail access:
:1309 req=0x7fa6184ef488 ssl.deep_scan=1 proto=10 exempt=0 waf=(nil) body_len=18446744073709551615 ua=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 skip_scan=0
[V]2023-04-14 11:43:23.959339 [p:1851][s:2816][r:573] wad_mem_c_malloc:138 size 27112 exceeds max_elm_size (18396); not using bucket
0415:h2s=0x7fa618604098,strm_id=00001,strm_id=1 blocks=1, on=1, new_data=0,clt
[V]2023-04-14 11:43:23.959342 [p:1851][s:2816][r:573] wad_http_req_proc_antiphish:8239 Antiphish configured for req=0x7fa6184ef488. HTTP method=0. Body_len=18446744073709551615
[V]2023-04-14 11:43:23.959367 [p:1851][s:2816][r:573] wad_antiphish_find_matches:537 Found credentials while parsing req=0x7fa6184ef488 Password count=1 Users: "https://mail.google.com/mail/u/0/"
[I]2023-04-14 11:43:23.959369 [p:1851][s:2816][r:573] wad_auth_get_credentials:354 Got request to fetch credentials with type 1 principal https://mail.google.com/mail/u/0/
[V]2023-04-14 11:43:23.959370 [p:1851][s:2816][r:573] wad_auth_cred_cache_internal_lookup:430 Found principal 'https://mail.google.com/mail/u/0/' in negative cache
[V]2023-04-14 11:43:23.959371 [p:1851][s:2816][r:573] wad_auth_get_credentials:379 Negative cred cache hit for type 1 principal https://mail.google.com/mail/u/0/
[I]2023-04-14 11:43:23.959372 [p:1851][s:2816][r:573] wad_antiphish_check_credentials:417 We've exhausted our user count req=0x7fa61b700010
[V]2023-04-14 11:43:23.959372 [p:1851][s:2816][r:573] wad_antiphish_request_done
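Reading raw WAD output by hand is slow, and the two samples above show the two outcomes that matter when verifying the feature: in the first, wad_antiphish_find_matches extracts the user "jessie", the credential cache lookup hits, and the request ends with Result=Match Action=BLOCK followed by a replacement message; in the second, the extracted "user" is a URL, the lookup lands in the negative cache and the user count is exhausted, so nothing is blocked. The Python script below is an added example, not Fortinet tooling: it parses lines of the shape shown above, groups them by session id and prints a one-line verdict per session. Its sample input consists of the article's own debug lines re-joined onto single lines.

```python
"""Summarise FortiGate WAD anti-phishing debug output per proxy session.
Added example, not Fortinet tooling: it parses lines shaped like
'[L]<date> <time> [p:PID][s:SID][r:RID] function:line message' and reports what
the antiphish check extracted and decided for each session it sees."""
import re
from collections import defaultdict

# Sample input: lines taken from the article's debug output, re-joined onto single
# lines (the extraction had wrapped them at a fixed width).
SAMPLE_DEBUG = """\
[V]2023-04-14 11:40:20.349840 [p:1851][s:2593][r:515] wad_http_req_proc_antiphish:8239 Antiphish configured for req=0x7fa6184e9c38. HTTP method=0. Body_len=0
[V]2023-04-14 11:40:20.349858 [p:1851][s:2593][r:515] wad_antiphish_find_matches:537 Found credentials while parsing req=0x7fa6184e9c38 Password count=1 Users: "jessie" "jessie"
[I]2023-04-14 11:40:20.349861 [p:1851][s:2593][r:515] wad_auth_get_credentials:354 Got request to fetch credentials with type 1 principal jessie
[V]2023-04-14 11:40:20.349862 [p:1851][s:2593][r:515] wad_auth_cred_cache_internal_lookup:434 Found principal 'jessie' in cache
[V]2023-04-14 11:40:20.349890 [p:1851][s:2593][r:515] wad_antiphish_request_done:180 Credentials for req=0x7fa6184e9c38 Result=Match Action=BLOCK
[I]2023-04-14 11:40:20.349909 [p:1851][s:2593][r:515] __wad_http_build_replmsg_resp:705 Generating replacement message. Antiphish matched credentials repmsg_id 70
[V]2023-04-14 11:43:23.959367 [p:1851][s:2816][r:573] wad_antiphish_find_matches:537 Found credentials while parsing req=0x7fa6184ef488 Password count=1 Users: "https://mail.google.com/mail/u/0/"
[V]2023-04-14 11:43:23.959370 [p:1851][s:2816][r:573] wad_auth_cred_cache_internal_lookup:430 Found principal 'https://mail.google.com/mail/u/0/' in negative cache
[I]2023-04-14 11:43:23.959372 [p:1851][s:2816][r:573] wad_antiphish_check_credentials:417 We've exhausted our user count req=0x7fa61b700010
"""

LINE_RE = re.compile(
    r"^\[(?P<level>[A-Z])\](?P<ts>\S+ \S+) "
    r"\[p:(?P<pid>\d+)\]\[s:(?P<sid>\d+)\]\[r:(?P<rid>\d+)\] "
    r"(?P<func>\w+):(?P<line>\d+) ?(?P<msg>.*)$")

def parse_wad_line(line):
    """Split one WAD debug line into its fields; None if the line has another shape."""
    m = LINE_RE.match(line.rstrip())
    return m.groupdict() if m else None

def _new_session():
    return {"users": [], "password_count": 0, "cache": None, "result": None,
            "action": None, "replacement": False, "exhausted": False}

def summarize_antiphish(text):
    """Return {session_id: summary} built from the antiphish-related messages."""
    sessions = defaultdict(_new_session)
    for raw in text.splitlines():
        rec = parse_wad_line(raw)
        if rec is None:                 # prompt, blank line or another daemon's output
            continue
        s, func, msg = sessions[rec["sid"]], rec["func"], rec["msg"]
        if func == "wad_antiphish_find_matches":            # credential fields found in the request
            m = re.search(r"Password count=(\d+)", msg)
            s["password_count"] = int(m.group(1)) if m else 0
            s["users"] = sorted(set(re.findall(r'"([^"]*)"', msg)))
        elif func == "wad_auth_cred_cache_internal_lookup":  # known principal, or negative cache
            s["cache"] = "negative" if "negative cache" in msg else "hit"
        elif func == "wad_antiphish_request_done":          # final decision for the request
            m = re.search(r"Result=(\w+) Action=(\w+)", msg)
            if m:
                s["result"], s["action"] = m.groups()
        elif func == "__wad_http_build_replmsg_resp" and "Antiphish" in msg:
            s["replacement"] = True                         # block page was generated
        elif func == "wad_antiphish_check_credentials" and "exhausted" in msg:
            s["exhausted"] = True                           # no candidate resolved to a principal
    return dict(sessions)

def verdict(summary):
    """One-line reading of a session summary."""
    if summary["result"] == "Match":
        return f"MATCH: submitted credentials matched a domain account, action={summary['action']}"
    if summary["cache"] == "negative" or summary["exhausted"]:
        return f"NO MATCH: candidate(s) {summary['users']} are not known domain principals"
    return "INCONCLUSIVE: no wad_antiphish_request_done result seen"

if __name__ == "__main__":
    for sid, summary in summarize_antiphish(SAMPLE_DEBUG).items():
        print(f"session {sid}: {verdict(summary)}")
```

Lines that do not match the expected shape are skipped, so a whole console capture can be pasted in; the session id [s:N] is the grouping key because every message for one proxied connection carries it.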
Copyright 2024 Fortinet, Inc. All Rights Reserved.