FortiGate
vinodhini
Staff
Article Id 196429

Description

 

This article describes how to configure credential phishing prevention.

 

Scope


FortiGate, FortiOS 6.2, 6.4, 7.0, 7.2.

Solution

 

When credential phishing prevention is enabled, the FortiGate scans for corporate credentials submitted to external websites and compares them to the credentials stored on the corporate domain controller.

Based on the configured anti-phishing rules in proxy mode web filter profiles, the FortiGate will block the URL or alert the user if the credentials match the ones that are stored on the corporate domain controller.

To configure credential phishing prevention:

1) Configure the corporate domain controller:

The corporate domain controller must be configured on the credential store.
Credentials are matched based on sAMAccountName.
UPN format is not currently supported.

 

# config credential-store domain-controller
    edit "win2016"
        set domain-name "corpserver.local"
        set username "Administrator"
        set password ENC password
        set ip <server_ip>
    next
end

 

The domain controller entry name has to be the hostname of the DC (win2016 in the example).
Both it and the domain name are case-sensitive.

 

FortiOS 6.2.X and 6.4.X:

 

# config credential-store domain-controller
    edit "win-2016"
        set ad-mode ds                      <- Depends upon the Active Directory configuration.
        set hostname "WIN-703SCUQNK4V"      <- Computer name.
        set username "administrator"
        set password ENC Mzc7EHSErnksdOmIcJSk4XqaPs5huYfbKfqbX09rmgGp1IGx8UDvFCBXNFrbfrDwhyqC8nENo94PBf00q5cqKCd/BRtj1igxl68Bpw0zFgpYDH2y6avt8JYOmM3Urj5dMJ8CjAkrkSLFa3EgHMqW6vbMuqeVKqgKtKXtDV1TT3rM2/E+7DbaV8qX8UFnjbVb12GSMA==
        set ip-address 90.0.0.2             <- IP of the domain controller.
        set domain-name "mango-jazz.local"
    next
end

 

# config user ldap
    edit "90.0.0.2"
        set server "90.0.0.2"
        set cnid "SAMAccountName"
        set dn "dc=mango-jazz,dc=local"
        set type regular
        set username "mango-jazz\\administrator"
        set password ENC MTAwNPlwRLfBrqmgQXXVg+1NiYbq51zyoCUCbeyNWv2VGVOwUvTjROPmbJkjZ0Rf4jQEFAfD6XdVdUabi8or8TWwqqB0d/telVFxSQSCuSbSGn62z7l7IuG4YryNMXlBYVdmlSc/XVhGy8UUHlp1kVxN10ibQfoGN5kN8KqjzBXVrvuLNygc0pD34CrxO0+RQUWkCA==
        set antiphish enable                <- antiphish is disabled by default.
        set password-attr "userPassword"
    next
end

 

FortiOS 7.0.X and 7.2.X:

 

# config user domain-controller     <- Domain controller configuration is now under user domain-controller.
    edit "win-2016"
        set ad-mode ds
        set hostname "WIN-703SCUQNK4V"
        set username "administrator"
        set password ENC Mzc7EHSErnksdOmIcJSk4XqaPs5huYfbKfqbX09rmgGp1IGx8UDvFCBXNFrbfrDwhyqC8nENo94PBf00q5cqKCd/BRtj1igxl68Bpw0zFgpYDH2y6avt8JYOmM3Urj5dMJ8CjAkrkSLFa3EgHMqW6vbMuqeVKqgKtKXtDV1TT3rM2/E+7DbaV8qX8UFnjbVb12GSMA==
        set ip-address 90.0.0.2
        set domain-name "mango-jazz.local"
    next
end

 

2) Configure the anti-phishing profile, which includes the FortiGuard category rule:

 

# config webfilter profile
    edit "<profile-name>"
        set feature-set proxy
        ...
            # config web
            ...
            end
            # config antiphish
                set status enable
                set domain-controller "win2016"   
                set default-action block
                set check-uri enable
                set check-basic-auth enable
                set max-body-len 65536
                    # config inspection-entries
                        edit "inspect-37"
                            set fortiguard-category 37
                            set action block
                        next
                        edit "inspect-others"
                            set fortiguard-category all
                            set action log
                        next
                    end
                    # config custom-patterns
                        edit "customer-name"
                            set category username
                        next
                        edit "customer-passwd"
                            set category password
                        next
                    end
            end
            ...
        set web-antiphishing-log enable
    next
end

 

- check-uri enables support for scanning HTTP GET URI parameters.
- check-basic-auth enables support for scanning the HTTP Basic Auth field.

In the example above, credential submissions to sites in FortiGuard category 37 are blocked, while submissions to sites in all other categories are allowed and logged.


3) Configure the URL filter to scan specific URLs.
The anti-phish action is added to the URL filter table entry, and the URL filter is applied to the web filter profile.

 

# config webfilter urlfilter
    edit 1
        set name "antiphish-table"
            # config entries
                edit 1
                    set url "www.example.com"
                    set type simple
                    set antiphish-action block
                    set status enable
                    set referrer-host ''
                next
            end
    next
end


# config webfilter profile
    edit "<profile-name>"
        # config web
            set urlfilter-table 1
        end
        ...
    next
end

 

4) Optionally, define custom patterns if fields other than the built-in username and password keywords need to be scanned:

 

# config webfilter profile
    edit "<profile-name>"
        # config custom-patterns
            edit "customer-name"
                set category username
            next
            edit "customer-passwd"
                set category password
            next
        end
    next
end

 

Troubleshooting.

WAD debugs can be run to verify the antiphishing process.

For HTTPS websites, SSL deep inspection must be enabled, and the SSL inspection certificate must be installed on the end-host machines to avoid certificate errors.

 

# diag debug reset

# diagnose wad debug display pid enable

# diagnose wad debug enable level verbose

# diagnose wad debug enable category antiphish

# diagnose debug enable

 

Sample debug output.

[I]2023-04-14 11:40:20.349211 [p:1851][s:2593][r:515] wad_http_url_filter_check_local :3383  hreq=0x7fa6184e9c38 prof=default host=example.com(93.184.216.34) vd=root id=0 rate=0
[I]2023-04-14 11:40:20.349219 [p:1851][s:2593][r:515] wad_url_filter_local_request :906   hreq=0x7fa6184e9c38 wfp=0x7fa61d012378 ssl_url_chk=1 acion=allow: >>
[V]2023-04-14 11:40:20.349221 [p:1851][s:2593][r:515] wad_url_fetch_cate2 :1505  host=example.com ip=93.184.216.34
[I]2023-04-14 11:40:20.349230 [p:1851][s:2593][r:515] wad_url_cate_dump_req_ctx :243   (fetch-done): req/wfp=1/1 cate: cate=255 webf=255 sslexempt=255 url/ip=0/0 done: bal=0,local/user/cache/ftgd=1/1/1/1   matched[url]: block/allow/user=0/0/0 ftgd=0 sub=1 log=0 invalid=0
[I]2023-04-14 11:40:20.349236 [p:1851][s:2593][r:515] wad_url_choose_cate :2163  cate=52 (ftgd) url-cates=[52,]; url=[ # 52,],ip=[ # 56,];  conf webfilter 'default':[96,98,99,64,65,66,67,83,86,88,90,91,52,57,59,61,62,63,0,1,2,3,4]
[I]2023-04-14 11:40:20.349241 [p:1851][s:2593][r:515] wad_url_filter_dump_result :223   wad_url_filter_check_url_filter_on_result(dump) id=0 state=done type=req_http has_cat=1[52] log=1 result: id=0 log=1 cate=52(0/0) flags=00000000 action=ftgd-monitor warn_domain=0 warn_session=0
[V]2023-04-14 11:40:20.349272 [p:1851][s:2593][r:515] wad_url_filter_proc_http_result :2259  hreq=0x7fa6184e9c38 id=0 wsp=0x7fa61b920228 wfp=0x7fa61d012378
[V]2023-04-14 11:40:20.349274 [p:1851][s:2593][r:515] wad_url_filter_log_result :2386  url_req=0x7fa61878ab08 result=1 log=1 type=ftgd_monitor lasttype=none
[V]2023-04-14 11:40:20.349275 [p:1851][s:2593][r:515] wad_url_filter_log :1954  http req=0x7fa6184e9c38 action=0 type=ftgd_monitor keyword=0/0 search_log=0/0
[V]2023-04-14 11:40:20.349821 [p:1851][s:2593][r:515] wad_tcp_port_out_read_block :1005  tcp_port 0x7fa61b7c6b38 fd=107 on=0 n_out_block=1~>0 in(/out)_shutdown=0/0 closed=0 state=2.
[V]2023-04-14 11:40:20.349824 [p:1851][s:2593][r:515] wad_tcp_port_transport_read_block :960   tcp_port 0x7fa61b7c6b38 fd=107 on=0 n_out_block=1~>0 in(/out)_shutdown=0/0 closed=0 events=0x0.
[V]2023-04-14 11:40:20.349825 [p:1851][s:2593][r:515] wad_tcp_port_transport_read_block :992   sock 107 read_block removed, turn on readability.
[V]2023-04-14 11:40:20.349827 [p:1851][s:2593][r:515] wad_http_msg_strm_resume :1088  strm resumed, execute=wad_http_clt_read_req_line is_clt=1
[V]2023-04-14 11:40:20.349829 [p:1851][s:2593][r:515] wad_http_decide_antiphish :95    Performing proper check
[I]2023-04-14 11:40:20.349831 [p:1851][s:2593][r:515] wad_url_filter_cancel :667   type=0 req=0x7fa6184e9c38 url_req=0x7fa61878ab08 id=0
[I]2023-04-14 11:40:20.349833 [p:1851][s:2593][r:515] wad_http_req_proc_waf :1309  req=0x7fa6184e9c38 ssl.deep_scan=0 proto=1 exempt=0 waf=(nil) body_len=0 ua=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 Edg/112.0.1722.39 skip_scan=0
[V]2023-04-14 11:40:20.349835 [p:1851][s:2593][r:515] wad_mem_c_malloc :138   size 27112 exceeds max_elm_size (18396); not using bucket
[V]2023-04-14 11:40:20.349838 [p:1851][s:2593][r:515] wad_tcp_port_out_read_block :1005  tcp_port 0x7fa61b7c6b38 fd=107 on=1 n_out_block=0~>1 in(/out)_shutdown=0/0 closed=0 state=2.
[V]2023-04-14 11:40:20.349839 [p:1851][s:2593][r:515] wad_tcp_port_transport_read_block :960   tcp_port 0x7fa61b7c6b38 fd=107 on=1 n_out_block=0~>1 in(/out)_shutdown=0/0 closed=0 events=0x1.
[V]2023-04-14 11:40:20.349839 [p:1851][s:2593][r:515] wad_tcp_port_transport_read_block :974   sock 107 read_block enforced, turn off readability.
[V]2023-04-14 11:40:20.349840 [p:1851][s:2593][r:515] wad_http_msg_strm_pause :1065  strm paused, flag=0x2 is_clt=1
[V]2023-04-14 11:40:20.349840 [p:1851][s:2593][r:515] wad_http_req_proc_antiphish :8239  Antiphish configured for req=0x7fa6184e9c38. HTTP method=0. Body_len=0
[V]2023-04-14 11:40:20.349858 [p:1851][s:2593][r:515] wad_antiphish_find_matches :537   Found credentials while parsing req=0x7fa6184e9c38 Password count=1 Users: "jessie" "jessie"
[I]2023-04-14 11:40:20.349861 [p:1851][s:2593][r:515] wad_auth_get_credentials :354   Got request to fetch credentials with type 1 principal jessie
[V]2023-04-14 11:40:20.349862 [p:1851][s:2593][r:515] wad_auth_cred_cache_internal_lookup:434   Found principal 'jessie' in cache
[V]2023-04-14 11:40:20.349889 [p:1851][s:2593][r:515] wad_auth_get_credentials :369   Cred cache hit for type 1 principal jessie
[V]2023-04-14 11:40:20.349890 [p:1851][s:2593][r:515] wad_antiphish_request_done :180   Credentials for req=0x7fa6184e9c38 Result=Match Action=BLOCK
[I]2023-04-14 11:40:20.349909 [p:1851][s:2593][r:515] __wad_http_build_replmsg_resp :705   Generating replacement message. Antiphish matched credentials repmsg_id 70
[V]2023-04-14 11:40:20.349912 [p:1851][s:2593][r:515] wad_mem_c_malloc :138   size 32770 exceeds max_elm_size (18396); not using bucket

 

For Gmail access:

 

:1309  req=0x7fa6184ef488 ssl.deep_scan=1 proto=10 exempt=0 waf=(nil) body_len=18446744073709551615 ua=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 skip_scan=0
[V]2023-04-14 11:43:23.959339 [p:1851][s:2816][r:573] wad_mem_c_malloc :138   size 27112 exceeds max_elm_size (18396); not using bucket
0415:h2s=0x7fa618604098,strm_id=00001,strm_id=1 blocks=1, on=1, new_data=0,clt
[V]2023-04-14 11:43:23.959342 [p:1851][s:2816][r:573] wad_http_req_proc_antiphish :8239  Antiphish configured for req=0x7fa6184ef488. HTTP method=0. Body_len=18446744073709551615
[V]2023-04-14 11:43:23.959367 [p:1851][s:2816][r:573] wad_antiphish_find_matches :537   Found credentials while parsing req=0x7fa6184ef488 Password count=1 Users: "https://mail.google.com/mail/u/0/"
[I]2023-04-14 11:43:23.959369 [p:1851][s:2816][r:573] wad_auth_get_credentials :354   Got request to fetch credentials with type 1 principal https://mail.google.com/mail/u/0/
[V]2023-04-14 11:43:23.959370 [p:1851][s:2816][r:573] wad_auth_cred_cache_internal_lookup:430   Found principal 'https://mail.google.com/mail/u/0/' in negative cache
[V]2023-04-14 11:43:23.959371 [p:1851][s:2816][r:573] wad_auth_get_credentials :379   Negative cred cache hit for type 1 principal https://mail.google.com/mail/u/0/
[I]2023-04-14 11:43:23.959372 [p:1851][s:2816][r:573] wad_antiphish_check_credentials :417   We've exhausted our user count req=0x7fa61b700010
[V]2023-04-14 11:43:23.959372 [p:1851][s:2816][r:573] wad_antiphish_request_done
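Reading a long WAD capture by hand is tedious, so the following added helper (not part of this article or of FortiOS) parses the debug records shown above, groups the antiphish events by WAD session id and reduces each session to one verdict, and flags extracted "users" that can never match because they are not a sAMAccountName (such as the Gmail URL in the second capture). The sample lines it runs on are constructed to mirror the article's output; the record layout it assumes is the one visible above.

```python
import re

# Constructed sample of WAD antiphish debug lines, modelled on the output in this
# article (pointers and timestamps are illustrative, not from a real session).
SAMPLE_DEBUG = """\
[V]2023-04-14 11:40:20.349858 [p:1851][s:2593][r:515] wad_antiphish_find_matches :537   Found credentials while parsing req=0x7fa6184e9c38 Password count=1 Users: "jessie" "jessie"
[V]2023-04-14 11:40:20.349889 [p:1851][s:2593][r:515] wad_auth_get_credentials :369   Cred cache hit for type 1 principal jessie
[V]2023-04-14 11:40:20.349890 [p:1851][s:2593][r:515] wad_antiphish_request_done :180   Credentials for req=0x7fa6184e9c38 Result=Match Action=BLOCK
[V]2023-04-14 11:43:23.959367 [p:1851][s:2816][r:573] wad_antiphish_find_matches :537   Found credentials while parsing req=0x7fa6184ef488 Password count=1 Users: "https://mail.google.com/mail/u/0/"
[V]2023-04-14 11:43:23.959371 [p:1851][s:2816][r:573] wad_auth_get_credentials :379   Negative cred cache hit for type 1 principal https://mail.google.com/mail/u/0/
[I]2023-04-14 11:43:23.959372 [p:1851][s:2816][r:573] wad_antiphish_check_credentials :417   We've exhausted our user count req=0x7fa61b700010
"""

# One WAD record: [level]timestamp [p:pid][s:sid][r:rid] function :srcline  message
WAD_RE = re.compile(r'^\[(\w)\](\S+ \S+) \[p:(\d+)\]\[s:(\d+)\]\[r:(\d+)\] (\w+)\s*:(\d+)\s+(.*)$')
FIELDS = ("level", "ts", "pid", "sid", "rid", "func", "srcline", "msg")

def parse_wad_line(line):
    """Split one WAD debug line into its fields, or return None if it is not a record."""
    m = WAD_RE.match(line.rstrip())
    return dict(zip(FIELDS, m.groups())) if m else None

def summarize_antiphish(text):
    """Group antiphish events by WAD session id and reduce each to one verdict."""
    sessions = {}
    for rec in filter(None, map(parse_wad_line, text.splitlines())):
        s = sessions.setdefault(rec["sid"], {"users": [], "password_count": 0,
                                             "cache": None, "result": None,
                                             "action": None, "exhausted": False})
        func, msg = rec["func"], rec["msg"]
        if func == "wad_antiphish_find_matches":
            pc = re.search(r"Password count=(\d+)", msg)
            s["password_count"] = int(pc.group(1)) if pc else 0
            # Usernames are quoted after "Users:"; the same name may be repeated.
            for u in re.findall(r'"([^"]*)"', msg.split("Users:", 1)[-1]):
                if u not in s["users"]:
                    s["users"].append(u)
        elif func == "wad_auth_get_credentials" and "cache hit" in msg:
            s["cache"] = "negative" if msg.startswith("Negative") else "hit"
        elif func == "wad_antiphish_request_done":
            r = re.search(r"Result=(\w+) Action=(\w+)", msg)
            if r:
                s["result"], s["action"] = r.groups()
        elif func == "wad_antiphish_check_credentials" and "exhausted" in msg:
            s["exhausted"] = True
    return sessions

def non_sam_principals(sessions):
    """Extracted users that cannot be a sAMAccountName (e.g. a URL lifted from a form field)."""
    return [u for s in sessions.values() for u in s["users"] if re.search(r"[/:@\s]", u)]
```

A session that ends with a negative-cache hit and "exhausted our user count" but no Result line, as in the Gmail capture, means the scanner extracted a value that no domain account matches, which is worth checking against the custom patterns in step 4.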

 
