FortiGate
vinodhini (Staff)
Description
This article describes how to configure credential phishing prevention.

Solution
When credential phishing prevention is enabled, the FortiGate scans for corporate credentials submitted to external websites and compares them to sensitive credentials stored in the corporate domain controller.

Based on the anti-phishing rules configured in proxy-mode web filter profiles, the FortiGate blocks the URL or alerts the user if the submitted credentials match ones stored on the corporate domain controller.

To configure credential phishing prevention:

1) Configure the corporate domain controller:

The corporate domain controller must be configured in the credential store (config credential-store domain-controller).
Credentials are matched based on sAMAccountName.
UPN format is not currently supported.
# config credential-store domain-controller
    edit "win2016"
        set domain-name "corpserver.local"
        set username "Administrator"
        set password <password>
        set ip <server_ip>
    next
end
The domain controller entry name has to be the hostname of the DC (win2016 in the example).
Both the entry name and the domain name are case sensitive.


2) Configure the anti-phishing settings in the web filter profile, including the FortiGuard category rules:
# config webfilter profile
    edit "<profile-name>"
        set feature-set proxy
        ...
        # config web
            ...
        end
        # config antiphish
            set status enable
            set domain-controller "win2016"
            set default-action block
            set check-uri enable
            set check-basic-auth enable
            set max-body-len 65536
            # config inspection-entries
                edit "inspect-37"
                    set fortiguard-category 37
                    set action block
                next
                edit "inspect-others"
                    set fortiguard-category all
                    set action log
                next
            end
            # config custom-patterns
                edit "customer-name"
                    set category username
                next
                edit "customer-passwd"
                    set category password
                next
            end
        end
        ...
        set web-antiphishing-log enable
    next
end
- check-uri enables support for scanning HTTP GET URI parameters.
- check-basic-auth enables support for scanning the HTTP Basic Auth field.

3) Configure the URL filter to scan specific URLs.
The antiphish-action is set on the URL filter table entry, and the URL filter table is then applied to the web filter profile.
# config webfilter urlfilter
    edit 1
        set name "antiphish-table"
        # config entries
            edit 1
                set url "www.example.com"
                set type simple
                set antiphish-action block
                set status enable
                set referrer-host ''
            next
        end
    next
end
# config webfilter profile
    edit "<profile-name>"
        # config web
            set urlfilter-table 1
        end
        ...
    next
end
4) Optionally, define custom patterns if fields other than the built-in username and password keywords need to be scanned (custom patterns live under the antiphish section of the profile):
# config webfilter profile
    edit "<profile-name>"
        # config antiphish
            # config custom-patterns
                edit "customer-name"
                    set category username
                next
                edit "customer-passwd"
                    set category password
                next
            end
        end
    next
end

Internal Notes
Web-based URL filter actions and FortiGuard category-based filtering have higher priority than antiphishing URL filter actions and antiphishing FortiGuard category rules:
• If a request is blocked by the web-based URL filter or FortiGuard filter, there is no further antiphishing scanning. Antiphishing scanning only happens after the web-based URL filters and FortiGuard filters allow the traffic.
• If a submission matches an entry in the URL filter table that has an antiphishing action, the defined action is taken. No further FortiGuard category-based rules are applied.
• Like firewall policies, the URL filter table and FortiGuard category-based antiphishing rules use a top-down priority. The rule that matches first is the one that is used.
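The precedence rules above, written out as a small Python model so the evaluation order can be checked against constructed submissions. This is an added example, not FortiOS code: the policy mirrors the article's configuration (inspect-37 blocks, all other categories log, www.example.com has an antiphish-action of block), and hostnames, category numbers and the fallback to default-action are assumptions made for illustration.

```python
"""Model of the antiphishing decision order described in this article (added example)."""
from dataclasses import dataclass, field


@dataclass
class Submission:
    host: str                  # site the form/URI/basic-auth credentials were sent to
    fortiguard_category: int   # FortiGuard category assigned to that host
    creds_match_dc: bool       # submitted credentials match a DC account (sAMAccountName)


@dataclass
class Policy:
    # Web-based filters: evaluated first, before any antiphishing scan
    urlfilter_block: set = field(default_factory=set)    # hosts blocked by a web URL filter action
    fortiguard_block: set = field(default_factory=set)   # categories blocked by FortiGuard filtering
    # Antiphishing settings from "config antiphish" and the URL filter table
    antiphish_urlfilter: dict = field(default_factory=dict)  # host -> antiphish-action
    inspection_entries: list = field(default_factory=list)   # [(category or "all", action)], top-down
    default_action: str = "block"                            # assumed fallback when no entry matches


def evaluate(sub: Submission, pol: Policy) -> str:
    """Return 'blocked-by-webfilter', 'allow', or the antiphishing action ('block'/'log')."""
    # 1. Web URL filter and FortiGuard filter have priority; a block here means
    #    no antiphishing scanning happens at all (and no antiphishing log entry).
    if sub.host in pol.urlfilter_block or sub.fortiguard_category in pol.fortiguard_block:
        return "blocked-by-webfilter"
    # Antiphishing only acts when the credentials match ones stored on the DC.
    if not sub.creds_match_dc:
        return "allow"
    # 2. A URL filter table entry with an antiphish-action wins outright;
    #    the FortiGuard category-based rules are not consulted.
    if sub.host in pol.antiphish_urlfilter:
        return pol.antiphish_urlfilter[sub.host]
    # 3. Category-based inspection entries are evaluated top-down; first match wins.
    for category, action in pol.inspection_entries:
        if category == "all" or category == sub.fortiguard_category:
            return action
    return pol.default_action


# Constructed policy mirroring the article's example configuration.
ARTICLE_POLICY = Policy(
    urlfilter_block={"blocked.example"},            # assumed web URL filter block entry
    fortiguard_block={99},                          # assumed FortiGuard-blocked category
    antiphish_urlfilter={"www.example.com": "block"},
    inspection_entries=[(37, "block"), ("all", "log")],
)
```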
