This feature adds a dynamic package that is distributed by FortiGuard as part of the Web Filtering service. It is enabled by default in SSL/SSH inspection profiles, and can be configured using the following CLI commands (highlighted in yellow):
#config vdom
edit <vdom>
config firewall ssl-ssh-profile
edit "certificate-inspection"
set comment "Read-only SSL handshake inspection profile."
config ssl
set inspect-all disable
end
#config https
set ports 443
set status certificate-inspection
set invalid-server-cert block
set untrusted-server-cert allow
set sni-server-cert-check enable
end
#config ftps
set status disable
set invalid-server-cert block
set untrusted-server-cert allow
end
#config imaps
set status disable
set invalid-server-cert block
set untrusted-server-cert allow
end
#config pop3s
set status disable
set invalid-server-cert block
set untrusted-server-cert allow
end
#config smtps
set status disable
set invalid-server-cert block
set untrusted-server-cert allow
end
#config ssh
set ports 22
set status disable
set inspect-all disable
set unsupported-version bypass
set ssh-tun-policy-check disable
set ssh-algorithm compatible
end
#set block-blacklisted-certificates enable
set caname "Fortinet_CA_SSL"
set ssl-anomalies-log enable
next
edit "deep-inspection"
set comment "Read-only deep inspection profile."
config ssl
set inspect-all disable
end
#config https
set ports 443
set status deep-inspection
set client-cert-request bypass
set unsupported-ssl bypass
set invalid-server-cert block
set untrusted-server-cert allow
set sni-server-cert-check enable
end
#config ftps
set ports 990
set status deep-inspection
set client-cert-request bypass
set unsupported-ssl bypass
set invalid-server-cert block
set untrusted-server-cert allow
end
#config imaps
set ports 993
set status deep-inspection
set client-cert-request inspect
set unsupported-ssl bypass
set invalid-server-cert block
set untrusted-server-cert allow
end
#config pop3s
set ports 995
set status deep-inspection
set client-cert-request inspect
set unsupported-ssl bypass
set invalid-server-cert block
set untrusted-server-cert allow
end
#config smtps
set ports 465
set status deep-inspection
set client-cert-request inspect
set unsupported-ssl bypass
set invalid-server-cert block
set untrusted-server-cert allow
end
#config ssh
set ports 22
set status disable
set inspect-all disable
set unsupported-version bypass
set ssh-tun-policy-check disable
set ssh-algorithm compatible
end
#set whitelist disable
set block-blacklisted-certificates enable
config ssl-exempt
edit 1
set type fortiguard-category
set fortiguard-category 31
next
edit 2
set type fortiguard-category
set fortiguard-category 33
next
edit 3
set type wildcard-fqdn
set wildcard-fqdn "g-adobe"
next
edit 4
set type wildcard-fqdn
set wildcard-fqdn "g-Adobe Login"
next
edit 5
set type wildcard-fqdn
set wildcard-fqdn "g-android"
next
edit 6
set type wildcard-fqdn
set wildcard-fqdn "g-apple"
next
edit 7
set type wildcard-fqdn
set wildcard-fqdn "g-appstore"
next
edit 8
set type wildcard-fqdn
set wildcard-fqdn "g-auth.gfx.ms"
next
edit 9
set type wildcard-fqdn
set wildcard-fqdn "g-citrix"
next
edit 10
set type wildcard-fqdn
set wildcard-fqdn "g-dropbox.com"
next
edit 11
set type wildcard-fqdn
set wildcard-fqdn "g-eease"
next
edit 12
set type wildcard-fqdn
set wildcard-fqdn "g-firefox update server"
next
edit 13
set type wildcard-fqdn
set wildcard-fqdn "g-fortinet"
next
edit 14
set type wildcard-fqdn
set wildcard-fqdn "g-googleapis.com"
next
edit 15
set type wildcard-fqdn
set wildcard-fqdn "g-google-drive"
next
edit 16
set type wildcard-fqdn
set wildcard-fqdn "g-google-play2"
next
edit 17
set type wildcard-fqdn
set wildcard-fqdn "g-google-play3"
next
edit 18
set type wildcard-fqdn
set wildcard-fqdn "g-Gotomeeting"
next
edit 19
set type wildcard-fqdn
set wildcard-fqdn "g-icloud"
next
edit 20
set type wildcard-fqdn
set wildcard-fqdn "g-itunes"
next
edit 21
set type wildcard-fqdn
set wildcard-fqdn "g-microsoft"
next
edit 22
set type wildcard-fqdn
set wildcard-fqdn "g-skype"
next
edit 23
set type wildcard-fqdn
set wildcard-fqdn "g-softwareupdate.vmware.com"
next
edit 24
set type wildcard-fqdn
set wildcard-fqdn "g-verisign"
next
edit 25
set type wildcard-fqdn
set wildcard-fqdn "g-Windows update 2"
next
edit 26
set type wildcard-fqdn
set wildcard-fqdn "g-live.com"
next
edit 27
set type wildcard-fqdn
set wildcard-fqdn "g-google-play"
next
edit 28
set type wildcard-fqdn
set wildcard-fqdn "g-update.microsoft.com"
next
edit 29
set type wildcard-fqdn
set wildcard-fqdn "g-swscan.apple.com"
next
edit 30
set type wildcard-fqdn
set wildcard-fqdn "g-autoupdate.opera.com"
next
end
set server-cert-mode re-sign
set caname "Fortinet_CA_SSL"
set untrusted-caname "Fortinet_CA_Untrusted"
set ssl-anomalies-log enable
set ssl-exemptions-log disable
set rpc-over-https disable
set mapi-over-https disable
set use-ssl-server disable
next
end
next
end