Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
paddydhurley
New Contributor

UTM Features?

What UTM features do I need to turn on for a Windows 10 and iPhone environment to keep from being exposed to ransomeware? I will be running an endpoint solution as well but that isn’t the focus of my question. What can I do with UTM?
4 REPLIES 4
SecurityPlus
Contributor II

Others can weigh in with more detailed responses but I think the simple answer is that the more UTM features you enable the better your protection, in other words a defense in depth strategy. Enabling deep packet inspection is also advised. Depending on the tolerance for risk and the type of business there may be additional Fortinet and non-Fortinet solutions that would be advised. Don’t forget to utilize a local and off-site backpack solution that too is well protected from ransomware.
paddydhurley

Is deep packet inspection part of the UTM license?
SecurityPlus

Yes, I believe that it is.

TecnetRuss

Deep Packet Inspection isn't a FortiGuard feature. It's a separate built-in feature you can enable to do "man-in-the-middle" on-the-fly decryption of outgoing or incoming traffic on a per-policy basis.  With DPI, UTM features like AV, Web Filtering, Intrusion Protection, etc. can fully inspect the traffic and are thus more effective.  Without DPI, encrypted traffic can only be partially inspected and encrypted payloads like ransomware can sneak through.

 

An example multi-layered approach to preventing ransomware on a single FortiGate would typically involve the following UTM features:

[ol]
  • IRDB Blacklisting (via top-sorted Deny rules) of inbound and outbound traffic to IP addresses with negative reputation (e.g. Tor, Botnet, spammers, anonymizer proxies, etc.), or optionally, blocking all outbound traffic by default and only allowing outbound traffic to necessary/authorized ISDB destinations (e.g. Office 365).
  • DNS filtering to intercept lookups of malicious or Botnet domains (Botnet DB) at the early DNS lookup stage, before client-server traffic even begins.
  • Web Content Filtering to intercept HTTP/HTTPS traffic to malicious or other risky or unapproved website categories (as maintained by FortiGuard's category lists), and gain visibility into risky user behavior.
  • Intrusion Protection Services (IPS) to intercept both inbound and outbound malicious behavior patterns like hacking, brute-forcing, vulnerability exploitation or denial-of-service attacks, and also block connections to known Botnet IPs (Botnet DB).
  • AntiVirus DB to intercept malicious payloads in traffic that has been allowed through the above layers.
  • Optionally, Geo-IP restrictions to limit access to things you publish like your SSL-VPN to whitelisted countries and reduce your exposure slightly (limited protection)
  • Selectively, enable deep packet inspection to allow all of the above features to work more effectively on encrypted traffic like HTTPS and SSH.[/ol]

    All of the above can be considered your first lines/layers of defense.  Your desktop and server's hardened security configuration, and lastly your desktop and server antivirus software should be considered your last line of defense for ransomware.

     

    So, all the FortGuard Security bundles include AV and IPS, but the ATP bundle doesn't IRDB/ISDB (IP Reputation), Web Filtering, DNS Filtering, Botnet DB, or Geo-IP, so I'd recommend the UTP bundle at a minimum as it includes everything above.  The ENT or 360 bundles would be worth considering if you're are a larger enterprise managing a number of FortiGate firewalls where you'd want to centralize your management, reporting and automation of threat remediation (beyond the scope of this discussion).

     

    Russ

    NSE7

  • Labels
    Top Kudoed Authors