FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
gmanea (Staff)
Article Id 197349
Description
This article describes an AI-driven feature that prevents credential phishing by scanning submission traffic against the sensitive corporate network credentials stored in the corporate domain controller.

Solution
When credential phishing prevention is enabled, the FortiGate scans user names and passwords in submission traffic to external URLs against the sensitive corporate network credentials stored in the corporate domain controller.
Based on the configured antiphishing rules in proxy mode web filter profiles, the FortiGate will block the URL or alert the user.

Credential phishing prevention includes the following components:
- The antiphishing profile, which defines the corporate network credentials stored in the domain controller, the antiphishing check options, the default action if no rule matches, the antiphishing status, and so on.
- The antiphishing table, which defines specific URLs and the antiphishing action (block, log, exempt) to take when a URL submission request matches.
- The FortiGuard category-based antiphishing rule, which defines the action to take if the submission request matches a FortiGuard category.

The antiphishing table and FortiGuard category-based antiphishing rule behave differently from the urlfilter and FortiGuard filter:
- If a request is blocked by the urlfilter or FortiGuard filter, no further antiphishing scanning takes place.
- Antiphishing scanning occurs only after the local urlfilter and FortiGuard filter allow the traffic. If a submission matches the antiphishing table, the defined action is taken and no further FortiGuard category-based rules are applied.
- Similar to firewall rules, the antiphishing table and FortiGuard category-based antiphishing rule use top-down priority: whichever rule matches first is the one that is used.

To configure credential phishing prevention:
1) Configure the antiphishing profile, which includes the FortiGuard category rule:
config webfilter profile
    edit "<profile-name>"
        ...
        config web
            ...
        end
        config antiphish
            set status enable
            set domain-controller "win2016"
            set default-action block
            set check-uri enable
            set check-basic-auth enable
            set max-body-len 65536
            config inspection-entries
                edit "inspect-37"
                    set fortiguard-category 37
                    set action block
                next
                edit "inspect-others"
                    set fortiguard-category all
                    set action log
                next
            end
            config custom-patterns
                edit "customer-name"
                    set category username
                next
                edit "customer-passwd"
                    set category password
                next
            end
        end
        ...
        set web-antiphishing-log enable
    next
end
In this example, URLs that match the FortiGuard category 37 (social networking) will be blocked and other categories will be logged.
Besides built-in user name and password keyword patterns, it is possible to configure additional keyword patterns with config custom-patterns.

2) Add the antiphishing attribute to the urlfilter table:
config webfilter urlfilter
    edit 1
        set name "antiphish-table"
        set antiphish enable
        config entries
            edit 1
                set url "www.example.com"
                set type simple
                set antiphish-action block
                set status enable
                set referrer-host ''
            next
        end
    next
end
3) Add the antiphishing table to the webfilter profile.

The antiphish-table references a urlfilter table with the antiphish attribute enabled.
The urlfilter-table and antiphish-table cannot refer to the same list number:

config webfilter profile
    edit "<profile-name>"
        config web
            set urlfilter-table 4
            set antiphish-table 1
        end
        ...
    next
end
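The evaluation order described above (urlfilter and FortiGuard filter first, then the antiphish table, then the category rules top-down, then default-action) is easy to get wrong when reading logs. The following added example, which is not part of the Fortinet article or FortiOS, models that order for a single credential submission; the profile data is constructed to mirror the configuration from steps 1 to 3, and whether the submitted credentials matched the domain controller is taken as an input rather than looked up.

```python
from dataclasses import dataclass, field
from typing import List, Tuple, Union

@dataclass
class AntiphishProfile:
    # urlfilter-table entries as (url, action); a 'block' stops all further scanning
    urlfilter: List[Tuple[str, str]]
    # antiphish-table entries as (url, antiphish-action): block / log / exempt
    antiphish_table: List[Tuple[str, str]]
    # inspection-entries as (fortiguard-category or "all", action), in configured order
    category_rules: List[Tuple[Union[int, str], str]]
    default_action: str = "block"            # used only when no rule matches
    fg_blocked_categories: set = field(default_factory=set)  # FortiGuard filter blocks

def url_matches(entry_url: str, host: str) -> bool:
    # 'simple' URL entries match the host itself and any of its subdomains
    return host == entry_url or host.endswith("." + entry_url)

def decide(profile: AntiphishProfile, host: str, category: int,
           creds_match_dc: bool) -> Tuple[str, str]:
    """Return (stage that decided, action) for one credential submission to host.

    creds_match_dc is True when the submitted user name/password matched the
    corporate credentials held on the domain controller (assumed input)."""
    # 1. urlfilter and FortiGuard filter run first; a block ends processing here
    for url, action in profile.urlfilter:
        if url_matches(url, host) and action == "block":
            return ("urlfilter", "block")
    if category in profile.fg_blocked_categories:
        return ("fortiguard-filter", "block")
    # 2. only submissions carrying corporate credentials are subject to antiphishing
    if not creds_match_dc:
        return ("antiphish", "no-credential-match")
    # 3. antiphish table: first match wins and category rules are not consulted
    for url, action in profile.antiphish_table:
        if url_matches(url, host):
            return ("antiphish-table", action)
    # 4. FortiGuard category rules, top-down, first match wins
    for cat, action in profile.category_rules:
        if cat == "all" or cat == category:
            return ("category-rule", action)
    # 5. nothing matched: the profile's default-action applies
    return ("default-action", profile.default_action)

# Constructed profile mirroring the article's example: category 37 blocked,
# everything else logged, www.example.com blocked via the antiphish table.
EXAMPLE = AntiphishProfile(
    urlfilter=[("blocked.example.net", "block")],
    antiphish_table=[("www.example.com", "block")],
    category_rules=[(37, "block"), ("all", "log")],
)
```

Because the example profile has a catch-all "all" inspection entry, its default-action is never reached; remove that entry to see default-action take effect.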
