Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Sindre-FTNT
Staff
Staff

Created on ‎11-12-2019 08:46 AM

Article Id 195511

Technical Tip: URL Certificate Blacklist

Description
An increasing number of malware have started to use SSL to attempt to bypass IPS.
Maintaining a fingerprint-based certificate blacklist is useful to block botnet communication that relies on SSL.
This article will describe this feature.

Solution
This feature adds a dynamic package that is distributed by FortiGuard and is part of the Web Filtering service. It is enabled by default for SSL/SSH profiles, and can be configured using the following CLI commands (highlighted in yellow):
#config vdom
edit <vdom>
config firewall ssl-ssh-profile
edit "certificate-inspection"
set comment "Read-only SSL handshake inspection profile."
config ssl
set inspect-all disable
end

#config https
set ports 443
set status certificate-inspection
set invalid-server-cert block
set untrusted-server-cert allow
set sni-server-cert-check enable
end
               
#config ftps
set status disable
set invalid-server-cert block
set untrusted-server-cert allow
end

#config imaps
set status disable
set invalid-server-cert block
set untrusted-server-cert allow
end

#config pop3s
set status disable
set invalid-server-cert block
set untrusted-server-cert allow
end

#config smtps
set status disable
set invalid-server-cert block
set untrusted-server-cert allow
end

#config ssh
set ports 22
set status disable
set inspect-all disable
set unsupported-version bypass
set ssh-tun-policy-check disable
set ssh-algorithm compatible
end

#set block-blacklisted-certificates enable 
set caname "Fortinet_CA_SSL"
set ssl-anomalies-log enable
next
edit "deep-inspection"
set comment "Read-only deep inspection profile."
config ssl
set inspect-all disable
end

#config https
set ports 443
set status deep-inspection
set client-cert-request bypass
set unsupported-ssl bypass
set invalid-server-cert block
set untrusted-server-cert allow
set sni-server-cert-check enable
end

#config ftps
set ports 990
set status deep-inspection
set client-cert-request bypass
set unsupported-ssl bypass
set invalid-server-cert block
set untrusted-server-cert allow
end

#config imaps
set ports 993
set status deep-inspection
set client-cert-request inspect
set unsupported-ssl bypass
set invalid-server-cert block
set untrusted-server-cert allow
end

#config pop3s
set ports 995
set status deep-inspection
set client-cert-request inspect
set unsupported-ssl bypass
set invalid-server-cert block
set untrusted-server-cert allow
end

#config smtps
set ports 465
set status deep-inspection
set client-cert-request inspect
set unsupported-ssl bypass
set invalid-server-cert block
set untrusted-server-cert allow
end

#config ssh
set ports 22
set status disable
set inspect-all disable
set unsupported-version bypass
                    set ssh-tun-policy-check disable
set ssh-algorithm compatible
end

#set whitelist disable
set block-blacklisted-certificates enable
config ssl-exempt
edit 1
set type fortiguard-category
set fortiguard-category 31
next
edit 2
set type fortiguard-category
set fortiguard-category 33
next
edit 3
set type wildcard-fqdn
set wildcard-fqdn "g-adobe"
next
edit 4
set type wildcard-fqdn
set wildcard-fqdn "g-Adobe Login"
next
edit 5
set type wildcard-fqdn
set wildcard-fqdn "g-android"
next
edit 6
set type wildcard-fqdn
set wildcard-fqdn "g-apple"
next
edit 7
set type wildcard-fqdn
set wildcard-fqdn "g-appstore"
next
edit 8
set type wildcard-fqdn
set wildcard-fqdn "g-auth.gfx.ms"
next
edit 9
set type wildcard-fqdn
set wildcard-fqdn "g-citrix"
next
edit 10
set type wildcard-fqdn
set wildcard-fqdn "g-dropbox.com"
next
edit 11
set type wildcard-fqdn
set wildcard-fqdn "g-eease"
next
edit 12
set type wildcard-fqdn
set wildcard-fqdn "g-firefox update server"
next
edit 13
set type wildcard-fqdn
set wildcard-fqdn "g-fortinet"
next
edit 14
set type wildcard-fqdn
set wildcard-fqdn "g-googleapis.com"
next
edit 15
set type wildcard-fqdn
set wildcard-fqdn "g-google-drive"
next
edit 16
set type wildcard-fqdn
set wildcard-fqdn "g-google-play2"
next
edit 17
set type wildcard-fqdn
set wildcard-fqdn "g-google-play3"
next
edit 18
set type wildcard-fqdn
set wildcard-fqdn "g-Gotomeeting"
next
edit 19
set type wildcard-fqdn
set wildcard-fqdn "g-icloud"
next
edit 20
set type wildcard-fqdn
set wildcard-fqdn "g-itunes"
next
edit 21
set type wildcard-fqdn
set wildcard-fqdn "g-microsoft"
next
edit 22
set type wildcard-fqdn
set wildcard-fqdn "g-skype"
next
edit 23
set type wildcard-fqdn
set wildcard-fqdn "g-softwareupdate.vmware.com"
next
edit 24
set type wildcard-fqdn
set wildcard-fqdn "g-verisign"
next
edit 25
set type wildcard-fqdn
set wildcard-fqdn "g-Windows update 2"
next
edit 26
set type wildcard-fqdn
set wildcard-fqdn "g-live.com"
next
edit 27
set type wildcard-fqdn
set wildcard-fqdn "g-google-play"
next
edit 28
set type wildcard-fqdn
set wildcard-fqdn "g-update.microsoft.com"
next
edit 29
set type wildcard-fqdn
set wildcard-fqdn "g-swscan.apple.com"
next
edit 30
set type wildcard-fqdn
set wildcard-fqdn "g-autoupdate.opera.com"
next
end
set server-cert-mode re-sign
set caname "Fortinet_CA_SSL"
set untrusted-caname "Fortinet_CA_Untrusted"
set ssl-anomalies-log enable
set ssl-exemptions-log disable
set rpc-over-https disable
set mapi-over-https disable
set use-ssl-server disable
next
end
next
end

Labels:
3226
0 Kudos
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.