Additional antiphishing settings
The following settings are available for antiphishing:
- Enable DNS service (SRV) record lookup for the domain controller so that its IP address does not need to be configured; the FortiGate resolves the domain controller address through the configured DNS server.
- Specify the source IP address and port the FortiGate uses when connecting to the domain controller to fetch credentials.
- Use an LDAP server as the credential source (only OpenLDAP is supported).
- Block or log on a valid username match alone, regardless of whether the password matches (check-username-only).
- Use the literal pattern type, instead of the default regex type, for username and password custom patterns.
- Use Active Directory Lightweight Directory Services (AD LDS) as the credential source.
Configuration examples
To enable DNS service lookup:
    config user domain-controller
        edit "win2016"
            set ad-mode ds
            set dns-srv-lookup enable
            set hostname "win2016"
            set username "replicate"
            set password **********
            set domain-name "SMB2016.LAB"
        next
    end
To specify the source IP and port for the fetching domain controller:
    config user domain-controller
        edit "win2016"
            set ad-mode ds
            set hostname "win2016"
            set username "replicate"
            set password **********
            set ip-address 172.18.52.188
            set source-ip-address 172.16.100.1
            set source-port 2000
            set domain-name "SMB2016.LAB"
        next
    end
To use an LDAP server as a credential store:
- Configure the LDAP server:
        config user ldap
            edit "openldap"
                set server "172.18.60.214"
                set cnid "cn"
                set dn "dc=qafsso,dc=com"
                set type regular
                set username "cn=Manager,dc=qafsso,dc=com"
                set password **********
                set antiphish enable
                set password-attr "userPassword"
            next
        end
- Configure the web filter profile:
        config webfilter profile
            edit "webfilter"
                set feature-set proxy
                config ftgd-wf
                    unset options
                    config filters
                        edit 1
                            set action block
                        next
                    end
                end
                config antiphish
                    set status enable
                    config inspection-entries
                        edit "cat34"
                            set fortiguard-category 34
                            set action block
                        next
                    end
                    set authentication ldap
                    set ldap "openldap"
                end
                set log-all-url enable
            next
        end
To configure username-only credential matching:
    config webfilter profile
        edit "webfilter"
            set feature-set proxy
            config ftgd-wf
                unset options
                ...
            end
            config antiphish
                set status enable
                set check-username-only enable
                config inspection-entries
                    edit "cat34"
                        set fortiguard-category 34
                        set action block
                    next
                end
                set domain-controller "win2016"
            end
            set log-all-url enable
        next
    end
To configure different custom pattern types for usernames and passwords:
    config webfilter profile
        edit "webfilter"
            set feature-set proxy
            config ftgd-wf
                unset options
                ...
            end
            config antiphish
                set status enable
                config inspection-entries
                    edit "cat34"
                        set fortiguard-category 34
                        set action block
                    next
                end
                config custom-patterns
                    edit "qwer"
                        set type literal
                    next
                    edit "[0-6]Dat*"
                    next
                    edit "dauw9"
                        set category password
                        set type literal
                    next
                    edit "[0-5]foo[1-4]"
                        set category password
                    next
                end
                set domain-controller "win2016"
            end
            set log-all-url enable
        next
    end
In this example, the qwer and dauw9 entries use the literal type, while [0-6]Dat* and [0-5]foo[1-4] use the default regex type. The qwer and [0-6]Dat* entries use the default username category; dauw9 and [0-5]foo[1-4] are explicitly set to the password category.
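The following Python model is an added illustration, not FortiOS code, of how the literal and regex pattern types in the custom-patterns example above behave, and of how check-username-only changes the outcome of the username-only example. The matching semantics it uses are assumptions made for the illustration: a regex pattern hits when it is found anywhere in the submitted value, a literal pattern only on an exact, case-sensitive comparison with regex metacharacters treated as ordinary text, and a submission is flagged when a username pattern matches and, unless username-only checking is on, a password pattern also matches. The form submissions at the bottom are constructed inputs, not captured traffic.

```python
"""Added illustration of antiphishing custom-pattern matching (not FortiOS code).

Models the four `config custom-patterns` entries from the example above and shows
how the literal and regex pattern types differ, and how check-username-only changes
the verdict. The match semantics (regex = search anywhere in the value, literal =
exact case-sensitive equality; a hit needs a username match plus a password match
unless username-only checking is on) are assumptions for this illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CustomPattern:
    pattern: str
    category: str = "username"  # FortiOS default category
    ptype: str = "regex"        # FortiOS default type; "literal" is the alternative

    def matches(self, value: str) -> bool:
        if self.ptype == "literal":
            # Assumed: exact comparison, so '[', '*' and friends are plain characters.
            return value == self.pattern
        # Assumed: the regex may hit anywhere in the submitted value.
        return re.search(self.pattern, value) is not None


# The four entries configured in the example above.
PATTERNS = (
    CustomPattern("qwer", "username", "literal"),
    CustomPattern("[0-6]Dat*", "username"),        # default type: regex
    CustomPattern("dauw9", "password", "literal"),
    CustomPattern("[0-5]foo[1-4]", "password"),    # default type: regex
)


def hits(value, category, patterns=PATTERNS):
    """Return the patterns of the given category that match the submitted value."""
    return [p.pattern for p in patterns if p.category == category and p.matches(value)]


def verdict(username, password, patterns=PATTERNS, check_username_only=False):
    """'block' if the submission would trip the profile, otherwise 'allow'."""
    if not hits(username, "username", patterns):
        return "allow"
    if check_username_only or hits(password, "password", patterns):
        return "block"
    return "allow"


if __name__ == "__main__":
    # Constructed form submissions, not captured traffic.
    samples = [
        ("qwer", "dauw9"),       # both literal patterns hit -> block
        ("3Data", "2foo3"),      # both regex patterns hit -> block
        ("[0-6]Dat*", "dauw9"),  # the regex text itself is not a regex match -> allow
        ("qwerty", "dauw9"),     # literal type is exact, not substring -> allow
        ("qwer", "letmein"),     # username only -> allow unless check-username-only
    ]
    for user, pw in samples:
        print(f"{user!r:14} {pw!r:10} full={verdict(user, pw)} "
              f"username-only={verdict(user, pw, check_username_only=True)}")
```

The third sample is the point of the literal type: a username that literally reads [0-6]Dat* is not caught by the regex entry of the same text, so a credential that contains regex metacharacters has to be configured with set type literal to be matched as written.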
To configure Active Directory in LDS mode:
    config user domain-controller
        edit "win2016adlds"
            set hostname "win2016adlds"
            set username "foo"
            set password **********
            set ip-address 192.168.10.9
            set domain-name "adlds.local"
            set ad-mode lds
            set adlds-dn "CN=adlds1part1,DC=ADLDS,DC=COM"
            set adlds-ip-address 192.168.10.9
            set adlds-port 3890
        next
    end