Credential phishing prevention
When credential phishing prevention is enabled, the FortiGate scans for corporate credentials submitted to external websites and compares them to sensitive credentials stored in the corporate domain controller. Based on the configured antiphishing rules in proxy mode web filter profiles, the FortiGate will block the URL or alert the user if the credentials match ones that are stored on the corporate domain controller.
- The corporate domain controller must be configured in the domain controller settings (config user domain-controller).
- For FortiGate to retrieve the domain information, the account that FortiGate uses to connect must be granted the Replicating Directory Changes permission on the Domain Controller (DC). See How to grant the "Replicating Directory Changes" permission for the Microsoft Metadirectory Services ADMA service account for more information.
- Credentials can be matched based on sAMAccountName, user principal name (UPN, user@domain), or down-level logon name (DOMAIN\user).
- The antiphishing profile defines the corporate domain controller, the antiphishing check options, the default action if no rule matches, the antiphishing status, and so on.
- Inspection entries in the profile define the action taken when the submission request matches the specified FortiGuard categories.
- The profile scans for pre-defined and custom username and password fields in the HTTP request, such as username, auth, and password. You can evaluate custom fields by configuring custom patterns.
- The URL filter defines individual URLs that the antiphish action (block or log) is applied to when the URL of the submission request matches.
Standard web filter URL filter actions and FortiGuard category-based filtering take priority over the antiphishing URL filter actions and the antiphishing FortiGuard category inspection entries: the regular web filter verdict is applied first, and the antiphishing rules only decide requests that the regular web filter lets through.
In this example, URLs that match FortiGuard category 37 (social networking) will be blocked and other categories will be logged.
To configure credential phishing prevention:
- Configure the corporate domain controller:

    config user domain-controller
        edit "win2016"
            set hostname "win2016"
            set domain-name "corpserver.local"
            set username "Administrator"
            set password **********
            set ip <server_ip>
        next
    end

  The hostname and the domain-name are case sensitive.
- Configure the antiphishing profile, which includes the FortiGuard category rule:

    config webfilter profile
        edit <profile-name>
            set feature-set proxy
            ...
            config web
                ...
            end
            config antiphish
                set status enable
                set domain-controller "win2016"
                set default-action block
                set check-uri enable
                set check-basic-auth enable
                set max-body-len 65536
                config inspection-entries
                    edit "inspect-37"
                        set fortiguard-category 37
                        set action block
                    next
                    edit "inspect-others"
                        set fortiguard-category all
                        set action log
                    next
                end
                config custom-patterns
                    edit "customer-name"
                        set category username
                    next
                    edit "customer-passwd"
                        set category password
                    next
                end
            end
            ...
            set web-antiphishing-log enable
        next
    end

  - check-uri enables scanning of HTTP GET URI parameters.
  - check-basic-auth enables scanning of the HTTP Basic authentication header.
- Configure the URL filter to scan specific URLs.

  The antiphish action is added to the URL filter table entry, and the URL filter table is then applied to the web filter profile:

    config webfilter urlfilter
        edit 1
            set name "antiphish-table"
            config entries
                edit 1
                    set url "www.example.com"
                    set type simple
                    set antiphish-action block
                    set status enable
                    set referrer-host ''
                next
            end
        next
    end
    config webfilter profile
        edit "<profile-name>"
            config web
                set urlfilter-table 1
            end
            ...
        next
    end
- Optionally, define custom patterns to scan fields other than the built-in username and password keywords. The custom-patterns table sits inside the antiphish block of the web filter profile (as in the profile above); the entry name is the field name to match, and category says whether that field carries a username or a password:

    config webfilter profile
        edit "<profile-name>"
            config antiphish
                config custom-patterns
                    edit "customer-name"
                        set category username
                    next
                    edit "customer-passwd"
                        set category password
                    next
                end
            end
        next
    end
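The decision logic that the steps above configure, written out as an added Python simulation (this is illustration code, not FortiOS or Fortinet code): it pulls credential fields from the URI query, the request body and the Basic authentication header according to check-uri, check-basic-auth, max-body-len and the custom patterns, maps sAMAccountName, UPN and down-level logon names to one account, compares the submission against a constructed stand-in for the domain controller's credential store, and applies the precedence described on this page (standard web filter first, then the antiphish URL filter entry, the inspection entries and default-action). The digest function, the NetBIOS name CORPSERVER, the sample user, the standard web filter entries and the request messages are all constructed for the example; how the appliance actually compares a submitted credential with what it has replicated from the DC is not stated on the page, and the assumption that only the first max-body-len bytes of a body are scanned is likewise the example's own.

```python
import base64
import hashlib
from urllib.parse import parse_qsl, urlsplit

# --- Constructed stand-in for the corporate domain controller ----------------
# The store keys on sAMAccountName and holds a digest of the password. The digest
# is an assumption for the illustration, not what a FortiGate receives from the DC.
DOMAIN_NAME = "corpserver.local"   # matches the page's domain-name
NETBIOS_NAME = "CORPSERVER"        # assumed NetBIOS name for the DOMAIN\user form


def password_digest(password: str) -> str:
    return hashlib.sha256(password.encode("utf-16-le")).hexdigest()


DC_STORE = {"jdoe": password_digest("Winter2024!")}   # constructed sample user


def to_sam_account_name(user: str) -> str:
    """Map sAMAccountName, UPN (user@domain) or down-level (DOMAIN\\user) to
    sAMAccountName. Returns "" for accounts of some other domain."""
    user = user.strip()
    if "@" in user:
        name, domain = user.rsplit("@", 1)
        return name.lower() if domain.lower() == DOMAIN_NAME else ""
    if "\\" in user:
        domain, name = user.split("\\", 1)
        return name.lower() if domain.upper() == NETBIOS_NAME else ""
    return user.lower()


# Built-in field names named on the page; custom-patterns add to them.
BUILTIN_USERNAME_FIELDS = {"username", "auth"}
BUILTIN_PASSWORD_FIELDS = {"password"}


def extract_candidates(request: dict, antiphish: dict) -> list:
    """(user, password) pairs found in URI parameters (check-uri), the body
    (first max-body-len bytes, assumed) and Basic auth (check-basic-auth)."""
    custom = antiphish["custom_patterns"]
    user_fields = BUILTIN_USERNAME_FIELDS | {p for p, c in custom.items() if c == "username"}
    pass_fields = BUILTIN_PASSWORD_FIELDS | {p for p, c in custom.items() if c == "password"}
    fields = []
    if antiphish["check_uri"]:
        fields += parse_qsl(urlsplit(request["url"]).query)
    fields += parse_qsl(request.get("body", "")[: antiphish["max_body_len"]])
    users = [v for k, v in fields if k.lower() in user_fields]
    passwords = [v for k, v in fields if k.lower() in pass_fields]
    pairs = [(u, p) for u in users for p in passwords]
    auth = request.get("headers", {}).get("Authorization", "")
    if antiphish["check_basic_auth"] and auth.startswith("Basic "):
        try:
            user, password = base64.b64decode(auth[6:]).decode().split(":", 1)
            pairs.append((user, password))
        except (ValueError, UnicodeDecodeError):
            pass   # malformed header: nothing to compare
    return pairs


def is_corporate_credential(pairs: list) -> bool:
    return any(DC_STORE.get(to_sam_account_name(u)) == password_digest(p) for u, p in pairs)


def decide(request: dict, profile: dict) -> tuple:
    """Precedence from the page: standard web filter (URL filter table, FortiGuard
    category block) first; then antiphish URL filter entry, inspection entries
    (specific category before 'all', an assumed ordering) and default-action."""
    host = urlsplit(request["url"]).hostname
    category = request["category"]
    if profile["web_urlfilter"].get(host) == "block":
        return "block", "web urlfilter"
    if category in profile["web_blocked_categories"]:
        return "block", "fortiguard category"
    ap = profile["antiphish"]
    if not ap["status"]:
        return "pass", "antiphish disabled"
    if not is_corporate_credential(extract_candidates(request, ap)):
        return "pass", "no corporate credential submitted"
    if host in ap["urlfilter"]:
        return ap["urlfilter"][host], "antiphish urlfilter"
    entries = ap["inspection_entries"]
    if category in entries:
        return entries[category], f"inspection entry for category {category}"
    if "all" in entries:
        return entries["all"], "inspection entry for all categories"
    return ap["default_action"], "default-action"


# Profile mirroring the page's CLI example; web_urlfilter and
# web_blocked_categories are constructed to exercise the precedence rule.
PROFILE = {
    "web_urlfilter": {"malware.example.org": "block"},
    "web_blocked_categories": {26},
    "antiphish": {
        "status": True, "default_action": "block",
        "check_uri": True, "check_basic_auth": True, "max_body_len": 65536,
        "inspection_entries": {37: "block", "all": "log"},
        "custom_patterns": {"customer-name": "username", "customer-passwd": "password"},
        "urlfilter": {"www.example.com": "block"},
    },
}


def b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed requests; category numbers stand in for FortiGuard ratings.
REQUESTS = {
    "urlfilter": {"url": "https://www.example.com/login", "category": 20,
                  "body": "username=jdoe&password=Winter2024!"},
    "social": {"url": "https://social.example.net/signin", "category": 37,
               "body": "auth=jdoe%40corpserver.local&password=Winter2024!"},
    "blog_get": {"url": "https://blog.example.org/?customer-name=CORPSERVER%5Cjdoe"
                        "&customer-passwd=Winter2024!", "category": 20},
    "wrong_pw": {"url": "https://blog.example.org/", "category": 20,
                 "body": "username=jdoe&password=nope"},
    "basic": {"url": "https://api.example.org/", "category": 20,
              "headers": {"Authorization": "Basic " + b64("jdoe:Winter2024!")}},
    "webblock": {"url": "https://malware.example.org/", "category": 20,
                 "body": "username=jdoe&password=Winter2024!"},
}

if __name__ == "__main__":
    for name, req in REQUESTS.items():
        print(f"{name:10s} -> {decide(req, PROFILE)}")
```

Running it shows the order in which the rules are consulted: the malware.example.org request is blocked by the standard web filter before any credential check, www.example.com is blocked by the antiphish URL filter entry, the category 37 submission by the inspect-37 entry, the other corporate-credential submissions are logged by inspect-others, and a wrong password or a foreign-domain account is passed as not corporate. Flipping check_uri or check_basic_auth to False in PROFILE makes the GET-parameter and Basic-auth cases pass, which is the behaviour the two profile options control.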