Administration Guide

Security Profiles

The FortiProxy unit combines a number of security features to protect your network from threats. As a whole, these features, when included in a single Fortinet security appliance, are referred to as security profiles.

A profile is a group of settings that you can apply to one or more firewall policies. Each Security Profile feature is enabled and configured in a profile, list, or sensor. These are then selected in a security policy and the settings apply to all traffic matching the policy. For example, if you create an antivirus profile that enables antivirus scanning of HTTP traffic, and select the antivirus profile in the security policy that allows your users to access the World Wide Web, all of their web browsing traffic will be scanned for viruses.

Because you can use profiles in more than one security policy, you can configure one profile for the traffic types handled by a set of firewall policies requiring identical protection levels and types, rather than repeatedly configuring those same profile settings for each individual security policy.

For example, while traffic between trusted and untrusted networks might need strict protection, traffic between trusted internal addresses might need moderate protection. To provide the different levels of protection, you might configure two separate sets of profiles: one for traffic between trusted networks, and one for traffic between trusted and untrusted networks. FortiProxy does not modify the original payload if no security action is taken.

The following are brief descriptions of the security profiles and their features.

Antivirus

Your FortiProxy unit stores a virus signature database that can identify more than 15,000 individual viruses. FortiProxy models that support additional virus databases are able to identify hundreds of thousands of viruses. With a FortiGuard Antivirus subscription, the signature databases are updated whenever a new threat is discovered.

Antivirus also includes file filtering. When you specify files by type or by file name, the FortiProxy unit will block the matching files from reaching your users.

FortiProxy units with a hard drive or configured to use a FortiAnalyzer unit can store infected and blocked files that you can examine later.

Web filter

Web filtering includes a number of features you can use to protect or limit your users’ activity on the web.

FortiGuard Web Filtering is a subscription service that allows you to limit access to web sites. More than 60 million web sites and two billion web pages are rated by category. You can choose to allow or block each of the 77 categories.

URL filtering can block your network users from access to URLs that you specify.

Web content filtering can restrict access to web pages based on words and phrases appearing on the web page itself. You can build lists of words and phrases, each with a score. When a web content list is selected in a web filter profile, you can specify a threshold. If a user attempts to load a web page and the score of the words on the page exceeds the threshold, the web page is blocked.

You can create overrides to web filter profiles as well.
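The scored word-list mechanism described above is easy to get wrong in practice (case, partial-word matches, text hidden inside markup), so here is a small worked implementation of it. This is an added example, not FortiProxy code or a FortiGuard list: the word list, the scores, the threshold and the two sample pages are all constructed, and two behaviours are assumptions of the example rather than documented FortiProxy behaviour, namely that every occurrence of a phrase adds its score and that phrases are matched as whole words.

```python
import re
from typing import Dict, List, Tuple

# Constructed word/phrase list (not a FortiGuard or FortiProxy list).
# Each entry is (word or phrase, score). Matching is case-insensitive
# and on whole words, so "casinos" does not hit "casino" (an assumption).
CONTENT_LIST: List[Tuple[str, int]] = [
    ("casino", 10),
    ("poker", 10),
    ("free bet", 20),
    ("jackpot", 5),
]

# Threshold chosen for the example; a page is blocked when its score exceeds it.
THRESHOLD = 30


def compile_list(entries: List[Tuple[str, int]]) -> list:
    """Turn (phrase, score) pairs into (phrase, regex, score) triples."""
    return [
        (phrase, re.compile(r"\b" + re.escape(phrase) + r"\b", re.IGNORECASE), score)
        for phrase, score in entries
    ]


def visible_text(html: str) -> str:
    """Strip tags so markup can neither hide a phrase nor split one.
    A real engine would parse HTML properly; this regex is enough for
    the constructed samples below."""
    return re.sub(r"<[^>]+>", " ", html)


def score_page(html: str, compiled: list) -> Tuple[int, Dict[str, int]]:
    """Sum score * occurrences for every list entry found on the page.
    Counting each occurrence, rather than each distinct phrase once,
    is an assumption of this example."""
    text = visible_text(html)
    total = 0
    hits: Dict[str, int] = {}
    for phrase, rx, score in compiled:
        n = len(rx.findall(text))
        if n:
            hits[phrase] = n
            total += n * score
    return total, hits


def decide(html: str, threshold: int = THRESHOLD,
           entries: List[Tuple[str, int]] = CONTENT_LIST) -> Tuple[str, int, Dict[str, int]]:
    """Return ("block" or "allow", score, hits) for one page."""
    total, hits = score_page(html, compile_list(entries))
    return ("block" if total > threshold else "allow"), total, hits


# Constructed sample pages.
GAMBLING_PAGE = (
    "<html><body><h1>Best Online Casino</h1>"
    "<p>Join the casino and claim your FREE BET today. Jackpot!</p></body></html>"
)
CARD_GAME_PAGE = "<html><body><p>Poker night rules for our club.</p></body></html>"

if __name__ == "__main__":
    for page in (GAMBLING_PAGE, CARD_GAME_PAGE):
        verdict, score, hits = decide(page)
        print(verdict, score, hits)
```

The second sample shows why the threshold matters: a single list hit ("poker") on an otherwise harmless page scores 10 and is allowed, while the first page accumulates 45 across several hits and is blocked. Tuning is a matter of raising the threshold until such single-hit pages pass, not of removing words from the list.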

Video filter

With the video filter profile, you can filter YouTube videos by channel ID for a more granular override of a single channel, user, or video. The video filter profile is currently supported in proxy-based policies and requires SSL deep inspection.

DNS filter

The FortiProxy unit inspects DNS traffic to any DNS server, as long as the policy has DNS inspection enabled. It intercepts DNS requests, regardless of their destination IP, and redirects them to the FortiGuard Secure DNS server (which is separate from the FortiGuard DNS server).

The Secure DNS server will resolve and rate the FQDN and send a DNS response which includes both IP and rating of the FQDN back to the FortiProxy, where it will handle the DNS response according to the DNS filter profile.

Application control

Although you can block the use of some applications by blocking the ports they use for communications, many applications do not use standard ports to communicate. Application control can detect the network traffic of more than 1,000 applications, improving your control over application communication.

You can also write custom signatures tailored to your network.

Intrusion protection

The FortiProxy Intrusion Protection System (IPS) protects your network against hacking and other attempts to exploit vulnerabilities of your systems. More than 3,000 signatures are able to detect exploits against various operating systems, host types, protocols, and applications. These exploits can be stopped before they reach your internal network.

You can also write custom signatures tailored to your network.

File filter

The file filter allows the FortiProxy unit to block files passing through by file type, determined from the file's metadata only, not from its size or content. To block files by size or content (for example SSN numbers, credit card numbers, or a regular expression pattern), configure a DLP sensor instead. The file filter can be applied directly to firewall policies.

SSL/SSH inspection

SSL/SSH inspection (also known as deep inspection) scans HTTPS traffic in the same way that HTTP traffic is scanned. The FortiProxy unit terminates the encrypted session on behalf of the client, inspects the plaintext, then re-encrypts the traffic and sends it on to its intended destination. For this to be transparent, clients must trust the CA certificate the FortiProxy unit uses to re-sign server certificates; otherwise they will see certificate warnings.

Individual Deep Inspection profiles can be created, depending on the requirements of the policy. Depending on the profile, you can:

  • Configure which CA certificate will be used to decrypt the SSL encrypted traffic
  • Configure which SSL protocols will be inspected
  • Configure which ports will be associated with which SSL protocols for inspection
  • Configure whether or not to allow invalid SSL certificates
  • Configure whether or not SSH traffic will be inspected

Data leak prevention

Data leak prevention (DLP) allows you to define the format of sensitive data. The FortiProxy unit can then monitor network traffic and stop sensitive information from leaving your network. Rules for U.S. social security numbers, Canadian social insurance numbers, as well as Visa, Mastercard, and American Express card numbers are included.
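The file filter and DLP paragraphs above draw a line that is worth seeing in code: one decision looks only at what kind of file is passing, the other looks inside the content. The example below, added here and not FortiProxy's own logic, shows both side by side. It uses leading magic bytes as the type identifier (the page says only that the file filter uses metadata, so that concrete method is an assumption), and it implements the three rule families the page lists (U.S. SSN, Canadian SIN, Visa/Mastercard/Amex) as regular expressions with a Luhn checksum on top. The checksum is added to cut false positives; whether the built-in FortiProxy rules validate it is not stated on this page. The magic-byte table, the sample upload text and the sample file bytes are constructed.

```python
import re
from typing import Dict, List

# --- File filter: type from the file's own signature, never its size or payload ---

# Constructed magic-byte table (a real engine knows far more types).
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),          # also the container for docx/xlsx/jar
    (b"MZ", "exe"),                  # Windows PE
    (b"\x7fELF", "elf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
]


def detect_type(data: bytes) -> str:
    for sig, name in MAGIC:
        if data.startswith(sig):
            return name
    return "unknown"


def file_filter(filename: str, data: bytes, blocked_types: set) -> str:
    """Metadata-only decision. The filename extension is deliberately ignored,
    so renaming payload.exe to report.pdf does not help the sender, and the
    size and contents of the file do not influence the verdict."""
    return "block" if detect_type(data) in blocked_types else "pass"


# --- DLP: patterns over the content, which the file filter cannot see ---

SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
SIN_RE = re.compile(r"\b\d{3}[- ]?\d{3}[- ]?\d{3}\b")
# Visa: 4 + 12 or 15 digits; Mastercard: 51-55 + 14; Amex: 34/37 + 13.
# Contiguous digits only; spaced or dashed card numbers are not handled here.
CARD_RE = re.compile(r"\b(?:4\d{12}(?:\d{3})?|5[1-5]\d{14}|3[47]\d{13})\b")


def luhn_ok(number: str) -> bool:
    """Luhn checksum, used by payment cards and Canadian SINs.
    Separators are skipped so '046-454-286' is checked as 046454286."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def dlp_scan(text: str) -> Dict[str, List[str]]:
    """Return the sensitive values found, grouped by rule name."""
    return {
        "ssn": SSN_RE.findall(text),
        "sin": [s for s in SIN_RE.findall(text) if luhn_ok(s)],
        "card": [c for c in CARD_RE.findall(text) if luhn_ok(c)],
    }


def dlp_verdict(text: str) -> str:
    return "block" if any(dlp_scan(text).values()) else "pass"


# Constructed samples.
EXE_BYTES = b"MZ\x90\x00" + b"\x00" * 60
PDF_BYTES = b"%PDF-1.7\n%constructed\n"
UPLOAD_TEXT = (
    "Customer record: SSN 123-45-6789, SIN 046-454-286, "
    "card 4111111111111111 (Visa), card 378282246310005 (Amex), "
    "mistyped card 4111111111111112, order 000-12-3456"
)

if __name__ == "__main__":
    print(file_filter("report.pdf", EXE_BYTES, {"exe", "elf"}))   # renamed exe
    print(file_filter("report.pdf", PDF_BYTES, {"exe", "elf"}))   # real pdf
    print(dlp_scan(UPLOAD_TEXT), dlp_verdict(UPLOAD_TEXT))
```

Note what each half misses: the file filter blocks a renamed executable but passes a PDF full of card numbers, and DLP catches the card numbers but says nothing about file type. The mistyped card number and the "order" number that merely looks like an SSN are both rejected by the checksum and the SSN range rules, which is the kind of false-positive control you will want before turning a DLP sensor from log to block.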

Order of execution of security profiles

  1. Check whether the source IP is banned by the UTM quarantine.
  2. For transparent HTTPS traffic, process TLS ClientHello with/without SNI:
    1. Check the firewall policy to determine what to allow or deny and which security profiles to apply, including TLS inspection mode, forwarding proxy, and so on.
    2. Check the TLS exemption of deep inspection if necessary.
    3. Check the URL filtering of the web-filtering profile based on hosts learned from TLS negotiation and whether web-filter-based exemptions need to be applied.
    4. Apply TLS sanity checks.
    5. If no deep inspection is needed, forward the traffic in both directions without decrypting it, applying only whatever IPS scanning is possible on the encrypted stream.
  3. Process the HTTP request headers for plaintext HTTP or decrypted HTTPS traffic:
    1. Check the firewall policy on the HTTP request to determine whether to allow or deny and which security profiles to apply:
      1. Check the TLS inspection mode for the HTTP CONNECT request.
      2. Determine the forwarding proxy for plaintext HTTP.
    2. Check the URL filtering of the web-filtering profile based on the URL in the HTTP request.
    3. Apply the video filter profile if necessary.
    4. Apply the web application profile (WAF) on the HTTP headers if necessary.
    5. Apply the web proxy profile to the HTTP request header.
    6. Perform a botnet check in the IPS profile if necessary.
    7. Apply the ICAP profile to forward the HTTP request headers to the ICAP server.
    8. Apply the IPS sensor and Application Control profiles to the HTTP request headers.
  4. Process the HTTP request streaming data of the body if the body exists:
    1. Apply the web application profile (WAF) on the HTTP request body if necessary.
    2. Apply the stream-based file filtering, web content filtering, and antivirus scanning.
    3. Apply the IPS sensor and Application Control profiles to the HTTP request body.
    4. Apply the ICAP profile to forward the HTTP request body to the ICAP server.
  5. Process the HTTP request whole body if the body exists:
    1. Apply file filtering, web content filtering, antivirus scanning, and DLP to the whole HTTP request.
  6. Process the HTTP response headers:
    1. Apply the web application profile (WAF) on the HTTP headers if necessary.
    2. Apply the web proxy profile to the HTTP response headers.
    3. Apply the ICAP profile to forward the HTTP response headers to the ICAP server.
    4. Apply the IPS sensor and Application Control profiles to the HTTP response headers.
  7. Process the HTTP response streaming data of the body if the body exists:
    1. Apply the web application profile (WAF) on the HTTP response body if necessary.
    2. Apply the stream-based file filtering, web content filtering, and antivirus scanning.
    3. Apply the IPS sensor and Application Control profiles to the HTTP response body.
    4. Apply the ICAP profile to forward the HTTP response body to the ICAP server.
  8. Process the HTTP response whole body if the body exists:
    1. Apply file filtering, web content filtering, antivirus scanning, and DLP to the whole HTTP response.
