Fortinet 201 FG Web Filtering
Transcript of Fortinet 201 FG Web Filtering
-
5/24/2018 Fortinet 201 FG Web Filtering
1/30
1
2013 Fortinet Inc. All rights reserved.
The information contained herein is subject to change without notice. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc. 01-50003-0201-20131018-D
FortiGate Multi-Threat Security Systems I
Module 9: Web Filtering
-
Module Objectives
By the end of this module participants will be able to:
Identify the web filtering mechanisms used on the FortiGate device
Create web content and URL filters
Configure FortiGuard Web Filtering
Configure FortiGuard Web Filtering exemptions and rating overrides
Define firewall policies using web filter profiles
Explain the differences between various web filter modes
-
Web Filtering
Means of controlling the web content that a user is able to view
Preserve employee productivity
Prevent network congestion where valuable bandwidth is used for non-business purposes
Prevent loss or exposure of confidential information
Decrease exposure to web-based threats
Limit legal liability when employees access or download inappropriate or offensive material
Prevent copyright infringement caused by employees downloading or distributing copyrighted materials
Prevent children from viewing inappropriate material
-
Proxy-Based Web Filtering
Proxy based solution that communicates between client and server
Inspects full URL
Allows for customizable block pages to display when sites are prevented
Most resource intensive option
Lowest throughput
Has the most options available in Advanced section
-
Proxy-Based Web Filtering
Select inspection mode in web filter profile
-
Flow-Based Web Filtering
Non-proxy solution that uses IPS engine to perform inspection
High throughput
Inspects full URL
FortiGuard Web Filtering override will not apply when flow-based inspection is enabled
Only a few Advanced options available
Not as flexible as proxy-based
  Allow, Monitor, Block ONLY
  Warn and Authenticate not possible
  Overrides not possible
-
Flow-Based Web Filtering
Select inspection mode in web filter profile
-
DNS-Based Web Filtering
DNS-proxy solution that uses DNS queries to decide access
DNS queries redirected to FortiGuard SDNS server
Very lightweight
SSL inspection never required
Cannot inspect URL, only hostname (DNS)
Supports URL Filtering and FortiGuard Category only
No individual block pages, can redirect to a portal
Web site access by IP means no DNS lookup
-
DNS-Based Web Filtering
Select inspection mode in web filter profile
-
When Does Filtering Activate?
[Diagram: request to www.acme.com shown as the sequence DNS Request, DNS Response, TCP 3-Way Handshake, HTTP GET, HTTP 200, with "!" markers placed on the sequence]
-
HTTP Inspection Order
[Diagram: the checks shown are Web URL Filter, FortiGuard Filter, Content Filter, Advanced Filter and Virus Scan. Each check results in Allow or Block; Block ends at a Block Page. A Web URL Filter result of Exempt is EXEMPT (from ALL further inspection). A request allowed by every check ends at Display Page.]
-
Types of Web Filtering
Proxy-Based
  Highly secure
  Traffic is cached
Flow-Based
  High throughput
  No caching
  Not as secure
DNS-Based
  Very lightweight
  Hostname filtering only
  No advanced options, URL and FortiGuard only
-
Web Content Filtering
Create Pattern list in the CLI
Allow or block web pages containing specific words or patterns
Wildcards or regular expressions used to define patterns
Scores for matched patterns are added
If greater than threshold, FortiGate unit performs configured action
If pattern appears multiple times on web page, score is only counted once
[Diagram: page at www.acme.com matching the patterns Drugs (Score=10), Pharmacy (Score=5) and Prescription (Score=5); Threshold=18; 10 + 5 + 5 = 20; Block or Exempt]
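Added example (not part of the original slides and not Fortinet code): a Python model of the scoring rule on this slide, using the slide's scores (10, 5, 5) and threshold (18). The names Pattern and content_filter, the "pass" result, the per-word case-insensitive wildcard matching and the sample pages are assumptions made for illustration.

```python
import fnmatch
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Pattern:
    text: str   # word, wildcard (* and ?) or regular expression
    kind: str   # "wildcard" or "regexp"
    score: int

def pattern_matches(p, page_text, words):
    """True if the pattern occurs at least once on the page."""
    if p.kind == "regexp":
        return re.search(p.text, page_text, re.IGNORECASE) is not None
    # Assumption: wildcards are matched per word, case-insensitively.
    return any(fnmatch.fnmatchcase(w, p.text.lower()) for w in words)

def content_filter(page_text, patterns, threshold, action="block"):
    """Return (decision, total). A pattern scores once however often it appears."""
    words = re.findall(r"\w+", page_text.lower())
    total = sum(p.score for p in patterns if pattern_matches(p, page_text, words))
    # The configured action fires only when the total is greater than the threshold.
    return (action if total > threshold else "pass"), total

# Scores and threshold from the slide; the wildcard/regexp forms are constructed.
SLIDE_PATTERNS = [
    Pattern("drugs", "wildcard", 10),
    Pattern("pharmac*", "wildcard", 5),
    Pattern(r"prescri(be|ption)s?", "regexp", 5),
]
THRESHOLD = 18

# Constructed sample pages.
PAGE_ALL = "Online pharmacy: order drugs today, no prescription needed."
PAGE_REPEAT = "Drugs, drugs and more drugs from our pharmacies."

if __name__ == "__main__":
    for name, page in (("PAGE_ALL", PAGE_ALL), ("PAGE_REPEAT", PAGE_REPEAT)):
        print(name, content_filter(page, SLIDE_PATTERNS, THRESHOLD))
```

PAGE_REPEAT stays under the threshold because the repeated word is scored once; counting every occurrence would have pushed it over.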
-
Web URL Filtering
Control web access by allowing or blocking URLs
Text, wildcards or regular expressions can be used to define the URL patterns
If no URL match on list, go on to next enabled check
Possible web URL filter actions are:
Allow
Block
Monitor
Exempt
-
Web URL Filtering
[Diagram: URL www.mypage.com/index.html checked against the URL Filter list; labels shown: www.example.com, www.abc.com, www.mypage.com/index.html, www.mypage.com; actions: Block, Allow, Monitor, Exempt]
-
Forcing Safe Search
Safe Search is used by search sites to prevent explicit web sites and images from appearing in search results
FortiGate unit rewrites the search URL to include the required codes to enable Safe Search
Supported for Google, Bing, Yahoo! and Yandex
Does NOT force strict safe search
YouTube EDU available
Instructions for YouTube will include value to enter on FortiGate unit
-
FortiGuard Category Filter
[Diagram: URL www.mypage.com looked up against Categories; actions: Block, Allow, Monitor, Warning, Authenticate]
-
FortiGuard Category Filter
The FortiGate unit accesses the FortiGuard Distribution Server to determine the category of a requested page
Action is taken based on selection in web filtering profile
Web filter rating determined by:
  Human rater
  Text analysis
  Exploitation of web structure
Description of Categories can be found on FortiGuard website: http://www.fortiguard.com/static/webfiltering.html
-
FortiGuard Category Filter
Split into multiple categories and sub-categories
Layout will switch periodically as the Internet changes
New categories and sub-categories are released and compatible with updated firmware
Older firmware has new values mapped to existing categories
-
FortiGuard Caching
Most web sites are visited over and over again
FortiGate unit can remember what the response was
Caching improves performance by reducing FortiGate unit requests to FortiGuard servers
Cache checked before sending request to FortiGuard server
TTL setting controls the number of seconds query results are cached
Small amount of FortiGate unit system memory dedicated to the cache
Default is 2% used for cache, can be increased to 15% from CLI
Port 53 used for FortiGuard communications
Alternate port number of 8888 can be used
KB Article IDs: 11779, FD32121, FD30088
-
FortiGuard Usage Quotas
Quotas allow access to specific categories for a specific length of time (calculated separately for each quota configured)
If authentication is enabled, quota is automatically based on the user, otherwise IP is used
Can only apply to categories with actions: Monitor, Warn or Authenticate
[Diagram: Category: Games, with Games Quota]
-
Rating Submissions
Requests for rating of a web site, or to have a web site's rating re-evaluated, can be submitted by accessing: http://www.fortiguard.com/ip_rep.php
-
Rating Override
www.acme.com
Category: General Organizations
Sub-Category: Information and Computer Security
Rating override
-
Rating Override
Can override the rating applied to a hostname by FortiGuard Subscription Services
Hostname reassigned to a completely different category and uses that action
Override applies to FortiGate unit only
Changes not submitted to FortiGuard Subscription Services
Hostnames only
google.com
www.google.com
www.google.com/index.html
-
Local Categories
Rename and deletion of sub-categories only in CLI
config webfilter ftgd-local-cat
    delete <category_name>
    rename <category_name> to <new_name>
-
Warning Action
Action = Warning (right click in the GUI)
Web Filtering Warning Page
-
Authenticate Action
www.hackthissite.org
Marketing
-
Web Filter Profiles
Web filtering, FortiGuard web filtering and Advanced Filter options enabled through web filtering profiles
Profile in turn applied to firewall policy
Any traffic being examined by the policy will have the web filtering operations applied to it
-
Labs
Lab 1: Web Filtering
Ex 1: FortiGuard Web Filtering
-
Classroom Lab Topology