Posts Tagged ‘policy’

```powershell
# Unpin an application from the Windows taskbar by invoking the "Unpin from taskbar"
# shell verb on its entry in the Applications shell folder (shell:::{4234d49b-...}).
$appname = "Microsoft Edge"
$exec = $false
$apps = (New-Object -ComObject Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items()
($apps | Where-Object { $_.Name -eq $appname }).Verbs() |
    Where-Object { $_.Name.Replace('&', '') -match 'Unpin from taskbar' } |
    ForEach-Object { $_.DoIt(); $exec = $true }   # $exec records that the verb was found and run
```

Recently an email came in from a third party that wasn't blocked by Impersonation Protection.

Administration > Gateway > Policies > Impersonation Protection Definitions  

Default Impersonation Protection for Mimecast 

  • Similar Internal Domain (Similarity Distance 2)
  • Newly Observed Domain (Checked)
  • Internal User Name (Checked)
  • Reply-to Address Mismatch (Unchecked)
  • Targeted Threat Dictionary (Checked)
  • Mimecast Threat Dictionary (Checked)
  • Number of Hits: 2
  • Ignore Signed Messages (Unchecked)

For executives, particularly those who are disclosed on the company website, I recommend implementing a hit score of 1 on emails that use their name as the display name.

Exec Impersonation Protection

  • Similar Internal Domain (Checked)
  • Newly Observed Domain (Checked)
  • Internal User Name (Checked)
  • Number of Hits: 1


Administration > Gateway > Policies > Impersonation Protection > New Policy 


Selection Option: Choose the new definition that was just created 
Addresses based on: Both 
Applies from: Header Display Name 
Specifically: INSERT NAME 
Applies To: Internal Addresses 
Save and Exit 

I would advise that display name checks are in place for all high-profile targets, particularly those disclosed on the company website or other public sources. You may also want to consider alternative spellings. An individual policy is required for each display name.
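As an added illustration (not Mimecast's own code), the following Python model shows how hit-based definitions like the ones above combine, and why a message with only a display-name match passes the default threshold of 2 but is held by the executive policy with Number of Hits 1. The internal domain and executive name are constructed sample values.

```python
from typing import List, Optional

# Constructed sample data: the company's own domain and the executives published on its website.
INTERNAL_DOMAINS = {"example.com"}
EXEC_DISPLAY_NAMES = {"jane doe"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; models the 'Similar Internal Domain' similarity distance."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def impersonation_hits(display_name: str, from_domain: str, reply_to_domain: Optional[str] = None,
                       newly_observed: bool = False, distance: int = 2) -> List[str]:
    """Return the names of the checks that fire for one inbound message (illustrative logic)."""
    hits = []
    sender = from_domain.lower()
    external = sender not in INTERNAL_DOMAINS
    if external and any(levenshtein(sender, d) <= distance for d in INTERNAL_DOMAINS):
        hits.append("similar_internal_domain")        # lookalike of an internal domain
    if newly_observed:
        hits.append("newly_observed_domain")          # domain first seen recently
    if external and display_name.strip().lower() in EXEC_DISPLAY_NAMES:
        hits.append("internal_user_name")             # external sender using an exec's name
    if reply_to_domain and reply_to_domain.lower() != sender:
        hits.append("reply_to_address_mismatch")      # replies routed elsewhere
    return hits


def is_flagged(hits: List[str], number_of_hits: int) -> bool:
    """A message is held once at least 'Number of Hits' checks have fired."""
    return len(hits) >= number_of_hits


if __name__ == "__main__":
    # Constructed message: free-mail sender using the CEO's name as the display name.
    hits = impersonation_hits("Jane Doe", "gmail.com")
    # One hit: the default definition (2 hits) lets it through, the exec policy (1 hit) holds it.
    print(hits, is_flagged(hits, 2), is_flagged(hits, 1))
```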


Recently I needed to train a SysAdmin on how to whitelist sites using the GUI. I couldn't find an online guide (only CLI ones), so here it is!

1. Create a Block and Allow List
2. Add the URLs you would like to block and allow
3. Create a new policy to block and allow these
4. Add this policy as a UTM Policy under Web Filtering Policies
5. Define this UTM policy in between zones


Users who SSL-VPN into the office need to route to a different subnet that is connected via an IPsec VPN.

You should already have address objects set up for your SSL VPN users and for the remote site.

Add the below policies:

Policy :

Incoming Interface <VPN interface to Remote Site>
Source Address VPN all
Outgoing Interface ssl.root
Destination Address SSLVPN_TUNNEL_ADDR1
Schedule Always
Service all
Action Accept

Policy :

Incoming Interface ssl.root
Source Address VPN SSLVPN_TUNNEL_ADDR1
Outgoing Interface <VPN interface to Remote Site>
Destination Address all
Schedule Always
Service all
Action Accept
Enable NAT
Select Use Dynamic IP Pool and create a pool (<IP of Fortigate>-<IP of Fortigate>).
