Fortigate Application Control "Dropbox" excludes web-based access?

Author
AlexFeren
Silver Member
  • Total Posts : 102
  • Scores: 4
  • Reward points: 0
  • Joined: 2011/10/05 17:04:08
  • Status: offline
2017/04/19 01:36:09 (permalink)
0

Fortigate Application Control "Dropbox" excludes web-based access?

Dropbox service can be accessed using a web browser or a host-based app.
Does Application Control "Dropbox" apply to traffic from web browser, host-based app or both?
#1

10 Replies

    hmtay_FTNT
    Silver Member
    • Total Posts : 107
    • Scores: 8
    • Reward points: 0
    • Joined: 2017/02/22 11:02:10
    • Status: online
    Re: Fortigate Application Control "Dropbox" excludes web-based access? 2017/04/19 06:36:19 (permalink)
    0
    Hello AlexFeren,
     
    They cover both. However, with the host-based app, you have to use the "Dropbox.Lan.Sync.Discovery.Protocol" signature too. The Download and Upload signatures work only on the web browser. Dropbox implements certificate pinning on its standalone applications.
     
    HoMing
    #2
    AlexFeren
    Re: Fortigate Application Control "Dropbox" excludes web-based access? 2017/04/19 07:08:37 (permalink)
    0
    Hi HoMing, thanks for the reply.

    > They cover both.
    I don't see this at all. When I upload using a browser, I don't see the send/receive bandwidth numbers change in FortiAnalyzer's FortiView's Top Applications' "app=Dropbox"; on the other hand, I do see the corresponding numbers change in Top Websites' "domain=dropbox.com".

    Can you explain the observation?
    #3
    hmtay_FTNT
    Re: Fortigate Application Control "Dropbox" excludes web-based access? 2017/04/19 07:11:28 (permalink)
    0
    Did you enable deep-inspection? Those signatures require deep-inspection as they use HTTPS. You can do a quick check to see whether deep-inspection is enabled by looking at the certificate of the session. If it is replaced with your certificate or the default FGT one, then it's replaced. Otherwise, deep-inspection was not done.
    #4
    AlexFeren
    Re: Fortigate Application Control "Dropbox" excludes web-based access? 2017/04/19 22:23:00 (permalink)
    0
    > Did you enable deep-inspection? Those signature require deep-inspection as they use HTTPS.
     
    How would I know that? In
    FG60C (global) # get application name status | grep -A 15 Dropbox
    app-name: "Dropbox"
    id: 17459
    category: "Storage.Backup"
    cat-id: 22
    sub-category: "(null)"
    sub-cat-id: 0
    parameter:  
    popularity: 5.low
    risk: 3.low
    shaping: 0
    protocol: 1.TCP, 26.SSL, 9.HTTP
    vendor: 0.Other
    technology: 1.Browser-Based
    behavior:
    does "26.SSL" tell me that the signatures REQUIRE deep-inspection?
     
    There's a myriad of Dropbox-associated URLs (dropbox.com, dropboxstatic.com, dropboxapi.com, dropboxusercontent.com, dropboxpayments.com, dropboxforum.com, dropbox.de, dropboxusercontent.com, getdropbox.com and probably plenty more) - how can I obtain statistics on "all Dropbox" traffic?


    post edited by AlexFeren - 2017/04/19 22:32:42
    #5
    hmtay_FTNT
    Re: Fortigate Application Control "Dropbox" excludes web-based access? 2017/04/20 06:22:52 (permalink)
    0
    Hello,
     
    In your command, "get application name status | grep -A 15 Dropbox", you are short by 1 for your "grep -A" value. Use 16.
     
    You should get the following:
     
    FWF90D3Z14000497 # get application name status | grep -A 16 Dropbox
    app-name: "Dropbox"
    id: 17459
    category: "Storage.Backup"
    cat-id: 22
    sub-category: "(null)"
    sub-cat-id: 0
    parameter:
    popularity: 5.low
    risk: 3.low
    weight: 10
    shaping: 0
    protocol: 1.TCP, 26.SSL, 9.HTTP
    vendor: 0.Other
    technology: 1.Browser-Based
    behavior: 9.Cloud
    language: Multiple
    require_ssl_di: No
    --
    app-name: "Dropbox.Lan.Sync.Discovery.Protocol"
    id: 36313
    category: "Storage.Backup"
    cat-id: 22
    sub-category: "(null)"
    sub-cat-id: 0
    parameter:
    popularity: 4.low
    risk: 3.low
    weight: 20
    shaping: 0
    protocol: 2.UDP
    vendor: 0.Other
    technology: 2.Client-Server
    behavior: 9.Cloud
    language: Multiple
    require_ssl_di: No
    --
     
    require_ssl_di will tell you whether that signature requires deep-inspection or not. As for obtaining statistics on all Dropbox traffic: you can filter "Dropbox" under "Application Name" (in 5.6 - in other FortiOS versions, the name is probably slightly different) at Application Logs or using FortiView -> Applications.

    #6
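Added example (not from either poster, and not Fortinet code): a small parser for the `get application name status` output shown above. It splits the output into one record per signature, reads `require_ssl_di` where the field exists, and returns "unknown" when it is absent, as in the 5.2 output earlier in the thread, since the `26.SSL` protocol entry alone does not answer the deep-inspection question. The sample text is constructed: the "Dropbox" record is copied from the reply, the LAN-sync record is abbreviated, and "Hypothetical.Upload" (id 0) is a made-up record printed the way 5.2 prints it.

```python
"""Parse FortiOS `get application name status` output and answer, per signature,
"does it need SSL deep inspection?" from the require_ssl_di field.

Added example, not Fortinet code. SAMPLE_OUTPUT is constructed: the "Dropbox"
record is copied from the thread, the LAN-sync record is abbreviated, and
"Hypothetical.Upload" (id 0) is a made-up record printed the way FortiOS 5.2
prints it, i.e. without a require_ssl_di line.
"""
from typing import Dict, List, Optional

SAMPLE_OUTPUT = """\
app-name: "Dropbox"
id: 17459
category: "Storage.Backup"
cat-id: 22
sub-category: "(null)"
sub-cat-id: 0
parameter:
popularity: 5.low
risk: 3.low
weight: 10
shaping: 0
protocol: 1.TCP, 26.SSL, 9.HTTP
vendor: 0.Other
technology: 1.Browser-Based
behavior: 9.Cloud
language: Multiple
require_ssl_di: No
--
app-name: "Dropbox.Lan.Sync.Discovery.Protocol"
id: 36313
protocol: 2.UDP
technology: 2.Client-Server
require_ssl_di: No
--
app-name: "Hypothetical.Upload"
id: 0
protocol: 1.TCP, 26.SSL, 9.HTTP
technology: 1.Browser-Based
behavior:
"""


def parse_app_status(text: str) -> List[Dict[str, str]]:
    """Split the CLI output into one dict per signature.

    A new record starts at every "app-name:" line, so the parser does not depend
    on grep's "--" separator (absent when matches are contiguous) or on the
    blank-line separator seen in the 5.2 output.
    """
    records: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "--" or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if key == "app-name":
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records


def uses_ssl(rec: Dict[str, str]) -> bool:
    """True when the protocol list contains an SSL entry such as "26.SSL"."""
    return any(p.strip().endswith(".SSL") for p in rec.get("protocol", "").split(","))


def needs_deep_inspection(rec: Dict[str, str]) -> Optional[bool]:
    """Read require_ssl_di: True/False, or None when the field is missing
    (FortiOS 5.2 output). The protocol list alone cannot answer the question."""
    value = rec.get("require_ssl_di")
    if value is None:
        return None
    return value.lower() == "yes"


def summarize(text: str) -> Dict[str, tuple]:
    """Map app-name -> (uses_ssl, needs_deep_inspection)."""
    return {r["app-name"]: (uses_ssl(r), needs_deep_inspection(r))
            for r in parse_app_status(text)}


if __name__ == "__main__":
    for name, (ssl, di) in summarize(SAMPLE_OUTPUT).items():
        di_text = {True: "yes", False: "no", None: "unknown (no require_ssl_di field)"}[di]
        print(f"{name}: ssl={'yes' if ssl else 'no'}, deep-inspection required={di_text}")
```

Feed it the real CLI output (`get application name status` without the `grep -A` window, so no record is cut short) and every signature whose answer comes back as "unknown" is one where the firmware simply does not expose the field.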
    AlexFeren
    Re: Fortigate Application Control "Dropbox" excludes web-based access? 2017/04/20 17:11:56 (permalink)
    0
    hmtay:
    > you are short by 1 for your "grep -A" value. Use 16.

    No! I don't see "require_ssl_di" in v5.2.10, observe:
    FG60C (global) # get application name status | grep -A 20 Dropbox  
    app-name: "Dropbox"
    id: 17459
    category: "Storage.Backup"
    cat-id: 22
    sub-category: "(null)"
    sub-cat-id: 0
    parameter:  
    popularity: 5.low
    risk: 3.low
    shaping: 0
    protocol: 1.TCP, 26.SSL, 9.HTTP
    vendor: 0.Other
    technology: 1.Browser-Based
    behavior:

    app-name: "Dropbox.Lan.Sync.Discovery.Protocol"
    id: 36313
    :
     
    > require_ssl_di will tell you if that signature require deep-inspection or not.

    err..., your printout indicates value "No" for Dropbox application - doesn't this contradict your earlier allegation:
    > Those signatures require deep-inspection as they use HTTPS.
    ?
     
     
    > You can filter "Dropbox" under "Application Name" (in 5.6 - in other FortiOS, the name is probably slightly different) at Application Logs or using FortiView-> Applications.

    I'm using FortiAnalyzer: FortiView -> Application & Websites -> Top Applications, filter "app=Dropbox srcip=140.159.XX.YY":
    04-20 11:18    140.159.XX.YY    108.160.172.206    HTTPS    65.58KB/158.89KB        Dropbox    
    04-20 11:16    140.159.XX.YY    108.160.172.206    HTTPS    7.02KB/9.69KB        Dropbox    
    04-20 11:16    140.159.XX.YY    162.125.81.5    HTTPS    2.79KB/8.39KB        Dropbox    
    04-20 11:16    140.159.XX.YY    162.125.34.129    HTTPS    1.57KB/5.58KB        Dropbox    
    04-20 11:14    140.159.XX.YY    162.125.81.5    HTTPS    1.19KB/5.06KB        Dropbox    
    04-20 11:14    140.159.XX.YY    162.125.81.5    HTTPS    1.19KB/5.06KB        Dropbox    
    04-20 11:13    140.159.XX.YY    162.125.34.129    HTTPS    1.54KB/5.49KB        Dropbox    
    04-20 11:13    140.159.XX.YY    162.125.81.5    HTTPS    1.20KB/5.11KB        Dropbox    
    04-20 11:13    140.159.XX.YY    162.125.81.5    HTTPS    1.20KB/5.11KB        Dropbox    
    04-20 11:13    140.159.XX.YY    162.125.81.5    HTTPS    1.20KB/5.11KB        Dropbox    
    04-20 11:13    140.159.XX.YY    162.125.81.5    HTTPS    1.75KB/6.47KB        Dropbox    
    04-20 11:13    140.159.XX.YY    162.125.81.5    HTTPS    1.23KB/5.11KB        Dropbox    
    04-20 11:13    140.159.XX.YY    162.125.81.5    HTTPS    1.20KB/5.11KB        Dropbox    
    04-20 11:13    140.159.XX.YY    162.125.81.5    HTTPS    1.20KB/5.11KB        Dropbox    
    04-20 11:13    140.159.XX.YY    162.125.81.5    HTTPS    1.20KB/5.06KB        Dropbox    
    04-20 11:13    140.159.XX.YY    162.125.81.5    HTTPS    1.20KB/5.06KB        Dropbox    
    04-20 11:13    140.159.XX.YY    108.160.172.206    HTTPS    3.86KB/6.96KB        Dropbox    
    04-20 11:13    140.159.XX.YY    108.160.172.206    HTTPS    3.78KB/7.19KB        Dropbox    
    04-20 11:13    140.159.XX.YY    108.160.172.206    HTTPS    3.86KB/6.96KB        Dropbox    
    04-20 11:13    140.159.XX.YY    108.160.172.206    HTTPS    3.86KB/6.96KB        Dropbox    
    04-20 11:13    140.159.XX.YY    108.160.172.206    HTTPS    3.86KB/6.96KB        Dropbox    
    04-20 11:13    140.159.XX.YY    108.160.172.238    HTTPS    1.09KB/4.98KB        Dropbox     
     

    FortiView -> Application & Websites -> Top Applications, filter "domain=Dropbox* srcip=140.159.XX.YY"
    04-20 11:18    140.159.XX.YY    108.160.172.206    HTTPS    65.58KB/158.89KB        Dropbox    
    04-20 11:18    140.159.XX.YY    162.125.34.134    HTTPS    5.05MB/47.21KB        SSL_TLSv1.2    
    04-20 11:17    140.159.XX.YY    162.125.34.134    HTTPS    2.13KB/5.22KB        SSL_TLSv1.2    
    04-20 11:16    140.159.XX.YY    108.160.172.206    HTTPS    7.02KB/9.69KB        Dropbox    
    04-20 11:16    140.159.XX.YY    162.125.81.5    HTTPS    2.79KB/8.39KB        Dropbox    
    04-20 11:16    140.159.XX.YY    162.125.34.129    HTTPS    1.57KB/5.58KB        Dropbox    
    04-20 11:14    140.159.XX.YY    162.125.34.134    HTTPS    753B/3.58KB        SSL_TLSv1.2    
    04-20 11:14    140.159.XX.YY    162.125.81.5    HTTPS    1.19KB/5.06KB        Dropbox    
    04-20 11:14    140.159.XX.YY    162.125.81.5    HTTPS    1.19KB/5.06KB        Dropbox    
    04-20 11:13    140.159.XX.YY    162.125.81.5    HTTPS    1.20KB/5.11KB        Dropbox    
    04-20 11:13    140.159.XX.YY    162.125.34.129    HTTPS    1.54KB/5.49KB        Dropbox    
    04-20 11:13    140.159.XX.YY    162.125.81.5    HTTPS    1.23KB/5.11KB        Dropbox    
    04-20 11:13    140.159.XX.YY    162.125.81.5    HTTPS    1.20KB/5.11KB        Dropbox    
    04-20 11:13    140.159.XX.YY    162.125.81.5    HTTPS    1.20KB/5.11KB        Dropbox    
    04-20 11:13    140.159.XX.YY    162.125.81.5    HTTPS    1.20KB/5.06KB        Dropbox    
    04-20 11:13    140.159.XX.YY    162.125.81.5    HTTPS    1.20KB/5.06KB        Dropbox    
    04-20 11:13    140.159.XX.YY    162.125.81.5    HTTPS    1.75KB/6.47KB        Dropbox    
    04-20 11:13    140.159.XX.YY    162.125.81.5    HTTPS    1.20KB/5.11KB        Dropbox    
    04-20 11:13    140.159.XX.YY    162.125.81.5    HTTPS    1.20KB/5.11KB        Dropbox    
    04-20 11:13    140.159.XX.YY    108.160.172.206    HTTPS    3.86KB/6.96KB        Dropbox    
    04-20 11:13    140.159.XX.YY    108.160.172.206    HTTPS    3.78KB/7.19KB        Dropbox    
    04-20 11:13    140.159.XX.YY    108.160.172.206    HTTPS    3.86KB/6.96KB        Dropbox    
    04-20 11:13    140.159.XX.YY    108.160.172.206    HTTPS    3.86KB/6.96KB        Dropbox    
    04-20 11:13    140.159.XX.YY    108.160.172.206    HTTPS    3.86KB/6.96KB        Dropbox    
    04-20 11:13    140.159.XX.YY    108.160.172.238    HTTPS    1.09KB/4.98KB        Dropbox   

    If you do a comparison (after sorting), both are identical except for the "SSL_TLSv1.2" entries. This means that the "Dropbox" application signature excludes some traffic, even though everything is via the same HTTPS protocol. Given that "require_ssl_di" is "No", can you explain this exclusion?
    post edited by AlexFeren - 2017/04/20 17:14:48
    #7
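Added example (not from either poster): the sort-and-compare step described above, done in code so the rows that the application filter misses fall out automatically. It parses the two FortiView "Top Applications" listings, matches rows one-for-one (FortiView repeats identical rows, so a multiset rather than a set is needed), and reports the unmatched rows, how they were labelled, and how many bytes were sent in them. The two listings are constructed excerpts of the ones pasted in the post, with the source IP masked as in the original.

```python
"""Compare two FortiView "Top Applications" listings and report the sessions that
the domain filter shows but the application filter does not.

Added example, not from either poster. The two listings below are constructed
excerpts of the ones pasted in the thread (source IP masked as in the original);
the rows the application filter misses are the three SSL_TLSv1.2 entries.
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple

APP_FILTER_LISTING = """\
04-20 11:18    140.159.XX.YY    108.160.172.206    HTTPS    65.58KB/158.89KB        Dropbox
04-20 11:16    140.159.XX.YY    108.160.172.206    HTTPS    7.02KB/9.69KB        Dropbox
04-20 11:14    140.159.XX.YY    162.125.81.5    HTTPS    1.19KB/5.06KB        Dropbox
04-20 11:14    140.159.XX.YY    162.125.81.5    HTTPS    1.19KB/5.06KB        Dropbox
"""

DOMAIN_FILTER_LISTING = """\
04-20 11:18    140.159.XX.YY    108.160.172.206    HTTPS    65.58KB/158.89KB        Dropbox
04-20 11:18    140.159.XX.YY    162.125.34.134    HTTPS    5.05MB/47.21KB        SSL_TLSv1.2
04-20 11:17    140.159.XX.YY    162.125.34.134    HTTPS    2.13KB/5.22KB        SSL_TLSv1.2
04-20 11:16    140.159.XX.YY    108.160.172.206    HTTPS    7.02KB/9.69KB        Dropbox
04-20 11:14    140.159.XX.YY    162.125.34.134    HTTPS    753B/3.58KB        SSL_TLSv1.2
04-20 11:14    140.159.XX.YY    162.125.81.5    HTTPS    1.19KB/5.06KB        Dropbox
04-20 11:14    140.159.XX.YY    162.125.81.5    HTTPS    1.19KB/5.06KB        Dropbox
"""


class Row(NamedTuple):
    time: str
    src: str
    dst: str
    service: str
    sent: int      # bytes
    received: int  # bytes
    app: str


_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def to_bytes(size: str) -> int:
    """Convert a FortiView size such as '5.05MB' or '753B' to an integer byte count."""
    m = re.fullmatch(r"([\d.]+)([KMG]?B)", size.strip())
    if not m:
        raise ValueError(f"unrecognised size: {size!r}")
    return int(float(m.group(1)) * _UNITS[m.group(2)])


def parse_rows(listing: str) -> List[Row]:
    """Parse whitespace-separated FortiView rows; lines without 7 fields are skipped."""
    rows: List[Row] = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue
        date, clock, src, dst, service, size, app = fields
        sent, received = size.split("/")
        rows.append(Row(f"{date} {clock}", src, dst, service,
                        to_bytes(sent), to_bytes(received), app))
    return rows


def missed_sessions(app_listing: str, domain_listing: str) -> List[Row]:
    """Rows in the domain-filtered view with no matching row in the app-filtered view.

    A Counter is used rather than a set because FortiView repeats identical rows
    (same minute, same peer, same byte counts) and each must be matched only once.
    """
    available = Counter(parse_rows(app_listing))
    missed: List[Row] = []
    for row in parse_rows(domain_listing):
        if available[row] > 0:
            available[row] -= 1
        else:
            missed.append(row)
    return missed


def summarize(app_listing: str, domain_listing: str) -> Dict[str, object]:
    """Count the missed rows, how they were labelled, and the bytes sent in them."""
    missed = missed_sessions(app_listing, domain_listing)
    return {
        "missed_sessions": len(missed),
        "labelled_as": sorted({r.app for r in missed}),
        "missed_destinations": sorted({r.dst for r in missed}),
        "missed_sent_bytes": sum(r.sent for r in missed),
    }


if __name__ == "__main__":
    print(summarize(APP_FILTER_LISTING, DOMAIN_FILTER_LISTING))
```

The byte total is the number that matters for a visibility check: on this excerpt the unmatched rows are small except for the 5.05MB upload, which is exactly the session an "app=Dropbox" report would never show.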
    hmtay_FTNT
    Re: Fortigate Application Control "Dropbox" excludes web-based access? 2017/04/21 06:16:05 (permalink)
    0
    > No! I don't see "require_ssl_di" in v5.2.10, observe:

    Sorry, the require_ssl_di syntax is only available in FortiOS 5.4 and above.

    > err..., your printout indicates value "No" for Dropbox application - doesn't this contradict your earlier allegation:

    Dropbox does not require deep-inspection. Dropbox_Login, Dropbox_File.Upload and Dropbox_File.Download require deep-inspection.

    > If you do a comparison (after sorting), both are identical except for the "SSL_TLSv1.2" entries. This means that the "Dropbox" application signature excludes some traffic, even though everything is via the same HTTPS protocol. Given that "require_ssl_di" is "No", can you explain this exclusion?

    Yes, it looks like a missed detection on that. I will look into it and get back to you in a bit. Sorry for the inconvenience.
     
    HoMing
     
    #8
    AlexFeren
    Re: Fortigate Application Control "Dropbox" excludes web-based access? 2017/04/27 17:44:22 (permalink)
    0
    hmtay:
    > Yes, it looks like a missed detection on that. I will look into it and get back to you in a bit. Sorry for the inconvenience.

    Progress?
     
    #9
    hmtay_FTNT
    Re: Fortigate Application Control "Dropbox" excludes web-based access? 2017/04/28 07:17:23 (permalink)
    0
    Hello Alex, 
     
    The signature is in IPS Definition 10.127 and above.
    #10
    AlexFeren
    Re: Fortigate Application Control "Dropbox" excludes web-based access? 2017/04/28 07:35:02 (permalink)
    0
    Hi HoMing,
    is there a way for me to determine the set of destination IP addresses that constitute traffic for FortiGuard's Dropbox application control? (This isn't to reverse engineer, but rather to compare against other UTMs we have in our network.)
    R's, Alex
    #11