Fortigate Application Control "Dropbox" excludes web-based access?

Author
AlexFeren
Silver Member
  • Total Posts : 111
  • Scores: 4
  • Reward points: 0
  • Joined: 2011/10/05 17:04:08
  • Status: offline
2017/04/19 01:36:09 (permalink)

Fortigate Application Control "Dropbox" excludes web-based access?

Dropbox service can be accessed using a web browser or a host-based app.
Does Application Control "Dropbox" apply to traffic from web browser, host-based app or both?
#1
hmtay_FTNT
Gold Member
  • Total Posts : 190
  • Scores: 24
  • Reward points: 0
  • Joined: 2017/02/22 11:02:10
  • Status: offline
Re: Fortigate Application Control "Dropbox" excludes web-based access? 2017/04/19 06:36:19 (permalink)
Hello AlexFeren,
 
They cover both. However with the host-based app, you have to use the "Dropbox.Lan.Sync.Discovery.Protocol" signature too. The Download, Upload signatures work only on the web browser. Dropbox implements Certificate Pinning on its standalone applications. 
 
HoMing
#2
AlexFeren
Re: Fortigate Application Control "Dropbox" excludes web-based access? 2017/04/19 07:08:37 (permalink)
Hi HoMing, thanks for reply.

> They cover both.
I don't see this at all. When I upload using a browser, I don't see the send/receive bandwidth numbers change in FortiAnalyzer's FortiView's Top Applications' "app=Dropbox"; on the other hand, I do see the corresponding numbers change in Top Websites' "domain=dropbox.com".

Can you explain the observation?
#3
hmtay_FTNT
Re: Fortigate Application Control "Dropbox" excludes web-based access? 2017/04/19 07:11:28 (permalink)
Did you enable deep-inspection? Those signatures require deep-inspection as they use HTTPS. You can do a quick check to see whether deep-inspection is enabled by looking at the certificate of the session. If it has been replaced with your certificate or the FGT's default one, then it is being replaced. Otherwise, deep-inspection was not done.
#4
AlexFeren
Re: Fortigate Application Control "Dropbox" excludes web-based access? 2017/04/19 22:23:00 (permalink)
> Did you enable deep-inspection? Those signature require deep-inspection as they use HTTPS.
 
How would I know that? In
FG60C (global) # get application name status | grep -A 15 Dropbox
app-name: "Dropbox"
id: 17459
category: "Storage.Backup"
cat-id: 22
sub-category: "(null)"
sub-cat-id: 0
parameter:  
popularity: 5.low
risk: 3.low
shaping: 0
protocol: 1.TCP, 26.SSL, 9.HTTP
vendor: 0.Other
technology: 1.Browser-Based
behavior:
does "26.SSL" tell me that the signatures REQUIRE deep-inspection?
 
There's a myriad of Dropbox-associated URLs (dropbox.com, dropboxstatic.com, dropboxapi.com,
dropboxusercontent.com, dropboxpayments.com, dropboxforum.com, dropbox.de, dropboxusercontent.com, getdropbox.com and probably plenty more) - how can I obtain statistics on "all Dropbox" traffic?


post edited by AlexFeren - 2017/04/19 22:32:42
#5
hmtay_FTNT
Re: Fortigate Application Control "Dropbox" excludes web-based access? 2017/04/20 06:22:52 (permalink)
Hello,
 
In your command, "get application name status | grep -A 15 Dropbox", you are short by 1 for your "grep -A" value. Use 16.
 
You should get the following:
 
FWF90D3Z14000497 # get application name status | grep -A 16 Dropbox
app-name: "Dropbox"
id: 17459
category: "Storage.Backup"
cat-id: 22
sub-category: "(null)"
sub-cat-id: 0
parameter:
popularity: 5.low
risk: 3.low
weight: 10
shaping: 0
protocol: 1.TCP, 26.SSL, 9.HTTP
vendor: 0.Other
technology: 1.Browser-Based
behavior: 9.Cloud
language: Multiple
require_ssl_di: No
--
app-name: "Dropbox.Lan.Sync.Discovery.Protocol"
id: 36313
category: "Storage.Backup"
cat-id: 22
sub-category: "(null)"
sub-cat-id: 0
parameter:
popularity: 4.low
risk: 3.low
weight: 20
shaping: 0
protocol: 2.UDP
vendor: 0.Other
technology: 2.Client-Server
behavior: 9.Cloud
language: Multiple
require_ssl_di: No
--
 
require_ssl_di will tell you if that signature requires deep-inspection or not. As for obtaining statistics on all Dropbox traffic, you can filter "Dropbox" under "Application Name" (in 5.6 - in other FortiOS versions, the name is probably slightly different) at Application Logs or using FortiView -> Applications.

#6
AlexFeren
Re: Fortigate Application Control "Dropbox" excludes web-based access? 2017/04/20 17:11:56 (permalink)
> hmtay: you are short by 1 for your "grep -A" value. Use 16.

No! I don't see "require_ssl_di" in v5.2.10, observe:
FG60C (global) # get application name status | grep -A 20 Dropbox  
app-name: "Dropbox"
id: 17459
category: "Storage.Backup"
cat-id: 22
sub-category: "(null)"
sub-cat-id: 0
parameter:  
popularity: 5.low
risk: 3.low
shaping: 0
protocol: 1.TCP, 26.SSL, 9.HTTP
vendor: 0.Other
technology: 1.Browser-Based
behavior:

app-name: "Dropbox.Lan.Sync.Discovery.Protocol"
id: 36313
:
 
> hmtay: require_ssl_di will tell you if that signature requires deep-inspection or not.

err..., your printout indicates value "No" for the Dropbox application - doesn't this contradict your earlier allegation:
> Those signatures require deep-inspection as they use HTTPS.
?
 
 
> hmtay: You can filter "Dropbox" under "Application Name" (in 5.6 - in other FortiOS, the name is probably slightly different) at Application Logs or using FortiView-> Applications.

I'm using FortiAnalyzer: FortiView -> Application & Websites -> Top Applications, filter "app=Dropbox srcip=140.159.XX.YY":
04-20 11:18    140.159.XX.YY    108.160.172.206    HTTPS    65.58KB/158.89KB        Dropbox    
04-20 11:16    140.159.XX.YY    108.160.172.206    HTTPS    7.02KB/9.69KB        Dropbox    
04-20 11:16    140.159.XX.YY    162.125.81.5    HTTPS    2.79KB/8.39KB        Dropbox    
04-20 11:16    140.159.XX.YY    162.125.34.129    HTTPS    1.57KB/5.58KB        Dropbox    
04-20 11:14    140.159.XX.YY    162.125.81.5    HTTPS    1.19KB/5.06KB        Dropbox    
04-20 11:14    140.159.XX.YY    162.125.81.5    HTTPS    1.19KB/5.06KB        Dropbox    
04-20 11:13    140.159.XX.YY    162.125.34.129    HTTPS    1.54KB/5.49KB        Dropbox    
04-20 11:13    140.159.XX.YY    162.125.81.5    HTTPS    1.20KB/5.11KB        Dropbox    
04-20 11:13    140.159.XX.YY    162.125.81.5    HTTPS    1.20KB/5.11KB        Dropbox    
04-20 11:13    140.159.XX.YY    162.125.81.5    HTTPS    1.20KB/5.11KB        Dropbox    
04-20 11:13    140.159.XX.YY    162.125.81.5    HTTPS    1.75KB/6.47KB        Dropbox    
04-20 11:13    140.159.XX.YY    162.125.81.5    HTTPS    1.23KB/5.11KB        Dropbox    
04-20 11:13    140.159.XX.YY    162.125.81.5    HTTPS    1.20KB/5.11KB        Dropbox    
04-20 11:13    140.159.XX.YY    162.125.81.5    HTTPS    1.20KB/5.11KB        Dropbox    
04-20 11:13    140.159.XX.YY    162.125.81.5    HTTPS    1.20KB/5.06KB        Dropbox    
04-20 11:13    140.159.XX.YY    162.125.81.5    HTTPS    1.20KB/5.06KB        Dropbox    
04-20 11:13    140.159.XX.YY    108.160.172.206    HTTPS    3.86KB/6.96KB        Dropbox    
04-20 11:13    140.159.XX.YY    108.160.172.206    HTTPS    3.78KB/7.19KB        Dropbox    
04-20 11:13    140.159.XX.YY    108.160.172.206    HTTPS    3.86KB/6.96KB        Dropbox    
04-20 11:13    140.159.XX.YY    108.160.172.206    HTTPS    3.86KB/6.96KB        Dropbox    
04-20 11:13    140.159.XX.YY    108.160.172.206    HTTPS    3.86KB/6.96KB        Dropbox    
04-20 11:13    140.159.XX.YY    108.160.172.238    HTTPS    1.09KB/4.98KB        Dropbox     
 

FortiView -> Application & Websites -> Top Applications, filter "domain=Dropbox* srcip=140.159.XX.YY"
04-20 11:18    140.159.XX.YY    108.160.172.206    HTTPS    65.58KB/158.89KB        Dropbox    
04-20 11:18    140.159.XX.YY    162.125.34.134    HTTPS    5.05MB/47.21KB        SSL_TLSv1.2    
04-20 11:17    140.159.XX.YY    162.125.34.134    HTTPS    2.13KB/5.22KB        SSL_TLSv1.2    
04-20 11:16    140.159.XX.YY    108.160.172.206    HTTPS    7.02KB/9.69KB        Dropbox    
04-20 11:16    140.159.XX.YY    162.125.81.5    HTTPS    2.79KB/8.39KB        Dropbox    
04-20 11:16    140.159.XX.YY    162.125.34.129    HTTPS    1.57KB/5.58KB        Dropbox    
04-20 11:14    140.159.XX.YY    162.125.34.134    HTTPS    753B/3.58KB        SSL_TLSv1.2    
04-20 11:14    140.159.XX.YY    162.125.81.5    HTTPS    1.19KB/5.06KB        Dropbox    
04-20 11:14    140.159.XX.YY    162.125.81.5    HTTPS    1.19KB/5.06KB        Dropbox    
04-20 11:13    140.159.XX.YY    162.125.81.5    HTTPS    1.20KB/5.11KB        Dropbox    
04-20 11:13    140.159.XX.YY    162.125.34.129    HTTPS    1.54KB/5.49KB        Dropbox    
04-20 11:13    140.159.XX.YY    162.125.81.5    HTTPS    1.23KB/5.11KB        Dropbox    
04-20 11:13    140.159.XX.YY    162.125.81.5    HTTPS    1.20KB/5.11KB        Dropbox    
04-20 11:13    140.159.XX.YY    162.125.81.5    HTTPS    1.20KB/5.11KB        Dropbox    
04-20 11:13    140.159.XX.YY    162.125.81.5    HTTPS    1.20KB/5.06KB        Dropbox    
04-20 11:13    140.159.XX.YY    162.125.81.5    HTTPS    1.20KB/5.06KB        Dropbox    
04-20 11:13    140.159.XX.YY    162.125.81.5    HTTPS    1.75KB/6.47KB        Dropbox    
04-20 11:13    140.159.XX.YY    162.125.81.5    HTTPS    1.20KB/5.11KB        Dropbox    
04-20 11:13    140.159.XX.YY    162.125.81.5    HTTPS    1.20KB/5.11KB        Dropbox    
04-20 11:13    140.159.XX.YY    108.160.172.206    HTTPS    3.86KB/6.96KB        Dropbox    
04-20 11:13    140.159.XX.YY    108.160.172.206    HTTPS    3.78KB/7.19KB        Dropbox    
04-20 11:13    140.159.XX.YY    108.160.172.206    HTTPS    3.86KB/6.96KB        Dropbox    
04-20 11:13    140.159.XX.YY    108.160.172.206    HTTPS    3.86KB/6.96KB        Dropbox    
04-20 11:13    140.159.XX.YY    108.160.172.206    HTTPS    3.86KB/6.96KB        Dropbox    
04-20 11:13    140.159.XX.YY    108.160.172.238    HTTPS    1.09KB/4.98KB        Dropbox   

If you do comparison (after sorting), both are identical except for "SSL_TLSv1.2" entries. This means that "Dropbox" application signature excludes some traffic, even though everything is via same HTTPS protocol. Given that "require_ssl_di" is "No", can you explain this exclusion?
post edited by AlexFeren - 2017/04/20 17:14:48
#7
hmtay_FTNT
Re: Fortigate Application Control "Dropbox" excludes web-based access? 2017/04/21 06:16:05 (permalink)
>>No! I don't see "require_ssl_di" in v5.2.10, observe:
 
Sorry, the require_ssl_di syntax is only available in FortiOS 5.4 and above. 
 
>>err..., your printout indicates value "No" for Dropbox application - doesn't this contradict your earlier allegation: 
 
Dropbox does not require deep-inspection. Dropbox_Login, Dropbox_File.Upload and Dropbox_File.Download require deep-inspection.
 
>>If you do comparison (after sorting), both are identical except for "SSL_TLSv1.2" entries. This means that "Dropbox" application signature excludes some traffic, even though everything is via same HTTPS protocol. Given that "require_ssl_di" is "No", can you explain this exclusion?
 
Yes, it looks like a missed detection on that. I will look into it and get back to you in a bit. Sorry for the inconvenience.
 
HoMing
 
#8
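The comparison Alex did by hand above (and that HoMing confirms as a missed detection), done programmatically, as an added example that is not from the thread or from Fortinet: parse two FortiView row sets, pair identical sessions one-to-one, and report which sessions the application filter missed and how much traffic they represent. The sample rows are constructed from the listings quoted above; the column order and size units follow those listings.

```python
import re
from collections import Counter, namedtuple

# Constructed sample rows modelled on the FortiView output quoted in the thread
# (date time src dst service sent/recv app); the three SSL_TLSv1.2 rows are the
# sessions that the "app=Dropbox" view omitted.
APP_FILTER_ROWS = """\
04-20 11:18    140.159.XX.YY    108.160.172.206    HTTPS    65.58KB/158.89KB    Dropbox
04-20 11:16    140.159.XX.YY    108.160.172.206    HTTPS    7.02KB/9.69KB       Dropbox
04-20 11:14    140.159.XX.YY    162.125.81.5       HTTPS    1.19KB/5.06KB       Dropbox
04-20 11:14    140.159.XX.YY    162.125.81.5       HTTPS    1.19KB/5.06KB       Dropbox
"""
DOMAIN_FILTER_ROWS = """\
04-20 11:18    140.159.XX.YY    108.160.172.206    HTTPS    65.58KB/158.89KB    Dropbox
04-20 11:18    140.159.XX.YY    162.125.34.134     HTTPS    5.05MB/47.21KB      SSL_TLSv1.2
04-20 11:17    140.159.XX.YY    162.125.34.134     HTTPS    2.13KB/5.22KB       SSL_TLSv1.2
04-20 11:16    140.159.XX.YY    108.160.172.206    HTTPS    7.02KB/9.69KB       Dropbox
04-20 11:14    140.159.XX.YY    162.125.34.134     HTTPS    753B/3.58KB         SSL_TLSv1.2
04-20 11:14    140.159.XX.YY    162.125.81.5       HTTPS    1.19KB/5.06KB       Dropbox
04-20 11:14    140.159.XX.YY    162.125.81.5       HTTPS    1.19KB/5.06KB       Dropbox
"""
_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
Session = namedtuple("Session", "when src dst service sent recv app")  # sent/recv in bytes


def parse_size(text):
    """Convert a FortiView size such as '5.05MB' or '753B' to bytes."""
    m = re.fullmatch(r"([\d.]+)([KMG]?B)", text)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return float(m.group(1)) * _UNITS[m.group(2)]


def parse_rows(text):
    """Parse whitespace-separated FortiView rows, skipping anything without 7 fields."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue
        date, time, src, dst, service, traffic, app = fields
        sent, recv = traffic.split("/")
        rows.append(Session(f"{date} {time}", src, dst, service,
                            parse_size(sent), parse_size(recv), app))
    return rows


def find_missed(app_rows, domain_rows):
    """Return domain-view sessions that have no counterpart in the app view."""
    key = lambda s: s[:6]  # every field except the app label
    # A Counter lets repeated identical rows (frequent in the quoted output) pair off one-to-one.
    available = Counter(key(s) for s in app_rows)
    missed = []
    for s in domain_rows:
        if available[key(s)] > 0:
            available[key(s)] -= 1
        else:
            missed.append(s)
    return missed


def undercounted_bytes(missed):
    """Traffic (sent + received) that the application filter would under-report."""
    return sum(s.sent + s.recv for s in missed)
```

Running `find_missed(parse_rows(APP_FILTER_ROWS), parse_rows(DOMAIN_FILTER_ROWS))` on the sample returns the three SSL_TLSv1.2 sessions to 162.125.34.134, roughly 5.1 MB that the "app=Dropbox" view never attributes to Dropbox.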
AlexFeren
Re: Fortigate Application Control "Dropbox" excludes web-based access? 2017/04/27 17:44:22 (permalink)
> hmtay: Yes, it looks like a missed detection on that. I will look into it and get back to you in a bit. Sorry for the inconveniences.

Progress?
 
#9
hmtay_FTNT
Re: Fortigate Application Control "Dropbox" excludes web-based access? 2017/04/28 07:17:23 (permalink)
Hello Alex, 
 
The signature is in IPS Definition 10.127 and above.
#10
AlexFeren
Re: Fortigate Application Control "Dropbox" excludes web-based access? 2017/04/28 07:35:02 (permalink)
Hi HoMing,
is there a way for me to determine the set of destination IP addresses that constitute traffic for FortiGuard's Dropbox application control? (This isn't to reverse engineer, but rather to compare against other UTMs we have in our network.)
R's, Alex
#11
hmtay_FTNT
Re: Fortigate Application Control "Dropbox" excludes web-based access? 2017/04/30 17:33:13 (permalink)
Hello Alex,
 
You can do a filter on the logs by filtering the Application "Dropbox" and then extracting the "Destination Address" value to get all the IPs that we label as Dropbox. 
 
HoMing
#12
AlexFeren
Re: Fortigate Application Control "Dropbox" excludes web-based access? 2017/04/30 17:45:51 (permalink)
Hi HoMing,
> .. do a filter on the logs by filtering the Application "Dropbox" and then extracting the "Destination Address" value to get all the IPs that we label as Dropbox.
 
well, that's what I've done above. However, that's not good enough. I want to know the whole set, not just those addresses that have seen traffic. The reason is that in comparison to another UTM vendor, FortiGuard's set (for Dropbox) seems incomplete; and, as proven above, (sometimes) FortiGuard also gets it wrong.
 
> Dropbox does not require deep-inspection. Dropbox_Login, Dropbox_File.Upload and Dropbox_File.Download require deep-inspection.
 
those three, requiring Deep-inspection for more specific Dropbox traffic, would their traffic statistics be included or excluded for more general "domain=Dropbox*" and "app=Dropbox" qualifier?
R's, Alex
#13
hmtay_FTNT
Re: Fortigate Application Control "Dropbox" excludes web-based access? 2017/04/30 18:11:11 (permalink)
>>well, that's what I've done above. However, that's not good enough. I want to know the whole set, not just those addresses that have seen traffic. The reason is that in comparison to another UTM vendor, FortiGuard's set (for Dropbox) seems incomplete; and, as proven above, (sometimes) FortiGuard also gets it wrong.
 
We do not identify Dropbox by the IPs. They can change at any time and would cause false positives. The reason for the missed sessions earlier was that we did not have coverage for the other Dropbox domains like .dropboxstatic, etc.
 
>>those three, requiring Deep-inspection for more specific Dropbox traffic, would their traffic statistics be included or excluded for more general "domain=Dropbox*" and "app=Dropbox" qualifier?
 
If you do a filter for "Dropbox", the Dropbox_* signatures will be included in the filtered list.
#14
AlexFeren
Re: Fortigate Application Control "Dropbox" excludes web-based access? 2017/04/30 18:19:20 (permalink)
> We do not identify Dropbox by the IPs.
 
This is the source of our problem - another vendor is showing Dropbox-associated traffic for address range outside of the set we see on FortiAnalyzer (and reverse-DNS query is not showing a Dropbox-related domain name). The difference in traffic statistics is so significant it cannot be ignored.
post edited by AlexFeren - 2017/04/30 18:23:01
#15
hmtay_FTNT
Re: Fortigate Application Control "Dropbox" excludes web-based access? 2017/04/30 18:47:33 (permalink)
Do you have a couple of those IPs? I will reverse engineer those IPs to see what I can find and if we can do something about them. 
#16
AlexFeren
Re: Fortigate Application Control "Dropbox" excludes web-based access? 2017/04/30 18:51:53 (permalink)
> to see what I can find and if we can do something about them.
 
Ticket Number: 2170890. We have another issue (Ticket Number: 2159670, to do with number of reported entries versus duration), so, don't conflate.
#17
hmtay_FTNT
Re: Fortigate Application Control "Dropbox" excludes web-based access? 2017/05/01 09:22:33 (permalink)
Thanks. I looked into the ticket. I understand your question better now. Let me explain.
 
The difference you see in the 7 days vs 1 day Analyzer is because of the new signatures we released on the 27th. I believe the 1 day report was generated after your signatures were updated to the new definitions and received the new Dropbox signatures.
 
As for the IP range of 54.192.0.0/16, can you do a filter on some of the IPs identified by PAN on the Fortigate and send me the Application Control logs? The client-side hostname of the IPs will be in the logs.
 
Once I have the logs, I will be able to verify if PAN detected correctly or if we missed the detection. One other possibility is that the IPs have changed since the report on April 21st. With cloud servers like Cloudfront and AWS, they should not be identified by the IPs. Those servers can be used by other services. Since these are HTTPS sessions, the detections should be done by the SNI. We obtained our reference from the Dropbox's official site.
 
https://www.dropbox.com/help/security/official-domains
 
Thanks!
HoMing
 
 
#18
AlexFeren
Re: Fortigate Application Control "Dropbox" excludes web-based access? 2017/05/01 22:03:08 (permalink)
> hmtay: The difference you see in the 7 days vs 1 day Analyzer is because of the new signatures we released on the 27th.
> I believe the 1 day report was generated after your signature has updated to the new definitions and received the new Dropbox signatures.

 
I've attached 3 new screenshots to Ticket #2159670 for the last 3 days - that's well after 27th April - the one for last 3 days shows less than one for last 1 day.

> hmtay: As for the IP range of 54.192.0.0/16, can you do a filter on some of the IP identified by PAN on the Fortigate and send me the Application Control logs? The Client side hostname of the IPs will be in the logs.


As per attachment, I can see traffic to 54.192.118.0/24 having "hostname" set to "clientupdates.dropboxstatic.com" and application as "Dropbox". So, as you imply, since about "date=2017-04-27 time=07:06:43" Fortigate has correctly identified it as "Dropbox" instead of "SSL_TLSv1.0" and to the suspect subnet. I've attached more to Ticket #2170890.

> hmtay: Since these are HTTPS sessions, the detections should be done by the SNI.


If SNI was not included, would the "hostname" field be equal to "destination name" (i.e. DNS reverse resolve)?
R's, Alex
PS. Our Fortigate has disk logging disabled, so I need to use FortiAnalyzer.
post edited by AlexFeren - 2017/05/02 00:50:25

#19
hmtay_FTNT
Re: Fortigate Application Control "Dropbox" excludes web-based access? 2017/05/02 06:44:40 (permalink)
Hello Alex,
 
Thanks for the files. I looked at the spreadsheet and everything looks right to me. 

>>If SNI was not included would "hostname" field be equal to "destination name" (ie. DNS reverse resolve)?
 
If SNI was not included in the Client Hello packet, we would log the "hostname" field as the id-at-commonName of the SSL Certificate. It would not be as granular as the SNI from the Client Hello packet, but it provides better information than the "DNS reverse resolve".
 
HoMing
#20