Cloud Access Security Inspection (CASI)

This feature introduces a new security profile called Cloud Access Security Inspection (CASI) that provides support for fine-grained control on popular cloud applications, such as YouTube, Dropbox, Baidu, and Amazon. The CASI profile is applied to a policy much like any other security profile.

Note: CASI does not work with proxy-based profiles, for example proxy-based AV or web filtering. Use only flow-based profiles in combination with CASI on a given policy.

For this feature, Deep Inspection of Cloud Applications (set deep-app-inspection [enable|disable]) has been moved out of the Application Control security profile options.

You will find the Cloud Access Security Inspection feature under Security Profiles > Cloud Access Security Inspection, but you must first enable it in the Feature store under System > Feature Select > CASI.

Editing CASI profiles

The CASI profile application list consists of the Name, Category, and Action. A default CASI profile exists, with the option to create custom profiles.

Release 5.4.1 improves the CASI GUI (303760). When you search for a profile application to edit, you can press Enter after typing your search terms to see the results. Under release 5.4.0, pressing Enter causes the screen to refresh and the profile to be applied.

For each CASI profile application, the user has the option to Allow, Block, or Monitor the selected cloud application. The following image demonstrates the ability to Allow, Block, or Monitor YouTube using CASI:

When the user drills down into a selected cloud application, the following options are available (depending on the type of service):

  • For business services, such as Salesforce and Zoho: Option to allow, block, or monitor file download/upload and login.
  • For collaboration services, such as Google.Docs and Webex: Option to allow, block, or monitor file access/download/upload and login.
  • For web email services, such as Gmail and Outlook: Option to allow, block, or monitor attachment download/upload, chat, read/send message.
  • For general interest services, such as Amazon, Google, and Bing: Option to allow, block, or monitor login, search phase, and file download/upload.
  • For social media services, such as Facebook, Twitter, and Instagram: Option to allow, block, or monitor chat, file download/upload, post, login.
  • For storage backup services, such as Dropbox, iCloud, and Amazon Cloud Drive: Option to allow, block, or monitor file access/download/upload and login.
  • For video/audio services, such as YouTube, Netflix, and Hulu: Option to allow, block, or monitor channel access, video access/play/upload, and login.

CLI Syntax

config application casi profile
    edit "profile name"
        set comment "comment"
        set replacemsg-group "xxxx"
        set app-replacemsg [enable|disable]
        config entries
            edit 1
                set application "app name"
                set action [block|pass]
                set log [enable|disable]
            next
            edit 2
            next
        end
    next
end

config firewall policy
    edit "1"
        set casi-profile "profile name"
    next
end

config firewall sniffer
    edit 1
        set casi-profile-status [enable|disable]
        set casi-profile "sniffer-profile"
    next
end

config firewall interface-policy
    edit 1
        set casi-profile-status [enable|disable]
        set casi-profile "2"
    next
end
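
The following Python example is added here and is not part of the Fortinet documentation: it reads a configuration backup written in the syntax above and reports firewall policies whose casi-profile names a profile that is not defined, and CASI entries set to pass with log explicitly disabled. The sample configuration, its profile names, application names and policy IDs are constructed, and the parser assumes both config blocks sit at the top level of the file (no VDOM wrapper).

```python
import re
# Constructed sample in the CLI syntax above; all names and IDs are made up.
SAMPLE = """
config application casi profile
    edit "cloud-strict"
        config entries
            edit 1
                set application "YouTube"
                set action block
            next
            edit 2
                set application "Dropbox"
                set action pass
                set log disable
            next
        end
    next
end
config firewall policy
    edit 1
        set casi-profile "cloud-strict"
    next
    edit 2
        set casi-profile "cloud-guest"
    next
end
"""

def audit(text):
    """Flag undefined CASI profile references and pass entries with logging disabled."""
    stack, profiles, policies = [], {}, {}
    for line in text.splitlines():
        tok = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)] or [""]
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))
        elif tok[0] == "edit":
            stack.append(tok[1])
            if stack[:-1] == ["application casi profile"]:
                profiles[tok[1]] = {}
        elif tok[0] in ("next", "end") and stack:
            stack.pop()
        elif tok[0] == "set" and stack[:1] == ["application casi profile"] and len(stack) == 4:
            profiles[stack[1]].setdefault(stack[3], {})[tok[1]] = tok[2]
        elif tok[:2] == ["set", "casi-profile"] and stack[:1] == ["firewall policy"]:
            policies[stack[1]] = tok[2]
    out = [f"policy {p}: CASI profile {n!r} is not defined"
           for p, n in policies.items() if n not in profiles]
    return out + [f"profile {n!r} entry {i}: {e.get('application')!r} passes with logging disabled"
                  for n, ents in profiles.items() for i, e in ents.items()
                  if e.get("action") == "pass" and e.get("log") == "disable"]
```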