ameif56hgt
New Contributor II

Facebook Just Won't Die

I guess the title says it all. I block Facebook in a web profile with *.facebook.com, and it's the first item, with the action set to block. (I block Meta as well.) I have an application profile with the first override to block the Facebook application. My DNS server has the DNS for Facebook set to be blocked. I've never had a Facebook account and never installed a Facebook app on my computer, and nobody in my house uses Facebook. But, as you can see, sometimes it's blocked, other times it's not a moment later. What am I missing here??

ameif56hgt
New Contributor II

I looked more at the details. The ones that passed say action: client-rst with Security Action Allow. Others say action: client-rst with Security Action Block a second later.

ozkanaltas

Hello @ameif56hgt ,

Did you configure deep SSL inspection? If you're not doing it, that could be why.

Also, the DNS filter should catch this before the web and application filters. Which application do you use as a DNS filter? FortiGate or another app?

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
ameif56hgt

Deep inspection is ON and the FortiGate certificate is installed on computers and phones, BUT I do not believe this needs to be on to detect Facebook web access. I do use AdGuard Home on a Pi for DNS blocking, but I'm also seeing more apps get around it by going to their own DNS (which I block) or having the IP hardcoded in the app. If you look at the log I provided, you can clearly see the IP identified as Facebook, which the FortiGate should be blocking.

hbac
Staff

Hi @ameif56hgt,

We should see that traffic if you don't use Facebook. Can you check what the source IP is and track it from there? Can you show the log details of the allowed logs?

Regards, 

ameif56hgt
New Contributor II

The source IP is from Macs or iPhones or iPads. My guess is that Apple initiates this, or some unrelated app I have does. Maybe a browser.

smaruvala

Hi,

From the traffic logs it is using the UDP protocol for communication, so I am assuming it is using the QUIC protocol. You can try to block the QUIC application or service so that Facebook will fall back to TLS.

Regards,

Shiva
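As an added example (not code from any poster in this thread), the Python script below parses FortiGate key=value traffic-log lines and answers the two questions raised above: which source hosts produced the allowed Facebook flows, and whether those flows are UDP/443, i.e. QUIC, rather than TCP. The log lines are constructed samples; the field names (srcip, dstip, proto, dstport, app, utmaction) follow FortiGate's traffic-log schema, while the addresses and timestamps are made up.

```python
import re
from collections import defaultdict

# Constructed sample FortiGate traffic-log lines in key=value syslog form.
# Field names follow the FortiGate traffic-log schema; the addresses
# (TEST-NET ranges) and timestamps are invented for this example.
SAMPLE_LOGS = [
    'date=2024-03-22 time=09:32:14 srcip=192.168.1.20 dstip=203.0.113.10 proto=17 dstport=443 service="UDP/443" app="Facebook" action="client-rst" utmaction="allow"',
    'date=2024-03-22 time=09:32:15 srcip=192.168.1.20 dstip=203.0.113.10 proto=6 dstport=443 service="HTTPS" app="Facebook" action="client-rst" utmaction="block"',
    'date=2024-03-22 time=09:33:13 srcip=192.168.1.31 dstip=203.0.113.11 proto=17 dstport=443 service="UDP/443" app="Facebook" action="client-rst" utmaction="allow"',
    'date=2024-03-22 time=09:33:20 srcip=192.168.1.31 dstip=203.0.113.50 proto=6 dstport=443 service="HTTPS" app="Google" action="close" utmaction="allow"',
]

# key=value pairs; a value is either double-quoted or a run of non-spaces
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
PROTO_NAMES = {"6": "tcp", "17": "udp"}


def parse_log_line(line):
    """Parse one FortiGate key=value log line into a dict (quotes stripped)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def summarize_by_transport(lines, app_name="Facebook"):
    """Count utmaction outcomes per transport for one app, to show whether
    the blocks land only on TCP while UDP (QUIC) flows are allowed through."""
    summary = defaultdict(lambda: defaultdict(int))
    for line in lines:
        f = parse_log_line(line)
        if f.get("app") != app_name:
            continue
        proto = PROTO_NAMES.get(f.get("proto"), f.get("proto", "?"))
        summary[proto][f.get("utmaction", "?")] += 1
    return {p: dict(c) for p, c in summary.items()}


def find_quic_sources(lines, app_name="Facebook"):
    """Return {srcip: count} of UDP/443 flows to app_name that the UTM stack
    allowed: these are the hosts to inspect for a QUIC-speaking app."""
    sources = defaultdict(int)
    for line in lines:
        f = parse_log_line(line)
        if (f.get("app") == app_name and f.get("proto") == "17"
                and f.get("dstport") == "443" and f.get("utmaction") == "allow"):
            sources[f["srcip"]] += 1
    return dict(sources)


if __name__ == "__main__":
    print(summarize_by_transport(SAMPLE_LOGS))
    print(find_quic_sources(SAMPLE_LOGS))
```

Feed it real exported traffic logs instead of SAMPLE_LOGS; a result where only "tcp" shows "block" and "udp" shows "allow" matches the QUIC fallback situation described above.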

Genobaseball10
New Contributor III

Web filtering should work by editing your security profile and doing a URL filter with a wildcard mask of *facebook.com. If this doesn't fix your issue, we can move to DNS filtering. Please let us know the status after trying this solution! I've just tested it in my home network and it seems to function. If this doesn't work, we can try DNS filtering after.

CCNA | FCP | CWNA
ameif56hgt

So I do have a FortiGate DNS filter in between my devices and my DNS repeaters (AdGuards), which are also on my network. I block DNS traffic that goes from devices to the WAN unless it's from AdGuard to the WAN, obviously. It's a wildcard *Facebook.com

I do wish I could find the app on the iPhone or Mac generating it, but I don't really know how to go that deep.

ameif56hgt

Also, I know some browsers want to use DNS over TLS or DNS over HTTPS, but I do have those turned off in the browser because AdGuard enforces this to the actual DNS servers.
