Support Forum
Ambush4261
New Contributor II

Facebook blocked and not blocked with same policy

Hello,


I have a mystery on a Fortigate.

I have a security group that block Facebook using application control and webfilter categories.

My users told me that they can still use Facebook. I checked the log and I see that most of the traffic linked to Facebook is blocked, but I have some lines with allowed traffic to Facebook, using the same firewall policy. It's unbelievable: my own rule which blocks Facebook is also allowing it.

How is this possible?

[Screenshots attached: 2024-02-06 12_03_25-Clipboard.jpg, 2024-02-06 12_05_11-Clipboard.jpg]


[Screenshot attached: 2024-02-06 12_06_18-Mozilla Firefox (Work Resources).jpg]


1 Solution
fricci_FTNT

Proxy mode can be a workaround for now.
Flow-based inspection uses hardware acceleration (where available; it depends on the model), while proxy-inspected traffic goes through the FortiGate main CPU.
Using proxy mode is more CPU intensive but in normal conditions should be fine; it actually depends on the traffic running through the FortiGate. Please keep an eye on the CPU (get sys performance status).

Here you can find some more details about Flow/Proxy inspection: https://docs.fortinet.com/document/fortigate/7.4.2/administration-guide/721410/inspection-modes

Best regards,

---
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.


12 Replies
adambomb1219
SuperUser

What does your rule actually look like? Are you using Application Control? ISDB? Something else? Also, why would you block Facebook on a guest network?

Ambush4261
New Contributor II

Hi,


I'm using a firewall policy, flow-based, which uses a "security profile group" which uses "web filter" and "application control".

I block the social media category in the application control profile and also in the web filter profile.

AEK
SuperUser

Hello

SSL deep inspection is required to recognize most Facebook traffic.

Try one of the below:

  • Either enable deep inspection
  • Or you can always try filtering by ISDB
AEK
Ambush4261
New Contributor II

I am using "certificate inspection", not the deep one, because of the complexity of deploying the router certificate on the users' smartphones.

What do you mean by ISDB, the categories in the FortiGate?

AEK

Create a "deny" policy and add the related fb services as destination.

Please see the below guide:

https://docs.fortinet.com/document/fortigate/6.2.15/cookbook/179236/using-internet-service-in-policy

AEK
fricci_FTNT

Hi @Ambush4261,
If you are using certificate inspection, the issue you are experiencing might be due to the fact that your client is using "Encrypted Client Hello" (ECH) [https://blog.cloudflare.com/announcing-encrypted-client-hello | https://datatracker.ietf.org/doc/draft-ietf-tls-esni/ ].
When ECH is in use, the client TLS handshake uses an outer certificate that contains a mocked/trivial domain name and not the real website that the client wants to visit (so FortiGate would allow it), and an inner certificate (encrypted) that contains the real domain name visited by the client (i.e. Facebook). As it is encrypted, the FortiGate would not be able to read it. Some CDN providers (Cloudflare/Akamai) are adopting ECH and it is not a trivial problem to resolve when using certificate inspection. A solution would be adopting deep inspection, which is not applicable to every scenario (like yours, for example).

Please try to create a deny firewall policy for Facebook services as suggested by AEK. If that does not work, try to sniff traffic or investigate if your clients are using ECH.

Best regards,

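The post above suggests sniffing traffic to find out whether clients are using ECH. The following is an added example, not code from the thread or from Fortinet, that parses the first TLS record of a client connection, reports the outer server_name (SNI) that certificate inspection sees, and flags whether the encrypted_client_hello extension is present. It assumes the ECH extension code point 0xfe0d from draft-ietf-tls-esni and builds its own constructed ClientHello bytes as test input; the cover name "public-name.example" is a placeholder.

```python
"""
Added example (not from the forum thread or Fortinet): parse a TLS ClientHello and
report the outer SNI plus whether an Encrypted Client Hello (ECH) extension is present.
Assumes the ECH extension code point 0xfe0d from draft-ietf-tls-esni.
"""
import struct

SNI_EXT = 0x0000   # server_name extension (RFC 6066)
ECH_EXT = 0xFE0D   # encrypted_client_hello, draft-ietf-tls-esni (assumed code point)


def build_client_hello(sni: str, with_ech: bool) -> bytes:
    """Construct a minimal TLS record carrying a ClientHello (constructed test input)."""
    host = sni.encode()
    # server_name body: list length, name type 0 (host_name), name length, name
    sni_body = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    exts = struct.pack("!HH", SNI_EXT, len(sni_body)) + sni_body
    if with_ech:
        ech_body = b"\x00" * 8  # payload content is irrelevant for detection
        exts += struct.pack("!HH", ECH_EXT, len(ech_body)) + ech_body
    body = (
        b"\x03\x03" + b"\x00" * 32            # legacy_version + random
        + b"\x00"                              # legacy_session_id length 0
        + b"\x00\x02\x13\x01"                  # cipher suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                          # compression methods: null
        + struct.pack("!H", len(exts)) + exts  # extensions block
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type=client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Return {'sni': outer SNI or None, 'ech': bool} for a record holding a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4                      # handshake header: type(1) + length(3)
    p += 2 + 32                # legacy_version + random
    sid_len = hs[p]; p += 1 + sid_len
    cs_len = struct.unpack("!H", hs[p:p + 2])[0]; p += 2 + cs_len
    cm_len = hs[p]; p += 1 + cm_len
    result = {"sni": None, "ech": False}
    if p + 2 > len(hs):
        return result          # no extensions block at all
    ext_len = struct.unpack("!H", hs[p:p + 2])[0]; p += 2
    end = p + ext_len
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4]); p += 4
        data = hs[p:p + elen]; p += elen
        if etype == ECH_EXT:
            result["ech"] = True
        elif etype == SNI_EXT and len(data) >= 5:
            name_len = struct.unpack("!H", data[3:5])[0]
            result["sni"] = data[5:5 + name_len].decode("ascii", "replace")
    return result


def classify(record: bytes) -> str:
    """Describe what certificate inspection can actually match on for this handshake."""
    info = parse_client_hello(record)
    if info["ech"]:
        return f"ECH present: outer SNI {info['sni']!r} is a cover name, real host is encrypted"
    return f"plain SNI {info['sni']!r}"


if __name__ == "__main__":
    # Constructed samples: one plain handshake, one using ECH with a placeholder cover name.
    for rec in (build_client_hello("www.facebook.com", False),
                build_client_hello("public-name.example", True)):
        print(classify(rec))
```

To use it on real traffic, feed the TCP payload of the client's first packet to port 443 (for example exported from a packet capture taken on the firewall) to parse_client_hello. A handshake where ech is True explains the log lines in this thread: certificate inspection only sees the cover name, so a web filter or application control match on Facebook cannot trigger, while the flows without ECH are still blocked by the same policy.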
Ambush4261
New Contributor II

Okay, well understood. I will try with the new rule and the FB-related service, good idea.


Thanks for the support!

Ambush4261
New Contributor II

Just tested with the ISDB; it blocks some of the traffic, but a lot is not blocked.


[Screenshot attached: 2024-02-06 16_04_30-Clipboard.jpg]


[Screenshot attached: 2024-02-06 16_05_55-Clipboard.jpg]

AEK

Are you using policy-based mode? (check in System > Setting)

Can you also check the ISDB signatures date? (check in System > FortiGuard)

AEK