Author
LanceMc
New Member
2014/06/13 17:54:35 (permalink)
DNS web filtering instead of SSL inspection?

Hi,
I want to set up some basic web category filtering for our school. A common problem is that we can block "http://facebook.com" but we can't block "https://facebook.com". Is there an easy way to do this without setting up SSL Inspection? I have seen articles about DNS Inspection mode for the web filtering but no doc on how to set it up. Do the clients need to use the Fortigate as their DNS server? Currently we use internal MS DNS with forwarding to external (ISP) DNS. How would this need to change to use DNS mode? TIA
#1

10 Replies

    Bromont_FTNT
    Platinum Member
    RE: DNS web filtering instead of SSL inspection? 2014/06/19 06:07:40 (permalink)
    What firmware are you running? You can block sites without deep SSL inspection by using the certificate CN and/or SNI.
    #2
    LanceMc
    New Member
    RE: DNS web filtering instead of SSL inspection? 2014/06/19 15:17:36 (permalink)
    Hi, thanks for your reply. Firmware is v5.0, build3608 (GA Patch 7). Can you send me a link to a doc or basic instructions for setting up this blocking filter?
    #3
    Dipen
    Gold Member
    RE: DNS web filtering instead of SSL inspection? 2014/06/21 08:47:35 (permalink)
    FortiOS 5.0.x has issues with blocking HTTPS sites, but FortiOS 5.2 is out and it has better HTTPS blocking capabilities.
    In any case, you can always use Application Control instead of Web Filters to achieve your result.

    Ahead of the Threat.
    FCNSA v5 / FCNSP v5
    Fortigate 1000C / 1000D / 1500D
    #4
    pcraponi
    Gold Member
    RE: DNS web filtering instead of SSL inspection? 2014/06/22 14:34:23 (permalink)
    You can follow this doc to block HTTPS without deep scan:

    http://docs.fortinet.com/d/fortigate-configuring-fortios-v5.0-webfiltering-for-https-scanning-without-ssl-deep-scanning

    It does not work for all websites (YouTube, for example), but for Facebook it works fine.

    This method blocks using the cert CN...


    regards,
    paulo raponi
    #5
    LanceMc
    New Member
    RE: DNS web filtering instead of SSL inspection? 2014/06/22 16:22:32 (permalink)
    Many thanks for the replies. I have arranged for the OS to be upgraded to 5.2 then we will try the solutions suggested.
    #6
    pcraponi
    Gold Member
    RE: DNS web filtering instead of SSL inspection? 2014/06/22 20:19:02 (permalink)
    5.2 is a very new OS. It still has some bugs...

    The best way is to try with 5.0.7 first, and if you have NO SUCCESS, you can upgrade to 5.2...

    I can confirm that 5.0.7 works fine with HTTPS block.
    < Message edited by pcraponi -- 6/22/2014 8:19:17 PM >
    #7
    Dipen
    Gold Member
    RE: DNS web filtering instead of SSL inspection? 2014/06/22 23:00:36 (permalink)
    All because of certificates. A mismatch between the URL and the CN in the certificate always causes this. YouTube is a pain because the certificate of YouTube is *.google.com.
    Application Control is more helpful to block HTTPS.

    Ahead of the Threat.
    FCNSA v5 / FCNSP v5
    Fortigate 1000C / 1000D / 1500D
    #8
    Bromont_FTNT
    Platinum Member
    RE: DNS web filtering instead of SSL inspection? 2014/06/23 05:14:27 (permalink)
    Just to be clear... before v5, non-deep SSL inspection used only the certificate CN, thus Google sites could not be differentiated.

    In v5, inspection via SNI was also added, so YouTube etc. can be blocked without SSL deep inspection.
    #9
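    The CN-versus-SNI distinction in the reply above comes down to what a filter can read from the TLS handshake without decrypting anything. The following is an added example (Python, not FortiGate code or anything posted in this thread) that builds a minimal ClientHello carrying an SNI extension, extracts the server_name from it, and matches it against a blocklist; `build_client_hello`, `extract_sni` and `sni_blocked` are names chosen here, and the ClientHello bytes are constructed test input.

```python
import struct

def build_client_hello(hostname: str) -> bytes:
    """Constructed minimal TLS ClientHello record carrying an SNI extension (test input, not real traffic)."""
    name = hostname.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type 0 = host_name
    sni_data = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0x0000, len(sni_data)) + sni_data     # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32)                                 # version + zeroed random
            + b"\x00"                                               # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"                    # one cipher suite
            + b"\x01\x00"                                           # null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes):
    """Return the host_name from the ClientHello's SNI extension, or None if absent or malformed."""
    u16 = lambda i: struct.unpack("!H", record[i:i + 2])[0]
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None
        pos = 9 + 2 + 32                       # record hdr, handshake hdr, version, random
        pos += 1 + record[pos]                 # session_id
        pos += 2 + u16(pos)                    # cipher_suites
        pos += 1 + record[pos]                 # compression_methods
        ext_end = pos + 2 + u16(pos)
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = u16(pos), u16(pos + 2)
            pos += 4
            if etype == 0:                     # server_name extension
                p, lst_end = pos + 2, pos + 2 + u16(pos)
                while p + 3 <= lst_end:
                    if record[p] == 0:         # host_name entry
                        return record[p + 3:p + 3 + u16(p + 1)].decode("ascii")
                    p += 3 + u16(p + 1)
            pos += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None                                # no SNI: only a cert-CN fallback could classify this flow

def sni_blocked(sni, blocklist) -> bool:
    """Decide whether the flow should be blocked; blocklist entries match the domain and its subdomains."""
    if sni is None:
        return False
    host = sni.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocklist)
```

    A ClientHello without an SNI extension yields None, which is exactly the case where only the certificate CN from the server's reply could classify the flow, as the earlier replies describe.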
    Prab
    Bronze Member
    Re: RE: DNS web filtering instead of SSL inspection? 2018/07/11 03:55:30 (permalink)
    Hi all,
     
    In firmware version 5.6.3, build1547, I tested the certificate-based inspection and I was able to block youtube.com and allow google.com using Web filter only.
     
    The following screenshot shows it (the screenshot was attached to the original post):

    I did not get any certificate warnings. The client browser will just see the default Error_CONNECTION_CLOSED or "The site can't be reached" message. It's worth noting that I did configure my filter not to display a block page/replacement message.
    Hope it helps!
     
    Thanks & regards,
    Prab :)
    post edited by Prab - 2018/07/11 04:13:26

    #10
    emnoc
    Expert Member
    Re: RE: DNS web filtering instead of SSL inspection? 2018/07/11 13:00:33 (permalink)
    Just to be clear... before v5, non-deep SSL inspection used only the certificate CN, thus Google sites could not be differentiated.

    BTW, the certificate "CN" is ignored in ALL major web browsers when an AltName is present.

    Back to the OP, you could also use an explicit proxy and block the website without setting up SSL inspection.

    Ken

    PCNSE, NSE, Forcepoint, StrongSwan Specialist
    #11