Support Forum
Fingolfin
New Contributor

Strange hostname in logs bypassing webfilter profile

Hello everyone,

I need your help because I lack some knowledge in firewall security. I use a FortiGate 1500D and I need some help to understand the following logs.

As you'll see, 172.24.110.135 is watching a video on mareplaytv.fr. I put this URL in a forbidden blacklist, but it didn't change anything. I had to block the mareplaytv pattern in the web content filter, but I don't want to do this for each web filter profile.

It looks to me like mareplaytv is not web filtered because the user is going through these strange hostnames that belong to allowed categories. That's where I'm lacking some knowledge: what are these hostnames? How is the user doing this? How can I block it?

Thanks in advance for your answers.


Feb  7 16:11:10 date=2017-02-07 subtype=webfilter eventtype=ftgd_allow level=notice srcip=172.24.110.135 srcport=65120 dstip=212.129.7.87 dstport=80 proto=6 service=HTTP hostname="engine.espace.qosmik.com" profile="CAMPUS" action=passthrough reqtype=direct url="/diffusion/?psid=52&retour=1320&TS=1486480270625&random=902766993&url=http%3A%2F%2Fwww.mareplaytv.com%2Fvideo%2Fles-anges-9-bac" sentbyte=22271 rcvdbyte=35876 direction=N/A msg="URL belongs to an allowed category in policy" method=domain cat=17 catdesc="Advertising"

Feb  7 16:11:10 date=2017-02-07 type=utm subtype=webfilter eventtype=ftgd_allow level=notice user="" srcip=172.24.110.135 srcport=65299 dstip=176.31.226.106 dstport=80 proto=6 service=HTTP hostname="pub7.media-clic.com" profile="CAMPUS" action=passthrough reqtype=direct url="/www/delivery/lg.php?bannerid=8146&campaignid=834&zoneid=28600&loc=1&referer=http%3A%2F%2Fwww.mareplaytv.com%2Fvideo%2Fles-ange" sentbyte=822 rcvdbyte=0 direction=N/A msg="URL belongs to an allowed category in policy" method=domain cat=52 catdesc="Information Technology"


NeilG
Contributor

At first glance the user is not trying to bypass anything; it's that this content is being served up through whatever advertisement provider qosmik.com is using, in this case pub7.media-clic.com.

That site is showing as "Information Technology" when you check the URL at FortiGuard.com:

http://beta.fortiguard.com/webfilter?q=pub7.media-clic.com

(I used Beta as the normal webpage was having issues)

So what is your status for advertising sites, AND do you have the web filter policy set to:

* Block HTTP redirects by rating

* Rate Images by URL

Note: Be very careful with the option for blocking by IP and domain - most of the time that will have results you don't expect, so it's probably best not to touch that setting.

I hope this helps.

-Neil
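
An added example (my own code, not from the post or from Fortinet) of how to hunt for the pattern Neil describes in exported webfilter logs: it parses the key=value lines, percent-decodes the url= and referer= parameters of requests that passed through to allowed hosts, and flags those carrying a blacklisted domain. The sample log lines and the blacklist are constructed here, modelled on the logs in the question.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines modelled on the FortiGate webfilter log in the post (fields trimmed).
SAMPLE_LOGS = [
    'date=2017-02-07 subtype=webfilter eventtype=ftgd_allow srcip=172.24.110.135 '
    'hostname="engine.espace.qosmik.com" action=passthrough catdesc="Advertising" '
    'url="/diffusion/?psid=52&url=http%3A%2F%2Fwww.mareplaytv.com%2Fvideo%2Fles-anges-9-bac"',
    'date=2017-02-07 subtype=webfilter eventtype=ftgd_allow srcip=172.24.110.135 '
    'hostname="pub7.media-clic.com" action=passthrough catdesc="Information Technology" '
    'url="/www/delivery/lg.php?bannerid=8146&referer=http%3A%2F%2Fwww.mareplaytv.com%2Fvideo%2Fles-ange"',
    'srcip=172.24.110.135 hostname="www.example.org" action=passthrough url="/index.html"',
]
BLOCKED_DOMAINS = {"mareplaytv.com", "mareplaytv.fr"}  # the poster's blacklist, as assumed here
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_log(line):
    """Parse a FortiGate key=value log line; quoted values keep their embedded '=' and '&'."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in KV_RE.finditer(line)}

def embedded_hosts(path_and_query):
    """Hostnames carried inside URL-encoded query parameters such as url= or referer=."""
    hosts = set()
    for _, value in parse_qsl(urlsplit(path_and_query).query):  # parse_qsl percent-decodes
        if value.lower().startswith(("http://", "https://")):
            host = urlsplit(value).hostname
            if host:
                hosts.add(host)
    return hosts

def is_blocked(host, blocked=BLOCKED_DOMAINS):
    """True when host equals, or is a subdomain of, a blocked domain."""
    return any(host == d or host.endswith("." + d) for d in blocked)

def find_embedded_blocked(lines, blocked=BLOCKED_DOMAINS):
    """(srcip, allowed hostname, embedded blocked host) for each passthrough request that carries one."""
    findings = []
    for line in lines:
        rec = parse_log(line)
        if rec.get("action") != "passthrough":
            continue
        for host in sorted(embedded_hosts(rec.get("url", ""))):
            if is_blocked(host, blocked):
                findings.append((rec.get("srcip"), rec.get("hostname"), host))
    return findings

if __name__ == "__main__":
    for src, via, target in find_embedded_blocked(SAMPLE_LOGS):
        print(f"{src} reached {target} through allowed host {via}")
```

Such hits tell you which allowed intermediary hosts (ad and redirect services) are carrying the blocked site, so you can decide whether to rate the redirect or the embedded URL rather than blocking the intermediary outright.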

Fingolfin

Thanks for your answer.

Advertising is allowed (users need it).

And I see that "Block HTTP redirects by rating" and "Rate Images by URL" are available when proxy mode is active, but I'm doing flow-based web filtering.
