Webfiltering Fortiguard query - hostname only or full url path ?

Headspinning
2017/08/09 19:14:55

Hi,


    I am wondering if someone can advise me: when the Fortigate webfilter performs a category check with the Fortiguard server, does it just submit the hostname or the full URL path?


  For example, when a user accesses http://www.aaa.com/bbb/ccc.js, is the Fortigate going to query the Fortiguard server with www.aaa.com or www.aaa.com/bbb/ccc.js?


Regards

Kevin
#1


    oheigl
    Re: Webfiltering Fortiguard query - hostname only or full url path ? 2017/08/10 05:19:53
    I guess this will be helpful to explain the different situations; it's taken from the FortiOS Handbook 5.4.4:
     
    Scenario 1: The configuration of the domain name overrides the configuration for the subdirectory.
    Depending on the URL specified or other aspects of configuration, the configuration of a local
    or custom category may not take effect. Consider a scenario where you have defined:
    • example.com – local rating as “category 1”, action set to Block
    • example.com/subdirectory – local rating as “category 2”, action set to Monitor
    • example.com/subdirectory/page.html – local rating as “category 3”, action set to Warning.
    If a user browses to “example.com”, access will be blocked. If a user browses to example.com/subdirectory,
    access will also be blocked, even though that address was configured to be part of category 2. The configuration of
    the domain name overrides the configuration for the subdirectory.
    However, if you configure a specific HTML page differently than the domain name, then that configuration will
    apply. In this scenario, the user will see a Warning message but will be able to pass through to the page.

    #2
    Headspinning
    Re: Webfiltering Fortiguard query - hostname only or full url path ? 2017/08/10 15:07:06
    Hi,
      The issue that I am observing is that, when checking on the Fortiguard Webfiltering:
     
    1) example.com was categorized as Information Technology (which is allowed by the Fortigate webfilter profile)
    2) example.com/aa/bb was categorized as Malicious Websites (which is disallowed by the Fortigate webfilter profile)
     
    The issue was that when the user clicked on example.com/aa/bb, it was allowed by the Fortigate, which according to the traffic log classified it as Information Technology. Which leads to this question: is the Fortigate querying Fortiguard only on hostname or on the full URL path?
     
       Hope I made it clear enough this time.
     
    Regards
    Kevin
    #3
    oheigl
    Re: Webfiltering Fortiguard query - hostname only or full url path ? 2017/08/11 01:00:56
    In the past I thought that only the hostname is queried; I was surprised that additional paths are checked too.
     
    Regarding your example: do you get two different categories if you query, for example, on the https://fortiguard.com/webfilter website, or is it defined by you locally on the FortiGate? Another question: is the website in question accessed via HTTPS? Maybe you have only certificate inspection enabled, and in this way only the information in the website certificate can be checked, so the additional path parameters are ignored?
    #4
    Headspinning
    Re: Webfiltering Fortiguard query - hostname only or full url path ? 2017/08/21 21:52:42
    I actually queried fortiguard.com/webfilter with both the hostname only and the full URL, and the two returned different categories. Looks like the Fortigate only filters based on hostname.
    It was on SSL DPI when it happened.
     
    #5
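
The difference between a hostname-only and a full-URL category lookup discussed in this thread, as an added example that is not from any poster or from Fortinet: a generic Python model using the thread's example.com ratings as constructed data. The longest-prefix lookup and the names `lookup_key`, `rate` and `verdict` are assumptions for illustration, not FortiOS behaviour.

```python
from urllib.parse import urlsplit

# Constructed rating table mirroring the thread's example; not FortiGuard data.
RATINGS = {
    "example.com": "Information Technology",
    "example.com/aa/bb": "Malicious Websites",
}
BLOCKED = {"Malicious Websites"}


def lookup_key(url, inspection):
    """Return the string a filter is able to rate for this request.

    inspection: "none" (plain HTTP), "certificate" (TLS not decrypted, only
    the SNI/certificate hostname is visible) or "deep" (TLS decrypted).
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    path = parts.path.rstrip("/")
    if parts.scheme == "https" and inspection != "deep":
        return host  # the path travels inside the encrypted HTTP request
    return host + path


def rate(key, ratings=RATINGS):
    """Longest-prefix match on path segments (assumed lookup model)."""
    segments = key.split("/")
    for n in range(len(segments), 0, -1):
        candidate = "/".join(segments[:n])
        if candidate in ratings:
            return ratings[candidate]
    return "Unrated"


def verdict(url, inspection):
    """Return (category, action) for a URL under the given inspection mode."""
    category = rate(lookup_key(url, inspection))
    return category, ("block" if category in BLOCKED else "allow")
```

A traffic log that shows the hostname's category for a request whose full URL is rated differently matches the hostname-only row of this model, which is the symptom reported in post #3.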