Application Control: can't override block action with custom signature when HTTPS

Author
serinfbco
2017/11/28 07:22:02 (permalink) 5.2
0

Application Control: can't override block action with custom signature when HTTPS

The "proxy" category is blocked but we want to allow only one legit web site. We created a custom signature with the right pattern. In the override section this custom application is set to "monitor". But this site is still blocked.
 
The problem seems to be that the custom signature works and I see the "pass" action in the log when the service is HTTP, BUT after that the workflow continues to the HTTPS service and reaches the default signature "Proxy.Websites", and at that point the action is set to "block"... So how do we override the block action? Is it possible to stop the workflow in the custom signature so that it stops processing after the "allow" action? We set the weight of the signature to 255 but this is not working. Here are the details:
 
The custom signature:
F-SBID( --attack_id 9524; --name "Permit.proxy.XXX"; --pattern "proxy.XXX.ca"; --protocol tcp; --no_case; --flow from_client; --context host; --app_cat 6; --weight 255;)
 

Attached Image(s)

#1


    hmtay_FTNT
    Re: Application Control: can't override block action with custom signature when HTTPS 2017/11/28 09:25:09 (permalink)
    0
    Hello serinfbco,
     
    Can you try this?
     
    F-SBID( --attack_id 9524; --name "Permit.proxy.XXX.SSL"; --protocol tcp; --service SSL; --pattern "proxy.XXX.ca"; --no_case; --context host; --app_cat 6; --weight 255;)
     
    F-SBID( --attack_id 9525; --name "Permit.proxy.XXX.HTTP"; --protocol tcp; --service HTTP; --flow from_client; --pattern "proxy.XXX.ca"; --context host; --no_case; --app_cat 6; --weight 255;)
     
    Homing
    post edited by hmtay_FTNT - 2017/11/28 09:26:17
    #2
    serinfbco
    Re: Application Control: can't override block action with custom signature when HTTPS 2017/11/29 02:26:17 (permalink)
    0
    Thanks hmtay_FTNT,
     
    I tried the signatures and I see they are matching the pattern, but the default "Proxy.Websites" application control signature is still matching too, and this one is set to "block". So I have two signatures matching and one is set to block...
     
    We are in flow-based mode.
      

    Attached Image(s)

    #3
    hmtay_FTNT
    Re: Application Control: can't override block action with custom signature when HTTPS 2017/11/29 12:40:22 (permalink)
    0
    The default Proxy.Websites signature will match. However, with the custom signatures, it will override that. Did the site work? If not, can I know what your FortiOS and IPS Engine versions are?
    #4
    serinfbco
    Re: Application Control: can't override block action with custom signature when HTTPS 2017/12/01 11:02:28 (permalink)
    0
    I see the signature matching, but at one point the traffic is being blocked by the default "Proxy.Websites" signature. Yes, the site works. I put a network monitor tool in place and I can see where it is blocked: a response packet never reaches the client (the picture below). But all other packets before that containing the pattern "proxy.XXX.ca" are allowed. Why would this one be blocked? And furthermore we apply application control only to traffic going outside, so why would the response be blocked?
     
    FortiOS version v5.2.11, build754
    IPS Engine version 3.00441
    Thanks!
     

    Attached Image(s)

    #5
    serinfbco
    Re: Application Control: can't override block action with custom signature when HTTPS 2017/12/02 03:03:02 (permalink)
    0
    Finally, after looking at all the logs, I found something really strange. The custom signature is working as expected on the outgoing packet, BUT the problem comes from the incoming packet, which doesn't make sense.
     
    OK, the Application Control policy is applied to the traffic in this direction: Interface 9 (internal) to Interface 10 (external). I can't explain why the IPS Engine sees the private address on the external interface... Sorry for my English, but the image below explains the strange behavior better. The client IP address is xxx.xxx.xx.118 and the server public IP address is xxx.xxx.xxx.53.
     

     
    post edited by serinfbco - 2017/12/02 03:16:06

    Attached Image(s)

    #6
    hmtay_FTNT
    Re: Application Control: can't override block action with custom signature when HTTPS 2017/12/05 09:37:08 (permalink)
    0
    Can you modify the following custom signature to these:
     
    F-SBID( --attack_id 9524; --name "Permit.proxy.XXX.SSL"; --protocol tcp; --service SSL; --pattern "proxy.XXX.ca"; --no_case; --context host; --app_cat 6; --depend-on 32384; --depend-on 38941; --scan-range 2k,all; --weight 255;)
     
    F-SBID( --attack_id 9525; --name "Permit.proxy.XXX.HTTP"; --protocol tcp; --service HTTP; --flow from_client; --pattern "proxy.XXX.ca"; --context host; --no_case; --app_cat 6; --depend-on 32384; --depend-on 38941; --scan-range 2k,all; --weight 255;)
     
    If you already have the set, don't add new ones, modify them. Add the --depend-on and --scan-range syntaxes. If you run into an index error, let me know.
    #7
    serinfbco
    Re: Application Control: can't override block action with custom signature when HTTPS 2017/12/06 06:41:50 (permalink)
    0
    Thanks hmtay_FTNT,
     
    I applied both new signatures but I got the same results. HTTP passed and SSL passed with the custom signature, and right after that it's blocked by the default "Proxy.Websites" signature. Again, the blocked packet is strange because it's in the reverse flow, without logic. As I said, what I see in the log is the source IP (our client) seen on the external interface and the destination IP seen on the internal interface. I can't see this behavior for other packets logged for "application control".
     
    Just to be sure, here are the two new custom signatures:
     
    F-SBID( --attack_id 1219; --name "Permit.proxy.xxx.SSL";  --protocol tcp; --service SSL; --pattern "proxy.xxx.ca"; --context host; --no_case; --app_cat 6; --depend-on 32384; --depend-on 38941; --scan-range 2k,all; --weight 255;)
     
    F-SBID( --attack_id 5475; --name "Permit.proxy.xxx.HTTP"; --protocol tcp; --service HTTP; --pattern "proxy.xxx.ca"; --context host; --no_case; --app_cat 6; --depend-on 32384; --depend-on 38941; --scan-range 2k,all; --weight 255;)
    #8
    hmtay_FTNT
    Re: Application Control: can't override block action with custom signature when HTTPS 2017/12/06 13:01:08 (permalink)
    0
    Hi serinfbco,
     
    Can you send me your configuration file and the output to "diagnose autoupdate versions"? You can send it to me in a PM. I will check and see what's wrong. 
     
    >>I applied both new signatures but I got the same results. HTTP passed and SSL passed with the custom signature, and right after that it's blocked by the default "Proxy.Websites" signature. Again, the blocked packet is strange because it's in the reverse flow, without logic. As I said, what I see in the log is the source IP (our client) seen on the external interface and the destination IP seen on the internal interface. I can't see this behavior for other packets logged for "application control".
     
    This would happen on an older IPS Engine + FortiOS combination that doesn't support custom signature whitelisting. The IPS Engine says the packet is allowed, but the packets are dropped.
    #9
    serinfbco
    Re: Application Control: can't override block action with custom signature when HTTPS 2017/12/08 05:57:43 (permalink)
    0
    Hi hmtay,
     
    I sent you our config file and the output of "diagnose autoupdate versions" by PM.
     
    Thanks!
    #10