Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
figge
New Contributor

URL filter regexp

Have the way the Fortigate interprets regular expressions changed between FortiOS release 5.4 an 5.6 ???   \.ru\b  worked in 5.4 to match all domains under the top-domain .ru, it does not work in 5.6.4   if I add \.ru\b  in the Static URL filter via GUI the regexp as show in the CLI is \\.ru\\b and it does not match
1 Solution
baggins
New Contributor III

right..

 

Just checked with wildcard option and *.ru/ and it works.

I'm on 6.0.3..

Site that you mentioned works "www.rum.se" and went trough list here on few and all blocked.

try..

View solution in original post

12 REPLIES 12
Dave_Hall
Honored Contributor

I'm pretty sure this is an intended design - I know it was/is pointed out in the old 4.0.x documentation, that the fgt will insert a \ prefix in url expression before a \ character - you just don't see it in the GUI.  Perhaps your issue is elsewhere - can you provide more info?

 

Edit: see https://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-security-profiles/Other_Profile_Cons...

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
figge

I have two fortigate, one running 5.4.8 and one running 5.6.4.

The first one (FortiOS 5.4.8) have a VDOM in proxy mode and I use the IPv4 Policy to apply a Webfilter + static URL filter to the traffic. The URL filter have a policy  \.ru\b  Block Enable and it works as intended blocking the top domain ru.

 

The second one (FortiOS 5.6.4) have no VDOMs, runs in proxy mode and I use the Explicit Proxy Policy to apply a Webfilter + static URL. The URL filter have a policy  \.ru\b  Block Enable and it does not work, I have tested many different regexp patterns. The interesting thing though is that using exactly the same regexp as above gives a different result e.g. no match for www.google.ru .and other .ru sites

Dave_Hall
Honored Contributor

If explicit proxy is setup on the second fgt, are you sure it is working properly?  Have you forced (manual set a proxy server setting) on a client browser?

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
figge

Yes, everything works correctly; AV, Webfilter, App-filter, Deep SSL-inspection - no problems.

I use PAC file and have no problem what so ever with that. Forced proxy setting make no difference.

So the logical conclusion is that handling of regular expressions must have changed. I can test the two systems side by side and get different results from the same URL filter regexp.

 

baggins
New Contributor III

Hi,

 

I know it's a long shot but can you try only with .ru

 

so create new url filter and set to regex + block and enter only .ru and try.

 

 

figge
New Contributor

That regexp surely blocks all .ru sites, but it also blocks

sites like www.rum.se  and I dont want that.

baggins
New Contributor III

right..

 

Just checked with wildcard option and *.ru/ and it works.

I'm on 6.0.3..

Site that you mentioned works "www.rum.se" and went trough list here on few and all blocked.

try..

figge
New Contributor

Thanks, the wildcard option solves this particular use case.

I am still curious as to why the very same regexp gives different result in the two Fortigates though.

I have opened a TAC-case with this question. 

baggins
New Contributor III

Hi figge,

 

glad that this helps..

Do you have same fw version on both?

Labels
Top Kudoed Authors