Spotify block through override not taking effect

Author
jesse.fletcher
2019/06/19 18:19:08 (permalink) 6.2
0

Spotify block through override not taking effect

I'm having an odd issue with Application Control (Blocking Spotify) on an outgoing client policy on 6.2. Wondering if anyone would have any insight to what I may be missing?

The application control profile has Spotify added as an override with Block as the action. When I check the logs and filter Spotify it appears with pass as the action.

I've confirmed through these records that it is the correct policy which has the profile with the override in it that is being applied to that traffic.

Is there anything else in the app control profile that needs to be done other than adding the override block in order for that to work?
 
Screenshots linked below. Thanks.
 
https://www.dropbox.com/s/nomrodlithgsvnf/spotify1.PNG?dl=0
https://www.dropbox.com/s/1mlqf5g15kddmgi/spotify2.PNG?dl=0
https://www.dropbox.com/s/d0s0arkt5e4qeod/spotify3.PNG?dl=0
https://www.dropbox.com/s/hjgz9ml98ipzerb/spotify4.PNG?dl=0
#1

12 Replies

    hubertzw
    Re: Spotify block through override not taking effect 2019/06/19 22:25:45 (permalink)
    0
    Can you see in the logs the correct profile name (Application Control)?
    #2
    jesse.fletcher
    Re: Spotify block through override not taking effect 2019/06/20 17:42:27 (permalink)
    0
    It appears that the Application Control Sensor appearing under the log details is "default" which doesn't match the "default-block-spotify" profile which has been created. Any reason why this profile would be showing even though the other is assigned to the policy which the traffic is passing through? The correct policy #27 is showing in the log details which has the "default-block-spotify" profile attached. Screenshots below.
     
    https://www.dropbox.com/s/uqsgy5q12kwkl0p/spotify5.PNG?dl=0
    https://www.dropbox.com/s/v7g4q3h27o5yjxq/spotify6.PNG?dl=0
     
     
     
    #3
    hubertzw
    Re: Spotify block through override not taking effect 2019/06/21 09:50:25 (permalink)
    0
    Yes, it doesn't make sense. Can you show the policy ID 27 configuration?
    #4
    jesse.fletcher
    Re: Spotify block through override not taking effect 2019/06/23 17:29:56 (permalink)
    #5
    hubertzw
    Re: Spotify block through override not taking effect 2019/06/24 23:53:56 (permalink)
    0
    You need the policy with Application Control with action 'block'. I see your policy 27 has action 'pass'.
     
    I just tested it and it works fine on 6.2:
     
    date=2019-06-24 time=23:46:49 logid="1059028705" type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" level="warning" vd="root" eventtime=1561445209 appid=17405 srcip=10.0.1.10 dstip=104.154.127.47 srcport=49642 dstport=443 srcintf="port3" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 service="HTTPS" direction="outgoing" policyid=1 sessionid=1917 applist="spotify-test" appcat="Video/Audio" app="Spotify" action="block" hostname="www.spotify.com" incidentserialno=1399263240 url="/" msg="Video/Audio: Spotify," apprisk="medium"


    #6
    jorge.americo
    Re: Spotify block through override not taking effect 2019/06/25 06:22:04 (permalink)
    0
     
    Try removing the override and block the category.
    This test is just to see if it can be some problem in the override.
    #7
    jesse.fletcher
    Re: Spotify block through override not taking effect 2019/06/25 17:17:58 (permalink)
    0
    hubertzw
    You need the policy with Application Control with action 'block'. I see your policy 27 has action 'pass'.
     
    I just tested it and it works fine on 6.2:
     
    date=2019-06-24 time=23:46:49 logid="1059028705" type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" level="warning" vd="root" eventtime=1561445209 appid=17405 srcip=10.0.1.10 dstip=104.154.127.47 srcport=49642 dstport=443 srcintf="port3" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 service="HTTPS" direction="outgoing" policyid=1 sessionid=1917 applist="spotify-test" appcat="Video/Audio" app="Spotify" action="block" hostname="www.spotify.com" incidentserialno=1399263240 url="/" msg="Video/Audio: Spotify," apprisk="medium"






    See below 2 screenshots which have the override as blocks. Surely the IPv4 Policy "27" isn't meant to be action of "DENY"?
     
    https://www.dropbox.com/s/1mlqf5g15kddmgi/spotify2.PNG?dl=0
    https://www.dropbox.com/s/d0s0arkt5e4qeod/spotify3.PNG?dl=0
     
    #8
    jesse.fletcher
    Re: Spotify block through override not taking effect 2019/06/25 17:28:10 (permalink)
    0
    jorge.americo
     
    Try removing the override and block the category.
    This test is just to see if it can be some problem in the override.


     
    Tried this and the same thing occurs, log entry shows Spotify entry with pass and the policy with ID 27. It also shows under the log details the Application Control with the sensor with name "Default" which is not what is assigned to policy 27. I've disabled app control on the policy and re-enabled to test and the same thing occurs. The wrong app control sensor is assigned to the policy 27.
    #9
    jorge.americo
    Re: Spotify block through override not taking effect 2019/06/25 17:51:25 (permalink)
    0
    OK. Now I see a thing. Try without the webfilter option.
    #10
    jesse.fletcher
    Re: Spotify block through override not taking effect 2019/06/25 18:52:16 (permalink)
    0
    No difference after disabling web filter on policy 27.
    #11
    binnyrog
    Re: Spotify block through override not taking effect 2019/06/25 23:13:27 (permalink)
    0
    Enable "Network Protocol Environment" option from this screenshot. https://www.dropbox.com/s/1mlqf5g15kddmgi/spotify2.PNG?dl=0
     
    It'd help you. 
    #12
    hubertzw
    Re: Spotify block through override not taking effect 2019/06/26 03:34:52 (permalink)
    0
    Yes, my mistake, the firewall policy action can be 'allow' of course. The one scenario I tested is like your one and in my case it works fine:
     
    FortiOS v6.2.0 build0866 (GA)
     
    config firewall policy
        edit 1
            set name "Full_Access"
            set uuid b11ac58c-791b-51e7-4600-12f829a689d9
            set srcintf "port3"
            set dstintf "port1"
            set srcaddr "LOCAL_SUBNET"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set logtraffic all
            set fsso disable
            set application-list "spotify-test"
            set ssl-ssh-profile "custom-deep-inspection"
            set nat enable
        next
    end
     



    config application list
        edit "spotify-test"
            set comment ''
            set replacemsg-group ''
            set extended-log disable
            set other-application-action pass
            set app-replacemsg enable
            set other-application-log enable
            set enforce-default-app-port disable
            set unknown-application-action pass
            set unknown-application-log disable
            unset p2p-black-list
            set deep-app-inspection enable
            set options allow-dns
            config entries
                edit 1
                    set application 17405
                    set action block
                    set log enable
                    set log-packet disable
                    set rate-count 0
                    set session-ttl 0
                    set quarantine none
                next
            end
        next
    end
     

     
     
    #13
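The check the thread keeps coming back to (does the applist in the app-ctrl log match the sensor assigned to the policy, and is the logged action block), as an added example that is not part of any post. The function names and the policy-to-sensor table are assumptions built from values quoted in the thread; the second log line is constructed to model the symptom described for policy 27.

```python
import shlex

# Sensor each policy is expected to apply, as stated in the thread.
EXPECTED_APPLIST = {1: "spotify-test", 27: "default-block-spotify"}

# Fields trimmed from the app-ctrl log line quoted in the thread.
THREAD_LINE = ('date=2019-06-24 time=23:46:49 type="utm" subtype="app-ctrl" '
               'appid=17405 policyid=1 applist="spotify-test" app="Spotify" '
               'action="block" msg="Video/Audio: Spotify,"')

# Constructed line: same shape, values modelling the policy 27 symptom.
CONSTRUCTED_LINE = ('date=2019-06-25 time=17:00:00 type="utm" subtype="app-ctrl" '
                    'appid=17405 policyid=27 applist="default" app="Spotify" '
                    'action="pass" msg="Video/Audio: Spotify,"')


def parse_kv(line):
    """Split a FortiOS key=value log line, keeping quoted values intact."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def check_app_ctrl(line, app, expected=EXPECTED_APPLIST):
    """Return findings for one app-ctrl log line about the given application."""
    f = parse_kv(line)
    if f.get("subtype") != "app-ctrl" or f.get("app") != app:
        return []
    findings = []
    policy = int(f.get("policyid", -1))
    want = expected.get(policy)
    # A sensor other than the one assigned means the override is never evaluated.
    if want and f.get("applist") != want:
        findings.append(f"policy {policy}: log shows sensor "
                        f"{f.get('applist')!r}, expected {want!r}")
    if f.get("action") != "block":
        findings.append(f"policy {policy}: {app} action is "
                        f"{f.get('action')!r}, not 'block'")
    return findings


if __name__ == "__main__":
    for sample in (THREAD_LINE, CONSTRUCTED_LINE):
        print(check_app_ctrl(sample, "Spotify") or "ok")
```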