Both Facebook and YouTube use a wildcard security certificate (in YouTube's case, it uses Google's wildcard security certificate); depending on the inspection mode (SSL Certificate Inspection vs. Full SSL Inspection), the fgt may not fully see what site a device is connecting to.
Other things to keep in mind:
If you choose to block the QUIC protocol, you really only need to create one firewall policy that blocks it and move it to (or near) the top of the firewall rule chain.
Firewall policies (rules) are executed from top to bottom; when a rule is triggered (a match is found), it stops processing the further rules below it (there is, I think, one exception to this: an identifying rule?). So if you are trying to block something, place that firewall rule above any general rule that would allow that content.
Almost all (if not all) of the major web sites/services make use of other domains to redirect traffic or pull resources from other domains. Both YouTube and FB make use of content delivery networks (CDNs). Most of the fgts we manage are located at remote educational sites that have no on-site IT personnel, so there is no real computer/domain support; all web filtering is performed via the security certificate only, so generally we can only block sites based on whatever name appears on the security certificate and/or by static or FQDN addresses. (Note this is for HTTPS connections.)
Web filter URL rules override "FortiGuard category-based filters", so if you have issues blocking sites based on categories, you could try crafting URL filter rules. Another option (which only works on domains or FQDNs) is to reclassify a site using "Security Profile -> Web Ratings Overrides".
Enable Device Detection on the internal LAN interface; this will allow the fgt to identify devices. You can use "Users & Device -> Device Inventory" to see what devices (and how many) are on your internal network.
For troubleshooting blocking/unblocking issues on devices, your best tool on the fgt is FortiView. I like to use "FortiView -> Sources" and "FortiView -> Destinations", along with "Log & Report -> Web Filter" (assuming you have enabled logging on security events). You can drill down to the individual sessions to see what is allowing/blocking connections.
post edited by Dave Hall - 2019/12/03 10:55:20
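As an added illustration (not part of Dave Hall's post and not Fortinet code), the following Python toy models the two ordering rules the post describes: a policy table evaluated top to bottom where the first match wins (so a QUIC deny placed below a general allow never fires), and a web filter where URL filter rules are checked before, and override, the category verdict. All policy names, hosts, categories and ratings are made up for the example; the only real-world detail assumed is that QUIC runs over UDP/443 (and UDP/80) alongside TCP/443 HTTPS.

```python
# Added example (not from the original post): toy model of first-match,
# top-to-bottom policy evaluation and of URL-filter-over-category precedence.
# Policy names, hosts and categories below are constructed for illustration;
# the only real-world detail assumed is that QUIC uses UDP/443 (and UDP/80).
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Optional


@dataclass(frozen=True)
class Session:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Policy:
    name: str
    action: str                         # "accept" or "deny"
    proto: Optional[str] = None         # None matches any protocol
    dports: frozenset = frozenset()     # empty set matches any port

    def matches(self, s: Session) -> bool:
        if self.proto is not None and self.proto != s.proto:
            return False
        if self.dports and s.dport not in self.dports:
            return False
        return True


def evaluate(policies, session):
    """First matching policy wins; nothing matched means the implicit deny."""
    for p in policies:
        if p.matches(session):
            return p.action, p.name
    return "deny", "implicit-deny"


def move_to_top(policies, name):
    """Return a new policy list with the named policy moved to position 0."""
    target = next(p for p in policies if p.name == name)
    return [target] + [p for p in policies if p.name != name]


# Constructed policy table in the "wrong" order: the general allow comes first,
# so the QUIC deny below it is never reached.
QUIC_PORTS = frozenset({80, 443})
ALLOW_INTERNET = Policy("allow-internet", "accept")
BLOCK_QUIC = Policy("block-quic", "deny", proto="udp", dports=QUIC_PORTS)
WRONG_ORDER = [ALLOW_INTERNET, BLOCK_QUIC]
FIXED_ORDER = move_to_top(WRONG_ORDER, "block-quic")

# Constructed sessions: a QUIC connection and an ordinary HTTPS connection.
QUIC_SESSION = Session("10.0.0.5", "142.250.0.1", "udp", 443)
HTTPS_SESSION = Session("10.0.0.5", "142.250.0.1", "tcp", 443)


def web_filter_verdict(hostname, url_rules, ratings, category_actions):
    """URL filter rules are checked first and override the category verdict.

    url_rules: list of (pattern, action), checked in order, fnmatch wildcards.
    ratings:   hostname -> category (stands in for the FortiGuard rating).
    category_actions: category -> "allow" | "block" | "monitor".
    """
    for pattern, action in url_rules:
        if fnmatch(hostname, pattern):
            return action, f"urlfilter:{pattern}"
    category = ratings.get(hostname, "unrated")
    return category_actions.get(category, "allow"), f"category:{category}"


# Constructed ratings and filter profile: the streaming category is blocked,
# but a URL filter rule explicitly allows YouTube hosts (CDN hosts stay blocked).
RATINGS = {"www.youtube.com": "streaming", "i.ytimg.com": "streaming",
           "www.example.edu": "education"}
CATEGORY_ACTIONS = {"streaming": "block", "education": "allow"}
URL_RULES = [("*.youtube.com", "allow")]


if __name__ == "__main__":
    for label, table in (("wrong order", WRONG_ORDER), ("fixed order", FIXED_ORDER)):
        for s in (QUIC_SESSION, HTTPS_SESSION):
            print(label, s.proto, s.dport, "->", evaluate(table, s))
    for host in RATINGS:
        print(host, "->", web_filter_verdict(host, URL_RULES, RATINGS, CATEGORY_ACTIONS))
```

Running it shows the QUIC session accepted by "allow-internet" in the wrong order and denied by "block-quic" once that policy is moved to the top, with HTTPS still accepted either way; on the web filter side, www.youtube.com is allowed by the URL rule despite its blocked category, while i.ytimg.com (a CDN host that does not match the rule) still falls through to the category block, which is the same CDN effect the post warns about.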
