Re: Compromised site and fake tech support not blocked by FortiGate
The best overall advice IMO is user education. Those fake tech support scams almost always rely heavily on social engineering, be it via email and/or voice communication, and usually involve getting the "victim" to download something onto their computer.
As for why the FGT isn't catching it, that may depend on a number of factors, starting with how you are monitoring/scanning/protecting your users. Is the FortiGate performing full SSL content inspection or only certificate inspection? Is the FGT configured to look up both the host name and the IP address (e.g. "Rate URLs by domain and IP Address")? How are sites that return a "rating error" handled: is the FGT configured to drop that connection or to allow it through? Is the FGT configured to allow or block remote access (e.g. VNC) connections? Is the FGT configured to allow endpoint connections to IP addresses in foreign countries?
cloudfront.net is seen by the FGT as a content server, so it may be a bit difficult to differentiate legit traffic from illicit traffic. You can try URL web filtering, using either a wildcard or a regex, and that's assuming the FGT is configured for full SSL content inspection.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
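The checks listed in the reply above, written out as a FortiOS CLI fragment. This is an added example, not configuration from the original poster or from Fortinet; the profile, policy, address and interface names, the cloudfront.net hostname and the country codes are assumptions made up for illustration, and the syntax follows FortiOS 6.x and should be verified against the running firmware (`show full-configuration` on the unit is the reference). The weak settings are shown as comments next to their corrected form.

```fortios
# --- 1. Web filter profile: rating by IP as well as domain, no pass-through on rating errors
config webfilter profile
    edit "web-users"                            # assumed profile name
        config ftgd-wf
            # weak:  set options error-allow rate-server-ip
            #        ("error-allow" lets a site through whenever FortiGuard returns a rating error)
            set options rate-server-ip          # rate by domain AND by the resolved IP address
        end
        config web
            set urlfilter-table 1               # attach the static URL filter defined below
        end
    next
end

# --- 2. Static URL filter for cloudfront.net hosts
# A hostname entry matches on the SNI/certificate even under certificate-inspection.
# A regex that reaches into the path only works with full (deep) SSL inspection.
config webfilter urlfilter
    edit 1
        set name "cloudfront-scam-hosts"        # assumed table name
        config entries
            edit 1
                set url "d111111abcdef8.cloudfront.net"   # constructed example distribution hostname
                set type simple
                set action block
            next
            edit 2
                set url "*.cloudfront.net"      # wildcard: blocks the whole content network,
                set type wildcard               # expect collateral damage on legitimate sites
                set action monitor              # start with monitor, then decide
            next
        end
    next
end

# --- 3. Geography address objects for a "foreign countries" deny policy
config firewall address
    edit "geo-block-list"                       # assumed name; one object per country on a real unit
        set type geography
        set country "XX"                        # replace with the ISO 3166 country code(s) to deny
    next
end

config firewall policy
    # Deny policy must sit ABOVE the general internet policy
    edit 9
        set name "block-foreign-destinations"
        set srcintf "internal"                  # assumed interface names
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "geo-block-list"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all                      # keep evidence of what was blocked
    next

    # --- 4. General outbound policy with full SSL content inspection
    edit 10
        set name "users-to-internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set profile-protocol-options "default"
        # weak:  set ssl-ssh-profile "certificate-inspection"
        #        (only the certificate/SNI is visible; URL paths and downloads are not scanned)
        set ssl-ssh-profile "deep-inspection"   # built-in full SSL content inspection profile
        set webfilter-profile "web-users"
        set logtraffic all
        set nat enable
    next
end
```

Deep inspection requires the FortiGate CA certificate to be trusted on the endpoints, otherwise users see certificate warnings on every HTTPS site; blocking of remote-access tools such as VNC is done with an application control profile on the same policy, which is omitted here because the application IDs are specific to the FortiGuard database on the unit.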