Filter blocks only insecured web sites (Answered)

Author
zigfridus
New Member
  • Total Posts : 5
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/02/11 06:57:46
  • Status: offline
2020/02/11 23:22:33 (permalink)
0

Filter blocks only insecured web sites

Hello
 
I would like to create a policy that consists of a white list of URLs and a rule that blocks all other URLs. So I started with creating a web filter and added only one rule that blocks everything.
Then I added the filter into the policy. Unfortunately this filter blocks only insecured web sites (http) but not secured ones (https).
 
Could you please help?
 
Thanks

#1
Johan Witters
Bronze Member
  • Total Posts : 42
  • Scores: 0
  • Reward points: 0
  • Joined: 2015/06/03 04:06:12
  • Location: Belgium
  • Status: offline
Re: Filter blocks only insecured web sites 2020/02/12 04:16:11 (permalink)
0
Hi,
 
I recommend you to use a DNS filter if possible as it will block the name resolution itself, and not HTTP or other traffic.
 
If you want to use a web filter you have to configure ssl inspection (certificate inspection or deep inspection) so the Fortigate can at least check the certificate of the website to check the url, but the browser might present a "certificate warning". This is due to the fact https traffic is encrypted so the Fortigate can't see which site the request is for.
You can also try with a webfilter "*.*:443", but I haven't tried that myself, so I can't promise it'll work.
 
Good luck,
 
Johan
#2
zigfridus
New Member
  • Total Posts : 5
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/02/11 06:57:46
  • Status: offline
Re: Filter blocks only insecured web sites 2020/02/12 06:19:21 (permalink)
0
Thank you Johan for your reply.
As I understand it, the DNS filter parses only DNS requests. So when a user sends a request not to the web site's name but to its IP address, the DNS filter will not block it.
Am I right?
#3
Dave Hall
Expert Member
  • Total Posts : 1641
  • Scores: 174
  • Reward points: 0
  • Joined: 2012/05/11 07:55:58
  • Location: Canada
  • Status: offline
Re: Filter blocks only insecured web sites 2020/02/12 08:05:49 (permalink) Best Answer by zigfridus 2020/02/28 01:50:50
0
Hi Valentyn.
 
The screenshot shows you are using certificate inspection on the Web Filter Profile, which means the fgt should peek at the security certificate for the CN or alt names to process whether it needs to be allowed or blocked. Common problems with this approach are that some sites may use wildcard security certificates or use the same security certificate for multiple sites. On top of that, some sites may make use of local content servers or pull resources (like images) from other domains.
 
The pic below shows www.mcdonalds.com, but the CN on the certificate is assets.mcdonalds.co.uk. (Though I haven't checked on the alt names.) To fully block/allow www.mcdonalds.com you may need to also include a URL filter for assets.mcdonalds.co.uk.
 
DNS filtering is another approach for web filtering, but mostly only works on whole FQDNs. (Someone correct me on this if this is incorrect.)
 
Full SSL or deep packet inspection is likely the best option for monitoring/limiting/restricting web traffic, but it requires that a security certificate be installed on client browsers (for the most part).
 
This KB explains the differences between the two inspection modes.
 
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
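An added example, not from the thread or from Fortinet: a simplified Python model of what Dave describes, where under certificate inspection the URL filter can only be matched against the names the server certificate carries (CN and subject alt names), never against the hostname the user typed. The simple/wildcard/regex entry types and the first-match evaluation are assumptions of this model, not a statement of FortiOS internals; the certificate names are constructed from the mcdonalds.com case above.

```python
import fnmatch
import re

def names_from_cert(cn, sans):
    """Hostnames a server certificate identifies: CN first, then SANs, de-duplicated."""
    seen = []
    for name in [cn, *sans]:
        name = name.lower()
        if name not in seen:
            seen.append(name)
    return seen

def entry_matches(entry, name):
    """entry is (kind, pattern); kind is one of simple / wildcard / regex (assumed types)."""
    kind, pattern = entry
    if kind == "simple":
        return name == pattern.lower()
    if kind == "wildcard":
        return fnmatch.fnmatchcase(name, pattern.lower())
    if kind == "regex":
        return re.search(pattern, name) is not None
    raise ValueError(f"unknown entry type {kind!r}")

def decide(url_filter, cert_cn, cert_sans):
    """Evaluate a URL filter list under certificate inspection.

    url_filter is an ordered list of ((kind, pattern), action). Only the
    certificate's names are consulted, which is why a filter written for the
    typed hostname misses when the site serves a certificate for another name.
    Returns (action, matched_name); ('allow', None) when nothing matches.
    """
    for entry, action in url_filter:
        for name in names_from_cert(cert_cn, cert_sans):
            if entry_matches(entry, name):
                return action, name
    return "allow", None

# Constructed scenario: www.mcdonalds.com served with a certificate whose CN is
# assets.mcdonalds.co.uk and no SAN for www.mcdonalds.com.
CERT_CN = "assets.mcdonalds.co.uk"
CERT_SANS = ["assets.mcdonalds.co.uk"]

FILTER_TYPED_HOST_ONLY = [(("simple", "www.mcdonalds.com"), "block")]
FILTER_WITH_CERT_NAME = FILTER_TYPED_HOST_ONLY + [(("simple", "assets.mcdonalds.co.uk"), "block")]
FILTER_BLOCK_ALL = [(("wildcard", "*.*"), "block")]

if __name__ == "__main__":
    print(decide(FILTER_TYPED_HOST_ONLY, CERT_CN, CERT_SANS))  # ('allow', None)
    print(decide(FILTER_WITH_CERT_NAME, CERT_CN, CERT_SANS))   # ('block', 'assets.mcdonalds.co.uk')
```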
#4
zigfridus
New Member
  • Total Posts : 5
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/02/11 06:57:46
  • Status: offline
Re: Filter blocks only insecured web sites 2020/02/13 02:40:14 (permalink)
0
Hi Dave
 
Thank you for your answer.
 
Dave Hall
To fully block/allow www.mcdonalds.com you may need to also include a URL filter for assets.mcdonalds.co.uk.


But why doesn't my filter *.* block all web sites? I thought it must block every web site.
#5
zigfridus
New Member
  • Total Posts : 5
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/02/11 06:57:46
  • Status: offline
Re: Filter blocks only insecured web sites 2020/02/14 00:34:48 (permalink)
0
I figured out something weird. Fortigate blocks https web sites, but not all of them. For example, it successfully blocks https://itc.ua:
 
2020-02-14T09:35:04.355876+02:00 192.168.60.2 date=2020-02-14 time=09:35:03 devname="fortigate" devid="xxx" logid="0315012544" type="utm" subtype="webfilter" eventtype="urlfilter" level="warning" vd="root" eventtime=1581665704323571840 tz="+0200" urlfilteridx=1 urlfilterlist="Auto-webfilter-urlfilter_qka27jppz" policyid=15 sessionid=3770186 srcip=192.168.60.17 srcport=5247 srcintf="lan" srcintfrole="lan" dstip=93.183.199.243 dstport=443 dstintf="wan1" dstintfrole="wan" proto=6 service="HTTPS" hostname="itc.ua" profile="exclusions" action="blocked" reqtype="direct" url="https://itc.ua/" sentbyte=517 rcvdbyte=0 direction="outgoing" urlsource="Local URLfilter Block" msg="URL was blocked because it is in the URL filter list" crscore=30 craction=8 crlevel="high"
 
But it doesn't block https://facebook.com and https://youtube.com at all. I don't understand why the web filter's rule "*" works so selectively. Maybe its SSL inspection allows the requests.
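An added example, not from the thread: a small Python parser for the FortiGate webfilter log line quoted above (syslog prefix followed by key=value pairs, where quoted values may contain spaces), reduced to the fields that matter when triaging why a site was or was not blocked. The sample line is reconstructed from the post, with the device id left redacted as in the original; the field names are the ones that appear in that line.

```python
import re

# Constructed sample: the webfilter event from the post, shortened to the fields used here.
SAMPLE = (
    '2020-02-14T09:35:04.355876+02:00 192.168.60.2 date=2020-02-14 time=09:35:03 '
    'devname="fortigate" devid="xxx" logid="0315012544" type="utm" subtype="webfilter" '
    'eventtype="urlfilter" level="warning" vd="root" urlfilteridx=1 '
    'urlfilterlist="Auto-webfilter-urlfilter_qka27jppz" policyid=15 sessionid=3770186 '
    'srcip=192.168.60.17 srcport=5247 dstip=93.183.199.243 dstport=443 proto=6 '
    'service="HTTPS" hostname="itc.ua" profile="exclusions" action="blocked" '
    'reqtype="direct" url="https://itc.ua/" urlsource="Local URLfilter Block" '
    'msg="URL was blocked because it is in the URL filter list" crscore=30 crlevel="high"'
)

# key=value where value is either a double-quoted string (backslash escapes allowed)
# or a run of non-space characters; the syslog prefix has no '=' and is skipped.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_fortigate_log(line):
    """Return the key=value fields of one FortiGate log line as a dict, values unquoted."""
    fields = {}
    for key, val in KV_RE.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        fields[key] = val
    return fields

def summarize_webfilter(line):
    """Pick the fields that answer 'why was this blocked/allowed'; None if not a webfilter event."""
    f = parse_fortigate_log(line)
    if f.get("subtype") != "webfilter":
        return None
    return {
        "hostname": f.get("hostname"),
        "service": f.get("service"),
        "dstport": int(f["dstport"]) if "dstport" in f else None,
        "policyid": int(f["policyid"]) if "policyid" in f else None,
        "action": f.get("action"),
        "urlsource": f.get("urlsource"),
        "urlfilterlist": f.get("urlfilterlist"),
    }

def blocked_hosts(lines):
    """Sorted hostnames the web filter reports as blocked across a batch of log lines.
    A site that never appears here at all was not evaluated by the URL filter."""
    hosts = set()
    for line in lines:
        s = summarize_webfilter(line)
        if s and s["action"] == "blocked" and s["hostname"]:
            hosts.add(s["hostname"])
    return sorted(hosts)
```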
#6
Johan Witters
Bronze Member
  • Total Posts : 42
  • Scores: 0
  • Reward points: 0
  • Joined: 2015/06/03 04:06:12
  • Location: Belgium
  • Status: offline
Re: Filter blocks only insecured web sites 2020/02/27 23:44:56 (permalink) Helpful by zigfridus 2020/02/28 01:51:06
0
Hi Zigfridus,
 
Like Dave already stated, your Fortigate will try to inspect the SSL certificate for the CN or ALT names and match that info to your web filter settings. If the info on the certificate does not 100% match with your filter, it will not block/allow the traffic, depending on what you have set. It will not inspect the packets themselves as this is encrypted traffic and cannot be read.
 
The best way to process your traffic is by enabling SSL "deep inspection"; that way the Fortigate can inspect all packets and work on different levels to check and allow/block traffic according to your policies and UTM profiles. It will however require you to buy an official SSL certificate, or to install the self-signed Fortigate certificate on your clients.
 
If you can't or don't want to use deep inspection, you would mainly focus on DNS and web filter to check your traffic.
 
regards,
 
Johan
#7
zigfridus
New Member
  • Total Posts : 5
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/02/11 06:57:46
  • Status: offline
Re: Filter blocks only insecured web sites 2020/02/28 03:22:48 (permalink)
0
Hello
 
I've decided to enable deep inspection and installed Fortigate's self-signed certificate on all PCs.
Tomorrow I'm going to install Fortigate as the main router.
Hope everything will be fine.
 
Thanks everyone for your advice and help.
#8