static url filter does not work when category is blocked

Author
sw2090
2020/04/24 02:31:24 (permalink)

I have this url:
https://scnem2.com/goto.php?l=6zyco3.14kg484,u=ca0e6e8374547cefdd49da232d825666,n=2mt9d.301e22,art_id=2mt9h.9ih9hb
 
scnem2.com is rated in category "information technology" by FortiGuard, which is blocked in webfilter here.
 
I set up a static url filter rule for the url with type exempt.
 
Thus this rule does not match and I get blocked by UTM category.
I don't want to allow this category or set a rating override for the domain. I want my users to be able to open just this one URL.
 
This is all in one webfilter profile that applies to the used policy. I see in the traffic and webfilter logs that the correct profile is used.
Also diag test app urlfilter 3 on the CLI shows no match for this URL unless I unblock or override the category.
 
Is this no longer possible? I remember that this worked in FortiOS before 6.x.
#1

5 Replies

    localhost
    Re: static url filter does not work when category is blocked 2020/04/24 03:41:32 (permalink)
    Are you using Type: Simple and Action: Exempt in the static URL filter?
    #2
    sw2090
    Re: static url filter does not work when category is blocked 2020/04/24 04:13:51 (permalink)
    Yes, that is what I do. I know accept would still trigger the UTM filters, and I use type simple. Even using only part of the URL and making a wildcard rule with that does not work.
     
    #3
    Dave Hall
    Re: static url filter does not work when category is blocked 2020/04/24 08:09:40 (permalink)
    If the FGT is not using full SSL inspection, it will likely only see *.scem2.com. Another thing is that the URL appears to be redirected to the www.loeffler.at domain, so you may need to do an exemption on that URL too. You may want to check how the FGT handles URL redirects.
     

    NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
    #4
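Added example, not part of the thread and not Fortinet code: a simplified Python model of the point made in reply #4, that without full SSL inspection only the host name of an HTTPS request is visible, and that a redirect target is a separate request needing its own exemption. The prefix-matching rule, the function names, the query string and the redirect path are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample data; the query string and the redirect path are made up.
EXEMPT_ENTRIES = ["scnem2.com/goto.php"]  # exempt entry that includes a path
REDIRECT_CHAIN = [
    "https://scnem2.com/goto.php?l=example",
    "https://www.loeffler.at/",
]


def visible_to_filter(url, deep_inspection):
    """Return the part of a request the filter is able to read."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme == "https" and not deep_inspection:
        # Without decryption only the SNI / certificate name is readable.
        return host
    query = "?" + parts.query if parts.query else ""
    return host + (parts.path or "/") + query


def exempt_hit(entries, url, deep_inspection):
    """Assumed rule: an entry matches as a prefix of what is visible."""
    seen = visible_to_filter(url, deep_inspection)
    return next((e for e in entries if seen.startswith(e)), None)


def check_chain(entries, chain, deep_inspection):
    """Each hop of a redirect is a separate request with its own lookup."""
    return [(hop, exempt_hit(entries, hop, deep_inspection)) for hop in chain]


if __name__ == "__main__":
    for deep in (False, True):
        print("deep inspection:", deep)
        for hop, hit in check_chain(EXEMPT_ENTRIES, REDIRECT_CHAIN, deep):
            print("  ", hop, "->", hit or "no exempt match, category rating applies")
```

In this model a path-based exempt entry can only match plain HTTP or decrypted HTTPS, and the second hop never matches until it gets an entry of its own.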
    sw2090
    Re: static url filter does not work when category is blocked 2020/06/02 06:06:44 (permalink)
    Hm, I retested now with a policy that does have full inspection enabled (and with a different URL). The policy is definitely matched and the target of the forward is not blocked by category.
    Still I have the same behaviour even with full inspection enabled:
     
    Even though there is an exempt rule for that URL in the URL filter, it still gets blocked by category. If I set a rating override for it to a category that is in the reputation list in the SSL profile, it does not get blocked any longer.
     
    To me that looks as if deep inspection does not care about webfilter profiles and URL filters and only looks at its own whitelist by category. This is not very satisfying. In times of more and more *censored* tracking and putting everything into some cloud, this will also create a security risk, as you mostly have to whitelist most of the cloud since rating override only works for domains.
     
    I verified that now: as long as there is a URL filter exempt rule in the webfilter profile applied to the policy, the site is accessible if you use http. It is still blocked when you use https, as it is not in a reputable category.
    So it looks to me as if you cannot use any webfilter profiles with https atm. SSL inspection allows filtering by FortiGuard categories only. Filtering specific URLs is obviously impossible atm.
     
    I also opened a TAC ticket for this and another issue connected to it. TAC will do a remote session with me at a yet-to-be-negotiated time and date to have a close look at this.
    post edited by sw2090 - 2020/06/15 05:41:33
    #5
    sw2090
    Re: static url filter does not work when category is blocked 2020/06/30 01:31:34 (permalink)
    To make it even worse: ever since I set a web rating override for scnem2.com to a reputable category in the SSL inspection profile, the site is accessible. It even stays accessible when I remove the rating override.
    Looks like this gets cached somewhere on the FGT. Emptying the browser cache on the client or the webfilter cache on the FGT does not help here.
     
    Additionally, Google does not work in all browsers (except IE) when deep inspection is on. Thus Google starts to work in all other browsers once you have opened it in IE one time.
     
    Even TAC couldn't tell me why those things happen...
     
    #6