Blocking any website that only uses HTTP

Author
Resident1942
New Member
  • Total Posts : 4
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/10/13 20:54:23
  • Status: offline
2020/10/14 02:05:43 (permalink)
0

Blocking any website that only uses HTTP

Hi, I've been trying to block any computers on my network from accessing sites that only use HTTP. Currently I've tried blocking all the HTTP ports (80, 8008, 8080), but somehow it's still going through; does anyone know what I'm doing wrong?
 
I've uploaded the policy I created for this task. 


#1

3 Replies

    Markus
    Expert Member
    • Total Posts : 269
    • Scores: 47
    • Reward points: 0
    • Joined: 2015/03/19 07:30:23
    • Location: Switzerland
    • Status: offline
    Re: Blocking any website that only uses HTTP 2020/10/14 02:09:40 (permalink)
    0
    1) This policy should be ordered to be first in the LAN-to-WAN policy list.
    2) Try in the CLI -> conf firewall policy, edit "policyID", set match-vip enable
    #2
    Yurisk
    Silver Member
    • Total Posts : 110
    • Scores: 22
    • Reward points: 0
    • Joined: 2011/12/04 03:30:01
    • Status: offline
    Re: Blocking any website that only uses HTTP 2020/10/14 02:36:21 (permalink)
    0
    If it is a newer FortiGate OS version you can start with Security Policy Lookup - enter port 80, etc., and see that only your Deny policy is indeed matched.
     
    To really know on what feature/policy this goes out, you'd need to run debug on cli:
     
    # diagn debug flow filter ?  <-- Filter on something specific to the test, say IP address of remote website
    # diag debug flow show function
    # dia deb flow trace start
    # dia deb enable
    #3
    emnoc
    Expert Member
    • Total Posts : 5791
    • Scores: 381
    • Reward points: 0
    • Joined: 2008/03/20 13:30:33
    • Location: AUSTIN TX AREA
    • Status: offline
    Re: Blocking any website that only uses HTTP 2020/10/14 08:06:26 (permalink)
    0
    What I would do is use application control, and with services ports that are not 443.
     
    To find what policies are allowing HTTP, just use diag sys session and the filter
     
    e.g 
     
      diag sys session filter dport 80
      diag sys session list | grep policy_id
     
    Then you can review those policy IDs that are allowing the traffic flows.
     
     
    Ken Felix
     

    PCNSE 
    NSE 
    StrongSwan  
    #4
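As an added example (not part of this thread), a small Python script that performs the grep step from emnoc's reply over a pasted `diag sys session list` dump and tallies, per policy ID, how many live sessions to plain-HTTP ports each policy is passing. The session dump embedded below is constructed and abbreviated, not captured from a real FortiGate, and the line format is assumed from typical session-list output.

```python
import re
from collections import Counter

# Constructed, abbreviated `diag sys session list` output (not from a real FortiGate):
# two port-80 flows passed by policy 3, one port-8080 flow by policy 7, one port-443 flow.
SAMPLE_SESSION_LIST = """\
session info: proto=6 proto_state=01 duration=5 expire=3599 timeout=3600 use=3
hook=post dir=org act=snat 10.0.0.2:51234->203.0.113.5:80(192.0.2.10:51234)
hook=pre dir=reply act=dnat 203.0.113.5:80->192.0.2.10:51234(10.0.0.2:51234)
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0
session info: proto=6 proto_state=01 duration=2 expire=3598 timeout=3600 use=3
hook=post dir=org act=snat 10.0.0.7:40001->198.51.100.9:80(192.0.2.10:40001)
hook=pre dir=reply act=dnat 198.51.100.9:80->192.0.2.10:40001(10.0.0.7:40001)
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0
session info: proto=6 proto_state=01 duration=9 expire=3591 timeout=3600 use=3
hook=post dir=org act=snat 10.0.0.9:50500->203.0.113.77:8080(192.0.2.10:50500)
hook=pre dir=reply act=dnat 203.0.113.77:8080->192.0.2.10:50500(10.0.0.9:50500)
misc=0 policy_id=7 auth_info=0 chk_client_info=0 vd=0
session info: proto=6 proto_state=01 duration=1 expire=3599 timeout=3600 use=3
hook=post dir=org act=snat 10.0.0.2:51300->203.0.113.5:443(192.0.2.10:51300)
hook=pre dir=reply act=dnat 203.0.113.5:443->192.0.2.10:51300(10.0.0.2:51300)
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0
total session 4
"""

PLAIN_HTTP_PORTS = {80, 8008, 8080}  # the ports the original post tried to block

# Original-direction tuple: "dir=org act=<x> src:sport->dst:dport(...)"
_ORG = re.compile(r"dir=org act=\w+ (\S+?):(\d+)->(\S+?):(\d+)")
_POLICY = re.compile(r"policy_id=(\d+)")

def parse_sessions(text):
    """Yield (src, dst, dport, policy_id) for every session block in the dump."""
    for block in text.split("session info:")[1:]:
        org = _ORG.search(block)
        pol = _POLICY.search(block)
        if org and pol:
            yield org.group(1), org.group(3), int(org.group(4)), int(pol.group(1))

def policies_passing_ports(text, ports=PLAIN_HTTP_PORTS):
    """Count, per policy ID, the sessions whose original-direction dst port is in `ports`."""
    counts = Counter()
    for _src, _dst, dport, policy_id in parse_sessions(text):
        if dport in ports:
            counts[policy_id] += 1
    return dict(counts)

if __name__ == "__main__":
    for policy_id, n in sorted(policies_passing_ports(SAMPLE_SESSION_LIST).items()):
        print(f"policy_id={policy_id} passes {n} plain-HTTP session(s): check its order and services")
```

Any policy ID that shows up here but is not the intended Deny policy is the one matching first; that is where to look at ordering and service definitions.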