princes (Staff)
July 28, 2025

Technical Tip: A website may appear blocked but can still be accessed due to CDN-based delivery

Description: This article discusses the challenges of blocking a website that uses a CDN, which allows multiple servers to deliver the same website content.

Scope: FortiGate.

Solution:

Some websites use CDN (content delivery network) services so that content is served from the edge location nearest to the client.

This also means that multiple public servers serve the same website.

Blocking such a website can therefore require additional settings, such as identifying all the redirections it performs. This is especially common when the redirect target is a completely different domain.

ChatGPT is used as the example. The web filter below is intended to block the upload (Attach) option on the ChatGPT page. After the Attach option is selected on chatgpt.com, the browser is redirected to auth.openai.com:

 

[Screenshot: web filter URL entries]

With these filters in place, the redirected host sentinel.openai.com appears as blocked in the web filter logs:

 

[Screenshot: web filter log showing sentinel.openai.com blocked]

However, the website is still accessible, and matching entries can be seen in the IPS debug:

 

[2189@28545]on_client_hello: host name: sentinel.openai.com
[2189@28545]ips_ssl_prepare_urlfilter: sni(verified:1):'sentinel.openai.com' sni_server_ip:0 cn:'openai.com'
[2189@28545]ips_ssl_run_urlfilter: urlfilter matched 'sentinel.openai.com/':action=1 entryid=4 <--- action=1 indicates a block.

 

krypton-kvm19 # diagnose ips filter set 'src 10.162.13.127'   <----- Replace src IP with source machine IP.

krypton-kvm19 # diagnose ips debug enable ssl

krypton-kvm19 # diagnose debug enable

 

With the IPS SSL category debug, the website redirections are easy to identify. After all identified redirections are blocked, the upload action is blocked on ChatGPT:

 

[2189@28633]on_client_hello: host name: auth.openai.com
[2189@28633]ips_ssl_prepare_urlfilter: sni(verified:1):'auth.openai.com' sni_server_ip:0 cn:'auth.openai.com'
[2189@28633]ips_ssl_run_urlfilter: urlfilter matched 'auth.openai.com/':action=1 entryid=3

[2189@28545]on_client_hello: host name: sentinel.openai.com
[2189@28545]ips_ssl_prepare_urlfilter: sni(verified:1):'sentinel.openai.com' sni_server_ip:0 cn:'openai.com'
[2189@28545]ips_ssl_run_urlfilter: urlfilter matched 'sentinel.openai.com/':action=1 entryid=4

[2189@28551]on_client_hello: host name: cdn.openai.com
[2189@28551]ips_ssl_prepare_urlfilter: sni(verified:1):'cdn.openai.com' sni_server_ip:0 cn:'cdn.openai.com'
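The debug output above is what the article tells the reader to inspect by hand: every on_client_hello line names an SNI, and only the hosts that also get an ips_ssl_run_urlfilter line with action=1 are actually blocked (cdn.openai.com, for instance, is seen but hits no entry). The following Python script is an added example, not part of the article or of any Fortinet tooling. It parses lines in this format, reports which SNIs were seen and which were blocked, and prints standard FortiOS webfilter urlfilter CLI for the remaining hosts. The sample lines are copied from the debug output on this page, the meaning of action=1 is taken from the article's own annotation, and the urlfilter ID and entry numbers in the generated CLI are placeholders.

```python
import re
from typing import Dict, List

# Constructed sample input: the IPS SSL debug lines reproduced from the article above.
SAMPLE_DEBUG = """\
[2189@28633]on_client_hello: host name: auth.openai.com
[2189@28633]ips_ssl_prepare_urlfilter: sni(verified:1):'auth.openai.com' sni_server_ip:0 cn:'auth.openai.com'
[2189@28633]ips_ssl_run_urlfilter: urlfilter matched 'auth.openai.com/':action=1 entryid=3
[2189@28545]on_client_hello: host name: sentinel.openai.com
[2189@28545]ips_ssl_prepare_urlfilter: sni(verified:1):'sentinel.openai.com' sni_server_ip:0 cn:'openai.com'
[2189@28545]ips_ssl_run_urlfilter: urlfilter matched 'sentinel.openai.com/':action=1 entryid=4
[2189@28551]on_client_hello: host name: cdn.openai.com
[2189@28551]ips_ssl_prepare_urlfilter: sni(verified:1):'cdn.openai.com' sni_server_ip:0 cn:'cdn.openai.com'
"""

# Line shapes taken from the debug output on this page; the [pid@session] tag ties lines together.
CLIENT_HELLO_RE = re.compile(
    r"^\[(?P<sess>[^\]]+)\]on_client_hello: host name: (?P<host>\S+)")
URLFILTER_RE = re.compile(
    r"^\[(?P<sess>[^\]]+)\]ips_ssl_run_urlfilter: urlfilter matched "
    r"'(?P<url>[^']+)':action=(?P<action>\d+) entryid=(?P<entry>\d+)")

BLOCK_ACTION = 1  # the article's annotation: action=1 in this output means block


def parse_ips_ssl_debug(text: str) -> Dict[str, dict]:
    """Map each SNI seen in on_client_hello to its URL-filter verdict, if any."""
    session_host: Dict[str, str] = {}
    hosts: Dict[str, dict] = {}
    for line in text.splitlines():
        m = CLIENT_HELLO_RE.match(line)
        if m:
            session_host[m["sess"]] = m["host"]
            hosts.setdefault(m["host"], {"matched": False, "action": None, "entryid": None})
            continue
        m = URLFILTER_RE.match(line)
        if m:
            # Fall back to the host part of the matched URL if the client hello was not captured.
            host = session_host.get(m["sess"], m["url"].split("/", 1)[0])
            rec = hosts.setdefault(host, {"matched": False, "action": None, "entryid": None})
            rec.update(matched=True, action=int(m["action"]), entryid=int(m["entry"]))
    return hosts


def unblocked_hosts(hosts: Dict[str, dict]) -> List[str]:
    """Hosts that were seen but hit no blocking URL-filter entry: candidates for the filter list."""
    return sorted(h for h, r in hosts.items() if not r["matched"] or r["action"] != BLOCK_ACTION)


def urlfilter_cli(urlfilter_id: int, hosts: List[str], first_entry_id: int) -> str:
    """Render FortiOS CLI that adds simple block entries for the given hosts.

    urlfilter_id and first_entry_id are placeholders; use values that fit the target unit.
    """
    lines = ["config webfilter urlfilter", f"    edit {urlfilter_id}", "        config entries"]
    for i, host in enumerate(hosts):
        lines += [
            f"            edit {first_entry_id + i}",
            f'                set url "{host}"',
            "                set type simple",
            "                set action block",
            "            next",
        ]
    lines += ["        end", "    next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    seen = parse_ips_ssl_debug(SAMPLE_DEBUG)
    for host, rec in seen.items():
        verdict = f"blocked by entry {rec['entryid']}" if rec["action"] == BLOCK_ACTION else "NOT blocked"
        print(f"{host:<25} {verdict}")
    missing = unblocked_hosts(seen)
    if missing:
        print("\nSuggested URL filter entries (placeholder IDs):")
        print(urlfilter_cli(1, missing, first_entry_id=5))
```

Feed it the output of `diagnose ips debug enable ssl` captured from the unit (with the `diagnose ips filter set 'src ...'` restriction from above so only the test client's sessions appear), and it lists the hosts that still need a URL filter entry. The session tag is used to pair lines because a busy unit interleaves several connections in one debug stream.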

 

In some browsers, if the website is still accessible, check whether it is using QUIC. If so, apply an Application Control profile and block the QUIC protocol.

The QUIC protocol can also be blocked via an option in the SSL/SSH inspection profile:

config firewall ssl-ssh-profile
    edit <profile_name>
        config https
            set quic inspect
        end
end

 

In such cases, it is better to run an IPS debug to identify the website redirections and block them accordingly. Enabling only the SSL category keeps unrelated output out of the IPS debug.

 

Note:

For websites served over a CDN and spread across multiple cross-domain hosts, always run an IPS debug rather than relying on the web filter logs in the GUI.

 

Related article:

Troubleshooting Tip: Collecting IPS engine related debugs