Technical Tip: URL filter type 'Simple' does not perform exact match in flow-based inspection policies
Description
This article describes how a URL filter entry of type 'Simple' is matched when the policy runs in flow-based inspection mode.
Solution
In flow-based inspection, the IPS engine inspects the traffic.
For 'Simple' patterns, the IPS engine uses a rule that performs only partial matching: the pattern can match anywhere inside the URL rather than the whole hostname.
This behavior is by design.
Example 1:
If camel.com is added as type 'Simple' under Static URL Filter, in flow mode the IPS engine will also match URLs in the domain 'camelcamelcamel.com'.
Example 2:
If the Static URL Filter is configured to block a 'simple' type entry 's.id', the website apps.identrust.com will also be blocked, because the string 's.id' occurs inside 'apps.identrust.com'.
Configured as below (closing 'next' and 'end' statements added to complete the excerpt):
# config webfilter urlfilter
    edit 1
        set name "Auto-webfilter-urlfilter_fuajzhlqi"
        # config entries
            edit 27
                set url "s.id" <-----
                set action block <-----
            next
        end
    next
end
Excerpt from the WebFilter log:
date=2021-03-10 time=09:33:58 id=6937940868305257768 itime="2021-03-10 09:33:58" euid=3 epid=6288 dsteuid=3 dstepid=101 logver=604021723 type="utm" subtype="webfilter" level="warning" action="blocked" sessionid=383954196 policyid=55 srcip=10.1.2.3 dstip=192.35.177.64 srcport=51121 dstport=80 proto=6 logid=0315012544 service="HTTP" eventtime=1615365238986150716 urlfilteridx=1 sentbyte=140 rcvdbyte=0 craction=8 crscore=30 crlevel="high" srcintfrole="undefined" dstintfrole="wan" direction="outgoing" reqtype="direct" url="http://apps.identrust.com/roots/dstrootcax3.p7c" urlfilterlist="Auto-webfilter-urlfilter" hostname="apps.identrust.com" profile="BlockingFaultUrls" eventtype="urlfilter" srcintf="npu0_vlink1" dstintf="EXT-VLAN1240" urlsource="Local URLfilter Block" msg="URL was blocked because it is in the URL filter list" tz="+0100" devid="FGxxxxxxxxxxxx" vd="VD-EXTERN" dtime="2021-03-10 09:33:58" itime_t=1615365238 devname="FGT"
To perform an exact match, the following options are available:
1) Switch inspection to proxy mode in the respective policy/VDOM, if possible.
2) Use the 'regex' type for short patterns, for example:
    set url "x.co"
    set type regex
This will cause the engine to do exact matching.
3) Use a 'Wildcard' type entry.
For example (closing 'next' and 'end' statements added to complete the excerpt):
# config webfilter urlfilter
    edit 1
        set name "Auto-webfilter-urlfilter_fuajzhlqi"
        # config entries
            edit 27
                set url "*.s.id" <-----
                set type wildcard <-----
                set action block <-----
            next
        end
    next
end
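Added example, not part of the article and not Fortinet code: a small Python script that emulates the three entry types against the hostnames used above and parses the FortiGate key=value log format, so a blocked hostname in the WebFilter log can be traced back to the entry that caused it. The substring rule for 'simple' follows the flow-mode behavior the article describes; the glob semantics for 'wildcard' and the unanchored-search semantics for 'regex' are assumptions of this script, not documented FortiOS behavior. The log line is a constructed sample trimmed from the excerpt above.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample: trimmed from the article's WebFilter log excerpt.
SAMPLE_LOG = (
    'date=2021-03-10 time=09:33:58 type="utm" subtype="webfilter" level="warning" '
    'action="blocked" policyid=55 srcip=10.1.2.3 dstip=192.35.177.64 '
    'url="http://apps.identrust.com/roots/dstrootcax3.p7c" '
    'urlfilterlist="Auto-webfilter-urlfilter" hostname="apps.identrust.com" '
    'msg="URL was blocked because it is in the URL filter list"'
)

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line):
    """Parse a FortiGate key=value log line into a dict, stripping the quotes."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def simple_match(pattern, hostname):
    """'Simple' entry in flow mode as the article describes it: partial
    (substring) matching, so the pattern may hit anywhere in the hostname."""
    return pattern in hostname


def wildcard_match(pattern, hostname):
    """'Wildcard' entry emulated with glob semantics (assumption, not a
    statement about the FortiOS engine): '*' matches any run of characters."""
    return fnmatchcase(hostname, pattern)


def regex_match(pattern, hostname):
    """'Regex' entry emulated as an unanchored search (assumption)."""
    # An unescaped '.' matches any character, so the pattern s.id still hits
    # apps.identrust.com; escaping and anchoring (^s\.id$) is what makes it exact.
    return re.search(pattern, hostname) is not None


MATCHERS = {"simple": simple_match, "wildcard": wildcard_match, "regex": regex_match}


def matching_entries(log_line, entries):
    """Given a log line and a list of (url, type) tuples modelled on the
    'config entries' table, return the URL patterns that match the logged hostname."""
    hostname = parse_fortigate_log(log_line)["hostname"]
    return [url for url, kind in entries if MATCHERS[kind](url, hostname)]


if __name__ == "__main__":
    entries = [("s.id", "simple"), ("*.s.id", "wildcard"), (r"^s\.id$", "regex")]
    # Only the 'simple' entry explains the block of apps.identrust.com.
    print(matching_entries(SAMPLE_LOG, entries))
```

Running the script shows that of the three entries only the 'simple' one matches apps.identrust.com, while the wildcard form '*.s.id' from option 3 does not; it also shows that a regex entry only becomes exact once its dot is escaped and the pattern is anchored, which is worth checking before relying on option 2.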
Note that the Fortinet Technical Support department does not offer technical assistance with regex configuration.
Related Articles
Technical Tip: Technical support on customization on various Fortinet products