Skip to main content
vifi
Staff
vifi
Staff
December 19, 2024

Technical Tip: Websites of a specific category in Web Filter are not getting blocked in Google Chrome, despite the category is blocked

  • December 19, 2024
  • 0 replies
  • 2312 views
Description This article describes how to work around the issue when some websites of a specific category in Web Filter are not getting blocked in Google Chrome, despite the category being blocked in Web Filter.
Scope FortiGate v7.2.
Solution

The website is categorized correctly by checking in: Web filter lookup.

Using static URLs to block this website or using web rating override to override this website to another one will not help.

In the forward logs is seen that this website is related to CloudFlare.

 

eventtime=1729788324734273772 tz="-0700" logid="0317013312" type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="root" policyid=14 poluuid="062105c8-919c-51ef-c75a-250268491a04" policytype="policy" sessionid=1327 srcip=10.1.10.1 srcport=56430 srccountry="Reserved" srcintf="port2" srcintfrole="undefined" srcuuid="fb73f05a-919a-51ef-6819-878047fdfc5f" dstip=172.67.223.251 dstport=443 dstcountry="United States" dstintf="port1" dstintfrole="undefined" dstuuid="fb73f05a-919a-51ef-6819-878047fdfc5f" proto=6 service="HTTPS" hostname="cloudflare-ech.com" profile="webfilter_profile" action="passthrough" reqtype="direct" url="https://cloudflare-ech.com/" sentbyte=1952 rcvdbyte=0 direction="outgoing" msg="URL belongs to an allowed category in policy" ratemethod="domain" cat=52 catdesc="Information Technology"

 

In this example the customer tries to ingress to youperv.comIn this example the customer tries to ingress to youperv.com

 

CloudFlare DNS may use the same IP addresses for different domains. This is completely normal and part of how reverse proxy and CDN (Content Delivery Network) services work.

 

CloudFlare acts as an intermediary between visitors and the websites’ actual servers (origin). When a domain uses CloudFlare, its public IP address is one of CloudFlare’s IP addresses, not the actual IP address of the website’s server. This is why blocking only the IP address can block other websites hosted on CloudFlare's DNS.

 

For example:

The IP addresses 141.193.213.20 and 141.193.213.21 also hosted the FQDNs are 'www.tradingtechnologies.com' and 'www.integreon.com'.

 â€ƒ

Legit traffic to 'www.integreon.comwas blocked because the FQDN is 'www.tradingtechnologies.com' was included in a deny address group, which is listed in a deny Firewall policy

 

Screenshot (9).png

 

Screenshot2 (2).png

 

Workaround:

  1. Use deep inspection in firewall policy, or:
  2. Block CloudFlare in Web Filter Profile with a static URL.

 

CLI:


config webfilter urlfilter
    config entries
        edit 1

            set url "*cloudflare*"
            set type wildcard
            set action block
        next
end

 

GUI:

Screenshot 2024-12-19 182653.png

 

Related article: 

Technical Tip: How to block TLS 1.3 Encrypted Client Hello (ECH) in FortiGate firewalls
    Terms & ConditionsAccessibility statement