Resident1942
New Member
October 14, 2020
Question

Blocking any website that only uses HTTP

  • October 14, 2020
  • 1 reply
  • 5792 views

Hi, I've been trying to block any computers on my network from accessing sites that only use HTTP. Currently I've tried blocking all the HTTP ports (80, 8008, 8080) but somehow it's still going through; does anyone know what I'm doing wrong?

I've uploaded the policy I created for this task.

    1 reply

    Markus
    New Member
    October 14, 2020

    1) This policy should be ordered first in the LAN-to-WAN policy list.

    2) Try this in the CLI:

        config firewall policy
            edit <policyID>
                set match-vip enable
            next
        end
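    As an added example (not Markus's own configuration, and not a Fortinet-supplied one): the FortiOS CLI for a deny policy that covers the three ports the question lists, has match-vip enabled so it also catches traffic headed for a VIP, and is moved to the top of the sequence. The interface names ("internal", "wan1"), the service and policy names, the policy ID 100, and the assumption that policy 1 is currently first are all illustrative.

    ```text
    config firewall service custom
        edit "HTTP-plain"
            set tcp-portrange 80 8008 8080
        next
    end

    config firewall policy
        edit 100
            set name "deny-plain-http"
            set srcintf "internal"
            set dstintf "wan1"
            set srcaddr "all"
            set dstaddr "all"
            set action deny
            set schedule "always"
            set service "HTTP-plain"
            set match-vip enable
            set logtraffic all
        next
        move 100 before 1
    end
    ```

    Two caveats a practitioner would check before concluding the policy "doesn't work": sessions that were already established keep the policy they originally matched until they expire, so a freshly added deny only affects new connections (diagnose sys session clear flushes them, at the cost of dropping every session on the box); and a port-based service only matches those three ports, so HTTP served on any other port still passes, which is what the application-control suggestion further down addresses.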

    Yurisk
    SuperUser
    October 14, 2020

    If it is a newer Fortigate OS version you can start with Security Policy Lookup - enter port 80 etc and see that only your Deny policy is indeed matched.

    To really know which feature/policy this goes out on, you'd need to run debug on the CLI:

    # diagnose debug flow filter addr <remote-website-ip>   <-- filter on something specific to the test, e.g. the IP address of the remote website ("diagnose debug flow filter ?" lists the available filter options)

    # diagnose debug flow show function-name enable

    # diagnose debug flow trace start 100   <-- trace the next 100 matching packets

    # diagnose debug enable

    # diagnose debug disable   <-- run this (and "diagnose debug flow trace stop") when you are finished

    emnoc
    New Member
    October 14, 2020

    What I would do is use application control, along with services for ports that are not 443.

    To find which policies are allowing HTTP, just use diag sys session with a filter,

    e.g.

      diagnose sys session filter clear
      diagnose sys session filter dport 80
      diagnose sys session list | grep policy_id

    Then you can review the policy IDs that are allowing the traffic flows.

    Ken Felix
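The session-list approach above, as an added example that is not part of the thread: a small POSIX shell script that tallies sessions per policy ID for one destination port, so the output of diagnose sys session list (pasted into a file on a workstation) can be reviewed in one pass instead of eyeballing grep policy_id. The sample session dump is constructed for this example; the line shapes (hook=/dir=/act=, policy_id=) follow the FortiOS format, but every address, port and policy ID in it is made up.

```shell
#!/bin/sh
# Added example, not from the forum thread: count FortiGate sessions per
# policy ID for a given destination port, parsed from the text output of
# "diagnose sys session list". The sample below is CONSTRUCTED to mimic
# that output; addresses and policy IDs are invented for illustration.

SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
session info: proto=6 proto_state=01 duration=5 expire=3595 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
hook=post dir=org act=snat 192.168.1.10:51234->198.51.100.20:80(203.0.113.5:51234)
hook=pre dir=reply act=dnat 198.51.100.20:80->203.0.113.5:51234(192.168.1.10:51234)
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0
session info: proto=6 proto_state=01 duration=12 expire=3588 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
hook=post dir=org act=snat 192.168.1.11:51240->198.51.100.21:443(203.0.113.5:51240)
hook=pre dir=reply act=dnat 198.51.100.21:443->203.0.113.5:51240(192.168.1.11:51240)
misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0
session info: proto=6 proto_state=01 duration=3 expire=3597 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
hook=post dir=org act=snat 192.168.1.12:51250->198.51.100.22:8080(203.0.113.5:51250)
hook=pre dir=reply act=dnat 198.51.100.22:8080->203.0.113.5:51250(192.168.1.12:51250)
misc=0 policy_id=5 auth_info=0 chk_client_info=0 vd=0
session info: proto=6 proto_state=01 duration=1 expire=3599 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
hook=post dir=org act=snat 192.168.1.13:51260->198.51.100.23:80(203.0.113.5:51260)
hook=pre dir=reply act=dnat 198.51.100.23:80->203.0.113.5:51260(192.168.1.13:51260)
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0
total session 4
EOF

# sessions_by_policy FILE DPORT
# Prints one line per policy ID that carried a session to DPORT:
#   policy_id=<id> <session count>
# Each session block starts with "session info:"; the original-direction
# line (dir=org) carries "src:sport->dst:dport(...)", and the policy that
# matched the session appears later in the block as "policy_id=N".
sessions_by_policy() {
    awk -v port="$2" '
        /^session info:/ { hit = 0 }            # new session block, reset
        /dir=org/ {
            # pull "->dst:dport" out of the original-direction tuple
            if (match($0, /->[0-9.]+:[0-9]+/)) {
                pair = substr($0, RSTART + 2, RLENGTH - 2)
                split(pair, a, ":")
                if (a[2] == port) hit = 1
            }
        }
        /policy_id=/ && hit {
            match($0, /policy_id=[0-9]+/)
            id = substr($0, RSTART + 10, RLENGTH - 10)
            count[id]++
        }
        END { for (id in count) print "policy_id=" id " " count[id] }
    ' "$1" | sort -t= -k2 -n
}

# Run it for the ports the question tried to block.
for p in 80 8008 8080; do
    echo "dport $p:"
    sessions_by_policy "$SAMPLE" "$p"
done
```

Run against a real dump, the script is typed once per port you expect to be denied; any policy_id that shows up for those ports is a policy that still permits the traffic, and its position relative to the deny policy is the first thing to check. Note that the script only sees sessions that exist at the moment the list was captured, so generate some test traffic before dumping.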