Skip to main content
sistemi
sistemi
New Member
March 8, 2018
Question

Deny incoming connection to a specific Url

  • March 8, 2018
  • 2 replies
  • 14445 views

Hi,

i need help to configure a block to incoming connection to a specific url website in my infrastructure:

actually i've an IIS server published with a vip_rule in firewall policy.

WAN --> serverLAn - source:all dest:vip_ipaddress protocol:80/443 ALLOW

 

In this webserver, inside my LAN, i've 20 different sites (are all on the same ip address, because the "binding" is setting up on IIS level and work correctly) and i need to filter access to a specific site (http:\\site1.mysite.com) blocking all traffic except 2 ip addresses.

 

example: (in my mind )

 

WAN -->serverLan - source:(group ip) dest:Http:\\site1.mysite.com  protocol:80/443 ALLOW

WAN -->serverLan - source:all dest:Http:\\site1.mysite.com  protocol:80/443 DENY

2 rule because one block all traffic and the other to allow only my autorizhed ip.

I've tried but, without success.

 

All others sites of my iis server instead is opened to all inbound traffic without any filter.

 

Any suggestion for this problem?

Thanks in advance

Matteo

    2 replies

    Markus
    Markus
    New Member
    March 8, 2018

    Hi Matteo Welcome to the forum.

     

    In my opinion this should work, but you have to consider some stuff.

    1) Policy Order: Fortigate (and all other FW) "reads" the policies top down. If a policy hits, no further rules are processed. So you have to put Wan-->ServerLan-->All-->Vip-->http/https after the "more restricted" policies.

    2) About encryptet Traffic: Not quite sure how the FGT process URL destinations with https. Maybe you have to inspect SSL for that. So first policy is allowing the specific IPs to site1... Second is deny to site1... maybe with SSL Inspection

    Third is the allow any

     

    Best, Markus

    sistemi
    sistemiAuthor
    New Member
    March 9, 2018

    Hi Markus,

    and thanks for reply.

    In my post i've put in order my rules, first the rule with the filter and after the rule with "all".

    Anyway my problem is to set correctly the rules. I not understand what the metod to filter to specific internal url.

    Create a fqdn? Does not work for me because i've blocked all sites binding to same vip_ip. i need to block (or filter) only one.

    what you mean with ssl inspection? help me to configure it.

     

    EMES
    EMES
    New Member
    March 9, 2018

    What if you create web filter profiles? You can create customer categorys, enter all the sites you want to allow in one category, then the one you want to limit in another. Your first policy gets the web filter profile with both custom categories allowed(or just the one you want to limit), then the second policy has another web filter profile with the custom category with all the other sites allowed. Since you have the source IP set in the first policy then this should work for you.

    anelis
    anelis
    New Member
    March 12, 2018

    Seems a bit tricky. If you have web-filtering in your licence you can try with a web-filtering profile where you specify in a custom denied category your domains that you don't wish to deny.

     

    Keep in mind that it should work in HTTP but not in HTTPS without deep-inspection enabled. Since it is traffic towards your own server it shouldn't be to hard to get the server's certificate and enable deep-inspection on that flow.

     

    A Layer 3 policy won't work without a change in your design.

    Terms & ConditionsAccessibility statement