Ambush4261
Explorer
February 6, 2024
Solved

Facebook blocked and not blocked with same policy

  • February 6, 2024
  • 7 replies
  • 11418 views

Hello,

I have a mystery on a Fortigate.

I have a security group that blocks Facebook using application control and web filter categories.

My users told me that they can still use Facebook. I checked the log and I see that most of the traffic linked to Facebook is blocked, but I have some lines with allowed traffic to Facebook using the same firewall policy. It's unbelievable: my own rule which blocks Facebook is also allowing it.

How is this possible?


Best answer by fricci_FTNT

Proxy mode can be a workaround for now.
Flow-based inspection uses hardware acceleration (where available; it depends on the model), while proxy-inspected traffic goes through the FortiGate main CPU.
Using proxy mode is more CPU intensive but in normal conditions should be fine; it actually depends on the traffic running through the FortiGate. Please keep an eye on the CPU (get sys performance status).

Here you can find some more details about Flow/Proxy inspection: https://docs.fortinet.com/document/fortigate/7.4.2/administration-guide/721410/inspection-modes

Best regards,

7 replies

adambomb1219
SuperUser
February 6, 2024

What does your rule actually look like?  Are you using Application Control?  ISDB?  Something else?  Also why would you block Facebook on a guest network?

Ambush4261
Explorer
February 6, 2024

Hi,

I'm using a firewall policy, flow-based, which uses a "security profile group" which uses "web filter" and "application control".

I block the social media category in the application control profile and also in the web filter profile.

AEK
SuperUser
February 6, 2024

Hello

SSL deep inspection is required to recognize most Facebook traffic.

Try one of the below:

  • Either enable deep inspection
  • Or you can always try filtering by ISDB
AEK
Ambush4261
Explorer
February 6, 2024

I am using "certificate inspection", not the deep one, because of the complexity of deploying the router certificate on the users' smartphones.

What do you mean by ISDB, the categories in the FortiGate?

AEK
SuperUser
February 6, 2024

Create a "deny" policy and add the related fb services as destination.

Please see the below guide:

https://docs.fortinet.com/document/fortigate/6.2.15/cookbook/179236/using-internet-service-in-policy

AEK
Ambush4261
Explorer
February 6, 2024

Okay, well understood. I will try with the new rule and the FB-related service, good idea.

Thanks for support!

Ambush4261
Explorer
February 6, 2024

Just tested with the ISDB; it blocks some of the traffic but a lot is not blocked.


AEK
SuperUser
February 6, 2024

Are you using policy based mode? (check in System > Setting)

Can you also check the ISDB signatures date? (check in System > FortiGuard)

AEK
Ambush4261
Explorer
February 8, 2024

I switched to "proxy-based" and it seems to work much better; 99% of the traffic I want to block is really blocked now.

What's the impact of setting a firewall policy to proxy-based instead of flow-based? Will it load the firewall CPU?

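A worked FortiOS CLI configuration combining the two suggestions in this thread (AEK's ISDB deny policy with Facebook services as destination, and the proxy-based inspection mode the OP switched to and fricci_FTNT comments on), added here as an example; it is not taken from the original posts or from Fortinet's documentation. It assumes a profile-based (not policy-based) NGFW mode, FortiOS 7.x CLI syntax, interface names guest/wan1, the default certificate-inspection SSL profile, and placeholder names for the profile group, the web filter and application control profiles, and the policy IDs.

```fortios
# Added example, not from the thread. Names, IDs and interfaces are placeholders.
# 1. Profile group the guest policy references: web filter + app control
#    (the thread's "security profile group"), with certificate inspection only.
config firewall profile-group
    edit "Guest-Block-Social"
        set webfilter-profile "guest-block-social-web"
        set application-list "guest-block-social-app"
        set ssl-ssh-profile "certificate-inspection"
    next
end
# 2. Deny policy using ISDB entries as the destination (AEK's suggestion).
#    ISDB objects carry their own IP ranges and ports, so no dstaddr/service.
config firewall policy
    edit 20
        set name "Guest-Deny-Facebook-ISDB"
        set srcintf "guest"
        set dstintf "wan1"
        set srcaddr "all"
        set internet-service enable
        set internet-service-name "Facebook-Web" "Facebook-Other"
        set action deny
        set schedule "always"
        set logtraffic all
    next
    # 3. Existing guest allow policy (ID 10 assumed), switched to proxy-based
    #    inspection as the OP did; the profile group still runs on allowed sessions.
    edit 10
        set name "Guest-Allow-Internet"
        set srcintf "guest"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set action accept
        set schedule "always"
        set nat enable
        set inspection-mode proxy
        set utm-status enable
        set profile-type group
        set profile-group "Guest-Block-Social"
        set logtraffic all
    next
    # Policies match top-down: the deny must sit above the allow.
    move 20 before 10
end
# 4. Watch CPU after the change (proxy inspection runs on the main CPU).
get system performance status
```

With certificate inspection only, the web filter and application control profiles see the SNI/certificate name but not the request contents, so the ISDB deny above the allow policy is what catches sessions the profiles miss; check the traffic log for the deny policy ID to confirm which sessions it now takes.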