Intermittently blocked by application filter
Hi,
I've got a site that's being blocked by the student policy
(yearbookavenue.jostens.com 192.189.112.187). It's a big single page web
app type site that makes a lot of xml http requests. Students can visit
the site just fine, but when students go to save their progress on the
site it makes a POST request to yearbookavenue.jostens.com/savestuff or
whatever and this will work fine on my machine when I'm hitting the
Staff policy, but produces an error when on a student account on a Chromebook.
Looking in the firewall logs I can see that the IP address
192.189.112.197 is allowed when the "Application Name" is HTTPS.BROWSER but blocked when it's SSL. I've
allowed the site in web filter but it seems like it's still being
blocked at the application level somehow, like the SPA is producing a
different application signature. To make things trickier, sometimes traffic to that site produces HTTPS.BROWSER when students access it, allowing them to save, but other times it produces SSL traffic and it's blocked.
I've tried adding an application signature:

    config application custom
        edit "yearbookavenue"
            set comment "yearbookavenue.jostens.com signature"
            set signature "F-SBID( --attack_id 6694; --name Allow.YearbookAvenue.jostens.com; --pattern yearbookavenue.jostens.com; --service SSL; --protocol tcp; --no_case; --app_cat 32; )"
            set category 32
        next
    end

This is my first time writing one and I'm kind of confused as to how it works, and I've also failed to apply it to the student application policy.
I'm therefore kind of stuck on how to allow yearbookavenue.jostens.com
on the FortiGate. I've included a screenshot that can show you what I'm
talking about a little better. I filtered only destination
192.189.112.187 and you can see that SSL is getting denied and
HTTPS.BROWSER is allowed.
Thanks,
Jordan
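
An added example, not part of the original post: a small Python script that tallies application-control verdicts per detected application for one destination IP, which makes the HTTPS.BROWSER-allowed / SSL-blocked split described above visible from exported log text. The log lines are constructed, and the key=value field names (`subtype`, `dstip`, `app`, `action`) are assumed to match the exported log format.

```python
import re
from collections import defaultdict

# Constructed sample lines (not taken from the poster's firewall).
# Assumption: exported logs use key=value pairs with these field names.
SAMPLE_LOG = """\
date=2024-01-10 time=09:00:01 type="utm" subtype="app-ctrl" srcip=10.1.1.20 dstip=192.189.112.187 dstport=443 app="HTTPS.BROWSER" action="pass" applist="student"
date=2024-01-10 time=09:00:07 type="utm" subtype="app-ctrl" srcip=10.1.1.20 dstip=192.189.112.187 dstport=443 app="SSL" action="block" applist="student"
date=2024-01-10 time=09:01:12 type="utm" subtype="app-ctrl" srcip=10.1.1.31 dstip=192.189.112.187 dstport=443 app="HTTPS.BROWSER" action="pass" applist="student"
date=2024-01-10 time=09:01:15 type="utm" subtype="app-ctrl" srcip=10.1.1.31 dstip=192.189.112.187 dstport=443 app="SSL" action="block" applist="student"
date=2024-01-10 time=09:02:00 type="utm" subtype="app-ctrl" srcip=10.1.1.31 dstip=198.51.100.7 dstport=443 app="SSL" action="pass" applist="student"
"""

# key=value where the value is either a quoted string or a bare token
PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes."""
    return {key: value.strip('"') for key, value in PAIR.findall(line)}


def verdicts_by_app(log_text, dstip):
    """Return {application name: {action: count}} for one destination IP."""
    table = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("subtype") != "app-ctrl" or rec.get("dstip") != dstip:
            continue
        table[rec.get("app", "?")][rec.get("action", "?")] += 1
    return {app: dict(actions) for app, actions in table.items()}


def never_passed(table):
    """Applications that were seen for this destination but never allowed."""
    return sorted(app for app, actions in table.items() if "pass" not in actions)


if __name__ == "__main__":
    result = verdicts_by_app(SAMPLE_LOG, "192.189.112.187")
    for app, actions in sorted(result.items()):
        print(f"{app:15} {actions}")
    print("never allowed:", never_passed(result))
```

Running it against a real export also shows which application list (`applist`) produced each verdict if that field is added to the tally key.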