Skip to main content
Fingolfin
Fingolfin
New Member
February 7, 2017
Question

Strange hostname in logs bypassing webfilter profile

  • February 7, 2017
  • 1 reply
  • 8609 views

Hello everyone,

I need your help because I lack some knowledge in firewall security. I use a Fortigate 1500D and I need some help to understand the following logs.

As you'll see, 172.24.110.135 is watching a video on mareplaytv.fr. I put this url in a forbidden black list but it didn't change anything. I had to block mareplaytv pattern in the web content filter but I don't want to do this for each web filter profile.

It looks like to me that mareplaytv is not web filtered because the user is going throug these strange hostnames that belong to allowed categories. That's were I'm lacking some knowledge: what are these hostnames? How the user is doing this? How can I block it?

Thanks in advance for your answers

 

Feb  7 16:11:10 date=2017-02-07 subtype=webfilter eventtype=ftgd_allow level=notice srcip=172.24.110.135 srcport=65120 dstip=212.129.7.87 dstport=80proto=6 service=HTTP hostname="engine.espace.qosmik.com" profile="CAMPUS" action=passthrough reqtype=direct url="/diffusion/?psid=52&retour=1320&TS=1486480270625&random=902766993&url=http%3A%2F%2Fwww.mareplaytv.com%2Fvideo%2Fles-anges-9-bac" sentbyte=22271 rcvdbyte=35876 direction=N/A msg="URL belongs to an allowed category in policy" method=domain cat=17 catdesc="Advertising" Feb  7 16:11:10 date=2017-02-07 type=utm subtype=webfilter eventtype=ftgd _allow level=notice user="" srcip=172.24.110.135 srcport=65299 dstip=176.31.226.106 dstport=80  proto=6 service=HTTP hostname="pub7.media-clic.com" profile="CAMPUS" action=passthrough reqtype=direct url="/www/delivery/lg.php?bannerid=8146&campaigni   d=834&zoneid=28600&loc=1&referer=http%3A%2F%2Fwww.mareplaytv.com%2Fvideo%2Fles-ange" sentbyte=822 rcvdbyte=0 direction=N/A msg="URL belongs to an allowed category in policy" method=domain cat=52 catdesc="Information Technology"

Fingolfin

    1 reply

    NeilG
    NeilG
    New Member
    February 8, 2017

    At first glance the user is not trying to bypass its that this content is being served up through whatever Advertisement provider qosmik.com is using, in this case pub7.media-clic.com

     

     

    That site is showing as "Information Technology" when you check the url at Fortiguard.com:

    http://beta.fortiguard.com/webfilter?q=pub7.media-clic.com

     

    (I used Beta as the normal webpage was having issues)

     

    So what is your status for advertising sites AND do you have the web filter policy set to:

    * Block HTTP redirects by rating

    * Rate Images by URL

     

    Note: Be very careful with the option for blocking by IP and domain - most of the time that will have results you don't expect so probably best to not touch that setting.

     

    I hope this helps.

     

    -Neil

    Fingolfin
    FingolfinAuthor
    New Member
    February 9, 2017

    Thanks for your answer.

    Advertising is allowed (users need it).

    And I see that "Block HTTP redirects by rating" and "Rate Images by URL" are available when proxy mode is active but I'm doing flow-based web filtering.

    Terms & ConditionsAccessibility statement