Web Filter still allowing traffic?

Forum|Forum|5 years ago
February 18, 2021
1 reply
5219 views

I have a webfilter active with some URL's

URL Type Action Status

*.123.domain1.com Wildcard Allow Enable

*.123.domain2.com Wildcard Allow Enable

*.123.domain3.com Wildcard Allow Enable

*.* Wildcard Block Enable

If i do a telnet> telnet www.xyzdomain.com 443

In my opinion this should be blocked, but it shows:

HTTP/1.1 400 Bad Request

Server: nginx/1.17.7

Date: Thu, 18 Feb 2021 14:19:24 GMT

Content-Type: text/html

Content-Length: 157

Connection: close

<html> <head><title>400 Bad Request</title></head>

<body>

<center><h1>400 Bad Request</h1></center>

<hr><center>nginx/1.17.7</center>

</body>

</html>

Does this expose a security risk for PC contacting a Malware site.

Regards,

Henk

Yurisk

SuperUser

Your test is not good for this - URL Filtering looks at URLs in a valid browser<->web server connection, your telnet session cannot emulate this and will be closed (as you see in the output) by the web server as invalid. To verify, try browse to the domain.

Also make sure you don't have other rules that would allow outbound access to port 443 without Web Filtering applied.

Bold_EagleAuthor

New Member

Hello Yurisk,

Yurisk wrote:
Your test is not good for this - URL Filtering looks at URLs in a valid browser<->web server connection, your telnet session cannot emulate this and will be closed (as you see in the output) by the web server as invalid. To verify, try
browse to the domain.

Bold Eagle:
I know, but what if my system was infected with malware, and the website has code injected for this malware and will react on the malware request, then it is still not blocked by the Fortigate Webfilter. Or is this technically impossible?

Also make sure you don't have other rules that would allow outbound access to port 443 without Web Filtering applied.

Bold Eagle: no other rules with port 443 exist.

Yurisk

SuperUser

BTW The last rule in your URL FIlter should have action Block not Allow which makes URL filter to permit Any website.

Regarding the broader question of how to prevent potentially present in LAN malware to contact outside world, it is too broad of a question as this depends on malware, whether you are using Deep SSL inspection, whether you are using AppControl in addition to URL filtering. Or on a totally different side - are you using host based measures like EDR/Endpoint Protection?

You should formulate for yourself exact threats you are trying to prevent and do analysis of existing state of your security controls, then you will be able to answer "given this threat with these security measures already in place, what are chances of stopping this malware and what can be done to better those chances?".

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded