Ashie
New Member
July 24, 2014
Question

Web filtering once connected through SSL VPN

  • July 24, 2014
  • 8 replies
  • 10229 views
Hi, the issue is as follows. User accounts authenticate with LDAP. Once connected to the VPN there is a policy which allows users to browse the internet. The policies work 100%, but the problem is that web filtering does not filter blocked sites. I have blocked the social networking category and Windows Updates, but when users browse through the VPN this is not blocked. The same web filter is used when connecting to the local LAN, and social networking and Windows Updates are blocked there. Is there anything I'm overlooking? Below is an example of the logs - win updates allowed

    8 replies

    AtiT
    New Member
    July 24, 2014
    Hello, Could you please tell us what FortiGate unit you are using and the firmware version? Do you have HTTPS (SSL) scanning enabled?
    emnoc
    New Member
    July 24, 2014
    How are you applying the webfilter, and for the SSLVPN interface? I have a policy that lets my sslvpn user turn around and "nat" back out. You can apply the security profile with the selected UTM on the firewall policy that allows for this. Make sure you double and triple check your policy ordering, and whether you have multiple policies.
    Nihas
    New Member
    July 25, 2014
    1. You cannot block Windows Update through WEB FILTER. You have to use APPLICATION CONTROL to block it. And you might have missed applying the Application Filter in the SSL policy for internet. 2. I believe you already disabled split tunneling in SSL..! If you are using SPLIT tunneling you cannot block the websites, because the requests will also pass through your local gateway.
    emnoc
    New Member
    July 25, 2014
    Good catch for #2: if your split-tunnel is working, then your security profiles will not match routes offered up by split tunneling. Do a traceroute to the websites that are not being blocked. Do they pass through the FGT? You can diagnose the url filter via the following command: diag debug application urlfilter 2
    Ashie (Author)
    New Member
    July 25, 2014
    @AtiT The FortiGate unit is a 1240B and runs v5.2.0. Where do I enable SSL scanning in the policy for incoming port ssl.root? See below my policy: @emnoc The policy is working according to order, as users at the bottom policy are using the rule set for them. I've checked the logs and this all shows in there. @Nihas You are correct in saying so. I've checked now and see app control is not applied. I will implement that as soon as I get approval from change control. Split tunneling is disabled.
    Nihas
    New Member
    July 25, 2014
    Okay. What about the web filter (the websites which you blocked through the "COMPANY_USERS" profile)? Are the users still able to access the blocked pages?
    Ashie (Author)
    New Member
    July 30, 2014
    @Nihas - yes, these users are still able to access blocked pages.
    Nihas
    New Member
    August 7, 2014
    Hi Ashie, did you cross-check that Split Tunneling is "Disabled"? If the policy is working inside the office and the same is not happening through the VPN, it doesn't look like an issue with the web filtering.
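For reference, here is how the checks raised in this thread (split tunneling off, the web filter and application control profiles applied on the ssl.root egress policy, and the urlfilter debug) look in the FortiOS CLI. This is an added example, not configuration from the original poster; the portal name, WAN interface, user group, application-control profile name and policy ID are assumptions, while "ssl.root" and "COMPANY_USERS" come from the thread.

```fortios
# 1. Confirm the portal assigned to the LDAP users has split tunneling off,
#    so all client traffic (including browsing) transits the FortiGate.
config vpn ssl web portal
    edit "full-access"                 # portal name: assumption
        set split-tunneling disable
    next
end

# 2. Egress policy from the SSL VPN interface. Without utm-status and the
#    profiles set here, traffic from ssl.root is allowed but never inspected,
#    even though the same profile blocks these sites on the LAN policy.
config firewall policy
    edit 0                             # policy ID: assumption (0 = next free)
        set srcintf "ssl.root"
        set dstintf "wan1"             # WAN interface: assumption
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "ldap-vpn-users"    # LDAP user group: assumption
        set nat enable
        set utm-status enable
        set webfilter-profile "COMPANY_USERS"
        set application-list "block-windows-update"   # app control profile: assumption
        set ssl-ssh-profile "certificate-inspection"  # needed for HTTPS sites
        set logtraffic all
    next
end

# 3. Watch the URL filter decisions in real time while a VPN user browses a
#    site that should be blocked (run from the CLI, then disable afterwards).
diagnose debug application urlfilter 2
diagnose debug enable
# ... reproduce the browsing from a VPN client ...
diagnose debug disable
diagnose debug application urlfilter 0
```

If the debug output shows no events for the VPN client's tunnel address, the request is not reaching the web filter at all (routing or policy match), which points away from the profile itself, as the last reply suggests.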