Cybersecurity Forum


weipyang
New Contributor

How to configure to block github upload?

[Screenshots: cert, app control, policytest]

My configuration is as shown above, but there are problems with the upload and download of github. What should I do?

------------------------------
weiping [LastName] [Designation]
network engineer
[CompanyName]
[City] [State]
[Phone]
------------------------------
weipyang

Hi,
The following is the information about the capture of the uploaded file.

FortiGate-VM # diagnose sniffer packet any "src host 172.16.3.198"
interfaces=[any]
filters=[src host 172.16.3.198]
36.885002 arp who-has 172.16.3.190 tell 172.16.3.198
36.885285 172.16.3.198.51015 -> 114.114.114.114.53: udp 28
36.935006 172.16.3.198.49976 -> 52.74.223.119.443: syn 1137147361
36.988434 172.16.3.198.49976 -> 52.74.223.119.443: ack 195050056
36.998683 172.16.3.198.49976 -> 52.74.223.119.443: psh 1137147362 ack 195050056
37.057631 172.16.3.198.49976 -> 52.74.223.119.443: ack 195052928
37.058400 172.16.3.198.49976 -> 52.74.223.119.443: psh 1137147879 ack 195053692
37.058550 172.16.3.198.49976 -> 52.74.223.119.443: psh 1137147943 ack 195053692
37.111491 172.16.3.198.49976 -> 52.74.223.119.443: ack 195053850
38.050816 172.16.3.198.49976 -> 52.74.223.119.443: ack 195054122
38.105283 172.16.3.198.49592 -> 114.114.114.114.53: udp 32
38.145384 172.16.3.198.49977 -> 13.250.168.23.443: syn 1628066268
38.198429 172.16.3.198.49977 -> 13.250.168.23.443: ack 2010155428
38.199808 172.16.3.198.49977 -> 13.250.168.23.443: psh 1628066269 ack 2010155428
38.260343 172.16.3.198.49977 -> 13.250.168.23.443: ack 2010158728
38.267245 172.16.3.198.49977 -> 13.250.168.23.443: psh 1628066425 ack 2010158728
38.326931 172.16.3.198.49977 -> 13.250.168.23.443: psh 1628066591 ack 2010158819
38.735392 172.16.3.198.49977 -> 13.250.168.23.443: fin 1628067028 ack 2010159928
38.748773 172.16.3.198.49976 -> 52.74.223.119.443: psh 1137148150 ack 195054122
38.785421 172.16.3.198.49977 -> 13.250.168.23.443: rst 1628067029 ack 2010159997
38.785448 172.16.3.198.49977 -> 13.250.168.23.443: rst 1628067029
39.602323 172.16.3.198.49976 -> 52.74.223.119.443: ack 195054720
39.797922 172.16.3.198.49976 -> 52.74.223.119.443: ack 195054756
39.862511 172.16.3.198.49976 -> 52.74.223.119.443: psh 1137148416 ack 195054756
40.816282 172.16.3.198.49976 -> 52.74.223.119.443: ack 195055351
41.942120 arp reply 172.16.3.198 is-at 0:50:56:b0:3b:c6
42.621496 172.16.3.198.49976 -> 52.74.223.119.443: ack 195055434
42.944385 172.16.3.198.49976 -> 52.74.223.119.443: ack 195055506
42.948098 172.16.3.198.49976 -> 52.74.223.119.443: psh 1137149204 ack 195055506
42.949247 172.16.3.198.49976 -> 52.74.223.119.443: fin 1137149228 ack 195055506
43.000667 172.16.3.198.49976 -> 52.74.223.119.443: rst 1137149229 ack 195055530
43.000697 172.16.3.198.49976 -> 52.74.223.119.443: rst 1137149228
43.000921 172.16.3.198.49976 -> 52.74.223.119.443: rst 1137149229

DeepKuma2

Hi,
I can see that the client is sending an RST signal to the server. I think this is happening because the client is waiting for a reply packet and the reply packet is getting dropped by the firewall.

If possible, collect more logs with the commands below:
 diagnose sniffer packet any "host 172.16.3.198"
 diagnose sniffer packet any "host 52.74.223.119"

------------------------------
Deepak Kumar
First Option General Trading LLC
Dubai
------------------------------
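How a two-way capture taken with the `host` filter suggested above can be read per connection, as an added example that is not part of the original thread. It assumes the sniffer line layout shown in the captures here; the `summarize` function, the server address 198.51.100.10 and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches TCP lines as printed in the captures in this thread, e.g.
# "36.935006 172.16.3.198.49976 -> 52.74.223.119.443: syn 1137147361"
LINE_RE = re.compile(
    r"^\d+\.\d+\s+(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+(?P<flag>syn|fin|rst|psh|ack)\b"
)

# Constructed sample (not from the thread); 198.51.100.10 is a documentation address.
SAMPLE = """\
interfaces=[any]
filters=[host 172.16.3.198]
1.000000 172.16.3.198.50001 -> 198.51.100.10.443: syn 1000
1.050000 198.51.100.10.443 -> 172.16.3.198.50001: syn 5000 ack 1001
1.050500 172.16.3.198.50001 -> 198.51.100.10.443: ack 5001
1.060000 172.16.3.198.50001 -> 198.51.100.10.443: psh 1001 ack 5001
1.120000 198.51.100.10.443 -> 172.16.3.198.50001: psh 5001 ack 1518
2.000000 172.16.3.198.50001 -> 198.51.100.10.443: fin 1518 ack 6000
2.050000 172.16.3.198.50001 -> 198.51.100.10.443: rst 1519 ack 6000
3.000000 172.16.3.198.50002 -> 198.51.100.10.443: syn 2000
3.500000 172.16.3.198.40000 -> 114.114.114.114.53: udp 28
6.000000 172.16.3.198.50002 -> 198.51.100.10.443: syn 2000
"""

def summarize(capture, client_ip):
    """Per-connection view: packets each way, who sent the first FIN, who sent RSTs."""
    flows = defaultdict(lambda: {"c2s": 0, "s2c": 0, "first_fin": None, "rst_from": set()})
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, ARP and UDP lines
        if m["src"] == client_ip:
            side, key = "client", (int(m["sport"]), m["dst"], int(m["dport"]))
        elif m["dst"] == client_ip:
            side, key = "server", (int(m["dport"]), m["src"], int(m["sport"]))
        else:
            continue  # traffic that does not involve the client
        flow = flows[key]
        flow["c2s" if side == "client" else "s2c"] += 1
        if m["flag"] == "fin" and flow["first_fin"] is None:
            flow["first_fin"] = side
        if m["flag"] == "rst":
            flow["rst_from"].add(side)
    return dict(flows)

if __name__ == "__main__":
    for (cport, server, sport), f in summarize(SAMPLE, "172.16.3.198").items():
        note = "no reply seen" if f["s2c"] == 0 else "replies seen"
        print(f"{cport} -> {server}:{sport} {f} ({note})")
```

A connection with client packets but an `s2c` count of zero is one where no server packet reached the capture, which a `src host` filter alone cannot distinguish from a filter that simply hid the replies.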
weipyang

Hi,
The IP address of GitHub will change. The following is the capture of one of the destination addresses. What problems can you find?
I tested Baidu.Cloud_File.download and upload; they are well recognized, and upload actions can be prevented.
I feel that application control does not recognize the difference between github upload and download traffic.
Is there any better way to solve the problem I need?


FortiGate-VM # diagnose sniffer packet any "dst host 13.229.188.59"
interfaces=[any]
filters=[dst host 13.229.188.59]
23.449847 172.16.3.198.50700 -> 13.229.188.59.443: syn 3069350836
23.450276 172.16.5.190.50700 -> 13.229.188.59.443: syn 3069350836
23.501720 172.16.3.198.50700 -> 13.229.188.59.443: ack 141016232
23.501789 172.16.5.190.50700 -> 13.229.188.59.443: ack 141016232
23.511918 172.16.3.198.50700 -> 13.229.188.59.443: psh 3069350837 ack 141016232
23.512394 172.16.5.190.50700 -> 13.229.188.59.443: psh 3069350837 ack 141016232
23.568649 172.16.5.190.50700 -> 13.229.188.59.443: ack 141017668
23.569265 172.16.5.190.50700 -> 13.229.188.59.443: ack 141019104
23.569520 172.16.3.198.50700 -> 13.229.188.59.443: ack 141019104
23.570706 172.16.3.198.50700 -> 13.229.188.59.443: psh 3069351354 ack 141019868
23.570807 172.16.3.198.50700 -> 13.229.188.59.443: psh 3069351418 ack 141019868
23.570892 172.16.5.190.50700 -> 13.229.188.59.443: psh 3069351354 ack 141019868
23.570961 172.16.5.190.50700 -> 13.229.188.59.443: psh 3069351418 ack 141019868
23.622582 172.16.3.198.50700 -> 13.229.188.59.443: ack 141020026
23.622633 172.16.5.190.50700 -> 13.229.188.59.443: ack 141020026
24.584521 172.16.3.198.50700 -> 13.229.188.59.443: ack 141020296
24.584711 172.16.5.190.50700 -> 13.229.188.59.443: ack 141020296
36.030558 172.16.3.198.50700 -> 13.229.188.59.443: psh 3069351625 ack 141020296
36.030773 172.16.5.190.50700 -> 13.229.188.59.443: psh 3069351625 ack 141020296
36.837076 172.16.3.198.50700 -> 13.229.188.59.443: ack 141020729
36.837199 172.16.5.190.50700 -> 13.229.188.59.443: ack 141020729
36.841849 172.16.3.198.50700 -> 13.229.188.59.443: ack 141020945
36.841895 172.16.5.190.50700 -> 13.229.188.59.443: ack 141020945
37.042016 172.16.3.198.50700 -> 13.229.188.59.443: ack 141020972
37.042122 172.16.5.190.50700 -> 13.229.188.59.443: ack 141020972
37.095585 172.16.3.198.50700 -> 13.229.188.59.443: psh 3069351891 ack 141020972
37.095769 172.16.5.190.50700 -> 13.229.188.59.443: psh 3069351891 ack 141020972
38.081770 172.16.3.198.50700 -> 13.229.188.59.443: ack 141021576
38.081838 172.16.5.190.50700 -> 13.229.188.59.443: ack 141021576
40.245354 172.16.3.198.50700 -> 13.229.188.59.443: ack 141021681
40.245437 172.16.5.190.50700 -> 13.229.188.59.443: ack 141021681
40.702576 172.16.3.198.50700 -> 13.229.188.59.443: ack 141021753
40.702628 172.16.5.190.50700 -> 13.229.188.59.443: ack 141021753
40.707979 172.16.3.198.50700 -> 13.229.188.59.443: psh 3069352687 ack 141021753
40.708066 172.16.5.190.50700 -> 13.229.188.59.443: psh 3069352687 ack 141021753
40.709100 172.16.3.198.50700 -> 13.229.188.59.443: fin 3069352711 ack 141021753
40.709160 172.16.5.190.50700 -> 13.229.188.59.443: fin 3069352711 ack 141021753
40.759415 172.16.3.198.50700 -> 13.229.188.59.443: rst 3069352712 ack 141021777
40.759494 172.16.5.190.50700 -> 13.229.188.59.443: rst 3069352712 ack 141021777
40.759970 172.16.3.198.50700 -> 13.229.188.59.443: rst 3069352711
40.759987 172.16.3.198.50700 -> 13.229.188.59.443: rst 3069352712
40.760026 172.16.5.190.50700 -> 13.229.188.59.443: rst 3069352711


YohaDAVI

Hello,

From my point of view, you should do the reverse: block all GitHub and unblock only what you need.

Because it's matching the global signature.

To be sure, could you please give us the rest of the configuration: policy configuration, SSL inspection config, ...? Keep in mind that it is in your local language; it would be a good idea to change it to English when giving us screenshots, so that we can better understand.

Thanks a lot.

Best regards,
Yohann

------------------------------
Yohann [LastName] [Designation]
Systems / network engineer
[CompanyName]
[City] [State]
[Phone]
------------------------------
weipyang

I tried the reverse application control strategy; the file can still be uploaded, but the log is implemented using HTTPS.BROWSER.
I have another idea: to use data leak prevention. Can I disable all file uploads?

YohaDAVI

Hello,

Which browser are you using?

Best regards,
Yohann

weipyang

Hi, Yohann

I am using Cent Browser.

