Description
This article explains how to configure URL based address objects so that they also match HTTPS requests when used with the explicit web proxy.
Solution
From FortiOS v5.2.x, URL based address objects can be configured on the FortiGate unit to allow a specific URL through a firewall policy.
However, for HTTPS URLs such a policy may not match the traffic.
Network diagram (image not included in this text; in the configuration below the clients sit behind port9 and the Internet-facing interface is port10).
For example, if the following 2 policies are configured:
Policy1 - URL based address object to allow URL = "video.fortinet.com/video/261/security-fabric-installation-5-6".
Policy2 - Allow policy with web filter enabled to block the category "Information Technology".
When the request is HTTP, the request can be matched with the URL based address object and the access will be allowed by policy1.
However, when the request is HTTPS, the client first sends a CONNECT request to the proxy that carries only the destination host and port (for example video.fortinet.com:443). The full URL, including the path, travels inside the TLS session, so the FortiGate cannot see it at that point.
To see the URL, the FortiGate has to decrypt the session and evaluate the decrypted request against the firewall policy. Policy lookup, however, takes place before SSL decryption, so at the first lookup only the host part of the CONNECT request is available; a URL based address object (host plus path) cannot match, and the request falls through to whichever policy matches on the host alone. This is why URL based address objects may not work with HTTPS requests.
In FortiOS v5.6, a new feature is introduced that evaluates the request against the firewall (proxy) policy a second time, after SSL decryption has taken place.
For the above example, the following configuration must be in place to allow HTTPS requests using URL based address objects.
config firewall profile-protocol-options
    edit "default"
        config http
            set http-policy enable
        end
    next
end
SSL deep inspection (not certificate inspection) must be used in both policies, because the URL path only becomes visible once the session is decrypted, and http-policy must be enabled in the protocol options profile referenced by those policies. As with any deep inspection deployment, the clients must trust the CA certificate the FortiGate uses to re-sign server certificates.
With "set http-policy enable", once SSL deep inspection has decrypted the session the decrypted request is evaluated against the proxy policies again, so the URL that was previously hidden inside the TLS session can now be matched by the URL based address object.
To enable this setting in the Web GUI:
Security Profiles > Proxy Options > edit the profile > enable the option "HTTP Policy Redirect".
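The following Python model, added here as an illustration (it is not FortiOS code and is not taken from the article), shows what the explicit proxy can see at each stage and why a URL based address object matches the plain HTTP request at the first lookup, misses the HTTPS CONNECT, and matches again once the decrypted request is re-evaluated with http-policy enabled. The names UrlObject, ProxyPolicy, visible_request, select_policy, http_policy and https_policy are hypothetical, and the matching rules are a simplified stand-in for the FortiGate proxy-policy engine; the two policies are constructed to mirror the article's policy 1 and policy 2.

```python
"""Model of explicit-proxy policy lookup before and after SSL deep inspection.

Added illustration, not FortiOS code. A CONNECT request exposes only host:port;
the decrypted inner request also exposes the path. All names are hypothetical.
"""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class UrlObject:
    """Stand-in for a proxy-address of type url: host (wildcard-fqdn) + path."""
    host_pattern: str   # e.g. "*.fortinet.com"
    path: str           # e.g. "/video/261/security-fabric-installation-5-6"

    def matches(self, host: str, path: Optional[str]) -> bool:
        # Without a path (a bare CONNECT) a URL object can never match.
        if path is None:
            return False
        return fnmatch(host.lower(), self.host_pattern.lower()) and path.startswith(self.path)


@dataclass(frozen=True)
class ProxyPolicy:
    policy_id: int
    dstaddr: Optional[UrlObject]   # None stands for dstaddr "all"


# Constructed to mirror the article: policy 1 = URL object, policy 2 = catch-all.
POLICIES = [
    ProxyPolicy(1, UrlObject("*.fortinet.com", "/video/261/security-fabric-installation-5-6")),
    ProxyPolicy(2, None),
]


def visible_request(raw_line: str, tunnel_host: Optional[str] = None) -> tuple:
    """Return the (host, path) the proxy can see in one request line.

    CONNECT host:443 HTTP/1.1   -> host only, path unknown (None)
    GET http://host/p HTTP/1.1  -> absolute-form, host and path
    GET /p HTTP/1.1             -> origin-form inside a decrypted tunnel; the host
                                   is the one from the CONNECT that opened it
    """
    method, target, _version = raw_line.split(" ", 2)
    if method == "CONNECT":
        return target.rsplit(":", 1)[0].lower(), None
    if target.startswith("/"):
        if tunnel_host is None:
            raise ValueError("origin-form request outside a tunnel")
        return tunnel_host, target
    parts = urlsplit(target)
    return (parts.hostname or "").lower(), parts.path or "/"


def select_policy(host: str, path: Optional[str], policies=POLICIES) -> Optional[int]:
    """Top-down first match, as the proxy-policy list is evaluated."""
    for pol in policies:
        if pol.dstaddr is None or pol.dstaddr.matches(host, path):
            return pol.policy_id
    return None


def http_policy(request_line: str) -> Optional[int]:
    """Plain HTTP: the full URL is on the request line, so one lookup suffices."""
    return select_policy(*visible_request(request_line))


def https_policy(connect_line: str, inner_line: str, http_policy_redirect: bool) -> Optional[int]:
    """HTTPS through the explicit proxy.

    The first lookup sees only the CONNECT host. With http-policy enabled the
    decrypted inner request is looked up again and that second result applies
    (assumes both policies use deep inspection, so decryption always happens).
    """
    host, path = visible_request(connect_line)
    first = select_policy(host, path)
    if not http_policy_redirect:
        return first
    host2, path2 = visible_request(inner_line, tunnel_host=host)
    return select_policy(host2, path2)


if __name__ == "__main__":
    url = "/video/261/security-fabric-installation-5-6"
    connect = "CONNECT video.fortinet.com:443 HTTP/1.1"
    print("HTTP:", http_policy(f"GET http://video.fortinet.com{url} HTTP/1.1"))
    print("HTTPS, http-policy disabled:", https_policy(connect, f"GET {url} HTTP/1.1", False))
    print("HTTPS, http-policy enabled:", https_policy(connect, f"GET {url} HTTP/1.1", True))
    print("HTTPS root, http-policy enabled:", https_policy(connect, "GET / HTTP/1.1", True))
```

Run as a script it prints policy 1 for HTTP, policy 2 for HTTPS without http-policy (the CONNECT carries no path), policy 1 for HTTPS once the decrypted request is re-evaluated, and policy 2 for the HTTPS root URL, which is exactly the behaviour the logs in the verification section show.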
Configuration CLI
config firewall address
    edit "fortinet.com"
        set type wildcard-fqdn
        set wildcard-fqdn "*.fortinet.com"
    next
end
config firewall proxy-address
    edit "ftnt_url1"
        set type url
        set host "fortinet.com"
        set path "/video/261/security-fabric-installation-5-6"
    next
end
config firewall profile-protocol-options
    edit "default"
        config http
            set http-policy enable
        end
    next
end
config firewall proxy-policy
    edit 1
        set proxy explicit-web
        set dstintf "port10"
        set srcaddr "all"
        set dstaddr "ftnt_url1"
        set service "webproxy"
        set action accept
        set schedule "always"
        set logtraffic all
        set utm-status enable
        set webfilter-profile "monitor-all"
        set profile-protocol-options "default"
        set ssl-ssh-profile "deep-inspection-lab"
    next
    edit 2
        set uuid 7c265834-203b-51e7-4123-455f8f218612
        set proxy explicit-web
        set dstintf "port10"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set logtraffic all
        set utm-status enable
        set av-profile "default"
        set webfilter-profile "block_information_technology"
        set profile-protocol-options "default"
        set ssl-ssh-profile "deep-inspection-lab"
    next
end
Note that the host of the proxy-address "ftnt_url1" must reference the firewall address object defined above by name ("fortinet.com"), the URL based policy (policy 1) must sit above the catch-all policy (policy 2), and both policies reference the same deep inspection SSL/SSH profile and the protocol options profile in which http-policy is enabled.
Verification of configuration and troubleshooting
When the client accesses https://video.fortinet.com/video/261/security-fabric-installation-5-6 through the proxy, the request is allowed by policy 1 (policyid=1, action="passthrough", and the decrypted path appears in the url field):
date=2017-05-04 time=09:47:45 logid="0317013312" type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="root" policyid=1 sessionid=987350404 srcip=10.25.3.1 srcport=50394 srcintf="port9" dstip=208.91.114.157 dstport=443 dstintf="port10" proto=6 service="HTTPS" hostname="video.fortinet.com" profile="monitor-all" action="passthrough" reqtype="direct" url="/video/261/security-fabric-installation-5-6" sentbyte=941 rcvdbyte=3281 direction="outgoing" msg="URL belongs to an allowed category in policy" method="domain" cat=52 catdesc="Information Technology"
When the client accesses https://video.fortinet.com/ (the root URL, which does not match the URL based address object), the request is blocked by policy 2 (policyid=2, action="blocked"):
date=2017-05-04 time=09:51:14 logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" policyid=2 sessionid=987350461 srcip=10.25.3.1 srcport=50451 srcintf="port9" dstip=208.91.114.157 dstport=443 dstintf="port10" proto=6 service="HTTPS" hostname="video.fortinet.com" profile="block_information_technology" action="blocked" reqtype="direct" url="/" sentbyte=1345 rcvdbyte=137 direction="outgoing" msg="URL belongs to a denied category in policy" method="domain" cat=52 catdesc="Information Technology" crscore=30 crlevel="high"
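To turn the verification above into a repeatable check, the following Python helper, added here and not part of the article or of FortiOS, parses FortiGate key=value webfilter log lines and compares the policyid and action of each logged URL against the outcome expected from the two policies. parse_fgt_log and check_url_policy are hypothetical names; the two sample lines are the article's own log output (the stray spaces around the profile name in the second line are kept to show that quoted values are trimmed), and the EXPECTED mapping is constructed from the article's description of policy 1 and policy 2.

```python
"""Check FortiGate webfilter logs for the expected per-policy outcome.

Added verification helper, not FortiOS code; function names are hypothetical.
SAMPLE_LOGS reproduces the article's two log lines; EXPECTED is constructed.
"""
import re
from typing import Dict, Iterable, List, Tuple

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fgt_log(line: str) -> Dict[str, str]:
    """Parse one FortiGate key=value log line into a dict (quotes stripped, values trimmed)."""
    return {m.group(1): (m.group(2) if m.group(2) is not None else m.group(3)).strip()
            for m in _KV.finditer(line)}


def check_url_policy(lines: Iterable[str], expected: Dict[str, Tuple[int, str]]) -> List[str]:
    """Compare webfilter log lines with the expected (policyid, action) per URL.

    expected maps "hostname" + "url" -> (policyid, action). Returns a list of
    mismatch descriptions; an empty list means every expected URL was logged
    and hit the intended policy with the intended action.
    """
    problems = []
    seen = set()
    for line in lines:
        rec = parse_fgt_log(line)
        if rec.get("subtype") != "webfilter":
            continue
        key = rec.get("hostname", "") + rec.get("url", "")
        if key not in expected:
            continue
        seen.add(key)
        want_policy, want_action = expected[key]
        got = (rec.get("policyid"), rec.get("action"))
        if got != (str(want_policy), want_action):
            problems.append(f"{key}: got policyid={got[0]} action={got[1]}, "
                            f"want policyid={want_policy} action={want_action}")
    for key in expected.keys() - seen:
        problems.append(f"{key}: no webfilter log seen")
    return problems


# The article's two verification log lines.
SAMPLE_LOGS = [
    'date=2017-05-04 time=09:47:45 logid="0317013312" type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="root" policyid=1 sessionid=987350404 srcip=10.25.3.1 srcport=50394 srcintf="port9" dstip=208.91.114.157 dstport=443 dstintf="port10" proto=6 service="HTTPS" hostname="video.fortinet.com" profile="monitor-all" action="passthrough" reqtype="direct" url="/video/261/security-fabric-installation-5-6" sentbyte=941 rcvdbyte=3281 direction="outgoing" msg="URL belongs to an allowed category in policy" method="domain" cat=52 catdesc="Information Technology"',
    'date=2017-05-04 time=09:51:14 logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" policyid=2 sessionid=987350461 srcip=10.25.3.1 srcport=50451 srcintf="port9" dstip=208.91.114.157 dstport=443 dstintf="port10" proto=6 service="HTTPS" hostname="video.fortinet.com" profile=" block_information_technology " action="blocked" reqtype="direct" url="/" sentbyte=1345 rcvdbyte=137 direction="outgoing" msg="URL belongs to a denied category in policy" method="domain" cat=52 catdesc="Information Technology" crscore=30 crlevel="high"',
]

# Constructed from the article: policy 1 allows the specific URL, policy 2 blocks the rest.
EXPECTED = {
    "video.fortinet.com/video/261/security-fabric-installation-5-6": (1, "passthrough"),
    "video.fortinet.com/": (2, "blocked"),
}

if __name__ == "__main__":
    for msg in check_url_policy(SAMPLE_LOGS, EXPECTED) or ["OK: both requests hit the intended policy"]:
        print(msg)
```

If the URL based policy is not matching (for example because http-policy is disabled or certificate inspection was used instead of deep inspection), the first URL is reported with policyid=2 and action=blocked instead of policyid=1 and action=passthrough, which points straight at the setting to check.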