FortiGate
CarlosColombini
Staff & Editor
Article Id 211826
Description

This article describes how to restrict access to approved Slack Workspaces by having FortiGate inject Slack's workspace-approval HTTP headers into proxied traffic.

 

Scope

FortiGate running FortiOS 6.0 or higher, with a proxy-based firewall policy and Full SSL Inspection.

 

Solution

IT administrators may need to restrict access to specific Slack Workspaces.

This can be achieved with a web-proxy profile that adds the two HTTP headers described in the Slack documentation below: X-Slack-Allowed-Workspaces-Requester and X-Slack-Allowed-Workspaces.

https://slack.com/help/articles/360024821873-Approve-Slack-workspaces-for-your-network

Slack Pre-requisites:

1) Must be a Workspace Owner or Workspace Admin.
2) The Slack plan must be Business+ or Enterprise Grid.
3) Items 1) and 2) apply to the workspace whose ID is placed in the 'X-Slack-Allowed-Workspaces-Requester' header.
4) The content of the 'X-Slack-Allowed-Workspaces' header can be any public or private Workspace.

 

FortiGate Pre-requisites:

1) The firewall policy inspection mode must be set to proxy-based.
2) The SSL inspection profile must be set to Full SSL Inspection.

Note.

The above is required only for traffic to the slack.com domain and its subdomains.

Configuration Steps:

1) Create an address object for Slack subdomains:

# config firewall address
    edit "wildcard.slack.com"
        set type fqdn
        set fqdn "*.slack.com"
    next
end

2) Create a web-proxy profile with the HTTP header modifications:

# config web-proxy profile
    edit "SLACK"
        set log-header-change enable
        config headers
            edit 1
                set name "X-Slack-Allowed-Workspaces-Requester"
                set dstaddr "wildcard.slack.com"
                set content "T03ARHV9669"
            next
            edit 2
                set name "X-Slack-Allowed-Workspaces"
                set dstaddr "wildcard.slack.com"
                set content "T03ARHV9669"
            next
            edit 3
                set name "X-Slack-Allowed-Workspaces"
                set dstaddr "wildcard.slack.com"
                set content "T0A93EN1Y"
            next
        end
    next
end

Note.

Multiple 'X-Slack-Allowed-Workspaces' headers can be added if more than one Slack Workspace is to be approved.

 

3) Additional logging can be enabled with the setting 'set log-header-change enable'.

This generates an extra event type, 'http_header_change', in the Web Filter logs, as in the example below:


date=2022-05-11 time=21:03:38 eventtime=1652328219334999559 tz="-0700" logid="0344013632" type="utm" subtype="webfilter" eventtype="http_header_change" level="notice" vd="root" policyid=40 poluuid="2aa5f31e-8131-51ec-a460-093b51af60ae" policytype="policy" transid=16777538 sessionid=168777 profile="SLACK" srcip=172.16.3.30 srcport=54976 srccountry="Reserved" dstip=44.237.180.172 dstport=443 dstcountry="United States" srcintf="port6" srcintfrole="lan" dstintf="port1" dstintfrole="wan" srcuuid="cde13dc2-cfe2-51ec-f78f-0e0e49eaf177" dstuuid="2e1f07f4-ab2c-51ec-2a5b-4d01ad8b2ed6" proto=6 service="HTTPS" url="https://robertao.slack.com/api/signin.findWorkspaces?_x_id=noversion-1652328222.694&slack_route=T000..." agent="Chrome/92.0.4515.131" chgheaders="Added=X-Slack-Allowed-Workspaces-Requester: T03ARHV9669|X-Slack-Allowed-Workspaces: T03ARHV9669|X-Slack-Allowed-Workspaces: T03891MQN3W"

4) Apply the web-proxy profile to a firewall policy. This can only be done via the CLI.

The example below applies to all forward traffic from 172.16.3.30 outbound; however, the HTTP header change is only applied to traffic matching the web-proxy profile's dstaddr, which in this example is limited to *.slack.com.

# config firewall policy
    edit 40
        set name "SLACK-Restriction"
        set srcintf "port6"
        set dstintf "virtual-wan-link"
        set action accept
        set srcaddr "172.16.3.30"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set webproxy-profile "SLACK"
        set ssl-ssh-profile "deep-inspection"
        set logtraffic all
        set nat enable
    next
end
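As an added illustration (Python written for this article's topic, not FortiOS code and not from the article's author), the model below replays the three header entries of the SLACK profile against requests to different hosts. It shows why policy 40 can match all traffic from 172.16.3.30 while headers are appended only when the destination host matches the wildcard FQDN, and that duplicate header names are kept. The function names and the glob-style wildcard matching are assumptions made for the example.

```python
from fnmatch import fnmatchcase

# Header entries copied from the web-proxy profile "SLACK" in the article:
# (header name, dstaddr wildcard FQDN, content). The same name may appear
# more than once, which is how several workspaces are approved.
SLACK_PROFILE_HEADERS = [
    ("X-Slack-Allowed-Workspaces-Requester", "*.slack.com", "T03ARHV9669"),
    ("X-Slack-Allowed-Workspaces", "*.slack.com", "T03ARHV9669"),
    ("X-Slack-Allowed-Workspaces", "*.slack.com", "T0A93EN1Y"),
]


def host_matches(host, pattern):
    """Case-insensitive wildcard FQDN match.

    Assumption for this toy: the wildcard behaves like shell globbing, so
    "*.slack.com" matches "robertao.slack.com" but not "evil-slack.com".
    """
    return fnmatchcase(host.strip().lower(), pattern.lower())


def apply_header_rules(host, request_headers, rules=SLACK_PROFILE_HEADERS):
    """Return a new header list with the profile's headers appended for matching hosts.

    request_headers is a list of (name, value) tuples as the proxy sees them
    after TLS is decrypted (which is why full SSL inspection is required).
    Headers are appended, not replaced, so duplicate names are preserved.
    """
    out = list(request_headers)
    for name, dstaddr, content in rules:
        if host_matches(host, dstaddr):
            out.append((name, content))
    return out


def added_headers(host, request_headers, rules=SLACK_PROFILE_HEADERS):
    """Only the headers the rule set adds for this host (handy for logging)."""
    return apply_header_rules(host, request_headers, rules)[len(request_headers):]


def render_request(method, path, headers):
    """Render the forwarded request as HTTP/1.1 header lines, like the wad dump."""
    lines = ["%s %s HTTP/1.1" % (method, path)]
    lines += ["%s: %s" % (name, value) for name, value in headers]
    return "\r\n".join(lines) + "\r\n\r\n"


if __name__ == "__main__":
    # Constructed client request, trimmed from the one quoted in the article.
    client = [("Host", "robertao.slack.com"), ("accept", "text/html")]
    print(render_request("GET", "/", apply_header_rules("robertao.slack.com", client)))
    # Non-Slack traffic on the same policy is forwarded untouched.
    print(added_headers("example.com", [("Host", "example.com")]))  # []
```

Running the script prints the Slack request with the three injected headers appended after the client's own, and an empty list for example.com, mirroring the behaviour described for step 4.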


Note.

A Web Filter profile is not required; only the web-proxy profile and a full SSL inspection profile are needed.


Verification:

Note that the user will not receive a replacement message (blocked page) from FortiGate.

1) Web Filter Logs.

To verify that the configuration is being applied correctly, check the log mentioned above to confirm that the header modification is performed:


date=2022-05-11 time=22:14:59 eventtime=1652332499253966355 tz="-0700" logid="0344013632" type="utm" subtype="webfilter" eventtype="http_header_change" level="notice" vd="root" policyid=40 poluuid="2aa5f31e-8131-51ec-a460-093b51af60ae" policytype="policy" transid=16777736 sessionid=187333 profile="SLACK" srcip=172.16.3.30 srcport=49524 srccountry="Reserved" dstip=44.237.180.172 dstport=443 dstcountry="United States" srcintf="port6" srcintfrole="lan" dstintf="port1" dstintfrole="wan" srcuuid="cde13dc2-cfe2-51ec-f78f-0e0e49eaf177" dstuuid="2e1f07f4-ab2c-51ec-2a5b-4d01ad8b2ed6" proto=6 service="HTTPS" url="https://robertao.slack.com/" agent="Chrome/92.0.4515.131" chgheaders="Added=X-Slack-Allowed-Workspaces-Requester: T03ARHV9669|X-Slack-Allowed-Workspaces: T03ARHV9669|X-Slack-Allowed-Workspaces: T03891MQN3W"


2) Backend debugs.

Since this type of debug output can be lengthy, the filters below restrict it to the relevant VDOM and firewall policy:

# diagnose wad filter vd root
# diagnose wad filter firewall-policy 40
# diagnose wad debug enable
# diagnose wad debug enable category http
# diagnose debug console timestamp enable
# diagnose debug enable

The output should be similar to the below:

[I]2022-05-11 22:14:59.253880 [p:252][s:187333][r:16777736] wad_dump_http_request :2558 hreq=0x7ff80e80cb48 Received request from client: 172.16.3.30:49524

GET / HTTP/1.1
Host: robertao.slack.com
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Google Chrome";v="92"
sec-ch-ua-mobile: ?0
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: b=b88f5b36faece16a3ace963c8e79bd9d


[I]2022-05-11 22:14:59.253987 [p:252][s:187333][r:16777736] wad_dump_fwd_http_req :2567 hreq=0x7ff80e80cb48 Forward request to server:
GET / HTTP/1.1
Host: robertao.slack.com
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Google Chrome";v="92"
sec-ch-ua-mobile: ?0
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: b=b88f5b36faece16a3ace963c8e79bd9d
X-Slack-Allowed-Workspaces-Requester: T03ARHV9669
X-Slack-Allowed-Workspaces: T03ARHV9669
X-Slack-Allowed-Workspaces: T03891MQN3W
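As an added example (Python written for this article, not FortiOS code and not from the article's author), the helpers below automate the two verification checks above: they parse a FortiGate key=value log line and its chgheaders field, parse the forwarded request captured by the wad debug, and confirm that the Requester header and every expected workspace header were added. The sample log line and request are constructed from the ones quoted in the article (fields trimmed for length), using the workspace IDs exactly as they appear in those logs; the function names are assumptions.

```python
import re

# Log line constructed from the http_header_change example in the article
# (fields trimmed for length; the field values are the article's).
SAMPLE_LOG = (
    'date=2022-05-11 time=22:14:59 logid="0344013632" type="utm" '
    'subtype="webfilter" eventtype="http_header_change" level="notice" '
    'vd="root" policyid=40 profile="SLACK" srcip=172.16.3.30 dstport=443 '
    'url="https://robertao.slack.com/api/signin.findWorkspaces?_x_id=1&slack_route=T000" '
    'chgheaders="Added=X-Slack-Allowed-Workspaces-Requester: T03ARHV9669'
    '|X-Slack-Allowed-Workspaces: T03ARHV9669|X-Slack-Allowed-Workspaces: T03891MQN3W"'
)

# Forwarded request constructed from the wad debug dump in the article.
SAMPLE_FORWARDED_REQUEST = """GET / HTTP/1.1
Host: robertao.slack.com
accept-language: en-US,en;q=0.9
X-Slack-Allowed-Workspaces-Requester: T03ARHV9669
X-Slack-Allowed-Workspaces: T03ARHV9669
X-Slack-Allowed-Workspaces: T03891MQN3W

"""

# One key=value field: the value is either a double-quoted string (which may
# itself contain '=' and spaces, e.g. the url field) or a bare token.
_FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line):
    """Return the key=value fields of one FortiGate log line as a dict."""
    fields = {}
    for key, value in _FIELD.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def parse_chgheaders(value):
    """Split chgheaders="Added=Name: v|Name: v" into [(name, value), ...]."""
    if not value.startswith("Added="):
        return []
    headers = []
    for item in value[len("Added="):].split("|"):
        name, _, hval = item.partition(":")
        headers.append((name.strip(), hval.strip()))
    return headers


def parse_http_request(raw):
    """Parse a request dumped by wad into (request line, [(name, value), ...])."""
    lines = raw.splitlines()
    headers = []
    for line in lines[1:]:
        if not line.strip():          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def slack_injection_ok(headers, requester, workspaces):
    """True if exactly one Requester header with the expected ID and every expected workspace are present."""
    requester_vals = [v for n, v in headers if n.lower() == "x-slack-allowed-workspaces-requester"]
    allowed = {v for n, v in headers if n.lower() == "x-slack-allowed-workspaces"}
    return requester_vals == [requester] and set(workspaces) <= allowed


def check_log_line(line, requester, workspaces):
    """True if the line is an http_header_change event that added the expected Slack headers."""
    fields = parse_fortigate_log(line)
    if fields.get("eventtype") != "http_header_change":
        return False
    return slack_injection_ok(parse_chgheaders(fields.get("chgheaders", "")), requester, workspaces)


if __name__ == "__main__":
    expected = ["T03ARHV9669", "T03891MQN3W"]
    print("log line OK:", check_log_line(SAMPLE_LOG, "T03ARHV9669", expected))
    _, hdrs = parse_http_request(SAMPLE_FORWARDED_REQUEST)
    print("forwarded request OK:", slack_injection_ok(hdrs, "T03ARHV9669", expected))
```

The quoted-string alternative in the regular expression is what keeps the url field intact: without it, the '=' inside the query string would be mistaken for a new key. The same helpers can be pointed at exported Web Filter logs to spot sessions to *.slack.com where no http_header_change event was recorded, which usually means the policy was not proxy-based or the SSL inspection profile did not decrypt the session.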

 

3) Web browser message for the denied access.

Finally, the end user's browser displays a block message from Slack.

[Screenshot: Slack's block message as shown in the end user's browser]