FortiGate
Ales_FTNT
Staff
Description
When external explicit proxy is used, the browser will initiate the HTTPS session with an HTTP CONNECT request. Once this request is successful, the client will initiate an SSL handshake to start the secure connection.

In the FortiGate, the CONNECT request and response will be treated as one request while the SSL handshake will be treated as a second request. The CONNECT request is filtered using the full URL as available in the HTTP request header according to the URL filtering rules.

The second request, the SSL handshake, is filtered using the HTTPS filtering settings. This is often blocked because the site uses an invalid certificate.

On some occasions, when FortiGuard URL filtering is used, web sites that are permitted either by rating or by an explicit whitelist entry are still blocked. The logged event is:

"The certificate for the HTTPS session contained an invalid domain name. The session has been filtered by IP only."

This message is logged whenever the request hostname/domain name (taken from the HTTP headers or the SSL certificate) is determined to be invalid or cannot be found. It indicates that the IP address has been substituted for the hostname so that web filtering can still take place.

If 'block-invalid-urls' is enabled in the HTTP or HTTPS settings, the status in the log message will be 'blocked' instead of 'filtered'.


If the HTTP/HTTPS requests are made to an external proxy, the real IP address of the destination web server is not known, and therefore rating queries by the IP address, the domain name, or both are not reliable.

Scope
  • FortiOS 4.0MR2 and above
  • FortiGuard URL Web filtering

Solution
FortiOS 4.2 allows the FortiGate HTTP proxy to recognize the CONNECT request and go into BYPASS mode once the request and response have been allowed to pass. This prevents the FortiGate from inspecting the SSL handshake that follows the CONNECT request.

To prevent the SSL handshake from being blocked after the CONNECT request, use the following CLI configuration:

config webfilter profile
    edit "example"
        config ftgd-wf
            set http-options connect-request-bypass
        end
    next
end
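The two-stage handling described above, as an added illustration that is not FortiGate code: stage one filters the CONNECT request by the host in its request line (the whitelist is modelled as a plain set of hostnames, an assumption), and stage two is the TLS handshake, which is examined only when connect-request-bypass is not set. The sample stream is constructed and shows only the client-to-proxy direction.

```python
import re

# Request line of an explicit-proxy CONNECT: "CONNECT host:port HTTP/1.x"
CONNECT_RE = re.compile(rb"^CONNECT\s+([^\s:]+):(\d{1,5})\s+HTTP/1\.[01]\r\n")

def parse_connect(request: bytes):
    """Return (host, port) from a CONNECT request line, or None if malformed."""
    m = CONNECT_RE.match(request)
    if not m:
        return None
    host, port = m.group(1).decode("ascii", "replace").lower(), int(m.group(2))
    if not 0 < port < 65536:
        return None
    return host, port

def is_tls_client_hello(data: bytes) -> bool:
    """TLS record type 0x16 (handshake), major version 3, handshake type 0x01 (ClientHello)."""
    return len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01

def filter_explicit_https(stream: bytes, allowlist, connect_request_bypass: bool):
    """Per-stage decisions for one client->proxy stream (model, not FortiOS logic)."""
    head, _, rest = stream.partition(b"\r\n\r\n")
    parsed = parse_connect(head + b"\r\n")
    if parsed is None:
        return [("connect", "blocked", "malformed CONNECT request")]
    host, port = parsed
    decisions = []
    if host in allowlist:  # assumed whitelist check on the full hostname
        decisions.append(("connect", "allowed", f"{host}:{port}"))
    else:
        return [("connect", "blocked", f"{host}:{port} not in whitelist")]
    if connect_request_bypass:
        decisions.append(("handshake", "bypassed", "not inspected after CONNECT"))
    elif is_tls_client_hello(rest):
        decisions.append(("handshake", "inspected", "HTTPS filter applies (certificate/domain checks)"))
    else:
        decisions.append(("handshake", "blocked", "unexpected data after CONNECT"))
    return decisions

# Constructed sample: CONNECT request followed by the first bytes of a TLS 1.2 ClientHello.
SAMPLE_STREAM = (
    b"CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n"
    + bytes.fromhex("160303004a01000046")
)
```

Once the handshake is bypassed, the HTTPS filter's certificate and domain checks no longer apply to that connection, so the CONNECT-stage whitelist is the only control left for those destinations.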