Description

This article describes how to block IP based HTTPS web site access when a static URL filter is configured in a web filter profile.

Scope

Any version of FortiGate.

Solution

This article assumes the existence of a web filter profile that's configured with static URL filters.
With this web filter profile applied to a firewall policy, the end user is able to browse to a HTTPS web site when accessed as 'https://1.1.1.1' which is not part of the allowed URL listed in static URL filters.

Below is the config of the web filter profile named 'blockprofile'.
No FortiGuard Category based filter is enabled. Only a Static URL filter is configured with few allowed URLs, where anything else is blocked as per the 'Block' Wildcard entry shown in the bottom of this screenshot:

 

With the configuration above, attempts to access URL's by IP such as https://1.1.1.1 can be allowed. 

Refer to the forward log from the CLI and the snapshot from the GUI .

From the CLI:

 

date=2020-04-20 time=09:48:24 logid="0000000020" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1587340104 srcip=192.168.1.1 srcname="win7-pc" srcport=50678 srcintf="port9" srcintfrole="lan" dstip=1.1.1.1 dstport=443 dstintf="port1" dstintfrole="undefined" poluuid="9468e8e2-7562-51ea-7453-d52953845052" sessionid=2549804 proto=6 action="accept" policyid=2 policytype="policy" service="HTTPS" dstcountry="Australia" srccountry="Reserved" trandisp="snat" transip=10.10.10.10 transport=50778 duration=166 sentbyte=2768 rcvdbyte=2990 sentpkt=20 rcvdpkt=19 appcat="unscanned" devtype="Windows PC" devcategory="Windows Device" osname="Windows 10 / 2016" mastersrcmac="00:58:33:70:28:01" srcmac="00:58:33:70:28:01" srcserver=0

 

From the GUI:

 

 

As shown above, access to https://1.1.1.1 was allowed to pass through despite the expectation that the access will be blocked.

 

This behaviour existed on FortiOS versions 6.0 and below, but was improved and newer and supported FortiOS versions. 

The option below was added, which allows a URL filter profile to block any IP address that appears in the http-get 'host' header or on the SNI field for HTTPS sessions:

 

config webfilter urlfilter

edit <id>

set ip-addr-block [enable|disable]

 

When enabled, the ip-addr-block will block any IP address that appears in the 'host' headers or SNI regardless of the urlfilter entries. 

When disabled, the urlfilter will attempt to match the IP against the entries with the following logic: 

 

Proxy-Based inspection: 

In Proxy mode, the 'ip-of-server' will be extracted from the TCP handshake, and will be matched against the urlfilter entries in the following order: 

1. HTTP-GET 'host' header.
2. ip-of-server.

The following results are observed when the URL filter is set to block 1.1.1.1* as a wildcard entry: 

 

Command	Result
curl -o /dev/null -vL --resolve one.one.one.one:80:1.1.1.1 http://one.one.one.one	Blocked - matched ip-of-server.
curl -o /dev/null -vL --resolve one.one.one.one:80:1.1.1.1 http://1.1.1.1	Blocked - matched host header.
curl -o /dev/null -vk --resolve one.one.one.one:443:1.1.1.1 https://one.one.one.one	Blocked - matched ip-of-server.
curl -o /dev/null -vk --resolve one.one.one.one:443:1.1.1.1 https://1.1.1.1	Blocked - matched SNI.

 

Flow-Based inspection: 

In Flow mode, the inspection will occur with single pass behavior. Only the http-get 'host' header will be matched against the URLfilter entries. 

 

Command	Result
curl -o /dev/null -vL --resolve one.one.one.one:80:1.1.1.1 http://one.one.one.one	Allowed - no match.
curl -o /dev/null -vL --resolve one.one.one.one:80:1.1.1.1 http://1.1.1.1	Blocked - matched host header.
curl -o /dev/null -vk --resolve one.one.one.one:443:1.1.1.1 https://one.one.one.one	Allowed - no match.
curl -o /dev/null -vk --resolve one.one.one.one:443:1.1.1.1 https://1.1.1.1	Blocked - matched SNI.

 

Related documents:

• Fortinet help - SSL/SSH inspection intro.
• Technical Tip: Using a static URL filter feature to allow/block web sites.