FortiGate
mprabakhar
Staff
Description
A web filter profile is configured with a static URL filter.
With this security profile applied to a firewall policy, an end user is still able to browse to an HTTPS web site by IP address, for example 'https://1.1.1.1', even though it is not one of the allowed URLs listed in the static URL filter.

This article describes how to block IP-based HTTPS web site access when a static URL filter is configured in the web filter profile.

Solution
Below is the configuration of the web filter profile named 'blockprofile'.
Only the static URL filter is configured, with a few allowed URLs; everything else is to be blocked.

This security profile is bound to firewall policy ID 2, with 'certificate-inspection' selected as the SSL inspection profile.

With this configuration, IP-based access such as https://1.1.1.1 bypasses the filter.
Refer to the forward traffic log from the CLI and the snapshot from the GUI below.

From the CLI:
date=2020-04-20 time=09:48:24 logid="0000000020" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1587340104 srcip=192.168.1.1 srcname="win7-pc" srcport=50678 srcintf="port9" srcintfrole="lan" dstip=1.1.1.1 dstport=443 dstintf="port1" dstintfrole="undefined" poluuid="9468e8e2-7562-51ea-7453-d52953845052" sessionid=2549804 proto=6 action="accept" policyid=2 policytype="policy" service="HTTPS" dstcountry="Australia" srccountry="Reserved" trandisp="snat" transip=10.10.10.10 transport=50778 duration=166 sentbyte=2768 rcvdbyte=2990 sentpkt=20 rcvdpkt=19 appcat="unscanned" devtype="Windows PC" devcategory="Windows Device" osname="Windows 10 / 2016" mastersrcmac="00:58:33:70:28:01" srcmac="00:58:33:70:28:01" srcserver=0

From the GUI:

As can be seen above, access to https://1.1.1.1 was allowed to pass through, while the expectation is that it should be blocked.

The reason it is allowed is that, when certificate-inspection is selected as the SSL inspection type of the firewall policy, the FortiGate identifies the destination from the Server Name Indication (SNI) extension, which is usually present in the Client Hello of the SSL/TLS handshake that the client's browser and the destination web server exchange to establish an HTTPS connection.

When the web site is accessed over HTTPS by IP address (https://1.1.1.1), the SNI extension is not present in the Client Hello, so the FortiGate is unable to identify the URL being accessed, and the session is allowed as pass-through.

The solution is to select a deep-inspection SSL inspection profile in the firewall policy, so that the web filter can inspect the actual URL after decrypting the HTTPS connection and make its decision based on that.



Related Articles

Technical Tip: Using a static URL filter feature to allow/block web sites