FortiGate
lcamilo
Staff
Article Id 258816

Description

 

This article describes how to use FortiGate to control and block custom-created web proxies.

 

Scope

 

Any supported version of FortiGate.

 

Solution

 

FortiGate administrators may wish to control and block personally crafted web proxies. This step-by-step guide will leverage the content filter to implement a scoring system based on portions of the page and take desired actions. 
This guide can be adjusted easily to block other services by using different keywords or components of the target page. 

 

Customized tools using personal domains might be 'Unrated' or uncategorized under the FortiGuard web filter categories. 
It is possible to submit a categorization request at https://www.fortiguard.com/webfilter or create custom categories to place the domains into, but this option relies on observation and manual action.
Content filtering offers an automated scoring system that blocks a page when the scores of the words it contains add up to a configured threshold.
Be careful when configuring matching criteria as poorly constructed criteria can lead to false positives.

 

More information about the web content filter:
https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/725397/web-content-filter

 

REQUIREMENT:

SSL Deep Inspection is required on HTTPS websites to ensure the content filter has access to the encrypted page and the full page contents.

 

Steps:

 

1) Make sure the web filter profile is in proxy mode.

 

feature_set.png

 



2) Enable the web content filter on a web filter profile.


content_filter_enable.png

 

3) Add the following entries as wildcards and set the action to 'Block' for each.

The list of words below should be updated as needed. 

 

nebula_contents.png


4) Link the web filter profile to a firewall policy and set the policy to proxy mode as well.

 

nebula_fw_policy.png

 

CLI script: 

 

config webfilter content
    edit 1
        set name "block_nebulaweb"
        config entries
            edit "*nebulaclock.js"
                set status enable
            next
            edit "*nebulamain.js"
                set status enable
            next
            edit "*stealthEngine.js"
                set status enable
            next
            edit "NebulaWeb"
                set status enable
            next
            edit "\"Nebula Services\""
                set status enable
            next
            edit "unblocker"
                set status enable
            next
        end
    next
end

config webfilter profile
    edit "block_nebula"
        set feature-set proxy
        config web
            set bword-threshold 20
            set bword-table 1
        end
    next
end

 

 

 

Testing the results:

 

When accessing a website that's configured with portions of the Nebula web proxy code, the whole page is blocked. 

 

successful_block.png

 

The web filter logs should show other portions of the page being allowed until the content filter score reaches the threshold.

Notice the above page was initially allowed because it is part of the Information Technology category, which is one category that was set to be allowed. 

The newest log entry shows the final result where the page was blocked:

 

webfilter_log.png

 

The Log details show the page was blocked because of 'Banned Words'. Note that two items were triggered. 

Comparing this with the CLI web filter settings shows that the content filter is set with a threshold of 20. Each match adds 10 to the score, so with the above settings the page is blocked only once two items have matched. This decreases the chance of false positives.

 

webfilter_log_details.png
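
The scoring can be rehearsed offline before the profile is attached to a policy. The Python sketch below is an added example, not Fortinet code: it takes the entries, the score of 10 per match and the threshold of 20 from this article, approximates the wildcard matching with a regex, and runs it over constructed sample pages to show where a false positive would occur. Assumptions: matching is case-insensitive, each entry counts once per page, and the quoted entry is an exact phrase.

```python
import re

# Entries, per-match score and threshold as used in this article's CLI script.
PATTERNS = [
    "*nebulaclock.js", "*nebulamain.js", "*stealthEngine.js",
    "NebulaWeb", '"Nebula Services"', "unblocker",
]
SCORE_PER_MATCH = 10   # each match adds 10, as the article states
THRESHOLD = 20         # bword-threshold


def to_regex(pattern):
    """Approximate one wildcard entry (assumption, not FortiOS's matcher):
    '*' matches any run of non-space characters, surrounding quotes mark an
    exact phrase, and matching is case-insensitive."""
    parts = [re.escape(p) for p in pattern.strip('"').split("*")]
    return re.compile(r"\S*".join(parts), re.IGNORECASE)


def verdict(html):
    """Return (action, score, matched entries); each entry is counted once
    per page (assumption)."""
    matched = [p for p in PATTERNS if to_regex(p).search(html)]
    score = len(matched) * SCORE_PER_MATCH
    return ("block" if score >= THRESHOLD else "allow", score, matched)


# Constructed sample pages, not captured from any real site.
SAMPLES = {
    "proxy_like": '<title>NebulaWeb</title>'
                  '<script src="/static/nebulamain.js"></script>',
    "benign_blog": "<p>Review of a popular ad unblocker extension.</p>",
    "policy_notice": "<p>Why the NebulaWeb unblocker is not permitted "
                     "on the campus network.</p>",
    "benign_plain": "<p>Quarterly network maintenance notice.</p>",
}

if __name__ == "__main__":
    for name, html in SAMPLES.items():
        action, score, matched = verdict(html)
        print(f"{name:14} {action:5} score={score:2} matched={matched}")
```

The `policy_notice` sample is blocked even though it only discusses the tool, which is the kind of false positive that keyword entries such as "unblocker" can cause and that script-name entries avoid.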

 

Related articles:

- How to enable Keyword Blocking using Content Filter.

- Docs - Web Content filter.
