FortiGate
mramalinga
Staff
Description
This article describes how the ‘Simple’ URL filter type is inspected in Flow inspection mode.

Solution
In Flow-based inspection, the IPS engine inspects the traffic.

For ‘Simple’ patterns, the IPS engine uses a rule in which only partial matching is possible.
This behavior is by design.

Example 1:
If camel.com is added as type ‘Simple’ under Static URL Filter, in Flow mode the IPS engine also matches URLs with the domain 'camelcamelcamel.com'.

Example 2:
Static URL Filter is configured to block the 'Simple' type entry 's.id'. In this case, the website apps.identrust.com is also blocked.

Configured as below:
config webfilter urlfilter
    edit 1
        set name "Auto-webfilter-urlfilter_fuajzhlqi"
        config entries
            edit 27
                set url "s.id"         <-----
                set action block       <-----
            next
        end
    next
end

Excerpt from the WebFilter log:
date=2021-03-10 time=09:33:58 id=6937940868305257768 itime="2021-03-10 09:33:58" euid=3 epid=6288 dsteuid=3 dstepid=101 logver=604021723 type="utm" subtype="webfilter" level="warning" action="blocked" sessionid=383954196 policyid=55 srcip=10.1.2.3 dstip=192.35.177.64 srcport=51121 dstport=80 proto=6 logid=0315012544 service="HTTP" eventtime=1615365238986150716 urlfilteridx=1 sentbyte=140 rcvdbyte=0 craction=8 crscore=30 crlevel="high" srcintfrole="undefined" dstintfrole="wan" direction="outgoing" reqtype="direct" url="http://apps.identrust.com/roots/dstrootcax3.p7c" urlfilterlist="Auto-webfilter-urlfilter" hostname="apps.identrust.com" profile="BlockingFaultUrls" eventtype="urlfilter" srcintf="npu0_vlink1" dstintf="EXT-VLAN1240" urlsource="Local URLfilter Block" msg="URL was blocked because it is in the URL filter list" tz="+0100" devid="FGxxxxxxxxxxxx" vd="VD-EXTERN" dtime="2021-03-10 09:33:58" itime_t=1615365238 devname="FGT"
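
The following is an added example, not part of the original article and not Fortinet code: a Python audit of blocked WebFilter log entries that separates blocks where the host equals the ‘Simple’ pattern or is a subdomain of it from blocks caused only by partial matching. It assumes partial matching behaves as case-insensitive substring containment on the hostname, which agrees with both examples above but is a simplified model and not the IPS engine's algorithm; the function names and the shortened log lines are constructed.

```python
import re

# Constructed, shortened WebFilter log lines (same key=value layout as the excerpt above).
SAMPLE_LOGS = [
    'date=2021-03-10 action="blocked" eventtype="urlfilter" hostname="apps.identrust.com" '
    'url="http://apps.identrust.com/roots/dstrootcax3.p7c"',
    'date=2021-03-10 action="blocked" eventtype="urlfilter" hostname="s.id" url="http://s.id/abc"',
    'date=2021-03-10 action="blocked" eventtype="urlfilter" hostname="camelcamelcamel.com" '
    'url="http://camelcamelcamel.com/"',
    'date=2021-03-10 action="passthrough" eventtype="urlfilter" hostname="www.example.org" '
    'url="http://www.example.org/"',
]

# key=value or key="quoted value with spaces"
KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_log(line):
    """Turn one log line into a dict, stripping the quotes from quoted values."""
    return {k: (q if v.startswith('"') else v) for k, v, q in KV.findall(line)}

def classify(host, pattern):
    """Assumed model: a 'Simple' pattern hits when it is a substring of the host.
    'intended'   = host is the pattern itself or a subdomain of it
    'collateral' = host only contains the pattern somewhere inside a label
    None         = pattern does not occur in the host at all"""
    host, pattern = host.lower(), pattern.lower()
    if pattern not in host:
        return None
    if host == pattern or host.endswith("." + pattern):
        return "intended"
    return "collateral"

def audit(log_lines, simple_patterns):
    """Return (hostname, pattern, verdict) for every blocked urlfilter event."""
    findings = []
    for line in log_lines:
        rec = parse_log(line)
        if rec.get("eventtype") != "urlfilter" or rec.get("action") != "blocked":
            continue
        for pattern in simple_patterns:
            verdict = classify(rec.get("hostname", ""), pattern)
            if verdict:
                findings.append((rec["hostname"], pattern, verdict))
    return findings

if __name__ == "__main__":
    for host, pattern, verdict in audit(SAMPLE_LOGS, ["s.id", "camel.com"]):
        print(f"{verdict:10} host={host} pattern={pattern}")
```

Entries reported as collateral are candidates for conversion to one of the exact-match options listed in this article.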

To perform an exact match, the following options are available:

1) Switch inspection to proxy mode in the respective policy/VDOM, if possible.

2) Use 'regex' type for the short patterns.
set url "x.co"
set type regex
This will cause the engine to do exact matching.

3) Use a ‘Wildcard’ type entry.

For example:
config webfilter urlfilter
    edit 1
        set name "Auto-webfilter-urlfilter_fuajzhlqi"
        config entries
            edit 27
                set url "*.s.id"       <-----
                set type wildcard      <-----
                set action block       <-----
            next
        end
    next
end

Note that the Fortinet Technical Support department does not offer technical assistance with regex configuration.

Internal Notes
Forticare ticket# 4749381.

Related Articles

Technical Tip: Technical support on customization on various Fortinet products
