Description: This article describes a possible cause for Web Traffic to bypass Web Filter and DNS Filter inspection when the firewall rule has Deep Inspection.
Scope: FortiGate.
Solution:
Web Filter and DNS Filter are examples of Security Profiles that can be added to a Firewall Rule to perform different layers of inspection.
Web Filter inspects Web Traffic (mostly web browsing over the HTTP protocol). It is powered by FortiGuard to categorize each website, so the FortiGate Administrator can control which Web Categories can be accessed from the FortiGate-protected network.
DNS Filter inspects DNS traffic, categorizing the domain name in the DNS response sent to the client. The FortiGate Administrator can control which domain categories are allowed to be accessed from the FortiGate-protected network.
To inspect the secure version of these protocols, such as HTTPS and DoT, FortiGate needs to perform Deep Packet Inspection so it can sit in between the Client and the Server, establishing a secure connection with both, instead of the Client establishing a direct connection with the Server.
Due to privacy and legal guidelines, organizations are prohibited from performing Deep Packet Inspection on some categories of Web Traffic, such as Health and Wellness, as well as Finance and Banking. Also, some applications use HSTS, which is intended to prevent man-in-the-middle attacks; because Deep Packet Inspection works in the same way (the FortiGate terminates the client's secure connection and establishes its own to the server), it is impossible to perform Deep Packet Inspection on traffic to and from such applications.
For that reason, FortiGate contains a list of pre-configured wildcard FQDN addresses on the System Default Deep Inspection Profile:
Traffic matching those addresses is not decrypted for inspection, so the Security Profiles act only on information contained in the unencrypted portion of the packets, including the information available in the certificates used to establish the secure connection.
Because administrators can add new objects and Categories to the exemption list, and because the IP addresses used by Content Distribution Networks (CDN) change dynamically, traffic that should be inspected, or even blocked, can sometimes become accessible because its destination IP matches an entry in the Deep Inspection exemption list.
If that happens, the FortiGate Administrator can proceed with the following troubleshooting steps.
1. To verify whether the traffic is matching the exemption list, clone the production Deep Inspection profile and, in the new profile, remove the exemption list.
2. Using a client device for testing, create a firewall rule to match the traffic of interest, narrowing it down to match only the testing device's source IP and the destination of interest.
3. In the test firewall rule, apply the same Security Profiles as the production firewall rule, except for the Deep Inspection profile. In the test firewall rule, apply the cloned Deep Inspection profile, without the exempt list.
4. Using the test device, try to access the destination of interest. If the behavior changes and the expected Security Action is executed, the IP address of the website/domain likely matches one of the entries of the exempt list.
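The following script is an added illustration of the bypass mechanism described above and of the check behind the troubleshooting steps; it is not code from the Fortinet article or from FortiOS. It uses a constructed wildcard FQDN exemption list and a constructed table of what each hostname currently resolves to, and reports every non-exempt hostname whose current addresses collide with addresses of an exempt name, which is exactly the situation in which an IP-level exemption match lets traffic through that the name-based policy would have inspected. All hostnames, patterns and IP addresses are constructed sample data.

```python
"""Added illustration (not part of the Fortinet article): why an IP-based
Deep Inspection exemption can let traffic for an unrelated, blocked host
through when both hosts sit behind the same CDN address.

All hostnames, patterns and addresses below are constructed sample data."""
from fnmatch import fnmatchcase
from ipaddress import ip_address

# Constructed exemption list in the style of wildcard FQDN entries.
EXEMPT_PATTERNS = ["*.bank-example.test", "*.health-example.test"]

# Constructed DNS "resolution table": what each hostname currently resolves to.
# A CDN fronts several customers, so unrelated names share addresses.
RESOLUTIONS = {
    "www.bank-example.test": {"203.0.113.10", "203.0.113.11"},
    "portal.health-example.test": {"203.0.113.20"},
    "games.blocked-example.test": {"203.0.113.11", "198.51.100.5"},
    "news.allowed-example.test": {"198.51.100.9"},
}


def matches_exemption(hostname, patterns=EXEMPT_PATTERNS):
    """Name-based check: does the hostname (e.g. from SNI) match a wildcard FQDN entry?"""
    return any(fnmatchcase(hostname.lower(), p.lower()) for p in patterns)


def exempt_ips(resolutions=RESOLUTIONS, patterns=EXEMPT_PATTERNS):
    """Every address the exempt names currently resolve to."""
    ips = set()
    for host, addrs in resolutions.items():
        if matches_exemption(host, patterns):
            ips.update(addrs)
    return ips


def bypass_candidates(hostname, resolutions=RESOLUTIONS, patterns=EXEMPT_PATTERNS):
    """Addresses of a non-exempt host that collide with the exempt address set.

    A non-empty result means a connection to that host over one of these
    addresses would be treated as exempt by an IP-level match, even though
    the hostname itself is not on the exemption list."""
    if matches_exemption(hostname, patterns):
        return set()
    return resolutions.get(hostname, set()) & exempt_ips(resolutions, patterns)


def audit(resolutions=RESOLUTIONS, patterns=EXEMPT_PATTERNS):
    """Map each non-exempt host that has colliding addresses to those addresses."""
    report = {}
    for host in resolutions:
        colliding = bypass_candidates(host, resolutions, patterns)
        if colliding:
            report[host] = sorted(colliding, key=ip_address)
    return report


if __name__ == "__main__":
    for host, ips in audit().items():
        print(f"{host}: shares exempt address(es) {', '.join(ips)}")
```

In the sample data, games.blocked-example.test shares 203.0.113.11 with www.bank-example.test, so a session to that address is reported as a bypass candidate; news.allowed-example.test has no overlap and is not reported. On a real FortiGate the equivalent evidence is the behavior change observed in step 4 when the cloned profile without the exemption list is applied.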
Related document:
Copyright 2025 Fortinet, Inc. All Rights Reserved.