FortiProxy
FortiProxy provides enterprise-class protection against internet-borne threats and Advanced Web Content Caching
sjoshi
Staff
Article Id 359532
Description

 

This article describes an issue where the website 'mastercardconnect.com' is blocked by FortiProxy Application Control under the Tor application signature when it is accessed with Firefox. The same website loads without issues from the same machine when accessed with other browsers such as Chrome and Edge.

 

Scope

 

FortiProxy.

 

Solution

 

Firefox version = 131.0.
IPS Attack Engine = Version: 7.00181.
Application Definitions = Version: 28.00879.

 

When accessing https://www.mastercardconnect.com via Chrome, the website loads successfully. Attempting to access the same URL using Firefox results in the traffic being blocked by FortiProxy Application Control.

 

Block Page:

 

[Screenshot of the block page: Capture.PNG]

 

Block event logs:


date=2024-10-15 time=12:01:58 id=7425886433446985735 itime="2024-10-15 08:31:58" euid=1 epid=1 dsteuid=1 dstepid=1 logid=1059028705 type=utm subtype=app-ctrl level=warning eventtime=1728973918991511366 action=block srcip=10.5.210.32 srcport=57389 dstip=216.119.218.157 dstport=443 service=SSL proto=6 policyid=1 msg="Proxy: Tor" srcintf=port4 srcintfrole=undefined dstintf=port1 dstintfrole=wan sessionid=1908197390 crscore=10 crlevel=medium eventtype=signature direction=incoming apprisk=critical applist=DBL-IT-APP-FILTER appcat=Proxy app=Tor appid=15565 hostname=www.mastercardconnect.com url=/ incidentserialno=81793904 tz=+0530 craction=1048576 poluuid=60137048-9a58-51ee-2708-468ee8a4c551 policytype=policy srccountry=Reserved dstcountry="United States" devid=FPXVM8TM22000168 vd=root dtime="2024-10-15 12:01:58" itime_t=1728973918 devname=DBL-DC-FortiProxy-01

 

The log shows that the Firefox traffic is blocked by FortiProxy Application Control under the Tor application signature (app=Tor, appid=15565), which belongs to the Proxy category (appcat=Proxy); the blocked request is to hostname www.mastercardconnect.com on the policy using application list DBL-IT-APP-FILTER.

 

The issue occurs because FortiProxy (FPX) matches the traffic to https://www.mastercardconnect.com, specifically when it is sent by Firefox, against the Tor application signature in the Proxy category, and the application list blocks it. Either removing the Tor application signature from the application list or setting its action to Allow permits the traffic, which confirms that the block comes from this signature and not from another feature. Testing with Edge confirms that the website works fine, so the false positive is specific to Firefox.

 

During WAD debugging, the traffic to https://www.mastercardconnect.com was observed matching application signature 15565, which is the Tor application signature. This match is what causes the IPS engine to deny the connection and FortiProxy to return the block page.

 

[p:12327] ipsapp ses 1855 msg 6279 eval response dir 1 act 1 app 15565 proto 0 tlv_len 0 >> app sign 15565 is Tor app signature
[I][p:12327][s:1908197603] wad_ips_conn_engine_action :700 ips_conn=0x7f2892389790 dir=1 action=deny len=0 >> ips blocking the traffic

[I][p:12327][s:1908197603][r:1886] wad_dump_http_request :2731 hreq=0x7f288cf85a48 Received request from client: 10.5.210.32:50971

GET / HTTP/1.1
Host: www.mastercardconnect.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br, zstd


[V][p:12327][s:1908197603][r:1886] wad_http_marker_uri :1260 path=/ len=1
[V][p:12327][s:1908197603][r:1886] wad_http_parse_host :1635 host_len=25
[I][p:12327][s:1908197603][r:1886] wad_http_parse_host :1667 host=[25]www.mastercardconnect.com
[I][p:12327][s:1908197603][r:1886] wad_http_str_canonicalize :2186 enc=0 path=/ len=1 changes=0
[V][p:12327][s:1908197603][r:1886] wad_http_normalize_uri :2330 host_len=25 path_len=1 query_len=0
[I][p:12327][s:1908197603][r:1886] wad_http_req_domain_front_blk :10296 domain fronting chk uri host(is_abs=0 http_encap=1 connect=0): www.mastercardconnect.com
[V][p:12327][s:1908197603][r:1886] wad_http_req_exec_act :13915 request(0x7f288cf85a48), intercept(block_req), block(25)
[I][p:12327][s:1908197603][r:1886] __wad_http_build_replmsg_resp :789 Generating replacement message. The app is blocked by IPS. repmsg_id 53
[V][p:12327][s:1908197603][r:1886] wad_mem_c_malloc :138 size 32770 exceeds max_elm_size (18396); not using bucket
[V][p:12327][s:1908197603][r:1886] wad_http_msg_start_setup_proc :2293 msg(0x7f288cf85a48) proc-setup started from: req_resp_ready.
[V][p:12327][s:1908197603][r:1886] wad_http_def_proc_msg_plan :2255 msg(0x7f288cf85a48) setting up processor(req_resp_ready)
[V][p:12327][s:1908197603][r:1886] wad_http_msg_start_setup_proc :2293 msg(0x7f2892385de8) proc-setup started from: resp_forward.
[V][p:12327][s:1908197603][r:1886] wad_http_def_proc_msg_plan :2255 msg(0x7f2892385de8) setting up processor(resp_forward)
[I][p:12327][s:1908197603][r:1886] wad_dump_fwd_http_resp :2746 hreq=0x7f288cf85a48 Forward response from Internal:

 

Application signature 15565 is the Tor application signature:

[Screenshot of the application signature entry: app_no.jpeg]

 

Workaround:

Any one of the following restores access to the site. Options 1 and 3 widen the exception far beyond this one website (option 1 removes application control from all traffic on the policy, and option 3 also permits genuine Tor traffic that the signature is meant to catch), so prefer option 4, which limits the exception to this hostname, or use option 2 until the application definitions are updated.

  1. Disable the App Control Profile on the policy.
  2. Use the Chrome or Edge browser to access https://www.mastercardconnect.com.
  3. Set the action of the Tor application signature to 'allow'.
  4. Create a custom application signature specific to the hostname www.mastercardconnect.com and set its action to 'allow'.

 

Custom signature used for option 4 (matches the hostname in the SSL/TLS host context, case-insensitively):


F-SBID( --attack_id 2575; --name "MasterCard.Custom"; --protocol tcp; --service SSL; --app_cat 12; --weight 10; --pattern "mastercardconnect.com"; --context host; --no_case; )
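The following Python script is an added example for this article, not Fortinet code: it shows how to triage app-ctrl block events of the kind shown above and how to check that the custom signature's host pattern actually covers the blocked hostnames. It tokenises the key=value log format (quoted values such as msg="Proxy: Tor" may contain spaces), parses the option list of the F-SBID signature, and reports every blocked Tor event together with whether the signature's --pattern/--context host would match its hostname. The function names, the emulation of --pattern as a substring match on the host (with --no_case making it case-insensitive), and the sample log lines (one abridged from the event above, two constructed) are assumptions of this example.

```python
import re
from typing import Dict, List

# FortiProxy/FortiOS log lines are key=value pairs; a value is either bare (no
# spaces) or double-quoted and may then contain spaces, e.g. msg="Proxy: Tor".
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Options inside F-SBID( ... ): "--name value;" or a bare flag such as "--no_case;".
_OPT_RE = re.compile(r'--(\w+)(?:\s+("(?:[^"\\]|\\.)*"|[^;]*?))?\s*;')


def parse_log_line(line: str) -> Dict[str, str]:
    """Parse one key=value log line into a dict, stripping quotes from quoted values."""
    fields = {}
    for key, raw in _KV_RE.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def parse_fsbid(sig: str) -> Dict[str, str]:
    """Parse an F-SBID signature into {option: value}; flags like no_case map to ''."""
    m = re.search(r'F-SBID\((.*)\)\s*$', sig.strip(), re.S)
    if not m:
        raise ValueError("not an F-SBID signature")
    opts = {}
    for name, value in _OPT_RE.findall(m.group(1)):
        value = value.strip()
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        opts[name] = value
    return opts


def host_pattern_matches(opts: Dict[str, str], hostname: str) -> bool:
    """Emulate --pattern with --context host as a substring match on the host name
    (assumption of this example); --no_case makes the comparison case-insensitive."""
    if opts.get("context") != "host" or "pattern" not in opts:
        return False
    if "no_case" in opts:
        return opts["pattern"].lower() in hostname.lower()
    return opts["pattern"] in hostname


def triage(lines: List[str], custom_sig: str) -> List[Dict[str, object]]:
    """Return the app-ctrl block events for app=Tor, flagging those whose hostname
    the custom signature's host pattern covers (candidate false positives)."""
    opts = parse_fsbid(custom_sig)
    out = []
    for line in lines:
        ev = parse_log_line(line)
        if ev.get("type") != "utm" or ev.get("subtype") != "app-ctrl":
            continue
        if ev.get("action") != "block" or ev.get("app") != "Tor":
            continue
        host = ev.get("hostname", "")
        out.append({
            "srcip": ev.get("srcip"),
            "hostname": host,
            "appid": ev.get("appid"),
            "covered_by_custom_sig": host_pattern_matches(opts, host),
        })
    return out


# The custom signature from the article.
CUSTOM_SIG = ('F-SBID( --attack_id 2575; --name "MasterCard.Custom"; --protocol tcp; '
              '--service SSL; --app_cat 12; --weight 10; --pattern "mastercardconnect.com"; '
              '--context host; --no_case; )')

SAMPLE_LOG_LINES = [
    # Abridged from the block event shown in this article.
    'date=2024-10-15 time=12:01:58 type=utm subtype=app-ctrl level=warning action=block '
    'srcip=10.5.210.32 srcport=57389 dstip=216.119.218.157 dstport=443 service=SSL '
    'msg="Proxy: Tor" appcat=Proxy app=Tor appid=15565 hostname=www.mastercardconnect.com '
    'url=/ dstcountry="United States"',
    # Constructed: a Tor block on another hostname that the custom signature must not cover.
    'date=2024-10-15 time=12:05:10 type=utm subtype=app-ctrl level=warning action=block '
    'srcip=10.5.210.40 dstport=443 service=SSL msg="Proxy: Tor" appcat=Proxy app=Tor '
    'appid=15565 hostname=www.example.net url=/',
    # Constructed: a pass event, which triage ignores.
    'date=2024-10-15 time=12:06:00 type=utm subtype=app-ctrl level=information action=pass '
    'srcip=10.5.210.32 dstport=443 service=SSL appcat=Web.Client app=Example.Web '
    'appid=99999 hostname=www.mastercardconnect.com url=/',
]

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG_LINES, CUSTOM_SIG):
        print(row)
```

Run it against an export of your app-ctrl logs (one event per line) to list which blocked hostnames the custom signature would exempt; any Tor block whose hostname is not covered is either a genuine Tor connection or another false positive that needs its own review.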

 

This issue is resolved in APDB definition 29.901 (the latest at the time of writing), where the Tor application signature has been improved to reduce the risk of false positives. After updating the application definitions, remove the workaround so that the Tor signature is enforced again.