FortiProxy
vshtaloja
Staff
Article Id 410855
Description This article describes behavior where a policy configured with the URL Category setting is not matched.
Scope FortiProxy v7.4, FortiProxy v7.6
Solution

An issue has been observed where a policy configured with 'action = Deny' and using the URL Category setting does not match as expected.

 

In this scenario, two explicit web proxy policies were configured, with the Deny policy positioned above the Accept policy (policies are evaluated top-down and the first match wins; the position in the policy table, not the numeric policy ID, decides the order):

 

  1. The first policy was configured with 'action = Deny' and a url-category.
  2. A second, more general policy with 'action = Accept' (allow all) was configured.

 

The issue caused traffic that should have matched the first policy (Deny) to instead match the second policy (Allow), so requests to sites in the configured URL category were permitted rather than blocked, and the logs for those sessions show the general Accept policy as the matched policy.

 

This known issue has been fixed in:

  • FortiProxy v7.4.12.
  • FortiProxy v7.6.4.

 

Policy 1: Deny - News and Media (no 'set action' line appears because deny is the default action for a firewall policy and 'show' omits default values):

 

config firewall policy
    edit 2
        set type explicit-web
        set name "news and media"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "webproxy"
        set explicit-web-proxy "web-proxy"
        set url-category 36 <----- News and Media.
        set logtraffic all
        set ssl-ssh-profile "certificate-inspection"
    next
end

 

Policy 2: Allow - Internet Access:

 

config firewall policy
    edit 1
        set type explicit-web
        set name "INTERNET"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "webproxy"
        set explicit-web-proxy "web-proxy"
        set logtraffic all
        set log-http-transaction enable
        set extended-log enable
        set ssl-ssh-profile "certificate-inspection"
    next
end
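The following is an added example, not Fortinet code and not part of the original article. It does two things a practitioner would want after reading the above: it checks whether a given FortiProxy version string is at or past the fixed builds listed earlier (v7.4.12 and v7.6.4), and it audits web filter log lines for the described behaviour by modelling the two policies from this article as a top-down, first-match table and comparing the policy that should have matched against the policyid recorded in each log line. The log field names (policyid, policyname, action, url, cat, catdesc) follow the FortiOS key=value log layout but are an assumption for this example, and the sample lines are constructed. It also goes slightly beyond the article by evaluating the same table in reversed order, to separate a plain policy-ordering mistake from this bug.

```python
"""Added example (not Fortinet code): check the fix status of a FortiProxy build and
audit FortiProxy-style web filter logs for a URL-category policy that was bypassed.

Assumptions (not from the article): log lines use the FortiOS key=value layout with
fields policyid, policyname, action, url, cat and catdesc; the sample lines below are
constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Builds that carry the fix, per the article, keyed by release branch.
FIXED_IN = {(7, 4): (7, 4, 12), (7, 6): (7, 6, 4)}


def is_fixed(version: str) -> Optional[bool]:
    """True if a version string such as "v7.4.12" is at or past the fixed build for
    its branch, False if it is earlier, None for branches the article does not cover."""
    parts = tuple(int(x) for x in version.lstrip("v").split("."))
    fixed = FIXED_IN.get(parts[:2])
    return None if fixed is None else parts >= fixed


@dataclass(frozen=True)
class Policy:
    policyid: int
    name: str
    action: str                                   # "deny" or "accept"
    url_category: FrozenSet[int] = frozenset()    # empty = matches any category


# Policy table in evaluation order (top-down, first match), as in the article:
# the deny policy for FortiGuard category 36 (News and Media) sits above the
# catch-all accept policy. The position, not the numeric ID, decides the order.
POLICIES: Tuple[Policy, ...] = (
    Policy(2, "news and media", "deny", frozenset({36})),
    Policy(1, "INTERNET", "accept"),
)


def expected_match(category: int, policies: Tuple[Policy, ...] = POLICIES) -> Optional[Policy]:
    """Return the first policy whose url-category filter is empty or contains the
    request's category; None means nothing matched (implicit deny)."""
    for policy in policies:
        if not policy.url_category or category in policy.url_category:
            return policy
    return None


# key=value pairs; quoted values may contain spaces and escaped quotes.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log(line: str) -> dict:
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in KV_RE.findall(line)}


def audit(lines: List[str], policies: Tuple[Policy, ...] = POLICIES) -> List[Tuple[str, int, int]]:
    """Return (url, logged policyid, expected policyid) for every categorized request
    whose logged policy differs from what first-match evaluation should have chosen.
    policyid 0 stands for the implicit deny, as in FortiOS logs."""
    findings = []
    for line in lines:
        rec = parse_log(line)
        if "cat" not in rec or "policyid" not in rec:
            continue                      # not a categorized web filter record
        expected = expected_match(int(rec["cat"]), policies)
        expected_id = expected.policyid if expected else 0
        if int(rec["policyid"]) != expected_id:
            findings.append((rec.get("url", ""), int(rec["policyid"]), expected_id))
    return findings


# Constructed sample: line 1 is the correct outcome, line 2 shows the bug (a News and
# Media request accepted by the catch-all policy), line 3 is an unrelated category.
SAMPLE_LOGS = [
    'date=2025-01-01 time=10:00:01 type="utm" subtype="webfilter" policyid=2 '
    'policyname="news and media" action="blocked" url="http://news.example/front" '
    'cat=36 catdesc="News and Media"',
    'date=2025-01-01 time=10:00:02 type="utm" subtype="webfilter" policyid=1 '
    'policyname="INTERNET" action="passthrough" url="http://news.example/sport" '
    'cat=36 catdesc="News and Media"',
    'date=2025-01-01 time=10:00:03 type="utm" subtype="webfilter" policyid=1 '
    'policyname="INTERNET" action="passthrough" url="http://docs.example/" '
    'cat=52 catdesc="Information Technology"',
]

if __name__ == "__main__":
    print("v7.4.11 fixed:", is_fixed("v7.4.11"))
    for url, got, want in audit(SAMPLE_LOGS):
        print(f"MISMATCH {url}: logged policyid={got}, expected policyid={want}")
```

Before attributing a mismatch to this issue, build POLICIES in the order the device actually shows in its policy table: if the Accept policy sits above the Deny policy, expected_match returns the Accept policy for category 36 and the audit reports nothing, which correctly identifies an ordering mistake rather than the bug.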
