Support Forum
JC_Geosoft

[BUG] FortiClient [5.6.1] assuming webfilter policies when it shouldn't

Hey There,

 

I have found a bug with FortiClient 5.6.1 where it's assuming policies set by my organization that it should not be doing. Namely, the web filtering of "Newly Observed Domains". This feature in the FortiClient, which I'm testing as a replacement for 3rd party antivirus, is triggering too many false-positive alerts. I purposefully have this disabled on my FortiGate policies for this reason. I have tried to disable this feature many times on the FortiClient, but it seems to ignore any attempt I make to turn this feature off and will always remain in a "deny access" state.

 

Application: FortiClient 5.6.1

Platform: Windows 10 (Build 1709)

Application: FortiClient EMS 1.2.2

Platform: Windows 2016

Steps to reproduce:

- Login to FortiClient EMS and setup a profile that does not use web filtering.

- Setup the AntiVirus profile with default options. Enable "Block access to malicious websites"

- Register a FortiClient to use this profile. The FortiClient installation would need Antivirus and Web Filtering.

Expected behaviour:

- Browse to a website Fortinet classified as "newly observed domain"

- Be granted access to such sites

Observed behaviour:

- FortiClient will block access to the site with a Fortinet Splash page saying category is blocked by FortiClient Administrator

- Since a "newly observed domain" is not a malicious site, there is no reason why this page should be blocked. You will see later on there is no way to bypass this issue.

 

These classifications of Malicious Websites require the Web Filter engine to be installed on the FortiClient, but do not require web filtering to be enabled in FortiClient EMS. That being said, I would expect the ability to disable this feature in the webfilter.

 

Steps to reproduce:

- Open the profile above in FortiClient EMS

- Enable the Web Filter portion of the webfilter

Expected behaviour: 

- Have the ability to granularly control "newly observed domains"

Observed behaviour:

- There is no UI option to configure this item.

 

After a little digging, I found the webfilter id being used by the FortiGuard service, which is listed here http://help.fortinet.com/...reCatalog-sec-pro.htm. I then attempted to modify the XML file to make the necessary changes. Since there wasn't a UI option for the Exploit Prevention option in EMS yet, XML was a good way to enable this on the client side.

 

Steps to reproduce:

- Open the profile in FortiClient EMS and edit the XML Configuration

- Browse the XML tree for Webfilter -> Profiles -> Profile -> Categories -> Category

- Locate the entry where category id is 90

- Change action from "deny" to "monitor" or "allow"

- Save the changes

Expected behaviour:

- Changing the "newly observed domain" into a more permissible state will allow site navigation

Observed behaviour:

- Website still being blocked.

 

Thinking "that's really weird, I should be able to use this site now. The configuration I push says I should. Is it not following these settings?", I decided to take the client out of managed mode and do some standalone testing.

 

Steps to reproduce:

- Install a FortiClient in standalone mode with web filtering enabled

- Enable "block all access to malicious websites" on the antivirus portion of the configuration

- Backup the FortiClient configuration to disk using the FortiClient File -> Settings menu

- Edit the FortiClient configuration, browse the XML tree for Webfilter -> Profiles -> Profile -> Categories -> Category

- Locate the entry where category id is 90

- Change action from "deny" to "monitor" or "allow"

- Save the changes

- Restore the configuration changes back into FortiClient

Expected behaviour:

- Changing the "newly observed domain" into a more permissible state will allow site navigation

- Making a new backup of the restored configuration would reflect the changes I made

Observed behaviour:

- Website still being blocked.

- Making a new backup of the restored configuration will actually show category id 90 reverted to a deny state
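The post's XML procedure (find the category entry with id 90 and change its action) and its last observed result (the re-exported backup shows the entry reverted to deny) can both be scripted, so the check becomes a comparison rather than a manual read of the tree. The following is an added example and is not code from the original post or from Fortinet. It assumes the element path quoted in the post (webfilter/profiles/profile/categories/category) and assumes `id` and `action` attributes on the category element; the sample export is constructed for the example and is not a real FortiClient schema.

```python
import xml.etree.ElementTree as ET

# Assumed element path, taken from the tree the post describes
# (Webfilter -> Profiles -> Profile -> Categories -> Category). Tag and
# attribute names are assumptions; the real FortiClient schema may differ.
CATEGORY_XPATH = "./webfilter/profiles/profile/categories/category"
NEWLY_OBSERVED_DOMAIN_ID = "90"   # FortiGuard category id named in the thread
VALID_ACTIONS = ("allow", "monitor", "warn", "deny")

# Constructed sample export shaped like the assumed path above.
SAMPLE_EXPORT = """<forticlient_configuration>
  <webfilter>
    <profiles>
      <profile>
        <categories>
          <category id="26" action="allow"/>
          <category id="90" action="deny"/>
        </categories>
      </profile>
    </profiles>
  </webfilter>
</forticlient_configuration>
"""


def _find_category(root, category_id):
    """Return the first category element with the given id, or None."""
    for cat in root.findall(CATEGORY_XPATH):
        if cat.get("id") == category_id:
            return cat
    return None


def category_action(xml_text, category_id):
    """Return the action recorded for a category id, or None if absent."""
    cat = _find_category(ET.fromstring(xml_text), category_id)
    return None if cat is None else cat.get("action")


def set_category_action(xml_text, category_id, action):
    """Return a copy of the export with the category's action replaced.

    Rejects unknown actions and missing categories instead of silently
    writing a document the client would ignore.
    """
    if action not in VALID_ACTIONS:
        raise ValueError(f"unknown action {action!r}; expected one of {VALID_ACTIONS}")
    root = ET.fromstring(xml_text)
    cat = _find_category(root, category_id)
    if cat is None:
        raise KeyError(f"category id {category_id} not found under {CATEGORY_XPATH}")
    cat.set("action", action)
    return ET.tostring(root, encoding="unicode")


def verify_applied(pushed_xml, reexported_xml, category_id=NEWLY_OBSERVED_DOMAIN_ID):
    """Compare the action you pushed with the action a fresh export reports.

    The post's final observation (category 90 back to deny after restore)
    shows up here as applied == False with observed == "deny".
    """
    pushed = category_action(pushed_xml, category_id)
    observed = category_action(reexported_xml, category_id)
    return {
        "category_id": category_id,
        "pushed": pushed,
        "observed": observed,
        "applied": pushed == observed,
    }


if __name__ == "__main__":
    pushed = set_category_action(SAMPLE_EXPORT, NEWLY_OBSERVED_DOMAIN_ID, "monitor")
    # Simulate the reversion the post describes by re-exporting the original.
    print(verify_applied(pushed, SAMPLE_EXPORT))
```

In practice `pushed_xml` is the file you restored and `reexported_xml` is the backup taken afterwards; a result with `applied` false is the evidence to attach to a support case.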

Sebastiaan_Koopmans

Same issue here... Ticket created @Support 2448916

FortiAnalyzer / 6.4.0
FortiClient / 6.2.6
FortiClient EMS VM / 6.2.6
FortiGate 300D HA 6.2.4
FortiGate 500E HA 6.2.4
FortiGate 30E / 60E / 100E / 6.0.9
FortiMail VM HA / 6.4.0
FortiSandbox VM / 3.2.0
FortiWeb VM / 6.3.2
FortiManager VM / 6.4.0
FGTuser

Same issue when using standalone FortiClient 5.6.2.

There is no option to enable "Newly Observed Domains" in the webfilter config; the only workaround is to disable webfiltering.

kolawale_FTNT

Based on FortiGuard Web Filter Categories, "Newly Observed Domains" is part of the "Security Risk" category. Try disabling "Block access to malicious websites" to verify.

If a website should be recategorised, consider submitting a request.

JC_Geosoft

Hi kolawale,

 

While the item may be classified as a Security Risk, it isn't "malicious", which is what the box is for. I would rather not have a client be less protected to remove this option as well. I would rather have the option to take no action on this category like the other ones that exist. If I want this classification disabled, I should have that option. I don't want Fortinet to force this option upon me.

 

At this time, it's difficult to submit a request to get domains reclassified if the GoToMeeting application is being blocked, and it doesn't tell me what the URL is. Not to mention that I cannot wait for Fortinet to fix its classification if a webinar needs to be presented while they are working from home. It is also blocking LAN traffic from private IP addresses that are not on the same broadcast domain.

 

 

FGTuser

1) It's hard to understand why "Newly Observed Domains" is part of the "Security Risk" category?! But it is and shouldn't be blocked by default.

2) It's also blocking direct IP access - e.g. to the FortiGate web GUI https://1.2.3.4; how can an IP be categorized? Please don't tell me to put all the IPs I need on the exclusion list one by one.

3) IP access wasn't an issue in 5.6.0 and earlier; not sure about "Newly Observed Domains".

4) I have "block malicious websites" enabled in the AntiVirus tab - as I've tested now, this doesn't work when Web Security is disabled. Completely misleading - why does it state enabled (in the AV tab) while it's really disabled (controlled by the Web Security setting)?

5) Exclusions still go to Web Security tab. Does it make any sense?

 

So there are definitely a few things to fix:

1) There is no sense in moving the whole "Security Risk" category to the AntiVirus setting "block malicious websites" when it doesn't work until you have Web Security enabled. Either move it back to Web Security, or it should work even if Web Security is disabled, or at least it should be disabled automatically in the AntiVirus tab when Web Security is disabled.

2) Regardless of whether it stays in the AntiVirus part or not (I prefer to have it back in Web Security), it should be possible to allow/block/warn/monitor, or at least allow/block, per subcategory (Dynamic DNS, etc.). Now it's block all or nothing.

 

It was OK in previous versions of FC (everything in the Web Security part, possible to manage subcategories), then it was messed up (moving "Security Risk" to AntiVirus, no subcategories), and now it's messed up completely as described in this post.

Sorry to be honest.

 

PS: I don't have paid Forticlient/EMS, so can't open ticket for this.

 

TechConnect_JC

I have experienced similar issues with this new FortiClient change (the issue above is also happening in the latest FortiClient 5.6.2).

I was also unable to modify the Category settings from "Deny" to "Warn" using the XML export/import idea.

 

This FortiClient change has broken legitimate access to internal web management access (when accessing by IP) since it is now categorized as a "Newly Observed Domain".

 

These new categories should be shown in the Web Filter feature; not hidden and grouped under "Security Risk" in AntiVirus feature.

The individual categories and actions should be adjustable; or they should be set to "Warn" by default.

 

As a temporary work-around, I added 10.* and 192.168.* to the Web Filter exclusion list so my users could access their internal printers/servers/devices/etc.

 

Carl_Wallmark

I'm seeing the same thing:

 

Blocked (Security Risk:Newly Observed Domain): 2.16.162.11/ (C:\Users\x\AppData\Local\Akamai\netsession_win.exe) 2017-11-17 07:13:22
Blocked (Security Risk:Newly Observed Domain): 2.16.162.4/ (C:\Users\x\AppData\Local\Akamai\netsession_win.exe) 2017-11-17 07:10:25
Blocked (Security Risk:Newly Observed Domain): 2.16.162.5/ (C:\Users\x\AppData\Local\Akamai\netsession_win.exe) 2017-11-17 07:08:26
Blocked (Security Risk:Newly Observed Domain): 2.16.162.12/ (C:\Users\x\AppData\Local\Akamai\netsession_win.exe) 2017-11-17 07:07:08
Blocked (Security Risk:Newly Observed Domain): 2.16.162.10/ (C:\Users\x\AppData\Local\Akamai\netsession_win.exe) 2017-11-17 07:06:16
Blocked (Security Risk:Newly Observed Domain): 2.16.162.14/ (C:\Users\x\AppData\Local\Akamai\netsession_win.exe) 2017-11-17 07:05:41
Blocked (Security Risk:Newly Observed Domain): 2.16.162.14/ (C:\Users\x\AppData\Local\Akamai\netsession_win.exe) 2017-11-17 07:05:18

 

It blocks Akamai and also GoToMeeting...

 

5.6.2 is no good.

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

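The block lines Carl pasted, and the complaints earlier in the thread about direct-IP and LAN access being caught, are the kind of evidence that is worth tabulating before deciding on exclusions or opening a case. The following is an added example, not code from the forum post or from Fortinet: it parses lines in the format shown above, groups the blocks by the process that triggered them, and flags destinations that are private (RFC 1918) addresses, which is exactly the internal-management traffic TechConnect_JC and FGTuser describe losing. The line format is taken from the post; the two firefox.exe lines are constructed for the example, and the parser is my own.

```python
import ipaddress
import ntpath
import re
from collections import defaultdict

# Line shape as pasted in the thread:
#   Blocked (Security Risk:Newly Observed Domain): 2.16.162.11/ (C:\...\netsession_win.exe) 2017-11-17 07:13:22
LINE_RE = re.compile(
    r"^(?P<verdict>\w+) \((?P<category>[^)]*)\): (?P<target>\S+) "
    r"\((?P<process>[^)]*)\) (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})$"
)

# First three lines are from the post; the last two are constructed to show
# a private-address block and a hostname block.
SAMPLE_LOG = r"""
Blocked (Security Risk:Newly Observed Domain): 2.16.162.11/ (C:\Users\x\AppData\Local\Akamai\netsession_win.exe) 2017-11-17 07:13:22
Blocked (Security Risk:Newly Observed Domain): 2.16.162.4/ (C:\Users\x\AppData\Local\Akamai\netsession_win.exe) 2017-11-17 07:10:25
Blocked (Security Risk:Newly Observed Domain): 2.16.162.5/ (C:\Users\x\AppData\Local\Akamai\netsession_win.exe) 2017-11-17 07:08:26
Blocked (Security Risk:Newly Observed Domain): 10.0.0.1/ (C:\Program Files\Mozilla Firefox\firefox.exe) 2017-11-17 07:02:10
Blocked (Security Risk:Newly Observed Domain): meet.example/ (C:\Program Files\Mozilla Firefox\firefox.exe) 2017-11-17 06:58:41
""".strip().splitlines()


def parse_line(line):
    """Parse one block line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # The client logs the target as "host/"; keep only the host part.
    rec["host"] = rec.pop("target").rstrip("/")
    # ntpath handles the Windows path regardless of the OS this runs on.
    rec["process_name"] = ntpath.basename(rec["process"])
    return rec


def is_private_host(host):
    """True when the host is a private (RFC 1918 / ULA) IP literal."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:   # hostname, not an IP literal
        return False


def summarize(lines):
    """Group blocks by process name; list distinct hosts and the private ones."""
    by_proc = defaultdict(lambda: {"count": 0, "hosts": set(), "private_hosts": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["verdict"] != "Blocked":
            continue
        entry = by_proc[rec["process_name"]]
        entry["count"] += 1
        entry["hosts"].add(rec["host"])
        if is_private_host(rec["host"]):
            entry["private_hosts"].add(rec["host"])
    return {
        proc: {
            "count": e["count"],
            "hosts": sorted(e["hosts"]),
            "private_hosts": sorted(e["private_hosts"]),
        }
        for proc, e in by_proc.items()
    }


if __name__ == "__main__":
    for proc, e in summarize(SAMPLE_LOG).items():
        print(f"{proc}: {e['count']} blocks, hosts={e['hosts']}, private={e['private_hosts']}")
```

Processes with many distinct public hosts (the Akamai client here) point at a category problem to raise with FortiGuard; any entry with `private_hosts` is internal traffic that a web-reputation category has no business blocking and is the concrete list to exclude.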
SteveRoadWarrior

Testing with 5.6.3, meanwhile started case 2500010

FGTuser

5.6.3 doesn't block IPs (as it didn't in 5.6.0 already) -> good

But still blocks "Newly Observed Domains" category and you can't disable it without disabling "block malicious websites" completely -> bad
