Fortinet Forum
Mbutler522010

How do I block specific "sites.google.com"

We have the Google FQDNs opened per their suggestion ( https://support.google.com/a/answer/2589954?hl=en ) and ( https://support.google.com/drive/answer/6163291 )

 

The kids have discovered a number of gaming sites on Google homepages; all seem to be named "unblocked games", i.e.

https://sites.google.com/site/unblockedgames4me

https://sites.google.com/site/unblockedgames77

https://sites.google.com/site/punblockedgames/

 

The problem is that blocking Google by address doesn't seem to work, as every request seems to use a different one, and I don't know why, but I don't seem to be able to block by name.

 

I put in a simple IPv4 policy, source = any, Destination = "sites.google.com/site/unblockedgames4me", block

and it doesn't work. Because it is a block, there is no SSL inspection or anything like that....

 

When I look at the log there is nothing that says "sites.google.com/site/unblockedgames4me", just "encrypted-tbn1.gstatic.com", but I don't want to block all of Google, just the few sites.

 

Can anyone help?

2 Solutions

michellem812

Props to AlexFeren for the info on how to do this - I used that info and expanded on it to give me what I needed. You need to use Deep/Full SSL inspection to restrict on the words in the URL, and if you deploy certificates I think it is easier to configure the FortiGate, but I did not want to install certificates. So instead you have to do what AlexFeren suggested - use the Deep/Full SSL profile, but also exempt most sites/categories due to HSTS, so that the end users don't get a web prompt to 'continue to this site' for most sites. If you do not require end users to install a certificate on their device, then it is a matter of playing with the "firewall ssl-ssh-profile" exemptions to get around Chrome's HSTS restrictions but still block what you want.


19 REPLIES
gschmitt

Don't use a FQDN Object for Webfiltering

Please go to Security Profiles > Webfilter and select your used Webfilter

Check Enable URL Filter and click Create New

Enter your URL, make sure Enable is checked and hit OK and Apply

Make sure the Webfiltering Profile is selected for your internal to wan policy

Mbutler522010

Unfortunately that doesn't work. I tried it; the logs showed 2 blocked packets, then success to a different address and the website came up. I am going to have to open a support ticket on this, I think.

Allwyn_Mascarenhas

Just go through this and you will get the idea on how to do it.

 

What you did failed exactly because it had no SSL inspection, as you said. Also don't forget to block Google's new QUIC protocol.

 

So many people are struggling with this because of their QUIC thing now. We should have a sticky post with a checklist for web filtering.

Mbutler522010

thanks, I will give it a try

michellem812

Did you figure this out? I haven't gotten it working yet either, but I did just disable QUIC. I opened a support ticket to ask FG, but didn't know if you had it working to block the "unblocked" Google sites yet, yet leave all the other Google sites open.

AlexFeren

Mbutler522010 wrote:

unfortunately that doesnt work.

I believe it's working for me:

 

FG60C (root) # show firewall policy 18
config firewall policy
    edit 18
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set logtraffic all
        set comments "Block Ads"
        set av-profile "Block_Virus_Botnet_AV"
        set webfilter-profile "Block_Ads_Security_WF"
        set application-list "Block_Botnet_AppCtrl"
        set profile-protocol-options "default"
        set ssl-ssh-profile "Deep-inspection with HSTS Exception"
    next
end

FG60C (root) # show webfilter profile Block_Ads_Security_WF
config webfilter profile
    edit "Block_Ads_Security_WF"
        set ovrd-perm bannedword-override urlfilter-override fortiguard-wf-override contenttype-check-override
        config override
            set ovrd-scope ask
            set ovrd-dur 2h
            set ovrd-user-group "Local Users Group"
            set profile "monitor-all for override"
        end
        config web
            set urlfilter-table 1
        end
        config ftgd-wf
            unset options
            set category-override g01 g02 g04 g05 g06 g07 g21 142 140 141
            set ovrd 8 13 14 g05 17
            config filters
                edit 17
                    set category 17
                    set action block
                next
                edit 26
                    set category 26
                    set action block
                next
                edit 61
                    set category 61
                    set action block
                next
                edit 86
                    set category 86
                    set action block
                next
                edit 87
                    set category 13
                    set action block
                next
                edit 88
                    set category 8
                    set action block
                next
                edit 89
                    set category 14
                    set action block
                next
            end
        end
    next
end

FG60C (root) # get webfilter urlfilter *id
ID. 1  Block_Ads_Security_WF

FG60C (root) # show webfilter urlfilter 1
config webfilter urlfilter
    edit 1
        set name "Block_Ads_Security_WF"
        config entries
            edit 1
                set url "s.yimg.com/gs/apex/mediastore/*"
                set type wildcard
                set action block
            next
            edit 2
                set url "sites.google.com/site/unblockedgames4me"
                set type wildcard
                set action block
            next
        end
    next
end

FG60C (root) # execute log filter reset
FG60C (root) # execute log filter category utm-webfilter
FG60C (root) # execute log filter field urlfilteridx 1

 

Now, from my machine, X.X.25.70, issue:

$ curl -ik https://sites.google.com/site/unblockedgames4me
        <p>
          The page you have requested has been blocked, because the URL is
          banned.
        </p>

On Fortigate get:

FG60C (root) # execute log display
11 logs found.
10 logs returned.
1: date=2015-12-09 time=17:02:32 logid=0315012544 type=utm subtype=webfilter eventtype=urlfilter level=warning vd="root" urlfilteridx=1 urlfilterlist="Block_Ads_Security_WF" policyid=18 sessionid=463855 user="" srcip=X.X.25.70 srcport=54357 srcintf="internal4" dstip=203.13.161.86 dstport=443 dstintf="wan1" proto=6 service=HTTPS hostname="sites.google.com" profile="Block_Ads_Security_WF" action=blocked reqtype=direct url="/site/unblockedgames4me" sentbyte=102 rcvdbyte=0 direction=outgoing msg="URL was blocked because it is in the URL filter list" crscore=30 crlevel=high

 

[Edit: corrected URL]
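As an added example (not code from AlexFeren's post or from Fortinet), a small Python parser for the key=value webfilter log lines shown above: it picks out the URL-filter block events and rebuilds the full blocked URL from hostname plus url, which for HTTPS is only populated when deep inspection is in place. The sample lines are constructed after the page's log entry, with placeholder source IPs.

```python
import re
from typing import Dict, List

# Constructed samples: line 1 mirrors the urlfilter block event on the page
# (source IP replaced with a documentation address); line 2 is a made-up
# allowed request to another Google host, for contrast.
SAMPLE_LOGS = [
    'date=2015-12-09 time=17:02:32 logid=0315012544 type=utm subtype=webfilter '
    'eventtype=urlfilter level=warning vd="root" urlfilteridx=1 '
    'urlfilterlist="Block_Ads_Security_WF" policyid=18 sessionid=463855 user="" '
    'srcip=192.0.2.70 srcport=54357 srcintf="internal4" dstip=203.13.161.86 '
    'dstport=443 dstintf="wan1" proto=6 service=HTTPS hostname="sites.google.com" '
    'profile="Block_Ads_Security_WF" action=blocked reqtype=direct '
    'url="/site/unblockedgames4me" sentbyte=102 rcvdbyte=0 direction=outgoing '
    'msg="URL was blocked because it is in the URL filter list" crscore=30 crlevel=high',
    'date=2015-12-09 time=17:03:10 type=utm subtype=webfilter eventtype=ftgd_allow '
    'level=notice policyid=18 srcip=192.0.2.70 service=HTTPS hostname="docs.google.com" '
    'action=passthrough reqtype=direct url="/document/d/example" '
    'msg="URL belongs to an allowed category"',
]

# key=value pairs; values are either a double-quoted string (may contain
# spaces) or a bare token with no whitespace.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse one FortiGate log line into a dict, stripping the quotes."""
    fields: Dict[str, str] = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def urlfilter_blocks(lines: List[str]) -> List[Dict[str, str]]:
    """Return only URL-filter block events, each with the full URL rebuilt."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        f = parse_fortigate_log(line)
        if f.get("subtype") != "webfilter" or f.get("eventtype") != "urlfilter":
            continue
        if f.get("action") != "blocked":
            continue
        scheme = "https" if f.get("service") == "HTTPS" else "http"
        hits.append({
            "src": f.get("srcip", ""),
            "policy": f.get("policyid", ""),
            "list": f.get("urlfilterlist", ""),
            "url": f"{scheme}://{f.get('hostname', '')}{f.get('url', '')}",
        })
    return hits
```

Run it over the output of `execute log display` after the log filter shown above to confirm which URL-filter entry fired and for which client.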

michellem812

Sorry for the late reply, but mine still doesn't work. What settings do you have for your "set ssl-ssh-profile "Deep-inspection with HSTS Exception" profile? I believe that might be my issue. With only "set status certificate-inspection" instead of full/deep inspection, then my FG won't block by the wildcard in the Google site URL. If I enable Full (deep) inspection, then Google complains about HSTS issues. How did you get past that issue? 

AlexFeren

michellem812 wrote:

If I enable Full (deep) inspection, then Google complains about HSTS issues. How did you get past that issue?

See "config ssl-exempt" below.

 

FG60C (root) # show firewall ssl-ssh-profile "Deep-inspection with HSTS Exception"
config firewall ssl-ssh-profile
    edit "Deep-inspection with HSTS Exception"
        set comment "Deep inspection!"
        config https
            set ports 443
        end
        config ftps
            set ports 990
        end
        config imaps
            set ports 993
        end
        config pop3s
            set ports 995
        end
        config smtps
            set ports 465
        end
        config ssl-exempt
            edit 1
                set type address
                set address "*.adobe.com"
            next
            edit 2
                set type address
                set address "android"
            next
            edit 3
                set type address
                set address "apple"
            next
            edit 4
                set type address
                set address "appstore.com"
            next
            edit 5
                set type address
                set address "citrixonline"
            next
            edit 6
                set type address
                set address "dropbox.com"
            next
            edit 7
                set type address
                set address "Gotomeeting"
            next
            edit 8
                set type address
                set address "icloud"
            next
            edit 9
                set type address
                set address "itunes"
            next
            edit 10
                set type address
                set address "skype"
            next
            edit 11
                set type address
                set address "swscan.apple.com"
            next
            edit 12
                set type address
                set address "update.microsoft.com"
            next
            edit 13
                set type address
                set address "HSTS"
            next
        end
    next
end

 

FG60C (root) # show firewall addrgrp HSTS
config firewall addrgrp
    edit "HSTS"
        set member "wikipedia" "Google"
    next
end

 

FG60C (root) # show firewall addrgrp Google
config firewall addrgrp
    edit "Google"
        set member "*.google.com.au" "*.google.com"
    next
end

 

FG60C (root) # show firewall address *.google.com.au
config firewall address
    edit "*.google.com.au"
        set type fqdn
        set fqdn "*.google.com.au"
    next
end

FG60C (root) # show firewall address *.google.com
config firewall address
    edit "*.google.com"
        set type fqdn
        set fqdn "*.google.com"
    next
end

michellem812

Thank you so much!!! I am much closer on this now. It seems like many websites use HSTS, so if I want to use wildcard URL filters on HTTPS sites, then I should use Full/deep inspection to block the sites I want to block...but then I still need to exempt most everything else. So that's where I'm at now, trying to figure out all the sites I need to exempt. But this is so much closer to blocking the 'unblocked' Google sites - so thank you!!!