Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Kish
New Contributor

Webfilter blocking URI (Page) after allowing the Host Address (Domain)

Hi All, We have a Fortigate 30E and I have a requirement to block a certain page in a particular domain.

Ex.) There is a domain https://xyz.com. That primary domain must be allowed but a page in that domain must not be blocked, like https://xyz.com/page1.php? . I could find that after allowing the primary domain the firewall is creating a session, hence not blocking any URI path further. Correct me if I am wrong. Also please provide a way to implement the URI block (or) HTTP method block (or) using any other method, but the primary domain should be blocked. Thanks.

yashwani
Staff

You can use a static URL filter in the Web Filter profile to allow a specific URL instead of the domain. You can also use wildcard/regex to match a specific pattern. Example shown in the attached image. Mark it solved if it answered your query.

[Attached image: yashwani_0-1641273437288.png]

Regards
yashwani
Kish
New Contributor

Hi Yashwani,

Thanks for your reply. I have tried this but the problem is:

• The main domain must be allowed, i.e. https://xyz.com
• After a user logs in to that particular website xyz.com, an allow session is created in the firewall session table. Also a cookie is created by that website to maintain persistence.
• Next, in that website there is a particular page https://xyz.com/Page1.php, and that particular page has to be blocked.
• Since the main domain is already allowed by the firewall, I am unable to pick the URI of that domain and create a filter policy for that particular page.

Please suggest me if there is any way to work on this.

yashwani

You can use a regular expression to exclude the specific page and allow all others instead of the full domain (https://xyz.com).

Regards
yashwani
Kish
New Contributor

Let me try this and update you, Thanks.

hermann
New Contributor II

Do you use deep packet inspection for this encrypted traffic?

Best regards
Hermann
Kish
New Contributor

Thanks for your reply. Yes Hermann, I have tried deep packet inspection with the default CA certificate. Not working. Even tried content inspection with some website content in the block list. But no use.

hermann
New Contributor II

Deep packet inspection is a MUST to enable any control of sub-URLs in the content filters. Without DPI the Fortigate is not able to see any content in encrypted packets. The host name could be visible, though, if it is a part of the SSL/TLS handshake.

Best regards
Hermann
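The two points made in this thread, a URL filter that blocks one page while allowing the rest of the domain, and the fact that without deep inspection only the host name is visible, can be checked with a small model. The code below is an added example and is not FortiGate code or output: it assumes a static URL filter is evaluated top to bottom with the first matching entry deciding, and the simplified `simple`/`regex` matching and the entry names are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Iterable
from urllib.parse import urlsplit


@dataclass
class UrlEntry:
    """One static URL filter entry (constructed model, not the FortiOS schema)."""
    pattern: str
    kind: str    # "simple": host plus optional path prefix; "regex": Python regex
    action: str  # "block" or "allow"

    def matches(self, visible: str) -> bool:
        if self.kind == "regex":
            return re.search(self.pattern, visible) is not None
        # simple: exact host/path, or the pattern followed by a deeper path.
        # The query string is ignored so "xyz.com/page1.php?id=3" still matches.
        host_path = visible.split("?", 1)[0]
        return host_path == self.pattern or host_path.startswith(self.pattern + "/")


def visible_url(url: str, deep_inspection: bool) -> str:
    """What the filter can see: host+path+query with DPI, host name only without
    (the SNI/certificate is all that is readable in the TLS handshake)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not deep_inspection:
        return host
    return host + parts.path + ("?" + parts.query if parts.query else "")


def evaluate(entries: Iterable[UrlEntry], url: str, deep_inspection: bool = True) -> str:
    """Return the action of the first matching entry, or "unmatched" if none
    matches (assumption: entries are checked in order, first match wins)."""
    seen = visible_url(url, deep_inspection)
    for entry in entries:
        if entry.matches(seen):
            return entry.action
    return "unmatched"


# Variant 1: block the page, then allow the domain. Order matters: the more
# specific block entry must sit above the domain-wide allow.
ORDERED = [
    UrlEntry("xyz.com/page1.php", "simple", "block"),
    UrlEntry("xyz.com", "simple", "allow"),
]

# Variant 2 (the regex approach): one allow entry for the host that excludes
# the page via a negative lookahead, followed by a block for the rest of it.
REGEX = [
    UrlEntry(r"^xyz\.com(?!/page1\.php)", "regex", "allow"),
    UrlEntry(r"^xyz\.com", "regex", "block"),
]
```

With `deep_inspection=False` the page entry can never match, because only `xyz.com` is visible and the domain allow wins, which is the behaviour Hermann describes.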
Kish
New Contributor

I have tried Deep Packet Inspection. My doubt is, will FortiGate look into the sub-URL / path after creating the stateful session entry for the particular destination? The firewall is doing a man-in-the-middle process, but I am not sure whether it is checking the requested sub-URL / path for that domain every time. Is there anything to deal with cookies?

hermann
New Contributor II

AFAIK you should not be worried about TLS 1.2 and before; each packet will be inspected. I have no idea if UTP works smoothly with TLS 1.3, though.

Best regards
Hermann