Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
JC_Geosoft
New Contributor

[BUG] FortiClient [5.6.1] assuming webfilter policies when it shouldn't

Hey There,

 

I have found a bug with FortiClient 5.6.1 where it's assuming policies set by my organization that it should not be doing. Namely, the web filtering of "Newly Observed Domains". This feature in the FortiClient, which I'm testing as a replacement for 3rd party antivirus, is triggering too many false positives alerts. I purposefully have this disabled on my FortiGate policies for this reason. I have tried to disable this feature many times on the FortiClient, but it seems to ignore any attempts I do to turn this feature off and will always remain in a "deny access" state.

 

Application: FortiClient 5.6.1

Platform: Windows 10 (Build 1709)

Application: FortiClient EMS 1.2.2

Platform: Windows 2016

Steps to reproduce:

- Login to FortiClient EMS and setup a profile that does not use web filtering.

- Setup the AntiVirus profile with default options. Enable "Block access to malicious websites"

- Register a FortiClient to use this profile. FortiClient insallation would need Antivirus and Web Filtering.

Expected behaviour:

- Browse to a website Fortinet classified as "newly observed domain"

- Be granted access to such sites

Observed behaviour:

- FortiClient will block access to the site with a Fortinet Splash page saying category is blocked by FortiClient Administrator

- Since a "newly observed domain" is not a malicious site, there is no reason why this page should be blocked. You will see later on there is no way to bypass this issue.

 

These classifications of Malicious Websites are required for the Web Filter engine to be installed on the FortiClient, but does not require to have the FortiClient EMS to have web filter enabled. That being said, I would expect the ability to disable this feature in the webfilter.

 

Steps to reproduce:

- Open the profile above in FortiClient EMS

- Enable the Web Filter portion of the webfilter

Expected behaviour: 

- Have the ability to granular control "newly observed domains"

Observed behaviour:

- There is no UI option to configure this item.

 

After a little digging, I found the webfilter id being used by the FortiGard service which is listed here http://help.fortinet.com/...reCatalog-sec-pro.htm. I then attempted to modify XML file to make the necessary changes. Since there wasn't a UI option for the Exploit Prevention option in EMS yet, XML was a good way to enable this on the client side.

 

Steps to reproduce:

- Open the profile in FortiClient EMS and edit the XML Configuration

- Browse the XML tree for Webfilter -> Profiles -> Profile -> Categories -> Category

- Located where category id is 90

- Change action from "deny" to "monitor" or "allow"

- Save the changes

Expected behaviour:

- Changing the "newly observed domain" into a more permissible state will allow site navigation

Observed behaviour:

- Website still being blocked.

 

Thinking "that's really weird. I should be able to use this site now. The configuration I push says I should. Is it not following these settings?" So I decided to take the client out of managed mode and do some stand alone testing

 

Steps to reproduce:

- Install a FortiClient in standalone mode with web filtering enabled

- Enable "block all access to malicious websites" on the antivirus portion of the configuration

- Backup the FortiClient configuration to disk using the FortiClient File -> Settings menu

- Edit the FortiClient configuration, browse the XML tree for Webfilter -> Profiles -> Profile -> Categories -> Category

- Located where category id is 90

- Change action from "deny" to "monitor" or "allow"

- Save the changes

- Restore the configuration changes back into FortiClient

Expected behaviour:

- Changing the "newly observed domain" into a more permissible state will allow site navigation

- Making a new backup configuration of the restore config would reflect the changes I made

Observed behaviour:

- Website still being blocked.

- Making a new backup configuration of the restore config will actually show the category id 90 reverted to a deny state

13 REPLIES 13
SteveRoadWarrior

I've tested this combination and it works:

 

Use of Web Filter exclusions: working under 5.6.3 client with EMS server 1.2 Patch 3

How to:

- be sure your EMS Server is up to date

- deploy the 5.6.3 client.  You can reuse MST from your previous MSI deployment.

     see: https://forum.fortinet.com/tm.aspx?m=153392

- edit the profile for your group of machines

- go to web filter and scroll down to "Exclusion List"

- add the domain to the exclusion list and click "Save"

- wait 60 seconds or so and test

- at the workstation, you can verify the client got the changes by:

   - click on web filter

   - click on site categories

   - look for "exclusion list" on the left side

   - look for your new entry in the domain exclusions list

 

 

 

 

ExpertDeveloper

Using standalone FortiClient, and faced the same issue. Getting a blocked message. What is the next step?

App Developer | Moblie app development company

App Developer | Moblie app development company
Markus
Valued Contributor

It seems it's a while, any news if this is coming to ems/webfilter category? This is worst as we daily have issues and have to whitelist domains. This should get fixed asap, I don't want to disable "Block Access to Malicious Websites". This is not the way of security.


________________________________________________________
--- NSE 4 ---
________________________________________________________

________________________________________________________--- NSE 4 ---________________________________________________________
ggntt

Just wondering does anyone have any issue with users reporting that Forticlient is blocking access to public wifi such as hotel captive portals ?

 

We also have EMS managing Forticlient profiles, but during testing, some users complained that they cannot access wifi in hotels which is a problem. We thought we were clever enabling webfiltering to block malicious sites and unrated sites, but it seems to cause an issue.  We thought about the possibility of whitelisting internal subnets e.g 192.168.x.x etc but I guess a lot of those captive portals use DNS names etc...

 

Anyone any suggestions or experience similar issues ?

 

thanks

ggntt

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors