Hi, I've trying to block any computers on my network from accessing sites that only uses HTTP. Currently I've tried blocking all the HTTP ports (80, 8008, 8080) but somehow it's still going through, does anyone know what I'm doing wrong?
I've uploaded the policy I created for this task.
1) this policy should be ordered to be first in lan-wan policy
2) try in cli -> conf firewall policy edit"policyID" set match-vip enable
________________________________________________________
--- NSE 4 ---
________________________________________________________
If it is a newer Fortigate OS version you can start with Security Policy Lookup - enter port 80 etc and see that only your Deny policy is indeed matched.
To really know on what feature/policy this goes out, you'd need to run debug on cli:
# diagn debug flow filter ? <-- Filter on something specific to the test, say IP address of remote website
# diag debug flow show function
# dia deb flow trace start
# dia deb enable
What I would do is do a application-control and with services ports that are not 443.
To find what policy that are allowing http just use the diag sys session and the filter
e.g
diag sys session filter dport 80
diag sys session list | grep policy_id
Than you can review those policyid# that's allowing the traffic flows
Ken Felix
PCNSE
NSE
StrongSwan
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.