Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Not applicable

Browsers Circumvent Web Filtering

We have been getting reports that people are able to get to blocked content using Firefox 4 and flavors of Chromium such as SRWare Iron. All IE versions, Safari, and Google branded Chrome " obey" the content filtering. Any ideas on how I can troubleshoot this other than having to monitor and write filters for all new user-agent strings that come along? We are running FortiOS Version 4.0 MR2
10 REPLIES 10
bmann
New Contributor

Can you describe to more details? What do you mean by " blocked content" ? URL filter or what? I can image some ways how to obey restrictions and it depends what is your configuration. It' s cat-and-mouse game.
billp
Contributor

If you give some specifics, we might be able to give some suggestions. I have found Google image search to be problematic to filter, especially in Chrome. Sometime SafeSearch is enforced, sometimes not. I found it' s easier to filter on " safe=off" in the URL, but that' s not perfect either. I have never had a problem with it not blocking specific websites that were in a banned category, though. That has been rock solid for us. Of course, there are tons of proxy sites. That is a constant battle, but there are ways to fix that, too. Twitter is a big resource for those.

Bill ========== Fortigate 600C 5.0.12, 111C 5.0.2 Logstash 1.4.1

Bill ========== Fortigate 600C 5.0.12, 111C 5.0.2 Logstash 1.4.1
Not applicable

One of the categories we have set to be blocked is Web-Based Email. Staff members and students have been able to access Gmail, Yahoo Mail and MSN Hotmail using FF 4 and SRWare Iron. We constantly test browsers, along with all of our other applications, to make sure our builds are as up to date and secure as possible. All browsers are the most current, stable builds from their respective websites. We have done no customizing to the browsers. In poking around to see what else they may be able to get to, we found that certain sites categorized as Adult Materials and Pornography were also able to be accessed.
bmann
New Contributor

Do you have enabled " strict blocking" enabled " https" filtering disabled " Allow Websites When a Rating Error Occurs" ? try this and let know.
Not applicable

@bmann I took a screen shot of the UTM profile settings we use. I think we' ve got them set as you' ve suggested.
bmann
New Contributor

I would try to disable " Rate URLs by Domain and IP Address" . I have opposite experience with this. Site reclassfied to good category, but still blocked due to IP classification. When disabled, it works fine. Maybe it is opposite scenario, even it makes no sense. Or try to log all web access and debug maybe helpful too.
billp
Contributor

I second that motion :) I have not found the " Rate URLS by Domain and IP Address" option to be very useful. It feels like a throwback feature related to the " old" Internet where all sites only had one or two IPs. So many sites have huge ranges of IP addresses that vary by the particular content provider they use. Gmail might be particularly hard to filter, though, because it uses the same ssl cert as other Google sites, I think. . .you might need to filter that under Application Control? Just an idea if it doesn' t work. We don' t filter web email here. Logs are definitely your friends.

Bill ========== Fortigate 600C 5.0.12, 111C 5.0.2 Logstash 1.4.1

Bill ========== Fortigate 600C 5.0.12, 111C 5.0.2 Logstash 1.4.1
Not applicable

Thanks guys. I' ll look at implementing your suggestions and let you know how I make out!
Not applicable

Hi, I' ve checked all categories in webfiltering to be blocked (http and https) and I' ve enabled deep scan. But I' ve problems with gmail and firefox. If I go to https://mail.google.com with Internet explorer I' m blocked correctly. But if I try the same web with firefox I can acces to gmail!!! How can I fix it? Thanks.
Labels
Top Kudoed Authors