I have a lot of user web traffic that is ultimately hitting the implicit deny: instead of matching the general 80/443 web rule we have in place with the appropriate UTM, it is hitting the implicit deny. The commonality with all of this traffic is that rather than being seen as SSL or web browser application traffic it is being seen as a CDN application (Akamai, Fastly, AWS, etc.).
I'm trying to determine what would be the best way to handle it. I thought about creating a clone of the standard web browsing rule and making it specific with CDN applications, but in the logs they all report as "unscanned" sites and I don't think the web filtering would work in those cases, which I fear would leave some holes I don't want.
Was hoping someone else has dealt with this, or something similar, and had a course of action they took.
Thanks!
Did you try using ISDB as destination?
CDN entries in ISDB:
This seems like a good option, but I just want to confirm, will ISDB based policies also apply the web filtering, application control, and other UTM features?
Hi @Sevro_Wolf,
No. You can create a new firewall policy above the current one using any UTM features.
The new firewall policy uses the ISDB object as the destination and you may apply either Allow or Deny action for it.
When you select ISDB as destination you cannot select service (port number) since service is already defined in the ISDB object.
However, it seems you still can select security profiles (AV, WF, APP, IPS, and so on), which seems to me quite logical.
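As an added illustration (not code from this thread or from Fortinet's documentation), this is what the policy described in the reply above looks like in the FortiOS CLI: an ISDB object as the destination, no service setting, and security profiles still attached. Interface names, the ISDB entry name and the profile names are placeholders that you would substitute with the values on your own unit; the `#` lines are annotations for the reader, not CLI input.

```text
# Added example: firewall policy with an ISDB destination plus UTM profiles.
# All names below are placeholders.
config firewall policy
    edit 0
        set name "Allow-CDN-via-ISDB"
        set srcintf "internal"            # placeholder: LAN-side interface
        set dstintf "wan1"                # placeholder: Internet-facing interface
        set srcaddr "all"
        set action accept
        set schedule "always"
        # The ISDB object replaces dstaddr. There is no 'set service' line:
        # the ports are already defined inside the ISDB entry, as noted above.
        set internet-service enable
        set internet-service-name "<CDN ISDB entry selected on your unit>"
        # Security profiles can still be applied to an ISDB-destination policy.
        # An SSL/SSH profile is needed for the web filter to see the hostname
        # of TLS sessions instead of logging them as unscanned.
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "default"
        set av-profile "default"
        set application-list "default"
        set ips-sensor "default"
        set logtraffic all
        set nat enable
    next
end
```

Policy order matters: the new policy has to sit above the general 80/443 rule (in the CLI, `move <new-policy-id> before <web-policy-id>` under `config firewall policy`). Afterwards, check the traffic log for the CDN sessions that used to show policy ID 0 (implicit deny) and confirm they now match the new policy ID with the security profiles applied.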