Hi,
I need help configuring a block on incoming connections to a specific website URL in my infrastructure.
Currently I have an IIS server published with a vip_rule in the firewall policy.
WAN --> serverLAn - source:all dest:vip_ipaddress protocol:80/443 ALLOW
On this web server, inside my LAN, I have 20 different sites (all on the same IP address, because the "binding" is set up at the IIS level and works correctly), and I need to filter access to a specific site (http://site1.mysite.com), blocking all traffic except 2 IP addresses.
Example (in my mind):
WAN -->serverLan - source:(group ip) dest:http://site1.mysite.com protocol:80/443 ALLOW
WAN -->serverLan - source:all dest:http://site1.mysite.com protocol:80/443 DENY
Two rules, because one blocks all traffic and the other allows only my authorized IPs.
I've tried, but without success.
All the other sites on my IIS server are instead open to all inbound traffic without any filter.
Any suggestions for this problem?
Thanks in advance
Matteo
Hi Matteo, welcome to the forum.
In my opinion this should work, but you have to consider some stuff.
1) Policy Order: Fortigate (and all other FW) "reads" the policies top down. If a policy hits, no further rules are processed. So you have to put Wan-->ServerLan-->All-->Vip-->http/https after the "more restricted" policies.
2) About encrypted traffic: Not quite sure how the FGT processes URL destinations with HTTPS. Maybe you have to inspect SSL for that.
So the first policy allows the specific IPs to site1... The second is deny to site1... maybe with SSL inspection.
The third is the allow any.
Best, Markus
________________________________________________________
--- NSE 4 ---
________________________________________________________
Hi Markus,
thanks for the reply.
In my post I've put my rules in order: first the rule with the filter, and after it the rule with "all".
Anyway, my problem is setting up the rules correctly. I don't understand what the method is to filter a specific internal URL.
Create an FQDN? That does not work for me because I've blocked all sites bound to the same vip_ip. I need to block (or filter) only one.
What do you mean by SSL inspection? Please help me configure it.
What if you create web filter profiles? You can create custom categories, enter all the sites you want to allow in one category, then the one you want to limit in another. Your first policy gets the web filter profile with both custom categories allowed (or just the one you want to limit), then the second policy has another web filter profile with the custom category with all the other sites allowed. Since you have the source IP set in the first policy, this should work for you.
A custom IPS signature and inspection for the URL/URI and host_header is what I would do. If it's HTTPS then obviously SSL inspection is needed.
Here's one for email, but the process would be the same for HTTP:
http://socpuppet.blogspot.com/2014/08/how-to-write-ips-signature-to-block.html
Ken
PCNSE
NSE
StrongSwan
Seems a bit tricky. If you have web filtering in your licence, you can try a web-filtering profile where you specify in a custom denied category your domains that you don't wish to deny.
Keep in mind that it should work in HTTP but not in HTTPS without deep inspection enabled. Since it is traffic towards your own server, it shouldn't be too hard to get the server's certificate and enable deep inspection on that flow.
A Layer 3 policy won't work without a change in your design.
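The following is an added example, not part of any post in this thread and not FortiOS configuration: a simplified Python model of first-match policy evaluation keyed on source IP and HTTP Host header. It shows the rule order discussed above and why a request whose host is not visible (HTTPS without inspection) falls through to the allow-all rule. The IP addresses, policy names and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample values: documentation address ranges, host name from the thread.
TRUSTED = [ipaddress.ip_network("198.51.100.10/32"), ipaddress.ip_network("203.0.113.25/32")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]
SITE1 = "site1.mysite.com"

# (name, allowed sources, host to match or None for "any site on the VIP", action)
POLICIES = [
    ("allow-site1-trusted", TRUSTED, SITE1, "ALLOW"),
    ("deny-site1-others", ANY, SITE1, "DENY"),
    ("allow-other-sites", ANY, None, "ALLOW"),
]

def host_header(raw):
    """Return the normalised Host header of a cleartext HTTP request, or None."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            # Drop port, case and trailing dot so variants cannot slip past the match.
            return value.strip().lower().split(":")[0].rstrip(".")
    return None

def evaluate(src_ip, host, policies=POLICIES):
    """First-match evaluation; host is None when the request was not visible
    (for example HTTPS without inspection)."""
    src = ipaddress.ip_address(src_ip)
    for name, sources, want_host, action in policies:
        if not any(src in net for net in sources):
            continue
        if want_host is not None and host != want_host:
            continue
        return name, action
    return "implicit-deny", "DENY"

if __name__ == "__main__":
    req = b"GET / HTTP/1.1\r\nHost: Site1.MySite.com:80\r\n\r\n"  # constructed request
    for src, host in [("198.51.100.10", host_header(req)),
                      ("192.0.2.77", host_header(req)),
                      ("192.0.2.77", "site2.mysite.com"),
                      ("192.0.2.77", None)]:
        print(src, host, evaluate(src, host))
```

Passing the policy list in reverse order to `evaluate` shows the ordering problem from the first reply: the allow-all rule matches first and the restriction on site1 never applies.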
Copyright 2024 Fortinet, Inc. All Rights Reserved.