Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
sistemi
New Contributor

Deny incoming connection to a specific Url

Hi,

i need help to configure a block to incoming connection to a specific url website in my infrastructure:

actually i've an IIS server published with a vip_rule in firewall policy.

WAN --> serverLAn - source:all dest:vip_ipaddress protocol:80/443 ALLOW

 

In this webserver, inside my LAN, i've 20 different sites (are all on the same ip address, because the "binding" is setting up on IIS level and work correctly) and i need to filter access to a specific site (http:\\site1.mysite.com) blocking all traffic except 2 ip addresses.

 

example: (in my mind )

 

WAN -->serverLan - source:(group ip) dest:Http:\\site1.mysite.com  protocol:80/443 ALLOW

WAN -->serverLan - source:all dest:Http:\\site1.mysite.com  protocol:80/443 DENY

2 rule because one block all traffic and the other to allow only my autorizhed ip.

I've tried but, without success.

 

All others sites of my iis server instead is opened to all inbound traffic without any filter.

 

Any suggestion for this problem?

Thanks in advance

Matteo

5 REPLIES 5
Markus
Valued Contributor

Hi Matteo Welcome to the forum.

 

In my opinion this should work, but you have to consider some stuff.

1) Policy Order: Fortigate (and all other FW) "reads" the policies top down. If a policy hits, no further rules are processed. So you have to put Wan-->ServerLan-->All-->Vip-->http/https after the "more restricted" policies.

2) About encryptet Traffic: Not quite sure how the FGT process URL destinations with https. Maybe you have to inspect SSL for that. So first policy is allowing the specific IPs to site1... Second is deny to site1... maybe with SSL Inspection

Third is the allow any

 

Best, Markus


________________________________________________________
--- NSE 4 ---
________________________________________________________

________________________________________________________--- NSE 4 ---________________________________________________________
sistemi
New Contributor

Hi Markus,

and thanks for reply.

In my post i've put in order my rules, first the rule with the filter and after the rule with "all".

Anyway my problem is to set correctly the rules. I not understand what the metod to filter to specific internal url.

Create a fqdn? Does not work for me because i've blocked all sites binding to same vip_ip. i need to block (or filter) only one.

what you mean with ssl inspection? help me to configure it.

 

EMES

What if you create web filter profiles? You can create customer categorys, enter all the sites you want to allow in one category, then the one you want to limit in another. Your first policy gets the web filter profile with both custom categories allowed(or just the one you want to limit), then the second policy has another web filter profile with the custom category with all the other sites allowed. Since you have the source IP set in the first policy then this should work for you.

emnoc
Esteemed Contributor III

A  custom IPS signature and inspection for  the  URL/URI and host_header is what I would do. if it's HTTPS than obvious   ssl inspection is need.

 

here's one for email  but the  process would be the same for HTTP

 

http://socpuppet.blogspot.com/2014/08/how-to-write-ips-signature-to-block.html

 

 

Ken

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
anelis
New Contributor

Seems a bit tricky. If you have web-filtering in your licence you can try with a web-filtering profile where you specify in a custom denied category your domains that you don't wish to deny.

 

Keep in mind that it should work in HTTP but not in HTTPS without deep-inspection enabled. Since it is traffic towards your own server it shouldn't be to hard to get the server's certificate and enable deep-inspection on that flow.

 

A Layer 3 policy won't work without a change in your design.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors