Support Forum
sistemi
New Contributor

Deny incoming connection to a specific Url

Hi,

I need help configuring a block on incoming connections to a specific URL (website) in my infrastructure:

Currently I have an IIS server published with a vip_rule in the firewall policy.

WAN --> serverLAn - source:all dest:vip_ipaddress protocol:80/443 ALLOW

 

On this web server, inside my LAN, I have 20 different sites (all on the same IP address, because the "binding" is set up at the IIS level and works correctly) and I need to filter access to one specific site (http://site1.mysite.com), blocking all traffic except from 2 IP addresses.

 

Example (in my mind):

 

WAN --> serverLan - source:(group ip) dest:http://site1.mysite.com protocol:80/443 ALLOW

WAN --> serverLan - source:all dest:http://site1.mysite.com protocol:80/443 DENY

Two rules, because one blocks all traffic and the other allows only my authorised IPs.

I've tried, but without success.

 

All the other sites on my IIS server, instead, are open to all inbound traffic without any filter.

 

Any suggestion for this problem?

Thanks in advance

Matteo

Markus
Valued Contributor

Hi Matteo, welcome to the forum.

 

In my opinion this should work, but you have to consider some stuff.

1) Policy order: FortiGate (and every other firewall) "reads" the policies top down. If a policy hits, no further rules are processed. So you have to put Wan-->ServerLan-->All-->Vip-->http/https after the "more restricted" policies.

2) About encrypted traffic: not quite sure how the FGT processes URL destinations with HTTPS. Maybe you have to inspect SSL for that. So the first policy is allowing the specific IPs to site1... the second is deny to site1... maybe with SSL inspection.

The third is the allow any.

 

Best, Markus


________________________________________________________
--- NSE 4 ---
________________________________________________________

sistemi
New Contributor

Hi Markus,

and thanks for the reply.

In my post I put my rules in order: first the rule with the filter, then the rule with "all".

Anyway, my problem is setting up the rules correctly. I don't understand the method for filtering a specific internal URL.

Create an FQDN? That doesn't work for me because it blocked all the sites bound to the same vip_ip. I need to block (or filter) only one.

What do you mean by SSL inspection? Help me to configure it.

 

EMES

What if you create web filter profiles? You can create custom categories, enter all the sites you want to allow in one category, then the one you want to limit in another. Your first policy gets the web filter profile with both custom categories allowed (or just the one you want to limit), then the second policy has another web filter profile with the custom category with all the other sites allowed. Since you have the source IP set in the first policy, this should work for you.

emnoc
Esteemed Contributor III

A custom IPS signature and inspection for the URL/URI and host_header is what I would do. If it's HTTPS then obviously SSL inspection is needed.

 

Here's one for email, but the process would be the same for HTTP:

 

http://socpuppet.blogspot.com/2014/08/how-to-write-ips-signature-to-block.html

 

 

Ken

 

PCNSE 

NSE 

StrongSwan  

anelis
New Contributor

Seems a bit tricky. If you have web filtering in your licence, you can try a web-filtering profile where you specify, in a custom denied category, the domains that you don't wish to deny.

 

Keep in mind that it should work for HTTP but not for HTTPS without deep inspection enabled. Since it is traffic towards your own server, it shouldn't be too hard to get the server's certificate and enable deep inspection on that flow.

 

A Layer 3 policy won't work without a change in your design.
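As an added illustration of two points made in this thread (Markus's top-down, first-match policy evaluation, and the observation that a layer-3 policy cannot tell site1 apart from the other 19 sites that share the same VIP), here is a small Python model of an ordered rule set. It is an added example, not FortiOS configuration and not code from anyone in the thread; the VIP address, the two trusted source addresses, the host names and the rule names are constructed placeholders. The "host" field stands for whatever a layer-7 match (web filter category, custom IPS signature on the host header) sees after inspection; it is `None` when the hostname is not visible to the firewall, which is the HTTPS-without-inspection case the replies warn about.

```python
"""Toy first-match policy evaluator (added example, not from the thread).

Everything below is constructed for illustration: addresses, host names
and rule names are placeholders, not the poster's real infrastructure.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str                     # source IP address
    dst: str                     # destination IP (the published VIP)
    dport: int                   # 80 or 443
    host: Optional[str] = None   # hostname seen at layer 7; None if not visible (e.g. HTTPS, no inspection)


@dataclass
class Rule:
    name: str
    action: str                              # "allow" or "deny"
    src: List[str] = field(default_factory=lambda: ["0.0.0.0/0"])
    dst: str = "0.0.0.0/0"
    ports: Tuple[int, ...] = (80, 443)
    host: Optional[str] = None               # layer-7 condition; None means "any host"

    def matches(self, p: Packet) -> bool:
        if not any(ip_address(p.src) in ip_network(n) for n in self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if p.dport not in self.ports:
            return False
        # A host-specific rule can only match when the firewall actually sees the hostname.
        if self.host is not None and p.host != self.host:
            return False
        return True


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """Top-down, first match wins; anything unmatched hits the implicit deny."""
    for r in rules:
        if r.matches(p):
            return r.name, r.action
    return "implicit-deny", "deny"


VIP = "203.0.113.10"                                   # constructed VIP address
ALLOWED = ["198.51.100.5/32", "198.51.100.6/32"]       # constructed trusted sources

# What the original post tried: the destination is written as a URL, but a layer-3
# policy only sees the VIP, so both "site1" rules collapse onto dst=VIP and the
# deny catches every one of the 20 sites.
l3_only = [
    Rule("site1-allow-trusted", "allow", src=ALLOWED, dst=VIP),
    Rule("site1-deny-rest",     "deny",  dst=VIP),
    Rule("all-sites-allow",     "allow", dst=VIP),
]

# Same intent with a layer-7 host condition, in the order Markus describes.
l7_aware = [
    Rule("site1-allow-trusted", "allow", src=ALLOWED, dst=VIP, host="site1.mysite.com"),
    Rule("site1-deny-rest",     "deny",  dst=VIP, host="site1.mysite.com"),
    Rule("all-sites-allow",     "allow", dst=VIP),
]

# The catch-all placed first: it hits before the restrictive rules ever run.
wrong_order = [l7_aware[2], l7_aware[0], l7_aware[1]]


if __name__ == "__main__":
    cases = [
        ("L3 only, stranger to site2 (collateral block)", l3_only, Packet("192.0.2.7", VIP, 80, "site2.mysite.com")),
        ("L7 aware, stranger to site2",                     l7_aware, Packet("192.0.2.7", VIP, 80, "site2.mysite.com")),
        ("L7 aware, stranger to site1",                     l7_aware, Packet("192.0.2.7", VIP, 80, "site1.mysite.com")),
        ("L7 aware, trusted IP to site1",                   l7_aware, Packet("198.51.100.5", VIP, 443, "site1.mysite.com")),
        ("L7 aware, HTTPS with no inspection (host unseen)", l7_aware, Packet("192.0.2.7", VIP, 443, None)),
        ("catch-all first, stranger to site1",              wrong_order, Packet("192.0.2.7", VIP, 80, "site1.mysite.com")),
    ]
    for label, rules, pkt in cases:
        print(f"{label:52s} -> {evaluate(rules, pkt)}")
```

The fifth case is the one to watch: with the hostname hidden inside TLS, the site1 deny never fires and the connection falls through to the catch-all allow, which is why the replies insist on SSL/deep inspection for the HTTPS side before any host-based rule can do its job.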
