Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ameif56hgt
New Contributor II

Facebook Just Wont Die

I guess the title says it all.  I block Facebook in a web profile with *.facebook.com. and its the first item, with action to block. (I block Meta as well.)  I have an application profile with the first override to block the facebook application.  My DNS server has the DNS for Facebook to be blocked.  I've never had a facebook account and never installed a facebook app on my computer, and nobody in my house uses facebook.  But, as you can see, sometimes its blocked, other times its not a moment later. What am I missing here??

 

Facebook Not Blocked.png

 

 

12 REPLIES 12
ameif56hgt
New Contributor II

I looked more at the details. The ones passed says action: client-rst with Security Action Allow.  Others says action: client-rst with Security Action Block a second later.  

ozkanaltas
Valued Contributor III

Hello @ameif56hgt ,

 

Did you configure deep ssl-inspection? if you're not doing it, that could be why.

 

Also DNS filter should catch this before the web and application filter. Which application do you use as a DNS filter? Fortigate or other app?

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
ameif56hgt

Deep inspection is ON and the Fortigate certificate is installed on computers and phones, BUT I do not believe this needs to be on to detect Facebook web access.  I do use AdGuard Home on a Pi for DNS blocking, but I'm also seeing more apps get around it by going to their own DNS (which I block) or having the IP hardcoded in the app.  If you look at the log I provided, you can clearly see the IP identified as Facebook, which the Fortigate should be blocking.

hbac
Staff
Staff

Hi @ameif56hgt,

 

We should see those traffic if you don't use Facebook. Can you check what is the source IP and track it from there? Can you show the log details of the allowed logs? 

 

Regards, 

ameif56hgt
New Contributor II

The source IP is from Macs or iPhones or iPads. My guess Apple initiates this or some non-related app I have does. Maybe a browser. 

Screenshot 2024-03-22 at 9.32.14 AM.pngScreenshot 2024-03-22 at 9.33.13 AM.png

smaruvala

Hi,

 

From the traffic logs it is using udp protocol for communication. So I am assuming it is using QUIC protocol for the communication. You can try to block the quic application or service so that the facebook will fallback TLS.

 

Regards,

Shiva

Genobaseball10
New Contributor III

Web filtering should work by editing your security profile and doing a URL filter with a wildcard mask of *facebook.com. If this doesn't fix your issue, we can move to DNS filtering. Please let us know the status after trying this solution! I've just tested it in my home network and it seems to function. If this doesn't work, we can try DNS filtering after.

CCNA | FCP | CWNA
CCNA | FCP | CWNA
ameif56hgt

So I do have a Fortigate DNS filter in between my devices and my DNS repeaters (AdGuards) which are also on my network.  I block DNS traffic that goes from devices to the WAN unless it's from AdGuard to the WAN, obviously.  It's a wildcard *Facebook.com  

 

I do wish I could find the app. on the iPhone or Mac generating it, but I don't really know how to go that deep.

ameif56hgt

Also, I know some browsers want to use DNS over TLS or DNS over HTTPS but I do have those turned off in the browser because the AdGuard enforces this to the actual DNS servers.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors