I guess the title says it all. I block Facebook in a web profile with *.facebook.com, and it's the first item, with the action set to block. (I block Meta as well.) I have an application profile with the first override set to block the Facebook application. My DNS server has the DNS for Facebook blocked. I've never had a Facebook account and never installed a Facebook app on my computer, and nobody in my house uses Facebook. But, as you can see, sometimes it's blocked, and other times it's not a moment later. What am I missing here?
I looked more at the details. The ones that passed say action: client-rst with Security Action Allow. Others say action: client-rst with Security Action Block a second later.
Hello @ameif56hgt ,
Did you configure deep SSL inspection? If you're not doing it, that could be why.
Also, the DNS filter should catch this before the web and application filters. Which application do you use as a DNS filter? FortiGate or another app?
Deep inspection is ON and the Fortigate certificate is installed on computers and phones, BUT I do not believe this needs to be on to detect Facebook web access. I do use AdGuard Home on a Pi for DNS blocking, but I'm also seeing more apps get around it by going to their own DNS (which I block) or having the IP hardcoded in the app. If you look at the log I provided, you can clearly see the IP identified as Facebook, which the Fortigate should be blocking.
Hi @ameif56hgt,
We should see that traffic if you don't use Facebook. Can you check what the source IP is and track it from there? Can you show the log details of the allowed logs?
Regards,
The source IP is from Macs, iPhones or iPads. My guess is that Apple initiates this, or some unrelated app I have does. Maybe a browser.
Hi,
From the traffic logs, it is using the UDP protocol for communication, so I am assuming it is using the QUIC protocol. You can try to block the QUIC application or service so that Facebook will fall back to TLS.
Regards,
Shiva
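Added example, not from the thread or from Fortinet: a small triage script for the check Shiva's reply suggests, i.e. confirming from the traffic log that the "allowed" Facebook flows are UDP/443 (QUIC) while the blocked ones are TCP/443. The log lines below are constructed; the field names (`proto`, `dstport`, `app`, `utmaction`) are assumed to follow the usual FortiOS key=value traffic log layout, and the TEST-NET destination addresses stand in for real endpoints.

```python
"""Triage FortiGate-style traffic logs for Facebook flows that were allowed over QUIC."""
import re
from collections import Counter

# key=value tokenizer: values are either a double-quoted string or a bare run
# of non-space characters (IPs, port numbers, dates).
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample lines (not the poster's log). Field names are an assumption
# based on the common FortiOS traffic log layout; addresses are TEST-NET.
SAMPLE_LOGS = [
    'date=2024-05-01 time=10:00:01 type="traffic" subtype="forward" srcip=192.168.1.20 dstip=203.0.113.10 proto=17 dstport=443 service="udp/443" app="Facebook" action="client-rst" utmaction="allow"',
    'date=2024-05-01 time=10:00:02 type="traffic" subtype="forward" srcip=192.168.1.20 dstip=203.0.113.10 proto=6 dstport=443 service="HTTPS" app="Facebook" action="client-rst" utmaction="block"',
    'date=2024-05-01 time=10:00:05 type="traffic" subtype="forward" srcip=192.168.1.31 dstip=203.0.113.11 proto=17 dstport=443 service="udp/443" app="Facebook" action="client-rst" utmaction="allow"',
    'date=2024-05-01 time=10:00:07 type="traffic" subtype="forward" srcip=192.168.1.31 dstip=203.0.113.50 proto=6 dstport=443 service="HTTPS" app="Apple.Services" action="accept" utmaction="allow"',
    'date=2024-05-01 time=10:00:09 type="traffic" subtype="forward" srcip=192.168.1.40 dstip=203.0.113.12 proto=17 dstport=443 service="udp/443" app="Facebook" action="client-rst" utmaction="block"',
]


def parse_kv(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def is_quic(rec):
    """QUIC (HTTP/3) rides UDP to port 443; IP protocol number 17 is UDP."""
    return rec.get("proto") == "17" and rec.get("dstport") == "443"


def classify(rec):
    """Label a flow as transport/verdict so allowed QUIC stands out from blocked TLS."""
    if is_quic(rec):
        transport = "quic"
    elif rec.get("proto") == "6":
        transport = "tcp"
    else:
        transport = "other"
    return f"{transport}/{rec.get('utmaction', 'unknown')}"


def find_allowed_quic(lines, app="Facebook"):
    """Return (srcip, dstip) pairs where the named app was allowed over QUIC.

    These are the flows a TCP-only URL filter never sees; blocking the QUIC
    service or application forces the client back to TLS, where the filter applies.
    """
    hits = []
    for line in lines:
        rec = parse_kv(line)
        if rec.get("app") == app and is_quic(rec) and rec.get("utmaction") == "allow":
            hits.append((rec["srcip"], rec["dstip"]))
    return hits


def summarize(lines, app="Facebook"):
    """Count transport/verdict combinations for one app across the whole log."""
    counts = Counter()
    for line in lines:
        rec = parse_kv(line)
        if rec.get("app") == app:
            counts[classify(rec)] += 1
    return counts


if __name__ == "__main__":
    for src, dst in find_allowed_quic(SAMPLE_LOGS):
        print(f"allowed QUIC to Facebook: {src} -> {dst}")
    print(dict(summarize(SAMPLE_LOGS)))
```

Run it against an exported traffic log (one key=value line per entry) with the `app` filter set to the application you expect to be blocked. If every "allow" verdict is on a `quic/...` row and every "block" is on a `tcp/...` row, the inconsistency is the QUIC bypass rather than a broken filter rule, and the fix is to deny UDP/443 (or the QUIC application signature) in the policy.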
Web filtering should work by editing your security profile and doing a URL filter with a wildcard mask of *facebook.com. If this doesn't fix your issue, we can move to DNS filtering. Please let us know the status after trying this solution! I've just tested it in my home network and it seems to function. If this doesn't work, we can try DNS filtering after.
So I do have a Fortigate DNS filter in between my devices and my DNS repeaters (AdGuards) which are also on my network. I block DNS traffic that goes from devices to the WAN unless it's from AdGuard to the WAN, obviously. It's a wildcard *Facebook.com
I do wish I could find the app on the iPhone or Mac generating it, but I don't really know how to go that deep.
Also, I know some browsers want to use DNS over TLS or DNS over HTTPS, but I have those turned off in the browser because AdGuard enforces this to the actual DNS servers.
Copyright 2024 Fortinet, Inc. All Rights Reserved.