Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Ambush4261
New Contributor II

Facebook blocked and not blocked with same policy

Hello,


I have a mystery on a Fortigate.

I have a security group that blocks Facebook using application control and web filter categories.

My users told me that they can still use Facebook. I checked the log and I see that most of the traffic linked to Facebook is blocked, but I have some lines with allowed traffic to Facebook, using the same firewall policy. It's unbelievable: my own rule which blocks Facebook is also allowing it.

How is this possible?

fricci_FTNT

You stated that you are using flow-based inspection.
Please try to change it to proxy-based (or clone current policy -> change new policy to proxy-based and move it above the current policy to test it) and see if you have the same behaviour.

Best regards,

---
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.
Ambush4261
New Contributor II

I switched to "proxy-based" and it seems to work much better; 99% of the traffic I want to block is really blocked now.

What's the impact of setting a firewall policy to proxy-based instead of flow-based? Will it load the firewall CPU?

fricci_FTNT

Proxy mode can be a workaround for now.
Flow-based inspection uses hardware acceleration (where available, depending on the model); proxy-inspected traffic goes through the FortiGate main CPU.
Using proxy mode is more CPU intensive but under normal conditions should be fine; it actually depends on the traffic running through the FortiGate. Please keep an eye on the CPU (get sys performance status).

Here you can find some more details about Flow/Proxy inspection: https://docs.fortinet.com/document/fortigate/7.4.2/administration-guide/721410/inspection-modes

Best regards,

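The clone-and-test procedure from the first reply and the CPU check from the accepted answer, written out as FortiOS CLI. This is an added example, not text from the thread or from Fortinet; the existing policy ID (10), the new ID (11), the policy name and the web filter / application control profile names are assumptions standing in for whatever the original policy already uses, and "certificate-inspection" is the FortiOS default SSL/SSH profile.

```fortios
# Added example (assumed IDs and profile names). Clone the existing flow-based
# policy 10 into a new policy 11, switch only the clone to proxy-based
# inspection, and place it above the original so matching traffic hits the
# proxy-based policy first. The original policy is left untouched as a fallback.
config firewall policy
    clone 10 to 11
    edit 11
        set name "Block-Facebook-proxy-test"
        set inspection-mode proxy
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "block-social-media"
        set application-list "block-facebook"
        set logtraffic all
    next
    move 11 before 10
end

# Confirm the clone really is proxy-based before testing from a client
show firewall policy 11

# Watch CPU load after the change, as the accepted answer recommends
get system performance status
```

Once the test confirms the behaviour, the two policies can be merged back into one by deleting the flow-based original, or the clone removed again if CPU load turns out to be a problem.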