Filter blocks only insecured web sites

zigfridus · ‎02-11-2020

Hello

I would like to create a policy that consists of the white list URLs and a rule that block all other URLs. So I started with creating a WEB filter and added only one rule that block everything.

Then I added the filter into the policy. Unfortunately this filter blocks only insecured web sites (http) but not secured (https).

Could you please help?

Thanks

Dave_Hall · ‎02-12-2020

Hi Valentyn.

Screenshot shows you are using certificate inspection on the Web Filter Profile, which means the fgt should peek at the security certificate for the CN or alt names to process whether it needs to be allow or blocked. Common problems using this approach is some sites may use wildcard security certificates or use the same security certificates for multiple sites. On top of that, some sites may make the use of local content servers or pull resources (like images) from other domains.

The pic below shows www.mcdonalds.com, but the CN on the certificate is assets.mcdonalds.co.uk. (Though I haven't checked on the alt names.) To fully block/allow www.mcdonalds.com you may need to also include a URL filter for assets.mcdonalds.co.uk.

DNS filtering is another approach for web filtering, but mostly only works on whole FQDNs. (Someone correct me on this if this is incorrect.)

Full SSL or deep packet inspection is likely the best option for monitoring/limiting/restricting web traffic, but it requires a security certificate be installed on client browsers (for the most part).

This KB explains the differences between the two inspection modes.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

View solution in original post

Johan_Witters · ‎02-27-2020

Hi Zigfridus,

like Dave already stated your Fortigate will try to inspect the ssl certificate for the CN or ALT names and match that info to your web filter settings. If the info on the certificate does not 100% match with your filter, it will not block/allow the traffic, depending on what you have set. It will not inspect the packets themselves as this is encrypted traffic and cannot be read.

Best way to process your traffic is by enabling ssl "deep inspection", that way the Fortigate can inspect all packets and work on different levels to check and allow/block traffic according to your policies and utm profiles. It will however require you to by an official ssh certificate, or to install the self-signed fortigate certificate on your clients.

If you can't or don't want to use deep inspection you would mainly focus on dns and webfilter to check your traffic.

regards,

Johan

Johan Witters

Network & Security Engineer

FCNSP V4/V5

BKM NV

View solution in original post

Johan_Witters · ‎02-12-2020

Hi,

I recommend you to use a DNS filter if possible as it will block the name resolution itself, and not HTTP or other traffic.

If you want to use a web filter you have to configure ssl inspection (certificate inspection or deep inspection) so the Fortigate can at least check the certificate of the website to check the url, but the browser might present a "certificate warning". This is due to the fact https traffic is encrypted so the Fortigate can't see which site the request is for.

You can also try with a webfilter "*.*:443", but I haven't tried that myself, so I can't promise it'll work.

Good luck,

Johan

Johan Witters

Network & Security Engineer

FCNSP V4/V5

BKM NV

zigfridus · ‎02-12-2020

Thank you Johan for your reply.

As I understood the DNS filter parse only DNS requests. So when a user sends a request not to the WEB site name, but it's IP address then DNS filter will not block it.

Am I right?

Dave_Hall · ‎02-12-2020

Hi Valentyn.

Screenshot shows you are using certificate inspection on the Web Filter Profile, which means the fgt should peek at the security certificate for the CN or alt names to process whether it needs to be allow or blocked. Common problems using this approach is some sites may use wildcard security certificates or use the same security certificates for multiple sites. On top of that, some sites may make the use of local content servers or pull resources (like images) from other domains.

The pic below shows www.mcdonalds.com, but the CN on the certificate is assets.mcdonalds.co.uk. (Though I haven't checked on the alt names.) To fully block/allow www.mcdonalds.com you may need to also include a URL filter for assets.mcdonalds.co.uk.

DNS filtering is another approach for web filtering, but mostly only works on whole FQDNs. (Someone correct me on this if this is incorrect.)

Full SSL or deep packet inspection is likely the best option for monitoring/limiting/restricting web traffic, but it requires a security certificate be installed on client browsers (for the most part).

This KB explains the differences between the two inspection modes.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

zigfridus · ‎02-13-2020

Hi Dave

Thank you for your answer.

Dave Hall wrote:
To fully block/allow www.mcdonalds.com you may need to also include a URL filter for assets.mcdonalds.co.uk.

But why my filter *.* doesn't block all web sites? I thought it must block every web site.

zigfridus · ‎02-14-2020

I figured out something weird. Fortigate blocks https web sites but not all. For example it's successfully blocks https://itc.ua:

2020-02-14T09:35:04.355876+02:00 192.168.60.2 date=2020-02-14 time=09:35:03 devname="fortigate" devid="xxx" logid="0315012544" type="utm" subtype="webfilter" eventtype="urlfilter" level="warning" vd="root" eventtime=1581665704323571840 tz="+0200" urlfilteridx=1 urlfilterlist="Auto-webfilter-urlfilter_qka27jppz" policyid=15 sessionid=3770186 srcip=192.168.60.17 srcport=5247 srcintf="lan" srcintfrole="lan" dstip=93.183.199.243 dstport=443 dstintf="wan1" dstintfrole="wan" proto=6 service="HTTPS" hostname="itc.ua" profile="exclusions" action="blocked" reqtype="direct" url="https://itc.ua/" sentbyte=517 rcvdbyte=0 direction="outgoing" urlsource="Local URLfilter Block" msg="URL was blocked because it is in the URL filter list" crscore=30 craction=8 crlevel="high"

But it doesn't block https://facebook.com and https://youtube.com at all. I don't understand why the web filter's rule "*" works so selectively. Maybe it's SSL inspection allows requests.

Johan_Witters · ‎02-27-2020

Hi Zigfridus,

like Dave already stated your Fortigate will try to inspect the ssl certificate for the CN or ALT names and match that info to your web filter settings. If the info on the certificate does not 100% match with your filter, it will not block/allow the traffic, depending on what you have set. It will not inspect the packets themselves as this is encrypted traffic and cannot be read.

Best way to process your traffic is by enabling ssl "deep inspection", that way the Fortigate can inspect all packets and work on different levels to check and allow/block traffic according to your policies and utm profiles. It will however require you to by an official ssh certificate, or to install the self-signed fortigate certificate on your clients.

If you can't or don't want to use deep inspection you would mainly focus on dns and webfilter to check your traffic.

regards,

Johan

Johan Witters

Network & Security Engineer

FCNSP V4/V5

BKM NV

zigfridus · ‎02-28-2020

Hello

I've decided to enable deep inspection and installed Forigate's self-signed certificated on all PCs.

Tomorrow I'm going to install Fortigate as a main router.

Hope everything will be fine.

Thanks everyone for your advices and help.