Billgazz
New Contributor

Fortigate 80C Webfiltering SSL Inspection

Hello everyone, I have the following problem. On the farm we installed a FortiGate 80C with firmware 5.0 Build 0310 GA Patch 11, with the related web filtering and SSL inspection configuration and firewall rule. The firewall cannot block anything. I did the test with a VM on a course that I made and it all works. Do I have to do a factory reset?

Christopher_McMullan

Could you post a copy of the firewall policy, webfilter, and SSL/SSH inspection profile you are using?

Regards, Chris McMullan Fortinet Ottawa

Billgazz
New Contributor

SSL

Billgazz
New Contributor

profile

Billgazz
New Contributor

policy

Christopher_McMullan

It looks like the policy is ordered high enough, and has the filter and inspection profiles applied, and there is a packet count. Do you see the packet count increment immediately after visiting a site which should be blocked?

Regards, Chris McMullan Fortinet Ottawa

Dave_Hall
Honored Contributor

That column with Claudio, Lan 01, Lan 02, etc. looks like address subnet ranges.  Is the Fortigate set up in transparent mode?  Can you post the edit view of your fw rule#8?  Does the Claudio label have a proper IP/subnet?  Do you have any firewall rule covering that "claudio" traffic above rule #8?

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

Billgazz
New Contributor

I put it as the first rule at the top, and the packets pass through this rule, but the filters that have been set are not applied.

I also enclose the rules in global view. The networks are the different subnet classes in my office.

Christopher_McMullan

It would be best to examine a flow trace and UTM logs/diagnostics to see where the breakdown occurs.

Pick an HTTPS site with a known public IP:

diag debug reset
diag debug enable
diag debug flow show console enable
diag debug flow show function-name enable
diag debug flow filter addr w.x.y.z   //--enter the IP of the test site
diag debug flow trace start 5000
diag debug flow trace stop   //--type this command without pressing Enter *before* visiting the site; that way, you can just press Enter to stop output, even if a lot is being generated - you won't have to guess whether you're entering typos or not
<browse to the site, then...>
<Enter>
diag debug flow filter clear
diag debug reset
diag debug disable

Look for the policy and route chosen in the output, and whether the traffic is sent to IPS or to the 'application layer' for further processing. This will prove what level of inspection takes place.

Then, you can look through any UTM logs generated, if you log all traffic in the policy and enable logging through the CLI for the UTM profiles in place. Barring that, for web filtering, you can debug the urlfilter daemon.

diag debug reset
diag debug enable
diag debug urlfilter src-addr w.x.y.z   //--here, you can specify the private IP of your testing host, to limit output
diag debug application urlfilter -1
diag debug reset   //--same as above, type the command without pressing Enter
<browse to a site which should trigger your UTM rules, then...>
<Enter>
diag debug disable

Let's see what comes up! 

Regards, Chris McMullan Fortinet Ottawa
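Once a debug flow trace like the one above has been captured, the lines that answer the question (which policy matched, which route was chosen, whether the session was handed to IPS or to the application-layer proxy) sit among many per-packet lines. The script below is an added example written for this thread, not something posted by the participants or shipped by Fortinet: it extracts those decisions from a trace and states what they imply for the poster's symptom. The `msg=` wording the regexes look for is the commonly seen FortiOS phrasing and the two embedded traces are constructed (RFC 5737 addresses, rule number 8 from the thread) to look like 5.x output; both are assumptions, so if a line on your build is phrased differently, adjust the pattern.

```python
"""Summarize a FortiGate 'diag debug flow' trace: policy, route and UTM handoff."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed msg="..." phrasing of a FortiOS debug flow trace; adjust per build.
RE_SESSION = re.compile(r'allocate a new session-(\w+)')
RE_ROUTE = re.compile(r'find a route: gw-(\S+) via (\S+)"')
RE_POLICY = re.compile(r'Allowed by Policy-(\d+)(?::\s*([^"]*))?')
RE_DENIED = re.compile(r'Denied by forward policy check')
RE_HANDOFF = re.compile(r'msg="send to (ips|application layer)"')


@dataclass
class FlowSummary:
    new_session: Optional[str] = None
    gateway: Optional[str] = None
    egress: Optional[str] = None
    policy_id: Optional[int] = None
    policy_flags: List[str] = field(default_factory=list)
    handoff: Optional[str] = None  # "ips", "application layer" or None
    denied: bool = False

    def verdict(self) -> str:
        """One-line reading of the trace for the person troubleshooting."""
        if self.denied:
            return "denied by forward policy check (no policy permitted the flow)"
        if self.policy_id is None:
            return "no policy decision seen (filter too narrow, or no packets captured)"
        if self.handoff == "application layer":
            return f"policy {self.policy_id}: handed to the proxy (application layer); UTM profiles are being applied"
        if self.handoff == "ips":
            return f"policy {self.policy_id}: handed to the IPS engine (flow-based inspection)"
        return (f"policy {self.policy_id} matched but no IPS/application-layer handoff seen; "
                "check the UTM profiles and inspection mode on that policy")


def summarize_flow(trace: str) -> FlowSummary:
    """Record the first session's route, policy decision and handoff found in the trace."""
    s = FlowSummary()
    for line in trace.splitlines():
        m = RE_SESSION.search(line)
        if m and s.new_session is None:
            s.new_session = m.group(1)
        m = RE_ROUTE.search(line)
        if m and s.gateway is None:
            s.gateway, s.egress = m.group(1), m.group(2)
        m = RE_POLICY.search(line)
        if m and s.policy_id is None:
            s.policy_id = int(m.group(1))
            s.policy_flags = (m.group(2) or "").split()  # e.g. ["AV", "SNAT"]
        if RE_DENIED.search(line):
            s.denied = True
        m = RE_HANDOFF.search(line)
        if m and s.handoff is None:
            s.handoff = m.group(1)
    return s


# Constructed traces, not captured from the poster's unit. TRACE_NO_UTM shows the
# thread's symptom: policy 8 matches, the packet is routed and NATed, but nothing
# is handed to IPS or the proxy. TRACE_PROXY shows the same flow being inspected.
TRACE_NO_UTM = """\
id=13 trace_id=1 func=print_pkt_detail line=4478 msg="vd-root received a packet(proto=6, 192.0.2.25:51234->198.51.100.7:443) from internal. flag [S], seq 1, ack 0, win 65535"
id=13 trace_id=1 func=init_ip_session_common line=4618 msg="allocate a new session-00003a1f"
id=13 trace_id=1 func=vf_ip4_route_input line=1596 msg="find a route: gw-203.0.113.1 via wan1"
id=13 trace_id=1 func=fw_forward_handler line=670 msg="Allowed by Policy-8: SNAT"
id=13 trace_id=1 func=__ip_session_run_tuple line=2523 msg="SNAT 192.0.2.25->203.0.113.2:51234"
id=13 trace_id=2 func=print_pkt_detail line=4478 msg="vd-root received a packet(proto=6, 192.0.2.25:51234->198.51.100.7:443) from internal. flag [.], seq 2, ack 1, win 65535"
id=13 trace_id=2 func=resolve_ip_tuple_fast line=4541 msg="Find an existing session, id-00003a1f, original direction"
id=13 trace_id=2 func=ipv4_fast_cb line=50 msg="enter fast path"
"""

TRACE_PROXY = """\
id=13 trace_id=7 func=print_pkt_detail line=4478 msg="vd-root received a packet(proto=6, 192.0.2.25:51240->198.51.100.7:443) from internal. flag [S], seq 1, ack 0, win 65535"
id=13 trace_id=7 func=init_ip_session_common line=4618 msg="allocate a new session-00003a2c"
id=13 trace_id=7 func=vf_ip4_route_input line=1596 msg="find a route: gw-203.0.113.1 via wan1"
id=13 trace_id=7 func=fw_forward_handler line=670 msg="Allowed by Policy-8: AV SNAT"
id=13 trace_id=7 func=av_receive line=1122 msg="send to application layer"
"""

if __name__ == "__main__":
    for name, trace in (("no UTM handoff", TRACE_NO_UTM), ("proxy inspection", TRACE_PROXY)):
        print(f"{name}: {summarize_flow(trace).verdict()}")
```

Feed it a real capture by reading the saved console output into `summarize_flow`; the `policy_flags` list is worth a glance as well, since a policy whose "Allowed by" line carries only SNAT-type flags and no UTM-related ones points back to the profile assignment on that rule rather than to the profile contents.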
