Can someone give a quick overview (or point me to docs please) of how FPX matches explicit proxy traffic it gets _in detail_?
From what I understand so far
* Policy looks at ACE of type explicit proxy and tries to match (interfaces,src,dst,schedule,service)
* After policy matches, a security profile can (but NEED NOT) be applied
** application control
** webfilter (a subset of what appcontrol does, mainly for web apps)
** ...
* If security profile is specified then it has to allow, otherwise traffic is denied even though policy is "allow".
For matching security profiles, URL categories and whatnot, SSL inspection has to be enabled.
Now to my questions:
1) I see that (at least in most recent versions) several other items can be specified before security profile (see screenshot)
* "Service" itself has "application service" i.e. a service of type "application" or "application group" (I guess that is ISDB)
* "application"
* "application category"
* "application group"
* "url category"
I guess this is part of the ACE evaluation?
Well I tried with some URL category and it seems so.
2) And now to a practical issue: "Howto" / "Not working"
We have a rule that contains a blacklist (URLs) which includes for example facebook.com.
Before that rule I want to specify exceptions for access to Facebook. I tried using "Application Facebook" as well as an "Application Service" matching facebook. Also a category matching social media. But policy is not hit. Instead, the blacklist that comes later is. How do I troubleshoot this?
(Yes I know I could include facebook.com again from an URL list, but I would like to understand why the application match is not working)
Concerning 1)
Concerning 2)
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi jammac,
you might refer to following doc/articles.
1. Rule matching and policy processing
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/237189/proxy-authentication
2. Wad debugging for Explicit proxy
3. Troubleshooting example:
Regards
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1547 | |
1030 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.