Hello,
I'm blocking the app control Proxy category, but I need to whitelist access to proxy-safebrowsing.googleapis.com. It falls under the Proxy.HTTP application and gets blocked. I would like to do it via a custom signature, but I can't seem to match the traffic using my custom signature. I've read the signature creation guide and followed it, but no luck. It is still recognized as Proxy.HTTP.
config application custom
    edit "Google.Safebrowsing.Proxy"
        set signature "F-SBID( --attack_id 9876; --name \"Google.Safebrowsing.Proxy\"; --service HTTP; --protocol tcp; -- app_cat 6; --pattern \"safebrowsing.googleapis.com\"; --weight 40;)"
        set category 6
    next
end
config application list
    edit "AppControl"
        set extended-log enable
        set other-application-log enable
        set unknown-application-log enable
        set deep-app-inspection disable
        unset options
        config entries
            edit 4
                set application 9876
                set action pass
            next
            edit 5
                set category 2 6 7 8
            next
        end
    next
end
Sample log of traffic:
date=2024-10-01 time=17:26:51 id=7420921850693158485 itime=2024-10-01 17:26:51 euid=3 epid=326934 dsteuid=3 dstepid=101 type=utm subtype=app-ctrl level=warning action=block sessionid=186458912 policyid=89 srcip=10.123.111.111 dstip=123.123.123.123 srcport=54654 dstport=80 proto=6 logid=1059028705 service=HTTP eventtime=1727818011353619038 incidentserialno=82324068 crscore=10 craction=1048576 crlevel=medium direction=outgoing apprisk=critical appid=107347980 srcintfrole=lan dstintfrole=undefined applist=AppControl appcat=Proxy app=Proxy.HTTP hostname=proxy-safebrowsing.googleapis.com url=/ eventtype=signature srcintf=WIFI dstintf=port16 rawdata=Response-Content-Type=text/html rawdataid=1/1 msg=Proxy: Proxy.HTTP tz=-0400 policytype=policy srccountry=Reserved dstcountry=United States poluuid=39cfc8a0-241e-51ef-27e1-221716410659 httpmethod=CONNECT devid=FG4H111111111111 vd=root dtime=2024-10-01 17:26:51 itime_t=1727818011
Does anyone have any idea how to match it? Maybe "hostname" is not something that is searched for the "pattern".
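One way to check from exported logs which application ID actually matched sessions to this hostname, and whether the custom signature (attack_id 9876) ever fired. This is an added example, not part of the original post: the function names are hypothetical, the first sample line is abridged from the log above, and the second is constructed.

```python
import re
from collections import Counter

# A key starts the line or follows whitespace. Values may contain spaces or '='
# (e.g. "msg=Proxy: Proxy.HTTP", "rawdata=Response-Content-Type=text/html"),
# so a value runs until the next " key=" boundary rather than the next space.
KEY_RE = re.compile(r'(?:^|\s)([A-Za-z_][A-Za-z0-9_]*)=')

def parse_log(line):
    """Split one key=value log line (format as shown in the post) into a dict."""
    marks = list(KEY_RE.finditer(line))
    fields = {}
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(line)
        fields[m.group(1)] = line[m.end():end].strip().strip('"')
    return fields

def matches_for_host(lines, host_suffix):
    """Count (appid, app, action) for app-ctrl events whose hostname ends with host_suffix."""
    seen = Counter()
    for line in lines:
        f = parse_log(line)
        if f.get("subtype") != "app-ctrl":
            continue
        if f.get("hostname", "").endswith(host_suffix):
            seen[(f.get("appid"), f.get("app"), f.get("action"))] += 1
    return seen

def custom_signature_hit(lines, host_suffix, custom_id):
    """True if any matching event was classified under the custom signature ID."""
    return any(appid == str(custom_id)
               for appid, _, _ in matches_for_host(lines, host_suffix))

SAMPLE = [
    # Abridged from the log line in the post.
    "date=2024-10-01 time=17:26:51 type=utm subtype=app-ctrl level=warning "
    "action=block policyid=89 dstport=80 service=HTTP appid=107347980 "
    "applist=AppControl appcat=Proxy app=Proxy.HTTP "
    "hostname=proxy-safebrowsing.googleapis.com url=/ eventtype=signature "
    "rawdata=Response-Content-Type=text/html msg=Proxy: Proxy.HTTP tz=-0400 "
    "httpmethod=CONNECT",
    # Constructed line for an unrelated host.
    "date=2024-10-01 time=17:27:02 type=utm subtype=app-ctrl action=pass "
    "appid=11111 app=Example.App hostname=www.example.com msg=Example: Example.App",
]

if __name__ == "__main__":
    for key, n in matches_for_host(SAMPLE, "safebrowsing.googleapis.com").items():
        print(n, key)
    print("custom signature hit:",
          custom_signature_hit(SAMPLE, "safebrowsing.googleapis.com", 9876))
```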