Hello,
I'm blocking app control Proxy category but I need to whitelist access to proxy-safebrowsing.googleapis.com. It falls under Proxy.HTTP application and gets blocked. I would like to do it via custom signature. But I can't seem to match the traffic using my custom signature. I've read the signature creating guide and followed it but no luck. It still recognized as Proxy.HTTP.
config application custom
edit "Google.Safebrowsing.Proxy"
set signature "F-SBID( --attack_id 9876; --name \"Google.Safebrowsing.Proxy\"; --service HTTP; --protocol tcp; -- app_cat 6; --pattern \"safebrowsing.googleapis.com\"; --weight 40;)"
set category 6
next
end
config application list
edit "AppControl"
set extended-log enable
set other-application-log enable
set unknown-application-log enable
set deep-app-inspection disable
unset options
config entries
edit 4
set application 9876
set action pass
next
edit 5
set category 2 6 7 8
next
end
next
end
Sample log of traffic:
date=2024-10-01 time=17:26:51 id=7420921850693158485 itime=2024-10-01 17:26:51 euid=3 epid=326934 dsteuid=3 dstepid=101 type=utm subtype=app-ctrl level=warning action=block sessionid=186458912 policyid=89 srcip=10.123.111.111 dstip=123.123.123.123 srcport=54654 dstport=80 proto=6 logid=1059028705 service=HTTP eventtime=1727818011353619038 incidentserialno=82324068 crscore=10 craction=1048576 crlevel=medium direction=outgoing apprisk=critical appid=107347980 srcintfrole=lan dstintfrole=undefined applist=AppControl appcat=Proxy app=Proxy.HTTP hostname=proxy-safebrowsing.googleapis.com url=/ eventtype=signature srcintf=WIFI dstintf=port16 rawdata=Response-Content-Type=text/html rawdataid=1/1 msg=Proxy: Proxy.HTTP tz=-0400 policytype=policy srccountry=Reserved dstcountry=United States poluuid=39cfc8a0-241e-51ef-27e1-221716410659 httpmethod=CONNECT devid=FG4H111111111111 vd=root dtime=2024-10-01 17:26:51 itime_t=1727818011
Anyone has any idea how to match it ? Maybe "hostname" is not something that is searched for the "pattern".
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
It is working now.
On Tuesday Oct 8 around 2PM the related traffic started to match my custom signature and stopped matching Proxy.HTTP for all our firewalls.
I have not changed anything in the configuration, and config captures show no difference in config.
The customer signature was pushed to the firewalls via FMG a week before it started to work.
Not sure how to explain it.
Current working signature:
config application custom
edit "Google.Safebrowsing.Proxy"
set comment ''
set signature "F-SBID( --attack_id 9876; --name \"Google.Safebrowsing.Proxy\"; --service HTTP; --protocol tcp; --app_cat 6; --pattern \"safebrowsing.googleapis.com\"; --weight 40;)"
set category 6
next
end
Counterintuitively, you may be able to add a Web Filter and add a 'static URL filter' entry to exempt that URL from all UTM. This will stop it from even being scanned by the Application Control.
See: https://community.fortinet.com/t5/FortiGate/Technical-Tip-The-difference-between-allow-and-exempt-in...
If you need to do this within Application Control, it seems like the signature is correct. I would check and see if the request from the client is HTTPS, and if it is, you may need to enable Deep Inspection so Application Control can see inside that encrypted stream.
Thank you for your reply, Johnathan
I created "Simple" "Exempt" URL filter of "proxy-safebrowsing.googleapis.com" and logs showed that the traffic was "passthrough" and not blocked. But then, on the next step, it got matched by Proxy.HTTP and blocked.
The packets are not encrypted and I was able to capture a sample (shown below). Not sure why custom application does not match it.
I tried
F-SBID( --attack_id 9876; --name "Google.Safebrowsing.Proxy"; --service HTTP; --protocol tcp; --app_cat 6; --pattern "CONNECT proxy-safebrowsing.googleapis.com:443"; --weight 40;)
but it still recognized as Proxy.HTTP only
Let's try and make it as simple as possible:
----
F-SBID( --name "block.proxy"; --pattern "proxy-safebrowsing.googleapis.com"; --service HTTP; --protocol tcp; )
----
I will try this also in my lab when I have a moment. Will keep you posted.
Via CLI it rejects the simple signature (lacking some necessary fields). When doing in GUI it automatically adds --attack_id 9876;and --app_cat 6; when missing.
So the simplest signature is
set signature "F-SBID(--attack_id 5280; --name \"Google.Safebrowsing.Proxy\"; --service HTTP; --protocol tcp; --pattern \"proxy-safebrowsing.googleapis.com\";--app_cat 6; )"
Still, the traffic matches Proxy.HTTP
The Proxy.HTTP signature weight is 9 and, I believe the default weight is 10, so I hope the custom signature implicit weight is 10 (more preferable).
It is working now.
On Tuesday Oct 8 around 2PM the related traffic started to match my custom signature and stopped matching Proxy.HTTP for all our firewalls.
I have not changed anything in the configuration, and config captures show no difference in config.
The customer signature was pushed to the firewalls via FMG a week before it started to work.
Not sure how to explain it.
Current working signature:
config application custom
edit "Google.Safebrowsing.Proxy"
set comment ''
set signature "F-SBID( --attack_id 9876; --name \"Google.Safebrowsing.Proxy\"; --service HTTP; --protocol tcp; --app_cat 6; --pattern \"safebrowsing.googleapis.com\"; --weight 40;)"
set category 6
next
end
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1732 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.