We have the google FQDN's opened per their suggestion ( https://support.google.com/a/answer/2589954?hl=en ) and ( https://support.google.com/drive/answer/6163291 )
the kids have discovered a number of gaming sites on google homepages, all seem to be named "unblocked games" i.e.
https://sites.google.com/site/unblockedgames4me
https://sites.google.com/site/unblockedgames77
https://sites.google.com/site/punblockedgames/
The problem is that blocking google by address doesn't seem to work as every request seems to use a different one, and I don't know why but I don't seem to be able to block by name.
I put in a simple IPV4 policy, source = any, Destination = "sites.google.com/site/unblockedgames4me", block
and it doesn't work. because it is a block there is no SSL inspection or anything like that....
When I look at the log there is nothing that says "sites.google.com/site/unblockedgames4me" just "encrypted-tbn1.gstatic.com" but I don't want to block all of google, just the few sites.
Can anyone help?
Solved! Go to Solution.
michellem812 wrote:[/size]If I enable Full (deep) inspection, then Google complains about HSTS issues. How did you get past that issue?
[size="2"]
[size="3"]See "config ssl-exempt" below.[/size]
FG60C (root) # show firewall ssl-ssh-profile "Deep-inspection with HSTS Exception" config firewall ssl-ssh-profile edit "Deep-inspection with HSTS Exception" set comment "Deep inspection!" config https set ports 443 end config ftps set ports 990 end config imaps set ports 993 end config pop3s set ports 995 end config smtps set ports 465 end config ssl-exempt edit 1 set type address set address "*.adobe.com" next edit 2 set type address set address "android" next edit 3 set type address set address "apple" next edit 4 set type address set address "appstore.com" next edit 5 set type address set address "citrixonline" next edit 6 set type address set address "dropbox.com" next edit 7 set type address set address "Gotomeeting" next edit 8 set type address set address "icloud" next edit 9 set type address set address "itunes" next edit 10 set type address set address "skype" next edit 11 set type address set address "swscan.apple.com" next edit 12 set type address set address "update.microsoft.com" next edit 13 set type address set address "HSTS" next end next end
FG60C (root) # show firewall addrgrp HSTS config firewall addrgrp edit "HSTS" set member "wikipedia" "Google" next end
FG60C (root) # show firewall addrgrp Google config firewall addrgrp edit "Google" set member "*.google.com.au" "*.google.com" next end
FG60C (root) # show firewall address *.google.com.au config firewall address edit "*.google.com.au" set type fqdn set fqdn "*.google.com.au" next end FG60C (root) # show firewall address *.google.com config firewall address edit "*.google.com" set type fqdn set fqdn "*.google.com" next end
Props to AlexFeren for the info on how to do this - I used that info and expanded on it to give me what I needed. You need to use Deep/Full SSL inspection to restrict on the words in the URL, and if you deploy certificates I think it is easier to configure the Fortigate, but I did not want to install certificates. So instead you have to do what AlexFeren suggested - use the Deep/Full SSL profile, but also exempt most sites/categories due to HSTS, so that the end users don't get a web prompt to 'continue to this site' for most sites. If you do not require end-users to install a certificate on their device, then it is a matter of playing with the "firewall ssl-ssh-profile" exemptions to get around Chrome's HSTS restrictions but still block what you want.
Don't use a FQDN Object for Webfiltering
Please go to Security Profiles > Webfilter and select your used Webfilter
Check Enable URL Filter and click Create New
Enter your URL, make sure Enable is checked and hit OK and Apply
Make sure the Webfiltering Profile is selected for your internal to wan policy
unfortunately that doesnt work. I tried it, the logs showed 2 blocked packets, then success to a different address and the website came up. I am going to have to open a support ticket on this I think.
Just go through this and you will get the idea on how to do it.
What you did failed exactly because it had no ssl inspection as you said. Also don't forget to block google's new quic protocol.
so many people are struggling with this because of their quic thing now..we should have a sticky post with a checklist for webfiltering.
thanks, I will give it a try
Did you figure this out? I haven't gotten it working yet either, but I did just disable QUIC. I opened a support ticket to ask FG, but didn't know if you had it working to block the "unblocked" Google sites yet, yet leave all the other Google sites open.
Mbutler522010 wrote:I believe it's working for me:unfortunately that doesnt work.
FG60C (root) # show firewall policy 18 config firewall policy edit 18 set srcintf "any" set dstintf "any" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" set utm-status enable set logtraffic all set comments "Block Ads" set av-profile "Block_Virus_Botnet_AV" set webfilter-profile "Block_Ads_Security_WF" set application-list "Block_Botnet_AppCtrl" set profile-protocol-options "default" set ssl-ssh-profile "Deep-inspection with HSTS Exception" next end
FG60C (root) # show webfilter profile Block_Ads_Security_WF config webfilter profile edit "Block_Ads_Security_WF" set ovrd-perm bannedword-override urlfilter-override fortiguard-wf-override contenttype-check-override config override set ovrd-scope ask set ovrd-dur 2h set ovrd-user-group "Local Users Group" set profile "monitor-all for override" end config web set urlfilter-table 1 end config ftgd-wf unset options set category-override g01 g02 g04 g05 g06 g07 g21 142 140 141 set ovrd 8 13 14 g05 17 config filters edit 17 set category 17 set action block next edit 26 set category 26 set action block next edit 61 set category 61 set action block next edit 86 set category 86 set action block next edit 87 set category 13 set action block next edit 88 set category 8 set action block next edit 89 set category 14 set action block next end end next end
FG60C (root) # get webfilter urlfilter *id ID. 1 Block_Ads_Security_WF FG60C (root) # show webfilter urlfilter 1 config webfilter urlfilter edit 1 set name "Block_Ads_Security_WF" config entries edit 1 set url "s.yimg.com/gs/apex/mediastore/*" set type wildcard set action block next edit 2 set url "sites.google.com/site/unblockedgames4me" set type wildcard set action block next end next end
FG60C (root) # execute log filter reset FG60C (root) # execute log filter category utm-webfilter FG60C (root) # execute log filter field urlfilteridx 1
Now, from my machine, X.X.25.70, issue :
$ curl -ik https://sites.google.com/site/unblockedgames4me :
<p> The page you have requested has been blocked, because the URL is banned. </p> :
On Fortigate get:
FG60C (root) # execute log display 11 logs found. 10 logs returned. 1: date=2015-12-09 time=17:02:32 logid=0315012544 type=utm subtype=webfilter eventtype=urlfilter level=warning vd="root" urlfilteridx=1 urlfilterlist="Block_Ads_Security_WF" policyid=18 sessionid=463855 user="" srcip=X.X.25.70 srcport=54357 srcintf="internal4" dstip=203.13.161.86 dstport=443 dstintf="wan1" proto=6 service=HTTPS hostname="sites.google.com" profile="Block_Ads_Security_WF" action=blocked reqtype=direct url="/site/unblockedgames4me" sentbyte=102 rcvdbyte=0 direction=outgoing msg="URL was blocked because it is in the URL filter list" crscore=30 crlevel=high :
[Edit: corrected URL]
Sorry for the late reply, but mine still doesn't work. What settings do you have for your "set ssl-ssh-profile "Deep-inspection with HSTS Exception" profile? I believe that might be my issue. With only "set status certificate-inspection" instead of full/deep inspection, then my FG won't block by the wildcard in the Google site URL. If I enable Full (deep) inspection, then Google complains about HSTS issues. How did you get past that issue?
michellem812 wrote:[/size]If I enable Full (deep) inspection, then Google complains about HSTS issues. How did you get past that issue?
[size="2"]
[size="3"]See "config ssl-exempt" below.[/size]
FG60C (root) # show firewall ssl-ssh-profile "Deep-inspection with HSTS Exception" config firewall ssl-ssh-profile edit "Deep-inspection with HSTS Exception" set comment "Deep inspection!" config https set ports 443 end config ftps set ports 990 end config imaps set ports 993 end config pop3s set ports 995 end config smtps set ports 465 end config ssl-exempt edit 1 set type address set address "*.adobe.com" next edit 2 set type address set address "android" next edit 3 set type address set address "apple" next edit 4 set type address set address "appstore.com" next edit 5 set type address set address "citrixonline" next edit 6 set type address set address "dropbox.com" next edit 7 set type address set address "Gotomeeting" next edit 8 set type address set address "icloud" next edit 9 set type address set address "itunes" next edit 10 set type address set address "skype" next edit 11 set type address set address "swscan.apple.com" next edit 12 set type address set address "update.microsoft.com" next edit 13 set type address set address "HSTS" next end next end
FG60C (root) # show firewall addrgrp HSTS config firewall addrgrp edit "HSTS" set member "wikipedia" "Google" next end
FG60C (root) # show firewall addrgrp Google config firewall addrgrp edit "Google" set member "*.google.com.au" "*.google.com" next end
FG60C (root) # show firewall address *.google.com.au config firewall address edit "*.google.com.au" set type fqdn set fqdn "*.google.com.au" next end FG60C (root) # show firewall address *.google.com config firewall address edit "*.google.com" set type fqdn set fqdn "*.google.com" next end
Thank you so much!!! I am much closer on this now. It seems like many websites use HSTS, so if I want to use wildcard URL filters on HTTPS sites, then I should use Full/deep inspection to block the sites I want to block...but then I still need to exempt most everything else. So that's where I'm at now, trying to figure out all the sites I need to exempt. But this is so much closer to blocking the 'unblocked' Google sites - so thank you!!!
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.