jor1
New Contributor

Intermittently blocked by application filter

Hi,

 

I've got a site that's being blocked by the student policy
(yearbookavenue.jostens.com 192.189.112.187). It's a big single page web
app type site that makes a lot of xml http requests. Students can visit
the site just fine, but when students go to save their progress on the
site it makes a POST request to yearbookavenue.jostens.com/savestuff or
whatever and this will work fine on my machine when I'm hitting the
Staff policy, but produces an error when on a student account on a chromebook.

 

Looking in the firewall logs I can see that the IP address
192.189.112.197 is allowed when the "Application Name" is HTTPS.BROWSER but blocked when it's SSL. I've
allowed the site in web filter but it seems like it's still being
blocked at the application level somehow, like the SPA is producing a
different application signature. To make things trickier, sometimes traffic to that site produces HTTPS.BROWSER when students access it, allowing them to save, but other times it produces SSL traffic and it's blocked.

 

I've tried adding an application signature:

config application custom
    edit "yearbookavenue"
        set comment "yearbookavenue.jostens.com signature"
        set signature "F-SBID( --attack_id 6694; --name Allow.YearbookAvenue.jostens.com; --pattern yearbookavenue.jostens.com; --service SSL; --protocol tcp; --no_case; --app_cat 32; )"
        set category 32
    next
end

This is my first time writing one and I'm kind of confused as to how it works, and I've also failed to apply it to the student application policy.

 

I'm therefore kind of stuck on how to allow yearbookavenue.jostens.com
on the FortiGate. I've included a screenshot that can show you what I'm
talking about a little better. I filtered only destination
192.189.112.187 and you can see that SSL is getting denied and
HTTPS.BROWSER is allowed.

 

Thanks,

Jordan
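
One way to confirm the pattern described in the post above is to tally application name and action per destination from exported log lines. This Python script is an added example, not part of the original thread; the sample lines, the field names (srcip, dstip, app, action) and the action values are constructed assumptions, not the poster's logs.

```python
import re
from collections import Counter

# Constructed sample records in FortiGate-style key=value form (not real logs).
# Field names and action values are assumptions for illustration.
SAMPLE_LOG = """\
date=2024-01-10 time=09:01:02 subtype="app-ctrl" srcip=10.0.5.21 dstip=192.189.112.187 dstport=443 app="HTTPS.BROWSER" action="pass"
date=2024-01-10 time=09:01:40 subtype="app-ctrl" srcip=10.0.5.21 dstip=192.189.112.187 dstport=443 app="SSL" action="block"
date=2024-01-10 time=09:02:11 subtype="app-ctrl" srcip=10.0.5.34 dstip=192.189.112.187 dstport=443 app="HTTPS.BROWSER" action="pass"
date=2024-01-10 time=09:02:15 subtype="app-ctrl" srcip=10.0.5.34 dstip=203.0.113.10 dstport=443 app="SSL" action="pass"
date=2024-01-10 time=09:03:05 subtype="app-ctrl" srcip=10.0.5.34 dstip=192.189.112.187 dstport=443 app="SSL" action="block"
"""

# key=value, where value is either "quoted text" or a bare token
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Turn one log line into a dict, stripping quotes from quoted values."""
    return {k: q if b == "" else b for k, q, b in FIELD.findall(line)}

def summarize(log_text, dstip):
    """Count (app, action) pairs for traffic to one destination IP."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("dstip") == dstip:
            counts[(rec.get("app", "unknown"), rec.get("action", "unknown"))] += 1
    return counts

def apps_by_action(counts, action):
    """Sorted application names that received the given action."""
    return sorted({app for (app, act) in counts if act == action})

def clients_with_both(log_text, dstip):
    """Source IPs that saw both pass and block to the same destination."""
    seen = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("dstip") == dstip:
            seen.setdefault(rec.get("srcip"), set()).add(rec.get("action"))
    return sorted(ip for ip, acts in seen.items() if {"pass", "block"} <= acts)

if __name__ == "__main__":
    counts = summarize(SAMPLE_LOG, "192.189.112.187")
    for (app, action), n in sorted(counts.items()):
        print(f"{app:15} {action:6} {n}")
    print("mixed clients:", clients_with_both(SAMPLE_LOG, "192.189.112.187"))
```

A client listed by clients_with_both reached the same destination under two different application names, which points at application identification rather than the web filter as the source of the intermittent block.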

3 REPLIES
yderek
Staff

Hi, jor1

 

If allowing it in application control does not help, bypass the website or domain in your inspection profile. The KB article below might help:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Exempting-applications-domains-websites-fr...

 

Feel free to post here if you have any other doubts.

jor1
New Contributor

In my case the firewall is not configured to use SSL inspection method: full SSL inspection. So the above article doesn't apply to my situation.

 

*EDIT: It seems that I might not have applied the signature correctly to the policy. I've tried again and it seems to want to stick this time.

yderek
Staff

 

What version of FortiOS are you currently running?

Try the commands below to see whether you have a correct connection to FortiGuard:

exe ping services.fortiguard.net
exe ping update.fortiguard.net

Run the debug below:

dia de reset
dia de dis
dia de app update -1
dia de en
exe update-now

Let the debug run for 1 minute; to stop it, use the commands below:

dia de dis
dia de reset
