Hello everybody,
I'm working on a Fortigate 60E (FortiOS 7.2.8).
My PC is on an isolated network (I'm the only host) and there is only one simple rule:
As you can see, the security profile is very simple: it has a DLP configured with a profile that only intercepts credit card information. The dictionary is the default credit card type, while the sensor is configured to match any message or file on every protocol:
The problem is that for some reason, sites like facebook.com are blocked by the same policy.
date=2024-06-19 time=17:57:53 id=7382244222788698112 itime="2024-06-19 17:57:54" euid=1026 epid=1030 dsteuid=3 dstepid=101 logflag=3 logver=702081639 type="traffic" subtype="forward" level="notice" action="close" utmaction="block" policyid=19 sessionid=796241 srcip=10.1.20.4 dstip=157.240.203.35 transip=192.168.1.4 srcport=64759 dstport=443 transport=64759 trandisp="snat" duration=1 proto=6 sentbyte=1886 rcvdbyte=1565 sentpkt=14 rcvdpkt=14 logid=0000000013 unauthuser="r.dipascale" srcname="MacBook_Pro" service="HTTPS" app="HTTPS" appcat="unscanned" fctuid="92CB99E956C6570AB48FD3B7E84960C7" srcintfrole="lan" dstintfrole="wan" srcserver=0 policytype="policy" eventtime=1718812673181524199 wanin=8803 wanout=1150 lanin=2930 lanout=829 countweb=1 poluuid="a6630e6c-2e1b-51ef-5ba8-5e215e3c9279" srcmac="00:e0:4c:a3:17:56" mastersrcmac="00:e0:4c:a3:17:56" srccountry="Reserved" dstcountry="Italy" srcintf="Test Config" dstintf="wan1" unauthusersource="forticlient" policyname="dlp" dstowner="facebook.com" tz="+0200" srcremote=79.10.64.49 devid="FGT60FTK23099PH2" vd="root" utmref="BAQQAAAEAAAB3AQCAAAEAc2YBAHNm" dtime="2024-06-19 17:57:53" itime_t=1718812674 devname="ntd-fg"
How is this possible? Policy 19 has only DLP... what am I doing wrong?
Then I have another question. Is this kind of rule able to intercept credit card information also in applications like Outlook (desktop client), Microsoft Teams, Gmail and so on?
Thank you so much for your help!
It says policy ID 19. Can you review its config?
Try CLI, that's authoritative:
> show firewall policy 19
And to spoil some fun in advance, the FortiGate is complaining about unsupported Content-Encoding, namely "zstd", which started to be recently used by Facebook/Meta-owned sites:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-and-ZSTD-implementation-for-exam...
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Facebook-Meta-webpages-cannot-be-loa...
So filtering this will be problematic.
Maybe the facebook pages contain some number sequences that accidentally look like credit card numbers?
Consider checking the DLP log itself, that should hopefully give some more detail. (Forward traffic log doesn't usually say as much with regards to the UTM results).
It may also be good to view the site/page/code that triggered the block. Either in the browser's network debugger screen, "View Page Source", etc.
Created on 06-20-2024 05:44 AM Edited on 06-20-2024 05:45 AM
Thank you for the reply.
I don't think the problem could be a credit card number inside my Facebook homepage, because I've visited the site several times. I will take a look at the security logs.
Created on 06-20-2024 07:07 AM Edited on 06-20-2024 07:14 AM
Hello, I've found a related security log (looking at the forward logs and selecting the tab "security"):
date=2024-06-19 time=17:57:51 id=7382244218493730817 itime="2024-06-19 17:57:53" euid=1026 epid=1030 dsteuid=3 dstepid=101 logver=702081639 type="utm" subtype="webfilter" level="warning" action="blocked" sessionid=796241 policyid=19 srcip=10.1.20.4 dstip=157.240.203.35 srcport=64759 dstport=443 proto=6 logid=0349013696 service="HTTPS" eventtime=1718812672115534599 srcintfrole="lan" dstintfrole="wan" url="facebook.com" eventtype="unknown-ce" srcintf="Test Config" dstintf="wan1" msg="Unknown content-encoding detected and blocked." tz="+0200" devid="FGT60FTK23099PH2" vd="root" dtime="2024-06-19 17:57:51" itime_t=1718812673 devname="ntd-fg"
From this log I see that the subtype of the event is "webfilter" (we are in the same ID 19 policy), but how is it possible? The firewall policy has only a DLP profile.
Looking at the DLP security logs, I've found no correlated entries:
(also looking at the event time, which should be 17:53:53), and the same is true for the SSL security logs (the only interface we have in the network, called Test Config, isn't there):
Thank you.
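The two log lines quoted in this thread show why the traffic log alone is misleading: the forward-traffic record only says utmaction="block" for policy 19, while the UTM record for the same sessionid carries the real verdict (subtype="webfilter", eventtype="unknown-ce"). The script below is an added example, not code from the thread or from Fortinet: it parses FortiGate key=value syslog lines (quoted values may contain spaces, e.g. srcintf="Test Config"), groups records by device, VDOM and sessionid, and for every blocked traffic record lists which UTM feature produced the block. The sample input is the two lines posted above; the grouping key (devid, vd, sessionid) is my assumption of what uniquely identifies a session across log types.

```python
import re
from collections import defaultdict

# Sample input: the two log lines posted in this thread (traffic + UTM, same sessionid).
SAMPLE_LOGS = [
    'date=2024-06-19 time=17:57:53 id=7382244222788698112 itime="2024-06-19 17:57:54" euid=1026 epid=1030 dsteuid=3 dstepid=101 logflag=3 logver=702081639 type="traffic" subtype="forward" level="notice" action="close" utmaction="block" policyid=19 sessionid=796241 srcip=10.1.20.4 dstip=157.240.203.35 transip=192.168.1.4 srcport=64759 dstport=443 transport=64759 trandisp="snat" duration=1 proto=6 sentbyte=1886 rcvdbyte=1565 sentpkt=14 rcvdpkt=14 logid=0000000013 unauthuser="r.dipascale" srcname="MacBook_Pro" service="HTTPS" app="HTTPS" appcat="unscanned" srcintfrole="lan" dstintfrole="wan" srcserver=0 policytype="policy" eventtime=1718812673181524199 countweb=1 srcintf="Test Config" dstintf="wan1" policyname="dlp" dstowner="facebook.com" tz="+0200" devid="FGT60FTK23099PH2" vd="root" dtime="2024-06-19 17:57:53" itime_t=1718812674 devname="ntd-fg"',
    'date=2024-06-19 time=17:57:51 id=7382244218493730817 itime="2024-06-19 17:57:53" euid=1026 epid=1030 dsteuid=3 dstepid=101 logver=702081639 type="utm" subtype="webfilter" level="warning" action="blocked" sessionid=796241 policyid=19 srcip=10.1.20.4 dstip=157.240.203.35 srcport=64759 dstport=443 proto=6 logid=0349013696 service="HTTPS" eventtime=1718812672115534599 srcintfrole="lan" dstintfrole="wan" url="facebook.com" eventtype="unknown-ce" srcintf="Test Config" dstintf="wan1" msg="Unknown content-encoding detected and blocked." tz="+0200" devid="FGT60FTK23099PH2" vd="root" dtime="2024-06-19 17:57:51" itime_t=1718812673 devname="ntd-fg"',
]

# key=value pairs; a value is either a double-quoted string (may contain spaces)
# or a run of non-whitespace characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_line(line):
    """Parse one FortiGate syslog line into a dict, stripping the quotes from quoted values."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def correlate_sessions(lines):
    """Group parsed records by (devid, vd, sessionid) so traffic and UTM logs meet."""
    sessions = defaultdict(list)
    for line in lines:
        rec = parse_fortigate_line(line)
        if "sessionid" in rec:
            key = (rec.get("devid"), rec.get("vd"), rec["sessionid"])
            sessions[key].append(rec)
    return sessions


def explain_blocks(lines):
    """For each traffic record with utmaction=block, report the UTM records of the same
    session: which feature (subtype) fired, its eventtype and message. Returns a list of dicts."""
    findings = []
    for (devid, vd, sessionid), recs in correlate_sessions(lines).items():
        blocked = [r for r in recs if r.get("type") == "traffic" and r.get("utmaction") == "block"]
        utm = [r for r in recs if r.get("type") == "utm"]
        for t in blocked:
            findings.append({
                "devid": devid,
                "vd": vd,
                "sessionid": sessionid,
                "policyid": t.get("policyid"),
                "dst": t.get("dstowner") or t.get("dstip"),
                # Which UTM features actually produced a verdict for this session.
                "utm_subtypes": sorted({u.get("subtype") for u in utm}),
                "reasons": [(u.get("subtype"), u.get("eventtype"), u.get("msg")) for u in utm],
            })
    return findings


if __name__ == "__main__":
    for f in explain_blocks(SAMPLE_LOGS):
        print(f"session {f['sessionid']} policy {f['policyid']} -> {f['dst']}: "
              f"blocked by {f['utm_subtypes']}")
        for subtype, eventtype, msg in f["reasons"]:
            print(f"  {subtype}/{eventtype}: {msg}")
```

Run on the thread's two lines, it attributes the facebook.com block to the webfilter engine with eventtype unknown-ce, not to DLP, which is the answer the OP was looking for; pointing it at an export of both the forward-traffic and the UTM logs from the same session makes this correlation routine rather than a manual tab-by-tab search in the GUI.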