Hello everybody,
I'm working on a Fortigate 60E (FortiOS 7.2.8).
My pc is on an isolated network (i'm the only host) and there is only one simple rule:
As you can see, the security profile is very simple, it has a DLP configured with a profile that only intercepts the credit cards' informations. The dictionary is the default c redit card type, while the sensor is configured to any message or file regarding every protocol:
The problem is that for some reason, sites like facebook.com are blocked by the same policy.
date=2024-06-19 time=17:57:53 id=7382244222788698112 itime="2024-06-19 17:57:54" euid=1026 epid=1030 dsteuid=3 dstepid=101 logflag=3 logver=702081639 type="traffic" subtype="forward" level="notice" action="close" utmaction="block" policyid=19 sessionid=796241 srcip=10.1.20.4 dstip=157.240.203.35 transip=192.168.1.4 srcport=64759 dstport=443 transport=64759 trandisp="snat" duration=1 proto=6 sentbyte=1886 rcvdbyte=1565 sentpkt=14 rcvdpkt=14 logid=0000000013 unauthuser="r.dipascale" srcname="MacBook_Pro" service="HTTPS" app="HTTPS" appcat="unscanned" fctuid="92CB99E956C6570AB48FD3B7E84960C7" srcintfrole="lan" dstintfrole="wan" srcserver=0 policytype="policy" eventtime=1718812673181524199 wanin=8803 wanout=1150 lanin=2930 lanout=829 countweb=1 poluuid="a6630e6c-2e1b-51ef-5ba8-5e215e3c9279" srcmac="00:e0:4c:a3:17:56" mastersrcmac="00:e0:4c:a3:17:56" srccountry="Reserved" dstcountry="Italy" srcintf="Test Config" dstintf="wan1" unauthusersource="forticlient" policyname="dlp" dstowner="facebook.com" tz="+0200" srcremote=79.10.64.49 devid="FGT60FTK23099PH2" vd="root" utmref="BAQQAAAEAAAB3AQCAAAEAc2YBAHNm" dtime="2024-06-19 17:57:53" itime_t=1718812674 devname="ntd-fg"
How is this possible? The Policy 19 has only DLP...what am I doing wrong?
Than I have another question. This kind of rule is able to intercept credit card informations also in application like outlook (desktop client), microsoft teams, gmail and so on?
Thank you so much for your help!
1 Solution
Hello, I've found a related security log (looking at the forward logs and selecting the tab "security"):
date=2024-06-19 time=17:57:51 id=7382244218493730817 itime="2024-06-19 17:57:53" euid=1026 epid=1030 dsteuid=3 dstepid=101 logver=702081639 type="utm" subtype="webfilter" level="warning" action="blocked" sessionid=796241 policyid=19 srcip=10.1.20.4 dstip=157.240.203.35 srcport=64759 dstport=443 proto=6 logid=0349013696 service="HTTPS" eventtime=1718812672115534599 srcintfrole="lan" dstintfrole="wan" url="facebook.com" eventtype="unknown-ce" srcintf="Test Config" dstintf="wan1" msg="Unknown content-encoding detected and blocked." tz="+0200" devid="FGT60FTK23099PH2" vd="root" dtime="2024-06-19 17:57:51" itime_t=1718812673 devname="ntd-fg"
From this log I see that the subtype of the event is "webfilter" (we are in the same ID 19 policy), but how is it possible? The firewall policy has only a DLP profile.
Looking at the DLP security logs, I've found no correlated entries:
(also looking at the event time that should be 17:53:53), and the same is for the SSL security logs (there isn't the only interface we have in the network, that is called Test Config):
Thank you.
