- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Problems with blocking urls with .js or .css
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Problems with blocking urls with .js or .css
Have others here had issues with blocking urls\downloads that inlcude .js or .css files?
fortiguard correctly catagorises the website and the main site, images etc. are blocked but it seems that if directly accessing a url with the above extensions, webfiltering is bypassed?
NSE8
Fortinet Expert partner - Norway
NSE8Fortinet Expert partner - Norway
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Tested on version 5.0 Patch 5
By doing the following you can safely test this Fortigate security hole:
1) Under " Security Profile -> Web Filter -> Profiles" , check/enable FortiGuard Categories and block " Adult/Mature Content -> Pornography" .
2) Remember to check the box before " Rate Images by URL (Blocked images will be replaced with blanks)" so that images will be blocked. If this box is not checked you are able to download images from any domains in a blocked category. You can test this if you enable/use this WEB-filter profile in your Policy and try to visiting http://static2.playboy.com/assets/tour/img/home/casting-call-small-dallas.jpg (a safe picture of the American city Dallas).
3) Visit http://static2.playboy.com/. This site is correctly blocked as Pornography.
4) Visit http://static2.playboy.com/assets/tour/css/common.css?cb=134 and download the content. This CSS-file is not blocked.
5) Visit http://static2.playboy.com/assets/tour/js/base/firstload.js?cb=134 and download the content. This JS-file is not blocked.
In this test you are downloading a .css-file and a .js-file from a blocked domain. But the file could be a .zip, .exe, .bat, or anything else as long as it is not a picture or .html/.shtml/.htm-file. I would argue that this is a big security problem.
If you block the Fortigate Category " Security Risk" your clients should be safe from malware from these domains right? Well, they are still able to get infected since malware does not come as HTML-files or pictures.
This means that your clients can visit http://www.orgsite.info/.../cryptolocker.exe or http://www.gumblar.cn/.../flashback.payload or http://www.d99q.cn/../sasser.js and download and run the content and get infected with whatever malware the site host at the time. An infected client can also download updates for the malware it has.
You can argue that this will be stopped by the Fortigate Antivirus or IPS. That would be true if the Fortigate had all of todays and future signatures. Since malware mutate fast, new ones rise every minute and they are often encrypted it would be impossible for the Fortigate to recognize and stop every type of malware from entering your network.
Can you fix this Fortinet?
If I decide to block domains using the " Fortigate Category" , I would like the Web Filter to block ANY web-request to those blocked domains. This is how Sophos UTM and CheckPoint (I have tested them) and probably all the other FW-vendors do it.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For js and css files it is documented on page 88 here: http://docs.fortinet.com/fgt/handbook/50/5-0-5/fortigate-security_profiles-50.pdf
" The reason for this is that to optimize speed throughput and reduce the load on the FortiGuard servers the FortiGate does not determine a category rating on scripts and css files."
But rating by domain and ip + ftgd-wf strict-blocking could help here.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Allowing clients to download/run CSS and JS file from any domain is a security risk. Hiding malware in JavaScript is easy, and it is highly unlikely that the Fortigate antivirus will be able to stop all of it from running and installing on a client/server.
The whole point of using a web-filter is to completely block access to domains that the company do not want client/servers to access. I find it questionable that Fortinet has decided to allow certain files (and thereby compromising the security) to make the Fortigate look better when comparing web filtering speed against other vendors.
Is it possible to make the Fortigate block the domains selected from " Security Profile – Web Filter – Profiles - FortiGuard Categories" completely? Is there a switch in CLI or GUI that makes it block any request to these domains so that JS and CSS files will be blocked as well?
Related Posts
- Centos 9 upgrade problem 27 Views
- web filter and app control do... 64 Views
- Access Denied - The page... 90 Views
- SSL VPN connection attempt prompts Fortiguard... 123 Views
- FortiGate 60D as switch with firewall 331 Views
Labels
-
FortiGate
6,943 -
FortiClient
1,368 -
5.2
801 -
5.4
639 -
FortiManager
600 -
FortiAnalyzer
440 -
6.0
416 -
5.6
362 -
FortiAP
362 -
FortiSwitch
358 -
FortiClient EMS
281 -
FortiMail
269 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
168 -
6.4
128 -
FortiNAC
123 -
FortiGuard
111 -
IPsec
99 -
FortiGateCloud
92 -
FortiSIEM
91 -
SSL-VPN
87 -
FortiCloud Products
85 -
FortiToken
75 -
Customer Service
70 -
4.0MR3
64 -
Wireless Controller
63 -
FortiProxy
48 -
FortiADC
45 -
FortiEDR
42 -
SD-WAN
42 -
Fortivoice
41 -
FortiDNS
37 -
FortiExtender
35 -
FortiGate v5.4
35 -
FortiSandbox
33 -
FortiSwitch v6.4
32 -
Firewall policy
31 -
High Availability
28 -
FortiAuthenticator
27 -
VLAN
27 -
FortiConnect
24 -
FortiWAN
23 -
ZTNA
21 -
FortiConverter
21 -
DNS
20 -
FortiGate v5.2
19 -
FortiPortal
18 -
FortiSwitch v6.2
17 -
SAML
17 -
LDAP
17 -
Certificate
17 -
BGP
16 -
VDOM
16 -
FortiMonitor
14 -
FortiLink
14 -
Interface
14 -
Logging
14 -
Authentication
13 -
FortiGate v5.0
13 -
Routing
13 -
FortiDDoS
13 -
FortiCASB
12 -
NAT
11 -
RADIUS
10 -
SSL SSH inspection
10 -
Traffic shaping
10 -
Fortigate Cloud
10 -
Virtual IP
10 -
SSO
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
SSID
8 -
FortiBridge
8 -
WAN optimization
8 -
Application control
8 -
FortiGate v4.0 MR3
8 -
IP address management - IPAM
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
SNMP
7 -
Web profile
7 -
Admin
7 -
4.0
7 -
Security profile
6 -
Traffic shaping policy
6 -
Web application firewall profile
6 -
Proxy policy
5 -
Packet capture
5 -
FortiAP profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Antivirus profile
4 -
Automation
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
trunk
4 -
Port policy
4 -
FortiDeceptor
3 -
Fortinet Engage Partner Program
3 -
FortiToken Cloud
3 -
Traffic shaping profile
3 -
FortiPAM
3 -
DoS policy
3 -
Email filter profile
3 -
Web rating
3 -
Intrusion prevention
3 -
FortiDB
3 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Users
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Fabric connector
2 -
Netflow
2 -
Multicast routing
2 -
Protocol option
2 -
4.0MR1
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Explicit proxy
1 -
Zone
1
Top Kudoed Authors
| User | Count |
|---|---|
| 991 | |
| 831 | |
| 462 | |
| 440 | |
| 132 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.