- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Web Filter still allowing traffic?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Web Filter still allowing traffic?
I have a webfilter active with some URL's
URL Type Action Status
*.123.domain1.com Wildcard Allow Enable
*.123.domain2.com Wildcard Allow Enable
*.123.domain3.com Wildcard Allow Enable
*.* Wildcard Block Enable
If i do a telnet> telnet www.xyzdomain.com 443
In my opinion this should be blocked, but it shows:
HTTP/1.1 400 Bad Request
Server: nginx/1.17.7
Date: Thu, 18 Feb 2021 14:19:24 GMT
Content-Type: text/html
Content-Length: 157
Connection: close
<html> <head><title>400 Bad Request</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<hr><center>nginx/1.17.7</center>
</body>
</html>
Does this expose a security risk for PC contacting a Malware site.
Regards,
Henk
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your test is not good for this - URL Filtering looks at URLs in a valid browser<->web server connection, your telnet session cannot emulate this and will be closed (as you see in the output) by the web server as invalid. To verify, try browse to the domain.
Also make sure you don't have other rules that would allow outbound access to port 443 without Web Filtering applied.
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Yurisk,
Yurisk wrote:Your test is not good for this - URL Filtering looks at URLs in a valid browser<->web server connection, your telnet session cannot emulate this and will be closed (as you see in the output) by the web server as invalid. To verify, try
browse to the domain.
Bold Eagle:
I know, but what if my system was infected with malware, and the website has code injected for this malware and will react on the malware request, then it is still not blocked by the Fortigate Webfilter. Or is this technically impossible?
Also make sure you don't have other rules that would allow outbound access to port 443 without Web Filtering applied.
Bold Eagle: no other rules with port 443 exist.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
BTW The last rule in your URL FIlter should have action Block not Allow which makes URL filter to permit Any website.
Regarding the broader question of how to prevent potentially present in LAN malware to contact outside world, it is too broad of a question as this depends on malware, whether you are using Deep SSL inspection, whether you are using AppControl in addition to URL filtering. Or on a totally different side - are you using host based measures like EDR/Endpoint Protection?
You should formulate for yourself exact threats you are trying to prevent and do analysis of existing state of your security controls, then you will be able to answer "given this threat with these security measures already in place, what are chances of stopping this malware and what can be done to better those chances?".
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yurisk wrote:BTW The last rule in your URL FIlter should have action Block not Allow which makes URL filter to permit Any website.
[Bold Eagle]
There was a mistake in my overview, the last is a Block, I've corrected my question.
Regarding the broader question of how to prevent potentially present in LAN malware to contact outside world, it is too broad of a question as this depends on malware, whether you are using Deep SSL inspection, whether you are using AppControl in addition to URL filtering. Or on a totally different side - are you using host based measures like EDR/Endpoint Protection?
[Bold Eagle]
We also have Symantec SEP/SES in place as Endpoint protection, so we have several layers of safety nets.
You should formulate for yourself exact threats you are trying to prevent and do analysis of existing state of your security controls, then you will be able to answer "given this threat with these security measures already in place, what are chances of stopping this malware and what can be done to better those chances?".
[Bold Eagle]
Clear, thanks for your explanation.
Related Posts
- Combine Tables In Datasets 49 Views
- No Traffic Logs in FortiADC 180 Views
- Guide Tecnical Tip - How to... 231 Views
- Fortigate with Mikrotik Site to site... 380 Views
- Fortinet solution for DNS filtering when... 254 Views
Labels
-
FortiGate
6,448 -
FortiClient
1,287 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
410 -
5.6
362 -
FortiSwitch
331 -
FortiAP
327 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
66 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
54 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
ZTNA
15 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
DNS
11 -
Interface
11 -
BGP
10 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
FortiTester
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.