I'm using a Fortigate 4200 running firmware 7.4. Most of our rules use FQDNs like www.microsoft.com but this seems very permissive. Ideally we'd like to examine the actual URLs being used and restrict i.e. allow things like http://www.microsoft.com/crl or https://www.microsoft.com/crl. We have many applications/systems that don't support explicit proxying so explicit proxy is not an option.
So in the absence of using an explicit proxy is this possible?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
You can simply use web filtering profile (create as per your requirement) with flow mode policy inspection. However, it will give better result when you use policy in proxy-based inspection.
For fine tuning of URL/application you can use "static web filter", also you can explore "application control" profile with proxy-based inspection
Explicit proxy is not needed.
But you need to perform deep inspection in proxy-mode policy.
With certificate inspection only, FortiGate is only able to see the domain name for that particular website. So the full URL is not visible, can't be logged, no action can be taken. Deep inspection profile is the only way (note the default profile may exempt several sites from deep inspection)
Hi @shocko ,
You need to use Deep Inspection instead of Certificate Inspection for the SSL Inspection profile so FGT can tell the real URL in the HTTP header. Then you can use the static URL filter to allow/deny such URLs.
For more info about the static URL Filter, please check this KB:
In the References section at the end, there are a lot of useful links as well.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1705 | |
1093 | |
752 | |
446 | |
230 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.