Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Nickesh_k
New Contributor

Web Rating overrides not working as expected with proxy address with URL category.

Hi all,

I have configured SSO with the DC . DC maintains the multiple groups with multiple users for different access to the internet depending on the category such social media, web-based mail and etc. The web-filter profile were out of the option as it match the first policy and denies all the category for the users that are in other group. 

The proxy addresses with the URL category in destination parameter helped us to provide access to allow traffic and match all the policy configured.

While configuring proxy address with the URL category we had to override certain websites to different category. The web rating override is configured and site is mapped to different category. In the screen shot you can find the site from the Finance and Banking Category is overridden to Brokerage and Trading Category.

There is a different policy with specific group user that is allowed to access Brokerage and Trading and the Domain user group is not suppose to access the overridden site but the traffic is accepted by the default FortiGuard Category. The placement of policy doesn't have any effect on top-to-bottom approach.

But the policy with the original FortiGuard category can still access the overridden category in FortiProxy.
Even with the FortiGate configured with explicit proxy can still access site.

Please feel free to post your finding and suggestion to work around with the scenario.

Thank you

FortiProxy

Proxy address Group with URL Category.

 Proxy addressProxy address

Policy configured with Proxy address group.

0-02-06-878536bdf69c28bd05ee0b44358eceada3ab32a3639d0724d618a4929b566bf6_364042399bd773af.jpg

 

Web-rating Override

Web-rating OverrideWeb-rating Override

Logs

0-02-06-fd814ab934a1d5cb501c14040c2fc5b271a0520ad2d00be0c59140f47e88186d_72b97a2bcf43eef1.jpg

 

 

 

 

 

Cheers,
Nikesh
Cheers,Nikesh
12 REPLIES 12
gfleming
Staff
Staff

What does the UTM/web filter logs show for those policy hits?

Cheers,
Graham
Nickesh_k
New Contributor

There are no logs regarding the accepted traffic.

 

Cheers,
Nikesh
Cheers,Nikesh
Nickesh_k
New Contributor

@gfleming If I disable this policy the users that are in the policy with the destination parameter as Brokerage and Trading can access the mentioned site. This proves that the web rating override is working. But the Fortiproxy is unable to block the overridden site on the original Fortiguard Categories.

 

Cheers,
Nikesh
Cheers,Nikesh
gfleming

Can you please enable logging on your policies so we can review the logs?

 

Also as per the documentation, a web override should not leave the URL in the original category after you've created the override: https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/122974/web-rating-override

Cheers,
Graham
Nickesh_k
New Contributor

Yes, I have enabled the log with the All Sessions option. When you use the proxy address in the destination, it will only accept the traffic in the categories mapped with the proxy address.

The web-filter profiles can override the site when the category is enabled in monitored action. But we are working with the proxy address that matches all the policies from the top-to-bottom.

 

You don't get UTM logs, As the traffic is being accepted by the policy. You only get the logs in forward traffic as attached in the last screenshot.

 

Cheers,
Nikesh
Cheers,Nikesh
gfleming

OK I understand now. So you are not actually doing Web Rating overrides (Which is a function of the Web Filter security profile). You are creating custom Proxy Addresses and using those to steer your traffic. In that case yes it makes sense the behaviour you are experiencing as the changes are not global.

 

If you used Web Rating overrides in Web Filter it would be a global change. Can you use Web Filter and proper Web Rating Overrides?

Cheers,
Graham
Nickesh_k
New Contributor

I think the web rating override is working globally cause when you use the user with specific access to the overridden URL category proxy address you can find the site accessed from the overridden category.

Cheers,
Nikesh
Cheers,Nikesh
gfleming

To be honest I'm still not 100% clear on your actual config or issue here. You pasted a screen shot for one policy but you seem to be talking about other policies as well.

 

Either way, does this apply to your configuration?

 

When a new threat feed connector or web rating overrides in a custom category are created, it will not impact any web filters until the category's action is changed to Monitor, Block, Warning, or Authenticate in the specific web filter's settings.

 

From this Technical Tip: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-enable-explicitly-custom-categories...

Cheers,
Graham
Nickesh_k

config firewall proxy-address
edit "Finance and Banking Category"
set type category
set host "all"
set category 31
next
edit "Sharemarket Category"
set type category
set host "all"
set category 18
next
end

config webfilter ftgd-local-rating
edit "sharesansar.com"
set rating 18
next
edit "merolagani.com"
set rating 18
next
end

config firewall proxy-addrgrp
edit "Base Allowed Category Group"
set type dst
set member "Govt Sites of Nepal" "NRB Sites" "HBL Allow Url List" "Finance and Banking Category" "Government and Legal Organisations Category"
next
end

config firewall policy
edit 28
set type explicit-web
set name "ShareMarket"
set uuid 57e3b79e-b77c-51ed-e270-5c66e69a5c30
set dstintf "port1"
set srcaddr "all"
set dstaddr "Sharemarket Category"
set action accept
set schedule "always"
set service "webproxy"
set explicit-web-proxy "web-proxy"
set logtraffic all
set groups "AD Group-Share Market"
set comments " (Copy of Temp)"
next
edit 3
set type explicit-web
set name "Base Internet Access"
set uuid e4f14c8c-b696-51ed-50f7-1ed7df4d2eec
set dstintf "port1"
set srcaddr "all"
set dstaddr "Base Allowed Category Group"
set action accept
set schedule "always"
set service "webproxy"
set explicit-web-proxy "web-proxy"
set logtraffic all
next
end

 

As you said that we need to use the category action to be changed to Monitor, Block, Warning, or Authenticate to work with web-rating override. Override still works without using any web filter with the proxy address.

In this case, when you put policy ID 28 before policy ID 3 the users in that policy will be able to access the overridden URL. But as the URL is overridden from Finance and Banking category to Brokerage and trading the users that are in policy ID 3 will also be able to get access from those overridden sites from Finance and banking category.

I will give you the scenario and you can try this on your lab user A, B, and C. A and B need access to brokerage and trading. B and C need access to web-based email. A and C need access to Finance and Banking. You can override the same sites as mentioned and put a policy with overridden category before the policy with the original FortiGuard category. You will find that users A and B can access those sites but you will also find that User C is able to access the site.


The only resolution that I found for this till now is to use the web filter allowing the original category to the most privileged policy at the bottom. Once you use the web-filter you can find the overridden replacement message and web filter blocking the overridden site. 

Let me know your findings.

 

Cheers,
Nikesh
Cheers,Nikesh
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors