Support Forum
Ashie
New Contributor

Web filtering once connected through SSL VPN

Hi, the issue is as follows. User accounts authenticate with LDAP. Once connected to the VPN there is a policy which allows users to browse the internet. The policies work 100%, but the problem comes when web filtering does not filter blocked sites. I have blocked the social networking category and Windows Updates, but when users browse through the VPN this is not blocked. The same web filter is used when connecting to the local LAN, and social networking and Windows Updates are blocked there. Is there anything I'm overlooking? Below is an example of the logs - Windows Updates allowed
8 replies
AtiT
Valued Contributor

Hello, Could you please tell us what FortiGate unit you are using and the firmware version? Do you have HTTPS (SSL) scanning enabled?

emnoc
Esteemed Contributor III

How are you applying the webfilter, and for the SSL VPN interface? I have a policy that lets my sslvpn users turn around and "nat" back out. You can apply the security profile with the selected UTM on the firewall policy that allows for this. Make sure you double and triple check your policy ordering if you have multiple policies.

PCNSE NSE StrongSwan
Nihas
New Contributor

1. You cannot block Windows Update through WEB FILTER. You have to use APPLICATION CONTROL to block it. And you might have missed applying the Application Filter in the SSL policy for internet.
2. I believe you already disabled split tunneling in SSL? If you are using SPLIT tunneling you cannot block the websites, because the requests will also pass through your local gateway.
emnoc
Esteemed Contributor III

Good catch for #2: if your split tunnel is working, then your security profiles will not be matched for routes offered up by split tunneling. Do a traceroute to the websites that are not being blocked. Do they pass through the FGT? You can diagnose the URL filter via the following command: diag debug application urlfilter 2

PCNSE NSE StrongSwan
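Pulling the advice in this thread together (emnoc: put the profiles on the policy that the ssl.root traffic actually hits and check policy order; Nihas: application control for Windows Update and no split tunneling; emnoc: verify with the urlfilter debug), here is an added example of the configuration pieces that have to line up, written in FortiOS 5.2-style CLI. It is not posted by anyone in the thread and the names marked ASSUMED (portal "full-access", outbound interface "wan1", LDAP group "VPN_Users", profile names "COMPANY_USERS", the mapping of that group to the portal under `config vpn ssl settings`, which is not shown) are placeholders for your own objects.

```fortios
# Added example (not from the thread): FortiOS 5.2-style CLI. Names marked
# ASSUMED are placeholders; substitute your own interface, address, group
# and profile names.

# 1. Disable split tunneling on the portal the LDAP users land on, so every
#    packet from the client enters the tunnel and therefore hits a FortiGate
#    policy instead of leaving via the client's local gateway.
#    ASSUMED portal name "full-access".
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set split-tunneling disable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end

# 2. The policy that lets tunnel users reach the Internet. The security
#    profiles must live on THIS policy, not on the LAN-to-WAN one: traffic
#    from the tunnel arrives on ssl.root, so the LAN policy never sees it.
#    ASSUMED: outbound interface "wan1", LDAP group "VPN_Users",
#    profile names "COMPANY_USERS".
config firewall policy
    edit 10
        set srcintf "ssl.root"
        set dstintf "wan1"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set groups "VPN_Users"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set utm-status enable
        set webfilter-profile "COMPANY_USERS"
        # Web filter alone does not catch Windows Update; the application
        # control profile that blocks it has to be on this policy too.
        set application-list "COMPANY_USERS"
        # Category filtering on HTTPS sites needs at least certificate
        # inspection so the FortiGate can see the server name.
        set ssl-ssh-profile "certificate-inspection"
        set profile-protocol-options "default"
    next
end

# 3. Verification from the CLI while a VPN user browses a blocked site.
#    Confirm the session really traverses ssl.root and this policy before
#    blaming the profile.
diagnose debug reset
diagnose debug application urlfilter 2
diagnose debug enable
# ... browse from the VPN client and watch for the category verdict ...
diagnose debug disable
diagnose debug reset
# Confirm the packets arrive on ssl.root at all (verbosity 4, 20 packets):
diagnose sniffer packet ssl.root 'port 80 or port 443' 4 20
```

Policy ordering is the usual trap: if a broader ssl.root policy without profiles sits above policy 10, the tunnel traffic matches that one first and the web filter never runs, which is exactly the symptom in the original post. If the sniffer on ssl.root shows nothing while the user is browsing, split tunneling (or a route pushed to the client) is sending the traffic around the FortiGate and no profile on any policy can help.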
Ashie
New Contributor

@AtiT The FortiGate unit is a 1240B and runs v5.2.0. Where do I enable SSL scanning in the policy for the incoming port ssl.root? See below my policy: @emnoc The policy is working according to order, as users at the bottom policy are using the rule set for them. I've checked the logs and this all shows in there. @Nihas you are correct in saying so. I've checked now and see app control is not applied. I will implement that as soon as I get approval from change control. Split tunneling is disabled.
Nihas
New Contributor

Okay. What about the web filter (the websites which you blocked through the "COMPANY_USERS" profile)? Are the users still able to access the blocked pages?
Ashie
New Contributor

@Nihas - yes, these users are still able to access blocked pages.
Nihas
New Contributor

Hi Ashie, did you cross-check that split tunneling is "Disabled"? If the policy is working inside the office and the same is not happening through the VPN, it doesn't look like an issue with the web filtering.