Hi All, We have a Fortigate 30E and I have a requirement to block certain page in a particular domain.
Ex.) There is a domain https://xyz.com. That primary domain must be allowed, but a page in that domain must not be blocked, like https://xyz.com/page1.php? . I could find that after allowing the primary domain the firewall is creating a session, hence not blocking any URI path further. Correct me if I am wrong. Also please provide a way to implement the URI block (or) HTTP method block (or) using any other method, but the primary domain should be blocked. Thanks.
You can use static URL filter in Web Filter profile to allow a specific URL instead of the domain. You can also use wildcard/regex to match a specific pattern. Example shown in the attached image. Mark it solved if it answered your query.
Hi Yashwani,
Thanks for your reply. I have tried this but the problem is,
Please suggest me if there is any way to work on this.
You can use a regular expression to exclude the specific page and allow all others, instead of the full domain (https://xyz.com).
Let me try this and update you, Thanks.
Do you use deep packet inspection for this encrypted traffic?
Thanks for your reply. Yes Hermann. I have tried deep packet inspection with the default CA certificate. Not working. Even tried content inspection with some website content in the block list. But no use.
Deep packet inspection is a MUST to enable any control of sub-URLs in the content filters. Without DPI the Fortigate is not able to see any content in encrypted packets. The host name could be visible, though, if it is a part of the SSL/TLS handshaking.
I have tried Deep Packet Inspection. My doubt is, will FortiGate look into the sub-URL / path after creating the stateful session entry for the particular destination? The firewall is doing the man-in-the-middle process, but I am not sure whether it is checking the requested sub-URL / path for that domain every time. Is there anything to deal with cookies?
afaik you should not be worried about TLS 1.2 and before; each packet will be inspected. I have no idea whether UTP works smoothly with TLS 1.3, though.
Copyright 2024 Fortinet, Inc. All Rights Reserved.