- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Web Filter Security Profile does not apply or log ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Web Filter Security Profile does not apply or log consistently
Scenario:
One "inside" server talks to another "outside" server over HTTPS. I want to monitor and log all traffic, with as much detail as possible.
I set up firewall policies to allow the traffic (from certain hosts to other certain hosts, on HTTP(S)),works great, traffic flows. I assign a web filter profile setup to "monitor" all categories, including unrated. This should have the effect of creating Web Filter Security Event Log entries for all URLs flowing through a given policy, since I monitor everything and monitoring logs, right? They all have the "certificate-inspection" profile assigned as well.
Except it doesn't.
When looking at the Forward traffic log, and the details on the right, some entries have the "Security" entry with web filtering details, while others do not. When filtering on a given firewall policy and selecting different log entries, the security tab appears and disappears, seemingly randomly, entry to entry.
Both the policy and security profile are flow-based. The only other security profile applied is the "certificate-inspection" one. So no SSL deep-inspection. I've read in a virous places however that that should be OK?
This is a FortiGate-VM 7.2.0. Lightly loaded, lots of CPU to spare, and RAM is at about 51% right now. All licensing, including FortiGuard, is current.
Any thoughts on what might be going on??
Thanks in advance.
Manager, IT Operations and Security
Solved! Go to Solution.
Manager, IT Operations and Security
Labels:
- Labels:
-
FortiGate
1 Solution
Anonymous
Not applicable
Created on 08-15-2022 01:23 PM Edited on 08-15-2022 01:24 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @jdoyon,
Thank you for reaching Fortinet Community. I would recommend you to perform the following:
1) Inspection mode: Ideally web filter best works in proxy mode as most of them are HTTPS traffic and the man-in-middle does the inspection in a better way. Also flow based web-filter has limited features. More info in below document:
2) Logging: Could you verify if the logging is set to 'All sessions' and also in the respective web profile if the logging is set to 'ALL'. More info in below KB article:
Hope this helps.
Thanks and regards,
2 REPLIES 2
Anonymous
Not applicable
Created on 08-15-2022 01:23 PM Edited on 08-15-2022 01:24 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @jdoyon,
Thank you for reaching Fortinet Community. I would recommend you to perform the following:
1) Inspection mode: Ideally web filter best works in proxy mode as most of them are HTTPS traffic and the man-in-middle does the inspection in a better way. Also flow based web-filter has limited features. More info in below document:
2) Logging: Could you verify if the logging is set to 'All sessions' and also in the respective web profile if the logging is set to 'ALL'. More info in below KB article:
Hope this helps.
Thanks and regards,
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Indeed, once I switched the relevant firewall policy to proxy, as well as the security profile, things started working better.
Also took me a while to realize that the URL filter only works on hostnames because with HTTPS, it only inspects SNI, instead of the whole URL.
Once I change my URL filter to be a hostname only, that also helped.
The GUI improvements in 7.2.1 also helped. Helped me realize that a session can have multiple log entries in the forward log, and that the web filter decision only appears on the last one. In flow mode this is a problem because of long-lived "keep-alive" TCP sessions. The URL would go through unfiltered in flow mode, because the session only closes much later.
Thanks for the help!
Manager, IT Operations and Security
Manager, IT Operations and Security
Related Posts
Labels
-
FortiGate
6,459 -
FortiClient
1,290 -
5.2
801 -
5.4
639 -
FortiManager
562 -
6.0
416 -
FortiAnalyzer
411 -
5.6
362 -
FortiSwitch
331 -
FortiAP
327 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
68 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
54 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
High Availability
21 -
FortiConverter
21 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
BGP
11 -
DNS
11 -
Interface
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.