Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
krusty
New Contributor

Created on ‎03-26-2017 07:23 PM

Web filtering not performed following Application control

Hello,

 

Hope someone can help here.

 

The fortigate seems to skip web filtering following application control. Is this normal?

 

Thanks in advance.

9281
0 Kudos
1 Solution
hmtay_FTNT
Staff
Staff
In response to krusty

Created on ‎03-29-2017 07:15 AM

Hi krusty,

 

I replied to the PM. Can you enable certificate-inspection under "SSL Inspection"? If you do not enable that, the IPS engine will not scan any SSL sessions.

 

HoMing

View solution in original post

2853
0 Kudos
8 REPLIES 8
hmtay_FTNT
Staff
Staff

Created on ‎03-27-2017 05:46 AM

Hello krusty,

 

If you enabled a Web Filter profile with Application Control, and the App Control action does not drop the traffic, no, it should not skip web filtering. However, if App Control drops the traffic, then Web Filter will not apply. How did you test your policy? Can you send me your configuration file and let me know which policy ID are you using?

 

HoMing

2826
0 Kudos
Iescudero
Contributor II
In response to hmtay_FTNT

Created on ‎03-27-2017 06:32 AM

Hello!

Application Control and IPs were applied before web filter, so this is a normal behaviour.

 

2826
0 Kudos
krusty
New Contributor
In response to hmtay_FTNT

Created on ‎03-28-2017 03:02 PM

Hi,

 

I've PM'ed you the config.

 

Following application control we can still get to the blocked sites.

 

Thanks

2826
0 Kudos
hmtay_FTNT
Staff
Staff
In response to krusty

Created on ‎03-29-2017 07:15 AM

Hi krusty,

 

I replied to the PM. Can you enable certificate-inspection under "SSL Inspection"? If you do not enable that, the IPS engine will not scan any SSL sessions.

 

HoMing

2854
0 Kudos
PDG
New Contributor
In response to hmtay_FTNT

Created on ‎03-29-2017 11:34 AM

Are you using Proxy or flow mode?

 

Did you checked the following Settings?:

 

config firewall profile-protocol-options 

config http 

set Status enable # <- this must be enabled ; otherwise webfiltering AND AV won't work

end

next

end

 

 

2826
0 Kudos
krusty
New Contributor
In response to PDG

Created on ‎03-30-2017 06:09 PM

Hi,

 

Thanks for the response.

 

It is in proxy-based mode.

 

config firewall profile-protocol-options is not enabled. Will this cause a loss of access on other policies if I enable it?

 

Cheers

 

 

2826
0 Kudos
PDG
New Contributor
In response to krusty

Created on ‎03-30-2017 11:54 PM

Hi Dan, you have to enable it for every protocol you'd like to scan. Otherwise in proxy mode no av+webfiltering will work. By default it should be enabled. I had also one unit/firmware there it was disabled by default. Cheers, Patrick
2826
0 Kudos
krusty
New Contributor
In response to PDG

Created on ‎04-09-2017 09:58 PM

Enabling certificate inspection worked.

 

Thanks for your help guys!! :)

2826
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.​

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2023 Fortinet, Inc. All Rights Reserved.