sw2090
Honored Contributor

static url filter does not work when category is blocked

I have this url:

https://scnem2.com/goto.php?l=6zyco3.14kg484,u=ca0e6e8374547cefdd49da232d825666,n=2mt9d.301e22,art_i...

scnem2.com is rated in category "information technology" by fortiguard which is blocked in webfilter here.

I set up a static url filter rule for the url with type exempt.

Thus this rule does not match and I get blocked by utm category.

I don't want to allow this category or set a rating override for the domain. I want my users to be able to open just this one url.

This is all in one webfilter profile that applies to the used policy. I see in traffic and webfilter log that the correct profile is used.

Also diag test app urlfilter 3 on cli shows no match for this url unless I unblock or override the category.

Is this no longer possible? I remember that this worked in FortiOS before 6.x.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
5 REPLIES
localhost
Contributor III

Are you using Type: Simple and Action: Exempt in the static url filter?

sw2090
Honored Contributor

Yes, that is what I do. I know accept would still trigger the utm filters, and I use type simple. Even using only part of the url and making a wildcard rule with that does not work.
Dave_Hall
Honored Contributor

If the fgt is not using full SSL inspection, it will likely only see *.scem2.com. Another thing is that url appears to be redirected to the www.loeffler.at domain, so you may need to do exemption on that url too. May want to check to see how the fgt handles url redirects.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
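
The two points in the reply above (hostname-only visibility without full SSL inspection, and the redirect to a second domain), as an added example that is not part of the thread and not Fortinet code. The redirect chain, the placeholder paths and the exact-match rule are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed redirect chain: (request URL, Location header or None).
# The page's URL is truncated, so query and target path are placeholders.
CHAIN = [
    ("https://scnem2.com/goto.php?l=PLACEHOLDER",
     "https://www.loeffler.at/PLACEHOLDER"),
    ("https://www.loeffler.at/PLACEHOLDER", None),
]


def visible(url, deep_inspection):
    """What a filter can compare against for one request.

    HTTPS without decryption exposes only the hostname (SNI/certificate);
    HTTP or decrypted HTTPS exposes host, path and query.
    """
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    if p.scheme == "https" and not deep_inspection:
        return host
    return host + p.path + ("?" + p.query if p.query else "")


def uncovered_hops(chain, entries, deep_inspection):
    """Return the hops that no exempt entry matches.

    Assumption: an entry matches on exact, case-insensitive equality, a
    simplified stand-in for a 'simple' entry, not FortiOS's own matcher.
    """
    wanted = {e.lower() for e in entries}
    missed = []
    for url, _location in chain:
        seen = visible(url, deep_inspection)
        if seen.lower() not in wanted:
            missed.append((url, seen))
    return missed


if __name__ == "__main__":
    full_url_entry = ["scnem2.com/goto.php?l=PLACEHOLDER"]
    for deep in (False, True):
        print("deep inspection:", deep)
        for url, seen in uncovered_hops(CHAIN, full_url_entry, deep):
            print("  not exempted:", url, "(filter sees", repr(seen) + ")")
```

This models only what is visible to a filter at each hop; it does not model the order in which FortiOS evaluates URL filter entries and FortiGuard categories.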
sw2090
Honored Contributor

Hm, I retested with a policy now that does have full inspection enabled (and with different url). The policy is definitely matched and the target of the forward is not blocked by category.

Still I have the same behaviour even with enabled full inspection:

Even though there is an exempt rule for that url in url filter it still gets blocked by category. If I set a rating override for it to a category that is in the reputation list in the ssl profile it does not get blocked any longer.

To me that looks like if deep inspection does not care for webfilter profiles and url filters and just only looks at its own whitelist by category. This is not very satisfying. In times of more and more *censored* tracking and putting everything into some cloud this will also create a security risk as you mostly have to whitelist most of the cloud since rating override only works for domains.

I verified that now: as long as there is an url filter exempt rule in the webfilter profile applied to the policy the site is accessible if you use http. It is still blocked when you use https as it is not in a reputable category.

So looks to me as if you cannot use any webfilter profiles with https atm. SSL Inspection allows filtering by fortiguard categories only. Filtering specific urls is obviously impossible atm.

I also opened a TAC Ticket for this and another issue connected to it. TAC will do a remote session with me at a yet-to-be negotiated time and date to have a close look at this.
sw2090
Honored Contributor

To make it even worse: ever since I set a web rating override for scnem2.com to a reputable category in ssl inspection profile the site is accessible. It even stays accessible when I remove the rating override.

Looks like this gets cached somewhere on the FGT. Emptying Browser Cache on Client or Webfilter Cache on FGT does not help here.

Additionally google does not work in all browsers (except IE) when deep inspection is on. Thus google starts to work in all other browsers once you opened it in IE for one time.

Even TAC couldn't tell me why those things happen...