FortiGate
Jonathan_Body_FTNT
Article Id 191097

Description

This article clarifies how the FortiGate behaves when setting the Block Invalid URL option from Web Filtering UTM profile.


Scope

All FortiGate users


Solution

When configuring "block-invalid-url" within "config firewall profile", it is important to understand how the FortiGate behaves once this option is active.

Enable to block web sites whose SSL certificate's CN field does not contain a valid domain name.

FortiGate units always validate the CN field, regardless of whether this option is enabled. However, when this option is disabled, a validation failure does not cause the FortiGate unit to block the request, but it does change the behaviour of FortiGuard Web Filtering:

1) If the request is made directly to the web server, rather than a web server proxy, the FortiGate unit queries for FortiGuard Web Filtering category or class ratings using the IP address only, not the domain name.

2) If the request is to a web server proxy, the real IP address of the web server is not known, and so rating queries by either or both the IP address and the domain name is not reliable. In this case, the FortiGate unit does not perform FortiGuard Web Filtering.


When a visited URL contains an underscore ("_"), the site will be blocked when "block-invalid-url" is enabled, because the underscore is not part of the valid hostname alphabet.
As per RFC 952:
"A "name" (Net, Host, Gateway, or Domain name) is a text string up to 24 characters drawn from the alphabet (A-Z), digits (0-9), minus sign (-), and period (.)."
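The following is an added illustration, not FortiGate code: it models the CN check using the RFC 952 alphabet quoted above and the three outcomes described in this article. The per-label rules (no empty labels, no leading or trailing hyphen, a leading "*" wildcard label accepted) and the omission of the 24-character limit are assumptions, since the exact validation FortiGate applies is not published here.

```python
import re

# RFC 952 name alphabet as quoted in the article: letters, digits, minus, period.
# Hostnames are case-insensitive, so lower-case letters are accepted as well.
_RFC952_LABEL = re.compile(r"^[A-Za-z0-9-]+$")


def is_valid_cn_hostname(cn: str) -> bool:
    """Return True if the CN looks like a hostname built from the RFC 952 alphabet.

    Assumptions (not FortiGate's published logic): each dot-separated label must be
    non-empty, must not start or end with '-', and may only use A-Z, 0-9 and '-'.
    A leading '*' label is allowed so that wildcard certificates pass. The RFC's
    24-character limit is not enforced; the article cites the RFC for its alphabet.
    """
    if not cn or len(cn) > 253:
        return False
    labels = cn.rstrip(".").split(".")
    for i, label in enumerate(labels):
        if i == 0 and label == "*":        # wildcard certificate, e.g. *.example.com
            continue
        if not label or len(label) > 63:
            return False
        if not _RFC952_LABEL.match(label):  # rejects '_' and any other stray character
            return False
        if label[0] == "-" or label[-1] == "-":
            return False
    return True


def webfilter_decision(cn: str, block_invalid_url: bool, via_proxy: bool) -> str:
    """Model the behaviour the article describes for one HTTPS request.

    Returns one of:
      "rate-by-domain"       : CN valid, normal FortiGuard rating (domain name known)
      "block"                : CN invalid and block-invalid-url enabled
      "rate-by-ip-only"      : CN invalid, option disabled, request direct to the server
      "no-fortiguard-rating" : CN invalid, option disabled, request via a web proxy
    """
    if is_valid_cn_hostname(cn):
        return "rate-by-domain"
    if block_invalid_url:
        return "block"
    if via_proxy:
        # Real server IP unknown, so neither IP nor domain rating is reliable.
        return "no-fortiguard-rating"
    return "rate-by-ip-only"
```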
