FortiGate
fropert_FTNT
Staff
Article Id 196650
Description
A FortiGate is configured to redirect HTTP or HTTPS traffic to WCCP transparent caching servers through a firewall policy that has WCCP enabled.
If the WCCP servers are operationally down, the policy with WCCP enabled is skipped during policy lookup and the traffic falls through to the next policy that matches it.
Depending on what that next policy does, traffic may be interrupted or, as in this example, allowed without FortiGuard web filtering, because the next policy that matches the traffic pattern has no UTM profile assigned.

Firewall policies:

config firewall policy
    edit 4
        set srcintf "lan"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set wccp enable                    <= WCCP is enabled
        set webfilter-profile "default"    <= FortiGuard web filtering is configured
        set profile-protocol-options "default"
        set nat enable
    next
    edit 2
        set srcintf "lan"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
end

Consider an HTTP request to www.fortinet.com while the WCCP servers are unreachable: policy 4 is skipped.
The traffic then matches policy 2, as shown by the policy_id field in the session entry from diagnose sys session list:

session info: proto=6 proto_state=01 duration=16 expire=3592 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
statistic(bytes/packets/allow_err): org=6257/99/1 reply=251010/172/1 tuples=2
orgin->sink: org pre->post, reply pre->post dev=6->3/3->6 gwy=72.31.227.254/1.124.2.18
hook=post dir=org act=snat 1.124.2.18:57410->66.171.121.34:80(72.31.224.182:28902)
hook=pre dir=reply act=dnat 66.171.121.34:80->72.31.224.182:28902(1.124.2.18:57410)
misc=0 policy_id=2 id_policy_id=0 auth_info=0 chk_client_info=0 vd=0

Because policy 2 has no web filter profile applied, every website is reachable by the users for as long as the WCCP servers are down, and nothing in the policy log flags the change of inspection.

Solution
To keep FortiGuard web filtering applied when the WCCP servers are unreachable, the next policy that matches the same traffic must carry the same web filter profile (together with utm-status enable and a protocol options profile, which the profile requires). The same applies to any other security profile the WCCP policy relies on.
Policy 2 is rewritten below to meet the customer requirement for FortiGuard web filtering; when WCCP is up, policy 4 still matches first and nothing changes for the cached traffic.

config firewall policy
    edit 2
        set srcintf "lan"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set utm-status enable
        set webfilter-profile "default"    <= FortiGuard web filtering is now configured
        set profile-protocol-options "default"
        set nat enable
    next
end

After the change, a session that falls through while the WCCP servers are down still shows policy_id=2 in diagnose sys session list, but the web filter profile is now applied to it.
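As an added example (not part of the article and not a Fortinet tool), the following Python script audits a FortiGate policy configuration for exactly this fall-through gap, covering both the Description and the Solution above. It parses the config firewall policy block in lookup order and, for every policy with wccp enable, finds the next policy that could carry the same traffic and reports whether that policy would drop the traffic, or accept it without the web filter profile the WCCP policy uses. The two embedded configurations are constructed from the article's policies (before and after the change); the function names and the overlap heuristic are the example's own assumptions.

```python
"""Audit a FortiGate 'config firewall policy' block for WCCP fall-through gaps.

Added example, not from the original article or from Fortinet.
Constructed sample configs below mirror the article's policies 4 and 2.
"""
import re
import shlex
from typing import List, Optional

HEADER = "config firewall policy\n"
POLICY4 = """    edit 4
        set srcintf "lan"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set wccp enable                    <= WCCP is enabled
        set webfilter-profile "default"
        set profile-protocol-options "default"
        set nat enable
    next
"""
POLICY2_BEFORE = """    edit 2
        set srcintf "lan"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
"""
# The fixed policy 2: same match criteria, web filtering added as in the article.
POLICY2_AFTER = POLICY2_BEFORE.replace(
    "        set nat enable\n",
    "        set utm-status enable\n"
    '        set webfilter-profile "default"\n'
    '        set profile-protocol-options "default"\n'
    "        set nat enable\n",
)
BEFORE = HEADER + POLICY4 + POLICY2_BEFORE + "end\n"
AFTER = HEADER + POLICY4 + POLICY2_AFTER + "end\n"


def parse_policies(config: str) -> List[dict]:
    """Return policies as dicts of setting -> list of values, in lookup order."""
    policies: List[dict] = []
    current: Optional[dict] = None
    for raw in config.splitlines():
        line = raw.split("<=")[0].strip()  # drop KB-style "<= ..." annotations
        m = re.match(r"^edit (\d+)$", line)
        if m:
            current = {"id": m.group(1)}
        elif line == "next" and current is not None:
            policies.append(current)
            current = None
        elif current is not None:
            m = re.match(r"^set (\S+)\s+(.+)$", line)
            if m:
                current[m.group(1)] = shlex.split(m.group(2))  # handles "HTTP" "HTTPS"
    return policies


def can_match_same_traffic(wccp_policy: dict, later: dict) -> bool:
    """Conservative overlap test: wildcards always overlap, else share a value.

    Assumed wildcards: "any" for interfaces, "all" for addresses, "ALL"/"ANY"
    for services (FortiOS uses ANY on older releases and ALL on newer ones).
    """
    checks = (("srcintf", {"any"}), ("dstintf", {"any"}), ("srcaddr", {"all"}),
              ("dstaddr", {"all"}), ("service", {"ALL", "ANY"}))
    for key, wildcards in checks:
        a, b = set(wccp_policy.get(key, [])), set(later.get(key, []))
        if b & wildcards:
            continue
        if not a & b:
            return False
    return True


def wccp_fallthrough_gaps(config: str) -> List[str]:
    """List WCCP-enabled policies whose fall-through path loses web filtering."""
    policies = parse_policies(config)
    findings = []
    for i, pol in enumerate(policies):
        if pol.get("wccp") != ["enable"]:
            continue
        fallback = next((p for p in policies[i + 1:] if can_match_same_traffic(pol, p)), None)
        if fallback is None:
            findings.append(f"policy {pol['id']}: no later policy matches; traffic hits "
                            "the implicit deny when the WCCP servers are down")
            continue
        if fallback.get("action") != ["accept"]:  # absent action means deny
            findings.append(f"policy {pol['id']}: falls through to policy "
                            f"{fallback['id']}, which denies the traffic")
            continue
        profile = pol.get("webfilter-profile")
        inspected = (fallback.get("utm-status") == ["enable"]
                     and fallback.get("webfilter-profile") == profile)
        if profile and not inspected:
            findings.append(f"policy {pol['id']}: falls through to policy "
                            f"{fallback['id']} without web filter profile {profile[0]!r}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, wccp_fallthrough_gaps(cfg) or ["no fall-through gaps"])
```

On the article's original configuration the audit reports that policy 4 falls through to policy 2 without the "default" web filter profile; on the rewritten configuration it reports nothing. The overlap test is deliberately conservative (it does not expand address groups or service groups), so run it on a config exported with show firewall policy and review any finding by hand.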