Vbharath_FTNT
Article Id 191944
Description
This article explains how to configure URL-based address objects (firewall proxy addresses) so that they match HTTPS requests when used with the explicit web proxy.

Solution
From FortiOS v5.2.x, URL-based address objects can be configured on the FortiGate unit to allow specific URLs from a firewall policy.

However, when the destination is an HTTPS URL, such a policy may not match the traffic.

Network diagram (image: vbharat_FD40584_tn_FD40584-1.jpg)

For example, if the following two policies are configured:
Policy1 - URL-based address object to allow URL = "video.fortinet.com/video/261/security-fabric-installation-5-6".

Policy2 - Allow policy with a web filter profile that blocks the category "Information Technology".
When the request is plain HTTP, the full URL is visible in the request line, so it matches the URL-based address object and access is allowed by policy1.

However, when the request is HTTPS, the proxy only sees a CONNECT request that carries the host name and port; the path of the URL is inside the TLS-encrypted HTTP request, so the FortiGate cannot match it against the URL-based address object at that point.

To see the URL, the FortiGate has to decrypt the session and then evaluate the request against the firewall policy. SSL decryption, however, is performed after the policy lookup, so URL-based address objects do not match HTTPS requests and the request falls through to the next policy (policy2 in this example).

FortiOS v5.6 introduced a setting that evaluates the request against the proxy policies a second time, after SSL decryption has been done.

For the above example, the following configuration must be in place to allow HTTPS requests using URL-based address objects:
config firewall profile-protocol-options
    edit "default"
        config http
            set http-policy enable  
        end
    next
end

SSL deep inspection must be used in both policies (certificate inspection is not sufficient, because it only sees the server name and certificate, never the URL path), and http-policy must be enabled under the protocol options profile referenced by those policies. Deep inspection also requires the clients to trust the FortiGate CA certificate used for re-signing, otherwise browsers will warn about the connection.

With "set http-policy enable", after SSL deep inspection decrypts the request, the proxy evaluates the decrypted HTTP request against the proxy policies again. The URL that was hidden inside the TLS session can therefore be matched against the URL-based address object, and policy1 is selected.
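To make the two-phase matching concrete, the following is an added example (not Fortinet code and not part of the original article) that models how the explicit proxy matches an HTTPS request against the article's two proxy policies before and after TLS decryption. The wildcard-FQDN and path matching rule, and the category table standing in for the FortiGuard rating, are assumptions of the model.

```python
# Added example, not Fortinet code: a model of explicit web proxy policy
# matching for HTTPS before and after TLS decryption, using the policy layout
# from this article. Assumptions: the path match is "exact or sub-path", and
# the CATEGORY table is constructed data standing in for the FortiGuard rating.
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional


@dataclass
class ProxyAddress:
    """A URL-type proxy address: wildcard FQDN host plus an optional path."""
    name: str
    host_pattern: str          # e.g. "*.fortinet.com" (a wildcard-fqdn address)
    path: str = ""             # e.g. "/video/261/..."; empty matches any path

    def matches(self, host: str, path: Optional[str]) -> bool:
        if not fnmatchcase(host.lower(), self.host_pattern.lower()):
            return False
        if not self.path:
            return True
        if path is None:
            # Only the CONNECT host:port has been seen so far; the path is still
            # inside the TLS tunnel, so a path-based object cannot match.
            return False
        # Model assumption: the exact path or a sub-path of it matches.
        return path == self.path or path.startswith(self.path.rstrip("/") + "/")


@dataclass
class ProxyPolicy:
    policyid: int
    dstaddr: Optional[ProxyAddress]   # None stands for dstaddr "all"
    webfilter_profile: str


# Constructed category data (not a real FortiGuard lookup).
CATEGORY = {"video.fortinet.com": "Information Technology"}
BLOCKS = {"block_information_technology": {"Information Technology"},
          "monitor-all": set()}

FTNT_URL1 = ProxyAddress("ftnt_url1", "*.fortinet.com",
                         "/video/261/security-fabric-installation-5-6")
POLICIES = [
    ProxyPolicy(1, FTNT_URL1, "monitor-all"),
    ProxyPolicy(2, None, "block_information_technology"),
]


def first_match(policies: List[ProxyPolicy], host: str,
                path: Optional[str]) -> Optional[ProxyPolicy]:
    """Top-down first match, as in a FortiGate policy table."""
    for p in policies:
        if p.dstaddr is None or p.dstaddr.matches(host, path):
            return p
    return None


def evaluate(policies, host, path, https, http_policy_redirect):
    """Return the policy that ends up handling the request."""
    if not https:
        # Plain HTTP: the full URL is in the request line from the start.
        return first_match(policies, host, path)
    # HTTPS: the first lookup only has the CONNECT host and port.
    chosen = first_match(policies, host, None)
    if http_policy_redirect:
        # "set http-policy enable": re-evaluate once deep inspection has
        # decrypted the request and the path is known.
        chosen = first_match(policies, host, path)
    return chosen


def webfilter_action(policy: ProxyPolicy, host: str) -> str:
    """'passthrough' or 'blocked', mirroring the action field in the logs."""
    cat = CATEGORY.get(host, "Unrated")
    return "blocked" if cat in BLOCKS[policy.webfilter_profile] else "passthrough"


def decide(host, path, https, http_policy_redirect):
    """(policyid, web filter action) for one request."""
    policy = evaluate(POLICIES, host, path, https, http_policy_redirect)
    return policy.policyid, webfilter_action(policy, host)


if __name__ == "__main__":
    url = "/video/261/security-fabric-installation-5-6"
    print("HTTP                :", decide("video.fortinet.com", url, False, False))
    print("HTTPS, no redirect  :", decide("video.fortinet.com", url, True, False))
    print("HTTPS, redirect     :", decide("video.fortinet.com", url, True, True))
    print("HTTPS root, redirect:", decide("video.fortinet.com", "/", True, True))
```

Without the redirect the HTTPS request for the allowed URL lands on policy2 and is blocked by category; with it, the second evaluation selects policy1, which is the behaviour the log records below show.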

To enable this setting in the web GUI:

Security Profiles > Proxy Options > edit the profile > select the option "HTTP Policy Redirect"

(image: vbharat_FD40584_tn_FD40584-2.jpg)

Configuration (CLI)

The wildcard FQDN address covers the host part of the URL; the proxy address "ftnt_url1" references that address object by name in "set host" and carries the path separately:

config firewall address
    edit "fortinet.com"
        set type wildcard-fqdn
        set wildcard-fqdn "*.fortinet.com"
    next
end

config firewall proxy-address
    edit "ftnt_url1"
        set type url
        set host "fortinet.com"
        set path "/video/261/security-fabric-installation-5-6"
    next
end

config firewall profile-protocol-options
    edit "default"
        config http
            set http-policy enable  
        end
    next
end

config firewall proxy-policy
    edit 1
        set proxy explicit-web
        set dstintf "port10"
        set srcaddr "all"
        set dstaddr "ftnt_url1"
        set service "webproxy"
        set action accept
        set schedule "always"
        set logtraffic all
        set utm-status enable
        set webfilter-profile "monitor-all"
        set profile-protocol-options "default"
        set ssl-ssh-profile "deep-inspection-lab"
    next
    edit 2
        set uuid 7c265834-203b-51e7-4123-455f8f218612
        set proxy explicit-web
        set dstintf "port10"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set logtraffic all
        set utm-status enable
        set av-profile "default"
        set webfilter-profile "block_information_technology"
        set profile-protocol-options "default"
        set ssl-ssh-profile "deep-inspection-lab"
    next
end

Verification of configuration and troubleshooting

When the client tries to access the URL "video.fortinet.com/video/261/security-fabric-installation-5-6", access is allowed by policy1:
date=2017-05-04 time=09:47:45 logid="0317013312" type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="root" policyid=1 sessionid=987350404 srcip=10.25.3.1 srcport=50394 srcintf="port9" dstip=208.91.114.157 dstport=443 dstintf="port10" proto=6 service="HTTPS" hostname="video.fortinet.com" profile="monitor-all" action="passthrough" reqtype="direct" url="/video/261/security-fabric-installation-5-6" sentbyte=941 rcvdbyte=3281 direction="outgoing" msg="URL belongs to an allowed category in policy" method="domain" cat=52 catdesc="Information Technology"

When the client tries to access the URL "video.fortinet.com/" (the site root, which does not match the URL-based address object), access is blocked by policy2:
date=2017-05-04 time=09:51:14 logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" policyid=2 sessionid=987350461 srcip=10.25.3.1 srcport=50451 srcintf="port9" dstip=208.91.114.157 dstport=443 dstintf="port10" proto=6 service="HTTPS" hostname="video.fortinet.com" profile="block_information_technology" action="blocked" reqtype="direct" url="/" sentbyte=1345 rcvdbyte=137 direction="outgoing" msg="URL belongs to a denied category in policy" method="domain" cat=52 catdesc="Information Technology" crscore=30 crlevel="high"
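To check the same thing from exported logs rather than by eye, here is an added example (not Fortinet code and not part of the original article) that parses FortiGate key=value log records, including quoted values that contain spaces, and confirms that an HTTPS request for the allowed URL was handled by the URL-based policy with the web filter passing it through. The two records embedded below are the ones shown in this article; the function names are this example's own.

```python
# Added example, not Fortinet code: parse FortiGate web filter log records and
# verify that the URL-based address object took effect for an HTTPS request.
# LOG_LINES are the two records shown in the article above.
import re
from typing import Dict, List, Tuple

LOG_LINES = [
    'date=2017-05-04 time=09:47:45 logid="0317013312" type="utm" subtype="webfilter" '
    'eventtype="ftgd_allow" level="notice" vd="root" policyid=1 sessionid=987350404 '
    'srcip=10.25.3.1 srcport=50394 srcintf="port9" dstip=208.91.114.157 dstport=443 '
    'dstintf="port10" proto=6 service="HTTPS" hostname="video.fortinet.com" '
    'profile="monitor-all" action="passthrough" reqtype="direct" '
    'url="/video/261/security-fabric-installation-5-6" sentbyte=941 rcvdbyte=3281 '
    'direction="outgoing" msg="URL belongs to an allowed category in policy" '
    'method="domain" cat=52 catdesc="Information Technology"',
    'date=2017-05-04 time=09:51:14 logid="0316013056" type="utm" subtype="webfilter" '
    'eventtype="ftgd_blk" level="warning" vd="root" policyid=2 sessionid=987350461 '
    'srcip=10.25.3.1 srcport=50451 srcintf="port9" dstip=208.91.114.157 dstport=443 '
    'dstintf="port10" proto=6 service="HTTPS" hostname="video.fortinet.com" '
    'profile="block_information_technology" action="blocked" reqtype="direct" url="/" '
    'sentbyte=1345 rcvdbyte=137 direction="outgoing" '
    'msg="URL belongs to a denied category in policy" method="domain" cat=52 '
    'catdesc="Information Technology" crscore=30 crlevel="high"',
]

# key=value, where the value is either "quoted, may contain spaces" or a bare token
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log(line: str) -> Dict[str, str]:
    """Split one FortiGate log record into a dict of field -> value."""
    record = {}
    for m in _KV.finditer(line):
        record[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return record


def summarize(line: str) -> Tuple[int, str, str, str]:
    """(policyid, full URL, web filter action, category) for one record."""
    r = parse_log(line)
    return int(r["policyid"]), r["hostname"] + r["url"], r["action"], r["catdesc"]


def url_object_effective(lines: List[str], allowed_url: str, allow_policyid: int) -> bool:
    """True when an HTTPS request for allowed_url was matched by allow_policyid
    and passed through, i.e. the re-evaluation after decryption hit the
    URL-based address object instead of falling through to the catch-all."""
    for line in lines:
        r = parse_log(line)
        if r.get("service") != "HTTPS":
            continue
        if r.get("hostname", "") + r.get("url", "") == allowed_url:
            return int(r["policyid"]) == allow_policyid and r.get("action") == "passthrough"
    return False


if __name__ == "__main__":
    for line in LOG_LINES:
        print(summarize(line))
    print(url_object_effective(
        LOG_LINES, "video.fortinet.com/video/261/security-fabric-installation-5-6", 1))
```

If the check returns False while the full URL appears in the log with policyid=2, the request is still being matched only on the CONNECT host, which usually means http-policy is not enabled on the protocol options profile or the policy is using certificate inspection instead of deep inspection.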
