FortiGate
mramalinga
Staff
Article Id 197999

Description
This article provides details of the ‘Simple’ URL filter type inspection in Flow inspection mode.

Solution
In Flow-based inspection, the IPS engine inspects the traffic.

For 'Simple' patterns, the IPS engine uses a rule in which only partial matching is possible.
This behavior is by design.

Example 1:
If camel.com is added as type 'Simple' under Static URL Filter, in Flow mode the IPS engine also matches URLs with the domain 'camelcamelcamel.com'.

Example 2:
The Static URL Filter is configured to block the 'Simple' type entry 's.id'. In this case, the website apps.identrust.com is also blocked.

Configured as below:

config webfilter urlfilter
    edit 1
        set name "Auto-webfilter-urlfilter_fuajzhlqi"
        config entries
            edit 27
                set url "s.id"         <-----
                set action block       <-----
            next
        end
    next
end

Excerpt from the WebFilter log:

date=2021-03-10 time=09:33:58 id=6937940868305257768 itime="2021-03-10 09:33:58" euid=3 epid=6288 dsteuid=3 dstepid=101 logver=604021723 type="utm" subtype="webfilter" level="warning" action="blocked" sessionid=383954196 policyid=55 srcip=10.1.2.3 dstip=192.35.177.64 srcport=51121 dstport=80 proto=6 logid=0315012544 service="HTTP" eventtime=1615365238986150716 urlfilteridx=1 sentbyte=140 rcvdbyte=0 craction=8 crscore=30 crlevel="high" srcintfrole="undefined" dstintfrole="wan" direction="outgoing" reqtype="direct" url="http://apps.identrust.com/roots/dstrootcax3.p7c" urlfilterlist="Auto-webfilter-urlfilter" hostname="apps.identrust.com" profile="BlockingFaultUrls" eventtype="urlfilter" srcintf="npu0_vlink1" dstintf="EXT-VLAN1240" urlsource="Local URLfilter Block" msg="URL was blocked because it is in the URL filter list" tz="+0100" devid="FGxxxxxxxxxxxx" vd="VD-EXTERN" dtime="2021-03-10 09:33:58" itime_t=1615365238 devname="FGT"
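
To find entries that are already over-blocking in this way, the following check (an added example, not Fortinet code) parses a URL filter configuration and WebFilter log lines and lists blocked hostnames that a 'Simple' entry matched only partially. It models partial matching as a substring test on the hostname and treats an entry without 'set type' as simple; both are assumptions based on the two examples above, and the function names and sample data are hypothetical.

```python
import re

# Constructed sample input: entry 27 is the article's; entry 26 and the log lines are illustrative.
SAMPLE_CONFIG = """\
config webfilter urlfilter
    edit 1
        config entries
            edit 26
                set url "camel.com"
                set action block
            next
            edit 27
                set url "s.id"
                set action block
            next
        end
    next
end
"""
SAMPLE_LOGS = [
    'subtype="webfilter" eventtype="urlfilter" action="blocked" hostname="apps.identrust.com"',
    'subtype="webfilter" eventtype="urlfilter" action="blocked" hostname="camelcamelcamel.com"',
    'subtype="webfilter" eventtype="urlfilter" action="blocked" hostname="www.camel.com"',
    'subtype="webfilter" eventtype="ftgd_allow" action="passthrough" hostname="example.org"',
]

def parse_entries(config_text):
    """Entries under 'config entries'; a missing 'set type' is treated as simple (assumption)."""
    entries = []
    for section in re.findall(r"config entries(.*?)^\s*end\s*$", config_text, re.S | re.M):
        for idx, body in re.findall(r"edit\s+(\d+)(.*?)^\s*next\s*$", section, re.S | re.M):
            sets = {k: v.strip().strip('"') for k, v in re.findall(r"set\s+(\S+)\s+(.+)", body)}
            entries.append({"id": int(idx), "type": "simple", **sets})
    return entries

def collateral_blocks(entries, log_lines):
    """(hostname, pattern) pairs where a simple block entry hit only as a substring."""
    simple = [e["url"].lower() for e in entries if e["type"] == "simple" and e.get("action") == "block"]
    findings = []
    for line in log_lines:
        rec = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
        if rec.get("eventtype") == "urlfilter" and rec.get("action") == "blocked":
            host = rec.get("hostname", "").lower()
            # Intended hit: the domain itself or a subdomain; anything else is collateral.
            findings += [(host, p) for p in simple
                         if p in host and host != p and not host.endswith("." + p)]
    return findings

if __name__ == "__main__":
    print(collateral_blocks(parse_entries(SAMPLE_CONFIG), SAMPLE_LOGS))
```

Entries reported here are candidates for one of the exact-match options listed below.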

To perform an exact match, the following options are available:

1) Switch inspection to proxy mode in the respective policy/VDOM, if possible.

2) Use 'regex' type for the short patterns.

set url "x.co"
set type regex

This will cause the engine to do exact matching.

3) Use ‘Wildcard’ type entry.

For example:

config webfilter urlfilter
    edit 1
        set name "Auto-webfilter-urlfilter_fuajzhlqi"
        config entries
            edit 27
                set url "*.s.id"       <-----
                set type wildcard      <-----
                set action block       <-----
            next
        end
    next
end

Note that the Fortinet Technical Support department does not offer technical assistance with regex configuration.

Related Articles

Technical Tip: Technical support on customization on various Fortinet products
