Created on 03-25-2021 12:19 AM Edited on 06-02-2022 09:39 AM By Anonymous
Description
This article provides details of the ‘Simple’ URL filter type inspection in Flow inspection mode.
Solution
In Flow-based inspection, the IPS engine inspects the traffic.
For 'Simple' type patterns, the IPS engine uses a rule that only supports partial (substring) matching, so a short pattern also matches any host name that merely contains it.
This behavior is by design.
Example 1:
If camel.com is added as type 'Simple' under Static URL Filter, in Flow mode the IPS engine also matches URLs with the domain 'camelcamelcamel.com', because the pattern appears inside that host name.
Example 2:
The Static URL Filter is configured to block a 'Simple' type entry 's.id'; in this case the website apps.identrust.com is also blocked, because the string 's.id' occurs inside the host name 'apps.identrust.com'.
Configured as below:
# config webfilter urlfilter
    edit 1
        set name "Auto-webfilter-urlfilter_fuajzhlqi"
        config entries
            edit 27
                set url "s.id" <-----
                set action block <-----
            next
        end
    next
end
Excerpt from the WebFilter log:
date=2021-03-10 time=09:33:58 id=6937940868305257768 itime="2021-03-10 09:33:58" euid=3 epid=6288 dsteuid=3 dstepid=101 logver=604021723 type="utm" subtype="webfilter" level="warning" action="blocked" sessionid=383954196 policyid=55 srcip=10.1.2.3 dstip=192.35.177.64 srcport=51121 dstport=80 proto=6 logid=0315012544 service="HTTP" eventtime=1615365238986150716 urlfilteridx=1 sentbyte=140 rcvdbyte=0 craction=8 crscore=30 crlevel="high" srcintfrole="undefined" dstintfrole="wan" direction="outgoing" reqtype="direct" url="http://apps.identrust.com/roots/dstrootcax3.p7c" urlfilterlist="Auto-webfilter-urlfilter" hostname="apps.identrust.com" profile="BlockingFaultUrls" eventtype="urlfilter" srcintf="npu0_vlink1" dstintf="EXT-VLAN1240" urlsource="Local URLfilter Block" msg="URL was blocked because it is in the URL filter list" tz="+0100" devid="FGxxxxxxxxxxxx" vd="VD-EXTERN" dtime="2021-03-10 09:33:58" itime_t=1615365238 devname="FGT"
To perform an exact match, the following options are available:
1) Switch the inspection mode to proxy mode in the respective policy/VDOM, if possible.
2) Use 'regex' type for the short patterns.
    set url "x.co"
    set type regex
This causes the engine to perform exact matching.
3) Use a 'Wildcard' type entry.
For example:
# config webfilter urlfilter
    edit 1
        set name "Auto-webfilter-urlfilter_fuajzhlqi"
        config entries
            edit 27
                set url "*.s.id" <-----
                set type wildcard <-----
                set action block <-----
            next
        end
    next
end
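To make the difference between the entry types concrete, the following added example (not Fortinet code, and not how the IPS engine is implemented) models the matching behaviour this article describes and runs the two URL filter entries above against sample host names. 'Simple' is modelled as substring matching, 'Wildcard' as a shell-style glob over the whole host name, and 'Regex' as a full-host regular-expression match; the last two are assumptions of this model, so verify them on your own firmware before relying on them.

```python
import fnmatch
import re
from urllib.parse import urlsplit

# Constructed sample of Static URL Filter entries as (pattern, type).
# The 's.id' simple entry and the '*.s.id' wildcard entry are the ones
# configured in this article; 'camel.com' is the article's first example.
ENTRIES = [
    ("camel.com", "simple"),
    ("s.id", "simple"),
    ("*.s.id", "wildcard"),
]


def host_of(url):
    """Return the lower-cased host name of a URL (no scheme, port or path)."""
    return (urlsplit(url).hostname or "").lower()


def entry_matches(pattern, ftype, host):
    """Model of how one URL filter entry is compared against a host name."""
    if ftype == "simple":
        # Flow mode behaviour described in the article: partial match,
        # so the pattern may appear anywhere inside the host name.
        return pattern.lower() in host
    if ftype == "wildcard":
        # Assumption: the glob must cover the whole host name, so
        # '*.s.id' matches 'www.s.id' but not 'apps.identrust.com'.
        return fnmatch.fnmatchcase(host, pattern.lower())
    if ftype == "regex":
        # Assumption: the expression must match the entire host name.
        return re.fullmatch(pattern, host) is not None
    raise ValueError("unknown URL filter type: %r" % ftype)


def matching_entries(url, entries=ENTRIES):
    """Return every entry that would fire for the given URL."""
    host = host_of(url)
    return [(p, t) for p, t in entries if entry_matches(p, t, host)]


if __name__ == "__main__":
    for sample in ("http://apps.identrust.com/roots/dstrootcax3.p7c",
                   "http://camelcamelcamel.com/", "http://www.s.id/"):
        print(sample, "->", matching_entries(sample))
```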
Note that the Fortinet Technical Support department does not offer technical assistance with regex configuration.
Related Articles
Technical Tip: Technical support on customization on various Fortinet products
Copyright 2024 Fortinet, Inc. All Rights Reserved.