Web Filter ISDB queries for unrated IP category 7.2.1
FortiGuard does not categorize known IP addresses for some services, such as Webex. This can block traffic to these services when you configure FortiClient Web Filter to block the unrated category. You can now configure Internet Services Database (ISDB) XML elements to set actions for applications using their ISDB owner and application IDs. FortiClient queries ISDB with the unrated IP address to obtain the application name and applies the action as the EMS administrator defined on the Web Filter profile.
To configure Web Filter ISDB queries for cloud applications in unrated IP category:
- Configure the Web Filter profile:
  - In EMS, go to Endpoint Profiles > Web Filter.
  - Edit the desired profile or create a new one.
  - Enable Categories.
  - For Unrated, set the action to Block.
  - Click + beside Unrated.
  - In Cloud Application, click Add.
  - Select the desired application and set the desired action for it. In this example, it is Allow. Click Add.
  - Enable Rate IP addresses.
  - Click Save.
- After FortiClient receives the Web Filter update, run Webex on the endpoint. FortiClient queries ISDB and, because Webex matches the settings configured on the Web Filter profile, allows access even when FortiGuard categorizes the address as an unrated IP address.
The following shows the FortiClient FortiProxy log when this feature is not configured. You can see that FortiGuard returns the IP as unrated (`iCat=0`) and FortiClient blocks it (`m_ClassAction=3`):

```
[2023-04-04 21:20:47.8473595] [2064:4156] [fortiproxy 713 info] fid=1216 current state: listen server hello
[2023-04-04 21:20:47.8473611] [2064:4156] [fortiproxy 723 info] fid=1216 extractCommonName: [] hasCert=0
[2023-04-04 21:20:47.8473643] [2064:4156] [fortiproxy 770 info] fid=1216 Common name: [170.72.88.124]
[2023-04-04 21:20:47.8473714] [2064:4156] [fortiproxy 783 info] fid=1216 check->(21)https://170.72.88.124
[2023-04-04 21:20:47.8473743] [2064:4156] [fortiproxy 819 info] fid=1216 querying
[2023-04-04 21:20:47.8476214] [2064:4228] [fortiproxy 460 info] fid=1216 context=0x0000000000000000 ok
[2023-04-04 21:20:47.8476998] [2064:4228] [fortiproxy 282 info] fid=1216 iCat=0 iClass=0, m_CatAction=3, m_ClassAction=0
[2023-04-04 21:20:47.8507145] [2064:4156] [fortiproxy 657 info] fid=1216 family=2 pid=1944
[2023-04-04 21:20:47.8507294] [2064:4156] [fortiproxy 657 info] fid=1211 family=2 pid=1944
[2023-04-04 21:20:47.8507329] [2064:4156] [fortiproxy 688 info] fid=1211 act action or class action is denied
```
When this feature is not configured, Web Filter logs this IP address (170.72.88.124) as a violation:
The following shows the FortiClient FortiProxy log when this feature is configured. You can see that FortiGuard returns the IP as unrated (`iCat=0`). FortiClient queries it and returns the owner and application IDs, which match those values for Webex in ISDB:

```
[2023-04-04 15:29:21.2228238] [2992:4120] [fortiproxy 657 info] fid=7520 family=2 pid=6980
[2023-04-04 15:29:21.2228553] [2992:4120] [fortiproxy 713 info] fid=7520 current state: listen server hello
[2023-04-04 15:29:21.2228574] [2992:4120] [fortiproxy 723 info] fid=7520 extractCommonName: [] hasCert=0
[2023-04-04 15:29:21.2228606] [2992:4120] [fortiproxy 770 info] fid=7520 Common name: [150.253.134.155]
[2023-04-04 15:29:21.2228873] [2992:4120] [fortiproxy 783 info] fid=7520 check->(23)https://150.253.134.155
[2023-04-04 15:29:21.2228904] [2992:4120] [fortiproxy 819 info] fid=7520 querying
[2023-04-04 15:29:21.2231367] [2992:4224] [fortiproxy 460 info] fid=7520 context=0x0000000000000000 ok
[2023-04-04 15:29:21.2231961] [2992:4224] [fortiproxy 282 info] fid=7520 iCat=0 iClass=0, m_CatAction=3, m_ClassAction=0
[2023-04-04 15:29:21.2232007] [2992:4224] [fortiproxy 727 info] ISDBAction ip=0x96fd869b, owner=30 app=103 action=0
[2023-04-04 15:29:21.2232016] [2992:4224] [fortiproxy 311 info] ISDB action ip=0x96fd869b, action=0
[2023-04-04 15:29:21.2738060] [2992:4120] [fortiproxy 657 info] fid=7520 family=2 pid=6980
[2023-04-04 15:29:21.2738312] [2992:4120] [fortiproxy 504 info] fid=7520
[2023-04-04 15:29:21.2738393] [2992:4120] [fortiproxy 517 info] fid=7520 current state: 2, cat action: 0, class action: 0
```
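
To check a collected FortiProxy log for unrated destinations that did or did not get an ISDB result, the following added example (not Fortinet code) parses the entry formats shown in the two logs above. It assumes that an `ISDBAction` entry, which carries no `fid`, belongs to the last rated flow on the same thread, and that the `ip=0x...` value is the IPv4 address in big-endian hex, which holds for the sample (`0x96fd869b` is 150.253.134.155); the function and field names are hypothetical.

```python
import ipaddress
import re

# Sample entries copied from the two FortiProxy logs on this page.
SAMPLE_LOG = (
    "[2023-04-04 21:20:47.8473643] [2064:4156] [fortiproxy 770 info] fid=1216 Common name: [170.72.88.124] "
    "[2023-04-04 21:20:47.8476998] [2064:4228] [fortiproxy 282 info] fid=1216 iCat=0 iClass=0, m_CatAction=3, m_ClassAction=0 "
    "[2023-04-04 15:29:21.2228606] [2992:4120] [fortiproxy 770 info] fid=7520 Common name: [150.253.134.155] "
    "[2023-04-04 15:29:21.2231961] [2992:4224] [fortiproxy 282 info] fid=7520 iCat=0 iClass=0, m_CatAction=3, m_ClassAction=0 "
    "[2023-04-04 15:29:21.2232007] [2992:4224] [fortiproxy 727 info] ISDBAction ip=0x96fd869b, owner=30 app=103 action=0 "
)

ENTRY = re.compile(r"\[([\d\- :.]+)\] \[(\d+:\d+)\] \[fortiproxy \d+ \w+\] (.*)", re.S)
NAME = re.compile(r"fid=(\d+) Common name: \[([^\]]*)\]")
RATING = re.compile(r"fid=(\d+) iCat=(\d+) iClass=(\d+), m_CatAction=(\d+), m_ClassAction=(\d+)")
ISDB = re.compile(r"ISDBAction ip=0x([0-9a-fA-F]+), owner=(\d+) app=(\d+) action=(\d+)")


def summarize(log_text):
    """Return {fid: flow summary} for every flow that has a rating entry."""
    flows, last_fid_on_thread = {}, {}
    # Entries may be run together on one line, so split before each timestamp.
    for chunk in re.split(r"(?=\[\d{4}-\d\d-\d\d \d\d:)", log_text):
        entry = ENTRY.match(chunk.strip())
        if not entry:
            continue
        thread, msg = entry.group(2), entry.group(3)
        if m := NAME.search(msg):
            flows.setdefault(m.group(1), {})["host"] = m.group(2)
        elif m := RATING.search(msg):
            flow = flows.setdefault(m.group(1), {})
            flow.update(unrated=m.group(2) == "0", cat_action=int(m.group(4)), isdb=None)
            last_fid_on_thread[thread] = m.group(1)
        elif (m := ISDB.search(msg)) and thread in last_fid_on_thread:
            # Assumption: an ISDBAction entry belongs to the last rated flow on its thread.
            flow = flows[last_fid_on_thread[thread]]
            ip = str(ipaddress.IPv4Address(int(m.group(1), 16)))  # hex read as big-endian IPv4
            flow["isdb"] = {"ip": ip, "owner": int(m.group(2)), "app": int(m.group(3)),
                            "action": int(m.group(4)), "ip_matches_host": ip == flow.get("host")}
    return {fid: f for fid, f in flows.items() if "unrated" in f}


def unrated_without_isdb(flows):
    """Hosts rated iCat=0 for which no ISDB result was logged."""
    return sorted(f.get("host", "?") for f in flows.values() if f["unrated"] and f["isdb"] is None)


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Hosts returned by `unrated_without_isdb` are the unrated destinations that fall through to the Unrated category action, which makes them the candidates to review when deciding which cloud applications need an entry on the profile.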