0

My Fortinet firewall seems to be blocking invalid URLs (for example, URLs that it considers invalid, which means that underscores are not accepted, even though some sites use them). This causes some problems.

I want to remove that option so that it does not block invalid URLs anymore. What is the danger of disabling the check from the firewall for invalid URLs?

gowenfawr
Yann Chabot

2 Answers

2

I want to remove that option so that it does not block invalid URLs anymore.

Fortinet actually has a clear article on exactly this issue.

it's a checkbox that I can check or uncheck

The checkbox simply controls:

Enable to block web sites whose SSL certificate's CN
field does not contain a valid domain name.

and as they point out:

When a visited URL contains a "_", the site will be blocked
with "block-invalid-url".
As per RFC 952, "A "name" (Net, Host, Gateway, or Domain name)
is a text string up to 24 characters drawn from the alphabet (A-Z),
digits (0-9), minus sign (-), and period (.)."

The prohibition upon having underscores in domain names, which dates back to RFC 952, is a controversial issue which is somewhat pedantically clung to by security software. There's some discussion of it in this answer. In practice, having underscores in the host portion of a domain name is technically not legal, but widely practiced and does not indicate anything at all as to the security of the site.

What is the danger of disabling the check from the firewall for invalid URLs?

Very low. This is a pedantic check on RFC compliance rather than a reflection upon any actual security value. In practice, malicious sites are not particularly likely to have "invalid" domain names. There is no indication from the Fortinet KB article that they are drawing on any other source of data (e.g., blacklists, keywords) when determining if a URL is "bad".

gowenfawr
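To make concrete what the "block-invalid-url" checkbox is actually testing, here is an added example (not code from the answer above and not Fortinet's implementation) that applies the RFC 952 hostname syntax, as relaxed by RFC 1123 to allow a leading digit, to the host part of a URL. It assumes the check looks only at the host (the checkbox text speaks of the certificate CN / domain name), so an underscore in the path or query is not flagged; that scoping is an assumption. The sample URLs are constructed for the example, including the `aaaaaaaa_bbbbbbbb.gouv.qc.ca` placeholder from the comments on this page.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Hostname label syntax from RFC 952 as relaxed by RFC 1123 section 2.1:
# letters, digits and hyphen, no leading or trailing hyphen, 1-63 characters.
# Neither RFC allows '_' anywhere in a hostname label.
_LABEL_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def invalid_labels(hostname: str) -> list:
    """Return the labels of `hostname` that break RFC 952/1123 hostname syntax.

    An empty list means the hostname is syntactically valid.
    """
    host = hostname.rstrip(".")
    if not host or len(host) > 253:
        return [host]
    return [label for label in host.split(".") if not _LABEL_RE.fullmatch(label)]


def block_invalid_url_verdict(url: str) -> tuple:
    """Emulate a 'block-invalid-url' style syntax check on the host of `url`.

    Returns (blocked, reason). Only the host is examined (assumption: the
    checkbox text talks about the certificate CN / domain name), so an
    underscore in the path or query does not trigger a block. IP literals
    are not hostnames and are left alone. This is an added illustration of
    the RFC syntax test, not Fortinet's code.
    """
    host = urlsplit(url).hostname
    if host is None:
        return True, "no host in URL"
    try:
        ipaddress.ip_address(host)
        return False, f"{host!r} is an IP literal, not a hostname"
    except ValueError:
        pass
    bad = invalid_labels(host)
    if bad:
        return True, f"invalid label(s) {bad!r} in host {host!r}"
    return False, f"host {host!r} is RFC 952/1123 compliant"


if __name__ == "__main__":
    # Constructed sample URLs; none of these say anything about whether the
    # site behind them is malicious, which is the point of the answer above.
    samples = [
        "https://aaaaaaaa_bbbbbbbb.gouv.qc.ca/",   # underscore in a host label
        "https://example.com/my_report.pdf",      # underscore only in the path
        "https://3com.example/",                  # leading digit, fine under RFC 1123
        "https://-bad.example/",                  # leading hyphen, not allowed
        "http://[2001:db8::1]/",                  # IP literal, not a hostname
    ]
    for sample in samples:
        blocked, reason = block_invalid_url_verdict(sample)
        print(f"{'BLOCK ' if blocked else 'allow '} {sample:45} {reason}")
```

The verdicts show why the check is purely syntactic: the government site with an underscore in its subdomain is blocked for the same reason a malformed hyphenated label would be, while any well-formed name passes regardless of who runs it.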
-1

1.) Certain search engines do not treat underscores as separators; rather, they are seen as part of the word they are connecting. For example, Google. Explanation from Google.

2.) Internet Explorer has trouble with cookies (will ignore them) when using underscores in the domain name.

3.) As far as your firewall not allowing you to connect to a website using underscores in a URL: I have no idea, you should be able to disable that filter. I would start with the manufacturer of the firewall.

4.) Is there a danger of removing the filter? No. At least no more of a danger than navigating to an unknown URL that doesn't have underscores in it. The underscore will in no way indicate whether a site is secure and should be filtered or not.

5.) I would think the URL filter would be best suited for certain keywords. Example: hack, sex, guns, ... things a corporation doesn't want you looking at, or you don't want children viewing.

WorWin
  • Yes, but the URL is from the government where I live, it has an underscore in its subdomain (i.e: aaaaaaaa_bbbbbbbb.gouv.qc.ca) so it doesn't pass in my Firewall, but I did some research and I don't think it has any real danger to allow URLs without checking them in the first place. (We already have other options in our firewall that check for content and that disable pornography, violence and such.) So you're saying there is no danger in disabling this option that blocks invalid URLs? – Yann Chabot Feb 09 '17 at 20:29
  • 1
    @YannChabot: I'm pretty sure that the option to disable invalid URL includes more than just blocking domains with an underscore. Thus while it is probably safe to allow underscores in domains it does not mean that disabling this option is safe too since this would mean to allow more than just underscores in the name. – Steffen Ullrich Feb 09 '17 at 21:20
  • @SteffenUllrich it disables names with "unallowed" characters in the URL. But I can't find a way that it could be dangerous, like any valid URL can be dangerous at this point; the characters in the URL, if I'm right, do not represent any danger? It is what I wonder... – Yann Chabot Feb 09 '17 at 21:23
  • @YannChabot: see http://kb.fortinet.com/kb/documentLink.do?externalID=FD31850 for the side effects when disabling this option. – Steffen Ullrich Feb 09 '17 at 21:24
  • @SteffenUllrich yes I read that already, but it does not seem to bring any additional danger, am I right? – Yann Chabot Feb 09 '17 at 21:30
  • they reference RFC 952. This was written in 1985 to define several rules for what websites and URLs would look like. (google rfc 952) There is no way to just disable underscores with that product. Maybe go with a different product? OpenBSD? CiscoASA? Barracuda? – WorWin Feb 09 '17 at 21:36
  • As far as danger, You could turn it off, test it for 24 hours, or however long. If you start having problems, re-enable it. – WorWin Feb 09 '17 at 21:37
  • @WorWin I would like to take a thoughtful decision before disabling it, but I don't believe there is any additional danger. – Yann Chabot Feb 09 '17 at 21:43
  • 3
    @WorWin: that's not how security works. With this argumentation you can just use a cable in place of the firewall: it will probably cause no problems so you might leave it there. Unfortunately it will also not provide any security but since you don't see any problems there probably aren't any? Also recommending to replace Fortinet (DPI, Proxy...) with OpenBSD (packet filter) is like recommending to use a bike instead of a truck. – Steffen Ullrich Feb 09 '17 at 21:44
  • 2
    @YannChabot: my understanding of the Fortinet KB article is that web filtering can be easily bypassed by just using an underscore in the domain name in case the option to block invalid names is disabled, since it will then either check the category by IP address only or disable the filtering altogether. I would definitely consider this additional danger. – Steffen Ullrich Feb 09 '17 at 21:52