Technical Tip: Enable Web Filter only when the user is off-fabric (off-net) when connected to public internet

Description

This article explains the correct way to enable a web filter feature that is only active when the endpoint goes off fabric.

Scope

FortiClient EMS.

Solution

This is a common practice to keep FortiClient Web Filter module disabled when the user is on-net (on fabric) since firewall can take care of web filtering when the endpoint is in the office.

Set the option 'Enable WebFiltering on FortiClient' under Web Filter profile to 'Only When Endpoint is Off-Fabric' can cause the extension to be installed on browser due to an existing known issue. In order to prevent this to happen, do the following steps:

1. Configure off-fabric Web Filter profile and set 'Enable WebFiltering on FortiClient' to 'Always On' and enable the profile on top:

2. Configure an on-fabric Web Filter profile and make it disabled:

    

3. Under EMS policy, toggle on Profile (Off-Fabric) on top, then use WF profile with Always On for off-fabric (right column).

4. Starting from version 7.4.5+ of FortiClient EMS, the option 'Keep Extension When Endpoint is Off-Fabric' is available, allowing to control the plugin installation to prevent the extension from being uninstalled when the device is not On-Fabric:
   
   

Related documents:

Web Filter