Technical Tip: How to permit temporary access to a site during a particular time slot
Description
The following example allows users to access http://www.facebook.com during weekday lunchtime (13:00 - 14:00).
Scope
FortiGate.
Solution
- Create a web filter profile that allows the web site.
config webfilter profile
    edit "allow_facebook"
        set options activexfilter cookiefilter javafilter block-invalid-url
        config override
            set ovrd-user-group ""
        end
        config web
            set urlfilter-table 1
        end
        config ftgd-wf
            unset options
            config filters
                edit 1
                    set category 140
                next
                edit 2
                    set category 141
                next
            end
        end
    next
end
config webfilter urlfilter
    edit 1
        set name "allow_facebook"
        config entries
            edit 1
                set url "www.facebook.com"
            next
        end
    next
end
- Create a schedule time window.
config firewall schedule recurring
    edit "lunchtime"
        set start 12:55
        set end 13:55
        set day monday tuesday wednesday thursday friday
    next
end
- Assign the web filter profile and the schedule to a firewall policy and position that policy at the top.
- Enable the schedule-timeout option so that sessions accepted under the schedule are terminated when the schedule's stop time is reached, instead of living on until their own session timeout expires.
config firewall policy
    edit 2
        set srcintf "port9"
        set dstintf "mgmt1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "lunchtime"
        set schedule-timeout enable
        set service "ALL"
        set utm-status enable
        set av-profile "av-scan-flow"
        set webfilter-profile "allow_facebook"
        set ips-sensor "protect_client"
        set application-list "default"
        set profile-protocol-options "default"
        set ssl-ssh-profile "certificate-inspection"
        set nat enable
    next
    edit 1
        set srcintf "port9"
        set dstintf "mgmt1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set av-profile "default"
        set webfilter-profile "default"
        set ips-sensor "protect_client"
        set application-list "default"
        set profile-protocol-options "default"
        set ssl-ssh-profile "certificate-inspection"
        set nat enable
    next
end
Verification
diag sys session list
session info: proto=6 proto_state=11 duration=0 expire=311 timeout=3600 flags=00000000 sockflag=00000000 sockport=80 av_idx=1 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 policy_dir=0 tunnel=/
state=redir local may_dirty ndr hlife
statistic(bytes/packets/allow_err): org=754/4/1 reply=627/3/1 tuples=3
orgin->sink: org pre->post, reply pre->post dev=36->3/3->36 gwy=192.18.17.254/10.18.0.150
hook=post dir=org act=snat 10.18.0.150:39801->198.41.207.97:80(192.18.16.182:39801)
hook=pre dir=reply act=dnat 198.41.207.97:80->192.18.16.182:39801(10.18.0.150:39801)
hook=post dir=reply act=noop 198.41.207.97:80->10.18.0.150:39801(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0
serial=00032bea tos=ff/ff ips_view=2 app_list=2001 app=0
dd_type=0 dd_mode=0
npu_state=0x000400
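As an added illustration that is not part of this article or of FortiOS, the following Python script models the "lunchtime" recurring schedule, the top-down policy order (policy 2 above policy 1) and the effect of schedule-timeout on a session's expiry, and extracts policy_id from a session dump like the one above to confirm which policy a session matched. The schedule and policy structures, and the expiry model, are assumptions made for the example, not FortiGate internals.

```python
import re
from datetime import datetime, time, timedelta

# Constructed model of the recurring schedule "lunchtime" from the config above.
LUNCHTIME = {
    "start": time(12, 55),
    "end": time(13, 55),
    "days": {"monday", "tuesday", "wednesday", "thursday", "friday"},
}
# Policy order as configured: id 2 ("lunchtime") on top, id 1 ("always") below;
# a schedule of None models "always".
POLICIES = [(2, LUNCHTIME), (1, None)]

def schedule_active(sched, when):
    """True when `when` falls on a listed weekday inside [start, end)."""
    day = when.strftime("%A").lower()
    return day in sched["days"] and sched["start"] <= when.time() < sched["end"]

def matching_policy(policies, when):
    """Id of the first policy, top-down, whose schedule is active at `when`."""
    for pid, sched in policies:
        if sched is None or schedule_active(sched, when):
            return pid
    return None

def session_expiry(sched, established, session_ttl, schedule_timeout):
    """Expiry of a session accepted by the scheduled policy: its own TTL, and with
    schedule-timeout enabled also capped at the schedule's stop time (assumed model)."""
    expire = established + timedelta(seconds=session_ttl)
    if schedule_timeout:
        expire = min(expire, datetime.combine(established.date(), sched["end"]))
    return expire

def policy_id_from_session(dump):
    """Pull policy_id out of a 'diag sys session list' block to see which policy matched."""
    m = re.search(r"\bpolicy_id=(\d+)", dump)
    return int(m.group(1)) if m else None

# Constructed excerpt of the session dump shown under Verification.
SESSION_DUMP = "misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0"

if __name__ == "__main__":
    lunch = datetime(2024, 1, 8, 13, 10)          # 2024-01-08 is a Monday
    print(matching_policy(POLICIES, lunch))        # 2
    print(matching_policy(POLICIES, datetime(2024, 1, 13, 13, 10)))  # Saturday -> 1
    print(session_expiry(LUNCHTIME, datetime(2024, 1, 8, 13, 50), 3600, True))  # 13:55
    print(policy_id_from_session(SESSION_DUMP))   # 2
```

A session opened at 13:50 with the default 3600 s TTL would otherwise persist until 14:50; with schedule-timeout it is cut at 13:55, which is the behaviour the option is enabled for.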
The following example allows users to access YouTube during break time every day (12:00 - 14:00).
- Create a scheduled policy to allow YouTube during that time slot. Refer to the screenshot below:
For the recurring schedule, refer to the article Technical Tip: How to configure schedule policy with deny action. The schedule in the sample below is set from 12 pm to 2 pm every day:

When both policies are enabled, make sure that the allow policy sits above the block policy. Refer to the screenshot below:

The expected result is that the user is able to view YouTube videos during the configured schedule.
