tobisfr
Explorer
March 20, 2026
Question

Allow specific URL but also check other Domains on that IP

  • March 20, 2026
  • 6 replies
  • 410 views

Maybe I'm just being clueless...

I want to explicitly allow a specific URL on the FortiGate.

I want to allow certain URLs for the entire network (Source: all) – but only those specific ones, so that:

Other domains that happen to be on the same IP address aren’t automatically allowed but are still checked by subsequent policies and can therefore be treated differently.

How do I do that? I tried setting up a rule at the top that accesses a web filter which has stored these URLs as static addresses.
But that just allows all URLs to be accessed.

 

I want to ensure that this policy is effectively bypassed for other URLs and that the subsequent policies are applied.

6 replies

funkylicious
SuperUser
March 20, 2026

Are you also doing deep packet inspection?

"jack of all trades, master of none"
sw2090
SuperUser
March 20, 2026

The web filter itself only checks FortiGuard ratings, which you could override to allow a site (or forbid one). This doesn't support URLs or wildcards.

If you want URLs and/or wildcards, you need to use the URL filter. That supports URLs, wildcards and even regexps.

The others, which are domains, can be handled via rating override or, depending on your policies, also by using an FQDN address object.
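The URL filter described in the reply above, sketched as FortiOS CLI. This is an added example, not part of any reply in this thread; the table ID `1`, the names `global-allow-list` and `wf-global-allow`, and the `*.example.org` entry are assumptions chosen for illustration, and lines starting with `#` are annotations for the reader, not commands.

```fortios
# URL filter table: entries are matched against the requested host/URL,
# not against the destination IP, so two sites sharing one IP are
# evaluated separately.
config webfilter urlfilter
    edit 1
        set name "global-allow-list"
        config entries
            edit 1
                # Exact entry for the site named in this thread.
                set url "google.com"
                set type simple
                # allow = pass this request on to the profile's remaining
                # checks; exempt would skip further inspection entirely.
                set action allow
            next
            edit 2
                # Wildcard entry (constructed hostname); the type can also
                # be regex, as noted in the reply above.
                set url "*.example.org"
                set type wildcard
                set action allow
            next
        end
    next
end

# Web filter profile that references the table above.
config webfilter profile
    edit "wf-global-allow"
        config web
            set urlfilter-table 1
        end
    next
end
```

The profile only takes effect once it is attached to a firewall policy. For HTTPS without deep inspection the FortiGate can match on the hostname only, not on the path part of a URL.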

Demir25
New Member
March 21, 2026
yderek
Staff
March 23, 2026

@tobisfr do you mean the below?
For example:

google.com resolves to 8.8.8.8 and example.com resolves to 8.8.8.8.

You want to allow google.com but, say, a different action for example.com?

tobisfr
Author
Explorer
March 24, 2026

Yes, exactly!
I want all clients to be able to access google.com (a policy at the very top covering the entire IP address range).

But after that, I'd like to apply further filtering for specific groups or IP ranges—even if other domains might still be using 8.8.8.8.

yderek
Staff
March 25, 2026

@tobisfr I think you can use the DNS filter: create a static domain filter in the DNS profile to block the domain, and the rest of the domains will be allowed. Try it and let us know if that works. Here is the KB on how to use the DNS filter: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Static-DNS-filter-to-allow-block-DNS-queries/ta-p/192151

yderek
Staff
March 25, 2026

@tobisfr make sure you are doing this for one source computer only, or consider blocking the other categories of the DNS filter, as by default the permissions of the DNS filter profile might be wide open for the categories.