MitchK
New Member
August 19, 2009
Question

Best way to allow a site

Our Fortigate blocks sites as it should, but occasionally, we want to allow a site that would otherwise be blocked. I've found three ways to allow a blocked site, and I'm wondering which is the "best" way...or the reasoning you might use behind each method. Here they are:

1. In the Firewall/Address section, I created a group "Whitelisted URLs" and populated them with the URLs (from the "address" tab) to be allowed. I then construct a firewall rule to allow the "Whitelisted URLs" with no associated protection profile.
2. In the Web Filter section, I created a URL Filter containing the URLs to be permitted, in RegEx format, with the Action "Exempt".
3. In the Firewall/Address section, I created an FQDN for each web site. I then go to the Web Filter/Fortiguard-Web Filter section and create an override for the site. Each category of blocked sites in my protection profile has overrides allowed.

I believe each method works as expected. But which method should I use, and why? Thanks very much.

    4 replies

    Contributor
    August 19, 2009
    I have been using UTM > Web Filter > URL Filter and setting certain sites to exempt. It works just fine, but I am curious as well what the "best practice" is here and why.
    rwpatterson
    New Member
    August 19, 2009
    Guess it depends on your individual constraints... How long do you need to bypass it? How many people involved? How long for each occurrence? Would (should) the end user be able to bypass it from the far end? etc.
    MitchK
    Author
    New Member
    August 19, 2009
    Assume we need to allow it permanently. For everyone. At all times. Don't know what you mean "should the end user be able to bypass it from the far end?". The end user can't get to the far end, the site is blocked.
    rwpatterson
    New Member
    August 19, 2009
    ORIGINAL: MitchK Don't know what you mean "should the end user be able to bypass it from the far end?"
    From the workstation, as the far end. Who administers the access... We use the Fortiguard web filtering, and create custom ratings. We then use these ratings in the protection profiles, and away you go. One rating is called "Windows Updates" (for obvious reasons). This one is a list of sites that anyone is allowed to access, even the restricted workstations. If we need to add another, we just place it here, and everyone can get to it.
    MitchK
    Author
    New Member
    August 19, 2009
    The trouble with the ratings is you can only use a regular URL or IP address. You can't build a RegEx filter that will grab sub-pages and sub-domains. The URL filter allows RegEx. Also, putting a firewall rule allowing access to sites as rule #1 will bypass the protection profiles altogether. This way, you get access to all the approved sites first, and eliminate the need for the Fortigate to rummage through its profiles, only to approve it anyway in the end...faster response and saved resources, no?
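An added example, not part of any post in this thread: a way to audit a RegEx "Exempt" pattern of the kind described above before entering it, so that it covers sub-domains and sub-pages without also exempting look-alike hosts. It assumes the filter applies Perl-style patterns, unanchored, to host plus path without the scheme; Python's `re` stands in for that engine, and `example.com` and all test URLs are constructed.

```python
import re

# Constructed candidate patterns for an "Exempt" entry (hypothetical site).
LOOSE = r"example.com"                                    # unescaped dot, no anchors
ANCHORED = r"^([a-z0-9-]+\.)*example\.com(:\d+)?(/.*)?$"  # host pinned at both ends

# Constructed test URLs, written as host + path without the scheme
# (assumption: that is the string the filter compares against).
SHOULD_MATCH = [
    "example.com",
    "example.com/",
    "www.example.com/downloads/tool.zip",
    "cdn.eu.example.com/a/b?c=d",
]
SHOULD_NOT_MATCH = [
    "example.com.other.test/login",       # allowed name used as a left-hand label
    "notexample.com/",                    # allowed name as suffix of another domain
    "examplexcom.test/",                  # unescaped '.' matches any character
    "other.test/redirect?u=example.com",  # allowed name only in the query string
]


def audit(pattern):
    """Return (missed, overmatched): wanted URLs the pattern fails to match
    and unwanted URLs it would exempt. search() is used, so matching is
    unanchored unless the pattern itself carries ^ and $."""
    rx = re.compile(pattern, re.IGNORECASE)
    missed = [u for u in SHOULD_MATCH if not rx.search(u)]
    overmatched = [u for u in SHOULD_NOT_MATCH if rx.search(u)]
    return missed, overmatched


if __name__ == "__main__":
    for name, pat in (("loose", LOOSE), ("anchored", ANCHORED)):
        missed, over = audit(pat)
        print(f"{name:9} {pat}")
        print(f"  misses wanted URLs : {missed or 'none'}")
        print(f"  exempts unwanted   : {over or 'none'}")
```
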
    MitchK
    Author
    New Member
    August 19, 2009
    By the way, you're not telling me that the Fortigate blocks Windows Updates, are you?
    rwpatterson
    New Member
    August 19, 2009
    We have a group of workstations that are not allowed any Internet access. I have had to make a way for them to get updates.