GustavoDecenci
New Member
July 31, 2025
Question

Block internet access with web filter

  • July 31, 2025
  • 1 reply
  • 1705 views

Hi everyone!

I'm facing a specific need and would appreciate some help to understand the best way to configure this in FortiGate.

I need to completely block internet access for a specific IP range, and then allow access only to certain websites as needed.

Currently, I'm handling this using a Web Filter with the URL Filter option. Within the URL Filter, I have a rule that blocks all access, and above it, I add the URLs that need to be allowed. This Web Filter profile is applied to a firewall policy for the range.

This setup is working fine to allow access to sites for the entire range, but now I need to allow a specific site for only one IP, without affecting the rest of the IPs in the range, which must remain blocked.

My question is: what’s the best way to implement this kind of per-IP exception using Web Filter, without affecting the general rule that is already working for the rest of the range?

Thanks in advance for any help!

1 reply

Toshi_Esumi
SuperUser
July 31, 2025

If it's "IP-based" filtering, the best way is to allow specific IPs for HTTPS/HTTP with one policy, then deny any/all IPs (dst address) for HTTPS/HTTP for the next policy for the src/dst interface pair.

Toshi
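
The policy ordering described in the reply above, sketched as FortiOS CLI. This is an added example, not part of the thread: the object names, the interface names ("internal", "wan1") and the documentation-range addresses are assumptions to be replaced with your own.

```fortios
# Constructed sample objects (assumed names and addresses)
config firewall address
    edit "restricted-range"
        set type iprange
        set start-ip 192.0.2.10
        set end-ip 192.0.2.50
    next
    edit "allowed-dst-1"
        set subnet 198.51.100.25 255.255.255.255
    next
end

# Policies are evaluated top-down, first match wins:
# the allow policy must sit above the deny policy.
config firewall policy
    edit 0
        set name "allow-web-to-listed-dst"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "restricted-range"
        set dstaddr "allowed-dst-1"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set nat enable
    next
    edit 0
        set name "deny-web-rest"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "restricted-range"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "HTTP" "HTTPS"
        set logtraffic all
    next
end
```

After applying, confirm the sequence in the policy list for the interface pair; logging on the deny policy shows which destinations the range is still trying to reach.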

GustavoDecenci
New Member
July 31, 2025

I do this for some exceptions, but I need to make some exceptions with wildcard or regular expressions.
