KenS
New Member
December 8, 2016

Creating a URL Whitelist for an SSID

3 replies, 13375 views
I'm the "IT guy" at a small manufacturing company, but kind of a noob at firewall configs. We have several computers on the shop floor used to access an intranet to get production drawings and the like from a local LAN server. These machines do not have access to the internet, only the resources on the local LAN via a specific SSID. We are changing our anti-virus system to "WebRoot", which requires the endpoints to have access to the internet in order to get signature files and be managed from the cloud. I'm trying to create a URL-based white-list to allow these shop floor machines to connect to the needed Webroot servers but still block all other internet traffic on that SSID.

What I've done so far:

Device: 200D Firewall
OS: 5.4.1

I started by creating a policy that will allow the SSID to have internet access. The policy works: enabled, they get full internet; disabled, no internet. Good so far. I then created a Web filter under Security Profiles (see pic attached); this is where it starts to get foggy for me. I initially created one URL filter using a wildcard of "*" and an action of "Block", assuming that if this filter was added and enabled on the previous policy it would block all internet traffic other than sites listed above it. This part is not working: we are still getting access to most internet sites, though some sites come up as blocked, but far from the white-list I'm hoping for. Using the 5.4 FortiOS handbook is a bit overwhelming for what I think should be a basic task. I could also be coming at this from entirely the wrong direction. Any help in accomplishing this task would be greatly appreciated.

Thanks in advance.


    SCSIraidGURU
    New Member
    December 8, 2016

    Symantec Endpoint Protection Management and Windows System Update Service allow me to create a Virtual Machine Server on our domain to push out updates to the users without them going to the internet to get them. The benefits of this are: 1.) only one server goes to the internet for updates instead of every workstation and VM; 2.) I can decline what I don't want installed; 3.) I can see who is upgraded and what has failed. Can your application be installed on a VM like these?

    KenS (Author)
    New Member
    December 8, 2016

    We've looked at a product like Symantec that has a central console that can push updates to non-internet-connected LAN machines. There are a few reasons we are not going that route. Webroot's model works well for us. So creating a filter that will allow ONLY access to the sites needed for Webroot to work is what I need to do. I have made some progress, and might have a workable solution sometime tomorrow. I'm getting a better understanding of how Fortinet handles web filtering as well as SSL-based filtering, so what I'm learning here has some value that way. Thanks for the reply!

    SCSIraidGURU
    New Member
    December 8, 2016

    So you need a rule for a few computers/servers that only allows a few sites in and blocks all other traffic. Can you move them to their own VLAN to isolate them better? Creating a VLAN-based rule using an ACL that allows only TCP traffic to those sites and blocks IP ANY ANY is how I would do it in Cisco. On Fortinet, I would do an IPv4 policy like this:

    Policy 3: Allow VLAN traffic to those sites
    Policy 4: Deny VLAN traffic for IP

    By placing them in a separate VLAN, you can add machines later on.

    SCSIraidGURU
    New Member
    December 12, 2016

    I set up my 60E over the weekend. It has an interface called LAN (it was the default name) that is set up for only WIFI. The WIFI group would be the devices in that SSID. LAN is not tied to any physical interfaces on the device, so it is just a virtual interface that has all the WIFI traffic from the FWF-60E wifi. So I have an outbound rule for LAN to WAN1. This allows LAN (all WIFI traffic) out to the internet with any traffic. I can post the setup tonight.

    SOURCE: those workstations / servers in an address group
    DESTINATION: the sites you want them only to use
    SERVICE: HTTPS (443) and HTTP (80) ports only
    Put it as the top rule.

    The rule underneath it would deny them from everything else.
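The two-policy layout described in the replies above (an allow policy for the Webroot hosts on HTTP/HTTPS, followed by a deny policy for everything else from the same SSID), written out as a FortiOS CLI configuration. This is an added example, not configuration posted by anyone in the thread or taken from Fortinet documentation. The interface names (`shopfloor-ssid`, `wan1`), the shop-floor subnet, and the policy IDs are assumptions; the Webroot hostnames are placeholders, since the thread does not list them, and must be replaced with the hostnames the vendor documents.

```fortios
# Assumed address objects: the shop-floor subnet and the Webroot hosts.
# FQDN objects are resolved by the FortiGate itself, so the policy matches
# on resolved IPs and does not depend on SSL inspection of the client session.
config firewall address
    edit "shopfloor-hosts"
        set subnet 10.10.20.0 255.255.255.0      # assumed subnet
    next
    edit "webroot-host-1"
        set type fqdn
        set fqdn "PLACEHOLDER-1.webroot.example"  # replace with vendor hostname
    next
    edit "webroot-host-2"
        set type fqdn
        set fqdn "PLACEHOLDER-2.webroot.example"  # replace with vendor hostname
    next
end

config firewall addrgrp
    edit "webroot-servers"
        set member "webroot-host-1" "webroot-host-2"
    next
end

config firewall policy
    # Policy 3: the only way out of the SSID, and only to the Webroot hosts.
    edit 3
        set name "shopfloor-allow-webroot"
        set srcintf "shopfloor-ssid"             # assumed SSID interface name
        set dstintf "wan1"
        set srcaddr "shopfloor-hosts"
        set dstaddr "webroot-servers"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set nat enable
        set logtraffic all                       # log hits so the allow list can be tuned
    next
    # Policy 4: explicit deny directly underneath, logged so blocked attempts are visible.
    edit 4
        set name "shopfloor-deny-other"
        set srcintf "shopfloor-ssid"
        set dstintf "wan1"
        set srcaddr "shopfloor-hosts"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Two things to check after applying it. Policy order matters: if an existing "allow SSID to internet" policy sits above policy 3, it still wins, so move it below the deny or disable it. And name resolution must still work: FQDN objects let the FortiGate look the names up, but the shop-floor machines also need to resolve them, so either point those machines at the local LAN resolver they already use for the intranet or add a DNS entry to the allow policy for a specific resolver. The deny policy's log is the place to confirm that nothing other than the Webroot hosts is being reached.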