Skip to main content
larch
larch
Explorer
July 21, 2025
Question

domain whitelist

  • July 21, 2025
  • 3 replies
  • 1195 views

hi,

 

we have 4 VDoms on a single physical fortigate running 7.2. All 4 have internet access, 3 over NAT, 1 via explicit Proxy.

 

If i want to whitelist a Domainname (In case SSL-Inspection or some other security feature is blocking access) i have to configure the whitelist entry separately on all 4 VDoms.

 

I am looking for a way to centralize the whitelist on a single place (i.e. a textfile on a webserver). Then use that object in a policy on top of every ruleset. I therefore created a  threat feed

 

What i tried so far:

  • DNSFilter
    n/a for explicit proxy
    n/a on global VDOM
  • Webfilter
    not possible to solely allow the whitelist and ignore all fortiguard categories. They must either be set to allow or block

 

Maybe i am missing something here? Is it possible to achieve a common ruleset over 4 Vdoms with Fortimanager?

 

 

 

3 replies

AEK
SuperUser
AEK
SuperUser
July 22, 2025

Hi Larch

Usually in multi-VDOM common design you usually have one frontal VDOM (facing the internet). In that one you configure Web Filter and DNS filter. So you have to do it only one time, not in every internal VDOM.

If you don't have this design then you can also customize a Web Filter profile on FMG and use it for all your 4 VDOMs.

AEK
    Yurisk
    SuperUser
    Yurisk
    SuperUser
    July 22, 2025

    If you are talking about Web Filtering rules, then indeed External Threat Feed used as Remote category in Web Filter by Categories will do the job. And the rest of Categories filtering you may put in Monitoring only or Block unconditionally - this would not interfere with traffic.

     

    But if you mean SSL Exception - exempt some web sites from SSL inspection altogether, to prevent SSL errors, like bank sites etc, then it can be done only individually on each VDOM. 

      larch
      larchAuthor
      Explorer
      July 24, 2025

      @AEKthanks i will take a look if i can find some docu on that FMG 

       

      @yurisk thanks for your advice, unfortunately it does not work. When i put all categories (except for my external allow category) in monitor mode, then all websites matching the categories are allowed. so "monitor" indeed interferes with traffic. There is no further rule processing after that top "allow rule" matched. Further i don't have a "block unconditionally" option.

       

       

       

       

      Terms & ConditionsAccessibility statement