Cavey
New Member
March 30, 2018
Question

Fortigate 30E : Stopping all browsing?

  • March 30, 2018
  • 1 reply
  • 3390 views

Hello all,


I need some help with the following: I am trying to stop access to all websites (browser) from the remote office using the FortiGate 30E. The users should only have access to the mail server and some applications which are on the internet (for example TeamViewer and the like); I am using a public DNS such as Google's.


The simplest would be to allow only the ports to the mail server and those internet applications; however, since DNS is now blocked via the policies, I am not able to reach them by URL, though by IP it is OK. This of course stops users from surfing and is the most ideal, but is there any way to allow DNS to work to resolve URLs while not allowing users to surf?

Thank you!

1 reply

rwpatterson
New Member
March 30, 2018

Welcome to the forums.


Simply do not create a policy allowing HTTP/HTTPS traffic. No policy = no access. If you have the predefined 'any/any/all' policy enabled, then create one before it which denies HTTP/HTTPS traffic. Policies are executed from the top down, so place it before the global allow. You [should] know your network. You should remove any global allows and break down the traffic the way it is supposed to flow. Good security and laziness (or sloppiness) are mutually exclusive concepts in firewalling.


Hope that helps

ede_pfau
SuperUser
March 30, 2018

If you want to allow TeamViewer you need to allow HTTPS. I would create a separate policy to allow HTTPS and apply an Application Control sensor to exempt TeamViewer (rough sketch, you know what I mean).

Cavey (Author)
New Member
April 1, 2018

Hello all,


Thanks for the tips! I found out that a simple first rule of any to any, allowing only the DNS service for that rule, lets URL resolution work perfectly. Of course, the blocking of HTTP/HTTPS traffic will be in separate rules :)
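To make rwpatterson's point about top-down evaluation and Cavey's final policy set concrete, here is an added example that is not part of the thread and is not FortiOS code: a small Python model of a first-match policy table. It walks the table the way a FortiGate does (first matching policy decides, no match means implicit deny) and flags any policy that an earlier, broader policy makes unreachable, which is exactly what happens to a "deny HTTP/HTTPS" rule placed below an any/any allow. The service definitions, the mail server address and the sample flows are constructed for the example.

```python
"""Top-down (first-match) firewall policy model.

Added example for this thread, not FortiOS code. It models how a FortiGate
walks its policy table from the top and stops at the first match, and flags
rules that an earlier, broader rule makes unreachable. Service definitions,
addresses and flows are constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Protocol/port definitions for the service names used in the thread.
# "ALL" is modelled as None, meaning "matches any protocol/port".
SERVICES = {
    "DNS":   frozenset({("udp", 53), ("tcp", 53)}),
    "HTTP":  frozenset({("tcp", 80)}),
    "HTTPS": frozenset({("tcp", 443)}),
    "SMTP":  frozenset({("tcp", 25)}),
    "IMAPS": frozenset({("tcp", 993)}),
    "ALL":   None,
}

MAIL_SERVER = "203.0.113.10"   # constructed placeholder (RFC 5737 documentation range)


@dataclass(frozen=True)
class Policy:
    name: str
    action: str                    # "accept" or "deny"
    services: Tuple[str, ...]      # names from SERVICES
    dst: Optional[str] = None      # destination address; None means "all"

    def ports(self):
        """Set of (proto, port) pairs this policy covers, or None for ALL."""
        if "ALL" in self.services:
            return None
        return frozenset().union(*(SERVICES[s] for s in self.services))

    def matches(self, flow):
        if self.dst is not None and flow["dst"] != self.dst:
            return False
        ports = self.ports()
        return ports is None or (flow["proto"], flow["dport"]) in ports


def evaluate(policies, flow):
    """Walk the table top-down; the first match wins. No match = implicit deny."""
    for p in policies:
        if p.matches(flow):
            return p.action, p.name
    return "deny", "implicit-deny"


def shadowed(policies):
    """Names of policies that can never match because an earlier policy already
    covers every flow they would match (same or wider destination, superset of
    services). A shadowed deny is the classic 'deny below the global allow' bug."""
    dead = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            dst_ok = earlier.dst is None or earlier.dst == later.dst
            ep, lp = earlier.ports(), later.ports()
            svc_ok = ep is None or (lp is not None and lp <= ep)
            if dst_ok and svc_ok:
                dead.append(later.name)
                break
    return dead


# The order rwpatterson warns about: the global allow sits above the web deny.
MISORDERED = [
    Policy("allow-all", "accept", ("ALL",)),
    Policy("deny-web", "deny", ("HTTP", "HTTPS")),
]

# The order the thread converges on: DNS anywhere, mail only to the mail
# server, web denied explicitly, everything else hits the implicit deny.
CORRECT = [
    Policy("allow-dns", "accept", ("DNS",)),
    Policy("allow-mail", "accept", ("SMTP", "IMAPS"), dst=MAIL_SERVER),
    Policy("deny-web", "deny", ("HTTP", "HTTPS")),
]

# Constructed sample flows leaving the remote office.
FLOWS = {
    "dns":         {"proto": "udp", "dport": 53,  "dst": "8.8.8.8"},
    "https":       {"proto": "tcp", "dport": 443, "dst": "198.51.100.20"},
    "imaps-mail":  {"proto": "tcp", "dport": 993, "dst": MAIL_SERVER},
    "imaps-other": {"proto": "tcp", "dport": 993, "dst": "198.51.100.7"},
}


def decisions(policies):
    """Map each sample flow name to (action, matching policy name)."""
    return {name: evaluate(policies, flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, table in (("misordered", MISORDERED), ("correct", CORRECT)):
        print(f"--- {label} (shadowed: {shadowed(table)})")
        for name, (action, by) in decisions(table).items():
            print(f"{name:12} {action:6} via {by}")
```

With the misordered table every flow is accepted by `allow-all` and `deny-web` is reported as shadowed; with the correct table DNS resolves, IMAPS to the mail server is accepted, HTTPS is denied and IMAPS to any other host falls through to the implicit deny. Note the model is port-based only: it cannot express ede_pfau's Application Control exemption, since TeamViewer's HTTPS looks like any other HTTPS at this layer, which is exactly why that case needs a separate HTTPS policy with an application sensor rather than another port rule.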