Skip to main content
raafat
raafat
New Member
June 7, 2021
Question

How to cascade Web Filter Policies in Web Proxy?

  • June 7, 2021
  • 4 replies
  • 3994 views

Hello,

 

At our company we need to allow specific websites to specific users on top of what is allowed company-wide. The thing is we need to mix and match what websites are allowed for which users. 

 

For example:

User A will have access to x.com and y.net

User B will have access to y.net and z.org

User C will have access to x.com and z.org

 

Our previous Web Gateway allowed us to create policies in which we allow specific users to visit specific URLs; if a user is not in the policy or the website is not defined, it doesn't take any action but rather evaluate the next policy and so on till and if no policy matched the request, then the default policy is applied.

 

If I create a web filter rule and disable category filtering and add the specific URL to be allowed to this rule and, for example, I create another rule that blocks all websites and add the first web filter rule to a proxy policy with specific users and add the other web filter rule to another proxy policy that has all users defined in the source, I find that ALL websites are allowed as the first policy really does not evaluate anything and don't even show up in the logs instead of the firewall evaluating the next policy.

 

I am using FortiOS 6.4.6, is this a bug in this release or this is not a feature of FortiOS? Can anyone provide workarounds that have the same effect as what were doing originally with our old web proxy? 

 

    4 replies

    abarushka
    Staff
    abarushka
    Staff
    June 7, 2022

    Hello,

     

    Please find the details regarding webfilter execution order by following the link below:

    https://community.fortinet.com/t5/FortiGate/Technical-Tip-Web-filtering-order-of-execution/ta-p/196179

     

    You may consider 2 options:

     

    - block all FortiGuard webfilter categories and exempt certain URLs under webfilter profile

     

    - create policies and configure allowed URLs as destination

    KingHolly
    KingHolly
    Visitor III
    June 16, 2022

    I have been looking into the same thing. Even used "cascade" in my search terms.

     

    Have you tried setting the NGFW mode under Settings to "Policy-based"? I can't say for certain it will solve your issue, but it approaches firewall rules in a different manner. I am currently testing that setting. I will come back and comment if I find some success with it.

    KingHolly
    KingHolly
    Visitor III
    June 16, 2022

    This may provide an answer to your question. There is an implicit fall-through to rules without authentication. Read the links to know more. In the second link, there appears to be a way in the CLI to change that behavior. My use case for cascading firewall rules is outside the realm of authentication, but maybe this helps you.

     

     
    A
    Anonymous_User
    New Contributor III
    March 30, 2023

    Hello,

     

    If I understood the issue correctly you want to provide the web filter profile based on users, you can use the web profile override it might help.

    https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/408599/web-profile-override

    Terms & ConditionsAccessibility statement