CrawfCol
New Member
November 19, 2021
Question

Restrict Internet Access for certain Hosts

  • November 19, 2021
  • 5 replies
  • 6727 views

We have a number of Hosts on our network, where we would like to limit the URLs they can access out on the Internet.


They will be limited to accessing only a small number of specific URLs.


I'm pretty sure this can be done, using Address Groups and Addresses maybe (MAC Address).  But has anyone done this and can they point me to a good guide?

5 replies

nomeursy
New Member
November 19, 2021

If you only want to allow FQDNs then you can add the specific FQDN as an Address_Object and group them in an Address_Group. Then allow in a policy only HTTP(S) to this Address_Group.

If you want to use a URL, then you could do it with URL filters on the web filter, but if I remember correctly, you need to enable SSL deep inspection when the URLs are HTTPS.

Debbie_FTNT
Staff & Editor
November 19, 2021

Deep inspection is NOT required for HTTPS websites, but certificate inspection is; FortiGate will pull URL information from the certificate Subject and Subject Alternative Name fields for web filtering purposes.

chatroomwebcam
New Member
November 19, 2021

Bandwidth Management: Bandwidth abuse causes severe latency and network crashes. Organizations will use a bandwidth analyzer to identify the users and websites responsible for the excessive bandwidth usage, later adding them to their internet blacklist to prevent future abuse.

Network & Computer Security: By preventing users from accessing malicious websites that are known to contain malware, an internet filter provides critical security controls for protecting sensitive data.

Productivity Management: Content filters are used to block access to distracting websites and computer applications such as social media sites, computer games, and video streaming services.

bpozdena_FTNT
Staff
November 19, 2021

There are many ways to achieve this behavior. The below suggestion assumes the hosts in question have the FortiGate's IP address set as the default gateway:


1) Create MAC address objects for your hosts and specify them as source in your firewall policy. [Ref.: https://docs.fortinet.com/document/fortigate/6.2.0/new-features/485133/mac-address-based-policies ]

2) Create a web filter profile where only the URLs you need are allowed, then add the web filter profile to the above firewall policy. [Ref.: https://docs.fortinet.com/document/fortigate/7.0.2/administration-guide/615462/url-filter ]


Note that most websites require whitelisting of multiple domain names to load properly. Always use developer tools in your browser to see which resource is not accessible and whitelist it in your URL filter as needed. [ Ref: https://developer.chrome.com/docs/devtools/network/ ]
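The two steps above, written out as a FortiOS CLI configuration. This is an added example, not configuration posted by bpozdena_FTNT or taken from the Fortinet documentation; the object names, the interface names `internal` and `wan1`, the MAC address and the `example.com` domain are placeholders to be replaced with your own values. The MAC-based source match only works when the FortiGate sees the hosts' frames directly (hosts on a directly connected segment using the FortiGate as their gateway, as the post assumes); traffic arriving through another router carries that router's MAC, not the host's.

```text
# --- Step 1: MAC address objects for the restricted hosts (placeholder MACs) ---
config firewall address
    edit "host-kiosk1"
        set type mac
        set macaddr 00:11:22:33:44:55
    next
end

config firewall addrgrp
    edit "restricted-hosts"
        set member "host-kiosk1"
    next
end

# --- Step 2: URL filter that allows only the named sites and blocks the rest ---
# Entries are evaluated top-down; the explicit allow entries must sit above
# the catch-all wildcard block entry.
config webfilter urlfilter
    edit 1
        set name "allow-list-only"
        config entries
            edit 1
                set url "example.com"          # placeholder: the site to permit
                set type simple
                set action allow
            next
            edit 2
                set url "*"
                set type wildcard
                set action block               # everything not matched above
            next
        end
    next
end

config webfilter profile
    edit "restricted-web"
        config web
            set urlfilter-table 1
        end
    next
end

# --- Policy: source limited to the MAC group, web filter attached ---
# certificate-inspection (not deep-inspection) is enough for the URL filter
# to match HTTPS hostnames from the server certificate / SNI.
config firewall policy
    edit 0
        set name "restricted-hosts-to-internet"
        set srcintf "internal"                 # placeholder LAN interface
        set dstintf "wan1"                     # placeholder WAN interface
        set srcaddr "restricted-hosts"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "restricted-web"
        set nat enable
    next
end
```

Place this policy above any broader "LAN to WAN" allow rule so the restricted hosts match it first. After applying it, load each permitted site from one of the hosts with the browser's developer tools open and add any blocked secondary domains (CDNs, API endpoints) as further `allow` entries above the wildcard block; the FortiGate web filter log shows the same blocked hostnames from the firewall side.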

jboyssac95
New Member
November 19, 2021
pavankr5
Staff
July 21, 2023

Hello,

Please check this article on configuring FortiGate Firewall Policy to block traffic for one or more IP addresses:
https://community.fortinet.com/t5/FortiGate/Technical-Note-Configuring-FortiGate-Firewall-Policy-to-block/ta-p/197727
Let us know if you have any queries.

Thanks