Web Filtering on Fortigate without Explicit Proxy

Forum|Forum|1 year ago
November 12, 2024
3 replies
1547 views

I'm using a Fortigate 4200 running firmware 7.4. Most of our rules use FQDNs like www.microsoft.com but this seems very permissive. Ideally we'd like to examine the actual URLs being used and restrict i.e. allow things like http://www.microsoft.com/crl or https://www.microsoft.com/crl. We have many applications/systems that don't support explicit proxying so explicit proxy is not an option.

So in the absence of using an explicit proxy is this possible?

FortiGate

GauravPandya

Explorer

You can simply use web filtering profile (create as per your requirement) with flow mode policy inspection. However, it will give better result when you use policy in proxy-based inspection.

For fine tuning of URL/application you can use "static web filter", also you can explore "application control" profile with proxy-based inspection

AlexC-FTNT

Staff

Explicit proxy is not needed.

But you need to perform deep inspection in proxy-mode policy.

With certificate inspection only, FortiGate is only able to see the domain name for that particular website. So the full URL is not visible, can't be logged, no action can be taken. Deep inspection profile is the only way (note the default profile may exempt several sites from deep inspection)

dingjerry_FTNT

Staff

Hi @shocko ,

You need to use Deep Inspection instead of Certificate Inspection for the SSL Inspection profile so FGT can tell the real URL in the HTTP header. Then you can use the static URL filter to allow/deny such URLs.

For more info about the static URL Filter, please check this KB:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-Static-URL-filter-actions-explained/ta-p/206632

In the References section at the end, there are a lot of useful links as well.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded