FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
jdelafuente_FTNT
Article Id 298713
Description

This article describes how to configure user authentication for a specific FortiGuard Web Filter category.

Scope

FortiGate, Web Filter.

 

Solution

Requirements:

  • A valid FortiGuard Web Filter license.
  • An authentication server: Local, LDAP, or RADIUS.
  • An active connection to FortiGuard.

 

  1. User Group:

Configure a user group. It can be Local, LDAP or RADIUS; for this exercise, a Local user group is used.

Note: FSSO and SAML user groups are not supported for now.

  • To create a user: go to User & Authentication -> User Definition -> Create New -> Local User -> enter a username and password -> for Two-factor, choose 'none' -> select Finish.
  • To create the user group: go to User & Authentication -> User Groups -> Create New -> for Name, enter 'Firewall'; for Members, select the user created above -> select OK.


Note: The user group can also be an LDAP or RADIUS group.

 

  2. Web Filter profile:

Go to Security Profiles -> Web Filter -> Create New -> for Name, enter 'WebAuth' -> under FortiGuard Category Based Filter, select the category -> Authenticate.

 

For this example, the Social Networking category is used.
Then select the user group created in point 1 and define the warning interval in hours, minutes and/or seconds. Select OK.

Note: The warning interval defines how long the authenticated session stays valid before the timer expires. In this example, after 2 hours the user can no longer access the website until they authenticate again. This is particularly noticeable on streaming platforms such as YouTube, where the video stops after two hours.

 

Then select OK in the next screen to save the Web Filter profile.

 

CLI reference:

Use the following command to list the website categories and their IDs:

get webfilter categories

Set the category action to authenticate and add the user group (in this example, filter entry 36 matches category 37, Social Networking):

config webfilter profile
    edit "default"
        config ftgd-wf
            config filters
                edit 36
                    set category 37
                    set action authenticate
                    set warn-duration 2h5m
                    set auth-usr-grp "usergroup"
                next
            end
        end
    next
end

 
  3. Firewall Policy:

Create a firewall policy and select the Web Filter profile 'WebAuth' created in point 2:

  • Name: WebAuthTest.
  • Incoming Interface: LAN.
  • Outgoing Interface: WAN.
  • Source: all.
  • Destination: all.
  • Service: all.
  • NAT: Enabled.
  • Web Filter: WebAuth.
  • SSL Inspection: Certificate Inspection.

 

  4. Test:

Open a web browser and try to reach a site in the selected category, such as Facebook. A certificate error may appear; to prevent it, install the Fortinet_CA_SSL certificate as a trusted root certificate on the PC.

 

Select Proceed and authenticate with user credentials.

 

If authentication is successful, access will be allowed.

 

  5. Log:

 

Go to Log & Report -> Events -> User Events.

 

Notes:

  1. On FortiOS 7.2.x and 7.0.x, the policy inspection mode should be set to 'Proxy-based'.
  2. Starting from FortiOS 7.4.4, this functionality also works with the policy inspection mode set to 'Flow-based'.
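The same setup as a single FortiOS CLI session, covering the user, user group, Web Filter profile and firewall policy from steps 1 to 3, with the proxy inspection mode the notes above call for. This is an added example, not taken from the original article; the user name 'webuser', the password placeholder, the interface names 'lan' and 'wan1', the filter entry ID 1 and the use of the built-in 'certificate-inspection' SSL profile are assumptions.

```fortios
# Step 1: local user and the group referenced by the Web Filter profile
config user local
    edit "webuser"
        set type password
        set passwd "CHANGE-ME-placeholder"
    next
end
config user group
    edit "Firewall"
        set member "webuser"
    next
end
# Step 2: profile 'WebAuth' requiring authentication for category 37 (Social Networking),
# re-authentication after a 2 hour warning interval
config webfilter profile
    edit "WebAuth"
        config ftgd-wf
            config filters
                edit 1
                    set category 37
                    set action authenticate
                    set warn-duration 2h
                    set auth-usr-grp "Firewall"
                next
            end
        end
    next
end
# Step 3: policy LAN -> WAN with NAT, certificate inspection, the profile,
# and proxy inspection mode (required on 7.0.x / 7.2.x)
config firewall policy
    edit 0
        set name "WebAuthTest"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "WebAuth"
        set nat enable
    next
end
```

Run 'diagnose firewall auth list' afterwards to confirm the authenticated user appears once the test in step 4 succeeds.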

 
