FortiGate
jdelafuente_FTNT
Article Id 298713
Description

 

This article describes how to configure user authentication for a specific FortiGuard Web Filter category.

 

Scope

 

FortiGate, Web filter.

 

Solution

 

Requirements:

  • A valid FortiGuard Web Filter license.
  • An authentication server: Local, LDAP, or RADIUS.
  • An active connection to FortiGuard.

 

1. User Group:

Configure a specific user group. It can be Local, LDAP or RADIUS. For this exercise, a Local user group will be used.

Note: FSSO and SAML user groups are not currently supported.

  • To create a user: go to User & Authentication -> User Definition -> Create New -> Local User -> enter a username and password -> for Two-factor, choose 'none' -> select Finish.
  • To create the user group: go to User & Authentication -> User Groups -> Create New. For Name, enter 'Firewall'; for Members, select the previously created user; then select OK.


Note: The user group can be LDAP or RADIUS.

 

2. Web Filter profile:

 

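Go to Security Profiles -> Web Filter -> Create New and enter a Name (the firewall policy in step 3 refers to this profile as 'WebAuth'). Under FortiGuard Category Based Filter, select the category and set its action to Authenticate.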

 


This example uses the social networking category.
Next, select the user group created in step 1 and define the warning interval in hours, minutes and/or seconds. Select OK.

 


 

Then select OK on the next screen to save the Web Filter profile.

 

3. Firewall Policy:

 

Create a firewall policy and select the Web Filter profile 'WebAuth' created in step 2.

  • Name: WebAuthTest.
  • Incoming Interface: LAN.
  • Outgoing Interface: WAN.
  • Source: all.
  • Destination: all.
  • Service: all.
  • NAT: Enabled.
  • Web Filter: WebAuth.
  • SSL Inspection: Certificate Inspection.

 

4. Test:

 

Open a web browser and try to reach any site belonging to the selected category, such as Facebook. A certificate error may appear; to prevent this, install the Fortinet_CA_SSL certificate as a trusted root certificate on the PC.

 


Select Proceed and authenticate with user credentials.

 


 

If authentication is successful, access will be allowed.

 


 

5. Log:

 

Go to Log & Report -> Events -> User Events.

 


Note: The firewall policy should be set to 'Proxy-Based' inspection mode for this to work.
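
The proxy-based requirement in the note above can be checked offline against a configuration backup. The Python sketch below is an added example, not part of the original article or Fortinet code: it flags firewall policies that reference a web filter profile with an 'authenticate' action but are not in proxy-based inspection mode. The config excerpt is constructed, and its key names (`set action authenticate`, `set webfilter-profile`, `set inspection-mode proxy`, with flow mode assumed when that line is absent) are assumptions about the FortiOS CLI layout; the function names are hypothetical.

```python
# Constructed FortiOS-style config excerpt (not from the article; key names are assumptions).
SAMPLE = """\
config webfilter profile
    edit "WebAuth"
        config ftgd-wf
            config filters
                edit 1
                    set action authenticate
                next
            end
        end
    next
end
config firewall policy
    edit 1
        set name "WebAuthTest"
        set inspection-mode proxy
        set webfilter-profile "WebAuth"
    next
    edit 2
        set name "FlowPolicy"
        set webfilter-profile "WebAuth"
    next
end
"""

def parse(text):  # returns {section: {entry: [(key, value), ...]}}
    out, depth, section, entry = {}, 0, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("config "):
            depth += 1
            if depth == 1:  # new top-level section, forget the previous entry
                section, entry = out.setdefault(line[7:], {}), None
        elif line == "end":
            depth -= 1
        elif line.startswith("edit ") and depth == 1:
            entry = section.setdefault(line[5:].strip('"'), [])
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            entry.append((key, value.strip('"')))  # nested settings land here too
    return out

def policies_not_proxy(text):
    """Policies using an 'authenticate' web filter profile without proxy inspection."""
    cfg = parse(text)
    auth = {n for n, kv in cfg.get("webfilter profile", {}).items() if ("action", "authenticate") in kv}
    policies = [dict(kv, id=pid) for pid, kv in cfg.get("firewall policy", {}).items()]
    return [p.get("name", p["id"]) for p in policies
            if p.get("webfilter-profile") in auth and p.get("inspection-mode", "flow") != "proxy"]
print(policies_not_proxy(SAMPLE))
```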

  
