FortiGate
jdelafuente_FTNT
Article Id 298841
Description

 

This article describes how to configure Web Filter user authentication for a local (custom) category override, so that users must authenticate before reaching the URLs assigned to that category.

In this scenario, Web Filter authentication is required before branch-office users can access internal sites in a private domain.

 

Scope

 

FortiGate, Web Filter, User Authentication.

 

Solution

 

In this scenario:

  • Internal web services are located in the Data Center (e.g. https://intranet.fortilabmx.net).
  • There is an IPsec VPN tunnel between FGT_Datacenter and FGT_Branch.
  • Internal URLs are resolved to private addresses (e.g. 192.168.x.x) by DNS or by a 'hosts' file.
  • A local category override is needed for the internal URLs.
  • Web authentication is required to reach the internal web services. For this exercise, a local user group will be used.

 

Simple Network Diagram.

 

 

Local Category:

In FGT_Branch, create a new custom web category and assign the internal URLs to it with rating overrides.

  • To create a custom category: go to Security Profiles -> Web Rating Overrides -> Custom Categories -> Create New, set Name to 'Internal Sites', then select OK.
  • To create a web rating override: go to Security Profiles -> Web Rating Overrides -> Create New.
  • Set URL to 'intranet.fortilabmx.net', Category to 'Custom Categories' and Sub-category to 'Internal Sites', then select OK.

 


 


Important Note:

The captive portal used for web authentication listens on dedicated TCP ports on the FortiGate (by default 1000 for HTTP and 1003 for HTTPS), and the redirect to it is only triggered for traffic on the standard web ports. The internal URLs must therefore use the standard HTTP/HTTPS ports (80/443); if an internal site listens on a non-standard port, the authentication ports must be adjusted as described in the following Technical Tip:

Technical Tip: How to allow custom port when non-standard port is used while active authentication

 

 

Web Filter Profile:

In FGT_Branch, create a new Web Filter profile and configure user authentication for the local category 'Internal Sites'.

  • Go to Security Profiles -> Web Filter -> Create New and give the profile a name (the firewall policy below uses 'Web Filter'). Under FortiGuard Category Based Filter -> Local Categories, select 'Internal Sites' and set its action to Authenticate.
  • Select the user group(s) allowed to authenticate, and define the warning interval (in hours, minutes and/or seconds) after which the user is prompted again. Select OK.

 


 


Remember to select OK on the next screen to save the Web Filter Profile.

 

Firewall Policy:

Create a firewall policy as follows:

  • Name: Internal Sites.
  • Incoming Interface: LAN.
  • Outgoing Interface: IPSec_VPN_Interface.
  • Source: all.
  • Destination: all.
  • Service: all.
  • Inspection mode: Proxy.
  • Web Filter: Web Filter.
  • SSL Inspection: Certificate Inspection.
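The same configuration can be applied from the FortiOS CLI. The following is an added example that is not part of the original article; it reproduces the GUI steps above (custom category, rating override, Web Filter profile with the Authenticate action, and the firewall policy). The category ID 140, the user 'user1', the group 'Intranet_Users' and the interface name 'lan' are assumptions chosen for the example; local (custom) categories take IDs in the range 140-191. The optional 'auth-ports' section at the end corresponds to the Important Note above and is only needed when an internal site listens on a non-standard port.

```text
# Custom category 'Internal Sites' (assumed ID 140; custom categories use 140-191)
config webfilter ftgd-local-cat
    edit "Internal Sites"
        set id 140
    next
end

# Rating override: assign the internal URL to the custom category
config webfilter ftgd-local-rating
    edit "intranet.fortilabmx.net"
        set status enable
        set rating 140
    next
end

# Local user and group used by the Authenticate action (assumed names)
config user local
    edit "user1"
        set type password
        set passwd "ChangeMe-Str0ng!"
    next
end
config user group
    edit "Intranet_Users"
        set member "user1"
    next
end

# Web Filter profile: the custom category requires authentication
config webfilter profile
    edit "Web Filter"
        config ftgd-wf
            config filters
                edit 1
                    set category 140
                    set action authenticate
                    set warn-duration 5m
                    set auth-usr-grp "Intranet_Users"
                next
            end
        end
    next
end

# Firewall policy LAN -> IPsec tunnel, proxy inspection, certificate inspection
config firewall policy
    edit 0
        set name "Internal Sites"
        set srcintf "lan"
        set dstintf "IPSec_VPN_Interface"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "Web Filter"
    next
end

# Optional: only if an internal site uses a non-standard web port (assumed 8080),
# so that the captive-portal redirect is also triggered for that port
config user setting
    config auth-ports
        edit 1
            set type http
            set port 8080
        next
    end
end
```

After a user has authenticated through the captive portal, the session can be confirmed on FGT_Branch with 'diagnose firewall auth list', which shows the source IP, user name and group of each authenticated user.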

 

Results:

When a web browser requests an internal URL, the Web Authentication page is presented. After successful authentication, the requested web page is displayed.

 


 


Related articles:

Technical Tip: Creating a Web Filter profile with user authentication

Video: Flow Mode Webfilter Support (Warning/Authenticate/Override).