FortiGate
mriswan
Staff
Article Id 389471
Description

This article describes how the offline web-filtering function works on a FortiGate (for DoT compliance).

Scope

FortiGate.

Solution

Diagram:

[Image: offline-url filtering.png]


Working Flow:

  • Configure the static URLs to block in a web-filtering profile and apply that profile to a firewall policy that allows traffic from the downstream interface to the upstream interface.
  • FortiGate resolves the configured static URLs to IP addresses using the DNS servers entered under 'config system ips-urlfilter-dns'.

For example:

config system ips-urlfilter-dns
    edit 4.2.2.2
    next
    edit 8.8.8.8
    next
end


  • The resolved IPs are inserted as static routes on the FortiGate.
  • For these static routes to be created, the 'Gateway', 'Distance', and next-hop interface ('Device') must be defined. Configure them from the CLI as follows:


config webfilter ips-urlfilter-setting
    set device "port x"      <----- Upstream port.
    set distance 10
    set gateway <x.x.x.x>    <----- Next-hop IP of the upstream port.
end


Set 'device' to the egress (upstream) interface, 'gateway' to the next-hop IP on that interface, and 'distance' to the same value used for the default static route, so the auto-inserted routes are preferred consistently with it.


Note:

This enables the device to auto-configure static routes with the auto-resolved website IP addresses pointing to the upstream link.

These static routes are redistributed to the Gateway router via the Downstream iBGP session.
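The steps above assembled into one end-to-end configuration, as an added example rather than the article's own text. The DNS servers and the distance of 10 are the article's values; the URL-filter table ID, profile and policy names, interface names (port1 downstream, port2 upstream), the gateway 203.0.113.1 and the blocked domain are assumed placeholders to replace with your own.

```text
# Added example, not from the article. Assumed: urlfilter table 1,
# profile "offline-block", policy 10, port1 = downstream, port2 = upstream,
# upstream next hop 203.0.113.1, blocked domain blocked.example.com.
config webfilter urlfilter
    edit 1
        set name "offline-block-list"
        config entries
            edit 1
                set url "blocked.example.com"
                set type simple
                set action block
            next
        end
    next
end
config webfilter profile
    edit "offline-block"
        config web
            set urlfilter-table 1
        end
    next
end
config system ips-urlfilter-dns
    edit 4.2.2.2
    next
    edit 8.8.8.8
    next
end
config webfilter ips-urlfilter-setting
    set device "port2"
    set distance 10
    set gateway 203.0.113.1
end
config firewall policy
    edit 10
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "offline-block"
    next
end
# Check that the resolved IPs appeared as static routes via port2:
# get router info routing-table static
```

The routing-table check should list a static route for each resolved IP with distance 10 and port2 as the next hop; if none appear, confirm the configured DNS servers are reachable from the FortiGate.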
