raafat
New Contributor

How to cascade Web Filter Policies in Web Proxy?

Hello,

At our company we need to allow specific websites to specific users on top of what is allowed company-wide. The thing is, we need to mix and match which websites are allowed for which users.

For example:

User A will have access to x.com and y.net

User B will have access to y.net and z.org

User C will have access to x.com and z.org

Our previous Web Gateway allowed us to create policies in which we allow specific users to visit specific URLs; if a user is not in the policy or the website is not defined, it doesn't take any action but rather evaluates the next policy, and so on; if no policy matches the request, the default policy is applied.

If I create a web filter rule, disable category filtering, and add the specific URL to be allowed to this rule, and, for example, I create another rule that blocks all websites, then add the first web filter rule to a proxy policy with specific users and the other web filter rule to another proxy policy that has all users defined in the source, I find that ALL websites are allowed. The first policy really does not evaluate anything and doesn't even show up in the logs, instead of the firewall evaluating the next policy.

I am using FortiOS 6.4.6; is this a bug in this release, or is this not a feature of FortiOS? Can anyone provide workarounds that have the same effect as what we were doing originally with our old web proxy?
abarushka
Staff

Hello,

Please find the details regarding web filter execution order by following the link below:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Web-filtering-order-of-execution/ta-p/1961...

 

You may consider 2 options:

- block all FortiGuard web filter categories and exempt certain URLs under the web filter profile

- create policies and configure the allowed URLs as the destination

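The first-match behaviour described in the question and the fix in option 1 above, as an added Python model that is not FortiOS code and not from this thread: a proxy policy is chosen once per request, so a profile with category filtering disabled and only exempt entries allows every host, while a profile that blocks all categories and exempts the per-user hosts gives the intended result. User names, host names and the two-action URL filter are constructed simplifications of the real profile.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass
class WebfilterProfile:
    # Static URL filter: host -> "exempt" or "block". Checked before categories.
    urlfilter: Dict[str, str] = field(default_factory=dict)
    # Action for every FortiGuard category; None means category filtering is off.
    category_action: Optional[str] = None

    def verdict(self, host: str) -> str:
        if host in self.urlfilter:              # static URL filter is evaluated first
            return "allow" if self.urlfilter[host] == "exempt" else "block"
        if self.category_action == "block":     # every category blocked
            return "block"
        return "allow"                          # nothing left in the profile blocks it

@dataclass
class ProxyPolicy:
    users: Optional[Set[str]]                   # None = matches any user
    profile: WebfilterProfile

def evaluate(policies: List[ProxyPolicy], user: str, host: str) -> str:
    """First policy whose source matches decides; later policies are never consulted."""
    for pol in policies:
        if pol.users is None or user in pol.users:
            return pol.profile.verdict(host)
    return "block"                              # implicit deny when nothing matches

# Layout from the question: allow-list profile with category filtering off, then block-all for everyone.
broken = [
    ProxyPolicy({"userA"}, WebfilterProfile({"x.com": "exempt", "y.net": "exempt"})),
    ProxyPolicy(None, WebfilterProfile(category_action="block")),
]

def allow_only(hosts: List[str]) -> WebfilterProfile:
    """Staff option 1: block all categories, exempt only the listed hosts."""
    return WebfilterProfile({h: "exempt" for h in hosts}, category_action="block")

# Same per-user lists as the question, one proxy policy per user plus a catch-all.
fixed = [
    ProxyPolicy({"userA"}, allow_only(["x.com", "y.net"])),
    ProxyPolicy({"userB"}, allow_only(["y.net", "z.org"])),
    ProxyPolicy({"userC"}, allow_only(["x.com", "z.org"])),
    ProxyPolicy(None, allow_only([])),          # everyone else: blocked everywhere
]

if __name__ == "__main__":
    print("broken, userA -> z.org:", evaluate(broken, "userA", "z.org"))  # allow
    print("fixed,  userA -> z.org:", evaluate(fixed, "userA", "z.org"))   # block
```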
KingHolly
New Contributor

I have been looking into the same thing. Even used "cascade" in my search terms.

Have you tried setting the NGFW mode under Settings to "Policy-based"? I can't say for certain it will solve your issue, but it approaches firewall rules in a different manner. I am currently testing that setting. I will come back and comment if I find some success with it.

KingHolly
New Contributor

This may provide an answer to your question. There is an implicit fall-through to rules without authentication. Read the links to know more. In the second link, there appears to be a way in the CLI to change that behavior. My use case for cascading firewall rules is outside the realm of authentication, but maybe this helps you.
vsahu
Staff

Hello,

If I understood the issue correctly, you want to provide the web filter profile based on users; you can use the web profile override, which might help.

https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/408599/web-profile-override

Regards,
Vishal