Fortinet Forum
navin_cool
New Contributor

How to configure Static URLfilter in Fortigate 4.0 with FortiGuard license expired

Hi,

We are using Fortigate 200A with version 4.0 (MR2 Patch 2) and Fortiguard license expired.

Now, we are planning to block a few websites to overcome a high Internet bandwidth utilization issue.

I have configured Webfilter under UTM services, but it does not work. I think it's because there is no active FortiGuard licence.

I heard that we can use a Static Filter list here. Can someone guide me on how to use it, since I do not see a static filter option in GUI mode? Or is there any other way to block websites without having an active FortiGuard license?

Thanks and Regards

Naveen

2 Solutions
emnoc
Esteemed Contributor III

The whole thing won't work without a license.

I have to disagree, and what the OP wants to do is to place static entries and NOT use FortiGuard (assumption). This will work but is not recommended by FTNT and could cause issues with blocking legit sites if done incorrectly.

You could define a filter to block on a wildcard and then add the sites that you want to allow, or even the vice versa: block specific sites and then a wildcard allowance. BTW I've done this in K-12 edu with site allowances.

Be very, very, very careful in your approach and method. BUT categorization with an expired FortiGuard license will most likely break all.

PCNSE 

NSE 

StrongSwan  
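An added example, not from this thread or from Fortinet documentation, of the layout emnoc describes (block on a wildcard, then add the sites to allow) written as FortiOS 4.0-style CLI. The table number, profile name, host names and the profile-binding keywords under `config webfilter profile` are assumptions; confirm the exact keywords with `?` on the unit, since they changed between 4.0 releases.

```fortios
# Static URL filter table. Entries are evaluated top-down and the first
# match wins, so the specific allow entries MUST come before the catch-all
# block; put the "*" block first and every site is cut off.
config webfilter urlfilter
    edit 1
        set name "static-allowlist"
        config entries
            edit 1
                set url "intranet.example.com"   # constructed example host
                set type simple
                set action allow
            next
            edit 2
                set url "*.windowsupdate.com"    # constructed wildcard allow
                set type wildcard
                set action allow
            next
            edit 3
                set url "*"                      # catch-all: block everything else
                set type wildcard
                set action block
            next
        end
    next
end

# Bind the table to a web filter profile used by the outbound policy.
# Do not enable FortiGuard category filtering in this profile: with an
# expired license the category lookups fail and that is what "breaks all".
# (Binding keywords are an assumption for this 4.0 release; verify with "?".)
config webfilter profile
    edit "static-only"
        config web
            set urlfilter-table 1
        end
    next
end
```

Entry order is what makes this safe: the catch-all block stays the last entry, and as noted elsewhere in the thread it only covers HTTP unless SSL inspection with a client-trusted certificate is in place.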

Allwyn_Mascarenhas

navin.cool wrote:

You are referring to static filtering as the web filter, which is part of FortiGuard services.

So, in your case, do you have an active FortiGuard license?

For me, this license expired already.

Yes, my license is active.

Inside the web filter, below the categories, you see the URL filter option. And yes, it's in the web filter.

Allwyn_Mascarenhas
Contributor

With no license, FortiGate web filtering will not work AT ALL. It will just block all legit traffic as well.

And on using static filtering: I'm in the middle of doing this with Fortinet TAC. HTTPS won't be blocked with this unless you install a cert on the clients with SSL inspection on.

navin_cool

Thanks for your reply.

I know, the web filter will not work without an active FortiGuard license.

Hence, we need to go with the Static Filter for the time being (until we get the new license).

So, can you please share the configuration steps and your observations after you finish with Fortinet TAC.

Allwyn_Mascarenhas

What exactly is static filtering? You are referring to the URL filter option within the web filter, right?

The whole thing won't work without a license.

Allwyn_Mascarenhas

emnoc wrote:

The whole thing won't work without a license.

I have to disagree, and what the OP wants to do is to place static entries and NOT use FortiGuard (assumption). This will work but is not recommended by FTNT and could cause issues with blocking legit sites if done incorrectly.

You could define a filter to block on a wildcard and then add the sites that you want to allow, or even the vice versa: block specific sites and then a wildcard allowance. BTW I've done this in K-12 edu with site allowances.

Be very, very, very careful in your approach and method. BUT categorization with an expired FortiGuard license will most likely break all.

While we're at it, I have a client who wants to block Facebook over HTTPS without having to install the SSL cert on 100+ PCs. I tried and tested this with a wildcard block but it simply fails.

So this is not possible, right? For some reason FTNT has a doc which says this can be done, and TAC pointed me to the same. But when I tried this it only worked with the cert installed on the PC; if not, it starts blocking all legit HTTPS sites as well.

emnoc
Esteemed Contributor III

Do you have a FortiGuard service license and is it active? In that example you reference, I believe they are blocking by web category (Social Networking) and by extracting the CN field from the cert, so we can drop the session without ssl-deep-scan.

e.g. look at the cert received in the server hello:

id-at-commonName=*.facebook.com

PCNSE 

NSE 

StrongSwan  

navin_cool

Hi both,

I am referring to the static URL filter (create static entries), but not using the web filter (which is part of FortiGuard Services).

So, I understand that by using the static URL filter we can block only http/www websites, but not https.

If we want to block https traffic as well, we need to go with SSL full inspection and install the ssl certificate on all client machines, after we generate it from the FortiGuard firewall.

Please correct me if I am wrong.

Also, I do not see the "Security Profile" option in the GUI on the Fortigate 200A with 4.0 MR2, to start with the static URL filter. Please guide me on the procedure.

Allwyn_Mascarenhas

navin.cool wrote:

Hi both,

I am referring to the static URL filter (create static entries), but not using the web filter (which is part of FortiGuard Services).

So, I understand that by using the static URL filter we can block only http/www websites, but not https.

If we want to block https traffic as well, we need to go with SSL full inspection and install the ssl certificate on all client machines, after we generate it from the FortiGuard firewall.

Please correct me if I am wrong.

Also, I do not see the "Security Profile" option in the GUI on the Fortigate 200A with 4.0 MR2, to start with the static URL filter. Please guide me on the procedure.

You can refer to this doc.

If you can't see the webfilter option in your policies, then you need to turn the web filter on from System > Config > Features.

emnoc
Esteemed Contributor III

Try both *.facebook and dot com is all that I can suggest.

Ken

PCNSE 

NSE 

StrongSwan