Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
paul_woods
New Contributor

Implementing UK Prevent agenda web filtering

Hello,

 

we have been asked to implement the UK Government's Prevent agenda web filtering to stop people going to radicalisation sites etc. Does anyone have any guides or notes on what to do to implement it on the FortiGate firewalls? 

 

Thanks,

Paul

1 Solution
tanr
Valued Contributor II

 I don't have any official guides or notes, but some quick thoughts:

 

You probably want to look through the Web Filter Categories: [link]https://fortiguard.com/webfilter/categories.[/link]

Blocking the "Extremist Groups" category using both Web Filter and DNS Filter would be a start.

 

You would need to do SSL inspection.  Note that this means you need to deal with setting up your own internal certificate authority and making sure all users have your certificate installed.  This will absolutely require work to avoid causing issues for sites and apps that use certificate pinning or have privacy issues.

 

To avoid people working around the filters you'd need to block the "Proxy Avoidance" category through web and dns filters, and "Proxy" category through Application Control. Note that this might block valid VPN use, so you might need to tweak the settings.

 

Beyond that start, I would contact TAC directly.  They may already have a template to follow.

View solution in original post

3 REPLIES 3
tanr
Valued Contributor II

 I don't have any official guides or notes, but some quick thoughts:

 

You probably want to look through the Web Filter Categories: [link]https://fortiguard.com/webfilter/categories.[/link]

Blocking the "Extremist Groups" category using both Web Filter and DNS Filter would be a start.

 

You would need to do SSL inspection.  Note that this means you need to deal with setting up your own internal certificate authority and making sure all users have your certificate installed.  This will absolutely require work to avoid causing issues for sites and apps that use certificate pinning or have privacy issues.

 

To avoid people working around the filters you'd need to block the "Proxy Avoidance" category through web and dns filters, and "Proxy" category through Application Control. Note that this might block valid VPN use, so you might need to tweak the settings.

 

Beyond that start, I would contact TAC directly.  They may already have a template to follow.

paul_woods

raising a ticket with Fortinet about this.

 

Thanks,

Paul

Dave_Hall
Honored Contributor

Good plan, though while I was formulating my own response to this question I did a quick research on UK Government's Prevent agenda web filtering and concluded because of the scope and potential liability you may be better off contacting Fortinet and/or a Fortinet partner to assist with designing the web filter/content policies and have someone higher up in your organization sign off on the implementation.  IMO.

 

paul.woods@durham.gov.uk wrote:

raising a ticket with Fortinet about this.

 

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C