drivesafely
New Contributor

Allow specific full url in fortigate

Hello All,

In the FortiGate firewall, can someone guide how we can allow only a specific full/exact URL, as below?

https://code.ionicframework.com/ionicons/2.0.1/css/ionicons.min.css

Thanks,

 

adambomb1219
SuperUser

How do you know this is being blocked by the firewall?  What do the logs say?  Which inspection feature is blocking this?  Web Filter?  DNS?  Something else?

drivesafely

Hello @adambomb1219 

Thank you for your response.

The firewall is not currently blocking this URL. We have certain devices restricted from accessing the internet through the firewall, but we’d like to make an exception to allow access to this specific URL for an application on these devices.

bkrishnan
Staff

Hi
Create a simple URL filter to block the full URL in the web filter profile.
The below doc might help you;

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-a-static-URL-filter-feature-to-allow...

ezhupa
Staff

Hello,

Since you want to allow the full URL I assume the path of the URL needs to be checked as well. 

With a simple policy and only cert inspection the web filter will only check the certificate information present. 
You would need a policy preferably in proxy mode and with SSL deep inspection enabled.

In the web filter profile you create a static URL filter with the action set to "EXEMPT". This is really important as sometimes with action set to "allow" if you are blocking the category in the webfilter then it will still be blocked.

 

Hope this helps.

drivesafely
New Contributor

Hello @bkrishnan @ezhupa,

 

Thank you for sharing the useful link!

I had a doubt about whether deep inspection would be necessary, as @ezhupa has mentioned.

To make it easier, should creating a simple URL filter to allow "code.ionicframework.com/*" work?

Please guide. Thanks,

ezhupa

Hello,

 

Yes that should work, but remember it is better to set the action to "Exempt". I am adding below an article that explains the difference.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-The-difference-between-allow-and-exempt-in...
You can either configure it as a simple URL or a WILDCARD/Regex URL.

You can test either way and see whichever works best in your scenario.

 

EDIT:
code.ionicframework.com/* -> if you are using a * after the slash, that would allow every possible path after the link, and not only code.ionicframework.com/ionicons/2.0.1/css/ionicons.min.css.
And if using *, it would be better to use a Wildcard type URL.

drivesafely

@ezhupa 

Thanks for confirming.

I will configure a wildcard URL for "code.ionicframework.com/*" with action set to Exempt.

Then add another filter below it with * and action set to block.

Can you guide, whether another filter with * and action set to block is necessary ?

ezhupa

Hello, 

 

If you want to block everything else, a wildcard type URL "*.*" with action set to BLOCK will block everything. Only URLs exempted above this block rule should be allowed.
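
The configuration this thread arrives at, written out in FortiOS CLI as an added example (not posted by any participant): an exact-URL exempt entry above a catch-all block, bound to a proxy-mode policy with deep inspection. The table ID, the profile and policy names, the interfaces and the `restricted-devices` address object are placeholders, and the syntax assumes a recent FortiOS release, so check it against your version's CLI reference.

```fortios
# Added example. Names, table ID, interfaces and address object are placeholders.
config webfilter urlfilter
    edit 10
        set name "ionicons-only"
        config entries
            # The exempt entry sits above the block entry, as described in the thread.
            edit 1
                set url "code.ionicframework.com/ionicons/2.0.1/css/ionicons.min.css"
                set type simple
                set action exempt
                set status enable
            next
            # Catch-all from the thread: everything not exempted above is blocked.
            edit 2
                set url "*.*"
                set type wildcard
                set action block
                set status enable
            next
        end
    next
end

config webfilter profile
    edit "restricted-devices-wf"
        set feature-set proxy
        config web
            set urlfilter-table 10
        end
    next
end

config firewall policy
    edit 0
        set name "restricted-devices-ionicons"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "restricted-devices"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set inspection-mode proxy
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set webfilter-profile "restricted-devices-wf"
    next
end
```

Deep inspection re-signs the server certificate, so the restricted devices must trust the CA certificate used by the SSL inspection profile or the application's HTTPS request will fail certificate validation.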

drivesafely

@ezhupa 

I got that, thanks. Since the devices for which we want to allow this URL are already restricted from accessing the internet through the firewall, I wondered whether it is required.
