Ali84
New Contributor

Application Control and Web Filtering not working together.

I want to keep Office apps open and also let the user browse to some specific URLs, but the web filtering works properly only if I apply it alone, not with Application Control.

Any advice on how I can do that? 

I have the 6.4.8 version

srajeswaran
Staff

Can you share more details? When you apply WF+Application Control, are the URLs that are supposed to be blocked getting allowed?

Is it proxy based or flow-based inspection and is there SSL inspection active?

 

Also, the discussion below may give you some more pointers.

https://community.fortinet.com/t5/Support-Forum/manage-application-control-and-web-filter/td-p/12241

 

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

Ali84
New Contributor

I set up the office to be open in application control, and it's working fine; I also need to filter the internet and leave a few URLs open. 

I tested it several times and realized it was not working correctly. I disabled the AC and tried to use only WF, but it's not working. 

I set it like the picture, but it's not working. It leaves everything open like there is no filtering.  

Ali84_0-1676295855357.png

 

gfleming

Sounds like you need two policies:

 

1. One policy to allow access to Office.

2. Second policy to restrict Web traffic.

 

If the policy allowing Office is above the other policy then the only traffic that is going to match the Office policy is traffic destined to Office apps.

 

When a user tries to access a blocked web page it will completely bypass the office policy and go to the web filter policy.

 

Now, we can't really use application control to block access in this way because policies are matched on the network traffic and then we filter the application traffic. So in the scenario above, if you are allowing Office using application control, your policy must also be allowing HTTP traffic, which means you're also going to have to simultaneously block using web filters.

 

I would suggest leveraging the ISDB whenever you need to allow access to specific resources and services. In this case use ISDB (which is a network-level classification) to allow access to Office in a single policy.

 

Then use the web filter policy below it to filter out how your users' web browsing should work.

 

https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/179236/using-internet-servic...

 

https://www.fortiguard.com/encyclopedia/isdb/327782

 

Hope that helps.

Cheers,
Graham
Ali84
New Contributor

Hi,  

Thanks for your reply, and sorry about the delay. 

 

It seems I'm not doing Web Filtering right. 

I tried to start with only a web filter for the first step, but it is not working. 

I'm trying to block all the URLs and then leave a couple of them accessible. But it's not working. Would you please guide me with that first? 

Please consider my Firewall config for the Web Filter. 

Ali84_0-1677512244236.png

Ali84_1-1677512401018.png

Regards

gfleming

You haven't shown the security profiles on the firewall policy. Is "Blocked Internet Web Filter" applied to the FW Policy?

 

Also confirm you want to block access to the entire web except for the URLs in your filter? If so, I don't see anything defining the blocking.

 

You should probably put a wildcard catch-all at the end of your URL filter and set it to Block.

Cheers,
Graham
Ali84
New Contributor

That's the whole plan. We want to block the entire web except for some specific URLs, and we also want to keep Outlook 365 open with application control.

I want to do Outlook with application control because I don't know what websites I should leave accessible to do that. I know it's more than one URL.

Please advise me on how to do the whole plan.  

Sorry the plan is changed, and it caused the delay. 

Thanks for your help. 

gfleming

Yes, as mentioned already in the previous reply, you create a policy to allow only the office/outlook 365 traffic. You can use App Control or, maybe even better, ISDB.

https://www.fortiguard.com/encyclopedia/isdb/327791

https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/179236/using-internet-servic...

 

So now everyone accessing Outlook 365 will hit that policy. Any other traffic that is not Outlook will not match that policy so will go down the list to evaluate the next policies.

 

So that's where the second policy comes into play and where you define what is allowed to be accessed using either ISDB, App Control or Web Filter, or a combination thereof.

Cheers,
Graham
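
The two-policy layout and the catch-all URL filter entry suggested in the replies above, written out as FortiOS CLI. This is an added example, not configuration posted by anyone in the thread. The policy IDs, interface names, the `test-pc` address object, the sample URL and the ISDB entry name `Microsoft-Office365` are assumptions to replace with your own values; the profile name is the one mentioned in the thread.

```fortios
# Added example: IDs, interfaces, "test-pc" and the sample URL are assumptions.
config webfilter urlfilter
    edit 1
        set name "allow-list-then-block"
        config entries
            edit 1
                set url "intranet.example.com"
                set action allow
            next
            # Entries match top-down, so the block-everything wildcard goes last.
            edit 2
                set url "*"
                set type wildcard
                set action block
            next
        end
    next
end
config webfilter profile
    edit "Blocked Internet Web Filter"
        config web
            set urlfilter-table 1
        end
    next
end
config firewall policy
    # First match wins: the ISDB policy must sit above the web filter policy.
    edit 101
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "test-pc"
        set internet-service enable
        set internet-service-name "Microsoft-Office365"
        set action accept
        set schedule "always"
    next
    edit 102
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "test-pc"
        set dstaddr "all"
        set service "HTTP" "HTTPS"
        set action accept
        set schedule "always"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "Blocked Internet Web Filter"
    next
end
```

Policy IDs do not set evaluation order; check the sequence in the policy list and use `move` under `config firewall policy` if an older, broader allow policy sits above these two.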
Ali84
New Contributor

It seems I'm doing something wrong with web filtering. Would you please guide me? I removed the incoming and outgoing sources for security, and I wanted to test only on my computer first. That's why in the head, you only see my computer. But Web filtering is not working based on my config. The policy is at the bottom of all policies.

Screenshot 2023-03-24 160706.png

 
Ali84
New Contributor

Screenshot 2023-03-24 160743.png
