New Contributor

BLOCK specific IP/PC/User

Hi all.

I have a 90D device. I want to block some users in my domain from accessing the internet.

I tried to set it up but it doesn't work. Can anyone help?


When I set up WEB FILTER, it affects the whole network, all users. But I just want it to affect some users/PCs/IPs only. Is it possible?


I read someone talking about the SINGLE SIGN ON function.

I already set up SINGLE SIGN ON in my AD and it is already connected.

But when I create a policy, it doesn't work. I don't know what is wrong, or whether I did something wrong in the setup.


Explanation of the image:

Policy 1: All users can access All resources.

Policy 2: Users in group "FSSO BLOCK GROUP" can NOT access All resources.

(I tried moving policy 2 up but nothing changed.)


Please contact me through this forum or by email


Thank you so much 

New Contributor III


Don't know if anyone has contacted you privately, but it looks like you have your Policy order backwards. Try placing the Deny policy above the Allow policy.  When a packet hits the FG, it will be processed via the first policy that applies to it.  Since the Allow is for "all" it is processed there and never hits the second one.
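
The first-match rule described in the reply above, as a simplified model added here for illustration (not FortiOS code and not from either poster). The `Policy` class, the `covers`, `first_match` and `shadowed` helpers, the "Domain Users" group and the "internet" destination are assumptions; it evaluates the two policies in both orders and flags a policy that an earlier, broader one makes unreachable.

```python
from dataclasses import dataclass

ANY = "all"  # wildcard used in this simplified model

@dataclass(frozen=True)
class Policy:
    pid: int
    groups: frozenset  # user groups the policy applies to, or {ANY}
    dst: str           # destination object name, or ANY
    action: str        # "accept" or "deny"

def covers(earlier, later):
    """True if every flow matching `later` also matches `earlier`."""
    groups_ok = ANY in earlier.groups or (
        ANY not in later.groups and later.groups <= earlier.groups)
    dst_ok = earlier.dst == ANY or earlier.dst == later.dst
    return groups_ok and dst_ok

def first_match(policies, user_groups, dst):
    """Return the first policy, top to bottom, that applies to this traffic."""
    for p in policies:
        if (ANY in p.groups or p.groups & user_groups) and p.dst in (ANY, dst):
            return p
    return None  # nothing matched: implicit deny

def shadowed(policies):
    """List (later_id, earlier_id) pairs where the later policy can never be hit."""
    out = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if covers(earlier, later):
                out.append((later.pid, earlier.pid))
                break
    return out

# Constructed rule sets modelled on the two policies in the question.
ALLOW_ALL = Policy(1, frozenset({ANY}), ANY, "accept")
DENY_GROUP = Policy(2, frozenset({"FSSO BLOCK GROUP"}), ANY, "deny")
AS_POSTED = [ALLOW_ALL, DENY_GROUP]   # allow first, deny second
REORDERED = [DENY_GROUP, ALLOW_ALL]   # deny first, allow second

if __name__ == "__main__":
    blocked_user = frozenset({"FSSO BLOCK GROUP", "Domain Users"})
    for name, rules in (("as posted", AS_POSTED), ("reordered", REORDERED)):
        hit = first_match(rules, blocked_user, "internet")
        print(name, "-> policy", hit.pid, hit.action,
              "| shadowed:", shadowed(rules))
```

The model only covers rule ordering; it assumes the firewall has already mapped the source to its FSSO group.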

New Contributor

How do I block specific ""

We have the Google FQDNs opened per their suggestion ( ) and ( ). The kids have discovered a number of gaming sites on Google homepages; all seem to be named "my games", i.e. http://mygameus.blogspot....3/Jet-Pack-Monkey.html

The problem is that blocking Google by address doesn't seem to work, as every request seems to use a different one, and I don't know why but I don't seem to be able to block by name. I put in a simple IPv4 policy, source = any, destination = "", block, and it doesn't work. Because it is a block there is no SSL inspection or anything like that.... When I look at the log there is nothing that says "" just "", but I don't want to block all of Google, just the few sites. Can anyone help?


You could use Application Control to block the whole category instead of just one URL. Create an AC sensor, enable category "Gaming" and apply that to the policy 'internal' -> 'wan'. Works quite well IME.


Ede "Kernel panic: Aiee, killing interrupt handler!"