clayrogers
New Contributor

Best Practices For Fortigate In School Setting

I am going to be installing a Fortigate in a small secondary school. Can you guys give me a rundown of tips and best practices for content filtering in this environment?

I would love to get a list of recommended config options along with instructions on how to set it up.

Setting up filtering for a school seems like a bigger challenge as opposed to setting them up for a business which is where most of my experience with Fortigate is.

Thanks!

eti_andrei
New Contributor III

Our company deals exclusively with the education market. While we remain vendor agnostic, I'm a big fan of the FortiGate - and several of Fortinet's products - in an educational setting and I recommend them whenever I think they're appropriate.

Here's an abbreviated version (focusing on content filtering) of our internal guide:

First and foremost, we always speak to administration about their needs and expectations. We also explain the practical limitations of the device and try to temper expectations. Suffice it to say, there have been many times when administrators have come to us in a panic: "How were students able to get onto this inappropriate site? We just spent $xx,xxx on this device, isn't it supposed to block everything?" Conversely, we deal with many schools who don't mind certain sites being accessible by students that others would want blocked. We use administration's guidance to build our content filtering policies.

Second, we always establish a logical organizational map of user groups and who should have access to what. We will use this for our group mapping.

Third, and this is optional, we recommend to our client that they have some sort of client management/MDM solution in place. While this doesn't directly affect perimeter security and content filtering, it's especially useful for distributing certificates when enabling deep SSL inspections. If you're a homogenous Windows environment, you can get by pretty well with GPOs. Likewise, you can do basic certificate pushes with Apple's Profile Manager for your Macs.

Fourth, we find out how users are accessing the network and determine how we will identify them. By now, we have created our groups in the FortiGate and mapped them accordingly to our LDAP environment. 

For Windows clients bound to AD, you can have the FortiGate poll your domain controllers or retrieve logon info from the aggregate collector on a Windows machine that can be configured to either poll your DCs or install an agent. You may not like the idea of an agent on your domain controllers, so polling should suffice in many cases. We also found that polling is a must if you have Mac clients.

For clients connecting wirelessly and authenticating via RADIUS, enable the RSSO collector agent on the FortiGate (and configure the groups accordingly) and have your RADIUS server forward accounting packets to it. This works just fine with Microsoft's NPS.

If you're connecting non-AD-bound wireless devices and aren't using RADIUS authentication but want to apply content filtering policies, you'll either need to register individual devices into groups (which becomes inefficient and unwieldy for all but the smallest environments) or create a VLAN for wireless devices and use the FortiGate as the VLAN's gateway with captive portal enabled. The idea is to have a user login mapped for every device that accesses the network whenever possible. Using FortiAPs for your wireless network can make this process somewhat easier, but this is not always realistic.

Lastly, and depending upon your needs, have a look at the FortiAuthenticator. Think of it as the "professional" version of the FortiGate's SSO/authentication features. For example, it allows for users to register their BYOD devices via a self-service portal.

Best of luck!

eti_andrei

Thanks! That means a lot coming from you, Mike.

I'm a big believer in taking a holistic, big picture view before delving into the technological bits and wrote our internal guides to share this philosophy with our technicians and sales people. We'd like to see Fortinet make a bigger push into the educational space, as we could use some marketing muscle behind our own case studies and evaluations.

Arthia

Hi guys,

Need your help..

GrantWilson

Greetings from a teacher,

I work in a K-12 school and want to clarify how to work with allowed and disallowed lists. We need to have the same websites whitelisted for teachers, social workers and school staff and blocked for students. How can we do this? We're planning to use Fortinet FortiGate 60E.

_ _ _ Access path: Troubles creating custom datasets and separating data for students and educators listed website writemyessaytoday

Yurisk

You need to authenticate those aforementioned users in some way, so those users come to Fortigate identified already. Next you create different policies for each user group. 

Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
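
The per-group approach from the reply above, sketched as FortiOS CLI. This is an added example, not part of any post in this thread. It assumes user groups "Staff" and "Students" already exist and are fed by one of the identification methods described earlier, and that policies 10 and 11 are existing LAN-to-internet accept policies; the table IDs, profile names and the URL are constructed placeholders.

```fortios
# Constructed example: IDs, names and the URL are placeholders.
# One URL filter table per audience: the same site is allowed for staff and blocked for students.
config webfilter urlfilter
    edit 1
        set name "staff-urls"
        config entries
            edit 1
                set url "staff-resource.example.org"
                set action allow
            next
        end
    next
    edit 2
        set name "student-urls"
        config entries
            edit 1
                set url "staff-resource.example.org"
                set action block
            next
        end
    next
end
# One web filter profile per audience, each pointing at its own table.
config webfilter profile
    edit "wf-staff"
        config web
            set urlfilter-table 1
        end
    next
    edit "wf-students"
        config web
            set urlfilter-table 2
        end
    next
end
# Bind each profile to a policy that matches only its user group.
config firewall policy
    edit 10
        set groups "Staff"
        set utm-status enable
        set webfilter-profile "wf-staff"
    next
    edit 11
        set groups "Students"
        set utm-status enable
        set webfilter-profile "wf-students"
    next
end
```

Check that no later policy without a user group matches the same traffic, otherwise unidentified devices can reach the internet through it with neither profile applied. HTTPS sites are only matched if an SSL inspection profile is also set on both policies.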
marjoriefrench
New Contributor

Installing a Fortigate in a small secondary school for content filtering is a smart move to ensure a secure and productive online environment for students and staff. Here are some tips and best practices to consider:

  1. Understand School Policies and Requirements: Before configuring the Fortigate, ensure you have a clear understanding of the school's acceptable use policies, content filtering requirements, and any legal considerations regarding internet usage in educational institutions.

  2. Granular Policy Creation: Utilize the Fortigate's capabilities to create granular content filtering policies based on user roles, groups, or specific requirements. This allows you to tailor internet access permissions according to different user categories, such as students, teachers, and administrators.

  3. Block Malicious Content: Enable the Fortigate's built-in security features to block access to websites known for hosting malware, phishing, or other malicious content. This helps protect the school's network and devices from cybersecurity threats.

ClovisLang
New Contributor

When setting up a Fortigate for content filtering in a small secondary school, there are a few key best practices to keep in mind. First, it’s essential to prioritize safeguarding students while maintaining an optimal learning environment. Begin by setting up web filtering policies tailored to education, using FortiGuard categories to block inappropriate content such as adult material, violence, or gambling, while allowing educational websites and resources. You can create specific filtering profiles for different user groups like students, teachers, and administrators, ensuring they have appropriate access based on their roles. SSL inspection is also critical to ensure that encrypted traffic is properly filtered—ensure this is configured correctly to avoid loopholes. Enable application control to prevent access to unauthorized applications like VPNs or peer-to-peer sharing tools that students might use to bypass filters. Implement Safe Search enforcement to restrict inappropriate search engine results, and configure logs and reporting tools to monitor traffic and identify any potential misuse or suspicious activity. Additionally, set bandwidth limits to ensure that critical applications (such as learning platforms) are prioritized over recreational or non-essential ones. Finally, ensure policies are updated regularly, keeping pace with new websites, applications, and security threats. Fortigate provides user-friendly interfaces for configuring these settings, and using the built-in wizards can simplify the process.
