dlabacs
New Contributor

Block Facebook and Youtube

Hi, Newbie Here. I really had a hard time configuring our new Fortigate Device to block Facebook and Youtube during work hours. I went to URL filtering but it doesn't work for me. My fortigate device/version is 200B. Please help. Thanks.
lightmoon1992
New Contributor

You need to define three profiles actually to tighten it the most:
1- SSL inspection profile enabling the HTTPS scanning
2- webfiltering profile with appropriate setting to bandwidth consuming and personal categories
3- application control controlling the social networking traffic (you can selectively define specific application signatures only)
Mohammad

Mohammad Al-Zard
dlabacs
New Contributor

Thanks Sir.. I did the advice and it works:)
Phillyidol
New Contributor

Just out of curiosity, do the above steps block the https URL with youtube, or just basic http? I started a post under Web Filtering on this because we can't seem to block the https URL for youtube without blocking ALL other https URLs.
Philly Idol
Dave_Hall
Honored Contributor

There are two general methods on the Fortigate for determining which URL is being visited via HTTPS.

One way is to enable deep (packet) inspection (profile) on the fw policy -- this is where the Fortigate will substitute its own security certificate so it is able to decrypt the traffic to see what URL is being visited. However, unless you install the Fortigate's own security cert. on the workstation (in question), the web browser client will report a cert error when connecting (aka "Man-in-middle" attack) to the website. Of course you can always live with that error message (but it sets a bad precedent, IMHO).

The other method deployed by the Fortigate is to check the domain name on the security cert of the web site -- this generally works well, providing the domain name listed in the security cert is not a wild-card... such as one deployed by Google (i.e. Youtube). You could always try setting up an app sensor for blocking youtube (which I think is listed as google/media).

Considering most of our clients do not have managed networks (e.g. no AD servers, "open" workstations), installing fgt sec certs on workstations is out of the question, so we have resorted to creating blocks of addresses, covering most of the youtube IP address space range, and setting up firewall blocks to them, either time-based and/or port-based (any or HTTPS). A bit ugly and not perfect.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
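Added example, not part of the original post and not Fortinet code: a Python model of the certificate-name check described in the post above, showing why a shared wildcard certificate forces a choice between missing YouTube and overblocking everything else on that certificate. The session list, certificate names and function names are constructed for illustration.

```python
# Added illustration: a filter that cannot decrypt HTTPS and sees only the
# certificate's subject name. All session data below is constructed.

def in_domain(host, domain):
    """True if host is the domain itself or any subdomain of it."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def cert_filter_blocks(cert_cn, cn_rules):
    """Decision from the certificate name alone (wildcard prefix ignored)."""
    base = cert_cn[2:] if cert_cn.startswith("*.") else cert_cn
    return any(in_domain(base, rule) for rule in cn_rules)


def audit(sessions, wanted_blocked, cn_rules):
    """Compare the admin's intent with what certificate-name rules achieve."""
    report = {}
    for host, cert_cn in sessions:
        wanted = any(in_domain(host, d) for d in wanted_blocked)
        blocked = cert_filter_blocks(cert_cn, cn_rules)
        if wanted and not blocked:
            report[host] = "missed"
        elif blocked and not wanted:
            report[host] = "overblocked"
        else:
            report[host] = "blocked" if blocked else "allowed"
    return report


# (requested host, certificate name presented) - constructed sample, modelling
# a video site served behind its parent company's shared wildcard certificate.
SESSIONS = [
    ("www.facebook.com", "*.facebook.com"),
    ("www.youtube.com", "*.google.com"),
    ("mail.google.com", "*.google.com"),
]
WANTED = ["facebook.com", "youtube.com"]

if __name__ == "__main__":
    # Rules naming the sites you want: YouTube slips through.
    print(audit(SESSIONS, WANTED, ["facebook.com", "youtube.com"]))
    # Rules naming the certificate instead: everything on that cert is blocked.
    print(audit(SESSIONS, WANTED, ["facebook.com", "google.com"]))
```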
Fatih
New Contributor

Hi, You can get help from the link below http://docs.fortinet.com/d/fortigate-configuring-fortios-v5.0-webfiltering-for-https-scanning-without-ssl-deep-scanning/download
FCNSA / FCNSP
mramon79
New Contributor

Hi, First of all, sorry for my English. If you want to block access to facebook and youtube without SSL inspection, create a policy with those domains (fqdn) as destination and action deny. Regards
Amiko
New Contributor

hi all, how to block only facebook games and apps?

https://www.facebook.com/games/
https://apps.facebook.com/
Centrocito
New Contributor

dlabacs wrote:
Hi, Newbie Here. I really had a hard time configuring our new Fortigate Device to block Facebook and Youtube during work hours. I went to URL filtering but it doesn't work for me. My fortigate device/version is 200B. Please help. Thanks.

Remember that Facebook uses HTTPS, not HTTP; make sure to block the correct one.

Adrian_Buckley_FTNT

Blocking Facebook games and apps with WF isn't going to work very well. Use the App control signature Facebook.app
