Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ThePro
New Contributor III

Block Internet except some specific websites

I know I can block Internet to specific devices using a policy and, for example, the devices IP.

 

Can I allow those devices (or all devices for that matter) to access a specific list of websites (the unit does not have a UTM/WebFiltering license).

6 REPLIES 6
Dave_Hall
Honored Contributor

I believe URL web filtering should still work, but not the FortiGuard web filtering (service) part. 

 

You can still block/unblock by creating address/fqdn firewall objects for the website(s) and group them into an object groups then use that as the dest address in firewall policies.  Of course, you will need to move such firewall policies up, in the firewall rule chain so they can be triggered.  This is a bit ugly IMO depending on the website if content servers (server farms) are used.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Toshi_Esumi
SuperUser
SuperUser

FQDNs can be used to the allowed sites in a policy. Make sure the FQDN you configure is actually resolves with the DNS the FGT is configured to use.

Also you can use URL filter in a Web filter profile, as long as you disable FortiGuard Category filtering in the profile.

Kenundrum

A long time ago, at a job far far way....

I did exactly what you are describing on about a hundred 60Bs that needed to block all internet access except about 25 sites.

The way we did it was with a web filter policy that had fortiguard filtering turned off and instead had a specific URL list enabled. In general, you put in the allowed URLs with the action of allow or monitor and then at the end you put a wildcard in with block. Thankfully now you can use simple wildcards- back in the 3.6/3.7 days it was only regular expressions and it took some finessing to get the correct syntax for certain urls.

Here are some words of caution... The list is read top to bottom and i don't believe there is a way to rearrange the list easily. So when we had to add sites to the list, we deleted the wildcard block on the end, added more sites, and then put the wildcard block back. Also since this is fully on the device, it may impact performance on smaller units if the list gets extraordinarily large. I imagine you'll run into manageability problems handling such a large list before you actually run up against processing problems, but it's something to note. It also may become easier to handle it through a CLI script instead of directly in GUI.

CISSP, NSE4

 

CISSP, NSE4
sw2090
SuperUser
SuperUser

yeah as said the FortiGuard Filters can only filter (or not filter) Domain names. Not Protocolls, no wildcards,no paths.

 

You will have to use -as also said - the url filter.

Add a profile to use in your policy. Disable FortiGuard if not needed. Enable url filter.

Set an exempt rule for the sites you want to have enabled. You will need exempt here to have the url filter stop once it matched a rule successfully. If you set allow the last rule we need will kill this rule since it matches too.

Last rule in url filter has to be Block * .

This will then grant access to website that have an exempt rule which is above the block * rule and stop checking here.

Everything else will be blocked.

 

Note: This will not work via FortiManager <= 5.4 due to a confirmed Bug in FortiManger that affects the order of the url filter rules. I cannot currently tell you if it still is in FMG >=5.6 since I haven't checked yet.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
apeiffer1901
New Contributor

How do i unblock a url

 

sw2090

create a local webfilter category and add the url to it. Then set webfilter to allow this category. Local category serves before FortiGuard category.

This will btw only work for FQDNs. complete or urls or wildcards are not supported here.

If you need complete url or wildcard entries you have to use the url filter instead.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors