Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
duong
New Contributor

Block facebook, youtube, skype and amazon

Hi all,

 

I am a Newbie, I using Foretigate 300D, I need block "facebook, youtube, skype, gmail and amazon" and just open some ip as required. Please help me!

 

Thanks!

2 Solutions
hmtay_FTNT
Staff
Staff

Hello duong,

 

You can do so with Application Control. Under Security Profiles, select a sensor that you are going to use in your policy. Add the signatures Facebook and all its children (Facebook_xxx), YouTube, Skype and Amazon and all their children into your policy. Set them to Block. 

 

Make sure that you set your policy to use that sensor and enable at least certificate-inspection. That should block the usage of those applications. 

 

HoMing

View solution in original post

hmtay_FTNT

Hello duong,

 

If you can contact your local support to help you, it will be the best solution since they can help you if some settings arent correct.

 

Otherwise, here are the rough steps:

 

1) Go to Policy & Objects-> Addresses. Create a new address group that includes all the IPs that you want to allow YouTube, Facebook, etc.

2) Create 2 policies in IPv4 Policy. The first one should contain the address group you created in 1) and have the signatures set to Allow. The second policy then has the signatures set to Block.

 

E.g.

edit 1         set name "wifi"         set uuid 361c7d7a-2413-51e6-0f0a-340c73277268         set srcintf "wifi"         set dstintf "wan2"         set srcaddr "allowedip"         set dstaddr "all"         set action accept         set schedule "always"         set service "ALL"         set utm-status enable         set logtraffic all         set application-list "default-allow"         set profile-protocol-options "default"         set ssl-ssh-profile "certificate-inspection"         set nat enable     next

edit 2         set name "wifi"         set uuid 361c7d7a-2413-51e6-0f0a-340c73277268         set srcintf "wifi"         set dstintf "wan2"         set srcaddr "all"         set dstaddr "all"         set action accept         set schedule "always"         set service "ALL"         set utm-status enable         set logtraffic all         set application-list "default-block"         set profile-protocol-options "default"         set ssl-ssh-profile "certificate-inspection"         set nat enable     next

 

Policy ID 1, since it is above 2, will have priority. And since the address group is "allowedip", it will use the application sensor "default-allow". The rest of the IP in the interface "wifi" will be under policy ID 2 and have the application sensor "default-block".

 

HoMing

View solution in original post

10 REPLIES 10
Sudarsan_Babu
Contributor

Hi Duong ,

 

what Firmware version ?

 

 

Regards,

Sudarsan Babu P

Regards, Sudarsan Babu P
hmtay_FTNT
Staff
Staff

Hello duong,

 

You can do so with Application Control. Under Security Profiles, select a sensor that you are going to use in your policy. Add the signatures Facebook and all its children (Facebook_xxx), YouTube, Skype and Amazon and all their children into your policy. Set them to Block. 

 

Make sure that you set your policy to use that sensor and enable at least certificate-inspection. That should block the usage of those applications. 

 

HoMing

duong

Hi all,

 

I using Foretigate 300D, v5.4. I need your help how to allow specific ip from LAN to access facebook and youtube?. step by step procedure would be really helpful.

 

Thanks!

hmtay_FTNT

Hello duong,

 

If you can contact your local support to help you, it will be the best solution since they can help you if some settings arent correct.

 

Otherwise, here are the rough steps:

 

1) Go to Policy & Objects-> Addresses. Create a new address group that includes all the IPs that you want to allow YouTube, Facebook, etc.

2) Create 2 policies in IPv4 Policy. The first one should contain the address group you created in 1) and have the signatures set to Allow. The second policy then has the signatures set to Block.

 

E.g.

edit 1         set name "wifi"         set uuid 361c7d7a-2413-51e6-0f0a-340c73277268         set srcintf "wifi"         set dstintf "wan2"         set srcaddr "allowedip"         set dstaddr "all"         set action accept         set schedule "always"         set service "ALL"         set utm-status enable         set logtraffic all         set application-list "default-allow"         set profile-protocol-options "default"         set ssl-ssh-profile "certificate-inspection"         set nat enable     next

edit 2         set name "wifi"         set uuid 361c7d7a-2413-51e6-0f0a-340c73277268         set srcintf "wifi"         set dstintf "wan2"         set srcaddr "all"         set dstaddr "all"         set action accept         set schedule "always"         set service "ALL"         set utm-status enable         set logtraffic all         set application-list "default-block"         set profile-protocol-options "default"         set ssl-ssh-profile "certificate-inspection"         set nat enable     next

 

Policy ID 1, since it is above 2, will have priority. And since the address group is "allowedip", it will use the application sensor "default-allow". The rest of the IP in the interface "wifi" will be under policy ID 2 and have the application sensor "default-block".

 

HoMing

duong

Thanks for your support! I got it, it's worked. That's great!

 

The last question, If I have 2 IPs:

 

1. xxx.xxx.xxx.xx1 access to Facebook and Youtube.

2. xxx.xxx.xxx.xx2 access to Skype and Amazon.

3. Block all.

 

- In the Addresss: I create a IP access to Facebook, Youtube and a IP access to Skype, Amazon.

 

- In the Policy: I created 3 rules:

                1. Allow IP access Facebook, Youtube and block Skype and Amazon (Block by Application).

                2. Allow IP access Skype, Amazon and block Facebook and Amazon (Block by Application).

                3. Allow access internet. (Block Facebook, Youtube, Skype and Amazon).

 

But it's not run.

 

Please...! Thanks!

hmtay_FTNT

Hello duong,

 

That should work. Do you have the 2 policies for 1) and 2) above 3)? When you said it didnt work, did it not work for just one or both 1) and 2)?

 

HoMing

duong

Hi hmtay_FTNT,

 

Sorry for late reply.

 

I did create 3 rules:

 

                1. Allow IP access Facebook, Youtube and block Skype and Amazon (Block by Application).                 2. Allow IP access Skype, Amazon and block Facebook and Amazon (Block by Application).                 3. Allow access internet. (Block Facebook, Youtube, Skype and Amazon).

 

Rule 1. => OK.

Rule 2. => Not OK.

Rule 3. => OK.

 

Seem, when I create 2 or more rules with Application Control, it does not work.

 

Thanks!

hmtay_FTNT

Can you send me the configuration, pcap and Application Logs for the failed one? You can send it to my email at hmtay@fortinet.com. I can take a look at it.

DingDong
New Contributor II

Create a web filter. In the web filter you can whitelist or block single URLs, IP Addresses or wildcard URLs and also block them under Security Profiles -> Web Filter -> Static URL Filter

 

Hope this helps you

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors