Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
duong
New Contributor

Block facebook, youtube, skype and amazon

Hi all,

 

I am a Newbie, I using Foretigate 300D, I need block "facebook, youtube, skype, gmail and amazon" and just open some ip as required. Please help me!

 

Thanks!

2 Solutions
hmtay_FTNT
Staff
Staff

Hello duong,

 

You can do so with Application Control. Under Security Profiles, select a sensor that you are going to use in your policy. Add the signatures Facebook and all its children (Facebook_xxx), YouTube, Skype and Amazon and all their children into your policy. Set them to Block. 

 

Make sure that you set your policy to use that sensor and enable at least certificate-inspection. That should block the usage of those applications. 

 

HoMing

View solution in original post

hmtay_FTNT

Hello duong,

 

If you can contact your local support to help you, it will be the best solution since they can help you if some settings arent correct.

 

Otherwise, here are the rough steps:

 

1) Go to Policy & Objects-> Addresses. Create a new address group that includes all the IPs that you want to allow YouTube, Facebook, etc.

2) Create 2 policies in IPv4 Policy. The first one should contain the address group you created in 1) and have the signatures set to Allow. The second policy then has the signatures set to Block.

 

E.g.

edit 1         set name "wifi"         set uuid 361c7d7a-2413-51e6-0f0a-340c73277268         set srcintf "wifi"         set dstintf "wan2"         set srcaddr "allowedip"         set dstaddr "all"         set action accept         set schedule "always"         set service "ALL"         set utm-status enable         set logtraffic all         set application-list "default-allow"         set profile-protocol-options "default"         set ssl-ssh-profile "certificate-inspection"         set nat enable     next

edit 2         set name "wifi"         set uuid 361c7d7a-2413-51e6-0f0a-340c73277268         set srcintf "wifi"         set dstintf "wan2"         set srcaddr "all"         set dstaddr "all"         set action accept         set schedule "always"         set service "ALL"         set utm-status enable         set logtraffic all         set application-list "default-block"         set profile-protocol-options "default"         set ssl-ssh-profile "certificate-inspection"         set nat enable     next

 

Policy ID 1, since it is above 2, will have priority. And since the address group is "allowedip", it will use the application sensor "default-allow". The rest of the IP in the interface "wifi" will be under policy ID 2 and have the application sensor "default-block".

 

HoMing

View solution in original post

10 REPLIES 10
ThePro
New Contributor III

If I do it through Application Control it works, but through WebFiltering it does not work. Its the same Policy I just turned off Application Control on the policy and enabled Web Filter with a custom profile with URL Filter turned on and URL - 8facebook.com, Tye - Wildcard, Action - Block, Status - Enable (everything else on that profile is turned off).

 

Any pros/cons of doing it through Application Control instead of Web Filtering? When a page is blocked though Application Control is there a way to show the users a message? (Right now it just tries to keep opening the page, but it never loads. Is there a way of displaying a message like it does when WebFiltering works).

 

I would still like to know why WebFiltering is not working. Any ideas?

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors