Hi all,
I am a Newbie, I using Foretigate 300D, I need block "facebook, youtube, skype, gmail and amazon" and just open some ip as required. Please help me!
Thanks!
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello duong,
You can do so with Application Control. Under Security Profiles, select a sensor that you are going to use in your policy. Add the signatures Facebook and all its children (Facebook_xxx), YouTube, Skype and Amazon and all their children into your policy. Set them to Block.
Make sure that you set your policy to use that sensor and enable at least certificate-inspection. That should block the usage of those applications.
HoMing
Hello duong,
If you can contact your local support to help you, it will be the best solution since they can help you if some settings arent correct.
Otherwise, here are the rough steps:
1) Go to Policy & Objects-> Addresses. Create a new address group that includes all the IPs that you want to allow YouTube, Facebook, etc.
2) Create 2 policies in IPv4 Policy. The first one should contain the address group you created in 1) and have the signatures set to Allow. The second policy then has the signatures set to Block.
E.g.
edit 1 set name "wifi" set uuid 361c7d7a-2413-51e6-0f0a-340c73277268 set srcintf "wifi" set dstintf "wan2" set srcaddr "allowedip" set dstaddr "all" set action accept set schedule "always" set service "ALL" set utm-status enable set logtraffic all set application-list "default-allow" set profile-protocol-options "default" set ssl-ssh-profile "certificate-inspection" set nat enable next
edit 2 set name "wifi" set uuid 361c7d7a-2413-51e6-0f0a-340c73277268 set srcintf "wifi" set dstintf "wan2" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" set utm-status enable set logtraffic all set application-list "default-block" set profile-protocol-options "default" set ssl-ssh-profile "certificate-inspection" set nat enable next
Policy ID 1, since it is above 2, will have priority. And since the address group is "allowedip", it will use the application sensor "default-allow". The rest of the IP in the interface "wifi" will be under policy ID 2 and have the application sensor "default-block".
HoMing
If I do it through Application Control it works, but through WebFiltering it does not work. Its the same Policy I just turned off Application Control on the policy and enabled Web Filter with a custom profile with URL Filter turned on and URL - 8facebook.com, Tye - Wildcard, Action - Block, Status - Enable (everything else on that profile is turned off).
Any pros/cons of doing it through Application Control instead of Web Filtering? When a page is blocked though Application Control is there a way to show the users a message? (Right now it just tries to keep opening the page, but it never loads. Is there a way of displaying a message like it does when WebFiltering works).
I would still like to know why WebFiltering is not working. Any ideas?
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1714 | |
1093 | |
752 | |
447 | |
232 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.