Hi Experts,
I am very new to Fortinet, so I am a bit confused about how web filtering via category blocking works in a firewall policy.
I want to block Facebook for all users/devices, but I want to have some exemptions for certain users/devices.
Would the method below work?
1) Allow the exempted users to Facebook
2) Block all users to Facebook
3) any any any allow
I am used to configuring Cisco FTD/FMC, and this method worked there. I am not sure about Fortinet, because in Fortinet once you select a category all categories will be included, unlike in Cisco where only the categories you want to allow or block will be included in the rules you are creating.
One more thing: if I upgrade the firmware, would it require a reboot? Can I revert back to the old firmware in case I am not happy with the newly installed firmware?
Thank you and more power to all!
Create/Clone a URL Filtering Profile that will allow and log (alert) all safe categories, then uncheck the “log container page only” option on the URL Filtering Profile. Apply this URL Filtering Profile to your catch all policy. If you still don’t see what you are hoping for, then possibly your previous policy is silently blocking the URLs you are in search of. In that case, swap the policies briefly to gain visibility.
Hi Sir,
This is my current firewall policy as created, and I noticed that policies 1 - 3 do not have any hit counts, so I assume those policies are being bypassed or not used.
And regarding the "log container page only" option, I cannot see any such option.
Hi @HeraldGoSison,
You will need two separate firewall policies and web filter profiles.
1. Create a web filter profile with Social Networking set to Allow and put it in a firewall policy for the exempted users. This policy should be above the block policy.
2. Create a web filter profile with Social Networking set to Block and put it in a firewall policy for all users.
3. any any any allow is not a good practice. There is already a default implicit deny policy at the bottom of the list.
Regards,
And yes, upgrading the firmware will require a reboot. It is also possible to rollback.
Hi Sir,
This is what I made.
Rule #1 allows FB, YouTube and Spotify. Source is assigned to the LDAP group that I am part of, plus departments 1 & 2.
Rule #2 allows YouTube and Spotify only. Source is assigned to the LDAP group for department 3.
Rule #3 allows Spotify only. Source is assigned to the LDAP group for department 4.
Rule #4 blocks FB, YouTube and Spotify for all users inside the network.
But I still cannot access FB, YouTube or Spotify. Does assigning user remote groups via LDAP in the source field work? Or is there another way to add user remote groups? Or do I need an SSO agent installed on our domain controllers so that it will recognize users and groups?
If you want to allow/deny based on LDAP users, you need to use FSSO. Please refer to https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/450337/fsso
Regards,
Hi sir, I am following a certain YouTube tutorial on how to connect using FSSO, but upon checking I don't have a Fortinet Single Sign-On Agent in my Fabric connectors. How can I add it?
Looks like you are using an older FortiOS version. You can check Security Fabric > External Connectors. Please refer to https://docs.fortinet.com/document/fortigate/6.4.14/administration-guide/503764/fsso-polling-connect...
Regards,
Hi Sir,
I tried following the instructions from the article you sent, but after setting up Security Fabric -> External Connectors,
I did not see a Local FSSO Agent, only the Active Directory Connector, as instructed by the article.
I have also upgraded my FortiOS version to 7.0.12. Which FortiOS version should I use to make this functional?
Copyright 2024 Fortinet, Inc. All Rights Reserved.