fred339
Contributor

Converting to a Fortigate firewall with user-assigned whitelists

I have a few whitelists of URLs that have been developed over time to match user needs.

I want to implement them on a new Fortigate 80_F 6.4.10.

My preferential approach is to have things as separate and distinct as possible.  And, my notion is to have the firewall policies ordered so that the process will be fast and efficient.

I have firewall policies for:

- Whitelist for all - so there are no names and Source is just "all". Uses a Static URL filter only.
- Whitelist for buyers - trying to use a short list of names as Source. Not working yet but OK for this question.
- Whitelist for others - same
- DNS with DNS profile
- HTTP-HTTPS with WEB, AV and APP profiles
- Applications - with APP profile.
- Social - with web profile
- Catch-all - with web profiles

The idea is that these policies will either be acted on or skipped because they don't apply.

I wouldn't want one to overcome those remaining by letting unwanted traffic through.

Is that an issue and how to understand and deal with that?

Fred Marshall
12 REPLIES
gfleming
Staff

If you are using FSSO/user sources in your policies then the only policies that will apply will be the ones that those users are authorized for (based on group membership most likely).

For any policies that are not FSSO or based on user auth you just follow the standard approach of most specific to least specific.

Cheers,
Graham
fred339

Graham,

Thank you!

That's what I'm used to and what I'm trying to do.

Where I'm the most unsure is seeing the combination of category filtering AND URL filtering in the same policy.  I can choose to NOT use category filtering when I'm going to apply a whitelist in a policy.  Is that good practice?  It appeals to me in the sense of keeping things separate and distinct.  That being the case, it would seem less confusing.

Fred Marshall
gfleming

It's totally up to you. Personally I like using the FortiGuard categories as it's a lot less work maintaining a whitelist. If you have a large list of URLs you may also want to look at using a threat feed remote URL filter category: https://docs.fortinet.com/document/fortigate/7.2.2/administration-guide/009463/threat-feeds

Cheers,
Graham
fred339

#gfleming: Thank you!

I'm not really maintaining a whitelist in the sense that "this is all you get to see".  Been there, done that.  I think that's what you were referring to.

What I've done is this:

1) Use the categories as a primary approach.

2) When a user or user group finds that they are being blocked from a needed website, I add that site to a "whitelist" which operates ahead of the category list.  Then they can see the site - but I don't have to do this for EVERY site they need to see - only a few by exception like this.

It's been working very well.  But, just now, I'm converting to Fortigate so things look a little different.

The end result is a small set of these "whitelists" that apply to certain user groups and are followed by category-type filtering. I guess these "whitelists" would be called 

Fred Marshall
gfleming

OK in this case you probably want to look at using overrides:

https://docs.fortinet.com/document/fortigate/7.0.8/administration-guide/918943/overrides

Cheers,
Graham
fred339

@gfleming: Thank you. Well, I looked at the overrides briefly but that seems more intricate than what I'm used to doing. I'm used to using up-front static URL filters that are mostly intended for ALLOW entries for a select Group. Then any subsequent filtering will be skipped, won't it? And, with small groups involved, these should be efficiently skipped, right?

Fred Marshall
gfleming

Web rating overrides are basically static URL filter whitelists for the web filter security profile. I'm not too sure what your issue is. Perhaps you can elaborate?

Cheers,
Graham
fred3
New Contributor II

@gfleming:

Sorry for the delay.  I had to look further into the Overrides.  I must say that documented instructions and the pages on the FG were pretty confusing for me as they didn't seem to track.

I've tried to explain this but let me give some background as to what I've been doing and am trying to do:

- We have been using a firewall with very similar web filtering categories - and we have been using them.

- We had a few sets of categories for User Groups such as Managers, Non-Managers, Buyers, etc. We set ALLOW and BLOCK in each category set to suit those groups' needs and permissions.

Then, as time went on, we found that some of those User Groups were being blocked on specific URLs as a result of the assigned category list and permissions.

Now, we didn't want to change the category settings en masse for two reasons:

1) We had already gone to the trouble to set them up and they were working OK.

2) We realize that they are *dynamic* and subject to change regarding URLs embedded within them (which is kept secret from us).  This begs for ALLOWing the needed URLs up front.

So, rather than dealing with all that, we simply created what we called "whitelists" for each User Group and added critical URLs, being blocked in the Categories, to support their business needs as they came up.  This was clearly important to operations but didn't come up very often.  We now have those lists based on real world experience.

I really don't want to make setting "items" for each of those special URLs.  I much prefer to enter each list into a static URL list or, possibly, into a Custom Category if that approach makes sense.  So far, I've not found how to do that in the Overrides.

gfleming

OK, sounds like you can just use URL Filter within the Web Profile then to exempt the URLs (whitelist).

Create a Web Filter profile for each category of User Group and whitelist as-needed using the URL Filter.

Cheers,
Graham
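A constructed FortiOS CLI sketch of the layout Graham describes: one Web Filter profile per user group, with the static URL filter and the FortiGuard category block in the same profile, attached to a group-specific firewall policy that sits above the general HTTP-HTTPS policy. This is added example configuration, not from the thread or from Fortinet's documentation; the profile, policy, interface, group and hostname values are assumptions, and the category ID is a placeholder to be replaced with whatever the existing group policy blocks. The reason the URL filter and the category block belong in one profile is the concern in the original question: a FortiGate matches firewall policies top-down on interfaces, addresses, service and authenticated user/group, never on the URL, so the first policy that matches the Buyers group handles all of that group's web traffic. A "whitelist-only" policy placed above the category policy would pass the rest of that group's browsing with nothing but the static URL filter applied, and the category policy below would never be reached for them.

```text
config webfilter urlfilter
    edit 1
        set name "buyers-urlfilter"
        set comment "Added example: exception URLs Buyers need that a category block would otherwise stop"
        config entries
            edit 1
                set url "supplier-portal.example.com"
                set type simple
                set action allow
                set status enable
            next
            edit 2
                set url "*.parts-catalog.example.net"
                set type wildcard
                set action allow
                set status enable
            next
        end
    next
end

config webfilter profile
    edit "buyers-web"
        set comment "Added example: static URL exceptions first, FortiGuard categories still enforced for everything else"
        config web
            set urlfilter-table 1
        end
        config ftgd-wf
            config filters
                edit 1
                    set category 26
                    set action block
                next
            end
        end
    next
end

config firewall policy
    edit 10
        set name "Buyers-web"
        set comments "Added example: group-specific policy, must sit above the general HTTP-HTTPS policy"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set groups "Buyers"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "buyers-web"
        set nat enable
    next
    edit 11
        set name "HTTP-HTTPS"
        set comments "Added example: general web policy for everyone not matched above"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "default"
        set nat enable
    next
end
```

Policy IDs do not determine order; after creating both policies, put the group policy first with `move 10 before 11` inside `config firewall policy`, or drag it above in the GUI, and confirm with a test user in the Buyers group that an exception URL loads while a category-blocked site still shows the block page. The URL filter also offers an `exempt` action, which skips the remaining inspection for matching URLs rather than just the category check, so `allow` is the safer default for an exception list; the Static URL filter section of the 6.4 administration guide states exactly which later checks each action skips on that release.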